Cisco ASA Series Command Reference, T - Z Commands and IOS Commands for ASASM
Total Page:16
File Type:pdf, Size:1020Kb
Cisco ASA Series Command Reference, T - Z Commands and IOS Commands for ASASM First Published: 2021-01-04 Last Modified: 2021-01-04 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental. All printed copies and duplicate soft copies of this document are considered uncontrolled. See the current online version for the latest version. Cisco has more than 200 offices worldwide. Addresses and phone numbers are listed on the Cisco website at www.cisco.com/go/offices. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/c/en/us/about/legal/trademarks.html. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R) © 2021 Cisco Systems, Inc. All rights reserved. PART I T-Z Commands • ta – tk, on page 1 • tl – tz, on page 95 • u, on page 155 • v, on page 259 • w - z , on page 349 ta – tk • table-map, on page 3 • tcp-inspection, on page 5 • tcp-map, on page 6 • tcp-options, on page 8 • telnet, on page 10 • telnet timeout, on page 12 • terminal interactive, on page 14 • terminal monitor, on page 16 • terminal pager, on page 17 • terminal width, on page 19 • test aaa-server, on page 20 • test aaa-server ad-agent, on page 22 • test dynamic-access-policy attributes, on page 24 • test dynamic-access-policy execute, on page 25 • test regex, on page 26 • test sso-server (Deprecated), on page 28 • text-color, on page 30 • tftp blocksize, on page 31 • tftp-server, on page 32 • tftp-server address (Deprecated), on page 34 • threat-detection basic-threat, on page 36 • threat-detection rate, on page 39 • threat-detection scanning-threat, on page 42 • threat-detection statistics, on page 45 • threshold, on page 48 • throughput level, on page 50 • ticket (Deprecated), on page 52 • timeout (aaa-server host), on page 54 • timeout (dns server-group), on page 56 • timeout (global), on page 57 • timeout (policy-map type inspect gtp > parameters), on page 62 • timeout (policy-map type inspect m3ua > parameters), on page 64 • timeout (policy-map type inspect radius-accounting > parameters), on page 66 Cisco ASA Series Command Reference, T - Z Commands and IOS Commands for ASASM 1 T-Z Commands • timeout (type echo), on page 67 • timeout assertion, on page 69 • timeout edns, on page 70 • timeout pinhole, on page 71 • timeout secure-phones (Deprecated), on page 72 • time-range, on page 74 • timers nsf wait, on page 76 • timers bgp, on page 77 • timers lsa arrival, on page 79 • timers lsa-group-pacing, on page 80 • timers pacing flood, on page 81 • timers pacing flood, on page 82 • timers pacing lsa-group, on page 83 • timers pacing retransmission, on page 84 • timers spf, on page 86 • timers throttle, on page 88 • timestamp, on page 91 • title, on page 93 Cisco ASA Series Command Reference, T - Z Commands and IOS Commands for ASASM 2 T-Z Commands table-map table-map To modify metric and tag values when the IP routing table is updated with BGP learned routes, use the table-map command in address family configuration mode. To disable this function, use the no form of the command. table-map map_name [ filter ] no table-map map_name [ filter ] Syntax Description map_name The name of the route map that should control what gets put into the BGP routing table (RIB). filter (Optional) Specifies that the route map controls not only the metrics on a BGP route, but also whether the route is downloaded into the RIB. A BGP route is not downloaded to the RIB if it is denied by the route map. Command Default This command is disabled by default. Command Modes The following table shows the modes in which you can enter the command: Command Mode Firewall Mode Security Context Routed Transparent Single Multiple Context System Address family • Yes — • Yes • Yes — configuration Command History Release Modification 9.2(1) This command was added. Usage Guidelines A table map references a route map that sets metrics and a tag value for routes that are updated in the BGP routing table, or controls whether routes are downloaded to the RIB. When the table-map command: • Does not include the filter keyword, the route map referenced is used to set certain properties of a route before the route is installed (downloaded) into the RIB. The route is always downloaded, regardless of whether it is permitted or denied by the route map. • Includes the filter keyword, the route map referenced also controls whether the BGP route is downloaded to the RIB. A BGP route is not downloaded to the RIB if it is denied by the route map. You can use match clauses in the route map that the table map references to match routes based on IP access list, autonomous system paths, and next hop. Examples In the following address family configuration mode example, the ASA software is configured to automatically compute the tag value for the BGP learned routes and to update the IP routing table: Cisco ASA Series Command Reference, T - Z Commands and IOS Commands for ASASM 3 T-Z Commands table-map ciscoasa(config)# route-map tag ciscoasa(config-route-map)# match as path 10 ciscoasa(config-route-map)# set automatic-tag ciscoasa(config)# router bgp 100 ciscoasa(config-router)# address-family ipv4 unicast ciscoasa(config-router-af)# table-map tag Related Commands Command Description address-family Enters the address-family configuration mode. route-map Defines the conditions for redistributing routes from one routing protocol into another. Cisco ASA Series Command Reference, T - Z Commands and IOS Commands for ASASM 4 T-Z Commands tcp-inspection tcp-inspection To enable DNS over TCP inspection, use the tcp-inspection command in parameters configuration mode. To disable protocol enforcement, use the no form of this command. tcp-inspection no tcp-inspection Syntax Description This command has no arguments or keywords. Command Default DNS over TCP inspection is disabled. Command Modes The following table shows the modes in which you can enter the command: Command Mode Firewall Mode Security Context Routed Transparent Single Multiple Context System Parameters • Yes • Yes • Yes • Yes — configuration Command History Release Modification 9.6(2) This command was added. Usage Guidelines Add this command to a DNS inspection policy map to include DNS/TCP port 53 traffic in the inspection. Without this command, UDP/53 DNS traffic only is inspected. Ensure that DNS/TCP port 53 traffic is part of the class to which you apply DNS inspection. The inspection default class includes TCP/53. Examples The following example shows how to enable DNS over TCP inspection a DNS inspection policy map: ciscoasa(config)# policy-map type inspect dns preset_dns_map ciscoasa(config-pmap)# parameters ciscoasa(config-pmap-p)# tcp-inspection Related Commands Command Description inspect dns Enables DNS inspection. policy-map type inspect dns Creates a DNS inspection policy map. show running-config policy-map Display all current policy map configurations. Cisco ASA Series Command Reference, T - Z Commands and IOS Commands for ASASM 5 T-Z Commands tcp-map tcp-map To define a set of TCP normalization actions, use the tcp-map command in global configuration mode. The TCP normalization feature lets you specify criteria that identify abnormal packets, which the ASA drops when they are detected. To remove the TCP map, use the no form of this command. tcp-map map_name no tcp-map map_name Syntax Description map_name Specifies the TCP map name.