null  null
C H A P T E R
21
packet-tracer through pwd Commands
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-1
Chapter 21
packet-tracer through pwd Commands
packet-tracer
packet-tracer
To enable packet tracing capabilities for packet sniffing and network fault isolation, use the
packet-tracer commandin privileged EXEC configuration mode. To disable packet capture capabilities,
use the no form of this command.
packet-tracer input [1-255] [src_int] protocol src_addr src_port dest_addr dest_port [detailed]
[xml]
no packet-tracer
Syntax Description
1-255
Specifies the IP protocol ID or next header range.
input src_int
Specifies the source interface for the packet trace.
protocol
Specifies the protocol type for the packet trace. Available protocol type keywords
are icmp, rawip, tcp or udp.
src_addr
Specifies the source address for the packet trace.
src_port
Specifies the source port for the packet trace.
dest_addr
Specifies the destination address for the packet trace.
dest_port
Specifies the destination port for the packet trace.
detailed
(Optional) Provides detailed packet trace information.
xml
(Optional) Displays the trace capture in XML format.
Defaults
This command has no default settings.
Command Modes
The following table shows the modes in which you can enter the command:
Firewall Mode
Security Context
Multiple
Command Mode
Routed
Priveleged EXEC mode
Command History
•
Transparent Single
—
Release
Modification
7.2(1)
This command was introduced.
•
Context
•
System
•
Cisco ASA 5500 Series Command Reference
21-2
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
packet-tracer
Usage Guidelines
In addition to capturing packets, it is possible to trace the lifespan of a packet through the security
appliance to see if it is behaving as expected. The packet-tracer command lets you do the following:
•
Debug all packet drops in production network.
•
Verify the configuration is working as intended.
•
Show all rules applicable to a packet along with the CLI lines which caused the rule addition.
•
Show a time line of packet changes in a data path.
•
Inject tracer packets into the data path.
The packet-tracer command provides detailed information about the packets and how they are
processed by the security appliance. In the instance that a command from the configuration did not cause
the packet to drop, the packet-tracer command will provide information about the cause in an easily
readable manner. For example if a packet was dropped because of an invalid header validation, a message
is displayed that says, “packet dropped due to bad ip header (reason).”
Examples
To enable packet tracing from inside host 10.2.25.3 to external host 209.165.202.158 with detailed
information, enter the following:
hostname# packet-tracer input inside tcp 10.2.25.3 www 209.165.202.158 aol detailed
Related Commands
Command
Description
capture
Captures packet information, including trace packets.
show capture
Displays the capture configuration when no options are specified.
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-3
Chapter 21
packet-tracer through pwd Commands
page style
page style
To customize the WebVPN page displayed to WebVPN users when they connect to the security
appliance, use the page style command in webvpn customization configuration mode. To remove the
command from the configuration and cause the value to be inherited, use the no form of this command.
page style value
[no] page style value
Syntax Description
value
Defaults
The default page style is background-color:white;font-family:Arial,Helv,sans-serif
Command Modes
The following table shows the modes in which you can enter the command:
Cascading Style Sheet (CSS) parameters (maximum 256 characters).
Firewall Mode
Security Context
Multiple
Command Mode
Routed
Webvpn customization
configuration
Command History
Usage Guidelines
•
Transparent Single
Context
System
—
—
—
Release
Modification
7.1(1)
This command was introduced.
•
The style option is expressed as any valid Cascading Style Sheet (CSS) parameters. Describing these
parameters is beyond the scope of this document. For more information about CSS parameters, consult
CSS specifications at the World Wide Web Consortium (W3C) website at www.w3.org. Appendix F of
the CSS 2.1 Specification contains a convenient list of CSS parameters, and is available at
www.w3.org/TR/CSS21/propidx.html.
Here are some tips for making the most common changes to the WebVPN pages—the page colors:
Note
•
You can use a comma-separated RGB value, an HTML color value, or the name of the color if
recognized in HTML.
•
RGB format is 0,0,0, a range of decimal numbers from 0 to 255 for each color (red, green, blue); the
comma separated entry indicates the level of intensity of each color to combine with the others.
•
HTML format is #000000, six digits in hexadecimal format; the first and second represent red, the
third and fourth green, and the fifth and sixth represent blue.
To easily customize the WebVPN pages, we recommend that you use ASDM, which has convenient
features for configuring style elements, including color swatches and preview capabilities.
Cisco ASA 5500 Series Command Reference
21-4
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
page style
Examples
The following example customizes the page style to large:
F1-asa1(config)# webvpn
F1-asa1(config-webvpn)# customization cisco
F1-asa1(config-webvpn-custom)# page style font-size:large
Related Commands
Command
Description
logo
Customizes the logo on the WebVPN page.
title
Customizes the title of the WebVPN page
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-5
Chapter 21
packet-tracer through pwd Commands
pager
pager
To set the default number of lines on a page before the “---more---” prompt appears for Telnet sessions,
use the pager command in global configuration mode.
pager [lines] lines
Syntax Description
[lines] lines
Defaults
The default is 24 lines.
Command Modes
The following table shows the modes in which you can enter the command:
Sets the number of lines on a page before the “---more---” prompt appears. The
default is 24 lines; 0 means no page limit. The range is 0 through 2147483647 lines. The
lines keyword is optional and the command is the same with or without it.
Firewall Mode
Security Context
Multiple
Command Mode
Routed
Global configuration
Command History
Usage Guidelines
•
Transparent Single
•
•
Context
•
System
•
Release
Modification
7.0(1)
This command was changed from a privileged EXEC mode command to a
global configuration mode command. The terminal pager command was
added as the privileged EXEC mode command.
This command changes the default pager line setting for Telnet sessions. If you want to temporarily
change the setting only for the current session, use the terminal pager command.
If you Telnet to the admin context, then the pager line setting follows your session when you change to
other contexts, even if the pager command in a given context has a different setting. To change the
current pager setting, enter the terminal pager command with a new setting, or you can enter the pager
command in the current context. In addition to saving a new pager setting to the context configuration,
the pager command applies the new setting to the current Telnet session.
Examples
The following example changes the number of lines displayed to 20:
hostname(config)# pager 20
Related Commands
Cisco ASA 5500 Series Command Reference
21-6
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
pager
Command
Description
clear configure terminal
Clears the terminal display width setting.
show running-config terminal
Displays the current terminal settings.
terminal
Allows system log messsages to display on the Telnet session.
terminal pager
Sets the number of lines to display in a Telnet session before the
“---more---” prompt. This command is not saved to the
configuration.
terminal width
Sets the terminal display width in global configuration mode.
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-7
Chapter 21
packet-tracer through pwd Commands
parameters
parameters
To enter parameters configuration mode to set parameters for an inspection policy map, use the
parameters command in policy-map configuration mode.
parameters
Syntax Description
This command has no arguments or keywords.
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Firewall Mode
Security Context
Multiple
Command Mode
Routed
Policy-map configuration
Command History
Usage Guidelines
•
Transparent Single
•
Release
Modification
7.2(1)
This command was introduced.
•
Context
•
System
—
Modular Policy Framework lets you configure special actions for many application inspections. When
you enable an inspection engine using the inspect command in the Layer 3/4 policy map (the
policy-map command), you can also optionally enable actions as defined in an inspection policy map
created by the policy-map type inspect command. For example, enter the inspect dns dns_policy_map
command where dns_policy_map is the name of the inspection policy map.
An inspection policy map may support one or more parameters commands. Parameters affect the
behavior of the inspection engine. The commands available in parameters configuration mode depend
on the application.
Cisco ASA 5500 Series Command Reference
21-8
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
parameters
Examples
The following example shows how to set the maximum message length for DNS packets in the default
inspection policy map:
hostname(config)# policy-map type inspect dns preset_dns_map
hostname(config-pmap)# parameters
hostname(config-pmap-p)# message-length maximum 512
Related Commands
Command
Description
class
Identifies a class map name in the policy map.
class-map type
inspect
Creates an inspection class map to match traffic specific to an application.
policy-map
Creates a Layer 3/4 policy map.
show running-config Display all current policy map configurations.
policy-map
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-9
Chapter 21
packet-tracer through pwd Commands
participate
participate
To force the device to participate in the virtual load-balancing cluster, use the participate command in
VPN load-balancing configuration mode. To remove a device from participation in the cluster, use the
no form of this command.
participate
no participate
Syntax Description
This command has no arguments or keywords.
Defaults
The default behavior is that the device does not participate in the vpn load-balancing cluster.
Command Modes
The following table shows the modes in which you can enter the command:
Firewall Mode
Security Context
Multiple
Command Mode
Routed
VPN load-balancing
configuration
Command History
Usage Guidelines
•
Transparent Single
Context
System
—
—
—
Release
Modification
7.0(1)
This command was introduced.
•
You must first configure the interface using the interface and nameif commands, and use the vpn
load-balancing command to enter VPN load-balancing mode. You must also have previously configured
the cluster IP address using the cluster ip command and configured the interface to which the virtual
cluster IP address refers.
This command forces this device to participate in the virtual load-balancing cluster. You must explicitly
issue this command to enable participation for a device.
All devices that participate in a cluster must share the same cluster-specific values: ip address,
encryption settings, encryption key, and port.
Note
When using encryption, you must have previously configured the command isakmp enable inside,
where inside designates the load-balancing inside interface. If isakmp is not enabled on the
load-balancing inside interface, you get an error message when you try to configure cluster encryption.
If isakmp was enabled when you configured the cluster encryption command, but was disabled before
you configured the participate command, you get an error message when you enter the participate
command, and the local device will not participate in the cluster.
Cisco ASA 5500 Series Command Reference
21-10
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
participate
Examples
The following is an example of a VPN load-balancing command sequence that includes a participate
command that enables the current device to participate in the vpn load-balancing cluster:
hostname(config)# interface GigabitEthernet 0/1
hostname(config-if)# ip address 209.165.202.159 255.255.255.0
hostname(config)# nameif test
hostname(config)# interface GigabitEthernet 0/2
hostname(config-if)# ip address 209.165.201.30 255.255.255.0
hostname(config)# nameif foo
hostname(config)# vpn load-balancing
hostname(config-load-balancing)# interface lbpublic test
hostname(config-load-balancing)# interface lbprivate foo
hostname(config-load-balancing)# cluster ip address 209.165.202.224
hostname(config-load-balancing)# participate
Related Commandsh
Command
Description
vpn load-balancing
Enter VPN load-balancing mode.
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-11
Chapter 21
packet-tracer through pwd Commands
passive-interface
passive-interface
To disable the transmission of RIP routing updates on an interface, use the passive-interface command
in router configuration mode. To reenable RIP routing updates on an interface, use the no form of this
command.
passive-interface {default | if_name}
no passive-interface {default | if_name}
Syntax Description
Defaults
default
(Optional) Set all interfaces to passive mode.
if_name
(Optional) Sets the specified interface to passive mode.
All interfaces are enabled for active RIP when RIP is enabled.
If an interface or the default keyword is not specified, the commands defaults to default and appears in
the configuration as passive-interface default.
Command Modes
The following table shows the modes in which you can enter the command:
Firewall Mode
Security Context
Multiple
Command Mode
Router configuration
Command History
Usage Guidelines
Routed
•
Transparent Single
Context
System
—
—
—
Release
Modification
7.2(1)
This command was introduced.
•
Enables passive RIP on the interface. The interface listens for RIP routing broadcasts and uses that
information to populate the routing tables but does not broadcast routing updates.
Cisco ASA 5500 Series Command Reference
21-12
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
passive-interface
Examples
The following example sets the outside interface to passive RIP. The other interfaces on the security
appliance send and receive RIP updates.
hostname(config)# router rip
hostname(config-router)# network 10.0.0.0
hostname(config-router)# passive-interface outside
Related Commands
Command
Description
clear configure rip
Clears all RIP commands from the running configuration.
router rip
Enables the RIP routing process and enters RIP router configuration mode.
show running-config
rip
Displays the RIP commands in the running configuration.
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-13
Chapter 21
packet-tracer through pwd Commands
passive-interface (EIGRP)
passive-interface (EIGRP)
To disable the sending and receiving of EIGRP routing updates on an interface, use the passive-interface
command in router configuration mode. To reenable routing updates on an interface, use the no form of
this command.
passive-interface {default | if_name}
no passive-interface {default | if_name}
Syntax Description
default
(Optional) Set all interfaces to passive mode.
if_name
(Optional) The name of the interface, as specified by the nameif command, to
passive mode.
Defaults
All interfaces are enabled for active routing (sending and receiving routing updates) when routing is
enabled for that interface.
Command Modes
The following table shows the modes in which you can enter the command:
Firewall Mode
Security Context
Multiple
Command Mode
Router configuration
Command History
Usage Guidelines
Routed
•
Transparent Single
Context
System
—
—
—
•
Release
Modification
7.2(1)
This command was introduced.
8.0(2)
Support for EIGRP routing was added.
Enables passive routing on the interface. For EIGRP, this disables the transmission and reception of
routing updates on that interface.
You can have more than one passive-interface command in the EIGRP configuration. You can use the
passive-interface default command to disable EIGRP routing on all interfaces, and then use the no
passive-interface command to enable EIGRP routing on specific interfaces.
Cisco ASA 5500 Series Command Reference
21-14
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
passive-interface (EIGRP)
Examples
The following example sets the outside interface to passive EIGRP. The other interfaces on the security
appliance send and receive EIGRP updates.
hostname(config)# router eigrp 100
hostname(config-router)# network 10.0.0.0
hostname(config-router)# passive-interface outside
The following example sets all interfaces except the inside interface to passive EIGRP. Only the inside
interface will send and receive EIGRP updates.
hostname(config)# router
hostname(config-router)#
hostname(config-router)#
hostname(config-router)#
Related Commands
eigrp 100
network 10.0.0.0
passive-interface default
no passive-interface inside
Command
Description
show running-config
router
Displays the router configuration commands in the running configuration.
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-15
Chapter 21
packet-tracer through pwd Commands
passwd
passwd
To set the login password, use the passwd command in global configuration mode. To set the password
back to the default of “cisco,” use the no form of this command. You are prompted for the login password
when you access the CLI as the default user using Telnet or SSH. After you enter the login password,
you are in user EXEC mode.
{passwd | password} password [encrypted]
no {passwd | password} password
Syntax Description
encrypted
(Optional) Specifies that the password is in encrypted form. The password is
saved in the configuration in encrypted form, so you cannot view the original
password after you enter it. If for some reason you need to copy the password
to another adaptive security appliance but do not know the original
password, you can enter the passwd command with the encrypted password
and this keyword. Normally, you only see this keyword when you enter the
show running-config passwd command.
passwd | password
You can enter either command; they are aliased to each other.
password
Sets the password as a case-sensitive string of up to 80 characters. The
password must not contains spaces.
Defaults
The default password is “cisco.”
Command Modes
The following table shows the modes in which you can enter the command:
Firewall Mode
Security Context
Multiple
Command Mode
Global configuration
Command History
Routed
•
Transparent Single
•
Release
Modification
Preexisting
This command was preexisting.
•
Context
•
System
—
Usage Guidelines
This login password is for the default user. If you configure CLI authentication per user for Telnet or
SSH using the aaa authentication console command, then this password is not used.
Examples
The following example sets the password to Pa$$w0rd:
hostname(config)# passwd Pa$$w0rd
Cisco ASA 5500 Series Command Reference
21-16
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
passwd
The following example sets the password to an encrypted password that you copied from another
adaptive security appliance:
hostname(config)# passwd jMorNbK0514fadBh encrypted
Related Commands
Command
Description
clear configure passwd Clears the login password.
enable
Enters privileged EXEC mode.
enable password
Sets the enable password.
show curpriv
Shows the currently logged in username and the user privilege level.
show running-config
passwd
Shows the login password in encrypted form.
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-17
Chapter 21
packet-tracer through pwd Commands
password (crypto ca trustpoint)
password (crypto ca trustpoint)
To specify a challenge phrase that is registered with the CA during enrollment, use the password
command in crypto ca trustpoint configuration mode. The CA typically uses this phrase to authenticate
a subsequent revocation request. To restore the default setting, use the no form of the command.
password string
no password
Syntax Description
string
Defaults
The default setting is to not include a password.
Command Modes
The following table shows the modes in which you can enter the command:
Specifies the name of the password as a character string. The first character
cannot be a number. The string can contain any alphanumeric characters,
including spaces, up to 80 characters. You cannot specify the password in
the format number-space-anything. The space after the number causes
problems. For example, “hello 21” is a legal password, but “21 hello” is not.
The password checking is case sensitive. For example, the password
“Secret” is different from the password “secret”.
Firewall Mode
Security Context
Multiple
Command Mode
Crypto ca trustpoint
configuration
Command History
Usage Guidelines
Routed
•
Transparent Single
•
Release
Modification
7.0
This command was introduced.
•
Context
•
System
•
This command lets you specify the revocation password for the certificate before actual certificate
enrollment begins. The specified password is encrypted when the updated configuration is written to
NVRAM by the adaptive security appliance.
If this command is enabled, you will not be prompted for a password during certificate enrollment.
Examples
The following example enters crypto ca trustpoint configuration mode for trustpoint central, and
includes a challenge phrase registered with the CA in the enrollment request for trustpoint central:
hostname(config)# crypto ca trustpoint central
hostname(ca-trustpoint)# password zzxxyy
Cisco ASA 5500 Series Command Reference
21-18
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
password (crypto ca trustpoint)
Related Commands
Command
Description
crypto ca trustpoint
Enters trustpoint configuration mode.
default enrollment
Returns enrollment parameters to their defaults.
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-19
Chapter 21
packet-tracer through pwd Commands
password-management
password-management
To enable password management, use the password-management command in tunnel-group
general-attributes configuration mode. To disable password management, use the no form of this
command. To reset the number of days to the default value, use the no form of the command with the
password-expire-in-days keyword specified.
password-management [password-expire-in-days days]
no password-management
no password-management password-expire-in-days [days]
Syntax Description
days
Specifies the number of days (0 through 180) before the current password
expires. This parameter is required if you specify the
password-expire-in-days keyword.
password-expire-indays
(Optional) Indicates that the immediately following parameter specifies the
number of days before the current password expires that the adaptive
security appliance starts warning the user about the pending expiration. This
option is valid only for LDAP servers. See the Usage Notes section for more
information.
Defaults
If you do not specify this command, no password management occurs. If you do not specify the
password-expire-in-days keyword, the default length of time to start warning before the current
password expires is 14 days.
Command Modes
The following table shows the modes in which you can enter the command:
Firewall Mode
Security Context
Multiple
Command Mode
Routed
Tunnel-group general-attributes
configuration
Command History
Usage Guidelines
•
Transparent Single
Context
System
—
—
—
Release
Modification
7.1(1)
This command was introduced.
•
The adaptive security appliance supports password management for the RADIUS and LDAP protocols.
It supports the “password-expire-in-days” option for LDAP only.
You can configure password management for IPSec remote access and SSL VPN tunnel-groups.
Cisco ASA 5500 Series Command Reference
21-20
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
password-management
When you configure the password-management command, the adaptive security appliance notifies the
remote user at login that the user’s current password is about to expire or has expired. The adaptive
security appliance then offers the user the opportunity to change the password. If the current password
has not yet expired, the user can still log in using that password.
This command is valid for AAA servers that support such notification. The adaptive security appliance
ignores this command if RADIUS or LDAP authentication has not been configured.
Note
Some RADIUS servers that support MSCHAP currently do not support MSCHAPv2. This command
requires MSCHAPv2 so please check with your vendor.
The adaptive security appliance, releases 7.1 and later, generally supports password management for the
following connection types when authenticating with LDAP or with any RADIUS configuration that
supports MS-CHAPv2:
•
AnyConnect VPN Client
•
IPSec VPN Client
•
Clientless SSL VPN
Password management is not supported for any of these connection types for Kerberos/Active Directory
(Windows password) or NT 4.0 Domain. The RADIUS server (for example, Cisco ACS) could proxy the
authentication request to another authentication server. However, from the adaptive security appliance
perspective, it is talking only to a RADIUS server.
Note
For LDAP, the method to change a password is proprietary for the different LDAP servers on the market.
Currently, the adaptive security appliance implements the proprietary password management logic only
for Microsoft Active Directory and Sun LDAP servers.
Native LDAP requires an SSL connection. You must enable LDAP over SSL before attempting to do
password management for LDAP. By default, LDAP uses port 636.
Note that this command does not change the number of days before the password expires, but rather, the
number of days ahead of expiration that the adaptive security appliance starts warning the user that the
password is about to expire.
If you do specify the password-expire-in-days keyword, you must also specify the number of days.
Specifying this command with the number of days set to 0 disables this command. The adaptive security
appliance does not notify the user of the pending expiration, but the user can change the password after
it expires.
Examples
The following example sets the days before password expiration to begin warning the user of the pending
expiration to 90 for the WebVPN tunnel group “testgroup”:
hostname(config)# tunnel-group testgroup type webvpn
hostname(config)# tunnel-group testgroup general-attributes
hostname(config-tunnel-general)# password-management password-expire-in-days 90
hostname(config-tunnel-general)#
The following example uses the default value of 14 days before password expiration to begin warning
the user of the pending expiration for the IPSec remote access tunnel group “QAgroup”:
hostname(config)# tunnel-group QAgroup type ipsec-ra
hostname(config)# tunnel-group QAgroup general-attributes
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-21
Chapter 21
packet-tracer through pwd Commands
password-management
hostname(config-tunnel-general)# password-management
hostname(config-tunnel-general)#
Related Commands
Command
Description
clear configure passwd Clears the login password.
passwd
Sets the login password.
radius-with-expiry
Enables negotiation of password update during RADIUS authentication
(Deprecated).
show running-config
passwd
Shows the login password in encrypted form.
tunnel-group
general-attributes
Configures the tunnel-group general-attributes values.
Cisco ASA 5500 Series Command Reference
21-22
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
password-parameter
password-parameter
To specify the name of the HTTP POST request parameter in which a user password must be submitted
for SSO authentication, use the password-parameter command in aaa-server- host configuration mode.
This is an SSO with HTTP Forms command.
password-parameter string
Note
To configure SSO with the HTTP protocol correctly, you must have a thorough working knowledge of
authentication and HTTP protocol exchanges.
Syntax Description
string
Defaults
There is no default value or behavior.
Command Modes
The following table shows the modes in which you can enter the command:
The name of the password parameter included in the HTTP POST request. The
maximum password length is 128 characters.
Firewall Mode
Security Context
Multiple
Command Mode
Routed
Aaa-server-host configuration
Command History
Usage Guidelines
Note
Examples
•
Transparent Single
Context
System
—
—
—
•
Release
Modification
7.1(1)
This command was introduced.
The WebVPN server of the adaptive security appliance uses an HTTP POST request to submit a single
sign-on authentication request to an authenticating web server. The required command
password-parameter specifies that the POST request must include a user password parameter for SSO
authentication.
At login, the user enters the actual password value which is entered into the POST request and passed
on to the authenticating web server.
The following example, entered in aaa-server-host configuration mode, specifies a password parameter
named user_password:
hostname(config)# aaa-server testgrp1 host example.com
hostname(config-aaa-server-host)# password-parameter user_password
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-23
Chapter 21
packet-tracer through pwd Commands
password-parameter
Related Commands
Command
Description
action-uri
Specifies a web server URI to receive a username and password
for single sign-on authentication.
auth-cookie-name
Specifies a name for the authentication cookie.
hidden-parameter
Creates hidden parameters for exchange with the authenticating
web server.
start-url
Specifies the URL at which to retrieve a pre-login cookie.
user-parameter
Specifies the name of the HTTP POST request parameter in
which a username must be submitted for SSO authentication.
Cisco ASA 5500 Series Command Reference
21-24
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
password-prompt
password-prompt
To customize the password prompt of the WebVPN page login box that is displayed to WebVPN users
when they connect to the security appliance, use the password-prompt command from webvpn
customization mode:
password-prompt {text | style} value
[no] password-prompt {text | style} value
To remove the command from the configuration and cause the value to be inherited, use the no form of
the command.
Syntax Description
Defaults
text
Specifies you are changing the text.
style
Specifies you are changing the style.
value
The actual text to display (maximum 256 characters), or Cascading Style Sheet
(CSS) parameters (maximum 256 characters).
The default text of the password prompt is “PASSWORD:”.
The default style of the password prompt is color:black;font-weight:bold;text-align:right.
Command Modes
The following table shows the modes in which you can enter the command:
Firewall Mode
Security Context
Multiple
Command Mode
Webvpn customization
Command History
Usage Guidelines
Routed
•
Transparent Single
Context
System
—
—
—
Release
Modification
7.1(1)
This command was introduced.
•
The style option is expressed as any valid Cascading Style Sheet (CSS) parameters. Describing these
parameters is beyond the scope of this document. For more information about CSS parameters, consult
CSS specifications at the World Wide Web Consortium (W3C) website at www.w3.org. Appendix F of
the CSS 2.1 Specification contains a convenient list of CSS parameters, and is available at
www.w3.org/TR/CSS21/propidx.html.
Here are some tips for making the most common changes to the WebVPN pages—the page colors:
•
You can use a comma-separated RGB value, an HTML color value, or the name of the color if
recognized in HTML.
•
RGB format is 0,0,0, a range of decimal numbers from 0 to 255 for each color (red, green, blue); the
comma separated entry indicates the level of intensity of each color to combine with the others.
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-25
Chapter 21
packet-tracer through pwd Commands
password-prompt
•
Note
Examples
HTML format is #000000, six digits in hexadecimal format; the first and second represent red, the
third and fourth green, and the fifth and sixth represent blue.
To easily customize the WebVPN pages, we recommend that you use ASDM, which has convenient
features for configuring style elements, including color swatches and preview capabilities.
In the following example, the text is changed to “Corporate Password:”, and the default style is changed
with the font weight increased to bolder:
F1-asa1(config)# webvpn
F1-asa1(config-webvpn)# customization cisco
F1-asa1(config-webvpn-custom)# password-prompt text Corporate Username:
F1-asa1(config-webvpn-custom)# password-prompt style font-weight:bolder
Related Commands
Command
Description
group-prompt
Customizes the group prompt of the WebVPN page
username-prompt
Customizes the username prompt of the WebVPN page
Cisco ASA 5500 Series Command Reference
21-26
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
password-storage
password-storage
To let users store their login passwords on the client system, use the password-storage enable command
in group-policy configuration mode or username configuration mode. To disable password storage, use
the password-storage disable command.
To remove the password-storage attribute from the running configuration, use the no form of this
command. This enables inheritance of a value for password-storage from another group policy.
password-storage {enable | disable}
no password-storage
Syntax Description
disable
Disables password storage.
enable
Enables password storage.
Defaults
Password storage is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Firewall Mode
Security Context
Multiple
Command Mode
Command History
Usage Guidelines
Routed
Transparent Single
Context
System
Group-policy
•
—
•
—
—
Username
•
—
•
—
—
Release
Modification
7.0
This command was introduced.
Enable password storage only on systems that you know to be in secure sites.
This command has no bearing on interactive hardware client authentication or individual user
authentication for hardware clients.
Examples
The following example shows how to enable password storage for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# password-storage enable
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-27
Chapter 21
packet-tracer through pwd Commands
peer-id-validate
peer-id-validate
To specify whether to validate the identity of the peer using the peer’s certificate, use the
peer-id-validate command in tunnel-group ipsec-attributes mode. To return to the default value, use the
no form of this command.
peer-id-validate option
no peer-id-validate
Syntax Description
option
Specifies one of the following options:
•
req: required
•
cert: if supported by certificate
•
nocheck: do not check
Defaults
The default setting for this command is req.
Command Modes
The following table shows the modes in which you can enter the command:
Firewall Mode
Security Context
Multiple
Command Mode
Routed
Tunnel-group ipsec attributes
Command History
•
Transparent Single
Context
System
—
—
—
Release
Modification
7.0.1
This command was introduced.
•
Usage Guidelines
You can apply this attribute to all IPSec tunnel-group types.
Examples
The following example entered in config-ipsec configuration mode, requires validating the peer using
the identity of the peer’s certificate for the IPSec LAN-to-LAN tunnel group named 209.165.200.225:
hostname(config)# tunnel-group 209.165.200.225 type IPSec_L2L
hostname(config)# tunnel-group 209.165.200.225 ipsec-attributes
hostname(config-tunnel-ipsec)# peer-id-validate req
hostname(config-tunnel-ipsec)#
Related Commands
Cisco ASA 5500 Series Command Reference
21-28
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
peer-id-validate
Command
Description
clear-configure
tunnel-group
Clears all configured tunnel groups.
show running-config
tunnel-group
Shows the tunnel group configuration for all tunnel groups or for a
particular tunnel group.
tunnel-group
ipsec-attributes
Configures the tunnel-group ipsec-attributes for this group.
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-29
Chapter 21
packet-tracer through pwd Commands
perfmon
perfmon
To display performance information, use the perfmon command in privileged EXEC mode.
perfmon {verbose | interval seconds | quiet | settings} [detail]
Syntax Description
verbose
Displays performance monitor information at the adaptive security appliance
console.
interval seconds
Specifies the number of seconds before the performance display is refreshed on
the console.
quiet
Disables the performance monitor displays.
settings
Displays the interval and whether it is quiet or verbose.
detail
Displays detailed information about performance.
Defaults
The seconds is 120 seconds.
Command Modes
The following table shows the modes in which you can enter the command:
Firewall Mode
Security Context
Multiple
Command History
Usage Guidelines
Command Mode
Routed
Transparent Single
Context
Privileged EXEC
•
•
•
•
System
Release
Modification
7.0
Support for this command was introduced on the adaptive security appliance.
7.2(1)
Support for the detail keyword was added.
The perfmon command allows you to monitor the performance of the adaptive security appliance. Use
the show perfmon command to display the information immediately. Use the perfmon verbose
command to display the information every 2 minutes continuously. Use the perfmon interval seconds
command with the perfmon verbose command to display the information continuously every number
of seconds that you specify.
An example of the performance information is displayed as follows:
PERFMON STATS: Current
Average
Xlates
20/s
33/s
Connections
110/s
10/s
TCP Conns
50/s
42/s
WebSns Req
4/s
2/s
TCP Fixup
20/s
15/s
Cisco ASA 5500 Series Command Reference
21-30
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
perfmon
HTTP Fixup
5/s
5/s
FTP Fixup
7/s
4/s
AAA Authen
10/s
5/s
AAA Author
9/s
5/s
AAA Account
3/s
3/s
This information lists the number of translations, connections, Websense requests, address translations
(called “fixups”), and AAA transactions that occur each second.
Examples
This example shows how to display the performance monitor statistics every 30 seconds on the adaptive
security appliance console:
hostname(config)# perfmon interval 120
hostname(config)# perfmon quiet
hostname(config)# perfmon settings
interval: 120 (seconds)
quiet
Related Commands
Command
Description
show perfmon
Displays performance information.
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-31
Chapter 21
packet-tracer through pwd Commands
periodic
periodic
To specify a recurring (weekly) time range for functions that support the time-range feature, use the
periodic command in time-range configuration mode. To disable, use the no form of this command.
periodic days-of-the-week time to [days-of-the-week] time
no periodic days-of-the-week time to [days-of-the-week] time
Syntax Description
days-of-the-week (Optional) The first occurrence of this argument is the starting day or day of the
week that the associated time range is in effect. The second occurrence is the ending
day or day of the week the associated statement is in effect.
This argument is any single day or combinations of days: Monday, Tuesday,
Wednesday, Thursday, Friday, Saturday, and Sunday. Other possible values are:
•
daily—Monday through Sunday
•
weekdays—Monday through Friday
•
weekend—Saturday and Sunday
If the ending days of the week are the same as the starting days of the week, you
can omit them.
time
Specifies the time in the format HH:MM. For example, 8:00 is 8:00 a.m. and 20:00
is 8:00 p.m.
to
Entry of the to keyword is required to complete the range “from start-time to
end-time.”
Defaults
If a value is not entered with the periodic command, access to the adaptive security appliance as defined
with the time-range command is in effect immediately and always on.
Command Modes
The following table shows the modes in which you can enter the command:
Firewall Mode
Security Context
Multiple
Command Mode
Time-range configuration
Command History
Usage Guidelines
Routed
•
Transparent Single
•
Release
Modification
7.0(1)
This command was introduced.
•
Context
•
System
—
To implement a time-based ACL, use the time-range command to define specific times of the day and
week. Then use the with the access-list extended time-range command to bind the time range to an
ACL.
Cisco ASA 5500 Series Command Reference
21-32
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
periodic
The periodic command is one way to specify when a time range is in effect. Another way is to specify
an absolute time period with the absolute command. Use either of these commands after the time-range
global configuration command, which specifies the name of the time range. Multiple periodic entries
are allowed per time-range command.
If the end days-of-the-week value is the same as the start value, you can omit them.
If a time-range command has both absolute and periodic values specified, then the periodic commands
are evaluated only after the absolute start time is reached, and are not further evaluated after the
absolute end time is reached.
The time-range feature relies on the system clock of the adaptive security appliance; however, the feature
works best with NTP synchronization.
Examples
Some examples follow:
If you want:
Enter this:
Monday through Friday, 8:00 a.m. to 6:00 p.m. only
periodic weekdays 8:00 to 18:00
Every day of the week, from 8:00 a.m. to 6:00 p.m. only
periodic daily 8:00 to 18:00
Every minute from Monday 8:00 a.m. to Friday 8:00 p.m.
periodic monday 8:00 to friday 20:00
All weekend, from Saturday morning through Sunday night
periodic weekend 00:00 to 23:59
Saturdays and Sundays, from noon to midnight
periodic weekend 12:00 to 23:59
The following example shows how to allow access to the adaptive security appliance on Monday through
Friday, 8:00 a.m. to 6:00 p.m. only:
hostname(config-time-range)# periodic weekdays 8:00 to 18:00
hostname(config-time-range)#
The following example shows how to allow access to the adaptive security appliance on specific days
(Monday, Tuesday, and Friday), 10:30 a.m. to 12:30 p.m.:
hostname(config-time-range)# periodic Monday Tuesday Friday 10:30 to 12:30
hostname(config-time-range)#
Related Commands
Command
Description
absolute
Defines an absolute time when a time range is in effect.
access-list extended
Configures a policy for permitting or denying IP traffic through the adaptive
security appliance.
default
Restores default settings for the time-range command absolute and
periodic keywords.
time-range
Defines access control to the adaptive security appliance based on time.
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-33
Chapter 21
packet-tracer through pwd Commands
permit errors
permit errors
To allow invalid GTP packets or packets that otherwise would fail parsing and be dropped, use the
permit errors command in GTP map configuration mode, which is accessed by using the gtp-map
command. To return to the default behavior, where all invalid packets or packets that failed, during
parsing, are dropped. use the no form of this command.
permit errors
no permit errors
Syntax Description
This command has no arguments or keywords.
Defaults
By default, all invalid packets or packets that failed, during parsing, are dropped.
Command Modes
The following table shows the modes in which you can enter the command:
Firewall Mode
Security Context
Multiple
Command Mode
GTP map configuration
Command History
Usage Guidelines
Examples
Routed
•
Transparent Single
•
Release
Modification
7.0(1)
This command was introduced.
•
Context
•
System
—
Use the permit errors command in GTP map configuration mode to allow any packets that are invalid
or encountered an error during inspection of the message to be sent through the adaptive security
appliance instead of being dropped.
The following example permits traffic containing invalid packets or packets that failed, during parsing:
hostname(config)# gtp-map qtp-policy
hostname(config-gtpmap)# permit errors
Related Commands
Commands
Description
clear service-policy
inspect gtp
Clears global GTP statistics.
gtp-map
Defines a GTP map and enables GTP map configuration mode.
inspect gtp
Applies a specific GTP map to use for application inspection.
Cisco ASA 5500 Series Command Reference
21-34
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
permit errors
Commands
Description
permit response
Supports load-balancing GSNs.
show service-policy
inspect gtp
Displays the GTP configuration.
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-35
Chapter 21
packet-tracer through pwd Commands
permit response
permit response
To support load-balancing GSNs, use the permit response command in GTP map configuration mode,
which is accessed by using the gtp-map command. Use the no form of this command to allow the
adaptive security appliance to drop GTP responses from GSNs other than the host to which the request
was sent.
permit response to-object-group to_obj_group_id from-object-group from_obj_group_id
no permit response to-object-group to_obj_group_id from-object-group from_obj_group_id
Syntax Description
from-object-group
from_obj_group_id
Specifies the name of the object-group configured with the object-group
command which can send responses to the set of GSNs in the object-group
specified by the to_obj_group_id argument. The adaptive security
appliance supports only object-groups containing network-objects with
IPv4 addresses. IPv6 addresses are currently not supported with GTP.
to-object-group
to_obj_group_id
Specifies the name of the object-group configured with the object-group
command which can receive responses from the set of GSNs in the
object-group specified by the from_obj_group_id argument. The adaptive
security appliance supports only object-groups containing network-objects
with IPv4 addresses. IPv6 addresses are currently not supported with GTP.
Defaults
By default, the adaptive security appliance drops GTP responses from GSNs other than the host to which
the request was sent.
Command Modes
The following table shows the modes in which you can enter the command:
Firewall Mode
Security Context
Multiple
Command Mode
GTP map configuration
Command History
Usage Guidelines
Routed
•
Transparent Single
•
Release
Modification
7.0(4)
This command was introduced.
•
Context
•
System
—
Use the permit response command in GTP map configuration mode to support load-balancing GSNs.
The permit response command configures the GTP map to allow GTP responses from a different GSN
than the response was sent to.
You identify the pool of load-balancing GSNs as a network object. Likewise, you identify the SGSN as
a network object. If the GSN responding belongs to the same object group as the GSN that the GTP
request was sent to and if the SGSN is in a object group that the responding GSN is permitted to send a
GTP response to, the adaptive security appliance permits the response.
Cisco ASA 5500 Series Command Reference
21-36
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
permit response
Examples
The following example permits GTP responses from any host on the 192.168.32.0 network to the host
with the IP address 192.168.112.57:
hostname(config)# object-group network gsnpool32
hostname(config-network)# network-object 192.168.32.0 255.255.255.0
hostname(config)# object-group network sgsn1
hostname(config-network)# network-object host 192.168.112.57
hostname(config-network)# exit
hostname(config)# gtp-map qtp-policy
hostname(config-gtpmap)# permit response to-object-group sgsn1 from-object-group gsnpool32
Related Commands
Commands
Description
clear service-policy
inspect gtp
Clears global GTP statistics.
gtp-map
Defines a GTP map and enables GTP map configuration mode.
inspect gtp
Applies a specific GTP map to use for application inspection.
permit errors
Allow invalid GTP packets.
show service-policy
inspect gtp
Displays the GTP configuration.
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-37
Chapter 21
packet-tracer through pwd Commands
pfs
pfs
To enable PFS, use the pfs enable command in group-policy configuration mode. To disable PFS, use
the pfs disable command. To remove the PFS attribute from the running configuration, use the no form
of this command.
pfs {enable | disable}
no pfs
Syntax Description
disable
Disables PFS.
enable
Enables PFS.
Defaults
PFS is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Firewall Mode
Security Context
Multiple
Command Mode
Routed
Group-policy configuration
Command History
Usage Guidelines
•
Transparent Single
Context
System
—
—
—
Release
Modification
7.0(1)
This command was introduced.
•
The PFS setting on the VPN Client and the adaptive security appliance must match.
use the no form of this command to allow the inheritance of a value for PFS from another group policy.
In IPSec negotiations, PFS ensures that each new cryptographic key is unrelated to any previous key.
Examples
The following example shows how to set PFS for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# pfs enable
Cisco ASA 5500 Series Command Reference
21-38
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
phone-proxy
phone-proxy
To configure the Phone Proxy instance, use the phone-proxy command in global configuration mode.
To remove the Phone Proxy instance, use the no form of this command.
phone-proxy phone_proxy_name
no phone-proxy phone_proxy_name
Syntax Description
phone_proxy_name
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Specifies the name of the Phone Proxy instance.
Firewall Mode
Security Context
Multiple
Command Mode
Routed
Global configuration
Command History
Usage Guidelines
•
Transparent Single
Context
System
—
—
—
Release
Modification
8.0(4)
The command was introduced.
•
Only one Phone Proxy instance can be configured on the adaptive security appliance.
If NAT is configured for the HTTP proxy server, the global or mapped IP address of the HTTP proxy
server with respect to the IP phones is written to the Phone Proxy configuration file.
Examples
The following example shows the use of the phone-proxy command to configure the Phone Proxy
instance:
hostname(config)# phone-proxy
hostname(config-phone-proxy)#
hostname(config-phone-proxy)#
hostname(config-phone-proxy)#
hostname(config-phone-proxy)#
hostname(config-phone-proxy)#
hostname(config-phone-proxy)#
hostname(config-phone-proxy)#
hostname(config-phone-proxy)#
asa_phone_proxy
tftp-server address 128.106.254.8 interface outside
media-termination address 192.0.2.25 interface inside
media-termination address 128.106.254.3 interface outside
tls-proxy asa_tlsp
ctl-file asactl
cluster-mode nonsecure
timeout secure-phones 00:05:00
disable service-settings
Related Commands
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-39
Chapter 21
packet-tracer through pwd Commands
phone-proxy
Command
Description
ctl-file (global)
Specifies the CTL file to create for Phone Proxy configuration or the CTL file
to parse from Flash memory.
ctl-file
(phone-proxy)
Specifies the CTL file to use for Phone Proxy configuration.
tls-proxy
Configures the TLS proxy instance.
Cisco ASA 5500 Series Command Reference
21-40
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
pim
pim
To re-enable PIM on an interface, use the pim command in interface configuration mode. To disable
PIM, use the no form of this command.
pim
no pim
Syntax Description
This command has no arguments or keywords.
Defaults
The multicast-routing command enables PIM on all interfaces by default.
Command Modes
The following table shows the modes in which you can enter the command:
Firewall Mode
Security Context
Multiple
Command Mode
Routed
Interface configuration
Command History
Usage Guidelines
Note
Examples
•
Transparent Single
Context
System
—
—
—
•
Release
Modification
7.0(1)
This command was introduced.
The multicast-routing command enables PIM on all interfaces by default. Only the no form of the pim
command is saved in the configuration.
PIM is not supported with PAT. The PIM protocol does not use ports and PAT only works with protocols
that use ports.
The following example disables PIM on the selected interface:
hostname(config-if)# no pim
Related Commands
Command
Description
multicast-routing
Enables multicast routing on the adaptive security appliance.
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-41
Chapter 21
packet-tracer through pwd Commands
pim accept-register
pim accept-register
To configure the adaptive security appliance to filter PIM register messages, use the pim accept-register
command in global configuration mode. To remove the filtering, use the no form of this command.
pim accept-register {list acl | route-map map-name}
no pim accept-register
Syntax Description
list acl
Specifies an access list name or number. Use only extended host ACLs with
this command.
route-map map-name
Specifies a route-map name. Use extended host ACLs in the referenced
route-map.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Firewall Mode
Security Context
Multiple
Command Mode
Global configuration
Command History
Routed
•
Transparent Single
Context
System
—
—
—
Release
Modification
7.0(1)
This command was introduced.
•
Usage Guidelines
This command is used to prevent unauthorized sources from registering with the RP. If an unauthorized
source sends a register message to the RP, the adaptive security appliance will immediately send back a
register-stop message.
Examples
The following example restricts PIM register messages to those from sources defined in the access list
named “no-ssm-range”:
hostname(config)# pim accept-register list no-ssm-range
Related Commands
Command
Description
multicast-routing
Enables multicast routing on the adaptive security appliance.
Cisco ASA 5500 Series Command Reference
21-42
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
pim bidir-neighbor-filter
pim bidir-neighbor-filter
To control which bidir-capable neighbors can participate in the DF election, use the pim
bidir-neighbor-filter command in interface configuration mode. To remove the filtering, use the no
form of this command.
pim bidir-neighbor-filter acl
no pim bidir-neighbor-filter acl
Syntax Description
acl
Defaults
All routers are considered to be bidir capable.
Command Modes
The following table shows the modes in which you can enter the command:
Specifies an access list name or number. The access list defines the
neighbors that can participate in bidir DF elections. Use only standard
ACLs with this command; extended ACLs are not supported.
Firewall Mode
Security Context
Multiple
Command Mode
Interface configuration
Command History
Usage Guidelines
Routed
•
Transparent Single
Context
System
—
—
—
•
Release
Modification
7.2(1)
This command was introduced.
Bidirectional PIM allows multicast routers to keep reduced state information. All of the multicast routers
in a segment must be bidirectionally enabled for bidir to elect a DF.
The pim bidir-neighbor-filter command enables the transition from a sparse-mode-only network to a
bidir network by letting you specify the routers that should participate in DF election while still allowing
all routers to participate in the sparse-mode domain. The bidir-enabled routers can elect a DF from
among themselves, even when there are non-bidir routers on the segment. Multicast boundaries on the
non-bidir routers prevent PIM messages and data from the bidir groups from leaking in or out of the bidir
subset cloud.
When the pim bidir-neighbor-filter command is enabled, the routers that are permitted by the ACL are
considered to be bidir-capable. Therefore:
•
If a permitted neighbor does not support bidir, the DF election does not occur.
•
If a denied neighbor supports bidir, then DF election does not occur.
•
If a denied neighbor does not support bidir, the DF election can occur.
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-43
Chapter 21
packet-tracer through pwd Commands
pim bidir-neighbor-filter
Examples
The following example allows 10.1.1.1 to become a PIM bidir neighbor:
hostname(config)# access-list bidir_test permit 10.1.1.1 255.255.255.55
hostname(config)# access-list bidir_test deny any
hostname(config)# interface GigabitEthernet0/3
hostname(config-if)# pim bidir-neighbor-filter bidir_test
Related Commands
Command
Description
multicast boundary
Defines a multicast boundary for administratively-scoped multicast
addresses.
multicast-routing
Enables multicast routing on the adaptive security appliance.
Cisco ASA 5500 Series Command Reference
21-44
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
pim dr-priority
pim dr-priority
To configure the neighbor priority on the adaptive security appliance used for designated router election,
use the pim dr-priority command in interface configuration mode. To restore the default priority, use
the no form of this command.
pim dr-priority number
no pim dr-priority
Syntax Description
number
Defaults
The default value is 1.
Command Modes
The following table shows the modes in which you can enter the command:
A number from 0 to 4294967294. This number is used to determine the
priority of the device when determining the designated router. Specifying 0
prevents the adaptive security appliance from becoming the designated
router.
Firewall Mode
Security Context
Multiple
Command Mode
Interface configuration
Command History
Routed
•
Transparent Single
Context
System
—
—
—
•
Release
Modification
7.0(1)
This command was introduced.
Usage Guidelines
The device with the largest priority value on an interface becomes the PIM designated router. If multiple
devices have the same designated router priority, then the device with the highest IP address becomes
the DR. If a device does not include the DR-Priority Option in hello messages, it is regarded as the
highest-priority device and becomes the designated router. If multiple devices do not include this option
in their hello messages, then the device with the highest IP address becomes the designated router.
Examples
The following example sets the DR priority for the interface to 5:
hostname(config-if)# pim dr-priority 5
Related Commands
Command
Description
multicast-routing
Enables multicast routing on the adaptive security appliance.
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-45
Chapter 21
packet-tracer through pwd Commands
pim hello-interval
pim hello-interval
To configure the frequency of the PIM hello messages, use the pim hello-interval command in interface
configuration mode. To restore the hello-interval to the default value, use the no form of this command.
pim hello-interval seconds
no pim hello-interval [seconds]
Syntax Description
seconds
Defaults
30 seconds.
Command Modes
The following table shows the modes in which you can enter the command:
The number of seconds that the adaptive security appliance waits before
sending a hello message. Valid values range from 1 to 3600 seconds. The
default value is 30 seconds.
Firewall Mode
Security Context
Multiple
Command Mode
Interface configuration
Command History
Examples
Routed
•
Transparent Single
Context
System
—
—
—
Release
Modification
7.0(1)
This command was introduced.
•
The following example sets the PIM hello interval to 1 minute:
hostname(config-if)# pim hello-interval 60
Related Commands
Command
Description
multicast-routing
Enables multicast routing on the adaptive security appliance.
Cisco ASA 5500 Series Command Reference
21-46
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
pim join-prune-interval
pim join-prune-interval
To configure the PIM join/prune interval, use the pim join-prune-interval command in interface
configuration mode. To restore the interval to the default value, use the no form of this command.
pim join-prune-interval seconds
no pim join-prune-interval [seconds]
Syntax Description
seconds
Defaults
60 seconds
Command Modes
The following table shows the modes in which you can enter the command:
The number of seconds that the adaptive security appliance waits before
sending a join/prune message. Valid values range from 10 to 600 seconds.
60 seconds is the default.
Firewall Mode
Security Context
Multiple
Command Mode
Interface configuration
Command History
Examples
Routed
•
Transparent Single
Context
System
—
—
—
•
Release
Modification
7.0(1)
This command was introduced.
The following example sets the PIM join/prune interval to 2 minutes:
hostname(config-if)# pim join-prune-interval 120
Related Commands
Command
Description
multicast-routing
Enables multicast routing on the adaptive security appliance.
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-47
Chapter 21
packet-tracer through pwd Commands
pim neighbor-filter
pim neighbor-filter
To control which neighbor routers can participate in PIM, use the pim neighbor-filter command in
interface configuration mode. To remove the filtering, use the no form of this command.
pim neighbor-filter acl
no pim neighbor-filter acl
Syntax Description
acl
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Specifies an access list name or number. Use only standard ACLs with this
command; extended ACLs are not supported.
Firewall Mode
Security Context
Multiple
Command Mode
Interface configuration
Command History
Usage Guidelines
Routed
•
Transparent Single
Context
System
—
—
—
Release
Modification
7.2(1)
This command was introduced.
•
This command defines which neighbor routers can participate in PIM. If this command is not present in
the configuration then there are no restrictions.
Multicast routing and PIM must be enabled for this command to appear in the configuration. If you
disable multicast routing, this command is removed from the configuration.
Examples
The following example allows the router with the IP address 10.1.1.1 to become a PIM neighbor on
interface GigabitEthernet0/2:
hostname(config)# access-list pim_filter permit 10.1.1.1 255.255.255.55
hostname(config)# access-list pim_filter deny any
hostname(config)# interface gigabitEthernet0/2
hostname(config-if)# pim neighbor-filter pim_filter
Related Commands
Cisco ASA 5500 Series Command Reference
21-48
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
pim neighbor-filter
Command
Description
multicast-routing
Enables multicast routing on the adaptive security appliance.
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-49
Chapter 21
packet-tracer through pwd Commands
pim old-register-checksum
pim old-register-checksum
To allow backward compatibility on a rendezvous point (RP) that uses old register checksum
methodology, use the pim old-register-checksum command in global configuration mode. To generate
PIM RFC-compliant registers, use the no form of this command.
pim old-register-checksum
no pim old-register-checksum
Syntax Description
This command has no arguments or keywords.
Defaults
The adaptive security appliance generates PIM RFC-compliant registers.
Command Modes
The following table shows the modes in which you can enter the command:
Firewall Mode
Security Context
Multiple
Command Mode
Global configuration
Command History
Usage Guidelines
Examples
Routed
•
Transparent Single
Context
System
—
—
—
Release
Modification
7.0(1)
This command was introduced.
•
The adaptive security appliance software accepts register messages with checksum on the PIM header
and only the next 4 bytes rather than using the Cisco IOS method—accepting register messages with the
entire PIM message for all PIM message types. The pim old-register-checksum command generates
registers compatible with Cisco IOS software.
The following example configures the adaptive security appliance to use the old checksum calculations:
hostname(config)# pim old-register-checksum
Related Commands
Command
Description
multicast-routing
Enables multicast routing on the adaptive security appliance.
Cisco ASA 5500 Series Command Reference
21-50
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
pim rp-address
pim rp-address
To configure the address of a PIM rendezvous point (RP), use the pim rp-address command in global
configuration mode. To remove an RP address, use the no form of this command.
pim rp-address ip_address [acl] [bidir]
no pim rp-address ip_address
Syntax Description
acl
(Optional) The name or number of a standard access list that defines which
multicast groups the RP should be used with. Do not use a host ACL with
this command.
bidir
(Optional) Indicates that the specified multicast groups are to operate in
bidirectional mode. If the command is configured without this option, the
specified groups operate in PIM sparse mode.
ip_address
IP address of a router to be a PIM RP. This is a unicast IP address in
four-part dotted-decimal notation.
Defaults
No PIM RP addresses are configured.
Command Modes
The following table shows the modes in which you can enter the command:
Firewall Mode
Security Context
Multiple
Command Mode
Global configuration
Command History
Usage Guidelines
Note
Routed
•
Transparent Single
Context
System
—
—
—
•
Release
Modification
7.0(1)
This command was introduced.
All routers within a common PIM sparse mode (PIM-SM) or bidir domain require knowledge of the
well-known PIM RP address. The address is statically configured using this command.
The adaptive security appliance does not support Auto-RP; you must use the pim rp-address command
to specify the RP address.
You can configure a single RP to serve more than one group. The group range specified in the access list
determines the PIM RP group mapping. If the an access list is not specified, the RP for the group is
applied to the entire IP multicast group range (224.0.0.0/4).
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-51
Chapter 21
packet-tracer through pwd Commands
pim rp-address
Note
Examples
The adaptive security appliance always advertises the bidir capability in the PIM hello messages
regardless of the actual bidir configuration.
The following example sets the PIM RP address to 10.0.0.1 for all multicast groups:
hostname(config)# pim rp-address 10.0.0.1
Related Commands
Command
Description
pim accept-register
Configures candidate RPs to filter PIM register messages.
Cisco ASA 5500 Series Command Reference
21-52
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
pim spt-threshold infinity
pim spt-threshold infinity
To change the behavior of the last hop router to always use the shared tree and never perform a
shortest-path tree (SPT) switchover, use the pim spt-threshold infinity command in global
configuration mode. To restore the default value, use the no form of this command.
pim spt-threshold infinity [group-list acl]
no pim spt-threshold
Syntax Description
group-list acl
Defaults
The last hop PIM router switches to the shortest-path source tree by default.
Command Modes
The following table shows the modes in which you can enter the command:
(Optional) Indicates the source groups restricted by the access list. The acl
argument must specify a standard ACL; extended ACLs are not supported.
Firewall Mode
Security Context
Multiple
Command Mode
Global configuration
Command History
Routed
•
Transparent Single
Context
System
—
—
—
•
Release
Modification
7.0(1)
This command was introduced.
Usage Guidelines
If the group-list keyword is not used, this command applies to all multicast groups.
Examples
The following example causes the last hop PIM router to always use the shared tree instead of switching
to the shortest-path source tree:
hostname(config)# pim spt-threshold infinity
Related Commands
Command
Description
multicast-routing
Enables multicast routing on the adaptive security appliance.
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-53
Chapter 21
packet-tracer through pwd Commands
ping
ping
To determine if other IP addresses are visible from the adaptive security appliance, use the ping
command in privileged EXEC mode.
ping [if_name] host [data pattern] [repeat count] [size bytes] [timeout seconds] [validate]
Syntax Description
data pattern
(Optional) Specifies the 16-bit data pattern in hexidecimal.
host
Specifies the IPv4 or IPv6 address or name of the host to ping. The name can be a
DNS name or a name assigned with the name command. The maximum number of
characters for DNA names is 128, and the maximum number of characters for
names created with the name command is 63.
if_name
(Optional) Specifies the interface name, as configured by the nameif command, by
which the host is accessible. If not supplied, then the host is resolved to an IP
address and then the routing table is consulted to determine the destination
interface.
repeat count
(Optional) Specifies the number of times to repeat the ping request.
size bytes
(Optional) Specifies the datagram size in bytes.
timeout seconds
(Optional) Specifies the the number of seconds to wait before timing out the ping
request.
validate
(Optional) Specifies to validate reply data.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Firewall Mode
Security Context
Multiple
Command Mode
Privileged EXEC
Command History
Usage Guidelines
Routed
•
Transparent Single
•
Release
Modification
Preexisting
This command was preexisting.
7.2(1)
Support for DNS names added.
•
Context
•
System
•
The ping command allows you to determine if the adaptive security appliance has connectivity or if a
host is available on the network. If the adaptive security appliance has connectivity, ensure that the icmp
permit any interface command is configured. This configuration is required to allow the adaptive
security appliance to respond and accept messages generated from the ping command. The ping
command output shows if the response was received. If a host is not responding, when you enter the ping
command, a message similar to the following displays:
Cisco ASA 5500 Series Command Reference
21-54
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
ping
hostname(config)# ping 10.1.1.1
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
Use the show interface command to ensure that the adaptive security appliance is connected to the
network and is passing traffic. The address of the specified if_name is used as the source address of the
ping.
If you want internal hosts to ping external hosts, you must do one of the following:
•
Create an ICMP access-list command for an echo reply; for example, to give ping access to all hosts,
use the access-list acl_grp permit icmp any any command and bind the access-list command to
the interface that you want to test using the access-group command.
•
Configure the ICMP inspection engine using the inspect icmp command. For example, adding the
inspect icmp command to the class default_inspection class for the global service policy allows
echo replies through the adaptive security appliance for echo requests initiated by internal hosts.
You can also perform an extended ping, which allows you to enter the keywords one line at a time.
If you are pinging through the adaptive security appliance between hosts or routers, but the pings are not
successful, use the capture command to monitor the success of the ping.
The adaptive security appliance ping command does not require an interface name. If you do not specify
an interface name, the adaptive security appliance checks the routing table to find the address that you
specify. You can specify an interface name to indicate through which interface the ICMP echo requests
are sent.
Examples
The following example shows how to determine if other IP addresses are visible from the adaptive
security appliance:
hostname# ping 171.69.38.1
Sending 5, 100-byte ICMP Echos to 171.69.38.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
The following example specifies a host using a DNS name:
hostname# ping www.example.com
Sending 5, 100-byte ICMP Echos to www.example.com, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
The following is an example of an extended ping:
hostname# ping
Interface: outside
Target IP address: 171.69.38.1
Repeat count: [5]
Datagram size: [100]
Timeout in seconds: [2]
Extended commands [n]:
Sweep range of sizes [n]:
Sending 5, 100-byte ICMP Echos to 171.69.38.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
Related Commands
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-55
Chapter 21
packet-tracer through pwd Commands
ping
Command
Description
capture
Captures packets at an interface
icmp
Configures access rules for ICMP traffic that terminates at an interface.
show interface
Displays information about the VLAN configuration.
Cisco ASA 5500 Series Command Reference
21-56
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
police
police
To apply QoS policing to a class map, use the police command in class configuration mode. To remove
the rate-limiting requirement, use the no form of this command. Policing is a way of ensuring that no
traffic exceeds the maximum rate (in bits/second) that you configure, thus ensuring that no one traffic
flow can take over the entire resource. When traffic exceeds the maximum rate, the adaptive security
appliance drops the excess traffic. Policing also sets the largest single burst of traffic allowed.
police {output | input} conform-rate [conform-burst] [conform-action [drop | transmit]
[exceed-action [drop | transmit]]]
no police
Syntax Description
conform-burst
Specifies the maximum number of instantaneous bytes allowed in a
sustained burst before throttling to the conforming rate value, between 1000
and 512000000 bytes.
conform-action
Sets the action to take when the rate is less than the conform_burst value.
conform-rate
Sets the rate limit for this traffic flow; between 8000 and 2000000000 bits
per second.
drop
Drops the packet.
exceed-action
Sets the action to take when the rate is between the conform-rate value and
the conform-burst value.
input
Enables policing of traffic flowing in the input direction.
output
Enables policing of traffic flowing in the output direction.
transmit
Transmits the packet.
Defaults
No default behavior or variables.
Command Modes
The following table shows the modes in which you can enter the command:
Firewall Mode
Security Context
Multiple
Command Mode
Routed
Class configuration
Command History
Usage Guidelines
•
Transparent Single
Context
System
—
—
—
•
Release
Modification
7.0(1)
This command was introduced.
7.2(1)
Added the input option. Policing traffic in the inbound direction is now supported.
To enable policing, use the Modular Policy Framework:
1.
class-map—Identify the traffic on which you want to perform policing.
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-57
Chapter 21
packet-tracer through pwd Commands
police
2.
policy-map—Identify the actions associated with each class map.
a. class—Identify the class map on which you want to perform actions.
b. police—Enable policing for the class map.
3.
service-policy—Assigns the policy map to an interface or globally.
Note
The police command merely enforces the maximum speed and burst rate, forcing them to the conforming
rate value. It does not enforce the conform-action or the exceed-action specification if these are present.
Note
When the conform-burst parameter is omitted, the default value is assumed to be 1/32 of the
conform-rate in bytes (that is, with a conform rate of 100,000, the default conform-burst value would be
100,000/32 = 3,125). Note that the conform-rate is in bits/second, whereas the conform-burst is in bytes.
You can configure each of the QoS features alone if desired for the adaptive security appliance. Often,
though, you configure multiple QoS features on the adaptive security appliance so you can prioritize
some traffic, for example, and prevent other traffic from causing bandwidth problems.
See the following supported feature combinations per interface:
•
Standard priority queuing (for specific traffic) + Policing (for the rest of the traffic).
You cannot configure priority queueing and policing for the same set of traffic.
•
Traffic shaping (for all traffic on an interface) + Hierarchical priority queueing (for a subset of
traffic).
Typically, if you enable traffic shaping, you do not also enable policing for the same traffic, although the
adaptive security appliance does not restrict you from configuring this.
See the following guidelines:
Examples
•
QoS is applied unidirectionally; only traffic that enters the interface to which you apply the policy
map is affected (or exits the interface, depending on the whether you specify input or output).
•
If a service policy is applied or removed from an interface that has existing traffic already
established, the QoS policy is not applied or removed from the traffic stream. To apply or remove
the QoS policy for such connections, you must clear the connections and re-establish them. See the
clear conn command.
•
To-the-box traffic is not supported.
•
Traffic to and from a VPN tunnel bypass interface is not supported.
•
When you match a tunnel group class map, only outbound policing is supported.
The following is an example of a police command for the output direction that sets the conform rate to
100,000 bits per second, a burst value of 20,000 bytes, and specifies that traffic that exceeds the burst
rate will be dropped:
hostname(config)# policy-map localpolicy1
hostname(config-pmap)# class-map firstclass
hostname(config-cmap)# class localclass
hostname(config-pmap-c)# police output 100000 20000 exceed-action drop
hostname(config-cmap-c)# class class-default
hostname(config-pmap-c)#
The following example shows how to do rate-limiting on traffic destined to an internal web server.
Cisco ASA 5500 Series Command Reference
21-58
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
police
hostname# access-list http_traffic permit tcp any 10.1.1.0 255.255.255.0 eq 80
hostname# class-map http_traffic
hostname(config-cmap)# match access-list http_traffic
hostname(config-cmap)# policy-map outside_policy
hostname(config-pmap)# class http_traffic
hostname(config-pmap-c)# police input 56000
hostname(config-pmap-c)# service-policy outside_policy interface outside
hostname(config)#
Related Commands
class
Specifies a class-map to use for traffic classification.
clear configure
policy-map
Remove all policy-map configuration, except that if a policy-map is in use in
a service-policy command, that policy-map is not removed.
policy-map
Configures a policy; that is, an association of a traffic class and one or more
actions.
show running-config Display all current policy-map configurations.
policy-map
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-59
Chapter 21
packet-tracer through pwd Commands
policy
policy
To specify the source for retrieving the CRL, use the policy command in ca-crl configuration mode.
policy {static | cdp | both}
Syntax Description
both
Specifies that if obtaining a CRL using the CRL distribution point fails,
retry using static CDPs up to a limit of five.
cdp
Uses the CDP extension embedded within the certificate being checked. In
this case, the adaptive security appliance retrieves up to five CRL
distributions points from the CDP extension of the certificate being verified
and augments their information with the configured default values, if
necessary. If the adaptive security appliance attempt to retrieve a CRL using
the primary CDP fails, it retries using the next available CDP in the list.
This continues until either the adaptive security appliance retrieves a CRL
or exhausts the list.
static
Uses up to five static CRL distribution points. If you specify this option,
specify also the LDAP or HTTP URLs with the protocol command.
Defaults
The default setting is cdp.
Command Modes
The following table shows the modes in which you can enter the command:
Firewall Mode
Security Context
Multiple
Command Mode
CRL configuration
Command History
Examples
Routed
•
Transparent Single
Context
System
—
—
—
Release
Modification
7.0
This command was introduced.
•
The following example enters ca-crl configuration mode, and configures CRL retrieval to occur using
the CRL distribution point extension in the certificate being checked or if that fails, to use static CDPs:
hostname(configure)# crypto ca trustpoint central
hostname(ca-trustpoint)# crl configure
hostname(ca-crl)# policy both
Related Commands
Command
Description
crl configure
Enters ca-crl configuration mode.
Cisco ASA 5500 Series Command Reference
21-60
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
policy
Command
Description
crypto ca trustpoint
Enters trustpoint configuration mode.
url
Creates and maintains a list of static URLs for retrieving CRLs.
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-61
Chapter 21
packet-tracer through pwd Commands
policy-map
policy-map
When using the Modular Policy Framework, assign actions to traffic that you identified with a Layer 3/4
class map (the class-map or class-map type management command) by using the policy-map
command (without the type keyword) in global configuration mode. To remove a Layer 3/4 policy map,
use the no form of this command.
policy-map name
no policy-map name
Syntax Description
name
Defaults
By default, the configuration includes a policy that matches all default application inspection traffic and
applies certain inspections to the traffic on all interfaces (a global policy). Not all inspections are enabled
by default. You can only apply one global policy, so if you want to alter the global policy, you need to
either edit the default policy or disable it and apply a new one. (An interface policy overrides the global
policy for a particular feature.)
Specifies the name for this policy map up to 40 characters in length. All types of policy
maps use the same name space, so you cannot reuse a name already used by another
type of policy map.
The default policy includes the following application inspections:
•
DNS inspection for the maximum message length of 512 bytes
•
FTP
•
H323 (H225)
•
H323 (RAS)
•
RSH
•
RTSP
•
ESMTP
•
SQLnet
•
Skinny (SCCP)
•
SunRPC
•
XDMCP
•
SIP
•
NetBios
•
TFTP
•
IP Options
The default policy configuration includes the following commands:
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
Cisco ASA 5500 Series Command Reference
21-62
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
policy-map
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
Command Modes
The following table shows the modes in which you can enter the command:
Firewall Mode
Security Context
Multiple
Command Mode
Routed
Global configuration
Command History
Usage Guidelines
•
Transparent Single
•
Release
Modification
7.0(1)
This command was introduced.
•
Context
•
System
—
Configuring Modular Policy Framework consists of four tasks:
1.
Identify the Layer 3 and 4 traffic to which you want to apply actions using the class-map or
class-map type management command.
2.
(Application inspection only) Define special actions for application inspection traffic using the
policy-map type inspect command.
3.
Apply actions to the Layer 3 and 4 traffic using the policy-map command.
4.
Activate the actions on an interface using the service-policy command.
The maximum number of policy maps is 64, but you can only apply one policy map per interface. You
can apply the same policy map to multiple interfaces. You can identify multiple Layer 3/4 class maps in
a Layer 3/4 policy map (see the class command), and you can assign multiple actions from one or more
feature types to each class map.
Feature Directionality
Actions are applied to traffic bidirectionally or unidirectionally depending on the feature. For features
that are applied bidirectionally, all traffic that enters or exits the interface to which you apply the policy
map is affected if the traffic matches the class map for both directions.
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-63
Chapter 21
packet-tracer through pwd Commands
policy-map
Note
When you use a global policy, all features are unidirectional; features that are normally bidirectional
when applied to a single interface only apply to the ingress of each interface when applied globally.
Because the policy is applied to all interfaces, the policy will be applied in both directions so
bidirectionality in this case is redundant.
For features that are applied unidirectionally, for example QoS priority queue, only traffic that enters (or
exits, depending on the feature) the interface to which you apply the policy map is affected. See
Table 21-1 for the directionality of each feature.
Table 21-1
Feature Directionality
Feature
Single Interface Direction Global Direction
Application inspection (multiple types)
Bidirectional
Ingress
CSC
Bidirectional
Ingress
IPS
Bidirectional
Ingress
NetFlow Secure Event Logging filtering
N/A
Ingress
QoS input policing
Ingress
Ingress
QoS output policing
Egress
Egress
QoS standard priority queue
Egress
Egress
QoS traffic shaping, hierarchical priority
queue
Egress
Egress
TCP and UDP connection limits and timeouts, Bidirectional
and TCP sequence number randomization
Ingress
TCP normalization
Bidirectional
Ingress
TCP state bypass
Bidirectional
Ingress
Feature Matching Within a Service Policy
See the following information for how a packet matches class maps in a policy map for a given interface:
1.
A packet can match only one class map in the policy map for each feature type.
2.
When the packet matches a class map for a feature type, the adaptive security appliance does not
attempt to match it to any subsequent class maps for that feature type.
3.
If the packet matches a subsequent class map for a different feature type, however, then the adaptive
security appliance also applies the actions for the subsequent class map , if supported. See the
“Incompatibility of Certain Feature Actions” section on page 21-66 for more information about
unsupported combinations.
For example, if a packet matches a class map for connection limits, and also matches a class map for
application inspection, then both actions are applied.
If a packet matches a class map for HTTP inspection, but also matches another class map that includes
HTTP inspection, then the second class map actions are not applied.
Note
Application inspection includes multiple inspection types, and each inspection type is a separate feature
when you consider the matching guidelines above.
Cisco ASA 5500 Series Command Reference
21-64
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
policy-map
Order in Which Multiple Feature Actions are Applied
The order in which different types of actions in a policy map are performed is independent of the order
in which the actions appear in the policy map.
Note
NetFlow Secure Event Logging filtering is order-independent.
Actions are performed in the following order:
1.
QoS input policing
2.
TCP normalization, TCP and UDP connection limits and timeouts, TCP sequence number
randomization, and TCP state bypass.
Note
When a the adaptive security appliance performs a proxy service (such as AAA or CSC) or it
modifies the TCP payload (such as FTP inspection), the TCP normalizer acts in dual mode,
where it is applied before and after the proxy or payload modifying service.
3.
CSC
4.
Application inspection (multiple types)
The order of application inspections applied when a class of traffic is classified for multiple
inspections is as follows. Only one inspection type can be applied to the same traffic. WAAS
inspection is an exception, because it can be applied along with other inspections for the same
traffic. See the “Incompatibility of Certain Feature Actions” section on page 21-66 for more
information.
a. CTIQBE
b. DNS
c. FTP
d. GTP
e. H323
f. HTTP
g. ICMP
h. ICMP error
i. ILS
j. MGCP
k. NetBIOS
l. PPTP
m. Sun RPC
n. RSH
o. RTSP
p. SIP
q. Skinny
r. SMTP
s. SNMP
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-65
Chapter 21
packet-tracer through pwd Commands
policy-map
t. SQL*Net
u. TFTP
v. XDMCP
w. DCERPC
x. Instant Messaging
Note
RADIUS accounting is not listed because it is the only inspection allowed on management
traffic. WAAS is not listed because it can be configured along with other inspections for the
same traffic.
5.
IPS
6.
QoS output policing
7.
QoS standard priority queue
8.
QoS traffic shaping, hierarchical priority queue
Incompatibility of Certain Feature Actions
Some features are not compatible with each other for the same traffic. For example, you cannot configure
QoS priority queueing and QoS policing for the same set of traffic. Also, most inspections should not be
combined with another inspection, so the adaptive security appliance only applies one inspection if you
configure multiple inspections for the same traffic. In this case, the feature that is applied is the higher
priority feature in the list in the “Order in Which Multiple Feature Actions are Applied” section on
page 21-65.
For information about compatibility of each feature, see the chapter or section for your feature.
Note
The match default-inspection-traffic command, which is used in the default global policy, is a special
CLI shortcut to match the default ports for all inspections. When used in a policy map, this class map
ensures that the correct inspection is applied to each packet, based on the destination port of the traffic.
For example, when UDP traffic for port 69 reaches the adaptive security appliance, then the adaptive
security appliance applies the TFTP inspection; when TCP traffic for port 21 arrives, then the adaptive
security appliance applies the FTP inspection. So in this case only, you can configure multiple
inspections for the same class map. Normally, the adaptive security appliance does not use the port
number to determine which inspection to apply, thus giving you the flexibility to apply inspections to
non-standard ports, for example.
An example of a misconfiguration is if you configure multiple inspections in the same policy map and
do not use the default-inspection-traffic shortcut. In Example 21-1, traffic destined to port 21 is
mistakenly configured for both FTP and HTTP inspection. In Example 21-2, traffic destined to port 80
is mistakenly configured for both FTP and HTTP inspection. In both cases of misconfiguration
examples, only the FTP inspection is applied, because FTP comes before HTTP in the order of
inspections applied.
Example 21-1 Misconfiguration for FTP packets: HTTP Inspection Also Configured
class-map ftp
match port tcp eq 21
class-map http
match port tcp eq 21
policy-map test
[it should be 80]
Cisco ASA 5500 Series Command Reference
21-66
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
policy-map
class ftp
inspect ftp
class http
inspect http
Example 21-2 Misconfiguration for HTTP packets: FTP Inspection Also Configured
class-map ftp
match port tcp eq 80
class-map http
match port tcp eq 80
policy-map test
class http
inspect http
class ftp
inspect ftp
[it should be 21]
Feature Matching for Multiple Service Policies
For TCP and UDP traffic (and ICMP when you enable stateful ICMP inspection), service policies
operate on traffic flows, and not just individual packets. If traffic is part of an existing connection that
matches a feature in a policy on one interface, that traffic flow cannot also match the same feature in a
policy on another interface; only the first policy is used.
For example, if HTTP traffic matches a policy on the inside interface to inspect HTTP traffic, and you
have a separate policy on the outside interface for HTTP inspection, then that traffic is not also inspected
on the egress of the outside interface. Similarly, the return traffic for that connection will not be
inspected by the ingress policy of the outside interface, nor by the egress policy of the inside interface.
For traffic that is not treated as a flow, for example ICMP when you do not enable stateful ICMP
inspection, returning traffic can match a different policy map on the returning interface. For example, if
you configure IPS on the inside and outside interfaces, but the inside policy uses virtual sensor 1 while
the outside policy uses virtual sensor 2, then a non-stateful Ping will match virtual sensor 1 outbound,
but will match virtual sensor 2 inbound.
Examples
The following is an example of a policy-map command for connection policy. It limits the number of
connections allowed to the web server 10.1.1.1:
hostname(config)# access-list http-server permit tcp any host 10.1.1.1
hostname(config)# class-map http-server
hostname(config-cmap)# match access-list http-server
hostname(config)# policy-map global-policy
hostname(config-pmap)# description This policy map defines a policy concerning connection
to http server.
hostname(config-pmap)# class http-server
hostname(config-pmap-c)# set connection conn-max 256
The following example shows how multi-match works in a policy map:
hostname(config)# class-map inspection_default
hostname(config-cmap)# match default-inspection-traffic
hostname(config)# class-map http_traffic
hostname(config-cmap)# match port tcp eq 80
hostname(config)# policy-map outside_policy
hostname(config-pmap)# class inspection_default
hostname(config-pmap-c)# inspect http http_map
hostname(config-pmap-c)# inspect sip
hostname(config-pmap)# class http_traffic
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-67
Chapter 21
packet-tracer through pwd Commands
policy-map
hostname(config-pmap-c)# set connection timeout tcp 0:10:0
The following example shows how traffic matches the first available class map, and will not match any
subsequent class maps that specify actions in the same feature domain:
hostname(config)# class-map telnet_traffic
hostname(config-cmap)# match port tcp eq 23
hostname(config)# class-map ftp_traffic
hostname(config-cmap)# match port tcp eq 21
hostname(config)# class-map tcp_traffic
hostname(config-cmap)# match port tcp range 1 65535
hostname(config)# class-map udp_traffic
hostname(config-cmap)# match port udp range 0 65535
hostname(config)# policy-map global_policy
hostname(config-pmap)# class telnet_traffic
hostname(config-pmap-c)# set connection timeout tcp 0:0:0
hostname(config-pmap-c)# set connection conn-max 100
hostname(config-pmap)# class ftp_traffic
hostname(config-pmap-c)# set connection timeout tcp 0:5:0
hostname(config-pmap-c)# set connection conn-max 50
hostname(config-pmap)# class tcp_traffic
hostname(config-pmap-c)# set connection timeout tcp 2:0:0
hostname(config-pmap-c)# set connection conn-max 2000
When a Telnet connection is initiated, it matches class telnet_traffic. Similarly, if an FTP connection is
initiated, it matches class ftp_traffic. For any TCP connection other than Telnet and FTP, it will match
class tcp_traffic. Even though a Telnet or FTP connection can match class tcp_traffic, the adaptive
security appliance does not make this match because they previously matched other classes.
NetFlow events are configured through Modular Policy Framework. If Modular Policy Framework is not
configured for NetFlow, no events are logged. Traffic is matched based on the order in which classes are
configured. After a match is detected, no other classes are checked. For NetFlow events, the
configuration requirements are as follows:
•
A flow-export destination is uniquely identified by its IP address.
•
Supported event types are flow-create, flow-teardown, flow-denied, and all, which include the three
previously listed event types.
•
Flow-export actions are not supported in interface policies.
•
Flow-export actions are only supported in the class-default command and in classes with the match
any or match access-list command.
•
If no NetFlow collector has been defined, no configuration actions occur.
The following example exports all NetFlow events between hosts 10.1.1.1 and 20.1.1.1 to destination
15.1.1.1.
hostname(config)# access-list flow_export_acl permit ip host 10.1.1.1 host 20.1.1.1
hostname(config)# class-map flow_export_class
hostname(config-cmap)# match access-list flow_export_acl
hostname(config)# policy-map global_policy
hostname(config-pmap)# class flow_export_class
hostname(config-pmap-c)# flow-export event-type all destination 15.1.1.1
Related Commands
Command
Description
class
Identifies a class map name in the policy map.
clear configure
policy-map
Removes all policy map configuration. If a policy map is in use in a
service-policy command, that policy map is not removed.
Cisco ASA 5500 Series Command Reference
21-68
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
policy-map
class-map
Defines a traffic class map.
service-policy
Assigns the policy map to an interface or globally to all interfaces.
show running-config Display all current policy map configurations.
policy-map
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-69
Chapter 21
packet-tracer through pwd Commands
policy-map type inspect
policy-map type inspect
When using the Modular Policy Framework, define special actions for inspection application traffic by
using the policy-map type inspect command in global configuration mode. To remove an inspection
policy map, use the no form of this command.
policy-map type inspect application policy_map_name
no policy-map [type inspect application] policy_map_name
Cisco ASA 5500 Series Command Reference
21-70
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
policy-map type inspect
Syntax Description
application
policy_map_name
Defaults
Specifies the type of application traffic you want to act upon. Available types
include:
•
ctiqbe
•
dcerpc
•
dns
•
esmtp
•
ftp
•
gtp
•
h323
•
http
•
icmp
•
icmp error
•
ils
•
im
•
ip-options
•
ipsec pass-through
•
mgcp
•
mmp
•
netbios
•
pptp
•
radius-accounting
•
rsh
•
rtsp
•
sip
•
skinny
•
snmp
•
sqlnet
•
sunrpc
•
tftp
•
waas
•
xdmcp
Specifies the name for this policy map up to 40 characters in length. Names that
begin with “_internal” or “_default” are reserved and cannot be used. All types of
policy maps use the same name space, so you cannot reuse a name already used
by another type of policy map.
No default behaviors or values.
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-71
Chapter 21
packet-tracer through pwd Commands
policy-map type inspect
Command Modes
The following table shows the modes in which you can enter the command:
Firewall Mode
Security Context
Multiple
Command Mode
Routed
Global configuration
Command History
Usage Guidelines
•
Transparent Single
•
Release
Modification
7.2(1)
This command was introduced.
•
Context
•
System
—
Modular Policy Framework lets you configure special actions for many application inspections. When
you enable an inspection engine using the inspect command in the Layer 3/4 policy map (the
policy-map command), you can also optionally enable actions as defined in an inspection policy map
created by the policy-map type inspect command. For example, enter the inspect http
http_policy_map command where http_policy_map is the name of the inspection policy map.
An inspection policy map consists of one or more of the following commands entered in policy-map
configuration mode. The exact commands available for an inspection policy map depends on the
application.
•
match command—You can define a match command directly in the inspection policy map to match
application traffic to criteria specific to the application, such as a URL string. Then you enable
actions in match configuration mode such as drop, reset, log, and so on. The match commands
available depend on the application.
•
class command—This command identifies an inspection class map in the policy map (see the
class-map type inspect command to create the inspection class map). An inspection class map
includes match commands that match application traffic with criteria specific to the application,
such as a URL string, for which you then enable actions in the policy map. The difference between
creating a class map and using a match command directly in the inspection policy map is that you
can group multiple matches, and you can reuse class maps.
•
parameters command—Parameters affect the behavior of the inspection engine. The commands
available in parameters configuration mode depend on the application.
You can specify multiple class or match commands in the policy map.
Some match commands can specify regular expressions to match text inside a packet. See the regex
command and the class-map type regex command, which groups multiple regular expressions.
The default inspection policy map configuration includes the following commands, which sets the
maximum message length for DNS packets to be 512 bytes:
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
If a packet matches multiple different match or class commands, then the order in which the adaptive
security appliance applies the actions is determined by internal adaptive security appliance rules, and not
by the order they are added to the policy map. The internal rules are determined by the application type
and the logical progression of parsing a packet, and are not user-configurable. For example for HTTP
traffic, parsing a Request Method field precedes parsing the Header Host Length field; an action for the
Cisco ASA 5500 Series Command Reference
21-72
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
policy-map type inspect
Request Method field occurs before the action for the Header Host Length field. For example, the
following match commands can be entered in any order, but the match request method get command
is matched first.
hostname(config-pmap)# match request header host length gt 100
hostname(config-pmap-c)# reset
hostname(config-pmap-c)# match request method get
hostname(config-pmap-c)# log
If an action drops a packet, then no further actions are performed. For example, if the first action is to
reset the connection, then it will never match any further match commands. If the first action is to log
the packet, then a second action, such as resetting the connection, can occur. (You can configure both the
reset (or drop-connection, and so on.) and the log action for the same match command, in which case
the packet is logged before it is reset for a given match.)
If a packet matches multiple match or class commands that are the same, then they are matched in the
order they appear in the policy map. For example, for a packet with the header length of 1001, it will
match the first command below, and be logged, and then will match the second command and be reset.
If you reverse the order of the two match commands, then the packet will be dropped and the connection
reset before it can match the second match command; it will never be logged.
hostname(config-pmap)# match request header length gt 100
hostname(config-pmap-c)# log
hostname(config-pmap-c)# match request header length gt 1000
hostname(config-pmap-c)# reset
A class map is determined to be the same type as another class map or match command based on the
lowest priority match command in the class map (the priority is based on the internal rules). If a class
map has the same type of lowest priority match command as another class map, then the class maps are
matched according to the order they are added to the policy map. If the lowest priority command for each
class map is different, then the class map with the higher priority match command is matched first.
See the following guidelines when modifying an inspection policy-map:
•
HTTP inspection policy maps—If you modify an in-use HTTP inspection policy map (policy-map
type inspect http), you must remove and reapply the inspect http map action for the changes to
take effect. For example, if you modify the “http-map” inspection policy map, you must remove and
readd the inspect http http-map command from the layer 3/4 policy:
hostname(config)# policy-map test
hostname(config-pmap)# class httpO
hostname(config-pmap-c)# no inspect http http-map
hostname(config-pmap-c)# inspect http http-map
•
All inspection policy maps—If you want to exchange an in-use inspection policy map for a different
map name, you must remove the inspect protocol map command, and readd it with the new map.
For example:
hostname(config)# policy-map test
hostname(config-pmap)# class sip
hostname(config-pmap-c)# no inspect sip sip-map1
hostname(config-pmap-c)# inspect sip sip-map2
Examples
The following is an example of an HTTP inspection policy map and the related class maps. This policy
map is activated by the Layer 3/4 policy map, which is enabled by the service policy.
hostname(config)# regex url_example example\.com
hostname(config)# regex url_example2 example2\.com
hostname(config)# class-map type regex match-any URLs
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-73
Chapter 21
packet-tracer through pwd Commands
policy-map type inspect
hostname(config-cmap)# match regex example
hostname(config-cmap)# match regex example2
hostname(config-cmap)#
hostname(config-cmap)#
hostname(config-cmap)#
hostname(config-cmap)#
class-map type inspect http match-all http-traffic
match req-resp content-type mismatch
match request body length gt 1000
match not request uri regex class URLs
hostname(config-cmap)# policy-map type inspect http http-map1
hostname(config-pmap)# class http-traffic
hostname(config-pmap-c)# drop-connection log
hostname(config-pmap-c)# match req-resp content-type mismatch
hostname(config-pmap-c)# reset log
hostname(config-pmap-c)# parameters
hostname(config-pmap-p)# protocol-violation action log
hostname(config-pmap-p)# policy-map test
hostname(config-pmap)# class test (a Layer 3/4 class
hostname(config-pmap-c)# inspect http http-map1
map not shown)
hostname(config-pmap-c)# service-policy inbound_policy interface outside
Related Commands
Command
Description
class
Identifies a class map name in the policy map.
class-map type
inspect
Creates an inspection class map to match traffic specific to an application.
parameters
Enters parameter configuration mode for an inspection policy map.
policy-map
Creates a Layer 3/4 policy map.
show running-config Display all current policy map configurations.
policy-map
Cisco ASA 5500 Series Command Reference
21-74
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
policy-server-secret
policy-server-secret
To configure a secret key used to encrypt authentication requests to a SiteMinder SSO server, use the
policy-server-secret command in webvpn-sso-siteminder configuration mode. To remove a secret key,
use the no form of this command.
policy-server-secret secret-key
no policy-server-secret
Note
This command is required for SiteMinder SSO authentication.
Syntax Description
secret-key
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
The character string used as a secret key to encrypt authentication
communications. There is no minimum or maximum number of characters.
Firewall Mode
Security Context
Multiple
Command Mode
Routed
Config-webvpn-sso-siteminder
configuration
Command History
Usage Guidelines
•
Transparent Single
Context
System
—
—
—
•
Release
Modification
7.1(1)
This command was introduced.
Single sign-on support, available only for WebVPN, lets users access different secure services on
different servers without entering a username and password more than once. You first create the SSO
server using the sso-server command. For SiteMinder SSO servers, the policy-server-secret command
secures authentication communications between the adaptive security appliance and the SSO server.
The command argument, secret-key, is similar to a password: you create it, save it, and configure it. It is
configured on both the adaptive security appliance using the policy-server-secret command and on
the SiteMinder Policy Server using the Cisco Java plug-in authentication scheme.
This command applies only to the SiteMinder type of SSO server.
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-75
Chapter 21
packet-tracer through pwd Commands
policy-server-secret
Examples
The following command, entered in config-webvpn-sso-siteminder mode and including a random
character string as an argument, creates a secret key for SiteMinder SSO server authentication
communications:
hostname(config-webvpn)# sso-server my-sso-server type siteminder
hostname(config-webvpn-sso-siteminder)# policy-server-secret @#ET&
hostname(config-webvpn-sso-siteminder)#
Related Commands
Command
Description
max-retry-attempts
Configures the number of times the adaptive security appliance
retries a failed SSO authentication attempt.
request-timeout
Specifies the number of seconds before a failed SSO
authentication attempt times out.
show webvpn sso-server
Displays the operating statistics for all SSO servers configured
on the security device
sso-server
Creates a single sign-on server.
test sso-server
Tests an SSO server with a trial authentication request.
web-agent-url
Specifies the SSO server URL to which the adaptive security
appliance makes SiteMinder SSO authentication requests.
Cisco ASA 5500 Series Command Reference
21-76
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
polltime interface
polltime interface
To specify the data interface poll and hold times in an Active/Active failover configuration, use the
polltime interface command in failover group configuration mode. To restore the default value, use the
no form of this command.
polltime interface [msec] time [holdtime time]
no polltime interface [msec] time [holdtime time]
Syntax Description
Defaults
holdtime time
(Optional) Sets the time during which a data interface must receive a hello
message from the peer interface, after which the peer interface is declared
failed. Valid values are from 5 to 75 seconds.
interface time
Specifies data interface polling period. Valid values are from 3 to 15
seconds. If the optional msec keyword is used, the valid values are from 500
to 999 milliseconds.
msec
(Optional) Specifies that the given time is in milliseconds.
The poll time is 5 seconds.
The holdtime time is 5 times the poll time.
Command Modes
The following table shows the modes in which you can enter the command:
Firewall Mode
Security Context
Multiple
Command Mode
Routed
Failover group configuration
Command History
Usage Guidelines
•
Transparent Single
—
•
Context
—
System
•
Release
Modification
7.0(1)
This command was introduced.
7.2(1)
The command was changed to include the optional holdtime time value and
the ability to specify the poll time in milliseconds.
Use the polltime interface command to change the frequency that hello packets are sent out on
interfaces associated with the specified failover group. This command is available for Active/Active
failover only. Use the failover polltime interface command in Active/Standby failover configurations.
You cannot enter a holdtime value that is less than 5 times the poll time. With a faster poll time, the
adaptive security appliance can detect failure and trigger failover faster. However, faster detection can
cause unnecessary switchovers when the network is temporarily congested. Interface testing begins
when a hello packet is not heard on the interface for over half the hold time.
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-77
Chapter 21
packet-tracer through pwd Commands
polltime interface
You can include both failover polltime unit and failover polltime interface commands in the
configuration.
Note
Examples
When CTIQBE traffic is passed through a adaptive security appliance in a failover configuration, you
should decrease the failover hold time on the adaptive security appliance to below 30 seconds. The
CTIQBE keepalive timeout is 30 seconds and may time out before failover occurs in a failover situation.
If CTIQBE times out, Cisco IP SoftPhone connections to Cisco CallManager are dropped, and the IP
SoftPhone clients need to reregister with the CallManager.
The following partial example shows a possible configuration for a failover group. The interface poll
time is set to 500 milliseconds and the hold time to 5 seconds for data interfaces in failover group 1.
hostname(config)# failover group 1
hostname(config-fover-group)# primary
hostname(config-fover-group)# preempt 100
hostname(config-fover-group)# polltime interface msec 500 holdtime 5
hostname(config-fover-group)# exit
hostname(config)#
Related Commands
Command
Description
failover group
Defines a failover group for Active/Active failover.
failover polltime
Specifies the unit failover poll and hold times.
failover polltime
interface
Specifies the interface poll and hold times for Active/Standby failover
configurations.
Cisco ASA 5500 Series Command Reference
21-78
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
pop3s
pop3s
To enter POP3S configuration mode, use the pop3s command in global configuration mode. To remove
any commands entered in POP3S command mode, use the no version of this command.
POP3 is a client/server protocol in which your Internet server receives and holds e-mail for you.
Periodically, you (or your client e-mail receiver) check your mail-box on the server and download any
mail. This standard protocol is built into most popular e-mail products. POP3S lets you receive e-mail
over an SSL connection.
pop3s
no pop3
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Firewall Mode
Security Context
Multiple
Command Mode
Routed
Global configuration
Command History
Examples
•
Transparent Single
—
•
Release
Modification
7.0
This command was introduced.
Context
—
System
•
The following example shows how to enter POP3S configuration mode:
hostname(config)# pop3s
hostname(config-pop3s)#
Related Commands
Command
Description
clear configure pop3s
Removes the POP3S configuration.
show running-config pop3s
Displays the running configuration for POP3S.
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-79
Chapter 21
packet-tracer through pwd Commands
port
port
To specify the port an e-mail proxy listens to, use the port command in the applicable e-mail proxy
command mode. To revert to the default value, use the no version of this command.
port {portnum}
no port
Syntax Description
portnum
Defaults
The default ports for e-mail proxies are as follows:
Command Modes
The port for the e-mail proxy to use. To avoid conflicts with local TCP
services, use port numbers in the range 1024 to 65535.
E-mail Proxy
Default Port
IMAP4S
993
POP3S
995
SMTPS
988
The following table shows the modes in which you can enter the command:
Firewall Mode
Security Context
Multiple
Command Mode
Command History
Routed
Transparent Single
Context
System
Pop3s
•
—
•
—
—
Imap4s
•
—
•
—
—
Smtps
•
—
•
—
—
Release
Modification
7.0(1)
This command was introduced.
Usage Guidelines
To avoid conflicts with local TCP services, use port numbers in the range 1024 to 65535.
Examples
The following example shows how to set port 1066 for the IMAP4S e-mail proxy:
hostname(config)# imap4s
hostname(config-imap4s)# port 1066
Cisco ASA 5500 Series Command Reference
21-80
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
port-forward
port-forward
To configure the set of applications that users of clientless SSL VPN session can access over forwarded
TCP ports, use the port-forward command in webvpn configuration mode.
port-forward {list_name local_port remote_server remote_port description}
To configure access to multiple applications, use this command with the same list_name multiple times,
once for each application.
To remove a configured application from a list, use the no port-forward list_name local_port command
(you need not include the remote_server and remote_port parameters).
no port-forward listname localport
To remove an entire configured list, use the no port-forward list_name command.
no port-forward list_name
Syntax Description
description
Provides the application name or short description that displays on the end
user Port Forwarding Java applet screen. Maximum 64 characters.
list_name
Groups the set of applications (forwarded TCP ports) users of clientless
SSL VPN sessions can access. Maximum 64 characters.
local_port
Specifies the local port that listens for TCP traffic for an application. You
can use a local port number only once for a list_name. Enter a port number
in the range 1-65535. To avoid conflicts with existing services, use a port
number greater than 1024.
remote_port
Specifies the port to connect to for this application on the remote server.
This is the actual port the application uses. Enter a port number in the range
1-65535 or port name.
remote_server
Provides the DNS name or IP address of the remote server for an
application. If you enter the IP address, you may enter it in either IPv4 or
IPv6 format. We recommend using a host name so that you do not have to
configure the client applications for a specific IP addresses. The dns
server-group command name-server must resolve the host name to an IP
address.
Defaults
There is no default port forwarding list.
Command Modes
The following table shows the modes in which you can enter the command:
Firewall Mode
Security Context
Multiple
Command Mode
webvpn configuration mode
Routed
•
Transparent Single
Context
System
—
—
—
•
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-81
Chapter 21
packet-tracer through pwd Commands
port-forward
Command History
Release
Modification
7.0
This command was introduced.
8.0(2)
The command mode was changed to webvpn.
Usage Guidelines
The security appliance does not support the Microsoft Outlook Exchange (MAPI) proxy. Neither port
forwarding nor the smart tunnel feature that provides application access through a clientless SSL VPN
session supports MAPI. For Microsoft Outlook Exchange communication using the MAPI protocol,
remote users must use AnyConnect.
Examples
The following table shows the values used for example applications.
Application
Local Port
Server DNS Name
Remote Port
Description
IMAP4S e-mail
20143
IMAP4Sserver
143
Get Mail
SMTPS e-mail
20025
SMTPSserver
25
Send Mail
DDTS over SSH
20022
DDTSserver
22
DDTS over SSH
Telnet
20023
Telnetserver
23
Telnet
The following example shows how to create a port forwarding list called SalesGroupPorts that provides
access to these applications:
hostname(config)# webvpn
hostname(config-webvpn)#
hostname(config-webvpn)#
hostname(config-webvpn)#
hostname(config-webvpn)#
Related Commands
Command
port-forward
port-forward
port-forward
port-forward
SalesGroupPorts
SalesGroupPorts
SalesGroupPorts
SalesGroupPorts
20143
20025
20022
20023
IMAP4Sserver 143 Get Mail
SMTPSserver 25 Send Mail
DDTSserver 22 DDTS over SSH
Telnetserver 23 Telnet
Description
port-forward auto-start Entered in group-policy webvpn or username webvpn mode, this command
starts port forwarding automatically and assigns the specified port
forwarding list when the user logs onto a clientless SSL VPN session.
port-forward enable
Entered in group-policy webvpn or username webvpn mode, this command
starts assigns the specified port forwarding list when the user logs on, but
requires the user to start port forwarding manually, using the Application
Access > Start Applications button on the clientless SSL VPN portal page.
port-forward disable
Entered in group-policy webvpn or username webvpn mode, this command
turns off port forwarding.
Cisco ASA 5500 Series Command Reference
21-82
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
port-forward-name
port-forward-name
To configure the display name that identifies TCP port forwarding to end users for a particular user or
group policy, use the port-forward-name command in webvpn mode, which you enter from
group-policy or username mode. To delete the display name, including a null value created by using the
port-forward-name none command, use the no form of the command. The no option restores the
default name, “Application Access.” To prevent a display name, use the port-forward none command.
port-forward-name {value name | none}
no port-forward-name
Syntax Description
none
Indicates that there is no display name. Sets a null value, thereby
disallowing a display name. Prevents inheriting a value.
value name
Describes port forwarding to end users. Maximum of 255 characters.
Defaults
The default name is “Application Access.”
Command Modes
The following table shows the modes in which you can enter the command:
Firewall Mode
Security Context
Multiple
Command Mode
Webvpn
Command History
Examples
Routed
•
Transparent Single
Context
System
—
—
—
•
Release
Modification
7.0
This command was introduced.
The following example shows how to set the name, “Remote Access TCP Applications,” for the group
policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# port-forward-name value Remote Access TCP Applications
Related Commands
Command
Description
webvpn
Use in group-policy configuration mode or in username configuration
mode. Lets you enter webvpn mode to configure parameters that apply to
group policies or usernames.
webvpn
Use in global configuration mode. Lets you configure global settings for
WebVPN.
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-83
Chapter 21
packet-tracer through pwd Commands
port-object
port-object
To add a port object to a service object group, use the port-object command in service configuration
mode. To remove port objects, use the no form of this command.
port-object eq service
no port-object eq service
port-object range begin_service end_service
no port-object range begin_service end_service
Syntax Description
begin_service
Specifies the decimal number or name of a TCP or UDP port that is the
beginning value for a range of services. This value must be between 0 and
65535.
end_service
Specifies the decimal number or name of a TCP or UDP port that is the
ending value for a range of services. ervices. This value must be between 0
and 65535.
eq service
Specifies the decimal number or name of a TCP or UDP port for a service
object.
range
Specifies a range of ports (inclusive).
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Firewall Mode
Security Context
Multiple
Command Mode
Service configuration
Command History
Usage Guidelines
Routed
•
Transparent Single
•
Release
Modification
Preexisting
This command was preexisting.
•
Context
•
System
—
The port-object command is used with the object-group command to define an object that is either a
specific service (port) or a range of services (ports) in service configuration mode.
If a name is specified for a TCP or UDP service, it must be one of the supported TCP or/and UDP names,
and must be consistent with the protocol type of the object group. For instance, for a protocol types of
tcp, udp, and tcp-udp, the names must be a valid TCP service name, a valid UDP service name, or a valid
TCP and UDP service name, respectively.
Cisco ASA 5500 Series Command Reference
21-84
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
port-object
If a number is specified, translation to its corresponding name (if one exists) based on the protocol type
will be made when showing the object.
The following service names are supported:
TCP
UDP
TCP and UDP
bgp
biff
discard
chargen
bootpc
domain
cmd
bootps
echo
daytime
dnsix
pim-auto-rp
exec
nameserver
sunrpc
finger
mobile-ip
syslog
ftp
netbios-ns
tacacs
ftp-data
netbios-dgm
talk
gopher
ntp
ident
rip
irc
snmp
h323
snmptrap
hostname
tftp
http
time
klogin
who
kshell
xdmcp
login
isakmp
lpd
nntp
pop2
pop3
smtp
sqlnet
telnet
uucp
whois
www
Examples
This example shows how to use the port-object command in service configuration mode to create a new
port (service) object group:
hostname(config)# object-group service eng_service tcp
hostname(config-service)# port-object eq smtp
hostname(config-service)# port-object eq telnet
hostname(config)# object-group service eng_service udp
hostname(config-service)# port-object eq snmp
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-85
Chapter 21
packet-tracer through pwd Commands
port-object
hostname(config)# object-group service eng_service tcp-udp
hostname(config-service)# port-object eq domain
hostname(config-service)# port-object range 2000 2005
hostname(config-service)# quit
Related Commands
Command
Description
clear configure
object-group
Removes all the object-group commands from the configuration.
group-object
Adds network object groups.
network-object
Adds a network object to a network object group.
object-group
Defines object groups to optimize your configuration.
show running-config
object-group
Displays the current object groups.
Cisco ASA 5500 Series Command Reference
21-86
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
portal-access-rule
portal-access-rule
This command allows customers to configure a global clientless SSL VPN access policy to permit or
deny clientless SSL VPN sessions based on the data present in HTTP header. If denied, an error code is
returned to the clients. This denial is performed before user authentication and thus minimizes the use
of processing resources.
portal-access-rule none
portal-access-rule priority [{permit | deny [code code]} {any | user-agent match string}
no portal-access-rule priority [{permit | deny [code code]} {any | user-agent match string}]
clear configure webvpn portal-access-rule
Syntax Description
none
Removes all portal access rules. Clientless SSL VPN
sessions will not restricted based on HTTP header.
priority
Priority of rule. Range: 1-65535.
permit
Permit access based upon HTTP header.
deny
Deny access based upon HTTP header.
code
Permit or deny access based on a returned HTTP status
code. Default: 403.
code
The HTTP status code number based on which you want
to permit or deny access. Range: 200-599.
any
Match any HTTP header string.
user-agent match
Enable comparison of strings in HTTP headers.
string
Specify the string to match in the HTTP header. Surround
the string you are searching for with wildcards (*) for a
match that contains your string or do not use wildcards to
specify an exact match of your string.
Note
We recommend using wildcards in your search
string. Without them, the rule may not match any
strings or many fewer than you expect.
If the string you are searching for has a space in it, the
string must be enclosed in quotations; for example, “a
string”. When using both quotations and wild cards, your
search string would look like this: “*a string*”.
no portal-access-rule
Use to delete a single portal-access-rule.
clear configure webvpn portal-access-rule
Equivalent to portal-access-rule none command.
Defaults
portal-access-rule none
Command Modes
The following table shows the modes in which you can enter the command:
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-87
Chapter 21
packet-tracer through pwd Commands
portal-access-rule
Firewall Mode
Security Context
Multiple
Command Mode
Routed
webvpn configuration mode
Command History
•
Transparent Single
Context
System
—
—
—
•
Release
Modification
8.2(5)
This command was introduced simultaneously in ASA 8.2.5 and 8.4(2)
8.4(2)
This command was introduced simultaneously in ASA 8.2.5 and 8.4(2)
Usage Guidelines
This check is performed prior to user authentication.
Examples
The following example creates three portal access rules:
•
Portal access rule 1 denies attempted clientless SSL VPN connections when the ASA returns code
403 and Thunderbird is in the HTTP header.
•
Portal access rule 10 permits attempted clientless SSL VPN connections when MSIE 8.0 (Microsoft
Internet Explorer 8.0) is in the HTTP header.
•
Portal access rule 65535 permits all other attempted clientless SSL VPN connections.
hostname(config)# webvpn
hostname(config-webvpn)# portal-access-rule 1 deny code 403 user-agent match *Thunderbird*
hostname(config-webvpn)# portal-access-rule 10 permit user-agent match "*MSIE 8.0*"
hostname(config-webvpn)# portal-access-rule 65535 permit any
Related Commands
Command
Description
show run webvpn
Displays webvpn configuration including all
portal-access-rules.
show vpn-sessiondb detail webvpn Display information about VPN sessions. The command
includes options for displaying information in full or in detail,
lets you specify type of sessions to display, and provides options
to filter and sort the information.
debug webvpn request n
Enables logging of debug messages at a particular level of
debugging. Default: 1. Range: 1-255.
Cisco ASA 5500 Series Command Reference
21-88
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
post-max-size
post-max-size
To specify the maximum size allowed for an object to post, use the post-max-size command in
group-policy webvpn configuration mode. To remove this object from the configuration, use the no
version of this command.
post-max-size <size>
no post-max-size
Syntax Description
size
Defaults
The default size is 2147483647.
Command Modes
The following table shows the modes in which you can enter the command:
Specifies the maximum size allowed for a posted object. The range is 0
through 2147483647.
Firewall Mode
Security Context
Multiple
Command Mode
Group-policy webvpn
configuration mode
Command History
Routed
•
Transparent Single
Context
System
—
—
—
•
Release
Modification
8.0(2)
This command was introduced.
Usage Guidelines
Setting the size to 0 effectively disallows object posting.
Examples
The following example sets the maximum size for a posted object to 1500 bytes:
hostname(config)# group-policy test attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# post-max-size 1500
Related Commands
Command
Description
download-max-size
Specifies the maximum size of an object to download.
upload-max-size
Specifies the maximum size of an object to upload.
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-89
Chapter 21
packet-tracer through pwd Commands
post-max-size
Command
Description
webvpn
Use in group-policy configuration mode or in username
configuration mode. Lets you enter webvpn mode to
configure parameters that apply to group policies or
usernames.
webvpn
Use in global configuration mode. Lets you configure global
settings for WebVPN.
Cisco ASA 5500 Series Command Reference
21-90
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
pppoe client route distance
pppoe client route distance
To configure an administrative distance for routes learned through PPPoE, use the pppoe client route
distance command in interface configuration mode. To restore teh default setting, use the no form of
this command.
pppoe client route distance distance
no pppoe client route distance distance
Syntax Description
distance
Defaults
Routes learned through PPPoE are given an administrative distance of 1 by default.
Command Modes
The following table shows the modes in which you can enter the command:
The administrative distance to apply to routes learned through PPPoE. Valid
values are from 1 to 255.
Firewall Mode
Security Context
Multiple
Command Mode
Interface configuration
Command History
Usage Guidelines
Routed
•
Transparent Single
Context
System
—
—
—
•
Release
Modification
7.2(1)
This command was introduced.
The pppoe client route distance command is checked only when a route is learned from PPPoE. If the
pppoe client route distance command is entered after a route is learned from PPPoE, the administrative
distance specified does not affect the existing learned route. Only routes learned after the command was
entered have the specified administrative distance.
You must specify the setroute option on the ip address pppoe command to obtain routes through
PPPoE.
If PPPoE is configured on multiple interfaces, you must use the pppoe client route distance command
on each of the interfaces to indicate the priority of the installed routes. Enablgin PPPoE clients on
multiple interfaces is only supported with object tracking.
You cannot configure failover if you obtain IP addresses using PPPoE.
Examples
The following example obtains the default route through PPPoE on GigabitEhternet0/2. The route is
tracked by tracking entry object 1. The SLA operation monitors the availability of the 10.1.1.1 gateway
off of the outside interface. If the SLA operation fails, then the secondary route obtained on
GigabitEthernet0/3 through PPPoE is used.
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-91
Chapter 21
packet-tracer through pwd Commands
pppoe client route distance
hostname(config)# sla monitor 123
hostname(config-sla-monitor)# type echo protocol ipIcmpEcho 10.1.1.1 interface outside
hostname(config-sla-monitor-echo)# timeout 1000
hostname(config-sla-monitor-echo)# frequency 3
hostname(config)# sla monitor schedule 123 life forever start-time now
hostname(config)# track 1 rtr 123 reachability
hostname(config)# interface GigabitEthernet0/2
hostname(config-if)# pppoe client route track 1
hostname(config-if)# ip address pppoe setroute
hostname(config)# interface GigabitEthernet0/3
hostname(config-if)# pppoe client secondary track 1
hostname(config-if)# pppoe client route distance 254
hostname(config-if)# ip address pppoe setroute
Related Commands
Command
Description
ip address pppoe
Configures the specified interface with an IP address obtained through
PPPoE.
ppoe client secondary
Configures tracking for secondary PPPoE client interface.
pppoe client route
track
Associates routes learned through PPPoE with a tracking entry object.
sla monitor
Defines an SLA monitoring operation.
track rtr
Creates a tracking entry to poll the SLA.
Cisco ASA 5500 Series Command Reference
21-92
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
pppoe client route track
pppoe client route track
To configure the PPPoE client to associate added routes with a specified tracked object number, use the
pppoe client route track command in interface configuration mode. To remove the PPPoE route
tracking, use the no form of this command.
pppoe client route track number
no pppoe client route track
Syntax Description
number
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
The tracking entry object ID. Valid values are from 1 to 500.
Firewall Mode
Security Context
Multiple
Command Mode
Interface configuration
Command History
Usage Guidelines
Routed
•
Transparent Single
Context
System
—
—
—
•
Release
Modification
7.2(1)
This command was introduced.
The pppoe client route track command is checked only when a route is learned from PPPoE. If the
pppoe client route track command is entered after a route is learned from PPPoE, the existing learned
routes are not associated with a tracking object. Only routes learned after the command was entered are
associated with the specified tracking object.
You must specify the setroute option on the ip address pppoe command to obtain routes through
PPPoE.
If PPPoE is configured on multiple interfaces, you must use the pppoe client route distance command
on each of the interfaces to indicate the priority of the installed routes. Enabling PPPoE clients on
multiple interfaces is only supported with object tracking.
You cannot configure failover if you obtain IP addresses using PPPoE.
Examples
The following example obtains the default route through PPPoE on GigabitEhternet0/2. The route is
tracked by tracking entry object 1. The SLA operation monitors the availability of the 10.1.1.1 gateway
off of the outside interface. If the SLA operation fails, then the secondary route obtained on
GigabitEthernet0/3 through PPPoE is used.
hostname(config)# sla monitor 123
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-93
Chapter 21
packet-tracer through pwd Commands
pppoe client route track
hostname(config-sla-monitor)# type echo protocol ipIcmpEcho 10.1.1.1 interface outside
hostname(config-sla-monitor-echo)# timeout 1000
hostname(config-sla-monitor-echo)# frequency 3
hostname(config)# sla monitor schedule 123 life forever start-time now
hostname(config)# track 1 rtr 123 reachability
hostname(config)# interface GigabitEthernet0/2
hostname(config-if)# pppoe client route track 1
hostname(config-if)# ip address pppoe setroute
hostname(config)# interface GigabitEthernet0/3
hostname(config-if)# pppoe client secondary track 1
hostname(config-if)# pppoe client route distance 254
hostname(config-if)# ip address pppoe setroute
Related Commands
Command
Description
ip address pppoe
Configures the specified interface with an IP address obtained through
PPPoE.
ppoe client secondary
Configures tracking for secondary PPPoE client interface.
pppoe client route
distance
Assigns an administrative distance to routes learned through PPPoE.
sla monitor
Defines an SLA monitoring operation.
track rtr
Creates a tracking entry to poll the SLA.
Cisco ASA 5500 Series Command Reference
21-94
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
pppoe client secondary
pppoe client secondary
To configure the PPPoE client to register as a client of a tracked object and to be brought up or down
based on the tracking state, use the pppoe client secondary command in interface configuration mode.
To remove the client registration, use the no form of this command.
pppoe client secondary track number
no pppoe client secondary track
Syntax Description
number
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
The tracking entry object ID. Valid values are from 1 to 500.
Firewall Mode
Security Context
Multiple
Command Mode
Interface configuration
Command History
Usage Guidelines
Routed
•
Transparent Single
Context
System
—
—
—
•
Release
Modification
7.2(1)
This command was introduced.
The pppoe client secondary command is checked only when PPPoE session starts. If the pppoe client
route track command is entered after a route is learned from PPPoE, the existing learned routes are not
associated with a tracking object. Only routes learned after the command was entered are associated with
the specified tracking object.
You must specify the setroute option on the ip address pppoe command to obtain routes through
PPPoE.
If PPPoE is configured on multiple interfaces, you must use the pppoe client route distance command
on each of the interfaces to indicate the priority of the installed routes. Enabling PPPoE clients on
multiple interfaces is only supported with object tracking.
You cannot configure failover if you obtain IP addresses using PPPoE.
Examples
The following example obtains the default route through PPPoE on GigabitEhternet0/2. The route is
tracked by tracking entry object 1. The SLA operation monitors the availability of the 10.1.1.1 gateway
off of the outside interface. If the SLA operation fails, then the secondary route obtained on
GigabitEthernet0/3 through PPPoE is used.
hostname(config)# sla monitor 123
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-95
Chapter 21
packet-tracer through pwd Commands
pppoe client secondary
hostname(config-sla-monitor)# type echo protocol ipIcmpEcho 10.1.1.1 interface outside
hostname(config-sla-monitor-echo)# timeout 1000
hostname(config-sla-monitor-echo)# frequency 3
hostname(config)# sla monitor schedule 123 life forever start-time now
hostname(config)# track 1 rtr 123 reachability
hostname(config)# interface GigabitEthernet0/2
hostname(config-if)# pppoe client route track 1
hostname(config-if)# ip address pppoe setroute
hostname(config)# interface GigabitEthernet0/3
hostname(config-if)# pppoe client secondary track 1
hostname(config-if)# pppoe client route distance 254
hostname(config-if)# ip address pppoe setroute
Related Commands
Command
Description
ip address pppoe
Configures the specified interface with an IP address obtained through
PPPoE.
ppoe client secondary
Configures tracking for secondary PPPoE client interface.
pppoe client route
distance
Assigns an administrative distance to routes learned through PPPoE.
pppoe client route
track
Associates routes learned through PPPoE with a tracking entry object.
sla monitor
Defines an SLA monitoring operation.
Cisco ASA 5500 Series Command Reference
21-96
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
pre-fill-username
pre-fill-username
To enable extracting a username from a client certificate for use in authentication and authorization, use
the pre-fill-username command in tunnel-group webvpn-attributes mode. To remove the attribute from
the configuration, use the no form of this command.
pre-fill-username {ssl-client | clientless}
no pre-fill-username
Syntax Description
ssl-client
Enables this feature for AnyConnect VPN client connections.
clientless
Enables this feature for clientless connections.
Defaults
No default value or behavior.
Command Modes
The following table shows the modes in which you can enter the command:
Firewall Mode
Security Context
Multiple
Command Mode
Routed
Tunnel-group webvpn-attributes
configuration
Command History
Usage Guidelines
•
Transparent Single
Context
System
—
—
—
•
Release
Modification
8.0(4)
This command was introduced.
The pre-fill-username command enables the use of a username extracted from the certificate field
specified in the username-from-certificate command as the username for username/password
authentication and authorization. To use this pre-fill username from certificate feature, you must
configure both commands.
To enable this feature, you must also configure the username-from-certificate command in
tunnel-group general-attributes mode.
Note
Examples
In Releases 8.0.4 and 8.1.2, the username is not pre-filled; instead, any data sent in the username field
is ignored.
The following example, entered in global configuration mode, creates an IPSec remote access tunnel
group named remotegrp and specifies that the name for an authentication or authorization query for an
SSL VPN client must be derived from a digital certificate:
hostname(config)# tunnel-group remotegrp type ipsec_ra
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-97
Chapter 21
packet-tracer through pwd Commands
pre-fill-username
hostname(config)# tunnel-group remotegrp webvpn-attributes
hostname(config-tunnel-webvpn)# pre-fill-username ssl-client
hostname(config-tunnel-webvpn)#
Related Commands
Command
Description
pre-fill-username
Enables the pre-fill username feature.
show running-config
tunnel-group
Shows the indicated tunnel-group configuration.
tunnel-group
general-attributes
Specifies the general attributes for the named tunnel-group.
username-from-certificate Specifies the field in a certificate to use as the username for
authorization.
Cisco ASA 5500 Series Command Reference
21-98
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
preempt
preempt
To cause the unit to become active on boot if it has the higher priority, use the preempt command in
failover group configuration mode. To remove the preemption, use the no form of this command.
preempt [delay]
no preempt [delay]
Syntax Description
seconds
Defaults
By default, there is no delay.
Command Modes
The following table shows the modes in which you can enter the command:
The wait time, in seconds, before the peer is preempted. Valid values are
from 1 to 1200 seconds.
Firewall Mode
Security Context
Multiple
Command Mode
Routed
Failover group configuration
Command History
Usage Guidelines
Note
Examples
•
Transparent Single
—
•
Release
Modification
7.0(1)
This command was introduced.
Context
—
System
•
Assigning a primary or secondary priority to a failover group specifies which unit the failover group
becomes active on when both units boot simultaneously (within a unit polltime). However, if one unit
boots before the other, then both failover groups become active on that unit. When the other unit comes
online, any failover groups that have the second unit as a priority do not become active on the second
unit unless the failover group is configured with the preempt command or is manually forced to the other
unit with the no failover active command. If the failover group is configured with the preempt
command, the failover group automatically becomes active on the designated unit.
If Stateful Failover is enabled, the preemption is delayed until the connections are replicated from the
unit on which the failover group is currently active.
The following example configures failover group 1 with the primary unit as the higher priority and
failover group 2 with the secondary unit as the higher priority. Both failover groups are configured with
the preempt command with a wait time of 100 seconds, so the groups will automatically become active
on their preferred unit 100 seconds after the units become available.
hostname(config)# failover group 1
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-99
Chapter 21
packet-tracer through pwd Commands
preempt
hostname(config-fover-group)# primary
hostname(config-fover-group)# preempt 100
hostname(config-fover-group)# exit
hostname(config)# failover group 2
hostname(config-fover-group)# secondary
hostname(config-fover-group)# preempt 100
hostname(config-fover-group)# mac-address e1 0000.a000.a011 0000.a000.a012
hostname(config-fover-group)# exit
hostname(config)#
Related Commands
Command
Description
failover group
Defines a failover group for Active/Active failover.
primary
Gives the primary unit in a failover pair priority for the failover group being
configured.
secondary
Gives the secondary unit in a failover pair priority for the failover group
being configured.
Cisco ASA 5500 Series Command Reference
21-100
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
prefix-list
prefix-list
To create an entry in a prefix list for ABR type 3 LSA filtering, use the prefix-list command in global
configuration mode. To remove a prefix list entry, use the no form of this command.
prefix-list prefix-list-name [seq seq_num] {permit | deny} network/len [ge min_value] [le
max_value]
no prefix-list prefix-list-name [seq seq_num] {permit | deny} network/len [ge min_value] [le
max_value]
Syntax Description
/
A required separator between the network and len values.
deny
Denies access for a matching condition.
ge min_value
(Optional) Specifies the minimum prefix length to be matched. The value of
the min_value argument must be greater than the value of the len argument
and less than or equal to the max_value argument, if present.
le max_value
(Optional) Specifies the maximum prefix length to be matched. The value
of the max_value argument must be greater than or equal to the value of the
min_value argument, if present, or greater than the value of the len
argument if the min_value argument is not present.
len
The length of the network mask. Valid values are from 0 to 32.
network
The network address.
permit
Permits access for a matching condition.
prefix-list-name
The name of the prefix list. The prefix-list name cannot contain spaces.
seq seq_num
(Optional) Applies the specified sequence number to the prefix list being
created.
Defaults
If you do not specify a sequence number, the first entry in a prefix list is assigned a sequence number of
5, and the sequence number for each subsequent entry is increased by 5.
Command Modes
The following table shows the modes in which you can enter the command:
Firewall Mode
Security Context
Multiple
Command Mode
Global configuration
Command History
Routed
•
Transparent Single
Context
System
—
—
—
•
Release
Modification
Preexisting
This command was preexisting.
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-101
Chapter 21
packet-tracer through pwd Commands
prefix-list
Usage Guidelines
The prefix-list commands are ABR type 3 LSA filtering commands. ABR type 3 LSA filtering extends
the capability of an ABR that is running OSPF to filter type 3 LSAs between different OSPF areas. Once
a prefix list is configured, only the specified prefixes are sent from one area to another area. All other
prefixes are restricted to their OSPF area. You can apply this type of area filtering to traffic going into
or coming out of an OSPF area, or to both the incoming and outgoing traffic for that area.
When multiple entries of a prefix list match a given prefix, the entry with the lowest sequence number
is used. The adaptive security appliance begins the search at the top of the prefix list, with the entry with
the lowest sequence number. Once a mach is made, the adaptive security appliance does not go through
the rest of the list. For efficiency, you may want to put the most common matches or denials near the top
of the list by manually assigning them a lower sequence number.
By default, the sequence numbers are automatically generated. They can be suppressed with the no
prefix-list sequence-number command. Sequence numbers are generated in increments of 5. The first
sequence number generated in a prefix list would be 5. The next entry in that list would have a sequence
number of 10, and so on. If you specify a value for an entry, and then do not specify values for subsequent
entries, the generated sequence numbers are increased from the specified value in increments of 5. For
example, if you specify that the first entry in the prefix list has a sequence number of 3, and then add
two more entries without specifying a sequence number for the additional entries, the automatically
generated sequence numbers for those two entries would be 8 and 13.
You can use the ge and le keywords to specify the range of the prefix length to be matched for prefixes
that are more specific than the network/len argument. Exact match is assumed when neither the ge or le
keywords are specified. The range is from min_value to 32 if only the ge keyword is specified.The range
is from len to max_value if only the le keyword is specified.
The value of the min_value and max_value arguments must satisfy the following condition:
len < min_value <= max_value <= 32
Use the no form of the command to remove specific entries from the prefix list. Use the clear configure
prefix-list command to remove a prefix list. The clear configure prefix-list command also removes the
associated prefix-list description command, if any, from the configuration.
Examples
The following example denies the default route 0.0.0.0/0:
hostname(config)# prefix-list abc deny 0.0.0.0/0
The following example permits the prefix10.0.0.0/8:
hostname(config)# prefix-list abc permit 10.0.0.0/8
The following example shows how to accept a mask length of up to 24 bits in routes with the prefix
192/8:
hostname(config)# prefix-list abc permit 192.168.0.0/8 le 24
The following example shows how to deny mask lengths greater than 25 bits in routes with a prefix of
192/8:
hostname(config)# prefix-list abc deny 192.168.0.0/8 ge 25
The following example shows how to permit mask lengths from 8 to 24 bits in all address space:
hostname(config)# prefix-list abc permit 0.0.0.0/0 ge 8 le 24
The following example shows how to deny mask lengths greater than 25 bits in all address space:
hostname(config)# prefix-list abc deny 0.0.0.0/0 ge 25
Cisco ASA 5500 Series Command Reference
21-102
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
prefix-list
The following example shows how to deny all routes with a prefix of 10/8:
hostname(config)# prefix-list abc deny 10.0.0.0/8 le 32
The following example shows how to deny all masks with a length greater than 25 bits for routes with a
prefix of 192.168.1/24:
hostname(config)# prefix-list abc deny 192.168.1.0/24 ge 25
The following example shows how to permit all routes with a prefix of 0/0:
hostname(config)# prefix-list abc permit 0.0.0.0/0 le 32
Related Commands
Command
Description
clear configure
prefix-list
Removes the prefix-list commands from the running configuration.
prefix-list description
Lets you to enter a description for a prefix list.
prefix-list
sequence-number
Enables prefix list sequence numbering.
show running-config
prefix-list
Displays the prefix-list commands in the running configuration.
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-103
Chapter 21
packet-tracer through pwd Commands
prefix-list description
prefix-list description
To add a description to a prefix list, use the prefix-list description command in global configuration
mode. To remove a prefix list description, use the no form of this command.
prefix-list prefix-list-name description text
no prefix-list prefix-list-name description [text]
Syntax Description
prefix-list-name
The name of a prefix list.
text
The text of the prefix list description. You can enter a maximum of 80
characters.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Firewall Mode
Security Context
Multiple
Command Mode
Global configuration
Command History
Usage Guidelines
Routed
•
Transparent Single
Context
System
—
—
—
Release
Modification
Preexisting
This command was preexisting.
•
You can enter prefix-list and prefix-list description commands in any order for a particular prefix list
name; you do not need to create the prefix list before entering a prefix list description. The prefix-list
description command will always appear on the line before the associated prefix list in the
configuration, no matter what order you enter the commands.
If you enter a prefix-list description command for a prefix list entry that already has a description, the
new description replaces the original description.
You do not need to enter the text description when using the no form of this command.
Examples
The following example adds a description for a prefix list named MyPrefixList. The show
running-config prefix-list command shows that although the prefix list description has been added to
the running configuration, the prefix-list itself has not been configured.
hostname(config)# prefix-list MyPrefixList description A sample prefix list description
hostname(config)# show running-config prefix-list
!
prefix-list MyPrefixList description A sample prefix list description
Cisco ASA 5500 Series Command Reference
21-104
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
prefix-list description
!
Related Commands
Command
Description
clear configure
prefix-list
Removes the prefix-list commands from the running configuration.
prefix-list
Defines a prefix list for ABR type 3 LSA filtering.
show running-config
prefix-list
Displays the prefix-list commands in the running configuration.
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-105
Chapter 21
packet-tracer through pwd Commands
prefix-list sequence-number
prefix-list sequence-number
To enable prefix list sequence numbering, use the prefix-list sequence-number command in global
configuration mode. To disable prefix list sequence numbering, use the no form of this command.
prefix-list sequence-number
Syntax Description
This command has no arguments or keywords.
Defaults
Prefix list sequence numbering is enabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Firewall Mode
Security Context
Multiple
Command Mode
Global configuration
Command History
Usage Guidelines
Routed
•
Transparent Single
Context
System
—
—
—
Release
Modification
Preexisting
This command was preexisting.
•
Only the no form of this command appears in the configuration. When the no form of this command is
in the configuration, the sequence numbers, including the manually configured ones, are removed from
the prefix-list commands in the configuration and new prefix lists entries are not assigned a sequence
number.
When prefix list sequence numbering is enabled, all prefix list entries are assigned sequence numbers
using the default numbering method (starting with 5 and incrementing each number by 5). If a sequence
number was manually assigned to a prefix list entry before numbering was disabled, the manually
assigned number is restored. Sequence numbers that are manually assigned while automatic numbering
is disabled are also restored, even though they are not displayed while numbering is disabled.
Examples
The following example disables prefix list sequence numbering:
hostname(config)# no prefix-list sequence-number
Related Commands
Command
Description
prefix-list
Defines a prefix list for ABR type 3 LSA filtering.
show running-config
prefix-list
Displays the prefix-list commands in the running configuration.
Cisco ASA 5500 Series Command Reference
21-106
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
pre-shared-key
pre-shared-key
To specify a preshared key to support IKE connections based on preshared keys, use the pre-shared-key
command in tunnel-group ipsec-attributes configuration mode. To return to the default value, use the no
form of this command.
pre-shared-key key
no pre-shared-key
Syntax Description
key
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Specifies an alphanumeric key between 1 and 128 characters.
Firewall Mode
Security Context
Multiple
Command Mode
Routed
Tunnel-group ipsec-attributes
configuration
Command History
•
Transparent Single
Context
System
—
—
—
•
Release
Modification
7.0(1)
This command was introduced.
Usage Guidelines
You can apply this attribute to all IPSec tunnel-group types.
Examples
The following command entered in config-ipsec configuration mode, specifies the preshared key XYZX
to support IKE connections for the IPSec LAN-to-LAN tunnel group named 209.165.200.225:
hostname(config)# tunnel-group 209.165.200.225 type IPSec_L2L
hostname(config)# tunnel-group 209.165.200.225 ipsec-attributes
hostname(config-tunnel-ipsec)# pre-shared-key xyzx
hostname(config-tunnel-ipsec)#
Related Commands
Command
Description
clear-configure
tunnel-group
Clears all configured tunnel groups.
show running-config
tunnel-group
Shows the tunnel group configuration for all tunnel groups or for a
particular tunnel group.
tunnel-group
ipsec-attributes
Configures the tunnel-group ipsec-attributes for this group.
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-107
Chapter 21
packet-tracer through pwd Commands
primary
primary
To give the primary unit higher priority for a failover group, use the primary command in failover group
configuration mode. To restore the default value, use the no form of this command.
primary
no primary
Syntax Description
This command has no arguments or keywords.
Defaults
If primary or secondary is not specified for a failover group, the failover group defaults to primary.
Command Modes
The following table shows the modes in which you can enter the command:
Firewall Mode
Security Context
Multiple
Command Mode
Routed
Failover group configuration
Command History
•
Transparent Single
•
Release
Modification
7.0(1)
This command was introduced.
—
Context
—
System
•
Usage Guidelines
Assigning a primary or secondary priority to a failover group specifies which unit the failover group
becomes active on when both units boot simultaneously (within a unit polltime). If one unit boots before
the other, then both failover groups become active on that unit. When the other unit comes online, any
failover groups that have the second unit as a priority do not become active on the second unit unless the
failover group is configured with the preempt command or is manually forced to the other unit with the
no failover active command.
Examples
The following example configures failover group 1 with the primary unit as the higher priority and
failover group 2 with the secondary unit as the higher priority. Both failover groups are configured with
the preempt command, so the groups will automatically become active on their preferred unit as the
units become available.
hostname(config)# failover group 1
hostname(config-fover-group)# primary
hostname(config-fover-group)# preempt 100
hostname(config-fover-group)# exit
hostname(config)# failover group 2
hostname(config-fover-group)# secondary
hostname(config-fover-group)# preempt 100
hostname(config-fover-group)# mac-address e1 0000.a000.a011 0000.a000.a012
hostname(config-fover-group)# exit
Cisco ASA 5500 Series Command Reference
21-108
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
primary
hostname(config)#
Related Commands
Command
Description
failover group
Defines a failover group for Active/Active failover.
preempt
Forces the failover group to become active on its preferred unit when the
unit becomes available.
secondary
Gives the secondary unit a higher priority than the primary unit.
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-109
Chapter 21
packet-tracer through pwd Commands
priority
priority
To enable QoS priority queueing, use the priority command in class configuration mode. For critical
traffic that cannot tolerate latency, such as voice over IP (VoIP), you can identify traffic for low latency
queueing (LLQ) so that it is always transmitted at a minimum rate. To remove the priority requirement,
use the no form of this command.
priority
no priority
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or variables.
Command Modes
The following table shows the modes in which you can enter the command:
Firewall Mode
Security Context
Multiple
Command Mode
Routed
Class
Command History
Usage Guidelines
•
Transparent Single
•
Release
Modification
7.0(1)
This command was introduced.
•
Context
System
—
—
LLQ priority queueing lets you prioritize certain traffic flows (such as latency-sensitive traffic like voice
and video) ahead of other traffic.
The adaptive security appliance supports two types of priority queueing:
•
Standard priority queueing—Standard priority queueing uses an LLQ priority queue on an interface
(see the priority-queue command), while all other traffic goes into the “best effort” queue. Because
queues are not of infinite size, they can fill and overflow. When a queue is full, any additional
packets cannot get into the queue and are dropped. This is called tail drop. To avoid having the queue
fill up, you can increase the queue buffer size. You can also fine-tune the maximum number of
packets allowed into the transmit queue. These options let you control the latency and robustness of
the priority queuing. Packets in the LLQ queue are always transmitted before packets in the best
effort queue.
•
Hierarchical priority queueing—Hierarchical priority queueing is used on interfaces on which you
enable a traffic shaping queue (the shape command). A subset of the shaped traffic can be
prioritized. The standard priority queue is not used. See the following guidelines about hierarchical
priority queueing:
– Priority packets are always queued at the head of the shape queue so they are always transmitted
ahead of other non-priority queued packets.
Cisco ASA 5500 Series Command Reference
21-110
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
priority
– Priority packets are never dropped from the shape queue unless the sustained rate of priority
traffic exceeds the shape rate.
– For IPSec-encrypted packets, you can only match traffic based on the DSCP or precedence
setting.
– IPSec-over-TCP is not supported for priority traffic classification.
Configuring QoS with Modular Policy Framework
To enable priority queueing, use the Modular Policy Framework. You can use standard priority queueing
or hierarchical priority queueing.
For standard priority queueing, perform the following tasks:
1.
class-map—Identify the traffic on which you want to perform priority queueing.
2.
policy-map—Identify the actions associated with each class map.
a. class—Identify the class map on which you want to perform actions.
b. priority—Enable priority queueing for the class map.
3.
service-policy—Assigns the policy map to an interface or globally.
For hierarchical priority-queueing, perform the following tasks:
1.
class-map—Identify the traffic on which you want to perform priority queueing.
2.
policy-map (for priority queueing)—Identify the actions associated with each class map.
a. class—Identify the class map on which you want to perform actions.
b. priority—Enable priority queueing for the class map. You can only include the priority
command in this policy map if you want to use is hierarchically.
3.
policy-map (for traffic shaping)—Identify the actions associated with the class-default class map.
a. class class-default—Identify the class-default class map on which you want to perform
actions.
b. shape—Apply traffic shaping to the class map.
c. service-policy—Call the priority queueing policy map in which you configured the priority
command so you can apply priority queueing to a subset of shaped traffic.
4.
Examples
service-policy—Assigns the policy map to an interface or globally.
The following is an example of the priority command in policy-map mode:
hostname(config)# policy-map localpolicy1
hostname(config-pmap)# class firstclass
hostname(config-pmap-c)# priority
hostname(config-pmap-c)# class class-default
hostname(config-pmap-c)#
Related Commands
class
Specifies a class map to use for traffic classification.
clear configure
policy-map
Remove all policy-map configuration, except that if a policy-map is in use in
a service-policy command, that policy-map is not removed.
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-111
Chapter 21
packet-tracer through pwd Commands
priority
policy-map
Configures a policy; that is, an association of a traffic class and one or more
actions.
show running-config Display all current policy-map configurations.
policy-map
Cisco ASA 5500 Series Command Reference
21-112
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
priority (vpn load balancing)
priority (vpn load balancing)
To set the priority of the local device participating in the virtual load-balancing cluster, use the priority
command in VPN load-balancing mode. To revert to the default priority specification, use the no form
of this command.
priority priority
no priority
Syntax Description
priority
Defaults
The default priority depends on the model number of the device:
Command Modes
The priority, in the range of 1 to 10, that you want to assign to this device.
Model Number
Default Priority
5520
5
5540
7
The following table shows the modes in which you can enter the command:
Firewall Mode
Security Context
Multiple
Command Mode
VPN load-balancing
Command History
Usage Guidelines
Routed
—
Transparent Single
Context
System
—
—
—
Release
Modification
7.0(1)
This command was introduced.
•
You must first use the vpn load-balancing command to enter VPN load-balancing mode.
This command sets the priority of the local device participating in the virtual load-balancing cluster.
The priority must be an integer in the range of 1 (lowest) to 10 (highest).
The priority is used in the master-election process as one way to determine which of the devices in a
VPN load-balancing cluster becomes the master or primary device for the cluster. See Cisco ASA 5500
Series Configuration Guide using the CLI for details about the master-election process.
The no form of the command reverts the priority specification to the default value.
Examples
The following is an example of a VPN load-balancing command sequence that includes a priority
command that sets the priority of the current device to 9:
hostname(config)# interface GigabitEthernet 0/1
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-113
Chapter 21
packet-tracer through pwd Commands
priority (vpn load balancing)
hostname(config-if)# ip address 209.165.202.159 255.255.255.0
hostname(config)# nameif test
hostname(config)# interface GigabitEthernet 0/2
hostname(config-if)# ip address 209.165.201.30 255.255.255.0
hostname(config)# nameif foo
hostname(config)# vpn load-balancing
hostname(config-load-balancing)# priority 9
hostname(config-load-balancing)# interface lbpublic test
hostname(config-load-balancing)# interface lbprivate foo
hostname(config-load-balancing)# cluster ip address 209.165.202.224
hostname(config-load-balancing)# participate
Related Commandsh
Command
Description
vpn load-balancing
Enter VPN load-balancing mode.
Cisco ASA 5500 Series Command Reference
21-114
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
priority-queue
priority-queue
To create a standard priority queue on an interface for use with the priority command, use the
priority-queue command in global configuration mode. To remove the queue, use the no form of this
command.
priority-queue interface-name
no priority queue interface-name
Syntax Description
interface-name
Defaults
By default, priority queuing is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Specifies the name of the physical interface on which you want to enable
the priority queue, or for the ASA 5505, the name of the VLAN interface.
Firewall Mode
Security Context
Multiple
Command Mode
Global configuration
Command History
Usage Guidelines
Routed
•
Transparent Single
Context
System
—
—
—
•
Release
Modification
7.0(1)
This command was introduced.
LLQ priority queueing lets you prioritize certain traffic flows (such as latency-sensitive traffic like voice
and video) ahead of other traffic.
The adaptive security appliance supports two types of priority queueing:
•
Standard priority queueing—Standard priority queueing uses an LLQ priority queue on an interface
that yopu create using the priority-queue command, while all other traffic goes into the “best
effort” queue. Because queues are not of infinite size, they can fill and overflow. When a queue is
full, any additional packets cannot get into the queue and are dropped. This is called tail drop. To
avoid having the queue fill up, you can increase the queue buffer size (the queue-limit command).
You can also fine-tune the maximum number of packets allowed into the transmit queue (the
tx-ring-limit command). These options let you control the latency and robustness of the priority
queuing. Packets in the LLQ queue are always transmitted before packets in the best effort queue.
•
Hierarchical priority queueing—Hierarchical priority queueing is used on interfaces on which you
enable a traffic shaping queue. A subset of the shaped traffic can be prioritized. The standard priority
queue is not used.
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-115
Chapter 21
packet-tracer through pwd Commands
priority-queue
On ASA Model 5505 (only), configuring priority-queue on one interface overwrites the same
configuration on all other interfaces. That is, only the last applied configuration is present on all
interfaces. Further, if the priority-queue configuration is removed from one interface, it is removed from
all interfaces.
To work around this issue, configure the priority-queue command on only one interface. If different
interfaces need different settings for the queue-limit and/or tx-ring-limit commands, use the largest of
all queue-limits and smallest of all tx-ring-limits on any one interface (CSCsi13132).
Examples
The following example configures a priority queue for the interface named test, specifying a queue limit
of 30,000 packets and a transmit queue limit of 256 packets.
hostname(config)# priority-queue test
hostname(priority-queue)# queue-limit 30000
hostname(priority-queue)# tx-ring-limit 256
hostname(priority-queue)#
Related Commands
Command
Description
queue-limit
Specifies the maximum number of packets that can be enqueued to a priority
queue before it drops data.
tx-ring-limit
Sets the maximum number of packets that can be queued at any given time
in the Ethernet transmit driver.
policy-map
Configures a policy; that is, an association of a traffic class and one or more
actions.
clear configure
priority-queue
Removes the current priority queue configuration.
show running-config
[all] priority-queue
Shows the current priority queue configuration. If you specify the all
keyword, this command displays all the current priority queue, queue-limit,
and tx-ring-limit configuration values.
Cisco ASA 5500 Series Command Reference
21-116
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
privilege
privilege
To configure command privilege levels for use with command authorization (local, RADIUS, and LDAP
(mapped) only), use the privilege command in global configuration mode. To disallow the configuration,
use the no form of this command.
privilege [ show | clear | configure ] level level [ mode {enable | configure}] command command
no privilege [ show | clear | configure ] level level [ mode {enable | configure}] command
command
Syntax Description
clear
(Optional) Sets the privilege only for the clear form of the command. If you
do not use the clear, show, or configure keywords, all forms of the
command are affected.
command command
Specifies the command you are configuring. You can only configure the
privilege level of the main command. For example, you can configure the
level of all aaa commands, but not the level of the aaa authentication
command and the aaa authorization command separately.
Also, you cannot configure the privilege level of subcommands separately
from the main command. For example, you can configure the context
command, but not the allocate-interface command, which inherits the
settings from the context command.
Defaults
configure
(Optional) Sets the privilege only for the configure form of the command.
The configure form of the command is typically the form that causes a
configuration change, either as the unmodified command (without the show
or clear prefix) or as the no form. If you do not use the clear, show, or
configure keywords, all forms of the command are affected.
level level
Specifies the privilege level; valid values are from 0 to 15. Lower privilege
level numbers are lower privilege levels.
mode enable
(Optional) If a command can be entered in user EXEC/privileged EXEC
mode as well as configuration mode, and the command performs different
actions in each mode, you can set the privilege level for these modes
separately. The mode enable keyword specifies both user EXEC mode and
privileged EXEC mode.
mode configure
(Optional) If a command can be entered in user EXEC/privileged EXEC
mode as well as configuration mode, and the command performs different
actions in each mode, you can set the privilege level for these modes
separately. The mode configure keyword specifies configuration mode,
accessed using the configure terminal command.
show
(Optional) Sets the privilege only for the show form of the command. If you
do not use the clear, show, or configure keywords, all forms of the
command are affected.
By default, the following commands are assigned to privilege level 0. All other commands are at
level 15.
•
show checksum
•
show curpriv
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-117
Chapter 21
packet-tracer through pwd Commands
privilege
•
enable
•
help
•
show history
•
login
•
logout
•
pager
•
show pager
•
clear pager
•
quit
•
show version
If you move any configure mode commands to a lower level than 15, be sure to move the configure
command to that level as well, otherwise, the user will not be able to enter configuration mode.
To view all privilege levels, see the show running-config all privilege all command.
Command Modes
The following table shows the modes in which you can enter the command:
Firewall Mode
Security Context
Multiple
Command Mode
Routed
Global configuration
Command History
•
Transparent Single
•
•
Context
•
System
—
Release
Modification
8.0(2)
Support for RADIUS users with Cisco VSA CVPN3000-Privilege-Level was added.
LDAP users are supported if you map the LDAP attribute to the
CVPN3000-Privilege-Level using the ldap map-attributes command.
Usage Guidelines
The privilege command lets you set privilege levels for adaptive security appliance commands when you
configure the aaa authorization command LOCAL command. Even though the command uses the
LOCAL keyword, this keyword enables local, RADIUS, and LDAP (mapped) authorization.
Examples
For example, the filter command has the following forms:
•
filter (represented by the configure option)
•
show running-config filter
•
clear configure filter
You can set the privilege level separately for each form, or set the same privilege level for all forms by
omitting this option. For example, set each form separately as follows.
hostname(config)# privilege show level 5 command filter
hostname(config)# privilege clear level 10 command filter
hostname(config)# privilege cmd level 10 command filter
Cisco ASA 5500 Series Command Reference
21-118
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
privilege
Alternatively, you can set all filter commands to the same level:
hostname(config)# privilege level 5 command filter
The show privilege command separates the forms in the display.
The following example shows the use of the mode keyword. The enable command must be entered from
user EXEC mode, while the enable password command, which is accessible in configuration mode,
requires the highest privilege level.
hostname(config)# privilege cmd level 0 mode enable command enable
hostname(config)# privilege cmd level 15 mode cmd command enable
hostname(config)# privilege show level 15 mode cmd command enable
This example shows an additional command, the configure command, that uses the mode keyword:
hostname(config)#
hostname(config)#
hostname(config)#
hostname(config)#
Note
Related Commands
privilege
privilege
privilege
privilege
show level 5 mode cmd command configure
clear level 15 mode cmd command configure
cmd level 15 mode cmd command configure
cmd level 15 mode enable command configure
This last line is for the configure terminal command.
Command
Description
clear configure privilege
Remove privilege command statements from the configuration.
show curpriv
Display current privilege level.
show running-config
privilege
Display privilege levels for commands.
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-119
Chapter 21
packet-tracer through pwd Commands
profile
profile
To enter profile call-home configuration submode, use the profile command in call-home configuration
mode.
profile profile_name
Syntax Description
profile_name
Command Default
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Specifies the profile name.
Firewall Mode
Security Context
Multiple
Command Mode
Routed
Call-home configuration
Command History
Usage Guidelines
•
Transparent Single
•
Release
Modification
8.2(2)
We introduced this command.
•
Context
—
System
•
When you enter the profile profile_name command in call-home mode, the prompt changes to
hostname(cfg-call-home-profile)#, and you have access to the following profile configuration
commands:
•
active
•
destination address
•
destination message-size-limit bytes
•
destination preferred-msg-format
•
destination transport-method
•
end
•
exit
•
email-subject
•
subscribe-to-alert-group configuration
•
subscribe-to-alert-group diagnostic
•
subscribe-to-alert-group environment
•
subscribe-to-alert-group inventory
•
subscribe-to-alert-group snapshot
Cisco ASA 5500 Series Command Reference
21-120
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
profile
Examples
•
subscribe-to-alert-group syslog
•
subscribe-to-alert-group telemetry
•
subscribe-to-alert-group threat
The following example shows how to create and configure a user-defined call-home profile:
hostname(config)# call-home
hostname(cfg-call-home)# profile cisco
hostname(cfg-call-home-profile)# destination transport-method http
hostname(cfg-call-home-profile)# destination address http
https://172.17.46.17/its/service/oddce/services/DDCEService
hostname(cfg-call-home-profile)# subscribe-to-alert-group configuration
hostname(cfg-call-home-profile)# subscribe-to-alert-group diagnostic severity normal
hostname(cfg-call-home-profile)# subscribe-to-alert-group environment severity
notification
hostname(cfg-call-home-profile)# subscribe-to-alert-group syslog severity notification
pattern "UPDOWN"
hostname(cfg-call-home-profile)# subscribe-to-alert-group inventory periodic daily 21:12
Related Commands
Command
Description
profile
Enters profile call-home configuration submode
destination address
Configures the destination e-mail address or URL to which Call Home
messages will be sent.
destination
message-size-limit bytes
Configures a maximum destination message size for the destination
profile.
destination
preferred-msg-format
Configures a preferred message format.
destination
transport-method
Enables the message transport method.
subscribe-to-alert-group
configuration
Subscribes this destination profile to the Configuration alert group.
subscribe-to-alert-group
diagnostic
Subscribes this destination profile to the Diagnostic alert group.
subscribe-to-alert-group
environment
Subscribes this destination profile to the Environment alert group.
subscribe-to-alert-group
inventory
Subscribes this destination profile to the Inventory alert group.
subscribe-to-alert-group
syslog
Subscribes this destination profile to the Syslog alert group.
subscribe-to-alert-group
threat
Subscribes this destination profile to the Threat alert group.
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-121
Chapter 21
packet-tracer through pwd Commands
prompt
prompt
To customize the CLI prompt, use the prompt command in global configuration mode. To revert to the
default prompt, use the no form of this command.
prompt {[hostname] [context] [domain] [slot] [state] [priority]}
no prompt [hostname] [context] [domain] [slot] [state] [priority]
Syntax Description
context
(Multiple mode only) Displays the current context.
domain
Displays the domain name.
hostname
Displays the hostname.
priority
Displays the failover priority as pri (primary) or sec (secondary). Set the
priority using the failover lan unit command.
state
Displays the traffic-passing state of the unit. The following values are
displayed for the state keyword:
•
act—Failover is enabled, and the unit is actively passing traffic.
•
stby— Failover is enabled, and the unit is not passing traffic and is in a
standby, failed, or other non-active state.
•
actNoFailover—Failover is not enabled, and the unit is actively passing
traffic.
•
stbyNoFailover—Failover is not enabled, and the unit is not passing
traffic. This might happen when there is an interface failure above the
threshold on the standby unit.
Defaults
The default prompt is the hostname. In multiple context mode, the hostname is followed by the current
context name (hostname/context).
Command Modes
The following table shows the modes in which you can enter the command:
Firewall Mode
Security Context
Multiple
Command Mode
Global configuration
Command History
Usage Guidelines
Routed
•
Transparent Single
•
Release
Modification
7.2(1)
This command was introduced.
•
Context
—
System
•
The order in which you enter the keywords determines the order of the elements in the prompt, which
are separated by a slash (/).
Cisco ASA 5500 Series Command Reference
21-122
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
prompt
In multiple context mode, you can view the extended prompt when you log in to the system execution
space or the admin context. Within a non-admin context, you only see the default prompt, which is the
hostname and the context name.
The ability to add information to a prompt allows you to see at-a-glance which adaptive security
appliance you are logged into when you have multiple modules. During a failover, this feature is useful
when both adaptive security appliances have the same hostname.
Examples
The following example shows all available elements in the prompt:
hostname(config)# prompt hostname context priority state
The prompt changes to the following string:
hostname/admin/pri/act(config)#
Related Commands
Command
Description
clear configure prompt
Clears the configured prompt.
show running-config prompt Displays the configured prompt.
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-123
Chapter 21
packet-tracer through pwd Commands
protocol-enforcement
protocol-enforcement
To enable the domain name, label length, and format check, including compression and looped pointer
check, use the protocol-enforcement command in parameters configuration mode. To disable protocol
enforcement, use the no form of this command.
protocol-enforcement
no protocol-enforcement
Syntax Description
This command has no arguments or keywords.
Defaults
Protocol enforcement is enabled by default. This feature can be enabled when inspect dns is configured
even if a policy-map type inspect dns is not defined. To disable, no protocol-enforcement must
explicitly be stated in the policy map configuration. If inspect dns is not configured, NAT rewrite is not
performed.
Command Modes
The following table shows the modes in which you can enter the command:
Firewall Mode
Security Context
Multiple
Command Mode
Routed
Parameters configuration
Command History
Usage Guidelines
•
Transparent Single
•
Release
Modification
7.2(1)
This command was introduced.
•
Context
•
System
—
Under certain conditions, protocol enforcement is performed even if the command is disabled. This
occurs when parsing a DNS resource record is required for other purposes, such as DNS resource record
classification, NAT or TSIG check.
Cisco ASA 5500 Series Command Reference
21-124
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
protocol-enforcement
Examples
The following example shows how to enable protocol enforcement in a DNS inspection policy map:
hostname(config)# policy-map type inspect dns preset_dns_map
hostname(config-pmap)# parameters
hostname(config-pmap-p)# protocol-enforcement
Related Commands
Command
Description
class
Identifies a class map name in the policy map.
class-map type
inspect
Creates an inspection class map to match traffic specific to an application.
policy-map
Creates a Layer 3/4 policy map.
show running-config Display all current policy map configurations.
policy-map
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-125
Chapter 21
packet-tracer through pwd Commands
protocol http
protocol http
To specify HTTP as a permitted distribution point protocol for retrieving a CRL, use the protocol http
command in ca-crl configuration mode. Subject to permission, the content of the CRL distribution point
determines the retrieval method (HTTP, LDAP, and/or SCEP). To remove HTTP as the permitted method
of CRL retrieval, use the no form of this command.
protocol http
no protocol http
Syntax Description
This command has no arguments or keywords.
Defaults
The default setting is to permit HTTP.
Command Modes
The following table shows the modes in which you can enter the command:
Firewall Mode
Security Context
Multiple
Command Mode
Ca-CRL configuration
Command History
Routed
•
Transparent Single
•
Release
Modification
7.0
This command was introduced.
•
Context
•
System
•
Usage Guidelines
If you use this command, be sure to assign HTTP rules to the public interface filter.
Examples
The following example enters ca-crl configuration mode, and permits HTTP as a distribution point
protocol for retrieving a CRL for trustpoint central:
hostname(configure)# crypto ca trustpoint central
hostname(ca-trustpoint)# crl configure
hostname(ca-crl)# protocol http
Related Commands
Command
Description
crl configure
Enters ca-crl configuration mode.
crypto ca trustpoint
Enters trustpoint configuration mode.
protocol ldap
Specifies LDAP as a retrieval method for CRLs.
protocol scep
Specifies SCEP as a retrieval method for CRLs.
Cisco ASA 5500 Series Command Reference
21-126
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
protocol ldap
protocol ldap
To specify LDAP as a distribution point protocol for retrieving a CRL, use the protocol ldap command
in ca-crl configuration mode. Subject to permission, the content of the CRL distribution point determines
the retrieval method (HTTP, LDAP, and/or SCEP).
To remove the LDAP protocol as the permitted method of CRL retrieval, use the no form of this
command.
protocol ldap
no protocol ldap
Syntax Description
This command has no arguments or keywords.
Defaults
The default setting is to permit LDAP.
Command Modes
The following table shows the modes in which you can enter thecommand:
Firewall Mode
Security Context
Multiple
Command Mode
CRL configuration
Command History
Examples
Routed
•
Transparent Single
•
•
Release
Modification
7.0
This command was introduced.
Context
•
System
•
The following example enters ca-crl configuration mode, and permits LDAP as a distribution point
protocol for retrieving a CRL for trustpoint central:
hostname(configure)# crypto ca trustpoint central
hostname(ca-trustpoint)# crl configure
hostname(ca-crl)# protocol ldap
Related Commands
Command
Description
crl configure
Enters ca-crl configuration mode.
crypto ca trustpoint
Enters trustpoint configuration mode.
protocol http
Specifies HTTP as a retrieval method for CRLs
protocol scep
Specifies SCEP as a retrieval method for CRLs
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-127
Chapter 21
packet-tracer through pwd Commands
protocol scep
protocol scep
To specify SCEP as a distribution point protocol for retrieving a CRL, use the protocol scep command
in crl configure mode. Subject to permission, the content of the CRL distribution point determines the
retrieval method (HTTP, LDAP, and/or SCEP).
To remove the SCEP protocol as the permitted method of CRL retrieval, use the no form of this
command.
protocol scep
no protocol scep
Syntax Description
This command has no arguments or keywords.
Defaults
The default setting is to permit SCEP.
Command Modes
The following table shows the modes in which you can enter the command:
Firewall Mode
Security Context
Multiple
Command Mode
CRL configuration
Command History
Examples
Routed
•
Transparent Single
•
Release
Modification
7.0
This command was introduced.
•
Context
•
System
•
The following example enters ca-crl configuration mode, and permits SCEP as a distribution point
protocol for retrieving a CRL for trustpoint central:
hostname(configure)# crypto ca trustpoint central
hostname(ca-trustpoint)# crl configure
hostname(ca-crl)# protocol scep
hostname(ca-crl)#
Related Commands
Command
Description
crl configure
Enters ca-crl configuration mode.
crypto ca trustpoint
Enters trustpoint configuration mode.
protocol http
Specifies HTTP as a retrieval method for CRLs
protocol ldap
Specifies LDAP as a retrieval method for CRLs
Cisco ASA 5500 Series Command Reference
21-128
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
protocol-object
protocol-object
To add a protocol object to a protocol object group, use the protocol-object command in protocol
configuration mode. To remove port objects, use the no form of this command.
protocol-object protocol
no protocol-object protocol
Syntax Description
protocol
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Protocol name or number.
Firewall Mode
Security Context
Multiple
Command Mode
Protocol configuration
Command History
Usage Guidelines
Routed
•
Transparent Single
•
•
Release
Modification
Preexisting
This command was preexisting.
Context
•
System
—
The protocol-object command is used with the object-group command to define a protocol object in
protocol configuration mode.
You can specify an IP protocol name or number using the protocol argument. The udp protocol number
is 17, the tcp protocol number is 6, and the egp protocol number is 47.
Examples
The following example shows how to define protocol objects:
hostname(config)# object-group protocol proto_grp_1
hostname(config-protocol)# protocol-object udp
hostname(config-protocol)# protocol-object tcp
hostname(config-protocol)# exit
hostname(config)# object-group protocol proto_grp
hostname(config-protocol)# protocol-object tcp
hostname(config-protocol)# group-object proto_grp_1
hostname(config-protocol)# exit
hostname(config)#
Related Commands
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-129
Chapter 21
packet-tracer through pwd Commands
protocol-object
Command
Description
clear configure
object-group
Removes all the object group commands from the configuration.
group-object
Adds network object groups.
network-object
Adds a network object to a network object group.
object-group
Defines object groups to optimize your configuration.
show running-config
object-group
Displays the current object groups.
Cisco ASA 5500 Series Command Reference
21-130
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
protocol-violation
protocol-violation
To define actions when a protocol violation occurs with HTTP and NetBIOS inspection, use the
protocol-violation command in parameters configuration mode. To disable this feature, use the no form
of this command.
protocol-violation action [drop [log] | log]
no protocol-violation action [drop [log] | log]
Syntax Description
drop
Specifies to drop packets that do not conform to the protocol.
log
Specifies to log the protocol violations.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Firewall Mode
Security Context
Multiple
Command Mode
Routed
Parameters configuration
Command History
•
Transparent Single
•
Release
Modification
7.2(1)
This command was introduced.
•
Context
•
System
—
Usage Guidelines
This command can be configured in an HTTP or NetBIOS policy map. A syslog is issued when the HTTP
or NetBIOS parser cannot detect a valid HTTP or NetBIOS message in the first few bytes of the message.
This occurs, for instance, when a chunked encoding is malformed and the message cannot be parsed.
Examples
The following example shows how to set up an action for protocol violation in a policy map:
hostname(config)# policy-map type inspect http http_map
hostname(config-pmap)# parameters
hostname(config-pmap-p)# protocol-violation action drop
Related Commands
Command
Description
class
Identifies a class map name in the policy map.
class-map type
inspect
Creates an inspection class map to match traffic specific to an application.
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-131
Chapter 21
packet-tracer through pwd Commands
protocol-violation
Command
Description
policy-map
Creates a Layer 3/4 policy map.
show running-config Display all current policy map configurations.
policy-map
Cisco ASA 5500 Series Command Reference
21-132
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
proxy-auth
proxy-auth
To flag the tunnel-group as a specific proxy authentication tunnel group, use the proxy-auth command
in webvpn configuration mode.
proxy-auth [sdi]
Syntax Descriptionl
sdi
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Parses RADIUS/TACACS SDI proxy messages into native SDI directives.
Firewall Mode
Security Context
Multiple
Command Mode
WebVPN configuration
Command History
Usage Guidelines
Routed
•
Transparent Single
Context
System
—
—
—
•
Release
Modification
7.1(1)
This command was introduced.
Use the proxy-auth command for enabling the parsing of aaa-server proxy authentication text messages
into native protocol directives.
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-133
Chapter 21
packet-tracer through pwd Commands
proxy-bypass
proxy-bypass
To configure the adaptive security appliance to perform minimal content rewriting, and to specify the
types of content to rewrite—external links and/or XML—use the proxy-bypass command in webvpn
configuration mode. To disable proxy bypass, use the no form of the command.
proxy-bypass interface interface name {port port number| path-mask path mask} target url
[rewrite {link | xml | none}]
no proxy-bypass interface interface name {port port number| path-mask path mask} target url
[rewrite {link | xml | none}]
Syntax Descriptionl
host
Identifies the host to forward traffic to. Use either the host IP address or a
hostname.
interface
Identifies the ASA interface for proxy bypass.
interface name
Specifies an ASA interface by name.
link
Specifies rewriting of absolute external links.
none
Specifies no rewriting.
path-mask
Specifies the pattern to match.
path-mask
Specifies a pattern to match that can contain a regular expression. You can
use the following wildcards:
* — Matches everything. You cannot use this wildcard by itself. It must
accompany an alphanumeric string.
? —Matches any single character.
[!seq] — Matches any character not in sequence.
[seq] — Matches any character in sequence.
Maximum 128 bytes.
Defaults
port
Identifies the port reserved for proxy bypass.
port number
Specifies a high numbered port reserved for proxy bypass. The port range is
20000-21000. You can use a port for one proxy bypass rule only.
rewrite
(Optional) Specifies the additional rules for rewriting: none or a combination
of XML and links.
target
Identifies the remote server to forward the traffic to.
url
Enter the URL in the format http(s)://fully_qualified_domain_name[:port].
Maximum 128 bytes. The port for HTTP is 80 and for HTTPS it is 443,
unless you specify another port.
xml
Specifies rewriting XML content.
No default behavior or values.
Cisco ASA 5500 Series Command Reference
21-134
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
proxy-bypass
Command Modes
The following table shows the modes in which you can enter the command:
Firewall Mode
Security Context
Multiple
Command Mode
WebVPN configuration
Command History
Usage Guidelines
Routed
•
Transparent Single
Context
System
—
—
—
•
Release
Modification
7.1(1)
This command was introduced.
Use proxy bypass for applications and web resources that work better with minimum content rewriting.
The proxy-bypass command determines how to treat specific web applications that travel through the
adaptive security appliance.
You can use this command multiple times. The order in which you configure entries is unimportant. The
interface and path mask or interface and port uniquely identify a proxy bypass rule.
If you configure proxy bypass using ports rather than path masks, depending on your network
configuration, you might need to change your firewall configuration to allow these ports access to the
adaptive security appliance. Use path masks to avoid this restriction. Be aware, however, that path masks
can change, so you might need to use multiple pathmask statements to exhaust the possibilities.
A path is everything in a URL after the .com or .org or other types of domain name. For example, in the
URL www.mycompany.com/hrbenefits, hrbenefits is the path. Similarly, for the URL
www.mycompany.com/hrinsurance, hrinsurance is the path. If you want to use proxy bypass for all hr
sites, you can avoid using the command multiple times by using the * wildcard as follows: /hr*.
Examples
The following example shows how to configure the adaptive security appliance to use port 20001 for
proxy bypass over the webvpn interface, using HTTP and its default port 80, to forward traffic to
mycompany.site.com and to rewrite XML content.
hostname(config)# webvpn
hostname(config-webvpn)# proxy-bypass interface webvpn port 20001 target
http://mycompany.site.com rewrite xml
The next example shows how to configure the adaptive security appliance to use the path mask mypath/*
for proxy bypass on the outside interface, using HTTP and its default port 443 to forward traffic to
mycompany.site.com, and to rewrite XML and link content.
hostname(config)# webvpn
hostname(config-webvpn)# proxy-bypass interface outside path-mask /mypath/* target
https://mycompany.site.com rewrite xml,link
Related Commands-
Command
Description
apcf
Specifies nonstandard rules to use for a particular application
rewrite
Determines whether traffic travels through the adaptive security appliance.
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-135
Chapter 21
packet-tracer through pwd Commands
proxy-ldc-issuer
proxy-ldc-issuer
To issue TLS proxy local dynamic certificates, use the proxy-ldc-issuer command in crypto ca
trustpoint configuration mode. To remove the configuration, use the no form of this command.
proxy-ldc-issuer
no proxy-ldc-issuer
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Firewall Mode
Security Context
Multiple
Command Mode
Crypto ca trustpoint
configuration
Command History
Usage Guidelines
Routed
•
Transparent Single
•
Release
Modification
8.0(2)
This command was introduced.
•
Context
•
System
—
Use the proxy-ldc-issuer command to issue TLS proxy local dynamic certificates. The proxy-ldc-issuer
command grants a crypto trustpoint the role as local CA to issue the LDC and can be accessed from
crypto ca trustpoint configuration mode.
The proxy-ldc-issuer command defines the local CA role for the trustpoint to issue dynamic certificates
for TLS proxy. This command can only be configured under a trustpoint with “enrollment self.”
Examples
The following example shows how to create an internal local CA to sign the LDC for phones. This local
CA is created as a regular self-signed trustpoint with proxy-ldc-issuer enabled.
hostname(config)# crypto ca trustpoint ldc_server
hostname(config-ca-trustpoint)# enrollment self
hostname(config-ca-trustpoint)# proxy-ldc-issuer
hostname(config-ca-trustpoint)# fqdn my _ldc_ca.example.com
hostname(config-ca-trustpoint)# subject-name cn=FW_LDC_SIGNER_172_23_45_200
hostname(config-ca-trustpoint)# keypair ldc_signer_key
hostname(config)# crypto ca enroll ldc_server
Cisco ASA 5500 Series Command Reference
21-136
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
proxy-ldc-issuer
Related Commands
Commands
Description
ctl-provider
Defines a CTL provider instance and enters provider configuration mode.
server trust-point
Specifies the proxy trustpoint certificate to be presented during the TLS
handshake.
show tls-proxy
Shows the TLS proxies.
tls-proxy
Defines a TLS proxy instance and sets the maximum sessions.
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-137
Chapter 21
packet-tracer through pwd Commands
proxy-server
proxy-server
To configure an HTTP proxy for the Phone Proxy feature that is written into the IP phone's configuration
file under the <proxyServerURL> tag, use the proxy-server command in phone-proxy configuration
mode. To remove the HTTP proxy configuration from the Phone Proxy, use the no form of this
command.
proxy-server address ip_address [listen_port] interface ifc
no proxy-server address ip_address [listen_port] interface ifc
Syntax Description
interface ifc
Specifies the interface on which the HTTP proxy resides on the adaptive
security appliance.
ip_address
Specifies the IP address of the HTTP proxy.
listen_port
Specifies the listening port of the HTTP proxy. If not specified, the default will
be 8080.
Defaults
If the listen port is not specified, the port is configured to be 8080 by default.
Command Modes
The following table shows the modes in which you can enter the command:
Firewall Mode
Security Context
Multiple
Command Mode
Routed
Phone-proxy configuration
Command History
Usage Guidelines
•
Transparent Single
Context
System
—
—
—
Release
Modification
8.0(4)
The command was introduced.
•
Setting the proxy server configuration option for the Phone Proxy allows for an HTTP proxy on the DMZ
or external network in which all the IP phone URLs are directed to the proxy server for services on the
phones. This setting accommodates nonsecure HTTP traffic, which is not allowed back into the
corporate network.
The ip_address you enter should be the global IP address based on where the IP phone and HTTP proxy
server is located.
If the proxy server is located in a DMZ and the IP phones are located outside the network, the adaptive
security appliance does a lookup to see if there is a NAT rule and uses the global IP address to write into
the configuration file.
You can enter a hostname in the ip_address argument when that hostname can be resolved to an IP
address by the adaptive security appliance (for example, DNS lookup is configured) because the adaptive
security appliance will resolve the hostname to an IP address.
Cisco ASA 5500 Series Command Reference
21-138
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
proxy-server
By default, the Phone URL Parameters configured under the Enterprise Parameters use an FQDN in the
URLs. The parameters might need to be changed to use an IP address if the DNS lookup for the HTTP
proxy does not resolve the FQDNs.
To make sure the proxy server URL was written correctly to the IP phones configuration files, check the
URL on an IP phone under Settings > Device Configuration > HTTP configuration >Proxy Server URL.
The Phone Proxy does not inspect this HTTP traffic to the proxy server.
If the adaptive security appliance is in the path of the IP phone and the HTTP proxy server, use existing
debugging techniques (such as syslogs and captures) to troubleshoot the proxy server.
You can configure only one proxy server while the Phone Proxy is in use; however, if the IP phones have
already downloaded their configuration files after you have configured the proxy server, you must restart
the IP phones so that they get the configuration file with the proxy server’s address in the file.
Examples
The following example shows the use of the proxy-server command to configure the HTTP proxy server
for the Phone Proxy:
hostname(config-phone-proxy)# proxy-server 192.168.1.2 interface inside
Related Commands
Command
Description
phone-proxy
Configures the Phone Proxy instance.
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-139
Chapter 21
packet-tracer through pwd Commands
publish-crl
publish-crl
To allow other adaptive security appliances to validate the revocation status of certificates issued by the
Local CA, use the publish-crl command in config-ca-server configuration mode to allow downloading
of the CRL directly from and interface on the adaptive security appliance. To make the CRL unavailable
for downloading, use the no form of this command.
[ no ] publish-crl interface interface [ port portnumber ]
Syntax Description
interface interface
Specifies the nameif used for the interface, such as gigabitethernet0/1. See
the interface command for details.
port portnumber
Optional. Specifies the port on which the interface device expects to
download the CRL. Port numbers can be in the range 1-65535.
Defaults
The default publish-crl status is no publish. TCP port 80 is the default for HTTP.
Command Modes
The following table shows the modes in which you can enter the command:
Firewall Mode
Security Context
Multiple
Command Mode
config-ca-server
Command History
Usage Guidelines
Routed
•
Transparent Single
Context
System
—
—
—
Release
Modification
8.0(2)
This command was introduced.
•
The CRL is inaccessible by default. You must enable access to the CRL file on the interface and port
required.
TCP port 80 is the HTTP default port number. If you configure a non-default port (other than port 80),
be sure the cdp-url configuration includes the new port number so other devices know to access this
specific port.
The CRL Distribution Point (CDP) is the location of the CRL on the Local CA adaptive security
appliance. The URL you configure with the cdp-url command is embedded into any issued certificates.
If you do not configure a specific location for the CDP, the default CDP url is:
http://hostname.domain/+CSCOCA+/asa_ca.crl.
An HTTP redirect and a CRL download request are handled by the same HTTP listener, if Clientless SSL
VPN is enabled on the same interface. The listener checks for the incoming URL and if it matches the
one configured with the cdp-url command, the CRL file downloads. If the URL does not match the
cdp-url, the connection is redirected to HTTPS (if 'http redirect' is enabled).
Cisco ASA 5500 Series Command Reference
21-140
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
publish-crl
Examples
This publish-crl command example, entered in config-ca-server mode, enables port 70 of the outside
interface for CRL download:
This publish-crl command example, entered in config-ca-server mode, enables port 70 for the outside
for CRL download:
hostname(config)# crypto ca server
hostname (config-ca-server)#publish-crl outside 70
hostname(config-ca-server)#
Related Commands
Command
Description
cdp-url
Specifies a particular location for the automatically generated CRL.
show interface
Displays the runtime status and statistics of interfaces.
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-141
Chapter 21
packet-tracer through pwd Commands
pwd
pwd
To display the current working directory, use the pwd command in privileged EXEC mode.
pwd
Syntax Description
This command has no arguments or keywords.
Defaults
The root directory (/) is the default.
Command Modes
The following table shows the modes in which you can enter the command:
Firewall Mode
Security Context
Multiple
Command Mode
Privileged EXEC
Command History
Routed
•
Transparent Single
•
Release
Modification
7.0
This command was introduced.
•
Context
—
Usage Guidelines
This command is similar in functionality to the dir command.
Examples
The following example shows how to display the current working directory:
System
•
hostname# pwd
disk0:/
hostname# pwd
flash:
Cisco ASA 5500 Series Command Reference
21-142
OL-18972-02
Chapter 21
packet-tracer through pwd Commands
pwd
Related Commands
Command
Description
cd
Changes the current working directory to the one specified.
dir
Displays the directory contents.
more
Displays the contents of a file.
Cisco ASA 5500 Series Command Reference
OL-18972-02
21-143
Chapter 21
packet-tracer through pwd Commands
Cisco ASA 5500 Series Command Reference
21-144
OL-18972-02
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF

advertisement