Table Of Contents
mac address through multicast-routing Commands
mac address
mac-address
mac-address auto
mac-address-table aging-time
mac-address-table static
mac-learn
mac-list
mail-relay
management-access
management-only
map-name
map-value
mask
mask-banner
mask-syst-reply
match access-list
match any
match apn
match body
match called-party
match calling-party
match certificate
match cmd
match default-inspection-traffic
match dns-class
match dns-type
match domain-name
match dscp
match ehlo-reply-parameter
match filename
match filetype
match flow ip destination-address
match header
match header-flag
match im-subscriber
match invalid-recipients
match ip address
match ip next-hop
match ip route-source
match login-name
match media-type
match message id
match message length
match message-path
match mime
match peer-ip-address
match peer-login-name
match port
match precedence
match protocol
match question
match req-resp
match request-command
match request-method
match request method
match route-type
match rtp
match sender-address
match server
match service
match third-party-registration
match tunnel-group
match uri
match url-filter
match username
match version
max-failed-attempts
max-forwards-validation
max-header-length
max-object-size
max-retry-attempts
max-uri-length
mcc
media-type
member
member-interface
memberof
memory delayed-free-poisoner desired-fragment-count
memory delayed-free-poisoner desired-fragment-size
memory delayed-free-poisoner enable
memory delayed-free-poisoner validate
memory delayed-free-poisoner watchdog-percent
memory caller-address
memory profile enable
memory profile text
memory-size
message-length
mfib forwarding
min-object-size
mkdir
mode
monitor-interface
more
mount (CIFS)
mount (FTP)
mroute
msie-proxy except-list
msie-proxy local-bypass
msie-proxy method
msie-proxy pac-url
msie-proxy server
mtu
multicast boundary
multicast-routing
mac address through multicast-routing Commands
mac address
To specify the virtual MAC addresses for the active and standby units, use the mac address command in failover group configuration mode. To restore the default virtual MAC addresses, use the no form of this command.
mac address phy_if [active_mac] [standby_mac]
no mac address phy_if [active_mac] [standby_mac]
Syntax Description
phy_if | The physical name of the interface to set the MAC address.
active_mac | The virtual MAC address for the active unit. The MAC address must be entered in h.h.h format, where h is a 16-bit hexadecimal number.
standby_mac | The virtual MAC address for the standby unit. The MAC address must be entered in h.h.h format, where h is a 16-bit hexadecimal number.
Defaults
The defaults are as follows:
• Active unit default MAC address: 00a0.c9<physical_port_number>.<failover_group_id>01.
• Standby unit default MAC address: 00a0.c9<physical_port_number>.<failover_group_id>02.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode (Routed) | Firewall Mode (Transparent) | Security Context (Single) | Security Context (Multiple: Context) | Security Context (Multiple: System)
Failover group configuration | • | • | — | — | •
Command History
Release | Modification
7.0(1) | This command was introduced.
Usage Guidelines
If the virtual MAC addresses are not defined for the failover group, the default values are used.
If you have more than one Active/Active failover pair on the same network, it is possible to have the same default virtual MAC addresses assigned to the interfaces on one pair as are assigned to the interfaces of the other pairs because of the way the default virtual MAC addresses are determined. To avoid having duplicate MAC addresses on your network, make sure you assign each physical interface a virtual active and standby MAC address.
Examples
The following partial example shows a possible configuration for a failover group:
hostname(config)# failover group 1
hostname(config-fover-group)# primary
hostname(config-fover-group)# preempt 100
hostname(config-fover-group)# exit
hostname(config)# failover group 2
hostname(config-fover-group)# secondary
hostname(config-fover-group)# preempt 100
hostname(config-fover-group)# mac address e1 0000.a000.a011 0000.a000.a012
hostname(config-fover-group)# exit
Related Commands
Command | Description
failover group | Defines a failover group for Active/Active failover.
failover mac address | Specifies a virtual MAC address for a physical interface.
mac-address
To manually assign a private MAC address to an interface or subinterface, use the mac-address command in interface configuration mode. In multiple context mode, this command can assign a different MAC address to the interface in each context. To revert the MAC address to the default, use the no form of this command.
mac-address mac_address [standby mac_address]
no mac-address [mac_address [standby mac_address]]
Syntax Description
mac_address | Sets the MAC address for this interface in H.H.H format, where H is a 16-bit hexadecimal number. For example, the MAC address 00-0C-F1-42-4C-DE would be entered as 000C.F142.4CDE. If you use failover, this MAC address is the active MAC address.
standby mac_address | (Optional) Sets the standby MAC address for failover. If the active unit fails over and the standby unit becomes active, the new active unit starts using the active MAC addresses to minimize network disruption, while the old active unit uses the standby address.
Defaults
The default MAC address is the burned-in MAC address of the physical interface. Subinterfaces inherit the physical interface MAC address. Some commands set the physical interface MAC address (including this command in single mode), so the inherited address depends on that configuration.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode (Routed) | Firewall Mode (Transparent) | Security Context (Single) | Security Context (Multiple: Context) | Security Context (Multiple: System)
Interface configuration | • | • | • | • | —
Command History
Release | Modification
7.2(1) | This command was introduced.
Usage Guidelines
In multiple context mode, if you share an interface between contexts, you can assign a unique MAC address to the interface in each context. This feature lets the security appliance easily classify packets into the appropriate context. Using a shared interface without unique MAC addresses is possible, but has some limitations. See the Cisco Security Appliance Command Line Configuration Guide for more information.
You can assign each MAC address manually with this command, or you can automatically generate MAC addresses for shared interfaces in contexts using the mac-address auto command. If you automatically generate MAC addresses, you can use the mac-address command to override the generated address.
For single context mode, or for interfaces that are not shared in multiple context mode, you might want to assign unique MAC addresses to subinterfaces. For example, your service provider might perform access control based on the MAC address.
You can also set the MAC address using other commands or methods. The MAC address methods have the following priority:
1. mac-address command in interface configuration mode.
This command works for physical interfaces and subinterfaces. In multiple context mode, you set the MAC address within each context. This feature lets you set a different MAC address for the same interface in multiple contexts.
2. failover mac address command for Active/Standby failover in global configuration mode.
This command applies to physical interfaces. Subinterfaces inherit the MAC address of the physical interface unless set separately by the mac-address or mac-address auto command.
3. mac address command for Active/Active failover in failover group configuration mode.
This command applies to physical interfaces. Subinterfaces inherit the MAC address of the physical interface unless set separately by the mac-address or mac-address auto command.
4. mac-address auto command in global configuration mode (multiple context mode only).
This command applies to shared interfaces in contexts.
5. For Active/Active failover, auto-generation of active and standby MAC addresses for physical interfaces.
This method applies to physical interfaces. Subinterfaces inherit the MAC address of the physical interface unless set separately by the mac-address or mac-address auto command.
6. Burned-in MAC address. This method applies to physical interfaces.
Subinterfaces inherit the MAC address of the physical interface unless set separately by the mac-address or mac-address auto command.
Examples
The following example configures the MAC address for GigabitEthernet 0/1.1:
hostname/contextA(config)# interface gigabitethernet0/1.1
hostname/contextA(config-if)# nameif inside
hostname/contextA(config-if)# security-level 100
hostname/contextA(config-if)# ip address 10.1.2.1 255.255.255.0
hostname/contextA(config-if)# mac-address 030C.F142.4CDE standby 040C.F142.4CDE
hostname/contextA(config-if)# no shutdown
Related Commands
Command | Description
failover mac address | Sets the active and standby MAC address of a physical interface for Active/Standby failover.
mac address | Sets the active and standby MAC address of a physical interface for Active/Active failover.
mac-address auto | Auto-generates MAC addresses (active and standby) for shared interfaces in multiple context mode.
mode | Sets the security context mode to multiple or single.
show interface | Shows the interface characteristics, including the MAC address.
mac-address auto
To automatically assign private MAC addresses to each shared context interface, use the mac-address auto command in global configuration mode. To disable automatic MAC addresses, use the no form of this command.
mac-address auto
no mac-address auto
Syntax Description
This command has no arguments or keywords.
Defaults
Auto-generation is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode (Routed) | Firewall Mode (Transparent) | Security Context (Single) | Security Context (Multiple: Context) | Security Context (Multiple: System)
Global configuration | • | • | — | — | •
Command History
Release | Modification
7.2(1) | This command was introduced.
Usage Guidelines
To allow contexts to share interfaces, we suggest that you assign unique MAC addresses to each context interface. The MAC address is used to classify packets within a context. If you share an interface, but do not have unique MAC addresses for the interface in each context, then the destination IP address is used to classify packets. The destination address is matched with the context NAT configuration, and this method has some limitations compared to the MAC address method. See the Cisco Security Appliance Command Line Configuration Guide for information about classifying packets.
By default, the physical interface uses the burned-in MAC address, and all subinterfaces of a physical interface use the same burned-in MAC address.
For use with failover, the security appliance generates both an active and standby MAC address for each interface. If the active unit fails over and the standby unit becomes active, the new active unit starts using the active MAC addresses to minimize network disruption. Because the mac-address auto command only sets shared interfaces, you should still set virtual MAC addresses for unshared interfaces in an Active/Standby configuration using the mac-address or failover mac address command (Active/Active failover automatically assigns virtual MAC addresses to physical interfaces).
When you assign an interface to a context, the new MAC address is generated immediately. If you enable this command after you create context interfaces, then MAC addresses are generated for all interfaces immediately after you enter the command. If you use the no mac-address auto command, the MAC address for each interface reverts to the default MAC address. For example, subinterfaces of GigabitEthernet 0/1 revert to using the MAC address of GigabitEthernet 0/1.
The MAC address is generated using the following format:
• Active unit MAC address: 12<slot>.<port><subid>.<contextid>.
• Standby unit MAC address: 02<slot>.<port><subid>.<contextid>.
For platforms with no interface slots, the slot is always 0. The port is the interface port. The subid is an internal ID for the subinterface, which is not viewable. The contextid is an internal ID for the context, viewable with the show context detail command. For example, the interface GigabitEthernet 0/1.200 in the context with the ID 1 has the following generated MAC addresses, where the internal ID for subinterface 200 is 31:
• Active: 1200.0131.0001
• Standby: 0200.0131.0001
In the rare circumstance that the generated MAC address conflicts with another private MAC address in your network, you can manually set the MAC address for the interface within the context. See the mac-address command to manually set the MAC address.
You can also set the MAC address using other commands or methods. The MAC address methods have the following priority:
1. mac-address command in interface configuration mode.
This command works for physical interfaces and subinterfaces. In multiple context mode, you set the MAC address within each context. This feature lets you set a different MAC address for the same interface in multiple contexts.
2. failover mac address command for Active/Standby failover in global configuration mode.
This command applies to physical interfaces. Subinterfaces inherit the MAC address of the physical interface unless set separately by the mac-address or mac-address auto command.
3. mac address command for Active/Active failover in failover group configuration mode.
This command applies to physical interfaces. Subinterfaces inherit the MAC address of the physical interface unless set separately by the mac-address or mac-address auto command.
4. mac-address auto command in global configuration mode (multiple context mode only).
This command applies to shared interfaces in contexts.
5. For Active/Active failover, auto-generation of active and standby MAC addresses for physical interfaces.
This method applies to physical interfaces. Subinterfaces inherit the MAC address of the physical interface unless set separately by the mac-address or mac-address auto command.
6. Burned-in MAC address. This method applies to physical interfaces.
Subinterfaces inherit the MAC address of the physical interface unless set separately by the mac-address or mac-address auto command.
Examples
The following example enables automatic MAC address generation:
hostname(config)# mac-address auto
Related Commands
Command | Description
failover mac address | Sets the active and standby MAC address of a physical interface for Active/Standby failover.
mac address | Sets the active and standby MAC address of a physical interface for Active/Active failover.
mac-address | Manually sets the MAC address (active and standby) for a physical interface or subinterface. In multiple context mode, you can set different MAC addresses in each context for the same interface.
mode | Sets the security context mode to multiple or single.
show interface | Shows the interface characteristics, including the MAC address.
mac-address-table aging-time
To set the timeout for MAC address table entries, use the mac-address-table aging-time command in global configuration mode. To restore the default value of 5 minutes, use the no form of this command.
mac-address-table aging-time timeout_value
no mac-address-table aging-time
Syntax Description
timeout_value | The time a MAC address entry stays in the MAC address table before timing out, between 5 and 720 minutes (12 hours). 5 minutes is the default.
Defaults
The default timeout is 5 minutes.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode (Routed) | Firewall Mode (Transparent) | Security Context (Single) | Security Context (Multiple: Context) | Security Context (Multiple: System)
Global configuration | — | • | • | • | —
Command History
Release | Modification
7.0(1) | This command was introduced.
Usage Guidelines
No usage guidelines.
Examples
The following example sets the MAC address timeout to 10 minutes:
hostname(config)# mac-address-table aging-time 10
Related Commands
Command | Description
arp-inspection | Enables ARP inspection, which compares ARP packets to static ARP entries.
firewall transparent | Sets the firewall mode to transparent.
mac-address-table static | Adds static MAC address entries to the MAC address table.
mac-learn | Disables MAC address learning.
show mac-address-table | Shows the MAC address table, including dynamic and static entries.
mac-address-table static
To add a static entry to the MAC address table, use the mac-address-table static command in global configuration mode. To remove a static entry, use the no form of this command. Normally, MAC addresses are added to the MAC address table dynamically as traffic from a particular MAC address enters an interface. You can add static MAC addresses to the MAC address table if desired. One benefit to adding static entries is to guard against MAC spoofing. If a client with the same MAC address as a static entry attempts to send traffic to an interface that does not match the static entry, then the security appliance drops the traffic and generates a system message.
mac-address-table static interface_name mac_address
no mac-address-table static interface_name mac_address
Syntax Description
interface_name | The source interface.
mac_address | The MAC address you want to add to the table.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode (Routed) | Firewall Mode (Transparent) | Security Context (Single) | Security Context (Multiple: Context) | Security Context (Multiple: System)
Global configuration | — | • | • | • | —
Command History
Release | Modification
7.0(1) | This command was introduced.
Examples
The following example adds a static MAC address entry to the MAC address table:
hostname(config)# mac-address-table static inside 0010.7cbe.6101
Related Commands
Command | Description
arp | Adds a static ARP entry.
firewall transparent | Sets the firewall mode to transparent.
mac-address-table aging-time | Sets the timeout for dynamic MAC address entries.
mac-learn | Disables MAC address learning.
show mac-address-table | Shows MAC address table entries.
mac-learn
To disable MAC address learning for an interface, use the mac-learn command in global configuration mode. To reenable MAC address learning, use the no form of this command. By default, each interface automatically learns the MAC addresses of entering traffic, and the security appliance adds corresponding entries to the MAC address table. You can disable MAC address learning if desired.
mac-learn interface_name disable
no mac-learn interface_name disable
Syntax Description
interface_name | The interface on which you want to disable MAC learning.
disable | Disables MAC learning.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode (Routed) | Firewall Mode (Transparent) | Security Context (Single) | Security Context (Multiple: Context) | Security Context (Multiple: System)
Global configuration | — | • | • | • | —
Command History
Release | Modification
7.0(1) | This command was introduced.
Examples
The following example disables MAC learning on the outside interface:
hostname(config)# mac-learn outside disable
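The following is an added Python model, not Cisco code, of the transparent-firewall MAC address table behaviour described under mac-address-table static, mac-address-table aging-time and mac-learn: a static entry pins a source MAC to one interface and a frame carrying that MAC on any other interface is dropped and logged, dynamic entries age out after the configured time, and learning can be disabled per interface. The interface names, MAC addresses and timestamps are constructed inputs; destination lookup and flooding are outside what the model covers.

```python
"""Model of the MAC address table semantics from the mac-address-table
static, mac-address-table aging-time and mac-learn command references.
Constructed example; it does not talk to an appliance."""
from dataclasses import dataclass, field


@dataclass
class Entry:
    interface: str
    static: bool
    last_seen: float  # seconds; ignored for static entries


@dataclass
class MacTable:
    aging_time_min: int = 5  # mac-address-table aging-time default: 5 minutes
    entries: dict = field(default_factory=dict)
    learning_disabled: set = field(default_factory=set)
    syslog: list = field(default_factory=list)

    def add_static(self, interface, mac):
        """mac-address-table static <interface_name> <mac_address>"""
        self.entries[mac.lower()] = Entry(interface, True, 0.0)

    def mac_learn_disable(self, interface):
        """mac-learn <interface_name> disable"""
        self.learning_disabled.add(interface)

    def age_out(self, now):
        """Remove dynamic entries idle for longer than the aging time.
        Static entries never age out."""
        limit = self.aging_time_min * 60
        stale = [m for m, e in self.entries.items()
                 if not e.static and now - e.last_seen > limit]
        for mac in stale:
            del self.entries[mac]

    def ingress(self, interface, src_mac, now):
        """Process the source MAC of a frame arriving on `interface`.
        Returns 'drop' for a static-entry mismatch, otherwise 'forward'."""
        src_mac = src_mac.lower()
        self.age_out(now)
        entry = self.entries.get(src_mac)
        if entry and entry.static:
            if entry.interface != interface:
                # The static entry pins this MAC to another interface, so
                # the frame is treated as spoofed: dropped and logged.
                self.syslog.append(
                    f"MAC {src_mac} is static on {entry.interface} "
                    f"but was seen on {interface}: frame dropped")
                return "drop"
            return "forward"
        if interface not in self.learning_disabled:
            # Dynamic learning: record (or refresh) the source interface.
            self.entries[src_mac] = Entry(interface, False, now)
        return "forward"
```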
Related Commands
Command | Description
clear configure mac-learn | Sets the mac-learn configuration to the default.
firewall transparent | Sets the firewall mode to transparent.
mac-address-table static | Adds static MAC address entries to the MAC address table.
show mac-address-table | Shows the MAC address table, including dynamic and static entries.
show running-config mac-learn | Shows the mac-learn configuration.
mac-list
To specify a list of MAC addresses to be used to exempt MAC addresses from authentication and/or authorization, use the mac-list command in global configuration mode. To remove a MAC list entry, use the no form of this command.
mac-list id {deny | permit} mac macmask
no mac-list id {deny | permit} mac macmask
Syntax Description
deny | Indicates that traffic matching this MAC address does not match the MAC list and is subject to both authentication and authorization when specified in the aaa mac-exempt command. You might need to add a deny entry to the MAC list if you permit a range of MAC addresses using a MAC address mask such as ffff.ffff.0000, and you want to force a MAC address in that range to be authenticated and authorized.
id | Specifies a hexadecimal MAC access list number. To group a set of MAC addresses, enter the mac-list command as many times as needed with the same ID value. The order of entries matters, because the packet uses the first entry it matches, as opposed to a best match scenario. If you have a permit entry, and you want to deny an address that is allowed by the permit entry, be sure to enter the deny entry before the permit entry.
mac | Specifies the source MAC address in 12-digit hexadecimal form; that is, nnnn.nnnn.nnnn
macmask | Specifies the portion of the MAC address that should be used for matching. For example, ffff.ffff.ffff matches the MAC address exactly. ffff.ffff.0000 matches only the first 8 digits.
permit | Indicates that traffic matching this MAC address matches the MAC list and is exempt from both authentication and authorization when specified in the aaa mac-exempt command.
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode (Routed) | Firewall Mode (Transparent) | Security Context (Single) | Security Context (Multiple: Context) | Security Context (Multiple: System)
Global configuration | • | • | • | • | —
Command History
Release | Modification
Preexisting | This command was preexisting.
Usage Guidelines
To enable MAC address exemption from authentication and authorization, use the aaa mac-exempt command. You can only add one instance of the aaa mac-exempt command, so be sure that your MAC list includes all the MAC addresses you want to exempt. You can create multiple MAC lists, but you can only use one at a time.
Examples
The following example bypasses authentication for a single MAC address:
hostname(config)# mac-list abc permit 00a0.c95d.0282 ffff.ffff.ffff
hostname(config)# aaa mac-exempt match abc
The following entry bypasses authentication for all Cisco IP Phones, which have the hardware ID 0003.E3:
hostname(config)# mac-list acd permit 0003.E300.0000 FFFF.FF00.0000
hostname(config)# aaa mac-exempt match acd
The following example bypasses authentication for a group of MAC addresses except for 00a0.c95d.02b2. Enter the deny statement before the permit statement, because 00a0.c95d.02b2 matches the permit statement as well, and if the permit statement is first, the deny statement will never be matched.
hostname(config)# mac-list 1 deny 00a0.c95d.0282 ffff.ffff.ffff
hostname(config)# mac-list 1 permit 00a0.c95d.0000 ffff.ffff.0000
hostname(config)# aaa mac-exempt match 1
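The first-match evaluation described for the id and deny keywords, as an added Python example that is not part of the Cisco reference: it models the three example lists above and also enters the range/exception list in the wrong order, to show that the permit then shadows the deny and the excepted address is exempted anyway. The MAC addresses are the ones from the examples; parse_mac, MacList and build_page_lists are names chosen here.

```python
"""First-match mac-list evaluation as used by aaa mac-exempt.
Added example; not Cisco code."""


def parse_mac(text):
    """Convert 'nnnn.nnnn.nnnn' (any case) to a 48-bit integer."""
    hexdigits = text.replace(".", "")
    if len(hexdigits) != 12:
        raise ValueError(f"expected 12 hex digits: {text!r}")
    return int(hexdigits, 16)


class MacList:
    """One mac-list id: an ordered list of (action, mac, mask) entries."""

    def __init__(self, list_id):
        self.list_id = list_id
        self.entries = []

    def add(self, action, mac, mask):
        """mac-list <id> {deny | permit} <mac> <macmask>; order is kept."""
        if action not in ("permit", "deny"):
            raise ValueError(f"action must be permit or deny: {action!r}")
        self.entries.append((action, parse_mac(mac), parse_mac(mask)))
        return self

    def lookup(self, src_mac):
        """Return the action of the first entry whose masked bits match,
        or None when no entry matches (no best-match search)."""
        value = parse_mac(src_mac)
        for action, mac, mask in self.entries:
            if (value & mask) == (mac & mask):
                return action
        return None

    def is_exempt(self, src_mac):
        """aaa mac-exempt semantics: only an explicit permit exempts the
        source from authentication and authorization; a deny or no match
        leaves AAA in force."""
        return self.lookup(src_mac) == "permit"


def build_page_lists():
    """The three mac-lists from the command reference examples, plus the
    range/exception list entered with permit before deny."""
    abc = MacList("abc").add("permit", "00a0.c95d.0282", "ffff.ffff.ffff")
    acd = MacList("acd").add("permit", "0003.E300.0000", "FFFF.FF00.0000")
    right = (MacList("1")
             .add("deny", "00a0.c95d.0282", "ffff.ffff.ffff")
             .add("permit", "00a0.c95d.0000", "ffff.ffff.0000"))
    wrong = (MacList("1-wrong-order")
             .add("permit", "00a0.c95d.0000", "ffff.ffff.0000")
             .add("deny", "00a0.c95d.0282", "ffff.ffff.ffff"))
    return {"abc": abc, "acd": acd, "right": right, "wrong": wrong}
```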
Related Commands
Command | Description
aaa authentication | Enables user authentication.
aaa authorization | Enables user authorization services.
aaa mac-exempt | Exempts a list of MAC addresses from authentication and authorization.
clear configure mac-list | Removes a list of MAC addresses previously specified by the mac-list command.
show running-config mac-list | Displays a list of MAC addresses previously specified in the mac-list command.
mail-relay
To configure a local domain name, use the mail-relay command in parameters configuration mode. To disable this feature, use the no form of this command.
mail-relay domain_name action {drop-connection | log}
no mail-relay domain_name action {drop-connection | log}
Syntax Description
domain_name | Specifies the domain name.
drop-connection | Closes the connection.
log | Generates a system log message.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode (Routed) | Firewall Mode (Transparent) | Security Context (Single) | Security Context (Multiple: Context) | Security Context (Multiple: System)
Parameters configuration | • | • | • | • | —
Command History
Release | Modification
7.2(1) | This command was introduced.
Examples
The following example shows how to configure a mail relay for a specific domain:
hostname(config)# policy-map type inspect esmtp esmtp_map
hostname(config-pmap)# parameters
hostname(config-pmap-p)# mail-relay mail action drop-connection
Related Commands
Command | Description
class | Identifies a class map name in the policy map.
class-map type inspect | Creates an inspection class map to match traffic specific to an application.
policy-map | Creates a Layer 3/4 policy map.
show running-config policy-map | Displays all current policy map configurations.
management-access
To allow management access to an interface other than the one from which you entered the security appliance when using VPN, use the management-access command in global configuration mode. To disable management access, use the no form of this command.
management-access mgmt_if
no management-access mgmt_if
Syntax Description
mgmt_if | Specifies the name of the management interface you want to access when entering the security appliance from another interface.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode (Routed) | Firewall Mode (Transparent) | Security Context (Single) | Security Context (Multiple: Context) | Security Context (Multiple: System)
Global configuration | • | — | • | — | —
Command History
Release | Modification
Preexisting | This command was preexisting.
Usage Guidelines
This command allows you to connect to an interface other than the one you entered the security appliance from when using a full tunnel IPSec VPN or SSL VPN client (AnyConnect 2.x client, SVC 1.x) or across a site-to-site IPSec tunnel. For example, if you enter the security appliance from the outside interface, this command lets you connect to the inside interface using Telnet; or you can ping the inside interface when entering from the outside interface.
You can define only one management-access interface.
Note: Do not apply a static NAT statement to the management access interface; if you do so, then remote VPN users will not be able to access the management interface.
Examples
The following example shows how to configure a firewall interface named "inside" as the management access interface:
hostname(config)# management-access inside
hostname(config)# show management-access
Related Commands
Command | Description
clear configure management-access | Removes the configuration of an internal interface for management access of the security appliance.
show management-access | Displays the name of the internal interface configured for management access.
management-only
To set an interface to accept management traffic only, use the management-only command in interface configuration mode. To allow through traffic, use the no form of this command.
management-only
no management-only
Syntax Description
This command has no arguments or keywords.
Defaults
The Management 0/0 interface on the ASA 5510 and higher adaptive security appliance is set to management-only mode by default.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode (Routed) | Firewall Mode (Transparent) | Security Context (Single) | Security Context (Multiple: Context) | Security Context (Multiple: System)
Interface configuration | • | — | • | • | —
Command History
Release | Modification
7.0(1) | This command was introduced.
Usage Guidelines
The ASA 5510 and higher adaptive security appliance includes a dedicated management interface called Management 0/0, which is meant to support traffic to the security appliance. However, you can configure any interface to be a management-only interface using the management-only command. Also, for Management 0/0, you can disable management-only mode so the interface can pass through traffic just like any other interface.
Transparent firewall mode allows only two interfaces to pass through traffic; however, on the ASA 5510 and higher adaptive security appliance, you can use the Management 0/0 interface (either the physical interface or a subinterface) as a third interface for management traffic. The mode is not configurable in this case and must always be management-only. You can also set the IP address of this interface in transparent mode if you want this interface to be on a different subnet from the management IP address, which is assigned to the security appliance or context, and not to individual interfaces.
Examples
The following example disables management-only mode on the management interface:
hostname(config)# interface management0/0
hostname(config-if)# no management-only
The following example enables management-only mode on a subinterface:
hostname(config)# interface gigabitethernet0/2.1
hostname(config-subif)# management-only
Related Commands
Command | Description
interface | Configures an interface and enters interface configuration mode.
map-name
To map a user-defined attribute name to a Cisco attribute name, use the map-name command in ldap-attribute-map configuration mode. To remove this mapping, use the no form of this command.
map-name user-attribute-name Cisco-attribute-name
no map-name user-attribute-name Cisco-attribute-name
Syntax Description
user-attribute-name | Specifies the user-defined attribute name that you are mapping to the Cisco attribute.
Cisco-attribute-name | Specifies the Cisco attribute name that you are mapping to the user-defined name.
Defaults
By default, no name mappings exist.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode (Routed) | Firewall Mode (Transparent) | Security Context (Single) | Security Context (Multiple: Context) | Security Context (Multiple: System)
ldap-attribute-map configuration | • | • | • | • | —
Command History
Release | Modification
7.1(1) | This command was introduced.
Usage Guidelines
With the map-name command, you can map your own attribute names to Cisco attribute names. You can then bind the resulting attribute map to an LDAP server. Your typical steps would include:
1. Use the ldap attribute-map command in global configuration mode to create an unpopulated attribute map. This command enters ldap-attribute-map mode.
2. Use the map-name and map-value commands in ldap-attribute-map mode to populate the attribute map.
3. Use the ldap-attribute-map command in aaa-server host mode to bind the attribute map to an LDAP server. Note the hyphen after "ldap" in this command.
Note: To use the attribute mapping features correctly, you need to understand both the Cisco LDAP attribute names and values as well as the user-defined attribute names and values.
Examples
The following example commands map a user-defined attribute name Hours to the Cisco attribute name cVPN3000-Access-Hours in the LDAP attribute map myldapmap:
hostname(config)# ldap attribute-map myldapmap
hostname(config-ldap-attribute-map)# map-name Hours cVPN3000-Access-Hours
hostname(config-ldap-attribute-map)#
Within ldap-attribute-map mode, you can enter "?" to display the complete list of Cisco LDAP attribute names, as shown in the following example:
hostname(config-ldap-attribute-map)# map-name ?
ldap mode commands/options:
cVPN3000-Allow-Network-Extension-Mode
cVPN3000-Auth-Service-Type
cVPN3000-Authenticated-User-Idle-Timeout
cVPN3000-Authorization-Required
cVPN3000-Authorization-Type
hostname(config-ldap-attribute-map)#
Related Commands
Command | Description
ldap attribute-map (global configuration mode) | Creates and names an LDAP attribute map for mapping user-defined attribute names to Cisco LDAP attribute names.
ldap-attribute-map (aaa-server host mode) | Binds an LDAP attribute map to an LDAP server.
map-value | Maps a user-defined attribute value to a Cisco attribute.
show running-config ldap attribute-map | Displays a specific running LDAP attribute map or all running attribute maps.
clear configure ldap attribute-map | Removes all LDAP attribute maps.
map-value
To map a user-defined value to a Cisco LDAP attribute, use the map-value command in ldap-attribute-map configuration mode. To delete an entry within a map, use the no form of this command.
map-value user-attribute-name user-value-string Cisco-value-string
no map-value user-attribute-name user-value-string Cisco-value-string
Syntax Description
cisco-value-string | Specifies the Cisco value string for the Cisco attribute.
user-attribute-name | Specifies the user-defined attribute name that you are mapping to the Cisco attribute name.
user-value-string | Specifies the user-defined value string that you are mapping to the Cisco attribute value.
Defaults
By default, there are no user-defined values mapped to Cisco attributes.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
ldap-attribute-map configuration | • | • | • | • | —
Command History
Release | Modification
7.1(1) | This command was introduced.
Usage Guidelines
With the map-value command, you can map your own attribute values to Cisco attribute names and values. You can then bind the resulting attribute map to an LDAP server. Your typical steps would include:
1. Use the ldap attribute-map command in global configuration mode to create an unpopulated attribute map. This command enters ldap-attribute-map mode.
2. Use the map-name and map-value commands in ldap-attribute-map mode to populate the attribute map.
3. Use the ldap-attribute-map command in aaa-server host mode to bind the attribute map to an LDAP server. Note the hyphen after "ldap" in this command.
Note
To use the attribute mapping features correctly, you need to understand both the Cisco LDAP attribute names and values as well as the user-defined attribute names and values.
Examples
The following example, entered in ldap-attribute-map mode, sets the user-defined value of the user attribute Hours to a user-defined time policy named workDay and a Cisco-defined time policy named Daytime:
hostname(config)# ldap attribute-map myldapmap
hostname(config-ldap-attribute-map)# map-value Hours workDay Daytime
hostname(config-ldap-attribute-map)#
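The following is an added example, not Cisco code, that models what the map-name and map-value entries above do to the attributes an LDAP server returns for a user. It covers both the map-name and the map-value usage guidelines. Two behaviours are assumptions of the model rather than statements from this reference: attributes with no map-name entry are dropped, and values with no map-value entry pass through unchanged. The sample LDAP entry is constructed.

```python
# Added example (not Cisco code): a small model of an ldap attribute-map that
# shows what map-name and map-value do to attributes returned by an LDAP server.
# Assumptions of this model: attributes with no map-name entry are not passed on,
# and values with no map-value entry pass through unchanged.
from dataclasses import dataclass, field


@dataclass
class LdapAttributeMap:
    """Mirrors 'ldap attribute-map <name>' populated in ldap-attribute-map mode."""
    name: str
    names: dict = field(default_factory=dict)    # user attribute name -> Cisco attribute name
    values: dict = field(default_factory=dict)   # (user attribute name, user value) -> Cisco value

    def map_name(self, user_attr, cisco_attr):
        """map-name <user-attribute-name> <Cisco-attribute-name>"""
        self.names[user_attr] = cisco_attr
        return self

    def map_value(self, user_attr, user_value, cisco_value):
        """map-value <user-attribute-name> <user-value-string> <Cisco-value-string>"""
        self.values[(user_attr, user_value)] = cisco_value
        return self

    def apply(self, ldap_entry):
        """Translate one LDAP entry ({attribute: [values]}) into Cisco attributes."""
        cisco_attrs = {}
        for attr, vals in ldap_entry.items():
            cisco_attr = self.names.get(attr)
            if cisco_attr is None:
                continue  # assumption: attribute names without a map-name entry are dropped
            # assumption: values without a map-value entry pass through unchanged
            cisco_attrs[cisco_attr] = [self.values.get((attr, v), v) for v in vals]
        return cisco_attrs


def build_page_example_map():
    """The map from the page: Hours -> cVPN3000-Access-Hours, workDay -> Daytime."""
    return (LdapAttributeMap("myldapmap")
            .map_name("Hours", "cVPN3000-Access-Hours")
            .map_value("Hours", "workDay", "Daytime"))


# Constructed sample entry, as an LDAP server might return it for one user.
SAMPLE_ENTRY = {"Hours": ["workDay"], "mail": ["user@example.test"]}

if __name__ == "__main__":
    print(build_page_example_map().apply(SAMPLE_ENTRY))
```

Running the module prints the single Cisco attribute the map produces from the sample entry; the unmapped mail attribute does not appear.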
Related Commands
Command | Description
ldap attribute-map (global configuration mode) | Creates and names an LDAP attribute map for mapping user-defined attribute names to Cisco LDAP attribute names.
ldap-attribute-map (aaa-server host mode) | Binds an LDAP attribute map to an LDAP server.
map-name | Maps a user-defined LDAP attribute name to a Cisco LDAP attribute name.
show running-config ldap attribute-map | Displays a specific running LDAP attribute map or all running attribute maps.
clear configure ldap attribute-map | Removes all LDAP maps.
mask
When using the Modular Policy Framework, mask out part of the packet that matches a match command or class map by using the mask command in match or class configuration mode. This mask action is available in an inspection policy map (the policy-map type inspect command) for application traffic; however, not all applications allow this action. For example, you can use the mask command in DNS application inspection to mask a header flag before allowing the traffic through the security appliance. To disable this action, use the no form of this command.
mask [log]
no mask [log]
Syntax Description
log | Logs the match. The system log message number depends on the application.
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Match and class configuration | • | • | • | • | —
Command History
Release | Modification
7.2(1) | This command was introduced.
Usage Guidelines
An inspection policy map consists of one or more match and class commands. The exact commands available for an inspection policy map depend on the application. After you enter the match or class command to identify application traffic (the class command refers to an existing class-map type inspect command that in turn includes match commands), you can enter the mask command to mask the part of the packet that matches the match command or class command.
When you enable application inspection using the inspect command in a Layer 3/4 policy map (the policy-map command), you can enable the inspection policy map that contains this action, for example, enter the inspect dns dns_policy_map command where dns_policy_map is the name of the inspection policy map.
Examples
The following example masks the RD and RA flags in the DNS header before allowing the traffic through the security appliance:
hostname(config)# policy-map type inspect dns dns-map1
hostname(config-pmap)# match header-flag RD
hostname(config-pmap-c)# mask log
hostname(config-pmap-c)# match header-flag RA
hostname(config-pmap-c)# mask log
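The following is an added example, not Cisco code, showing what the two mask log actions in dns-map1 do to a DNS message: the matched RD and RA bits in the header flags word are cleared before the message is forwarded, and a log record is produced for each masked flag. The header layout follows RFC 1035; the sample response and the log record format are constructed for this example and are not the appliance's syslog format.

```python
# Added example (not Cisco code): what the mask action does to a DNS header when
# the inspection policy map pairs 'match header-flag RD' / 'match header-flag RA'
# with 'mask log'. The log record format is this example's own.
import struct

# Bits of the 16-bit flags word in the DNS header (RFC 1035, section 4.1.1).
DNS_HEADER_FLAGS = {"QR": 0x8000, "AA": 0x0400, "TC": 0x0200, "RD": 0x0100, "RA": 0x0080}
DNS_HEADER_LEN = 12


def dns_flags(packet):
    """Return the set of flag names that are set in a DNS message header."""
    _, flags = struct.unpack("!HH", packet[:4])
    return {name for name, bit in DNS_HEADER_FLAGS.items() if flags & bit}


def mask_dns_header_flags(packet, policy, log):
    """Apply a list of (flag, log) actions, mirroring successive
    'match header-flag <flag>' + 'mask [log]' entries. Returns the rewritten packet
    and appends one record per masked flag to 'log' when logging is requested."""
    if len(packet) < DNS_HEADER_LEN:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", packet[:4])
    for flag, do_log in policy:
        bit = DNS_HEADER_FLAGS[flag]
        if flags & bit:           # the match fires only when the flag is present
            flags &= ~bit         # mask: clear the flag before forwarding
            if do_log:
                log.append(f"dns id=0x{txid:04x} masked header flag {flag}")
    return packet[:2] + struct.pack("!H", flags) + packet[4:]


# The two entries from the page's dns-map1 example: match header-flag RD / RA, mask log.
DNS_MAP1 = [("RD", True), ("RA", True)]

# Constructed sample: a response (QR set) with RD and RA set, one question, one answer count.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + b"\x03www\x07example\x04test\x00\x00\x01\x00\x01")

if __name__ == "__main__":
    records = []
    out = mask_dns_header_flags(SAMPLE_RESPONSE, DNS_MAP1, records)
    print(sorted(dns_flags(out)), records)
```

Only the flags word changes; the transaction ID, counts and the rest of the message are forwarded untouched, which is what lets the client still parse the response.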
Related Commands
Command | Description
class | Identifies a class map name in the policy map.
class-map type inspect | Creates an inspection class map to match traffic specific to an application.
policy-map | Creates a Layer 3/4 policy map.
policy-map type inspect | Defines special actions for application inspection.
show running-config policy-map | Displays all current policy map configurations.
mask-banner
To obfuscate the server banner, use the mask-banner command in parameters configuration mode. To disable this feature, use the no form of this command.
mask-banner
no mask-banner
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Parameters configuration | • | • | • | • | —
Command History
Release | Modification
7.2(1) | This command was introduced.
Examples
The following example shows how to mask the server banner:
hostname(config)# policy-map type inspect esmtp esmtp_map
hostname(config-pmap)# parameters
hostname(config-pmap-p)# mask-banner
Related Commands
Command | Description
class | Identifies a class map name in the policy map.
class-map type inspect | Creates an inspection class map to match traffic specific to an application.
policy-map | Creates a Layer 3/4 policy map.
show running-config policy-map | Displays all current policy map configurations.
mask-syst-reply
To hide the FTP server response from clients, use the mask-syst-reply command in FTP map configuration mode, which is accessible by using the ftp-map command. To remove the configuration, use the no form of this command.
mask-syst-reply
no mask-syst-reply
Syntax Description
This command has no arguments or keywords.
Defaults
This command is enabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
FTP map configuration | • | • | • | • | —
Command History
Release | Modification
7.0(1) | This command was introduced.
Usage Guidelines
Use the mask-syst-reply command with strict FTP inspection to protect the FTP server system from clients. After you enable this command, the server's replies to the syst command are replaced by a series of Xs.
Examples
The following example causes the security appliance to replace the FTP server replies to the syst command with Xs:
hostname(config)# ftp-map inbound_ftp
hostname(config-ftp-map)# mask-syst-reply
hostname(config-ftp-map)#
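The following is an added example, not Cisco code, of the reply rewriting that mask-syst-reply performs on an FTP 215 reply (the answer to syst, which discloses the server operating system) and that mask-banner above performs on an ESMTP 220 greeting. The page states only that the syst reply is replaced by a series of Xs; applying the same replacement to the ESMTP banner, and preserving the three-digit reply code so the client can still parse the reply, are assumptions of this example. The sample replies are constructed.

```python
# Added example (not Cisco code): the effect of mask-syst-reply on an FTP reply and,
# by the same mechanism, of mask-banner on an ESMTP greeting. The page says the SYST
# reply is replaced by a series of Xs; applying the same replacement to the 220
# banner and keeping the 3-digit reply code are assumptions of this example.
import re


def mask_reply_text(reply, code):
    """Replace the text of every reply line carrying 'code' with Xs of equal length.
    Lines with other reply codes pass through unchanged. Handles multi-line
    replies ('220-...' continuation lines) and keeps the CRLF framing."""
    pattern = re.compile(r"^(%s[ -])(.*)$" % re.escape(code))
    out = []
    for line in reply.split("\r\n"):
        m = pattern.match(line)
        out.append(m.group(1) + "X" * len(m.group(2)) if m else line)
    return "\r\n".join(out)


def mask_syst_reply(reply):
    """FTP: 215 is the reply to SYST, the line that discloses the server OS."""
    return mask_reply_text(reply, "215")


def mask_esmtp_banner(reply):
    """ESMTP: the 220 greeting that usually names the MTA software and version."""
    return mask_reply_text(reply, "220")


# Constructed sample replies.
FTP_SYST = "215 UNIX Type: L8\r\n"
SMTP_GREETING = "220-mail.example.test ESMTP Postfix\r\n220 ready\r\n"

if __name__ == "__main__":
    print(repr(mask_syst_reply(FTP_SYST)))
    print(repr(mask_esmtp_banner(SMTP_GREETING)))
```

Because the replacement keeps the reply length and code, the client sees a syntactically valid reply and the session continues; what it loses is the operating-system or MTA string that is often used to fingerprint the server.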
Related Commands
Command | Description
class-map | Defines the traffic class to which to apply security actions.
ftp-map | Defines an FTP map and enables FTP map configuration mode.
inspect ftp | Applies a specific FTP map to use for application inspection.
policy-map | Associates a class map with specific security actions.
request-command deny | Specifies FTP commands to disallow.
match access-list
When using the Modular Policy Framework, use an access list to identify traffic to which you want to apply actions by using the match access-list command in class-map configuration mode. To remove the match access-list command, use the no form of this command.
match access-list access_list_name
no match access-list access_list_name
Syntax Description
access_list_name | Specifies the name of an access list to be used as match criteria.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Class-map configuration | • | • | • | • | —
Command History
Release | Modification
7.0(1) | This command was introduced.
Usage Guidelines
Configuring Modular Policy Framework consists of four tasks:
1. Identify the Layer 3 and 4 traffic to which you want to apply actions using the class-map command.
After you enter the class-map command, you can enter the match access-list command to identify the traffic. Alternatively, you can enter a different type of match command, such as the match port command. You can include only one match access-list command in the class map, and you cannot combine it with other types of match commands. The exception is the match default-inspection-traffic command, which matches the default TCP and UDP ports used by all applications that the security appliance can inspect; after that command, you can narrow the traffic to match by adding a match access-list command. Because the match default-inspection-traffic command specifies the ports to match, any ports in the access list are ignored.
2. (Application inspection only) Define special actions for application inspection traffic using the policy-map type inspect command.
3. Apply actions to the Layer 3 and 4 traffic using the policy-map command.
4. Activate the actions on an interface using the service-policy command.
Examples
The following example creates three Layer 3/4 class maps that match three access lists:
hostname(config)# access-list udp permit udp any any
hostname(config)# access-list tcp permit tcp any any
hostname(config)# access-list host_foo permit ip any 10.1.1.1 255.255.255.255
hostname(config)# class-map all_udp
hostname(config-cmap)# description "This class-map matches all UDP traffic"
hostname(config-cmap)# match access-list udp
hostname(config-cmap)# class-map all_tcp
hostname(config-cmap)# description "This class-map matches all TCP traffic"
hostname(config-cmap)# match access-list tcp
hostname(config-cmap)# class-map to_server
hostname(config-cmap)# description "This class-map matches all traffic to server 10.1.1.1"
hostname(config-cmap)# match access-list host_foo
Related Commands
Command | Description
class-map | Creates a Layer 3/4 class map.
clear configure class-map | Removes all class maps.
match any | Includes all traffic in the class map.
match port | Identifies a specific port number in a class map.
show running-config class-map | Displays the information about the class map configuration.
match any
When using the Modular Policy Framework, match all traffic to which you want to apply actions by using the match any command in class-map configuration mode. To remove the match any command, use the no form of this command.
match any
no match any
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Class-map configuration | • | • | • | • | —
Command History
Release | Modification
7.0(1) | This command was introduced.
Usage Guidelines
Configuring Modular Policy Framework consists of four tasks:
1. Identify the Layer 3 and 4 traffic to which you want to apply actions using the class-map command.
After you enter the class-map command, you can enter the match any command to identify all traffic. Alternatively, you can enter a different type of match command, such as the match port command. You cannot combine the match any command with other types of match commands.
2. (Application inspection only) Define special actions for application inspection traffic using the policy-map type inspect command.
3. Apply actions to the Layer 3 and 4 traffic using the policy-map command.
4. Activate the actions on an interface using the service-policy command.
Examples
This example shows how to define a traffic class using a class map and the match any command:
hostname(config)# class-map cmap
hostname(config-cmap)# match any
Related Commands
Command | Description
class-map | Creates a Layer 3/4 class map.
clear configure class-map | Removes all class maps.
match access-list | Matches traffic according to an access list.
match port | Identifies a specific port number in a class map.
show running-config class-map | Displays the information about the class map configuration.
match apn
To configure a match condition for an access point name in GTP messages, use the match apn command in class-map or policy-map configuration mode. To remove the match condition, use the no form of this command.
match [not] apn regex [regex_name | class regex_class_name]
no match [not] apn regex [regex_name | class regex_class_name]
Syntax Description
regex_name | Specifies a regular expression.
class regex_class_name | Specifies a regular expression class map.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Class-map or policy map configuration | • | • | • | • | —
Command History
Release | Modification
7.2(1) | This command was introduced.
Usage Guidelines
This command can be configured in a GTP class map or policy map. Only one entry can be entered in a GTP class map.
Examples
The following example shows how to configure a match condition for an access point name in a GTP inspection class map:
hostname(config-cmap)# match apn class gtp_regex_apn
Related Commands
Command | Description
class-map | Creates a Layer 3/4 class map.
clear configure class-map | Removes all class maps.
match any | Includes all traffic in the class map.
match port | Identifies a specific port number in a class map.
show running-config class-map | Displays the information about the class map configuration.
match body
To configure a match condition on the length of an ESMTP message body, or on the length of a single line within it, use the match body command in class-map or policy-map configuration mode. To remove a configured section, use the no form of this command.
match [not] body [length | line length] gt bytes
no match [not] body [length | line length] gt bytes
Syntax Description
length | Specifies the length of an ESMTP body message.
line length | Specifies the length of a line of an ESMTP body message.
bytes | Specifies the number to match in bytes.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Class-map or policy map configuration | • | • | • | • | —
Command History
Release | Modification
7.2(1) | This command was introduced.
Examples
The following example shows how to configure a match condition for a body line length in an ESMTP inspection policy map:
hostname(config)# policy-map type inspect esmtp esmtp_map
hostname(config-pmap)# match body line length gt 1000
Related Commands
Command | Description
class-map | Creates a Layer 3/4 class map.
clear configure class-map | Removes all class maps.
match any | Includes all traffic in the class map.
match port | Identifies a specific port number in a class map.
show running-config class-map | Displays the information about the class map configuration.
match called-party
To configure a match condition on the H.323 called party, use the match called-party command in policy-map configuration mode. To disable this feature, use the no form of this command.
match [not] called-party [regex regex]
no match [not] called-party [regex regex]
Syntax Description
regex regex | Specifies to match on the regular expression.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Policy map configuration | • | • | • | • | —
Command History
Release | Modification
7.2(1) | This command was introduced.
Examples
The following example shows how to configure a match condition for the called party in an H.323 inspection class map:
hostname(config-cmap)# match called-party regex caller1
Related Commands
Command | Description
class-map | Creates a Layer 3/4 class map.
clear configure class-map | Removes all class maps.
match any | Includes all traffic in the class map.
match port | Identifies a specific port number in a class map.
show running-config class-map | Displays the information about the class map configuration.
match calling-party
To configure a match condition on the H.323 calling party, use the match calling-party command in policy-map configuration mode. To disable this feature, use the no form of this command.
match [not] calling-party [regex regex]
no match [not] calling-party [regex regex]
Syntax Description
regex regex | Specifies to match on the regular expression.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Policy map configuration | • | • | • | • | —
Command History
Release | Modification
7.2(1) | This command was introduced.
Examples
The following example shows how to configure a match condition for the calling party in an H.323 inspection class map:
hostname(config-cmap)# match calling-party regex caller1
Related Commands
Command | Description
class-map | Creates a Layer 3/4 class map.
clear configure class-map | Removes all class maps.
match any | Includes all traffic in the class map.
match port | Identifies a specific port number in a class map.
show running-config class-map | Displays the information about the class map configuration.
match certificate
During the PKI certificate validation process, the security appliance checks certificate revocation status to maintain security. It can use either CRL checking or Online Certificate Status Protocol (OCSP) to accomplish this task. With CRL checking, the security appliance retrieves, parses, and caches Certificate Revocation Lists, which provide a complete list of revoked certificates. OCSP offers a more scalable method of checking revocation status in that it localizes certificate status on a Validation Authority, which it queries for the status of a specific certificate.
Certificate match rules let you configure OCSP URL overrides, which specify a URL to check for revocation status, rather than the URL in the AIA field of the remote user certificate. Match rules also let you configure trustpoints to use to validate OCSP responder certificates, which lets the security appliance validate responder certificates from any CA, including self-signed certificates and certificates external to the validation path of the client certificate.
To configure a certificate match rule, use the match certificate command in crypto ca trustpoint mode. To remove the rule from the configuration, use the no form of this command.
match certificate map-name override ocsp [trustpoint trustpoint-name] seq-num url URL
no match certificate map-name override ocsp
Syntax Description
map-name | Specifies the name of the certificate map to match to this rule. You must configure the certificate map prior to configuring a match rule. Maximum 65 characters.
match certificate | Specifies the certificate map for this match rule.
override ocsp | Specifies that the purpose of the rule is to override an OCSP URL in a certificate.
seq-num | Sets the priority for this match rule. Range is 1 to 10000. The security appliance evaluates the match rule with the lowest sequence number first, followed by higher numbers until it finds a match.
trustpoint | (Optional) Specifies using a trustpoint for verifying the OCSP responder certificate.
trustpoint-name | (Optional) Identifies the trustpoint to use with the override to validate responder certificates.
url | Specifies accessing a URL for OCSP revocation status.
URL | Identifies the URL to access for OCSP revocation status.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
crypto ca trustpoint mode | • | • | • | • | •
Command History
Release | Modification
7.2(1) | This command was introduced.
Usage Guidelines
Be aware of the following tips when configuring OCSP:
• You can configure multiple match rules within a trustpoint configuration, but you can have only one match rule for each crypto ca certificate map. You can, however, configure multiple crypto ca certificate maps and associate them with the same trustpoint.
• You must configure the certificate map before configuring a match rule.
• To configure a trustpoint to validate a self-signed OCSP responder certificate, you import the self-signed responder certificate into its own trustpoint as a trusted CA certificate. Then you configure the match certificate command in the trustpoint that validates client certificates to use the trustpoint that contains the self-signed OCSP responder certificate to validate the responder certificate. The same applies for validating responder certificates external to the validation path of the client certificate.
• A trustpoint can validate both the client certificate and the responder certificate if the same CA issues both of them. But if different CAs issue the client and responder certificates, you need to configure two trustpoints, one trustpoint for each certificate.
• The OCSP server (responder) certificate typically signs the OCSP response. After receiving the response, the security appliance tries to verify the responder certificate. The CA normally sets the lifetime of its OCSP responder certificate to a relatively short period to minimize the chance of it being compromised. The CA typically also includes an ocsp-no-check extension in the responder certificate indicating that this certificate does not need revocation status checking. But if this extension is not present, the security appliance tries to check its revocation status using the same method specified in the trustpoint. If the responder certificate is not verifiable, the revocation check fails. To avoid this possibility, configure revocation-check none in the trustpoint that validates the responder certificate, while configuring revocation-check ocsp for the client certificate.
• If the security appliance does not find a match, it uses the URL in the ocsp url command. If you have not configured the ocsp url command, it uses the AIA field of the remote user certificate. If the certificate does not have an AIA extension, revocation status checking fails.
Examples
The following example shows how to create a certificate match rule for a trustpoint called newtrust. The rule has a map name called mymap, sequence number of 4, a trustpoint called mytrust, and specifies a URL of 10.22.184.22.
hostname(config)# crypto ca trustpoint newtrust
hostname(config-ca-trustpoint)# match certificate mymap override ocsp trustpoint mytrust 4 url 10.22.184.22
hostname(config-ca-trustpoint)#
The next example shows step-by-step how to configure a crypto ca certificate map, and then a match certificate rule to identify a trustpoint that contains a CA certificate to validate the responder certificate. This is necessary if the CA identified in the newtrust trustpoint does not issue an OCSP responder certificate.
Step 1
Configure the certificate map that identifies the client certificates to which the map rule applies. In this example the name of the certificate map is mymap and the sequence number is 1. Any client certificate with a subject-name that contains a CN attribute equal to mycert matches the mymap entry.
hostname(config)# crypto ca certificate map mymap 1
hostname(config-ca-cert-map)# subject-name attr cn eq mycert
hostname(config-ca-cert-map)#
Step 2
Configure a trustpoint that contains the CA certificate to use to validate the OCSP responder certificate. In the case of self-signed certificates, this is the self-signed certificate itself, which is imported and locally trusted. You can also obtain a certificate for this purpose through external CA enrollment. When prompted to do so, paste in the CA certificate.
hostname(config-ca-cert-map)# exit
hostname(config)# crypto ca trustpoint mytrust
hostname(config-ca-trustpoint)# enroll terminal
hostname(config-ca-trustpoint)# crypto ca authenticate mytrust
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself
MIIBnjCCAQcCBEPOpG4wDQYJKoZIhvcNAQEEBQAwFzEVMBMGA1UEAxQMNjMuNjcu
NzIuMTg4MB4XDTA2MDExODIwMjYyMloXDTA5MDExNzIwMjYyMlowFzEVMBMGA1UE
AxQMNjMuNjcuNzIuMTg4MIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQDnXUHv
7//x1xEAOYfUzJmH5sr/NuxAbA5gTUbYA3pcE0KZHt761N+/8xGxC3DIVB8u7T/b
v8RqzqpmZYguveV9cLQK5tsxqW3DysMU/4/qUGPfkVZ0iKPCgpIAWmq2ojhCFPyx
ywsDsjl6YamF8mpMoruvwOuaUOsAK6KO54vy0QIBAzANBgkqhkiG9w0BAQQFAAOB
gQCSOihb2NH6mga2eLqEsFP1oVbBteSkEAm+NRCDK7ud1l3D6UC01EgtkJ81QtCk
tvX2T2Y/5sdNW4gfueavbyqYDbk4yxCKaofPp1ffAD9rrUFQJM1uQX14wclPCcAN
e7kR+rscOKYBSgVHrseqdB8+6QW5NF7f2dd+tSMvHtUMNw==
quit
INFO: Certificate has the following attributes:
Fingerprint: 7100d897 05914652 25b2f0fc e773df42
Do you accept this certificate? [yes/no]: y
Trustpoint CA certificate accepted.
% Certificate successfully imported
Step 3
Configure the original trustpoint, newtrust, with OCSP as the revocation checking method. Then set a match rule that includes the certificate map, mymap, and the self-signed trustpoint, mytrust, configured in Step 2.
hostname(config)# crypto ca trustpoint newtrust
hostname(config-ca-trustpoint)# enroll terminal
hostname(config-ca-trustpoint)# crypto ca authenticate newtrust
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself
(base 64 CA certificate omitted)
quit
INFO: Certificate has the following attributes:
Fingerprint: 9508g897 82914638 435f9f0fc x9y2p42
Do you accept this certificate? [yes/no]: y
Trustpoint CA certificate accepted.
% Certificate successfully imported
hostname(config)# crypto ca trustpoint newtrust
hostname(config-ca-trustpoint)# revocation-check ocsp
hostname(config-ca-trustpoint)# match certificate mymap override ocsp trustpoint mytrust 4 url 10.22.184.22
Any connection that uses the newtrust trustpoint for client certificate authentication checks to see if the client certificate matches the attribute rules specified in the mymap certificate map. If so, the security appliance accesses the OCSP responder at 10.22.184.22 for certificate revocation status. It then uses the mytrust trustpoint to validate the responder certificate.
Note
The newtrust trustpoint is configured to perform revocation checking via OCSP for the client certificates. However, the mytrust trustpoint is configured for the default revocation-check method which is none, so no revocation checking is performed on the OCSP responder certificate.
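The following is an added example, not Cisco code, that models the responder selection described in the usage guidelines and in the step-by-step example above: match rules are tried in ascending seq-num order, then the trustpoint's ocsp url, then the AIA field of the client certificate, and if none yields a URL the revocation check fails. It also enforces the constraints that the certificate map must exist before a rule references it and that a certificate map may have only one rule. The certificate map model supports only subject-name attr cn eq; which trustpoint validates the responder certificate when no rule matches (the client trustpoint itself, in this model) is an assumption of the example, and the sample certificates are constructed.

```python
# Added example (not Cisco code): how the appliance picks the OCSP responder for a
# client certificate, following the rules on this page: match rules in ascending
# seq-num order, then the trustpoint's ocsp url, then the certificate's AIA field,
# else revocation checking fails. Assumption: when no rule supplies a trustpoint,
# the client-certificate trustpoint itself validates the responder certificate.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class ClientCert:
    subject_cn: str
    aia_ocsp_url: Optional[str] = None   # OCSP URL carried in the AIA extension, if any


@dataclass(frozen=True)
class CertificateMap:
    """crypto ca certificate map <name> <seq> / subject-name attr cn eq <value> (only)."""
    name: str
    cn_eq: str

    def matches(self, cert):
        return cert.subject_cn == self.cn_eq


@dataclass(frozen=True, order=True)
class MatchRule:
    """match certificate <map> override ocsp [trustpoint <tp>] <seq> url <URL>"""
    seq: int
    map_name: str
    url: str
    responder_trustpoint: Optional[str] = None


@dataclass
class Trustpoint:
    name: str
    revocation_check: str = "none"      # the default revocation-check method
    ocsp_url: Optional[str] = None      # set by 'ocsp url'
    rules: List[MatchRule] = field(default_factory=list)

    def add_rule(self, rule, cert_maps):
        if rule.map_name not in cert_maps:
            raise ValueError("configure the certificate map before the match rule")
        if not 1 <= rule.seq <= 10000:
            raise ValueError("seq-num must be in the range 1 to 10000")
        if any(r.map_name == rule.map_name for r in self.rules):
            raise ValueError("only one match rule per certificate map")
        self.rules.append(rule)
        return self


def resolve_ocsp(tp, cert_maps, cert):
    """Return (responder URL, trustpoint that validates the responder certificate),
    None when the trustpoint does not check revocation via OCSP, or raise
    LookupError when no URL can be found (the check fails)."""
    if tp.revocation_check != "ocsp":
        return None
    for rule in sorted(tp.rules):                       # lowest seq-num first
        if cert_maps[rule.map_name].matches(cert):
            return rule.url, rule.responder_trustpoint or tp.name
    if tp.ocsp_url:
        return tp.ocsp_url, tp.name
    if cert.aia_ocsp_url:
        return cert.aia_ocsp_url, tp.name
    raise LookupError("no OCSP URL from match rules, ocsp url or AIA: revocation check fails")


def page_configuration():
    """mymap, newtrust and the mytrust override as configured in the steps above."""
    cert_maps = {"mymap": CertificateMap("mymap", "mycert")}
    newtrust = Trustpoint("newtrust", revocation_check="ocsp")
    newtrust.add_rule(MatchRule(4, "mymap", "10.22.184.22", "mytrust"), cert_maps)
    return newtrust, cert_maps


if __name__ == "__main__":
    tp, maps = page_configuration()
    print(resolve_ocsp(tp, maps, ClientCert("mycert")))
    print(resolve_ocsp(tp, maps, ClientCert("other", "http://ocsp.example.test/")))
```

The model makes the failure mode of the last bullet explicit: a certificate that matches no map, on a trustpoint with no ocsp url, and with no AIA extension, cannot be checked at all, and the connection is rejected rather than allowed through unchecked.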
Related Commands
Command | Description
crypto ca certificate map | Creates crypto ca certificate maps. Use this command in global configuration mode.
crypto ca trustpoint | Enters crypto ca trustpoint mode. Use this command in global configuration mode.
ocsp disable-nonce | Disables the nonce extension of the OCSP request.
ocsp url | Specifies the OCSP server to use to check all certificates associated with a trustpoint.
revocation-check | Specifies the method(s) to use for revocation checking, and the order in which to try them.
match cmd
To configure a match condition on the ESMTP command verb, use the match cmd command in policy-map configuration mode. To disable this feature, use the no form of this command.
match [not] cmd [verb verb | line length gt bytes | RCPT count gt recipients_number]
no match [not] cmd [verb verb | line length gt bytes | RCPT count gt recipients_number]
Syntax Description
verb verb | Specifies the ESMTP command verb.
line length gt bytes | Specifies the length of a line.
RCPT count gt recipients_number | Specifies the number of recipient email addresses.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Policy map configuration | • | • | • | • | —
Command History
Release | Modification
7.2(1) | This command was introduced.
Examples
The following example shows how to configure a match condition in an ESMTP inspection policy map for the verb (method) NOOP exchanged in the ESMTP transaction:
hostname(config-pmap)# match cmd verb NOOP
Related Commands
Command | Description
class-map | Creates a Layer 3/4 class map.
clear configure class-map | Removes all class maps.
match any | Includes all traffic in the class map.
match port | Identifies a specific port number in a class map.
show running-config class-map | Displays the information about the class map configuration.
match default-inspection-traffic
To specify default traffic for the inspect commands in a class map, use the match default-inspection-traffic command in class-map configuration mode. To remove this specification, use the no form of this command.
match default-inspection-traffic
no match default-inspection-traffic
Syntax Description
This command has no arguments or keywords.
Defaults
See the Usage Guidelines section for the default traffic of each inspection.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Class-map configuration | • | • | • | • | —
Command History
Release | Modification
7.0(1) | This command was introduced.
Usage Guidelines
The match commands are used to identify the traffic included in the traffic class for a class map. They include different criteria to define the traffic included in a class-map. Define a traffic class using the class-map global configuration command as part of configuring a security feature using Modular Policy Framework. From class-map configuration mode, you can define the traffic to include in the class using the match command.
After a traffic class is applied to an interface, packets received on that interface are compared to the criteria defined by the match statements in the class map. If the packet matches the specified criteria, it is included in the traffic class and is subjected to any actions associated with that traffic class. Packets that do not match any of the criteria in any traffic class are assigned to the default traffic class.
Using the match default-inspection-traffic command, you can match default traffic for the individual inspect commands. The match default-inspection-traffic command can be used in conjunction with one other match command, which is typically an access-list in the form of permit ip src-ip dst-ip.
The rule for combining a second match command with the match default-inspection-traffic command is to specify the protocol and port information using the match default-inspection-traffic command and specify all other information (such as IP addresses) using the second match command. Any protocol or port information specified in the second match command is ignored with respect to the inspect commands.
For instance, port 65535 specified in the example below is ignored:
hostname(config)# class-map cmap
hostname(config-cmap)# match default-inspection-traffic
hostname(config-cmap)# match port 65535
The default traffic for each inspection is as follows:
Inspection Type | Protocol Type | Source Port | Destination Port
ctiqbe | tcp | N/A | 1748
dcerpc | tcp | N/A | 135
dns | udp | 53 | 53
ftp | tcp | N/A | 21
gtp | udp | 2123,3386 | 2123,3386
h323 h225 | tcp | N/A | 1720
h323 ras | udp | N/A | 1718-1719
http | tcp | N/A | 80
icmp | icmp | N/A | N/A
ils | tcp | N/A | 389
im | tcp | N/A | 1-65539
ipsec-pass-thru | udp | N/A | 500
mgcp | udp | 2427,2727 | 2427,2727
netbios | udp | 137-138 | N/A
rpc | udp | 111 | 111
rsh | tcp | N/A | 514
rtsp | tcp | N/A | 554
sip | tcp,udp | N/A | 5060
skinny | tcp | N/A | 2000
smtp | tcp | N/A | 25
sqlnet | tcp | N/A | 1521
tftp | udp | N/A | 69
xdmcp | udp | 177 | 177
Examples
The following example shows how to define a traffic class using a class map and the match default-inspection-traffic command:
hostname(config)# class-map cmap
hostname(config-cmap)# match default-inspection-traffic
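The following Python model is an added example, not part of the Cisco reference and not ASA code. It shows how a flow is matched against the default-traffic table above (a row matches only when protocol, source port and destination port all match, so dns requires both ports to be 53 while http constrains only the destination), and why a second match command such as match port contributes nothing to the inspection decision. The table is a constructed subset of the one on this page; ACL prefixes and addresses are sample values.

```python
"""Added example (not from the Cisco reference): models which default
inspections a flow falls under, and why port information in a second
match command is ignored.  The table below is a constructed subset of
the default-traffic table on this page; IP addresses are sample values."""
import ipaddress

# (inspection, protocol types, source port spec, destination port spec)
DEFAULT_INSPECTION_TRAFFIC = [
    ("ctiqbe", "tcp", "N/A", "1748"),
    ("dns", "udp", "53", "53"),
    ("ftp", "tcp", "N/A", "21"),
    ("gtp", "udp", "2123,3386", "2123,3386"),
    ("h323 ras", "udp", "N/A", "1718-1719"),
    ("http", "tcp", "N/A", "80"),
    ("icmp", "icmp", "N/A", "N/A"),
    ("netbios", "udp", "137-138", "N/A"),
    ("sip", "tcp,udp", "N/A", "5060"),
    ("smtp", "tcp", "N/A", "25"),
    ("tftp", "udp", "N/A", "69"),
]


def parse_port_spec(spec):
    """'N/A' means any port; '2123,3386' is a list; '137-138' is a range."""
    if spec == "N/A":
        return None
    ports = set()
    for part in spec.split(","):
        if "-" in part:
            low, high = part.split("-")
            ports.update(range(int(low), int(high) + 1))
        else:
            ports.add(int(part))
    return ports


def port_matches(spec, port):
    allowed = parse_port_spec(spec)
    return allowed is None or port in allowed


def default_inspections(proto, src_port, dst_port):
    """Inspections whose default traffic this flow matches.  A row matches
    only if every column matches: dns needs both ports to be 53, while
    http constrains only the destination port."""
    hits = []
    for name, protos, src_spec, dst_spec in DEFAULT_INSPECTION_TRAFFIC:
        if (proto in protos.split(",") and port_matches(src_spec, src_port)
                and port_matches(dst_spec, dst_port)):
            hits.append(name)
    return hits


def class_map_inspections(flow, acl, ignored_match_port=None):
    """A class map of 'match default-inspection-traffic' plus one access-list
    of the form 'permit ip src dst'.  The ACL supplies the addresses; the
    protocol and ports come only from the default table.  ignored_match_port
    stands for a 'match port N' entered alongside and is deliberately unused."""
    proto, src_ip, src_port, dst_ip, dst_port = flow
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    permitted = any(src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d)
                    for s, d in acl)
    if not permitted:
        return []
    return default_inspections(proto, src_port, dst_port)


if __name__ == "__main__":
    acl = [("10.1.1.0/24", "192.0.2.0/24")]
    print(class_map_inspections(("tcp", "10.1.1.5", 40000, "192.0.2.10", 80), acl, 65535))
```

Passing 65535 as the extra port, as in the class map shown above, leaves the result unchanged: only the addresses from the access list and the protocol/port pairs from the default table decide which inspection sees the flow.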
Related Commands
Command | Description
class-map | Applies a traffic class to an interface.
clear configure class-map | Removes all of the traffic map definitions.
match access-list | Identifies access list traffic within a class map.
match any | Includes all traffic in the class map.
show running-config class-map | Displays the information about the class map configuration.
match dns-class
To configure a match condition for the Domain System Class in a DNS Resource Record or Question section, use the match dns-class command in class-map or policy-map configuration mode. To remove a configured class, use the no form of this command.
match [not] dns-class {eq c_well_known | c_val} {range c_val1 c_val2}
no match [not] dns-class {eq c_well_known | c_val} {range c_val1 c_val2}
Syntax Description
eq | Specifies an exact match.
c_well_known | Specifies DNS class by well-known name, IN.
c_val | Specifies an arbitrary value in the DNS class field (0-65535).
range | Specifies a range.
c_val1 c_val2 | Specifies values in a range match. Each value is between 0 and 65535.
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Class-map or policy map configuration | • | • | • | • | —
Command History
Release | Modification
7.2(1) | This command was introduced.
Usage Guidelines
By default, this command inspects all fields (questions and RRs) of a DNS message and matches the specified class. Both DNS query and response are examined.
The match can be narrowed down to the question portion of a DNS query by the following two commands: match not header-flag QR and match question.
This command can be configured within a DNS class map or policy map. Only one entry can be entered within a DNS class-map.
Examples
The following example shows how to configure a match condition for a DNS class in a DNS inspection policy map:
hostname(config)# policy-map type inspect dns preset_dns_map
hostname(config-pmap)# match dns-class eq IN
Related Commands
Command | Description
class-map | Creates a Layer 3/4 class map.
clear configure class-map | Removes all class maps.
match any | Includes all traffic in the class map.
match port | Identifies a specific port number in a class map.
show running-config class-map | Displays the information about the class map configuration.
match dns-type
To configure a match condition for a DNS type, including Query type and RR type, use the match dns-type command in class-map or policy-map configuration mode. To remove a configured dns type, use the no form of this command.
match [not] dns-type {eq t_well_known | t_val} {range t_val1 t_val2}
no match [not] dns-type {eq t_well_known | t_val} {range t_val1 t_val2}
Syntax Description
eq | Specifies an exact match.
t_well_known | Specifies DNS type by well-known name: A, NS, CNAME, SOA, TSIG, IXFR, or AXFR.
t_val | Specifies an arbitrary value in the DNS type field (0-65535).
range | Specifies a range.
t_val1 t_val2 | Specifies values in a range match. Each value is between 0 and 65535.
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Class-map or policy map configuration | • | • | • | • | —
Command History
Release | Modification
7.2(1) | This command was introduced.
Usage Guidelines
By default, this command inspects all sections of a DNS message (questions and RRs) and matches the specified type. Both DNS query and response are examined.
The match can be narrowed down to the question portion of a DNS query by the following two commands: match not header-flag QR and match question.
This command can be configured within a DNS class map or policy map. Only one entry can be entered within a DNS class-map.
Examples
The following example shows how to configure a match condition for a DNS type in a DNS inspection policy map:
hostname(config)# policy-map type inspect dns preset_dns_map
hostname(config-pmap)# match dns-type eq a
Related Commands
Command | Description
class-map | Creates a Layer 3/4 class map.
clear configure class-map | Removes all class maps.
match any | Includes all traffic in the class map.
match port | Identifies a specific port number in a class map.
show running-config class-map | Displays the information about the class map configuration.
match domain-name
To configure a match condition for a DNS message domain name list, use the match domain-name command in class-map or policy-map configuration mode. To remove a configured section, use the no form of this command.
match [not] domain-name regex regex_id
match [not] domain-name regex class class_id
no match [not] domain-name regex regex_id
no match [not] domain-name regex class class_id
Syntax Description
regex | Specifies a regular expression.
regex_id | Specifies the regular expression ID.
class | Specifies the class map that contains multiple regular expression entries.
class_id | Specifies the regular expression class map ID.
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Class-map or policy map configuration | • | • | • | • | —
Command History
Release | Modification
7.2(1) | This command was introduced.
Usage Guidelines
This command matches domain names in the DNS message against a predefined list. Compressed domain names are expanded before matching. The match condition can be narrowed down to a particular field in conjunction with other DNS match commands.
This command can be configured within a DNS class map or policy map. Only one entry can be entered within a DNS class-map.
Examples
The following example shows how to match the DNS domain name in a DNS inspection policy map:
hostname(config)# policy-map type inspect dns preset_dns_map
hostname(config-pmap)# match domain-name regex
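The following Python parser is an added example serving the match dns-class, match dns-type and match domain-name sections; it is not Cisco code and does not reproduce the ASA DNS inspection engine. It decodes the question section of a DNS message (expanding compressed names, as the guidelines above say the inspection does), then evaluates eq/range conditions on class and type, the not form of each, and a regex class in which any member may match. The well-known name tables and the sample messages are constructed here.

```python
"""Added example (not from the Cisco reference): a question-section parser
that evaluates match dns-class, match dns-type and match domain-name,
including 'not' and 'range'.  Name-to-value tables and the sample message
are constructed; the ASA inspection engine itself is not reproduced."""
import re
import struct

DNS_CLASS_NAMES = {"IN": 1}
DNS_TYPE_NAMES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6,
                  "TSIG": 250, "IXFR": 251, "AXFR": 252}


def read_name(msg, offset):
    """Expand a possibly compressed name; returns (name, offset after it).
    A pointer (top two bits set) is followed; a hop limit rejects loops."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            if end is None:
                end = offset + 2          # the name ends after its first pointer
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_questions(msg):
    """Return ([(qname, qtype, qclass), ...], is_response)."""
    flags, qdcount = struct.unpack("!HH", msg[2:6])
    offset, questions = 12, []
    for _ in range(qdcount):
        name, offset = read_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    return questions, bool(flags & 0x8000)   # QR=1 marks a response


def value_matcher(names, spec):
    """spec is ('eq', well_known_or_number) or ('range', low, high)."""
    if spec[0] == "eq":
        target = names.get(spec[1].upper())
        if target is None:
            target = int(spec[1])
        return lambda v: v == target
    if spec[0] == "range":
        low, high = int(spec[1]), int(spec[2])
        return lambda v: low <= v <= high
    raise ValueError(spec)


def question_matches(question, dns_class=None, dns_type=None, domain_regexes=None):
    """True when one question entry satisfies every supplied condition.
    dns_class / dns_type are (spec, negate) pairs; domain_regexes is a list,
    any member of which may match (the regex class form of match domain-name)."""
    name, qtype, qclass = question
    checks = []
    if dns_class is not None:
        spec, negate = dns_class
        checks.append(value_matcher(DNS_CLASS_NAMES, spec)(qclass) != negate)
    if dns_type is not None:
        spec, negate = dns_type
        checks.append(value_matcher(DNS_TYPE_NAMES, spec)(qtype) != negate)
    if domain_regexes is not None:
        checks.append(any(re.search(r, name) for r in domain_regexes))
    return all(checks)


def matching_questions(msg, queries_only=True, **conditions):
    """Names of questions meeting the conditions.  queries_only models adding
    'match not header-flag QR', so responses are skipped."""
    questions, is_response = parse_questions(msg)
    if queries_only and is_response:
        return []
    return [q[0] for q in questions if question_matches(q, **conditions)]


def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


# Constructed sample: two questions, the second one pointing back to
# "example.com" at offset 16 inside the first name.
SAMPLE_QUERY = (
    struct.pack("!HHHHHH", 0x1234, 0x0100, 2, 0, 0, 0)
    + encode_name("www.example.com") + struct.pack("!HH", 1, 1)   # A, IN
    + b"\x04mail\xc0\x10" + struct.pack("!HH", 15, 1)             # MX, IN
)
SAMPLE_RESPONSE = SAMPLE_QUERY[:2] + b"\x81\x80" + SAMPLE_QUERY[4:]
```

A regex list with several members models the class form (match domain-name regex class); a one-element list models a single regex_id.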
Related Commands
Command | Description
class-map | Creates a Layer 3/4 class map.
clear configure class-map | Removes all class maps.
match any | Includes all traffic in the class map.
match port | Identifies a specific port number in a class map.
show running-config class-map | Displays the information about the class map configuration.
match dscp
To identify the IETF-defined DSCP value (in an IP header) in a class map, use the match dscp command in class-map configuration mode. To remove this specification, use the no form of this command.
match dscp {values}
no match dscp {values}
Syntax Description
values | Specifies up to eight different IETF-defined DSCP values in the IP header. Range is 0 to 63.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Class-map configuration | • | • | • | • | —
Command History
Release | Modification
7.0(1) | This command was introduced.
Usage Guidelines
The match commands are used to identify the traffic included in the traffic class for a class map. They include different criteria to define the traffic included in a class-map. Define a traffic class using the class-map global configuration command as part of configuring a security feature using Modular Policy Framework. From class-map configuration mode, you can define the traffic to include in the class using the match command.
After a traffic class is applied to an interface, packets received on that interface are compared to the criteria defined by the match statements in the class map. If the packet matches the specified criteria, it is included in the traffic class and is subjected to any actions associated with that traffic class. Packets that do not match any of the criteria in any traffic class are assigned to the default traffic class.
Using the match dscp command, you can match the IETF-defined DSCP values in the IP header.
Examples
The following example shows how to define a traffic class using a class map and the match dscp command:
hostname(config)# class-map cmap
hostname(config-cmap)# match dscp af43 cs1 ef
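The following Python snippet is an added example, not Cisco code. It reads the DSCP field out of an IPv4 header and evaluates a match dscp list such as the one above, resolving the well-known names af43, cs1 and ef to their code points. The name-to-value rules follow the IETF per-hop-behaviour definitions rather than anything stated on this page, and the packet is constructed.

```python
"""Added example (not from the Cisco reference): reads the DSCP field from an
IPv4 header and evaluates a 'match dscp' value list.  The name-to-value rules
for ef / csN / afXY follow the IETF PHB definitions rather than anything on
this page, and the packet is constructed."""
import re
import struct


def dscp_value(token):
    """Resolve one match dscp token to its 0-63 code point."""
    t = token.lower()
    if t == "ef":
        return 46                                  # Expedited Forwarding
    if t == "default":
        return 0
    m = re.fullmatch(r"cs([0-7])", t)
    if m:
        return 8 * int(m.group(1))                 # class selector: csN = N << 3
    m = re.fullmatch(r"af([1-4])([1-3])", t)
    if m:
        return 8 * int(m.group(1)) + 2 * int(m.group(2))   # assured forwarding afXY
    value = int(t)
    if not 0 <= value <= 63:
        raise ValueError(f"DSCP value out of range: {token}")
    return value


def parse_match_dscp(tokens):
    """The command takes up to eight values; duplicates collapse into a set."""
    if len(tokens) > 8:
        raise ValueError("match dscp accepts at most eight values")
    return {dscp_value(t) for t in tokens}


def packet_dscp(packet):
    """DSCP is the upper six bits of the second header byte; the low two
    bits are ECN and take no part in the match."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return packet[1] >> 2


def build_ipv4(dscp, ecn=0):
    """Constructed 20-byte IPv4 header (protocol TCP, checksum left zero)."""
    tos = (dscp << 2) | ecn
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, 6, 0,
                       bytes([10, 0, 0, 1]), bytes([192, 0, 2, 1]))


def class_matches(packet, tokens):
    """True when the packet's DSCP is one of the values in the match dscp list."""
    return packet_dscp(packet) in parse_match_dscp(tokens)
```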
Related Commands
Command | Description
class-map | Applies a traffic class to an interface.
clear configure class-map | Removes all of the traffic map definitions.
match access-list | Identifies access list traffic within a class map.
match port | Specifies the TCP/UDP ports as the comparison criteria for packets received on that interface.
show running-config class-map | Displays the information about the class map configuration.
match ehlo-reply-parameter
To configure a match condition on the ESMTP ehlo reply parameter, use the match ehlo-reply-parameter command in policy-map configuration mode. To disable this feature, use the no form of this command.
match [not] ehlo-reply-parameter parameter
no match [not] ehlo-reply-parameter parameter
Syntax Description
parameter | Specifies the ehlo reply parameter.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Policy map configuration | • | • | • | • | —
Command History
Release | Modification
7.2(1) | This command was introduced.
Examples
The following example shows how to configure a match condition for an ehlo reply parameter in an ESMTP inspection policy map:
hostname(config)# policy-map type inspect esmtp esmtp_map
hostname(config-pmap)# match ehlo-reply-parameter auth
Related Commands
Command | Description
class-map | Creates a Layer 3/4 class map.
clear configure class-map | Removes all class maps.
match any | Includes all traffic in the class map.
match port | Identifies a specific port number in a class map.
show running-config class-map | Displays the information about the class map configuration.
match filename
To configure a match condition for a filename for FTP transfer, use the match filename command in class-map or policy-map configuration mode. To remove the match condition, use the no form of this command.
match [not] filename regex [regex_name | class regex_class_name]
no match [not] filename regex [regex_name | class regex_class_name]
Syntax Description
regex_name | Specifies a regular expression.
class regex_class_name | Specifies a regular expression class map.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Class-map or policy map configuration | • | • | • | • | —
Command History
Release | Modification
7.2(1) | This command was introduced.
Usage Guidelines
This command can be configured in an FTP class map or policy map. Only one entry can be entered in a FTP class map.
Examples
The following example shows how to configure a match condition for an FTP transfer filename in an FTP inspection class map:
hostname(config)# class-map type inspect ftp match-all ftp_class1
hostname(config-cmap)# description Restrict FTP users ftp1, ftp2, and ftp3 from accessing /root
hostname(config-cmap)# match username regex class ftp_regex_user
hostname(config-cmap)# match filename regex ftp-file
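The following Python model is an added example, not Cisco code. It evaluates a match-all FTP class map like the one above over a constructed FTP control-channel transcript: the username condition uses a regex class (any member pattern may match, as with match username regex class), the filename condition uses a single regex, and the class fires only when both hold. Usernames, paths and patterns are sample values.

```python
"""Added example (not from the Cisco reference): a match-all FTP inspection
class map with 'match username regex class' and 'match filename regex',
run over a constructed FTP control-channel transcript."""
import re


class RegexClass:
    """Stand-in for a regex class map: any member pattern may match."""
    def __init__(self, patterns):
        self.patterns = [re.compile(p) for p in patterns]

    def matches(self, text):
        return any(p.search(text) for p in self.patterns)


# Client commands that carry a filename argument.
FILE_COMMANDS = {"RETR", "STOR", "APPE", "DELE", "RNFR", "RNTO", "STOU", "LIST", "NLST"}


def parse_ftp_commands(lines):
    """Return (username, [(command, filename), ...]) from client command lines."""
    user, files = None, []
    for line in lines:
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            user = arg
        elif cmd in FILE_COMMANDS and arg:
            files.append((cmd, arg))
    return user, files


def ftp_class_match_all(lines, username_class, filename_regex):
    """match-all: the username condition and the filename condition must both
    hold.  Returns the (command, filename) pairs on which the class would fire."""
    user, files = parse_ftp_commands(lines)
    if user is None or not username_class.matches(user):
        return []
    pattern = re.compile(filename_regex)
    return [(cmd, name) for cmd, name in files if pattern.search(name)]


# Constructed transcript of one client session (server replies omitted).
SESSION = [
    "USER ftp2",
    "PASS ********",
    "CWD /root",
    "RETR /root/notes.txt",
    "RETR /pub/readme.txt",
    "STOR /root/upload.bin",
]

FTP_REGEX_USER = RegexClass([r"^ftp1$", r"^ftp2$", r"^ftp3$"])   # ftp_regex_user
FTP_FILE = r"^/root(/|$)"                                       # ftp-file
```

The model only sees absolute paths given to transfer commands; a client that changes directory with CWD and then uses relative names would need the class to track the working directory, which is why anchoring the filename regex at the path root is only as good as the paths the client sends.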
Related Commands
Command | Description
class-map | Creates a Layer 3/4 class map.
clear configure class-map | Removes all class maps.
match any | Includes all traffic in the class map.
match port | Identifies a specific port number in a class map.
show running-config class-map | Displays the information about the class map configuration.
match filetype
To configure a match condition for a filetype for FTP transfer, use the match filetype command in class-map or policy-map configuration mode. To remove the match condition, use the no form of this command.
match [not] filetype regex [regex_name | class regex_class_name]
no match [not] filetype regex [regex_name | class regex_class_name]
Syntax Description
regex_name | Specifies a regular expression.
class regex_class_name | Specifies a regular expression class map.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Class-map or policy map configuration | • | • | • | • | —
Command History
Release | Modification
7.2(1) | This command was introduced.
Usage Guidelines
This command can be configured in an FTP class map or policy map. Only one entry can be entered in a FTP class map.
Examples
The following example shows how to configure a match condition for an FTP transfer filetype in an FTP inspection policy map:
hostname(config-pmap)# match filetype regex class ftp-regex-filetype
Related Commands
Command | Description
class-map | Creates a Layer 3/4 class map.
clear configure class-map | Removes all class maps.
match any | Includes all traffic in the class map.
match port | Identifies a specific port number in a class map.
show running-config class-map | Displays the information about the class map configuration.
match flow ip destination-address
To specify the flow IP destination address in a class map, use the match flow ip destination-address command in class-map configuration mode. To remove this specification, use the no form of this command.
match flow ip destination-address
no match flow ip destination-address
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Class-map configuration | • | • | • | • | —
Command History
Release | Modification
7.0(1) | This command was introduced.
Usage Guidelines
The match commands are used to identify the traffic included in the traffic class for a class map. They include different criteria to define the traffic included in a class-map. Define a traffic class using the class-map global configuration command as part of configuring a security feature using Modular Policy Framework. From class-map configuration mode, you can define the traffic to include in the class using the match command.
After a traffic class is applied to an interface, packets received on that interface are compared to the criteria defined by the match statements in the class map. If the packet matches the specified criteria, it is included in the traffic class and is subjected to any actions associated with that traffic class. Packets that do not match any of the criteria in any traffic class are assigned to the default traffic class.
To enable flow-based policy actions on a tunnel group, use the match flow ip destination-address and match tunnel-group commands with the class-map, policy-map, and service-policy commands. The criterion that defines a flow is the destination IP address: all traffic going to a unique destination IP address is considered one flow. The policy action is applied to each flow instead of to the entire class of traffic. The QoS police action is applied using the match flow ip destination-address command. Use match tunnel-group to police every tunnel within a tunnel group to a specified rate.
Examples
The following example shows how to enable flow-based policing within a tunnel group and limit each tunnel to a specified rate:
hostname(config)# class-map cmap
hostname(config-cmap)# match tunnel-group
hostname(config-cmap)# match flow ip destination-address
hostname(config-cmap)# exit
hostname(config)# policy-map pmap
hostname(config-pmap)# class cmap
hostname(config-pmap)# police 56000
hostname(config-pmap)# exit
hostname(config)# service-policy pmap global
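The following Python model is an added example, not Cisco code. It shows what the configuration above changes: with match flow ip destination-address, each unique destination address gets its own token bucket at the policed rate, whereas a class without the flow match shares one bucket across every destination. The rate (56000 bps, from the example), burst size and packet trace are constructed; times are in milliseconds.

```python
"""Added example (not from the Cisco reference): a per-destination token-bucket
policer modelling 'match flow ip destination-address' with 'police 56000',
beside a single-bucket policer for the whole class.  Rate, burst and the
packet trace are constructed; times are in milliseconds."""


class TokenBucket:
    def __init__(self, rate_bps, burst_bytes):
        self.rate_bps = rate_bps
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)
        self.last_ms = None

    def conform(self, now_ms, size):
        """Refill for the time elapsed, then spend if the packet fits."""
        if self.last_ms is not None:
            refill = (now_ms - self.last_ms) * self.rate_bps / 8000   # bytes
            self.tokens = min(self.burst, self.tokens + refill)
        self.last_ms = now_ms
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


class FlowPolicer:
    """One bucket per destination IP: the flow-based policing of the example."""
    def __init__(self, rate_bps, burst_bytes=1500):
        self.rate_bps, self.burst, self.flows = rate_bps, burst_bytes, {}

    def admit(self, now_ms, dst_ip, size):
        bucket = self.flows.get(dst_ip)
        if bucket is None:
            bucket = self.flows[dst_ip] = TokenBucket(self.rate_bps, self.burst)
        return bucket.conform(now_ms, size)


class ClassPolicer:
    """One bucket shared by every packet in the class, for comparison."""
    def __init__(self, rate_bps, burst_bytes=1500):
        self.bucket = TokenBucket(rate_bps, burst_bytes)

    def admit(self, now_ms, dst_ip, size):
        return self.bucket.conform(now_ms, size)


def police_trace(policer, packets):
    """packets: (time_ms, dst_ip, size_bytes).  Returns {dst: (conformed, exceeded)}."""
    counts = {}
    for now_ms, dst_ip, size in packets:
        ok = policer.admit(now_ms, dst_ip, size)
        conformed, exceeded = counts.get(dst_ip, (0, 0))
        counts[dst_ip] = (conformed + 1, exceeded) if ok else (conformed, exceeded + 1)
    return counts


# Constructed trace: two destinations, each receiving a 1000-byte packet every 100 ms.
PACKETS = [(100 * i, dst, 1000) for i in range(10)
           for dst in ("192.0.2.10", "192.0.2.20")]
```

At 56000 bps the bucket refills 700 bytes per 100 ms, so each 1000-byte stream sees roughly seven of ten packets conform. With the shared class bucket the first destination in each interval drains it and the second is policed to nothing, which is the starvation the per-flow match avoids.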
Related Commands
Command | Description
class-map | Applies a traffic class to an interface.
clear configure class-map | Removes all of the traffic map definitions.
match access-list | Identifies access list traffic within a class map.
show running-config class-map | Displays the information about the class map configuration.
tunnel-group | Creates and manages the database of connection-specific records for VPN.
match header
To configure a match condition on the ESMTP header, use the match header command in policy-map configuration mode. To disable this feature, use the no form of this command.
match [not] header [[length | line length] gt bytes | to-fields count gt to_fields_number]
no match [not] header [[length | line length] gt bytes | to-fields count gt to_fields_number]
Syntax Description
length gt bytes | Specifies to match on the length of the ESMTP header message.
line length gt bytes | Specifies the length of a line of the ESMTP header message.
to-fields count gt to_fields_number | Specifies to match on the number of To: fields.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Policy map configuration | • | • | • | • | —
Command History
Release | Modification
7.2(1) | This command was introduced.
Examples
The following example shows how to configure a match condition for a header in an ESMTP inspection policy map:
hostname(config)# policy-map type inspect esmtp esmtp_map
hostname(config-pmap)# match header length gt 512
Related Commands
Command | Description
class-map | Creates a Layer 3/4 class map.
clear configure class-map | Removes all class maps.
match any | Includes all traffic in the class map.
match port | Identifies a specific port number in a class map.
show running-config class-map | Displays the information about the class map configuration.
match header-flag
To configure a match condition for a DNS header flag, use the match header-flag command in class-map or policy-map configuration mode. To remove a configured header flag, use the no form of this command.
match [not] header-flag [eq] {f_well_known | f_value}
no match [not] header-flag [eq] {f_well_known | f_value}
Syntax Description
eq | Specifies an exact match. If not configured, specifies a match-all bit mask match.
f_well_known | Specifies DNS header flag bits by well-known name. Multiple flag bits may be entered and logically OR'd: QR (Query, note: QR=1, indicating a DNS response), AA (Authoritative Answer), TC (TrunCation), RD (Recursion Desired), RA (Recursion Available).
f_value | Specifies an arbitrary 16-bit value in hexadecimal form.
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Class-map or policy map configuration | • | • | • | • | —
Command History
Release | Modification
7.2(1) | This command was introduced.
Usage Guidelines
This command can be configured in a DNS class map or policy map. Only one entry can be entered in a DNS class map.
Examples
The following example shows how to configure a match condition for a DNS header flag in a DNS inspection policy map:
hostname(config)# policy-map type inspect dns preset_dns_map
hostname(config-pmap)# match header-flag AA
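The following Python snippet is an added example, not Cisco code. It evaluates match header-flag against the 16-bit flags word of a DNS header and shows the difference the eq keyword makes: without it, every bit named in the mask must be set (the match-all bit mask), and several well-known names are OR'd together as the syntax description says; with it, the example assumes the whole flags word must equal the value, because the page does not say whether opcode and rcode bits are excluded from the comparison. The sample headers are constructed.

```python
"""Added example (not from the Cisco reference): evaluates match header-flag
against the DNS flags word.  Without eq every bit in the mask must be set
(match-all bit mask); with eq the whole 16-bit word must equal the value
(an assumption, since the page does not say whether opcode/rcode bits are
excluded).  The headers below are constructed."""
import struct

FLAG_BITS = {"QR": 0x8000, "AA": 0x0400, "TC": 0x0200, "RD": 0x0100, "RA": 0x0080}


def build_mask(spec):
    """Well-known names are OR'd together; a hex string such as '0x8180' is an f_value."""
    mask = 0
    for item in spec:
        mask |= FLAG_BITS.get(item.upper()) or int(item, 16)
    return mask


def flags_word(msg):
    return struct.unpack("!H", msg[2:4])[0]


def header_flag_matches(msg, spec, eq=False, negate=False):
    """Model of 'match [not] header-flag [eq] {names | value}'."""
    flags, mask = flags_word(msg), build_mask(spec)
    hit = flags == mask if eq else (flags & mask) == mask
    return hit != negate


def is_query(msg):
    """'match not header-flag QR': the narrowing the DNS class/type commands use."""
    return header_flag_matches(msg, ["QR"], negate=True)


def dns_header(flags, qdcount=1, ancount=0):
    """Constructed 12-byte DNS header carrying the given flags word."""
    return struct.pack("!HHHHHH", 0x1234, flags, qdcount, ancount, 0, 0)


QUERY = dns_header(0x0100)                  # RD only
RESPONSE = dns_header(0x8580, ancount=1)    # QR | AA | RD | RA
TRUNCATED = dns_header(0x8380, ancount=1)   # QR | TC | RD | RA


def flagged(messages, spec, eq=False, negate=False):
    """Indices of messages that a policy-map match with this spec would select."""
    return [i for i, m in enumerate(messages)
            if header_flag_matches(m, spec, eq, negate)]
```

The TC case is the one worth watching in a detection rule: a match on TC alone selects truncated responses regardless of what else is set, while eq with the full flag set selects only that exact combination.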
Related Commands
Command | Description
class-map | Creates a Layer 3/4 class map.
clear configure class-map | Removes all class maps.
match any | Includes all traffic in the class map.
match port | Identifies a specific port number in a class map.
show running-config class-map | Displays the information about the class map configuration.
match im-subscriber
To configure a match condition for a SIP IM subscriber, use the match im-subscriber command in class-map or policy-map configuration mode. To remove the match condition, use the no form of this command.
match [not] im-subscriber regex [regex_name | class regex_class_name]
no match [not] im-subscriber regex [regex_name | class regex_class_name]
Syntax Description
regex_name | Specifies a regular expression.
class regex_class_name | Specifies a regular expression class map.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Class-map or policy map configuration | • | • | • | • | —
Command History
Release | Modification
7.2(1) | This command was introduced.
Usage Guidelines
This command can be configured in a SIP class map or policy map. Only one entry can be entered in a SIP class map.
Examples
The following example shows how to configure a match condition for a SIP IM subscriber in a SIP inspection class map:
hostname(config-cmap)# match im-subscriber regex class im_sender
Related Commands
Command | Description
class-map | Creates a Layer 3/4 class map.
clear configure class-map | Removes all class maps.
match any | Includes all traffic in the class map.
match port | Identifies a specific port number in a class map.
show running-config class-map | Displays the information about the class map configuration.
match invalid-recipients
To configure a match condition on the ESMTP invalid recipient address, use the match invalid-recipients command in policy-map configuration mode. To disable this feature, use the no form of this command.
match [not] invalid-recipients count gt number
no match [not] invalid-recipients count gt number
Syntax Description
count gt number | Specifies to match on the invalid recipient number.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Policy map configuration | • | • | • | • | —
Command History
Release | Modification
7.2(1) | This command was introduced.
Examples
The following example shows how to configure a match condition for invalid recipients count in an ESMTP inspection policy map:
hostname(config)# policy-map type inspect esmtp esmtp_map
hostname(config-pmap)# match invalid-recipients count gt 1000
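The following Python parser is an added example serving the match ehlo-reply-parameter, match header and match invalid-recipients sections; it is not Cisco code. It walks a constructed ESMTP session transcript and evaluates the three conditions: which parameters the server advertised in its EHLO reply, the total length, longest line and number of To: fields of the message header, and how many RCPT TO commands were rejected. Host names and addresses are sample values, and the example takes an invalid recipient to be an RCPT TO the server answered with a 5xx code.

```python
"""Added example (not from the Cisco reference): parses a constructed ESMTP
session and evaluates the conditions behind match ehlo-reply-parameter,
match header (length / line length / to-fields count) and
match invalid-recipients count.  Hosts and addresses are sample values; an
invalid recipient is taken to be an RCPT TO the server rejected with 5xx."""

# Constructed transcript: "S" lines are server replies, "C" lines client data.
SESSION = [
    ("S", "220 mx.example.net ESMTP"),
    ("C", "EHLO relay.example.org"),
    ("S", "250-mx.example.net"),
    ("S", "250-SIZE 10485760"),
    ("S", "250-8BITMIME"),
    ("S", "250-AUTH PLAIN LOGIN"),
    ("S", "250 STARTTLS"),
    ("C", "MAIL FROM:<sender@example.org>"),
    ("S", "250 OK"),
    ("C", "RCPT TO:<nobody1@example.net>"),
    ("S", "550 5.1.1 User unknown"),
    ("C", "RCPT TO:<nobody2@example.net>"),
    ("S", "550 5.1.1 User unknown"),
    ("C", "RCPT TO:<alice@example.net>"),
    ("S", "250 OK"),
    ("C", "DATA"),
    ("S", "354 End data with <CR><LF>.<CR><LF>"),
    ("C", "From: sender@example.org"),
    ("C", "To: alice@example.net"),
    ("C", "To: bob@example.net"),
    ("C", "Subject: quarterly report"),
    ("C", ""),
    ("C", "body text"),
    ("C", "."),
    ("S", "250 Queued"),
]


def parse_session(session):
    """Collect the EHLO reply parameters, rejected RCPT count and header lines."""
    ehlo_params, header_lines = [], []
    invalid_recipients, ehlo_reply_lines = 0, 0
    last_cmd, phase = None, "commands"
    for who, line in session:
        if who == "C":
            if phase == "headers":
                if line == "":
                    phase = "body"            # blank line closes the header block
                else:
                    header_lines.append(line)
            elif phase == "body":
                if line == ".":
                    phase = "commands"
            else:
                last_cmd = line.split(" ", 1)[0].upper()
            continue
        code = line[:3]
        if last_cmd == "EHLO" and code == "250":
            ehlo_reply_lines += 1
            if ehlo_reply_lines > 1:          # the first 250 line is the greeting
                ehlo_params.append(line[4:].split(" ", 1)[0].upper())
        elif last_cmd == "RCPT" and code.startswith("5"):
            invalid_recipients += 1
        elif last_cmd == "DATA" and code == "354":
            phase = "headers"
    return {"ehlo_params": ehlo_params, "invalid_recipients": invalid_recipients,
            "header_lines": header_lines}


def match_ehlo_reply_parameter(facts, parameter):
    return parameter.upper() in facts["ehlo_params"]


def match_header(facts, length_gt=None, line_length_gt=None, to_fields_count_gt=None):
    """One keyword per form of the command; header lines count their CRLF."""
    headers = facts["header_lines"]
    if length_gt is not None:
        return sum(len(h) + 2 for h in headers) > length_gt
    if line_length_gt is not None:
        return any(len(h) > line_length_gt for h in headers)
    if to_fields_count_gt is not None:
        return sum(h.lower().startswith("to:") for h in headers) > to_fields_count_gt
    raise ValueError("specify length_gt, line_length_gt or to_fields_count_gt")


def match_invalid_recipients(facts, count_gt):
    return facts["invalid_recipients"] > count_gt
```

The same facts dictionary serves all three conditions, which is how a policy map applies several match commands to one session; a threshold such as count gt 1000 in the example above is deliberately high, so this constructed session with two rejected recipients would not trigger it.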
Related Commands
Command | Description
class-map | Creates a Layer 3/4 class map.
clear configure class-map | Removes all class maps.
match any | Includes all traffic in the class map.
match port | Identifies a specific port number in a class map.
show running-config class-map | Displays the information about the class map configuration.
match ip address
To redistribute any route whose route address, or matching packet, is passed by one of the specified access lists, use the match ip address command in route-map configuration mode. To restore the default settings, use the no form of this command.
match ip address {acl...}
no match ip address {acl...}
Syntax Description
acl | Name of an access list. Multiple access lists can be specified.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Route-map configuration | • | — | • | — | —
Command History
Release | Modification
Preexisting | This command was preexisting.
Usage Guidelines
The route-map global configuration command and the match and set configuration commands allow you to define the conditions for redistributing routes from one routing protocol into another. Each route-map command has match and set commands that are associated with it. The match commands specify the match criteria—the conditions under which redistribution is allowed for the current route-map command. The set commands specify the set actions—the particular redistribution actions to perform if the criteria enforced by the match commands are met. The no route-map command deletes the route map.
Examples
The following example shows how to redistribute internal routes:
hostname(config)# route-map name
hostname(config-route-map)# match ip address acl_dmz1 acl_dmz2
Related Commands
Command | Description
match interface | Distributes any routes that have their next hop out one of the interfaces specified.
match ip next-hop | Distributes any routes that have a next-hop router address that is passed by one of the access lists specified.
match metric | Redistributes routes with the metric specified.
route-map | Defines the conditions for redistributing routes from one routing protocol into another.
set metric | Specifies the metric value in the destination routing protocol for a route map.
match ip next-hop
To redistribute any routes that have a next-hop router address that is passed by one of the access lists specified, use the match ip next-hop command in route-map configuration mode. To remove the next-hop entry, use the no form of this command.
match ip next-hop {acl...} | prefix-list prefix_list
no match ip next-hop {acl...} | prefix-list prefix_list
Syntax Description
acl | Name of an ACL. Multiple ACLs can be specified.
prefix-list prefix_list | Name of prefix list.
Defaults
Routes are distributed freely, without being required to match a next-hop address.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Route-map configuration | • | — | • | — | —
Command History
Release | Modification
Preexisting | This command was preexisting.
Usage Guidelines
An ellipsis (...) in the command syntax indicates that your command input can include multiple values for the acl argument.
The route-map global configuration command and the match and set configuration commands allow you to define the conditions for redistributing routes from one routing protocol into another. Each route-map command has match and set commands that are associated with it. The match commands specify the match criteria—the conditions under which redistribution is allowed for the current route-map command. The set commands specify the set actions—the particular redistribution actions to perform if the criteria enforced by the match commands are met. The no route-map command deletes the route map.
The match route-map configuration command has multiple formats. You can enter the match commands in any order. All match commands must "pass" to cause the route to be redistributed according to the set actions given with the set commands. The no forms of the match commands remove the specified match criteria.
When you are passing routes through a route map, a route map can have several parts. Any route that does not match at least one match clause relating to a route-map command is ignored. To modify only some data, you must configure a second route map section and specify an explicit match.
Examples
The following example shows how to distribute routes that have a next-hop router address passed by access list acl_dmz1 or acl_dmz2:
hostname(config)# route-map name
hostname(config-route-map)# match ip next-hop acl_dmz1 acl_dmz2
Related Commands
Command | Description
match interface | Distributes any routes that have their next hop out one of the interfaces specified.
match ip next-hop | Distributes any routes that have a next-hop router address that is passed by one of the access lists specified.
match metric | Redistributes routes with the metric specified.
route-map | Defines the conditions for redistributing routes from one routing protocol into another.
set metric | Specifies the metric value in the destination routing protocol for a route map.
match ip route-source
To redistribute routes that have been advertised by routers and access servers at the address that is specified by the ACLs, use the match ip route-source command in the route-map configuration mode. To remove the next-hop entry, use the no form of this command.
match ip route-source {acl...} | prefix-list prefix_list
no match ip route-source {acl...}
Syntax Description
acl | Name of an ACL. Multiple ACLs can be specified.
prefix_list | Name of prefix list.
Defaults
No filtering on a route source.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Route-map configuration | • | — | • | — | —
Command History
Release | Modification
Preexisting | This command was preexisting.
Usage Guidelines
An ellipsis (...) in the command syntax indicates that your command input can include multiple values for the access-list-name argument.
The route-map global configuration command and the match and set configuration commands allow you to define the conditions for redistributing routes from one routing protocol into another. Each route-map command has match and set commands that are associated with it. The match commands specify the match criteria—the conditions under which redistribution is allowed for the current route-map command. The set commands specify the set actions—the particular redistribution actions to perform if the criteria enforced by the match commands are met. The no route-map command deletes the route map.
The match route-map configuration command has multiple formats. You can enter the match commands in any order. All match commands must "pass" to cause the route to be redistributed according to the set actions given with the set commands. The no forms of the match commands remove the specified match criteria.
A route map can have several parts. Any route that does not match at least one match clause relating to a route-map command is ignored. To modify only some data, you must configure a second route map section and specify an explicit match. The next-hop and source-router address of the route are not the same in some situations.
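The following Python program, added here as a worked illustration and not part of the Cisco command reference, models those evaluation rules: several ACLs on one match command are ORed (the route passes if any of them permits the matched address), different match commands in one sequence are ANDed, sequences are tried in order and the first match decides, and a route that matches no permit sequence is not redistributed. The routes, the ACL names (acl_dmz1, acl_dmz2, acl_core) and the route map dmz_to_ospf are constructed for the example.

```python
import ipaddress

# Constructed routing table entries (not from the page): the prefix, the next hop,
# and the address of the router that advertised the route (its "route source").
ROUTES = [
    {"prefix": "10.10.0.0/16", "next_hop": "192.0.2.1", "source": "192.0.2.1"},
    {"prefix": "10.20.0.0/16", "next_hop": "192.0.2.2", "source": "198.51.100.7"},
    {"prefix": "172.16.0.0/12", "next_hop": "203.0.113.9", "source": "203.0.113.9"},
]

# Standard ACLs as ordered (action, network) entries; a host entry is a /32.
# Names are hypothetical (acl_dmz1/acl_dmz2 echo the page's own example).
ACLS = {
    "acl_dmz1": [("permit", "192.0.2.0/24")],
    "acl_dmz2": [("permit", "198.51.100.7/32")],
    "acl_core": [("deny", "203.0.113.9/32"), ("permit", "203.0.113.0/24")],
}

# Hypothetical route map, equivalent to:
#   route-map dmz_to_ospf permit 10
#     match ip route-source acl_dmz1 acl_dmz2
#     set metric 50
#   route-map dmz_to_ospf permit 20
#     match ip next-hop acl_core
ROUTE_MAP = [
    {"seq": 10, "action": "permit",
     "match": [("route-source", ["acl_dmz1", "acl_dmz2"])], "set": {"metric": 50}},
    {"seq": 20, "action": "permit",
     "match": [("next-hop", ["acl_core"])], "set": {}},
]

def acl_permits(acl_name, address):
    """First matching ACL entry decides; no matching entry is an implicit deny."""
    addr = ipaddress.ip_address(address)
    for action, network in ACLS[acl_name]:
        if addr in ipaddress.ip_network(network):
            return action == "permit"
    return False

def clause_passes(clause, route):
    """One match command. Several ACLs on the same command are ORed: the route
    passes if any one of them permits the field being matched."""
    kind, acl_names = clause
    field = {"route-source": "source", "next-hop": "next_hop"}[kind]
    return any(acl_permits(name, route[field]) for name in acl_names)

def sequence_passes(sequence, route):
    """Different match commands in one sequence are ANDed: all must pass."""
    return all(clause_passes(clause, route) for clause in sequence["match"])

def apply_route_map(route_map, routes):
    """Sequences are tried in order and the first one that matches decides.
    A deny sequence, or no matching sequence at all, means the route is not
    redistributed. Returns {prefix: set actions} for the redistributed routes."""
    redistributed = {}
    for route in routes:
        for sequence in route_map:
            if sequence_passes(sequence, route):
                if sequence["action"] == "permit":
                    redistributed[route["prefix"]] = sequence["set"]
                break
    return redistributed

if __name__ == "__main__":
    for prefix, actions in apply_route_map(ROUTE_MAP, ROUTES).items():
        print(prefix, actions)
```

Running it redistributes 10.10.0.0/16 and 10.20.0.0/16 with metric 50; 172.16.0.0/12 fails sequence 10 (its source is in neither DMZ ACL) and sequence 20 (acl_core denies its next hop before the /24 permit), so it is dropped.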
Examples
The following example shows how to distribute routes that have been advertised by routers and access servers at the addresses specified by ACLs acl_dmz1 and acl_dmz2:
hostname(config)# route-map name
hostname(config-route-map)# match ip route-source acl_dmz1 acl_dmz2
Related Commands
Command | Description
match interface | Distributes any routes that have their next hop out one of the interfaces specified.
match ip next-hop | Distributes any routes that have a next-hop router address that is passed by one of the ACLs specified.
match metric | Redistributes routes with the metric specified.
route-map | Defines the conditions for redistributing routes from one routing protocol into another.
set metric | Specifies the metric value in the destination routing protocol for a route map.
match login-name
To configure a match condition for a client login name for instant messaging, use the match login-name command in class-map or policy-map configuration mode. To remove the match condition, use the no form of this command.
match [not] login-name regex [regex_name | class regex_class_name]
no match [not] login-name regex [regex_name | class regex_class_name]
Syntax Description
regex_name | Specifies a regular expression.
class regex_class_name | Specifies a regular expression class map.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Transparent | Security Context: Single | Multiple Context | System
Class-map or policy map configuration | • | • | • | • | —
Command History
Release | Modification
7.2(1) | This command was introduced.
Usage Guidelines
This command can be configured in an IM class map or policy map. Only one entry can be entered in an IM class map.
Examples
The following example shows how to configure a match condition for a client login name in an instant messaging class map:
hostname(config)# class-map type inspect im im_class
hostname(config-cmap)# match login-name regex login
Related Commands
Command | Description
class-map | Creates a Layer 3/4 class map.
clear configure class-map | Removes all class maps.
match any | Includes all traffic in the class map.
show running-config class-map | Displays the information about the class map configuration.
match media-type
To configure a match condition on the H.323 media type, use the match media-type command in policy-map configuration mode. To disable this feature, use the no form of this command.
match [not] media-type {audio | data | video}
no match [not] media-type {audio | data | video}
Syntax Description
audio | Specifies to match the audio media type.
data | Specifies to match the data media type.
video | Specifies to match the video media type.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Transparent | Security Context: Single | Multiple Context | System
Policy map configuration | • | • | • | • | —
Command History
Release | Modification
7.2(1) | This command was introduced.
Examples
The following example shows how to configure a match condition for audio media type in an H.323 inspection class map:
hostname(config-cmap)# match media-type audio
Related Commands
Command | Description
class-map | Creates a Layer 3/4 class map.
clear configure class-map | Removes all class maps.
match any | Includes all traffic in the class map.
match port | Identifies a specific port number in a class map.
show running-config class-map | Displays the information about the class map configuration.
match message id
To configure a match condition for a GTP message ID, use the match message id command in class-map or policy-map configuration mode. To remove the match condition, use the no form of this command.
match [not] message id {message_id | range lower_range upper_range}
no match [not] message id {message_id | range lower_range upper_range}
Syntax Description
message_id | Specifies a single message ID, a numeric value between 1 and 255.
range lower_range upper_range | Specifies a lower and upper range of message IDs.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Transparent | Security Context: Single | Multiple Context | System
Class-map or policy map configuration | • | • | • | • | —
Command History
Release | Modification
7.2(1) | This command was introduced.
Usage Guidelines
This command can be configured in a GTP class map or policy map. Only one entry can be entered in a GTP class map.
Examples
The following example shows how to configure a match condition for a message ID in a GTP inspection class map:
hostname(config-cmap)# match message id 33
Related Commands
Command | Description
class-map | Creates a Layer 3/4 class map.
clear configure class-map | Removes all class maps.
match any | Includes all traffic in the class map.
match port | Identifies a specific port number in a class map.
show running-config class-map | Displays the information about the class map configuration.
match message length
To configure a match condition for a GTP message length, use the match message length command in class-map or policy-map configuration mode. To remove the match condition, use the no form of this command.
match [not] message length min min_length max max_length
no match [not] message length min min_length max max_length
Syntax Description
min min_length | Specifies the minimum message length. Value is between 1 and 65536.
max max_length | Specifies the maximum message length. Value is between 1 and 65536.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Transparent | Security Context: Single | Multiple Context | System
Class-map or policy map configuration | • | • | • | • | —
Command History
Release | Modification
7.2(1) | This command was introduced.
Usage Guidelines
This command can be configured in a GTP class map or policy map. Only one entry can be entered in a GTP class map.
Examples
The following example shows how to configure a match condition for a message length in a GTP inspection class map:
hostname(config-cmap)# match message length min 8 max 200
Related Commands
Command | Description
class-map | Creates a Layer 3/4 class map.
clear configure class-map | Removes all class maps.
match any | Includes all traffic in the class map.
match port | Identifies a specific port number in a class map.
show running-config class-map | Displays the information about the class map configuration.
match message-path
To configure a match condition for the path taken by a SIP message as specified in the Via header field, use the match message-path command in class-map or policy-map configuration mode. To remove the match condition, use the no form of this command.
match [not] message-path regex [regex_name | class regex_class_name]
no match [not] message-path regex [regex_name | class regex_class_name]
Syntax Description
regex_name | Specifies a regular expression.
class regex_class_name | Specifies a regular expression class map.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Transparent | Security Context: Single | Multiple Context | System
Class-map or policy map configuration | • | • | • | • | —
Command History
Release | Modification
7.2(1) | This command was introduced.
Usage Guidelines
This command can be configured in a SIP class map or policy map. Only one entry can be entered in a SIP class map.
Examples
The following example shows how to configure a match condition for the path taken by a SIP message in a SIP inspection class map:
hostname(config-cmap)# match message-path regex class sip_message
Related Commands
Command | Description
class-map | Creates a Layer 3/4 class map.
clear configure class-map | Removes all class maps.
match any | Includes all traffic in the class map.
match port | Identifies a specific port number in a class map.
show running-config class-map | Displays the information about the class map configuration.
match mime
To configure a match condition on the ESMTP mime encoding type, mime filename length, or mime file type, use the match mime command in policy-map configuration mode. To disable this feature, use the no form of this command.
match [not] mime {encoding type | filename length gt bytes | filetype regex}
no match [not] mime {encoding type | filename length gt bytes | filetype regex}
Syntax Description
encoding type | Specifies to match on the MIME encoding type.
filename length gt bytes | Specifies to match on MIME filenames longer than the given number of bytes.
filetype regex | Specifies to match on the MIME file type using a regular expression.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Transparent | Security Context: Single | Multiple Context | System
Policy map configuration | • | • | • | • | —
Command History
Release | Modification
7.2(1) | This command was introduced.
Examples
The following example shows how to configure a match condition for a mime filename length in an ESMTP inspection policy map:
hostname(config)# policy-map type inspect esmtp esmtp_map
hostname(config-pmap)# match mime filename length gt 255
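As an added example (not the appliance's code), the following Python shows what each of the three match mime forms tests, using the standard library email parser over a constructed multipart message whose attachment carries a 271-byte filename and a base64 transfer encoding. The message is constructed for the example, and applying the filetype regular expression to the attachment filename is an assumption about what the appliance matches on.

```python
import re
from email import policy
from email.parser import BytesParser

# Constructed SMTP DATA payload (not a real capture): a text part plus a
# base64 attachment whose filename is deliberately longer than 255 bytes.
LONG_NAME = "quarterly_report_" + "x" * 250 + ".exe"
RAW_MESSAGE = (
    "From: alice@example.test\r\n"
    "To: bob@example.test\r\n"
    "Subject: report\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: multipart/mixed; boundary=\"b1\"\r\n"
    "\r\n"
    "--b1\r\n"
    "Content-Type: text/plain; charset=us-ascii\r\n"
    "Content-Transfer-Encoding: 7bit\r\n"
    "\r\n"
    "see attached\r\n"
    "--b1\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "Content-Disposition: attachment; filename=\"" + LONG_NAME + "\"\r\n"
    "\r\n"
    "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAA=\r\n"
    "--b1--\r\n"
).encode("ascii")

def leaf_parts(raw):
    """Parse the message and return the non-multipart (leaf) MIME parts."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return [part for part in msg.walk() if not part.is_multipart()]

def match_mime_encoding(raw, encoding):
    """match mime encoding <type>: true if any part uses that transfer encoding.
    A part with no Content-Transfer-Encoding header is 7bit by the RFC 2045 default."""
    wanted = encoding.lower()
    return any(str(part.get("Content-Transfer-Encoding", "7bit")).lower() == wanted
               for part in leaf_parts(raw))

def match_mime_filename_length_gt(raw, limit):
    """match mime filename length gt <bytes>: true if any attachment filename
    is longer than limit, counted in bytes of the decoded filename."""
    return any(len((part.get_filename() or "").encode("utf-8")) > limit
               for part in leaf_parts(raw))

def match_mime_filetype(raw, pattern):
    """match mime filetype regex <name>: here the regex is applied to the attachment
    filename (an assumption); anchoring on the extension expresses a file type."""
    rx = re.compile(pattern, re.IGNORECASE)
    return any(rx.search(part.get_filename() or "") for part in leaf_parts(raw))

if __name__ == "__main__":
    print("base64 part:", match_mime_encoding(RAW_MESSAGE, "base64"))
    print("filename > 255:", match_mime_filename_length_gt(RAW_MESSAGE, 255))
    print("exe attachment:", match_mime_filetype(RAW_MESSAGE, r"\.exe$"))
```

The filename check counts bytes rather than characters because an attacker can pad a name with multi-byte characters; a character count would undercount what the appliance sees on the wire.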
Related Commands
Command | Description
class-map | Creates a Layer 3/4 class map.
clear configure class-map | Removes all class maps.
match any | Includes all traffic in the class map.
match port | Identifies a specific port number in a class map.
show running-config class-map | Displays the information about the class map configuration.
match peer-ip-address
To configure a match condition for the peer IP address for instant messaging, use the match peer-ip-address command in class-map or policy-map configuration mode. To remove the match condition, use the no form of this command.
match [not] peer-ip-address ip_address ip_address_mask
no match [not] peer-ip-address ip_address ip_address_mask
Syntax Description
ip_address | Specifies a hostname or IP address of the client or server.
ip_address_mask | Specifies the netmask for the client or server IP address.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Transparent | Security Context: Single | Multiple Context | System
Class-map or policy map configuration | • | • | • | • | —
Command History
Release | Modification
7.2(1) | This command was introduced.
Usage Guidelines
This command can be configured in an IM class map or policy map. Only one entry can be entered in an IM class map.
Examples
The following example shows how to configure a match condition for the peer IP address in an instant messaging class map:
hostname(config)# class-map type inspect im im_class
hostname(config-cmap)# match peer-ip-address 10.1.1.0 255.255.255.0
Related Commands
Command | Description
class-map | Creates a Layer 3/4 class map.
clear configure class-map | Removes all class maps.
match any | Includes all traffic in the class map.
show running-config class-map | Displays the information about the class map configuration.
match peer-login-name
To configure a match condition for the peer login name for instant messaging, use the match peer-login-name command in class-map or policy-map configuration mode. To remove the match condition, use the no form of this command.
match [not] peer-login-name regex [regex_name | class regex_class_name]
no match [not] peer-login-name regex [regex_name | class regex_class_name]
Syntax Description
regex_name | Specifies a regular expression.
class regex_class_name | Specifies a regular expression class map.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Transparent | Security Context: Single | Multiple Context | System
Class-map or policy map configuration | • | • | • | • | —
Command History
Release | Modification
7.2(1) | This command was introduced.
Usage Guidelines
This command can be configured in an IM class map or policy map. Only one entry can be entered in an IM class map.
Examples
The following example shows how to configure a match condition for the peer login name in an instant messaging class map:
hostname(config)# class-map type inspect im im_class
hostname(config-cmap)# match peer-login-name regex peerlogin
Related Commands
Command | Description
class-map | Creates a Layer 3/4 class map.
clear configure class-map | Removes all class maps.
match any | Includes all traffic in the class map.
show running-config class-map | Displays the information about the class map configuration.
match port
When using the Modular Policy Framework, match the TCP or UDP ports to which you want to apply actions by using the match port command in class-map configuration mode. To remove the match port command, use the no form of this command.
match port {tcp | udp} {eq port | range beg_port end_port}
no match port {tcp | udp} {eq port | range beg_port end_port}
Syntax Description
eq port | Specifies a single port name or number.
range beg_port end_port | Specifies beginning and ending port range values between 1 and 65535.
tcp | Specifies a TCP port.
udp | Specifies a UDP port.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Transparent | Security Context: Single | Multiple Context | System
Class-map configuration | • | • | • | • | —
Command History
Release | Modification
7.0(1) | This command was introduced.
Usage Guidelines
Configuring Modular Policy Framework consists of four tasks:
1. Identify the Layer 3 and 4 traffic to which you want to apply actions using the class-map or class-map type management command.
After you enter the class-map command, you can enter the match port command to identify the traffic. Alternatively, you can enter a different type of match command, such as the match access-list command (the class-map type management command only allows the match port command). You can only include one match port command in the class map, and you cannot combine it with other types of match commands.
2. (Application inspection only) Define special actions for application inspection traffic using the policy-map type inspect command.
3. Apply actions to the Layer 3 and 4 traffic using the policy-map command.
4. Activate the actions on an interface using the service-policy command.
Examples
The following example shows how to define a traffic class using a class map and the match port command:
hostname(config)# class-map cmap
hostname(config-cmap)# match port tcp eq 8080
Related Commands
Command | Description
class-map | Creates a Layer 3/4 class map.
clear configure class-map | Removes all class maps.
match access-list | Matches traffic according to an access list.
match any | Includes all traffic in the class map.
show running-config class-map | Displays the information about the class map configuration.
match precedence
To specify a precedence value in a class map, use the match precedence command in class-map configuration mode. To remove this specification, use the no form of this command.
match precedence value
no match precedence value
Syntax Description
value | Specifies up to four precedence values separated by a space. Range is 0 to 7.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Transparent | Security Context: Single | Multiple Context | System
Class-map configuration | • | • | • | • | —
Command History
Release | Modification
7.0(1) | This command was introduced.
Usage Guidelines
The match commands are used to identify the traffic included in the traffic class for a class map. They include different criteria to define the traffic included in a class-map. Define a traffic class using the class-map global configuration command as part of configuring a security feature using Modular Policy Framework. From class-map configuration mode, you can define the traffic to include in the class using the match command.
After a traffic class is applied to an interface, packets received on that interface are compared to the criteria defined by the match statements in the class map. If the packet matches the specified criteria, it is included in the traffic class and is subjected to any actions associated with that traffic class. Packets that do not match any of the criteria in any traffic class are assigned to the default traffic class.
Use the match precedence command to match on the IP precedence value, which is carried in the high-order three bits of the TOS byte in the IP header. The value is set by the sender, so treat it as an untrusted selector rather than as proof of a packet's origin or importance.
Examples
The following example shows how to define a traffic class using a class map and the match precedence command:
hostname(config)# class-map cmap
hostname(config-cmap)# match precedence 1
Related Commands
Command | Description
class-map | Creates a Layer 3/4 class map.
clear configure class-map | Removes all class maps.
match access-list | Identifies access list traffic within a class map.
match any | Includes all traffic in the class map.
show running-config class-map | Displays the information about the class map configuration.
match protocol
To configure a match condition for a specific instant messaging protocol, such as MSN or Yahoo, use the match protocol command in class-map or policy-map configuration mode. To remove the match condition, use the no form of this command.
match [not] protocol {msn-im | yahoo-im}
no match [not] protocol {msn-im | yahoo-im}
Syntax Description
msn-im | Specifies to match the MSN instant messaging protocol.
yahoo-im | Specifies to match the Yahoo instant messaging protocol.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Transparent | Security Context: Single | Multiple Context | System
Class-map or policy map configuration | • | • | • | • | —
Command History
Release | Modification
7.2(1) | This command was introduced.
Usage Guidelines
This command can be configured in an IM class map or policy map. Only one entry can be entered in an IM class map.
Examples
The following example shows how to configure a match condition for the Yahoo instant messaging protocol in an instant messaging class map:
hostname(config)# class-map type inspect im im_class
hostname(config-cmap)# match protocol yahoo-im
Related Commands
Command | Description
class-map | Creates a Layer 3/4 class map.
clear configure class-map | Removes all class maps.
match any | Includes all traffic in the class map.
show running-config class-map | Displays the information about the class map configuration.
match question
To configure a match condition for a DNS question or resource record, use the match question command in class-map or policy-map configuration mode. To remove a configured section, use the no form of this command.
match {question | resource-record {answer | authority | additional}}
no match {question | resource-record {answer | authority | additional}}
Syntax Description
question | Specifies the question portion of a DNS message.
resource-record | Specifies the resource record portion of a DNS message.
answer | Specifies the Answer RR section.
authority | Specifies the Authority RR section.
additional | Specifies the Additional RR section.
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Transparent | Security Context: Single | Multiple Context | System
Class-map or policy map configuration | • | • | • | • | —
Command History
Release | Modification
7.2(1) | This command was introduced.
Usage Guidelines
By default, this command inspects the DNS header and matches the specified section. It can be used in conjunction with other DNS match commands to define inspection of a particular question or RR type.
This command can be configured within a DNS class map or policy map. Only one entry can be entered within a DNS class map.
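The following Python parser, added as an example and not part of the command reference, splits a DNS message into the four sections this command selects and then emulates a DNS class map that combines match question or match resource-record with a domain-name regular expression and an RR type. The response message is constructed for the example and uses name compression; the parser bounds pointer chasing so a crafted packet with a pointer loop raises an error instead of hanging the inspector.

```python
import re
import struct

def _read_name(msg, offset):
    """Decode a DNS name at offset, following RFC 1035 compression pointers.
    Returns (name, offset just past the name in the original byte stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # pointer: 11xxxxxx xxxxxxxx
            target = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2                       # resume after the first pointer
            hops += 1
            if hops > 64:                              # bound loops in hostile packets
                raise ValueError("compression pointer loop")
            offset = target
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)

def parse_sections(msg):
    """Split a DNS message into its question, answer, authority and additional sections."""
    _ident, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, question = 12, []
    for _ in range(qd):
        name, off = _read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        question.append((name, qtype, qclass))
    sections = {"question": question}
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        records = []
        for _ in range(count):
            name, off = _read_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            records.append((name, rtype, rclass, ttl, msg[off:off + rdlen]))
            off += rdlen
        sections[key] = records
    return sections

def match_dns(msg, section, domain_regex=None, rr_type=None):
    """Emulate a DNS class map: `match question` or `match resource-record <section>`
    narrowed by `match domain-name regex` (domain_regex) and `match dns-type` (rr_type)."""
    rx = re.compile(domain_regex) if domain_regex else None
    for rec in parse_sections(msg)[section]:
        name, rtype = rec[0], rec[1]
        if rx is not None and not rx.search(name):
            continue
        if rr_type is not None and rtype != rr_type:
            continue
        return True
    return False

def _encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"

def build_sample_response():
    """Constructed response (not a capture): A query for www.example.test with one
    answer, one NS authority record and one glue record, using name compression."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 1, 1)
    question = _encode_name("www.example.test") + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    ns_rdata = _encode_name("ns1.example.test")
    authority = b"\xc0\x10" + struct.pack("!HHIH", 2, 1, 3600, len(ns_rdata)) + ns_rdata
    glue = _encode_name("ns1.example.test") + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 53])
    return header + question + answer + authority + glue

if __name__ == "__main__":
    for section, records in parse_sections(build_sample_response()).items():
        print(section, records)
```

The section a name appears in matters for policy: the same domain-name regular expression that is harmless in the question can indicate cache-poisoning glue when it appears in the additional section, which is why the command lets you pick the section before other match commands narrow it.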
Examples
The following example shows how to configure a match condition for a DNS question in a DNS inspection policy map:
hostname(config)# policy-map type inspect dns preset_dns_map
hostname(config-pmap)# match question
Related Commands
Command | Description
class-map | Creates a Layer 3/4 class map.
clear configure class-map | Removes all class maps.
match any | Includes all traffic in the class map.
match port | Identifies a specific port number in a class map.
show running-config class-map | Displays the information about the class map configuration.
match req-resp
To configure a match condition for both HTTP requests and responses, use the match req-resp command in policy-map configuration mode. To disable this feature, use the no form of this command.
match [not] req-resp content-type mismatch
no match [not] req-resp content-type mismatch
Syntax Description
content-type | Specifies to match the content type in the response against the accept types in the request.
mismatch | Specifies that the content-type field in the response must match one of the MIME types in the accept field of the request.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Transparent | Security Context: Single | Multiple Context | System
Policy map configuration | • | • | • | • | —
Command History
Release | Modification
7.2(1) | This command was introduced.
Usage Guidelines
This command enables the following checks:
• Verifies that the value of the content-type header is in the internal list of supported content types.
• Verifies that the content-type header matches the actual content in the data or entity body portion of the message.
• Verifies that the content-type field in the HTTP response matches the accept field in the corresponding HTTP request message.
If the message fails any of the above checks, the security appliance takes the configured action.
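The three checks, implemented in Python as an added example (not the appliance's implementation): the supported-type set is the list quoted on this page, while the file-signature table, the request/response pairs and the decision to ignore Accept q-values are assumptions made for the example.

```python
# Subset of the appliance's supported content types (the list on this page),
# with "audio/*" standing for the whole top-level type.
SUPPORTED = {
    "audio/*", "audio/basic", "audio/mpeg", "audio/x-adpcm", "audio/midi",
    "audio/x-ogg", "audio/x-wav", "audio/x-aiff", "video/x-msvideo",
    "application/octet-stream", "application/pdf", "application/msword",
    "application/vnd.ms-excel", "application/vnd.ms-powerpoint",
    "application/postscript", "application/x-gzip", "application/zip",
    "image/jpeg", "image/gif", "image/png", "image/tiff",
}

# File signatures used to check that the declared type matches the body
# (assumed table; the appliance's own signature list is not published here).
MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/jpeg": (b"\xff\xd8\xff",),
    "application/pdf": (b"%PDF-",),
    "application/zip": (b"PK\x03\x04",),
    "application/x-gzip": (b"\x1f\x8b",),
}

def parse_http(raw):
    """Split a raw HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def media_type(value):
    """'image/png; charset=x' -> 'image/png' (parameters dropped, case folded)."""
    return value.split(";", 1)[0].strip().lower()

def is_supported(ctype):
    return ctype in SUPPORTED or ctype.split("/", 1)[0] + "/*" in SUPPORTED

def body_matches_type(ctype, body):
    """Without a known signature nothing can be contradicted, so the check passes."""
    signatures = MAGIC.get(ctype)
    return signatures is None or any(body.startswith(sig) for sig in signatures)

def accept_allows(accept, ctype):
    """Match the response type against the request's Accept list (q-values ignored)."""
    top = ctype.split("/", 1)[0]
    for item in accept.split(","):
        pattern = media_type(item)
        if pattern in ("*/*", ctype) or (pattern.endswith("/*") and pattern[:-2] == top):
            return True
    return False

def req_resp_failures(request, response):
    """Return the names of the checks that fail; an empty list means the pair passes
    (the appliance would apply its configured action on any non-empty result)."""
    _, req_headers, _ = parse_http(request)
    _, resp_headers, body = parse_http(response)
    ctype = media_type(resp_headers.get("content-type", ""))
    failures = []
    if not is_supported(ctype):
        failures.append("unsupported-content-type")
    if not body_matches_type(ctype, body):
        failures.append("body-mismatch")
    if "accept" in req_headers and not accept_allows(req_headers["accept"], ctype):
        failures.append("accept-mismatch")
    return failures

# Constructed request/response pairs (not captures).
REQUEST = (b"GET /logo.png HTTP/1.1\r\nHost: www.example.test\r\n"
           b"Accept: image/png, image/*;q=0.8\r\n\r\n")
GOOD = (b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\nContent-Length: 16\r\n\r\n"
        b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR")
WRONG_BODY = (b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n\r\n"
              b"MZ\x90\x00\x03\x00\x00\x00")          # PE header labelled as a GIF
WRONG_TYPE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/x-msdownload\r\n\r\n"
              b"MZ\x90\x00\x03\x00\x00\x00")

if __name__ == "__main__":
    for label, resp in (("good", GOOD), ("wrong body", WRONG_BODY), ("wrong type", WRONG_TYPE)):
        print(label, req_resp_failures(REQUEST, resp))
```

The second pair is the case this command exists for: a server answering an image request with an executable while keeping the declared type in the client's Accept list, which only the body check catches.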
The following is the list of supported content types:
audio/*, audio/basic, audio/mpeg, audio/x-adpcm, audio/midi, audio/x-ogg, audio/x-wav, audio/x-aiff
video/x-msvideo
application/octet-stream, application/pdf, application/msword, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/postscript, application/x-java-arching, application/x-msn-messenger, application/x-gzip, application/x-java-xm, application/zip
image, image/jpeg, image/cgf, image/gif, image/x-3ds, image/png, image/tiff