
Cisco Security Appliance Command Reference Book, Version 8.2 PDF

3686 Pages·2011·28.02 MB·English

Preview Cisco Security Appliance Command Reference Book, Version 8.2

Cisco ASA 5500 Series Command Reference
For the Cisco ASA 5500 Series Adaptive Security Appliance Software Version 8.2(5)

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
http://www.cisco.com
Tel: 408 526-4000 / 800 553-NETS (6387)
Fax: 408 527-0883

Text Part Number: N/A (Online only)

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)

Cisco ASA 5500 Series Command Reference
© 2011 Cisco Systems, Inc. All rights reserved.

About This Guide

This preface introduces the Cisco ASA 5500 Series Command Reference. This preface includes the following sections:
• Document Objectives, page iii
• Audience, page iv
• Document Organization, page iv
• Document Conventions, page iv
• Related Documentation, page v
• Obtaining Documentation, Obtaining Support, and Security Guidelines, page v

Document Objectives

This guide contains the commands available for use with the adaptive security appliance to protect your network from unauthorized use and to establish Virtual Private Networks to connect remote sites and users to your network.

You can also configure and monitor the adaptive security appliance by using ASDM, a web-based GUI application. ASDM includes configuration wizards to guide you through some common configuration scenarios and online Help for less common scenarios. For more information, see the following site: http://www.cisco.com/en/US/products/ps6121/tsd_products_support_series_home.html.

This guide applies to the Cisco PIX 500 series adaptive security appliances (PIX 515/515E, PIX 525, and PIX 535) and the Cisco ASA 5500 series adaptive security appliances (ASA 5505, ASA 5510, ASA 5520, ASA 5540, and ASA 5550). Throughout this guide, the term “adaptive security appliance” applies generically to all supported models, unless specified otherwise. The PIX 501, PIX 506E, and PIX 520 adaptive security appliances are not supported in software Version 7.0.

Cisco ASA 5500 Series Command Reference OL-18972-02 iii

Audience

This guide is for network managers who perform any of the following tasks:
• Manage network security
• Install and configure firewall/security appliances
• Configure VPNs
• Configure intrusion detection software

Use this guide with the Cisco ASA 5500 Series Configuration Guide using the CLI.

Document Organization

• “Using the Command-Line Interface” introduces you to the adaptive security appliance commands and access modes.
• Chapters 1 through 32 list all commands in alphabetical order.

Document Conventions

The adaptive security appliance command syntax descriptions use the following conventions.

Command descriptions use these conventions:
• Braces ({ }) indicate a required choice.
• Square brackets ([ ]) indicate optional elements.
• Vertical bars ( | ) separate alternative, mutually exclusive elements.
• Boldface indicates commands and keywords that are entered literally as shown.
• Italics indicate arguments for which you supply values.

Examples use these conventions:
• Examples depict screen displays and the command line in screen font.
• Information you need to enter in examples is shown in boldface screen font.
• Variables for which you must supply a value are shown in italic screen font.
• Examples might include output from different platforms; for example, you might not recognize an interface type in an example because it is not available on your platform. Differences should be minor.

Note: Means reader take note. Notes contain helpful suggestions or references to material not covered in the manual.

For information on modes, prompts, and syntax, see the “Using the Command-Line Interface” section.

Related Documentation

For more information, see the following documentation:
• Release Notes for Cisco ASDM
• Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
• Cisco ASA 5500 Series Hardware Installation Guide
• Cisco ASA 5500 Series Quick Start Guide
• Cisco ASA 5500 Series Release Notes
• Cisco ASA 5500 Series Configuration Guide using the CLI
• Cisco ASA 5500 Series System Log Messages
• Regulatory Compliance and Safety Information for the Cisco ASA 5500 Series
• Release Notes for Cisco Secure Desktop
• Migrating to ASA for VPN 3000 Concentrator Series Administrators
• Selected ASDM VPN Configuration Procedures for the Cisco ASA 5500 Series

Obtaining Documentation, Obtaining Support, and Security Guidelines

For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Using the Command-Line Interface

This section describes how to use the CLI on the adaptive security appliance, and it includes the following topics:
• Firewall Mode and Security Context Mode, page vii
• Command Modes and Prompts, page viii
• Syntax Formatting, page ix
• Abbreviating Commands, page ix
• Command-Line Editing, page ix
• Command Completion, page x
• Command Help, page x
• Filtering show Command Output, page x
• Command Output Paging, page xi
• Adding Comments, page xii
• Text Configuration Files, page xii

Note: The CLI uses similar syntax and other conventions to the Cisco IOS CLI, but the adaptive security appliance operating system is not a version of Cisco IOS software. Do not assume that a Cisco IOS CLI command works with or has the same function on the adaptive security appliance.

Firewall Mode and Security Context Mode

The adaptive security appliance runs in a combination of the following modes:
• Transparent firewall or routed firewall mode: The firewall mode determines if the security appliance runs as a Layer 2 or Layer 3 firewall.
• Multiple context or single context mode: The security context mode determines if the adaptive security appliance runs as a single device or as multiple security contexts, which act like virtual devices.

Some commands are only available in certain modes.

Command Modes and Prompts

The adaptive security appliance CLI includes command modes. Some commands can only be entered in certain modes. For example, to enter commands that show sensitive information, you need to enter a password and enter a more privileged mode. Then, to ensure that configuration changes are not entered accidentally, you have to enter a configuration mode. All lower commands can be entered in higher modes; for example, you can enter a privileged EXEC command in global configuration mode.

When you are in the system configuration or in single context mode, the prompt begins with the hostname:
hostname

When you are within a context, the prompt begins with the hostname followed by the context name:
hostname/context

The prompt changes depending on the access mode:
• User EXEC mode: User EXEC mode lets you see minimum adaptive security appliance settings. The user EXEC mode prompt appears as follows when you first access the adaptive security appliance:
  hostname>
  hostname/context>
• Privileged EXEC mode: Privileged EXEC mode lets you see all current settings up to your privilege level. Any user EXEC mode command will work in privileged EXEC mode. Enter the enable command in user EXEC mode, which requires a password, to start privileged EXEC mode. The prompt includes the number sign (#):
  hostname#
  hostname/context#
• Global configuration mode: Global configuration mode lets you change the adaptive security appliance configuration. All user EXEC, privileged EXEC, and global configuration commands are available in this mode. Enter the configure terminal command in privileged EXEC mode to start global configuration mode. The prompt changes to the following:
  hostname(config)#
  hostname/context(config)#
• Command-specific configuration modes: From global configuration mode, some commands enter a command-specific configuration mode. All user EXEC, privileged EXEC, global configuration, and command-specific configuration commands are available in this mode. For example, the interface command enters interface configuration mode. The prompt changes to the following:
  hostname(config-if)#
  hostname/context(config-if)#

Syntax Formatting

Command syntax descriptions use the following conventions:

Table 1 Syntax Conventions
Convention    Description
bold          Bold text indicates commands and keywords that you enter literally as shown.
italics       Italic text indicates arguments for which you supply values.
[x]           Square brackets enclose an optional element (keyword or argument).
|             A vertical bar indicates a choice within an optional or required set of keywords or arguments.
[x | y]       Square brackets enclosing keywords or arguments separated by a vertical bar indicate an optional choice.
{x | y}       Braces enclosing keywords or arguments separated by a vertical bar indicate a required choice.
[x {y | z}]   Nested sets of square brackets or braces indicate optional or required choices within optional or required elements. Braces and a vertical bar within square brackets indicate a required choice within an optional element.

Abbreviating Commands

You can abbreviate most commands down to the fewest unique characters for a command; for example, you can enter wr t to view the configuration instead of entering the full command write terminal, or you can enter en to start privileged mode and conf t to start configuration mode. In addition, you can enter 0 to represent 0.0.0.0.

Command-Line Editing

The adaptive security appliance uses the same command-line editing conventions as Cisco IOS software. You can view all previously entered commands with the show history command or individually with the up arrow or ^p command. Once you have examined a previously entered command, you can move forward in the list with the down arrow or ^n command. When you reach a command you wish to reuse, you can edit it or press the Enter key to start it. You can also delete the word to the left of the cursor with ^w, or erase the line with ^u. The adaptive security appliance permits up to 512 characters in a command; additional characters are ignored.

Command Completion

To complete a command or keyword after entering a partial string, press the Tab key. The adaptive security appliance only completes the command or keyword if the partial string matches only one command or keyword. For example, if you enter s and press the Tab key, the adaptive security appliance does not complete the command because it matches more than one command. However, if you enter dis, the Tab key completes the command disable.

Command Help

Help information is available from the command line by entering the following commands:
• help command_name: Shows help for the specific command.
• help ?: Shows commands for which there is help.
• command_name ?: Shows a list of arguments available.
• string? (no space): Lists the possible commands that start with the string.
• ? and +?: Lists all commands available. If you enter ?, the adaptive security appliance shows only commands available for the current mode. To show all commands available, including those for lower modes, enter +?.

Note: If you want to include a question mark (?) in a command string, you must press Ctrl-V before typing the question mark so you do not inadvertently invoke CLI help.

Filtering show Command Output

You can use the vertical bar (|) with any show command and include a filter option and filtering expression. The filtering is performed by matching each output line with a regular expression, similar to Cisco IOS software. By selecting different filter options you can include or exclude all output that matches the expression. You can also display all output beginning with the line that matches the expression.

The syntax for using filtering options with the show command is as follows:

hostname# show command | {include | exclude | begin | grep [-v]} regexp

In this command string, the first vertical bar (|) is the operator and must be included in the command. This operator directs the output of the show command to the filter. In the syntax diagram, the other vertical bars (|) indicate alternative options and are not part of the command.
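As an added illustration (not code from the Cisco document), the following Python model reproduces the show-output filter semantics described above (include, exclude, begin, grep and grep -v, each applied line by line as a regular expression) so that an operator can verify what a given filter keeps before trusting it during a configuration review. The sample show running-config lines are constructed, and the helper names filter_show_output and run_filtered_show are assumptions of this example.

```python
import re
from typing import List

# Constructed sample lines of "show running-config" output (not captured from a real device).
SAMPLE_SHOW_RUN = """\
hostname asa-edge
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq https
access-list OUTSIDE_IN extended deny ip any any log
telnet timeout 5
ssh timeout 5
""".splitlines()


def filter_show_output(lines: List[str], option: str, regexp: str) -> List[str]:
    """Apply one ASA-style filter option to show-command output.

    include / grep    : keep only lines matching regexp
    exclude / grep -v : drop lines matching regexp
    begin             : keep everything from the first matching line onward
    """
    pattern = re.compile(regexp)
    option = option.strip()
    if option in ("include", "grep"):
        return [line for line in lines if pattern.search(line)]
    if option in ("exclude", "grep -v"):
        return [line for line in lines if not pattern.search(line)]
    if option == "begin":
        for index, line in enumerate(lines):
            if pattern.search(line):
                return lines[index:]
        return []  # no line matched, so nothing is displayed
    raise ValueError(f"unknown filter option: {option!r}")


def run_filtered_show(command_line: str, output: List[str]) -> List[str]:
    """Split 'show ... | option regexp' on the first pipe (the operator) and apply the filter."""
    _head, pipe, tail = command_line.partition("|")
    if not pipe:
        return list(output)  # no filter given: unfiltered output
    tail = tail.strip()
    if tail.startswith("grep -v "):
        option, regexp = "grep -v", tail[len("grep -v "):]
    else:
        option, _sep, regexp = tail.partition(" ")
    return filter_show_output(output, option, regexp.strip())
```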

Description:
This preface introduces the Cisco ASA 5500 Series Command Reference. This preface includes the following sections: • Document Objectives, page iii.
