Table Of Contents
shun through sysopt uauth allow-http-cache Commands
shun
shutdown
sip-map
smtp-server
snmp-map
snmp-server community
snmp-server contact
snmp-server enable
snmp-server enable traps
snmp-server host
snmp-server listen-port
snmp-server location
split-dns
split-tunnel-network-list
split-tunnel-policy
ssh
ssh disconnect
ssh scopy enable
ssh timeout
ssh version
ssl server-version
static
strict-http
strip-group
strip-realm
subject-name (crypto ca certificate map)
subject-name (crypto ca trustpoint)
summary-address
sunrpc-server
support-user-cert-validation
sysopt connection tcpmss
sysopt nodnsalias
sysopt noproxyarp
sysopt radius ignore-secret
sysopt uauth allow-http-cache
shun through sysopt uauth allow-http-cache Commands
shun
To block connections from an attacking host, use the shun command in privileged EXEC mode. To disable a shun, use the no form of this command.
shun src_ip [dst_ip src_port dest_port [protocol]] [vlan vlan_id]
no shun src_ip [vlan vlan_id]
Syntax Description
| Argument | Description |
|---|---|
| dest_port | (Optional) Specifies the destination port of the connection causing the shun. |
| dst_ip | (Optional) Specifies the address of the target host. |
| protocol | (Optional) Specifies the IP protocol, such as UDP or TCP. By default, the protocol is 0 (any protocol). |
| src_ip | Specifies the address of the attacking host. |
| src_port | (Optional) Specifies the source port of the connection causing the shun. |
| vlan_id | (Optional) Specifies the VLAN ID. |
Defaults
The default protocol is 0 (any protocol).
Command Modes
The following table shows the modes in which you can enter the command:
| Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System) |
|---|---|---|---|---|---|
| Privileged EXEC | • | • | • | • | — |
Command History
| Release | Modification |
|---|---|
| 1.1(1) | This command was introduced. |
Usage Guidelines
The shun command lets you block connections from an attacking host. Packets matching the values in the command are dropped and logged until the blocking function is removed manually or by the Cisco IPS sensor. The blocking function of the shun command is applied whether or not a connection with the specified host address is currently active.
If you specify the destination address, source and destination ports, and the protocol, then you narrow the shun to connections that match those parameters.
You can only have one shun command per source IP address.
Because the shun command is used to block attacks dynamically, it is not displayed in the FWSM configuration.
Whenever an interface is removed, all shuns that are attached to that interface are also removed. If you add a new interface or replace the same interface (using the same name), then you must add that interface to the IPS sensor if you want the IPS sensor to monitor that interface.
Examples
In the following example, the offending host (10.1.1.27) has opened a TCP connection to the victim (10.2.2.89). The connection in the FWSM connection table reads as follows:
10.1.1.27, 555-> 10.2.2.89, 666 PROT TCP
Apply the shun command using the following options:
hostname# shun 10.1.1.27 10.2.2.89 555 666 tcp
The command deletes the connection from the FWSM connection table and also prevents packets from 10.1.1.27:555 to 10.2.2.89:666 (TCP) from going through the FWSM.
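The following is an added example, not part of the FWSM documentation. It models the matching rules described in the usage guidelines above (a shun keyed on the source address, optionally narrowed to a destination, port pair and protocol, with protocol 0 meaning any) and turns connection-table lines in the format shown above into shun commands. Two assumptions are made: the connection-table line format is exactly the one printed above, and a second shun entered for an already shunned source replaces the first, since only one shun per source IP can exist.

```python
# Added example, not part of the FWSM documentation: a model of the shun
# matching rules described above, plus a helper that turns "show conn" style
# lines into shun commands. Assumptions: the connection-table line format is
# the one shown on this page, and a second shun for an already shunned source
# replaces the first (only one shun per source IP can exist).
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PROTO_NUMBERS = {"tcp": 6, "udp": 17, "icmp": 1}
PROTO_NAMES = {v: k for k, v in PROTO_NUMBERS.items()}


@dataclass(frozen=True)
class Shun:
    """One shun entry: src_ip is mandatory, the other fields narrow the match."""
    src_ip: str
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    protocol: int = 0  # 0 = any protocol, the command default

    def __post_init__(self) -> None:
        # The syntax requires dst_ip, src_port and dest_port together.
        narrowing = (self.dst_ip, self.src_port, self.dst_port)
        if any(v is not None for v in narrowing) and any(v is None for v in narrowing):
            raise ValueError("dst_ip, src_port and dst_port must be given together")

    def matches(self, src_ip: str, dst_ip: str, src_port: int, dst_port: int, protocol: int) -> bool:
        """True when a packet with this 5-tuple is dropped by the entry."""
        if src_ip != self.src_ip:
            return False
        if self.dst_ip is not None and (dst_ip, src_port, dst_port) != (self.dst_ip, self.src_port, self.dst_port):
            return False
        return self.protocol == 0 or protocol == self.protocol

    def cli(self) -> str:
        """Render the privileged EXEC command that installs this entry."""
        parts = ["shun", self.src_ip]
        if self.dst_ip is not None:
            parts += [self.dst_ip, str(self.src_port), str(self.dst_port)]
            if self.protocol:
                parts.append(PROTO_NAMES.get(self.protocol, str(self.protocol)))
        return " ".join(parts)


class ShunTable:
    """The FWSM keeps at most one shun per source IP address."""

    def __init__(self) -> None:
        self._by_src: Dict[str, Shun] = {}

    def add(self, shun: Shun) -> None:
        self._by_src[shun.src_ip] = shun  # assumption: replaces any earlier shun for this source

    def remove(self, src_ip: str) -> None:
        """Equivalent of 'no shun src_ip'."""
        self._by_src.pop(src_ip, None)

    def drops(self, src_ip: str, dst_ip: str, src_port: int, dst_port: int, protocol: int) -> bool:
        shun = self._by_src.get(src_ip)
        return shun is not None and shun.matches(src_ip, dst_ip, src_port, dst_port, protocol)


# Connection-table line in the format shown above: "10.1.1.27, 555-> 10.2.2.89, 666 PROT TCP"
CONN_RE = re.compile(r"^\s*(\S+),\s*(\d+)\s*->\s*(\S+),\s*(\d+)\s+PROT\s+(\w+)")


def parse_conn(line: str) -> Optional[Tuple[str, int, str, int, int]]:
    """Return (src_ip, src_port, dst_ip, dst_port, protocol_number) or None."""
    m = CONN_RE.match(line)
    if not m:
        return None
    src, sport, dst, dport, proto = m.groups()
    return src, int(sport), dst, int(dport), PROTO_NUMBERS.get(proto.lower(), 0)


def shuns_for_noisy_sources(conn_lines: List[str], threshold: int) -> List[str]:
    """Emit one source-only shun per host with at least `threshold` connections.

    A single broad shun is used per source because the FWSM allows only one
    shun per source IP; narrowing it to one 5-tuple would leave the other
    connections from the same host untouched.
    """
    counts: Dict[str, int] = {}
    for line in conn_lines:
        parsed = parse_conn(line)
        if parsed is not None:
            counts[parsed[0]] = counts.get(parsed[0], 0) + 1
    return [Shun(src).cli() for src, n in sorted(counts.items()) if n >= threshold]


# Constructed sample connection-table output for the demonstration.
SAMPLE_CONNS = [
    "10.1.1.27, 555-> 10.2.2.89, 666 PROT TCP",
    "10.1.1.27, 556-> 10.2.2.89, 666 PROT TCP",
    "10.1.1.27, 557-> 10.2.2.90, 22 PROT TCP",
    "10.1.1.50, 4000-> 10.2.2.89, 53 PROT UDP",
]

if __name__ == "__main__":
    for command in shuns_for_noisy_sources(SAMPLE_CONNS, threshold=3):
        print(command)
```

The narrowed entry from the example above blocks only 10.1.1.27:555 to 10.2.2.89:666 over TCP, so a second connection from the same host on port 556 still passes; the source-only form blocks every packet from the host, which is why the helper emits that form when a source has many connections.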
Related Commands
| Command | Description |
|---|---|
| clear shun | Disables all the shuns that are currently enabled and clears the shun statistics. |
| show conn | Shows all active connections. |
| show shun | Displays the shun information. |
shutdown
To disable an interface, use the shutdown command in interface configuration mode. To enable an interface, use the no form of this command.
shutdown
no shutdown
Syntax Description
This command has no arguments or keywords.
Defaults
All physical interfaces are shut down by default. Allocated interfaces in security contexts are not shut down in the configuration.
Command Modes
The following table shows the modes in which you can enter the command:
| Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System) |
|---|---|---|---|---|---|
| Interface configuration | • | • | • | • | • |
Command History
| Release | Modification |
|---|---|
| 2.2(1) | This command was introduced. |
Usage Guidelines
By default, all physical interfaces are shut down. You must enable the physical interface before any traffic can pass through an enabled subinterface. For multiple context mode, if you allocate a physical interface or subinterface to a context, the interfaces are enabled by default in the context. However, before traffic can pass through the context interface, you must also enable the interface in the system configuration. If you shut down an interface in the system execution space, then that interface is down in all contexts that share it.
Examples
The following example enables a subinterface:
hostname(config)# interface gigabitethernet2.1
hostname(config-subif)# vlan 101
hostname(config-subif)# nameif dmz1
hostname(config-subif)# security-level 50
hostname(config-subif)# ip address 10.1.2.1 255.255.255.0
hostname(config-subif)# no shutdown
The following example shuts down the subinterface:
hostname(config)# interface gigabitethernet2.1
hostname(config-subif)# vlan 101
hostname(config-subif)# nameif dmz1
hostname(config-subif)# security-level 50
hostname(config-subif)# ip address 10.1.2.1 255.255.255.0
hostname(config-subif)# shutdown
Related Commands
| Command | Description |
|---|---|
| clear xlate | Resets all translations for existing connections, causing the connections to be reset. |
| interface | Configures an interface and enters interface configuration mode. |
sip-map
To identify a SIP application inspection map, which is required to enable the IP Address Privacy feature, use the sip-map command in global configuration mode. To remove the map, use the no form of this command.
sip-map map_name
no sip-map map_name
Syntax Description
| Argument | Description |
|---|---|
| map_name | The name of the SIP map. |
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
| Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System) |
|---|---|---|---|---|---|
| Global configuration | • | • | • | • | — |
Command History
| Release | Modification |
|---|---|
| FWSM 3.1 | This command was introduced. |
Usage Guidelines
Use the sip-map command to identify a SIP application inspection map, which is required to enable the IP Address Privacy feature. When you enter this command, the system enters the SIP map configuration mode, which lets you enter the ip-address-privacy command. After defining the SIP map, you use the inspect sip command to enable the map. Then you use the class-map, policy-map, and service-policy commands to define a class of traffic, to apply the inspect command to the class, and to apply the policy to one or more interfaces.
Examples
The following example shows how to identify SIP traffic, define a SIP map that enables IP Address Privacy, define a policy that applies the map, and apply the policy to the outside interface. The sip-map command is entered from global configuration mode, and the inspect sip command references the map by name:
hostname(config)# access-list sip-acl permit tcp any any eq 5060
hostname(config)# class-map sip-port
hostname(config-cmap)# match access-list sip-acl
hostname(config-cmap)# exit
hostname(config)# sip-map inbound_sip
hostname(config-sip-map)# ip-address-privacy
hostname(config-sip-map)# exit
hostname(config)# policy-map S1_policy
hostname(config-pmap)# class sip-port
hostname(config-pmap-c)# inspect sip inbound_sip
hostname(config-pmap-c)# exit
hostname(config-pmap)# exit
hostname(config)# service-policy S1_policy interface outside
Related Commands
| Command | Description |
|---|---|
| class-map | Defines the traffic class to which to apply security actions. |
| ip-address-privacy | Enables the IP Address Privacy feature for SIP application inspection. |
| inspect sip | Enables SIP application inspection. |
| policy-map | Associates a class map with specific security actions. |
smtp-server
To configure an SMTP server, use the smtp-server command in global configuration mode. To remove the SMTP server from the configuration, use the no form of this command.
The FWSM includes an internal SMTP client that the Events system can use to notify external entities that a certain event has occurred. You can configure SMTP servers to receive these event notices and forward them to specified e-mail addresses. The SMTP facility is active only when you enable e-mail events on the FWSM.
smtp-server primary_server [backup_server]
no smtp-server
Syntax Description
| Argument | Description |
|---|---|
| primary_server | Identifies the primary SMTP server. Use either an IP address or DNS name. |
| backup_server | (Optional) Identifies a backup SMTP server to relay event messages if the primary SMTP server is unavailable. Use either an IP address or DNS name. |
Defaults
No SMTP server is configured by default.
Command Modes
The following table shows the modes in which you can enter the command:
| Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System) |
|---|---|---|---|---|---|
| Global configuration | • | • | — | — | • |
Command History
| Release | Modification |
|---|---|
| 3.1(1) | Support for this command was introduced. |
Examples
The following example shows how to set an SMTP server with an IP address of 10.1.1.24, and a backup SMTP server with an IP address of 10.1.1.34:
hostname(config)# smtp-server 10.1.1.24 10.1.1.34
snmp-map
To identify a specific map for defining the parameters for SNMP inspection, use the snmp-map command in global configuration mode. To remove the map, use the no form of this command.
snmp-map map_name
no snmp-map map_name
Syntax Description
| Argument | Description |
|---|---|
| map_name | The name of the SNMP map. |
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
| Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System) |
|---|---|---|---|---|---|
| Global configuration | • | • | • | • | — |
Command History
| Release | Modification |
|---|---|
| 3.1(1) | This command was introduced. |
Usage Guidelines
Use the snmp-map command to identify a specific map to use for defining the parameters for SNMP inspection. When you enter this command, the system enters the SNMP map configuration mode, which lets you enter the different commands used for defining the specific map. After defining the SNMP map, you use the inspect snmp command to enable the map. Then you use the class-map, policy-map, and service-policy commands to define a class of traffic, to apply the inspect command to the class, and to apply the policy to one or more interfaces.
Examples
The following example shows how to identify SNMP traffic (SNMP runs over UDP, ports 161 and 162), define an SNMP map that denies SNMPv1, define a policy that applies the map, and apply the policy to the outside interface:
hostname(config)# access-list snmp-acl permit udp any any eq 161
hostname(config)# access-list snmp-acl permit udp any any eq 162
hostname(config)# class-map snmp-port
hostname(config-cmap)# match access-list snmp-acl
hostname(config-cmap)# exit
hostname(config)# snmp-map inbound_snmp
hostname(config-snmp-map)# deny version 1
hostname(config-snmp-map)# exit
hostname(config)# policy-map inbound_policy
hostname(config-pmap)# class snmp-port
hostname(config-pmap-c)# inspect snmp inbound_snmp
hostname(config-pmap-c)# exit
hostname(config-pmap)# exit
hostname(config)# service-policy inbound_policy interface outside
Related Commands
| Command | Description |
|---|---|
| class-map | Defines the traffic class to which to apply security actions. |
| deny version | Disallows traffic using a specific version of SNMP. |
| inspect snmp | Enables SNMP application inspection. |
| policy-map | Associates a class map with specific security actions. |
snmp-server community
To set the SNMP community string, use the snmp-server community command in global configuration mode. To remove the community string, use the no form of this command.
snmp-server community text
no snmp-server community [text]
Syntax Description
| Argument | Description |
|---|---|
| text | Sets the community string. |
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
| Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System) |
|---|---|---|---|---|---|
| Global configuration | • | • | • | • | — |
Command History
| Release | Modification |
|---|---|
| 1.1(1) | This command was introduced. |
Usage Guidelines
The SNMP community string is a shared secret between the SNMP management station and the network nodes being managed. The FWSM uses this string to decide whether an incoming SNMP request is valid: for example, you can assign a community string to a site and then configure the routers, the FWSM, and the management station with that same string. The FWSM does not respond to requests that carry a different community string. Because SNMP versions 1 and 2c (the versions the snmp-server host command accepts) send the community string in cleartext on the wire, treat it as a password: avoid well-known values such as public, and limit the stations that are allowed to poll the FWSM with the snmp-server host command.
Examples
The following example sets the community string to wallawallabingbang:
hostname(config)# snmp-server community wallawallabingbang
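The following is an added example, not part of the FWSM documentation or its software. It parses the outer BER structure of an SNMP message to show the two checks described on this page: the version check that a "deny version" line in an snmp-map applies (snmp-map section above), and the community-string check the FWSM's own SNMP agent applies before answering a request (this section). The version values on the wire follow RFC 1157, RFC 1901 and RFC 3412 (0 = SNMPv1, 1 = SNMPv2c, 3 = SNMPv3); the sample packets are constructed here with a small BER encoder, and the function names are this example's own.

```python
# Added example, not part of the FWSM documentation: a minimal BER parser for
# the outer SNMP message, used to show the "deny version" check an snmp-map
# applies and the community-string check the FWSM's SNMP agent applies.
# Wire values per RFC 1157 / RFC 1901 / RFC 3412: 0 = v1, 1 = v2c, 3 = v3.
# The sample packets are constructed here with a tiny BER encoder.
from typing import Dict, Optional, Set, Tuple

# snmp-map "deny version" keyword -> version value on the wire
VERSION_KEYWORDS: Dict[str, int] = {"1": 0, "2c": 1, "3": 3}


def ber(tag: int, payload: bytes) -> bytes:
    """Encode one TLV; supports lengths up to 65535 (short and long forms)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + payload


def ber_int(value: int) -> bytes:
    """Encode a non-negative INTEGER (the only kind needed here)."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return ber(0x02, raw)


def build_get_request(version: int, community: str,
                      oid: bytes = b"\x2b\x06\x01\x02\x01\x01\x01\x00") -> bytes:
    """Construct an SNMP v1/v2c GetRequest for one OID (default sysDescr.0)."""
    varbind = ber(0x30, ber(0x06, oid) + ber(0x05, b""))  # OID + NULL
    pdu = ber(0xA0, ber_int(1) + ber_int(0) + ber_int(0) + ber(0x30, varbind))
    return ber(0x30, ber_int(version) + ber(0x04, community.encode()) + pdu)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, next_pos); raise ValueError on truncation."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        count = first & 0x7F
        if count == 0 or count > 4 or pos + count > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated content")
    return tag, buf[pos:pos + length], pos + length


def parse_snmp_header(packet: bytes) -> Tuple[int, Optional[str]]:
    """Return (version, community); community is None for SNMPv3 messages."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    tag, ver, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing version field")
    version = int.from_bytes(ver, "big")
    if version == 3:
        return version, None  # v3 carries msgGlobalData, not a community
    tag, comm, _ = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("missing community field")
    return version, comm.decode("latin-1")


def snmp_map_allows(packet: bytes, denied_versions: Set[str]) -> bool:
    """Mirror the 'deny version' lines of an snmp-map: False means drop."""
    denied_wire = {VERSION_KEYWORDS[k] for k in denied_versions}
    try:
        version, _ = parse_snmp_header(packet)
    except ValueError:
        return False  # malformed message: drop rather than guess
    return version not in denied_wire


def agent_accepts(packet: bytes, configured_community: str) -> bool:
    """The FWSM answers only requests carrying the configured community string."""
    try:
        _, community = parse_snmp_header(packet)
    except ValueError:
        return False
    return community is not None and community == configured_community


if __name__ == "__main__":
    v1 = build_get_request(0, "public")
    v2c = build_get_request(1, "wallawallabingbang")
    print("v1 through deny-version-1 map:", snmp_map_allows(v1, {"1"}))
    print("v2c accepted by agent:", agent_accepts(v2c, "wallawallabingbang"))
```

Both checks are made on a cleartext field, which is the point of the caveat above: anyone who can observe a v1 or v2c request learns the community string, so the snmp-map can only restrict versions and the agent can only compare strings; neither provides confidentiality.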
Related Commands
| Command | Description |
|---|---|
| snmp-server contact | Sets the SNMP contact name. |
| snmp-server enable | Enables SNMP on the FWSM. |
| snmp-server enable traps | Enables SNMP traps. |
| snmp-server host | Sets the SNMP host address. |
| snmp-server location | Sets the SNMP server location string. |
snmp-server contact
To set the SNMP contact name, use the snmp-server contact command in global configuration mode. To remove the contact name, use the no form of this command.
snmp-server contact text
no snmp-server contact [text]
Syntax Description
| Argument | Description |
|---|---|
| text | Specifies the name of the contact person or the FWSM system administrator. The name is case sensitive and can be up to 127 characters. Spaces are accepted, but multiple spaces are shortened to a single space. |
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
| Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System) |
|---|---|---|---|---|---|
| Global configuration | • | • | • | • | — |
Command History
| Release | Modification |
|---|---|
| 1.1(1) | This command was introduced. |
Examples
The following example sets the contact as Pat Johnson:
hostname(config)# snmp-server contact Pat Johnson
Related Commands
| Command | Description |
|---|---|
| snmp-server community | Sets the SNMP community string. |
| snmp-server enable | Enables SNMP on the FWSM. |
| snmp-server enable traps | Enables SNMP traps. |
| snmp-server host | Sets the SNMP host address. |
| snmp-server location | Sets the SNMP server location string. |
snmp-server enable
To enable the SNMP server on the FWSM, use the snmp-server enable command in global configuration mode. To disable SNMP, use the no form of this command.
snmp-server enable
no snmp-server enable
Syntax Description
This command has no arguments or keywords.
Defaults
By default, the SNMP server is enabled.
Command Modes
The following table shows the modes in which you can enter the command:
| Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System) |
|---|---|---|---|---|---|
| Global configuration | • | • | • | • | — |
Command History
| Release | Modification |
|---|---|
| 3.1(1) | This command was introduced. |
Usage Guidelines
This command lets you enable and disable SNMP easily, without having to configure and reconfigure the SNMP traps or other configuration.
Examples
The following example enables SNMP, configures the community string, location, contact, SNMP host and traps, and then enables sending system log messages to the NMS as SNMP traps (logging history and logging enable):
hostname(config)# snmp-server enable
hostname(config)# snmp-server community wallawallabingbang
hostname(config)# snmp-server location Building 42, Sector 54
hostname(config)# snmp-server contact Sherlock Holmes
hostname(config)# snmp-server host perimeter 10.1.2.42
hostname(config)# snmp-server enable traps all
hostname(config)# logging history 7
hostname(config)# logging enable
Related Commands
| Command | Description |
|---|---|
| snmp-server community | Sets the SNMP community string. |
| snmp-server contact | Sets the SNMP contact name. |
| snmp-server enable traps | Enables SNMP traps. |
| snmp-server host | Sets the SNMP host address. |
| snmp-server location | Sets the SNMP server location string. |
snmp-server enable traps
To enable the FWSM to send traps to the NMS, use the snmp-server enable traps command in global configuration mode. To disable traps, use the no form of this command.
snmp-server enable traps [all | syslog | snmp [trap] [...] | entity [trap] [...] | ipsec [trap] [...] | remote-access [trap]]
no snmp-server enable traps [all | syslog | snmp [trap] [...] | entity [trap] [...] | ipsec [trap] [...] | remote-access [trap]]
Syntax Description
| Keyword | Description |
|---|---|
| all | Enables all traps. |
| entity [trap] | Enables entity traps. Traps for entity include config-change, fru-insert, and fru-remove. |
| ipsec [trap] | Enables IPSec traps. Traps for ipsec include start and stop. |
| remote-access [trap] | Enables remote access traps. Traps for remote-access include session-threshold-exceeded. |
| snmp [trap] | Enables SNMP traps. By default, all SNMP traps are enabled. Traps for snmp include authentication, linkup, linkdown, and coldstart. |
| syslog | Enables syslog traps. |
Defaults
The default configuration has all snmp traps enabled (snmp-server enable traps snmp authentication linkup linkdown coldstart). You can disable these traps using the no form of this command with the snmp keyword. However, the clear configure snmp-server command restores the default enabling of SNMP traps.
If you enter this command and do not specify a trap type, then the default is syslog. (The default snmp traps continue to be enabled along with the syslog trap.)
Command Modes
The following table shows the modes in which you can enter the command:
| Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System) |
|---|---|---|---|---|---|
| Global configuration | • | • | • | • | — |
Command History
| Release | Modification |
|---|---|
| 1.1(1) | This command was introduced. |
Usage Guidelines
Enter this command for each feature type to enable individual traps or sets of traps, or enter the all keyword to enable all traps.
To send system log messages to the NMS as syslog traps, set the severity level with the logging history command and enable logging with the logging enable command.
Examples
The following example enables SNMP, configures the community string, location, contact, SNMP host and traps, and then enables sending system log messages to the NMS as SNMP traps (logging history and logging enable):
hostname(config)# snmp-server enable
hostname(config)# snmp-server community wallawallabingbang
hostname(config)# snmp-server location Building 42, Sector 54
hostname(config)# snmp-server contact Sherlock Holmes
hostname(config)# snmp-server host perimeter 10.1.2.42
hostname(config)# snmp-server enable traps all
hostname(config)# logging history 7
hostname(config)# logging enable
Related Commands
| Command | Description |
|---|---|
| snmp-server community | Sets the SNMP community string. |
| snmp-server contact | Sets the SNMP contact name. |
| snmp-server enable | Enables SNMP on the FWSM. |
| snmp-server host | Sets the SNMP host address. |
| snmp-server location | Sets the SNMP server location string. |
snmp-server host
To specify an NMS that can use SNMP on the FWSM, use the snmp-server host command in global configuration mode. To remove the NMS, use the no form of this command.
snmp-server host interface_name ip_address [trap | poll] [community text] [version {1 | 2c}] [udp-port port]
no snmp-server host interface_name ip_address [trap | poll] [community text] [version {1 | 2c}] [udp-port port]
Syntax Description
| Argument or Keyword | Description |
|---|---|
| interface_name | Specifies the interface name through which the NMS communicates with the FWSM. |
| ip_address | Specifies the IP address of the NMS to which SNMP traps are sent or from which SNMP requests come. |
| trap | (Optional) Specifies that only traps are sent to this host, and that the host is not allowed to browse (poll). |
| poll | (Optional) Specifies that this host is allowed to browse (poll), but that no traps are sent to it. |
| community text | (Optional) Sets the community string for this NMS. |
| version {1 \| 2c} | (Optional) Sets the SNMP notification version to version 1 or 2c. |
| udp-port port | (Optional) Sets the UDP port to which notifications are sent. SNMP traps are sent on UDP port 162 by default. |
Defaults
The default UDP port is 162.
The default version is 1.
Command Modes
The following table shows the modes in which you can enter the command:
| Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System) |
|---|---|---|---|---|---|
| Global configuration | • | • | • | • | — |
Command History
| Release | Modification |
|---|---|
| 1.1(1) | This command was introduced. |
Usage Guidelines
You can specify up to 32 NMSs.
Examples
The following example sets the host to 10.1.2.42 attached to the perimeter interface:
hostname(config)# snmp-server host perimeter 10.1.2.42
Related Commands
| Command | Description |
|---|---|
| snmp-server community | Sets the SNMP community string. |
| snmp-server contact | Sets the SNMP contact name. |
| snmp-server enable | Enables SNMP on the FWSM. |
| snmp-server enable traps | Enables SNMP traps. |
| snmp-server location | Sets the SNMP server location string. |
snmp-server listen-port
To set the listen port for SNMP requests, use the snmp-server listen-port command in global configuration mode. To restore the default port, use the no form of the command.
snmp-server listen-port lport
no snmp-server listen-port lport
Syntax Description
| Argument | Description |
|---|---|
| lport | The UDP port on which incoming SNMP requests are accepted. The default port is 161. |
Defaults
The default port is 161.
Command Modes
The following table shows the modes in which you can enter the command (the command is entered in global configuration mode, as the description and the example below show):
| Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System) |
|---|---|---|---|---|---|
| Global configuration | • | • | • | • | — |
Command History
| Release | Modification |
|---|---|
| 1.1(1) | This command was introduced. |
Examples
The following example sets the listen port to 192:
hostname(config)# snmp-server listen-port 192
Related Commands
| Command | Description |
|---|---|
| snmp-server community | Sets the SNMP community string. |
| snmp-server contact | Sets the SNMP contact name. |
| snmp-server enable | Enables SNMP on the FWSM. |
| snmp-server enable traps | Enables SNMP traps. |
| snmp-server location | Sets the SNMP server location string. |
snmp-server location
To set the FWSM location for SNMP, use the snmp-server location command in global configuration mode. To remove the location, use the no form of this command.
snmp-server location text
no snmp-server location [text]
Syntax Description
| Argument | Description |
|---|---|
| text | Specifies the FWSM location. The location text is case sensitive and can be up to 127 characters. Spaces are accepted, but multiple spaces are shortened to a single space. |
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
| Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System) |
|---|---|---|---|---|---|
| Global configuration | • | • | • | • | — |
Command History
| Release | Modification |
|---|---|
| 1.1(1) | This command was introduced. |
Examples
The following example sets the location as Building 42, Sector 54:
hostname(config)# snmp-server location Building 42, Sector 54
Related Commands
| Command | Description |
|---|---|
| snmp-server community | Sets the SNMP community string. |
| snmp-server contact | Sets the SNMP contact name. |
| snmp-server enable | Enables SNMP on the FWSM. |
| snmp-server enable traps | Enables SNMP traps. |
| snmp-server host | Sets the SNMP host address. |
split-dns
To enter a list of domains to be resolved through the split tunnel, use the split-dns command in group-policy configuration mode. To delete a list, use the no form of this command.
split-dns {value domain-name1 [domain-name2 ... domain-nameN] | none}
no split-dns [domain-name1 [domain-name2 ... domain-nameN]]
Syntax Description
| Keyword | Description |
|---|---|
| value domain-name | Provides a domain name that the FWSM resolves through the split tunnel. |
| none | Indicates that there is no split DNS list. Sets a split DNS list with a null value, thereby disallowing a split DNS list, and prevents inheriting a split DNS list from a default or specified group policy. |
Defaults
Split DNS is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
| Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System) |
|---|---|---|---|---|---|
| Group policy | • | — | • | — | — |
Command History
| Release | Modification |
|---|---|
| 3.1(1) | This command was introduced. |
Usage Guidelines
Use a single space to separate each entry in the list of domains. There is no limit on the number of entries, but the entire string can be no longer than 255 characters. You can use only alphanumeric characters, hyphens (-), and periods (.).
To delete all split tunneling domain lists, use the no split-dns command without arguments. This deletes all configured split tunneling domain lists, including a null list created by issuing the split-dns none command.
When there are no split tunneling domain lists, users inherit any that exist in the default group policy. To prevent users from inheriting such split tunneling domain lists, use the split-dns none command.
Examples
The following example shows how to configure the domains Domain1, Domain2, Domain3 and Domain4 to be resolved through split tunneling for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# split-dns value Domain1 Domain2 Domain3 Domain4
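The following is an added example, not part of the FWSM documentation or its software. It checks a split-dns value list against the limits stated in the usage guidelines above (single-space separators, a 255-character total, only alphanumerics, hyphens and periods) and then shows the decision a client makes with that list for each DNS query. The matching rule is an assumption of this example, since the page does not define it: a query name is within a listed domain when the listed domain is a suffix of the query name on DNS label boundaries, so corp.example.com covers host.corp.example.com but not notcorp.example.com.

```python
# Added example, not part of the FWSM documentation: validation of a
# split-dns value list against the limits stated above, and the resolver-side
# decision a client makes with that list. Assumption: the client matches query
# names on DNS label boundaries; the page does not state the matching rule.
import re
from typing import List

MAX_LIST_LENGTH = 255                         # "the entire string can be no longer than 255 characters"
DOMAIN_RE = re.compile(r"^[A-Za-z0-9.-]+$")   # only alphanumerics, hyphens and periods


def parse_split_dns(value: str) -> List[str]:
    """Return the domain list, or raise ValueError when it violates the limits."""
    if len(value) > MAX_LIST_LENGTH:
        raise ValueError(f"list is {len(value)} characters; maximum is {MAX_LIST_LENGTH}")
    domains = value.split(" ")
    if any(d == "" for d in domains):
        raise ValueError("entries must be separated by exactly one space")
    for d in domains:
        if not DOMAIN_RE.match(d):
            raise ValueError(f"invalid characters in {d!r}")
    return domains


def _labels(name: str) -> List[str]:
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return [label.lower() for label in name.strip(".").split(".") if label]


def resolves_through_tunnel(query_name: str, split_domains: List[str]) -> bool:
    """True when the query name is within one of the split-DNS domains."""
    query = _labels(query_name)
    for domain in split_domains:
        suffix = _labels(domain)
        if len(suffix) <= len(query) and query[-len(suffix):] == suffix:
            return True
    return False


def split_dns_command(value: str) -> str:
    """Render the validated list as the group-policy command shown above."""
    return "split-dns value " + " ".join(parse_split_dns(value))


if __name__ == "__main__":
    # Constructed sample list and queries for the demonstration.
    domains = parse_split_dns("corp.example.com lab.example.net")
    for name in ("host.corp.example.com", "notcorp.example.com", "www.example.org"):
        print(name, "-> tunnel" if resolves_through_tunnel(name, domains) else "-> local resolver")
```

The label-boundary check is the part worth getting right on the client side: a plain string suffix match would send notcorp.example.com through the tunnel and, more importantly, could let a name crafted to end in a listed domain be resolved by the corporate DNS servers when it should not be.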
Related Commands
| Command | Description |
|---|---|
| default-domain | Specifies a default domain name that the IPSec client uses for DNS queries that omit the domain field. |
spli |