Cisco PIX Firewall Command Reference, Version 6.3
C Commands
Downloads: This chapterpdf (PDF - 807.0KB) The complete bookPDF (PDF - 4.41MB) | Feedback

C Commands

Table Of Contents

C Commands

ca

ca generate rsa key

capture

clear

clock

conduit

configure

console

copy

crashinfo

crypto dynamic-map

crypto ipsec

crypto map


C Commands


ca

Configure the PIX Firewall to interoperate with a certification authority (CA).

ca authenticate ca_nickname [fingerprint]

[no] ca configure ca_nickname ca | ra retry_period retry_count [crloptional]

[no] ca crl request ca_nickname

[no] ca enroll ca_nickname challenge_password [serial] [ipaddress]

ca generate rsa {key | specialkey} key_modulus_size

[no] ca identity ca_nickname [ca_ipaddress| hostname [:ca_script_location] [ldap_ip address| hostname]]

[no] ca save all

[no] ca subject-name ca_nickname X.500_string

[no] ca verifycertdn X.500_string

ca zeroize rsa [keypair_name]

show ca certificate

show ca crl

show ca configure

show ca identity

show ca mypubkey rsa

show ca subject-name

show ca verifycertdn

Syntax Description

ca_ipaddress

The CA's IP address.

ca_nickname

The name of the certification authority (CA). Enter any string that you desire. (If you previously declared the CA and just want to update its characteristics, specify the name you previously created.) The CA might require a particular name, such as its domain name.

Currently, the PIX Firewall supports only one CA at a time.

ca | ra

Indicates whether to contact the CA or registration authority (RA) when using the ca configure command.

Some CA systems provide an RA, which the PIX Firewall contacts instead of the CA.

:ca_script_location

The default location and script on the CA server is /cgi-bin/pkiclient.exe. If the CA administrator has not put the CGI script in this location, provide the location and the name of the script in the ca identity command.

A PIX Firewall uses a subset of the HTTP protocol to contact the CA, and so it must identify a particular cgi-bin script to handle CA requests.

challenge_password

A required password that gives the CA administrator some authentication when a user calls to ask for a certificate to be revoked. It can be up to 80 characters in length.

crloptional

Allows other peers' certificates be accepted by your PIX Firewall even if the appropriate certificate revocation list (CRL) is not accessible to your PIX Firewall. The default is without the crloptional option.

fingerprint

A key consisting of alphanumeric characters the PIX Firewall uses to authenticate the CA's certificate.

hostname

The host name.

ipaddress

Return the PIX Firewall unit's IP address in the certificate.

key

Specifies that one general-purpose RSA key pair will be generated.

key_modulus_size

The size of the key modulus, which is between 512 and 2048 bits. Choosing a size greater than 1024 bits may cause key generation to take a few minutes.

ldap_ipaddress

The IP address of the Lightweight Directory Access Protocol (LDAP) server.

By default, querying of a certificate or a CRL is done via Cisco's PKI protocol. If the CA supports LDAP, query functions may also use LDAP.

retry_count

Specify how many times the PIX Firewall will resend a certificate request when it does not receive a certificate from the CA from the previous request. Specify from 1 to 100. The default is 0, which indicates that there is no limit to the number of times the PIX Firewall should contact the CA to obtain a pending certificate.

retry_period

Specify the number of minutes the PIX Firewall waits before resending a certificate request to the CA when it does not receive a response from the CA to its previous request. Specify from 1 to 60 minutes. By default, the PIX Firewall retries every 1 minute.

serial

Return the PIX Firewall unit's serial number in the certificate.

specialkey

This specifies that two special-purpose RSA key pairs will be generated instead of one general-purpose key.

subject-name

Configures the device certificate request with the specified subject name.

verifycertdn

Verifies the certificate's Distinguished Name (DN) and acts as a subject name filter, based on the X.500_string. If the subject name of the peer certificate matches the X.500_string, then it is filtered out and ISAKMP negotiation fails.

X.500_string

Specify per RFC1779. The entered string will be the Distinguished Name (DN) sent.


Defaults

The retry_count default is 0.

Command Modes

Configuration mode.

Usage Guidelines

The sections that follow describe each ca command.

The PIX Firewall currently supports the CA servers from VeriSign, Entrust, Baltimore Technologies, and Microsoft. Refer to the Cisco PIX Firewall and VPN Configuration Guide for a list of specific CA server versions the PIX Firewall supports.

The lifetime of a certificate and the certificate revocation list (CRL) is checked in UTC, which is the same as GMT. Set the PIX Firewall clock to UTC to ensure that CRL checking works correctly. Use the clock command to set the PIX Firewall clock.

The PIX Firewall authenticates the entity certificate (the device certificate). The PIX Firewall assumes the entity certificate is issued by the same trusted point or root (the CA server). As a result, they should have the same root certificate (issuer certificate). Therefore, the PIX Firewall assumes the entity exchanges the entity certificate only, and cannot process a certificate chain that includes both the entity and root certificates.

ca authenticate

The ca authenticate command allows the PIX Firewall to authenticate its certification authority (CA) by obtaining the CA's self-signed certificate, which contains the CA's public key.

To authenticate a peer's certificate(s), a PIX Firewall must obtain the CA certificate containing the CA public key. Because the CA certificate is a self-signed certificate, the key should be authenticated manually by contacting the CA administrator. You are given the choice of authenticating the public key in that certificate by including within the ca authenticate command the key's fingerprint, which is retrieved in an out-of-band process. The PIX Firewall will discard the received CA certificate and generate an error message, if the fingerprint you specified is different from the received one. You can also simply compare the two fingerprints without having to enter the key within the command.

If you are using RA mode (within the ca configure command), when you issue the ca authenticate command, the RA signing and encryption certificates will be returned from the CA, as well as the CA certificate.

The ca authenticate command is not saved to the PIX Firewall configuration. However, the public keys embedded in the received CA (and RA) certificates are saved in the configuration as part of the RSA public key record (called the "RSA public key chain"). To save the public keys permanently to Flash memory, use the ca save all command. To view the CA's certificate, use the show ca certificate command.


Note If the CA does not respond by a timeout period after this command is issued, the terminal control will be returned so it will not be tied up. If this happens, you must re-enter the command.


ca configure

The ca configure command is used to specify the communication parameters between the PIX Firewall and the CA.

Use the no ca configure command to reset each of the communication parameters to the default value. If you want to show the current settings stored in RAM, use the show ca configure command.

The following example indicates that myca is the name of the CA and the CA will be contacted rather than the RA. It also indicates that the PIX Firewall will wait 5 minutes before sending another certificate request, if it does not receive a response, and will resend a total of 15 times before dropping its request. If the CRL is not accessible, crloptional tells the PIX Firewall to accept other peer's certificates.

ca configure myca ca 5 15 crloptional

ca crl request

The ca crl request command allows the PIX Firewall to obtain an updated CRL from the CA at any time. The no ca crl command deletes the CRL within the PIX Firewall.

A CRL lists all the network's devices' certificates that have been revoked. The PIX Firewall will not accept revoked certificates; therefore, any peer with a revoked certificate cannot exchange IPSec traffic with your PIX Firewall.

The first time your PIX Firewall receives a certificate from a peer, it will download a CRL from the CA. Your PIX Firewall then checks the CRL to make sure the peer's certificate has not been revoked. (If the certificate appears on the CRL, it will not accept the certificate and will not authenticate the peer.)

A CRL can be reused with subsequent certificates until the CRL expires. When the CRL does expire, the PIX Firewall automatically updates it by downloading a new CRL and replaces the expired CRL with the new CRL.

If your PIX Firewall has a CRL which has not yet expired, but you suspect that the CRL's contents are out of date, use the ca crl request command to request that the latest CRL be immediately downloaded to replace the old CRL.

The ca crl request command is not saved with the PIX Firewall configuration between reloads.

The following example indicates the PIX Firewall will obtain an updated CRL from the CA with the name myca:

ca crl request myca

The show ca crl command lets you know whether there is a CRL in RAM, and where and when the CRL is downloaded.

The following is sample output from the show ca crl command. See Table 4-2 for descriptions of the strings within the following sample output.

show ca crl

CRL:
    CRL Issuer Name:
        CN = MSCA, OU = Cisco, O = VSEC, L = San Jose, ST = CA, C = US, EA
=<16> username@example.com
    LastUpdate:17:07:40 Jul 11 2000

    NextUpdate:05:27:40 Jul 19 2000

ca enroll

The ca enroll command is used to send an enrollment request to the CA requesting a certificate for all of your PIX Firewall unit's key pairs. This is also known as "enrolling" with the CA. (Technically, enrolling and obtaining certificates are two separate events, but they both occur when this command is issued.)

Your PIX Firewall needs a signed certificate from the CA for each of its RSA key pairs; if you previously generated general purpose keys, the ca enroll command will obtain one certificate corresponding to the one general purpose RSA key pair. If you previously generated special usage keys, this command will obtain two certificates corresponding to each of the special usage RSA key pairs.

If you already have a certificate for your keys, you will be unable to complete this command; instead, you will be prompted to remove the existing certificate first.

The ca enroll command is not saved with the PIX Firewall configuration between reloads. To verify if the enrollment process succeeded and to display the PIX Firewall unit's certificate, use the show ca certificate command. If you want to cancel the current enrollment request, use the no ca enroll command.

The required challenge password is necessary in the event that you need to revoke your PIX Firewall unit's certificate(s). When you ask the CA administrator to revoke your certificate, you must supply this challenge password as a protection against fraudulent or mistaken revocation requests.


Note This password is not stored anywhere, so you must remember this password.


If you lose the password, the CA administrator may still be able to revoke the PIX Firewall's certificate, but will require further manual authentication of the PIX Firewall administrator identity.

The PIX Firewall unit's serial number is optional. If you provide the serial option, the serial number will be included in the obtained certificate. The serial number is not used by IPSec or IKE but may be used by the CA to either authenticate certificates or to later associate a certificate with a particular device. Ask your CA administrator if serial numbers should be included in the certificate. If you are in doubt, specify the serial option.

The PIX Firewall unit's IP address is optional. If you provide the ipaddress option, the IP address will be included in the obtained certificate. Normally, you would not include the ipaddress option because the IP address binds the certificate more tightly to a specific entity. Also, if the PIX Firewall is moved, you would need to issue a new certificate.


Note When configuring ISAKMP for certificate-based authentication, it is important to match the ISAKMP identity type with the certificate type. The ca enroll command used to acquire certificates will, by default, get a certificate with the identity based on host name. The default identity type for the isakmp identity command is based on address instead of host name. You can reconcile this disparity of identity types by using the isakmp identity address command. See the isakmp command for information about the isakmp identity address command.


The following example indicates that the PIX Firewall will send an enrollment request to the CA myca.example.com. The password 1234567890 is specified, as well as a request for the PIX Firewall unit's serial number to be embedded in the certificate.

ca enroll myca.example.com 1234567890 serial

ca generate rsa

The ca generate rsa command generates RSA key pairs for your PIX Firewall. RSA keys are generated in pairs—one public RSA key and one private RSA key. If your PIX Firewall already has RSA keys when you issue this command, you will be warned and prompted to replace the existing keys with new keys.


Note Before issuing this command, make sure your PIX Firewall has a host name and domain name configured (using the hostname and domain-name commands). You will be unable to complete the ca generate rsa command without a host name and domain name.


The ca generate rsa command is not saved in the PIX Firewall configuration. However, the keys generated by this command are saved in the persistent data file in Flash memory, which is never displayed to the user or backed up to another device.

In this example, one general-purpose RSA key pair is to be generated. The selected size of the key modulus is 2048.

ca generate rsa key 2048


Note You cannot generate both special usage and general purpose keys; you can only generate one or the other.


ca identity

The ca identity command declares the CA that your PIX Firewall will use. Currently, PIX Firewall supports one CA at one time. The no ca identity command removes the ca identity command from the configuration and deletes all certificates issued by the specified CA and CRLs. The show ca identity command shows the current settings stored in RAM.

The PIX Firewall uses a subset of the HTTP protocol to contact the CA, and so must identify a particular cgi-bin script to handle CA requests. The default location and script on the CA server is /cgi-bin/pkiclient.exe. If the CA administrator has not put the CGI script in the previously listed location, include the location and the name of the script within the ca identity command statement.

By default, querying of a certificate or a CRL is done via Cisco's PKI protocol. If the CA supports Lightweight Directory Access Protocol (LDAP), query functions may use LDAP as well. The IP address of the LDAP server must be included within the ca identity command statement.

The following example indicates that the CA myca.example.com is declared as the PIX Firewall unit's supported CA. The CA's IP address of 205.139.94.231 is provided.

ca identity myca.example.com 205.139.94.231 

ca save all

The ca save all commands lets you save the PIX Firewall unit's RSA key pairs, the CA, RA and PIX Firewall unit's certificates, and the CA's CRLs in the persistent data file in Flash memory between reloads. The no ca save command removes the saved data from PIX Firewall unit's Flash memory.

The ca save command itself is not saved with the PIX Firewall configuration between reloads.

To view the current status of requested certificates, and relevant information of received certificates, such as CA and RA certificates, use the show ca certificate command. Because the certificates contain no sensitive data, any user can issue this show command.

ca subject-name ca_nickname X.500_string

The ca subject-name ca_nickname X.500_string command is a certificate enrollment enhancement that supports X.500 directory names.

When the ca subject-name ca_nickname X.500_string command is configured, the firewall enrolls the device certificate with the subject Distinguished Name (DN) that is specified in the X.500_string, using RFC 1779 format. The supported DN attributes are listed in Table 4-1

Table 4-1 Supported Distinguished Name attributes.

Attribute
Description

ou

OrganizationalUnitName

o

OrganizationName

st

StateOrProvinceName

c

CountryName

ea

Email address (a non-RFC 1779 format attribute)


For more information on RFC 1779, refer to http://www.ietf.org/rfc/rfc1779.txt.

PIX Firewall software Version 6.3 supports X.509 (certificate support) on the VPN client. Cisco IOS software, the VPN 3000 concentrator, and the PIX Firewall look for the correct VPN group (mode config group) according to the ou attribute. (The ou attribute is part of the subject DN of the device certificate when the Easy VPN client negotiates the RSA signature.) For example,

ca subject-name myca ou=my_department, o=my_org, st=CA, c=US

where my_department is the VPN group.


Note If the X.500_string is being using to communicate between a Cisco VPN 3000 headend and the firewall, the VPN 3000 headend must not be configured to use DNS names for its backup servers. Instead, the backup servers must be specified by their IP addresses.


ca verifycertdn X.500_string

The ca verifycertdn X.500_string command verifies the certificate's Distinguished Name (DN) and acts as a subject name filter, based on the X.500_string. If the subject name of the peer certificate matches the X.500_string, then it is filtered out and ISAKMP negotiation fails.

ca zeroize rsa

The ca zeroize rsa command deletes all RSA keys that were previously generated by your PIX Firewall. If you issue this command, you must also perform two additional tasks. Perform these tasks in the following order:

1. Use the no ca identity command to manually remove the PIX Firewall unit's certificates from the configuration. This will delete all the certificates issued by the CA.

2. Ask the CA administrator to revoke your PIX Firewall unit's certificates at the CA. Supply the challenge password you created when you originally obtained the PIX Firewall unit's certificates using the crypto ca enroll command.

To delete a specific RSA key pair, specify the name of the RSA key you want to delete using the option keypair_name within the ca zeroize rsa command statement.


Note You may have more than one pair of RSA keys due to SSH. See the ssh command in "S Commands" for more information.


show ca commands

The show ca certificate command displays the CA Server's subject name, CRL distribution point (where the PIX Firewall will obtain the CRL), and lifetime of both the CA server's root certificate and the PIX Firewall's certificates.

The following is sample output from the show ca certificate command. The CA certificate stems from a Microsoft CA server previously generated for this PIX Firewall.

show ca certificate

RA Signature Certificate
  Status:Available
  Certificate Serial Number:6106e08a000000000005
  Key Usage:Signature
    CN = SCEP
     OU = VSEC
     O = Cisco
     L = San Jose
     ST = CA
     C = US
     EA =<16> username@example.com
  Validity Date:
    start date:17:17:09 Jul 11 2000

    end   date:17:27:09 Jul 11 2001


Certificate
  Status:Available
  Certificate Serial Number:1f80655400000000000a
  Key Usage:General Purpose
  Subject Name
    Name:pixfirewall.example.com
  Validity Date:
    start date:20:06:23 Jul 17 2000

    end   date:20:16:23 Jul 17 2001


CA Certificate
  Status:Available
  Certificate Serial Number:25b81813efe58fb34726eec44ae82365
  Key Usage:Signature
    CN = MSCA
     OU = Cisco
     O = VSEC
     L = San Jose
     ST = CA
     C = US
     EA =<16> username@example.com
  Validity Date:
    start date:17:07:34 Jul 11 2000
RA KeyEncipher Certificate
  Status:Available
  Certificate Serial Number:6106e24c000000000006
  Key Usage:Encryption
    CN = SCEP
     OU = VSEC
     O = Cisco
     L = San Jose
     ST = CA
     C = US
     EA =<16> username@example.com
  Validity Date:
    start date:17:17:10 Jul 11 2000

    end   date:17:27:10 Jul 11 01 

Table 4-2 describes strings within the show ca certificate command sample output.

Table 4-2 show ca certificate command Output Strings

Sample Output String
Description

CN

common name

C

country

EA

E-mail address

L

locality

ST

state or province

O

organization name

OU

organizational unit name

DC

domain component


The show ca crl command displays whether there is a certificate revocation list (CRL) in the PIX Firewall RAM, and where and when the CRL downloaded.

The show ca configure command displays the current communication parameter settings stored in the PIX Firewall RAM.

The show ca identity command displays the the current certification authority (CA) settings stored in RAM.

The show ca mypubkey rsa command displays the PIX Firewall unit's public keys in a DER/BER encoded PKCS#1 representation.

The following is sample output from the show ca mypubkey rsa command. Special usage RSA keys were previously generated for this PIX Firewall using the ca generate rsa command.

show ca mypubkey rsa

% Key pair was generated at: 15:34:55 Aug 05 1999

Key name: pixfirewall.example.com
 Usage: Signature Key
 Key Data:
            305c300d 06092a86 4886f70d 01010105 00034b00 30480241 00c31f4a ad32f60d
            6e7ed9a2 32883ca9 319a4b30 e7470888 87732e83 c909fb17 fb5cae70 3de738cf
            6e2fd12c 5b3ffa98 8c5adc59 1ec84d78 90bdb53f 2218cfe7 3f020301 0001
% Key pair was generated at: 15:34:55 Aug 05 1999

Key name: pixfirewall.example.com
 Usage: Encryption Key
 Key Data:
            305c300d 06092a86 4886f70d 01010105 00034b00 30480241 00d8a6ac cc64e57a
            48dfb2c1 234661c7 76380bd5 72ae62f7 1706bdab 0eedd0b5 2e5feef0 76319d98
            908f50b4 85a291de 247b6711 59b30026 453bfa3c 45234991 5d020301 0001

Examples

In the following example, a request for the CA's certificate was sent to the CA. The fingerprint was not included in the command. The CA sends its certificate and the PIX Firewall prompts for verification of the CA's certificate by checking the CA certificate's fingerprint. Using the fingerprint associated with the CA's certificate retrieved in some out-of-band process from a CA administrator, compare the two fingerprints. If both fingerprints match, then the certificate is considered valid.

ca authenticate myca
Certificate has the following attributes:
Fingerprint: 0123 4567 89AB CDEF 0123

The following example shows the error message. This time, the fingerprint is included in the command. The two fingerprints do not match, and therefore the certificate is not valid.

ca authenticate myca 0123456789ABCDEF0123
Certificate has the following attributes:
Fingerprint: 0123 4567 89AB CDEF 5432
%Error in verifying the received fingerprint. Type help or `?' for a list of 
available commands.

ca generate rsa key

The ca generate rsa command generates RSA key pairs for your PIX Firewall. RSA keys are generated in pairs—one public RSA key and one private RSA key.

ca generate rsa key modulus

Syntax Description

ca generate rsa key

Generates an RSA key for the PIX Firewall.

modulus

Defines the modulus used to generate the RSA key. This is a size measured in bits. You can specify a modulus between 512, 768, 1024, and 2048.



Note Before issuing this command, make sure your PIX Firewall host name and domain name have been configured (using the hostname and domain-name commands). If a domain name is not configured, the PIX Firewall uses a default domain of ciscopix.com.


Defaults

RSA key modulus default (during PDM setup) is 768. The default domain is ciscopix.com.

Command Modes

Configuration mode.

Usage Guidelines

If your PIX Firewall already has RSA keys when you issue this command, you are warned and prompted to replace the existing keys with new keys.


Note The larger the key modulus size you specify, the longer it takes to generate an RSA. We recommend a default value of 768.


PDM uses the Secure Sockets Layer (SSL) communications protocol to communicate with the PIX Firewall.

SSL uses the private key generated with the ca generate rsa command. For a certificate, SSL uses the key obtained from a certification authority (CA). If that does not exist, it uses the PIX Firewall self-signed certificate created when the RSA key pair was generated.

If there is no RSA key pair when an SSL session is initiated, the PIX Firewall creates a default RSA key pair using a key modulus of 768.

The ca generate rsa command is not saved in the PIX Firewall configuration. However, the keys generated by this command are saved in a persistent data file in Flash memory, which can be viewed with the show ca my rsa key command.

Examples

The following example demonstrates how one general purpose RSA key pair is generated. The selected size of the key modulus is 1024.

router(config) ca generate rsa key 1024
Key name:pixfirewall.cisco.com
 Usage:General Purpose Key
 Key Data:
  30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00c8ed4c
  9f5e0b52 aea931df 04db2872 5c4c0afd 9bd0920b 5e30de82 63d834ac f2e1db1f
  1047481a 17be5a01 851835f6 18af8e22 45304d53 12584b9c 2f48fad5 31e1be5a
  bb2ddc46 2841b63b f92cb3f9 8de7cb01 d7ea4057 7bb44b4c a64a9cf0 efaacd42
  e291e4ea 67efbf6c 90348b75 320d7fd3 c573037a ddb2dde8 00df782c 39020301 0001

capture

Enables packet capture capabilities for packet sniffing and network fault isolation.

capture capture_name [access-list acl_name][buffer bytes] [ethernet-type type][interface name] [packet-length bytes] [circular-buffer]

no capture capture_name [access-list [acl_name]] [interface name] [circular-buffer]

clear capture capture_name

show capture [capture_name] [access-list acl_name] [detail] [dump]

Syntax Description

access-list

Selects packets based on IP or higher fields. By default, all IP packets are matched.

acl_name

The access list id.

buffer

Defines the buffer size used to store the packet. The default size is 512 KB. Once the buffer is full, packet capture stops.

bytes

The number of bytes (b) to allocate.

capture_name

A name to uniquely identify the packet capture.

circular-buffer

Overwrites the buffer, starting from the beginning, when the buffer is full.

detail

Shows additional protocol information for each packet.

dump

Shows a hexidecimal dump of the packet transported over the data link transport. (However, the MAC information is not shown in the hex dump.)

ethernet-type

Selects packets based on the Ethernet type. An exception is the 802.1Q or VLAN type. The 802.1Q tag is automatically skipped and the inner Ethernet type is used for matching. By default, all Ethernet types are accepted.

interface

The interface for packet capture.

name

The name of the interface on which to use packet capture.

packet-length

Sets the maximum number of bytes of each packet to store in the capture buffer. By default, the maximum is 68 bytes.

type

An Ethernet type to exclude from capture. The default is 0, so you can restore the default at any time by setting type to 0.


Defaults

The default type is 0.

Command Modes

Configuration mode.

Usage Guidelines

To enable packet capturing, attach the capture to an interface with the interface option. Multiple interface statements attach the capture to multiple interfaces.

If the buffer contents are copied to a TFTP server in ASCII format, then only the headers can be seen. The details and hex dump of the packets can not be seen. To see the details and hex dump, transfer the buffer in PCAP format and then read with TCPDUMP or Ethereal using the options to show the detail and hex dump of the packets.

The ethernet-type and access-list options select the packets to store in the buffer. A packet must pass both the Ethernet and access list filters before the packet is stored in the capture buffer.

The capture capture_name circular-buffer command enables the capture buffer to overwrite itself, starting from the beginning, when the capture buffer is full.

Enter the no capture command with either the access-list or interface option unless you want to clear the capture itself. Entering no capture without options deletes the capture. If the access-list option is specified, the access list is removed from the capture and the capture is preserved. If the interface option is specified, the capture is detached from the specified interface and the capture is preserved.

To clear the capture buffer, use the clear capture capture_name command. The short form of clear capture is not supported to prevent accidental destruction of all packet captures.


Note The capture command is not saved to the configuration, and the capture command is not replicated to the standby unit during failover.


Use the copy capture: capture_name tftp://location/path [pcap] command to copy capture information to a remote TFTP server.

Use the https://pix-ip-address/capture/capture_name[/pcap] command to view the packet capture information with a web browser.

If the pcap option is specified, then a libpcap-format file is downloaded to your web browser and can be saved using your web browser. (A libcap file can be viewed with Tcpdump or Ethereal.)

The show capture command displays the capture configuration when no options are specified. If the capture_name is specified, then it displays the capture buffer contents for that capture.

Output Formats

The decoded output of the packets are dependent on the protocol of the packet. In Table 4-3, the bracketed output is displayed when the detail option is specified.

Table 4-3 Packet Capture Output Formats 

Packet Type
Capture Output Format

802.1Q

HH:MM:SS.ms [ether-hdr] VLAN-info encap-ether-packet

ARP

HH:MM:SS.ms [ether-hdr] arp-type arp-info

IP/ICMP

HH:MM:SS.ms [ether-hdr] ip-source > ip-destination: icmp: icmp-type icmp-code [checksum-failure]

IP/UDP

HH:MM:SS.ms [ether-hdr] src-addr.src-port dest-addr.dst-port: [checksum-info] udp payload-len

IP/TCP

HH:MM:SS.ms [ether-hdr] src-addr.src-port dest-addr.dst-port: tcp-flags [header-check] [checksum-info] sequence-number ack-number tcp-window urgent-info tcp-options

IP/Other

HH:MM:SS.ms [ether-hdr] src-addr dest-addr: ip-protocol ip-length

Other

HH:MM:SS.ms ether-hdr: hex-dump


Examples

On a web browser, the capture contents for a capture named "mycapture" can be viewed at the following location:

https://209.165.200.232/capture/mycapture/pcap

To download a libpcap file (used in web browsers such as Internet Explorer or Netscape Navigator) to a local machine, enter the following:

https://209.165.200.232/capture/http/pcap

In the following example, the traffic is captured from an outside host at 209.165.200.241 to an inside HTTP server.

access-list http permit tcp host 10.120.56.15 eq http host 209.165.200.241
access-list http permit tcp host 209.165.200.241 host 10.120.56.15 eq http
capture http access-list http packet-length 74 interface inside

To capture ARP packets, enter the following:

pixfirewall(config)# capture arp ethernet-type arp interface outside

To display the packets captured by an ARP capture, enter the following:

pixfirewall(config)# show capture arp
2 packets captured
19:12:23.478429 arp who-has 209.165.200.228 tell 209.165.200.10
19:12:26.784294 arp who-has 209.165.200.228 tell 209.165.200.10
2 packets shown

To capture PPPoE Discovery packets on multiple interfaces, enter the following:

pixfirewall(config)# capture pppoed ethernet-type pppoed interface outside
pixfirewall(config)# capture pppoed interface inside

The following stores a PPPoED trace to a file name "pppoed-dump" on a TFTP server at 209.165.201.17. (Some TFTP servers require that the file exists and is world writable, so check your TFTP server for the appropriate permissions and file first.)

pixfirewall(config)# copy capture:pppoed tftp://209.165.201.17/pppoed-dump
Writing to file '/tftpboot/pppoed-dump' at 209.165.201.17 on outside

To display the capture configuration, use the show capture command without specifying any options as follows:

pixfirewall(config)# show capture
capture arp ethernet-type arp interface outside
capture http access-list http packet-length 74 interface inside

clear

Removes configuration files and commands from the configuration, or resets command values. However, using the no form of a command is preferred to using the clear form to change your configuration because the no form is usually more precise.

clear file configuration | pdm | pki

clear command

no command

Command Modes

Configuration mode for clear commands that remove or reset firewall configurations. Privilege mode for commands that clear items such as counters in show commands. Additionally, the clear commands available in less secure modes are available in subsequent (more secure) modes. However, commands from a more secure mode are not available in a less secure mode.

Syntax Description

Table 4-4, Table 4-5, and Table 4-6 list the clear commands available in each mode.

Table 4-4 Unprivileged Mode Clear Command

Clear Command
Description
Used in the following command(s)

clear pager

Resets the number of displayed lines to 24.

pager


Table 4-5 Privileged Mode Clear Commands  

Clear Command
Description
Used in the following command(s)

clear aaa accounting

To clear the local, TACACS+, or RADIUS user account.

aaa accounting {include | exclude}

clear aaa authentication

To clear the local or TACACS+ user authentication.

aaa authentication

clear aaa authorization

To clear the local or TACACS+ user authorization.

aaa authorization {include | exclude}

clear aaa-server

To remove a defined server group.

aaa authorization,

aaa authentication

aaa-server

clear arp

Clears the ARP table.

arp

clear auth-prompt

Removes an auth-prompt command statement from the configuration.

auth-prompt

clear banner

Removes all configured banners.

banner

clear blocks

Resets the show blocks command statement counters.

show blocks / clear blocks

clear configure

Resets command parameters in the configuration to their default values.

configure

clear crashinfo

Deletes the crash information file from the Flash memory of the firewall.

crashinfo

clear flashfs

Clears Flash memory prior to downgrading the PIX Firewall software version.

fragment

clear floodguard

Removes Flood Defender, which protects against flood attacks from configuration.

floodguard

clear local-host

Resets the information displayed for the show local-host command.

show local-host/clear local host

clear passwd

Resets the Telnet password back to "cisco."

password

clear traffic

Resets the counters for the show traffic command.

show traffic/clear traffic

clear uauth

Deletes one user's or all users' AAA authorization caches, which forces the users to reauthenticate the next time they create a connection.

show uauth/clear uauth

clear xlate

Clears the contents of the translation slots.

show xlate/clear xlate


Table 4-6 Configuration Mode Clear Commands 

Clear Command
Description
Used in the following command(s)

clear aaa

Removes aaa command statements from the configuration.

aaa accounting

clear aaa accounting

Removes aaa-server command statements from the configuration.

aaa authorization

clear aaa-server

Remove a defined server group from the configuration.

aaa authorization

clear access-group

Removes access-group command statements from the configuration.

access-group

clear access-list

Removes access-list command statements from the configuration. This command also stops all traffic through the PIX Firewall on the affected access-list command statements.

access-list

clear access-list aclname counters

Clears the counters shown by the show access-list command.

access-list

clear alias

Removes alias command statements from the configuration.

alias

clear apply

Removes apply command statements from the configuration.

outbound / apply

clear capture

Clears the packet capture.

capture

clear clock

Removes clock command statements from the configuration.

clock

clear conduit

Removes conduit command statements from the configuration.

conduit

clear dhcpd

Removes dhcpd command statements from the configuration.

dhcpd

clear established

Removes established command statements from the configuration.

established

clear filter

Removes filter command statements from the configuration.

filter

clear fixup

Resets fixup protocol command statements to their default values.

fixup protocol

clear flashfs

Clears Flash memory before downgrading to a previous PIX Firewall version.

fragment

clear global

Removes global command statements from the configuration.

global

clear http

Removes all HTTP hosts and disables the server.

http

clear icmp

Removes icmp command statements from the configuration.

icmp

clear igmp

Removes IGMP groups.

igmp

clear ip

Sets all PIX Firewall interface IP addresses to 127.0.0.1 and stops all traffic.

ip address

clear ip address

Clears all PIX Firewall interface IP addresses (configuration mode).

ip address

clear ip audit

Clears the IDS signature on the interface (configuration mode).

ip audit

clear ip local pool

Clears pool of local IP addresses for dynamic assignment to a VPN.

ip local pool

clear ip verify reverse-path

Clears RPF IP spoofing protection (configuration mode).

ip verify reverse-path

clear [crypto] dynamic-map

Remove crypto dynamic-map command statements from the configuration.The keyword crypto is optional.

crypto dynamic-map and dynamic-map

clear [crypto] ipsec sa

Delete the active IPSec security associations. The keyword crypto is optional.

crypto ipsec

clear [crypto] ipsec sa counters

Clear the traffic counters maintained for each security association. The keyword crypto is optional.

crypto ipsec

clear [crypto] ipsec sa entry destination-address protocol spi

Delete the active IPSec security association with the specified address, protocol, and SPI. The keyword crypto is optional.

crypto ipsec

clear [crypto] ipsec sa map map-name

Delete the active IPSec security associations for the named crypto map set. The keyword crypto is optional.

crypto ipsec

clear [crypto] ipsec sa peer

Delete the active IPSec security associations for the specified peer. The keyword crypto is optional.

crypto ipsec

clear [crypto] isakmp sa

Delete the active IKE security associations. The keyword crypto is optional.

isakmp

clear [crypto] map

Delete all parameters entered through the crypto map command belonging to the specified map. Does not delete dynamic maps.

crypto map

clear isakmp

Remove isakmp command statements from the configuration.

isakmp

clear isakmp log

Clears events in the isakmp log buffer

isakmp

clear interface

Clear counters for the show interface command.

interface

clear logging

Clear syslog message queue accumulated by the logging buffered command.

logging

clear mroute

Clear a multicast route.

mroute

clear names

Removes name command statements from the configuration.

name / names

clear nameif

Reverts nameif command statements to default interface names and security levels.

nameif

clear nat

Removes nat command statements from the configuration.

nat

clear ntp

Removes ntp command statements from the configuration.

ntp

clear outbound

Removes outbound command statements from the configuration.

outbound / apply

clear ospf [process-id] {process | counters | neighbor [neighbor-intf] [neighbr-id]}

Clears and restarts the OSPF process with the specified ID, resets OSPF interface counters, neighbor interface router designation, or neighbor router ID, depending on the option selected. This command does not remove any configuration. Use the no form of the router ospf or routing interface command to remove the OSPF configuration.

routing interface

clear pdm

Removes all locations, disables logging and clears the PDM buffer. Internal PDM command.

pdm

clear privilege

Removes privilege command statements from the configuration.

privilege

clear rip

Removes rip command statements from the configuration.

rip

clear route

Removes route command statements from the configuration that do not contain the CONNECT keyword.

route

clear service

Removes service command statements from the configuration.

service

clear snmp-server

Removes snmp-server command statements from the configuration.

· When this feature is off, regular SIP Fixup will work as it does under PIX 6.3.3

clear ssh

Removes ssh command statement from the configuration.

ssh

clear static

Removes static command statements from the configuration.

static

clear sysopt

Removes sysopt command statements from the configuration.

sysopt

clear telnet

Removes telnet command statements from the configuration.

telnet

clear tftp-server

Removes tftp-server command statements from the configuration.

tftp-server

clear timeout

Resets timeout command durations to their default values.

timeout

clear url-cache

Removes url-cache command statements from the configuration.

url-cache

clear url-server

Removes url-server command statements from the configuration.

url-server

clear username

Removes username command statements from the configuration.

username

clear virtual

Removes virtual command statements from the configuration.

virtual

clear vpdn

Removes vpdn command statements from the configuration.

vpdn

clear vpnclient

Removes vpnclient command statements from the configuration.

vpnclient


clock

Set the PIX Firewall clock for use with the PIX Firewall Syslog Server (PFSS) and the Public Key Infrastructure (PKI) protocol.

clock set hh:mm:ss {day month | month day} year

clear clock

[no] clock summer-time zone recurring [week weekday month hh:mm week weekday month hh:mm] [offset]

[no] clock summer-time zone date {day month | month day} year hh:mm {day month | month day} year hh:mm [offset]

[no] clock timezone zone hours [minutes]

show clock [detail]

Syntax Description

date

The date command form is used as an alternative to the recurring form of the clock summer-time command. It specifies that summertime should start on the first date entered and end on the second date entered. If the start date month is after the end date month, the summer time zone is accepted and assumed to be in the Southern Hemisphere.

day

The day of the month to start, from 1 to 31.

detail

Displays the clock source and current summertime settings.

hh:mm:ss

The hour:minutes:seconds expressed in 24-hour time; for example, 20:54:00 for 8:54 pm. Zeros can be entered as a single digit; for example, 21:0:0.

hours

The hours of offset from UTC.

minutes

The minutes of offset from UTC.

month

The month expressed as the first three characters of the month; for example, apr for April.

offset

The number of minutes to add during summertime. The default is 60 minutes.

recurring

Specifies the start and end dates for local summer "daylight savings" time. The first date entered is the start date and the second date entered is the end date. (The start date is relative to UTC and the end date is relative to the specified summer time zone.) If no dates are specified, United States Daylight Savings Time is used. If the start date month is after the end date month, the summer time zone is accepted and assumed to be in the Southern Hemisphere.

summer-time

The clock summer-time command displays summertime hours during the specified summertime date range. This command affects the clock display time only.

timezone

clock timezone sets the clock display to the time zone specified. It does not change internal PIX Firewall time, which remains UTC.

week

Specifies the week of the month. The week is 1 through 4 and first or last for partial weeks at the begin or end a month, respectively. For example, week 5 of any month is specified by using last.

weekday

Specifies the day of the week: Monday, Tuesday, Wednesday, and so on.

year

The year expressed as four digits; for example, 2000. The year range supported for the clock command is 1993 to 2035.

zone

The name of the time zone.


Command Modes

Configuration mode.

Usage Guidelines

The clock command lets you specify the time, month, day, and year for use with time stamped syslog messages, which you can enable with the logging timestamp command. You can view the time with the clock or the show clock command.

The clear clock command removes all summertime settings and resets the clock display to UTC.

The show clock command outputs the time, time zone, day, and full date.


Note The lifetime of a certificate and the certificate revocation list (CRL) is checked in UTC, which is the same as GMT. If you are using IPSec with certificates, set the PIX Firewall clock to UTC to ensure that CRL checking works correctly.


You can interchange the settings for the day and the month; for example, clock set 21:0:0 1 apr 2000.

The maximum date range for the clock command is 1993 through 2035. A time prior to January 1, 1993, or after December 31, 2035, will not be accepted.

While the PIX Firewall clock is year 2000 compliant, it does not adjust itself for daylight savings time changes; however, it does know about leap years.

The PIX Firewall clock setting is retained in memory when the power is off by a battery on the PIX Firewall unit's motherboard. Should this battery fail, contact Cisco TAC for a replacement PIX Firewall unit.

Cisco's PKI (Public Key Infrastructure) protocol uses the clock to make sure that a certificate revocation list (CRL) is not expired. Otherwise, the CA may reject or allow certificates based on an incorrect timestamp. Refer to the Cisco PIX Firewall and VPN Configuration Guide for a description of IPSec concepts.

Examples

To enable PFSS time stamp logging for the first time, use the following commands:

clock set 21:0:0 apr 1 2000
show clock
21:00:05 Apr 01 2000
logging host 209.165.201.3
logging timestamp
logging trap 5

In this example, the clock command sets the clock to 9 p.m. on April 1, 2000. The logging host command specifies that a syslog server is at IP address 209.165.201.3. The PIX Firewall automatically determines that the server is a PFSS and sends syslog messages to it via TCP and UDP. The logging timestamp command enables sending time stamped syslog messages. The logging trap 5 command in this example specifies that messages at syslog level 0 through 5 be sent to the syslog server. The value 5 is used to capture severe and normal messages, but also those of the aaa authentication enable command.

The following clock summer-time command specifies that summertime starts on the first Sunday in April at 2 a.m. and ends on the last Sunday in October at 2 a.m.:

pix_name (config)# clock summer-time PDT recurring 1 Sunday April 2:00 
last Sunday October 2:00

If you live in a place where summertime follows the Southern Hemisphere pattern, you can specify the exact date and times. In the following example, daylight savings time (summer time) is configured to start on October 12, 2001, at 2 a.m. and end on April 26, 2002, at 2 a.m.:

pix_name (config)# clock summer-time PDT date 12 October 2001 2:00 
26 April 2002 2:00

conduit

Add, delete, or show conduits through the PIX Firewall for incoming connections. However, the conduit command has been superseded by the access-list command. We recommend that you migrate your configuration away from the conduit command to maintain future compatibility.

[no] conduit permit  |  deny protocol global_ip global_mask [operator port [port]] foreign_ip foreign_mask [operator port [port]]

[no] conduit deny|permit protocol | object-group protocol_obj_grp_id global_ip global_mask | object-group network_obj_grp_id [operator port [port] | object-group service_obj_grp_id] foreign_ip foreign_mask | object-group network_obj_grp_id [operator port [port] | object-group service_obj_grp_id]

[no] conduit deny|permit icmp global_ip global_mask | object-group network_obj_grp_id foreign_ip foreign_mask | object-group network_obj_grp_id [icmp_type | object-group icmp_type_obj_grp_id]

clear conduit

clear conduit counters

show conduit

Syntax Description

deny

Deny access if the conditions are matched.

foreign_ip

An external IP address (host or network) that can access the global_ip. You can specify 0.0.0.0 or 0 for any host. If both the foreign_ip and foreign_mask are 0.0.0.0 0.0.0.0, you can use the shorthand any option.

If foreign_ip is a host, you can omit foreign_mask by specifying the host command before foreign_ip.

For example:

conduit permit tcp any eq ftp host 209.165.201.2

This example lets foreign host 209.165.201.2 access any global address for FTP.

foreign_mask

Network mask of foreign_ip. The foreign_mask is a 32-bit, four-part dotted decimal; such as, 255.255.255.255. Use zeros in a part to indicate bit positions to be ignored. Use subnetting if required. If you use 0 for foreign_ip, use 0 for the foreign_mask; otherwise, enter the foreign_mask appropriate to foreign_ip. You can also specify a mask for subnetting.

For example: 255.255.255.192.

global_ip

A global IP address previously defined by a global or static command. You can use any if the global_ip and global_mask are 0.0.0.0 0.0.0.0. The any option applies the permit or deny parameters to the global addresses.

If global_ip is a host, you can omit global_mask by specifying the host command before global_ip.

For example:

conduit permit tcp host 209.165.201.1 eq ftp any

This example lets any foreign host access global address 209.165.201.1 for FTP.

global_mask

Network mask of global_ip. The global_mask is a 32-bit, four-part dotted decimal; such as, 255.255.255.255. Use zeros in a part to indicate bit positions to be ignored. Use subnetting if required. If you use 0 for global_ip, use 0 for the global_mask; otherwise, enter the global_mask appropriate to global_ip.

icmp_type

The type of ICMP message. Table 4-7 lists the ICMP type literals that you can use in this command. Omit this option to include all ICMP types. The conduit permit icmp any   any command permits all ICMP types and lets ICMP pass inbound and outbound.

icmp_type
_obj_grp_id

An existing ICMP type object group.

object-group

Specifies an object group.

operator

A comparison operand that lets you specify a port or a port range.

Use without an operator and port to indicate all ports.

For example:

conduit permit tcp any any

Use eq and a port to permit or deny access to just that port. For example use eq ftp to permit or deny access only to FTP:

conduit deny tcp host 209.165.200.247 eq ftp 209.165.201.1 

Use lt and a port to permit or deny access to all ports less than the port you specify. For example, use lt 2025 to permit or deny access to the well-known ports (1 to 1024).

conduit permit tcp host 209.165.200.247 lt 1025 any

Use gt and a port to permit or deny access to all ports greater than the port you specify. For example, use gt 42 to permit or deny ports 43 to 65535.

conduit deny udp host 209.165.200.247 gt 42 host 209.165.201.2 

Use neq and a port to permit or deny access to every port except the ports that you specify. For example, use neq 10 to permit or deny ports 1-9 and 11 to 65535.

conduit deny tcp host 209.165.200.247 neq 10 host 209.165.201.2 neq 
42

Use range and a port range to permit or deny access to only those ports named in the range. For example, use range 10 1024 to permit or deny access only to ports 10 through 1024. All other ports are unaffected.

conduit deny tcp any range ftp telnet any

By default, all ports are denied until explicitly permitted.

network_obj_grp_id

An existing network object group.

permit

Permit access if the conditions are matched.

port

Service(s) you permit to be used while accessing global_ip or foreign_ip. Specify services by the port that handles it, such as smtp for port 25, www for port 80, and so on. You can specify ports by either a literal name or a number in the range of 0 to 65535. You can specify all ports by not specifying a port value.

For example:

conduit deny tcp any any

This command is the default condition for the conduit command in that all ports are denied until explicitly permitted.

You can view valid port numbers online at the following website:

http://www.iana.org/assignments/port-numbers

See ""Ports""in "Using PIX Firewall Commands" for a list of valid port literal names in port ranges; for example, ftp h323. You can also specify numbers.

protocol

Specify the transport protocol for the connection. Possible literal values are icmp, tcp, udp, or an integer in the range 0 through 255 representing an IP protocol number. Use ip to specify all transport protocols. You can view valid protocol numbers online at the following website:

http://www.iana.org/assignments/protocol-numbers

If you specify the icmp protocol, you can permit or deny ICMP access to one or more global IP addresses. Specify the ICMP type in the icmp_type variable, or omit to specify all ICMP types. See "Usage Guidelines" for a complete list of the ICMP types.

protocol_obj_grp_id

An existing protocol object group.

service_obj_grp_id

An existing service (port) object group.


Command Modes

Configuration mode.

Usage Guidelines

We recommend that you use the access-list command instead of the conduit command because using an access list is a more secure way of enabling connections between hosts. Specifically, the conduit command functions by creating an exception to the PIX Firewall Adaptive Security Algorithm that then permits connections from one PIX Firewall network interface to access hosts on another.

The conduit command can permit or deny access to either the global or static commands; however, neither is required for the conduit command. You can associate a conduit command statement with a global or static command statement through the global address, either specifically to a single global address, a range of global addresses, or to all global addresses.

When used with a static command statement, a conduit command statement permits users on a lower security interface to access a higher security interface. When not used with a static command statement, a conduit command statement permits both inbound and outbound access.

The show conduit command displays the conduit command statements in the configuration and the number of times (hit count) an element has been matched during a conduit command search.

Converting conduit Commands to access-list Commands

Follow these steps to convert conduit command statements to access-list commands:


Step 1 View the static command format. This command normally precedes both the conduit and access-list commands. The static command syntax is as follows.

static (high_interface,low_interface) global_ip local_ip netmask mask

For example:

static (inside,outside) 209.165.201.5 192.168.1.5 netmask 255.255.255.255

This command maps the global IP address 209.165.201.5 on the outside interface to the web server 192.168.1.5 on the inside interface. The 255.255.255.255 is used for host addresses.


Step 2 View the conduit command format. The conduit command is similar to the access-list command in that it restricts access to the mapping provided by the static command. The conduit command syntax is as follows.

conduit action protocol global_ip global_mask global_operator global_port [global_port] foreign_ip foreign_mask foreign_operator foreign_port [foreign_port]

For example:

conduit permit tcp host 209.165.201.5 eq www any

This command permits TCP for the global IP address 209.165.201.5 that was specified in the static command statement and permits access over port 80 (www). The "any" option lets any host on the outside interface access the global IP address.

The static command identifies the interface that the conduit command restricts access to.


Step 3 Create the access-list command from the conduit command options. The acl_name in the access-list command is a name or number you create to associate access-list command statements with an access-group or crypto map command statement.

Normally the access-list command format is as follows:

access-list acl_name [deny | permit] protocol src_addr src_mask operator port dest_addr dest_mask operator port

However, using the syntax from the conduit command in the access-list command, you can see how the foreign_ip in the conduit command is the same as the src_addr in the access-list command and how the global_ip option in the conduit command is the same as the dest_addr in the access-list command. The access-list command syntax overlaid with the conduit command options is as follows.

access-list acl_name action protocol foreign_ip foreign_mask foreign_operator foreign_port [foreign_port] global_ip global_mask global_operator global_port [global_port]

For example:

access-list acl_out permit tcp any host 209.165.201.5 eq www

This command identifies the access-list command statement group with the "acl_out" identifier. You can use any name or number for your own identifier. (In this example the identifier, "acl" is from ACL, which means access control list and "out" is an abbreviation for the outside interface.) It makes your configuration clearer if you use an identifier name that indicates the interface to which you are associating the access-list command statements. The example access-list command, like the conduit command, permits TCP connections from any system on the outside interface. The access-list command is associated with the outside interface with the access-group command.


Step 4 Create the access-group command using the acl_name from the access-list command and the low_interface option from the static command. The format for the access-group command is as follows.

access-group acl_name in interface low_interface

For example:

access-group acl_out in interface outside

This command associates with the "acl_out" group of access-list command statements and states that the access-list command statement restricts access to the outside interface.


More on the conduit Command

If you associate a conduit command statement with a static command statement, only the interfaces specified on the static command statement have access to the conduit command statement. For example, if a static command statement lets users on the dmz interface access a server on the inside interface, only users on the dmz interface can access the server via the static command statement. Users on the outside do not have access.


Note The conduit command statements are processed in the order they are entered into the configuration.


The permit and deny options for the conduit command are processed in the order listed in the PIX Firewall configuration. In the following example, host 209.165.202.129 is not denied access through the PIX Firewall because the permit option precedes the deny option.

conduit permit tcp host 209.165.201.4 eq 80 any
conduit deny tcp host 209.165.201.4 host 209.165.202.129 eq 80 any

Note If you want internal users to be able to ping external hosts, use the conduit permit icmp any any command.


After changing or removing a conduit command statement, use the clear xlate command.

You can remove a conduit command statement with the no conduit command. The clear conduit command removes all conduit command statements from your configuration. The clear conduit counters command clears the current conduit hit count.

If you prefer more selective ICMP access, you can specify a single ICMP message type as the last option in this command. Table 4-7 lists possible ICMP types values.

Table 4-7 ICMP Type Literals 

ICMP Type
Literal

0

echo-reply

3

unreachable

4

source-quench

5

redirect

6

alternate-address

8

echo

9

router-advertisement

10

router-solicitation

11

time-exceeded

12

parameter-problem

13

timestamp-request

14

timestamp-reply

15

information-request

16

information-reply

17

mask-request

18

mask-reply

31

conversion-error

32

mobile-redirect


Usage Notes

1. By default, all ports are denied until explicitly permitted.

2. The conduit command statements are processed in the order entered in the configuration. If you remove a command, it affects the order of all subsequent conduit command statements.

3. To remove all conduit command statements, cut and paste your configuration onto your console computer, edit the configuration on the computer, use the write erase command to clear the current configuration, and then paste the configuration back into the PIX Firewall.

4. If you use Port Address Translation (PAT), you cannot use a conduit command statement using the PAT address to either permit or deny access to ports.

5. Two conduit command statements are required for establishing access to the following services: discard, dns, echo, ident, pptp, rpc, sunrpc, syslog, tacacs-ds, talk, and time. Each service, except for pptp, requires one conduit for TCP and one for UDP. For DNS, if you are only receiving zone updates, you only need a single conduit command statement for TCP.

The two conduit command statements for the PPTP transport protocol, which is a subset of the GRE protocol, are as shown in the following example:

static (dmz2,outside) 209.165.201.5 192.168.1.5 netmask 255.255.255.255
conduit permit tcp host 209.165.201.5 eq 1723 any
conduit permit gre host 209.165.201.5 any

In this example, PPTP is being used to handle access to host 192.168.1.5 on the dmz2 interface from users on the outside. Outside users access the dmz2 host using global address 209.165.201.5. The first conduit command statement opens access for the PPTP protocol and gives access to any outside users. The second conduit command statement permits access to GRE. If PPTP was not involved and GRE was, you could omit the first conduit command statement.

6. The RPC conduit command support fixes up UDP portmapper and rpcbind exchanges. TCP exchanges are not supported. This lets simple RPC-based programs work; however, remote procedure calls, arguments, or responses that contain addresses or ports will not be fixed up.

For MSRPC, two conduit command statements are required, one for port 135 and another for access to the high ports (1024-65535). For Sun RPC, a single conduit command statement is required for UDP port 111.

Once you create a conduit command statement for RPC, you can use the following command to test its activity from a UNIX host:

rpcinfo -u unix_host_ip_address 150001

Replace unix_host_ip_address with the IP address of the UNIX host.

7. You can overlay host statics on top of a net static range to further refine what an individual host can access:

static (inside, outside) 209.165.201.0 10.1.1.0 netmask 255.255.255.0
conduit permit tcp 209.165.201.0 255.255.255.0 eq ftp any
static (inside, outside) 203.31.17.3 10.1.1.3 netmask 255.255.255.0
conduit permit udp host 209.165.201.3 eq h323 host 209.165.202.3

In this case, the host at 209.165.202.3 has Intel Internet Phone access in addition to its blanket FTP access.

Examples

1. The following commands permit access between an outside UNIX gateway host at 209.165.201.2, to an inside SMTP server with Mail Guard at 192.168.1.49. Mail Guard is enabled in the default configuration for PIX Firewall with the fixup protocol smtp 25 command. The global address on the PIX Firewall is 209.165.201.1.

static (inside,outside) 209.165.201.1 192.168.1.49 netmask 255.255.255.255 0 0
conduit permit tcp host 209.165.201.1 eq smtp host 209.165.201.2 

To disable Mail Guard, enter the following command:

no fixup protocol smtp 25

2. You can set up an inside host to receive H.323 Intel Internet Phone calls and allow the outside network to connect inbound via the IDENT protocol (TCP port 113). In this example, the inside network is at 192.168.1.0, the global addresses on the outside network are referenced via the 209.165.201.0 network address with a 255.255.255.224 mask.

static (inside,outside) 209.165.201.0 192.168.1.0 netmask 255.255.255.224 0 0
conduit permit tcp 209.165.201.0 255.255.255.224 eq h323 any
conduit permit tcp 209.165.201.0 255.255.255.224 eq 113 any

3. You can create a web server on the perimeter interface that can be accessed by any outside host as follows:

static (perimeter,outside) 209.165.201.4 192.168.1.4 netmask 255.255.255.255 0 0
conduit permit tcp host 209.165.201.4 eq 80 any

In this example, the static command statement maps the perimeter host, 192.168.1.4. to the global address, 209.165.201.4. The conduit command statement specifies that the global host can be accessed on port 80 (web server) by any outside host.

configure

Configure from the terminal, Flash memory, the network, or factory default. The new configuration merges with the active configuration except for the factory default, in which case the active configuration is cleared first and then replaced by the factory default. The factory default option is available only on the PIX 501 and PIX 506/506E.

clear configure [terminal | memory]

clear configure [primary | secondary | all]

[no] configure http[s] :// [user:password@] location [ :port ] / http_pathname

configure net [[location]:[filename]]

clear configure primary | secondary | all

show configure

For the PIX 501 and PIX 506/506E only:
configure factory-default [inside_ip_address [address_mask]]

For older PIX Firewall units that have a floppy drive only:
configure floppy

Syntax Description

address_mask

Specifies the address mask for the inside interface IP address. The default address mask is 255.255.255.0.

all

Combines the primary and secondary options.

clear

Clears aspects of the current configuration in RAM. Use the write erase command to clear the complete configuration.

factory-default

Specifies to clear the current configuration and regenerate the default, factory-loaded configuration. This command is supported for the PIX 501 and PIX 506/506E only in PIX Firewall software Version 6.2.

filename

A filename you specify to qualify the location of the configuration file on the TFTP server named in server_ip. If you set a filename with the tftp-server command, do not specify it in the configure command; instead just use a colon ( : ) without a filename.

floppy

Merges the current configuration with that on diskette.

http_pathname

The name of the HTTP server path that contains the PIX Firewall configuration to copy.

http[s]

Specifies to retrieve configuration information from an HTTP server. (SSL is used when https is specified.)

inside_ip_address

Specifies the inside IP address. The default inside interface IP address is 192.168.1.1.

location

The IP address (or defined name) of the HTTP server to log into.

memory

Merges the current configuration with that in Flash memory.

net

Loads the configuration from a TFTP server and the path you specify. Comments in the configuration preceded by a colon (:) or exclamation mark (!) will be pruned and will not be visible in the PIX Firewall configuration listing.

password

The password for logging into the HTTP server.

pathname

The name of the resource that contains the PIX Firewall configuration to copy.

port

Specifies the port to contact on the HTTP server. It defaults to 80 for http and 443 for https.

primary

Sets the interface, ip, mtu, nameif, and route commands to their default values. In addition, interface names are removed from all commands in the configuration.

secondary

Removes the aaa-server, alias, access-list, apply, conduit, global, outbound, static, telnet, and url-server command statements from your configuration.

location

The IP address or name of the server from which to merge in a new configuration. This server address or name is defined with the tftp-server command.

terminal

Starts configuration mode to enter configuration commands from a terminal. Exit configuration mode by entering the quit command.

user

The username for logging into the HTTP server.


Command Modes

The configure terminal command (with the short form "config t") is available in privileged mode, and it changes the firewall over to configuration mode. All other configure commands are available in configuration mode.

Usage Guidelines

You must be in configuration mode to use the configuration commands, except for the configure terminal (config t) command. The configure terminal command starts configuration mode from privileged mode. You can exit configuration mode with the quit command. After exiting configuration mode, use the write memory command to store your changes in Flash memory or write floppy to store the configuration on diskette.

Each command statement from Flash memory (with configure memory), TFTP transfer (with configure net), or diskette (with configure floppy) is read into the current configuration and evaluated in the same way as commands entered from a keyboard with the following rules:

If the command in Flash memory or on diskette is identical to an existing command in the current configuration, it is ignored.

If the command in Flash memory or on diskette is an additional instance of an existing command, such as if you already have one telnet command for IP address 10.2.3.4 and the diskette configuration has a telnet command for 10.7.8.9, then both commands appear in the current configuration.

If the command redefines an existing command, the command on diskette or Flash memory overwrites the command in the current configuration in RAM. For example, if you have the hostname ram command in the current configuration and the hostname floppy command on diskette, the command in the configuration becomes hostname floppy and the command line prompt changes to match the new hostname when that command is read from diskette.

The show configure and show startup-config commands display the startup configuration of the firewall. The write terminal and show running-config commands display the configuration currently running on the firewall.

The clear configure [all] command resets a configuration to its default values. Use this command to create a template configuration or when you want to clear all values. The clear configure primary command resets the default values for the interface, ip, mtu, nameif, and route commands. This command also deletes interface names in the configuration. The clear configure secondary command removes the aaa-server, alias, access-list, apply, conduit, global, outbound, static, telnet, and url-server command statements from the configuration. However, the clear configure secondary command does not remove tftp-server command statements.


Note Save your configuration before using a clear configure command. The clear configure primary and clear configure secondary commands do not prompt you before deleting lines from your configuration.


configure factory-default

On the PIX 501 and PIX 506/506E, the configure factory-default command reinstates the factory default configuration. (This command is not supported on other PIX Firewall platforms at this time.) Use this command carefully because, before reinstating the factory default configuration, this command has the same effect as the clear configure all command; it clears all existing configuration information.

With no options specified, the configure factory-default command gives a default IP address of 192.168.1.1, and a netmask of 255.255.255.0, to the PIX Firewall inside interface.

With the configure factory-default ip-address command, if you specify an inside IP address but no netmask, the default address mask is derived from the specified IP address and is based on the IP address class.

With the configure factory-default ip-address netmask command, the specified IP address and netmask are assigned to the inside interface of the firewall.

For the PIX 501, the 10-user license is limited to a DHCP pool of 32 addresses, the 50-user license is limited to a DHCP pool size of 128 addresses, and the unlimited user license is limited to a DHCP pool size of 253 addresses. (It would be 256 addresses for the unlimited user license, but the default IP address is class C and 256 DHCP addresses cannot be supported within a class C address.) The PIX 506/506E is limited to a DHCP pool size of 253.

configure http[s]

The configure http[s] command retrieves configuration information from an HTTP server for remotely managing a PIX Firewall configuration. The configuration can be either a text file or an XML file. Text files merge regardless of errors that may be in the cofiguration. XML files require the use of the message "config-data" in the XML file to explicitly control merging and error handling.

configure net

The configure net command merges the current running configuration with a TFTP configuration stored at the IP address you specify and from the file you name. If you specify both the IP address and path name in the tftp-server command, you can specify  server_ip :filename as simply a colon ( : ).

For example:

	configure net :

Use the write net command to store the configuration in the file.

If you have an existing PIX Firewall configuration on a TFTP server and store a shorter configuration with the same filename on the TFTP server, some TFTP servers will leave some of the original configuration after the first ":end" mark. This does not affect the PIX Firewall because the configure net command stops reading when it reaches the first ":end" mark. However, this may cause confusion if you view the configuration and see extra text at the end of the configuration.


Note Many TFTP servers require the configuration file to be world-readable to be accessible.


configure floppy

The configure floppy command merges the current running configuration with the configuration stored on diskette. This command assumes that the diskette was previously created by the write floppy command.

configure memory

The configure memory command merges the configuration in Flash memory into the current configuration in RAM.

Examples

The following example shows how to configure the PIX Firewall using a configuration retrieved with TFTP:

configure net 10.1.1.1:/tftp/config/pixconfig

The pixconfig file is stored on the TFTP server at 10.1.1.1 in the tftp/config folder.

The following example shows how to configure the PIX Firewall from a diskette:

configure floppy

The following example shows how to configure the PIX Firewall from the configuration stored in Flash memory:

configure memory

The following example shows the commands you enter to access configuration mode, view the configuration, and save it in Flash memory.

Access privileged mode with the enable command and configuration mode with the configure terminal command. View the current configuration with the write terminal command and save your configuration to Flash memory using the write memory command.

pixfirewall> enable
password: 
pixfirewall# configure terminal
pixfirewall(config)# write terminal
:  Saved
[...current configuration...]
:  End

write memory

When you enter the configure factory-default command on a platform other than the PIX 501 or PIX 506/506E, the PIX Firewall displays a "not supported" error message. On the PIX 515/515E, for example, the following message is displayed:

pixdfirewall(config)# configure factory default
'config factory-default' is not supported on PIX-515

console

Sets the idle timeout for the serial-cable console session of the PIX Firewall.

[no] console timeout number

Syntax Description

number

Idle time in minutes (0-60) after which the serial-cable console session ends.


Defaults

The default timeout is 0, which means the console will not time out. The zero value in the command console timeout 0 has the same meaning as zero value in the command exec-timeout 0 0 in Cisco IOS software.

Command Modes

The console timeout command is available in configuration mode.

The show console timeout command is available in privileged and configuration mode.

Usage Guidelines

The console timeout command sets the timeout value for any authenticated, enable mode, or configuration mode user session when accessing the firewall console through a serial cable. This timeout does not alter the Telnet or SSH timeouts; these access methods maintain their own timeout values.

The no console timeout command resets the console timeout value to its default.

The show console timeout command displays the currently configured console timeout value.

Examples

The following example shows how to set the console timeout to fifteen (15) minutes:

pixfirewall(config)# console timeout 15

The following example shows how to display the configured timeout value:

pixfirewall(config)# show console timeout
console timeout 15

Related Commands

aaa authorization

Enable or disable LOCAL or TACACS+ user authorization services.

password

Sets the password for Telnet access to the PIX Firewall console.

ssh

Specifies a host for PIX Firewall console access through Secure Shell (SSH).

telnet

Specifies the host for PIX Firewall console access via Telnet.


copy

Change software images without requiring access to the TFTP monitor mode or copy a capture file to a TFTP server.

copy capture: capture_name tftp://location/path [pcap]

copy http[s]://[user:password@] location [:port ] / http_pathname flash [: [image | pdm] ]

copy tftp[:[[//location] [/tftp_pathname]]] flash[:[image | pdm]]

Syntax Description

copy capture capture_name

Copies capture information to a remote TFTP server. capture_name is a unique name that identifies the capture.

copy http[s]

Downloads a software image into the Flash memory of the firewall from an HTTP server. (SSL is used when https is specified.)

copy tftp flash

Downloads a software image into Flash memory of the firewall via TFTP without using monitor mode.

http_pathname

The name of the resource that contains the PIX Firewall software image or PDM file to copy.

image

Download the selected PIX Firewall image to Flash memory. An image you download is made available to the PIX Firewall on the next reload (reboot).

location

Either an IP address or a name that resolves to an IP address via the PIX Firewall naming resolution mechanism.

password

The password for logging into the HTTP server.

pdm

Download the selected PDM image files to Flash memory. These files are available to the PIX Firewall immediately, without a reboot.

port

Specifies the port to contact on the HTTP server. It defaults to 80 for http and 443 for https.

tftp_pathname

PIX Firewall must know how to reach this location via its routing table information. This information is determined by the ip address command, the route command, or also RIP, depending upon your configuration. The pathname can include any directory names in addition to the actual last component of the path to the file on the server.

user

The username for logging into the HTTP server.


Command Modes

Configuration mode.

Usage Guidelines

copy capture

The copy capture: capture_name tftp://location/path [pcap] command uses the capture name on the PIX Firewall (capture_name) as its source and the TFTP address (tftp://location/path) as the copy destination. (These parameters are similar to the copy tftp command options.) The addition of the pcap option at the end of a copy capture command transfers the file in libpcap format.

copy http[s]

The copy http[s]://[user:password@] location [:port ] / http_pathname flash [: [image | pdm] ] command enables you to download a software image into the Flash memory of the firewall from an HTTP server. SSL is used when the copy https command is specified. The user and password options are used for authentication when logging into the HTTP server. The location option is the IP address (or a name that resolves to an IP address) of the HTTP server. The :port option specifies the port on which to contact the server. The value for :port defaults to port 80 for HTTP and port 443 for HTTP through SSL. The pathname option is the name of the resource that contains the image or PDM file to copy.

copy tftp

The copy tftp flash command enables you to download a software image into the Flash memory of the firewall via TFTP. You can use the copy tftp flash command with any PIX Firewall model running Version 5.1 or higher.

The image you download is made available to the PIX Firewall on the next reload (reboot).

The command syntax is as follows:

copy tftp[:[[//location][/pathname]]] flash [:[image][pdm]]

If the command is used without the location or pathname optional parameters, then the location and filename are obtained from the user interactively via a series of questions similar to those presented by Cisco IOS software. If you only enter a colon (:), parameters are taken from the tftp-server command settings. If other optional parameters are supplied, then these values would be used in place of the corresponding tftp-server command setting. Supplying any of the optional parameters, such as a colon and anything after it, causes the command to run without prompting for user input.

The location is either an IP address or a name that resolves to an IP address via the PIX Firewall naming resolution mechanism (currently static mappings via the name and names commands). PIX Firewall must know how to reach this location via its routing table information. This information is determined by the ip address command, the route command, or also RIP, depending upon your configuration.

The pathname can include any directory names besides the actual last component of the path to the file on the server. The pathname cannot contain spaces. If a directory name has spaces, set the directory in the TFTP server instead of in the copy tftp flash command.

If your TFTP server has been configured to point to a directory on the system from which you are downloading the image, you need only use the IP address of the system and the image filename.

The TFTP server receives the command and determines the actual file location from its root directory information. The server then downloads the TFTP image to the PIX Firewall.

You can download a TFTP server from the following website:

http://tftpd32.jounin.net


Note Images prior to Version 5.1 cannot be retrieved using this mechanism.


Examples

copy capture

The following example shows the prompts provided when you enter the copy capture command without specifying the full path:

copy capture:abc tftp 
Address or name of remote host [209.165.200.228]? 
Source file name [username/cdisk]? 
copying capture to tftp://209.165.200.228/username/cdisk:
[yes|no|again]? y 
!!!!!!!!!!!!! 

Alternately, you can specify the full path as follows:

copy capture:abc tftp:209.165.200.228/tftpboot/abc.cap pcap

If the TFTP server is already configured, the location or file name can be left unspecified as follows:

tftp-server outside 209.165.200.228 tftp/cdisk
copy capture:abc tftp:/tftp/abc.cap

The following example shows how to use the defaults of the preconfigured TFTP server in the copy capture command:

copy capture:abc tftp:pcap 

copy http[s]

The following example shows how to copy the PIX Firewall software image from a public HTTP server into the Flash memory of your PIX Firewall:

copy http://209.165.200.228/auto/cdisk flash:image

The following example show how to copy the PDM software image through HTTPS (HTTP over SSL), where the SSL authentication is provided by the username robin and the password xyz:

copy https://robin:xyz@209.165.200.228/auto/pdm.bin flash:pdm

The following example show how to copy the PIX Firewall software image from an HTTPS server running on a non-standard port, where the file is copied into the software image space in Flash memory by default:

copy https://robin:zyx@209.165.200.228:8080/auto/cdisk flash

The following examples copy files from 192.133.219.25, which is the IP address for www.cisco.com, to the Flash memory of your PIX Firewall. To use these examples, replace the username and password "cco-username:cco-password" with your CCO username and password. Also note that the URL contains a '?'. To enter this while using the PIX Firewall CLI, it must be preceded by typing Ctrl-v.

To copy PIX Firewall software Version 6.2.2 into the Flash memory of your PIX Firewall from Cisco.com, enter the following command:

copy http://cco-username:cco-password@192.133.219.25/cgi-bin/Software/Tablebuild/ 
download.cgi/pix622.bin?&filename=cisco/ciscosecure/pix/pix622.bin flash:image

To copy PDM Version 2.0.2 into the Flash memory of your PIX Firewall from Cisco.com, enter the following command:

copy http://cco-username:cco-password@192.133.219.25/cgi-bin/Software/Tablebuild/ 
download.cgi/pdm-202.bin?&filename=cisco/ciscosecure/pix/pdm-202.bin flash:pdm

copy tftp

The following example causes the PIX Firewall to prompt you for the filename and location before you start the TFTP download:

copy tftp flash
Address or name of remote host [127.0.0.1]? 10.1.1.5
Source file name [cdisk]? pix512.bin
copying tftp://10.1.1.5/pix512.bin to flash
[yes|no|again]? yes
!!!!!!!!!!!!!!!!!!!!!!!...
Received 1695744 bytes.
Erasing current image.
Writing 1597496 bytes of image.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!...
Image installed.

The next example takes the information from the tftp-server command. In this case, the TFTP server is in an intranet and resides on the outside interface. The example sets the filename and location from the tftp-server command, saves memory, and then downloads the image to Flash memory.

pixfirewall(config)# tftp-server outside 10.1.1.5 pix512.bin
Warning: 'outside' interface has a low security level (0).

pixfirewall(config)# write memory
Building configuration...
Cryptochecksum: 017c452b d54be501 8620ba48 490f7e99
[OK]

pixfirewall(config)# copy tftp: flash
copying tftp://10.1.1.5/pix512.bin to flash
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!...

The next example overrides the information in the tftp-server command to let you specify alternate information about the filename and location. If you have not set the tftp-server command, you can also use the copy tftp flash command to specify all information as shown in the second example that follows.

copy tftp:/pix512.bin flash
copy tftp://10.0.0.1/pix512.bin flash

The next example maps an IP address to the TFTP host name with the name command and uses the tftp-host name in the copy commands:

name 10.1.1.6 tftp-host
copy tftp://tftp-host/pix512.bin flash
copy tftp://tftp-host/tftpboot/pix512.bin flash

crashinfo

Configure crash information to write to Flash memory, with the option to force a crash of the firewall.

crashinfo test

crashinfo force [page-fault | watchdog]

crashinfo save [enable | disable]

no crashinfo save disable

show crashinfo [save]

clear crashinfo

Syntax Description

page-fault

Forces a crash of the firewall with a page fault.

save disable

Disables crash information from writing to Flash memory.

save enable

Configures crash information to write to Flash memory. (This is the default behavior.)

test

Tests the firewall's ability to save crash information to Flash memory. This does not actually crash the firewall.

watchdog

Forces a crash of the firewall as a result of watchdogging.


Defaults

By default, the firewall saves the crash information file to Flash memory. In other words, by default the crashinfo save command is in your configuration.

Command Modes

The crashinfo save commands are available in configuration mode.

The show crashinfo commands are available in privileged mode.

Usage Guidelines

The crashinfo save enable command does not need to be entered to save crash information to the Flash memory of your firewall; this is the default behavior of the firewall. However, if the firewall unit crashes during start up, the crash information file is not saved, whether or not the crashinfo save enable command is in your configuration.The firewall must be fully initialized and running first, and then it can save crash information as it crashes.

The crashinfo save disable command turns off saving crash information to the Flash memory of the firewall. After a crashinfo save disable command is written to your configuration, crash information is dumped to your console screen only. Use the crashinfo save enable or no crashinfo save disable command to re-enable saving the crash information to Flash memory.

The crashinfo test command provides a simulated crash information file, which it saves to Flash memory. It does not crash the firewall. Use the crashinfo test command to test your crash information file configuration without actually having to crash your firewall. However, if a previous crash information file was in Flash memory, the test crash information file overwrites it automatically.

crashinfo force [page-fault | watchdog]


Caution Do not use the crashinfo force command in a production environment. The crashinfo force command truly crashes the firewall and forces it to reload.

The crashinfo force page-fault command crashes the firewall as a result of a page fault, and the crashinfo force watchdog command crashes the firewall as a result of watchdogging. In the crash output, there is nothing that differentiates a real crash from a crash resulting from the crashinfo force page-fault or crashinfo force watchdog command (because these are real crashes). The firewall reloads after the crash dump is complete. This command is available only in configuration mode.

If save to crash (crashinfo save enable) is enabled then the crash is first dumped to Flash memory and then to the console. Otherwise, it is only dumped to console.

When the crashinfo force page-fault command is issued, a warning prompt similar to the following is displayed:

pixfirewall(config)# crashinfo force page-fault
WARNING: This command will force the PIX to crash and reboot.
Do you wish to proceed? [confirm]: 

If you enter a carriage return (by pressing the return or enter key on your keyboard), "Y", or "y" the firewall crashes and reloads; all three of these are interpreted as confirmation. Any other character is interpreted as a no, and the firewall returns to the command-line configuration mode prompt.

show crashinfo

The show crashinfo save command displays whether or not the firewall is currently configured to save crash information to Flash memory.

The show crashinfo command displays the crash information file that is stored in the Flash memory of the firewall. If the crash information file is from a test crash (from the crashinfo test command), the first string of the crash information file is ": Saved_Test_Crash" and the last one is ": End_Test_Crash". If the crash information file is from a real crash, the first string of the crash information file is ": Saved_Crash" and the last one is ": End_Crash" (this includes crashes from use of the crashinfo force page-fault or crashinfo force watchdog commands).

The clear crashinfo command deletes the crash information file from the Flash memory of the firewall.

Examples

The following example shows how to display the current crash information configuration:

pixfirewall(config)# show crashinfo save
crashinfo save enable

The following example shows the output for a crash information file test. (However, this test does not actually crash the firewall. It provides a simulated example file.)

pixfirewall(config)# crashinfo test
pixfirewall(config)# exit
pixfirewall# show crashinfo
: Saved_Test_Crash

Thread Name: ci/console (Old pc 0x001a6ff5 ebp 0x00e88920)

Traceback:
0: 00323143
1: 0032321b
2: 0010885c
3: 0010763c
4: 001078db
5: 00103585
6: 00000000
    vector 0x000000ff (user defined)
       edi 0x004f20c4
       esi 0x00000000
       ebp 0x00e88c20
       esp 0x00e88bd8
       ebx 0x00000001
       edx 0x00000074
       ecx 0x00322f8b
       eax 0x00322f8b
error code n/a
       eip 0x0010318c
        cs 0x00000008
    eflags 0x00000000
       CR2 0x00000000
Stack dump: base:0x00e8511c size:16384, active:1476
0x00e89118: 0x004f1bb4
0x00e89114: 0x001078b4
0x00e89110-0x00e8910c: 0x00000000
0x00e89108-0x00e890ec: 0x12345678
0x00e890e8: 0x004f1bb4
0x00e890e4: 0x00103585
0x00e890e0: 0x00e8910c
0x00e890dc-0x00e890cc: 0x12345678
0x00e890c8: 0x00000000
0x00e890c4-0x00e890bc: 0x12345678
0x00e890b8: 0x004f1bb4
0x00e890b4: 0x001078db
0x00e890b0: 0x00e890e0
0x00e890ac-0x00e890a8: 0x12345678
0x00e890a4: 0x001179b3
0x00e890a0: 0x00e890b0
0x00e8909c-0x00e89064: 0x12345678
0x00e89060: 0x12345600
0x00e8905c: 0x20232970
0x00e89058: 0x616d2d65
0x00e89054: 0x74002023
0x00e89050: 0x29676966
0x00e8904c: 0x6e6f6328
0x00e89048: 0x31636573
0x00e89044: 0x7069636f
0x00e89040: 0x64786970
0x00e8903c-0x00e88e50: 0x00000000
0x00e88e4c: 0x000a7473
0x00e88e48: 0x6574206f
0x00e88e44: 0x666e6968
0x00e88e40: 0x73617263
0x00e88e3c-0x00e88e38: 0x00000000
0x00e88e34: 0x12345600
0x00e88e30-0x00e88dfc: 0x00000000
0x00e88df8: 0x00316761
0x00e88df4: 0x74706100
0x00e88df0: 0x12345600
0x00e88dec-0x00e88ddc: 0x00000000
0x00e88dd8: 0x00000070
0x00e88dd4: 0x616d2d65
0x00e88dd0: 0x74756f00
0x00e88dcc: 0x00000000
0x00e88dc8: 0x00e88e40
0x00e88dc4: 0x004f20c4
0x00e88dc0: 0x12345600
0x00e88dbc: 0x00000000
0x00e88db8: 0x00000035
0x00e88db4: 0x315f656c
0x00e88db0: 0x62616e65
0x00e88dac: 0x0030fcf0
0x00e88da8: 0x3011111f
0x00e88da4: 0x004df43c
0x00e88da0: 0x0053fef0
0x00e88d9c: 0x004f1bb4
0x00e88d98: 0x12345600
0x00e88d94: 0x00000000
0x00e88d90: 0x00000035
0x00e88d8c: 0x315f656c
0x00e88d88: 0x62616e65
0x00e88d84: 0x00000000
0x00e88d80: 0x004f20c4
0x00e88d7c: 0x00000001
0x00e88d78: 0x01345678
0x00e88d74: 0x00f53854
0x00e88d70: 0x00f7f754
0x00e88d6c: 0x00e88db0
0x00e88d68: 0x00e88d7b
0x00e88d64: 0x00f53874
0x00e88d60: 0x00e89040
0x00e88d5c-0x00e88d54: 0x12345678
0x00e88d50-0x00e88d4c: 0x00000000
0x00e88d48: 0x004f1bb4
0x00e88d44: 0x00e88d7c
0x00e88d40: 0x00e88e40
0x00e88d3c: 0x00f53874
0x00e88d38: 0x004f1bb4
0x00e88d34: 0x0010763c
0x00e88d30: 0x00e890b0
0x00e88d2c: 0x00e88db0
0x00e88d28: 0x00e88d88
0x00e88d24: 0x0010761a
0x00e88d20: 0x00e890b0
0x00e88d1c: 0x00e88e40
0x00e88d18: 0x00f53874
0x00e88d14: 0x0010166d
0x00e88d10: 0x0000000e
0x00e88d0c: 0x00f53874
0x00e88d08: 0x00f53854
0x00e88d04: 0x0048b301
0x00e88d00: 0x00e88d30
0x00e88cfc: 0x0000000e
0x00e88cf8: 0x00f53854
0x00e88cf4: 0x0048a401
0x00e88cf0: 0x00f53854
0x00e88cec: 0x00f53874
0x00e88ce8: 0x0000000e
0x00e88ce4: 0x0048a64b
0x00e88ce0: 0x0000000e
0x00e88cdc: 0x00f53874
0x00e88cd8: 0x00f7f96c
0x00e88cd4: 0x0048b4f8
0x00e88cd0: 0x00e88d00
0x00e88ccc: 0x0000000f
0x00e88cc8: 0x00f7f96c
0x00e88cc4-0x00e88cc0: 0x0000000e
0x00e88cbc: 0x00e89040
0x00e88cb8: 0x00000000
0x00e88cb4: 0x00f5387e
0x00e88cb0: 0x00f53874
0x00e88cac: 0x00000002
0x00e88ca8: 0x00000001
0x00e88ca4: 0x00000009
0x00e88ca0-0x00e88c9c: 0x00000001
0x00e88c98: 0x00e88cb0
0x00e88c94: 0x004f20c4
0x00e88c90: 0x0000003a
0x00e88c8c: 0x00000000
0x00e88c88: 0x0000000a
0x00e88c84: 0x00489f3a
0x00e88c80: 0x00e88d88
0x00e88c7c: 0x00e88e40
0x00e88c78: 0x00e88d7c
0x00e88c74: 0x001087ed
0x00e88c70: 0x00000001
0x00e88c6c: 0x00e88cb0
0x00e88c68: 0x00000002
0x00e88c64: 0x0010885c
0x00e88c60: 0x00e88d30
0x00e88c5c: 0x00727334
0x00e88c58: 0xa0ffffff
0x00e88c54: 0x00e88cb0
0x00e88c50: 0x00000001
0x00e88c4c: 0x00e88cb0
0x00e88c48: 0x00000002
0x00e88c44: 0x0032321b
0x00e88c40: 0x00e88c60
0x00e88c3c: 0x00e88c7f
0x00e88c38: 0x00e88c5c
0x00e88c34: 0x004b1ad5
0x00e88c30: 0x00e88c60
0x00e88c2c: 0x00e88e40
0x00e88c28: 0xa0ffffff
0x00e88c24: 0x00323143
0x00e88c20: 0x00e88c40
0x00e88c1c: 0x00000000
0x00e88c18: 0x00000008
0x00e88c14: 0x0010318c
0x00e88c10-0x00e88c0c: 0x00322f8b
0x00e88c08: 0x00000074
0x00e88c04: 0x00000001
0x00e88c00: 0x00e88bd8
0x00e88bfc: 0x00e88c20
0x00e88bf8: 0x00000000
0x00e88bf4: 0x004f20c4
0x00e88bf0: 0x000000ff
0x00e88bec: 0x00322f87
0x00e88be8: 0x00f5387e
0x00e88be4: 0x00323021
0x00e88be0: 0x00e88c10
0x00e88bdc: 0x004f20c4
0x00e88bd8: 0x00000000 *
0x00e88bd4: 0x004eabb0
0x00e88bd0: 0x00000001
0x00e88bcc: 0x00f5387e
0x00e88bc8-0x00e88bc4: 0x00000000
0x00e88bc0: 0x00000008
0x00e88bbc: 0x0010318c
0x00e88bb8-0x00e88bb4: 0x00322f8b
0x00e88bb0: 0x00000074
0x00e88bac: 0x00000001
0x00e88ba8: 0x00e88bd8
0x00e88ba4: 0x00e88c20
0x00e88ba0: 0x00000000
0x00e88b9c: 0x004f20c4
0x00e88b98: 0x000000ff
0x00e88b94: 0x001031f2
0x00e88b90: 0x00e88c20
0x00e88b8c: 0xffffffff
0x00e88b88: 0x00e88cb0
0x00e88b84: 0x00320032
0x00e88b80: 0x37303133
0x00e88b7c: 0x312f6574
0x00e88b78: 0x6972772f
0x00e88b74: 0x342f7665
0x00e88b70: 0x64736666
0x00e88b6c: 0x00020000
0x00e88b68: 0x00000010
0x00e88b64: 0x00000001
0x00e88b60: 0x123456cd
0x00e88b5c: 0x00000000
0x00e88b58: 0x00000008

Cisco PIX Firewall Version 6.3
Cisco PIX Device Manager Version 2.1

Compiled on Fri 15-Nov-02 14:35 by root

pixfirewall up 10 days 0 hours

Hardware:   PIX-515, 64 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB

0: ethernet0: address is 0003.e300.73fd, irq 10
1: ethernet1: address is 0003.e300.73fe, irq 7
2: ethernet2: address is 00d0.b7c8.139e, irq 9
Licensed Features:
Failover:           Disabled
VPN-DES:            Enabled
VPN-3DES-AES:       Disabled
Maximum Interfaces: 3
Cut-through Proxy:  Enabled
Guards:             Enabled
URL-filtering:      Enabled
Inside Hosts:       Unlimited
Throughput:         Unlimited
IKE peers:          Unlimited

This PIX has a Restricted (R) license.

Serial Number: 480430455 (0x1ca2c977)
Running Activation Key: 0xc2e94182 0xc21d8206 0x15353200 0x633f6734 
Configuration last modified by enable_15 at 13:49:42.148 UTC Wed Nov 20 2002

------------------ show clock ------------------

15:34:28.129 UTC Sun Nov 24 2002

------------------ show memory ------------------

Free memory:        50444824 bytes
Used memory:        16664040 bytes
-------------     ----------------
Total memory:       67108864 bytes

------------------ show conn count ------------------

0 in use, 0 most used

------------------ show xlate count ------------------

0 in use, 0 most used

------------------ show blocks ------------------

  SIZE    MAX    LOW    CNT
     4   1600   1600   1600
    80    400    400    400
   256    500    499    500
  1550   1188    795    927

------------------ show interface ------------------

interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0003.e300.73fd
  IP address 172.23.59.232, subnet mask 255.255.0.0
  MTU 1500 bytes, BW 10000 Kbit half duplex
        6139 packets input, 830375 bytes, 0 no buffer
        Received 5990 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        90 packets output, 6160 bytes, 0 underruns
        0 output errors, 13 collisions, 0 interface resets
        0 babbles, 0 late collisions, 47 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (5/128) software (0/2)
        output queue (curr/max blocks): hardware (0/1) software (0/1)
interface ethernet1 "inside" is up, line protocol is down
  Hardware is i82559 ethernet, address is 0003.e300.73fe
  IP address 10.1.1.1, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 10000 Kbit half duplex
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        1 packets output, 60 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        1 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/0)
        output queue (curr/max blocks): hardware (0/1) software (0/1)
interface ethernet2 "intf2" is administratively down, line protocol is down
  Hardware is i82559 ethernet, address is 00d0.b7c8.139e
  IP address 127.0.0.1, subnet mask 255.255.255.255
  MTU 1500 bytes, BW 10000 Kbit half duplex
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 packets output, 0 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/0)
        output queue (curr/max blocks): hardware (0/0) software (0/0)

------------------ show cpu usage ------------------

CPU utilization for 5 seconds = 0%; 1 minute: 0%; 5 minutes: 0%

------------------ show process ------------------


    PC       SP       STATE       Runtime    SBASE     Stack Process
Hsi 001e3329 00763e7c 0053e5c8          0 00762ef4 3784/4096 arp_timer
Lsi 001e80e9 00807074 0053e5c8          0 008060fc 3792/4096 FragDBGC
Lwe 00117e3a 009dc2e4 00541d18          0 009db46c 3704/4096 dbgtrace
Lwe 003cee95 009de464 00537718          0 009dc51c 8008/8192 Logger
Hwe 003d2d18 009e155c 005379c8          0 009df5e4 8008/8192 tcp_fast
Hwe 003d2c91 009e360c 005379c8          0 009e1694 8008/8192 tcp_slow
Lsi 002ec97d 00b1a464 0053e5c8          0 00b194dc 3928/4096 xlate clean
Lsi 002ec88b 00b1b504 0053e5c8          0 00b1a58c 3888/4096 uxlate clean
Mrd 002e3a17 00c8f8d4 0053e600          0 00c8d93c 7908/8192 tcp_intercept_times
Lsi 00423dd5 00d3a22c 0053e5c8          0 00d392a4 3900/4096 route_process
Hsi 002d59fc 00d3b2bc 0053e5c8          0 00d3a354 3780/4096 PIX Garbage Collecr
Hwe 0020e301 00d5957c 0053e5c8          0 00d55614 16048/16384 isakmp_time_keepr
Lsi 002d377c 00d7292c 0053e5c8          0 00d719a4 3928/4096 perfmon
Hwe 0020bd07 00d9c12c 0050bb90          0 00d9b1c4 3944/4096 IPSec
Mwe 00205e25 00d9e1ec 0053e5c8          0 00d9c274 7860/8192 IPsec timer handler
Hwe 003864e3 00db26bc 00557920          0 00db0764 6904/8192 qos_metric_daemon
Mwe 00255a65 00dc9244 0053e5c8          0 00dc8adc 1436/2048 IP Background
Lwe 002e450e 00e7bb94 00552c30          0 00e7ad1c 3704/4096 pix/trace
Lwe 002e471e 00e7cc44 00553368          0 00e7bdcc 3704/4096 pix/tconsole
Hwe 001e5368 00e7ed44 00730674          0 00e7ce9c 7228/8192 pix/intf0
Hwe 001e5368 00e80e14 007305d4          0 00e7ef6c 7228/8192 pix/intf1
Hwe 001e5368 00e82ee4 00730534       2470 00e8103c 4892/8192 pix/intf2
H*  001a6ff5 0009ff2c 0053e5b0       4820 00e8511c 12860/16384 ci/console
Csi 002dd8ab 00e8a124 0053e5c8          0 00e891cc 3396/4096 update_cpu_usage
Hwe 002cb4d1 00f2bfbc 0051e360          0 00f2a134 7692/8192 uauth_in
Hwe 003d17d1 00f2e0bc 00828cf0          0 00f2c1e4 7896/8192 uauth_thread
Hwe 003e71d4 00f2f20c 00537d20          0 00f2e294 3960/4096 udp_timer
Hsi 001db3ca 00f30fc4 0053e5c8          0 00f3004c 3784/4096 557mcfix
Crd 001db37f 00f32084 0053ea40  508286220 00f310fc 3688/4096 557poll
Lsi 001db435 00f33124 0053e5c8          0 00f321ac 3700/4096 557timer
Hwe 001e5398 00f441dc 008121e0          0 00f43294 3912/4096 fover_ip0
Cwe 001dcdad 00f4523c 00872b48        120 00f44344 3528/4096 ip/0:0
Hwe 001e5398 00f4633c 008121bc         10 00f453f4 3532/4096 icmp0
Hwe 001e5398 00f47404 00812198          0 00f464cc 3896/4096 udp_thread/0
Hwe 001e5398 00f4849c 00812174          0 00f475a4 3456/4096 tcp_thread/0
Hwe 001e5398 00f495bc 00812150          0 00f48674 3912/4096 fover_ip1
Cwe 001dcdad 00f4a61c 008ea850          0 00f49724 3832/4096 ip/1:1
Hwe 001e5398 00f4b71c 0081212c          0 00f4a7d4 3912/4096 icmp1
Hwe 001e5398 00f4c7e4 00812108          0 00f4b8ac 3896/4096 udp_thread/1
Hwe 001e5398 00f4d87c 008120e4          0 00f4c984 3832/4096 tcp_thread/1
Hwe 001e5398 00f4e99c 008120c0          0 00f4da54 3912/4096 fover_ip2
Cwe 001e542d 00f4fa6c 00730534          0 00f4eb04 3944/4096 ip/2:2
Hwe 001e5398 00f50afc 0081209c          0 00f4fbb4 3912/4096 icmp2
Hwe 001e5398 00f51bc4 00812078          0 00f50c8c 3896/4096 udp_thread/2
Hwe 001e5398 00f52c5c 00812054          0 00f51d64 3832/4096 tcp_thread/2
Hwe 003d1a65 00f78284 008140f8          0 00f77fdc  300/1024 listen/http1
Mwe 0035cafa 00f7a63c 0053e5c8          0 00f786c4 7640/8192 Crypto CA

------------------ show failover ------------------

No license for Failover

------------------ show traffic ------------------

outside:
        received (in 865565.090 secs):
                6139 packets    830375 bytes
                0 pkts/sec      0 bytes/sec
        transmitted (in 865565.090 secs):
                90 packets      6160 bytes
                0 pkts/sec      0 bytes/sec
inside:
        received (in 865565.090 secs):
                0 packets       0 bytes
                0 pkts/sec      0 bytes/sec
        transmitted (in 865565.090 secs):
                1 packets       60 bytes
                0 pkts/sec      0 bytes/sec
intf2:
        received (in 865565.090 secs):
                0 packets       0 bytes
                0 pkts/sec      0 bytes/sec
        transmitted (in 865565.090 secs):
                0 packets       0 bytes
                0 pkts/sec      0 bytes/sec

------------------ show perfmon ------------------


PERFMON STATS:    Current      Average
Xlates               0/s          0/s
Connections          0/s          0/s
TCP Conns            0/s          0/s
UDP Conns            0/s          0/s
URL Access           0/s          0/s
URL Server Req       0/s          0/s
TCP Fixup            0/s          0/s
TCPIntercept         0/s          0/s
HTTP Fixup           0/s          0/s
FTP Fixup            0/s          0/s
AAA Authen           0/s          0/s
AAA Author           0/s          0/s
AAA Account          0/s          0/s
: End_Test_Crash

Related Commands

failover

Enable or disable the PIX Firewall failover feature on a standby PIX Firewall.


crypto dynamic-map

Create, view, or delete a dynamic crypto map entry.

[no] crypto dynamic-map dynamic-map-name dynamic-seq-num match address acl_name

[no] crypto dynamic-map dynamic-map-name dynamic-seq-num set peer hostname | ip_address

[no] crypto dynamic-map dynamic-map-name dynamic-seq-num set pfs [group1 | group2]

[no] crypto dynamic-map dynamic-map-name dynamic-seq-num set security-association lifetime seconds seconds | kilobytes kilobytes

[no] crypto dynamic-map dynamic-map-name dynamic-seq-num set transform-set transform-set-name1 [... transform-set-name9]

clear [crypto] dynamic-map [dynamic-map-name] [dynamic-seq-num]

show crypto dynamic-map [tag  dynamic-map-name]

Syntax Description

dynamic-map-name

Specify the name of the dynamic crypto map set.

dynamic-seq-num

Specify the sequence number that corresponds to the dynamic crypto map entry.

subcommand

Various subcommands (match address, set transform-set, and so on).

tag map-name

(Optional) Show the crypto dynamic map set with the specified map-name.



Note The crypto dynamic-map subcommands, such as match address, set peer, and set pfs are described with the crypto map command. If the peer initiates the negotiation and the local configuration specifies perfect forward secrecy (PFS), the peer must perform a PFS exchange or the negotiation will fail. If the local configuration does not specify a group, a default of group1 will be assumed, and an offer of either group1 or group2 will be accepted. If the local configuration specifies group2, that group must be part of the peer's offer or the negotiation will fail. If the local configuration does not specify PFS, it will accept any offer of PFS from the peer.


Command Modes

Configuration mode.

Usage Guidelines

The sections that follow describe each crypto dynamic-map command.

crypto dynamic-map

The crypto dynamic-map command lets you create a dynamic crypto map entry. The no crypto dynamic-map command deletes a dynamic crypto map set or entry. The clear [crypto] dynamic-map removes all of the dynamic crypto map command statements. Specifying the name of a given crypto dynamic map removes the associated crypto dynamic map command statement(s). You can also specify the dynamic crypto map's sequence number to remove all of the associated dynamic crypto map command statements. The show crypto dynamic-map command lets you view a dynamic crypto map set.

Dynamic crypto maps are policy templates used when processing negotiation requests for new security associations from a remote IPSec peer, even if you do not know all of the crypto map parameters required to communicate with the peer (such as the peer's IP address). For example, if you do not know about all the remote IPSec peers in your network, a dynamic crypto map lets you accept requests for new security associations from previously unknown peers. (However, these requests are not processed until the IKE authentication has completed successfully.)

When a PIX Firewall receives a negotiation request via IKE from another peer, the request is examined to see if it matches a crypto map entry. If the negotiation does not match any explicit crypto map entry, it will be rejected unless the crypto map set includes a reference to a dynamic crypto map.

The dynamic crypto map accepts "wildcard" parameters for any parameters not explicitly stated in the dynamic crypto map entry. This lets you set up IPSec security associations with a previously unknown peer. (The peer still must specify matching values for the "wildcard" IPSec security association negotiation parameters.)

If the PIX Firewall accepts the peer's request, at the point that it installs the new IPSec security associations it also installs a temporary crypto map entry. This entry is filled in with the results of the negotiation. At this point, the PIX Firewall performs normal processing, using this temporary crypto map entry as a normal entry, even requesting new security associations if the current ones are expiring (based upon the policy specified in the temporary crypto map entry). Once the flow expires (that is, all of the corresponding security associations expire), the temporary crypto map entry is removed.

The crypto dynamic-map command statements are used for determining whether or not traffic should be protected. The only parameter required in a crypto dynamic-map command statement is the set transform-set. All other parameters are optional.

Examples

The following example configures an IPSec crypto map set:

Crypto map entry mymap 30 references the dynamic crypto map set mydynamicmap, which can be used to process inbound security association negotiation requests that do not match mymap entries 10 or 20. In this case, if the peer specifies a transform set that matches one of the transform sets specified in mydynamicmap, for a flow "permitted" by the access list 103, IPSec will accept the request and set up security associations with the remote peer without previously knowing about the peer. If accepted, the resulting security associations (and temporary crypto map entry) are established according to the settings specified by the remote peer.

The access list associated with mydynamicmap 10 is also used as a filter. Inbound packets that match a permit statement in this list are dropped for not being IPSec protected. (The same is true for access lists associated with static crypto maps entries.) Outbound packets that match a permit statement without an existing corresponding IPSec security association are also dropped in the following example.

crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set transform-set my_t_set1
crypto map mymap 10 set peer 10.0.0.1 10.0.0.2
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address 102
crypto map mymap 20 set transform-set my_t_set1 my_t_set2
crypto map mymap 20 set peer 10.0.0.3
crypto dynamic-map mydynamicmap 10 match address 103

crypto dynamic-map mydynamicmap 10 set transform-set my_t_set1 my_t_set2 my_t_set3

crypto map mymap 30 ipsec-isakmp dynamic mydynamicmap

The following is sample output from the how crypto dynamic-map command:

show crypto dynamic-map

Crypto Map Template "dyn1" 10

        access-list 152 permit ip host 172.21.114.67 any
        Current peer: 0.0.0.0
        Security association lifetime: 4608000 kilobytes/120 seconds
        PFS (Y/N): N
        Transform sets={      tauth, t1,      }

The following partial configuration was in effect when the preceding show crypto dynamic-map command was issued:

crypto ipsec security-association lifetime seconds 120        
crypto ipsec transform-set t1 esp-des esp-md5-hmac 
crypto ipsec transform-set tauth ah-sha-hmac 
crypto dynamic-map dyn1 10 set transform-set tauth t1 
crypto dynamic-map dyn1 10 match address 152
crypto map to-firewall local-address Ethernet0
crypto map to-firewall 10 ipsec-isakmp 
crypto map to-firewall 10 set peer 172.21.114.123
crypto map to-firewall 10 set transform-set tauth t1 
crypto map to-firewall 10 match address 150
crypto map to-firewall 20 ipsec-isakmp dynamic dyn1
access-list 150 permit ip host 172.21.114.67 host 172.21.114.123
access-list 150 permit ip host 15.15.15.1 host 172.21.114.123
access-list 150 permit ip host 15.15.15.1 host 8.8.8.1
access-list 152 permit ip host 172.21.114.67 any

The following example shows output from the show crypto map command for a crypto map named "mymap":

pixfirewall(config)# show crypto map

Crypto Map: "mymap" interfaces: { outside }

Crypto Map "mymap" 1 ipsec-isakmp
        Peer = 209.165.200.241
        access-list no-nat; 1 elements
        access-list no-nat permit ip 209.165.201.16 255.255.255.0 1.1.1.0 255.255.255.0 
(hitcnt=0) 
        Current peer: 209.165.200.241
        Security association lifetime: 4608000 kilobytes/28800 seconds
        PFS (Y/N): Y
        DH group:  group5
        Transform sets={ mycrypt, }

crypto dynamic-map   match address

See the crypto map   match address command within the crypto map command for information about this command.

crypto dynamic-map  set peer

See the crypto map set peer command within the crypto map command for information about this command.

crypto dynamic-map   set pfs

See the crypto map set pfs command within the crypto map command for information about this command.

crypto dynamic-map   set security-association lifetime

See the crypto map   set security-association lifetime command within the crypto map command for information about this command.

crypto dynamic-map  set transform-set

See the crypto map   set transform-set command within the crypto map command for information about this command.


Note The crypto map   set transform-set command is required for dynamic crypto map entries.


crypto ipsec

Create, view, or delete IPSec security associations, security association global lifetime values, and global transform sets.

[no] crypto ipsec security-association lifetime seconds seconds | kilobytes kilobytes

crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]

crypto ipsec transform-set transform-set-name mode transport

[no] crypto ipsec transform-set trans-name [ah-md5-hmac | ah-sha-hmac] [esp-aes |esp-aes-192 | esp-aes-256| esp-des | esp-3des| esp-null] [esp-md5-hmac | esp-sha-hmac]

clear [crypto] ipsec sa

clear [crypto] ipsec sa counters

clear [crypto] ipsec sa entry destination-address protocol spi

clear [crypto] ipsec sa map map-name

clear [crypto] ipsec sa peer

show crypto ipsec security-association lifetime

show crypto ipsec transform-set [tag transform-set-name]

show crypto ipsec sa [map map-name | address | identity] [detail]

Syntax Description

address

(Optional) Show all of the existing security associations, sorted by the destination address (either the local address or the address of the remote IPSec peer) and then by protocol (AH or ESP).

esp-aes

Selecting this option means that IPSec messages protected by this transform are encrypted using AES with a 128-bit key.

esp-aes-192

Selecting this option means that IPSec messages protected by this transform are encrypted using AES with a 192-bit key.

esp-aes-256

Selecting this option means that IPSec messages protected by this transform are encrypted using AES with a 256-bit key.

destination-address

Specify the IP address of your peer or the remote peer.

detail

(Optional) Show detailed error counters.

identity

(Optional) Show only the flow information. It does not show the security association information.

kilobytes kilobytes

Specify the volume of traffic (in kilobytes) that can pass between IPSec peers using a given security association before that security association expires. The default is 4,608,000 kilobytes (10 megabytes per second for one hour).

map map-name

The name of the crypto map set.

mode transport

Specifies the transform set to accept transport mode requests in addition to the tunnel mode request.

protocol

Specify either the AH or ESP protocol.

seconds seconds

Specify the number of seconds a security association will live before it expires. The default is 28,800 seconds (eight hours).

seq-num

The number you assign to the crypto map entry.

spi

Specify the Security Parameter Index (SPI), a number that is used to uniquely identify a security association. The SPI is an arbitrary number you assign in the range of 256 to 4,294,967,295 (a hexidecimal value of FFFF FFFF).

tag transform-set-name

(Optional) Show only the transform sets with the specified transform-set-name.

transform1
transform2
transform3

Specify up to three transforms. Transforms define the IPSec security protocol(s) and algorithm(s). Each transform represents an IPSec security protocol (ESP, AH, or both) plus the algorithm you want to use.

transform-set-name

Specify the name of the transform set to create or modify.


Command Modes

Configuration mode.

Usage Guidelines

The sections that follow describe each crypto ipsec command. To run the Known Answer Test (KAT), refer to the show crypto engine verify command.

crypto ipsec security-association lifetime

The crypto ipsec security-association lifetime command is used to change global lifetime values used when negotiating IPSec security associations. To reset a lifetime to the default value, use the no crypto ipsec security-association lifetime command. The show crypto ipsec security-association lifetime command lets you view the security-association lifetime value configured for a particular crypto map entry.

IPSec security associations use shared secret keys. These keys and their security associations time out together.

Assuming that the particular crypto map entry does not have lifetime values configured, when the PIX Firewall requests new security associations during security association negotiation, it will specify its global lifetime value in the request to the peer; it will use this value as the lifetime of the new security associations. When the PIX Firewall receives a negotiation request from the peer, it will use the smaller of the lifetime value proposed by the peer or the locally configured lifetime value as the lifetime of the new security associations.

There are two lifetimes: a "timed" lifetime and a "traffic-volume" lifetime. The security association expires after the first of these lifetimes is reached.

If you change a global lifetime, the change is only applied when the crypto map entry does not have a lifetime value specified. The change will not be applied to existing security associations, but will be used in subsequent negotiations to establish new security associations. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear [crypto] ipsec sa command. See the clear [crypto] ipsec sa command for more information.

To change the global timed lifetime, use the crypto ipsec security-association lifetime seconds command. The timed lifetime causes the security association to time out after the specified number of seconds have passed.

To change the global traffic-volume lifetime, use the crypto ipsec security-association lifetime kilobytes command. The traffic-volume lifetime causes the security association to time out after the specified amount of traffic (in kilobytes) has been protected by the security associations' key.

Shorter lifetimes can make it harder to mount a successful key recovery attack, because the attacker has less data encrypted under the same key to work with. However, shorter lifetimes require more CPU processing time for establishing new security associations. The lifetime values are ignored for manually established security associations (security associations installed using an ipsec-manual crypto map command entry).

The security association (and corresponding keys) will expire according to whichever occurs sooner, either after the number of seconds has passed (specified by the seconds keyword) or after the amount of traffic in kilobytes has passed (specified by the kilobytes keyword).

A new security association is negotiated before the lifetime threshold of the existing security association is reached, to ensure that a new security association is ready for use when the old one expires. The new security association is negotiated either 30 seconds before the seconds lifetime expires or when the volume of traffic through the tunnel reaches 256 kilobytes less than the kilobytes lifetime (whichever occurs first).

If no traffic has passed through the tunnel during the entire life of the security association, a new security association is not negotiated when the lifetime expires. Instead, a new security association will be negotiated only when IPSec sees another packet that should be protected.

clear [crypto] ipsec sa

Use the clear [crypto] ipsec sa command to delete IPSec security associations. The keyword crypto is optional. If the security associations were established via IKE, they are deleted and future IPSec traffic will require new security associations to be negotiated. When IKE is used, the IPSec security associations are established only when needed.

If the security associations are manually established, the security associations are deleted.

If the peer, map, entry, or counters keywords are not used, all IPSec security associations will be deleted. This command clears (deletes) IPSec security associations.

If the security associations were established via IKE, they are deleted and future IPSec traffic will require new security associations to be negotiated. (When IKE is used, the IPSec security associations are established only when needed.)

If the security associations are manually established, the security associations are deleted and reinstalled. (When IKE is not used, the IPSec security associations are created as soon as the configuration is completed.)

If the peer, map, entry, or counters keywords are not used, all IPSec security associations will be deleted.

The peer keyword deletes any IPSec security associations for the specified peer.

The map keyword deletes any IPSec security associations for the named crypto map set.

The entry keyword deletes the IPSec security association with the specified address, protocol, and SPI.

If any of the previous commands cause a particular security association to be deleted, all the "sibling" security associations—that were established during the same IKE negotiation—are deleted as well.

The counters keyword simply clears the traffic counters maintained for each security association; it does not clear the security associations themselves.

If you make configuration changes that affect security associations, these changes will not apply to existing security associations but to negotiations for subsequent security associations. You can use the clear [crypto] ipsec sa command to restart all security associations so they will use the most current configuration settings. In the case of manually established security associations, if you make changes that affect security associations you must use the clear [crypto] ipsec sa command before the changes take effect.


Note If you make significant changes to an IPSec configuration, such as to access lists or peers, the clear [crypto] ipsec sa command does not enable the new configuration. In such a case, rebind the crypto map to the interface with the crypto map interface command.


If the PIX Firewall is processing active IPSec traffic, we recommend that you only clear the portion of the security association database that is affected by the changes to avoid causing active IPSec traffic to temporarily fail.

The clear [crypto] ipsec sa command only clears IPSec security associations; to clear IKE security associations, use the clear [crypto] isakmp sa command.

The following example clears (and reinitializes if appropriate) all IPSec security associations at the PIX Firewall:

clear crypto ipsec sa

The following example clears (and reinitializes if appropriate) the inbound and outbound IPSec security associations established along with the security association established for address 10.0.0.1 using the AH protocol with the SPI of 256:

clear crypto ipsec sa entry 10.0.0.1 AH 256

show crypto ipsec sa

The show crypto ipsec sa command lets you view the settings used by current security associations. If no keyword is used, all security associations are displayed. They are sorted first by interface, and then by traffic flow (for example, source/destination address, mask, protocol, port). Within a flow, the security associations are listed by protocol (ESP/AH) and direction (inbound/outbound).


Note While entering the show crypto ipsec sa command, if the screen display is stopped with the More prompt and the security association lifetime expires while the screen display is stopped, then the subsequent display information may refer to a stale security association. Assume that the security association lifetime values that display are invalid.

Output from the show crypto ipsec sa command lists the PCP protocol. This is a compression protocol supplied with the Cisco IOS software code on which the PIX Firewall IPSec implementation is based; however, the PIX Firewall does not support the PCP protocol.


crypto ipsec transform-set transform-set-name mode transport

This command specifies IPSec transport mode for a transform set. The Windows 2000 L2TP/IPSec client uses IPSec transport mode, so transport mode must be selected on the transform set. The default is tunnel mode. For PIX Firewall Version 6.0 and higher, L2TP is the only protocol that can use the IPSec transport mode. All other types of packets using IPSec transport mode will be discarded by the PIX Firewall. Use the no form of the command to reset the mode to the default value of tunnel mode.


Note A transport mode transform can only be used on a dynamic crypto map, and the PIX Firewall CLI will display an error if you attempt to tie a transport-mode transform to a static crypto map.


Tunnel mode is automatically enabled for a transform set, so no mode needs to be explicitly configured when tunnel mode is desired.

The firewall uses tunnel mode except when it is talking to a Windows 2000 L2TP/IPSec client, with which it uses transport mode. Use the crypto ipsec transform-set trans_name mode transport command to configure the firewall to negotiate with a Windows 2000 L2TP/IPSec client. To reset the mode to the default value of tunnel mode, use the no crypto ipsec transform-set trans_name mode transport command.

The crypto ipsec transform-set command defines a transform set. To delete a transform set, use the no crypto ipsec transform-set command. To view the configured transform sets, use the show crypto ipsec transform-set command.

A transform set specifies one or two IPSec security protocols (either ESP or AH or both) and specifies which algorithms to use with the selected security protocol. During the IPSec security association negotiation, the peers agree to use a particular transform set when protecting a particular data flow.

IPSec messages can be protected by a transform set using AES with a 128-bit key, 192-bit key, or 256-bit key.

The following example uses the AES 192-bit key transform:

pixfirewall(config)# crypto ipsec transform-set standard esp-aes-192 esp-md5-hmac


Note AES support is available on firewalls licensed for VPN-3DES only.


Due to the large key sizes provided by AES, ISAKMP negotiation should use Diffie-Hellman group 5 instead of group 1 or group 2. This is done with the isakmp policy priority group 5 command.

You can configure multiple transform sets, and then specify one or more of these transform sets in a crypto map entry. The transform set defined in the crypto map entry is used in the IPSec security association negotiation to protect the data flows specified by that crypto map entry's access list. During the negotiation, the peers search for a transform set that is the same at both peers. When such a transform set is found, it is selected and is applied to the protected traffic as part of both peer's IPSec security associations.

When security associations are established manually, a single transform set must be used. The transform set is not negotiated.

Before a transform set can be included in a crypto map entry, it must be defined using the crypto ipsec transform-set command.

To define a transform set, you specify one to three "transforms"—each transform represents an IPSec security protocol (ESP or AH) plus the algorithm you want to use. When the particular transform set is used during negotiations for IPSec security associations, the entire transform set (the combination of protocols, algorithms, and other settings) must match a transform set at the remote peer.

In a transform set you can specify the AH protocol or the ESP protocol. If you specify an ESP protocol in a transform set, you can specify just an ESP encryption transform or both an ESP encryption transform and an ESP authentication transform.

Examples of acceptable transform combinations are as follows:

ah-md5-hmac

esp-des

esp-des and esp-md5-hmac

ah-sha-hmac and esp-des and esp-sha-hmac

If one or more transforms are specified in the crypto ipsec transform-set command for an existing transform set, the specified transforms will replace the existing transforms for that transform set.

If you change a transform set definition, the change is only applied to crypto map entries that reference the transform set. The change will not be applied to existing security associations, but will be used in subsequent negotiations to establish new security associations. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear [crypto] ipsec sa command.

For more information about transform sets, refer to the Cisco PIX Firewall and VPN Configuration Guide.

show crypto ipsec commands

The show crypto ipsec security-association lifetime command displays the security-association lifetime value configured for a particular crypto map entry.

The show crypto ipsec transform-set [tag transform-set-name] command displays the configured transform sets.

The show crypto ipsec sa [map map-name | address | identity] [detail] command displays the settings used by current security associations.

Examples

The following example shortens the IPSec SA lifetimes. The time-out lifetime is shortened to 2700 seconds (45 minutes), and the traffic-volume lifetime is shortened to 2,304,000 kilobytes (10 megabytes per second for one half hour).

crypto ipsec security-association lifetime seconds 2700
crypto ipsec security-association lifetime kilobytes 2304000

The following is sample output from the show crypto ipsec security-association lifetime command:

show crypto ipsec security-association lifetime
Security-association lifetime: 4608000 kilobytes/120 seconds

The following configuration was in effect when the preceding show crypto ipsec security-association lifetime command was issued:

crypto ipsec security-association lifetime seconds 120

This example defines one transform set (named "standard"), which is used with an IPSec peer that supports the ESP protocol. Both an ESP encryption transform and an ESP authentication transform are specified in this example.

crypto ipsec transform-set standard esp-des esp-md5-hmac

The following is sample output for the show crypto ipsec transform-set command:

show crypto ipsec transform-set 

Transform set combined-des-sha: { esp-des esp-sha-hmac } 
   will negotiate = { Tunnel, }, 
   
Transform set combined-des-md5: { esp-des esp-md5-hmac } 
   will negotiate = { Tunnel, }, 
   
Transform set t1: { esp-des esp-md5-hmac } 
   will negotiate = { Tunnel, }, 
   
Transform set t100: { ah-sha-hmac } 
   will negotiate = { Tunnel, }, 
   
Transform set t2: { ah-sha-hmac } 
   will negotiate = { Tunnel, }, 
   { esp-des } 
   will negotiate = { Tunnel, },

The following configuration was in effect when the preceding show crypto ipsec transform-set command was issued:

crypto ipsec transform-set combined-des-sha esp-des esp-sha-hmac
crypto ipsec transform-set combined-des-md5 esp-des esp-md5-hmac
crypto ipsec transform-set t1 esp-des esp-md5-hmac
crypto ipsec transform-set t100 ah-sha-hmac
crypto ipsec transform-set t2 ah-sha-hmac esp-des

The following is sample output from the show crypto ipsec sa command:

show crypto ipsec sa

interface: outside
    Crypto map tag: firewall-robin, local addr. 172.21.114.123
 
   local ident (addr/mask/prot/port): (172.21.114.123/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.21.114.67/255.255.255.255/0/0)
   current_peer: 172.21.114.67
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify 10
    #send errors 10, #recv errors 0
 
     local crypto endpt.: 172.21.114.123, remote crypto endpt.: 172.21.114.67/500
     path mtu 1500, media mtu 1500
     current outbound spi: 20890A6F
 
     inbound esp sas:
      spi: 0x257A1039(628756537)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        slot: 0, conn id: 26, crypto map: firewall-robin
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     outbound esp sas:
      spi: 0x20890A6F(545852015)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 27, crypto map: firewall-robin
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
     outbound ah sas:
interface: inside
    Crypto map tag: firewall-robin, local addr. 172.21.114.123
          
   local ident (addr/mask/prot/port): (172.21.114.123/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.21.114.67/255.255.255.255/0/0)
   current_peer: 172.21.114.67
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify 10
    #send errors 10, #recv errors 0
 
     local crypto endpt.: 172.21.114.123, remote crypto endpt.: 172.21.114.67
     path mtu 1500, media mtu 1500
     current outbound spi: 20890A6F
		inbound esp sas:
      spi: 0x257A1039(628756537)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 26, crypto map: firewall-robin
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     outbound esp sas:
      spi: 0x20890A6F(545852015)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 27, crypto map: firewall-robin
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
     outbound ah sas:

crypto map

Create, modify, view or delete a crypto map entry. Also used to delete a crypto map set.

[no] crypto map map-name client [token] authentication aaa-server-name [LOCAL]

[no] crypto map map-name client configuration address initiate | respond

[no] crypto map map-name interface interface-name

[no] crypto map map-name seq-num ipsec-isakmp | ipsec-manual [dynamic   dynamic-map-name]

[no] crypto map map-name seq-num match address acl_name

[no] crypto map map-name seq-num set peer {ip_address | hostname}

[no] crypto map map-name seq-num set pfs [group1 | group2]

[no] crypto map map-name seq-num set security-association lifetime seconds   seconds | kilobytes kilobytes

[no] crypto map map-name seq-num set session-key inbound | outbound ah spi hex-key-string

[no] crypto map map-name seq-num set session-key inbound | outbound esp spi cipher hex-key-string [authenticator hex-key-string]

[no] crypto map map-name seq-num set transform-set transform-set-name1
[... transform-set-name6]

show crypto map [interface interface-name | tag map-name]

Syntax Description

aaa-server-name

The name of the AAA server that will authenticate the user during IKE authentication. The AAA server options available are TACACS+, RADIUS, or LOCAL.

If LOCAL is specified and the local user credential database is empty, the following warning message appears:

Warning:local database is empty! Use \Qusername' command to define 
local users.

Conversely, if the local database becomes empty when LOCAL is still present in the command, the following warning message appears:

Warning:Local user database is empty and there are still commands 
using LOCAL for authentication.

acl_name

Identify the named encryption access list. This name should match the name argument of the named encryption access list being matched.

ah

Set the IPSec session key for the AH protocol. Specify ah when the crypto map entry's transform set includes an AH transform.

AH protocol provides authentication via MD5-HMAC and SHA-HMAC.

authenticator

(Optional) Indicate that the key string is to be used with the ESP authentication transform. This argument is required only when the crypto map entry's transform set includes an ESP authentication transform.

cipher

Indicate that the key string to use with the ESP encryption transform.

dynamic

(Optional) Specify that this crypto map entry is to reference a pre-existing dynamic crypto map.

dynamic-map-name

(Optional) Specify the name of the dynamic crypto map set to be used as the policy template.

esp

Set the IPSec session key for the ESP protocol. Specify esp when the crypto map entry's transform set includes an ESP transform.

ESP protocol provides both authentication and/or confidentiality. Authentication is done via MD5-HMAC, SHA-HMAC and NULL. Confidentiality is done via DES, 3DES, and NULL.

group1

Specify that IPSec should use the 768-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.

group2

Specify that IPSec should use the 1024-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.

hex-key-string

Specify the session key; enter in hexadecimal format. This is an arbitrary hexadecimal string of 16, 32, or 40 digits. If the crypto map's transform set includes the following:

DES algorithm, specify at least 16 hexadecimal digits per key.

MD5 algorithm, specify at least 32 hexadecimal digits per key.

SHA algorithm, specify 40 hexadecimal digits per key.

Longer key sizes are simply hashed to the appropriate length.

hostname

Specify a peer by its IP address, or by its host name as defined by the PIX Firewall name command.

inbound

Set the inbound IPSec session key.

(You must set both inbound and outbound keys.)

initiate

Indicate that the PIX Firewall will attempt to set IP addresses for each peer.

interface interface-name

Specify the identifying interface to be used by the PIX Firewall to identify itself to peers.

If IKE is enabled, and you are using a certification authority (CA) to obtain certificates, this should be the interface with the address specified in the CA certificates.

ip_address

Specify a peer by its IP address.

ipsec-isakmp

Indicate that IKE will be used to establish the IPSec security associations for protecting the traffic specified by this crypto map entry.

ipsec-manual

Indicate that IKE will not be used to establish the IPSec security associations for protecting the traffic specified by this crypto map entry.

Note Manual configuration of SAs is not supported on the PIX 501.

kilobytes kilobytes

Specify the volume of traffic (in kilobytes) that can pass between peers using a given security association before that security association expires.
The default is 4,608,000 kilobytes.

map map-name

The name of the crypto map set.

match address

Specify an access list for a crypto map entry.

outbound

Set the outbound IPSec session key.

(You must set both inbound and outbound keys.)

respond

Indicate that the PIX Firewall will accept requests for IP addresses from any requesting peer.

seconds   seconds

Specify the number of seconds a security association will live before it expires. The default is 28,800 seconds (eight hours).

seq-num

The number you assign to the crypto map entry.

set peer

Specify an IPSec peer in a crypto map entry.

set pfs

Specify that IPSec should ask for perfect forward secrecy (PFS).

With PFS, every time a new security association is negotiated, a new Diffie-Hellman exchange occurs. (This exchange requires additional processing time.)

set security-association lifetime

Set the lifetime a security association will last in either seconds or kilobytes. For use with either seconds or kilobyte keywords.

set session-key

Manually specify the IPSec session keys within a crypto map entry.

set transform-set

Specify which transform sets can be used with the crypto map entry.

spi

Specify the Security Parameter Index (SPI), a number that is used to uniquely identify a security association. The SPI is an arbitrary number you assign in the range of 256 to 4,294,967,295 (a hexidecimal value of FFFF FFFF).

You can assign the same SPI to both directions and both protocols. However, not all peers have the same flexibility in SPI assignment. For a given destination address/protocol combination, unique SPI values must be used. The destination address is that of the PIX Firewall if inbound, the peer if outbound.

tag map-name

(Optional) Show the crypto map set with the specified map name.

token

Indicate a token-based server for user authentication is used.

transform1
transform2
transform3

Specify up to three transforms. Transforms define the IPSec security protocol(s) and algorithm(s). Each transform represents an IPSec security protocol (ESP, AH, or both) plus the algorithm you want to use.

transform-set-name

The name of the transform set.

For an ipsec-manual crypto map entry, you can specify only one transform set. For an ipsec-isakmp or dynamic crypto map entry, you can specify up to six transform sets.


Command Modes

Configuration mode.

Usage Guidelines

The sections that follow describe each crypto map command.


Note If a crypto map map-name client configuration address initiate | respond command configuration exists on the firewall, then the Cisco VPN Client version 3.x uses it.


crypto map client authentication

The crypto map client authentication command enables the Extended Authentication (Xauth) feature, which lets you prompt for a TACACS+, RADIUS, or LOCAL username and password during IKE authentication. You must first set up your AAA server configuration to use this feature, and be sure to specify the same AAA server name within the crypto map client authentication command statement as was specified in the aaa-server command statement.

This command tells the PIX Firewall during Phase 1 of IKE to use the Xauth (RADIUS, TACACS+, or LOCAL) challenge to authenticate IKE. If the Xauth fails, the IPSec security association will not be established, and the IKE security association will be deleted. Use the no crypto map client authentication command to restore the default value. The Xauth feature is not enabled by default.


Note Normally, when Xauth is enabled, an entry is added to the uauth table (as shown by the show uauth/clear uauth command) for the IP address assigned to the client. However, when using Xauth with the Easy VPN Remote feature in Network Extension Mode, the IPSEC tunnel is created from network to network, so the users behind the firewall cannot be associated with a single IP address. For this reason, a uauth entry cannot be created upon completion of Xauth. If AAA authorization or accounting services are required, you can enable the AAA authentication proxy to authenticate users behind the firewall. For more information on AAA authentication proxies, please refer to the aaa commands.


You cannot enable Xauth or IKE Mode Configuration on a interface when terminating an L2TP/IPSec tunnel using the Microsoft L2TP/IPSec client v1.0 (which is available on Windows NT, Windows XP, Windows 98 and Windows ME OS). Instead, you can do either of the following:

Use a Windows 2000 L2TP/IPSec client, or

Use the isakmp key keystring address ip_address netmask mask no-xauth no-config-mode command to exempt the L2TP client from Xauth and IKE Mode Configuration. However, if you exempt the L2TP client from Xauth or IKE Mode Configuration, all the L2TP clients must be grouped with the same ISAKMP pre-shared key or certificate and have the same fully qualified domain name.

The crypto map client token authentication command enables the PIX Firewall to interoperate with a Cisco VPN 3000 Client that is set up to use a token-based server for user authentication. The keyword token tells the PIX Firewall that the AAA server uses a token-card system and to prompt the user for username and password during IKE authentication. Use the no crypto map client token authentication command to restore the default value.


Note The remote user must be running one of the following:
Cisco VPN Client Version 3.x
Cisco VPN 3000 Client Version 2.5/2.6 or higher
Cisco Secure VPN Client Version 1.1 or higher


crypto map client configuration address

Use the crypto map client configuration address command to configure the IKE Mode Configuration on your PIX Firewall. IKE Mode Configuration allows the PIX Firewall to download an IP address to the remote peer (client) as part of an IKE negotiation. With the crypto map client configuration address command, you define the crypto map(s) that should attempt to configure the peer.

Use the no crypto map client configuration address command to restore the default value. IKE Mode Configuration is not enabled by default.

The keyword initiate indicates that the PIX Firewall will attempt to set IP addresses for each peer. The respond keyword indicates that the PIX Firewall will accept requests for IP addresses from any requesting peer.


Note If you use IKE Mode Configuration on the PIX Firewall, the routers handling the IPSec traffic must also support IKE Mode Configuration. Cisco IOS Release 12.0(6)T and higher supports the IKE Mode Configuration.


Refer to the Cisco PIX Firewall and VPN Configuration Guide for more information about IKE Mode Configuration.

The following examples show how to configure IKE Mode Configuration on your PIX Firewall:

crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond

crypto map interface

The crypto map interface command applies a previously defined crypto map set to an interface. Use the no crypto map interface command to remove the crypto map set from the interface. Use the show crypto map [interface | tag] to view the crypto map configuration.

Use this command to assign a crypto map set to any active PIX Firewall interface. The PIX Firewall supports IPSec termination on any and all active interfaces. You must assign a crypto map set to an interface before that interface can provide IPSec services.

Only one crypto map set can be assigned to an interface. If multiple crypto map entries have the same map-name but a different seq-num, they are considered to be part of the same set and will all be applied to the interface. The crypto map entry with the lowest seq-num is considered the highest priority and will be evaluated first. A single crypto map set can contain a combination of ipsec-isakmp and ipsec-manual crypto map entries.


Note While a new crypto map instance is being added to the PIX Firewall, all clear and SSH traffic to the firewall interface stops because the crypto peer/ACL pair has not yet been defined. To workaround this, use PIX Device Manager (PDM) to add the new crypto map instance or, through the PIX Firewall CLI, remove the crypto map interface command from your configuration, add the new crypto map instance and fully configure the crypto peer/ACL pair, and then reapply the crypto map interface command back to the interface. In some conditions the CLI workaround is not acceptable as it temporarily stops VPN traffic also.

The use of the crypto map interface command re-initializes the security association database causing any currently established security associations to be deleted.


The following example assigns the crypto map set "mymap" to the outside interface. When traffic passes through the outside interface, the traffic will be evaluated against all the crypto map entries in the "mymap" set. When outbound traffic matches an access list in one of the "mymap" crypto map entries, a security association (if IPSec) will be established per that crypto map entry's configuration (if no security association or connection already exists).

crypto map mymap  interface outside

The following is sample output from the show crypto map command:

show crypto map

Crypto Map: "firewall-robin" pif: outside local address: 172.21.114.123
 
Crypto Map "firewall-robin" 10 ipsec-isakmp
        Peer = 172.21.114.67
        access-list 141 permit ip host 172.21.114.123 host 172.21.114.67
        Current peer: 172.21.114.67
        Security-association lifetime: 4608000 kilobytes/120 seconds
        PFS (Y/N): N
        Transform sets={ t1, }

The following configuration was in effect when the preceding show crypto map command was issued:

crypto map firewall-robin 10 ipsec-isakmp 
crypto map firewall-robinrobin 10 set peer 172.21.114.67
crypto map firewall-robin 10 set transform-set t1 
crypto map firewall-robin 10 match address 141

The following is sample output from the show crypto map command when manually established security associations are used:

show crypto map

Crypto Map "multi-peer" 20 ipsec-manual
        Peer = 172.21.114.67
        access-list 120 permit ip host 1.1.1.1 host 1.1.1.2
        Current peer: 172.21.114.67
        Transform sets={ t2, }
        Inbound esp spi: 0, 
         cipher key: ,
         auth_key: ,
        Inbound ah spi: 256, 
            key: 010203040506070809010203040506070809010203040506070809,
        Outbound esp spi: 0
         cipher key: ,
         auth key: , 
        Outbound ah spi: 256, 
            key: 010203040506070809010203040506070809010203040506070809,

The following configuration was in effect when the preceding show crypto map command was issued:

crypto map multi-peer 20 ipsec-manual 
crypto map multi-peer 20 set peer 172.21.114.67
crypto map multi-peer 20 set session-key inbound ah 256
010203040506070809010203040506070809010203040506070809
crypto map multi-peer 20 set session-key outbound ah 256
010203040506070809010203040506070809010203040506070809
crypto map multi-peer 20 set transform-set t2 
crypto map multi-peer 20 match address 120

crypto map   ipsec-manual | ipsec-isakmp

To create or modify a crypto map entry, use the crypto map ipsec-manual | ipsec-isakmp command. To create or modify an ipsec-manual crypto map entry, use the ipsec-manual option of the command. To create or modify an ipsec-isakmp crypto map entry, use the ipsec-isakmp option of the command. Use the no crypto map command to delete a crypto map entry or set.


Note The crypto map command without a keyword creates an ipsec-isakmp entry by default.


After you define crypto map entries, you can use the crypto map interface command to assign the crypto map set to interfaces.

Crypto maps provide two functions: filtering/classifying traffic to be protected, and defining the policy to be applied to that traffic. The first use affects the flow of traffic on an interface; the second affects the negotiation performed (via IKE) on behalf of that traffic.

IPSec crypto maps link together definitions of the following:

What traffic should be protected

Which IPSec peer(s) the protected traffic can be forwarded to—these are the peers with which a security association can be established

Which transform sets are acceptable for use with the protected traffic

How keys and security associations should be used/managed (or what the keys are, if IKE is not used)

A crypto map set is a collection of crypto map entries each with a different seq-num but the same map-name. Therefore, for a given interface, you could have certain traffic forwarded to one peer with specified security applied to that traffic, and other traffic forwarded to the same or a different peer with different IPSec security applied. To accomplish this you would create two crypto map entries, each with the same map-name, but each with a different seq-num.

The number you assign to the seq-num argument should not be arbitrary. This number is used to rank multiple crypto map entries within a crypto map set. Within a crypto map set, a crypto map entry with a lower seq-num is evaluated before a map entry with a higher seq-num; that is, the map entry with the lower number has a higher priority.


Note Every static crypto map must define an access list and an IPsec peer. If either is missing, the crypto map is considered incomplete and any traffic that has not already been matched to an earlier, complete crypto map is dropped. Use the show conf command to ensure that every crypto map is complete. To fix an incomplete crypto map, remove the crypto map, add the missing entries, and reapply it.


The following example shows the minimum required crypto map configuration when IKE will be used to establish the security associations:

crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap set transform-set my_t_set1
crypto map mymap set peer 10.0.0.1

The following example shows the minimum required crypto map configuration when the security associations are manually established:

crypto transform-set someset ah-md5-hmac esp-des
crypto map mymap 10 ipsec-manual
crypto map mymap 10 match address 102
crypto map mymap 10 set transform-set someset
crypto map mymap 10 set peer 10.0.0.5
crypto map mymap 10 set session-key inbound ah 256 98765432109876549876543210987654
crypto map mymap 10 set session-key outbound ah 256 fedcbafedcbafedcfedcbafedcbafedc
crypto map mymap 10 set session-key inbound esp 256 cipher 0123456789012345
crypto map mymap 10 set session-key outbound esp 256 cipher abcdefabcdefabcd

crypto map   ipsec-isakmp dynamic

To specify that a given crypto map entry is to reference a pre-existing dynamic crypto map, use the crypto map ipsec-isakmp dynamic command.

Use the crypto dynamic-map command to create dynamic crypto map entries. After you create a dynamic crypto map set, use the crypto map ipsec-isakmp dynamic command to add the dynamic crypto map set to a static crypto map.

Give crypto map entries which reference dynamic map sets the lowest priority map entries so that inbound security association negotiation requests will try to match the static maps first. Only after the request does not match any of the static maps do you want it to be evaluated against the dynamic map set.

To make a crypto map entry that references a dynamic crypto map to be set to the lowest priority map entry, give the map entry the highest seq-num of all the map entries in a crypto map set.

The following example configures an IPSec crypto map set that includes a reference to a dynamic crypto map set.

Crypto map "mymap 10" allows security associations to be established between the PIX Firewall and either (or both) of two remote IPSec peers for traffic matching access list 101. Crypto map "mymap 20" allows either of two transform sets to be negotiated with the peer for traffic matching access list 102.

Crypto map entry "mymap 30" references the dynamic crypto map set "mydynamicmap," which can be used to process inbound security association negotiation requests that do not match "mymap" entries 10 or 20. In this case, if the peer specifies a transform set that matches one of the transform sets specified in "mydynamicmap" for a flow "permitted" by the access list 103, IPSec will accept the request and set up security associations with the peer without previously knowing about the peer. If accepted, the resulting security associations (and temporary crypto map entry) are established according to the settings specified by the peer.

The access list associated with "mydynamicmap 10" is also used as a filter. Inbound packets that match a permit statement in this list are dropped for not being IPSec protected. (The same is true for access lists associated with static crypto maps entries.) Outbound packets that match a permit statement without an existing corresponding IPSec security association are also dropped.

The following example shows the configuration using "mydynamicmap":

crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set transform-set my_t_set1
crypto map mymap 10 set peer 10.0.0.1
crypto map mymap 10 set peer 10.0.0.2
crypto map mymap 20 ipsec-isakmp
crypto map mymap 10 match address 102
crypto map mymap 10 set transform-set my_t_set1 my_t_set2
crypto map mymap 10 set peer 10.0.0.3
crypto dynamic-map mydynamicmap 10
crypto dynamic-map mydynamicmap 10 match address 103
crypto dynamic-map mydynamicmap 10 set transform-set my_t_set1 my_t_set2 my_t_set3
crypto map mymap 30 ipsec-isakmp dynamic mydynamicmap

crypto map   match address

To assign an access list to a crypto map entry, use the crypto map match address command. Use the no crypto map match address command to remove the access list from a crypto map entry.

This command is required for all static crypto map entries. If you are defining a dynamic crypto map entry (with the crypto dynamic-map command), this command is not required but is strongly recommended.

Use the access-list command to define this access list.

The access list specified with this command will be used by IPSec to determine which traffic should be protected by IPSec crypto and which traffic does not need protection. (Traffic that is permitted by the access list will be protected. Traffic that is denied by the access list will not be protected in the context of the corresponding crypto map entry.)


Note The crypto access list is not used to determine whether to permit or deny traffic through the interface. An access list applied directly to the interface with the access-group command makes that determination.


The crypto access list specified by this command is used when evaluating both inbound and outbound traffic. Outbound traffic is evaluated against the crypto access lists specified by the interface's crypto map entries to determine if it should be protected by crypto, and if so (if traffic matches a permit entry), which crypto policy applies. (If necessary, in the case of static IPSec crypto maps, new security associations are established using the data flow identity as specified in the permit entry; in the case of dynamic crypto map entries, if no security association exists, the packet is dropped.) Inbound traffic is evaluated against the crypto access lists specified by the entries of the interface's crypto map set to determine if it should be protected by crypto and, if so, which crypto policy applies. (In the case of IPSec, unprotected traffic is discarded because it should have been protected by IPSec.)

The access list is also used to identify the flow for which the IPSec security associations are established. In the outbound case, the permit entry is used as the data flow identity (in general). In the inbound case, the data flow identity specified by the peer must be "permitted" by the crypto access list.

The following example shows the minimum required crypto map configuration when IKE will be used to establish the security associations. (This example is for a static crypto map.)

crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set transform-set my_t_set1
crypto map mymap 10 set peer 10.0.0.1

crypto map set peer

Use the crypto map   set peer command to specify an IPSec peer in a crypto map entry. Use the no crypto map   set peer command to remove an IPSec peer from a crypto map entry.

This command is required for all static crypto maps. If you are defining a dynamic crypto map (with the crypto dynamic-map command), this command is not required, and in most cases is not used because, in general, the peer is unknown.

For ipsec-isakmp crypto map entries, you can specify multiple peers by repeating this command. The peer that packets are actually sent to is determined by the last peer that the PIX Firewall received either traffic or a negotiation request from for a given data flow. If the attempt fails with the first peer, IKE tries the next peer on the crypto map list.

For ipsec-manual crypto entries, you can specify only one peer per crypto map. If you want to change the peer, you must first delete the old peer and then specify the new peer.

The following example shows a crypto map configuration when IKE will be used to establish the security associations. In this example, a security association could be set up to either the peer at 10.0.0.1 or the peer at 10.0.0.2.

crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set transform-set my_t_set1
crypto map mymap 10 set peer 10.0.0.1 10.0.0.2

crypto map set pfs

The crypto map  set pfs command sets IPSec to ask for perfect forward secrecy (PFS) when requesting new security associations for this crypto map entry, or that IPSec requires PFS when receiving requests for new security associations. To specify that IPSec should not request PFS, use the no crypto map  set pfs command. This command is only available for ipsec-isakmp crypto map entries and dynamic crypto map entries.

By default, PFS is not requested.

With PFS, every time a new security association is negotiated, a new Diffie-Hellman exchange occurs, which requires additional processing time. PFS adds another level of security because if one key is ever cracked by an attacker, only the data sent with that key will be compromised.

During negotiation, this command causes IPSec to request PFS when requesting new security associations for the crypto map entry. The default (group1) is sent if the set pfs statement does not specify a group.

If the peer initiates the negotiation and the local configuration specifies PFS, the peer must perform a PFS exchange or the negotiation will fail. If the local configuration does not specify a group, a default of group1 will be assumed, and an offer of either group1 or group2 will be accepted. If the local configuration specifies group2, that group must be part of the peer's offer or the negotiation will fail. If the local configuration does not specify PFS, it will accept any offer of PFS from the peer.

The 1024-bit Diffie-Hellman prime modulus group, group2, provides more security than group1, but requires more processing time than group1.


Note IKE negotiations with a remote peer may hang when a PIX Firewall has numerous tunnels that originate from the PIX Firewall and terminate on a single remote peer. This problem occurs when PFS is not enabled, and the local peer requests many simultaneous rekey requests. If this problem occurs, the IKE security association will not recover until it has timed out or until you manually clear it with the clear [crypto] isakmp sa command. PIX Firewall units configured with many tunnels to many peers or many clients sharing the same tunnel are not affected by this problem. If your configuration is affected, enable PFS with the crypto map mapname seqnum set pfs command.


The following example specifies that PFS should be used whenever a new security association is negotiated for the crypto map "mymap 10":

crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 set pfs group2

crypto map   set security-association lifetime

To override (for a particular crypto map entry) the global lifetime value, which is used when negotiating IPSec security associations, use the crypto map set security-association lifetime command. To reset a crypto map entry's lifetime value to the global value, use the no crypto map set security-association lifetime command.

The crypto map's security associations are negotiated according to the global lifetimes.

This command is only available for ipsec-isakmp crypto map entries and dynamic crypto map entries.

IPSec security associations use shared secret keys. These keys and their security associations time out together.

Assuming that the particular crypto map entry has lifetime values configured, when the PIX Firewall requests new security associations during security association negotiation, it will specify its crypto map lifetime value in the request to the peer; it will use this value as the lifetime of the new security associations. When the PIX Firewall receives a negotiation request from the peer, it will use the smaller of the lifetime value proposed by the peer or the locally configured lifetime value as the lifetime of the new security associations.

There are two lifetimes: a "timed" lifetime and a "traffic-volume" lifetime. The session keys/security association expires after the first of these lifetimes is reached.

If you change a lifetime, the change will not be applied to existing security associations, but will be used in subsequent negotiations to establish security associations for data flows supported by this crypto map entry. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear [crypto] ipsec sa command. See the clear [crypto] ipsec sa command for more details.

To change the timed lifetime, use the crypto map set security-association lifetime seconds command. The timed lifetime causes the keys and security association to time out after the specified number of seconds have passed.

To change the traffic-volume lifetime, use the crypto map set security-association lifetime kilobytes command. The traffic-volume lifetime causes the key and security association to time out after the specified amount of traffic (in kilobytes) has been protected by the security association's key.

Shorter lifetimes can make it harder to mount a successful key recovery attack, because the attacker has less data encrypted under the same key to work with.

However, shorter lifetimes require more CPU processing time.

The lifetime values are ignored for manually established security associations (security associations installed via an ipsec-manual crypto map entry).

The following example shortens the timed lifetime for a particular crypto map entry, because there is a higher risk that the keys could be compromised for security associations belonging to the crypto map entry. The traffic-volume lifetime is not changed because there is not a high volume of traffic anticipated for these security associations. The timed lifetime is shortened to 2700 seconds (45 minutes).

crypto map mymap 10 ipsec-isakmp
set security-association lifetime seconds 2700

crypto map   set session-key

To manually specify the IPSec session keys within a crypto map entry, use the crypto map   set session-key command. Use the no crypto map   set session-key command to remove IPSec session keys from a crypto map entry. This command is only available for ipsec-manual crypto map entries.

If the crypto map's transform set includes an AH protocol, you must define IPSec keys for AH for both inbound and outbound traffic. If the crypto map's transform set includes an ESP encryption protocol, you must define IPSec keys for ESP encryption for both inbound and outbound traffic. If the crypto map's transform set includes an ESP authentication protocol, you must define IPSec keys for ESP authentication for inbound and outbound traffic.

When you define multiple IPSec session keys within a single crypto map, you can assign the same Security Parameter Index (SPI) number to all the keys. The SPI is used to identify the security association used with the crypto map. However, not all peers have the same flexibility in SPI assignment.

You may have to coordinate SPI assignment with the peer's network administrator, making certain that the same SPI is not used more than once for the same destination address/protocol combination.

Security associations established using this command do not expire (unlike security associations established using IKE).

The PIX Firewall unit's session keys must match its peer's session keys.

If you change a session key, the security association using the key will be deleted and reinitialized.

The following example shows a crypto map entry for manually established security associations. The transform set "t_set" includes only an AH protocol.

crypto ipsec transform-set t_set ah-sha-hmac
crypto map mymap 20 ipsec-manual
crypto map mymap 20 match address 102
crypto map mymap 20 set transform-set t_set
crypto map mymap 20 set peer 10.0.0.21
crypto map mymap 20 set session-key inbound ah 300 
1111111111111111111111111111111111111111
crypto map mymap 20 set session-key outbound ah 300 
2222222222222222222222222222222222222222

The following example shows a crypto map entry for manually established security associations. The transform set "someset" includes both an AH and an ESP protocol, so session keys are configured for both AH and ESP for both inbound and outbound traffic. The transform set includes both encryption and authentication ESP transforms, so session keys are created for both using the cipher and authenticator keywords.

crypto ipsec transform-set someset ah-sha-hmac esp-des esp-sha-hmac
crypto map mymap 10 ipsec-manual
crypto map mymap 10 match address 101
crypto map mymap 10 set transform-set someset
crypto map mymap 10 set peer 10.0.0.1
crypto map mymap 10 set session-key inbound ah 300 
9876543210987654321098765432109876543210
crypto map mymap 10 set session-key outbound ah 300 
fedcbafedcbafedcbafedcbafedcbafedcbafedc
crypto map mymap 10 set session-key inbound esp 300 cipher 0123456789012345
    authenticator 0000111122223333444455556666777788889999
crypto map mymap 10 set session-key outbound esp 300 cipher abcdefabcdefabcd
    authenticator 9999888877776666555544443333222211110000

crypto map   set transform-set

To specify which transform sets can be used with the crypto map entry, use the crypto map   set transform-set command. Use the no crypto map   set transform-set command to remove all transform sets from a crypto map entry.

This command is required for all static and dynamic crypto map entries.

For an ipsec-isakmp crypto map entry, you can list up to six transform sets with this command. List the higher priority transform sets first.

If the local PIX Firewall initiates the negotiation, the transform sets are presented to the peer in the order specified in the crypto map command statement. If the peer initiates the negotiation, the local PIX Firewall accepts the first transform set that matches one of the transform sets specified in the crypto map entry.

The first matching transform set that is found at both peers is used for the security association. If no match is found, IPSec will not establish a security association. The traffic will be dropped because there is no security association to protect the traffic.

For an ipsec-manual crypto map command statement, you can specify only one transform set. If the transform set does not match the transform set at the remote peer's crypto map, the two peers will fail to correctly communicate because the peers are using different rules to process the traffic.

If you want to change the list of transform sets, respecify the new list of transform sets to replace the old list. This change is only applied to crypto map command statements that reference this transform set. The change will not be applied to existing security associations, but will be used in subsequent negotiations to establish new security associations. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear [crypto] ipsec sa command.

Any transform sets included in a crypto map command statement must previously have been defined using the crypto ipsec transform-set command.

Examples

The following example shows how the crypto map client authentication command is used. This example sets up the IPSec rules for VPN encryption IPSec. The ip, nat, aaa-server command statements establish the context for the IPSec-related commands.

ip address inside 10.0.0.1 255.255.255.0
ip address outside 168.20.1.5 255.255.255.0
dealer 10.1.2.1-10.1.2.254
nat (inside) 0 access-list 80
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.0.0.2 secret123
crypto ipsec transform-set pc esp-des esp-md5-hmac 
crypto dynamic-map cisco 4 set transform-set pc
crypto map partner-map 20 ipsec-isakmp dynamic cisco
crypto map partner-map client configuration address initiate
crypto map partner-map client authentication TACACS+ 
crypto map partner-map interface outside
isakmp key cisco1234 address 0.0.0.0 netmask 0.0.0.0
isakmp client configuration address-pool local dealer outside
isakmp policy 8 authentication pre-share 
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 1
isakmp policy 8 lifetime 86400

The following example shows how the crypto map client token authentication command is used. This example sets up the IPSec rules for VPN encryption IPSec. The ip, nat, aaa-server command statements establish the context for the IPSec-related commands.

ip address inside 10.0.0.1 255.255.255.0
ip address outside 168.20.1.5 255.255.255.0
ip local pool dealer 10.1.2.1-10.1.2.254
nat (inside) 0 access-list 80
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.0.0.2 secret123
crypto ipsec transform-set pc esp-des esp-md5-hmac 
crypto dynamic-map cisco 4 set transform-set pc
crypto map partner-map 20 ipsec-isakmp dynamic cisco
crypto map partner-map client configuration address initiate
crypto map partner-map client token authentication RADIUS
crypto map partner-map interface outside
isakmp key cisco1234 address 0.0.0.0 netmask 0.0.0.0
isakmp client configuration address-pool local dealer outside
isakmp policy 8 authentication pre-share 
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 1
isakmp policy 8 lifetime 86400

The following example defines two transform sets and specifies that they can both be used within a crypto map entry. (This example applies only when IKE is used to establish security associations. With crypto maps used for manually established security associations, only one transform set can be included in a given crypto map command statement.)

crypto ipsec transform-set my_t_set1 esp-des esp-sha-hmac
crypto ipsec transform-set my_t_set2 ah-sha-hmac esp-des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set transform-set my_t_set1 my_t_set2
crypto map mymap set peer 10.0.0.1 10.0.0.2

In this example, when traffic matches access list 101 the security association can use either transform set "my_t_set1" (first priority) or "my_t_set2" (second priority), depending on which transform set matches the remote peer's transform sets.