Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference, 3.2
gateway -- http-map
Downloads: This chapterpdf (PDF - 566.0KB) The complete bookPDF (PDF - 41.41MB) | Feedback

gateway through hw-module module reset Commands

Table Of Contents

gateway through hw-module module reset Commands

gateway

global

group-delimiter

group-lock

group-object

group-policy

group-policy attributes

gtp-map

h225-map

help

hostname

hsi

hsi-group

http

http authentication-certificate

http server enable

http-map

hw-module module reset (IOS)


gateway through hw-module module reset Commands


gateway

To specify which group of call agents are managing a particular gateway, use the gateway command in MGCP map configuration mode. To remove the configuration, use the no form of this command.

gateway ip_address [group_id]

Syntax Description

gateway

Specifies the group of call agents that are managing a particular gateway

ip_address

The IP address of the gateway.

group_id

The ID of the call agent group, from 0 to 2147483647.


Defaults

This command is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

MGCP map configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

Use the gateway command to specify which group of call agents are managing a particular gateway. The IP address of the gateway is specified with the ip_address option. The group_id option is a number from 0 to 4294967295 that must correspond with the group_id of the call agents that are managing the gateway. A gateway may only belong to one group.

Examples

The following example allows call agents 10.10.11.5 and 10.10.11.6 to control gateway 10.10.10.115, and allows call agents 10.10.11.7 and 10.10.11.8 to control both gateways 10.10.10.116 and 10.10.10.117:

hostname(config)# mgcp-map mgcp_policy
hostname(config-mgcp-map)# call-agent 10.10.11.5 101
hostname(config-mgcp-map)# call-agent 10.10.11.6 101
hostname(config-mgcp-map)# call-agent 10.10.11.7 102
hostname(config-mgcp-map)# call-agent 10.10.11.8 102
hostname(config-mgcp-map)# gateway 10.10.10.115 101
hostname(config-mgcp-map)# gateway 10.10.10.116 102
hostname(config-mgcp-map)# gateway 10.10.10.117 102

Related Commands

Commands
Description

debug mgcp

Enables the display of debug information for MGCP.

mgcp-map

Defines an MGCP map and enables MGCP map configuration mode.

show mgcp

Displays MGCP configuration and session information.


global

To create a pool of mapped addresses for NAT, use the global command in global configuration mode. To remove the pool of addresses, use the no form of this command.

global (mapped_ifc) nat_id {mapped_ip[-mapped_ip] [netmask mask] | interface}

no global (mapped_ifc) nat_id {mapped_ip[-mapped_ip] [netmask mask] | interface}

Syntax Description

interface

Uses the interface IP address as the mapped address.

mapped_ifc

Specifies the name of the interface connected to the mapped IP address network.

mapped_ip[-mapped_ip]

Specifies the mapped address(es) to which you want to translate the real addresses when they exit the mapped interface. If you specify a single address, then you configure PAT. If you specify a range of addresses, then you configure dynamic NAT.

If the external network is connected to the Internet, each global IP address must be registered with the Network Information Center (NIC).

nat_id

Specifies an integer for the NAT ID. This ID is referenced by the nat command to associate a mapped pool with the real addresses to translate.

For regular NAT, this integer is between 1 and 2147483647. For policy NAT (nat id access-list), this integer is between 1 and 65535.

Do not specify a global command for NAT ID 0; 0 is reserved for identity NAT and NAT exemption, which do not use a global command.

netmask mask

(Optional) Specifies the network mask for the mapped_ip. This mask does not specify a network when paired with the mapped_ip; rather, it specifies the subnet mask assigned to the mapped_ip when it is assigned to a host. If you want to configure a range of addresses, you need to specify mapped_ip-mapped_ip.

If you do not specify a mask, then the default mask for the address class is used.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

1.1(1)

This command was introduced.

3.2.(1)

NAT is now supported in transparent firewall mode.


Usage Guidelines

For dynamic NAT and PAT, you first configure a nat command identifying the real addresses on a given interface that you want to translate. Then you configure a separate global command to specify the mapped addresses when exiting another interface (in the case of PAT, this is one address). Each nat command matches a global command by comparing the NAT ID, a number that you assign to each command.

See the nat command for more information about dynamic NAT and PAT.

If you change the NAT configuration, and you do not want to wait for existing translations to time out before the new NAT information is used, you can clear the translation table using clear xlate command. However, clearing the translation table disconnects all of the current connections.

Examples

For example, to translate the 10.1.1.0/24 network on the inside interface, enter the following command:

hostname(config)# nat (inside) 1 10.1.1.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.1-209.165.201.30

To identify a pool of addresses for dynamic NAT as well as a PAT address for when the NAT pool is exhausted, enter the following commands:

hostname(config)# nat (inside) 1 10.1.1.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.5
hostname(config)# global (outside) 1 209.165.201.10-209.165.201.20

To translate the lower security DMZ network addresses so they appear to be on the same network as the inside network (10.1.1.0), for example, to simplify routing, enter the following commands:

hostname(config)# nat (dmz) 1 10.1.2.0 255.255.255.0 outside dns
hostname(config)# global (inside) 1 10.1.1.45

To identify a single real address with two different destination addresses using policy NAT, enter the following commands:

hostname(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.0 209.165.201.0 
255.255.255.224
hostname(config)# access-list NET2 permit ip 10.1.2.0 255.255.255.0 209.165.200.224 
255.255.255.224
hostname(config)# nat (inside) 1 access-list NET1 tcp 0 2000 udp 10000
hostname(config)# global (outside) 1 209.165.202.129
hostname(config)# nat (inside) 2 access-list NET2 tcp 1000 500 udp 2000
hostname(config)# global (outside) 2 209.165.202.130

To identify a single real address/destination address pair that use different ports using policy NAT, enter the following commands:

hostname(config)# access-list WEB permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 
255.255.255.255 eq 80
hostname(config)# access-list TELNET permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 
255.255.255.255 eq 23
hostname(config)# nat (inside) 1 access-list WEB
hostname(config)# global (outside) 1 209.165.202.129
hostname(config)# nat (inside) 2 access-list TELNET
hostname(config)# global (outside) 2 209.165.202.130

Related Commands

Command
Description

clear configure global

Removes global commands from the configuration.

nat

Specifies the real addresses to translate.

show running-config global

Displays the global commands in the configuration.

static

Configures a one-to-one translation.


group-delimiter

To enable group-name parsing and specify the delimiter to be used when parsing group names from the user names that are received when tunnels are being negotiated, use the group-delimiter command in global configuration mode. To disable this group-name parsing, use the no form of this command.

group-delimiter delimiter

no group-delimiter

Syntax Description

delimiter

Specifies the character to use as the group-name delimiter.
Valid values are: @, #, and !.


Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

By default, no delimiter is specified, disabling group-name parsing.

Examples

This example shows the group-delimiter command to change the group delimiter to the hash mark (#):

hostname(config)# group-delimiter #

Related Commands

Command
Description

show running-config group-delimiter

Displays the current group-delimiter value.

strip-group

Enables or disables strip-group processing.


group-lock

To restrict remote users to access through the tunnel group only, issue the group-lock command in group-policy configuration mode or username configuration mode.

To remove the group-lock attribute from the running configuration, use the no form of this command. This option allows inheritance of a value from another group policy. To disable group-lock, use the group-lock none command.

Group-lock restricts users by checking if the group configured in the VPN client is the same as the tunnel group to which the user is assigned. If it is not, the FWSM prevents the user from connecting. If you do not configure group-lock, the FWSM authenticates users without regard to the assigned group.

group-lock {value tunnel-grp-name | none}

no group-lock

Syntax Description

none

Sets group-lock to a null value, thereby allowing no group-lock restriction. Prevents inheriting a group-lock value from a default or specified group policy.

value tunnel-grp-name

Specifies the name of an existing tunnel group that the FWSM requires for the user to connect.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy

Username


Command History

Release
Modification

3.1(1)

This command was introduced.


Examples

The following example shows how to set group lock for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# group-lock value tunnel group name

group-object

To add network object groups, use the group-object command in protocol, network, service, and icmp-type configuration modes. To remove network object groups, use the no form of this command.

group-object obj_grp_id

no group-object obj_grp_id

Syntax Description

obj_grp_id

Identifies the object group (one to 64 characters) and can be any combination of letters, digits, and the "_", "-", "." characters.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Protocol, network, service, icmp-type configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

The group-object command is used with the object-group command to define an object that itself is an object group. It is used in protocol, network, service, and icmp-type configuration modes. This command allows logical grouping of the same type of objects and construction of hierarchical object groups for structured configuration.

Duplicate objects are allowed in an object group if they are group objects. For example, if object 1 is in both group A and group B, it is allowed to define a group C which includes both A and B. It is not allowed, however, to include a group object which causes the group hierarchy to become circular. For example, it is not allowed to have group A include group B and then also have group B include group A.

The maximum allowed levels of a hierarchical object group is 10.

Examples

The following example shows how to use the group-object command in network configuration mode eliminate the need to duplicate hosts:

hostname(config)# object-group network host_grp_1
hostname(config-network)# network-object host 192.168.1.1
hostname(config-network)# network-object host 192.168.1.2 
hostname(config-network)# exit
hostname(config)# object-group network host_grp_2
hostname(config-network)# network-object host 172.23.56.1
hostname(config-network)# network-object host 172.23.56.2
hostname(config-network)# exit
hostname(config)# object-group network all_hosts
hostname(config-network)# group-object host_grp_1
hostname(config-network)# group-object host_grp_2
hostname(config-network)# exit
hostname(config)# access-list grp_1 permit tcp object-group host_grp_1 any eq ftp
hostname(config)# access-list grp_2 permit tcp object-group host_grp_2 any eq smtp
hostname(config)# access-list all permit tcp object-group all-hosts any eq w

Related Commands

Command
Description

clear configure object-group

Removes all the object-group commands from the configuration.

network-object

Adds a network object to a network object group.

object-group

Defines object groups to optimize your configuration.

port-object

Adds a port object to a service object group.

show running-config object-group

Displays the current object groups.


group-policy

To create or edit a group policy, use the group-policy command in global configuration mode. To remove a group policy from the configuration, use the no form of this command.

group-policy name {internal [from group-policy_name] | external server-group server_group password server_password}

no group-policy name

Syntax Description

external server-group server_group

Specifies the group policy as external and identifies the AAA server group for the FWSM to query for attributes.

from group-policy_name

Initializes the attributes of this internal group policy to the values of a pre-existing group policy.

internal

Identifies the group policy as internal.

name

Specifies the name of the group policy.

password server_password

Provides the password to use when retrieving attributes from the external AAA server group.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

A default group policy, named "DefaultGroupPolicy," always exists on the FWSM. However, this default group policy does not take effect unless you configure the FWSM to use it. For configuration instructions, see the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide.

The DefaultGroupPolicy has these AVPs:

Attribute
Default Value

wins-server

none

dns-server

none

vpn-access-hours

unrestricted

vpn-simultaneous-logins

3

vpn-idle-timeout

30 minutes

vpn-session-timeout

none

vpn-filter

none

vpn-tunnel-protocol

IPSec WebVPN

ip-comp

disable

re-xauth

disable

group-lock

none

pfs

disable

client-access-rules

none

banner

none

password-storage

disabled

ipsec-udp

disabled

ipsec-udp-port

10000

backup-servers

keep-client-config

split-tunnel-policy

tunnelall

split-tunnel-network-list

none

default-domain

none

split-dns

none

client-firewall

none

secure-unit-authentication

disabled

user-authentication

disabled

user-authentication-idle-timeout

none

ip-phone-bypass

disabled

leap-bypass

disabled

nem

disabled


Examples

The following example shows how to create an internal group policy with the name "FirstGroup":

hostname(config)# group-policy FirstGroup internal

The following example shows how to create an external group policy with the name "ExternalGroup," the AAA server group "BostonAAA," and the password "12345678":

hostname(config)# group-policy ExternalGroup external server-group BostonAAA password 
12345678

Related Commands

Command
Description

clear configure group-policy

Removes the configuration for a particular group policy or for all group policies.

group-policy attributes

Enters group-policy attributes mode, which lets you configure AVPs for a specified group policy.

show running-config group-policy

Displays the running configuration for a particular group policy or for all group policies.


group-policy attributes

To enter the group-policy attributes mode, use the group-policy attributes command in global configuration mode. To remove all attributes from a group policy, user the no version of this command. The attributes mode lets you configure AVPs for a specified group policy.

group-policy name attributes

no group-policy name attributes

Syntax Description

name

Specifies the name of the group policy.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

The syntax of the commands in attributes mode have the following characteristics in common:

The no form removes the attribute from the running configuration, and enables inheritance of a value from another group policy.

The none keyword sets the attribute in the running configuration to a null value, thereby preventing inheritance.

Boolean attributes have explicit syntax for enabled and disabled settings.

Examples

The following example shows how to enter group-policy attributes mode for the group policy named "FirstGroup":

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)#

Related Commands

Command
Description

clear configure group-policy

Removes the configuration for a particular group policy or for all group policies.

group-policy

Creates, edits, or removes a group policy.

show running-config group-policy

Displays the running configuration for a particular group policy or for all group policies.


gtp-map

To identify a specific map to use for defining the parameters for GTP, use the gtp-map command in global configuration mode. To remove the map, use the no form of this command.

gtp-map map_name

no gtp-map map_name


Note GTP inspection requires a special license. If you enter the gtp-map command on a FWSM without the required license, the FWSM displays an error message.


Syntax Description

map_name

The name of the GTP map.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

GPRS is a data network architecture that is designed to integrate with existing GSM networks. It offers mobile subscribers uninterrupted, packet-switched data services to corporate networks and the Internet. For an overview of GTP and how the FWSM ensures secure access over wireless networks, refer to the "Applying Application Layer Protocol Inspection" chapter in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide.

Use the gtp-map command to identify a specific map to use for defining the parameters for GTP. When you enter this command, the system enters a configuration mode that lets you enter the different commands used for defining the specific map. After defining the GTP map, you use the inspect gtp command to enable the map. Then you use the class-map, policy-map, and service-policy commands to define a class of traffic, to apply the inspect command to the class, and to apply the policy to one or more interfaces.

Table 13-1 GTP Map Configuration Commands

Command
Description

description

Specifies the GTP configuration map description.

drop

Specifies the message ID, APN, or GTP version to drop.

mcc

Specifies the three-digit Mobile Country Code (000 - 999). One or two- digit entries will be prepended with 0s

message-length

Specifies the message length min and max.

permit errors

Permits packets with errors or different GTP versions.

request-queue

Specifies the maximum requests allowed in the queue.

timeout (gtp-map)

Specifies the idle timeout for the GSN, PDP context, requests, signaling connections, and tunnels.

tunnel-limit

Specifies the maximum number of tunnels allowed.


Examples

The following example shows how to use the gtp-map command to identify a specific map (gtp-policy) to use for defining the parameters for GTP:

hostname(config)# gtp-map qtp-policy
hostname(config-gtpmap)# 

The following example shows how to use access lists to identify GTP traffic, define a GTP map, define a policy, and apply the policy to the outside interface:

hostname(config)# access-list gtp-acl permit udp any any eq 3386 
hostname(config)# access-list gtp-acl permit udp any any eq 2123
hostname(config)# class-map gtp-traffic 
hostname(config-cmap)# match access-list gtp-acl 
hostname(config-cmap)# exit
hostname(config)# gtp-map gtp-policy
hostname(config-gtpmap)# request-queue 300
hostname(config-gtpmap)# permit mcc 111 mnc 222
hostname(config-gtpmap)# message-length min 20 max 300
hostname(config-gtpmap)# drop message 20
hostname(config-gtpmap)# tunnel-limit 10000 
hostname(config)# policy-map inspection_policy 
hostname(config-pmap)# class gtp-traffic 
hostname(config-pmap-c)# inspect gtp gtp-policy 
hostname(config)# service-policy inspection_policy outside

Related Commands

Commands
Description

class-map

Defines the traffic class to which to apply security actions.

clear service-policy inspect gtp

Clears global GTP statistics.

debug gtp

Displays detailed information about GTP inspection.

inspect gtp

Applies a specific GTP map to use for application inspection.

show service-policy inspect gtp

Displays the GTP configuration.


h225-map

To define an H.225 application inspection map, use the h225-map command in global configuration mode. To remove the map, use the no form of this command.

h225-map map_name

no h225-map map_name

Syntax Description

map_name

The name of the H.225 map.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

FWSM 3.1

This command was introduced.


Usage Guidelines

An H.225 map allows the FWSM to open dynamic, port-specific pinholes for an H.245 connection when an HSI is involved in H.225 call-signalling.

. The H.225 map provides information about the HSI and its associated endpoints, which is required to establish this connection without compromising the security of the network protected by the FWSM.

When you enter the h225-map command, the system enters the H.225 map configuration mode, which lets you enter the different commands used for defining the specific map.

One H.225 map can contain a maximum of five HSI groups. Each HSI group can contain a maximum of ten endpoints.

Examples

The following example shows how to define an H.225 map.

hostname(config)# h225-map sample_map
hostname(config-h225-map)# hsi-group 1
hostname(config-h225-map-hsi-grp)# hsi 10.10.15.11 
hostname(config-h225-map-hsi-grp)# endpoint 10.3.6.1 inside
hostname(config-h225-map-hsi-grp)# endpoint 10.10.25.5 outside
hostname(config-h225-map-hsi-grp)# exit

Related Commands

Commands
Description

endpoint

Defines the endpoint associated with an HSI group.

hsi

Defines the HSI associated with an HSI group.

hsi-group

Defines an HSI group and enables HSI group configuration mode.

inspect h323 h225

Applies an H.225 map to H.323 application inspection.


help

To display help information for the command specified, use the help command in user EXEC mode.

help {command | ?}

Syntax Description

command

Specifies the command for which to display the CLI help.

?

Displays all commands that are available in the current privilege level and mode.


Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

User EXEC


Command History

Release
Modification

1.1(1)

This command was introduced.


Usage Guidelines

The help command displays help information about all commands. You can see help for an individual command by entering the help command followed by the command name. If you do not specify a command name and enter ? instead, all commands that are available in the current privilege level and mode display.

If you enable the pager command and when 24 lines display, the listing pauses, and the following prompt appears:

<--- More --->

The More prompt uses syntax similar to the UNIX more command as follows:

To see another screen of text, press the Space bar.

To see the next line, press the Enter key.

To return to the command line, press the q key.

Examples

The following example shows how to display help for the rename command:

hostname# help rename

USAGE:

        rename /noconfirm [{disk0:|disk1:|flash:}] <source path> [{disk0:|disk1:
|flash:}] <destination path>

DESCRIPTION:

rename          Rename a file

SYNTAX:

/noconfirm                      No confirmation
{disk0:|disk1:|flash:} Optional parameter that specifies the filesystem
<source path>           Source file path
<destination path>      Destination file path

hostname#

The following examples shows how to display help by entering the command name and a question mark:

hostname(config)# enable ?
usage: enable password <pwd> [encrypted]

Help is available for the core commands (not the show, no, or clear commands) by entering   ? at the command prompt:

hostname(config)# ?
aaa                                                                                          Enable, disable, or view TACACS+ or RADIUS
                                                                                                                user authentication, authorization and accounting
...

Related Commands

Command
Description

show version

Displays information about the operating system software.


hostname

To set the FWSM hostname, use the hostname command in global configuration mode. To restore the default hostname, use the no form of this command. The hostname appears as the command line prompt, and if you establish sessions to multiple devices, the hostname helps you keep track of where you enter commands.

hostname name

no hostname [name]

Syntax Description

name

Specifies a hostname up to 63 characters. A hostname must start and end with a letter or digit, and have as interior characters only letters, digits, or a hyphen.


Defaults

The default is FWSM.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

1.1(1)

This command was introduced.


Usage Guidelines

For multiple context mode, the hostname that you set in the system execution space appears in the command line prompt for all contexts.

The hostname that you optionally set within a context does not appear in the command line, but can be used for the banner command $(hostname) token.

Examples

The following example sets the hostname to firewall1:

hostname(config)# hostname firewall1
firewal11(config)# 

Related Commands

Command
Description

banner

Sets a login, message of the day, or enable banner.

domain-name

Sets the default domain name.


hsi

To associate an HSI with an HSI group, use the hsi command in HSI group configuration mode. To remove the HSI, use the no form of this command.

hsi ip address

no hsi ip address

Syntax Description

ip address

The IP address of the HSI.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

HSI group configuration


Command History

Release
Modification

FWSM 3.1

This command was introduced.


Usage Guidelines

An HSI group allows the FWSM to open dynamic, port-specific pinholes for enabling H.323 connections when a Cisco CallManager tries to establish a connection between H.323 endpoints.

Up to five HSI groups can be associated with a single H.225 map. Each HSI group can contain a maximum of ten endpoints.

Examples

The following example shows how to define an H.225 map.

hostname(config)# h225-map hmap
hostname(config-h225-map)# hsi-group 1
hostname(config-h225-map-hsi-grp)# hsi 10.10.15.11 
hostname(config-h225-map-hsi-grp)# endpoint 10.3.6.1 inside
hostname(config-h225-map-hsi-grp)# endpoint 10.10.25.5 outside
hostname(config-h225-map-hsi-grp)# exit

Related Commands

Commands
Description

endpoint

Defines the endpoint associated with an HSI group.

hsi-group

Defines an HSI group and enables HSI group configuration mode.

h225-map

Defines an H.225 map and enables H.225 map configuration mode.

inspect h323 h225

Applies an H.225 map to H.323 application inspection.


hsi-group

To define an HSI group, use the hsi-group command in H.225 map configuration mode. To remove the HSI group, use the no form of this command.

hsi-group group_ID

no hsi-group group_ID

Syntax Description

group_name

A number, from 0 to 2147483647, that identifies the HSI group.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

H.225 map configuration


Command History

Release
Modification

FWSM 3.1

This command was introduced.


Usage Guidelines

When you enter the hsi-group command, the system enters the HSI group configuration mode, which lets you enter the different commands used for defining the specific map.

A HSI group allows the FWSM to open dynamic, port-specific pinholes for an H.245 connection when an HSI is involved in H.225 call-signalling.

Up to five HSI groups can be associated with a single H.225 map. Each HSI group can contain a maximum of ten endpoints. You must configure an HSI within the group before configuring any endpoints. You must remove all endpoints and the HSI before removing the HSI group.

Examples

The following example shows how to define an H.225 map.

hostname(config)# h225-map hmap
hostname(config-h225-map)# hsi-group 1
hostname(config-h225-map-hsi-grp)# hsi 192.168.100.1
hostname(config-h225-map-hsi-grp)# endpoint 192.168.100.101 
hostname(config-h225-map-hsi-grp)# endpoint 192.168.100.102 
hostname(config-h225-map-hsi-grp)# exit
hostname(config-h225-map)# hsi-group 2
hostname(config-h225-map-hsi-grp)# hsi 192.168.200.1
hostname(config-h225-map-hsi-grp)# endpoint 192.168.200.101 
hostname(config-h225-map-hsi-grp)# endpoint 192.168.200.102 
hostname(config-h225-map-hsi-grp)# exit

Related Commands

Commands
Description

endpoint

Defines the endpoint associated with an HSI group.

hsi

Defines the HSI associated with an HSI group.

h225-map

Defines an H.225 map and enables H.225 map configuration mode.

inspect h323 h225

Applies an H.225 map to H.323 application inspection.


http

To specify hosts that can access the HTTP server internal to the FWSM, use the http command in global configuration mode. To remove one or more hosts, use the no form of this command. To remove the attribute from the configuration, use the no form of this command without arguments.

http ip_address subnet_mask interface_name

no http

Syntax Description

interface_name

Provides the name of the FWSM interface through which the host can access the HTTP server.

ip_address

Provides the IP address of a host that can access the HTTP server.

subnet_mask

Provides the subnet mask of a host that can access the HTTP server.


Defaults

No hosts can access the HTTP server.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

1.1(1)

This command was introduced.


Examples

The following example shows how to allow the host with the IP address of 10.10.99.1 and the subnet mask of 255.255.255.255 access to the HTTP server via the outside interface:

hostname(config)# http 10.10.99.1 255.255.255.255 outside

The next example shows how to allow any host access to the HTTP server via the outside interface:

hostname(config)# http 0.0.0.0 0.0.0.0 outside

Related Commands

Command
Description

clear configure http

Removes the HTTP configuration: disables the HTTP server and removes hosts that can access the HTTP server.

http authentication-certificate

Requires authentication via certificate from users who are establishing HTTPS connections to the FWSM.

http server enable

Enables the HTTP server.

show running-config http

Displays the hosts that can access the HTTP server, and whether or not the HTTP server is enabled.


http authentication-certificate

To require authentication via certificate from users who are establishing HTTPS connections, use the http authentication-certificate command in global configuration mode. To remove the attribute from the configuration, use the no version of this command. To remove all http authentication-certificate commands from the configuration, use the no version without arguments.

The FWSM validates certificates against the PKI trust points. If a certificate does not pass validation, the FWSM closes the SSL connection.

http authentication-certificate interface

no http authentication-certificate [interface]

Syntax Description

interface

Specifies the interface on the FWSM that requires certificate authentication.


Defaults

HTTP certificate authentication is disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

3.1(1)

Support for this command was introduced.


Usage Guidelines

You can configure certificate authentication for each interface, such that connections on a trusted/inside interface do not have to provide a certificate. You can use the command multiple times to enable certificate authentication on multiple interfaces.

Validation occurs before the URL is known, so this affects both WebVPN and ASDM access.

The ASDM uses its own authentication method in addition to this value. That is, it requires both certificate and username/password authentication if both are configured, or just username/password if certificate authentication is disabled.

Examples

The following example shows how to require certificate authentication for clients connecting to the interfaces named outside and external:

hostname(config)# http authentication-certificate inside
hostname(config)# http authentication-certificate external

Related Commands

Command
Description

clear configure http

Removes the HTTP configuration: disables the HTTP server and removes hosts that can access the HTTP server.

http

Specifies hosts that can access the HTTP server by IP address and subnet mask. Specifies the FWSM interface through which the host accesses the HTTP server.

http server enable

Enables the HTTP server.

show running-config http

Displays the hosts that can access the HTTP server, and whether or not the HTTP server is enabled.


http server enable

To enable the FWSM HTTPS server for ASDM, use the http server enable command in global configuration mode. To disable the HTTPS server, use the no form of this command.

http server enable

no http server enable

Defaults

The HTTP server is disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

1.1(1)

This command was introduced.


Examples

The following example shows how to enable the HTTPS server.

hostname(config)# http server enable

Related Commands

Command
Description

clear configure http

Removes the HTTP configuration: disables the HTTP server and removes hosts that can access the HTTPS server.

http

Specifies hosts that can access the HTTPS server by IP address and subnet mask. Specifies the FWSM interface through which the host accesses the HTTPS server.

http authentication-certificate

Requires authentication via certificate from users who are establishing HTTPS connections to the FWSM.

show running-config http

Displays the hosts that can access the HTTPS server, and whether or not the HTTPS server is enabled.


http-map

To create an HTTP map for applying enhanced HTTP inspection parameters, use the http-map command in global configuration mode. To remove the command, use the no form of this command.

http-map map_name

no http-map map_name

Syntax Description

map_name

The name of the HTTP map.


Defaults

This command is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

The enhanced HTTP inspection feature, which is also known as an application firewall, verifies that HTTP messages conform to RFC 2616, use RFC-defined and supported extension methods, and comply with various other criteria. This can help prevent attackers from using HTTP messages for circumventing network security policy.


Note When you enable HTTP inspection with an HTTP map, strict HTTP inspection with the action reset and log is enabled by default. You can change the actions performed in response to inspection failure, but you cannot disable strict inspection as long as the HTTP map remains enabled.


In many cases, you can configure the criteria and how the FWSM responds when the criteria are not met. The criteria that you can apply to HTTP messages include the following:

Does not include any method on a configurable list.

Message body size is within configurable limits.

Request and response message header size is within a configurable limit.

URI length is within a configurable limit.

The content-type in the message body matches the header.

The content-type in the response message matches the accept-type field in the request message.

The content-type in the message is included in a predefined internal list.

Message meets HTTP RFC format criteria.

Presence or absence of selected supported applications.

Presence or absence of selected encoding types.


Note The actions that you can specify for messages that fail the criteria set using the different configuration commands include allow, reset, or drop. In addition to these actions, you can specify to log the event or not.


Table 13-2 summarizes the configuration commands available in HTTP map configuration mode. For detailed syntax for a command, see the corresponding command entry in this guide.

Table 13-2 HTTP Map Configuration Commands

Command
Description

content-length

Enables inspection based on the length of the HTTP content.

content-type-verification

Enables inspection based on the type of HTTP content.

max-header-length

Enables inspection based on the length of the HTTP header.

max-uri-length

Enables inspection based on the length of the URI.

port-misuse

Enables port misuse application inspection.

request-method

Enables inspection based on the HTTP request method.

strict-http

Enables strict HTTP inspection.

transfer-encoding

Enables inspection based on the transfer encoding type.


Examples

The following is sample output showing how to identify HTTP traffic, define an HTTP map, define a policy, and apply the policy to the outside interface.

hostname(config)# class-map http-port 
hostname(config-cmap)# match port tcp eq 80
hostname(config-cmap)# exit
hostname(config)# http-map inbound_http
hostname(config-http-map)# content-length min 100 max 2000 action reset log
hostname(config-http-map)# content-type-verification match-req-rsp reset log
hostname(config-http-map)# max-header-length request bytes 100 action log reset
hostname(config-http-map)# max-uri-length 100 action reset log
hostname(config-http-map)# exit
hostname(config)# policy-map inbound_policy 
hostname(config-pmap)# class http-port
hostname(config-pmap-c)# inspect http inbound_http 
hostname(config-pmap-c)# exit
hostname(config-pmap)# exit
hostname(config)# service-policy inbound_policy interface outside

This example causes the FWSM to reset the connection and create a syslog entry when it detects any traffic that contain the following:

Messages less than 100 bytes or exceeding 2000 bytes

Unsupported content types

HTTP headers exceeding 100 bytes

URIs exceeding 100 bytes

Related Commands

Commands
Description

class-map

Defines the traffic class to which to apply security actions.

debug appfw

Displays detailed information about HTTP application inspection.

debug http-map

Displays detailed information about traffic associated with an HTTP map.

inspect http

Applies a specific HTTP map to use for application inspection.

policy-map

Associates a class map with specific security actions.


hw-module module reset (IOS)

To restart the FWSM from the switch CLI, enter the hw-module module reset command in privileged EXEC mode.

hw-module module mod_num reset [cf:n] [mem-test-full]

Syntax Description

cf:n

(Optional) Reboots from a particular boot partition. Application partitions include cf:4 (the default) and cf:5. The maintenance partition is cf:1.

mem-test-full

(Optional) Runs a full memory test, which takes approximately 6 minutes.

mod_num

Specifies the module number. Use the show module command to view installed modules and their numbers.


Defaults

The default boot partition is cf:4.

Command Modes

Privileged EXEC.

Command History

Release
Modification

Preexisting

This command was preexisting.


Examples

The following example shows how to reset the FWSM installed in slot 9. The default boot partition is used.

Router# hw-module module 9 reset

Proceed with reload of module? [confirm] y
% reset issued for module 9

Router#
00:26:55:%SNMP-5-MODULETRAP:Module 9 [Down] Trap
00:26:55:SP:The PC in slot 8 is shutting down. Please wait ...

Related Commands

Command
Description

boot device

Specifies the default boot partition.

show boot device

Shows the boot partitions of each module.

show module

Shows all installed modules.