Corporate Headquarters Cisco Systems, Inc.
170 West Tasman Drive San Jose, CA 95134-1706 USA
http://www.cisco.com Tel: 408 526-4000
800 553-NETS (6387) Fax: 408 526-4100
Cisco Security Appliance Command Reference
For the Cisco ASA 5500 Series and Cisco PIX 500 Series
Software Version 7.1(1)
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Printed in the USA on recycled paper containing 10% postconsumer waste.
CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Le and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Cert Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShar SlideCast, SMARTnet, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United S and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationsh between Cisco and any other company. (0601R)
Cisco Security Appliance Command Reference Version 7.1(1) Copyright © 2006 Cisco Systems, Inc. All rights reserved.
C O N T E N T S
About This Guide xliii
Document Objectives
xliiiAudience
xlivDocument Organization
xlivDocument Conventions
xlviRelated Documentation
xlviObtaining Documentation
xlviiDocumentation Feedback
xlviiCisco Product Security Overview
xlviiiObtaining Technical Assistance
xlixObtaining Additional Publications and Information
lUsing the Command-Line Interface 1 - 1
Firewall Mode and Security Context Mode
1 - 1Command Modes and Prompts
1 - 2Syntax Formatting
1 - 3Abbreviating Commands
1 - 3Command-Line Editing
1 - 3Command Completion
1 - 3Command Help
1 - 4Filtering show Command Output
1 - 4Command Output Paging
1 - 5Adding Comments
1 - 5Text Configuration Files
1 - 6aaa accounting through accounting-server-group Commands 2 - 1
aaa accounting
2 - 2aaa accounting command 2 - 5
aaa accounting console 2 - 7
aaa accounting match
2 - 9aaa authentication
2 - 11aaa authentication console
2 - 17aaa authentication match
2 - 22Contents
aaa authentication secure-http-client
2 - 24aaa authorization
2 - 26aaa authorization command
2 - 30aaa authorization match
2 - 32aaa local authentication attempts max-fail
2 - 34aaa mac-exempt
2 - 36aaa proxy-limit
2 - 37aaa-server host
2 - 39aaa-server protocol
2 - 43absolute
2 - 45accept-subordinates
2 - 47access-group
2 - 48access-list alert-interval
2 - 50access-list deny-flow-max
2 - 52access-list ethertype
2 - 54access-list extended
2 - 56access-list remark
2 - 61access-list standard
2 - 63access-list webtype
2 - 65accounting-mode
2 - 67accounting-port
2 - 69accounting-server-group 2 - 71
accounting-server-group (webvpn)
2 - 73 2 - 75acl-netmask-convert through auto-update timeout Commands 3 - 1
acl-netmask-convert
3 - 2action-uri
3 - 4activation-key
3 - 6address-pool 3 - 7
admin-context
3 - 9alias
3 - 11allocate-interface
3 - 14apcf
3 - 17application-access
3 - 19application-access hide-details
Contents
area
3 - 22area authentication
3 - 24area default-cost
3 - 26area filter-list prefix
3 - 28area nssa
3 - 30area range
3 - 32area stub
3 - 34area virtual-link
3 - 36arp
3 - 39arp timeout
3 - 41arp-inspection
3 - 42asdm disconnect
3 - 44asdm disconnect log_session
3 - 46asdm group
3 - 48 3 - 49asdm history enable
3 - 50asdm image
3 - 51asdm location
3 - 53 3 - 54asr-group
3 - 55auth-cookie-name
3 - 57authentication
3 - 59authentication (tunnel-group webvpn configuration mode)
3 - 61authentication-port
3 - 63authentication-server-group (webvpn)
3 - 65authorization-dn-attributes 3 - 67
authorization-dn-attributes (tunnel-group general-attributes mode) 3 - 69
authorization-dn-attributes (webvpn)
3 - 71authorization-required 3 - 73
authorization-required (tunnel-group general-attributes mode) 3 - 75
authorization-required (webvpn)
3 - 77authorization-server-group 3 - 79
authorization-server-group (tunnel-group general-attributes mode) 3 - 81
authorization-server-group (webvpn)
3 - 83auth-prompt
3 - 85Contents
auto-signon
3 - 87auto-update device-id
3 - 89auto-update poll-period
3 - 91auto-update server
3 - 93auto-update timeout
3 - 95 3 - 97backup-servers through browse-networks Commands 4 - 1
backup-servers
4 - 2banner
4 - 4banner (group-policy)
4 - 6blocks
4 - 7boot
4 - 9border style
4 - 11browse-networks
4 - 13 4 - 15cache through clear compression Commands 5 - 1
cache
5 - 2cache-compressed
5 - 3cache-time
5 - 5call-agent
5 - 6capture
5 - 8cd
5 - 16certificate
5 - 17chain 5 - 19
changeto
5 - 21character-encoding
5 - 23checkheaps
5 - 25check-retransmission
5 - 27checksum-verification
5 - 29class (policy-map)
5 - 31class-map
5 - 33clear aaa local user fail-attempts
5 - 35clear aaa local user lockout
5 - 37clear aaa-server statistics
5 - 39Contents
clear access-list
5 - 42clear arp
5 - 43clear asp drop
5 - 44clear blocks
5 - 46clear-button
5 - 47clear capture
5 - 49clear compression
5 - 50 5 - 51clear configure through clear configure vpn-load-balancing Commands 6 - 1
clear configure
6 - 2clear configure aaa 6 - 4
clear configure aaa-server
6 - 5clear configure access-group
6 - 7clear configure access-list
6 - 8clear configure alias
6 - 10clear configure arp
6 - 11clear configure arp-inspection
6 - 12clear configure asdm
6 - 13clear configure auth-prompt 6 - 15
clear configure banner
6 - 16clear configure ca certificate map
6 - 17clear configure class-map
6 - 18clear configure client-update
6 - 19clear configure clock
6 - 20clear configure command-alias
6 - 21clear configure compression
6 - 22clear configure console
6 - 23clear configure context
6 - 24clear configure crypto
6 - 26clear configure crypto ca trustpoint
6 - 27clear configure crypto dynamic-map
6 - 28clear configure crypto map
6 - 29clear configure dhcpd
6 - 30clear configure dhcprelay
6 - 31clear configure dns
6 - 32Contents
clear configure established
6 - 33clear configure failover
6 - 34clear configure filter
6 - 35clear configure fips
6 - 36clear configure firewall
6 - 37clear configure fixup
6 - 38clear configure fragment
6 - 39clear configure ftp
6 - 41clear configure ftp-map
6 - 42clear configure global
6 - 43clear configure group-delimiter
6 - 44clear configure group-policy 6 - 45
clear configure gtp-map
6 - 46clear configure hostname
6 - 47clear configure http
6 - 48clear configure http-map
6 - 49clear configure icmp
6 - 50clear configure imap4s
6 - 51clear configure interface
6 - 52clear configure ip
6 - 54clear configure ip audit
6 - 55clear configure ip local pool
6 - 56clear configure ip verify reverse-path
6 - 57clear configure ipv6
6 - 58clear configure isakmp
6 - 59clear configure isakmp policy
6 - 60clear configure ldap attribute-map
6 - 61clear configure logging
6 - 62 6 - 64clear configure logging rate-limit
6 - 65clear configure mac-address-table
6 - 66clear configure mac-learn
6 - 67clear configure mac-list
6 - 68clear configure management-access
6 - 69clear configure mgcp-map
6 - 70Contents
clear configure monitor-interface
6 - 71clear configure mroute
6 - 72clear configure mtu
6 - 73clear configure multicast-routing
6 - 74clear configure name
6 - 75clear configure nat
6 - 76clear configure nat-control
6 - 77clear configure ntp
6 - 78clear configure object-group
6 - 79clear configure passwd
6 - 80clear configure pim
6 - 81clear configure policy-map
6 - 82clear configure pop3s
6 - 83clear configure port-forward 6 - 84
clear configure prefix-list
6 - 85clear configure priority-queue
6 - 86clear configure privilege
6 - 87clear configure rip
6 - 88clear configure route
6 - 89clear configure route-map
6 - 90clear configure router
6 - 91clear configure same-security-traffic
6 - 92clear configure service-policy
6 - 93clear configure smtps
6 - 94clear configure smtp-server
6 - 95clear configure snmp-map
6 - 96 6 - 97clear configure snmp-server
6 - 98clear configure ssh
6 - 99clear configure ssl
6 - 100clear configure static
6 - 101clear configure sunrpc-server
6 - 102clear configure sysopt
6 - 103clear configure tcp-map
6 - 104clear configure telnet
6 - 105Contents
clear configure terminal
6 - 106clear configure timeout
6 - 107clear configure time-range
6 - 108clear configure tunnel-group
6 - 109clear configure tunnel-group-map
6 - 110clear configure url-block
6 - 112clear configure url-cache
6 - 113clear configure url-list 6 - 114
clear configure url-server
6 - 115clear configure username
6 - 116clear configure virtual
6 - 117clear configure vpn-load-balancing 6 - 118 6 - 119
clear console-output through clear xlate Commands 7 - 1
clear console-output
7 - 2clear counters
7 - 3clear crashinfo
7 - 4clear crypto accelerator statistics
7 - 5clear crypto ca crls
7 - 6clear [crypto] ipsec sa
7 - 7clear crypto protocol statistics
7 - 9clear dhcpd
7 - 11clear dhcprelay statistics
7 - 12clear dns-hosts cache
7 - 13clear failover statistics
7 - 14clear fragment
7 - 15clear gc
7 - 16clear igmp counters
7 - 17clear igmp group
7 - 18clear igmp traffic
7 - 19clear interface
7 - 20clear ip audit count
7 - 22clear ip verify statistics
7 - 23clear ipsec sa
7 - 24clear ipv6 access-list counters
Contents
clear ipv6 neighbors
7 - 26clear ipv6 traffic
7 - 27clear isakmp sa
7 - 29clear local-host
7 - 30clear logging asdm
7 - 32clear logging buffer
7 - 33clear mac-address-table
7 - 34clear memory profile
7 - 35clear mfib counters
7 - 36clear module recover
7 - 37clear ospf
7 - 38clear pc
7 - 40clear pclu
7 - 41clear pim counters
7 - 42clear pim reset
7 - 43clear pim topology
7 - 44clear priority-queue statistics
7 - 45clear resource usage
7 - 46clear route
7 - 48clear service-policy
7 - 49clear service-policy inspect gtp
7 - 51clear shun
7 - 53clear startup-config errors
7 - 54clear sunrpc-server active
7 - 55clear traffic
7 - 56clear uauth
7 - 57clear url-block block statistics 7 - 59
clear url-cache statistics
7 - 61clear url-server
7 - 63clear xlate
7 - 64 7 - 66client-access-rule through crl configure Commands 8 - 1
client-access-rule
8 - 2client-firewall
8 - 4client-update 8 - 6
Contents
clock set
8 - 10clock summer-time
8 - 12clock timezone
8 - 14cluster encryption
8 - 16cluster ip address
8 - 18cluster key
8 - 20cluster port
8 - 22command-alias
8 - 24command-queue
8 - 26compatible rfc1583
8 - 28compression
8 - 29config-register
8 - 31configure factory-default
8 - 34configure http
8 - 37configure memory
8 - 39configure net
8 - 41configure terminal
8 - 43config-url
8 - 44console timeout
8 - 47content-length
8 - 48content-type-verification
8 - 50context
8 - 52copy
8 - 54copy capture
8 - 57crashinfo console disable
8 - 60crashinfo force
8 - 62crashinfo save disable
8 - 64crashinfo test
8 - 66crl
8 - 67crl configure
8 - 68 8 - 69crypto ca authenticate through customization Commands 9 - 1
crypto ca authenticate
9 - 2crypto ca certificate chain
9 - 4crypto ca certificate map
Contents
crypto ca crl request
9 - 7crypto ca enroll
9 - 8crypto ca export
9 - 10crypto ca import
9 - 12crypto ca trustpoint
9 - 14crypto dynamic-map match address
9 - 17crypto dynamic-map set nat-t-disable
9 - 18crypto dynamic-map set peer
9 - 19crypto dynamic-map set pfs
9 - 20crypto dynamic-map set reverse route
9 - 22crypto dynamic-map set transform-set
9 - 23crypto ipsec df-bit
9 - 25crypto ipsec fragmentation
9 - 27crypto ipsec security-association lifetime
9 - 29crypto ipsec transform-set
9 - 31crypto ipsec transform-set mode transport
9 - 34crypto key generate dsa
9 - 36crypto key generate rsa
9 - 38crypto key zeroize
9 - 40crypto map interface
9 - 41crypto map ipsec-isakmp dynamic
9 - 43crypto map match address
9 - 45crypto map set connection-type
9 - 47crypto map set inheritance
9 - 49crypto map set nat-t-disable
9 - 51crypto map set peer 9 - 52
crypto map set pfs
9 - 54crypto map set phase1 mode
9 - 56crypto map set reverse-route
9 - 58crypto map set security-association lifetime
9 - 59crypto map set transform-set
9 - 61crypto map set trustpoint
9 - 63csc
9 - 65csd enable
9 - 69csd image
9 - 71Contents
customization (tunnel-group webvpn configuration mode)
9 - 73 9 - 75debug aaa through debug xdmcp Commands 10 - 1
debug aaa
10 - 2debug appfw
10 - 4debug arp
10 - 5debug arp-inspection
10 - 6debug asdm history
10 - 7debug cmgr
10 - 8debug context
10 - 10debug cplane
10 - 11debug crypto ca
10 - 13debug crypto engine
10 - 14debug crypto ipsec
10 - 15debug crypto isakmp
10 - 16debug ctiqbe
10 - 17debug dhcpc
10 - 19debug dhcpd
10 - 21debug dhcprelay
10 - 23debug disk
10 - 25debug dns
10 - 27debug entity
10 - 28debug fixup
10 - 30debug fover
10 - 31debug fsm
10 - 33debug ftp client
10 - 35debug generic
10 - 37debug gtp
10 - 39debug h323
10 - 41debug http
10 - 43debug http-map
10 - 44debug icmp
10 - 45debug igmp
10 - 47debug ils
10 - 49debug imagemgr
Contents
debug ipsec-over-tcp
10 - 53debug ipv6
10 - 55debug iua-proxy
10 - 57debug kerberos
10 - 59debug ldap
10 - 61debug mac-address-table
10 - 63debug menu
10 - 65debug mfib
10 - 66debug mgcp
10 - 68debug module-boot
10 - 69debug mrib
10 - 71debug ntdomain
10 - 73debug ntp
10 - 75debug ospf
10 - 77debug parser cache
10 - 79debug pim
10 - 81debug pix pkt2pc
10 - 83debug pix process
10 - 84debug pptp
10 - 85debug radius
10 - 87debug rip
10 - 90debug rtsp
10 - 92debug sdi
10 - 94debug sequence
10 - 96debug session-command
10 - 98debug sip
10 - 99debug skinny
10 - 101debug smtp
10 - 103debug sqlnet
10 - 105debug ssh
10 - 107debug ssl
10 - 109debug sunrpc
10 - 111debug tacacs
10 - 113debug tcp-map
10 - 115debug timestamps
10 - 117Contents
debug vpn-sessiondb
10 - 119debug webvpn
10 - 121debug xdmcp
10 - 123 10 - 125default through duplex Commands 11 - 1
default
11 - 2default (crl configure)
11 - 4default (time-range)
11 - 5default enrollment
11 - 7default-domain
11 - 8default-group-policy 11 - 10
default-group-policy (webvpn)
11 - 12default-idle-timeout
11 - 15default-information originate
11 - 17delete
11 - 19deny-message (group-policy webvpn configuration mode)
11 - 20deny version
11 - 22description
11 - 24dhcp-network-scope
11 - 26dhcp-server 11 - 27
dhcpd address
11 - 29dhcpd auto_config
11 - 31dhcpd dns
11 - 33dhcpd domain
11 - 35dhcpd enable
11 - 37dhcpd lease
11 - 39dhcpd option
11 - 41dhcpd ping_timeout
11 - 44dhcpd wins
11 - 46dhcprelay enable
11 - 48dhcprelay server
11 - 50dhcprelay setroute
11 - 52dhcprelay timeout
11 - 54dialog
11 - 56dir
Contents
disable
11 - 60disable (cache)
11 - 61distance ospf
11 - 63dns domain-lookup
11 - 65dns-group (tunnel-group webvpn configuration mode)
11 - 67dns name-server
11 - 69dns retries
11 - 71dns-server
11 - 73dns server-group
11 - 74dns timeout
11 - 76domain-name
11 - 77downgrade
11 - 79drop
11 - 83duplex
11 - 85 11 - 87email through functions Commands 12 - 1
enable
12 - 3enable (webvpn)
12 - 5enable password
12 - 6enforcenextupdate
12 - 8enrollment retry count
12 - 9enrollment retry period
12 - 11enrollment terminal
12 - 12enrollment url
12 - 13erase
12 - 14established
12 - 16exceed-mss
12 - 19exit
12 - 21 12 - 23expiry-time
12 - 24failover
12 - 26failover active
12 - 28failover group
12 - 29failover interface ip
12 - 31Contents
failover interface-policy
12 - 33failover key
12 - 35failover lan enable
12 - 37failover lan interface
12 - 39failover lan unit
12 - 41failover link
12 - 43failover mac address
12 - 46failover polltime
12 - 48failover reload-standby
12 - 50failover replication http
12 - 51failover reset
12 - 53failover timeout
12 - 54file-bookmarks
12 - 56file-encoding
12 - 58filter
12 - 60filter activex
12 - 62filter ftp
12 - 64filter https
12 - 66filter java
12 - 68filter url
12 - 70fips enable
12 - 74fips self-test poweron
12 - 76firewall transparent
12 - 77format
12 - 79fqdn
12 - 81fragment
12 - 82ftp-map
12 - 84ftp mode passive
12 - 86functions
12 - 88 12 - 90gateway through hw-module module shutdown Commands 13 - 1
gateway
13 - 2global
13 - 4group-alias
13 - 7group-delimiter
Contents
group-lock
13 - 10group-object
13 - 11group-policy
13 - 13group-policy attributes
13 - 16group-prompt
13 - 19group-url
13 - 21gtp-map
13 - 23help
13 - 25hic-fail-group-policy
13 - 27hidden-parameter
13 - 29homepage
13 - 31hostname
13 - 32html-content-filter
13 - 33http
13 - 35http authentication-certificate
13 - 37http-comp
13 - 39http-map
13 - 40http-proxy
13 - 43http redirect
13 - 44http server enable
13 - 46https-proxy
13 - 47hw-module module recover
13 - 48hw-module module reload
13 - 50hw-module module reset
13 - 52hw-module module shutdown
13 - 54 13 - 56icmp through imap4s Commands 14 - 1
icmp
14 - 2icmp-object
14 - 5id-cert-issuer
14 - 7igmp
14 - 9igmp access-group
14 - 10igmp forward interface
14 - 11igmp join-group
14 - 12igmp limit
14 - 14Contents
igmp query-interval
14 - 15igmp query-max-response-time
14 - 17igmp query-timeout
14 - 19igmp static-group
14 - 20igmp version
14 - 21ignore lsa mospf
14 - 23imap4s
14 - 24 14 - 25inspect ctiqbe through inspect xdmcp Commands 15 - 1
inspect ctiqbe
15 - 2inspect dns
15 - 4inspect esmtp
15 - 7inspect ftp
15 - 10inspect gtp
15 - 13inspect h323
15 - 15inspect http
15 - 19inspect icmp
15 - 22inspect icmp error
15 - 24inspect ils
15 - 26inspect mgcp
15 - 28inspect netbios
15 - 31inspect pptp
15 - 33inspect rsh
15 - 35inspect rtsp
15 - 37inspect sip
15 - 40inspect skinny
15 - 43inspect snmp
15 - 46inspect sqlnet
15 - 48inspect sunrpc
15 - 50inspect tftp
15 - 52inspect xdmcp
15 - 54 15 - 56interface-dhcp through issuer-name Commands 16 - 1
intercept-dhcp
16 - 2Contents
interface (vpn load-balancing)
16 - 6interface-policy
16 - 8ip-address
16 - 10ip address
16 - 11ip address dhcp
16 - 13ip audit attack
16 - 15ip audit info
16 - 17ip audit interface
16 - 19ip audit name
16 - 21ip audit signature
16 - 23ip-comp
16 - 29ip local pool
16 - 30ip-phone-bypass
16 - 32ips
16 - 33ipsec-udp
16 - 35ipsec-udp-port
16 - 37ip verify reverse-path
16 - 38ipv6 access-list
16 - 40ipv6 address
16 - 44ipv6 enable
16 - 46ipv6 icmp
16 - 47ipv6 nd dad attempts
16 - 50ipv6 nd ns-interval
16 - 52ipv6 nd prefix
16 - 53ipv6 nd ra-interval
16 - 55ipv6 nd ra-lifetime
16 - 57ipv6 nd reachable-time
16 - 59ipv6 nd suppress-ra
16 - 60ipv6 neighbor
16 - 61ipv6 route
16 - 63isakmp am-disable
16 - 65isakmp disconnect-notify
16 - 66isakmp enable
16 - 67isakmp identity
16 - 68isakmp ipsec-over-tcp
16 - 70Contents
isakmp keepalive 16 - 71
isakmp nat-traversal
16 - 73isakmp policy authentication
16 - 75isakmp policy encryption
16 - 77isakmp policy group
16 - 79isakmp policy hash
16 - 81isakmp policy lifetime
16 - 83isakmp reload-wait
16 - 85issuer-name
16 - 86 16 - 88join-failover-group through kill Commands 17 - 1
join-failover-group
17 - 2kerberos-realm
17 - 4key
17 - 6keypair
17 - 8kill
17 - 9 17 - 10ldap-attribute-map through log-adj-changes Commands 18 - 1
ldap-attribute-map (aaa-server host mode)
18 - 2ldap attribute-map (global configuration mode)
18 - 4ldap-base-dn
18 - 6ldap-defaults
18 - 8ldap-dn
18 - 9ldap-login-dn
18 - 11ldap-login-password
18 - 13ldap-naming-attribute
18 - 15ldap-over-ssl
18 - 17ldap-scope
18 - 19leap-bypass
18 - 21 18 - 23lmfactor
18 - 24log-adj-changes
18 - 26 18 - 27Contents
logging asdm through logout message Commands 19 - 1
logging asdm
19 - 2logging asdm-buffer-size
19 - 4logging buffered
19 - 6logging buffer-size
19 - 8logging class
19 - 10logging console
19 - 13logging debug-trace
19 - 15logging device-id
19 - 17logging emblem
19 - 19logging enable
19 - 21logging facility
19 - 23logging flash-bufferwrap
19 - 25logging flash-maximum-allocation
19 - 27logging flash-minimum-free
19 - 29logging from-address
19 - 31logging ftp-bufferwrap
19 - 33logging ftp-server
19 - 35logging history
19 - 37logging host
19 - 39logging list
19 - 41logging mail
19 - 44logging message
19 - 46logging monitor
19 - 48logging permit-hostdown
19 - 50logging queue
19 - 52logging rate-limit
19 - 54logging recipient-address
19 - 56logging savelog
19 - 58logging standby
19 - 60logging timestamp
19 - 62logging trap
19 - 63login
19 - 65login-button
19 - 67login-message
19 - 69Contents
login-title
19 - 71logo
19 - 73logout
19 - 75logout-message
19 - 76 19 - 78mac address through multicast-routing Commands 20 - 1
mac address
20 - 2mac-address-table aging-time
20 - 4mac-address-table static
20 - 5mac-learn
20 - 7mac-list
20 - 8management-access
20 - 10management-only
20 - 12map-name
20 - 14map-value
20 - 16mask-syst-reply
20 - 18match access-list
20 - 20match any
20 - 22match default-inspection-traffic
20 - 24match dscp
20 - 26match flow ip destination-address
20 - 28match interface
20 - 30match ip address
20 - 32match ip next-hop
20 - 34match ip route-source
20 - 36match metric
20 - 38match port
20 - 40match precedence
20 - 42match route-type
20 - 44match rtp
20 - 46match tunnel-group
20 - 48max-failed-attempts
20 - 50max-header-length
20 - 52max-object-size
20 - 54max-uri-length
Contents
mcc
20 - 57media-type
20 - 59memory caller-address
20 - 61memory profile enable
20 - 63memory profile text
20 - 65memory-size
20 - 67message-length
20 - 68mfib forwarding
20 - 70mgcp-map
20 - 71min-object-size
20 - 73mkdir
20 - 75mode
20 - 76monitor-interface
20 - 79more
20 - 81mroute
20 - 83mtu
20 - 85multicast-routing
20 - 87 20 - 89name through override-account-disable Commands 21 - 1
name
21 - 2nameif
21 - 4names
21 - 6name-separator
21 - 7nat
21 - 8nat (vpn load-balancing)
21 - 14nat-control
21 - 16nbns-server (tunnel-group webvpn attributes mode)
21 - 18nbns-server (webvpn mode)
21 - 20neighbor
21 - 22nem
21 - 24network area
21 - 25network-object
21 - 27nt-auth-domain-controller
21 - 29ntp authenticate
21 - 31ntp authentication-key
21 - 33Contents
ntp server
21 - 35ntp trusted-key
21 - 37object-group
21 - 39ospf authentication
21 - 44ospf authentication-key
21 - 46ospf cost
21 - 47ospf database-filter
21 - 49ospf dead-interval
21 - 50ospf hello-interval
21 - 51ospf message-digest-key
21 - 52ospf mtu-ignore
21 - 54ospf network point-to-point non-broadcast
21 - 55ospf priority
21 - 57ospf retransmit-interval
21 - 58ospf transmit-delay
21 - 59outstanding
21 - 60override-account-disable
21 - 61 21 - 63page style through pwd Commands 22 - 1
page style
22 - 2pager
22 - 4participate
22 - 6passwd
22 - 8password (crypto ca trustpoint)
22 - 10password-management
22 - 12password-parameter
22 - 14password-prompt
22 - 16password-storage
22 - 18peer-id-validate 22 - 19
perfmon
22 - 21periodic
22 - 23permit errors
22 - 25permit response
22 - 27pfs
22 - 29pim
Contents
pim accept-register
22 - 31pim dr-priority
22 - 32pim hello-interval
22 - 33pim join-prune-interval
22 - 34pim old-register-checksum
22 - 35pim rp-address
22 - 36pim spt-threshold infinity
22 - 38ping
22 - 39police
22 - 41policy
22 - 43policy-map
22 - 44policy-server-secret
22 - 46polltime interface
22 - 48pop3s
22 - 50port
22 - 51port-forward
22 - 52port-forward (webvpn)
22 - 54port-forward-name
22 - 56port-misuse
22 - 57port-object
22 - 59preempt
22 - 62prefix-list
22 - 64prefix-list description
22 - 67prefix-list sequence-number
22 - 69pre-shared-key 22 - 70
primary
22 - 71priority
22 - 73priority (vpn load balancing)
22 - 74priority-queue
22 - 76privilege
22 - 78protocol http
22 - 80protocol ldap
22 - 81protocol scep
22 - 82protocol-object
22 - 83proxy-bypass
22 - 85Contents
pwd
22 - 87 22 - 88queue-limit through routerospf Commands 23 - 1
queue-limit (priority-queue)
23 - 2queue-limit (tcp-map)
23 - 4quit
23 - 6radius-common-pw
23 - 8radius-with-expiry 23 - 10
reactivation-mode
23 - 12redistribute
23 - 14reload
23 - 16remote-access threshold session-threshold-exceeded
23 - 19rename
23 - 20replication http
23 - 22request-command deny
23 - 24request-method
23 - 26request-queue
23 - 29request-timeout
23 - 31reserved-bits
23 - 33retries
23 - 35retry-interval
23 - 37rewrite
23 - 39re-xauth
23 - 41rmdir
23 - 43route
23 - 44route-map
23 - 46router-id
23 - 48router ospf
23 - 49 23 - 51same-security-traffic through show asdm sessions Commands 24 - 1
same-security-traffic
24 - 2sasl-mechanism
24 - 4secondary
24 - 6secondary-color
24 - 8Contents
secure-unit-authentication
24 - 11security-level
24 - 13serial-number
24 - 15server
24 - 16server-port
24 - 17server-separator
24 - 19server-type
24 - 20service
24 - 22service password-recovery
24 - 24service-policy
24 - 27session
24 - 29set connection
24 - 31set connection advanced-options
24 - 34set connection timeout
24 - 36set metric
24 - 38set metric-type
24 - 40setup
24 - 42show aaa local user
24 - 45show aaa-server
24 - 47show access-list
24 - 49show activation-key
24 - 51show admin-context
24 - 53show arp
24 - 54show arp-inspection
24 - 55show arp statistics
24 - 56show asdm history
24 - 58show asdm image
24 - 65show asdm log_sessions
24 - 66show asdm sessions
24 - 67 24 - 68show asp drop through show curpriv Commands 25 - 1
show asp drop
25 - 2show asp table arp
25 - 40show asp table classify
25 - 42show asp table interfaces
25 - 45Contents
show asp table mac-address-table
25 - 47show asp table routing
25 - 49show asp table vpn-context
25 - 51show blocks
25 - 53show bootvar
25 - 59show capture
25 - 61show chardrop
25 - 63show checkheaps
25 - 64show checksum
25 - 65show chunkstat
25 - 66show clock
25 - 67show compression svc
25 - 68show conn
25 - 69 25 - 7425 - 75
show conn
25 - 76show console-output
25 - 81show context
25 - 82show counters
25 - 86show cpu
25 - 88show crashinfo
25 - 90show crashinfo console
25 - 98show crypto accelerator statistics
25 - 100show crypto ca certificates
25 - 103show crypto ca crls
25 - 105show crypto ipsec df-bit
25 - 106show crypto ipsec fragmentation
25 - 107show crypto key mypubkey
25 - 108show crypto protocol statistics
25 - 109show ctiqbe 25 - 112
show curpriv
25 - 114 25 - 116show debug through show ipv6 traffic Commands 26 - 1
show debug
26 - 2show dhcpd
Contents
show dhcprelay state
26 - 7show dhcprelay statistics
26 - 8show disk
26 - 10show dns-hosts
26 - 12show failover
26 - 14show file
26 - 18show firewall
26 - 19show flash
26 - 20show fragment
26 - 22show gc
26 - 24show h225 26 - 25
show h245 26 - 27
show h323-ras 26 - 29
show history
26 - 31show icmp 26 - 33
show idb
26 - 34show igmp groups
26 - 36show igmp interface
26 - 37show igmp traffic
26 - 38show interface
26 - 39show interface ip brief
26 - 47show inventory
26 - 49show ip address
26 - 51show ip address dhcp
26 - 53show ip audit count
26 - 57show ip verify statistics
26 - 59show ipsec sa
26 - 60show ipsec sa summary
26 - 67show ipsec stats
26 - 69show ipv6 access-list
26 - 71show ipv6 interface
26 - 73show ipv6 neighbor
26 - 75show ipv6 route
26 - 77show ipv6 routers
26 - 79show ipv6 traffic
26 - 80Contents
26 - 82
show isakmp sa through show route Commands 27 - 1
show isakmp sa
27 - 2show isakmp stats
27 - 4show local-host
27 - 7show logging
27 - 10show logging rate-limit
27 - 12show mac-address-table
27 - 13show management-access
27 - 15show memory
27 - 16show memory binsize
27 - 19show memory profile
27 - 20show memory webvpn
27 - 23show memory-caller address
27 - 25show mfib
27 - 27show mfib active
27 - 28show mfib count
27 - 30show mfib interface
27 - 31show mfib reserved
27 - 32show mfib status
27 - 34show mfib summary
27 - 35show mfib verbose
27 - 36show mgcp
27 - 37show mode
27 - 39show module
27 - 40show mrib client
27 - 44show mrib route
27 - 46show mroute
27 - 48show nameif
27 - 51show ntp associations
27 - 53show ntp status
27 - 57show ospf
27 - 59show ospf border-routers
27 - 61show ospf database
27 - 62show ospf flood-list
Contents
show ospf interface
27 - 67show ospf neighbor
27 - 68show ospf request-list
27 - 70show ospf retransmission-list
27 - 71show ospf summary-address
27 - 73show ospf virtual-links
27 - 74show perfmon
27 - 75show pim df
27 - 77show pim group-map
27 - 78show pim interface
27 - 80show pim join-prune statistic
27 - 81show pim neighbor
27 - 82show pim range-list
27 - 84show pim topology
27 - 86show pim topology reserved
27 - 88show pim topology route-count
27 - 89show pim traffic
27 - 90show pim tunnel
27 - 92show priority-queue statistics
27 - 93show processes
27 - 95show reload
27 - 98show resource types
27 - 99show resource usage
27 - 100show route
27 - 103 27 - 104show running-config through show running-config isakmp Commands 28 - 1
show running-config
28 - 2show running-config aaa
28 - 5show running-config aaa-server
28 - 7show running-config aaa-server host
28 - 9show running-config access-group
28 - 10show running-config access-list
28 - 11show running-config alias
28 - 13show running-config arp
28 - 14show running-config arp timeout
28 - 15Contents
show running-config arp-inspection
28 - 16show running-config asdm
28 - 17show running-config auth-prompt
28 - 19show running-config banner
28 - 20show running-config class-map
28 - 21show running-config client-update
28 - 22show running-config clock
28 - 23show running-config command-alias
28 - 25show running-config compression
28 - 27show running-config console timeout
28 - 28show running-config context
28 - 29show running-config crypto
28 - 30show running-config crypto dynamic-map
28 - 32show running-config crypto ipsec
28 - 33show running-config crypto isakmp
28 - 34show running-config crypto map
28 - 35show running-config dhcpd
28 - 36show running-config dhcprelay
28 - 37show running-config dns
28 - 38show running-config domain-name
28 - 39show running-config enable
28 - 40show running-config established
28 - 41show running-config failover
28 - 42show running-config filter
28 - 43show running-config fips
28 - 44show running-config fragment
28 - 45show running-config ftp-map
28 - 47show running-config ftp mode
28 - 48show running-config global
28 - 49show running-config group-delimiter
28 - 50show running-config group-policy
28 - 51show running-config gtp-map
28 - 52show running-config http
28 - 54show running-config http-map
28 - 55show running-config icmp
28 - 57Contents
show running-config imap4s
28 - 58show running-config interface
28 - 60show running-config ip address
28 - 62show running-config ip audit attack
28 - 64show running-config ip audit info
28 - 65show running-config ip audit interface
28 - 66show running-config ip audit name
28 - 67show running-config ip audit signature
28 - 68show running-config ip local pool
28 - 69show running-config ip verify reverse-path
28 - 71show running-config ipv6
28 - 72show running-config isakmp
28 - 73 28 - 74show running-config ldap through show running-config webvpn auto-signon Commands 29 - 1
show running-config ldap
29 - 2show running-config logging
29 - 4show running-config mac-address-table
29 - 5show running-config mac-learn
29 - 6show running-config mac-list
29 - 7show running-config management-access
29 - 8show running-config mgcp-map
29 - 9show running-config monitor-interface
29 - 11show running-config mroute
29 - 13show running-config mtu
29 - 14show running-config multicast-routing
29 - 15show running-config name
29 - 16show running-config nameif
29 - 17show running-config names
29 - 19show running-config nat
29 - 20show running-config nat-control
29 - 22show running-config ntp
29 - 23show running-config object-group
29 - 24show running-config passwd
29 - 26show running-config pim
29 - 27show running-config policy-map
29 - 28Contents
show running-config pop3s
29 - 30show running-config port-forward 29 - 32
show running-config prefix-list
29 - 33show running-config priority-queue
29 - 34show running-config privilege
29 - 35show running-config rip
29 - 37show running-config route
29 - 38show running-config route-map
29 - 39show running-config router
29 - 41show running-config same-security-traffic
29 - 42show running-config service
29 - 43show running-config service-policy
29 - 44show running-configuration smtps
29 - 45show running-config snmp-map
29 - 47show running-config snmp-server
29 - 48show running-config ssh
29 - 49show running-config ssl
29 - 51show running-config static
29 - 52show running-config sunrpc-server
29 - 53show running-config sysopt
29 - 55show running-config tcp-map
29 - 56show running-config telnet
29 - 57show running-config terminal
29 - 58show running-config tftp-server
29 - 59show running-config timeout
29 - 60show running-config tunnel-group
29 - 61show running-config url-block
29 - 63show running-config url-cache
29 - 65show running-configuration url-list 29 - 66
show running-config url-server
29 - 67show running-config username
29 - 68show running-config virtual
29 - 69show running-config vpn load-balancing
29 - 70show running-configuration vpn-sessiondb
29 - 72show running-config webvpn
29 - 73Contents
show running-config webvpn auto-signon
29 - 75 29 - 76show service-policy through show webvpn svc Commands 77
show service-policy
78show service-policy inspect gtp
82show shun
85show sip
86show skinny
88show snmp-server statistics
90show ssh sessions
92show startup-config
94show sunrpc-server active
96show tcpstat
97show tech-support
100show traffic
105show uauth
107show url-block 109
show url-cache statistics 111
show url-server 113
show version
115show vpn load-balancing
117show vpn-sessiondb
119show vpn-sessiondb ratio
123show vpn-sessiondb summary
125show webvpn csd
126show webvpn group-alias
128show webvpn group-url
129show webvpn sso-server
130show webvpn svc
132 134shun through sysopt uauth allow-http-cache Commands 31 - 1
shun
31 - 2shutdown
31 - 4smtps
31 - 6smtp-server
31 - 7Contents
snmp-server
31 - 8snmp-map
31 - 11snmp-server enable trap remote-access
31 - 13speed
31 - 14split-dns
31 - 16split-tunnel-network-list
31 - 18split-tunnel-policy
31 - 20ssh
31 - 22ssh disconnect
31 - 24ssh scopy enable
31 - 26ssh timeout
31 - 28ssh version
31 - 30ssl client-version
31 - 32ssl encryption
31 - 34ssl server-version
31 - 36ssl trust-point
31 - 38sso-server
31 - 40sso-server value (config-group-webvpn)
31 - 42sso-server value (config-username-webvpn)
31 - 44start-url
31 - 46static
31 - 48strict-http
31 - 54strip-group 31 - 56
strip-realm 31 - 58
subject-name (crypto ca certificate map)
31 - 60subject-name (crypto ca trustpoint)
31 - 62summary-address
31 - 63sunrpc-server
31 - 65support-user-cert-validation
31 - 67svc
31 - 69svc compression
31 - 71svc dpd-interval
31 - 72svc enable
31 - 74svc image
31 - 75svc keepalive
31 - 77Contents
svc keep-installer
31 - 79svc rekey
31 - 81syn-data
31 - 83sysopt connection permit-vpn
31 - 85sysopt connection tcpmss
31 - 87sysopt connection timewait
31 - 89sysopt nodnsalias
31 - 91sysopt noproxyarp
31 - 93sysopt radius ignore-secret
31 - 95sysopt uauth allow-http-cache
31 - 97 31 - 98tcp-map through tx-ring-limit Commands 32 - 1
tcp-map
32 - 2tcp-options
32 - 4telnet
32 - 6terminal
32 - 9terminal pager
32 - 10terminal width
32 - 12test aaa-server
32 - 13test sso-server
32 - 15text-color
32 - 17tftp-server
32 - 18timeout
32 - 20timeout (aaa-server host)
32 - 23timeout (gtp-map)
32 - 25timeout (dns-server-group configuration mode)
32 - 27timers lsa-group-pacing
32 - 29timers spf
32 - 30title
32 - 32transfer-encoding
32 - 34trust-point 32 - 37
ttl-evasion-protection
32 - 38tunnel-group
32 - 40tunnel-group general-attributes
32 - 42tunnel-group ipsec-attributes
32 - 44Contents
tunnel-group webvpn-attributes
32 - 46tunnel-group-map default-group
32 - 48tunnel-group-map enable
32 - 50tunnel-limit
32 - 52tx-ring-limit
32 - 54 32 - 56urgent-flag through write terminal Commands 33 - 1
urgent-flag
33 - 2url
33 - 4url-block
33 - 6url-cache
33 - 8url-list
33 - 10url-list (webvpn)
33 - 12url-server
33 - 14user-authentication
33 - 17user-authentication-idle-timeout
33 - 19username
33 - 21username attributes
33 - 23username-prompt
33 - 25user-parameter
33 - 27virtual http
33 - 29virtual telnet
33 - 31vlan
33 - 33vpn-access-hours
33 - 35vpn-addr-assign
33 - 36vpn-filter
33 - 38vpn-framed-ip-address
33 - 39vpn-framed-ip-netmask
33 - 40vpn-group-policy
33 - 41vpn-idle-timeout
33 - 43vpn load-balancing
33 - 45vpn-sessiondb logoff
33 - 47vpn-sessiondb max-session-limit
33 - 49vpn-sessiondb max-webvpn-session-limit
33 - 50vpn-session-timeout
Contents
vpn-simultaneous-logins
33 - 53vpn-tunnel-protocol
33 - 54web-agent-url
33 - 55web-applications
33 - 57web-bookmarks
33 - 59webvpn (group-policy and username modes)
33 - 61who
33 - 64window-variation
33 - 65wins-server
33 - 67write erase
33 - 68write memory
33 - 69write net
33 - 71write standby
33 - 73write terminal
33 - 75 33 - 77Contents
About This Guide
This preface introduces the Cisco Security Appliance Command Reference.
This preface includes the following sections:
• Document Objectives, page xliii
• Audience, page xliv
• Document Organization, page xliv
• Document Conventions, page xlvi
• Related Documentation, page xlvi
• Obtaining Documentation, page xlvii
• Documentation Feedback, page xlvii
• Cisco Product Security Overview, page xlviii
• Obtaining Technical Assistance, page xlix
• Obtaining Additional Publications and Information, page l
Document Objectives
This guide contains the commands available for use with the security appliance to protect your network from unauthorized use and to establish Virtual Private Networks to connect remote sites and users to your network.
You can also configure and monitor the security appliance by using ASDM, a web-based GUI application. ASDM includes configuration wizards to guide you through some common configuration scenarios, and online Help for less common scenarios. For more information, see:
http://www.cisco.com/univercd/cc/td/doc/product/netsec/secmgmt/asdm/index.htm.
This guide applies to the Cisco PIX 500 series security appliances (PIX 515/515E, PIX 525, and PIX 535) and the Cisco ASA 5500 series security appliances (ASA 5510, ASA 5520, and ASA 5540).
Throughout this guide, the term “security appliance” applies generically to all supported models, unless specified otherwise. The PIX 501, PIX 506E, and PIX 520 security appliances are not supported in software Version 7.0.