cc/td/doc/product/software/ios112
hometocprevnextglossaryfeedbacksearchhelp
PDF

Table of Contents

Network Data Encryption and Router Authentication Commands

Network Data Encryption and Router Authentication Commands

This chaper describes the function and displays the syntax of each command used to configure network data encryption with router authentication. For more information about defaults and usage guidelines, see the corresponding chapter of the Security Command Reference.

access-list (encryption)

To define an encryption access list by number, use the extended IP access list global configuration command. To remove a numbered encryption access list, use the no form of this command.

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit}
protocol source source-wildcard destination destination-wildcard [precedence precedence]
[tos tos] [log]
no access-list access-list-number
access-list-number Number of an encryption access list. This is a decimal number from 100 to 199.
dynamic dynamic-name (Optional) Identifies this encryption access list as a dynamic encryption access list. Refer to lock-and-key access documented in the "Configuring Traffic Filters" chapter in the Security Configuration Guide.
timeout minutes (Optional) Specifies the absolute length of time (in minutes) that a temporary access list entry can remain in a dynamic access list. The default is an infinite length of time and allows an entry to remain permanently. Refer to lock-and-key access documented in the "Configuring Traffic Filters" chapter in the Security Configuration Guide.
deny Does not encrypt/decrypt IP traffic if the conditions are matched.
permit Encrypts/decrypts IP traffic if the conditions are matched.
protocol Name or number of an IP protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range 0 to 255 representing an IP protocol number. To match any Internet protocol, including ICMP, TCP, and UDP, use the keyword ip. Some protocols allow further qualifiers, as described in text that follows.
source Number of the network or host from which the packet is being sent. There are three other ways to specify the source:

  • Use a 32-bit quantity in four-part dotted-decimal format.

  • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended.

  • Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

source-wildcard

 Wildcard bits (mask) to be applied to source. There are three other ways to specify the source wildcard:

  • Use a 32-bit quantity in four-part dotted-decimal format. Place ones in the bit positions you want to ignore.

  • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended.

  • Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

destination

 Number of the network or host to which the packet is being sent. There are three other ways to specify the destination:

  • Use a 32-bit quantity in four-part dotted-decimal format.

  • Use the keyword any as an abbreviation for the destination and destination-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended.

  • Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

destination-wildcard

Wildcard bits to be applied to the destination. There are three other ways to specify the destination wildcard:

  • Use a 32-bit quantity in four-part dotted-decimal format. Place ones in the bit positions you want to ignore.

  • Use the keyword any as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended.

  • Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

precedence precedence

 (Optional) Packets can be matched for encryption by precedence level, as specified by a number from 0 to 7 or by name.
tos tos (Optional) Packets can be matched for encryption by type of service level, as specified by a number from 0 to 15 or by name.
icmp-type (Optional) ICMP packets can be matched for encryption by ICMP message type. The type is a number from 0 to 255.
icmp-code (Optional) ICMP packets which are matched for encryption by ICMP message type can also be matched by the ICMP message code. The code is a number from 0 to 255.
icmp-message (Optional) ICMP packets can be matched for encryption by an ICMP message type name or ICMP message type and code name.
igmp-type (Optional) IGMP packets can be matched for encryption by IGMP message type or message name. A message type is a number from 0 to 15.
operator (Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).

If the operator is positioned after the source and source-wildcard, it must match the source port.

If the operator is positioned after the destination and destination-wildcard, it must match the destination port.

The range operator requires two port numbers. All other operators require one port number.

port (Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535.

TCP port names can be used only when filtering TCP.

UDP port names can be used only when filtering UDP.

established (Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case is that of the initial TCP datagram to form a connection.
log (Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)

The message includes the access list number, whether the packet was encrypted/decrypted or not; the protocol, whether it was TCP, UDP, ICMP, or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets encrypted/decrypted or not in the prior 5-minute interval.

clear crypto connection

To terminate an encrypted session in progress, use the clear crypto connection global configuration command.

clear crypto connection connection-id
connection-id Identifies the encrypted session to terminate.

crypto algorithm 40-bit-des

To globally enable 40-bit Data Encryption Standard (DES) algorithm types, use the crypto algorithm 40-bit-des global configuration command. Use the no form of this command to globally disable a 40-bit DES algorithm type.

crypto algorithm 40-bit-des [cfb-8 | cfb-64]
no crypto algorithm 40-bit-des [cfb-8 | cfb-64]
cfb-8 (Optional) Selects the 8-bit Cipher FeedBack (CFB) mode of the 40-bit DES algorithm. If no CFB mode is specified when you issue the command, 64-bit CFB mode is the default.
cfb-64 (Optional) Selects the 64-bit CFB mode of the 40-bit DES algorithm. If no CFB mode is specified when you issue the command, 64-bit CFB mode is the default.

crypto algorithm des

To globally enable Data Encryption Standard (DES) algorithm types that use a 56-bit DES key, use the crypto algorithm des global configuration command. Use the no form of this command to globally disable a DES algorithm type.

crypto algorithm des [cfb-8 | cfb-64]
no crypto algorithm des [cfb-8 | cfb-64]
cfb-8 (Optional) Selects the 8-bit Cipher FeedBack (CFB) mode of the basic DES algorithm. If no CFB mode is specified when you issue the command, 64-bit CFB mode is the default.
cfb-64 (Optional) Selects the 64-bit CFB mode of the basic DES algorithm. If no CFB mode is specified when you issue the command, 64-bit CFB mode is the default.

crypto clear-latch

To reset an Encryption Service Adapter (ESA) in a Cisco 7500 series router, use the crypto clear-latch global configuration command.

crypto clear-latch [slot] (for Cisco 7500 series routers with an installed ESA only)
slot Identifies the ESA to reset, by naming the slot of the ESA's second-generation Versatile Interface Processor (VIP2).

crypto gen-signature-keys

To generate a Digital Signature Standard (DSS) public/private key pair, use the crypto gen-signature-keys global configuration command.

crypto gen-signature-keys key-name (for Cisco routers other than Cisco 7500 series routers)
crypto gen-signature-keys key-name [slot] (for Cisco 7500 series routers)
key-name A name you assign to the crypto engine. This will name either the Cisco IOS software crypto engine, a second-generation Versatile Interface Processor (VIP2) crypto engine, or an Encryption Service Adapter (ESA) crypto engine. Any character string is valid. Using a fully qualified domain name might make it easier to identify public keys.
slot (Optional) Used to identify the crypto engine (by location). Use the chassis slot number of the crypto engine location. This argument is available only on Cisco 7500 series routers. This will be either the chassis slot number of the Route Switch Processor (RSP) for the Cisco IOS crypto engine, or the chassis slot number of a VIP2 for a VIP2 or ESA crypto engine. The value is a positive integer. If no slot is specified, the RSP slot will be assigned as the default (selecting the Cisco IOS crypto engine).

crypto key-exchange

To exchange Digital Signature Standard (DSS) public keys, the administrator of the peer encrypting router that is designated ACTIVE must use the crypto key-exchange global configuration command.

crypto key-exchange ip-address key-name [tcp-port]
ip-address The IP address of the peer router (designated PASSIVE) participating with you in the key exchange.
key-name Identifies the crypto engine--either the Cisco IOS crypto engine, a second-generation Versatile Interface Processor (VIP2) crypto engine, or an Encryption Service Adapter (ESA) crypto engine. This name must match the key-name argument assigned when you generated DSS keys using the crypto gen-signature-keys command.
tcp-port (Optional) Cisco IOS software uses the unassigned1 TCP port number of 1964 to designate a key exchange. You may use this optional keyword to select a different number to designate a key exchange, if your system already uses the port number 1964 for a different purpose. If this keyword is used, you must use the same value as the PASSIVE router's tcp-port value.

1 1964 is a TCP port number that has not been preassigned by the Internetworking Engineering Task Force (IETF).

crypto key-exchange passive

To enable an exchange of Digital Signature Standard (DSS) public keys, the administrator of the peer encrypting router that is designated PASSIVE must use the crypto key-exchange passive global configuration command.

crypto key-exchange passive [tcp-port]
tcp-port (Optional) Cisco IOS software uses the unassigned1 TCP port number of 1964 to designate a key exchange. You may use this optional keyword to select a different number to designate a key exchange, if your system already uses the port number 1964 for a different purpose. If this keyword is used, you must use the same value as the ACTIVE router's tcp-port value.

1 1964 is a TCP port number that has not been pre-assigned by the Internetworking Engineering Task Force (IETF).

crypto key-timeout

To specify the time duration of encrypted sessions, use the crypto key-timeout global configuration command. Use the no form to restore the time duration of encrypted sessions to the default of 30 minutes.

crypto key-timeout minutes
no crypto key-timeout minutes
minutes Specifies the time duration of encrypted sessions. Can be from 1 to 1440 minutes (24 hours) in 1 minute increments. Specified by an integer from 1 to 1440.

When the no form of the command is used, this argument is optional. Any value supplied for the argument is ignored by the router.

crypto map (global configuration)

To create or modify a crypto map definition and enter the crypto map configuration mode, use the crypto map global configuration command. Use the no form of this command to delete a crypto map definition.

crypto map map-name [seq-num]
no crypto map map-name [seq-num]
map-name The name you assign to the crypto map.
seq-num (Optional) Identifies the sequence number (definition set) of the crypto map. If no sequence number is specified, it is assumed that this is a new map definition (even if a crypto map already exists with the map-name), and a new sequence number will be assigned by default. Therefore, it is strongly recommended that you always use this argument.

crypto map (interface configuration)

To apply a previously defined crypto map to an interface, use the crypto map interface configuration command. Use the no form of the command to eliminate the crypto map from the interface.

crypto map map-name
no crypto map map-name
map-name The name which identifies the crypto map. This is the name assigned when the crypto map was created.

When the no form of the command is used, this argument is optional. Any value supplied for the argument is ignored by the router.

crypto pregen-dh-pairs

To enable pregeneration of Diffie-Hellman (DH) public numbers, use the crypto pregen-dh-pairs global configuration command. Use the no form to disable pregeneration of DH public numbers for all crypto engines.

crypto pregen-dh-pairs count (for Cisco routers other than Cisco 7500 series routers)
crypto pregen-dh-pairs count [slot] (for Cisco 7500 series routers)
no crypto pregen-dh-pairs
count Specifies how many DH pubic numbers to pregenerate and hold in reserve. Specified by an integer from 0 to 10.
slot (Optional) Used to identify the crypto engine. Use the chassis slot number of the crypto engine location. This argument is available only on Cisco 7500 series routers. This will be either the chassis slot number of the Route Switch Processor (RSP) for the Cisco IOS crypto engine, or the chassis slot number of a second-generation Versatile Interface Processor (VIP2) for a VIP2 or ESA crypto engine. The value is a positive integer. If no slot is specified, the RSP slot will be assigned as the default (selecting the Cisco IOS crypto engine).

crypto public-key

To manually specify the Digital Signature Standard (DSS) public key of a peer encrypting router, use the crypto public-key global configuration command. Use the no form of this command to delete the DSS public key of a peer encrypting router.

crypto public key key-name serial-number
hex-key-data
hex-key-data...
 quit
no crypto public key key-name serial-number
key-name Identifies the crypto engine of the peer encrypting router.
serial-number The serial number of the peer encrypting router's public DSS key.

When the no form of the command is used, this argument is optional. Any value supplied for the argument is ignored by the router.

hex-key-data The DSS public key of the peer encrypting router, in hexadecimal format.

crypto zeroize

To delete the Digital Signature Standard (DSS) public/private key pair of a crypto engine, use the crypto zeroize global configuration command.

crypto zeroize [slot]
slot (Optional) Used to identify the crypto engine. Use the chassis slot number of the crypto engine location. This argument is available only on Cisco 7500 series routers. This will be either the chassis slot number of the Route Switch Processor (RSP) for the Cisco IOS crypto engine, or the chassis slot number of a second-generation Versatile Interface Processor (VIP2) for a VIP2 or ESA crypto engine. The value is a positive integer. If no slot is specified, the RSP slot will be assigned as the default (selecting the Cisco IOS crypto engine).

deny

To set conditions for a named encryption access list, use the deny access-list configuration command. The deny command prevents IP traffic from being encrypted/decrypted if the conditions are matched. To remove a deny condition from an encryption access list, use the no form of this command.

deny source [source-wildcard]
no deny source [source-wildcard] deny protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log]
no access-list access-list-number

For ICMP, you can also use the following syntax:

deny icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] |
icmp-message] [precedence precedence] [tos tos] [log]

For IGMP, you can also use the following syntax:

deny igmp source source-wildcard destination destination-wildcard [igmp-type]
[precedence precedence] [tos tos] [log]

For TCP, you can also use the following syntax:

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit}
tcp source source-wildcard [operator port [port]] destination destination-wildcard
[operator port [port]] [established] [precedence precedence] [tos tos] [log]

For UDP, you can also use the following syntax:

deny udp source source-wildcard [operator port [port]] destination destination-wildcard
[operator port [port]] [precedence precedence] [tos tos] [log]
source Number of the network or host from which the packet is being sent. There are two alternative ways to specify the source:

  • Use a 32-bit quantity in four-part, dotted-decimal format.

  • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended.

source-wildcard

 (Optional) Wildcard bits to be applied to the source. There are two alternative ways to specify the source wildcard:

  • Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.

  • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended.

protocol

 Name or number of an IP protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range 0 through 255 representing an IP protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the keyword ip. Some protocols allow further qualifiers described later.
source Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source:

  • Use a 32-bit quantity in four-part, dotted-decimal format.

  • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended.

  • Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

source-wildcard

 Wildcard bits to be applied to source. There are three alternative ways to specify the source wildcard:

  • Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.

  • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended.

  • Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

destination

 Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination:

  • Use a 32-bit quantity in four-part, dotted-decimal format.

  • Use the keyword any as an abbreviation for the destination and destination-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended.

  • Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

destination-wildcard

Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard:

  • Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.

  • Use the keyword any as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended.

  • Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

precedence precedence

 (Optional) Packets can be matched for encryption by precedence level, as specified by a number from 0 to 7 or by name.
tos tos (Optional) Packets can be matched for encryption by type of service level, as specified by a number from 0 to 15 or by name.
icmp-type (Optional) ICMP packets can be matched for encryption by ICMP message type. The type is a number from 0 to 255.
icmp-code (Optional) ICMP packets which are matched for encryption by ICMP message type can also be matched by the ICMP message code. The code is a number from 0 to 255.
icmp-message (Optional) ICMP packets can be matched for encryption by an ICMP message type name or ICMP message type and code name.
igmp-type (Optional) IGMP packets can be matched for encryption by IGMP message type or message name. A message type is a number from 0 to 15.
operator (Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).

If the operator is positioned after the source and source-wildcard, it must match the source port.

If the operator is positioned after the destination and destination-wildcard, it must match the destination port.

The range operator requires two port numbers. All other operators require one port number.

port (Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65,535. TCP port names can only be used when filtering TCP. UDP port names can only be used when filtering UDP.
established (Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case is that of the initial TCP datagram to form a connection.
log (Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)

The message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP, or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.

ip access-list extended (encryption)

To define an encryption access list by name, use the ip access-list extended global configuration command. To remove a named encryption access list, use the no form of this command.

ip access-list extended name
no ip access-list extended name
name Name of the encryption access list. Names cannot contain a space or quotation mark, and must begin with an alphabetic character to prevent ambiguity with numbered access lists.

match access list

To specify an encryption access list within a crypto map definition, use the match access list crypto map configuration command. Use the no form of this command to eliminate an encryption access list from a crypto map definition.

match access list [access-list-number | name]
no match access list [access-list-number | name]
access-list-number Identifies the numbered encryption access list. This value should match the access-list-number argument of the numbered encryption access list being matched.
name Identifies the named encryption access list. This name should match the name argument of the named encryption access list being matched.

permit

To set conditions for a named encryption access list, use the permit access-list configuration command. The permit command causes IP traffic to be encrypted/decrypted if the conditions are matched. To remove a permit condition from an encryption access list, use the no form of this command.

permit source [source-wildcard]
no permit source [source-wildcard] permit protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log]
no permit protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log]

For ICMP, you can also use the following syntax:

permit icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] |
icmp-message] [precedence precedence] [tos tos] [log]

For IGMP, you can also use the following syntax:

permit igmp source source-wildcard destination destination-wildcard [igmp-type]
[precedence precedence] [tos tos] [log]

For TCP, you can also use the following syntax:

permit tcp source source-wildcard [operator port [port]] destination destination-wildcard
[operator port [port]] [established] [precedence precedence] [tos tos] [log]

For UDP, you can also use the following syntax:

permit udp source source-wildcard [operator port [port]] destination destination-wildcard
[operator port [port]] [precedence precedence] [tos tos] [log]
source Number of the network or host from which the packet is being sent. There are two alternative ways to specify the source:

  • Use a 32-bit quantity in four-part, dotted-decimal format.

  • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended.

source-wildcard

 (Optional) Wildcard bits to be applied to the source. There are two alternative ways to specify the source wildcard:

  • Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.

  • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended.

protocol

 Name or number of an IP protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range 0 through 255 representing an IP protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the keyword ip. Some protocols allow further qualifiers described later.
source Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source:

  • Use a 32-bit quantity in four-part, dotted-decimal format.

  • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended.

  • Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

source-wildcard

 Wildcard bits to be applied to source. There are three alternative ways to specify the source wildcard:

  • Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.

  • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended.

  • Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

destination

 Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination:

  • Use a 32-bit quantity in four-part, dotted-decimal format.

  • Use the keyword any as an abbreviation for the destination and destination-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended.

  • Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

destination-wildcard

Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard:

  • Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.

  • Use the keyword any as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended.

  • Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

precedence precedence

 (Optional) Packets can be matched for encryption by precedence level, as specified by a number from 0 to 7 or by name.
tos tos (Optional) Packets can be matched for encryption by type of service level, as specified by a number from 0 to 15 or by name.
icmp-type (Optional) ICMP packets can be matched for encryption by ICMP message type. The type is a number from 0 to 255.
icmp-code (Optional) ICMP packets which are matched for encryption by ICMP message type can also be matched by the ICMP message code. The code is a number from 0 to 255.
icmp-message (Optional) ICMP packets can be matched for encryption by an ICMP message type name or ICMP message type and code name.
igmp-type (Optional) IGMP packets can be matched for encryption by IGMP message type or message name. A message type is a number from 0 to 15.
operator (Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).

If the operator is positioned after the source and source-wildcard, it must match the source port.

If the operator is positioned after the destination and destination-wildcard, it must match the destination port.

The range operator requires two port numbers. All other operators require one port number.

port (Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP port names can only be used when filtering TCP. UDP port names can only be used when filtering UDP.
established (Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case is that of the initial TCP datagram to form a connection.
log (Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)

The message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP, or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.

set algorithm 40-bit-des

To specify a 40-bit Data Encryption Standard (DES) algorithm type within a crypto map definition, use the set algorithm 40-bit-des crypto map configuration command. Use the no form of this command to disable a 40-bit DES algorithm type within a crypto map definition.

set algorithm 40-bit-des [cfb-8 | cfb-64]
no set algorithm 40-bit-des [cfb-8 | cfb-64]
cfb-8 (Optional) Selects the 8-bit Cipher FeedBack (CFB) mode of the 40-bit DES algorithm. If no CFB mode is specified when the command is issued, 64-bit CFB mode is the default.
cfb-64 Selects the 64-bit CFB mode of the 40-bit DES algorithm. If no CFB mode is specified when the command is issued, 64-bit CFB mode is the default.

set algorithm des

To enable basic Data Encryption Standard (DES) algorithm types within a crypto map definition, use the set algorithm des crypto map configuration command. Use the no form of this command to disable a basic DES algorithm type within a crypto map definition.

set algorithm des [cfb-8 | cfb-64]
no set algorithm des [cfb-8 | cfb-64]
cfb-8 (Optional) Selects the 8-bit Cipher FeedBack (CFB) mode of the basic DES algorithm. If no CFB mode is specified when the command is issued, 64-bit CFB mode is the default.
cfb-64 (Optional) Selects the 64-bit CFB mode of the basic DES algorithm. If no CFB mode is specified when the command is issued, 64-bit CFB mode is the default.

set peer

To specify a peer encrypting router within a crypto map definition, use the set peer crypto map configuration command. Use the no form of this command to eliminate a peer encrypting router from a crypto map definition.

set peer key-name
no set peer key-name
key-name Identifies the crypto engine of the peer encrypting router.

show crypto algorithms

To view which Data Encryption Standard (DES) algorithm types are globally enabled for your router, use the show crypto algorithms privileged EXEC command. This displays all basic DES and 40-bit DES algorithm types globally enabled.

show crypto algorithms

show crypto card

To view the operational status of an Encryption Service Adapter (ESA), use the show crypto card privileged EXEC command. This command is valid only for a Cisco 7500 series router with an installed ESA.

show crypto card [slot] (for Cisco 7500 series routers with an installed ESA only)
slot Identifies the ESA to show, by naming the slot of the ESA's second-generation Versatile Interface Processor (VIP2).

show crypto connections

To view current and pending encrypted session connections, use the show crypto connections privileged EXEC command.

show crypto connections

show crypto engine brief

To view all crypto engines within a Cisco 7500 series router, use the show crypto engine brief privileged EXEC command.

show crypto engine brief (for Cisco 7500 series routers only)

show crypto engine configuration

To view the Cisco IOS crypto engine of your router, use the show crypto engine configuration privileged EXEC command.

show crypto engine configuration

show crypto engine connections active

To view the current active encrypted session connections for all crypto engines, use the show crypto engine connections active privileged EXEC command.

show crypto engine connections active (for Cisco routers other than Cisco 7500 series routers)
show crypto engine connections active [slot] (for Cisco 7500 series routers)
slot (Optional) Used to identify the crypto engine. Use the chassis slot number of the crypto engine location. This argument is available only on Cisco 7500 series routers. This will be either the chassis slot number of the Route Switch Processor (RSP) for the Cisco IOS crypto engine, or the chassis slot number of a second-generation Versatile Interface Processor (VIP2) for a VIP2 or ESA crypto engine. The value is a positive integer. If no slot is specified, the RSP slot will be assigned as the default (selecting the Cisco IOS crypto engine).

show crypto engine connections dropped-packets

To view information about packets dropped during encrypted sessions for all router crypto engines, use the show crypto engine connections dropped-packets privileged EXEC command.

show crypto engine connections dropped-packets

show crypto key-timeout

To view the current setting for the time duration of encrypted sessions, use the show crypto key-timeout privileged EXEC command.

show crypto key-timeout

show crypto map

To view all created crypto maps of your router, use the show crypto map privileged EXEC command.

show crypto map

show crypto map interface

To view the crypto map applied to a specific interface, use the show crypto map interface privileged EXEC command.

show crypto map interface interface



 interface

 Designates the router interface.



 show crypto map tag


 To view a specific crypto map, use the show crypto map tag privileged EXEC command.

show crypto map tag map-name

 map-name
 Identifies the crypto map by its name. This should match the map-name argument assigned during crypto map creation.



 show crypto mypubkey


 To view Digital Signature Standard (DSS) public keys (for all your router crypto engines) in hexadecimal form, use the show crypto mypubkey EXEC command.

show crypto mypubkey (for Cisco routers other than Cisco 7500 series routers)
show crypto mypubkey [rsp] (for Cisco 7500 series routers)

 rsp
 (Optional) If this argument is used, only the DSS public keys for the Route Switch Processor (RSP) (Cisco IOS crypto engine) will be displayed.

 If this argument is not used, DSS public keys for all crypto engines will be displayed.


 This argument is available only on Cisco 7500 series routers.




 show crypto pregen-dh-pairs


 To view the number of Diffie-Hellman (DH) number pairs currently generated, use the show crypto pregen-dh-pairs privileged EXEC command.

show crypto pregen-dh-pairs (for Cisco routers other than Cisco 7500 series routers)
show crypto pregen-dh-pairs [slot] (for Cisco 7500 series routers)

 slot
 (Optional) Used to identify the crypto engine. Use the chassis slot number of the crypto engine location. This argument is available only on Cisco 7500 series routers. This will be either the chassis slot number of the Route Switch Processor (RSP) for the Cisco IOS crypto engine, or the chassis slot number of a second-generation Versatile Interface Processor (VIP2) for a VIP2 or ESA crypto engine. The value is a positive integer. If no slot is specified, the RSP slot will be assigned as the default (selecting the Cisco IOS crypto engine).



 show crypto pubkey


 To view all peer router Digital Signature Standard (DSS) public keys known to your router, use the show crypto pubkey EXEC command.

show crypto pubkey


 show crypto pubkey name


 To view a specific peer router Digital Signature Standard (DSS) public key known by its name, use the show crypto pubkey name EXEC command.

show crypto pubkey name key-name

 key-name
 Identifies the crypto engine of the peer router.



 show crypto pubkey serial


 To view a specific peer router Digital Signature Standard (DSS) public key known by its serial number, use the show crypto pubkey serial EXEC command.

show crypto pubkey serial serial-number

 serial-number
 Identifies the serial number of the crypto engine.



 test crypto initiate-session


 To set up a test encryption session, use the test crypto initiate-session privileged EXEC command.

test crypto initiate-session src-ip-addr dst-ip-addr map-name seq-num

 src-ip-addr
 IP address of source host. Should be included in an encryption access list definition as a valid IP address source address.

 dst-ip-addr
 IP address of destination host. Should be included in an encryption access list definition as a valid IP address destination address.

 map-name
 Names the crypto map to be used.

 seq-num
 Names the crypto map sequence number.

hometocprevnextglossaryfeedbacksearchhelp
Copyright 1989-1997 © Cisco Systems Inc.