same-security-traffic through show asdm sessions Commands
same-security-traffic
To permit communication between interfaces with equal security levels, or to allow traffic to enter and exit the same interface, use the same-security-traffic command in global configuration mode. To disable the same-security traffic, use the no form of this command.
same-security-traffic permit {inter-interface | intra-interface}
no same-security-traffic permit {inter-interface | intra-interface}
Syntax Description
inter-interface
Permits communication between different interfaces that have the same security level.
intra-interface
Permits communication in and out of the same interface.
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode                                Firewall Mode             Security Context
                                            Routed  Transparent       Single  Multiple Context  System
Global configuration                        •       •                 •       •                 —
Command History
Release   Modification
7.0(1)    This command was introduced.
7.2(1)    The intra-interface keyword now allows all traffic to enter and exit the same interface, and not just IPSec traffic.
Usage Guidelines
Allowing communication between same security interfaces (enabled by the same-security-traffic inter-interface command) provides the following benefits:
•You can configure more than 101 communicating interfaces. If you use different levels for each interface, you can configure only one interface per level (0 to 100).
•You can allow traffic to flow freely between all same security interfaces without access lists.
The same-security-traffic intra-interface command lets traffic enter and exit the same interface, which is normally not allowed. This feature might be useful for VPN traffic that enters an interface, but is then routed out the same interface. The VPN traffic might be unencrypted in this case, or it might be reencrypted for another VPN connection. For example, if you have a hub and spoke VPN network, where the security appliance is the hub, and remote VPN networks are spokes, for one spoke to communicate with another spoke, traffic must go into the security appliance and then out again to the other spoke.
Note All traffic allowed by the same-security-traffic intra-interface command is still subject to firewall rules. Be careful not to create an asymmetric routing situation that can cause return traffic not to traverse the security appliance.
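The hub-and-spoke case described above, written out as one complete configuration. This is an added example, not configuration taken from the Cisco reference; the interface names, the addresses and the two department networks are assumed values.

```cisco
! Added example, not from the Cisco reference. Interface names and addresses
! are assumed values.
interface gigabitethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
 no shutdown
! Two departments that are equally trusted share security level 50.
interface gigabitethernet0/1
 nameif dept-a
 security-level 50
 ip address 10.1.1.1 255.255.255.0
 no shutdown
interface gigabitethernet0/2
 nameif dept-b
 security-level 50
 ip address 10.1.2.1 255.255.255.0
 no shutdown
! Without this command, dept-a and dept-b cannot reach each other at all,
! no matter what access lists are applied.
same-security-traffic permit inter-interface
! Hub-and-spoke VPN with this appliance as the hub: spoke-to-spoke traffic is
! decrypted on outside and has to leave on outside again toward the other
! spoke. Without this command the hairpinned flow is dropped.
same-security-traffic permit intra-interface
```

Check the result with show running-config same-security-traffic in privileged EXEC. Both permits leave the firewall rules in force: an access list applied to dept-a or dept-b still filters the inter-interface flow. For the hairpinned VPN flow, confirm on your release whether decrypted VPN traffic bypasses interface access lists (the sysopt connection permit-vpn setting) before relying on the outside access list to police spoke-to-spoke traffic, and keep the return route for every spoke network pointing back through the hub so the flow stays symmetric.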
Examples
The following example shows how to enable the same-security interface communication:
hostname(config)# same-security-traffic permit inter-interface
The following example shows how to enable traffic to enter and exit the same interface:
hostname(config)# same-security-traffic permit intra-interface
Related Commands
Command   Description
show running-config same-security-traffic   Displays the same-security-traffic configuration.
sasl-mechanism
To specify a SASL (Simple Authentication and Security Layer) mechanism for authenticating an LDAP client to an LDAP server, use the sasl-mechanism command in aaa-server host configuration mode. The SASL authentication mechanism options are digest-md5 and kerberos.
To disable an authentication mechanism, use the no form of this command.
sasl-mechanism {digest-md5 | kerberos server-group-name}
no sasl-mechanism {digest-md5 | kerberos server-group-name}
Note Because the security appliance serves as a client proxy to the LDAP server for VPN users, the LDAP client referred to here is the security appliance.
Syntax Description
Defaults
No default behavior or values. The security appliance passes the authentication parameters to the LDAP server in plain text.
Note We recommend that you secure LDAP communications with SSL using the ldap-over-ssl command if you have not configured SASL.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode                                Firewall Mode             Security Context
                                            Routed  Transparent       Single  Multiple Context  System
Aaa-server host configuration               •       •                 •       •                 —
Command History
Usage Guidelines
Use this command to specify security appliance authentication to an LDAP server using SASL mechanisms.
Both the security appliance and the LDAP server can support multiple SASL authentication mechanisms. When negotiating SASL authentication, the security appliance retrieves the list of SASL mechanisms configured on the server and sets the authentication mechanism to the strongest mechanism configured on both the security appliance and the server. The Kerberos mechanism is stronger than the Digest-MD5 mechanism. To illustrate, if both the LDAP server and the security appliance support both mechanisms, the security appliance selects Kerberos, the stronger of the mechanisms.
When disabling the SASL mechanisms, you must enter a separate no command for each mechanism you want to disable because they are configured independently. Mechanisms that you do not specifically disable remain in effect. For example, you must enter both of the following commands to disable both SASL mechanisms:
no sasl-mechanism digest-md5
no sasl-mechanism kerberos <server-group-name>
Examples
The following examples, entered in aaa-server host configuration mode, enable the SASL mechanisms for authentication to an LDAP server named ldapsvr1 with an IP address of 10.10.0.1. This example enables the SASL digest-md5 authentication mechanism:
hostname(config)# aaa-server ldapsvr1 protocol ldap
hostname(config-aaa-server-group)# aaa-server ldapsvr1 host 10.10.0.1
hostname(config-aaa-server-host)# sasl-mechanism digest-md5
The following example enables the SASL Kerberos authentication mechanism and specifies kerbsvr1 as the Kerberos AAA server group:
hostname(config)# aaa-server ldapsvr1 protocol ldap
hostname(config-aaa-server-group)# aaa-server ldapsvr1 host 10.10.0.1
hostname(config-aaa-server-host)# sasl-mechanism kerberos kerbsvr1
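The same LDAP host with both mechanisms configured, together with the Kerberos server group that the kerberos keyword refers to, which the examples above leave undefined. This is an added example, not configuration from the Cisco reference; the group names, addresses, realm and directory names are assumed values.

```cisco
! Added example, not from the Cisco reference. Names, addresses and the
! Kerberos realm are assumed values.
! Kerberos AAA server group referenced by "sasl-mechanism kerberos".
aaa-server kerbsvr1 protocol kerberos
aaa-server kerbsvr1 host 10.10.0.2
 kerberos-realm EXAMPLE.COM
! LDAP server group; the security appliance itself is the LDAP client.
aaa-server ldapsvr1 protocol ldap
aaa-server ldapsvr1 host 10.10.0.1
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-bind,ou=service,dc=example,dc=com
 ldap-login-password bind-password-here
! Offer both mechanisms. The appliance reads the server's supported list and
! uses the strongest one both sides share: Kerberos if available, otherwise
! Digest-MD5. Each mechanism is configured (and removed) independently.
 sasl-mechanism digest-md5
 sasl-mechanism kerberos kerbsvr1
```

Inspect the result with show running-config aaa-server ldapsvr1. The Defaults section says the bind goes to the server in plain text when no SASL mechanism is in effect, so unless you have confirmed that the directory offers at least one of the configured mechanisms, add ldap-over-ssl enable on the same host as well.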
Related Commands
secondary
To give the secondary unit higher priority in a failover group, use the secondary command in failover group configuration mode. To restore the default, use the no form of this command.
secondary
no secondary
Syntax Description
This command has no arguments or keywords.
Defaults
If primary or secondary is not specified for a failover group, the failover group defaults to primary.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode                                Firewall Mode             Security Context
                                            Routed  Transparent       Single  Multiple Context  System
Failover group configuration                •       •                 —       —                 •
Command History
Usage Guidelines
Assigning a primary or secondary priority to a failover group specifies which unit the failover group becomes active on when both units boot simultaneously (within a unit polltime). If one unit boots before the other, then both failover groups become active on that unit. When the other unit comes online, any failover groups that have the second unit as a priority do not become active on the second unit unless the failover group is configured with the preempt command or is manually forced to the other unit with the no failover active command.
Examples
The following example configures failover group 1 with the primary unit as the higher priority and failover group 2 with the secondary unit as the higher priority. Both failover groups are configured with the preempt command, so the groups will automatically become active on their preferred unit as the units become available.
hostname(config)# failover group 1
hostname(config-fover-group)# primary
hostname(config-fover-group)# preempt 100
hostname(config-fover-group)# exit
hostname(config)# failover group 2
hostname(config-fover-group)# secondary
hostname(config-fover-group)# preempt 100
hostname(config-fover-group)# mac-address e1 0000.a000.a011 0000.a000.a012
hostname(config-fover-group)# exit
Related Commands
secondary-color
To set a secondary color for the WebVPN login, home page, and file access page, use the secondary-color command in webvpn mode. To remove a color from the configuration and reset the default, use the no form of this command.
secondary-color [color]
no secondary-color
Syntax Description
Defaults
The default secondary color is HTML #CCCCFF, a lavender shade.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode                                Firewall Mode             Security Context
                                            Routed  Transparent       Single  Multiple Context  System
Webvpn                                      •       •                 —       —                 •
Command History
Usage Guidelines
The number of RGB values recommended for use is 216, many fewer than the mathematical possibilities. Many displays can handle only 256 colors, and 40 of those look different on Macs and PCs. For best results, check published RGB tables. To find RGB tables online, enter RGB in a search engine.
Examples
The following example shows how to set an HTML color value of #5F9EA0, which is a teal shade:
hostname(config)# webvpn
hostname(config-webvpn)# secondary-color #5F9EA0
Related Commands
Command   Description
title-color   Sets a color for the WebVPN title bar on the login, home page, and file access page
secondary-text-color
To set the secondary text color for the WebVPN login, home page and file access page, use the secondary-text-color command in webvpn mode. To remove the color from the configuration and reset the default, use the no form of this command.
secondary-text-color [black | white]
no secondary-text-color
Syntax Description
Defaults
The default secondary text color is black.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode                                Firewall Mode             Security Context
                                            Routed  Transparent       Single  Multiple Context  System
Webvpn                                      •       —                 •       —                 —
Command History
Examples
The following example shows how to set the secondary text color to white:
hostname(config)# webvpn
hostname(config-webvpn)# secondary-text-color white
Related Commands
Command   Description
text-color   Sets a color for text in the WebVPN title bar on the login, home page and file access page
secure-unit-authentication
To enable secure unit authentication, use the secure-unit-authentication enable command in group-policy configuration mode. To disable secure unit authentication, use the secure-unit-authentication disable command. To remove the secure unit authentication attribute from the running configuration, use the no form of this command. This option allows inheritance of a value for secure unit authentication from another group policy.
Secure unit authentication provides additional security by requiring VPN hardware clients to authenticate with a username and password each time the client initiates a tunnel. With this feature enabled, the hardware client does not have a saved username and password.
Note With this feature enabled, to bring up a VPN tunnel, a user must be present to enter the username and password.
secure-unit-authentication {enable | disable}
no secure-unit-authentication
Syntax Description
Defaults
Secure unit authentication is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode                                Firewall Mode             Security Context
                                            Routed  Transparent       Single  Multiple Context  System
Group-policy configuration                  •       —                 •       —                 —
Command History
Usage Guidelines
Secure unit authentication requires that you have an authentication server group configured for the tunnel group the hardware client(s) use.
If you require secure unit authentication on the primary security appliance, be sure to configure it on any backup servers as well.
Examples
The following example shows how to enable secure unit authentication for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# secure-unit-authentication enable
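The server-group requirement from Usage Guidelines carried through as one configuration: the group policy, the authentication server group, and the tunnel group that ties them together. This is an added example, not configuration from the Cisco reference; the RADIUS server, tunnel-group and group-policy names and the addresses are assumed values.

```cisco
! Added example, not from the Cisco reference. Server, tunnel-group and
! group-policy names and addresses are assumed values.
! Authentication server group the hardware clients are checked against.
aaa-server hwclient-auth protocol radius
aaa-server hwclient-auth host 10.10.0.5
 key radius-shared-secret-here
! Group policy: every tunnel needs a person to type a username and password;
! the hardware client keeps no saved credentials.
group-policy FirstGroup internal
group-policy FirstGroup attributes
 secure-unit-authentication enable
! Tunnel group used by the hardware clients. Without authentication-server-group
! here, secure unit authentication has nothing to authenticate against.
tunnel-group hw-clients type remote-access
tunnel-group hw-clients general-attributes
 authentication-server-group hwclient-auth
 default-group-policy FirstGroup
```

The remote-access keyword is the 8.0 spelling of the tunnel-group type; 7.x releases use ipsec-ra for the same thing. If the hardware clients can fail over to a backup appliance, repeat all three pieces there, as Usage Guidelines notes.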
Related Commands
security-level
To set the security level of an interface, use the security-level command in interface configuration mode. To set the security level to the default, use the no form of this command. The security level protects higher security networks from lower security networks by imposing additional protection between the two.
security-level number
no security-level
Syntax Description
Defaults
By default, the security level is 0.
If you name an interface "inside" and you do not set the security level explicitly, then the security appliance sets the security level to 100 (see the nameif command). You can change this level if desired.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode                                Firewall Mode             Security Context
                                            Routed  Transparent       Single  Multiple Context  System
Interface configuration                     •       •                 •       •                 —
Command History
Release   Modification
7.0(1)    This command was moved from a keyword of the nameif command to an interface configuration mode command.
Usage Guidelines
The level controls the following behavior:
•Network access—By default, there is an implicit permit from a higher security interface to a lower security interface (outbound). Hosts on the higher security interface can access any host on a lower security interface. You can limit access by applying an access list to the interface.
For same security interfaces, there is an implicit permit for interfaces to access other interfaces on the same security level or lower.
•Inspection engines—Some inspection engines are dependent on the security level. For same security interfaces, inspection engines apply to traffic in either direction.
–NetBIOS inspection engine—Applied only for outbound connections.
–OraServ inspection engine—If a control connection for the OraServ port exists between a pair of hosts, then only an inbound data connection is permitted through the security appliance.
•Filtering—HTTP(S) and FTP filtering applies only for outbound connections (from a higher level to a lower level).
For same security interfaces, you can filter traffic in either direction.
•NAT control—When you enable NAT control, you must configure NAT for hosts on a higher security interface (inside) when they access hosts on a lower security interface (outside).
Without NAT control, or for same security interfaces, you can choose to use NAT between any interface, or you can choose not to use NAT. Keep in mind that configuring NAT for an outside interface might require a special keyword.
•established command—This command allows return connections from a lower security host to a higher security host if there is already an established connection from the higher level host to the lower level host.
For same security interfaces, you can configure established commands for both directions.
Normally, interfaces on the same security level cannot communicate. If you want interfaces on the same security level to communicate, see the same-security-traffic command. You might want to assign two interfaces to the same level and allow them to communicate if you want to create more than 101 communicating interfaces, or you want protection features to be applied equally for traffic between two interfaces; for example, you have two departments that are equally secure.
If you change the security level of an interface, and you do not want to wait for existing connections to time out before the new security information is used, you can clear the connections using the clear local-host command.
Examples
The following example configures the security levels for two interfaces to be 100 and 0:
hostname(config)# interface gigabitethernet0/0
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface gigabitethernet0/1
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# ip address 10.1.2.1 255.255.255.0
hostname(config-if)# no shutdown
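The outbound and inbound behaviour from Usage Guidelines on a three-interface layout, including the effect of applying an access list to a mid-level interface. This is an added example, not configuration from the Cisco reference; the interface names, addresses, DMZ web server and inside syslog collector are assumed values.

```cisco
! Added example, not from the Cisco reference. Interface names, addresses,
! the DMZ web server 10.1.3.10 and the syslog collector 10.1.1.20 are assumed.
interface gigabitethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
 no shutdown
interface gigabitethernet0/1
 nameif dmz
 security-level 50
 ip address 10.1.3.1 255.255.255.0
 no shutdown
interface gigabitethernet0/2
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
 no shutdown
! Outbound (higher to lower) is implicitly permitted: inside -> dmz,
! inside -> outside and dmz -> outside need no access list.
! Inbound (lower to higher) is denied until an access list opens it:
! here only HTTPS from outside to the DMZ web server.
access-list outside_in extended permit tcp any host 10.1.3.10 eq 443
access-group outside_in in interface outside
! dmz -> inside is inbound too. Note that applying an access list to dmz
! replaces its implicit outbound permit, so dmz -> outside must now be
! listed explicitly, after the inside network has been fenced off.
access-list dmz_in extended permit udp host 10.1.3.10 host 10.1.1.20 eq 514
access-list dmz_in extended deny ip any 10.1.1.0 255.255.255.0
access-list dmz_in extended permit ip 10.1.3.0 255.255.255.0 any
access-group dmz_in in interface dmz
```

If you later lower dmz to, say, security-level 40, connections that already exist keep the old security information until they time out; run clear local-host from privileged EXEC to make the new level apply immediately, as Usage Guidelines describes.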
Related Commands
send response
To send a RADIUS Accounting-Response Start and Accounting-Response Stop message to the sender of the RADIUS Accounting-Request Start and Stop messages, use the send response command in radius-accounting parameter configuration mode, which is accessed by using the inspect radius-accounting command.
This option is disabled by default.
send response
no send response
Syntax Description
This command has no arguments or keywords.
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode                                Firewall Mode             Security Context
                                            Routed  Transparent       Single  Multiple Context  System
Radius-accounting parameter configuration   •       •                 •       •                 —
Command History
Examples
The following example shows how to send a response with RADIUS accounting:
hostname(config)# policy-map type inspect radius-accounting ra
hostname(config-pmap)# parameters
hostname(config-pmap-p)# send response
Related Commands
Command   Description
inspect radius-accounting   Sets inspection for RADIUS accounting.
parameters   Sets parameters for an inspection policy map.
serial-number
To include the security appliance serial number in the certificate during enrollment, use the serial-number command in crypto ca trustpoint configuration mode. To restore the default setting, use the no form of the command.
serial-number
no serial-number
Syntax Description
Defaults
The default setting is to not include the serial number.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode                                Firewall Mode             Security Context
                                            Routed  Transparent       Single  Multiple Context  System
Crypto ca trustpoint configuration          •       •                 •       •                 •
Command History
Examples
The following example enters crypto ca trustpoint configuration mode for trustpoint central, and includes the security appliance serial number in the enrollment request for trustpoint central:
hostname(config)# crypto ca trustpoint central
hostname(ca-trustpoint)# serial-number
Related Commands
server
To specify a default e-mail proxy server, use the server command in the applicable e-mail proxy mode. To remove the attribute from the configuration, use the no version of this command. The security appliance sends requests to the default e-mail server when the user connects to the e-mail proxy without specifying a server. If you do not configure a default server, and a user does not specify a server, the security appliance returns an error.
server {ipaddr or hostname}
no server
Syntax Description
hostname
The DNS name of the default e-mail proxy server.
ipaddr
The IP address of the default e-mail proxy server.
Defaults
There is no default e-mail proxy server by default.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode                                Firewall Mode             Security Context
                                            Routed  Transparent       Single  Multiple Context  System
Pop3s                                       •       •                 —       —                 •
Imap4s                                      •       •                 —       —                 •
Smtps                                       •       •                 —       —                 •
Command History
Examples
The following example shows how to set a default POP3S e-mail server with an IP address of 10.1.1.7:
hostname(config)# pop3s
hostname(config-pop3s)# server 10.1.1.7
server (tls-proxy)
To specify the proxy trustpoint certificate presented during TLS handshake, use the server command in TLS proxy configuration mode. To remove the configuration, use the no form of this command.
server trust-point p_tp
no server trust-point p_tp
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode                                Firewall Mode             Security Context
                                            Routed  Transparent       Single  Multiple Context  System
TLS proxy configuration                     •       •                 •       •                 —
Command History
Usage Guidelines
Use the server command in TLS proxy configuration mode to control the TLS handshake parameters for the security appliance as the TLS server role in TLS proxy. It specifies the proxy trustpoint certificate presented during TLS handshake. This value corresponds to the trustpoint defined by the crypto ca trustpoint command. It can be self-signed or enrolled with a certificate authority.
The server command takes precedence over the global ssl trust-point command.
Examples
The following example shows how to create a TLS proxy instance:
hostname(config)# tls-proxy my_proxy
hostname(config-tlsp)# server trust-point ccm_proxy
hostname(config-tlsp)# client ldc issuer ldc_server
hostname(config-tlsp)# client ldc keypair phone_common
Related Commands
server-port
To configure a AAA server port for a host, use the server-port command in aaa-server host mode. To remove the designated server port, use the no form of this command:
server-port port-number
no server-port
Syntax Description
Defaults
The default server ports are as follows:
•SDI—5500
•LDAP—389
•Kerberos—88
•NT—139
•TACACS+—49
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode                                Firewall Mode             Security Context
                                            Routed  Transparent       Single  Multiple Context  System
Aaa-server host configuration               •       •                 •       •                 —
Command History
Examples
The following example configures an SDI AAA server named "srvgrp1" to use server port number 8888:
hostname(config)# aaa-server srvgrp1 protocol sdi
hostname(config-aaa-server-group)# aaa-server srvgrp1 host 192.168.10.10
hostname(config-aaa-server-host)# server-port 8888
Related Commands
server-separator
To specify a character as a delimiter between the e-mail and VPN server names, use the server-separator command in the applicable e-mail proxy mode. To revert to the default, use the no form of this command.
server-separator {symbol}
no server-separator
Syntax Description
symbol
The character that separates the e-mail and VPN server names. Choices are "@" (at), "|" (pipe), ":" (colon), "#" (hash), "," (comma), and ";" (semicolon).
Defaults
The default is "@" (at).
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode                                Firewall Mode             Security Context
                                            Routed  Transparent       Single  Multiple Context  System
Pop3s                                       •       —                 •       —                 —
Imap4s                                      •       —                 •       —                 —
Smtps                                       •       —                 •       —                 —
Command History
Usage Guidelines
The server separator must be different from the name separator.
Examples
The following example shows how to set a pipe (|) as the server separator for IMAP4S:
hostname(config)# imap4s
hostname(config-imap4s)# server-separator |
Related Commands
server-type
To manually configure the LDAP server model, use the server-type command in aaa-server host configuration mode. The security appliance supports the following server models:
•Microsoft Active Directory
•Sun Microsystems JAVA System Directory Server, formerly named the Sun ONE Directory Server
•Generic LDAP directory servers that comply with LDAPv3 (no password management)
To disable this command, use the no form of this command.
server-type {auto-detect | microsoft | sun | generic | openldap | novell}
no server-type {auto-detect | microsoft | sun | generic | openldap | novell}
Syntax Description
Defaults
By default, auto-detection attempts to determine the server type.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode                                Firewall Mode             Security Context
                                            Routed  Transparent       Single  Multiple Context  System
Aaa-server host configuration               •       •                 •       •                 —
Command History
Release   Modification
7.1(1)    This command was introduced.
8.0(2)    Support for the OpenLDAP and Novell server types was added.
Usage Guidelines
The security appliance supports LDAP version 3 and is compatible with the Sun Microsystems JAVA System Directory Server, the Microsoft Active Directory, and other LDAPv3 directory servers.
Note
•Sun—The DN configured on the security appliance to access a Sun directory server must be able to access the default password policy on that server. We recommend using the directory administrator, or a user with directory administrator privileges, as the DN. Alternatively, you can place an ACI on the default password policy.
•Microsoft—You must configure LDAP over SSL to enable password management with Microsoft Active Directory.
•Generic—Password management features are not supported.
By default, the security appliance auto-detects whether it is connected to a Microsoft directory server, a Sun LDAP directory server, or a generic LDAPv3 server. However, if auto-detection fails to determine the LDAP server type and if you know the server is either a Microsoft or Sun server, you can use the server-type command to manually configure the server as either a Microsoft or a Sun Microsystems LDAP server.
Examples
The following example, entered in aaa-server host configuration mode, configures the server type for the LDAP server ldapsvr1 at IP address 10.10.0.1. The first example configures a Sun Microsystems LDAP server.
hostname(config)# aaa-server ldapsvr1 protocol ldap
hostname(config-aaa-server-group)# aaa-server ldapsvr1 host 10.10.0.1
hostname(config-aaa-server-host)# server-type sun
The following example specifies that the security appliance use auto-detection to determine the server type:
hostname(config)# aaa-server ldapsvr1 protocol LDAP
hostname(config-aaa-server-group)# aaa-server ldapsvr1 host 10.10.0.1
hostname(config-aaa-server-host)# server-type auto-detect
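Active Directory with password management, which the Note above says requires LDAP over SSL; the host is moved from the default LDAP port to the LDAPS port with server-port. This is an added example, not configuration from the Cisco reference; the names, addresses and the tunnel group are assumed values.

```cisco
! Added example, not from the Cisco reference. Names, addresses and the
! tunnel group are assumed values.
aaa-server ldapsvr1 protocol ldap
aaa-server ldapsvr1 host 10.10.0.1
! Password management against Active Directory needs LDAP over SSL, so the
! default LDAP port 389 is replaced with the LDAPS port 636.
 ldap-over-ssl enable
 server-port 636
! Skip auto-detection when the directory type is already known.
 server-type microsoft
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-bind,ou=service,dc=example,dc=com
 ldap-login-password bind-password-here
! Tunnel group that authenticates against this server and lets users change
! an expired password through the appliance.
tunnel-group remote-users type remote-access
tunnel-group remote-users general-attributes
 authentication-server-group ldapsvr1
 password-management
```

If server-type is left at auto-detect and detection fails, the host is treated as a generic LDAPv3 server and password management silently does nothing, so set the type explicitly whenever you depend on it. Confirm the host with show running-config aaa-server ldapsvr1.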
Related Commands
service
To enable resets for denied TCP connections, use the service command in global configuration mode. To disable resets, use the no form of this command.
service {resetinbound [interface interface_name] | resetoutbound [interface interface_name] | resetoutside}
no service {resetinbound [interface interface_name] | resetoutbound [interface interface_name] | resetoutside}
Syntax Description
Defaults
By default, service resetoutbound is enabled for all interfaces.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode                                Firewall Mode             Security Context
                                            Routed  Transparent       Single  Multiple Context  System
Global configuration                        •       •                 •       •                 —
Command History
Usage Guidelines
You might want to explicitly send resets for inbound traffic if you need to reset identity request (IDENT) connections. When you send a TCP RST (reset flag in the TCP header) to the denied host, the RST stops the incoming IDENT process so that you do not have to wait for IDENT to time out. Waiting for IDENT to time out can cause traffic to slow because outside hosts keep retransmitting the SYN until the IDENT times out, so the service resetinbound command might improve performance.
Examples
The following example disables outbound resets for all interfaces except for the inside interface:
hostname(config)# no service resetoutbound
hostname(config)# service resetoutbound interface inside
The following example enables inbound resets for all interfaces except for the DMZ interface:
hostname(config)# service resetinbound
hostname(config)# no service resetinbound interface dmz
The following example enables resets for connections that terminate on the outside interface:
hostname(config)# service resetoutside
Related Commands
service (ctl-provider)
To specify the port to which the Certificate Trust List provider listens, use the service command in CTL provider configuration mode. To remove the configuration, use the no form of this command.
service port listening_port
no service port listening_port
Syntax Description
Defaults
Default port is 2444.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode                                Firewall Mode             Security Context
                                            Routed  Transparent       Single  Multiple Context  System
CTL provider configuration                  •       •                 •       •                 —
Command History
Usage Guidelines
Use the service command in CTL provider configuration mode to specify the port to which the CTL provider listens. The port must be the one listened to by the CallManager servers in the cluster (as configured under Enterprise Parameters on the CallManager administration page). The default port is 2444.
Examples
The following example shows how to create a CTL provider instance and set the listening port explicitly to the default, 2444:
hostname(config)# ctl-provider my_ctl
hostname(config-ctl-provider)# client interface inside 172.23.45.1
hostname(config-ctl-provider)# client username CCMAdministrator password XXXXXX encrypted
hostname(config-ctl-provider)# export certificate ccm_proxy
hostname(config-ctl-provider)# service port 2444
hostname(config-ctl-provider)# ctl install
Related Commands
service password-recovery
To enable password recovery, use the service password-recovery command in global configuration mode. To disable password recovery, use the no form of this command. Password recovery is enabled by default, but you might want to disable it to ensure that unauthorized users cannot use the password recovery mechanism to compromise the security appliance.
service password-recovery
no service password-recovery
Syntax Description
This command has no arguments or keywords.
Defaults
Password recovery is enabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode                                Firewall Mode             Security Context
                                            Routed  Transparent       Single  Multiple Context  System
Global configuration                        •       •                 •       —                 •
Command History
Usage Guidelines
On the ASA 5500 series adaptive security appliance, if you forget the passwords, you can boot the security appliance into ROMMON by pressing the Escape key on the terminal keyboard when prompted during startup. Then set the security appliance to ignore the startup configuration by changing the configuration register (see the config-register command). For example, if your configuration register is the default 0x1, then change the value to 0x41 by entering the confreg 0x41 command. After reloading the security appliance, it loads a default configuration, and you can enter privileged EXEC mode using the default passwords. Then load the startup configuration by copying it to the running configuration and reset the passwords. Finally, set the security appliance to boot as before by setting the configuration register to the original setting. For example, enter the config-register 0x1 command in global configuration mode.
On the PIX 500 series security appliance, boot the security appliance into monitor mode by pressing the Escape key on the terminal keyboard when prompted during startup. Then download the PIX password tool to the security appliance, which erases all passwords and aaa authentication commands.
On the ASA 5500 series adaptive security appliance, the no service password-recovery command prevents a user from entering ROMMON with the configuration intact. When a user enters ROMMON, the security appliance prompts the user to erase all Flash file systems. The user cannot enter ROMMON without first performing this erasure. If a user chooses not to erase the Flash file system, the security appliance reloads. Because password recovery depends on using ROMMON and maintaining the existing configuration, this erasure prevents you from recovering a password. However, disabling password recovery prevents unauthorized users from viewing the configuration or inserting different passwords. In this case, to recover the system to an operating state, load a new image and a backup configuration file, if available.
The service password-recovery command appears in the configuration file for informational purposes only; when you enter the command at the CLI prompt, the setting is saved in NVRAM. The only way to change the setting is to enter the command at the CLI prompt. Loading a new configuration with a different version of the command does not change the setting.
If you disable password recovery when the security appliance is configured to ignore the startup configuration at startup (in preparation for password recovery), then the security appliance changes the setting to boot the startup configuration as usual. If you use failover, and the standby unit is configured to ignore the startup configuration, then the same change is made to the configuration register when the no service password-recovery command replicates to the standby unit.
On the PIX 500 series security appliance, the no service password-recovery command forces the PIX password tool to prompt the user to erase all Flash file systems. The user cannot use the PIX password tool without first performing this erasure. If a user chooses not to erase the Flash file system, the security appliance reloads. Because password recovery depends on maintaining the existing configuration, this erasure prevents you from recovering a password. However, disabling password recovery prevents unauthorized users from viewing the configuration or inserting different passwords. In this case, to recover the system to an operating state, load a new image and a backup configuration file, if available.
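The backup that the command's own warning asks for, done before recovery is disabled, and the check afterwards. This is an added example, not a procedure from the Cisco reference; the TFTP server address, the image file name and the backup file names are assumed values.

```cisco
! Added example, not from the Cisco reference. TFTP server address, image name
! and backup file names are assumed values. Run from privileged EXEC.
! 1. Keep an off-box copy of the configuration and the running image first:
!    once recovery is disabled, a lost password means ROMMON erases flash.
copy running-config tftp://10.10.0.9/asa-backup.cfg
copy disk0:/asa-image.bin tftp://10.10.0.9/asa-image.bin
! 2. Disable recovery at the CLI. The setting is kept in NVRAM; loading a
!    configuration file that contains the command does not change it.
configure terminal
 no service password-recovery
 end
! 3. Confirm the setting, then save. On a failover pair the command also
!    replicates to the standby unit.
show running-config | include password-recovery
write memory
```

Test the restore path (booting the saved image and loading the saved configuration) on a spare unit or in a maintenance window before you rely on it; after this point it is the only way back into a locked appliance.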
Examples
The following example disables password recovery for the ASA 5500 series adaptive security appliance:
hostname(config)# no service password-recovery
WARNING: Executing "no service password-recovery" has disabled the password recovery mechanism and disabled access to ROMMON. The only means of recovering from lost or forgotten passwords will be for ROMMON to erase all file systems including configuration files and images. You should make a backup of your configuration and have a mechanism to restore images from the ROMMON command line.
The following example disables password recovery for the PIX 500 series security appliance:
hostname(config)# no service password-recovery
WARNING: Saving "no service password-recovery" in the startup-config will disable password recovery via the npdisk application. The only means of recovering from lost or forgotten passwords will be for npdisk to erase all file systems including configuration files and images. You should make a backup of your configuration and have a mechanism to restore images from the Monitor Mode command line.
The following example for the ASA 5500 series adaptive security appliance shows when to enter ROMMON at startup and how to complete a password recovery operation.
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot interrupted.
Use ? for help.
rommon #0> confreg
Current Configuration Register: 0x00000001
Configuration Summary:
boot default image from Flash
Do you wish to change this configuration? y/n [n]: n
rommon #1> confreg 0x41
Update Config Register (0x41) in NVRAM...
rommon #2> boot
Launching BootLoader...
Boot configuration file contains 1 entry.
Loading disk0:/ASA_7.0.bin... Booting...
###################
...
Ignoring startup configuration as instructed by configuration register.
Type help or '?' for a list of available commands.
hostname> enable
Password:
hostname# configure terminal
hostname(config)# copy startup-config running-config
Destination filename [running-config]?
Cryptochecksum(unchanged): 7708b94c e0e3f0d5 c94dde05 594fbee9
892 bytes copied in 6.300 secs (148 bytes/sec)
hostname(config)# enable password NewPassword
hostname(config)# config-register 0x1
Related Commands
Command  Description
config-register
Sets the security appliance to ignore the startup configuration when it reloads.
enable password
Sets the enable password.
password
Sets the login password.
service-policy
To activate a policy map globally on all interfaces or on a targeted interface, use the service-policy command in global configuration mode. To disable the service policy, use the no form of this command. Use the service-policy command to enable a set of policies on an interface.
service-policy policymap_name [ global | interface intf ]
no service-policy policymap_name [ global | interface intf ]
Syntax Description
policymap_name
Specifies the name of the policy map to activate, as configured with the policy-map command.
global
Applies the policy map to all interfaces.
interface intf
Applies the policy map only to the named interface.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode             Firewall Mode        Security Context
                         Routed  Transparent  Single  Multiple
                                                      Context  System
Global configuration     •       •            •       •        —
Command History
Usage Guidelines
Interface service policies take precedence over the global service policy.
By default, the configuration includes a global policy that matches all default application inspection traffic and applies inspection to the traffic globally. You can only apply one global policy, so if you want to alter the global policy, you need to either edit the default policy or disable it and apply a new one.
The default service policy includes the following command:
service-policy global_policy global
Examples
The following example shows how to enable the inbound_policy policy map on the outside interface:
hostname(config)# service-policy inbound_policy interface outside
The following commands disable the default global policy and enable a new one called new_global_policy on all interfaces:
hostname(config)# no service-policy global_policy global
hostname(config)# service-policy new_global_policy global
Related Commands
session
To establish a Telnet session to an intelligent SSM, such as an AIP SSM or a CSC SSM, use the session command in privileged EXEC mode.
session slot [do | ip]
Syntax Description
slot
Specifies the slot number of the SSM to which you want to connect.
do
For use only when advised to do so by Cisco TAC.
ip
For use only when advised to do so by Cisco TAC.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode             Firewall Mode        Security Context
                         Routed  Transparent  Single  Multiple
                                                      Context  System
Privileged EXEC          •       •            •       —        •
Command History
Release  Modification
7.0(1)
This command was introduced.
7.1(1)
The do and ip keywords were added. These keywords are for use only when advised to do so by Cisco TAC.
Usage Guidelines
This command is only available when the SSM is in the Up state. See the show module command for state information.
To end a session, enter exit or Ctrl-Shift-6 then the X key.
Examples
The following example sessions to an SSM in slot 1:
hostname# session 1
Opening command session with slot 1.
Connected to slot 1. Escape character sequence is 'CTRL-^X'.
Related Commands
set connection
To specify connection values within a policy map for a traffic class, use the set connection command in class configuration mode. Use this command to specify the maximum number of simultaneous connections and to specify whether TCP sequence number randomization is enabled. To remove these specifications, thereby allowing unlimited connections, use the no form of this command.
set connection {[conn-max n] [embryonic-conn-max n] [per-client-embryonic-max n] [per-client-max n] [random-sequence-number {enable | disable}]}
no set connection {[conn-max n] [embryonic-conn-max n] [per-client-embryonic-max n] [per-client-max n] [random-sequence-number {enable | disable}]}
Syntax Description
conn-max n
Sets the maximum number of simultaneous connections allowed for the traffic class. 0 (the default) allows unlimited connections.
embryonic-conn-max n
Sets the maximum number of simultaneous embryonic (half-open TCP) connections allowed for the traffic class. 0 (the default) allows unlimited connections.
per-client-embryonic-max n
Sets the maximum number of simultaneous embryonic connections allowed per client. 0 (the default) allows unlimited connections.
per-client-max n
Sets the maximum number of simultaneous connections allowed per client. 0 (the default) allows unlimited connections.
random-sequence-number {enable | disable}
Enables or disables TCP initial sequence number randomization. Randomization is enabled by default.
Defaults
For the conn-max, embryonic-conn-max, per-client-embryonic-max, and per-client-max parameters, the default value of n is 0, which allows unlimited connections.
Sequence number randomization is enabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode             Firewall Mode        Security Context
                         Routed  Transparent  Single  Multiple
                                                      Context  System
Class configuration      •       •            •       •        —
Command History
Usage Guidelines
You can set limits for connections that go through the security appliance (see the class-map command), or for management connections to the security appliance (see the class-map type management command).
You can enter this command with multiple parameters or you can enter each parameter as a separate command. The security appliance combines the commands into one line in the running configuration. For example, if you entered the following two commands in Class configuration mode:
hostname(config-pmap-c)# set connection conn-max 600
hostname(config-pmap-c)# set connection embryonic-conn-max 50
the output of the show running-config policy-map command would display the result of the two commands in a single, combined command:
set connection conn-max 600 embryonic-conn-max 50
The set connection command parameters (conn-max, embryonic-conn-max, per-client-embryonic-max, per-client-max, random-sequence-number) can coexist with any nat or static command; that is, you can configure connection parameters either through the nat and static commands using the max-conn, emb_limit, or norandomseq keywords, or through the Modular Policy Framework set connection command using the conn-max, embryonic-conn-max, per-client-embryonic-max, per-client-max, or random-sequence-number parameters. A mixed configuration is not recommended, but if one exists, it behaves in the following ways:
•When a traffic class is subject to a connection limit or embryonic connection limit from both the Modular Policy Framework set connection command and the nat or static command, whichever limit is reached first is applied.
•When a TCP traffic class is configured to have sequence number randomization disabled by either the Modular Policy Framework set connection command or the nat or static command, then sequence number randomization is disabled.
Limiting the number of embryonic connections protects you from a DoS attack. The security appliance uses the per-client limits and the embryonic connection limit to trigger TCP Intercept, which protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination. TCP Intercept uses the SYN cookies algorithm to prevent TCP SYN-flooding attacks. A SYN-flooding attack consists of a series of SYN packets, usually originating from spoofed IP addresses. The constant flood of SYN packets keeps the server SYN queue full, which prevents it from servicing connection requests. When the embryonic connection threshold is crossed, the security appliance acts as a proxy for the server and generates a SYN-ACK response to the client SYN request. When the security appliance receives an ACK back from the client, it can then validate the client and allow the connection to the server.
The per-client-embryonic-max and per-client-max parameters limit the maximum number of connections that a client can open. If particular clients use more network resources simultaneously than is desired, you can use these parameters to limit the number of connections that the security appliance will allow specific clients.
By default, TCP management connections have TCP Intercept always enabled. When TCP Intercept is enabled, it intercepts the 3-way TCP connection establishment handshake packets and thus prevents the security appliance from processing the packets for WebVPN. WebVPN requires the ability to process the 3-way handshake packets to provide selective ACK and other TCP options for WebVPN connections. To disable TCP Intercept for management traffic, you can set the embryonic connection limit; only after the embryonic connection limit is reached is TCP Intercept enabled.
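The following is an added example, not Cisco code, that models the behaviour the usage guidelines above describe: embryonic connections are tracked until embryonic-conn-max or per-client-embryonic-max is reached, after which new SYNs are answered by the appliance with a SYN cookie and no state is kept until the client's ACK proves it is reachable. The 4-tuples, client ISNs, secret, and thresholds are constructed for the simulation; the cookie is an HMAC over the 4-tuple and client ISN, which is one common SYN-cookie construction and not necessarily the exact algorithm the appliance uses.

```python
"""Added example (not Cisco code): embryonic-connection limits and SYN-cookie
interception as described in the set connection usage guidelines. All
addresses, ISNs, the secret and the thresholds are constructed values."""
import hashlib
import hmac
import struct
from collections import defaultdict


class SynFloodGuard:
    """Tracks half-open (embryonic) connections and, once a limit is hit,
    answers new SYNs itself with a cookie ISN instead of keeping state."""

    def __init__(self, embryonic_conn_max, per_client_embryonic_max, secret):
        self.embryonic_conn_max = embryonic_conn_max              # 0 = unlimited, as on the ASA
        self.per_client_embryonic_max = per_client_embryonic_max  # 0 = unlimited
        self.secret = secret
        self.embryonic = {}                # 4-tuple -> client ISN for SYNs passed to the server
        self.per_client = defaultdict(int)
        self.established = set()
        self.intercepted = 0

    def _cookie(self, src, sport, dst, dport, client_isn):
        # Stateless: the ISN can be recomputed from the packet alone.
        msg = f"{src}:{sport}>{dst}:{dport}:{client_isn}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return struct.unpack(">I", mac[:4])[0]

    def _over_limit(self, src):
        if self.embryonic_conn_max and len(self.embryonic) >= self.embryonic_conn_max:
            return True
        if self.per_client_embryonic_max and self.per_client[src] >= self.per_client_embryonic_max:
            return True
        return False

    def on_syn(self, src, sport, dst, dport, client_isn):
        """("forward", None): SYN passed to the server and tracked as embryonic.
        ("intercept", cookie): appliance replies SYN-ACK with seq=cookie, stores nothing."""
        if not self._over_limit(src):
            self.embryonic[(src, sport, dst, dport)] = client_isn
            self.per_client[src] += 1
            return ("forward", None)
        self.intercepted += 1
        return ("intercept", self._cookie(src, sport, dst, dport, client_isn))

    def on_ack(self, src, sport, dst, dport, seq, ack):
        """Final ACK of the handshake: seq is client ISN + 1, ack is our ISN + 1."""
        key = (src, sport, dst, dport)
        if key in self.embryonic:
            # Server-side handshake completed normally; release the embryonic slot.
            del self.embryonic[key]
            self.per_client[src] -= 1
            self.established.add(key)
            return True
        # Intercepted path: rebuild the cookie and compare in constant time.
        client_isn = (seq - 1) & 0xFFFFFFFF
        expected = (self._cookie(src, sport, dst, dport, client_isn) + 1) & 0xFFFFFFFF
        if hmac.compare_digest(struct.pack(">I", expected), struct.pack(">I", ack & 0xFFFFFFFF)):
            self.established.add(key)   # only now would the connection be relayed to the server
            return True
        return False


def simulate_flood(n_spoofed=10000, embryonic_conn_max=100, per_client_embryonic_max=5):
    """Flood from 250 spoofed sources that never finish the handshake, then one
    legitimate client. Returns the counters a practitioner would look at."""
    guard = SynFloodGuard(embryonic_conn_max, per_client_embryonic_max, b"constructed-secret")
    for i in range(n_spoofed):
        guard.on_syn(f"198.51.100.{i % 250 + 1}", 40000 + i, "192.0.2.10", 80, i * 7919)
    half_open_after_flood = len(guard.embryonic)

    kind, cookie = guard.on_syn("203.0.113.5", 51515, "192.0.2.10", 80, 12345)
    if kind == "intercept":
        ok = guard.on_ack("203.0.113.5", 51515, "192.0.2.10", 80, 12346, cookie + 1)
        bogus = guard.on_ack("203.0.113.5", 51515, "192.0.2.10", 80, 12346, cookie + 2)
    else:
        ok = guard.on_ack("203.0.113.5", 51515, "192.0.2.10", 80, 12346, 0)
        bogus = False
    return {
        "half_open_after_flood": half_open_after_flood,
        "intercepted_syns": guard.intercepted,
        "legit_client_established": ok,
        "bogus_ack_rejected": not bogus,
    }


if __name__ == "__main__":
    print(simulate_flood())
    print(simulate_flood(embryonic_conn_max=0))   # only the per-client limit applies
```

With the global limit of 100 the table of half-open entries stops growing at 100 no matter how many spoofed SYNs arrive, and a real client that shows up afterwards still gets through because its ACK carries a valid cookie. With embryonic-conn-max left at 0 (unlimited), only the per-client limit holds the flood to five entries per spoofed source, which is why both limits are normally set together.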
Examples
The following example uses the set connection command to configure the maximum number of simultaneous connections as 256 and to disable TCP sequence number randomization:
hostname(config)# policy-map localpolicy1
hostname(config-pmap)# class local_server
hostname(config-pmap-c)# set connection conn-max 256 random-sequence-number disable
hostname(config-pmap-c)#
The following is an example of the use of the set connection command in a service policy that diverts traffic to a CSC SSM. The set connection command restricts each client whose traffic the CSC SSM scans to a maximum of five connections.
hostname(config)# policy-map csc_policy
hostname(config-pmap)# class local_server
hostname(config-pmap-c)# set connection per-client-max 5
hostname(config-pmap-c)# csc fail-close
hostname(config-pmap-c)#
Related Commands
set connection advanced-options
To specify advanced TCP connection options within a policy-map for a traffic class, use the set connection advanced-options command in class mode. To remove advanced TCP connection options for a traffic class within a policy map, use the no form of this command.
set connection advanced-options tcp-mapname
no set connection advanced-options tcp-mapname
Syntax Description
tcp-mapname
Specifies the name of a TCP map created with the tcp-map command.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode             Firewall Mode        Security Context
                         Routed  Transparent  Single  Multiple
                                                      Context  System
Class                    •       •            —       —        •
Command History
Usage Guidelines
You must have configured the policy-map command and the class command, as well as the TCP map name, before issuing this command. See the description of the tcp-map command for detailed information.
Examples
The following example shows the use of the set connection advanced-options command to specify the use of a TCP map named localmap:
hostname(config)# access-list http-server permit tcp any host 10.1.1.1
hostname(config)# class-map http-server
hostname(config-cmap)# match access-list http-server
hostname(config-cmap)# exit
hostname(config)# tcp-map localmap
hostname(config-tcp-map)# exit
hostname(config)# policy-map global_policy
hostname(config-pmap)# description This policy map defines a policy concerning connection to http server.
hostname(config-pmap)# class http-server
hostname(config-pmap-c)# set connection advanced-options localmap
hostname(config-pmap-c)#
Related Commands
set connection decrement-ttl
To decrement the time to live value within a policy map for a traffic class, use the set connection decrement-ttl command in class configuration mode. To not decrement the time to live, use the no form of this command.
set connection decrement-ttl
no set connection decrement-ttl
Syntax Description
This command has no arguments or keywords.
Defaults
By default, the security appliance does not decrement the time to live.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode             Firewall Mode        Security Context
                         Routed  Transparent  Single  Multiple
                                                      Context  System
Class configuration      •       •            •       •        —
Command History
Usage Guidelines
This command, along with the icmp unreachable command, is required to allow a traceroute through the security appliance that shows the security appliance as one of the hops.
Examples
The following example enables time to live decrements and sets the ICMP unreachable rate limit:
hostname(config)# policy-map localpolicy1
hostname(config-pmap)# class local_server
hostname(config-pmap-c)# set connection decrement-ttl
hostname(config-pmap-c)# exit
hostname(config)# icmp unreachable rate-limit 50 burst-size 6
Related Commands
set connection timeout
To configure the timeout period, after which an idle TCP connection is disconnected, use the set connection timeout command in class configuration mode. To remove the timeout, use the no form of this command.
set connection timeout {[tcp <value> [reset]] [half-closed <value>] [embryonic <value>] [dcd [<retry-interval> [max-retries]]]}
no set connection timeout {[tcp <value> [reset]] [half-closed <value>] [embryonic <value>] [dcd [<retry-interval> [max-retries]]]}
Syntax Description
tcp <value>
Specifies the idle timeout, in hh:mm:ss format, after which an established TCP connection is disconnected.
reset
Sends a TCP RST to both endpoints when the tcp idle timeout expires.
half-closed <value>
Specifies the idle timeout, in hh:mm:ss format, for a TCP connection that is in the closing (half-closed) state.
embryonic <value>
Specifies the timeout, in hh:mm:ss format, for an embryonic connection, that is, a TCP connection for which the three-way handshake has not completed.
dcd [<retry-interval> [max-retries]]
Enables dead connection detection. retry-interval sets the time, in hh:mm:ss format, between DCD probes, and max-retries sets the number of consecutive unanswered probes after which the connection is considered dead.
Defaults
The default embryonic value is 30 seconds.
The default half-closed value is 10 minutes.
The default max-retries value is 5.
The default retry-interval value is 15 seconds.
The default tcp value is 1 hour.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode             Firewall Mode        Security Context
                         Routed  Transparent  Single  Multiple
                                                      Context  System
Class configuration      •       •            —       —        •
Command History
Usage Guidelines
You must have configured the policy-map command and the class command before issuing this command.
A TCP connection for which a three-way handshake is not complete is an embryonic connection. For the embryonic connection timeout value, use 0:0:0 to specify that the connection never times out. Otherwise, the timeout duration must be at least 5 seconds.
When the TCP connection is in the closing state, use the half-closed parameter to configure the length of time until the connection is freed. Use 0:0:0 to specify that the connection never times out. The minimum timeout duration is 5 minutes.
The tcp inactive connection timeout configures the period after which an idle TCP connection in the established state is disconnected. Use 0:0:0 to specify that the connection never times out. The minimum timeout duration is 5 minutes.
The reset keyword is used to send a TCP RST packet to both end systems once an idle TCP connection has timed out. Some applications require a TCP RST after a timeout to perform properly.
Enabling DCD changes the behavior of idle-timeout handling in the TCP normalizer. Dead connection detection (DCD) probing resets the idle timeout on the connections seen in the show conn command. To identify connections that have exceeded the timeout value configured with the timeout command but are kept alive by DCD probing, use the show service-policy command, which includes counters showing the amount of DCD activity.
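The following is an added example, not Cisco code, that encodes the rules stated in the usage guidelines above (0:0:0 means the connection never times out, embryonic must be at least 5 seconds, tcp and half-closed at least 5 minutes) as a validator for the hh:mm:ss values and assembles the resulting set connection timeout line. The function names, the RULES table layout, and the (retry-interval, max-retries) tuple used for dcd are this example's own conventions.

```python
"""Added example (not Cisco code): validates set connection timeout values
against the documented minimums and builds the CLI line."""

# keyword -> (minimum seconds, documented default seconds)
RULES = {
    "tcp": (5 * 60, 60 * 60),
    "half-closed": (5 * 60, 10 * 60),
    "embryonic": (5, 30),
}
NEVER = 0  # the 0:0:0 value: the connection never times out


def parse_hms(text):
    """'0:05:00' -> 300. Raises ValueError on anything that is not h:mm:ss."""
    parts = text.split(":")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected h:mm:ss, got {text!r}")
    hours, minutes, seconds = (int(p) for p in parts)
    if minutes > 59 or seconds > 59:
        raise ValueError(f"minutes or seconds out of range in {text!r}")
    return hours * 3600 + minutes * 60 + seconds


def validate_timeout(keyword, text):
    """Returns the timeout in seconds (NEVER for 0:0:0) or raises ValueError
    when the value is below the documented minimum for that keyword."""
    if keyword not in RULES:
        raise ValueError(f"unknown timeout keyword {keyword!r}")
    seconds = parse_hms(text)
    minimum, _default = RULES[keyword]
    if seconds != NEVER and seconds < minimum:
        raise ValueError(f"{keyword} timeout {text} is below the minimum of {minimum} seconds")
    return seconds


def build_command(tcp=None, reset=False, half_closed=None, embryonic=None, dcd=None):
    """Assembles a 'set connection timeout ...' line from validated values.
    dcd is None (off) or a (retry_interval, max_retries) tuple with the
    interval in h:mm:ss form."""
    parts = ["set connection timeout"]
    if tcp is not None:
        validate_timeout("tcp", tcp)
        parts.append(f"tcp {tcp}" + (" reset" if reset else ""))
    elif reset:
        raise ValueError("reset only applies together with tcp")
    if half_closed is not None:
        validate_timeout("half-closed", half_closed)
        parts.append(f"half-closed {half_closed}")
    if embryonic is not None:
        validate_timeout("embryonic", embryonic)
        parts.append(f"embryonic {embryonic}")
    if dcd is not None:
        interval, retries = dcd
        parse_hms(interval)                # reject malformed intervals before emitting the line
        if int(retries) < 1:
            raise ValueError("dcd max-retries must be at least 1")
        parts.append(f"dcd {interval} {retries}")
    if len(parts) == 1:
        raise ValueError("at least one timeout option is required")
    return " ".join(parts)


if __name__ == "__main__":
    print(build_command(tcp="0:30:00", reset=True, embryonic="0:02:00", dcd=("0:00:15", 5)))
```

Rejecting out-of-range values before they reach the device matters because the appliance itself will refuse them, and a configuration push that half-applies a policy map is harder to diagnose than a validation error raised up front.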
Examples
The following running configuration shows a class map named dcd (matching the outside-acl access list) placed in the global policy with set connection timeout dcd, which enables dead connection detection with the default retry interval and maximum retries:
ASA Version 7.2(0)80
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.0.0 standby 192.168.0.2
!
interface Vlan2
 backup interface Vlan4
 nameif outside
 security-level 0
 ip address 17.12.9.1 255.255.0.0 standby 17.12.9.2
!
interface Vlan4
 nameif backifx
 security-level 0
 ip address 172.23.62.137 255.255.255.0 standby 172.23.62.136
!
interface Vlan150
 description LAN Failover Interface
!
interface Vlan160
 nameif dmz
 security-level 50
 ip address 172.16.0.1 255.255.0.0 standby 172.16.0.2
!
interface Ethernet0/0
 switchport access vlan 2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 switchport access vlan 160
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/4
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/5
 switchport access vlan 150
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/6
 switchport access vlan 4
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/7
 switchport access vlan 4
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/cdisk.7.2.0.80
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside-acl extended permit ip any any
access-list inside_nat0_outbound extended permit ip any 192.168.0.128 255.255.255.192
access-list outside_cryptomap extended permit ip any 192.168.0.128 255.255.255.192
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu backifx 1500
mtu dmz 1500
ip local pool vpnpool 192.168.0.150-192.168.0.160 mask 255.255.0.0
no failover
failover lan unit primary
failover lan interface fover Vlan150
failover interface ip fover 150.1.1.1 255.255.255.0 standby 150.1.1.2
asdm image disk0:/asdm-5211.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 17.12.9.51 192.168.0.3 netmask 255.255.255.255
static (inside,outside) 17.12.9.52 192.168.0.10 netmask 255.255.255.255
static (inside,outside) 17.12.9.54 192.168.0.4 netmask 255.255.255.255
static (inside,dmz) 172.16.0.13 192.168.0.3 netmask 255.255.255.255
static (inside,dmz) 172.16.0.14 192.168.0.100 netmask 255.255.255.255
static (dmz,outside) 17.12.9.53 172.16.0.20 netmask 255.255.255.255
access-group outside-acl in interface outside
access-group outside-acl in interface dmz
route outside 0.0.0.0 0.0.0.0 17.12.0.1 1 track 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy vpngroup internal
group-policy vpngroup attributes
 wins-server value 171.69.2.87
 dns-server value 171.70.168.183
 vpn-tunnel-protocol IPSec
 default-domain value cisco.com
username snoopy password wQO7//ZyQYDXv5q. encrypted privilege 15
aaa authentication telnet console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 10
 type echo protocol ipIcmpEcho 17.12.0.1 interface outside
 frequency 5
sla monitor schedule 10 life forever start-time now
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside0 20 set transform-set ESP-3DES-SHA
crypto map outside 20 ipsec-isakmp dynamic outside0
crypto map outside interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
track 1 rtr 10 reachability
tunnel-group vpngroup type ipsec-ra
tunnel-group vpngroup general-attributes
 address-pool vpnpool
 default-group-policy vpngroup
tunnel-group vpngroup ipsec-attributes
 pre-shared-key *
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map dcd
 match access-list outside-acl
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
 class dcd
  set connection timeout dcd
!
service-policy global_policy global
tftp-server outside 17.12.9.152 test1.cfg
prompt hostname context
Cryptochecksum:dc412a5fe2003621d7d723420da6e8d5
: end
ciscoasa(config)#
Related Commands
set metric
To set the metric value for a routing protocol, use the set metric command in route-map configuration mode. To return to the default metric value, use the no form of this command.
set metric value
no set metric value
Syntax Description
value
Specifies the metric value, an integer from 0 to 4294967295.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode             Firewall Mode        Security Context
                         Routed  Transparent  Single  Multiple
                                                      Context  System
Route-map configuration  •       —            •       —        —
Command History
Usage Guidelines
The no set metric value command allows you to return to the default metric value. In this context, the value is an integer from 0 to 4294967295.
Examples
The following example shows how to configure a route map for OSPF routing:
hostname(config)# route-map maptag1 permit 8
hostname(config-route-map)# set metric 5
hostname(config-route-map)# match metric 5
hostname(config-route-map)# show route-map
route-map maptag1 permit 8
set metric 5
match metric 5
hostname(config-route-map)# exit
hostname(config)#
Related Commands
set metric-type
To specify the type of OSPF metric routes, use the set metric-type command in route-map configuration mode. To return to the default setting, use the no form of this command.
set metric-type {type-1 | type-2}
no set metric-type
Syntax Description
type-1
Specifies OSPF external type 1 routes. The metric of a type 1 external route is the external cost plus the internal cost of reaching the advertising ASBR, so it grows as the route propagates through the autonomous system.
type-2
Specifies OSPF external type 2 routes. The metric of a type 2 external route is the external cost alone, regardless of the internal cost of reaching the ASBR; a type 2 metric is always considered larger than any type 1 metric.
Defaults
The default is type-2.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode             Firewall Mode        Security Context
                         Routed  Transparent  Single  Multiple
                                                      Context  System
Route-map configuration  •       —            •       —        —
Command History
Examples
The following example shows how to configure a route map for OSPF routing:
hostname(config)# route-map maptag1 permit 8
hostname(config-route-map)# set metric 5
hostname(config-route-map)# match metric 5
hostname(config-route-map)# set metric-type type-2
hostname(config-route-map)# show route-map
route-map maptag1 permit 8
set metric 5
set metric-type type-2
match metric 5
hostname(config-route-map)# exit
hostname(config)#
Related Commands
setup
To configure a minimal configuration for the security appliance using interactive prompts, enter the setup command in global configuration mode. This configuration provides connectivity to use ASDM. See also the configure factory-default command to restore the default configuration.
setup
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode             Firewall Mode        Security Context
                         Routed  Transparent  Single  Multiple
                                                      Context  System
Global configuration     •       •            •       •        •
Command History
Usage Guidelines
The setup dialog automatically appears at boot time if there is no startup configuration in Flash memory.
Before you can use the setup command, you must have an inside interface already configured. The PIX 500 series default configuration includes an inside interface (Ethernet 1), but the ASA 5500 series default configuration does not. Before using the setup command, enter the interface command for the interface you want to make inside, and then the nameif inside command.
In multiple context mode, you can use the setup command in the system execution space and for each context.
When you enter the setup command, you are asked for the information in Table 23-1. The system setup command includes a subset of these prompts. If there is already a configuration for the prompted parameter, it appears in brackets so you can either accept it as the default or override it by entering something new.
Examples
This example shows how to complete the setup command prompts:
hostname(config)# setup
Pre-configure Firewall now through interactive prompts [yes]? yes
Firewall Mode [Routed]: routed
Enable password [<use current password>]: writer
Allow password recovery [yes]? yes
Clock (UTC):
Year: 2005
Month: Nov
Day: 15
Time: 10:0:0
Inside IP address: 192.168.1.1
Inside network mask: 255.255.255.0
Host name: tech_pubs
Domain name: your_company.com
IP address of host running Device Manager: 10.1.1.1
The following configuration will be used:
Enable password: writer
Allow password recovery: yes
Clock (UTC): 20:54:44 Sep 17 2005
Firewall Mode: Routed
Inside IP address: 192.168.1.1
Inside network mask: 255.255.255.0
Host name: tech_pubs
Domain name: your_company.com
IP address of host running Device Manager: 10.1.1.1
Use this configuration and write to flash? yes
Related Commands
show aaa local user
To show the list of usernames that are currently locked, or to show details about the username, use the show aaa local user command in global configuration mode.
show aaa local user [locked]
Syntax Description
locked
Shows only the usernames that are currently locked out.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode             Firewall Mode        Security Context
                         Routed  Transparent  Single  Multiple
                                                      Context  System
Global configuration     •       •            •       •        —
Command History
Usage Guidelines
If you omit the optional keyword locked, the security appliance displays the failed-attempts and lockout status details for all AAA local users.
You can specify a single user by using the username option or all users with the all option.
This command affects only the status of users that are locked out.
The administrator cannot be locked out of the device.
Examples
The following example shows the use of the show aaa local user command to display the number of failed authentication attempts and lockout status details for all AAA local users, after the limit has been set to 5:
hostname(config)# aaa local authentication attempts max-fail 5
hostname(config)# show aaa local user
Lock-time  Failed-attempts  Locked  User
-          6                Y       test
-          2                N       mona
-          1                N       cisco
-          4                N       newuser
hostname(config)#
The following example shows the use of the show aaa local user command with the locked keyword to display the number of failed authentication attempts and lockout status details only for locked-out AAA local users, after the limit has been set to 5:
hostname(config)# aaa local authentication attempts max-fail 5
hostname(config)# show aaa local user locked
Lock-time  Failed-attempts  Locked  User
-          6                Y       test
hostname(config)#
Related Commands
show aaa-server
To display statistics for AAA servers, use the show aaa-server command in privileged EXEC mode.
show aaa-server [LOCAL | groupname [host hostname] | protocol protocol]
Syntax Description
LOCAL
Shows statistics for the LOCAL user database.
groupname
Shows statistics for the servers in the named server group.
host hostname
Shows statistics for a particular server in the group.
protocol protocol
Shows statistics for all servers that use the specified protocol.
Defaults
By default, all AAA server statistics display.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode             Firewall Mode        Security Context
                         Routed  Transparent  Single  Multiple
                                                      Context  System
Privileged EXEC          •       •            •       •        —
Command History
Release  Modification
7.1(1)
The http-form protocol was added.
8.0(2)
The server status now shows if the status was changed manually using the aaa-server active or fail command.
Examples
This example shows the use of the show aaa-server command to display statistics for a particular host in server group group1:
hostname(config)# show aaa-server group1 host 192.68.125.60
Server Group:    group1
Server Protocol: RADIUS
Server Address:  192.68.125.60
Server port:     1645
Server status:   ACTIVE. Last transaction (success) at 11:10:08 UTC Fri Aug 22
Number of pending requests          20
Average round trip time             4ms
Number of authentication requests   20
Number of authorization requests    0
Number of accounting requests       0
Number of retransmissions           1
Number of accepts                   16
Number of rejects                   4
Number of challenges                5
Number of malformed responses       0
Number of bad authenticators        0
Number of timeouts                  0
Number of unrecognized responses    0
Field descriptions for the show aaa-server command are shown below:
Related Commands
show access-list
To display the counters for an access list, use the show access-list command in privileged EXEC mode.
show access-list id_1 [...[id_2]] [brief]
Syntax Description
id_1
Specifies the identifier of the access list to display.
[...[id_2]]
Specifies additional access list identifiers to display in the same command.
brief
Displays the access list hit counts and the per-entry configuration identifiers in hexadecimal format.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode             Firewall Mode        Security Context
                         Routed  Transparent  Single  Multiple
                                                      Context  System
Privileged EXEC          •       •            •       •        —
Command History
Usage Guidelines
You can display multiple access lists at one time by entering the access list identifiers in one command.
You can specify the brief keyword to display access list hit count and identifiers information in hexadecimal format. The configuration identifiers displayed in hexadecimal format are presented in two columns, and are the same identifiers used in syslog 106023 and 106100.
Examples
The following is sample output from the show access-list command:
hostname# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list 101; 10 elements
access-list 101 line 1 extended permit tcp any eq www any (hitcnt=0) 0xa14fc533
access-list 101 line 2 extended permit tcp any eq www any eq www (hitcnt=0) 0xaa73834e
access-list 101 line 3 extended permit tcp any eq www any range telnet www (hitcnt=0) 0x49ac02e6
access-list 101 line 4 extended permit tcp any range telnet www any range telnet www (hitcnt=0) 0xa0021a9f
access-list 101 line 5 extended permit udp any range biff www any (hitcnt=0) 0xf89a7328
access-list 101 line 6 extended permit udp any lt ntp any (hitcnt=0) 0x8983c43
access-list 101 line 7 extended permit udp any any lt ntp (hitcnt=0) 0xf361ffb6
access-list 101 line 8 extended permit udp any any range ntp biff (hitcnt=0) 0x219581
access-list 101 line 9 extended permit icmp any any (hitcnt=0) 0xe8fa08e1
access-list 101 line 10 extended permit icmp any any echo (hitcnt=0) 0x2eb8deea
access-list 102; 1 elements
access-list 102 line 1 extended permit icmp any any echo (hitcnt=0) 0x59e2fea8
The output contains a unique hexadecimal identifier for each access control entry at the end of each line.
The following is sample output from the show access-list brief command:
hostname (config)# sh access-list abc brief
abc:
28676dfa 00000000 00000001
bbec063f f0109e02 000000a1
3afd0576 f0109e02 000000c2
a83ddc02 f0109e02 00000021
hostname (config)#
The first two columns display identifiers in hexadecimal format, and the third column lists the hit count in hexadecimal format. The hit count value represents the number of times the rule has been hit by traffic. If the hit count is zero, no information is displayed.
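The following is an added example, not Cisco code, showing how the identifiers in the two outputs above are used in practice: it parses show access-list output into a lookup keyed by the per-entry hexadecimal identifier, resolves the identifier carried in a 106100 syslog message back to the rule that generated it, lists entries that have never matched, and parses the brief form. SAMPLE_SHOW and SAMPLE_BRIEF are copied from the sample output above; SAMPLE_SYSLOG is constructed in the 106100 message format (the hash codes appear in brackets after the hit count) and was not captured from a device.

```python
"""Added example (not Cisco code): correlate show access-list identifiers with
syslog 106100 messages. SAMPLE_SYSLOG is a constructed line."""
import re

ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<ace>.+?) "
    r"\(hitcnt=(?P<hits>\d+)\) (?P<id>0x[0-9a-fA-F]+)$"
)
BRIEF_ROW_RE = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8}) ([0-9a-f]{8})$")
SYSLOG_RE = re.compile(
    r"106100: access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) "
    r"(?P<proto>\S+) .+?hit-cnt (?P<hits>\d+) .*\[(?P<id>0x[0-9a-fA-F]+), "
    r"(?P<id2>0x[0-9a-fA-F]+)\]"
)

# Lines copied from the show access-list sample above.
SAMPLE_SHOW = """\
access-list 101; 10 elements
access-list 101 line 1 extended permit tcp any eq www any (hitcnt=0) 0xa14fc533
access-list 101 line 9 extended permit icmp any any (hitcnt=0) 0xe8fa08e1
access-list 102; 1 elements
access-list 102 line 1 extended permit icmp any any echo (hitcnt=0) 0x59e2fea8
"""
SAMPLE_BRIEF = """\
abc:
28676dfa 00000000 00000001
bbec063f f0109e02 000000a1
3afd0576 f0109e02 000000c2
a83ddc02 f0109e02 00000021
"""
# Constructed syslog line in the 106100 format, not captured from a device.
SAMPLE_SYSLOG = ("%ASA-6-106100: access-list 101 permitted tcp inside/10.1.1.5(40212) -> "
                 "outside/192.0.2.80(80) hit-cnt 1 first hit [0xa14fc533, 0x0]")


def parse_show_access_list(text):
    """{identifier (int): {"acl", "line", "ace", "hits"}} for every ACE line.
    Summary lines such as 'access-list 101; 10 elements' are skipped."""
    aces = {}
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            aces[int(m["id"], 16)] = {
                "acl": m["acl"], "line": int(m["line"]),
                "ace": m["ace"], "hits": int(m["hits"]),
            }
    return aces


def parse_brief(text):
    """{(id1, id2): hit count} from the rows of show access-list ... brief."""
    rows = {}
    for raw in text.splitlines():
        m = BRIEF_ROW_RE.match(raw.strip())
        if m:
            rows[(int(m[1], 16), int(m[2], 16))] = int(m[3], 16)
    return rows


def resolve_syslog(aces, line):
    """Maps a 106100 message to the ACE that generated it, or None."""
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    return aces.get(int(m["id"], 16))


def unused_aces(aces):
    """(acl, line) pairs whose hit count is still zero: candidates for cleanup."""
    return sorted((a["acl"], a["line"]) for a in aces.values() if a["hits"] == 0)


if __name__ == "__main__":
    table = parse_show_access_list(SAMPLE_SHOW)
    print(resolve_syslog(table, SAMPLE_SYSLOG))
    print(unused_aces(table))
    print(parse_brief(SAMPLE_BRIEF))
```

Keying on the identifier rather than on the line number is deliberate: line numbers shift whenever an entry is inserted above, whereas the hash stays with the entry, which is what makes it usable for correlating a syslog message collected days earlier with the rule that is still in the configuration.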
Related Commands
show activation-key
To display the commands in the configuration for features that are enabled by your activation key, including the number of contexts allowed, use the show activation-key command in privileged EXEC mode.
show activation-key
Syntax Description
This command has no arguments or keywords.
Defaults
This command has no default settings.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode             Firewall Mode        Security Context
                         Routed  Transparent  Single  Multiple
                                                      Context  System
Privileged EXEC          •       •            •       •        •
Command History
Usage Guidelines
The show activation-key command output indicates the status of the activation key as follows:
•If the activation key in the security appliance Flash file system is the same as the activation key running on the security appliance, then the show activation-key output reads as follows:
The flash activation key is the SAME as the running key.
•If the activation key in the security appliance Flash file system is different from the activation key running on the security appliance, then the show activation-key output reads as follows:
The flash activation key is DIFFERENT from the running key.
The flash activation key takes effect after the next reload.
•If you downgrade your activation key, the display shows that the running key (the old key) differs from the key that is stored in the Flash (the new key). When you restart, the security appliance uses the new key.
•If you upgrade your key to enable extra features, the new key starts running immediately without a restart.
•For the PIX Firewall platform, if there is any change in the failover feature (R/UR/FO) between the new key and the old key, the security appliance prompts for confirmation. If you enter n, the change is aborted; otherwise the key in the Flash file system is updated. When you restart, the security appliance uses the new key.
•If you downgrade to an earlier release, your key for the current release might allow for more security contexts than the earlier release supports. When the value of the security contexts in the key exceeds the platform limit, the following message appears in the show activation-key output:
The Running Activation Key feature: 50 security contexts exceeds the limit in the platform, reduce to 20 security contexts.
•If you downgrade to an earlier release, your key for the current release might enable GTP/GPRS even though it is not allowed in the earlier release. When the key enables GTP/GPRS but the software version does not allow it, the following message appears in the show activation-key output:
The Running Activation Key feature: GTP/GPRS is not allowed in the platform, disable GTP/GPRS.
Examples
This example shows how to display the commands in the configuration for features that are enabled by your activation key:
hostname(config)# show activation-key
Serial Number: P3000000134
Running Activation Key: 0xyadayada 0xyadayada 0xyadayada 0xyadayada 0xyadayada
The Running Activation Key feature: 50 security contexts exceeds the limit in the platform, reduce to 20 security contexts.
The Running Activation Key feature: GTP/GPRS is not allowed in the platform, disable GTP/GPRS.
License Features for this Platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 50
Inside Hosts : Unlimited
Failover : Enabled
VPN-DES : Enabled
VPN-3DES-AES : Disabled
Cut-through Proxy : Enabled
Guards : Enabled
URL-filtering : Enabled
Security Contexts : 20
GTP/GPRS : Disabled
VPN Peers : 5000
Advanced Endpoint Assessment : Disabled
The flash activation key is the SAME as the running key.
hostname(config)#
This example shows how to display the commands in the configuration for features on the ASA 5580 that are enabled by your activation key:
hostname(config)# show activation-key
Serial Number: JAB12345678
Running Activation Key: 0xyadayada 0xyadayada 0xyadayada 0xyadayada 0xyadayada
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 250
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 10000
Total VPN Peers : 10000
AnyConnect Mobile : Disabled
Linksys VPN phone : Disabled
Advanced Endpoint Assessment : Enabled
Licensed Cores : 8
This platform has an ASA5580-40 VPN Premium license.
The flash activation key is the SAME as the running key.
Related Commands
show admin-context
To display the context name currently assigned as the admin context, use the show admin-context command in privileged EXEC mode.
show admin-context
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode       Firewall Mode            Security Context
                   Routed   Transparent     Single   Multiple/Context   Multiple/System
Privileged EXEC    •        •               —        —                  •
Command History
Examples
The following is sample output from the show admin-context command. It shows an admin context called "admin" whose configuration is stored in the root directory of flash:
hostname# show admin-context
Admin: admin flash:/admin.cfg
Related Commands
show arp
To view the ARP table, use the show arp command in privileged EXEC mode. This command shows dynamic and manual ARP entries, but does not identify the origin of each entry.
show arp
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode       Firewall Mode            Security Context
                   Routed   Transparent     Single   Multiple/Context   Multiple/System
Privileged EXEC    •        •               •        •                  —
Command History
Examples
The following is sample output from the show arp command:
hostname# show arp
inside 10.86.195.205 0008.023b.9892
inside 10.86.194.170 0001.023a.952d
inside 10.86.194.172 0001.03cf.9e79
inside 10.86.194.1 00b0.64ea.91a2
inside 10.86.194.146 000b.fcf8.c4ad
inside 10.86.194.168 000c.ce6f.9b7e
Related Commands
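Because show arp does not say whether an entry is static or learned, an operator can only judge the table against a baseline of expected bindings. The following Python is an added example, not code from the Cisco reference: it parses show arp output in the interface / IP / MAC layout shown above, flags entries whose MAC differs from a constructed baseline, and lists MACs that answer for more than one IP on the same interface (a review item rather than a verdict, since a router legitimately holds several addresses). The sample table is the six entries above plus one constructed entry.

```python
import re
from collections import defaultdict

# Constructed sample: the six show arp entries above plus one constructed entry
# (10.86.194.9) that shares the gateway's MAC, to exercise the shared-MAC check.
SHOW_ARP = """\
inside 10.86.195.205 0008.023b.9892
inside 10.86.194.170 0001.023a.952d
inside 10.86.194.172 0001.03cf.9e79
inside 10.86.194.1 00b0.64ea.91a2
inside 10.86.194.146 000b.fcf8.c4ad
inside 10.86.194.168 000c.ce6f.9b7e
inside 10.86.194.9 00b0.64ea.91a2
"""

# Constructed baseline of bindings the operator expects. The gateway entry matches
# the table; the 10.86.194.170 entry deliberately does not, so it is reported.
EXPECTED = {
    ("inside", "10.86.194.1"): "00b0.64ea.91a2",
    ("inside", "10.86.194.170"): "0001.023a.aaaa",
}

# Matches the "<interface> <ipv4> <xxxx.xxxx.xxxx>" layout of the output above.
ARP_RE = re.compile(
    r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})$"
)


def parse_show_arp(text):
    """Return a list of (interface, ip, mac) tuples; non-matching lines are ignored."""
    entries = []
    for raw in text.splitlines():
        m = ARP_RE.match(raw.strip())
        if m:
            entries.append(m.groups())
    return entries


def baseline_mismatches(entries, expected):
    """Entries whose MAC differs from the baseline: (iface, ip, seen_mac, expected_mac)."""
    out = []
    for iface, ip, mac in entries:
        want = expected.get((iface, ip))
        if want is not None and want != mac:
            out.append((iface, ip, mac, want))
    return out


def shared_macs(entries):
    """MACs that appear behind more than one IP on the same interface."""
    seen = defaultdict(set)
    for iface, ip, mac in entries:
        seen[(iface, mac)].add(ip)
    return {key: sorted(ips) for key, ips in seen.items() if len(ips) > 1}


if __name__ == "__main__":
    table = parse_show_arp(SHOW_ARP)
    for iface, ip, mac, want in baseline_mismatches(table, EXPECTED):
        print(f"MISMATCH {iface} {ip}: table has {mac}, baseline expects {want}")
    for (iface, mac), ips in shared_macs(table).items():
        print(f"REVIEW   {iface} {mac} answers for {', '.join(ips)}")
```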
show arp-inspection
To view the ARP inspection setting for each interface, use the show arp-inspection command in privileged EXEC mode.
show arp-inspection
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode       Firewall Mode            Security Context
                   Routed   Transparent     Single   Multiple/Context   Multiple/System
Privileged EXEC    —        •               •        •                  —
Command History
Examples
The following is sample output from the show arp-inspection command:
hostname# show arp-inspection
interface arp-inspection miss
----------------------------------------------------
inside1 enabled flood
outside disabled -
The miss column shows the default action to take for non-matching packets when ARP inspection is enabled, either "flood" or "no-flood."
Related Commands
show arp statistics
To view ARP statistics, use the show arp statistics command in privileged EXEC mode.
show arp statistics
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode       Firewall Mode            Security Context
                   Routed   Transparent     Single   Multiple/Context   Multiple/System
Privileged EXEC    •        •               •        •                  —
Command History
Examples
The following is sample output from the show arp statistics command:
hostname# show arp statistics
Number of ARP entries:
ASA : 6
Dropped blocks in ARP: 6
Maximum Queued blocks: 3
Queued blocks: 1
Interface collision ARPs Received: 5
ARP-defense Gratuitous ARPS sent: 4
Total ARP retries: 15
Unresolved hosts: 1
Maximum Unresolved hosts: 2
Table 2 shows each field description.
Related Commands
show asdm history
To display the contents of the ASDM history buffer, use the show asdm history command in privileged EXEC mode.
show asdm history [view timeframe] [snapshot] [feature feature] [asdmclient]
Syntax Description
Defaults
If no arguments or keywords are specified, all history information for all features is displayed.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode       Firewall Mode            Security Context
                   Routed   Transparent     Single   Multiple/Context   Multiple/System
Privileged EXEC    •        •               •        •                  •
Command History
Release Modification
7.0(1)
This command was changed from the show pdm history command to the show asdm history command.
Usage Guidelines
The show asdm history command displays the contents of the ASDM history buffer. Before you can view ASDM history information, you must enable ASDM history tracking using the asdm history enable command.
Examples
The following is sample output from the show asdm history command. It limits the output to data for the outside interface collected during the last 10 minutes.
hostname# show asdm history view 10m feature interface outside
Input KByte Count:[ 10s:12:46:41 Mar 1 2005 ] 62640 62636 62633 62628 62622 62616 62609
Output KByte Count:[ 10s:12:46:41 Mar 1 2005 ] 25178 25169 25165 25161 25157 25151 25147
Input KPacket Count:[ 10s:12:46:41 Mar 1 2005 ] 752 752 751 751 751 751 751
Output KPacket Count:[ 10s:12:46:41 Mar 1 2005 ] 55 55 55 55 55 55 55
Input Bit Rate:[ 10s:12:46:41 Mar 1 2005 ] 3397 2843 3764 4515 4932 5728 4186
Output Bit Rate:[ 10s:12:46:41 Mar 1 2005 ] 7316 3292 3349 3298 5212 3349 3301
Input Packet Rate:[ 10s:12:46:41 Mar 1 2005 ] 5 4 6 7 6 8 6
Output Packet Rate:[ 10s:12:46:41 Mar 1 2005 ] 1 0 0 0 0 0 0
Input Error Packet Count:[ 10s:12:46:41 Mar 1 2005 ] 0 0 0 0 0 0 0
No Buffer:[ 10s:12:46:41 Mar 1 2005 ] 0 0 0 0 0 0 0
Received Broadcasts:[ 10s:12:46:41 Mar 1 2005 ] 375974 375954 375935 375902 375863 375833 375794
Runts:[ 10s:12:46:41 Mar 1 2005 ] 0 0 0 0 0 0 0
Giants:[ 10s:12:46:41 Mar 1 2005 ] 0 0 0 0 0 0 0
CRC:[ 10s:12:46:41 Mar 1 2005 ] 0 0 0 0 0 0 0
Frames:[ 10s:12:46:41 Mar 1 2005 ] 0 0 0 0 0 0 0
Overruns:[ 10s:12:46:41 Mar 1 2005 ] 0 0 0 0 0 0 0
Underruns:[ 10s:12:46:41 Mar 1 2005 ] 0 0 0 0 0 0 0
Output Error Packet Count:[ 10s:12:46:41 Mar 1 2005 ] 0 0 0 0 0 0 0
Collisions:[ 10s:12:46:41 Mar 1 2005 ] 0 0 0 0 0 0 0
LCOLL:[ 10s:12:46:41 Mar 1 2005 ] 0 0 0 0 0 0 0
Reset:[ 10s:12:46:41 Mar 1 2005 ] 0 0 0 0 0 0 0
Deferred:[ 10s:12:46:41 Mar 1 2005 ] 0 0 0 0 0 0 0
Lost Carrier:[ 10s:12:46:41 Mar 1 2005 ] 0 0 0 0 0 0 0
Hardware Input Queue:[ 10s:12:46:41 Mar 1 2005 ] 128 128 128 128 128 128 128
Software Input Queue:[ 10s:12:46:41 Mar 1 2005 ] 0 0 0 0 0 0 0
Hardware Output Queue:[ 10s:12:46:41 Mar 1 2005 ] 0 0 0 0 0 0 0
Software Output Queue:[ 10s:12:46:41 Mar 1 2005 ] 0 0 0 0 0 0 0
Drop KPacket Count:[ 10s:12:46:41 Mar 1 2005 ] 0 0 0 0 0 0 0
hostname#
The following is sample output from the show asdm history command. Like the previous example, it limits the output to data for the outside interface collected during the last 10 minutes. However, in this example the output is formatted for the ASDM client.
hostname# show asdm history view 10m feature interface outside asdmclient
MH|IBC|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|62439|62445|62453|62457|62464|62469|62474|62486|62489|62496|62501|62506|62511|62518|62522|62530|62534|62539|62542|62547|62553|62556|62562|62568|62574|62581|62585|62593|62598|62604|62609|62616|62622|62628|62633|62636|62640|62653|62657|62665|62672|62678|62681|62686|62691|62695|62700|62704|62711|62718|62723|62728|62733|62738|62742|62747|62751|62761|62770|62775|
MH|OBC|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|25023|25023|25025|25025|25025|25026|25026|25032|25038|25044|25052|25056|25060|25064|25070|25076|25083|25087|25091|25096|25102|25106|25110|25114|25118|25122|25128|25133|25137|25143|25147|25151|25157|25161|25165|25169|25178|25321|25327|25332|25336|25341|25345|25349|25355|25359|25363|25367|25371|25375|25381|25386|25390|25395|25399|25403|25410|25414|25418|25422|
MH|IPC|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|749|749|749|749|749|750|750|750|750|750|750|750|750|750|750|750|750|750|750|750|751|751|751|751|751|751|751|751|751|751|751|751|751|751|751|752|752|752|752|752|752|752|752|752|752|752|752|752|752|753|753|753|753|753|753|753|753|753|753|753|
MH|OPC|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|55|56|56|56|56|56|56|56|56|56|56|56|56|56|56|56|56|56|
MH|IBR|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|7127|5155|6202|3545|5408|3979|4381|9492|3033|4962|4571|4226|3760|5923|3265|6494|3441|3542|3162|4076|4744|2726|4847|4292|5401|5166|3735|6659|3837|5260|4186|5728|4932|4515|3764|2843|3397|10768|3080|6309|5969|4472|2780|4492|3540|3664|3800|3002|6258|5567|4044|4059|4548|3713|3265|4159|3630|8235|6934|4298|
MH|OBR|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|82791|57|1410|588|57|639|0|4698|5068|4992|6495|3292|3292|3352|5061|4808|5205|3931|3298|3349|5064|3439|3356|3292|3343|3349|5067|3883|3356|4500|3301|3349|5212|3298|3349|3292|7316|116896|5072|3881|3356|3931|3298|3349|5064|3292|3349|3292|3292|3349|5061|3883|3356|3931|3452|3356|5064|3292|3349|3292|
MH|IPR|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|12|8|6|5|7|5|6|14|5|7|7|5|6|9|5|8|6|5|5|7|6|5|6|5|6|7|6|8|6|6|6|8|6|7|6|4|5|19|5|8|7|6|4|7|5|6|6|5|7|8|6|6|7|5|5|7|6|9|7|6|
MH|OPR|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|12|0|1|0|0|0|0|4|0|2|2|0|0|0|0|1|1|0|0|0|0|0|0|0|0|0|0|0|0|1|0|0|0|0|0|0|1|28|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
MH|IERR|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
MH|NB|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
MH|RB|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|374874|374911|374943|374967|375010|375038|375073|375113|375140|375160|375181|375211|375243|375289|375316|375350|375373|375395|375422|375446|375481|375498|375535|375561|375591|375622|375654|375701|375738|375761|375794|375833|375863|375902|375935|375954|375974|375999|376027|376075|376115|376147|376168|376200|376224|376253|376289|376315|376365|376400|376436|376463|376508|376530|376553|376583|376614|376668|376714|376749|
MH|RNT|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
MH|GNT|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
MH|CRC|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
MH|FRM|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
MH|OR|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
MH|UR|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
MH|OERR|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
MH|COLL|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
MH|LCOLL|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
MH|RST|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
MH|DEF|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
MH|LCR|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
MH|HIQ|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|128|
MH|SIQ|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
MH|HOQ|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
MH|SOQ|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
MH|DPC|10|CURFACT|0|CURVAL|0|TIME|1109703031|MAX|60|NUM|60|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|
hostname#
The following is sample output from the show asdm history command using the snapshot keyword:
hostname# show asdm history view 10m snapshot
Available 4 byte Blocks: [ 10s] : 100
Used 4 byte Blocks: [ 10s] : 0
Available 80 byte Blocks: [ 10s] : 100
Used 80 byte Blocks: [ 10s] : 0
Available 256 byte Blocks: [ 10s] : 2100
Used 256 byte Blocks: [ 10s] : 0
Available 1550 byte Blocks: [ 10s] : 7425
Used 1550 byte Blocks: [ 10s] : 1279
Available 2560 byte Blocks: [ 10s] : 40
Used 2560 byte Blocks: [ 10s] : 0
Available 4096 byte Blocks: [ 10s] : 30
Used 4096 byte Blocks: [ 10s] : 0
Available 8192 byte Blocks: [ 10s] : 60
Used 8192 byte Blocks: [ 10s] : 0
Available 16384 byte Blocks: [ 10s] : 100
Used 16384 byte Blocks: [ 10s] : 0
Available 65536 byte Blocks: [ 10s] : 10
Used 65536 byte Blocks: [ 10s] : 0
CPU Utilization: [ 10s] : 31
Input KByte Count: [ 10s] : 62930
Output KByte Count: [ 10s] : 26620
Input KPacket Count: [ 10s] : 755
Output KPacket Count: [ 10s] : 58
Input Bit Rate: [ 10s] : 24561
Output Bit Rate: [ 10s] : 518897
Input Packet Rate: [ 10s] : 48
Output Packet Rate: [ 10s] : 114
Input Error Packet Count: [ 10s] : 0
No Buffer: [ 10s] : 0
Received Broadcasts: [ 10s] : 377331
Runts: [ 10s] : 0
Giants: [ 10s] : 0
CRC: [ 10s] : 0
Frames: [ 10s] : 0
Overruns: [ 10s] : 0
Underruns: [ 10s] : 0
Output Error Packet Count: [ 10s] : 0
Collisions: [ 10s] : 0
LCOLL: [ 10s] : 0
Reset: [ 10s] : 0
Deferred: [ 10s] : 0
Lost Carrier: [ 10s] : 0
Hardware Input Queue: [ 10s] : 128
Software Input Queue: [ 10s] : 0
Hardware Output Queue: [ 10s] : 0
Software Output Queue: [ 10s] : 0
Drop KPacket Count: [ 10s] : 0
Input KByte Count: [ 10s] : 3672
Output KByte Count: [ 10s] : 4051
Input KPacket Count: [ 10s] : 19
Output KPacket Count: [ 10s] : 20
Input Bit Rate: [ 10s] : 0
Output Bit Rate: [ 10s] : 0
Input Packet Rate: [ 10s] : 0
Output Packet Rate: [ 10s] : 0
Input Error Packet Count: [ 10s] : 0
No Buffer: [ 10s] : 0
Received Broadcasts: [ 10s] : 1458
Runts: [ 10s] : 1
Giants: [ 10s] : 0
CRC: [ 10s] : 0
Frames: [ 10s] : 0
Overruns: [ 10s] : 0
Underruns: [ 10s] : 0
Output Error Packet Count: [ 10s] : 0
Collisions: [ 10s] : 63
LCOLL: [ 10s] : 0
Reset: [ 10s] : 0
Deferred: [ 10s] : 15
Lost Carrier: [ 10s] : 0
Hardware Input Queue: [ 10s] : 128
Software Input Queue: [ 10s] : 0
Hardware Output Queue: [ 10s] : 0
Software Output Queue: [ 10s] : 0
Drop KPacket Count: [ 10s] : 0
Input KByte Count: [ 10s] : 0
Output KByte Count: [ 10s] : 0
Input KPacket Count: [ 10s] : 0
Output KPacket Count: [ 10s] : 0
Input Bit Rate: [ 10s] : 0
Output Bit Rate: [ 10s] : 0
Input Packet Rate: [ 10s] : 0
Output Packet Rate: [ 10s] : 0
Input Error Packet Count: [ 10s] : 0
No Buffer: [ 10s] : 0
Received Broadcasts: [ 10s] : 0
Runts: [ 10s] : 0
Giants: [ 10s] : 0
CRC: [ 10s] : 0
Frames: [ 10s] : 0
Overruns: [ 10s] : 0
Underruns: [ 10s] : 0
Output Error Packet Count: [ 10s] : 0
Collisions: [ 10s] : 0
LCOLL: [ 10s] : 0
Reset: [ 10s] : 0
Deferred: [ 10s] : 0
Lost Carrier: [ 10s] : 0
Hardware Input Queue: [ 10s] : 128
Software Input Queue: [ 10s] : 0
Hardware Output Queue: [ 10s] : 0
Software Output Queue: [ 10s] : 0
Drop KPacket Count: [ 10s] : 0
Input KByte Count: [ 10s] : 0
Output KByte Count: [ 10s] : 0
Input KPacket Count: [ 10s] : 0
Output KPacket Count: [ 10s] : 0
Input Bit Rate: [ 10s] : 0
Output Bit Rate: [ 10s] : 0
Input Packet Rate: [ 10s] : 0
Output Packet Rate: [ 10s] : 0
Input Error Packet Count: [ 10s] : 0
No Buffer: [ 10s] : 0
Received Broadcasts: [ 10s] : 0
Runts: [ 10s] : 0
Giants: [ 10s] : 0
CRC: [ 10s] : 0
Frames: [ 10s] : 0
Overruns: [ 10s] : 0
Underruns: [ 10s] : 0
Output Error Packet Count: [ 10s] : 0
Collisions: [ 10s] : 0
LCOLL: [ 10s] : 0
Reset: [ 10s] : 0
Deferred: [ 10s] : 0
Lost Carrier: [ 10s] : 0
Hardware Input Queue: [ 10s] : 128
Software Input Queue: [ 10s] : 0
Hardware Output Queue: [ 10s] : 0
Software Output Queue: [ 10s] : 0
Drop KPacket Count: [ 10s] : 0
Available Memory: [ 10s] : 205149944
Used Memory: [ 10s] : 63285512
Xlate Count: [ 10s] : 0
Connection Count: [ 10s] : 0
TCP Connection Count: [ 10s] : 0
UDP Connection Count: [ 10s] : 0
URL Filtering Count: [ 10s] : 0
URL Server Filtering Count: [ 10s] : 0
TCP Fixup Count: [ 10s] : 0
TCP Intercept Count: [ 10s] : 0
HTTP Fixup Count: [ 10s] : 0
FTP Fixup Count: [ 10s] : 0
AAA Authentication Count: [ 10s] : 0
AAA Authorzation Count: [ 10s] : 0
AAA Accounting Count: [ 10s] : 0
Current Xlates: [ 10s] : 0
Max Xlates: [ 10s] : 0
ISAKMP SAs: [ 10s] : 0
IPSec SAs: [ 10s] : 0
L2TP Sessions: [ 10s] : 0
L2TP Tunnels: [ 10s] : 0
hostname#
Related Commands
show asdm image
To display the current ASDM software image file, use the show asdm image command in privileged EXEC mode.
show asdm image
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode       Firewall Mode            Security Context
                   Routed   Transparent     Single   Multiple/Context   Multiple/System
Privileged EXEC    •        •               •        —                  •
Command History
Release Modification
7.0(1)
This command was changed from the show pdm image command to the show asdm image command.
Examples
The following is sample output from the show asdm image command:
hostname# show asdm image
Device Manager image file, flash:/ASDM
Related Commands
show asdm log_sessions
To display a list of active ASDM logging sessions and their associated session IDs, use the show asdm log_sessions command in privileged EXEC mode.
show asdm log_sessions
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode       Firewall Mode            Security Context
                   Routed   Transparent     Single   Multiple/Context   Multiple/System
Privileged EXEC    •        •               •        •                  —
Command History
Usage Guidelines
Each active ASDM session has one or more associated ASDM logging sessions. ASDM uses the logging session to retrieve syslog messages from the security appliance. Each ASDM logging session is assigned a unique session ID. You can use this session ID with the asdm disconnect log_session command to terminate the specified session.
Note Because each ASDM session has at least one ASDM logging session, the output of the show asdm sessions and show asdm log_sessions commands may appear to be the same.
Examples
The following is sample output from the show asdm log_sessions command:
hostname# show asdm log_sessions
0 192.168.1.11
1 192.168.1.2
Related Commands
show asdm sessions
To display a list of active ASDM sessions and their associated session IDs, use the show asdm sessions command in privileged EXEC mode.
show asdm sessions
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode       Firewall Mode            Security Context
                   Routed   Transparent     Single   Multiple/Context   Multiple/System
Privileged EXEC    •        •               •        •                  —
Command History
Release Modification
7.0(1)
This command was changed from the show pdm sessions command to the show asdm sessions command.
Usage Guidelines
Each active ASDM session is assigned a unique session ID. You can use this session ID with the asdm disconnect command to terminate the specified session.
Examples
The following is sample output from the show asdm sessions command:
hostname# show asdm sessions
0 192.168.1.11
1 192.168.1.2
Related Commands