Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference, 2.2
D through F Commands


Table Of Contents

dbg

debug

default-information originate (route OSPF subcommand)

delete

description (submode)

dhcpd

dhcprelay

dir

disable

distance (router submode)

domain-name

dynamic-map

enable

established

exit

failover

failover interface ip

failover interface-policy

failover lan interface

failover lan unit

failover link

failover polltime

failover replication http

failover reset

filter ftp

filter https

filter url

firewall

fixup protocol

flashfs

floodguard

format

fragment

ftp mode


dbg

To enable debugging functions to troubleshoot the FWSM, use the dbg command. To disable debugging, use the no form of this command.

[no] dbg block sub-block

Syntax Description

block

Specifies block debugging.

sub-block

Specifies sub-block debugging.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to enable debugging on the FWSM:

fwsm(config)# dbg

debug

To debug packets or ICMP tracings to the interface to provide information for troubleshooting, use the debug command. To disable debugging, use the no form of this command.

[no] debug command

[no] debug packet interface_name [src s_ip [netmask m]] [dst d_ip [netmask m]] [[proto icmp] | [proto tcp [sport s_p] [dport d_p]] | [proto udp [sport s_p] [dport d_p]]] [rx | tx | both]

Syntax Description

Table 2-5, Table 2-6, and Table 2-7 list the syntax descriptions for the debug command.

Table 2-5 Debug Arguments and Keywords 

Syntax
Description

interface_name

(Optional) Interface name.

s_ip

(Optional) Source IP address.

m

(Optional) Network mask.

d_ip

(Optional) Destination IP address.

proto icmp

(Optional) Display ICMP packets only.

proto tcp

(Optional) Display TCP packets only.

s_p

(Optional) Source port.

d_p

(Optional) Destination port.

proto udp

(Optional) Display UDP packets only.

sport

(Optional) Source port.

dport

(Optional) Destination port.

rx

(Optional) Display only packets received at the FWSM firewall.

tx

(Optional) Display only packets transmitted from the FWSM firewall.

both

(Optional) Display both received and transmitted packets.


Table 2-6 debug Commands Without Arguments or Keywords 

Syntax
Description

debug arp

Displays ARP information.

debug crypto vpnclient

Displays information about the FWSM EasyVPN client.

debug ctiqbe

Displays information about CTI Quick Buffer Encoding (CTIQBE), which is used with Cisco TAPI/JTAPI applications.

debug icmp trace

Displays information about ICMP traffic.

debug ils

Displays Internet Locator Service (ILS) fixup information (used in LDAP services).

debug rip

Displays information about RIP.

debug route

Displays information from the FWSM routing module.

debug rtsp

Displays information about RTSP.

debug sip

Debugs the fixup Session Initiation Protocol (SIP) module.

debug skinny

Debugs SCCP protocol activity. (Using this command may impact performance on high-traffic network segments.)

debug sqlnet

Debugs SQL*Net traffic.

debug ssh

Debugs information and error messages that are associated with the ssh command.

no debug all

Stops any and all debug messages from being displayed.

undebug all

Stops any and all debug messages from being displayed.


Table 2-7 debug Commands With Arguments or Keywords 

Syntax
Syntax Description

debug aaa [authentication | authorization | accounting | internal]

Displays authentication, authorization, and accounting information.

authentication—(Optional) Specifies Network Time Protocol (NTP) clock authentication information.

authorization—(Optional) Specifies NTP clock authorization information.

accounting—(Optional) Specifies NTP clock accounting information.

internal—(Optional) Specifies NTP clock internal information.

debug access-list {all | standard | turbo}

Displays access list configuration information.

all—Displays both standard and Turbo ACL information.

standard—Displays non-Turbo ACL information.

turbo—Displays Turbo ACL information.

debug crypto {ca | ipsec | isakmp | vpnclient} [level]

Displays crypto information.

ca—Displays information about certification authority (CA) traffic.

ipsec—Displays information about IPSec traffic.

isakmp—Displays information about Internet Key Exchange (IKE) traffic.

vpnclient—Displays information about the FWSM EasyVPN client.

level—(Optional) Specifies the level of the debugging feedback. The higher the level number, the more information is displayed. The default level is 1. The levels correspond to the following events:

Level 1: Interesting events

Level 2: Normative and interesting events

Level 3: Diminutive, normative, and interesting events

debug dhcpd {event | packet}

Displays Dynamic Host Configuration Protocol (DHCP) server information.

event—Displays event information that is associated with the DHCP server.

packet—Displays packet information that is associated with the DHCP server.

debug dhcprelay {event | packet | error}

Displays DHCP relay agent information.

event—Displays event information that is associated with the DHCP relay agent.

packet—Displays packet information that is associated with the DHCP relay agent.

error—Displays error messages that are associated with the DHCP relay agent.

debug dns {resolver | all}

Displays Domain Name Server (DNS) debugging information.

resolver—Displays DNS resolution information.

all—Displays all DNS information.

debug fixup {udp | tcp}

Displays fixup information.

udp—Displays fixup information using UDP.

tcp—Displays fixup information using TCP.

debug fover option

Displays failover information.

option—Displays failover information. See Table 2-8 for the optional keywords.

debug h323 {h225 | h245 | ras} [asn | event]

Displays information about the packet-based multimedia communications systems standard.

h225—Specifies H.225 signaling.

h245—Specifies H.245 signaling.

ras—Specifies the registration, admission, and status protocol.

asn—(Optional) Displays the output of the decoded protocol data units (PDUs).

event—(Optional) Displays the events of the H.245 signaling or turns on both traces.

debug mgcp [messages | parser]

Displays Media Gateway Protocol (MGCP) information.

messages—(Optional) Displays debug information for MGCP messages.

parser—(Optional) Displays debug information about parsing MGCP messages.

debug ntp [adjust | authentication | events | loopfilter | packets | params | select | sync | validity]

Displays NTP information.

adjust—(Optional) Displays Network Time Protocol (NTP) clock adjustments.

authentication—(Optional) Displays NTP clock authentication.

events—(Optional) Displays NTP event information.

loopfilter—(Optional) Displays NTP loop filter information.

packets—(Optional) Displays NTP packet information.

params—(Optional) Displays NTP clock parameters.

select—(Optional) Displays NTP clock selections.

sync—(Optional) Displays NTP clock synchronization.

validity—(Optional) Displays NTP peer clock validity.

debug packet interface_name [src source_ip [netmask mask]] [dst dest_ip [netmask mask]] [[proto tcp [sport src_port] [dport dest_port]] | [proto udp [sport src_port] [dport dest_port]]] [rx | tx | both]

Displays packet information.

interface_name—Interface name from which the packets are arriving; for example, to monitor packets coming into the FWSM from the outside, set interface_name to outside.

src source_ip—(Optional) Source IP address.

netmask mask—(Optional) Network mask.

dst dest_ip—(Optional) Destination IP address.

proto tcp—(Optional) Displays TCP packets only.

sport src_port—(Optional) Source port. See the "Specifying Port Values" section in Appendix B, "Port and Protocol Values," for a list of valid port literal names.

dport dest_port—(Optional) Destination port.

proto udp—(Optional) Displays UDP packets only.

rx—(Optional) Displays only packets that were received at the FWSM.

tx—(Optional) Displays only packets that were transmitted from the FWSM.

both—(Optional) Displays packets that were received at or transmitted from the FWSM.

debug ppp {error | io | uauth | upap | chap | negotiation}

Displays packet information.

error—Displays Layer 2 Tunneling Protocol (L2TP) or Point-to-Point Protocol (PPP) virtual interface error messages.

io—Displays the packet information for L2TP or PPP virtual interfaces.

uauth—Displays the L2TP or PPP virtual interface AAA user authentication debugging messages.

upap—Displays Password Authentication Protocol (PAP) authentication.

chap—Displays Challenge Handshake Authentication Protocol (CHAP) or Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) authentication.

negotiation—Equivalent of the error, uauth, upap, and chap debug command keywords.

debug pppoe {event | error | packet}

Displays Point-to-Point Protocol over Ethernet (PPPoE) information.

event—Displays PPPoE event information.

error—Displays PPPoE error messages.

packet—Displays PPPoE packet information.

debug radius [session | all | user username]

Displays RADIUS information.

session—(Optional) Logs RADIUS session information and the attributes of sent and received RADIUS packets.

all—(Optional) Enables all RADIUS debug options.

user username—(Optional) Displays information for an individual username only.

debug vpdn {event | error | packet}

Displays L2TP protocol information.

event—(Optional) Displays L2 tunnel event change information.

error—(Optional) Displays L2TP protocol error messages.

packet—(Optional) Displays L2TP.


Defaults

The defaults are as follows:

MGCP debugging is disabled.

A session not using a trace channel has its output disabled.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

Entering the debug command allows you to see debug information, and entering the show debug command allows you to see the current state of tracing. To debug the contents of network layer protocol packets, use the debug packet command.


Note Using the debug commands may slow down traffic on busy networks.


If you enter the debug packet command on an FWSM that experiences a heavy load, the output might display so fast that you cannot stop the output when you enter the no debug packet command from the console. To fix this situation, you can enter the no debug packet command from a Telnet session.

To let users ping through the FWSM, add the access-list acl_grp permit icmp any any command to the configuration and bind it to each interface that you want to test with the access-group command. This action lets pings go outbound and inbound.

To stop the debug packet trace command, enter the following command:

fwsm/context_name(config)# no debug packet interface_name

Replace interface_name with the name of the interface; for example, inside, outside, or a perimeter interface name.

no debug all and undebug all

The no debug all and undebug all commands allow you to stop any and all debug messages from being displayed.

debug crypto

When creating your digital certificates, use the debug crypto ca command to ensure that the certificate is created correctly. Important error messages display only when the debug crypto ca command is enabled. For example, if you enter an Entrust fingerprint value incorrectly, the only warning message that indicates that the value is incorrect appears in the debug crypto ca command output.

Output from the debug crypto ipsec and debug crypto isakmp commands does not display in a Telnet console session.

debug dhcpc

The debug dhcpc detail command allows you to display detailed packet information about the Dynamic Host Configuration Protocol (DHCP) client. Entering the debug dhcpc error command displays DHCP client error messages. Entering the debug dhcpc packet command displays packet information about the DHCP client. To disable debugging, use the no form of the debug dhcpc command.

The debug dhcpd event command allows you to display event information about the DHCP server. Entering the debug dhcpd packet command displays packet information about the DHCP server. To disable debugging, use the no form of the debug dhcpd commands.

debug icmp

The debug icmp trace command allows you to display ICMP packet information, the source IP address, and the destination address of packets arriving, departing, and traversing the FWSM. This command can trace only packets that are pings to the interfaces.

To stop the debug icmp trace command, enter the following command:

fwsm/context_name(config)# no debug icmp trace

debug mgcp

The debug mgcp command allows you to display debug information for Media Gateway Control Protocol (MGCP) traffic. Without any options explicitly specified, the debug mgcp command allows you to enable all three MGCP debug options. The no debug mgcp command, without any options explicitly specified, disables all MGCP debugging.

debug sqlnet

The debug sqlnet command allows you to display reports on traffic between Oracle SQL*Net clients and servers through the FWSM.

debug ssh

The debug ssh command allows you to display reports on information and error messages associated with the ssh command.

debug fover

Table 2-8 lists the optional keywords for the debug fover command.

Table 2-8 debug fover Command Options 

Option
Description

fail

Failover internal exception

fmsg

Failover message

ifc

Network interface status trace

lanrx

LAN-based failover receive process messages

lanretx

LAN-based failover retransmit process messages

lantx

LAN-based failover transmit process messages

lancmd

LAN-based failover main thread messages

open

Failover device open

put

IP network packet transmitted

rxip

IP network failover packet received

txip

IP network failover packet transmit

verify

Failover message verify

switch

Failover switching status


Trace Channel Feature

The debug packet command allows you to send its output to the trace channel. All other debug commands do not. Using the trace channel changes the way that you can see output on your screen during an FWSM console or Telnet session.

If a debug command does not use the trace channel, each session operates independently, which means that commands started in a session appear only in that session. By default, a session not using a trace channel has its output disabled.

The location of the trace channel depends on whether you have a simultaneous Telnet console session running at the same time as the console session, or if you are using only the FWSM serial console:

If you are using only the FWSM serial console, all the debug commands display on the serial console.

If you have both a serial console session and a Telnet console session accessing the console, then no matter where you enter the debug commands, the output displays on the Telnet console session.

If you have two or more Telnet console sessions, the first session is the trace channel. If that session closes, the serial console session becomes the trace channel. The next Telnet console session that accesses the console becomes the trace channel.

The debug commands, except the debug crypto commands, are shared between all Telnet and serial console sessions.


Caution If one network administrator is using the serial console and another network administrator starts a Telnet console session, the serial console debug command output will suddenly stop without warning. If you are using the serial console and debug command output is not appearing, enter the who command to see if a Telnet console session is running.

Examples

This example shows partial sample output from the debug dhcpc packet and the debug dhcpc detail commands. The ip address dhcp setroute command was configured after entering the debug dhcpc commands to obtain debugging information.

fwsm/context_name(config)# debug dhcpc packet
fwsm/context_name(config)# debug dhcpc detail
fwsm/context_name(config)# ip address outside dhcp setroute
DHCP:allocate request
DHCP:new entry. add to queue
DHCP:new ip lease str = 0x80ce8a28
DHCP:SDiscover attempt # 1 for entry:
Temp IP addr:0.0.0.0 for peer on Interface:outside
Temp sub net mask:0.0.0.0
   DHCP Lease server:0.0.0.0, state:1 Selecting
   DHCP transaction id:0x8931
   Lease:0 secs, Renewal:0 secs, Rebind:0 secs
   Next timer fires after:2 seconds
   Retry count:1   Client-ID:cisco-0000.0000.0000-outside

DHCP:SDiscover:sending 265 byte length DHCP packet
DHCP:SDiscover 265 bytes
DHCP Broadcast to 255.255.255.255 from 0.0.0.0
DHCP client msg received, fip=10.3.2.2, fport=67
DHCP:Received a BOOTREP pkt
DHCP:Scan:Message type:DHCP Offer
DHCP:Scan:Server ID Option:10.1.1.69 = 450A44AB
DHCP:Scan:Server ID Option:10.1.1.69 = 450A44AB
DHCP:Scan:Lease Time:259200
DHCP:Scan:Subnet Address Option:255.255.254.0
DHCP:Scan:DNS Name Server Option:10.1.1.70, 10.1.1.140
DHCP:Scan:Domain Name:example.com
DHCP:Scan:NBNS Name Server Option:10.1.2.228, 10.1.2.87
DHCP:Scan:Router Address Option:10.3.2.1
DHCP:rcvd pkt source:10.3.2.2, destination: 255.255.255.255

This example executes the debug icmp trace command:

fwsm/context_name(config)# debug icmp trace

When you ping a host through the FWSM from any interface, the trace output displays on the console. This example shows a successful ping from an external host (209.165.201.2) to the FWSM outside interface (209.165.201.1).

Inbound ICMP echo reply (len 32 id 1 seq 256) 209.165.201.1 > 209.165.201.2
Outbound ICMP echo request (len 32 id 1 seq 512) 209.165.201.2 > 209.165.201.1
Inbound ICMP echo reply (len 32 id 1 seq 512) 209.165.201.1 > 209.165.201.2
Outbound ICMP echo request (len 32 id 1 seq 768) 209.165.201.2 > 209.165.201.1
Inbound ICMP echo reply (len 32 id 1 seq 768) 209.165.201.1 > 209.165.201.2
Outbound ICMP echo request (len 32 id 1 seq 1024) 209.165.201.2 > 209.165.201.1
Inbound ICMP echo reply (len 32 id 1 seq 1024) 209.165.201.1 > 209.165.201.2
NO DEBUG ICMP TRACE
ICMP trace off

The previous example shows that the Internet Control Message Protocol (ICMP) packet length is 32 bytes and the ICMP packet identifier is 1, followed by the ICMP sequence number, which starts at 0 and is incremented each time that a request is sent.
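The trace lines above carry everything needed to pair each echo request with its reply by (id, seq) and to spot the replies that have no matching request, which is what an operator is usually looking for when a ping "through" the FWSM fails. The following parser is an added example written for this page, not Cisco code; it assumes the line format shown above and, as constructed sample input, reuses the trace just printed, whose first reply (seq 256) belongs to a request sent before tracing started.

```python
import re

# Constructed sample: the debug icmp trace lines shown above, as the console prints them.
SAMPLE_TRACE = """\
Inbound ICMP echo reply (len 32 id 1 seq 256) 209.165.201.1 > 209.165.201.2
Outbound ICMP echo request (len 32 id 1 seq 512) 209.165.201.2 > 209.165.201.1
Inbound ICMP echo reply (len 32 id 1 seq 512) 209.165.201.1 > 209.165.201.2
Outbound ICMP echo request (len 32 id 1 seq 768) 209.165.201.2 > 209.165.201.1
Inbound ICMP echo reply (len 32 id 1 seq 768) 209.165.201.1 > 209.165.201.2
Outbound ICMP echo request (len 32 id 1 seq 1024) 209.165.201.2 > 209.165.201.1
Inbound ICMP echo reply (len 32 id 1 seq 1024) 209.165.201.1 > 209.165.201.2
NO DEBUG ICMP TRACE
ICMP trace off
"""

LINE_RE = re.compile(
    r"^(?P<direction>Inbound|Outbound) ICMP (?P<kind>echo request|echo reply) "
    r"\(len (?P<len>\d+) id (?P<id>\d+) seq (?P<seq>\d+)\) "
    r"(?P<src>\d+(?:\.\d+){3}) > (?P<dst>\d+(?:\.\d+){3})$"
)


def parse_trace(text):
    """Turn each ICMP trace line into a dict; status lines such as 'ICMP trace off' are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            for key in ("len", "id", "seq"):
                rec[key] = int(rec[key])
            records.append(rec)
    return records


def match_echoes(records):
    """Pair each echo request with the reply carrying the same (id, seq).

    Returns (pairs, unanswered, orphans, mismatched):
      pairs      - (request, reply) tuples whose addresses mirror each other
      unanswered - requests that never got a reply
      orphans    - replies with no request in the trace (e.g. sent before tracing began)
      mismatched - replies whose addresses do not mirror the matched request
    A later request with the same (id, seq) replaces the earlier pending one.
    """
    pending = {}
    pairs, orphans, mismatched = [], [], []
    for rec in records:
        key = (rec["id"], rec["seq"])
        if rec["kind"] == "echo request":
            pending[key] = rec
            continue
        req = pending.pop(key, None)
        if req is None:
            orphans.append(rec)
        elif rec["src"] == req["dst"] and rec["dst"] == req["src"]:
            pairs.append((req, rec))
        else:
            mismatched.append((req, rec))
    return pairs, list(pending.values()), orphans, mismatched


if __name__ == "__main__":
    pairs, unanswered, orphans, mismatched = match_echoes(parse_trace(SAMPLE_TRACE))
    print(f"{len(pairs)} answered, {len(unanswered)} unanswered, "
          f"{len(orphans)} replies without a request, {len(mismatched)} address mismatches")
```

Run against a trace captured while a ping fails, a growing "unanswered" list with no orphans points at the far side or at the access list on the return path, whereas orphans alone usually just mean tracing was started mid-ping, as in the sample.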

The following is sample output from the show debug command output. The sample output also includes the debug crypto commands.

fwsm/context_name(config)# show debug
debug vpdn event
debug crypto ipsec 1
debug crypto isakmp 1
debug crypto ca 1
debug icmp trace
debug packet outside both
debug sqlnet

This example shows the debugging messages for Unity client negotiation using Diffie-Hellman group 5:

fwsm(config)# debug crypto isakmp

check_isakmp_proposal:
is_auth_policy_configured: auth 1
is_auth_policy_configured: auth 4
ISAKMP (0): Checking ISAKMP transform 1 against priority 8 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 5
ISAKMP:      extended auth RSA sig
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b 
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 8 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 5
ISAKMP:      extended auth RSA sig
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b 
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 8 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 5
ISAKMP:      auth RSA sig
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b 
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 8 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 5
ISAKMP:      auth RSA sig
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b 
ISAKMP (0): atts are acceptable. Next payload is 3
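Reading which of several proposed transforms the policy finally accepted, and why the others were refused, is the usual job when a tunnel will not come up. The following parser is an added example written for this page, not Cisco code; it assumes the output format shown above and uses that output, copied verbatim, as its constructed sample. It groups attribute lines under their transform, records each verdict, reports for every rejected transform the attributes it carries that the accepted one does not, and decodes the variable-length life duration bytes into seconds.

```python
import re

# Constructed sample: the debug crypto isakmp output shown above for the four
# proposed transforms, copied as the console prints it.
SAMPLE_ISAKMP = """\
check_isakmp_proposal:
is_auth_policy_configured: auth 1
is_auth_policy_configured: auth 4
ISAKMP (0): Checking ISAKMP transform 1 against priority 8 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 5
ISAKMP:      extended auth RSA sig
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 8 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 5
ISAKMP:      extended auth RSA sig
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 8 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 5
ISAKMP:      auth RSA sig
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 8 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 5
ISAKMP:      auth RSA sig
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are acceptable. Next payload is 3
"""

TRANSFORM_RE = re.compile(r"^ISAKMP \(\d+\): Checking ISAKMP transform (\d+) against priority (\d+) policy")
RESULT_RE = re.compile(r"^ISAKMP \(\d+\): atts are (acceptable|not acceptable)\.")
ATTR_RE = re.compile(r"^ISAKMP:\s+(.+?)\s*$")


def parse_transforms(text):
    """Group the attribute lines under the transform they belong to and record the verdict."""
    transforms, current = [], None
    for line in text.splitlines():
        m = TRANSFORM_RE.match(line)
        if m:
            current = {"transform": int(m.group(1)), "policy": int(m.group(2)),
                       "attrs": [], "accepted": None}
            transforms.append(current)
            continue
        if current is None:
            continue  # preamble lines before the first transform
        m = RESULT_RE.match(line)
        if m:
            current["accepted"] = m.group(1) == "acceptable"
            continue
        m = ATTR_RE.match(line)
        if m:
            current["attrs"].append(m.group(1))
    return transforms


def explain_rejections(transforms):
    """Return the accepted transform and, per rejected transform, the attributes it
    carries that the accepted one does not (the likely reason the policy refused it)."""
    accepted = next((t for t in transforms if t["accepted"]), None)
    if accepted is None:
        return None, [(t["transform"], sorted(t["attrs"])) for t in transforms]
    wanted = set(accepted["attrs"])
    rejected = [(t["transform"], sorted(set(t["attrs"]) - wanted))
                for t in transforms if not t["accepted"]]
    return accepted, rejected


def life_duration_seconds(transform):
    """Decode the big-endian byte list in 'life duration (VPI) of ...' into seconds."""
    for attr in transform["attrs"]:
        m = re.match(r"life duration \(VPI\) of\s+(.+)$", attr)
        if m:
            raw = bytes(int(tok, 16) for tok in m.group(1).split())
            return int.from_bytes(raw, "big")
    return None
```

On the sample, transform 4 is the one accepted; transforms 1 and 3 differ from it by hash SHA, and 1 and 2 by the extended auth RSA sig attribute, so the local priority 8 policy evidently wants MD5 with plain RSA signature authentication. The bytes 0x0 0x20 0xc4 0x9b decode to 2147483 seconds, roughly 24.9 days.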

This example shows possible output for the debug mgcp messages command:

17: MGCP: Retransmitted command RSIP
        Gateway IP      gate-1
        Transaction ID  1
18: MGCP: Expired command RSIP
        Gateway IP      gate-1
        Transaction ID  1
19: MGCP: New command RSIP
        Gateway IP      gate-1
        Transaction ID  1
        Endpoint name   d001
        Call ID         
        Connection ID   
        Media IP        0.0.0.0
        Media port      0
        Flags           0x80
20: MGCP: Retransmitted command RSIP
        Gateway IP      gate-1
        Transaction ID  1

This example shows possible output for the debug mgcp parser command:

28: MGCP packet:
RSIP 1 d001@10.10.10.11 MGCP 1.0
RM: restart

29: MGCP: command verb - RSIP
30: MGCP: transaction ID - 1
31: MGCP: endpoint name - d001
32: MGCP: header parsing succeeded
33: MGCP: restart method - restart
34: MGCP: payload parsing succeeded
35: MGCP packet:
RSIP 1 d001@10.10.10.11 MGCP 1.0
RM: restart

36: MGCP: command verb - RSIP
37: MGCP: transaction ID - 1
38: MGCP: endpoint name - d001
39: MGCP: header parsing succeeded
40: MGCP: restart method - restart
41: MGCP: payload parsing succeeded

This example shows possible output for the debug mgcp sessions command:

91: NAT::requesting UDP conn for generic-pc-2/6166 [192.168.5.7/0]
        from dmz/ca:generic-pc-2/2427 to outside:generic-pc-1/2727
92: NAT::reverse route: embedded host at dmz/ca:generic-pc-2/6166
93: NAT::table route: embedded host at outside:192.168.5.7/0
94: NAT::pre-allocate connection for outside:192.168.5.7 to dmz/ca:generic-pc-2/6166
95: NAT::found inside xlate from dmz/ca:generic-pc-2/0 to outside:172.23.58.115/0
96: NAT::outside NAT not needed
97: NAT::created UDP conn dmz/ca:generic-pc-2/6166 <-> outside:192.168.5.7/0
98: NAT::created RTCP conn dmz/ca:generic-pc-2/6167 <-> outside:192.168.5.7/0
99: NAT::requesting UDP conn for 192.168.5.7/6058 [generic-pc-2/0]
        from dmz/ca:genericgeneric-pc-2/2427 to outside:generic-pc-1/2727
100: NAT::table route: embedded host at outside:192.168.5.7/6058
101: NAT::reverse route: embedded host at dmz/ca:generic-pc-2/0
102: NAT::pre-allocate connection for dmz/ca:generic-pc-2 to outside:192.168.5.7/6058
103: NAT::found inside xlate from dmz/ca:generic-pc-2/0 to outside:172.23.58.115/0
104: NAT::outside NAT not needed
105: NAT::created UDP conn dmz/ca:generic-pc-2/0 <-> outside:192.168.5.7/6058
106: NAT::created RTCP conn dmz/ca:generic-pc-2/0 <-> outside:192.168.5.7/6059
107: MGCP: New session
        Gateway IP     generic-pc-2
        Call ID        9876543210abcdef
        Connection ID  6789af54c9
        Endpoint name  aaln/1
        Media lcl port 6166
        Media rmt IP   192.168.5.7
        Media rmt port 6058
108: MGCP: Expired session, active 0:06:05
        Gateway IP      generic-pc-2
        Call ID         9876543210abcdef
        Connection ID   6789af54c9
        Endpoint name   aaln/1
        Media lcl port  6166
        Media rmt IP    192.168.5.7
        Media rmt port  6058

This example shows how to debug the contents of packets with the debug packet command:

fwsm/context_name(config)# debug packet inside
--------- PACKET ---------
-- IP --
4.3.2.1 ==>     255.3.2.1
        ver = 0x4       hlen = 0x5      tos = 0x0       tlen = 0x60
        id = 0x3902     flags = 0x0     frag off=0x0
        ttl = 0x20      proto=0x11      chksum = 0x5885
        -- UDP --
                source port = 0x89      dest port = 0x89
                len = 0x4c      checksum = 0xa6a0
        -- DATA --
                00000014:                                     00 01 00 00            |
         ....
                00000024: 00 00 00 01 20 45 49 45 50 45 47 45 47 45 46 46            | ..
.. EIEPEGEGEFF
                00000034: 43 43 4e 46 41 45 44 43 41 43 41 43 41 43 41 43            | CC
NFAEDCACACACAC
                00000044: 41 43 41 41 41 00 00 20 00 01 c0 0c 00 20 00 01            | AC
AAA.. ..... ..
                00000054: 00 04 93 e0 00 06 60 00 01 02 03 04 00                                                                        | ..
....`......
--------- END OF PACKET ---------
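When debug packet scrolls past on a loaded interface, the useful move is to decode the dump offline into the header fields and the payload bytes and to cross-check them. The following parser is an added example written for this page, not Cisco code; it assumes the layout shown above (section banners, key = 0xhex fields, and hex rows whose ASCII column may wrap onto its own line) and uses that dump, copied as its constructed sample. Port 0x89 is 137, the NetBIOS name service, which matches the encoded name visible in the ASCII column.

```python
import re

# Constructed sample: the debug packet inside output shown above, including the
# ASCII-column fragments that wrap onto their own lines on the console.
SAMPLE_DUMP = """\
--------- PACKET ---------
-- IP --
4.3.2.1 ==>     255.3.2.1
        ver = 0x4       hlen = 0x5      tos = 0x0       tlen = 0x60
        id = 0x3902     flags = 0x0     frag off=0x0
        ttl = 0x20      proto=0x11      chksum = 0x5885
        -- UDP --
                source port = 0x89      dest port = 0x89
                len = 0x4c      checksum = 0xa6a0
        -- DATA --
                00000014:                                     00 01 00 00            |
         ....
                00000024: 00 00 00 01 20 45 49 45 50 45 47 45 47 45 46 46            | ..
.. EIEPEGEGEFF
                00000034: 43 43 4e 46 41 45 44 43 41 43 41 43 41 43 41 43            | CC
NFAEDCACACACAC
                00000044: 41 43 41 41 41 00 00 20 00 01 c0 0c 00 20 00 01            | AC
AAA.. ..... ..
                00000054: 00 04 93 e0 00 06 60 00 01 02 03 04 00            | ..
....`......
--------- END OF PACKET ---------
"""

SECTION_RE = re.compile(r"^-- ([A-Z]+) --$")
ADDR_RE = re.compile(r"^(\d+(?:\.\d+){3})\s*==>\s*(\d+(?:\.\d+){3})$")
FIELD_RE = re.compile(r"([a-z][a-z ]*?)\s*=\s*(0x[0-9a-fA-F]+)")
HEX_ROW_RE = re.compile(r"^([0-9a-fA-F]{8}):([^|]*)\|")
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_packet_dump(text):
    """Decode one PACKET ... END OF PACKET block into header fields and payload bytes."""
    pkt = {"src": None, "dst": None, "sections": {}, "data_offset": None, "data": b""}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            pkt["sections"].setdefault(section, {})
            continue
        m = ADDR_RE.match(line)
        if m:
            pkt["src"], pkt["dst"] = m.groups()
            continue
        if section == "DATA":
            m = HEX_ROW_RE.match(line)
            if m:  # anything else in this section is a wrapped ASCII fragment
                if pkt["data_offset"] is None:
                    pkt["data_offset"] = int(m.group(1), 16)
                tokens = [t for t in m.group(2).split() if re.fullmatch(r"[0-9a-fA-F]{2}", t)]
                pkt["data"] += bytes(int(t, 16) for t in tokens)
        elif section is not None:
            for key, val in FIELD_RE.findall(line):
                pkt["sections"][section][key.strip()] = int(val, 16)
    return pkt


def check_packet(pkt):
    """Cross-check decoded fields; returns findings (an empty list means consistent)."""
    findings = []
    ip = pkt["sections"].get("IP", {})
    header_len = ip.get("hlen", 0) * 4
    proto = PROTO_NAMES.get(ip.get("proto"))
    if proto is None:
        findings.append(f"unrecognised IP protocol {ip.get('proto')}")
    elif proto not in pkt["sections"]:
        findings.append(f"IP says {proto} but no {proto} section was decoded")
    elif proto == "UDP":
        udp_len = pkt["sections"]["UDP"].get("len")
        expected = ip.get("tlen", 0) - header_len
        if udp_len != expected:
            findings.append(f"UDP length {udp_len} != IP total length minus header ({expected})")
    return findings


def describe(pkt):
    """One-line summary of the kind an operator scans for when many packets scroll by."""
    ip = pkt["sections"].get("IP", {})
    proto = PROTO_NAMES.get(ip.get("proto"), f"proto {ip.get('proto')}")
    l4 = pkt["sections"].get(proto, {})
    ports = f" {l4['source port']} -> {l4['dest port']}" if "source port" in l4 else ""
    return (f"{proto} {pkt['src']} -> {pkt['dst']}{ports}, ttl {ip.get('ttl')}, "
            f"{len(pkt['data'])} payload bytes shown")


if __name__ == "__main__":
    packet = parse_packet_dump(SAMPLE_DUMP)
    print(describe(packet))
    print(check_packet(packet) or "header fields are consistent")
```

For the sample the IP total length 0x60 (96) minus a 20-byte header gives exactly the UDP length 0x4c (76), so the two layers agree; the payload rows reassemble to 65 bytes starting at offset 0x14.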

This example shows sample output from the show debug command:

fwsm/context_name(config)# show debug
debug icmp trace off
debug packet off
debug sqlnet off

Related Commands

mgcp
show conn
timeout

default-information originate (route OSPF subcommand)

To generate a type 7 default in the not-so-stubby area (NSSA), use the default-information originate command.

default-information originate [always] [metric metric_value] [metric-type {1 | 2}] [route-map map_name]

Syntax Description

always

(Optional) Specifies that a type 7 default is always generated.

metric metric_value

(Optional) Specifies the Open Shortest Path First (OSPF) default metric value from 0 to 16777214.

metric-type 1

(Optional) Specifies the type of OSPF metric routes; the valid value is 1.

metric-type 2

(Optional) Specifies the type of OSPF metric routes; the valid value is 2.

route-map map_name

(Optional) Name of the route map to apply.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode

Command Mode: configuration mode

Firewall Mode: routed firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

This command is supported on an NSSA area border router (ABR) or an NSSA autonomous system boundary router (ASBR) only.

The show ip ospf command displays the configured router ospf subcommands.

Examples

This example shows how to generate a type 7 default in the NSSA area:

fwsm/context_name(config)# default-information originate

Related Commands

router ospf
show default-information originate
show ip ospf

delete

To delete a file in the disk partition, use the delete command.

delete [/noconfirm] [/recursive] [/force] [disk:]path

Syntax Description

/noconfirm

(Optional) Specifies not to prompt for confirmation.

/recursive

(Optional) Deletes the specified file recursively in all subdirectories.

/force

(Optional) Deletes the specified file without prompting you to confirm the delete action.

disk:

(Optional) Changes the current working directory.

path

Specifies the path and filename.


Defaults

If you do not specify a directory, the directory is disk: by default.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system command line

Command Mode: privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The filename prompt is still on if the disk partition is the only option. However, you may include it before the path.

The file is deleted from the current working directory if a path is not specified. Wildcards are supported when deleting files. When deleting files, you are prompted with the filename and you must confirm the delete. If you use the delete disk command, you are prompted to enter the filename for deletion.

Examples

This example shows how to delete a file named test.cfg in the root directory:

fwsm(config)# delete test.cfg

This example shows how to recursively delete all files but not directories under the configuration directory:

fwsm(config)# delete /recursive disk:/configs/*

All files in the disk partition are deleted because of the wildcard * meaning all.

This example shows how to force a file deletion:

fwsm(config)# delete /force *

Related Commands

cd
copy disk
copy flash
copy tftp
dir
format
mkdir
more
pwd
rename
rmdir
show file

description (submode)

To configure the context description information, use the description command. To remove the context description information from the configuration, use the no form of this command.

[no] description text

Syntax Description

text

Context description.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: multiple context mode

Access Location: system command line

Command Mode: privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The description command can also be used as a context submode command and an object-group submode command.

Examples

This example shows how to configure the context description information:

fwsm(config)# description my admin context
fwsm(config)# show context detail
Context "my_context", has been created, but the config hasn't been parsed
  Desc: my admin context
  Config URL: n/a
  Real Interfaces:
  Mapped Interfaces:
  Class: default, Flags: 0x00000043, ID: 1
Context "system", is a system resource
  Config URL: flash:config
  Real Interfaces:
  Mapped Interfaces:
  Class: default, Flags: 0x00000019, ID: 257
Context "null", is a system resource
  Config URL: ... null ...
  Real Interfaces:
  Mapped Interfaces:
  Class: default, Flags: 0x00000009, ID: 258

Related Commands

context

dhcpd

To configure the DHCP server, use the dhcpd command. To remove the specified configuration or disable a function, use the no form of this command.

dhcpd {address ip1[-ip2] srv_interface_name} | {dns dnsip1 [dnsip2]} | {wins winsip1 [winsip2]} | {lease lease_length} | {domain domain_name} | {enable server_interface_name}

dhcpd option code {ascii string | hex hex_string | ip address_1 [address_2]}

dhcpd ping_timeout timeout

no dhcpd option code

Syntax Description

address ip1

Start address of the DHCP address pool.

address ip2

(Optional) End address of the DHCP address pool.

server_interface_name

Interface on which to enable the DHCP server; defaults to the inside interface.

dns dnsip1

IP addresses of the DNS servers for the DHCP client.

dns dnsip2

(Optional) IP addresses of the DNS servers for the DHCP client.

wins winsip1

Specifies the IP addresses of the Microsoft NetBIOS name servers (WINS server).

wins winsip2

(Optional) Specifies the IP addresses of the Microsoft NetBIOS name servers (WINS server).

lease lease_length

Length of the lease, in seconds, granted to the DHCP client from the DHCP server; valid values are from 300 to 1048575 seconds.

domain domain_name

DNS domain name.

enable server_interface_name

Specifies the interface on which to enable the DHCP server.

option code

Positive number representing the DHCP option code; valid values are 66 or 150.

ascii string

Specifies an ASCII character string without white space representing the TFTP server.

hex hex_string

Specifies the TFTP server in dotted decimal format, such as 1.1.1.1, but is treated as a character string without white spaces by the FWSM DHCP server.

ip address_1

Specifies the IP addresses of a TFTP server.

ip address_2

(Optional) Specifies the IP addresses of a TFTP server.

ping_timeout timeout

Allows the configuration of the timeout value of a ping in milliseconds, before assigning an IP address to a DHCP client.


Defaults

lease_length is 3600 seconds.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The address ip1 [ip2] arguments specify an IP address pool range. On the FWSM the pool is limited to 256 addresses (the smaller 32- and 128-address limits tied to 10-user and 50-user licenses apply to user-licensed platforms, not to the FWSM).

If the address pool range is larger than 253 addresses, the netmask of the FWSM interface cannot be a /24 (for example, 255.255.255.0); it must cover a larger block, for example 255.255.254.0. The interface address itself, the network address, and the broadcast address cannot be handed out, which is why a /24 holds at most 253 pool addresses.

The dns dns1 [dns2] keywords specify the DNS server address(es) handed to DHCP clients in the lease; the second server address is optional.

The lease lease_length keyword sets the length of the lease, in seconds, that the DHCP server grants to a client. The lease indicates how long the client can use the assigned IP address. The default is 3600 seconds and the minimum is 300 seconds; the maximum is given as 2,147,483,647 seconds here and as 1048575 seconds in the Syntax Description, so confirm the upper bound accepted by your release.

The option 150 command allows you to specify the TFTP server IP address(es) that are designated for Cisco IP phones in dotted decimal format. DHCP option 150 is site specific; it gives the IP addresses of a list of TFTP servers.

A DHCP server provides network configuration parameters to a DHCP client. Support for the DHCP server within the FWSM means that the FWSM can use DHCP to configure connected clients. This DHCP feature is designed for the remote home or branch office that will establish a connection to an enterprise or corporate network. Refer to the Cisco Firewall and VPN Configuration Guide for information on how to implement the DHCP server feature into the FWSM.

You must specify an interface name, interface_name, for the dhcpd address and dhcpd enable commands when using FWSM software Version 2.2(1). In earlier software versions, only the inside interface could be configured as the DHCP server so there was no need to specify interface_name.


Note The FWSM DHCP server does not support some BOOTP requests or failover configurations.


The dhcpd address ip1[-ip2] interface_name command specifies the DHCP server address pool. The pool must lie within the subnet of the FWSM interface on which the server is enabled, and you must name that interface with interface_name. Clients must be directly connected to the subnet of that FWSM interface. The pool size is limited to 256 addresses per pool on the FWSM. The dhcpd address command cannot use names that contain a "-" (dash) character, because the "-" is interpreted as a range separator rather than as part of the object name.

The no dhcpd address command allows you to remove the DHCP server address pool that you configured.

The dhcpd dns command allows you to specify the IP address(es) of the DNS server(s) for the DHCP client. You can specify two DNS servers. The no dhcpd dns command allows you to remove the DNS IP address(es) from the configuration.

The dhcpd wins command specifies the address(es) of the WINS server(s) for the DHCP client. The no dhcpd wins command removes the WINS server IP address(es) from the configuration.

The dhcpd lease command specifies the length of the lease, in seconds, that is granted to the DHCP client. The lease indicates how long the DHCP client can use the assigned IP address. The no dhcpd lease command removes the configured lease length and restores the default value of 3600 seconds.

The dhcpd domain command specifies the DNS domain name for the DHCP client. The no dhcpd domain command removes the DNS domain name from the configuration.

The dhcpd enable interface_name command enables the DHCP daemon to listen for DHCP client requests on the DHCP-enabled interface. The no dhcpd enable command disables the DHCP server feature on the specified interface.

The other dhcpd settings take effect only once the server is listening; use the dhcpd enable interface_name command to turn on DHCP.


Note The FWSM DHCP server daemon does not support clients that are not directly connected to a FWSM interface.


The dhcpd option 66 | 150 command provides TFTP server address information to IP phones that request it.

When a DHCP request that asks for option 66 or option 150 arrives at the FWSM DHCP server, the FWSM places the value(s) configured with dhcpd option 66 | 150 in the response.

Use the dhcpd option code command as follows:

If the TFTP server for IP Phone connections is located on the inside interface, use the local IP address of the TFTP server in the dhcpd option command.

If the TFTP server is located on a less secure interface, create a group of NAT global and access-list entries for the inside IP phones, and use the actual IP address of the TFTP server in the dhcpd option command.

If the TFTP server is located on a more secure interface, create a group of static and access-list statements for the TFTP server and use the global IP address of the TFTP server in the dhcpd option command.

The debug dhcpd event command allows you to display event information about the DHCP server. The debug dhcpd packet command displays packet information about the DHCP server. To disable debugging, use the no form of the debug dhcpd commands.

Examples

This partial example shows how to use the dhcpd address, dhcpd dns, and dhcpd enable interface_name commands to configure an address pool for the DHCP clients and a DNS server address for the DHCP client, and how to enable the dmz interface of the FWSM for the DHCP server function.

fwsm/context_name(config)# dhcpd address 10.0.1.100-10.0.1.108 dmz
fwsm/context_name(config)# dhcpd dns 209.165.200.226
fwsm/context_name(config)# dhcpd enable dmz

This partial example shows how to define a DHCP pool of 256 addresses. The dmz interface of the FWSM is configured as the DHCP server, and its netmask is 255.255.0.0 so that the pool can extend past a single /24 (a 256-address pool cannot fit inside a 255.255.255.0 interface subnet):

fwsm/context_name(config)# ip address dmz 10.0.1.1 255.255.0.0
fwsm/context_name(config)# dhcpd address 10.0.1.2-10.0.2.1 dmz
fwsm/context_name(config)# dhcpd enable dmz

This partial example shows how to use three new features that are associated with each other: DHCP server, DHCP client, and PAT using interface IP to configure a FWSM in a small office and home office (SOHO) environment with the inside interface as the DHCP server:

fwsm/context_name(config)# ip address outside
! enable dhcp server daemon on the inside interface
fwsm/context_name(config)# ip address inside 10.0.1.2 255.255.255.0
fwsm/context_name(config)# dhcpd address 10.0.1.101-10.0.1.110 inside
fwsm/context_name(config)# dhcpd dns 209.165.201.2 209.165.202.129
fwsm/context_name(config)# dhcpd wins 209.165.201.5
fwsm/context_name(config)# dhcpd lease 3000
fwsm/context_name(config)# dhcpd domain example.com
fwsm/context_name(config)# dhcpd enable inside
! use outside interface IP as PAT global address
fwsm/context_name(config)# nat (inside) 1 0 0
fwsm/context_name(config)# global (outside) 1 interface

This example shows sample output from the show dhcpd command:

fwsm/context_name(config)# show dhcpd
dhcpd address 10.0.1.100-10.0.1.108 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd dns 192.23.21.23
dhcpd enable inside 

This example shows sample output from the show dhcpd binding command:

fwsm/context_name(config)# show dhcpd binding
IP Address Hardware Address Lease Expiration Type
10.0.1.100 0100.a0c9.868e.43 84985 seconds automatic

This example shows sample output from the show dhcpd statistics command:

fwsm/context_name(config)# show dhcpd statistics
Address Pools 1
Automatic Bindings 1
Expired Bindings 1
Malformed messages 0

Message Received
BOOTREQUEST 0
DHCPDISCOVER 1
DHCPREQUEST 2
DHCPDECLINE 0
DHCPRELEASE 0
DHCPINFORM 0

Message Sent
BOOTREPLY 0
DHCPOFFER 1
DHCPACK 1
DHCPNAK 1

Related Commands

clear dhcpd
dhcpd
ip address
show dhcpd
show dhcprelay

dhcprelay

To configure the DHCP relay agent, which relays requests between DHCP clients on one FWSM interface and a DHCP server on a different FWSM interface, use the dhcprelay command. To remove the DHCP relay agent configuration, use the no form of this command.

[no] dhcprelay enable client_interface

[no] dhcprelay server server_ip server_interface

[no] dhcprelay setroute client_interface

[no] dhcprelay timeout seconds

[no] dhcprelay {enable | server | setroute | timeout}

Syntax Description

enable

Enables the DHCP relay agent to accept DHCP requests from clients on the specified interface.

client_interface

Name of the interface on which the DHCP relay agent accepts client requests.

server server_ip

IP address of the DHCP server to which the DHCP relay agent forwards client requests.

server_interface

Name of the FWSM interface on which the DHCP server resides.

setroute client_interface

Configures the DHCP relay agent to change the first default router address (in the packet sent from the DHCP server) to the address of client_interface.

timeout seconds

Specifies the number of seconds that are allowed for DHCP relay address negotiation.


Defaults

The defaults are as follows:

DHCP relay agent is disabled.

seconds is 60 seconds.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: Routed

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

In order for the FWSM to start the DHCP relay agent with the dhcprelay enable client_interface command, you must have a dhcprelay server command already in the configuration. Otherwise, the FWSM displays an error message similar to the following:

DHCPRA:Warning - There are no DHCP servers configured!
No relaying can be done without a server!
Use the 'dhcprelay server <server_ip> <server_interface>' command

The dhcprelay enable client_interface command starts the DHCP relay task on the specified interface. If this dhcprelay enable command is the first dhcprelay enable command to be issued, and there are dhcprelay server commands in the configuration, then the ports for the referenced DHCP servers are opened and the DHCP relay task starts.

dhcprelay server

Add at least one dhcprelay server command to the FWSM configuration before you enter the dhcprelay enable command or the FWSM will issue an error message.

The dhcprelay server command opens UDP port 67 on the specified interface for the specified server and starts the DHCP relay task as soon as a dhcprelay enable command is added to the configuration. If there is no dhcprelay enable command in the configuration, the sockets are not opened and the DHCP relay task does not start.

When you remove the dhcprelay server dhcp_server_ip [server_interface] command, the port for that server is closed. If the dhcprelay server command being removed is the last dhcprelay server command in the configuration, then the DHCP relay task stops.

dhcprelay setroute

The dhcprelay setroute client_interface command allows you to enable the DHCP relay agent to change the first default router address (in the packet sent from the DHCP server) to the address of client_interface. The DHCP relay agent substitutes the address of the default router with the address of client_interface.

If there is no default router option in the packet, the FWSM adds one containing the address of client_interface. This action allows the client to set its default route to point to the FWSM.

When you do not configure the dhcprelay setroute client_interface command (and there is a default router option in the packet), it passes through the FWSM with the router address unaltered.
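The following Python model, added here and not part of the FWSM code, covers two reply-side behaviours described on this page: the TFTP values that dhcpd option 66 and dhcpd option 150 place in the DHCP server's reply (see the dhcpd command above) and the dhcprelay setroute rewrite of the router option just described. It uses the DHCP option code/length/value layout of RFC 2132; the addresses and option values are constructed for the demonstration, and the function names are the example's own.

```python
"""Two reply-side DHCP behaviours from this page, modelled on RFC 2132 option TLVs:
the TFTP options added by 'dhcpd option 66/150' and the router-option rewrite done
by 'dhcprelay setroute'. Added example, not FWSM code."""
import ipaddress
from typing import List, Optional, Tuple

OPT_PAD, OPT_ROUTER, OPT_TFTP_NAME, OPT_TFTP_SERVERS, OPT_END = 0, 3, 66, 150, 255
Option = Tuple[int, bytes]


def encode_options(opts: List[Option]) -> bytes:
    """Serialise (code, value) pairs as code/length/value and terminate with END."""
    out = bytearray()
    for code, value in opts:
        if not 0 < code < 255 or len(value) > 255:
            raise ValueError("bad option %d (length %d)" % (code, len(value)))
        out += bytes((code, len(value))) + value
    out.append(OPT_END)
    return bytes(out)


def decode_options(blob: bytes) -> List[Option]:
    """Parse a TLV options field; stops at END, skips PAD, rejects truncated options."""
    opts: List[Option] = []
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            return opts
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("option %d has no length byte" % code)
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:   # never read past the buffer on a short packet
            raise ValueError("option %d truncated" % code)
        opts.append((code, bytes(value)))
        i += 2 + length
    raise ValueError("options field missing END")


def _packed(*addrs: str) -> bytes:
    return b"".join(ipaddress.IPv4Address(a).packed for a in addrs)


def _unpacked(value: bytes) -> List[str]:
    if len(value) % 4:
        raise ValueError("address list is not a multiple of 4 bytes")
    return [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, len(value), 4)]


def router_option(*addrs: str) -> Option:
    """Option 3 as a DHCP server would send it (first address = default router)."""
    return (OPT_ROUTER, _packed(*addrs))


def tftp_options(option66_ascii: Optional[str] = None, option150_ips: Tuple[str, ...] = ()) -> List[Option]:
    """Options the server adds for 'dhcpd option 66 ascii NAME' and 'dhcpd option 150 ip A [B]'."""
    opts: List[Option] = []
    if option66_ascii:
        if " " in option66_ascii or not option66_ascii.isascii():
            raise ValueError("option 66 must be an ASCII string without white space")
        opts.append((OPT_TFTP_NAME, option66_ascii.encode("ascii")))
    if option150_ips:
        opts.append((OPT_TFTP_SERVERS, _packed(*option150_ips)))
    return opts


def apply_setroute(reply_opts: List[Option], client_interface_ip: str) -> List[Option]:
    """dhcprelay setroute: the first router address becomes the FWSM client-interface
    address (further router addresses are kept); a reply with no router option gets
    one. Without setroute the reply would pass through unaltered."""
    rewritten: List[Option] = []
    done = False
    for code, value in reply_opts:
        if code == OPT_ROUTER and not done:
            value = _packed(client_interface_ip) + value[4:]
            done = True
        rewritten.append((code, value))
    if not done:
        rewritten.append(router_option(client_interface_ip))
    return rewritten


def routers(opts: List[Option]) -> List[str]:
    """Router addresses (option 3) a client would see in a decoded reply."""
    return next((_unpacked(v) for c, v in opts if c == OPT_ROUTER), [])


def tftp_servers(opts: List[Option]) -> List[str]:
    """TFTP server addresses (option 150) a phone would see in a decoded reply."""
    return next((_unpacked(v) for c, v in opts if c == OPT_TFTP_SERVERS), [])
```

Running apply_setroute on a reply whose router option lists 10.1.1.1 and 10.1.1.2, with 10.0.1.1 as the client interface, yields 10.0.1.1 followed by 10.1.1.2; a reply with no router option gains one. decode_options refuses a truncated option instead of reading past the buffer, which is the check a relay or server should make before rewriting anything in a packet that came off the wire.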

dhcprelay timeout

The dhcprelay timeout command allows you to set the amount of time, in seconds, allowed for responses from the DHCP server to pass to the DHCP client through the relay binding structure.

no dhcprelay commands

The no dhcprelay enable client_interface command allows you to remove the DHCP relay agent configuration for the interface that is specified by client_interface only.

The no dhcprelay server dhcp_server_ip [server_interface] command allows you to remove the DHCP relay agent configuration for the DHCP server that is specified by dhcp_server_ip [server_interface] only.

Examples

This example shows how to configure the DHCP relay agent for a DHCP server with an IP address of 10.1.1.1 on the outside interface of the FWSM, set the timeout to 60 seconds (the first show dhcprelay output shows a previously configured value of 50), and then enable the relay for client requests on the inside interface. Each step is followed by show dhcprelay:

fwsm/context_name(config)# dhcprelay server 10.1.1.1 outside
fwsm/context_name(config)# show dhcprelay
dhcprelay server 10.1.1.1 outside
dhcprelay timeout 50

fwsm/context_name(config)# dhcprelay timeout 60
fwsm/context_name(config)# show dhcprelay
dhcprelay server 10.1.1.1 outside
dhcprelay timeout 60

fwsm/context_name(config)# dhcprelay enable inside
fwsm/context_name(config)# show dhcprelay
dhcprelay server 10.1.1.1 outside
dhcprelay enable inside
dhcprelay timeout 60

This example shows how to disable the DHCP relay agent if there is only one dhcprelay enable command in the configuration:

fwsm/context_name(config)# no dhcprelay enable
fwsm/context_name(config)# show dhcprelay
dhcprelay server 10.1.1.1 outside
dhcprelay timeout 60

This example shows the output of the show dhcprelay statistics command:

fwsm/context_name(config)# show dhcprelay statistics
Packets Relayed
BOOTREQUEST          0
DHCPDISCOVER         7
DHCPREQUEST          3
DHCPDECLINE          0
DHCPRELEASE          0
DHCPINFORM           0

BOOTREPLY            0
DHCPOFFER            7
DHCPACK              3
DHCPNAK              0

Related Commands

clear dhcprelay
dhcpd
show dhcpd
show dhcprelay

dir

To display the directory contents, use the dir command.

dir [/recursive] [disk: | flash:] [path]

Syntax Description

/recursive

(Optional) Displays the directory contents recursively.

disk:

(Optional) Specifies the disk file system.

flash:

(Optional) Displays the contents of the default Flash partition.

path

(Optional) Specifies the path for the directory.


Defaults

If you do not specify a file system, disk: is used.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system command line

Command Mode: privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The dir command without keyword or arguments displays the directory contents of the current directory.

Examples

This example shows how to display the directory contents:

fwsm(config)# dir
Directory of disk:/

1      -rw-  1519        10:03:50 Jul 14 2003    my_context.cfg
2      -rw-  1516        10:04:02 Jul 14 2003    my_context.cfg
3      -rw-  1516        10:01:34 Jul 14 2003    admin.cfg
60985344 bytes total (60973056 bytes free)

This example shows how to display recursively the contents of the disk:

fwsm(config)# dir /recursive disk:
Directory of disk:/*
1      -rw-  1519        10:03:50 Jul 14 2003    my_context.cfg
2      -rw-  1516        10:04:02 Jul 14 2003    my_context.cfg
3      -rw-  1516        10:01:34 Jul 14 2003    admin.cfg
60985344 bytes total (60973056 bytes free)

This example shows how to display the contents of the Flash partition:

fwsm(config)# dir flash:
Directory of flash:/
0     -wx  6783044    <no date>  image
1     rw-  1314       <no date>  startup-config

Related Commands

cd
copy disk
copy flash
clear ftp
copy tftp
dir
format
mkdir
more
pwd
rename
rmdir
show file

disable

To exit privileged mode and return to unprivileged mode, use the disable command.

disable

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

Use the enable command to enter privileged mode. The disable command allows you to exit privileged mode and returns you to unprivileged mode.

Examples

This example shows how to enter privileged mode:

fwsm> enable
fwsm#

This example shows how to exit privileged mode:

fwsm# disable
fwsm>

distance (router submode)

To define Open Shortest Path First (OSPF) route administrative distances that are based on route type, use the distance command. To return to the default setting, use the no form of this command.

distance ospf [intra-area d1] [inter-area d2] [external d3]

no distance ospf

Syntax Description

intra-area

(Optional) Sets the distance for all routes within an area.

d1, d2, and d3

(Optional) Distance for different area route types.

inter-area

(Optional) Sets the distance for all routes from one area to another area.

external

(Optional) Sets the distance for routes from other routing domains that are learned by redistribution.


Defaults

d1, d2, and d3 are 110.

Command Modes

Security Context Mode: single context mode

Command Mode: configuration mode

Firewall Mode: Routed

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The show ip ospf command displays the configured router ospf subcommands.

Examples

This example shows how to define an OSPF route administrative distance:

fwsm(config_router)# distance ospf

Related Commands

router ospf
show distance
show ip ospf

domain-name

To change the domain name, use the domain-name command. To remove the domain name, use the no form of this command.

[no] domain-name name

Syntax Description

name

A domain name that contains up to 63 characters.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The domain-name command allows you to change the domain name.


Note Set the domain name to the domain part of the FWSM's fully qualified domain name. The RSA key pair is generated for the FQDN formed from the host name and this domain name, so set both before generating the keys. If you change the domain name, regenerate the RSA keys.


Examples

This example shows how to use the domain-name command:

fwsm/context_name(config)# domain-name example.com

Related Commands

show domain-name

dynamic-map

To create a dynamic crypto map entry template, use the dynamic-map command.

dynamic-map map seq subcommand

Syntax Description

map

Specifies the dynamic crypto map template tag.

seq

Specifies the sequence number to insert into the dynamic crypto map entry.

subcommand

Subcommands; see the "Usage Guidelines" section for additional information.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The clear dynamic-map command allows you to remove the dynamic-map commands from the configuration. The show dynamic-map command allows you to display the dynamic-map commands in the configuration.


Note The dynamic-map command is the same as the crypto dynamic-map command. Refer to the crypto dynamic-map command for more information.


Examples

This example shows how to create a dynamic crypto map entry:

fwsm/context_name(config)# dynamic-map

Related Commands

show dynamic-map

enable

To access privileged mode or a privilege level, or to set the enable password for a level, use the enable command. To reset a level's enable password to the default (blank), use the no form of the enable password command.

enable [level]

[no] enable password [pw] [level level] [encrypted]

Syntax Description

pw

(Optional) Password for this privilege level. The minimum is three characters.

level

(Optional) Specifies to set the privilege level, from 0 to 15.

encrypted

(Optional) Specifies that the provided password is already encrypted.


Defaults

The privilege level is 15.

The password is blank.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: privileged mode to set the password; unprivileged mode for the enable command itself

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The enable command allows you to enter privileged mode. The FWSM prompts you for your privileged mode password. By default, the enable password is blank—you can press the Enter key at the password prompt to start privileged mode. Use the disable command to exit privileged mode. Use the enable password command to change the password.

If you do not enter a level, the level is 15. If you enter a level, you are prompted for the password set for that level. If you configure local command authorization with the aaa authorization command, and you set command privilege levels (privilege command), you can only use commands available at that level. If no command authorization is used, then level 2 and above is privileged mode and you can access all privileged commands.


Note Setting passwords for other privilege levels (for example, 10 and 12) does not change or remove the level 15 password.


The enable password command changes the privileged mode password. The FWSM prompts for this password after you enter the enable command. The no enable password command returns the enable password to its default (blank), so that pressing the Enter key at the prompt is enough to enter privileged mode; set a non-blank password on every FWSM that is reachable from a network.

The encrypted keyword appears in the configuration when you set the password. You cannot see the original password in the configuration; only the encrypted form is shown. To copy the passwords to another FWSM, cut and paste the enable password line including the encrypted keyword. The stored value is a one-way hash of the password rather than a reversible encoding, but anyone who obtains a copy of the configuration can attack it offline, so treat saved configurations and show output as sensitive.

Examples

This example shows how to enter privileged mode with the enable command and then enter configuration mode with the configure terminal command:

fwsm> enable
Password: 
fwsm# configure terminal
fwsm(config)# 
 
   

This example shows how to enter privileged mode with the enable command, change the enable password with the enable password command, enter configuration mode with the configure terminal command, and display the contents of the current configuration with the write terminal command:

fwsm> enable
Password:
fwsm# enable password w0ttal1fe
fwsm# configure terminal
fwsm(config)# write terminal
Building configuration...
enable password 2oifudsaoid.9ff encrypted

This example shows that a value entered with the encrypted keyword is stored as given, while a clear-text password is stored in its encrypted form:

fwsm# enable password 1234567890123456 encrypted
fwsm# show enable password
enable password 1234567890123456 encrypted

fwsm# enable password 1234567890123456
fwsm# show enable password
enable password feCkwUGktTCAgIbD encrypted

This example shows how to set enable passwords for each level:

fwsm(config)# enable password cisco level 10
fwsm(config)# show enable
enable password wC38a.EQklqK3ZqY level 10 encrypted
enable password 8Ry2YjIyt7RRXU24 encrypted

fwsm(config)# enable password wC38a.EQklqK3ZqY level 12 encrypted
fwsm(config)# show enable
enable password wC38a.EQklqK3ZqY level 10 encrypted
enable password wC38a.EQklqK3ZqY level 12 encrypted
enable password 8Ry2YjIyt7RRXU24 encrypted

fwsm(config)# no enable password level 12
fwsm(config)# show enable
enable password wC38a.EQklqK3ZqY level 10 encrypted
enable password 8Ry2YjIyt7RRXU24 encrypted

fwsm(config)# no enable password level 10
fwsm(config)# show enable
enable password 8Ry2YjIyt7RRXU24 encrypted

Related Commands

show enable

established

To permit return connections on ports that are based on an established connection, use the established command. To disable the established feature, use the no form of this command.

[no] established est_protocol dport [sport] [permitto protocol port [-port]] [permitfrom protocol port[-port]]

Syntax Description

protocol

Specifies the IP protocol (UDP or TCP) to use for the established connection lookup.

dport

Specifies the destination port to use for the established connection lookup.

sport

(Optional) Specifies the source port to use for the established connection lookup.

permitto

(Optional) Allows the return protocol connections destined to the specified port.

protocol

IP protocol (UDP or TCP) used by the return connection.

port -port

Specifies the (UDP or TCP) destination port of the return connection.

permitfrom

Allows the return protocol connection(s) originating from the specified port.


Defaults

The defaults are as follows:

dport—0 (wildcard)

sport—0 (wildcard)

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The established command permits return access for outbound connections through the FWSM. It applies when an original connection is outbound from a host on a network protected by the FWSM and a return connection is inbound from the same external host to the same internal host. The command lets you specify the ports used for the connection lookup, which gives more control and supports protocols where the destination port is known but the source port is not. The permitto and permitfrom keywords restrict the return inbound connection. The examples in this section, and the src_port/dest_port description below, read the two lookup ports as source port followed by destination port, while the syntax line lists dport [sport]; confirm the order on your release before relying on a specific port match.


Caution We recommend that you always specify the established command with the permitto and permitfrom keywords. Using the established command without these keywords is a security risk: once a connection is made to an external system, that system can make unrestricted connections back to the internal host involved in the connection, which can be exploited to attack your internal systems.

The following potential security violations could occur if you do not use the established command carefully.

With the following command, once an internal system makes a TCP connection to an external host on port 4000, that external host can come back in on any port using any protocol:

fwsm/context_name(config)# established tcp 0 4000

In the next command, src_port is the source port of the originating traffic and dest_port is its destination port. Either can be specified as 0 when the protocol does not fix that port, but use wildcard ports (0) only when necessary: with both ports wildcarded, every outbound TCP connection opens the internal host to unrestricted return connections from its peer.

fwsm/context_name(config)# established tcp 0 0


Note To allow the established command to work properly, the client must listen on the port that is specified with the permitto keyword.


You can use the established command with the nat 0 command (where there are no global commands).


Note You cannot use the established command with Port Address Translation (PAT).


The FWSM supports XDMCP (X Display Manager Control Protocol) with assistance from the established command.


Caution Using XWindows system applications through the FWSM may cause security risks.

XDMCP is on by default, but it does not complete the session unless you enter the established command as follows:

fwsm/context_name(config)# established tcp 0 6000 permitto tcp 6000 permitfrom tcp 1024-65535

Entering the established command enables the internal XDMCP-equipped (UNIX or ReflectionX) hosts to access external XDMCP-equipped XWindows servers. UDP/177-based XDMCP negotiates a TCP-based XWindows session, and subsequent TCP back connections are permitted. Because the source port(s) of the return traffic is unknown, specify the sport field as 0 (wildcard). The dport should be 6000 + n, where n represents the local display number. Use this UNIX shell command on the X client host (not on the FWSM) to change the display number:

host% setenv DISPLAY hostname:displaynumber.screennumber

The established command is needed because many TCP connections are generated (based on user interaction) and the source port for these connections is unknown. Only the destination port is static. The FWSM does XDMCP fixups transparently. No configuration is required, but you must enter the established command to accommodate the TCP session.

Examples

This example shows a connection between two hosts using protocol A from the SRC port B destined for port C. To permit return connections through the FWSM and protocol D (protocol D can be different from protocol A), the source port(s) must correspond to port F and the destination port(s) must correspond to port E.

fwsm/context_name(config)# established A B C permitto D E permitfrom D F

This example shows how a connection is started by an internal host to an external host using TCP source port 6060 and any destination port. The FWSM permits return traffic between the hosts through TCP destination port 6061 and TCP source port 6059.

fwsm/context_name(config)# established tcp 6060 0 permitto tcp 6061 permitfrom tcp 6059

This example shows how a connection is started by an internal host to an external host using UDP destination port 6060 and any source port. The FWSM permits return traffic between the hosts through TCP destination port 6061 and TCP source port 1024-65535.

fwsm/context_name(config)# established udp 0 6060 permitto tcp 6061 permitfrom tcp 1024-65535

This example shows how a local host 10.1.1.1 starts a TCP connection on port 9999 to a foreign host 209.165.201.1. The example allows packets from the foreign host 209.165.201.1 on port 4242 back to local host 10.1.1.1 on port 5454.

fwsm/context_name(config)# established tcp 9999 permitto tcp 5454 permitfrom tcp 4242

This example shows how to allow packets from foreign host 209.165.201.1 on any port back to local host 10.1.1.1 on port 5454:

fwsm/context_name(config)# established tcp 9999 permitto tcp 5454
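The lookup the established command performs, modelled in Python as an added example (it is not FWSM code) that covers the Caution in the Usage Guidelines and the examples in this section: a packet from outside is permitted only when a matching outbound connection exists, an established rule matches that connection, and the packet satisfies the rule's permitto and permitfrom limits. Assumed, and marked in the code: two ports after the protocol are read as source port then destination port, as the examples on this page do, and a single port is the destination port; the Rule, Conn and Packet classes and parse_established are the example's own, and the hosts and ports are constructed.

```python
"""Model of the lookup behind the established command. An inbound packet from
outside is permitted only if (1) the FWSM already holds an outbound connection
between the same two hosts, (2) an established rule matches that connection's
protocol and ports, and (3) the packet satisfies the rule's permitto/permitfrom
limits. Added example, not FWSM code. Assumption: two ports after the protocol are
read as source port then destination port, as the examples on this page do; a
single port is the destination port, as the syntax line states."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortSpec = Tuple[str, int, int]  # (protocol, low_port, high_port)


@dataclass(frozen=True)
class Rule:
    proto: str                      # protocol of the original outbound connection
    sport: int                      # its source port, 0 = wildcard
    dport: int                      # its destination port, 0 = wildcard
    permitto: Optional[PortSpec]    # limit on the return packet's destination port
    permitfrom: Optional[PortSpec]  # limit on the return packet's source port


@dataclass(frozen=True)
class Conn:
    """An outbound connection already in the FWSM connection table."""
    proto: str
    inside: str
    sport: int
    outside: str
    dport: int


@dataclass(frozen=True)
class Packet:
    """An inbound packet arriving from the outside host."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _port_spec(proto: str, ports: str) -> PortSpec:
    lo, _, hi = ports.partition("-")
    return (proto.lower(), int(lo), int(hi or lo))


def parse_established(line: str) -> Rule:
    """Parse one 'established ...' configuration line into a Rule."""
    tok = line.split()
    if not tok or tok[0] != "established":
        raise ValueError("not an established command: %r" % line)
    proto = tok[1].lower()
    ports: List[int] = []
    i = 2
    while i < len(tok) and tok[i] not in ("permitto", "permitfrom"):
        ports.append(int(tok[i]))
        i += 1
    if len(ports) == 1:
        sport, dport = 0, ports[0]
    elif len(ports) == 2:
        sport, dport = ports
    else:
        raise ValueError("expected one or two lookup ports")
    permitto = permitfrom = None
    while i < len(tok):
        if i + 2 >= len(tok):
            raise ValueError("incomplete %s clause" % tok[i])
        if tok[i] == "permitto":
            permitto = _port_spec(tok[i + 1], tok[i + 2])
        elif tok[i] == "permitfrom":
            permitfrom = _port_spec(tok[i + 1], tok[i + 2])
        else:
            raise ValueError("unexpected keyword %r" % tok[i])
        i += 3
    return Rule(proto, sport, dport, permitto, permitfrom)


def _within(spec: Optional[PortSpec], proto: str, port: int) -> bool:
    # An absent keyword places no limit at all: any protocol, any port.
    return spec is None or (proto == spec[0] and spec[1] <= port <= spec[2])


def return_permitted(rules: List[Rule], conns: List[Conn], pkt: Packet) -> bool:
    """True if some existing connection plus some rule permits this inbound packet."""
    for conn in conns:
        if (conn.inside, conn.outside) != (pkt.dst, pkt.src):
            continue
        for rule in rules:
            if rule.proto != conn.proto:
                continue
            if rule.sport not in (0, conn.sport) or rule.dport not in (0, conn.dport):
                continue
            if _within(rule.permitto, pkt.proto, pkt.dport) and _within(rule.permitfrom, pkt.proto, pkt.sport):
                return True
    return False
```

With the wildcard rule established tcp 0 4000, a UDP packet to any port from the peer of a port-4000 connection is accepted; with the XDMCP rule established tcp 0 6000 permitto tcp 6000 permitfrom tcp 1024-65535, only TCP to port 6000 from a source port of 1024 or higher is, and nothing at all is accepted when no outbound connection to that peer exists. That is the difference the Caution describes.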

Related Commands

clear established
show established

exit

To exit an access mode, use the exit command.

exit

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: privileged mode and Configuration

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

Use the exit command to exit an access mode. This command has the same function as the quit command.

You may also use the key sequence Ctrl-Z to exit.

Examples

This example shows how to exit configuration mode and privileged mode:

fwsm(config)# exit
fwsm# exit
fwsm>

Related Commands

quit

failover

To enable failover on a standby FWSM, use the failover command. To disable the failover configuration, use the no form of this command.

[no] failover [active]

Syntax Description

active

(Optional) Makes the FWSM the active module in a failover pair.


Defaults

Disabled

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The failover feature provides high availability for the FWSM. You can install up to four FWSMs in a single switch chassis, and you can designate a pair of modules for a failover with two FWSMs working together as active and standby modules. Inter- and intrachassis topologies are supported.


Note The failover pair must be two otherwise identical modules with compatible FWSM hardware and software.


The no form of this command switches the module to standby. The failover feature supports stateful failover or logical updates.

Use the failover active command to initiate a failover switch from the standby module, or use the no failover active command from the active module to initiate a failover switch. You can use this feature to return a failed module to service, or to force an active module offline for maintenance. Because the standby module does not keep state information on each connection, all active connections are dropped and must be reestablished by the clients.

You can see the information from the show failover command using SNMP.

You can monitor 250 interfaces for failover.

You can see the IP addresses of the standby module with the show ip address command. The current IP addresses are the same as the system IP addresses on the failover active module except for the failover interface. The system IP addresses will always be those addresses that are configured for the primary module. The current IP addresses will either be those addresses that are configured for the primary or the secondary module, depending on whether the module is the active or the standby module.

Use the IP address given by ip_address in the ip address command with the ping command to check the status of the standby module. This address must be on the same network as the system IP address. For example, if the system IP address is 192.159.1.3, set the failover IP address to 192.159.1.4.

The interface name of a VLAN logical interface cannot be used for interface_name.

Examples

When properly configured, the failover configurations for your primary and secondary FWSMs must be different and must reflect which is the primary FWSM and which is the secondary FWSM.

This example shows how to configure the primary FWSM:

fwsm(config)# failover lan unit primary                   
fwsm(config)# failover lan interface lanlink vlan 9
fwsm(config)# failover interface ip lanlink 172.27.48.1 255.255.255.0 standby 172.27.48.2 
fwsm(config)# failover

This example shows how to configure the secondary FWSM:

fwsm(config)# failover lan unit secondary 
fwsm(config)# failover lan interface lanlink vlan 9
fwsm(config)# failover interface ip lanlink 172.27.48.1 255.255.255.0 standby 172.27.48.2 
fwsm(config)# failover

Related Commands

clear failover
failover interface ip
failover interface-policy
failover lan interface
failover lan unit
failover link
failover polltime
failover replication http
failover reset
monitor-interface
show failover
write standby

failover interface ip

To specify the IP address and mask for the failover or stateful interface and the failover peer interface, use the failover interface ip command.

failover interface ip interface_name ip_address mask standby ip_address

Syntax Description

interface_name

Interface name for the failover or stateful interface.

ip_address mask

Specifies the IP address for the failover or stateful interface on the active module.

standby ip_address

Specifies the IP address used by the standby module to communicate with the active module.


Defaults

Not configured

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

Failover and stateful failover interfaces are Layer 3 functions, even in transparent firewall mode, and are global to the system. You configure failover in system context mode (except for the monitor-interface command).

Examples

This example shows how to specify the IP address and mask for the failover interface:

fwsm(config)# failover interface ip lanlink 172.27.48.1 255.255.255.0 standby 172.27.48.2 

Related Commands

clear failover
failover
failover interface-policy
failover lan interface
failover lan unit
failover link
failover polltime
failover replication http
failover reset
monitor-interface
show failover
write standby

failover interface-policy

To specify the policy for failover when monitoring detects an interface failure, use the failover interface-policy command. To restore the default, use the no form of this command.

failover interface-policy n[%]

Syntax Description

n

Specifies a number from 1 to 100 when used as a percentage, or 1 to the maximum number of interfaces.

%

(Optional) Specifies that the number n is a percentage of the monitored interfaces.


Defaults

50 percent

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

There is no space between the n argument and the optional % keyword.

If the number of failed interfaces meets the configured policy and the other FWSM is functioning properly, the FWSM will mark itself as failed and a failover may occur (if the active FWSM is the one that fails).

Examples

These examples show two ways to specify the failover policy:

fwsm(config)# failover interface-policy 20%

fwsm(config)# failover interface-policy 5

Related Commands

clear failover
failover
failover interface ip
failover lan interface
failover lan unit
failover link
failover polltime
failover replication http
failover reset
monitor-interface
show failover
write standby

failover lan interface

To specify the interface name and VLAN used for failover communication, use the failover lan interface command. To remove the failover interface, use the no form of this command.

[no] failover lan interface interface_name vlan vlan

Syntax Description

interface_name

Specifies the name of the FWSM interface that is dedicated to failover.

vlan vlan

Sets the VLAN number.


Defaults

Not configured

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

Failover requires a dedicated interface, but you can use the same interface for stateful failover. The interface needs enough capacity to handle both the LAN-based failover and stateful failover traffic.


Note We recommend that you use two separate dedicated interfaces.


The interface name of a VLAN logical interface cannot be used for interface_name.

The no form of this command also clears the failover interface IP address configuration.

Examples

This example shows how to specify the interface and failover VLAN:

fwsm(config)# failover lan interface failint vlan 5

Related Commands

clear failover
failover
failover interface ip
failover interface-policy
failover lan unit
failover link
failover polltime
failover replication http
failover reset
monitor-interface
show failover
write standby

failover lan unit

To configure the FWSM as the primary FWSM or the secondary FWSM, use the failover lan unit command.

failover lan unit {primary | secondary}

Syntax Description

primary

Specifies the FWSM as the highest failover priority.

secondary

Specifies the FWSM as the lowest failover priority.


Defaults

Secondary

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The primary and secondary designation for the failover module refers to which module takes over at boot time. This command determines which FWSM becomes active when both modules are booting or when there is contention when both modules are active.

Examples

This example shows how to configure the primary failover unit:

fwsm(config)# failover lan unit primary

Related Commands

clear failover
failover
failover interface ip
failover interface-policy
failover lan interface
failover link
failover polltime
failover replication http
failover reset
monitor-interface
show failover
write standby

failover link

To specify the interface name and VLAN for the stateful failover interface, use the failover link command. To remove the stateful failover interface, use the no form of this command.

[no] failover link interface_name [vlan vlan]

Syntax Description

interface_name

Specifies the name of the FWSM interface that is used for stateful update information.

vlan vlan

(Optional) Sets the VLAN used for stateful update information; see the "Usage Guidelines" section for additional information.


Defaults

Not configured

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The vlan vlan keyword and argument are required when not sharing the failover interface.

The failover link command allows you to enable stateful failover. The interface name of a VLAN logical interface cannot be used for interface_name. Enter the no failover link command to disable the stateful failover feature and also clear the stateful failover interface IP address configuration. If you are not sharing the interface with the failover interface, you must configure the IP address using the failover interface ip command.

Examples

This example shows how to specify the stateful failover interface:

fwsm(config)# failover link statefulint vlan 6

Related Commands

clear failover
failover
failover interface ip
failover interface-policy
failover lan interface
failover lan unit
failover polltime
failover replication http
failover reset
monitor-interface
show failover
write standby

failover polltime

To specify the failover module and interface monitoring poll frequency, use the failover polltime command. To restore the default, use the no form of this command.

[no] failover polltime [unit] [msec] time [holdtime time]

[no] failover polltime interface time

Syntax Description

unit

(Optional) Sets how often hello messages are sent on the failover link.

msec

(Optional) Specifies that the time interval between messages is in msec.

time

Amount of time between hello messages.

holdtime time

(Optional) Sets the time during which a unit must receive a hello message on the failover link; if none arrives within that time, the unit begins the testing process for peer failure.

interface time

Specifies the poll time for interface monitoring.


Defaults

The defaults are as follows:

The unit poll time is 1 second.

The interface time is 15 seconds.

The holdtime time is 15 seconds.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.

2.2(1)

This command was modified.


Usage Guidelines

The unit keyword sets the unit poll time rather than the interface poll time. Set the unit poll time in seconds between 1 and 15. The default is 1 second. If you specify msec, you can set the time between 500 and 999 milliseconds.

Set the hold time value in seconds between 3 and 45. The default is the greater of 15 seconds or 3 times the poll time. You cannot enter a value that is less than 3 times the poll time. With a faster poll time, the FWSM can detect failure and trigger failover faster. However, faster detection can cause unnecessary switchovers when the network is temporarily congested.

For example, if the poll time is 1 second, then a 15-second hold time means that 15 hello messages are missed before the unit is tested for failure.


Note The interval between the stateful information updates is 10 seconds. If you set the poll time greater than 10, then that interval is used.


If a monitored interface does not receive five consecutive hello messages, the FWSM begins the testing process for interface failure.

The interface default is 15 seconds (which means that an interface receives no reply for 75 seconds [5 times the polling interval] before the interface is tested for failure).

When the unit or interface keywords are not specified, the poll time configured is for the unit (module).
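The following Python checks are an added example, not part of this command reference or the FWSM software. They encode the rules stated in the usage guidelines for failover polltime (above) and for failover interface-policy (earlier in this chapter): unit poll 1 to 15 seconds or 500 to 999 milliseconds, hold time 3 to 45 seconds and never less than 3 times the poll time, a default hold time of the greater of 15 seconds or 3 times the poll time, five missed hellos before an interface is tested, and a policy written as n or n% with no space. The functions return the derived detection figures (missed hellos, seconds until an interface is tested, whether a unit marks itself failed) so a configuration can be sanity-checked before it is applied.

```python
"""Checks for failover polltime/holdtime and interface-policy values (added example).

Not FWSM code: it encodes only the ranges and rules stated in the usage
guidelines (unit poll 1-15 s or 500-999 ms, hold time 3-45 s and at least
3 x the poll time, default hold time max(15 s, 3 x poll), five missed
interface hellos, policy "n" or "n%" with no space). Everything else here is
this example's own.
"""
import math
from typing import Dict, Optional, Tuple

UNIT_POLL_SEC = (1, 15)
UNIT_POLL_MSEC = (500, 999)
HOLDTIME_SEC = (3, 45)
STATEFUL_UPDATE_INTERVAL = 10   # seconds, per the note above
INTERFACE_MISSED_HELLOS = 5


def default_holdtime(poll_sec: float) -> float:
    """Default hold time: the greater of 15 s or 3 x the poll time."""
    return max(15.0, 3 * poll_sec)


def unit_polltime(time: int, msec: bool = False,
                  holdtime: Optional[int] = None) -> Dict[str, float]:
    """Validate `failover polltime [unit] [msec] time [holdtime time]`."""
    lo, hi = UNIT_POLL_MSEC if msec else UNIT_POLL_SEC
    if not lo <= time <= hi:
        raise ValueError(f"poll time {time} outside {lo}-{hi}")
    poll_sec = time / 1000 if msec else float(time)
    if holdtime is None:
        hold = default_holdtime(poll_sec)
    else:
        if not HOLDTIME_SEC[0] <= holdtime <= HOLDTIME_SEC[1]:
            raise ValueError(f"holdtime {holdtime} outside 3-45 s")
        if holdtime < 3 * poll_sec:
            raise ValueError(f"holdtime {holdtime} is less than 3 x poll time")
        hold = float(holdtime)
    return {
        "poll_sec": poll_sec,
        "holdtime_sec": hold,
        # Hellos that go unanswered before the peer is tested for failure.
        "missed_hellos": math.floor(hold / poll_sec),
        # Stateful updates follow the poll time once it exceeds 10 s.
        "stateful_update_sec": max(STATEFUL_UPDATE_INTERVAL, poll_sec),
    }


def is_valid_unit_polltime(time: int, msec: bool = False,
                           holdtime: Optional[int] = None) -> bool:
    try:
        unit_polltime(time, msec, holdtime)
        return True
    except ValueError:
        return False


def interface_detect_time(interface_poll_sec: int) -> int:
    """Seconds without a reply before an interface is tested for failure."""
    return INTERFACE_MISSED_HELLOS * interface_poll_sec


def parse_interface_policy(text: str) -> Tuple[int, bool]:
    """Parse the n[%] argument; a space or any other suffix is rejected."""
    percent = text.endswith("%")
    digits = text[:-1] if percent else text
    if not digits.isdigit():
        raise ValueError(f"invalid interface-policy value {text!r}")
    n = int(digits)
    if percent and not 1 <= n <= 100:
        raise ValueError("percentage must be 1-100")
    if not percent and n < 1:
        raise ValueError("count must be at least 1")
    return n, percent


def is_valid_interface_policy(text: str) -> bool:
    try:
        parse_interface_policy(text)
        return True
    except ValueError:
        return False


def interface_policy_met(failed: int, monitored: int, policy: str = "50%") -> bool:
    """True when the failed-interface count meets the policy, so the unit marks itself failed."""
    n, percent = parse_interface_policy(policy)
    if percent:
        return monitored > 0 and failed * 100 >= n * monitored
    return failed >= n
```

Running the worked figures from the text through it: a 1-second poll with the default hold time gives 15 missed hellos, a 15-second interface poll gives 75 seconds before an interface is tested, and `failover polltime unit 5 holdtime 10` is rejected because 10 is less than 3 times 5.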

Examples

These examples show how to specify a monitoring poll frequency:

fwsm(config)# failover polltime unit 5 holdtime 45

fwsm(config)# failover polltime interface 12

Related Commands

clear failover
failover
failover interface ip
failover interface-policy
failover lan interface
failover lan unit
failover link
failover replication http
failover reset
monitor-interface
show failover
write standby

failover replication http

To enable HTTP (port 80) connection replication, use the failover replication http command. To disable HTTP connection replication, use the no form of this command.

[no] failover replication http

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The failover replication http command allows the stateful replication of HTTP sessions in a stateful failover environment. The no form of this command disables HTTP replication in a stateful failover configuration. When HTTP replication is enabled, the show failover command displays the failover replication http command configuration.

Examples

This example shows how to enable HTTP connection replication:

fwsm(config)# failover replication http

Related Commands

clear failover
failover
failover interface ip
failover interface-policy
failover lan interface
failover lan unit
failover link
failover polltime
failover reset
monitor-interface
show failover
write standby

failover reset

To change the failover modules to an unfailed state after a fault has been corrected, use the failover reset command.

failover reset

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The failover reset command allows you to change the failover modules to an unfailed state after a reset. The failover reset command can be entered from either module, but we recommend that you always enter the commands at the active module. Entering the failover reset command at the active module will "unfail" the standby module.

Examples

This example shows how to change the failover module to the unfailed state:

fwsm(config)# failover reset

Related Commands

clear failover
failover
failover interface ip
failover interface-policy
failover lan interface
failover lan unit
failover link
failover polltime
failover replication http
monitor-interface
show failover
write standby

filter ftp

To enable File Transfer Protocol (FTP) filtering with a Webserver or Enterprise server, use the filter ftp command. To disable FTP filtering, use the no form of this command.


Note Enabling the filter ftp command also enables the FTP fixup even if this fixup is not configured explicitly. This will cause active FTP connections to succeed. If this is not desired, make sure that the FTP server only accepts passive FTP connections.


[no] filter ftp dest-port source_ip source_mask destination_ip destination_mask [allow] [interact-block]

Syntax Description

dest-port

Destination port number.

source_ip

IP address of the highest security level access point.

source_mask

Network mask of source_ip.

destination_ip

IP address of the lowest security level access point.

destination_mask

Network mask of destination_ip.

allow

(Optional) Allows outbound FTP connections to pass through the FWSM without filtering when the server is unavailable.

interact-block

(Optional) Prevents users from connecting to the FTP server through an interactive FTP program.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

Set the source_ip or the destination_ip address to 0.0.0.0 (or in shortened form, 0) to specify all hosts.

Always specify a specific destination_mask value. Use 0.0.0.0 (or in shortened form, 0) to specify all hosts.

Set the source_mask to 0.0.0.0 (or in shortened form, 0) to specify all hosts.

Examples

This example shows how to enable FTP filtering:

fwsm/context_name(config)# filter ftp 21 128.34.65.9 255.255.255.0 140.72.34.6 255.255.255.0 allow

Related Commands

show filter

filter https

To enable HTTPS filtering, use the filter https command. To disable HTTPS filtering, use the no form of this command.

[no] filter https port [-port] | except source_ip source_mask destination_ip destination_mask [allow]

Syntax Description

port -port

TCP port range.

except

Creates an exception to a previously specified set of IP addresses (URL only).

source_ip

IP address of the highest security level access point.

source_mask

Network mask of source_ip.

destination_ip

IP address of the lowest security level access point.

destination_mask

Network mask of destination_ip.

allow

(Optional) Allows outbound HTTPS connections to pass through the FWSM without filtering when the server is unavailable.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

Set the source_ip, destination_ip address, source_mask, or destination_mask to 0.0.0.0 (or in shortened form, 0) to specify all hosts. Always specify a specific destination_mask value.

Examples

This example shows how to enable HTTPS filtering:

fwsm/context_name(config)# filter https 441 128.35.65.9 255.255.255.0 140.72.34.6 255.255.255.0 allow

Related Commands

show filter

filter url

To filter HTTP requests from inside users with an external filtering server, use the filter url command. To disable HTTP filtering, use the no form of this command.

[no] filter url [http | port[-port]] source_ip source_mask destination_ip destination_mask [allow] [proxy-block] [longurl-truncate | longurl-deny] [cgi-truncate]

filter url except source_ip source_mask destination_ip destination_mask

filter url {port | except} source_ip source_mask destination_ip destination_mask [allow] [proxy-block] [longurl-truncate | longurl-deny] [cgi-truncate]

Syntax Description

http

(Optional) Specifies port 80. You can enter http or www instead of 80 to specify port 80.

port

Number of the port for inside traffic to use for HTTP.

-port

(Optional) Specifies the port range for inside traffic to use for HTTP.

source_ip

IP address of the inside traffic only. Outbound traffic is supported (high to low security level) except if you enable the same security level.

source_mask

Network mask of source_ip.

destination_ip

IP address of the lowest security level access point.

destination_mask

Network mask of destination_ip.

allow

(Optional) Allows outbound connections to pass through the FWSM without filtering when the server is unavailable.

proxy-block

(Optional) Prevents users from connecting to an HTTP proxy server.

longurl-truncate

(Optional) Sends only the originating host name or IP address to the Websense server if the URL is over the URL buffer limit.

longurl-deny

(Optional) Denies the URL request if the URL is over the URL buffer size limit or the URL buffer is not available.

cgi-truncate

(Optional) Truncates CGI URLs to include only the CGI script location and script name (but not parameters).

except

Exempts the specified traffic from filtering.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

Set the source_ip or the destination_ip address to 0.0.0.0 (or in shortened form, 0) to specify all hosts.

Always specify a specific destination_mask value. Use 0.0.0.0 (or in shortened form, 0) to specify all hosts.

Set the source_mask to 0.0.0.0 (or in shortened form, 0) to specify all hosts.

The filter url command allows you to prevent outbound users from accessing URLs that you designate using the N2H2 server or Websense server.


Note You must add a filtering server using the url-server command before you use any filter commands. If you later remove all servers from the configuration, all other filter commands are removed.


The allow keyword to the filter command determines how the FWSM behaves if the N2H2 server or Websense server goes offline. If you use the allow keyword with the filter command and the N2H2 server or Websense server goes offline, the configured port traffic passes through the FWSM without filtering. Without the allow keyword and with the server offline, the FWSM stops the outbound configured port (web) traffic until the server is back online. If another URL server is available, the FWSM passes control to the next URL server.


Note With the allow keyword set, the FWSM passes control to an alternate server if the N2H2 server or Websense server goes offline.


Examples

This example shows how to filter all outbound HTTP connections except those from the 10.0.2.54 host:

fwsm/context_name(config)# url-server (perimeter) host 10.0.1.1
fwsm/context_name(config)# filter url 80 0 0 0 0
fwsm/context_name(config)# filter url except 10.0.2.54 255.255.255.255 0 0

This example shows how to block all outbound HTTP connections that are destined to a proxy server that listens on port 8080:

fwsm/context_name(config)# filter url 8080 0 0 0 0 proxy-block
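The following Python model is an added example, not part of this command reference or the FWSM software. It parses the filter url lines from the two examples above and works out, for one outbound HTTP request, whether the request is passed, denied, or handed to the URL server, following the usage guidelines: an except rule exempts the traffic, a matching rule sends it for lookup while any URL server is online, and with every server offline the allow keyword fails open while its absence stops the port's traffic. The page does not say how the FWSM recognises a proxy connection, so treating a request whose target is an absolute URL (the form a client sends to a proxy) as one is this example's assumption, as is applying an except rule to every port; addresses and request targets are constructed.

```python
"""Decision model for `filter url` rules and the allow keyword (added example).

Not FWSM code. It follows the text above: traffic matched by an except rule is
not filtered; other matched traffic is sent to a URL server while one is
online; with every server offline, allow passes the traffic unfiltered and
its absence blocks it; cgi-truncate strips CGI parameters before the lookup.
Recognising a proxy request by its absolute-URL target and applying except
rules to all ports are this example's assumptions. Addresses and request
targets are constructed samples.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List


def _network(addr: str, mask: str) -> IPv4Network:
    # "0" is the CLI shorthand for 0.0.0.0 in both positions.
    addr = "0.0.0.0" if addr == "0" else addr
    mask = "0.0.0.0" if mask == "0" else mask
    return IPv4Network(f"{addr}/{mask}", strict=False)


@dataclass
class FilterUrlRule:
    lo_port: int
    hi_port: int
    src: IPv4Network
    dst: IPv4Network
    except_: bool = False
    allow: bool = False
    proxy_block: bool = False
    cgi_truncate: bool = False

    @classmethod
    def parse(cls, line: str) -> "FilterUrlRule":
        """Parse `filter url {http|port[-port]|except} src mask dst mask [options]`."""
        words = line.split()
        if words[:2] != ["filter", "url"]:
            raise ValueError(f"not a filter url line: {line!r}")
        what, src, smask, dst, dmask, *opts = words[2:]
        if what == "except":
            lo, hi = 0, 65535
        elif what in ("http", "www"):
            lo = hi = 80
        elif "-" in what:
            lo, hi = (int(p) for p in what.split("-", 1))
        else:
            lo = hi = int(what)
        return cls(lo, hi, _network(src, smask), _network(dst, dmask),
                   except_=(what == "except"), allow="allow" in opts,
                   proxy_block="proxy-block" in opts,
                   cgi_truncate="cgi-truncate" in opts)

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (self.lo_port <= dport <= self.hi_port
                and IPv4Address(src) in self.src
                and IPv4Address(dst) in self.dst)


def decide(rules: List[FilterUrlRule], servers_online: List[bool],
           src: str, dst: str, dport: int, target: str) -> Dict[str, str]:
    """Action for one outbound HTTP request: pass, deny, or lookup at the URL server."""
    hits = [r for r in rules if r.matches(src, dst, dport)]
    if any(r.except_ for r in hits):
        return {"action": "pass", "reason": "except"}
    rule = next((r for r in hits if not r.except_), None)
    if rule is None:
        return {"action": "pass", "reason": "no filter url rule for this port"}
    if rule.proxy_block and target.lower().startswith(("http://", "https://")):
        return {"action": "deny", "reason": "proxy-block"}
    if not any(servers_online):
        # Fail open only when allow is set; otherwise the port's traffic stops.
        if rule.allow:
            return {"action": "pass", "reason": "servers offline, allow set"}
        return {"action": "deny", "reason": "servers offline, no allow"}
    url = target.split("?", 1)[0] if rule.cgi_truncate else target
    return {"action": "lookup", "reason": "sent to URL server", "url": url}


# The rules from the two examples above, plus a fail-open variant for comparison.
EXAMPLE_RULES = [FilterUrlRule.parse(line) for line in (
    "filter url 80 0 0 0 0",
    "filter url except 10.0.2.54 255.255.255.255 0 0",
    "filter url 8080 0 0 0 0 proxy-block",
)]
FAIL_OPEN_RULES = [FilterUrlRule.parse("filter url 80 0 0 0 0 allow cgi-truncate")]
```

The contrast worth noticing is between the two offline cases: the example rules as written (no allow) deny web traffic when every URL server is down, while the allow variant lets it through unfiltered, so the choice sets whether an outage of the filtering server is a denial of service or a loss of policy enforcement.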

Related Commands

show filter

firewall

To set the firewall mode to transparent, use the firewall command. To set the mode to routed, use the no form of this command.

[no] firewall transparent

Syntax Description

transparent

Specifies transparent firewall mode.


Defaults

Routed firewall mode

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to set the firewall mode to transparent:

fwsm(config)# firewall transparent

Related Commands

clear firewall
show firewall

fixup protocol

To modify the FWSM protocol fixups to add, delete, or change services and feature defaults, use the fixup protocol command. To disable the fixups, use the no form of this command.

[no] fixup protocol prot [option] port [-port]

Syntax Description

prot

Protocol fixup to be enabled or disabled: ftp [strict], http, h323, ils, mgcp, rsh, sip, skinny, smtp, sqlnet, icmp error, dns [maximum-length length].

option

(Optional) Option to the inspection function.

port -port

Specifies a range of ports to enable the fixup.


Defaults

The defaults are as follows:

The FWSM fixup protocols and ports are as follows:

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

(These are the defaults that are enabled on an FWSM running software version 2.2.)

All fixup protocol commands are always present in the configuration and most are enabled.

fixup protocol mgcp is disabled.

fixup protocol icmp is disabled.

fixup protocol icmp error is disabled.

The FWSM listens to port 21 for FTP.

fixup protocol rpc to port 111 for UDP is enabled.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


fixup protocol ftp

The fixup protocol ftp command allows you to specify the listening port or ports for the File Transfer Protocol (FTP). The following describes the features and usage of this command:

You can use port numbers or supported port literals. See the "Specifying Port Values" section in Appendix B, "Port and Protocol Values," for a list of valid port literal names.

The FWSM by default listens to port 21 for FTP.

You can specify multiple ports.

You can specify only the port for the FTP control connection and not the data connection. The FWSM stateful inspection dynamically prepares the data connection. For instance, this example is incorrect:

fwsm/context_name(config)# fixup protocol ftp 21
fwsm/context_name(config)# fixup protocol ftp 20

This example is correct:

fwsm/context_name(config)# fixup protocol ftp 21


Caution Use caution when moving FTP to a higher port. For example, if you set the FTP port to 2021 by entering the fixup protocol ftp 2021 command, all connections that initiate to port 2021 will have their data payload interpreted as FTP commands.

If you disable the FTP fixups with the no fixup protocol ftp command, the outbound users can start connections only in passive mode, and all inbound FTP is disabled.

The strict keyword to the fixup protocol ftp command prevents web browsers from sending embedded commands in FTP requests. Each FTP command must be acknowledged before a new command is allowed. The connections that are sending embedded commands are dropped. The strict keyword allows only an FTP server to generate the 227 command and an FTP client to generate the PORT command. The 227 and PORT commands are checked to ensure that they do not appear in an error string.

fixup protocol http

The fixup protocol http command allows you to set the port for HTTP traffic application inspection.

Use the port keyword to change the default port assignments from 80. Use the port-port arguments to apply HTTP application inspection to a range of port numbers.


Note The no fixup protocol http command disables the filter url command.


HTTP inspection performs these functions:

URL logging of GET messages

URL screening through N2H2 server or Websense servers

Java and ActiveX filtering

You must configure the URL screening and the Java and ActiveX filtering features with the filter command.

fixup protocol icmp

When ICMP fixup is enabled with the fixup protocol icmp command, a connection is created for each ICMP traffic stream. An access list is not needed on low security interfaces to allow return traffic (replies) to high security interfaces. You are encouraged to keep the default timeout value for ICMP connections set at the minimum of 2 seconds. This action will help mitigate an attack attempt on the open connection.

fixup protocol icmp error

The fixup protocol icmp error command allows you to enable NAT of ICMP error messages. This command creates translations for intermediate hops that are based on the static or network address translation configuration on the FWSM.

The no fixup protocol icmp error command allows you to disable the creation of a translation (xlate) for the intermediate nodes that generate ICMP error messages.

fixup protocol dns

Use the fixup protocol dns command to specify the maximum Domain Name System (DNS) packet length. DNS requires application inspection so that DNS queries will not be subject to the generic UDP handling based on activity timeouts. Instead, the UDP connections associated with DNS queries and responses are torn down as soon as a reply to a DNS query has been received. This functionality is called DNS Guard.

The port assignment for DNS is not configurable.

Set the maximum length for the DNS fixup as shown in the following example:

fwsm(config)# fixup protocol dns maximum-length 1500 
fwsm(config)# show fixup protocol dns 
fixup protocol dns maximum length 1500

Note The FWSM drops DNS packets sent to UDP port 53 that are larger than the configured maximum length. The default value is 512 bytes. A syslog message will be generated when a DNS packet is dropped.


The no fixup protocol dns command disables the DNS fixup. The clear fixup protocol dns command resets the DNS fixup to its default settings (512-byte maximum packet length).


Note If DNS fixup is disabled, the A-record is not sent to NAT and the DNS ID is not matched in requests and responses. By disabling the DNS fixup, the maximum length check on UDP DNS packets can be bypassed and packets greater than the maximum length configured are permitted.
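The following Python model is an added example, not part of this command reference or the FWSM software. It illustrates the DNS Guard behaviour and the maximum-length check described in the fixup protocol dns section above: a UDP query to port 53 opens a connection entry, the reply carrying the same DNS ID is admitted and the entry is torn down immediately, a reply with a different ID or with no open query is dropped, queries larger than maximum-length (default 512 bytes) are dropped, and with the fixup disabled neither the ID match nor the length check applies. The DNS messages and addresses are constructed samples built by the helper in the block.

```python
"""Model of DNS Guard and the DNS fixup maximum-length check (added example).

Not FWSM code. It follows the text above: a UDP query to port 53 opens a
connection, the matching reply (same DNS ID) is admitted and the connection
is torn down at once, queries larger than maximum-length (default 512 bytes)
are dropped, and with the fixup disabled neither the ID match nor the length
check is applied. Idle timeouts are not modelled. The packets and addresses
below are constructed samples.
"""
import struct
from typing import Dict, Tuple

DNS_PORT = 53
DEFAULT_MAX_LENGTH = 512


def dns_id(payload: bytes) -> int:
    """The 16-bit transaction ID in the first two bytes of a DNS header."""
    return struct.unpack(">H", payload[:2])[0]


def build_dns(txid: int, response: bool, qname: bytes = b"example.com",
              pad_to: int = 0) -> bytes:
    """Minimal DNS message: 12-byte header, one A/IN question, optional padding."""
    flags = 0x8180 if response else 0x0100
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    name = b"".join(bytes([len(label)]) + label for label in qname.split(b".")) + b"\x00"
    msg = header + name + struct.pack(">HH", 1, 1)   # QTYPE A, QCLASS IN
    return msg.ljust(pad_to, b"\x00")


class DnsGuard:
    def __init__(self, enabled: bool = True, max_length: int = DEFAULT_MAX_LENGTH):
        self.enabled = enabled
        self.max_length = max_length
        # (client_ip, client_port, server_ip) -> DNS ID of the outstanding query
        self.conns: Dict[Tuple[str, int, str], int] = {}

    def packet(self, src: str, sport: int, dst: str, dport: int, payload: bytes) -> str:
        """Return the verdict for one UDP packet seen by the firewall."""
        if dport == DNS_PORT:
            # Outbound query: length check (fixup only), then open the connection.
            if self.enabled and len(payload) > self.max_length:
                return "drop-oversize"
            self.conns[(src, sport, dst)] = dns_id(payload)
            return "allow"
        if sport == DNS_PORT:
            key = (dst, dport, src)
            if key not in self.conns:
                return "drop-no-connection"   # reply with no open query
            if not self.enabled:
                return "allow"                # generic UDP handling, no ID match
            if dns_id(payload) != self.conns[key]:
                return "drop-id-mismatch"     # reply does not answer the open query
            del self.conns[key]               # DNS Guard: torn down once answered
            return "allow"
        return "not-dns"
```

Two consequences follow from the model: a second reply to an already-answered query is dropped because the connection no longer exists, and an unsolicited reply is dropped whether or not its ID happens to match, since there is no entry for it at all.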


fixup protocol mgcp

Use the fixup protocol mgcp command to configure additional support for the MGCP fixup. To use MGCP, you need to configure at least two fixup protocol commands as follows:

One for the port on which the gateway receives commands.

One for the port on which the call agent receives commands.

A call agent sends commands to the default MGCP port for the gateways, 2427, and a gateway sends commands to the default MGCP port for the call agents, 2727.

This example adds fixup support for the call agents and gateways that use the default ports:

fwsm/context_name(config)# fixup protocol mgcp 2427
fwsm/context_name(config)# fixup protocol mgcp 2727

fixup protocol rpc

The fixup protocol rpc command allows you to configure one or more RPC servers and allow a list of services (NFS, NIS, and so on) on those servers for a specified timeout as follows:

The active keyword represents those services for which traffic has already been sent through the FWSM.

The no rpc-server active service service_type server ip_addr command allows you to remove one of the services from the active list immediately, so that you can block the specified traffic.

The clear rpc-server [active] command allows you to clear the entire list of RPC servers or the entire list of active services.

fixup protocol rtsp

The fixup protocol rtsp command allows you to configure the FWSM to pass Real Time Streaming Protocol (RTSP) packets. RTSP is used by RealAudio, RealNetworks, Apple QuickTime 4, RealPlayer, and Cisco IP/TV connections.

If you are using Cisco IP/TV, use RTSP TCP port 554 and TCP 8554 as follows:

fwsm/context_name(config)# fixup protocol rtsp 554
fwsm/context_name(config)# fixup protocol rtsp 8554

These restrictions apply to the fixup protocol rtsp command:

The FWSM will not fix RTSP messages passing through the UDP ports.

PAT is not supported with the fixup protocol rtsp command.

The FWSM cannot recognize HTTP cloaking where RTSP messages are hidden in the HTTP messages.

The FWSM cannot perform NAT on the RTSP messages because the embedded IP addresses are contained in the SDP files as part of the HTTP or RTSP messages. The packets could be fragmented, and the FWSM cannot perform NAT on fragmented packets.

With Cisco IP/TV, the number of NAT processes that the FWSM performs on the SDP part of the message is proportional to the number of program listings in the Content Manager (each program listing can have at least six embedded IP addresses).

You can configure NAT for the Apple QuickTime 4 or RealPlayer applications. Cisco IP/TV only works with NAT if the Viewer and Content Manager are on the outside network and the server is on the inside network.

When using RealPlayer, you should properly configure transport mode. For the FWSM, add an access-list command from the server to the client or vice versa. For RealPlayer, change the transport mode by clicking Options>Preferences>Transport>RTSP Settings.

If using TCP mode on the RealPlayer application, select the Use TCP to Connect to Server and Attempt to use TCP for all content check boxes. On the FWSM, you do not need to configure the fixup.

If using UDP mode on the RealPlayer application, select the Use TCP to Connect to Server and Attempt to use UDP for static content check boxes. On the FWSM, add the fixup protocol rtsp port command.

fixup protocol sip

The fixup protocol sip command allows you to enable SIP application inspection so that Session Initiation Protocol (SIP) packets are inspected, and then NAT is provided for the appropriate IP addresses.

SIP, as defined by the IETF, enables call handling sessions and two-party audio conferences (calls). SIP works with the Session Description Protocol (SDP) for call signaling. SDP specifies the ports for the media stream. Using SIP, the FWSM can support any SIP Voice over IP (VoIP) gateway or VoIP proxy server. SIP and SDP are defined in the following RFCs:

SIP: Session Initiation Protocol, RFC 2543

SDP: Session Description Protocol, RFC 2327

To support SIP, you must inspect calls through the FWSM, signaling messages for the media connection addresses, media ports, and embryonic connections for the media. While the signaling is sent over a well-known destination port (UDP/TCP 5060), the media streams are dynamically allocated because SIP is a text-based protocol that contains IP addresses throughout the text.

FWSM software version 1.1(1) and later versions support PAT for SIP. In FWSM software version 2.2(1) and later versions, you can disable the SIP fixup for both UDP and TCP signaling with the no fixup protocol sip 5060 command.


Note If you change the value of port, SIP will not operate on a different port. You can only turn SIP inspection on or off; you cannot change the port.


For additional information about the SIP protocol, refer to RFC 2543. For additional information about the Session Description Protocol (SDP), refer to RFC 2327.


Note Currently, the FWSM does not support NAT TFTP messages.
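The following Python example is added here to show what the SIP fixup has to read out of a signaling message; it is not FWSM code and not part of this reference. It builds a constructed INVITE from an inside phone, parses the SDP body for the c= (address) and m= (port) lines to derive the media pinholes that must be opened while the call is up, and rewrites the embedded inside address to a global address the way NAT for SIP requires, correcting Content-Length because the translated address is a different length. The message, the addresses, the helper names and the RTP-port-plus-one RTCP convention are assumptions of the example.

```python
import re

# Constructed SDP body for the example (not captured traffic): the session-level c= line
# gives the media address, each m= line gives the RTP port the firewall has to open.
SDP_BODY = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 10.1.1.20\r\n"
    "s=-\r\n"
    "c=IN IP4 10.1.1.20\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "m=video 51372 RTP/AVP 31\r\n"
)


def build_invite(body):
    """Constructed SIP INVITE from an inside phone at 10.1.1.20 carrying the SDP body."""
    headers = (
        "INVITE sip:bob@example.com SIP/2.0\r\n"
        "Via: SIP/2.0/UDP 10.1.1.20:5060;branch=z9hG4bK776asdhds\r\n"
        "From: <sip:alice@example.com>;tag=1928301774\r\n"
        "To: <sip:bob@example.com>\r\n"
        "Call-ID: a84b4c76e66710@10.1.1.20\r\n"
        "CSeq: 314159 INVITE\r\n"
        "Contact: <sip:alice@10.1.1.20:5060>\r\n"
        "Content-Type: application/sdp\r\n"
        f"Content-Length: {len(body)}\r\n"
    )
    return headers + "\r\n" + body


def split_message(msg):
    head, _, body = msg.partition("\r\n\r\n")
    return head, body


def media_pinholes(sdp):
    """Return (address, rtp_port, rtcp_port, media_type) for each m= line.

    Assumes a session-level c= line before the m= lines; RTCP on RTP port + 1 is the
    usual convention, assumed here rather than stated by the page.
    """
    addr = None
    pinholes = []
    for line in sdp.splitlines():
        if line.startswith("c=IN IP4 "):
            addr = line[len("c=IN IP4 "):].strip()
        m = re.match(r"m=(\w+) (\d+)(?:/\d+)? ", line)
        if m and addr:
            port = int(m.group(2))
            pinholes.append((addr, port, port + 1, m.group(1)))
    return pinholes


def nat_rewrite(msg, inside_ip, global_ip):
    """Replace the embedded inside address in headers and SDP, then fix Content-Length,
    which changes whenever the translated address has a different length.
    (Plain substring replace is enough for this constructed message; a real fixup
    matches whole addresses so that 10.1.1.20 is not found inside 10.1.1.200.)"""
    head, body = split_message(msg)
    head = head.replace(inside_ip, global_ip)
    body = body.replace(inside_ip, global_ip)
    head = re.sub(r"(?im)^Content-Length: \d+", f"Content-Length: {len(body)}", head)
    return head + "\r\n\r\n" + body


def content_length(msg):
    """(declared Content-Length, actual body length) for a consistency check."""
    head, body = split_message(msg)
    declared = int(re.search(r"(?im)^Content-Length: (\d+)", head).group(1))
    return declared, len(body)


def demo():
    invite = build_invite(SDP_BODY)
    translated = nat_rewrite(invite, "10.1.1.20", "209.165.201.5")
    declared, actual = content_length(translated)
    _, body = split_message(translated)
    return media_pinholes(body), declared == actual, "10.1.1.20" in translated


if __name__ == "__main__":
    print(demo())
```

After translation the two pinholes point at the global address (209.165.201.5, UDP 49170/49171 for audio and 51372/51373 for video), the declared Content-Length matches the rewritten body, and the inside address no longer appears anywhere in the message. Because these ports are only known after the signaling has been parsed, disabling the fixup with no fixup protocol sip 5060 means the media streams are no longer opened automatically.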


fixup protocol skinny

The Skinny Client Control Protocol (SCCP or "skinny") protocol supports IP telephony. An application layer ensures that all SCCP signaling and media packets can traverse the FWSM. The skinny fixup supports both NAT and PAT configurations.


Note The FWSM does not recognize or inspect skinny messages that are fragmented.

Skinny message fragmentation can occur when a call is established that includes a conference bridge. The FWSM tracks the skinny protocol to follow the RTP traffic flow; however, when the skinny messages are fragmented, the FWSM cannot correctly track the RTP flow.


fixup protocol smtp

The fixup protocol smtp command allows you to enable Mail Guard, which lets only mail servers receive the RFC 821, section 4.5.1, commands of HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT. All other commands are translated into Xs, which are rejected by the internal server. This situation results in a message such as "500 Command unknown: 'XXX'." Incomplete commands are discarded.


Note During an interactive SMTP session, various SMTP security rules may reject or deadlock your Telnet session. These rules include the following: SMTP commands must be at least four characters, must be terminated with a carriage return and line feed, and must wait for a response before issuing the next reply.


In FWSM software version 1.1 and later versions, the fixup protocol smtp command changes the characters in the SMTP banner to asterisks, except for the "2", "0", and "0" characters. The carriage return and line feed characters are ignored.

In FWSM software version 1.1, all characters in the SMTP banner are converted to asterisks.
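The following Python model is added here to illustrate the Mail Guard behaviour described in this section; it is not FWSM code and not part of this reference. It passes only the RFC 821 section 4.5.1 minimum commands (HELO, MAIL, RCPT, DATA, RSET, NOOP, QUIT) to the inside server, rewrites every other command line to X's so that the server rejects it, discards lines that are not terminated with a carriage return and line feed, and masks the server banner. Two details are this model's assumptions rather than statements of the page: the whole command line (not only the verb) is replaced with X's, and the banner masking keeps the three-character reply code and turns everything else except CR/LF into asterisks. The sample session lines are constructed.

```python
ALLOWED_COMMANDS = {b"HELO", b"MAIL", b"RCPT", b"DATA", b"RSET", b"NOOP", b"QUIT"}


def filter_client_line(line):
    """Return the line as the inside mail server will see it, or None if it is discarded.

    Assumptions of this model (the page does not spell them out): the whole command line,
    not only the verb, is rewritten to X's, and a verb shorter than four characters is
    discarded like an incomplete command.
    """
    if not line.endswith(b"\r\n"):
        return None                                  # incomplete command: discarded
    body = line[:-2]
    verb = body.split(b" ", 1)[0]
    if len(verb) < 4:                                # SMTP commands must be at least four characters
        return None
    if verb.upper() in ALLOWED_COMMANDS:
        return line
    # Anything else (EHLO, VRFY, EXPN, TURN, ...) reaches the server as X's, which it
    # rejects with something like "500 Command unknown: 'XXXX'"
    return b"X" * len(body) + b"\r\n"


def mask_banner(banner):
    """Mask the server greeting: keep the three-character reply code (this model's reading
    of the page's "2", "0", "0"), leave CR/LF alone, replace every other byte with '*'."""
    out = bytearray()
    for i, b in enumerate(banner):
        out.append(b if (i < 3 or b in b"\r\n") else ord("*"))
    return bytes(out)


SAMPLE_SESSION = [   # constructed client lines, not a captured session
    b"EHLO mail.example.com\r\n",    # ESMTP greeting is not in the allowed set
    b"HELO mail.example.com\r\n",
    b"VRFY root\r\n",                # account enumeration request: rewritten to X's
    b"MAIL FROM:<alice@example.com>\r\n",
    b"RCPT TO:<bob@example.com>\r\n",
    b"DATA",                         # no CRLF yet: incomplete, discarded
    b"QUIT\r\n",
]


def run_session(lines):
    return [filter_client_line(line) for line in lines]


if __name__ == "__main__":
    for line, seen in zip(SAMPLE_SESSION, run_session(SAMPLE_SESSION)):
        print(line, "->", seen)
    print(mask_banner(b"220 mail.example.com ESMTP Postfix\r\n"))
```

Running the sample session shows EHLO and VRFY reaching the server only as strings of X's, the bare DATA fragment being dropped, and the remaining commands passing unchanged; the banner comes back as the reply code followed by asterisks, which is why an outside client cannot read the server software and version from the greeting while Mail Guard is enabled.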

fixup protocol sqlnet

The FWSM uses port 1521 for SQL*Net. This is the default port used by Oracle for SQL*Net; however, this value does not agree with IANA port assignments.

Examples

This example shows how to enable the CTIQBE fixup:

fwsm/context_name(config)# fixup protocol ctiqbe 2748

fwsm(config)# show fixup protocol ctiqbe
fixup protocol ctiqbe 2748

This example shows how to enable access to an inside server running Mail Guard:

fwsm/context_name(config)# static (inside,outside) 209.165.201.1 192.168.42.1 netmask 255.255.255.255
fwsm/context_name(config)# access-list acl_out permit tcp host 209.165.201.1 eq smtp any
fwsm/context_name(config)# access-group acl_out in interface outside
fwsm/context_name(config)# fixup protocol smtp 25

This example shows how to disable Mail Guard:

fwsm/context_name(config)# static (dmz1,outside) 209.165.201.1 10.1.1.1 netmask 255.255.255.255
fwsm/context_name(config)# access-list acl_out permit tcp host 209.165.201.1 eq smtp any
fwsm/context_name(config)# access-group acl_out in interface outside
fwsm/context_name(config)# no fixup protocol smtp 25

In this example, the static command allows you to set up a global address to permit access for outside hosts to the 10.1.1.1 mail server host on the dmz1 interface. (The MX record for DNS needs to point to the 209.165.201.1 address so that mail is sent to this address.) The access-list command allows access for any outside users to the global address through the SMTP port (25). The no fixup protocol command disables Mail Guard.

This example shows a fixup protocol ftp configuration that uses multiple FTP fixups:

For an FWSM with two interfaces
:
ip address outside 192.168.1.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
:
: There is an inside host 10.1.1.15 that is
: exported as 192.168.1.15.  This host runs the FTP
: services at port 21 and 1021
:
static (inside, outside) 192.168.1.15 10.1.1.15
:
: Construct an access list to permit inbound FTP traffic to
: port 21 and 1021
:
access-list outside permit tcp any host 192.168.1.15 eq ftp
access-list outside permit tcp any host 192.168.1.15 eq 1021
access-group outside in interface outside
:
: Specify that traffic to port 21 and 1021 are FTP traffic
:
fixup protocol ftp 21
fixup protocol ftp 1021

This example shows how to enable the MGCP fixup on the FWSM:

fwsm/context_name(config)# fixup protocol mgcp 2427
fwsm/context_name(config)# fixup protocol mgcp 2727
fwsm(config)# show running-config
: Saved
:
fwsm# Version 2.2(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname fwsm#
domain-name cisco.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol mgcp 2427
fixup protocol mgcp 2727
fixup protocol sip udp 5060
names
access-list 101 permit tcp any host 10.1.1.3 eq www 
access-list 101 permit tcp any host 10.1.1.3 eq smtp 
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 172.23.59.232 255.255.0.0
ip address inside 10.1.1.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
routing interface inside
route outside 0.0.0.0 0.0.0.0 172.23.59.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server RADIUS protocol radius 
aaa-server LOCAL protocol local 
http server enable
http 10.1.1.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcprelay server 10.1.1.1 outside
terminal width 80
Cryptochecksum:00000000000000000000000000000000
: end

This example shows how to remove the MGCP fixup from the configuration:

fwsm/context_name(config)# no fixup protocol mgcp

Related Commands

clear fixup
debug
mgcp
show conn
show fixup
timeout

flashfs

To downgrade the file system information, use the flashfs command. To remove the file system information, use the no form of this command.

[no] flashfs

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system command line

Command Mode: privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The clear flashfs command allows you to clear the file system part of the Flash partition in the FWSM. Versions 4.n cannot use the information in the file system; you need to clear the memory to let the earlier version operate correctly.

The clear flashfs command does not affect the configuration that is stored in the Flash partition.

Examples

This example shows how to write the file system to the Flash partition before downgrading to a lower version of software:

fwsm(config)# flashfs

Related Commands

clear flashfs
show flashfs

floodguard

To enable or disable the flood defender to protect against flood attacks, use the floodguard command.

floodguard {enable | disable}

Syntax Description

enable

Enables the flood defender.

disable

Disables the flood defender.


Defaults

Enabled

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The floodguard command allows you to reclaim the FWSM resources if the user authentication (uauth) subsystem runs out of resources. If an inbound or outbound uauth connection is being attacked or overused, the FWSM actively reclaims the TCP user resources.

When the resources deplete, the FWSM lists messages about being out of resources or out of tcpusers.

If the FWSM uauth subsystem is depleted, the TCP user resources in different states are reclaimed. The order depends on the urgency of this situation:

1. Timewait

2. FinWait

3. Embryonic

4. Idle

Examples

This example shows how to enable the floodguard command and list the floodguard command in the configuration:

fwsm/context_name(config)# floodguard enable
fwsm/context_name(config)# show floodguard
floodguard enable

Related Commands

clear floodguard
show floodguard

format

To format the disk file system, use the format command.

format disk:

Syntax Description

disk:

Specifies the device to format.


Defaults

If you do not specify a directory, the directory is changed to disk: by default.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system command line

Command Mode: privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The format command allows you to erase all data on the device and then write the file allocation table (FAT) information to the device.

Examples

This example shows how to format the disk file system:

fwsm(config)# format disk:

Related Commands

cd
copy disk
copy flash
copy ftp
copy tftp
dir
mkdir
more
pwd
rename
rmdir
show file

fragment

To provide additional management of packet fragmentation and improve compatibility with the Network File System (NFS), use the fragment command.

fragment size database-limit [interface]

fragment chain chain-limit [interface]

fragment timeout seconds [interface]

Syntax Description

size database-limit

Sets the maximum number of packets in the fragment database; valid values are from 1 to 30000 or the total number of blocks. See the "Usage Guidelines" section for additional information.

interface

(Optional) FWSM interface. If not specified, the command will apply to all interfaces.

chain chain-limit

Specifies the maximum number of packets into which a full IP packet can be fragmented; valid values are from 1 to 8200 packets.

timeout seconds

Specifies the maximum number of seconds that a packet fragment will wait to be reassembled after the first fragment is received before being discarded; valid values are from 1 to 30 seconds.


Defaults

The defaults are as follows:

chain-limit is 24.

database-limit is 200.

seconds is 5.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(3)

Support for this command was introduced on the FWSM. This command replaces the fragguard command.


Usage Guidelines

By default, the FWSM accepts up to 24 fragments to reconstruct a full IP packet. Based on your network security policy, you should consider configuring the FWSM to prevent fragmented packets from traversing the FWSM by entering the fragment chain 1 interface command on each interface. Setting the limit to 1 means that all packets must be whole; that is, unfragmented.

If a large percentage of the network traffic through the FWSM is NFS, additional tuning may be necessary to avoid database overflow. See system log message 209003 for additional information.

In an environment where the MTU between the NFS server and client is small, such as a WAN interface, the chain keyword may require additional tuning. In this case, we recommend using NFS over TCP to improve efficiency.

If you do not specify the interface, the command applies to all interfaces.

Setting the database-limit of the size keyword to a large value can make the FWSM more vulnerable to a Denial of Service (DoS) attack by fragment flooding. Do not set the database-limit equal to or greater than the total number of blocks in the 1550 or 16384 pool. See the show block command for more details. The default values will limit DoS due to fragment flooding to that interface only.
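The following Python model is added here to show how the three limits interact; it is not FWSM code and not part of this reference. It keeps a per-interface fragment database and applies the size (database-limit), chain (chain-limit) and timeout (seconds) settings with the page's defaults of 200, 24 and 5, including chain 1, which rejects every fragment on that interface. Offsets are in bytes rather than the 8-byte units of the IP header, the fragments and interface names are constructed, and the class and method names are the example's own.

```python
from dataclasses import dataclass, field

DEFAULTS = {"size": 200, "chain": 24, "timeout": 5}   # the page's default values


@dataclass
class Fragment:
    """One IP fragment; offset and length are in bytes (simplified from 8-byte units)."""
    iface: str
    src: str
    dst: str
    ident: int
    offset: int
    more: bool      # More Fragments flag
    length: int
    arrival: float  # seconds


@dataclass
class Chain:
    first_seen: float
    frags: list = field(default_factory=list)


class FragmentDatabase:
    def __init__(self):
        self.limits = {}    # iface (None = all interfaces) -> {keyword: value}
        self.chains = {}    # (iface, src, dst, ident) -> Chain
        self.drops = []     # (key, reason), standing in for syslog

    def configure(self, keyword, value, iface=None):
        """Model of 'fragment {size|chain|timeout} value [interface]'."""
        if keyword not in DEFAULTS:
            raise ValueError(keyword)
        self.limits.setdefault(iface, {})[keyword] = value

    def limit(self, iface, keyword):
        per_if = self.limits.get(iface, {})
        all_if = self.limits.get(None, {})
        return per_if.get(keyword, all_if.get(keyword, DEFAULTS[keyword]))

    def held_on(self, iface):
        return sum(len(c.frags) for k, c in self.chains.items() if k[0] == iface)

    def expire(self, now):
        """Discard chains whose first fragment is older than the interface timeout."""
        for key, chain in list(self.chains.items()):
            if now - chain.first_seen > self.limit(key[0], "timeout"):
                self.drops.append((key, "reassembly timeout"))
                del self.chains[key]

    @staticmethod
    def complete(chain):
        frags = sorted(chain.frags, key=lambda f: f.offset)
        expected = 0
        for f in frags:
            if f.offset != expected:
                return False
            expected += f.length
        return not frags[-1].more

    def add(self, f):
        """Return "whole", "hold", "reassembled" or "drop" for one arriving packet."""
        self.expire(f.arrival)
        key = (f.iface, f.src, f.dst, f.ident)
        if f.offset == 0 and not f.more:
            return "whole"                               # not a fragment: nothing to hold
        if self.limit(f.iface, "chain") == 1:
            self.drops.append((key, "fragments not permitted (chain 1)"))
            return "drop"
        if self.held_on(f.iface) >= self.limit(f.iface, "size"):
            self.drops.append((key, "fragment database full"))   # bounds a fragment flood
            return "drop"
        chain = self.chains.get(key)
        if chain is None:
            chain = self.chains[key] = Chain(first_seen=f.arrival)
        if len(chain.frags) + 1 > self.limit(f.iface, "chain"):
            self.drops.append((key, "chain limit exceeded"))
            del self.chains[key]
            return "drop"
        chain.frags.append(f)
        if self.complete(chain):
            del self.chains[key]
            return "reassembled"
        return "hold"


def demo():
    db = FragmentDatabase()
    db.configure("chain", 1, "inside")      # fragment chain 1 inside
    db.configure("size", 2, "outside")      # tiny database so the limit is visible
    db.configure("chain", 2, "dmz")
    F = Fragment
    results = [
        db.add(F("outside", "198.51.100.7", "10.1.1.15", 1, 0, True, 1480, 0.0)),     # hold
        db.add(F("outside", "198.51.100.7", "10.1.1.15", 1, 1480, False, 200, 0.1)),  # reassembled
        db.add(F("inside", "10.1.1.15", "198.51.100.7", 2, 0, True, 1480, 0.3)),      # drop
        db.add(F("outside", "198.51.100.8", "10.1.1.15", 3, 0, True, 1480, 1.0)),     # hold
        db.add(F("outside", "198.51.100.9", "10.1.1.15", 4, 0, True, 1480, 1.1)),     # hold
        db.add(F("outside", "198.51.100.10", "10.1.1.15", 5, 0, True, 1480, 1.2)),    # drop
        db.add(F("outside", "198.51.100.10", "10.1.1.15", 5, 0, True, 1480, 7.5)),    # hold
        db.add(F("dmz", "10.2.2.2", "10.1.1.15", 6, 0, True, 1480, 8.0)),             # hold
        db.add(F("dmz", "10.2.2.2", "10.1.1.15", 6, 1480, True, 1480, 8.1)),          # hold
        db.add(F("dmz", "10.2.2.2", "10.1.1.15", 6, 2960, False, 100, 8.2)),          # drop
    ]
    return results, [reason for _, reason in db.drops]


if __name__ == "__main__":
    print(demo())
```

The run shows each limit once: the inside interface with chain 1 drops its fragment outright, the outside database of size 2 refuses a third concurrent fragment and only admits it again after the two stale chains pass the 5-second timeout, and the dmz interface with chain 2 discards a packet that needs three fragments. The size check is what keeps a fragment flood on one interface from consuming the whole block pool, which is the reason the text gives for not raising database-limit to the pool size.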

Examples

This example shows how to prevent fragmented packets on the outside and inside interfaces:

fwsm/context_name(config)# fragment chain 1 outside
fwsm/context_name(config)# fragment chain 1 inside

Continue entering the fragment chain 1 interface command for each additional interface on which you want to prevent fragmented packets.

This example shows how to configure the outside fragment database to limit a maximum size of 2000, a maximum chain length of 45, and a wait time of 10 seconds:

fwsm/context_name(config)# fragment size 2000 outside
fwsm/context_name(config)# fragment chain 45 outside
fwsm/context_name(config)# fragment timeout 10 outside

Related Commands

clear fragment

ftp mode

To set the FTP mode, use the ftp mode command. To disable the FTP mode, use the no form of this command.

[no] ftp mode passive

Syntax Description

passive

Sets the FTP mode to passive.


Defaults

passive

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to set the FTP mode to passive:

fwsm(config)# ftp mode passive

Related Commands

clear ftp
show ftp