Table Of Contents
match interface (route map submode)
match ip next-hop (route map submode)
match ip route-source (route map submode)
match metric (route map submode)
match route-type (route map submode)
mac-address-table static
To add a list of interfaces and associated MAC addresses to the Layer 2 forwarding table, use the mac-address-table static command. To delete the list, use the no form of this command.
[no] mac-address-table static interface_name mac
Syntax Description
Defaults
This command has no default settings.
Command Modes
Security Context Mode: single context mode and multiple context mode
Access Location: context command line
Command Mode: configuration mode
Firewall Mode: transparent mode
Command History
Usage Guidelines
The mac-address-table static command allows you to enter static MAC addresses into the Layer 2 forwarding table. You can enter the mac-address-table static command multiple times with the same interface_name argument to group a set of MAC addresses.
The clear mac-address-table interface_name command allows you to remove the mac-address-table interface entries from the Layer 2 forwarding table.
The show mac-address-table static command allows you to display only the static MAC entries on the Layer 2 forwarding table.
Examples
This example shows how to configure a list of interfaces and MAC addresses:
fwsm/context_name(config)# mac-address-table static inside 5678.aeb0.4325Added <5678.aeb0.4325> to the bridge tablefwsm(config)# show mac-address staticinterface mac address type Age(min)------------------------------------------------------------------inside 0000.0bff.0000 staticRelated Commands
clear mac-address-table
mac-address-table aging-time
show mac-address-tablemac-address-table aging-time
To specify the aging time for the bridge timeout value in the Layer 2 forwarding table, use the mac-address-table aging-time command. To remove the bridge timeout value from the configuration, use the no form of this command.
[no] mac-address-table aging-time minutes
no mac-address-table aging-time
Syntax Description
Defaults
The timeout is 5 minutes.
Command Modes
Security Context Mode: single context mode and multiple context mode
Access Location: context command line
Command Mode: configuration mode
Firewall Mode: transparent mode
Command History
Usage Guidelines
The clear mac-address-table aging-time command allows you to remove the bridge timeout aging time value.
Examples
This example shows how to configure the bridge timeout aging time:
fwsm/context_name(config)# mac-address-table aging-time 5Related Commands
clear mac-address-table
mac-address-table static
show mac-address-tablemac-learn
To acquire a list of MAC addresses per interface, use the mac-learn command. To delete the list, use the no form of this command.
[no] mac-learn interface_name disable
Syntax Description
interface_name
Specifies the interface name.
disable
Disables MAC learning on the specified interface.
Defaults
Enabled
Command Modes
Security Context Mode: single context mode and multiple context mode
Access Location: system and context command line
Command Mode: configuration mode
Firewall Mode: transparent mode
Command History
Usage Guidelines
The clear mac-learn command allows you to disable the MAC address learning from all of the interfaces.
The show mac-learn command allows you to display the status of the MAC address learning feature on all of the interfaces.
Examples
This example shows how to learn MAC addresses, display the results, and then clear the MAC learning:
fwsm/context_name(config)# mac-learn soccerfwsm#/(config)# show mac-learninterface mac learn-------------------------------------------inside enabledoutside enabledfwsm(config)# clear mac-learnEnabling learning on insideEnabling learning on outsideRelated Commands
clear mac-learn
show mac-learnmatch (route map submode)
To define the conditions for redistributing routes from one routing protocol into another, use the match command in the route-map submode. To restore the default settings, use the no form of this command.
match [interface interface_name | metric metric_value | ip address acl_id | route-type {local | internal | [external [type-1 | type-2]]} | nssa-external [type-1 | type-2] | ip next-hop acl_id | ip route-source acl_id]
Syntax Description
Defaults
The default is type-2.
Command Modes
Security Context Mode: single context mode
Access Location: system and context command line
Command Mode: configuration mode
Firewall Mode: routed firewall mode and transparent firewall mode
Command History
Usage Guidelines
The match ip next-hop and match ip route-source commands can accept more than one acl_id; they accept acl_id [...acl_id].
Examples
This example shows how to define the redistributed routes:
fwsm(config-route-map)# match interface soccer ip next-hop 77Related CommandsRelated Commands
ip local pool
match (route map submode)
match interface (route map submode)
match ip next-hop (route map submode)
match ip route-source (route map submode)
match metric (route map submode)
route-map
set metric (route map submode)
set metric-type (route map submode)
match interface (route map submode)
To distribute any routes that have their next hop out one of the interfaces specified, use the match interface command in the route-map submode. To remove the match interface entry, use the no form of this command.
[no] match interface interface-name
Syntax Description
Defaults
No match interfaces are defined.
Command Modes
Security Context Mode: single context mode
Access Location: system and context command line
Command Mode: configuration mode
Firewall Mode: routed firewall mode
Command History
Usage Guidelines
An ellipsis (...) in the command syntax indicates that your command input can include multiple values for the interface-type interface-number arguments.
The route-map global configuration command and the match and set route-map configuration commands allow you to define the conditions for redistributing routes from one routing protocol into another. Each route-map command has match and set commands that are associated with it. The match commands specify the match criteria—the conditions under which redistribution is allowed for the current route-map command. The set commands specify the set actions—the particular redistribution actions to perform if the criteria that is enforced by the match commands are met. The no route-map command deletes the route map.
The match route-map configuration command has multiple formats. You can give the match commands in any order. All match commands must "pass" to cause the route to be redistributed according to the set actions that are given with the set commands. The no forms of the match commands remove the specified match criteria.
A route map can have several parts. Any route that does not match at least one match clause relating to a route-map command is ignored; the route is not advertised for outbound route maps and is not accepted for inbound route maps. If you want to modify only some data, you must configure a second route map section and specify an explicit match.
Examples
This example shows that the routes with their next hop out Ethernet interface 0 is distributed:
fwsm/context_name(config)# route-map namefwsm(config-route-map)# match interface ethernet 0Related CommandsRelated Commands
ip local pool
match (route map submode)
match interface (route map submode)
match ip next-hop (route map submode)
match ip route-source (route map submode)
match metric (route map submode)
route-map
set metric (route map submode)
set metric-type (route map submode)
match ip next-hop (route map submode)
To redistribute any routes that have a next-hop router address that is passed by one of the access lists specified, use the match ip next-hop command in the route-map submode. To remove the next-hop entry, use the no form of this command.
[no] match ip next-hop {acl-id...}
Syntax Description
Defaults
Routes are distributed freely, without being required to match a next-hop address.
Command Modes
Security Context Mode: single context mode
Access Location: system and context command line
Command Mode: configuration mode
Firewall Mode: routed firewall mode
Command History
Usage Guidelines
An ellipsis (...) in the command syntax indicates that your command input can include multiple values for the access-list-number or access-list-name argument.
The route-map global configuration command and the match and set route-map configuration commands allow you to define the conditions for redistributing routes from one routing protocol into another. Each route-map command has a match and set commands that are associated with it. The match commands specify the match criteria—the conditions under which redistribution is allowed for the current route-map command. The set commands specify the set actions—the particular redistribution actions to perform if the criteria that is enforced by the match commands are met. The no route-map command deletes the route map.
The match route-map configuration command has multiple formats. You can give the match commands in any order. All match commands must "pass" to cause the route to be redistributed according to the set actions given with the set commands. The no forms of the match commands remove the specified match criteria.
When you are passing routes through a route map, a route map can have several parts. Any route that does not match at least one match clause relating to a route-map command is ignored. The route is not advertised for outbound route maps and is not accepted for inbound route maps. To modify only some data, you must configure a second route map section and specify an explicit match.
Examples
This example shows how to distribute routes that have a next-hop router address passed by access list 5 or 80:
fwsm(config)# route-map namefwsm(config-route-map)# match ip next-hop 5 80Related Commands
ip local pool
match (route map submode)
match interface (route map submode)
match ip route-source (route map submode)
match metric (route map submode)
route-map
set metric (route map submode)
set metric-type (route map submode)
match ip route-source (route map submode)
To redistribute routes that have been advertised by routers and access servers at the address that is specified by the access lists, use the match ip route-source command in the route-map submode. To remove the route-source entry, use the no form of this command.
[no] match ip route-source {acl-id ...}
Syntax Description
Defaults
No filtering on a route source.
Command Modes
Security Context Mode: single context mode
Access Location: system and context command line
Command Mode: configuration mode
Firewall Mode: routed firewall mode
Command History
Usage Guidelines
An ellipsis (...) in the command syntax indicates that your command input can include multiple values for the access-list-number or access-list-name argument.
The route-map global configuration command and the match and set route-map configuration commands allow you to define the conditions for redistributing routes from one routing protocol into another. Each route-map command has match and set commands that are associated with it. The match commands specify the match criteria—the conditions under which redistribution is allowed for the current route-map command. The set commands specify the set actions—the particular redistribution actions to perform if the criteria enforced by the match commands are met. The no route-map command deletes the route map.
The match route-map configuration command has multiple formats. You can give the match commands in any order. All match commands must "pass" to cause the route to be redistributed according to the set actions given with the set commands. The no forms of the match commands remove the specified match criteria.
A route map can have several parts. Any route that does not match at least one match clause relating to a route-map command is ignored. The route is not advertised for outbound route maps and is not accepted for inbound route maps. To modify only some data, you must configure a second route map section and specify an explicit match. The next-hop and source-router address of the route are not the same in some situations.
Examples
This example shows how to distribute routes that have been advertised by routers and access servers at the addresses specified by access lists 5 and 80:
fwsm(config)# route-map namefwsm(config-route-map)# match ip route-source 5 80Related Commands
ip local pool
match (route map submode)
match interface (route map submode)
match ip next-hop (route map submode)
match metric (route map submode)
route-map
set metric (route map submode)
set metric-type (route map submode)
match metric (route map submode)
To redistribute routes with the metric specified, use the match metric command in the route-map submode. To remove the entry, use the no form of this command.
[no] match metric number
Syntax Description
Defaults
No filtering on a metric value.
Command Modes
Security Context Mode: single context mode
Access Location: system and context command line
Command Mode: configuration mode
Firewall Mode: routed firewall mode
Command History
Usage Guidelines
The route-map global configuration command and the match and set route-map configuration commands allow you to define the conditions for redistributing routes from one routing protocol into another. Each route-map command has match and set commands that are associated with it. The match commands specify the match criteria—the conditions under which redistribution is allowed for the current route-map command. The set commands specify the set actions—the particular redistribution actions to perform if the criteria that is enforced by the match commands are met. The no route-map command deletes the route map.
The match route-map configuration command has multiple formats. The match commands can be given in any order, and all match commands must "pass" to cause the route to be redistributed according to the set actions given with the set commands. The no forms of the match commands remove the specified match criteria.
A route map can have several parts. Any route that does not match at least one match clause relating to a route-map command is ignored. The route is not advertised for outbound route maps and is not accepted for inbound route maps. To modify only some data, you must configure a second route map section and specify an explicit match.
Examples
This example shows how to redistrube routes with the metric 5:
fwsm(config)# route-map namefwsm(config-route-map)# match metric 5Related Commands
ip local pool
match (route map submode)
match interface (route map submode)
match ip next-hop (route map submode)
match ip route-source (route map submode)
route-map
set metric (route map submode)
set metric-type (route map submode)
match route-type (route map submode)
To redistribute routes of the specified type, use the match route-type command in the route-map submode. To remove the route type entry, use the no form of this command.
[no] match route-type {local | internal | {external [type-1 | type-2]} | nssa-external | [type-1 | type-2]}
Syntax Description
Defaults
This command is disabled by default.
Command Modes
Security Context Mode: single context mode
Access Location: system and context command line
Command Mode: configuration mode
Firewall Mode: routed firewall mode
Command History
Usage Guidelines
The route-map global configuration command and the match and set route-map configuration commands allow you to define the conditions for redistributing routes from one routing protocol into another. Each route-map command has match and set commands that are associated with it. The match commands specify the match criteria—the conditions under which redistribution is allowed for the current route-map command. The set commands specify the set actions—the particular redistribution actions to perform if the criteria that is enforced by the match commands are met. The no route-map command deletes the route map.
The match route-map configuration command has multiple formats. You can give the match commands in any order. All match commands must "pass" to cause the route to be redistributed according to the set actions given with the set commands. The no forms of the match commands remove the specified match criteria.
A route map can have several parts. Any route that does not match at least one match clause relating to a route-map command is ignored. The route is not advertised for outbound route maps and is not accepted for inbound route maps. To modify only some data, you must configure a second route map section and specify an explicit match.
For OSPF, the external type-1 keywords match only type 1 external routes and the external type-2 keywords match only type 2 external routes.
Examples
This example shows how to redistribute internal routes:
fwsm(config)# route-map namefwsm(config-route-map)# match route-type internalRelated Commands
ip local pool
match (route map submode)
match interface (route map submode)
match ip next-hop (route map submode)
match metric (route map submode)
route-map
set metric (route map submode)
set metric-type (route map submode)
member (context submode)
To determine the class to which a context belongs, use the member command in the context submode. To remove a context from a class, use the no form of this command.
member class_name
[no] member class_name
Syntax Description
Command Modes
Security Context Mode: multiple context mode
Access Location: system command line
Command Mode: privileged mode
Firewall Mode: routed firewall mode and transparent firewall mode
Command History
Usage Guidelines
The class sets resource limitations for each class member. To use the settings of a class, assign the context to the class. All contexts belong to the default class if they are not assigned to another class; you do not have to actively assign a context to a default using this command. See the class command to add a class. You can assign a context to one resource class only. An exception is that limits that are undefined in the member class are inherited from the default class; a context could be a member of a default plus another class.
Examples
This example shows how to assign a context to a class:
fwsm/context_name(config)# member regulusRelated Commands
Other Context Subconfiguration Commands
allocate-interface (context submode)
config-url (context submode)
limit-resourceOther Related Commands
admin-context
changeto
class
clear context
show class
show contextmgcp
To configure additional support for the Media Gateway Control Protocol (MGCP) fixup (packet application inspection), use the mgcp command. To remove MGCP support, use the no form of this command.
[no] mgcp call-agent ip_address group_id
[no] mgcp command-queue limit
[no] mgcp gateway ip_address group_id
Syntax Description
Defaults
The MGCP command queue limit is 200.
Command Modes
Security Context Mode: single context mode and multiple context mode
Access Location: context command line
Command Mode: configuration mode
Firewall Mode: routed firewall mode and transparent firewall mode
Command History
Usage Guidelines
The mgcp command allows you to provide additional support for the MGCP fixup. The MGCP fixup is enabled with the fixup protocol mgcp command.
The mgcp call-agent command is used to specify a group of call agents that can manage one or more gateways. The call agent group information is used to open connections for the call agents in the group (other than the one to which the gateway sends a command) so that any of the call agents can send the response. Call agents with the same group_id belong to the same group. A call agent may belong to more than one group.
The mgcp command-queue command allows you to specify the maximum number of MGCP commands that are queued while waiting for a response. When the limit has been reached and a new command arrives, the command that has been in the queue for the longest time is removed.
The mgcp gateway command allows you to specify which group of call agents are managing a particular gateway. The IP address of the gateway is specified with the ip_address argument. The group_id argument must correspond with the group_id of the call agents that are managing the gateway. A gateway may belong to one group only.
Examples
This example shows how to limit the MGCP command queue to 150 commands, allows call agents 10.10.11.5 and 10.10.11.6 to control gateway 10.10.10.115, and allows call agents 10.10.11.7 and 10.10.11.8 to control both gateways 10.10.10.116 and 10.10.10.117:
fwsm(config)# mgcp call-agent 10.10.11.5 101fwsm(config)# mgcp call-agent 10.10.11.6 101fwsm(config)# mgcp call-agent 10.10.11.7 102fwsm(config)# mgcp call-agent 10.10.11.8 102fwsm(config)# mgcp command-queue 150fwsm(config)# mgcp gateway 10.10.10.115 101fwsm(config)# mgcp gateway 10.10.10.116 102fwsm(config)# mgcp gateway 10.10.10.117 102Related Commands
clear mgcp
debug
fixup protocol
show conn
show mgcp
timeoutmkdir
To create a new directory, use the mkdir command.
mkdir [disk:] path
Syntax Description
disk:
(Optional) Changes the current working directory.
path
Specifies the path for the new directory.
Defaults
If you do not specify a directory, the directory is changed to disk:.
Command Modes
Security Context Mode: single context mode and multiple context mode
Access Location: system command line
Command Mode: privileged mode
Firewall Mode: routed firewall mode and transparent firewall mode
Command History
Usage Guidelines
If a directory with the same name already exists, then the new directory is not created. The mkdir disk: command prompts you to enter a directory name.
Examples
This example shows how to make a new directory:
fwsm(config)# mkdir disk:Create directory filename [running-config]? my_context.cfgCreated dir disk:my_context.cfgfwsm(config)# dirDirectory of disk:/1 -rw- 1519 10:03:50 Jul 14 2003 my_context1.cfg2 -rw- 1516 10:04:02 Jul 14 2003 my_context2.cfg3 -rw- 1516 10:01:34 Jul 14 2003 admin.cfg10 drw- 0 09:24:38 Jul 16 2003 my_context3.cfg60985344 bytes total (60968960 bytes free)Related Commands
cd
copy disk
copy flash
copy startup-config
copy tftp
dir
format
more
pwd
rename
rmdir
show filemode
To change the FWSM to single context mode or multiple context mode, use the mode command.
mode {single | multiple}
Syntax Description
single
Sets the FWSM to the single context mode.
multiple
Sets the FWSM to the multiple context mode.
Defaults
The default setting depends on whether Cisco shipped the FWSM to you with the Security Context feature enabled (multiple context mode), or whether you are upgrading your FWSM (single context mode).
Command Modes
Security Context Mode: single context mode and multiple context mode
Access Location: System and Context
Command Mode: configuration mode
Firewall Mode: routed firewall mode and transparent firewall mode
Command History
Usage Guidelines
This command allows you to change the behavior of the FWSM and prompts you to reboot the module. By default, multiple mode allows you to use two contexts. To enable more than two contexts, you must enter an activation key (if it was not already entered by Cisco).
If you are changing from single context mode to multiple context mode, the FWSM converts the running configuration into two files: a new startup.cfg (in the Flash) that has the system configuration and admin.cfg (in the disk partition) that has the admin context. The original running configuration is saved as old_running.cfg (in disk). The original startup configuration is not saved.
If you convert from multiple context mode to single context mode, the startup configuration is not automatically converted back to the original running configuration. You must copy the backup version to the running and startup configurations. Because the system configuration does not have any network interfaces as part of its configuration, you must session into the FWSM from the switch to perform the copy as follows:
fwsm# copy disk:old_running.cfg running-configfwsm# copy running-config startup-configExamples
This example shows how to change the context mode:
fwsm# mode multipleRelated Commands
show mode
monitor-interface
To enable interface monitoring on a specific interface within a context, use the monitor-interface command.
[no] monitor-interface interface_name
Syntax Description
Defaults
Not configured
Command Modes
Security Context Mode: single context mode and multiple context mode
Access Location: context command line
Command Mode: configuration mode
Firewall Mode: routed firewall mode and transparent firewall mode
Command History
Usage Guidelines
The number of interfaces that can be monitored for the FWSM is 250 per module. Hello messages are exchanged during every interface poll frequency time period between the FWSM failover pair. The failover interface poll time is 3 to 15 seconds. For example, if the poll time is set to 5 seconds, testing begins on an interface if 5 consecutive hellos are not heard on that interface (25 seconds).
Monitored failover interfaces can have the following status:
•
Unknown—Initial status. This status can also mean the status cannot be determined.
•
•
•
•
•
Examples
This example shows how to start interface monitoring:
fwsm(config)# monitor-interface insideRelated Commands
clear failover
failover
failover interface ip address
failover interface-policy
failover lan interface
failover lan unit
failover link
failover polltime
failover replication http
failover reset
show failover
show monitor-interface
write standbymore
To display the contents of a file, use the more command.
more [/ascii] || [/binary] [disk:] path
Syntax Description
Defaults
ACSII mode
Command Modes
Security Context Mode: single context mode and multiple context mode
Access Location: system command line
Command Mode: privileged mode
Firewall Mode: routed firewall mode and transparent firewall mode
Command History
Usage Guidelines
The more disk: command prompts you to enter a filename.
Examples
This example shows how to display the contents of a file named "test.cfg":
fwsm(config)# more test.cfg: Saved: Written by enable_15 at 10:04:01 Jul 14 2003FWSM Version 2.2(0)141nameif vlan300 outside security10enable password 8Ry2YjIyt7RRXU24 encryptedpasswd 2KFQnbNIdI.2KYOU encryptedhostname testfixup protocol ftp 21fixup protocol h323 H225 1720fixup protocol h323 ras 1718-1719fixup protocol ils 389fixup protocol rsh 514fixup protocol smtp 25fixup protocol sqlnet 1521fixup protocol sip 5060fixup protocol skinny 2000namesaccess-list deny-flow-max 4096access-list alert-interval 300access-list 100 extended permit icmp any anyaccess-list 100 extended permit ip any anypager lines 24icmp permit any outsidemtu outside 1500ip address outside 172.29.145.35 255.255.0.0no pdm history enablearp timeout 14400access-group 100 in interface outside!interface outside!route outside 0.0.0.0 0.0.0.0 172.29.145.1 1timeout xlate 3:00:00timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 rpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00timeout uauth 0:05:00 absoluteaaa-server TACACS+ protocol tacacs+aaa-server RADIUS protocol radiusaaa-server LOCAL protocol localsnmp-server host outside 128.107.128.179snmp-server location my_context, USAsnmp-server contact admin@my_context.comsnmp-server community publicno snmp-server enable trapsfloodguard enablefragment size 200 outsideno sysopt route dnattelnet timeout 5ssh timeout 5terminal width 511gdb enablemgcp command-queue 0Cryptochecksum:00000000000000000000000000000000: endRelated Commands
cd
copy disk
copy flash
copy startup-config
copy tftp
dir
format
mkdir
pwd
rename
rmdir
show file
mtu
To specify the maximum transmission unit (MTU) for an interface, use the mtu command. To reset the MTU block size to 1500 for Ethernet interfaces, use the no form of this command.
[no] mtu interface_name bytes
Syntax Description
interface_name
Internal or external network interface name.
bytes
Number of bytes in the MTU; valid values are from 64 to 65,535 bytes.
Defaults
bytes is 1500 for Ethernet interfaces.
Command Modes
Security Context Mode: single context mode and multiple context mode
Access Location: context command line
Command Mode: configuration mode
Firewall Mode: routed firewall mode and transparent firewall mode
Command History
Usage Guidelines
The mtu command allows you to set the data size that is sent on a connection. Data that is larger than the MTU value is fragmented before being sent.
The FWSM supports IP path MTU discovery (as defined in RFC 1191), which allows a host to dynamically discover and cope with the differences in the maximum allowable MTU size of the various links along the path. Sometimes, the FWSM cannot forward a datagram because the packet is larger than the MTU that you set for the interface, but the "don't fragment" (DF) bit is set. The network software sends a message to the sending host, alerting it to the problem. The host has to fragment packets for the destination so that they fit the smallest packet size of all the links along the path.
The default MTU is 1500 bytes in a block for Ethernet interfaces (which is also the maximum). This value is sufficient for most applications, but you can pick a lower number if network conditions require it.
When using the Layer 2 Timeline Protocol (L2TP), we recommend that you set the MTU size to 1380 to account for the L2TP header and IPSec header length.
Examples
This example shows how to specify the MTU for an interface:
fwsm/context_name(config)# mtu inside 8192fwsm/context_name(config)# show mtufwsm/context_name(config)# mtu outside 1500fwsm/context_name(config)# mtu inside 8192Related Commands
show mtu
name
To associate a name with an IP address, use the name command. To enable the association, use the names command. To disable the use of the text names but not remove them from the configuration, use the no form of this command.
[no] name ip_address name
names
Syntax Description
Defaults
This command has no default settings.
Command Modes
Security Context Mode: single context mode and multiple context mode
Access Location: context command line
Command Mode: configuration mode
Firewall Mode: routed firewall mode and transparent firewall mode
Command History
Usage Guidelines
Use the names command to enble association of a name with an IP address.
When defining the name, you can use characters a to z, A to Z, 0 to 9, a dash, and an underscore. The name cannot start with a number. If the name is over 16 characters, the name command fails.
The name command allows you to identify a host by a text name and map text strings to IP addresses. The no names command allows you to disable the use of the text names but does not remove them from the configuration. Use the clear name command to clear the list of names from the FWSM configuration.
You must first use the names command before you use the name command. Use the name command immediately after you use the names command and before you use the write memory command.
To disable displaying name values, use the no names command.
You can associate only one name with an IP address.
Both the name and names commands are saved in the configuration.
While the name command lets you assign a name to a network mask, no other FWSM command requiring a mask lets you use the name as a mask value. For example, this command is accepted:
fwsm/context_name(config)# name 255.255.255.0 class-C-mask
Note
Examples
This example shows that the names command allows you to enable use of the name command. The name command substitutes fwsm_inside for references to 192.168.42.3 and fwsm_outside for 209.165.201.3. You can use these names with the ip address commands when assigning IP addresses to the network interfaces. The no names command disables the name command values from displaying. Subsequent use of the names command again restores the name command value display.
fwsm(config)# namesfwsm(config)# name 192.168.42.3 fwsm_insidefwsm(config)# name 209.165.201.3 fwsm_outsidefwsm(config)# ip address inside fwsm_inside 255.255.255.0fwsm(config)# ip address outside fwsm_outside 255.255.255.224fwsm(config)# show ip addressSystem IP Addresses:inside ip address fwsm_inside mask 255.255.255.0outside ip address fwsm_outside mask 255.255.255.224fwsm(config)# no namesfwsm(config)# show ip addressSystem IP Addresses:inside ip address 192.168.42.3 mask 255.255.255.0outside ip address 209.165.201.3 mask 255.255.255.224fwsm(config)# namesfwsm(config)# show ip addressSystem IP Addresses:inside ip address fwsm_inside mask 255.255.255.0outside ip address fwsm_outside mask 255.255.255.224Related Commands
clear name
show namenameif
To name interfaces and assign the security level, use the nameif command.
no nameif interface interface_name security_lvl
no nameif interface [interface_name] [security_lvl]
Syntax Description
interface
VLAN name or mapped name.
interface_name
Name for the network interface; this name can have up to 48 characters.
security_lvl
Specifies the security level; valid values are from 0-100.
Defaults
This command has no default settings.
Command Modes
Security Context Mode: single context mode and multiple context mode
Access Location: context command line
Command Mode: configuration mode
Firewall Mode: routed firewall mode and transparent firewall mode
Command History
Usage Guidelines
You cannot change the name of an interface; you can only change the security level. The interface identification is either vlan num, or for multiple mode, it is the mapped name that is configured with the allocate interface command. There is no hardware ID for the FWSM, only VLAN IDs are allowed.
Caution
The security level between two interfaces determines the way the adaptive security algorithm is applied. A lower security_level interface is outside a higher level interface, and equivalent interfaces are outside each other. Refer to the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Software Configuration Guide for more information about security levels.
Examples
This example shows a configuration in single mode:
fwsm(config)# nameif vlan18 perimeter1 sec50fwsm(config)# nameif vlan23 perimeter2 sec20This example shows a configuration in multiple mode:
fwsm(config-context)# allocate-interface vlan7 intf-outfwsm(config-context)# allocate-interface vlan17 intf-infwsm(config-context)# allocate-interface vlan23 intf-dmzfwsm(config-context)# changeto context_namefwsm/context_name(config)# nameif intf-out outside security0fwsm/context_name(config)# nameif intf-in inside security90fwsm/context_name(config)# nameif intf-dmz dmz security50Related Commands
allocate-interface (context submode)
interface
global
nat
staticnames
To enable IP address to the name conversions that you can configure with the name command, use the names command. To disable address to name conversion, use the no form of this command.
[no] names
Syntax Description
This command has no arguments or keywords.
Defaults
This command has no default settings.
Command Modes
Security Context Mode: single context mode and multiple context mode
Access Location: context command line
Command Mode: configuration mode
Firewall Mode: routed firewall mode and transparent firewall mode
Command History
Examples
This example shows how to enable names:
fwsm(config)# namesRelated Commands
clear name
name
show name
show namesnat
To associate a network with a pool of global IP addresses, use the nat command. To remove the nat command, use the no form of this command.
[no] nat local_interface nat_id local_ip [mask [dns] [outside] [[tcp] tcp_max_conns [emb_limit] [norandomseq]]] [udp udp_max_conns]
[no] nat local_interface nat_id access-list access_list_name [dns] [outside] [[tcp] tcp_max_conns [emb_limit] [norandomseq]]] [udp udp_max_conns]
Syntax Description
Defaults
The defaults are as follows:
•
•
Command Modes
Security Context Mode: single context mode and multiple context mode
Access Location: context command line
Command Mode: configuration mode
Firewall Mode: routed firewall mode
Command History
1.1(1)
Support for this command was introduced on the FWSM.
2.2(1)
This command was modified to support UDP maximum connections for local hosts.
Usage Guidelines
An embyonic connection is a connection request that has not finished the necessary handshake between source and destination.
The nat command allows you to enable or disable address translation for one or more internal addresses. Address translation occurs when a host starts an outbound connection and the IP addresses in the internal network are translated into global addresses. NAT allows your network to have any IP addressing scheme and the FWSM protects these addresses from visibility on the external network.
Note
Note
The outside keyword lets you enable or disable address translation for the external addresses. For access control, IPSec, and AAA, use the real outside address.
Note
The nat interface_name 0 access-list access_list_name command allows you to exempt traffic that is matched by the access-list commands from the NAT services. The extent to which the inside hosts are accessible from the outside depends on the access-list commands that you use to permit inbound access. The interface_name is the higher security level interface name. The access_list_name is the name that you use to identify the access-list command.
Adding the access-list keyword changes the behavior of the nat 0 command. Without the access-list keyword, the command is backward compatible with previous versions. The nat 0 command disables NAT. Specifically, proxy ARPing for the IP addresses is disabled when you enter the nat 0 command.
Note
fwsm/context_name(config)# access-list no-nat permit tcp host xx.xx.xx.xx host yy.yy.yy.yy
fwsm/context_name(config)# nat (inside) 0 access-list no-natAfter changing or removing the nat command, use the clear xlate command.
The connection limit lets you set the maximum number of outbound connections that can be started with the IP address criteria that you specify. This limit lets you prevent a type of attack where processes are started without being completed.
Use the no nat command to remove the nat command.
See Table 2-10 for a list of interface access commands. The security levels for the demilitarized zones are 40 for dmz1 and 60 for dmz2.
To obtain access from a higher security level interface to a lower security level interface, use the nat command. From a lower security level interface to a higher security level interface, use the static command.
Enable identity address translation with the nat 0 command.The nat 0 command requires that traffic initiates from an inside host. Use this command when you have IP addresses that are the same as those commands that are used on more than one interface. The extent to which the inside hosts are accessible from the outside depends on the access-list commands that permit inbound access.
Addresses on each interface must be on a different subnet.
Entering the nat 0 10.2.3.0 command allows those IP addresses in the 10.2.3.0 net to appear on the outside without translation. All other hosts are translated depending on how their nat commands appear in the configuration.
Entering the nat 1 0 0 command allows all outbound connections to pass through the FWSM with address translation. If you use the nat (inside) 1 0 0 command, you can start connections on any interface with a lower security level on both the perimeter interfaces and the outside interface. With NAT, you must also use the global keyword to provide a pool of addresses through which translated connections pass. The NAT ID must be the same on the nat and global commands.
Entering the nat 1 10.2.3.0 command allows only outbound connections originating from the inside host 10.2.3.0 to pass through the FWSM to go to their destinations with address translation.
When specifying the network mask for local_ip, you can use 0.0.0.0 to allow all outbound connections to translate with IP addresses from the global pool. The netmask 0.0.0.0 can be abbreviated as 0.
The nat_id is referenced by the global command to associate a global pool with the local_ip.
nat_id values can be 0, 0 access list access_list_name, or any number from 1 to 256. A nat_id of 0 indicates that no address translation takes place for local_ip.
A nat_id of 0 access list access_list_name specifies the traffic to exempt from NAT processing, based on the access list that is specified by the access_list_name. This command is useful in a VPN configuration where traffic between private networks should be exempted from NAT.
A nat_id that is a number from 1 to 256 specifies the inside hosts for dynamic address translation. The dynamic addresses are chosen from a global address pool that is created when you enter the global command. The nat_id number must match the global_id number of the global address pool that you want to use for dynamic address translation.
The local_ip determines the group of hosts or networks that are referred to by nat_id. You can use 0.0.0.0 to allow all hosts to start outbound connections. The 0.0.0.0 local_ip can be abbreviated as 0. An IP address not found in a more explicit nat_id group defaults to a less explicit or a 0 which indicates the least explicit.
Idle connections are closed after the idle timeout is specified by the timeout conn command.
In both the nat and static statements, the udp_max_conn field is applicable even when the TCP max_conns limit is not set, by using the keyword udp. This allows the two limits to be exclusively configured.
Examples
This example shows how to make the addresses visible from the outside network:
fwsm/context_name(config)# nat (inside) 0 209.165.201.0 255.255.255.224fwsm/context_name(config)# static (inside, outside) 209.165.201.0 209.165.201.0 netmask 255.255.255.224fwsm/context_name(config)# access-list acl_out permit host 10.0.0.1 209.165.201.0 255.255.255.224 eq ftpfwsm/context_name(config)# access-group acl_out in interface outsidefwsm/context_name(config)# nat (inside) 0 209.165.202.128 255.255.255.224fwsm/context_name(config)# static (inside, outside) 209.165.202.128 209.165.202.128 netmask 255.255.255.224fwsm/context_name(config)# access-list acl_out permit tcp host 10.0.0.1 209.165.202.128 255.255.255.224 eq ftpfwsm/context_name(config)# access-group acl_out in interface outside...This example shows how to use the nat 0 access-list command to permit access to internal host 10.1.1.15 through the inside interface, "inside," to bypass NAT when connecting to outside host 10.2.1.3:
fwsm/context_name(config)# access-list no-nat permit ip host 10.1.1.15 host 10.2.1.3fwsm/context_name(config)# nat (inside) 0 access-list no-natThis command shows how to disable all NAT on the FWSM with three interfaces:
fwsm/context_name(config)# access-list all-ip-packet permit ip 0 0 0 0fwsm/context_name(config)# nat (dmz) 0 access-list all-ip-packetfwsm/context_name(config)# nat (inside) 0 access-list all-ip-packetThese examples show how to specify that all the hosts on the 10.0.0.0 and 3.3.3.0 inside networks can start outbound connections:
fwsm/context_name(config)# nat (inside) 1 10.0.0.0 255.0.0.0fwsm/context_name(config)# global (outside) 1 209.165.201.25-209.165.201.27 netmask 255.255.255.224fwsm/context_name(config)# global (outside) 1 209.165.201.30fwsm/context_name(config)# nat (inside) 3 10.3.3.0 255.255.255.0fwsm/context_name(config)# global (outside) 3 209.165.201.10-209.165.201.25 netmask 255.255.255.224Related Commands
access-list deny-flow-max
clear nat
global
interface
nameif
show nat
staticobject-group
To define object groups that you can use to optimize your configuration, use the object-group command. Use the no form of this command to remove object groups from the configuration.
[no] object-group icmp-type obj_grp_id
icmp-type group subcommands
description description_text
icmp-object icmp_type[no] object-group network obj_grp_id
network group subcommands
description description_text
network-object host host_addr | host_name
network-object net_addr netmask
group-object[no] object-group protocol obj_grp_id
protocol group subcommands
description description_text
protocol-object protocol[no] object-group service obj_grp_id {tcp | udp | tcp-udp}
service group subcommands
description description_text
port-object range begin_service end_service
port-object eq serviceSyntax Description
Command Modes
Security Context Mode: single context mode and multiple context mode
Access Location: context command line
Command Mode: configuration mode
Firewall Mode: routed firewall mode and transparent firewall mode
Command History
Usage Guidelines
Objects such as hosts, protocols, or services can be grouped, and then you can issue a single command using the group name to apply to every item in the group.
When you define a group with the object-group command and then use any FWSM command, the command applies to every item in that group. This feature can significantly reduce your configuration size.
Once you define an object group, you must use the object-group keyword before the group name in all applicable FWSM commands as follows:
fwsm# show object-group group_namewhere group_name is the name of the group.
This example shows the use of an object group once it is defined:
fwsm/context_name(config)# access-list access_list_name permit tcp any object-group group_nameIn addition, you can group the access-list command arguments as shown in Table 2-11.
You can group commands hierarchically; an object group can be a member of another object group.
To use object groups, you must do the following:
•
fwsm/context_name(config)# access-list acl permit tcp object-group remotes object-group locals object-group eng_svcwhere remotes and locals are sample object group names.
•
•
After you enter a main object-group command, the command mode changes to its corresponding submode. The object group is defined in the submode. The active mode is indicated in the command prompt format. For example, the prompt in the configuration terminal mode appears as follows:
fwsm_name (config-type)#where fwsm_name is the name of the FWSM.
However, when you enter the object-group command, the prompt appears as follows:
fwsm#_name (config-type)#where fwsm_name is the name of the FWSM, and type is the object-group type.
Use the exit, quit, or any valid config-mode commands such as access-list to close an object-group submode and exit the object-group main command.
The show object-group command displays all defined object groups by their grp_id when the show object-group id grp_id command is entered, and by their group type when you enter the show object-group grp_type command. When you enter the show object-group comnmand without an argument, all defined object groups are shown.
Use the no object-group command to remove a group of previously defined object-group commands. Without an argument, the clear object-group command allows you to remove all defined object groups that are not being used in a command. The grp_type argument removes all defined object groups that are not being used in a command for that group type only.
See Table 2-12 for a listing of ICMP type numbers and names.
You can use all other FWSM commands in submode, including the show and clear commands.
Subcommands appear indented when displayed or saved by the show config, write, or config commands.
Subcommands have the same command privilege level as the main command.
When you use more than one object group in an access-list command, the elements of all object groups that are used in the command are linked together, starting with the first group's elements with the second group's elements, then the first and second group's elements together with the third group's elements, and so on.
The starting position of the description text is the character right after the white space (a blank or a tab) following the description keyword.
Examples
This example shows how to use the object-group icmp-type submode to create a new icmp-type object group:
fwsm(config)# object-group icmp-type icmp-allowedfwsm(config-icmp-type)# icmp-object echofwsm(config-icmp-type)# icmp-object time-exceededfwsm(config-icmp-type)# exitThis example shows how to use the object-group network subcommand to create a new network object group:
fwsm(config)# object-group network sjc_eng_ftp_serversfwsm(config-network)# network-object host sjc.eng.ftp.servcersfwsm(config-network)# network-object host 172.23.56.194fwsm(config-network)# network-object 192.1.1.0 255.255.255.224fwsm(config-network)# exitThis example shows how to use the object-group network subcommand to create a new network object group and map it to an existing object-group:
fwsm(config)# object-group network sjc_ftp_serversfwsm(config-network)# network-object host sjc.ftp.serversfwsm(config-network)# network-object host 172.23.56.195fwsm(config-network)# network-object 193.1.1.0 255.255.255.224fwsm(config-network)# group-object sjc_eng_ftp_serversfwsm(config-network)# exitThis example shows how to use the object-group protocol submode to create a new protocol object group:
fwsm(config)# object-group protocol proto_grp_1fwsm(config-protocol)# protocol-object udpfwsm(config-protocol)# protocol-object ipsecfwsm(config-protocol)# exitfwsm(config)# object-group protocol proto_grp_2fwsm(config-protocol)# protocol-object tcpfwsm(config-protocol)# group-object proto_grp_1fwsm(config-protocol)# exitThis example shows how to use the object-group service submode to create a new port (service) object group:
fwsm(config)# object-group service eng_service tcpfwsm(config-service)# group-object eng_www_servicefwsm(config-service)# port-object eq ftpfwsm(config-service)# port-object range 2000 2005fwsm(config-service)# exitThis example shows how to add and remove a text description to an object group:
fwsm(config)# object-group protocol protos1fwsm(config-protocol)# description This group of protocols is for our internal networkfwsm(config-protocol)# show object-group id protos1object-group protocol protos1description: This group of protocols is for our internal networkfwsmdocipsec1(config-protocol)# no descriptionfwsmdocipsec1(config-protocol)# show object-group id protos1object-group protocol protos1This example shows how to use the group-object submode to create a new object group that consists of previously defined objects:
fwsm(config)# object-group network host_grp_1fwsm(config-network)# network-object host 192.168.1.1fwsm(config-network)# network-object host 192.168.1.2fwsm(config-network)# exitfwsm(config)# object-group network host_grp_2fwsm(config-network)# network-object host 172.23.56.1fwsm(config-network)# network-object host 172.23.56.2fwsm(config-network)# exitfwsm(config)# object-group network all_hostsfwsm(config-network)# group-object host_grp_1fwsm(config-network)# group-object host_grp_2fwsm(config-network)# exitfwsm(config)# access-list grp_1 permit tcp object-group host_grp_1 any eq ftpfwsm(config)# access-list grp_2 permit tcp object-group host_grp_2 any eq smtpfwsm(config)# access-list all permit tcp object-group all_hosts any eq wwwWithout the group-object command, you need to define the all_hosts group to include all the IP addresses that have already been defined in host_grp_1 and host_grp_2. With the group-object command, the duplicated definitions of the hosts are eliminated.
These examples show how to use object groups to simplify the access list configuration:
fwsm/context_name(config)# object-group network remotefwsm/context_name(config-network)# network-object host kqk.suu.dri.ixxfwsm/context_name(config-network)# network-object host kqk.suu.pyl.gnlfwsm/context_name(config)# object-group network localsfwsm/context_name(config-network)# network-object host 172.23.56.10fwsm/context_name(config-network)# network-object host 172.23.56.20fwsm/context_name(config-network)# network-object host 172.23.56.194fwsm/context_name(config-network)# network-object host 172.23.56.195fwsm/context_name(config)# object-group service eng_svc ftpfwsm/context_name(config-service)# port-object eq wwwfwsm/context_name(config-service)# port-object eq smtpfwsm/context_name(config-service)# port-object range 25000 25100This grouping enables the access list to be configured in 1 line instead of 24 lines, which would be needed if no grouping is used. Instead, with the grouping, the access list configuration is as follows:
fwsm/context_name(config)# access-list acl permit tcp object-group remote object-group locals object-group eng_svc
Note
Related Commands
clear object-group
show object-groupospf (interface submode)
To configure interface-specific Open Shortest Path First (OSPF) parameters, use the ospf command in the interface submode. To return to the default setting, use the no form of this command.
ospf {authentication [message-digest | null]} | {authentication-key password} | {cost interface_cost} | {database-filter all out} | {dead-interval seconds} | {hello-interval seconds} | {message-digest-key key-id md5 key} | {mtu-ignore} | {priority number} | {retransmit-interval seconds} | {transmit-delay seconds}
no ospf
Syntax Description
Defaults
The defaults are as follows:
•
•
•
•
•
•
•
Command Modes
Security Context Mode: single context mode
Access Location: system and context command line
Command Mode: configuration mode
Firewall Mode: routed firewall mode
Command History
Usage Guidelines
The routing interface command is the main command for all interface-specific OSPF interface mode commands. Enter this command with the name of the FWSM interface (interface_name) that you want to configure, and then proceed with interface-specific configuration through the routing interface subcommands.
Once you enter the routing interface command, the command prompt appears as (config-routing)#, indicating that you are in the submode.
The show routing interface command allows you to display the configuration for the interface specified.
ospf authentication
The ospf authentication [message-digest | null] subcommand allows you to specify the authentication type for an interface. To remove the authentication type for an interface, use the no ospf authentication [message-digest | null] subcommand. The default for authentication is null, which means that there is no authentication. The null subcommand overrides password or message digest authentication (if configured) for an OSPF area.
ospf authentication-key
The ospf authentication-key password subcommand allows you to assign a password to be used by neighboring routers that are using the OSPF simple password authentication. The password argument can be any continuous string of characters that can be entered from the keyboard up to 8 bytes.
The no ospf authentication-key subcommand allows you to remove a previously assigned OSPF password.
ospf cost
The ospf cost interface_cost subcommand allows you to explicitly specify the cost of sending a packet on an interface. The interface_cost parameter is an unsigned integer value from 0 to 255.
The no ospf cost subcommand allows you to reset the path cost to the default value.
ospf database-filter all out
The ospf database-filter subcommand allows you to filter outgoing link-state advertisements (LSAs) to an OSPF interface. The no ospf database-filter all out subcommand allows you to restore the forwarding of LSAs to the interface.
ospf dead-interval
The ospf dead-interval seconds subcommand allows you to set the dead interval before neighbors to declare the router down (the length of time during which no hello packets are seen). seconds specifies the dead interval and must be the same for all nodes on the network. The default for seconds is four times the interval set by the ospf hello-interval command from 1 to 65535. The no ospf dead-interval subcommand allows you to return to the default interval value.
ospf hello-interval
The ospf hello-interval seconds subcommand allows you to specify the interval between hello packets that the FWSM sends on the interface. The no ospf hello-interval subcommand allows you to return to the default intervalt. The default is 10 seconds with a range from 1 to 65535.
ospf mtu-ignore
The ospf mtu-ignore subcommand allows you to disable OSPF MTU mismatch detection on receiving DBD packets and is enabled by default.
ospf message-digest-key key_id md5 key
The ospf message-digest-key key_id md5 key subcommand allows you to enable OSPF Message Digest 5 (MD5) authentication. The no ospf message-digest-key key_id md5 key subcommand allows you to remove an old MD5 key. key_id is a numerical identifier from 1 to 255 for the authentication key. key is an alphanumeric password of up to 16 bytes. White space characters, such as a tab or space, are not supported. MD5 verifies the integrity of the communication, authenticates the origin, and checks for timeliness.
ospf priority
The ospf priority number subcommand allows you to set the router priority, which helps determine the designated router for this network. The no ospf priority number subcommand allows you to return to the default value.
ospf retransmit-interval
The ospf retransmit-interval seconds subcommand allows you to specify the time between LSA retransmissions for adjacencies belonging to the interface. The no ospf retransmit-interval subcommand allows you to return to the default value. The default value is 5 seconds with a range from 1 to 65535.
ospf transmit-delay
The ospf transmit-delay seconds subcommand allows you to set the estimated time required to send a link-state update packet on the interface. The no ospf transmit-delay subcommand allows you to return to the default value. The default value is 1 second with a range from 1 to 65535.
Examples
This example shows how to enter the submode on the outside interface of the FWSM (needed to configure OSPF routing):
fwsm(config)# routing interface outsideIn the routing submode, the command prompt appears as "(config-routing)#."
This example shows the configuration for two concurrently running OSPF processes, with the IDs 5 and 12, on the outside interface of the firewall:
fwsm(config)# routing interfacefwsm(config)# show ospfRouting Process "ospf 5" with ID 127.0.0.1 and Domain ID 0.0.0.5Supports only single TOS(TOS0) routesSupports opaque LSASPF schedule delay 5 secs, Hold time between two SPFs 10 secsMinimum LSA interval 5 secs. Minimum LSA arrival 1 secsNumber of external LSA 0. Checksum Sum 0x 0Number of opaque AS LSA 0. Checksum Sum 0x 0Number of DCbitless external and opaque AS LSA 0Number of DoNotAge external and opaque AS LSA 0Number of areas in this router is 0. 0 normal 0 stub 0 nssaExternal flood list length 0Routing Process "ospf 12" with ID 172.23.59.232 and Domain ID 0.0.0.12Supports only single TOS(TOS0) routesSupports opaque LSASPF schedule delay 5 secs, Hold time between two SPFs 10 secsMinimum LSA interval 5 secs. Minimum LSA arrival 1 secsNumber of external LSA 0. Checksum Sum 0x 0Number of opaque AS LSA 0. Checksum Sum 0x 0Number of DCbitless external and opaque AS LSA 0Number of DoNotAge external and opaque AS LSA 0Number of areas in this router is 0. 0 normal 0 stub 0 nssaExternal flood list length 0This example shows how to change the retransmit interval to 15 seconds:
fwsm(config-interface)# ospf retransmit-interval 15Related Commands
clear ospf
routing interface
show ospf
show ospf border-routers
show ospf database
show ospf flood-list
show ospf interface
show ospf neighbor
show ospf request-list
show ospf retransmission-list
show ospf summary-address
show ospf virtual-links
show routing interfacepager
To enable screen paging, use the pager command. To disable screen paging and let the output display without interruption, use the no form of this command.
[no] pager [lines lines]
Syntax Description
lines lines
(Optional) Specifies the number of lines before the "---more---" prompt appears; valid values are from 1 to 25.
Defaults
number is 25.
Command Modes
Security Context Mode: single context mode and multiple context mode
Access Location: system and context command line
Command Mode: Unprivileged
Firewall Mode: routed firewall mode and transparent firewall mode
Command History
Usage Guidelines
If you set the pager lines command to a value and want to revert back to the default, enter the pager command without keywords or arguments. This command is session based. If the pager value is changed in a session, the value is not changed globally for other sessions. Use the pager 0 command to disable paging.
When you enable paging, the "---more---" prompt appears. The "---more---" prompt uses syntax that is similar to the UNIX more command as follows:
•
•
•
Examples
This example shows how to enable screen paging:
fwsm(config)# pager lines 2fwsm(config)# ping inside 10.0.0.4210.0.0.42 NO response received -- 1010ms10.0.0.42 NO response received -- 1000ms<--- more --->Related Commands
clear pager
show pagerpassword/passwd
To set the password for Telnet access to the FWSM console, use the password command.
{password | passwd} password [encrypted]
Syntax Description
password
Case-sensitive password of up to 16 alphanumeric and special characters.
encrypted
(Optional) Specifies that the password you entered is already encrypted.
Defaults
This command has no default settings.
Command Modes
Security Context Mode: single context mode and multiple context mode
Access Location: system and context command line
Command Mode: privileged mode
Firewall Mode: routed firewall mode and transparent firewall mode
Command History
Usage Guidelines
The password/passwd command allows you to set a password for Telnet access to the FWSM console. The passwd keyword is also accepted as a shortened form of password. Additionally, the FWSM configuration displays the password using the short form, passwd.
Any character can be used in the password except a question mark and a space.The password that you specify with the encrypted keyword must be 16 characters.
An empty password is changed into an encrypted string. However, any use of the write command displays or writes the passwords in encrypted form. Once passwords are encrypted, they are not reversible back to plain text.
Note
Examples
This example shows how to set the password for Telnet access to the FWSM console:
fwsm(config)# (config)# password watag00s1amfwsm(config)# show passwwordpasswd jMorNbK0514fadBh encryptedRelated Commands
clear passwd
enable
show passwd
telnetpdm
To configure the support communication between the FWSM and a browser running the PDM, use the pdm command.
pdm disconnect session_id
[no] pdm history enable
pdm history [view {all | 12h | 5d | 60m | 10m}] [snapshot] [feature {all | blocks | cpu | failover | ids | interface interface_name | memory | perfmon | xlates}] [pdmclient]
pdm group real_group_name associated_intf_name
pdm group ref_group_name ref_intf_name reference real_group_name
pdm location ip_address netmask interface_name
pdm logging [level [messages]]
Syntax Description
Defaults
The defaults are as follows:
•
•
•
Command Modes
Security Context Mode: single context mode and multiple context mode
Access Location: system and context command line
Command Mode: configuration mode
Firewall Mode: routed firewall mode and transparent firewall mode
Command History
Usage Guidelines
The associated_intf_name name is defined by the nameif command.
The ref_intf_name name is defined by the nameif command.
The pdm location command is an internal PDM command.
Once the message buffer exceeds the specified message, old messages are discarded.
The pdm history enable command allows you to enable the PDM data sampling. If not specified, the history for all features is displayed. PDM data sampling takes a data sample and stores the sample data to the PDM history buffer. The no form of this command disables PDM data sampling.
The pdm disconnect command and the show pdm sessions commands are accessible through the FWSM command-line interface.
The failover keyword history display is similar to the output of the show failover command.
The memory keyword history display is similar to the output of the show perfmon command.
The xlates keyword history display is similar to the output of the show xlate command.
The clear pdm, pdm group, pdm history, pdm location, and pdm logging commands may appear in your configuration, but they are designed to work as internal PDM-to-FWSM commands that are accessible only to the PDM.
You can only associate one interface to an ip_address/netmask pair when you enter the pdm location command. Specifying a new pair replaces the old definition.
Examples
This example shows how to report the last data point in PDM-display format:
fwsm(config)# pdm history enablefwsm(config)# show pdm history view 10m snapshot pdmclientINTERFACE|outside|up|IBC|0|OBC|1088|IPC|0|OPC|0|IBR|17|OBR|0|IPR|0|OPR|0|IERR|1|NB|0|RB|0| RNT|0|GNT|0|CRC|0|FRM|0|OR|0|UR|0|OERR|0|COLL|0|LCOLL|0|RST|0|DEF|0|LCR|0:FWSMoutsideINTER FACE:METRIC_HISTORY|SNAP|IBR|VIEW|10|1952|METRIC_HISTORY|SNAP|OBR|VIEW|10|64|METRIC_HISTOR Y|SNAP|IPR|VIEW|10|17|METRIC_HISTORY|SNAP|OPR|VIEW|10|1|METRIC_HISTORY|SNAP|IERR|VIEW|10|0 |METRIC_HISTORY|SNAP|OERR|VIEW|10|0|:FWSMinsideINTERFACE:METRIC_HISTORY|SNAP|IBR|VIEW|10|0 |METRIC_HISTORY|SNAP|OBR|VIEW|10|64|METRIC_HISTORY|SNAP|IPR|VIEW|10|0|METRIC_HISTORY|SNAP| OPR|VIEW|10|1|METRIC_HISTORY|SNAP|IERR|VIEW|10|0|METRIC_HISTORY|SNAP|OERR|VIEW|10|0|:FWSMS YS:METRIC_HISTORY|SNAP|MEM|VIEW|10|52662272|METRIC_HISTORY|SNAP|BLK4|VIEW|10|1600|METRIC_H ISTORY|SNAP|BLK80|VIEW|10|400|METRIC_HISTORY|SNAP|BLK256|VIEW|10|998|METRIC_HISTORY|SNAP|B LK1550|VIEW|10|676|METRIC_HISTORY|SNAP|XLATES|VIEW|10|0|METRIC_HISTORY|SNAP|CONNS|VIEW|10| 0|METRIC_HISTORY|SNAP|TCPCONNS|VIEW|10|0|METRIC_HISTORY|SNAP|UDPCONNS|VIEW|10|0|METRIC_HIS TORY|SNAP|URLS|VIEW|10|0|METRIC_HISTORY|SNAP|WEBSNS|VIEW|10|0|METRIC_HISTORY|SNAP|TCPFIXUP S|VIEW|10|0|METRIC_HISTORY|SNAP|TCPINTERCEPTS|VIEW|10|0|METRIC_HISTORY|SNAP|HTTPFIXUPS|VIE W|10|0|METRIC_HISTORY|SNAP|FTPFIXUPS|VIEW|10|0|METRIC_HISTORY|SNAP|AAAAUTHENUPS|VIEW|10|0| METRIC_HISTORY|SNAP|AAAAUTHORUPS|VIEW|10|0|METRIC_HISTORY|SNAP|AAAACCOUNTS|VIEW|10|0|This example shows how to report the data formatted for the FWSM CLI:
fwsm(config)# pdm history enablefwsm(config)# show pdm history view 10m snapshotAvailable 4 byte Blocks: [ 10s] : 1600Used 4 byte Blocks: [ 10s] : 0Available 80 byte Blocks: [ 10s] : 400Used 80 byte Blocks: [ 10s] : 0Available 256 byte Blocks: [ 10s] : 500Used 256 byte Blocks: [ 10s] : 0Available 1550 byte Blocks: [ 10s] : 931Used 1550 byte Blocks: [ 10s] : 385Available 1552 byte Blocks: [ 10s] : 0Used 1552 byte Blocks: [ 10s] : 0Available 2560 byte Blocks: [ 10s] : 0Used 2560 byte Blocks: [ 10s] : 0Available 4096 byte Blocks: [ 10s] : 0Used 4096 byte Blocks: [ 10s] : 0Available 8192 byte Blocks: [ 10s] : 0Used 8192 byte Blocks: [ 10s] : 0Available 16384 byte Blocks: [ 10s] : 0Used 16384 byte Blocks: [ 10s] : 0Available 65536 byte Blocks: [ 10s] : 0Used 65536 byte Blocks: [ 10s] : 0CPU Utilization: [ 10s] : 0IP Options Bad: [ 10s] : 0Record Packet Route: [ 10s] : 0IP Options Timestamp: [ 10s] : 0Provide s,c,h,tcc: [ 10s] : 0Loose Source Route: [ 10s] : 0SATNET ID: [ 10s] : 0Strict Source Route: [ 10s] : 0IP Fragment Attack: [ 10s] : 0Impossible IP Attack: [ 10s] : 0IP Teardrop: [ 10s] : 0ICMP Echo Reply: [ 10s] : 0ICMP Unreachable: [ 10s] : 0ICMP Source Quench: [ 10s] : 0ICMP Redirect: [ 10s] : 0ICMP Echo Request: [ 10s] : 0ICMP Time Exceeded: [ 10s] : 0ICMP Parameter Problem: [ 10s] : 0ICMP Time Request: [ 10s] : 0ICMP Time Reply: [ 10s] : 0ICMP Info Request: [ 10s] : 0ICMP Info Reply: [ 10s] : 0ICMP Mask Request: [ 10s] : 0ICMP Mask Reply: [ 10s] : 0Fragmented ICMP: [ 10s] : 0Large ICMP: [ 10s] : 0Ping of Death: [ 10s] : 0No Flags: [ 10s] : 0SYN & FIN Only: [ 10s] : 0FIN Only: [ 10s] : 0FTP Improper Address: [ 10s] : 0FTP Improper Port: [ 10s] : 0Bomb: [ 10s] : 0Snork: [ 10s] : 0Chargen: [ 10s] : 0DNS Host Info: [ 10s] : 0DNS Zone Transfer: [ 10s] : 0DNS Zone Transfer High Port: [ 10s] : 0DNS All Records: [ 10s] : 0Port Registration: [ 10s] : 0Port Unregistration: [ 10s] : 0RPC Dump: [ 10s] : 0Proxied RPC: [ 10s] : 0ypserv Portmap Request: [ 10s] : 0ypbind Portmap Request: [ 10s] : 0yppasswd Portmap Request: [ 10s] : 0ypupdated Portmap Request: [ 10s] : 0ypxfrd Portmap Request: [ 10s] : 0mountd Portmap Request: [ 10s] : 0rexd Portmap Request: [ 10s] : 0rexd Attempt: [ 10s] : 0statd Buffer Overflow: [ 10s] : 0Input KByte Count: [ 10s] : 41804Output KByte Count: [ 10s] : 526456Input KPacket Count: [ 10s] : 364Output KPacket Count: [ 10s] : 450Input Bit Rate: [ 10s] : 0Output Bit Rate: [ 10s] : 0Input Packet Rate: [ 10s] : 0Output Packet Rate: [ 10s] : 0Input Error Packet Count: [ 10s] : 0No Buffer: [ 10s] : 0Received Broadcasts: [ 10s] : 90076Runts: [ 10s] : 0Giants: [ 10s] : 0CRC: [ 10s] : 0Frames: [ 10s] : 0Overruns: [ 10s] : 0Underruns: [ 10s] : 0Output Error Packet Count: [ 10s] : 0Collisions: [ 10s] : 8895LCOLL: [ 10s] : 0Reset: [ 10s] : 0Deferred: [ 10s] : 3138Lost Carrier: [ 10s] : 0Hardware Input Queue: [ 10s] : 128Software Input Queue: [ 10s] : 0Hardware Output Queue: [ 10s] : 0Software Output Queue: [ 10s] : 0Input KByte Count: [ 10s] : 61835Output KByte Count: [ 10s] : 26722Input KPacket Count: [ 10s] : 442Output KPacket Count: [ 10s] : 418Input Bit Rate: [ 10s] : 0Output Bit Rate: [ 10s] : 0Input Packet Rate: [ 10s] : 0Output Packet Rate: [ 10s] : 0Input Error Packet Count: [ 10s] : 0No Buffer: [ 10s] : 0Received Broadcasts: [ 10s] : 308607Runts: [ 10s] : 0Giants: [ 10s] : 0CRC: [ 10s] : 0Frames: [ 10s] : 0Overruns: [ 10s] : 0Underruns: [ 10s] : 0Output Error Packet Count: [ 10s] : 0Collisions: [ 10s] : 0LCOLL: [ 10s] : 0Reset: [ 10s] : 0Deferred: [ 10s] : 2Lost Carrier: [ 10s] : 707Hardware Input Queue: [ 10s] : 128Software Input Queue: [ 10s] : 0Hardware Output Queue: [ 10s] : 0Software Output Queue: [ 10s] : 0Available Memory: [ 10s] : 45293568Used Memory: [ 10s] : 21815296Xlate Count: [ 10s] : 0Connection Count: [ 10s] : 0TCP Connection Count: [ 10s] : 0UDP Connection Count: [ 10s] : 0URL Filtering Count: [ 10s] : 0URL Server Filtering Count: [ 10s] : 0TCP Fixup Count: [ 10s] : 0TCP Intercept Count: [ 10s] : 0HTTP Fixup Count: [ 10s] : 0FTP Fixup Count: [ 10s] : 0AAA Authentication Count: [ 10s] : 0AAA Authorzation Count: [ 10s] : 0AAA Accounting Count: [ 10s] : 0Current Xlates: [ 10s] : 0Max Xlates: [ 10s] : 0ISAKMP SAs: [ 10s] : 0IPSec SAs: [ 10s] : 0L2TP Sessions: [ 10s] : 0L2TP Tunnels: [ 10s] : 0PPTP Sessions: [ 10s] : 0PPTP Tunnels: [ 10s] : 0Related Commands
clear pdm
fixup protocol
setup
show pdmperfmon
To display performance information, use the perfmon command.
perfmon {verbose | interval seconds | quiet | settings}
Syntax Description
Defaults
The seconds is 120 seconds.
Command Modes
Security Context Mode: single context mode and multiple context mode
Access Location: context command line
Command Mode: privileged mode
Firewall Mode: routed firewall mode and transparent firewall mode
Command History
Usage Guidelines
The perfmon command allows you to monitor the performance of the FWSM. Use the show perfmon command to display the information immediately. Use the perfmon verbose command to display the information every 2 minutes continuously. Use the perfmon interval seconds command with the perfmon verbose command to display the information continuously every number of seconds that you specify.
An example of the performance information is displayed as follows:
This information lists the number of translations, connections, Websense requests, address translations (called "fixups"), and AAA transactions that occur each second.
Examples
This example shows how to display the performance monitor statistics every 30 seconds on the FWSM console:
fwsm/context_name(config)# perfmon interval 120fwsm/context_name(config)# perfmon quietfwsm/context_name(config)# perfmon settingsinterval: 120 (seconds)quietRelated Commands
show perfmon
ping
To determine if other IP addresses are visible from the FWSM, use the ping command.
ping [interface_name] ip_address
Syntax Description
interface_name
(Optional) Internal or external network interface name.
ip_address
IP address of a host on the inside or outside networks.
Defaults
This command has no default settings.
Command Modes
Security Context Mode: single context mode and multiple context mode
Access Location: system and context command line
Command Mode: privileged mode
Firewall Mode: routed firewall mode and transparent firewall mode
Command History
Usage Guidelines
The ping command allows you to determine if the FWSM has connectivity or if a host is available on the network. If the FWSM is connected also ensure that the icmppermit any interface command is configured. This configuration is required to allow the FWSM to respond and accept these messages. The command output shows if the response was received. If a host is not responding, when you enter the ping command, you see the display "NO response received." Use the show interface command to ensure that the FWSM is connected to the network and is passing traffic.
The address of the specified interface_name is used as the source address of the ping.
If you want internal hosts to ping external hosts, you must create an ICMP access-list command for an echo reply; for example, to give ping access to all hosts, use the access-list acl_grp permit icmp any any command and bind the access-list command to the interface that you want to test using the access-group command.
If you are pinging through the FWSM between hosts or routers, but the pings are not successful, use the debug icmp trace command to monitor the success of the ping. Pings are successful when they are both inbound and outbound.
The FWSM ping command does not require an interface name. If you do not specify an interface name, the FWSM checks the routing table to find the address that you specify. You can specify an interface name to indicate through which interface the ICMP echo requests are sent.
An example of the usage is as follows:
fwsm(config)# ping 10.0.0.110.0.0.1 response received -- 10ms10.0.0.1 response received -- 10ms10.0.0.1 response received -- 0msYou can enter the command specifying the interface as follows:
fwsm(config)# ping outside 10.0.0.110.0.0.1 response received -- 10ms10.0.0.1 response received -- 10ms10.0.0.1 response received -- 0ms
Examples
This example shows how to determine if other IP addresses are visible from the FWSM:
fwsm(config)# ping 192.168.42.54192.168.42.54 response received -- 0Ms192.168.42.54 response received -- 0Ms192.168.42.54 response received -- 0MsRelated Commands
icmp
show interfaceprivilege
To configure the command privilege levels, use the privilege command. To disallow the configuration, use the no form of this command.
[no] privilege [show | clear | configure] level level [mode {enable | configure}] command command
Syntax Description
Defaults
This command has no default settings.
Command Modes
Security Context Mode: single context mode and multiple context mode
Access Location: system command line
Command Mode: configuration mode
Firewall Mode: routed firewall mode and transparent firewall mode
Command History
Usage Guidelines
The privilege command allows you to set user-defined privilege levels for the FWSM commands. This command is useful for setting different privilege levels for related configuration, show, and clear commands. Make sure that you verify privilege level changes in your commands with your security policies before using the new privilege levels.
When commands and users have privilege levels set, the two are compared to determine if a given user can execute a given command. If the user's privilege level is lower than the privilege level of the command, the user is prevented from executing the command.
To change between privilege levels, use the login command to access another privilege level and the appropriate logout, exit, or quit command to exit that level.
The mode enable and mode configure keywords are for commands with both enable and configure modes.
Lower privilege level numbers are lower privilege levels.
Note
Examples
This example shows how to set the privilege level "5" for an individual user as follows:
username intern1 password pass1 privilege 5This example shows how to define a set of show commands with the privilege level "5" as follows:
fwsm(config)# level:fwsm(config)# privilege show level 5 command aliasfwsm(config)# privilege show level 5 command applyfwsm(config)# privilege show level 5 command arpfwsm(config)# privilege show level 5 command auth-promptfwsm(config)# privilege show level 5 command blocksThis example shows how to apply privilege level 11 to a complete AAA authorization configuration:
fwsm(config)# privilege configure level 11 command aaafwsm(config)# privilege configure level 11 command aaa-serverfwsm(config)# privilege configure level 11 command access-groupfwsm(config)# privilege configure level 11 command access-listfwsm(config)# privilege configure level 11 command activation-keyfwsm(config)# privilege configure level 11 command agefwsm(config)# privilege configure level 11 command aliasfwsm(config)# privilege configure level 11 command applyRelated Commands
aaa authentication
clear privilege
login
object-group
show curpriv
show privilege
usernamepwd
To display the current working directory, use the pwd command.
pwd
Syntax Description
This command has no arguments or keywords.
Defaults
This command has no default settings.
Command Modes
Security Context Mode: single context mode and multiple context mode
Access Location: system command line
Command Mode: privileged mode
Fiewall Mode: Routed and Transparent
Command History
Examples
This example shows how to display the current working directory:
fwsm(config)# pwddisk:Related Commands
cd
copy disk
copy flash
copy startup-config
copy tftp
dir
format
mkdir
more
rename
rmdir
show filequit
To exit the current privilege level or mode, use the quit command.
quit
Syntax Description
This command has no arguments or keywords.
Defaults
This command has no default settings.
Command Modes
Security Context Mode: single context mode and multiple context mode
Access Location: System Context Command Line
Command Mode: Unprivileged
Firewall Mode: routed firewall mode and transparent firewall mode
Command History
Usage Guidelines
You may also use the key sequence ^Z to exit.
Examples
This example shows how to use the quit command:
fwsm(config)# quitfwsm# quitfwsm>Related Commands
redistribute
To configure redistribution between the Open Shortest Path First (OSPF) processes according to the specified parameters, use the redistribute command. To remove redistribution configurations, use the no form of this command.
redistribute {static | connected} [metric metric_value] [metric-type metric_type] [route-map map_name] [tag tag_value] [subnets]
redistribute ospf pid [match {internal | external [1 | 2] | nssa-external [1 | 2]}] [metric metric_value] [metric-type metric_type] [route-map map_name] [tag tag_value] [subnets]
Syntax Description
Defaults
This command has no default settings.
Command Modes
Security Context Mode: single context mode
Access Location: system command line
Command Mode: configuration mode
Firewall Mode: Routed
Command History
Usage Guidelines
The show ospf command allows you to display the configured router ospf subcommands.
You assign the pid locally on the FWSM; it can be from 1 to 65535. You must assign a unique value for each OSPF routing process.
Examples
This example shows how to configure redistribution between the OSPF processes according to the specified parameters:
fwsm(config)# redistribute staticRelated Commands
router ospf
show ip ospf
show redistribute
reload
To reboot and reload the configuration, use the reload command..
reload [noconfirm]
Syntax Description
Defaults
This command has no default settings.
Command Modes
Security Context Mode: single context mode and multiple context mode
Access Location: systemcommand line
Command Mode: privileged mode
Firewall Mode: routed firewall mode and transparent firewall mode
Command History
Usage Guidelines
The reload command allows you to reboot the FWSM and reload the configuration from a bootable floppy disk. If a disk is not present, it allows you to reboot and reload from the Flash partition.
The FWSM does not accept abbreviations for noconfirm.
You are prompted for confirmation before the "Proceed with reload?" message displays. Any response other than n causes the reboot to occur.
Note
Examples
This example shows how to reboot and reload the configuration:
fwsm(config)# reloadProceed with reload? [confirm] yRebooting...fwsm Bios V2.7...Related Commands
shutdown
rename
To rename a file or a directory from the source filename to the destination filename, use the rename command.
rename [disk:] [source-path] [disk:] [destination-path]
Syntax Description
Defaults
This command has no default settings.
Command Modes
Security Context Mode: single context mode and multiple context mode
Access Location: system command line
Command Mode: privileged mode
Firewall Mode: routed firewall mode and transparent firewall mode
Command History
Usage Guidelines
The rename disk: disk: command prompts you to enter a source and destination filename.
Examples
This example shows how to show the contents of a file named test1:
fwsm(config)# rename disk: disk:Source filename [running-config]? testDestination filename [n]? test1Related Commands
cd
copy disk
copy flash
copy startup-config
copy tftp
dir
format
mkdir
more
pwd
rmdir
show filerip
To enable and change Routing Information Protocol (RIP) settings, use the rip command. To disable the FWSM IP routing table updates, use the no form of this command.
[no] rip interface_name {default | passive} [version [1 | 2]] [authentication [text | md5 key [key_id]]]
no rip interface_name
Syntax Description
Defaults
Enabled
Command Modes
Security Context Mode: single context mode
Access Location: system and context command line
Command Mode: configuration mode
Firewall Mode: routed firewall mode
Command History
Usage Guidelines
The rip command allows you to enable IP routing table updates from received RIP broadcasts. If you specify RIP version 2, you can encrypt RIP updates using MD5 encryption. The version 1 keyword provides backward compatibility with the older version.
Ensure that the key and key_id arguments are the same that are used on any other device in your network that makes RIP version 2 updates. The key is a text string of up to 16 characters.
The FWSM cannot pass RIP updates between interfaces.
You configure RIP version 2 in passive mode. The FWSM listens for RIP routing broadcasts and uses that information to populate its routing tables. The FWSM accepts RIP version 2 multicast updates with an IP destination of 224.0.0.9. For RIP version 2 default mode, the FWSM transmits default route updates using an IP destination of 224.0.0.9. Configuring RIP version 2 registers the multicast address 224.0.0.9 so that the interface can accept multicast RIP version 2 updates.
Only Intel 10/100 and Gigabit interfaces support multicasting.
When you remove the RIP version 2 commands for an interface, you are unregistering the multicast address from the interface card.
Examples
This example shows how to sample output from the version 1 show rip and rip inside default commands:
fwsm/context_name(config)# show riprip outside passiveno rip outside defaultrip inside passiveno rip inside defaultfwsm/context_name(config)# rip inside defaultfwsm/context_name(config)# show riprip outside passiveno rip outside defaultrip inside passiverip inside defaultThe next example shows how to combine version 1 and version 2 commands and list the information with the show rip command after entering the rip commands. The rip commands allow you to do the following.
•
•
•
fwsm/context_name(config)# rip outside passive version 2 authentication md5 thisisakey 2fwsm/context_name(config)# rip outside default version 2 authentication md5 thisisakey 2fwsm/context_name(config)# rip inside passivefwsm/context_name(config)# rip dmz passive version 2fwsm/context_name(config)# show riprip outside passive version 2 authentication md5 thisisakey 2rip outside default version 2 authentication md5 thisisakey 2rip inside passive version 1rip dmz passive version 2This example shows how to use the version 2 feature that passes the encryption key in text form:
fwsm/context_name(config)# rip out default version 2 authentication text thisisakey 3fwsm/context_name(config)# show riprip outside default version 2 authentication text thisisakey 3Related Commands
clear rip
show riprmdir
To remove the existing directory, use the rmdir command.
rmdir [disk:] [path]
Syntax Description
disk:
(Optional) Changes the current working directory.
path
(Optional) Specifies the directory location.
Defaults
This command has no default settings.
Command Modes
Security Context Mode: single context mode and multiple context mode
Access Location: system command line
Command Mode: privileged mode
Firewall Mode: routed firewall mode and transparent firewall mode
Command History
Usage Guidelines
If a file exists in the directory, the command fails. The rmdir command asks you for confirmation before removing the directory. The rmdir disk: command prompts you to enter the name of the directory that you are removing.
Examples
This example shows how to remove an existing directory:
fwsm(config)# rmdir testRelated Commands
cd
copy disk
copy flash
copy startup-config
copy tftp
dir
format
mkdir
more
pwd
rename
show fileroute
To enter a static or default route for the specified interface, use the route command. Use the no form of this command to remove routes from the specified interface.
[no] route interface_name ip_address netmask gateway_ip [metric]
Syntax Description
Defaults
metric is 1.
Command Modes
Security Context Mode: single context mode
Access Location: context command line
Command Mode: configuration mode
Firewall Mode: routed firewall mode and transparent firewall mode
Command History
Usage Guidelines
Use the route command to enter a default or static route for an interface. To enter a default route, set ip_address and netmask to 0.0.0.0, or use the shortened form of 0. All routes that are entered using the route command are stored in the configuration when it is saved.
If you are not sure about the number of hops to gateway_ip, enter 1. Your network administrator can supply this information or you can use a traceroute command to obtain the number of hops.
Create static routes to access networks that are connected outside a router on any interface. For example, the FWSM sends all packets that are destined to the 192.168.42.0 network through the 192.168.1.5 router with this static route command.
fwsm/context_name(config)# route dmz 192.168.42.0 255.255.255.0 192.168.1.5 1The routing table automatically specifies the IP address of a FWSM interface in the route command. Once you enter the IP address for each interface, the FWSM creates a route statement entry that is not deleted when you use the clear route command.
If the route command uses the IP address from one of the FWSM's interfaces as the gateway IP address, the FWSM will ARP for the destination IP address in the packet instead of ARPing for the gateway IP address.
Examples
This example shows how to specify one default route command for an outside interface:
fwsm/context_name(config)# route outside 0 0 209.165.201.1 1This example shows how to add these static route commands to provide access to the networks:
fwsm/context_name(config)# route dmz1 10.1.2.0 255.0.0.0 10.1.1.4 1fwsm/context_name(config)# route dmz1 10.1.3.0 255.0.0.0 10.1.1.4 1Related Commands
clear route
show routeroute-map
To define the conditions for redistributing routes from one routing protocol into another, use the route-map command. To delete a map, use the no form of this command.
[no] route-map map_tag [permit | deny] [seq_num]
Syntax Description
Defaults
The defaults are as follows:
•
•
Command Modes
Security Context Mode: single context mode
Access Location: system and context command line
Command Mode: privileged mode
Transparent Mode: Routed
Command History
Usage Guidelines
The route-map command allows you to redistribute routes or to subject packets to policy routing.
The route-map global configuration command and the match and set route-map configuration commands define the conditions for redistributing routes from one routing protocol into another. Each route-map command has match and set commands that are associated with it. The match commands specify the match criteria that are the conditions under which redistribution is allowed for the current route-map command. The set commands specify the set actions, which are the redistribution actions to perform if the criteria enforced by the match commands are met. The no route-map command deletes the route map.
The match route-map configuration command has multiple formats. You can give the match commands in any order, and all match commands must pass to cause the route to be redistributed according to the set actions given with the set commands. The no form of the match commands removes the specified match criteria.
Use route maps when you want detailed control over how routes are redistributed between routing processes. You specify the destination routing protocol with the router global configuration command. You specify the source routing protocol with the redistribute router configuration command.
When you pass routes through a route map, a route map can have several parts. Any route that does not match at least one match clause relating to a route-map command is ignored; the route is not advertised for outbound route maps and is not accepted for inbound route maps. To modify only some data, you must configure a second route map section with an explicit match specified.
Another purpose of route maps is to enable policy routing. Use the ip policy route-map command, in addition to the route-map command, and the match and set commands to define the conditions for policy routing packets. The match commands specify the conditions under which policy routing occurs. The set commands specify the routing actions to perform if the criteria enforced by the match commands are met. You might want to specify policy route packets in a way other than the obvious shortest path.
The seq_number argument is as follows:
1.
2.
3.
If the no route-map map-tag command is specified (with no seq-num argument), the whole route map is deleted.
If the match criteria are not met, and you specify the permit keyword, the next route map with the same map_tag is tested. If a route passes none of the match criteria for the set of route maps sharing the same name, it is not redistributed by that set.
Examples
This example show how to configure a route map in OSPF routing:
fwsm(config)# route-map maptag1 permit 8fwsm#(config-route-map)# set metric 5fwsm#(config-route-map)# match metric 5fwsm#(config-route-map)# set metric-type type-2fwsm#(config-route-map)# show route-maproute-map maptag1 permit 8set metric 5set metric-type type-2match metric 5fwsm#(config-route-map)# exitfwsm#(config)#Related Commands
clear route-map
match interface (route map submode)
match ip next-hop (route map submode)
match ip route-source (route map submode)
match metric (route map submode)
match route-type (route map submode)
set ip next-hop
set ip next-hop (route map submode)
set metric
set metric-type
show route-maprouter
To configure the router's IP address, use the router command. To remove the router ID, use the no form of this command.
[no] router ip_address
Syntax Description
Defaults
This command has no default settings.
Command Modes
Security Context Mode: single context mode
Access Location: system and context command line
Command Mode: configuration mode
Transparent Mode: Routed
Command History
Examples
This example shows how to configure the router's IP address:
fwsm(config)# router 122.34 45.10Related Commands
router-id
To configure the fixed router ID for an Open Shortest Path First (OSPF) process, use the router-id command. To use the previous OSPF router ID behavior, use the no form of this command to reset the OSPF.
[no] router-id ip_address
Syntax Description
This command has no default settings.
Command Modes
Security Context Mode: single context mode
Access Location: system and context command line
Command Mode: configuration mode
Transparent Mode: Routed
Command History
Usage Guidelines
If the highest-level IP address on the FWSM is a private address, then this address is sent in hello packets and database definitions (DBDs). To prevent this situation, set the router-id ip_address to a global address.
Examples
This example shows how to configure the fixed router ID for OSPF:
fwsm(config)# router-id 123.45.46.10Related Commands
router ospf
show ospf
show routing
show router-idrouter ospf
To enable OSPF routing through the FWSM, use the router ospf command. To terminate the OSPF routing process specified by its pid, use the no form of this command.
[no] router ospf pid
Syntax Description
pid
Internally used identification parameter for an OSPF routing process; valid values are from 1 to 65534.
Defaults
OSPF routing is disabled on the FWSM.
Command Modes
Security Context Mode: single context mode and multiple context mode
Access Location: context command line
Command Mode: configuration mode
Firewall Mode: routed firewall mode
Command History
Usage Guidelines
The OSPF protocol is used instead of the Routing Information Protocol (RIP). Do not attempt to configure the FWSM for both OSPF and RIP at the same time.
The router ospf command is the global configuration command for OSPF routing processes running on the FWSM.
Once you enter the router ospf command, the command prompt appears as (config-router)#, indicating that you are in the submode.
When using the no router ospf command, you do not need to specify optional arguments unless they provide necessary information. The no router ospf command terminates the OSPF routing process specified by its pid.
The show ospf command displays the configured router ospf subcommands.
You assign the pid locally on the firewall. You must assign a unique value for each OSPF routing process.
Once you enter the route-ospf command, the command prompt appears as (config-router)#, indicating that you are in the submode.
The router ospf command is used with the following OSPF-specific subcommands to configure OSPF routing processes:
•
•
•
•
•
•
•
•
•
•
•
Examples
This example shows how to enter the submode on the outside interface of the FWSM:
fwsm(config)# router ospf 5Related Commands
route-map
routing interface
show ip ospf
See also the list of subcommands in the "Usage Guidelines" section.routing interface
To configures interface-specific Open Shorttest Path First (OSPF) routing parameters, use the routing interface command. To remove the routing configuration for the interface specified only, use the no form of this command.
[no] routing interface interface_name
Syntax Description
Defaults
OSPF routing is disabled on the FWSM interfaces.
Command Modes
Security Context Mode: single context mode and multiple context mode
Access Location: context command line
Command Mode: configuration mode
Firewall Mode: routed firewall mode
Usage Guidelines
The routing interface interface_name command is the main command for all interface-specific OSPF interface mode commands. Enter this command with the name of the FWSM interface (interface_name) that you want to configure, and then proceed with interface-specific configuration through the routing interface subcommands. You do not need to specify optional arguments in the no forms of the routing interface subcommands (unless they provide necessary information).
Examples
This example shows how to enter the submode on the outside interface of the FWSM:
fwsm(config)# routing interface outside
Note
This example shows the configuration for two concurrently running OSPF processes, with the IDs 5 and 12, on the outside interface of the FWSM:
fwsm(config)# routing interfacefwsm(config)# show ospfRouting Process "ospf 5" with ID 127.0.0.1 and Domain ID 0.0.0.5Supports only single TOS(TOS0) routesSupports opaque LSASPF schedule delay 5 secs, Hold time between two SPFs 10 secsMinimum LSA interval 5 secs. Minimum LSA arrival 1 secsNumber of external LSA 0. Checksum Sum 0x 0Number of opaque AS LSA 0. Checksum Sum 0x 0Number of DCbitless external and opaque AS LSA 0Number of DoNotAge external and opaque AS LSA 0Number of areas in this router is 0. 0 normal 0 stub 0 nssaExternal flood list length 0Routing Process "ospf 12" with ID 172.23.59.232 and Domain ID 0.0.0.12Supports only single TOS(TOS0) routesSupports opaque LSASPF schedule delay 5 secs, Hold time between two SPFs 10 secsMinimum LSA interval 5 secs. Minimum LSA arrival 1 secsNumber of external LSA 0. Checksum Sum 0x 0Number of opaque AS LSA 0. Checksum Sum 0x 0Number of DCbitless external and opaque AS LSA 0Number of DoNotAge external and opaque AS LSA 0Number of areas in this router is 0. 0 normal 0 stub 0 nssaExternal flood list length 0This example shows how to change the retransmit interval to 15 seconds:
fwsm(config)# ospf retransmit-interval 15Related Commands
ospf (interface submode)
route-map
router ospfrpc-server
To create the remote processor call (RPC) services table, use the rpc-server command. To remove the RPC services table from the configuration, use the no form of this command.
[no] rpc-server ifc_name ip_addr mask service service_type protocol [TCP | UDP] port port [-port] timeout hh:mm:ss
no rpc-server active service service_type server ip_addr
Syntax Description
Defaults
This command has no default settings.
Command Modes
Security Context Mode: single context mode
Access Location: system and context command line
Command Mode: configuration mode
Command History
Examples
This example shows how to create an RPC services table:
fwsm/context_name(config)# rpc-server inside 30.26.0.23 255.255.0.0 service 2147483647 protocol TCP port 2222 timeout 0:03:00Related Commands
