Cisco PIX Firewall Command Reference, Version 6.2
Using PIX Firewall Commands
Downloads: This chapterpdf (PDF - 205.0KB) | Feedback

Using PIX Firewall Commands

Table Of Contents

Using PIX Firewall Commands

Introduction

Tips

For more information

Access Modes

Ports

Protocols


Using PIX Firewall Commands


This chapter introduces the Cisco PIX Firewall Command Reference and contains the following sections:

Introduction

Access Modes

Ports

Protocols

Introduction

This section provides a brief introduction to using PIX Firewall commands and where to go for more information on configuring and using your PIX Firewall.

The following table lists some basic PIX Firewall commands.

Task
Related Command

Saving my configuration

write memory

Viewing my configuration

write terminal

Accumulating system log (syslog) messages

logging buffered debugging

Viewing system log (syslog) messages

show logging

Clearing the message buffer

clear logging


Tips

When using the PIX Firewall command-line interface (CLI), you can do the following:

Check the syntax before entering a command. Enter a command and press the Enter key to view a quick summary, or precede a command with help, as in, help aaa.

Abbreviate commands. For example, you can use the config t command to start configuration mode, the write t command statement to list the configuration, and write m to write to Flash memory. Also, in most commands, show can be abbreviated as sh. This feature is called command completion.

After changing or removing the alias, access-list, conduit, global, nat, outbound, and static commands, use the clear xlate command to make the IP addresses available for access.

Review possible port and protocol numbers at the following IANA websites:

http://www.iana.org/assignments/port-numbers
http://www.iana.org/assignments/protocol-numbers

Create your configuration in a text editor and then cut and paste it into the configuration. PIX Firewall lets you paste in a line at a time or the whole configuration. Always check your configuration after pasting large blocks of text to be sure everything copied.

For more information

For information about how to build your PIX Firewall configuration, please refer to the
Cisco PIX Firewall and VPN Configuration Guide.

Syslog messages are fully described in Cisco PIX Firewall System Log Messages.

For information about how to use Cisco PIX Device Manager (PDM), please refer to the online Help included in the PDM software (accessed through the PDM application Help button). For information about how to install PDM, please refer to the Cisco PIX Device Manager Installation Guide.

PIX Firewall technical documentation is located online at the following website:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/

Access Modes

The PIX Firewall contains a command set based on Cisco IOS technologies and provides configurable command privilege modes:

Unprivileged mode is available when you first access the PIX Firewall and displays the ">" prompt. This mode lets you view restricted settings.

Privileged mode displays the "#" prompt and lets you change current settings. Any unprivileged command also works in privileged mode. Use the enable command to start privileged mode and the disable, exit, or quit commands to exit.

Configuration mode displays the "(config)#" prompt and lets you change system configurations. All privileged, unprivileged, and configuration commands work in this mode. Use the configure terminal command to start configuration mode and the exit or quit commands to exit.

Ports

Lliteral names can be used instead of a numerical port values in commands.

The PIX Firewall permits the following TCP literal names: bgp, chargen, cmd, citrix-ica, daytime, discard, domain, echo, exec, finger, ftp, ftp-data, gopher, h323, hostname, http, ident, irc, klogin, kshell, lpd, nntp, pop2, pop3, pptp, rpc, smtp, sqlnet, sunrpc, tacacs, talk, telnet, time, uucp, whois, and www.


Note PIX Firewall uses port 1521 for SQL*Net. This is the default port used by Oracle for SQL*Net; however, this value does not agree with IANA port assignments.

PIX Firewall listens for RADIUS on ports 1645 and 1646. If your RADIUS server uses ports 1812 and 1813, you will need to reconfigure it to listen on ports 1645 and 1646.

To assign a port for DNS access, use domain, not dns. The dns keyword translates into the port value for dnsix.


Permitted UDP literal names are biff, bootpc, bootps, discard, dnsix, echo, mobile-ip, nameserver, netbios-dgm, netbios-ns, ntp, rip, snmp, snmptrap, sunrpc, syslog, tacacs, talk, tftp, time, who, and xdmcp.

Port numbers can be viewed online at the IANA website:

http://www.iana.org/assignments/port-numbers

Table 2-1 lists the port literal values.

Table 2-1 Port Literal Values 

Literal
Value
Description

bgp

179

Border Gateway Protocol, RFC 1163

biff

512

Used by mail system to notify users that new mail is received

bootpc

68

Bootstrap Protocol Client

bootps

67

Bootstrap Protocol Server

chargen

19

Character Generator

citrix-ica

1494

Citrix Independent Computing Architecture (ICA) protocol

cmd

514

Similar to exec except that cmd has automatic authentication

daytime

13

Day time, RFC 867

discard

9

Discard

domain

53

DNS (Domain Name System)

dnsix

195

DNSIX Session Management Module Audit Redirector

echo

7

Echo

exec

512

Remote process execution

finger

79

Finger

ftp

21

File Transfer Protocol (control port)

ftp-data

20

File Transfer Protocol (data port)

gopher

70

Gopher

hostname

101

NIC Host Name Server

nameserver

42

Host Name Server

ident

113

Ident authentication service

irc

194

Internet Relay Chat protocol

isakmp

500

ISAKMP

klogin

543

KLOGIN

kshell

544

Korn Shell

lpd

515

Line Printer Daemon - printer spooler

login

513

Remote login

mobile-ip

434

MobileIP-Agent

netbios-ns

137

NETBIOS Name Service

netbios-dgm

138

NETBIOS Datagram Service

nntp

119

Network News Transfer Protocol

ntp

123

Network Time Protocol

pim-auto-rp

496

Protocol Independent Multicast, reverse path flooding, dense mode

pop2

109

Post Office Protocol - Version 2

pop3

110

Post Office Protocol - Version 3

radius

1645, 1646

Remote Authentication Dial-In User Service

rip

520

Routing Information Protocol

smtp

25

Simple Mail Transport Protocol

snmp

161

Simple Network Management Protocol

snmptrap

162

Simple Network Management Protocol - Trap

sqlnet

1521

Structured Query Language Network

sunrpc

111

Sun RPC (Remote Procedure Call)

syslog

514

System Log

tacacs

49

TACACS+ (Terminal Access Controller Access Control System Plus)

talk

517

Talk

telnet

23

RFC 854 Telnet

tftp

69

Trivial File Transfer Protocol

time

37

Time

uucp

540

UNIX-to-UNIX Copy Program

who

513

Who

whois

43

Who Is

www

80

World Wide Web

xdmcp

177

X Display Manager Control Protocol, used to communicate between X terminals and workstations running UNIX


Protocols

Possible literal values are ahp, eigrp, esp, gre, icmp, igmp, igrp, ip, ipinip, ipsec, nos, ospf, pcp, snp, tcp, and udp. You can also specify any protocol by number. The esp and ah protocols only work in conjunction with Private Link.

Protocol numbers can be viewed online at the IANA website:

http://www.iana.org/assignments/port-numbers


Note Many routing protocols use multicast packets to transmit their data. If you send routing protocols across the PIX Firewall, configure the surrounding routers with the Cisco IOS software neighbor command. If routes on an unprotected interface are corrupted, the routes transmitted to the protected side of the firewall will pollute routers there as well.


Table 2-2 lists the numeric values for the protocol literals.

Table 2-2 Protocol Literal Values 

Literal
Value
Description

ah

51

Authentication Header for IPv6, RFC 1826

eigrp

88

Enhanced Interior Gateway Routing Protocol

esp

50

Encapsulated Security Payload for IPv6, RFC 1827

gre

47

General Routing Encapsulation

icmp

1

Internet Control Message Protocol, RFC 792

igmp

2

Internet Group Management Protocol, RFC 1112

igrp

9

Interior Gateway Routing Protocol

ip

0

Internet Protocol

ipinip

4

IP-in-IP encapsulation

nos

94

Network Operating System (Novell's NetWare)

ospf

89

Open Shortest Path First routing protocol, RFC 1247

pcp

108

Payload Compression Protocol

snp

109

Sitara Networks Protocol

tcp

6

Transmission Control Protocol, RFC 793

udp

17

User Datagram Protocol, RFC 768