Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference, 2.3
A through B Commands

Firewall Services Module Commands

Table Of Contents

Firewall Services Module Commands

aaa accounting

aaa accounting match

aaa authentication include, exclude

aaa authentication console

aaa authentication match

aaa authentication secure-http-client

aaa authorization

aaa authorization command

aaa authorization match

aaa proxy-limit

aaa-server

aaa-server radius-acctport

aaa-server radius-authport

access-group

access-list alert-interval

access-list commit

access-list deny-flow-max

access-list ethertype

access-list extended

access-list icmp host

access-list mode

access-list object-group

access-list remark

access-list standard

activation-key

admin-context

alias

allocate-acl-partition (context submode)

allocate-interface (context submode)

area

arp

arp-inspection

auth-prompt

banner


Firewall Services Module Commands


This chapter contains an alphabetical listing of all the commands that are available to configure the Firewall Services Module (FWSM) on the Catalyst 6500 series switch and Cisco 7600 series router.

aaa accounting

To include or exclude TACACS+ or RADIUS user accounting on a server (designated by the aaa-server command), use the aaa accounting command. To disable accounting services, use the no form of this command.

[no] aaa accounting {include | exclude} service interface_name source_ip source_mask [destination_ip destination_mask] server_tag

Syntax Description

include

Creates a new rule with the specified service to include.

exclude

Creates an exception to a previously stated rule by excluding the specified service from accounting.

service

Accounting service; valid values are any, ftp, http, telnet.

interface_name

Interface name from which users require authentication.

source_ip

IP address of the local host or network of hosts that you want to be authenticated or authorized.

source_mask

Network mask of source_ip.

destination_ip

(Optional) IP address of the destination hosts that you want to access the source_ip address; 0 indicates that all hosts have access.

destination_mask

(Optional) Network mask of the destination_ip.

server_tag

AAA server group tag.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The interface_name must match the VLAN number.

Before you can use this command, you must first designate an AAA server with the aaa server command.

To enable accounting for traffic that is specified by an access list, use the aaa accounting match command.


Note Use the match option between interfaces with the same security level. The include and exclude options are not supported in this configuration. If used, no warning is issued but the traffic on those interfaces will be dropped.


User accounting services can track the network services that a user accesses. These records are also kept on the designated AAA server. Accounting information is sent only to the active server in a server group.

When specifying the service, use the any keyword to provide accounting for all TCP services. For UDP services, use protocol/port. The port refers to the TCP or UDP destination port. A port value of 0 (zero) indicates all ports. For protocols other than TCP and UDP, the port is not applicable and should not be used. See Appendix B, "Port and Protocol Values" for port information.

Use the aaa accounting command with the aaa authentication include, exclude command and, optionally, the aaa authorization command. You must have authentication for the traffic that you want to track.

To track connections from any host, enter the local IP address and netmask as 0.0.0.0  0.0.0.0 or 0 0. Use the same convention for the destination host IP addresses and netmasks; enter 0.0.0.0  0.0.0.0 to indicate any destination host.


Tip The help aaa command displays the syntax and usage for the aaa authentication include, exclude, aaa authorization, aaa accounting, and aaa proxy-limit commands in summary form.


Use interface_name with the source_ip address and the destination_ip address to determine where access is to come from and from whom.

Examples

This example shows how to enable accounting for all TCP traffic from any host on the inside interface to any destination, using the default TACACS+ server group:

fwsm/context(config)# aaa accounting include any inside 0 0 0 0 TACACS+

Related Commands

aaa accounting match

aaa authentication include, exclude

aaa authorization

auth-prompt

password/passwd

service

ssh

telnet

virtual

aaa accounting match

To enable accounting for traffic that is identified by an access list, use the aaa accounting match command. To disable accounting for traffic that is identified by an access list, use the no form of this command.

[no] aaa accounting match access_list_name interface_name server_tag

Syntax Description

access_list_name

Access list name.

interface_name

Interface name from which users require authentication.

server_tag

AAA server group tag.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The access_list_name is defined by the access-list extended command.

In an ACL, permit = account and deny = do not account.

The AAA server group tag is defined by the aaa-server command. Before you can use this command, you must first designate an AAA server with the aaa-server command.

Examples

This example shows how to enable accounting on a specific access list:

fwsm/context(config)# aaa accounting match acl1 termite scram
fwsm/context(config)# show acl
access-list mode auto-commit
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300

Related Commands

aaa authentication include, exclude

aaa authorization

auth-prompt

password/passwd

service

ssh

telnet

virtual

aaa authentication include, exclude

To enable accounting for connections through the FWSM, use the aaa accounting include command in global configuration mode. To exclude addresses from accounting, use the aaa accounting exclude command. To disable accounting, use the no form of this command.

aaa accounting {include | exclude} service interface_name inside_ip inside_mask [outside_ip outside_mask] server_tag

no aaa accounting {include | exclude} service interface_name inside_ip inside_mask [outside_ip outside_mask] server_tag

Syntax Description

exclude

Excludes the specified service and address from accounting if it was already specified by an include command.

include

Specifies the services and IP addresses that require accounting. Traffic that is not specified by an include statement is not processed.

inside_ip

Specifies the IP address on the higher security interface. This address might be the source or the destination address, depending on the interface to which you apply this command. If you apply the command to the lower security interface, then this address is the destination address. If you apply the command to the higher security interface, then this address is the source address. Use 0 to mean all hosts.

inside_mask

Specifies the network mask for the inside IP address. Use 0 if the IP address is 0. Use 255.255.255.255 for a host.

interface_name

Specifies the interface name from which users require accounting.

outside_ip

(Optional) Specifies the IP address on the lower security interface. This address might be the source or the destination address, depending on the interface to which you apply this command. If you apply the command to the lower security interface, then this address is the source address. If you apply the command to the higher security interface, then this address is the destination address. Use 0 to mean all hosts.

outside_mask

(Optional) Specifies the network mask for the outside IP address. Use 0 if the IP address is 0. Use 255.255.255.255 for a host.

server_tag

Specifies the AAA server group defined by the aaa-server host command.

service

Specifies the services that require accounting. You can specify one of the following values:

any or tcp/0 (specifies all TCP traffic)

ftp

http

https

ssh

telnet

tcp/port

udp/port


Defaults

By default, AAA accounting for administrative access is disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode            Firewall Mode            Security Context
                        Routed    Transparent    Single    Multiple
                                                           Context    System

Global configuration


Command History

Release
Modification

1.1(1)

This command was introduced.


Usage Guidelines

The FWSM can send accounting information to a RADIUS or TACACS+ server about any TCP or UDP traffic that passes through the FWSM. If that traffic is also authenticated, then the AAA server can maintain accounting information by username. If the traffic is not authenticated, the AAA server can maintain accounting information by IP address. Accounting information includes when sessions start and stop, username, the number of bytes that pass through the FWSM for the session, the service used, and the duration of each session.

Before you can use this command, you must first designate an AAA server with the aaa-server command.

To enable accounting for traffic that is specified by an access list, use the aaa accounting match command. You cannot use the match command in the same configuration as the include and exclude commands. We suggest that you use the match command instead of the include and exclude commands; the include and exclude commands are not supported by ASDM.

You cannot use the aaa accounting include and exclude commands between same-security interfaces. For that scenario, you must use the aaa accounting match command.

Examples

The following example enables accounting on all TCP connections:

fwsm(config)# aaa-server mygroup protocol tacacs+
fwsm(config)# aaa-server mygroup (inside) host 192.168.10.10 thekey timeout 20
fwsm(config)# aaa accounting include any inside 0 0 0 0 mygroup
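The match-based form that the usage guidelines recommend over include and exclude (and the only form that works between same-security interfaces), as an added example that is not part of the original reference. The group name mygroup, the access-list name acct_acl and the addresses are constructed for illustration; the access-list extended syntax is assumed from the FWSM command set and is not shown on this page.

```text
fwsm(config)# aaa-server mygroup protocol tacacs+
fwsm(config)# aaa-server mygroup (inside) host 192.168.10.10 thekey timeout 20
fwsm(config)# access-list acct_acl extended permit tcp 10.1.1.0 255.255.255.0 any eq 80
fwsm(config)# access-list acct_acl extended permit tcp 10.1.1.0 255.255.255.0 any eq 21
fwsm(config)# aaa accounting match acct_acl inside mygroup
```

In the access list, permit means account and deny (including the implicit deny at the end) means do not account, so only HTTP and FTP from 10.1.1.0/24 is reported to mygroup.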

Related Commands

aaa authorization

auth-prompt

password/passwd

service

ssh

telnet

virtual

aaa authentication console

To enable authentication for access to the FWSM CLI, use the aaa authentication console command. To disable authentication verification, use the no form of this command.

[no] aaa authentication {enable | telnet | ssh | http} console {server_tag [LOCAL] | LOCAL}

Syntax Description

enable

(Optional) Specifies access verification for the FWSM's privileged mode.

telnet

(Optional) Specifies access verification for the Telnet access to the FWSM console.

ssh

(Optional) Specifies access verification for the SSH access to the FWSM console.

http

(Optional) Specifies access verification for the HTTP (Hypertext Transfer Protocol) access to the FWSM (through FDM).

server_tag

AAA server group tag of the local database.

LOCAL

See the "Usage Guidelines" section for information.


Defaults

The defaults are as follows:

The login password is cisco.


Note The cisco password cannot be used when specifying a password for user authentication.


The enable password is not set.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.

2.2(1)

This command was modified to support fallback to LOCAL.


Usage Guidelines

The AAA server group tag is defined by the aaa-server command.

The LOCAL keyword specifies a second authentication method, which can only be the local database. The LOCAL keyword is optional when it follows a RADIUS or TACACS+ server_tag.

Any access to the module (SSH, Telnet, enable) requiring a username and password is prompted only three times.

The enable and ssh keywords allow three tries before stopping with an access-denied message as follows:

The enable keyword requests a username and password before accessing privileged mode.

The ssh keyword requests a username and password before the first command line prompt on the SSH console connection. The ssh keyword allows a maximum of three authentication attempts.

The telnet keyword prompts you continually until you successfully log in. The telnet keyword forces you to specify a username and password before the first command line prompt of a Telnet console connection.

Telnet access to the FWSM CLI is available from any internal interface and from the outside interface with IPSec configured. Telnet access requires previous use of the telnet command.

SSH access to the FWSM console is also available from any interface (IPSec does not have to be configured on the interface). SSH access requires previous use of the ssh command.

If an aaa authentication ssh console server_tag command is not defined, you can gain access to the CLI with the username pix and the FWSM Telnet password (set with the passwd command). If the aaa command is defined but the SSH authentication requests time out, which implies that the AAA servers may be down or unavailable, you can gain access to the FWSM using the pix username and the enable password (set with the enable password command).

The FWSM supports authentication usernames up to 127 characters and passwords up to 16 characters (some AAA servers accept passwords up to 32 characters). A password or username may not contain an "@" character as part of the password or username string.

The command only accepts the second, optional LOCAL keyword when the server_tag refers to an existing, valid TACACS+ or RADIUS server group defined in an aaa-server command. You can configure LOCAL as the first and only server_tag.

The no form of the command removes the complete command and does not support removing single methods.

Examples

This example shows how to enable authentication service for the FWSM console:

fwsm/context(config)# aaa authentication enable console 756
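Console authentication with LOCAL as the fallback method described in the usage guidelines, as an added example that is not part of the original reference. The group name mytacacs, the server address and the key are constructed; LOCAL may appear as the second method only because mytacacs is an existing TACACS+ group, and it only helps once a local user has been created (the username command is outside this chapter).

```text
fwsm/context(config)# aaa-server mytacacs protocol tacacs+
fwsm/context(config)# aaa-server mytacacs (inside) host 10.1.1.10 thekey timeout 10
fwsm/context(config)# aaa authentication ssh console mytacacs LOCAL
fwsm/context(config)# aaa authentication enable console mytacacs LOCAL
fwsm/context(config)# aaa authentication telnet console LOCAL
```

If the TACACS+ requests time out, SSH and enable logins fall back to the local database; Telnet here uses the local database only. The no form removes a whole line, so to change a method you re-enter the complete command.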

Related Commands

aaa authorization

auth-prompt

password/passwd

service

ssh

telnet

virtual

aaa authentication match

To enable authentication on a specific access list, use the aaa authentication match command. To disable authentication on a specific access list, use the no form of this command.

[no] aaa authentication match access_list_name interface_name server_tag

Syntax Description

access_list_name

Access list name.

interface_name

Interface name.

server_tag

AAA server group tag.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The access_list_name is defined by the access-list extended command.

The AAA server group tag is defined by the aaa-server command. Enter TACACS+ or RADIUS to use the authentication database.

The FWSM supports authentication usernames up to 127 characters and passwords up to 16 characters (some AAA servers accept passwords up to 32 characters). A password or username may not contain an "@" character as part of the password or username string.

Examples

This example shows how to enable authentication on a specific access list:

fwsm/context(config)# aaa authentication match

Related Commands

aaa authorization

auth-prompt

password/passwd

service

ssh

telnet

virtual

aaa authentication secure-http-client

To enable encryption of usernames and passwords that are exchanged between an HTTP client and the FWSM, use the aaa authentication secure-http-client command. To disable encryption for usernames and passwords, use the no form of this command.

[no] aaa authentication secure-http-client

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.3(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to enable encryption of the usernames and passwords exchanged with HTTP clients and then verify the setting:

fwsm/context(config)# aaa authentication secure-http-client
fwsm/context(config)# show aaa
aaa authentication secure-http-client

Related Commands

aaa authorization

auth-prompt

password/passwd

service

ssh

telnet

virtual

aaa authorization

To include or exclude a service from authorization to the specified host, use the aaa authorization command. To disable the feature, use the no form of this command.

[no] aaa authorization {include | exclude} service interface_name source_ip source_mask destination_ip destination_mask tacacs_server_tag

Syntax Description

include

Creates a new rule with the specified service to include.

exclude

Creates an exception to a previously stated rule by excluding the specified service from authorization to the specified host.

service

Services that require authorization; see the "Usage Guidelines" section for more information.

interface_name

Interface name that requires authentication.

source_ip

IP address of the host or the network of hosts that you want to be authorized.

source_mask

Network mask of the source_ip.

destination_ip

IP address of the hosts that you want to access the source_ip address.

destination_mask

Network mask of the destination_ip.

tacacs_server_tag

TACACS+ server group tag.


Defaults

An IP address of 0 indicates all hosts.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.

2.2(1)

This command was modified to support a second LOCAL method for AAA configurations.


Usage Guidelines

The exclude keyword replaces the former except optional keyword by allowing the user to specify a port to exclude to a specific host or hosts.


Note Use the match option between interfaces with the same security level. The include and exclude options are not supported in this configuration. If used, no warning is issued but the traffic on those interfaces will be dropped.


When specifying the destination IP, use 0 to indicate all hosts.

For the destination and local masks, always specify a specific mask value. Use 0 if the IP address is 0, and use 255.255.255.255 for a host.

Use interface_name in combination with the source_ip address and the destination_ip address to determine where access is to come from and from whom. The source_ip address is always on the highest security level interface and destination_ip is always on the lowest security level.

You can set the local IP address to 0 to indicate all hosts and to let the authentication server decide which hosts are authenticated.

Valid values for service are any, ftp, http, telnet, or protocol/port. Services that are not specified are authorized implicitly. Services that are specified in the aaa authentication command do not affect the services that require authorization.

For protocol/port, enter the following:

protocol—Enter the protocol (6 for TCP, 17 for UDP, 1 for ICMP, and so on).

port—Enter the TCP or UDP destination port or port range. The port can also be the ICMP type; that is, 8 for ICMP echo or ping. A port value of 0 (zero) means all ports. Port ranges apply only to the TCP and UDP protocols, not to ICMP. For protocols other than TCP, UDP, and ICMP, the port is not applicable and should not be used. An example port specification is as follows:

fwsm/context(config)# aaa authorization include udp/53-1024 inside 0 0 0 0

This example shows how to enable authorization for DNS lookups to the inside interface for all clients and authorizes access to any other services that have ports in the range of 53 to 1024.

A specific authorization rule does not require the equivalent authentication. Authentication is only required with either FTP, HTTP, or Telnet to provide an interactive method with the user to enter the authorization credentials.

Except for its use with command authorization, the aaa authorization command requires previous configuration with the aaa authentication command; however, use of the aaa authentication command does not require use of the aaa authorization command.

Currently, the aaa authorization command is supported for use with local and TACACS+ servers but not with RADIUS servers. Although explicit RADIUS authorization cannot be configured, a dynamic ACL can be set at the RADIUS server to provide authorization (even if it is not configured in the FWSM).


Tip The help aaa command displays the syntax and usage for the aaa authentication, aaa authorization, aaa accounting, and aaa proxy-limit commands in summary form.


One aaa authorization command is permitted for each IP address. To authorize more than one service with aaa authorization, use the any keyword for the service type.

If the first authorization attempt fails and a second attempt causes a timeout, use the service resetinbound command to reset the client that failed the authorization so that it will not retransmit any connections. This example shows an authorization timeout message in Telnet:

Unable to connect to remote host: Connection timed out

User authorization services control which network services that a user can access. After a user is authenticated, attempts to access restricted services cause the FWSM to verify the access permissions of the user with the designated AAA server.


Note RADIUS authorization is supported for use with the access-list deny-flow-max commands and for use in configuring a RADIUS server with an acl=access_list_name vendor-specific identifier. For more information, see the access-list deny-flow-max command and the aaa-server radius-authport command.

If the AAA console login request times out, you can gain access to the FWSM by entering the fwsm username and the enable password.


When specifying the service option, the valid values are telnet, ftp, http, https, tcp/0, tcp/port, udp/port, icmp/port, or protocol[/port]. Only Telnet, FTP, HTTP, and HTTPS traffic triggers interactive user authentication.

For authentication of console access, Telnet access, SSH access, and enable mode access, specify telnet, ssh, or enable.

Examples

This example shows how to specify the default FWSM protocol configuration:

fwsm/context(config)# aaa-server TACACS+ protocol tacacs+
fwsm/context(config)# aaa-server RADIUS protocol radius
fwsm/context(config)# aaa-server LOCAL protocol local

This example shows how to use the default protocol TACACS+ with the aaa commands. The first command specifies that the authentication server with the IP address 10.1.1.10 resides on the inside interface and is in the default TACACS+ server group. The next three commands specify that any users starting outbound connections to any destination host will be authenticated using TACACS+, that the users who are successfully authenticated are authorized to use any service, and that all outbound connection information will be logged in the accounting database. The last command specifies that access to the FWSM requires authentication from the TACACS+ server.

fwsm/context(config)# aaa-server TACACS+ (inside) host 10.1.1.10 thekey timeout 20
fwsm/context(config)# aaa authentication include any 0 0 0 0 TACACS+
fwsm/context(config)# aaa authorization include any 0 0 0 0
fwsm/context(config)# aaa accounting include any 0 0 0 0 TACACS+
fwsm/context(config)# aaa authentication TACACS+

This example shows how to enable authorization for DNS lookups from the outside interface:

fwsm/context(config)# aaa authorization include udp/53 0.0.0.0 0.0.0.0

This example shows how to enable authorization of ICMP echo-reply packets arriving at the inside interface from inside hosts:

fwsm/context(config)# aaa authorization include 1/0 0.0.0.0 0.0.0.0

Users will not be able to ping external hosts if they have not been authenticated using Telnet, HTTP, or FTP.

This example shows how to enable authorization only for ICMP echoes (pings) that arrive at the inside interface from an inside host:

fwsm/context(config)# aaa authorization include 1/8 0.0.0.0 0.0.0.0

Related Commands

aaa authorization

auth-prompt

password/passwd

service

ssh

telnet

virtual

aaa authorization command

To enable authorization for a local or a TACACS server, use the aaa authorization command command. To disable authorization for local or a TACACS server, use the no form of this command.

[no] aaa authorization command {LOCAL_server_tag | tacacs_server_tag}

Syntax Description

LOCAL_server_tag

Predefined server tag for the AAA local protocol.

tacacs_server_tag

Predefined server tag for the TACACS user authentication server.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.

2.2(1)

This command was modified to support a second LOCAL method for AAA configurations.


Usage Guidelines

You can enter the LOCAL_server_tag argument for the group tag value and use the local FWSM database AAA services such as local command authorization privilege levels.

Examples

This example shows how to enable authorization for a local or a TACACS server:

fwsm/context(config)# aaa authorization command Server1

Related Commands

aaa authorization

auth-prompt

password/passwd

service

ssh

telnet

virtual

aaa authorization match

To enable the local or TACACS+ user-authorization services for a specific access-list command name, use the aaa authorization match command. To disable the feature, use the no form of this command.

[no] aaa authorization match access_list_name interface_name server_tag

Syntax Description

access_list_name

access-list command name.

interface_name

Interface name that requires authentication.

server_tag

AAA server group tag as defined by the aaa-server command.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.

2.2(1)

This command was modified to support a second LOCAL method for AAA configurations.


Usage Guidelines

The AAA server group tag is defined by the aaa-server command. Enter TACACS+ or RADIUS to use the authentication database.

The access_list_name is defined by the access-list extended command.

The FWSM supports authentication usernames up to 127 characters and passwords up to 16 characters (some AAA servers accept passwords up to 32 characters). A password or username may not contain an "@" character as part of the password or username string.

Examples

This example shows how to enable authorization for a specified access list:

fwsm/context(config)# aaa authorization match my_access inside Server2

Related Commands

aaa authorization

auth-prompt

password/passwd

service

ssh

telnet

virtual

aaa proxy-limit

To specify the number of concurrent proxy connections that are allowed per user, use the aaa proxy-limit command.

[no] aaa proxy-limit {proxy_limit | disable}

Syntax Description

proxy_limit

Number of concurrent proxy connections allowed per user; valid values are from 1 to 128.

disable

Disables the proxy limit.


Defaults

The proxy_limit is 16.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The aaa proxy-limit command enables you to manually configure the uauth session limit by setting the maximum number of concurrent proxy connections that are allowed per user.

An uauth session is a cut-through session that performs authentication or authorization (the connection is proxied).

If a source address is a proxy server, you should exclude this IP address from authentication or increase the number of allowable outstanding AAA requests.

Examples

This example shows how to set and display the maximum number of outstanding authentication requests allowed:

fwsm/context(config)# aaa proxy-limit 6
fwsm/context(config)# show aaa proxy-limit
aaa proxy-limit 6

Related Commands

aaa authentication include, exclude

aaa authorization

aaa-server

show aaa proxy-limit

aaa-server

To define the AAA server group, use the aaa-server command. To remove the AAA server group, use the no form of this command.

[no] aaa-server server_tag

[no] aaa-server server_tag max-failed-attempts tries

[no] aaa-server server_tag deadtime deatimeout

aaa-server server_tag [interface_name] host server_ip [key] [timeout seconds]

aaa-server server_tag protocol {tacacs+ | radius}

Syntax Description

server_tag

Alphanumeric string that is the name of the server group.

max-failed-attempts tries

Specifies the maximum number of AAA requests to attempt to each AAA server in an AAA server group; the range is from 1 to 5.

deadtime deatimeout

Specifies the number of minutes to declare the AAA server group as unresponsive; the range is from 0 to 1440 minutes.

interface_name

(Optional) Interface name on which the server resides.

host server_ip

(Optional) IP address of the TACACS+ or RADIUS server.

key

(Optional) Case-sensitive alphanumeric key of up to 127 characters; it must be the same value as the key configured on the TACACS+ server.

timeout seconds

(Optional) Retransmit timer that specifies the time duration before the FWSM chooses the next AAA server.

protocol auth_protocol

Type of AAA server, either tacacs+ or radius.


Defaults

The defaults are as follows:

The FWSM listens for RADIUS on ports 1645 for authentication and 1646 for accounting. The default ports are defined in RFC 2058 as 1812 for authentication and 1813 for accounting. The FWSM RADIUS ports were not changed for backward-compatibility purposes.

The following are the aaa-server default protocols:

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

The default timeout value is 10 seconds.

The interface name interface_name defaults to the outside.

The max-failed-attempts value is 3.

The deadtime is 10 minutes.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.

2.2(1)

This command was modified to support a second LOCAL method for AAA configurations.


Usage Guidelines

The aaa-server command allows you to specify AAA server groups. The FWSM lets you define separate groups of TACACS+ or RADIUS servers for specifying different types of traffic. For example, you can specify a TACACS+ server for inbound traffic and another for outbound traffic. You can also specify that all outbound HTTP traffic will be authenticated by a TACACS+ server and that all inbound traffic will use RADIUS. The aaa-server command is used with the crypto map command to establish an authentication association so that VPN clients are authenticated when they access the FWSM.

Certain types of AAA services can be directed to different servers. Services can also be set up to fail over to multiple servers.

Use the server_tag in the aaa command to associate aaa authentication and aaa accounting commands with an AAA server group. Up to 14 server groups are permitted. However, you cannot use the LOCAL keyword with the aaa-server command because the keyword is predefined by the FWSM.

Other aaa commands reference the server tag group defined by the aaa-server command server_tag parameter. This global setting takes effect when the TACACS+ or RADIUS service is started.


Note When a cut-through proxy is configured, TCP sessions (Telnet, FTP, HTTP, or HTTPS) may have their sequence number randomized even if the norandomseq optional keyword is used in the nat or static command. This situation occurs when an AAA server proxies the TCP session to authenticate the user before permitting access.


AAA server groups are defined by a tag name that directs different types of traffic to each authentication server. If the first authentication server in the list fails, the AAA subsystem fails over to the next server in the tag group. You can have up to 14 tag groups, and each group can have up to 14 AAA servers, for a total of up to 196 AAA servers.

The max-attempts number keyword and argument allow you to configure the number of AAA requests sent to an AAA server before the FWSM declares that server unresponsive and tries the next server in the group. You should set the max-attempts number keyword and argument and the timeout values for the fall-back behavior when authenticating or authorizing commands in a fall-back configuration. For example, if you want to declare an individual AAA server as unresponsive quickly, you should reduce the max-attempts number setting to 1 or 2.

You can configure the deadtime minutes keyword and argument without having configured the LOCAL method on any of the authentication and authorization commands. The deadtime minutes keyword and argument affect only the operations when you configure two methods for authenticating and authorizing AAA.


Note The second method must be LOCAL.


The deadtime minutes keyword and argument specify the minutes that a particular authentication or authorization method should be marked as unresponsive and skipped. When an AAA server group is marked unresponsive, the FWSM immediately performs the authentication or authorization against the next method specified (which is the local FWSM user database).


Note Every server in a group must be marked unresponsive before the whole group is declared unresponsive.


When you configure the deadtime to 0, the AAA server group is not considered unresponsive and all authentication and authorization requests are always attempted against this AAA server group before using the next method in the method list.

The no form of the deadtime command restores the command to its default value of 10 minutes.

The deadtime period begins as soon as the last server in the AAA server group has been marked as down (unresponsive). A server is marked as down when the max-attempts value is reached and AAA fails to receive a response. When the deadtime period expires, the AAA server group is active and all requests are submitted again to the AAA servers in the AAA server group.

Some AAA servers accept passwords up to 32 characters, but the FWSM allows passwords up to 16 characters only.

When specifying the key, any characters entered past 127 are ignored. The key is used between the client and server for encrypting data between them. The key must be the same on both the client and server systems. Spaces are not permitted in the key, but other special characters are permitted in the key.

The timeout default is 10 seconds. The maximum time is 30 seconds. If the timeout value is 10 seconds, the FWSM retransmits for 10 seconds. If no acknowledgment is received, the FWSM tries three times more for a total of 40 seconds to retransmit data before the next AAA server is selected.
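The failover rules in the preceding paragraphs, as an added Python model (illustration only, not FWSM code): each silent server is waited on for timeout * (1 + max-failed-attempts) seconds, an assumption that reproduces the 40 s figure above, and is then marked down; once every server in the group is down the group is skipped for deadtime minutes and the LOCAL method answers, while deadtime 0 retries the group on every request. The server addresses, accounts and timings are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class AAAServer:
    ip: str
    timeout: int = 10            # retransmit timer in seconds (1 to 30 on the FWSM)
    reachable: bool = True       # constructed knob: does the server answer at all?
    accounts: Dict[str, str] = field(default_factory=dict)  # constructed user database
    down: bool = False           # marked unresponsive after max-failed-attempts


@dataclass
class AAAServerGroup:
    tag: str
    servers: List[AAAServer]
    max_failed_attempts: int = 3       # requests per server before it is marked down (1 to 5)
    deadtime: int = 10                 # minutes the whole group is skipped; 0 = never skipped
    dead_since: Optional[int] = None   # wall-clock second when the last server went down


@dataclass
class AuthResult:
    method: str                  # server group tag, "LOCAL", or "none"
    server: Optional[str]        # IP of the server that answered, if any
    accepted: bool
    elapsed: int                 # seconds spent waiting on silent servers


def server_wait(server: AAAServer, group: AAAServerGroup) -> int:
    """Worst-case time spent on one silent server: the initial request plus
    max-failed-attempts retransmissions, one timeout each (assumption that
    matches the text: timeout 10 s and 3 attempts give 40 s)."""
    return server.timeout * (1 + group.max_failed_attempts)


def group_is_dead(group: AAAServerGroup, now: int) -> bool:
    """deadtime 0: the group is never declared unresponsive, so every request
    retries all servers. Otherwise the group is skipped until dead_since plus
    deadtime minutes, after which all of its servers are active again."""
    if group.deadtime == 0:
        for s in group.servers:
            s.down = False
        return False
    if group.dead_since is None:
        return False
    if now < group.dead_since + group.deadtime * 60:
        return True
    group.dead_since = None              # deadtime expired
    for s in group.servers:
        s.down = False
    return False


def authenticate(group: AAAServerGroup, local_db: Optional[Dict[str, str]],
                 user: str, password: str, now: int) -> AuthResult:
    """Method list: the server group first, then LOCAL (the only allowed second method)."""
    elapsed = 0
    if not group_is_dead(group, now):
        for server in group.servers:
            if server.down:
                continue                     # still marked unresponsive, skip it
            if server.reachable:
                ok = server.accounts.get(user) == password
                return AuthResult(group.tag, server.ip, ok, elapsed)
            elapsed += server_wait(server, group)
            server.down = True               # max attempts reached with no response
        # every server is now down: the whole group is declared unresponsive
        if group.deadtime > 0:
            group.dead_since = now + elapsed
    if local_db is not None:
        return AuthResult("LOCAL", None, local_db.get(user) == password, elapsed)
    return AuthResult("none", None, False, elapsed)


def demo_failover():
    """Constructed walk-through using the AuthIn addresses and timeouts from the text."""
    s40 = AAAServer("10.0.1.40", timeout=20, reachable=False)
    s41 = AAAServer("10.0.1.41", timeout=4, accounts={"alice": "radius-pw"})
    group = AAAServerGroup("AuthIn", [s40, s41])       # defaults: 3 attempts, deadtime 10
    local = {"alice": "local-pw"}
    r1 = authenticate(group, local, "alice", "radius-pw", now=0)    # .40 silent 80 s, .41 answers
    s41.reachable = False
    r2 = authenticate(group, local, "alice", "local-pw", now=100)   # .41 silent 16 s, group dead
    r3 = authenticate(group, local, "alice", "local-pw", now=200)   # inside deadtime: LOCAL at once
    s40.reachable, s40.accounts = True, {"alice": "radius-pw"}
    r4 = authenticate(group, local, "alice", "radius-pw", now=116 + 600)  # deadtime over: retried
    return r1, r2, r3, r4


if __name__ == "__main__":
    for result in demo_failover():
        print(result)
```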

If accounting is enabled, the accounting information goes only to the active server.

If you are upgrading from a previous version of FWSM and have aaa commands in your configuration, using the default server groups lets you maintain backward compatibility with the aaa commands in your configuration.

The previous server type optional keyword at the end of the aaa authentication and aaa accounting commands has been replaced with the aaa-server server_tag group name.

This example shows how to use the default protocol TACACS+ with the aaa commands:

fwsm/context(config)#  aaa-server TACACS+ (inside) host 10.1.1.10 thekey timeout 20
fwsm/context(config)#  aaa authentication include any 0 0 0 0 TACACS+
fwsm/context(config)#  aaa authorization include any outbound 0 0 0 0 host 10.1.1.10 
fwsm/context(config)#  aaa accounting include any 0 0 0 0 TACACS+
fwsm/context(config)#  aaa authentication TACACS+

The previous example specifies that the authentication server with the IP address 10.1.1.10 resides on the inside interface and is in the default TACACS+ server group. The next three commands specify that any users starting outbound connections to any destination host will be authenticated using TACACS+, that the users who are successfully authenticated are authorized to use any service, and that all outbound connection information will be logged in the accounting database. The last command specifies that access to the FWSM requires authentication from the TACACS+ server.

This example creates the AuthOut and AuthIn server groups for RADIUS authentication and specifies that servers 10.0.1.40, 10.0.1.41, and 10.1.1.2 on the inside interface provide authentication. The servers in the AuthIn group authenticate inbound connections, and the AuthOut group authenticates outbound connections.

fwsm/context(config)# aaa-server AuthIn protocol radius
fwsm/context(config)# aaa-server AuthIn (inside) host 10.0.1.40 ab timeout 20
fwsm/context(config)# aaa-server AuthIn (inside) host 10.0.1.41 abc timeout 4
fwsm/context(config)# aaa-server AuthOut protocol radius
fwsm/context(config)# aaa-server AuthOut (inside) host 10.1.1.2 abc123 timeout 15
fwsm/context(config)# aaa authentication include any 0 0 0 0 AuthIn
fwsm/context(config)# aaa authentication include any 0 0 0 0 AuthOut

This example shows how to list the commands that can be used to establish an Xauth crypto map:

fwsm/context(config)# ip address inside 10.0.0.1 255.255.255.0
fwsm/context(config)# ip address outside 168.20.1.5 255.255.255.0
fwsm/context(config)# ip local pool dealer 10.1.2.1-10.1.2.254
fwsm/context(config)# nat (inside) 0 access-list 80
fwsm/context(config)# aaa-server TACACS+ host 10.0.0.2 secret123 
fwsm/context(config)# crypto ipsec transform-set pc esp-des esp-md5-hmac 
fwsm/context(config)# crypto dynamic-map cisco 4 set transform-set pc
fwsm/context(config)# crypto map partner-map 20 ipsec-isakmp dynamic cisco
fwsm/context(config)# crypto map partner-map client configuration address initiate
fwsm/context(config)# crypto map partner-map client authentication TACACS+ 
fwsm/context(config)# crypto map partner-map interface outside
fwsm/context(config)# isakmp key cisco1234 address 0.0.0.0 netmask 0.0.0.0
fwsm/context(config)# isakmp client configuration address-pool local dealer outside
fwsm/context(config)# isakmp policy 8 authentication pre-share 
fwsm/context(config)# isakmp policy 8 encryption des
fwsm/context(config)# isakmp policy 8 hash md5
fwsm/context(config)# isakmp policy 8 group 1
fwsm/context(config)# isakmp policy 8 lifetime 86400

Related Commands

aaa authentication include, exclude

aaa authorization

aaa-server

show aaa proxy-limit

aaa-server radius-acctport

To set the port number of the RADIUS server that the FWSM uses for accounting functions, use the aaa-server radius-acctport command. To return to the default settings, use the no form of this command.

[no] aaa-server radius-acctport [acct_port]

Syntax Description

acct_port

(Optional) RADIUS accounting port number; valid values are from 1 to 65535.


Defaults

acct_port is 1645.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

You can change authentication and accounting port settings on the FWSM with the aaa-server radius-acctport and aaa-server radius-authport commands. These commands specify the destination TCP/UDP port number of the remote RADIUS server host to which you wish to assign authentication or accounting functions.

The default RADIUS accounting port is 1645 and the default RADIUS authorization port is 1646. If your authentication server uses ports other than 1645 and 1646, then you must configure the FWSM for the appropriate ports prior to starting the RADIUS service with the aaa-server command. For example, some RADIUS servers use the port numbers 1812 and 1813 as defined in RFC 2138 and RFC 2139. If your RADIUS server uses ports 1812 and 1813, you must use the aaa-server radius-authport and aaa-server radius-acctport commands to reconfigure the FWSM to use ports 1812 and 1813.

These port pairs are assigned to authentication and accounting services on the RADIUS servers:

1645 (authentication), 1646 (accounting)—default for the FWSM

1812 (authentication), 1813 (accounting)—alternate

You can see these and other commonly used port number assignments online at this URL:

http://www.iana.org/assignments/port-numbers

See the "Specifying Port Values" section in Appendix B for additional information about port number assignments.

Examples

This example shows how to set the port number of the RADIUS server that the FWSM uses for accounting functions:

fwsm/context(config)#  aaa-server radius-acctport

Related Commands

aaa authorization

auth-prompt

password/passwd

service

ssh

telnet

virtual

aaa-server radius-authport

To set the port number of the RADIUS server that the FWSM uses for authentication functions, use the aaa-server radius-authport command. To return to the default settings, use the no form of this command.

[no] aaa-server radius-authport [auth_port]

Syntax Description

auth_port

(Optional) RADIUS authentication port number; valid values are from 1 to 65535.


Defaults

auth_port is 1646.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

You can change authentication and accounting port settings on the FWSM with the aaa-server radius-acctport and aaa-server radius-authport commands. These commands specify the destination TCP/UDP port number of the remote RADIUS server host to which you wish to assign authentication or accounting functions.

The default RADIUS accounting port is 1645 and the default RADIUS authorization port is 1646. If your authentication server uses ports other than 1645 and 1646, then you must configure the FWSM for the appropriate ports prior to starting the RADIUS service with the aaa-server command. For example, some RADIUS servers use the port numbers 1812 and 1813 as defined in RFC 2138 and RFC 2139. If your RADIUS server uses ports 1812 and 1813, you must use the aaa-server radius-authport and aaa-server radius-acctport commands to reconfigure the FWSM to use ports 1812 and 1813.

The following port pairs are assigned to authentication and accounting services on the RADIUS servers:

1645 (authentication), 1646 (accounting)—default for the FWSM

1812 (authentication), 1813 (accounting)—alternate

You can see these and other commonly used port number assignments online at this URL:

http://www.iana.org/assignments/port-numbers

See the "Specifying Port Values" section in Appendix B for additional information about port number assignments.

Examples

This example shows how to set the port number of the RADIUS server that the FWSM uses for authentication functions:

fwsm/context(config)# aaa-server radius-authport

Related Commands

aaa authorization

auth-prompt

password/passwd

service

ssh

telnet

virtual

access-group

To bind the access list to an interface, use the access-group command. To unbind the access list from the interface, use the no form of this command.

[no] access-group access-list {in | out} interface interface_name [per-user-override]

Syntax Description

access-list

Specifies the access-list ID.

in

Filters the inbound packets at the specified interface.

Note "Inbound" and "outbound" refer to the application of an access list on an interface, either to traffic entering the FWSM on an interface or traffic exiting the FWSM on an interface. These terms do not refer to the movement of traffic from a lower security interface to a higher security interface, commonly known as inbound, or from a higher to lower interface, commonly known as outbound.

out

Filters the outbound packets at the specified interface. You might want to use an outbound access list to simplify your access list configuration. For example, if you want to allow three inside networks on three different interfaces to access each other, you can create a simple inbound access list that allows all traffic on each inside interface.

interface interface_name

Specifies the name of the interface on which you want to control access.

per-user-override

(Optional) Allows per-user access lists downloaded from a RADIUS server to override the existing interface access lists. This keyword is only available for an inbound access-group command.


Defaults

By default without an access-group command, no traffic can enter an interface. The exception to this rule is if a packet is part of an existing TCP or UDP connection; then returning traffic is allowed back through the FWSM. An access-group command is not required in this case on the destination interface. For connectionless protocols, you need to apply the access list to the source and destination interfaces if you want traffic to pass in both directions.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.

2.3(1)

Support for the per-user-override option was implemented.


Usage Guidelines

The access-group command binds an access list to an interface. If you enter the permit option in an access-list command statement, the FWSM continues to process the packet. If you enter the deny option in an access-list command statement, the FWSM discards the packet and generates syslog message 106019.

You can apply one access list to each direction of the interface (in or out).

Traffic flowing across an interface in the FWSM can be controlled in two ways. Traffic that enters the FWSM can be controlled by attaching an inbound access list to the source interface (the in keyword). Traffic that exits the FWSM can be controlled by attaching an outbound access list to the destination interface (the out keyword). To allow any traffic to enter the FWSM, you must attach an inbound access list to an interface; otherwise, the FWSM automatically drops all traffic that enters that interface. By default, traffic can exit the FWSM on any interface unless you restrict it using an outbound access list, which adds restrictions to those already configured in the inbound access list.

The per-user-override keyword allows dynamic access lists that are downloaded for user authorization to override the access list assigned to the interface. For example, if the interface access list denies all traffic from 10.0.0.0, but the dynamic access list permits all traffic from 10.0.0.0, then the dynamic access list overrides the interface access list for that user.

Additionally, the following rules are observed:

At the time a packet arrives, if there is no per-user access list associated with the packet, the interface access list will be applied.

The per-user access list is governed by the timeout value specified by the uauth option of the timeout command, but it can be overridden by the AAA per-user session timeout value.

Existing access list log behavior will be the same. For example, if user traffic is denied because of a per-user access list, syslog message 109025 will be logged. If user traffic is permitted, no syslog message is generated. The log option in the per-user access-list will have no effect.


Note If all of the permit and deny statements are removed from an access-list that is referenced by one or more access-group commands, the access-group commands are automatically removed from the configuration. The access-group command cannot reference empty access lists or access lists that contain only a remark.


Examples

The following example shows how to use the access-group command. The static command provides a global address of 209.165.201.3 for the web server at 10.1.1.3. The access-list command lets any host access the global address using port 80. The access-group command specifies that the access-list command applies to traffic entering the outside interface.

fwsm/context(config)# static (inside,outside) 209.165.201.3 10.1.1.3
fwsm/context(config)# access-list acl_out permit tcp any host 209.165.201.3 eq 80
fwsm/context(config)# access-group acl_out in interface outside

Related Commands

access-list alert-interval

access-list deny-flow-max

access-list extended

access-list remark

clear access-group

clear access-list

object-group

show access-group

show access-list

access-list alert-interval

To specify the time interval between deny flow maximum messages, use the access-list alert-interval command. To return to the default settings, use the no form of this command.

[no] access-list alert-interval secs

Syntax Description

secs

Time interval between deny flow maximum message generation; valid values are from 1 to 3600 seconds.


Defaults

300 seconds

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The access-list alert-interval command sets the time interval for generating the syslog message 106101. The syslog message 106101 alerts you that the FWSM has reached a deny flow maximum. When the deny flow maximum is reached, another 106101 message is generated if at least secs seconds have occurred since the last 106101 message.

See the access-list deny-flow-max command for information about the deny flow maximum message generation.

Examples

This example shows how to specify the time interval between deny flow maximum messages:

fwsm/context(config)# access-list alert-interval 30

Related Commands

access-list extended

clear access-list

object-group

show access-list

access-list commit

To commit ACLs when you are in manual-commit mode, use the access-list commit command.

access-list commit

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

If you set the access-list mode command to manual-commit, then you must manually commit ACLs before they can be used by the FWSM.


Note Manual-commit mode only affects ACLs that are not used or ACLs that are used with the access-group command. ACLs used for AAA, NAT, or other configuration commands are always committed automatically. For example, if you use the same ACL for access-group and for AAA, then the ACL commits automatically for AAA, but you must manually commit it for access-group. For this reason, we recommend that you do not use manual-commit mode if you share an ACL between an access-group command and other commands, such as AAA or NAT.


Examples

This example shows how to commit an ACL and other rules:

fwsm/context(config)# access-list commit

Related Commands

access-group

access-list extended

access-list mode

clear access-list

object-group

show access-list

access-list deny-flow-max

To specify the maximum number of concurrent deny flows that can be created, use the access-list deny-flow-max command. To return to the default settings, use the no form of this command.

[no] access-list deny-flow-max n

Syntax Description

n

Maximum number of concurrent ACL deny flows that can be created; valid values are from 1 to 4096.


Defaults

The default is 4096.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

Syslog message 106101 is generated when the FWSM has reached the maximum number, n, of ACL deny flows.

Examples

This example shows how to specify the maximum number of concurrent deny flows that can be created:

fwsm/context(config)# access-list deny-flow-max 256

Related Commands

access-list extended

clear access-list

show access-list

access-list ethertype

To add an EtherType access list to the configuration and to configure policy for IP traffic through the firewall, use the access-list ethertype command. To remove the access list, use the no form of this command.

[no] access-list id ethertype {deny | permit} ether-value [unicast | multicast | broadcast]

Syntax Description

id

Name or number of an access list.

deny

Denies access if the conditions are matched. See the "Usage Guidelines" section for the description.

permit

Permits access if the conditions are matched. See the "Usage Guidelines" section for the description.

ether-value

Ethernet value.

unicast

(Optional) Specifies unicast notification.

multicast

(Optional) Specifies multicast notification.

broadcast

(Optional) Specifies broadcast notification.


Defaults

The defaults are as follows:

The FWSM denies all packets on the originating interface unless you specifically permit access.

ACL logging generates syslog message 106023 for denied packets; a deny entry must be present for denied packets to be logged.

When the log optional keyword is specified, the default level for syslog message 106100 is 6 (informational).

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to add an EtherType access list:

fwsm/context(config)# access-list my_access ethertype permit unicast

Related Commands

access-group

access-list commit

access-list extended

access-list mode

clear access-group

clear access-list

configure

object-group

pager

show access-group

show access-list

access-list extended

To add an access list to the configuration and to configure policy for IP traffic through the firewall, use the access-list extended command. To remove the access list, use the no form of this command.

[no] access-list id extended {deny | permit} {protocol | object-group protocol_obj_grp_id} {host source_ip | source_ip source_mask | object-group network_obj_grp_id} [operator port [port] | object-group service_obj_grp_id] {host destination_ip | destination_ip destination_mask | object-group network_obj_grp_id} [operator port [port] | object-group service_obj_grp_id] [log [disable | default | level] [interval secs]]

Syntax Description

id

Name or number of an access list.

extended

Specifies an extended access list.

deny

Denies access if the conditions are matched. See the "Usage Guidelines" section for the description.

permit

Permits access if the conditions are matched. See the "Usage Guidelines" section for the description.

protocol

Name or number of an IP protocol; valid values are icmp, ip, tcp, or udp, or an integer in the range 1 to 254 representing an IP protocol number. See the "Usage Guidelines" section for additional information.

object-group

Specifies an object group; see the "Usage Guidelines" section for additional information.

protocol_obj_grp_id

Existing protocol object group identification.

source_ip

Address of the network or host local to the FWSM; see the "Usage Guidelines" section for additional information.

source_mask

Netmask bits (mask) to be applied to source_ip if the source address is a network address.

network_obj_grp_id

Existing network object group identification.

operator

Operator applied to the source or destination port number; see the "Usage Guidelines" section for additional information.

port

(Optional) Port to which you permit or deny service access; see the "Usage Guidelines" section for additional information.

service_obj_grp_id

(Optional) Object group.

destination_ip

IP address of the network or host to which the packet is being sent; see the "Usage Guidelines" section for additional information.

destination_mask

Netmask bits (mask) to be applied to destination_ip if the destination address is a network address.

log default

(Optional) Specifies that a syslog message 106100 is generated for the ACE. See the "Usage Guidelines" section for information.

log disable

(Optional) Disables syslog messaging. See the "Usage Guidelines" section for information.

log level

(Optional) Specifies the syslog level; valid values are from 0 to 7. See the "Usage Guidelines" section for information.

interval secs

(Optional) Specifies the time interval at which to generate an 106100 syslog message; valid values are from 1 to 600 seconds.


Defaults

The defaults are as follows:

The FWSM denies all packets on the originating interface unless you specifically permit access.

ACL logging generates syslog message 106023 only for packets denied by an explicit deny entry; a deny entry must be present for denied packets to be logged.

When the log optional keyword is specified, the default level for syslog message 106100 is 6 (informational).

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

When used with the access-group command, the deny optional keyword does not allow a packet to traverse the FWSM. By default, the FWSM denies all packets on the originating interface unless you specifically permit access.

When you specify the protocol to match any Internet protocol, including TCP and UDP, use the ip keyword.

Refer to the object-group command for information on how to configure object groups.

The operator compares the port associated with the source IP address (sip) or the destination IP address (dip). Possible operands include lt for less than, gt for greater than, eq for equal, neq for not equal, and range for an inclusive range. Use the access-list command without an operator and port to indicate all ports by default as follows:

fwsm/context(config)# access-list acl_out permit tcp any host 209.165.201.1

Use eq and a port to permit or deny access to just that port. For example, use eq ftp to permit or deny access only to FTP:

fwsm/context(config)# access-list acl_out deny tcp any host 209.165.201.1 eq ftp 

Use lt and a port to permit or deny access to all ports less than the port that you specify. For example, use lt 1025 to permit or deny access to the well-known ports (1 to 1024):

fwsm/context(config)# access-list acl_dmz1 permit tcp any host 192.168.1.1 lt 1025

Use gt and a port to permit or deny access to all ports greater than the port that you specify. For example, use gt 42 to permit or deny ports 43 to 65535:

fwsm/context(config)# access-list acl_dmz1 deny udp any host 192.168.1.2 gt 42

Use neq and a port to permit or deny access to every port except the ports that you specify. For example, use neq 10 to permit or deny ports 1-9 and 11 to 65535:

fwsm/context(config)# access-list acl_dmz1 deny tcp any host 192.168.1.3 neq 10

Use range and a port range to permit or deny access to only those ports named in the range. For example, use range 10 1024 to permit or deny access only to ports 10 through 1024. All other ports are unaffected. The use of port ranges can dramatically increase the number of IPSec tunnels. For example, if a port range of 5000 to 65535 is specified for a highly dynamic protocol, up to 60,535 tunnels can be created.

Enter port to specify services by the port that handles it, such as smtp for port 25, www for port 80, and so on. You can specify ports by either a literal name or a number in the range of 0 to 65535. Refer to valid port numbers at this URL:

http://www.iana.org/assignments/port-numbers

See the "Specifying Port Values" section in Appendix B for a list of valid port literal names in port ranges. You can also specify numbers.
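To make the operator semantics concrete, here is an added Python model (illustration only, not FWSM code) that parses access-list extended lines as written in the examples above, applies eq, neq, lt, gt and range together with the any, host and address-mask forms, falls through to the implicit deny, and also models the per-user-override rule of the access-group command described earlier. First-match ordering, the short port-name table, and the sample ACL and packets are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PORT_NAMES = {"ftp": 21, "smtp": 25, "www": 80}   # constructed subset of literal port names
PortSpec = Optional[Tuple[str, int, int]]          # (operator, port, second port for range)


@dataclass
class ACE:
    action: str                       # permit | deny
    protocol: str                     # ip | tcp | udp | icmp
    src: ipaddress.IPv4Network
    sport: PortSpec
    dst: ipaddress.IPv4Network
    dport: PortSpec


@dataclass
class Packet:                         # constructed 5-tuple for evaluation
    protocol: str
    src: str
    sport: int
    dst: str
    dport: int


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _parse_addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """any -> 0.0.0.0 0.0.0.0; host A -> mask 255.255.255.255; A MASK -> subnet-mask form."""
    if t[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(t[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network(t[i] + "/" + t[i + 1], strict=False), i + 2


def _parse_ports(t: List[str], i: int) -> Tuple[PortSpec, int]:
    if i < len(t) and t[i] in ("eq", "neq", "lt", "gt"):
        return (t[i], _port(t[i + 1]), 0), i + 2
    if i < len(t) and t[i] == "range":
        return ("range", _port(t[i + 1]), _port(t[i + 2])), i + 3
    return None, i                    # no operator means all ports


def parse_ace(line: str) -> Tuple[str, ACE]:
    """Parse 'access-list id [extended] permit|deny proto src [op] dst [op] ...'."""
    t = line.split()
    acl_id, i = t[1], 2
    if t[i] == "extended":
        i += 1
    action, protocol, i = t[i], t[i + 1], i + 2
    src, i = _parse_addr(t, i)
    sport, i = _parse_ports(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_ports(t, i)     # trailing log options are not modelled here
    return acl_id, ACE(action, protocol, src, sport, dst, dport)


def build_acls(lines: List[str]) -> Dict[str, List[ACE]]:
    acls: Dict[str, List[ACE]] = {}
    for line in lines:
        acl_id, ace = parse_ace(line)
        acls.setdefault(acl_id, []).append(ace)
    return acls


def port_matches(spec: PortSpec, port: int) -> bool:
    if spec is None:
        return True
    op, a, b = spec
    return {"eq": port == a, "neq": port != a, "lt": port < a,
            "gt": port > a, "range": a <= port <= b}[op]


def evaluate(acl: List[ACE], pkt: Packet) -> str:
    """First matching entry decides (assumed ordering); no match is the implicit deny."""
    for ace in acl:
        if ace.protocol != "ip" and ace.protocol != pkt.protocol:
            continue
        if (ipaddress.IPv4Address(pkt.src) in ace.src
                and ipaddress.IPv4Address(pkt.dst) in ace.dst
                and port_matches(ace.sport, pkt.sport)
                and port_matches(ace.dport, pkt.dport)):
            return ace.action
    return "deny"


def access_group_in(interface_acl: List[ACE], pkt: Packet,
                    per_user_acl: Optional[List[ACE]] = None) -> str:
    """Inbound access-group with per-user-override: a per-user ACL downloaded for an
    authenticated user replaces the interface ACL for that user's packets."""
    return evaluate(per_user_acl if per_user_acl is not None else interface_acl, pkt)


# Constructed ACL: the operator examples from the text plus a catch-all and a per-user ACL.
ACL_LINES = [
    "access-list acl_dmz1 permit tcp any host 192.168.1.1 lt 1025",
    "access-list acl_dmz1 deny udp any host 192.168.1.2 gt 42",
    "access-list acl_dmz1 deny tcp any host 192.168.1.3 neq 10",
    "access-list acl_dmz1 permit tcp 10.0.0.0 255.0.0.0 host 192.168.1.3 range 10 1024",
    "access-list acl_dmz1 permit ip any host 192.168.1.2",
    "access-list acl_user permit tcp any host 192.168.1.3 eq 10",
]

if __name__ == "__main__":
    acls = build_acls(ACL_LINES)
    pkt = Packet("tcp", "172.16.0.9", 40000, "192.168.1.3", 10)
    print(access_group_in(acls["acl_dmz1"], pkt))                     # deny: not from 10/8
    print(access_group_in(acls["acl_dmz1"], pkt, acls["acl_user"]))   # permit: per-user override
```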

For the log disable | default | level optional keyword, use these guidelines:

When you specify the log optional keyword, it generates syslog message 106100 for the ACE to which it is applied. (Syslog message 106100 is generated for every matching permit or deny ACE flow passing through the FWSM.) The first-match flow is cached. Subsequent matches increment the hit count displayed in the show access-list command for the ACE, and new 106100 messages are generated at the end of the interval that is defined by interval secs if the hit count for the flow is not zero.

The default ACL logging behavior (the log keyword is not specified) is that if a packet is denied, then message 106023 is generated. If a packet is permitted, then no syslog message is generated.

You can specify an optional syslog level (0-7) for the generated syslog messages (106100). If no level is specified, the default level is 6 (informational) for a new ACE. If the ACE already exists, then its existing log level remains unchanged.

If you specify the log disable optional keyword, access list logging is completely disabled. No syslog message, including message 106023, is generated.

The log default optional keyword restores the default access list logging behavior.


Note Refer to the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide for additional information about logging.


The interval secs keyword and argument are used as the timeout value for deleting an inactive flow. If you do not specify the interval secs optional keyword, the default interval is 300 seconds for a new ACE. If an ACE already exists, any interval that was previously associated with that ACE remains unchanged.

The icmp_type argument is for non-IPSec use only; it permits or denies access to specific ICMP message types (see Table 2-1). Omit this optional argument to match all ICMP types.

ICMP message types are not supported with IPSec. When the access-list command is used with the crypto map command, the icmp_type is ignored.

The access-list command allows you to specify if an IP address is permitted or denied access to a port or protocol. One or more access-list commands with the same access list name are referred to as an "access list." Access lists that are associated with IPSec are known as "crypto access lists."

You can use the object-group command to group access lists.

Use the following guidelines for specifying a source, local, or destination address:

Use a 32-bit quantity in four-part, dotted-decimal format.

Use the keyword any as an abbreviation for an address and mask of 0.0.0.0 0.0.0.0. We do not recommend that you use this keyword with IPSec.

Use host address as an abbreviation for a mask of 255.255.255.255.

Use the following guidelines for specifying a network mask:

Do not specify a mask if the address is for a host; if the destination address is for a host, use the host keyword before the address as follows:

fwsm/context(config)# access-list acl_grp permit tcp any host 192.168.1.1

If the address is a network address, specify the mask as a 32-bit quantity in four-part, dotted-decimal format. Place zeros in the bit positions that you want to ignore.

Remember that you specify a network mask differently than with the Cisco IOS software access-list command. With the FWSM, enter 255.0.0.0 for a Class A address, 255.255.0.0 for a Class B address, and 255.255.255.0 for a Class C address. If you are using a subnetted network address, use the appropriate network mask as follows:

fwsm/context(config)# access-list acl_grp permit tcp any 209.165.201.0 255.255.255.224

The access-list command supports the sunrpc service.

The show access-list command lists the access-list commands in the configuration and the hit count of the number of times each element has been matched during an access-list command search. Additionally, it displays the number of access list statements in the access list and indicates whether or not the list is configured for Turbo ACL. If the list has fewer than 18 ACEs, it is marked as turbo-configured but is not actually configured for Turbo ACL until there are 19 or more entries.

The show access-list source_addr optional keyword and argument filter the show output so that only those access-list elements that match the source IP address (or with any as source IP address) are displayed.

The clear access-list command removes all access-list commands from the configuration or, if specified, removes the access lists by their id. The clear access-list id counters command clears the hit count for the specified access list.

The no access-list command removes an access-list command from the configuration. If you remove all the access-list commands in an access list, the no access-list command also removes the corresponding access-group command from the configuration.


Note The aaa, crypto map, and icmp commands use the access-list commands.


access-list logging Commands

This example shows what happens when you enable an access-list log optional keyword:

fwsm/context(config)# access-group outside-acl in interface outside
fwsm/context(config)# access-list outside-acl permit ip host 1.1.1.1 any log 7 interval 600
fwsm/context(config)# access-list outside-acl permit ip host 2.2.2.2 any
fwsm/context(config)# access-list outside-acl deny ip any any log 2

The following sequence shows how the previous example applies access-list logging to an ICMP flow:

1. An ICMP echo request (1.1.1.1 -> 192.168.1.1) arrives on the outside interface.

2. An ACL called outside-acl is applied for the access check.

3. The packet is permitted by the first ACE of outside-acl that has the log optional keyword enabled.

4. The log flow (ICMP, 1.1.1.1, 0, 192.168.1.1, 8) has not been cached, so the following syslog message is generated and the log flow is cached:

106100: access-list outside-acl permitted icmp outside/1.1.1.1(0) -> 
inside/192.168.1.1(8) hit-cnt 1 (first hit)

5. Twenty packets arrive on the outside interface within the next 10 minutes (600 seconds). Because the log flow has been cached, the log flow is located and the hit count of the log flow is incremented for each packet.

6. At the end of 10 minutes, this syslog message is generated and the hit count of the log flow is reset to 0:

106100: access-list outside-acl permitted icmp outside/1.1.1.1(0) -> 
inside/192.168.1.1(8) hit-cnt 20 (300-second interval)

7. No packets arrive on the outside interface within the next 10 minutes, so the hit count of the log flow remains 0.

8. At the end of 20 minutes, the cached flow (ICMP, 1.1.1.1, 0, 192.168.1.1, 8) is deleted because of the 0 hit count.

To disable a log optional keyword without removing the ACE, enter the access-list id log disable command.

When removing an ACE with a log optional keyword enabled using the no access-list command, you do not need to specify all the log options. The ACE is removed if its permit or deny rule is used to uniquely identify it. However, removing an ACE (with a log optional keyword enabled) does not remove the associated cached flows. You must remove the entire ACL to remove the cached flows. When a cached flow is flushed due to the removal of an ACL, a syslog message is generated if the hit count of the flow is nonzero.

Use the clear access-list command to remove all the cached flows.

access-list id remark command

You can use the access-list id [line line-num] remark text command to include comments (remarks) about entries in any ACL. Remarks make the ACL easier to scan and interpret. Each remark line is limited to 100 characters.

The ACL remark can go before or after an access-list command, but you should place it in a consistent position so that it is clear which remark describes which access-list command.

The no access-list id line line-num remark text and no access-list id line line-num commands both remove the remark at that line number.

The following are samples of possible access-list remarks:

access-list out-acl remark - ACL for the outside interface
access-list out-acl remark - Allow Joe Smith's group to login
access-list out-acl permit tcp 1.1.1.0 255.255.255.0 server
access-list out-acl remark - Allow Lee White's group to login
access-list out-acl permit tcp 1.1.3.0 255.255.255.0 server
access-list out-acl remark - Deny known hackers
access-list out-acl deny ip host 192.23.56.1 any
access-list out-acl deny ip host 197.1.1.125 any

RADIUS Authorization

The FWSM allows a RADIUS server to send user group attributes to the FWSM in the RADIUS authentication response message. Additionally, the FWSM allows downloadable access lists from the RADIUS server. For example, you can configure an access list on a Cisco Secure ACS server and download it to the FWSM during RADIUS authorization.

After the FWSM authenticates a user, it can use the CiscoSecure acl attribute that is returned by the authentication server to identify an access list for a given user group. The firewall also provides the same functionality for TACACS+.

To restrict users to three servers and deny everything else, the access-list commands are as follows:

fwsm/context(config)# access-list eng permit ip any server1 255.255.255.255
fwsm/context(config)# access-list eng permit ip any server2 255.255.255.255
fwsm/context(config)# access-list eng permit ip any server3 255.255.255.255
fwsm/context(config)# access-list eng deny ip any any

In this example, the vendor-specific attribute string in the CiscoSecure configuration is set to acl=eng. This field in the CiscoSecure configuration contains the access-list identification name. The FWSM gets the acl=id from CiscoSecure and extracts the ACL number from the attribute string, which it places in a user's uauth entry. When a user tries to open a connection, the FWSM checks the access list in the user's uauth entry, and depending on the permit or deny status of the access list match, permits or denies the connection. When a connection is denied, the FWSM generates a syslog message. If there is no match, then the implicit rule is to deny.

Because the source IP address of a given user can vary depending on where the user logs in from, set the source address in the access-list command to any and use the destination address to identify the network services to which the user is permitted or denied access. To specify that only users logging in from a given subnet can use the specified services, specify the subnet instead of any.


Note An access list that is used for RADIUS authorization does not require an access-group command to bind the statements to an interface.


The aaa authorization command does not have a radius optional keyword.

Configure the access list that is listed in Attribute 11 to specify a per-user access list name. Otherwise, remove Attribute 11 from the configuration if no access list is intended for user authentication. If the access list is not configured on the FWSM when the user attempts to log in, the login fails.

For more information, refer to the Cisco FWSM and VPN Configuration Guide.

Usage Notes

The clear access-list command automatically unbinds an access list from a crypto map command or interface. The unbinding of an access list from a crypto map command can lead to a condition that discards all packets because the crypto map commands referencing the access list are incomplete. To correct the condition, either define other access-list commands to complete the crypto map commands or remove the crypto map commands that pertain to the access-list command. Refer to the crypto map client command for more information.

ACLs that are dynamically updated on the FWSM by an AAA server can only be shown using the show access-list command. The write command does not save or display these updated lists.

The access-list command operates on a first-match basis.

If you specify an access-list command and bind it to an interface with the access-group command, by default, all traffic to that interface is denied. You must explicitly permit traffic. Inbound refers to traffic passing through the interface, not the traffic passing from a lower security level interface to a higher security level interface.

Always permit access first and then deny access afterward. If the host entries match, use the permit keyword; otherwise, use the default deny keyword. You only need to specify additional deny keywords if you need to deny specific hosts and permit everyone else.

You can see the security levels for interfaces with the show nameif command.

The optional ICMP message type (icmp_type) argument is ignored in IPSec applications because the message type cannot be negotiated with ISAKMP.

You can bind only one access list to an interface using the access-group command.

If you specify the permit optional keyword in the access list, the FWSM continues to process the packet. If you specify the deny optional keyword in the access list, the FWSM discards the packet and generates this syslog message:

%fwsm#-4-106019: IP packet from source_addr to destination_addr, protocol protocol received from interface interface_name deny by access-group id

The access-list command uses the same syntax as the Cisco IOS software access-list command except that the FWSM uses a subnet mask, whereas Cisco IOS software uses a wildcard mask. For example, the wildcard mask 0.0.0.255 in a Cisco IOS software access-list command is written as the subnet mask 255.255.255.0 in the FWSM access-list command.
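The following Python model, added here as an illustration and not FWSM code, implements the evaluation rules described above: first-match processing, the ip protocol matching every protocol, the any and host abbreviations, the implicit deny for traffic no ACE permits, and the conversion from an IOS wildcard mask to the FWSM subnet mask. The sample ACL text and the packet addresses are constructed for this example.

```python
"""First-match evaluation of FWSM-style access-list entries (added example, not FWSM code).

Models the rules in the text above: ACEs are checked in order and the first match decides;
an ACE with protocol ip matches every protocol; any and host are the abbreviations for
0.0.0.0 0.0.0.0 and a 255.255.255.255 mask; an access list bound with access-group denies
whatever no ACE permits. Masks are FWSM subnet masks; wildcard_to_subnet() converts the
IOS wildcard form. The sample ACL text is constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    line: int        # number show access-list would give this ACE (remarks are not numbered)
    action: str      # "permit" or "deny"
    protocol: str    # "ip", "tcp", "udp" or "icmp"
    src: str         # "any", "host A.B.C.D" or "A.B.C.D M.M.M.M"
    dst: str


def wildcard_to_subnet(wildcard: str) -> str:
    """IOS wildcard mask (0.0.0.255) -> FWSM subnet mask (255.255.255.0): bitwise complement."""
    bits = int(ipaddress.IPv4Address(wildcard))
    return str(ipaddress.IPv4Address(bits ^ 0xFFFFFFFF))


def _take_addr(tokens: List[str]) -> Tuple[str, List[str]]:
    """Consume one source or destination spec; return (spec, remaining tokens)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"host {tokens[1]}", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]       # network address followed by subnet mask


def parse_acl(config: str, acl_id: str) -> List[Ace]:
    """Collect the ACEs of acl_id from access-list command lines, in configuration order."""
    aces: List[Ace] = []
    for raw in config.splitlines():
        tokens = raw.replace("fwsm/context(config)#", "").split()
        if len(tokens) < 4 or tokens[:2] != ["access-list", acl_id] or tokens[2] == "remark":
            continue                                    # other ACLs, remarks and blank lines
        action, protocol = tokens[2], tokens[3]
        src, rest = _take_addr(tokens[4:])
        dst, _options = _take_addr(rest)                # log/interval options are not modelled here
        aces.append(Ace(len(aces) + 1, action, protocol, src, dst))
    return aces


def _addr_matches(spec: str, addr: str) -> bool:
    """Match one packet address against an any / host / network-plus-mask spec."""
    parts = spec.split()
    if parts[0] == "any":
        return True
    if parts[0] == "host":
        return ipaddress.IPv4Address(addr) == ipaddress.IPv4Address(parts[1])
    network = ipaddress.IPv4Network((parts[0], parts[1]), strict=False)
    return ipaddress.IPv4Address(addr) in network


def evaluate(aces: List[Ace], protocol: str, src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Return (action, ACE line) of the first match, or ("deny", None) for the implicit deny."""
    for ace in aces:
        if ace.protocol != "ip" and ace.protocol != protocol:
            continue
        if _addr_matches(ace.src, src) and _addr_matches(ace.dst, dst):
            return ace.action, ace.line
    return "deny", None


# Constructed sample, modelled on the outside-acl example in this section.
SAMPLE_CONFIG = """
access-list outside-acl remark - constructed sample for this example
access-list outside-acl permit ip host 1.1.1.1 any log 7 interval 600
access-list outside-acl permit ip host 2.2.2.2 any
access-list outside-acl permit tcp 209.165.201.0 255.255.255.224 any
access-list outside-acl deny ip any any log 2
"""

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_CONFIG, "outside-acl")
    for proto, s, d in [("icmp", "1.1.1.1", "192.168.1.1"),
                        ("tcp", "209.165.201.17", "10.0.0.5"),
                        ("udp", "209.165.201.17", "10.0.0.5")]:
        print(proto, s, "->", d, evaluate(acl, proto, s, d))
    print("IOS 0.0.0.255 ->", wildcard_to_subnet("0.0.0.255"))
```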

We recommend that you do not use the access-list command with the outbound command. Using these commands together may cause debugging issues. The outbound command operates from one interface to another and the access-list command when used with the access-group command applies only to a single interface. If you use these commands together, the FWSM evaluates the access-list command before checking the outbound command.

Refer to Chapter 3, "Managing Network Access and Use" in the Cisco Firewall and VPN Configuration Guide for a detailed description about using the access-list command to provide server access and to restrict outbound user access.

See the aaa-server radius-acctport and aaa-server radius-authport commands to verify or change port settings.

ICMP Message Types

For non-IPSec use only, if you prefer more selective ICMP access, you can specify a single ICMP message type as the last optional keyword in this command. Table 2-1 lists the possible ICMP type values.

Table 2-1 ICMP Type Literals 

ICMP Type   Literal
---------   --------------------
0           echo-reply
3           unreachable
4           source-quench
5           redirect
6           alternate-address
8           echo
9           router-advertisement
10          router-solicitation
11          time-exceeded
12          parameter-problem
13          timestamp-request
14          timestamp-reply
15          information-request
16          information-reply
17          address-mask-request
18          address-mask-reply
31          conversion-error
32          mobile-redirect


This example shows that if you specify an ICMP message type for use with IPSec, FWSM ignores it:

fwsm/context(config)# access-list 10 permit icmp any any echo-reply

When IPSec is enabled and a crypto map command references the id of this access-list command, the echo-reply ICMP message type is ignored.

Using the access-list Command with IPSec

If you bind an access list to an interface with the access-group command, the access list selects which traffic can traverse the FWSM. When bound to a crypto map command, the access list selects which IP traffic IPSec protects and which traffic IPSec does not protect. For example, access lists can be created to protect all IP traffic between Subnet X and Subnet Y or traffic between Host A and Host B.

The access lists are not specific to IPSec. The crypto map command referring to the specific access list defines whether IPSec processing is applied to the traffic matching a permit in the access list.

Crypto access lists that are associated with the IPSec crypto map command have these primary functions:

Select outbound traffic to be protected by IPSec (permit = protect).

Indicate the data flow to be protected by the new security associations (specified by a single permit entry) when initiating negotiations for IPSec security associations.

Process traffic to filter out and discard traffic that IPSec protects.

Determine whether to accept requests for IPSec security associations for the requested data flows when processing IKE negotiation from the IPSec peer. (Negotiation is only done for the crypto map commands with the ipsec-isakmp optional keyword.) A peer's initiated IPSec negotiation will be accepted only if you specify a data flow that is permitted by a crypto access list that is associated with an ipsec-isakmp crypto map entry.

You can associate a crypto access list with an interface by defining the corresponding crypto map command and applying the crypto map set to an interface. You must use different access lists in different entries of the same crypto map set. The access list's criteria are applied in the forward direction to traffic exiting your FWSM and the reverse direction to traffic entering your FWSM.

If you want certain traffic to receive one combination of IPSec protection (for example, authentication only) and other traffic to receive a different combination of IPSec protection (for example, both authentication and encryption), you need to create two different crypto access lists to define the two different types of traffic. These different access lists are then used in different crypto map entries that specify different IPSec policies.

We recommend that you configure "mirror image" crypto access lists for use by IPSec and that you avoid using the any keyword.

If you configure multiple entries for a given crypto access list, the first permit keyword entry matched will be the entry used to determine the scope of the IPSec security association. The IPSec security association will be set up to protect traffic that meets the criteria of the matched keyword entry only. If traffic matches a different permit entry of the crypto access list, a new, separate IPSec security association will be negotiated to protect traffic matching the newly matched access list command.

Some services, such as FTP, require two access-list commands, one for port 10 and another for port 21, to properly encrypt FTP traffic.

Examples

This example shows how to create a numbered access list that specifies a Class C subnet for the source and a Class C subnet for the destination of IP packets. Because the access-list command is referenced in the crypto map command, the FWSM encrypts all IP traffic that is exchanged between the source and destination subnets.

fwsm/context(config)# access-list 101 permit ip 172.21.3.0 255.255.0.0 172.22.2.0 255.255.0.0
fwsm/context(config)# access-group 101 in interface outside
fwsm/context(config)# crypto map mymap 10 match address 101

This example shows how to let only an ICMP message type of echo-reply be permitted into the outside interface:

fwsm/context(config)# access-list acl_out permit icmp any any echo-reply
fwsm/context(config)# access-group acl_out in interface outside

This example shows how ACEs are numbered by the FWSM and how remarks are inserted (remarks are not assigned a line number):

fwsm/context(config)# show access-list ac
access-list ac; 2 elements
access-list ac line 1 permit ip any any (hitcnt=0)
access-list ac line 2 permit tcp any any (hitcnt=0)

fwsm/context(config)# access-list ac permit tcp object-group remote object-group locals
fwsm/context(config)# show access-list ac
access-list ac; 3 elements
access-list ac line 1 permit ip any any (hitcnt=0) 
access-list ac line 2 permit tcp any any (hitcnt=0) 
access-list ac line 3 permit tcp object-group remote object-group locals
fwsm/context(config)# access-list ac remark This comment describes the ACE line 3

fwsm/context(config)# show access-list ac                          
access-list ac; 3 elements
access-list ac line 1 permit ip any any (hitcnt=0) 
access-list ac line 2 permit tcp any any (hitcnt=0) 
access-list ac remark This comment describes the ACE line 3
access-list ac line 3 permit tcp object-group remote object-group locals

fwsm/context(config)# access-list ac permit tcp 171.0.0.0 255.0.0.0 any
fwsm/context(config)# show access-list ac                                
access-list ac; 4 elements
access-list ac line 1 permit ip any any (hitcnt=0) 
access-list ac line 2 permit tcp any any (hitcnt=0) 
access-list ac remark This comment describes the ACE line 3
access-list ac line 3 permit tcp object-group remote object-group locals
access-list ac line 4 permit tcp 171.0.0.0 255.0.0.0 any (hitcnt=0)

fwsm/context(config)# no access-list ac permit tcp object-group remote object-group locals
fwsm/context(config)# show access-list ac                         
access-list ac; 3 elements
access-list ac line 1 permit ip any any (hitcnt=0) 
access-list ac line 2 permit tcp any any (hitcnt=0) 
access-list ac remark This comment describes the ACE line 3 
access-list ac line 3 permit tcp 171.0.0.0 255.0.0.0 any (hitcnt=0)

This example shows how to remove an access list comment:

fwsm/context(config)# access-list ac remark This comment describes the ACE line 5
fwsm/context(config)# sh access-list ac
access-list ac; 3 elements
access-list ac line 1 permit ip any any (hitcnt=0) 
access-list ac line 2 permit tcp any any (hitcnt=0) 
access-list ac remark This comment describes the ACE line 3 
access-list ac line 3 permit tcp 171.0.0.0 255.0.0.0 any (hitcnt=0) 
access-list ac remark This comment describes the ACE line 5

fwsm/context(config)# no access-list ac remark This comment describes the ACE line 5
fwsm/context(config)# show access-list ac                             
access-list ac; 3 elements
access-list ac permit ip any any line 1 (hitcnt=0) 
access-list ac permit tcp any any line 2 (hitcnt=0) 
access-list ac remark This comment describes the ACE line 3 
access-list ac permit tcp 171.0.0.0 255.0.0.0 any line 4 (hitcnt=0)

This example shows how to insert an access list entry at a specific line number:

fwsm/context(config)# show access-list ac
access-list ac; 3 elements
access-list ac line 1 permit ip any any (hitcnt=0) 
access-list ac line 2 permit tcp any any (hitcnt=0) 
access-list ac remark This comment describes the ACE line 3
access-list ac line 3 permit tcp 171.0.0.0 255.0.0.0 any (hitcnt=0)

fwsm/context(config)# access-list ac line 3 permit ip 172.0.0.0 255.0.0.0 any
fwsm/context(config)# show access-list ac                                      
access-list ac; 4 elements
access-list ac line 1 permit ip any any (hitcnt=0) 
access-list ac line 2 permit tcp any any (hitcnt=0) 
access-list ac remark This comment describes the ACE line 3 
access-list ac line 3 permit ip 172.0.0.0 255.0.0.0 any (hitcnt=0) 
access-list ac line 4 permit tcp 171.0.0.0 255.0.0.0 any (hitcnt=0)

The show access-list command includes the following line of output, which shows the total number of cached ACL log flows (total), the number of cached deny flows (denied), and the maximum number of deny flows allowed (deny-flow-max):

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)

Related Commands

access-group

access-list commit

access-list extended

access-list mode

clear access-group

clear access-list

configure

object-group

pager

show access-group

show access-list

access-list icmp host

To add an ICMP host access list to the configuration and to configure policy for IP traffic through the FWSM, use the access-list icmp host command. To remove the access list, use the no form of this command.

[no] access-list id {deny | permit} host {source_ip | {source_ip source_mask}} [log [disable | [level] | default] | [interval secs]]

Syntax Description

id

Name or number of an access list.

deny

Denies access if the conditions are matched. See the "Usage Guidelines" section for the description.

permit

Permits access if the conditions are matched. See the "Usage Guidelines" section for the description.

host

Specifies that you are adding a host to the access list.

source_ip

IP address of the network or host from which the packet is being sent.

source_mask

Netmask bits (mask) to be applied to source_ip when the source address is a network address.

log disable

(Optional) Disables syslog messaging. See the "Usage Guidelines" section for information.

log default

(Optional) Specifies that syslog message 106100 is generated for the ACE. See the "Usage Guidelines" section for information.

log level

(Optional) Specifies the syslog level; valid values are from 0 to 7. See the "Usage Guidelines" section for information.

interval secs

(Optional) Specifies the time interval at which to generate a 106100 syslog message; valid values are from 1 to 600 seconds.


Defaults

The defaults are as follows:

The FWSM denies all packets on the originating interface unless you specifically permit access.

ACL logging generates syslog message 106023 for denied packets; a deny ACE must be present for denied packets to be logged.

When the log optional keyword is specified, the default level for syslog message 106100 is 6 (informational).

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release   Modification
1.1(1)    Support for this command was introduced on the FWSM.


Usage Guidelines

When used with the access-group command, the deny optional keyword does not allow a packet to traverse the FWSM. By default, the FWSM denies all packets on the originating interface unless you specifically permit access.

For the log disable | default | level optional keyword, use these guidelines:

When you specify the log optional keyword, syslog message 106100 is generated for the ACE to which it is applied. (Syslog message 106100 is generated for every matching permit or deny ACE flow passing through the FWSM.) The first-match flow is cached. Subsequent matches increment the hit count displayed in the show access-list command for the ACE, and a new 106100 message is generated at the end of the interval defined by interval secs if the hit count for the flow is not zero.

The default ACL logging behavior (the log keyword is not specified) is that if a packet is denied, then message 106023 is generated. If a packet is permitted, then no syslog message is generated.

You can specify an optional syslog level (0-7) for the generated syslog messages (106100). If no level is specified, the default level is 6 (informational) for a new ACE. If the ACE already exists, then its existing log level remains unchanged.

If you specify the log disable optional keyword, access list logging is completely disabled. No syslog message, including message 106023, is generated.

The log default optional keyword restores the default access list logging behavior.


Note Refer to the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide for additional information about logging.


The access-list command allows you to specify if an IP address is permitted or denied access to a port or protocol. One or more access-list commands with the same access list name are referred to as an "access list." Access lists that are associated with IPSec are known as "crypto access lists."

You can use the object-group command to group access lists.

Use the following guidelines for specifying a source, local, or destination address:

Use a 32-bit quantity in four-part, dotted-decimal format.

Use the keyword any as an abbreviation for an address and mask of 0.0.0.0 0.0.0.0. We do not recommend that you use this keyword with IPSec.

Use host address as an abbreviation for a mask of 255.255.255.255.

Use the following guidelines for specifying a network mask:

Do not specify a mask if the address is for a host; if the destination address is for a host, use the host keyword before the address as follows:

fwsm/context(config)# access-list acl_grp permit tcp any host 192.168.1.1

If the address is a network address, specify the mask as a 32-bit quantity in four-part, dotted-decimal format. Place zeros in the bit positions that you want to ignore.

Remember that you specify a network mask differently than with the Cisco IOS software access-list command. With the FWSM, enter 255.0.0.0 for a Class A address, 255.255.0.0 for a Class B address, and 255.255.255.0 for a Class C address. If you are using a subnetted network address, use the appropriate network mask as follows:

fwsm/context(config)# access-list acl_grp permit tcp any 209.165.201.0 255.255.255.224

The access-list command supports the sunrpc service.

The show access-list command lists the access-list commands in the configuration and the hit count of the number of times each element has been matched during an access-list command search. Additionally, it displays the number of access list statements in the access list and indicates whether or not the list is configured for Turbo ACL. If the list has fewer than 18 ACEs, it is marked as turbo-configured but is not actually configured for Turbo ACL until there are 19 or more entries.

The show access-list source_addr optional keyword and argument filter the show output so that only those access-list elements that match the source IP address (or with any as source IP address) are displayed.

The clear access-list command removes all access-list commands from the configuration or, if specified, removes the access lists by their id. The clear access-list id counters command clears the hit count for the specified access list.

The no access-list command removes an access-list command from the configuration. If you remove all the access-list commands in an access list, the no access-list command also removes the corresponding access-group command from the configuration.


Note The aaa, crypto map, and icmp commands use the access-list commands.


access-list logging Commands

This example shows what happens when you enable an access-list log optional keyword:

fwsm/context(config)# access-group outside-acl in interface outside
fwsm/context(config)# access-list outside-acl permit ip host 1.1.1.1 any log 7 interval 600
fwsm/context(config)# access-list outside-acl permit ip host 2.2.2.2 any
fwsm/context(config)# access-list outside-acl deny ip any any log 2

The following sequence shows how the previous example applies access-list logging to an ICMP flow:

1. An ICMP echo request (1.1.1.1 -> 192.168.1.1) arrives on the outside interface.

2. An ACL called outside-acl is applied for the access check.

3. The packet is permitted by the first ACE of outside-acl that has the log optional keyword enabled.

4. The log flow (ICMP, 1.1.1.1, 0, 192.168.1.1, 8) has not been cached, so the following syslog message is generated and the log flow is cached:

106100: access-list outside-acl permitted icmp outside/1.1.1.1(0) -> 
inside/192.168.1.1(8) hit-cnt 1 (first hit)

5. Twenty packets arrive on the outside interface within the next 10 minutes (600 seconds). Because the log flow has been cached, the log flow is located and the hit count of the log flow is incremented for each packet.

6. At the end of 10 minutes, this syslog message is generated and the hit count of the log flow is reset to 0:

106100: access-list outside-acl permitted icmp outside/1.1.1.1(0) -> 
inside/192.168.1.1(8) hit-cnt 20 (300-second interval)

7. No packets arrive on the outside interface within the next 10 minutes, so the hit count of the log flow remains 0.

8. At the end of 20 minutes, the cached flow (ICMP, 1.1.1.1, 0, 192.168.1.1, 8) is deleted because of the 0 hit count.
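The following Python model, added here as an illustration and not FWSM code, replays the eight-step logging sequence above (the same sequence is given for the access-list command earlier in this chapter): a first hit is reported and cached, later hits only increment the cached count, each interval boundary reports a nonzero count and resets it, a flow idle for a whole interval is deleted, and flushing the cache reports flows with a nonzero count. The Flow fields, the integer timestamps and the "flushed" reason label are assumptions of this example; the reference does not show that text.

```python
"""Model of FWSM ACE log-flow caching for syslog 106100 (added example, not FWSM code).

Behaviour modelled from the reference text: the first packet of a flow that matches an ACE
with the log keyword produces a "first hit" message and caches the flow; later packets only
increment the cached hit count; at the end of each interval a message reports a nonzero hit
count and resets it; a flow whose count is still zero at the end of an interval is deleted;
flushing the cache (ACL removal, clear access-list) reports flows with a nonzero count.
The integer timestamps, the "flushed" label and the Flow fields are this example's assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """Cached flow key, written as the reference does: (ICMP, 1.1.1.1, 0, 192.168.1.1, 8).
    For ICMP the two port fields carry 0 and the ICMP type."""
    protocol: str
    src: str
    src_port: int
    dst: str
    dst_port: int


@dataclass
class Counter:
    hits: int          # hits since the last message for this flow
    deadline: int      # time (seconds) at which the current interval ends


class AceLogCache:
    def __init__(self, acl_id: str, action: str, in_if: str, out_if: str, interval: int = 300):
        self.acl_id = acl_id
        self.verb = "permitted" if action == "permit" else "denied"
        self.in_if, self.out_if = in_if, out_if
        self.interval = interval            # interval secs; 300 is the FWSM default for a new ACE
        self.flows: Dict[Flow, Counter] = {}

    def _msg(self, flow: Flow, hits: int, reason: str) -> str:
        """Format the 106100 line the way the reference prints it."""
        return (f"106100: access-list {self.acl_id} {self.verb} {flow.protocol} "
                f"{self.in_if}/{flow.src}({flow.src_port}) -> "
                f"{self.out_if}/{flow.dst}({flow.dst_port}) hit-cnt {hits} ({reason})")

    def packet(self, flow: Flow, now: int) -> Optional[str]:
        """A packet matched this logging ACE at time now; return a syslog line or None."""
        counter = self.flows.get(flow)
        if counter is None:
            # First match: report it immediately and start the interval timer.
            self.flows[flow] = Counter(hits=0, deadline=now + self.interval)
            return self._msg(flow, 1, "first hit")
        counter.hits += 1                   # cached flow: count only, no message yet
        return None

    def expire(self, now: int) -> List[str]:
        """Run every interval boundary up to now: report nonzero counts, drop idle flows."""
        out: List[str] = []
        for flow, counter in list(self.flows.items()):
            while counter.deadline <= now:
                if counter.hits == 0:
                    del self.flows[flow]    # inactive for a whole interval: delete the flow
                    break
                out.append(self._msg(flow, counter.hits, f"{self.interval}-second interval"))
                counter.hits = 0
                counter.deadline += self.interval
        return out

    def flush(self) -> List[str]:
        """ACL removed or clear access-list: only flows with a nonzero count are reported."""
        out = [self._msg(f, c.hits, "flushed") for f, c in self.flows.items() if c.hits]
        self.flows.clear()
        return out


def run_reference_scenario() -> Tuple[List[Tuple[int, str]], int]:
    """Replay steps 1-8 above for 'permit ip host 1.1.1.1 any log 7 interval 600'."""
    cache = AceLogCache("outside-acl", "permit", "outside", "inside", interval=600)
    echo = Flow("icmp", "1.1.1.1", 0, "192.168.1.1", 8)   # ICMP echo request, type 8
    events: List[Tuple[int, str]] = []
    first = cache.packet(echo, now=0)                      # step 4: the first hit is logged
    events.append((0, first or ""))
    for t in range(1, 21):                                 # step 5: 20 packets within 600 s
        if cache.packet(echo, now=t) is not None:
            raise AssertionError("a cached flow must not produce a message")
    for now in (600, 1200):                                # steps 6-8: two interval boundaries
        events.extend((now, m) for m in cache.expire(now))
    return events, len(cache.flows)


if __name__ == "__main__":
    for when, line in run_reference_scenario()[0]:
        print(f"t={when:>5}s  {line}")
```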

To disable a log optional keyword without removing the ACE, enter the access-list id log disable command.

When removing an ACE with a log optional keyword enabled using the no access-list command, you do not need to specify all the log options. The ACE is removed if its permit or deny rule is used to uniquely identify it. However, removing an ACE (with a log optional keyword enabled) does not remove the associated cached flows. You must remove the entire ACL to remove the cached flows. When a cached flow is flushed due to the removal of an ACL, a syslog message is generated if the hit count of the flow is nonzero.

Use the clear access-list command to remove all the cached flows.

access-list id remark command

You can use the access-list id [line line-num] remark text command to include comments (remarks) about entries in any ACL. Remarks make the ACL easier to scan and interpret. Each remark line is limited to 100 characters.

The ACL remark can go before or after an access-list command, but you should place it in a consistent position so that it is clear which remark describes which access-list command.

The no access-list id line line-num remark text and no access-list id line line-num commands both remove the remark at that line number.

The following are samples of possible access-list remarks:

access-list out-acl remark - ACL for the outside interface
access-list out-acl remark - Allow Joe Smith's group to login
access-list out-acl permit tcp 1.1.1.0 255.255.255.0 server
access-list out-acl remark - Allow Lee White's group to login
access-list out-acl permit tcp 1.1.3.0 255.255.255.0 server
access-list out-acl remark - Deny known hackers
access-list out-acl deny ip host 192.23.56.1 any
access-list out-acl deny ip host 197.1.1.125 any

RADIUS Authorization

The FWSM allows a RADIUS server to send user group attributes to the FWSM in the RADIUS authentication response message. Additionally, the FWSM allows downloadable access lists from the RADIUS server. For example, you can configure an access list on a Cisco Secure ACS server and download it to the FWSM during RADIUS authorization.

After the FWSM authenticates a user, it can use the CiscoSecure acl attribute that is returned by the authentication server to identify an access list for a given user group. The firewall also provides the same functionality for TACACS+.

To restrict users to three servers and deny everything else, the access-list commands are as follows:

fwsm/context(config)# access-list eng permit ip any server1 255.255.255.255
fwsm/context(config)# access-list eng permit ip any server2 255.255.255.255
fwsm/context(config)# access-list eng permit ip any server3 255.255.255.255
fwsm/context(config)# access-list eng deny ip any any

In this example, the vendor-specific attribute string in the CiscoSecure configuration is set to acl=eng. This field in the CiscoSecure configuration contains the access-list identification name. The FWSM receives the acl=id attribute from CiscoSecure, extracts the ACL name from the attribute string, and places it in the user's uauth entry. When the user tries to open a connection, the FWSM checks the access list in the user's uauth entry and permits or denies the connection according to the matching permit or deny entry. When a connection is denied, the FWSM generates a syslog message. If there is no match, the implicit rule is to deny.

Because the source IP address of a given user can vary depending on where the user logs in from, set the source address in the access-list command to any and use the destination address to identify the network services to which the user is permitted or denied access. To allow only users logging in from a given subnet to use the specified services, specify that subnet instead of any.


Note An access list that is used for RADIUS authorization does not require an access-group command to bind the statements to an interface.


The aaa authorization command does not have a radius optional keyword.

Configure the access list that is named in Attribute 11 to specify a per-user access list. Otherwise, remove Attribute 11 from the configuration if no access list is intended for user authentication. If the access list is not configured on the FWSM when the user attempts to log in, the login fails.

For more information, refer to the Cisco FWSM and VPN Configuration Guide.

Usage Notes

The clear access-list command automatically unbinds an access list from a crypto map command or interface. The unbinding of an access list from a crypto map command can lead to a condition that discards all packets because the crypto map commands referencing the access list are incomplete. To correct the condition, either define other access-list commands to complete the crypto map commands or remove the crypto map commands that pertain to the access-list command. Refer to the crypto map client command for more information.

ACLs that are dynamically updated on the FWSM by an AAA server can only be shown using the show access-list command. The write command does not save or display these updated lists.

The access-list command operates on a first-match basis.

If you specify an access-list command and bind it to an interface with the access-group command, by default, all traffic to that interface is denied. You must explicitly permit traffic. Inbound refers to traffic passing through the interface, not the traffic passing from a lower security level interface to a higher security level interface.

Always permit access first and then deny access afterward. If the host entries match, use the permit keyword; otherwise, use the default deny keyword. You only need to specify additional deny keywords if you need to deny specific hosts and permit everyone else.

You can see the security levels for interfaces with the show nameif command.

The ICMP message type (icmp_type) optional argument is ignored in IPSec applications because the message type cannot be negotiated with ISAKMP.

You can bind only one access list to an interface using the access-group command.

If you specify the permit optional keyword in the access list, the FWSM continues to process the packet. If you specify the deny optional keyword in the access list, the FWSM discards the packet and generates this syslog message:

%fwsm#-4-106019: IP packet from source_addr to destination_addr, protocol protocol 
received from interface interface_name deny by access-group id

The access-list command uses the same syntax as the Cisco IOS software access-list command except that the FWSM uses a subnet mask. (Cisco IOS software uses a wildcard mask.) For example, a wildcard mask of 0.0.0.255 in a Cisco IOS software access-list command is specified as the subnet mask 255.255.255.0 in the FWSM access-list command.

We recommend that you do not use the access-list command with the outbound command. Using these commands together may cause debugging issues. The outbound command operates from one interface to another and the access-list command when used with the access-group command applies only to a single interface. If you use these commands together, the FWSM evaluates the access-list command before checking the outbound command.

Refer to Chapter 3, "Managing Network Access and Use" in the Cisco Firewall and VPN Configuration Guide for a detailed description about using the access-list command to provide server access and to restrict outbound user access.

See the aaa-server radius-acctport and aaa-server radius-authport commands to verify or change port settings.

ICMP Message Types

For non-IPSec use only, if you prefer more selective ICMP access, you can specify a single ICMP message type as the last optional keyword in this command. Table 2-2 lists the possible ICMP type values.

Table 2-2 ICMP Type Literals

ICMP Type   Literal
0           echo-reply
3           unreachable
4           source-quench
5           redirect
6           alternate-address
8           echo
9           router-advertisement
10          router-solicitation
11          time-exceeded
12          parameter-problem
13          timestamp-request
14          timestamp-reply
15          information-request
16          information-reply
17          address-mask-request
18          address-mask-reply
31          conversion-error
32          mobile-redirect


This example shows that if you specify an ICMP message type for use with IPSec, FWSM ignores it:

fwsm/context(config)# access-list 10 permit icmp any any echo-reply

If IPSec is enabled and a crypto map command references the id of this access-list command, the echo-reply ICMP message type is ignored when the traffic is selected for IPSec.

Using the access-list Command with IPSec

If you bind an access list to an interface with the access-group command, the access list selects which traffic can traverse the FWSM. When bound to a crypto map command, the access list selects which IP traffic IPSec protects and which traffic IPSec does not protect. For example, access lists can be created to protect all IP traffic between Subnet X and Subnet Y or traffic between Host A and Host B.

The access lists are not specific to IPSec. The crypto map command referring to the specific access list defines whether IPSec processing is applied to the traffic matching a permit in the access list.

Crypto access lists that are associated with the IPSec crypto map command have these primary functions:

Select outbound traffic to be protected by IPSec (permit = protect).

Indicate the data flow to be protected by the new security associations (specified by a single permit entry) when initiating negotiations for IPSec security associations.

Process traffic to filter out and discard traffic that IPSec protects.

Determine whether to accept requests for IPSec security associations for the requested data flows when processing IKE negotiation from the IPSec peer. (Negotiation is only done for the crypto map commands with the ipsec-isakmp optional keyword.) A peer's initiated IPSec negotiation will be accepted only if you specify a data flow that is permitted by a crypto access list that is associated with an ipsec-isakmp crypto map entry.

You can associate a crypto access list with an interface by defining the corresponding crypto map command and applying the crypto map set to an interface. You must use different access lists in different entries of the same crypto map set. The access list's criteria are applied in the forward direction to traffic exiting your FWSM and the reverse direction to traffic entering your FWSM.

If you want certain traffic to receive one combination of IPSec protection (for example, authentication only) and other traffic to receive a different combination of IPSec protection (for example, both authentication and encryption), you need to create two different crypto access lists to define the two different types of traffic. These different access lists are then used in different crypto map entries that specify different IPSec policies.

We recommend that you configure "mirror image" crypto access lists for use by IPSec and that you avoid using the any keyword.

If you configure multiple entries for a given crypto access list, the first permit keyword entry matched will be the entry used to determine the scope of the IPSec security association. The IPSec security association will be set up to protect traffic that meets the criteria of the matched keyword entry only. Later, if traffic matches a different permit entry of the crypto access list, a new, separate IPSec security association will be negotiated to protect traffic matching the newly matched access list command.

Some services, such as FTP, require two access-list commands, one for port 20 (FTP data) and another for port 21 (FTP control), to properly encrypt FTP traffic.
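The evaluation rules in the usage notes above (first match, implicit deny at the end of an ACL bound with access-group, subnet masks instead of IOS wildcard masks), the per-user access list returned through RADIUS authorization, and the mirror-image recommendation for crypto access lists, worked through in one added Python example that is not FWSM code. The parser handles the address forms shown on this page (any, host, address with subnet mask) plus an optional destination eq port; the host addresses, the eng/local/peer ACL contents and the is_mirror_image and uses_any helpers are constructed for the example.

```python
"""FWSM-style ACE parsing, first-match evaluation and crypto ACL checks (added example, not FWSM code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

ANY = IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp" or "icmp"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None  # destination port for tcp/udp; None matches any port


def ios_wildcard_to_mask(wildcard: str) -> str:
    """Convert an IOS wildcard mask (0.0.0.255) to the subnet mask the FWSM expects (255.255.255.0)."""
    return str(IPv4Address(0xFFFFFFFF ^ int(IPv4Address(wildcard))))


def _take_addr(tokens: List[str]) -> IPv4Network:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M' (subnet mask, not wildcard) from tokens."""
    first = tokens.pop(0)
    if first == "any":
        return ANY
    if first == "host":
        return IPv4Network(tokens.pop(0) + "/32")
    return IPv4Network(f"{first}/{tokens.pop(0)}", strict=False)


def parse_ace(line: str) -> Tuple[str, Ace]:
    """Parse 'access-list ID [extended] {permit|deny} PROTO SRC DST [eq PORT]'; returns (ACL id, Ace)."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list command: {line}")
    acl_id, tokens = tokens[1], tokens[2:]
    if tokens[0] == "extended":
        tokens.pop(0)
    action, proto = tokens.pop(0), tokens.pop(0)
    src, dst = _take_addr(tokens), _take_addr(tokens)
    dport = int(tokens[1]) if tokens[:1] == ["eq"] else None
    return acl_id, Ace(action, proto, src, dst, dport)


def load_acls(lines: List[str]) -> Dict[str, List[Ace]]:
    """Group parsed ACEs by ACL id, preserving order (first match depends on it)."""
    acls: Dict[str, List[Ace]] = {}
    for line in lines:
        acl_id, ace = parse_ace(line)
        acls.setdefault(acl_id, []).append(ace)
    return acls


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """First-match evaluation; an ACL bound with access-group ends in an implicit deny."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


def is_mirror_image(local: List[Ace], peer: List[Ace]) -> bool:
    """True if each permit in one crypto ACL appears in the other with source and destination swapped.
    Only address selectors are compared; the crypto ACLs in this section select traffic by address."""
    def permits(acl: List[Ace]):
        return {(a.proto, a.src, a.dst) for a in acl if a.action == "permit"}
    return permits(local) == {(p, d, s) for (p, s, d) in permits(peer)}


def uses_any(acl: List[Ace]) -> bool:
    """Flags crypto ACL entries that select with 'any', which the text recommends avoiding."""
    return any(a.src == ANY or a.dst == ANY for a in acl)


def demo() -> Dict[str, object]:
    """Constructed input: a per-user ACL shaped like 'eng' above and a mirror-image crypto ACL pair."""
    acls = load_acls([
        "access-list eng permit ip any host 10.1.2.10",
        "access-list eng permit tcp any host 10.1.2.11 eq 443",
        "access-list eng deny ip any any",
        "access-list local permit ip 172.21.3.0 255.255.255.0 172.22.2.0 255.255.255.0",
        "access-list peer permit ip 172.22.2.0 255.255.255.0 172.21.3.0 255.255.255.0",
    ])
    eng = acls["eng"]
    return {
        "ssh_to_10": evaluate(eng, "tcp", "192.0.2.7", "10.1.2.10", 22),     # permit
        "https_to_11": evaluate(eng, "tcp", "192.0.2.7", "10.1.2.11", 443),  # permit
        "ssh_to_11": evaluate(eng, "tcp", "192.0.2.7", "10.1.2.11", 22),     # deny
        "mask": ios_wildcard_to_mask("0.0.0.255"),                          # 255.255.255.0
        "mirror": is_mirror_image(acls["local"], acls["peer"]),             # True
        "crypto_uses_any": uses_any(acls["local"]),                         # False
    }
```

Feeding a wildcard mask to the FWSM parser is the classic mistake when porting IOS lists: 10.1.2.0 0.0.0.255 is accepted as an address with a subnet mask of 0.0.0.255, which matches almost nothing, so convert masks before loading and check a few known-good and known-bad flows with evaluate before binding the ACL.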

Examples

This example shows how to create a numbered access list that specifies a Class C subnet for the source and a Class C subnet for the destination of IP packets. Because the access-list command is referenced in the crypto map command, the FWSM encrypts all IP traffic that is exchanged between the source and destination subnets.

fwsm/context(config)# access-list 101 permit ip 172.21.3.0 255.255.255.0 172.22.2.0 255.255.255.0
fwsm/context(config)# access-group 101 in interface outside
fwsm/context(config)# crypto map mymap 10 match address 101

This example shows how to let only an ICMP message type of echo-reply be permitted into the outside interface:

fwsm/context(config)# access-list acl_out permit icmp any any echo-reply
fwsm/context(config)# access-group acl_out in interface outside

This example shows how ACEs are numbered by the FWSM and how remarks are inserted (remarks are not assigned a line number):

fwsm/context(config)# show access-list ac
access-list ac; 2 elements
access-list ac line 1 permit ip any any (hitcnt=0)
access-list ac line 2 permit tcp any any (hitcnt=0)

fwsm/context(config)# access-list ac permit tcp object-group remote object-group locals
fwsm/context(config)# show access-list ac
access-list ac; 3 elements
access-list ac line 1 permit ip any any (hitcnt=0) 
access-list ac line 2 permit tcp any any (hitcnt=0) 
access-list ac line 3 permit tcp object-group remote object-group locals
fwsm/context(config)# access-list ac remark This comment describes the ACE line 3

fwsm/context(config)# show access-list ac                          
access-list ac; 3 elements
access-list ac line 1 permit ip any any (hitcnt=0) 
access-list ac line 2 permit tcp any any (hitcnt=0) 
access-list ac remark This comment describes the ACE line 3
access-list ac line 3 permit tcp object-group remote object-group locals

fwsm/context(config)# access-list ac permit tcp 171.0.0.0 255.0.0.0 any
fwsm/context(config)# show access-list ac                                
access-list ac; 4 elements
access-list ac line 1 permit ip any any (hitcnt=0) 
access-list ac line 2 permit tcp any any (hitcnt=0) 
access-list ac remark This comment describes the ACE line 3
access-list ac line 3 permit tcp object-group remote object-group locals
access-list ac line 4 permit tcp 171.0.0.0 255.0.0.0 any (hitcnt=0)

fwsm/context(config)# no access-list ac permit tcp object-group remote object-group locals
fwsm/context(config)# show access-list ac                         
access-list ac; 3 elements
access-list ac line 1 permit ip any any (hitcnt=0) 
access-list ac line 2 permit tcp any any (hitcnt=0) 
access-list ac remark This comment describes the ACE line 3 
access-list ac line 3 permit tcp 171.0.0.0 255.0.0.0 any (hitcnt=0)

This example shows how to remove an access list comment:

fwsm/context(config)# access-list ac remark This comment describes the ACE line 5
fwsm/context(config)# sh access-list ac
access-list ac; 3 elements
access-list ac line 1 permit ip any any (hitcnt=0) 
access-list ac line 2 permit tcp any any (hitcnt=0) 
access-list ac remark This comment describes the ACE line 3 
access-list ac line 3 permit tcp 171.0.0.0 255.0.0.0 any (hitcnt=0) 
access-list ac remark This comment describes the ACE line 5

fwsm/context(config)# no access-list ac remark This comment describes the ACE line 5
fwsm/context(config)# show access-list ac                             
access-list ac; 3 elements
access-list ac line 1 permit ip any any (hitcnt=0) 
access-list ac line 2 permit tcp any any (hitcnt=0) 
access-list ac remark This comment describes the ACE line 3 
access-list ac line 3 permit tcp 171.0.0.0 255.0.0.0 any (hitcnt=0)

This example shows how to insert an access list entry at a specific line number:

fwsm/context(config)# show access-list ac
access-list ac; 3 elements
access-list ac line 1 permit ip any any (hitcnt=0) 
access-list ac line 2 permit tcp any any (hitcnt=0) 
access-list ac remark This comment describes the ACE line 3
access-list ac line 3 permit tcp 171.0.0.0 255.0.0.0 any (hitcnt=0)

fwsm/context(config)# access-list ac line 3 permit ip 172.0.0.0 255.0.0.0 any
fwsm/context(config)# show access-list ac                                      
access-list ac; 4 elements
access-list ac line 1 permit ip any any (hitcnt=0) 
access-list ac line 2 permit tcp any any (hitcnt=0) 
access-list ac remark This comment describes the ACE line 3 
access-list ac line 3 permit ip 172.0.0.0 255.0.0.0 any (hitcnt=0) 
access-list ac line 4 permit tcp 171.0.0.0 255.0.0.0 any (hitcnt=0)

The show access-list command has the following line of output which shows the total number of cached ACL log flows (total), the number of cached deny-flows (denied), and the maximum number of allowed deny-flows:

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)

Related Commands

access-group

access-list commit

access-list extended

access-list mode

clear access-group

clear access-list

configure

object-group

pager

show access-group

show access-list

access-list mode

To switch the commitment mode for ACLs between manual- and auto-commit, use the access-list mode command.

access-list mode {auto-commit | manual-commit}

Syntax Description

auto-commit

Automatically commits an ACL when you add an ACE.

manual-commit

Disables auto-commit. You must manually commit an ACL using the access-list commit command.


Defaults

The default is auto-commit.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

When you add an ACE to an ACL, the FWSM activates the ACL by committing it to the network processors. In auto-commit mode, the FWSM waits a short period of time after you last entered an access-list command and then commits the ACL. If you enter an ACE after the commitment starts, the FWSM aborts the commitment, and recommits the ACL after a new short waiting period. The FWSM displays a message similar to the following after it commits the ACL:

Access Rules Download Complete: Memory Utilization: < 1%

Large ACLs of approximately 60K ACEs can take 3 to 4 minutes to commit, depending on the size.

You can manually commit ACLs for the following reasons:

Your management application or script needs to monitor the ACL commitment for error messages. Some management applications cannot monitor errors that are the result of configuration commands, so if you add ACEs, and there is a commitment error, the management application might not receive the error. However, if the management application sets the mode to manual-commit, then it can monitor errors resulting from the access-list commit command, which is a run-time command. The management application typically sets this mode to manual-commit automatically.

You want to modify an ACL, such as inserting lines, but do not want to disrupt traffic. For example, with auto-commit, you cannot insert a line into an ACL. You have to create a new ACL (with the inserted line), and then change the ACL name that is assigned to the interface, causing a brief disruption. With manual commit, you can remove the ACL (from the configuration; not from running), enter a modified ACL with the same name, and then commit the ACL. Because the ACL name is the same, you do not need to change the interface assignment, and there is no disruption of traffic.

If you enable manual commit, then you must remember to manually commit any changes you make to ACLs, whether the change is an addition or a subtraction. Also, you must manually commit an ACL before you assign it to an interface (access-group command); the FWSM cannot assign an ACL to an interface if the ACL does not exist yet.

If you delete an ACE, but have not yet committed your change, the show running-config command shows the ACE with the text "uncommitted deletion". Adding an ACE shows the ACE as "uncommitted addition".


Note Manual-commit mode only affects ACLs that are not used or ACLs that are used with the access-group command. ACLs used for AAA, NAT, or other configuration commands are always committed automatically. For example, if you use the same ACL for access-group and for AAA, then the ACL commits automatically for AAA, but you must manually commit it for access-group. For this reason, we recommend that you do not use manual-commit mode if you share an ACL between an access-group command and other commands, such as AAA or NAT.


Examples

This example shows how to modify an existing access list using the manual-commit mode without disrupting traffic:

fwsm(config)# access-list mode manual-commit
fwsm(config)# no access-list CHANGEME
fwsm(config)# access-list CHANGEME ...
! New ACE 1
fwsm(config)# access-list CHANGEME ...
! New ACE 2
fwsm(config)# ...
fwsm(config)# access-list CHANGEME ...
! New ACE N
fwsm(config)# access-list commit

This example shows how to delete the old access list and add a new one with a different name:

fwsm(config)# access-list mode manual-commit
fwsm(config)# no access-list old-acl
fwsm(config)# access-list new-acl .... : New ACE1
fwsm(config)# access-list new-acl .... : New ACE2
fwsm(config)# ..........
fwsm(config)# access-list new-acl .... : New ACEn
fwsm(config)# access-list commit
fwsm(config)# access-group new-acl in interface old-interface

The previous example shows that there is a slight traffic disruption on the old interface, which is equal to the time taken for the commit to complete and the access-group command to be applied in the last two command lines.

This example shows how to configure the access list as shown in the previous example without a traffic disruption:

fwsm(config)# access-list mode manual-commit
fwsm(config)# access-list new-acl .... : New ACE1
fwsm(config)# access-list new-acl .... : New ACE2
fwsm(config)# ..........
fwsm(config)# access-list new-acl .... : New ACEn
fwsm(config)# access-list commit
fwsm(config)# access-group new-acl in interface old-interface
fwsm(config)# no access-list old-acl
fwsm(config)# access-list commit

The previous example shows that there is no disruption in traffic on the old interface. The only side effect of this sequence of commands is that the total number of ACEs configured on the FWSM will be NUM-ACE(old-acl) + NUM-ACE(new-acl) for a brief time.
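The two manual-commit sequences above, replayed against a small Python model of the commit state (an added example, not FWSM code). The model keeps the running configuration, with its uncommitted addition and uncommitted deletion tags, apart from the rules committed to the network processors, refuses access-group for an uncommitted ACL as the text describes, and assumes that committing the deletion of an ACL also drops any access-group binding that referenced it. The ACE text and the interface name are constructed for the example.

```python
"""Model of FWSM ACL commit modes (added example, not FWSM code)."""
from typing import Callable, Dict, List, Optional

COMMIT_MSG = "Access Rules Download Complete: Memory Utilization: < 1%"


class AclCommitModel:
    """Separates the running configuration (which may carry uncommitted additions and
    deletions) from the rules committed to the network processors."""

    def __init__(self, mode: str = "auto-commit") -> None:
        self.mode = mode
        self.running: Dict[str, Dict[str, str]] = {}   # acl -> {ace text: state}
        self.active: Dict[str, List[str]] = {}         # acl -> ACEs committed to the NPs
        self.bindings: Dict[str, str] = {}             # interface -> acl (access-group)
        self.output: List[str] = []

    def set_mode(self, mode: str) -> None:
        self.mode = mode

    def add_ace(self, acl: str, ace: str) -> None:
        """'access-list ID ...': in auto-commit mode the ACL is committed right away."""
        self.running.setdefault(acl, {})[ace] = "uncommitted addition"
        if self.mode == "auto-commit":
            self._commit()

    def remove_acl(self, acl: str) -> None:
        """'no access-list ID': every ACE becomes an uncommitted deletion until the commit."""
        for ace in self.running.get(acl, {}):
            self.running[acl][ace] = "uncommitted deletion"
        if self.mode == "auto-commit":
            self._commit()

    def commit(self) -> bool:
        """'access-list commit': honoured only in manual-commit mode."""
        if self.mode == "auto-commit":
            self.output.append("ERROR: access-list mode set to auto-commit; command ignored")
            return False
        self._commit()
        return True

    def _commit(self) -> None:
        for acl in list(self.running):
            kept = [ace for ace, state in self.running[acl].items() if state != "uncommitted deletion"]
            if kept:
                self.running[acl] = {ace: "committed" for ace in kept}
                self.active[acl] = kept
            else:
                # ACL removed entirely; dropping its access-group binding as well is an assumption
                del self.running[acl]
                self.active.pop(acl, None)
                self.bindings = {i: a for i, a in self.bindings.items() if a != acl}
        self.output.append(COMMIT_MSG)

    def access_group(self, acl: str, iface: str) -> bool:
        """'access-group ID in interface NAME': refused until the ACL has been committed."""
        if acl not in self.active:
            self.output.append("ERROR: access-list not committed, ignoring command")
            return False
        self.bindings[iface] = acl
        return True

    def show_access_list(self, acl: str) -> List[str]:
        """Same shape as the show access-list output above, including the uncommitted tags."""
        entries = self.running.get(acl, {})
        lines = [f"access-list {acl}; {len(entries)} elements"]
        for ace, state in entries.items():
            tag = "" if state == "committed" else f" ({state})"
            lines.append(f"access-list {acl} extended {ace} (hitcnt=0){tag}")
        return lines

    def active_acl(self, iface: str) -> Optional[str]:
        """The ACL actually filtering `iface`, or None if nothing committed is bound to it."""
        acl = self.bindings.get(iface)
        return acl if acl in self.active else None


def replace_acl(remove_old_first: bool) -> List[Optional[str]]:
    """Replays the two manual-commit sequences above on interface 'outside' (constructed ACEs)
    and returns the ACL active on that interface after each step."""
    fw = AclCommitModel()
    fw.add_ace("old-acl", "permit tcp any host 10.1.1.1 eq 443")
    fw.access_group("old-acl", "outside")
    fw.set_mode("manual-commit")
    trace: List[Optional[str]] = []

    def step(cmd: Callable, *args) -> None:
        cmd(*args)
        trace.append(fw.active_acl("outside"))

    if remove_old_first:
        step(fw.remove_acl, "old-acl")
        step(fw.add_ace, "new-acl", "permit tcp any host 10.1.1.2 eq 443")
        step(fw.commit)                         # old-acl gone, new-acl not yet bound
        step(fw.access_group, "new-acl", "outside")
    else:
        step(fw.add_ace, "new-acl", "permit tcp any host 10.1.1.2 eq 443")
        step(fw.commit)
        step(fw.access_group, "new-acl", "outside")
        step(fw.remove_acl, "old-acl")
        step(fw.commit)
    return trace
```

replace_acl(True) shows a step at which the interface has no committed ACL (the window the text describes as the slight disruption); replace_acl(False) never does, at the cost of both ACLs being committed at once for a short time.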


This example shows how to use the manual-commit mode:

fwsm(config)# show access-list mode
ERROR: access-list <mode> does not exists
fwsm(config)# 
fwsm(config)# show access-list
access-list mode auto-commit
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 
300
fwsm(config)# 
fwsm(config)# access-list 1 permit ip any any
fwsm(config)# Access Rules Download Complete: Memory Utilization: < 1%
fwsm(config)# 
fwsm(config)# show access-list
access-list mode auto-commit
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 
300
access-list 1; 1 elements
access-list 1 extended permit ip any any (hitcnt=0)
fwsm(config)# 
fwsm(config)# access-list commit
ERROR: access-list mode set to auto-commit; command ignored
fwsm(config)# 
fwsm(config)# Access Rules Download Complete: Memory Utilization: < 1%
fwsm(config)# 
fwsm(config)# show access-list
access-list mode auto-commit
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 
300
fwsm(config)# 
fwsm(config)# access-list mode manual-commit
fwsm(config)# 
fwsm(config)# show access-list
access-list mode manual-commit
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 
300
fwsm(config)# 
fwsm(config)# access-list 1 permit ip any any
fwsm(config)# 
fwsm(config)# show access-list
access-list mode manual-commit
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 
300
access-list 1; 1 elements
access-list 1 extended permit ip any any (hitcnt=0) (uncommitted addition)
fwsm(config)# 
fwsm(config)# access-group 1 in interface inside
ERROR: access-list not committed, ignoring command
fwsm(config)# access-list commit
Access Rules Download Complete: Memory Utilization: < 1%
fwsm(config)# 
fwsm(config)# access-group 1 in interface inside
fwsm(config)# show access-list
access-list mode manual-commit
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 
300
access-list 1; 1 elements
access-list 1 extended permit ip any any (hitcnt=0)
fwsm(config)# 
fwsm(config)# no access-list 1 permit ip any any
fwsm(config)# 
fwsm(config)# show access-list
access-list mode manual-commit
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 
300
access-list 1; 1 elements
access-list 1 extended permit ip any any (hitcnt=0) (uncommitted deletion)
fwsm(config)# 
fwsm(config)# access-list commit
Access Rules Download Complete: Memory Utilization: < 1%
fwsm(config)# 
fwsm(config)# show access-list
access-list mode manual-commit
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 
300
fwsm(config)# 

Related Commands

access-list commit

access-list extended

clear access-list

show access-list

show access-list mode

access-list object-group

To add an access list to the configuration and to configure policy for IP traffic through the firewall, use the access-list object-group command. To remove the access list, use the no form of this command.

[no] access-list id {deny | permit} object-group {network_obj_grp_id destination_ip destination_mask} [log [disable | [level] | default] | [interval secs]]

[no] access-list id {deny | permit} {object-group {network_obj_grp_id [icmp_type [icmp_type_obj_grp_id]]}} [log [disable | [level] | default] | [interval secs]]

Syntax Description

id

Name or number of an access list.

deny

Denies access if the conditions are matched. See the "Usage Guidelines" section for the description.

permit

Permits access if the conditions are matched. See the "Usage Guidelines" section for the description.

network_obj_grp_id

Existing network object group identification.

destination_ip

IP address of the network or host to which the packet is being sent. See the "Usage Guidelines" section for additional information.

destination_mask

Netmask bits (mask) to be applied to destination_ip if the destination address is a network address.

log disable | default | level

(Optional) Specifies that a syslog message 106100 is generated for the ACE. See the log command for information.

interval secs

Specifies the time interval at which to generate a 106100 syslog message; valid values are from 1 to 600 seconds.

icmp_type

(Optional) ICMP type.

icmp_type_obj_grp_id

(Optional) Object group ICMP type ID.


Defaults

The defaults are as follows:

The FWSM denies all packets on the originating interface unless you specifically permit access.

ACL logging generates syslog message 106023 for denied packets; a deny ACE must be present for denied packets to be logged.

When the log optional keyword is specified, the default level for syslog message 106100 is 6 (informational).

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The clear access-list command automatically unbinds an access list from a crypto map command or interface. The unbinding of an access list from a crypto map command can lead to a condition that discards all packets because the crypto map commands referencing the access list are incomplete. To correct the condition, either define other access-list commands to complete the crypto map commands or remove the crypto map commands that pertain to the access-list command. Refer to the crypto map client command for more information.

ACLs that are dynamically updated on the FWSM by an AAA server can only be shown using the show access-list command. The write command does not save or display these updated lists.

The access-list command operates on a first-match basis.

If you specify an access-list command and bind it to an interface with the access-group command, by default, all traffic to that interface is denied. You must explicitly permit traffic. Inbound refers to traffic passing through the interface, not the traffic passing from a lower security level interface to a higher security level interface.

Always permit access first and then deny access afterward. If the host entries match, use the permit keyword; otherwise, use the default deny keyword. You only need to specify additional deny keywords if you need to deny specific hosts and permit everyone else.

You can see the security levels for interfaces with the show nameif command.

The optional ICMP message type (icmp_type) argument is ignored in IPSec applications because the message type cannot be negotiated with ISAKMP.

You can bind only one access list to an interface using the access-group command.

If you specify the permit optional keyword in the access list, the FWSM continues to process the packet. If you specify the deny optional keyword in the access list, the FWSM discards the packet and generates this syslog message:

%fwsm#-4-106019: IP packet from source_addr to destination_addr, protocol protocol 
received from interface interface_name deny by access-group id

The access-list command uses the same syntax as the Cisco IOS software access-list command except that the FWSM uses a subnet mask. (Cisco IOS software uses a wildcard mask.) For example, a wildcard mask of 0.0.0.255 in a Cisco IOS software access-list command is specified as the subnet mask 255.255.255.0 in the FWSM access-list command.

We recommend that you do not use the access-list command with the outbound command. Using these commands together may cause debugging issues. The outbound command operates from one interface to another and the access-list command when used with the access-group command applies only to a single interface. If you use these commands together, the FWSM evaluates the access-list command before checking the outbound command.

Refer to Chapter 3, "Managing Network Access and Use" in the Cisco Firewall and VPN Configuration Guide for a detailed description about using the access-list command to provide server access and to restrict outbound user access.

See the aaa-server radius-acctport and aaa-server radius-authport commands to verify or change port settings.

ICMP Message Types

For non-IPSec use only, if you prefer more selective ICMP access, you can specify a single ICMP message type as the last optional keyword in this command. Table 2-3 lists the possible ICMP type values.

Table 2-3 ICMP Type Literals

ICMP Type   Literal
0           echo-reply
3           unreachable
4           source-quench
5           redirect
6           alternate-address
8           echo
9           router-advertisement
10          router-solicitation
11          time-exceeded
12          parameter-problem
13          timestamp-request
14          timestamp-reply
15          information-request
16          information-reply
17          address-mask-request
18          address-mask-reply
31          conversion-error
32          mobile-redirect


Examples

This example shows how to create an ACE that references existing network object groups (remote and locals) as the source and destination:

fwsm/contexta(config)# access-list VPN_SPLIT extended permit ip object-group remote object-group locals

This example shows how to display access list object group information:

FWSM(config)# show access-list
access-list mode auto-commit
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300

Related Commands

access-group

access-list commit

access-list extended

access-list mode

clear access-group

clear access-list

configure

object-group

pager

show access-group

show access-list

access-list remark

To specify the text of the remark to add before or after an access-list extended command, use the access-list remark command. To delete the remark, use the no form of this command.

[no] access-list id remark text

Syntax Description

id

Name of an access list.

remark text

Specifies the text of the remark to add before or after an access-list extended command.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The remark text can be up to 100 characters in length, including spaces and punctuation.

On an ACL that includes a remark only, you cannot use the access-group command.

Examples

This example shows how to specify the text of the remark to add before or after an access-list command:

fwsm/context(config)# access-list 77 remark checklist

Related Commands

access-list extended

clear access-list

show access-list

access-list standard

To add an access list to the configuration and to configure the policy for IP traffic through the firewall, use the access-list standard command. To remove the access list, use the no form of this command.

[no] access-list id standard {deny | permit} {any | ip_mask}

Syntax Description

id

Name or number of an access list.

deny

Denies access if the conditions are matched. See the "Usage Guidelines" section for the description.

permit

Permits access if the conditions are matched. See the "Usage Guidelines" section for the description.

any

Specifies access to anyone.

ip_mask

Specific IP netmask.


Defaults

The defaults are as follows:

The FWSM denies all packets on the originating interface unless you specifically permit access.

ACL logging generates syslog message 106023 for denied packets. Deny entries must be present in the access list for denied packets to be logged.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

When used with the access-group command, the deny optional keyword does not allow a packet to traverse the FWSM. By default, the FWSM denies all packets on the originating interface unless you specifically permit access.

When you specify the protocol to match any Internet protocol, including TCP and UDP, use the ip keyword.

Refer to the object-group command for information on how to configure object groups.

You can use the object-group command to group access lists.

Use the following guidelines for specifying a source, local, or destination address:

Use a 32-bit quantity in four-part, dotted-decimal format.

Use the keyword any as an abbreviation for an address and mask of 0.0.0.0 0.0.0.0. We do not recommend that you use this keyword with IPSec.

Use host address as an abbreviation for a mask of 255.255.255.255.

Examples

This example shows how to deny IP traffic through the firewall:

fwsm/context(config)# access-list 77 standard deny any

This example shows how to permit IP traffic through the firewall if conditions are matched:

fwsm/context(config)# access-list 77 standard permit any

Related Commands

object-group

activation-key

To change the activation key on the FWSM and check the activation key running on the FWSM against the activation key that is stored in the Flash partition of the FWSM, use the activation-key command.

activation-key activation-key-four-tuple

Syntax Description

activation-key-four-tuple

Activation key; see the "Usage Guidelines" section for formatting guidelines.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

Enter the activation-key-four-tuple as a four-element hexadecimal string with one space between each element as follows:

0xe02888da 0x4ba7bed6 0xf1c123ae 0xffd8624e

The leading 0x specifier is optional; all values are assumed to be hexadecimal.

The key is not stored in the configuration file. The key is tied to the serial number.

Examples

This example shows how to change the activation key on the FWSM:

fwsm(config)# activation-key 0xe02888da 0x4ba7bed6 0xf1c123ae 0xffd8624e

Related Commands

clear activation-key

show activation-key

show version

admin-context

To set the administrator context, use the admin-context command.

admin-context admin-context-name

Syntax Description

admin-context-name

Context name.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: Multiple

Access Location: system command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The system requires one admin context to function properly. The admin context must reside on the disk. Until you create the admin context, no other contexts can be created. You can change the admin context to any other context using the admin-context command. However, the admin context must already exist and its configuration must reside on the disk before you make this change.

Examples

This example shows how to set the admin context on the FWSM:

fwsm(config)# admin-context test1

Related Commands

context

show admin-context

show context

alias

To translate one address into another, use the alias command. To disable a previously set alias command, use the no form of this command.

[no] alias {interface_name} dnat_ip destination_ip [netmask]

Syntax Description

interface_name

Internal network interface name that the destination_ip overwrites.

dnat_ip

IP address on the internal network that provides an alternate IP address for the external address that is the same as an address on the internal network.

destination_ip

IP address on the external network that has the same address as a host on the internal network.

netmask

(Optional) Network mask that is applied to both IP addresses.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

When entering the netmask, enter 255.255.255.255 for host masks.

Use the alias command to prevent conflicts when you have IP addresses on a network that are the same as those on the Internet or another intranet. You can also use this command to do address translation on a destination address. For example, if a host sends a packet to 209.165.201.1, you can use the alias command to redirect traffic to another address, such as 209.165.201.30.


Note To ensure that DNS fixup works properly, disable proxy-arp. If you are using the alias command for DNS fixup, you can disable proxy-arp with the sysopt noproxyarp internal_interface command after the alias command has been executed.


After changing or removing an alias command, use the clear xlate command.

You must have an A (address) record in the DNS zone file for the "dnat" address in the alias command.

The alias command has two uses, which can be summarized as follows:

If the FWSM gets a packet that is destined for the dnat_ip address, you can configure the alias command to send it to the destination_ip address.

If the FWSM gets a DNS packet returned to it that contains the destination_ip network address, you can configure the alias command to alter the DNS packet, changing that address to the dnat_ip network address.

The alias command automatically interacts with the DNS servers on your network to ensure that domain name access to the aliased IP address is handled transparently.

You can specify a net alias by using network addresses for the destination_ip and dnat_ip IP addresses. For example, the alias 192.168.201.0 209.165.201.0 255.255.255.224 command creates aliases for each IP address between 209.165.201.1 and 209.165.201.30.

To access an alias dnat_ip address with static and access-list commands, specify the dnat_ip address in the access-list command as the address from which traffic is permitted as follows:

fwsm/context(config)# alias (inside) 192.168.201.1 209.165.201.1 255.255.255.255
fwsm/context(config)# static (inside,outside) 209.165.201.1 192.168.201.1 netmask 255.255.255.255
fwsm/context(config)# access-list acl_out permit tcp host 192.168.201.1 host 209.165.201.1 eq ftp-data
fwsm/context(config)# access-group acl_out in interface outside

An alias is specified with the inside address 192.168.201.1 mapping to the destination address 209.165.201.1.

When the inside network client 209.165.201.2 connects to example.com, the DNS response from an external DNS server to the internal client's query would be altered by the FWSM to be 192.168.201.29. If the FWSM uses 209.165.200.225 through 209.165.200.254 as the global pool IP addresses, the packet goes to the FWSM with SRC=209.165.201.2 and DST=192.168.201.29. The FWSM translates the address to SRC=209.165.200.254 and DST=209.165.201.29 on the outside.
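The following Python script is an added example and is not part of the FWSM documentation or software. It models the two behaviors described above: expanding a net alias such as alias 192.168.201.0 209.165.201.0 255.255.255.224 into one alias per host address, rewriting the DNS answer that an inside client receives (destination address to dnat address), and translating the client's outbound packet back to the real destination. The function names are this example's own, and the netmask handling assumes the same mask is applied to both addresses, as the command syntax states.

```python
# Added example (Python, not FWSM code): models alias expansion and the DNS
# rewrite / outbound translation that the alias command performs.
import ipaddress


def build_net_alias(dnat_ip, destination_ip, netmask="255.255.255.255"):
    """Expand 'alias dnat_ip destination_ip netmask' into a host-level table.

    Returns {destination host: dnat host}. Both addresses must be aligned to the
    netmask (it is applied to both of them); otherwise ValueError is raised.
    """
    dnat_net = ipaddress.ip_network(f"{dnat_ip}/{netmask}", strict=True)
    dest_net = ipaddress.ip_network(f"{destination_ip}/{netmask}", strict=True)
    if dnat_net.prefixlen == 32:
        # Host alias: a single one-to-one mapping.
        return {str(dest_net.network_address): str(dnat_net.network_address)}
    # Net alias: one entry per usable host address. For a /27 this is .1 to .30,
    # matching the range the command reference gives for 255.255.255.224.
    return {str(dest): str(dnat) for dest, dnat in zip(dest_net.hosts(), dnat_net.hosts())}


def rewrite_dns_answer(alias_table, answer_ip):
    """DNS reply heading to an inside client: destination address -> dnat address.

    Addresses that are not aliased are returned unchanged.
    """
    return alias_table.get(answer_ip, answer_ip)


def translate_outbound(alias_table, dst_ip):
    """Packet from an inside client to a dnat address: restore the real destination."""
    reverse = {dnat: dest for dest, dnat in alias_table.items()}
    return reverse.get(dst_ip, dst_ip)


if __name__ == "__main__":
    table = build_net_alias("192.168.201.0", "209.165.201.0", "255.255.255.224")
    print(len(table), "host aliases")
    # The DNS answer 209.165.201.29 becomes 192.168.201.29 for the inside client ...
    print(rewrite_dns_answer(table, "209.165.201.29"))
    # ... and the client's packet to 192.168.201.29 goes out to 209.165.201.29.
    print(translate_outbound(table, "192.168.201.29"))
```

The same function produces the single-host alias from the web-server example (alias 10.1.1.11 209.165.201.11 255.255.255.255), and the strict netmask check rejects an alias whose addresses have host bits set under the mask, which is the configuration error most likely to produce a silently incomplete mapping.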

Examples

This example shows an inside network that contains the IP address 209.165.201.29, which on the Internet belongs to example.com. When inside clients try to access example.com, the packets do not go to the FWSM because the client assumes that 209.165.201.29 is on the local inside network.

To correct this, use the alias command as follows:

fwsm/context(config)# alias (inside) 192.168.201.0 209.165.201.0 255.255.255.224

fwsm/context(config)# show alias
alias 192.168.201.0 209.165.201.0 255.255.255.224

This example shows a web server that is on the inside at 10.1.1.11 and the static command that was created at 209.165.201.11. The source host is on the outside with address 209.165.201.7. A DNS server on the outside has a record for www.example.com as follows:

dns-server# www.example.com. IN  A 209.165.201.11

You must include the period at the end of the www.example.com. domain name.

This example shows how to use the alias command:

fwsm/context(config)# alias 10.1.1.11 209.165.201.11 255.255.255.255

The FWSM changes the name server replies to 10.1.1.11 for inside clients to directly connect to the web server.

To provide access, you also need the following commands:

fwsm/context(config)# static (inside,outside) 209.165.201.11 10.1.1.11

fwsm/context(config)# access-list acl_grp permit tcp host 209.165.201.7 host 209.165.201.11 eq telnet
fwsm/context(config)# access-list acl_grp permit tcp host 209.165.201.11 eq telnet host 209.165.201.7

This example shows how to test the DNS entry for the host with the UNIX nslookup command:

fwsm(config)# nslookup -type=any www.example.com

Related Commands

access-list extended

static

allocate-acl-partition (context submode)

To map the current context to a partition, use the allocate-acl-partition command. To remove the context-to-partition mapping, use the no form of this command.

[no] allocate-acl-partition partition-number

Syntax Description

partition-number

Partition number.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: Multiple

Access Location: system command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.3(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

When you run the allocate-acl-partition Y command, the current context is mapped to partition Y.

Using the no allocate-acl-partition command removes the mapping. If the context is the last context associated with the partition, the partition is moved from exclusive to non-exclusive. If the context is not the last context associated with the partition, the context is migrated to a non-exclusive partition.

Entering the show allocate-acl-partition X command displays details about partition X, including its mode (exclusive or non-exclusive) and the list of associated contexts.

Examples

These examples show how to allocate contexts and ACL partitions.

This example shows how ACL partition 0 is shared by contexts "bandn" and "borders" while the remaining contexts share ACL partition 1:

FWSM/system# resource acl-partition 2
FWSM/system# context bandn
FWSM/system# allocate-acl-partition 0
FWSM/system# context borders
FWSM/system# allocate-acl-partition 0
FWSM/system# context mompopa
FWSM/system# context mompopb
FWSM/system# context mompopc
FWSM/system# context mompopd

This example shows how ACL partition 0 is given to context "bandn" exclusively and ACL partition 1 is given to context "borders" exclusively. The remaining contexts are distributed among partitions 2 and 3 in a round-robin fashion.

FWSM/system# resource acl-partition 4
FWSM/system# context bandn
FWSM/system# allocate-acl-partition 0
FWSM/system# context borders
FWSM/system# allocate-acl-partition 1
FWSM/system# context mompopa
FWSM/system# context mompopb
FWSM/system# context mompopc
FWSM/system# context mompopd
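The following Python script is an added example and is not part of the FWSM documentation or software. It models the allocation rules given in the Usage Guidelines above: a context that receives an allocate-acl-partition command makes that partition exclusive, contexts without one are spread round-robin over the non-exclusive partitions, and removing a mapping either returns the partition to non-exclusive (when the last context leaves) or migrates the context to the shared pool. The class and method names are this example's own, and the round-robin order (contexts in configuration order, partitions in ascending number) is an assumption consistent with the two examples on this page.

```python
# Added example (Python, not FWSM code): a model of context-to-ACL-partition
# ownership as described for allocate-acl-partition.
from itertools import cycle


class AclPartitionTable:
    """Hypothetical model of ACL partition ownership on one FWSM."""

    def __init__(self, partition_count):
        # Mirrors 'resource acl-partition N'.
        self.partition_count = partition_count
        self.exclusive = {}     # partition -> set of contexts allocated to it
        self.unallocated = []   # contexts with no allocate-acl-partition line

    def _owner(self, name):
        for partition, members in self.exclusive.items():
            if name in members:
                return partition
        return None

    def _forget(self, name):
        """Drop every record of the context; free its partition if it was the last member."""
        partition = self._owner(name)
        if partition is not None:
            self.exclusive[partition].discard(name)
            if not self.exclusive[partition]:
                del self.exclusive[partition]   # last context gone: non-exclusive again
        if name in self.unallocated:
            self.unallocated.remove(name)

    def add_context(self, name):
        """Mirrors 'context <name>' with no allocation: it shares a non-exclusive partition."""
        if self._owner(name) is None and name not in self.unallocated:
            self.unallocated.append(name)

    def allocate(self, name, partition):
        """Mirrors 'allocate-acl-partition <partition>' in context submode."""
        if not 0 <= partition < self.partition_count:
            raise ValueError(f"partition {partition} does not exist")
        self._forget(name)          # a context maps to at most one partition
        self.exclusive.setdefault(partition, set()).add(name)

    def deallocate(self, name):
        """Mirrors 'no allocate-acl-partition': the context migrates to the
        non-exclusive pool; if it was the last member, its partition becomes
        non-exclusive as well."""
        self._forget(name)
        self.unallocated.append(name)

    def mapping(self):
        """Return {context: partition}, spreading unallocated contexts
        round-robin over the non-exclusive partitions."""
        result = {ctx: p for p, members in self.exclusive.items() for ctx in members}
        shared = [p for p in range(self.partition_count) if p not in self.exclusive]
        if self.unallocated and not shared:
            raise RuntimeError("every partition is exclusive; nothing left to share")
        for ctx, partition in zip(self.unallocated, cycle(shared)):
            result[ctx] = partition
        return result


def second_page_example():
    """Reproduce the second example above: 4 partitions, two of them exclusive."""
    table = AclPartitionTable(4)
    for name in ("bandn", "borders", "mompopa", "mompopb", "mompopc", "mompopd"):
        table.add_context(name)
    table.allocate("bandn", 0)
    table.allocate("borders", 1)
    return table


if __name__ == "__main__":
    for ctx, part in sorted(second_page_example().mapping().items()):
        print(f"{ctx:8} -> partition {part}")
```

Running the model against the second example yields bandn in partition 0, borders in partition 1, and the four mompop contexts alternating between partitions 2 and 3; the RuntimeError case shows why at least one partition should stay non-exclusive when any context is left unallocated.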

Related Commands

resource acl-partition

resource-manager

show resource acl-partition

show resource allocation

show resource types

show resource usage

allocate-interface (context submode)

To assign VLAN interfaces to the context, after you enter the context submode, use the allocate-interface command. To remove the VLAN interfaces from the context, use the no form of this command.

[no] allocate-interface vlannumber [-vlannumber] [mapped_name [-mapped_name]]

Syntax Description

vlannumber

Specifies the VLAN number.

-vlannumber

(Optional) Specifies a VLAN number range.

mapped_name -mapped_name

(Optional) Alphanumeric alias for the VLAN interface that can be used within the context instead of the VLAN number.


Command Modes

Security Context Mode: Multiple

Access Location: system command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

Enter the allocate-interface command before you enter the config-url (context submode) command. The FWSM must assign VLAN interfaces to the context before it loads the context configuration; the context configuration might include commands that refer to interfaces (for example, the nameif, nat, global commands). If you enter the config-url (context submode) command first, the FWSM loads the context configuration immediately. If the context contains any commands that refer to interfaces, those commands fail.

If you do not specify a mapped name, the VLAN number is used within the context.

For security purposes, you might not want the context administrator to know which VLANs are being used by the context. In that case, assign a mapped name; within the context, the mapped name is used instead of the VLAN number (for example, in the nameif command).

If you enter the no form of the allocate-interface command, all interface configuration in the context is removed.

If you specify a range of VLAN IDs, you can specify a matching range of context aliases. Follow these guidelines:

The mapped_name must consist of an alphabetic portion followed by a numeric portion as follows:

int0

The alphabetic portion of the mapped_name must match for both ends of the range as follows:

vlan2-vlan10

The numeric portion of the mapped_name must cover the same number of values as the vlanx-vlany entry. For example, both of the following ranges include 100 interfaces:

fwsm/context(config)# allocate-interface vlan100-vlan199 int1-int100

Do not include a space between the vlan keyword and the number.

If you enter vlan100-vlan199 int1-int15, or vlan100-vlan199 happy1-sad5, the command fails.
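The following Python script is an added example and is not part of the FWSM documentation or software. It applies the guidelines above to an allocate-interface line before it is committed: the mapped name must be letters followed by digits, both ends of a range must share the same alphabetic portion, the mapped range must contain exactly as many values as the VLAN range, and no space may separate the vlan keyword from the number. The function names are this example's own.

```python
# Added example (Python, not FWSM code): validates and expands the VLAN and
# mapped-name ranges accepted by allocate-interface.
import re

# Letters followed by digits, nothing else (so "vlan 5" and "int" are rejected).
_NAME_RE = re.compile(r"^([A-Za-z]+)(\d+)$")


def _parse_end(token):
    """Split 'int7' into ('int', 7)."""
    match = _NAME_RE.match(token)
    if not match:
        raise ValueError(f"{token!r}: expected letters followed by digits, with no space")
    return match.group(1), int(match.group(2))


def _parse_range(spec):
    """Parse 'vlan6-vlan10' or a single 'vlan5' into (alpha, low, high)."""
    parts = spec.split("-")
    if len(parts) > 2:
        raise ValueError(f"{spec!r}: too many '-' separators")
    alpha, low = _parse_end(parts[0])
    high = low
    if len(parts) == 2:
        alpha_hi, high = _parse_end(parts[1])
        if alpha_hi != alpha:
            raise ValueError(f"{spec!r}: alphabetic portion must match at both ends")
        if high < low:
            raise ValueError(f"{spec!r}: range end is below range start")
    return alpha, low, high


def allocate_interface(vlan_spec, mapped_spec=None):
    """Return [(vlan_name, name_used_in_context), ...] for one allocate-interface line.

    Raises ValueError for any combination the command reference says will fail.
    """
    alpha, low, high = _parse_range(vlan_spec)
    if alpha != "vlan":
        raise ValueError(f"{vlan_spec!r}: VLAN range must use the 'vlan' keyword")
    vlans = range(low, high + 1)
    if mapped_spec is None:
        # No mapped name: the VLAN number itself is visible inside the context.
        return [(f"vlan{v}", f"vlan{v}") for v in vlans]
    m_alpha, m_low, m_high = _parse_range(mapped_spec)
    if (m_high - m_low) != (high - low):
        raise ValueError(
            f"{mapped_spec!r} covers {m_high - m_low + 1} names but "
            f"{vlan_spec!r} covers {high - low + 1} VLANs")
    return [(f"vlan{v}", f"{m_alpha}{n}") for v, n in zip(vlans, range(m_low, m_high + 1))]


if __name__ == "__main__":
    for vlan, name in allocate_interface("vlan6-vlan10", "int1-int5"):
        print(vlan, "->", name)
```

The validator accepts vlan100-vlan199 int1-int100 and expands it to 100 pairs, and rejects vlan100-vlan199 int1-int15 (15 names for 100 VLANs) and vlan100-vlan199 happy1-sad5 (mismatched alphabetic portions), which are the two failing inputs the guidelines name.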

An additional context subconfiguration mode command is the config-url (context submode) command.

Examples

This example shows how to assign VLAN interfaces to the context:

fwsm(config)# context test1
Creating context `test1'... Done.(3)
fwsm/context(config)# allocate-interface vlan5
fwsm/context(config)# allocate-interface vlan6-vlan10

Related Commands

admin-context

changeto

class

clear context

config-url (context submode)

show context

area

To configure a regular OSPF area, use the area command. The area command is a subcommand of the router ospf command. To remove configured areas, use the no form of this command.

[no] area area_id {authentication [message-digest]} | {default-cost cost} | {filter-list prefix {prefix_list_name in | out}} | {range ip_address netmask [advertise | not-advertise]}

[no] area area_id nssa [no-redistribution] [default-information-originate [metric-type 1 | 2] [metric metric_value]] [no-summary]

area area_id stub [no-summary]

[no] area area_id {virtual-link router_id} [authentication [message-digest | null]] [hello-interval seconds] [retransmit-interval seconds] [transmit-delay seconds] [dead-interval seconds] [authentication-key password] [message-digest-key id md5 password]

Syntax Description

area_id

Regular OSPF area.

authentication

Specifies the authentication type.

message-digest

(Optional) Specifies the message digest authentication that is used.

default-cost cost

Specifies the cost for the default summary route that is used for a stub or NSSA from 0 to 65535. The default value for cost is 1.

filter-list prefix prefix_list_name

Specifies the name of a prefix list.

in

Applies the configured prefix list to prefixes advertised inbound to the specified area.

out

Applies the configured prefix list to prefixes advertised outbound from the specified area.

range ip_address

Specifies the router ID in IP address format.

netmask

IP address mask or IP subnet mask used for a summary route.

advertise

(Optional) Sets the address range status to advertise and generates type 3 summary link-state advertisements (LSAs).

not-advertise

(Optional) Sets the address range status to DoNotAdvertise. The type 3 summary LSA is suppressed, and the component networks remain hidden from other networks.

nssa

Specifies the not-so-stubby area.

no-redistribution

(Optional) Imports route only into the normal areas and not into the NSSA area.

default-information-originate

(Optional) Generates a type 7 default in the NSSA area.

metric-type 1 | 2

(Optional) Specifies the metric type as type 1 or type 2.

metric metric_value

(Optional) Specifies the OSPF default metric value from 0 to 16777214.

no-summary

(Optional) Prevents an area border router (ABR) from sending summary LSAs into the stub area.

stub

Specifies that this OSPF area carries a default route and intra- and inter-area routes but does not carry external routes.

virtual-link router-id

Configures the router ID for an OSPF process.

null

(Optional) Specifies that no authentication is used. Overrides password or message digest authentication if configured for the OSPF area.

hello-interval seconds

(Optional) Specifies the interval between hello packets sent on the interface; valid values are from 1 to 65535 seconds.

retransmit-interval seconds

(Optional) Specifies the time between LSA retransmissions for adjacent routers belonging to the interface; valid values are from 1 to 65535 seconds.

transmit-delay seconds

(Optional) Specifies the delay time between when OSPF receives a topology change and when it starts a shortest path first (SPF) calculation in seconds from 0 to 65535. The default is 5 seconds.

dead-interval seconds

(Optional) Specifies the interval before declaring a neighboring routing device is down if no hello packets are received; valid values are from 1 to 65535 seconds.

authentication-key password

(Optional) Specifies an OSPF authentication password for use by neighboring routing devices.

message-digest-key key_id

(Optional) Enables the Message Digest 5 (MD5) authentication and specifies the numerical authentication key ID number; valid values are from 1 to 255.

md5 password

(Optional) Specifies an alphanumeric password up to 16 bytes.


Defaults

The defaults are as follows:

OSPF routing is disabled on the FWSM.

The cost is 1.

The authentication type for an area is 0, which means that there is no authentication.

OSPF routing through the FWSM is compatible with RFC 1583.

The area area_id range ip_address netmask [advertise | not-advertise] command is advertise.

The dead-interval is four times the interval set by the ospf hello-interval command.

The hello-interval seconds is 10 seconds.

The retransmit-interval seconds is 5 seconds.

The transmit-delay seconds is 1 second.

No area is defined for the area area_id nssa [[no-redistribution] [default-information-originate][no-summary]] command.

Command Modes

Security Context Mode: single context mode

Access Location: system command line

Command Mode: configuration mode

Firewall Mode: Routed

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The OSPF protocol is used instead of the Routing Information Protocol (RIP). Do not attempt to configure the FWSM for both OSPF and RIP simultaneously.

The router ospf command is the global configuration command for OSPF routing processes running on the FWSM. This is the main command for all of the OSPF configuration commands.

Once you enter the router ospf command, the command prompt appears as (config-router)#, indicating that you are in the submode.

When you configure the area_id, the guidelines are as follows:

For all contexts, you can specify an area_id as either a decimal value or as an IP address.

The ID is the area that is to be associated with the OSPF address range. If you associate areas with IP subnets, you can specify a subnet address as the area_id.

When used in the context of authentication, area_id is the identifier of the area on which authentication is to be enabled.

When used in a cost context, area_id is the identifier for the stub or NSSA.

When used in the context of a prefix list, area_id is the identifier of the area on which filtering is configured.

When used in a stub area or not-so-stubby area (NSSA) context, area_id is the identifier for the stub or NSSA area.

When used in the context of an area range, area_id is the identifier of the area at whose boundary it is to summarize routes.

The area area_id subcommand creates a regular OSPF area. The no area area_id command removes the OSPF area, whether it is regular, stubby, or not so stubby.

fwsm(config)# area area_id authentication message-digest

The default authentication type for an area is 0, which indicates no authentication. To enable authentication for an OSPF area, use the area area_id authentication message-digest subcommand. To remove an authentication configuration from an area, use the no area area_id authentication message-digest subcommand.

fwsm(config)# area area_id default-cost cost

To specify a cost for the default summary route sent into a stub or not-so-stubby area (NSSA), use the area area_id default-cost cost subcommand. To remove the assigned default route cost, use the no area area_id default-cost subcommand. The default value for cost is 1.

fwsm(config)# area area_id filter-list prefix prefix_list_name in

To filter prefixes advertised in type 3 LSAs between OSPF areas of an ABR, use the area area_id filter-list prefix prefix_list_name [in | out] subcommand. To change or cancel the filter, use the no area area_id filter-list prefix prefix_list_name [in | out] subcommand.

Routes that originate from other routing protocols (or different OSPF processes) and that are injected into OSPF through redistribution are called external routes. There are two forms of external metrics: type 1 and type 2. These routes are represented by O E2 (for type 2) or O E1 (for type 1) in the IP routing table, and they are examined by the FWSM after it finishes building its internal routing table. After the routes are examined, they are flooded unaltered throughout the autonomous systems. (Autonomous systems are a collection of networks that are subdivided by areas under a common administration sharing a common routing strategy.)

OSPF type 1 metrics result in routes that add the internal OSPF metric to the external route metric; they are also expressed in the same terms as an OSPF link-state metric. The internal OSPF metric is the total cost of reaching the external destination including whatever internal OSPF network costs are incurred to get there. These costs are calculated by the device wanting to reach the external route. Because the cost is calculated this way, the OSPF type 1 metric is preferred.

OSPF type 2 metrics do not add the internal OSPF metric to the cost of external routes and are the default type used by OSPF. The use of OSPF type 2 metrics assumes that you are routing between autonomous systems. The cost is considered greater than any internal metrics, which eliminates the need to add internal OSPF metrics.

The default-information-originate optional keyword takes effect on an NSSA ABR or an NSSA autonomous system boundary router (ASBR) only.

To configure an NSSA area, use the area area_id nssa [no-redistribution] [default-information-originate [metric-type 1 | 2] [metric metric_value]] [no-summary] subcommand. To remove the entire NSSA configuration, use the no area area_id nssa subcommand. To remove a single NSSA configuration optional keyword, specify the optional keyword in the no subcommand. For example, to remove the no-redistribution optional keyword, use the no area area_id nssa no-redistribution command. By default, no NSSA is defined.

fwsm(config)# area area_id range address netmask advertise | not-advertise

To consolidate and summarize routes at an area boundary, use the area area_id range address netmask [advertise | not-advertise] subcommand. To disable this function, use the no area area_id range ip_address netmask subcommand. The no area area_id range ip_address netmask not-advertise subcommand removes only the not-advertise optional keyword.

fwsm(config)# area area_id stub no-summary

To define an area as a stub area, use the area area_id stub [no-summary] subcommand. To remove the stub area function, use the no area area_id stub [no-summary] subcommand. When area area_id stub no-summary is configured, you must use the no area area_id stub no-summary subcommand to remove the no summary optional keyword. The default is for no stub areas to be defined.

You cannot configure virtual links across a stub area, and they cannot contain an ASBR.

To define an OSPF virtual link, use the area area_id virtual-link router-id subcommand with the optional parameters. To remove a virtual link, use the no area area_id virtual-link router_id subcommand.

Examples

This example shows how to use the area commands:

fwsm/context(config)# area authentication

Related Commands

router ospf

show area

arp

To add a static ARP entry and set the ARP persistence timer, use the arp command. To disable ARP inspection or remove the ARP cache timeout from the configuration, use the no form of this command.

[no] arp interface_name ip_addr mac_addr [alias]

[no] arp timeout seconds

Syntax Description

interface_name

Interface name whose ARP table will be changed or viewed.

ip_addr

IP address for an ARP table entry.

mac_addr

Hardware MAC address for the ARP table entry.

alias

(Optional) Configures a static proxy ARP mapping (proxied IP-to-physical address binding) for the addresses specified.

timeout seconds

Specifies the duration to wait before the ARP table rebuilds itself and automatically updates new host information.


Defaults

The defaults are as follows:

Proxy ARP is enabled on all interfaces.

The ARP persistence timer is 14400 seconds (4 hours).

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

ARP maps an IP address to a MAC address (for example, 00e0.1e4e.3d8b) and is defined in RFC 826. Proxy ARP is a variation of the ARP protocol in which an intermediate device (for example, the FWSM) sends an ARP response on behalf of an end node to the requesting host. ARP mapping occurs automatically as the FWSM processes traffic; however, you can configure the ARP cache timeout value, static ARP table entries, or proxy ARP. The maximum ARP cache timeout value is 3567587 seconds.


Note Because ARP is a low-level TCP/IP protocol that resolves a node's MAC (physical) address from its IP address (through an ARP request asking the node with a particular IP address to send back its physical address), the presence of entries in the ARP cache indicates that the FWSM has network connectivity.


The arp timeout command specifies the duration to wait before the ARP table rebuilds itself, automatically updating host information. This feature is also known as the ARP persistence timer. The no arp timeout command resets the ARP persistence timer to its default value.

The arp interface_name ip mac command adds a static (persistent) entry to the FWSM ARP cache. For example, you could use the arp interface_name ip mac command to set up a static IP-to-MAC address mapping for hosts on your network. Use the no arp interface_name ip mac command to remove the static ARP mapping.

The static arp entries and the arp alias entries are not cleared when the ARP persistence timer times out and are automatically stored in the configuration when you use the write command to store the configuration.

The arp interface_name ip mac alias command configures proxy ARP for the IP and MAC addresses specified. Enabling proxy ARP allows a host to reach another host at that IP address through the FWSM: the FWSM acts as an intermediary between the two hosts, so a packet sent to the FWSM is passed on to the designated host. The FWSM returns its own MAC address in the proxied ARP response. Use the no arp interface_name ip mac alias command to remove the static proxy ARP mapping.

The interface_name argument is specified by the nameif command.

Examples

These examples show how to configure ARP:

fwsm/context(config)# arp inside 192.168.0.42 00e0.1e4e.2a7c
fwsm/context(config)# arp outside 192.168.0.43 00e0.1e4e.3d8b alias
fwsm/context(config)# arp timeout 60

fwsm/context(config)# show arp stat
Number of ARP entries:

PIX   270
NP1   269
NP2   269

NP_IPPS_ADD_ARP_ENTRY_NP_count          = 538
NP_IPPS_UPDATE_ARP_ENTRY_NP_count       = 4
NP_IPPS_DELETE_ARP_ENTRY_NP_count       = 0
NP_IPPS_ADD_ARP_ENTRY_NP_resend_count           = 0
NP_IPPS_UPDATE_ARP_ENTRY_NP_resend_count        = 0
NP_IPPS_DELETE_ARP_ENTRY_NP_resend_count        = 0
NP_IPPS_ADD_ARP_ENTRY_NP_failed_count           = 0
NP_IPPS_UPDATE_ARP_ENTRY_NP_failed_count        = 0
NP_IPPS_DELETE_ARP_ENTRY_NP_failed_count        = 0
arp_miss_counter                = 310
arp_miss_invalid_vcid   = 0
        Dropped blocks in ARP: 0
        Maximum Queued blocks: 1
        Queued blocks: 0
        Interface collision ARPs Received: 0
        ARP-defense Gratuitous ARPS sent: 0
        Total ARP retries: 0
        Unresolved hosts: 0
        Maximum Unresolved hosts: 11

Related Commands

clear arp

show arp

sysopt

arp-inspection

To enable or disable Address Resolution Protocol (ARP) inspection on an interface, use the arp-inspection command. To remove ARP inspection, use the no form of this command.

[no] arp-inspection if_name enable [flood | no-flood]

Syntax Description

if_name

Interface name whose ARP table will be changed or viewed.

enable

Enables ARP inspection on the interface.

flood

(Optional) ARP forwarding is on for the interface.

no-flood

(Optional) Specifies that ARP forwarding is off for the interface.


Defaults

ARP inspection is disabled on all interfaces.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: Transparent

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

ARP inspection compares the ARP packets that arrive on an interface against the static bindings between IP addresses and MAC addresses in the FWSM ARP table (the static entries added with the arp command).

ARP inspection is enabled per interface. When it is enabled, you choose whether a packet that misses the static ARP table is flooded or dropped (flood or no-flood); in other words, this command also turns ARP forwarding on or off for the interface.

If ARP inspection is enabled on an interface, all ARP packets (replies and gratuitous ARP) received on this interface are inspected before they are forwarded. The check against the static ARP table is as follows:

If an entry is found and the entry matches, the packet is forwarded.

If an entry is found but there is an entry mismatch, the packet is dropped and a syslog message is generated.

If an entry does not exist and the flood option is enabled, the packet is forward to the correct interface.

If an entry does not exist and the no_flood option is enabled, the packet is dropped and a syslog message is generated.

Examples

This example shows how to enable ARP inspection on the inside interface and drop ARP packets that do not match a static ARP entry:

fwsm/context(config)# arp-inspection inside enable no-flood
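The following is an added example, not part of the original reference, that carries the usage guidelines through end to end: static bindings are created with the arp command first, then inspection is enabled on both interfaces of a transparent-mode context. The interface names, IP addresses, MAC addresses and context name are assumed for illustration.

```cisco
! Added example (not from the original reference). Interface names,
! addresses and MAC addresses are assumed for illustration.
! Transparent-mode context: outside faces the gateway router,
! inside faces a protected server on the same subnet.
fwsm/context(config)# arp outside 192.168.1.1 0200.0000.0001
fwsm/context(config)# arp inside 192.168.1.10 0200.0000.0010
! Enable inspection on both interfaces. no-flood means an ARP packet
! for a host with no static entry is dropped rather than forwarded.
fwsm/context(config)# arp-inspection outside enable no-flood
fwsm/context(config)# arp-inspection inside enable no-flood
! Confirm the static bindings that inspection now enforces.
fwsm/context(config)# show arp
```

With this configuration, an ARP reply received on the inside interface that claims 192.168.1.1 with any MAC address other than 0200.0000.0001 matches the static entry on IP address but not on MAC address, so it is dropped and logged; this is the gateway-spoofing case that ARP inspection is meant to stop. An ARP packet from 192.168.1.20, which has no static entry, is dropped under no-flood and would be forwarded if flood were configured instead, so use no-flood only once every legitimate host on the segment has a static entry.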

Related Commands

clear arp

show arp

sysopt

auth-prompt

To change the AAA challenge text for HTTP, FTP, and Telnet access, use the auth-prompt command. To disable the challenge text, use the no form of this command.

[no] auth-prompt [prompt | accept | reject] prompt text

Syntax Description

prompt

(Optional) Specifies the AAA challenge prompt string.

accept

(Optional) Displays the prompt string if a user authentication through Telnet is accepted.

reject

(Optional) Displays the prompt string if a user authentication through Telnet is rejected.

prompt text

String up to 235 alphanumeric characters or 31 words, limited by whichever maximum is first reached.


Defaults

No custom prompt is configured. Clients truncate the displayed prompt as follows:

Microsoft Internet Explorer displays only up to 37 characters in an authentication prompt.

Netscape Navigator displays up to 120 characters.

Telnet and FTP display up to 235 characters in an authentication prompt.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The AAA challenge text is displayed when a user logs in. If you do not configure the auth-prompt command, the following is displayed above the username and password prompts:

FTP users see "FTP authentication".

HTTP users see "HTTP Authentication".

The challenge text does not appear for Telnet access.

If the user authentication occurs from Telnet, you can use the accept and reject optional keywords to display different authentication prompts if the authentication attempt is accepted or rejected by the authentication server.

You should not use special characters when you change the challenge text; however, spaces and punctuation characters are permitted. Entering a question mark or pressing the Enter key ends the string. (The question mark appears in the string.)

Examples

This example shows how to set the authentication prompt and how users see the prompt:

fwsm/context(config)# auth-prompt XYZ Company Firewall Access

After this string is added to the configuration, users see the following:

XYZ Company Firewall Access
User Name:
Password:


Note The prompt keyword can be included or omitted.


This example shows how to set the authentication prompt using the prompt keyword:

fwsm/context(config)# auth-prompt prompt Hello There!

This example shows how to set the authentication prompt without the prompt keyword:

fwsm/context(config)# auth-prompt Hello There!
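The following is an added example, not part of the original reference, showing the three keywords used together: the prompt string shown before authentication and the accept and reject strings shown to Telnet users after the authentication server answers. The strings themselves are assumed for illustration.

```cisco
! Added example (not from the original reference); the prompt strings
! are assumed for illustration.
! Shown before authentication to every FTP, HTTP or Telnet user, so it
! names no host, product or version. 19 characters keeps it within the
! 37-character limit that Internet Explorer displays.
fwsm/context(config)# auth-prompt prompt Authorized use only
! Shown to Telnet users only, after the server accepts or rejects them.
fwsm/context(config)# auth-prompt accept Login accepted
fwsm/context(config)# auth-prompt reject Login failed
```

The prompt is visible to anyone who can reach the firewall through a proxied connection, before any credentials are checked, so keep it to a short usage notice. The reject string is the same whether the username or the password was wrong, so it does not tell an attacker which half of the credential was valid.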

Related Commands

aaa authentication include, exclude

clear auth-prompt

show auth-prompt

banner

To configure the session, login, or message-of-the-day banner, use the banner command. To remove all the lines of the specified banner type, use the no form of this command.

[no] banner {exec | login | motd} text

Syntax Description

exec

Configures the system to display a banner before displaying the enable prompt.

login

Configures the system to display a banner before the password login prompt when accessing the FWSM using Telnet.

motd

Configures the system to display a message-of-the-day banner.

text

Line of message text to be displayed in the FWSM CLI.


Defaults

The default is no login, session, or message-of-the-day banner.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The banner command configures a banner to display for the optional keyword specified. The text string consists of all characters following the first white space (space) until the end of the line (carriage return or line feed [LF]). Spaces in the text are preserved. However, you cannot enter tabs through the CLI.

Subsequent text entries are added to the end of an existing banner unless the banner is cleared first.


Note The tokens $(hostname) and $(domain) are replaced with the host name and domain name of the FWSM. When you enter a $(system) token in a context configuration, the context uses the banner configured in the system configuration.


Multiple lines in a banner are handled by entering a new banner command for each line that you wish to add. Each line is then appended to the end of the existing banner. If the text is empty, a carriage return (CR) is added to the banner. There is no limit on the length of a banner other than RAM and Flash limits.

When accessing the FWSM through Telnet or SSH, the session closes if not enough system memory is available to process the banner messages or if a TCP write error occurs.

To replace a banner, use the no banner command before adding the new lines.

Use the no banner {exec | login | motd} command to remove all the lines for the banner optional keyword specified.

The no banner command does not selectively delete text strings, so any text that you enter at the end of the no banner command is ignored.

Examples

This example shows how to configure the motd, exec, and login banners:

fwsm(config)# banner motd Think on These Things
fwsm(config)# banner exec Enter your password carefully
fwsm(config)# banner login Enter your password to log in
fwsm(config)# show banner
exec:
Enter your password carefully

login:
Enter your password to log in

motd:
Think on These Things

This example shows how to add a second line to a banner:

fwsm(config)# banner motd and Enjoy Today
fwsm(config)# show banner motd
Think on These Things
and Enjoy Today
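The following is an added example, not part of the original reference, that shows the two things the guidelines describe but the examples above do not: replacing a banner rather than appending to it (no banner first, then the new lines), and using the $(hostname), $(domain) and $(system) tokens so that contexts reuse one login banner maintained in the system configuration. The context name and banner text are assumed for illustration.

```cisco
! Added example (not from the original reference). The context name
! and the banner text are assumed for illustration.
! System configuration: clear the old login banner first, otherwise the
! new lines are appended to it, then build a two-line banner.
fwsm(config)# no banner login
fwsm(config)# banner login Unauthorized access to $(hostname).$(domain) is prohibited.
fwsm(config)# banner login All sessions are logged and may be monitored.
! Context configuration: reuse the system banner instead of keeping a
! separate copy per context. The tokens are expanded when displayed.
fwsm(config)# changeto context admin
fwsm/admin(config)# no banner login
fwsm/admin(config)# banner login $(system)
fwsm/admin(config)# show banner login
```

The login banner is shown to a Telnet client before the password prompt, so keep it to a legal notice and leave out the software version, the module's role, or anything else that helps an unauthenticated user profile the device. Because each banner command appends a line, always clear with no banner login before reconfiguring, or the old text remains at the top of the banner.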

Related Commands

clear banner

enable

login

password/passwd

show banner

ssh

telnet