Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference, 3.1
pager through pwd

Table Of Contents

pager through pwd Commands

pager

passwd

password (crypto ca trustpoint)

password-storage

peer-id-validate

perfmon

perfmon interval

perfmon settings

periodic

permit errors

pfs

pim

pim accept-register

pim dr-priority

pim hello-interval

pim join-prune-interval

pim old-register-checksum

pim rp-address

pim spt-threshold infinity

ping

policy

policy-map

polltime interface

port-misuse

port-object

preempt

prefix-list

prefix-list description

prefix-list sequence-number

pre-shared-key

primary

privilege

prompt

protocol http

protocol ldap

protocol-object

protocol scep

pwd


pager through pwd Commands


pager

To set the default number of lines on a page before the "---more---" prompt appears for Telnet sessions, use the pager command in global configuration mode.

pager [lines] lines

Syntax Description

[lines] lines

Sets the number of lines on a page before the "---more---" prompt appears. The default is 24 lines; 0 means no page limit. The range is 0 through 2147483647 lines. The lines keyword is optional and the command is the same with or without it.


Defaults

The default is 24 lines.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

3.1(1)

This command was changed from a privileged EXEC mode command to a global configuration mode command. The terminal pager command was added as the privileged EXEC mode command.


Usage Guidelines

This command changes the default pager line setting for Telnet sessions. If you want to temporarily change the setting only for the current session, use the terminal pager command.

If you Telnet to the admin context or session to the system execution space, then the pager line setting follows your session when you change to other contexts, even if the pager command in a given context has a different setting. To change the current pager setting, enter the terminal pager command with a new setting, or you can enter the pager command in the current context. In addition to saving a new pager setting to the context configuration, the pager command applies the new setting to the current Telnet session.

Examples

The following example changes the number of lines displayed to 20:

hostname(config)# pager 20

Related Commands

Command
Description

clear configure terminal

Clears the terminal display width setting.

show running-config terminal

Displays the current terminal settings.

terminal

Allows system log messages to display on the Telnet session.

terminal pager

Sets the number of lines to display in a Telnet session before the "---more---" prompt. This command is not saved to the configuration.

terminal width

Sets the terminal display width in global configuration mode.


passwd

To set the login password, use the passwd command in global configuration mode. To set the password back to the default of "cisco," use the no form of this command. You are prompted for the login password when you access the CLI as the default user using Telnet or SSH. After you enter the login password, you are in user EXEC mode.

{passwd | password} password [encrypted]

no {passwd | password} password

Syntax Description

encrypted

(Optional) Specifies that the password is in encrypted form. The password is saved in the configuration in encrypted form, so you cannot view the original password after you enter it. If for some reason you need to copy the password to another FWSM but do not know the original password, you can enter the passwd command with the encrypted password and this keyword. Normally, you only see this keyword when you enter the show running-config passwd command.

passwd | password

You can enter either command; they are aliased to each other.

password

Sets the password as a case-sensitive string of up to 80 characters. The password must not contain spaces.


Defaults

The default password is "cisco."

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

1.1(1)

This command was introduced.


Usage Guidelines

This login password is for the default user. If you configure CLI authentication per user for Telnet or SSH using the aaa authentication console command, then this password is not used.

Examples

The following example sets the password to Pa$$w0rd:

hostname(config)# passwd Pa$$w0rd

The following example sets the password to an encrypted password that you copied from another FWSM:

hostname(config)# passwd jMorNbK0514fadBh encrypted

Related Commands

Command
Description

clear configure passwd

Clears the login password.

enable

Enters privileged EXEC mode.

enable password

Sets the enable password.

show curpriv

Shows the currently logged in username and the user privilege level.

show running-config passwd

Shows the login password in encrypted form.


password (crypto ca trustpoint)

To specify a challenge phrase that is registered with the CA during enrollment, use the password command in crypto ca trustpoint configuration mode. The CA typically uses this phrase to authenticate a subsequent revocation request. To restore the default setting, use the no form of the command.

password string

no password

Syntax Description

string

Specifies the name of the password as a character string. The first character cannot be a number. The string can contain any alphanumeric characters, including spaces, up to 80 characters. You cannot specify the password in the format number-space-anything. The space after the number causes problems. For example, hello 21 is a legal password, but 21 hello is not. The password checking is case sensitive. For example, the password Secret is different from the password secret.


Defaults

The default setting is to not include a password.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Crypto ca trustpoint configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

This command lets you specify the revocation password for the certificate before actual certificate enrollment begins. The specified password is encrypted when the updated configuration is written to NVRAM by the FWSM.

If this command is enabled, you will not be prompted for a password during certificate enrollment.

Examples

The following example enters crypto ca trustpoint configuration mode for trustpoint central, and includes a challenge phrase registered with the CA in the enrollment request for trustpoint central:

hostname(config)# crypto ca trustpoint central
hostname(ca-trustpoint)# password zzxxyy
hostname(ca-trustpoint)# 

Related Commands

Command
Description

crypto ca trustpoint

Enters trustpoint configuration mode.

default enrollment

Returns enrollment parameters to their defaults.


password-storage

To let users store their login passwords on the client system, use the password-storage enable command in group-policy configuration mode or username configuration mode. To disable password storage, use the password-storage disable command.

To remove the password-storage attribute from the running configuration, use the no form of this command. This enables inheritance of a value for password-storage from another group policy.

password-storage {enable | disable}

no password-storage

Syntax Description

disable

Disables password storage.

enable

Enables password storage.


Defaults

Password storage is disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy

Username


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

Enable password storage only on systems that you know to be in secure sites.

This command has no bearing on interactive hardware client authentication or individual user authentication for hardware clients.

Examples

The following example shows how to enable password storage for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# password-storage enable

peer-id-validate

To specify whether to validate the identity of the peer using the peer certificate, use the peer-id-validate command in tunnel-group ipsec-attributes mode. To return to the default value, use the no form of this command.

peer-id-validate option

no peer-id-validate

Syntax Description

option

Specifies one of the following options:

req: required

cert: if supported by certificate

nocheck: do not check


Defaults

The default setting for this command is req.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Tunnel-group ipsec attributes


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

You can apply this attribute to all tunnel-group types.

Examples

The following example, entered in config-ipsec configuration mode, requires validating the peer using the identity of the peer's certificate for the IPSec LAN-to-LAN tunnel group named 209.165.200.225:

hostname(config)# tunnel-group 209.165.200.225 type IPSec_L2L
hostname(config)# tunnel-group 209.165.200.225 ipsec-attributes
hostname(config-ipsec)# peer-id-validate req
hostname(config-ipsec)# 

Related Commands

Command
Description

clear configure tunnel-group

Clears all configured tunnel groups.

show running-config tunnel-group

Shows the configuration for the indicated tunnel group or for all tunnel groups.

tunnel-group-map default-group

Associates the certificate map entries created using the crypto ca certificate map command with tunnel groups.


perfmon

To enable the FWSM to capture performance information on a periodic basis, use the perfmon verbose command in privileged EXEC mode. To disable performance information output, use the perfmon quiet command. To view the performance information that was captured, use the show console-output command.

perfmon {verbose | quiet}

Syntax Description

verbose

Captures performance information.

quiet

Disables performance monitoring.


Defaults

The default interval is 120 seconds. See the perfmon interval command to set the interval.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

·

·

·

·


Command History

Release
Modification

1.1(1)

This command was introduced.


Usage Guidelines

To enable performance monitoring, enter the perfmon verbose command. To disable it, enter the perfmon quiet command. Output from the perfmon command displays in the Telnet or SSH session terminal window and is directed to the console only if the session terminates. If a terminated session is re-established, the command output appears in the new session window.

Examples

This example shows how to capture the performance monitor statistics every 30 seconds:

hostname# perfmon interval 30
hostname# perfmon verbose
hostname# show console-output
Context: my_context
PERFMON STATS:    Current      Average
Xlates               0/s          0/s
Connections          0/s          0/s
TCP Conns            0/s          0/s
UDP Conns            0/s          0/s
URL Access           0/s          0/s
URL Server Req       0/s          0/s
WebSns Req           0/s          0/s
TCP Fixup            0/s          0/s
TCP Intercept        0/s          0/s
HTTP Fixup           0/s          0/s
FTP Fixup            0/s          0/s
AAA Authen           0/s          0/s
AAA Author           0/s          0/s
AAA Account          0/s          0/s

Related Commands

Command
Description

perfmon settings

Shows the performance monitoring settings.

perfmon interval

Sets the performance monitoring capture interval.

show console-output

Shows the console buffer.

show perfmon

Displays performance information immediately.


perfmon interval

To set the interval in seconds to capture performance information, use the perfmon interval command in privileged EXEC mode.

perfmon interval seconds

Syntax Description

seconds

Specifies the number of seconds before the performance display is refreshed.


Defaults

The default is 120 seconds.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

·

·

·

·


Command History

Release
Modification

1.1(1)

This command was introduced.


Usage Guidelines

To enable performance monitoring, enter the perfmon verbose command. To disable it, enter the perfmon quiet command. Output displays in the Telnet or SSH terminal window.

Examples

This example shows how to capture the performance monitor statistics every 30 seconds:

hostname# perfmon interval 30
hostname# perfmon verbose

Related Commands

Command
Description

perfmon

Enables the FWSM to capture performance monitoring information.

perfmon settings

Shows the performance monitoring settings.

show console-output

Shows the console buffer.

show perfmon

Displays performance information.


perfmon settings

To view the performance monitoring configuration settings, use the perfmon settings command in privileged EXEC mode.

perfmon settings

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

·

·

·

·


Command History

Release
Modification

1.1(1)

This command was introduced.


Examples

This example shows how to display the perfmon settings:

hostname# perfmon settings
interval: 120 (seconds)
quiet

Related Commands

Command
Description

perfmon

Enables the FWSM to capture performance monitoring information.

perfmon interval

Sets the performance monitoring capture interval.

show console-output

Shows the console buffer.

show perfmon

Displays performance information immediately.


periodic

To specify a recurring (weekly) time range for functions that support the time-range feature, use the periodic command in time-range configuration mode. To disable, use the no form of this command.

periodic days-of-the-week time to [days-of-the-week] time

no periodic days-of-the-week time to [days-of-the-week] time

Syntax Description

days-of-the-week

(Optional) The first occurrence of this argument is the starting day or day of the week that the associated time range is in effect. The second occurrence is the ending day or day of the week the associated statement is in effect.

This argument is any single day or combinations of days: Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, and Sunday. Other possible values are:

daily—Monday through Sunday

weekdays—Monday through Friday

weekend—Saturday and Sunday

If the ending days of the week are the same as the starting days of the week, you can omit them.

time

Specifies the time in the format HH:MM. For example, 8:00 is 8:00 a.m. and 20:00 is 8:00 p.m.

to

Entry of the to keyword is required to complete the range "from start-time to end-time."


Defaults

If a value is not entered with the periodic command, access to the FWSM as defined with the time-range command is in effect immediately and always on.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Time-range configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

To implement a time-based ACL, use the time-range command to define specific times of the day and week. Then use the access-list extended time-range command to bind the time range to an ACL.

The periodic command is one way to specify when a time range is in effect. Another way is to specify an absolute time period with the absolute command. Use either of these commands after the time-range global configuration command, which specifies the name of the time range. Multiple periodic entries are allowed per time-range command.

If the end days-of-the-week value is the same as the start value, you can omit it.

If a time-range command has both absolute and periodic values specified, then the periodic commands are evaluated only after the absolute start time is reached, and are not further evaluated after the absolute end time is reached.

Examples

The following examples show how to configure the periodic command:

If you want:
Enter this:

Monday through Friday, 8:00 a.m. to 6:00 p.m. only

periodic weekdays 8:00 to 18:00

Every day of the week, from 8:00 a.m. to 6:00 p.m. only

periodic daily 8:00 to 18:00

Every minute from Monday 8:00 a.m. to Friday 8:00 p.m.

periodic monday 8:00 to friday 20:00

All weekend, from Saturday morning through Sunday night

periodic weekend 00:00 to 23:59

Saturdays and Sundays, from noon to midnight

periodic weekend 12:00 to 23:59

The following example shows how to allow access to the FWSM on Monday through Friday, 8:00 a.m. to 6:00 p.m. only:

hostname(config-time-range)# periodic weekdays 8:00 to 18:00
hostname(config-time-range)#

The following example shows how to allow access to the FWSM on specific days (Monday, Tuesday, and Friday), 10:30 a.m. to 12:30 p.m.:

hostname(config-time-range)# periodic Monday Tuesday Friday 10:30 to 12:30
hostname(config-time-range)#
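
The following added example (not part of the Cisco reference) evaluates whether a given moment falls inside a periodic statement, which is useful when reviewing what a time-based ACL permits. It assumes the end minute is inclusive, and that a statement with differing start and end days names one day on each side and describes one continuous span; the function names are hypothetical.

```python
from datetime import datetime

DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
GROUPS = {"daily": DAYS, "weekdays": DAYS[:5], "weekend": DAYS[5:]}
DAY_MINUTES = 24 * 60


def to_minutes(hhmm):
    """Convert HH:MM (for example 8:00 or 20:00) to minutes after midnight."""
    hours, _, minutes = hhmm.partition(":")
    if not (hours.isdigit() and minutes.isdigit()):
        raise ValueError(f"bad time: {hhmm!r}")
    hours, minutes = int(hours), int(minutes)
    if hours > 23 or minutes > 59:
        raise ValueError(f"bad time: {hhmm!r}")
    return hours * 60 + minutes


def to_days(tokens):
    """Expand day names and daily/weekdays/weekend to 0=Monday .. 6=Sunday."""
    days = []
    for token in tokens:
        name = token.lower()
        if name in GROUPS:
            days.extend(DAYS.index(d) for d in GROUPS[name])
        elif name in DAYS:
            days.append(DAYS.index(name))
        else:
            raise ValueError(f"unknown day: {token!r}")
    return days


def parse_periodic(line):
    """Return (start, end) spans in minutes since Monday 00:00, end inclusive."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0].lower() != "periodic" or "to" not in tokens:
        raise ValueError(f"not a periodic statement: {line!r}")
    split = tokens.index("to")
    left, right = tokens[1:split], tokens[split + 1:]
    if len(left) < 2 or not right:
        raise ValueError(f"incomplete periodic statement: {line!r}")
    start_days, start = to_days(left[:-1]), to_minutes(left[-1])
    end_days, end = to_days(right[:-1]), to_minutes(right[-1])
    if not end_days or end_days == start_days:
        # End days omitted (or identical): the same window on each listed day.
        if end < start:
            raise ValueError("end time is before start time")
        return [(d * DAY_MINUTES + start, d * DAY_MINUTES + end) for d in start_days]
    if len(start_days) != 1 or len(end_days) != 1:
        raise ValueError("a continuous span needs one start day and one end day")
    # Different end day: one continuous span, e.g. monday 8:00 to friday 20:00.
    return [(start_days[0] * DAY_MINUTES + start, end_days[0] * DAY_MINUTES + end)]


def in_effect(line, when):
    """True if the datetime `when` falls inside the periodic statement."""
    now = when.weekday() * DAY_MINUTES + when.hour * 60 + when.minute
    for lo, hi in parse_periodic(line):
        if lo <= hi:
            if lo <= now <= hi:
                return True
        elif now >= lo or now <= hi:  # span wraps past Sunday midnight
            return True
    return False


if __name__ == "__main__":
    # Constructed check times; 2024-01-01 is a Monday.
    for stmt, when in [
        ("periodic weekdays 8:00 to 18:00", datetime(2024, 1, 6, 9, 0)),
        ("periodic monday 8:00 to friday 20:00", datetime(2024, 1, 3, 23, 30)),
        ("periodic Monday Tuesday Friday 10:30 to 12:30", datetime(2024, 1, 2, 11, 0)),
    ]:
        print(f"{stmt!r} at {when:%a %H:%M}: {in_effect(stmt, when)}")
```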

Related Commands

Command
Description

absolute

Defines an absolute time when a time range is in effect.

access-list extended

Configures a policy for permitting or denying IP traffic through the FWSM.

time-range

Defines access control to the FWSM based on time.


permit errors

To allow invalid GTP packets or packets that otherwise would fail parsing and be dropped, use the permit errors command in GTP map configuration mode, which is accessed by using the gtp-map command. Use the no form of this command to remove the command.

permit errors

no permit errors

Syntax Description

This command has no arguments or keywords.

Defaults

By default, all invalid packets or packets that failed during parsing are dropped.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

GTP map configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

Use the permit errors command in GTP map configuration mode to allow invalid GTP packets or packets that otherwise would fail parsing and be dropped.

Examples

The following example permits traffic containing invalid packets or packets that failed during parsing:

hostname(config)# gtp-map qtp-policy
hostname(config-gtpmap)# permit errors

Related Commands

Commands
Description

clear service-policy inspect gtp

Clears global GTP statistics.

debug gtp

Displays detailed information about GTP inspection.

gtp-map

Defines a GTP map and enables GTP map configuration mode.

inspect gtp

Applies a specific GTP map to use for application inspection.

show service-policy inspect gtp

Displays the GTP configuration.


pfs

To enable PFS, use the pfs enable command in group-policy configuration mode. To disable PFS, use the pfs disable command. To remove the PFS attribute from the running configuration, use the no form of this command. This option allows inheritance of a value for PFS from another group policy.

In IPSec negotiations, PFS ensures that each new cryptographic key is unrelated to any previous key.

pfs {enable | disable}

no pfs

Syntax Description

disable

Disables PFS.

enable

Enables PFS.


Defaults

PFS is disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

The PFS setting on the VPN client and the FWSM must match.

Examples

The following example shows how to set PFS for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# pfs enable
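
The following added example (not part of the Cisco reference) scans a saved configuration for four settings from the password-storage, peer-id-validate, permit errors, and pfs entries that move away from the stricter behavior described on this page. The sample configuration is constructed, and the layout it assumes (a mode line followed by indented subcommands) and the function name are assumptions of the example.

```python
import re

# Mode-entry lines as they appear in the examples on this page.
MODES = [
    (re.compile(r"^group-policy (\S+) attributes$"), "group-policy"),
    (re.compile(r"^tunnel-group (\S+) ipsec-attributes$"), "tunnel-group"),
    (re.compile(r"^gtp-map (\S+)$"), "gtp-map"),
]

# (mode, subcommand) -> why a reviewer would want to look at it.
RULES = {
    ("group-policy", "password-storage enable"):
        "login passwords may be stored on the client; default is disabled",
    ("group-policy", "pfs disable"):
        "PFS explicitly disabled; new keys are not guaranteed unrelated to old ones",
    ("tunnel-group", "peer-id-validate nocheck"):
        "peer identity is not checked against its certificate; default is req",
    ("gtp-map", "permit errors"):
        "invalid GTP packets are allowed instead of dropped",
}


def audit(config_text):
    """Return (line_number, mode, name, command, reason) for each flagged line."""
    findings = []
    mode = name = None
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("!"):
            continue
        if not raw[0].isspace():
            # A top-level line either opens one of the tracked modes or ends it.
            mode = name = None
            for pattern, kind in MODES:
                match = pattern.match(stripped)
                if match:
                    mode, name = kind, match.group(1)
                    break
            continue
        command = " ".join(stripped.split())
        reason = RULES.get((mode, command))
        if reason:
            findings.append((lineno, mode, name, command, reason))
    return findings


# Constructed sample configuration, for illustration only.
SAMPLE = """\
group-policy FirstGroup attributes
 password-storage enable
 pfs enable
group-policy Branch attributes
 pfs disable
tunnel-group 209.165.200.225 type IPSec_L2L
tunnel-group 209.165.200.225 ipsec-attributes
 peer-id-validate nocheck
tunnel-group 192.0.2.10 ipsec-attributes
 peer-id-validate req
gtp-map gtp-policy
 permit errors
"""

if __name__ == "__main__":
    for lineno, mode, name, command, reason in audit(SAMPLE):
        print(f"line {lineno}: {mode} {name}: {command} ({reason})")
```

A missing pfs or password-storage line is not flagged, because the value may be inherited from another group policy.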

pim

To reenable PIM on an interface, use the pim command in interface configuration mode. To disable PIM, use the no form of this command.

pim

no pim

Syntax Description

This command has no arguments or keywords.

Defaults

The multicast-routing command enables PIM on all interfaces by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

The multicast-routing command enables PIM on all interfaces by default. Only the no form of the pim command is saved in the configuration.


Note: PIM is not supported with PAT. The PIM protocol does not use ports, and PAT works only with protocols that use ports.


Examples

The following example disables PIM on the selected interface:

hostname(config)# interface Vlan101
hostname(config-subif)# no pim

Related Commands

Command
Description

multicast-routing

Enables multicast routing on the FWSM.


pim accept-register

To configure the FWSM to filter PIM register messages, use the pim accept-register command in global configuration mode. To remove the filtering, use the no form of this command.

pim accept-register {list acl | route-map map-name}

no pim accept-register

Syntax Description

list acl

Specifies an access list name or number. Use standard host ACLs with this command; extended ACLs are not supported.

route-map map-name

Specifies a route-map name. Use standard host ACLs with the route-maps referenced by this command; extended ACLs are not supported.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

This command is used to prevent unauthorized sources from registering with the RP. If an unauthorized source sends a register message to the RP, the FWSM will immediately send back a register-stop message.

Examples

The following example restricts PIM register messages to those from sources defined in the access list named "no-ssm-range":

hostname(config)# pim accept-register list no-ssm-range

Related Commands

Command
Description

multicast-routing

Enables multicast routing on the FWSM.


pim dr-priority

To configure the neighbor priority on the FWSM used for designated router election, use the pim dr-priority command in interface configuration mode. To restore the default priority, use the no form of this command.

pim dr-priority number

no pim dr-priority

Syntax Description

number

A number from 0 to 4294967294. This number is used to determine the priority of the device when determining the designated router. Specifying 0 prevents the FWSM from becoming the designated router.


Defaults

The default value is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

The device with the largest priority value on an interface becomes the PIM designated router. If multiple devices have the same designated router priority, then the device with the highest IP address becomes the DR. If a device does not include the DR-Priority Option in hello messages, it is regarded as the highest-priority device and becomes the designated router. If multiple devices do not include this option in their hello messages, then the device with the highest IP address becomes the designated router.

Examples

The following example sets the DR priority for the interface to 5:

hostname(config)# interface Vlan101
hostname(config-if)# pim dr-priority 5
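
The following added example (not part of the Cisco reference) applies the election rules from the usage guidelines above to a list of neighbors. It shows that a neighbor whose hello omits the DR-Priority Option wins regardless of the priority configured on the other devices. The function name and the 192.0.2.x addresses are constructed for illustration.

```python
from ipaddress import ip_address

MAX_PRIORITY = 4294967294  # upper bound of the pim dr-priority range


def elect_dr(neighbors):
    """Return the address of the designated router on one interface.

    neighbors is an iterable of (ip, priority) pairs. A priority of None
    means the device's hello messages carry no DR-Priority Option.
    """
    neighbors = list(neighbors)
    if not neighbors:
        raise ValueError("no PIM neighbors on the interface")
    for ip, priority in neighbors:
        if priority is not None and not 0 <= priority <= MAX_PRIORITY:
            raise ValueError(f"priority out of range for {ip}: {priority}")

    # Devices that omit the option are regarded as highest priority, so when
    # any exist the election is decided among them by IP address alone.
    without_option = [n for n in neighbors if n[1] is None]
    pool = without_option or neighbors

    # Largest priority wins; ties go to the highest IP address. Addresses are
    # compared numerically, so 192.0.2.10 beats 192.0.2.9.
    winner = max(pool, key=lambda n: (n[1] or 0, ip_address(n[0])))
    return winner[0]


if __name__ == "__main__":
    # Constructed neighbor table: the FWSM at .1 is set to the maximum
    # priority, but .2 sends hellos without the DR-Priority Option.
    segment = [("192.0.2.1", MAX_PRIORITY), ("192.0.2.2", None), ("192.0.2.3", 5)]
    print("designated router:", elect_dr(segment))
```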

Related Commands

Command
Description

multicast-routing

Enables multicast routing on the FWSM.


pim hello-interval

To configure the frequency of the PIM hello messages, use the pim hello-interval command in interface configuration mode. To restore the hello-interval to the default value, use the no form of this command.

pim hello-interval seconds

no pim hello-interval [seconds]

Syntax Description

seconds

The number of seconds that the FWSM waits before sending a hello message. Valid values range from 1 to 3600 seconds. The default value is 30 seconds.


Defaults

30 seconds.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

3.1(1)

This command was introduced.