Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference, 2.3
S Commands
Downloads: This chapterpdf (PDF - 1.72MB) The complete bookPDF (PDF - 6.82MB) | Feedback

same-security-traffic

Table Of Contents

same-security-traffic

service

set (route map submode)

set metric (route map submode)

set metric-type (route map submode)

setup

show

show aaa

show aaa proxy-limit

show aaa-server

show access-group

show access-list

show access-list mode

show activation-key

show admin-context

show alias

show area

show arp

show auth-prompt

show banner

show blocks

show ca

show capture

show checkheaps

show checksum

show chunkstat

show class

show clock

show compatible rfc1583

show configure

show conn

show console-output

show context

show counters

show cpu

show crashdump

show crypto dynamic-map

show crypto engine

show crypto interface

show crypto ipsec

show crypto map

show curpriv

show default-information originate

show dbg

show debug

show dhcpd

show dhcprelay

show disk

show dispatch stats

show dispatch table

show distance

show domain-name

show dynamic-map

show enable

show established

show failover

show file

show filter

show firewall

show fixup

show flashfs

show floodguard

show fragment

show ftp

show gc

show global

show h225

show h245

show h323-ras

show history

show hostname

show http

show hw

show icmp

show igmp

show ignore lsa mospf

show interface

show ip address

show ip ospf

show ip ospf border-routers

show ip ospf database

show ip ospf flood-list

show ip ospf interface

show ip ospf neighbor

show ip ospf request-list

show ip ospf retransmission-list

show ip ospf summary-address

show ip ospf virtual-links

show ip verify

show isakmp

show isakmp policy

show local-host

show log-adj-changes

show logging

show logging rate-limit

show mac-address interface

show mac-address-table

show mac-learn

show match

show memory

show memory-caller address

show memory binsize

show memory profile

show mode

show mgcp

show monitor-interface

show mroute

show mtu

show multicast

show name

show nameif

show names

show nat

show network

show nic

show object-group

show pager

show password/passwd

show pc conn

show pdm

show perfmon

show privilege

show processes

show redistribute

show resource acl-partition

show resource allocation

show resource types

show resource usage

show rip

show rpc-server

show route

show route-map

show router

show router-id

show routing

show running-config

show same-security-traffic

show service

show serial

show session

show set

show shun

show snmp-server

show ssh

show startup-config

show static

show summary-address

show sysopt

show tech-support

show terminal

show tcpstat

show telnet

show tftp-server

show timeout

show timers

show uauth

show uptime

show url-block

show url-cache stat

show url-server

show username

show version

show virtual

show vlan

show vpngroup

show who

show xlate

shun

shutdown

snmp-server

ssh

static

summary-address

sysopt


same-security-traffic

To enable same-security level interface communication, use the same-security-traffic command. To disable the same-security interfaces, use the no form of this command.

[no] same-security-traffic permit inter-interface

[no] same-security-traffic permit intra-interface

Syntax Description

inter-interface

Specifies that communication between two different interfaces with the same security level is being enabled.

intra-interface

Specifies that communication between two hosts in the same interface is enabled.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command with the inter-interface keyword was introduced on the FWSM.

2.3(1)

Support for the intra-interface keyword was added.


Usage Guidelines

Allowing communication between same security interfaces (enabled by the same-security-traffic inter-interface command) lets you configure more than 101 communicating interfaces. If you use different levels for each interface, you can configure only one interface per level (0 to 100).

You do not need to configure NAT between same security level interfaces.

The same-security-traffic intra-interface command lets traffic enter and exit the same interface, which is normally not allowed.


Note We recommend that you do not make the outside interface (for example, where you access the Internet) on the same security level as your inside interfaces. On the FWSM, all connections have an associated xlate entry (even when you do not explicitly configure NAT). Xlates are normally created for connections between the inside interface and any lower security interface. In a same-security-traffic configuration, the FWSM randomly chooses which same-security interface is the "inside" interface for the sake of creating xlates. This selection may change later after a reload or after a software upgrade. If the FWSM considers the outside same-security interface as the "inside" interface, it creates xlates for every Internet host being accessed through it.

If there is any application (or a virus) on the internal network that scans thousands of Internet hosts, all entries in the xlate table may be quickly exhausted (see the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide for xlate limits). After that, the FWSM will stop creating new xlates, logging error message %FWSM-3-305006: ("translation creation failed") for every new connection. The show resource usage command will show the number of active xlates equal or close to the limit. The clear xlate command will temporarily recover connectivity.

To avoid this situation, we recommend that the outside interface should always have security level lower than any other FWSM interface. This configuration guarantees that the FWSM always considers the ISP link as an outside interface. In this case, only one xlate will be created for every application or virus scanning Internet hosts from the inside network. No xlates will be created for Internet hosts being scanned.


Examples

This example shows how to enable the same-security interface communication:

fwsm/context_name(config)# same-security-traffic permit inter-interface
fwsm/context_name(config)# show same-security-traffic
same-security-traffic permit inter-interface

fwsm/context_name(config)# same-security-traffic permit intra-interface
fwsm/context_name(config)# show same-security-traffic
same-security-traffic permit intra-interface

Related Commands

clear same-security-traffic

show same-security-traffic

service

To enable system services, use the service command. To disable system services, use the no form of this command.

[no] service {resetinbound | resetoutside}

Syntax Description

resetinbound

Sends a reset to a denied inbound TCP packet.

resetoutside

Sends a reset to a denied TCP packet to the outside interface.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The service command works with all inbound TCP connections to static interfaces whose access lists or uauth (user authorization) do not allow inbound connections. One use is for resetting identity request (IDENT) connections. If an inbound TCP connection is attempted and denied, you can use the service resetinbound command to return an RST (reset flag in the TCP header) to the source. Without the keyword, the FWSM drops the packet without returning an RST.

The FWSM sends a TCP RST to the host connecting inbound and stops the incoming IDENT process so that outbound e-mail can be transmitted without having to wait for IDENT to time out. The FWSM sends a syslog message stating that the incoming connection was denied. Without entering the service resetinbound command, the FWSM drops packets that are denied and generates a syslog message stating that the SYN was denied. However, outside hosts keep retransmitting the SYN until the IDENT times out.

When an IDENT connection times out, the connections slow down. Perform a trace to determine that IDENT is causing the delay and then enter the service command.

Use the service resetinbound command to handle an IDENT connection through the FWSM. These methods for handling IDENT connections are ranked from most secure to the least secure:

1. Use the service resetinbound command.

2. Use the established command with the permitto tcp 113 keyword.

3. Enter the static and access-list commands to open TCP port 113.

When using the aaa command, if the first attempt at authorization fails and a second attempt causes a timeout, use the service resetinbound command to reset the client that failed the authorization so that it will not retransmit any connections. An example authorization timeout message in Telnet is as follows:

Unable to connect to remote host: Connection timed out

If you use the resetoutside command, the FWSM actively resets denied TCP packets that terminate at the FWSMs least-secure interface. By default, these packets are silently discarded. We recommend that you use the resetoutside keyword with dynamic or static interface Port Address Translation (PAT). The static interface PAT is available with FWSM version 6.0 and higher. This keyword allows the FWSM to terminate the IDENT from an external SMTP or FTP server. Actively resetting these connections avoids the 30-second timeout delay.

To remove the service commands from the configuration, use the clear service command.

Examples

This example shows how to enable system services:

fwsm/context_name(config)# service resetinbound

Related Commands

clear service

show service

set (route map submode)

To specify the values in the destination routing protocol for a route map, use the set command in the route-map submode. To delete an entry, use the no form of this command.

[no] set metric [+ | -] metric_value

[no] set metric-type {type-1 | type-2 | internal | external}

Syntax Description

metric

Specifies metric values.

+ or -

(Optional) Specifies positive or negative metric values.

metric_value

Metric value; valid values are from 0 to 2147483647.

metric-type

Specifies the type of OSPF metric routes.

type-1

Specifies the type of OSPF metric routes that are external to a specified autonomous system.

type-2

Specifies the type of OSPF metric routes that are external to a specified autonomous system.

internal

Specifies routes that are internal to a specified autonomous system.

external

Specifies the OSPF metric routes that are external to a specified autonomous system.

ip-address

IP address of the next hop to which to output packets.

ip-address

(Optional) IP address of the secondary next hop.


Defaults

Default metric value; valid values are from -2147483647 to 2147483647.

Command Modes

Security Context Mode: single context mode

Access Location: system command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to send packets passed by a match clause of a route map:

fwsm(config-route-map)# set metric + 56789

Related Commands

match (route map submode)

route-map

set metric (route map submode)

set metric-type (route map submode)

show route-map

show set

set metric (route map submode)

To set the metric value for a routing protocol, use the set metric subcommand. To return to the default metric value, use the no form of this command.

set metric [+ | -] metric_value

[no] set metric value

Syntax Description

+ or -

Specifies positive or negative values.

metric_value

Metric value; valid values are from 0 to 2147483647.

value

Default metric value; valid values are from -2147483647 to 2147483647.


Defaults

-2147483647 to 2147483647.

Command Modes

Security Context Mode: single context mode

Access Location: system command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The no set metric value subcommand allows you to return to the default metric value. In this context, the value is an integer from -2147483647 to 2147483647.

Examples

This example shows how to configure a route map for OSPF routing:

fwsm(config)# route-map maptag1 permit 8
fwsm(config-route-map)# set metric 5
fwsm(config-route-map)# match metric 5
fwsm(config-route-map)# set metric-type type-2
fwsm(config-route-map)# show route-map
route-map maptag1 permit 8
  set metric 5
  set metric-type type-2
  match metric 5
fwsm(config-route-map)# exit
fwsm(config)# 

Related Commands

match (route map submode)

route-map

set metric-type (route map submode)

show route-map

show set

set metric-type (route map submode)

To specify the type of OSPF metric routes, use the set metric-type subcommand. To return to the default setting, use the no form of this command.

set metric-type {type-1 | type-2 | internal | external}

no set metric-type

Syntax Description

type-1

Specifies the type of OSPF metric routes that are external to a specified autonomous system.

type-2

Specifies the type of OSPF metric routes that are external to a specified autonomous system.

internal

Specifies the routes that are internal to a specified autonomous system.

external

Specifies the OSPF metric routes that are external to a specified autonomous system.


Defaults

type-2

Command Modes

Security Context Mode: single context mode

Access Location: system command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example show how to configure a route map for OSPF routing:

fwsm(config)# route-map maptag1 permit 8
fwsm(config-route-map)# set metric 5
fwsm(config-route-map)# match metric 5
fwsm(config-route-map)# set metric-type type-2
fwsm(config-route-map)# show route-map
route-map maptag1 permit 8
  set metric 5
  set metric-type type-2
  match metric 5
fwsm(config-route-map)# exit
fwsm(config)# 

Related Commands

route-map

set metric (route map submode)

set metric-type (route map submode)

show route-map

show set

setup

To preconfigure the FWSM through interactive prompts, use the setup command.

setup

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The FWSM requires some preconfiguration before the PDM can connect to it. The setup dialog automatically appears at boot time if there is no configuration in the Flash partition. Once you enter the setup command, you are asked for the setup information in Table 2-14.

Table 2-14 FWSM Setup Information 

Prompt
Description
Firewall Mode

Valid values are routed or transparent, or variations of these values. For example, r or t for routed or transparent are valid values.

Enable password:

Specify an enable password for this FWSM. (The password must have at least three characters.)

Inside IP address:

Network interface IP address of the FWSM.

Inside network mask:

Network mask that applies to the inside IP address must be a valid mask such as 255.0.0.0, 255.255.0.0, or 255.255.x.x. Use 0.0.0.0 to specify a default route. The 0.0.0.0 netmask can be abbreviated as 0.

Host name:

Host name that you want to display in the FWSM command line prompt.

Domain name:

DNS domain name of the network on which the FWSM runs.

IP address of host 
running Device 
Manager:

IP address on which the PDM connects to the FWSM.

Use this configuration 
and write to flash?

Stores the new configuration to the Flash partition. If the answer is yes, the inside interface is enabled and the requested configuration is written to the Flash partition. If the user answers anything else, the setup dialog repeats the values that are already entered as the defaults for the questions.


You must configure an inside interface before this command can be used. If you do not configure an insie interface, the No inside interface. Can not continue. error is displayed.

The host and domain names are used to generate the default certificate for the Secure Socket Layer (SSL) connection. The interface type is determined by the hardware.

Examples

This example shows how to complete the setup command prompts. This example assumes that VLAN 100 has been configured on the switch as a firewall VLAN. This example shows an inside interface being defined followed by the setup command with the FWSM being placed in routed mode.

FWSM(config)# setup
Pre-configure FWSM Firewall now through interactive prompts [yes]? y
Firewall Mode [Routed]:
No inside interface.  Can not continue.
FWSM(config)# nameif vlan100 inside 100
FWSM(config)# setup
Pre-configure FWSM Firewall now through interactive prompts [yes]? y
Firewall Mode [Routed]:
Enable password [<use current password>]: ciscofwsm
Inside IP address [127.0.0.1]: 192.168.1.1
Inside network mask [255.255.255.255]: 255.255.255.0
Host name [FWSM]: accounting-fwsm
Domain name: example.com
IP address of host running FWSM Device Manager: 192.168.1.2

The following configuration will be used:
Enable password: ciscofwsm
Clock (UTC): 11:37:36 Mar 8 2005
Firewall Mode: Routed
Inside IP address: 192.168.1.1
Inside network mask: 255.255.255.0
Host name: accounting-fwsm
Domain name: example.com
IP address of host running FWSM Device Manager: 192.168.1.2
 
Use this configuration and write to flash? y
Building configuration...
Cryptochecksum: 2e02e1d2 019721a8 981ec7f8 19bbc74b 
[OK]
accounting-fwsm(config)# Access Rules Download Complete: Memory Utilization: < 1%

Related Commands

pdm

show

To display the information about the commands, use the show command.

show command_keywords [|{include | exclude | begin | grep [-v]} regexp]

show   ?

Syntax Description

command_keywords

Argument or list of arguments that specifies the information to display.

|

UNIX pipe symbol, "|".

include

(Optional) Includes all output lines that match the specified regular expression.

exclude

(Optional) Excludes all output lines that match the specified regular expression.

begin

(Optional) Displays all output lines starting from the line that matches the specified regular expression.

grep

(Optional) Displays all output lines that match the specified regular expression. grep is equivalent to include, and grep -v is equivalent to exclude.

-v

(Optional) When used withthe grep keyword, the -v option is equivilent to an exclude statement.

regexp

(Optional) Cisco IOS-style regular expression.


Defaults

See each command for the default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The show command_keywords [|{include | exclude | begin | grep} regexp] command runs the show command keyword specified. Only the first "|" is a pipe character in this syntax. This character represents piping output to the filter. When "|" is present, a filtering keyword and a regular expression must also be present.

The CLI syntax and semantics of the show output filtering options are the same as in Cisco IOS software and are available through the console, Telnet, or SSH sessions.

Most commands have a show command form where the command name is used as a show keyword. For example, the global command has an associated show global command.

The show   ? command displays a list of all commands that are available on the FWSM.

Do not enclose the regexp argument in quotes or double quotes. Additionally, trailing white spaces (between keywords) are taken as part of the regular expression.

Examples

This example shows how to use a show command output filter keyword, where the "|" is the UNIX pipe symbol:

fwsm(config)# show config | grep access-list
access-list 101 permit tcp any host 10.1.1.3 eq www 
access-list 101 permit tcp any host 10.1.1.3 eq smtp 

This example shows sample output from the show ? command:

fwsm(config)# show ?

At the end of show <command>, use the pipe character '|' followed by:
begin|include|exclude|grep [-v] <regular_exp>, to filter show output.

aaa             Enable, disable, or view TACACS+, RADIUS or LOCAL
                user authentication, authorization and accounting
aaa-server      Define AAA Server group
access-group    Bind an access-list to an interface to filter inbound traffic
access-list     Add an access list
activation-key  Modify activation-key.
age             This command is deprecated. See ipsec, isakmp, map, ca commands
alias           Administer overlapping addresses with dual NAT.
apply           Apply outbound lists to source or destination IP addresses
arp             Change or view arp table, set arp timeout value and view status
auth-prompt     Customize authentication challenge, reject or acceptance prompt
auto-update     Configure auto update support
banner          Configure login/session banners
blocks          Show system buffer utilization
ca              CEP (Certificate Enrollment Protocol)
                Create and enroll RSA key pairs into a PKI (Public Key Infrastr.
capture         Capture inbound and outbound packets on one or more interfaces
checksum        View configuration information cryptochecksum
chunkstat       Display chunk stats
clock           Show and set the date and time of FWSM
configure       Configure from terminal, floppy, memory, network, or 
                factory-default.  The configuration will be merged with the 
                active configuration except for factory-default in which case
                the active configuration is cleared first.
conn            Display connection information
console         Set idle timeout for the serial console of the FWSM
cpu             Display cpu usage
Crashinfo       Read, write and configure crash write to flash. 
crypto          Configure IPsec, IKE, and CA
ctiqbe          Show the current data stored for each CTIQBE session.
curpriv         Display current privilege level
debug           Debug packets or ICMP tracings through the FWSM Firewall.
dhcpd           Configure DHCP Server
dhcprelay       Configure DHCP relay agent
domain-name     Change domain name
dynamic-map     Specify a dynamic crypto map template
eeprom          show or reprogram the 525 onboard i82559 devices
enable          Configure enable passwords
established     Allow inbound connections based on established connections
failover        Enable/disable FWSM failover feature to a standby FWSM
filter          Enable, disable, or view URL, FTP, HTTPS, Java, and ActiveX filg
fips-mode       Enable or disable FIPS mode
fixup           Add or delete FWSM service and feature defaults
flashfs         Show, destroy, or preserve filesystem information
fragment        Configure the IP fragment database
global          Specify, delete or view global address pools,
                or designate a PAT(Port Address Translated) address
h225            Show the current h225 data stored for each connection.
h245            List the h245 connections.
h323-ras        Show the current h323 ras data stored for each connection.
history         Display the session command history
http            Configure HTTP server
icmp            Configure access for ICMP traffic that terminates at an interfae
interface       Set network interface paremeters and configure VLANs
igmp            Clear or display IGMP groups
ip              Set the ip address and mask for an interface
                Define a local address pool
                Configure Unicast RPF on an interface
                Configure the Intrusion Detection System
ipsec           Configure IPSec policy
isakmp          Configure ISAKMP policy
local-host      Display or clear the local host network information
logging         Enable logging facility
mac-list        Add a list of mac addresses using first match search
map             Configure IPsec crypto map
memory          System memory utilization
mgcp            Configure the Media Gateway Control Protocol fixup
mroute          Configure a multicast route
mtu             Specify MTU(Maximum Transmission Unit) for an interface
multicast       Configure multicast on an interface
name            Associate a name with an IP address
nameif          Assign a name to an interface
names           Enable, disable or display IP address to name conversion 
nat             Associate a network with a pool of global IP addresses
ntp             Configure Network Time Protocol
object-group    Create an object group for use in 'access-list', etc
ospf            Show OSPF information or clear ospf items.
outbound        Create an outbound access list
pager           Control page length for pagination
passwd          Change Telnet console access password
pdm             Configure FWSMDevice Manager
prefix-list     Configure a prefix-list
privilege       Configure/Display privilege levels for commands
processes       Display processes
rip             Broadcast default route or passive RIP
route           Enter a static route for an interface
route-map       Create a route-map.
router          Create/configure OSPF routing process
routing         Configure interface specific unicast routing parameters.
running-config  Display the current running configuration
service         Enable system services
session         Access an internal AccessPro router console
shun            Manages the filtering of packets from undesired hosts
sip             Show the current data stored for each SIP session.
skinny          Show the current data stored for each Skinny session.
snmp-server     Provide SNMP and event information
ssh             Add SSH access to FWSM console, set idle timeout, display
                list of active SSH sessions & terminate a SSH session
startup-config  Display the startup configuration
static          Configure one-to-one address translation rule
tcpstat         Display status of tcp stack and tcp connections
tech-support    Tech support
telnet          Add telnet access to FWSM console and set idle timeout
terminal        Set terminal line parameters
tftp-server     Specify default TFTP server address and directory
timeout         Set the maximum idle times
traffic         Counters for traffic statistics
uauth           Display or clear current user authorization information
url-cache       Enable URL caching
url-block       Enable URL pending block buffer and long URL support
url-server      Specify a URL filter server
username        Configure user authentication local database
version         Display FWSM system software version
virtual         Set address for authentication virtual servers
vpdn            Configure VPDN (PPTP, L2TP, PPPoE) Policy
vpnclient       Configure Easy VPN Remote
vpngroup        Configure group settings for Cisco VPN Clients and
                Cisco Easy VPN Remote products
who             Show active administration sessions on FWSM
xlate           Display current translation and connection slot information

show aaa

To display the local, TACACS+, or RADIUS user accounting, use the show aaa command.

show aaa

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.

2.2(1)

This command was modified to support a second LOCAL method for AAA configurations.


Examples

This example shows how to display the local, TACACS+, or RADIUS user accounting:

fwsm/context_name(config)# show aaa

Related Commands

aaa accounting match

aaa authentication include, exclude

aaa authorization

auth-prompt

password/passwd

service

ssh

telnet

virtual

show aaa proxy-limit

To display the number of concurrent proxy connections that are allowed per user, use the show aaa proxy-limit command.

show aaa proxy-limit

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The show aaa proxy-limit command allows you to display the number of outstanding authentication requests that are allowed or indicates that the proxy limit is disabled if you disabled it.

Examples

This example shows how to display the number of concurrent proxy connections that are allowed per server:

fwsm/context_name(config)# show aaa proxy-limit

Related Commands

aaa accounting match

aaa authentication include, exclude

aaa authorization

auth-prompt

password/passwd

service

ssh

telnet

virtual

show aaa-server

To display the AAA server configuration information, use the show aaa-server command.

show aaa-server

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.

2.2(1)

This command was modified to support a second LOCAL method for AAA configurations.


Examples

This example shows how to display the AAA server configuration information:

fwsm/context_name(config)# show aaa-server

Related Commands

aaa accounting match

aaa authentication include, exclude

aaa authorization

auth-prompt

password/passwd

service

ssh

telnet

virtual

show access-group

To bind an access list to an interface, use the show access-group command.

show access-group

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to bind an access list to an interface:

FWSM# show access-group 
access-group outside_in in interface inside
access-group 100 out interface inside

Related Commands

access-group

show access-list

To display the access list entries, use the show access-list command.

show access-list [id]

Syntax Description

id

(Optional) Access list.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how the FWSM displays access list entries.

fwsm(config)# show access-list ac
access-list ac; 2 elements
access-list ac permit ip any any (hitcnt=0)
access-list ac permit tcp any any (hitcnt=0)

Related Commands

access-list extended

clear access-list

show access-list mode

show access-list mode

To display the compilation mode for the system, use the show access-list mode command.

show access-list mode

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display the access list compilation mode for the FWSM:

fwsm(config)# show access-list mode
access-list mode manual-commit

Related Commands

access-list extended

access-list mode

clear access-list

show access-list

show activation-key

To display the commands in the configuration for features that are enabled by your activation key, including the number of contexts allowed, use the show activation-key command.

show activation-key

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The show activation-key command output indicates the status of the activation key as follows:

If the activation key in the FWSM Flash partition is the same as the activation key running on the FWSM, then the show activation-key output reads as follows:

The flash activation key is the SAME as the running key.

If the activation key in the FWSM Flash partition is different from the activation key running on the FWSM, then the show activation-key output reads as follows:

The flash activation key is DIFFERENT from the running key.
The flash activation key takes effect after the next reload.

If the FWSM Flash partition software image version is not the same as the running FWSM software image, then the show activation-key output reads as follows:

The flash image is DIFFERENT from the running image.
The two images must be the same in order to examine the flash activation key.

If you downgrade your activation key, the display shows that the running key (the old key) differs from the key that is stored in the Flash (the new key). When you restart, the FWSM uses the new key.

If you upgrade your key to enable extra features, the new key starts running immediately without a restart.

Examples

This example shows how to display the commands in the configuration for features that are enabled by your activation key:

fwsm(config)# show activation-key
Running Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000
Licensed Features:
Failover:           Enabled
VPN-DES:            Enabled
VPN-3DES:           Enabled
Maximum Interfaces: 100 (per security context)
Cut-through Proxy:  Enabled
Guards:             Enabled
URL-filtering:      Enabled
Throughput:         Unlimited
ISAKMP peers:       Unlimited
Security Contexts:  2
This machine has an Unrestricted (UR) license.
The flash activation key is the SAME as the running key.
fwsm(config)# 

Related Commands

activation-key

clear

show admin-context

To display which context is designated as the administration context, use the show admin-context command.

show admin-context

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: multiple context mode

Access Location: system and context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display the designated administration context:

fwsm(config)# show admin-context
Admin: admin disk:/admin.cfg

Related Commands

admin-context

show alias

To display the overlapping addresses with dual NAT commands in the configuration, use the show alias command.

show alias

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display alias information:

fwsm/context_name(config)# show alias
fwsm/context_name(config)# 

Related Commands

alias

show area

To display the area commands in the configuration, use the show area command.

show area

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode

Access Location: system command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display area command configuration information:

fwsm/context_name(config)# show area

Related Commands

area

show arp

To list the entries in the ARP table, use the show arp command.

show arp [timeout | statistics]

Syntax Description

timeout

(Optional) Specifies ARP timeout information.

statistics

(Optional) Specifies ARP statistics.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system command line and context command line

Command Mode: configuration mode and privileged mode

Firewall Mode: routed firewall mode and transparent mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to list the entries in the ARP table:

fwsm(config)# show arp statistics
        Dropped blocks in ARP: 6
        Maximum Queued blocks: 3
        Queued blocks: 1
        Interface collision ARPs Received: 5
        ARP-defense Gratuitous ARPS sent: 4
        Total ARP retries: 15
        Unresolved hosts: 1
        Maximum Unresolved hosts: 2

Related Commands

arp
arp-inspection

show auth-prompt

To display the current AAA challenge text, use the show auth-prompt command.

show auth-prompt

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display the AAA challenge text:

fwsm/context_name(config)# show auth-prompt

Related Commands

auth-prompt

show banner

To display the specified banner and all the lines that are configured for it, use the show banner command.

show banner [{exec | login | motd}]

Syntax Description

exec

(Optional) Displays the banner before the enable prompt.

login

(Optional) Displays the banner seen before the password login prompt when accessing the FWSM using Telnet.

motd

(Optional) Displays the message-of-the-day banner.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The show banner {motd | exec | login} command allows you to display the specified banner keyword and all the lines that are configured for it. If you do not specify a banner keyword, then all the banners are displayed.

Examples

This example shows how to display the message-of-the-day (motd) banner:

fwsm/context_name(config)# show banner motd

Related Commands

banner

clear banner

show blocks

To display the blocks in the preallocated system buffer, use the show blocks command.

show blocks [address hex-address | all | assigned | free | old | pool block-size | queue history [detail] [dump | header | packet]]

Syntax Description

address hex-address

(Optional) Specifies the block address.

all

(Optional) Specifies all blocks.

assigned

(Optional) Specifies the assigned blocks.

free

(Optional) Specifies the free blocks.

old

(Optional) Specifies the old blocks.

pool block-size

(Optional) Specifies a block pool and size.

queue history

(Optional) Specifies the queue history.

detail

(Optional) Specifies the block details.

dump

(Optional) Specifes a block dump.

header

(Optional) Specifies a header.

packet

(Optional) Specifies a packet.


This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.

2.2(1)

This command was updated on the FWSM.


Usage Guidelines

The show blocks command allows you to determine whether the FWSM is being overloaded similarly to the show cpu command. The show blocks command allows you to display preallocated system buffer utilization.

In the show blocks command listing, the SIZE column displays the block type. The MAX column is the maximum number of allocated blocks. The LOW column is the fewest blocks that are available since the last reboot. The CNT column is the current number of available blocks. A zero in the LOW column indicates a previous event where memory is full. A zero in the CNT column means memory is full now. A full memory condition is not a problem as long as traffic is moving through the FWSM.

You can use the show conn command to see if traffic is moving. If traffic is not moving and the memory is full, there may be a problem.

You can also display the information from the show blocks command using SNMP.

Packet-Processing Blocks (1550 and 16384 Bytes)

When a packet enters an FWSM's interface, it is placed on the input interface queue, passed up to the operating system, and placed in a block. For Ethernet packets, the 1550-byte blocks are used; if the packet comes in on a 66-MHz Gigabit Ethernet card, the 16384-byte blocks are used. The FWSM determines whether the packet should be permitted or denied based on the adaptive security algorithm (ASA) and processes the packet through to the output queue on the outbound interface. If the FWSM is having trouble keeping up with the traffic load, the number of available 1550-byte blocks (or 16384-byte blocks for 66-MHz GE) will hover close to 0 (as shown in the CNT column of the command output). When the CNT column is zero, the FWSM attempts to allocate more blocks, up to a maximum of 8192. If no more blocks are available, the FWSM drops the packet.

Failover and syslog Blocks (256 Bytes)

The 256-byte blocks are mainly used for stateful failover messages. The active FWSM generates and sends packets to the standby FWSM to update the translation and connection table. In bursty traffic, where high rates of connections are created or torn down, the number of available 256-byte blocks may drop to 0. This situation indicates that one or more connections were not updated to the standby FWSM. The stateful failover protocol will catch the missing xlate or connection the next time. If the CNT column for 256-byte blocks stays at or near 0 for extended periods of time, then the FWSM is having trouble keeping the translation and connection tables synchronized because of the number of connections per second that the FWSM is processing. If this situation happens consistently, you might upgrade the FWSM to a faster model.

The syslog messages that are sent out from the FWSM also use the 256-byte blocks, but they are generally not released in such quantity to cause a depletion of the 256-byte block pool. If the CNT column shows that the number of 256-byte blocks is near 0, ensure that you are not logging at Debugging (level 7) to the syslog server. This is indicated by the logging trap line in the FWSM configuration. We recommend that you set logging at Notification (level 5) or lower, unless you require additional information for debugging purposes.

Table 2-15 describes the columns in the show blocks display.

Table 2-15 Display Column Description

Column
Description

SIZE

Size, in bytes, of the block pool.

MAX

Maximum number of blocks available for the specified byte block pool. The maximum number of blocks are carved out of memory at bootup. Typically, the maximum number of blocks does not change. The exception is for the 256- and 1550-byte blocks, where the FWSM can dynamically create more when needed, up to a maximum of 8192.

LOW

Low-water mark. This number indicates the lowest number of this size blocks available since the FWSM was powered up, or since the last clearing of the blocks (with the clear blocks command).

CNT

Current number of blocks available for that specific size block pool.


Table 2-16 describes the rows in the show blocks display.

Table 2-16 Display Row Description

Size
Description

4

Duplicates existing blocks in DNS, Internet Security Association and Key Management Protocol (ISAKMP), URL filtering, uauth, TFTP, and TCP modules.

80

Used in TCP intercept to generate acknowledgment (ACK) packets and for failover hello messages.

256

Used for stateful failover updates, syslogging, and other TCP functions.

1550

Used to store Ethernet packets for processing through the FWSM.

16384

Only used for the 64-bit, 66-MHz Gigabit Ethernet cards (i82543).

2048

Control or guided frames used by the network processors (NP) for control updates.


Examples

This example show how to display preallocated system buffer memory blocks:

fwsm(config)# show blocks
            SIZE    MAX    LOW    CNT 
     4   1600   1600   1600
    80    100     97     97
   256     80     79     79
            1550    788    402    404
 65536      8      8      8
  2048   1000    994   1000

Related Commands

clear blocks

show ca

To display the certificate authorization information, use the show ca command.

show ca {certificate | crl | configure | identity | mypubkey rsa | subject-name | verifycertdn}

Syntax Description

certificate

Displays the current status of requested certificates and relevant information of received certificates, such as CA and RA certificates.

crl

Displays whether there is a CRL in RAM, and where and when the CRL is downloaded.

configure

Displays the current communication parameter settings that are stored in the FWSM RAM.

identity

Displays the current CA settings that are stored in RAM.

mypubkey rsa

Displays the FWSM's public keys in a DER/BER encoded PKCS#1 representation.

subject-name

Displays the subject Distinguished Name (DN).

verifycertdn

Displays the certificate's Distinguished Name (DN).


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display the current status of requested certificates. The CA certificate stems from a Microsoft CA server that was previously generated for this FWSM.

fwsm(config)# show ca certificate

RA Signature Certificate
  Status:Available
  Certificate Serial Number:6106e08a000000000005
  Key Usage:Signature
    CN = SCEP
     OU = VSEC
     O = Cisco
     L = San Jose
     ST = CA
     C = US
     EA =<16> username@example.com
  Validity Date:
    start date:17:17:09 Jul 11 2000

    end   date:17:27:09 Jul 11 2001

Certificate
  Status:Available
  Certificate Serial Number:1f80655400000000000a
  Key Usage:General Purpose
  Subject Name
    Name:firewall.example.com
  Validity Date:
    start date:20:06:23 Jul 17 2000

    end   date:20:16:23 Jul 17 2001

CA Certificate
  Status:Available
  Certificate Serial Number:25b81813efe58fb34726eec44ae82365
  Key Usage:Signature
    CN = MSCA
     OU = Cisco
     O = VSEC
     L = San Jose
     ST = CA
     C = US
     EA =<16> username@example.com
  Validity Date:
    start date:17:07:34 Jul 11 2000
RA KeyEncipher Certificate
  Status:Available
  Certificate Serial Number:6106e24c000000000006
  Key Usage:Encryption
    CN = SCEP
     OU = VSEC
     O = Cisco
     L = San Jose
     ST = CA
     C = US
     EA =<16> username@example.com
  Validity Date:
    start date:17:17:10 Jul 11 2000

    end   date:17:27:10 Jul 11 01 

Table 2-17 describes strings within the show ca certificate command sample output.

Table 2-17 Command Sample Output 

Sample Output String
Description

CN

Common name

C

Country

EA

E-mail address

L

Locality

ST

State or province

O

Organization name

OU

Organizational module name

DC

Domain component


This example shows how to display certificate information. See Table 2-17 for descriptions of the strings within the following sample output.

fwsm(config)# show ca crl

CRL:
    CRL Issuer Name:
        CN = MSCA, OU = Cisco, O = VSEC, L = San Jose, ST = CA, C = US, EA
=<16> username@example.com
    LastUpdate:17:07:40 Jul 11 2000

    NextUpdate:05:27:40 Jul 19 2000

This example shows how to display information about the RSA keys. Special-usage RSA keys were previously generated for this FWSM using the ca generate rsa command.

fwsm(config)# show ca mypubkey rsa

% Key pair was generated at: 15:34:55 Aug 05 1999

Key name: firewall.example.com
 Usage: Signature Key
 Key Data:
            305c300d 06092a86 4886f70d 01010105 00034b00 30480241 00c31f4a ad32f60d
            6e7ed9a2 32883ca9 319a4b30 e7470888 87732e83 c909fb17 fb5cae70 3de738cf
            6e2fd12c 5b3ffa98 8c5adc59 1ec84d78 90bdb53f 2218cfe7 3f020301 0001
% Key pair was generated at: 15:34:55 Aug 05 1999

Key name: firewall.example.com
 Usage: Encryption Key
 Key Data:
            305c300d 06092a86 4886f70d 01010105 00034b00 30480241 00d8a6ac cc64e57a
            48dfb2c1 234661c7 76380bd5 72ae62f7 1706bdab 0eedd0b5 2e5feef0 76319d98
            908f50b4 85a291de 247b6711 59b30026 453bfa3c 45234991 5d020301 0001

This example shows how to display a certificate with a CRL string. See Table 2-17 for descriptions of the strings within the following sample output.

fwsm(config)# show ca crl

CRL:
    CRL Issuer Name:
        CN = MSCA, OU = Cisco, O = VSEC, L = San Jose, ST = CA, C = US, EA
=<16> username@example.com
    LastUpdate:17:07:40 Jul 11 2000

    NextUpdate:05:27:40 Jul 19 2000

Related Commands

ca authenticate

show capture

To display the capture configuration when no options are specified, use the show capture command.

show capture [[context-name/] [capture_name] [access-list access_list_name] [count number] [detail] [dump]]

Syntax Description

context-name/

(Optional) Context name.

capture_name

(Optional) Name of the packet capture.

access-list access_list_name

(Optional) Displays information for packets that are based on IP or higher fields for the specific access list identification.

count number

(Optional) Displays the packet count.

detail

(Optional) Displays additional protocol information for each packet.

dump

(Optional) Displays a hexadecimal dump of the packets that are transported over the data link transport.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

If you specify the capture_name, then the capture buffer contents for that capture are displayed.

The dump keyword does not display MAC information in the hexadecimal dump.

The decoded output of the packets depend on the protocol of the packet. In Table 2-18, the bracketed output is displayed when you specify the detail keyword.

Table 2-18 Packet Capture Output Formats 

Packet Type
Capture Output Format

802.1Q

HH:MM:SS.ms [ether-hdr] VLAN-info encap-ether-packet

ARP

HH:MM:SS.ms [ether-hdr] arp-type arp-info

IP/ICMP

HH:MM:SS.ms [ether-hdr] ip-source > ip-destination: icmp: icmp-type icmp-code [checksum-failure]

IP/UDP

HH:MM:SS.ms [ether-hdr] src-addr.src-port dest-addr.dst-port: [checksum-info] udp payload-len

IP/TCP

HH:MM:SS.ms [ether-hdr] src-addr.src-port dest-addr.dst-port: tcp-flags [header-check] [checksum-info] sequence-number ack-number tcp-window urgent-info tcp-options

IP/Other

HH:MM:SS.ms [ether-hdr] src-addr dest-addr: ip-protocol ip-length

Other

HH:MM:SS.ms ether-hdr: hex-dump


Examples

This example shows how to display the capture configuration:

fwsm(config)# show capture
capture arp ethernet-type arp interface outside
capture http access-list http packet-length 74 interface inside

This example shows how to display the packets that are captured by an ARP capture:

fwsm(config)# show capture arp
2 packets captured
19:12:23.478429 arp who-has 171.69.38.89 tell 171.69.38.10
19:12:26.784294 arp who-has 171.69.38.89 tell 171.69.38.10
2 packets shown

Related Commands

capture
clear capture

show checkheaps

To show the checkheaps statistics, use the show checkheaps command in privileged EXEC mode. Checkheaps is a periodic process that verifies the sanity of the heap memory buffers (dynamic memory is allocated from the system heap memory region) and the integrity of the code region.

show checkheaps

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

Security Context Mode: single context and system mode

Access Location: system and context command line

Command Mode: privileged

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.3

This command was introduced.


Examples

The following is sample output from the show checkheaps command:

fwsm# show checkheaps

Checkheaps stats from buffer validation runs
--------------------------------------------
Time elapsed since last run     : 42 secs
Duration of last run            : 0 millisecs
Number of buffers created       : 8082
Number of buffers allocated     : 7808
Number of buffers free          : 274
Total memory in use             : 43570344 bytes
Total memory in free buffers    : 87000 bytes
Total number of runs            : 310

Related Commands

checkheaps

show checksum

To display the configuration checksum, use the show checksum command.

show checksum

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: Unprivileged

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The show checksum command allows you to display four groups of hexadecimal numbers that act as a digital summary of the configuration contents. This same information is stored with the configuration when you store the configuration in the Flash partition. By using the show config command, viewing the checksum at the end of the configuration listing, and using the show checksum command, you can compare the numbers to see if the configuration has changed. The FWSM tests the checksum to determine if a configuration has not been corrupted.

If a dot (".") appears before the checksum in the show config or show checksum command output, the output indicates a normal configuration load or write mode indicator (when loading from or writing to the FWSM Flash partition). The "." shows that the FWSM is preoccupied with the operation but is not "hung up." This message is similar to a "system processing, please wait" message.

Examples

This example shows how to display the configuration or the checksum:

fwsm(config)# show checksum
Cryptochecksum: 1a2833c0 129ac70b 1a88df85 650dbb81

show chunkstat

To display the chunk statistics, use the show chunkstat command.

show chunkstat

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display the chunk statistics:

fwsm(config)# show chunkstat
Chunk statistics: created 1, destroyed: 0,sibs created: 0, sibs trimmed: 0
Dump of chunk at 0cc835e4, name "Radix trie mask chunks", data start @ 0cc845dc,
 end @ 0cc8845c
 flink: 013ef300, blink: 013ef300
 next: 00000000, next_sibling: 00000000, prev_sibling: 00000000
 flags 00000001
 maximum chunk elt's: 1000, elt size: 16, index first free 997
 # chunks in use: 3, HWM of total used: 3, alignment: 0

Chunk statistics: created 1, destroyed: 0,sibs created: 0, sibs trimmed: 0
Dump of chunk at 0cbd77ec, name "IP subnet NDB entry", data start @ 0cbd8014, en
d @ 0cc66954
 flink: 00000000, blink: 00ed81c8
 next: 00000000, next_sibling: 00000000, prev_sibling: 00000000
 flags 00000009
 maximum chunk elt's: 500, elt size: 1156, index first free 500
 # chunks in use: 0, HWM of total used: 0, alignment: 0

show class

To display the class configuration, use the show class command.

show class

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: Multiple

Access Location: system command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display class configuration information:

fwsm(config)# show class
Class Name           Members    ID   Flags
default                All       1    0001
fwsm(config)#

Related Commands

class
clear

show clock

To display the FWSM clock for use with the FWSM Syslog Server (PFSS) and the Public Key Infrastructure (PKI) protocol, use the show clock command.

show clock

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(2)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display the FWSM clock for use with the PFSS and PKI protocols:

fwsm/context_name(config)# show clock
08:46:48    [0] Jul 16 2003

show compatible rfc1583

To display the method that is used to calculate the summary route costs per RFC 1583, use the show compatible rfc1583 command.

show compatible rfc1583

Syntax Description

This command has no arguments or keywords.

Defaults

The defaults are as follows:

OSPF routing is disabled on the FWSM.

OSPF routing through the FWSM is compatible with RFC 1583.

Command Modes

Security Context Mode: single context mode

Access Location: context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display calculation methods for summary route costs per RFC 1583:

fwsm/context_name(config)# show compatible rfc1583

Related Commands

compatible rfc1583

show configure

To display the startup configuration of the FWSM, use the show configure command.

show configure

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The show configure and show startup-config commands allow you to display the startup configuration of the FWSM. The write terminal and show running-config commands allow you to display the configuration that is currently running on the FWSM.

Examples

This example shows how to display the startup configuration of the FWSM:

fwsm/context_name(config)# show configure
: Saved
: Written by enable_15 at 16:17:31 Jun 26 2003

fwsm Version 2.2(0)141
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname sw8fx1
ftp mode passive
names
access-list deny-flow-max 4096
access-list alert-interval 300
no pager
logging history debugging
class default
  limit-resource All 0
!
admin-context admin

context admin
  logical-interface vlan300
  config-url disk:admin.cfg
!
context my_context
  logical-interface vlan300
  config-url disk:my_context.cfg
!
context my_context
  logical-interface vlan300
  config-url disk:my_context.cfg
!
failover
failover lan unit secondary
failover lan interface failover vlan 500
failover polltime unit 15
failover polltime interface 15
failover interface-policy 50 percent
failover interface ip failover 192.168.1.1 255.255.255.0 standby 192.168.1.2
no pdm history enable
arp timeout 14400
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:01:00 rpc 0:10:00 h
23 0:05:00 h225 1:00:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:00:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
floodguard enable
no sysopt route dnat
terminal width 511
gdb enable
mgcp command-queue 0
Cryptochecksum:03266426306f5ed3d9eb48b859a7263c

Related Commands

clear configure
configure

show conn

To display the connections used and those that are available, use the show conn command.

show conn [count] | [protocol {TCP | UDP | icmp}] [{foreign | local} ip [-ip2]] [netmask mask]  [{lport | fport} port1 [-port2]]

show conn [state up [,finin][,finout][,http_get][,smtp_data][,data_in][,data_out][,...]]

show conn detail

Syntax Description

count

(Optional) Displays only the number of used connections.

protocol TCP

(Optional) Displays the active TCP connections; see the "Usage Guidelines" section for additional information.

protocol UDP

(Optional) Displays the active UDP connections; see the "Usage Guidelines" section for additional information.

protocol icmp

(Optional) Displays the active ICMP connections; see the "Usage Guidelines" section for additional information.

foreign ip -ip2

(Optional) Displays the active connections by the foreign IP address.

local ip -ip2

(Optional) Displays the active connections by the local IP address.

netmask mask

(Optional) Displays the netmask for the foreign IP address or by the local IP address.

lport port1 -port2

(Optional) Displays the local active connections by port; see the "Usage Guidelines" section for additional information.

fport port1 -port2

(Optional) Displays the foreign active connections by port; see the "Usage Guidelines" section for additional information.

state

(Optional) Displays the active connections by their current state; see the "Usage Guidelines" section for additional information.

up

(Optional) Active connections.

,finin

(Optional) Foreign connection state in.

,finout

(Optional) Foreign connection state out.

,http_get

(Optional) HTTP connection state.

smtp_data

(Optional) SMTP connection state.

,data_in

(Optional) Data connection state.

,data_out

(Optional) Data connection state out.

,...

(Optional) Other connections.

detail

Displays the connection details.


Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The show conn command allows you to display the number of, and information about, active TCP connections. When specifying multiple show conn state keywords, use commas without spaces to list as follows:

fwsm(config)# show conn state up,rpc,h323,sip

If you insert spaces, the FWSM does not recognize the command.

You can also display the connection count information from the show conn command using SNMP.

The accuracy of the displayed count may vary depending on the traffic volume and the type of traffic that is passing through the FWSM.

See the "Specifying Port Values" section in Appendix B, "Port and Protocol Values," for a list of valid port literal names.

When you enter the show conn command, the following active connections are displayed by their current state (listed in bold print):

Up (up)

Inbound connection (conn_inbound)

Computer Telephony Interface Quick Buffer Encoding (CTIQBE) connection (ctiqbe)

Inbound data (data_in)

Outbound data (data_out)

Dump clean up connection (dump)

FIN inbound (finin)

FIN outbound (finout)

H.225 connection (h225)

H.323 connection (h323)

HTTP get (http_get)

Media Gateway Control Protocol (MGCP) connection (mgcp)

An outbound command denying access to Java applets (nojava)

RPC connection (rpc)

SIP connection (sip)

Skinny Client Control Protocol (SCCP) connection (skinny)

SMTP mail banner (smtp_banner)

SMTP mail data (smtp_data)

SQL*Net data fix up (sqlnet_fixup_data)

Incomplete SMTP mail connection (smtp_incomplete)

protocol is a protocol that is specified by number. See the "Specifying Protocol Values" section in Appendix B, "Port and Protocol Values," for a list of valid protocol literal names.

The show conn detail command displays the following information:

{UDP | TCP} outside_ifc:real_addr/real-port [(map_addr/port)] 
inside_ifc:real_addr/real_port [(map-addr/port)] flags flags

The connection flags are defined in Table 2-19.

Table 2-19 Connection Flags 

Flag
Description

---

SKINNY (not used)

a

Awaiting outside ACK to SYN

A

Awaiting inside ACK to SYN

B

Initial SYN from outside

C

Computer Telephony Interface Quick Buffer Encoding (CTIQBE)

d

Dump

D

DNS

E

Outside back connection

f

Inside FIN

F

Outside FIN

g

Media Gateway Control Protocol (MGCP)

G

Group

h

H.225

H

H.323

i

Incomplete

I

Inbound data

k

RTP/RTCP (UDP) connection object

m

SIP media connection

M

SMTP data

O

Outbound data

p

Replicated (unused)

P

Inside back connection

q

SQL*Net data

r

Inside acknowledged FIN

R

Outside acknowledged FIN

R

UDP RPC

s

Awaiting outside SYN

S

Awaiting inside SYN

t

SIP transient connection

T

TCP SIP connection

T

UDP SIP connection

U

Up


Examples

This example shows a TCP session connection from inside host 10.1.1.15 to the outside Telnet server at 192.150.49.10. Because there is no B flag, the connection is initiated from the inside. The U, I, and O flags indicate that the connection is active and has received inbound and outbound data.

fwsm(config)# show conn
2 in use, 2 most used
TCP out 192.150.49.10:23 in 10.1.1.15:1026 idle 0:00:22
Bytes 1774 flags UIO
UDP out 192.150.49.10:31649 in 10.1.1.15:1028 idle 0:00:14
flags D-

This example shows a UDP connection from outside host 192.150.49.10 to inside host 10.1.1.15. The D flag indicates a DNS connection. The number 1028 is the DNS ID over the connection.

fwsm(config)# show conn detail
2 in use, 2 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
       B - initial SYN from outside, D - DNS, d - dump,
       E - outside back connection, f - inside FIN, F - outside FIN,
       G - group, H - H.323, I - inbound data, M - SMTP data,
       O - outbound data, P - inside back connection,
       q - SQL*Net data, R - outside acknowledged FIN,
       R - UDP RPC, r - inside acknowledged FIN, S - awaiting inside SYN,
       s - awaiting outside SYN, U - up
TCP outside:192.150.49.10/23 inside:10.1.1.15/1026 flags UIO
UDP outside:192.150.49.10/31649 inside:10.1.1.15/1028 flags dD

This example shows sample output from the show conn command:

show conn
6 in use, 6 most used
             TCP out 209.165.201.1:80 in 10.3.3.4:1404 idle 0:00:00 Bytes 11391 
             TCP out 209.165.201.1:80 in 10.3.3.4:1405 idle 0:00:00 Bytes 3709 
             TCP out 209.165.201.1:80 in 10.3.3.4:1406 idle 0:00:01 Bytes 2685 
             TCP out 209.165.201.1:80 in 10.3.3.4:1407 idle 0:00:01 Bytes 2683 
             TCP out 209.165.201.1:80 in 10.3.3.4:1403 idle 0:00:00 Bytes 15199 
             TCP out 209.165.201.1:80 in 10.3.3.4:1408 idle 0:00:00 Bytes 2688 
             UDP out 209.165.201.7:24 in 10.3.3.4:1402 idle 0:01:30 
             UDP out 209.165.201.7:23 in 10.3.3.4:1397 idle 0:01:30 
             UDP out 209.165.201.7:22 in 10.3.3.4:1395 idle 0:01:30 

Host 10.3.3.4 on the inside has accessed a website at 209.165.201.1. The global address on the outside interface is 209.165.201.7.

This example shows how to display connections to the FWSM that are in the up state:

fwsm/context_name(config)# show conn state up
0 in use, 0 most used
 Network Processor 1 connections
 Network Processor 2 connections

Related Commands

clear conn

show console-output

To display the currently configured console timeout value, use the show console-output command.

show console-output

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display the console output:

fwsm(config)# show console-output
Message #1 : Initializing debugger......:  Message #2 : Found PCI card in slot:
 bus:2 dev:9 (vendor:0x8086 deviceid:0x1001)
Message #3 : Found PCI card in slot:2 bus:2 dev:8 (vendor:0x8086 deviceid:0x100
)
Message #4 : Found PCI card in slot:3 bus:1 dev:6 (vendor:0x1014 deviceid:0x1e8
Message #5 : Ignoring PCI card in slot:3 (vendor:0x1014 deviceid:0x1e8)
Message #6 : Found PCI card in slot:4 bus:1 dev:5 (vendor:0x1014 deviceid:0x1e8
Message #7 : Ignoring PCI card in slot:4 (vendor:0x1014 deviceid:0x1e8)
Message #8 : Found PCI card in slot:5 bus:1 dev:4 (vendor:0x1014 deviceid:0x1e8
Message #9 : Ignoring PCI card in slot:5 (vendor:0x1014 deviceid:0x1e8)
Message #10 : Found PCI card in slot:7 bus:0 dev:2 (vendor:0x1011 deviceid:0x22
Message #11 : PCI-2-PCI bridge in slot:7 (vendor:0x1011 deviceid:0x22)
Message #12 : IBM NP4GS3 in slot:7 dev:4 (vendor:0x1014 deviceid:0x1e8)
Message #13 : IBM NP4GS3 in slot:7 dev:5 (vendor:0x1014 deviceid:0x1e8)
Message #14 : IBM NP4GS3 in slot:7 dev:6 (vendor:0x1014 deviceid:0x1e8)
Message #15 : Found PCI card in slot:8 bus:0 dev:1 (vendor:0x1022 deviceid:0x20
0)
Message #16 : The NICs as we know them:
Message #17 : Nic 0: driver 2, bus 2, dev 9, irq 5, media 4, mediaIndex 0
Message #18 : Nic 1: driver 2, bus 2, dev 8, irq 7, media 4, mediaIndex 1
Message #19 : Nic 2: driver 3, bus 0, dev 1, irq 11, media 1, mediaIndex 0
Message #20 : write addr 0xa0000240, data 0x80000000
Message #21 : write addr 0xa0000240, data 0x80000000
Message #22 : write addr 0xa0000240, data 0x80000000

Related Commands

clear console-output

show context

To display the currently configured contexts, use the show context command.

show context [detail] [name | admin | count]

Syntax Description

detail

(Optional) Displays context details.

name

(Optional) Information about the specified context.

admin

(Optional) Displays the administrator context.

count

(Optional) Displays the number of contexts configured.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: Multiple

Access Location: system and context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display detailed information about the configured contexts:

fwsm/context_name(config)# show context my_context
Context Name      Class      Interfaces           URL
 my_context             default    30                   disk:my_context.cfg

fwsm/context_name(config)# show context
Context Name      Class      Interfaces           URL
*admin            default    30,40                disk:admin.cfg
 my_context             default    30                   disk:my_context.cfg

fwsm/context_name(config)# show context count
Total active contexts: 2

fwsm(config)# changeto context my_context
fwsm/my_context(config)# show context
Context Name      Class      Interfaces           URL
 my_context             default    30                   disk:my_context.cfg

Related Commands

clear context
context

show counters

To display and clear the protocol stack counters, use the show counters command.

show counters [context context-name | top N | all | summary] [protocol protocol_name [:counter_name]| detail] [threshold count_threshold]

Syntax Description

context

(Optional) Specifies a context.

context-name

(Optional) Context name.

top N

(Optional) Displays the counter details for the specified location.

all

(Optional) Displays the filter details.

summary

(Optional) Displays a counter summary.

protocol

(Optional) Displays the counters for the specified protocol.

protocol_name

(Optional) Protocol by name.

:counter_name

(Optional) Counter by name.

detail

(Optional) Displays the counters in detail.

threshold

(Optional) Displays only those counters at or above the specified threshold.

count_threshold

(Optional) Threshold to begin displaying counters.


Defaults

show counters summary detail threshold 1

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display all counters:

fwsm# show counters all
Protocol     Counter           Value   Context
IOS_IPC      IN_PKTS               2   single_vf
IOS_IPC      OUT_PKTS              2   single_vf

fwsm(config)# show counters
Protocol     Counter           Value   Context
NPCP         IN_PKTS            7195   Summary
NPCP         OUT_PKTS           7603   Summary
IOS_IPC      IN_PKTS             869   Summary
IOS_IPC      OUT_PKTS            865   Summary
IP           IN_PKTS             380   Summary
IP           OUT_PKTS            411   Summary
IP           TO_ARP              105   Summary
IP           TO_UDP                9   Summary
UDP          IN_PKTS               9   Summary
UDP          DROP_NO_APP           9   Summary
FIXUP        IN_PKTS             202   Summary

This example shows how to display a summary of counters:

fwsm# show counters summary
Protocol     Counter           Value   Context
IOS_IPC      IN_PKTS               2   Summary
IOS_IPC      OUT_PKTS              2   Summary

This example shows how to display counters for a context:

fwsm# show counters context single_vf
Protocol     Counter           Value   Context
IOS_IPC      IN_PKTS               4   single_vf
IOS_IPC      OUT_PKTS              4   single_vf

Related Commands

clear counters

show cpu

To display the CPU utilization information, use the show cpu usage command.

In system context:

show cpu [usage] context

show cpu [usage] [context {all | context_name}]

In a context:

show cpu [usage]

Syntax Description

usage

(Optional) Displays the CPU usage for the FWSM.

context

(Optional) Specifies that the display shows contexts.

all

(Optional) Specifies that the display shows all context.

context_name

(Optional) Context name.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The show cpu usage command displays the CPU usage information. When the command displays per-context CPU usage, the value is displayed with one decimal digit of precision instead of an integer value.

This command displays how the CPU usage is spread across all of the contexts and system-level (system and kernel) processes. The columns will always total 100 percent. In an idle system, all of the CPU usage is displayed in the system and kernel processes as shown in the examples.

In the system context:

The show cpu command displays how busy the system currently is.

The show cpu context all command displays where all the CPU time is being used.

The show cpu context context_name command displays the percentage of CPU time used by the specified context.

In a context, the show cpu command displays the percentage of CPU time used by that context.

Examples

This example shows how to display the CPU utilization for the FWSM:

fwsm(config)# show cpu usage
CPU utilization for 5 seconds = 1%; 1 minute: 0%; 5 minutes: 0%

The percentage usage prints as NA (not applicable) if the usage is unavailable for the specified time interval. This situation can occur if you ask for CPU usage before the 5-second, 1-minute, or 5-minute time interval has elapsed.

This example shows how to display the CPU utilization for a context:

fwsm/context_name(config)# show cpu usage context admin
CPU utilization for 5 seconds = 1%; 1 minute: 0%; 5 minutes: 0%

This example shows how to display the CPU utilization for all contexts:

fwsm(config)# show cpu usage context all
CPU utilization for 5 seconds = 1%; 1 minute: 0%; 5 minutes: 0%
5 sec  1 min  5 min  Context Name
   0%     0%     0%  admin
  59%    59%    59%  system
  41%    41%    41%  <kernel>

show crashdump

To display the crash information file that is stored in the Flash partition of the FWSM, use the show crashdump command.

show crashdump [save]

Syntax Description

save

(Optional) Displays whether or not the FWSM is configured to save crash information to the Flash partition.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The show crashdump save command allows you to display whether or not the FWSM is configured to save crash information to the Flash partition.

The show crashdump command allows you to display the crash information file that is stored in the Flash partition of the FWSM. If the crash information file is from a test crash (from the crashdump test command), the first string of the crash information file is ": Saved_Test_Crash" and the last one is ": End_Test_Crash". If the crash information file is from a real crash, the first string of the crash information file is ": Saved_Crash" and the last one is ": End_Crash" (this includes crashes from the crashdump force page-fault or crashdump force watchdog commands).

Examples

This example shows how to display the current crash information configuration:

fwsm(config)# show crashdump save
crashdump save enable

This example shows the output for a crash information file test. (However, this test does not actually crash the FWSM. It provides a simulated example file.)

fwsm(config)# crashdump test
fwsm(config)# exit
fwsm(config)# show crashdump
: Saved_Test_Crash

Thread Name: ci/console (Old pc 0x001a6ff5 ebp 0x00e88920)

Traceback:
0: 00323143
1: 0032321b
2: 0010885c
3: 0010763c
4: 001078db
5: 00103585
6: 00000000
    vector 0x000000ff (user defined)
       edi 0x004f20c4
       esi 0x00000000
       ebp 0x00e88c20
       esp 0x00e88bd8
       ebx 0x00000001
       edx 0x00000074
       ecx 0x00322f8b
       eax 0x00322f8b
error code n/a
       eip 0x0010318c
        cs 0x00000008
    eflags 0x00000000
       CR2 0x00000000
Stack dump: base:0x00e8511c size:16384, active:1476
0x00e89118: 0x004f1bb4
0x00e89114: 0x001078b4
.
.
.
0x00e88b5c: 0x00000000
0x00e88b58: 0x00000008

Cisco Firewall Version 2.2
Cisco Device Manager Version 2.2

Compiled on Fri 15-Nov-02 14:35 by root

FWSM up 10 days 0 hours

Hardware:   FWSM, 64 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB

0: ethernet0: address is 0003.e300.73fd, irq 10
1: ethernet1: address is 0003.e300.73fe, irq 7
2: ethernet2: address is 00d0.b7c8.139e, irq 9
Licensed Features:
Failover:           Disabled
VPN-DES:            Enabled
VPN-3DES-AES:       Disabled
Maximum Interfaces: 3
Cut-through Proxy:  Enabled
Guards:             Enabled
URL-filtering:      Enabled
Inside Hosts:       Unlimited
Throughput:         Unlimited
IKE peers:          Unlimited

This FWSM has a Restricted (R) license.

Serial Number: 480430455 (0x1ca2c977)
Running Activation Key: 0xc2e94182 0xc21d8206 0x15353200 0x633f6734 
Configuration last modified by enable_15 at 13:49:42.148 UTC Wed Nov 20 2002


------------------ show clock ------------------

15:34:28.129 UTC Sun Nov 24 2002

------------------ show memory ------------------

Free memory:        50444824 bytes
Used memory:        16664040 bytes
-------------     ----------------
Total memory:       67108864 bytes

------------------ show conn count ------------------

0 in use, 0 most used

------------------ show xlate count ------------------

0 in use, 0 most used

------------------ show blocks ------------------

  SIZE    MAX    LOW    CNT
     4   1600   1600   1600
    80    400    400    400
   256    500    499    500
  1550   1188    795    927

------------------ show interface ------------------

Interface vlan20 "", is administratively down, line protocol is up
        MAC address 0000.0000.0000, MTU 0
        IP address 127.0.0.1, subnet mask 255.255.255.255
                Received 0 packets, 0 bytes
                Transmitted 0 packets, 0 bytes
                Dropped 0 packets
Interface vlan40 "outside", is up, line protocol is up
        MAC address 0005.9a38.7400, MTU 1500
        IP address 40.7.12.1, subnet mask 255.255.0.0
                Received 684499 packets, 473311321 bytes
                Transmitted 512981 packets, 29781306 bytes
                Dropped 0 packets
Interface vlan41 "inside", is up, line protocol is up
        MAC address 0005.9a38.7400, MTU 1500
        IP address 41.7.12.1, subnet mask 255.255.0.0
                Received 780297 packets, 70082987 bytes
                Transmitted 605699 packets, 473794675 bytes
                Dropped 61 packets
Interface vlan2000 "", is administratively down, line protocol is down
        MAC address 0000.0000.0000, MTU 0
        IP address 127.0.0.1, subnet mask 255.255.255.255
                Received 0 packets, 0 bytes
                Transmitted 0 packets, 0 bytes
                Dropped 0 packets

------------------ show cpu usage ------------------

CPU utilization for 5 seconds = 0%; 1 minute: 0%; 5 minutes: 0%

------------------ show process ------------------


    PC       SP       STATE       Runtime    SBASE     Stack Process
Hsi 001e3329 00763e7c 0053e5c8          0 00762ef4 3784/4096 arp_timer
Lsi 001e80e9 00807074 0053e5c8          0 008060fc 3792/4096 FragDBGC
.
.
.
Hwe 001e5398 00f52c5c 00812054          0 00f51d64 3832/4096 tcp_thread/2
Hwe 003d1a65 00f78284 008140f8          0 00f77fdc  300/1024 listen/http1
Mwe 0035cafa 00f7a63c 0053e5c8          0 00f786c4 7640/8192 Crypto CA

------------------ show failover ------------------

No license for Failover

------------------ show traffic ------------------

outside:
        received (in 865565.090 secs):
                6139 packets    830375 bytes
                0 pkts/sec      0 bytes/sec
        transmitted (in 865565.090 secs):
                90 packets      6160 bytes
                0 pkts/sec      0 bytes/sec
inside:
        received (in 865565.090 secs):
                0 packets       0 bytes
                0 pkts/sec      0 bytes/sec
        transmitted (in 865565.090 secs):
                1 packets       60 bytes
                0 pkts/sec      0 bytes/sec
intf2:
        received (in 865565.090 secs):
                0 packets       0 bytes
                0 pkts/sec      0 bytes/sec
        transmitted (in 865565.090 secs):
                0 packets       0 bytes
                0 pkts/sec      0 bytes/sec

------------------ show perfmon ------------------


PERFMON STATS:    Current      Average
Xlates               0/s          0/s
Connections          0/s          0/s
TCP Conns            0/s          0/s
UDP Conns            0/s          0/s
URL Access           0/s          0/s
URL Server Req       0/s          0/s
TCP Fixup            0/s          0/s
TCPIntercept         0/s          0/s
HTTP Fixup           0/s          0/s
FTP Fixup            0/s          0/s
AAA Authen           0/s          0/s
AAA Author           0/s          0/s
AAA Account          0/s          0/s
: End_Test_Crash

Related Commands

clear crashdump
crashdump force

show crypto dynamic-map

To display a dynamic crypto map set, use the show crypto dynamic-map command.

show crypto dynamic-map [tag  dynamic-map-name]

Syntax Description

tag dynamic-map-name

(Optional) Shows the crypto dynamic map set with the specified map-name.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

For detailed help, refer to the subcommand help in the mode where the commands are available. For example, you can enter the following:

fwsm/context_name(config)#  ca ?
fwsm(config)#  help ca.

Examples

This example shows sample output for the show crypto dynamic-map command:

fwsm(config)# show crypto dynamic-map
Crypto Engine Connection Map:
    size = 8, free = 7, used = 0, active = 0

The following partial configuration was in effect when the preceding show crypto dynamic-map command was issued:

crypto ipsec security-association lifetime seconds 120        
crypto ipsec transform-set t1 esp-des esp-md5-hmac 
crypto ipsec transform-set tauth ah-sha-hmac 
crypto dynamic-map dyn1 10 set transform-set tauth t1 
crypto dynamic-map dyn1 10 match address 152
crypto map to-firewall local-address Ethernet0
crypto map to-firewall 10 ipsec-isakmp 
crypto map to-firewall 10 set peer 172.21.114.123
crypto map to-firewall 10 set transform-set tauth t1 
crypto map to-firewall 10 match address 150
crypto map to-firewall 20 ipsec-isakmp dynamic dyn1
access-list 150 permit ip host 172.21.114.67 host 172.21.114.123
access-list 150 permit ip host 15.15.15.1 host 172.21.114.123
access-list 150 permit ip host 15.15.15.1 host 8.8.8.1
access-list 152 permit ip host 172.21.114.67 any

This example shows output from the show crypto map command for a crypto map named "mymap":

fwsm(config)# show crypto map

Crypto Map: "mymap" interfaces: { outside }

Crypto Map "mymap" 1 ipsec-isakmp
        Peer = 171.69.231.241
        access-list no-nat; 1 elements
        access-list no-nat permit ip 192.168.0.0 255.255.255.0 1.1.1.0 255.255.255.0 
(hitcnt=0) 
        Current peer: 171.69.231.241
        Security association lifetime: 4608000 kilobytes/28800 seconds
        PFS (Y/N): Y
        DH group:  group5
        Transform sets={ mycrypt, }

Related Commands

clear crypto dynamic-map
crypto dynamic-map

show crypto engine

To display the cryptography engine usage statistics, use the show crypto engine command.

show crypto engine

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The show crypto engine command allows you to display the usage statistics for the cryptography engine that is used by the FWSM.

Examples

This example shows sample output for the show crypto engine command:

fwsm(config)# show crypto engine
Crypto Engine Connection Map:
    size = 8, free = 7, used = 0, active = 0

Related Commands

clear crypto dynamic-map

show crypto interface

To display the VPN accelerator cards (VACs) installed in the FWSM chassis and to display the packet, payload byte, queue length, and moving average counters for traffic moving through the card for VAC+, use the show crypto interface command.

show crypto interface [counters]

Syntax Description

counters

(Optional) Displays the packet count, byte queue, and moving averages for traffic through a VAC+.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The show crypto interface command allows you to display VACs that are installed in the FWSM chassis.

The show crypto interface counters command allows you to display information (see Table 2-20) for the FWSM VAC+ only.

Table 2-20 show crypto interface Counters 

Counter
Description

interfaces

Number and type of crypto interface cards installed.

packet count

Number of packets sent to the installed crypto interface card(s).

payload bytes

Number of bytes of payload either after decapsulation or before encapsulation.

input queue (curr/max)

Total number of packets that are awaiting service from the crypto interface card(s).

interface queue (curr/max)

Total number of packets that have been queued at the crypto interface card(s) for service.

output queue (curr/max)

Total number of packets that have been released by the crypto interface card(s) and are awaiting dispatch to the packet path.

moving averages

5second

1minute

5minute

5-second, 1-minute, and 5-minute moving averages of the packet count and payload bytes through all crypto interface cards.


Examples

This example shows sample output from the show crypto interface and show crypto interface counters commands:

fwsm/context_name(config)# show crypto interface
Encryption hardware device : Crypto5823 (revision 0x1) 
fwsm(config)# show crypto interface counters

interfaces: 1
  Crypto5823 (revision 0x1), maximum queue size 64

packet count:               318657093
payload bytes:              89861300946
input     queue (curr/max): 1336/1584
interface queue (curr/max): 64/64
output    queue (curr/max): 0/64
moving averages
  5second   128273 pkts/sec   289 Mbits/sec
  1minute   128326 pkts/sec   290 Mbits/sec
  5minute   128279 pkts/sec   289 Mbits/sec

This example shows the same sample output after the clear crypto interface counters command has been used:

fwsm/context_name(config)# clear crypto interface counters
fwsm/context_name(config)# show crypto interface counters

interfaces: 1
  Crypto5823 (revision 0x1), maximum queue size 64

packet count:               355968
payload bytes:              100382976
input     queue (curr/max): 1317/1537
interface queue (curr/max): 64/64
output    queue (curr/max): 0/64
moving averages
  5second       NA pkts/sec    NA Mbits/sec
  1minute       NA pkts/sec    NA Mbits/sec
  5minute       NA pkts/sec    NA Mbits/sec

This example shows sample output from the show crypto interface and show crypto interface counters commands when a VAC+ is installed:

fwsm/context_name(config)# show crypto interface
Encryption hardware device : IRE2141 with 2048KB, HW:1.0, CGXROM:1.9, FW:6.5 
fwsm/context_name(config)# show crypto interface counters
no crypto interface counters available

This example shows sample output from the show crypto interface and show crypto interface counters commands when no crypto interface card is installed (neither a VAC nor a VAC+):

fwsm(config)# show crypto interface
fwsm(config)# show crypto interface counters
no crypto interface counters available

Related Commands

crypto map interface

show crypto ipsec

To display the configured transform sets, use the show crypto ipsec command.

show crypto ipsec security-association lifetime

show crypto ipsec transform-set [tag transform-set-name]

show crypto ipsec sa [map map-name | address | identity] [detail]

Syntax Description

security-association lifetime

Displays the security-association lifetime value that is configured for a crypto map entry.

transform-set

Displays the configured transform sets.

tag transform-set-name

(Optional) Specifies a transform set.

sa

Displays the settings that are used by the current security associations.

map map-name

(Optional) Name of the crypto map set.

address

(Optional) Displays all of the existing security associations, sorted by the destination address (either the local address or the address of the remote IPSec peer) and then by protocol (AH or ESP).

identity

(Optional) Displays only the flow information.

detail

(Optional) Displays detailed error counters.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The show crypto ipsec sa command allows you to display the settings that are used by the current security associations. If you do not enter a keyword, all security associations are displayed. They are sorted first by interface, and then by traffic flow (for example, source/destination address, mask, protocol, and port). Within a flow, the security associations are listed by protocol (ESP/AH) and direction (inbound/outbound). The identity keyword does not show the security association information.


Note While entering the show crypto ipsec sa command, if the screen display is stopped with the More prompt and the security association lifetime expires while the screen display is stopped, then the subsequent display may be outdated. In this situation, you should assume that the security association lifetime values that display are invalid.

The show crypto ipsec sa command allows you to display the Payload Compression Protocol (PCP) in its output.


Examples

This example shows how to display the security-association lifetime value:

fwsm/context_name(config)# show crypto ipsec security-association lifetime
Security-association lifetime: 4608000 kilobytes/120 seconds

This configuration was in effect when the preceding show crypto ipsec security-association lifetime command was issued:

fwsm/context_name(config)# crypto ipsec security-association lifetime seconds 120

This example shows how to display the configured transform sets:

fwsm/context_name(config)# show crypto ipsec transform-set 

Transform set combined-des-sha: { esp-des esp-sha-hmac } 
   will negotiate = { Tunnel, }, 
   
Transform set combined-des-md5: { esp-des esp-md5-hmac } 
   will negotiate = { Tunnel, }, 
   
Transform set t1: { esp-des esp-md5-hmac } 
   will negotiate = { Tunnel, }, 
   
Transform set t100: { ah-sha-hmac } 
   will negotiate = { Tunnel, }, 
   
Transform set t2: { ah-sha-hmac } 
   will negotiate = { Tunnel, }, 
   { esp-des } 
   will negotiate = { Tunnel, },

This configuration was in effect when the preceding show crypto ipsec transform-set command was issued:

fwsm/context_name(config)# crypto ipsec transform-set combined-des-sha esp-des 
esp-sha-hmac
fwsm/context_name(config)# crypto ipsec transform-set combined-des-md5 esp-des 
esp-md5-hmac
fwsm/context_name(config)# crypto ipsec transform-set t1 esp-des esp-md5-hmac
fwsm/context_name(config)# crypto ipsec transform-set t100 ah-sha-hmac
fwsm/context_name(config)# crypto ipsec transform-set t2 ah-sha-hmac esp-des

This example shows how to display the settings that are used by the current security associations:

fwsm/context_name(config)# show crypto ipsec sa

interface: outside
    Crypto map tag: firewall-alice, local addr. 172.21.114.123
 
   local ident (addr/mask/prot/port): (172.21.114.123/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.21.114.67/255.255.255.255/0/0)
   current_peer: 172.21.114.67
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify 10
    #send errors 10, #recv errors 0
 
     local crypto endpt.: 172.21.114.123, remote crypto endpt.: 172.21.114.67/500
     path mtu 1500, media mtu 1500
     current outbound spi: 20890A6F
 
     inbound esp sas:
      spi: 0x257A1039(628756537)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        slot: 0, conn id: 26, crypto map: firewall-alice
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     outbound esp sas:
      spi: 0x20890A6F(545852015)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 27, crypto map: firewall-alice
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
     outbound ah sas:
interface: inside
    Crypto map tag: firewall-alice, local addr. 172.21.114.123
   local ident (addr/mask/prot/port): (172.21.114.123/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.21.114.67/255.255.255.255/0/0)
   current_peer: 172.21.114.67
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify 10
    #send errors 10, #recv errors 0
     local crypto endpt.: 172.21.114.123, remote crypto endpt.: 172.21.114.67
     path mtu 1500, media mtu 1500
     current outbound spi: 20890A6F
		inbound esp sas:
      spi: 0x257A1039(628756537)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 26, crypto map: firewall-alice
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     outbound esp sas:
      spi: 0x20890A6F(545852015)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 27, crypto map: firewall-alice
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
     outbound ah sas:

Related Commands

crypto ipsec security-association lifetime
crypto ipsec transform-set

show crypto map

To display the crypto map configuration, use the show crypto map command.

show crypto map [interface interface-name | tag map-name]

Syntax Description

interface interface-name

(Optional) Displays the identifying interface to be used by the FWSM to identify itself to peers.

tag map-name

(Optional) Displays the crypto map set with the specified map name.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display the crypto map configuration:

fwsm/context_name(config)# show crypto map

Crypto Map: "firewall-alice" pif: outside local address: 172.21.114.123
 
Crypto Map "firewall-alice" 10 ipsec-isakmp
        Peer = 172.21.114.67
        access-list 141 permit ip host 172.21.114.123 host 172.21.114.67
        Current peer: 172.21.114.67
        Security-association lifetime: 4608000 kilobytes/120 seconds
        PFS (Y/N): N
        Transform sets={ t1, }

This configuration was in effect when the preceding show crypto map command was issued:

fwsm/context_name(config)# crypto map firewall-alice 10 ipsec-isakmp 
fwsm/context_name(config)# crypto map firewall-alice 10 set peer 172.21.114.67
fwsm/context_name(config)# crypto map firewall-alice 10 set transform-set t1 
fwsm/context_name(config)# crypto map firewall-alice 10 match address 141

This example shows the sample output for the show crypto map command when manually established security associations are used:

fwsm/context_name(config)# show crypto map

Crypto Map "multi-peer" 20 ipsec-manual
        Peer = 172.21.114.67
        access-list 120 permit ip host 1.1.1.1 host 1.1.1.2
        Current peer: 172.21.114.67
        Transform sets={ t2, }
        Inbound esp spi: 0, 
         cipher key: ,
         auth_key: ,
        Inbound ah spi: 256, 
            key: 010203040506070809010203040506070809010203040506070809,
        Outbound esp spi: 0
         cipher key: ,
         auth key: , 
        Outbound ah spi: 256, 
            key: 010203040506070809010203040506070809010203040506070809,

This configuration was in effect when the preceding show crypto map command was issued:

fwsm/context_name(config)# crypto map multi-peer 20 ipsec-manual 
fwsm/context_name(config)# crypto map multi-peer 20 set peer 172.21.114.67
fwsm/context_name(config)# crypto map multi-peer 20 set session-key inbound ah 256
010203040506070809010203040506070809010203040506070809
fwsm/context_name(config)# crypto map multi-peer 20 set session-key outbound ah 256
010203040506070809010203040506070809010203040506070809
fwsm/context_name(config)# crypto map multi-peer 20 set transform-set t2 
fwsm/context_name(config)# crypto map multi-peer 20 match address 120

Related Commands

crypto map client

show curpriv

To display the current user privileges, use the show curpriv command.

show curpriv

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: Unprivileged

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

These examples show output from the show curpriv command when a user named enable_15 is at different privilege levels. The username indicates the name that the user entered when the user logged in, P_PRIV indicates that the user has entered the enable command, and P_CONF indicates that the user has entered the config terminal command.

fwsm(config)# show curpriv
Username : enable_15
Current privilege level : 15
Current Mode/s : P_PRIV P_CONF
fwsm(config)# exit

fwsm(config)# show curpriv
Username : enable_15
Current privilege level : 15
Current Mode/s : P_PRIV
fwsm(config)#  exit

fwsm(config)# show curpriv
Username : enable_1
Current privilege level : 1
Current Mode/s : P_UNPR
fwsm(config)# 

Related Commands

privilege
show privilege

show default-information originate

To display a type 7 default in the not-so-stubby area (NSSA), use the show default-information originate command.

show default-information originate

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode

Access Location: context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

This command is supported on an NSSA ABR or an NSSA autonomous system boundary router (ASBR) only.

The show ip ospf command displays the configured router ospf subcommands.

Examples

This example shows how to display NSSA information:

fwsm/context_name(config)# show default-information originate

Related Commands

default-information originate (router OSPF subcommand)
router ospf
show ip ospf

show dbg

To display the debug information, use the show dbg command.

show dbg

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display debug information:

fwsm(config)# show dbg
i82557 isr
i82557 queues
ip config
ip open
ip close
ip put
ip get
ip ioctl
ip arpin
ip arpreq
ip in
ip answer
ip route
.
.
.
ci config

Related Commands

debug

show debug

To display the debug information, use the show debug command.

show debug

Syntax Description

This command has no keywords or arguments.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display debug information:

fwsm(config)# show debug

Related Commands

debug

show dhcpd

To display the binding and statistics information associated with all of the dhcpd commands, use the show dhcpd command.

show dhcpd [binding | statistics]

Syntax Description

binding

(Optional) Displays binding information for a given server IP address and its associated client hardware address and lease length.

statistics

(Optional) Displays statistical information, such as the address pool, number of bindings, malformed messages, sent messages, and received messages.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example show how to display DHCPD statistics:

fwsm/context_name(config)# show dhcpd statistics

Related Commandsdhcpd

dhcpd
dhcprelay

show dhcprelay

To display the Dynamic Host Configuration Protocol (DHCP) relay statistics, use the show dhcprelay command.

show dhcprelay [statistics]

Syntax Description

statistics

(Optional) Displays counters for the packets that are relayed by the DHCP relay agent.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The output of the show dhcprelay command increments until you enter the clear dhcprelay statistics command.

Examples

This example show how to display DHCPD statistics:

fwsm/context_name(config)# show dhcprelay

Related Commands

clear dhcprelay
dhcpd
dhcprelay

show disk

To display the information about the disk file system, use the show disk command.

show disk all | filesys

Syntax Description

all

Displays all files in the file system and the geometry of the partitions.

filesys

Displays only the geometry of the partitions.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display the disk file system information:

fwsm(config)# show disk
-#- --length-- -----date/time------ path
  1 1519       10:03:50 Jul 14 2003   my_context.cfg
  2 1516       10:04:02 Jul 14 2003   my_context.cfg
  3 1516       10:01:34 Jul 14 2003   admin.cfg

60973056 bytes available (12288 bytes used)

This example shows how to display all disk file system information and the partition information:

fwsm(config)# show disk all
-#- --length-- -----date/time------ path
  1 1519       10:03:50 Jul 14 2003   my_context.cfg
  2 1516       10:04:02 Jul 14 2003   my_context.cfg
  3 1516       10:01:34 Jul 14 2003   admin.cfg

60973056 bytes available (12288 bytes used)

******** Flash Card Geometry/Format Info ********

COMPACT FLASH CARD GEOMETRY
   Number of Heads:            8
   Number of Cylinders       467
   Sectors per Cylinder       32
   Sector Size               512
   Total Sectors          119552

COMPACT FLASH CARD FORMAT
   Number of FAT Sectors      59
   Sectors Per Cluster         8
   Number of Clusters      14889
   Number of Data Sectors 119264
   Base Root Sector          119
   Base FAT Sector             1
   Base Data Sector          151

This example shows how to display the partition information:

fwsm(config)# show disk filesys

******** Flash Card Geometry/Format Info ********

COMPACT FLASH CARD GEOMETRY
   Number of Heads:            8
   Number of Cylinders       467
   Sectors per Cylinder       32
   Sector Size               512
   Total Sectors          119552

COMPACT FLASH CARD FORMAT
   Number of FAT Sectors      59
   Sectors Per Cluster         8
   Number of Clusters      14889
   Number of Data Sectors 119264
   Base Root Sector          119
   Base FAT Sector             1
   Base Data Sector          151
: Saved

show dispatch stats

To display all the dispatch layer statistics, use the show dispatch stats command.

show dispatch stats [funcid]

Syntax Description

funcid

(Optional) Specifies the dispatch layer statistics function ID.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display the dispatch statistics table:

fwsm(config)# show dispatch stats

Dispatch Level Stats:
Total pkts received                        :         4855
Total bytes received                       :       332519
Total pkts dropped                         :            0
Total Control Channels Created             :            0
Total primary_sessions_created             :            0
Total secondary_sessions_created Created   :            0
Total sessions freed                       :            0
Total embryonic sessions created           :            0
Total session moved to full open           :            0
Total embryonic session timeouts           :            0
Total zombie created                       :            0
Total zombie reused                        :            0
Total zombie freed                         :            0
Max conn hash chain length                 :            0
Total delete indications Received          :            0
Total buffer overflow count                :            0
Total url filtering connections        :            0

Fixup Error Stats:
Invalid Ethernet Type                      :            0
Packet Received in Indication              :            0
Invalid TLV Length                         :            0
Unknown TLV                                :            0
Invalid Packet Length                      :            0
Invalid L4 protocol in packet              :            0
Invalid conn ptr in indication             :            0
Unsolicited delete indication              :            0
Host object lookup failure for indication  :            0
Invalid internal interface in indication   :            0
Invalid PIF in session info TLV            :            0
Conn lookup failure for delte indication   :            0
Fragments received for missing conn object :            0
Session ID mismatch existing connection    :            0
Xlate ID mismatch for existing connnection :            0
Packets received for deleted connections   :            0

Connection object allocation failures      :            0
Host object allocation failures            :            0
Xlate allocation failures                  :            0
Xlate missing for conn                     :            0
full open in zombie                        :            0
Junk pointer in session TLV                        :            0
error in setting VCID                        :            0

Related Commands

clear dispatch stats

show dispatch table

To display all the dispatch layer statistics, use the show dispatch table command.

show dispatch table

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display the dispatch statistics table:

fwsm(config)# show dispatch table
------------------------------------------------------------------------
                            NAT TABLE ENTRIES
 FID     CBACK FUNC    QUEUE       Channel    MAX_CONN   LINK STATUS
------------------------------------------------------------------------
   1      url_filter  TASK SWITCH    f682d0         1000      ACTIVE
   2          domain  FAST SWITCH    f684b0         1000      ACTIVE
   4             ftp  FAST SWITCH    f684b0         1000      ACTIVE
   5            http  TASK SWITCH    f68258         1000      ACTIVE
   6       h323_h225  TASK SWITCH    f68280         1000      ACTIVE
   7        h323_ras  TASK SWITCH    f68398         1000      ACTIVE
   8             ils  FAST SWITCH    f684b0         1000      ACTIVE
   9             rpc  FAST SWITCH    f684b0         1000      ACTIVE
  10             rsh  TASK SWITCH    f68294         1000      ACTIVE
  11            rtsp  TASK SWITCH    f682e4         1000      ACTIVE
  12            smtp  FAST SWITCH    f684b0         1000      ACTIVE
  13          sqlnet  TASK SWITCH    f682a8         1000      ACTIVE
  14             sip  TASK SWITCH    f68320         1000      ACTIVE
  15          skinny  TASK SWITCH    f68334         1000      ACTIVE
  16      udp_domain  FAST SWITCH    f684b0         1000      ACTIVE
  17         rpc_udp  FAST SWITCH    f684b0         1000      ACTIVE
  18           xdmcp  FAST SWITCH    f684b0         1000      ACTIVE
  19         udp_sip  TASK SWITCH    f683fc         1000      ACTIVE
  20         netbios  FAST SWITCH    f684b0         1000      ACTIVE
  21    ftp_filter_command  TASK SWITCH    f68438         1000      ACTIVE
  22    https_filter  TASK SWITCH    f6844c         1000      ACTIVE
  23            mgcp  TASK SWITCH    f68474         1000      ACTIVE
  33    indication handler  TASK SWITCH    f684c4         1000      ACTIVE
  34      AAA/events  TASK SWITCH    f684d8         1000      ACTIVE
  35         np/show  TASK SWITCH    f684ec         1000      ACTIVE
  36    pkt to IPstack  TASK SWITCH    f68500         1000      ACTIVE
  37    syslog_entry  TASK SWITCH    f68514         1000      ACTIVE
  38    fornax_pk_lu_process  TASK SWITCH    f68528         1000      ACTIVE
----------------------------------------------------------------------
                            PAT TABLE ENTRIES

 FID    CBACK FUNC     QUEUE       Channel     MAX_CONN   LINK STATUS
------------------------------------------------------------------------
 129     url_filter  TASK SWITCH    f682d0         1000      ACTIVE
 130         domain  TASK SWITCH    f6830c         1000      ACTIVE
 132            ftp  FAST SWITCH    f684b0         1000      ACTIVE
 133           http  TASK SWITCH    f68258         1000      ACTIVE
 134      h323_h225  TASK SWITCH    f68280         1000      ACTIVE
 135       h323_ras  TASK SWITCH    f68398         1000      ACTIVE
 136            ils  TASK SWITCH    f68348         1000      ACTIVE
 137            rpc  TASK SWITCH    f68460         1000      ACTIVE
 138            rsh  TASK SWITCH    f68294         1000      ACTIVE
 140           smtp  TASK SWITCH    f6826c         1000      ACTIVE
 141         sqlnet  TASK SWITCH    f682a8         1000      ACTIVE
 142            sip  TASK SWITCH    f68320         1000      ACTIVE
 143         skinny  TASK SWITCH    f68334         1000      ACTIVE
 144     udp_domain  TASK SWITCH    f68410         1000      ACTIVE
 145        rpc_udp  TASK SWITCH    f68370         1000      ACTIVE
 146          xdmcp  TASK SWITCH    f68384         1000      ACTIVE
 147        udp_sip  TASK SWITCH    f683fc         1000      ACTIVE
 148        netbios  TASK SWITCH    f683d4         1000      ACTIVE
 149   ftp_filter_command  TASK SWITCH    f68438         1000      ACTIVE
 150   https_filter  TASK SWITCH    f6844c         1000      ACTIVE
----------------------------------------------------------------------

Related Commands

clear dispatch stats
show dispatch stats

show distance

To display the OSPF route administrative distances based on route type, use the show distance command.

show distance

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode

Access Location: system command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display OSPF route administrative distances:

fwsm(config)# show distance

Related Commands

distance (router submode)
router ospf
show ip ospf

show domain-name

To display the IPSec domain name, use the show domain-name command.

show domain-name name

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The domain-name command allows you to change the IPSec domain name.


Note The change of the domain name causes the change of the fully qualified domain name. Once the fully qualified domain name is changed, delete the RSA key pairs using the ca zeroize rsa command, and delete related certificates using the no ca identity ca_nickname command.


Examples

This example shows how to display the IPSec domain name:

fwsm/context_name(config)# show domain-name example.com

Related Commands

domain-name

show dynamic-map

To display a dynamic crypto map entry, use the show dynamic-map command.

show dynamic-map

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display the dynamic crypto map entries:

fwsm/context_name(config)# show dynamic-map
No crypto map templates found.

Related Commands

crypto dynamic-map
dynamic-map

show enable

To display the password configuration for privilege levels, use the show enable command.

show enable

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display the password configuration:

fwsm/context_name(config)# show enable
enable password 8Ry2YjIyt7RRXU24 encrypted

Related Commands

enable

show established

To display the allowed inbound connections that are based on established connections, use the show established command.

show established

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display inbound connections that are based on established connections:

fwsm/context_name(config)# show established

Related Commands

clear established
established

show failover

To verify the status of the connection and to determine which module is active, use the show failover command.

show failover [statistics | state | interface | history]

Syntax Description

statistics

Displays failover statistics.

state

Displays the failover state of both failover units. The information displayed includes the primary or secondary status of the unit, the Active/Standby status of the unit, and, if a unit is in the failed state, the reason for the failure.

interface

Displays the interface configuration.

history

Displays the configuration history.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.

2.3(1)

Support for the Autostate feature and suspend configuration synchronization were added on the FWSM.


Usage Guidelines

The show failover command allows you to display the dynamic failover information, interface status, and logical interface update status. In the show failover output, the fields have the following values:

Stateful Obj has these values:

Xmit—Indicates the number of packets transmitted.

Xerr—Indicates the number of transmit errors.

Rcv—Indicates the number of packets received.

Rcv—Indicates the number of receive errors.

Each row is for a particular object static count as follows:

General—Indicates the sum of all stateful objects.

Sys cmd—Refers to the logical update system commands, such as login or stay alive.

Up time—Indicates the value for the FWSM up time, which the active FWSM module will pass on to the standby module.

Xlate—Indicates the FWSM translation information.

Tcp conn—Indicates the FWSM dynamic TCP connection information.

Udp conn—Indicates the FWSM dynamic UDP connection information.

ARP tbl—Indicates the FWSM dynamic ARP table information.

RIF tbl—Indicates the dynamic router table information.

The Standby Logical Update Statistics output that is displayed when you use the show failover command describes only the stateful failover. The "xerrs" value does not indicate an error in failover, but rather the number of packet transmit errors.

If you do not enter a failover IP address, the show failover command displays 0.0.0.0 for the IP address, and monitoring of the interfaces remain in a "waiting" state. You must set a failover IP address for failover to work.

Autostate allows the FWSM to quickly detect the failure of the interfaces connecting the real hosts. To allow autostate support on an FWSM interface, you must enable interface monitoring (see the monitor-interface command) on that interface. The switch operating system software informs the FWSM when the first or last physical port has joined or left a VLAN assigned to that FWSM, excluding the FWSM port channel and trunk port to the MSFC.

The FWSM responds to a VLAN down condition by marking the interfaces associated with that VLAN as autostate down. This VLAN is considered as a failed interface for interface monitoring of health status and may cause a failover if the interface policy threshold is met. When suspend configuration configuration is enabled, two interfaces will no longer synchronize the configuration or replicate commands.


Note When suspend configuration synchronization is enabled, interface monitoring and logical interfaces are disabled.


Examples

This example shows how to display failover information. See Table 2-21 for a description of each field.

fwsm(config)# show failover
Failover On
Failover unit Primary
Failover LAN Interface fover Vlan 150
Unit Poll frequency 15 seconds
Interface Poll frequency 15 seconds
Interface Policy 50%
Monitored Interfaces 249 of 250 maximum
Config sync: active
Last Failover at: 10:58:08 Apr 15 2004
        This host: Primary - Active 
                Active time: 2232 (sec)
                admin Interface inside (10.6.8.91): Normal 
                admin Interface outside (70.1.1.2): Normal 
        Other host: Secondary - Standby 
                Active time: 0 (sec)
                admin Interface inside (10.6.8.100): Normal 
                admin Interface outside (70.1.1.3): Normal 

Stateful Failover Logical Update Statistics
        Link : Luifc Vlan 151
        Stateful Obj    xmit       xerr       rcv        rerr
        General         0          0          0          0
        sys cmd         0          0          0          0
        up time         0          0          0          0
        xlate           0          0          0          0
        tcp conn        0          0          0          0
        udp conn        0          0          0          0
        ARP tbl         0          0          0          0
        RIP Tbl         0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       0       0
        Xmit Q:         0       0       0

Table 2-21 describes the show failover output.

Table 2-21 Show Failover Display Description 

Field
Options

Failover

On

Off

Failover Unit

Primary

Secondary

Failover LAN Interface

Shows the interface name and VLAN for the failover link:

interface_name vlan number

If you have not configured the failover interface, the display shows:

Not configured

Unit Poll frequency

n seconds

The number of seconds that you set with the failover poll unit command. The default is 15 seconds.

Interface Poll frequency

n seconds

The number of seconds that you set with the failover poll interface command. The default is 15 seconds.

Interface Policy

n[%]

The threshold for interface failure that you set with the failover interface-policy command. The default is 50%.

Monitored Interfaces

n of 250 maximum

The number of interfaces that you are monitoring.

Config sync

Active—Configuration synchronization is active on the FWSM

Suspended—Configuration synchronization has been suspended or disabled on the FWSM

Last Failover

The last time that a failover occurred.

This host:

Other host:

For each host, the display shows the following information.

Primary or Secondary

Active—The unit is in active mode.

Standby—The unit is in standby mode,

Disabled—The unit has failover disabled, or the failover link is not configured.

Listen—The unit is attempting to discover an active unit by listening for polling messages.

Learn—The unit detected an active unit, and is not synchronizing the configuration before going to standby mode.

Failed—The unit is failed.

Active time:

n (sec)

The amount of time that the unit has been in the active state. This time is cumulative, so the standby unit, if it was active in the past, will also show a value.

[context_name] Interface name (n.n.n.n):

For each interface, the display shows the IP address currently being used on each unit, as well as one of the following conditions:

Failed—The interface has failed.

Link Down—The interface line protocol is down.

Normal—The interface is working correctly.

No Link—The interface has been administratively shut down.

Unknown—The FWSM cannot determine the status of the interface.

(Waiting)—The interface has not yet received any polling messages from the other unit.

(Autostate Down)—The interface is marked as autostate down.

Testing—The interface is being tested.

In multiple context mode, the context name appears before each interface.

Stateful Failover Logical Update Statistics

The following fields relate to the stateful failover feature. If the Link field shows an interface name, the stateful failover statistics are shown.

Link

interface_name—The interface used for the stateful failover link.

Unconfigured—You are not using stateful failover.

Stateful Obj

For each field type, the following statistics are used:

xmit—Number of transmitted packets to the other unit.

xerr—Number of errors that occurred while transmitting packets to the other unit.

rcv—Number of received packets.

rerr—Number of errors that occurred while receiving packets from the other unit.

General

Sum of all stateful objects.

sys cmd

Logical update system commands; for example, LOGIN and Stay Alive.

up time

Up time, which the active unit passes to the standby unit.

xlate

Translation information.

tcp conn

TCP connection information.

udp conn

Dynamic UDP connection information.

ARP tbl

Dynamic ARP table information.

RIP Tbl

Dynamic router table information.

Logical Update Queue Information

For each field type, the following statistics are used:

Cur—Current number of packets

Max—Maximum number of packets

Total—Total number of packets

Recv Q

Status of the receive queue.

Xmit Q

Status of the transmit queue.


Related Commands

clear failover

failover

failover interface ip

failover interface-policy

failover lan interface

failover lan unit

failover link

failover polltime

failover reset

monitor-interface

show failover

write standby

show file

To display the information about the file system, use the show file command.

show file descriptors | system

Syntax Description

descriptors

Displays all open file descriptors.

system

Displays the size, bytes available, type of media, flags, and prefix information about the disk file system.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display the file system information:

fwsm(config)# show file descriptors
No open file descriptors
fwsm(config)# show file system
File Systems:
   Size(b)     Free(b)    Type  Flags  Prefixes
* 60985344    60973056    disk    rw     disk:

Related Commands

cd

copy disk

copy flash

copy tftp

copy tftp

dir

format

mkdir

more

pwd

rename

rmdir

show filter

To display the URL, Java, or HTTPS filtering information, use the show filter command.

show filter

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display filtering information:

fwsm/context_name(config)# show filter

Related Commands

clear filter

filter ftp

filter https

filter url

show firewall

To display the FWSM mode, use the show firewall command.

show firewall [transparent]

Syntax Description

transparent

(Optional) Specifies the transparent mode.


This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display the firewall mode:

fwsm(config)# show firewall
Firewall mode: Router

Related Commands

clear firewall

firewall

show fixup

To display the fixup configuration and port values, use the show fixup command.

show fixup

show fixup protocol  {protocol [protocol] | mgcp}

Syntax Description

protocol protocol

(Optional) Displays the port values for the protocol specified.

mgcp

(Optional) Displays the configured MGCP fixups.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The show fixup command allows you to display the current fixup configuration and port values.

The show fixup protocol  protocol [protocol] command allows you to display the port values for the individual protocol specified.

The show fixup protocol mgcp command allows you to display the configured MGCP fixups.

Examples

This example shows how to display the current fixup configuration and port values:

fwsm(config)# show fixup
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol pptp 1723
fixup protocol sip udp 5060

This example shows the configured MGCP fixups:

fwsm(config)# show fixup protocol mgcp
fixup protocol mgcp 2427
fixup protocol mgcp 2727

Related Commands

clear fixup
fixup protocol

show flashfs

To display the file system information, use the show flashfs command.

show flashfs

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The show flashfs command displays the size in bytes of each file system sector and the current state of the file system. The data in each sector is as follows:

file 0—FWSM binary image, where the .bin file is stored.

file 1—FWSM configuration data that you can view with the show config command.

file 2—FWSM data file that stores IPSec key and certificate information.

file 3—flashfs downgrade information for the show flashfs command.

file 4—The compressed FWSM image size in the Flash partition.

The origin values are integer multiples of the underlying file system sector size.

Examples

This example shows how to display file system information:

fwsm(config)# show flashfs
flash file system:  version:2  magic:0x12345679
  file 0: origin:       0 length:1511480
  file 1: origin: 2883584 length:3264
  file 2: origin:       0 length:0
  file 3: origin: 3014656 length:4444164
  file 4: origin: 8257536 length:280

Related Commands

clear floodguard
clear flashfs
no flashfs

show floodguard

To display the flood guard status, use the show floodguard command.

show floodguard

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display the flood guard status:

fwsm/context_name(config)# show floodguard
floodguard enable

Related Commands

clear floodguard
floodguard

show fragment

To display the states of the fragment databases, use the show fragment command.

show fragment [interface]

Syntax Description

interface

(Optional) FWSM interface.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The show fragment command allows you to display the states of the fragment databases. If you specify the interface name, only information for the database residing at the specified interface is displayed. If you do not specify the interface name, the command will apply to all interfaces.

Use the show fragment command to display this information:

State of the fragment database.

Size—Maximum number of packets set by the size keyword. This value is the maximum number of fragments that are allowed on the interface. (Max_Block)

Chain—Maximum number of fragments for a single packet set by the chain keyword. (Max_Block_Chain)

Timeout—Maximum number of seconds set by the timeout keyword. This value is the time that you allow the fragments to exist in the system per interface before they are deleted by the garbage collection process.

Queue—Number of packets currently awaiting reassembly. This value specifies the actual number of fragments that have been received on the interface. (Block_Queued)

Assemble—Number of packets successfully reassembled. This counter is not used because the FWSM is providing virtual reassembly of packets.

Fail—Number of packets that failed to be reassembled. This error counter is incremented when bad fragments are received.

Overflow—Number of packets that overflowed the fragment database. This counter is incremented when the limit that you specify for fragmented packets crossing the interface is reached.

Examples

This example shows how to display the states of the fragment databases:

fwsm(config)# show fragment outside
Interface:outside
Size:2000, Chain:45, Timeout:10
Queue:1060, Assemble:809, Fail:0, Overflow:0

Related Commands

clear fragment
fragment

show ftp

To display the FTP mode, use the show ftp command.

show ftp

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display the FTP mode:

fwsm(config)# show ftp
ftp mode passive

Related Commands

clear ftp
ftp mode

show gc

To display the garbage collection process statistics, use the show gc command.

show gc

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display garbage collection process statistics:

fwsm(config)# show gc

Garbage collection process stats:
Total tcp conn delete response             :            0
Total udp conn delete response             :            0
Total number of zombie cleaned             :            0
Total number of embryonic conn cleaned     :            0
Total error response                       :            0
Total queries generated                    :            0
Total queries with conn present response   :            0
Total number of sweeps                     :          946
Total number of invalid vcid               :            0
Total number of zombie vcid                :            0

Related Commands

clear gc

show global

To display the global commands in the configuration, use the show global command.

show global

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display the global commands:

fwsm/context_name(config)# show global

Related Commands

clear global

global

show h225

To display the H225 statistics, use the show h225 command.

show h225

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display the H225 statistics:

fwsm/context_name(config)# show h225
Total: 0
        LOCAL           TPKT    FOREIGN         TPKT

Related Commands

show h245
show h323-ras

show h245

To display the H245 statistics, use the show h245 command.

show h245

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This command shows how to display the H245 statistics:

fwsm/context_name(config)# show h245
Total: 0
        LOCAL           TPKT    FOREIGN         TPKT

Related Commands

show h225
show h323-ras

show h323-ras

To display the H323-ras statistics, use the show h323-ras command.

show h323-ras

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This command shows how to display the H323-ras statistics:

fwsm/context_name(config)# show h323-ras
Total: 0
        GK              Caller

Related Commands

show h225
show h245

show history

To display the previously entered commands, use the show history command.

show history

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: Unprivileged

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The show history command allows you to display previously entered commands. You can examine commands individually with the up and down arrows, enter ^p to display previously entered lines, or enter ^n to display the next line.

Examples

This example shows how to display previously entered commands when you are in unprivileged mode:

fwsm> show history
show history
help
show history

This example shows how to display previously entered commands when you are in privileged mode:

fwsm/context_name(config)# show history
show history
help
show history
enable
show history

This example shows how to display previously entered commands when you are in configuration mode:

fwsm(config)# show history
show history
help
show history
enable
show history
config t show history

show hostname

To display the host name in the FWSM command line prompt, use the show hostname command.

show hostname

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display a host name:

fwsm(config)# show hostname 
fwsm(config)# 

Related Commands

hostname
clear hostname

show http

To display the HTTP server information, use the show http command.

show http

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display HTTP server information:

fwsm/context_name(config)# show http
http server disabled

Related Commands

clear http
http

show hw

To display the FWSM hardware version, use the show hw command.

show hw

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display the FWSM hardware version:

fwsm/context_name(config)# show hw

FWSM Firewall Version 2.2(0)141

c6000-fwm-2-1-0-141  #126: Wed Jun 18 16:31:27 MDT 2003
    msgreene@boulder-view3:/users/msgreene/projects/firecat/mainline/XFWSM/obj

sw8fx1 up 1 hour 9 mins
Configuration last modified by enable_15 at 12:46:55 Jul 18 2003

Related Commands

show version

show icmp

To display the ICMP information, use the show icmp command.

show icmp

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display ICMP information:

fwsm/context_name(config)# show icmp
icmp permit any mgmt

Related Commands

icmp
clear icmp

show igmp

To display the Internet Group Management Protocol (IGMP) information for a multicast group, whether statically configured or dynamically created, use the show igmp command.

show igmp [group | interface interface_name] [detail]

Syntax Description

group

(Optional) Address of the multicast group to join.

interface interface_name

(Optional) Specifies the name of the interface to display information.

detail

(Optional) Displays all information in the IGMP table.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode

Access Location: System

Command Mode: Global

Command History

Release
Modification
 

Support for this command was introduced on the FWSM.


Examples

This example shows how to display the IGMP information for a multicast group:

fwsm(config)# show igmp 

  IGMP is enabled on interface inside
  Current IGMP version is 2
  IGMP query interval is 60 seconds
  IGMP querier timeout is 125 seconds
  IGMP max query response time is 10 seconds
  Last member query response interval is 1 seconds
  Inbound IGMP access group is 
  IGMP activity: 0 joins, 0 leaves
  IGMP querying router is 10.1.3.1 (this system)

  IGMP Connected Group Membership
   Group Address    Interface            Uptime    Expires   Last Reported

Related Commands

show multicast

show ignore lsa mospf

To display the link-state advertisement (LSA) for type 6 Multicast OSPF (MOSPF) packets that you did not want sent to the syslog, use the show ignore lsa mospf subcommand.

show ignore lsa mospf

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode

Access Location: context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display the link-state advertisement (LSA) for type 6 Multicast OSPF (MOSPF) packets that you do not want to syslog:

fwsm/context_name(config)# show ignore lsa mospf

Related Commands

ignore lsa mospf (router ospf submode)
router ospf
show ip ospf

show interface

To display the information about the VLAN configuration, use the show interface command.

show interface [interface] [running-config | detail | stats | {ip [brief]}]

Syntax Description

interface

(Optional) Interface; see the "Usage Guidelines" section for additional information.

running-config

(Optional) Displays the interface running configuration.

detail

(Optional) Displays the interface configuration details.

stats

(Optional) Displays the interface statistics.

ip

(Optional) Displays information about the interface IP configuration.

brief

(Optional) Displays compacted information about the interface IP configuration.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

You can use this command to display the status of interfaces. You can specify the id (as either the VLAN or the mapped name) or the name of the interface. The interface argument identifies a particular interface.

The dropped packets statistic in the display shows a record of those packets that arrived on the interface, but were not destined for the FWSM. These packets include traffic flooded by the switch, multicast and broadcast traffic (unless the FWSM is configured to relay those) and packets that fail sanity checks such as incorrect IP length versus Layer 2 length or checksums. This counter does not record packets dropped by the security policy.

Examples

This example shows how to display the interface activity:

fwsm(config)# show interface
Interface int450 "", is administratively down, line protocol is up
        Available but not configured via nameif
Interface int901 "share1", is administratively down, line protocol is down
        Available but not assigned from Supervisor
        MAC address 0005.9a38.7400, MTU 1500
        IP address 1.1.1.1, subnet mask 255.255.0.0
                Received 0 packets, 0 bytes
                Transmitted 0 packets, 0 bytes
                Dropped 0 packets
Interface int902 "", is administratively down, line protocol is down
        Available but not assigned from Supervisor or configured via nameif
Interface Vlan10 "mgmt", is up, line protocol is up
        MAC address 0005.9a38.7400, MTU 1500
        IP address 10.7.12.1, subnet mask 255.255.0.0
                Received 565 packets, 109547 bytes
                Transmitted 0 packets, 0 bytes
                Dropped 812 packets
Interface Vlan40 "outside", is administratively down, line protocol is up
        MAC address 0005.9a38.7400, MTU 1500
        IP address 40.7.12.1, subnet mask 255.255.0.0
                Received 0 packets, 0 bytes
                Transmitted 0 packets, 0 bytes
                Dropped 0 packets
Interface Vlan41 "inside", is administratively down, line protocol is down
        MAC address 0005.9a38.7400, MTU 1500
        IP address 41.7.12.1, subnet mask 255.255.0.0
                Received 0 packets, 0 bytes
                Transmitted 0 packets, 0 bytes
                Dropped 0 packets
In this context:
int450 = vlan450 - trunked from the cat6k, but no nameif has been done
int901 = vlan901 - NOT trunked from cat6k and a nameif has been done
int902 = vlan902 - NOT trunked from cat6k but no nameif has been done
vlan10 - trunked and nameif'd
vlan40 - trunked and namei'd, but shut
vlan41 - trunked and nameif'd, but the vlan has been shut from system.
fwsm(config)# 

This example shows how to display the interface statistics:

fwsm(config)# show interface vlan10 stats
Interface vlan10 "", is administratively down, line protocol is up
        MAC address 0000.0000.0000, MTU 0
        IP address 127.0.0.1, subnet mask 255.255.255.255
                Received 0 packets, 0 bytes
                Transmitted 0 packets, 0 bytes
                Dropped 0 packets

Related Commands

clear interface stats
interface

show ip address

To display the IP addresses that are assigned to the network interfaces, use the show ip address command.

show ip address [interface_name]

Syntax Description

interface_name

(Optional) Interface name to display detailed information; valid values are dhcp and pppoe.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The dhcp keyword displays detailed information about the Dynamic Host Configuration Protocol (DHCP) lease.

The pppoe keyword displays detailed information about the Point-to-Point Protocol Over Ethernet (PPPOE) connection.

Examples

This example shows how to display the IP addresses assigned to the network interfaces:

fwsm(config)# show ip address
System IP Addresses:
        ip address outside 209.165.201.2 255.255.255.224
        ip address inside 192.168.2.1 255.255.255.0
        ip address perimeter 192.168.70.3 255.255.255.0
Current IP Addresses:
        ip address outside 209.165.201.2 255.255.255.224
        ip address inside 192.168.2.1 255.255.255.0
        ip address perimeter 192.168.70.3 255.255.255.0

The current IP addresses are the same as the system IP addresses on the failover active module. When the primary module fails, the current IP addresses become the IP addresses of the standby module.

Related Commands

clear ip address

clear ip verify reverse-path

ip address

ip prefix-list

ip verify reverse-path

show ip address

show ip verify

show ip ospf

To display the general information about the OSPF routing processes, use the show ip ospf command.

show ip ospf [pid]

Syntax Description

pid

(Optional) ID of the OSPF process.


Defaults

Lists all OSPF processes if no pid is specified.

Command Modes

Security Context Mode: single context mode

Access Location: system and context command line

Command Mode: configuration and privileged mode

Firewall Mode: Routed

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The OSPF routing-related show commands are available in privileged mode on the FWSM. You do not need to be in an OSPF configuration submode to use the OSPF-related show commands.

If the pid is included, only information for the specified routing process is included.

Examples

These examples show how to display general information about the OSPF routing processes:

fwsm(config)# show ip ospf 5
 Routing Process "ospf 5" with ID 127.0.0.1 and Domain ID 0.0.0.5
 Supports only single TOS(TOS0) routes
 Supports opaque LSA
 SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
 Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
 Number of external LSA 0. Checksum Sum 0x     0
 Number of opaque AS LSA 0. Checksum Sum 0x     0
 Number of DCbitless external and opaque AS LSA 0
 Number of DoNotAge external and opaque AS LSA 0
 Number of areas in this router is 0. 0 normal 0 stub 0 nssa
 External flood list length 0
fwsm(config)# show ip ospf
 Routing Process "ospf 5" with ID 127.0.0.1 and Domain ID 0.0.0.5
 Supports only single TOS(TOS0) routes
 Supports opaque LSA
 SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
 Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
 Number of external LSA 0. Checksum Sum 0x     0
 Number of opaque AS LSA 0. Checksum Sum 0x     0
 Number of DCbitless external and opaque AS LSA 0
 Number of DoNotAge external and opaque AS LSA 0
 Number of areas in this router is 0. 0 normal 0 stub 0 nssa
 External flood list length 0

 Routing Process "ospf 12" with ID 172.23.59.232 and Domain ID 0.0.0.12
 Supports only single TOS(TOS0) routes
 Supports opaque LSA
 SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
 Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
 Number of external LSA 0. Checksum Sum 0x     0
 Number of opaque AS LSA 0. Checksum Sum 0x     0
 Number of DCbitless external and opaque AS LSA 0
 Number of DoNotAge external and opaque AS LSA 0
 Number of areas in this router is 0. 0 normal 0 stub 0 nssa
 External flood list length 0

Related Commands

clear ip ospf
ospf (interface submode)
route-map
router ospf
routing interface
show ip ospf border-routers
show ip ospf database
show ip ospf flood-list
show ip ospf interface
show ip ospf neighbor
show ip ospf request-list
show ip ospf retransmission-list
show ip ospf summary-address
show ip ospf virtual-links
show routing

show ip ospf border-routers

To display the internal OSPF routing table entries to an area border router (ABR) and autonomous system boundary router (ASBR), use the show ip ospf border-routers command.

show ip ospf border-routers

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode

Access Location: system and context command line

Command Mode: configuration and privileged mode

Firewall Mode: Routed

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The OSPF routing-related show commands are available in privileged mode on the FWSM. You do not need to be in an OSPF configuration submode to use the OSPF-related show commands.

Examples

This example shows how to display the internal OSPF routing table entries to an ABR and ASBR:

fwsm/context_name(config)# show ip ospf border-routers
OSPF Process 5 internal Routing Table
Codes: i - Intra-area route, I - Inter-area route
OSPF Process 12 internal Routing Table
Codes: i - Intra-area route, I - Inter-area route

Related Commands

clear ip ospf
ospf (interface submode)
route-map
router ospf
routing interface
show ip ospf database
show ip ospf flood-list
show ip ospf interface
show ip ospf neighbor
show ip ospf request-list
show ip ospf retransmission-list
show ip ospf summary-address
show ip ospf virtual-links
show routing

show ip ospf database

To display the lists of information that are related to the Open Shortest Path First (OSPF) database for a specific router, use the show ip ospf database command.

show ip ospf [pid] database [internal] [adv-router [addr]]

show ip ospf [pid [area_id]] database [internal] [self-originate] [lsid]

show ip ospf [pid [area_id]] database {router | network | summary | asbr-summary | external | nssa-external | database-summary}

Syntax Description

pid

(Optional) ID of the OSPF process.

database

Displays the database information.

internal

(Optional) Displays the routes that are internal to a specified autonomous system.

adv-router

(Optional) Displays the advertised router.

addr

(Optional) Router address.

area_id

(Optional) ID of the area that is associated with the OSPF address range.

self-originate

(Optional) Displays the information for the specified autonomous system.

lsid

(Optional) LSA ID.

router

(Optional) Displays the router.

network

(Optional) Displays the OSPF database information about the network.

summary

(Optional) Displays a summary of the list.

asbr-summary

(Optional) Displays an ASBR list summary.

external

(Optional) Displays the routes external to a specified autonomous system.

nssa-external

(Optional) Displays the external not-so-stubby-area list.

database-summary

(Optional) Displays the complete database summary list.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode

Access Location: system and context command line

Command Mode: configuration and privileged mode

Firewall Mode: Routed

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The OSPF routing-related show commands are available in privileged mode on the FWSM. You do not need to be in an OSPF configuration submode to use the OSPF-related show commands.

The various forms of this command deliver information about different OSPF LSAs.

If you intend to associate the areas with IP subnets, you can specify a subnet address as the area_id using the following guidelines:

When used in the context of authentication, area_id is the identifier of the area on which authentication is to be enabled.

When using a cost context, area_id is the identifier for the stub or not-so-stubby are (NSSA).

When used in the context of a prefix list, area_id is the identifier of the area on which filtering is configured.

When used in a stub area or NSSA context, area_id is the identifier for the stub or NSSA area.

When used in the context of an area range, area_id is the identifier of the area at whose boundary to summarize routes.

Examples

This example shows how to display the lists of information that are related to the OSPF database for a specific router:

fwsm/context_name(config)# show ip ospf database router
OSPF Router with ID (127.0.0.1) (Process ID 5)
OSPF Router with ID (172.23.59.232) (Process ID 12)

Related Commands

clear ip ospf
ospf (interface submode)
route-map
router ospf
routing interface
show ip ospf border-routers
show ip ospf flood-list
show ip ospf interface
show ip ospf neighbor
show ip ospf request-list
show ip ospf retransmission-list
show ip ospf summary-address
show ip ospf virtual-links
show routing

show ip ospf flood-list

To display a list of OSPF link-state advertisements (LSAs) waiting to be flooded over an interface, use the show ip ospf flood-list command.

show ip ospf flood-list interface_name

Syntax Description

interface_name

Name of the interface for which to display neighbor information.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode

Access Location: system and context command line

Command Mode: configuration and privileged mode

Firewall Mode: Routed

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The OSPF routing-related show commands are available in privileged mode on the FWSM. You do not need to be in an OSPF configuration submode to use the OSPF-related show commands.

Examples

This example shows how to display a list of OSPF LSAs waiting to be flooded over an interface:

fwsm/context_name(config)# show ip ospf flood-list outside

Related Commands

clear ip ospf
ospf (interface submode)
route-map
router ospf
routing interface
show ip ospf border-routers
show ip ospf database
show ip ospf interface
show ip ospf neighbor
show ip ospf request-list
show ip ospf retransmission-list
show ip ospf summary-address
show ip ospf virtual-links
show routing

show ip ospf interface

To display the OSPF-related interface information, use the show ip ospf interface command.

show ip ospf interface interface_name

Syntax Description

interface_name

Name of the interface for which to display the OSPF-related information.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode

Access Location: system and context command line

Command Mode: configuration and privileged mode

Firewall Mode: Routed

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The OSPF routing-related show commands are available in privileged mode on the FWSM. You do not need to be in an OSPF configuration submode to use the OSPF-related show commands.

Examples

This example shows how to display the OSPF-related interface information:

fwsm/context_name(config)# show ip ospf interface
fwsm/context_name(config)# show ip ospf interface inside

Related Commands

clear ip ospf
ospf (interface submode)
route-map
router ospf
routing interface
show ip ospf border-routers
show ip ospf database
show ip ospf flood-list
show ip ospf neighbor
show ip ospf request-list
show ip ospf retransmission-list
show ip ospf summary-address
show ip ospf virtual-links
show routing

show ip ospf neighbor

To display the OSPF-neighbor information on a per-interface basis, use the show ip ospf neighbor command.

show ip ospf neighbor [interface_name] [nbr_router_id] [detail]

Syntax Description

interface_name

(Optional) Name of the interface for which to display neighbor information.

nbr_router_id

(Optional) ID of the neighbor router.

detail

(Optional) Lists all neighbors.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode

Access Location: system and context command line

Command Mode: configuration and privileged mode

Firewall Mode: Routed

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The OSPF routing-related show commands are available in privileged mode on the FWSM. You do not need to be in an OSPF configuration submode to use the OSPF-related show commands.

Examples

This example shows how to display the OSPF-neighbor information on a per-interface basis:

fwsm/context_name(config)# show ip ospf neighbor outside detail

Related Commands

clear ip ospf
ospf (interface submode)
route-map
router ospf
routing interface
show ip ospf border-routers
show ip ospf database
show ip ospf flood-list
show ip ospf interface
show ip ospf request-list
show ip ospf retransmission-list
show ip ospf summary-address
show ip ospf virtual-links
show routing

show ip ospf request-list

To display a list of all link-state advertisements (LSAs) that are requested by a router, use the show ip ospf request-list command.

show ip ospf request-list nbr_router_id interface_name

Syntax Description

nbr_router_id

ID of the neighbor router that is specified by its IP address. Displays the list of all LSAs that are requested by the router from this neighbor.

interface_name

Name of the interface for which to display neighbor information. Displays the list of all LSAs that are requested by the router from this interface.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode

Access Location: system and context command line

Command Mode: configuration and privileged mode

Firewall Mode: Routed

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The OSPF routing-related show commands are available in privileged mode on the FWSM. You do not need to be in an OSPF configuration submode to use the OSPF-related show commands.

Examples

This example shows how to display a list of LSAs that are requested by a router:

fwsm/context_name(config)# show ip ospf request-list 172.23.59.232 outside

Related Commands

clear ip ospf
ospf (interface submode)
route-map
router ospf
routing interface
show ip ospf border-routers
show ip ospf database
show ip ospf flood-list
show ip ospf interface
show ip ospf neighbor
show ip ospf retransmission-list
show ip ospf summary-address
show ip ospf virtual-links
show routing

show ip ospf retransmission-list

To display a list of all link-state advertisements (LSAs) waiting to be resent, use the show ip ospf retransmission-list command.

show ip ospf retransmission-list nbr_router_id interface_name

Syntax Description

nbr_router_id

ID of the neighbor router that is specified by its IP address.

interface_name

Name of the interface for which to display neighbor information.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode

Access Location: system and context command line

Command Mode: configuration and privileged mode

Firewall Mode: Routed

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The OSPF routing-related show commands are available in privileged mode on the FWSM. You do not need to be in an OSPF configuration submode to use the OSPF-related show commands.

The nbr_router_id argument displays the list of all LSAs that are waiting to be resent for this interface.

The interface_name argument displays the list of all LSAs that are waiting to be resent for this neighbor.

Examples

This example shows how to display a list of all LSAs that are waiting to be resent:

fwsm/context_name(config)# show ip ospf retransmission-list 173.25.26.201 outside

Related Commands

clear ip ospf
ospf (interface submode)
route-map
router ospf
routing interface
show ip ospf border-routers
show ip ospf database
show ip ospf flood-list
show ip ospf interface
show ip ospf neighbor
show ip ospf request-list
show ip ospf summary-address
show ip ospf virtual-links
show routing

show ip ospf summary-address

To display a list of all summary address redistribution information that is configured under an OSPF process, use the show ip ospf summary-address command.

show ip ospf summary-address

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode

Access Location: system and context command line

Command Mode: configuration and privileged mode

Firewall Mode: Routed

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The OSPF routing-related show commands are available in privileged mode on the FWSM. You do not need to be in an OSPF configuration submode to use the OSPF-related show commands.

Examples

This example shows how to display a list of all summary address redistribution information before a summary address has been configured for an OSPF process with the ID of 5:

fwsm/context_name(config)# show ip ospf 5 summary-address
OSPF Process 5, Summary-address
    Not configured

Related Commands

clear ip ospf
ospf (interface submode)
route-map
router ospf
routing interface
show ip ospf border-routers
show ip ospf database
show ip ospf flood-list
show ip ospf interface
show ip ospf neighbor
show ip ospf request-list
show ip ospf retransmission-list
show ip ospf virtual-links
show routing

show ip ospf virtual-links

To display the parameters and the current state of OSPF virtual links, use the show ip ospf virtual-links command.

show ip ospf virtual-links

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode

Access Location: system and context command line

Command Mode: configuration and privileged mode

Firewall Mode: Routed

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The OSPF routing-related show commands are available in privileged mode on the FWSM. You do not need to be in an OSPF configuration submode to use the OSPF-related show commands.

Examples

This example shows how to display the parameters and the current state of OSPF virtual links:

fwsm/context_name(config)# show ip ospf virtual-links

Related Commands

clear ip ospf
ospf (interface submode)
route-map
router ospf
routing interface
show ip ospf border-routers
show ip ospf database
show ip ospf flood-list
show ip ospf interface
show ip ospf neighbor
show ip ospf request-list
show ip ospf retransmission-list
show ip ospf summary-address
show routing

show ip verify

To display the ingress and egress filtering to verify addressing and route integrity statistics, use the show ip verify command.

show ip verify [reverse-path [interface int_name]]

show ip verify statistics

Syntax Description

reverse-path

(Optional) Displays the egress filters.

interface int_name

(Optional) Name of an interface that you want to display.

statistics

Displays filtering statistics.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display ingress and egress filtering to verify addressing and route integrity statistics:

fwsm(config)# show ip verify statistics
interface outside: 2 unicast rpf drops
interface inside: 1 unicast rpf drops
interface intf2: 3 unicast rpf drops

Related Commands

clear ip verify reverse-path
ip verify reverse-path

show isakmp

To display the Internet Security Association and Key Management Protocol (ISAKMP) identity information, use the show isakmp command.

show isakmp sa [detail]

show isakmp identity

Syntax Description

sa

Displays all current Internet Key Exchange (IKE) security associations between the FWSM and its peer.

detail

(Optional) Displays detailed ISAKMP identity information.

identity

Displays ISAKMP identity information.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

Table 2-22 lists the descriptions for the show isakmp sa detail command output.

Table 2-22 show isakmp Command Output Field Descriptions 

Field
Description

dst

Destination

src

Source

state

Operational state

pending

Pending status

created

When created

Total

Total statistics

Embryonic

Embryonic state

Local

IP address and port of the FWSM on which the command is run (the format is IP_Address:port)

Remote

Peer IP address and port

Encr

Encryption algorithm

Hash

Hash algorithm

Auth

Authorization method (preshared key, or rsa)

State

State of the connection

Lifetime

Time until the rekey or until expiration and deletion


Examples

This example shows how to display identity information after IKE negotiations were successfully completed between the FWSM and its peer:

fwsm/context_name(config)# show isakmp sa
        dst            src         state     pending    created 
    16.132.40.2    16.132.30.2    QM_IDLE        0           1 

This example shows how to display detailed ISAKMP identity information:

fwsm/context_name(config)# show isakmp sa detail
Total     : 1
Embryonic : 0
         Local            Remote          Encr  Hash    Auth  State      Lifetime
   192.168.10.2:4500    192.168.10.5:1178 3des  sha     psk  QM_IDLE       117

This example shows how to display all IKE security associations between the FWSM and its peer:

fwsm/context_name(config)# show isakmp sa
        dst            src         state     pending    created 
    16.132.40.2    16.132.30.2    QM_IDLE        0           1 

show isakmp policy

To display the parameters for each Internet Key Exchange (IKE) policy including the default parameters, use the show isakmp policy command.

show isakmp policy

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display output from the show isakmp policy command after two IKE policies are configured with priorities 70 and 90:

fwsm/context_name(config)# show isakmp policy

Protection suite priority 70
                                                      encryption algorithm:                  DES - Data Encryption Standard (56 bit keys)
                                                      hash algorithm: Message Digest 5
                                                      authentication method:             Rivest-Shamir-Adleman Signature
                                                      Diffie-Hellman group:                   #2 (1024 bit)
                                                      lifetime:                                                    5000 seconds, no volume limit
Protection suite priority 90
                                                      encryption algorithm:                    DES - Data Encryption Standard (56 bit keys)
                                                      hash algorithm: Secure Hash Standard
                                                      authentication method:            Pre-Shared Key
                                                      Diffie-Hellman group:                  #1 (768 bit)
                                                      lifetime:                                                 10000 seconds, no volume limit
Default protection suite
                                                      encryption algorithm:                  DES - Data Encryption Standard (56 bit keys)
                                                      hash algorithm: Secure Hash Standard
                                                      authentication method:            Rivest-Shamir-Adleman Signature
                                                      Diffie-Hellman group:                  #1 (768 bit)
                                                      lifetime:                                                86400 seconds, no volume limit


Note Although the output shows "no volume limit" for the lifetimes, you can configure only a time lifetime (such as 86,400 seconds); the volume limit lifetimes are not configurable.


Examples

This example shows sample output from the show isakmp and show isakmp policy commands for a configuration using Diffie-Hellman group 5 in its ISAKMP policy:

fwsm/context_name(config)# show isakmp
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 5
isakmp policy 1 lifetime 86400

fwsm/context_name(config)# show isakmp policy
Protection suite of priority 8
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit

show local-host

To display the network states of local hosts, use the show local-host command.

show local-host [ip_address] [detail]

Syntax Description

ip_address

(Optional) Local host IP address.

detail

(Optional) Displays the detailed network states of local host information.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration and privileged mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.

2.2(1)

This command was modified to support UDP maximum connections for local hosts.


Usage Guidelines


Note Beginning with Release 2.3, using the show local host command is not a reliable method for monitoring the rate of SYN attacks.


The show local-host command allows you to display the network states of local hosts. Local hosts are any hosts on the same subnet as an internal FWSM interface (not the outside interface).

This command allows you to show the translation and connection slots for the local hosts or stop all traffic on these hosts. This command provides information for hosts that are configured with the nat 0 command when normal translation and connection states may not apply.

The show local-host detail command displays more information about active xlates and connections.

Use the ip_address argument to limit the display to a single host.

This command displays the maximum connection value for the UDP protocol. Every time the UPD maximum connection value is not set, the value will be displayed as 0 by default and will not be applied.

In the event of a syn attack (with TCP intercept configured), the show local-host command output includes the number of intercepted connections in the usage count. This field typically displays only full open connections.

Examples

This example shows how to display the network states of local hosts:

fwsm/context_name(config)# show local-host 10.1.1.15
local host: <10.1.1.15>, conn(s)/limit = 2/0, embryonic(s)/limit = 0/0
   Xlate(s):
       PAT Global 172.16.3.200(1024) Local 10.1.1.15(55812) 
       PAT Global 172.16.3.200(1025) Local 10.1.1.15(56836) 
       PAT Global 172.16.3.200(1026) Local 10.1.1.15(57092) 
       PAT Global 172.16.3.200(1027) Local 10.1.1.15(56324) 
       PAT Global 172.16.3.200(1028) Local 10.1.1.15(7104) 
   Conn(s):
       TCP out 192.150.49.10:23 in 10.1.1.15:1246 idle 0:00:20 Bytes 449 flags UIO
       TCP out 192.150.49.10:21 in 10.1.1.15:1247 idle 0:00:10 Bytes 359 flags UIO

The xlate describes the translation slot information, and the Conn is the connection state information.

This example shows how to display the detailed network state of local host information:

fwsm/context_name(config)# show local-host detail                             
     local host: <10.1.1.15>, conn(s)/limit = 2/0, embryonic(s)/limit = 0/0  
         Xlate(s):                                                           
             TCP PAT from inside:10.1.1.15/1026 to outside:192.150.49.1/1024 
                       flags ri                                              
             ICMP PAT from inside:10.1.1.15/21505 to outside:192.150.49.1/0  
                       flags ri                                              
             UDP PAT from inside:10.1.1.15/1028 to outside:192.150.49.1/1024 
                       flags ri                                              
         Conn(s):                                                            
             TCP outside:192.150.49.10/23 inside:10.1.1.15/1026 flags UIO    
             UDP outside:192.150.49.10/31649 inside:10.1.1.15/1028 flags dD  

Related Commands

clear local-host

show log-adj-changes

To display the syslog message that are sent by the router when an OSPF neighbor goes up or down, use the show log-adj-changes subcommand.

show log-adj-changes [detail]

Syntax Description

detail

(Optional) Sends a syslog message for each state change, not just when a neighbor goes up or down.


Defaults

Enable

Command Modes

Security Context Mode: single context mode

Access Location: system and context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The show log-adj-changes subcommand is enabled by default, but the show log-adj-changes subcommand is only displayed in the OSPF configuration when you specify the detail keyword or when you disable the feature.

Examples

This example shows how to display syslog message that are sent by the router when an OSPF neighbor goes up or down:

fwsm(config)# show log-adj-changes

Related Commands

log-adj-changes (router ospf submode)
router ospf
show ip ospf

show logging

To display the enabled logging options, use the show logging command.

show logging message {syslog_id | all} | level | disabled}

show logging queue

Syntax Description

message

Displays the syslog messages.

syslog_id

Message number to display.

all

Displays all syslog message IDs.

level

Displays the logging level.

disabled

Displays the suppressed syslog messages.

queue

Displays the syslog message queue.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

If the logging buffered command is in use, the show logging command allows you to display the current message buffer. The show logging disabled command displays suppressed syslog messages.

The show message disabled command allows you to list the suppressed messages. All syslog messages are permitted unless explicitly disallowed. You cannot block the "FWSM Startup begin" message, and you cannot block more than one message per command.

If a message is listed in syslog as   %FWSM-1-101001, use "101001" as the syslog_id.


Note Refer to the Catalyst 6500 Series Switch and Cisco 7600 Series Internet Router Firewall Services Module System Message Guide for message numbers.


The show logging queue command allows you to display the following:

Number of messages that are in the queue

Highest number of messages recorded that are in the queue

Number of messages that are discarded because block memory was not available to process them

Examples

This example shows how to display the enabled logging options:

fwsm(config)# show logging 
Syslog logging: enabled
                           Timestamp logging: disabled
                           Console logging: disabled
                           Monitor logging: disabled
                           Buffer logging: level debugging, 37 messages logged
                           Trap logging: disabled
305001: Portmapped translation built for gaddr 209.165.201.5/0 laddr 192.168.1.2/256
...

The line of output starting with 305001 shows a translation to a PAT global through global address 209.165.201.5 from a host at 192.168.1.2. The "305001" identifies a syslog message for creating a translation through a PAT global.

This example shows sample output from the show logging command with the logging device-id hostname command configured on a host named fwsm-1:

fwsm(config)# logging device-id hostname
fwsm(config)# show logging
Syslog logging: disabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Console logging: level debugging, 0 messages logged
Monitor logging: level debugging, 0 messages logged
Buffer logging: disabled
Trap logging: disabled
History logging: disabled
Device ID: hostname "fwsm-1"

Related Commands

clear logging
logging

show logging rate-limit

To display the disallowed messages to the original set, use the show logging rate-limit command.

show logging rate-limit

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

After the information is cleared, nothing more displays until the hosts reestablish their connections.

Examples

This example shows how to display the disallowed messages:

fwsm/context_name(config)# show logging rate-limit

Related Commands

clear logging

show mac-address interface

To display the information about the MAC-address on an interface, use the show mac-address interface command.

show mac-address interface ifname

Syntax Description

ifname

Interface name.


Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration and privileged mode

Firewall Mode: transparent firewall mode

Command History

Release
Modification

2.3(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display information abou the MAC-address on an interface:

fwsm(config)# show mac-address interface 4

Related Commands

clear mac-address-table
mac-address-table aging-time
mac-address-table static

show mac-address-table

To display the information about the MAC-address table, use the show mac-address-table command.

show mac-address-table [static] [count]

Syntax Description

static

(Optional) Displays the static MAC addresses in the bridge table.

count

(Optional) Displays the MAC address table count.


Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration and privileged mode

Firewall Mode: transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display information about the MAC-address table:

fwsm(config)# show mac-address-table

Related Commands

clear mac-address-table
mac-address-table aging-time
mac-address-table static

show mac-learn

To display the learned MAC-address information, use the show mac-learn command.

show mac-learn

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: configuration and privileged mode

Firewall Mode: transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display the learned MAC-address information:

fwsm(config)# show mac-learn

Related Commands

clear mac-learn

show match

To display the route-map match configuration, use the show match command.

show match

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode

Access Location: system and context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display the route-map match configuration:

fwsm(config)# show match

Related Commands

match (route map submode)
match interface (route map submode)
match ip next-hop (route map submode)
match route-type (route map submode)
route-map

show memory

To display a summary of the maximum physical memory and current free memory that is available to the FWSM operating system, use the show memory command.

show memory

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The show memory command allows you to display a summary of the maximum physical memory and current free memory that is available to the FWSM operating system. The memory in the FWSM is allocated as needed.

You can also display the information from the show memory command using SNMP.

Examples

This example shows how to display a summary of the maximum physical memory and current free memory that is available to the FWSM:

fwsm(config)# show memory
Free memory:       845044716 bytes (79%)
Used memory:       228697108 bytes (21%)
-------------     ----------------
Total memory:     1073741824 bytes (100%)

show memory-caller address

To display the address ranges configured on the security appliance, use the show memory-caller address command in privileged EXEC mode.

show memory-caller address

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

Security Context Mode: single, multiple context and system mode

Access Location: system command line

Command Mode: privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.3

Support for this command was introduced on the FWSM.


Usage Guidelines

You must first configure an address ranges with the memory caller-address command before you can display them with the show memory-caller address command.

Examples

The following examples show the address ranges configured with the memory caller-address commands, and the resulting display of the show memory-caller address command:
fwsm# memory caller-address 0x00109d5c 0x00109e08  
fwsm# memory caller-address 0x009b0ef0 0x009b0f14  
fwsm# memory caller-address 0x00cf211c 0x00cf4464 

fwsm# show memory-caller address
Move down stack frame for the addresses: 
pc = 0x00109d5c-0x00109e08  
pc = 0x009b0ef0-0x009b0f14  
pc = 0x00cf211c-0x00cf4464 

If address ranges are not configured before entering the show memory-caller address command, no addresses display:

fwsm# show memory-caller address

Move down stack frame for the addresses:

Related Commands

memory caller-address

show memory binsize

To display summary information about the chunks allocated for a specific bin size, use the show memory binsize command in privileged EXEC mode.

show memory binsize size

Syntax Description

size

Displays chunks (memory blocks) of a specific bin size. The bin size is from the "fragment size" column of the show memory detail command output.


Defaults

No default behavior or values.

Command Modes

Security Context Mode: single, multiple context and system mode

Access Location: system command line

Command Mode: privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.3

Support for this command was introduced on the FWSM.


Usage Guidelines

This command has no usage guidelines.

Examples

The following example displays summary information about a chunk allocated to a bin size of 500:

fwsm# show memory binsize 500
pc = 0x00b33657, size = 460      , count = 1

Related Commands

show memory-caller address
show memory profile
show memory

show memory profile

To display information about the memory usage (profiling) of the security appliance, use the show memory profile command in privileged EXEC mode.

show memory profile [peak] [detail | collated | status]

Syntax Description

collated

(Optional) Collates the memory information displayed.

detail

(Optional) Displays detailed memory information.

peak

(Optional) Displays the peak capture buffer rather than the "in use" buffer.

status

(Optional) Displays the current state of memory profiling and the peak capture buffer.


Defaults

No default behavior or values.

Command Modes

Security Context Mode: multiple context and system mode

Access Location: system command line

Command Mode: privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.3

Support for this command was introduced on the FWSM.


Usage Guidelines

Use the show memory profile command to troubleshoot memory usage level and memory leaks. You can still see the profile buffer contents even if profiling has been stopped. Starting profiling clears the buffer automatically.


Note The security appliance might experience a temporary reduction in performance when memory profiling is enabled.


Examples

The following example shows...

fwsm# show memory profile 
Range: start = 0x004018b4, end = 0x004169d0, increment = 00000004  
Total = 0 

The output of the show memory profile detail command (below) is divided into six data columns and one header column, at the far left. The address of the memory bucket corresponding to the first data column is given at the header column (the hexidecimal number). The data itself is the number of bytes that is held by the text/code that falls in the bucket address. A period (.) in the data column means no memory is held by the text at this bucket. Other columns in the row correspond to the bucket address that is greater than the increment amount from the previous column. For example, the address bucket of the first data column in the first row is 0x001069e0. The address bucket of the second data column in the first row is 0x001069e4 and so on. Normally the header column address is the next bucket address; that is, the address of the last data column of the previous row plus the increment. All rows without any usage are suppressed. More than one such contiguous row can be suppressed, indicated with three periods at the header column (...).

fwsm# show memory profile detail 
Range: start = 0x00100020, end = 0x00e006e0, increment = 00000004  
Total = 48941152  
...  
0x001069e0 . 24462 . . . .  
...  
0x00106d88 . 1865870 . . . .  
...  
0x0010adf0 . 7788 . . . .  
...  
0x00113640 . . . . 433152 .  
...  
0x00116790 2480 . . . . .  
<snip> 

The following example shows collated output:

fwsm# show memory profile collated
Range: start = 0x00100020, end = 0x00e006e0, increment = 00000004  
Total = 48941152  
24462 0x001069e4  
1865870 0x00106d8c  
7788 0x0010adf4  
433152 0x00113650  
2480 0x00116790  
<snip> 

The following example shows the peak capture buffer:

fwsm# show memory profile peak
Range: start = 0x004018b4, end = 0x004169d0, increment = 00000004  
Total = 102400 

The following example shows the peak capture buffer and the number of bytes that is held by the text/code that falls in the corresponding bucket address:

fwsm# show memory profile peak detail 
Range: start = 0x004018b4, end = 0x004169d0, increment = 00000004  
Total = 102400  
...  
0x00404c8c . . 102400 . . . 

The following example shows the current state of memory profiling and the peak capture buffer:

fwsm# show memory profile status 
InUse profiling: ON 
Peak profiling: OFF 
Memory used by profile buffers: 11518860 bytes 
Profile: 
0x00100020-0x00bfc3a8(00000004)

Related Commands

memory profile enable
memory profile text
clear memory profile

show mode

To display the current mode for the FWSM, use the show mode command.

show mode

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: System and Context

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display the current mode for the FWSM:

fwsm/context_name(config)# show mode
Firewall mode: multiple
The flash mode is the SAME as the running mode.

Related Commands

mode

show mgcp

To display the Media Gateway Control Protocol (MGCP) information, use the show mgcp command.

show mgcp {commands | sessions} [detail]

Syntax Description

commands

Displays the number of MGCP commands in the command queue.

sessions

Displays the number of existing MGCP sessions.

detail

(Optional) Displays additional information about each command (or session) in the output.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display MGCP information:

fwsm/context_name(config)# show mgcp commands
1 in use, 1 most used, 200 maximum allowed
CRCX, gateway IP: host-pc-2, transaction ID: 2052, idle: 0:00:07

fwsm/context_name(config)# show mgcp commands detail
1 in use, 1 most used, 200 maximum allowed
CRCX, idle: 0:00:10
Gateway IP      host-pc-2
Transaction ID  2052
Endpoint name   aaln/1
Call ID         9876543210abcdef
Connection ID   
Media IP        192.168.5.7
Media port      6058

fwsm/context_name(config)# show mgcp sessions
1 in use, 1 most used
Gateway IP host-pc-2, connection ID 6789af54c9, active 0:00:11

fwsm/context_name(config)# show mgcp sessions detail
1 in use, 1 most used
Session active 0:00:14
Gateway IP      host-pc-2
Call ID         9876543210abcdef
Connection ID   6789af54c9
Endpoint name   aaln/1
Media lcl port  6166
Media rmt IP    192.168.5.7
Media rmt port  6058

Related Commands

clear mgcp
mgcp

show monitor-interface

To display the information about the monitored interface, use the show monitor-interface command.

show monitor-interface

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.

2.3(1)

Support for the Autostate feature was added on the FWSM.


Usage Guidelines

The show monitor-interface command allows you to display the interface status for the monitored interfaces in the user context when this command is used in multiple context mode. The interfaces must be configured before you use this command to receive information.

Autostate allows the FWSM to quickly detect the failure of the interfaces connecting the real hosts. To allow autostate support on an FWSM interface, you must enable interface monitoring (see the monitor-interface command) on that interface. The switch operating system software informs the FWSM when the first or last physical port has joined or left a VLAN assigned to that FWSM, excluding the FWSM port channel and trunk port to the MSFC.

The FWSM responds to a VLAN down condition by marking the interfaces associated with that VLAN as autostate down. This VLAN is considered as a failed interface for interface monitoring of health status and may cause a failover if the interface policy threshold is met. When you suspend the configuration configuration, two interfaces will no longer synchronize the configuration or replicate commands.


Note When you enable the suspend configuration synchronization, interface monitoring and logical interfaces are disabled.


Examples

This example shows how to display the status of the monitored interfaces (from within the context):

primary/contexta(config)# show monitor-interface
        This host: Primary - Active
                Interface outside (88.1.1.2): Normal
                Interface inside (10.6.8.91): Normal
        Other host: Secondary - Standby
                Interface outside (88.1.1.3): Normal
                Interface inside (10.6.8.100): Normal

Related Commands

failover interface ip
failover interface-policy
failover lan interface
monitor-interface
show failover
write standby

show mroute

To display the information about the current multicast route table information, use the show mroute command.

show mroute [dst [src]]

Syntax Description

dst

(Optional) Displays multicast route table information that is based on the specified Class D address of the multicast group.

src

(Optional) Displays multicast route table information that is based on the specified IP address of the multicast source.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode

Access Location: system and context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display information about the current multicast route table:

fwsm/context_name(config)# show mroute

Related Commands

mtu

show mtu

To display the current maximum transmission unit (MTU) block size, use the show mtu command.

show mtu

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The show interface command also shows the MTU value.

Examples

This example shows how to display the current MTU block size:

fwsm(config)# show mtu
mtu outside 1500
mtu inside 1500

Related Commands

mtu
show interface

show multicast

To display all or per-interface multicast settings, use the show multicast command.

show multicast [interface interface_name]

Syntax Description

interface interface_name

(Optional) Displays the per-interface multicast settings.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display all multicast settings:

fwsm(config)# show multicast

Related Commands

show igmp

show name

To list the name commands in the configuration, use the show name command.

show name

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to list the name command configuration.

fwsm(config)# show name
System IP Addresses:
name 192.168.42.3 fwsm_inside
name 209.165.201.3 fwsm_outside

Related Commands

clear name

name

show nameif

To display the name of an interface, use the show nameif command.

show nameif

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display the name of an interface:

fwsm(config)# show nameif
nameif vlan36 inside security100
nameif vlan22 shared security50
nameif vlan38 dmz security50
nameif vlan10 mgmt security10
nameif vlan37 outside security0

Related Commands

nameif

show names

To display the IP address-to-name conversion, use the show names command.

show names

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example show how to display the IP address-to-name conversion:

fwsm/context_name(config)# show names
System IP Addresses:
name 192.168.42.3 fwsm_inside
name 209.165.201.3 fwsm_outside

Related Commands

clear name

name

names

show name

show nat

To display a pool of global IP addresses that are associated with a network, use the show nat command.

show nat

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.

2.2(1)

This command was modified to support UDP maximum connections for local hosts.


Usage Guidelines

This command displays the maximum connection value for the UDP protocol. Every time the UPD maximum connection value is not set, the value will be displayed as 0 by default and will not be applied.


Note In transparent mode, only NAT ID 0 is valid.


Examples

This example shows how to display a pool of global IP addresses that are associated with a network:

fwsm/context_name(config)# show nat
nat (inside) 1001 36.7.2.0 255.255.255.224 0 0
nat (inside) 1001 36.7.2.32 255.255.255.224 0 0
nat (inside) 1001 36.7.2.64 255.255.255.224 0 0
nat (inside) 1002 36.7.2.96 255.255.255.224 0 0
nat (inside) 1002 36.7.2.128 255.255.255.224 0 0
nat (inside) 1002 36.7.2.160 255.255.255.224 0 0
nat (inside) 1003 36.7.2.192 255.255.255.224 0 0
nat (inside) 1003 36.7.2.224 255.255.255.224 0 0

Related Commands

clear nat
nat

show network

To display the interfaces on which the OSPF protocol runs and the area ID for those interfaces, use the show network subcommand.

show network prefix ip_address netmask area area_id

Syntax Description

prefix

IP address.

ip_address

Router ID in IP address format.

netmask

IP address mask or IP subnet mask used for a summary route.

area area_id

Specifies the area to be configured as a regular OSPF area.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode

Access Location: system and context command line

Command Mode: configuration and privileged mode

Firewall Mode: Routed

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display the interfaces on which the OSPF protocol runs:

fwsm/context_name(config)# show network area

Related Commands

object-group

show nic

To display the status of the internal network interface cards (NICs), use the show nic command

show nic

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display the status of the internal NICs:

fwsm(config)# show nic
interface gb-ethernet0 is up, line protocol is up
  Hardware is i82543 rev02 gigabit ethernet, address is 000b.5f0d.3700
 PCI details are - Bus:0, Dev:0, Func:0
  MTU 1500 bytes, BW 1 Gbit full duplex
        502 packets input, 51236 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        18375 packets output, 1854756 bytes, 0 underruns
        input queue (curr/max blocks): hardware (255/255) software (0/0)
        output queue (curr/max blocks): hardware (0/2) software (0/0)
interface gb-ethernet1 is up, line protocol is up
  Hardware is i82543 rev02 gigabit ethernet, address is 000b.5f0d.3700
 PCI details are - Bus:0, Dev:0, Func:0
  MTU 16000 bytes, BW 1 Gbit full duplex
        12256 packets input, 1424408 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        4 packets output, 280 bytes, 0 underruns
        input queue (curr/max blocks): hardware (255/255) software (0/0)
        output queue (curr/max blocks): hardware (0/1) software (0/0)

show object-group

To remove all the object commands from the configuration, use the show object-group command.

show object-group [protocol | service | icmp-type | network]

show object-group id obj_grp_id

Syntax Description

protocol

(Optional) Defines a group of protocols such as TCP and UDP.

service

(Optional) Defines a group of TCP/UDP port specifications such as "eq smtp" and "range 2000 2010."

icmp-type

(Optional) Defines a group of ICMP types such as echo and echo-reply.

network

(Optional) Defines a group of hosts or subnet IP addresses.

obj_grp_id

Name of a previously defined object group.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

Table 2-23 lists the descriptions for the show object-group commands and their accompanying configuration commands.

Table 2-23 Command Description 

Command
Further Configuration

show object-group protocol

After entering this command, add the protocol objects to the protocol group with the protocol-object and the group-object subcommand.

show object-group service

After entering this command, add the port objects to the service group with the port-object and the group-object subcommand.

object-group icmp-type

After entering this command, add the ICMP objects to the ICMP type group with the icmp-object and the group-object subcommand.

object-group network

After entering this command, add the network objects to the network group with the network-object and the group-object subcommand. To group object groups together, they must be the same type. For example, you can group two or more network object groups together, but you cannot group a protocol group and a network group together.


Examples

This example shows how to remove all the object commands from the configuration:

fwsm(config)# show object-group

Related Commands

clear object-group
object-group

show pager

To display the lines that are configured for screen paging, use the show pager command.

show pager

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: Unprivileged

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display the lines that are configured for screen paging:

fwsm(config)# show pager
pager lines 30

Related Commands

clear pager
pager

show password/passwd

To display the Telnet password, use the show password command.

show {password | passwd}

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The passwd keyword is an accepted shortened form of password.

Examples

This example shows how to display the Telnet password:

fwsm/context_name(config)# show password
passwd 2KFQnbNIdI.2KYOU encrypted

Related Commands

clear password
password/passwd

show pc conn

To display information about connections, address translation, and local host information that are maintained on the control-point, use the show pc conn command in privileged EXEC mode. This command also shows the number of TCP, UDP, and embryonic connections, as well as those connections most used.

show pc conn [count] | local-host | xlate

Syntax Description

count

Shows a count of the current active connections maintained on the control-point, along with a high water mark of most connections used on the control-pont.

local-host

Shows the total number of active TCP, UDP, and embryonic connections maintained on the control-point.

xlate

Shows the total number of active address translations maintained on the control-point.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

2.3(1)

This command was introduced.


Usage Guidelines

All the connections that are being processed by the control-point on the FWSM display. These connections are being processed in software on the central CPU, not in hardware.

Examples

The following example shows how to display connection information:

fwsm# show pc conn

2 in use, 10230 most used

UDP out 14.1.26.199:53 in 10.10.10.119:53 idle 0:00:00 flags 
UDP out 14.1.26.199:53 in 10.10.10.119:53 idle 0:00:00 flags 

Related Commands

Command
Description

show xlate

Shows translations.

show conn

Shows connection information.

show local-host

Shows IP addresses of local hosts.

set connection

Sets connection limits.


show pdm

To display the device manager buffer information, use the show pdm command.

show pdm history [view {all | 12h | 5d | 60m | 10m}] [snapshot] [feature {all | blocks | cpu | failover | ids | interface interface_name | memory | perfmon | xlates}] [pdmclient]

show pdm logging

show pdm sessions

Syntax Description

history

Displays the contents of the PDM history buffer.

view all

(Optional) Displays the history for all features.

view 12h | 5d | 60m | 10m | all

(Optional) Specifies the PDM history view to display: 12 hours (12h), 5 days (5d), 60 minutes (60m), 10 minutes (10m), or all history contents in the PDM history buffer.

snapshot

(Optional) Displays only the last PDM history data point.

feature

(Optional) Displays the history for a single feature; if not specified, the history for all features is displayed.

all

(Optional) Displays the history for all features.

blocks

(Optional) Displays the buffer blocks.

cpu

(Optional) Displays the history for CPU usage; this output is similar to output of the show cpu command.

failover

(Optional) Displays the history for failover.

ids

(Optional) Displays the history for the Intrusion Detection System Module (IDSM).

interface interface_name

(Optional) Specifies the interface name on which the PDM resides.

memory

(Optional) Displays the history for memory.

perfmon

(Optional) Displays the history for performance.

xlates

(Optional) Displays the history for translation slot information.

pdmclient

(Optional) Displays the PDM history in PDM-display format.

logging

Displays the contents of the PDM logging buffer (located within the PDM).

sessions

Displays the PDM session ID number.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode

Access Location: system and context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The PDM syslog messages are stored separately from the FWSM syslog messages. The clear pdm logging command clears the PDM log without disabling PDM logging.

The show pdm sessions command is accessible through the FWSM command-line interface (CLI). The show pdm sessions command allows you to display all the active PDM sessions that are connected to the FWSM by a unique session_id, beginning with session number 0.

Examples

This example shows how to display the contents of the PDM history buffer:

fwsm(config)# show pdm history view 10m snapshot pdmclient
INTERFACE|outside|up|IBC|0|OBC|1088|IPC|0|OPC|0|IBR|17|OBR|0|IPR|0|OPR|0|IERR|1|NB|0|RB|0|
RNT|0|GNT|0|CRC|0|FRM|0|OR|0|UR|0|OERR|0|COLL|0|LCOLL|0|RST|0|DEF|0|LCR|0:FWSMoutsideINTER
FACE:METRIC_HISTORY|SNAP|IBR|VIEW|10|1952|METRIC_HISTORY|SNAP|OBR|VIEW|10|64|METRIC_HISTOR
Y|SNAP|IPR|VIEW|10|17|METRIC_HISTORY|SNAP|OPR|VIEW|10|1|METRIC_HISTORY|SNAP|IERR|VIEW|10|0
|METRIC_HISTORY|SNAP|OERR|VIEW|10|0|:FWSMinsideINTERFACE:METRIC_HISTORY|SNAP|IBR|VIEW|10|0
|METRIC_HISTORY|SNAP|OBR|VIEW|10|64|METRIC_HISTORY|SNAP|IPR|VIEW|10|0|METRIC_HISTORY|SNAP|
OPR|VIEW|10|1|METRIC_HISTORY|SNAP|IERR|VIEW|10|0|METRIC_HISTORY|SNAP|OERR|VIEW|10|0|:FWSMS
YS:METRIC_HISTORY|SNAP|MEM|VIEW|10|52662272|METRIC_HISTORY|SNAP|BLK4|VIEW|10|1600|METRIC_H
ISTORY|SNAP|BLK80|VIEW|10|400|METRIC_HISTORY|SNAP|BLK256|VIEW|10|998|METRIC_HISTORY|SNAP|B
LK1550|VIEW|10|676|METRIC_HISTORY|SNAP|XLATES|VIEW|10|0|METRIC_HISTORY|SNAP|CONNS|VIEW|10|
0|METRIC_HISTORY|SNAP|TCPCONNS|VIEW|10|0|METRIC_HISTORY|SNAP|UDPCONNS|VIEW|10|0|METRIC_HIS
TORY|SNAP|URLS|VIEW|10|0|METRIC_HISTORY|SNAP|WEBSNS|VIEW|10|0|METRIC_HISTORY|SNAP|TCPFIXUP
S|VIEW|10|0|METRIC_HISTORY|SNAP|TCPINTERCEPTS|VIEW|10|0|METRIC_HISTORY|SNAP|HTTPFIXUPS|VIE
W|10|0|METRIC_HISTORY|SNAP|FTPFIXUPS|VIEW|10|0|METRIC_HISTORY|SNAP|AAAAUTHENUPS|VIEW|10|0|
METRIC_HISTORY|SNAP|AAAAUTHORUPS|VIEW|10|0|METRIC_HISTORY|SNAP|AAAACCOUNTS|VIEW|10|0|

This example shows how to report the data that is formatted for the FWSM CLI:

fwsm(config)# pdm history enable
fwsm(config)# show pdm history view 10m snapshot
Available 4 byte Blocks:  [  10s] : 1600
Used 4 byte Blocks:  [  10s] : 0
Available 80 byte Blocks:  [  10s] : 400
.
.
.
Max Xlates:  [  10s] : 0
ISAKMP SAs:  [  10s] : 0
IPSec SAs:  [  10s] : 0
L2TP Sessions:  [  10s] : 0
L2TP Tunnels:  [  10s] : 0
PPTP Sessions:  [  10s] : 0
PPTP Tunnels:  [  10s] : 0

Related Commands

clear pdm

pdm

show perfmon

To display information about the FWSM performance, use the show perfmon command.

show perfmon

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

This command output does not display in a Telnet console session.

The perfmon command allows you to monitor the FWSM's performance. The show perfmon command allows you to display the information immediately.

Examples

This example shows how to display information about the FWSM performance:

fwsm/context_name(config)# show perfmon
Context: admin
PERFMON STATS:    Current      Average
Xlates               0/s          0/s
Connections          0/s          0/s
TCP Conns            0/s          0/s
UDP Conns            0/s          0/s
URL Access           0/s          0/s
URL Server Req       0/s          0/s
WebSns Req           0/s          0/s
TCP Fixup            0/s          0/s
HTTP Fixup           0/s          0/s
FTP Fixup            0/s          0/s
AAA Authen           0/s          0/s
AAA Author           0/s          0/s
AAA Account          0/s          0/s
TCP Intercept    322779/s      322779/s

Related Commands

perfmon

show privilege

To display the privileges for a command or a set of commands, use the show privilege command.

show privilege [all | command command | level level]

Syntax Description

all

(Optional) Displays the privilege level for all commands.

command command

(Optional) Displays the privilege level for a specific command.

level level

(Optional) Displays the commands that are configured with the specified level; valid values are from 0 to 15.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: System

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display the privileges for level 0 commands:

fwsm(config)# show privilege level 0
privilege show level 0 command checksum
privilege show level 0 command curpriv
privilege configure level 0 mode enable command enable
privilege show level 0 command history
privilege configure level 0 command login
privilege configure level 0 command logout
privilege show level 0 command pager
privilege clear level 0 command pager
privilege configure level 0 command pager
privilege configure level 0 command quit
privilege show level 0 command version

Related Commands

clear privilege
privilege

show processes

To display a list of the processes that are running on the FWSM, use the show processes command.

show processes

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The show processes command allows you to display a list of the processes that are running on the FWSM.

Processes are lightweight threads requiring only a few instructions. In the listing, PC is the program counter, SP is the stack pointer, STATE is the address of a thread queue, Runtime is the number of milliseconds that the thread has been running, SBASE is the stack base address, Stack is the current number of bytes that are used and the total size of the stack, and Process lists the thread's function.

Examples

This example shows how to display a list of processes that are running on the FWSM:

fwsm(config)# show processes

    PC       SP       STATE       Runtime    SBASE     Stack Process
Hsi 00102aa0 0a63f288 0089b068     117460 0a63e2d4 3600/4096 arp_timer
Lsi 00102aa0 0a6423b4 0089b068         10 0a64140c 3824/4096 FragDBGC
Hwe 004257c8 0a7cacd4 0082dfd8          0 0a7c9d1c 3972/4096 udp_timer
Lwe 0011751a 0a7cc438 008ea5d0         20 0a7cb474 3560/4096 dbgtrace
<--- More --->

show redistribute

To display the redistribution between OSPF processes according to the parameters specified, use the show redistribute command.

show redistribute {static | connected} [metric metric_value] [metric-type metric_type] [route-map map_name] [tag tag_value] [subnets]

show redistribute ospf pid [match {internal | external [1 | 2] | nssa-external [1|2]}] [metric metric_value] [metric-type metric_type] [route-map map_name] [tag tag_value] [subnets]

Syntax Description

static

(Optional) Specifies the static connections.

connected

(Optional) Specifies the operating connections.

metric metric_value

(Optional) Specifies the OSPF default metric value from 0 to 16777214.

metric-type metric_type

(Optional) Specifies the OSPF metric type; valid values are type-1, type-2, internal, or external.

route-map map_name

(Optional) Specifies the name of the route map to apply.

tag tag_value

(Optional) Specifies the value to match for controlling redistribution with route maps.

subnets

(Optional) Specifies the redistributing routes into OSPF and scopes the redistribution for the specified protocol.

ospf pid

Specifies an internally used identification parameter for an OSPF routing process; valid values are from 1 to 65535.

match

(Optional) Specifies the conditions for redistributing routes from one routing protocol into another.

internal type

(Optional) Specifies the OSPF metric routes that are internal to a specified autonomous system; valid values are either type 1 or 2.

external type

(Optional) Specifies the OSPF metric routes that are external to a specified autonomous system; valid values are either type 1 or 2.

nssa-external type

(Optional) Specifies the OSPF metric type for routes that are external to a not-so-stubby area (NSSA); valid values are either type 1 or 2.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode

Access Location: system command line

Command Mode: configuration and privileged mode

Firewall Mode: Routed

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

You assign the pid locally on the FWSM; it can be from 1 to 65535. You must assign a unique value for each OSPF routing process.

Examples

This example shows how to display the redistribution of processes across OSPF:

fwsm(config)# show redistribute

Related Commands

redistribute (OSPF submode)
router ospf
show ip ospf

show resource acl-partition

To display partition ACL memory information, use the show resource acl-partition command.

show resource acl-partition context-name

Syntax Description

context-name

Context.


Defaults

Twelve ACL memory partitions.

Command Modes

Security Context Mode: multiple context mode

Access Location: system command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.3(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

This command display the details about all existing partitions. For each partition, the mode (non-exclusive or exclusive) and a list of associated contexts are displayed.

Examples

This example shows how to display partition and ACL memory information:

fwsm(config)# show resource acl-partition context!A

Related Commands

resource acl-partition

show resource allocation

To display a list of system resource allocations, use the show resource allocation command.

show resource allocation [detail]

Syntax Description

detail

(Optional) Displays resource allocation details.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The show resource allocation command allows you to display a list of system resource allocations.

Processes are lightweight threads requiring only a few instructions. In the listing, PC is the program counter, SP is the stack pointer, STATE is the address of a thread queue, Runtime is the number of milliseconds that the thread has been running, SBASE is the stack base address, Stack is the current number of bytes that are used and the total size of the stack, and Process lists the thread's function.

Examples

This example shows the total allocation of each resource as an absolute value and as a percentage of the available system resources:

fwsm# show resource allocation
Resource                    Total       % of Avail
 Conns [rate]               35000           35.00%
 Fixups [rate]              35000           35.00%
 Syslogs [rate]             10500           35.00%
 Conns                     305000           30.50%
 Hosts                      78842           30.07%
 IPsec                          7           35.00%
 SSH                           35           35.00%
 Telnet                        35           35.00%
 Xlates                     91749           34.99%
 All                    unlimited 

Table 2-24 shows each field description.

Table 2-24 show resource allocation Fields

Field
Description

Resource

Name of the resource that you can limit.

Total

Total amount of the resource that is allocated across all contexts. The amount is an absolute number of concurrent instances or instances per second. If you specified a percentage in the class definition, the FWSM converts the percentage to an absolute number for this display.

% of Avail

The percentage of the total system resources that is allocated across all contexts.


This example shows the detail option:

fwsm# show resource allocation detail
Resource Origin:
    A    Value was derived from the resource 'all'
    C    Value set in the definition of this class
    D    Value set in default class
Resource         Class          Mmbrs  Origin      Limit      Total    Total %
Conns [rate]     default          all      CA  unlimited                     
                 gold               1       C      34000      34000     20.00%
                 silver             1      CA      17000      17000     10.00%
                 bronze             0      CA       8500                     
                 All Contexts:      3                         51000     30.00%

Fixups [rate]    default          all      CA  unlimited                     
                 gold               1      DA  unlimited                     
                 silver             1      CA      10000      10000     10.00%
                 bronze             0      CA       5000                     
                 All Contexts:      3                         10000     10.00%

Syslogs [rate]   default          all      CA  unlimited                     
                 gold               1       C       6000       6000     20.00%
                 silver             1      CA       3000       3000     10.00%
                 bronze             0      CA       1500                     
                 All Contexts:      3                          9000     30.00%

Conns            default          all      CA  unlimited                     
                 gold               1       C     200000     200000     20.00%
                 silver             1      CA     100000     100000     10.00%
                 bronze             0      CA      50000                     
                 All Contexts:      3                        300000     30.00%

Hosts            default          all      CA  unlimited                     
                 gold               1      DA  unlimited                     
                 silver             1      CA      26214      26214      9.99%
                 bronze             0      CA      13107                     
                 All Contexts:      3                         26214      9.99%

IPSec            default          all       C          5                     
                 gold               1       D          5          5     50.00%
                 silver             1      CA          1          1     10.00%
                 bronze             0      CA  unlimited                     
                 All Contexts:      3                            11    110.00%

SSH              default          all       C          5                     
                 gold               1       D          5          5      5.00%
                 silver             1      CA         10         10     10.00%
                 bronze             0      CA          5                     
                 All Contexts:      3                            20     20.00%

Telnet           default          all       C          5                     
                 gold               1       D          5          5      5.00%
                 silver             1      CA         10         10     10.00%
                 bronze             0      CA          5                     
                 All Contexts:      3                            20     20.00%

Xlates           default          all      CA  unlimited                     
                 gold               1      DA  unlimited                     
                 silver             1      CA      23040      23040     10.00%
                 bronze             0      CA      11520                     
                 All Contexts:      3                         23040     10.00%
mac-addresses    default          all       C      65535                     
                 gold               1       D      65535      65535    100.00%
                 silver             1      CA       6553       6553      9.99%
                 bronze             0      CA       3276                     
                 All Contexts:      3                        137623    209.99%

Table 2-25 shows each field description.

Table 2-25 show resource allocation detail Fields

Field
Description

Resource

Name of the resource that you can limit.

Class

Name of each class, including the default class.

All contexts field shows the total values across all classes.

Mmbrs

Number of contexts assigned to each class.

Origin

Origin of the resource limit, as follows:

A—You set this limit with the all option, instead of as an individual resource.

C—This limit is derived from the member class.

D—This limit was not defined in the member class, but was derived from the default class. For a context assigned to the default class, the value will be "C" instead of "D."

FWSM can combine "A" with "C" or "D."

Limit

Limit of the resource per context, as an absolute number. If you specified a percentage in the class definition, the FWSM converts the percentage to an absolute number for this display.

Total

Total amount of the resource that is allocated across all contexts in the class. The amount is an absolute number of concurrent instances or instances per second. If the resource is unlimited, this display is blank.

% of Avail

Percentage of the total system resources that is allocated across all contexts in the class. If the resource is unlimited, this display is blank.


Related Commands

clear resource usage
show resource types
show resource usage

show resource types

To display a list of system resource types, use the show resource types command.

show resource types

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display a list of system resource types:

fwsm# show resource types
Rate limited resource types:
  Conns           Connections/sec
  Fixups          Fixups/sec
  Syslogs         Syslogs/sec

Absolute limit types:
  Conns           Connections
  Hosts           Hosts
  IPsec           IPsec Mgmt Tunnels
  SSH             SSH Sessions
  Telnet          Telnet Sessions
  Xlates          XLATE Objects
  All             All Resources

Related Commands

clear resource usage
show resource allocation
show resource usage

show resource usage

To display a list of system resource usage, use the show resource usage command.

show resource usage [context context_name | top n | all | summary | system] [resource {[rate] resource_name | all} | detail] [counter counter_name [count_threshold]]

Syntax Description

context

(Optional) Specifies the context.

context_name

(Optional) Name of the context.

top n

(Optional) Specifies a number of resources.

all

(Optional) Specifies all resources.

summary

(Optional) Specifies a summary of resources.

system

(Optional) Specifies the system resources.

resource

(Optional) Specifies a specific resource.

rate

(Optional) Specifies a resource rate.

resource_name

(Optional) Resource name.

all

(Optional) Specifies all resources.

detail

(Optional) Specifies detail.

counter

(Optional) Specifies a specific resource counter.

counter_name

(Optional) Specifies the counter name.

count_threshold

(Optional) Specifies the counter threshold.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.

2.3(1)

Support for sync cookies was introduced on the FWSM.


Examples

This example shows how to display a list of system resource usage:

The following sample display shows the resource usage for all contexts and all resources:

fwsm# show resource usage summary
Resource              Current         Peak      Limit     Denied Context
Syslogs [rate]           1743         2132      12000(U)       0 Summary
Conns                     584          763     100000(S)       0 Summary
Xlates                   8526         8966      93400          0 Summary
Hosts                     254          254     262144          0 Summary
Conns [rate]              270          535      42200       1704 Summary
Fixups [rate]             270          535     100000(S)       0 Summary
U = Some contexts are unlimited and are not included in the total.
S = All contexts are unlimited; system limit is shown.

This example shows the amount of resources being used by TCP intercept for individual contexts (sample text in italics shows the TCP intercept information):

FWSM(config)# show resource usage detail        
Resource              Current         Peak      Limit        Denied Context
memory                 843732       847288  unlimited             0 admin
chunk:channels             14           15  unlimited             0 admin
chunk:fixup                15           15  unlimited             0 admin
chunk:hole                  1            1  unlimited             0 admin
chunk:ip-users             10           10  unlimited             0 admin
chunk:list-elem            21           21  unlimited             0 admin
chunk:list-hdr              3            4  unlimited             0 admin
chunk:route                 2            2  unlimited             0 admin
chunk:static                1            1  unlimited             0 admin
tcp-intercept-rate     328787       803610  unlimited             0 admin
np-statics                  3            3  unlimited             0 admin
statics                     1            1  unlimited             0 admin
ace-rules                   1            1        N/A             0 admin
console-access-rul          2            2        N/A             0 admin
fixup-rules                14           15        N/A             0 admin
memory                 959872       960000  unlimited             0 c1
chunk:channels             15           16  unlimited             0 c1
chunk:dbgtrace              1            1  unlimited             0 c1
chunk:fixup                15           15  unlimited             0 c1
chunk:global                1            1  unlimited             0 c1
chunk:hole                  2            2  unlimited             0 c1
chunk:ip-users             10           10  unlimited             0 c1
chunk:udp-ctrl-blk          1            1  unlimited             0 c1
chunk:list-elem            24           24  unlimited             0 c1
chunk:list-hdr              5            6  unlimited             0 c1
chunk:nat                   1            1  unlimited             0 c1
chunk:route                 2            2  unlimited             0 c1
chunk:static                1            1  unlimited             0 c1
tcp-intercept-rate      16056        16254  unlimited             0 c1
globals                     1            1  unlimited             0 c1
np-statics                  3            3  unlimited             0 c1
statics                     1            1  unlimited             0 c1
nats                        1            1  unlimited             0 c1
ace-rules                   2            2        N/A             0 c1
console-access-rul          2            2        N/A             0 c1
fixup-rules                14           15        N/A             0 c1
memory              232695716    232020648  unlimited             0 system
chunk:channels             17           20  unlimited             0 system
chunk:dbgtrace              3            3  unlimited             0 system
chunk:fixup                15           15  unlimited             0 system
chunk:ip-users              4            4  unlimited             0 system
chunk:list-elem          1014         1014  unlimited             0 system
chunk:list-hdr              1            1  unlimited             0 system
chunk:route                 1            1  unlimited             0 system
block:16384               510          885  unlimited             0 system
block:2048                 32           34  unlimited             0 system

This example shows the resources being used by TCP intercept for the entire system (sample text in :

FWSM(config)# show resource usage summary detail
Resource              Current         Peak      Limit        Denied Context
memory              238421312    238434336  unlimited             0 Summary
chunk:channels             46           48  unlimited             0 Summary
chunk:dbgtrace              4            4  unlimited             0 Summary
chunk:fixup                45           45  unlimited             0 Summary
chunk:global                1            1  unlimited             0 Summary
chunk:hole                  3            3  unlimited             0 Summary
chunk:ip-users             24           24  unlimited             0 Summary
chunk:udp-ctrl-blk          1            1  unlimited             0 Summary
chunk:list-elem          1059         1059  unlimited             0 Summary
chunk:list-hdr             10           11  unlimited             0 Summary
chunk:nat                   1            1  unlimited             0 Summary
chunk:route                 5            5  unlimited             0 Summary
chunk:static                2            2  unlimited             0 Summary
block:16384               510          885       8192(S)          0 Summary
block:2048                 32           35       1000(S)          0 Summary
tcp-intercept-rate     341306       811579  unlimited             0 Summary
globals                     1            1       1051(S)          0 Summary
np-statics                  6            6       4096(S)          0 Summary
statics                     2            2       2048(S)          0 Summary
nats                        1            1       2048(S)          0 Summary
ace-rules                   3            3     116448(S)          0 Summary
console-access-rul          4            4       4356(S)          0 Summary
fixup-rules                43           44       8032(S)          0 Summary
S = System:Total exceeds the system limit; the system limit is shown

Related Commands

clear resource usage

show resource allocation

show resource types

show rip

To display the information about the Routing Information Protocol (RIP) configuration, use the show rip command.

show rip [interface_name]

Syntax Description

interface_name

(Optional) Internal or external network interface to display.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode

Access Location: system and context command line

Command Mode: configuration and privileged mode

Firewall Mode: Routed

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display RIP information:

fwsm(config)# show rip
rip outside passive
no rip outside default
rip inside passive
no rip inside default

Related Commands

clear rip
rip

show rpc-server

To display the information about the remote processor call (RPC) configuration, use the show rpc-server command.

show rpc-server ifc_name ip_addr mask service service_type protocol [TCP | UDP] port port
[
- port] timeout hh:mm:ss

Syntax Description

ifc_name

Server interface name.

ip_addr

RPC server IP address.

mask

Network mask.

service

Specifies a service.

service_type

RPC service program number as specified in the rpcinfo command.

protocol

Specifies the RPC transport protocol.

tcp

(Optional) Specifies the RPC transport protocol.

udp

(Optional) Specifies the RPC transport protocol.

port port [- port ]

Specifies the RPC protocol port range.

port- port

(Optional) Specifies the RPC protocol port range.

timeout hh:mm:ss

Specifies the timeout idle time after which the access for the RPC service traffic is closed.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode

Access Location: system and context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The service_type is specified in the rpcinfo command.

Examples

This example shows how to display informaton about the RPC configuration:

fwsm(config)# show rpc-server
inside 30.26.0.23 255.255.0.0 service 2147483647 protocol TCP port 2222 timeout 0:03:00

Related Commands

clear rpc-server
rpc-server

show route

To display a default or static route for an interface, use the show route command.

show route [interface_name ip_address netmask gateway_ip]

Syntax Description

interface_name

(Optional) Internal or external network interface name.

ip_address

(Optional) Internal or external network IP address.

netmask

(Optional) Network mask to apply to ip_address.

gateway_ip

(Optional) IP address of the gateway router (the next-hop address for this route).


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode

Access Location: system or context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display routes:

fwsm(config)# show route
C    10.30.10.0 255.255.255.0 is directly connected, outside
C    10.40.10.0 255.255.255.0 is directly connected, inside
C    127.0.0.0 255.255.255.0 is directly connected, eobc
C    192.168.2.0 255.255.255.0 is directly connected, faillink
C    192.168.3.0 255.255.255.0 is directly connected, statelink

Related Commands

clear route
route

show route-map

To display the information about the route map configuration, use the show route-map command.

show route-map [map_tag]

Syntax Description

map_tag

(Optional) Text for the route-map tag.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode

Access Location: system and context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

Multiple route maps may share the same map tag name.

Examples

This example shows how to display a route map for use in OSPF routing:

fwsm(config)# show route-map
route-map maptag1 permit 8
  set metric 5
  set metric-type type-2
  match metric 5

Related Commands

route-map

show router

To display information about the router configuration, use the show router command.

show router ip_address

Syntax Description

ip_address

Router ID in IP address format.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode

Access Location: system and context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display information about the router configuration:

fwsm(config)# show router 123.456.45.10

Related Commands

router
router ospf

show router-id

To display the fixed router ID for an OSPF process, use the show router-id command.

show router-id ip_address

Syntax Description

ip_address

Router ID in IP address format.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode

Access Location: system and context command line

Command Mode: configuration and privileged mode

Transparent Mode: routed firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines


Note If the highest-level IP address on the FWSM is a private address, then this address is sent in hello packets and database definitions (DBDs). To prevent this situation, set the router-id ip_address to a global address.


Examples

This example shows how to display the fixed router ID for an OSPF process:

fwsm(config)# show router-id 123.456.78.10

Related Commands

router-id
router ospf
show ip ospf

show routing

To display the nondefault interface-specific routing configuration, use the show routing command.

show routing [interface interface_name]

Syntax Description

interface

(Optional) Specifies the interface.

interface_name

(Optional) Name of the interface for which to display the configuration.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: configuration and privileged mode

Transparent Mode: routed firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The OSPF routing-related show commands are available in privileged mode on the FWSM. You do not need to be in an OSPF configuration submode to use the OSPF-related show commands.

Examples

This example shows how to display the nondefault interface-specific routing configurations:

fwsm/context_name(config)# show routing
routing interface outside
  ospf retransmit-interval 15
routing interface inside
  ospf cost 206

fwsm/context_name(config)# show routing
Type help or '?' for a list of available commands.
2003 Jul 22 12:42:44 %ETHC-5-PORTTOSTP:Port 4/2 joined
bridge port 4/2

This example shows how to display the name of the interface:

fwsm/context_name(config)# show routing interface outside
routing interface outside
  ospf retransmit-interval 15

Related Commands

route-map

router ospf

routing interface

show running-config

To display the configuration that is running on the FWSM, use the show running-config command.

show running-config

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: configuration and privileged mode

Transparent Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The show running-config command allows you to display the current running configuration on the FWSM. Use the running-config keyword to match the Cisco IOS software command. The show running-config command output is the same as the preexisting FWSM write terminal command.

You can use the running-config keyword only in the show running-config command. You cannot use this keyword with no or clear, or as a standalone command, because the CLI treats it as a nonsupported command. When you enter the ?, no ?, or clear ? keywords, a running-config keyword is not listed in the command list.


Note The device manager commands will appear in the configuration after you use PDM to connect to or configure your FWSM.


Examples

This example show how to display the configuration that is running on the FWSM:

fwsm/context_name(config)# show running-config
: Saved
:
FWSM Version 2.2(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname fwsmdoc515
domain-name cisco.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list inside_outbound_nat0_acl permit ip 10.1.3.0 255.255.255.0 10.1.2.0  
access-list inside_outbound_nat0_acl permit ip any any 
access-list outside_cryptomap_20 permit ip 10.1.3.0 255.255.255.0 10.1.2.0 255. 
access-list outside_cryptomap_40 permit ip any any 
access-list 101 permit ip any any 
pager lines 24
logging on
interface ethernet0 10baset
interface ethernet1 100full
interface ethernet2 100full shutdown
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 172.23.59.230 255.255.0.0 pppoe
ip address inside 10.1.3.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.0
multicast interface inside
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
pdm location 10.1.2.1 255.255.255.255 outside
pdm location 10.1.2.0 255.255.255.0 outside
pdm logging alerts 100
pdm history enable
arp timeout 14400
global (inside) 6 192.168.1.2-192.168.1.3
global (inside) 3 192.168.4.1
nat (inside) 0 access-list inside_outbound_nat0_acl
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 172.23.59.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 s0
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server RADIUS protocol radius 
aaa-server LOCAL protocol local 
http server enable
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 172.23.59.231
crypto map outside_map 20 set transform-set ESP-DES-SHA
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer 123.5.5.5
isakmp key ******** address 172.23.59.231 netmask 255.255.255.255 no-xauth no-c 
isakmp peer fqdn no-xauth no-config-mode 
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication rsa-sig
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 10
dhcprelay timeout 60
terminal width 80
Cryptochecksum:4d600490f46b5d335c0fbf2eda0015a2
: end

Related Commands

configure

show same-security-traffic

To enable the same-security interface communication, use the show same-security-traffic command. To disable the same-security interfaces, use the no form of this command.

[no] show same-security-traffic

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to enable the same-security interface communication:

fwsm/context_name(config)# show same-security-traffic
same-security-traffic permit inter-interface

Related Commands

clear same-security-traffic

same-security-traffic

show service

To display the system services, use the show service command.

show service

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This command shows how to display the system services:

fwsm/context_name(config)# show service

service resetinbound

Related Commands

clear service
service

show serial

To display the system serial number and licensed services, use the show serial command.

show serial

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display the system serial number and licensed services:

fwsm(config)# show serial
FWSM Firewall Version 2.2(0)141
c6000-fwm-2-1-0-141  #126: Wed Jun 18 16:31:27 MDT 2003
msgreene@boulder-view3:/users/msgreene/projects/firecat/mainline/XFWSM/obj
fwsm up 2 hours 37 mins
Hardware:   WS-SVC-FWM-1, 1024 MB RAM, CPU Pentium III 1000 MHz
Flash  ?V1.01   SMART ATA FLASH DISK @ 0xc321, 20MB
0: gb-ethernet0: irq 5
1: gb-ethernet1: irq 7
2: ethernet0: irq 11
Licensed Features:
Failover:           Enabled
VPN-DES:            Enabled
VPN-3DES:           Enabled
Maximum Interfaces: 100 (per security context)
Cut-through Proxy:  Enabled
Guards:             Enabled
URL-filtering:      Enabled
Throughput:         Unlimited
ISAKMP peers:       Unlimited
Security Contexts:  2
This machine has an Unrestricted (UR) license.
Serial Number: SAD0649034U
Configuration last modified by enable_15 at 13:56:05 Jul 22 2003

Related Commands

uptime

show session

To display an internal AccessPro router console, use the show session command.

show session

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to access an internal AccessPro router console:

fwsm(config)# show session
Session is disabled

Related Commands

set (route map submode)

show set

To display information about the system service setup, use the show set command.

show set

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display information about the system service setup:

fwsm(config)# show set

service resetinbound

Related Commands

set metric (route map submode)
set metric-type (route map submode)

show shun

To display shun information, use the show shun command.

show shun [src_ip | statistics]

Syntax Description

src_ip

(Optional) Address of the attacking host.

statistics

(Optional) Interface counters only.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display shun information:

fwsm/context_name(config)# show shun

Related Commands

clear shun
shun

show snmp-server

To display information about the SNMP server configuration, use the show snmp-server command.

show snmp-server

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to display information about the SNMP server configuration:

fwsm/context_name(config)# show snmp-server
snmp-server host perimeter 10.1.2.42
snmp-server location Building 42, Sector 54
snmp-server contact Sherlock Holmes
snmp-server community wallawallabingbang

Related Commands

clear snmp-server
snmp-server

show ssh

To list all active Secure Shell (SSH) sessions on the FWSM, use the show ssh command.

show ssh sessions [client_ip]

show ssh timeout

Syntax Description

sessions

Displays all active SSH sessions on the FWSM.

ip_address

(Optional) IP address of the host or network that is authorized to initiate an SSH connection to the FWSM.

timeout

Specifies the SSH timeout.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The Session ID is a unique number that identifies an SSH session. The Client IP is the IP address of the system running an SSH client. The Version lists the protocol version number that the SSH client supports. The Encryption column lists the type of encryption that the SSH client is using. The State column lists the progress that the client is making as it interacts with the FWSM. The Username column lists the login username that has been authenticated for the session. The "FWSM" username appears when non-AAA authentication is used.

Table 2-26 lists the SSH states that appear in the State column:

Table 2-26 SSH States 

Number
SSH State

0

SSH_CLOSED

1

SSH_OPEN

2

SSH_VERSION_OK

3

SSH_SESSION_KEY_RECEIVED

4

SSH_KEYS_EXCHANGED

5

SSH_AUTHENTICATED

6

SSH_SESSION_OPEN

7

SSH_TERMINATE

8

SSH_SESSION_DISCONNECTING

9

SSH_SESSION_DISCONNECTED

10

SSH_SESSION_CLOSED


Examples

This example shows how to list all active SSH sessions on the FWSM:

fwsm/context_name(config)# show ssh sessions
Session ID      Client IP       Version Encryption      State   Username
    0           172.16.25.15    1.5     3DES            4       -
    1           172.16.38.112   1.5     DES             6       FWSM
    2           172.16.25.11    1.5     3DES            4       -

Related Commands

clear ssh
ssh

show startup-config

To display information about the FWSM startup configuration, use the show start-config command.

show startup-config

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: configuration and privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The show startup-config command allows you to display the startup configuration of the FWSM. The startup-config keyword is used to match the Cisco IOS software command. The show startup-config command output is the same as the preexisting FWSM show configure command. The show startup-config command is not needed for PDM but is provided for compatibility with Cisco IOS software.

You can use the startup-config keyword only in the show startup-config command. You cannot use the keyword with the no or clear, or as a standalone command. Because the CLI treats it as a nonsupported command, when you enter the ?, no ?, or clear ? keywords, the startup-config keyword is not listed in the command list.

Examples

This example shows how to display the FWSM startup configuration:

fwsm/context_name(config)# show startup-config
: Saved
: Written by enable_15 at 17:14:09.092 UTC Tue Apr 9 2002
FWSM Version 2.2(0)227
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname fwsmdoc515
domain-name cisco.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list inside_outbound_nat0_acl permit ip 10.1.3.0 255.255.255.0 10.1.2.0  
access-list inside_outbound_nat0_acl permit ip any any