Downloads |
Table Of Contents
Command Reference
Before using this chapter, read:
•
Chapter 1, "" for important information about command line guidelines including ports and protocols.
•
The following notes can help you as you configure the PIX Firewall:
•
•
•
•
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v43/syslog/
•
•
•
http://www.isi.edu/in-notes/iana/assignments/port-numbers
http://www.isi.edu/in-notes/iana/assignments/protocol-numbers
•
aaa
Enable, disable, or view TACACS+ or RADIUS user authentication, authorization, and accounting for the server previously designated with the radius-server or tacacs-server commands.
(Configuration mode.)
aaa accounting acctg_service | except inbound|outbound| if_name local_ip local_mask
foreign_ip foreign_mask tacacs+ | radiusno aaa accounting authen_service | except inbound | outbound | if_name
aaa authentication authen_service | except inbound | outbound | if_name local_ip local_mask
foreign_ip foreign_mask tacacs+ | radiusno aaa authentication [authen_service | except inbound|outbound | if_name local_ip local_mask foreign_ip foreign_mask tacacs+ | radius]
aaa authentication [enable | any | telnet] console tacacs+ | radius
no aaa authentication [any | telnet] console tacacs+ | radius
aaa authorization author_service | except inbound| outbound | if_name
local_ip local_mask foreign_ip foreign_maskno aaa authorization [author_service | except inbound | outbound | if_name
local_ip local_mask foreign_ip foreign_mask]show aaa
Syntax Description
accounting
Enable or disable accounting services with authentication server. Use of this command requires that you previously used either the radius-server or tacacs-server command to designate an authentication server.
acctg_service
The accounting service. Possible values are any, ftp, http, telnet, or protocol/port. For protocol/port, protocol is 6 for TCP, 17 for UDP, and so on, and port is the TCP or UDP destination port. A port value of 0 (zero) means all ports. For protocols other than TCP and UDP, the port is not applicable and should not be used.
authentication
Enable or disable user authentication, prompt user for username and password, and verify information with authentication server.
When used with the console option, enables or disables authentication service for access to the PIX Firewall console over Telnet or from the Console connector on the PIX Firewall unit.
Use of the aaa authentication command requires that you previously used either the radius-server or tacacs-server command to designate an authentication server.
authen_service
The application with which a user is accessing a network. Use any, ftp, http, or telnet. The any value enables accounting or authentication for all TCP services. To have users prompted for authentication credentials, they must use FTP, HTTP, or Telnet. (HTTP is the Web and only applies to web browsers that can prompt for a username and password.)
If the authentication or authorization server is authenticating services other than FTP, HTTP, or Telnet, using any will not permit those services to authenticate in the firewall. The firewall only knows how to communicate with FTP, HTTP, and Telnet for authentication and authorization.
Only set this parameter to a service other than any if the authentication or authorization server is set the same way. Unless you want to temporarily restrict access to a specific service, setting a service in this command can increase system administration work and may cause all connections to fail if the authentication or authorization server is authenticating one service and you set this command to another.
authorization
Enable or disable TACACS+ user authorization for services (PIX Firewall does not support RADIUS authorization). The authentication server determines what services the user is authorized to access.
author_service
The services which require authorization. Use any, ftp, http, telnet, or protocol/port. Services not specified are authorized implicitly. Services specified in the aaa authentication command do not affect the services which require authorization.
For protocol/port:
•
•
aaa authorization udp/53-1024 inside 0 0 0 0This example enables authorization for DNS lookups to the inside interface for all clients, and authorizes access to any other services that have ports in the range of 53 to 1024.
except
Create an exception to a previously specified set of services.
inbound
Authenticate or authorize inbound connections. Inbound means the connection originates on the outside interface and is being directed to the inside or perimeter.
outbound
Authenticate or authorize outbound connections. Outbound means the connection originates on the inside and is being directed to the outside or perimeter.
if_name
Interface name from which users require authentication. Use if_name in combination with the local_ip address and the foreign_ip address to determine where access is sought and from whom. The local_ip address is always on the highest security level interface and foreign_ip is always on the lowest. Refer to the Examples section for how the if_name affects the use of this command.
local_ip
The IP address of the highest security level interface from which or to which access is sought. You can set this address to 0 to let the authentication server decide which hosts are authenticated.
local_mask
Network mask of local_ip. Always specify a specific mask value. Use 0 if the IP address is 0.
foreign_ip
The IP address of the lowest security level interface from which or to which access is sought.
foreign_mask
Network mask of foreign_ip. Always specify a specific mask value. Use 0 if the IP address is 0.
console
Specify that access to the PIX Firewall console require authentication.
If used with the enable keyword, access to the serial console depends on acceptance of login credentials from an authentication server. In addition, any changes made to the configuration from the serial console (not from Telnet console sessions) are sent to syslog at level 4.
If used with the any keyword, access to the serial console or Telnet to the PIX Firewall's console must be authenticated with the authentication server. If used with the telnet keyword, then only Telnet access to the PIX Firewall console requires authentication from the authentication server.
Telnet access to the PIX Firewall console is only available from the inside interface and requires previous use of the tcpchecksum command.
Authentication of the serial console creates a potential dead-lock situation if the authentication server requests are not answered and you need access to the console to attempt diagnosis. If the console login request times out, you can gain access to the PIX Firewall from the serial console by entering the pix username and the enable password.
The maximum password length for accessing the console is 16 characters.
tacacs+
Authenticate using Terminal Access Controller Access Control System Plus (TACACS+).
radius
Authenticate using Remote Authentication Dial-In User Service (RADIUS).
Usage Guidelines
The aaa command enables or disables:
•
•
•
•
Note
Note
Usage Notes
1
2
3
aaa authentication any outbound 0 0 0 0 serveraaa authentication except outbound inside_net inside_mask perim_net perim_mask server4
5
Windows NT Microsoft IIS servers respond to the credentials and assume that a Windows NT user is trying to access privileged pages on the server. Unless the PIX Firewall username password combination is exactly the same as a valid Windows NT username and password combination on the Microsoft IIS server, the HTTP GET command is denied.
To solve this problem, PIX Firewall provides the virtual http command which redirects the browser's initial connection to another IP address, authenticates the user, then redirects the browser back to the URL which the user originally requested.
Once authenticated, a user never has to reauthenticate no matter how low the PIX Firewall uauth timeout is set. This is because the browser caches the "Authorization: Basic=Uuhjksdkfhk==" string in every subsequent connection to that particular site. This can only be cleared when the user exits all instances of Netscape Navigator or Internet Explorer and restarts. Flushing the cache is of no use.
As long as the user repeatedly browses the Internet, the browser resends the "Authorization: Basic=Uuhjksdkfhk==" string to transparently reauthenticate the user.
6
7
8
9
10
11
12
13
14
15
16
17
authentication_user_name@remote_system_user_nameauthentication_password@remote_system_passwordIf you daisy-chain PIX Firewall units, Telnet authentication works in the same way as a single unit, but FTP and HTTP authentication have additional complexity for users because they have to enter each password and username with an additional at (@) character and password or username for each daisy-chained system. Users can exceed the 63-character password limit depending on how many units are daisy-chained and password length.
18
19
service resetinbound command to reset the client that failed the authorization so that it will not retransmit any connections. An example authorization timeout message in Telnet is:Unable to connect to remote host: Connection timed outSee also: radius-server, tacacs-server, virtual, tcpchecksum.
Examples
1
This example enables authentication for connections originated from the inside network to the outside network:
aaa authentication any outbound 192.168.1.0 255.255.255.0 204.31.17.0 255.255.255.0 tacacs+This example enables authentication for connections originated from the inside network to the perimeter network:
aaa authentication any outbound 192.168.1.0 255.255.255.0 192.150.50.0 255.255.255.0 tacacs+This example enables authentication for connections originated from the outside network to the inside network:
aaa authentication any inbound 192.168.1.0 255.255.255.0 204.31.17.0 255.255.255.0 tacacs+This example enables authentication for connections originated from the outside network to the perimeter network:
aaa authentication any inbound 192.150.50.0 255.255.255.0 204.31.17.0 255.255.255.0 tacacs+This example enables authentication for connections originated from the perimeter network to the outside network:
aaa authentication any perimeter 192.150.50.0 255.255.255.0 204.31.17.0 255.255.255.0 tacacs+2
nat (inside) 1 10.0.0.0 255.255.255.0aaa authentication any outbound 0 0 tacacs+aaa authentication except outb 10.0.0.42 255.255.255.255 tacacs+3
static (inside, outside) 204.31.17.0 10.16.1.0 netmask 255.255.255.0 10 60conduit permit tcp 204.31.17.0 255.255.255.0 10.16.1.0 255.255.255.0aaa authentication any inbound 0 0 tacacs+4
aaa authorization udp/53 inbound 0.0.0.0 0.0.0.05
aaa authorization 1/0 outbound 0.0.0.0 0.0.0.0This means that users will not be able to ping external hosts if they have not been authenticated using Telnet, HTTP, or FTP.
6
aaa authorization 1/8 outbound 0.0.0.0 0.0.0.0alias
Administer overlapping addresses with dual NAT. (Configuration mode.)
alias [(if_name)] dnat_ip foreign_ip [netmask]
no alias [[(if_name)] dnat_ip foreign_ip [netmask]]
show alias
Syntax Description
Usage Guidelines
The alias command translates one address into another. Use this command to prevent conflicts when you have IP addresses on a network that are the same as those on the Internet or another intranet. You can also use this command to do address translation on a destination address. For example, if a host sends a packet to 204.31.17.1, you can use alias to redirect traffic to another address, such as, 192.150.50.42.
After changing or removing an alias statement, use the clear xlate command. If the previous condition persists, save your configuration with the write memory command and then reboot the PIX Firewall.
There must be an A (address) record in the DNS zone file for the "dnat" address in the alias command.
The no alias command disables a previously set alias statement. The show alias command displays alias statements in the configuration.
The alias command automatically interacts with DNS servers on your network to ensure that domain name access to the aliased IP address is handled transparently.
You can specify a net alias by using network addresses for the foreign_ip and dnat_ip IP addresses. For example, alias 10.1.1.0 204.31.17.0 255.255.255.0 creates aliases for each IP address between 204.31.17.1 and 204.31.17.254.
Examples
1
alias (inside) 192.168.1.0 192.159.1.0show aliasalias 192.168.1.0 192.159.1.0 255.255.255.0When client 192.159.1.123 connects to domain.com, the DNS response from an external DNS server to the internal client's query would be altered by the PIX Firewall to: 192.168.1.33. If the PIX Firewall uses 204.31.17.1 through 204.31.17.254 as the global pool IP addresses, the packet goes to the PIX Firewall with SRC=192.159.1.123 and DST=192.168.1.33. The PIX Firewall translates it to SRC=204.31.17.254 and DST=192.159.1.33 on the outside.
2
The period at the end of the www.caguana.com. domain name must be included.
The alias command is:
alias 10.1.1.11 204.31.17.11 255.255.255.255PIX Firewall doctors the nameserver replies to 10.1.1.11 for inside clients to directly connect to the web server.
The conduit command statement you would expect to use is:
conduit permit tcp host 204.31.17.11 eq telnet host 192.150.50.7But with the alias command, use this command:
conduit permit tcp host 204.31.17.11 eq telnet host 192.159.1.7
You can test the DNS entry for the host with the following nslookup command:
nslookup -type=any www.caguana.comarp
Change or view the PIX Firewall's ARP cache, and set the timeout value. (Configuration mode.)
arp if_name ip_address mac_address [alias]
clear arp
no arp if_name ip_address
show arp [if_name] [ip_address mac_address alias]
arp timeout seconds
no arp timeout
show arp timeout
Syntax Description
Usage Guidelines
The arp command adds an entry to the PIX Firewall ARP cache. ARP is a low-level TCP/IP protocol that resolves a node's physical address from its IP address through an ARP request asking the node with a particular IP address to send back its physical address. The presence of entries in the ARP cache indicates that the PIX Firewall has network connectivity. The clear arp command clears the ARP table but not the alias (permanent) entries. Use the no arp command to remove these entries. The show arp command lists the entries in the ARP table.
Use the arp command to add an entry for new hosts you add on your network or when you swap an existing host for another. Alternatively, you can wait for the duration specified with the arp timeout command to expire and the ARP table rebuilds itself automatically with the new host information.
The arp timeout command sets the duration that an ARP entry can stay in the PIX Firewall ARP table before expiring. The timer is known as the ARP persistence timer. The default value is
14,400 seconds (4 hours).The no arp timeout command sets the timer to its default value. The show arp timeout command displays its current value.
Examples
arp inside 192.168.0.42 00e0.1e4e.2a7carp outside 192.168.0.43 00e0.1e4e.3d8b aliasshow arpoutside 192.168.0.43 00e0.1e4e.3d8b aliasinside 192.168.0.42 00e0.1e4e.2a7cclear arp inside 192.168.0.42arp timeout 42show arp timeoutarp timeout 42 secondsno arp timeoutshow arp timeoutarp timeout 14400 secondsauth-prompt
Change the AAA challenge text. (Configuration mode.)
auth-prompt string
clear auth-prompt
no auth-prompt string
show auth-prompt
Syntax Description
Usage Guidelines
The auth-prompt command lets you change the AAA challenge text for HTTP, FTP, and Telnet access. This text displays above the username and password prompts that users view when logging in. If you do not use this command, FTP users view FTP authentication, HTTP users view HTTP Authentication, and challenge text does not appear for Telnet access.
Example
auth-prompt XYZ Company Firewall AccessAfter this string is added to the configuration, users view:
XYZ Company Firewall AccessUser Name:Password:clock
Set the PIX Firewall clock for use with the PIX Firewall Syslog Server. (Configuration mode.)
clock
clock set hh:mm:ss month day year
clock set hh:mm:ss day month year
show clock
Syntax Description
Usage Guidelines
The clock command lets you specify the current time, month, day, and year for use time stamped syslog messages, which you can enable with the logging timestamp command. You can view the current time with the clock or the show clock command.
You can interchange the settings for the day and the month; for example, clock set 21:0:0 1 apr 2000.
A time prior to January 1, 1998 or after December 31, 2097 will not be accepted (the maximum date that the clock command can work to).
While the PIX Firewall clock is year 2000 compliant, it does not adjust itself for daylight savings time changes; however, it does know about leap years.
The PIX Firewall clock setting is retained in memory when the power is off by a battery on the PIX Firewall's motherboard. Should this battery fail, contact Cisco's customer support for a replacement PIX Firewall unit.
Example
To enable PFSS time-stamp logging for the first time, use these commands:
clock set 21:0:0 apr 1 2000show clock21:00:05 Apr 01 2000logging host 204.31.17.3logging timestamplogging trap 5In this example, the clock command sets the clock to 9 pm on April 1, 2000. The logging host command specifies that a syslog server is at IP address 204.31.17.3. The PIX Firewall automatically determines that the server is a PFSS and sends syslog messages to it via TCP and UDP. The logging timestamp command enables sending time stamped syslog messages. The logging trap command specifies that messages at syslog level 0 through 5 be sent to the syslog server. The value 5 is used to capture severe and normal messages, but also those of the aaa authentication enable command.
conduit
Add, delete, or show conduits through the firewall for incoming connections. (Configuration mode.)
conduit permit | deny protocol global_ip global_mask [operator port [port]] foreign_ip foreign_mask [operator port [port]]
no conduit permit | deny protocol global_ip global_mask [operator port [port]] foreign_ip foreign_mask [operator port [port]]
conduit permit | deny icmp global_ip global_mask foreign_ip foreign_mask [icmp_type]
show conduit
permit
Permit access if the conditions are matched.
deny
Deny access if the conditions are matched.
protocol
Specify the transport protocol for the connection. Possible literal values are icmp, tcp, udp, or an integer in the range 0 through 255 representing an IP protocol number. Use ip to specify all transport protocols. You can view valid protocol numbers online at:
http://www.isi.edu/in-notes/iana/assignments/protocol-numbers
If you specify the icmp protocol, you can permit or deny ICMP access to one or more global IP addresses. Specify the ICMP type in the icmp_type variable, or omit to specify all ICMP types. Refer to the Usage Guidelines for a complete list of the ICMP types.
global_ip
A global IP address previously defined by a global or static command. You can use any if the global_ip and global_mask are 0.0.0.0 0.0.0.0. The any option applies the permit or deny to the global addresses.
If global_ip is a host, you can omit global_mask by specifying the host command before global_ip. For example:
conduit permit tcp host 204.31.17.1 eq ftp anyThis example lets any foreign host access global address 204.31.17.1 for FTP.
global_mask
Network mask of global_ip. The global_mask is a 32-bit, four-part dotted decimal; such as, 255.255.255.255. Use zeros in a part to indicate bit positions to be ignored. Use subnetting if required. If you use 0 for global_ip, use 0 for the global_mask; otherwise, enter the global_mask appropriate to global_ip.
foreign_ip
An external IP address (host or network) that can access the global_ip. You can specify 0.0.0.0 or 0 for any host. If both the foreign_ip and foreign_mask are 0.0.0.0 0.0.0.0, you can use the shorthand any option.
If foreign_ip is a host, you can omit foreign_mask by specifying the host command before foreign_ip. For example:
conduit permit tcp any eq ftp host 204.31.17.42This example lets foreign host 204.31.17.42 access any global address for FTP.
foreign_mask
Network mask of foreign_ip. The foreign_mask is a 32-bit, four-part dotted decimal; such as, 255.255.255.255. Use zeros in a part to indicate bit positions to be ignored. Use subnetting if required. If you use 0 for foreign_ip, use 0 for the foreign_mask; otherwise, enter the foreign_mask appropriate to foreign_ip. You can also specify a mask for subnetting, for example, 255.255.255.192.
operator
A comparison operand that lets you specify a port or a port range.
Use without an operator and port to indicate all ports; for example:
conduit permit tcp any anyUse eq and a port to permit or deny access to just that port. For example use eq ftp to permit or deny access only to FTP:
conduit deny tcp host 192.168.1.1 eq ftp 204.31.17.1Use lt and a port to permit or deny access to all ports less than the port you specify. For example, use lt 2025 to permit or deny access to the well known ports (1 to 1024):
conduit permit tcp host 192.168.1.1 lt 1025 anyUse gt and a port to permit or deny access to all ports greater than the port you specify.
For example, use gt 42 to permit or deny ports 43 to 65535:conduit deny udp host 192.168.1.1 gt 42 host 204.31.17.42Use neq and a port to permit or deny access to every port except the ports that you specify.
For example, use neq 10 to permit or deny ports 1-9 and 11 to 65535:conduit deny tcp host 192.168.1.1 neq 10 host 204.31.17.42 neq 42Use range and a port range to permit or deny access to only those ports named in the range.
For example, use range 10 1024 to permit or deny access only to ports 10 through 1024. All other ports are unaffected.conduit deny tcp any range ftp telnet anyNote By default, all ports are denied until explicitly permitted.
port
Service(s) you permit to be used while accessing global_ip or foreign_ip. Specify services by the port that handles it, such as smtp for port 25, www for port 80, and so on. You can specify ports by either a literal name or a number in the range of 0 to 65535. You can specify all ports by not specifying a port value; for example:
conduit deny tcp any anyThis command is the default condition for the conduit command in that all ports are denied until explicitly permitted.
You can view valid port numbers online at:
http://www.isi.edu/in-notes/iana/assignments/port-numbers
Refer to the "Ports" section in Chapter 1, "" for a list of valid port literal names in port ranges; for example, ftp h323. You can also specify numbers.
icmp_type
The type of ICMP message. lists the ICMP type literals that you can use in this command. Omit this option to mean all ICMP types. An example of this command that permits all ICMP types is: conduit permit icmp any any. This command lets ICMP pass inbound and outbound.
Syntax Description
Usage Guidelines
A conduit statement creates an exception to the PIX Firewall Adaptive Security mechanism by permitting connections from one firewall network interface to access hosts on another.
The conduit command can permit or deny access to either the global or static commands; however, neither is required for the conduit command. You can associate a conduit command with a global or static command through the global address, either specifically to a single global address, a range of global addresses, or to all global addresses.
When used with a static, a conduit permits users on a lower security interface to access a higher security interface. When not used with a static, a conduit permits both inbound and outbound access.
If you associate a conduit with a static, only the interfaces specified on the static have access to the conduit. For example, if a static lets users on the dmz interface access the inside interface, only users on the dmz interface can access the static. Users on the outside do not have access.
Note
Conduit permit and deny options are processed in the order listed in the PIX Firewall configuration. In the following example host 192.159.1.250 is not denied access through the PIX Firewall because the permit option precedes the deny option:
conduit permit tcp host 204.31.17.4 255.255.255.255 eq 80 anyconduit deny tcp host 204.31.17.4 255.255.255.0 192.159.1.250 255.255.255.255 eq 80 any
Note
After changing or removing a conduit command, use the clear xlate command. If the previous condition persists, save your configuration with the write memory command, and then reboot the PIX Firewall.
You can remove a conduit with the no conduit command. Use the show conduit command to view the conduit statements in the configuration.
If you prefer more selective ICMP access, you can specify a single ICMP message type as the last option in this command. lists possible ICMP types values.
Usage Notes
1
2
3
4
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v43/pixrn43.htm
5
6
The two conduit statements for the PPTP transport protocol, which is a subset of the GRE protocol, are as shown in this example:
static (dmz2,outside) 204.31.17.5 192.168.1.5 netmask 255.255.255.255conduit permit tcp host 204.31.17.5 eq 1723 anyconduit permit gre host 204.31.17.5 anyIn this example, PPTP is being used to handle access to host 192.168.1.5 on the dmz2 interface from users on the outside. Outside users access the dmz2 host using global address 204.31.17.5. The first conduit statement opens access for the PPTP protocol and gives access to any outside users. The second conduit permits access to GRE. If PPTP was not involved and GRE was, you could omit the first conduit statement.
7
For MSRPC, two conduit statements are required, one for port 135 and another for access to the high ports (1024-65535). For Sun RPC, a single conduit is required for UDP port 111.
Once you create a conduit for RPC, you can use the following command to test its activity from a UNIX host:
rpcinfo -u unix_host_ip_address 150001Replace unix_host_ip_address with the IP address of the UNIX host.
8
static (inside, outside) 204.31.17.0 10.1.1.0conduit permit tcp 204.31.17.0 255.255.255.0 eq ftp anystatic (inside, outside) 203.31.17.3 10.1.1.3conduit permit udp host 204.31.17.3 eq h323 host 1.2.3.3In this case, the host at 1.2.3.3 has InternetPhone access in addition to its blanket FTP access.
Examples
1
static (inside,outside) 204.31.17.1 192.168.1.49 netmask 255.255.255.255 0 0conduit permit tcp host 204.31.17.1 eq smtp host 204.31.17.42To disable Mail Guard, enter this command:
no fixup protocol smtp 252
static (inside,outside) 204.31.17.0 192.168.1.0 netmask 255.255.255.0 0 0conduit permit tcp 204.31.17.0 255.255.255.0 eq h323 anyconduit permit tcp 204.31.17.0 255.255.255.0 eq 113 192.150.50.0 255.255.255.03
static (perimeter,outside) 204.31.17.4 192.168.1.4 netmask 255.255.255.0 0conduit permit tcp host 204.31.17.4 eq 80 anyIn this example, the static command maps the perimeter host, 10.1.1.4. to the global address, 204.31.17.4. The conduit statement specifies that the global host can be accessed on port 80 (web server) by any outside host.
configure
Clear or merge current configuration with that on floppy or Flash, start configuration mode, or view current configuration. (Privileged mode.)
clear configure primary|secondary|all
configure net [[server_ip]:[filename]]
configure floppy
configure memory
configure terminal
show configure
Syntax Description
Usage Guidelines
The clear configure command resets a configuration to its default values. Use this command to create a template configuration or when you want to clear all values. The clear configure primary command resets the default values for the interface, ip, mtu, nameif, and route commands. This command also deletes interface names in the configuration. The clear configure secondary removes alias, conduit, global, and static lines from the configuration.
Note
The configure net command merges the current running configuration with a TFTP configuration stored at the IP address you specify and from the file you name. If you specify both the IP address and path name in the tftp-server command, you can specify :filename as simply a colon ( : ); for example:
configure net :Use the write net command to store the configuration in the file.
Note
The configure floppy command merges the current running configuration with the configuration stored on diskette. This command assumes that the diskette was previously created by the write floppy command.
The configure memory command merges the configuration in Flash memory into the current configuration in RAM.
The configure terminal command starts configuration mode. Exit configuration mode with the quit command. After exiting configuration mode, use write memory to store your changes in Flash memory or write floppy to store the configuration on diskette. Use the write terminal command to display the current configuration.
The show configure command lists the contents of the configuration in Flash memory.
Each statement from diskette (with configure floppy), Flash memory (with configure memory), or TFTP transfer (with configure net) is read into the current configuration and evaluated in the same way as commands entered from a keyboard with these rules:
•
•
•
Example
configure net 10.1.1.1:/tftp/config/pixconfigconfigure floppyconfigure memorypixfirewall> enablepassword: *****pixfirewall# configure terminalpixfirewall(config)# show config: Saved... config commands ...: Endwrite memorydebug
Debug packets or ICMP tracings through the PIX Firewall. (Configuration mode.)
debug icmp trace
no debug icmp trace
debug packet if_name [src source_ip [netmask mask]] [dst dest_ip [netmask mask]]
[[proto icmp] | [proto tcp [sport src_port] [dport dest_port]] |
[proto udp [sport src_port] [dport dest_port]] [rx | tx | both]no debug packet if_name [src source_ip [netmask mask]] [dst dest_ip [netmask mask]]
[[proto icmp] | [proto tcp [sport src_port] [dport dest_port]] |
[proto udp [sport src_port] [dport dest_port]] [rx | tx | both]debug sqlnet
no debug sqlnet
show debug
Syntax Description
if_name
Interface name from which the packets are arriving; for example, to monitor packets coming into the PIX Firewall from the outside, set if_name to outside.
src source_ip
Source IP address.
netmask mask
Network mask.
dst dest_ip
Destination IP address.
proto icmp
Display ICMP packets only.
proto tcp
Display TCP packets only.
sport src_port
Source port. Refer to the "Ports" section in Chapter 1, "" for a list of valid port literal names.
dport dest_port
Destination port.
proto udp
Display UDP packets only.
rx
Display only packets received at the PIX Firewall.
tx
Display only packets that were transmitted from the PIX Firewall.
both
Display both received and transmitted packets.
Usage Guidelines
The debug command lets you view debug information. The show debug command displays the current state of tracing. You can debug the contents of network layer protocol packets with debug packet. The debug sqlnet command reports on traffic between Oracle SQL*Net clients and servers through the PIX Firewall. The debug icmp trace command shows ICMP packet information, the source IP address, and the destination address of packets arriving, departing, and traversing the PIX Firewall including pings to the PIX Firewall's own interfaces.
Use of the debug commands can slow down busy networks.
Trace Channel Feature
The debug icmp trace and debug sqlnet commands now send their output to the Trace Channel. The location of the Trace Channel depends on whether you have a simultaneous Telnet console session running at the same time as the console session, or if you are using only the PIX Firewall serial console:
•
•
•
•
The debug commands are shared between all Telnet and serial console sessions.
Note
Additional debug Command Information
Note
Note
To stop a debug packet trace, enter:
no debug packet if_nameReplace if_name with the name of the interface; for example, inside, outside, or a perimeter interface name.
To stop a debug icmp trace, enter:
no debug icmp traceExamples
The following example turns on this command:
debug icmp traceWhen you ping a host through the PIX Firewall from any interface, trace output displays on the console. The following example shows a successful ping from an external host (204.31.17.42) to the PIX Firewall's outside interface (204.31.71.1):
Inbound ICMP echo reply (len 32 id 1 seq 256) 204.31.17.1 > 204.31.17.42Outbound ICMP echo request (len 32 id 1 seq 512) 204.31.17.42 > 204.31.17.1Inbound ICMP echo reply (len 32 id 1 seq 512) 204.31.17.1 > 204.31.17.42Outbound ICMP echo request (len 32 id 1 seq 768) 204.31.17.42 > 204.31.17.1Inbound ICMP echo reply (len 32 id 1 seq 768) 204.31.17.1 > 204.31.17.42Outbound ICMP echo request (len 32 id 1 seq 1024) 204.31.17.42 > 204.31.17.1Inbound ICMP echo reply (len 32 id 1 seq 1024) 204.31.17.1 > 204.31.17.42NO DEBUG ICMP TRACEICMP trace offThis example shows that the ICMP packet length is 32 bytes, that the ICMP packet identifier is 1, and the ICMP sequence number. The ICMP sequence number starts at 0 and is incremented each time a request is sent.
You can debug the contents of packets with debug packet:
debug packet inside--------- PACKET ----------- IP --4.3.2.1 ==> 255.3.2.1ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x60id = 0x3902 flags = 0x0 frag off=0x0ttl = 0x20 proto=0x11 chksum = 0x5885-- UDP --source port = 0x89 dest port = 0x89len = 0x4c checksum = 0xa6a0-- DATA --00000014: 00 01 00 00 |....00000024: 00 00 00 01 20 45 49 45 50 45 47 45 47 45 46 46 | .... EIEPEGEGEFF00000034: 43 43 4e 46 41 45 44 43 41 43 41 43 41 43 41 43 | CCNFAEDCACACACAC00000044: 41 43 41 41 41 00 00 20 00 01 c0 0c 00 20 00 01 | ACAAA.. ..... ..00000054: 00 04 93 e0 00 06 60 00 01 02 03 04 00 | ......`......--------- END OF PACKET ---------This display lists the information as it appears in a packet.
An example of show debug follows:
show debugdebug icmp trace offdebug packet offdebug sqlnet offdisable
Exit privileged mode and return to unprivileged mode. (Privileged mode.)
disable
Usage Guidelines
The disable command exits privileged mode and returns you to unprivileged mode. Use the enable command to return to privileged mode.
Example
pixfirewall# disablepixfirewall>enable
Start privileged mode. (Unprivileged mode.)
enable
Usage Guidelines
The enable command starts privileged mode. The PIX Firewall prompts you for your privileged mode password. By default, a password is not required—press the Enter key at the Password prompt to start privileged mode. Use disable to exit privileged mode. Use enable password to change the password.
Example
pixfirewall> enablePassword:pixfirewall# configure terminalpixfirewall(config)#enable password
Set the privileged mode password. (Privileged mode.)
enable password password [encrypted]
show enable password
Syntax Description
password
A case-sensitive password of up to 16 alphanumeric characters.
encrypted
Specifies that the password you entered is already encrypted. The password must be 16 characters in length.
Usage Guidelines
The enable password command changes the privileged mode password, for which you are prompted after you enter the enable command. When the PIX Firewall starts and you enter privileged mode, the password prompt appears. There is not a default password (press the Enter key at the Password prompt). The show enable password command lists the encrypted form of the password.
You can return the enable password to its original value (press the Enter key at prompt) by entering:
pixfirewall# enable passwordpixfirewall#
Note
Use the passwd command to set the password for PIX Firewall Manager and Telnet access to the PIX Firewall console. The default passwd value is cisco.
See also: passwd.
Examples
pixfirewall> enablePassword:pixfirewall# enable password w0ttal1fepixfirewall# configure terminalwrite terminalBuilding configuration......enable password 2oifudsaoid.9ff encrypted...The following shows the use of the encrypted option:
enable password 1234567890123456 encryptedshow enable passwordenable password 1234567890123456 encryptedenable password 1234567890123456show enable passwordenable password feCkwUGktTCAgIbD encryptedestablished
Allow or disallow return connections based on an established connection. (Configuration mode.)
established protocol dst_port_1 [permitto protocol [dst_port_2[-dst_port_2]]] [permitfrom protocol [src_port[-src_port]]]
no established protocol dst_port_1 [permitto protocol [dst_port_2[-dst_port_2]]] [permitfrom protocol [src_port[-src_port]]]
show established
Syntax Description
protocol
IP protocol type of udp or tcp.
dst_port_1
The destination port to which you want to establish a connection. Refer to the "Ports" section in Chapter 1, "" for a list of valid port literal names.
dst_port_2
The destination port that you want the PIX Firewall to permit the connection to return on.
src_port
The source port on the server from which the return connection will originate.
permitto
Permit inbound connections to the specified port or protocol. This option only opens the destination port.
permitfrom
Permit inbound connections from the specified port or protocol. Used with the permitto option, the permitfrom option provides a more specific source port. If the permitfrom option is used by itself, it requests access from a specific port to any port.
Usage Guidelines
The established command allows outbound connections return access to the PIX Firewall on different ports from which the original connection originated from. This command works with two connections, an original connection outbound from a network protected by the PIX Firewall and a return connection from a server on an external host. The PIX Firewall finds dst_port_1 in its translation table and associates the established command information with the outbound translation. The outbound translation indicates the source and destination IP addresses.
The first protocol and port you specify is for the destination of the original connection. The permitto and permitfrom options refine the information you specify for the return connection.
Note
The permitto option lets you specify a new protocol or port for the return connection at the PIX Firewall. The permitfrom option lets you specify a new protocol or port at the remote server. The no established command disables the established feature. The show established command shows the established commands in the configuration.
Note
You can use the established command with a PAT or a non-PAT global statement, as well as with the nat 0 statement (where there are no global statements).
The established command works as shown in the following format:
established A B permitto C D permitfrom E FThis command works as though it were written "For protocol A and port B, permit a connection back to the PIX Firewall through protocol C and port D, and, optionally, permit a return connection from the server over protocol E and port F."
For example:
established tcp 6060 permitto tcp 6061 permitfrom tcp 6059In this case, a source connection starts using TCP port 6060. The PIX Firewall then lets the return connection come back in over TCP port 6061 from a server that is providing the same service at TCP port 6059.
For multimedia applications such as RealAudio, VDO, Xing, VocalTec, H.323, and CuSeeMe, PIX Firewall handles return packet access through the firewalls transparently. For other applications, such as Internet gaming, if the return packets do not return correctly and the application does not work, the established command provides an alternative functionality.
Security Problem
While this command is running, all UDP or TCP traffic is permitted between the client and server for the current TCP connection. This command only allows the host to which the inside client is connected to deliver UDP data or make high TCP port connections back to the client.
The established command can potentially open a large security hole in the PIX Firewall if not used with discretion. Whenever you use this command, if possible, also use the permitto and permitfrom options to indicate ports to which and from which access is permitted. Without these options, users outside the PIX Firewall can access any ports on servers behind the firewall that are accessible with the conduit and static commands.
The following example illustrates this problem:
static (inside,outside) 204.31.17.42 192.168.1.42 netmask 255.255.255.255conduit permit tcp host 204.31.17.42 eq http anyestablished tcp 0In this example, inside host 192.168.1.42 can be accessed from the outside interface for Web access as permitted by the conduit statement. Because this is a web server (using the HTTP port), access permission is granted to any outside host. However, the established command modifies the effect of the conduit statement and lets any user access any port on the 192.168.1.42 server.
Examples
The following example occurs when a local host 10.1.1.1 starts a TCP connection on port 9999 to a foreign host 204.31.17.1. The example allows packets from the foreign host 204.31.17.1 on port 4242 back to local host 10.1.1.1 on port 5454:
established tcp 9999 permitto tcp 5454 permitfrom tcp 4242The next example allows packets from foreign host 204.31.17.1 on any port back to local host 10.1.1.1 on port 5454:
established tcp 9999 permitto tcp 5454exit
Exit an access mode. (All modes.)
exit
Usage Guidelines
Use the exit command to exit from an access mode. This command is the same as quit.
Example
pixfirewall(config)# exitpixfirewall# exitpixfirewall>failover
Change or view access to the optional failover feature. (Configuration mode.)
failover [active]
failover ip address if_name ip_address
failover reset
failover timeout hh:mm:ss
no failover active
show failover
Syntax Description
Usage Guidelines
Use the failover command without an argument after you connect the optional failover cable between your primary firewall and a secondary firewall. The default configuration has failover enabled. Enter no failover in the configuration file for the PIX Firewall if you will not be using the failover feature. Use the show failover command to verify the status of the connection and to determine which unit is active.
Note
The Standby unit must not be configured individually. Only use the default configuration initially. When the two units are connected and the Primary unit reboots, the Secondary unit will be automatically updated. You can force an update by using the write standby command. If you make changes to the Standby unit, it displays a warning but does not update the Active unit.
To take a unit out of the "failed" state, cycle the power or use the failover reset command. When a failed Primary unit is fixed and brought back on line it will not automatically resume as the Active unit. This ensures that active control will not resume on a unit that could immediately enter a failed state again. However, if a failure is due to a lost signal on a network interface card, failover will "auto-recover" when the network is available again.
Use the failover active command to initiate a failover switch from the Standby unit, or the no failover active command from the Active unit to initiate a failover switch. You can use this feature to return a failed unit to service, or to force an Active unit offline for maintenance. Because the Standby unit does not keep state information on each connection, all active connections will be dropped and must be re-established by the clients.
If a failover IP address has not been entered, show failover will display 0.0.0.0 for the IP address, and monitoring of the interfaces will remain in "waiting" state. A failover IP address must be set for failover to work.
Refer to the section "Configuring Firewall Units for Failover" in Chapter 3 "" for additional configuration information.
Usage Notes
1
2
3
4
(a)
(b)
(c)
5
6
7
If the unit is attached to a switch running spanning tree, this will take twice the forward delay time configured in the switch (typically 15 seconds) plus 30 seconds. This is because at bootup (and immediately following a failover event) the network switch will detect a temporary bridge loop.
When this bridge loop is detected, the switch will stop forwarding packets for the duration of the forwarding delay time. It will then enter "listen" mode for an additional forward delay time during which time the switch is listening for bridge loops but still not forwarding traffic (and thus not forwarding failover hello packets). After twice the forward delay time (30 seconds) traffic should resume. The PIX Firewall will remain in "waiting" mode until it hears two hello packets (1 every 15 seconds for a total of 30 seconds). During this time the PIX Firewall passes traffic, and will not fail the unit if it does not hear the hello packets. All other failover monitoring is still occurring (power, interface, and failover cable hello).
8
9
10
11
12
13
show failoverFailover OffCable Status: My side not connectedReconnect timeout: 0:00:00Examples
The following output shows that failover is enabled, and that the Primary unit state is active:
show failoverFailover OnCable status: NormalThis host: Primary - ActiveActive time: 42855 (sec)Interface dmz (10.2.3.1): Normal (Waiting)Interface outside (204.31.17.1): Normal (Waiting)Interface inside (192.168.1.1): Normal (Waiting)Other host: Secondary - StandbyActive time: 0 (sec)Interface dmz (10.2.3.2): Normal (Waiting)Interface outside (204.31.17.2): Normal (Waiting)Interface inside (192.168.1.2): Normal (WaitingWaiting indicates that monitoring the other unit's network interfaces has not yet started. When a PIX Firewall fails, the Normal message changes to Failed.
You can view the IP addresses of the Standby unit with the show ip address command:
show ip addressSystem IP Addresses:ip address outside 204.31.17.2 255.255.255.0ip address inside 192.168.2.1 255.255.255.0ip address perimeter 204.31.18.3 255.255.255.0Current IP Addresses:ip address outside 204.31.17.2 255.255.255.0ip address inside 192.168.2.1 255.255.255.0ip address perimeter 204.31.18.3 255.255.255.0The Current IP Addresses are the same as the System IP Addresses on the failover Active unit. When the Primary unit fails, the Current IP Addresses become those of the Standby unit.
filter
Enable or disable outbound URL filtering for use with WebSENSE servers. (Configuration mode.)
filter url http|except local_ip local_mask foreign_ip foreign_mask [allow]
no filter url http|except [local_ip local_mask foreign_ip foreign_mask]
show filter
Syntax Description
Usage Guidelines
This command lets you prevent users from accessing World Wide Web URLs that you designate using the WebSENSE filtering application.
The allow option to the filter command determines how the PIX Firewall behaves in the event that the WebSENSE server goes offline. If you use the allow option with the filter command and the WebSENSE server goes offline, port 80 traffic passes through the PIX Firewall without filtering. Used without the allow option and with the server offline, PIX Firewall stops outbound port 80 (Web) traffic until the server is back online, or if another URL server is available, passes control to the next URL server.
Note
To filter URLs:
Step 1
Step 2
Step 3
Step 4
Information on WebSENSE is available at: http://www.websense.com/products/websense/
Example
The following example filters all outbound HTTP connections except those from the 10.0.2.54 host:
url-server (perimeter) host 10.0.1.1filter url http 0 0 0 0filter url except 10.0.2.54 255.255.255.255 0 0fixup protocol
Change, enable, disable, or list a PIX Firewall application protocol feature. (Configuration mode.)
fixup protocol ftp [port]
fixup protocol http [port[-port]
fixup protocol h323 [port[-port]]
fixup protocol rsh [514]
fixup protocol smtp [port[-port]]
fixup protocol sqlnet [port[-port]]
no fixup protocol protocol [port[-port]]
show fixup [protocol protocol]
Syntax Description
protocol
Specify the protocol to fix up: ftp, http, h323, rsh, smtp, sqlnet.
port
Specify the port number or range for the application protocol. The default ports are: 80 for http, 1720 for h323, 25 for smtp, and 1521 for sqlnet. The default port value for rsh cannot be changed, but additional port statements can be added. Refer to the "Ports" section in Chapter 1, "" for a list of valid port literal names.
Usage Guidelines
The fixup protocol commands let you view, change, enable, or disable the use of a through the PIX Firewall. The ports you specify are those that the PIX Firewall listens at for each respective service. You can change the port value for each service except rsh.
The fixup protocol smtp command enables the Mail Guard feature, which only lets mail servers receive the RFC 821, section 4.5.1 commands of HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT. All other commands are rejected with the "500 command unrecognized" reply code.
The fixup protocol commands are always present in the configuration and are enabled by default. You can add multiple port settings for each protocol with separate commands; for example:
fixup protocol ftp 21fixup protocol ftp 4254fixup protocol ftp 9090These commands cause PIX Firewall to listen to the standard FTP port of 21 but also to listen for FTP traffic at ports 4254 and 9090.
The show fixup command lists all values or the show fixup protocol protocol command lists an individual protocol.
You can disable a protocol definition with the no fixup command.
Examples
The following example enables access to an inside server running Mail Guard:
static (inside, outside) 204.31.17.1 192.168.42.1 netmask 255.255.255.0conduit permit tcp host 204.31.17.1 eq smtp anyfixup protocol smtp 25This example shows the default fixup protocol values:
show fixupfixup protocol ftp 21fixup protocol http 80fixup protocol smtp 25fixup protocol h323 1720fixup protocol rsh 514fixup protocol sqlnet 1521The following example shows the commands to disable Mail Guard:
static (dmz1,outside) 204.31.17.1 10.1.1.1 netmask 255.255.255.255conduit permit tcp host 204.31.17.1 eq smtp anyno fixup protocol smtp 25In this example, the static command sets up a global address to permit outside hosts access to the 10.1.1.1 mail server host on the dmz1 interface. (The MX record for DNS needs to point to the 204.31.17.1 address so that mail is sent to this address.) The conduit command lets any outside users access the global address through the SMTP port (25). The no fixup protocol command disables the Mail Guard feature.
floodguard
Enable or disable Flood Defender to protect against flood attacks. (Configuration mode.)
floodguard enable | disable
show floodguard
Syntax Description
Usage Guidelines
The floodguard command lets you reclaim PIX Firewall resources if the user authentication (uauth) subsystem runs out of resources. If an inbound or outbound uauth connection is being attacked or overused, the PIX Firewall will actively reclaim TCP user resources.
When the resources deplete, the PIX Firewall lists messages about it being out of resources or out of tcpusers.
If the PIX Firewall uauth subsystem is depleted, TCP user resources in different states are reclaimed depending on urgency in the following order:
1
2
3
4
The floodguard command is enabled by default.
Example
floodguard enableshow floodguardfloodguard enableglobal
Create or delete entries from a pool of global addresses. (Configuration mode.)
global [(if_name)] nat_id global_ip[-global_ip] [netmask global_mask]
no global [(if_name)] nat_id [global_ip[-global_ip] [netmask global_mask]]
show global
Syntax Description
Usage Guidelines
The global command defines a pool of global addresses. The global addresses in the pool provide an IP address for each outbound connection, and for those inbound connections resulting from outbound connections. Ensure that associated nat and global statements have the same nat_id.
After changing or removing a global statement, use the clear xlate command. If the previous condition persists, save your configuration with the write memory command and then reboot the PIX Firewall.
Use the no global command to remove access to a nat ID, or to a PAT address or address range within a nat ID. Use the show global command to view the global statements in the configuration.
Usage Notes
1
2
3
4
5
6
1.17.31.204.in-addr.arpa. IN PTR pix.caguana.com.7
global (outside) 1 204.31.17.40-204.31.17.50Always add a PAT to the start of the range (the lowest IP address); for example:
global (outside) 1 204.31.17.39Then should addresses 204.31.17.40 through 204.31.17.50 be used up, PIX Firewall will assign the next connection to a port in 204.31.17.39.
Note
Examples
The following example declares two global pool ranges and a Port Address Translation address. Then the nat command permits all inside users to start connections to the outside network.
global (outside) 1 204.31.17.1-204.31.17.10 netmask 255.255.255.0global (outside) 1 204.31.17.42 netmask 255.255.255.0Global 204.31.17.42 will be Port Address Translatednat (inside) 1 0 0clear xlateThe next example creates a global pool from two contiguous Class C addresses and gives the perimeter hosts access to this pool of addresses:
global (outside) 1000 192.150.50.1-192.150.50.254global (outside) 1000 192.150.51.1-192.150.51.254nat (perimeter) 1000 0 0help
Display help information. (Unprivileged mode.)
help
?
Usage Guidelines
The help or ? command displays help information about all commands. You can view help for an individual command by entering the command name followed by a question mark or just the command name and pressing the Enter key.
If the pager command is enabled and when 24 lines display, the listing pauses, and the following prompt appears:
<--- More --->The More prompt uses syntax similar to the UNIX more command:
•
•
•
Example
age ?age <minutes>Help information is available on the core commands (not the show, no, or clear commands) by entering ? at the command prompt:
?aaa Enable, disable, or view TACACS+ or RADIUSuser authentication, authorization and accounting...hostname
Change the host name in the PIX Firewall command line prompt. (Configuration mode.)
hostname newname
Syntax Description
newname
New host name for the PIX Firewall prompt. This name can be up to 16 alphanumeric characters and mixed case.
Usage Guidelines
The hostname command changes the host name label on prompts. The default host name is pixfirewall.
Example
pixfirewall(config# hostname spinnerspinner(config)# hostname pixfirewallpixfirewall(config#interface
Identify network interface speed and duplex. (Configuration mode.)
interface hardware_id hardware_speed
show interface
Syntax Description
Usage Guidelines
The interface command identifies the speed and duplex settings of the network interface boards.
Use show interface to view information about the interface.The configuration of the interface affects buffer allocation (the PIX Firewall will allocate more buffers for higher line speeds). Buffer allocation can be checked with the show blocks command.
Note
Note
Usage Notes
1
2
show interface Notes
The show interface command lets you view network interface information for both Ethernet and Token Ring depending on which is installed in your PIX Firewall. This is one of the first commands you should use when establishing network connectivity after installing a PIX Firewall.
The information in the show interface display is as follows:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Example
The following example assigns names to each interface, enables auto detection for the interface parameters, and then shows interface activity:
nameif ethernet0 outside security0nameif token-ring0 inside security100nameif ethernet1 DMZ security50interface ethernet0 autointerface token-ring0 16mbpsinterface ethernet1 autoshow interfaceinterface ethernet0 "outside" is up, line protocol is upHardware is i82557 ethernet, irq 10, address is 0060.7380.2f16IP address 192.150.50.1, subnet mask 255.255.0.0MTU 1500 bytes, BW 100000 Kbit half duplex0 packets input, 0 bytes, 0 no bufferReceived 0 broadcasts, 0 runts, 0 giants0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort1 packets output, 0 bytes, 0 underrunsinterface token-ring0 "inside" is up, line protocol is upHardware is o3137 token-ring, irq 9, address is 0000.8326.72c6IP address 10.0.0.1, subnet mask 255.0.0.0MTU 8192 bytes, BW 16000 Kbit, Ring-speed: 16Mbps116 packets input, 27099 bytes, 0 no bufferReceived 116 broadcasts, 0 runts, 0 giants0 input errors, 0 CRC, 116 frame, 0 overrun, 0 ignored, 0 abort3 packets output, 150 bytes, 0 underrunsinterface ethernet1 "DMZ" is up, line protocol is upHardware is i82557 ethernet, irq 9, address is 00a0.c95d.0282IP address 127.0.0.1, subnet mask 255.255.255.0MTU 1500 bytes, BW 10000 Kbit half duplex0 packets input, 0 bytes, 0 no bufferReceived 0 broadcasts, 0 runts, 0 giants0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort0 packets output, 0 bytes, 0 underrunsip address
Identify the IP address for the PIX Firewall. (Configuration mode.)
ip address if_name ip_address [netmask]
show ip
Syntax Description
if_name
The internal or external interface name designated by the nameif command.
ip_address
PIX Firewall's network interface IP address.
netmask
Network mask of ip_address.
Usage Guidelines
The ip address command assigns an IP address to the PIX Firewall. Use the show ip command to view which addresses are assigned to the network interfaces. If you make a mistake while entering this command, re-enter the command with the correct information.
After changing an ip address command, save your configuration with the write memory command and then reboot the PIX Firewall.
Note
The default address for an interface is 127.0.0.1.
PIX Firewall configurations using failover require a separate IP address for each network interface on the Standby unit. The system IP address is the address of the Active unit. When the show IP address command is executed on the Active unit, the current IP address is the same as the system IP address. When the show IP address command is executed on the Standby unit, the system IP address is the failover IP address configured for the Standby unit.
Example
nameif ethernet0 outside security0nameif ethernet1 inside security100nameif ethernet2 perimeter security50ip address inside 192.168.2.1 255.255.255.0ip address outside 204.31.17.2 255.255.255.0ip address perimeter 204.31.18.3 255.255.255.0show ip addressSystem IP Addresses:ip address outside 204.31.17.2 255.255.255.0ip address inside 192.168.2.1 255.255.255.0ip address perimeter 204.31.18.3 255.255.255.0Current IP Addresses:ip address outside 204.31.17.2 255.255.255.0ip address inside 192.168.2.1 255.255.255.0ip address perimeter 204.31.18.3 255.255.255.0The Current IP Addresses are the same as the System IP Addresses on the failover Active unit. When the Primary unit fails, the Current IP Addresses become those of the Standby unit.
kill
Terminate a Telnet session. (Privileged mode.)
kill telnet_id
Syntax Description
Usage Guidelines
The kill command terminates a Telnet session. Use the who command to view the Telnet session ID value. When you kill a Telnet session, the PIX Firewall lets any active commands terminate and then drops the connection without warning the user. The kill command does not affect PIX Firewall Manager sessions.
See also: show who, telnet.
Example
show who2: From 10.10.54.0kill 2link / linkpath / age
Specify a Private Link connection to a remote PIX Firewall. (Configuration mode.)
link [(if_name)] foreign_external_ip key-id key|md5
no link [(if_name)] foreign_external_ip key-id key|md5
show link
linkpath foreign_internal_ip netmask foreign_external_ip mtu
no linkpath foreign_internal_ip netmask foreign_external_ip mtu
show linkpath
age minutes
show age
Syntax Description
Usage Guidelines
The link command creates an encrypted path between version 4.3(x) Private Link-equipped PIX Firewall units. The PIX Firewall Private Link consists of an encryption circuit board and software that permits the PIX Firewall units to provide encrypted communications across an unsecure network such as the Internet.
You can specify up to seven encryption keys for data access between your unit and the remote unit. The key-ID and key values must be the same on each side of the Private Link. Once you specify the same keys on both sides of the connection, the systems alert each other when a new key takes effect.
PIX Firewall selects the next Private Link encryption key by the "round-robin" method. The age command determines the length of time a key is current.
The no link command deletes a key from the link command. Use the show link command to list the remote IP address, keys, and the number of packets processed through Private Link.
The linkpath command identifies the internal and external network interfaces on the foreign PIX Firewall running Private Link. Use show linkpath to view the IP addresses you specify. Use no linkpath to stop access to a Private Link remote firewall. You can use multiple linkpath statements to define which networks on the remote PIX Firewall can access the Private Link connection.
The show age command lists the current aging duration.
Usage Notes
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
Examples
The following example specifies the remote IP address of the Private Link and specifies four keys for access to the remote system, and specifies the IP address of the inside network interface on the remote host.
link (perimeter) 204.31.17.2 1 fadebacfadebaclink (perimeter) 204.31.17.2 2 bacfadefadebaclink (perimeter) 204.31.17.2 3 baabaaafadebaclink (perimeter) 204.31.17.2 4 beebeeefadebaclinkpath 10.1.1.0 255.255.255.0 204.31.17.2route perimeter 10.1.1.0 255.255.255.0 192.150.50.1 1The link and linkpath commands in this example allow a Private Link to be established to or from the perimeter network at 204.31.17.2 and the remote network at 10.1.1.0. The route command is required to force the Private Link communications to the perimeter interface. The 192.150.50.1 IP address is that of the PIX Firewall's perimeter interface.
Another example follows:
link 204.31.17.42 1 12345678901234show linkTermIface Foreign IP KeyID Keyinside 204.31.17.42 1 0x12345678901234An age example follows:
age 10show agePrivate Link Key Aging: 10 minuteslogging
Enable or disable syslog and SNMP logging. (Configuration mode.)
logging on
no logging on
logging buffered level
clear logging
no logging buffered
logging console level
no logging console
logging facility facility
no logging facility facility
logging host [in_if_name] ip_address [protocol /port]
no logging host [in_if_name] ip_address
logging message syslog_id
no logging message syslog_id
clear logging disabled
show logging disabled
logging monitor level
no logging monitor level
logging timestamp
no logging timestamp
logging trap level
no logging trap level
show logging
Syntax Definition
Usage Guidelines
The logging command lets you enable or disable sending informational messages to the console, to a syslog server, or to an SNMP server.
You can also use this guide to get the message numbers that can be individually suppressed with the logging message command.
Important Notes
1
2
3
4
5
See also: clock, telnet, terminal
Viewing Syslog Messages from the Console
To view syslog messages from the PIX Firewall console:
Step 1
logging buffered 7The value 7 causes all syslog message levels to be stored in the buffer. If preferred, set the value to a lower number to view fewer messages.
Refer to Appendix A of the System Log Messages for the PIX Firewall Version 4.3 guide for a list of messages that appear at each severity level. You can view this document on line at:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v43/syslog/
Step 2
show loggingStep 3
Step 4
New messages appear at the end of the logging listing.
Viewing Syslog Messages from a Telnet Console Session
To view syslog messages from a Telnet console session:
Step 1
telnet 192.168.1.2 255.255.255.255You should also set the duration that a Telnet session can be idle before PIX Firewall disconnects the session to a value greater than the default of 5 minutes. A good value is at least 15 minutes, which you can set as follows:
telnet timeout 15Step 2
telnet 192.168.1.1Step 3
Step 4
Step 5
Step 6
Step 7
Step 8
terminal no monitorno logging monitorSending Syslog Messages to a Syslog Server
PIX Firewall can send syslog messages to any syslog server. In the event that all syslog servers are offline, PIX Firewall stores up to 100 messages in its memory. Subsequent messages that arrive overwrite the buffer starting from the first line.
To send messages to a syslog server:
Step 1
logging host interface address [protocol/port]Replace interface with the interface on which the server exists and address with the IP address of the host. An example logging host command is as follows:
logging host outside 204.31.17.5If the syslog server is receiving messages on a non-standard port, you can replace protocol with udp and port with the new port value. The default protocol is UDP with a default port of 514. You can also specify TCP with a default of 1468. To date, there is only one TCP syslog server, the Cisco PIX Firewall Syslog Server (PFSS). Refer to "PIX Firewall Syslog Server (PFSS)" for more information.Only one logging host UDP or TCP statement is permitted for a specific syslog server. A subsequent statement overrides the previous one. Use the write terminal command to view the logging host command statement in the configuration—the UDP option is shown as "17" and the TCP option as "6."
Step 2
logging trap debuggingCisco recommends that you use the debugging level during initial setup and during testing. Thereafter, set the level from debugging to errors for production use.
Step 3
Step 4
Step 5
clock set 14:25:00 apr 1 1999logging timestampIn this example, the clock is set to the current time of 2:25 pm on April 1, 1999, and time stamping is enabled. To disable time-stamp logging, use the no logging timestamp command.
Sending SNMP Traps to an SNMP Server
To send traps to an SNMP server:
Step 1
Step 2
Step 3
logging trap debuggingCisco recommends that you use the debugging level during initial set up and during testing. Thereafter, set the level from debugging to errors for production use.
Step 4
Only syslog messages in the syslog MIB are controlled by this command. Refer to "Compiling Cisco Syslog Enterprise MIB Files" in Chapter 3, "" for more information.
Suppressing Syslog Messages
To suppress syslog messages:
Step 1
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v43/syslog/
Step 2
no logging message 103012Step 3
Step 4
For example, to suppress the following message:
%PIX-6-305002: Translation built for gaddr IP_addr to IP_addrUse the following command to stop this message from being sent to the syslog server:
no logging message 305002You can view all disabled messages or just one with the following commands:
show logging disabledno logging message 305002show logging message 305002syslog 305002 disabledIf you want to let the message resume being sent, use the following command:
logging message 305002Additional logging Command Information
The PIX Firewall generates syslog messages for system events, such as security alerts and resource depletion. Using a UNIX syslog facility, you can specify which types of syslog messages create email alerts, are stored in log files, or display on the console of a designated inside network host. Use the logging monitor command to determine what messages display in a Telnet session to the PIX Firewall console.
To disable messages for a specific session, use the terminal no monitor command.
Because the PIX Firewall shares the eight facilities with other UNIX network devices, the logging facility command lets you choose the facility that the PIX Firewall marks on each message it sends to the syslog host. Messages are sent to the syslog host over UDP.
Use the show logging command to view the current syslog hosts and previously sent messages.
PIX Firewall Syslog Server (PFSS)
The PIX Firewall Syslog Server (PFSS) provides a syslog server that runs from a Windows NT system and receives TCP and UDP syslog messages from up to 10 PIX Firewalls. This server is provided at no charge from Cisco Connection Online (CCO).
Use of the PFSS gives you the additional benefit of reliability through receiving TCP event messages and being able to monitor whether the server is up or down from the PIX Firewall. Installation instructions for the PFSS are provided in the Quick Installation Guide for the PIX Firewall Version 4.3. You can view this document online at:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v43/pix43qig.htm
Note
You can configure the PIX Firewall to send syslog messages via UDP or TCP. If syslog messages are sent using TCP, and if the Windows NT partition in which the log files are stored runs out of disk space, the PIX Firewall stops all traffic until the disk space is freed or until the PIX Firewall is directed to send messages to another syslog server. If you configure the PIX Firewall to send syslog messages using UDP, the PIX Firewall operates normally regardless of the ability of the PFSS to receive messages.
Windows NT installation and configuration instructions for the PIX Firewall Syslog Server (PFSS) are described in the Quick Installation Guide for the PIX Firewall Version 4.3.
Note
PFSS creates seven rotating syslog files monday.log, tuesday.log, wednesday.log, thursday.log, friday.log, saturday.log, and sunday.log. If a week has passed since the last log file was created, it will rename the old log file to day.mmddyy where day is the current day, mm is the month, dd is the day, and yy is the year.
PFSS also creates the pfss.log file where the values for the disk full percentage, and the UDP and TCP port values are stored.
If the Windows NT filesystem is full, the PIX Firewall Syslog Server disables all TCP connections from the PIX Firewall by closing its TCP listen socket.
The PIX Firewall tries to re-connect to the PIX Firewall Syslog Server five times, and during the retry, it stops all new connections through the PIX Firewall. If the TCP connection cannot be re-established, the status of the host log is set to disable after the fifth attempt.
Changing Windows NT PFSS Parameters
Note
Step 1
Step 2
•
•
•
•
•
Recovering After the Windows NT Disk is Full
To recover from a disk full situation:
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
Example
The following example shows how to start console logging and view the results:
logging buffered debuggingshow loggingSyslog logging: enabledTimestamp logging: disabledConsole logging: disabledMonitor logging: disabledBuffer logging: level debugging, 37 messages loggedTrap logging: disabled305001: Portmapped translation built for gaddr 204.31.17.5/0 laddr 192.168.1.2/256...The line of output starting with 305001 shows a translation to a PAT global through global address 204.31.17.5 from a host at 192.168.1.2. The "305001" identifies a syslog message for creating a translation through a PAT global. Refer to System Log Messages for the PIX Firewall Version 4.3 for more information on syslog messages. You can view this document on line at:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v43/syslog/
mtu
Specify the MTU (maximum transmission unit) for an interface. (Configuration mode.)
mtu if_name bytes
no mtu [if_name bytes]
show mtu
Syntax Description
Usage Guidelines
The mtu command sets the size of data sent on a connection. Data larger than the MTU value is fragmented before being sent. The minimum value for bytes is 64 and the maximum is 65,535 bytes.
PIX Firewall supports the IP Path MTU Discovery mechanism, as defined in RFC 1191. IP Path MTU Discovery allows a host to dynamically discover and cope with differences in the maximum allowable maximum transmission unit (MTU) size of the various links along the path. Sometimes a router is unable to forward a datagram because it requires fragmentation (the packet is larger than the MTU you set for the interface), but the "don't fragment" (DF) bit is set. The network software sends a message to the sending host, alerting it to the problem. The host will have to fragment packets for the destination so that they fit the smallest packet size of all the links along the path.
For Ethernet interfaces, the default MTU is 1,500 bytes in a block, which is also the maximum. This value is sufficient for most applications, but you can pick a lower number if network conditions warrant it.
For Token Ring, the default is 8,192 bytes.
The no mtu command resets the MTU block size to 1,500 for Ethernet interfaces and 8,192 for Token Ring. The show mtu command displays the current block size. The show interface command also shows the MTU value.
Example
interface token-ring0 16mbpsinterface ethernet0 automtu inside 8192show mtumtu outside 1500mtu inside 8192name / names
Associate a name with an IP address. (Configuration mode.)
name ip_address name
no name [ip_address name]
names
no names
clear names
show names
Syntax Description
Usage Guidelines
Use the name command to identify a host by a text name. The names you define become like a host table local to the PIX Firewall. Because there is no connection to DNS or /etc/hosts on UNIX servers, use of this command is a mixed blessing—it makes configurations much more readable but introduces another level of abstraction to administer; not only do you have to add and delete IP addresses to your configuration as you do now, but with this command, you need to ensure that the host names either match existing names or you have a map to list the differences.
The names command enables use of the name command to map text strings to IP addresses. The clear names and no names commands are the same and disable use of the name text strings. The show names command lists the name statements in the configuration.
Notes
1
2
3
4
Example
In the example that follows, the names command enables use of the name command. The name command substitutes pix_inside for references to 192.168.42.3, and pix_outside for 204.31.17.33. The ip address commands use these names while assigning IP addresses to the network interfaces. The no names command disables the name values from displaying. Subsequent use of the names command restores their display.
namesname 192.168.42.3 pix_insidename 204.31.17.33 pix_outsideip address inside pix_insideip address outside pix_outsideshow ip addressinside ip address pix_inside mask 255.255.255.255outside ip address pix_outside mask 255.255.255.255no namesshow ip addressinside ip address 192.168.42.3 mask 255.255.255.255outside ip address 204.31.17.33 mask 255.255.255.255namesshow ip addressinside ip address pix_inside mask 255.255.255.255outside ip address pix_outside mask 255.255.255.255nameif
Name interfaces and assign security level. (Configuration mode.)
nameif hardware_id if_name security_level
show nameif
Syntax Description
Usage Guidelines
The nameif command lets you assign a name to an interface. You can use this command to assign interface names if you have more than two network interface circuit boards in your PIX Firewall.
The first two interfaces have the default names inside and outside. The inside interface has default security level 100, the outside interface has default security level 0.
Usage Notes
1
2
3
4
See also: interface.
Example
nameif ethernet2 perimeter1 sec50nameif ethernet3 perimeter2 sec20nat
Associate a network with a pool of global IP addresses. (Configuration mode.)
nat [(if_name)] nat_id local_ip [netmask [max_conns [em_limit]]] [norandomseq]
no nat [[(if_name)] nat_id local_ip [netmask [max_conns [em_limit]]]] [norandomseq]
show nat
Syntax Description
Usage Guidelines
The nat command lets you enable or disable address translation for one or more internal addresses. Address translation means that when a host starts an outbound connection, the IP addresses in the internal network are translated into global addresses. Network Address Translation (NAT) lets your network have any IP addressing scheme and the firewall protects these addresses from visibility on the external network.
After changing or removing a nat statement, use the clear xlate command. If the previous condition persists, save your configuration with the write memory command and then reboot the PIX Firewall.
The connection limit lets you set the maximum number of outbound connections that can be started with the IP address criteria you specify. The embryonic connection limit lets you prevent a type of attack where processes are started without being completed. An embryonic connection is a connection that someone attempted but has not completed and has not yet seen data. Every connection is embryonic until it sets up.
You can use the no nat command to remove a nat statement and you can use the show nat command to view nat statements in the current configuration.
helps you decide when to use the nat or static commands for access between the various interfaces in the PIX Firewall. For this table, assume that the security levels are 40 for dmz1 and 60 for dmz2.
The rule of thumb is that for access from a higher security level interface to a lower security level interface, use the nat command. From lower security level interface to a higher security level interface, use the static command.
Usage Notes
1
Addresses on each interface must be on a different subnet. Refer to Appendix D, "" for more information on subnetting.
The nat 0 1.2.3.0 command means let those IP addresses in the 1.2.3.0 net appear on the outside without translation. All other hosts are translated depending on how their nat statements appear in the configuration.
2
3
See also: global, outbound, apply.
Examples
The following example specifies with nat statements that all the hosts on the 10.0.0.0 and 3.3.3.0 inside networks can start outbound connections. The global statements create a pool of global addresses.
nat (inside) 1 10.0.0.0 255.0.0.0global (outside) 1 204.31.17.25-204.31.17.27global (outside) 1 204.31.17.28nat (inside) 3 3.3.3.0 255.255.255.0global (outside) 3 204.31.18.1-204.31.18.254When using the nat 0 command, if you want the addresses to be visible from the outside network, use the static and conduit command:
nat (inside) 0 204.31.17.0 255.255.255.0static (inside, outside) 207.31.17.1 207.31.17.1conduit permit tcp host 207.31.17.1 eq ftp host 10.0.0.1static (inside, outside) 207.31.17.2 207.31.17.2conduit permit tcp host 207.31.17.2 eq ftp host 10.0.0.1...outbound / apply
Create an access list for controlling Internet use. (Configuration mode.)
outbound list_ID permit|deny ip_address [netmask [java|port[-port]]] [protocol]
outbound list_ID except ip_address [netmask [java|port[-port]]] [protocol]
clear outbound
no outbound [list_ID permit|deny ip_address [netmask [java|port[-port]]] [protocol]]
no outbound [list_ID except ip_address [netmask [java|port[-port]]] [protocol]]
show outbound
apply [(if_name)] list_ID outgoing_src|outgoing_dest
clear apply
no apply [[(if_name)] list_ID outgoing_src|outgoing_dest]
show apply [(if_name)] [list_ID outgoing_src|outgoing_dest]
Syntax Description
list_ID
A tag number for the access list. The access list number you use must be the same for the apply and outbound commands. This value must be a positive number. This number can be the same as what you use with nat and global. This number is just an arbitrary number that groups outbound statements to an apply statement.
permit
Allow the access list to access the specified IP address and port.
deny
Deny the access list access to the specified IP address and port.
except
Create an exception to a previous outbound command. An except statement applies to permit or deny statements only with the same access list ID.
When used with apply outgoing_src, the IP address of an except statement applies to the destination address.
When used with apply outgoing_dest, the IP address of an except statement applies to the source address.
Refer to "Outbound List Rules" for more information.
ip_address
The IP address for this access list entry. Do not specify a range of addresses. The 0.0.0.0 ip_address can be abbreviated as 0.
netmask
The network mask for comparing with the IP address; 255.255.255.0 causes the access list to apply to an entire Class C address. 0.0.0.0 indicates all access. The 0.0.0.0 netmask can be abbreviated as 0.
port
A port or range of ports that the access list is permitted or denied access to. Refer to the "Ports" section in Chapter 1, "" for a list of valid port literal names.
java
The java keyword indicates port 80 and when used with the deny option, means that the firewall blocks Java applets from being downloaded from ip_address (depending on use of the apply command). Java applets are permitted by default and do not have to be explicitly permitted.
protocol
Limit outbound access to udp, tcp, or icmp protocols. If a protocol is not specified, the default is tcp.
if_name
The network interface originating the connection.
outgoing_src
Deny or permit an internal IP address the ability to start outbound connections using the service(s) specified in the outbound command.
outgoing_dest
Deny or permit access to an external IP address using the service(s) specified in the outbound command.
Usage Guidelines
The outbound command creates an access list that lets you specify the following:
•
•
•
•
Outbound lists are filters on outgoing packets from the PIX Firewall. The filter can be based on the source IP address, the destination IP address, and the destination port/protocol as specified by the rules. The use of an outbound command requires use of the apply command. The apply command lets you specify whether the access control list applies to inside users' ability to start outbound connections with apply command's outgoing_src option, or whether the access list applies to inside users' ability to access servers on the outside network with the apply command's outgoing_dest option.
After adding, removing, or changing outbound statements, save your configuration with the write memory command and then reboot the PIX Firewall.
Use the no outbound command to remove a single outbound statement from the configuration. Use the clear outbound command to remove all outbound statements from the configuration. The show outbound command displays the outbound statements in the configuration.
Use the no apply command to remove a single apply statement from the configuration. Use the clear apply statement to remove all the apply statements from the configuration. The show apply command displays the apply statements in the configuration.
Outbound List Rules
Rules, written as outbound list_ID ... statements are global to the PIX Firewall, they are activated by apply list_ID outgoing_src|outgoing_dest statements. When applied to outgoing_src, the source IP address, the destination port, and protocol are filtered. When applied to outgoing_dest, the destination IP address, port, and protocol are filtered.
The outgoing_src and outgoing_dest outbound lists are filtered independently. If any one of the filters contain deny, the outbound packet is denied. When multiple rules are used to filter the same packet, the best matched rule takes effect. The best match is based on the IP address mask and the port range check. More strict IP address masks and smaller port ranges are considered a better match. If there is a tie, a permit overrides a deny.
Rules are grouped by a list_ID. Within each list_ID, except rules (that is, outbound n except ...) can be set. The except option reverses the best matched rule of deny or permit. In addition, PIX Firewall filters the specified IP address and mask in the rule for the destination IP address of the outbound packet if the list is applied to the outbound_src. Alternatively, PIX Firewall filters the source IP address if the list is applied to the outgoing_dest. Furthermore, the except rules only apply to rules with the same list_ID. A single except rule within a list_ID without another permit or deny rule has no effect. If multiple except rules are set, the best match is checked for which except to apply.
The outbound command rules are now sorted by the best match checking. Use the show outbound command to see how the best match is judged by the PIX Firewall.
Usage Notes
1
2
3
4
outbound 1 deny 0 0 0apply (inside) 1 outgoing_srcThen add statements that permit or deny hosts access to specific ports, for example:
outbound 1 deny 0 0 0outbound 1 permit 10.1.1.1 255.255.255.255 23 tcp
outbound 1 permit 10.1.1.1 255.255.255.255 80 tcp
apply (inside) 1 outgoing_src
If you used the except option, you could state this same example as follows:
outbound 1 deny 0 0 0outbound 1 except 204.31.17.11 255.255.255.255 23 tcp
outbound 1 except 204.31.17.11 255.255.255.255 80 tcp
apply (inside) 1 outgoing_srcIn the above except statement, IP address 204. 31.17.11 is the destination IP address, not the source address. This means that everyone is denied outbound access, except those users going to 204.31.17.11 via Telnet or HTTP (80).
5
PIX Firewall removes applets containing a Java signature anywhere in the packet, but does not remove applets encapsulated in some archive files. Legitimate, non-Java files with Java signatures are also blocked.6
You must have a specific deny statement to block Java applets.7
8
Examples
The first outbound group sets inside hosts so that they can only see and Telnet to perimeter hosts, and do DNS lookups. In this example, the perimeter network address is 204.0.0.0 and the network mask is 255.255.255.0:
outbound 9 deny 0.0.0.0 0.0.0.0 0 0outbound 9 except 204.0.0.0 255.255.255.0 23 tcpoutbound 9 except 0.0.0.0 0.0.0.0 53 udpThe next outbound group in this same example lets hosts 10.1.1.11 and 10.1.1.12 go anywhere:
outbound 11 deny 0.0.0.0 0.0.0.0 0 0outbound 11 permit 10.1.1.11 255.255.255.255 0 0outbound 11 permit 10.1.1.12 255.255.255.255 0 0outbound 11 permit 0.0.0.0 0.0.0.0 21 tcpoutbound 11 permit 10.3.3.3 255.255.255.255 143 tcpThis last outbound group in this same example lets hosts on the perimeter only access TCP ports 389 and 30303 and UDP port 53 (DNS). Finally, the apply statements set the outbound groups so that the permit and deny rules affect access to all external addresses.
outbound 13 deny 0.0.0.0 0.0.0.0 0 0outbound 13 permit 0.0.0.0 0.0.0.0 389 tcpoutbound 13 permit 0.0.0.0 0.0.0.0 30303 tcpoutbound 13 permit 0.0.0.0 0.0.0.0 53 udpapply (inside) 9 outgoing_srcapply (inside) 11 outgoing_srcapply (perim) 13 outgoing_srcControlling Outbound Connections
The following example prevents all inside hosts from starting outbound connections:
outbound 1 deny 0 0 0apply (inside) 1 outgoing_srcThe 0 0 0 at the end of the command means all IP addresses (0 is the same as 0.0.0.0), with a 0.0.0.0 subnet mask and for all services (port value is zero).
Conversely, the following example permits all inside hosts to start connections to the outside (this is the default if an access list is not created):
outbound 1 permit 0 0 0apply (inside) 1 outgoing_srcControlling Inside Hosts' Access to Outbound Services
The following example prevents inside host 192.168.1.49 from accessing the World Wide Web
(port 80):outbound 11 deny 192.168.1.49 255.255.255.255 80 tcpapply (inside) 11 outgoing_srcControlling Inside Hosts' Access to Outside Servers
If your employees are spending too much time examining GIF images on a particular site with two web servers, you can use the following example to restrict this access:
outbound 12 deny 192.168.146.201 255.255.255.255 80 tcpoutbound 12 deny 192.168.146.202 255.255.255.255 80 tcpapply (inside) 12 outgoing_destPreventing Use of Java Applets
The following example prevents all inside users from executing Java applets on the inside network:
outbound 1 deny 0 0 javaapply (inside) 1 outgoing_srcUsing except Statements
An except statement only provides exception to items with the same list_ID. Consider the following example:
outbound 9 deny 0.0.0.0 0.0.0.0 0 0outbound 9 except 20.0.0.0 255.0.0.0 23 tcpoutbound 9 except 0.0.0.0 0.0.0.0 53 udpoutbound 11 deny 0.0.0.0 0.0.0.0 0 0outbound 11 permit 10.1.1.11 255.255.255.255 0 0outbound 11 permit 10.1.1.12 255.255.255.255 0 0outbound 11 permit 0.0.0.0 0.0.0.0 21 tcpoutbound 11 permit 10.3.3.3 255.255.255.255 143 tcpoutbound 13 deny 0.0.0.0 0.0.0.0 0 0outbound 13 permit 0.0.0.0 0.0.0.0 389 tcpoutbound 13 permit 0.0.0.0 0.0.0.0 30303 tcpoutbound 13 permit 0.0.0.0 0.0.0.0 53 udpIn the preceding examples, the following two statement work against other statements in list 9 but not in lists 11 and 13.
outbound 9 except 20.0.0.0 255.0.0.0 23 tcpoutbound 9 except 0.0.0.0 0.0.0.0 53 udpIn the following example, the set of deny, permit, and except option statements denies everybody from connecting to external hosts except for DNS queries and Telnet connections to hosts on 20.0.0.0. The host with IP address 10.1.1.11 is permitted outbound access, and has access to everywhere except to 20.0.0.0 via Telnet and anywhere to use DNS:
outbound 1 deny 0.0.0.0 0.0.0.0 0 tcpoutbound 1 permit 10.1.1.11 255.255.255.255 0 tcpoutbound 1 except 20.0.0.0 255.0.0.0 23 tcpoutbound 1 except 0.0.0.0 0.0.0.0 53 udpapply (inside) outgoing_srcpager
Enable or disable screen paging. (Privileged mode.)
pager [lines lines]
no pager
show pager
Syntax Definition
lines
The number of lines before the More prompt appears. The minimum is 1.
Use 0 to disable paging.
Usage Guidelines
The pager lines command lets you specify the number of lines in a page before the More prompt appears. The pager command enables display paging, and no pager disables paging and lets output display completely without interruption. If you set pager lines to some value and want to revert back to the default, enter the pager command without options.
Use pager 0 to disable paging.
The show pager command displays pager status.
When paging is enabled, the following prompt appears:
<--- More --->The More prompt uses syntax similar to the UNIX more command:
•
•
To return to the command line, press the q key.
Example
pixfirewall# pager lines 2pixfirewall# ping inside 10.0.0.4210.0.0.42 NO response received -- 1010ms10.0.0.42 NO response received -- 1000ms<--- More --->passwd
Set password for Telnet and PIX Firewall Manager access to the firewall console. (Privileged mode.)
passwd password [encrypted]
show passwd
Syntax Description
Usage Guidelines
The passwd command sets a password for Telnet and PIX Firewall Manager access to the firewall console. An empty password is also changed into an encrypted string. However, any use of a write command displays or writes the passwords in encrypted form. Once passwords are encrypted, they are not reversible back to plain text.
Note
See also: enable password.
Example
passwd watag00s1amshow passwdpasswd jMorNbK0514fadBh encryptedperfmon
View performance information. (Privileged mode.)
perfmon interval seconds
perfmon quiet | verbose
show perfmon
Syntax Description
Usage Guidelines
The perfmon command lets you monitor the PIX Firewall's performance. Use the show perfmon command to view the information immediately. Use the perfmon verbose command to display the information every two minutes continuously. Use the perfmon interval seconds command with the perfmon verbose command to display the information continuously every number of seconds you specify.
Note
Use the perfmon quiet command to disable the display.
An example of the performance information is:
This information lists the number of translations, connections, WebSENSE requests, address translations (called "fixups"), and AAA transactions that occur each second.
Example
The following commands display the performance monitor statistics every 30 seconds on the PIX Firewall console:
perfmon interval 30perfmon verboseping
Determine if other IP addresses are visible from the PIX Firewall. (Privileged mode.)
ping if_name ip_address
Syntax Description
Usage Guidelines
The ping command determines if the PIX Firewall has connectivity or if a host is available on the network. The command output shows if the response was received; that is, that the host exists on the network. If the host is not responding, ping displays "NO response received." Use show interface to ensure that the PIX Firewall is connected to the network and is passing traffic.
If you want internal hosts to be able to ping external hosts, you must create an ICMP conduit for echo reply; for example, to give ping access to all hosts, use the conduit permit icmp any any command.
If you are pinging through PIX Firewall between hosts or routers, but the pings are not successful, use the debug icmp trace command to monitor the success of the ping. If pings are both inbound and outbound, they are successful.
Example
The ping command makes three attempts to reach an IP address:
ping inside 192.168.42.54192.168.42.54 response received -- 0Ms192.168.42.54 response received -- 0Ms192.168.42.54 response received -- 0Msquit
Exit configuration or privileged mode. (All modes.)
quit
Usage Guidelines
Use the quit command to exit configuration or privileged mode.
Example
pixfirewall(config)# quitpixfirewall# quitpixfirewall>radius-server
Specify a RADIUS server for use with the aaa command. (Configuration mode.)
radius-server [(if_name)] host ip_address key [timeout seconds]
clear radius-server
no radius-server [(if_name)] host [[ip_address] [key]]
show radius-server
Syntax Description
Usage Guidelines
Specify a RADIUS server. Use show radius-server to view the information.
Note
Servers are used in the order entered in the configuration. If the server is off-line or fails, the next server is checked. This continues until a working server is found. Use no radius-server to disable access to a host.
Use the radius-server command before you use the aaa command. The aaa command enables authentication, and accounting services for access to the RADIUS server you designate.
Note
The clear radius-server command removes all radius-server entries from the configuration.
Before using the clear radius-server command, remove the aaa commands that enable RADIUS authentication or accounting.
Example
radius-server (perimeter) host 192.168.42.42 whatakey!@#$%^&*show radius-serverradius-server (perimeter) host 192.168.42.42 whatakey!@#$%^&*aaa authentication any outside 192.168.42.42 255.255.255.255 0 0 radiusreload
Reboot and reload the configuration. (Privileged mode.)
reload
Usage Guidelines
The reload command reboots the PIX Firewall and reloads the configuration from a bootable floppy
disk or, if a diskette is not present, from Flash memory.
Note
Any response other than n causes the reboot to occur.
Note
Example
reloadProceed with reload? [confirm] yRebooting...PIX Bios V2.7...rip
Change RIP settings. (Configuration mode.)
rip if_name default|passive
no rip [if_name default|passive]
show rip if_name
Syntax Description
Usage Guidelines
The rip passive command enables IP routing table updates from received RIP (Routing Information Protocol) broadcasts. Use show rip to display the current RIP settings. Use no rip to disable the PIX Firewall IP routing table updates. The default is to enable IP routing table updates.
Example
show riprip outside passiveno rip outside defaultrip inside passiveno rip inside defaultrip inside defaultshow riprip outside passiveno rip outside defaultrip inside passiverip inside defaultroute
Enter a static or default route for the specified interface. (Configuration mode.)
route if_name ip_address netmask gateway_ip [metric]
clear route [if_name ip_address [netmask gateway_ip]]
no route [if_name ip_address [netmask gateway_ip]]
show route
Syntax Description
Usage Guidelines
Use the route command to enter a default or static route for an interface. To enter a default route, set ip_address and netmask to 0.0.0.0, or the shortened form of 0. All routes entered using the route command are stored in the configuration when it is saved.
Create static routes to access networks connected outside a router on any interface. The effect of a static route is like stating "to send a packet to the specified network, give it to this router." For example, PIX Firewall sends all packets destined to the 192.168.42.0 network through the 192.168.1.5 router with this static route statement:
route dmz 192.168.42.0 255.255.255.0 192.168.1.5 1
Note
Examples
Specify one default route statement for the outside interface, which in this example, has an IP address of 192.150.50.1:
route outside 0 0 192.150.50.1 1For static routes, if two networks, 10.1.2.0 and 10.1.3.0 connect via a hub to the dmz1 interface router at 10.1.1.4, add these static route statements to provide access to the networks:
route dmz1 10.1.2.0 255.0.0.0 10.1.1.4 1route dmz1 10.1.3.0 255.0.0.0 10.1.1.4 1service
Reset inbound connections. (Configuration mode.)
service resetinbound
show service
Syntax Description
Usage Guidelines
The service command works with all inbound TCP connections to statics whose conduits or uauth (user authorization) do not allow inbound. One use is for resetting IDENT connections. If an inbound TCP connection is attempted and denied, you can use the service resetinbound command to return an RST (reset flag in the TCP header) to the source. Without the option, the PIX Firewall drops the packet without returning an RST.
For use with IDENT, the PIX Firewall sends a TCP RST to the host connecting inbound and stops the incoming IDENT process so that email outbound can be transmitted without having to wait for IDENT to time out. In this case, the PIX Firewall sends a syslog message stating that the incoming connection was a denied connection. Without service resetinbound, the PIX Firewall drops packets that are denied and generates a syslog message stating that the SYN was a denied connection. However, outside hosts keep retransmitting the SYN until the IDENT times out.
When an IDENT connection is timing out, you will notice that connections slow down. Perform a trace to determine that IDENT is causing the delay and then invoke the service command.
The service resetinbound command provides a safer way to handle an IDENT connection through the PIX Firewall. Ranked in order of security from most secure to less secure are these methods for handling IDENT connections:
1
2
3
When using the aaa command, if the first attempt at authorization fails and a second attempt causes a timeout, use the service resetinbound command to reset the client that failed the authorization so that it will not retransmit any connections. An example authorization timeout message in Telnet is:
Unable to connect to remote host: Connection timed outExample
service resetinboundshow serviceservice resetinboundsession
Access an embedded AccessPro router console. (Privileged mode.)
session enable
no session
show session
Note
Syntax Description
Usage Guidelines
The session command lets you specify Cisco IOS commands on an AccessPro router console when the router is installed in your PIX Firewall. Use COM port 4 on the AccessPro router to communicate with the PIX Firewall.
Exit the router console session by entering tilde-dot (~.). Press the tilde key and when you hear a bell sound from your terminal, press the dot key.
While a router console session is occurring, the PIX Firewall disables failover because they both require the same interrupts.
Example
This example enables an AccessPro session, starts the session, and then disables it.
session enableSession has been enabled.sessionWarning: FAILOVER has been disabled!!!Attempting session with embedded router, use ~. to quit!acpro> ~.no sessionSession has been disabledsessionSession is not enabledshow
View command information. (Differs by mode.)
show ?
Usage Guidelines
This command without arguments or the show ? command lets you view the names of the show commands and their descriptions. Explanations for each show command are provided on the respective command page for the command itself where appropriate; for example, show arp is described on the arp command page.
Note
If the pager command is enabled and when 24 lines display, the listing pauses, and the following prompt appears:
<--- More --->The More prompt uses syntax similar to the UNIX more command:
•
•
•
Example
show ?? help ...show blocks
Show system buffer utilization. (Privileged mode.)
show blocks
Usage Guidelines
This command lists preallocated system buffer utilization. In the show blocks listing, the SIZE column displays the block type. The MAX column is the maximum number of allocated blocks. The LOW column is the fewest blocks available since last reboot. The CNT column is the current number of available blocks. The FAILED column is not currently used. A zero in the LOW column indicates a previous event where memory exhausted. A zero in the CNT column means memory is exhausted now. Exhausted memory is not a problem as long as traffic is moving through the PIX Firewall. You can use the show conn command to see if traffic is moving. If traffic is not moving and the memory is exhausted, a problem may be indicated.
Example
pixfirewall(config)# show blocksSIZE MAX LOW CNT FAILED4 1600 1600 160080 100 97 97256 80 79 791550 788 402 40465536 8 8 8show checksum
Display the configuration checksum. (Unprivileged mode.)
show checksum
Usage Guidelines
This command displays four groups of hexadecimal numbers that act as a digital summary of the contents of the configuration. This same information stores with the configuration when you store it in Flash memory. By using the show config command and viewing the checksum at the end of the configuration listing and using the show checksum command, you can compare the numbers to see if the configuration has changed. The PIX Firewall tests the checksum to determine if a configuration has not been corrupted.
Example
show checksumCryptochecksum: 1a2833c0 129ac70b 1a88df85 650dbb81show conn
Display all active connections. (Privileged mode.)
show conn [count] [foreign|local ip[-ip2] [netmask mask]] [protocol tcp|udp|prot]
[fport|lport port1[-port2]] [state up[,finin][,finout] [,http_get] [,smtp_data] [,smtp_banner]
[,smtp_incomplete][,nojava] [,data_in] [,data_out] [,sqlnet_fixup_data]
[,conn_inbound] [,rpc] [,h323] [,dump]Syntax Description
count
Display only the number of used connections.
foreign| local ip[-ip2] netmask mask
Display active connections by the foreign IP address or by local IP address. Qualify foreign or local active connections by network mask.
protocol tcp|udp|prot
Display active connections by protocol type. prot is a protocol specified by number. Refer to the "Protocols" section in Chapter 1, "" for a list of valid protocol literal names.
fport|lport port1[-port2]
Display foreign or local active connections by port. Refer to the "Ports" section in Chapter 1, "" for a list of valid port literal names.
state
Display active connections by their current state: up (up), FIN inbound (finin), FIN outbound (finout), HTTP get (http_get), SMTP mail data (smtp_data), SMTP mail banner (smtp_banner), incomplete SMTP mail connection (smtp_incomplete), an outbound command denying access to Java applets (nojava), inbound data (data_in), outbound data (data_out), SQL*Net data fix up (sqlnet_fixup_data), inbound connection (conn_inbound), RPC connection (rpc) , H.323 connection (h323), dump clean up connection (dump).
Usage Guidelines
The show conn command displays the number and information about the active TCP connections. lists connection slot flags:
Example
show conn6 in use, 6 most usedTCP out 204.31.17.41:80 in 10.3.3.4:1404 idle 0:00:00 Bytes 11391 flags UHrIOTCP out 204.31.17.41:80 in 10.3.3.4:1405 idle 0:00:00 Bytes 3709 flags UHrIOTCP out 204.31.17.41:80 in 10.3.3.4:1406 idle 0:00:01 Bytes 2685 flags UHrIOTCP out 204.31.17.41:80 in 10.3.3.4:1407 idle 0:00:01 Bytes 2683 flags UHrIOTCP out 204.31.17.41:80 in 10.3.3.4:1403 idle 0:00:00 Bytes 15199 flags UHrIOTCP out 204.31.17.41:80 in 10.3.3.4:1408 idle 0:00:00 Bytes 2688 flags UHrIOUDP out 192.150.50.70:24 in 10.3.3.4:1402 idle 0:01:30 flags dUDP out 192.150.50.70:23 in 10.3.3.4:1397 idle 0:01:30 flags dUDP out 192.150.50.70:22 in 10.3.3.4:1395 idle 0:01:30 flags dIn this example, host 10.3.3.4 on the inside has accessed a web site at 204.31.17.41. The global address on the outside interface is 192.150.50.70. The flags indicate that the first five TCP connections are up (U), for HTTP (H), in use (r), and that data has gone in and out. The last three UDP connections are in dump (clean up) state.
show history
Display previously entered lines. (Privileged mode.)
show history
Usage Guidelines
This command displays previously entered commands. You can examine commands individually with the up and down arrows or by entering ^p to view previously entered lines or ^n to view the next line.
Example
show historyenable...show memory
Show system memory utilization. (Privileged mode.)
show memory
Usage Guidelines
This command displays a summary of the maximum physical memory and current free memory available to the PIX Firewall operating system. Memory in the PIX Firewall is allocated as needed.
Example
show memorynnnnnnnn bytes total, nnnnnnn bytes freeshow processes
Display processes. (Privileged mode.)
show processes
Usage Guidelines
This command displays a listing of running processes. Processes are lightweight threads requiring only a few instructions. In the listing, PC is the program counter, SP is the stack pointer, STATE is the address of a thread queue, Runtime is the number of milliseconds that the thread has been running, SBASE is the stack base address, Stack is the current number of bytes used and the total size of the stack, and Process lists the thread's function.
Example
show processesPC SP STATE Runtime SBASE Stack ProcessLsi 800125de 803603d0 80075ba0 0 8035f410 4004/4096 arp_timer...show tech-support
View information to help a support analyst. (Privileged mode.)
show tech-support
Usage Guidelines
The show tech-support command lists information technical support analysts need to help you diagnose PIX Firewall problems.
Example
show tech-supportPIX Version 4.3(n) nnnCompiled on day dd-mmm-98 hh:mm by pixbuildpixfirewall up n days n hours n minsHardware: Pentium 133, 16 MB RAM, CPU Pentium 133 MHz...show traffic
Shows interface transmit and receive activity. (Privileged mode.)
show traffic
Usage Guidelines
This command lists the number of packets and bytes moving through each interface. The number of seconds is the duration the PIX Firewall has been online since the last reboot.
Example
show trafficoutside:received (in 3786 secs):97 packets 6191 bytes42 pkts/sec 1 bytes/sectransmitted (in 3786 secs):99 packets 10590 bytes0 pkts/sec 2 bytes/sec ...show version
View the PIX Firewall operating information. (Unprivileged mode.)
show version
Usage Guidelines
This command lets you view the PIX Firewall's software version, operating time since last reboot, processor type, Flash memory type, interface boards, and serial number (BIOS ID). If the Flash memory type states "atmel," then it is the 2 MB unit; otherwise, it is the 512 KB version. PIX Firewall units with serial numbers 06002016 and higher have 2 MB Flash memory cards, as do all PIX10000 units, and all PIX510 and PIX520 units.
Example
show versionPIX Version 4.3(n)nnn PointCompiled on Sat 16-May-98 04:08 by pixbuildFinesse Bios V3.3pixfirewall up 100 days 6 hours 17 minsHardware: Pentium 133, 16 MB RAM, CPU Pentium 133 MHzFlash atmel @ base 0x3000: ethernet0: address is 00a0.c90a.eb4d1: ethernet1: address is 00a0.c986.8eea2: ethernet2: address is 00a0.c90a.eb43Serial Number: 0600nnnnsnmp-server
Provide SNMP event information. (Configuration mode.)
snmp-server community key
snmp-server contact text
snmp-server host if_name local_ip
snmp-server location text
snmp-server enable traps
clear snmp-server [contact text]
clear snmp-server [host if_name local_ip]
clear snmp-server [location text]
no snmp-server [contact text]
no snmp-server [host if_name local_ip]
no snmp-server [location text]
no snmp-server enable traps
show snmp-server
Syntax Description
Usage Guidelines
Use the snmp-server command to identify your name, location, and the host to which SNMP traps should be sent. Refer to "Step 15 - Enable Syslog" in Chapter 2, "" for more information on SNMP events. The clear snmp-server and no snmp-server commands remove the information. The show snmp-server command displays the information.
To send traps to an SNMP server:
Step 1
Step 2
Step 3
logging trap debuggingCisco recommends that you use the debugging level during initial setup and during testing. Thereafter, set the level from debugging to errors for production use.
Step 4
Only syslog messages in the syslog MIB are controlled by this command.
Example
snmp-server community wallawallabingbangsnmp-server location Building 42, Sector 54snmp-server contact Sherlock Holmessnmp-server host perimeter 10.1.2.42show snmpsnmp-server host 10.1.2.42snmp-server location Building 42, Sector 54snmp-server contact Sherlock Holmessnmp-server community wallawallabingbangstatic
Map local IP address to a global IP address. (Configuration mode.)
static [(internal_if_name, external_if_name)] global_ip local_ip [netmask network_mask]
[max_conns [em_limit]] [norandomseq]no static [[(internal_if_name, external_if_name)] global_ip local_ip[netmask network_mask]
[max_conns [em_limit]] [norandomseq]]show static
Syntax Description
Usage Guidelines
The static command creates a permanent mapping (called a static translation slot or "xlate") between a local IP address and a global IP address. Use the static and conduit commands when you are accessing an interface of a higher security level from an interface of a lower security level; for example, when accessing the inside from a perimeter or the outside interface.
The interface names on the static command may seem confusing at first. This is further complicated by how NAT is handled on the PIX Firewall. If NAT is disabled, with the nat 0 command, statics are specified with a different set of rules than when NAT is enabled. For either no NAT or NAT, the rule of which command to access an interface stays the same as shown in .
assumes that the security levels are 40 for dmz1 and 60 for dmz2.
With NAT Enabled
NAT (Network Address Translation) is enabled with the nat n command where "n" has the value 1 or greater; for example, nat 1 0 0.
Always specify the interface name of the highest security level interface you are accessing, followed by the lower security level interface. The IP addresses are also confusing because the first IP address you specify is for the lower security level interface. The second IP address is for the higher security level interface. The way to remember this is as follows:
static (high,low) low high
For example, assume you have four interfaces on the PIX Firewall that have security levels set with the nameif command as follows:
nameif ethernet0 outside security0nameif ethernet1 inside security100nameif ethernet2 dmz1 security40nameif ethernet3 dmz2 security60To access the inside from the outside interface, you need a static command like:
static (inside,outside) outside_ip_address inside_ip_address netmask maskReplace outside_ip_address with the global IP address (an IP address on the lower security level interface). Replace inside_ip_address with the IP address of the host on the higher security level interface that you want to grant access to. Use these replacements in the rest of the commands in this section. Replace mask with 255.255.255.255 for host addresses, except when subnetting is in effect; for example, 255.255.255.128. For network addresses, use the appropriate class mask; for example, for Class A networks, use 255.0.0.0.
To access the inside from the dmz1 interface, you need a static command like:
static (inside,dmz1) dmz1_ip_address inside_ip_address netmask maskTo access the inside from the dmz2 interface, you need a static command like:
static (inside,dmz2) dmz2_ip_address inside_ip_address netmask maskTo access the dmz2 interface from the dmz1 interface, you need a static command like:
static (dmz2,dmz1) dmz1_ip_address dmz2_ip_address netmask maskTo go the other way around, from a higher security level interface to a lower security level interface, use the nat and global commands. For example, to access dmz1 from dmz2, use these commands:
nat (dmz2) 1 0 0global (dmz1) 1 global_ip_address-global_ip_addressReplace global_ip_address-global_ip_address with the IP address range of the addresses in the pool of global addresses. The nat command specifies the name of the higher security level interface; the pool of global addresses are on the lower security level interface.
View the nat command page for more information on using these commands.
Note
The first IP address you specify in the static command is the first IP address you specify in the conduit command as shown in this example:
static (dmz2,dmz1) 10.1.1.1 192.168.1.1 netmask 255.255.255.255conduit permit tcp host 10.1.1.1 10.1.1.0 255.255.255.0The static command maps the address 10.1.1.1 on the dmz1 interface so that users on the dmz1 interface can access the 192.168.1.1 host on the dmz2 interface. The conduit command lets any users in the 10.1.1.0 network access the 10.1.1.1 address over any TCP port.
Note
With No-NAT
With no-NAT, the static command has a different sense of logic. With NAT disabled, addresses on both sides of the firewall are registered addresses. Between interfaces, addresses must be on different subnets that you control with subnetting. Refer to Appendix D, "" for more information.
Without address translation, you protect addresses on the inside or perimeter interfaces by not providing access to them. Without a conduit statement, the inside host cannot be accessed on the outside and is, in effect, invisible to the outside world. Conversely, only by opening statics and conduits to servers on the inside or perimeter interfaces, do the hosts become visible.
The format of the static command becomes different:
static (high,low) high high
Again, the security level set for each interface with the nameif command determines what information you fill in. You are using static to access a higher security interface from a lower security interface. The IP address you want visible on the lower security interface is that of the higher security interface. This is the IP address users on the lower security interface's network will use to access the server on the higher security level interface's network. Because address translation is not occurring, the actual address of the server is presented as both the visible address and the address of the host.
For example, a web server on the dmz, 204.31.17.65 needs to be accessible by users on the outside. The static and conduit statements are:
static (dmz,outside) 204.31.17.65 204.31.17.65 netmask 255.255.255.192conduit permit tcp host 204.31.17.65 eq www anyThe static command presents the 204.31.17.65 address on the outside interface. The DNS server on the outside would map this IP address to the domain of the company; for example, domain1.com. Users accessing domain1.com are permitted to access the web server via port 80 by the conduit command.
Another example of no-NAT statics would be when users on dmz1 need to access a web server on dmz2. The network uses a Class C address and subnets it with the .192 subnet. Addresses 204.31.17.65 to 204.31.17.126 are on dmz1, and addresses 204.31.17.129 to 204.31.17.190 are on dmz2. The web server is at 204.31.17.142. The static and conduit statements are:
static (dmz2,dmz1) 204.31.17.142 204.31.17.142 netmask 255.255.255.192conduit permit tcp host 204.31.17.142 eq www 204.31.17.64 255.255.255.192The static statement opens access to the web server at 204.31.17.142. The conduit statement permits access to the web server only on port 80 (www) and further refines the access to stipulate that only users on the 204.31.17.64 subnet can access the web server. Refer to Appendix D, "" for more information on subnetting.
Additional static Information
After changing or removing a static statement, use the clear xlate command. If the previous condition persists, save your configuration with the write memory command and then reboot the PIX Firewall.
You can create a single mapping between the global and local hosts, or create a range of statics known as net statics.
The static command determines the network mask of network statics by the netmask option or by the number in the first octet of the global IP address. The netmask option can be used to override the number in the first octet. If the address is all zeros where the net mask is zero, then the address is a net address.
Note
You can have as many statics as needed as long the total size of your configuration does not exceed 1,625,088 characters if your PIX Firewall has a 2 MB Flash memory board, or 102,400 characters if your PIX Firewall has a 512 KB Flash memory board. To determine what type of board is in your firewall, use the show version command. The 2 MB board contains this statement in the display:
Flash atmel @ base 0x300
See also: conduit.Examples
The example that follows creates a static command and then permits users to call in through H.323 using Intel InternetPhone or MS NetMeeting to 10.1.1.222 using IP address 204.31.17.222 to 10.1.1.188 using IP address 204.31.17.188, and so on. The net static command that follows maps addresses 204.31.17.1 through 204.31.17.254 to local addresses 10.1.1.1 through 10.1.1.254.
static (inside, outside) 204.31.17.0 10.1.1.0 8 50conduit permit tcp host 204.31.17.0 eq h323 anyThe following example shows the commands used to disable Mail Guard:
static (dmz1,outside) 204.31.17.1 10.1.1.1 netmask 255.255.255.255conduit permit tcp host 204.31.17.1 eq smtp anyno fixup protocol smtp 25In this example, the static command sets up a global address to permit outside hosts access to the 10.1.1.1 mail server host on the dmz1 interface. (The MX record for DNS needs to point to the 204.31.17.1 address so that mail is sent to this address.) The conduit command lets any outside users access the global address through the SMTP port (25). The no fixup protocol command disables the Mail Guard feature.
syslog
Enable syslog message facility. Obsolete command replaced by the logging command. (Privileged mode.)
Note
sysopt
Change PIX Firewall system options. (Configuration mode.)
sysopt connection enforcesubnet
no sysopt connection enforcesubnet
sysopt connection tcpmss bytes
no sysopt connection tcpmss bytes
sysopt connection timewait
no sysopt connection timewait
sysopt security fragguard
no sysopt security fragguard
clear sysopt
show sysopt
Syntax Description
Usage Guidelines
The sysopt commands let you tune various PIX Firewall security and configuration features. In addition, you can use this command to disable the PIX Firewall IP Frag Guard feature.
sysopt connection enforcesubnet
The sysopt connection enforcesubnet command prevents external users from spoofing internal addresses. This command prevents packets with a source address belonging to the destination subnet from traversing the PIX firewall. For example if a packet arrives from the outside but has a source address belonging to the inside subnet, the PIX Firewall does not let the packet through.
Note
sysopt connection tcpmss
The sysopt connection tcpmss command forces proxy TCP connections to have a maximum segment size no greater than bytes. This command requests that each side not send a packet of a size greater than bytes at any time during the initial TCP connection establishment.
Note
The bytes value can be a minimum of 28 and any maximum number. You can disable this feature by setting bytes to zero. The default is 1460 bytes, which Cisco recommends for Ethernet and mixed Ethernet and Token Ring environments. If the PIX Firewall has all Token Ring interfaces, you can set bytes to 4056. However, if even one link along the path through the network is not a Token Ring, setting bytes to such a high value may cause poor throughput. In its 1460 byte default value, this command increases throughput of the sysopt security fragguard command.
The TCP maximum segment size is the maximum size that an end host can inject into the network at one time (see RFC 793 for more information on the TCP protocol). The sysopt connection tcpmss command is recommended in a network environment being attacked by an overly aggressive TCP or HTTP stack with a faulty path MTU value that is degrading the performance of the PIX Firewall IP Frag Guard feature. Environments where one or more end hosts reside on a Token Ring network are especially susceptible to attack by aggressive TCP or HTTP stacks.
Note
sysopt connection timewait
The sysopt connection timewait command forces each TCP connection to linger in a shortened TIME_WAIT state of at least 15 seconds.
The connection timewait option is necessary for end host applications whose default TCP terminating sequence is simultaneous close instead of the normal shutdown sequence (see RFC 793). In simultaneous close, four TCP segments are exchanges in the shutdown instead of the normal three.
The default behavior of the PIX Firewall is to track the normal three shutdown sequence and release the connection after the third segment. This quick release heuristic enables the PIX Firewall to sustain high connection rate.
However with simultaneous close, the quick release will force one side of the connection to linger in the CLOSING state (see RFC 793). Many sockets in the CLOSING state can degrade the performance of an end host. For instance, some WinSock mainframe clients are known to exhibit this behavior and degrade the performance of the mainframe server. Old versions of HP/UX are also susceptible to this behavior. Enabling the connection timewait option enables a "quiet time" window for the abnormal close down sequence to complete.
The no sysopt connection timewait command disables the option, which is off by default.
Note
sysopt security fragguard
The sysopt security fragguard command enables the IP Frag Guard feature. This feature is disabled by default. This feature enforces two addition security checks in addition to the security checks recommend by RFC 1858 against the many IP fragment style attacks: teardrop, land, and so on. First, each non-initial IP fragments is required to be associated with an already seen valid initial IP fragments. Second, IP fragments are rated to 100 full IP fragmented packets per second to each internal host.
The IP Frag Guard feature operates on all interfaces in the PIX Firewall and cannot be selectively enabled or disabled by interface.
PIX Firewall uses the security fragguard command to enforce the security policy determined by a conduit permit or conduit deny command to permit or deny packets through the PIX Firewall.
Note
Note
Note
The show sysopt command lists the sysopt commands in the configuration. The clear sysopt command resets the sysopt command to default settings. The no sysopt security fragguard disables the IP Frag Guard feature.
Example
no sysopt security fragguardshow sysoptsysopt security fragguardno sysopt connection tcpmssno sysopt connection timewaittacacs-server
Specify a TACACS+ server for use with the aaa command. (Privileged mode.)
tacacs-server [(if_name)] host ip_address [key] [timeout seconds]
clear tacacs-server
no tacacs-server [(if_name)] host [[ip_address] [key]]
show tacacs-server
Syntax Description
Usage Guidelines
Specify a TACACS+ server. Use show tacacs-server to examine the information.
Note
Servers are used in the order entered in the configuration. If the server is offline or fails, the next server is checked. This continues until a working server is found. Use the tacacs-server command before you use the aaa command. The aaa command enables authentication, authorization, and accounting services for access to the TACACS+ server you designate.
The clear tacacs-server command removes all tacacs-server entries from the configuration.
Note
Note
Example
tacacs-server (perimeter) host 192.168.42.42 whatakey!@#$%^&*show tacacs-servertacacs-server (perimeter) host 192.168.42.42 whatakey!@#$%^&*aaa authentication any outside 192.168.42.42 255.255.255.255 0 0 tacacs+tcpchecksum
Test for a TCP checksum error. (Configuration mode.)
tcpchecksum [silent | verbose]
no tcpchecksum
show tcpchecksum
Syntax Description
silent
Disable TCP checksum error checking.
verbose
Display warning on PIX Firewall console if TCP checksum error occurs.
Usage Guidelines
Check for TCP segment integrity and report the error if found.
Example
tcpchecksum verboseshow tcpchecksumtcpchecksum verbosetelnet
Specify internal host for PIX Firewall console access via Telnet. (Privileged mode.)
telnet local_ip [netmask]
clear telnet [local_ip [netmask]]
no telnet [local_ip [netmask]]
show telnet
telnet timeout minutes
show telnet timeout
Syntax Description
Usage Guidelines
The telnet command lets you decide which host can access the PIX Firewall console with Telnet. Up to 16 hosts or networks are allowed access to the PIX Firewall console with Telnet, 5 simultaneously. The show telnet command displays the current list of IP addresses authorized to access the PIX Firewall. Use no telnet or clear telnet to remove Telnet access from a previously set IP address. Use the telnet timeout feature to set the maximum time a console Telnet session can be idle before being logged off by PIX Firewall. The clear telnet command does not affect the telnet timeout duration. The no telnet command cannot be used with the telnet timeout feature.
Use the passwd command to set a password for Telnet access to the console. The default is cisco. Use the who command to view which IP addresses are currently accessing the firewall console. Use the kill command to terminate an active Telnet console session.
If the aaa command is used with the console option, Telnet console access must be authenticated with an authentication server. Authentication of the serial console creates a potential dead-lock situation if the authentication server requests are not answered and you need access to the console to attempt diagnosis.
Note
Usage Notes
1
telnet 192.168.1.12
3
4
5
6
7
8
See also: aaa, kill, passwd, who.
Examples
The following examples permit hosts 192.168.1.3 and 192.168.1.4 to access the PIX Firewall console via Telnet. In addition, all the hosts on the 192.168.2.0 network are given access.
telnet 192.168.1.3 255.255.255.255telnet 192.168.1.4 255.255.255.255telnet 192.168.2.0 255.255.255.0show telnet192.168.1.3 255.255.255.255192.168.1.4 255.255.255.255192.168.2.0 255.255.255.0You can remove individual entries with the no telnet command or all telnet statements with the clear telnet command:
no telnet 192.168.1.3show telnet192.168.1.4 255.255.255.255192.168.2.0 255.255.255.0clear telnetshow telnetYou can change the maximum session idle duration as follows:
telnet timeout 10show telnet timeouttelnet timeout 10 minutesAn example Telnet console login session appears as follows (the password does not display when entered):
PIX passwd: ciscoWelcome to the PIX firewallCopyright (c) 1995-1999 by Cisco Systems, Inc.Restricted Rights LegendUse, duplication, or disclosure by the Government issubject to restrictions as set forth in subparagraph(c) of the Commercial Computer Software - RestrictedRights clause at FAR sec. 52.227-19 and subparagraph(c) (1) (ii) of the Rights in Technical Data and ComputerSoftware clause at DFARS sec. 252.227-7013.Cisco Systems, Inc.170 West Tasman DriveSan Jose, California 95134-1706Type help or `?' for a list of available commands.pixfirewall>terminal
Change console terminal state. (Configuration mode.)
terminal [no] monitor
Syntax Description
Usage Guidelines
The terminal monitor command lets you enable or disable the display of syslog messages in the current session for either Telnet or serial access to the PIX Firewall console. Use the logging monitor command to enable or disable various levels of syslog messages to the console; use the terminal no monitor command to disable the messages on a per session basis. Use terminal monitor to restart the syslog messages for the current session.
Example
logging monitor...terminal no monitortftp-server
Specify the IP address of the TFTP configuration server. (Configuration mode.)
tftp-server local_ip path
no tftp-server [local_ip path]
show tftp-server
Syntax Description
Usage Guidelines
The tftp-server command lets you specify the IP address of a server that you use to propagate PIX Firewall configuration files to your firewalls. Use tftp-server with the configure net command to read from the configuration or with the write net command to store the configuration in the file you specify.
The contents of the path name you specify in tftp-server are appended to the end of the IP address you specify in the configure net and write net commands. The more of a file and path name specification you provide with the tftp-server command, the less you need to do with the configure net and write net commands. If you specify the full path and filename in tftp-server, the IP address in configure net and write net can be represented with a colon ( : ).
The no tftp server command disables access to the server. The show tftp-server command lists the tftp-server statements in the current configuration.
Example
The following example specifies a TFTP server and then reads the configuration from /pixfirewall/config/test_config:
tftp-server 10.1.1.42 /pixfirewall/config/test_config...configure net :timeout
Set the maximum idle time duration. (Configuration mode.)
timeout [xlate [hh:mm:ss]] [conn [hh:mm:ss]] [udp [hh:mm:ss]] [rpc [hh:mm:ss]]
[h323 [hh:mm:ss]] [uauth [hh:mm:ss] [absolute | inactivity]]show timeout
Syntax Description
