Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference, 3.1
same-security-traffic through show asdm sessions

Table Of Contents

same-security-traffic through show asdm sessions Commands

same-security-traffic

sdi-pre-5-slave

sdi-version

secure-unit-authentication

security-level

serial-number

server-port

service resetinbound

service-policy

set connection

set connection timeout

set metric

set metric

setup

show aaa-server

show aaa local user

show access-list

show activation-key

show admin-context

show arp

show arp-inspection

show arp statistics

show asdm history

show asdm sessions


same-security-traffic through show asdm sessions Commands


same-security-traffic

To permit communication between interfaces with equal security levels, or to allow traffic to enter and exit the same interface, use the same-security-traffic command in global configuration mode. To disable the same-security traffic, use the no form of this command.

same-security-traffic permit {inter-interface | intra-interface}

no same-security-traffic permit {inter-interface | intra-interface}

Syntax Description

inter-interface

Permits communication between different interfaces that have the same security level.

intra-interface

Permits communication in and out of the same interface.


Defaults

By default, these behaviors are disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

2.2(1)

This command with the inter-interface keyword was introduced.

2.3(1)

Support for the intra-interface keyword was added.


Usage Guidelines

Allowing communication between same security interfaces (enabled by the same-security-traffic permit inter-interface command) lets you configure more than 101 communicating interfaces. If you use a different level for each interface, you can configure only one interface per level (0 to 100).

If you enable NAT control, you do not need to configure NAT between same security level interfaces.

The same-security-traffic intra-interface command lets traffic enter and exit the same interface, which is normally not allowed.


Note We recommend that you do not make the outside interface (for example, where you access the Internet) on the same security level as your inside interfaces. On the FWSM, all connections have an associated xlate entry (even when you do not explicitly configure NAT). Xlates are normally created for connections between the inside interface and any lower security interface. In a same-security-traffic configuration, the FWSM randomly chooses which same-security interface is the "inside" interface for the sake of creating xlates. This selection may change later after a reload or after a software upgrade. If the FWSM considers the outside same-security interface as the "inside" interface, it creates xlates for every Internet host being accessed through it.

If there is any application (or a virus) on the internal network that scans thousands of Internet hosts, all entries in the xlate table may be quickly exhausted (see the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide for xlate limits). After that, the FWSM will stop creating new xlates, logging error message %FWSM-3-305006 ("translation creation failed") for every new connection. The show resource usage command will show the number of active xlates equal to or close to the limit. The clear xlate command will temporarily recover connectivity.

To avoid this situation, we recommend that the outside interface always have a security level lower than any other FWSM interface. This configuration guarantees that the FWSM always considers the ISP link as an outside interface. In this case, only one xlate will be created for every application or virus scanning Internet hosts from the inside network. No xlates will be created for the Internet hosts being scanned.


Examples

The following example shows how to enable the same-security interface communication:

hostname(config)# same-security-traffic permit inter-interface

The following example shows how to enable traffic to enter and exit the same interface:

hostname(config)# same-security-traffic permit intra-interface

Related Commands

Command
Description

show running-config same-security-traffic

Displays the same-security-traffic configuration.


sdi-pre-5-slave

To specify the IP address or name of an optional SDI AAA "slave" server to use for this host connection that uses a version of SDI prior to SDI version 5, use the sdi-pre-5-slave command in AAA-server host configuration mode. To remove this specification, use the no form of this command:

sdi-pre-5-slave host

no sdi-pre-5-slave

Syntax Description

host

Specify the name or IP address of the slave server host.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Aaa-server host


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

This command is available for any host in an SDI AAA server group, but it is relevant only if the SDI version for the host is set to sdi-pre-5 in the sdi-version command. Prior to using this command, you must have configured the AAA server to use the SDI protocol.

The sdi-pre-5-slave command lets you identify an optional secondary server that is to be used if the primary server fails. The address specified by this command must be that of a server that is configured as a "slave" to the primary SDI server. In this situation, if you are using a pre-5 version, you must configure the sdi-pre-5-slave command so that the FWSM can access the appropriate SDI configuration record that is downloaded from the server. This is not an issue with version 5 and later versions.

Examples

The following example configures the AAA SDI server group "svrgrp1" that uses an SDI version prior to SDI version 5.

hostname(config)# aaa-server svrgrp1 protocol sdi
hostname(config-aaa-server-group)# aaa-server svrgrp1 host 192.168.10.10
hostname(config-aaa-server-host)# sdi-version sdi-pre-5
hostname(config-aaa-server-host)# sdi-pre-5-slave 209.165.201.31

Related Commands

Command
Description

aaa-server host

Enter AAA server host configuration mode so that you can configure AAA server parameters that are host-specific.

clear configure aaa-server

Removes all AAA server configurations.

sdi-version

Specifies the version of SDI to use for this host connection.

show running-config aaa-server

Displays AAA server statistics for all AAA servers, for a particular server group, for a particular server within a particular group, or for a particular protocol.


sdi-version

To specify the version of SDI to use for this host connection, use the sdi-version command in AAA-server host configuration mode. To remove this specification, use the no form of this command:

sdi-version version

no sdi-version

Syntax Description

version

Specify the version of SDI to use. Valid values are:

sdi-5—SDI version 5.0 (default)

sdi-pre-5—SDI versions prior to 5.0


Defaults

The default version is sdi-5.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Aaa-server host


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

This command is valid only for SDI AAA servers. If you configure a secondary (failover) SDI AAA server, and if the SDI version for that server is earlier than version 5, you must also specify the sdi-pre-5-slave command.

Examples

hostname(config)# aaa-server svrgrp1 protocol sdi
hostname(config-aaa-server-group)# aaa-server svrgrp1 host 1.2.3.4
hostname(config-aaa-server-host)# timeout 6
hostname(config-aaa-server-host)# retry-interval 7
hostname(config-aaa-server-host)# sdi-version sdi-5

Related Commands

Command
Description

aaa-server host

Enter AAA server host configuration mode so that you can configure AAA server parameters that are host-specific.

clear configure aaa-server

Remove all AAA configurations.

show running-config aaa-server

Displays AAA server statistics for all AAA servers, for a particular server group, for a particular server within a particular group, or for a particular protocol.


secure-unit-authentication

To enable secure unit authentication, use the secure-unit-authentication enable command in group-policy configuration mode. To disable secure unit authentication, use the secure-unit-authentication disable command. To remove the secure unit authentication attribute from the running configuration, use the no form of this command. This option allows inheritance of a value for secure unit authentication from another group policy.

secure-unit-authentication {enable | disable}

no secure-unit-authentication

Syntax Description

disable

Disables secure unit authentication.

enable

Enables secure unit authentication.


Defaults

Secure unit authentication is disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group policy


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

Secure unit authentication provides additional security by requiring VPN hardware clients to authenticate with a username and password each time the client initiates a tunnel. With this feature enabled, the hardware client does not have a saved username and password.


Note With this feature enabled, to bring up a VPN tunnel, a user must be present to enter the username and password.


Secure unit authentication requires that you have an authentication server group configured for the tunnel group the hardware client(s) use.

If you require secure unit authentication on the primary FWSM, be sure to configure it on any backup servers as well.

Examples

The following example shows how to enable secure unit authentication for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# secure-unit-authentication enable

Related Commands

Command
Description

ip-phone-bypass

Lets IP phones connect without undergoing user authentication. Secure unit authentication remains in effect.

leap-bypass

Lets LEAP packets from wireless devices behind a VPN hardware client travel across a VPN tunnel prior to user authentication, when enabled. This lets workstations using Cisco wireless access point devices establish LEAP authentication. Then they authenticate again per user authentication.

user-authentication

Requires users behind a hardware client to identify themselves to the FWSM before connecting.


security-level

To set the security level of an interface, use the security-level command in interface configuration mode. To set the security level to the default, use the no form of this command. The security level protects higher security networks from lower security networks by imposing additional protection between the two.

security-level number

no security-level

Syntax Description

number

An integer between 0 (lowest) and 100 (highest).


Defaults

By default, the security level is 0.

If you name an interface "inside" and you do not set the security level explicitly, then the FWSM sets the security level to 100 (see the nameif command). You can change this level if desired.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

3.1(1)

This command was introduced. It moved from a keyword of the nameif command to an interface configuration mode command.


Usage Guidelines

The level controls the following behavior:

Inspection engines—Some inspection engines are dependent on the security level. For same security interfaces, inspection engines apply to traffic in either direction.

NetBIOS inspection engine—Applied only for outbound connections.

OraServ inspection engine—If a control connection for the OraServ port exists between a pair of hosts, then only an inbound data connection is permitted through the FWSM.

Filtering—HTTP(S) and FTP filtering applies only for outbound connections (from a higher level to a lower level).

For same security interfaces, you can filter traffic in either direction.

NAT control—When you enable NAT control, you must configure NAT for hosts on a higher security interface (inside) when they access hosts on a lower security interface (outside).

Without NAT control, or for same security interfaces, you can choose to use NAT between any interface, or you can choose not to use NAT. Keep in mind that configuring NAT for an outside interface might require a special keyword.

established command—This command allows return connections from a lower security host to a higher security host if there is already an established connection from the higher level host to the lower level host.

For same security interfaces, you can configure established commands for both directions.

Normally, interfaces on the same security level cannot communicate. If you want interfaces on the same security level to communicate, see the same-security-traffic command. You might want to assign two interfaces to the same level and allow them to communicate if you want to create more than 101 communicating interfaces, or you want protection features to be applied equally for traffic between two interfaces; for example, you have two departments that are equally secure.

If you change the security level of an interface, and you do not want to wait for existing connections to time out before the new security information is used, you can clear the connections using the clear local-host command.
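The direction rules above, together with the NAT control rule and the outside-interface recommendation in the same-security-traffic entry, can be checked mechanically before an interface layout is committed. The following is an added Python illustration, not Cisco code: the Fwsm class and its method names are invented for this example, and access lists are deliberately left out, so the result reflects only what the security levels and the same-security-traffic settings decide by themselves.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Fwsm:
    """Hypothetical model of the level-based defaults (not Cisco's code)."""
    # interface name -> security level, 0 (lowest) to 100 (highest)
    levels: dict = field(default_factory=dict)
    # 'same-security-traffic permit inter-interface'
    permit_inter_interface: bool = False
    # 'same-security-traffic permit intra-interface'
    permit_intra_interface: bool = False

    def set_security_level(self, name: str, level: int) -> None:
        if not 0 <= level <= 100:
            raise ValueError(f"security-level {level} is outside 0..100")
        self.levels[name] = level

    def check_flow(self, ingress: str, egress: str) -> tuple[bool, str]:
        """Classify a new connection entering 'ingress' and leaving 'egress'.

        Returns (allowed_by_default, reason). Access lists, which may permit
        what the levels alone deny, are not modelled.
        """
        src, dst = self.levels[ingress], self.levels[egress]
        if ingress == egress:
            if self.permit_intra_interface:
                return True, "same interface: intra-interface traffic permitted"
            return False, "same interface: needs same-security-traffic permit intra-interface"
        if src == dst:
            if self.permit_inter_interface:
                return True, "same level: inter-interface traffic permitted"
            return False, "same level: needs same-security-traffic permit inter-interface"
        if src > dst:
            return True, f"outbound (level {src} -> {dst}): permitted by default"
        return False, f"inbound (level {src} -> {dst}): denied unless an access list permits it"

    def nat_rule_required(self, nat_control: bool, ingress: str, egress: str) -> bool:
        """With NAT control enabled, hosts on a higher-security interface need a
        NAT rule to reach a lower-security interface. Same-level pairs do not,
        and without NAT control NAT is optional everywhere."""
        return nat_control and self.levels[ingress] > self.levels[egress]

    def outside_is_strictly_lowest(self, outside: str) -> bool:
        """The same-security-traffic note recommends that the outside interface
        sit strictly below every other interface, so the FWSM never treats it
        as the 'inside' side when creating xlates."""
        return all(level > self.levels[outside]
                   for name, level in self.levels.items() if name != outside)


if __name__ == "__main__":
    fw = Fwsm()
    for name, level in [("inside", 100), ("dmz1", 50), ("dmz2", 50), ("outside", 0)]:
        fw.set_security_level(name, level)
    for pair in [("inside", "outside"), ("outside", "inside"),
                 ("dmz1", "dmz2"), ("inside", "inside")]:
        print(pair, fw.check_flow(*pair))
    fw.permit_inter_interface = True
    print(("dmz1", "dmz2"), fw.check_flow("dmz1", "dmz2"))
    print("outside strictly lowest:", fw.outside_is_strictly_lowest("outside"))
```

Running the sample shows the two DMZ interfaces at level 50 unable to talk until the inter-interface permit is set, the outside-to-inside direction denied by default, and the outside interface correctly placed below every other interface so the xlate problem described in the same-security-traffic note cannot arise.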

Examples

The following example configures the security levels for two interfaces to be 100 and 0:

hostname(config)# interface gigabitethernet0
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface gigabitethernet1
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# ip address 10.1.2.1 255.255.255.0
hostname(config-if)# no shutdown

Related Commands

Command
Description

clear local-host

Resets all connections.

interface

Configures an interface and enters interface configuration mode.

nameif

Sets the interface name.


serial-number

To include the FWSM serial number in the certificate during enrollment, use the serial-number command in crypto ca trustpoint configuration mode. To restore the default setting, use the no form of the command.

serial-number

no serial-number

Syntax Description

This command has no arguments or keywords.

Defaults

The default setting is to not include the serial number.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Crypto ca trustpoint configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Examples

The following example enters crypto ca trustpoint configuration mode for trustpoint central, and includes the FWSM serial number in the enrollment request for trustpoint central:

hostname(config)# crypto ca trustpoint central
hostname(ca-trustpoint)# serial-number
hostname(ca-trustpoint)# 

Related Commands

Command
Description

crypto ca trustpoint

Enters trustpoint configuration mode.


server-port

To configure a AAA server port for a host, use the server-port command in AAA-server host mode. To remove the designated server port, use the no form of this command:

server-port port-number

no server-port

Syntax Description

port-number

A port number in the range 0 through 65535.


Defaults

The default server ports are as follows:

SDI—5500

LDAP—389

Kerberos—88

NT—139

TACACS+—49

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Aaa-server group


Command History

Release
Modification

3.1(1)

This command was introduced.


Examples

The following example configures an SDI AAA server named "svrgrp1" to use server port number 8888:

hostname(config)# aaa-server svrgrp1 protocol sdi
hostname(config-aaa-server-group)# aaa-server svrgrp1 host 192.168.10.10
hostname(config-aaa-server-host)# server-port 8888

Related Commands

Command
Description

aaa-server host

Configures host-specific AAA server parameters.

clear configure aaa-server

Removes all AAA-server configuration.

show running-config aaa-server

Displays AAA server statistics for all AAA servers, for a particular server group, for a particular server within a particular group, or for a particular protocol.


service resetinbound

To send a reset to inbound TCP connections when they are denied, use the service command in global configuration mode. To not send a reset, use the no form of this command.

service resetinbound

no service resetinbound

Syntax Description

This command has no arguments or keywords.

Defaults

By default, no resets are sent.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

1.1(1)

This command was introduced.


Usage Guidelines

The service command works with all inbound TCP connections whose access lists or uauth (user authorization) do not allow inbound connections. One use is for resetting identity request (IDENT) connections. If an inbound TCP connection is attempted and denied, you can use the service resetinbound command to return an RST (reset flag in the TCP header) to the source. Without the keyword, the FWSM drops the packet without returning an RST.

The FWSM sends a TCP RST to the host connecting inbound and stops the incoming IDENT process so that outbound e-mail can be transmitted without having to wait for IDENT to time out. The FWSM sends a syslog message stating that the incoming connection was denied. Without entering the service resetinbound command, the FWSM drops packets that are denied and generates a syslog message stating that the SYN was denied. However, outside hosts keep retransmitting the SYN until the IDENT times out.

When an IDENT connection times out, the connections slow down. Perform a trace to determine that IDENT is causing the delay and then enter the service command.

Use the service resetinbound command to handle an IDENT connection through the FWSM. These methods for handling IDENT connections are ranked from most secure to the least secure:

1. Use the service resetinbound command.

2. Use the established command with the permitto tcp 113 keyword.

3. Enter the static and access-list commands to open TCP port 113.

When using the aaa command, if the first attempt at authorization fails and a second attempt causes a timeout, use the service resetinbound command to reset the client that failed the authorization so that it will not retransmit any connections. An example authorization timeout message in Telnet is as follows:

Unable to connect to remote host: Connection timed out

The following is the expected behavior of denied traffic on the FWSM with regard to the reset flag:

1. If resetinbound is configured and denied traffic flows from a low security interface to a high security interface, then a reset is sent.

2. If resetinbound is configured and denied traffic flows from an interface to another interface with the same security level, then a reset is sent.

3. If resetinbound is not configured and denied traffic flows from a high security interface to a low security interface, then a reset is sent.
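The reset rules above and the IDENT troubleshooting advice earlier in this entry can both be made concrete. The following is an added Python illustration, not Cisco code: denied_syn_response() encodes the three rules, and unanswered_ident_syns() is the kind of check a trace review would use to confirm that retransmitted, unanswered IDENT SYNs are what is slowing connections down. The trace is constructed for this example, and all function names are invented.

```python
def denied_syn_response(resetinbound: bool, ingress_level: int, egress_level: int) -> str:
    """Return 'rst' if a denied inbound SYN is answered with a TCP RST, or
    'drop' if the FWSM discards it silently (the peer then keeps retransmitting)."""
    if ingress_level > egress_level:
        # Rule 3: denied high -> low traffic is reset even without resetinbound
        # (assumed to hold with it configured too; the entry does not say otherwise).
        return "rst"
    # Rules 1 and 2: low -> high and same-level denied traffic is reset only when
    # 'service resetinbound' is configured; otherwise the packet is dropped.
    return "rst" if resetinbound else "drop"


# Constructed trace summary: (time_s, src, sport, dst, dport, tcp_flags).
# An inside mail server (192.0.2.25) sends outbound SMTP; the remote MTA opens
# an IDENT connection back to port 113, which the FWSM denies.
SAMPLE_TRACE = [
    (0.00, "192.0.2.25", 40001, "203.0.113.5", 25, "S"),
    (0.02, "203.0.113.5", 25, "192.0.2.25", 40001, "SA"),
    (0.03, "203.0.113.5", 51000, "192.0.2.25", 113, "S"),   # IDENT back, dropped
    (1.03, "203.0.113.5", 51000, "192.0.2.25", 113, "S"),   # retransmit
    (3.03, "203.0.113.5", 51000, "192.0.2.25", 113, "S"),   # retransmit
    (7.03, "203.0.113.5", 51000, "192.0.2.25", 113, "S"),   # retransmit
    (9.00, "198.51.100.9", 52000, "192.0.2.25", 113, "S"),  # another peer's IDENT
    (9.01, "192.0.2.25", 113, "198.51.100.9", 52000, "RA"), # ... answered with RST
]


def unanswered_ident_syns(trace, ident_port=113, min_retransmits=2):
    """Return {(src, sport, dst): [syn times]} for IDENT SYNs retransmitted at
    least min_retransmits times that never drew a SYN/ACK or RST: the signature
    of a silently dropped connection that service resetinbound would cut short."""
    syns = {}
    answered = set()
    for t, src, sport, dst, dport, flags in trace:
        if dport == ident_port and flags == "S":
            syns.setdefault((src, sport, dst), []).append(t)
        elif sport == ident_port and flags in ("SA", "R", "RA"):
            answered.add((dst, dport, src))  # same flow, keyed from the reply side
    return {flow: times for flow, times in syns.items()
            if flow not in answered and len(times) - 1 >= min_retransmits}


if __name__ == "__main__":
    print("denied SYN, low->high, resetinbound off:", denied_syn_response(False, 0, 100))
    print("denied SYN, low->high, resetinbound on: ", denied_syn_response(True, 0, 100))
    for flow, times in unanswered_ident_syns(SAMPLE_TRACE).items():
        print(f"unanswered IDENT from {flow[0]}:{flow[1]} to {flow[2]}: {len(times)} SYNs")
```

On the constructed trace, the peer at 203.0.113.5 is reported because its four SYNs to port 113 never got a reply, while 198.51.100.9 is not, because the RST it received ended its attempt immediately.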

Examples

This example shows how to enable system services:

hostname(config)# service resetinbound

Related Commands

Command
Description

show running-config service

Displays the system services.


service-policy

To activate a policy map globally on all interfaces or on a targeted interface, use the service-policy command in privileged EXEC mode. To disable, use the no form of this command. Use the service-policy command to enable a set of policies on an interface. In general, a service-policy command can be applied to any interface that can be defined by the nameif command.

service-policy policymap_name [ global | interface intf ]

no service-policy policymap_name [ global | interface intf ]

Syntax Description

policymap_name

A unique alphanumeric policy map identifier.

global

Applies the policy map to all interfaces.

interface

Applies the policy map to a specific interface.

intf

The interface name defined in the nameif command.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

If an interface name is specified, the policy-map only applies to the interface. The interface name is defined in the nameif command, and an interface policy-map overrides a global policy-map. Only one policy-map is allowed per interface.

Only one global policy is allowed.

Examples

The following example shows the syntax of the service-policy command:

hostname(config)# service-policy outside_security_map interface outside

Related Commands

Command
Description

show service-policy

Displays the service policy.

show running-config service-policy

Displays the service policies configured in the running configuration.

clear service-policy

Clears service policy statistics.

clear configure service-policy

Clears service policy configurations.


set connection

To set the maximum TCP and UDP connections or to enable or disable TCP sequence number randomization for a traffic class, use the set connection command in class configuration mode. The class configuration mode is accessible from the policy-map configuration mode. To remove these specifications, thereby allowing unlimited connections, use the no form of this command.

set connection {[conn-max number] [random-seq# {enable | disable}]}

no set connection {[conn-max number] [random-seq# {enable | disable}]}

Syntax Description

conn-max number

Sets the maximum number of simultaneous TCP and UDP connections.

disable

Turns off TCP sequence number randomization.

enable

Turns on TCP sequence number randomization.

random-seq#

Enables or disables TCP sequence number randomization. TCP initial sequence number randomization can be disabled if another in-line firewall is also randomizing the initial sequence numbers, because there is no need for both firewalls to be performing this action. However, leaving ISN randomization enabled on both firewalls does not affect the traffic.

Each TCP connection has two ISNs: one generated by the client and one generated by the server. The security appliance randomizes the ISN of the TCP SYN passing in the outbound direction. If the connection is between two interfaces with the same security level, then the ISN will be randomized in the SYN in both directions.

Randomizing the ISN of the protected host prevents an attacker from predicting the next ISN for a new connection and potentially hijacking the new session.


Defaults

For the conn-max keyword, the default value of number is 0, which allows unlimited connections.

Sequence number randomization is enabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Class configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

After you identify the traffic using the class-map command, enter the policy-map command to identify the actions associated with each class map. Enter the class command to identify the class map, and then enter the set connection command to set connections for that class map.


Note You can also configure maximum connections and TCP sequence randomization in the NAT configuration (the nat and static commands). If you configure these settings for the same traffic using both methods, then the FWSM uses the lower limit. For TCP sequence randomization, if it is disabled using either method, then the FWSM disables TCP sequence randomization.

Unlike the set connection command, NAT also lets you configure embryonic connection limits, which triggers TCP Intercept to prevent a DoS attack.
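Two points in this entry are easy to get wrong when reviewing a configuration: how a set connection setting combines with the equivalent nat or static setting (the lower limit wins, but 0 means unlimited and must not win a naive minimum), and what ISN randomization actually changes on the wire. The following is an added Python illustration, not Cisco code. The IsnRandomizer class is a simplified model and an assumption about the mechanism, not a description of Cisco's implementation; all names are invented for this example.

```python
import secrets

UNLIMITED = 0  # 'conn-max 0' and the NAT-side equivalent both mean no limit


def effective_conn_max(policy_conn_max: int, nat_conn_max: int) -> int:
    """The lower configured limit wins; 0 means unlimited, so it is excluded
    from the comparison rather than treated as the smallest value."""
    configured = [n for n in (policy_conn_max, nat_conn_max) if n != UNLIMITED]
    return min(configured) if configured else UNLIMITED


def effective_randomization(policy_enabled: bool, nat_enabled: bool) -> bool:
    """Randomization stays on only if neither method disabled it."""
    return policy_enabled and nat_enabled


class ConnLimiter:
    """Admits new connections for one traffic class until conn-max is reached."""

    def __init__(self, conn_max: int):
        self.conn_max = conn_max
        self.active = 0

    def open(self) -> bool:
        if self.conn_max != UNLIMITED and self.active >= self.conn_max:
            return False
        self.active += 1
        return True

    def close(self) -> None:
        self.active = max(0, self.active - 1)


class IsnRandomizer:
    """Simplified model of ISN randomization (an assumption, not Cisco's code):
    one random 32-bit offset per connection, added to sequence numbers leaving
    the protected host and subtracted from the acknowledgement numbers coming
    back, so the host needs no change while an outside peer cannot learn the
    host's own ISN choice."""

    MODULUS = 2 ** 32

    def __init__(self, rng=None):
        # rng is injectable so the arithmetic can be checked deterministically
        self.rng = rng or (lambda: secrets.randbelow(IsnRandomizer.MODULUS))
        self.offsets = {}

    def outbound_seq(self, conn, seq: int) -> int:
        if conn not in self.offsets:
            self.offsets[conn] = self.rng()
        return (seq + self.offsets[conn]) % self.MODULUS

    def inbound_ack(self, conn, ack: int) -> int:
        return (ack - self.offsets[conn]) % self.MODULUS


if __name__ == "__main__":
    print("effective conn-max:", effective_conn_max(256, UNLIMITED), effective_conn_max(256, 100))
    isn = IsnRandomizer()
    conn = ("10.1.1.10", 34567, "192.0.2.80", 443)  # constructed 4-tuple
    host_isn = 1000
    wire_isn = isn.outbound_seq(conn, host_isn)
    print(f"host ISN {host_isn} appears on the wire as {wire_isn}")
    print("peer's ACK translated back for the host:", isn.inbound_ack(conn, wire_isn + 1))
```

The modular arithmetic matters: the offset is applied to every sequence and acknowledgement number for the life of the connection, and both directions must wrap at 2^32 consistently or the host would see corrupted acknowledgements once the offset pushes a number past the boundary.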


Examples

The following example configures the maximum number of simultaneous connections as 256 and disables TCP sequence number randomization:

hostname(config)# policy-map localpolicy1
hostname(config-pmap)# class local_server
hostname(config-pmap-c)# set connection conn-max 256 random-seq# disable

Related Commands

Command
Description

class

Identifies a class map in the policy map.

class-map

Creates a class map for use in a service policy.

policy-map

Configures a policy map that associates a class map and one or more actions.

service-policy

Assigns a policy map to an interface.

set connection timeout

Sets the connection timeouts.


set connection timeout

To configure the timeout period after which an embryonic, half-closed, or idle TCP connection is disconnected, use the set connection timeout command in class mode. To remove the timeout, use the no form of this command.

set connection timeout {[embryonic hh:mm:ss] [half-closed hh:mm:ss] [tcp hh:mm:ss [reset]]}

no set connection timeout {[embryonic hh:mm:ss] [half-closed hh:mm:ss] [tcp hh:mm:ss [reset]]}

Syntax Description

embryonic hh:mm:ss

Defines the timeout period in seconds until an embryonic connection is closed, between 0:0:1 and 0:4:15. The default is 0:0:20. You can also set the value to 0, which means the connection never times out. Although you cannot set the maximum embryonic connections using the set connection command, you can set the timeout using this command.

half-closed hh:mm:ss

Defines the timeout period until a TCP half-closed connection is freed, between 0:0:1 and 0:4:15. The default is 0:0:20. You can also set the value to 0, which means the connection never times out.

reset

(Optional) Sends a reset to TCP endpoints when the connection times out. The FWSM sends the reset packet only in response to a host sending another packet for the timed-out flow (on the same source and destination port). The host then removes the connection from its connection table after receiving the reset packet. The host application can then attempt to establish a new connection using a SYN packet.

tcp hh:mm:ss

Defines the idle time after which a TCP established connection closes, between 0:5:0 and 1092:15:0. The default is 0:60:0. You can also set the value to 0, which means the connection never times out.


Defaults

The default embryonic connection timeout value is 20 seconds.

The default half-closed connection timeout value is 20 seconds.

The default tcp connection timeout value is 60 minutes.
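The hh:mm:ss ranges above are narrow and differ per keyword, so a value that looks reasonable (an embryonic timeout of five minutes, say) is rejected by the FWSM. The following is an added Python parser and range checker for these values, written for this reference entry and not Cisco code; the function names are invented. It uses only the limits and defaults stated in this entry, and generalizes them to assembling a validated command line.

```python
import re

# keyword -> (minimum, maximum, default) in seconds, from this entry's
# Syntax Description; 0 is always accepted and means "never times out".
TIMEOUT_LIMITS = {
    "embryonic":   (1,      4 * 60 + 15,           20),
    "half-closed": (1,      4 * 60 + 15,           20),
    "tcp":         (5 * 60, 1092 * 3600 + 15 * 60, 60 * 60),
}
# 0:4:15 is 255 s and 1092:15:0 is 65535 min, so the maxima are the largest
# 8-bit seconds and 16-bit minutes values. The entry writes the tcp default as
# 0:60:0, so the minutes field is not limited to 0..59 and this parser allows it.

_HMS = re.compile(r"^(\d+):(\d+):(\d+)$")


def parse_hms(text: str) -> int:
    """Convert 'hh:mm:ss' (or the bare '0') to seconds."""
    if text == "0":
        return 0
    m = _HMS.match(text)
    if not m:
        raise ValueError(f"{text!r} is not hh:mm:ss")
    h, mi, s = (int(x) for x in m.groups())
    return h * 3600 + mi * 60 + s


def format_hms(seconds: int) -> str:
    return f"{seconds // 3600}:{seconds % 3600 // 60}:{seconds % 60}"


def validate_timeout(keyword: str, text: str) -> int:
    """Return the timeout in seconds, raising ValueError if it is outside the
    range the FWSM accepts for that keyword (0 is allowed and means never)."""
    if keyword not in TIMEOUT_LIMITS:
        raise ValueError(f"unknown timeout keyword {keyword!r}")
    seconds = parse_hms(text)
    if seconds == 0:
        return 0
    lo, hi, _default = TIMEOUT_LIMITS[keyword]
    if not lo <= seconds <= hi:
        raise ValueError(f"{keyword} {text} is outside {format_hms(lo)}..{format_hms(hi)}")
    return seconds


def build_command(embryonic=None, half_closed=None, tcp=None, reset=False) -> str:
    """Assemble a validated 'set connection timeout' line. 'reset' is only
    valid together with 'tcp', as the syntax line shows."""
    parts = ["set", "connection", "timeout"]
    for keyword, value in (("embryonic", embryonic), ("half-closed", half_closed), ("tcp", tcp)):
        if value is not None:
            validate_timeout(keyword, value)
            parts += [keyword, value]
    if reset:
        if tcp is None:
            raise ValueError("reset requires a tcp timeout")
        parts.append("reset")
    if len(parts) == 3:
        raise ValueError("at least one timeout keyword is required")
    return " ".join(parts)


if __name__ == "__main__":
    print(build_command(tcp="2:0:0", reset=True))
    for keyword, value in (("embryonic", "0:5:0"), ("tcp", "0:4:59")):
        try:
            validate_timeout(keyword, value)
        except ValueError as err:
            print("rejected:", err)
```

The two rejected values in the demo illustrate the asymmetry worth remembering: the embryonic and half-closed timers top out at 4 minutes 15 seconds, while the tcp idle timer cannot go below 5 minutes.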

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Class configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

After you identify the traffic using the class-map command, enter the policy-map command to identify the actions associated with each class map. Enter the class command to identify the class map, and then enter the set connection timeout command to set connection timeouts for that class map.

Examples

The following is an example of a set connection timeout command that specifies a TCP connection timeout of two hours:

hostname(config)# access-list http-server permit tcp any host 10.1.1.1
hostname(config)# class-map http-server

hostname(config-cmap)# match access-list http-server
hostname(config-cmap)# exit

hostname(config)# policy-map global_policy global
hostname(config-pmap)# description This policy map defines a policy concerning connection to http server.
hostname(config-pmap)# class http-server
hostname(config-pmap-c)# set connection timeout tcp 2:0:0

Related Commands

Command
Description

class

Identifies a class map in the policy map.

class-map

Creates a class map for use in a service policy.

policy-map

Configures a policy map that associates a class map and one or more actions.

service-policy

Assigns a policy map to an interface.

set connection

Configures the maximum TCP and UDP connections.


set metric

To set the metric value for the destination routing protocol, use the set metric command in route-map configuration mode. To return to the default metric value, use the no form of this command.

set metric value

no set metric value

Syntax Description

value

Metric value.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Route-map configuration


Command History

Release
Modification

1.1(1)

This command was introduced.


Usage Guidelines

The no set metric value command allows you to return to the default metric value. In this context, the value is an integer from 0 to 4294967295.

Examples

The following example shows how to configure a route map for OSPF routing:

hostname(config)# route-map maptag1 permit 8
hostname(config-route-map)# set metric 5
hostname(config-route-map)# match metric 5
hostname(config-route-map)# show route-map
route-map maptag1 permit 8
set metric 5
match metric 5
hostname(config-route-map)# exit
hostname(config)# 

Related Commands