Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference, 3.1
interface through issuer-name

Table Of Contents

interface through issuer-name Commands

interface

interface bvi

interface-policy

ip address

ip-address

ip-address-privacy

ip local pool

ip verify reverse-path

ip-comp

ip-phone-bypass

ipsec-udp

ipsec-udp-port

ipv6 access-list

ipv6 access-list remark

ipv6 address

ipv6 enable

ipv6 icmp

ipv6 nd dad attempts

ipv6 nd ns-interval

ipv6 nd prefix

ipv6 nd ra-interval

ipv6 nd ra-lifetime

ipv6 nd reachable-time

ipv6 nd suppress-ra

ipv6 neighbor

ipv6 route

isakmp am-disable

isakmp disconnect-notify

isakmp enable

isakmp identity

isakmp keepalive

isakmp policy authentication

isakmp policy encryption

isakmp policy group

isakmp policy hash

isakmp policy lifetime

isakmp reload-wait

issuer-name


interface through issuer-name Commands


interface

To add an interface to the configuration and enter interface configuration mode, use the interface command in global configuration mode.

interface {vlan <n> | mapped_name}

Syntax Description

vlan <n>

In multiple context mode, lets you configure the name, security level, and IP address of the VLAN.

mapped_name

(Optional) In multiple context mode, identifies the mapped name if it was assigned using the allocate-interface command.


Defaults

This command has no default settings.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

1.1(1)

This command was introduced.

2.2(1)

This command was changed.

3.1(1)

This command was modified to change arguments to be separate commands under interface configuration mode.


Usage Guidelines

In multiple context mode, in the system configuration, you allocate interfaces to contexts (with the allocate-interface command), which causes the FWSM to add them automatically; you do not need to add interfaces manually. Similarly, if you assign a VLAN to the failover or state link, the interface command is added automatically.

In single mode, you need to enter the interface command for a given VLAN to set parameters for it.

In interface configuration mode, you can assign a name, assign a VLAN, assign an IP address, and configure many other settings. If you add an interface for a VLAN that is not yet assigned to the FWSM by the switch, the interface will be in the down state. When you assign the VLAN to the FWSM, the interface changes to an up state. See the show interface command for more information about interface states.

When you assign a VLAN to a context using the allocate-interface command, the FWSM automatically adds the interface to the system configuration, if it is not already present. For example, when you allocate VLAN 100 to a context, the interface vlan 100 command is added to the system configuration.

The failover lan interface interface_name vlan vlan command specifies the interface name and the VLAN used for communication between the active and the standby modules to determine the operating status of each module.

The failover link interface_name [vlan vlan] command specifies the interface name and VLAN for the stateful failover interface. The link passes all protocol state information between the active and the standby for stateful failover.

Examples

The following example shows how to enter the interface configuration mode:

fwsm(config)# interface vlan 22
fwsm(config-if)# shutdown

Related Commands

Command
Description

allocate-interface

Assigns interfaces and subinterfaces to a security context.

clear configure interface

Clears all configuration for an interface.

clear interface

Clears counters for the show interface command.

show interface

Displays the runtime status and statistics of interfaces.


interface bvi

To configure the bridge virtual interface for a bridge group, use the interface bvi command in global configuration mode. To remove the bridge virtual interface configuration, use the no form of this command. Use this command to enter interface configuration mode so you can configure a management IP address for the bridge group.

interface bvi bridge_group_number

no interface bvi bridge_group_number

Syntax Description

bridge_group_number

Specifies the bridge group number as an integer between 1 and 100.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

A transparent firewall connects the same network on its inside and outside interfaces. Each pair of interfaces belongs to a bridge group, to which you must assign a management IP address. Each bridge group connects to a separate network. Bridge group traffic is isolated from other bridge groups; traffic is not routed to another bridge group within the FWSM, and traffic must exit the FWSM before it is routed by an external router back to another bridge group in the FWSM.

Assign each interface to a bridge group using the interface vlan command, and then the bridge-group command. Use the interface bvi command, and then the ip address command to configure the management IP address for the bridge group. The management IP address is required because the FWSM uses this address as the source address for traffic originating on the FWSM, such as system messages or communications with AAA servers. You can also use this address for remote management access.

Examples

The following example assigns VLANs 300 and 301 to bridge group 1, then sets the management address and standby address of bridge group 1:

hostname(config)# interface vlan 300
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# bridge-group 1
hostname(config-if)# interface vlan 301
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# bridge-group 1
hostname(config-if)# interface bvi 1
hostname(config-if)# ip address 10.1.3.1 255.255.255.0 standby 10.1.3.2

Related Commands

Command
Description

bridge-group

Groups two transparent firewall interfaces into a bridge group.

clear configure interface bvi

Clears the bridge virtual interface configuration.

interface

Configures an interface.

ip address

Sets the management IP address for a bridge group.

show running-config interface bvi

Shows the bridge group interface configuration.


interface-policy

To specify the policy for failover when monitoring detects an interface failure, use the interface-policy command in failover group configuration mode. To restore the default values, use the no form of this command.

interface-policy num[%]

no interface-policy num[%]

Syntax Description

num

Specifies a number from 1 to 100 when used as a percentage, or 1 to the maximum number of interfaces.

%

(Optional) Specifies that the number num is a percentage of the monitored interfaces.


Defaults

If the failover interface-policy command is configured for the unit, then the default for the interface-policy failover group command assumes that value. If not, then num is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Failover group configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

There is no space between the num argument and the optional % keyword.

If the number of failed interfaces meets the configured policy and the other FWSM is functioning properly, the FWSM will mark itself as failed and a failover may occur (if the active FWSM is the one that fails). Only interfaces that are designated as monitored by the monitor-interface command count towards the policy.
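The following added example (constructed for this page, not FWSM code) models how an interface-policy value is parsed and applied: the num[%] argument is rejected if a space separates the number from the percent sign, only interfaces designated with monitor-interface count toward the policy, and the unit marks itself failed only when the other FWSM is healthy. The rounding rule for percentages is an assumption, since the page does not state how fractions are treated.

```python
from typing import List, Tuple

# Added example, not FWSM code: parsing and applying the failover group interface-policy.

def parse_interface_policy(arg: str) -> Tuple[int, bool]:
    """Parse the num[%] argument; returns (num, is_percent). 'num %' with a space is rejected."""
    if arg != arg.strip() or " " in arg:
        raise ValueError("no space is allowed between num and %")
    is_percent = arg.endswith("%")
    num = int(arg[:-1] if is_percent else arg)
    if is_percent and not 1 <= num <= 100:
        raise ValueError("percentage must be between 1 and 100")
    if not is_percent and num < 1:
        raise ValueError("count must be at least 1")
    return num, is_percent


def unit_should_fail(policy: str, monitored: List[str], failed: List[str],
                     peer_healthy: bool = True) -> bool:
    """True when the failed monitored interfaces meet the policy and the other FWSM is healthy."""
    if not peer_healthy:
        return False
    counted = [i for i in failed if i in monitored]   # only monitor-interface interfaces count
    num, is_percent = parse_interface_policy(policy)
    # Assumption for this example: a percentage is compared exactly against failed/monitored,
    # so 25% of four monitored interfaces is met by a single failure.
    threshold = num * len(monitored) / 100 if is_percent else num
    return len(counted) >= threshold


if __name__ == "__main__":
    monitored = ["inside", "outside", "dmz", "mgmt"]      # constructed interface set
    print(unit_should_fail("25%", monitored, ["dmz"]))             # True
    print(unit_should_fail("2", monitored, ["dmz"]))               # False
    print(unit_should_fail("25%", monitored, ["backup-link"]))    # False: not monitored
```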

Examples

The following partial example shows a possible configuration for a failover group:

hostname(config)# failover group 1 
hostname(config-fover-group)# primary
hostname(config-fover-group)# preempt 100
hostname(config-fover-group)# interface-policy 25%
hostname(config-fover-group)# exit
hostname(config)#

Related Commands

Command
Description

failover group

Defines a failover group for Active/Active failover.

failover interface-policy

Configures the interface monitoring policy.

monitor-interface

Specifies the interfaces being monitored for failover.


ip address

To set the IP address for an interface (in routed mode) or the management address for a bridge group (transparent mode), use the ip address command in interface configuration mode. For routed mode, enter interface configuration mode for the VLAN ID (the interface command). For transparent mode, enter interface configuration mode for the bridge group (the interface bvi command). To remove the IP address, use the no form of this command. This command also sets the standby address for failover.

ip address ip_address [mask] [standby ip_address]

no ip address [ip_address]

Syntax Description

ip_address

Sets the IP address for the interface (routed mode) or the management IP address for the bridge group (transparent mode).

mask

(Optional) Sets the subnet mask for the IP address. If you do not set the mask, the FWSM uses the default mask for the IP address class.

Do not assign a host address (/32 or 255.255.255.255) to the transparent firewall. Also, do not use other subnets that contain fewer than 3 host addresses (one each for the upstream router, downstream router, and transparent firewall) such as a /30 subnet (255.255.255.252). The FWSM drops all ARP packets to or from the first and last addresses in a subnet. For example, if you use a /30 subnet and assign a reserved address from that subnet to the upstream router, then the FWSM drops the ARP request from the downstream router to the upstream router.

standby ip_address

(Optional) Sets the IP address for the standby unit for failover. The standby IP address must be on the same subnet as the main IP address.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

2.2(1)

This command was introduced.

3.1(1)

This command was changed from a global configuration command to an interface configuration mode command.


Usage Guidelines

In single context routed firewall mode, each interface address must be on a unique subnet. In multiple context mode, if this interface is on a shared interface, then each IP address must be unique but on the same subnet. If the interface is unique, this IP address can be used by other contexts if desired.

In transparent firewall mode, each pair of interfaces belongs to a bridge group, to which you must assign a management IP address. Each bridge group connects to a separate network. The management IP address is required because the FWSM uses this address as the source address for traffic originating on the FWSM, such as system messages or communications with AAA servers. You can also use this address for remote management access. This address must be on the same subnet as the upstream and downstream routers.
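The following added example (constructed for this page, not FWSM code) turns the rules above into static checks a practitioner can run over an ip address line before committing it: in transparent mode the bridge-group subnet must leave at least three usable host addresses and the management address must not be the first or last address of the subnet (the FWSM drops ARP for those), the standby address must share the subnet, and in single context routed mode no two interfaces may overlap. The function names and the interface list are assumptions for the example.

```python
import ipaddress
from typing import List, Optional, Tuple

# Added example, not FWSM code: static checks for "ip address A MASK [standby S]" lines.

def check_ip_address(address: str, mask: str, standby: Optional[str] = None,
                     transparent: bool = False) -> List[str]:
    """Return the problems found with one ip address line; an empty list means it is acceptable."""
    problems: List[str] = []
    try:
        iface = ipaddress.IPv4Interface(f"{address}/{mask}")
    except ValueError as exc:
        return [f"invalid address/mask: {exc}"]
    net = iface.network
    if transparent:
        # The bridge-group management subnet must hold the upstream router, the downstream
        # router and the FWSM itself, and the FWSM drops ARP to or from the first and last
        # address of the subnet, so a /30 or smaller is unusable.
        usable = max(net.num_addresses - 2, 0)
        if net.prefixlen >= 31:
            problems.append(f"/{net.prefixlen} leaves no usable host addresses on a transparent firewall")
        elif usable < 3:
            problems.append(f"{net} has only {usable} usable host addresses; at least 3 are needed")
        if iface.ip in (net.network_address, net.broadcast_address):
            problems.append(f"{iface.ip} is the first or last address of {net}; ARP for it is dropped")
    if standby is not None:
        sb = ipaddress.IPv4Address(standby)
        if sb not in net:
            problems.append(f"standby {sb} is not on subnet {net}")
        elif sb == iface.ip:
            problems.append("standby address must differ from the main address")
        elif transparent and sb in (net.network_address, net.broadcast_address):
            problems.append(f"standby {sb} is the first or last address of {net}; ARP for it is dropped")
    return problems


def check_routed_subnets(interfaces: List[Tuple[str, str, str]]) -> List[str]:
    """Single context routed mode: every (name, address, mask) must be on its own subnet."""
    nets = [(name, ipaddress.IPv4Interface(f"{addr}/{mask}").network) for name, addr, mask in interfaces]
    problems: List[str] = []
    for i, (name1, net1) in enumerate(nets):
        for name2, net2 in nets[i + 1:]:
            if net1.overlaps(net2):
                problems.append(f"{name1} ({net1}) overlaps {name2} ({net2})")
    return problems


if __name__ == "__main__":
    # The addresses below are the ones used in the examples on this page.
    print(check_ip_address("10.1.3.1", "255.255.255.0", "10.1.3.2", transparent=True))   # []
    print(check_ip_address("10.1.3.1", "255.255.255.252", "10.1.3.2", transparent=True)) # /30 too small
    print(check_routed_subnets([("inside", "10.1.1.1", "255.255.255.0"),
                                ("outside", "10.1.2.1", "255.255.255.0")]))              # []
```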

Examples

The following example sets the IP addresses and standby addresses of two interfaces:

hostname(config)# interface vlan 100
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
hostname(config-if)# interface vlan 200
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# ip address 10.1.2.1 255.255.255.0 standby 10.1.2.2

The following transparent firewall example assigns VLANs 300 and 301 to bridge group 1, then sets the management address and standby address of bridge group 1:

hostname(config)# interface vlan 300
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# bridge-group 1
hostname(config-if)# interface vlan 301
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# bridge-group 1
hostname(config-if)# interface bvi 1
hostname(config-if)# ip address 10.1.3.1 255.255.255.0 standby 10.1.3.2

Related Commands

Command
Description

interface bvi

Configures a transparent firewall bridge group.

bridge-group

Assigns an interface to a bridge group.

interface

Configures an interface and enters interface configuration mode.

ip address dhcp

Sets the interface to obtain an IP address from a DHCP server.

show ip address

Shows the IP address assigned to an interface.


ip-address

To include the FWSM IP address in the certificate during enrollment, use the ip-address command in crypto ca trustpoint configuration mode. To restore the default setting, use the no form of the command.

ip-address ip-address

no ip-address

Syntax Description

ip-address

Specifies the IP address of the FWSM.


Defaults

The default setting is to not include the IP address.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Crypto ca trustpoint configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Examples

The following example enters crypto ca trustpoint configuration mode for trustpoint central, and includes the FWSM IP address in the enrollment request for trustpoint central:

hostname(config)# crypto ca trustpoint central
hostname(ca-trustpoint)# ip-address 209.165.200.225

Related Commands

Command
Description

crypto ca trustpoint

Enters trustpoint configuration mode.

default enrollment

Returns enrollment parameters to their defaults.


ip-address-privacy

To enable the IP Address Privacy feature, use the ip-address-privacy command in SIP map configuration mode. To disable IP Address Privacy, use the no form of this command.

ip-address-privacy

no ip-address-privacy

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

SIP map configuration


Command History

Release
Modification

FWSM 3.1

This command was introduced.


Usage Guidelines

When IP Address Privacy is enabled, if any two SIP endpoints participating in an IP phone call or instant messaging session use the same internal firewall interface to contact their SIP proxy server on an external firewall interface, all SIP signaling messages go through the SIP proxy server.

IP Address Privacy can be enabled when SIP over TCP or UDP application inspection is enabled. By default, this feature is disabled. If IP Address Privacy is enabled, the FWSM does not translate internal and external host IP addresses embedded in the TCP or UDP payload of inbound SIP traffic, ignoring translation rules for those IP addresses.

Examples

The following example shows how to identify SIP traffic, define a SIP map, define a policy, and apply the policy to the outside interface.

hostname(config)# access-list sip-acl permit tcp any any eq 5060
hostname(config)# class-map sip-port
hostname(config-cmap)# match access-list sip-acl
hostname(config-cmap)# sip-map inbound_sip
hostname(config-sip-map)# ip-address-privacy
hostname(config-sip-map)# policy-map S1_policy
hostname(config-pmap)# class sip-port
hostname(config-pmap-c)# inspect sip inbound_sip
hostname(config)# service-policy S1_policy interface outside

Related Commands

Commands
Description

class-map

Defines the traffic class to which to apply security actions.

inspect sip

Enables SIP application inspection.

policy-map

Associates a class map with specific security actions.

sip-map

Defines a SIP application inspection map.


ip local pool

To configure IP address pools to be used for VPN remote access tunnels, use the ip local pool command in global configuration mode. To delete address pools, use the no form of this command.

ip local pool poolname first-address-last-address [mask mask]

no ip local pool poolname

Syntax Description

first-address

Specifies the starting address in the range of IP addresses.

last-address

Specifies the final address in the range of IP addresses.

mask mask

(Optional) Specifies a subnet mask for the pool of addresses.

poolname

Specifies the name of the IP address pool.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

3.1(1)

Support for this command was introduced.


Usage Guidelines

You must supply the mask value when the IP addresses assigned to VPN clients belong to a non-standard network and the data could be routed incorrectly if you use the default mask. A typical example is when the IP local pool contains 10.10.10.0/255.255.255.0 addresses, since this is a Class A network by default. This could cause some routing issues when the VPN client needs to access different subnets within the 10 network over different interfaces. For example, if a printer, address 10.10.100.1/255.255.255.0 is available via interface 2, but the 10.10.10.0 network is available over the VPN tunnel and therefore interface 1, the VPN client would be confused as to where to route data destined for the printer. Both the 10.10.10.0 and 10.10.100.0 subnets fall under the 10.0.0.0 Class A network so the printer data may be sent over the VPN tunnel.
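The following added example (constructed for this page, not FWSM code) parses an ip local pool line and shows why the mask matters: with no mask the pool takes the classful default (the same default the ip address command falls back to when its mask is omitted), so a 10.10.10.x pool is treated as 10.0.0.0/8 and a client would send traffic for the 10.10.100.1 printer into the tunnel; with mask 255.255.255.0 the printer falls outside the pool network. The helper names and the classful-mask rule are assumptions for the example.

```python
import ipaddress
import re
from typing import Dict

# Added example, not FWSM code: parse "ip local pool" and show the effect of the mask.

def classful_default_mask(address: str) -> str:
    """Mask assumed when none is given: the classful default for the address."""
    first_octet = int(address.split(".")[0])
    if first_octet < 128:
        return "255.0.0.0"        # Class A
    if first_octet < 192:
        return "255.255.0.0"      # Class B
    return "255.255.255.0"        # Class C


POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)(?: mask (\S+))?$")


def parse_pool(line: str) -> Dict[str, object]:
    """Parse 'ip local pool poolname first-address-last-address [mask mask]'."""
    m = POOL_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an ip local pool line: {line!r}")
    name, first, last, mask = m.groups()
    first_ip, last_ip = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if last_ip < first_ip:
        raise ValueError("last-address precedes first-address")
    effective_mask = mask or classful_default_mask(first)
    network = ipaddress.IPv4Interface(f"{first}/{effective_mask}").network
    if last_ip not in network:
        raise ValueError(f"range {first}-{last} does not fit in {network}")
    return {"name": name, "first": first_ip, "last": last_ip, "mask": effective_mask,
            "network": network, "size": int(last_ip) - int(first_ip) + 1}


def client_sends_over_tunnel(pool: Dict[str, object], destination: str) -> bool:
    """True when a client that derives its local subnet from the pool mask would treat the
    destination as reachable through the tunnel rather than through another interface."""
    return ipaddress.IPv4Address(destination) in pool["network"]


if __name__ == "__main__":
    # Constructed lines; 10.10.100.1 plays the printer from the usage guidelines.
    no_mask = parse_pool("ip local pool clients 10.10.10.1-10.10.10.254")
    with_mask = parse_pool("ip local pool clients 10.10.10.1-10.10.10.254 mask 255.255.255.0")
    print(no_mask["network"], client_sends_over_tunnel(no_mask, "10.10.100.1"))      # 10.0.0.0/8 True
    print(with_mask["network"], client_sends_over_tunnel(with_mask, "10.10.100.1"))  # 10.10.10.0/24 False
```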

Examples

The following example configures an IP address pool named firstpool. The starting address is 10.20.30.40 and the ending address is 10.20.30.50. The network mask is 255.255.255.0.

hostname(config)# ip local pool firstpool 10.20.30.40-10.20.30.50 mask 255.255.255.0

Related Commands

Command
Description

clear configure ip local pool

Removes all ip local pools.

show running-config ip local pool

Displays the ip pool configuration. To specify a specific IP address pool, include the name in the command.


ip verify reverse-path

To enable Unicast RPF, use the ip verify reverse-path command in global configuration mode. To disable this feature, use the no form of this command. Unicast RPF guards against IP spoofing (a packet uses an incorrect source IP address to obscure its true source) by ensuring that all packets have a source IP address that matches the correct source interface according to the routing table.

ip verify reverse-path interface interface_name

no ip verify reverse-path interface interface_name

Syntax Description

interface_name

The interface on which you want to enable Unicast RPF.


Defaults

This feature is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

1.1(1)

This command was introduced.


Usage Guidelines

Normally, the FWSM only looks at the destination address when determining where to forward the packet. Unicast RPF instructs the FWSM to also look at the source address; this is why it is called Reverse Path Forwarding. For any traffic that you want to allow through the FWSM, the FWSM routing table must include a route back to the source address. See RFC 2267 for more information.

For outside traffic, for example, the FWSM can use the default route to satisfy the Unicast RPF protection. If traffic enters from an outside interface, and the source address is not known to the routing table, the FWSM uses the default route to correctly identify the outside interface as the source interface.

If traffic enters the outside interface from an address that is known to the routing table, but is associated with the inside interface, then the FWSM drops the packet. Similarly, if traffic enters the inside interface from an unknown source address, the FWSM drops the packet because the matching route (the default route) indicates the outside interface.

Unicast RPF is implemented as follows:

ICMP packets have no session, so each packet is checked.

UDP and TCP have sessions, so the initial packet requires a reverse route lookup. Subsequent packets arriving during the session are checked using an existing state maintained as part of the session. Non-initial packets are checked to ensure they arrived on the same interface used by the initial packet.
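The following added example (constructed for this page, not FWSM code) models the Unicast RPF behaviour described above: a longest-prefix routing lookup on the source address that must return the ingress interface, the default route satisfying the check for outside traffic, ICMP checked per packet, and TCP/UDP checked once on the initial packet with later packets of the session required to arrive on the same interface. The routing table, interface names and class names are assumptions for the example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Added example, not FWSM code: a model of the Unicast RPF check.
# Routes are (prefix, egress interface) pairs constructed for the example.

class RoutingTable:
    def __init__(self, routes: List[Tuple[str, str]]):
        self.routes = [(ipaddress.ip_network(prefix), iface) for prefix, iface in routes]

    def lookup(self, address: str) -> Optional[str]:
        """Longest-prefix match; the default route 0.0.0.0/0 matches when nothing else does."""
        addr = ipaddress.ip_address(address)
        best = None
        for net, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None


class UnicastRPF:
    def __init__(self, table: RoutingTable, enabled_interfaces: List[str]):
        self.table = table
        self.enabled = set(enabled_interfaces)      # ip verify reverse-path interface <name>
        # Session state: 5-tuple -> ingress interface of the session's initial packet.
        self.sessions: Dict[tuple, str] = {}
        self.dropped = 0                            # what show ip verify statistics would count

    def _reverse_lookup(self, src: str, in_iface: str) -> bool:
        # The route back to the source must point at the interface the packet arrived on.
        return self.table.lookup(src) == in_iface

    def check(self, proto: str, src: str, dst: str, in_iface: str,
              sport: Optional[int] = None, dport: Optional[int] = None) -> str:
        """Return 'pass' or 'drop' for one packet, updating session state."""
        if in_iface not in self.enabled:
            return "pass"
        if proto == "icmp":
            ok = self._reverse_lookup(src, in_iface)      # no session: every packet is checked
        else:
            key = (proto, src, sport, dst, dport)
            if key in self.sessions:
                ok = self.sessions[key] == in_iface       # non-initial packet: same interface as the first
            else:
                ok = self._reverse_lookup(src, in_iface)  # initial packet: reverse route lookup
                if ok:
                    self.sessions[key] = in_iface
        if not ok:
            self.dropped += 1
        return "pass" if ok else "drop"


if __name__ == "__main__":
    table = RoutingTable([("0.0.0.0/0", "outside"), ("10.1.1.0/24", "inside")])
    rpf = UnicastRPF(table, ["outside", "inside"])
    print(rpf.check("icmp", "203.0.113.5", "10.1.1.10", "outside"))   # pass: default route -> outside
    print(rpf.check("icmp", "10.1.1.7", "203.0.113.5", "outside"))    # drop: inside subnet arriving on outside
    print(rpf.check("icmp", "192.0.2.9", "10.1.1.10", "inside"))      # drop: unknown source on inside
```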

Examples

The following example enables Unicast RPF on the outside interface:

hostname(config)# ip verify reverse-path interface outside

Related Commands

Command
Description

clear configure ip verify reverse-path

Clears the ip verify reverse-path configuration.

clear ip verify statistics

Clears the Unicast RPF statistics.

show ip verify statistics

Shows the Unicast RPF statistics.

show running-config ip verify reverse-path

Shows the ip verify reverse-path configuration.


ip-comp

To enable LZS IP compression, use the ip-comp enable command in group-policy configuration mode. To disable IP compression, use the ip-comp disable command.

To remove the ip-comp attribute from the running configuration, use the no form of this command. This enables inheritance of a value from another group policy.

ip-comp {enable | disable}

no ip-comp

Syntax Description

disable

Disables IP compression.

enable

Enables IP compression.


Defaults

IP compression is disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

Enabling data compression might speed up data transmission rates for remote dial-in users connecting with modems.


Caution: Data compression increases the memory requirement and CPU utilization for each user session and consequently decreases the overall throughput of the FWSM. For this reason, we recommend that you enable data compression only for remote users connecting with a modem. Design a group policy specific to modem users, and enable compression only for them.

Examples

The following example shows how to enable IP compression for the group policy named "FirstGroup":

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# ip-comp enable

ip-phone-bypass

To enable IP Phone Bypass, use the ip-phone-bypass enable command in group-policy configuration mode. To disable IP Phone Bypass, use the ip-phone-bypass disable command. To remove the IP phone Bypass attribute from the running configuration, use the no form of this command. This option allows inheritance of a value for IP Phone Bypass from another group policy.

IP Phone Bypass lets IP phones behind hardware clients connect without undergoing user authentication processes. If enabled, secure unit authentication remains in effect.

ip-phone-bypass {enable | disable}

no ip-phone-bypass

Syntax Description

disable

Disables IP Phone Bypass.

enable

Enables IP Phone Bypass.


Defaults

IP Phone Bypass is disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

You need to configure IP Phone Bypass only if you have enabled user authentication.

Examples

The following example shows how to enable IP Phone Bypass for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# ip-phone-bypass enable

Related Commands

Command
Description

user-authentication

Requires users behind a hardware client to identify themselves to the FWSM before connecting.


ipsec-udp

To enable IPSec over UDP, use the ipsec-udp enable command in group-policy configuration mode. To disable IPSec over UDP, use the ipsec-udp disable command. To remove the IPSec over UDP attribute from the running configuration, use the no form of this command. This enables inheritance of a value for IPSec over UDP from another group policy.

IPSec over UDP, sometimes called IPSec through NAT, lets a Cisco VPN client or hardware client connect via UDP to a FWSM that is running NAT.

ipsec-udp {enable | disable}

no ipsec-udp

Syntax Description

disable

Disables IPSec over UDP.

enable

Enables IPSec over UDP.


Defaults

IPSec over UDP is disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

To use IPSec over UDP, you must also configure the ipsec-udp-port command.

The Cisco VPN client must also be configured to use IPSec over UDP (it is configured to use it by default). The VPN 3002 requires no configuration to use IPSec over UDP.

IPSec over UDP is proprietary, it applies only to remote-access connections, and it requires mode configuration, which means the FWSM exchanges configuration parameters with the client while negotiating SAs.

Using IPSec over UDP may slightly degrade system performance.

Examples

The following example shows how to set IPSec over UDP for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# ipsec-udp enable

Related Commands

Command
Description

ipsec-udp-port

Specifies the port on which the FWSM listens for UDP traffic.


ipsec-udp-port

To set a UDP port number for IPSec over UDP, use the ipsec-udp-port command in group-policy configuration mode. To disable the UDP port, use the no form of this command. This enables inheritance of a value for the IPSec over UDP port from another group policy.

In IPSec negotiations, the FWSM listens on the configured port and forwards UDP traffic for that port even if other filter rules drop UDP traffic.

ipsec-udp-port port

no ipsec-udp-port

Syntax Description

port

Identifies the UDP port number using an integer in the range 4001 through 49151.


Defaults

The default port is 10000.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

You can configure multiple group policies with this feature enabled, and each group policy can use a different port number.

Examples

The following example shows how to set an IPSec UDP port to port 4025 for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# ipsec-udp-port 4025

Related Commands

Command
Description

ipsec-udp

Lets a Cisco VPN client or hardware client connect via UDP to a FWSM that is running NAT.


ipv6 access-list

To configure an IPv6 access list, use the ipv6 access-list command in global configuration mode. To remove an ACE, use the no form of this command. Access lists define the traffic that the FWSM allows to pass through or blocks.

ipv6 access-list id [line line-num] {deny | permit} {protocol | object-group protocol_obj_grp_id} {source-ipv6-prefix/prefix-length | any | host source-ipv6-address | object-group network_obj_grp_id} [operator {port [port] | object-group service_obj_grp_id}] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | object-group network_obj_grp_id} [{operator port [port] | object-group service_obj_grp_id}] [log [[level] [interval secs] | disable | default]]

no ipv6 access-list id [line line-num] {deny | permit} {protocol | object-group protocol_obj_grp_id} {source-ipv6-prefix/prefix-length | any | host source-ipv6-address | object-group network_obj_grp_id} [operator {port [port] | object-group service_obj_grp_id}] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | object-group network_obj_grp_id} [{operator port [port] | object-group service_obj_grp_id}] [log [[level] [interval secs] | disable | default]]

ipv6 access-list id [line line-num] {deny | permit} icmp6 {source-ipv6-prefix/prefix-length | any | host source-ipv6-address | object-group network_obj_grp_id} {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | object-group network_obj_grp_id} [icmp_type | object-group icmp_type_obj_grp_id] [log [[level] [interval secs] | disable | default]]

no ipv6 access-list id [line line-num] {deny | permit} icmp6 {source-ipv6-prefix/prefix-length | any | host source-ipv6-address | object-group network_obj_grp_id} {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | object-group network_obj_grp_id} [icmp_type | object-group icmp_type_obj_grp_id] [log [[level] [interval secs] | disable | default]]
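The following added example (constructed for this page, not FWSM code) parses a common subset of the ipv6 access-list syntax above (permit/deny, a protocol or icmp6, any / host / prefix address specs, the eq port operator, an ICMPv6 type literal, and the log options) and evaluates packets against the resulting list: first match wins, an unmatched packet hits the implicit deny and is not logged, a denied packet with no log keyword or log default produces message 106023, and an explicit log keyword produces message 106100 at the given level. The ICMPv6 type numbers for the literals come from RFC 4443 and RFC 4861; the parser, its limits (no object groups, no operators other than eq) and the sample packets are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example, not FWSM code: parse a subset of ipv6 access-list ACEs and evaluate packets.

# ICMPv6 type numbers for literals listed in the syntax description (RFC 4443 / RFC 4861).
ICMP6_TYPES = {
    "destination-unreachable": 1, "packet-too-big": 2, "time-exceeded": 3,
    "parameter-problem": 4, "echo-request": 128, "echo-reply": 129,
    "router-solicitation": 133, "router-advertisement": 134,
    "neighbor-solicitation": 135, "neighbor-advertisement": 136,
}


@dataclass
class Ace:
    acl_id: str
    action: str                      # "permit" or "deny"
    protocol: str                    # "tcp", "udp", "icmp6" or "ip" (any protocol)
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network
    sport: Optional[int] = None      # only the eq operator is modelled
    dport: Optional[int] = None
    icmp_type: Optional[int] = None  # None means all ICMPv6 types
    log: str = "default"             # "default" (106023), "log" (106100) or "disable"
    level: int = 6                   # syslog level for 106100; default 6 (informational)


def _addr_spec(t: List[str], i: int):
    """Consume 'any', 'host ADDR' or PREFIX/LEN plus an optional 'eq PORT'."""
    if t[i] == "any":
        net, i = ipaddress.IPv6Network("::/0"), i + 1
    elif t[i] == "host":
        net, i = ipaddress.IPv6Network(t[i + 1] + "/128"), i + 2
    else:
        net, i = ipaddress.IPv6Network(t[i], strict=False), i + 1
    port = None
    if i < len(t) and t[i] == "eq":
        port, i = int(t[i + 1]), i + 2
    return net, port, i


def parse_ace(line: str) -> Ace:
    t = line.split()
    if t[:2] != ["ipv6", "access-list"]:
        raise ValueError("not an ipv6 access-list line")
    i = 3
    if t[i] == "line":               # 'line line-num' accepted; insertion position not modelled
        i += 2
    action, proto, i = t[i], t[i + 1], i + 2
    src, sport, i = _addr_spec(t, i)
    dst, dport, i = _addr_spec(t, i)
    icmp_type = None
    if proto == "icmp6" and i < len(t) and t[i] != "log":
        icmp_type = ICMP6_TYPES.get(t[i])
        if icmp_type is None:
            icmp_type = int(t[i])    # numeric type 0-255
        i += 1
    ace = Ace(t[2], action, proto, src, dst, sport, dport, icmp_type)
    if i < len(t) and t[i] == "log":
        ace.log = "log"
        i += 1
        while i < len(t):
            if t[i] in ("disable", "default"):
                ace.log = t[i]
            elif t[i] == "interval":
                i += 1               # interval secs: rate limiting is not modelled here
            else:
                ace.level = int(t[i])
            i += 1
    return ace


def matches(ace: Ace, pkt: Dict[str, object]) -> bool:
    if ace.protocol != "ip" and ace.protocol != pkt["proto"]:
        return False
    if ipaddress.IPv6Address(pkt["src"]) not in ace.src or ipaddress.IPv6Address(pkt["dst"]) not in ace.dst:
        return False
    if ace.sport is not None and pkt.get("sport") != ace.sport:
        return False
    if ace.dport is not None and pkt.get("dport") != ace.dport:
        return False
    if ace.icmp_type is not None and pkt.get("icmp_type") != ace.icmp_type:
        return False
    return True


def evaluate(acl: List[Ace], pkt: Dict[str, object]) -> Tuple[str, Optional[Dict[str, int]]]:
    """First matching ACE decides; returns (verdict, syslog message or None)."""
    for ace in acl:
        if matches(ace, pkt):
            if ace.action == "permit":
                return "permit", None
            if ace.log == "disable":
                return "deny", None
            if ace.log == "log":
                return "deny", {"id": 106100, "level": ace.level}
            return "deny", {"id": 106023}
    return "deny", None              # implicit deny at the end of the list is not logged
```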

Syntax Description

any

An abbreviation for the IPv6 prefix ::/0, indicating any IPv6 address.

default

(Optional) Specifies that a syslog message 106100 is generated for the ACE.

deny

Denies access if the conditions are matched.

destination-ipv6-address

The IPv6 address of the host receiving the traffic.

destination-ipv6-prefix

The IPv6 network address where the traffic is destined.

disable

(Optional) Disables syslog messaging.

host

Indicates that the address refers to a specific host.

icmp6

Specifies that the access rule applies to ICMPv6 traffic passing through the FWSM.

icmp_type

Specifies the ICMP message type being filtered by the access rule. The value can be a valid ICMP type number (from 0 to 255) or one of the following ICMP type literals:

destination-unreachable

packet-too-big

time-exceeded

parameter-problem

echo-request

echo-reply

membership-query

membership-report

membership-reduction

router-renumbering

router-solicitation

router-advertisement

neighbor-solicitation

neighbor-advertisement

neighbor-redirect

Omitting the icmp_type argument indicates all ICMP types.

icmp_type_obj_grp_id

(Optional) Specifies the object group ICMP type ID.

id

Name or number of an access list.

interval secs

(Optional) Specifies the time interval at which to generate an 106100 syslog message; valid values are from 1 to 600 seconds. The default interval is 300 seconds. This value is also used as the timeout value for deleting an inactive flow.

level

(Optional) Specifies the syslog level for message 106100; valid values are from 0 to 7. The default level is 6 (informational).

line line-num

(Optional) The line number where the access rule is being inserted into the list. If you do not specify a line number, the ACE is added to the end of the access list.

log

(Optional) Specifies the logging action for the ACE. If you do not specify the log keyword or you specify the log default keyword, then message 106023 is generated when a packet is denied by the ACE. If you specify the log keyword alone or with a level or interval, then message 106100 is generated when a packet is denied by the ACE. Packets that are denied by the implicit deny at the end of an access list are not logged. You must exp