-
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference, 3.1
-
About This Guide
-
Using the Command Line Interface
-
aaa accounting through accounting-server-group
-
activation-key through auto-update timeout
-
backup-servers through bridge-group
-
cache-time through clear capture
-
clear configure through clear configure virtual
-
clear console-output through clear xlate
-
client-access-rule through crl-configure
-
crypto ca authenticate through crypto map set trustpoint
-
debug aaa through debug xdmcp
-
default through drop
-
email through ftp-map
-
gateway through http-map
-
icmp through ignore lsa mospf
-
inspect ctiqbe through inspect xdmcp
-
interface through issuer-name
-
join-failover-group through kill
-
ldap-base-dn through log-adj-changes
-
logging asdm through logout
-
mac-address-table aging-time through multicast-routing
-
name through ospf transmit-delay
-
pager through pwd
-
quit through router-id
-
same-security-traffic through show asdm sessions
-
show asp drop through show curpriv
-
show debug through show ipv6 traffic
-
show isakmp sa through show route
-
show running-config through show running-config isakmp
-
show running-config logging through show running-config vpn-sessiondb
-
show service-policy through show xlate
-
shun through sysopt uauth allow-http-cache
-
telnet through tunnel-limit
-
upgrade-mp through write terminal
-
Table Of Contents
name through ospf transmit-delay Commands
ospf network point-to-point non-broadcast
name through ospf transmit-delay Commands
name
To associate a name with an IP address, use the name command in global configuration mode. To disable the use of the text names but not remove them from the configuration, use the no form of this command.
name ip_address name
no name ip_address [name]
Syntax Description
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
To enable the association of a name with an IP address, use the names command. You can associate only one name with an IP address.
You must first use the names command before you use the name command. Use the name command immediately after you use the names command and before you use the write memory command.
The name command lets you identify a host by a text name and map text strings to IP addresses. The no name command allows you to disable the use of the text names but does not remove them from the configuration. Use the clear configure name command to clear the list of names from the configuration.
To disable displaying name values, use the no names command.
Both the name and names commands are saved in the configuration.
The name command does not support assigning a name to a network mask. For example, this command would be rejected:
hostname(config)# name 255.255.255.0 class-C-mask
Note
Examples
This example shows that the names command allows you to enable use of the name command. The name command substitutes sa_inside for references to 192.168.42.3 and sa_outside for 209.165.201.3. You can use these names with the ip address commands when assigning IP addresses to the network interfaces. The no names command disables the name command values from displaying. Subsequent use of the names command again restores the name command value display.
hostname(config)# nameshostname(config)# name 192.168.42.3 sa_insidehostname(config)# name 209.165.201.3 sa_outsidehostname(config-if)# ip address inside sa_inside 255.255.255.0hostname(config-if)# ip address outside sa_outside 255.255.255.224hostname(config)# show ip addressSystem IP Addresses:inside ip address sa_inside mask 255.255.255.0outside ip address sa_outside mask 255.255.255.224hostname(config)# no nameshostname(config)# show ip addressSystem IP Addresses:inside ip address 192.168.42.3 mask 255.255.255.0outside ip address 209.165.201.3 mask 255.255.255.224hostname(config)# nameshostname(config)# show ip addressSystem IP Addresses:inside ip address sa_inside mask 255.255.255.0outside ip address sa_outside mask 255.255.255.224Related Commands
nameif
To provide a name for an interface, use the nameif command in interface configuration mode. To remove the name, use the no form of this command. The interface name is used in all configuration commands on the FWSM instead of the interface type and ID (such as gigabitethernet1), and is therefore required before traffic can pass through the interface.
nameif name
no nameif
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
•
•
•
—
Command History
1.1(1)
This command was introduced.
3.1(1)
This command was changed from a global configuration command to an interface configuration mode command.
Usage Guidelines
You can change the name by reentering this command with a new value. Do not enter the no form, because that command causes all commands that refer to that name to be deleted.
Examples
The following example configures the names for two interfaces to be "inside" and "outside:"
hostname(config)# interface gigabitethernet1hostname(config-if)# nameif insidehostname(config-if)# security-level 100hostname(config-if)# ip address 10.1.1.1 255.255.255.0hostname(config-if)# no shutdownhostname(config-if)# interface gigabitethernet0hostname(config-if)# nameif outsidehostname(config-if)# security-level 0hostname(config-if)# ip address 10.1.2.1 255.255.255.0hostname(config-if)# no shutdownRelated Commands
names
To enable IP address to the name conversions that you can configured with the name command, use the names command in global configuration mode. To disable address to name conversion, use the no form of this command.
names
no names
Syntax Description
This command has no arguments or keywords.
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
The names command is used to enable the association of a name with an IP address that you configured with the name command. The order in which you enter the name or names commands is irrelevant.
Examples
The following example shows how to enable the association of a name with an IP address:
hostname(config)# namesRelated Commands
nat
To identify addresses on one interface that are translated to mapped addresses on another interface, use the nat command in global configuration mode. This command configures dynamic NAT or PAT, where an address is translated to one of a pool of mapped addresses. To remove the nat command, use the no form of this command.
For regular dynamic NAT:
nat (real_ifc) nat_id real_ip [mask [dns] [outside] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns] [norandomseq]]
no nat (real_ifc) nat_id real_ip [mask [dns] [outside] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns] [norandomseq]]
For policy dynamic NAT and NAT exemption:
nat (real_ifc) nat_id access-list access_list_name [dns] [outside] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns] [norandomseq]
no nat (real_ifc) nat_id access-list access_list_name [dns] [outside] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns] [norandomseq]
Syntax Description
Defaults
The default value for tcp_max_conns, emb_limit, and udp_max_conns is 0 (unlimited), which is the maximum available.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
•
—
Command History
Usage Guidelines
For dynamic NAT and PAT, you first configure a nat command identifying the real addresses on a given interface that you want to translate. Then you configure a separate global command to specify the mapped addresses when exiting another interface (in the case of PAT, this is one address). Each nat command matches a global command by comparing the NAT ID, a number that you assign to each command.
The FWSM translates an address when a NAT rule matches the traffic. If no NAT rule matches, processing for the packet continues. The exception is when you enable NAT control using the nat-control command. NAT control requires that packets traversing from a higher security interface (inside) to a lower security interface (outside) match a NAT rule, or else processing for the packet stops. NAT is not required between same security level interfaces even if you enable NAT control. You can optionally configure NAT if desired.
Dynamic NAT translates a group of real addresses to a pool of mapped addresses that are routable on the destination network. The mapped pool can include fewer addresses than the real group. When a host you want to translate accesses the destination network, the FWSM assigns it an IP address from the mapped pool. The translation is added only when the real host initiates the connection. The translation is in place only for the duration of the connection, and a given user does not keep the same IP address after the translation times out (see the timeout xlate command). Users on the destination network, therefore, cannot reliably initiate a connection to a host that uses dynamic NAT (or PAT, even if the connection is allowed by an access list), and the FWSM rejects any attempt to connect to a real host address directly. See the static command for reliable access to hosts.
Dynamic NAT has these disadvantages:
•
Use PAT if this event occurs often, because PAT provides over 64,000 translations using ports of a single address.
•
The advantage of dynamic NAT is that some protocols cannot use PAT. For example, PAT does not work with IP protocols that do not have a port to overload, such as GRE version 0. PAT also does not work with some applications that have a data stream on one port and the control path on another and are not open standard, such as some multimedia applications.
PAT translates multiple real addresses to a single mapped IP address. Specifically, the FWSM translates the real address and source port (real socket) to the mapped address and a unique port above 1024 (mapped socket). Each connection requires a separate translation, because the source port differs for each connection. For example, 10.1.1.1:1025 requires a separate translation from 10.1.1.1:1026.
After the connection expires, the port translation also expires after 30 seconds of inactivity. The timeout is not configurable.
PAT lets you use a single mapped address, thus conserving routable addresses. You can even use the FWSM interface IP address as the PAT address. PAT does not work with some multimedia applications that have a data stream that is different from the control path.
Note
If you enable NAT control, then inside hosts must match a NAT rule when accessing outside hosts. If you do not want to perform NAT for some hosts, then you can bypass NAT for those hosts (alternatively, you can disable NAT control). You might want to bypass NAT, for example, if you are using an application that does not support NAT. You can use the static command to bypass NAT, or one of the following options:
•
For identity NAT, even though the mapped address is the same as the real address, you cannot initiate a connection from the outside to the inside (even if the interface access list allows it). Use static identity NAT or NAT exemption for this functionality.
•
Policy NAT lets you identify real addresses for address translation by specifying the source and destination addresses in an extended access list. You can also optionally specify the source and destination ports. Regular NAT can only consider the real addresses. For example, you can translate the real address to mapped address A when it accesses server A, but translate the real address to mapped address B when it accesses server B.
When you specify the ports in policy NAT for applications that require application inspection for secondary channels (FTP, VoIP, etc.), the FWSM automatically translates the secondary ports.
Note
You can alternatively set connection limits (but not embryonic connection limits) using the Modular Policy Framework. See the set connection commands for more information. You can only set embryonic connection limits using NAT. If you configure these settings for the same traffic using both methods, then the FWSM uses the lower limit. For TCP sequence randomization, if it is disabled using either method, then the FWSM disables TCP sequence randomization.
If you change the NAT configuration, and you do not want to wait for existing translations to time out before the new NAT information is used, you can clear the translation table using clear xlate command. However, clearing the translation table disconnects all of the current connections.
Examples
For example, to translate the 10.1.1.0/24 network on the inside interface, enter the following command:
hostname(config)# nat (inside) 1 10.1.1.0 255.255.255.0hostname(config)# global (outside) 1 209.165.201.1-209.165.201.30To identify a pool of addresses for dynamic NAT as well as a PAT address for when the NAT pool is exhausted, enter the following commands:
hostname(config)# nat (inside) 1 10.1.1.0 255.255.255.0hostname(config)# global (outside) 1 209.165.201.5hostname(config)# global (outside) 1 209.165.201.10-209.165.201.20To translate the lower security dmz network addresses so they appear to be on the same network as the inside network (10.1.1.0), for example, to simplify routing, enter the following commands:
hostname(config)# nat (dmz) 1 10.1.2.0 255.255.255.0 outside dnshostname(config)# global (inside) 1 10.1.1.45To identify a single real address with two different destination addresses using policy NAT, enter the following commands:
hostname(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.0 209.165.201.0 255.255.255.224hostname(config)# access-list NET2 permit ip 10.1.2.0 255.255.255.0 209.165.200.224 255.255.255.224hostname(config)# nat (inside) 1 access-list NET1 tcp 0 2000 udp 10000hostname(config)# global (outside) 1 209.165.202.129hostname(config)# nat (inside) 2 access-list NET2 tcp 1000 500 udp 2000hostname(config)# global (outside) 2 209.165.202.130To identify a single real address/destination address pair that use different ports using policy NAT, enter the following commands:
hostname(config)# access-list WEB permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 255.255.255.255 eq 80hostname(config)# access-list TELNET permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 255.255.255.255 eq 23hostname(config)# nat (inside) 1 access-list WEBhostname(config)# global (outside) 1 209.165.202.129hostname(config)# nat (inside) 2 access-list TELNEThostname(config)# global (outside) 2 209.165.202.130Related Commands
nat-control
To enforce NAT control use the nat-control command in global configuration mode. NAT control requires NAT for inside hosts when they access the outside. To disable NAT control, use the no form of this command.
nat-control
no nat-control
Syntax Description
This command has no arguments or keywords.
Defaults
NAT control is disabled by default (no nat-control command). If you upgraded from an earlier version of software, however, NAT control might be enabled on your system because it was the default in some earlier versions.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
•
—
Command History
Usage Guidelines
NAT control requires that packets traversing from an inside interface to an outside interface match a NAT rule; for any host on the inside network to access a host on the outside network, you must configure NAT to translate the inside host address.
Interfaces at the same security level are not required to use NAT to communicate.
By default, NAT control is disabled, so you do not need to perform NAT on any networks unless you choose to perform NAT.
Note
If you want the added security of NAT control but do not want to translate inside addresses in some cases, you can apply a NAT exemption (nat 0 access-list) or identity NAT (nat 0 or static) rule on those addresses.
Note
Examples
The following example enables NAT control:
hostname(config)# nat-controlRelated Commands
neighbor
To define a static neighbor on a point-to-point, non-broadcast network, use the neighbor command in router configuration mode. To remove the statically defined neighbor from the configuration, use the no form of this command. The neighbor command is used to advertise OSPF routes over VPN tunnels.
neighbor ip_address [interface name]
no neighbor ip_address [interface name]
Syntax Description
interface name
(Optional) The interface name, as specified by the nameif command, through which the neighbor can be reached.
ip_address
IP address of the neighbor router.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Router configuration
•
—
•
—
—
Command History
Usage Guidelines
One neighbor entry must be included for each known non-broadcast network neighbor. The neighbor address must be on the primary address of the interface.
The interface option needs to be specified when the neighbor is not on the same network as any of the directly connected interfaces of the system. Additionally, a static route must be created to reach the neighbor.
Examples
The following example defines a neighbor router with an address of 192.168.1.1:
hostname(config-router)# neighbor 192.168.1.1Related Commands
router ospf
Enters router configuration mode.
show running-config router
Displays the commands in the global router configuration.
nem
To enable network extension mode for hardware clients, use the nem enable command in group-policy configuration mode. To disable NEM, use the nem disable command. To remove the NEM attribute from the running configuration, use the no form of this command. This option allows inheritance of a value from another group policy.
nem {enable | disable}
no nem
Syntax Description
Defaults
Network extension mode is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy
•
—
•
—
—
Usage Guidelines
Network Extension mode lets hardware clients present a single, routable network to the remote private network over the VPN tunnel. IPSec encapsulates all traffic from the private network behind the hardware client to networks behind the FWSM. PAT does not apply. Therefore, devices behind the FWSM have direct access to devices on the private network behind the hardware client over the tunnel, and only over the tunnel, and vice versa. The hardware client must initiate the tunnel, but after the tunnel is up, either side can initiate data exchange.
Command History
Examples
The following example shows how to set NEM for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# nem enablenetwork area
To define the interfaces on which OSPF runs and to define the area ID for those interfaces, use the network area command in router configuration mode. To disable OSPF routing for interfaces defined with the address/netmask pair, use the no form of this command.
network addr mask area area_id
no network addr mask area area_id
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Router configuration
•
—
•
—
—
Command History
Usage Guidelines
For OSPF to operate on the interface, the address of the interface must be covered by the network area command. If the network area command does not cover the IP address of the interface, it will not enable OSPF over that interface.
There is no limit to the number of network area commands you can use on the FWSM.
Examples
The following example enables OSPF on the 192.168.1.1 interface and assigns it to area 2:
hostname(config-router)# network 192.168.1.1 255.255.255.0 area 2Related Commands
router ospf
Enters router configuration mode.
show running-config router
Displays the commands in the global router configuration.
network-object
To add a network object to a network object group, use the network-object command in network configuration mode. To remove network objects, use the no form of this command.
network-object host host_addr | host_name
no network-object host host_addr | host_name
network-object net_addr netmask
no network-object net_addr netmask
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Network configuration
•
•
•
•
—
Command History
Usage Guidelines
The network-object command is used with the object-group command to define a host or a subnet object in network configuration mode.
Examples
The following example shows how to use the network-object command in network configuration mode to create a new network object group:
hostname(config)# object-group network sjj_eng_ftp_servershostname(config-network)# network-object host sjj.eng.ftphostname(config-network)# network-object host 172.16.56.195hostname(config-network)# network-object 192.168.1.0 255.255.255.224hostname(config-network)# group-object sjc_eng_ftp_servershostname(config-network)# quithostname(config)#Related Commands
nt-auth-domain-controller
To specify the name of the NT Primary Domain Controller for this server, use the nt-auth-domain-controller command in AAA-server host mode. To remove this specification, use the no form of this command:
nt-auth-domain-controller hostname
no nt-auth-domain-controller
Syntax Description
hostname
Specify the name, up to 16 characters long, of the Primary Domain Controller for this server.
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Aaa-server host
•
•
•
•
—
Command History
Usage Guidelines
This command is valid only for NT authentication servers. You must have first used the aaa-server host command to enter host configuration mode. The name in the string variable must match the NT entry on the server itself.
Examples
The following example configures the name of the NT Primary Domain Controller for this server as "primary1".
hostname(config)# aaa-server svrgrp1 protocol nthostname(configaaa-server-group)# aaa-server svrgrp1 host 1.2.3.4hostname(config-aaa-server-host)# nt-auth-domain-controller primary1Related Commands
object-group
To define object groups that you can use to optimize your configuration, use the object-group command in global configuration mode. Use the no form of this command to remove object groups from the configuration. This command supports IPv4 and IPv6 addresses.
object-group {protocol | network | icmp-type} obj_grp_id
no object-group {protocol | network | icmp-type} obj_grp_id
object-group service obj_grp_id {tcp | udp | tcp-udp}
no object-group service obj_grp_id {tcp | udp | tcp-udp}
Syntax Description
