Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference, 3.1
email through ftp-map

Table Of Contents

email through ftp-map Commands

email

enable

enable password

endpoint

enforcenextupdate

enrollment retry count

enrollment retry period

enrollment terminal

enrollment url

erase

established

exit

failover

failover active

failover group

failover interface ip

failover interface-policy

failover key

failover lan interface

failover lan unit

failover link

failover polltime

failover reload-standby

failover replication http

failover reset

failover suspend-config-sync

filter activex

filter ftp

filter https

filter java

filter url

firewall transparent

format

fqdn

fragment

fsck

ftp mode passive

ftp-map


email through ftp-map Commands


email

To include the indicated email address in the Subject Alternative Name extension of the certificate during enrollment, use the email command in crypto ca trustpoint configuration mode. To restore the default setting, use the no form of the command.

email address

no email [address]

Syntax Description

address

Specifies the email address. The maximum length of address is 64 characters.


Defaults

The default setting is not set.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Crypto ca trustpoint configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Examples

The following example enters crypto ca trustpoint configuration mode for trustpoint central, and includes the email address jjh@nhf.net in the enrollment request for trustpoint central:

hostname(config)# crypto ca trustpoint central
hostname(ca-trustpoint)# email jjh@nhf.net
hostname(ca-trustpoint)# 

Related Commands

Command
Description

crypto ca trustpoint

Enters trustpoint configuration mode.


enable

To enter privileged EXEC mode, use the enable command in user EXEC mode.

enable [level]

Syntax Description

level

(Optional) Enters the privilege level between 0 and 15.


Defaults

Enters privilege level 15 unless you are using command authorization, in which case the default level depends on the level configured for your username.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

User EXEC


Command History

Release
Modification

1.1(1)

This command was introduced.


Usage Guidelines

The default enable password is blank. See the enable password command to set the password.

To use privilege levels other than the default of 15, configure local command authorization (see the aaa authorization command command and specify the LOCAL keyword), and set the commands to different privilege levels using the privilege command. If you do not configure local command authorization, the enable levels are ignored, and you have access to level 15 regardless of the level you set. See the show curpriv command to view your current privilege level.

Levels 2 and above enter privileged EXEC mode. Levels 0 and 1 enter user EXEC mode.

Enter the disable command to exit privileged EXEC mode.

Examples

The following example enters privileged EXEC mode:

hostname> enable
Password: Pa$$w0rd
hostname#

The following example enters privileged EXEC mode for level 10:

hostname> enable 10
Password: Pa$$w0rd10
hostname#

Related Commands

Command
Description

enable password

Sets the enable password.

disable

Exits privileged EXEC mode.

aaa authorization command

Configures command authorization.

privilege

Sets the command privilege levels for local command authorization.

show curpriv

Shows the currently logged in username and the user privilege level.


enable password

To set the enable password for privileged EXEC mode, use the enable password command in global configuration mode. To remove the password for a level other than 15, use the no form of this command. You cannot remove the level 15 password.

enable password password [level level] [encrypted]

no enable password level level

Syntax Description

encrypted

(Optional) Specifies that the password is in encrypted form. The password is saved in the configuration in encrypted form, so you cannot view the original password after you enter it. If for some reason you need to copy the password to another FWSM but do not know the original password, you can enter the enable password command with the encrypted password and this keyword. Normally, you only see this keyword when you enter the show running-config enable command.

level level

(Optional) Sets a password for a privilege level between 0 and 15.

password

Sets the password as a case-sensitive string of up to 16 alphanumeric and special characters. You can use any character in the password except a question mark or a space.


Defaults

The default password is blank. The default level is 15.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

1.1(1)

This command was introduced.


Usage Guidelines

The default password for enable level 15 (the default level) is blank. To reset the password to be blank, do not enter any text for the password.

For multiple context mode, you can create an enable password for the system configuration as well as for each context.

To use privilege levels other than the default of 15, configure local command authorization (see the aaa authorization command command and specify the LOCAL keyword), and set the commands to different privilege levels using the privilege command. If you do not configure local command authorization, the enable levels are ignored, and you have access to level 15 regardless of the level you set. See the show curpriv command to view your current privilege level.

Levels 2 and above enter privileged EXEC mode. Levels 0 and 1 enter user EXEC mode.

Examples

The following example sets the enable password to Pa$$w0rd:

hostname(config)# enable password Pa$$w0rd

The following example sets the enable password to Pa$$w0rd10 for level 10:

hostname(config)# enable password Pa$$w0rd10 level 10

The following example sets the enable password to an encrypted password that you copied from another FWSM:

hostname(config)# enable password jMorNbK0514fadBh encrypted
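The following Python model is an added example, not code from Cisco or from the FWSM, covering the enable and enable password sections above. It parses an enable password line against the documented constraints (password of up to 16 characters, no question mark or space, level 0 to 15 with a default of 15, optional encrypted keyword, no text at all meaning a blank password) and maps a privilege level to the EXEC mode the enable section states it enters. The function names and the dataclass are this example's own; the FWSM does not expose such an interface.

```python
from dataclasses import dataclass

MAX_PASSWORD_LEN = 16              # password is a string of up to 16 characters
FORBIDDEN_CHARS = frozenset("? ")  # a question mark or a space is not allowed
MIN_LEVEL, MAX_LEVEL = 0, 15
DEFAULT_LEVEL = 15


@dataclass(frozen=True)
class EnablePassword:
    password: str          # "" means the password for this level is reset to blank
    level: int = DEFAULT_LEVEL
    encrypted: bool = False


def check_password(password: str) -> None:
    """Raise ValueError if the password breaks the documented constraints."""
    if len(password) > MAX_PASSWORD_LEN:
        raise ValueError(f"password longer than {MAX_PASSWORD_LEN} characters")
    bad = FORBIDDEN_CHARS.intersection(password)
    if bad:
        raise ValueError(f"password contains forbidden character(s) {sorted(bad)}")


def parse_enable_password(line: str) -> EnablePassword:
    """Parse 'enable password password [level level] [encrypted]'."""
    tokens = line.strip().split()
    if tokens[:2] != ["enable", "password"]:
        raise ValueError("expected 'enable password ...'")
    rest = tokens[2:]
    if not rest:                        # no password text: reset level 15 to blank
        return EnablePassword(password="")
    password, options = rest[0], rest[1:]
    check_password(password)
    level, encrypted, i = DEFAULT_LEVEL, False, 0
    while i < len(options):
        if options[i] == "level":
            if i + 1 >= len(options) or not options[i + 1].isdigit():
                raise ValueError("'level' must be followed by a number")
            level = int(options[i + 1])
            if not MIN_LEVEL <= level <= MAX_LEVEL:
                raise ValueError(f"level must be between {MIN_LEVEL} and {MAX_LEVEL}")
            i += 2
        elif options[i] == "encrypted":
            encrypted = True
            i += 1
        else:                           # a space inside the password lands here
            raise ValueError(f"unexpected token {options[i]!r}")
    return EnablePassword(password, level, encrypted)


def rejects(line: str) -> bool:
    """True if the parser refuses the line (used to check the edge cases)."""
    try:
        parse_enable_password(line)
    except ValueError:
        return True
    return False


def exec_mode_for_level(level: int) -> str:
    """Levels 0 and 1 stay in user EXEC mode; 2 and above enter privileged EXEC mode."""
    if not MIN_LEVEL <= level <= MAX_LEVEL:
        raise ValueError("privilege level must be 0-15")
    return "user EXEC" if level < 2 else "privileged EXEC"
```

The parser splits on whitespace, so a password containing a space shows up as an unexpected trailing token rather than as a forbidden character; check_password catches the question mark and over-long cases directly.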

Related Commands

Command
Description

aaa authorization command

Configures command authorization.

enable

Enters privileged EXEC mode.

privilege

Sets the command privilege levels for local command authorization.

show curpriv

Shows the currently logged in username and the user privilege level.

show running-config enable

Shows the enable passwords in encrypted form.


endpoint

To associate endpoints with an HSI group, use the endpoint command in HSI group configuration mode. To remove the endpoint, use the no form of this command.

endpoint ip address interface

no endpoint ip address interface

Syntax Description

ip address

The IP address of the endpoint.

interface

The interface on the FWSM that is connected to the endpoint.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

HSI group configuration


Command History

Release
Modification

FWSM 3.1

This command was introduced.


Usage Guidelines

Use the endpoint command to identify the endpoints associated with an HSI group. An HSI group allows the FWSM to open dynamic, port-specific pinholes for an H.245 connection when an HSI is involved in H.225 call-signalling.

Each HSI group can contain a maximum of ten endpoints. You must configure an HSI within the group before configuring any endpoints. You must remove all endpoints and the HSI before removing the HSI group.

Examples

The following example shows how to define an H.225 map.

hostname(config)# h225-map hmap
hostname(config-h225-map)# hsi-group 1
hostname(config-h225-map-hsi-grp)# hsi 10.10.15.11 
hostname(config-h225-map-hsi-grp)# endpoint 10.3.6.1 inside
hostname(config-h225-map-hsi-grp)# endpoint 10.10.25.5 outside
hostname(config-h225-map-hsi-grp)# exit
hostname(config-h225-map)# exit

Related Commands

Command
Description

hsi

Defines the HSI associated with an HSI group.

hsi-group

Defines an HSI group and enables HSI group configuration mode.

h225-map

Defines an H.225 map and enables H.225 map configuration mode.

inspect h323 h225

Applies an H.225 map to H.323 application inspection.


enforcenextupdate

To specify how to handle the NextUpdate CRL field, use the enforcenextupdate command in crl configure configuration mode. If set, this command requires CRLs to have a NextUpdate field that has not yet lapsed. If not used, the FWSM allows a missing or lapsed NextUpdate field in a CRL.

To permit a lapsed or missing NextUpdate field, use the no form of this command.

enforcenextupdate

no enforcenextupdate

Syntax Description

This command has no arguments or keywords.

Defaults

The default setting is enforced (on).

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

CRL configure configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Examples

The following example enters crl configure configuration mode, and requires CRLs to have a NextUpdate field that has not expired for trustpoint central:

hostname(config)# crypto ca trustpoint central
hostname(ca-trustpoint)# crl configure
hostname(ca-crl)# enforcenextupdate
hostname(ca-crl)# 

Related Commands

Command
Description

cache-time

Specifies a cache refresh time in minutes.

crl configure

Enters ca-crl configuration mode.

crypto ca trustpoint

Enters trustpoint configuration mode.


enrollment retry count

To specify a retry count, use the enrollment retry count command in crypto ca trustpoint configuration mode. To restore the default setting of the retry count, use the no form of the command. After requesting a certificate, the FWSM waits to receive a certificate from the CA. If the FWSM does not receive a certificate within the configured retry period, it sends another certificate request. The FWSM repeats the request until either it receives a response or reaches the end of the configured retry period.

enrollment retry count number

no enrollment retry count

Syntax Description

number

Sets the maximum number of attempts to send an enrollment request. The valid range is 0 (unlimited) or 1 to 100 retries.


Defaults

The default setting for number is 0 (unlimited).

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Crypto ca trustpoint configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

This command is optional and applies only when automatic enrollment is configured.

Examples

The following example enters crypto ca trustpoint configuration mode for trustpoint central, and configures an enrollment retry count of 20 retries within trustpoint central:

hostname(config)# crypto ca trustpoint central
hostname(ca-trustpoint)# enrollment retry count 20
hostname(ca-trustpoint)# 

Related Commands

Command
Description

crypto ca trustpoint

Enters trustpoint configuration mode.

default enrollment

Returns enrollment parameters to their defaults.

enrollment retry period

Specifies the number of minutes to wait before resending an enrollment request.


enrollment retry period

To specify a retry period, use the enrollment retry period command in crypto ca trustpoint configuration mode. To restore the default setting of the retry period, use the no form of the command. After requesting a certificate, the FWSM waits to receive a certificate from the CA. If the FWSM does not receive a certificate within the specified retry period, it sends another certificate request.

enrollment retry period minutes

no enrollment retry period

Syntax Description

minutes

Sets the number of minutes between attempts to send an enrollment request. The valid range is 1 to 60 minutes.


Defaults

The default setting is 1 minute.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Crypto ca trustpoint configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

This command is optional and applies only when automatic enrollment is configured.

Examples

The following example enters crypto ca trustpoint configuration mode for trustpoint central, and configures an enrollment retry period of 10 minutes within trustpoint central:

hostname(config)# crypto ca trustpoint central
hostname(ca-trustpoint)# enrollment retry period 10
hostname(ca-trustpoint)# 
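The following Python model is an added example, not Cisco code, that serves both the enrollment retry count and enrollment retry period sections: it validates the documented ranges (count 0 or 1 to 100, with 0 meaning unlimited; period 1 to 60 minutes) and simulates the request, wait, resend loop the two sections describe. The CA is a constructed stand-in that answers on a chosen attempt or never; the operator_abort_after cap is this example's own assumption so that an unlimited loop against a silent CA terminates in the model.

```python
from typing import Optional, Tuple

DEFAULT_RETRY_COUNT = 0      # 0 means unlimited attempts
DEFAULT_RETRY_PERIOD = 1     # minutes between requests
MAX_RETRY_COUNT = 100
MIN_RETRY_PERIOD, MAX_RETRY_PERIOD = 1, 60


def validate_retry_count(count: int) -> int:
    """Accept 0 (unlimited) or 1-100, as the retry count section states."""
    if count != 0 and not 1 <= count <= MAX_RETRY_COUNT:
        raise ValueError("enrollment retry count must be 0 (unlimited) or 1-100")
    return count


def validate_retry_period(minutes: int) -> int:
    """Accept 1-60 minutes, as the retry period section states."""
    if not MIN_RETRY_PERIOD <= minutes <= MAX_RETRY_PERIOD:
        raise ValueError("enrollment retry period must be 1-60 minutes")
    return minutes


def simulate_enrollment(ca_answers_on_attempt: Optional[int],
                        retry_count: int = DEFAULT_RETRY_COUNT,
                        retry_period: int = DEFAULT_RETRY_PERIOD,
                        operator_abort_after: int = 1000) -> Tuple[int, int, bool]:
    """Model the enrollment loop; returns (requests_sent, minutes_elapsed, enrolled).

    ca_answers_on_attempt is the attempt on which the constructed CA returns a
    certificate, or None if it never answers. operator_abort_after is an assumed
    cap (not an FWSM setting) that ends an unlimited loop in this simulation.
    """
    validate_retry_count(retry_count)
    validate_retry_period(retry_period)
    attempts, elapsed = 0, 0
    while True:
        attempts += 1                                   # send an enrollment request
        if ca_answers_on_attempt is not None and attempts >= ca_answers_on_attempt:
            return attempts, elapsed, True              # certificate received
        limit = retry_count if retry_count != 0 else operator_abort_after
        if attempts >= limit:
            return attempts, elapsed, False             # retries exhausted
        elapsed += retry_period                         # wait one period, then resend


def retries_left(count: int) -> Optional[int]:
    """Translate the configured count for display: None stands for unlimited."""
    return None if validate_retry_count(count) == 0 else count
```

With the page's own values (retry count 20, retry period 10) a CA that answers on the third request costs two waits, i.e. 20 minutes; with count 0 the loop only stops because of the assumed cap.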

Related Commands

Command
Description

crypto ca trustpoint

Enters trustpoint configuration mode.

default enrollment

Returns all enrollment parameters to their system default values.

enrollment retry count

Defines the number of retries when requesting an enrollment.


enrollment terminal

To specify cut and paste enrollment with this trustpoint (also known as manual enrollment), use the enrollment terminal command in crypto ca trustpoint configuration mode. To restore the default setting of the command, use the no form of the command.

enrollment terminal

no enrollment terminal

Syntax Description

This command has no arguments or keywords.

Defaults

The default setting is off.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Crypto ca trustpoint configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Examples

The following example enters crypto ca trustpoint configuration mode for trustpoint central, and specifies the cut and paste method of CA enrollment for trustpoint central:

hostname(config)# crypto ca trustpoint central
hostname(ca-trustpoint)# enrollment terminal
hostname(ca-trustpoint)#

Related Commands

Command
Description

crypto ca trustpoint

Enters trustpoint configuration mode.

default enrollment

Returns enrollment parameters to their defaults.

enrollment retry count

Specifies the number of retries to attempt to send an enrollment request.

enrollment retry period

Specifies the number of minutes to wait before resending an enrollment request.

enrollment url

Specifies automatic enrollment (SCEP) with this trustpoint and configures the URL.


enrollment url

To specify automatic enrollment (SCEP) to enroll with this trustpoint and to configure the enrollment URL, use the enrollment url command in crypto ca trustpoint configuration mode. To restore the default setting of the command, use the no form of the command.

enrollment url url

no enrollment url

Syntax Description

url

Specifies the name of the URL for automatic enrollment. The maximum length is 1K characters (effectively unbounded).


Defaults

The default setting is off.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Crypto ca trustpoint configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Examples

The following example enters crypto ca trustpoint configuration mode for trustpoint central, and specifies SCEP enrollment at the URL https://enrollsite for trustpoint central:

hostname(config)# crypto ca trustpoint central
hostname(ca-trustpoint)# enrollment url https://enrollsite
hostname(ca-trustpoint)# 

Related Commands

Command
Description

crypto ca trustpoint

Enters trustpoint configuration mode.

default enrollment

Returns enrollment parameters to their defaults.

enrollment retry count

Specifies the number of retries to attempt to send an enrollment request.

enrollment retry period

Specifies the number of minutes to wait before resending an enrollment request.

enrollment terminal

Specifies cut and paste enrollment with this trustpoint.


erase

To erase and reformat the file system, use the erase command in privileged EXEC mode. This command overwrites all files and erases the file system, including hidden system files, and then reinstalls the file system.

erase [flash:]

Syntax Description

flash:

(Optional) Specifies the internal Flash memory, followed by a colon.


Caution Erasing the Flash memory also removes the licensing information, which is stored in Flash memory. Save the licensing information prior to erasing the Flash memory.

Defaults

This command has no default settings.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

3.1(1)

Support for this command was introduced.


Usage Guidelines

The erase command erases all data on the Flash memory using the 0xFF pattern and then rewrites an empty file system allocation table to the device.

To delete all visible files (excluding hidden system files), enter the delete /recursive command, instead of the erase command.

Examples

The following example erases and reformats the file system:

hostname# erase flash:

Related Commands

Command
Description

delete

Removes all visible files, excluding hidden system files.

format

Erases all files (including hidden system files) and formats the file system.


established

To permit return connections on ports that are based on an established connection, use the established command in global configuration mode. To disable the established feature, use the no form of this command.

established est_protocol dest_port [source_port] [permitto protocol port [-port]] [permitfrom protocol port[-port]]

no established est_protocol dest_port [source_port] [permitto protocol port [-port]] [permitfrom protocol port[-port]]

Syntax Description

est_protocol

Specifies the IP protocol (UDP or TCP) to use for the established connection lookup.

dest_port

Specifies the destination port to use for the established connection lookup.

permitfrom

(Optional) Allows the return protocol connection(s) originating from the specified port.

permitto

(Optional) Allows the return protocol connections destined to the specified port.

port [-port]

(Optional) Specifies the (UDP or TCP) destination port(s) of the return connection.

protocol

(Optional) IP protocol (UDP or TCP) used by the return connection.

source_port

(Optional) Specifies the source port to use for the established connection lookup.


Defaults

The defaults are as follows:

dest_port—0 (wildcard)

source_port—0 (wildcard)

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

1.1(1)

This command was introduced.

3.1(1)

The keywords to and from were removed from the CLI. Use the keywords permitto and permitfrom instead.


Usage Guidelines

The established command lets you permit return access for outbound connections through the FWSM. This command works with an original connection that is outbound from a network protected by the FWSM and a return connection that is inbound from the same external host to the same internal host. The established command lets you specify the destination port that is used for connection lookups. This addition allows more control over the command and provides support for protocols where the destination port is known, but the source port is unknown. The permitto and permitfrom keywords define the return inbound connection.


Caution We recommend that you always specify the established command with the permitto and permitfrom keywords. Using the established command without these keywords is a security risk because when connections are made to external systems, those systems can make unrestricted connections to the internal host involved in the connection. This situation can be exploited to attack your internal systems.

Examples

The following set of examples shows potential security violations that could occur if you do not use the established command correctly.

This example shows that if an internal system makes a TCP connection to an external host on port 4000, then the external host could come back in on any port using any protocol:

hostname(config)# established tcp 4000 0

You can specify the source and destination ports as 0 if the protocol does not specify which ports are used. Use wildcard ports (0) only when necessary.

hostname(config)# established tcp 0 0 


Note To allow the established command to work properly, the client must listen on the port that is specified with the permitto keyword.


You can use the established command with the nat 0 command (where there are no global commands).


Note You cannot use the established command with PAT.


The FWSM supports XDMCP with assistance from the established command.


Caution Using XWindows system applications through the FWSM may cause security risks.

XDMCP is on by default, but it does not complete the session unless you enter the established command as follows:

hostname(config)# established tcp 6000 0 permitto tcp 6000 permitfrom tcp 1024-65535

Entering the established command enables the internal XDMCP-equipped (UNIX or ReflectionX) hosts to access external XDMCP-equipped XWindows servers. UDP/177-based XDMCP negotiates a TCP-based XWindows session, and subsequent TCP back connections are permitted. Because the source port(s) of the return traffic is unknown, specify the source_port field as 0 (wildcard). The dest_port should be 6000 + n, where n represents the local display number. Use this UNIX command to change this value:

setenv DISPLAY hostname:displaynumber.screennumber

The established command is needed because many TCP connections are generated (based on user interaction) and the source port for these connections is unknown. Only the destination port is static. The FWSM performs XDMCP fixups transparently. No configuration is required, but you must enter the established command to accommodate the TCP session.

The following example shows a connection between two hosts using protocol A destined for port B from source port C. To permit return connections through the FWSM and protocol D (protocol D can be different from protocol A), the source port(s) must correspond to port F and the destination port(s) must correspond to port E.

hostname(config)# established A B C permitto D E permitfrom D F

The following example shows how a connection is started by an internal host to an external host using TCP destination port 6060 and any source port. The FWSM permits return traffic between the hosts through TCP destination port 6061 and any TCP source port.

hostname(config)# established tcp 6060 0 permitto tcp 6061 permitfrom tcp 0

The following example shows how a connection is started by an internal host to an external host using UDP destination port 6060 and any source port. The FWSM permits return traffic between the hosts through TCP destination port 6061 and TCP source port 1024-65535.

hostname(config)# established udp 6060 0 permitto tcp 6061 permitfrom tcp 1024-65535

The following example shows how a local host starts a TCP connection on port 9999 to a foreign host. The example allows packets from the foreign host on port 4242 back to the local host on port 5454.

hostname(config)# established tcp 9999 permitto tcp 5454 permitfrom tcp 4242
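The following Python model is an added example, not Cisco code, that implements the matching semantics the established examples above describe: a statement is parsed into its lookup fields (est_protocol, dest_port, optional source_port) and its optional permitto and permitfrom specifications, and an inbound packet is admitted only if an original outbound connection between the same two hosts matched the lookup fields and the packet satisfies whichever of permitto and permitfrom are present. With neither keyword the model admits any protocol on any port, which is the unrestricted case the caution above warns about. The dataclasses, function names, and IP addresses are this example's own constructions; the FWSM does not expose such an interface.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

PortRange = Tuple[int, int]  # inclusive (low, high); (0, 0) is the wildcard "0"
PROTOCOLS = ("tcp", "udp")


@dataclass(frozen=True)
class Established:
    """One parsed 'established' statement."""
    est_protocol: str                                   # protocol of the original connection
    dest_port: int                                      # original destination port, 0 = wildcard
    source_port: int = 0                                # original source port, 0 = wildcard
    permitto: Optional[Tuple[str, PortRange]] = None    # protocol and port(s) the return may target
    permitfrom: Optional[Tuple[str, PortRange]] = None  # protocol and port(s) the return may come from


@dataclass(frozen=True)
class Connection:
    """An original outbound connection from an inside host to an outside host."""
    protocol: str
    inside_host: str
    outside_host: str
    dest_port: int
    source_port: int


@dataclass(frozen=True)
class ReturnPacket:
    """An inbound packet the outside host sends back toward the inside host."""
    protocol: str
    src_host: str
    dst_host: str
    src_port: int
    dst_port: int


def _parse_ports(text: str) -> PortRange:
    lo, _, hi = text.partition("-")
    low, high = int(lo), (int(hi) if hi else int(lo))
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"bad port specification {text!r}")
    return (low, high)


def parse_established(line: str) -> Established:
    """Parse 'established est_protocol dest_port [source_port] [permitto ...] [permitfrom ...]'."""
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] != "established":
        raise ValueError("expected 'established est_protocol dest_port ...'")
    est_protocol, dest_port = tokens[1].lower(), int(tokens[2])
    if est_protocol not in PROTOCOLS:
        raise ValueError(f"unsupported protocol {tokens[1]!r}")
    i, source_port = 3, 0
    if i < len(tokens) and tokens[i].isdigit():         # optional source_port
        source_port, i = int(tokens[i]), i + 1
    permitto = permitfrom = None
    while i < len(tokens):
        keyword = tokens[i].lower()
        if keyword not in ("permitto", "permitfrom") or i + 2 >= len(tokens):
            raise ValueError(f"unexpected token {tokens[i]!r}")
        proto = tokens[i + 1].lower()
        if proto not in PROTOCOLS:
            raise ValueError(f"unsupported protocol {tokens[i + 1]!r}")
        spec = (proto, _parse_ports(tokens[i + 2]))
        if keyword == "permitto":
            permitto = spec
        else:
            permitfrom = spec
        i += 3
    return Established(est_protocol, dest_port, source_port, permitto, permitfrom)


def _port_in(ports: PortRange, port: int) -> bool:
    return ports == (0, 0) or ports[0] <= port <= ports[1]


def rule_matches_connection(rule: Established, conn: Connection) -> bool:
    """Does the original outbound connection satisfy the rule's lookup fields?"""
    return (conn.protocol == rule.est_protocol
            and rule.dest_port in (0, conn.dest_port)
            and rule.source_port in (0, conn.source_port))


def return_allowed(rule: Established, conn: Connection, pkt: ReturnPacket) -> bool:
    """Would the rule let this inbound packet through on the strength of conn?"""
    if not rule_matches_connection(rule, conn):
        return False
    if (pkt.src_host, pkt.dst_host) != (conn.outside_host, conn.inside_host):
        return False                        # only the same pair of hosts qualifies
    # With neither keyword, any protocol on any port is permitted back in: the
    # unrestricted case the caution above describes.
    if rule.permitto is not None:
        proto, ports = rule.permitto
        if pkt.protocol != proto or not _port_in(ports, pkt.dst_port):
            return False
    if rule.permitfrom is not None:
        proto, ports = rule.permitfrom
        if pkt.protocol != proto or not _port_in(ports, pkt.src_port):
            return False
    return True
```

Run the page's statements through parse_established and feed return_allowed a matching Connection and candidate ReturnPacket objects to see which inbound traffic each form admits; the bare established tcp 4000 0 form admits a UDP packet to port 22 from the external host, while the permitto and permitfrom forms confine the return to the stated protocol and ports.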

Related Commands

Command
Description

clear configure established

Removes all established commands.

show running-config established

Displays the allowed inbound connections that are based on established connections.


exit

To exit the current configuration mode, or to log out from privileged or user EXEC modes, use the exit command.

exit

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

User EXEC


Command History

Release
Modification

1.1(1)

This command was introduced.


Usage Guidelines

You can also use the key sequence Ctrl Z to exit global configuration (and higher) modes. This key sequence does not work with privileged or user EXEC modes.

When you enter the exit command in privileged or user EXEC modes, you log out from the FWSM. Use the disable command to return to user EXEC mode from privileged EXEC mode.

Examples

The following example shows how to use the exit command to exit global configuration mode, and then log out from the session:

hostname(config)# exit
hostname# exit

Logoff

The following example shows how to use the exit command to exit global configuration mode, and then use the disable command to exit privileged EXEC mode:

hostname(config)# exit
hostname# disable
hostname>

Related Commands

Command
Description

quit

Exits a configuration mode or logs out from privileged or user EXEC modes.


failover

To enable failover, use the failover command in global configuration mode. To disable failover, use the no form of this command.

failover

no failover

Syntax Description

This command has no arguments or keywords.

Defaults

Failover is disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

1.1(1)

This command was introduced.

3.1(1)

This command was limited to enable or disable failover in the configuration (see the failover active command).


Usage Guidelines

Use the no form of this command to disable failover.


Caution All information sent over the failover and Stateful Failover links is sent in clear text unless you secure the communication with a failover key. Any usernames, passwords, and preshared keys configured on the FWSM are transmitted in clear text and could pose a significant security risk. We recommend securing the failover communication with a failover key.

Examples

The following example disables failover:

hostname(config)# no failover
hostname(config)#

Related Commands

Command
Description

clear configure failover

Clears failover commands from the running configuration and restores failover default values.

failover active

Switches the standby unit to active.

show failover

Displays information about the failover status of the unit.

show running-config failover

Displays the failover commands in the running configuration.