Table Of Contents
eigrp log-neighbor-warnings through functions Commands
eigrp log-neighbor-changes
eigrp log-neighbor-warnings
eigrp router-id
eigrp stub
eject
email
enable
enable (webvpn)
enable gprs
enable password
endpoint
endpoint-mapper
enforcenextupdate
enrollment-retrieval
enrollment retry count
enrollment retry period
enrollment terminal
enrollment url
eou allow
eou clientless
eou initialize
eou max-retry
eou port
eou revalidate
eou timeout
erase
esp
established
exceed-mss
exempt-list
exit
expiry-time
export
export webvpn customization
export webvpn translation-table
export webvpn url-list
export webvpn webcontent
failover
failover active
failover exec
failover group
failover interface ip
failover interface-policy
failover key
failover lan enable
failover lan interface
failover lan unit
failover link
failover mac address
failover polltime
failover polltime interface
failover reload-standby
failover replication http
failover reset
failover timeout
file-bookmarks
file-browsing
file-encoding
file-entry
filter
filter activex
filter ftp
filter https
filter java
filter url
fips enable
fips self-test poweron
firewall transparent
flow-export delay flow-create
flow-export destination
flow-export template timeout-rate
format
forward interface
fqdn
fragment
frequency
fsck
ftp mode passive
functions (removed)
eigrp log-neighbor-warnings through functions Commands
eigrp log-neighbor-changes
To enable the logging of EIGRP neighbor adjacency changes, use the eigrp log-neighbor-changes command in router configuration mode. To turn off this function, use the no form of this command.
eigrp log-neighbor-changes
no eigrp log-neighbor-changes
Syntax Description
This command has no arguments or keywords.
Defaults
This command is enabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode         | Firewall Mode        | Security Context
                     | Routed | Transparent | Single | Multiple: Context | Multiple: System
Router configuration | •      | —           | •      | —                 | —
Command History
Release | Modification
8.0(2)  | This command was introduced.
Usage Guidelines
The eigrp log-neighbor-changes command is enabled by default; only the no form of the command appears in the running configuration.
Examples
The following example disables the logging of EIGRP neighbor changes:
hostname(config)# router eigrp 100
hostname(config-router)# no eigrp log-neighbor-changes
Related Commands
Command                     | Description
eigrp log-neighbor-warnings | Enables logging of neighbor warning messages.
router eigrp                | Enters router configuration mode for the EIGRP routing process.
show running-config router  | Displays the commands in the global router configuration.
eigrp log-neighbor-warnings
To enable the logging of EIGRP neighbor warning messages, use the eigrp log-neighbor-warnings command in router configuration mode. To turn off this function, use the no form of this command.
eigrp log-neighbor-warnings [seconds]
no eigrp log-neighbor-warnings
Syntax Description
seconds | (Optional) The time interval (in seconds) between repeated neighbor warning messages. Valid values are from 1 to 65535. Repeated warnings are not logged if they occur during this interval.
Defaults
This command is enabled by default. All neighbor warning messages are logged.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode         | Firewall Mode        | Security Context
                     | Routed | Transparent | Single | Multiple: Context | Multiple: System
Router configuration | •      | —           | •      | —                 | —
Command History
Release | Modification
8.0(2)  | This command was introduced.
Usage Guidelines
The eigrp log-neighbor-warnings command is enabled by default; only the no form of the command appears in the running configuration.
Examples
The following example disables the logging of EIGRP neighbor warning messages:
hostname(config)# router eigrp 100
hostname(config-router)# no eigrp log-neighbor-warnings
The following example logs EIGRP neighbor warning messages and repeats the warning messages at 5-minute (300-second) intervals:
hostname(config)# router eigrp 100
hostname(config-router)# eigrp log-neighbor-warnings 300
Related Commands
Command                    | Description
eigrp log-neighbor-changes | Enables the logging of changes in EIGRP neighbor adjacencies.
router eigrp               | Enters router configuration mode for the EIGRP routing process.
show running-config router | Displays the commands in the global router configuration.
eigrp router-id
To specify the router ID used by the EIGRP routing process, use the eigrp router-id command in router configuration mode. To restore the default value, use the no form of this command.
eigrp router-id ip-addr
no eigrp router-id [ip-addr]
Syntax Description
ip-addr | Router ID in IP address (dotted-decimal) format. You cannot use 0.0.0.0 or 255.255.255.255 as the router ID.
Defaults
If not specified, the highest-level IP address on the adaptive security appliance is used as the router ID.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode         | Firewall Mode        | Security Context
                     | Routed | Transparent | Single | Multiple: Context | Multiple: System
Router configuration | •      | —           | •      | —                 | —
Command History
Release | Modification
8.0(2)  | This command was introduced.
Usage Guidelines
If the eigrp router-id command is not configured, EIGRP automatically selects the highest IP address on the adaptive security appliance as the router ID when the EIGRP process starts. The router ID does not change afterwards unless the EIGRP process is removed with the no router eigrp command or the router ID is set manually with the eigrp router-id command.
The router ID identifies the originating router for external routes. If an external route arrives carrying the local router ID, the route is discarded as a loop. A duplicate router ID therefore causes valid routes to be dropped. Use the eigrp router-id command to pin a unique, stable address as the router ID rather than relying on the automatic choice, which can come out differently after the process is restarted with a different set of interface addresses.
Configure a unique value for each EIGRP router in the autonomous system.
Examples
The following example configures 172.16.1.3 as a fixed router ID for the EIGRP routing process:
hostname(config)# router eigrp 100
hostname(config-router)# eigrp router-id 172.16.1.3
Related Commands
Command                    | Description
router eigrp               | Enters router configuration mode for the EIGRP routing process.
show running-config router | Displays the commands in the global router configuration.
eigrp stub
To configure the EIGRP routing process as a stub routing process, use the eigrp stub command in router configuration mode. To remove EIGRP stub routing, use the no form of this command.
eigrp stub [receive-only] | {[connected] [redistributed] [static] [summary]}
no eigrp stub [receive-only] | {[connected] [redistributed] [static] [summary]}
Syntax Description
connected     | (Optional) Advertises connected routes.
receive-only  | (Optional) Sets the adaptive security appliance as a receive-only neighbor.
redistributed | (Optional) Advertises routes redistributed from other routing protocols.
static        | (Optional) Advertises static routes.
summary       | (Optional) Advertises summary routes.
Defaults
Stub routing is not enabled.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode         | Firewall Mode        | Security Context
                     | Routed | Transparent | Single | Multiple: Context | Multiple: System
Router configuration | •      | —           | •      | —                 | —
Command History
Release | Modification
8.0(2)  | This command was introduced.
Usage Guidelines
Use the eigrp stub command to configure the adaptive security appliance as a stub where the adaptive security appliance directs all IP traffic to a distribution router.
Using the receive-only keyword restricts the adaptive security appliance from sharing any of its routes with any other router in the autonomous system; the adaptive security appliance only receives updates from the EIGRP neighbor. You cannot use any other keyword with the receive-only keyword.
You can specify one or more of the connected, static, summary, and redistributed keywords. If any of these keywords is used with the eigrp stub command, only the route types specified by the particular keyword are sent.
The connected keyword permits the EIGRP stub routing process to send connected routes. If the connected routes are not covered by a network statement, it may be necessary to redistribute connected routes with the redistribute command under the EIGRP process.
The static keyword permits the EIGRP stub routing process to send static routes. Without the configuration of this option, EIGRP will not send any static routes. If the static routes are not covered by a network statement, it may be necessary to redistribute them with the redistribute command under the EIGRP process.
The summary keyword permits the EIGRP stub routing process to send summary routes. You can create summary routes manually with the summary-address eigrp command or automatically with the auto-summary command enabled (auto-summary is enabled by default).
The redistributed keyword permits the EIGRP stub routing process to send routes redistributed into the EIGRP routing process from other routing protocols. If you do not configure this option, EIGRP does not advertise redistributed routes.
Examples
The following example uses the eigrp stub command to configure the adaptive security appliance as an EIGRP stub that advertises connected and summary routes:
hostname(config)# router eigrp 100
hostname(config-router)# network 10.0.0.0
hostname(config-router)# eigrp stub connected summary
The following example uses the eigrp stub command to configure the adaptive security appliance as an EIGRP stub that advertises connected and static routes. Sending summary routes is not permitted.
hostname(config)# router eigrp 100
hostname(config-router)# network 10.0.0.0
hostname(config-router)# eigrp stub connected static
The following example uses the eigrp stub command to configure the adaptive security appliance as an EIGRP stub that only receives EIGRP updates. Connected, summary, and static route information is not sent.
hostname(config)# router eigrp 100
hostname(config-router)# network 10.0.0.0
hostname(config-router)# eigrp stub receive-only
The following example uses the eigrp stub command to configure the adaptive security appliance as an EIGRP stub that advertises routes redistributed into EIGRP from other routing protocols:
hostname(config)# router eigrp 100
hostname(config-router)# network 10.0.0.0
hostname(config-router)# eigrp stub redistributed
The following example uses the eigrp stub command without any of the optional arguments. When used without arguments, the eigrp stub command advertises connected and static routes by default.
hostname(config)# router eigrp 100
hostname(config-router)# network 10.0.0.0
hostname(config-router)# eigrp stub
Related Commands
Command                          | Description
router eigrp                     | Enters router configuration mode for the EIGRP routing process.
show running-config router eigrp | Displays the EIGRP router configuration mode commands in the running configuration.
eject
To support the removal of an ASA 5500 series external compact Flash device, use the eject command in user EXEC mode.
eject [/noconfirm] disk1:
Syntax Description
disk1:     | Specifies the device to eject.
/noconfirm | Specifies that you do not need to confirm device removal before physically removing the external Flash device from the security appliance.
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode        | Security Context
             | Routed | Transparent | Single | Multiple: Context | Multiple: System
User EXEC    | •      | •           | •      | •                 | •
Command History
Release | Modification
8.0(2)  | This command was introduced.
Usage Guidelines
The eject command allows you to safely remove a compact Flash device from an ASA 5500 series security appliance. Without the /noconfirm keyword, the command asks for confirmation before it shuts down the slot.
Examples
The following example shows how to use the eject command to shut down disk1 gracefully before the device is physically removed from the security appliance, followed by the show version output that reports the slot as ejected:
hostname# eject /noconfirm disk1:
It is now safe to remove disk1:
hostname# show version
Cisco Adaptive Security Appliance Software Version 8.0(2)34
Compiled on Fri 18-May-07 10:28 by juser
System image file is "disk0:/cdisk.asa"
Config file at boot was "startup-config"
wef5520 up 5 hours 36 mins
Hardware: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
Slot 1: Compact Flash has been ejected!
It may be removed and a new device installed.
BIOS Flash M50FW016 @ 0xffe00000, 2048KB
Related Commands
Command      | Description
show version | Displays information about the operating system software.
email
To include the indicated email address in the Subject Alternative Name extension of the certificate during enrollment, use the email command in crypto ca-trustpoint configuration mode. To restore the default setting, use the no form of this command.
email address
no email
Syntax Description
address | Specifies the email address. The maximum length of address is 64 characters.
Defaults
No email address is set by default.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode                       | Firewall Mode        | Security Context
                                   | Routed | Transparent | Single | Multiple: Context | Multiple: System
Crypto ca-trustpoint configuration | •      | •           | •      |                   |
Command History
Release | Modification
7.0     | This command was introduced.
Examples
The following example enters crypto ca-trustpoint configuration mode for trustpoint central, and includes the email address user1@user.net in the enrollment request for trustpoint central:
hostname(config)# crypto ca-trustpoint central
hostname(ca-trustpoint)# email user1@user.net
Related Commands
Command             | Description
crypto ca-trustpoint | Enters trustpoint configuration mode.
enable
To enter privileged EXEC mode, use the enable command in user EXEC mode.
enable [level]
Syntax Description
level | (Optional) The privilege level between 0 and 15. Not used with enable authentication (the aaa authentication enable console command).
Defaults
Enters privilege level 15 unless you are using enable authentication (using the aaa authentication enable console command), in which case the default level depends on the level configured for your username.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode        | Security Context
             | Routed | Transparent | Single | Multiple: Context | Multiple: System
User EXEC    | •      | •           | •      | •                 | •
Command History
Release     | Modification
Preexisting | This command was preexisting.
Usage Guidelines
The default enable password is blank, so until you set one anyone who reaches the CLI can enter privileged EXEC mode by pressing Enter at the password prompt. See the enable password command to set the password.
Without enable authentication, when you enter the enable command, your username changes to enable_level, where the default level is 15. With enable authentication (using the aaa authentication enable console command), the username and associated level are preserved. Preserving the username is important for command authorization (the aaa authorization command command, using either local or TACACS+).
Levels 2 and above enter privileged EXEC mode. Levels 0 and 1 enter user EXEC mode. To use levels in between, enable local command authorization (the aaa authorization command LOCAL command) and set the commands to different privilege levels using the privilege command. TACACS+ command authorization does not use the privilege levels configured on the adaptive security appliance.
See the show curpriv command to view your current privilege level.
Enter the disable command to exit privileged EXEC mode.
Examples
The following example enters privileged EXEC mode:
hostname> enable
Password:
hostname#
The following example enters privileged EXEC mode for level 10:
hostname> enable 10
Password:
hostname#
Related Commands
Command                   | Description
enable password           | Sets the enable password.
disable                   | Exits privileged EXEC mode.
aaa authorization command | Configures command authorization.
privilege                 | Sets the command privilege levels for local command authorization.
show curpriv              | Shows the currently logged in username and the user privilege level.
enable (webvpn)
To enable WebVPN or e-mail proxy access on a previously configured interface, use the enable command. For WebVPN, use this command in webvpn mode. For e-mail proxies (IMAP4S, POP3S, SMTPS), use this command in the applicable e-mail proxy mode. To disable WebVPN or the e-mail proxy on an interface, use the no form of the command.
enable ifname
no enable
Syntax Description
ifname | Identifies the previously configured interface. Use the nameif command to configure interfaces.
Defaults
WebVPN is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode        | Security Context
             | Routed | Transparent | Single | Multiple: Context | Multiple: System
Webvpn       | •      | —           | •      | —                 | —
Imap4s       | •      | —           | •      | —                 | —
Pop3s        | •      | —           | •      | —                 | —
SMTPS        | •      | —           | •      | —                 | —
Command History
Release | Modification
7.0(1)  | This command was introduced.
Examples
The following example shows how to enable WebVPN on the interface named Outside:
hostname(config-webvpn)# enable Outside
The following example shows how to configure POP3S e-mail proxy on the interface named Outside:
hostname(config-pop3s)# enable Outside
enable gprs
To enable GPRS with RADIUS accounting, use the enable gprs command in radius-accounting parameter configuration mode, which is accessed by using the inspect radius-accounting command. The security appliance checks for the 3GPP VSA 26-10415 in the Accounting-Request Stop messages to properly handle secondary PDP contexts. To disable this command, use the no form of this command.
enable gprs
no enable gprs
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode                              | Firewall Mode        | Security Context
                                          | Routed | Transparent | Single | Multiple: Context | Multiple: System
radius-accounting parameter configuration | •      | •           | •      | •                 | —
Command History
Release | Modification
7.2(1)  | This command was introduced.
Usage Guidelines
This option is disabled by default. A GTP license is required to enable this feature.
Examples
The following example shows how to enable GPRS with RADIUS accounting:
hostname(config)# policy-map type inspect radius-accounting ra
hostname(config-pmap)# parameters
hostname(config-pmap-p)# enable gprs
Related Commands
Command                   | Description
inspect radius-accounting | Sets inspection for RADIUS accounting.
parameters                | Sets parameters for an inspection policy map.
enable password
To set the enable password for privileged EXEC mode, use the enable password command in global configuration mode. To remove the password for a level other than 15, use the no form of this command. You cannot remove the level 15 password.
enable password password [level level] [encrypted]
no enable password level level
Syntax Description
encrypted   | (Optional) Specifies that the password is in encrypted form. The password is saved in the configuration in encrypted form, so you cannot view the original password after you enter it. If for some reason you need to copy the password to another adaptive security appliance but do not know the original password, you can enter the enable password command with the encrypted password and this keyword. Normally, you only see this keyword when you enter the show running-config enable command.
level level | (Optional) Sets a password for a privilege level between 0 and 15.
password    | Sets the password as a case-sensitive string of up to 16 alphanumeric and special characters. You can use any character in the password except a question mark or a space.
Defaults
The default password is blank. The default level is 15.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode         | Firewall Mode        | Security Context
                     | Routed | Transparent | Single | Multiple: Context | Multiple: System
Global configuration | •      | •           | •      | •                 | •
Command History
Release     | Modification
Preexisting | This command was preexisting.
Usage Guidelines
The default password for enable level 15 (the default level) is blank. To reset the password to be blank, do not enter any text for the password.
For multiple context mode, you can create an enable password for the system configuration as well as for each context.
To use privilege levels other than the default of 15, configure local command authorization (see the aaa authorization command command and specify the LOCAL keyword), and set the commands to different privilege levels using the privilege command. If you do not configure local command authorization, the enable levels are ignored, and you have access to level 15 regardless of the level you set. See the show curpriv command to view your current privilege level.
Levels 2 and above enter privileged EXEC mode. Levels 0 and 1 enter user EXEC mode.
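The following worked configuration is an added example and is not part of the original reference. It ties together the enable, enable password, privilege and aaa authorization command commands described in the enable section and in the usage guidelines above, showing the weak default state next to the hardened one. The passwords, the commands assigned to level 10 and the hostname are assumptions; lines beginning with ! are annotations, not commands.

```cisco
! Weak starting point: the default enable password is blank, so anyone who
! reaches the CLI gets level 15 by pressing Enter at the password prompt.
hostname> enable
Password:
hostname#
!
! Hardened: a level-15 password plus a separate password for level 10.
! Both passwords are placeholders (16-character limit applies).
hostname# configure terminal
hostname(config)# enable password L15pl4ceholder!
hostname(config)# enable password L10pl4ceholder! level 10
!
! Without local command authorization the level argument is ignored and
! "enable 10" still yields level 15. Turn it on and assign the commands
! an operator at level 10 may run (this choice of commands is an assumption).
hostname(config)# aaa authorization command LOCAL
hostname(config)# privilege show level 10 command route
hostname(config)# privilege show level 10 command conn
hostname(config)# privilege cmd level 10 command ping
hostname(config)# exit
!
! Drop back to user EXEC, enter level 10 with its own password and verify.
hostname# disable
hostname> enable 10
Password:
hostname# show curpriv
```

Keep the level-15 session open until enable 10 and show curpriv behave as intended: command authorization takes effect immediately, and a mistake in the privilege assignments leaves the lower level without the commands it needs. If you use enable authentication (aaa authentication enable console) instead, omit the level argument; the level then comes from the username, as the enable section describes.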
Examples
The following example sets the enable password to Pa$$w0rd:
hostname(config)# enable password Pa$$w0rd
The following example sets the enable password to Pa$$w0rd10 for level 10:
hostname(config)# enable password Pa$$w0rd10 level 10
The following example sets the enable password to an encrypted password that you copied from another adaptive security appliance:
hostname(config)# enable password jMorNbK0514fadBh encrypted
Related Commands
Command                     | Description
aaa authorization command   | Configures command authorization.
enable                      | Enters privileged EXEC mode.
privilege                   | Sets the command privilege levels for local command authorization.
show curpriv                | Shows the currently logged in username and the user privilege level.
show running-config enable  | Shows the enable passwords in encrypted form.
endpoint
To add an endpoint to an HSI group for H.323 protocol inspection, use the endpoint command in hsi group configuration mode. To disable this feature, use the no form of this command.
endpoint ip_address if_name
no endpoint ip_address if_name
Syntax Description
if_name    | The interface through which the endpoint is connected to the security appliance.
ip_address | IP address of the endpoint to add. A maximum of ten endpoints per HSI group is allowed.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode            | Firewall Mode        | Security Context
                        | Routed | Transparent | Single | Multiple: Context | Multiple: System
HSI group configuration | •      | •           | •      | •                 | —
Command History
Release | Modification
7.2(1)  | This command was introduced.
Examples
The following example shows how to add endpoints to an HSI group in an H.323 inspection policy map:
hostname(config-pmap-p)# hsi-group 10
hostname(config-h225-map-hsi-grp)# endpoint 10.3.6.1 inside
hostname(config-h225-map-hsi-grp)# endpoint 10.10.25.5 outside
Related Commands
Command                         | Description
class-map                       | Creates a Layer 3/4 class map.
hsi-group                       | Creates an HSI group.
hsi                             | Adds an HSI to the HSI group.
policy-map                      | Creates a Layer 3/4 policy map.
show running-config policy-map  | Displays all current policy map configurations.
endpoint-mapper
To configure endpoint mapper options for DCERPC inspection, use the endpoint-mapper command in parameters configuration mode. To disable this feature, use the no form of this command.
endpoint-mapper [epm-service-only] [lookup-operation [timeout value]]
no endpoint-mapper [epm-service-only] [lookup-operation [timeout value]]
Syntax Description
epm-service-only | Specifies to enforce the endpoint mapper service during binding.
lookup-operation | Specifies to enable the lookup operation of the endpoint mapper service.
timeout value    | Specifies the timeout for pinholes opened as a result of the lookup operation, in hh:mm:ss format. Range is from 0:0:1 to 1193:0:0.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode             | Firewall Mode        | Security Context
                         | Routed | Transparent | Single | Multiple: Context | Multiple: System
Parameters configuration | •      | •           | •      | •                 | —
Command History
Release | Modification
7.2(1)  | This command was introduced.
Examples
The following example shows how to configure the endpoint mapper in a DCERPC policy map:
hostname(config)# policy-map type inspect dcerpc dcerpc_map
hostname(config-pmap)# parameters
hostname(config-pmap-p)# endpoint-mapper epm-service-only
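A complete DCERPC inspection policy that uses both keywords together, added here as an example and not part of the original reference. The policy map name dcerpc_map comes from the example above; the class-map name, the 10-minute pinhole timeout (written as hh:mm:ss, inside the 0:0:1 to 1193:0:0 range) and the choice of attaching the inspection to the default global policy are assumptions. Lines beginning with ! are annotations.

```cisco
! Inspection policy map: epm-service-only rejects binds on the endpoint
! mapper port to anything other than the EPM service itself, and
! lookup-operation lets clients resolve dynamic ports through EPM, with
! the pinholes opened for the returned ports expiring after 10 minutes.
policy-map type inspect dcerpc dcerpc_map
 parameters
  endpoint-mapper epm-service-only lookup-operation timeout 0:10:0
!
! Match traffic to the endpoint mapper port (TCP 135) and attach the
! inspection to the default global service policy.
class-map dcerpc_epm
 match port tcp eq 135
policy-map global_policy
 class dcerpc_epm
  inspect dcerpc dcerpc_map
service-policy global_policy global
!
! Verify that the inspection is active and counting connections.
show service-policy inspect dcerpc
```

Without epm-service-only, a client can bind to any interface UUID on the endpoint mapper port and the inspection only tracks the exchange; with it, binds that are not for the EPM service are dropped. Keep the lookup timeout short: each open pinhole is a hole in the policy for the duration.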
Related Commands
Command                         | Description
class                           | Identifies a class map name in the policy map.
class-map type inspect          | Creates an inspection class map to match traffic specific to an application.
policy-map                      | Creates a Layer 3/4 policy map.
show running-config policy-map  | Displays all current policy map configurations.
enforcenextupdate
To specify how to handle the NextUpdate CRL field, use the enforcenextupdate command in ca-crl configuration mode. To permit a lapsed or missing NextUpdate field, use the no form of this command.
enforcenextupdate
no enforcenextupdate
Syntax Description
This command has no arguments or keywords.
Defaults
The default setting is enforced (on).
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode         | Firewall Mode        | Security Context
                     | Routed | Transparent | Single | Multiple: Context | Multiple: System
Ca-crl configuration | •      | •           | •      | •                 | •
Command History
Release | Modification
7.0     | This command was introduced.
Usage Guidelines
When enabled, this command requires every CRL to carry a NextUpdate field whose time has not yet passed; a CRL without the field, or with a lapsed one, is rejected. When disabled with the no form, the adaptive security appliance accepts a CRL with a missing or lapsed NextUpdate field, which means a stale CRL can still be used to validate a certificate that the CA has since revoked. Leave the default in place unless the CA is known to omit the field.
Examples
The following example enters ca-crl configuration mode, and requires CRLs to have a NextUpdate field that has not expired for trustpoint central:
hostname(config)# crypto ca trustpoint central
hostname(ca-trustpoint)# crl configure
hostname(ca-crl)# enforcenextupdate
Related Commands
Command              | Description
cache-time           | Specifies a cache refresh time in minutes.
crl configure        | Enters ca-crl configuration mode.
crypto ca trustpoint | Enters trustpoint configuration mode.
enrollment-retrieval
To specify the time in hours that an enrolled user can retrieve a PKCS12 enrollment file, use the enrollment-retrieval command in local ca server configuration mode. To reset the time to the default number of hours (24), use the no form of this command.
enrollment-retrieval timeout
no enrollment-retrieval
Syntax Description
timeout | Specifies the number of hours users have to retrieve an issued certificate from the local CA enrollment web page. Valid timeout values range from 1 to 720 hours.
Defaults
By default, the PKCS12 enrollment file is stored and retrievable for 24 hours.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode            | Firewall Mode        | Security Context
                        | Routed | Transparent | Single | Multiple: Context | Multiple: System
Ca server configuration | •      | —           | •      | —                 | —
Command History
Release | Modification
8.0(2)  | This command was introduced.
Usage Guidelines
A PKCS12 enrollment file contains an issued certificate and its key pair. The file is stored on the local CA server and can be retrieved from the enrollment web page for the period set with the enrollment-retrieval command. Because the file contains the private key, keep the retrieval window as short as operations allow.
When a user is marked as allowed to enroll, that user has the OTP expiration period (see the otp expiration command) in which to enroll with the one-time password. Once the user enrolls successfully, a PKCS12 file is generated, stored, and a copy is returned through the enrollment web page. The user can return for another copy of the file for any reason (for example, if the download failed during enrollment) for the period set with the enrollment-retrieval command.
Note: This retrieval period is independent of the OTP expiration period.
Examples
The following example specifies that a PKCS12 enrollment file is available for retrieval from the local CA server for 48 hours after the certificate is issued:
hostname(config)# crypto ca server
hostname(config-ca-server)# enrollment-retrieval 48
hostname(config-ca-server)#
The following example resets the retrieval time back to the default of 24 hours:
hostname(config)# crypto ca server
hostname(config-ca-server)# no enrollment-retrieval
hostname(config-ca-server)#
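The following is an added example, not part of the original reference, showing how the enrollment-retrieval window and the one-time-password window described in the usage guidelines above are configured together on the local CA. The user name, DN, e-mail address and the chosen hours are assumptions; lines beginning with ! are annotations.

```cisco
! Local CA: the OTP must be used within 72 hours of being issued; after the
! user has enrolled, the PKCS12 file stays downloadable for 48 hours.
crypto ca server
 otp expiration 72
 enrollment-retrieval 48
 no shutdown
!
! Register a user, then allow enrollment and display the OTP that the
! user types into the enrollment page. Hand the OTP over out of band;
! whoever holds it can complete the enrollment and fetch the key pair.
crypto ca server user-db add alice dn CN=alice,O=Example email alice@example.com
crypto ca server user-db allow alice display-otp
!
! Shows the enrollment state and remaining windows for the user.
show crypto ca server user-db username alice
```

The two timers are independent: a user who never enrolls loses the OTP after 72 hours, while a user who enrolls in the first hour still gets the full 48-hour retrieval window counted from issuance.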
Related Commands
Command              | Description
crypto ca server     | Provides access to the CA server configuration mode command set, which allows you to configure and manage the local CA.
otp expiration       | Specifies the duration in hours that an issued one-time password for the CA enrollment page is valid.
smtp from-address    | Specifies the e-mail address to use in the E-mail From: field for all e-mails generated by the CA server.
smtp subject         | Specifies the text appearing in the subject field of all e-mails generated by the local CA server.
subject-name-default | Specifies a generic subject-name DN to be used along with the username in all user certificates issued by a CA server.
enrollment retry count
To specify how many times the adaptive security appliance re-sends a certificate request, use the enrollment retry count command in crypto ca-trustpoint configuration mode. After requesting a certificate, the adaptive security appliance waits to receive a certificate from the CA. If it does not receive a certificate within the configured retry period, it sends another certificate request, and it repeats this until it either receives a response or has sent the configured number of retries. To restore the default setting of the retry count, use the no form of the command.
enrollment retry count number
no enrollment retry count
Syntax Description
number | The maximum number of times to re-send an enrollment request. Valid values are 0 (unlimited) and 1 to 100.
Defaults
The default setting for number is 0 (unlimited).
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode                       | Firewall Mode        | Security Context
                                   | Routed | Transparent | Single | Multiple: Context | Multiple: System
Crypto ca-trustpoint configuration | •      | •           | •      | •                 | —
Command History
Release | Modification
7.0     | This command was introduced.
Usage Guidelines
This command is optional and applies only when automatic enrollment is configured.
Examples
The following example enters crypto ca trustpoint configuration mode for trustpoint central, and configures an enrollment retry count of 20 retries within trustpoint central:
hostname(config)# crypto ca trustpoint central
hostname(ca-trustpoint)# enrollment retry count 20
Related Commands
Command                 | Description
crypto ca trustpoint    | Enters trustpoint configuration mode.
default enrollment      | Returns enrollment parameters to their defaults.
enrollment retry period | Specifies the number of minutes to wait before resending an enrollment request.
enrollment retry period
To specify a retry period, use the enrollment retry period command in crypto ca trustpoint configuration mode. After requesting a certificate, the adaptive security appliance waits to receive a certificate from the CA. If the adaptive security appliance does not receive a certificate within the specified retry period, it sends another certificate request. To restore the default setting of the retry period, use the no form of the command.
enrollment retry period minutes
no enrollment retry period
Syntax Description
minutes | The number of minutes between attempts to send an enrollment request. The valid range is 1 to 60 minutes.
Defaults
The default setting is 1 minute.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode                       | Firewall Mode        | Security Context
                                   | Routed | Transparent | Single | Multiple: Context | Multiple: System
Crypto ca trustpoint configuration | •      | •           | •      | •                 | •
Command History
Release | Modification
7.0     | This command was introduced.
Usage Guidelines
This command is optional and applies only when automatic enrollment is configured.
Examples
The following example enters crypto ca trustpoint configuration mode for trustpoint central, and configures an enrollment retry period of 10 minutes within trustpoint central:
hostname(config)# crypto ca trustpoint central
hostname(ca-trustpoint)# enrollment retry period 10
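The retry count and retry period together bound how long the appliance keeps polling the CA for a certificate. The following Python model is an added example, not Cisco's code: it takes the retry-period range (1 to 60 minutes) and the example values (count 20, period 10 minutes) from this reference, and uses a constructed CA-side approval delay to show when the certificate would be received and when polling would stop.

```python
# Added example (not Cisco's code): models how "enrollment retry period" and
# "enrollment retry count" combine into a polling schedule.  Only the
# retry-period range (1 to 60 minutes) is taken from the command reference;
# the CA-side delay below is a constructed input.

RETRY_PERIOD_MIN, RETRY_PERIOD_MAX = 1, 60  # minutes, per the command reference


def enrollment_request_times(retry_count, retry_period):
    """Minute offsets at which the appliance sends enrollment requests.

    Offset 0 is the initial request.  Each retry is sent ``retry_period``
    minutes after the previous unanswered request, for at most
    ``retry_count`` retries, so ``retry_count + 1`` requests in total.
    """
    if not RETRY_PERIOD_MIN <= retry_period <= RETRY_PERIOD_MAX:
        raise ValueError("enrollment retry period must be 1 to 60 minutes")
    if retry_count < 0:
        raise ValueError("enrollment retry count cannot be negative")
    return [i * retry_period for i in range(retry_count + 1)]


def max_wait_minutes(retry_count, retry_period):
    """Longest the appliance keeps polling before it gives up on this enrollment."""
    return enrollment_request_times(retry_count, retry_period)[-1]


def simulate_enrollment(retry_count, retry_period, ca_ready_after_minutes):
    """Poll a CA that only has the certificate ready after a delay.

    ``ca_ready_after_minutes`` is a constructed stand-in for a CA operator who
    approves the request some time after it arrives.  Returns
    (issued, minutes_elapsed, requests_sent).
    """
    times = enrollment_request_times(retry_count, retry_period)
    for sent, t in enumerate(times, start=1):
        if t >= ca_ready_after_minutes:
            # The CA answers this request with the issued certificate.
            return True, t, sent
    # Every retry went unanswered: polling stops without a certificate.
    return False, times[-1], len(times)


if __name__ == "__main__":
    # Values from the page's examples: retry count 20, retry period 10 minutes.
    print(max_wait_minutes(20, 10))            # 200
    print(simulate_enrollment(20, 10, 45))     # (True, 50, 6)
    print(simulate_enrollment(2, 10, 45))      # (False, 20, 3)
```

The practical point for a CA that requires manual approval: the product of count and period (200 minutes for the page's example values) is the window in which an operator must approve the request before the appliance stops polling and the enrollment has to be restarted.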
Related Commands
Command | Description
crypto ca trustpoint | Enters trustpoint configuration mode.
default enrollment | Returns all enrollment parameters to their system default values.
enrollment retry count | Defines the number of retries for an enrollment request.
enrollment terminal
To specify cut and paste enrollment with this trustpoint (also known as manual enrollment), use the enrollment terminal command in crypto ca-trustpoint configuration mode. To restore the default setting of the command, use the no form of the command.
enrollment terminal
no enrollment terminal
Syntax Description
This command has no arguments or keywords.
Defaults
The default setting is off.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Crypto ca-trustpoint configuration | • | • | • | • | —
Command History
Release | Modification
7.0 | This command was introduced.
Examples
The following example enters crypto ca-trustpoint configuration mode for trustpoint central, and specifies the cut and paste method of CA enrollment for trustpoint central:
hostname(config)# crypto ca trustpoint central
hostname(ca-trustpoint)# enrollment terminal
Related Commands
Command | Description
crypto ca trustpoint | Enters trustpoint configuration mode.
default enrollment | Returns enrollment parameters to their defaults.
enrollment retry count | Specifies the number of retries to attempt to send an enrollment request.
enrollment retry period | Specifies the number of minutes to wait before resending an enrollment request.
enrollment url | Specifies automatic enrollment (SCEP) with this trustpoint and configures the URL.
enrollment url
To specify automatic enrollment (SCEP) to enroll with this trustpoint and to configure the enrollment URL, use the enrollment url command in crypto ca-trustpoint configuration mode. To restore the default setting of the command, use the no form of the command.
enrollment url url
no enrollment url
Syntax Description
url | Specifies the name of the URL for automatic enrollment. The maximum length is 1K characters (effectively unbounded).
Defaults
The default setting is off.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Crypto ca-trustpoint configuration | • | • | • | • | •
Command History
Release | Modification
7.0 | This command was introduced.
Examples
The following example enters crypto ca-trustpoint configuration mode for trustpoint central, and specifies SCEP enrollment at the URL https://enrollsite for trustpoint central:
hostname(config)# crypto ca trustpoint central
hostname(ca-trustpoint)# enrollment url https://enrollsite
Related Commands
Command | Description
crypto ca trustpoint | Enters trustpoint configuration mode.
default enrollment | Returns enrollment parameters to their defaults.
enrollment retry count | Specifies the number of retries to attempt to send an enrollment request.
enrollment retry period | Specifies the number of minutes to wait before resending an enrollment request.
enrollment terminal | Specifies cut and paste enrollment with this trustpoint.
enrollment-retrieval
To specify the time in hours that an enrolled user can retrieve a PKCS12 enrollment file, use the enrollment-retrieval command in local ca server configuration mode. To reset the time to the default number of hours (24), use the no form of this command.
enrollment-retrieval timeout
no enrollment-retrieval
Syntax Description
timeout | Specifies the number of hours users have to retrieve an issued certificate from the local CA enrollment web page. Valid timeout values range from 1 to 720 hours.
Defaults
By default, the PKCS12 enrollment file is stored and retrievable for 24 hours.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Ca server configuration | • | — | • | — | —
Command History
Release | Modification
8.0(2) | This command was introduced.
Usage Guidelines
A PKCS12 enrollment file contains an issued certificate and key pair. The file is stored on the local CA server and is available for retrieval from the enrollment web page for the time period specified with the enrollment-retrieval command.
When a user is marked as allowed to enroll, that user has the OTP expiration period in which to enroll with that password. Once the user enrolls successfully, a PKCS12 file is generated and stored, and a copy is returned by way of the enrollment web page. The user can return for another copy of the file for any reason (such as a download that fails during enrollment) for the period set with the enrollment-retrieval command.
Note
This time is independent from the OTP expiration period.
Examples
The following example specifies that a PKCS12 enrollment file is available for retrieval from the local CA server for 48 hours after the certificate is issued:
hostname(config)# crypto ca server
hostname(config-ca-server)# enrollment-retrieval 48
hostname(config-ca-server)#
The following example resets the retrieval time back to the default of 24 hours:
hostname(config)# crypto ca server
hostname(config-ca-server)# no enrollment-retrieval
hostname(config-ca-server)#
Related Commands
Command | Description
crypto ca server | Provides access to CA Server Configuration mode CLI command set, which allows you to configure and manage the local CA.
OTP expiration | Specifies the duration in hours that an issued one-time password for the CA enrollment page is valid.
smtp from-address | Specifies the e-mail address to use in the E-mail From: field for all e-mails generated by the CA server.
smtp subject | Specifies the text appearing in the subject field of all e-mails generated by the local CA server.
subject-name-default | Specifies a generic subject-name DN to be used along with the username in all user certificates issued by a CA server.
eou allow
To enable clientless authentication in a NAC Framework configuration, use the eou allow command in global configuration mode. To remove the command from the configuration, use the no form of this command.
eou allow {audit | clientless | none}
no eou allow {audit | clientless | none}
Syntax Description
audit | An audit server performs clientless authentication.
clientless | A Cisco ACS performs clientless authentication.
none | Disables clientless authentication.
Defaults
The default configuration contains the eou allow clientless configuration.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Global configuration | • | — | • | — | —
Command History
Release | Modification
7.3(0) | Added the audit option.
7.2(1) | This command was introduced.
Usage Guidelines
The adaptive security appliance uses this command only if both of the following are true:
• The group policy is configured to use a nac-framework NAC policy type.
• A host on the session does not respond to EAPoUDP requests.
Examples
The following example enables the use of an ACS to perform clientless authentication:
hostname(config)# eou allow clientless
The following example shows how to configure the adaptive security appliance to use an audit server to perform clientless authentication:
hostname(config)# eou allow audit
The following example shows how to disable the use of an audit server:
hostname(config)# no eou allow clientless
Related Commands
Command | Description
debug eou | Enables logging of EAP over UDP events to debug NAC Framework messaging.
eou clientless | Changes the username and password to be sent to the ACS for clientless authentication in a NAC Framework configuration.
show vpn-session.db | Displays information about VPN sessions, including NAC results.
eou clientless
To change the username and password to be sent to the Access Control Server for clientless authentication in a NAC Framework configuration, use the eou clientless command in global configuration mode. To use the default value, use the no form of this command.
eou clientless username username password password
no eou clientless username username password password
Syntax Description
password | Enter to change the password sent to the Access Control Server to obtain clientless authentication for a remote host that does not respond to EAPoUDP requests.
password | Enter the password configured on the Access Control Server to support clientless hosts. Enter 4 to 32 ASCII characters.
username | Enter to change the username sent to the Access Control Server to obtain clientless authentication for a remote host that does not respond to EAPoUDP requests.
username | Enter the username configured on the Access Control Server to support clientless hosts. Enter 1 to 64 ASCII characters, excluding leading and trailing spaces, pound signs (#), question marks (?), quotation marks ("), asterisks (*), and angle brackets (< and >).
Defaults
The default value for both the username and password attributes is clientless.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Global configuration | • | — | • | — | —
Command History
Release | Modification
7.2(1) | This command was introduced.
Usage Guidelines
This command is effective only if all of the following are true:
• An Access Control Server is configured on the network to support clientless authentication.
• Clientless authentication is enabled on the adaptive security appliance.
• Network Admission Control is configured on the adaptive security appliance.
This command applies only to the Framework implementation of Cisco NAC.
Examples
The following example changes the username for clientless authentication to sherlock:
hostname(config)# eou clientless username sherlock
The following example changes the username for clientless authentication to the default value, clientless:
hostname(config)# no eou clientless username
The following example changes the password for clientless authentication to secret:
hostname(config)# eou clientless password secret
The following example changes the password for clientless authentication to the default value, clientless:
hostname(config)# no eou clientless password
Related Commands
Command | Description
eou allow | Enables clientless authentication in a NAC Framework configuration.
debug eou | Enables logging of EAP over UDP events to debug NAC Framework messaging.
debug nac | Enables logging of NAC Framework events.
eou initialize
To clear the resources assigned to one or more NAC Framework sessions and initiate a new, unconditional posture validation for each of the sessions, use the eou initialize command in privileged EXEC mode.
eou initialize {all | group tunnel-group | ip ip-address}
Syntax Description
all | Revalidates all NAC Framework sessions on this adaptive security appliance.
group | Revalidates all NAC Framework sessions assigned to a tunnel group.
ip | Revalidates a single NAC Framework session.
ip-address | IP address of the remote peer end of the tunnel.
tunnel-group | Name of the tunnel group used to negotiate parameters to set up the tunnel.
Defaults
No default behavior or values.
Command Modes
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Privileged EXEC | • | — | • | — | —
Command History
Release | Modification
7.2(1) | This command was introduced.
Usage Guidelines
Use this command if a change occurs in the posture of the remote peers or if the assigned access policies (that is, the downloaded ACLs) change, and you want to clear the resources assigned to the sessions. Entering this command purges the EAPoUDP associations and access policies used for posture validation. The NAC default ACL is effective during the revalidations, so the session initializations can disrupt user traffic. This command does not affect peers that are exempt from posture validation.
This command applies only to the Framework implementation of Cisco NAC.
Examples
The following example initializes all NAC Framework sessions:
hostname# eou initialize all
The following example initializes all NAC Framework sessions assigned to the tunnel group named tg1:
hostname# eou initialize group tg1
The following example initializes the NAC Framework session for the endpoint with the IP address 209.165.200.225:
hostname# eou initialize ip 209.165.200.225
Related Commands
Command | Description
eou revalidate | Forces immediate posture revalidation of one or more NAC Framework sessions.
reval-period | Specifies the interval between each successful posture validation in a NAC Framework session.
sq-period | Specifies the interval between each successful posture validation in a NAC Framework session and the next query for changes in the host posture.
show vpn-session.db | Displays information about VPN sessions, including NAC results.
debug nac | Enables logging of NAC Framework events.
eou max-retry
To change the number of times the adaptive security appliance resends an EAP over UDP message to the remote computer, use the eou max-retry command in global configuration mode. To use the default value, use the no form of this command.
eou max-retry retries
no eou max-retry
Syntax Description
retries | Limits the number of consecutive retries sent in response to retransmission timer expirations. Enter a value in the range 1 to 3.
Defaults
The default value is 3.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Global configuration | • | — | • | — | —
Command History
Release | Modification
7.2(1) | This command was introduced.
Usage Guidelines
This command is effective only if all of the following are true:
• An Access Control Server is configured on the network to support clientless authentication.
• Clientless authentication is enabled on the adaptive security appliance.
• Network Admission Control is configured on the adaptive security appliance.
This command applies only to the Framework implementation of Cisco NAC.
Examples
The following example limits the number of EAP over UDP retransmissions to 1:
hostname(config)# eou max-retry 1
The following example changes the number of EAP over UDP retransmissions to its default value, 3:
hostname(config)# no eou max-retry
Related Commands
Command | Description
eou timeout | Changes the number of seconds to wait after sending an EAP over UDP message to the remote host in a NAC Framework configuration.
sq-period | Specifies the interval between each successful posture validation in a NAC Framework session and the next query for changes in the host posture.
debug eou | Enables logging of EAP over UDP events to debug NAC Framework messaging.
debug nac | Enables logging of NAC Framework events.
show vpn-session.db | Displays information about VPN sessions, including NAC results.
eou port
To change the port number for EAP over UDP communication with the Cisco Trust Agent in a NAC Framework configuration, use the eou port command in global configuration mode. To use the default value, use the no form of this command.
eou port port_number
no eou port
Syntax Description
port_number | Port number on the client endpoint to be designated for EAP over UDP communications. This number is the port number configured on the Cisco Trust Agent. Enter a value in the range 1024 to 65535.
Defaults
The default value is 21862.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Global configuration | • | — | • | — | —
Command History
Release | Modification
7.2(1) | This command was introduced.
Usage Guidelines
This command applies only to the Framework implementation of Cisco NAC.
Examples
The following example changes the port number for EAP over UDP communication to 62445:
hostname(config)# eou port 62445
The following example changes the port number for EAP over UDP communication to its default value:
hostname(config)# no eou port
Related Commands
Command | Description
debug eou | Enables logging of EAP over UDP events to debug NAC Framework messaging.
eou initialize | Clears the resources assigned to one or more NAC Framework sessions and initiates a new, unconditional posture validation for each of the sessions.
eou revalidate | Forces immediate posture revalidation of one or more NAC Framework sessions.
show vpn-session_summary.db | Displays the number of IPSec, Cisco AnyConnect, and NAC sessions, including VLAN mapping session data.
show vpn-session.db | Displays information about VPN sessions, including VLAN mapping and NAC results.
eou revalidate
To force immediate posture revalidation of one or more NAC Framework sessions, use the eou revalidate command in privileged EXEC mode.
eou revalidate {all | group tunnel-group | ip ip-address}
Syntax Description
all | Revalidates all NAC Framework sessions on this adaptive security appliance.
group | Revalidates all NAC Framework sessions assigned to a tunnel group.
ip | Revalidates a single NAC Framework session.
ip-address | IP address of the remote peer end of the tunnel.
tunnel-group | Name of the tunnel group used to negotiate parameters to set up the tunnel.
Defaults
No default behavior or values.
Command Modes
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Privileged EXEC | • | — | • | — | —
Command History
Release | Modification
7.2(1) | This command was introduced.
Usage Guidelines
Use this command if the posture of the peer or the assigned access policy (that is, the downloaded ACL, if any) has changed. The command initiates a new, unconditional posture validation. The posture validation and assigned access policy that were in effect before you entered the command remain in effect until the new posture validation succeeds or fails. This command does not affect peers that are exempt from posture validation.
This command applies only to the Framework implementation of Cisco NAC.
Examples
The following example revalidates all NAC Framework sessions:
hostname# eou revalidate all
The following example revalidates all NAC Framework sessions assigned to the tunnel group named tg-1:
hostname# eou revalidate group tg-1
The following example revalidates the NAC Framework session for the endpoint with the IP address 209.165.200.225:
hostname# eou revalidate ip 209.165.200.225
Related Commands
Command | Description
eou initialize | Clears the resources assigned to one or more NAC Framework sessions and initiates a new, unconditional posture validation for each of the sessions.
eou timeout | Changes the number of seconds to wait after sending an EAP over UDP message to the remote host in a NAC Framework configuration.
reval-period | Specifies the interval between each successful posture validation in a NAC Framework session.
sq-period | Specifies the interval between each successful posture validation in a NAC Framework session and the next query for changes in the host posture.
debug eou | Enables logging of EAP over UDP events to debug NAC Framework messaging.
eou timeout
To change the number of seconds to wait after sending an EAP over UDP message to the remote host in a NAC Framework configuration, use the eou timeout command in global configuration mode. To use the default value, use the no form of this command.
eou timeout {hold-period | retransmit} seconds
no eou timeout {hold-period | retransmit}
Syntax Description
hold-period | Maximum time to wait after sending EAPoUDP messages equal to the number of EAPoUDP retries. The eou initialize or eou revalidate command also clears this timer. If this timer expires, the adaptive security appliance initiates a new EAP over UDP association with the remote host.
retransmit | Maximum time to wait after sending an EAPoUDP message. A response from the remote host clears this timer. The eou initialize or eou revalidate command also clears this timer. If the timer expires, the adaptive security appliance retransmits the EAPoUDP message to the remote host.
seconds | Number of seconds for the adaptive security appliance to wait. Enter a value in the range 60 to 86400 for the hold-period attribute, or the range 1 to 60 for the retransmit attribute.
Defaults
The default value of the hold-period attribute is 180.
The default value of the retransmit attribute is 3.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Global configuration | • | — | • | — | —
Command History
Release | Modification
7.2(1) | This command was introduced.
Usage Guidelines
This command applies only to the Framework implementation of Cisco NAC.
Examples
The following example changes the wait period before initiating a new EAP over UDP association to 120 seconds:
hostname(config)# eou timeout hold-period 120
The following example changes the wait period before initiating a new EAP over UDP association to its default value:
hostname(config)# no eou timeout hold-period
The following example changes the retransmission timer to 6 seconds:
hostname(config)# eou timeout retransmit 6
The following example changes the retransmission timer to its default value:
hostname(config)# no eou timeout retransmit
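The retransmit timer, the eou max-retry count and the hold-period timer act in sequence on one EAPoUDP association. The Python model below is an added example, not Cisco's code: the ranges and defaults (max-retry 1 to 3, default 3; retransmit 1 to 60 seconds, default 3; hold-period 60 to 86400 seconds, default 180) are taken from this reference, while the exact event ordering it walks through is an assumption made for the example rather than a description of the appliance's implementation.

```python
# Added example (not Cisco's code): a small model of how eou max-retry,
# eou timeout retransmit and eou timeout hold-period interact for one
# EAPoUDP association.  Ranges and defaults come from the command reference;
# the event ordering below is an assumption made for this example, not a
# description of the appliance's implementation.

RANGES = {
    "max_retry": (1, 3),          # eou max-retry
    "retransmit": (1, 60),        # eou timeout retransmit, seconds
    "hold_period": (60, 86400),   # eou timeout hold-period, seconds
}
DEFAULTS = {"max_retry": 3, "retransmit": 3, "hold_period": 180}


def validate_eou_settings(**settings):
    """Fill in defaults and reject values outside the documented ranges."""
    merged = dict(DEFAULTS)
    for name, value in settings.items():
        if name not in RANGES:
            raise ValueError(f"unknown setting {name!r}")
        lo, hi = RANGES[name]
        if not lo <= value <= hi:
            raise ValueError(f"{name} must be in the range {lo} to {hi}")
        merged[name] = value
    return merged


def simulate_association(responds_at_attempt=None, **settings):
    """Return a list of (seconds, event) for one association.

    Model: attempt 1 is sent at t=0.  Each unanswered attempt is followed,
    ``retransmit`` seconds later, by a retransmission, at most ``max_retry``
    times.  If the last retransmission also goes unanswered the hold-period
    timer starts; when it expires a new association begins.  A response on
    attempt ``responds_at_attempt`` (1-based) clears the timers immediately.
    """
    cfg = validate_eou_settings(**settings)
    events = []
    t = 0
    for attempt in range(1, cfg["max_retry"] + 2):
        events.append((t, f"send EAPoUDP attempt {attempt}"))
        if attempt == responds_at_attempt:
            events.append((t, "response received; retransmit timer cleared"))
            return events
        t += cfg["retransmit"]  # retransmit timer expires with no reply
    events.append((t, "retries exhausted; hold-period starts"))
    t += cfg["hold_period"]
    events.append((t, "hold-period expired; new association"))
    return events


def seconds_until_new_association(**settings):
    """Time from the first unanswered message until, under this model, the
    appliance starts a fresh association with a host that never replies."""
    return simulate_association(None, **settings)[-1][0]


if __name__ == "__main__":
    for t, event in simulate_association():
        print(f"{t:6d}s  {event}")
    print(seconds_until_new_association())  # 192 with the documented defaults
    print(seconds_until_new_association(max_retry=1, retransmit=6, hold_period=120))  # 132
```

With the defaults the model sends four messages three seconds apart and then holds for 180 seconds, so a host that never answers is re-approached every 192 seconds; lowering max-retry or retransmit shortens the probing phase, while hold-period dominates the total.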
Related Commands
Command | Description
debug eou | Enables logging of EAP over UDP events to debug NAC Framework messaging.
eou max-retry | Changes the number of times the adaptive security appliance resends an EAP over UDP message to the remote computer.
erase
To erase and reformat the file system, use the erase command in privileged EXEC mode. This command overwrites all files and erases the file system, including hidden system files, and then reinstalls the file system.
erase [disk0: | disk1: | flash:]
Syntax Description
disk0: | (Optional) Specifies the internal Flash memory, followed by a colon.
disk1: | (Optional) Specifies the external, compact Flash memory card, followed by a colon.
flash: | (Optional) Specifies the internal Flash memory, followed by a colon. On the ASA 5500 series adaptive security appliances, the flash keyword is aliased to disk0.
Caution
Erasing the flash memory also removes the licensing information, which is stored in flash memory. Save the licensing information before erasing the flash memory.
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Privileged EXEC | • | • | • | — | •
Command History
Release | Modification
7.0(1) | This command was introduced.
Usage Guidelines
The erase command erases all data in the flash memory using the 0xFF pattern and then rewrites an empty file system allocation table to the device.
To delete all visible files (excluding hidden system files), enter the delete /recursive command instead of the erase command.
Note
On Cisco ASA 5500 series adaptive security appliances, the erase command destroys all user data on the disk with the 0xFF pattern. In contrast, the format command only resets the file system control structures. If you used a raw disk read tool, you could still see the information.
Examples
The following example erases and reformats the file system:
Related Commands
Command | Description
delete | Removes all visible files, excluding hidden system files.
format | Erases all files (including hidden system files) and formats the file system.
esp
To specify parameters for esp and AH tunnels for IPSec Pass Thru inspection, use the esp command in parameters configuration mode. Parameters configuration mode is accessible from policy map configuration mode. To disable this feature, use the no form of this command.
{esp | ah} [per-client-max num] [timeout time]
no {esp | ah} [per-client-max num] [timeout time]
Syntax Description
esp | Specifies parameters for the ESP tunnel.
ah | Specifies parameters for the AH tunnel.
per-client-max num | Specifies the maximum number of tunnels from one client.
timeout time | Specifies the idle timeout for the tunnel.
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Parameters configuration | • | • | • | • | —
Command History
Release | Modification
7.2(1) | This command was introduced.
Examples
The following example shows how to permit UDP 500 traffic:
hostname(config)# access-list test-udp-acl extended permit udp any any eq 500
hostname(config)# class-map test-udp-class
hostname(config-cmap)# match access-list test-udp-acl
hostname(config)# policy-map type inspect ipsec-pass-thru ipsec-map
hostname(config-pmap)# parameters
hostname(config-pmap-p)# esp per-client-max 32 timeout 00:06:00
hostname(config-pmap-p)# ah per-client-max 16 timeout 00:05:00
hostname(config)# policy-map test-udp-policy
hostname(config-pmap)# class test-udp-class
hostname(config-pmap-c)# inspect ipsec-pass-thru ipsec-map
Related Commands
Command | Description
class | Identifies a class map name in the policy map.
class-map type inspect | Creates an inspection class map to match traffic specific to an application.
policy-map | Creates a Layer 3/4 policy map.
show running-config policy-map | Displays all current policy map configurations.
established
To permit return connections on ports that are based on an established connection, use the established command in global configuration mode. To disable the established feature, use the no form of this command.
established est_protocol dest_port [source_port] [permitto protocol port [-port]] [permitfrom protocol port [-port]]
no established est_protocol dest_port [source_port] [permitto protocol port [-port]] [permitfrom protocol port [-port]]
Syntax Description
est_protocol | Specifies the IP protocol (UDP or TCP) to use for the established connection lookup.
dest_port | Specifies the destination port to use for the established connection lookup.
permitfrom | (Optional) Allows the return protocol connection(s) originating from the specified port.
permitto | (Optional) Allows the return protocol connections destined to the specified port.
port [-port] | (Optional) Specifies the (UDP or TCP) destination port(s) of the return connection.
protocol | (Optional) IP protocol (UDP or TCP) used by the return connection.
source_port | (Optional) Specifies the source port to use for the established connection lookup.
Defaults
The defaults are as follows:
• dest_port: 0 (wildcard)
• source_port: 0 (wildcard)
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Global configuration | • | • | • | • | —
Command History
Release | Modification
7.0(1) | The keywords to and from were removed from the CLI. Use the keywords permitto and permitfrom instead.
Usage Guidelines
The established command lets you permit return access for outbound connections through the adaptive security appliance. This command works with an original connection that is outbound from a network and protected by the adaptive security appliance and a return connection that is inbound between the same two devices on an external host. The established command lets you specify the destination port that is used for connection lookups. This addition allows more control over the command and provides support for protocols where the destination port is known, but the source port is unknown. The permitto and permitfrom keywords define the return inbound connection.

Caution
We recommend that you always specify the established command with the permitto and permitfrom keywords. Using the established command without these keywords is a security risk because when connections are made to external systems, those systems can make unrestricted connections to the internal host involved in the connection. This situation can be exploited for an attack on your internal systems.
Examples
The following set of examples shows how potential security violations could occur if you do not use the established command correctly.
This example shows that if an internal system makes a TCP connection to an external host on port 4000, then the external host could come back in on any port using any protocol:
hostname(config)# established tcp 4000 0
You can specify the source and destination ports as 0 if the protocol does not specify which ports are used. Use wildcard ports (0) only when necessary.
hostname(config)# established tcp 0 0
Note
To allow the established command to work properly, the client must listen on the port that is specified with the permitto keyword.
You can use the established command with the nat 0 command (where there are no global commands).
Note
You cannot use the established command with PAT.
The adaptive security appliance supports XDMCP with assistance from the established command.
Caution 
Using XWindows system applications through the adaptive security appliance may cause security risks.
XDMCP is on by default, but it does not complete the session unless you enter the established command as follows:
hostname(config)# established tcp 6000 0 permitto tcp 6000 permitfrom tcp 1024-65535
Entering the established command enables the internal XDMCP-equipped (UNIX or ReflectionX) hosts to access external XDMCP-equipped XWindows servers. UDP/177-based XDMCP negotiates a TCP-based XWindows session, and subsequent TCP back connections are permitted. Because the source port(s) of the return traffic is unknown, specify the source_port field as 0 (wildcard). The dest_port should be 6000 + n, where n represents the local display number. Use this UNIX command to change this value:
% setenv DISPLAY hostname:displaynumber.screennumber
The established command is needed because many TCP connections are generated (based on user interaction) and the source port for these connections is unknown. Only the destination port is static. The adaptive security appliance performs XDMCP fixups transparently. No configuration is required, but you must enter the established command to accommodate the TCP session.
The following example shows a connection between two hosts using protocol A destined for port B from source port C. To permit return connections through the adaptive security appliance and protocol D (protocol D can be different from protocol A), the source port(s) must correspond to port F and the destination port(s) must correspond to port E.
hostname(config)# established A B C permitto D E permitfrom D F
The following example shows how a connection is started by an internal host to an external host using TCP destination port 6060 and any source port. The adaptive security appliance permits return traffic between the hosts through TCP destination port 6061 and any TCP source port.
hostname(config)# established tcp 6060 0 permitto tcp 6061 permitfrom tcp 0
The following example shows how a connection is started by an internal host to an external host using UDP destination port 6060 and any source port. The adaptive security appliance permits return traffic between the hosts through TCP destination port 6061 and TCP source port 1024-65535.
hostname(config)# established udp 6060 0 permitto tcp 6061 permitfrom tcp 1024-65535
The following example shows how a local host starts a TCP connection on port 9999 to a foreign host. The example allows packets from the foreign host on port 4242 back to the local host on port 5454.
hostname(config)# established tcp 9999 permitto tcp 5454 permitfrom tcp 4242
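The return-connection matching that the established command performs, modelled in Python as an added example (this is not Cisco's code) and exercised with the rules quoted above. It assumes that an omitted source port, or 0, is a wildcard and that an omitted permitto or permitfrom clause is a wildcard for that side; the hosts and ports are constructed sample data.

```python
"""Added example (not Cisco's code): a model of how an ASA `established`
rule admits return connections, exercised with the rules quoted above.
Assumptions not stated on the page: an omitted source port, or 0, is a
wildcard, and an omitted permitto/permitfrom clause is a wildcard too."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRange = Tuple[int, int]
ANY: PortRange = (0, 65535)   # wildcard, written as 0 on the command line


def parse_port_range(text: str) -> PortRange:
    """'0' is the wildcard; '6000' a single port; '1024-65535' a range."""
    if text == "0":
        return ANY
    lo, _, hi = text.partition("-")
    lo_i, hi_i = int(lo), int(hi or lo)
    if not 1 <= lo_i <= hi_i <= 65535:
        raise ValueError(f"bad port range: {text!r}")
    return (lo_i, hi_i)


def in_range(port: int, rng: PortRange) -> bool:
    return rng[0] <= port <= rng[1]


@dataclass(frozen=True)
class Connection:
    """One flow as the appliance sees it: src -> dst (constructed sample data)."""
    proto: str
    src_ip: str
    sport: int
    dst_ip: str
    dport: int


@dataclass(frozen=True)
class EstablishedRule:
    protocol: str                   # protocol/ports of the outbound connection that opens the hole
    dport: int
    sport: PortRange
    permitto_proto: Optional[str]   # protocol/ports of the permitted back connection ...
    permitto: PortRange             # ... on the inside host (destination side)
    permitfrom_proto: Optional[str]
    permitfrom: PortRange           # ... on the outside host (source side)

    @classmethod
    def parse(cls, line: str) -> "EstablishedRule":
        tok = line.split()
        if len(tok) < 3 or tok[0] != "established":
            raise ValueError(f"not an established command: {line!r}")
        protocol, dport = tok[1].lower(), int(tok[2])
        i, sport = 3, ANY                      # assumption: omitted source port = any
        if i < len(tok) and tok[i] not in ("permitto", "permitfrom"):
            sport = parse_port_range(tok[i])
            i += 1
        clauses = {"permitto": (None, ANY), "permitfrom": (None, ANY)}
        while i < len(tok):
            kw = tok[i]
            if kw not in clauses or i + 2 >= len(tok):
                raise ValueError(f"malformed clause near {tok[i:]!r}")
            clauses[kw] = (tok[i + 1].lower(), parse_port_range(tok[i + 2]))
            i += 3
        return cls(protocol, dport, sport,
                   clauses["permitto"][0], clauses["permitto"][1],
                   clauses["permitfrom"][0], clauses["permitfrom"][1])

    def matches_forward(self, fwd: Connection) -> bool:
        """Does this outbound (inside -> outside) flow trigger the rule?"""
        return (fwd.proto == self.protocol and fwd.dport == self.dport
                and in_range(fwd.sport, self.sport))

    def permits_return(self, fwd: Connection, ret: Connection) -> bool:
        """Is the back connection (outside -> inside) allowed, given fwd exists?"""
        if not self.matches_forward(fwd):
            return False
        # Return traffic must run between the same two hosts, in reverse.
        if ret.src_ip != fwd.dst_ip or ret.dst_ip != fwd.src_ip:
            return False
        for proto in (self.permitto_proto, self.permitfrom_proto):
            if proto is not None and ret.proto != proto:
                return False
        return in_range(ret.dport, self.permitto) and in_range(ret.sport, self.permitfrom)

    def is_wide_open(self) -> bool:
        """True when any port on the inside host is reachable through the hole."""
        return self.permitto == ANY


def return_allowed(rules: List[EstablishedRule], fwd: Connection, ret: Connection) -> bool:
    """Policy check: the back connection passes if any rule admits it."""
    return any(r.permits_return(fwd, ret) for r in rules)


if __name__ == "__main__":
    xdmcp = EstablishedRule.parse(
        "established tcp 6000 0 permitto tcp 6000 permitfrom tcp 1024-65535")
    fwd = Connection("tcp", "10.1.1.5", 40000, "203.0.113.7", 6000)   # constructed
    back = Connection("tcp", "203.0.113.7", 5000, "10.1.1.5", 6000)
    print("XDMCP back connection allowed:", return_allowed([xdmcp], fwd, back))  # True
```

The is_wide_open check is the audit a reviewer would run over a configuration: a rule with no permitto clause admits a back connection to any port on the inside host.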
Related Commands
Command | Description
clear configure established | Removes all established commands.
show running-config established | Displays the allowed inbound connections that are based on established connections.
exceed-mss
To allow or drop packets whose data length exceeds the TCP maximum segment size set by the peer during a three-way handshake, use the exceed-mss command in tcp-map configuration mode. To remove this specification, use the no form of this command.
exceed-mss {allow | drop}
no exceed-mss {allow | drop}
Syntax Description
allow | Allows packets that exceed the MSS. This setting is the default.
drop | Drops packets that exceed the MSS.
Defaults
Packets are allowed by default.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Tcp-map configuration | • | • | • | • | —
Command History
Release | Modification
7.0(1) | This command was introduced.
7.2(4)/8.0(4) | The default was changed from drop to allow.
Usage Guidelines
The tcp-map command is used along with the Modular Policy Framework infrastructure. Define the class of traffic using the class-map command and customize the TCP inspection with tcp-map commands. Apply the new TCP map using the policy-map command. Activate TCP inspection with service-policy commands.
Use the tcp-map command to enter tcp-map configuration mode. Use the exceed-mss command in tcp-map configuration mode to drop TCP packets whose data length exceeds the TCP maximum segment size set by the peer during the three-way handshake.
Examples
The following example drops flows on port 21 if they are in excess of MSS:
hostname(config)# tcp-map tmap
hostname(config-tcp-map)# exceed-mss drop
hostname(config)# class-map cmap
hostname(config-cmap)# match port tcp eq ftp
hostname(config)# policy-map pmap
hostname(config-pmap)# class cmap
hostname(config-pmap)# set connection advanced-options tmap
hostname(config)# service-policy pmap global
Related Commands
Command | Description
class | Specifies a class map to use for traffic classification.
policy-map | Configures a policy; that is, an association of a traffic class and one or more actions.
set connection advanced-options | Configures advanced connection features, including TCP normalization.
tcp-map | Creates a TCP map and allows access to tcp-map configuration mode.
exempt-list
To add an entry to the list of remote computer types that are exempt from posture validation, use the exempt-list command in nac-policy-nac-framework configuration mode. To remove an entry from the exemption list, use the no form of this command and name the operating system and ACL in the entry to be removed.
exempt-list os "os-name" [ disable | filter acl-name [ disable ] ]
no exempt-list os "os-name" [ disable | filter acl-name [ disable ] ]
Syntax Description
acl-name | Name of the ACL present in the adaptive security appliance configuration. When specified, it must follow the filter keyword.
disable | Performs one of two functions: (1) if you enter it after the "os-name", the adaptive security appliance ignores the exemption and applies NAC posture validation to the remote hosts that are running that operating system; (2) if you enter it after the acl-name, the adaptive security appliance exempts the operating system but does not assign the ACL to the associated traffic.
filter | Applies an ACL to filter the traffic if the computer's operating system matches the os-name. The filter/acl-name pair is optional.
os | Exempts an operating system from posture validation.
os-name | Operating system name. Quotation marks are required only if the name includes a space (for example, "Windows XP").
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
nac-policy-nac-framework configuration | • | — | • | — | —
Command History
Release | Modification
7.3(0) | Command name changed from vpn-nac-exempt to exempt-list. Command moved from group-policy configuration mode to nac-policy-nac-framework configuration mode.
7.2(1) | This command was introduced.
Usage Guidelines
When the command specifies an operating system, it does not overwrite the previously added entry to the exception list; enter the command once for each operating system and ACL you want to exempt.
The no exempt-list command removes all exemptions from the NAC Framework policy. Specifying an entry when issuing the no form of the command removes the entry from the exemption list.
To remove all entries from the exemption list associated with this NAC policy, use the no form of this command without specifying additional keywords.
Examples
The following example adds all hosts running Windows XP to the list of computers that are exempt from posture validation:
hostname(config-nac-policy-nac-framework)# exempt-list os "Windows XP"
hostname(config-nac-policy-nac-framework)
The following example exempts all hosts running Windows XP and applies the ACL acl-1 to traffic from those hosts:
hostname(config-nac-policy-nac-framework)# exempt-list os "Windows XP" filter acl-1
hostname(config-nac-policy-nac-framework)
The following example removes the same entry from the exemption list:
hostname(config-nac-policy-nac-framework)# no exempt-list os "Windows XP" filter acl-1
hostname(config-nac-policy-nac-framework)
The following example removes all entries from the exemption list:
hostname(config-nac-policy-nac-framework)# no exempt-list
hostname(config-nac-policy-nac-framework)
Related Commands
Command | Description
nac-policy | Creates and accesses a Cisco NAC policy, and specifies its type.
nac-settings | Assigns a NAC policy to a group policy.
show vpn-session_summary.db | Displays the number of IPSec, Cisco AnyConnect, and NAC sessions.
show vpn-session.db | Displays information about VPN sessions, including NAC results.
debug nac | Enables logging of NAC Framework events.
exit
To exit the current configuration mode, or to log out from privileged or user EXEC mode, use the exit command.
exit
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
User EXEC | • | • | • | • | •
Command History
Release | Modification
Preexisting | This command was preexisting.
Usage Guidelines
You can also use the key sequence Ctrl-Z to exit global configuration (and higher) modes. This key sequence does not work in privileged or user EXEC mode.
When you enter the exit command in privileged or user EXEC modes, you log out from the adaptive security appliance. Use the disable command to return to user EXEC mode from privileged EXEC mode.
Examples
The following example shows how to use the exit command to exit global configuration mode, and then log out from the session:
The following example shows how to use the exit command to exit global configuration mode, and then use the disable command to exit privileged EXEC mode:
Related Commands
Command | Description
quit | Exits a configuration mode or logs out from privileged or user EXEC mode.
expiry-time
To configure an expiration time for caching objects without revalidating them, use the expiry-time command in cache configuration mode. To remove the expiration time from the configuration and reset it to the default value, use the no form of this command.
expiry-time time
no expiry-time
Syntax Description
time | The amount of time in minutes that the adaptive security appliance caches objects without revalidating them.
Defaults
One minute.
Command Modes
The following table shows the modes in which you enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Cache configuration | • | — | • | — | —
Command History
Release | Modification
7.1(1) | This command was introduced.
Usage Guidelines
The expiration time is the amount of time in minutes that the adaptive security appliance caches an object without revalidating it. Revalidation consists of rechecking the content.
Examples
The following example shows how to set an expiration time with a value of 13 minutes:
hostname(config-webvpn)# cache
hostname(config-webvpn-cache)#expiry-time 13
hostname(config-webvpn-cache)#
Related Commands
Command | Description
cache | Enters WebVPN Cache mode.
cache-compressed | Configures WebVPN cache compression.
disable | Disables caching.
lmfactor | Sets a revalidation policy for caching objects that have only the last-modified timestamp.
max-object-size | Defines the maximum size of an object to cache.
min-object-size | Defines the minimum size of an object to cache.
export
To specify the certificate to be exported to the client, use the export command in CTL provider configuration mode. To remove the configuration, use the no form of this command.
export certificate trustpoint_name
no export certificate [trustpoint_name]
Syntax Description
certificate trustpoint_name | Specifies the certificate to be exported to the client.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
CTL provider configuration | • | • | • | • | —
Command History
Release | Modification
8.0(2) | This command was introduced.
Usage Guidelines
Use the export command in CTL provider configuration mode to specify the certificate to be exported to the client. The trustpoint name is defined by the crypto ca trustpoint command. The certificate will be added to the Certificate Trust List file composed by the CTL client.
Examples
The following example shows how to create a CTL provider instance:
hostname(config)# ctl-provider my_ctl
hostname(config-ctl-provider)# client interface inside 172.23.45.1
hostname(config-ctl-provider)# client username CCMAdministrator password XXXXXX encrypted
hostname(config-ctl-provider)# export certificate ccm_proxy
hostname(config-ctl-provider)# ctl install
Related Commands
Command | Description
ctl | Parses the CTL file from the CTL client and installs trustpoints.
ctl-provider | Configures a CTL provider instance in CTL provider mode.
client | Specifies clients allowed to connect to the CTL provider, and also the username and password for client authentication.
service | Specifies the port on which the CTL provider listens.
tls-proxy | Defines a TLS proxy instance and sets the maximum sessions.
export webvpn customization
To export a customization object that customizes screens visible to Clientless SSL VPN users, use the export webvpn customization command from privileged EXEC mode.
export webvpn customization name url
Syntax Description
name | The name that identifies the customization object. Maximum 64 characters.
url | Remote path and filename to export the XML customization object, in the form URL/filename (maximum 255 characters).
Defaults
There is no default behavior for this command.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
privileged EXEC | • | — | • | — | —
Command History
Release | Modification
8.0(2) | This command was introduced.
Usage Guidelines
A customization object is an XML file that resides in cache memory, and customizes the screens visible to Clientless SSL VPN users, including logon and logout screens, the portal page, and available languages. When you export a customization object, an XML file containing XML tags is created at the URL you specify.
The XML file created by the customization object named Template contains empty XML tags, and provides the basis for creating new customization objects. This object cannot be changed or deleted from cache memory, but can be exported, edited, and imported back into the adaptive security appliance as a new customization object.
The content of Template is the same as the initial DfltCustomization object state.
You can export a customization object using the export webvpn customization command, make changes to the XML tags, and import the file as a new object using the import webvpn customization command.
Examples
The following example exports the default customization object (DfltCustomization) and creates the resulting XML file named dflt_custom:
hostname# export webvpn customization DfltCustomization tftp://209.165.200.225/dflt_custom
!!!!!!!!!!!!!!!!INFO: Customization object 'DfltCustomization' was exported to
tftp://10.86.240.197/dflt_custom
Related Commands
Command | Description
import webvpn customization | Imports an XML file to cache memory as a customization object.
revert webvpn customization | Removes a customization object from cache memory.
show import webvpn customization | Displays information about customization objects resident in cache memory.
export webvpn translation-table
To export a translation table used to translate terms displayed to remote users establishing SSL VPN connections, use the export webvpn translation-table command from privileged EXEC mode.
export webvpn translation-table translation_domain {language language | template} url
Syntax Description
language | Specifies the name of a previously-imported translation table. Enter the value in the manner expressed by your browser language options.
translation_domain | The functional area and associated messages. Table 11-1 lists available translation domains.
url | Specifies the URL of the object.
Defaults
There is no default behavior for this command.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
privileged EXEC | • | — | • | — | —
Command History
Release | Modification
8.0(2) | This command was introduced.
Usage Guidelines
The adaptive security appliance provides language translation for the portal and screens displayed to users that initiate browser-based, clientless SSL VPN connections, as well as the user interface displayed to AnyConnect VPN Client users.
Each functional area, together with the messages it shows to remote users, has its own translation domain, which is specified by the translation_domain argument. Table 11-1 shows the translation domains and the functional areas translated.
Table 11-1 Translation Domains and Functional Areas Affected
Translation Domain | Functional Areas Translated
AnyConnect | Messages displayed on the user interface of the Cisco AnyConnect VPN Client.
CSD | Messages for the Cisco Secure Desktop (CSD).
customization | Messages on the logon and logout pages, portal page, and all the messages customizable by the user.
banners | Banners displayed to remote users and messages when VPN access is denied.
PortForwarder | Messages displayed to Port Forwarding users.
url-list | Text that the user specifies for URL bookmarks on the portal page.
webvpn | All the layer 7, AAA, and portal messages that are not customizable.
plugin-ica | Messages for the Citrix plug-in.
plugin-rdp | Messages for the Remote Desktop Protocol plug-in.
plugin-telnet,ssh | Messages for the Telnet and SSH plug-in.
plugin-vnc | Messages for the VNC plug-in.
A translation template is an XML file in the same format as the translation table, but has all the translations empty. The software image package for the adaptive security appliance includes a template for each domain that is part of the standard functionality. Templates for plug-ins are included with the plug-ins and define their own translation domains. Because you can customize the logon and logout pages, portal page, and URL bookmarks for clientless users, the adaptive security appliance generates the customization and url-list translation domain templates dynamically and the template automatically reflects your changes to these functional areas.
Exporting a previously-imported translation table creates an XML file of the table at the URL location. You can view a list of available templates and previously-imported tables using the show import webvpn translation-table command.
Download a template or translation table using the export webvpn translation-table command, make changes to the messages, and import the translation table using the import webvpn translation-table command.
Examples
The following example exports a template for the translation domain customization, which is used to translate the logon and logout pages, portal page, and all the messages customizable and visible to remote users establishing clientless SSL VPN connections. The adaptive security appliance creates the XML file with the name Sales:
hostname# export webvpn translation-table customization template
tftp://209.165.200.225/Sales
hostname# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
The next example exports a previously-imported translation table for the Chinese language named zh, an abbreviation compatible with the abbreviation specified for Chinese in the Internet Options of the Microsoft Internet Explorer browser. The adaptive security appliance creates the XML file with the name Chinese:
hostname# export webvpn translation-table customization language zh
tftp://209.165.200.225/Chinese
hostname# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Related Commands
Command | Description
import webvpn translation-table | Imports a translation table.
revert | Removes translation tables from cache memory.
show import webvpn translation-table | Displays information about imported translation tables.
export webvpn url-list
To export a URL list to a remote location, use the export webvpn url-list command from privileged EXEC mode.
export webvpn url-list name url
Syntax Description
name | The name that identifies the URL list. Maximum 64 characters.
url | Remote path to the source of the URL list. Maximum 255 characters.
Defaults
There is no default behavior for this command.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
privileged EXEC | • | — | • | — | —
Command History
Release | Modification
8.0(2) | This command was introduced.
Usage Guidelines
No URL lists are present in WebVPN by default.
An object, Template, is available for downloading with the export webvpn url-list command. Template cannot be changed or deleted. The contents of Template can be edited and saved as a custom URL list, and imported with the import webvpn url-list command to add a custom URL list.
Exporting a previously-imported URL list creates an XML file of the list at the URL location. You can view a list of available templates and previously-imported tables using the show import webvpn url-list command.
Examples
The following example exports a URL list, servers:
hostname# export webvpn url-list servers2 tftp://209.165.200.225
Related Commands
Command | Description
import webvpn url-list | Imports a URL list.
revert webvpn url-list | Removes URL lists from cache memory.
show import webvpn url-list | Displays information about imported URL lists.
export webvpn webcontent
To export previously-imported content in flash memory that is visible to remote Clientless SSL VPN users, use the export webvpn webcontent command from privileged EXEC mode.
export webvpn webcontent <source url> <destination url>
Syntax Description
<source url> | The URL in the adaptive security appliance flash memory where the content resides. Maximum 64 characters.
<destination url> | The URL to export to. Maximum 255 characters.
Defaults
There is no default behavior for this command.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
privileged EXEC | • | — | • | — | —
Command History
Release | Modification
8.0(2) | This command was introduced.
Usage Guidelines
Content exported with the webcontent option is content visible to remote Clientless users. This includes previously-imported help content visible on the Clientless portal and logos used by customization objects.
You can see a list of content available for export by entering a question mark (?) after the export webvpn webcontent command. For example:
hostname# export webvpn webcontent ?
Select webcontent to export:
/+CSCOE+/help/en/app-access-hlp.inc
Examples
The following example exports the file logo.gif, using tftp, to 209.165.200.225, as the filename logo_copy.gif:
hostname# export webvpn webcontent /+CSCOU+/logo.gif tftp://209.165.200.225/logo_copy.gif
!!!!* Web resource `/+CSCOU+/logo.gif' was successfully initialized
Related Commands
Command | Description
import webvpn webcontent | Imports content visible to Clientless SSL VPN users.
revert webvpn webcontent | Removes content from flash memory.
show import webvpn webcontent | Displays information about imported content.
failover
To enable failover, use the failover command in global configuration mode. To disable failover, use the no form of this command.
failover
no failover
Syntax Description
This command has no arguments or keywords.
Defaults
Failover is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Global configuration | • | • | • | — | •
Command History
Release | Modification
7.0(1) | This command was limited to enabling or disabling failover in the configuration (see the failover active command).
Usage Guidelines
Use the no form of this command to disable failover.
Caution: All information sent over the failover and Stateful Failover links is sent in clear text unless you secure the communication with a failover key. If the adaptive security appliance is used to terminate VPN tunnels, this information includes any usernames, passwords, and preshared keys used for establishing the tunnels. Transmitting this sensitive data in clear text could pose a significant security risk. We recommend securing the failover communication with a failover key if you are using the adaptive security appliance to terminate VPN tunnels.
The ASA 5505 device allows only Stateless Failover, and only while not acting as an Easy VPN hardware client.
Examples
The following example disables failover:
hostname(config)# no failover
Related Commands
Command | Description
clear configure failover | Clears failover commands from the running configuration and restores failover default values.
failover active | Switches the standby unit to active.
show failover | Displays information about the failover status of the unit.
show running-config failover | Displays the failover commands in the running configuration.
failover active
To switch a standby adaptive security appliance or failover group to the active state, use the failover active command in privileged EXEC mode. To switch an active adaptive security appliance or failover group to standby, use the no form of this command.
failover active [group group_id]
no failover active [group group_id]
Syntax Description
group group_id | (Optional) Specifies the failover group to make active.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Privileged EXEC | • | • | • | — | •
Command History
Release | Modification
7.0(1) | This command was modified to include failover groups.
Usage Guidelines
Use the failover active command to initiate a failover switch from the standby unit, or use the no failover active command from the active unit to initiate a failover switch. You can use this feature to return a failed unit to service, or to force an active unit offline for maintenance. If you are not using stateful failover, all active connections are dropped and must be reestablished by the clients after the failover occurs.
Switching for a failover group is available only for Active/Active failover. If you enter the failover active command on an Active/Active failover unit without specifying a failover group, all groups on the unit become active.
Examples
The following example switches the standby group 1 to active:
hostname# failover active group 1
Related Commands
Command | Description
failover reset | Moves an adaptive security appliance from a failed state to standby.
failover exec
To execute a command on a specific unit in a failover pair, use the failover exec command in privileged EXEC or global configuration mode.
failover exec {active | standby | mate} cmd_string
Syntax Description
active | Specifies that the command is executed on the active unit or failover group in the failover pair. Configuration commands entered on the active unit or failover group are replicated to the standby unit or failover group.
cmd_string | The command to be executed. Show, configuration, and exec commands are supported.
mate | Specifies that the command is executed on the failover peer.
standby | Specifies that the command is executed on the standby unit or failover group in the failover pair. Configuration commands executed on the standby unit or failover group are not replicated to the active unit or failover group.
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Privileged EXEC | • | • | • | • | •
Command History
Release | Modification
8.0(2) | This command was introduced.
Usage Guidelines
You can use the failover exec command to send commands to a specific unit in a failover pair.
Because configuration commands are replicated from the active unit or context to the standby unit or context, you can use the failover exec command to enter configuration commands on the correct unit, no matter which unit you are logged in to. For example, if you are logged in to the standby unit, you can use the failover exec active command to send configuration changes to the active unit. Those changes are then replicated to the standby unit. Do not use the failover exec command to send configuration commands to the standby unit or context; those configuration changes are not replicated to the active unit, and the two configurations will no longer be synchronized.
Output from configuration, exec, and show commands is displayed in the current terminal session, so you can use the failover exec command to issue show commands on a peer unit and view the results in the current terminal.
You must have sufficient privileges to execute a command on the local unit to execute the command on the peer unit.
Command Modes
The failover exec command maintains a command mode state that is separate from the command mode of your terminal session. By default, the failover exec command mode is global configuration mode for the specified device. You can change that command mode by sending the appropriate command (such as the interface command) using the failover exec command.
Changing failover exec command modes for the specified device does not change the command mode for the session you are using to access the device. For example, if you are logged in to the active unit of a failover pair and you issue the following command from global configuration mode, you remain in global configuration mode, but any commands sent using the failover exec command are executed in interface configuration mode:
hostname(config)# failover exec interface GigabitEthernet0/1
Changing command modes for your current session to the device does not affect the command mode used by the failover exec command. For example, if you are in interface configuration mode on the active unit and you have not changed the failover exec command mode, the following command is executed in global configuration mode:
hostname(config-if)# failover exec active router ospf 100
Use the show failover exec command to display the command mode on the specified device in which commands sent with the failover exec command are executed.
Security Considerations
The failover exec command uses the failover link to send commands to and receive the output of the command execution from the peer unit. You should use the failover key command to encrypt the failover link to prevent eavesdropping or man-in-the-middle attacks.
Limitations
• If you upgrade one unit using the zero-downtime upgrade procedure and not the other, both units must be running software that supports the failover exec command for the command to work.
• Command completion and context help are not available for the commands in the cmd_string argument.
• In multiple context mode, you can only send commands to the peer context on the peer unit. To send commands to a different context, you must first change to that context on the unit you are logged in to.
• You cannot use the following commands with the failover exec command:
  – changeto
  – debug (undebug)
• If the standby unit is in the failed state, it can still receive commands from the failover exec command if the failure is due to a service card failure; otherwise, the remote command execution fails.
• You cannot use the failover exec command to switch from privileged EXEC mode to global configuration mode on the failover peer. For example, if the current unit is in privileged EXEC mode and you enter failover exec mate configure terminal, the show failover exec mate output shows that the failover exec session is in global configuration mode. However, entering configuration commands for the peer unit using failover exec fails until you enter global configuration mode on the current unit.
• You cannot enter recursive failover exec commands, such as failover exec mate failover exec mate command.
• Commands that require user input or confirmation must use the /nonconfirm option.
Examples
The following example shows how to use the failover exec command to display failover information on the active unit. The unit on which the command is executed is the active unit, so the command is executed locally.
hostname(config)# failover exec active show failover
Failover LAN Interface: failover GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 3 seconds
Interface Poll frequency 3 seconds, holdtime 15 seconds
Monitored Interfaces 2 of 250 maximum
Version: Ours 8.0(2), Mate 8.0(2)
Last Failover at: 09:31:50 jst May 2 2004
This host: Primary - Active
slot 0: ASA5520 hw/sw rev (1.0/8.0(2)) status (Up Sys)
admin Interface outside (192.168.5.101): Normal
admin Interface inside (192.168.0.1): Normal
slot 1: ASA-SSM-20 hw/sw rev (1.0/) status (Up/Up)
Other host: Secondary - Standby Ready
slot 0: ASA5520 hw/sw rev (1.0/8.0(2)) status (Up Sys)
admin Interface outside (192.168.5.111): Normal
admin Interface inside (192.168.0.11): Normal
slot 1: ASA-SSM-20 hw/sw rev (1.0/) status (Up/Up)
Stateful Failover Logical Update Statistics
Link : failover GigabitEthernet0/3 (up)
Stateful Obj xmit xerr rcv rerr
Logical Update Queue Information
The following example uses the failover exec command to display the failover status of the peer unit. The command is executed on the primary unit, which is the active unit, so the information displayed is from the secondary, standby unit.
hostname(config)# failover exec mate show failover
Failover LAN Interface: failover GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 3 seconds
Interface Poll frequency 3 seconds, holdtime 15 seconds
Monitored Interfaces 2 of 250 maximum
Version: Ours 8.0(2), Mate 8.0(2)
Last Failover at: 09:19:59 jst May 2 2004
This host: Secondary - Standby Ready
slot 0: ASA5520 hw/sw rev (1.0/8.0(2)) status (Up Sys)
admin Interface outside (192.168.5.111): Normal
admin Interface inside (192.168.0.11): Normal
slot 1: ASA-SSM-20 hw/sw rev (1.0/) status (Up/Up)
Other host: Primary - Active
slot 0: ASA5520 hw/sw rev (1.0/8.0(2)) status (Up Sys)
admin Interface outside (192.168.5.101): Normal
admin Interface inside (192.168.0.1): Normal
slot 1: ASA-SSM-20 hw/sw rev (1.0/) status (Up/Up)
Stateful Failover Logical Update Statistics
Link : failover GigabitEthernet0/3 (up)
Stateful Obj xmit xerr rcv rerr
Logical Update Queue Information
The following example uses the failover exec command to display the failover configuration of the failover peer. The command is executed on the primary unit, which is the active unit, so the information displayed is from the secondary, standby unit.
hostname(config)# failover exec mate show running-config failover
failover lan interface failover GigabitEthernet0/3
failover polltime unit 1 holdtime 3
failover polltime interface 3 holdtime 15
failover link failover GigabitEthernet0/3
failover interface ip failover 10.0.5.1 255.255.255.0 standby 10.0.5.2
The following example uses the failover exec command to create a context on the active unit from the standby unit. The command is replicated from the active unit back to the standby unit. Note the two "Creating context..." messages. One is from the failover exec command output from the peer unit when the context is created, and the other is from the local unit when the replicated command creates the context locally.
hostname(config)# show context
Context Name Class Interfaces URL
*admin default GigabitEthernet0/0, disk0:/admin.cfg
Total active Security Contexts: 1
! The following is executed in the system execution space on the standby unit.
hostname(config)# failover exec active context text
Creating context 'text'... Done. (2)
Creating context 'text'... Done. (3)
hostname(config)# show context
Context Name Class Interfaces URL
*admin default GigabitEthernet0/0, disk0:/admin.cfg
text default (not entered)
Total active Security Contexts: 2
The following example shows the warning that is returned when you use the failover exec command to send configuration commands to a failover peer in the standby state:
hostname# failover exec mate static (inside,outside) 192.168.5.241 192.168.0.241
Configuration Replication is NOT performed from Standby unit to Active unit.
Configurations are no longer synchronized.
The following example uses the failover exec command to send the show interface command to the standby unit:
hostname(config)# failover exec standby show interface
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps
Auto-Duplex(Half-duplex), Auto-Speed(100 Mbps)
MAC address 000b.fcf8.c290, MTU 1500
IP address 192.168.5.111, subnet mask 255.255.255.0
216 packets input, 27030 bytes, 0 no buffer
Received 2 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
284 packets output, 32124 bytes, 0 underruns
0 output errors, 0 collisions
0 late collisions, 0 deferred
input queue (curr/max blocks): hardware (0/0) software (0/0)
output queue (curr/max blocks): hardware (0/1) software (0/0)
Traffic Statistics for "outside":
215 packets input, 23096 bytes
284 packets output, 26976 bytes
1 minute input rate 0 pkts/sec, 21 bytes/sec
1 minute output rate 0 pkts/sec, 23 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 21 bytes/sec
5 minute output rate 0 pkts/sec, 24 bytes/sec
5 minute drop rate, 0 pkts/sec
Interface GigabitEthernet0/1 "inside", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps
Auto-Duplex(Half-duplex), Auto-Speed(10 Mbps)
MAC address 000b.fcf8.c291, MTU 1500
IP address 192.168.0.11, subnet mask 255.255.255.0
214 packets input, 26902 bytes, 0 no buffer
Received 1 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
215 packets output, 27028 bytes, 0 underruns
0 output errors, 0 collisions
0 late collisions, 0 deferred
input queue (curr/max blocks): hardware (0/0) software (0/0)
output queue (curr/max blocks): hardware (0/1) software (0/0)
Traffic Statistics for "inside":
214 packets input, 23050 bytes
215 packets output, 23140 bytes
1 minute input rate 0 pkts/sec, 21 bytes/sec
1 minute output rate 0 pkts/sec, 21 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 21 bytes/sec
5 minute output rate 0 pkts/sec, 21 bytes/sec
5 minute drop rate, 0 pkts/sec
Interface GigabitEthernet0/2 "failover", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Description: LAN/STATE Failover Interface
MAC address 000b.fcf8.c293, MTU 1500
IP address 10.0.5.2, subnet mask 255.255.255.0
1991 packets input, 408734 bytes, 0 no buffer
Received 1 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1835 packets output, 254114 bytes, 0 underruns
0 output errors, 0 collisions
0 late collisions, 0 deferred
input queue (curr/max blocks): hardware (0/0) software (0/0)
output queue (curr/max blocks): hardware (0/2) software (0/0)
Traffic Statistics for "failover":
1913 packets input, 345310 bytes
1755 packets output, 212452 bytes
1 minute input rate 1 pkts/sec, 319 bytes/sec
1 minute output rate 1 pkts/sec, 194 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 1 pkts/sec, 318 bytes/sec
5 minute output rate 1 pkts/sec, 192 bytes/sec
5 minute drop rate, 0 pkts/sec
The following example shows the error message returned when issuing an illegal command to the peer unit:
hostname# failover exec mate bad command
ERROR: % Invalid input detected at '^' marker.
The following example shows the error message that is returned when you use the failover exec command when failover is disabled:
hostname(config)# failover exec mate show failover
ERROR: Cannot execute command on mate because failover is disabled
Related Commands
Command | Description
debug fover | Displays failover-related debug messages.
debug xml | Displays debug messages for the XML parser used by the failover exec command.
show failover exec | Displays the failover exec command mode.
failover group
To configure an Active/Active failover group, use the failover group command in global configuration mode. To remove a failover group, use the no form of this command.
failover group num
no failover group num
Syntax Description
num | Failover group number. Valid values are 1 or 2.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Global configuration | • | • | — | — | •
Command History
Release | Modification
7.0(1) | This command was introduced.
Usage Guidelines
You can define a maximum of 2 failover groups. The failover group command can only be added to the system context of devices configured for multiple context mode. You can create and remove failover groups only when failover is disabled.
Entering this command puts you in the failover group command mode. The primary, secondary, preempt, replication http, interface-policy, mac address, and polltime interface commands are available in the failover group configuration mode. Use the exit command to return to global configuration mode.
Note
The failover polltime interface, failover interface-policy, failover replication http, and failover mac address commands have no effect in Active/Active failover configurations. They are overridden by the following failover group configuration mode commands: polltime interface, interface-policy, replication http, and mac address.
When removing failover groups, you must remove failover group 1 last. Failover group 1 always contains the admin context. Any context not assigned to a failover group defaults to failover group 1. You cannot remove a failover group that has contexts explicitly assigned to it.
Note
If you have more than one Active/Active failover pair on the same network, it is possible to have the same default virtual MAC addresses assigned to the interfaces on one pair as are assigned to the interfaces of the other pairs because of the way the default virtual MAC addresses are determined. To avoid having duplicate MAC addresses on your network, make sure you assign each physical interface a virtual active and standby MAC address using the mac address command.
Examples
The following partial example shows a possible configuration for two failover groups:
hostname(config)# failover group 1
hostname(config-fover-group)# primary
hostname(config-fover-group)# preempt 100
hostname(config-fover-group)# exit
hostname(config)# failover group 2
hostname(config-fover-group)# secondary
hostname(config-fover-group)# preempt 100
hostname(config-fover-group)# exit
Related Commands
Command | Description
asr-group | Specifies an asymmetrical routing interface group ID.
interface-policy | Specifies the failover policy when monitoring detects interface failures.
join-failover-group | Assigns a context to a failover group.
mac address | Defines virtual MAC addresses for the contexts within a failover group.
polltime interface | Specifies the amount of time between hello messages sent to monitored interfaces.
preempt | Specifies that a unit with a higher priority becomes the active unit after a reboot.
primary | Gives the primary unit higher priority for a failover group.
replication http | Specifies HTTP session replication for the selected failover group.
secondary | Gives the secondary unit higher priority for a failover group.
failover interface ip
To specify the IP address and mask for the failover interface and the Stateful Failover interface, use the failover interface ip command in global configuration mode. To remove the IP address, use the no form of this command.
failover interface ip if_name ip_address mask standby ip_address
no failover interface ip if_name ip_address mask standby ip_address
Syntax Description
if_name | Interface name for the failover or Stateful Failover interface.
ip_address mask | Specifies the IP address and mask for the failover or Stateful Failover interface on the primary module.
standby ip_address | Specifies the IP address used by the secondary module to communicate with the primary module.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Global configuration | • | • | • | — | •
Command History
Release | Modification
7.0(1) | This command was introduced.
Usage Guidelines
Failover and stateful failover interfaces are functions of Layer 3, even when the adaptive security appliance is operating in transparent firewall mode, and are global to the system.
In multiple context mode, you configure failover in the system context (except for the monitor-interface command).
This command must be part of the configuration when bootstrapping an adaptive security appliance for LAN failover.
Examples
The following example shows how to specify the IP address and mask for the failover interface:
hostname(config)# failover interface ip lanlink 172.27.48.1 255.255.255.0 standby 172.27.48.2
Related Commands
Command | Description
clear configure failover | Clears failover commands from the running configuration and restores failover default values.
failover lan interface | Specifies the interface used for failover communication.
failover link | Specifies the interface used for Stateful Failover.
monitor-interface | Monitors the health of the specified interface.
show running-config failover | Displays the failover commands in the running configuration.
failover interface-policy
To specify the policy for failover when monitoring detects an interface failure, use the failover interface-policy command in global configuration mode. To restore the default, use the no form of this command.
failover interface-policy num[%]
no failover interface-policy num[%]
Syntax Description
num | Specifies a number from 1 to 100 when used as a percentage, or 1 to the maximum number of interfaces when used as a number.
% | (Optional) Specifies that the number num is a percentage of the monitored interfaces.
Defaults
The defaults are as follows:
• num is 1.
• Monitoring of physical interfaces is enabled by default; monitoring of logical interfaces is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Global configuration | • | • | • | — | •
Command History
Release | Modification
7.0(1) | This command was introduced.
Usage Guidelines
There is no space between the num argument and the optional % keyword.
If the number of failed interfaces meets the configured policy and the other adaptive security appliance is functioning properly, the adaptive security appliance marks itself as failed and a failover might occur (if the active adaptive security appliance is the one that fails). Only interfaces that are designated as monitored by the monitor-interface command count towards the policy.
Note
This command applies to Active/Standby failover only. In Active/Active failover, you configure the interface policy for each failover group with the interface-policy command in failover group configuration mode.
Examples
The following examples show two ways to specify the failover policy:
hostname(config)# failover interface-policy 20%
hostname(config)# failover interface-policy 5
Related Commands
Command | Description
failover polltime | Specifies the unit and interface poll times.
failover reset | Restores a failed unit to an unfailed state.
monitor-interface | Specifies the interfaces being monitored for failover.
show failover | Displays information about the failover state of the unit.
failover key
To specify the key for encrypted and authenticated communication between units in a failover pair, use the failover key command in global configuration mode. To remove the key, use the no form of this command.
failover key {secret | hex key}
no failover key
Syntax Description
hex key | Specifies a hexadecimal value for the encryption key. The key must be 32 hexadecimal characters (0-9, a-f).
secret | Specifies an alphanumeric shared secret. The secret can be from 1 to 63 characters. Valid characters are any combination of numbers, letters, or punctuation. The shared secret is used to generate the encryption key.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Global configuration | • | • | • | — | •
Command History
Release | Modification
7.0(1) | This command was modified from failover lan key to failover key.
7.0(4) | This command was modified to include the hex key keyword and argument.
Usage Guidelines
To encrypt and authenticate failover communications between the units, you must configure both units with a shared secret or hexadecimal key. If you do not specify a failover key, failover communication is transmitted in the clear.
Note
On the PIX adaptive security appliance platform, if you are using the dedicated serial failover cable to connect the units, then communication over the failover link is not encrypted even if a failover key is configured. The failover key only encrypts LAN-based failover communication.
Caution 
All information sent over the failover and Stateful Failover links is sent in clear text unless you secure the communication with a failover key. If the adaptive security appliance is used to terminate VPN tunnels, this information includes any user names, passwords and preshared keys used for establishing the tunnels. Transmitting this sensitive data in clear text could pose a significant security risk. We recommend securing the failover communication with a failover key if you are using the adaptive security appliance to terminate VPN tunnels.
Examples
The following example shows how to specify a shared secret for securing failover communication between units in a failover pair:
hostname(config)# failover key abcdefg
The following example shows how to specify a hexadecimal key for securing failover communication between two units in a failover pair:
hostname(config)# failover key hex 6a1ed228381cf5c68557cb0c32e614dc
Related Commands
Command | Description
show running-config failover | Displays the failover commands in the running configuration.
failover lan enable
To enable LAN-based failover on the PIX adaptive security appliance, use the failover lan enable command in global configuration mode. To disable LAN-based failover, use the no form of this command.
failover lan enable
no failover lan enable
Syntax Description
This command has no arguments or keywords.
Defaults
Not enabled.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Global configuration | • | • | • | — | •
Command History
Release | Modification
Preexisting | This command was preexisting.
Usage Guidelines
When LAN-based failover is disabled using the no form of this command, cable-based failover is used if the failover cable is installed. This command is available on the PIX adaptive security appliance only.
Caution 
All information sent over the failover and Stateful Failover links is sent in clear text unless you secure the communication with a failover key. If the adaptive security appliance is used to terminate VPN tunnels, this information includes any usernames, passwords and preshared keys used for establishing the tunnels. Transmitting this sensitive data in clear text could pose a significant security risk. We recommend securing the failover communication with a failover key if you are using the adaptive security appliance to terminate VPN tunnels.
Examples
The following example enables LAN-based failover:
hostname(config)# failover lan enable
Related Commands
Command | Description
failover lan interface | Specifies the interface used for failover communication.
failover lan unit | Specifies the LAN-based failover primary or secondary unit.
show failover | Displays information about the failover status of the unit.
show running-config failover | Displays the failover commands in the running configuration.
failover lan interface
To specify the interface used for failover communication, use the failover lan interface command in global configuration mode. To remove the failover interface, use the no form of this command.
failover lan interface if_name {phy_if[.sub_if] | vlan_if}
no failover lan interface [if_name {phy_if[.sub_if] | vlan_if}]
Syntax Description
if_name | Specifies the name of the adaptive security appliance interface dedicated to failover.
phy_if | Specifies the physical interface.
sub_if | (Optional) Specifies a subinterface number.
vlan_if | Used on the ASA 5505 adaptive security appliance to specify a VLAN interface as the failover link.
Defaults
Not configured.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Global configuration | • | • | • | — | •
Command History
Release | Modification
7.0(1) | This command was modified to include the phy_if argument.
7.2(1) | This command was modified to include the vlan_if argument.
Usage Guidelines
LAN failover requires a dedicated interface for passing failover traffic. However, you can also use the LAN failover interface for the Stateful Failover link.
Note
If you use the same interface for both LAN failover and Stateful Failover, the interface needs enough capacity to handle both the LAN-based failover and Stateful Failover traffic.
You can use any unused Ethernet interface on the device as the failover interface. You cannot specify an interface that is currently configured with a name. The failover interface is not configured as a normal networking interface; it exists only for failover communications. This interface should only be used for the failover link (and optionally for the state link). You can connect the LAN-based failover link by using a dedicated switch with no hosts or routers on the link or by using a crossover Ethernet cable to link the units directly.
Note
When using VLANs, use a dedicated VLAN for the failover link. Sharing the failover link VLAN with any other VLANs can cause intermittent traffic problems and ping and ARP failures. If you use a switch to connect the failover link, use dedicated interfaces on the switch and adaptive security appliance for the failover link; do not share the interface with subinterfaces carrying regular network traffic.
On systems running in multiple context mode, the failover link resides in the system context. This interface and the state link, if used, are the only interfaces that you can configure in the system context. All other interfaces are allocated to and configured from within security contexts.
Note
The IP address and MAC address for the failover link do not change at failover.
The no form of this command also clears the failover interface IP address configuration.
This command must be part of the configuration when bootstrapping an adaptive security appliance for LAN failover.
Caution 
All information sent over the failover and Stateful Failover links is sent in clear text unless you secure the communication with a failover key. If the adaptive security appliance is used to terminate VPN tunnels, this information includes any user names, passwords and preshared keys used for establishing the tunnels. Transmitting this sensitive data in clear text could pose a significant security risk. We recommend securing the failover communication with a failover key if you are using the adaptive security appliance to terminate VPN tunnels.
Examples
The following example configures the failover LAN interface on a PIX 500 series adaptive security appliance:
hostname(config)# failover lan interface folink Ethernet4
The following example configures the failover LAN interface using a subinterface on an ASA 5500 series adaptive security appliance (except for the ASA 5505 adaptive security appliance):
hostname(config)# failover lan interface folink GigabitEthernet0/3.1
The following example configures the failover LAN interface on the ASA 5505 adaptive security appliance:
hostname(config)# failover lan interface folink Vlan6
Related Commands
Command | Description
failover lan enable | Enables LAN-based failover on the PIX adaptive security appliance.
failover lan unit | Specifies the LAN-based failover primary or secondary unit.
failover link | Specifies the Stateful Failover interface.
failover lan unit
To configure the adaptive security appliance as either the primary or secondary unit in a LAN failover configuration, use the failover lan unit command in global configuration mode. To restore the default setting, use the no form of this command.
failover lan unit {primary | secondary}
no failover lan unit {primary | secondary}
Syntax Description
primary | Specifies the adaptive security appliance as the primary unit.
secondary | Specifies the adaptive security appliance as the secondary unit.
Defaults
Secondary.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Global configuration | • | • | • | — | •
Command History
Release | Modification
Preexisting | This command was preexisting.
Usage Guidelines
For Active/Standby failover, the primary and secondary designation for the failover unit refers to which unit becomes active at boot time. The primary unit becomes the active unit at boot time when the following occurs:
• The primary and secondary unit both complete their boot sequence within the first failover poll check.
• The primary unit boots before the secondary unit.
If the secondary unit is already active when the primary unit boots, the primary unit does not take control; it becomes the standby unit. In this case, you need to issue the no failover active command on the secondary (active) unit to force the primary unit back to active status.
For Active/Active failover, each failover group is assigned a primary or secondary unit preference. This preference determines on which unit in the failover pair the contexts in the failover group become active at startup when both units start simultaneously (within the failover polling period).
This command must be part of the configuration when bootstrapping an adaptive security appliance for LAN failover.
Examples
The following example sets the adaptive security appliance as the primary unit in LAN-based failover:
hostname(config)# failover lan unit primary
Related Commands
Command | Description
failover lan enable | Enables LAN-based failover on the PIX adaptive security appliance.
failover lan interface | Specifies the interface used for failover communication.
failover link
To specify the Stateful Failover interface, use the failover link command in global configuration mode. To remove the Stateful Failover interface, use the no form of this command.
failover link if_name [phy_if]
no failover link
Syntax Description
if_name | Specifies the name of the adaptive security appliance interface dedicated to Stateful Failover.
phy_if | (Optional) Specifies the physical or logical interface port. If the Stateful Failover interface is sharing the interface assigned for failover communication or sharing a standard firewall interface, then this argument is not required.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Global configuration | • | • | • | — | •
Command History
Release | Modification
7.0(1) | This command was modified to include the phy_if argument.
7.0(4) | This command was modified to accept standard firewall interfaces.
Usage Guidelines
This command is not available on the ASA 5505 adaptive security appliance, which does not support Stateful Failover.
The physical or logical interface argument is required when not sharing the failover communication or a standard firewall interface.
The failover link command enables Stateful Failover. Enter the no failover link command to disable Stateful Failover. If you are using a dedicated Stateful Failover interface, the no failover link command also clears the Stateful Failover interface IP address configuration.
To use Stateful Failover, you must configure a Stateful Failover link to pass all state information. You have three options for configuring a Stateful Failover link:
• You can use a dedicated Ethernet interface for the Stateful Failover link.
• If you are using LAN-based failover, you can share the failover link.
• You can share a regular data interface, such as the inside interface. However, this option is not recommended.
If you are using a dedicated Ethernet interface for the Stateful Failover link, you can use either a switch or a crossover cable to directly connect the units. If you use a switch, no other hosts or routers should be on this link.
Note
Enable the PortFast option on Cisco switch ports that connect directly to the adaptive security appliance.
If you are using the failover link as the Stateful Failover link, you should use the fastest Ethernet interface available. If you experience performance problems on that interface, consider dedicating a separate interface for the Stateful Failover interface.
If you use a data interface as the Stateful Failover link, you will receive the following warning when you specify that interface as the Stateful Failover link:
******* WARNING ***** WARNING ******* WARNING ****** WARNING *********
Sharing Stateful failover interface with regular data interface is not
a recommended configuration due to performance and security concerns.
******* WARNING ***** WARNING ******* WARNING ****** WARNING *********
Sharing a data interface with the Stateful Failover interface can leave you vulnerable to replay attacks. Additionally, large amounts of Stateful Failover traffic may be sent on the interface, causing performance problems on that network segment.
Note
Using a data interface as the Stateful Failover interface is only supported in single context, routed mode.
In multiple context mode, the Stateful Failover link resides in the system context. This interface and the failover interface are the only interfaces in the system context. All other interfaces are allocated to and configured from within security contexts.
Note
The IP address and MAC address for the Stateful Failover link do not change at failover unless the Stateful Failover link is configured on a regular data interface.
Caution 
All information sent over the failover and Stateful Failover links is sent in clear text unless you secure the communication with a failover key. If the adaptive security appliance is used to terminate VPN tunnels, this information includes any user names, passwords and preshared keys used for establishing the tunnels. Transmitting this sensitive data in clear text could pose a significant security risk. We recommend securing the failover communication with a failover key if you are using the adaptive security appliance to terminate VPN tunnels.
Examples
The following example shows how to specify a dedicated interface as the Stateful Failover interface. The interface in the example does not have an existing configuration.
hostname(config)# failover link stateful_if e4
INFO: Non-failover interface config is cleared on Ethernet4 and its sub-interfaces
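The following Python audit is an added example, not part of the Cisco reference and not an ASA feature. It reads a running-config excerpt and flags the two exposures described under failover key and failover link above: failover traffic sent without a failover key (clear text, including any replicated VPN credentials) and a Stateful Failover link placed on a regular data interface. The config text, interface names and addresses are constructed for the example; the parser assumes the usual ASA interface/nameif block layout.

```python
import re

# Constructed sample running-config excerpt (not from the Cisco reference).
# It shares the Stateful Failover link with the "inside" data interface and
# configures no failover key, the two conditions the guidelines warn about.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
interface GigabitEthernet0/3
 description LAN/STATE Failover Interface
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover link inside
failover interface ip folink 10.0.5.1 255.255.255.0 standby 10.0.5.2
"""


def parse_failover(config_text):
    """Collect the failover-relevant facts from an ASA-style running-config.

    Returns the named data interfaces (physical -> nameif), the LAN failover
    interface, the Stateful Failover link, and whether any `failover key`
    line is present (the key value itself is never needed or stored).
    """
    facts = {
        "data_ifs": {},
        "lan_if": None, "lan_phy": None,
        "link_if": None, "link_phy": None,
        "has_key": False,
    }
    current_phy = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"^interface (\S+)$", line)
        if m:
            current_phy = m.group(1)
            continue
        m = re.match(r"^nameif (\S+)$", line)
        if m and current_phy:
            # A nameif inside an interface block marks a regular data interface.
            facts["data_ifs"][current_phy] = m.group(1)
            continue
        parts = line.split()
        if parts[0] != "failover":
            continue
        current_phy = None  # failover lines sit outside the interface blocks
        if line.startswith("failover lan interface ") and len(parts) >= 4:
            facts["lan_if"] = parts[3]
            facts["lan_phy"] = parts[4] if len(parts) > 4 else None
        elif line.startswith("failover link ") and len(parts) >= 3:
            facts["link_if"] = parts[2]
            facts["link_phy"] = parts[3] if len(parts) > 3 else None
        elif line.startswith("failover key"):
            facts["has_key"] = True
    return facts


def audit_failover(config_text):
    """Return a list of (finding_id, detail) tuples; an empty list means clean."""
    f = parse_failover(config_text)
    findings = []
    lan_based = f["lan_if"] is not None
    if (lan_based or f["link_if"]) and not f["has_key"]:
        findings.append(("NO_FAILOVER_KEY",
                         "failover and Stateful Failover traffic is sent in clear "
                         "text; configure the same failover key on both units"))
    if f["link_if"]:
        data_names = set(f["data_ifs"].values())
        if f["link_if"] in data_names or f["link_phy"] in f["data_ifs"]:
            findings.append(("STATE_LINK_ON_DATA_IF",
                             "Stateful Failover link %s shares a regular data "
                             "interface (replay and performance exposure); use a "
                             "dedicated interface or share the LAN failover link"
                             % f["link_if"]))
    return findings


if __name__ == "__main__":
    for finding_id, detail in audit_failover(SAMPLE_CONFIG):
        print(finding_id, "-", detail)
```

Moving the state link onto the LAN failover interface (failover link folink) and adding a failover key clears both findings.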
Related Commands
Command | Description
failover interface ip | Configures the IP address of the failover command interface and the Stateful Failover interface.
failover lan interface | Specifies the interface used for failover communication.
failover mac address
To specify the failover virtual MAC address for a physical interface, use the failover mac address command in global configuration mode. To remove the virtual MAC address, use the no form of this command.
failover mac address phy_if active_mac standby_mac
no failover mac address phy_if active_mac standby_mac
Syntax Description
phy_if | The physical name of the interface to set the MAC address.
active_mac | The MAC address assigned to the specified interface of the active adaptive security appliance. The MAC address must be entered in h.h.h format, where h is a 16-bit hexadecimal number.
standby_mac | The MAC address assigned to the specified interface of the standby adaptive security appliance. The MAC address must be entered in h.h.h format, where h is a 16-bit hexadecimal number.
Defaults
Not configured.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Global configuration | • | • | • | — | •
Command History
Release | Modification
Preexisting | This command was preexisting.
Usage Guidelines
The failover mac address command lets you configure virtual MAC addresses for an Active/Standby failover pair. If virtual MAC addresses are not defined, then when each failover unit boots it uses the burned-in MAC addresses for its interfaces and exchanges those addresses with its failover peer. The MAC addresses for the interfaces on the primary unit are used for the interfaces on the active unit.
However, if both units are not brought online at the same time and the secondary unit boots first and becomes active, it uses the burned-in MAC addresses for its own interfaces. When the primary unit comes online, the secondary unit will obtain the MAC addresses from the primary unit. This change can disrupt network traffic. Configuring virtual MAC addresses for the interfaces ensures that the secondary unit uses the correct MAC address when it is the active unit, even if it comes online before the primary unit.
The failover mac address command is unnecessary (and therefore cannot be used) on an interface configured for LAN-based failover because the failover lan interface command does not change the IP and MAC addresses when failover occurs. This command has no effect when the adaptive security appliance is configured for Active/Active failover.
When adding the failover mac address command to your configuration, it is best to configure the virtual MAC address, save the configuration to Flash memory, and then reload the failover pair. If the virtual MAC address is added when there are active connections, then those connections stop. Also, you must write the complete configuration, including the failover mac address command, to the Flash memory of the secondary adaptive security appliance for the virtual MAC addressing to take effect.
If the failover mac address is specified in the configuration of the primary unit, it should also be specified in the bootstrap configuration of the secondary unit.
Note
This command applies to Active/Standby failover only. In Active/Active failover, you configure the virtual MAC address for each interface in a failover group with the mac address command in failover group configuration mode.
Examples
The following example configures the active and standby MAC addresses for the interface named intf2:
hostname(config)# failover mac address Ethernet0/2 00a0.c969.87c8 00a0.c918.95d8
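The usage guidelines above require every failover mac address line in the primary unit's configuration to appear in the secondary unit's bootstrap configuration, and the Caution under failover link warns that failover traffic crosses the link in clear text unless a failover key is configured. The following Python script is an added example, not part of the Cisco document, that audits a pair of constructed configuration snippets for both points and validates the h.h.h MAC format. The interface names, key value and MAC addresses are constructed; accepting one to four hexadecimal digits per group follows the document's "16-bit hexadecimal number" wording and is an assumption about the appliance's exact parser.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample configurations (not from the Cisco document): a primary
# unit's failover configuration and the bootstrap configuration of its secondary.
# The secondary bootstrap is deliberately incomplete so the audit has findings.
PRIMARY_CONFIG = """\
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover key EXAMPLE-KEY-PLACEHOLDER
failover link stateful_if GigabitEthernet0/4
failover interface ip folink 10.1.1.1 255.255.255.0 standby 10.1.1.2
failover mac address Ethernet0/2 00a0.c969.87c8 00a0.c918.95d8
failover mac address Ethernet0/1 00a0.c969.0001 00a0.c969.0002
failover mac address Ethernet0/0 00a0c96987c8 00a0c91895d8
"""

SECONDARY_BOOTSTRAP = """\
failover
failover lan unit secondary
failover lan interface folink GigabitEthernet0/3
failover interface ip folink 10.1.1.1 255.255.255.0 standby 10.1.1.2
failover mac address Ethernet0/2 00a0.c969.87c8 00a0.c918.95d8
"""

# h.h.h form: three dot-separated groups, each a 16-bit hexadecimal number
# (assumption: 1 to 4 hex digits per group, per the document's wording).
MAC_HHH = re.compile(r"^[0-9a-fA-F]{1,4}\.[0-9a-fA-F]{1,4}\.[0-9a-fA-F]{1,4}$")
FAILOVER_MAC_LINE = re.compile(r"^failover mac address (\S+) (\S+) (\S+)\s*$")


def parse_hhh_mac(text: str) -> Optional[bytes]:
    """Parse a MAC in h.h.h form into its six raw bytes; None if malformed."""
    if not MAC_HHH.match(text):
        return None
    return b"".join(int(group, 16).to_bytes(2, "big") for group in text.split("."))


def is_unicast(mac: bytes) -> bool:
    """The I/G bit (least significant bit of the first octet) must be clear."""
    return (mac[0] & 0x01) == 0


def failover_mac_entries(config: str) -> Dict[str, Tuple[str, str]]:
    """Map each physical interface to its (active_mac, standby_mac) pair."""
    entries: Dict[str, Tuple[str, str]] = {}
    for line in config.splitlines():
        m = FAILOVER_MAC_LINE.match(line.strip())
        if m:
            entries[m.group(1)] = (m.group(2), m.group(3))
    return entries


def has_failover_key(config: str) -> bool:
    return any(line.strip().startswith("failover key ") for line in config.splitlines())


def audit_failover_pair(primary: str, secondary: str) -> List[str]:
    """Return human-readable findings; an empty list means the pair is consistent."""
    findings: List[str] = []
    if not (has_failover_key(primary) and has_failover_key(secondary)):
        findings.append("failover key missing on a unit: failover and Stateful Failover "
                        "traffic would cross the links in clear text")
    prim = failover_mac_entries(primary)
    sec = failover_mac_entries(secondary)
    for intf, (active, standby) in prim.items():
        a, s = parse_hhh_mac(active), parse_hhh_mac(standby)
        if a is None or s is None:
            findings.append(f"{intf}: MAC not in h.h.h format")
            continue
        if not (is_unicast(a) and is_unicast(s)):
            findings.append(f"{intf}: multicast bit set in a virtual MAC")
        if a == s:
            findings.append(f"{intf}: active and standby virtual MACs are identical")
        if sec.get(intf) != (active, standby):
            findings.append(f"{intf}: failover mac address missing or different "
                            "in the secondary bootstrap configuration")
    for intf in sec.keys() - prim.keys():
        findings.append(f"{intf}: failover mac address present only on the secondary")
    return findings


if __name__ == "__main__":
    for finding in audit_failover_pair(PRIMARY_CONFIG, SECONDARY_BOOTSTRAP):
        print(finding)
```

Run against the constructed pair, the audit reports the missing failover key on the secondary, the Ethernet0/1 virtual MAC that was never written to the secondary bootstrap, and the Ethernet0/0 addresses that are not in h.h.h form; a pair whose failover mac address lines match on both units and that carries a failover key produces no findings.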
Related Commands
Command | Description
show interface | Displays interface status, configuration, and statistics.
failover polltime
To specify the failover unit poll and hold times, use the failover polltime command in global configuration mode. To restore the default poll and hold times, use th