Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference, 4.0
same-security-traffic -- show asdm sessions

Table Of Contents

same-security-traffic through show asdm sessions Commands

same-security-traffic

sdi-pre-5-slave

sdi-version

secondary

secure-unit-authentication

security-level

serial-number

server-port

service-acceleration

service reset no-connection

service resetinbound

service-policy

set boot device (Catalyst OS)

set connection

set connection advanced-options service-acceleration

set connection advanced-options tcp-state-bypass

set connection timeout

set metric

set metric-type

setup

show aaa local user

show aaa-server

show access-list

show activation-key

show admin-context

show arp

show arp statistics

show arp-inspection

show asdm history

show asdm log_sessions

show asdm sessions


same-security-traffic through show asdm sessions Commands


same-security-traffic

To permit communication between interfaces with equal security levels, or to allow traffic to enter and exit the same interface, use the same-security-traffic command in global configuration mode. To disable the same-security traffic, use the no form of this command.

same-security-traffic permit {inter-interface | intra-interface}

no same-security-traffic permit {inter-interface | intra-interface}

Syntax Description

inter-interface

Permits communication between different interfaces that have the same security level.

intra-interface

Permits communication in and out of the same interface.


Defaults

By default, these behaviors are disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode | Firewall Mode (Routed, Transparent) | Security Context (Single; Multiple: Context, System)

Global configuration


Command History

Release
Modification

2.2(1)

This command with the inter-interface keyword was introduced.

2.3(1)

Support for the intra-interface keyword was added.


Usage Guidelines

Allowing communication between same-security interfaces (enabled by the same-security-traffic permit inter-interface command) lets you configure more than 101 communicating interfaces. If you use a different level for each interface, you can configure only one interface per level (0 to 100), that is, at most 101 interfaces.

If you enable NAT control, you do not need to configure NAT between same security level interfaces.

The same-security-traffic intra-interface command lets traffic enter and exit the same interface, which is normally not allowed.


Note If you use a same-security interface for both the outside and inside interfaces, you might want to enable the xlate-bypass command; in some situations, you can exceed the maximum number of xlates using that configuration (see the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide for limits). For example, without xlate-bypass, the FWSM creates xlates for all connections (even if you do not configure NAT). In a same-security-traffic configuration, the FWSM randomly chooses which same-security interface is the "inside" interface for the sake of creating xlates. If the FWSM considers the outside same-security interface as the "inside" interface, it creates xlates for every Internet host being accessed through it. If there is any application (or a virus) on the internal network that scans thousands of Internet hosts, all entries in the xlate table may be quickly exhausted.


Examples

The following example shows how to enable the same-security interface communication:

hostname(config)# same-security-traffic permit inter-interface

The following example shows how to enable traffic to enter and exit the same interface:

hostname(config)# same-security-traffic permit intra-interface

Related Commands

Command
Description

show running-config same-security-traffic

Displays the same-security-traffic configuration.


sdi-pre-5-slave

To specify the IP address or name of an optional SDI AAA "slave" server to use for this host connection that uses a version of SDI prior to SDI version 5, use the sdi-pre-5-slave command in AAA-server host configuration mode. To remove this specification, use the no form of this command:

sdi-pre-5-slave host

no sdi-pre-5-slave

Syntax Description

host

Specify the name or IP address of the slave server host.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode | Firewall Mode (Routed, Transparent) | Security Context (Single; Multiple: Context, System)

Aaa-server host


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

This command is available for any host in an SDI AAA server group, but it is relevant only if the SDI version for the host is set to sdi-pre-5 in the sdi-version command. Prior to using this command, you must have configured the AAA server to use the SDI protocol.

The sdi-pre-5-slave command lets you identify an optional secondary server that is to be used if the primary server fails. The address specified by this command must be that of a server that is configured as a "slave" to the primary SDI server. In this situation, if you are using a pre-5 version, you must configure the sdi-pre-5-slave command so that the FWSM can access the appropriate SDI configuration record that is downloaded from the server. This is not an issue with version 5 and later versions.

Examples

The following example configures the AAA SDI server group "svrgrp1" that uses an SDI version prior to SDI version 5.

hostname(config)# aaa-server svrgrp1 protocol sdi
hostname(config-aaa-server-group)# aaa-server svrgrp1 host 192.168.10.10
hostname(config-aaa-server-host)# sdi-version sdi-pre-5
hostname(config-aaa-server-host)# sdi-pre-5-slave 209.165.201.31

Related Commands

Command
Description

aaa-server host

Enter AAA server host configuration mode so that you can configure AAA server parameters that are host-specific.

clear configure aaa-server

Removes all AAA server configurations.

sdi-version

Specifies the version of SDI to use for this host connection.

show running-config aaa-server

Displays AAA server statistics for all AAA servers, for a particular server group, for a particular server within a particular group, or for a particular protocol.


sdi-version

To specify the version of SDI to use for this host connection, use the sdi-version command in AAA-server host configuration mode. To remove this specification, use the no form of this command:

sdi-version version

no sdi-version

Syntax Description

version

Specifies the version of SDI to use. Valid values are:

sdi-5—SDI version 5.0 (default)

sdi-pre-5—SDI versions prior to 5.0


Defaults

The default version is sdi-5.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode | Firewall Mode (Routed, Transparent) | Security Context (Single; Multiple: Context, System)

Aaa-server host


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

This command is valid only for SDI AAA servers. If you configure a secondary (failover) SDI AAA server, and if the SDI version for that server is earlier than version 5, you must also specify the sdi-pre-5-slave command.

Examples

hostname(config)# aaa-server svrgrp1 protocol sdi
hostname(config-aaa-server-group)# aaa-server svrgrp1 host 1.2.3.4
hostname(config-aaa-server-host)# timeout 6
hostname(config-aaa-server-host)# retry-interval 7
hostname(config-aaa-server-host)# sdi-version sdi-5

Related Commands

Command
Description

aaa-server host

Enter AAA server host configuration mode so that you can configure AAA server parameters that are host-specific.

clear configure aaa-server

Remove all AAA configurations.

show running-config aaa-server

Displays AAA server statistics for all AAA servers, for a particular server group, for a particular server within a particular group, or for a particular protocol.


secondary

To give the secondary unit higher priority in a failover group, use the secondary command in failover group configuration mode. To restore the default, use the no form of this command.

secondary

no secondary

Syntax Description

This command has no arguments or keywords.

Defaults

If primary or secondary is not specified for a failover group, the failover group defaults to primary.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode | Firewall Mode (Routed, Transparent) | Security Context (Single; Multiple: Context, System)

Failover group configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

Assigning a primary or secondary priority to a failover group specifies which unit the failover group becomes active on when both units boot simultaneously (within one unit polltime). If one unit boots before the other, both failover groups become active on that unit. When the other unit comes online, any failover group that has the second unit as its priority does not become active on the second unit unless the failover group is configured with the preempt command or is manually forced to the other unit with the no failover active command.

Examples

The following example configures failover group 1 with the primary unit as the higher priority and failover group 2 with the secondary unit as the higher priority. Both failover groups are configured with the preempt command so that the groups will automatically become active on their preferred unit as the units become available.

hostname(config)# failover group 1 
hostname(config-fover-group)# primary
hostname(config-fover-group)# preempt 100
hostname(config-fover-group)# exit
hostname(config)# failover group 2
hostname(config-fover-group)# secondary
hostname(config-fover-group)# preempt 100
hostname(config-fover-group)# exit
hostname(config)#

Related Commands

Command
Description

failover group

Defines a failover group for Active/Active failover.

preempt

Forces the failover group to become active on its preferred unit when the unit becomes available.

primary

Gives the primary unit a higher priority than the secondary unit.


secure-unit-authentication

To enable secure unit authentication, use the secure-unit-authentication enable command in group-policy configuration mode. To disable secure unit authentication, use the secure-unit-authentication disable command. To remove the secure unit authentication attribute from the running configuration, use the no form of this command. This option allows inheritance of a value for secure unit authentication from another group policy.

secure-unit-authentication {enable | disable}

no secure-unit-authentication

Syntax Description

disable

Disables secure unit authentication.

enable

Enables secure unit authentication.


Defaults

Secure unit authentication is disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode | Firewall Mode (Routed, Transparent) | Security Context (Single; Multiple: Context, System)

Group policy


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

Secure unit authentication provides additional security by requiring VPN hardware clients to authenticate with a username and password each time the client initiates a tunnel. With this feature enabled, the hardware client does not have a saved username and password.


Note With this feature enabled, to bring up a VPN tunnel, a user must be present to enter the username and password.


Secure unit authentication requires that you have an authentication server group configured for the tunnel group the hardware client(s) use.

If you require secure unit authentication on the primary FWSM, be sure to configure it on any backup servers as well.

Examples

The following example shows how to enable secure unit authentication for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# secure-unit-authentication enable

Related Commands

Command
Description

ip-phone-bypass

Lets IP phones connect without undergoing user authentication. Secure unit authentication remains in effect.

leap-bypass

Lets LEAP packets from wireless devices behind a VPN hardware client travel across a VPN tunnel prior to user authentication, when enabled. This lets workstations using Cisco wireless access point devices establish LEAP authentication. Then they authenticate again per user authentication.

user-authentication

Requires users behind a hardware client to identify themselves to the FWSM before connecting.


security-level

To set the security level of an interface, use the security-level command in interface configuration mode. To set the security level to the default, use the no form of this command. The security level protects higher security networks from lower security networks by imposing additional protection between the two.

security-level number

no security-level

Syntax Description

number

An integer between 0 (lowest) and 100 (highest).


Defaults

By default, the security level is 0.

If you name an interface "inside" and you do not set the security level explicitly, then the FWSM sets the security level to 100 (see the nameif command). You can change this level if desired.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode | Firewall Mode (Routed, Transparent) | Security Context (Single; Multiple: Context, System)

Interface configuration


Command History

Release
Modification

3.1(1)

This command was introduced. It moved from a keyword of the nameif command to an interface configuration mode command.


Usage Guidelines

The level controls the following behavior:

Inspection engines—Some inspection engines depend on the security level. For same-security interfaces, inspection engines apply to traffic in either direction.

NetBIOS inspection engine—Applied only for outbound connections.

OraServ inspection engine—If a control connection for the OraServ port exists between a pair of hosts, then only an inbound data connection is permitted through the FWSM.

Filtering—HTTP(S) and FTP filtering applies only for outbound connections (from a higher level to a lower level).

For same security interfaces, you can filter traffic in either direction.

NAT control—When you enable NAT control, you must configure NAT for hosts on a higher security interface (inside) when they access hosts on a lower security interface (outside).

Without NAT control, or for same security interfaces, you can choose to use NAT between any interface, or you can choose not to use NAT. Keep in mind that configuring NAT for an outside interface might require a special keyword.

established command—This command allows return connections from a lower security host to a higher security host if there is already an established connection from the higher level host to the lower level host.

For same security interfaces, you can configure established commands for both directions.

Normally, interfaces on the same security level cannot communicate. If you want interfaces on the same security level to communicate, see the same-security-traffic command. You might want to assign two interfaces to the same level and allow them to communicate if you want to create more than 101 communicating interfaces, or you want protection features to be applied equally for traffic between two interfaces; for example, you have two departments that are equally secure.

If you change the security level of an interface, and you do not want to wait for existing connections to time out before the new security information is used, you can clear the connections using the clear local-host command.

Examples

The following example configures the security levels for two interfaces to be 100 and 0:

hostname(config)# interface gigabitethernet0
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface gigabitethernet1
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# ip address 10.1.2.1 255.255.255.0
hostname(config-if)# no shutdown

Related Commands

Command
Description

clear local-host

Resets all connections.

interface

Configures an interface and enters interface configuration mode.

nameif

Sets the interface name.


serial-number

To include the FWSM serial number in the certificate during enrollment, use the serial-number command in crypto ca trustpoint configuration mode. To restore the default setting, use the no form of the command.

serial-number

no serial-number

Syntax Description

This command has no arguments or keywords.

Defaults

The default setting is to not include the serial number.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode | Firewall Mode (Routed, Transparent) | Security Context (Single; Multiple: Context, System)

Crypto ca trustpoint configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Examples

The following example enters crypto ca trustpoint configuration mode for trustpoint central, and includes the FWSM serial number in the enrollment request for trustpoint central:

hostname(config)# crypto ca trustpoint central
hostname(ca-trustpoint)# serial-number
hostname(ca-trustpoint)# 

Related Commands

Command
Description

crypto ca trustpoint

Enters trustpoint configuration mode.


server-port

To configure a AAA server port for a host, use the server-port command in AAA-server host configuration mode. To remove the designated server port, use the no form of this command:

server-port port-number

no server-port

Syntax Description

port-number

A port number in the range 0 through 65535.


Defaults

The default server ports are as follows:

SDI—5500

LDAP—389

Kerberos—88

NT—139

TACACS+—49

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode | Firewall Mode (Routed, Transparent) | Security Context (Single; Multiple: Context, System)

Aaa-server host


Command History

Release
Modification

3.1(1)

This command was introduced.


Examples

The following example configures an SDI AAA server named "svrgrp1" to use server port number 8888:

hostname(config)# aaa-server svrgrp1 protocol sdi
hostname(config-aaa-server-group)# aaa-server svrgrp1 host 192.168.10.10
hostname(config-aaa-server-host)# server-port 8888

Related Commands

Command
Description

aaa-server host

Configures host-specific AAA server parameters.

clear configure aaa-server

Removes all AAA-server configuration.

show running-config aaa-server

Displays AAA server statistics for all AAA servers, for a particular server group, for a particular server within a particular group, or for a particular protocol.


service-acceleration

To enable a context to use Trusted Flow Acceleration, use the service-acceleration command in context configuration mode. To disable Trusted Flow Acceleration, use the no form of this command.

service-acceleration

no service-acceleration

Syntax Description

This command has no arguments or keywords.

Defaults

Trusted Flow Acceleration is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode | Firewall Mode (Routed, Transparent) | Security Context (Single; Multiple: Context, System)

Context configuration


Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

In multiple context mode in the system configuration, you must configure whether a context can use Trusted Flow Acceleration. If it is enabled for a context, you can then configure the traffic you want to be accelerated within the context configuration using the set connection advanced-options service-acceleration command.

Examples

The following example enables acceleration for a context:

hostname(config)# context admin
hostname(config-ctx)# service-acceleration

Related Commands

Command
Description

class

Identifies a class map in the policy map.

class-map

Creates a class map for use in a service policy.

context

Enters context configuration mode.

policy-map

Configures a policy map that associates a class map and one or more actions.

service-policy

Assigns a policy map to an interface.

set connection advanced-options service-acceleration

Enables Trusted Flow Acceleration for traffic within a context.

set connection advanced-options tcp-state-bypass

Bypasses the TCP state checks for specified traffic.

set connection timeout

Sets the connection timeouts.

show conn

Shows connection information.


service reset no-connection

To send a reset for a TCP packet for which the FWSM does not have any connection history, use the service reset no-connection command in global configuration mode. To disable sending a reset, use the no form of this command.

service reset no-connection

no service reset no-connection

Syntax Description

This command has no arguments or keywords.

Defaults

By default, resets are sent.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode | Firewall Mode (Routed, Transparent) | Security Context (Single; Multiple: Context, System)

Global configuration


Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

If the FWSM receives an ACK or SYN-ACK packet without first receiving a SYN packet, then the FWSM does not have any connection history for the packet. By default, the FWSM sends a RST for the packet. To disable the sending of the RST, enter the no service reset no-connection command.

See the service resetinbound command to set the reset behavior for SYN packets that attempt to establish a connection through the FWSM but are denied based on access lists or AAA configuration.

Examples

The following example shows how to disable the sending of the RST:

hostname(config)# no service reset no-connection

Related Commands

Command
Description

service resetinbound

Sets whether to send a reset for TCP SYN packets that are denied.

show running-config service

Displays the system services.


service resetinbound

To send a reset to inbound TCP connections when they are denied, use the service resetinbound command in global configuration mode. To not send a reset, use the no form of this command.

service resetinbound

no service resetinbound

Syntax Description

This command has no arguments or keywords.

Defaults

By default, no resets are sent.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode | Firewall Mode (Routed, Transparent) | Security Context (Single; Multiple: Context, System)

Global configuration


Command History

Release
Modification

1.1(1)

This command was introduced.


Usage Guidelines

The service resetinbound command applies to all inbound TCP connections that access lists or uauth (user authorization) do not allow. One use is for resetting identity request (IDENT) connections. If an inbound TCP connection is attempted and denied, you can use the service resetinbound command to return an RST (reset flag in the TCP header) to the source. Without this command, the FWSM drops the packet without returning an RST.

To configure whether to send a reset for packets that do not have a connection on the FWSM, see the service reset no-connection command. For example, if the FWSM receives an ACK or SYN-ACK packet without first receiving a SYN packet, then the FWSM does not have any connection history for the packet. The service resetinbound command applies only to SYN packets that attempt to establish a connection with the FWSM.

The FWSM sends a TCP RST to the host connecting inbound and stops the incoming IDENT process so that outbound e-mail can be transmitted without having to wait for IDENT to time out. The FWSM sends a syslog message stating that the incoming connection was denied. Without entering the service resetinbound command, the FWSM drops packets that are denied and generates a syslog message stating that the SYN was denied. However, outside hosts keep retransmitting the SYN until the IDENT times out.

When an IDENT connection has to time out, the connections slow down. Perform a trace to determine that IDENT is causing the delay and then enter the service resetinbound command.

Use the service resetinbound command to handle an IDENT connection through the FWSM. These methods for handling IDENT connections are ranked from most secure to the least secure:

1. Use the service resetinbound command.

2. Use the established command with the permitto tcp 113 keyword.

3. Enter the static and access-list commands to open TCP port 113.

When using the aaa command, if the first attempt at authorization fails and a second attempt causes a timeout, use the service resetinbound command to reset the client that failed the authorization so that it will not retransmit any connections. An example authorization timeout message in Telnet is as follows:

Unable to connect to remote host: Connection timed out

The following is the expected behavior of traffic on the FWSM with regard to the reset flag:

1. If resetinbound is configured and denied traffic flows from a lower security interface to a higher security interface, a reset is sent.

2. If resetinbound is configured and denied traffic flows from an interface to another interface with the same security level, a reset is sent.

3. If resetinbound is not configured and denied traffic flows from a higher security interface to a lower security interface, a reset is still sent.
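The security-level direction rules (see the security-level and same-security-traffic commands) and the three reset-flag rules above can be collected into one small decision model. The following Python is an added example written for this page, not Cisco code or FWSM output; the Interface, FwsmPolicy, classify_direction, level_rules_allow and denied_syn_action names are this example's own, and the handling of equal-level flows without resetinbound is an assumption noted in the code.

```python
"""Model of the FWSM security-level and resetinbound decisions described in this reference."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    """An FWSM interface: its nameif plus its security-level (0 lowest .. 100 highest)."""
    name: str
    security_level: int

    def __post_init__(self) -> None:
        if not 0 <= self.security_level <= 100:
            raise ValueError("security-level must be an integer between 0 and 100")


@dataclass(frozen=True)
class FwsmPolicy:
    """The three global settings this model uses (all disabled by default, as on the FWSM)."""
    permit_inter_interface: bool = False  # same-security-traffic permit inter-interface
    permit_intra_interface: bool = False  # same-security-traffic permit intra-interface
    resetinbound: bool = False            # service resetinbound


def classify_direction(src: Interface, dst: Interface) -> str:
    """Classify a flow by the security levels of its ingress and egress interfaces.

    'outbound'       higher level to lower level (e.g. inside 100 -> outside 0)
    'inbound'        lower level to higher level
    'intra'          enters and exits the same interface
    'same-security'  two different interfaces with equal levels
    """
    if src.name == dst.name:
        return "intra"
    if src.security_level > dst.security_level:
        return "outbound"
    if src.security_level < dst.security_level:
        return "inbound"
    return "same-security"


def level_rules_allow(src: Interface, dst: Interface, policy: FwsmPolicy) -> bool:
    """Do the level rules alone let the FWSM consider this flow at all?

    Equal-level and intra-interface flows are blocked unless the matching
    same-security-traffic keyword is configured.  Flows between different
    levels pass this check; access lists, NAT control and inspection, which
    this model does not evaluate, decide what happens to them next.
    """
    direction = classify_direction(src, dst)
    if direction == "intra":
        return policy.permit_intra_interface
    if direction == "same-security":
        return policy.permit_inter_interface
    return True


def denied_syn_action(src: Interface, dst: Interface, policy: FwsmPolicy) -> str:
    """What the FWSM does with a TCP SYN that an access list or AAA denies.

    Returns 'reset' (an RST goes back to the source) or 'drop' (silent drop).
    Rule numbers refer to the reset-flag behavior list under service resetinbound.
    """
    direction = classify_direction(src, dst)
    if direction == "outbound":
        return "reset"          # rule 3: denied high->low traffic is reset regardless
    if policy.resetinbound:
        return "reset"          # rules 1 and 2: low->high and equal-level traffic
    # Without service resetinbound a denied inbound SYN is dropped with no RST,
    # so the source keeps retransmitting until it times out (the IDENT case).
    # Assumption of this example: equal-level and intra-interface flows are
    # treated the same way; the reference does not state that case explicitly.
    return "drop"


if __name__ == "__main__":
    # Constructed sample topology: inside 100, outside 0, two DMZs both at 50.
    inside, outside = Interface("inside", 100), Interface("outside", 0)
    dmz_a, dmz_b = Interface("dmz-a", 50), Interface("dmz-b", 50)
    for cfg in (FwsmPolicy(), FwsmPolicy(permit_inter_interface=True, resetinbound=True)):
        print(cfg)
        for s, d in ((inside, outside), (outside, inside), (dmz_a, dmz_b), (dmz_a, dmz_a)):
            print(f"  {s.name:>7} -> {d.name:<7} {classify_direction(s, d):14}"
                  f" allowed={level_rules_allow(s, d, cfg)!s:5}"
                  f" denied SYN -> {denied_syn_action(s, d, cfg)}")
```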

Examples

This example shows how to enable system services:

hostname(config)# service resetinbound

Related Commands

Command
Description

show running-config service

Displays the system services.


service-policy

To activate a policy map globally on all interfaces or on a targeted interface, use the service-policy command in global configuration mode. To disable the service policy, use the no form of this command. Use the service-policy command to enable a set of policies on an interface.

service-policy policymap_name [ global | interface intf ]

no service-policy policymap_name [ global | interface intf ]

Syntax Description

policymap_name

Specifies the policy map name that you configured in the policy-map command. You can only specify a Layer 3/4 policy map, and not an inspection policy map (policy-map type inspect).

global

Applies the policy map to all interfaces.

interface intf

Applies the policy map to a specific interface.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode | Firewall Mode (Routed, Transparent) | Security Context (Single; Multiple: Context, System)

Global configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

Interface service policies take precedence over the global service policy.

By default, the configuration includes a global policy that matches all default application inspection traffic and applies inspection to the traffic globally. You can only apply one global policy, so if you want to alter the global policy, you need to either edit the default policy or disable it and apply a new one.

The default service policy includes the following command:

service-policy global_policy global

Examples

The following example shows how to enable the inbound_policy policy map on the outside interface:

hostname(config)# service-policy inbound_policy interface outside

The following commands disable the default global policy and enable a new one called new_global_policy on all other FWSM interfaces:

hostname(config)# no service-policy global_policy global
hostname(config)# service-policy new_global_policy global

Related Commands

Command
Description

show service-policy

Displays the service policy.

show running-config service-policy

Displays the service policies configured in the running configuration.

clear service-policy

Clears service policy statistics.

clear configure service-policy

Clears service policy configurations.


set boot device (Catalyst OS)

By default, the FWSM boots from the cf:4 application partition. However, you can choose to boot from the cf:5 application partition or into the cf:1 maintenance partition. To change the default boot partition, enter the set boot device command in privileged EXEC mode.

set boot device cf:n mod_num

Syntax Description

mod_num

Specifies the module number. Use the show module command to view installed modules and their numbers.

cf:n

Sets the boot partition. Application partitions include cf:4 and cf:5. The maintenance partition is cf:1.


Defaults

The default boot partition is cf:4.

Command Modes

Privileged EXEC.

Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

Each application partition has its own startup configuration.

To view the current boot partition, enter the show boot device command. To list the installed modules and their numbers (needed for the mod_num argument), enter the show module command:

Console> show module
Mod Slot Ports Module-Type               Model               Sub Status
--- ---- ----- ------------------------- ------------------- --- ------
1   1    2     1000BaseX Supervisor      WS-X6K-SUP1A-2GE    yes ok
15  1    1     Multilayer Switch Feature WS-F6K-MSFC         no  ok
4   4    2     Intrusion Detection Syste WS-X6381-IDS        no  ok
5   5    6     Firewall Module           WS-SVC-FWM-1        no  ok
6   6    8     1000BaseX Ethernet        WS-X6408-GBIC       no  ok

Examples

The following example shows how to set the boot partition to the maintenance partition:

Console> (enable) set boot device cf:1 1

Related Commands

Command
Description

reset