Table Of Contents

gateway through http-map Commands

gateway

global

group-delimiter

group-lock

group-object

group-policy

group-policy attributes

gtp-map

h225-map

hello-interval

help

hold-time

hostname

hsi

hsi-group

http

http authentication-certificate

http server enable

http-map

gateway through http-map Commands

---

gateway

To specify which group of call agents are managing a particular gateway, use the gateway command in MGCP map configuration mode. To remove the configuration, use the no form of this command.

gateway ip_address [group_id]

Syntax Description

gateway	Specifies the group of call agents that are managing a particular gateway.
group_id	The ID of the call agent group, from 0 to 2147483647.
ip_address	The IP address of the gateway.

Defaults

This command is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Mgcp map configuration	•	•	•	•	—

Command History

Release	Modification
3.1(1)	This command was introduced.

Usage Guidelines

Use the gateway command to specify which group of call agents are managing a particular gateway. The IP address of the gateway is specified with the ip_address option. The group_id option is a number from 0 to 4294967295 that must correspond with the group_id of the call agents that are managing the gateway. A gateway may only belong to one group.

Examples

The following example allows call agents 10.10.11.5 and 10.10.11.6 to control gateway 10.10.10.115, and allows call agents 10.10.11.7 and 10.10.11.8 to control both gateways 10.10.10.116 and 10.10.10.117:

hostname(config)# mgcp-map mgcp_policy

hostname(config-mgcp-map)# call-agent 10.10.11.5 101

hostname(config-mgcp-map)# call-agent 10.10.11.6 101

hostname(config-mgcp-map)# call-agent 10.10.11.7 102

hostname(config-mgcp-map)# call-agent 10.10.11.8 102

hostname(config-mgcp-map)# gateway 10.10.10.115 101

hostname(config-mgcp-map)# gateway 10.10.10.116 102

hostname(config-mgcp-map)# gateway 10.10.10.117 102

Related Commands

Commands	Description
debug mgcp	Enables the display of debug information for MGCP.
mgcp-map	Defines an MGCP map and enables mgcp map configuration mode.
show mgcp	Displays MGCP configuration and session information.

global

To create a pool of mapped addresses for NAT, use the global command in global configuration mode. To remove the pool of addresses, use the no form of this command.

global (mapped_ifc) nat_id {mapped_ip[-mapped_ip] [netmask mask] | interface}

no global (mapped_ifc) nat_id {mapped_ip[-mapped_ip] [netmask mask] | interface}

Syntax Description

interface	Uses the interface IP address as the mapped address.
mapped_ifc	Specifies the name of the interface connected to the mapped IP address network.
mapped_ip[-mapped_ip]	Specifies the mapped address(es) to which you want to translate the real addresses when they exit the mapped interface. If you specify a single address, then you configure PAT. If you specify a range of addresses, then you configure dynamic NAT. If the external network is connected to the Internet, each global IP address must be registered with the Network Information Center (NIC).
nat_id	Specifies an integer for the NAT ID. This ID is referenced by the nat command to associate a mapped pool with the real addresses to translate. For regular NAT, this integer is between 1 and 2147483647. For policy NAT (nat id access-list), this integer is between 1 and 65535. Do not specify a global command for NAT ID 0; 0 is reserved for identity NAT and NAT exemption, which do not use a global command.
netmask mask	(Optional) Specifies the network mask for the mapped_ip. This mask does not specify a network when paired with the mapped_ip; rather, it specifies the subnet mask assigned to the mapped_ip when it is assigned to a host. If you want to configure a range of addresses, you need to specify mapped_ip-mapped_ip. If you do not specify a mask, then the default mask for the address class is used.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	•	•	•	—

Command History

Release	Modification
1.1(1)	This command was introduced.
3.2.(1)	NAT is now supported in transparent firewall mode.

Usage Guidelines

For dynamic NAT and PAT, you first configure a nat command identifying the real addresses on a given interface that you want to translate. Then you configure a separate global command to specify the mapped addresses when exiting another interface (in the case of PAT, this is one address). Each nat command matches a global command by comparing the NAT ID, a number that you assign to each command.

See the nat command for more information about dynamic NAT and PAT.

If you change the NAT configuration, and you do not want to wait for existing translations to time out before the new NAT information is used, you can clear the translation table using clear xlate command. However, clearing the translation table disconnects all of the current connections.

Examples

The following example hows how to translate the 10.1.1.0/24 network on the inside interface:

hostname(config)# nat (inside) 1 10.1.1.0 255.255.255.0

hostname(config)# global (outside) 1 209.165.201.1-209.165.201.30

To identify a pool of addresses for dynamic NAT as well as a PAT address for when the NAT pool is exhausted, enter the following commands:

hostname(config)# nat (inside) 1 10.1.1.0 255.255.255.0

hostname(config)# global (outside) 1 209.165.201.5

hostname(config)# global (outside) 1 209.165.201.10-209.165.201.20

To translate the lower security DMZ network addresses so they appear to be on the same network as the inside network (10.1.1.0), for example, to simplify routing, enter the following commands:

hostname(config)# nat (dmz) 1 10.1.2.0 255.255.255.0 outside dns

hostname(config)# global (inside) 1 10.1.1.45

To identify a single real address with two different destination addresses using policy NAT, enter the following commands:

hostname(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.0 209.165.201.0 
255.255.255.224

hostname(config)# access-list NET2 permit ip 10.1.2.0 255.255.255.0 209.165.200.224 
255.255.255.224

hostname(config)# nat (inside) 1 access-list NET1 tcp 0 2000 udp 10000

hostname(config)# global (outside) 1 209.165.202.129

hostname(config)# nat (inside) 2 access-list NET2 tcp 1000 500 udp 2000

hostname(config)# global (outside) 2 209.165.202.130

To identify a single real address/destination address pair that use different ports using policy NAT, enter the following commands:

hostname(config)# access-list WEB permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 
255.255.255.255 eq 80

hostname(config)# access-list TELNET permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 
255.255.255.255 eq 23

hostname(config)# nat (inside) 1 access-list WEB

hostname(config)# global (outside) 1 209.165.202.129

hostname(config)# nat (inside) 2 access-list TELNET

hostname(config)# global (outside) 2 209.165.202.130

Related Commands

Command	Description
clear configure global	Removes global commands from the configuration.
nat	Specifies the real addresses to translate.
show running-config global	Displays the global commands in the configuration.
static	Configures a one-to-one translation.

group-delimiter

To enable group-name parsing and specify the delimiter to be used when parsing group names from the user names that are received when tunnels are being negotiated, use the group-delimiter command in global configuration mode. To disable this group-name parsing, use the no form of this command.

group-delimiter delimiter

no group-delimiter

Syntax Description

delimiter

Specifies the character to use as the group-name delimiter. Valid values are: @, #, and !.

Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	•	—	—	•

Command History

Release	Modification
3.1(1)	This command was introduced.

Usage Guidelines

By default, no delimiter is specified, disabling group-name parsing.

Examples

The following example shows the group-delimiter command to change the group delimiter to the hash mark (#):

hostname(config)# group-delimiter #

Related Commands

Command	Description
show running-config group-delimiter	Displays the current group-delimiter value.
strip-group	Enables or disables strip-group processing.

group-lock

To restrict remote users to access through the tunnel group only, use the group-lock command in group-policy configuration mode or username configuration mode. To remove the group-lock attribute from the running configuration, use the no form of this command.

group-lock {value tunnel-grp-name | none}

no group-lock

Syntax Description

none	Sets group-lock to a null value, thereby allowing no group-lock restriction. Prevents inheriting a group-lock value from a default or specified group policy.
value tunnel-grp-name	Specifies the name of an existing tunnel group that the FWSM requires for the user to connect.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Group-policy configuration	•	—	•	—	—
Username configuration	•	—	•	—	—

Command History

Release	Modification
3.1(1)	This command was introduced.

Usage Guidelines

This option allows inheritance of a value from another group policy. To disable group-lock, use the group-lock none command.

Group-lock restricts users by checking if the group configured in the VPN client is the same as the tunnel group to which the user is assigned. If it is not, the FWSM prevents the user from connecting. If you do not configure group-lock, the FWSM authenticates users without regard to the assigned group.

Examples

The following example shows how to set group lock for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes

hostname(config-group-policy)# group-lock value tunnel group name

This option allows inheritance of a value from another group policy. To disable group-lock, use the group-lock none command.

Group-lock restricts users by checking if the group configured in the VPN client is the same as the 
tunnel group to which the user is assigned. If it is not, the FWSM prevents the user from connecting. If 
you do not configure group-lock, the FWSM authenticates users without regard to the assigned group.

group-object

To add network object groups, use the group-object command in protocol, network, service, and icmp-type configuration modes. To remove network object groups, use the no form of this command.

group-object obj_grp_id

no group-object obj_grp_id

Syntax Description

obj_grp_id

Identifies the object group (one to 64 characters) and can be any combination of letters, digits, and the "_", "-", "." characters.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Protocol configuration	•	•	•	•	—
Network configuration	•	•	•	•	—
Service configuration	•	•	•	•	—
Icmp-type configuration	•	•	•	•	—

Command History

Release	Modification
3.1(1)	This command was introduced.

Usage Guidelines

The group-object command is used with the object-group command to define an object that itself is an object group. It is used in protocol, network, service, and icmp-type configuration modes. This command allows logical grouping of the same type of objects and construction of hierarchical object groups for structured configuration.

Duplicate objects are allowed in an object group if they are group objects. For example, if object 1 is in both group A and group B, it is allowed to define a group C which includes both A and B. It is not allowed, however, to include a group object which causes the group hierarchy to become circular. For example, it is not allowed to have group A include group B and then also have group B include group A.

The maximum allowed levels of a hierarchical object group is 10.

Examples

The following example shows how to use the group-object command in network configuration mode eliminate the need to duplicate hosts:

hostname(config)# object-group network host_grp_1

hostname(config-network)# network-object host 192.168.1.1

hostname(config-network)# network-object host 192.168.1.2 

hostname(config-network)# exit

hostname(config)# object-group network host_grp_2

hostname(config-network)# network-object host 172.23.56.1

hostname(config-network)# network-object host 172.23.56.2

hostname(config-network)# exit

hostname(config)# object-group network all_hosts

hostname(config-network)# group-object host_grp_1

hostname(config-network)# group-object host_grp_2

hostname(config-network)# exit

hostname(config)# access-list grp_1 permit tcp object-group host_grp_1 any eq ftp

hostname(config)# access-list grp_2 permit tcp object-group host_grp_2 any eq smtp

hostname(config)# access-list all permit tcp object-group all-hosts any eq w

Related Commands

Command	Description
clear configure object-group	Removes all the object-group commands from the configuration.
network-object	Adds a network object to a network object group.
object-group	Defines object groups to optimize your configuration.
port-object	Adds a port object to a service object group.
show running-config object-group	Displays the current object groups.

group-policy

To create or edit a group policy, use the group-policy command in global configuration mode. To remove a group policy from the configuration, use the no form of this command.

group-policy name {internal [from group-policy_name] | external server-group server_group password server_password}

no group-policy name

Syntax Description

external server-group server_group	Specifies the group policy as external and identifies the AAA server group for the FWSM to query for attributes.
from group-policy_name	Initializes the attributes of this internal group policy to the values of a pre-existing group policy.
internal	Identifies the group policy as internal.
name	Specifies the name of the group policy.
password server_password	Provides the password to use when retrieving attributes from the external AAA server group.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	—	•	—	—

Command History

Release	Modification
3.1(1)	This command was introduced.

Usage Guidelines

A default group policy, named "DefaultGroupPolicy," always exists on the FWSM. However, this default group policy does not take effect unless you configure the FWSM to use it. For configuration instructions, see the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide.

The DefaultGroupPolicy has these AVPs:

Attribute	Default Value
wins-server	none
dns-server	none
vpn-access-hours	unrestricted
vpn-simultaneous-logins	3
vpn-idle-timeout	30 minutes
vpn-session-timeout	none
vpn-filter	none
vpn-tunnel-protocol	IPSec WebVPN
ip-comp	disable
re-xauth	disable
group-lock	none
pfs	disable
client-access-rules	none
banner	none
password-storage	disabled
ipsec-udp	disabled
ipsec-udp-port	10000
backup-servers	keep-client-config
split-tunnel-policy	tunnelall
split-tunnel-network-list	none
default-domain	none
split-dns	none
client-firewall	none
secure-unit-authentication	disabled
user-authentication	disabled
user-authentication-idle-timeout	none
ip-phone-bypass	disabled
leap-bypass	disabled
nem	disabled

Examples

The following example shows how to create an internal group policy with the name "FirstGroup":

hostname(config)# group-policy FirstGroup internal

The following example shows how to create an external group policy with the name "ExternalGroup," the AAA server group "BostonAAA," and the password "12345678":

hostname(config)# group-policy ExternalGroup external server-group BostonAAA password 
12345678

Related Commands

Command	Description
clear configure group-policy	Removes the configuration for a particular group policy or for all group policies.
group-policy attributes	Enters group-policy attributes mode, which lets you configure AVPs for a specified group policy.
show running-config group-policy	Displays the running configuration for a particular group policy or for all group policies.

group-policy attributes

To enter the group-policy attributes mode, use the group-policy attributes command in global configuration mode. To remove all attributes from a group policy, user the no form of this command. The attributes mode lets you configure AVPs for a specified group policy.

group-policy name attributes

no group-policy name attributes

Syntax Description

name	Specifies the name of the group policy.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	—	•	—	—

Command History

Release	Modification
3.1(1)	This command was introduced.

Usage Guidelines

The syntax of the commands in attributes mode have the following characteristics in common:

•The no form removes the attribute from the running configuration, and enables inheritance of a value from another group policy.

•The none keyword sets the attribute in the running configuration to a null value, thereby preventing inheritance.

•Boolean attributes have explicit syntax for enabled and disabled settings.

Examples

The following example shows how to enter group-policy attributes mode for the group policy named "FirstGroup":

hostname(config)# group-policy FirstGroup attributes

hostname(config-group-policy)#

Related Commands

Command	Description
clear configure group-policy	Removes the configuration for a particular group policy or for all group policies.
group-policy	Creates, edits, or removes a group policy.
show running-config group-policy	Displays the running configuration for a particular group policy or for all group policies.

gtp-map

To identify a specific map to use for defining the parameters for GTP, use the gtp-map command in global configuration mode. To remove the map, use the no form of this command.

gtp-map map_name

no gtp-map map_name

---

Note GTP inspection requires a special license. If you enter the gtp-map command on a FWSM without the required license, the FWSM displays an error message.

---

Syntax Description

map_name

The name of the GTP map.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	•	•	•	—

Command History

Release	Modification
3.1(1)	This command was introduced.

Usage Guidelines

GPRS is a data network architecture that is designed to integrate with existing GSM networks. It offers mobile subscribers uninterrupted, packet-switched data services to corporate networks and the Internet. For an overview of GTP and how the FWSM ensures secure access over wireless networks, refer to the "Applying Application Layer Protocol Inspection" chapter in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide.

Use the gtp-map command to identify a specific map to use for defining the parameters for GTP. When you enter this command, the system enters a configuration mode that lets you enter the different commands used for defining the specific map. After defining the GTP map, you use the inspect gtp command to enable the map. Then you use the class-map, policy-map, and service-policy commands to define a class of traffic, to apply the inspect command to the class, and to apply the policy to one or more interfaces.

Table 13-1 GTP Map Configuration Commands

Command	Description
description	Specifies the GTP configuration map description.
drop	Specifies the message ID, APN, or GTP version to drop.
mcc	Specifies the three-digit Mobile Country Code (000 - 999). One or two- digit entries will be prepended with 0s
message-length	Specifies the message length min and max.
permit errors	Permits packets with errors or different GTP versions.
request-queue	Specifies the maximum requests allowed in the queue.
timeout (gtp-map)	Specifies the idle timeout for the GSN, PDP context, requests, signaling connections, and tunnels.
tunnel-limit	Specifies the maximum number of tunnels allowed.

Examples

The following example shows how to use the gtp-map command to identify a specific map (gtp-policy) to use for defining the parameters for GTP:

hostname(config)# gtp-map qtp-policy

hostname(config-gtpmap)# 

The following example shows how to use access lists to identify GTP traffic, define a GTP map, define a policy, and apply the policy to the outside interface:

hostname(config)# access-list gtp-acl permit udp any any eq 3386 

hostname(config)# access-list gtp-acl permit udp any any eq 2123

hostname(config)# class-map gtp-traffic 

hostname(config-cmap)# match access-list gtp-acl 

hostname(config-cmap)# exit

hostname(config)# gtp-map gtp-policy

hostname(config-gtpmap)# request-queue 300

hostname(config-gtpmap)# permit mcc 111 mnc 222

hostname(config-gtpmap)# message-length min 20 max 300

hostname(config-gtpmap)# drop message 20

hostname(config-gtpmap)# tunnel-limit 10000 

hostname(config)# policy-map inspection_policy 

hostname(config-pmap)# class gtp-traffic 

hostname(config-pmap-c)# inspect gtp gtp-policy 

hostname(config)# service-policy inspection_policy outside

Related Commands

Commands	Description
class-map	Defines the traffic class to which to apply security actions.
clear service-policy inspect gtp	Clears global GTP statistics.
debug gtp	Displays detailed information about GTP inspection.
inspect gtp	Applies a specific GTP map to use for application inspection.
show service-policy inspect gtp	Displays the GTP configuration.

h225-map

To define an H.225 application inspection map, use the h225-map command in global configuration mode. To remove the map, use the no form of this command.

h225-map map_name

no h225-map map_name

Syntax Description

map_name

The name of the H.225 map.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	•	•	•	—

Command History

Release	Modification
FWSM 3.1	This command was introduced.

Usage Guidelines

An H.225 map allows the FWSM to open dynamic, port-specific pinholes for an H.245 connection when an HSI is involved in H.225 call-signalling.

The H.225 map provides information about the HSI and its associated endpoints, which is required to establish this connection without compromising the security of the network protected by the FWSM.

When you enter the h225-map command, the system enters the h225 map configuration mode, which lets you enter the different commands used for defining the specific map.

One H.225 map can contain a maximum of five HSI groups. Each HSI group can contain a maximum of ten endpoints.

Examples

The following example shows how to define an H.225 map:

hostname(config)# h225-map sample_map

hostname(config-h225-map)# hsi-group 1

hostname(config-h225-map-hsi-grp)# hsi 10.10.15.11 

hostname(config-h225-map-hsi-grp)# endpoint 10.3.6.1 inside

hostname(config-h225-map-hsi-grp)# endpoint 10.10.25.5 outside

hostname(config-h225-map-hsi-grp)# exit

Related Commands

Commands	Description
endpoint	Defines the endpoint associated with an HSI group.
hsi	Defines the HSI associated with an HSI group.
hsi-group	Defines an HSI group and enables hsi group configuration mode.
inspect h323 h225	Applies an H.225 map to H.323 application inspection.

hello-interval

To specify the interval between EIGRP hello packets sent on an interface, use the hello-interval command in interface configuration mode. To return the hello interval to the default value, use the no form of this command.

hello-interval eigrp as-number seconds

no hello-interval eigrp as-number seconds

Syntax Description

as-number	The autonomous system number of the EIGRP routing process.
seconds	Specifies the interval between hello packets that are sent on the interface; valid values are from 1 to 65535 seconds.

Defaults

The default seconds is 5 seconds.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Interface configuration	•	—	•	—	—

Command History

Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

The smaller the hello interval, the faster topological changes will be detected, but more routing traffic will ensue. This value must be the same for all routers and access servers on a specific network.

Examples

The following example sets the EIGRP hello interval to 10 seconds and the hold time to 30 seconds:

hostname(config-if)# hello-interval eigrp 100 10

hostname(config-if)# hold-time eigrp 100 30

Related Commands

Command	Description
hold-time	Configures the EIGRP hold time advertised in hello packets.

help

To display help information for the command specified, use the help command in user EXEC mode.

help {command | ?