Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference, 3.1
quit through router-id

Table Of Contents

quit through router-id Commands

quit

radius-common-pw

radius-with-expiry

reactivation-mode

redistribute

reload

remote-access threshold session-threshold-exceeded

rename

replication http

request-command deny

request-method

request-queue

resource acl-partition

retry-interval

re-xauth

rip

rmdir

route

route-map

router ospf

router-id


quit through router-id Commands


quit

To exit the current configuration mode, or to log out from privileged or user EXEC modes, use the quit command.

quit

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

User EXEC


Command History

Release
Modification

1.1(1)

This command was introduced.


Usage Guidelines

You can also use the key sequence Ctrl Z to exit global configuration (and higher) modes. This key sequence does not work with privileged or user EXEC modes.

When you enter the quit command in privileged or user EXEC modes, you log out from the FWSM. Use the disable command to return to user EXEC mode from privileged EXEC mode.

Examples

The following example shows how to use the quit command to exit global configuration mode, and then logout from the session:

hostname(config)# quit
hostname# quit

Logoff

The following example shows how to use the quit command to exit global configuration mode, and then use the disable command to exit privileged EXEC mode:

hostname(config)# quit
hostname# disable
hostname>

Related Commands

Command
Description

exit

Exits a configuration mode or logs out from privileged or user EXEC modes.


radius-common-pw

To specify a common password to be used for all users whose VPN access is authorized by a RADIUS authorization server, use the radius-common-pw command in AAA-server host mode. To remove this specification, use the no form of this command:

radius-common-pw password

no radius-common-pw

Syntax Description

password

A case-sensitive, alphanumeric keyword of up to 127 characters to be used as a common password for all authorization transactions with the RADIUS server specified with the aaa-server host command.


Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Aaa-server host


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

This command is valid only for RADIUS authorization servers.

The RADIUS authorization server requires a password and username for each connecting user. The FWSM provides the username automatically. You enter the password here. The RADIUS server administrator must configure the RADIUS server to associate this password with each user authorizing to the server via this FWSM. Be sure to provide this information to your RADIUS server administrator.

If you do not specify a common user password, each user password is the username of the user. For example, the default RADIUS authorization for a user with the username "jsmith" is "jsmith". If you are using usernames for the common user passwords, as a security precaution do not use this RADIUS server for authorization anywhere else on your network.


Note The password field is required by the RADIUS protocol and the RADIUS server requires it; however, users do not need to know it.


Examples

The following example configures a RADIUS AAA server group named "svrgrp1" on host "1.2.3.4", sets the timeout interval to 9 seconds, sets the retry interval to 7 seconds, and configures the RADIUS common password as "allauthpw".

hostname(config)# aaa-server svrgrp1 protocol radius
hostname(config-aaa-server-group)# aaa-server svrgrp1 host 1.2.3.4
hostname(config-aaa-server-host)# timeout 9
hostname(config-aaa-server-host)# retry 7
hostname(config-aaa-server-host)# radius-common-pw allauthpw

Related Commands

Command
Description

aaa-server host

Enters AAA server host configuration mode so that you can configure AAA server parameters that are host-specific.

clear configure aaa-server

Removes all AAA command statements from the configuration.

show running-config aaa-server

Displays AAA server statistics for all AAA servers, for a particular server group, for a particular server within a particular group, or for a particular protocol.


radius-with-expiry

To have the FWSM use MS-CHAPv2 to negotiate a password update with the user during authentication, use the radius-with-expiry command in tunnel-group ipsec-attributes configuration mode. The FWSM ignores this command if RADIUS authentication has not been configured.

To return to the default value, use the no form of this command.

radius-with-expiry

no radius-with-expiry

Syntax Description

This command has no arguments or keywords.

Defaults

The default setting for this command is disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Tunnel-group ipsec-attributes configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

You can apply this attribute to IPSec remote-access tunnel-group type only.

Examples

The following example, entered in tunnel-group ipsec-attributes configuration mode, configures RADIUS with expiry for the remote-access tunnel group named remotegrp:

hostname(config)# tunnel-group remotegrp type ipsec_ra
hostname(config)# tunnel-group remotegrp ipsec-attributes
hostname(config-ipsec)# radius-with-expiry
hostname(config-ipsec)# 

Related Commands

Command
Description

clear configure tunnel-group

Clears all configured tunnel groups.

show running-config tunnel-group

Shows the indicated certificate map entry.

tunnel-group-map default-group

Associates the certificate map entries created using the crypto ca certificate map command with tunnel groups.


reactivation-mode

To specify the method (reactivation policy) by which failed servers in a group are reactivated, use the reactivation-mode command in AAA-server group mode. To remove this specification, use the no form of this command:

reactivation-mode depletion [deadtime minutes]

reactivation-mode timed

no reactivation-mode

Syntax Description

deadtime minutes

(Optional) Specifies the amount of time that elapses between the disabling of the last server in the group and the subsequent reenabling of all servers.

depletion

Reactivates failed servers only after all of the servers in the group are inactive.

timed

Reactivates failed servers after 30 seconds of down time.


Defaults

The default reactivation mode is depletion, and the default deadtime value is 10. The supported range of values for deadtime is 0-1440 minutes.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Aaa-server group


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

Each server group has an attribute that specifies the reactivation policy for its servers.

In depletion mode, when a server is deactivated, it remains inactive until all other servers in the group are inactive. When and if this occurs, all servers in the group are reactivated. This approach minimizes the occurrence of connection delays due to failed servers. When depletion mode is in use, you can also specify the deadtime parameter. The deadtime parameter specifies the amount of time (in minutes) that will elapse between the disabling of the last server in the group and the subsequent re-enabling of all servers. This parameter is meaningful only when the server group is being used in conjunction with the local fallback feature.

In timed mode, failed servers are reactivated after 30 seconds of down time. This is useful when customers use the first server in a server list as the primary server and prefer that it is online whenever possible. This policy breaks down in the case of UDP servers. Because UDP is a connectionless protocol, the FWSM cannot determine if the server is present; therefore, UDP servers are put back on line blindly. This could lead to slowed connection times or connection failures if a server list contains multiple servers that are not reachable.

Accounting server groups that have simultaneous accounting enabled are forced to use the timed mode. This implies that all servers in a given list are equivalent.

Examples

The following example configures a TACACS+ AAA server named "svrgrp1" to use the depletion reactivation mode, with a deadtime of 15 minutes:

hostname(config)# aaa-server svrgrp1 protocol tacacs+
hostname(config-aaa-server-group)# reactivation-mode depletion deadtime 15

The following example configures a TACACS+ AAA server group named "svrgrp2" to use timed reactivation mode:

hostname(config)# aaa-server svrgrp2 protocol tacacs+
hostname(config-aaa-server-group)# reactivation-mode timed
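As an added illustration that is not part of the Cisco documentation, the following Python model reproduces the two reactivation policies described above (depletion with deadtime, and timed) on a constructed timeline, so that the moment a failed server returns to service can be traced for each policy. The 30-second timed interval and the 0-1440 minute deadtime range come from the text; the local-fallback interaction and the max-failed-attempts counter are assumptions left out of the model.

```python
from dataclasses import dataclass
from typing import Optional

TIMED_DOWN_SECONDS = 30  # timed mode: a failed server is reactivated after 30 s of down time


@dataclass
class Server:
    name: str
    active: bool = True
    failed_at: Optional[float] = None  # seconds on the constructed timeline


class ServerGroup:
    """Model of an FWSM AAA server group under a reactivation-mode policy.

    Assumption: a request always goes to the first active server in list order,
    and the local-fallback feature is not modelled.
    """

    def __init__(self, names, mode="depletion", deadtime_minutes=10):
        if mode not in ("depletion", "timed"):
            raise ValueError("reactivation-mode must be 'depletion' or 'timed'")
        if not 0 <= deadtime_minutes <= 1440:
            raise ValueError("deadtime must be in the range 0-1440 minutes")
        self.servers = [Server(n) for n in names]
        self.mode = mode
        self.deadtime = deadtime_minutes * 60
        self.depleted_at: Optional[float] = None  # when the last server in the group went down

    def active_servers(self):
        return [s.name for s in self.servers if s.active]

    def fail(self, name, now):
        """Deactivate a server (on the FWSM this happens after max-failed-attempts)."""
        for s in self.servers:
            if s.name == name and s.active:
                s.active, s.failed_at = False, now
        if self.mode == "depletion" and not self.active_servers() and self.depleted_at is None:
            self.depleted_at = now

    def tick(self, now):
        """Apply the reactivation policy at time `now` and return the active servers."""
        if self.mode == "timed":
            # Each failed server comes back on its own after 30 s, regardless of the others.
            for s in self.servers:
                if not s.active and now - s.failed_at >= TIMED_DOWN_SECONDS:
                    s.active, s.failed_at = True, None
        elif self.depleted_at is not None and now - self.depleted_at >= self.deadtime:
            # Depletion: nothing returns while a peer is still up; once the whole group
            # is down and deadtime has elapsed, every server is reenabled together.
            for s in self.servers:
                s.active, s.failed_at = True, None
            self.depleted_at = None
        return self.active_servers()

    def pick(self, now):
        """Server that would receive a request at `now`, or None if the group is depleted."""
        active = self.tick(now)
        return active[0] if active else None


def demo():
    """Constructed timeline (seconds) for both policies; returns the observed picks."""
    dep = ServerGroup(["10.0.0.1", "10.0.0.2"], "depletion", deadtime_minutes=15)
    dep.fail("10.0.0.1", now=0)
    picks = [dep.pick(60)]                  # primary stays down while its peer is still up
    dep.fail("10.0.0.2", now=60)
    picks.append(dep.pick(60 + 14 * 60))    # group depleted, deadtime not yet elapsed
    picks.append(dep.pick(60 + 15 * 60))    # deadtime elapsed: all servers return together

    timed = ServerGroup(["10.0.0.1", "10.0.0.2"], "timed")
    timed.fail("10.0.0.1", now=0)
    picks += [timed.pick(29), timed.pick(30)]  # primary returns after exactly 30 s
    return picks


if __name__ == "__main__":
    print(demo())
```

The timed run shows why the text warns about UDP servers: the model brings the primary back at 30 s without any evidence that it is reachable.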

Related Commands

accounting-mode

Indicates whether accounting messages are sent to a single server (single mode) or sent to all servers in the group (simultaneous mode).

aaa-server protocol

Enters AAA server group configuration mode so that you can configure AAA server parameters that are group-specific and common to all hosts in the group.

max-failed-attempts

Specifies the number of failures that will be tolerated for any given server in the server group before that server is deactivated.

clear configure aaa-server

Removes all AAA server configuration.

show running-config aaa-server

Displays AAA server statistics for all AAA servers, for a particular server group, for a particular server within a particular group, or for a particular protocol.


redistribute

To redistribute routes from one routing domain into another routing domain, use the redistribute command in router configuration mode. To remove the redistribution, use the no form of this command.

redistribute {{ospf pid [match {internal | external [1 | 2] | nssa-external [1 | 2]}]} | static | connected} [metric metric_value] [metric-type metric_type] [route-map map_name] [tag tag_value] [subnets]

no redistribute {{ospf pid [match {internal | external [1 | 2] | nssa-external [1 | 2]}]} | static | connected} [metric metric_value] [metric-type metric_type] [route-map map_name] [tag tag_value] [subnets]

Syntax Description

connected

Specifies redistributing a network connected to an interface into an OSPF routing process.

external type

Specifies the OSPF metric routes that are external to a specified autonomous system; valid values are 1 or 2.

internal type

Specifies OSPF metric routes that are internal to a specified autonomous system.

match

(Optional) Specifies the conditions for redistributing routes from one routing protocol into another.

metric metric_value

(Optional) Specifies the OSPF default metric value from 0 to 16777214.

metric-type metric_type

(Optional) The external link type associated with the default route advertised into the OSPF routing domain. It can be either of the following two values: 1 (Type 1 external route) or 2 (Type 2 external route).

nssa-external type

Specifies the OSPF metric type for routes that are external to a not-so-stubby area (NSSA); valid values are 1 or 2.

ospf pid

Used to redistribute an OSPF routing process into the current OSPF routing process. The pid specifies the internally used identification parameter for an OSPF routing process; valid values are from 1 to 65535.

route-map map_name

(Optional) Name of the route map to apply.

static

Used to redistribute a static route into an OSPF process.

subnets

(Optional) For redistributing routes into OSPF, scopes the redistribution for the specified protocol. If not used, only classful routes are redistributed.

tag tag_value

(Optional) A 32-bit decimal value attached to each external route. This value is not used by OSPF itself. It may be used to communicate information between ASBRs. If none is specified, then the remote autonomous system number is used for routes from BGP and EGP; for other protocols, zero (0) is used. Valid values range from 0 to 4294967295.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Router configuration


Command History

Release
Modification

1.1(1)

This command was introduced.


Examples

This example shows how to redistribute static routes into the current OSPF process:

hostname(config-router)# redistribute static

Related Commands

Command
Description

router ospf

Enters router configuration mode.

show running-config router

Displays the commands in the global router configuration.


reload

To reboot and reload the configuration, use the reload command in privileged EXEC mode.

reload [at hh:mm [month day | day month]] [cancel] [in [hh:]mm] [max-hold-time [hh:]mm] [noconfirm] [quick] [reason text] [save-config]

Syntax Description

at hh:mm

(Optional) Schedules a reload of the software to take place at the specified time (using a 24-hour clock). If you do not specify the month and day, the reload occurs at the specified time on the current day (if the specified time is later than the current time), or on the next day (if the specified time is earlier than the current time). Specifying 00:00 schedules the reload for midnight. The reload must take place within 24 hours.

cancel

(Optional) Cancels a scheduled reload.

day

(Optional) Number of the day in the range from 1 to 31.

in [hh:]mm]

(Optional) Schedules a reload of the software to take effect in the specified minutes or hours and minutes. The reload must occur within 24 hours.

max-hold-time [hh:]mm

(Optional) Specifies the maximum hold time the FWSM waits to notify other subsystems before a shutdown or reboot. After this time elapses, a quick (forced) shutdown/reboot occurs.

month

(Optional) Specifies the name of the month. Enter enough characters to create a unique string for the name of the month. For example, "Ju" is not unique because it could represent June or July, but "Jul" is unique because no other month begins with those three letters.

noconfirm

(Optional) Permits the FWSM to reload without user confirmation.

quick

(Optional) Forces a quick reload, without notifying or properly shutting down all the subsystems.

reason text

(Optional) Specifies the reason for the reload, 1 to 255 characters. The reason text is sent to all open IPSec VPN client, terminal, console, telnet, SSH, and ASDM connections/sessions.


Note Some applications, like isakmp, require additional configuration to send the reason text to IPSec VPN Clients. Refer to the appropriate section in the software configuration documentation for more information.


save-config

(Optional) Saves the running configuration to memory before shutting down. If you do not enter the save-config keyword, any configuration changes that have not been saved will be lost after the reload.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

·

·

·

·


Command History

Release
Modification

3.1(1)

This command was modified to add the following new arguments and keywords: day, hh, mm, month, quick, save-config, and text.


Usage Guidelines

The command lets you reboot the FWSM and reload the configuration from Flash.

By default, the reload command is interactive. The FWSM first checks whether the configuration has been modified but not saved. If so, the FWSM prompts you to save the configuration. In multiple context mode, the FWSM prompts for each context with an unsaved configuration. If you specify the save-config parameter, the configuration is saved without prompting you. The FWSM then prompts you to confirm that you really want to reload the system. Only a response of y or pressing the Enter key causes a reload. Upon confirmation, the FWSM starts or schedules the reload process, depending upon whether you have specified a delay parameter (in or at).

By default, the reload process operates in "graceful" (also known as "nice") mode. All registered subsystems are notified when a reboot is about to occur, allowing these subsystems to shut down properly before the reboot. To avoid waiting indefinitely for such a shutdown to occur, specify the max-hold-time parameter to set a maximum time to wait. Alternatively, you can use the quick parameter to force the reload process to begin abruptly, without notifying the affected subsystems or waiting for a graceful shutdown.

You can force the reload command to operate noninteractively by specifying the noconfirm parameter. In this case, the FWSM does not check for an unsaved configuration unless you have specified the save-config parameter. The FWSM does not prompt the user for confirmation before rebooting the system. It starts or schedules the reload process immediately, unless you have specified a delay parameter, although you can specify the max-hold-time or quick parameters to control the behavior of the reload process.

Use reload cancel to cancel a scheduled reload. You cannot cancel a reload that is already in progress.


Note Configuration changes that are not written to the Flash partition are lost after a reload. Before rebooting, enter the write memory command to store the current configuration in the Flash partition.


Examples

This example shows how to reboot and reload the configuration:

hostname# reload
Proceed with reload? [confirm] y

Rebooting...

XXX Bios VX.X
...
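Added example, not from the Cisco documentation: a Python model of the scheduling rules the at, in and month arguments describe above (same-day versus next-day resolution, the 24-hour limit, and unique-prefix month matching), run against a constructed clock time so a maintenance-window plan can be checked before it is typed into a production firewall. DEMO_NOW, the function names and the exact error messages are assumptions of this model.

```python
from datetime import datetime, timedelta

MONTHS = ["january", "february", "march", "april", "may", "june",
          "july", "august", "september", "october", "november", "december"]
MAX_DELAY = timedelta(hours=24)        # the reload must take place within 24 hours
DEMO_NOW = datetime(2024, 3, 10, 22, 30)  # constructed "current time" on the firewall


def resolve_month(prefix: str) -> int:
    """Map a month prefix to its number as the text describes:
    "Jul" -> 7, while "Ju" (June or July) or an unknown string is rejected."""
    p = prefix.strip().lower()
    matches = [i + 1 for i, m in enumerate(MONTHS) if p and m.startswith(p)]
    if len(matches) != 1:
        raise ValueError(f"month {prefix!r} is {'ambiguous' if matches else 'unknown'}")
    return matches[0]


def _clock(hh_mm: str) -> tuple:
    """Parse a strict 24-hour hh:mm clock time."""
    hh, mm = (int(x) for x in hh_mm.split(":"))
    if not (0 <= hh < 24 and 0 <= mm < 60):
        raise ValueError(f"bad 24-hour time {hh_mm!r}")
    return hh, mm


def schedule_at(now: datetime, hh_mm: str, month: str = None, day: int = None) -> datetime:
    """reload at hh:mm [month day]: resolve the absolute reload time from `now`."""
    hh, mm = _clock(hh_mm)
    if (month is None) != (day is None):
        raise ValueError("month and day must be given together")
    if month is None:
        target = now.replace(hour=hh, minute=mm, second=0, microsecond=0)
        if target <= now:                 # already passed today: same time tomorrow
            target += timedelta(days=1)
    else:
        if not 1 <= day <= 31:
            raise ValueError("day must be 1-31")
        target = datetime(now.year, resolve_month(month), day, hh, mm)  # rejects e.g. Feb 30
        if target <= now:                 # that date already passed this year
            target = target.replace(year=now.year + 1)
    if target - now > MAX_DELAY:
        raise ValueError("reload must take place within 24 hours")
    return target


def schedule_in(now: datetime, spec: str) -> datetime:
    """reload in [hh:]mm: relative delay, also limited to 24 hours."""
    parts = [int(x) for x in spec.split(":")]
    if len(parts) == 1:
        hh, mm = 0, parts[0]
    elif len(parts) == 2:
        hh, mm = parts
    else:
        raise ValueError(f"bad delay {spec!r}; expected [hh:]mm")
    if hh < 0 or mm < 0:
        raise ValueError("delay must not be negative")
    delay = timedelta(hours=hh, minutes=mm)
    if delay > MAX_DELAY:
        raise ValueError("reload must occur within 24 hours")
    return now + delay


if __name__ == "__main__":
    print(schedule_at(DEMO_NOW, "23:00"))   # later today
    print(schedule_at(DEMO_NOW, "01:00"))   # earlier than now, so tomorrow
    print(schedule_in(DEMO_NOW, "1:45"))    # 105 minutes from now
```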

Related Commands

Command
Description

show reload

Displays the reload status of the FWSM.


remote-access threshold session-threshold-exceeded

To set threshold values, use the remote-access threshold session-threshold-exceeded command in global configuration mode. To remove threshold values, use the no version of this command. This command specifies the number of remote access sessions that need to be active for the FWSM to send traps.

remote-access threshold session-threshold-exceeded {threshold-value}

no remote-access threshold session-threshold-exceeded

Syntax Description

threshold-value

Specifies an integer less than or equal to the session limit the FWSM supports.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Examples

The following example shows how to set a threshold value of 1500:

hostname(config)# remote-access threshold session-threshold-exceeded 1500

Related Commands

Command
Description

snmp-server enable trap remote-access

Enables threshold trapping.


rename

To rename a file or a directory from the source filename to the destination filename, use the rename command in privileged EXEC mode.

rename [/noconfirm] [flash:] source-path [flash:] destination-path

Syntax Description

/noconfirm

(Optional) Suppresses the confirmation prompt.

destination-path

Specifies the path of the destination file.

flash:

(Optional) Specifies the internal flash memory, followed by a colon.

source-path

Specifies the path of the source file.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

3.1(1)

Support for this command was introduced.


Usage Guidelines

The rename flash: flash: command prompts you to enter a source and destination filename.

You cannot rename a file or directory across file systems.

For example:

hostname# rename flash: disk1:
Source filename []? new-config
Destination filename []? old-config
%Cannot rename between filesystems

Examples

The following example shows how to rename a file named "test" to "test1":

hostname# rename flash: flash:
Source filename [running-config]? test
Destination filename [n]? test1

Related Commands

Command
Description

mkdir

Creates a new directory.

rmdir

Removes a directory.

show file

Displays information about the file system.


replication http

To enable HTTP connection replication for the failover group, use the replication http command in failover group configuration mode. To disable HTTP connection replication, use the no form of this command.

replication http

no replication http

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Failover group configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

By default, the FWSM does not replicate HTTP session information when Stateful Failover is enabled. Because HTTP sessions are typically short-lived, and because HTTP clients typically retry failed connection attempts, not replicating HTTP sessions increases system performance without causing serious data or connection loss. The replication http command enables the stateful replication of HTTP sessions in a Stateful Failover environment, but could have a negative effect on system performance.

This command is available for Active/Active failover only. For failover groups in Active/Active failover configurations, it provides the same functionality that the failover replication http command provides for Active/Standby failover.

Examples

The following example shows a possible configuration for a failover group:

hostname(config)# failover group 1 
hostname(config-fover-group)# primary
hostname(config-fover-group)# preempt 100
hostname(config-fover-group)# replication http
hostname(config-fover-group)# exit

Related Commands

Command
Description

failover group

Defines a failover group for Active/Active failover.

failover replication http

Configures Stateful Failover to replicate HTTP connections.


request-command deny

To disallow specific commands within FTP requests, use the request-command deny command in FTP map configuration mode, which is accessible by using the ftp-map command. To remove the configuration, use the no form of this command.

request-command deny { appe | cdup | dele | get | help | mkd | put | rmd | rnfr | rnto | site | stou }

no request-command deny { appe | cdup | dele | get | help | mkd | put | rmd | rnfr | rnto | site | stou }

Syntax Description

appe

Disallows the command that appends to a file.

cdup

Disallows the command that changes to the parent directory of the current working directory.

dele

Disallows the command that deletes a file on the server.

get

Disallows the client command for retrieving a file from the server.

help

Disallows the command that provides help information.

mkd

Disallows the command that makes a directory on the server.

put

Disallows the client command for sending a file to the server.

rmd

Disallows the command that deletes a directory on the server.

rnfr

Disallows the command that specifies rename-from filename.

rnto

Disallows the command that specifies rename-to filename.

site

Disallows the commands that are specific to the server system; usually used for remote administration.

stou

Disallows the command that stores a file using a unique filename.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

FTP map configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

This command is used for controlling the commands allowed within FTP requests traversing the FWSM when using strict FTP inspection.

Examples

The following example causes the FWSM to drop FTP requests containing put (STOR), stou, or appe commands:

hostname(config)# ftp-map inbound_ftp
hostname(config-ftp-map)# request-command deny put stou appe

Related Commands

Command
Description

class-map

Defines the traffic class to which to apply security actions.

ftp-map

Defines an FTP map and enables FTP map configuration mode.

inspect ftp

Applies a specific FTP map to use for application inspection.

mask-syst-reply

Hides the FTP server response from clients.

policy-map

Associates a class map with specific security actions.


request-method

To restrict HTTP traffic based on the HTTP request method, use the request-method command in HTTP map configuration mode, which is accessible using the http-map command. To disable this feature, use the no form of the command.

request-method {{ ext ext_methods | default} | { rfc rfc_methods | default}} action {allow | reset | drop} [log]

no request-method { ext ext_methods | rfc rfc_methods } action {allow | reset | drop} [log]

Syntax Description

action

Identifies the action taken when a message fails this command inspection.

allow

Allows the message.

default

Specifies the default action taken by the FWSM when the traffic contains a supported request method that is not on a configured list.

drop

Closes the connection.

ext

Specifies extension methods.

ext_methods

Identifies one of the extended methods you want to allow to pass through the FWSM.

log

(Optional) Generates a syslog.

reset

Sends a TCP reset message to client and server.

rfc

Specifies RFC 2616 supported methods.

rfc_methods

Identifies one of the RFC methods you want to allow to pass through the FWSM (see Table 23-1).


Defaults

This command is disabled by default. When the command is enabled and a supported request method is not specified, the default action is to allow the connection without logging. To change the default action, use the default keyword and specify a different default action.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

HTTP map configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

When you enable the request-method command, the FWSM applies the specified action to HTTP connections for each supported and configured request method.

The FWSM applies the default action to all traffic that does not match the request methods on the configured list. The default action is to allow connections without logging. Given this preconfigured default action, if you specify one or more request methods with the action of drop and log, the FWSM drops connections containing the configured request methods, logs each connection, and allows all connections containing other supported request methods.

If you want to configure a more restrictive policy, change the default action to drop (or reset) and log (if you want to log the event). Then configure each permitted method with the allow action.

Enter the request-method command once for each setting you wish to apply. You use one instance of the request-method command to change the default action or to add a single request method to the list of configured methods.

When you use the no form of the command to remove a request method from the list of configured methods, any characters in the command line after the request method keyword are ignored.

Table 23-1 lists the methods defined in RFC 2616 that you can add to the list of configured methods:

Table 23-1 RFC 2616 Methods

Method
Description

connect

Used with a proxy that can dynamically switch to being a tunnel (for example SSL tunneling).

delete

Requests that the origin server delete the resource identified by the Request-URI.

get

Retrieves whatever information or object is identified by the Request-URI.

head

Identical to GET except that the server does not return a message-body in the response.

options

Represents a request for information about the communication options available on the server identified by the Request-URI.

post

Requests that the origin server accept the object enclosed in the request as a new subordinate of the resource identified by the Request-URI in the Request-Line.

put

Requests that the enclosed object be stored under the supplied Request-URI.

trace

Invokes a remote, application-layer loop-back of the request message.


Examples

The following example provides a permissive policy, using the preconfigured default, which allows all supported request methods that are not specifically prohibited.

hostname(config)# http-map inbound_http
hostname(config-http-map)# request-method rfc options action drop log
hostname(config-http-map)# request-method rfc post action drop log

In this example, only the options and post request methods are dropped and the events are logged.

The following example provides a restrictive policy, with the default action changed to reset the connection and log the event for any request method that is not specifically allowed.

hostname(config)# http-map inbound_http
hostname(config-http-map)# request-method rfc default action reset log
hostname(config-http-map)# request-method rfc get action allow
hostname(config-http-map)# request-method rfc put action allow

In this case, the get and put request methods are allowed. When traffic is detected that uses any other methods, the FWSM resets the connection and creates a syslog entry.
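Added example, not from the Cisco documentation: a Python model of the request-method decision logic described above, with the permissive and restrictive policies from the two examples applied to constructed request lines. It assumes, from the command syntax, that the rfc and ext classes each carry their own default action and that a method outside Table 23-1 is classed as an extension method; the class and function names are this model's own.

```python
# Methods from Table 23-1 (RFC 2616); anything else is treated as an extension method.
RFC_2616_METHODS = {"connect", "delete", "get", "head", "options", "post", "put", "trace"}
ACTIONS = {"allow", "reset", "drop"}


class HttpMap:
    """Model of the request-method rules inside one http-map."""

    def __init__(self, name):
        self.name = name
        self.rules = {"rfc": {}, "ext": {}}          # method -> (action, log)
        # Preconfigured default: allow without logging, kept per class (assumption:
        # the {ext ... | default} | {rfc ... | default} syntax implies separate defaults).
        self.defaults = {"rfc": ("allow", False), "ext": ("allow", False)}

    def request_method(self, kind, method, action, log=False):
        """request-method {rfc | ext} {method | default} action {allow | reset | drop} [log]"""
        if kind not in self.rules:
            raise ValueError("kind must be 'rfc' or 'ext'")
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        method = method.lower()
        if method == "default":
            self.defaults[kind] = (action, log)
        elif kind == "rfc" and method not in RFC_2616_METHODS:
            raise ValueError(f"{method!r} is not an RFC 2616 method; configure it under ext")
        else:
            self.rules[kind][method] = (action, log)   # one command adds one method

    def no_request_method(self, kind, method, *ignored):
        """no request-method: anything after the method keyword is ignored, as the text states."""
        self.rules[kind].pop(method.lower(), None)

    def evaluate(self, request_line):
        """Return (action, log) for an HTTP request line such as 'GET / HTTP/1.1'."""
        method = request_line.split(" ", 1)[0].lower()
        kind = "rfc" if method in RFC_2616_METHODS else "ext"
        return self.rules[kind].get(method, self.defaults[kind])


def permissive_policy():
    """First example on the page: only options and post are dropped and logged."""
    m = HttpMap("inbound_http")
    m.request_method("rfc", "options", "drop", log=True)
    m.request_method("rfc", "post", "drop", log=True)
    return m


def restrictive_policy():
    """Second example on the page: reset and log everything except get and put."""
    m = HttpMap("inbound_http")
    m.request_method("rfc", "default", "reset", log=True)
    m.request_method("rfc", "get", "allow")
    m.request_method("rfc", "put", "allow")
    return m


# Constructed request lines used to exercise both policies.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "OPTIONS * HTTP/1.1",
    "DELETE /reports/q1 HTTP/1.1",
    "PROPFIND /dav/ HTTP/1.1",   # WebDAV extension method, not in Table 23-1
]


def decisions(http_map):
    """Map each sample request's method to the (action, log) the map would apply."""
    return {r.split(" ", 1)[0]: http_map.evaluate(r) for r in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for name, policy in (("permissive", permissive_policy()), ("restrictive", restrictive_policy())):
        print(name, decisions(policy))
```

Under this model the restrictive policy still allows PROPFIND, because only the rfc default was changed; a matching request-method ext default is needed before extension methods are reset as well.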

Related Commands

Command
Description

class-map

Defines the traffic class to which to apply security actions.

debug appfw

Displays detailed information about traffic associated with enhanced HTTP inspection.

http-map

Defines an HTTP map for configuring enhanced HTTP inspection.