Cisco ASA 5500 Series Command Reference, 8.3
name -- override-account-disable

Table Of Contents

nac-policy through override-svc-download Commands

nac-policy
nac-settings
name
name (dynamic-filter blacklist or whitelist)
nameif
names
name-separator
name-server
nat (global)
nat (object)
nat (vpn load-balancing)
nat-rewrite
nbns-server (tunnel-group webvpn attributes mode)
nbns-server (webvpn mode)
neighbor
neighbor (EIGRP)
nem
network
network (EIGRP)
network-acl
network area
network-object
nop
nt-auth-domain-controller
ntp authenticate
ntp authentication-key
ntp server
ntp trusted-key
num-packets
object-group
object-group search
object network
object service
ocsp disable-nonce
ocsp url
onscreen-keyboard
ospf authentication
ospf authentication-key
ospf cost
ospf database-filter
ospf dead-interval
ospf hello-interval
ospf message-digest-key
ospf mtu-ignore
ospf network point-to-point non-broadcast
ospf priority
ospf retransmit-interval
ospf transmit-delay
otp expiration
outstanding
override-account-disable
override-svc-download


nac-policy through override-svc-download Commands


nac-policy

To create or access a Cisco Network Admission Control (NAC) policy, and specify its type, use the nac-policy command in global configuration mode. To remove the NAC policy from the configuration, use the no form of this command.

nac-policy nac-policy-name nac-framework

[no] nac-policy nac-policy-name nac-framework

Syntax Description

nac-policy-name

Name of the NAC policy. Enter a string of up to 64 characters to name the NAC policy. The show running-config nac-policy command displays the name and configuration of each NAC policy already present on the security appliance.

nac-framework

Specifies the use of a NAC framework to provide a network access policy for remote hosts. A Cisco Access Control Server must be present on the network to provide NAC Framework services for the adaptive security appliance.

If you specify this type, the prompt indicates you are in config-nac-policy-nac-framework configuration mode. This mode lets you configure the NAC Framework policy.


Defaults

This command has no default settings.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                Firewall Mode             Security Context
                            Routed   Transparent      Single   Multiple
                                                               Context   System

Global configuration


Command History

Release    Modification

8.0(2)     This command was introduced.


Usage Guidelines

Use this command once for each NAC Appliance to be assigned to a group policy. Then use the nac-settings command to assign the NAC policy to each applicable group policy. Upon the setup of an IPSec or Cisco AnyConnect VPN tunnel, the adaptive security appliance applies the NAC policy associated with the group policy in use.

You cannot use the no nac-policy name command to remove a NAC policy if it is already assigned to one or more group policies.

Examples

The following command creates and accesses a NAC Framework policy named nac-framework1:

hostname(config)# nac-policy nac-framework1 nac-framework
hostname(config-nac-policy-nac-framework)#

The following command removes the NAC Framework policy named nac-framework1 (the prompt stays in global configuration mode):

hostname(config)# no nac-policy nac-framework1
hostname(config)#

Related Commands

Command
Description

show running-config nac-policy

Displays the configuration of each NAC policy on the adaptive security appliance.

show nac-policy

Displays NAC policy usage statistics on the adaptive security appliance.

clear nac-policy

Resets the NAC policy usage statistics.

nac-settings

Assigns a NAC policy to a group policy.

clear configure nac-policy

Removes all NAC policies from the running configuration except for those that are assigned to group policies.


nac-settings

To assign a NAC policy to a group policy, use the nac-settings command in group-policy configuration mode, as follows:

nac-settings {value nac-policy-name | none}

[no] nac-settings {value nac-policy-name | none}

Syntax Description

nac-policy-name

NAC policy to be assigned to the group policy. The NAC policy you name must be present in the configuration of the adaptive security appliance. The show running-config nac-policy command displays the name and configuration of each NAC policy.

none

Removes the nac-policy-name from the group policy and disables the use of a NAC policy for this group policy. The group policy does not inherit the nac-settings value from the default group policy.

value

Assigns the NAC policy to be named to the group policy.


Defaults

This command has no arguments or keywords.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                Firewall Mode             Security Context
                            Routed   Transparent      Single   Multiple
                                                               Context   System

Group-policy configuration


Command History

Release    Modification

8.0(2)     This command was introduced.


Usage Guidelines

Use the nac-policy command to specify the name and type of the NAC policy, then use this command to assign it to a group policy.

The show running-config nac-policy command displays the name and configuration of each NAC policy.

The adaptive security appliance automatically enables NAC for a group policy when you assign a NAC policy to it.

Examples

The following command removes the nac-policy-name from the group policy. The group policy inherits the nac-settings value from the default group policy:

hostname(config-group-policy)# no nac-settings
hostname(config-group-policy)#

The following command removes the nac-policy-name from the group policy and disables the use of a NAC policy for this group policy. The group policy does not inherit the nac-settings value from the default group policy.

hostname(config-group-policy)# nac-settings none
hostname(config-group-policy)#

Related Commands

Command
Description

nac-policy

Creates and accesses a Cisco NAC policy, and specifies its type.

show running-config nac-policy

Displays the configuration of each NAC policy on the adaptive security appliance.

show nac-policy

Displays NAC policy usage statistics on the adaptive security appliance.

show vpn-session_summary.db

Displays the number of IPSec, WebVPN, and NAC sessions.

show vpn-session.db

Displays information about VPN sessions, including NAC results.


name

To associate a name with an IP address, use the name command in global configuration mode. To disable the use of the text names but not remove them from the configuration, use the no form of this command.

name ip_address name [description text]

no name ip_address [name [description text]]

Syntax Description

description

(Optional) Specifies a description for the IP address name.

ip_address

Specifies an IP address of the host that is named.

name

Specifies the name assigned to the IP address. Use characters a to z, A to Z, 0 to 9, a dash, and an underscore. The name must be 63 characters or less. Also, the name cannot start with a number.

text

Specifies the text for the description.


Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                Firewall Mode             Security Context
                            Routed   Transparent      Single   Multiple
                                                               Context   System

Global configuration


Command History

Release    Modification

7.0(1)     This command was introduced.

7.0(4)     This command was enhanced to include an optional description.

8.3(1)     You can no longer use a named IP address in a nat command or an access-list command; you must use object network names instead. Although network-object commands in an object group accept object network names, you can still also use a named IP address identified by the name command.


Usage Guidelines

To enable the association of a name with an IP address, use the names command. You can associate only one name with an IP address.

You must first use the names command before you use the name command. Use the name command immediately after you use the names command and before you use the write memory command.

The name command lets you identify a host by a text name and map text strings to IP addresses. The no name command allows you to disable the use of the text names but does not remove them from the configuration. Use the clear configure name command to clear the list of names from the configuration.

To disable displaying name values, use the no names command.

Both the name and names commands are saved in the configuration.

The name command does not support assigning a name to a network mask. For example, this command would be rejected:

hostname(config)# name 255.255.255.0 class-C-mask

Note: None of the commands in which a mask is required can process a name as an accepted network mask.


Examples

This example shows that the names command enables use of the name command. The name command substitutes sa_inside for references to 192.168.42.3 and sa_outside for 209.165.201.3. You can use these names with the ip address commands when assigning IP addresses to the network interfaces. The no names command stops the name values from being displayed; entering the names command again restores the display of name values.

hostname(config)# names
hostname(config)# name 192.168.42.3 sa_inside
hostname(config)# name 209.165.201.3 sa_outside
hostname(config-if)# ip address inside sa_inside 255.255.255.0
hostname(config-if)# ip address outside sa_outside 255.255.255.224
hostname(config)# show ip address
System IP Addresses:
inside ip address sa_inside mask 255.255.255.0
outside ip address sa_outside mask 255.255.255.224
hostname(config)# no names
hostname(config)# show ip address
System IP Addresses:
inside ip address 192.168.42.3 mask 255.255.255.0
outside ip address 209.165.201.3 mask 255.255.255.224
hostname(config)# names
hostname(config)# show ip address
System IP Addresses:
inside ip address sa_inside mask 255.255.255.0
outside ip address sa_outside mask 255.255.255.224
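The following Python script is an added illustration and is not part of the Cisco reference. It applies the documented name rules (allowed characters, 63-character limit, no leading digit, no network masks, only one name per IP address) to a constructed running-config excerpt, and shows how configuration lines display with names enabled versus after no names (the name entries stay in the configuration; only the display changes). The sample configuration and the netmask-detection heuristic are assumptions made for this example.

```python
import ipaddress
import re

# Constructed ASA running-config excerpt used as sample input; it is not the
# page's own example and deliberately contains entries the ASA would reject.
SAMPLE_CONFIG = """\
names
name 192.168.42.3 sa_inside description inside gateway
name 209.165.201.3 sa_outside
name 255.255.255.0 class-C-mask
name 10.0.0.7 7thfloor-printer
name 10.0.0.8 bad.name
name 192.168.42.3 sa_inside_alias
interface gigabitethernet0/1
 ip address sa_inside 255.255.255.0
"""

# Documented rules: a-z, A-Z, 0-9, dash and underscore; at most 63 characters;
# the name may not start with a digit.
NAME_RE = re.compile(r"^[A-Za-z_-][A-Za-z0-9_-]{0,62}$")


def looks_like_netmask(ip):
    """Heuristic (an assumption, not a documented ASA rule): a contiguous
    1...10...0 bit pattern that is neither 0.0.0.0 nor 255.255.255.255."""
    n = int(ipaddress.IPv4Address(ip))
    inv = ~n & 0xFFFFFFFF
    return n != 0 and inv != 0 and (inv & (inv + 1)) == 0


def check_name_entries(config):
    """Return (names, problems): the accepted name->IP map and a list of
    (line, reason) pairs for entries that violate the documented rules."""
    names, seen_ips, problems = {}, {}, []
    for raw in config.splitlines():
        line = raw.strip()
        parts = line.split()
        if len(parts) < 3 or parts[0] != "name":
            continue
        ip, name = parts[1], parts[2]
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            problems.append((line, "not an IPv4 address"))
            continue
        if looks_like_netmask(ip):
            problems.append((line, "names cannot be assigned to a network mask"))
        elif not NAME_RE.match(name):
            problems.append((line, "name violates character/length/leading-digit rules"))
        elif ip in seen_ips:
            problems.append((line, f"{ip} already named {seen_ips[ip]}; one name per IP"))
        else:
            names[name] = ip
            seen_ips[ip] = name
    return names, problems


def render(config, names_enabled):
    """Show non-name config lines the way the ASA displays them: with 'names'
    enabled the text names stay; after 'no names' each known name is shown as
    its IP address. The name entries themselves are left out of the listing."""
    names, _ = check_name_entries(config)
    out = []
    for raw in config.splitlines():
        if raw.split()[:1] == ["name"] or not raw.strip():
            continue
        if names_enabled:
            out.append(raw)
        else:
            out.append(" ".join(names.get(tok, tok) for tok in raw.split()))
    return out


if __name__ == "__main__":
    accepted, rejected = check_name_entries(SAMPLE_CONFIG)
    print("accepted:", accepted)
    for line, reason in rejected:
        print(f"rejected: {line!r}: {reason}")
    print("\n".join(render(SAMPLE_CONFIG, names_enabled=False)))
```

Running the script against a real configuration export (for example the output of show running-config name) is a quick way to spot entries that will be rejected or that silently collide on the same address.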

Related Commands

Command
Description

clear configure name

Clears the list of names from the configuration.

names

Enables the association of a name with an IP address.

show running-config name

Displays the names associated with an IP address.


name (dynamic-filter blacklist or whitelist)

To add a domain name to the Botnet Traffic Filter blacklist or whitelist, use the name command in dynamic-filter blacklist or whitelist configuration mode. To remove the name, use the no form of this command. The static database lets you augment the dynamic database with domain names or IP addresses that you want to whitelist or blacklist.

name domain_name

no name domain_name

Syntax Description

domain_name

Adds a domain name to the blacklist or whitelist, depending on the configuration mode you entered. You can enter this command multiple times for multiple entries. You can add up to 1000 blacklist entries.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                Firewall Mode             Security Context
                            Routed   Transparent      Single   Multiple
                                                               Context   System

Dynamic-filter blacklist or whitelist configuration


Command History

Release    Modification

8.2(1)     This command was introduced.


Usage Guidelines

After you enter the dynamic-filter whitelist or blacklist configuration mode, you can manually enter domain names or IP addresses (host or subnet) that you want to tag as good names in a whitelist or bad names in a blacklist using the address and name commands.

You can enter this command multiple times for multiple entries. You can add up to 1000 blacklist and 1000 whitelist entries.

When you add a domain name to the static database, the adaptive security appliance waits 1 minute, and then sends a DNS request for that domain name and adds the domain name/IP address pairing to the DNS host cache. (This action is a background process, and does not affect your ability to continue configuring the adaptive security appliance).

If you do not have a domain name server configured for the adaptive security appliance, or it is unavailable, then you can alternatively enable DNS packet inspection with Botnet Traffic Filter snooping (see the inspect dns dynamic-filter-snoop command). With DNS snooping, when an infected host sends a DNS request for a name on the static database, the adaptive security appliance looks inside the DNS packets for the domain name and associated IP address and adds the name and IP address to the DNS reverse lookup cache. See the inspect dns dynamic-filter-snoop command for information about the DNS reverse lookup cache.

Entries in the DNS host cache have a time to live (TTL) value provided by the DNS server. The largest TTL value allowed is 1 day (24 hours); if the DNS server provides a larger TTL, it is truncated to 1 day maximum.

For the DNS host cache, after an entry times out, the adaptive security appliance periodically requests a refresh for the entry.

Examples

The following example creates entries for the blacklist and whitelist:

hostname(config)# dynamic-filter blacklist
hostname(config-llist)# name bad1.example.com
hostname(config-llist)# name bad2.example.com
hostname(config-llist)# address 10.1.1.1 255.255.255.0
hostname(config-llist)# dynamic-filter whitelist
hostname(config-llist)# name good.example.com
hostname(config-llist)# name great.example.com
hostname(config-llist)# name awesome.example.com
hostname(config-llist)# address 10.1.1.2 255.255.255.255
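The following Python script is an added illustration, not Cisco code, of the static database behaviour described above: it parses the blacklist and whitelist blocks from a constructed running-config excerpt, checks the documented 1000-entry limit per list, matches a domain or IP address against the entries, and models the DNS host cache with the documented one-day cap on TTL values. The sample configuration, the decision to count name and address entries together against the limit, and the cache representation are assumptions made for this example.

```python
import ipaddress

MAX_ENTRIES = 1000            # documented limit for each of the two lists
MAX_TTL_SECONDS = 24 * 3600   # documented cap on a DNS host cache TTL (1 day)

# Constructed running-config excerpt (not the page's own example).
SAMPLE_CONFIG = """\
dynamic-filter blacklist
 name bad1.example.com
 name bad2.example.com
 address 10.1.1.1 255.255.255.0
dynamic-filter whitelist
 name good.example.com
 address 10.1.1.2 255.255.255.255
dynamic-filter enable
"""


def parse_static_database(config):
    """Collect the name and address entries of both lists from the indented
    blocks that follow 'dynamic-filter blacklist' / 'dynamic-filter whitelist'."""
    db = {"blacklist": {"names": [], "addresses": []},
          "whitelist": {"names": [], "addresses": []}}
    current = None
    for raw in config.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if not raw.startswith(" "):
            # A top-level command either opens one of the two lists or ends the block.
            current = db.get(parts[1]) if parts[0] == "dynamic-filter" and len(parts) > 1 else None
            continue
        if current is None:
            continue
        if parts[0] == "name" and len(parts) == 2:
            current["names"].append(parts[1].lower())
        elif parts[0] == "address" and len(parts) == 3:
            # 'address host mask' is kept as a network so IP lookups can match subnets
            current["addresses"].append(
                ipaddress.IPv4Network(f"{parts[1]}/{parts[2]}", strict=False))
    return db


def check_limits(db):
    """Report lists over the documented 1000-entry limit (assumption: names and
    addresses are counted together for a list)."""
    problems = []
    for list_name, lists in db.items():
        total = len(lists["names"]) + len(lists["addresses"])
        if total > MAX_ENTRIES:
            problems.append(f"{list_name}: {total} entries exceeds {MAX_ENTRIES}")
    return problems


def static_verdict(db, target):
    """Return the sorted names of the lists that contain target, which may be a
    domain name (matched case-insensitively) or an IPv4 address (matched
    against the address entries' networks)."""
    hits = []
    try:
        addr = ipaddress.IPv4Address(target)
    except ValueError:
        addr = None
    for list_name, lists in db.items():
        if addr is not None:
            if any(addr in net for net in lists["addresses"]):
                hits.append(list_name)
        elif target.lower() in lists["names"]:
            hits.append(list_name)
    return sorted(hits)


class DnsHostCache:
    """Models the DNS host cache: domain -> (ip, expiry). TTLs above one day
    are truncated to one day, as the reference states."""

    def __init__(self):
        self.entries = {}

    def add(self, domain, ip, ttl, now):
        """Store the pairing and return the TTL actually applied."""
        ttl = min(ttl, MAX_TTL_SECONDS)
        self.entries[domain.lower()] = (ip, now + ttl)
        return ttl

    def lookup(self, domain, now):
        """Return the cached IP, or None when no entry exists or it has timed
        out (a timed-out entry is what the appliance periodically refreshes)."""
        rec = self.entries.get(domain.lower())
        if rec is None or now >= rec[1]:
            return None
        return rec[0]


if __name__ == "__main__":
    database = parse_static_database(SAMPLE_CONFIG)
    print(database, check_limits(database))
    print(static_verdict(database, "10.1.1.77"), static_verdict(database, "good.example.com"))
```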

Related Commands

Command
Description

address

Adds an IP address to the blacklist or whitelist.

clear configure dynamic-filter

Clears the running Botnet Traffic Filter configuration.

clear dynamic-filter dns-snoop

Clears Botnet Traffic Filter DNS snooping data.

clear dynamic-filter reports

Clears Botnet Traffic filter report data.

clear dynamic-filter statistics

Clears Botnet Traffic filter statistics.

dns domain-lookup

Enables the adaptive security appliance to send DNS requests to a DNS server to perform a name lookup for supported commands.

dns server-group

Identifies a DNS server for the adaptive security appliance.

dynamic-filter blacklist

Edits the Botnet Traffic Filter blacklist.

dynamic-filter database fetch

Manually retrieves the Botnet Traffic Filter dynamic database.

dynamic-filter database find

Searches the dynamic database for a domain name or IP address.

dynamic-filter database purge

Manually deletes the Botnet Traffic Filter dynamic database.

dynamic-filter enable

Enables the Botnet Traffic Filter for a class of traffic or for all traffic if you do not specify an access list.

dynamic-filter updater-client enable

Enables downloading of the dynamic database.

dynamic-filter use-database

Enables use of the dynamic database.

dynamic-filter whitelist

Edits the Botnet Traffic Filter whitelist.

inspect dns dynamic-filter-snoop

Enables DNS inspection with Botnet Traffic Filter snooping.

name

Adds a name to the blacklist or whitelist.

show asp table dynamic-filter

Shows the Botnet Traffic Filter rules that are installed in the accelerated security path.

show dynamic-filter data

Shows information about the dynamic database, including when the dynamic database was last downloaded, the version of the database, how many entries the database contains, and 10 sample entries.

show dynamic-filter dns-snoop

Shows the Botnet Traffic Filter DNS snooping summary, or with the detail keyword, the actual IP addresses and names.

show dynamic-filter reports

Generates reports of the top 10 botnet sites, ports, and infected hosts.

show dynamic-filter statistics

Shows how many connections were monitored with the Botnet Traffic Filter, and how many of those connections match the whitelist, blacklist, and greylist.

show dynamic-filter updater-client

Shows information about the updater server, including the server IP address, the next time the adaptive security appliance will connect with the server, and the database version last installed.

show running-config dynamic-filter

Shows the Botnet Traffic Filter running configuration.


nameif

To provide a name for an interface, use the nameif command in interface configuration mode. To remove the name, use the no form of this command. The interface name is used in all configuration commands on the adaptive security appliance instead of the interface type and ID (such as gigabitethernet0/1), and is therefore required before traffic can pass through the interface.

nameif name

no nameif

Syntax Description

name

Sets a name up to 48 characters in length. The name is not case-sensitive.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                Firewall Mode             Security Context
                            Routed   Transparent      Single   Multiple
                                                               Context   System

Interface configuration


Command History

Release    Modification

7.0(1)     This command was changed from a global configuration command to an interface configuration mode command.


Usage Guidelines

For subinterfaces, you must assign a VLAN with the vlan command before you enter the nameif command.

You can change the name by reentering this command with a new value. Do not enter the no form, because that command causes all commands that refer to that name to be deleted.

Examples

The following example configures the names for two interfaces to be "inside" and "outside":

hostname(config)# interface gigabitethernet0/1
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface gigabitethernet0/0
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# ip address 10.1.2.1 255.255.255.0
hostname(config-if)# no shutdown

Related Commands

Command
Description

clear xlate

Resets all translations for existing connections, causing the connections to be reset.

interface

Configures an interface and enters interface configuration mode.

security-level

Sets the security level for the interface.

vlan

Assigns a VLAN ID to a subinterface.


names

To enable the association of a name with an IP address, use the names command in global configuration mode. You can associate only one name with an IP address. To disable displaying name values, use the no names command.

names

no names

Syntax Description

This command has no arguments or keywords.

Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                Firewall Mode             Security Context
                            Routed   Transparent      Single   Multiple
                                                               Context   System

Global configuration


Command History

Release    Modification

7.0(1)     This command was introduced.


Usage Guidelines

To enable the association of a name with an IP address, use the names command. You can associate only one name with an IP address.

You must first use the names command before you use the name command. Use the name command immediately after you use the names command and before you use the write memory command.

To disable displaying name values, use the no names command.

Both the name and names commands are saved in the configuration.

Examples

This example shows that the names command enables use of the name command. The name command substitutes sa_inside for references to 192.168.42.3 and sa_outside for 209.165.201.3. You can use these names with the ip address commands when assigning IP addresses to the network interfaces. The no names command stops the name values from being displayed; entering the names command again restores the display of name values.

hostname(config)# names
hostname(config)# name 192.168.42.3 sa_inside
hostname(config)# name 209.165.201.3 sa_outside
hostname(config-if)# ip address inside sa_inside 255.255.255.0
hostname(config-if)# ip address outside sa_outside 255.255.255.224
hostname(config)# show ip address
System IP Addresses:
inside ip address sa_inside mask 255.255.255.0
outside ip address sa_outside mask 255.255.255.224
hostname(config)# no names
hostname(config)# show ip address
System IP Addresses:
inside ip address 192.168.42.3 mask 255.255.255.0
outside ip address 209.165.201.3 mask 255.255.255.224
hostname(config)# names
hostname(config)# show ip address
System IP Addresses:
inside ip address sa_inside mask 255.255.255.0
outside ip address sa_outside mask 255.255.255.224

Related Commands

Command
Description

clear configure name

Clears the list of names from the configuration.

name

Associates a name with an IP address.

show running-config name

Displays a list of names associated with IP addresses.

show running-config names

Displays the IP address-to-name conversions.


name-separator

To specify a character as a delimiter between the e-mail and VPN username and password, use the name-separator command in the applicable e-mail proxy mode. To revert to the default, ":", use the no version of this command.

name-separator [symbol]

no name-separator

Syntax Description

symbol

(Optional) The character that separates the e-mail and VPN usernames and passwords. Choices are "@" (at), "|" (pipe), ":" (colon), "#" (hash), "," (comma), and ";" (semicolon).


Defaults

The default is ":" (colon).

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                Firewall Mode             Security Context
                            Routed   Transparent      Single   Multiple
                                                               Context   System

Pop3s

Imap4s

Smtps


Command History

Release    Modification

7.0(1)     This command was introduced.


Usage Guidelines

The name separator must be different from the server separator.

Examples

The following example shows how to set a hash (#) as the name separator for POP3S:

hostname(config)# pop3s
hostname(config-pop3s)# name-separator #

Related Commands

Command
Description

server-separator

Separates the e-mail and server names.


name-server

To identify one or more DNS servers, use the name-server command in dns server-group configuration mode. To remove a server or servers, use the no form of this command. The adaptive security appliance uses DNS to resolve server names in your SSL VPN configuration or certificate configuration (see "Usage Guidelines" for a list of supported commands). Other features that define server names (such as AAA) do not support DNS resolution. You must enter the IP address or manually resolve the name to an IP address by using the name command.

name-server ip_address [ip_address2] [...] [ip_address6]

no name-server ip_address [ip_address2] [...] [ip_address6]

Syntax Description

ip_address

Specifies the DNS server IP address. You can specify up to six addresses as separate commands, or for convenience, up to six addresses in one command separated by spaces. If you enter multiple servers in one command, the adaptive security appliance saves each server in a separate command in the configuration. The adaptive security appliance tries each DNS server in order until it receives a response.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                Firewall Mode             Security Context
                            Routed   Transparent      Single   Multiple
                                                               Context   System

dns server-group configuration


Command History

Release    Modification

7.1(1)     This command was introduced.


Usage Guidelines

To enable DNS lookup, configure the domain-name command in dns server-group configuration mode. If you do not enable DNS lookup, the DNS servers are not used.

SSL VPN commands that support DNS resolution include the following:

server (pop3s)

server (imap4s)

server (smtps)

port-forward

url-list

Certificate commands that support DNS resolution include the following:

enrollment url

url

You can manually enter names and IP addresses using the name command.

Examples

The following example adds three DNS servers to the group "dnsgroup1":

hostname(config)# dns server-group dnsgroup1
hostname(config-dns-server-group)# name-server 10.1.1.1 10.2.3.4 192.168.5.5

The adaptive security appliance saves the configuration as separate commands, as follows:

name-server 10.1.1.1
name-server 10.2.3.4
name-server 192.168.5.5

To add two additional servers, you can enter them as one command:

hostname(config)# dns server-group dnsgroup1
hostname(config-dns-server-group)# name-server 10.5.1.1 10.8.3.8

Or you can enter them as two separate commands:

hostname(config)# dns server-group dnsgroup1
hostname(config-dns-server-group)# name-server 10.5.1.1
hostname(config-dns-server-group)# name-server 10.8.3.8

To verify the dns server group configuration, enter the show running-config dns command in global configuration mode:

hostname(config)# show running-config dns
name-server 10.1.1.1
name-server 10.2.3.4
name-server 192.168.5.5
name-server 10.5.1.1
name-server 10.8.3.8
...

To delete multiple servers you can enter them as multiple commands or as one command, as follows:

hostname(config)# dns server-group dnsgroup1
hostname(config-dns-server-group)# no name-server 10.5.1.1 10.8.3.8
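The following Python model is an added example, not Cisco code, of the name-server behaviour described in this section: each address given on one line is stored as its own name-server entry, at most six servers belong to a group, removal accepts one or several addresses, and a lookup tries the servers in configured order until one responds. The handling of duplicate addresses and the try_server callback that stands in for a real DNS query are assumptions made for this example.

```python
import ipaddress

MAX_SERVERS = 6  # documented: up to six addresses per dns server-group


class DnsServerGroup:
    """Models a dns server-group: one stored name-server line per address,
    configured order preserved, at most six servers."""

    def __init__(self, name):
        self.name = name
        self.servers = []

    def name_server(self, *addresses):
        """Apply 'name-server a [b ...]' and return the entries that were
        rejected as (address, reason) pairs; accepted ones are stored one per line."""
        rejected = []
        for a in addresses:
            try:
                ipaddress.ip_address(a)
            except ValueError:
                rejected.append((a, "not an IP address"))
                continue
            if a in self.servers:  # assumption: a duplicate is not stored twice
                rejected.append((a, "already configured"))
            elif len(self.servers) >= MAX_SERVERS:
                rejected.append((a, f"limit of {MAX_SERVERS} servers reached"))
            else:
                self.servers.append(a)
        return rejected

    def no_name_server(self, *addresses):
        """Apply 'no name-server a [b ...]'; unknown addresses are ignored."""
        self.servers = [s for s in self.servers if s not in addresses]

    def running_config(self):
        """The lines 'show running-config dns' would list for this group."""
        return [f"name-server {s}" for s in self.servers]

    def resolve(self, query, try_server):
        """Query servers in configured order until one answers. try_server(server,
        query) stands in for the real lookup and returns an answer, or None when
        that server does not respond. Returns (answer, servers_tried)."""
        tried = []
        for s in self.servers:
            tried.append(s)
            answer = try_server(s, query)
            if answer is not None:
                return answer, tried
        return None, tried


if __name__ == "__main__":
    group = DnsServerGroup("dnsgroup1")
    group.name_server("10.1.1.1", "10.2.3.4", "192.168.5.5")
    print("\n".join(group.running_config()))
    # constructed resolver: the first server times out, the second answers
    print(group.resolve("vpn.example.com",
                        lambda s, q: None if s == "10.1.1.1" else "198.51.100.7"))
```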

Related Commands

Command
Description

domain-name

Sets the default domain name.

retries

Specifies the number of times to retry the list of DNS servers when the adaptive security appliance does not receive a response.

timeout

Specifies the amount of time to wait before trying the next DNS server.

show running-config dns server-group

Shows one or all the existing dns-server-group configurations.


nat (global)

To configure twice NAT, use the nat command in global configuration mode. To remove the twice NAT configuration, use the no form of this command.

For static NAT:

nat [(real_ifc,mapped_ifc)] [line | {after-auto [line]}]
source static {real_obj | any} {mapped_obj | interface | any}
[destination static {mapped_obj | interface} {real_obj | any}]
[service {real_src_mapped_dest_svc_obj | any} mapped_src_real_dest_svc_obj] [dns] [unidirectional] [inactive] [description desc]

no nat [(real_ifc,mapped_ifc)] [line | {after-auto [line]}]
source static {real_obj | any} {mapped_obj | interface | any}
[destination static {mapped_obj | interface} {real_obj | any}]
[service {real_src_mapped_dest_svc_obj | any} mapped_src_real_dest_svc_obj] [dns] [unidirectional] [inactive] [description desc]

For dynamic NAT:

nat [(real_ifc,mapped_ifc)] [line | {after-auto [line]}]
source dynamic {real_obj | any} {mapped_obj [interface] | interface}
[destination static {mapped_obj | interface} {real_obj | any}]
[service mapped_dest_svc_obj real_dest_svc_obj] [dns] [unidirectional] [inactive] [description desc]

no nat [(real_ifc,mapped_ifc)] [line | {after-auto [line]}]
source dynamic {real_obj | any} {mapped_obj [interface] | interface}
[destination static {mapped_obj | interface} {real_obj | any}]
[service mapped_dest_svc_obj real_dest_svc_obj] [dns] [unidirectional] [inactive] [description desc]

or

no nat {line | after-auto line}

Syntax Description

(real_ifc,mapped_ifc)

(Optional) Specifies the real and mapped interfaces. If you do not specify the real and mapped interfaces, all interfaces are used. You can also specify the keyword any for one or both of the interfaces. In transparent mode, you must specify the real and mapped interfaces; you cannot use any.

Because twice NAT can translate both the source and destination addresses, these interfaces are better understood to be the source and destination interfaces.

after-auto

Inserts the rule at the end of section 3 of the NAT table, after the network object NAT rules. By default, twice NAT rules are added to section 1. You can insert a rule anywhere in section 3 using the line argument.

any

(Optional) Specifies a wildcard value. The main uses for any are:

Interfaces—You can use any for one or both interfaces ((any,outside), for example). If you do not specify the interfaces, then any is the default. any is not available in transparent mode.

Static NAT source real and mapped IP addresses—You can specify source static any any to enable identity NAT for all addresses.

Dynamic NAT or PAT source real addresses—You can translate all addresses on the source interface by specifying source dynamic any mapped_obj.

For static NAT, although any is also available for the real source port/mapped destination port, or for the source or destination real address (without any as the mapped address), these uses might result in unpredictable behavior.

description desc

(Optional) Provides a description up to 200 characters.

destination

(Optional) Configures translation for the destination address. Although the main feature of twice NAT is the inclusion of the destination IP address, the destination address is optional. If you do specify the destination address, you can configure static translation for that address or just use identity NAT for it. You might want to configure twice NAT without a destination address to take advantage of some of the other qualities of twice NAT, including the use of network object groups for real addresses, or manually ordering of rules. For more information, see the Cisco ASA 5500 Series Configuration Guide using the CLI.

dns

(Optional) Translates DNS replies. Be sure DNS inspection is enabled (inspect dns) (it is enabled by default). You cannot configure the dns keyword if you configure a destination address. See the Cisco ASA 5500 Series Configuration Guide using the CLI for more information.

dynamic

Configures dynamic NAT or PAT for the source addresses. The destination translation is always static.

inactive

(Optional) To make this rule inactive without having to remove the command, use the inactive keyword. To reactivate it, reenter the whole command without the inactive keyword.

interface

(Optional) Uses the interface IP address as the mapped address.

For the dynamic NAT source mapped address, if you specify a mapped object or group followed by the interface keyword, then the IP address of the mapped interface is only used if all other mapped addresses are already allocated.

For dynamic PAT, you can specify interface alone for the source mapped address.

For static NAT with port translation (source or destination), be sure to also configure the service keyword.

For this option, you must configure a specific interface for the mapped_ifc.

This option is not available in transparent mode.

line

(Optional) Inserts a rule anywhere in section 1 of the NAT table. By default, the NAT rule is added to the end of section 1 (see the Cisco ASA 5500 Series Configuration Guide using the CLI for more information). If you want to add the rule into section 3 instead (after the network object NAT rules), then use the after-auto line option.

mapped_dest_svc_obj

(Optional) For dynamic NAT/PAT, specifies the mapped destination port (the destination translation is always static). See the service keyword for more information.

mapped_obj

Identifies the mapped network object or object group (object network or object-group network).

For dynamic NAT, you typically configure a larger group of addresses to be mapped to a smaller group.

Note: The mapped object or group cannot contain a subnet.

You can share this mapped IP address across different dynamic NAT rules, if desired.

For dynamic PAT, configure a group of addresses to be mapped to a single address. You can either translate the real addresses to a single mapped address of your choosing, or you can translate them to the mapped interface address. If you want to use the interface address, do not configure a network object for the mapped address; instead use the interface keyword.

For static NAT, the mapping is typically one-to-one, so the real addresses have the same quantity as the mapped addresses. You can, however, have different quantities if desired. For more information, see the Cisco ASA 5500 Series Configuration Guide using the CLI.

mapped_src_real_dest_svc_obj

(Optional) For static NAT, specifies either the mapped source port, the real destination port, or both together. See the service keyword for more information.

real_dest_svc_obj

(Optional) For dynamic NAT/PAT, specifies the real destination port (the destination translation is always static). See the service keyword for more information.

real_ifc

(Optional) Specifies the name of the interface where packets may originate. For the source option, the real_ifc is the real interface. For the destination option, the real_ifc is the mapped interface.

real_object

Identifies the real network object or object group (object network or object-group network).

real_src_mapped_dest_svc_obj

(Optional) For static NAT, specifies either the real source port, the mapped destination port, or both together. See the service keyword for more information.

service

(Optional) Specifies the port translation.

Dynamic NAT and PAT—Dynamic NAT and PAT do not support (additional) port translation. However, because the destination translation is always static, you can perform port translation for the destination port. A service object (object service) can contain both a source and destination port, but only the destination port is used in this case. If you specify the source port, it will be ignored.

Static NAT with port translation—You should specify either the source or the destination port for both service objects. You should only specify both the source and destination ports if your application uses a fixed source port (such as some DNS servers); but fixed source ports are rare.

For source port translation, the objects must specify the source service. The order of the service objects in the command in this case is service real mapped. For destination port translation, the objects must specify the destination service. The order of the service objects in this case is service mapped real. In the rare case where you specify both the source and destination ports in the object, the first service object contains the real source port/mapped destination port; the second service object contains the mapped source port/real destination port. See the "Usage Guidelines" section for more information about "source" and "destination" terminology.

For identity port translation, simply use the same service object for both the real and mapped ports (source and/or destination ports, depending on your configuration). The "not equal" (neq) operator is not supported.

NAT only supports TCP or UDP. When translating a port, be sure the protocols in the real and mapped service objects are identical (both TCP or both UDP).

source

Configures translation for the source address.

static

Configures static NAT or static NAT with port translation.

unidirectional

(Optional) For static NAT, makes the translation unidirectional from the source to the destination; the destination addresses cannot initiate traffic to the source addresses. This option might be useful for testing purposes.


Defaults

By default, the rule is added to the end of section 1 of the NAT table.

The default value of real_ifc and mapped_ifc is any, which applies the rule to all interfaces.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

8.3(1)

This command was introduced.


Usage Guidelines

Twice NAT lets you identify both the source and destination address in a single rule. Specifying both the source and destination addresses lets you specify that a source address should be translated to A when going to destination X, but be translated to B when going to destination Y, for example.


Note For static NAT, the rule is bidirectional, so be aware that "source" and "destination" are used in commands and descriptions throughout this guide even though a given connection might originate at the "destination" address. For example, if you configure static NAT with port translation, and specify the source address as a Telnet server, and you want all traffic going to that Telnet server to have the port translated from 2323 to 23, then in the command, you must specify the source ports to be translated (real: 23, mapped: 2323). You specify the source ports because you specified the Telnet server address as the source address.


The destination address is optional. If you specify the destination address, you can either map it to itself (identity NAT), or you can map it to a different address. The destination mapping is always a static mapping.

Twice NAT also lets you use service objects for static NAT with port translation; network object NAT only accepts inline definition.

For detailed information about the differences between twice NAT and network object NAT, see the Cisco ASA 5500 Series Configuration Guide using the CLI.

Twice NAT rules are added to section 1 of the NAT rules table, or if specified, section 3. For more information about NAT ordering, see the Cisco ASA 5500 Series Configuration Guide using the CLI.

Mapped Address Guidelines

The mapped IP address pool cannot include:

The mapped interface IP address. If you specify any interface for the rule, then all interface IP addresses are disallowed. For interface PAT (routed mode only), use the interface keyword instead of the IP address.

(Transparent mode) The management IP address.

(Dynamic NAT) The standby interface IP address when VPN is enabled.

Existing VPN pool addresses.

Prerequisites

For both the real and mapped addresses, configure network objects or network object groups (the object network or object-group network command). Network object groups are particularly useful for creating a mapped address pool with discontinuous IP address ranges or multiple hosts or subnets.

For static NAT with port translation, configure TCP or UDP service objects (the object service command).

Objects and object groups used in NAT cannot be undefined; they must include IP addresses.

Clearing Translation Sessions

If you change the NAT configuration, and you do not want to wait for existing translations to time out before the new NAT information is used, you can clear the translation table using clear xlate command. However, clearing the translation table disconnects all of the current connections.

Examples

The following example includes a host on the 10.1.2.0/24 network that accesses two different servers. When the host accesses the server at 209.165.201.11, the real address is translated to 209.165.202.129:port. When the host accesses the server at 209.165.200.225, the real address is translated to 209.165.202.130:port.

hostname(config)# object network myInsideNetwork
hostname(config-network-object)# subnet 10.1.2.0 255.255.255.0
hostname(config)# object network DMZnetwork1
hostname(config-network-object)# subnet 209.165.201.0 255.255.255.224
hostname(config)# object network PATaddress1
hostname(config-network-object)# host 209.165.202.129

hostname(config)# nat (inside,dmz) source dynamic myInsideNetwork PATaddress1 destination static DMZnetwork1 DMZnetwork1

hostname(config)# object network DMZnetwork2
hostname(config-network-object)# subnet 209.165.200.224 255.255.255.224
hostname(config)# object network PATaddress2
hostname(config-network-object)# host 209.165.202.130

hostname(config)# nat (inside,dmz) source dynamic myInsideNetwork PATaddress2 destination static DMZnetwork2 DMZnetwork2

The following example shows the use of source and destination ports. The host on the 10.1.2.0/24 network accesses a single host for both web services and Telnet services. When the host accesses the server for Telnet services, the real address is translated to 209.165.202.129:port. When the host accesses the same server for web services, the real address is translated to 209.165.202.130:port.

hostname(config)# object network myInsideNetwork
hostname(config-network-object)# subnet 10.1.2.0 255.255.255.0
hostname(config)# object network TelnetWebServer
hostname(config-network-object)# host 209.165.201.11
hostname(config)# object network PATaddress1
hostname(config-network-object)# host 209.165.202.129
hostname(config)# object service TelnetObj
hostname(config-service-object)# service tcp destination eq telnet

hostname(config)# nat (inside,outside) source dynamic myInsideNetwork PATaddress1 destination static TelnetWebServer TelnetWebServer service TelnetObj TelnetObj

hostname(config)# object network PATaddress2
hostname(config-network-object)# host 209.165.202.130
hostname(config)# object service HTTPObj
hostname(config-service-object)# service tcp destination eq http

hostname(config)# nat (inside,outside) source dynamic myInsideNetwork PATaddress2 destination static TelnetWebServer TelnetWebServer service HTTPObj HTTPObj

The following example shows the use of static interface NAT with port translation. Hosts on the outside access an FTP server on the inside by connecting to the outside interface IP address with destination port 65000 through 65004. The traffic is untranslated to the internal FTP server at 192.168.10.100:65000 through :65004. Note that you specify the source port range in the service object (and not the destination port) because you want to translate the source address and port as identified in the command; the destination port is "any." Because static NAT is bidirectional, "source" and "destination" refer primarily to the command keywords; the actual source and destination address and port in a packet depend on which host sent the packet. In this example, connections are originated from outside to inside, so the "source" address and port of the FTP server are actually the destination address and port in the originating packet.

hostname(config)# object service FTP_PASV_PORT_RANGE
hostname(config-service-object)# service tcp source range 65000 65004
hostname(config)# object network HOST_FTP_SERVER
hostname(config-network-object)# host 192.168.10.100

hostname(config)# nat (inside,outside) source static HOST_FTP_SERVER interface service FTP_PASV_PORT_RANGE FTP_PASV_PORT_RANGE
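The following model is an added example, not Cisco code: a small Python simulator of section 1 (twice NAT) lookup that reproduces the paired source/destination rules from the first example and the bidirectional static NAT with port translation from the FTP example, including the unidirectional keyword and first-match ordering. The outside interface address 203.0.113.1 and all packets are constructed; destination clauses are modeled as identity mappings, as in the examples.

```python
"""Model of ASA twice NAT (section 1) lookup; added example, not Cisco code."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

# Hypothetical outside interface address; the "interface" keyword resolves to it.
OUTSIDE_IP = IPv4Address("203.0.113.1")

@dataclass(frozen=True)
class PortRange:
    lo: int
    hi: int

    def __contains__(self, port: int) -> bool:
        return self.lo <= port <= self.hi

@dataclass(frozen=True)
class TwiceNatRule:
    real_ifc: str
    mapped_ifc: str
    kind: str                                   # "dynamic" (PAT to one address) or "static"
    real_src: IPv4Network                       # real_object
    mapped_src: IPv4Address                     # PAT address, static host, or interface address
    dst_net: Optional[IPv4Network] = None       # "destination static X X" (identity), if present
    real_src_ports: Optional[PortRange] = None  # "service real mapped": real source ports
    mapped_src_ports: Optional[PortRange] = None
    unidirectional: bool = False                # static only: mapped side cannot initiate

@dataclass(frozen=True)
class Flow:
    ifc: str            # interface the packet arrives on (egress interface after translation)
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int

def _shift(port: int, src: PortRange, dst: PortRange) -> int:
    """Map a port by its offset within the range (identity when both ranges match)."""
    return dst.lo + (port - src.lo)

def translate(rules: List[TwiceNatRule], flow: Flow) -> Optional[Flow]:
    """Apply the first matching section 1 rule (order matters) and return the
    translated flow whose ifc is the egress interface, or None if none applies."""
    for r in rules:
        # Forward direction: packet enters on real_ifc from a real source address.
        if flow.ifc == r.real_ifc and flow.src in r.real_src:
            if r.dst_net is not None and flow.dst not in r.dst_net:
                continue
            if r.real_src_ports is not None and flow.sport not in r.real_src_ports:
                continue
            sport = flow.sport
            if r.real_src_ports is not None:
                sport = _shift(flow.sport, r.real_src_ports, r.mapped_src_ports)
            # Dynamic PAT would also pick a fresh mapped port ("209.165.202.129:port");
            # the port is kept here so the address mapping stays visible.
            return Flow(r.mapped_ifc, r.mapped_src, sport, flow.dst, flow.dport)
        # Reverse direction: only static NAT is bidirectional, and not when unidirectional.
        if (r.kind == "static" and not r.unidirectional
                and flow.ifc == r.mapped_ifc and flow.dst == r.mapped_src):
            if r.mapped_src_ports is not None and flow.dport not in r.mapped_src_ports:
                continue
            dport = flow.dport
            if r.mapped_src_ports is not None:
                dport = _shift(flow.dport, r.mapped_src_ports, r.real_src_ports)
            # The static source object is a single host, so the packet untranslates to it.
            return Flow(r.real_ifc, flow.src, flow.sport, r.real_src.network_address, dport)
    return None

def as_unidirectional(rule: TwiceNatRule) -> TwiceNatRule:
    """Same rule with the unidirectional keyword added."""
    return replace(rule, unidirectional=True)

def mkflow(ifc: str, src: str, sport: int, dst: str, dport: int) -> Flow:
    return Flow(ifc, IPv4Address(src), sport, IPv4Address(dst), dport)

def describe(flow: Optional[Flow]):
    """(egress_ifc, 'src:port', 'dst:port') for easy comparison, or None."""
    if flow is None:
        return None
    return (flow.ifc, f"{flow.src}:{flow.sport}", f"{flow.dst}:{flow.dport}")

# The two paired dynamic PAT rules from the first example (section 1, in order).
RULE_DMZ1 = TwiceNatRule("inside", "dmz", "dynamic", IPv4Network("10.1.2.0/24"),
                         IPv4Address("209.165.202.129"), dst_net=IPv4Network("209.165.201.0/27"))
RULE_DMZ2 = TwiceNatRule("inside", "dmz", "dynamic", IPv4Network("10.1.2.0/24"),
                         IPv4Address("209.165.202.130"), dst_net=IPv4Network("209.165.200.224/27"))
# Static interface NAT with port translation for the FTP server from the last example.
RULE_FTP = TwiceNatRule("inside", "outside", "static", IPv4Network("192.168.10.100/32"),
                        OUTSIDE_IP, real_src_ports=PortRange(65000, 65004),
                        mapped_src_ports=PortRange(65000, 65004))
# A constructed catch-all (no destination clause) used to show first-match ordering.
RULE_CATCHALL = TwiceNatRule("inside", "dmz", "dynamic", IPv4Network("10.1.2.0/24"),
                             IPv4Address("209.165.202.131"))
SECTION1 = [RULE_DMZ1, RULE_DMZ2, RULE_FTP]
```

Placing RULE_CATCHALL ahead of the two DMZ rules (the line option) shadows them, which is the ordering mistake the section 1/section 3 discussion above warns about.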

Related Commands

Command
Description

clear configure nat

Removes the NAT configuration (both twice NAT and network object NAT).

show nat

Displays NAT policy statistics.

show nat pool

Displays information about NAT pools.

show running-config nat

Shows the NAT configuration.

show xlate

Displays NAT session (xlate) information.


nat (object)

To configure NAT for a network object, use the nat command in object network configuration mode. To remove the NAT configuration, use the no form of this command.

For dynamic NAT and PAT:

nat [(real_ifc,mapped_ifc)] dynamic
{mapped_inline_host_ip [interface] | mapped_obj [interface] | interface} [dns]

no nat [(real_ifc,mapped_ifc)] dynamic
{mapped_inline_host_ip [interface] | mapped_obj [interface] | interface} [dns]

For static NAT and static NAT with port translation:

nat [(real_ifc,mapped_ifc)] static {mapped_inline_ip | mapped_obj | interface} [dns | service {tcp | udp} real_port mapped_port]

no nat [(real_ifc,mapped_ifc)] static {mapped_inline_ip | mapped_obj | interface} [dns | service {tcp | udp} real_port mapped_port]

Syntax Description

(real_ifc,mapped_ifc)

(Optional) For static NAT, specifies the real and mapped interfaces. If you do not specify the real and mapped interfaces, all interfaces are used. You can also specify the keyword any for one or both of the interfaces. Be sure to include the parentheses in your command. In transparent mode, you must specify the real and mapped interfaces; you cannot use any.

dns

(Optional) Translates DNS replies. Be sure DNS inspection (inspect dns) is enabled (it is enabled by default). This option is not available if you specify the service keyword (for static NAT). For more information, see the Cisco ASA 5500 Series Configuration Guide using the CLI.

dynamic

Configures dynamic NAT or PAT.

interface

(Optional) For dynamic NAT, if you specify a mapped IP address, object, or group followed by the interface keyword, then the IP address of the mapped interface is only used if all of the other mapped addresses are already allocated.

For dynamic PAT, if you specify the interface keyword instead of a mapped IP address, object, or group, then you use the interface IP address for the mapped IP address. You must use this keyword when you want to use the interface IP address; you cannot enter it inline or as an object.

For static NAT with port translation, you can specify the interface keyword if you also configure the service keyword.

For this option, you must configure a specific interface for the mapped_ifc.

You cannot specify interface in transparent mode.

mapped_inline_host_ip

Specifies the mapped address as an inline value. If you specify dynamic, then using a host IP address configures dynamic PAT.

mapped_inline_ip

For static NAT, specifies the mapped IP address as an inline value. The netmask or range for the mapped network is the same as that of the real network. For example, if the real network is a host, then this address will be a host address. In the case of a range, then the mapped addresses include the same number of addresses as the real range. For example, if the real address is defined as a range from 10.1.1.1 through 10.1.1.6, and you specify 172.20.1.1 as the mapped address, then the mapped range will include 172.20.1.1 through 172.20.1.6.

mapped_obj

Specifies the mapped IP address(es) as a network object (object network) or object group (object-group network).

For dynamic NAT, the object or group cannot contain a subnet. You can share this mapped object across different dynamic NAT rules, if desired. See the "Mapped Address Guidelines" section for information about disallowed mapped IP addresses.

For static NAT, typically you configure the same number of mapped addresses as real addresses for a one-to-one mapping. You can, however, have a mismatched number of addresses. For more information, see the Cisco ASA 5500 Series Configuration Guide using the CLI.

mapped_port

(Optional) Specifies the mapped TCP or UDP port. You can specify ports by either a literal name or a number in the range of 0 to 65535.

real_port

(Optional) For static NAT, specifies the real TCP or UDP port. You can specify ports by either a literal name or a number in the range of 0 to 65535.

service {tcp | udp}

(Optional) For static NAT with port translation, specifies the protocol for port translation. Only TCP and UDP are supported.

static

Configures static NAT or static NAT with port translation.


Defaults

The default value of real_ifc and mapped_ifc is any, which applies the rule to all interfaces.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Object network configuration


Command History

Release
Modification

8.3(1)

This command was introduced.


Usage Guidelines

When a packet enters the adaptive security appliance, both the source and destination IP addresses are checked against the network object NAT rules. The source and destination address in the packet can be translated by separate rules if separate matches are made. These rules are not tied to each other; different combinations of rules can be used depending on the traffic.

Because the rules are never paired, you cannot specify that a source address should be translated to A when going to destination X, but be translated to B when going to destination Y. Use twice NAT for that kind of functionality (twice NAT lets you identify the source and destination address in a single rule).

For detailed information about the differences between twice NAT and network object NAT, see the Cisco ASA 5500 Series Configuration Guide using the CLI.

Network object NAT rules are added to section 2 of the NAT rules table. For more information about NAT ordering, see the Cisco ASA 5500 Series Configuration Guide using the CLI.

Depending on the configuration, you can configure the mapped address inline if desired, or you can create a network object or network object group for the mapped address (the object network or object-group network command). Network object groups are particularly useful for creating a mapped address pool with discontinuous IP address ranges or multiple hosts or subnets.

Objects and object groups used in NAT cannot be undefined; they must include IP addresses.

You can only define a single NAT rule for a given object; if you want to configure multiple NAT rules, you need to create multiple objects that specify the same IP address, for example, object network obj-10.10.10.1-01, object network obj-10.10.10.1-02, and so on.

Mapped Address Guidelines

The mapped IP address pool cannot include:

The mapped interface IP address. If you specify any interface for the rule, then all interface IP addresses are disallowed. For interface PAT (routed mode only), use the interface keyword instead of the IP address.

(Transparent mode) The management IP address.

(Dynamic NAT) The standby interface IP address when VPN is enabled.

Existing VPN pool addresses.

Clearing Translation Sessions

If you change the NAT configuration, and you do not want to wait for existing translations to time out before the new NAT information is used, you can clear the translation table using clear xlate command. However, clearing the translation table disconnects all of the current connections.

Examples

Dynamic NAT Examples

The following example configures dynamic NAT that hides the 192.168.2.0 network behind a range of outside addresses 2.2.2.1-2.2.2.10:

hostname(config)# object network my-range-obj
hostname(config-network-object)# range 2.2.2.1 2.2.2.10
hostname(config)# object network my-inside-net
hostname(config-network-object)# subnet 192.168.2.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic my-range-obj

The following example configures dynamic NAT with dynamic PAT backup. Hosts on inside network 10.76.11.0 are mapped first to the nat-range1 pool (10.10.10.10-10.10.10.20). After all addresses in the nat-range1 pool are allocated, dynamic PAT is performed using the pat-ip1 address (10.10.10.21). In the unlikely event that the PAT translations are also used up, dynamic PAT is performed using the outside interface address.

hostname(config)# object network nat-range1
hostname(config-network-object)# range 10.10.10.10 10.10.10.20
hostname(config-network-object)# object network pat-ip1
hostname(config-network-object)# host 10.10.10.21
hostname(config-network-object)# object-group network nat-pat-grp
hostname(config-network-object-group)# network-object object nat-range1
hostname(config-network-object-group)# network-object object pat-ip1
hostname(config-network-object-group)# object network my_net_obj5
hostname(config-network-object)# subnet 10.76.11.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic nat-pat-grp interface
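The allocation order of that rule (nat-range1 pool, then dynamic PAT on pat-ip1, then the interface address), as an added Python model that is not Cisco code. The outside interface address 203.0.113.1 and the tiny PAT port budget are constructed so that exhaustion is reachable; clear_xlate() models the clear xlate command described under "Clearing Translation Sessions".

```python
"""Added example, not Cisco code: allocation order of dynamic NAT with PAT backup."""
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

OUTSIDE_IP = IPv4Address("203.0.113.1")   # hypothetical outside interface address

def addr_range(first: str, last: str) -> List[IPv4Address]:
    """Expand 'range first last' into the list of addresses it covers."""
    a, b = int(IPv4Address(first)), int(IPv4Address(last))
    return [IPv4Address(n) for n in range(a, b + 1)]

class DynamicNatWithPatBackup:
    """nat (inside,outside) dynamic nat-pat-grp interface, as an allocator."""

    def __init__(self, nat_pool, pat_addrs, interface_ip, pat_ports_per_addr: int):
        self.free_pool: List[IPv4Address] = list(nat_pool)     # nat-range1
        self.host_xlate: Dict[IPv4Address, IPv4Address] = {}   # one-to-one dynamic NAT
        # PAT candidates in order: pat-ip1 first, the interface address last.
        self.pat_order: List[IPv4Address] = list(pat_addrs) + [interface_ip]
        self._ports = pat_ports_per_addr                       # constructed, tiny budget
        self.pat_free: Dict[IPv4Address, List[int]] = {
            a: list(range(1024, 1024 + self._ports)) for a in self.pat_order}

    def allocate(self, real_ip: str, real_port: int) -> Optional[Tuple[str, int]]:
        """Return (mapped_ip, mapped_port) for a new connection, or None when every
        pool address and every PAT port is in use."""
        host = IPv4Address(real_ip)
        # 1. A host that already holds a dynamic NAT address keeps using it.
        if host in self.host_xlate:
            return (str(self.host_xlate[host]), real_port)
        # 2. Dynamic NAT: hand out the next free nat-range1 address, port unchanged.
        if self.free_pool:
            mapped = self.free_pool.pop(0)
            self.host_xlate[host] = mapped
            return (str(mapped), real_port)
        # 3. Dynamic PAT backup: pat-ip1 until its ports run out, then the interface.
        for addr in self.pat_order:
            if self.pat_free[addr]:
                return (str(addr), self.pat_free[addr].pop(0))
        return None

    def clear_xlate(self) -> None:
        """clear xlate: drop every translation (and with it every current connection)."""
        self.free_pool = sorted(set(self.free_pool) | set(self.host_xlate.values()))
        self.host_xlate.clear()
        for addr in self.pat_order:
            self.pat_free[addr] = list(range(1024, 1024 + self._ports))

def build_example_rule(pat_ports_per_addr: int = 2) -> DynamicNatWithPatBackup:
    """The objects from the example: nat-range1 10.10.10.10-20 and pat-ip1 10.10.10.21."""
    return DynamicNatWithPatBackup(addr_range("10.10.10.10", "10.10.10.20"),
                                   [IPv4Address("10.10.10.21")], OUTSIDE_IP,
                                   pat_ports_per_addr)
```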

Dynamic PAT Example

The following example configures dynamic PAT that hides the 192.168.2.0 network behind address 2.2.2.2:

hostname(config)# object network my-inside-net
hostname(config-network-object)# subnet 192.168.2.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic 2.2.2.2

The following example configures dynamic PAT that hides the 192.168.2.0 network behind the outside interface address:

hostname(config)# object network my-inside-net
hostname(config-network-object)# subnet 192.168.2.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic interface

Static NAT Examples

The following example configures static NAT for the real host 1.1.1.1 on the inside to 2.2.2.2 on the outside with DNS rewrite enabled.

hostname(config)# object network my-host-obj1
hostname(config-network-object)# host 1.1.1.1
hostname(config-network-object)# nat (inside,outside) static 2.2.2.2 dns

The following example configures static NAT for the real host 1.1.1.1 on the inside to 2.2.2.2 on the outside using a mapped object.

hostname(config)# object network my-mapped-obj
hostname(config-network-object)# host 2.2.2.2
hostname(config-network-object)# object network my-host-obj1
hostname(config-network-object)# host 1.1.1.1
hostname(config-network-object)# nat (inside,outside) static my-mapped-obj

The following example configures static NAT with port translation for 1.1.1.1 at TCP port 21 to the outside interface at port 2121.

hostname(config)# object network my-ftp-server
hostname(config-network-object)# host 1.1.1.1
hostname(config-network-object)# nat (inside,outside) static interface service tcp 21 2121

Identity NAT Examples

The following example maps a host address to itself using an inline mapped address:

hostname(config)# object network my-host-obj1
hostname(config-network-object)# host 10.1.1.1
hostname(config-network-object)# nat (inside,outside) static 10.1.1.1

The following example maps a host address to itself using a network object:

hostname(config)# object network my-host-obj1-identity
hostname(config-network-object)# host 10.1.1.1
hostname(config-network-object)# object network my-host-obj1
hostname(config-network-object)# host 10.1.1.1
hostname(config-network-object)# nat (inside,outside) static my-host-obj1-identity

Related Commands

Command
Description

clear configure nat

Removes the NAT configuration (both twice NAT and network object NAT).

show nat

Displays NAT policy statistics.

show nat pool

Displays information about NAT pools.

show running-config nat

Displays the NAT configuration.

show xlate

Displays xlate information.


nat (vpn load-balancing)

To set the IP address to which NAT translates the IP address of this device, use the nat command in VPN load-balancing configuration mode. To disable this NAT translation, use the no form of this command.

nat ip-address

no nat [ip-address]

Syntax Description

ip-address

The IP address to which you want this NAT to translate the IP address of this device.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

VPN load-balancing configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

You must first use the vpn load-balancing command to enter VPN load-balancing mode.

In the no nat form of the command, if you specify the optional ip-address value, the IP address must match the existing NAT IP address in the running configuration.

Examples

The following is an example of a VPN load-balancing command sequence that includes a nat command that sets the NAT-translated address to 192.168.10.10:

hostname(config)# interface GigabitEthernet 0/1
hostname(config-if)# ip address 209.165.202.159 255.255.255.0
hostname(config-if)# nameif test
hostname(config)# interface GigabitEthernet 0/2
hostname(config-if)# ip address 209.165.201.30 255.255.255.0
hostname(config-if)# nameif foo
hostname(config)# vpn load-balancing
hostname(config-load-balancing)# nat 192.168.10.10
hostname(config-load-balancing)# priority 9
hostname(config-load-balancing)# interface lbpublic test
hostname(config-load-balancing)# interface lbprivate foo
hostname(config-load-balancing)# cluster ip address 209.165.202.224
hostname(config-load-balancing)# cluster port 9023
hostname(config-load-balancing)# participate

Related Commands

Command
Description

vpn load-balancing

Enters VPN load-balancing mode.


nat-rewrite

To enable NAT rewrite for IP addresses embedded in the A-record of a DNS response, use the nat-rewrite command in parameters configuration mode. To disable this feature, use the no form of this command.

nat-rewrite

no nat-rewrite

Syntax Description

This command has no arguments or keywords.

Defaults

NAT rewrite is enabled by default. This feature can be enabled when inspect dns is configured even if a policy-map type inspect dns is not defined. To disable, no nat-rewrite must explicitly be stated in the policy map configuration. If inspect dns is not configured, NAT rewrite is not performed.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Parameters configuration


Command History

Release
Modification

7.2(1)

This command was introduced.


Usage Guidelines

This feature performs NAT translation of the A-type Resource Records (RR) in a DNS response, so that a client on one side of a static NAT rule configured with the dns keyword receives the address that is valid on its side.

Examples

The following example shows how to enable NAT rewrite in a DNS inspection policy map:

hostname(config)# policy-map type inspect dns preset_dns_map
hostname(config-pmap)# parameters
hostname(config-pmap-p)# nat-rewrite
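What that rewrite does to the packet, as an added Python example that is not Cisco code: a minimal DNS response walker that replaces A-record RDATA according to a static NAT mapping, here the 1.1.1.1 to 2.2.2.2 mapping with the dns keyword from the nat (object) examples. The DNS message is constructed inline; answers not covered by the mapping are left untouched and the message length never changes.

```python
"""Added example, not Cisco code: A-record rewrite of a DNS response."""
import struct
from ipaddress import IPv4Address
from typing import Dict, Iterator, List, Tuple

A_RECORD = 1

def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a domain name (labels or a compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def _answer_rdata(msg: bytes) -> Iterator[Tuple[int, int, int]]:
    """Yield (rtype, rdata_offset, rdlen) for each RR in the answer section."""
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12                               # past the fixed 12-byte header
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4     # QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10                          # TYPE, CLASS, TTL, RDLENGTH
        yield rtype, off, rdlen
        off += rdlen

def a_records(msg: bytes) -> List[str]:
    """Addresses carried in the answer section's A records, in order."""
    return [str(IPv4Address(msg[off:off + 4]))
            for rtype, off, rdlen in _answer_rdata(msg)
            if rtype == A_RECORD and rdlen == 4]

def rewrite_a_records(msg: bytes, translation: Dict[str, str]) -> bytes:
    """Replace A-record addresses that a dns-enabled static NAT rule covers.
    Only the 4-byte RDATA changes, so offsets and message length are preserved."""
    out = bytearray(msg)
    for rtype, off, rdlen in _answer_rdata(msg):
        if rtype != A_RECORD or rdlen != 4:
            continue
        seen = str(IPv4Address(msg[off:off + 4]))
        if seen in translation:
            out[off:off + 4] = IPv4Address(translation[seen]).packed
    return bytes(out)

def build_a_response(qname: str, addresses: List[str], txid: int = 0x1234) -> bytes:
    """Constructed standard response: one question, one A RR per address,
    RR names given as a compression pointer to the question name (offset 12)."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.strip(".").split("."))
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    question = labels + b"\x00" + struct.pack("!HH", A_RECORD, 1)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", A_RECORD, 1, 300, 4)
                       + IPv4Address(ip).packed for ip in addresses)
    return header + question + answers
```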

Related Commands

Command
Description

class

Identifies a class map name in the policy map.

class-map type inspect

Creates an inspection class map to match traffic specific to an application.

policy-map

Creates a Layer 3/4 policy map.

show running-config policy-map

Displays all current policy map configurations.


nbns-server (tunnel-group webvpn attributes mode)

To configure an NBNS server, use the nbns-server command in tunnel-group webvpn configuration mode. To remove the NBNS server from the configuration, use the no form of this command.

The adaptive security appliance queries NBNS servers to map NetBIOS names to IP addresses. WebVPN requires NetBIOS to access or share files on remote systems.

nbns-server {ipaddr | hostname} [master] [timeout timeout] [retry retries]

no nbns-server

Syntax Description

hostname

Specifies the hostname for the NBNS server.

ipaddr

Specifies the IP address for the NBNS server.

master

Indicates that this is a master browser, rather than a WINS server.

retry

Indicates that a retry value follows.

retries

Specifies the number of times to retry queries to NBNS servers. The adaptive security appliance recycles through the list of servers the number of times you specify here before sending an error message. The default value is 2; the range is 1 through 10.

timeout

Indicates that a timeout value follows.

timeout

Specifies the amount of time the adaptive security appliance waits before sending the query again, to the same server if there is only one, or another server if there are multiple NBNS servers. The default timeout is 2 seconds; the range is 1 to 30 seconds.


Defaults

No NBNS server is configured by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Tunnel-group webvpn configuration


Command History

Release
Modification

7.0(1)

This command was introduced.

7.1(1)

Moved from webvpn mode to tunnel-group webvpn configuration mode.


Usage Guidelines

In Release 7.1(1), if you enter this command in webvpn configuration mode, it is transformed to the same command in tunnel-group webvpn-attributes configuration mode.

You can configure a maximum of 3 server entries. The first server you configure is the primary server, and the others are backups, for redundancy.

Use the no option to remove the matching entry from the configuration.

Examples

The following example shows how to configure the tunnel-group "test" with an NBNS server that is a master browser with an IP address of 10.10.10.19, a timeout value of 10 seconds, and 8 retries. It also shows how to configure an NBNS WINS server with an IP address of 10.10.10.24, a timeout value of 15 seconds, and 8 retries.

hostname(config)# tunnel-group test type webvpn
hostname(config)# tunnel-group test webvpn-attributes
hostname(config-tunnel-webvpn)# nbns-server 10.10.10.19 master timeout 10 retry 8
hostname(config-tunnel-webvpn)# nbns-server 10.10.10.24 timeout 15 retry 8

Related Commands

Command
Description

clear configure group-policy

Removes the configuration for a particular group policy or for all group policies.

show running-config group-policy

Displays the running configuration for a particular group policy or for all group policies.

tunnel-group webvpn-attributes

Specifies the WebVPN attributes for the named tunnel-group.


nbns-server (webvpn mode)

To configure an NBNS server, use the nbns-server command in tunnel-group webvpn configuration mode. To remove the NBNS server from the configuration, use the no form of this command.

The adaptive security appliance queries NBNS servers to map NetBIOS names to IP addresses. WebVPN requires NetBIOS to access or share files on remote systems.

nbns-server {ipaddr | hostname} [master] [timeout timeout] [retry retries]

no nbns-server

Syntax Description

hostname

Specifies the hostname for the NBNS server.

ipaddr

Specifies the IP address for the NBNS server.

master

Indicates that this is a master browser, rather than a WINS server.

retry

Indicates that a retry value follows.

retries

Specifies the number of times to retry queries to NBNS servers. The adaptive security appliance recycles through the list of servers the number of times you specify here before sending an error message. The default value is 2; the range is 1 through 10.

timeout

Indicates that a timeout value follows.

timeout

Specifies the amount of time the adaptive security appliance waits before sending the query again, to the same server if there is only one, or another server if there are multiple NBNS servers. The default timeout is 2 seconds; the range is 1 to 30 seconds.


Defaults

No NBNS server is configured by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Tunnel-group webvpn configuration


Command History

Release
Modification

7.0(1)

This command was introduced.

7.1(1)

Moved from webvpn mode to tunnel-group webvpn configuration mode.


Usage Guidelines

This command is deprecated in webvpn configuration mode. The nbns-server command in tunnel-group webvpn-attributes configuration mode replaces it. In Release 7.1(1), if you enter this command in webvpn configuration mode, it is transformed to the same command in tunnel-group webvpn-attributes mode.

You can configure a maximum of 3 server entries. The first server you configure is the primary server, and the others are backups, for redundancy.

Use the no option to remove the matching entry from the configuration.

Examples

The following example shows how to configure an NBNS server that is a master browser with an IP address of 10.10.10.19, a timeout value of 10 seconds, and 8 retries. It also shows how to configure an NBNS WINS server with an IP address of 10.10.10.24, a timeout value of 15 seconds, and 8 retries.

hostname(config)# webvpn
hostname(config-webvpn)# nbns-server 10.10.10.19 master timeout 10 retry 8
hostname(config-webvpn)# nbns-server 10.10.10.24 timeout 15 retry 8

neighbor

To define a static neighbor on a point-to-point, non-broadcast network, use the neighbor command in router configuration mode. To remove the statically defined neighbor from the configuration, use the no form of this command. The neighbor command is used to advertise OSPF routes over VPN tunnels.

neighbor ip_address [interface name]

no neighbor ip_address [interface name]

Syntax Description

interface name

(Optional) The interface name, as specified by the nameif command, through which the neighbor can be reached.

ip_address

IP address of the neighbor router.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Router configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

One neighbor entry must be included for each known non-broadcast network neighbor. The neighbor address must be on the primary address of the interface.

The interface option needs to be specified when the neighbor is not on the same network as any of the directly connected interfaces of the system. Additionally, a static route must be created to reach the neighbor.

Examples

The following example defines a neighbor router with an address of 192.168.1.1:

hostname(config-router)# neighbor 192.168.1.1

Related Commands

Command
Description

router ospf

Enters router configuration mode.

show running-config router

Displays the commands in the global router configuration.


neighbor (EIGRP)

To define an EIGRP neighbor router with which to exchange routing information, use the neighbor command in router configuration mode. To remove a neighbor entry, use the no form of this command.

neighbor ip_address interface name

no neighbor ip_address interface name

Syntax Description

interface name

The interface name, as specified by the nameif command, through which the neighbor can be reached.

ip_address

IP address of the neighbor router.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Router configuration


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

You can use multiple neighbor statements to establish peering sessions with specific EIGRP neighbors. The interface through which EIGRP exchanges routing updates must be specified in the neighbor statement. The interfaces through which two EIGRP neighbors exchange routing updates must be configured with IP addresses from the same network.


Note Configuring the passive-interface command for an interface suppresses all incoming and outgoing routing updates and hello messages on that interface. EIGRP neighbor adjacencies cannot be established or maintained over an interface that is configured as passive.


EIGRP hello messages are sent as unicast messages to neighbors defined using the neighbor command.

Examples

The following example configures EIGRP peering sessions with the 192.168.1.1 and 192.168.2.2 neighbors:

hostname(config)# router eigrp 100
hostname(config-router)# network 192.168.0.0
hostname(config-router)# neighbor 192.168.1.1 interface outside
hostname(config-router)# neighbor 192.168.2.2 interface branch_office

Related Commands

Command
Description

debug eigrp neighbors

Displays debug information for EIGRP neighbor messages.

show eigrp neighbors

Displays the EIGRP neighbor table.


nem

To enable network extension mode for hardware clients, use the nem enable command in group-policy configuration mode. To disable NEM, use the nem disable command. To remove the NEM attribute from the running configuration, use the no form of this command. Removing the attribute allows the value to be inherited from another group policy.

nem {enable | disable}

no nem

Syntax Description

disable

Disables Network Extension Mode.

enable

Enables Network Extension Mode.


Defaults

Network extension mode is disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy configuration


Usage Guidelines

Network Extension mode lets hardware clients present a single, routable network to the remote private network over the VPN tunnel. IPSec encapsulates all traffic from the private network behind the hardware client to networks behind the adaptive security appliance. PAT does not apply. Therefore, devices behind the adaptive security appliance have direct access to devices on the private network behind the hardware client over the tunnel, and only over the tunnel, and vice versa. The hardware client must initiate the tunnel, but after the tunnel is up, either side can initiate data exchange.

Command History

Release
Modification

7.0(1)

This command was introduced.


Examples

The following example shows how to set NEM for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# nem enable

network

To specify a list of networks for the RIP routing process, use the network command in router configuration mode. To remove a network definition, use the no form of this command.

network ip_addr

no network ip_addr

Syntax Description

ip_addr

The IP address of a directly connected network. The interface connected to the specified network will participate in the RIP routing process.


Defaults

No networks are specified.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Router configuration


Command History

Release
Modification

7.2(1)

This command was introduced.


Usage Guidelines

The network number specified must not contain any subnet information. There is no limit to the number of network commands you can use on the router. RIP routing updates will be sent and received only through interfaces on the specified networks. Also, if the network of an interface is not specified, the interface will not be advertised in any RIP update.

Examples

The following example defines RIP as the routing protocol to be used on all interfaces connected to networks 10.0.0.0 and 192.168.7.0:

hostname(config)# router rip
hostname(config-router)# network 10.0.0.0
hostname(config-router)# network 192.168.7.0

Related Commands

Command
Description

router rip

Enters router configuration mode.

show running-config router

Displays the commands in the global router configuration.


network (EIGRP)

To specify a list of networks for the EIGRP routing process, use the network command in router configuration mode. To remove a network definition, use the no form of this command.

network ip_addr [mask]

no network ip_addr [mask]

Syntax Description

ip_addr

The IP address of a directly connected network. The interface connected to the specified network will participate in the EIGRP routing process.

mask

(Optional) The network mask for the IP address.


Defaults

No networks are specified.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Router configuration


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

The network command starts EIGRP on all interfaces with at least one IP address in the specified network. It inserts the connected subnet from the specified network in the EIGRP topology table.

The adaptive security appliance then establishes neighbors through the matched interfaces. There is no limit to the number of network commands that can be configured on the adaptive security appliance.

Examples

The following example defines EIGRP as the routing protocol to be used on all interfaces connected to networks 10.0.0.0 and 192.168.7.0:

hostname(config)# router eigrp 100
hostname(config-router)# network 10.0.0.0 255.0.0.0
hostname(config-router)# network 192.168.7.0 255.255.255.0

Related Commands

Command
Description

show eigrp interfaces

Displays information about interfaces configured for EIGRP.

show eigrp topology

Displays the EIGRP topology table.


network-acl

To specify a firewall ACL name that you configured previously using the access-list command, use the network-acl command in dynamic-access-policy-record configuration mode. To remove an existing network ACL, use the no form of this command. To remove all network ACLs, use the no form of this command without arguments.

network-acl name

no network-acl [name]

Syntax Description

name

Specifies the name of the network ACL. Maximum 240 characters.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Dynamic-access-policy-record configuration


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

Use this command multiple times to assign multiple firewall ACLs to the DAP record.

The adaptive security appliance verifies each of the ACLs you specify to make sure they contain only permit rules or only deny rules for the access-list entries. If any of the specified ACLs contain mixed permit and deny rules, then the adaptive security appliance rejects the command.

The following example shows how to apply a network ACL called Finance Restrictions to the DAP record named Finance.

hostname(config)# dynamic-access-policy-record Finance
hostname(config-dynamic-access-policy-record)# network-acl Finance Restrictions
hostname(config-dynamic-access-policy-record)#

Related Commands

Command
Description

access-policy

Configures a firewall access policy.

dynamic-access-policy-record

Creates a DAP record.

show running-config dynamic-access-policy-record [name]

Displays the running configuration for all DAP records, or for the named DAP record.


network area

To define the interfaces on which OSPF runs and to define the area ID for those interfaces, use the network area command in router configuration mode. To disable OSPF routing for interfaces defined with the address/netmask pair, use the no form of this command.

network addr mask area area_id

no network addr mask area area_id

Syntax Description

addr

IP address.

area area_id

Specifies the area that is to be associated with the OSPF address range. The area_id can be specified in either IP address format or in decimal format. When specified in decimal format, valid values range from 0 to 4294967295.

mask

The network mask.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Router configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

For OSPF to operate on the interface, the address of the interface must be covered by the network area command. If the network area command does not cover the IP address of the interface, it will not enable OSPF over that interface.

There is no limit to the number of network area commands you can use on the adaptive security appliance.

Examples

The following example enables OSPF on the 192.168.1.1 interface and assigns it to area 2:

hostname(config-router)# network 192.168.1.1 255.255.255.0 area 2

Related Commands

Command
Description

router ospf

Enters router configuration mode.

show running-config router

Displays the commands in the global router configuration.


network-object

To add a host object, a network object, or a subnet object to a network object group, use the network-object command in network configuration mode. To remove network objects, use the no form of this command.

network-object host host_addr | host_name

[no] network-object host host_addr | host_name

network-object net_addr netmask

[no] network-object net_addr netmask

network-object object net_obj_name

[no] network-object object net_obj_name

Syntax Description

host

Specifies a host object.

host_addr

Specifies the host IP address (if the host name is not already defined using the name command).

host_name

Specifies the host name (if the host name is defined using the name command).

net_addr

Specifies the network address: used with netmask to define a subnet object.

netmask

Specifies the netmask: used with net_addr to define a subnet object.

net_obj_name

Specifies the name of the network object to add to the network object group.

object

Specifies a network object.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Network configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The network-object command is used with the object-group command to define a host object, a network object, or a subnet object in network configuration mode.

Examples

The following example shows how to use the network-object command in network configuration mode to create a new host object in a network object group:

hostname(config)# object-group network sjj_eng_ftp_servers
hostname(config-network-object-group)# network-object host sjj.eng.ftp
hostname(config-network-object-group)# network-object host 172.16.56.195 
hostname(config-network-object-group)# network-object 192.168.1.0 255.255.255.224 
hostname(config-network-object-group)# group-object sjc_eng_ftp_servers
hostname(config-network-object-group)# quit
hostname(config)#

Related Commands

Command
Description

clear configure object-group

Removes all the object-group commands from the configuration.

group-object

Adds network object groups.

object-group

Defines object groups to optimize your configuration.

port-object

Adds a port object to a service object group.

show running-config object-group

Displays the current object groups.


nop

To define an action when the No Operation IP option occurs in a packet with IP Options inspection, use the nop command in parameters configuration mode. To disable this feature, use the no form of this command.

nop action {allow | clear}

no nop action {allow | clear}

Syntax Description

allow

Instructs the adaptive security appliance to allow a packet containing the No Operation IP option to pass.

clear

Instructs the adaptive security appliance to clear the No Operation IP option from a packet and then allow the packet to pass.


Defaults

By default, IP Options inspection drops packets containing the No Operation IP option.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Parameters configuration


Command History

Release
Modification

8.2(2)

This command was introduced.


Usage Guidelines

This command can be configured in an IP Options inspection policy map.

You can configure IP Options inspection to control which IP packets with specific IP options are allowed through the adaptive security appliance. Configuring this inspection instructs the adaptive security appliance to allow a packet to pass or to clear the specified IP options and then allow the packet to pass.

The Options field in the IP header can contain zero, one, or more options, which makes the total length of the field variable. However, the IP header must be a multiple of 32 bits. If the number of bits of all options is not a multiple of 32 bits, the No Operation (NOP) or IP Option 1 is used as "internal padding" to align the options on a 32-bit boundary.

Examples

The following example shows how to set up an action for IP Options inspection in a policy map:

hostname(config)# policy-map type inspect ip-options ip-options_map
hostname(config-pmap)# parameters
hostname(config-pmap-p)# eool action allow
hostname(config-pmap-p)# nop action allow
hostname(config-pmap-p)# router-alert action allow
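The option walk described above (single-byte EOOL and NOP, type-length-value for everything else, NOP as 32-bit padding) with per-option actions applied to a constructed packet, as an added Python example that is not ASA code. Assumptions: an option type with no configured action is dropped, as the Defaults entry states for NOP; the clear action overwrites the option in place with NOP bytes so the header length stays 32-bit aligned, and the header checksum is recomputed afterwards.

```python
"""IP Options inspection model (added example, not ASA code).

Walks the IPv4 Options field as the page describes it: EOOL (type 0) and
NOP (type 1) are single-byte options, every other option is type, length,
value, and NOP bytes pad the header to a 32-bit boundary. Assumptions: an
option type with no configured action is dropped (as Defaults says for NOP),
and "clear" overwrites the option in place with NOP bytes, after which the
header checksum is recomputed. All packet bytes are constructed.
"""
import struct

EOOL, NOP, ROUTER_ALERT = 0, 1, 148      # option type codes (148 = 0x94)


def parse_options(options):
    """Return [(type, offset, raw_bytes)] for each option in the field."""
    parsed, i = [], 0
    while i < len(options):
        opt_type = options[i]
        if opt_type in (EOOL, NOP):          # single-byte options
            parsed.append((opt_type, i, options[i:i + 1]))
            if opt_type == EOOL:
                break                         # rest of the field is padding
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option at offset %d" % i)
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad length %d for option %d" % (length, opt_type))
        parsed.append((opt_type, i, options[i:i + length]))
        i += length
    return parsed


def ipv4_checksum(header):
    """One's-complement sum over 16-bit words; 0 when a checksummed header is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_header(options=b"", src=b"\x0a\x01\x01\x01", dst=b"\x0a\x02\x02\x02"):
    """Constructed IPv4 header (no payload) carrying the given options."""
    options += bytes([NOP]) * ((-len(options)) % 4)   # NOP as internal padding
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4,
                        0, 0, 64, 1, 0, src, dst)
    header = bytearray(fixed + options)
    header[10:12] = struct.pack("!H", ipv4_checksum(bytes(header)))
    return bytes(header)


def inspect(packet, actions):
    """Apply per-option actions ("allow" | "clear" | "drop") to one packet.
    Returns ("drop", None) or ("allow", possibly rewritten packet)."""
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad IHL")
    options = bytearray(packet[20:ihl])
    parsed = parse_options(bytes(options))
    # Decide on the original options first, then rewrite: clearing an option
    # to NOPs must not change the verdict that applies to the NOP action itself.
    if any(actions.get(t, "drop") == "drop" for t, _, _ in parsed):
        return "drop", None
    for opt_type, offset, raw in parsed:
        if actions.get(opt_type) == "clear":
            options[offset:offset + len(raw)] = bytes([NOP]) * len(raw)
    header = bytearray(packet[:20]) + options
    header[10:12] = b"\x00\x00"
    header[10:12] = struct.pack("!H", ipv4_checksum(bytes(header)))
    return "allow", bytes(header) + packet[ihl:]


# Constructed field: Router Alert (4 bytes) + three NOPs + EOOL = 8 bytes.
SAMPLE_OPTIONS = bytes([ROUTER_ALERT, 4, 0, 0, NOP, NOP, NOP, EOOL])

# The page's policy map: eool, nop and router-alert all set to allow.
PAGE_POLICY = {EOOL: "allow", NOP: "allow", ROUTER_ALERT: "allow"}


if __name__ == "__main__":
    pkt = build_header(SAMPLE_OPTIONS)
    print("default policy:", inspect(pkt, {})[0])            # drop
    print("page policy:   ", inspect(pkt, PAGE_POLICY)[0])   # allow
    cleared = inspect(pkt, {**PAGE_POLICY, ROUTER_ALERT: "clear"})[1]
    print("cleared opts:  ", cleared[20:28].hex())
```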

Related Commands

Command
Description

class

Identifies a class map name in the policy map.

class-map type inspect

Creates an inspection class map to match traffic specific to an application.

policy-map

Creates a Layer 3/4 policy map.

show running-config policy-map

Displays all current policy map configurations.


nt-auth-domain-controller

To specify the name of the NT Primary Domain Controller for this server, use the nt-auth-domain-controller command in aaa-server host configuration mode. To remove this specification, use the no form of this command.

nt-auth-domain-controller string

no nt-auth-domain-controller

Syntax Description

string

Specifies the name, up to 16 characters long, of the Primary Domain Controller for this server.


Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Aaa-server host configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

This command is valid only for NT Authentication AAA servers. You must have first used the aaa-server host command to enter host configuration mode. The name in the string variable must match the NT entry on the server itself.

Examples

The following example configures the name of the NT Primary Domain Controller for this server as "primary1".

hostname(config)# aaa-server svrgrp1 protocol nt
hostname(config-aaa-server-group)# aaa-server svrgrp1 host 1.2.3.4
hostname(config-aaa-server-host)# nt-auth-domain-controller primary1
hostname(config-aaa-server-host)#

Related Commands

Command
Description

aaa server host

Enters AAA server host configuration mode so you can configure AAA server parameters that are host-specific.

clear configure aaa-server

Removes all AAA command statements from the configuration.

show running-config aaa-server

Displays AAA server statistics for all AAA servers, for a particular server group, for a particular server within a particular group, or for a particular protocol.


ntp authenticate

To enable authentication with an NTP server, use the ntp authenticate command in global configuration mode. To disable NTP authentication, use the no form of this command.

ntp authenticate

no ntp authenticate

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

If you enable authentication, the adaptive security appliance only communicates with an NTP server if it uses the correct trusted key in the packets (see the ntp trusted-key command). The adaptive security appliance also uses an authentication key to synchronize with the NTP server (see the ntp authentication-key command).

Examples

The following example configures the adaptive security appliance to synchronize only to systems that provide authentication key 42 in their NTP packets:

hostname(config)# ntp authenticate
hostname(config)# ntp authentication-key 42 md5 aNiceKey
hostname(config)# ntp trusted-key 42

Related Commands

Command
Description

ntp authentication-key

Sets an encrypted authentication key to synchronize with an NTP server.

ntp server

Identifies an NTP server.

ntp trusted-key

Provides a key ID for the adaptive security appliance to use in packets for authentication with an NTP server.

show ntp associations

Shows the NTP servers with which the adaptive security appliance is associated.

show ntp status

Shows the status of the NTP association.


ntp authentication-key

To set a key to authenticate with an NTP server, use the ntp authentication-key command in global configuration mode. To remove the key, use the no form of this command.

ntp authentication-key key_id md5 key

no ntp authentication-key key_id [md5 [0 | 8] key]

Syntax Description

0

(Optional) Indicates that key is plain text. The format is plain text if neither 0 nor 8 is present.

8

(Optional) Indicates that key is encrypted text. The format is plain text if neither 0 nor 8 is present.

key

Sets the key value as a string up to 32 characters in length.

key_id

Identifies a key ID between 1 and 4294967295. You must specify this ID as a trusted key using the ntp trusted-key command.

md5

Specifies the authentication algorithm as MD5, which is the only algorithm supported.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

To use NTP authentication, also configure the ntp authenticate command.

Examples

The following example enables authentication, identifies trusted key IDs 1 and 2, and sets authentication keys for each trusted key ID:

hostname(config)# ntp authenticate
hostname(config)# ntp trusted-key 1
hostname(config)# ntp trusted-key 2
hostname(config)# ntp authentication-key 1 md5 aNiceKey
hostname(config)# ntp authentication-key 2 md5 aNiceKey2

Related Commands

Command
Description

ntp authenticate

Enables NTP authentication.

ntp server

Identifies an NTP server.

ntp trusted-key

Provides a key ID for the adaptive security appliance to use in packets for authentication with an NTP server.

show ntp associations

Shows the NTP servers with which the adaptive security appliance is associated.

show ntp status

Shows the status of the NTP association.


ntp server

To identify an NTP server to set the time on the adaptive security appliance, use the ntp server command in global configuration mode. To remove the server, use the no form of this command. You can identify multiple servers; the adaptive security appliance uses the most accurate server. In multiple context mode, set the NTP server in the system configuration only.

ntp server ip_address [key key_id] [source interface_name] [prefer]

no ntp server ip_address [key key_id] [source interface_name] [prefer]

Syntax Description

ip_address

Sets the IP address of the NTP server.

key key_id

If you enable authentication using the ntp authenticate command, sets the trusted key ID for this server. See also the ntp trusted-key command.

source interface_name

Identifies the outgoing interface for NTP packets if you do not want to use the default interface in the routing table. Because the system does not include any interfaces in multiple context mode, specify an interface name defined in the admin context.

prefer

Sets this NTP server as the preferred server if multiple servers have similar accuracy. NTP uses an algorithm to determine which server is the most accurate and synchronizes to that one. If servers are of similar accuracy, then the prefer keyword specifies which of those servers to use. However, if a server is significantly more accurate than the preferred one, the adaptive security appliance uses the more accurate one. For example, the adaptive security appliance uses a server of stratum 2 over a server of stratum 3 that is preferred.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0(1)

This command was modified to make the source interface optional.


Examples

The following example identifies two NTP servers and enables authentication for the key IDs 1 and 2:

hostname(config)# ntp server 10.1.1.1 key 1 prefer
hostname(config)# ntp server 10.2.1.1 key 2
hostname(config)# ntp authenticate
hostname(config)# ntp trusted-key 1
hostname(config)# ntp trusted-key 2
hostname(config)# ntp authentication-key 1 md5 aNiceKey
hostname(config)# ntp authentication-key 2 md5 aNiceKey2

Related Commands

Command
Description

ntp authenticate

Enables NTP authentication.

ntp authentication-key

Sets an encrypted authentication key to synchronize with an NTP server.

ntp trusted-key

Provides a key ID for the adaptive security appliance to use in packets for authentication with an NTP server.

show ntp associations

Shows the NTP servers with which the adaptive security appliance is associated.

show ntp status

Shows the status of the NTP association.


ntp trusted-key

To specify an authentication key ID to be a trusted key, which is required for authentication with an NTP server, use the ntp trusted-key command in global configuration mode. To remove the trusted key, use the no form of this command. You can enter multiple trusted keys for use with multiple servers.

ntp trusted-key key_id

no ntp trusted-key key_id

Syntax Description

key_id

Sets a key ID between 1 and 4294967295.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

To use NTP authentication, also configure the ntp authenticate command. To synchronize with a server, set the authentication key for the key ID using the ntp authentication-key command.

Examples

The following example enables authentication, identifies trusted key IDs 1 and 2, and sets authentication keys for each trusted key ID:

hostname(config)# ntp authenticate
hostname(config)# ntp trusted-key 1
hostname(config)# ntp trusted-key 2
hostname(config)# ntp authentication-key 1 md5 aNiceKey
hostname(config)# ntp authentication-key 2 md5 aNiceKey2
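The check that the ntp authenticate, ntp authentication-key, ntp server and ntp trusted-key commands configure, as an added Python example that is not ASA or Cisco code: it builds the MAC an NTP symmetric-key server appends (a 4-byte key ID followed by MD5 over the key and the 48-byte header, per RFC 5905) and verifies a received packet against the page's key IDs and key strings, accepting only a trusted key ID with a correct MAC. The packet bytes and the extra untrusted key 3 are constructed.

```python
"""NTP symmetric-key authentication as configured by ntp authenticate,
ntp authentication-key <id> md5 <key> and ntp trusted-key <id>.

Added example (not ASA code). MAC layout per RFC 5905: a 4-byte key ID
followed by MD5(key || 48-byte NTP header). All packet bytes are constructed.
"""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
MAC_LEN = 4 + 16   # key ID + MD5 digest

# Equivalent of the page's configuration, plus one key that is configured
# but deliberately NOT trusted (constructed):
#   ntp authentication-key 1 md5 aNiceKey
#   ntp authentication-key 2 md5 aNiceKey2
#   ntp authentication-key 3 md5 notTrusted
#   ntp trusted-key 1
#   ntp trusted-key 2
AUTH_KEYS = {1: b"aNiceKey", 2: b"aNiceKey2", 3: b"notTrusted"}
TRUSTED_KEYS = {1, 2}


def build_header(stratum=2, tx_seconds=3900000000):
    """Build a constructed 48-byte NTPv4 server reply (mode 4) header."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4                  # LI=0, VN=4, mode=server
    hdr = struct.pack("!BBbb", li_vn_mode, stratum, 6, -20)   # poll, precision
    hdr += struct.pack("!II", 0, 0)                       # root delay, dispersion
    hdr += b"GPS\x00"                                     # reference ID
    hdr += struct.pack("!IIIIII", 0, 0, 0, 0, 0, 0)       # ref/origin/receive stamps
    hdr += struct.pack("!II", tx_seconds, 0)              # transmit timestamp
    assert len(hdr) == NTP_HEADER_LEN
    return hdr


def ntp_mac(key_id, key, header):
    """Key ID || MD5(key || header): MD5 is the only algorithm the page supports."""
    return struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def sign(header, key_id, keys=AUTH_KEYS):
    """What a server configured with the same key appends to its reply."""
    return header + ntp_mac(key_id, keys[key_id], header)


def tamper(packet, offset=1):
    """Flip one bit of the packet to simulate corruption in transit."""
    data = bytearray(packet)
    data[offset] ^= 0x01
    return bytes(data)


def verify(packet, authenticate=True, keys=AUTH_KEYS, trusted=TRUSTED_KEYS):
    """Return (accepted, reason) for a received NTP packet.

    With ntp authenticate enabled, only a packet whose MAC carries a trusted
    key ID and verifies under that ID's authentication-key is accepted.
    """
    if len(packet) < NTP_HEADER_LEN:
        return False, "short packet"
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    if not mac:
        if authenticate:
            return False, "unauthenticated packet rejected"
        return True, "accepted without authentication"
    if len(mac) != MAC_LEN:
        return False, "unexpected MAC length %d" % len(mac)
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in trusted:
        return False, "key ID %d is not a trusted key" % key_id
    if key_id not in keys:
        return False, "no authentication-key for key ID %d" % key_id
    expected = ntp_mac(key_id, keys[key_id], header)
    if not hmac.compare_digest(expected, mac):   # constant-time comparison
        return False, "MAC mismatch for key ID %d" % key_id
    return True, "authenticated with key ID %d" % key_id


if __name__ == "__main__":
    reply = build_header()
    for label, pkt in [("key 1", sign(reply, 1)),
                       ("key 3 (untrusted)", sign(reply, 3)),
                       ("tampered", tamper(sign(reply, 2))),
                       ("no MAC", reply)]:
        print("%-18s -> %s" % (label, verify(pkt)))
```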

Related Commands

Command
Description

ntp authenticate

Enables NTP authentication.

ntp authentication-key

Sets an encrypted authentication key to synchronize with an NTP server.

ntp server

Identifies an NTP server.

show ntp associations

Shows the NTP servers with which the adaptive security appliance is associated.

show ntp status

Shows the status of the NTP association.


num-packets

To specify the number of request packets sent during an SLA operation, use the num-packets command in SLA monitor protocol configuration mode. To restore the default value, use the no form of this command.

num-packets number

no num-packets number

Syntax Description

number

The number of packets sent during an SLA operation. Valid values are from 1 to 100.


Defaults

The default number of packets sent for echo types is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

SLA monitor protocol configuration


Command History

Release
Modification

7.2(1)

This command was introduced.


Usage Guidelines

Increase the default number of packets sent to prevent incorrect reachability information due to packet loss.

Examples

The following example configures an SLA operation with an ID of 123 that uses an ICMP echo request/response time probe operation. It sets the payload size of the echo request packets to 48 bytes and the number of echo requests sent during an SLA operation to 5.

hostname(config)# sla monitor 123
hostname(config-sla-monitor)# type echo protocol ipIcmpEcho 10.1.1.1 interface outside 
hostname(config-sla-monitor-echo)# num-packets 5
hostname(config-sla-monitor-echo)# request-data-size 48
hostname(config-sla-monitor-echo)# timeout 4000
hostname(config-sla-monitor-echo)# threshold 2500
hostname(config-sla-monitor-echo)# frequency 10
hostname(config)# sla monitor schedule 123 life forever start-time now
hostname(config)# track 1 rtr 123 reachability

Related Commands

Command
Description

request-data-size

Specifies the size of the request packet payload.

sla monitor

Defines an SLA monitoring operation.

type echo

Configures the SLA operation as an echo response time probe operation.


object-group

To define object groups that you can use to optimize your configuration, use the object-group command in global configuration mode. Use the no form of this command to remove object groups from the configuration. This command supports IPv4 and IPv6 addresses.

object-group {protocol | network | icmp-type} grp_name

no object-group {protocol | network | icmp-type} grp_name

object-group service grp_name [tcp | udp | tcp-udp]

no object-group service grp_name [tcp | udp | tcp-udp]

Syntax Description

grp_name

Identifies the object group (one to 64 characters) and can be any combination of letters, digits, and the "_", "-", "." characters.

icmp-type

Defines a group of ICMP types such as echo and echo-reply. After entering the main object-group icmp-type command, add ICMP objects to the ICMP type group with the icmp-object and the group-object commands.

network

Defines a group of hosts or subnet IP addresses. After entering the main object-group network command, add network objects to the network group with the network-object and the group-object commands.

protocol

Defines a group of protocols such as TCP and UDP. After entering the main object-group protocol command, add protocol objects to the protocol group with the protocol-object and the group-object commands.

service

An enhanced service object group defines a mix of TCP services, UDP services, ICMP-type services, and any protocol if tcp, udp, or tcp-udp is not specified on the command line. After entering the main object-group service command, add service objects to the service group with the service-object and the group-object commands.

When either tcp, udp, or tcp-udp is optionally specified on the command line, service defines a standard service object group of TCP/UDP port specifications such as "eq smtp" and "range 2000 2010." In this case, after entering the main object-group service command, add port objects to the service group with the port-object and the group-object commands.

tcp

Specifies that service group is used for TCP.

tcp-udp

Specifies that service group can be used for TCP and UDP.

udp

Specifies that service group is used for UDP.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

Objects such as hosts, protocols, or services can be grouped, and then you can issue a single command using the group name to apply to every item in the group.

When you define a group with the object-group command and then use any adaptive security appliance command, the command applies to every item in that group. This feature can significantly reduce your configuration size.

Once you define an object group, you must use the object-group keyword before the group name in all applicable adaptive security appliance commands as follows:

hostname# show running-config object-group group_name

where group_name is the name of the group.

This example shows the use of an object group once it is defined:

hostname(config)# access-list access_list_name permit tcp any object-group group_name

In addition, you can group access list command arguments:

Individual Arguments
Object Group Replacement

protocol

object-group protocol

host and subnet

object-group network

service

object-group service

icmp_type

object-group icmp-type


You can group commands hierarchically; an object group can be a member of another object group.

To use object groups, you must do the following:

Use the object-group keyword before the object group name in all commands as follows:

hostname(config)# access-list acl permit tcp object-group remotes object-group locals object-group eng_svc

where remotes and locals are sample object group names.

The object group must be nonempty.

You cannot remove or empty an object group if it is currently being used in a command.

After you enter a main object-group command, the command mode changes to its corresponding mode. The object group is defined in the new mode. The active mode is indicated in the command prompt format. For example, the prompt in the configuration terminal mode appears as follows:

hostname(config)#

where hostname is the name of the adaptive security appliance.

However, when you enter the object-group command, the prompt appears as follows:

hostname(config-type)#

where hostname is the name of the adaptive security appliance, and type is the object-group type.

Use the exit, quit, or any valid config-mode commands such as access-list to close an object-group mode and exit the object-group main command.

The show running-config object-group command displays all defined object groups by their grp_id when the show running-config object-group grp_id command is entered, and by their group type when you enter the show running-config object-group grp_type command. When you enter the show running-config object-group command without an argument, all defined object groups are shown.

Use the clear configure object-group command to remove a group of previously defined object-group commands. Without an argument, the clear configure object-group command lets you to remove all defined object groups that are not being used in a command. The grp_type argument removes all defined object groups that are not being used in a command for that group type only.

You can use all other adaptive security appliance commands in an object-group mode, including the show running-config and clear configure commands.

Commands within the object-group mode appear indented when displayed or saved by the show running-config object-group, write, or config commands.

Commands within the object-group mode have the same command privilege level as the main command.

When you use more than one object group in an access-list command, the elements of all object groups that are used in the command are linked together, starting with the elements of the first group with the elements of the second group, then the elements of the first and second groups together with the elements of the third group, and so on.

The starting position of the description text is the character right after the white space (a blank or a tab) following the description keyword.

Examples

The following example shows how to use the object-group icmp-type mode to create a new icmp-type object group:

hostname(config)# object-group icmp-type icmp-allowed
hostname(config-icmp-object-group)# icmp-object echo
hostname(config-icmp-object-group)# icmp-object time-exceeded
hostname(config-icmp-object-group)# exit

The following example shows how to use the object-group network command to create a new network object group:

hostname(config)# object-group network sjc_eng_ftp_servers
hostname(config-network-object-group)# network-object host sjc.eng.ftp.servers 
hostname(config-network-object-group)# network-object host 172.23.56.194 
hostname(config-network-object-group)# network-object 192.1.1.0 255.255.255.224 
hostname(config-network-object-group)# exit

The following example shows how to use the object-group network command to create a new network object group and map it to an existing object-group:

hostname(config)# object-group network sjc_ftp_servers
hostname(config-network-object-group)# network-object host sjc.ftp.servers 
hostname(config-network-object-group)# network-object host 172.23.56.195 
hostname(config-network-object-group)# network-object 193.1.1.0 255.255.255.224 
hostname(config-network-object-group)# group-object sjc_eng_ftp_servers 
hostname(config-network-object-group)# exit

The following example shows how to use the object-group protocol mode to create a new protocol object group:

hostname(config)# object-group protocol proto_grp_1
hostname(config-protocol-object-group)# protocol-object udp
hostname(config-protocol-object-group)# protocol-object ipsec
hostname(config-protocol-object-group)# exit
hostname(config)# object-group protocol proto_grp_2
hostname(config-protocol-object-group)# protocol-object tcp
hostname(config-protocol-object-group)# group-object proto_grp_1
hostname(config-protocol-object-group)# exit

The following example shows how to use the object-group service mode to create a new port (service) object group:

hostname(config)# object-group service eng_service tcp
hostname(config-service-object-group)# group-object eng_www_service
hostname(config-service-object-group)# port-object eq ftp
hostname(config-service-object-group)# port-object range 2000 2005
hostname(config-service-object-group)# exit

The following example shows how to add and remove a text description to an object group:

hostname(config)# object-group protocol protos1
hostname(config-protocol-object-group)# description This group of protocols is for our 
internal network
hostname(config-protocol-object-group)# show running-config object-group id protos1
object-group protocol protos1
description: This group of protocols is for our internal network
hostname(config-protocol-object-group)# no description
hostname(config-protocol-object-group)# show running-config object-group id protos1
object-group protocol protos1

The following example shows how to use the group-object mode to create a new object group that consists of previously defined objects:

hostname(config)# object-group network host_grp_1
hostname(config-network-object-group)# network-object host 192.168.1.1
hostname(config-network-object-group)# network-object host 192.168.1.2
hostname(config-network-object-group)# exit
hostname(config)# object-group network host_grp_2
hostname(config-network-object-group)# network-object host 172.23.56.1
hostname(config-network-object-group)# network-object host 172.23.56.2
hostname(config-network-object-group)# exit
hostname(config)# object-group network all_hosts
hostname(config-network-object-group)# group-object host_grp_1
hostname(config-network-object-group)# group-object host_grp_2
hostname(config-network-object-group)# exit
hostname(config)# access-list grp_1 permit tcp object-group host_grp_1 any eq ftp
hostname(config)# access-list grp_2 permit tcp object-group host_grp_2 any eq smtp
hostname(config)# access-list all permit tcp object-group all_hosts any eq www

Without the group-object command, you need to define the all_hosts group to include all the IP addresses that have already been defined in host_grp_1 and host_grp_2. With the group-object command, the duplicated definitions of the hosts are eliminated.

The following examples show how to use object groups to simplify the access list configuration:

hostname(config)# object-group network remote
hostname(config-network-object-group)# network-object host kqk.suu.dri.ixx
hostname(config-network-object-group)# network-object host kqk.suu.pyl.gnl
hostname(config)# object-group network locals
hostname(config-network-object-group)# network-object host 209.165.200.225
hostname(config-network-object-group)# network-object host 209.165.200.230
hostname(config-network-object-group)# network-object host 209.165.200.235
hostname(config-network-object-group)# network-object host 209.165.200.240
hostname(config)# object-group service eng_svc tcp
hostname(config-service-object-group)# port-object eq www
hostname(config-service-object-group)# port-object eq smtp
hostname(config-service-object-group)# port-object range 25000 25100

This grouping enables the access list to be configured in 1 line instead of 24 lines, which would be needed if no grouping is used. Instead, with the grouping, the access list configuration is as follows:

hostname(config)# access-list acl permit tcp object-group remote object-group locals 
object-group eng_svc
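To make the expansion rule concrete, here is an added Python model (not Cisco code) of how the appliance combines the member lists of each object group in an access-list line, using the groups defined above and the host_grp_1/host_grp_2/all_hosts groups from the earlier example as constructed sample data; it also follows nested group-object references and refuses a missing or empty group, as the usage guidelines require.

```python
"""Model of how the ASA expands an access-list line that references
object groups into the individual entries that 'show access-list' prints.
Added example with constructed data; it is not Cisco code."""
from itertools import product

# Constructed group definitions, copied from the examples on this page.
# A member written as "group:NAME" stands for a nested group-object.
NETWORK_GROUPS = {
    "remote": ["host kqk.suu.dri.ixx", "host kqk.suu.pyl.gnl"],
    "locals": ["host 209.165.200.225", "host 209.165.200.230",
               "host 209.165.200.235", "host 209.165.200.240"],
    "host_grp_1": ["host 192.168.1.1", "host 192.168.1.2"],
    "host_grp_2": ["host 172.23.56.1", "host 172.23.56.2"],
    "all_hosts": ["group:host_grp_1", "group:host_grp_2"],
    "empty_grp": [],                   # the appliance refuses to use this one
}
SERVICE_GROUPS = {
    "eng_svc": ["eq www", "eq smtp", "range 25000 25100"],
}


def resolve(name, groups, _seen=frozenset()):
    """Flatten a group into its leaf members, following group-object
    nesting. Raises ValueError for a missing or empty group (a group
    must be nonempty to be used) and for a reference cycle."""
    if name in _seen:
        raise ValueError(f"group-object cycle at {name}")
    members = groups.get(name)
    if not members:
        raise ValueError(f"object group {name} is missing or empty")
    leaves = []
    for member in members:
        if member.startswith("group:"):
            leaves.extend(resolve(member[6:], groups, _seen | {name}))
        else:
            leaves.append(member)
    return leaves


def group_is_usable(name, groups):
    """True if the group exists, is nonempty and has no nesting cycle."""
    try:
        resolve(name, groups)
        return True
    except ValueError:
        return False


def expand_ace(ace, network_groups=NETWORK_GROUPS, service_groups=SERVICE_GROUPS):
    """Expand 'access-list NAME permit|deny PROTO SRC DST [SVC]' where SRC/DST
    are 'object-group G', 'host A', 'any' or 'NET MASK' and SVC is
    'object-group G', 'eq PORT' or 'range LO HI'. Each group is replaced by
    its member list and the lists are combined position by position, first
    group with second, then with third, so the result has
    len(g1) * len(g2) * ... entries."""
    tokens = ace.split()
    head, rest = tokens[:4], tokens[4:]
    fields = []                        # one list of alternatives per position
    while rest:
        if rest[0] == "object-group":
            name = rest[1]
            table = network_groups if name in network_groups else service_groups
            fields.append(resolve(name, table))
            rest = rest[2:]
        elif rest[0] in ("host", "eq"):
            fields.append([f"{rest[0]} {rest[1]}"])
            rest = rest[2:]
        elif rest[0] == "range":
            fields.append([f"range {rest[1]} {rest[2]}"])
            rest = rest[3:]
        elif rest[0] == "any":
            fields.append(["any"])
            rest = rest[1:]
        else:                          # NET MASK
            fields.append([f"{rest[0]} {rest[1]}"])
            rest = rest[2:]
    return [" ".join(head + list(combo)) for combo in product(*fields)]


if __name__ == "__main__":
    for line in expand_ace("access-list acl permit tcp object-group remote "
                           "object-group locals object-group eng_svc"):
        print(line)
```

Running it prints the 24 expanded entries behind the single access-list line above, in the same order the appliance lists them.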

The following example shows how to use the service-object subcommand, which is useful for grouping TCP and UDP services:

hostname(config)# object-group network remote
hostname(config-network-object-group)# network-object host kqk.suu.dri.ixx
hostname(config-network-object-group)# network-object host kqk.suu.pyl.gnl
hostname(config)# object-group network locals
hostname(config-network-object-group)# network-object host 209.165.200.225
hostname(config-network-object-group)# network-object host 209.165.200.230
hostname(config-network-object-group)# network-object host 209.165.200.235
hostname(config-network-object-group)# network-object host 209.165.200.240
hostname(config)# object-group service usr_svc
hostname(config-service-object-group)# service-object tcp destination eq www
hostname(config-service-object-group)# service-object tcp destination eq https
hostname(config-service-object-group)# service-object tcp destination eq pop3
hostname(config-service-object-group)# service-object udp destination eq ntp
hostname(config-service-object-group)# service-object udp destination eq domain
hostname(config)# access-list acl permit object-group usr_svc object-group locals 
object-group remote

Note The show running-config object-group and write commands allow you to display the access list as configured with the object group names. The show access-list command displays the access list entries that are expanded out into individual entries without their object groupings.


Related Commands

Command
Description

clear configure object-group

Removes all the object group commands from the configuration.

group-object

Adds network object groups.

network-object

Adds a network object to a network object group.

port-object

Adds a port object to a service object group.

show running-config object-group

Displays the current object groups.


object-group search

To enable ACL optimization, use the object-group-search access-control command in global configuration mode. Use the no form of this command to disable ACL optimization.

object-group-search access-control

[no] object-group-search access-control

Syntax Description

access-control

Searches for the access-control domain.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

8.3(1)

This command was introduced.


Usage Guidelines

The object-group-search command optimizes all ACLs in the inbound direction.

When the object-group-search command is enabled, all of the old NP rules are removed from the soft-NP and reinserted with object-group IDs. When the command is disabled, all of the old rules are removed from the soft-NP and reinserted by expanding the object groups.

Examples

The following example shows how to use the object-group-search command to enable ACL optimization:

hostname(config)# object-group-search access-control

The following is sample output from the show access-list command when object-group-search is not enabled:

hostname# show access-list KH-BLK-Tunnel
access-list KH-BLK-Tunnel; 9 elements
access-list KH-BLK-Tunnel line 1 extended permit ip object-group KH-LAN object-group 
BLK-LAN 0x724c956b
   access-list KH-BLK-Tunnel line 1 extended permit ip 192.168.97.0 255.255.255.0 
192.168.4.0 255.255.255.0 (hitcnt=10) 0x30fe29a6
   access-list KH-BLK-Tunnel line 1 extended permit ip 13.13.13.0 255.255.255.0 
192.168.4.0 255.255.255.0 (hitcnt=4) 0xc6ef2338
   access-list KH-BLK-Tunnel line 1 extended permit ip 192.168.97.0 255.255.255.0 
14.14.14.0 255.255.255.0 (hitcnt=2) 0xce8596ec
   access-list KH-BLK-Tunnel line 1 extended permit ip 13.13.13.0 255.255.255.0 14.14.14.0 
255.255.255.0 (hitcnt=0) 0x9a2f1c4d
access-list KH-BLK-Tunnel line 2 extended permit ospf interface pppoe1 host 87.139.87.200 
(hitcnt=0) 0xb62d5832
access-list KH-BLK-Tunnel line 3 extended permit ip interface pppoe1 any (hitcnt=0) 
0xa2c9ed34
access-list KH-BLK-Tunnel line 4 extended permit ip host 1.1.1.1 any (hitcnt=0) 0xd06f7e6b
access-list KH-BLK-Tunnel line 5 extended deny ip 1.1.0.0 255.255.0.0 any (hitcnt=0) 
0x9d979934
access-list KH-BLK-Tunnel line 6 extended permit ip 1.1.1.0 255.255.255.0 any (hitcnt=0) 
0xa52a0761

The following is sample output from the show access-list command when object-group-search is enabled:

hostname# show access-list KH-BLK-Tunnel
access-list KH-BLK-Tunnel; 6 elements
access-list KH-BLK-Tunnel line 1 extended permit ip object-group KH-LAN(1) object-group 
BLK-LAN(2)(hitcount=16) 0x724c956b
access-list KH-BLK-Tunnel line 2 extended permit ospf interface pppoe1 host 87.139.87.200 
(hitcnt=0) 0xb62d5832
access-list KH-BLK-Tunnel line 3 extended permit ip interface pppoe1 any (hitcnt=0) 
0xa2c9ed34
access-list KH-BLK-Tunnel line 4 extended permit ip host 1.1.1.1 any (hitcnt=0) 0xd06f7e6b
access-list KH-BLK-Tunnel line 5 extended deny ip 1.1.0.0 255.255.0.0 any (hitcnt=0) 
0x9d979934
access-list KH-BLK-Tunnel line 6 extended permit ip 1.1.1.0 255.255.255.0 any (hitcnt=0) 
0xa52a0761

Related Commands

Command
Description

clear config object-group search

Clears the object-group-search configuration.

show object-group

Shows the hit count if the object group is of the network object-group type.

show running-config object-group

Displays the current object groups.

show running-config object-group-search

Shows the object-group-search configuration in the running configuration.


object network

To configure a named network object that is reflected in all configurations in which the object is used, use the object network command in object configuration mode. Use the no form of this command to remove the object from the configuration.

object network object name [rename new_obj_name] {host ip_addr | subnet net_addr net_mask | range ip_addr_1 ip_addr_2} description text

[no] object network object name [rename new_obj_name] {host ip_addr | subnet net_addr net_mask | range ip_addr_1 ip_addr_2} description text

Syntax Description

description

Assigns a description to the network object (up to 200 characters).

host

Defines a host network object.

ip_addr

Identifies the IP address of the host network object.

ip_addr_1

Identifies the first IP address in the range.

ip_addr_2

Identifies the last IP address in the range.

net_addr

Defines the subnet network object, along with the net-mask.

net_mask

Defines the subnet network object, along with the net-addr.

new_obj_name

(Optional) Assigns a new name to the network object.

object name

Specifies the name of the network object.

range

Defines a range network object, from ip_addr_1 to ip_addr_2 inclusive.

rename

(Optional) Renames the given object to the new object name.

subnet

Defines the subnet network object, along with the net-addr and the net-mask.

text

Specifies the text of the network object description.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

8.3(1)

This command was introduced.


Usage Guidelines

The network object can contain a host, a network, or a range of IP addresses. You can also enable NAT rules on this network object.


Note You can only define a single NAT rule for a given object; if you want to configure multiple NAT rules, you need to create multiple objects that specify the same IP address, for example, object network obj-10.10.10.1-01, object network obj-10.10.10.1-02, and so on.


The object name is a required parameter that identifies the network object. The name can be from 1 to 64 characters in length, consisting of letters, numbers, and the following special characters: underscore, hyphen, comma, forward slash, and period.

A network object and a network object group share the same namespace. If a network object exists with the name abc, then you cannot create a network object group with the name abc. If necessary, you can rename the network object with the rename keyword.

A network object name should be associated with only one IP address/mask pair.

A network object should support NAT parameters.

If you configure an existing network object with a different IP address/mask pair, the new configuration will replace the existing configuration.

Examples

The following example shows how to create a network object:

hostname(config)# object network OBJECT1
hostname(config-network-object)# host 1.1.1.1
hostname(config-network-object)# object network OBJECT1
hostname(config-network-object)# host 2.2.2.2

Related Commands

Command
Description

clear configure object

Clears all objects created.


object service

To configure a service object that is automatically reflected in all configurations in which the object is used, use the object service command in service-object configuration mode. Use the no form of this command to remove the object.

object service object name [rename new_obj_name] {protocol | icmp icmp-type | icmp6 icmp6-type | tcp | udp | [source [operator] begin-port [end-port]] [[operator] begin-port [end-port]]}

[no] object service object name [rename new_obj_name] {protocol | icmp icmp-type | icmp6 icmp6-type | tcp | udp | [source [operator] begin-port [end-port]] [[operator] begin-port [end-port]]}

Syntax Description

begin-port

Specifies a supported TCP or UDP port name.

end-port

Specifies a supported TCP or UDP port name.

icmp

Specifies that the service type is for ICMP connections.

icmp6

Specifies that the service type is for ICMP version 6 connections.

icmp-type

Names the ICMP type.

icmp6-type

Names the ICMP version 6 type.

new_obj_name

Specifies the name of the newly renamed service object.

object name

Specifies the name of the existing service object.

operator

Specifies a single port/code value and supports configuring the port for the protocol.

protocol

Specifies the type of protocol being used.

rename

(Optional) Renames the given object to the new object name.

source

Specifies the source port.

tcp

Specifies that the service type is for TCP connections.

udp

Specifies that the service type is for UDP connections.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Service object configuration


Command History

Release
Modification

8.3(1)

This command was introduced.


Usage Guidelines

The service object can contain a protocol, ICMP, ICMPv6, TCP or UDP port or port ranges.

The object name is a required parameter that identifies the service object. The name can be from 1 to 64 characters in length, consisting of letters, numbers, and the following special characters: underscore, hyphen, comma, and period. The object name must start with a letter.

A service object name should be associated with only one protocol and port (or ports).

If you configure an existing service object with a different protocol and port (or ports), the new configuration replaces the existing protocol and port (or ports) with the new ones.

Operators, such as eq, neq, lt, gt, and range support configuring a port for a given protocol. If no operator is specified, the default operator is eq.

Examples

The following example shows how to create a service object:

hostname(config)# object service SERVOBJECT1
hostname(config-service-object)# service tcp source eq www destination eq ssh

Related Commands

Command
Description

clear configure object

Clears all objects created.


ocsp disable-nonce

To disable the nonce extension, use the ocsp disable-nonce command in crypto ca trustpoint configuration mode. By default, OCSP requests include a nonce extension, which cryptographically binds requests with responses to avoid replay attacks. However, some OCSP servers use pre-generated responses that do not contain this matching nonce extension. To use OCSP with these servers, you must disable the nonce extension. To re-enable the nonce extension, use the no form of this command.

ocsp disable-nonce

no ocsp disable-nonce

Syntax Description

This command has no keywords or arguments.

Defaults

By default, OCSP requests include a nonce extension.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Crypto ca trustpoint configuration


Command History

Release
Modification

7.2(1)

This command was introduced.


Usage Guidelines

When you use this command, the OCSP request does not include the OCSP nonce extension, and the adaptive security appliance does not check it.

Examples

The following example shows how to disable the nonce extension for a trustpoint called newtrust.

hostname(config)# crypto ca trustpoint newtrust
hostname(config-ca-trustpoint)# ocsp disable-nonce
hostname(config-ca-trustpoint)#

Related Commands

Command
Description

crypto ca trustpoint

Enters crypto ca trustpoint mode. Use this command in global configuration mode.

match certificate

Configures an OCSP override rule.

ocsp url

Specifies the OCSP server to use to check all certificates associated with a trustpoint.

revocation-check

Specifies the method(s) to use for revocation checking, and the order in which to try them.


ocsp url

To configure an OCSP server for the adaptive security appliance to use to check all certificates associated with a trustpoint rather than the server specified in the AIA extension of the client certificate, use the ocsp url command in crypto ca trustpoint configuration mode. To remove the server from the configuration, use the no form of this command.

ocsp url URL

no ocsp url

Syntax Description

URL

Specifies the HTTP URL of the OCSP server.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Crypto ca trustpoint configuration


Command History

Release
Modification

7.2(1)

This command was introduced.


Usage Guidelines

The adaptive security appliance supports only HTTP URLs, and you can specify only one URL per trustpoint.

The adaptive security appliance provides three ways to define an OCSP server URL, and it attempts to use OCSP servers according to how you define them, in the following order:

An OCSP server you set using match certificate command.

An OCSP server you set using the ocsp url command.

The OCSP server in the AIA field of the client certificate.

If you do not configure an OCSP URL via the match certificate command or the ocsp url command, the adaptive security appliance uses the OCSP server in the AIA extension of the client certificate. If the certificate does not have an AIA extension, revocation status checking fails.

Examples

The following example shows how to configure an OCSP server with the URL http://10.1.124.22.

hostname(config)# crypto ca trustpoint newtrust
hostname(config-ca-trustpoint)# ocsp url http://10.1.124.22
hostname(config-ca-trustpoint)#

Related Commands

Command
Description

crypto ca trustpoint

Enters crypto ca trustpoint mode. Use this command in global configuration mode.

match certificate

Configures an OCSP override rule.

ocsp disable-nonce

Disables the nonce extension of the OCSP request.

revocation-check

Specifies the method(s) to use for revocation checking, and the order in which to try them.


onscreen-keyboard

To insert an onscreen keyboard into the logon pane or all panes with a login/password requirement, use the onscreen-keyboard command in webvpn mode. To remove a previously configured onscreen keyboard, use the no version of the command.

onscreen-keyboard {logon | all}

no onscreen-keyboard [logon | all]

Syntax Description

logon

Inserts the onscreen keyboard for the logon pane.

all

Inserts the onscreen keyboard for the logon pane, and for all other panes with a login/password requirement.


Defaults

No onscreen keyboard.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Webvpn configuration mode


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

The onscreen keyboard lets you enter user credentials without keystrokes.

Examples

The following example shows how to enable the onscreen keyboard for the logon page:

hostname(config)# webvpn
hostname(config-webvpn)# onscreen-keyboard logon
hostname(config-webvpn)#

Related Commands

Command
Description

webvpn

Enters webvpn mode, which lets you configure attributes for clientless SSLVPN connections.


ospf authentication

To enable the use of OSPF authentication, use the ospf authentication command in interface configuration mode. To restore the default authentication stance, use the no form of this command.

ospf authentication [message-digest | null]

no ospf authentication

Syntax Description

message-digest

(Optional) Specifies to use OSPF message digest authentication.

null

(Optional) Specifies to not use OSPF authentication.


Defaults

By default, OSPF authentication is not enabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

Before using the ospf authentication command, configure a password for the interface using the ospf authentication-key command. If you use the message-digest keyword, configure the message-digest key for the interface with the ospf message-digest-key command.

For backward compatibility, authentication type for an area is still supported. If the authentication type is not specified for an interface, the authentication type for the area will be used (the area default is null authentication).

When this command is used without any options, simple password authentication is enabled.

Examples

The following example shows how to enable simple password authentication for OSPF on the selected interface:

hostname(config-if)# ospf authentication
hostname(config-if)# 

Related Commands

Command
Description

ospf authentication-key

Specifies the password used by neighboring routing devices.

ospf message-digest-key

Enables MD5 authentication and specifies the MD5 key.


ospf authentication-key

To specify the password used by neighboring routing devices, use the ospf authentication-key command in interface configuration mode. To remove the password, use the no form of this command.

ospf authentication-key [0 | 8] password

no ospf authentication-key

Syntax Description

0

Specifies an unencrypted password will follow.

8

Specifies an encrypted password will follow.

password

Assigns an OSPF authentication password for use by neighboring routing devices. The password must be less than 9 characters. You can include blank space between two characters. Spaces at the beginning or end of the password are ignored.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The password created by this command is used as a key that is inserted directly into the OSPF header when routing protocol packets are originated. A separate password can be assigned to each network on a per-interface basis. All neighboring routers on the same network must have the same password to be able to exchange OSPF information.
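The two authentication types behind these commands, as an added Python model (not the ASA's implementation) of RFC 2328 Appendix D: with ospf authentication the password is carried in the clear in the 64-bit Authentication field of every packet, which is why it only guards against accidental neighbors, while with ospf message-digest-key the field carries a key ID and a cryptographic sequence number and a 16-byte MD5 digest over the packet plus the key is appended. All packet contents are constructed; the body is a placeholder rather than a real hello.

```python
"""OSPF packet authentication per RFC 2328 Appendix D. Added model with
constructed packets; it is not the ASA's code."""
import hashlib
import hmac
import struct

# OSPF header: version, type, length, router-id, area-id, checksum, autype, auth
OSPF_HEADER = struct.Struct("!BBHIIHH8s")
AUTH_NULL, AUTH_SIMPLE, AUTH_MD5 = 0, 1, 2
HELLO = 1


def _header(length, router_id, area_id, autype, auth_field):
    # Checksum is left 0 here; with AuType 2 it must be 0 anyway.
    return OSPF_HEADER.pack(2, HELLO, length, router_id, area_id, 0, autype, auth_field)


def build_simple(body, password, router_id=0x0A000001, area_id=0):
    """AuType 1 (ospf authentication): the password, at most 8 bytes,
    is zero-padded and written directly into the Authentication field."""
    pw = password.encode()
    if len(pw) > 8:
        raise ValueError("simple password must be less than 9 characters")
    length = OSPF_HEADER.size + len(body)
    return _header(length, router_id, area_id, AUTH_SIMPLE, pw.ljust(8, b"\0")) + body


def password_in_clear(packet):
    """Return the password exactly as an observer on the link sees it."""
    return OSPF_HEADER.unpack_from(packet)[7].rstrip(b"\0").decode()


def _md5_digest(packet, key):
    # D.4.3: MD5 over the packet with the 16-byte zero-padded key appended.
    return hashlib.md5(packet + key.encode().ljust(16, b"\0")).digest()


def build_md5(body, key_id, key, seq, router_id=0x0A000001, area_id=0):
    """AuType 2 (ospf message-digest-key): the Authentication field holds
    0x0000, key-id, auth-data-len 16 and a cryptographic sequence number;
    the digest is appended after the packet and not counted in length."""
    if len(key.encode()) > 16:
        raise ValueError("MD5 key must be at most 16 characters")
    auth_field = struct.pack("!HBBI", 0, key_id, 16, seq)
    length = OSPF_HEADER.size + len(body)
    packet = _header(length, router_id, area_id, AUTH_MD5, auth_field) + body
    return packet + _md5_digest(packet, key)


def verify_md5(packet, keys, last_seq=None):
    """Receiver side: select the key by key-id, recompute the digest and
    compare in constant time, and reject a sequence number that does not
    advance beyond the last one accepted from this neighbor (replay)."""
    if len(packet) < OSPF_HEADER.size:
        return False
    _, _, length, _, _, checksum, autype, auth = OSPF_HEADER.unpack_from(packet)
    if autype != AUTH_MD5 or checksum != 0 or len(packet) != length + 16:
        return False
    _, key_id, auth_len, seq = struct.unpack("!HBBI", auth)
    if auth_len != 16 or key_id not in keys:
        return False
    if last_seq is not None and seq <= last_seq:
        return False
    expected = _md5_digest(packet[:length], keys[key_id])
    return hmac.compare_digest(expected, packet[length:])
```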

Examples

The following example shows how to specify a password for OSPF authentication:

hostname(config-if)# ospf authentication-key 8 yWIvi0qJAnGK5MRWQzrhIohkGP1wKb

Related Commands

Command
Description

area authentication

Enables OSPF authentication for the specified area.

ospf authentication

Enables the use of OSPF authentication.


ospf cost

To specify the cost of sending a packet through the interface, use the ospf cost command in interface configuration mode. To reset the interface cost to the default value, use the no form of this command.

ospf cost interface_cost

no ospf cost

Syntax Description

interface_cost

The cost (a link-state metric) of sending a packet through an interface. This is an unsigned integer value from 0 to 65535. 0 represents a network that is directly connected to the interface, and the higher the interface bandwidth, the lower the associated cost to send packets across that interface. In other words, a large cost value represents a low bandwidth interface and a small cost value represents a high bandwidth interface.

The OSPF interface default cost on the adaptive security appliance is 10. This default differs from Cisco IOS software, where the default cost is 1 for fast Ethernet and Gigabit Ethernet and 10 for 10BaseT. This is important to take into account if you are using ECMP in your network.


Defaults

The default interface_cost is 10.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The ospf cost command lets you explicitly specify the cost of sending a packet on an interface. The interface_cost parameter is an unsigned integer value from 0 to 65535.

The no ospf cost command allows you to reset the path cost to the default value.

Examples

The following example shows how to specify the cost of sending a packet on the selected interface:

hostname(config-if)# ospf cost 4

Related Commands

Command
Description

show running-config interface

Displays the configuration of the specified interface.


ospf database-filter

To filter out all outgoing LSAs to an OSPF interface during synchronization and flooding, use the ospf database-filter command in interface configuration mode. To restore the LSAs, use the no form of this command.

ospf database-filter all out

no ospf database-filter all out

Syntax Description

all out

Filters all outgoing LSAs to an OSPF interface.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The ospf database-filter command filters outgoing LSAs to an OSPF interface. The no ospf database-filter all out command restores the forwarding of LSAs to the interface.

Examples

The following example shows how to use the ospf database-filter command to filter outgoing LSAs:

hostname(config-if)# ospf database-filter all out

Related Commands

Command
Description

show interface

Displays interface status information.


ospf dead-interval

To specify the interval before neighbors declare a router down, use the ospf dead-interval command in interface configuration mode. To restore the default value, use the no form of this command.

ospf dead-interval seconds

no ospf dead-interval

Syntax Description

seconds

The length of time during which no hello packets are seen. The default for seconds is four times the interval set by the ospf hello-interval command (which ranges from 1 to 65535).


Defaults

The default value for seconds is four times the interval set by the ospf hello-interval command.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The ospf dead-interval command lets you set the dead interval, the length of time during which no hello packets are seen before neighbors declare the router down. The seconds argument specifies the dead interval and must be the same for all nodes on the network. The default for seconds is four times the interval set by the ospf hello-interval command (which ranges from 1 to 65535).

The no ospf dead-interval command lets restores the default interval value.

Examples

The following example sets the OSPF dead interval to 1 minute:

hostname(config-if)# ospf dead-interval 60

Related Commands

Command
Description

ospf hello-interval

Specifies the interval between hello packets sent on an interface.

show ospf interface

Displays OSPF-related interface information.


ospf hello-interval

To specify the interval between hello packets sent on an interface, use the ospf hello-interval command in interface configuration mode. To return the hello interval to the default value, use the no form of this command.

ospf hello-interval seconds

no ospf hello-interval

Syntax Description

seconds

Specifies the interval between hello packets that are sent on the interface; valid values are from 1 to 65535 seconds.


Defaults

The default value for hello-interval seconds is 10 seconds.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

This value is advertised in the hello packets. The smaller the hello interval, the faster topological changes will be detected, but more routing traffic will ensue. This value must be the same for all routers and access servers on a specific network.

Examples

The following example sets the OSPF hello interval to 5 seconds:

hostname(config-if)# ospf hello-interval 5

Related Commands

Command
Description

ospf dead-interval

Specifies the interval before neighbors declare a router down.

show ospf interface

Displays OSPF-related interface information.


ospf message-digest-key

To enable OSPF MD5 authentication, use the ospf message-digest-key command in interface configuration mode. To remove an MD5 key, use the no form of this command.

ospf message-digest-key key-id md5 [0 | 8] key

no ospf message-digest-key

Syntax Description

key-id

Enables MD5 authentication and specifies the numerical authentication key ID number; valid values are from 1 to 255.

md5 key

Alphanumeric password of up to 16 bytes. You can include spaces between key characters. Spaces at the beginning or end of the key are ignored. MD5 authentication verifies the integrity of the communication, authenticates the origin, and checks for timeliness.

0

Specifies that an unencrypted password follows.

8

Specifies that an encrypted password follows.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The ospf message-digest-key command enables MD5 authentication. The no form of the command removes an old MD5 key. The key-id argument is a numerical identifier from 1 to 255 for the authentication key, and key is an alphanumeric password of up to 16 bytes. MD5 authentication verifies the integrity of the communication, authenticates the origin, and checks for timeliness. Configuring a key by itself does not protect the adjacency: authentication must also be turned on for the interface with the ospf authentication command (or for the area with the area authentication command), and the neighbor on the link must be configured with the same key ID and key.

Examples

The following example shows how to specify an MD5 key for OSPF authentication:

hostname(config-if)# ospf message-digest-key 3 md5 8 yWIvi0qJAnGK5MRWQzrhIohkGP1wKb
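The three properties the usage guidelines claim for MD5 authentication (integrity, origin, timeliness) come from how the digest is built and checked, which the CLI line does not show. The following Python example is added here and is not code from the Cisco reference; it models OSPFv2 cryptographic authentication as described in RFC 2328 Appendix D (AuType 2, key padded to 16 bytes, digest appended after the OSPF packet, non-decreasing cryptographic sequence number per neighbor). The router ID, key ID 3, the key `example-key`, and the all-zero 20-byte body are constructed values for the demo.

```python
import hashlib
import hmac
import struct
from typing import Dict, Tuple

# Constants from RFC 2328 (OSPFv2): AuType 2 is cryptographic authentication,
# the appended message digest is 16 bytes, and the 24-byte header carries the
# key ID and the cryptographic sequence number in its authentication field.
OSPF_VERSION = 2
AU_CRYPTOGRAPHIC = 2
HEADER_LEN = 24
DIGEST_LEN = 16


def _pad_key(key: bytes) -> bytes:
    """A key shorter than 16 bytes is right-padded with zero bytes before hashing."""
    if len(key) > DIGEST_LEN:
        raise ValueError("OSPF MD5 keys are at most 16 bytes")
    return key.ljust(DIGEST_LEN, b"\x00")


def build_packet(ptype: int, router_id: int, area_id: int, body: bytes,
                 key_id: int, key: bytes, seq: int) -> bytes:
    """Sender side: return an OSPF packet with the MD5 digest appended.

    The OSPF length field covers header + body only; the digest follows the
    packet and is counted only in the IP length. The OSPF checksum field is
    left at zero because AuType 2 does not use it.
    """
    if not 1 <= key_id <= 255:
        raise ValueError("key-id must be 1..255")
    length = HEADER_LEN + len(body)
    auth_field = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    header = struct.pack("!BBHIIHH", OSPF_VERSION, ptype, length, router_id,
                         area_id, 0, AU_CRYPTOGRAPHIC) + auth_field
    packet = header + body
    digest = hashlib.md5(packet + _pad_key(key)).digest()
    return packet + digest


def verify_packet(packet: bytes, keys: Dict[int, bytes],
                  last_seq: Dict[int, int]) -> Tuple[bool, str]:
    """Receiver side: check digest (integrity + origin) and sequence (timeliness).

    keys maps key-id -> key for this interface; last_seq maps neighbor
    router-id -> highest sequence number accepted so far and is updated on
    success. A sequence number lower than the last accepted one is a replay.
    """
    if len(packet) < HEADER_LEN + DIGEST_LEN:
        return False, "packet too short"
    (version, _ptype, length, router_id, _area, _csum,
     autype) = struct.unpack("!BBHIIHH", packet[:16])
    _zero, key_id, auth_len, seq = struct.unpack("!HBBI", packet[16:24])
    if version != OSPF_VERSION or autype != AU_CRYPTOGRAPHIC:
        return False, "not an OSPFv2 cryptographic-auth packet"
    if auth_len != DIGEST_LEN or length + DIGEST_LEN != len(packet):
        return False, "length fields inconsistent"
    key = keys.get(key_id)
    if key is None:
        return False, f"unknown key-id {key_id}"
    expected = hashlib.md5(packet[:length] + _pad_key(key)).digest()
    received = packet[length:length + DIGEST_LEN]
    if not hmac.compare_digest(received, expected):   # constant-time compare
        return False, "digest mismatch (integrity or origin failure)"
    if seq < last_seq.get(router_id, 0):
        return False, "sequence number went backwards (replay)"
    last_seq[router_id] = seq
    return True, "ok"


if __name__ == "__main__":
    keys = {3: b"example-key"}          # constructed key-id/key for the demo
    state: Dict[int, int] = {}
    hello = build_packet(1, 0x0A000001, 0, b"\x00" * 20, 3, keys[3], seq=100)
    print(verify_packet(hello, keys, state))        # (True, 'ok')
    tampered = hello[:30] + bytes([hello[30] ^ 1]) + hello[31:]
    print(verify_packet(tampered, keys, state))     # digest mismatch
    replay = build_packet(1, 0x0A000001, 0, b"\x00" * 20, 3, keys[3], seq=99)
    print(verify_packet(replay, keys, state))       # replay rejected
```

The key ID travels in the clear, so a receiver with several keys configured can select the right one, but only a neighbor holding that exact key produces a matching digest. Note that the sequence number only protects against replay of older packets; a captured packet with the current sequence number is still accepted, which is why the key itself must stay secret.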

Related Commands

Command
Description

area authentication

Enables OSPF area authentication.

ospf authentication

Enables the use of OSPF authentication.


ospf mtu-ignore

To disable OSPF maximum transmission unit (MTU) mismatch detection on receiving database packets, use the ospf mtu-ignore command in interface configuration mode. To restore MTU mismatch detection, use the no form of this command.

ospf mtu-ignore

no ospf mtu-ignore

Syntax Description

This command has no arguments or keywords.

Defaults

By default, OSPF MTU mismatch detection is enabled; that is, ospf mtu-ignore is not configured.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

OSPF checks whether neighbors are using the same MTU on a common interface. This check is performed when neighbors exchange Database Descriptor (DBD) packets. If the receiving MTU in the DBD packet is higher than the IP MTU configured on the incoming interface, OSPF adjacency will not be established. The ospf mtu-ignore command disables OSPF MTU mismatch detection on receiving DBD packets. MTU mismatch detection is enabled by default; suppress it only when you have confirmed that the mismatch is cosmetic, because larger LSAs from the neighbor can otherwise be fragmented or dropped.

Examples

The following example shows how to disable OSPF MTU mismatch detection on the selected interface:

hostname(config-if)# ospf mtu-ignore

Related Commands

Command
Description

show interface

Displays interface status information.


ospf network point-to-point non-broadcast

To configure the OSPF interface as a point-to-point, non-broadcast network, use the ospf network point-to-point non-broadcast command in interface configuration mode. To remove this command from the configuration, use the no form of this command. The ospf network point-to-point non-broadcast command lets you transmit OSPF routes over VPN tunnels.

ospf network point-to-point non-broadcast

no ospf network point-to-point non-broadcast

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

When the interface is specified as point-to-point, the OSPF neighbors have to be manually configured; dynamic discovery is not possible. To manually configure OSPF neighbors, use the neighbor command in router configuration mode.

When an interface is configured as point-to-point, the following restrictions apply:

You can define only one neighbor for the interface.

You need to define a static route pointing to the crypto endpoint.

The interface cannot form adjacencies unless neighbors are configured explicitly.

If OSPF over the tunnel is running on the interface, regular OSPF with an upstream router cannot be run on the same interface.

You should bind the crypto-map to the interface before specifying the OSPF neighbor to ensure that the OSPF updates are passed through the VPN tunnel. If you bind the crypto-map to the interface after specifying the OSPF neighbor, use the clear local-host all command to clear OSPF connections so the OSPF adjacencies can be established over the VPN tunnel.

Examples

The following example shows how to configure the selected interface as a point-to-point, non-broadcast interface:

hostname(config-if)# ospf network point-to-point non-broadcast
hostname(config-if)#

Related Commands

Command
Description

neighbor

Specifies manually configured OSPF neighbors.

show interface

Displays interface status information.


ospf priority

To change the OSPF router priority, use the ospf priority command in interface configuration mode. To restore the default priority, use the no form of this command.

ospf priority number

no ospf priority [number]

Syntax Description

number

Specifies the priority of the router; valid values are from 0 to 255.


Defaults

The default value for number is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

When two routers attached to a network both attempt to become the designated router, the one with the higher router priority takes precedence. If there is a tie, the router with the higher router ID takes precedence. A router with a router priority set to zero is ineligible to become the designated router or backup designated router. Router priority is configured only for interfaces to multiaccess networks (in other words, not to point-to-point networks).
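The election rules in the paragraph above (higher priority wins, ties go to the higher router ID, priority 0 is never elected) decide which router's LSDB copy the segment depends on, so it is worth seeing them run. The following Python example is added here and is not Cisco's code; it is a simplified model of the DR/BDR election in RFC 2328 section 9.4, including the rule that an established DR is not preempted when a higher-priority router joins and that the BDR is promoted when the DR disappears. The router IDs and priorities in the demo are constructed values.

```python
import ipaddress
from typing import Dict, Optional, Tuple

Router = str     # router ID in dotted-decimal form
Priority = int   # 0..255, as set with "ospf priority"


def _rank(router_id: Router, priority: Priority) -> Tuple[int, int]:
    """Higher priority wins; ties go to the numerically higher router ID."""
    return (priority, int(ipaddress.IPv4Address(router_id)))


def elect_dr_bdr(routers: Dict[Router, Priority],
                 current_dr: Optional[Router] = None,
                 current_bdr: Optional[Router] = None
                 ) -> Tuple[Optional[Router], Optional[Router]]:
    """Return (DR, BDR) for a multiaccess segment.

    routers maps router ID -> configured priority for every router currently
    seen on the segment. current_dr/current_bdr are the roles before this
    election (None for a fresh segment). This is a reduced model of RFC 2328
    section 9.4: it keeps the non-preemption and BDR-promotion rules but does
    not model the hello-based "declared DR" fields.
    """
    for rid, prio in routers.items():
        if not 0 <= prio <= 255:
            raise ValueError(f"priority {prio} out of range for {rid}")
    eligible = {r: p for r, p in routers.items() if p > 0}  # priority 0: never DR/BDR
    if not eligible:
        return None, None
    if current_dr in eligible:            # an established DR is not preempted
        dr = current_dr
    elif current_bdr in eligible:         # BDR takes over when the DR disappears
        dr = current_bdr
    else:
        dr = max(eligible, key=lambda r: _rank(r, eligible[r]))
    candidates = {r: p for r, p in eligible.items() if r != dr}
    if current_bdr in candidates:
        bdr = current_bdr
    elif candidates:
        bdr = max(candidates, key=lambda r: _rank(r, candidates[r]))
    else:
        bdr = None
    return dr, bdr


if __name__ == "__main__":
    # Constructed segment: 10.0.0.3 is priority 0 (ineligible), 10.0.0.4 has
    # the highest priority, 10.0.0.1 and 10.0.0.2 tie at the default of 1.
    segment = {"10.0.0.1": 1, "10.0.0.2": 1, "10.0.0.3": 0, "10.0.0.4": 4}
    dr, bdr = elect_dr_bdr(segment)
    print("fresh election:", dr, bdr)                        # 10.0.0.4 10.0.0.2
    segment["10.0.0.9"] = 255                                # late joiner, priority 255
    print("after join:", elect_dr_bdr(segment, dr, bdr))     # DR unchanged
    del segment["10.0.0.4"]
    print("after DR loss:", elect_dr_bdr(segment, dr, bdr))  # 10.0.0.2 promoted
```

The practical consequence for the ospf priority command: raising the priority on an appliance that joins an already converged segment does not make it the DR until the current DR and BDR go away (or OSPF is cleared on them), and setting priority 0 is the reliable way to keep a device out of the DR/BDR roles entirely.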

Examples

The following example shows how to change the OSPF priority on the selected interface:

hostname(config-if)# ospf priority 4
hostname(config-if)# 

Related Commands

Command
Description

show ospf interface

Displays OSPF-related interface information.


ospf retransmit-interval

To specify the time between LSA retransmissions for adjacencies belonging to the interface, use the ospf retransmit-interval command in interface configuration mode. To restore the default value, use the no form of this command.

ospf retransmit-interval seconds

no ospf retransmit-interval [seconds]

Syntax Description

seconds

Specifies the time between LSA retransmissions for adjacent routers belonging to the interface; valid values are from 1 to 65535 seconds.


Defaults

The default value of retransmit-interval seconds is 5 seconds.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

When a router sends an LSA to its neighbor, it keeps the LSA until it receives the acknowledgment message. If the router receives no acknowledgment, it will re-send the LSA.

The setting of this parameter should be conservative, or needless retransmission will result. The value should be larger for serial lines and virtual links.

Examples

The following example shows how to change the retransmit interval for LSAs:

hostname(config-if)# ospf retransmit-interval 15
hostname(config-if)# 

Related Commands

Command
Description

show ospf interface

Displays OSPF-related interface information.


ospf transmit-delay

To set the estimated time required to send a link-state update packet on the interface, use the ospf transmit-delay command in interface configuration mode. To restore the default value, use the no form of this command.

ospf transmit-delay seconds

no ospf transmit-delay [seconds]

Syntax Description

seconds

Sets the estimated time required to send a link-state update packet on the interface. The default value is 1 second with a range from 1 to 65535 seconds.


Defaults

The default value of seconds is 1 second.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

LSAs in the update packet must have their ages incremented by the amount specified in the seconds argument before transmission. The value assigned should take into account the transmission and propagation delays for the interface.

If the delay is not added before transmission over a link, the time in which the LSA propagates over the link is not considered. This setting has more significance on very low-speed links.

Examples

The following example sets the transmit delay to 3 seconds for the selected interface:

hostname(config-if)# ospf transmit-delay 3
hostname(config-if)#

Related Commands

Command
Description

show ospf interface

Displays OSPF-related interface information.


otp expiration

To specify the duration in hours that an issued One-Time Password (OTP) for the local Certificate Authority (CA) enrollment page is valid, use the otp expiration command in CA server configuration mode. To reset the duration to the default number of hours, use the no form of this command.

otp expiration timeout

no otp expiration

Syntax Description

timeout

Specifies the time in hours users have to enroll for a certificate from the local CA before the OTP for the enrollment page expires. Valid values range from 1 to 720 hours (30 days).


Defaults

By default, the OTP expiration for certificate enrollment is 72 hours (3 days).

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

CA server configuration


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

The OTP expiration period specifies the number of hours that a user has to log in to the enrollment page of the CA server. Once the user logs in and enrolls for a certificate, the time period specified by the enrollment-retrieval command starts. Because the same OTP also unlocks the user's PKCS12 file (see the note below), a shorter expiration narrows the window in which an intercepted OTP is useful.


Note The user OTP for enrolling for a certificate with the enrollment interface page is also used as the password to unlock the PKCS12 file containing that user's issued certificate and keypair.


Examples

The following example specifies that the OTP for the enrollment page applies for 24 hours:

hostname(config)# crypto ca server
hostname(config-ca-server)# otp expiration 24
hostname(config-ca-server)# 

The following example resets the OTP duration to the default of 72 hours:

hostname(config)# crypto ca server
hostname(config-ca-server)# no otp expiration
hostname(config-ca-server)# 

Related Commands

Command
Description

crypto ca server

Provides access to the CA server configuration mode command set, which lets you configure and manage the local CA.

enrollment-retrieval

Specifies the time in hours that an enrolled user can retrieve a PKCS12 enrollment file.

show crypto ca server

Displays the certificate authority configuration.


outstanding

To limit the number of unauthenticated e-mail proxy sessions, use the outstanding command in the applicable e-mail proxy configuration mode. To remove the attribute from the configuration, use the no version of this command.

outstanding {number}

no outstanding

Syntax Description

number

The number of unauthenticated sessions permitted. The range is from 1 to 1000.


Defaults

The default is 20.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Pop3s

Imap4s

Smtps


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The limit mitigates DoS attacks against the e-mail proxy ports, in which an attacker opens many connections and never authenticates. Use the no version of this command to remove the attribute from the configuration, which permits an unlimited number of unauthenticated sessions.

E-mail proxy connections have three states:

1. A new e-mail connection enters the "unauthenticated" state.

2. When the connection presents a username, it enters the "authenticating" state.

3. When the adaptive security appliance authenticates the connection, it enters the "authenticated" state.

If the number of connections in the unauthenticated state exceeds the configured limit, the adaptive security appliance terminates the oldest unauthenticated connection, preventing overload. It does not terminate authenticated connections.
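The eviction rule in the paragraphs above is what makes the limit a DoS control rather than a hard cap: an attacker holding idle connections only ever evicts other idle connections, never an authenticated user. The following Python example is added here and is not Cisco's code; it models the three connection states and the "terminate the oldest unauthenticated connection" behaviour for one e-mail proxy. It assumes that only connections still in the "unauthenticated" state count against the limit (the page does not say whether "authenticating" connections count), and that the no form of the command is represented by a limit of None. The flood scenario in flood_demo is constructed for the demo.

```python
from collections import OrderedDict
from enum import Enum
from typing import Dict, List, Optional


class State(Enum):
    UNAUTHENTICATED = "unauthenticated"   # connected, no username yet
    AUTHENTICATING = "authenticating"     # username presented, waiting on AAA
    AUTHENTICATED = "authenticated"       # AAA accepted the credentials


class OutstandingLimiter:
    """Model of one proxy's 'outstanding' limit on unauthenticated sessions."""

    def __init__(self, outstanding: Optional[int] = 20) -> None:
        # None models 'no outstanding': no limit at all. Default is 20.
        if outstanding is not None and not 1 <= outstanding <= 1000:
            raise ValueError("outstanding must be 1..1000")
        self.outstanding = outstanding
        self._conns: "OrderedDict[int, State]" = OrderedDict()  # oldest first
        self._next_id = 1
        self.terminated: List[int] = []

    def new_connection(self) -> int:
        cid = self._next_id
        self._next_id += 1
        self._conns[cid] = State.UNAUTHENTICATED
        self._enforce_limit()
        return cid

    def present_username(self, cid: int) -> None:
        self._transition(cid, State.UNAUTHENTICATED, State.AUTHENTICATING)

    def aaa_accept(self, cid: int) -> None:
        self._transition(cid, State.AUTHENTICATING, State.AUTHENTICATED)

    def state(self, cid: int) -> Optional[State]:
        return self._conns.get(cid)   # None once the connection was terminated

    def count(self, state: State) -> int:
        return sum(1 for s in self._conns.values() if s is state)

    def _transition(self, cid: int, expected: State, new: State) -> None:
        if self._conns.get(cid) is not expected:
            raise ValueError(f"connection {cid} is not {expected.value}")
        self._conns[cid] = new

    def _enforce_limit(self) -> None:
        if self.outstanding is None:
            return
        # Assumption: only the UNAUTHENTICATED state counts; authenticated
        # connections are never candidates for eviction.
        while self.count(State.UNAUTHENTICATED) > self.outstanding:
            oldest = next(c for c, s in self._conns.items()
                          if s is State.UNAUTHENTICATED)
            del self._conns[oldest]
            self.terminated.append(oldest)


def flood_demo(limit: Optional[int], attacker_connections: int) -> Dict[str, object]:
    """One legitimate user logs in, then an attacker opens idle connections."""
    proxy = OutstandingLimiter(limit)
    user = proxy.new_connection()
    proxy.present_username(user)
    proxy.aaa_accept(user)
    attackers = [proxy.new_connection() for _ in range(attacker_connections)]
    return {
        "user_state": proxy.state(user).value,
        "unauthenticated": proxy.count(State.UNAUTHENTICATED),
        "terminated": list(proxy.terminated),
        "surviving_attackers": [c for c in attackers if proxy.state(c) is not None],
    }


if __name__ == "__main__":
    print(flood_demo(3, 5))     # user stays authenticated; oldest idle ones evicted
    print(flood_demo(None, 5))  # 'no outstanding': nothing is ever evicted
```

Sizing note: the limit should be somewhat above the number of users who can realistically be mid-login at once, since a legitimate user who is slow to send a username is as evictable as an attacker's idle socket.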

Examples

The following example shows how to set a limit of 12 unauthenticated sessions for the POP3S e-mail proxy:

hostname(config)# pop3s
hostname(config-pop3s)# outstanding 12


override-account-disable

To override an account-disabled indication from a AAA server, use the override-account-disable command in tunnel-group general-attributes configuration mode. To disable an override, use the no form of this command.

override-account-disable

no override-account-disable

Syntax Description

This command has no arguments or keywords.

Defaults

This command is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Tunnel-group general-attributes configuration


Command History

Release
Modification

7.1.1

This command was introduced.


Usage Guidelines

This command is valid for servers, such as RADIUS with NT, LDAP, and Kerberos, that return an "account-disabled" indication. Because it bypasses a deny decision made by the AAA server, enable it only on tunnel groups where that behavior is deliberate, and review those tunnel groups when auditing who can establish a VPN session.

You can configure this attribute for IPSec RA and WebVPN tunnel-groups.

Examples

The following example allows overriding the "account-disabled" indicator from the AAA server for the WebVPN tunnel group "testgroup":

hostname(config)# tunnel-group testgroup type webvpn
hostname(config)# tunnel-group testgroup general-attributes
hostname(config-tunnel-general)# override-account-disable
hostname(config-tunnel-general)#

The following example allows overriding the "account-disabled" indicator from the AAA server for the IPSec remote access tunnel group "QAgroup":

hostname(config)# tunnel-group QAgroup type ipsec-ra
hostname(config)# tunnel-group QAgroup general-attributes
hostname(config-tunnel-general)# override-account-disable
hostname(config-tunnel-general)#

Related Commands

Command
Description

clear configure tunnel-group

Clears the tunnel-group database or the configuration for a particular tunnel group.

tunnel-group general-attributes

Configures the tunnel-group general-attributes values.


override-svc-download

To configure the connection profile to override the group policy or username attributes configuration for downloading an AnyConnect or SSL VPN client, use the override-svc-download command from tunnel-group webvpn attributes configuration mode. To remove the command from the configuration, use the no form of the command:

override-svc-download enable

no override-svc-download enable

Defaults

The default is disabled. The adaptive security appliance does not override the group policy or username attributes configuration for downloading the client.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Tunnel-group webvpn configuration


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

The security appliance allows clientless, AnyConnect, or SSL VPN client connections for remote users based on whether clientless and/or SSL VPN is enabled in the group policy or username attributes with the vpn-tunnel-protocol command. The svc ask command further modifies the client user experience by prompting the user to download the client or return to the WebVPN home page.

However, you may want clientless users logging in under specific tunnel groups to not experience delays waiting for the download prompt to expire before being presented with the clientless SSL VPN home page. You can prevent delays for these users at the connection profile level with the override-svc-download command. This command causes users logging through a connection profile to be immediately presented with the clientless SSL VPN home page regardless of the vpn-tunnel-protocol or svc ask command settings.

Examples

In the following example, the user enters tunnel-group webvpn attributes configuration mode for the connection profile engineering and enables the connection profile to override the group policy and username attribute settings for client download prompts:

hostname(config)# tunnel-group engineering webvpn-attributes
hostname(config-tunnel-webvpn)# override-svc-download enable

Related Commands

Command
Description

show webvpn svc

Displays information about installed SSL VPN clients.

svc

Enables or requires the SSL VPN client for a specific group or user.

svc image

Specifies a client package file that the adaptive security appliance expands in cache memory for downloading to remote PCs.