Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference, 2.3
C Commands

Table Of Contents

ca authenticate

ca configure

ca crl request

ca enroll

ca generate rsa

ca identity

ca save all

ca subject-name

ca verifycertdn

ca zeroize rsa

capture

cd

changeto

checkheaps

class

clear

clear aaa

clear aaa accounting

clear aaa authentication

clear aaa authorization

clear aaa-server

clear access-group

clear access-list

clear activation-key

clear alias

clear arp

clear arp-inspection

clear auth-prompt

clear banner

clear blocks

clear ca

clear capture

clear class

clear configure

clear conn

clear console-output

clear context

clear counters

clear crashdump

clear crypto dynamic-map

clear crypto interface counters

clear crypto ipsec sa

clear crypto isakmp sa

clear dhcpd

clear dhcprelay

clear dispatch stats

clear dynamic-map

clear established

clear failover

clear filter

clear firewall

clear fixup

clear flashfs

clear floodguard

clear fragment

clear ftp

clear gc

clear global

clear hostname

clear http

clear icmp

clear interface stats

clear ip address

clear ip ospf

clear ip verify reverse-path

clear local-host

clear logging

clear mac-address-table

clear mac-learn

clear mgcp

clear monitor-interface

clear mp-passwd

clear nat

clear name

clear names

clear object-group

clear pager

clear password

clear pdm

clear privilege

clear resource usage

clear rip

clear route

clear route-map

clear routing

clear rpc-server

clear same-security-traffic

clear service

clear shun

clear snmp-server

clear ssh

clear static

clear sysopt

clear tacacs-server

clear telnet

clear terminal

clear tftp-server

clear timeout

clear uauth

clear url-block

clear url-cache

clear url-server

clear username

clear virtual

clear vpngroup

clear xlate

compatible rfc1583

configure

config-url (context submode)

context

copy capture

copy disk

copy flash

copy ftp

copy http(s)

copy running-config/copy startup-config

copy tftp

crashdump force

crypto dynamic-map

crypto ipsec security-association lifetime

crypto ipsec transform-set

crypto map client

crypto map interface

crypto map ipsec

crypto map set peer

crypto map set pfs

crypto map set security-association lifetime

crypto map set session-key

crypto map set transform-set

crypto match address



ca authenticate

To allow the FWSM to authenticate its certification authority (CA) by obtaining the CA's self-signed certificate, which contains the CA's public key, use the ca authenticate command.

ca authenticate ca_nickname [fingerprint]

Syntax Description

ca_nickname

Name of the certification authority (CA).

fingerprint

(Optional) Key consisting of alphanumeric characters that the FWSM uses to authenticate the CA's certificate.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

You can enter any string for ca_nickname. If you previously declared the CA and want to update its characteristics, specify the name you previously created. The CA might require a particular name, such as its domain name.

The FWSM supports only one CA at a time.

The FWSM supports the CA servers from VeriSign, Entrust, Baltimore Technologies, and Microsoft.

The certificate lifetime and the certificate revocation list (CRL) are checked in coordinated universal time (UTC). The FWSM clock is synchronized with the switch. This clock setting determines the certificate lifetime and revocation.

The FWSM authenticates the entity certificate (the device certificate). The FWSM assumes that the certificate is issued by the same trusted point or root (the CA server). As a result, the trusted point or root should have the same root certificate (issuer certificate). The FWSM assumes that the entity exchanges the entity certificate only and cannot process a certificate chain that includes both the entity and root certificates.

To authenticate a peer's certificate(s), the FWSM must obtain the CA certificate containing the CA public key. Because the CA certificate is a self-signed certificate, you should authenticate the key manually by contacting the CA administrator. You can authenticate the public key in that certificate by including the key's fingerprint within the ca authenticate command. The FWSM will discard the received CA certificate and generate an error message if the fingerprint that you specified is different from the received one. You can also compare the two fingerprints without entering the key within the command.

If you are using RA mode (within the ca configure command), when you issue the ca authenticate command, the RA signing and encryption certificates and the CA certificate are returned from the CA.

The ca authenticate command is not saved to the FWSM configuration. However, the public keys that are embedded in the received CA (and RA) certificates are saved in the configuration as part of the RSA public key record (called the "RSA public key chain"). To save the public keys permanently to the Flash partition, use the ca save all command. To see the CA's certificate, use the show ca certificate command.


Note: If the CA does not respond within the timeout period after this command is entered, terminal control is returned so that the terminal is not tied up. In this situation, you must reenter the command.


Examples

This example shows that a request for the CA's certificate was sent to the CA. The fingerprint was not included in the command. The CA sends its certificate and the FWSM prompts for verification of the CA's certificate by checking the CA certificate's fingerprint. If both fingerprints match, then the certificate is considered valid.

fwsm/context_name(config)# ca authenticate myca
Certificate has the following attributes:
Fingerprint: 0123 4567 89AB CDEF 0123

This example shows the error message. The fingerprint is included in the command. The two fingerprints do not match, and therefore the certificate is not valid.

fwsm/context_name(config)# ca authenticate myca 0123456789ABCDEF0123
Certificate has the following attributes:
Fingerprint: 0123 4567 89AB CDEF 5432
%Error in verifying the received fingerprint. Type help or `?' for a list of 
available commands.
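
The out-of-band fingerprint check described under Usage Guidelines, as an added Python example that is not part of the Cisco reference: it reads a console transcript of ca authenticate, extracts the fingerprint the FWSM displayed, and compares it with the value obtained from the CA administrator. The function names and status strings are this example's own; the transcripts are the two sessions shown above.

```python
import hmac
import re

# Console transcripts copied from the two examples above.
SESSION_NO_FP = """\
fwsm/context_name(config)# ca authenticate myca
Certificate has the following attributes:
Fingerprint: 0123 4567 89AB CDEF 0123
"""
SESSION_WITH_FP = """\
fwsm/context_name(config)# ca authenticate myca 0123456789ABCDEF0123
Certificate has the following attributes:
Fingerprint: 0123 4567 89AB CDEF 5432
%Error in verifying the received fingerprint. Type help or `?' for a list of
available commands.
"""

# Matches the command line, with or without the optional fingerprint argument.
CMD_RE = re.compile(r"ca authenticate\s+(\S+)(?:\s+(\S.*))?$")


def normalize(fingerprint):
    """Drop spaces and colons and upper-case, so display grouping is ignored."""
    cleaned = re.sub(r"[\s:]", "", fingerprint).upper()
    if re.fullmatch(r"[0-9A-F]+", cleaned) is None:
        raise ValueError("fingerprint is not hexadecimal: %r" % fingerprint)
    return cleaned


def audit_ca_authenticate(transcript, trusted_fingerprint):
    """Classify one ca authenticate session against the out-of-band value."""
    trusted = normalize(trusted_fingerprint)
    typed = shown = None
    device_error = False
    for raw in transcript.splitlines():
        line = raw.strip()
        cmd = CMD_RE.search(line)
        if cmd:
            typed = normalize(cmd.group(2)) if cmd.group(2) else None
        elif line.startswith("Fingerprint:"):
            shown = normalize(line.split(":", 1)[1])
        elif line.startswith("%Error in verifying the received fingerprint"):
            device_error = True
    if shown is None:
        return "no-certificate-received"
    if device_error:
        # The FWSM discarded the CA certificate because the values differed.
        return "rejected-by-fwsm"
    if typed is not None and not hmac.compare_digest(typed, trusted):
        # The operator typed something other than the out-of-band value.
        return "typed-fingerprint-not-trusted-value"
    if not hmac.compare_digest(shown, trusted):
        return "mismatch"
    # Without a fingerprint on the command line the operator must confirm.
    return "match" if typed is not None else "match-confirm-manually"


if __name__ == "__main__":
    print(audit_ca_authenticate(SESSION_NO_FP, "0123 4567 89AB CDEF 0123"))
    print(audit_ca_authenticate(SESSION_WITH_FP, "0123456789ABCDEF0123"))
```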

Related Commands

show ca

ca configure

To specify the communication parameters between the FWSM and the CA, use the ca configure command. To return to the default settings, use the no form of this command.

[no] ca configure ca_nickname {ca | ra} retry_period retry_count [crloptional]

Syntax Description

ca_nickname

Name of the certification authority (CA).

ca

Contacts the CA.

ra

Contacts the registration authority (RA).

retry_period

Number of minutes that the FWSM waits before resending a certificate request to the CA when it does not receive a response from the CA to its previous request; valid values are from 1 to 60 minutes.

retry_count

Number of times that the FWSM resends a certificate request when it does not receive a certificate from the CA in response to the previous request; valid values are from 1 to 100.

crloptional

(Optional) Allows other peers' certificates to be accepted by the FWSM even if the appropriate certificate revocation list (CRL) is not accessible to the FWSM.


Defaults

The defaults are as follows:

The retry_period is 1 minute.

The retry_count is 0 (there is no limit to the number of times that the FWSM should contact the CA to obtain a pending certificate).

By default, the crloptional keyword is not specified.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

You can enter any string for ca_nickname. If you previously declared the CA and want to update its characteristics, specify the name that you previously created. The CA might require a particular name, such as its domain name.

The FWSM supports only one CA at a time.

Examples

This example shows that myca is the name of the CA and that the CA is contacted rather than the RA. It also indicates that the FWSM will wait 5 minutes before sending another certificate request, if it does not receive a response, and will resend a total of 15 times before dropping its request. If the CRL is not accessible, crloptional tells the FWSM to accept other peers' certificates.

fwsm/context_name(config)# ca configure myca ca 5 15 crloptional

Related Commands

ca authenticate
show ca


ca crl request

To allow the FWSM to obtain an updated CRL from the CA at any time, use the ca crl request command. To delete the CRL from the FWSM, use the no form of this command.

[no] ca crl request ca_nickname

Syntax Description

ca_nickname

Name of the certification authority (CA).


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

You can enter any string for ca_nickname. If you previously declared the CA and want to update its characteristics, specify the name you previously created. The CA might require a particular name, such as its domain name.

The FWSM supports only one CA at a time.

A CRL lists all the network devices' certificates that have been revoked. The FWSM will not accept revoked certificates; any peer with a revoked certificate cannot exchange IPSec traffic with the FWSM.

The first time that the FWSM receives a certificate from a peer, it downloads a CRL from the CA. The FWSM then checks the CRL to make sure that the peer's certificate has not been revoked. If the certificate appears on the CRL, it will not accept the certificate and will not authenticate the peer.

A CRL can be reused with subsequent certificates until the CRL expires. When the CRL expires, the FWSM automatically updates it by downloading a new CRL and replaces the expired CRL with the new CRL.

If the FWSM has a CRL that has not yet expired, but you suspect that the CRL's contents are out of date, use the ca crl request command to request that the latest CRL be downloaded to replace the old CRL.

The ca crl request command is not saved with the FWSM configuration between reloads.

The show ca crl command shows whether there is a CRL in RAM, and where and when the CRL was downloaded.

Examples

This example shows how the FWSM obtains an updated CRL from the CA with the name myca:

fwsm/context_name(config)# ca crl request myca

Related Commands

ca authenticate
show ca


ca enroll

To send an enrollment request to the CA requesting a certificate for all of the FWSM's key pairs, use the ca enroll command. To cancel the current enrollment request, use the no form of this command.

[no] ca enroll ca_nickname challenge_password [serial] [ipaddress]

Syntax Description

ca_nickname

Name of the certification authority (CA).

challenge_password

Required password that gives the CA administrator some authentication when a user calls to ask for a certificate to be revoked; the password can be up to 80 characters.

serial

(Optional) Returns the FWSM's serial number in the certificate.

ipaddress

(Optional) Returns the FWSM's IP address in the certificate.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

You can enter any string for ca_nickname. (If you previously declared the CA and want to update its characteristics, specify the name that you previously created.) The CA might require a particular name, such as its domain name.

The FWSM supports only one CA at a time.

You can use the ca enroll command to send an enrollment request to the CA requesting a certificate for all of the FWSM's key pairs. This action is also known as "enrolling" with the CA.

The FWSM needs a signed certificate from the CA for each of its RSA key pairs. If you previously generated general-purpose keys, entering the ca enroll command obtains one certificate corresponding to the one general-purpose RSA key pair. If you previously generated special usage keys, entering this command obtains two certificates corresponding to each of the special-usage RSA key pairs.

If you already have a certificate for the keys, you will not be able to complete this command; instead, you are prompted to remove the existing certificate first.

The ca enroll command is not saved with the FWSM configuration between reloads. To verify if the enrollment process succeeded and to display the FWSM's certificate, use the show ca certificate command.

The required challenge password is necessary in the event that you need to revoke the FWSM's certificate(s). When you ask the CA administrator to revoke the certificate, you must supply this challenge password as a protection against fraudulent or mistaken revocation requests.


Note: Do not forget the password; this password is not stored in memory anywhere.


If you lose the password, the CA administrator may still be able to revoke the FWSM's certificate but will require further manual authentication of the FWSM administrator identity.

The FWSM's serial number is optional. If you provide the serial optional keyword, the serial number is included in the obtained certificate. The serial number is not used by IPSec or Internet Key Exchange (IKE) but may be used by the CA to either authenticate certificates or to later associate a certificate with a particular device. Ask the CA administrator if serial numbers should be included in the certificate. If you are in doubt, specify the serial optional keyword.

The FWSM's IP address is optional. If you enter the ipaddress optional keyword, the IP address is included in the obtained certificate. Normally, you do not include the ipaddress optional keyword because the IP address binds the certificate to a specific entity. If you move the FWSM, you need to issue a new certificate.


Note: When configuring ISAKMP for certificate-based authentication, you should match the ISAKMP identity type with the certificate type. Enter the ca enroll command to obtain a certificate with the identity based on the host name. Enter the isakmp identity command to obtain a certificate based on the address instead of the host name. You can reconcile this disparity of identity types by using the isakmp identity address command. See the isakmp command for information about the isakmp identity address command.


Examples

This example shows how the FWSM sends an enrollment request to the CA myca.example.com:

fwsm/context_name(config)# ca enroll myca.example.com 1234567890 serial

Related Commands

ca authenticate
show ca

ca generate rsa

To generate the RSA key pairs for your FWSM, use the ca generate rsa command.

ca generate rsa {key | specialkey} key_modulus_size

Syntax Description

key

Generates an RSA key for the FWSM.

specialkey

Generates two special-purpose RSA key pairs instead of one general-purpose key.

key_modulus_size

Modulus used to generate the RSA key in a size measured in bits; valid values are 512, 768, 1024, and 2048 bits.



Note: Before using this command, make sure that your Firewall Services Module host name and domain name have been configured (using the hostname and domain-name commands). If a domain name is not configured, the FWSM uses a default domain of ciscopix.com.


Defaults

The defaults are as follows:

The RSA key modulus default (during PDM setup) is 768.

The default domain is ciscofwsm.com.

Command Modes

Configuration mode.

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

RSA keys are generated in pairs: one public RSA key and one private RSA key.

If your FWSM already has RSA keys when you use this command, you are warned and prompted to replace the existing keys with new keys.


Note: The larger the key modulus size that you specify, the longer it takes to generate an RSA key pair. We recommend a default value of 768.


PDM uses the Secure Socket Layer (SSL) communications protocol to communicate with the firewall.

SSL uses the private key generated with the ca generate rsa command. For a certificate, SSL uses the key obtained from a certification authority (CA). If that does not exist, it uses the FWSM self-signed certificate that was created when the RSA key pair was generated.

The ca generate rsa command is not saved in the FWSM configuration. However, the keys generated by this command are saved in a persistent data file in the Flash partition, which you can save with the ca save all command and view with the show ca my rsa key command.

Examples

This example shows how one general-purpose RSA key pair is generated. The selected size of the key modulus is 1024.

fwsm(config)# ca generate rsa key 1024
Key name:firewall.cisco.com
 Usage:General Purpose Key
 Key Data:
  30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00c8ed4c
  9f5e0b52 aea931df 04db2872 5c4c0afd 9bd0920b 5e30de82 63d834ac f2e1db1f
  1047481a 17be5a01 851835f6 18af8e22 45304d53 12584b9c 2f48fad5 31e1be5a
  bb2ddc46 2841b63b f92cb3f9 8de7cb01 d7ea4057 7bb44b4c a64a9cf0 efaacd42
  e291e4ea 67efbf6c 90348b75 320d7fd3 c573037a ddb2dde8 00df782c 39020301 0001
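
The Key Data printed by ca generate rsa is a DER-encoded RSA public key, so the modulus size that was actually generated can be checked from the console output. Added Python example, not part of the Cisco reference: it decodes the dump shown above and compares the modulus length with a minimum. The function names and the 2048-bit default floor are this example's assumptions, not values from this page.

```python
# Key Data copied from the `ca generate rsa key 1024` example above.
KEY_DATA = """
  30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00c8ed4c
  9f5e0b52 aea931df 04db2872 5c4c0afd 9bd0920b 5e30de82 63d834ac f2e1db1f
  1047481a 17be5a01 851835f6 18af8e22 45304d53 12584b9c 2f48fad5 31e1be5a
  bb2ddc46 2841b63b f92cb3f9 8de7cb01 d7ea4057 7bb44b4c a64a9cf0 efaacd42
  e291e4ea 67efbf6c 90348b75 320d7fd3 c573037a ddb2dde8 00df782c 39020301 0001
"""

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1

SEQUENCE, INTEGER, BIT_STRING, OID = 0x30, 0x02, 0x03, 0x06


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short form: length in one byte
        length = first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER element runs past the end of the data")
    return tag, buf[pos:end], end


def expect(tag, wanted, what):
    if tag != wanted:
        raise ValueError("expected %s, found tag 0x%02x" % (what, tag))


def parse_rsa_public_key(hex_dump):
    """Decode a SubjectPublicKeyInfo hex dump and return (modulus, exponent)."""
    der = bytes.fromhex("".join(hex_dump.split()))
    tag, spki, end = read_tlv(der, 0)
    expect(tag, SEQUENCE, "outer SEQUENCE")
    if end != len(der):
        raise ValueError("trailing bytes after the key")
    tag, algorithm, pos = read_tlv(spki, 0)
    expect(tag, SEQUENCE, "AlgorithmIdentifier")
    tag, oid, _ = read_tlv(algorithm, 0)
    expect(tag, OID, "algorithm OID")
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("algorithm is not rsaEncryption")
    tag, bits, _ = read_tlv(spki, pos)
    expect(tag, BIT_STRING, "BIT STRING")
    if not bits or bits[0] != 0:
        raise ValueError("BIT STRING has unused bits")
    tag, rsa_key, _ = read_tlv(bits, 1)    # skip the unused-bits byte
    expect(tag, SEQUENCE, "RSAPublicKey")
    tag, n_bytes, pos = read_tlv(rsa_key, 0)
    expect(tag, INTEGER, "modulus")
    tag, e_bytes, _ = read_tlv(rsa_key, pos)
    expect(tag, INTEGER, "public exponent")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def check_key_data(hex_dump, min_bits=2048):
    """Report the modulus size and whether it meets min_bits (an assumed policy)."""
    modulus, exponent = parse_rsa_public_key(hex_dump)
    bits = modulus.bit_length()
    return {"modulus_bits": bits, "exponent": exponent,
            "meets_minimum": bits >= min_bits}


if __name__ == "__main__":
    print(check_key_data(KEY_DATA))
```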

Related Commands

show ca

ca identity

To declare the CA that the FWSM uses, use the ca identity command. To remove the ca identity command from the configuration and delete all the certificates that are issued by the specified CA and CRLs, use the no form of this command.

[no] ca identity ca_nickname [ca_ipaddress | hostname [:ca_script_location] [ldap_ipaddress | hostname]]

Syntax Description

ca_nickname

Name of the certification authority (CA).

ca_ipaddress

(Optional) CA's IP address.

hostname

(Optional) Host name.

:ca_script_location

(Optional) Location and script on the CA server.

ldap_ipaddress

(Optional) IP address of the Lightweight Directory Access Protocol (LDAP) server.


Defaults

The defaults are as follows:

:ca_script_location—The location and script on the CA server is /cgi-bin/pkiclient.exe.

ldap_ipaddress—Querying of a certificate or a CRL is done through Cisco's PKI protocol.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

If the CA supports LDAP, the query functions may also use LDAP.

The FWSM supports one CA at one time.

If the CA administrator has not put the CGI script in this location, you need to provide the location and the name of the script in the ca identity command.

The FWSM uses a subset of the HTTP protocol to contact the CA and must identify a particular cgi-bin script to handle CA requests. The default location and script on the CA server is /cgi-bin/pkiclient.exe. If the CA administrator has not put the CGI script in the previously listed location, you need to include the location and the name of the script within the ca identity command.

By default, querying a certificate or a CRL is done through Cisco's PKI protocol. If the CA supports the Lightweight Directory Access Protocol (LDAP), the query functions may use LDAP. You must include the IP address of the LDAP server within the ca identity command.

Examples

This example shows that the CA myca.example.com is declared as the FWSM's supported CA. The CA's IP address of 205.139.94.231 is provided.

fwsm/context_name(config)# ca identity myca.example.com 205.139.94.231 

Related Commands

show ca


ca save all

To save the FWSM's RSA key pairs, the CA, RA, and FWSM's certificates, and the CA's CRLs in the persistent data file in the Flash partition between reloads, use the ca save all command. To remove the saved data from the FWSM's Flash partition, use the no form of this command.

[no] ca save all

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The ca save all command is not saved with the FWSM configuration between reloads.

To see the current status of the requested certificates and relevant information of the received certificates, use the show ca certificate command. Because the certificates contain no sensitive data, any user can issue this show command.

Examples

This example shows how to save the FWSM RSA key pairs:

fwsm/context_name(config)# ca save all

Related Commands

show ca

ca subject-name

To create the device certificate with the subject distinguished name (DN), use the ca subject-name command. To remove the subject names, use the no form of this command.

[no] ca subject-name ca_nickname X.500_string

Syntax Description

ca_nickname

Name of the certification authority (CA).

X.500_string

Character string indicating the DN sent.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

Specify the X.500_string using the RFC 1779 format.

The ca subject-name ca_nickname X.500_string command is a certificate enrollment enhancement that supports X.500 directory names.

When the ca subject-name ca_nickname X.500_string command is configured, the FWSM enrolls the device certificate with the subject DN that is specified in the X.500_string using the RFC 1779 format. The supported DN attributes are listed in Table 2-4.

Table 2-4 Supported DN Attributes

Attribute
Description

ou

Organizational Unit Name

o

Organization Name

st

State or Province Name

c

Country Name

ea

E-mail address (a non-RFC 1779 format attribute)


For more information on RFC 1779, refer to http://www.ietf.org/rfc/rfc1779.txt.

FWSM software version 2.2(1) supports X.509 (certificate support) on the VPN client. The Cisco IOS software, the VPN 3000 concentrator, and the FWSM look for the correct VPN group (mode configuration group) according to the "ou" attribute. (The "ou" attribute is part of the subject DN of the device certificate when the Easy VPN client negotiates the RSA signature.)


Note: If you use the X.500_string to communicate between a Cisco VPN 3000 head end and the FWSM, you must not configure the VPN 3000 head end to use DNS names for the backup servers. Instead, you must specify the backup servers by their IP addresses.


Examples

This example shows how to create the device certificate with the subject DN (where my_department is the VPN group):

fwsm/context_name(config)# ca subject-name myca ou=my_department, o=my_org, st=CA, c=US

Related Commands

show ca

ca verifycertdn

To verify the certificate's Distinguished Name (DN) and act as a subject name filter that is based on the X.500_string, use the ca verifycertdn command. To disable subject name filtering, use the no form of this command.

[no] ca verifycertdn X.500_string

Syntax Description

X.500_string

Character string that indicates the DN sent.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

If you enter the ca verifycertdn command and the subject name of the peer certificate matches the X.500_string, then it is filtered out and ISAKMP negotiation fails.

Examples

This example shows how to verify the certificate's DN:

fwsm/context_name(config)# ca verifycertdn woeruweoru

Related Commands

show ca

ca zeroize rsa

To delete all the RSA keys that were previously generated by the FWSM, use the ca zeroize rsa command.

ca zeroize rsa [keypair_name]

Syntax Description

keypair_name

(Optional) Name of the key pair.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The ca zeroize rsa command deletes all the RSA keys that were previously generated by the FWSM. If you use this command, you must also perform two additional tasks as follows:

1. Use the no ca identity command to manually remove the FWSM's certificates from the configuration. This step deletes all the certificates that were issued by the CA.

2. Ask the CA administrator to revoke the FWSM's certificates at the CA. Supply the challenge password that you created when you originally obtained the FWSM's certificates using the crypto ca enroll command.

To save the RSA key pair, enter the ca save all command. To delete a specific RSA key pair, specify the name of the RSA key that you want to delete using the optional keyword keypair_name within the ca zeroize rsa command.


Note: You may have more than one pair of RSA keys due to the Secure Shell (SSH). See the ssh command for more information.


Examples

This example shows how to delete the RSA keys:

fwsm/context_name(config)# ca zeroize rsa keys

Related Commands

show ca

capture

To enable packet capture capabilities for packet sniffing and network fault isolation, use the capture command. To disable packet capture capabilities, use the no form of this command.

capture capture_name [access-list access_list_name] [buffer buf_size] [ethernet-type type] [interface interface_name] [packet-length bytes] [circular-buffer]

no capture capture_name [access-list access_list_name] [circular-buffer] [interface interface_name]

Syntax Description

capture_name

Name of the packet capture.

access-list access_list_name

(Optional) Selects packets based on IP or higher fields for a specific access list identification.

buffer buf_size

(Optional) Defines the buffer size used to store the packet in bytes.

ethernet-type type

(Optional) Selects an EtherType to exclude from capture.

interface interface_name

(Optional) Name of the interface on which to use packet capture.

packet-length bytes

(Optional) Sets the maximum number of bytes of each packet to store in the capture buffer.

circular-buffer

(Optional) Overwrites the buffer, starting from the beginning, when the buffer is full.


Defaults

The defaults are as follows:

The buffer size is 512 KB.

All the EtherTypes are accepted.

All the IP packets are matched.

The packet-length is 68 bytes.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

Capturing packets is useful when troubleshooting connectivity problems or monitoring suspicious activity. The FWSM can track packet information for traffic that passes through the general-purpose processor, including management traffic and inspection engines. The FWSM cannot capture traffic that goes through the network processors (such as most through traffic). We recommend contacting technical support if you want to use the packet capture feature.

When selecting an EtherType to exclude from capture, an exception occurs with the 802.1Q or VLAN type. The 802.1Q tag is automatically skipped and the inner EtherType is used for matching. By default, all the EtherTypes are accepted.

Once the byte buffer is full, packet capture stops.

To enable packet capturing, attach the capture to an interface with the interface optional argument. Multiple interface statements attach the capture to multiple interfaces.

If you copy the buffer contents to a TFTP server in ASCII format, then you will see only the headers, not the details and hexadecimal dump of the packets. To see the details and hexadecimal dump, you need to transfer the buffer in PCAP format and then read it with TCPDUMP or Ethereal.

The ethernet-type and access-list optional keywords select the packets to store in the buffer. A packet must pass both the Ethernet and access list filters before the packet is stored in the capture buffer.

The capture capture_name circular-buffer command allows you to enable the capture buffer to overwrite itself, starting from the beginning, when the capture buffer is full.

Enter the no capture command with either the access-list or interface optional keyword unless you want to clear the capture itself. Entering no capture without optional keywords deletes the capture. If the access-list optional keyword is specified, the access list is removed from the capture and the capture is preserved. If the interface optional keyword is specified, the capture is detached from the specified interface and the capture is preserved.


Note: The capture command is not saved to the configuration, and the capture command is not copied to the standby module during failover.


Use the copy capture: capture_name tftp://server/path [pcap] command to copy capture information to a remote TFTP server.

Use the https://fwsm-ip-address/capture/capture_name[/pcap] command to see the packet capture information with a web browser.

If you specify the pcap optional keyword, then a libpcap-format file is downloaded to the web browser and can be saved using the web browser. (A libpcap file can be viewed with TCPDUMP or Ethereal.)

Examples

To enable packet capture, enter the following:

fwsm(config)# capture captest interface inside interface outside

On a web browser, the capture contents for a capture named "mycapture" can be viewed at the following location:

https://171.69.38.95/capture/mycapture/pcap


To download a libpcap file (used in web browsers such as Internet Explorer or Netscape Navigator) to a local machine, enter the following:

https://171.69.38.95/capture/http/pcap

This example shows that the traffic is captured from an outside host at 171.71.69.234 to an inside HTTP server:

fwsm/context_name(config)# access-list http permit tcp host 10.120.56.15 eq http host 171.71.69.234
fwsm/context_name(config)# access-list http permit tcp host 171.71.69.234 host 10.120.56.15 eq http
fwsm/context_name(config)# capture http access-list http packet-length 74 interface inside

This example shows how to capture ARP packets:

fwsm/context_name(config)# capture arp ethernet-type arp interface outside
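
The packet-length 74 capture above stores at most 74 bytes per packet, and a libpcap file keeps both the stored and the on-wire length of every record. The following Python is an added example, not part of the Cisco reference: it parses a libpcap file such as the one downloaded from the /pcap URL and reports how many packets were truncated. The sample file is constructed inline, and the code assumes the writer fills in the on-wire length as libpcap writers normally do.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap magic (microsecond timestamps)
GLOBAL_HDR = "IHHiIII"   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "IIII"      # ts_sec, ts_usec, incl_len (stored), orig_len (on the wire)


def build_sample_pcap(packet_length=74, endian="<"):
    """Constructed sample file: two Ethernet frames cut to packet_length bytes."""
    out = struct.pack(endian + GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0, packet_length, 1)
    wire_frames = [bytes(60), bytes(512)]  # constructed payloads, not real traffic
    for i, frame in enumerate(wire_frames):
        stored = frame[:packet_length]
        out += struct.pack(endian + RECORD_HDR, 1000 + i, 0, len(stored), len(frame))
        out += stored
    return out


def parse_pcap(data):
    """Return (snaplen, linktype, [(timestamp, incl_len, orig_len), ...])."""
    hdr_size = struct.calcsize("<" + GLOBAL_HDR)
    if len(data) < hdr_size:
        raise ValueError("too short for a libpcap global header")
    # The magic number reveals the byte order the writer used.
    for endian in ("<", ">"):
        if struct.unpack(endian + "I", data[:4])[0] == PCAP_MAGIC:
            break
    else:
        raise ValueError("not a classic libpcap file")
    fields = struct.unpack(endian + GLOBAL_HDR, data[:hdr_size])
    snaplen, linktype = fields[5], fields[6]

    rec_size = struct.calcsize(endian + RECORD_HDR)
    packets, offset = [], hdr_size
    while offset < len(data):
        if offset + rec_size > len(data):
            raise ValueError("file ends inside a record header")
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(
            endian + RECORD_HDR, data[offset:offset + rec_size])
        offset += rec_size
        if offset + incl_len > len(data):
            raise ValueError("file ends inside packet data")
        packets.append((ts_sec + ts_usec / 1e6, incl_len, orig_len))
        offset += incl_len
    return snaplen, linktype, packets


def truncation_report(data):
    """Summarize how much of the traffic the capture length cut off."""
    snaplen, linktype, packets = parse_pcap(data)
    truncated = [(incl, orig) for _, incl, orig in packets if incl < orig]
    return {
        "snaplen": snaplen,
        "linktype": linktype,  # 1 is Ethernet
        "packets": len(packets),
        "truncated": len(truncated),
        "bytes_missing": sum(orig - incl for incl, orig in truncated),
    }


if __name__ == "__main__":
    print(truncation_report(build_sample_pcap(74)))
```

A non-zero truncated count means payload analysis on that capture is incomplete; headers up to the capture length are still usable.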

Related Commands

clear capture
copy capture
show capture

cd

To change the current working directory to the one specified, use the cd command.

cd disk: path

Syntax Description

disk: path

Changes the current working directory.


Defaults

If you do not specify a directory, the directory is changed to the root of the disk.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system command line

Command Mode: privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to change to the config directory:

fwsm#(config)# cd disk:/config/

Related Commands

copy disk
copy flash
copy tftp
dir
format
mkdir
more
pwd
rename
rmdir

changeto

To change the execution space in which commands are applied, use the changeto command.

changeto {system | context name}

Syntax Description

system

Changes the command execution space to system.

context

Changes the command execution space to context.

name

Execution space name.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: multiple context mode

Access Location: system and context command line

Command Mode: privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The name of the context is inserted in the command line prompt. The prompt changes only when you are working within a context. The prompt does not change when you change from single context mode to multiple context mode.

Examples

This example shows how to change to a context named "test1":

fwsm(config)# changeto context test1
fwsm#/my_context(config)# 

This example shows how to change from the context named "test1" back to the system context:

fwsm#/my_context(config)# changeto system
fwsm#(config)# 

Related Commands

context

checkheaps

To configure checkheaps verification intervals, use the checkheaps command in global configuration mode. To set the value to the default, use the no form of this command. Checkheaps is a periodic process that verifies the sanity of the heap memory buffers (dynamic memory is allocated from the system heap memory region) and the integrity of the code region.

checkheaps {check-interval | validate-checksum} seconds

[no] checkheaps {check-interval | validate-checksum} [seconds]

Syntax Description

check-interval

Sets the buffer verification interval. The buffer verification process checks the sanity of the heap (allocated and freed memory buffers). During each invocation of the process, the FWSM checks the entire heap, validating each memory buffer. If there is a discrepancy, the FWSM issues either an "allocated buffer error" or a "free buffer error." If there is an error, the FWSM dumps traceback information when possible and reloads.

validate-checksum

Sets the code space checksum validation interval. When the FWSM first boots up, the FWSM calculates a hash of the entire code. Later, during the periodic check, the FWSM generates a new hash and compares it to the original. If there is a mismatch, the FWSM issues a "text checksum checkheaps error." If there is an error, the FWSM dumps traceback information when possible and reloads.

seconds

Sets the interval in seconds between 1 and 2147483.


Defaults

The default intervals are 60 seconds each.

Command Modes

Security Context Mode: single context and system mode

Access Location: system and context command line

Command Mode: global configuration

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.3

This command was introduced.


Examples

The following example sets the buffer allocation interval to 200 seconds and the code space checksum interval to 500 seconds:

fwsm(config)# checkheaps check-interval 200
fwsm(config)# checkheaps validate-checksum 500

Related Commands

show checkheaps

class

To create a class to which you can assign contexts and then enter the class submode, use the class command. Use the no form of this command to remove a class.

[no] class name

Syntax Description

name

Class name string of up to 20 characters.


Defaults

The default class is a special class to which all the unassigned contexts belong.

Command Modes

Security Context Mode: multiple context mode

Access Location: system command line

Command Mode: privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The class parameters determine the resource limitations for each class member. The class name is limited to 20 characters. The default class cannot be removed. Enter default for the name to change the limits for the default class. To remove a class, use the no form of this command. After you enter the class command, the FWSM enters the class subconfiguration mode. In this submode, you can enter the limit-resource (class submode) command.

By default, all the security contexts have access to most of the FWSM resources. However, if you find that one or more contexts use too many resources, and they cause other contexts to be denied connections, then you can configure resource management to limit the use of resources per context.

See the limit-resource (class submode) command for a list of resources. See also the show resource types command.


Note The FWSM does not limit the bandwidth per context. The switch/router containing the FWSM can limit the bandwidth per VLAN. Refer to the Catalyst 6500 series switch or Cisco 7600 series router documentation for more information.


Default Class

All the contexts belong to the default class if they are not assigned to another class; you do not have to actively assign a context to default.

If a context belongs to another class, the other class settings always override the default class settings. However, if the other class has any settings that are not defined, then the member context uses the default class for those limits. For example, you create a class with a 2 percent limit for all the concurrent connections, but no other limits. All other limits are inherited from default. Conversely, if you create a class with a 2 percent limit for all the resources, the class uses no settings from default.

By default, the default class provides unlimited access to most resources for all the contexts. The following resources are limited per context:

Telnet—5

SSH—5

IPsec—5

Bridge-table entries—65,535

All other contexts provide unlimited access.

Resource Members

To use the settings of a resource class, assign the context to the class. All contexts belong to the default class if they are not assigned to another class; you do not have to actively assign a context to the default. You can only assign a context to one resource class. The exception is that the limits that are undefined in the member class are inherited from the default class. A context could be a member of the default plus another class.

To assign a context to a class, enter the member (context submode) command.
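
The inheritance rules in the Default Class and Resource Members sections can be checked offline against a saved configuration. The following Python is an added example, not part of the Cisco reference: it resolves the effective limit of each context and lists the resources a context can still use without limit. The configuration text is constructed, and the resource keywords (conns, xlates, mac-addresses and so on), the rule that a specific limit overrides all within one class, and the reading of 0 as unlimited are assumptions to confirm with show resource types and the limit-resource (class submode) command.

```python
# Built-in per-context limits of the default class, as listed on this page.
# The keywords used as dictionary keys are assumptions, not taken from the page.
BUILTIN_DEFAULT = {"telnet": "5", "ssh": "5", "ipsec": "5", "mac-addresses": "65535"}

# Constructed sample configuration (class and context names are hypothetical).
SAMPLE_CONFIG = """\
class default
  limit-resource conns 10%
class gold
  limit-resource conns 2%
class locked
  limit-resource all 2%
context admin
context customerA
  member gold
context customerB
  member locked
"""


def parse_config(text):
    """Return ({class: {resource: limit}}, {context: class})."""
    classes, members = {"default": {}}, {}
    section = None  # ("class" | "context", name) of the block being read
    for raw in text.splitlines():
        words = raw.split()
        if len(words) == 2 and words[0] == "class":
            section = ("class", words[1])
            classes.setdefault(words[1], {})
        elif len(words) == 2 and words[0] == "context":
            section = ("context", words[1])
            # A context that is never assigned belongs to the default class.
            members.setdefault(words[1], "default")
        elif len(words) == 3 and words[0] == "limit-resource" and section and section[0] == "class":
            classes[section[1]][words[1]] = words[2]
        elif len(words) == 2 and words[0] == "member" and section and section[0] == "context":
            members[section[1]] = words[1]
    return classes, members


def effective_limit(classes, class_name, resource):
    """Return (limit, where it came from) for one resource of one class."""
    for name in (class_name, "default"):
        limits = classes.get(name, {})
        # Assumption: a per-resource limit wins over "all" in the same class.
        limit = limits.get(resource, limits.get("all"))
        if limit is not None:
            # Assumption: a limit of 0 means unlimited.
            return ("unlimited" if limit == "0" else limit, name)
    if resource in BUILTIN_DEFAULT:
        return BUILTIN_DEFAULT[resource], "built-in default"
    return "unlimited", "built-in default"


def audit(text, resources):
    """Effective limits for every context in the configuration."""
    classes, members = parse_config(text)
    return {
        ctx: {res: effective_limit(classes, cls, res) for res in resources}
        for ctx, cls in members.items()
    }


def unlimited_findings(text, resources):
    """(context, resource) pairs that end up without any limit."""
    return sorted(
        (ctx, res)
        for ctx, row in audit(text, resources).items()
        for res, (limit, _) in row.items()
        if limit == "unlimited"
    )


if __name__ == "__main__":
    for finding in unlimited_findings(SAMPLE_CONFIG, ["conns", "ssh", "xlates"]):
        print("no limit:", finding)
```

In the sample, customerB inherits nothing from default because its class sets all, while admin and customerA are still unlimited for xlates.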

Examples

This example shows how to create a class named "empire":

fwsm(config)# class empire
fwsm#(config-class)# limit-resource all 50%
fwsm#(config-class)# limit-resource empire 50%
fwsm#(config-class)# exit

fwsm(config)# show class
Class Name           Members    ID   Flags
default                All       1    0001
empire                   0       2    0000

This example shows how to change the default class parameters:

fwsm(config)# class default
fwsm#(config-class)# limit-resource all 10%
fwsm#(config-class)# limit-resource default 50%
fwsm#(config-class)# exit

Related Commands

config-url (context submode)
limit-resource (class submode)
show class
show context
show resource allocation
show resource types

clear

To remove configuration files and commands from the configuration or reset command values, use a form of the clear command.

clear command

Syntax Description

command

Item to remove or reset.


Defaults

The default setting depends on which clear command is used.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

You can use the no form of a command to change the configuration.

The clear commands can be used in modes with different security levels. The clear commands that can be used in less secure modes can also be used in more secure modes. However, if a clear command appears in a more secure mode, that command is not available in a less secure mode.

clear aaa

To enable, disable, or view TACACS+, RADIUS, or local user authentication, authorization, and accounting, use the clear aaa command.

clear aaa authentication | authorization | accounting

Syntax Description

authentication

Specifies AAA authentication.

authorization

Specifies AAA authorization.

accounting

Specifies AAA accounting.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to remove a defined server group:

fwsm/context_name(config)# clear aaa authentication

Related Commands

aaa-server
clear aaa accounting
clear aaa authentication
clear aaa authorization

clear aaa accounting

To clear the local, TACACS+, or RADIUS user account, use the clear aaa accounting command.

clear aaa accounting {include | exclude} service interface_name source_ip source_mask [destination_ip destination_mask] server_tag

Syntax Description

include

Creates a new rule with the specified service to include.

exclude

Creates an exception to a previously stated rule by excluding the specified service from accounting.

service

Accounting service; valid values are any, ftp, http, telnet, or protocol/port.

interface_name

Interface name from which users require authentication.

source_ip

IP address of the source host or network of the hosts that you want to be authenticated or authorized.

source_mask

Network mask of the source IP.

destination_ip

(Optional) IP address of the hosts that you want to access the source IP address; 0 indicates all hosts.

destination_mask

(Optional) Network mask of the destination IP.

server_tag

AAA server group tag.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

When specifying the service, use any to provide accounting for all the TCP services. To provide accounting for UDP services, use the protocol/port argument. For protocol/port, the TCP protocol appears as 6, the UDP protocol appears as 17, and so on, and the port is the TCP or UDP destination port. A port value of 0 (zero) indicates all the ports. For protocols other than TCP and UDP, the port is not applicable and should not be used. Enter LOCAL to use the local FWSM user authentication database.

Examples

This example shows how to clear the user account:

fwsm/context_name(config)# clear aaa accounting

Related Commands

aaa accounting

clear aaa authentication

To clear the local, TACACS+, or RADIUS user authentication, use the clear aaa authentication command.

clear aaa authentication {include | exclude} authen_service interface_name source_ip source_mask [destination_ip destination_mask] server_tag

Syntax Description

include

Creates a new rule with the specified service to include.

exclude

Creates an exception to a previously stated rule by excluding the specified service from accounting.

authen_service

Type of traffic to include or exclude from authentication based on the service optional keyword selected. See the "Usage Guidelines" section for valid values.

interface_name

Interface name from which users require authentication.

source_ip

IP address of the local host or network of the hosts that you want to be authenticated or authorized.

source_mask

Network mask of the local IP.

destination_ip

(Optional) IP address of the hosts that you want to access the local IP address; 0 indicates all hosts.

destination_mask

(Optional) Network mask of the destination IP.

server_tag

AAA server group tag.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

Enter LOCAL to use the local FWSM user authentication database.

Examples

This example shows how to clear AAA authentication:

fwsm/context_name(config)# clear aaa authentication

Related Commands

aaa accounting

clear aaa authorization

To clear the local or TACACS+ user authentication, use the clear aaa authorization command.

clear aaa authorization {include | exclude} authen_service interface_name source_ip source_mask [destination_ip destination_mask] server_tag

Syntax Description

include

Creates a new rule with the specified service to include.

exclude

Creates an exception to a previously stated rule by excluding the specified service from accounting.

authen_service

Type of traffic to include or exclude from authentication based on the service optional keyword selected. See the "Usage Guidelines" section for valid values.

interface_name

Interface name from which users require authentication.

source_ip

IP address of the local host or network of the hosts that you want to be authenticated or authorized.

source_mask

Network mask of the local IP.

destination_ip

(Optional) IP address of the hosts that you want to access the local IP address; 0 indicates all hosts.

destination_mask

(Optional) Network mask of the destination IP.

server_tag

AAA server group tag.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The aaa authorization command is supported for use with local and TACACS+ servers but not with RADIUS servers. Enter LOCAL to use the local FWSM user authentication database.

Examples

This example shows how to clear AAA authorization:

fwsm/context_name(config)# clear aaa authorization

Related Commands

aaa accounting
clear aaa authentication

clear aaa-server

To remove a defined server group, use the clear aaa-server command.

clear aaa-server [tag]

Syntax Description

tag

(Optional) AAA server group tag; enter LOCAL to use the local FWSM user authentication database.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to remove a defined server group:

fwsm/context_name(config)# clear aaa-server LOCAL

Related Commands

aaa-server

clear access-group

To remove access groups from all the interfaces, use the clear access-group command.

clear access-group

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to remove all the access groups:

fwsm/context_name(config)# clear access-group

Related Commands

access-group
show access-group

clear access-list

To remove an access list or clear an access-list counter, use the clear access-list command.

clear access-list [id [counters]]

Syntax Description

id

(Optional) Name or number of an access list.

counters

(Optional) Clears access-list counters.


Defaults

All the access lists are cleared.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

When you enter the clear access-list command, all the access-list commands, including the access-list deny-flow-max command, are cleared if you do not specify an id. Also removed are commands that refer to an ACL, for example, the access-group command.

Examples

This example shows how to clear a specific access-list counter:

fwsm/context_name(config)# clear access-list 77 23 counters

This example shows how to clear all the access-list counters:

fwsm/context_name(config)# clear access-list inbound counters

Related Commands

access-list extended
show access-list

clear activation-key

To clear the FWSM activation key and revert the FWSM to the default feature set, use the clear activation-key command.

clear activation-key

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

In multiple security context mode, the default feature set allows two contexts.

Examples

This example shows how to clear an activation key:

fwsm(config)# clear activation-key

Related Commands

activation-key

clear alias

To remove all the alias commands from the configuration, use the clear alias command.

clear alias

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to remove all the alias commands from the configuration:

fwsm/context_name(config)# clear alias

Related Commands

alias

clear arp

To clear all the entries in the ARP cache table except for those you configure directly with the arp interface_name ip mac command, use the clear arp command.

clear arp [timeout | statistics]

Syntax Description

timeout

(Optional) Clears the ARP timeout.

statistics

(Optional) Clears the ARP statistics entries.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to clear the ARP cache table entries:

fwsm/context_name(config)# clear arp

Related Commands

arp
show arp

clear arp-inspection

To clear the ARP inspection configuration, use the clear arp-inspection command.

clear arp-inspection

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: Transparent

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to clear the ARP inspection configuration:

fwsm/context_name(config)# clear arp-inspection

Related Commands

arp
arp-inspection
show arp

clear auth-prompt

To clear the AAA challenge text for HTTP, FTP, and Telnet access, use the clear auth-prompt command.

clear auth-prompt

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to clear the AAA challenge text in the authorization prompt:

fwsm/context_name(config)# clear auth-prompt

Related Commands

auth-prompt
show auth-prompt

clear banner

To remove all the banners, use the clear banner command.

clear banner

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to clear banners:

fwsm/context_name(config)# clear banner

Related Commands

banner
show banner

clear blocks

To remove all block information, use the clear blocks command.

clear blocks queue history

Syntax Description

queue

Specifies the block queue.

history

Specifies the blocks history.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to remove all block information:

fwsm/context_name(config)# clear blocks

Related Commands

show blocks

clear ca

To remove the Certificate Authority (CA) configuration, use the clear ca command.

clear ca

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to clear the ca configuration:

fwsm/context_name(config)# clear ca

Related Commands

ca configure
show ca

clear capture

To clear the capture buffer, use the clear capture capture_name command.

clear capture capture_name

Syntax Description

capture_name

Name of the packet capture.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The shortened form of the clear capture (for example, cl cap or clear cap) is not supported to prevent accidental destruction of all the packet captures.

Examples

This example shows how to clear the capture buffer for the capture buffer "orlando":

fwsm/context_name(config)# clear capture orlando

Related Commands

capture
show capture

clear class

To remove all the classes and restore the default class to its default settings, use the clear class command.

clear class

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: multiple context mode

Access Location: system command line

Command Mode: config mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to remove all the classes:

fwsm(config)# clear class

Related Commands

class
show class

clear configure

To clear aspects of the running configuration, use the clear configure command.

clear configure {primary | secondary | all}

Syntax Description

primary

(Optional) Sets particular commands to their default values, removes interface names from all the commands in the configuration, and returns the commands to their default settings.

secondary

(Optional) Removes particular commands from the configuration and returns the commands to their default settings.

all

(Optional) Combines the entire running configuration and returns to the default settings.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The clear configure all command resets a configuration to its default values. Use this command to create a template configuration or when you want to clear all the values.

Using the clear config all command in context mode clears the entire running configuration for a context, but it does not clear that context's configuration URL or delete the context. In addition, the parameters that are entered in the system configuration are not deleted.


Note If you enter the clear configure command in system mode, the system configuration and all context configurations are cleared.


The clear configure primary command resets the interface, ip, mtu, nameif, and route commands to their default values, removes interface names from all the commands in the configuration, and returns to the default settings.

The clear configure secondary command allows you to remove the aaa-server, alias, access-list, apply, global, outbound, static, telnet, and url-server commands from the configuration, and return to the default settings, but does not remove the tftp-server commands.

Use the write erase command to clear the startup configuration in the Flash partition.

Examples

This example shows how to clear the configuration in RAM:

fwsm/context_name(config)# clear configure all

Related Commands

configure
show configure
write

clear conn

To remove the connections from the system, use the clear conn command.

clear conn

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: multiple context mode

Access Location: context command line

Command Mode: privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to remove the connections from the system:

fwsm/context_name# clear conn

Related Commands


show conn

clear console-output

To remove the currently captured console output, use the clear console-output command.

clear console-output

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system command line

Command Mode: privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to remove the currently configured console output:

fwsm/context_name# clear console-output

Related Commands

show console-output

clear context

To stop all contexts (including the admin context) from running and remove the context entries from the system configuration, use the clear context command.

clear context

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: multiple context mode

Access Location: system command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The clear context command clears all contexts, their configuration, and any context subcommands (member and config-url) for all contexts. The clear context command does not remove the RM class definitions.

Examples

This example shows how to stop all the running contexts and remove the context entries from the system configuration:

fwsm(config)# clear context

Related Commands

context
show context

clear counters

To clear the protocol stack counters, use the clear counters command.

clear counters [context context-name | top N | all | summary] [protocol protocol_name [:counter_name] | detail]

Syntax Description

context

(Optional) Specifies a context.

context-name

(Optional) Context name.

top N

(Optional) Displays the counter details for the specified location.

all

(Optional) Displays the filter details.

summary

(Optional) Displays a counter summary.

protocol

(Optional) Displays the counters for the specified protocol.

protocol_name

(Optional) Protocol by name.

:counter_name

(Optional) Counter by name.

detail

(Optional) Displays the counters in detail.


Defaults

clear counters summary detail

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system command line

Command Mode: privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to clear the protocol stack counters:

fwsm(config)# clear counters

Related Commands

show counters

clear crashdump

To delete the crash information file from the Flash partition of the FWSM, use the clear crashdump command.

clear crashdump

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to delete the crash information file:

fwsm(config)# clear crashdump

Related Commands

crashdump force
show crashdump

clear crypto dynamic-map

To remove the crypto dynamic-map commands from the configuration, use the clear crypto dynamic-map command.

clear [crypto] dynamic-map [dynamic-map-name] [dynamic-seq-num]

Syntax Description

crypto

(Optional) Specifies crypto for the dynamic map.

dynamic-map-name

(Optional) Name of the dynamic crypto map set.

dynamic-seq-num

(Optional) Sequence number that corresponds to the dynamic crypto map entry.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The crypto keyword is optional.

Examples

This example shows how to remove the crypto dynamic-map commands from the configuration:

fwsm/context_name(config)# clear crypto dynamic-map alarms 323

Related Commands

crypto dynamic-map
show crypto engine

clear crypto interface counters

To clear the crypto interface counters, use the clear crypto interface counters command.

clear crypto interface counters

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The clear crypto interface counters command clears only the packet, payload byte, queue length, and moving average counters. It does not affect any actual packets that are queued.

Examples

This example shows how to clear the crypto interface counters:

fwsm/context_name(config)# clear crypto interface counters

Related Commands

crypto map interface
show crypto interface

clear crypto ipsec sa

To delete IPSec security associations, use the clear crypto ipsec sa command.

clear [crypto] ipsec sa [counters | entry {destination-address protocol spi} | map map-name | peer]

Syntax Description

crypto

(Optional) Specifies the crypto configuration.

counters

(Optional) Clears the traffic counters that are maintained for each security association.

entry

(Optional) Deletes the IPSec security association with the specified address, protocol, and SPI.

destination-address

(Optional) IP address of the peer or the remote peer.

protocol

(Optional) Security associations by protocol; valid values are ah or esp.

spi

(Optional) Security Parameter Index (SPI) number that is used to identify a security association; valid values are from 256 to 4294967295 (a hexadecimal value of FFFF FFFF).

map map-name

(Optional) Deletes any IPSec security associations for the named crypto map set.

peer

(Optional) Deletes any IPSec security associations for the specified peer.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

If the security associations were established through the Internet Key Exchange (IKE), they are deleted. Future IPSec traffic requires new security associations. When IKE is used, the IPSec security associations are established only when needed.

If the security associations are manually established, the security associations are deleted.

If you enter the clear [crypto] ipsec sa command with no arguments, all the IPSec security associations are deleted.

If the security associations are manually established, the security associations are deleted and reinstalled. (When IKE is not used, the IPSec security associations are created as soon as the configuration is completed.)

If any of the previous commands cause a particular security association to be deleted, all the "sibling" security associations that were established during the same Internet Key Exchange (IKE) negotiation are deleted as well.

The counters optional keyword clears the traffic counters that are maintained for each security association; it does not clear the security association.

If you make configuration changes that affect security associations, these changes will not apply to existing security associations but to negotiations for subsequent security associations. You can use the clear [crypto] ipsec sa command to restart all the security associations so that they use the most current configuration settings. In the case of manually established security associations, if you make changes that affect security associations, you must use the clear [crypto] ipsec sa command before the changes take effect.


Note: If you make significant changes to an IPSec configuration, such as access list or peers, the clear [crypto] ipsec sa command does not activate the new configuration. In such a case, you should rebind the crypto map to the interface with the crypto map interface command.


If the FWSM is processing active IPSec traffic, we recommend that you clear only the portion of the security association database that is affected by the changes to avoid causing active IPSec traffic to temporarily fail.

The clear [crypto] ipsec sa command clears only the IPSec security associations. To clear the IKE security associations, use the clear [crypto] isakmp sa command.

Examples

This example shows how to clear (and reinitialize, if appropriate) all the IPSec security associations at the FWSM:

fwsm/context_name(config)# clear crypto ipsec sa

This example shows how to clear (and reinitialize, if appropriate) the inbound and outbound IPSec security associations that are established for address 10.0.0.1 using the AH protocol with the SPI of 256:

fwsm/context_name(config)# clear crypto ipsec sa entry 10.0.0.1 AH 256

Related Commands

crypto ipsec security-association lifetime
crypto map interface
show crypto map

clear crypto isakmp sa

To remove the isakmp policy commands for IKE SAs from the configuration, use the clear crypto isakmp sa command.

clear crypto isakmp sa

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to remove the isakmp policy commands from the configuration:

fwsm/context_name(config)# clear isakmp sa

Related Commands

isakmp
isakmp policy
show isakmp
show isakmp policy

clear dhcpd

To clear all of the DHCP server commands, binding, and statistics information, use the clear dhcpd command.

clear dhcpd [binding | statistics]

Syntax Description

binding

(Optional) Clears all the client address bindings.

statistics

(Optional) Clears statistical information, such as the address pool, number of bindings, malformed messages, sent messages, and received messages.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The clear dhcpd command clears all of the dhcpd commands, binding, and statistics information. The clear dhcpd statistics command clears the show dhcpd statistics counters.

Examples

This example shows how to clear the dhcpd commands:

fwsm/context_name(config)# clear dhcpd statistics

Related Commands

dhcpd
dhcprelay
show dhcpd
show dhcprelay

clear dhcprelay

To clear the DHCP-relay configuration commands, use the clear dhcprelay command.

clear dhcprelay [statistics]

Syntax Description

statistics

(Optional) Clears the DHCP relay statistical counters.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: Routed

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The clear dhcprelay command clears all DHCP relay configurations. The clear dhcprelay statistics command clears the show dhcprelay statistics counters.

Examples

This example shows how to clear all DHCP relay configurations:

fwsm/context_name(config)# clear dhcprelay statistics

Related Commands

dhcpd
dhcprelay
show dhcpd
show dhcprelay

clear dispatch stats

To clear dispatch layer statistics, use the clear dispatch stats command.

clear dispatch stats [funcid | all]

Syntax Description

funcid

(Optional) Specifies the dispatch layer statistics function ID.

all

(Optional) Specifies all dispatch layer statistics.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system command line

Command Mode: privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to remove all of the dispatch layer statistics:

fwsm(config)# clear dispatch stats all

Related Commands

show dispatch stats
show dispatch table

clear dynamic-map

To delete a dynamic crypto map entry, use the clear dynamic-map command.

clear [crypto] dynamic-map [dynamic-map-name] [dynamic-seq-num]

Syntax Description

crypto

(Optional) Specifies the crypto configuration.

dynamic-map-name

(Optional) Map name.

dynamic-seq-num

(Optional) Map sequence number.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to remove a dynamic map entry:

fwsm/context_name(config)# clear dynamic-map

Related Commands

crypto dynamic-map
dynamic-map

clear established

To remove all established commands, use the clear established command.

clear established

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

To remove an established connection created by the established command, enter the clear xlate command.

Examples

This example shows how to remove established commands:

fwsm/context_name(config)# clear established

Related Commands

established
show established

clear failover

To remove all failover configurations, use the clear failover command.

clear failover

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to remove the failover configuration:

fwsm(config)# clear failover

Related Commands

failover
failover interface ip
failover interface-policy
failover lan interface
failover lan unit
failover link
failover polltime
failover replication http
failover reset
show failover
write standby

clear filter

To remove all filter commands from the configuration, use the clear filter command.

clear filter

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to remove all filter commands:

fwsm/context_name(config)# clear filter

Related Commands

filter ftp
filter https
filter url

clear firewall

To set the firewall mode to the default setting, use the clear firewall command.

clear firewall

Syntax Description

This command has no arguments or keywords.

Defaults

The default firewall mode is routed.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to set the firewall mode to routed:

fwsm/context_name(config)# clear firewall

Related Commands

firewall
show firewall

clear fixup

To reset the fixup configuration, use the clear fixup command.

clear fixup

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The clear fixup command does not remove the default fixup protocol commands.

Examples

This example shows how to reset the fixup configuration:

fwsm/context_name(config)# clear fixup

Related Commands

fixup protocol
show fixup

clear flashfs

To clear the file system part of the Flash partition in the FWSM, use the clear flashfs command.

clear flashfs

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system command line

Command Mode: privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The clear flashfs command clears the file system part of the Flash partition in the FWSM.

The clear flashfs command does not affect the configuration that is stored in the Flash partition.

Examples

This example shows how to clear the file system part of the Flash partition on the FWSM:

fwsm# clear flashfs

Related Commands

clear flashfs
no flashfs
show flashfs

clear floodguard

To disable flood guard, use the clear floodguard command.

clear floodguard

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to disable flood guard:

fwsm/context_name(config)# clear floodguard

Related Commands

floodguard
show floodguard

clear fragment

To reset the fragment databases and defaults, use the clear fragment command.

clear fragment

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The clear fragment command resets the fragment databases. Specifically, all fragments awaiting reassembly are discarded. In addition, the size is reset to 200, the chain limit is reset to 24, and the timeout is reset to 5 seconds.

All fragments currently waiting for reassembly are discarded and the size, chain, and timeout optional keywords are reset to their default values.

The sysopt security fragguard and fragguard commands have been replaced by the fragment command.

Examples

This example shows how to reset the fragment database and defaults:

fwsm/context_name(config)# clear fragment

Related Commands

fragment
show fragment

clear ftp

To set the FTP mode to the default setting, use the clear ftp command.

clear ftp

Syntax Description

This command has no arguments or keywords.

Defaults

The default FTP mode is passive.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to set the FTP mode to passive:

fwsm(config)# clear ftp

Related Commands

ftp mode
show ftp

clear gc

To remove the garbage collection process statistics, use the clear gc command.

clear gc

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system command line

Command Mode: privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to remove the garbage collection process statistics:

fwsm# clear gc

Related Commands

show gc

clear global

To remove the global commands from the configuration, use the clear global command.

clear global

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: Transparent

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to remove the global commands from the configuration:

fwsm/context_name(config)# clear global

Related Commands

global
show global

clear hostname

To clear the host name in the FWSM command line prompt, use the clear hostname command.

clear hostname

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to change a host name:

fwsm(config)# clear hostname 
fwsm(config)# 

Related Commands

hostname
show hostname

clear http

To remove all HTTP hosts and disable the server, use the clear http command.

clear http

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to remove all HTTP hosts and disable the HTTP servers:

fwsm/context_name(config)# clear http

Related Commands

http
show http

clear icmp

To remove the access for ICMP traffic that terminates at an interface, use the clear icmp command.

clear icmp

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The clear icmp command clears the ICMP entries.

Examples

This example shows how to remove the access for ICMP traffic:

fwsm/context_name(config)# clear icmp

Related Commands

icmp
show http

clear interface stats

To clear the interface statistics, use the clear interface stats command.

clear interface [interface] stats

Syntax Description

interface-id

(Optional) Interface identification name or number.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The clear interface command clears all the interface statistics. This command does not shut down all the system interfaces. The clear interface command also clears the packet drop count of Unicast RPF for all interfaces.

Examples

This example shows how to clear the statistics for the inside interface:

fwsm/context_name(config)# clear interface inside stats

Related Commands

interface
show interface

clear ip address

To clear all the IP addresses, use the clear ip address command.

clear ip address

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

After changing an ip address command, use the clear xlate command.

Examples

This example shows how to clear all the interface IP addresses and stop all traffic through the FWSM module:

fwsm/context_name(config)# clear ip address

Related Commands

clear ip verify reverse-path
ip address
ip prefix-list
ip verify reverse-path
show ip address
show ip verify

clear ip ospf

To clear information about the IP OSPF, use the clear ip ospf command.

clear ip ospf [pid] {process | counters | neighbor [neighbor-intf] [neighbr-id]}

Syntax Description

pid

(Optional) Internally used identification parameter for an OSPF routing process; valid values are from 1 to 65535.

process

Clears the OSPF routing process ID.

counters

Clears the OSPF counters.

neighbor

Clears the OSPF neighbor.

neighbor-intf

(Optional) Clears the OSPF interface router designation.

neighbr-id

(Optional) Clears the OSPF neighbor router ID.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode

Access Location: system and context command line

Command Mode: configuration mode

Firewall Mode: Routed

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

This command does not remove any part of the configuration. To remove the OSPF configuration, use the no form of the router ospf or routing interface command.

Examples

This example shows how to clear the OSPF IP parameters:

fwsm/context_name(config)# clear ip ospf

Related Commands

routing interface
show ip ospf

clear ip verify reverse-path

To remove the ip verify reverse-path commands from the configuration, use the clear ip verify reverse-path command.

clear ip verify reverse-path [interface int_name] [statistics]

Syntax Description

interface int_name

Removes the ip verify reverse-path command configuration from the configuration.

statistics

(Optional) Removes the statistical information.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The clear ip verify command allows you to remove the ip verify commands from the configuration. Unicast reverse path forwarding (RPF) is a unidirectional input function that screens inbound packets arriving on an interface. The outbound packets are not screened.

Examples

This example shows how to remove the ip verify reverse-path commands from the configuration:

fwsm/context_name(config)# clear ip verify reverse-path 

Related Commands

clear ip address
ip address
ip prefix-list
ip verify reverse-path
show ip address
show ip verify

clear local-host

To clear the information that is displayed for the local hosts, use the clear local-host command.


Note: Clearing the network state of a local host stops all connections and xlates that are associated with the local hosts.


clear local-host [ip_address]

Syntax Description

ip_address

(Optional) Local host IP address.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

Use the ip_address option to limit the display to a single host.

On the FWSM, the cleared hosts are released from the license limit. You can see the number of hosts that are counted toward the license limit by entering the show local-host command.

Examples

This example shows how the clear local-host command clears the information about the local hosts:

fwsm/context_name(config)# clear local-host 10.1.1.15
fwsm/context_name(config)# show local-host 10.1.1.15

After the information is cleared, nothing more displays until the hosts reestablish their connections.

Related Commands

show local-host

clear logging

To clear the logging buffer, turn on suppressed messages, or reset disallowed messages to the original set, use the clear logging command.

clear logging [rate-limit | disabled]

Syntax Description

rate-limit

Resets the disallowed messages to the original set.

disabled

Turns on all suppressed messages.


Defaults

Entering this command without options clears the logging buffer.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

To clear the logging buffer, enter the clear logging command without any options. To turn on all suppressed messages, enter the clear logging disabled command. To reset disallowed messages, enter the clear logging rate-limit command.

Examples

This example shows how to reset the disallowed messages:

fwsm/context_name(config)# clear logging rate-limit

After the information is cleared, nothing more displays.

Related Commands

show logging rate-limit

clear mac-address-table

To remove the interface name entries from the bridge table, use the clear mac-address-table command.

clear mac-address-table interface_name

Syntax Description

interface_name

Specifies the interface name.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: Transparent

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to remove the interface name entries from the bridge table:

fwsm/context_name(config)# clear mac-address-table my_context

Related Commands

mac-address-table aging-time
mac-address-table static
show mac-address-table

clear mac-learn

To stop MAC learning, use the clear mac-learn command.

clear mac-learn

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: configuration mode

Firewall Mode: Transparent

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to stop MAC learning:

fwsm(config)# clear mac-learn

Related Commands

show mac-learn

clear mgcp

To remove the Media Gateway Command Protocol (MGCP) configuration and reset the command queue limit to the default of 200, use the clear mgcp command.

clear mgcp

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to remove the MGCP configuration and reset the command queue:

fwsm/context_name(config)# clear mgcp

Related Commands

mgcp
show mgcp

clear monitor-interface

To remove the interface-monitor configuration for failover, use the clear monitor-interface command.

clear monitor-interface

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to remove the interface monitor configuration:

fwsm/context_name(config)# clear monitor-interface

Related Commands

failover
monitor-interface
show monitor-interface

clear mp-passwd

To remove the maintenance partition password and reset to the default password, use the clear mp-passwd command.

clear mp-passwd

Syntax Description

This command has no arguments or keywords.

Defaults

The default password is "cisco."

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system command line

Command Mode: privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to remove the maintenance partition password:

fwsm(config)# clear mp-passwd

Related Commands

upgrade-mp

clear nat

To remove the NAT configuration, use the clear nat command.

clear nat

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.

2.2(1)

This command was modified to support UDP maximum connections for local hosts.


Usage Guidelines


Note: In transparent firewall mode, only NAT id 0 is valid.


Examples

This example shows how to remove the NAT configuration:

fwsm/context_name(config)# clear nat

Related Commands

clear nat
nat
show nat

clear name

To clear the list of names from the FWSM configuration, use the clear name command.

clear name

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to clear the name list from the FWSM:

fwsm/context_name(config)# clear name

Related Commands

clear names
name
names
show name
show names

clear names

To disable the use of the name commands, use the clear names command.

clear names

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to disable the use of the names:

fwsm/context_name(config)# clear names

Related Commands

clear name
name
names
show name
show names

clear object-group

To remove all the object group commands from the configuration, use the clear object-group command.

clear object-group [{protocol | service | icmp-type | network}] [obj_grp_id]

Syntax Description

protocol

(Optional) Clears a protocol group.

service

(Optional) Clears a service group.

icmp-type

(Optional) Clears an ICMP group.

network

(Optional) Clears a network group.

obj_grp_id

(Optional) Name of a previously defined object group.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to remove all the object-group commands from the configuration:

fwsm/context_name(config)# clear object-group

Related Commands

object-group
show object-group

clear pager

To restore the pager command default settings, use the clear pager command.

clear pager

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: unprivileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to restore the pager command default settings:

fwsm> clear pager

Related Commands

pager
show pager

clear password

To reset the password to "cisco," use the clear password command.

clear {password | passwd}

Syntax Description

password

Specifies that you are clearing the password.

passwd

Specifies that you are clearing the password.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to reset the password to "cisco":

fwsm(config)# clear password

Related Commands

password/passwd
show password/passwd

clear pdm

To remove all the FWSM Device Manager locations, disable logging, and clear the PDM buffer, use the clear pdm command.

clear pdm [location | group | logging]

Syntax Description

location

(Optional) Specifies the PDM location.

group

(Optional) Specifies the PDM group.

logging

(Optional) Specifies the logging messages and level.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode

Access Location: system and context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The clear pdm, pdm group, pdm history, pdm location, and pdm logging commands may appear in the configuration, but they are designed to work as internal PDM-to-FWSM commands accessible only to the PDM buffer.

Examples

This example shows how to remove all the FWSM Device Manager locations, disable logging, and clear the PDM buffer:

fwsm(config)# clear pdm

Related Commands

pdm
show pdm

clear privilege

To remove the configuration or display privilege levels for the commands, use the clear privilege command.

clear privilege

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to remove the configuration or display privilege levels for the commands:

fwsm(config)# clear privilege

Related Commands

privilege
show privilege

clear resource usage

To set the peak counter to the value of the current counter and clear the denied counter, use the clear resource usage command.

clear resource usage [context context_name | top n | all | summary | system] [resource {[rate] resource_name | all} | detail]

Syntax Description

context

(Optional) Specifies the context.

context_name

(Optional) Name of the context.

top n

(Optional) Specifies a number of resources.

all

(Optional) Specifies all resources.

summary

(Optional) Specifies a summary of resources.

system

(Optional) Specifies the system resources.

resource

(Optional) Specifies a specific resource.

rate

(Optional) Specifies a resource rate.

resource_name

(Optional) Resource name.

all

(Optional) Specifies all resources.

detail

(Optional) Specifies the details.


Defaults

All configurable resources.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system command line

Command Mode: privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The clear resource usage command operates on the resources specified in the command. If no resource type is specified, the command uses the default for all resources. If the resource type detail is specified, all resource types are cleared.

Examples

This example shows how to remove the list of system resources that were used:

fwsm(config)# clear resource usage

Related Commands

show resource allocation
show resource types
show resource usage

clear rip

To remove the Routing Information Protocol (RIP) settings, use the clear rip command.

clear rip

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode

Command Mode: configuration mode

Firewall Mode: Routed

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to remove the RIP settings:

fwsm(config)# clear rip

Related Commands

rip
show rip

clear route

To remove the route commands that do not contain the connect keyword from the configuration, use the clear route command.

clear route [interface_name ip_address [netmask gateway_ip]]

Syntax Description

interface_name

(Optional) Internal or external network interface name.

ip_address

(Optional) Internal or external network IP address.

netmask

(Optional) Specifies a network mask to apply to the ip_address.

gateway_ip

(Optional) Specifies the IP address of the gateway router (the next hop address for this route).


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

Use 0.0.0.0 to specify a default route. You can abbreviate the 0.0.0.0 IP address as 0 and the 0.0.0.0 netmask as 0.

Examples

This example shows how to remove the route commands that do not contain the connect keyword from the configuration:

fwsm(config)# clear route

Related Commands

route
show route

clear route-map

To remove the conditions for redistributing the routes from one routing protocol into another routing protocol, use the clear route-map command.

clear route-map map_tag [permit | deny] [seq_num]

Syntax Description

map_tag

Text for the route map tag. Defines a meaningful name for the route map up to 58 characters in length.

permit

(Optional) Specifies that if the match criteria are met for this route map, the route is redistributed as controlled by the set actions.

deny

(Optional) Specifies that if the match criteria are met for the route map, the route is not redistributed.

seq_num

(Optional) Route map sequence number; valid values are from 0 to 65535.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode

Access Location: context command line

Command Mode: privileged mode

Firewall Mode: transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

If the match criteria are not met, and the permit keyword is specified, the next route map with the same map_tag is tested. If a route passes none of the match criteria for the set of route maps sharing the same name, it is not redistributed by that set.

Examples

This example shows how to remove the conditions of redistributing routes from one routing protocol into another routing protocol:

fwsm(config)# clear route-map 77 permit

Related Commands

route
route-map
show route

clear routing

To reset the interface-specific routing configuration to its defaults and remove the interface-specific routing configuration, use the clear routing command.

clear routing

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode

Access Location: context command line

Command Mode: privileged mode

Firewall Mode: transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

This command does not remove any OSPF data structures that have been defined.

Examples

This example shows how to reset the interface-specific routing configuration to its default settings and remove the interface-specific routing configuration:

fwsm(config)# clear routing

Related Commands

route
route-map
show route

clear rpc-server

To clear the remote procedure call (RPC) services from the FWSM, use the clear rpc-server command.

clear rpc-server [active]

Syntax Description

active

(Optional) Identifies the RPC services that are currently active on the FWSM.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode

Access Location: system and context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The rpc-server command displays the configured router ospf subcommands.


Note: If the highest-level IP address on the FWSM is a private address, this address is sent in hello packets and database definitions (DBDs). To prevent this action, set the router-id ip_address to a global address.


Examples

This example shows how to clear the RPC services from the FWSM:

fwsm(config)# clear rpc-server active

Related Commands

rpc-server
show rpc-server

clear same-security-traffic

To disable the same-security interface communication, use the clear same-security-traffic command.

clear same-security-traffic

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to disable the same-security interface communication:

fwsm(config)# clear same-security-traffic

Related Commands

same-security-traffic
show routing

clear service

To remove the service commands from the configuration, use the clear service command.

clear service

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to remove the service commands from the configuration:

fwsm/context_name(config)# clear service

Related Commands

service
show service

clear shun

To disable all the shuns that are currently enabled and clear the shun statistics, use the clear shun command.

clear shun [statistics]

Syntax Description

statistics

(Optional) Interface counters only.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: privileged mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to disable all the shuns that are currently enabled and clear the shun statistics:

fwsm/context_name(config)# clear shun

Related Commands

show shun
shun

clear snmp-server

To disable the Simple Network Management Protocol (SNMP) server, use the clear snmp-server command.

clear snmp-server

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to disable the SNMP server:

fwsm/context_name(config)# clear snmp-server

Related Commands

show snmp-server
snmp-server

clear ssh

To remove all the ssh commands from the configuration, use the clear ssh command.

clear ssh

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to remove all the ssh commands from the configuration:

fwsm/context_name(config)# clear ssh

Related Commands

show ssh
ssh

clear static

To remove all the static commands from the configuration, use the clear static command.

clear static

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.

2.2(1)

This command was modified to support UDP maximum connections for local hosts.


Examples

This example shows how to remove all the static commands from the configuration:

fwsm/context_name(config)# clear static

Related Commands

show ssh
static

clear sysopt

To remove all the sysopt commands from the configuration, use the clear sysopt command.

clear sysopt

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to remove all the sysopt commands from the configuration:

fwsm/context_name(config)# clear sysopt

Related Commands

show sysopt
sysopt

clear tacacs-server

To remove all the tacacs-server commands from the configuration, use the clear tacacs-server command.

clear tacacs-server

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to remove all the tacacs-server commands from the configuration:

fwsm/context_name(config)# clear tacacs-server

Related Commands

aaa-server
telnet

clear telnet

To remove the Telnet connection and the idle timeout from the configuration, use the clear telnet command.

clear telnet [ip_address [netmask] [interface_name]]

Syntax Description

ip_address

(Optional) IP address of a host or network that can access the FWSM Telnet console.

netmask

(Optional) Bit mask of ip_address.

interface_name

(Optional) Unsecure interface name.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

To limit access to a single IP address, use 255 in each octet; for example, 255.255.255.255. If you do not specify netmask, it defaults to 255.255.255.255 regardless of the class of source_ip. Do not use the subnetwork mask of the internal network. The netmask is only a bit mask for the IP address in ip_address.

If IPSec is operating, you can specify an unsecure interface name, typically, the outside interface. At a minimum, you must configure the crypto map command to specify an interface name with the telnet command.

If you do not specify an interface name, the address is assumed to be on an internal interface. The FWSM automatically verifies the IP address against the IP addresses that are specified by the ip address commands to ensure that the address that you specify is on an internal interface. If an interface name is specified, the FWSM checks only the host against the interface that you specify.

Up to 16 hosts or networks are allowed access to the FWSM console with Telnet; 5 hosts or networks are allowed access to the console at the same time. Use the no telnet or clear telnet commands to remove Telnet access from a previously set IP address. Use the telnet timeout command to set the maximum time that a console Telnet session can be idle before being logged off by the FWSM. The clear telnet command does not affect the telnet timeout command duration. You cannot use the no telnet command with the telnet timeout command.

Examples

This example shows how to remove the Telnet connection and the idle timeout from the FWSM configuration:

fwsm/context_name(config)# clear telnet
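
An added example (not part of the Cisco reference): a Python audit of the Telnet access lines that clear telnet would remove, applying the rules from the usage guidelines above. It assumes the lines take the form telnet ip_address [netmask] [interface_name], mirrored from the clear telnet syntax; the /24 threshold, the set of unsecure interface names, and the sample configuration are constructed for illustration.

```python
import ipaddress

MAX_TELNET_ENTRIES = 16              # limit stated in the usage guidelines
DEFAULT_NETMASK = "255.255.255.255"  # applied when netmask is omitted
MIN_PREFIX = 24                      # assumption: local policy threshold
UNSECURE_INTERFACES = {"outside"}    # assumption: names treated as unsecure

# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
hostname fwsm
telnet 10.1.1.5
telnet 10.1.0.0 255.255.0.0 inside
telnet 192.168.7.20 255.255.255.255 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
"""


def _is_dotted_quad(token):
    """True when token is a dotted-quad IPv4 address or mask."""
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def parse_telnet_entry(line):
    """Return (network, interface_name or None) for a Telnet access line, else None."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "telnet" or not _is_dotted_quad(tokens[1]):
        return None  # other commands, including 'telnet timeout'
    rest = tokens[2:]
    netmask = rest.pop(0) if rest and _is_dotted_quad(rest[0]) else DEFAULT_NETMASK
    interface = rest[0] if rest else None
    # The netmask is only a bit mask for ip_address, so host bits are masked off.
    # A non-contiguous mask raises ValueError here.
    network = ipaddress.IPv4Network(f"{tokens[1]}/{netmask}", strict=False)
    return network, interface


def audit_telnet_access(config_text):
    """Return (entries, findings) for the Telnet access lines in config_text."""
    entries, findings = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        try:
            parsed = parse_telnet_entry(line)
        except ValueError:
            findings.append(("invalid-netmask", line))
            continue
        if parsed is None:
            continue
        network, interface = parsed
        entries.append(parsed)
        if network.prefixlen < MIN_PREFIX:
            findings.append(("broad-source", line))
        if interface in UNSECURE_INTERFACES:
            findings.append(("unsecure-interface", line))
    if len(entries) > MAX_TELNET_ENTRIES:
        findings.append(("too-many-entries", str(len(entries))))
    return entries, findings


if __name__ == "__main__":
    parsed_entries, problems = audit_telnet_access(SAMPLE_CONFIG)
    for network, interface in parsed_entries:
        print(network, interface or "(internal interface assumed)")
    for kind, detail in problems:
        print(f"{kind}: {detail}")
```

Entries reported as broad-source or unsecure-interface are the ones to narrow with no telnet, or to remove together with clear telnet, before access is re-added with a host mask.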

Related Commands

show telnet
telnet

clear terminal

To remove the console terminal line parameter settings, use the clear terminal command.

clear terminal

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to remove the console terminal line parameter settings from the FWSM configuration:

fwsm/context_name(config)# clear terminal

Related Commands

show telnet
terminal

clear tftp-server

To remove the Trivial File Transfer Protocol (TFTP) server address and directory from the configuration, use the clear tftp-server command.

clear tftp-server [[interface_name] ip_address path]

Syntax Description

interface_name

(Optional) Interface name on which the TFTP server resides.

ip_address

(Optional) IP address or network of the TFTP server.

path

(Optional) Path and filename of the configuration file.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

If not specified, an internal interface is assumed. If you specify the outside interface, a warning message informs you that the outside interface is unsecure. The contents of the path are passed directly to the server without interpretation or checking. The format for the path differs by the type of operating system on the server. The configuration file must exist on the TFTP server. Many TFTP servers require the configuration file to be world-writable to write to it and world-readable to read from it.

Examples

This example shows how to remove the TFTP server address and directory from the configuration:

fwsm/context_name(config)# clear tftp-server

Related Commands

show tftp-server
tftp-server

clear timeout

To remove the maximum idle time durations from the configuration, use the clear timeout command.

clear timeout

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to remove the maximum idle time durations from the configuration:

fwsm/context_name(config)# clear timeout

Related Commands

show timeout
timeout

clear uauth

To delete all the authorization caches for a user, use the clear uauth command.

clear uauth [username]

Syntax Description

username

(Optional) Username to enter, to clear, or view user authentication information.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The clear uauth command deletes one user or all the users' AAA authorization and authentication caches, which forces the user or users to reauthenticate the next time that they create a connection.

This command is used with the timeout command.

Each user host IP address has an authorization cache attached to it. If you attempt to access a service that has been cached from the correct host, the FWSM considers it preauthorized and immediately proxies the connection. Once you are authorized to access a website, the authorization server is not contacted for each image as it is loaded (assuming the images come from the same IP address). This process significantly increases performance and reduces the load on the authorization server.

The cache allows up to 16 address and service pairs for each user host.

The output from the show uauth command displays the username that is provided to the authorization server for authentication and authorization purposes, the IP address to which the username is bound, and whether the user is authenticated only or has cached services.


Note: When you enable Xauth, an entry is added to the uauth table (as shown by the show uauth command) for the IP address that is assigned to the client. However, when using Xauth with the Easy VPN Remote feature in Network Extension Mode, the IPSec tunnel is created from network to network, so that the users behind the firewall cannot be associated with a single IP address. For this reason, a uauth entry cannot be created upon completion of Xauth. If AAA authorization or accounting services are required, you can enable the AAA authentication proxy to authenticate users behind the firewall. For more information on AAA authentication proxies, see the aaa commands.


Use the timeout uauth command to specify how long the cache should be kept after the user connections become idle. Use the clear uauth command to delete all the authorization caches for all the users, which will cause them to have to reauthenticate the next time that they create a connection.

Examples

This example shows how to cause the user "Pat" to reauthenticate:

fwsm(config)# clear uauth pat
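
An added example (not part of the Cisco reference): a simplified Python model of the per-host authorization cache described in the usage guidelines, showing that a cached service stays preauthorized after the authorization server revokes it, until clear uauth or the idle timeout removes the entry. The class, its method names, the addresses, and the behavior once 16 pairs are cached are assumptions made for illustration.

```python
MAX_PAIRS_PER_HOST = 16  # per-host limit stated in the usage guidelines


class UauthCache:
    """Simplified model: one cache entry per user host IP address."""

    def __init__(self, idle_timeout):
        self.idle_timeout = idle_timeout  # seconds; plays the role of 'timeout uauth'
        self.hosts = {}  # host_ip -> {"user", "pairs", "last_seen"}

    def authenticate(self, host_ip, username, now):
        self.hosts[host_ip] = {"user": username, "pairs": set(), "last_seen": now}

    def _live_entry(self, host_ip, now):
        entry = self.hosts.get(host_ip)
        if entry and now - entry["last_seen"] > self.idle_timeout:
            del self.hosts[host_ip]  # idle too long: the cache entry expires
            entry = None
        return entry

    def request(self, host_ip, dest_ip, service, server_allows, now):
        """Return (allowed, server_contacted) for one connection attempt."""
        entry = self._live_entry(host_ip, now)
        if entry is None:
            return False, False  # no uauth entry: the user must authenticate first
        entry["last_seen"] = now
        pair = (dest_ip, service)
        if pair in entry["pairs"]:
            return True, False  # preauthorized from the cache
        allowed = server_allows(entry["user"], dest_ip, service)
        # Assumption: once 16 pairs are cached, further pairs are not cached.
        if allowed and len(entry["pairs"]) < MAX_PAIRS_PER_HOST:
            entry["pairs"].add(pair)
        return allowed, True

    def clear_uauth(self, username=None):
        """Model of 'clear uauth [username]'; returns the number of entries removed."""
        doomed = [ip for ip, e in self.hosts.items()
                  if username is None or e["user"] == username]
        for ip in doomed:
            del self.hosts[ip]
        return len(doomed)


def demo():
    """Constructed scenario: a permission is revoked on the server mid-session."""
    granted = {("pat", "192.0.2.80", "http")}  # constructed server-side policy

    def server(user, dest, svc):
        return (user, dest, svc) in granted

    cache = UauthCache(idle_timeout=300)
    cache.authenticate("10.1.1.10", "pat", now=0)
    steps = []
    steps.append(cache.request("10.1.1.10", "192.0.2.80", "http", server, now=1))
    steps.append(cache.request("10.1.1.10", "192.0.2.80", "http", server, now=2))
    granted.clear()  # access revoked on the authorization server
    steps.append(cache.request("10.1.1.10", "192.0.2.80", "http", server, now=3))
    steps.append(cache.clear_uauth("pat"))
    steps.append(cache.request("10.1.1.10", "192.0.2.80", "http", server, now=4))
    return steps


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The third request in the scenario is still allowed without the server being contacted, which is why clear uauth belongs in the procedure for revoking a user's access.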

Related Commands

aaa authorization
show uauth
timeout

clear url-block

To clear the pending URL block buffer and long URL support usage counters, use the clear url-block command.

clear url-block

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The "Current number of packets held (global)" counter is not cleared.

Examples

This example shows how to clear the pending URL block buffer and long URL support usage counters:

fwsm/context_name(config)# clear url-block

Related Commands

show url-block
url-block

clear url-cache

To disable URL caching, use the clear url-cache command.

clear url-cache

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to disable URL caching:

fwsm/context_name(config)# clear url-cache

Related Commands

show url-cache stat
url-cache

clear url-server

To remove the URL filter server from the configuration, use the clear url-server command.

clear url-server

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to remove the URL filter server from the configuration:

fwsm(config)# clear url-server

Related Commands

show url-server
url-server

clear username

To remove usernames from the user authentication local database, use the clear username command.

clear username

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to remove usernames from the user authentication local database:

fwsm(config)# clear username

Related Commands

show username
username

clear virtual

To remove the authentication virtual server from the configuration, use the clear virtual command.

clear virtual

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to remove the authentication virtual server from the configuration:

fwsm/context_name(config)# clear virtual

Related Commands

show virtual
virtual

clear vpngroup

To clear the Easy VPN Remote configuration and security policy that is stored in the Flash partition, use the clear vpngroup command.

clear vpngroup

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Examples

This example shows how to clear the Easy VPN Remote configuration and security policy that is stored in the Flash partition:

fwsm/context_name(config)# clear vpngroup

Related Commands

show vpngroup
vpngroup

clear xlate

To clear the current translation and connection slot information, use the clear xlate command.

clear xlate [global | local ip1[-ip2] [netmask mask]] [gport | lport port1[-port2]] [interface if1[,ifn]] [state static [,portmap] [,norandomseq] [,identity]] [debug] [count]

Syntax Description

global | local ip1 -ip2 netmask mask

(Optional) Clears the active translations by global IP address or local IP address using the network mask to qualify the IP addresses.

interface if1 ,if2 ,ifn

(Optional) Clears the active translations by interface.

gport | lport port -port2

(Optional) Clears the active translations by local and global port specifications. See the "Specifying Port Values" section in "Port and Protocol Values," for a list of valid port literal names.

interface

(Optional) Displays the active translations by interface.

if1 ,if2

(Optional) Specifies the interface.

state static

(Optional) Clears the active translations by state; valid values are static translation (static), dump (cleanup), PAT global (portmap), a nat or static translation with the norandomseq setting (norandomseq), or use of the nat 0 or identity feature (identity).

,portmap

(Optional) Specifies the port map.

norandomseq

(Optional) Specifies no random sequence.

,identity

(Optional) Specifies the identity.

debug

(Optional) Specifies debugging.

count

(Optional) Specifies the count.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The clear xlate command clears the contents of the translation slots. ("xlate" refers to the translation slot.) Always use the clear xlate command because translation slots can persist after adding, changing, or removing the aaa-server, access-list, alias, global, nat, route, or static commands in the configuration.

Examples

This example shows how to clear the current translation and connection slot information:

fwsm/context_name(config)# clear xlate global

Related Commands

show conn
show uauth
show xlate
timeout

compatible rfc1583

To restore the method that is used to calculate the summary route costs per RFC 1583, use the compatible rfc1583 subcommand. To disable RFC 1583 compatibility, use the no form of this command.

[no] compatible rfc1583

Syntax Description

This command has no arguments or keywords.

Defaults

The defaults are as follows:

OSPF routing is disabled on the FWSM.

OSPF routing through the FWSM is compatible with RFC 1583.

Command Modes

Security Context Mode: single context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

1.1(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The Open Shortest Path First (OSPF) protocol is used instead of the Routing Information Protocol (RIP). Do not attempt to configure the FWSM for both OSPF and RIP simultaneously.

The compatible rfc1583 command is a subcommand of the router ospf command. The router ospf command is the global configuration command for OSPF routing processes running on the FWSM. The compatible rfc1583 command is the main command for all of the OSPF configuration commands.

The show ip ospf command displays the configured router ospf subcommands.

The compatible rfc1583 subcommand is displayed in the configuration only if it is disabled by the no compatible rfc1583 subcommand. It displays as "no compatible rfc1583."

Examples

This example shows how to restore the method that is used to calculate the summary route costs per RFC 1583:

fwsm/context_name(config)# compatible rfc1583

Related Commands

router ospf
show ip ospf

configure

To configure from the terminal, Flash partition, or the network, use the configure command. To remove configurations, use the clear configure command.

configure [terminal | memory]

configure net [[tftp_ip]:[filename]]

Syntax Description

terminal

(Optional) Configures from the terminal connection.

memory

(Optional) Configures from the Flash partition.

net

Loads the configuration from a TFTP server and the specified path.

tftp_ip

(Optional) IP address or name of the server from which to merge in a new configuration.

filename

(Optional) Filename that you specify to qualify the location of the configuration file on the TFTP server named in tftp_ip.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

You can configure from the terminal, Flash partition, or the network. The new configuration merges with the active configuration.

You must be in privileged mode to use the configuration commands, except for the configure terminal (config t) command which allows you to start configuration mode from the privileged mode. You can exit configuration mode with the quit command. Use the write memory command to store the changes in the Flash partition, or use the write floppy command to store the configuration on disk.

Each command from the Flash partition (with configure memory) and TFTP transfer (with configure net) is read and evaluated as follows:

If the command in the Flash partition or on the disk is identical to an existing command in the current configuration, it is ignored.

If the command in the Flash partition or on the disk is an additional instance of an existing command, then both commands appear in the current configuration.

If the command redefines an existing command, the command on the disk or Flash partition overwrites the command in the current configuration in RAM. For example, if you have the hostname ram command in the current configuration and the hostname floppy command on the disk, the command in the configuration becomes hostname floppy and the command line prompt changes to match the new host name when that command is read from disk.

If you set a filename with the tftp-server command, do not specify it in the configure command; instead use a colon ( : ) without a filename.

The guidelines for the configure net command are as follows:

The configure net command allows you to merge the current running configuration with a TFTP configuration stored at the IP address that you specify and from the file that you name. If you specify both the IP address and pathname in the tftp-server command, you can specify tftp_ip:filename as a colon ( : ). For example, you can specify configure net :.

Use the write net command to store the configuration in the file.

If you have an existing FWSM configuration on a TFTP server and store a shorter configuration with the same filename on the TFTP server, some TFTP servers will leave some of the original configuration after the first ":end" mark. This situation does not affect the FWSM because the configure net command stops reading when it reaches the first ":end" mark. This situation does not occur if you are using Cisco TFTP Server version 1.1 for Windows NT.


Note: Many TFTP servers require the configuration file to be world-readable to be accessible.


The configure memory command allows you to merge the configuration in the Flash partition into the current configuration in RAM.
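The following Python sketch is an added example, not Cisco code. It models the merge rules and the ":end" stop described above, and lists running-configuration lines that stay active because a merge never removes anything. The SINGLE_INSTANCE set, the handling of other ":" lines, and all sample configuration lines are assumptions constructed for the illustration.

```python
# Sketch of the merge rules described for "configure memory" and "configure net".
# Not FWSM code; it models the three documented outcomes plus the ":end" stop.

# Assumption: commands starting with these keywords exist once per
# configuration, so a different value redefines the existing line. All other
# commands are treated as multi-instance. The FWSM decides this per command.
SINGLE_INSTANCE = {"hostname"}


def read_until_end(text):
    """Return the command lines that precede the first ":end" mark."""
    commands = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            # Assumption: other ":" lines (such as ": Saved") are not commands.
            if line[1:].strip().lower() == "end":
                break
            continue
        commands.append(line)
    return commands


def merge(running, loaded_text):
    """Apply the loaded commands to a copy of the running configuration."""
    merged = list(running)
    actions = []
    for cmd in read_until_end(loaded_text):
        keyword = cmd.split()[0]
        same_keyword = [i for i, old in enumerate(merged)
                        if old.split()[0] == keyword]
        if cmd in merged:
            actions.append(("ignored", cmd))        # identical command
        elif keyword in SINGLE_INSTANCE and same_keyword:
            merged[same_keyword[0]] = cmd           # redefinition overwrites
            actions.append(("overwrote", cmd))
        else:
            merged.append(cmd)                      # additional instance
            actions.append(("added", cmd))
    return merged, actions


def survivors(running, loaded_text, merged):
    """Running-config lines still active after the merge that the file lacks."""
    loaded = set(read_until_end(loaded_text))
    return [cmd for cmd in merged if cmd in running and cmd not in loaded]


# Constructed sample data, not taken from a real device.
RUNNING = [
    "hostname ram",
    "access-list OUTSIDE extended permit tcp any host 10.1.1.20 eq telnet",
    "access-list OUTSIDE extended permit tcp any host 10.1.1.20 eq https",
]
# The last line sits after ":end": the leftover tail of a longer, older file.
LOADED = """\
: Saved
hostname floppy
access-list OUTSIDE extended permit tcp any host 10.1.1.20 eq https
access-list OUTSIDE extended permit tcp any host 10.1.1.21 eq https
:end
access-list OUTSIDE extended permit ip any any
"""

if __name__ == "__main__":
    merged, actions = merge(RUNNING, LOADED)
    for action, cmd in actions:
        print(f"{action:10} {cmd}")
    print("still active but absent from the loaded file:")
    for cmd in survivors(RUNNING, LOADED, merged):
        print("  " + cmd)
```

In the sample, the telnet permit remains active although the loaded file no longer contains it; removing such a line takes an explicit no or clear command before or after the merge.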

Examples

This example shows how to configure the FWSM using a configuration retrieved with TFTP:

fwsm/context_name(config)# configure net 10.1.1.1:/tftp/config/fwsmconfig

The FWSM configuration file is stored on the TFTP server at 10.1.1.1 in the tftp/config folder.

This example shows how to configure the FWSM from the configuration that is stored in the Flash partition:

fwsm/context_name(config)# configure memory

Access privileged mode with the enable command and configuration mode with the configure terminal command. View the current configuration with the write terminal command and save the configuration to the Flash partition using the write memory command.

fwsm> enable
password: 
fwsm# configure terminal
fwsm(config)# write terminal
:  Saved
[... current configuration ...]
:  End
fwsm(config)# write memory

The configure factory-default command is not supported on the FWSM. If you enter it, the FWSM displays this error message:

fwsm(config)# configure factory default
'config factory-default' is not supported on FWSM

Related Commands

show configure

config-url (context submode)

To set the URL from which the FWSM downloads the context file, use the config-url command.

[no] config-url url

Syntax Description

url

URL from which the FWSM downloads the context file (text format).


Defaults

None.

Command Modes

Security Context Mode: multiple context mode

Access Location: system command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

When you add a context URL, the system immediately loads the context so that it is running, if the configuration is available.


Note: Enter the allocate-interface (context submode) command(s) before you enter the config-url command. The FWSM must assign interfaces to the context before it loads the context configuration; the context configuration might include commands that refer to interfaces (interface, nat, global...). If you enter the config-url command first, the FWSM loads the context configuration immediately. If the context contains any commands that refer to interfaces, those commands fail.


See the following URL syntax:

disk://[path/]filename

The disk is a 64-MB partition of Flash that uses a navigable file system. The disk partition is used only for context storage. The system configuration and the software image reside in the Flash partition (called flash). The filename does not require a file extension, although we recommend using ".cfg". If the configuration file is not available, you see the following message:

%Error opening disk:/filename (File not found)

You can then change to the context, configure it at the CLI, and enter the write memory command to write the file to Flash memory.


Note: The admin context file must be stored on the internal Flash memory.


ftp://[user[:password]@]server/[path/]filename

The server must be accessible from the admin context. The filename does not require a file extension, although we recommend using ".cfg".

tftp://server/[path/]filename

The server must be accessible from the admin context. The filename does not require a file extension, although we recommend using ".cfg".

http://server/[path/]filename

The server must be accessible from the admin context. The filename does not require a file extension, although we recommend using ".cfg".

https://server/[path/]filename

The server must be accessible from the admin context. The filename does not require a file extension, although we recommend using ".cfg".

To change the URL, reenter the config-url command with a new URL. However, the new configuration does not overwrite the existing one; instead, the FWSM merges the two configurations. A merge adds any new commands from the new configuration to the running configuration. If the configurations are the same, no changes occur. If the running configuration is blank (for example, if the server was unavailable and the configuration was never downloaded), then the new configuration is used.

Examples

This example shows how to set the URL from which the FWSM downloads the context file:

fwsm(config)# context cisco
fwsm/cisco(config)# allocate-interface vlan100 int0
fwsm/cisco(config)# allocate-interface vlan101 int1
fwsm/cisco(config)# member gold
fwsm/cisco(config)# config-url tftp://10.1.1.1/contexts/cisco.cfg
fwsm/cisco(config)# exit
fwsm(config)# 

Related Commands

Other context submode commands

allocate-interface (context submode)
config-url (context submode)
member (context submode)

Other related commands

class
context
limit-resource (class submode)

context

To create a context and enter the context submode, use the context command. To remove the contexts from the running configuration and remove the context entry from the system configuration, use the clear context command. To delete a single context, use the no form of this command.

[no] context name

Syntax Description

name

Sets the name as a string up to 32 characters long. This name is case sensitive, so you can have two contexts named "customerA" and "CustomerA," for example. You can use letters, digits, or hyphens, but you cannot start or end the name with a hyphen.

This name does not have to match the filename that is specified in the URL.

"System" or "Null" (in upper or lower case letters) are reserved names, and cannot be used.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: multiple context mode

Access Location: system command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The FWSM supports 100 contexts.

You cannot enter any context commands until you have created the first context with the admin-context command. You cannot remove the current admin context with the context command. See the admin-context command for more information.

When you enter the context submode, the following commands are available:

allocate-interface—Indicates the interfaces that are assigned to the context.

allocate-acl-partition—Indicates the memory partition to which the context is assigned.

member—Indicates class membership for a context.

config-url—Indicates the URL for a context configuration.

description—Provides a description of the context.

Examples

This example shows how to create a context:

fwsm(config)# context admincontext
fwsm(config_context)# allocate-interface vlan100 int0
fwsm(config_context)# allocate-interface vlan101 int1
fwsm(config_context)# member gold
fwsm(config_context)# config-url disk:/admin.cfg
fwsm(config_context)# exit
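The following Python lint is an added example, not part of the Cisco reference. It checks a list of context commands against the rules stated for context names (length, characters, reserved names), the supported config-url schemes, and the note that allocate-interface must precede config-url. The sample commands are constructed, and the unencrypted-transport and embedded-password findings are extra checks added here rather than rules from the reference.

```python
import re
from urllib.parse import urlsplit

# Rules taken from the syntax descriptions of "context" and "config-url".
NAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")
RESERVED = {"system", "null"}                 # reserved in any letter case
SCHEMES = {"disk", "ftp", "tftp", "http", "https"}
# Added check, not from the reference: these transports carry the context
# file (and any URL credentials) over the network unencrypted.
UNENCRYPTED = {"ftp", "tftp", "http"}


def check_name(name):
    """Return the rule violations for one context name."""
    problems = []
    if len(name) > 32:
        problems.append("name longer than 32 characters")
    if not NAME_RE.fullmatch(name):
        problems.append("name must use letters, digits or hyphens, "
                        "with no leading or trailing hyphen")
    if name.lower() in RESERVED:
        problems.append("name is reserved")
    return problems


def lint_contexts(text):
    """Return (context, finding) pairs for commands listed in entry order."""
    findings = []
    context, has_interface = None, False
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "context" and len(words) == 2:
            context, has_interface = words[1], False
            findings += [(context, p) for p in check_name(context)]
        elif context is None:
            continue                          # line outside any context
        elif words[0] == "allocate-interface":
            has_interface = True
        elif words[0] == "config-url" and len(words) == 2:
            url = urlsplit(words[1])
            if not has_interface:
                findings.append(
                    (context, "config-url entered before allocate-interface"))
            if url.scheme not in SCHEMES:
                findings.append((context, "unsupported URL scheme"))
            elif url.scheme in UNENCRYPTED:
                findings.append(
                    (context, "context file fetched over unencrypted "
                     + url.scheme))
            if url.password:
                findings.append((context, "password embedded in config-url"))
    return findings


# Constructed sample: commands in the order an operator would enter them.
SYSTEM_CONFIG = """\
context cisco
allocate-interface vlan100 int0
allocate-interface vlan101 int1
member gold
config-url tftp://10.1.1.1/contexts/cisco.cfg
context -edge
config-url disk:/edge.cfg
allocate-interface vlan200 int0
context Null
allocate-interface vlan300 int0
config-url ftp://ops:example-pw@10.1.1.1/contexts/null.cfg
"""

if __name__ == "__main__":
    for name, finding in lint_contexts(SYSTEM_CONFIG):
        print(f"{name}: {finding}")
```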

Related Commands

admin-context
allocate-interface (context submode)
changeto
class
clear context
config-url (context submode)
description (submode)
member (context submode)
show context

copy capture

To copy a capture file to a TFTP server, use the copy capture command.

copy capture: [[context-name/] capture_name tftp://server/pathname [pcap]]

Syntax Description

context-name/

(Optional) Context name.

capture_name

Unique name that identifies the capture.

tftp://server

Specifies the TFTP server.

pathname

Pathname that indicates the last component of the path to the file on the server.

pcap

(Optional) Specifies the defaults of the preconfigured TFTP server.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

The FWSM must know how to reach the location (specified by the tftp_pathname argument) through its routing table information. This information is determined by the ip address command, the route command, or the RIP, depending upon the configuration. The tftp_pathname can include any directory names in addition to the last component of the path to the file on the server.

The pathname can include any directory names in addition to the last component of the path to the file on the server. The pathname cannot contain spaces. If a directory name has spaces, set the directory in the TFTP server instead of in the copy tftp flash command.


Note: You cannot retrieve images prior to version 2.2 using this feature.


Examples

This example shows the prompts that are provided when you enter the copy capture command without specifying the full path:

fwsm/context_name(config)# copy capture:abc tftp 
Address or name of remote host [171.68.11.129]? 
Source file name [username/cdisk]? 
copying capture to tftp://171.68.11.129/username/cdisk:
[yes|no|again]? y 
!!!!!!!!!!!!! 

You can specify the full path as follows:

fwsm/context_name(config)# copy capture:abc tftp:171.68.11.129/tftpboot/abc.cap pcap

If the TFTP server is already configured, the location or filename can be unspecified as follows:

fwsm/context_name(config)# tftp-server outside 171.68.11.129 tftp/cdisk
fwsm/context_name(config)# copy capture:abc tftp:/tftp/abc.cap

This example shows how to use the defaults of the preconfigured TFTP server in the copy capture command:

fwsm/context_name(config)# copy capture:abc tftp:pcap 

Related Commands

cd
clear flashfs
copy disk
copy flash
copy http(s)
copy running-config/copy startup-config
copy tftp
dir
format
mkdir
more
pwd
rename
rmdir
show disk
show file
show flashfs
show http
show running-config
show startup-config
show tftp-server

copy disk

To copy a file from the disk partition to a TFTP server, another location on the disk partition, to the Flash partition, or to the startup or running configuration, use the copy disk command.

copy [/noconfirm] disk:[path] tftp[:[[//server][/pathname]]]

copy [/noconfirm] disk:[path] disk:[path]

copy [/noconfirm] disk:[path] flash:[image | pdm]

copy [/noconfirm] disk:[path] [startup-config | running-config]

copy [/noconfirm] disk:[path] ftp://[user[:password]@] server [pathname] [;type=xx]

Syntax Description

/noconfirm

(Optional) Specifies not to prompt for confirmation.

path

(Optional) Path to the file location.

tftp

Specifies the TFTP server.

server

(Optional) IP address or name of the server that is set with the name command.

pathname

(Optional) Directory path and filename to which to copy.

disk:

Specifies the disk partition that you are copying.

flash

(Optional) Specifies that the copy target is the Flash partition.

image

(Optional) Specifies that the image is copied.

pdm

(Optional) Specifies that a PDM file is copied to the default Flash partition.

startup-config

(Optional) Specifies that a file is copied to the startup configuration.

running-config

(Optional) Specifies that a file is copied to the running configuration.

ftp

Specifies FTP transactions.

user

(Optional) Username for the FTP transfer.

:password

(Optional) Password for logging into the FTP server.

@

(Optional) Separates the login information from the server address.

;type=xx

(Optional) Specifies the type of transfer. xx is ap, ah, ip (default), or in.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system and context command line

Command Mode: privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

When you copy the image to Flash on the FWSM, the image is not available until you reboot. The downloaded PDM image files are available to the FWSM immediately without a reboot. If you copy a file to the startup partition, you must either reboot or use the copy start run command. If you specify TFTP without the : (colon), you get a prompt.

Examples

This example shows how to copy a file from the disk to a TFTP server:

fwsm/context_name(config)# copy disk:my_context/my_context.cfg tftp://10.7.0.80/my_context/my_context.cfg

This example shows how to copy a file from one location on the disk to another location on the disk. The name of the destination file can be either the name of the source file or a different name.

fwsm/context_name(config)# copy disk:my_context.cfg disk:my_context/my_context.cfg

This example shows how to copy an image or a PDM file from the disk to the Flash partition:

fwsm/context_name(config)# copy disk:cdisk flash:image
fwsm/context_name(config)# copy disk:pdm flash:pdm

This example shows how to copy a file from the disk to the startup configuration or a running configuration:

fwsm/context_name(config)# copy disk:my_context/my_context.cfg startup-config
fwsm/context_name(config)# copy disk:my_context/my_context.cfg running-config

Related Commands

cd
clear flashfs
copy capture
copy flash
copy http(s)
copy running-config/copy startup-config
copy tftp
dir
format
mkdir
more
pwd
rename
rmdir
show disk
show file
show flashfs
show running-config
show startup-config
show tftp-server

copy flash

To copy a file from the Flash partition to a TFTP server, to the disk partition, or to the startup or running configuration, use the copy flash command.

copy flash[:[image | pdm]] tftp[:[[//server][/pathname]]]

copy [/noconfirm] flash:[image | pdm] disk:[path]

Syntax Description

image

(Optional) Specifies that the image is copied.

pdm

(Optional) Specifies that a PDM file is copied.

tftp

Specifies the TFTP server.

server

(Optional) IP address or name that you set with the name command.

pathname

(Optional) Directory path and filename.

/noconfirm

(Optional) Specifies not to prompt for confirmation.

disk:

Specifies that the copy target is the disk partition.

path

(Optional) Path to the file location.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system command line

Command Mode: privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

If you specify TFTP without the : (colon), you get a prompt.

Examples

This example shows how to copy an image or a PDM file from the Flash partition to a TFTP server:

fwsm/context_name(config)# copy flash:image tftp://10.7.0.80/image
fwsm/context_name(config)# copy flash:pdm tftp://10.7.0.80/FWSM/pdm 

This example shows how to copy an image or PDM file from the Flash partition to a disk:

fwsm/context_name(config)# copy flash:image disk:cdisk
fwsm/context_name(config)# copy flash:pdm disk:pdm

Related Commands

cd
clear flashfs
copy capture
copy http(s)
copy running-config/copy startup-config
copy tftp
dir
format
mkdir
more
pwd
rename
rmdir
show disk
show file
show flashfs
show running-config
show startup-config
show tftp-server

copy ftp

To copy a file from an FTP server to the startup or running configuration, use the copy ftp command.

copy ftp://[user[:password]@] location/pathname [;type=<xx>] [startup-config | running-config]

copy [/noconfirm] ftp://[user[:password]@] location/pathname [;type=<xx>] [startup-config | running-config]

Syntax Description

user

(Optional) Username for logging into the FTP server.

password@

(Optional) Password for logging into the FTP server.

location/pathname

IP address or name that you set with the name command.

;type=xx

(Optional) Specifies the type of transfer. xx is ap, ah, ip (default), or in.

/noconfirm

(Optional) Specifies not to prompt for confirmation.

startup-config

(Optional) Specifies the startup configuration.

running-config

(Optional) Specifies the running configuration.


Defaults

This command has no default settings.

Command Modes

Security Context Mode: single context mode and multiple context mode

Access Location: system command line

Command Mode: privileged mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Release
Modification

2.2(1)

Support for this command was introduced on the FWSM.


Usage Guidelines

If you specify FTP without the : (colon), you get a prompt.

Examples

This example shows how to copy a file from an FTP server to the startup configuration or a running configuration:

fwsm/context_name(config)# copy ftp:my_context/my_context.cfg startup-config
fwsm/context_name(config)# copy ftp:my_context/my_context.cfg running-config

Related Commands

cd
clear flashfs
copy capture
copy http(s)
copy running-config/copy startup-config
copy tftp
dir
format
mkdir
more
pwd
rename
rmdir
show disk
show file
show flashfs
show running-config
show startup-config
show tftp-server

copy http(s)

To copy files from an HTTPS server, use the copy http[s] command.

copy http[s]://[user:password@] server [:port]/pathname flash:[image | pdm]

copy [/noconfirm] http[s]://[user:password@]location [:port]/pathname disk:[pathname]

copy http[s]://[user:password@]server[:port]/pathname {startup-config | running-config}

Syntax Description

user

(Optional) Username for logging into the HTTPS server.

password@

(Optional) Password for logging into the HTTPS server.

server

Server name.

location

(Optional) IP address or name that you set with the name command.

port

(Optional) Port to contact on the HTTP server.

pathname

(Optional) Name of the resource that contains the FWSM software image or PDM file to copy.

flash

Specifies the location for the download in the Flash partition.

image

(Optional) Downloads the selected FWSM image to the Flash partition.

pdm

(Optional) Downloads the selected PDM image file to the Flash partition.

/noconfirm

(Optional) Specifies not to prompt for confirmation.