Table Of Contents

mac address through multicast-routing Commands

mac address

mac-address

mac-address auto

mac-address-table aging-time

mac-address-table static

mac-learn

mac-list

mail-relay

management-access

management-only

map-name

map-value

mask

mask-banner

mask-syst-reply

match access-list

match active-ftp

match any

match apn

match body

match called-party

match calling-party

match certificate

match cmd

match default-inspection-traffic

match dns-class

match dns-type

match domain-name

match dscp

match ehlo-reply-parameter

match filename

match filetype

match flow ip destination-address

match header

match header-flag

match im-subscriber

match invalid-recipients

match ip address

match ip next-hop

match ip route-source

match login-name

match media-type

match message id

match message length

match message-path

match mime

match passive-ftp

match peer-ip-address

match peer-login-name

match port

match precedence

match protocol

match question

match req-resp

match request-command

match request-method

match request method

match route-type

match rtp

match sender-address

match server

match service

match third-party-registration

match tunnel-group

match uri

match url-filter

match username

match version

max-failed-attempts

max-forwards-validation

max-header-length

max-object-size

max-retry-attempts

max-uri-length

mcc

media-termination

media-type

member

member-interface

memberof

memory delayed-free-poisoner enable

memory delayed-free-poisoner validate

memory caller-address

memory profile enable

memory profile text

memory-size

message-length

mfib forwarding

min-object-size

mkdir

mode

monitor-interface

more

mount (CIFS)

mount (FTP)

mroute

mschapv2-capable

msie-proxy except-list

msie-proxy local-bypass

msie-proxy method

msie-proxy pac-url

msie-proxy server

mtu

multicast boundary

multicast-routing

mac address through multicast-routing Commands

---

mac address

To specify the virtual MAC addresses for the active and standby units, use the mac address command in failover group configuration mode. To restore the default virtual MAC addresses, use the no form of this command.

mac address phy_if [active_mac] [standby_mac]

no mac address phy_if [active_mac] [standby_mac]

Syntax Description

phy_if	The physical name of the interface to set the MAC address.
active_mac	The virtual MAC address for the active unit. The MAC address must be entered in h.h.h format, where h is a 16-bit hexadecimal number.
standby_mac	The virtual MAC address for the standby unit. The MAC address must be entered in h.h.h format, where h is a 16-bit hexadecimal number.

Defaults

The defaults are as follows:

•Active unit default MAC address: 00a0.c9physical_port_number.failover_group_id01.

•Standby unit default MAC address: 00a0.c9physical_port_number.failover_group_id02.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Failover group configuration	•	•	—	—	•

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

If the virtual MAC addresses are not defined for the failover group, the default values are used.

If you have more than one Active/Active failover pair on the same network, it is possible to have the same default virtual MAC addresses assigned to the interfaces on one pair as are assigned to the interfaces of the other pairs because of the way the default virtual MAC addresses are determined. To avoid having duplicate MAC addresses on your network, make sure you assign each physical interface a virtual active and standby MAC address.

Examples

The following partial example shows a possible configuration for a failover group:

hostname(config)# failover group 1 

hostname(config-fover-group)# primary

hostname(config-fover-group)# preempt 100

hostname(config-fover-group)# exit

hostname(config)# failover group 2

hostname(config-fover-group)# secondary

hostname(config-fover-group)# preempt 100

hostname(config-fover-group)# mac address e1 0000.a000.a011 0000.a000.a012 

hostname(config-fover-group)# exit

hostname(config)#

Related Commands

Command	Description
failover group	Defines a failover group for Active/Active failover.
failover mac address	Specifies a virtual MAC address for a physical interface.

mac-address

To manually assign a private MAC address to an interface or subinterface, use the mac-address command in interface configuration mode. In multiple context mode, this command can assign a different MAC address to the interface in each context. To revert the MAC address to the default, use the no form of this command.

mac-address mac_address [standby mac_address]

no mac-address [mac_address [standby mac_address]]

Syntax Description

mac_address	Sets the MAC address for this interface in H.H.H format, where H is a 16-bit hexadecimal digit. For example, the MAC address 00-0C-F1-42-4C-DE would be entered as 000C.F142.4CDE. If you use failover, this MAC address is the active MAC address.
standby mac_address	(Optional) Sets the standby MAC address for failover. If the active unit fails over and the standby unit becomes active, the new active unit starts using the active MAC addresses to minimize network disruption, while the old active unit uses the standby address.

Defaults

The default MAC address is the burned-in MAC address of the physical interface. Subinterfaces inherit the physical interface MAC address. Some commands set the physical interface MAC address (including this command in single mode), so the inherited address depends on that configuration.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Interface configuration	•	•	•	•	—

Command History

Release	Modification
7.2(1)	This command was introduced.

Usage Guidelines

In multiple context mode, if you share an interface between contexts, you can assign a unique MAC address to the interface in each context. This feature lets the adaptive security appliance easily classify packets into the appropriate context. Using a shared interface without unique MAC addresses is possible, but has some limitations. See the Cisco ASA 5500 Series Configuration Guide using the CLI for more information.

You can assign each MAC address manually with this command, or you can automatically generate MAC addresses for shared interfaces in contexts using the mac-address auto command. If you automatically generate MAC addresses, you can use the mac-address command to override the generated address.

For single context mode, or for interfaces that are not shared in multiple context mode, you might want to assign unique MAC addresses to subinterfaces. For example, your service provider might perform access control based on the MAC address.

You can also set the MAC address using other commands or methods. The MAC address methods have the following priority:

1. mac-address command in interface configuration mode.

This command works for physical interfaces and subinterfaces. In multiple context mode, you set the MAC address within each context. This feature lets you set a different MAC address for the same interface in multiple contexts.

2. failover mac address command for Active/Standby failover in global configuration mode.

This command applies to physical interfaces. Subinterfaces inherit the MAC address of the physical interface unless set separately by the mac-address or mac-address auto command.

3. mac address command for Active/Active failover in failover group configuration mode.

This command applies to physical interfaces. Subinterfaces inherit the MAC address of the physical interface unless set separately by the mac-address or mac-address auto command.

4. mac-address auto command in global configuration mode (multiple context mode only).

This command applies to shared interfaces in contexts.

5. For Active/Active failover, auto-generation of active and standby MAC addresses for physical interfaces.

This method applies to physical interfaces. Subinterfaces inherit the MAC address of the physical interface unless set separately by the mac-address or mac-address auto command.

6. Burned-in MAC address. This method applies to physical interfaces.

Subinterfaces inherit the MAC address of the physical interface unless set separately by the mac-address or mac-address auto command.

Examples

The following example configures the MAC address for GigabitEthernet 0/1.1:

hostname/contextA(config)# interface gigabitethernet0/1.1

hostname/contextA(config-if)# nameif inside

hostname/contextA(config-if)# security-level 100

hostname/contextA(config-if)# ip address 10.1.2.1 255.255.255.0

hostname/contextA(config-if)# mac-address 030C.F142.4CDE standby 040C.F142.4CDE

hostname/contextA(config-if)# no shutdown

Related Commands

Command	Description
failover mac address	Sets the active and standby MAC address of a physical interface for Active/Standby failover.
mac address	Sets the active and standby MAC address of a physical interface for Active/Active failover.
mac-address auto	Auto-generates MAC addresses (active and standby) for shared interfaces in multiple context mode.
mode	Sets the security context mode to multiple or single.
show interface	Shows the interface characteristics, including the MAC address.

mac-address auto

To automatically assign private MAC addresses to each shared context interface, use the mac-address auto command in global configuration mode. To disable automatic MAC addresses, use the no form of this command.

mac-address auto

no mac-address auto

Syntax Description

This command has no arguments or keywords.

Defaults

Auto-generation is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	•	—	—	•

Command History

Release	Modification
7.2(1)	This command was introduced.

Usage Guidelines

To allow contexts to share interfaces, we suggest that you assign unique MAC addresses to each context interface. The MAC address is used to classify packets within a context. If you share an interface, but do not have unique MAC addresses for the interface in each context, then the destination IP address is used to classify packets. The destination address is matched with the context NAT configuration, and this method has some limitations compared to the MAC address method. See the Cisco ASA 5500 Series Configuration Guide using the CLI for information about classifying packets.

By default, the physical interface uses the burned-in MAC address, and all subinterfaces of a physical interface use the same burned-in MAC address.

For use with failover, the adaptive security appliance generates both an active and standby MAC address for each interface. If the active unit fails over and the standby unit becomes active, the new active unit starts using the active MAC addresses to minimize network disruption. Because the mac-address auto command only sets shared interfaces, you should still set virtual MAC addresses for unshared interfaces in an Active/Standby configuration using the mac-address or failover mac address command (Active/Active failover automatically assigns virtual MAC addresses to physical interfaces).

When you assign an interface to a context, the new MAC address is generated immediately. If you enable this command after you create context interfaces, then MAC addresses are generated for all interfaces immediately after you enter the command. If you use the no mac-address auto command, the MAC address for each interface reverts to the default MAC address. For example, subinterfaces of GigabitEthernet 0/1 revert to using the MAC address of GigabitEthernet 0/1.

The MAC address is generated using the following format:

•Active unit MAC address: 12_slot.port_subid.contextid.

•Standby unit MAC address: 02_slot.port_subid.contextid.

For platforms with no interface slots, the slot is always 0. The port is the interface port. The subid is an internal ID for the subinterface, which is not viewable. The contextid is an internal ID for the context, viewable with the show context detail command. For example, the interface GigabitEthernet 0/1.200 in the context with the ID 1 has the following generated MAC addresses, where the internal ID for subinterface 200 is 31:

•Active: 1200.0131.0001

•Standby: 0200.0131.0001

In the rare circumstance that the generated MAC address conflicts with another private MAC address in your network, you can manually set the MAC address for the interface within the context. See the mac-address command to manually set the MAC address.

You can also set the MAC address using other commands or methods. The MAC address methods have the following priority:

1. mac-address command in interface configuration mode.

This command works for physical interfaces and subinterfaces. In multiple context mode, you set the MAC address within each context. This feature lets you set a different MAC address for the same interface in multiple contexts.

2. failover mac address command for Active/Standby failover in global configuration mode.

This command applies to physical interfaces. Subinterfaces inherit the MAC address of the physical interface unless set separately by the mac-address or mac-address auto command.

3. mac address command for Active/Active failover in failover group configuration mode.

This command applies to physical interfaces. Subinterfaces inherit the MAC address of the physical interface unless set separately by the mac-address or mac-address auto command.

4. mac-address auto command in global configuration mode (multiple context mode only).

This command applies to shared interfaces in contexts.

5. For Active/Active failover, auto-generation of active and standby MAC addresses for physical interfaces.

This method applies to physical interfaces. Subinterfaces inherit the MAC address of the physical interface unless set separately by the mac-address or mac-address auto command.

6. Burned-in MAC address. This method applies to physical interfaces.

Subinterfaces inherit the MAC address of the physical interface unless set separately by the mac-address or mac-address auto command.

Examples

The following example enables automatic MAC address generation:

hostname(config)# mac-address auto

Related Commands

Command	Description
failover mac address	Sets the active and standby MAC address of a physical interface for Active/Standby failover.
mac address	Sets the active and standby MAC address of a physical interface for Active/Active failover.
mac-address	Manually sets the MAC address (active and standby) for a physical interface or subinterface. In multiple context mode, you can set different MAC addresses in each context for the same interface.
mode	Sets the security context mode to multiple or single.
show interface	Shows the interface characteristics, including the MAC address.

mac-address-table aging-time

To set the timeout for MAC address table entries, use the mac-address-table aging-time command in global configuration mode. To restore the default value of 5 minutes, use the no form of this command.

mac-address-table aging-time timeout_value

no mac-address-table aging-time

Syntax Description

timeout_value

The time a MAC address entry stays in the MAC address table before timing out, between 5 and 720 minutes (12 hours). 5 minutes is the default.

Defaults

The default timeout is 5 minutes.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	—	•	•	•	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

No usage guidelines.

Examples

The following example sets the MAC address timeout to 10 minutes:

hostname(config)# mac-address-timeout aging time 10

Related Commands

Command	Description
arp-inspection	Enables ARP inspection, which compares ARP packets to static ARP entries.
firewall transparent	Sets the firewall mode to transparent.
mac-address-table static	Adds static MAC address entries to the MAC address table.
mac-learn	Disables MAC address learning.
show mac-address-table	Shows the MAC address table, including dynamic and static entries.

mac-address-table static

To add a static entry to the MAC address table, use the mac-address-table static command in global configuration mode. To remove a static entry, use the no form of this command. Normally, MAC addresses are added to the MAC address table dynamically as traffic from a particular MAC address enters an interface. You can add static MAC addresses to the MAC address table if desired. One benefit to adding static entries is to guard against MAC spoofing. If a client with the same MAC address as a static entry attempts to send traffic to an interface that does not match the static entry, then the adaptive security appliance drops the traffic and generates a system message.

mac-address-table static interface_name mac_address

no mac-address-table static interface_name mac_address

Syntax Description

interface_name	The source interface.
mac_address	The MAC address you want to add to the table.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	—	•	•	•	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Examples

The following example adds a static MAC address entry to the MAC address table:

hostname(config)# mac-address-table static inside 0010.7cbe.6101

Related Commands

Command	Description
arp	Adds a static ARP entry.
firewall transparent	Sets the firewall mode to transparent.
mac-address-table aging-time	Sets the timeout for dynamic MAC address entries.
mac-learn	Disables MAC address learning.
show mac-address-table	Shows MAC address table entries.

mac-learn

To disable MAC address learning for an interface, use the mac-learn command in global configuration mode. To reenable MAC address learning, use the no form of this command. By default, each interface automatically learns the MAC addresses of entering traffic, and the adaptive security appliance adds corresponding entries to the MAC address table. You can disable MAC address learning if desired.

mac-learn interface_name disable

no mac-learn interface_name disable

Syntax Description

interface_name	The interface on which you want to disable MAC learning.
disable	Disables MAC learning.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	—	•	•	•	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Examples

The following example disables MAC learning on the outside interface:

hostname(config)# mac-learn outside disable

Related Commands

Command	Description
clear configure mac-learn	Sets the mac-learn configuration to the default.
firewall transparent	Sets the firewall mode to transparent.
mac-address-table static	Adds static MAC address entries to the MAC address table.
show mac-address-table	Shows the MAC address table, including dynamic and static entries.
show running-config mac-learn	Shows the mac-learn configuration.

mac-list

To specify a list of MAC addresses to be used to exempt MAC addresses from authentication and/or authorization, use the mac-list command in global configuration mode. To remove a MAC list entry, use the no form of this command.

mac-list id {deny | permit} mac macmask

no mac-list id {deny | permit} mac macmask

Syntax Description

deny	Indicates that traffic matching this MAC address does not match the MAC list and is subject to both authentication and authorization when specified in the aaa mac-exempt command. You might need to add a deny entry to the MAC list if you permit a range of MAC addresses using a MAC address mask such as ffff.ffff.0000, and you want to force a MAC address in that range to be authenticated and authorized.
id	Specifies a hexadecimal MAC access list number. To group a set of MAC addresses, enter the mac-list command as many times as needed with the same ID value. The order of entries matters, because the packet uses the first entry it matches, as opposed to a best match scenario. If you have a permit entry, and you want to deny an address that is allowed by the permit entry, be sure to enter the deny entry before the permit entry.
mac	Specifies the source MAC address in 12-digit hexadecimal form; that is, nnnn.nnnn.nnnn
macmask	Specifies the portion of the MAC address that should be used for matching. For example, ffff.ffff.ffff matches the MAC address exactly. ffff.ffff.0000 matches only the first 8 digits.
permit	Indicates that traffic matching this MAC address matches the MAC list and is exempt from both authentication and authorization when specified in the aaa mac-exempt command.

Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	•	•	•	—

Command History

Release	Modification
Preexisting	This command was preexisting.

Usage Guidelines

To enable MAC address exemption from authentication and authorization, use the aaa mac-exempt command. You can only add one instance of the aaa mac-exempt command, so be sure that your MAC list includes all the MAC addresses you want to exempt. You can create multiple MAC lists, but you can only use one at a time.

Examples

The following example bypasses authentication for a single MAC address:

hostname(config)# mac-list abc permit 00a0.c95d.0282 ffff.ffff.ffff

hostname(config)# aaa mac-exempt match abc

The following entry bypasses authentication for all Cisco IP Phones, which have the hardware ID 0003.E3:

hostname(config)# mac-list acd permit 0003.E300.0000 FFFF.FF00.0000

hostname(config)# aaa mac-exempt match acd

The following example bypasses authentication for a a group of MAC addresses except for 00a0.c95d.02b2. Enter the deny statement before the permit statement, because 00a0.c95d.02b2 matches the permit statement as well, and if it is first, the deny statement will never be matched.

hostname(config)# mac-list 1 deny 00a0.c95d.0282 ffff.ffff.ffff

hostname(config)# mac-list 1 permit 00a0.c95d.0000 ffff.ffff.0000

hostname(config)# aaa mac-exempt match 1

Related Commands

Command	Description
aaa authentication	Enables user authentication.
aaa authorization	Enables user authorization services.
aaa mac-exempt	Exempts a list of MAC addresses from authentication and authorization.
clear configure mac-list	Removes a list of MAC addresses previously specified by the mac-list command.
show running-config mac-list	Displays a list of MAC addresses previously specified in the mac-list command.

mail-relay

To configure a local domain name, use the mail-relay command in parameters configuration mode. To disable this feature, use the no form of this command.

mail-relay domain_name action {drop-connection | log}

no mail-relay domain_name action {drop-connection | log}

Syntax Description

domain_name	Specifies the domain name.
drop-connection	Closes the connection.
log	Generates a system log message.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Parameters configuration	•	•	•	•	—

Command History

Release	Modification
7.2(1)	This command was introduced.

Examples

The following example shows how to configure a mail relay for a specific domain:

hostname(config)# policy-map type inspect esmtp esmtp_map

hostname(config-pmap)# parameters

hostname(config-pmap-p)# mail-relay mail action drop-connection

Related Commands

Command	Description
class	Identifies a class map name in the policy map.
class-map type inspect	Creates an inspection class map to match traffic specific to an application.
policy-map	Creates a Layer 3/4 policy map.
show running-config policy-map	Display all current policy map configurations.

management-access

To allow management access to an interface other than the one from which you entered the adaptive security appliance when using VPN, use the management-access command in global configuration mode. To disable management access, use the no form of this command.

management-access mgmt_if

no management-access mgmt_if

Syntax Description

mgmt_if

Specifies the name of the management interface you want to access when entering the adaptive security appliance from another interface.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	—	•	—	—

Command History

Release	Modification
Preexisting	This command was preexisting.

Usage Guidelines

This command allows you to connect to an interface other than the one you entered the adaptive security appliance from when using a full tunnel IPSec VPN or SSL VPN client (AnyConnect 2.x client, SVC 1.x) or across a site-to-site IPSec tunnel. For example, if you enter the adaptive security appliance from the outside interface, this command lets you connect to the inside interface using Telnet; or you can ping the inside interface when entering from the outside interface.

You can define only one management-access interface.

---

Note Do not apply a static NAT statement to the management access interface; if you do so, then remote VPN users will not be able to access the management interface.

---

Examples

The following example shows how to configure a firewall interface named "inside" as the management access interface:

hostname(config)# management-access inside

hostname(config)# show management-access

management-access inside

Related Commands

Command	Description
clear configure management-access	Removes the configuration of an internal interface for management access of the adaptive security appliance.
show management-access	Displays the name of the internal interface configured for management access.

management-only

To set an interface to accept management traffic only, use the management-only command in interface configuration mode. To allow through traffic, use the no form of this command.

management-only

no management-only

Syntax Description

This command has no arguments or keywords.

Defaults

The Management 0/0 interface on the ASA 5510 and higher adaptive security appliance is set to management-only mode by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Interface configuration	•	—	•	•	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

The ASA 5510 and higher adaptive security appliance includes a dedicated management interface called Management 0/0, which is meant to support traffic to the adaptive security appliance. However, you can configure any interface to be a management-only interface using the management-only command. Also, for Management 0/0, you can disable management-only mode so the interface can pass through traffic just like any other interface.

Transparent firewall mode allows only two interfaces to pass through traffic; however, on the ASA 5510 and higher adaptive security appliance, you can use the Management 0/0 interface (either the physical interface or a subinterface) as a third interface for management traffic. The mode is not configurable in this case and must always be management-only. You can also set the IP address of this interface in transparent mode if you want this interface to be on a different subnet from the management IP address, which is assigned to the adaptive security appliance or context, and not to individual interfaces.

Examples

The following example disables management-only mode on the management interface:

hostname(config)# interface management0/0

hostname(config-if)# no management-only

The following example enables management-only mode on a subinterface:

hostname(config)# interface gigabitethernet0/2.1

hostname(config-subif)# management-only

Related Commands

Command	Description
interface	Configures an interface and enters interface configuration mode.

map-name

To map a user-defined attribute name to a Cisco attribute name, use the map-name command in ldap-attribute-map configuration mode.

To remove this mapping, use the no form of this command.

map-name user-attribute-name Cisco-attribute-name

no map-name user-attribute-name Cisco-attribute-name

Syntax Description

Syntax DescriptionSyntax Description

user-attribute-name	Specifies the user-defined attribute name that you are mapping to the Cisco attribute.
Cisco-attribute-name	Specifies the Cisco attribute name that you are mapping to the user-defined name.

Defaults

By default, no name mappings exist.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
ldap-attribute-map configuration	•	•	•	•	—

Command History

Release	Modification
7.1(1)	This command was introduced.

Usage Guidelines

With the map-name command, you can create map yourown attribute names to Cisco attribute names. You can then bind the resulting attribute map to an LDAP server. Your typical steps would include:

1. Use the ldap attribute-map command in global configuration mode to create an unpopulated attribute map. This commands enters ldap-attribute-map mode.

2. Use the map-name and map-value commands in ldap-attribute-map mode to populate the attribute map.

3. Use the ldap-attribute-map command in aaa-server host mode to bind the attribute map to an LDAP server. Note the hyphen after "ldap" in this command.

---

Note To use the attribute mapping features correctly, you need to understand both the Cisco LDAP attribute names and values as well as the user-defined attribute names and values.

---

Examples

The following example commands map a user-defined attribute name Hours to the Cisco attribute name cVPN3000-Access-Hours in the LDAP attribute map myldapmap:

hostname(config)# ldap attribute-map myldapmap

hostname(config-ldap-attribute-map)# map-name Hours cVPN3000-Access-Hours

hostname(config-ldap-attribute-map)#

Within ldap-attribute-map mode, you can enter "?" to display the complete list of Cisco LDAP attribute names, as shown in the following example:

hostname(config-ldap-attribute-map)# map-name ?

ldap mode commands/options:

cisco-attribute-names:

  cVPN3000-Access-Hours                                  

  cVPN3000-Allow-Network-Extension-Mode                  

  cVPN3000-Auth-Service-Type                             

  cVPN3000-Authenticated-User-Idle-Timeout               

  cVPN3000-Authorization-Required                        

  cVPN3000-Authorization-Type                            

	:

	:

  cVPN3000-X509-Cert-Data

hostname(config-ldap-attribute-map)# 

Related Commands

Command	Description
ldap attribute-map (global configuration mode)	Creates and names an LDAP attribute map for mapping user-defined attribute names to Cisco LDAP attribute names.
ldap-attribute-map (aaa-server host mode)	Binds an LDAP attribute map to an LDAP server.
map-value	Maps a user-defined attribute value to a Cisco attribute.
show running-config ldap attribute-map	Displays a specific running LDAP attribute map or all running attribute maps.
clear configure ldap attribute-map	Removes all LDAP attribute maps.

map-value

To map a user-defined value to a Cisco LDAP attribute, use the map-value command in ldap-attribute-map configuration mode. To delete an entry within a map, use the no form of this command.

map-value user-attribute-name user-value-string Cisco-value-string

no map-value user-attribute-name user-value-string Cisco-value-string

Syntax Description

cisco-value-string	Specifies the Cisco value string for the Cisco attribute.
user-attribute-name	Specifies the user-defined attribute name that you are mapping to the Cisco attribute name.
user-value-string	Specifies the user-defined value string that you are mapping to the Cisco attribute value.

Defaults

By default, there are no user-defined values mapped to Cisco attributes.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
ldap-attribute-map configuration	•	•	•	•	—

Command History

Release	Modification
7.1(1)	This command was introduced.

Usage Guidelines

With the map-value command, you can map your own attribute values to Cisco attribute names and values. You can tthen bind the resulting attribute map to an LDAP server. Your typical steps would include:

1. Use the ldap attribute-map command in global configuration mode to create an unpopulated attribute map. This commands enters ldap-attribute-map mode.

2. Use the map-name and map-value commands in ldap-attribute-map mode to populate the attribute map.

3. Use the ldap-attribute-map command in aaa-server host mode to bind the attribute map to an LDAP server. Note the hyphen after "ldap" in this command.

---

Note To use the attribute mapping features correctly, you need to understand both the Cisco LDAP attribute names and values as well as the user-defined attribute names and values.

---

Examples

The following example, entered in ldap-attribute-map mode, sets the user-defined value of the user attribute Hours to a user-defined time policy named workDay and a Cisco-defined time policy named Daytime:

hostname(config)# ldap attribute-map myldapmap

hostname(config-ldap-attribute-map)# map-value Hours workDay Daytime

hostname(config-ldap-attribute-map)#

Related Commands

Command	Description
ldap attribute-map (global configuration mode)	Creates and names an LDAP attribute map for mapping user-defined attribute names to Cisco LDAP attribute names.
ldap-attribute-map (aaa-server host mode)	Binds an LDAP attribute map to an LDAP server.
map-name	Maps a user-defined LDAP attribute name with a Cisco LDAP attribute name.
show running-config ldap attribute-map	Displays a specific running LDAP attribute map or all running attribute maps.
clear configure ldap attribute-map	Removes all LDAP maps.

mask

When using the Modular Policy Framework, mask out part of the packet that matches a match command or class map by using the mask command in match or class configuration mode. This mask action is available in an inspection policy map (the policy-map type inspect command) for application traffic; however, not all applications allow this action. For example, you can you use mask command for the DNS application inspection to mask a header flag before allowing the traffic through the adaptive security appliance. To disable this action, use the no form of this command.

mask [log]

no mask [log]

Syntax Description

log	Logs the match. The system log message number depends on the application.

Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Match and class configuration	•	•	•	•	—

Command History

Release	Modification
7.2(1)	This command was introduced.

Usage Guidelines

An inspection policy map consists of one or more match and class commands. The exact commands available for an inspection policy map depends on the application. After you enter the match or class command to identify application traffic (the class command refers to an existing class-map type inspect command that in turn includes match commands), you can enter the mask command to mask part of the packet that matches the match command or class command.

When you enable application inspection using the inspect command in a Layer 3/4 policy map (the policy-map command), you can enable the inspection policy map that contains this action, for example, enter the inspect dns dns_policy_map command where dns_policy_map is the name of the inspection policy map.

Examples

The following example masks the RD and RA flags in the DNS header before allowing the traffic through the adaptive security appliance:

hostname(config-cmap)# policy-map type inspect dns dns-map1

hostname(config-pmap-c)# match header-flag RD

hostname(config-pmap-c)# mask log

hostname(config-pmap-c)# match header-flag RA

hostname(config-pmap-c)# mask log

Related Commands

Commands	Description
class	Identifies a class map name in the policy map.
class-map type inspect	Creates an inspection class map to match traffic specific to an application.
policy-map	Creates a Layer 3/4 policy map.
policy-map type inspect	Defines special actions for application inspection.
show running-config policy-map	Display all current policy map configurations.

mask-banner

To obfuscate the server banner, use the mask-banner command in parameters configuration mode. To disable this feature, use the no form of this command.

mask-banner

no mask-banner

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Parameters configuration	•	•	•	•	—

Command History

Release	Modification
7.2(1)	This command was introduced.

Examples

The following example shows how to mask the server banner:

hostname(config)# policy-map type inspect esmtp esmtp_map

hostname(config-pmap)# parameters

hostname(config-pmap-p)# mask-banner

Related Commands

Command	Description
class	Identifies a class map name in the policy map.
class-map type inspect	Creates an inspection class map to match traffic specific to an application.
policy-map	Creates a Layer 3/4 policy map.
show running-config policy-map	Display all current policy map configurations.

mask-syst-reply

To hide the FTP server response from clients, use the mask-syst-reply command in FTP map configuration mode, which is accessible by using the ftp-map command. To remove the configuration, use the no form of this command.

mask-syst-reply

no mask-syst-reply

Syntax Description

This command has no arguments or keywords.

Defaults

This command is enabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
FTP map configuration	•	•	•	•	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

Use the mask-syst-reply command with strict FTP inspection to protect the FTP server system from clients. After enabling this command, the servers replies to the syst command are replaced by a series of Xs.

Examples

The following example causes the adaptive security appliance to replace the FTP server replies to the syst command with Xs:

hostname(config)# ftp-map inbound_ftp

hostname(config-ftp-map)# mask-syst-reply

hostname(config-ftp-map)#

Commands	Description
class-map	Defines the traffic class to which to apply security actions.
ftp-map	Defines an FTP map and enables FTP map configuration mode.
inspect ftp	Applies a specific FTP map to use for application inspection.
policy-map	Associates a class map with specific security actions.
request-command deny	Specifies FTP commands to disallow.

match access-list

When using the Modular Policy Framework, use an access list to identify traffic to which you want to apply actions by using the match access-list command in class-map configuration mode. To remove the match access-list command, use the no form of this command.

match access-list access_list_name

no match access-list access_list_name

Syntax Description

access_list_name

Specifies the name of an access list to be used as match criteria.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Class-map configuration	•	•	•	•	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

Configuring Modular Policy Framework consists of four tasks:

1. Identify the Layer 3 and 4 traffic to which you want to apply actions using the class-map command.

After you enter the class-map command, you can enter the match access-list command to identify the traffic. Alternatively, you can enter a different type of match command, such as the match port command. You can only include one match access-list command in the class map, and you cannot combine it with other types of match commands. The exception is if you define the match default-inspection-traffic command which matches the default TCP and UDP ports used by all applications that the adaptive security appliance can inspect, then you can narrow the traffic to match using a match access-list command. Because the match default-inspection-traffic command specifies the ports to match, any ports in the access list are ignored.

2. (Application inspection only) Define special actions for application inspection traffic using the policy-map type inspect command.

3. Apply actions to the Layer 3 and 4 traffic using the policy-map command.

4. Activate the actions on an interface using the service-policy command.

Examples

The following example creates three Layer 3/4 class maps that match three access lists:

hostname(config)# access-list udp permit udp any any

hostname(config)# access-list tcp permit tcp any any

hostname(config)# access-list host_foo permit ip any 10.1.1.1 255.255.255.255

hostname(config)# class-map all_udp

hostname(config-cmap)# description "This class-map matches all UDP traffic"

hostname(config-cmap)# match access-list udp

hostname(config-cmap)# class-map all_tcp

hostname(config-cmap)# description "This class-map matches all TCP traffic"

hostname(config-cmap)# match access-list tcp

hostname(config-cmap)# class-map to_server

hostname(config-cmap)# description "This class-map matches all traffic to server 10.1.1.1"

hostname(config-cmap)# match access-list host_foo

Related Commands

Command	Description
class-map	Creates a Layer 3/4 class map.
clear configure class-map	Removes all class maps.
match any	Includes all traffic in the class map.
match port	Identifies a specific port number in a class map.
show running-config class-map	Displays the information about the class map configuration.

match active-ftp

To configure a match condition for the active FTP traffic commands PORT and EPRT for FTP transfer, use the match active-ftp command in class-map or policy-map configuration mode. To remove the match condition, use the no form of this command.

match [not] active-ftp

no match [not] active-ftp

Syntax Description

There are no arguments or keywords for this command.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Class-map or policy map configuration	•	•	•	•	—

Command History

Release	Modification
8.2(1)	This command was introduced.

Usage Guidelines

This command can be configured in an FTP class map or policy map. Only one entry can be entered in a FTP class map.

Strict FTP inspection must be used for this functionality to be available. See the strict keyword in the inspect ftp command for more information.

Examples

The following settings globally deny all active FTP traffic by resetting the connection, permitting, and logging all passive FTP connections:

hostname(config)# class-map inspection_default

hostname(config-cmap)# match default-inspection-traffic

hostname(config-cmap)# exit

hostname(config)# policy-map type inspect ftp inspect-strict-ftp

hostname(config-pmap)# parameters

hostname(config-pmap-p)# match active-ftp 

hostname(config-pmap-p)# reset

hostname(config-pmap-p)# match passive-ftp

hostname(config-pmap-p)# reset log

hostname(config-pmap-p)# exit

hostname(config)# policy-map global_policy

hostname(config-pmap)# class inspection_default

hostname(config-pmap-c)# inspect ftp strict inspect-strict-ftp

hostname(config-pmap-c)# exit

hostname(config)# service-policy global_policy global

Related Commands

Command	Description
class-map	Creates a Layer 3/4 class map.
clear configure class-map	Removes all class maps.
match any	Includes all traffic in the class map.
match port	Identifies a specific port number in a class map.
show running-config class-map	Displays the information about the class map configuration.

match any

When using the Modular Policy Framework, match all traffic to which you want to apply actions by using the match any command in class-map configuration mode. To remove the match any command, use the no form of this command.

match any

no match any

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Class-map configuration	•	•	•	•	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

Configuring Modular Policy Framework consists of four tasks:

1. Identify the Layer 3 and 4 traffic to which you want to apply actions using the class-map command.

After you enter the class-map command, you can enter the match any command to identify all traffic. Alternatively, you can enter a different type of match command, such as the match port command. You cannot combine the match any command with other types of match commands.

2. (Application inspection only) Define special actions for application inspection traffic using the policy-map type inspect command.

3. Apply actions to the Layer 3 and 4 traffic using the policy-map command.

4. Activate the actions on an interface using the service-policy command.

Examples

This example shows how to define a traffic class using a class map and the match any command:

hostname(config)# class-map cmap

hostname(config-cmap)# match any

Related Commands

Command	Description
class-map	Creates a Layer 3/4 class map.
clear configure class-map	Removes all class maps.
match access-list	Matches traffic according to an access list.
match port	Identifies a specific port number in a class map.
show running-config class-map	Displays the information about the class map configuration.

match apn

To configure a match condition for an access point name in GTP messages, use the match apn command in class-map or policy-map configuration mode. To remove the match condition, use the no form of this command.

match [not] apn regex [regex_name | class regex_class_name]

no match [not] apn regex [regex_name | class regex_class_name]

Syntax Description

regex_name	Specifies a regular expression.
class regex_class_name	Specifies a regular expression class map.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Class-map or policy map configuration	•	•	•	•	—

Command History

Release	Modification
7.2(1)	This command was introduced.

Usage Guidelines

This command can be configured in a GTP class map or policy map. Only one entry can be entered in a GTP class map.

Examples

The following example shows how to configure a match condition for an access point name in an GTP inspection class map:

hostname(config-cmap)# match apn class gtp_regex_apn

Related Commands

Command	Description
class-map	Creates a Layer 3/4 class map.
clear configure class-map	Removes all class maps.
match any	Includes all traffic in the class map.
match port	Identifies a specific port number in a class map.
show running-config class-map	Displays the information about the class map configuration.

match body

To configure a match condition on the length or length of a line of an ESMTP body message, use the match body command in class-map or policy-map configuration mode. To remove a configured section, use the no form of this command.

match [not] body [length | line length] gt bytes

no match [not] body [length | line length] gt bytes

Syntax Description

length	Specifies the length of an ESMTP body message.
line length	Specifies the length of a line of an ESMTP body message.
bytes	Specifies the number to match in bytes.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Class-map or policy map configuration	•	•	•	•	—

Command History

Release	Modification
7.2(1)	This command was introduced.

Examples

The following example shows how to configure a match condition for a body line length in an ESMTP inspection policy map:

hostname(config)# policy-map type inspect esmtp esmtp_map

hostname(config-pmap)# match body line length gt 1000

Related Commands

Command	Description
class-map	Creates a Layer 3/4 class map.
clear configure class-map	Removes all class maps.
match any	Includes all traffic in the class map.
match port	Identifies a specific port number in a class map.
show running-config class-map	Displays the information about the class map configuration.

match called-party

To configure a match condition on the H.323 called party, use the match called-party command in policy-map configuration mode. To disable this feature, use the no form of this command.

match [not] called-party [regex regex]

no match [not] match [not] called-party [regex regex]

Syntax Description

regex regex

Specifies to match on the regular expression.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Policy map configuration	•	•	•	•	—

Command History

Release	Modification
7.2(1)	This command was introduced.

Examples

The following example shows how to configure a match condition for the called party in an H.323 inspection class map:

hostname(config-cmap)# match called-party regex caller1

Related Commands

Command	Description
class-map	Creates a Layer 3/4 class map.
clear configure class-map	Removes all class maps.
match any	Includes all traffic in the class map.
match port	Identifies a specific port number in a class map.
show running-config class-map	Displays the information about the class map configuration.

match calling-party

To configure a match condition on the H.323 calling party, use the match calling-party command in policy-map configuration mode. To disable this feature, use the no form of this command.

match [not] calling-party [regex regex]

no match [not] match [not] calling-party [regex regex]

Syntax Description

regex regex

Specifies to match on the regular expression.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Policy map configuration	•	•	•	•	—

Command History

Release	Modification
7.2(1)	This command was introduced.

Examples

The following example shows how to configure a match condition for the calling party in an H.323 inspection class map:

hostname(config-cmap)# match calling-party regex caller1

Related Commands

Command	Description
class-map	Creates a Layer 3/4 class map.
clear configure class-map	Removes all class maps.
match any	Includes all traffic in the class map.
match port	Identifies a specific port number in a class map.
show running-config class-map	Displays the information about the class map configuration.

match certificate

During the PKI certificate validation process, the adaptive security appliance checks certificate revocation status to maintain security. It can use either CRL checking or Online Certificate Status Protocol (OCSP) to accomplish this task. With CRL checking, the adaptive security appliance retrieves, parses, and caches Certificate Revocation Lists, which provide a complete list of revoked certificates. OCSP offers a more scalable method of checking revocation status in that it localizes certificate status on a Validation Authority, which it queries for the status of a specific certificate.

Certificate match rules let you configure OCSP URL overrides, which specify a URL to check for revocation status, rather than the URL in the AIA field of the remote user certificate. Match rules also let you configure trustpoints to use to validate OCSP responder certificates, which lets the adaptive security appliance validate responder certificates from any CA, including self-signed certificates and certificates external to the validation path of the client certificate.

To configure a certificate match rule, use the match certificate command in crypto ca trustpoint mode. To remove the rule from the configuration, use the no form of this command.

match certificate map-name override ocsp [trustpoint trustpoint-name] seq-num url URL

no match certificate map-name override ocsp

Syntax Description

map-name	Specifies the name of the certificate map to match to this rule. You must configure the certificate map prior to configuring a match rule. Maximum 65 characters.
match certificate	Specifies the certificate map for this match rule.
override ocsp	Specifies that the purpose of the rule is to override an OCSP URL in a certificate.
seq-num	Sets the priority for this match rule. Range is 1 to 10000. The adaptive security appliance evaluates the match rule with the lowest sequence number first, followed by higher numbers until it finds a match.
trustpoint	(Optional) Specifies using a trustpoint for verifying the OCSP responder certificate.
trustpoint-name	(Optional) Identifies the trustpoint. to use with the override to validate responder certificates.
url	Specifies accessing a URL for OCSP revocation status.
URL	Identifies the URL to access for OCSP revocation status.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
crypto ca trustpoint mode	•	•	•	•	•

Command History

Release	Modification
7.2(1)	This command was introduced.

Usage Guidelines

Be aware of the following tips when configuring OCSP:

•You can configure multiple match rules within a trustpoint configuration, but you can have only one match rule for each crypto ca certificate map. You can, however, configure multiple crypto ca certificate maps and associate them with the same trustpoint.

•You must configure the certificate map before configuring a match rule.

•To configure a trustpoint to validate a self-signed OCSP responder certificates, you import the self-signed responder certificate into its own trustpoint as a trusted CA certificate. Then you configure the match certificate command in the client certificate validating trustpoint to use the trustpoint that contains the self-signed OCSP responder certificate to validate the responder certificate. The same applies for validating responder certificates external to the validation path of the client certificate.

•A trustpoint can validate both the client certificate and the responder certificate if the same CA issues both of them. But if different CAs issue the client and responder certificates, you need to configure two trustpoints, one trustpoint for each certificate.

•The OCSP server (responder) certificate typically signs the OCSP response. After receiving the response, the adaptive security appliance tries to verify the responder certificate. The CA normally sets the lifetime of its OCSP responder certificate to a relatively short period to minimize the chance of it being compromised.The CA typically also includes an ocsp-no-check extension in the responder certificate indicating that this certificate does not need revocation status checking. But if this extension is not present, the adaptive security appliance tries to check its revocation status using the same method specified in the trustpoint. If the responder certificate is not verifiable, revocation checks fails. To avoid this possibility, configure revocation-check none in the responder certificate validating trustpoint, while configuring revocation-check ocsp for the client certificate.

•If the adaptive security appliance does not find a match, it uses the URL in the ocsp url command. If you have not configured the ocsp url command, it uses the AIA field of the remote user certificate. If the certificate does not have an AIA extension, revocation status checking fails.

Examples

The following example shows how to create a certificate match rule for a trustpoint called newtrust. The rule has a map name called mymap, sequence number of 4, a trustpoint called mytrust, and specifies a URL of 10.22.184.22.

hostname(config)# crypto ca trustpoint newtrust

hostname(config-ca-trustpoint)# match certificate mymap override ocsp trustpoint mytrust 4 
url 10.22.184.22

hostname(config-ca-trustpoint)#

The next example shows step-by-step how to configure a crypto ca certificate map, and then a match certificate rule to identify a trustpoint that contains a CA certificate to validate the responder certificate. This is necessary if the CA identified in the newtrust trustpoint does not issue an OCSP responder certificate.

---

Step 1 Configure the certificate map that identifies the client certificates to which the map rule applies. In this example the name of the certificate map is mymap and the sequence number is 1. Any client certificate with a subject-name that contains a CN attribute equal to mycert matches the mymap entry.

hostname(config)# crypto ca certificate map mymap 1 subject-name attr cn eq mycert

hostname(config-ca-cert-map)# subject-name attr cn eq mycert

hostname(config-ca-cert-map)#

Step 2 Configure a trustpoint that contains the CA certificate to use to validate the OCSP responder certificate. In the case of self-signed certificates, this is the self-signed certificate itself, which is imported and locally trusted. You can also obtain a certificate for this purpose through external CA enrollment. When prompted to do so, paste in the CA certificate.

hostname(config-ca-cert-map)# exit

hostname(config)# crypto ca trustpoint mytrust

hostname(config-ca-trustpoint)# enroll terminal

hostname(config-ca-trustpoint)# crypto ca authenticate mytrust

Enter the base 64 encoded CA certificate.

End with the word "quit" on a line by itself

MIIBnjCCAQcCBEPOpG4wDQYJKoZIhvcNAQEEBQAwFzEVMBMGA1UEAxQMNjMuNjcu 
NzIuMTg4MB4XDTA2MDExODIwMjYyMloXDTA5MDExNzIwMjYyMlowFzEVMBMGA1UE 
AxQMNjMuNjcuNzIuMTg4MIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQDnXUHv 
7//x1xEAOYfUzJmH5sr/NuxAbA5gTUbYA3pcE0KZHt761N+/8xGxC3DIVB8u7T/b 
v8RqzqpmZYguveV9cLQK5tsxqW3DysMU/4/qUGPfkVZ0iKPCgpIAWmq2ojhCFPyx 
ywsDsjl6YamF8mpMoruvwOuaUOsAK6KO54vy0QIBAzANBgkqhkiG9w0BAQQFAAOB 
gQCSOihb2NH6mga2eLqEsFP1oVbBteSkEAm+NRCDK7ud1l3D6UC01EgtkJ81QtCk 
tvX2T2Y/5sdNW4gfueavbyqYDbk4yxCKaofPp1ffAD9rrUFQJM1uQX14wclPCcAN 
e7kR+rscOKYBSgVHrseqdB8+6QW5NF7f2dd+tSMvHtUMNw== 
quit

INFO: Certificate has the following attributes:

Fingerprint:     7100d897 05914652 25b2f0fc e773df42 

Do you accept this certificate? [yes/no]: y

Trustpoint CA certificate accepted.

% Certificate successfully imported

Step 3 Configure the original trustpoint, newtrust, with OCSP as the revocation checking method. Then set a match rule that includes the certificate map, mymap, and the self-signed trustpoint, mytrust, configured in Step 2.

hostname(config)# crypto ca trustpoint newtrust

hostname(config-ca-trustpoint)# enroll terminal

hostname(config-ca-trustpoint)# crypto ca authenticate newtrust

Enter the base 64 encoded CA certificate.

End with the word "quit" on a line by itself

ywsDsjl6YamF8mpMoruvwOuaUOsAK6KO54vy0QIBAzANBgkqhkiG9w0BAQQFAAOB 
gQCSOihb2NH6mga2eLqEsFP1oVbBteSkEAm+NRCDK7ud1l3D6UC01EgtkJ81QtCk 
AxQMNjMuNjcuNzIuMTg4MIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQDnXUHv 
7//x1xEAOYfUzJmH5sr/NuxAbA5gTUbYA3pcE0KZHt761N+/8xGxC3DIVB8u7T/b

gQCSOihb2NH6mga2eLqEsFP1oVbBteSkEAm+NRCDK7ud1l3D6UC01EgtkJ81QtCk 
tvX2T2Y/5sdNW4gfueavbyqYDbk4yxCKaofPp1ffAD9rrUFQJM1uQX14wclPCcAN 
NzIuMTg4MB4XDTA2MDExODIwMjYyMloXDTA5MDExNzIwMjYyMlowFzEVMBMGA1UE 
OPIBnjCCAQcCBEPOpG4wDQYJKoZIhvcNAQEEBQAwFzEVMBMGA1UEAxQMNjMuNjcu 
e7kR+rscOKYBSgVHrseqdB8+6QW5NF7f2dd+tSMvHtUMNw== 
quit

INFO: Certificate has the following attributes:

Fingerprint:     9508g897 82914638 435f9f0fc x9y2p42 

Do you accept this certificate? [yes/no]: y

Trustpoint CA certificate accepted.

% Certificate successfully imported

hostname(config)# crypto ca trustpoint newtrust

hostname(config-ca-trustpoint)# revocation-check ocsp

hostname(config-ca-trustpoint)# match certificate mymap override ocsp trustpoint mytrust 4 
url 10.22.184.22

Any connection that uses the newtrust trustpoint for client certificate authentication checks to see if the client certificate matches the attribute rules specified in the mymap certificate map. If so, the adaptive security appliance accesses the OCSP responder at 10.22.184.22 for certificate revocation status. It then uses the mytrust trustpoint to validate the responder certificate.

---

Note The newtrust trustpoint is configured to perform revocation checking via OCSP for the client certificates. However, the mytrust trustpoint is configured for the default revocation-check method which is none, so no revocation checking is performed on the OCSP responder certificate.

---

Related Commands

Command	Description
crypto ca certificate map	Creates crypto ca certificate maps. Use this command in global configuration mode.
crypto ca trustpoint	Enters crypto ca trustpoint mode. Use this command in global configuration mode.
ocsp disable-nonce	Disables the nonce extension of the OCSP request.
ocsp url	Specifies the OCSP server to use to check all certificates associated with a trustpoint.
revocation-check	Specifies the method(s) to use for revocation checking, and the order in which to try them.

match cmd

To configure a match condition on the ESMTP command verb, use the match cmd command in policy-map configuration mode. To disable this feature, use the no form of this command.

match [not] cmd [verb verb | line length gt bytes | RCPT count gt recipients_number]

no match [not] cmd [verb verb | line length gt bytes | RCPT count gt recipients_number]

Syntax Description

verb verb	Specifies the ESMTP command verb.
line length gt bytes	Specifies the length of a line.
RCPT count gt recipients_number	Specifies the number of recipient email addresses.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Policy map configuration	•	•	•	•	—

Command History

Release	Modification
7.2(1)	This command was introduced.

Examples

The following example shows how to configure a match condition in an ESMTP inspection policy map for the verb (method) NOOP exchanged in the ESMTP transaction:

hostname(config-pmap)# match cmd verb NOOP

Related Commands

Command	Description
class-map	Creates a Layer 3/4 class map.
clear configure class-map	Removes all class maps.
match any	Includes all traffic in the class map.
match port	Identifies a specific port number in a class map.
show running-config class-map	Displays the information about the class map configuration.

match default-inspection-traffic

To specify default traffic for the inspect commands in a class map, use the match default-inspection-traffic command in class-map configuration mode. To remove this specification, use the no form of this command.

match default-inspection-traffic

no match default-inspection-traffic

Syntax Description

This command has no arguments or keywords.

Defaults

See the Usage Guidelines section for the default traffic of each inspection.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Class-map configuration	•	•	•	•	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

The match commands are used to identify the traffic included in the traffic class for a class map. They include different criteria to define the traffic included in a class-map. Define a traffic class using the class-map global configuration command as part of configuring a security feature using Modular Policy Framework. From class-map configuration mode, you can define the traffic to include in the class using the match command.

After a traffic class is applied to an interface, packets received on that interface are compared to the criteria defined by the match statements in the class map. If the packet matches the specified criteria, it is included in the traffic class and is subjected to any actions associated with that traffic class. Packets that do not match any of the criteria in any traffic class are assigned to the default traffic class.

Using the match default-inspection-traffic command, you can match default traffic for the individual inspect commands. The match default-inspection-traffic command can be used in conjunction with one other match command, which is typically an access-list in the form of permit ip src-ip dst-ip.

The rule for combining a second match command with the match default-inspection-traffic command is to specify the protocol and port information using the match default-inspection-traffic command and specify all other information (such as IP addresses) using the second match command. Any protocol or port information specified in the second match command is ignored with respect to the inspect commands.

For instance, port 65535 specified in the example below is ignored:

hostname(config)# class-map cmap

hostname(config-cmap)# match default-inspection-traffic

hostname(config-cmap)# match port 65535

Default traffic for inspections are as follows:

Inspection Type	Protocol Type	Source Port	Destination Port
ctiqbe	tcp	N/A	1748
dcerpc	tcp	N/A	135
dns	udp	53	53
ftp	tcp	N/A	21
gtp	udp	2123,3386	2123,3386
h323 h225	tcp	N/A	1720
h323 ras	udp	N/A	1718-1719
http	tcp	N/A	80
icmp	icmp	N/A	N/A
ils	tcp	N/A	389
im	tcp	N/A	1-65539
ipsec-pass-thru	udp	N/A	500
mgcp	udp	2427,2727	2427,2727
netbios	udp	137-138	N/A
rpc	udp	111	111
rsh	tcp	N/A	514
rtsp	tcp	N/A	554
sip	tcp,udp	N/A	5060
skinny	tcp	N/A	2000
smtp	tcp	N/A	25
sqlnet	tcp	N/A	1521
tftp	udp	N/A	69
xdmcp	udp	177	177

Examples

The following example shows how to define a traffic class using a class map and the match default-inspection-traffic command:

hostname(config)# class-map cmap

hostname(config-cmap)# match default-inspection-traffic

hostname(config-cmap)# 

Related Commands

Command	Description
class-map	Applies a traffic class to an interface.
clear configure class-map	Removes all of the traffic map definitions.
match access-list	Identifies access list traffic within a class map.
match any	Includes all traffic in the class map.
show running-config class-map	Displays the information about the class map configuration.

match dns-class

To configure a match condition for the Domain System Class in a DNS Resource Record or Question section, use the match dns-class command in class-map or policy-map configuration mode. To remove a configured class, use the no form of this command.

match [not] dns-class {eq c_well_known | c_val} {range c_val1 c_val2}

no match [not] dns-class {eq c_well_known | c_val} {range c_val1 c_val2}

Syntax Description

eq	Specifies an exact match.
c_well_known	Specifies DNS class by well-known name, IN.
c_val	Specifies an arbitrary value in the DNS class field (0-65535).
range	Specifies a range.
c_val1 c_val2	Specifies values in a range match. Each value between 0 and 65535.

Defaults

This command is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Class-map or policy map configuration	•	•	•	•	—

Command History

Release	Modification
7.2(1)	This command was introduced.

Usage Guidelines

By default, this command inspects all fields (questions and RRs) of a DNS message and matches the specified class. Both DNS query and response are examined.

The match can be narrowed down to the question portion of a DNS query by the following two commands: match not header-flag QR and match question.

This command can be configured within a DNS class map or policy map. Only one entry can be entered within a DNS class-map.

Examples

The following example shows how to configure a match condition for a DNS class in a DNS inspection policy map:

hostname(config)# policy-map type inspect dns preset_dns_map

hostname(config-pmap)# match dns-class eq IN

Related Commands

Command	Description
class-map	Creates a Layer 3/4 class map.
clear configure class-map	Removes all class maps.
match any	Includes all traffic in the class map.
match port	Identifies a specific port number in a class map.
show running-config class-map	Displays the information about the class map configuration.

match dns-type

To configure a match condition for a DNS type, including Query type and RR type, use the match dns-type command in class-map or policy-map configuration mode. To remove a configured dns type, use the no form of this command.

match [not] dns-type {eq t_well_known | t_val} {range t_val1 t_val2}

no match [not] dns-type {eq t_well_known | t_val} {range t_val1 t_val2}

Syntax Description

eq	Specifies an exact match.
t_well_known	Specifies DNS type by well-known name: A, NS, CNAME, SOA, TSIG, IXFR, or AXFR.
t_val	Specifies an arbitrary value in the DNS type field (0-65535).
range	Specifies a range.
t_val1 t_val2	Specifies values in a range match. Each value between 0 and 65535.

Defaults

This command is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Class-map or policy map configuration	•	•	•	•	—

Command History

Release	Modification
7.2(1)	This command was introduced.

Usage Guidelines

By default, this command inspects all sections of a DNS message (questions and RRs) and matches the specified type. Both DNS query and response are examined.

The match can be narrowed down to the question portion of a DNS query by the following two commands: match not header-flag QR and match question.

This command can be configured within a DNS class map or policy map. Only one entry can be entered within a DNS class-map.

Examples

The following example shows how to configure a match condition for a DNS type in a DNS inspection policy map:

hostname(config)# policy-map type inspect dns preset_dns_map

hostname(config-pmap)# match dns-type eq a

Related Commands

Command	Description
class-map	Creates a Layer 3/4 class map.
clear configure class-map	Removes all class maps.
match any	Includes all traffic in the class map.
match port	Identifies a specific port number in a class map.
show running-config class-map	Displays the information about the class map configuration.

match domain-name

To configure a match condition for a DNS message domain name list, use the match domain-name command in class-map or policy-map configuration mode. To remove a configured section, use the no form of this command.

match [not] domain-name regex regex_id

match [not] domain-name regex class class_id

no match [not] domain-name regex regex_id

no match [not] domain-name regex class class_id

Syntax Description

regex	Specifies a regular expression.
regex_id	Specifies the regular expression ID.
class	Specifies the class map that contains multiple regular expression entries.
class_id	Specifies the regular expression class map ID.

Defaults

This command is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Class-map or policy map configuration	•	•	•	•	—

Command History

Release	Modification
7.2(1)	This command was introduced.

Usage Guidelines

This command matches domain names in the DNS message against predefined list. Compressed domain names will be expanded before matching. The match condition can be narrowed down to a particular field in conjunction with other DNS match commands.

This command can be configured within a DNS class map or policy map. Only one entry can be entered within a DNS class-map.

Examples

The following example shows how to match the DNS domain name in a DNS inspection policy map:

hostname(config)# policy-map type inspect dns preset_dns_map

hostname(config-pmap)# match domain-name regex

Related Commands

Command	Description
class-map	Creates a Layer 3/4 class map.
clear configure class-map	Removes all class maps.
match any	Includes all traffic in the class map.
match port	Identifies a specific port number in a class map.
show running-config class-map	Displays the information about the class map configuration.

match dscp

To identify the IETF-defined DSCP value (in an IP header) in a class map, use the match dscp command in class-map configuration mode. To remove this specification, use the no form of this command.

match dscp {values}

no match dscp {values}

Syntax Description

values

Specifies up to eight different the IETF-defined DSCP values in the IP header. Range is 0 to 63.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Class-map configuration	•	•	•	•	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

The match commands are used to identify the traffic included in the traffic class for a class map. They include different criteria to define the traffic included in a class-map. Define a traffic class using the class-map global configuration command as part of configuring a security feature using Modular Policy Framework. From class-map configuration mode, you can define the traffic to include in the class using the match command.

After a traffic class is applied to an interface, packets received on that interface are compared to the criteria defined by the match statements in the class map. If the packet matches the specified criteria, it is included in the traffic class and is subjected to any actions associated with that traffic class. Packets that do not match any of the criteria in any traffic class are assigned to the default traffic class.

Using the match dscp command, you can match the IETF-defined DSCP values in the IP header.

Examples

The following example shows how to define a traffic class using a class map and the match dscp command:

hostname(config)# class-map cmap

hostname(config-cmap)# match dscp af43 cs1 ef

hostname(config-cmap)# 

Related Commands

Command	Description
class-map	Applies a traffic class to an interface.
clear configure class-map	Removes all of the traffic map definitions.
match access-list	Identifies access list traffic within a class map.
match port	Specifies the TCP/UDP ports as the comparison criteria for packets received on that interface.
show running-config class-map	Displays the information about the class map configuration.

match ehlo-reply-parameter

To configure a match condition on the ESMTP ehlo reply parameter, use the match ehlo-reply-parameter command in policy-map configuration mode. To disable this feature, use the no form of this command.

match [not] ehlo-reply-parameter parameter

no match [not] ehlo-reply-parameter parameter

Syntax Description

parameter

Specifies the ehlo reply parameter.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Policy map configuration	•	•	•	•	—

Command History

Release	Modification
7.2(1)	This command was introduced.

Examples

The following example shows how to configure a match condition for an ehlo reply parameter in an ESMTP inspection policy map:

hostname(config)# policy-map type inspect esmtp esmtp_map

hostname(config-pmap)# match ehlo-reply-parameter auth

Related Commands

Command	Description
class-map	Creates a Layer 3/4 class map.
clear configure class-map	Removes all class maps.
match any	Includes all traffic in the class map.
match port	Identifies a specific port number in a class map.
show running-config class-map	Displays the information about the class map configuration.

match filename

To configure a match condition for a filename for FTP transfer, use the match filename command in class-map or policy-map configuration mode. To remove the match condition, use the no form of this command.

match [not] filename regex [regex_name | class regex_class_name]

no match [not] filename regex [regex_name | class regex_class_name]

Syntax Description

regex_name	Specifies a regular expression.
class regex_class_name	Specifies a regular expression class map.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Class-map or policy map configuration	•	•	•	•	—

Command History

Release	Modification
7.2(1)	This command was introduced.

Usage Guidelines

This command can be configured in an FTP class map or policy map. Only one entry can be entered in a FTP class map.

Examples

The following example shows how to configure a match condition for an FTP transfer filename in an FTP inspection class map:

hostname(config)# class-map type inspect ftp match-all ftp_class1

hostname(config-cmap)# description Restrict FTP users ftp1, ftp2, and ftp3 from accessing 
/root

hostname(config-cmap)# match username regex class ftp_regex_user

hostname(config-cmap)# match filename regex ftp-file

Related Commands

Command	Description
class-map	Creates a Layer 3/4 class map.
clear configure class-map	Removes all class maps.
match any	Includes all traffic in the class map.
match port	Identifies a specific port number in a class map.
show running-config class-map	Displays the information about the class map configuration.

match filetype

To configure a match condition for a filetype for FTP transfer, use the match filetype command in class-map or policy-map configuration mode. To remove the match condtion, use the no form of this command.

match [not] filetype regex [regex_name | class regex_class_name]

no match [not] filetype regex [regex_name | class regex_class_name]

Syntax Description

regex_name	Specifies a regular expression.
class regex_class_name	Specifies a regular expression class map.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Class-map or policy map configuration	•	•	•	•	—

Command History

Release	Modification
7.2(1)	This command was introduced.

Usage Guidelines

This command can be configured in an FTP class map or policy map. Only one entry can be entered in a FTP class map.

Examples

The following example shows how to configure a match condition for an FTP transfer filetype in an FTP inspection policy map:

hostname(config-pmap)# match filetype class regex ftp-regex-filetype

Related Commands

Command	Description
class-map	Creates a Layer 3/4 class map.
clear configure class-map	Removes all class maps.
match any	Includes all traffic in the class map.
match port	Identifies a specific port number in a class map.
show running-config class-map	Displays the information about the class map configuration.

match flow ip destination-address

To specify the flow IP destination address in a class map, use the match flow ip destination-address command in class-map configuration mode. To remove this specification, use the no form of this command.

match flow ip destination-address

no match flow ip destination-address

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Class-map configuration	•	•	•	•	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

The match commands are used to identify the traffic included in the traffic class for a class map. They include different criteria to define the traffic included in a class-map. Define a traffic class using the class-map global configuration command as part of configuring a security feature using Modular Policy Framework. From class-map configuration mode, you can define the traffic to include in the class using the match command.

After a traffic class is applied to an interface, packets received on that interface are compared to the criteria defined by the match statements in the class map. If the packet matches the specified criteria, it is included in the traffic class and is subjected to any actions associated with that traffic class. Packets that do not match any of the criteria in any traffic class are assigned to the default traffic class.

To enable flow-based policy actions on a tunnel group, use the match flow ip destination-address and match tunnel-group commands with the class-map, policy-map, and service-policy commands. The criteria to define flow is the destination IP address. All traffic going to a unique IP destination address is considered a flow. Policy action is applied to each flow instead of the entire class of traffic. QoS action police is applied using the match flow ip destination-address command. Use match tunnel-group to police every tunnel within a tunnel group to a specified rate.

Examples

The following example shows how to enable flow-based policing within a tunnel group and limit each tunnel to a specified rate:

hostname(config)# class-map cmap

hostname(config-cmap)# match tunnel-group

hostname(config-cmap)# match flow ip destination-address

hostname(config-cmap)# exit

hostname(config)# policy-map pmap

hostname(config-pmap)# class cmap

hostname(config-pmap)# police 56000

hostname(config-pmap)# exit

hostname(config)# service-policy pmap global

hostname(config)# 

Related Commands

Command	Description
class-map	Applies a traffic class to an interface.
clear configure class-map	Removes all of the traffic map definitions.
match access-list	Identifies access list traffic within a class map.
show running-config class-map	Displays the information about the class map configuration.
tunnel-group	Creates and manages the database of connection-specific records for VPN.

match header

To configure a match condition on the ESMTP header, use the match header command in policy-map configuration mode. To disable this feature, use the no form of this command.

match [not] header [[length | line length] gt bytes | to-fields count gt to_fields_number]

no match [not] header [[length | line length] gt bytes | to-fields count gt to_fields_number]

Syntax Description

length gt bytes	Specifies to match on the length of the ESMTP header message.
line length gt bytes	Specifies to match on the length of a line of an ESMTP header message.
to-fields count gt to_fields_number	Specifies to match on the number of To: fields.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Policy map configuration	•	•	•	•	—

Command History

Release	Modification
7.2(1)	This command was introduced.

Examples

The following example shows how to configure a match condition for a header in an ESMTP inspection policy map:

hostname(config)# policy-map type inspect esmtp esmtp_map

hostname(config-pmap)# match header length gt 512

Related Commands

Command	Description
class-map	Creates a Layer 3/4 class map.
clear configure class-map	Removes all class maps.
match any	Includes all traffic in the class map.
match port	Identifies a specific port number in a class map.
show running-config class-map	Displays the information about the class map configuration.

match header-flag

To configure a match condition for a DNS header flag, use the match header-flag command in class-map or policy-map configuration mode. To remove a configured header flag, use the no form of this command.

match [not] header-flag [eq] {f_well_known | f_value}

no match [not] header-flag [eq] {f_well_known | f_value}

Syntax Description

eq	Specifies an exact match. If not configured, specifies a match-all bit mask match.
f_well_known	Specifies DNS header flag bits by well-known name. Multiple flag bits may be entered and logically OR'd. QR (Query, note: QR=1, indicating a DNS response) AA (Authoritative Answer) TC (TrunCation) RD (Recursion Desired) RA (Recursion Available)
f_value	Specifies an arbitrary 16-bit value in hexidecimal form.

Defaults

This command is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Class-map or policy map configuration	•	•	•	•	—

Command History

Release	Modification
7.2(1)	This command was introduced.

Usage Guidelines

This command can be configured in a DNS class map or policy map. Only one entry can be entered in a DNS class map.

Examples

The following example shows how to configure a match condition for a DNS header flag in a DNS inspection policy map:

hostname(config)# policy-map type inspect dns preset_dns_map

hostname(config-pmap)# match header-flag AA

Related Commands

Command	Description
class-map	Creates a Layer 3/4 class map.
clear configure class-map	Removes all class maps.
match any	Includes all traffic in the class map.
match port	Identifies a specific port number in a class map.
show running-config class-map	Displays the information about the class map configuration.

match im-subscriber

To configure a match condition for a SIP IM subscriber, use the match im-subscriber command in class-map or policy-map configuration mode. To remove the match condtion, use the no form of this command.

match [not] im-subscriber regex [regex_name | class regex_class_name]

no match [not] im-subscriber regex [regex_name | class regex_class_name]

Syntax Description

regex_name	Specifies a regular expression.
class regex_class_name	Specifies a regular expression class map.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Class-map or policy map configuration	•	•	•	•	—

Command History

Release	Modification
7.2(1)	This command was introduced.

Usage Guidelines

This command can be configured in a SIP class map or policy map. Only one entry can be entered in a SIP class map.

Examples

The following example shows how to configure a match condition for a SIP IM subscriber in a SIP inspection class map:

hostname(config-cmap)# match im-subscriber regex class im_sender

Related Commands

Command	Description
class-map	Creates a Layer 3/4 class map.
clear configure class-map	Removes all class maps.
match any	Includes all traffic in the class map.
match port	Identifies a specific port number in a class map.
show running-config class-map	Displays the information about the class map configuration.

match invalid-recipients

To configure a match condition on the ESMTP invalid recipient address, use the match invalid-recipients command in policy-map configuration mode. To disable this feature, use the no form of this command.

match [not] invalid-recipients count gt number

no match [not] invalid-recipients count gt number

Syntax Description

count gt number

Specifies to match on the invalid recipient number.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Policy map configuration	•	•	•	•	—

Command History

Release	Modification
7.2(1)	This command was introduced.

Examples

The following example shows how to configure a match condition for invalid recipients count in an ESMTP inspection policy map:

hostname(config)# policy-map type inspect esmtp esmtp_map

hostname(config-pmap)# match invalid-recipients count gt 1000

Related Commands

Command	Description
class-map	Creates a Layer 3/4 class map.
clear configure class-map	Removes all class maps.
match any	Includes all traffic in the class map.
match port	Identifies a specific port number in a class map.
show running-config class-map	Displays the information about the class map configuration.

match ip address

To redistribute any routes that have a route address or match packet that is passed by one of the access lists specified, use the match ip address command in route-map configuration mode. To restore the default settings, use the no form of this command.

match ip address {acl...}

no match ip address {acl...}

Syntax Description

acl	Name an access list. Multiple access lists can be specified.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Route-map configuration	•	—	•	—	—

Command History

Release	Modification
Preexisting	This command was preexisting.

Usage Guidelines

The route-map global configuration command and the match and set configuration commands allow you to define the conditions for redistributing routes from one routing protocol into another. Each route-map command has match and set commands that are associated with it. The match commands specify the match criteria—the conditions under which redistribution is allowed for the current route-map command. The set commands specify the set actions—the particular redistribution actions to perform if the criteria that is enforced by the match commands are met. The no route-map command deletes the route map.

Examples

The following example shows how to redistribute internal routes:

hostname(config)# route-map name 

hostname(config-route-map)# match ip address acl_dmz1 acl_dmz2

Related Commands

Command	Description
match interface	Distributes distribute any routes that have their next hop out one of the interfaces specified,
match ip next-hop	Distributes any routes that have a next-hop router address that is passed by one of the access lists specified.
match metric	Redistributes routes with the metric specified.
route-map	Defines the conditions for redistributing routes from one routing protocol into another.
set metric	Specifies the metric value in the destination routing protocol for a route map.

match ip next-hop

To redistribute any routes that have a next-hop router address that is passed by one of the access lists specified, use the match ip next-hop command in route-map configuration mode. To remove the next-hop entry, use the no form of this command.

match ip next-hop {acl...} | prefix-list prefix_list

no match ip next-hop {acl...} | prefix-list prefix_list

Syntax Description

acl	Name of an ACL. Multiple ACLs can be specified.
prefix-list prefix_list	Name of prefix list.

Defaults

Routes are distributed freely, without being required to match a next-hop address.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Route-map configuration	•	—	•	—	—

Command History

Release	Modification
Preexisting	This command was preexisting.

Usage Guidelines

An ellipsis (...) in the command syntax indicates that your command input can include multiple values for the acl argument.

The route-map global configuration command and the match and set configuration commands allow you to define the conditions for redistributing routes from one routing protocol into another. Each route-map command has match and set commands that are associated with it. The match commands specify the match criteria—the conditions under which redistribution is allowed for the current route-map command. The set commands specify the set actions—the particular redistribution actions to perform if the criteria that is enforced by the match commands are met. The no route-map command deletes the route map.

The match route-map configuration command has multiple formats. You can enter the match commands in any order. All match commands must "pass" to cause the route to be redistributed according to the set actions given with the set commands. The no forms of the match commands remove the specified match criteria.

When you are passing routes through a route map, a route map can have several parts. Any route that does not match at least one match clause relating to a route-map command is ignored. To modify only some data, you must configure a second route map section and specify an explicit match.

Examples

The following example shows how to distribute routes that have a next-hop router address passed by access list acl_dmz1 or acl_dmz2:

hostname(config)# route-map name

hostname(config-route-map)# match ip next-hop acl_dmz1 acl_dmz2

Related Commands

Command	Description
match interface	Distributes distribute any routes that have their next hop out one of the interfaces specified.
match ip next-hop	Distributes any routes that have a next-hop router address that is passed by one of the access lists specified.
match metric	Redistributes routes with the metric specified.
route-map	Defines the conditions for redistributing routes from one routing protocol into another.
set metric	Specifies the metric value in the destination routing protocol for a route map.

match ip route-source

To redistribute routes that have been advertised by routers and access servers at the address that is specified by the ACLs, use the match ip route-source command in the route-map configuration mode. To remove the next-hop entry, use the no form of this command.

match ip route-source {acl...} | prefix-list prefix_list

no match ip route-source {acl...}

Syntax Description

acl	Name of an ACL. Multiple ACLs can be specified.
prefix_list	Name of prefix list.

Defaults

No filtering on a route source.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Route-map configuration	•	—	•	—	—

Command History

Release	Modification
Preexisting	This command was preexisting.

Usage Guidelines

An ellipsis (...) in the command syntax indicates that your command input can include multiple values for the access-list-name argument.

The route-map global configuration command and the match and set configuration commands allow you to define the conditions for redistributing routes from one routing protocol into another. Each route-map command has match and set commands that are associated with it. The match commands specify the match criteria—the conditions under which redistribution is allowed for the current route-map command. The set commands specify the set actions—the particular redistribution actions to perform if the criteria that is enforced by the match commands are met. The no route-map command deletes the route map.

The match route-map configuration command has multiple formats. You can enter the match commands in any order. All match commands must "pass" to cause the route to be redistributed according to the set actions given with the set commands. The no forms of the match commands remove the specified match criteria.

A route map can have several parts. Any route that does not match at least one match clause relating to a route-map command is ignored. To modify only some data, you must configure a second route map section and specify an explicit match. The next-hop and source-router address of the route are not the same in some situations.

Examples

The following example shows how to distribute routes that have been advertised by routers and access servers at the addresses specified by ACLs acl_dmz1 and acl_dmz2:

hostname(config)# route-map name 

hostname(config-route-map)# match ip route-source acl_dmz1 acl_dmz2

Related Commands

Command	Description
match interface	Distributes distribute any routes that have their next hop out one of the interfaces specified.
match ip next-hop	Distributes any routes that have a next-hop router address that is passed by one of the ACLs specified.
match metric	Redistributes routes with the metric specified.
route-map	Defines the conditions for redistributing routes from one routing protocol into another.
set metric	Specifies the metric value in the destination routing protocol for a route map.

match login-name

To configure a match condition for a client login name for instant messaging, use the match login-name command in class-map or policy-map configuration mode. To remove the match condition, use the no form of this command.

match [not] login-name regex [regex_name | class regex_class_name]

no match [not] login-name regex [regex_name | class regex_class_name]

Syntax Description

regex_name	Specifies a regular expression.
class regex_class_name	Specifies a regular expression class map.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Class-map or policy map configuration	•	•	•	•	—

Command History

Release	Modification
7.2(1)	This command was introduced.

Usage Guidelines

This command can be configured in an IM class map or policy map. Only one entry can be entered in a IM class map.

Examples

The following example shows how to configure a match condition for a client login name in an instant messaging class map:

hostname(config)# class-map type inspect im im_class

hostname(config-cmap)# match login-name regex login

Related Commands

Command	Description
class-map	Creates a Layer 3/4 class map.
clear configure class-map	Removes all class maps.
match any	Includes all traffic in the class map.
show running-config class-map	Displays the information about the class map configuration.

match media-type

To configure a match condition on the H.323 media type, use the match media-type command in policy-map configuration mode. To disable this feature, use the no form of this command.

match [not] media-type [audio | data | video]

no match [not] media-type [audio | data | video]

Syntax Description

audio	Specifies to match audio media type.
data	Specifies to match data media type.
video	Specifies to match video media type.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Policy map configuration	•	•	•	•	—

Command History

Release	Modification
7.2(1)	This command was introduced.

Examples

The following example shows how to configure a match condition for audio media type in an H.323 inspection class map:

hostname(config-cmap)# match media-type audio

Related Commands

Command	Description
class-map	Creates a Layer 3/4 class map.
clear configure class-map	Removes all class maps.
match any	Includes all traffic in the class map.
match port	Identifies a specific port number in a class map.
show running-config class-map	Displays the information about the class map configuration.

match message id

To configure a match condition for a GTP message ID, use the match message id command in class-map or policy-map configuration mode. To remove the match condition, use the no form of this command.

match [not] message id [message_id | range lower_range upper_range]

no match [not] message id [message_id | range lower_range upper_range]

Syntax Description

message_id	Specifies an alphanumeric identifier between 1 and 255.
range lower_range upper_range	Specifies a lower and upper range of IDs.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Class-map or policy map configuration	•	•	•	•	—

Command History

Release	Modification
7.2(1)	This command was introduced.

Usage Guidelines

This command can be configured in a GTP class map or policy map. Only one entry can be entered in a GTP class map.

Examples

The following example shows how to configure a match condition for a message ID in a GTP inspection class map:

hostname(config-cmap)# match message id 33

Related Commands

Command	Description
class-map	Creates a Layer 3/4 class map.
clear configure class-map	Removes all class maps.
match any	Includes all traffic in the class map.
match port	Identifies a specific port number in a class map.
show running-config class-map	Displays the information about the class map configuration.

match message length

To configure a match condition for a GTP message ID, use the match message length command in class-map or policy-map configuration mode. To remove the match condition, use the no form of this command.

match [not] message length min min_length max max_length

no match [not] message length min min_length max max_length

Syntax Description

min min_length	Specifies a minimum message ID length. Value is between 1 and 65536.
max max_length	Specifies a maximum message ID length. Value is between 1 and 65536.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Class-map or policy map configuration	•	•	•	•	—

Command History

Release	Modification
7.2(1)	This command was introduced.

Usage Guidelines

This command can be configured in a GTP class map or policy map. Only one entry can be entered in a GTP class map.

Examples

The following example shows how to configure a match condition for a message length in a GTP inspection class map:

hostname(config-cmap)# match message length min 8 max 200

Related Commands

Command	Description
class-map	Creates a Layer 3/4 class map.
clear configure class-map	Removes all class maps.
match any	Includes all traffic in the class map.
match port	Identifies a specific port number in a class map.
show running-config class-map	Displays the information about the class map configuration.

match message-path

To configure a match condition for the path taken by a SIP message as specified in the Via header field, use the match message-path command in class-map or policy-map configuration mode. To remove the match condtion, use the no form of this command.

match [not] message-path regex [regex_name | class regex_class_name]

no match [not] message-path regex [regex_name | class regex_class_name]

Syntax Description

regex_name	Specifies a regular expression.
class regex_class_name	Specifies a regular expression class map.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Class-map or policy map configuration	•	•	•	•	—

Command History

Release	Modification
7.2(1)	This command was introduced.

Usage Guidelines

This command can be configured in a SIP class map or policy map. Only one entry can be entered in a SIP class map.

Examples

The following example shows how to configure a match condition for the path taken by a SIP message in a SIP inspection class map:

hostname(config-cmap)# match message-path regex class sip_message

Related Commands

Command	Description
class-map	Creates a Layer 3/4 class map.
clear configure class-map	Removes all class maps.
match any	Includes all traffic in the class map.
match port	Identifies a specific port number in a class map.
show running-config class-map	Displays the information about the class map configuration.

match mime

To configure a match condition on the ESMTP mime encoding type, mime filename length, or mime file type, use the match mime command in policy-map configuration mode. To disable this feature, use the no form of this command.

match [not] mime [encoding type | filename length gt bytes | filetype regex]

no match [not] mime [encoding type | filename length gt bytes | filetype regex]

Syntax Description

encoding type	Specifies to match on the encoding type.
filename length gt bytes	Specifies to match on the filename length.
filetype regex	Specifies to match on the file type.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Policy map configuration	•	•	•	•	—

Command History

Release	Modification
7.2(1)	This command was introduced.

Examples

The following example shows how to configure a match condition for a mime filename length in an ESMTP inspection policy map:

hostname(config)# policy-map type inspect esmtp esmtp_map

hostname(config-pmap)# match mime filename length gt 255

Related Commands

Command	Description
class-map	Creates a Layer 3/4 class map.
clear configure class-map	Removes all class maps.
match any	Includes all traffic in the class map.
match port	Identifies a specific port number in a class map.
show running-config class-map	Displays the information about the class map configuration.

match passive-ftp

To configure a match condition for the passive FTP traffic commands PASV and EPSV for FTP transfer, use the match active-ftp command in class-map or policy-map configuration mode. To remove the match condition, use the no form of this command.

match [not] passive-ftp

no match [not] passive-ftp

Syntax Description

There are no arguments or keywords for this command.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Class-map or policy map configuration	•	•	•	•	—

Command History

Release	Modification
8.2(1)	This command was introduced.

Usage Guidelines

This command can be configured in an FTP class map or policy map. Only one entry can be entered in a FTP class map.

Strict FTP inspection must be used for this functionality to be available. See the strict keyword in the inspect ftp command for more information.

Examples

The following settings globally deny all active FTP traffic by resetting the connection, permitting, and logging all passive FTP connections:

hostname(config)# class-map inspection_default

hostname(config-cmap)# match default-inspection-traffic

hostname(config-cmap)# exit

hostname(config)# policy-map type inspect ftp inspect-strict-ftp

hostname(config-pmap)# parameters

hostname(config-pmap-p)# match active-ftp 

hostname(config-pmap-p)# reset

hostname(config-pmap-p)# match passive-ftp

hostname(config-pmap-p)# reset log

hostname(config-pmap-p)# exit

hostname(config)# policy-map global_policy

hostname(config-pmap)# class inspection_default

hostname(config-pmap-c)# inspect ftp strict inspect-strict-ftp

hostname(config-pmap-c)# exit

hostname(config)# service-policy global_policy global

Related Commands

Command	Description
class-map	Creates a Layer 3/4 class map.
clear configure class-map	Removes all class maps.
match any	Includes all traffic in the class map.
match port	Identifies a specific port number in a class map.
show running-config class-map	Displays the information about the class map configuration.

match peer-ip-address

To configure a match condition for the peer IP address for instant messaging, use the match peer-ip-address command in class-map or policy-map configuration mode. To remove the match condition, use the no form of this command.

match [not] peer-ip-address ip_address ip_address_mask

no match [not] peer-ip-address ip_address ip_address_mask

Syntax Description

ip_address	Specifies a hostname or IP address of the client or server.
ip_address_mask	Specifies the netmask for the client or server IP address.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Class-map or policy map configuration	•	•	•	•	—

Command History

Release	Modification
7.2(1)	This command was introduced.

Usage Guidelines

This command can be configured in an IM class map or policy map. Only one entry can be entered in a IM class map.

Examples

The following example shows how to configure a match condition for the peer IP address in an instant messaging class map:

hostname(config)# class-map type inspect im im_class

hostname(config-cmap)# match peer-ip-address 10.1.1.0 255.255.255.0

Related Commands

Command	Description
class-map	Creates a Layer 3/4 class map.
clear configure class-map	Removes all class maps.
match any	Includes all traffic in the class map.
show running-config class-map	Displays the information about the class map configuration.

match peer-login-name

To configure a match condition for the peer login name for instant messaging, use the match peer-login-name command in class-map or policy-map configuration mode. To remove the match condition, use the no form of this command.

match [not] peer-login-name regex [regex_name | class regex_class_name]

no match [not] peer-login-name regex [regex_name | class regex_class_name]

Syntax Description

regex_name	Specifies a regular expression.
class regex_class_name	Specifies a regular expression class map.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Class-map or policy map configuration	•	•	•	•	—

Command History

Release	Modification
7.2(1)	This command was introduced.

Usage Guidelines

This command can be configured in an IM class map or policy map. Only one entry can be entered in a IM class map.

Examples

The following example shows how to configure a match condition for the peer login name in an instant messaging class map:

hostname(config)# class-map type inspect im im_class

hostname(config-cmap)# match peer-login-name regex peerlogin

Related Commands

Command	Description
class-map	Creates a Layer 3/4 class map.
clear configure class-map	Removes all class maps.
match any	Includes all traffic in the class map.
show running-config class-map	Displays the information about the class map configuration.

match port

When using the Modular Policy Framework, match the TCP or UDP ports to which you want to apply actions by using the match port command in class-map configuration mode. To remove the match port command, use the no form of this command.

match port {tcp | udp} {eq port | range beg_port end_port}

no match port {tcp | udp} {eq port | range beg_port end_port}

Syntax Description

eq port	Specifies a single port name or number.
range beg_port end_port	Specifies beginning and ending port range values between 1 and 65535.
tcp	Specifies a TCP port.
udp	Specifies a UDP port.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Class-map configuration	•	•	•	•	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

Configuring Modular Policy Framework consists of four tasks:

1. Identify the Layer 3 and 4 traffic to which you want to apply actions using the class-map or class-map type management command.

After you enter the class-map command, you can enter the matchport command to identify the traffic. Alternatively, you can enter a different type of match command, such as the match access-list command (the class-map type management command only allows the match port command). You can only include one match port command in the class map, and you cannot combine it with other types of match commands.

2. (Application inspection only) Define special actions for application inspection traffic using the policy-map type inspect command.

3. Apply actions to the Layer 3 and 4 traffic using the policy-map command.

4. Activate the actions on an interface using the service-policy command.

Examples

The following example shows how to define a traffic class using a class map and the match port command:

hostname(config)# class-map cmap

hostname(config-cmap)# match port tcp eq 8080

Related Commands

Command	Description
class-map	Creates a Layer 3/4 class map.
clear configure class-map	Removes all class maps.
match access-list	Matches traffic according to an access list.
match any	Includes all traffic in the class map.
show running-config class-map	Displays the information about the class map configuration.

match precedence

To specify a precedence value in a class map, use the match precedence command in class-map configuration mode. To remove this specification, use the no form of this command.

match precedence value

no match precedence value

Syntax Description

value

Specifies up to four precedence values separated by a space. Range is 0 to 7.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Class-map configuration	•	•	•	•	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

The match commands are used to identify the traffic included in the traffic class for a class map. They include different criteria to define the traffic included in a class-map. Define a traffic class using the class-map global configuration command as part of configuring a security feature using Modular Policy Framework. From class-map configuration mode, you can define the traffic to include in the class using the match command.

After a traffic class is applied to an interface, packets received on that interface are compared to the criteria defined by the match statements in the class map. If the packet matches the specified criteria, it is included in the traffic class and is subjected to any actions associated with that traffic class. Packets that do not match any of the criteria in any traffic class are assigned to the default traffic class.

Use the match precedence command to specify the value represented by the TOS byte in the IP header.

Examples

The following example shows how to define a traffic class using a class map and the match precedence command:

hostname(config)# class-map cmap

hostname(config-cmap)# match precedence 1

hostname(config-cmap)# 

Related Commands

Command	Description
class-map	Applies a traffic class to an interface.
clear configure class-map	Removes all of the traffic map definitions.
match access-list	Identifies access list traffic within a class map.
match any	Includes all traffic in the class map.
show running-config class-map	Displays the information about the class map configuration.

match protocol

To configure a match condition for a specific instant messaging protocol, such as MSN or Yahoo, use the match protocol command in class-map or policy-map configuration mode. To remove the match condition, use the no form of this command.

match [not] protocol {msn-im | yahoo-im}

no match [not] protocol {msn-im | yahoo-im}

Syntax Description

msn-im	Specifies to match the MSN instant messaging protocol.
yahoo-im	Specifies to match the Yahoo instant messaging protocol.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Class-map or policy map configuration	•	•	•	•	—

Command History

Release	Modification
7.2(1)	This command was introduced.

Usage Guidelines

This command can be configured in an IM class map or policy map. Only one entry can be entered in a IM class map.

Examples

The following example shows how to configure a match condition for the Yahoo instant messaging protocol in an instant messaging class map:

hostname(config)# class-map type inspect im im_class

hostname(config-cmap)# match protocol yahoo-im

Related Commands

Command	Description
class-map	Creates a Layer 3/4 class map.
clear configure class-map	Removes all class maps.
match any	Includes all traffic in the class map.
show running-config class-map	Displays the information about the class map configuration.

match question

To configure a match condition for a DNS question or resource record, use the match question command in class-map or policy-map configuration mode. To remove a configured section, use the no form of this command.

match {question | {resource-record answer | authority | additional}}

no match {question | {resource-record answer | authority | additional}}

Syntax Description