Table Of Contents

Command Reference

aaa

aaa-server

access-group

access-list

alias

arp

auth-prompt

ca

clock

conduit

configure

crypto dynamic-map

crypto ipsec

crypto map

debug

disable

domain-name

enable

enable password

established

exit

failover

filter

fixup protocol

flashfs

floodguard

global

help

hostname

interface

ip

ipsec

isakmp

kill

logging

mtu

name / names

nameif

nat

outbound / apply

pager

passwd

perfmon

ping

quit

reload

rip

route

service

session

show

show blocks / clear blocks

show checksum

show conn

show history

show interface

show memory

show processes

show tech-support

show traffic

show uauth

show version

show xlate

snmp-server

static

syslog

sysopt

telnet

terminal

tftp-server

timeout

uauth (clear and show)

url-cache

url-server

virtual

who

write

xlate (clear and show)


Command Reference


This chapter provides detailed descriptions on each PIX Firewall command.

Before using this chapter, read:

"," for important information about command line guidelines including ports and protocols.

"," for information about configuring PIX Firewall for initial access, server access, authentication, and troubleshooting.

"," for background information about IPSec and its components, and how to implement these IPSec features in the PIX Firewall to create a Virtual Private Network (VPN).

The following notes can help you as you configure the PIX Firewall:

View your configuration at any time with the write terminal command.

Save your configuration frequently with the write memory command.

Always check the syntax before entering a command. Enter a command and press the Enter key to view a quick summary, or precede a command with help, as in, help aaa.

View syslog messages as you work on the PIX Firewall. Start accumulating messages with the logging buffered 7 command, view messages with the show logging command, and clear the message buffer with the clear logging command. Syslog messages are described in the System Log Messages for the Cisco Secure PIX Firewall Version 5.0.

PIX Firewall documentation is available online at:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix

Abbreviate commands, such as, using the co t command statement to start configuration mode, the wr t command statement to list the configuration, and wr m to write to Flash memory. Start logging with the lo b 7 command statement and show logging messages with the sh lo command statement.

After changing or removing the alias, conduit, global, nat, outbound, and static commands, use the clear xlate command to make the IP addresses available for access.

You can view possible port and protocol numbers at the following IANA web sites:

http://www.isi.edu/in-notes/iana/assignments/port-numbers

http://www.isi.edu/in-notes/iana/assignments/protocol-numbers

Create your configuration on a text editor and then cut and paste it into the configuration. PIX Firewall lets you paste in a line at a time or the whole configuration. Always check your configuration after pasting large blocks of text to be sure everything copied.

aaa

Enable, disable, or view TACACS+ or RADIUS user authentication, authorization, and accounting for the server previously designated with the aaa-server command. (Configuration mode.)

aaa accounting acctg_service | except inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag

no aaa accounting acctg_service | except inbound | outbound | if_name group_tag

aaa authentication authen_service | except inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag

no aaa authentication [authen_service | except inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag]

aaa authentication [serial | enable | telnet] console group_tag

no aaa authentication [serial | enable | telnet] console group_tag

aaa authorization author_service | except inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask

no aaa authorization [author_service | except inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask]

show aaa

Syntax Description

accounting

Enable or disable accounting services with authentication server. Use of this command requires that you previously used the aaa-server command to designate an authentication server.

acctg_service

The accounting service. Accounting is provided for all services or you can limit it to one or more services. Possible values are any, ftp, http, telnet, or protocol/port. Use any to provide accounting for all TCP services. To provide accounting for UDP services, use the protocol/port form.
For protocol/port, the TCP protocol appears as 6, the UDP protocol appears as 17, and so on, and port is the TCP or UDP destination port. A port value of 0 (zero) means all ports. For protocols other than TCP and UDP, the port is not applicable and should not be used.

authentication

Enable or disable user authentication, prompt user for username and password, and verify information with authentication server.

When used with the console option, enables or disables authentication service for access to the PIX Firewall console over Telnet or from the Console connector on the PIX Firewall unit.

Use of the aaa authentication command requires that you previously used the aaa-server command to designate an authentication server.

authen_service

The application with which a user is accessing a network. Use any, ftp, http, or telnet. The any value enables accounting or authentication for all TCP services. To have users prompted for authentication credentials, they must use FTP, HTTP, or Telnet. (HTTP is the Web and only applies to web browsers that can prompt for a username and password.)

If the authentication or authorization server is authenticating services other than FTP, HTTP, or Telnet, using any will not permit those services to authenticate in the firewall. The firewall only knows how to communicate with FTP, HTTP, and Telnet for authentication and authorization.

Only set this parameter to a service other than any if the authentication or authorization server is set the same way. Unless you want to temporarily restrict access to a specific service, setting a service in this command can increase system administration work and may cause all connections to fail if the authentication or authorization server is authenticating one service and you set this command to another.

authorization

Enable or disable TACACS+ user authorization for services (PIX Firewall does not support RADIUS authorization). The authentication server determines what services the user is authorized to access.

author_service

The services which require authorization. Use any, ftp, http, telnet, or protocol/port. Services not specified are authorized implicitly. Services specified in the aaa authentication command do not affect the services which require authorization.

For protocol/port:

protocol—the protocol (6 for TCP, 17 for UDP, 1 for ICMP, and so on).

port—the TCP or UDP destination port, or port range. The port can also be the ICMP type; that is, 8 for ICMP echo or ping. A port value of 0 (zero) means all ports. Port ranges only applies to the TCP and UDP protocols, not to ICMP. For protocols other than TCP, UDP, and ICMP the port is not applicable and should not be used. An example port specification is:

 aaa authorization udp/53-1024 inside 0 0 0 0

This example enables authorization for DNS lookups to the inside interface for all clients, and authorizes access to any other services that have ports in the range of 53 to 1024.

Note   Specifying a port range may produce unexpected results at the authorization server. PIX Firewall sends the port range to the server as a string with the expectation that the server will parse it out into specific ports. Not all servers do this. In addition, you may want users to be authorized on specific services, which will not occur if a range is accepted.

except

Create an exception to a previously specified set of services.

inbound

Authenticate or authorize inbound connections. Inbound means the connection originates on the outside interface and is being directed to the inside or perimeter.

outbound

Authenticate or authorize outbound connections. Outbound means the connection originates on the inside and is being directed to the outside or perimeter.

if_name

Interface name from which users require authentication. Use if_name in combination with the local_ip address and the foreign_ip address to determine where access is sought and from whom. The local_ip address is always on the highest security level interface and foreign_ip is always on the lowest. See the Examples section for how the if_name affects the use of this command.

local_ip

The IP address of the highest security level interface from which or to which access is sought. You can set this address to 0 to let the authentication server decide which hosts are authenticated.

local_mask

Network mask of local_ip. Always specify a specific mask value. Use 0 if the IP address is 0.

foreign_ip

The IP address of the lowest security level interface from which or to which access is sought.

foreign_mask

Network mask of foreign_ip. Always specify a specific mask value. Use 0 if the IP address is 0.

console

Specify that access to the PIX Firewall console require authentication and optionally, log configuration changes to a syslog server.

The aaa authentication serial console command lets you require authentication verification to access the PIX Firewall's serial console. The serial console option also logs to a syslog server changes made to the configuration from the serial console.

Authenticated access to the PIX Firewall console has different types of prompts depending on the option you choose with the aaa authentication [serial|enable|telnet] console command. While the enable option allows three tries before stopping with an access denied message, both the serial and telnet options cause the user to be prompted continually until successfully logging in. The serial option requests a username and password before the first command line prompt on the serial console connection. The telnet option forces you to specify a username and password before the first command line prompt of a Telnet console connection. The enable option requests a username and password before accessing privileged mode for serial or Telnet connections.

Telnet access to the PIX Firewall console is available from any internal interface (not the outside interface) and requires previous use of the telnet command.

Authentication of the serial console creates a potential dead-lock situation if the authentication server requests are not answered and you need access to the console to attempt diagnosis. If the console login request times out, you can gain access to the PIX Firewall from the serial console by entering the pix username and the enable password.

The maximum password length for accessing the console is 16 characters.

group_tag

The group tag set with the aaa-server command.


Usage Guidelines

The aaa command enables or disables the following AAA (Authentication, Authorization, and Accounting) features:

User authentication services. A user starting a connection via FTP, Telnet, or over the World Wide Web is prompted for their username and password. An authentication server, designated previously with the aaa-server command, verifies whether the username and password are correct. If the username and password are correct, PIX Firewall lets further traffic between the authentication server and the connection interact independently through the PIX Firewall unit's "Cut-Through Proxy" feature.

Authentication access to the PIX Firewall unit's console via Telnet or the serial console. (Telnet access requires previous use of the telnet command.)

User authorization services for TACACS+ connections that let the authentication server determine which services the user can access.

Accounting services so that administrators can track which hosts accessed the PIX Firewall.


Note   PIX Firewall does not support RADIUS authorization.



Note   If the AAA console login request times out, you can gain access to the PIX Firewall from the serial console by entering the pix username and the enable password.


Usage Notes

1 The aaa command is not intended to mandate your security policy. The authentication and authorization servers determine whether a user can or cannot access the system, what services can be accessed, and what IP addresses the user can access. The PIX Firewall interacts with FTP, HTTP (Web access), and Telnet to display the credentials prompts for logging in to the network or logging in to exit the network. You can specify that only a single service be authenticated, but this must agree with the authentication server to ensure that both the firewall and server agree.

2 Accounting information is only sent to the active server in a server group.

3 The prompts users see requesting AAA credentials differ between the three services that can access the PIX Firewall for authentication: Telnet, FTP, and HTTP (Web):

(a) Telnet users see a prompt generated by the PIX Firewall that you can change with the auth-prompt command. The PIX Firewall permits a user up to four chances to log in and then if the username or password still fails, the PIX Firewall drops the connection.

(b) FTP users receive a prompt from the FTP program. If a user enters an incorrect password, the connection is dropped immediately. If the username or password on the authentication database differs from the username or password on the remote host to which you are using FTP to access, enter the username and password in these formats:

authentication_user_name@remote_system_user_name
authentication_password@remote_system_password

If you daisy-chain PIX Firewall units, Telnet authentication works in the same way as a single unit, but FTP and HTTP authentication have additional complexity for users because they have to enter each password and username with an additional at (@) character and password or username for each daisy-chained system. Users can exceed the 63-character password limit depending on how many units are daisy-chained and password length.

Some FTP graphical user interfaces (GUIs) do not display challenge values.

(c) HTTP users see a pop-up window generated by the browser itself. If a user enters an incorrect password, the user is reprompted. When the web server and the authentication server are on different hosts, use the virtual command to get the correct authentication behavior.

4 Use of the aaa authorization command requires previous use of the aaa authentication command; however, use of the aaa authentication command does not require use of an aaa authorization command.

5 If you want to allow connections to come from any host, code the local IP address and netmask as 0.0.0.0 0.0.0.0, or 0 0. The same convention applies to the foreign host IP address and netmask; 0.0.0.0 0.0.0.0 means any foreign host.

6 Authenticated access to the PIX Firewall console has different types of prompts depending on the option you choose with the aaa authentication ... console command:

(a) enable option—Allows three tries before stopping with "Access denied." The enable option requests a username and password before accessing privileged mode for serial or Telnet connections.

(b) serial option—Causes the user to be prompted continually until successfully logging in. The serial option requests a username and password before the first command line prompt on the serial console connection.

(c) telnet option—Causes the user to be prompted continually until successfully logging in. The telnet option forces you to specify a username and password before the first command line prompt of a Telnet console connection.

7 You can specify an interface name with aaa authentication. In previous versions, if you specified aaa authentication any outbound 0 0 server, PIX Firewall only authenticated outbound connections and not those to the perimeter interface. PIX Firewall now authenticates any outbound connection to the outside as well as to hosts on the perimeter interface. To preserve the behavior of previous versions, use these commands to enable authentication and to disable authentication from the inside to the perimeter interface:

aaa authentication any outbound 0 0 server
aaa authentication except outbound perim_net perim_mask server

8 When using HTTP authentication to a site running Microsoft IIS that has "Basic text authentication" or "NT Challenge" enabled, users may be denied access from the Microsoft IIS server. This occurs because the browser appends the string: "Authorization: Basic=Uuhjksdkfhk==" to the HTTP GET commands. This string contains the PIX Firewall authentication credentials.

Windows NT Microsoft IIS servers respond to the credentials and assume that a Windows NT user is trying to access privileged pages on the server. Unless the PIX Firewall username password combination is exactly the same as a valid Windows NT username and password combination on the Microsoft IIS server, the HTTP GET command is denied.

To solve this problem, PIX Firewall provides the virtual http command which redirects the browser's initial connection to another IP address, authenticates the user, then redirects the browser back to the URL which the user originally requested.

Once authenticated, a user never has to reauthenticate no matter how low the PIX Firewall uauth timeout is set. This is because the browser caches the "Authorization: Basic=Uuhjksdkfhk==" string in every subsequent connection to that particular site. This can only be cleared when the user exits all instances of Netscape Navigator or Internet Explorer and restarts. Flushing the cache is of no use.

As long as the user repeatedly browses the Internet, the browser resends the "Authorization: Basic=Uuhjksdkfhk==" string to transparently reauthenticate the user.

9 Multimedia applications such as CU-SeeMe, InternetPhone, MeetingPoint, and MS Netmeeting silently start the HTTP service before an H.323 session is established from the inside to the outside. To avoid interfering with these applications, do not enter blanket outgoing AAA command statements for all challenged ports such as using the any option. Be selective with which ports and addresses you use to challenge HTTP, and when to set user authentication timeouts to a higher timeout value. If interfered with, the multimedia programs may fail on the PC and may even crash the PC after establishing outgoing sessions from the inside.

10 For outbound connections, first use the nat command to determine which IP addresses can access the firewall. For inbound connections, first use the static and conduit commands to determine which inside IP addresses can be accessed through the firewall from the outside network.

11 When a host is configured for authentication, all users on the host have to use a web browser or Telnet first before performing any other networking activity, such as accessing mail or a news reader. The reason for this is that users must first establish their authentication credentials and programs such as mail agents and newsreaders do not have authentication challenge prompts.

12 The PIX Firewall only accepts 7-bit characters during authentication. After authentication, the client and server can negotiate for 8-bits if required. During authentication, the PIX Firewall only negotiates Go-Ahead, Echo, and NVT (network virtual terminal).

13 Up to 256 TACACS+ or RADIUS servers are permitted (up to 16 servers in each of the up to 16 server groups—set with the aaa-server command). When a user logs in, the servers are accessed one at a time starting with the first server you specify in the configuration, until a server responds.

14 For each IP address, one aaa authentication command is permitted for inbound connections and one for outbound connections. Also, for an IP address, one aaa authorization command is permitted. If you want to authorize more than one service with aaa authorization, use the any parameter for the service type.

15 The PIX Firewall permits only one authentication type per network. For example, if one network connects through the PIX Firewall using TACACS+ for authentication, another network connecting through the PIX Firewall can authenticate with RADIUS, but one network cannot authenticate with both TACACS+ and RADIUS.

16 For the TACACS+ server, if you do not specify a key to the aaa-server command, no encryption occurs.

17 Network browsers such as Netscape Navigator do not present a challenge value during authentication; therefore, only password authentication can be used from a network browser.

18 PIX Firewall supports authentication usernames up to 127 characters and passwords of up to 63 characters. A password or username may not contain an at (@) character as part of the password or username string, except as shown in Note 3.

19 If the first attempt at authorization fails and a second attempt causes a timeout, use the service resetinbound command to reset the client that failed the authorization so that it will not retransmit any connections. An example authorization timeout message in Telnet is:

Unable to connect to remote host: Connection timed out

See also: aaa-server, auth-prompt, service, telnet, virtual.

Examples

1 The following examples demonstrate ways to use the if_name parameter. The PIX Firewall has an inside network of 192.168.1.0, an outside network of 192.150.50.0, and a perimeter network of 192.150.50.0.

This example enables authentication for connections originated from the inside network to the outside network:

aaa authentication any outbound 192.168.1.0 255.255.255.0 192.150.50.0 255.255.255.0 
tacacs+ 

This example enables authentication for connections originated from the inside network to the perimeter network:

aaa authentication any outbound 192.168.1.0 255.255.255.0 192.150.50.0 255.255.255.0 
tacacs+

This example enables authentication for connections originated from the outside network to the inside network:

aaa authentication any inbound 192.168.1.0 255.255.255.0 192.150.50.0 255.255.255.0 
tacacs+

This example enables authentication for connections originated from the outside network to the perimeter network:

aaa authentication any inbound 192.150.50.0 255.255.255.0 192.150.50.0 255.255.255.0 
tacacs+

This example enables authentication for connections originated from the perimeter network to the outside network:

aaa authentication any perimeter 192.150.50.0 255.255.255.0 192.150.50.0 255.255.255.0 
tacacs+

2 This example specifies that IP addresses 10.0.0.1 through 10.0.0.254 can originate outbound connections and then enables user authentication so that those addresses must enter user credentials to exit the firewall. In this example, the first aaa authentication command permits authentication on FTP, HTTP, or Telnet depending on what the authentication server handles. The second aaa authentication command lets host 10.0.0.42 start outbound connections without being authenticated. This example uses the default authentication group tacacs+:

nat (inside) 1 10.0.0.0 255.255.255.0
aaa authentication any outbound 0 0 tacacs+
aaa authentication except outb 10.0.0.42 255.255.255.255 tacacs+ 
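The following model, added here as an illustration and not part of the Cisco reference or PIX software, parses the statement forms shown on this page and applies the documented selection rules: the any/ftp/http/telnet and protocol/port[-port] service forms from the author_service description (port 0 means all ports, ranges only for TCP and UDP, ICMP type in place of a port), the 0 0 "any host" convention of usage note 5, and the except rule of usage note 7 and example 2 above. Its matching semantics are assumptions made for the model, not behaviour stated on the page: a connection is challenged when a non-except rule for the same action and direction covers it and no except rule for that action and direction also matches; an except rule written with a single ip/mask pair (as in the 10.0.0.42 example) is matched against the local address; abbreviations such as outb are accepted for inbound/outbound.

```python
"""Model of which connections a PIX aaa authentication/authorization
statement selects. Added illustration, not Cisco code; the matching
semantics below are assumptions described in the lead-in."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

NAMED_SERVICES = {"any": (6, 0), "ftp": (6, 21), "http": (6, 80), "telnet": (6, 23)}
PROTO_NAMES = {"tcp": 6, "udp": 17, "icmp": 1}


@dataclass(frozen=True)
class Service:
    proto: int       # IP protocol number: 6 TCP, 17 UDP, 1 ICMP
    lo: int          # port, ICMP type, or low end of a range; 0 = all ports
    hi: int          # high end of a range (equals lo when not a range)
    is_range: bool   # protocol/lo-hi; the AAA server must parse the range itself


def parse_service(spec: str) -> Service:
    """Parse any|ftp|http|telnet or protocol/port[-port]; 'any' is all TCP."""
    if spec in NAMED_SERVICES:
        proto, port = NAMED_SERVICES[spec]
        return Service(proto, port, port, False)
    proto_s, sep, port_s = spec.partition("/")
    if not sep:
        raise ValueError(f"unknown service {spec!r}")
    proto = PROTO_NAMES[proto_s] if proto_s in PROTO_NAMES else int(proto_s)
    if "-" in port_s:
        if proto not in (6, 17):
            raise ValueError("port ranges apply only to TCP and UDP")
        lo, hi = (int(p) for p in port_s.split("-", 1))
        return Service(proto, lo, hi, True)
    port = int(port_s)
    if proto not in (1, 6, 17) and port != 0:
        raise ValueError(f"port is not applicable to protocol {proto}")
    return Service(proto, port, port, False)


def service_covers(svc: Service, proto: int, port: int) -> bool:
    """True when the rule's service covers a connection to proto/port."""
    if svc.proto != proto:
        return False
    if svc.lo == 0 and not svc.is_range:   # port 0 means every port or type
        return True
    return svc.lo <= port <= svc.hi


@dataclass(frozen=True)
class AaaRule:
    action: str                 # authentication | authorization | accounting
    is_except: bool
    service: Optional[Service]  # None for an except rule
    direction: str              # inbound | outbound | interface name
    local: ipaddress.IPv4Network
    foreign: ipaddress.IPv4Network
    group_tag: Optional[str]


def _net(addr: str, mask: str) -> ipaddress.IPv4Network:
    """'0 0' and '0.0.0.0 0.0.0.0' both mean any host (usage note 5)."""
    addr = "0.0.0.0" if addr == "0" else addr
    mask = "0.0.0.0" if mask == "0" else mask
    return ipaddress.IPv4Network((addr, mask), strict=False)


def parse_aaa(line: str) -> AaaRule:
    tok = line.split()
    if len(tok) < 6 or tok[0] != "aaa" or tok[1] not in ("authentication", "authorization", "accounting"):
        raise ValueError(f"not an aaa statement: {line!r}")
    action, i = tok[1], 2
    is_except = tok[i] == "except"
    service = None if is_except else parse_service(tok[i])
    direction = tok[i + 1]
    for full in ("inbound", "outbound"):        # accept abbreviations such as outb
        if full.startswith(direction):
            direction = full
    i += 2
    addrs = []
    while i < len(tok) and all(c in "0123456789." for c in tok[i]):
        addrs.append(tok[i])
        i += 1
    group_tag = tok[i] if i < len(tok) else None
    if len(addrs) == 2:                          # single pair: local side only (model assumption)
        local, foreign = _net(*addrs), _net("0", "0")
    elif len(addrs) == 4:
        local, foreign = _net(*addrs[:2]), _net(*addrs[2:])
    else:
        raise ValueError(f"expected 2 or 4 address tokens: {line!r}")
    return AaaRule(action, is_except, service, direction, local, foreign, group_tag)


def requires_aaa(rules, action, direction, local_ip, foreign_ip, proto, port) -> bool:
    """Is this connection challenged? Except rules win over covering rules (assumption)."""
    lip, fip = ipaddress.ip_address(local_ip), ipaddress.ip_address(foreign_ip)
    hits = [r for r in rules
            if r.action == action and r.direction == direction
            and lip in r.local and fip in r.foreign]
    if any(r.is_except for r in hits):
        return False
    return any(service_covers(r.service, proto, port) for r in hits if not r.is_except)


# Statements taken from example 2 and the author_service description on this page
CONFIG = """
aaa authentication any outbound 0 0 tacacs+
aaa authentication except outb 10.0.0.42 255.255.255.255 tacacs+
aaa authorization udp/53-1024 inside 0 0 0 0
"""
RULES = [parse_aaa(l) for l in CONFIG.strip().splitlines()]
```

Running requires_aaa(RULES, "authentication", "outbound", "10.0.0.5", "192.150.50.9", 6, 23) returns True, while the same call for 10.0.0.42 returns False because the except statement matches; a UDP connection from 10.0.0.5 is not challenged at all, since any covers TCP services only. The is_range flag on a parsed Service marks exactly the rules that the Note above warns about, where the server rather than the firewall has to interpret the port range.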

3 This example permits inbound access to any IP address in the range of 192.150.50.1 through 192.150.50.254. All services are permitted by the conduit command, and the aaa authentication command permits authentication on FTP, HTTP, or Telnet depending on what the authentication server handles. The authentication server is at IP address 10.16.1.20 on the inside interface:

aaa-server AuthIn protocol tacacs+
aaa-server AuthIn (inside) host 10.16.1.20 thisisakey timeout 20
static (inside, outside) 192.150.50.0 10.16.1.0 netmask 255.255.255.0 10 60
conduit permit tcp 192.150.50.0 255.255.255.0 10.16.1.0 255.255.255.0
aaa authentication any inbound 0 0 AuthIn

4 This example enables authorization for DNS lookups from the outside interface:

aaa authorization udp/53 inbound 0.0.0.0 0.0.0.0

5 This example enables authorization of ICMP echo-reply packets arriving at the inside interface from inside hosts:

 aaa authorization 1/0 outbound 0.0.0.0 0.0.0.0

This means that users will not be able to ping external hosts if they have not been authenticated using Telnet, HTTP, or FTP.

6 This example enables authorization for ICMP echoes (pings) only that arrive at the inside interface from an inside host:

aaa authorization 1/8 outbound 0.0.0.0 0.0.0.0 

aaa-server

Specify an AAA server. (Configuration mode.)

aaa-server group_tag (if_name) host server_ip key timeout seconds

no aaa-server group_tag (if_name) host server_ip key timeout seconds

aaa-server group_tag protocol auth_protocol

clear aaa-server [group_tag]

Syntax Description

group_tag

An alphanumeric string which is the name of the server group. Use the group_tag in the aaa command to associate aaa authentication and aaa accounting command statements to an AAA server.

if_name

The interface name on which the server resides.

host server_ip

The IP address of the TACACS+ or RADIUS server.

key

A case-sensitive, alphanumeric keyword of up to 127 characters that is the same value as the key on the TACACS+ server. Any characters entered past 127 are ignored. The key is used between the client and server for encrypting data between them. The key must be the same on both the client and server systems. Spaces are not permitted in the key, but other special characters are.

timeout seconds

The maximum idle time permitted before PIX Firewall switches to the next AAA server you specified. The default is 5 seconds. The maximum time is 30 seconds.

protocol auth_protocol

The type of AAA server, either tacacs+ or radius.


Usage Guidelines

The aaa-server command lets you specify an AAA server group. PIX Firewall lets you define separate groups of TACACS+ or RADIUS servers for specifying different types of traffic; such as, a TACACS+ server for inbound traffic and another for outbound traffic. Another use is where all outbound HTTP traffic will be authenticated by a TACACS+ server, and all inbound traffic will use RADIUS.

AAA server groups are defined by a tag name that directs different types of traffic to each authentication server. If the first authentication server in the list fails, the AAA subsystem fails over to the next server in the tag group. You can have up to 16 tag groups and each group can have up to 16 AAA servers for a total of up to 256 AAA servers.

The aaa command references the tag group.

The aaa-server command replaces the radius-server and tacacs-server commands.


Note   The previous server type option at the end of the aaa authentication and aaa accounting commands has been replaced with the aaa-server group tag. Backward compatibility with previous versions is maintained by the inclusion of two default protocols for TACACS+ and RADIUS.


If accounting is in effect, the accounting information goes only to the active server.

The default configuration provides these two aaa-server protocols:

aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius

Note   If you are upgrading from a previous version of PIX Firewall and have aaa command statements in your configuration, using the default server groups lets you maintain backward compatibility with the aaa command statements in your configuration.


Examples

1 This example uses the default protocol tacacs+ with the aaa commands:

aaa-server TACACS+ (inside) host 10.1.1.10 thekey timeout 20
aaa authentication any outbound 0 0 0 0 TACACS+
aaa authorization any outbound 0 0 0 0
aaa accounting any outbound 0 0 0 0 TACACS+
aaa authentication any serial console TACACS+

This example specifies that the authentication server with the IP address 10.1.1.10 resides on the inside interface and is in the default TACACS+ server group. The next three command statements specify that any users starting outbound connections to any foreign host will be authenticated using TACACS+, that the users who are successfully authenticated are authorized to use any service, and that all outbound connection information will be logged in the accounting database. The last command statement specifies that access to the PIX Firewall's serial console requires authentication from the TACACS+ server.

2 This example creates the AuthOut and AuthIn server groups for RADIUS authentication and specifies that servers 10.0.1.40, 10.0.1.41, and 10.1.1.2 on the inside interface provide authentication. The servers in the AuthIn group authenticate inbound connections, the AuthOut group authenticates outbound connections:

aaa-server AuthIn protocol radius
aaa-server AuthIn (inside) host 10.0.1.40 ab timeout 20
aaa-server AuthIn (inside) host 10.0.1.41 abc timeout 4
aaa-server AuthOut protocol radius
aaa-server AuthOut (inside) host 10.1.1.2 abc123 timeout 15
aaa authentication any inbound 0 0 0 0 AuthIn
aaa authentication any outbound 0 0 0 0 AuthOut

access-group

Binds the access list access-list-name to the interface interface-name to permit or deny IP packets arriving at the interface. (Configuration mode.)

access-group access-list-name in interface interface-name

clear access-group access-list-name in interface interface-name

no access-group access-list-name in interface interface-name

show access-group access-list-name in interface interface-name

Syntax Description

access-list-name

The name associated with a given access list.

in interface

Filters on inbound packets at the given interface.

interface-name

The name of the network interface.


Usage Guidelines

The access-group command binds the name of a given access list to an interface. Access lists are applied to traffic inbound to the interface. If the access list permits the address, the PIX Firewall continues to process the packet. If the access list rejects the address, the firewall discards the packet and generates a syslog message.

If no access list is bound to an interface, the conduit list or outbound list is checked.


Note   The use of access-group command overrides the conduit and outbound lists for the specified interface-name.



Note   The PIX Firewall currently only supports IPSec on the outside interface. Although the PIX Firewall currently can simulate the Private Link inside termination with the use of the sysopt ipsec pl-compatible command, the termination on the inside interface is not a true termination. For more information on the sysopt ipsec pl-compatible command, see the sysopt command page.


The no access-group command unbinds the "access-list-name" from the interface interface-name.

The show access-group command displays the current access-list bound to the interface(s).

The clear access-group command removes all entries from access-list indexed by "list-name." If "list-name" is not specified, all access-lists are destroyed.

Examples

The following example shows use of the access-group command. The example indicates that access list 101 will be bound to the outside interface.

access-group 101 in interface outside
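The following Python model, added as an illustration and not part of the Cisco reference or PIX software, shows how an access list bound with access-group is evaluated against packets arriving on an interface, using the access-list syntax documented in the next section (permit/deny, protocol keyword or number, netmask form with zero bits ignored, and the any and host abbreviations). The sample configuration is constructed. Two points are assumptions made for the model rather than statements from the page: entries are checked in configuration order with the first match deciding, and a packet that matches no entry is dropped.

```python
"""Evaluation model for PIX access-list entries bound with access-group.
Added illustration, not Cisco code. Assumptions: first match decides and
an unmatched packet is dropped."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PROTO = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}   # None = any IP protocol


@dataclass(frozen=True)
class Ace:
    name: str
    permit: bool
    proto: Optional[int]            # protocol number, or None for ip
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _addr(tok, i):
    """Consume 'any', 'host A' or 'A NETMASK' from tok[i:]; return (network, next index)."""
    if tok[i] == "any":                       # shorthand for 0.0.0.0 0.0.0.0
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":                      # shorthand for A 255.255.255.255
        return ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    # PIX masks are netmasks: zero bits are the bits to ignore
    return ipaddress.IPv4Network((tok[i], tok[i + 1]), strict=False), i + 2


def parse_access_list(line: str) -> Ace:
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"not an access-list entry: {line!r}")
    proto = PROTO[tok[3]] if tok[3] in PROTO else int(tok[3])
    src, i = _addr(tok, 4)
    dst, i = _addr(tok, i)
    if i != len(tok):
        raise ValueError(f"trailing tokens in {line!r}")
    return Ace(tok[1], tok[2] == "permit", proto, src, dst)


def parse_config(text: str):
    """Collect access-list entries by name and access-group bindings by interface."""
    lists, bindings = {}, {}
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] == "access-list":
            ace = parse_access_list(line)
            lists.setdefault(ace.name, []).append(ace)
        elif tok[0] == "access-group":        # access-group NAME in interface IFNAME
            if len(tok) != 5 or tok[2:4] != ["in", "interface"]:
                raise ValueError(f"bad access-group: {line!r}")
            bindings[tok[4]] = tok[1]
    return lists, bindings


def inbound_verdict(lists, bindings, iface, proto, src, dst) -> str:
    """'permit', 'deny' (drop and syslog), or 'no-acl' (conduit/outbound lists apply)."""
    name = bindings.get(iface)
    if name is None:
        return "no-acl"
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in lists.get(name, []):
        if (ace.proto is None or ace.proto == proto) and s in ace.src and d in ace.dst:
            return "permit" if ace.permit else "deny"
    return "deny"                             # assumption: unmatched packets are dropped


# Constructed sample configuration using the page's list name 101
CONFIG = """
access-list 101 permit tcp any host 192.150.50.10
access-list 101 deny ip 192.150.50.0 255.255.255.0 any
access-list 101 permit icmp any any
access-group 101 in interface outside
"""
LISTS, BINDINGS = parse_config(CONFIG)
```

With this configuration, a TCP packet from 172.16.9.9 to 192.150.50.10 arriving on outside is permitted by the first entry, a UDP packet to the same host matches nothing and is dropped, and any packet on the inside interface, which has no list bound, falls through to the conduit and outbound checks.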

access-list

Create an access list. (Configuration mode.)

access-list access-list-name [deny | permit] protocol source source-netmask destination destination-netmask

no access-list access-list-name [deny | permit] protocol source source-netmask destination destination-netmask

clear access-list

show access-list

Syntax Description

access-list-name

Name of an access list.

deny

In relation to an interface, deny does not allow a packet to traverse the PIX Firewall.

In relation to a crypto map entry, deny does not select a packet for IPsec protection. Using the deny keyword prevents traffic from being protected by crypto in the context of that particular crypto map entry. In other words, it does not allow the policy as specified in this crypto map entry to be applied to this traffic.

destination

Address of the network or host to which the packet is being sent. There are three ways to specify the destination:

Use a 32-bit quantity in four-part, dotted-decimal format.

Use the keyword any as an abbreviation for the destination and netmask of 0.0.0.0 0.0.0.0. This keyword is not recommended for access lists used for IPSec via crypto map.

Use host destination as an abbreviation for a destination and netmask of destination 255.255.255.255.

destination-netmask

Netmask bits to be applied to the destination. There are three ways to specify the destination netmask:

Use a 32-bit quantity in four-part, dotted-decimal format. This is a subnet mask (for example, 255.255.255.0 for a Class C network): place ones in the bit positions that must match and zeroes in the bit positions you want to ignore. It is not the inverted wildcard mask (0.0.0.255) used by the Cisco IOS access-list command; a wildcard mask entered here is read as a subnet mask and matches the wrong hosts.

Use the keyword any as an abbreviation for a destination and destination-netmask of 0.0.0.0 0.0.0.0. This keyword is normally not recommended for access lists used for IPSec.

Use host destination as an abbreviation for a destination and destination-netmask of destination 255.255.255.255.

protocol

Name or number of an IP protocol. It can be one of the keywords icmp, ip, tcp, or udp, or an integer in the range 0 to 255 representing an IP protocol number. To match any Internet protocol, including ICMP, TCP, and UDP, use the keyword ip.

For IPSec, the protocol must be IP.

permit

In relation to an interface, permit enables a session to be established across the PIX Firewall.

In relation to a crypto map entry, permit selects a packet for IPsec protection. Using the permit keyword causes all IP traffic that matches the specified conditions to be protected by crypto, using the policy described by the corresponding crypto map entry.

source

Address of the network or host from which the packet is being sent. There are three ways to specify the source:

Use a 32-bit quantity in four-part, dotted-decimal format.

Use the keyword any as an abbreviation for a source and source-netmask of 0.0.0.0 0.0.0.0. This keyword is normally not recommended for use with IPSec.

Use host source as an abbreviation for a source and source-netmask of source 255.255.255.255.

source-netmask

Netmask bits (mask) to be applied to source. There are three ways to specify the source netmask:

Use a 32-bit quantity in four-part, dotted-decimal format. This is a subnet mask: place ones in the bit positions that must match and zeroes in the bit positions you want to ignore. It is not the inverted wildcard mask used by the Cisco IOS access-list command.

Use the keyword any as an abbreviation for a source and source-netmask of 0.0.0.0 0.0.0.0. This keyword is not recommended.

Use host source as an abbreviation for a source and source-netmask of source 255.255.255.255.


Usage Guidelines

The access-list command allows you to create an access list. After you have defined an access list, bind it to an interface using the access-group command or bind it to a crypto map entry using the crypto map command. The show access-list command lists the access-list command statements in the configuration. The clear access-list command removes all access-list command statements from the configuration.


Note   The clear access-list command stops all traffic through the PIX Firewall.



Note   Do not use the access-list command in conjunction with the conduit and outbound commands.



Note   The access-list command uses the same syntax as the Cisco IOS command of the same name with one very important difference. The subnet mask in the PIX Firewall access-list command is specified the same as all other PIX Firewall commands, which is very different than the Cisco IOS version of this command.


If the access list is bound to an interface, the access list selects which traffic will be able to traverse the PIX Firewall. When bound to a crypto map entry, the access list selects which IP traffic will be protected by IPSec and which traffic will not be protected. For example, access lists can be created to protect all IP traffic between Subnet A and Subnet Y or traffic between Host A and Host B.

The access lists themselves are not specific to IPSec. It is the crypto map entry referencing the specific access list that defines whether IPSec processing is applied to the traffic matching a permit in the access list.

Crypto access lists associated with IPSec crypto map entries have four primary functions:

Select outbound traffic to be protected by IPSec (permit = protect).

Indicate the data flow to be protected by the new security associations (specified by a single permit entry) when initiating negotiations for IPSec security associations.

Process inbound traffic in order to filter out and discard traffic that should have been protected by IPSec.

Determine whether or not to accept requests for IPSec security associations on behalf of the requested data flows when processing IKE negotiation from the IPSec peer. (Negotiation is only done for ipsec-isakmp crypto map entries.) In order for a peer's initiated IPSec negotiation to be accepted, it must specify a data flow that is "permitted" by a crypto access list associated with an ipsec-isakmp crypto map entry.

The crypto access list you define will be associated with an interface after you define the corresponding crypto map entry and apply the crypto map set to the interface. Different access lists must be used in different entries of the same crypto map set. However, both inbound and outbound traffic will be evaluated against the same "outbound" IPSec access list. Therefore, the access list's criteria are applied in the forward direction to traffic exiting your PIX Firewall and the reverse direction to traffic entering your PIX Firewall.

If you want certain traffic to receive one combination of IPSec protection (for example, authentication only) and other traffic to receive a different combination of IPSec protection (for example, both authentication and encryption), you need to create two different crypto access lists to define the two different types of traffic. These different access lists are then used in different crypto map entries that specify different IPSec policies.

Cisco recommends that you configure "mirror image" crypto access lists for use by IPSec and that you avoid using the any keyword. See the sections "Mirror Image Crypto Access Lists at each IPSec Peer" and "any Keyword in Crypto Access Lists" in "."


Note   The protocol in access-lists used for IPsec can only be ip. In other words, the granularity of each IPsec tunnel can only be per-host or greater.


If you configure multiple statements for a given crypto access list to be used for IPSec, in general the first permit statement that is matched will be the statement used to determine the scope of the IPSec security association. That is, the IPSec security association will be set up to protect traffic that meets the criteria of the matched statement only. Later, if traffic matches a different permit statement of the crypto access list, a new, separate IPSec security association will be negotiated to protect traffic matching the newly matched access list statement.

Examples

The following example creates a crypto access list named 101 that specifies a Class C subnet for the source and a Class C subnet for the destination of IP packets. The masks are PIX subnet masks, not IOS wildcard masks. When the PIX Firewall uses this crypto access list, all IP traffic that is exchanged between the source and destination subnets will be encrypted.

access-list 101 permit ip 172.21.3.0 255.255.255.0 172.22.2.0 255.255.255.0

This crypto access list would be applied to an interface as an outbound crypto access list after you define a crypto map and apply it to the interface.
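The next block is an added example, not part of this reference and not Cisco code: a small Python model of how the statements above are evaluated. It treats the mask as a subnet mask, as the note on the IOS difference requires, applies first-match semantics, checks inbound traffic in the reverse direction against the same crypto access list, and tests a peer's list for the mirror-image property. The function names, the sample statements and the IOS_FORM line (the same rule written with a wildcard mask, to show how a PIX would misread it) are this example's own.

```python
# Added example, not PIX code: a model of PIX access-list matching.
# Assumption: the mask is a subnet mask (1 bits must match), not an IOS wildcard.
import ipaddress
from dataclasses import dataclass


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


@dataclass(frozen=True)
class Ace:
    action: str      # "permit" or "deny"
    proto: str       # "ip", "tcp", "udp", "icmp" or a protocol number as text
    src: int
    src_mask: int
    dst: int
    dst_mask: int


def _addr(tokens: list) -> tuple:
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0                           # 0.0.0.0 0.0.0.0
    if tok == "host":
        return _ip(tokens.pop(0)), 0xFFFFFFFF  # 255.255.255.255
    return _ip(tok), _ip(tokens.pop(0))       # subnet mask, taken literally


def parse_acl(text: str) -> dict:
    """Parse access-list statements (one per line) into {name: [Ace, ...]}, in order."""
    acl = {}
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue
        name, action, proto = tokens[1:4]
        rest = tokens[4:]
        src, smask = _addr(rest)
        dst, dmask = _addr(rest)
        acl.setdefault(name, []).append(Ace(action, proto, src, smask, dst, dmask))
    return acl


def _in(addr: int, net: int, mask: int) -> bool:
    return (addr & mask) == (net & mask)


def first_match(aces, proto: str, src: str, dst: str):
    """First matching entry wins; None means nothing matched (implicit deny)."""
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if _in(_ip(src), ace.src, ace.src_mask) and _in(_ip(dst), ace.dst, ace.dst_mask):
            return ace
    return None


def interface_permits(aces, proto, src, dst) -> bool:
    """List bound with access-group: only an explicit permit lets the packet through."""
    ace = first_match(aces, proto, src, dst)
    return ace is not None and ace.action == "permit"


def crypto_protects(aces, proto, src, dst, inbound=False) -> bool:
    """Crypto list: inbound packets are checked in the reverse direction against the
    same 'outbound' list. The matched permit entry is also the scope of the IPSec SA."""
    if inbound:
        src, dst = dst, src
    ace = first_match(aces, proto, src, dst)
    return ace is not None and ace.action == "permit"


def mirror(aces):
    """The peer's mirror-image list: each entry with source and destination swapped."""
    return [Ace(a.action, a.proto, a.dst, a.dst_mask, a.src, a.src_mask) for a in aces]


def is_mirror_image(local, remote) -> bool:
    """True when the peer's permit entries are exactly the mirror of ours."""
    want = {a for a in mirror(local) if a.action == "permit"}
    have = {a for a in remote if a.action == "permit"}
    return want == have


# Constructed sample statements (this example's own): the crypto list in PIX form,
# the same rule with an IOS wildcard mask, and the peer's mirror image.
PIX_FORM = "access-list 101 permit ip 172.21.3.0 255.255.255.0 172.22.2.0 255.255.255.0"
IOS_FORM = "access-list 101 permit ip 172.21.3.0 0.0.0.255 172.22.2.0 0.0.0.255"
PEER_FORM = "access-list 201 permit ip 172.22.2.0 255.255.255.0 172.21.3.0 255.255.255.0"

if __name__ == "__main__":
    good = parse_acl(PIX_FORM)["101"]
    bad = parse_acl(IOS_FORM)["101"]
    print("PIX form protects 172.21.3.5->172.22.2.9:", crypto_protects(good, "ip", "172.21.3.5", "172.22.2.9"))
    print("IOS form protects the same flow:", crypto_protects(bad, "ip", "172.21.3.5", "172.22.2.9"))
    print("IOS form 'protects' 10.9.9.0->10.8.8.0:", crypto_protects(bad, "ip", "10.9.9.0", "10.8.8.0"))
    print("peer list is a mirror image:", is_mirror_image(good, parse_acl(PEER_FORM)["201"]))
```

Run as a script, the IOS_FORM line shows the practical effect of the mask note: read as a subnet mask, 0.0.0.255 matches only addresses whose last octet is zero, so the intended subnets are not protected while unrelated addresses such as 10.9.9.0 are.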

alias

Administer overlapping addresses with dual NAT. (Configuration mode.)

alias [(if_name)] dnat_ip foreign_ip [netmask]

no alias [[(if_name)] dnat_ip foreign_ip [netmask]]

show alias

Syntax Description

if_name

The name of the internal network interface on which an address overlaps with foreign_ip.

dnat_ip

An IP address on the internal network that stands in for foreign_ip, so that inside hosts have a non-conflicting address with which to reach the external host.

foreign_ip

IP address on the external network that has the same address as a host on the internal network.

netmask

Network mask applied to both IP addresses. Use 255.255.255.255 for host masks.


Usage Guidelines

The alias command translates one address into another. Use this command to prevent conflicts when you have IP addresses on a network that are the same as those on the Internet or another intranet. You can also use this command to do address translation on a destination address. For example, if a host sends a packet to 192.150.50.1, you can use alias to redirect traffic to another address, such as, 192.150.50.42.


Note   You can use the sysopt nodnsalias command to disable inbound embedded DNS A record fixups according to aliases that apply to the A record address and outbound replies.


After changing or removing an alias command statement, use the clear xlate command.

There must be an A (address) record in the DNS zone file for the "dnat" address in the alias command.

The alias command has two uses, which can be summarized in the following ways of reading an alias command statement:

If the PIX Firewall gets a packet destined for dnat_ip, send it to foreign_ip.

If the PIX Firewall gets a DNS reply for an inside client in which an A record carries foreign_ip, alter the DNS reply to change foreign_ip to dnat_ip.

The no alias command disables a previously set alias command statement. The show alias command displays alias command statements in the configuration.

The alias command automatically interacts with DNS servers on your network to ensure that domain name access to the aliased IP address is handled transparently.

You can specify a net alias by using network addresses for the foreign_ip and dnat_ip IP addresses. For example, alias 10.1.1.0 192.150.50.0 255.255.255.0 creates aliases for each IP address between 192.150.50.1 and 192.150.50.254.


Note   ActiveX blocking does not occur when users access an IP address referenced by the alias command. ActiveX blocking is set with the filter activex command.


Usage Notes

1 To access an alias dnat_ip address with static and conduit command statements, specify the dnat_ip address in the conduit command statement as the address from which traffic is permitted. The following example illustrates this note:

alias (inside) 192.168.8.14 192.150.50.1 255.255.255.255
static (inside,outside) 192.150.50.1 192.168.8.14 netmask 255.255.255.255
conduit permit tcp host 192.150.50.1 eq ftp-data host 192.168.8.14

An alias is specified with the inside address 192.168.8.14 mapping to the foreign address 192.150.50.1.

Examples

1 In this example, an inside network uses IP address 192.159.1.33, which on the Internet belongs to domain.com. When inside clients try to access domain.com, the packets do not go to the firewall because the client thinks 192.159.1.33 is on the local inside network. To correct this, a net alias is created as follows with the alias command:

alias (inside) 192.168.1.0 192.159.1.0 255.255.255.0

show alias
alias 192.168.1.0 192.159.1.0 255.255.255.0

When client 192.159.1.123 connects to domain.com, the DNS response from an external DNS server to the internal client's query would be altered by the PIX Firewall to: 192.168.1.33. If the PIX Firewall uses 192.150.50.1 through 192.150.50.254 as the global pool IP addresses, the packet goes to the PIX Firewall with SRC=192.159.1.123 and DST=192.168.1.33. The PIX Firewall translates it to SRC=192.150.50.254 and DST=192.159.1.33 on the outside.

2 In this example, a web server is on the inside at 10.1.1.11, and a static command statement maps it to 192.150.50.11. The source host is on the outside with address 192.150.50.7. A DNS server on the outside has a record for www.domain.com as follows:

www.domain.com.    IN    A    192.150.50.11


The period at the end of the www.domain.com. domain name must be included.

The alias command is:

alias 10.1.1.11 192.150.50.11 255.255.255.255

PIX Firewall doctors the nameserver replies to 10.1.1.11 for inside clients to directly connect to the web server.

The conduit command statement you would expect to use is:

conduit permit tcp host 192.150.50.11 eq telnet host 192.150.50.7 

But with the alias command, use this command:

conduit permit tcp host 192.150.50.11 eq telnet host 192.159.1.7

You can test the DNS entry for the host with the following nslookup command:

nslookup -type=any www.domain.com
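As an added example (not from this reference and not PIX code), the block below models the two readings of an alias statement given above and applies the second one to a constructed DNS reply: every A record whose address falls in the foreign_ip network is rewritten into the dnat_ip network with the host bits preserved, which is how a net alias covers a whole range. The DNS builder, the sample reply and all function names are assumptions of this example. Nothing here validates the reply, which is also the situation on the firewall: a rewritten answer no longer matches any signature that covered the original record.

```python
# Added example, not PIX code: the two readings of an alias statement applied
# to a DNS reply. Names are this example's own; the reply is built inline.
import ipaddress
import struct
from dataclasses import dataclass


def ip_int(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def fmt(addr: int) -> str:
    return str(ipaddress.IPv4Address(addr))


@dataclass(frozen=True)
class Alias:
    dnat: int
    foreign: int
    mask: int


def parse_alias(line: str) -> Alias:
    """alias [(if_name)] dnat_ip foreign_ip [netmask]; the default netmask is a host mask."""
    tokens = [t for t in line.split()[1:] if not t.startswith("(")]
    mask = tokens[2] if len(tokens) > 2 else "255.255.255.255"
    return Alias(ip_int(tokens[0]), ip_int(tokens[1]), ip_int(mask))


def _translate(addr: int, frm: int, to: int, mask: int):
    """Swap the network part of addr from frm to to, keeping the host part (net alias)."""
    if (addr & mask) != (frm & mask):
        return None
    return (to & mask) | (addr & ~mask & 0xFFFFFFFF)


def outbound_destination(aliases, dst: int) -> int:
    """Reading 1: a packet destined for dnat_ip is sent to foreign_ip."""
    for a in aliases:
        new = _translate(dst, a.dnat, a.foreign, a.mask)
        if new is not None:
            return new
    return dst


def doctor_address(aliases, addr: int) -> int:
    """Reading 2: an A record carrying foreign_ip is rewritten to dnat_ip."""
    for a in aliases:
        new = _translate(addr, a.foreign, a.dnat, a.mask)
        if new is not None:
            return new
    return addr


def _skip_name(pkt: bytes, off: int) -> int:
    """Offset just past a DNS name (labels, or a compression pointer)."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def _resource_records(pkt: bytes):
    """Yield (rdata offset, type, rdlength) for every RR after the question section."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4            # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        yield off, rtype, rdlen
        off += rdlen


def a_records(pkt: bytes) -> list:
    return [fmt(int.from_bytes(pkt[o:o + 4], "big"))
            for o, t, n in _resource_records(pkt) if t == 1 and n == 4]


def doctor_dns_reply(aliases, pkt: bytes) -> bytes:
    """Rewrite the rdata of every type-A RR in place; nothing else is touched."""
    buf = bytearray(pkt)
    for off, rtype, rdlen in _resource_records(pkt):
        if rtype == 1 and rdlen == 4:
            addr = int.from_bytes(buf[off:off + 4], "big")
            buf[off:off + 4] = doctor_address(aliases, addr).to_bytes(4, "big")
    return bytes(buf)


def _encode_name(name: str) -> bytes:
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_a_reply(qname: str, addrs, txid: int = 0x1234) -> bytes:
    """Constructed reply (not a captured packet): one question, one A RR per address."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                       + ipaddress.IPv4Address(a).packed for a in addrs)
    return header + question + answers


# Constructed sample: the net alias and the host alias from the examples above.
ALIASES = [parse_alias("alias (inside) 192.168.1.0 192.159.1.0 255.255.255.0"),
           parse_alias("alias 10.1.1.11 192.150.50.11 255.255.255.255")]

if __name__ == "__main__":
    reply = build_a_reply("domain.com.", ["192.159.1.33", "192.150.50.11", "198.51.100.7"])
    print("A records as received:", a_records(reply))
    print("A records as doctored:", a_records(doctor_dns_reply(ALIASES, reply)))
    print("client sends to 192.168.1.33; PIX forwards to",
          fmt(outbound_destination(ALIASES, ip_int("192.168.1.33"))))
```

The third address in the constructed reply is outside both aliases and passes through unchanged, which is the check to run after adding a net alias: only the overlapping range should be rewritten.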

arp

Change or view the ARP cache, and set the timeout value. (Configuration mode.)

arp if_name ip_address mac_address [alias]

clear arp

no arp if_name ip_address

show arp [if_name] [ip_address mac_address alias]

arp timeout seconds

no arp timeout

show arp timeout

Syntax Description

if_name

The internal or external interface name specified by the nameif command.

ip_address

Host IP address for the ARP table entry.

mac_address

Hardware MAC address for the ARP table entry; for example, 00e0.1e4e.3d8b.

alias

Make this entry permanent. Alias entries do not time out and are automatically stored in the configuration when you use the write command to store the configuration.

seconds

Duration that an ARP entry can exist in the ARP table before being cleared.


Usage Guidelines

The arp command adds an entry to the PIX Firewall ARP cache. ARP is a low-level TCP/IP protocol that resolves a node's physical address from its IP address through an ARP request asking the node with a particular IP address to send back its physical address. The presence of entries in the ARP cache indicates that the PIX Firewall has network connectivity. The clear arp command clears the ARP table but not the alias (permanent) entries. Use the no arp command to remove these entries. The show arp command lists the entries in the ARP table.


Note   You can use the sysopt noproxyarp command to disable proxy-arps on an interface.


Use the arp command to add an entry for new hosts you add on your network or when you swap an existing host for another. Alternatively, you can wait for the duration specified with the arp timeout command to expire and the ARP table rebuilds itself automatically with the new host information.

The arp timeout command sets the duration that an ARP entry can stay in the PIX Firewall ARP table before expiring. The timer is known as the ARP persistence timer. The default value is 14,400 seconds (4 hours).

The no arp timeout command sets the timer to its default value. The show arp timeout command displays its current value.

Examples

The following examples illustrate use of the arp and arp timeout commands:

arp inside 192.168.0.42 00e0.1e4e.2a7c
arp outside 192.168.0.43 00e0.1e4e.3d8b alias
show arp
outside 192.168.0.43 00e0.1e4e.3d8b alias
inside 192.168.0.42 00e0.1e4e.2a7c

clear arp inside 192.168.0.42

arp timeout 42
show arp timeout
arp timeout 42 seconds

no arp timeout
show arp timeout
arp timeout 14400 seconds
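The following added example (not PIX code) models the table behaviour described above: dynamic entries age out after the arp timeout, alias entries survive both the timeout and clear arp and are removed only by no arp, and, in this model, an ARP reply that contradicts a permanent entry is rejected, which is the practical reason to pin the MAC address of a gateway or peer firewall. The class, its methods and the injected clock are assumptions of this example.

```python
# Added example, not PIX code: a model of the PIX ARP table semantics.
import time

DEFAULT_ARP_TIMEOUT = 14400   # seconds (4 hours), the documented default


class ArpTable:
    def __init__(self, now=time.monotonic):
        self._now = now            # injected clock, so expiry can be driven in tests
        self.timeout = DEFAULT_ARP_TIMEOUT
        self._entries = {}         # (if_name, ip) -> [mac, learned_at, is_alias]

    def arp(self, if_name, ip, mac, alias=False):
        """arp if_name ip mac [alias]"""
        self._entries[(if_name, ip)] = [mac, self._now(), alias]

    def no_arp(self, if_name, ip):
        """no arp if_name ip: the only way to drop a permanent entry."""
        self._entries.pop((if_name, ip), None)

    def clear_arp(self):
        """clear arp: drops dynamic entries, keeps alias entries."""
        self._entries = {k: v for k, v in self._entries.items() if v[2]}

    def arp_timeout(self, seconds=DEFAULT_ARP_TIMEOUT):
        """arp timeout seconds; no arp timeout restores the default."""
        self.timeout = seconds

    def learn(self, if_name, ip, mac):
        """Entry learned from an ARP reply. A permanent entry is never overwritten;
        in this model a reply that contradicts it is reported as False (spoofing symptom)."""
        key = (if_name, ip)
        cur = self._entries.get(key)
        if cur is not None and cur[2]:
            return cur[0] == mac
        self._entries[key] = [mac, self._now(), False]
        return True

    def _expire(self):
        now = self._now()
        self._entries = {k: v for k, v in self._entries.items()
                         if v[2] or now - v[1] < self.timeout}

    def lookup(self, if_name, ip):
        self._expire()
        e = self._entries.get((if_name, ip))
        return e[0] if e else None

    def show_arp(self):
        """Lines in the form of show arp output."""
        self._expire()
        return [f"{k[0]} {k[1]} {v[0]}" + (" alias" if v[2] else "")
                for k, v in sorted(self._entries.items())]

    def show_arp_timeout(self):
        return f"arp timeout {self.timeout} seconds"


class FakeClock:
    """Constructed clock for the demonstration; advance() moves time forward."""
    def __init__(self): self.t = 0.0
    def __call__(self): return self.t
    def advance(self, s): self.t += s


if __name__ == "__main__":
    clk = FakeClock()
    tbl = ArpTable(now=clk)
    tbl.arp("inside", "192.168.0.42", "00e0.1e4e.2a7c")
    tbl.arp("outside", "192.168.0.43", "00e0.1e4e.3d8b", alias=True)
    print("\n".join(tbl.show_arp()))
    clk.advance(DEFAULT_ARP_TIMEOUT + 1)
    print("after the persistence timer:", tbl.show_arp())
    print("spoofed reply for pinned host accepted:", tbl.learn("outside", "192.168.0.43", "0000.dead.beef"))
```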

auth-prompt

Change the AAA challenge text. (Configuration mode.)

auth-prompt [accept|reject|prompt] string

clear auth-prompt

no auth-prompt [accept|reject|prompt] string

show auth-prompt

Syntax Description

accept

If a user authentication via Telnet is accepted, display the prompt string.

reject

If a user authentication via Telnet is rejected, display the prompt string.

prompt

The AAA challenge prompt string follows this keyword. This keyword is optional for backward compatibility.

string

A string of up to 177 alphanumeric characters. Special characters should not be used; however, spaces and punctuation characters are permitted. Entering a question mark or pressing the Enter key ends the string. (The question mark appears in the string.)


Usage Guidelines

The auth-prompt command lets you change the AAA challenge text for HTTP, FTP, and Telnet access. This text displays above the username and password prompts that users view when logging in. If you do not use this command, FTP users view FTP authentication, HTTP users view HTTP Authentication, and challenge text does not appear for Telnet access.

If the user authentication occurs from Telnet, you can use the accept and reject options to display different authentication prompts if the authentication attempt is accepted or rejected by the authentication server.

Example

The following example shows how to set the authentication prompt and how users view the prompt:

auth-prompt XYZ Company Firewall Access

After this string is added to the configuration, users view:

XYZ Company Firewall Access
User Name:
Password:

The prompt keyword can be included or omitted. For example:

auth-prompt prompt Hello There!

This command statement is the same as:

auth-prompt Hello There!

ca

Configure the PIX Firewall to interoperate with a Certification Authority (CA). (Configuration mode.)

ca authenticate ca_nickname [fingerprint]

ca configure ca_nickname ca | ra retry_period retry_count [crloptional]

no ca configure ca_nickname

show ca configure

ca crl request ca_nickname

ca enroll ca_nickname challenge_password [serial] [ipaddress]

no ca enroll ca_nickname

ca generate rsa key|specialkey key_modulus_size

ca identity ca_nickname ca_ipaddress[:ca_script_location] [ldap_ip address]

no ca identity ca_nickname

show ca identity

ca save all

no ca save all

show ca certificate

ca zeroize rsa

show ca mypubkey rsa


Note   See the section "About CA" in "," for more information about this IPSec feature.


Syntax Description

ca_nickname

The CA's name. Enter any string that you desire. (If you previously declared the CA and just want to update its characteristics, specify the name you previously created.) The CA might require a particular name, such as its domain name.

Currently the PIX Firewall supports only one CA at a time.

fingerprint

The fingerprint of the CA's certificate, a string of hexadecimal characters obtained from the CA administrator out of band. The PIX Firewall compares it with the fingerprint of the CA certificate it receives and discards the certificate if they differ.

ca | ra

Indicates whether to contact the CA or Registration Authority (RA) when using the ca configure command.

Some CA systems provide a RA, which the PIX Firewall contacts instead of the CA.

retry_period

Specify the number of minutes the PIX Firewall waits before resending a certificate request to the CA when it does not receive a response from the CA to its previous request. Specify from 1 to 60 minutes. By default, the firewall retries every 1 minute.

retry_count

Specify how many times the PIX Firewall will resend a certificate request when it does not receive a certificate from the CA from the previous request. Specify from 1 to 100. The default, 0, indicates that there is no limit to the number of times the PIX Firewall contacts the CA to obtain a pending certificate.

crloptional

Allows other peers' certificates to be accepted by your PIX Firewall even if the appropriate Certificate Revocation List (CRL) is not accessible to your PIX Firewall. The default is without crloptional. With crloptional, a certificate that the CA has revoked is accepted whenever the CRL cannot be fetched, because the firewall has no way to learn of the revocation; use it only where CRL availability is a known problem.

challenge_password

A required password that gives the CA administrator some authentication when a user calls to ask for a certificate to be revoked. It can be up to 80 characters in length.

serial

Specify the PIX Firewall's serial number.

ipaddress

The PIX Firewall's IP address.

key

This specifies that one general-purpose RSA key pair will be generated.

specialkey

This specifies that two special-purpose RSA key pairs will be generated instead of one general-purpose key.

key_modulus_size

The size of the key modulus, which is between 512 and 2048 bits. Choosing a size greater than 1024 bits may cause key generation to take a few minutes. Do not choose less than 1024 bits: 512-bit RSA moduli have been factored and offer no real protection.

ca_ipaddress

The CA's IP address.

:ca_script_location

The default location and script on the CA server is /cgi-bin/pkiclient.exe. If the CA administrator has not put the CGI script in the above location, provide the location and the name of the script in the ca identity command.

A PIX Firewall uses a subset of the HTTP protocol to contact the CA, and so it must identify a particular cgi-bin script to handle CA requests.

ldap_ipaddress

The IP address of the Lightweight Directory Access Protocol (LDAP) server.

By default, querying of a certificate or a CRL is done via Cisco's PKI protocol. If the CA supports LDAP, query functions may also use LDAP.


Usage Guidelines

ca authenticate

The ca authenticate command allows the PIX Firewall to authenticate its CA by obtaining the CA's self-signed certificate, which contains the CA's public key.

In order to authenticate a peer's certificate(s), a PIX Firewall must obtain the CA certificate containing the CA public key. Because the CA certificate is a self-signed certificate, the key should be authenticated manually by contacting the CA administrator. You are given the choice of authenticating the public key in that certificate by including within the ca authenticate command the key's fingerprint, which is retrieved in some out-of-band process. The PIX Firewall will discard the received CA certificate and generate an error message, if the fingerprint you specified is different from the received one. You can also simply compare the two fingerprints without having to enter the key within the command.

If you are using RA mode (within the ca configure command), when you issue the ca authenticate command, the RA signing and encryption certificates will be returned from the CA, as well as the CA certificate.

The ca authenticate command is not saved to the PIX Firewall configuration. However, the public keys embedded in the received CA (and RA) certificates are saved in the configuration as part of the RSA public key record (called the "RSA public key chain"). To save the public keys permanently to Flash memory, use the ca save all command.

To view the CA's certificate, use the show ca certificate command.


Note   If the CA does not respond by a timeout period after this command is issued, the terminal control will be returned so it will not be tied up. If this happens, you must re-enter the command.


Example

In this example, a request for the CA's certificate was sent to the CA. The fingerprint was not included in the command. The CA sends its certificate and the PIX Firewall prompts for verification of the CA's certificate by checking the CA certificate's fingerprint. Using the fingerprint associated with the CA's certificate retrieved in some out-of-band process from a CA administrator, compare the two fingerprints. If both fingerprints match, then the certificate is considered valid.

ca authenticate myca
Certificate has the following attributes:
Fingerprint: 0123 4567 89AB CDEF 0123

The following example shows the error message. This time, the fingerprint is included in the command. The two fingerprints do not match, and therefore the certificate is not valid.

ca authenticate myca 0123456789ABCDEF0123

Certificate has the following attributes:
Fingerprint: 0123 4567 89AB CDEF 5432
%Error in verifying the received fingerprint. Type help or `?' for a list of available commands.

ca configure

The ca configure command is used to specify the communication parameters between the PIX Firewall and the CA.

Use the no ca configure command to reset each of the communication parameters to the default value. If you want to show the current settings stored in RAM, use the show ca configure command.

Example

The following example indicates myca is the name of the CA and the CA will be contacted rather than the RA. It also indicates the PIX Firewall will wait 5 minutes before sending another certificate request, if it does not receive a response, and will resend a total of 15 times before dropping its request. If the CRL is not accessible, crloptional tells the PIX Firewall to accept other peers' certificates.

ca configure myca ca 5 15 crloptional

ca crl request

The ca crl request command allows the PIX Firewall to obtain an updated CRL from the CA at any time.

A PIX Firewall automatically requests a CRL from the CA at various times, depending on whether the CA is in the RA mode or not. If the CA is not in the RA mode, a CRL is requested whenever the system reboots and finds that it does not already contain a valid (un-expired) CRL. If the CA is in the RA mode, no CRL can be obtained until a peer's certificate is sent via an ISAKMP exchange. This is because the certificate itself contains the location where the PIX Firewall must query to get the appropriate CRL. When a CRL expires, the PIX Firewall automatically requests an updated one. Until a new valid CRL is obtained, the PIX Firewall will not accept peers' certificates.

Use the ca crl request command only if your CA does not support an RA. A CRL lists all the network's devices' certificates that have been revoked. The PIX Firewall will not accept revoked certificates; therefore, any peer with a revoked certificate cannot exchange IPSec traffic with your firewall.

The first time your PIX Firewall receives a certificate from a peer, it will download a CRL from the CA. Your PIX Firewall then checks the CRL to make sure the peer's certificate has not been revoked. (If the certificate appears on the CRL, it will not accept the certificate and will not authenticate the peer.)

A CRL can be reused with subsequent certificates until the CRL expires. If your PIX Firewall receives a peer's certificate after the applicable CRL has expired, it will download the new CRL.

If your PIX Firewall has a CRL which has not yet expired, but you suspect that the CRL's contents are out of date, use the ca crl request command to request that the latest CRL be immediately downloaded to replace the old CRL.

The ca crl request command is not saved with the PIX Firewall configuration between reloads.

Example

The following example indicates the PIX Firewall will obtain an updated CRL from the CA with the name myca:

ca crl request myca
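The block below is an added example, not PIX code, modelling the two decisions described under ca authenticate and ca crl request: (1) comparing the received CA certificate's fingerprint against one obtained out of band, in constant time and after stripping the spaces the device prints; (2) accepting or rejecting a peer certificate against a CRL, with the crloptional behaviour from ca configure. Assumptions, also labelled in the code: the fingerprint is the MD5 digest of the DER certificate (the page does not name the hash), the DER bytes are a constructed stand-in rather than a real certificate, and all function names are the example's own. This model still rejects a serial listed on a stale CRL even with crloptional, which is stricter than the page states.

```python
# Added example, not PIX code: CA fingerprint verification and peer-certificate
# acceptance against a CRL, as a model of the behaviour described on this page.
import datetime
import hashlib
import hmac
from dataclasses import dataclass


def fingerprint(der: bytes) -> str:
    """Assumption: the printed fingerprint is the MD5 digest of the DER certificate."""
    return hashlib.md5(der).hexdigest().upper()


def pretty(fp: str) -> str:
    """Groups of four, as the device prints it: '0123 4567 89AB ...'."""
    return " ".join(fp[i:i + 4] for i in range(0, len(fp), 4))


def authenticate_ca(received_der: bytes, expected_fp=None):
    """Returns (accepted, fingerprint). Without an expected fingerprint the decision
    is left to the operator (accepted is None), as when ca authenticate is issued
    without the fingerprint argument; with one, a mismatch rejects the certificate.
    Whitespace and case in the operator's copy are ignored; comparison is constant time."""
    fp = fingerprint(received_der)
    if expected_fp is None:
        return None, fp
    ok = hmac.compare_digest("".join(expected_fp.split()).upper(), fp)
    return ok, fp


@dataclass
class Crl:
    revoked: frozenset              # certificate serial numbers
    next_update: datetime.datetime  # the CRL is valid until this time


NOW = datetime.datetime(2000, 1, 1)   # fixed reference time for the demonstration


def make_crl(revoked, valid_days: int, now: datetime.datetime = NOW) -> Crl:
    """Constructed CRL: valid_days < 0 produces one that has already expired."""
    return Crl(frozenset(revoked), now + datetime.timedelta(days=valid_days))


def accept_peer_certificate(serial: str, crl, now: datetime.datetime, crloptional=False) -> bool:
    """A serial known to be revoked is never accepted. If no CRL is held or the
    held CRL has expired, the certificate is rejected unless crloptional is set."""
    if crl is not None and serial in crl.revoked:
        return False
    if crl is None or now >= crl.next_update:
        return crloptional
    return True


# Constructed stand-in bytes, not real certificates.
CA_DER = bytes.fromhex("308201223082010a") + b"example CA certificate body"
OTHER_DER = bytes.fromhex("308201223082010a") + b"some other certificate body"

if __name__ == "__main__":
    _, fp = authenticate_ca(CA_DER)
    print("Certificate has the following attributes:")
    print("Fingerprint:", pretty(fp), "(operator compares out of band)")
    print("matching fingerprint accepted:", authenticate_ca(CA_DER, pretty(fp))[0])
    print("wrong fingerprint accepted:", authenticate_ca(CA_DER, fingerprint(OTHER_DER))[0])
    crl = make_crl({"1F"}, 1)
    print("peer 2A with a valid CRL:", accept_peer_certificate("2A", crl, NOW))
    print("peer 1F (revoked):", accept_peer_certificate("1F", crl, NOW))
    print("peer 2A, no CRL, crloptional:", accept_peer_certificate("2A", None, NOW, crloptional=True))
```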

ca enroll

The ca enroll command is used to send an enrollment request to the CA requesting a certificate for all of your PIX Firewall's key pairs. This is also known as "enrolling" with the CA. (Technically, enrolling and obtaining certificates are two separate events, but they both occur when this command is issued.)

Your PIX Firewall needs a signed certificate from the CA for each of its RSA key pairs; if you previously generated general purpose keys, the ca enroll command will obtain one certificate corresponding to the one general purpose RSA key pair. If you previously generated special usage keys, this command will obtain two certificates corresponding to each of the special usage RSA key pairs.

If you already have a certificate for your keys, you will be unable to complete this command; instead, you will be prompted to remove the existing certificate first.

The ca enroll command is not saved with the PIX Firewall configuration between reloads. To verify if the enrollment process succeeded and to display PIX Firewall's certificate, use the show ca certificate command. If you want to cancel the current enrollment request, use the no ca enroll command.

The required challenge password is necessary in the event that you need to revoke your PIX Firewall's certificate(s). When you ask the CA administrator to revoke your certificate, you must supply this challenge password as a protection against fraudulent or mistaken revocation requests.


Note   This password is not stored anywhere, so you need to remember this password.


If you lose the password, the CA administrator may still be able to revoke the PIX Firewall's certificate but will require further manual authentication of the PIX Firewall administrator identity.

The PIX Firewall's serial number is optional. If you provide it, it will be included in the obtained certificate. The serial number is not used by IPSec or IKE but may be used by the CA to either authenticate certificates or to later associate a certificate with a particular device. Ask your CA administrator if serial numbers should be included. If you are in doubt, include the serial number.

Normally, you would not include the IP address because the IP address binds the certificate more tightly to a specific entity. Also, if the PIX Firewall is moved, you would need to issue a new certificate.

Example

The following example indicates that the PIX Firewall will send an enrollment request to the CA myca.example.com. The password 1234567890 is specified, as well as the PIX Firewall's serial number of 197754987.

ca enroll myca.example.com 1234567890 197754987

ca generate rsa

The ca generate rsa command generates RSA key pairs for your PIX Firewall. RSA keys are generated in pairs—one public RSA key and one private RSA key. If your PIX Firewall already has RSA keys when you issue this command, you will be warned and prompted to replace the existing keys with new keys.


Note   Before issuing this command, make sure your PIX Firewall has a host name and domain name configured (using the hostname and domain-name commands). You will be unable to complete the ca generate rsa command without a host name and domain name.


The ca generate rsa command is not saved in the PIX Firewall configuration. However, the keys generated by this command are saved in the persistent data file in Flash memory, which is never displayed to the user or backed up to another device.

Example

In this example, one general purpose RSA key pair is to be generated. The selected size of the key modulus is 2048.

ca generate rsa key 2048

Note   You cannot generate both special usage and general purpose keys; you can only generate one or the other.


ca identity

The ca identity command declares the CA that your PIX Firewall will use. Currently, PIX Firewall supports one CA at one time. The no ca identity command removes the ca identity from the configuration and deletes all certificates issued by the specified CA. The show ca identity command shows the current settings stored in RAM.

The PIX Firewall uses a subset of the HTTP protocol to contact the CA, and so must identify a particular cgi-bin script to handle CA requests. The default location and script on the CA server is /cgi-bin/pkiclient.exe. If the CA administrator has not put the CGI script in the above location, include the location and the name of the script within the ca identity command statement.

By default, querying of a certificate or a CRL is done via Cisco's PKI protocol. If the CA supports Lightweight Directory Access Protocol (LDAP), query functions may use LDAP as well. The IP address of the LDAP server must be included within the ca identity command statement.

Example

The following example indicates that the CA myca.example.com is declared as the PIX Firewall's supported CA. The CA's IP address of 205.139.94.231 is provided.

ca identity myca.example.com 205.139.94.231 

ca save all

The ca save all command allows you to save the PIX Firewall's RSA key pairs, the CA, RA and PIX Firewall's certificates, and the CA's CRLs in the persistent data file in Flash memory between reloads. The no ca save all command removes the saved data from the PIX Firewall's Flash memory.

The ca save command itself is not saved with the PIX Firewall configuration between reloads.

To view the current status of requested certificates, and relevant information of received certificates, such as CA and RA certificates, use the show ca certificate command. Because the certificates contain no sensitive data, any user is allowed to issue this show command.

ca zeroize rsa

The ca zeroize rsa command deletes all RSA keys that were previously generated by your PIX Firewall. If you issue this command, you must also perform two additional tasks. Perform these tasks in the following order:

Use the no ca identity command to manually remove the PIX Firewall's certificates from the configuration. This will delete all the certificates issued by the CA.

Ask the CA administrator to revoke your PIX Firewall's certificates at the CA. Supply the challenge password you created when you originally obtained the PIX Firewall's certificates using the ca enroll command.

show ca mypubkey rsa

The show ca mypubkey rsa command displays the PIX Firewall's public keys in a DER/BER encoded PKCS#1 representation.

Example

The following is sample output of the show ca mypubkey rsa command. Special usage RSA keys were previously generated for this PIX Firewall using the ca generate rsa command:

show ca mypubkey rsa

% Key pair was generated at: 15:34:55 Aug 05 1999

Key name: pixfirewall.example.com
 Usage: Signature Key
 Key Data:
            305c300d 06092a86 4886f70d 01010105 00034b00 30480241 00c31f4a ad32f60d
            6e7ed9a2 32883ca9 319a4b30 e7470888 87732e83 c909fb17 fb5cae70 3de738cf
            6e2fd12c 5b3ffa98 8c5adc59 1ec84d78 90bdb53f 2218cfe7 3f020301 0001
% Key pair was generated at: 15:34:55 Aug 05 1999

Key name: pixfirewall.example.com
 Usage: Encryption Key
 Key Data:
            305c300d 06092a86 4886f70d 01010105 00034b00 30480241 00d8a6ac cc64e57a
            48dfb2c1 234661c7 76380bd5 72ae62f7 1706bdab 0eedd0b5 2e5feef0 76319d98
            908f50b4 85a291de 247b6711 59b30026 453bfa3c 45234991 5d020301 0001

clock

Set the PIX Firewall clock for use with the PIX Firewall Syslog Server and the Public Key Infrastructure (PKI) protocol. (Configuration mode.)

clock

clock set hh:mm:ss month day year

clock set hh:mm:ss day month year

show clock

Syntax Description

hh:mm:ss

The current hour:minutes:seconds expressed in 24-hour time; for example, 20:54:00 for 8:54 pm. Zeros can be entered as a single digit; for example, 21:0:0.

month

The current month expressed as the first three characters of the month; for example, apr for April.

day

The current day of the month; for example, 1.

year

The current year expressed as four digits; for example, 2000.


Usage Guidelines

The clock command lets you specify the current time, month, day, and year for use with time-stamped syslog messages, which you can enable with the logging timestamp command. You can view the current time with the clock or the show clock command.

You can interchange the settings for the day and the month; for example, clock set 21:0:0 1 apr 2000.

A time prior to January 1, 1998 or after December 31, 2097 (the latest date the clock command supports) is not accepted.

While the PIX Firewall clock is year 2000 compliant, it does not adjust itself for daylight saving time changes; however, it does know about leap years.

The PIX Firewall clock setting is retained in memory when the power is off by a battery on the PIX Firewall's motherboard. Should this battery fail, contact Cisco's customer support for a replacement PIX Firewall unit.

Cisco's PKI protocol uses the clock to make sure that a CRL is not expired. Otherwise, the CA may reject or allow certificates based on an incorrect timestamp.

Example

To enable PFSS time-stamp logging for the first time, use these commands:

clock set 21:0:0 apr 1 2000
show clock
21:00:05 Apr 01 2000
logging host 192.150.50.3
logging timestamp
logging trap 5

In this example, the clock command sets the clock to 9 pm on April 1, 2000. The logging host command specifies that a syslog server is at IP address 192.150.50.3. The PIX Firewall automatically determines that the server is a PFSS and sends syslog messages to it via TCP and UDP. The logging timestamp command enables sending time stamped syslog messages. The logging trap command specifies that messages at syslog level 0 through 5 be sent to the syslog server. The value 5 is used to capture severe and normal messages, but also those of the aaa authentication enable command.

conduit

Add, delete, or show conduits through the firewall for incoming connections. (Configuration mode.)

conduit permit | deny protocol global_ip global_mask [operator port [port]] foreign_ip foreign_mask [operator port [port]]

no conduit permit | deny protocol global_ip global_mask [operator port [port]] foreign_ip foreign_mask [operator port [port]]

conduit permit | deny icmp global_ip global_mask foreign_ip foreign_mask [icmp_type]

clear conduit

show conduit

Syntax Description

permit

Permit access if the conditions are matched.

deny

Deny access if the conditions are matched.

protocol

Specify the transport protocol for the connection. Possible literal values are icmp, tcp, udp, or an integer in the range 0 through 255 representing an IP protocol number. Use ip to specify all transport protocols. You can view valid protocol numbers online at:

http://www.isi.edu/in-notes/iana/assignments/protocol-numbers

If you specify the icmp protocol, you can permit or deny ICMP access to one or more global IP addresses. Specify the ICMP type in the icmp_type variable, or omit to specify all ICMP types. See the Usage Guidelines for a complete list of the ICMP types.

global_ip

A global IP address previously defined by a global or static command. You can use any if the global_ip and global_mask are 0.0.0.0 0.0.0.0. The any option applies the permit or deny parameters to the global addresses.

If global_ip is a host, you can omit global_mask by specifying the host command before global_ip. For example:

conduit permit tcp host 192.150.50.1 eq ftp any

This example lets any foreign host access global address 192.150.50.1 for FTP.

global_mask

Network mask of global_ip. The global_mask is a 32-bit, four-part dotted decimal; such as, 255.255.255.255. Use zeros in a part to indicate bit positions to be ignored. Use subnetting if required. If you use 0 for global_ip, use 0 for the global_mask; otherwise, enter the global_mask appropriate to global_ip.

foreign_ip

An external IP address (host or network) that can access the global_ip. You can specify 0.0.0.0 or 0 for any host. If both the foreign_ip and foreign_mask are 0.0.0.0 0.0.0.0, you can use the shorthand any option.

If foreign_ip is a host, you can omit foreign_mask by specifying the host command before foreign_ip. For example:

conduit permit tcp any eq ftp host 192.150.50.42

This example lets foreign host 192.150.50.42 access any global address for FTP.

foreign_mask

Network mask of foreign_ip. The foreign_mask is a 32-bit, four-part dotted decimal; such as, 255.255.255.255. Use zeros in a part to indicate bit positions to be ignored. Use subnetting if required. If you use 0 for foreign_ip, use 0 for the foreign_mask; otherwise, enter the foreign_mask appropriate to foreign_ip. You can also specify a mask for subnetting, for example, 255.255.255.192.

operator

A comparison operand that lets you specify a port or a port range.

Use without an operator and port to indicate all ports; for example:

conduit permit tcp any any

Use eq and a port to permit or deny access to just that port. For example use eq ftp to permit or deny access only to FTP:

conduit deny tcp host 192.168.1.1 eq ftp 192.150.50.1 

Use lt and a port to permit or deny access to all ports less than the port you specify. For example, use lt 1025 to permit or deny access to the well known ports (1 to 1024):

conduit permit tcp host 192.168.1.1 lt 1025 any

Use gt and a port to permit or deny access to all ports greater than the port you specify.
For example, use gt 42 to permit or deny ports 43 to 65535:

conduit deny udp host 192.168.1.1 gt 42 host 192.150.50.42 

Use neq and a port to permit or deny access to every port except the ports that you specify.
For example, use neq 10 to permit or deny ports 1-9 and 11 to 65535:

conduit deny tcp host 192.168.1.1 neq 10 host 192.150.50.42 neq 42

Use range and a port range to permit or deny access to only those ports named in the range.
For example, use range 10 1024 to permit or deny access only to ports 10 through 1024. All other ports are unaffected.

conduit deny tcp any range ftp telnet any

Note    By default, all ports are denied until explicitly permitted.

port

Service(s) you permit to be used while accessing global_ip or foreign_ip. Specify services by the port that handles it, such as smtp for port 25, www for port 80, and so on. You can specify ports by either a literal name or a number in the range of 0 to 65535. You can specify all ports by not specifying a port value; for example:

conduit deny tcp any any

This command is the default condition for the conduit command in that all ports are denied until explicitly permitted.

You can view valid port numbers online at:

http://www.isi.edu/in-notes/iana/assignments/port-numbers

See "Ports" in "," for a list of valid port literal names in port ranges; for example, ftp h323. You can also specify numbers.

icmp_type

The type of ICMP message. Table 6-1 lists the ICMP type literals that you can use in this command. Omit this option to mean all ICMP types. An example of this command that permits all ICMP types is conduit permit icmp any any. This command lets ICMP pass inbound and outbound.


Usage Guidelines

A conduit command statement creates an exception to the PIX Firewall Adaptive Security mechanism by permitting connections from one firewall network interface to access hosts on another.

The clear conduit command removes all conduit command statements from your configuration.

The conduit command can permit or deny access to either the global or static commands; however, neither is required for the conduit command. You can associate a conduit command statement with a global or static command statement through the global address, either specifically to a single global address, a range of global addresses, or to all global addresses.

When used with a static command statement, a conduit command statement permits users on a lower security interface to access a higher security interface. When not used with a static command statement, a conduit command statement permits both inbound and outbound access.

If you associate a conduit command statement with a static command statement, only the interfaces specified on the static command statement have access to the conduit command statement. For example, if a static command statement lets users on the dmz interface access a server on the inside interface, only users on the dmz interface can access the server via the static command statement. Users on the outside do not have access.


Note   The conduit command statements are processed in the order entered into the configuration.


The permit and deny options for the conduit command are processed in the order listed in the PIX Firewall configuration. In the following example, host 192.159.1.250 is not denied access through the PIX Firewall because the permit option precedes the deny option:

conduit permit tcp host 192.150.50.4 255.255.255.255 eq 80 any
conduit deny tcp host 192.150.50.4 255.255.255.0 192.159.1.250 255.255.255.255 eq 80 any
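The ordering rule can be checked offline before a conduit set is committed. The following Python script is an added example, not PIX Firewall code: it parses a small set of conduit statements constructed for the example (using the host, any, and address-with-mask forms and the eq and lt operators from the Syntax Description) and evaluates a connection against them with first-match semantics and the default deny described in the Usage Notes. The port literal table is a subset assumed for the example; ICMP conduits and the icmp_type option are not modelled.

```python
import ipaddress

# Conduit statements constructed for this example (not from the configuration
# above); they follow the syntax described in the Syntax Description.
CONSTRUCTED_CONDUITS = [
    "conduit permit tcp host 192.150.50.4 eq 80 any",
    "conduit deny tcp host 192.150.50.4 eq 80 host 192.159.1.250",
    "conduit permit tcp host 192.150.50.1 lt 1025 192.159.1.0 255.255.255.0",
    "conduit permit udp any eq 53 any",
]

# Port literal names accepted by the parser: a small subset assumed for the
# example, with the port numbers the names stand for.
PORT_LITERALS = {"ftp": 21, "telnet": 23, "smtp": 25, "domain": 53,
                 "www": 80, "h323": 1720}


def _port(token):
    return PORT_LITERALS[token] if token in PORT_LITERALS else int(token)


def _address(tokens, i):
    """Parse 'any', 'host A' or 'A M' at tokens[i]; return (network, next_i)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # address followed by a conventional (not wildcard) netmask
    return ipaddress.ip_network((tokens[i], tokens[i + 1]), strict=False), i + 2


def _port_test(tokens, i):
    """Parse an optional operator clause; return (predicate, next_i)."""
    ops = ("eq", "lt", "gt", "neq", "range")
    if i >= len(tokens) or tokens[i] not in ops:
        return (lambda p: True), i          # no operator: all ports
    op = tokens[i]
    if op == "range":
        lo, hi = _port(tokens[i + 1]), _port(tokens[i + 2])
        return (lambda p: lo <= p <= hi), i + 3
    v = _port(tokens[i + 1])
    tests = {"eq": lambda p: p == v, "lt": lambda p: p < v,
             "gt": lambda p: p > v, "neq": lambda p: p != v}
    return tests[op], i + 2


def parse_conduit(line):
    t = line.split()
    if t[:1] != ["conduit"] or t[1] not in ("permit", "deny"):
        raise ValueError("not a conduit statement: " + line)
    global_net, i = _address(t, 3)
    global_port, i = _port_test(t, i)
    foreign_net, i = _address(t, i)
    foreign_port, i = _port_test(t, i)
    return {"action": t[1], "proto": t[2], "global": global_net,
            "gport": global_port, "foreign": foreign_net,
            "fport": foreign_port, "text": line}


def load(lines):
    return [parse_conduit(line) for line in lines]


def evaluate(conduits, proto, global_ip, global_port, foreign_ip,
             foreign_port=None):
    """First matching statement decides; with no match the default is deny.
    foreign_port=None leaves the foreign operator unchecked."""
    g, f = ipaddress.ip_address(global_ip), ipaddress.ip_address(foreign_ip)
    for c in conduits:
        if c["proto"] not in (proto, "ip"):
            continue
        if g not in c["global"] or f not in c["foreign"]:
            continue
        if not c["gport"](global_port):
            continue
        if foreign_port is not None and not c["fport"](foreign_port):
            continue
        return c["action"], c["text"]
    return "deny", None


if __name__ == "__main__":
    rules = load(CONSTRUCTED_CONDUITS)
    # permit precedes deny, so the host is allowed in spite of the deny line
    print(evaluate(rules, "tcp", "192.150.50.4", 80, "192.159.1.250"))
    # the same statements in reverse order: the deny line now matches first
    print(evaluate(load(CONSTRUCTED_CONDUITS[::-1]),
                   "tcp", "192.150.50.4", 80, "192.159.1.250"))
```

The second call shows why the order of entry matters: the same two statements give the opposite answer when reversed, which is also why removing a conduit statement changes the effect of every statement after it.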

Note   If you want internal users to be able to ping external hosts, use the conduit permit icmp any any command.


After changing or removing a conduit command statement, use the clear xlate command.

You can remove a conduit command statement with the no conduit command. Use the show conduit command to view the conduit command statements in the configuration.

If you prefer more selective ICMP access, you can specify a single ICMP message type as the last option in this command. Table 6-1 lists the possible ICMP type values.

Table 6-1 ICMP Type Literals

ICMP Type   Literal
0           echo-reply
3           unreachable
4           source-quench
5           redirect
6           alternate-address
8           echo
9           router-advertisement
10          router-solicitation
11          time-exceeded
12          parameter-problem
13          timestamp-reply
14          timestamp-request
15          information-request
16          information-reply
17          mask-request
18          mask-reply
31          conversion-error
32          mobile-redirect


Usage Notes

1 By default, all ports are denied until explicitly permitted.

2 The conduit command statements are processed in the order entered in the configuration. If you remove a command, it affects the order of all subsequent conduit command statements.

3 To remove all conduit command statements, cut and paste your configuration onto your console computer, edit the configuration on the computer, use the write erase command to clear the current configuration, and then paste the configuration back into the PIX Firewall.

4 You can have as many conduit command statements as needed as long as the total size of your configuration does not exceed the maximum allowable size of a configuration. See "Configuration Size" in "."

5 If you use PAT (Port Address Translation), you cannot use a conduit command statement using the PAT address to either permit or deny access to ports.

6 Two conduit command statements are required for establishing access to the following services: discard, dns, echo, ident, pptp, rpc, sunrpc, syslog, tacacs-ds, talk, and time. Each service, except for pptp, requires one conduit for TCP and one for UDP. For DNS, if you are only receiving zone updates, you only need a single conduit command statement for TCP.

The two conduit command statements for the PPTP transport protocol, which is a subset of the GRE protocol, are as shown in this example:

static (dmz2,outside) 192.150.50.5 192.168.1.5 netmask 255.255.255.255
conduit permit tcp host 192.150.50.5 eq 1723 any
conduit permit gre host 192.150.50.5 any

In this example, PPTP is being used to handle access to host 192.168.1.5 on the dmz2 interface from users on the outside. Outside users access the dmz2 host using global address 192.150.50.5. The first conduit command statement opens access for the PPTP protocol and gives access to any outside users. The second conduit command statement permits access to GRE. If PPTP was not involved and GRE was, you could omit the first conduit command statement.

7 The RPC conduit command support fixes up UDP portmapper and rpcbind exchanges. TCP exchanges are not supported. This lets simple RPC-based programs work; however, remote procedure calls, arguments, or responses that contain addresses or ports will not be fixed up.

For MSRPC, two conduit command statements are required, one for port 135 and another for access to the high ports (1024-65535). For Sun RPC, a single conduit command statement is required for UDP port 111.

Once you create a conduit command statement for RPC, you can use the following command to test its activity from a UNIX host:

rpcinfo -u unix_host_ip_address 150001

Replace unix_host_ip_address with the IP address of the UNIX host.

8 You can overlay host statics on top of a net static range to further refine what an individual host can access:

static (inside, outside) 192.150.50.0 10.1.1.0
conduit permit tcp 192.150.50.0 255.255.255.0 eq ftp any
static (inside, outside) 203.31.17.3 10.1.1.3
conduit permit udp host 192.150.50.3 eq h323 host 1.2.3.3

In this case, the host at 1.2.3.3 has InternetPhone access in addition to its blanket FTP access.

Examples

1 The following commands permit access from an outside UNIX gateway host at 192.150.50.42 to an inside SMTP server with Mail Guard at 192.168.1.49. Mail Guard is enabled in the default configuration for PIX Firewall with the fixup protocol smtp 25 command. The global address on the PIX Firewall is 192.150.50.1:

static (inside,outside) 192.150.50.1 192.168.1.49 netmask 255.255.255.255 0 0
conduit permit tcp host 192.150.50.1 eq smtp host 192.150.50.42 

To disable Mail Guard, enter this command:

no fixup protocol smtp 25

2 You can set up an inside host to receive H.323 InternetPhone calls and allow the outside network to connect inbound via the IDENT protocol (TCP port 113). In this example, the inside network is at 192.168.1.0, the global address is 192.150.50.0, and the outside network is 192.150.50.0:

static (inside,outside) 192.150.50.0 192.168.1.0 netmask 255.255.255.0 0 0
conduit permit tcp 192.150.50.0 255.255.255.0 eq h323 any
conduit permit tcp 192.150.50.0 255.255.255.0 eq 113 192.150.50.0 255.255.255.0

3 You can create a web server on the perimeter interface that can be accessed by any outside host as follows:

static (perimeter,outside) 192.150.50.4 192.168.1.4 netmask 255.255.255.0 0
conduit permit tcp host 192.150.50.4 eq 80 any

In this example, the static command statement maps the perimeter host, 10.1.1.4, to the global address, 192.150.50.4. The conduit command statement specifies that the global host can be accessed on port 80 (web server) by any outside host.

configure

Clear or merge current configuration with that on floppy or Flash memory, start configuration mode, or view current configuration. (Privileged mode.)

clear configure primary|secondary|all

configure net [[server_ip]:[filename]]

configure floppy

configure memory

configure terminal

show configure

Syntax Description

clear

Clears aspects of the current configuration in RAM. Use the write erase command to clear the complete configuration.

primary

Sets the interface, ip, mtu, nameif, and route commands to their default values. In addition, interface names are removed from all commands in the configuration.

secondary

Removes the alias, apply, conduit, global, outbound, static, aaa-server, telnet, tftp-server, and url-server command statements from your configuration.

net

Loads the configuration from a TFTP server and the path you specify.

all

Combines the primary and secondary options.

floppy

Merges the current configuration with that on diskette.

memory

Merges the current configuration with that in Flash memory.

terminal

Starts configuration mode to enter configuration commands from a terminal. Exit configuration mode by entering the quit command.

server_ip

Merges the current configuration with that available across the network at another location, which is defined with the tftp-server command.

filename

A filename you specify to qualify the location of the configuration file on the TFTP server named in server_ip. If you set a filename with the tftp-server command, do not specify it in the configure command; instead just use a colon ( : ) without a filename.


Usage Guidelines

The clear configure command resets a configuration to its default values. Use this command to create a template configuration or when you want to clear all values. The clear configure primary command resets the default values for the interface, ip, mtu, nameif, and route commands. This command also deletes interface names in the configuration. The clear configure secondary command removes alias, conduit, global, and static command statements from the configuration. However, the clear configure secondary command does not remove tftp-server command statements.


Note   Save your configuration before using the clear configure command. The clear configure secondary command does not prompt you before deleting lines from your configuration.


The configure net command merges the current running configuration with a TFTP configuration stored at the IP address you specify and from the file you name. If you specify both the IP address and path name in the tftp-server command, you can specify :filename as simply a colon ( : ). For example:

configure net :

Use the write net command to store the configuration in the file.


Note   Many TFTP servers require the configuration file to be world-readable to be accessible.


The configure floppy command merges the current running configuration with the configuration stored on diskette. This command assumes that the diskette was previously created by the write floppy command.

The configure memory command merges the configuration in Flash memory into the current configuration in RAM.

The configure terminal command starts configuration mode. Exit configuration mode with the quit command. After exiting configuration mode, use write memory to store your changes in Flash memory or write floppy to store the configuration on diskette. Use the write terminal command to display the current configuration.

The show configure command lists the contents of the configuration in Flash memory.

Each command statement from diskette (with configure floppy), Flash memory (with configure memory), or TFTP transfer (with configure net) is read into the current configuration and evaluated in the same way as commands entered from a keyboard with these rules:

If the command on diskette or Flash memory is identical to an existing command in the current configuration, it is ignored.

If the command on diskette or Flash memory is an additional instance of an existing command, such as if you already have one telnet command for IP address 1.2.3.4 and the diskette configuration has a telnet command for 6.7.8.9, then both commands appear in the current configuration.

If the command redefines an existing command, the command on diskette or Flash memory overwrites the command in the current configuration in RAM. For example, if you have hostname ram in the current configuration and hostname floppy on diskette, the command in the configuration becomes hostname floppy and the command line prompt changes to match the new host name when that command is read from diskette.
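The three merge rules can be previewed before configure net, configure floppy, or configure memory is run, which matters because a stored hostname or password line silently replaces the running one. The following Python script is an added example and not part of the PIX Firewall: it applies the rules to two constructed command lists (a running configuration and a stored one) and reports which stored commands were ignored, added, or overwrote a running command. Which commands count as single-instance is an assumption of the example (hostname, domain-name, and passwd here); the PIX Firewall itself decides this per command.

```python
# Running configuration and stored configuration, both constructed for the
# example; the ":  Saved" / ":  End" lines are the markers write terminal prints.
RUNNING_CONFIG = [
    "hostname ram",
    "telnet 1.2.3.4 255.255.255.255",
]
STORED_CONFIG = [
    ":  Saved",
    "hostname floppy",
    "telnet 1.2.3.4 255.255.255.255",
    "telnet 6.7.8.9 255.255.255.255",
    ":  End",
]

# Commands the example treats as single-instance, so a stored copy redefines
# the running one. This set is an assumption of the example, not a PIX list.
SINGLE_INSTANCE = {"hostname", "domain-name", "passwd"}


def merge_config(running, stored):
    """Apply the three merge rules; return (merged, events) where events lists
    ('ignored', line), ('added', line) or ('overwritten', old, new)."""
    merged = list(running)
    events = []
    for raw in stored:
        line = raw.strip()
        if not line or line.startswith(":"):
            continue                                  # blank line or marker
        keyword = line.split()[0]
        if line in merged:                            # rule 1: identical
            events.append(("ignored", line))
            continue
        existing = [i for i, c in enumerate(merged) if c.split()[0] == keyword]
        if keyword in SINGLE_INSTANCE and existing:   # rule 3: redefinition
            events.append(("overwritten", merged[existing[0]], line))
            merged[existing[0]] = line
        else:                                         # rule 2: another instance
            events.append(("added", line))
            merged.append(line)
    return merged, events


if __name__ == "__main__":
    merged, events = merge_config(RUNNING_CONFIG, STORED_CONFIG)
    for event in events:
        print(*event, sep=" | ")
    print("\n".join(merged))
```

The events list is the part worth reading before a merge: an "overwritten" entry for hostname is harmless, the same entry for a password or interface command is not, and the PIX Firewall gives no such preview of its own.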

Example

The following example shows how to configure the PIX Firewall using a configuration retrieved with TFTP:

configure net 10.1.1.1:/tftp/config/pixconfig

The pixconfig file is stored on the TFTP server at 10.1.1.1 in the /tftp/config directory.

The following example shows how to configure the PIX Firewall from a diskette:

configure floppy

The following example shows how to configure the PIX Firewall from the configuration stored in Flash memory:

configure memory

The following example shows the commands you enter to access configuration mode, view the configuration, and save it in Flash memory.

Access privileged mode with the enable command and configuration mode with the configure terminal command. View the current configuration with the write terminal command and save your configuration to Flash memory using the write memory command.

pixfirewall> enable
password: 
pixfirewall# configure terminal
pixfirewall(config)# write terminal
:  Saved
... config commands ...
:  End

write memory

crypto dynamic-map

Create, view, or delete a dynamic crypto map entry. (Configuration mode.)

crypto dynamic-map dynamic-map-name dynamic-seq-num

no crypto dynamic-map dynamic-map-name [dynamic-seq-num]

crypto dynamic-map dynamic-map-name dynamic-seq-num match address access-list-name

no crypto dynamic-map dynamic-map-name dynamic-seq-num match address access-list-name

crypto dynamic-map dynamic-map-name dynamic-seq-num set peer hostname | ip-address

no crypto dynamic-map dynamic-map-name dynamic-seq-num set peer hostname | ip-address

crypto dynamic-map dynamic-map-name dynamic-seq-num set pfs [group1 | group2]

no crypto dynamic-map dynamic-map-name dynamic-seq-num set pfs

crypto dynamic-map dynamic-map-name dynamic-seq-num set security-association lifetime seconds seconds | kilobytes kilobytes

no crypto dynamic-map dynamic-map-name dynamic-seq-num set security-association lifetime seconds | kilobytes

crypto dynamic-map dynamic-map-name dynamic-seq-num set transform-set transform-set-name1 [... transform-set-name9]

no crypto dynamic-map dynamic-map-name dynamic-seq-num set transform-set transform-set-name1 [... transform-set-name9]

show crypto dynamic-map [tag dynamic-map-name]


Note   See the section "Dynamic Crypto Maps" in "" for more information about dynamic crypto maps.


Syntax Description

dynamic-map-name

Specifies the name of the dynamic crypto map set.

dynamic-seq-num

Specifies the sequence number that corresponds to the dynamic crypto map entry.

subcommand

Various subcommands (match address, set transform-set, and so on).

tag dynamic-map-name

(Optional) Shows the crypto dynamic map set with the specified dynamic-map-name.



Note   The crypto dynamic-map subcommands, such as match address, set peer, and set pfs, are described in the crypto map command page. See that command page for the descriptions of these commands, including syntax descriptions.


Usage Guidelines

crypto dynamic-map

The crypto dynamic-map command allows you to create a dynamic crypto map entry. The no crypto dynamic-map command deletes a dynamic crypto map set or entry. The show crypto dynamic-map command allows you to view a dynamic crypto map set.

Dynamic crypto maps are policy templates used when processing negotiation requests for new security associations from a remote IPSec peer, even if you do not know all of the crypto map parameters required to communicate with the peer (such as the peer's IP address). For example, if you do not know about all the remote IPSec peers in your network, a dynamic crypto map allows you to accept requests for new security associations from previously unknown peers. (However, these requests are not processed until the IKE authentication has completed successfully.)

When a PIX Firewall receives a negotiation request via IKE from another peer, the request is examined to see if it matches a crypto map entry. If the negotiation does not match any explicit crypto map entry, it will be rejected unless the crypto map set includes a reference to a dynamic crypto map.

The dynamic crypto map accepts "wildcard" parameters for any parameters not explicitly stated in the dynamic crypto map entry. This allows you to set up IPSec security associations with a previously unknown peer. (The peer still must specify matching values for the "wildcard" IPSec security association negotiation parameters.)

If the PIX Firewall accepts the peer's request, at the point that it installs the new IPSec security associations it also installs a temporary crypto map entry. This entry is filled in with the results of the negotiation. At this point, the PIX Firewall performs normal processing, using this temporary crypto map entry as a normal entry, even requesting new security associations if the current ones are expiring (based upon the policy specified in the temporary crypto map entry). Once the flow expires (that is, all of the corresponding security associations expire), the temporary crypto map entry is removed.

Dynamic crypto maps are used for determining whether or not traffic should be protected.


Note   The only parameter required in a dynamic crypto map is the set transform-set. All other parameters are optional.


Examples

The following example configures an IPSec crypto map set.

Crypto map entry mymap 30 references the dynamic crypto map set mydynamicmap, which can be used to process inbound security association negotiation requests that do not match mymap entries 10 or 20. In this case, if the peer specifies a transform set that matches one of the transform sets specified in mydynamicmap, for a flow "permitted" by the access list 103, IPSec will accept the request and set up security associations with the remote peer without previously knowing about the peer. If accepted, the resulting security associations (and temporary crypto map entry) are established according to the settings specified by the remote peer.

The access list associated with mydynamicmap 10 is also used as a filter. Inbound packets that match a permit statement in this list are dropped for not being IPSec protected. (The same is true for access lists associated with static crypto maps entries.) Outbound packets that match a permit statement without an existing corresponding IPSec security association are also dropped.

crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set transform-set my_t_set1
crypto map mymap 10 set peer 10.0.0.1 10.0.0.2
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address 102
crypto map mymap 20 set transform-set my_t_set1 my_t_set2
crypto map mymap 20 set peer 10.0.0.3
crypto dynamic-map mydynamicmap 10 match address 103
crypto dynamic-map mydynamicmap 10 set transform-set my_t_set1 my_t_set2 my_t_set3
crypto map mymap 30 ipsec-isakmp dynamic mydynamicmap
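The following Python script is an added example, not PIX Firewall code, that models how the mymap crypto map set above processes an inbound negotiation request: static entries 10 and 20 match by peer address and transform set, and entry 30, through mydynamicmap, accepts a transform set it lists from any peer, installing a temporary entry that is removed when the flow expires. Matching is simplified to peer and transform set; the access list check and the IKE exchange itself are outside the model, and the ike_authenticated flag stands in for the completed IKE authentication the text requires.

```python
from dataclasses import dataclass, field


@dataclass
class CryptoMapEntry:
    seq: int
    transform_sets: tuple
    peers: tuple = ()        # empty for a dynamic entry: the peer is a wildcard
    dynamic: bool = False


@dataclass
class CryptoMapSet:
    name: str
    entries: list = field(default_factory=list)
    temporary: dict = field(default_factory=dict)   # peer -> temporary entry

    def process_request(self, peer, transform_set, ike_authenticated):
        """Return ('accepted'|'rejected', reason) for an inbound request."""
        if not ike_authenticated:
            return "rejected", "IKE authentication has not completed"
        for entry in sorted(self.entries, key=lambda e: e.seq):
            if entry.dynamic:
                # wildcard entry: only the transform set has to match
                if transform_set in entry.transform_sets:
                    self.temporary[peer] = CryptoMapEntry(
                        entry.seq, (transform_set,), (peer,))
                    return "accepted", (f"dynamic entry {entry.seq}, "
                                        f"temporary entry installed for {peer}")
            elif peer in entry.peers and transform_set in entry.transform_sets:
                return "accepted", f"static entry {entry.seq}"
        return "rejected", "no crypto map entry matches"

    def expire_flow(self, peer):
        """All security associations of the flow expired: drop the temporary entry."""
        self.temporary.pop(peer, None)


def build_mymap():
    """The mymap crypto map set from the example configuration above."""
    mymap = CryptoMapSet("mymap")
    mymap.entries += [
        CryptoMapEntry(10, ("my_t_set1",), ("10.0.0.1", "10.0.0.2")),
        CryptoMapEntry(20, ("my_t_set1", "my_t_set2"), ("10.0.0.3",)),
        # entry 30 references mydynamicmap
        CryptoMapEntry(30, ("my_t_set1", "my_t_set2", "my_t_set3"), dynamic=True),
    ]
    return mymap


if __name__ == "__main__":
    mymap = build_mymap()
    print(mymap.process_request("10.0.0.3", "my_t_set2", True))    # known peer
    print(mymap.process_request("10.0.0.99", "my_t_set3", True))   # unknown peer
    print(mymap.process_request("10.0.0.99", "my_t_set9", True))   # unlisted set
    mymap.expire_flow("10.0.0.99")
```

The model makes the security property of the dynamic entry visible: an unknown peer gets a security association only after IKE authentication and only for a transform set the administrator listed, so the strength of the accepted protection is still bounded by the transform sets named in the dynamic map.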

The following is sample output for the show crypto dynamic-map command:

show crypto dynamic-map

Crypto Map Template "dyn1" 10

        access-list 152 permit ip host 172.21.114.67 any
        Current peer: 0.0.0.0
        Security association lifetime: 4608000 kilobytes/120 seconds
        PFS (Y/N): N
        Transform sets={ tauth, t1, }

The following partial configuration was in effect when the above show crypto dynamic-map command was issued:

crypto ipsec security-association lifetime seconds 120
crypto ipsec transform-set t1 esp-des esp-md5-hmac
crypto ipsec transform-set tauth ah-sha-hmac
crypto dynamic-map dyn1 10
crypto dynamic-map dyn1 10 set transform-set tauth t1
crypto dynamic-map dyn1 10 match address 152
crypto map to-firewall local-address Ethernet0
crypto map to-firewall 10 ipsec-isakmp
crypto map to-firewall 10 set peer 172.21.114.123
crypto map to-firewall 10 set transform-set tauth t1
crypto map to-firewall 10 match address 150
crypto map to-firewall 20 ipsec-isakmp dynamic dyn1
access-list 150 permit ip host 172.21.114.67 host 172.21.114.123
access-list 150 permit ip host 15.15.15.1 host 172.21.114.123
access-list 150 permit ip host 15.15.15.1 host 8.8.8.1
access-list 152 permit ip host 172.21.114.67 any

crypto dynamic-map match address

See the crypto map match address command within the crypto map command page for information about this command.

crypto dynamic-map set peer

See the crypto map set peer command within the crypto map command page for information about this command.

crypto dynamic-map set pfs

See the crypto map set pfs command within the crypto map command page for information about this command.

crypto dynamic-map set security-association lifetime

See the crypto map set security-association lifetime command within the crypto map command page for information about this command.

crypto dynamic-map set transform-set

See the crypto map set transform-set command within the crypto map command page for information about this command.


Note   This command is required for dynamic crypto map entries.


crypto ipsec

Create, view, or delete crypto related global values. (Configuration mode.)

crypto ipsec security-association lifetime seconds seconds | kilobytes kilobytes

no crypto ipsec security-association lifetime seconds | kilobytes

show crypto ipsec security-association lifetime

crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]

no crypto ipsec transform-set transform-set-name

show crypto ipsec transform-set [tag transform-set-name]

clear crypto [ipsec] sa

clear crypto [ipsec] sa peer

clear crypto [ipsec] sa map map-name

clear crypto [ipsec] sa entry destination-address protocol spi

clear crypto [ipsec] sa counters

show crypto ipsec sa [map map-name | address | identity] [detail]


Note   See the section "About IPSec" in "" for more information about this IPSec feature.


Syntax Description

address

(Optional) Shows all existing security associations, sorted by the destination address (either the local address or the address of the remote IPSec peer) and then by protocol (AH or ESP).

destination address

Specify the IP address of your peer or the remote peer.

detail

(Optional) Shows detailed error counters. (The default is the high level send/receive error counters.)

identity

(Optional) Shows only the flow information. It does not show the security association information.

interface-name

Specify the identifying interface (outside or external) to be used by the PIX Firewall to identify itself to remote peers.

If IKE is enabled, and you are using a Certification Authority (CA) to obtain certificates, this should be the interface with the address specified in the CA certificates.

ip-address

Specify a remote peer's IP address.

ipsec-isakmp

Indicates that IKE will be used to establish the IPSec security associations for protecting the traffic specified by this crypto map entry.

ipsec-manual

Indicates that IKE will not be used to establish the IPSec security associations for protecting the traffic specified by this crypto map entry.

kilobytes   kilobytes

Specifies the volume of traffic (in kilobytes) that can pass between IPSec peers using a given security association before that security association expires.
The default is 4,608,000 kilobytes (10 megabytes per second for one hour).

map map-name

The name of the crypto map set.

peer-name

Specify a remote peer's name as the fully qualified domain name. For example, remotepeer.example.com.

protocol

Specify either the AH or ESP protocol.

seconds seconds

Specify the number of seconds a security association will live before it expires. The default is 28,800 seconds (eight hours).

seq-num

The number you assign to the crypto map entry.

spi

Specifies the security parameter index (SPI), a number that is used to uniquely identify a security association. The SPI is an arbitrary number you assign in the range of 256 to 4,294,967,295 (FFFF FFFF).

tag transform-set-name

(Optional) Shows only the transform sets with the specified transform-set-name.

transform1
transform2
transform3

Specify up to three transforms. Transforms define the IPSec security protocol(s) and algorithm(s). Each transform represents an IPSec security protocol (ESP, AH, or both) plus the algorithm you want to use.

transform-set-name

Specify the name of the transform set to create or modify.


Usage Guidelines

crypto ipsec security-association lifetime

The crypto ipsec security-association lifetime command is used to change global lifetime values used when negotiating IPSec security associations. To reset a lifetime to the default value, use the no crypto ipsec security-association lifetime command. The show crypto ipsec security-association lifetime command allows you to view the security-association lifetime value configured for a particular crypto map entry.

IPSec security associations use shared secret keys. These keys and their security associations time out together.

Assuming that the particular crypto map entry does not have lifetime values configured, when the PIX Firewall requests new security associations during security association negotiation, it will specify its global lifetime value in the request to the peer; it will use this value as the lifetime of the new security associations. When the PIX Firewall receives a negotiation request from the peer, it will use the smaller of the lifetime value proposed by the peer or the locally configured lifetime value as the lifetime of the new security associations.

There are two lifetimes: a "timed" lifetime and a "traffic-volume" lifetime. The security association expires after the first of these lifetimes is reached.

If you change a global lifetime, the change is only applied when the crypto map entry does not have a lifetime value specified. The change will not be applied to existing security associations, but will be used in subsequent negotiations to establish new security associations. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear crypto sa command. See the clear crypto [ipsec] sa command within the crypto ipsec command page for more information.

To change the global timed lifetime, use the crypto ipsec security-association lifetime seconds command. The timed lifetime causes the security association to time out after the specified number of seconds have passed.

To change the global traffic-volume lifetime, use the crypto ipsec security-association lifetime kilobytes command. The traffic-volume lifetime causes the security association to time out after the specified amount of traffic (in kilobytes) has been protected by the security associations' key.

Shorter lifetimes can make it harder to mount a successful key recovery attack, since the attacker has less data encrypted under the same key to work with. However, shorter lifetimes require more CPU processing time for establishing new security associations. The lifetime values are ignored for manually established security associations (security associations installed using an ipsec-manual crypto map command entry).

The security association (and corresponding keys) will expire according to whichever occurs sooner, either after the number of seconds has passed (specified by the seconds keyword) or after the amount of traffic in kilobytes has passed (specified by the kilobytes keyword).

A new security association is negotiated before the lifetime threshold of the existing security association is reached, to ensure that a new security association is ready for use when the old one expires. The new security association is negotiated either 30 seconds before the seconds lifetime expires or when the volume of traffic through the tunnel reaches 256 kilobytes less than the kilobytes lifetime (whichever occurs first).

If no traffic has passed through the tunnel during the entire life of the security association, a new security association is not negotiated when the lifetime expires. Instead, a new security association will be negotiated only when IPSec sees another packet that should be protected.
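The lifetime rules in the preceding paragraphs, modelled as an added Python example (this is not PIX code): the responder takes the smaller of the peer's proposal and its own value for each lifetime, the security association expires at whichever lifetime is reached first, and the proactive renegotiation fires 30 seconds or 256 kilobytes early unless the security association never carried traffic. The constants are the page's values; the `Lifetime` class, the function names and the constant-rate model in `first_rekey_second` are this example's own assumptions.

```python
"""IPSec SA lifetime rules from this page, modelled in Python (added example,
not PIX code). The constants are the values the page states."""
from dataclasses import dataclass
from typing import Optional, Tuple

DEFAULT_SECONDS = 28_800        # default timed lifetime (eight hours)
DEFAULT_KILOBYTES = 4_608_000   # default traffic-volume lifetime
REKEY_SECONDS_BEFORE = 30       # renegotiate this many seconds before timed expiry
REKEY_KILOBYTES_BEFORE = 256    # or this many kilobytes before volume expiry


@dataclass(frozen=True)
class Lifetime:
    seconds: int = DEFAULT_SECONDS
    kilobytes: int = DEFAULT_KILOBYTES


def negotiated_lifetime(local: Lifetime, proposed: Lifetime) -> Lifetime:
    """Responder side: each lifetime becomes the smaller of the peer's proposal
    and the locally configured value."""
    return Lifetime(min(local.seconds, proposed.seconds),
                    min(local.kilobytes, proposed.kilobytes))


def is_expired(lt: Lifetime, elapsed_s: int, protected_kb: int) -> bool:
    """The SA and its keys expire when the first of the two lifetimes is reached."""
    return elapsed_s >= lt.seconds or protected_kb >= lt.kilobytes


def should_renegotiate(lt: Lifetime, elapsed_s: int, protected_kb: int) -> bool:
    """Proactive rekey 30 s before the timed lifetime or 256 KB before the volume
    lifetime, whichever comes first. An SA that never carried traffic is simply
    left to expire; a replacement is negotiated when the next packet needs it."""
    if protected_kb == 0:
        return False
    return (elapsed_s >= lt.seconds - REKEY_SECONDS_BEFORE
            or protected_kb >= lt.kilobytes - REKEY_KILOBYTES_BEFORE)


def first_rekey_second(lt: Lifetime, rate_kb_per_s: int) -> Optional[Tuple[int, str]]:
    """Constant-rate model (this example's own assumption): the second at which the
    proactive rekey fires and which lifetime drove it. None when no traffic flows."""
    if rate_kb_per_s <= 0:
        return None
    by_time = lt.seconds - REKEY_SECONDS_BEFORE
    by_volume = -(-(lt.kilobytes - REKEY_KILOBYTES_BEFORE) // rate_kb_per_s)  # ceiling division
    return (by_time, "seconds") if by_time <= by_volume else (by_volume, "kilobytes")
```

With the shortened lifetimes from the example below (2,700 seconds and 2,304,000 kilobytes) and a constructed steady rate of 1,280 KB/s, the volume lifetime binds first and the rekey fires at second 1,800; at 10 KB/s the timed lifetime binds and the rekey fires at second 2,670. Running the model against a link's real throughput shows whether a configured volume lifetime is ever reached before the timed one.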

Examples

This example shortens both lifetimes, because the administrator feels there is a higher risk that the keys could be compromised. The timed lifetime is shortened to 2,700 seconds (45 minutes), and the traffic-volume lifetime is shortened to 2,304,000 kilobytes (10 megabytes per second for one half hour).

crypto ipsec security-association lifetime seconds 2700
crypto ipsec security-association lifetime kilobytes 2304000

The following is a sample output for the show crypto ipsec security-association lifetime command:

show crypto ipsec security-association lifetime
Security-association lifetime: 4608000 kilobytes/120 seconds

The following configuration was in effect when the above show crypto ipsec security-association lifetime command was issued:

crypto ipsec security-association lifetime seconds 120

crypto ipsec transform-set

The crypto ipsec transform-set command defines a transform set. To delete a transform set, use the no crypto ipsec transform-set command. To view the configured transform sets, use the show crypto ipsec transform-set command.

A transform set specifies one or two IPSec security protocols (either ESP or AH or both) and specifies which algorithms to use with the selected security protocol. During the IPSec security association negotiation, the peers agree to use a particular transform set when protecting a particular data flow.

You can configure multiple transform sets, and then specify one or more of these transform sets in a crypto map entry. The transform set defined in the crypto map entry is used in the IPSec security association negotiation to protect the data flows specified by that crypto map entry's access list. During the negotiation, the peers search for a transform set that is the same at both peers. When such a transform set is found, it is selected and is applied to the protected traffic as part of both peers' IPSec security associations.

When security associations are established manually, a single transform set must be used. The transform set is not negotiated.

Before a transform set can be included in a crypto map entry, it must be defined using the crypto ipsec transform-set command.

To define a transform set, you specify one to three "transforms"—each transform represents an IPSec security protocol (ESP or AH) plus the algorithm you want to use. When the particular transform set is used during negotiations for IPSec security associations, the entire transform set (the combination of protocols, algorithms, and other settings) must match a transform set at the remote peer.

In a transform set you could specify the AH protocol, the ESP protocol, or both. If you specify an ESP protocol in a transform set, you can specify just an ESP encryption transform or both an ESP encryption transform and an ESP authentication transform.

Examples of acceptable transform combinations are as follows:

ah-md5-hmac

esp-des

esp-des and esp-md5-hmac

ah-sha-hmac and esp-des and esp-sha-hmac

If one or more transforms are specified in the crypto ipsec transform-set command for an existing transform set, the specified transforms will replace the existing transforms for that transform set.

If you change a transform set definition, the change is only applied to crypto map entries that reference the transform set. The change will not be applied to existing security associations, but will be used in subsequent negotiations to establish new security associations. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear crypto sa command.

For more information about transform sets, see "Transform Sets" in "."

Examples

This example defines one transform set (named "standard"), which will be used with an IPSec peer that supports the ESP protocol. Both an ESP encryption transform and an ESP authentication transform are specified in this example:

crypto ipsec transform-set standard esp-des esp-md5-hmac

The following is a sample output for the show crypto ipsec transform-set command:

show crypto ipsec transform-set 

Transform set combined-des-sha: { esp-des esp-sha-hmac  } 
   will negotiate = { Tunnel,  }, 
Transform set combined-des-md5: { esp-des esp-md5-hmac  } 
   will negotiate = { Tunnel,  }, 
Transform set t1: { esp-des esp-md5-hmac  } 
   will negotiate = { Tunnel,  }, 
Transform set t100: { ah-sha-hmac  } 
   will negotiate = { Tunnel,  }, 
Transform set t2: { ah-sha-hmac  } 
   will negotiate = { Tunnel,  }, 
   { esp-des  } 
   will negotiate = { Tunnel,  },

The following configuration was in effect when the above show crypto ipsec transform-set command was issued:

crypto ipsec transform-set combined-des-sha esp-des esp-sha-hmac 
crypto ipsec transform-set combined-des-md5 esp-des esp-md5-hmac 
crypto ipsec transform-set t1 esp-des esp-md5-hmac 
crypto ipsec transform-set t100 ah-sha-hmac 
crypto ipsec transform-set t2 ah-sha-hmac esp-des

crypto ipsec set transform-set

The crypto ipsec set transform-set command allows you to specify which transform sets can be used with a given crypto map entry. Use the no crypto ipsec set transform-set command to remove all transform sets from a crypto map entry. This command is required for all static and dynamic crypto map entries.

For an ipsec-isakmp crypto map entry, you can list multiple transform sets with this command. List the higher priority transform sets first.

If the PIX Firewall initiates the negotiation, the transform sets are presented to the IPSec peer in the order specified in the crypto map entry. If the IPSec peer initiates the negotiation, the PIX Firewall accepts the first transform set that matches one of the transform sets specified in the crypto map entry.

The first matching transform set that is found at both peers is used for the security association. If no match is found, IPSec will not establish a security association. The traffic will be dropped because there is no security association to protect the traffic.

For an ipsec-manual crypto map entry, you can specify only one transform set. If the transform set does not match the transform set at the remote peer's crypto map, the two peers will fail to correctly communicate because the peers are using different rules to process the traffic.

If you want to change the list of transform sets, re-specify the new list of transform sets to replace the old list. This change is only applied to crypto map entries that reference this transform set. The change will not be applied to existing security associations, but will be used in subsequent negotiations to establish new security associations. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear crypto sa command.

Any transform sets included in a crypto map must previously have been defined using the crypto ipsec transform-set command.
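How the transform-set matching and the ordered negotiation just described play out, as an added Python model (this is not PIX code): `is_valid_transform_set` encodes the acceptable combinations listed under crypto ipsec transform-set, `negotiate` walks the initiator's sets in priority order and accepts the first exact match at the responder, and `manual_sets_match` applies the single-set rule for ipsec-manual entries. The transform names are the ones the page lists; the function names and the `(name, transforms)` list shape are this example's own assumptions.

```python
"""Transform-set rules from this page, modelled in Python (added example, not
PIX code). Transform names are the ones the page lists."""
from typing import List, Optional, Sequence, Tuple

AH_AUTH = {"ah-md5-hmac", "ah-sha-hmac"}
ESP_CIPHER = {"esp-des"}
ESP_AUTH = {"esp-md5-hmac", "esp-sha-hmac"}

# A configured transform set: (name, transforms); a list of them is in priority order.
TransformSet = Tuple[str, Sequence[str]]


def is_valid_transform_set(transforms: Sequence[str]) -> bool:
    """One to three distinct transforms: optionally AH, optionally an ESP cipher,
    and an ESP authenticator only together with an ESP cipher."""
    ts = list(transforms)
    if not 1 <= len(ts) <= 3 or len(set(ts)) != len(ts):
        return False
    ah = [t for t in ts if t in AH_AUTH]
    cipher = [t for t in ts if t in ESP_CIPHER]
    auth = [t for t in ts if t in ESP_AUTH]
    if len(ah) + len(cipher) + len(auth) != len(ts):   # an unknown transform name
        return False
    if max(len(ah), len(cipher), len(auth)) > 1:        # at most one of each kind
        return False
    return not (auth and not cipher)                    # ESP auth alone is not allowed


def negotiate(initiator: List[TransformSet],
              responder: List[TransformSet]) -> Optional[Tuple[str, str]]:
    """IKE-established SA: the initiator offers its sets in configured order and
    the responder accepts the first offer whose transform combination exactly
    equals one of its own sets. None means no SA, so the traffic is dropped."""
    for name, transforms in initiator:
        offered = frozenset(transforms)
        for rname, rtransforms in responder:
            if frozenset(rtransforms) == offered:
                return name, rname
    return None


def manual_sets_match(local: List[TransformSet], remote: List[TransformSet]) -> bool:
    """ipsec-manual entries: exactly one set on each side, and they must agree;
    nothing is negotiated, so a mismatch leaves the peers processing traffic
    by different rules."""
    return (len(local) == 1 and len(remote) == 1
            and frozenset(local[0][1]) == frozenset(remote[0][1]))
```

Because only the initiator's order matters, the same two peers can end up on different transform sets depending on which side initiates; the `negotiate` calls in both directions make that visible.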

Example

The following example defines two transform sets and specifies that they can both be used within a crypto map entry. (This example applies only when IKE is used to establish security associations. With crypto maps used for manually established security associations, only one transform set can be included in a given crypto map entry.)

crypto ipsec transform-set my_t_set1 esp-des esp-sha-hmac
crypto ipsec transform-set my_t_set2 ah-sha-hmac esp-des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set transform-set my_t_set1 my_t_set2
crypto map mymap 10 set peer 10.0.0.1 10.0.0.2

In this example, when traffic matches access list 101, the security association can use either transform set "my_t_set1" (first priority) or "my_t_set2" (second priority) depending on which transform set matches the IPSec peer's transform sets.

clear crypto [ipsec] sa

The clear crypto ipsec sa command deletes IPSec security associations.

If the security associations were established via IKE, they are deleted and future IPSec traffic will require new security associations to be negotiated. (When IKE is used, the IPSec security associations are established only when needed.)

If the security associations are manually established, the security associations are deleted and reinstalled. (When IKE is not used, the IPSec security associations are created as soon as the configuration is completed.)

If the peer, map, entry, or counters keywords are not used, all IPSec security associations will be deleted.

The peer keyword deletes any IPSec security associations for the specified peer.

The map keyword deletes any IPSec security associations for the named crypto map set.

The entry keyword deletes the IPSec security association with the specified address, protocol, and SPI.

If any of the previous commands cause a particular security association to be deleted, all the "sibling" security associations—that were established during the same IKE negotiation—are deleted as well.

The counters keyword simply clears the traffic counters maintained for each security association; it does not clear the security associations themselves.

If you make configuration changes that affect security associations, these changes will not apply to existing security associations but to negotiations for subsequent security associations. You can use the clear crypto sa command to restart all security associations so they will use the most current configuration settings. In the case of manually established security associations, if you make changes that affect security associations you must use the clear crypto sa command before the changes take effect.


Note   If you make significant changes to the IPSec configuration, such as access lists or peers, clear crypto sa will not be enough to activate the new configuration. In such a case, rebind the crypto map to the interface with the crypto map interface command.


If the PIX Firewall is processing active IPSec traffic, Cisco recommends that you only clear the portion of the security association database that is affected by the changes to avoid causing active IPSec traffic to temporarily fail.


Note   This command only clears IPSec security associations; to clear IKE state, use the clear crypto isakmp command.


Examples

The following example clears (and reinitializes if appropriate) all IPSec security associations at the PIX Firewall:

clear crypto sa

The following example clears (and reinitializes if appropriate) the security association established for destination address 10.0.0.1 using the AH protocol with SPI 256, together with the inbound and outbound sibling security associations established in the same negotiation:

clear crypto sa entry 10.0.0.1 AH 256

show crypto ipsec sa

The show crypto ipsec sa command allows you to view the settings used by current security associations. If no keyword is used, all security associations are displayed. They are sorted first by interface, and then by traffic flow (for example, source/destination address, mask, protocol, port). Within a flow, the security associations are listed by protocol (ESP/AH) and direction (inbound/outbound).

Examples

The following is a sample output for the show crypto ipsec sa command:

show crypto ipsec sa

interface: Ethernet0
    Crypto map tag: firewall-alice, local addr. 172.21.114.123
   local ident (addr/mask/prot/port): (172.21.114.123/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.21.114.67/255.255.255.255/0/0)
   current_peer: 172.21.114.67
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify 10
    #send errors 10, #recv errors 0
     local crypto endpt.: 172.21.114.123, remote crypto endpt.: 172.21.114.67
     path mtu 1500, media mtu 1500
     current outbound spi: 20890A6F
     inbound esp sas:
      spi: 0x257A1039(628756537)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 26, crypto map: firewall-alice
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     outbound esp sas:
      spi: 0x20890A6F(545852015)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 27, crypto map: firewall-alice
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
     outbound ah sas:
interface: Tunnel0
    Crypto map tag: firewall-alice, local addr. 172.21.114.123
   local  ident (addr/mask/prot/port): (172.21.114.123/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.21.114.67/255.255.255.255/0/0)
   current_peer: 172.21.114.67
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify 10
    #send errors 10, #recv errors 0
     local crypto endpt.: 172.21.114.123, remote crypto endpt.: 172.21.114.67
     path mtu 1500, media mtu 1500
     current outbound spi: 20890A6F
     inbound esp sas:
      spi: 0x257A1039(628756537)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 26, crypto map: firewall-alice
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     outbound esp sas:
      spi: 0x20890A6F(545852015)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 27, crypto map: firewall-alice
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
     outbound ah sas:

crypto map

To create, modify, view or delete a crypto map entry. Also used to delete a crypto map set. (Configuration mode.)

crypto map map-name client configuration address initiate | respond

no crypto map map-name client configuration address initiate | respond

crypto map map-name interface interface-name

no crypto map map-name interface interface-name

show crypto map [interface interface-name | tag map-name]

crypto map map-name seq-num ipsec-isakmp | ipsec-manual [dynamic dynamic-map-name]

no crypto map map-name seq-num

crypto map map-name seq-num match address access-list-name

no crypto map map-name seq-num match address access-list-name

crypto map map-name seq-num set peer hostname | ip-address

no crypto map map-name seq-num set peer hostname | ip-address

crypto map map-name seq-num set pfs [group1 | group2]

no crypto map map-name seq-num set pfs

crypto map map-name seq-num set security-association lifetime seconds seconds | kilobytes kilobytes

no crypto map map-name seq-num set security-association lifetime seconds seconds | kilobytes kilobytes

crypto map map-name seq-num set session-key inbound | outbound ah spi hex-key-string

no crypto map map-name seq-num set session-key inbound | outbound ah

crypto map map-name seq-num set session-key inbound | outbound esp spi cipher hex-key-string [authenticator hex-key-string]

no crypto map map-name seq-num set session-key inbound | outbound esp

crypto map map-name seq-num set transform-set transform-set-name1 [... transform-set-name6]

no crypto map map-name seq-num set transform-set transform-set-name1 [... transform-set-name6]


Note   See the section "Crypto Map Entries" in "," for more information about crypto maps.


Syntax Description

map map-name

The name of the crypto map set.

initiate

Indicates the PIX Firewall will attempt to set IP addresses for each peer.

respond

Indicates the PIX Firewall will accept requests for IP addresses from any requesting peer.

interface interface-name

Specify the identifying interface (outside or external) to be used by the PIX Firewall to identify itself to peers.

If IKE is enabled, and you are using a Certification Authority (CA) to obtain certificates, this should be the interface with the address specified in the CA certificates.

tag map-name

(Optional) Shows the crypto map set with the specified map-name.

seq-num

The number you assign to the crypto map entry.

ipsec-isakmp

Indicates that IKE will be used to establish the IPSec security associations for protecting the traffic specified by this crypto map entry.

ipsec-manual

Indicates that IKE will not be used to establish the IPSec security associations for protecting the traffic specified by this crypto map entry.

dynamic

(Optional) Specifies that this crypto map entry is to reference a pre-existing dynamic crypto map.

dynamic-map-name

(Optional) Specifies the name of the dynamic crypto map set to be used as the policy template.

access-list-name

Identifies the named encryption access list. This name should match the name argument of the named encryption access list being matched.

match address

Specify an access list for a crypto map entry.

set peer

Specify an IPSec peer in a crypto map entry.

hostname

Specify a peer by its host name. This is the peer's host name concatenated with its domain name. For example, myhost.example.com.

ip-address

Specify a peer by its IP address.

set pfs

Specify that IPSec should ask for perfect forward secrecy (PFS).

With PFS, every time a new security association is negotiated, a new Diffie-Hellman exchange occurs. (This exchange requires additional processing time.)

group1

Specifies that IPSec should use the 768-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.

group2

Specifies that IPSec should use the 1024-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.

seconds seconds

Specify the number of seconds a security association will live before it expires. The default is 28,800 seconds (eight hours).

kilobytes kilobytes

Specifies the volume of traffic (in kilobytes) that can pass between peers using a given security association before that security association expires.
The default is 4,608,000 kilobytes.

set session-key

Manually specify the IPSec session keys within a crypto map entry.

inbound

Sets the inbound IPSec session key.

(You must set both inbound and outbound keys.)

outbound

Sets the outbound IPSec session key.

(You must set both inbound and outbound keys.)

ah

Sets the IPSec session key for the AH protocol. Specify ah when the crypto map entry's transform set includes an AH transform.

AH protocol provides authentication via MD5-HMAC and SHA-HMAC.

spi

Specifies the security parameter index (SPI), a number that is used to uniquely identify a security association. The SPI is an arbitrary number you assign in the range of 256 to 4,294,967,295 (FFFF FFFF).

You can assign the same SPI to both directions and both protocols. However, not all peers have the same flexibility in SPI assignment. For a given destination address/protocol combination, unique SPI values must be used. The destination address is that of the firewall if inbound, the peer if outbound.

hex-key-string

Specifies the session key; enter in hexadecimal format. This is an arbitrary hexadecimal string of 16, 32, or 40 bytes. If the crypto map's transform set includes:

DES algorithm, specify at least 16 bytes per key.

MD5 algorithm, specify at least 32 bytes per key.

SHA algorithm, specify 40 bytes per key.

Longer key sizes are simply hashed to the appropriate length.

esp

Sets the IPSec session key for the ESP protocol. Specify esp when the crypto map entry's transform set includes an ESP transform.

The ESP protocol provides authentication, confidentiality, or both. Authentication is done via MD5-HMAC, SHA-HMAC, or NULL; confidentiality is done via DES, 3DES, or NULL.

cipher

Indicates the key string to use with the ESP encryption transform.

authenticator

(Optional) Indicates that the key string is to be used with the ESP authentication transform. This argument is required only when the crypto map entry's transform set includes an ESP authentication transform.

set transform-set

Specify which transform sets can be used with the crypto map entry.

transform-set-name

The name of the transform set.

For an ipsec-manual crypto map entry, you can specify only one transform set. For an ipsec-isakmp or dynamic crypto map entry, you can specify up to six transform sets.

transform1
transform2
transform3

Specify up to three transforms. Transforms define the IPSec security protocol(s) and algorithm(s). Each transform represents an IPSec security protocol (ESP, AH, or both) plus the algorithm you want to use.


Usage Guidelines

crypto map client configuration address

Use the crypto map client configuration address command to configure IKE Mode Configuration on your PIX Firewall. IKE Mode Configuration allows the PIX Firewall to download an IP address to the peer (client) as part of an IKE negotiation. With the crypto map client configuration address command, you define the crypto map(s) that should attempt to configure the peer.

Use the no crypto map client configuration address command to restore the default value. The IKE Mode Configuration is not enabled by default.

The keyword initiate indicates the PIX Firewall will attempt to set IP addresses for each peer. The respond keyword indicates the PIX Firewall will accept requests for IP addresses from any requesting peer.

See the section "About IKE Mode Configuration (Dynamic IP Address Assignment for Cisco Secure VPN Client)" in "," for more information about the IKE Mode Configuration.

Examples

The following examples configure IKE Mode Configuration on your PIX Firewall:

crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond

crypto map interface

The crypto map interface command applies a previously defined crypto map set to an interface. Use the no crypto map command to remove the crypto map set from the interface. Use the show crypto map [interface | tag] command to view the crypto map configuration.

Use this command to assign a crypto map set to an interface. You must assign a crypto map set to an interface before that interface can provide IPSec services. Only one crypto map set can be assigned to an interface. If multiple crypto map entries have the same map-name but a different seq-num, they are considered to be part of the same set and will all be applied to the interface. The crypto map entry with the lowest seq-num is considered the highest priority and will be evaluated first. A single crypto map set can contain a combination of ipsec-isakmp and ipsec-manual crypto map entries.


Note   Bind a crypto map only to the outside or ethernet0 interface because the PIX Firewall currently only supports IPSec on this interface. Although the PIX Firewall currently can simulate the Private Link inside termination with the use of the sysopt ipsec pl-compatible command, the termination on the inside interface is not a true termination. For more information on the sysopt ipsec pl-compatible command, see the sysopt command page.


Examples

The following example assigns crypto map set mymap to the outside interface. When traffic passes through the outside interface, the traffic will be evaluated against all the crypto map entries in the mymap set. When outbound traffic matches an access list in one of the mymap crypto map entries, an IPSec security association will be established per that crypto map entry's configuration (if no security association or connection already exists).

crypto map mymap interface outside

The following is sample output for the show crypto map command:

show crypto map

Crypto Map: "firewall-alice" pif: outside local address: 172.21.114.123
Crypto Map "firewall-alice" 10 ipsec-isakmp
        Peer = 172.21.114.67
        access-list 141 permit ip host 172.21.114.123 host 172.21.114.67
        Current peer: 172.21.114.67
        Security-association lifetime: 4608000 kilobytes/120 seconds
        PFS (Y/N): N
        Transform sets={ t1, }

The following configuration was in effect when the above show crypto map command was issued:

crypto map firewall-alice 10 ipsec-isakmp  
crypto map firewall-alice 10 set peer 172.21.114.67
crypto map firewall-alice 10 set transform-set t1 
crypto map firewall-alice 10 match address 141

The following is sample output for the show crypto map command when manually established security associations are used:

show crypto map

Crypto Map "multi-peer" 20 ipsec-manual
        Peer = 172.21.114.67
        access-list 120 permit ip host 1.1.1.1 host 1.1.1.2
        Current peer: 172.21.114.67
        Transform sets={ t2, }
        Inbound esp spi: 0, 
         cipher key: ,
         auth_key: ,
        Inbound ah spi: 256, 
            key: 010203040506070809010203040506070809010203040506070809,
        Outbound esp spi: 0
         cipher key: ,
         auth key: , 
        Outbound ah spi: 256, 
            key: 010203040506070809010203040506070809010203040506070809,

The following configuration was in effect when the above show crypto map command was issued:

crypto map multi-peer 20 ipsec-manual  
crypto map multi-peer 20 set peer 172.21.114.67
crypto map multi-peer 20 set session-key inbound ah 256
010203040506070809010203040506070809010203040506070809
crypto map multi-peer 20 set session-key outbound ah 256
010203040506070809010203040506070809010203040506070809
crypto map multi-peer 20 set transform-set t2 
crypto map multi-peer 20 match address 120

crypto map ipsec-manual | ipsec-isakmp

To create or modify a crypto map entry, use the crypto map ipsec-manual | ipsec-isakmp command. To create or modify an ipsec-manual crypto map entry, use the ipsec-manual option of the command. To create or modify an ipsec-isakmp crypto map entry, use the ipsec-isakmp option of the command. Use the no crypto map command to delete a crypto map entry or set.


Note   The crypto map command without a keyword creates an ipsec-isakmp entry by default.


Once a crypto map entry has been created, you cannot change the parameters specified at the global configuration level because these parameters determine which of the configuration commands are valid at the crypto map level. For example, once a map entry has been created as ipsec-isakmp, you cannot change it to ipsec-manual; you must delete and reenter the map entry.

After you define crypto map entries, you can use the crypto map interface command to assign the crypto map set to interfaces.

Crypto maps provide two functions: filtering/classifying traffic to be protected, and defining the policy to be applied to that traffic. The first use affects the flow of traffic on an interface; the second affects the negotiation performed (via IKE) on behalf of that traffic.

IPSec crypto maps link together definitions of the following:

What traffic should be protected

Which IPSec peer(s) the protected traffic can be forwarded to—these are the peers with which a security association can be established

Which transform sets are acceptable for use with the protected traffic

How keys and security associations should be used/managed (or what the keys are, if IKE is not used)

A crypto map set is a collection of crypto map entries each with a different seq-num but the same map-name. Therefore, for a given interface, you could have certain traffic forwarded to one peer with specified security applied to that traffic, and other traffic forwarded to the same or a different peer with different IPSec security applied. To accomplish this you would create two crypto maps, each with the same map-name, but each with a different seq-num.

The number you assign to the seq-num argument should not be arbitrary. This number is used to rank multiple crypto map entries within a crypto map set. Within a crypto map set, a crypto map entry with a lower seq-num is evaluated before a map entry with a higher seq-num; that is, the map entry with the lower number has a higher priority.

Examples

The following example shows the minimum required crypto map configuration when IKE will be used to establish the security associations:

crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set transform-set my_t_set1
crypto map mymap 10 set peer 10.0.0.1

The following example shows the minimum required crypto map configuration when the security associations are manually established:

crypto ipsec transform-set someset ah-md5-hmac esp-des
crypto map mymap 10 ipsec-manual
crypto map mymap 10 match address 102
crypto map mymap 10 set transform-set someset
crypto map mymap 10 set peer 10.0.0.5
crypto map mymap 10 set session-key inbound ah 256 98765432109876549876543210987654
crypto map mymap 10 set session-key outbound ah 256 fedcbafedcbafedcfedcbafedcbafedc
crypto map mymap 10 set session-key inbound esp 256 cipher 0123456789012345
crypto map mymap 10 set session-key outbound esp 256 cipher abcdefabcdefabcd

crypto map   ipsec-isakmp dynamic

To specify that a given crypto map entry is to reference a pre-existing dynamic crypto map, use the crypto map ipsec-isakmp dynamic command.

Use the crypto dynamic-map command to create dynamic crypto map entries. After you create a dynamic crypto map set, use the crypto map ipsec-isakmp dynamic command to add the dynamic crypto map set to a static crypto map.

Give crypto map entries that reference dynamic map sets the lowest priority, so that inbound security association negotiation requests try to match the static maps first. Only when a request matches none of the static maps should it be evaluated against the dynamic map set.

To make a crypto map entry that references a dynamic crypto map to be set to the lowest priority map entry, give the map entry the highest seq-num of all the map entries in a crypto map set.

For more information about dynamic maps, see the section "Dynamic Crypto Maps" in "."

Examples

The following example configures an IPSec crypto map set that includes a reference to a dynamic crypto map set.

Crypto map "mymap 10" allows security associations to be established between the PIX Firewall and either (or both) of two remote IPSec peers for traffic matching access list 101. Crypto map "mymap 20" allows either of two transform sets to be negotiated with the peer for traffic matching access list 102.

Crypto map entry "mymap 30" references the dynamic crypto map set "mydynamicmap," which can be used to process inbound security association negotiation requests that do not match "mymap" entries 10 or 20. In this case, if the peer specifies a transform set that matches one of the transform sets specified in "mydynamicmap" for a flow "permitted" by the access list 103, IPSec will accept the request and set up security associations with the peer without previously knowing about the peer. If accepted, the resulting security associations (and temporary crypto map entry) are established according to the settings specified by the peer.

The access list associated with "mydynamicmap 10" is also used as a filter. Inbound packets that match a permit statement in this list are dropped for not being IPSec protected. (The same is true for access lists associated with static crypto maps entries.) Outbound packets that match a permit statement without an existing corresponding IPSec security association are also dropped.

crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set transform-set my_t_set1
crypto map mymap 10 set peer 10.0.0.1
crypto map mymap 10 set peer 10.0.0.2
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address 102
crypto map mymap 20 set transform-set my_t_set1 my_t_set2
crypto map mymap 20 set peer 10.0.0.3

crypto dynamic-map mydynamicmap 10
crypto dynamic-map mydynamicmap 10 match address 103
crypto dynamic-map mydynamicmap 10 set transform-set my_t_set1 my_t_set2 my_t_set3
crypto map mymap 30 ipsec-isakmp dynamic mydynamicmap

crypto map   match address

To assign an extended access list to a crypto map entry, use the crypto map match address command. Use the no crypto map match address command to remove the extended access list from a crypto map entry.

This command is required for all static crypto map entries. If you are defining a dynamic crypto map entry (with the crypto dynamic-map command), this command is not required but is strongly recommended.

Use the access-list command to define this access list.

The access list specified with this command will be used by IPSec to determine which traffic should be protected by IPSec crypto and which traffic does not need protection. (Traffic that is permitted by the access list will be protected. Traffic that is denied by the access list will not be protected in the context of the corresponding crypto map entry.)


Note   The crypto access list is not used to determine whether to permit or deny traffic through the interface. An access list applied directly to the interface makes that determination.


The crypto access list specified by this command is used when evaluating both inbound and outbound traffic. Outbound traffic is evaluated against the crypto access lists specified by the interface's crypto map entries to determine if it should be protected by crypto, and if so (if traffic matches a permit entry), which crypto policy applies. (If necessary, in the case of static IPSec crypto maps, new security associations are established using the data flow identity as specified in the permit entry; in the case of dynamic crypto map entries, if no security association exists, the packet is dropped.) After passing the regular access lists at the interface, inbound traffic is evaluated against the crypto access lists specified by the entries of the interface's crypto map set to determine if it should be protected by crypto and, if so, which crypto policy applies. (In the case of IPSec, unprotected traffic is discarded because it should have been protected by IPSec.)

The access list is also used to identify the flow for which the IPSec security associations are established. In the outbound case, the permit entry is used as the data flow identity (in general), while in the inbound case the data flow identity specified by the peer must be "permitted" by the crypto access list.
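The evaluation order described in this section, as an added example that is not PIX code: a Python model of a crypto map set that applies the rules above (lower seq-num first, the dynamic reference last, a crypto access list permit selects the policy, unprotected inbound traffic and outbound traffic that hits a dynamic entry without a security association are dropped). The access lists, addresses and the CIDR form used to express them are constructed for this example; crypto ACLs on the PIX are real access-list entries with protocol ip.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class AclLine:
    action: str   # "permit" or "deny"; crypto ACLs classify per host or wider (protocol ip)
    local: str    # local network in CIDR form (constructed representation for the model)
    remote: str   # remote network in CIDR form


@dataclass
class CryptoMapEntry:
    name: str
    seq: int
    acl: list                  # the crypto access list bound with "match address"
    dynamic: bool = False      # True for an entry that references a dynamic map set
    peers: list = field(default_factory=list)


def acl_permits(acl, local, remote):
    """First matching line decides; no match means the flow is not protected by this entry."""
    for line in acl:
        if ip_address(local) in ip_network(line.local) and ip_address(remote) in ip_network(line.remote):
            return line.action == "permit"
    return False


def evaluate(crypto_map, local, remote, direction, ipsec_protected=False, sa_exists=False):
    """Classify one flow against a crypto map set.

    Returns (verdict, seq). Verdicts:
      "bypass"  - no entry permits the flow; the interface access lists alone decide it
      "protect" - outbound: an SA exists, or a static entry may negotiate one for the flow
      "accept"  - inbound and already IPSec-protected; that entry's policy applies
      "drop"    - inbound traffic that should have been protected, or outbound traffic
                  matching a dynamic entry when no security association exists
    """
    # Lower seq-num means higher priority. Entries that reference dynamic maps carry
    # the highest seq-num, so they are consulted only after every static entry fails.
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        if not acl_permits(entry.acl, local, remote):
            continue
        if direction == "inbound":
            return ("accept" if ipsec_protected else "drop", entry.seq)
        if sa_exists or not entry.dynamic:
            return ("protect", entry.seq)
        return ("drop", entry.seq)   # a dynamic entry cannot initiate negotiation
    return ("bypass", None)


# Constructed crypto map set mirroring the "mymap 10 / 20 / 30" layout used in this
# section; the address ranges are invented for the example.
ACL_101 = [AclLine("permit", "10.1.0.0/16", "10.2.0.0/16")]
ACL_102 = [AclLine("deny", "10.1.5.0/24", "10.3.0.0/16"),
           AclLine("permit", "10.1.0.0/16", "10.3.0.0/16")]
ACL_103 = [AclLine("permit", "10.1.0.0/16", "0.0.0.0/0")]
MYMAP = [
    CryptoMapEntry("mymap", 30, ACL_103, dynamic=True),        # listed first, evaluated last
    CryptoMapEntry("mymap", 10, ACL_101, peers=["10.0.0.1", "10.0.0.2"]),
    CryptoMapEntry("mymap", 20, ACL_102, peers=["10.0.0.3"]),
]

if __name__ == "__main__":
    print(evaluate(MYMAP, "10.1.1.1", "10.2.9.9", "outbound"))   # ('protect', 10)
    print(evaluate(MYMAP, "10.1.5.7", "10.3.1.1", "outbound"))   # ('drop', 30)
    print(evaluate(MYMAP, "10.1.1.1", "10.2.9.9", "inbound"))    # ('drop', 10)
```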


Note   Access list used by a crypto map must have "ip" as the protocol. In other words, the classification of IPSec traffic is per-host or greater.


Examples

The following example shows the minimum required crypto map configuration when IKE will be used to establish the security associations. (This example is for a static crypto map.)

crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set transform-set my_t_set1
crypto map mymap 10 set peer 10.0.0.1

crypto map set peer

Use the crypto map   set peer command to specify an IPSec peer in a crypto map entry. Use the no crypto map   set peer command to remove an IPSec peer from a crypto map entry.

This command is required for all static crypto maps. If you are defining a dynamic crypto map (with the crypto dynamic-map command), this command is not required, and in most cases is not used because, in general, the peer is unknown.

For ipsec-isakmp crypto map entries, you can specify multiple peers by repeating this command. The peer that packets are actually sent to is determined by the last peer that the PIX Firewall received either traffic or a negotiation request from for a given data flow. If the attempt fails with the first peer, IKE tries the next peer on the crypto map list.

For ipsec-manual crypto entries, you can specify only one peer per crypto map. If you want to change the peer, you must first delete the old peer and then specify the new peer.

You can specify the peer by its host name only if the host name is mapped to the peer's IP address in a DNS server or if you manually map the host name to the IP address with the ip host command.

Examples

The following example shows a crypto map configuration when IKE will be used to establish the security associations. In this example, a security association could be set up to either the peer at 10.0.0.1 or the peer at 10.0.0.2.

crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set transform-set my_t_set1
crypto map mymap 10 set peer 10.0.0.1 10.0.0.2

crypto map set pfs

The crypto map  set pfs command sets IPSec to ask for perfect forward secrecy (PFS) when requesting new security associations for this crypto map entry, or that IPSec requires PFS when receiving requests for new security associations. To specify that IPSec should not request PFS, use the no crypto map  set pfs command. This command is only available for ipsec-isakmp crypto map entries and dynamic crypto map entries.

By default, PFS is not requested.

With PFS, every time a new security association is negotiated, a new Diffie-Hellman exchange occurs, which requires additional processing time. PFS adds another level of security because if one key is ever cracked by an attacker, only the data sent with that key will be compromised.

During negotiation, this command causes IPSec to request PFS when requesting new security associations for the crypto map entry. The default (group1) is sent if the set pfs statement does not specify a group. If the peer initiates the negotiation and the local configuration specifies PFS, the peer must perform a PFS exchange or the negotiation will fail. If the local configuration does not specify a group, a default of group1 will be assumed, and an offer of either group1 or group2 will be accepted. If the local configuration specifies group2, that group must be part of the peer's offer or the negotiation will fail. If the local configuration does not specify PFS, it will accept any offer of PFS from the peer.

The 1024-bit Diffie-Hellman prime modulus group, group2, provides more security than group1, but requires more processing time than group1.

Examples

This example specifies that PFS should be used whenever a new security association is negotiated for the crypto map "mymap 10":

crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 set pfs group2

crypto map   set security-association lifetime

To override (for a particular crypto map entry) the global lifetime value, which is used when negotiating IPSec security associations, use the crypto map set security-association lifetime command. To reset a crypto map entry's lifetime value to the global value, use the no crypto map set security-association lifetime command.

The crypto map's security associations are negotiated according to the global lifetimes.

This command is only available for ipsec-isakmp crypto map entries and dynamic crypto map entries.

IPSec security associations use shared secret keys. These keys and their security associations time out together.

Assuming that the particular crypto map entry has lifetime values configured, when the PIX Firewall requests new security associations during security association negotiation, it will specify its crypto map lifetime value in the request to the peer; it will use this value as the lifetime of the new security associations. When the PIX Firewall receives a negotiation request from the peer, it will use the smaller of the lifetime value proposed by the peer or the locally configured lifetime value as the lifetime of the new security associations.

There are two lifetimes: a "timed" lifetime and a "traffic-volume" lifetime. The session keys/security association expires after the first of these lifetimes is reached.

If you change a lifetime, the change will not be applied to existing security associations, but will be used in subsequent negotiations to establish security associations for data flows supported by this crypto map entry. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear crypto sa command. See the clear crypto sa command for more details.

To change the timed lifetime, use the crypto map set security-association lifetime seconds command. The timed lifetime causes the keys and security association to time out after the specified number of seconds have passed.

To change the traffic-volume lifetime, use the crypto map set security-association lifetime kilobytes command. The traffic-volume lifetime causes the key and security association to time out after the specified amount of traffic (in kilobytes) has been protected by the security association's key.

Shorter lifetimes can make it harder to mount a successful key recovery attack, because the attacker has less data encrypted under the same key to work with.

However, shorter lifetimes require more CPU processing time.

The lifetime values are ignored for manually established security associations (security associations installed via an ipsec-manual crypto map entry).

For more information about how these lifetimes work, see "How These Lifetimes Work" in "."

Examples

This example shortens the timed lifetime for a particular crypto map entry, because there is a higher risk that the keys could be compromised for security associations belonging to the crypto map entry. The traffic-volume lifetime is not changed because there is not a high volume of traffic anticipated for these security associations. The timed lifetime is shortened to 2,700 seconds (45 minutes).

crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 set security-association lifetime seconds 2700

crypto map   set session-key

To manually specify the IPSec session keys within a crypto map entry, use the crypto map   set session-key command. Use the no crypto map   set session-key command to remove IPSec session keys from a crypto map entry. This command is only available for ipsec-manual crypto map entries.

If the crypto map's transform set includes:

an AH protocol, you must define IPSec keys for AH for both inbound and outbound traffic.

an ESP encryption protocol, you must define IPSec keys for ESP encryption for both inbound and outbound traffic.

an ESP authentication protocol, you must define IPSec keys for ESP authentication for inbound and outbound traffic.

When you define multiple IPSec session keys within a single crypto map, you can assign the same security parameter index (SPI) number to all the keys. The SPI is used to identify the security association used with the crypto map. However, not all peers have the same flexibility in SPI assignment.

You may have to coordinate SPI assignment with the peer's network administrator, making certain that the same SPI is not used more than once for the same destination address/protocol combination.

Security associations established using this command do not expire (unlike security associations established using IKE).

The PIX Firewall's session keys must match its peer's session keys.

If you change a session key, the security association using the key will be deleted and reinitialized.

Examples

The following example shows a crypto map entry for manually established security associations. The transform set "t_set" includes only an AH protocol.

crypto ipsec transform-set t_set ah-sha-hmac
crypto map mymap 20 ipsec-manual
crypto map mymap 20 match address 102
crypto map mymap 20 set transform-set t_set
crypto map mymap 20 set peer 10.0.0.21
crypto map mymap 20 set session-key inbound ah 300 1111111111111111111111111111111111111111
crypto map mymap 20 set session-key outbound ah 300 2222222222222222222222222222222222222222

The following example shows a crypto map entry for manually established security associations. The transform set "someset" includes both an AH and an ESP protocol, so session keys are configured for both AH and ESP for both inbound and outbound traffic. The transform set includes both encryption and authentication ESP transforms, so session keys are created for both using the cipher and authenticator keywords.

crypto ipsec transform-set someset ah-sha-hmac esp-des esp-sha-hmac
crypto map mymap 10 ipsec-manual
crypto map mymap 10 match address 101
crypto map mymap 10 set transform-set someset
crypto map mymap 10 set peer 10.0.0.1
crypto map mymap 10 set session-key inbound ah 300 9876543210987654321098765432109876543210
crypto map mymap 10 set session-key outbound ah 300 fedcbafedcbafedcbafedcbafedcbafedcbafedc
crypto map mymap 10 set session-key inbound esp 300 cipher 0123456789012345 authenticator 0000111122223333444455556666777788889999
crypto map mymap 10 set session-key outbound esp 300 cipher abcdefabcdefabcd authenticator 9999888877776666555544443333222211110000
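As an added check that is not part of PIX or of this reference, the following Python script lints ipsec-manual crypto map entries against the rules given for set session-key: every protocol in the transform set needs an inbound and an outbound key, ESP needs cipher and authenticator keys as its transforms require, and an SPI should not be reused for the same peer and protocol. The key lengths it enforces (16 bytes for md5-hmac, 20 for sha-hmac, 8 for des) are taken from this section's examples and are an assumption of the check; the mymap 30 entry is a constructed broken configuration.

```python
import re
from collections import defaultdict

# Key lengths in bytes as used by this section's examples (assumption of this check).
KEY_BYTES = {"md5-hmac": 16, "sha-hmac": 20, "des": 8}

SESSION_RE = re.compile(
    r"crypto map (\S+) (\d+) set session-key (inbound|outbound) (ah|esp) (\d+) (.+)")


def required_keys(transforms):
    """Map (protocol, key kind) -> required key length in bytes for a transform set."""
    req = {}
    for t in transforms:
        if t.startswith("ah-"):                                # AH: one authentication key
            req[("ah", "auth")] = KEY_BYTES[t[3:]]
        elif t == "esp-des":                                   # ESP encryption: cipher key
            req[("esp", "cipher")] = KEY_BYTES["des"]
        elif t.startswith("esp-") and t.endswith("-hmac"):     # ESP authentication
            req[("esp", "authenticator")] = KEY_BYTES[t[4:]]
    return req


def parse_config(lines):
    """Collect transform sets and the per-entry peer, transform set and session keys."""
    tsets = {}
    entries = defaultdict(lambda: {"keys": {}, "peer": None, "tset": None})
    for line in lines:
        parts = line.split()
        if line.startswith("crypto ipsec transform-set "):
            tsets[parts[3]] = parts[4:]
            continue
        m = SESSION_RE.match(line)
        if m:
            name, seq, direction, proto, spi, rest = m.groups()
            toks = rest.split()
            # AH lines carry a bare key; ESP lines carry "cipher KEY [authenticator KEY]".
            keys = {"auth": toks[0]} if proto == "ah" else dict(zip(toks[::2], toks[1::2]))
            entries[(name, int(seq))]["keys"][(direction, proto)] = (int(spi), keys)
        elif parts[:2] == ["crypto", "map"] and len(parts) >= 7 and parts[4] == "set":
            entry = entries[(parts[2], int(parts[3]))]
            if parts[5] == "transform-set":
                entry["tset"] = parts[6]
            elif parts[5] == "peer":
                entry["peer"] = parts[6]
    return tsets, entries


def lint(lines):
    """Return a list of problems found in the ipsec-manual entries of a configuration."""
    tsets, entries = parse_config(lines)
    problems, spi_owner = [], {}
    for (name, seq), e in sorted(entries.items()):
        label = f"{name} {seq}"
        if e["tset"] not in tsets:
            problems.append(f"{label}: transform set {e['tset']!r} is not defined")
            continue
        req = required_keys(tsets[e["tset"]])
        for direction in ("inbound", "outbound"):
            for (proto, kind), nbytes in req.items():
                spi_keys = e["keys"].get((direction, proto))
                hexkey = spi_keys[1].get(kind) if spi_keys else None
                if hexkey is None:
                    problems.append(f"{label}: missing {direction} {proto} {kind} key")
                elif len(hexkey) != 2 * nbytes or not re.fullmatch(r"[0-9a-fA-F]+", hexkey):
                    problems.append(f"{label}: {direction} {proto} {kind} key should be "
                                    f"{2 * nbytes} hex digits, got {len(hexkey)}")
        # An SPI must not be used by another entry for the same peer and protocol.
        for (direction, proto), (spi, _) in e["keys"].items():
            owner = spi_owner.setdefault((e["peer"], proto, direction, spi), label)
            if owner != label:
                problems.append(f"{label}: SPI {spi} for {direction} {proto} to peer "
                                f"{e['peer']} already used by {owner}")
    return problems


# The two example entries from this section (keys spelled out via repetition).
PAGE_EXAMPLE = [
    "crypto ipsec transform-set t_set ah-sha-hmac",
    "crypto map mymap 20 ipsec-manual",
    "crypto map mymap 20 set transform-set t_set",
    "crypto map mymap 20 set peer 10.0.0.21",
    "crypto map mymap 20 set session-key inbound ah 300 " + "1" * 40,
    "crypto map mymap 20 set session-key outbound ah 300 " + "2" * 40,
    "crypto ipsec transform-set someset ah-sha-hmac esp-des esp-sha-hmac",
    "crypto map mymap 10 ipsec-manual",
    "crypto map mymap 10 set transform-set someset",
    "crypto map mymap 10 set peer 10.0.0.1",
    "crypto map mymap 10 set session-key inbound ah 300 " + "9876543210" * 4,
    "crypto map mymap 10 set session-key outbound ah 300 " + "fedcba" * 6 + "fedc",
    "crypto map mymap 10 set session-key inbound esp 300 cipher 0123456789012345 "
    "authenticator " + "".join(d * 4 for d in "0123456789"),
    "crypto map mymap 10 set session-key outbound esp 300 cipher abcdefabcdefabcd "
    "authenticator " + "".join(d * 4 for d in "9876543210"),
]

# Constructed broken entry: short AH key, no ESP authenticator, no outbound ESP keys,
# and SPI 300 reused towards the same peer that mymap 10 already uses it for.
BROKEN_EXAMPLE = PAGE_EXAMPLE + [
    "crypto map mymap 30 ipsec-manual",
    "crypto map mymap 30 set transform-set someset",
    "crypto map mymap 30 set peer 10.0.0.1",
    "crypto map mymap 30 set session-key inbound ah 300 " + "1" * 32,
    "crypto map mymap 30 set session-key outbound ah 300 " + "2" * 40,
    "crypto map mymap 30 set session-key inbound esp 300 cipher 0123456789012345",
]

if __name__ == "__main__":
    print(lint(PAGE_EXAMPLE))          # []
    print("\n".join(lint(BROKEN_EXAMPLE)))
```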

crypto map   set transform-set

To specify which transform sets can be used with the crypto map entry, use the crypto map   set transform-set command. Use the no crypto map   set transform-set command to remove all transform sets from a crypto map entry.

This command is required for all static and dynamic crypto map entries.

For an ipsec-isakmp crypto map entry, you can list up to six transform sets with this command. List the higher priority transform sets first.

If the local PIX Firewall initiates the negotiation, the transform sets are presented to the peer in the order specified in the crypto map command statement. If the peer initiates the negotiation, the local PIX Firewall accepts the first transform set that matches one of the transform sets specified in the crypto map entry.

The first matching transform set that is found at both peers is used for the security association. If no match is found, IPSec will not establish a security association. The traffic will be dropped because there is no security association to protect the traffic.

For an ipsec-manual crypto map command statement, you can specify only one transform set. If the transform set does not match the transform set at the remote peer's crypto map, the two peers will fail to correctly communicate because the peers are using different rules to process the traffic.

If you want to change the list of transform sets, respecify the new list of transform sets to replace the old list. This change is only applied to crypto map command statements that reference this transform set. The change will not be applied to existing security associations, but will be used in subsequent negotiations to establish new security associations. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear crypto sa command.

Any transform sets included in a crypto map command statement must previously have been defined using the crypto ipsec transform-set command.

Example

The following example defines two transform sets and specifies that they can both be used within a crypto map entry. (This example applies only when IKE is used to establish security associations. With crypto maps used for manually established security associations, only one transform set can be included in a given crypto map command statement.)

crypto ipsec transform-set my_t_set1 esp-des esp-sha-hmac
crypto ipsec transform-set my_t_set2 ah-sha-hmac esp-des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set transform-set my_t_set1 my_t_set2
crypto map mymap 10 set peer 10.0.0.1 10.0.0.2

In this example, when traffic matches access list 101 the security association can use either transform set "my_t_set1" (first priority) or "my_t_set2" (second priority) depending on which transform set matches the remote peer's transform sets.

debug

Debug packets or ICMP tracings through the PIX Firewall. (Configuration mode.)

debug crypto ipsec

no debug crypto ipsec

debug crypto isakmp

no debug crypto isakmp

debug crypto ca

no debug crypto ca

debug icmp trace

no debug icmp trace

debug packet if_name [src source_ip [netmask mask]] [dst dest_ip [netmask mask]]
  [[proto icmp] | [proto tcp [sport src_port] [dport dest_port]] |
  [proto udp [sport src_port] [dport dest_port]]] [rx | tx | both]

no debug packet if_name [src source_ip [netmask mask]] [dst dest_ip [netmask mask]]
  [[proto icmp] | [proto tcp [sport src_port] [dport dest_port]] |
  [proto udp [sport src_port] [dport dest_port]]] [rx | tx | both]

debug sqlnet

no debug sqlnet

show debug

Syntax Description

if_name

Interface name from which the packets are arriving; for example, to monitor packets coming into the PIX Firewall from the outside, set if_name to outside.

src source_ip

Source IP address.

netmask mask

Network mask.

dst dest_ip

Destination IP address.

proto icmp

Display ICMP packets only.

proto tcp

Display TCP packets only.

sport src_port

Source port. See the "Ports" section in "" for a list of valid port literal names.

dport dest_port

Destination port.

proto udp

Display UDP packets only.

rx

Display only packets received at the PIX Firewall.

tx

Display only packets that were transmitted from the PIX Firewall.

both

Display both received and transmitted packets.


Usage Guidelines

The debug command lets you view debug information. The show debug command displays the current state of tracing. You can debug the contents of network layer protocol packets with debug packet.

The debug sqlnet command reports on traffic between Oracle SQL*Net clients and servers through the PIX Firewall. The debug icmp trace command shows ICMP packet information, the source IP address, and the destination address of packets arriving, departing, and traversing the PIX Firewall including pings to the PIX Firewall's own interfaces.

The debug crypto ipsec, debug crypto isakmp, and debug crypto ca commands let you debug IPSec connections. Use the no form of the command to disable debugging.

Use of the debug commands can slow down busy networks.

Trace Channel Feature

The debug icmp trace and debug sqlnet commands now send their output to the Trace Channel. The location of the Trace Channel depends on whether you have a simultaneous Telnet console session running at the same time as the console session, or if you are using only the PIX Firewall serial console:

If you are only using the PIX Firewall serial console, all debug commands display on the serial console.

If you have both a serial console session and a Telnet console session accessing the console, then no matter where you enter the debug icmp trace or the debug sqlnet commands, the output displays on the Telnet console session.

If you have two or more Telnet console sessions, the first session is the Trace Channel. If that session closes, the serial console session becomes the Trace Channel. The next Telnet console session that accesses the console will then become the Trace Channel.

The debug packet command only displays on the serial console. However, you can enable or disable this command from either the serial console or a Telnet console session.

The debug commands are shared between all Telnet and serial console sessions.


Note   The downside of the Trace Channel feature is that if one administrator is using the serial console and another administrator starts a Telnet console session, the serial console debug icmp trace and debug sqlnet output will suddenly stop without warning. In addition, the administrator on the Telnet console session will suddenly be viewing debug output, which may be unexpected. If you are using the serial console and debug output is not appearing, use the who command to see if a Telnet console session is running.


Additional debug Command Information


Note   Use of the debug packet command on a PIX Firewall experiencing a heavy load may result in the output displaying so fast that it may be impossible to stop the output by entering the no debug packet command from the console. You can enter the no debug packet command from a Telnet session.



Note   To let users ping through the PIX Firewall, add the conduit permit icmp any any command to the configuration. This lets pings go outbound and inbound.


To stop a debug packet trace command, enter:

no debug packet if_name

Replace if_name with the name of the interface; for example, inside, outside, or a perimeter interface name.

To stop a debug icmp trace command, enter:

no debug icmp trace

Examples

The following example turns on this command:

debug icmp trace

When you ping a host through the PIX Firewall from any interface, trace output displays on the console. The following example shows a successful ping from an external host (192.150.50.42) to the PIX Firewall's outside interface (192.150.50.1):

Inbound ICMP echo reply (len 32 id 1 seq 256) 192.150.50.1 > 192.150.50.42
Outbound ICMP echo request (len 32 id 1 seq 512) 192.150.50.42 > 192.150.50.1
Inbound ICMP echo reply (len 32 id 1 seq 512) 192.150.50.1 > 192.150.50.42
Outbound ICMP echo request (len 32 id 1 seq 768) 192.150.50.42 > 192.150.50.1
Inbound ICMP echo reply (len 32 id 1 seq 768) 192.150.50.1 > 192.150.50.42
Outbound ICMP echo request (len 32 id 1 seq 1024) 192.150.50.42 > 192.150.50.1
Inbound ICMP echo reply (len 32 id 1 seq 1024) 192.150.50.1 > 192.150.50.42
NO DEBUG ICMP TRACE
ICMP trace off

This example shows that the ICMP packet length is 32 bytes (len 32), that the ICMP packet identifier is 1 (id 1), and the ICMP sequence number (seq). The ICMP sequence number starts at 0 and is incremented each time a request is sent.

You can debug the contents of packets with the debug packet command:

debug packet inside
--------- PACKET ---------
-- IP --
4.3.2.1 ==>     255.3.2.1
        ver = 0x4       hlen = 0x5      tos = 0x0       tlen = 0x60
        id = 0x3902     flags = 0x0     frag off=0x0
        ttl = 0x20      proto=0x11      chksum = 0x5885
        -- UDP --
                source port = 0x89      dest port = 0x89
                len = 0x4c      checksum = 0xa6a0
        -- DATA --
                00000014:                                     00 01 00 00            | ....
                00000024: 00 00 00 01 20 45 49 45 50 45 47 45 47 45 46 46            | .... EIEPEGEGEFF
                00000034: 43 43 4e 46 41 45 44 43 41 43 41 43 41 43 41 43            | CCNFAEDCACACACAC
                00000044: 41 43 41 41 41 00 00 20 00 01 c0 0c 00 20 00 01            | ACAAA.. ..... ..
                00000054: 00 04 93 e0 00 06 60 00 01 02 03 04 00                     | ......`......
--------- END OF PACKET ---------

This display lists the information as it appears in a packet.

An example of the show debug command follows:

show debug
debug icmp trace off
debug packet off
debug sqlnet off

disable

Exit privileged mode and return to unprivileged mode. (Privileged mode.)

disable

Usage Guidelines

The disable command exits privileged mode and returns you to unprivileged mode. Use the enable command to return to privileged mode.

Example

The following example shows how to exit privileged mode:

pixfirewall# disable
pixfirewall>

domain-name

Change the IPSec domain name. (Configuration mode.)

domain-name name

Syntax Description

name

A domain name.


Usage Guidelines

The domain-name command lets you change the IPSec domain name.


Note   The change of the domain name causes the change of the fully qualified domain name. Once the fully qualified domain name is changed, delete the RSA key pairs with the ca zeroize rsa command and delete related certificates with the no ca identity ca_nickname command.


enable

Start privileged mode. (Unprivileged mode.)

enable

Usage Guidelines

The enable command starts privileged mode. The PIX Firewall prompts you for your privileged mode password. By default, a password is not required—press the Enter key at the Password prompt to start privileged mode. Use disable to exit privileged mode. Use enable password to change the password.

Example

The following example shows how to start privileged mode with the enable command and then configuration mode with the configure terminal command.

pixfirewall> enable
Password: 
pixfirewall# configure terminal
pixfirewall(config)#

enable password

Set the privileged mode password. (Privileged mode.)

enable password   password [encrypted]

show enable password

Syntax Description

password

A case-sensitive password of up to 16 alphanumeric characters.

encrypted

Specifies that the password you entered is already encrypted. The password must be 16 characters in length.


Usage Guidelines

The enable password command changes the privileged mode password, for which you are prompted after you enter the enable command. When the PIX Firewall starts and you enter privileged mode, the password prompt appears. There is not a default password (press the Enter key at the Password prompt). The show enable password command lists the encrypted form of the password.

You can return the enable password to its original value (press the Enter key at prompt) by entering:

pixfirewall# enable password
pixfirewall# 

Note   If you change the password, write it down and store it in a manner consistent with your site's security policy. Once you change this password, you cannot view it again. Also, ensure that all who access the PIX Firewall console are given this password.


Use the passwd command to set the password for PIX Firewall Manager and Telnet access to the PIX Firewall console. The default passwd value is cisco.

See also: passwd.

Examples

The following examples show how to start privileged mode with the enable command, change the enable password with the enable password command, enter configuration mode with the configure terminal command, and display the contents of the current configuration with the write terminal command:

pixfirewall> enable
Password:
pixfirewall# enable password w0ttal1fe
pixfirewall# configure terminal
pixfirewall(config)# write terminal
Building configuration...
...
enable password 2oifudsaoid.9ff encrypted
...

The following example shows the use of the encrypted option:

enable password 1234567890123456 encrypted
show enable password
enable password 1234567890123456 encrypted

enable password 1234567890123456
show enable password
enable password feCkwUGktTCAgIbD encrypted

established

Allow or disallow return connections based on an established connection. (Configuration mode.)

established protocol dst_port_1 [permitto protocol [dst_port_2[-dst_port_2]]] [permitfrom protocol [src_port[-src_port]]]

no established protocol dst_port_1 [permitto protocol [dst_port_2[-dst_port_2]]] [permitfrom protocol [src_port[-src_port]]]

clear established

show established

Syntax Description

protocol

IP protocol type of udp or tcp.

dst_port_1

The destination port to which you want to establish a connection. See the "Ports" section in "" for a list of valid port literal names.

dst_port_2

The destination port that you want the PIX Firewall to permit the connection to return on.

src_port

The source port on the server from which the return connection will originate.

permitto

Permit inbound connections to the specified port or protocol. This option only opens the destination port.

permitfrom

Permit inbound connections from the specified port or protocol. Used with the permitto option, the permitfrom option provides a more specific source port. If the permitfrom option is used by itself, it requests access from a specific port to any port.


Usage Guidelines

The established command lets the return leg of an outbound connection come back through the PIX Firewall on ports other than the ones the original connection used. This command works with two connections: an original connection outbound from a network protected by the PIX Firewall and a return connection from a server on an external host. The PIX Firewall finds dst_port_1 in its translation table and associates the established command information with the outbound translation. The outbound translation indicates the source and destination IP addresses.

The first protocol and port you specify is for the destination of the original connection. The permitto and permitfrom options refine the information you specify for the return connection.


Note   Cisco recommends that you always specify the established command with the permitto and permitfrom options. Without these options, the use of the established command opens a security hole that can be exploited for attack of your internal systems. See the "Security Problem" section that follows for more information.


The permitto option lets you specify a new protocol or port for the return connection at the PIX Firewall. The permitfrom option lets you specify a new protocol or port at the remote server. The no established command disables the established feature. The show established command shows the established commands in the configuration. The clear established command removes all established command statements from your configuration.


Note   For the established command to work, the client must listen on the port specified with the permitto option.


You can use the established command with a PAT or a non-PAT global command statement, as well as with the nat 0 command statement (where there are no global command statements).

The established command works as shown in the following format:

established A B permitto C D permitfrom E F

This command works as though it were written "For protocol A and port B, permit a connection back to the PIX Firewall through protocol C and port D, and, optionally, permit a return connection from the server over protocol E and port F."

For example:

established tcp 6060 permitto tcp 6061 permitfrom tcp 6059

In this case, a source connection starts using TCP port 6060. The PIX Firewall then lets the return connection come back in over TCP port 6061 from a server that is providing the same service at TCP port 6059.

For multimedia applications such as RealAudio, VDO, Xing, VocalTec, H.323, and CU-SeeMe, PIX Firewall handles return packet access through the firewall transparently. For other applications, such as Internet gaming, if the return packets are not passed correctly and the application does not work, the established command provides an alternative.

Security Problem

While this command is running, all UDP or TCP traffic is permitted between the client and server for the current TCP connection. This command only allows the host to which the inside client is connected to deliver UDP data or make high TCP port connections back to the client.

The established command can potentially open a large security hole in the PIX Firewall if not used with discretion. Whenever you use this command, if possible, also use the permitto and permitfrom options to indicate ports to which and from which access is permitted. Without these options, users outside the PIX Firewall can access any ports on servers behind the firewall that are accessible with the conduit and static commands.

The following example illustrates this problem:

static (inside,outside) 192.150.50.42 192.168.1.42 netmask 255.255.255.255 
conduit permit tcp host 192.150.50.42 eq http any
established tcp 0

In this example, inside host 192.168.1.42 can be accessed from the outside interface for Web access as permitted by the conduit command statement. Because this is a web server (using the HTTP port), access permission is granted to any outside host. However, the established command modifies the effect of the conduit command statement and lets any user access any port on the 192.168.1.42 server.

Examples

The following example occurs when a local host 10.1.1.1 starts a TCP connection on port 9999 to a foreign host 192.150.50.1. The example allows packets from the foreign host 192.150.50.1 on port 4242 back to local host 10.1.1.1 on port 5454:

established tcp 9999 permitto tcp 5454 permitfrom tcp 4242

The next example allows packets from foreign host 192.150.50.1 on any port back to local host 10.1.1.1 on port 5454:

established tcp 9999 permitto tcp 5454
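The following Python model is an added example and is not part of the PIX Firewall software or of this reference. It evaluates inbound packets against a small constructed configuration the way the text above describes the established command: a statement with no permitto or permitfrom on a host that also has static and conduit statements admits any outside host to any port, whereas the permitto/permitfrom form admits only the named ports, and only from the server the inside client actually reached. The classes, addresses and packets are assumptions made for the example; the real PIX Firewall matches through its xlate and conn tables and is more involved than this model.

```python
"""Model of what a PIX Firewall 'established' statement lets back in.

Added example, not PIX Firewall code: it applies the rule the text describes
(established A B [permitto C D] [permitfrom E F]) to candidate inbound packets.
Config classes, addresses and packets are constructed; the real PIX Firewall
matches through its xlate and conn tables and is more involved than this.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Port = Tuple[str, int]  # (protocol, port)

@dataclass(frozen=True)
class Conduit:      # conduit permit proto host global_ip eq port any
    global_ip: str
    proto: str
    port: int

@dataclass(frozen=True)
class Established:  # established A B [permitto C D] [permitfrom E F]
    proto: str
    dst_port: int   # B; 0 is treated as "any", as in the page's insecure example
    permitto: Optional[Port] = None
    permitfrom: Optional[Port] = None

@dataclass(frozen=True)
class Conn:         # an existing outbound connection (inside client -> server)
    local_ip: str
    server_ip: str
    proto: str
    server_port: int

@dataclass(frozen=True)
class Packet:       # inbound packet arriving on the outside interface
    src_ip: str
    src_port: int
    dst_ip: str     # global address of the inside host
    dst_port: int
    proto: str

@dataclass
class Config:
    statics: Dict[str, str] = field(default_factory=dict)   # global_ip -> local_ip (static)
    conduits: List[Conduit] = field(default_factory=list)
    established: List[Established] = field(default_factory=list)
    conns: List[Conn] = field(default_factory=list)

def allowed_by_conduit(cfg: Config, pkt: Packet) -> bool:
    return any(c.global_ip == pkt.dst_ip and c.proto == pkt.proto and c.port == pkt.dst_port
               for c in cfg.conduits)

def allowed_by_established(cfg: Config, pkt: Packet) -> bool:
    local = cfg.statics.get(pkt.dst_ip)     # only translated hosts are reachable at all
    if local is None:
        return False
    for rule in cfg.established:
        if rule.dst_port == 0:
            # Port 0 needs no matching outbound connection: every translated
            # host qualifies and, with no permitfrom, so does every sender.
            peers: List[Optional[Conn]] = [None]
        else:
            peers = [c for c in cfg.conns if c.local_ip == local
                     and c.proto == rule.proto and c.server_port == rule.dst_port]
        for conn in peers:
            if conn is not None and pkt.src_ip != conn.server_ip:
                continue  # return traffic may only come from the server the client reached
            if rule.permitto is not None and rule.permitto != (pkt.proto, pkt.dst_port):
                continue  # permitto pins the port the return connection may hit
            if rule.permitfrom is not None and rule.permitfrom != (pkt.proto, pkt.src_port):
                continue  # permitfrom pins the server-side source port
            return True
    return False

def inbound_allowed(cfg: Config, pkt: Packet) -> bool:
    return allowed_by_conduit(cfg, pkt) or allowed_by_established(cfg, pkt)

def hole_config(with_established: bool = True) -> Config:
    """The 'Security Problem' configuration from the text."""
    cfg = Config(statics={"192.150.50.42": "192.168.1.42"},
                 conduits=[Conduit("192.150.50.42", "tcp", 80)])
    if with_established:
        cfg.established.append(Established("tcp", 0))
    return cfg

def restricted_config() -> Config:
    """The recommended form: a port 9999 client with a 4242 -> 5454 return channel.
    The static for 10.1.1.1 is constructed so the return packet has a global address."""
    return Config(statics={"192.150.50.9": "10.1.1.1"},
                  established=[Established("tcp", 9999, ("tcp", 5454), ("tcp", 4242))],
                  conns=[Conn("10.1.1.1", "192.150.50.1", "tcp", 9999)])

if __name__ == "__main__":
    for port in (80, 23, 445):
        pkt = Packet("203.0.113.7", 40000, "192.150.50.42", port, "tcp")
        verdict = "PERMIT" if inbound_allowed(hole_config(), pkt) else "DENY"
        print(f"established tcp 0: any host -> web server port {port}: {verdict}")
    for src_port, dst_port in ((4242, 5454), (4243, 5454), (4242, 23)):
        pkt = Packet("192.150.50.1", src_port, "192.150.50.9", dst_port, "tcp")
        print(f"restricted: {src_port} -> {dst_port}: {inbound_allowed(restricted_config(), pkt)}")
```

Run stand-alone, the model reports PERMIT for ports 80, 23 and 445 on the web server while established tcp 0 is present, and DENY for everything except 4242 -> 5454 from 192.150.50.1 under the permitto/permitfrom form.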

exit

Exit an access mode. (All modes.)

exit

Usage Guidelines

Use the exit command to exit from an access mode. This command is the same as quit.

Example

The following example shows how to exit configuration mode and then privileged mode:

pixfirewall(config)# exit
pixfirewall# exit
pixfirewall>

failover

Change or view access to the optional failover feature. (Configuration mode.)

failover [active]

failover ip address if_name ip_address

failover link [stateful_if_name]

failover reset

failover timeout hh:mm:ss

no failover active

show failover

Syntax Description

active

Make a PIX Firewall the Active unit. Use this command when you need to force control of the connection back to the unit you are accessing, such as when you want to switch control back from a unit after you have fixed a problem and want to restore service to the Primary unit. Either enter no failover active on the secondary unit to switch service to the primary or failover active on the Primary unit.

if_name

Interface on which the Standby unit resides.

ip_address

The IP address used by the Standby unit to communicate with the Active unit. Use this IP address with the ping command to check the status of the Standby unit. This address must be on the same network as the system IP address. For example, if the system IP address is 192.159.1.3, set the failover IP address to 192.159.1.4.

link

Specify the interface where a fast LAN link is available for fast failover.

stateful_if_name

In addition to the failover cable, a dedicated fast LAN link is required to support Stateful Failover. Do not use FDDI because of its blocksize or Token Ring because Token Ring requires additional time to insert into the ring. The default interface is the highest LAN port with failover configured.

reset

Force both units back to an unfailed state. Use this command once the fault has been corrected. The failover reset command can be entered from either unit, but it is best to always enter commands at the Active unit. Entering the failover reset command at the Active unit will "unfail" the Standby unit.

timeout hh:mm:ss

Set the interval of time during which the secondary PIX Firewall admits all inbound and outbound traffic so that it can establish a translation slot table (xlates) for the traffic moving through the PIX Firewall. Once the xlates are created, the PIX Firewall resumes adaptive security. The effect of this feature is that Stateful Failover occurs after the 45 seconds required to allow the secondary unit to take over after the Primary unit fails. Because this duration is within the time in which a connection retries before being dropped, the failover will appear transparent to inbound and outbound users. Cisco recommends that the timeout value be set at 2 minutes or less. By default, this option is disabled.

Note   During the timeout interval, the PIX Firewall is placed in a non-secure state so that any host on the outside can access any inside host without requiring a conduit or static command statement.

Only use the timeout option with a static command containing the norandomseq option.


Usage Guidelines

Use the failover command without an argument after you connect the optional failover cable between your primary firewall and a secondary firewall. The default configuration has failover enabled. Enter no failover in the configuration file for the PIX Firewall if you will not be using the failover feature. Use the show failover command to verify the status of the connection and to determine which unit is active.

Use the failover active command on the Standby unit, or the no failover active command on the Active unit, to initiate a failover switch. You can use this feature to return a failed unit to service, or to force an Active unit offline for maintenance. Without Stateful Failover (see the failover link command), the Standby unit does not keep state information on each connection, so all active connections are dropped and must be re-established by the clients.

Use the failover link command to enable Stateful Failover.

If a failover IP address has not been entered, show failover will display 0.0.0.0 for the IP address, and monitoring of the interfaces will remain in "waiting" state. A failover IP address must be set for failover to work.

To configure failover:


Step 1 If you have a PIX 515, obtain a PIX-515-UR feature license key that lets you add the failover option. Then purchase the failover option, which includes the Secondary unit. If you have a PIX 520 or older model, purchase a second unit with the same connection license as the Primary unit.

Step 2 Install the Secondary unit as described in the Installation Guide for the Cisco Secure PIX Firewall Version 5.0 available in your accessory kit. If you are using Stateful Failover, install both units on 100 Mbps full-duplex LAN interfaces.

Step 3 Connect the failover cable as described in the Installation Guide for the Cisco Secure PIX Firewall Version 5.0.

Step 4 Only configure the Primary unit. When you enter the write memory command to save the configuration to Flash memory, the Primary unit updates the Secondary unit.

See "Failover" in "," for additional configuration information.

Examples

The following output shows that failover is enabled, and that the Primary unit state is active:

show failover
Failover On
Cable status: Normal
Reconnect time-out 0:00:00
        This host: Primary - Active
                Active time: 3456 (sec)
                Interface 4th (172.16.1.112): Normal
                Interface intf3 (192.168.3.2): Normal
                Interface intf2 (192.168.2.2): Normal
                Interface outside (192.168.1.8): Normal
                Interface inside (10.1.1.6): Normal
        Other host: Secondary - Standby
                Active time: 0 (sec)
                Interface 4th (172.16.1.111): Normal
                Interface intf3 (192.168.3.1): Normal
                Interface intf2 (192.168.2.1): Normal
                Interface outside (192.168.1.7): Normal
                Interface inside (10.1.1.2): Normal

Standby Logical Update Statistics
        Link : intf2
        Stateful Obj    xmit    xerr    rcv     rerr
        General         53      0       0       0
        sys cmd         53      0       0       0
        up time         0       0       0       0
        xlate           0       0       0       0
        tcp conn        0       0       0       0
        udp conn        0       0       0       0
        ARP tbl         0       0       0       0
        RIF Tbl         0       0       0       0

The "Cable status" has these values:

Normal—Indicates that the Active unit is working and that the Standby unit is ready.

Waiting—Indicates that monitoring of the other unit's network interfaces has not yet started.

Failed—Indicates that the PIX Firewall has failed.
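The following Python check is an added example, not PIX Firewall code. It parses show failover output of the form shown above and reports the conditions the text describes: failover off, a Cable status other than Normal, an interface whose state is not Normal, a 0.0.0.0 address (no failover ip address configured, so monitoring stays in the waiting state) and no unit in the Active role. The healthy sample is trimmed from the output above; the degraded sample is constructed.

```python
"""Health check over 'show failover' output.

Added example, not PIX Firewall code. HEALTHY is trimmed from the output in
the text; DEGRADED is constructed to show a pair whose secondary never had a
failover ip address set.
"""
import re
from typing import Dict, List

IFACE_RE = re.compile(r"Interface (\S+) \((\d+\.\d+\.\d+\.\d+)\): (\w+)")

HEALTHY = """Failover On
Cable status: Normal
Reconnect time-out 0:00:00
        This host: Primary - Active
                Active time: 3456 (sec)
                Interface outside (192.168.1.8): Normal
                Interface inside (10.1.1.6): Normal
        Other host: Secondary - Standby
                Active time: 0 (sec)
                Interface outside (192.168.1.7): Normal
                Interface inside (10.1.1.2): Normal
"""

# Constructed: failover ip address never entered, so the standby shows 0.0.0.0
# and interface monitoring never leaves the waiting state.
DEGRADED = """Failover On
Cable status: Waiting
Reconnect time-out 0:00:00
        This host: Primary - Active
                Active time: 12 (sec)
                Interface outside (192.168.1.8): Normal
                Interface inside (10.1.1.6): Normal
        Other host: Secondary - Standby
                Active time: 0 (sec)
                Interface outside (0.0.0.0): Waiting
                Interface inside (0.0.0.0): Waiting
"""


def parse_show_failover(text: str) -> Dict:
    """Pull the overall flags and the per-unit interface table out of the output."""
    parsed: Dict = {"failover_on": False, "cable_status": None, "hosts": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Failover "):
            parsed["failover_on"] = line.split()[1] == "On"
        elif line.startswith("Cable status:"):
            parsed["cable_status"] = line.split(":", 1)[1].strip()
        elif line.startswith(("This host:", "Other host:")):
            who, role = (part.strip() for part in line.split(":", 1))
            current = {"who": who, "role": role, "interfaces": []}
            parsed["hosts"].append(current)
        else:
            m = IFACE_RE.match(line)
            if m and current is not None:
                current["interfaces"].append((m.group(1), m.group(2), m.group(3)))
    return parsed


def failover_problems(text: str) -> List[str]:
    """Return a list of findings; an empty list means the pair looks healthy."""
    p = parse_show_failover(text)
    problems: List[str] = []
    if not p["failover_on"]:
        problems.append("failover is off")
    if p["cable_status"] != "Normal":
        problems.append(f"cable status is {p['cable_status']}")
    if not any(h["role"].endswith("Active") for h in p["hosts"]):
        problems.append("no unit is Active")
    for h in p["hosts"]:
        for name, ip, state in h["interfaces"]:
            if ip == "0.0.0.0":
                problems.append(f"{h['who']} ({h['role']}): no failover ip address on {name}")
            if state != "Normal":
                problems.append(f"{h['who']} ({h['role']}): interface {name} is {state}")
    return problems


if __name__ == "__main__":
    for label, sample in (("healthy", HEALTHY), ("degraded", DEGRADED)):
        findings = failover_problems(sample)
        print(f"{label}: {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

The check is meant to be fed the captured output of show failover from a console or Telnet session; the degraded sample produces five findings (the Waiting cable status plus a missing address and a non-Normal state on each of the two standby interfaces).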

You can view the IP addresses of the Standby unit with the show ip address command:

show ip address
System IP Addresses:
        ip address outside 192.150.50.2 255.255.255.0
        ip address inside 192.168.2.1 255.255.255.0
        ip address perimeter 192.150.70.3 255.255.255.0
Current IP Addresses:
        ip address outside 192.150.50.2 255.255.255.0
        ip address inside 192.168.2.1 255.255.255.0
        ip address perimeter 192.150.70.3 255.255.255.0

The Current IP Addresses are the same as the System IP Addresses on the failover Active unit. When the Primary unit fails, the Current IP Addresses become those of the Standby unit.

filter

Enable or disable outbound URL or HTML object filtering. (Configuration mode.)

filter activex port local_ip mask foreign_ip mask

no filter activex port local_ip mask foreign_ip mask

filter url http|except local_ip local_mask foreign_ip foreign_mask [allow]

no filter url http|except [local_ip local_mask foreign_ip foreign_mask]

show filter

Syntax Description

activex

Block outbound ActiveX, Java applets, and other HTML <object> tags from outbound packets.

url

Filter URLs (Universal Resource Locators) from data moving through the PIX Firewall.

http

filter url only: Filter HTTP (World Wide Web) URLs.

except

filter url only: Create an exception to a previous filter condition.

port

filter activex only: The port at which Web traffic is received on the PIX Firewall. The port must be specified as a numeric value, not a literal like "www."

local_ip

The IP address of the highest security level interface from which access is sought. You can set this address to 0.0.0.0 (or in shortened form, 0) to specify all hosts.

local_mask

Network mask of local_ip. You can use 0.0.0.0 (or in shortened form, 0) to specify all hosts.

foreign_ip

The IP address of the lowest security level interface to which access is sought. You can use 0.0.0.0 (or in shortened form, 0) to specify all hosts.

foreign_mask

Network mask of foreign_ip. Always specify a specific mask value. You can use 0.0.0.0 (or in shortened form, 0) to specify all hosts.

allow

filter url only: When the server is unavailable, let outbound connections pass through PIX Firewall without filtering. If you omit this option, and if the WebSENSE server goes offline, PIX Firewall stops outbound port 80 (Web) traffic until the WebSENSE server is back online.


Usage Guidelines

The sections that follow describe each type of filter.

filter activex

The filter activex command filters out ActiveX, Java applets, and other HTML <object> usages from outbound packets.

ActiveX controls, formerly known as OLE or OCX controls, are components you can insert in a web page or other application. These controls include custom forms, calendars, or any of the extensive third-party forms for gathering or displaying information. As a technology, ActiveX creates many potential problems for network clients: it can cause workstations to fail, introduce network security problems, or be used to attack servers.

This feature blocks the HTML <object> tag and comments it out within the HTML web page.


Note   The <object> tag is also used for Java applets, image files, and multimedia objects, which will also be blocked by the filter activex command. If the <object> or </object> HTML tags split across network packets or if the code in the tags is longer than the number of bytes in the MTU, PIX Firewall cannot block the tag.



Note   The port must be specified as a numeric value, not as a literal such as "www."



Note   ActiveX blocking does not occur when users access an IP address referenced by the alias command.


filter activex Example

To specify that all outbound connections have ActiveX blocking, use:

filter activex 80 0 0 0 0

This command specifies that the ActiveX blocking applies to Web traffic on port 80 from any local host and for connections to any foreign host.
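The following Python model is an added example, not PIX Firewall code. It comments <object> elements out of an HTML buffer as the text describes, and then runs the same filter one TCP segment at a time to show the bypass described in the Note above: an <object> start tag split across two segments is not matched in either segment and reaches the browser intact. The exact comment form the PIX Firewall writes is not given here, so wrapping the element in an HTML comment is an assumption; the sample page, its placeholder CLSID and the split point are constructed.

```python
"""Model of 'filter activex': comment out <object> elements, and show why a
tag split across TCP segments gets through.

Added example, not PIX Firewall code. Wrapping the element in <!-- --> is an
assumption about the comment form; the page and the CLSID are constructed.
"""
import re
from typing import List

OBJECT_RE = re.compile(r"<object\b.*?</object\s*>", re.IGNORECASE | re.DOTALL)
COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)


def comment_out_objects(html: str) -> str:
    """Neutralise every complete <object>...</object> element in this buffer."""
    # "--" inside a comment would end it early, so soften it before wrapping.
    return OBJECT_RE.sub(lambda m: "<!--" + m.group(0).replace("--", "- -") + "-->", html)


def filter_per_segment(segments: List[str]) -> str:
    """Run the filter over each segment on its own, as a device that does not
    reassemble the stream must, then return the page as the browser sees it."""
    return "".join(comment_out_objects(seg) for seg in segments)


def live_objects(html: str) -> int:
    """Count <object> elements a browser would still act on (not commented out)."""
    return len(OBJECT_RE.findall(COMMENT_RE.sub("", html)))


# Constructed page: one ActiveX control and one ordinary image, both carried by
# <object>, which is why the Note warns that images and applets are hit too.
PAGE = (
    "<html><body><h1>Welcome</h1>\n"
    '<object classid="clsid:00000000-0000-0000-0000-000000000000">'
    '<param name="src" value="control.cab"></object>\n'
    '<object data="logo.png" type="image/png"></object>\n'
    "</body></html>\n"
)


def split_inside_first_tag(html: str, offset: int = 5) -> List[str]:
    """Cut the stream a few bytes into the first <object> start tag."""
    cut = html.index("<object") + offset
    return [html[:cut], html[cut:]]


if __name__ == "__main__":
    print("unfiltered :", live_objects(PAGE), "live objects")
    print("one buffer :", live_objects(comment_out_objects(PAGE)), "live objects")
    print("per segment:", live_objects(filter_per_segment(split_inside_first_tag(PAGE))),
          "live object survives the split start tag")
```

Filtering the whole page leaves no live <object> element; filtering the two segments separately leaves the split ActiveX element live while the intact image element in the second segment is still commented out.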

filter url

The filter url command lets you prevent outbound users from accessing World Wide Web URLs that you designate using the WebSENSE filtering application.

The allow option to the filter command determines how the PIX Firewall behaves in the event that the WebSENSE server goes offline. If you use the allow option with the filter command and the WebSENSE server goes offline, port 80 traffic passes through the PIX Firewall without filtering. Used without the allow option and with the server offline, PIX Firewall stops outbound port 80 (Web) traffic until the server is back online, or if another URL server is available, passes control to the next URL server.


Note   With the allow option set, PIX Firewall now passes control to an alternate server if the WebSENSE server goes offline.


To filter URLs:


Step 1 Designate a WebSENSE server with the url-server command.

Step 2 Enable filtering with the filter command.

Step 3 If needed, improve throughput with the url-cache command. However, this command does not update WebSENSE logs, which may affect WebSENSE accounting reports. Accumulate WebSENSE run logs before using the url-cache command.

Step 4 Use the show url-cache stats and the show perfmon commands to view run information.

Information on WebSENSE is available at: http://www.websense.com/products/websense/

filter url Example

The following example filters all outbound HTTP connections except those from the 10.0.2.54 host:

url-server (perimeter) host 10.0.1.1
filter url http 0 0 0 0
filter url except 10.0.2.54 255.255.255.255 0 0

fixup protocol

Change, enable, disable, or list a PIX Firewall application protocol feature. (Configuration mode.)

fixup protocol ftp [port]

fixup protocol http [port[-port]]

fixup protocol h323 [port[-port]]

fixup protocol rsh [514]

fixup protocol smtp [port[-port]]

fixup protocol sqlnet [port[-port]]

no fixup protocol protocol [port[-port]]

clear fixup

show fixup [protocol protocol]

Syntax Description

protocol

Specify the protocol to fix up: ftp, http, h323, rsh, smtp, sqlnet.

port 

Specify the port number or range for the application protocol. The default ports are: 21 for ftp, 80 for http, 1720 for h323, 514 for rsh, 25 for smtp, and 1521 for sqlnet. The default port value for rsh cannot be changed, but additional port statements can be added. See the "Ports" section in "" for a list of valid port literal names.


Usage Guidelines

The fixup protocol commands let you view, change, enable, or disable the use of a service or protocol through the PIX Firewall. The ports you specify are those that the PIX Firewall listens at for each respective service. You can change the port value for each service except rsh. The fixup protocol commands are always present in the configuration and are enabled by default.

The fixup protocol command lets the Adaptive Security Algorithm inspect an application protocol on port numbers other than the defaults. The command is global: it changes inspection for both inbound and outbound connections and cannot be restricted to particular static command statements.

The FTP port can be changed; however, if you change the default of port 21 to something like 2021, all FTP control connections must happen on port 2021. FTP control connections on port 21 will no longer work.

You can add multiple port settings for each protocol with separate commands; for example:

fixup protocol ftp 21
fixup protocol ftp 4254
fixup protocol ftp 9090

These commands cause PIX Firewall to listen to the standard FTP port of 21 but also to listen for FTP traffic at ports 4254 and 9090.

The clear fixup command removes fixup commands from the configuration that you added. It does not remove the default fixup protocol commands.

The show fixup command lists all values; the show fixup protocol protocol command lists an individual protocol.

The fixup protocol smtp command enables the Mail Guard feature, which only lets mail servers receive the RFC 821, section 4.5.1 commands of HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT. All other commands are rejected with the "500 command unrecognized" reply code.
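The following Python model is an added example, not PIX Firewall code. It filters a constructed SMTP client session the way Mail Guard is described above: only HELO, MAIL, RCPT, DATA, RSET, NOOP and QUIT are forwarded, and anything else (here EHLO, VRFY and EXPN, the latter two being the classic user-enumeration probes) is answered with 500 command unrecognized. Two simplifications are assumptions: the filter itself returns the 500 reply, and after DATA the message lines are passed through untouched up to the terminating period, since they are not commands. Note that EHLO is not in the list, so ESMTP extension negotiation is blocked along with the unwanted commands.

```python
"""Model of the Mail Guard command filter that 'fixup protocol smtp' enables.

Added example, not PIX Firewall code. Only the RFC 821 section 4.5.1 minimum
set the text lists is forwarded; everything else gets "500 command
unrecognized". Assumptions: the guard itself sends the 500 reply, and after
DATA it passes message lines through until the terminating "." because in
SMTP those lines are data, not commands. The session below is constructed.
"""
from typing import List, Tuple

MAIL_GUARD_COMMANDS = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
REJECT_REPLY = "500 command unrecognized"


def mail_guard(client_lines: List[str]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (lines forwarded to the mail server, [(rejected line, reply)])."""
    forwarded: List[str] = []
    rejected: List[Tuple[str, str]] = []
    in_data = False
    for line in client_lines:
        if in_data:                      # message body: not a command, pass it on
            forwarded.append(line)
            in_data = line != "."
            continue
        verb = line.split(None, 1)[0].upper() if line.strip() else ""
        if verb in MAIL_GUARD_COMMANDS:
            forwarded.append(line)
            in_data = verb == "DATA"
        else:
            rejected.append((line, REJECT_REPLY))
    return forwarded, rejected


# Constructed client session: user-enumeration probes (VRFY/EXPN) and an ESMTP
# greeting (EHLO) mixed in with an ordinary delivery.
SESSION = [
    "EHLO attacker.example",
    "HELO attacker.example",
    "VRFY root",
    "EXPN staff",
    "MAIL FROM:<alice@example.com>",
    "RCPT TO:<bob@example.net>",
    "DATA",
    "Subject: hello",
    "",
    "VRFY this line is body text, not a command",
    ".",
    "QUIT",
]


def rejected_verbs(client_lines: List[str] = SESSION) -> List[str]:
    """The command verbs Mail Guard refused in a session."""
    _, rejected = mail_guard(client_lines)
    return [line.split(None, 1)[0].upper() for line, _ in rejected]


if __name__ == "__main__":
    forwarded, rejected = mail_guard(SESSION)
    for line, reply in rejected:
        print(f"C: {line!r:40} S(guard): {reply}")
    print("forwarded to server:", forwarded)
```

On the constructed session the guard refuses EHLO, VRFY and EXPN and forwards the remaining nine lines, including the VRFY text inside the message body, which is data rather than a command.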

You can disable the fixup of a protocol by removing all fixups of the protocol from the configuration using the no fixup command. After you remove all fixups for a protocol, the no fixup form of the command or the default port is stored in the configuration.

The fixup protocol h323 command provides support for Intel InternetPhone, CU-SeeMe, CU-SeeMe Pro, MeetingPoint, and MS NetMeeting.


Note   If there is a no fixup protocol http command statement in the configuration, the filter url command does not work.


Examples

The following example enables access to an inside server running Mail Guard:

static (inside, outside) 192.150.50.1 192.168.42.1 netmask 255.255.255.0
conduit permit tcp host 192.150.50.1 eq smtp any
fixup protocol smtp 25

This example shows the default fixup protocol values:

show fixup
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521

The following example shows the commands to disable Mail Guard:

static (dmz1,outside) 192.150.50.1 10.1.1.1 netmask 255.255.255.255
conduit permit tcp host 192.150.50.1 eq smtp any
no fixup protocol smtp 25

In this example, the static command sets up a global address to permit outside hosts access to the 10.1.1.1 mail server host on the dmz1 interface. (The MX record for DNS needs to point to the 192.150.50.1 address so that mail is sent to this address.) The conduit command lets any outside users access the global address through the SMTP port (25). The no fixup protocol command disables the Mail Guard feature.

flashfs

Clear Flash memory or display Flash memory sector sizes. (Configuration mode.)

clear flashfs

show flashfs


Note   Only use the clear flashfs command before downgrading the PIX Firewall software to an older version.


Usage Guidelines

The clear flashfs command clears Flash memory.

The show flashfs command displays the size in bytes of each Flash memory sector.

The data in each sector is as follows:

file 0—PIX Firewall binary image, where the .bin file is stored.

file 1—PIX Firewall configuration data that you can view with the show config command.

file 2—PIX Firewall datafile that stores IPSec key and certificate information

file 3—flashfs information for the show flashfs command.

Example

Use the following command to clear Flash memory:

clear flashfs

Use the following commands to display the Flash memory sector sizes:

show flashfs
flash file system:  version:1  magic:0x12345679
  file 0: origin:       0 length:1794104
  file 1: origin: 2095104 length:1496
  file 2: origin:       0 length:0
  file 3: origin: 2096640 length:140
clear flashfs
show flashfs
flash file system:  version:0  magic:0x0
  file 0: origin:       0 length:0
  file 1: origin:       0 length:0
  file 2: origin:       0 length:0
  file 3: origin:       0 length:0

The origin values are integer multiples of the underlying Flash memory sector size.

floodguard

Enable or disable Flood Defender to protect against flood attacks. (Configuration mode.)

floodguard enable|disable

show floodguard

Syntax Description

enable

Enable Flood Defender.

disable

Disable Flood Defender.


Usage Guidelines

The floodguard command lets you reclaim PIX Firewall resources if the user authentication (uauth) subsystem runs out of resources. If an inbound or outbound uauth connection is being attacked or overused, the PIX Firewall will actively reclaim TCP user resources.

When the resources deplete, the PIX Firewall lists messages about it being out of resources or out of tcpusers.

If the PIX Firewall uauth subsystem is depleted, TCP user resources in different states are reclaimed depending on urgency in the following order:

1 Timewait

2 FinWait

3 Embryonic

4 Idle

The floodguard command is enabled by default.

Example

The following example enables the floodguard command and lists the floodguard command statement in the configuration:

floodguard enable
show floodguard
floodguard enable

global

Create or delete entries from a pool of global addresses. (Configuration mode.)

global [(if_name)] nat_id global_ip[-global_ip] [netmask global_mask]

no global [(if_name)] nat_id [global_ip[-global_ip] [netmask global_mask]]

show global

Syntax Description

if_name

The external network where you use these global addresses.

nat_id

A positive number shared with the nat command that groups the nat and global command statements together. The valid ID numbers can be any positive number up to 2,147,483,647.

global_ip

One or more global IP addresses that the PIX Firewall shares among its connections.
If the external network is connected to the Internet, each global IP address must be registered with the Network Information Center (NIC). You can specify a range of IP addresses by separating the addresses with a dash (-).

You can create a Port Address Translation (PAT) global command statement by specifying a single IP address. You can have one PAT global command statement per interface. A PAT can support up to 65,535 xlate objects.

netmask

Reserved word that prefaces the network global_mask variable.

global_mask

The network mask for global_ip. If subnetting is in effect, use the subnet mask; for example, 255.255.255.128. If you specify an address range that overlaps subnets, global will not use the broadcast or network addresses in the pool of global addresses. For example, if you use 255.255.255.128 and an address range of 192.150.50.20-192.150.50.140, the 192.150.50.127 broadcast address and the 192.150.50.128 network address will not be included in the pool of global addresses.


Usage Guidelines

The global command defines a pool of global addresses. The global addresses in the pool provide an IP address for each outbound connection, and for those inbound connections resulting from outbound connections. Ensure that associated nat and global command statements have the same nat_id.

After changing or removing a global command statement, use the clear xlate command.

Use the no global command to remove access to a nat_id, or to a PAT address, or address range within a nat_id. Use the show global command to view the global command statements in the configuration.

Usage Notes

1 You can enable the PAT (Port Address Translation) feature by entering a single IP address with the global command. You can have one PAT per interface. PAT lets multiple outbound sessions appear to originate from a single IP address. With PAT enabled, the firewall chooses a unique port number from the PAT IP address for each outbound xlate (translation slot). This feature is valuable when an Internet service provider cannot allocate enough unique IP addresses for your outbound connections. An IP address you specify for a PAT cannot be used in another global address pool.

2 When a PAT augments a pool of global addresses, first the addresses from the global pool are used, then the next connection is taken from the PAT address. If a global pool address frees, the next connection takes that address. The global pool addresses always come first, before a PAT address is used. Augment a pool of global addresses with a PAT by using the same nat_id in the global command statements that create the global pools and the PAT. For example:

global (outside) 1 192.150.50.1-192.150.50.10 netmask 255.255.255.0
global (outside) 1 192.150.50.42 netmask 255.255.255.0

3 PAT does not work with H.323 applications and caching nameservers. Do not use a PAT when multimedia applications need to be run through the firewall. Multimedia applications can conflict with port mappings provided by PAT.

4 PAT works with DNS, FTP and passive FTP, HTTP, mail, RPC, rshell, Telnet, URL filtering, and outbound traceroute.

5 IP addresses in the pool of global addresses specified with the global command require reverse DNS entries to ensure that all external network addresses are accessible through the PIX Firewall. To create reverse DNS mappings, use a DNS PTR record in the address-to-name mapping file for each global address. For more information on DNS, refer to DNS and BIND, by Paul Albitz and Cricket Liu, O'Reilly & Associates, Inc., ISBN 1-56592-010-4. Without the PTR entries, sites can experience slow or intermittent Internet connectivity and FTP requests that consistently fail. For example, if a global IP address is 192.150.50.1 and the domain for the PIX Firewall is pix.domain.com, the PTR record would be:

1.50.150.192.in-addr.arpa. IN PTR pix.domain.com.
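The following Python code is an added example, not PIX Firewall code. It works through three points from the usage notes above on constructed input: the mask rule that drops the network and broadcast address of every subnet a range crosses (255.255.255.128 over 192.150.50.20-192.150.50.140 removes .127 and .128), the PTR record each pool address needs, and the pool-before-PAT allocation order, including a freed pool address being reused before the PAT address is touched. The PAT port numbering and the host names are assumptions.

```python
"""Worked model of a 'global' address pool: which addresses the mask rule keeps,
the PTR records the text asks for, and the pool-before-PAT allocation order.

Added example, not PIX Firewall code. The PAT port numbering (starting at 1024)
and the host names are assumptions; the ranges are the ones used in the text.
"""
import ipaddress
from typing import List, Optional, Tuple


def global_pool(first: str, last: str, mask: str) -> List[str]:
    """Expand first-last under mask, skipping each subnet's network and broadcast address."""
    start, end = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    pool: List[str] = []
    for n in range(int(start), int(end) + 1):
        addr = ipaddress.IPv4Address(n)
        net = ipaddress.IPv4Interface(f"{addr}/{mask}").network
        if addr in (net.network_address, net.broadcast_address):
            continue
        pool.append(str(addr))
    return pool


def ptr_record(addr: str, name: str) -> str:
    """Reverse-DNS entry for one global address, in zone-file form."""
    return f"{ipaddress.IPv4Address(addr).reverse_pointer}. IN PTR {name}."


class GlobalAllocator:
    """Hands out xlates the way usage note 2 describes: pool first, then PAT."""

    def __init__(self, pool: List[str], pat: Optional[str] = None, first_pat_port: int = 1024):
        self.free = list(pool)
        self.pat = pat
        self.next_port = first_pat_port   # assumption: PAT ports handed out sequentially

    def allocate(self) -> Tuple[str, Optional[int]]:
        if self.free:
            return self.free.pop(0), None             # one-to-one xlate from the pool
        if self.pat is None:
            raise RuntimeError("global pool exhausted and no PAT address configured")
        port, self.next_port = self.next_port, self.next_port + 1
        return self.pat, port                         # many-to-one xlate on the PAT address

    def release(self, addr: str, port: Optional[int] = None) -> None:
        if port is None:
            self.free.append(addr)                    # a freed pool address is used next


if __name__ == "__main__":
    pool = global_pool("192.150.50.20", "192.150.50.140", "255.255.255.128")
    print(len(pool), "usable addresses; .127 and .128 excluded:",
          "192.150.50.127" not in pool and "192.150.50.128" not in pool)
    print(ptr_record("192.150.50.1", "pix.domain.com"))
    alloc = GlobalAllocator(global_pool("192.150.50.1", "192.150.50.2", "255.255.255.0"),
                            pat="192.150.50.42")
    for _ in range(3):
        print("xlate ->", alloc.allocate())
```

The 121-address range yields 119 usable pool addresses once .127 and .128 are dropped, and the small two-address pool with a PAT address shows the third connection landing on the PAT address with a port, then a released pool address being taken by the next connection.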

Examples

The following example declares two global pool ranges and a PAT address. Then the nat command permits all inside users to start connections to the outside network:

global (outside) 1 192.150.50.1-192.150.50.10 netmask 255.255.255.0
global (outside) 1 192.150.50.42 netmask 255.255.255.0
Global 192.150.50.42 will be Port Address Translated
nat (inside) 1 0 0
clear xlate

The next example creates a global pool from two contiguous Class C addresses and gives the perimeter hosts access to this pool of addresses:

global (outside) 1000 192.150.50.1-192.150.50.254
global (outside) 1000 192.150.51.1-192.150.51.254
nat (perimeter) 1000 0 0

help

Display help information. (Unprivileged mode.)

help

?

Usage Guidelines

The help or ? command displays help information about all commands. You can view help for an individual command by entering the command name followed by a question mark or just the command name and pressing the Enter key.

If the pager command is enabled and when 24 lines display, the listing pauses, and the following prompt appears:

<--- More --->

The More prompt uses syntax similar to the UNIX more command:

To view another screenful, press the Space bar.

To view the next line, press the Enter key.

To return to the command line, press the q key.

Example

The following example shows how you can display help information by following the command name with a question mark:

enable ?
usage: enable password <pw> [encrypted]

Help information is available on the core commands (not the show, no, or clear commands) by entering ? at the command prompt:

?
aaa        Enable, disable, or view TACACS+ or RADIUS
           user authentication, authorization and accounting

hostname

Change the host name in the PIX Firewall command line prompt. (Configuration mode.)

hostname newname

Syntax Description

newname

New host name for the PIX Firewall prompt. This name can be up to 16 alphanumeric characters and mixed case.


Usage Guidelines

The hostname command changes the host name label on prompts. The default host name is pixfirewall.


Note   The change of the host name causes the change of the fully qualified domain name. Once the fully qualified domain name is changed, delete the RSA key pairs with the ca zeroize rsa command and delete related certificates with the no ca identity ca_nickname command.


Example

The following example shows how to change a host name:

pixfirewall(config)# hostname spinner
spinner(config)# hostname pixfirewall
pixfirewall(config)# 

interface

Identify network interface speed and duplex. (Configuration mode.)

interface hardware_id [hardware_speed] [shutdown]

clear interface

show interface

Syntax Description

hardware_id

Identifies the network interface type. Possible values are ethernet0, ethernet1 to ethernetn, fddi0 or fddi1, token-ring0, token-ring1, to token-ringn, depending on how many network interfaces are in the firewall.

hardware_speed

Network interface speed (optional). Do not specify a hardware_speed for a FDDI interface.

Possible Ethernet values are:

10baset—Set for 10 Mbps Ethernet half duplex communication.

10full—Set for 10 Mbps Ethernet full duplex communication.

100basetx—Set for 100 Mbps Ethernet half duplex communication.

100full—Set for 100 Mbps Ethernet full duplex communication.

aui—Set for 10 Mbps Ethernet half duplex communication with an AUI cable interface.

auto—Set Ethernet speed automatically. The auto keyword can only be used with the Intel 10/100 automatic speed sensing network interface card, which shipped with the PIX Firewall units manufactured after November 1996.

bnc—Set for 10 Mbps Ethernet half duplex communication with a BNC cable interface.

Possible Token Ring values are:

4mbps—4 Mbps data transfer speed. You can specify this as 4.

16mbps—(default) 16 Mbps data transfer speed. You can specify this as 16.

shutdown

Disable an interface.


Usage Guidelines

The interface command identifies the speed and duplex settings of the network interface boards.
Use show interface to view information about the interface.

The clear interface command resets all of the statistics for FDDI, Token Ring, and Ethernet interface cards except those that count normal traffic.

The shutdown option lets you disable an interface. When you first install PIX Firewall version 5.0, all interfaces are shut down by default. You must explicitly enable an interface by entering the command without the shutdown option. If the shutdown option does not exist in the command, packets are passed by the driver to and from the card.

If the shutdown option does exist, packets are dropped in either direction. Inserting a new card defaults to the default interface command containing the shutdown option. (That is, if you add a new card and then enter the write memory command, the shutdown option is saved into Flash memory for the interface.) When upgrading from a previous version to the current version, interfaces are enabled.

The configuration of the interface affects buffer allocation (the PIX Firewall will allocate more buffers for higher line speeds). Buffer allocation can be checked with the show blocks command.


Note   The show interface command reports "line protocol down" for BNC cable connections and for 3Com cards.



Note   Even though the default is to set automatic speed sensing for the interfaces with the interface hardware_id auto command, it is safest to specify the speed of the network interfaces; for example, 10baset or 100basetx. This lets PIX Firewall operate in network environments that may include switches or other devices that do not handle auto sensing correctly.


Usage Notes

1 When you use the interface token-ring command, also use the mtu command to set the block size depending on the interface speed.

2 After changing an interface command, use the clear xlate command.

show interface Notes

The show interface command lets you view network interface information for both Ethernet and Token Ring, depending on which is installed in your PIX Firewall. This is one of the first commands you should use when establishing network connectivity after installing a PIX Firewall.

The information in the show interface display is as follows:

The ethernet, fddi, or token-ring interface strings indicate that you have used the interface command to configure the interface. The statement indicates either outside or inside and whether the interface is available ("up") or not available ("down").

"line protocol up" means a working cable is plugged into the network interface. If the message is "line protocol down," either the cable is incorrect or not plugged into the interface connector.

Network interface type.

Interrupt vector. It is acceptable for interface cards to have the same interrupts because PIX Firewall uses interrupts to get Token Ring information, but polls Ethernet cards.

MAC address. Intel cards start with "i" and 3Com cards with "3c."

MTU (maximum transmission unit): the largest packet size, in bytes, that can be sent over the network from this interface.

"nn packets input" indicates that packets are being received in the firewall.

"nn packets output" indicates that packets are being sent from the firewall.

Line duplex status: half duplex indicates that the network interface switches back and forth between sending and receiving information; full duplex indicates that the network interface can send or receive information simultaneously.

Line speed: 10baset is listed as 10000 Kbit; 100basetx is listed as 100000 Kbit.

Interface problems:

no buffer means the PIX Firewall is out of memory or slowed down due to heavy traffic and cannot keep up with the received data.

runts are packets with less information than expected.

giants are packets with more information than expected.

CRC (cyclic redundancy check) are packets that contain corrupted data (checksum error).

frame errors are framing errors.

ignored and aborted errors are provided for future use, but are not currently checked; the PIX Firewall does not ignore or abort frames.

underruns occur when the PIX Firewall is overwhelmed and cannot get data fast enough to the network interface card.

overruns occur when the network interface card is overwhelmed and cannot buffer received information before more needs to be sent.

Example

The following example assigns names to each interface, enables auto detection for the interface parameters, and then shows interface activity:

nameif ethernet0 outside security0
nameif token-ring0 inside security100
nameif ethernet1 DMZ security50
interface ethernet0 auto
interface token-ring0 16mbps
interface ethernet1 auto
show interface
interface ethernet0 "outside" is up, line protocol is up
              Hardware is i82557 ethernet, irq 10, address is 0060.7380.2f16
              IP address 192.150.50.1, subnet mask 255.255.0.0
              MTU 1500 bytes, BW 100000 Kbit half duplex
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        1 packets output, 0 bytes, 0 underruns
interface token-ring0 "inside" is up, line protocol is up
              Hardware is o3137 token-ring, irq 9, address is 0000.8326.72c6
             IP address 10.0.0.1, subnet mask 255.0.0.0
             MTU 8192 bytes, BW 16000 Kbit, Ring-speed: 16Mbps
        116 packets input, 27099 bytes, 0 no buffer
        Received 116 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 116 frame, 0 overrun, 0 ignored, 0 abort
        3 packets output, 150 bytes, 0 underruns
interface ethernet1 "DMZ" is up, line protocol is up
              Hardware is i82557 ethernet, irq 9, address is 00a0.c95d.0282
              IP address 127.0.0.1, subnet mask 255.255.255.0
              MTU 1500 bytes, BW 10000 Kbit half duplex
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 packets output, 0 bytes, 0 underruns 
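The "Interface problems" counters above are what an operator checks first after installation. The following parser is an added example, not part of the PIX documentation: it reads the show interface output shown above (copied inline as a constructed sample) and reports, per interface, the conditions the page tells you to look at, including an interface still sitting at the default address 127.0.0.1.

```python
import re

# Constructed sample: the show interface output from the page's example, copied
# inline so the parser runs offline.
SAMPLE_SHOW_INTERFACE = """\
interface ethernet0 "outside" is up, line protocol is up
              Hardware is i82557 ethernet, irq 10, address is 0060.7380.2f16
              IP address 192.150.50.1, subnet mask 255.255.0.0
              MTU 1500 bytes, BW 100000 Kbit half duplex
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        1 packets output, 0 bytes, 0 underruns
interface token-ring0 "inside" is up, line protocol is up
              Hardware is o3137 token-ring, irq 9, address is 0000.8326.72c6
             IP address 10.0.0.1, subnet mask 255.0.0.0
             MTU 8192 bytes, BW 16000 Kbit, Ring-speed: 16Mbps
        116 packets input, 27099 bytes, 0 no buffer
        Received 116 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 116 frame, 0 overrun, 0 ignored, 0 abort
        3 packets output, 150 bytes, 0 underruns
interface ethernet1 "DMZ" is up, line protocol is up
              Hardware is i82557 ethernet, irq 9, address is 00a0.c95d.0282
              IP address 127.0.0.1, subnet mask 255.255.255.0
              MTU 1500 bytes, BW 10000 Kbit half duplex
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 packets output, 0 bytes, 0 underruns
"""

HEADER_RE = re.compile(
    r'^interface (\S+) "([^"]*)" is (up|down), line protocol is (up|down)')
HARDWARE_RE = re.compile(r'Hardware is (\S+) (\S+), irq (\d+), address is (\S+)')
IP_RE = re.compile(r'IP address (\S+), subnet mask (\S+)')
MTU_BW_RE = re.compile(r'MTU (\d+) bytes, BW (\d+) Kbit')
# Every counter the page lists under "Interface problems".
COUNTER_RE = re.compile(
    r'(\d+) (no buffer|runts|giants|CRC|frame|overrun|ignored|abort|underruns)\b')

# Meaning of each non-zero counter, as the page describes it.
COUNTER_MEANING = {
    "no buffer": "out of memory or cannot keep up with received data",
    "runts": "packets shorter than expected",
    "giants": "packets longer than expected",
    "CRC": "corrupted data (checksum error)",
    "frame": "framing errors",
    "overrun": "NIC cannot buffer received data fast enough",
    "underruns": "PIX cannot feed the NIC fast enough",
}
DEFAULT_ADDRESS = "127.0.0.1"   # interface address until ip address is configured


def parse_show_interface(text):
    """Parse PIX 5.0 'show interface' output into one dict per interface."""
    interfaces = []
    cur = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = {"hardware_id": m.group(1), "name": m.group(2),
                   "up": m.group(3) == "up",
                   "line_protocol_up": m.group(4) == "up", "counters": {}}
            interfaces.append(cur)
            continue
        if cur is None:
            continue
        if (m := HARDWARE_RE.search(line)):
            cur["type"], cur["irq"], cur["mac"] = m.group(2), int(m.group(3)), m.group(4)
        elif (m := IP_RE.search(line)):
            cur["ip"], cur["netmask"] = m.group(1), m.group(2)
        elif (m := MTU_BW_RE.search(line)):
            cur["mtu"], cur["bw_kbit"] = int(m.group(1)), int(m.group(2))
        for count, kind in COUNTER_RE.findall(line):
            cur["counters"][kind] = int(count)
    return interfaces


def diagnose(iface):
    """Return the problems the page's show interface notes tell you to check."""
    findings = []
    if not iface["up"]:
        findings.append("interface is down (shutdown)")
    if not iface["line_protocol_up"]:
        findings.append("line protocol down: cable incorrect or not plugged in")
    if iface.get("ip") == DEFAULT_ADDRESS:
        findings.append("still has default address 127.0.0.1; no ip address configured")
    for kind, count in iface["counters"].items():
        # 'ignored' and 'abort' are reserved for future use and never incremented
        if count and kind in COUNTER_MEANING:
            findings.append(f"{count} {kind}: {COUNTER_MEANING[kind]}")
    return findings


if __name__ == "__main__":
    for iface in parse_show_interface(SAMPLE_SHOW_INTERFACE):
        print(iface["hardware_id"], iface["name"], diagnose(iface) or "ok")
```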

ip

Identify addresses for local pool and network interfaces. (Configuration mode.)

ip local pool pool_name pool_start-address[-pool_end-address]

no ip local pool pool_name pool_start-address[-pool_end-address]

show ip local pool pool_name ip_address[-ip_address]

ip address if_name ip_address [netmask]

show ip

Syntax Description

pool_name

Local pool name.

pool_start_address
pool_end_address

Local pool IP address range.

if_name

The internal or external interface name designated by the nameif command.

ip_address

PIX Firewall's network interface IP address.

netmask

Network mask of ip_address.


Usage Guidelines

The ip local pool command lets you create a pool of local addresses to be used for assigning dynamic IP addresses to remote VPN clients. The address range of this pool of local addresses must not overlap with any command statement that lets you specify an IP address. To delete an address pool, use the no ip local pool command. Use the show ip local pool command to view usage information about the pool of local addresses.

To reference this pool of local addresses, use the isakmp client configuration address-pool command. See the isakmp command page for more information.

The ip address command lets you assign an IP address to each interface. Use the show ip command to view which addresses are assigned to the network interfaces. If you make a mistake while entering this command, re-enter the command with the correct information.

After changing an ip address command, use the clear xlate command.


Note   Do not set the netmask to all 255s, such as 255.255.255.255. This stops access on the interface. Instead, use a network address of 255.255.255.0 for Class C addresses, 255.255.0.0 for Class B addresses, or 255.0.0.0 for Class A addresses.


The default address for an interface is 127.0.0.1.

PIX Firewall configurations using failover require a separate IP address for each network interface on the Standby unit. The system IP address is the address of the Active unit. When the show ip address command is executed on the Active unit, the current IP address is the same as the system IP address. When the show ip address command is executed on the Standby unit, the system IP address is the failover IP address configured for the Standby unit.

ip address Example

The following example shows how to list IP addresses:

show ip address
System IP Addresses:
        ip address outside 192.150.50.2 255.255.255.0
        ip address inside 192.168.2.1 255.255.255.0
        ip address perimeter 192.150.70.3 255.255.255.0
Current IP Addresses:
        ip address outside 192.150.50.2 255.255.255.0
        ip address inside 192.168.2.1 255.255.255.0
        ip address perimeter 192.150.70.3 255.255.255.0

The Current IP Addresses are the same as the System IP Addresses on the failover Active unit. When the Primary unit fails, the Current IP Addresses become those of the Standby unit.

ip local pool Example

The following example creates a pool of IP addresses and then displays the pool contents:

ip local pool mypool 10.0.0.10-10.0.0.20
show ip local pool mypool

Pool        Begin        End          Free    In use
mypool      10.0.0.10    10.0.0.20    11      0

Available Addresses:
10.0.0.10
10.0.0.11
10.0.0.12
10.0.0.13
10.0.0.14
10.0.0.15
10.0.0.16
10.0.0.17
10.0.0.18
10.0.0.19
10.0.0.20

ipsec

Configure IPSec policy. (Configuration mode; however, the clear ipsec command is Privileged mode.)

clear ipsec

ipsec ...

show ipsec

Usage Guidelines

The clear ipsec command clears an IPSec policy. The ipsec command is a shortened form of the crypto ipsec command. See the crypto ipsec command page for information on all other command options and examples. The show ipsec command displays the current policy.

isakmp

Negotiates IPSec security associations and enables IPSec secure communications.
(Configuration mode.)

isakmp client configuration address-pool local pool-name [interface-name]

no isakmp client configuration address-pool local pool-name

isakmp enable interface-name

no isakmp enable interface-name

isakmp identity address | hostname

no isakmp identity

isakmp key keystring address peer-address [netmask]

no isakmp key keystring address peer-address

isakmp policy priority authentication pre-share | rsa-sig

no isakmp policy priority authentication pre-share | rsa-sig

isakmp policy priority encryption des | 3des

no isakmp policy priority encryption des | 3des

isakmp policy priority group 1 | 2

no isakmp policy priority group 1 | 2

isakmp policy priority hash md5 | sha

no isakmp policy priority hash md5 | sha

isakmp policy priority lifetime seconds

no isakmp policy priority lifetime seconds

show isakmp policy

show isakmp sa

clear isakmp


Note   See "About IKE" in "," for more information about this IPSec feature.


Syntax Description

pool-name

Specifies the name of the local address pool from which the dynamic client IP address is allocated.

interface-name

The name of the interface on which to enable ISAKMP negotiation.

peer-address

Specify the IP address of the IPSec peer.

peer-hostname

Specify the hostname of the IPSec peer.

key keystring

Specify the authentication pre-shared key. Use any combination of alphanumeric characters up to 128 bytes. This pre-shared key must be identical at both peers.

address peer-address

Specify the peer IP address for the pre-shared key.

netmask

(Optional) The IP address 0.0.0.0 can be entered as a wildcard, indicating that the key can be used for any peer that does not have a key associated with its specific IP address.

policy priority

Uniquely identifies the IKE policy and assigns a priority to the policy. Use an integer from 1 to 65,534, with 1 being the highest priority and 65,534 the lowest.

authentication pre-share

Specifies pre-shared keys as the authentication method.

authentication
rsa-sig

Specifies RSA signatures as the authentication method.

RSA signatures provide non-repudiation for the IKE negotiation. This basically means you can prove to a third party whether you had an IKE negotiation with the peer.

encryption des

Specifies that 56-bit DES-CBC is to be used as the encryption algorithm in the IKE policy.

encryption 3des

Specifies the Triple DES encryption algorithm is to be used in the IKE policy.

group 1

Specifies the 768-bit Diffie-Hellman group is to be used in the IKE policy. This is the default value.

group 2

Specifies the 1024-bit Diffie-Hellman group is to be used in the IKE policy.

hash md5

Specifies MD5 (HMAC variant) as the hash algorithm to be used in the IKE policy.

hash sha

Specifies SHA-1 (HMAC variant) as the hash algorithm to be used in the IKE policy. This is the default hash algorithm.

lifetime seconds

Specifies how many seconds each security association should exist before expiring. Use an integer from 60 to 86,400 seconds (one day).


Usage Guidelines

isakmp client configuration address-pool local

The isakmp client configuration address-pool local command associates a local address pool with IKE, so that IKE can allocate an address from that pool to a remote client. Use the no crypto isakmp client configuration address-pool local command to restore the default value.

Before using this command, use the ip local pool command to define a pool of local addresses to be assigned to a remote IPSec peer.

Examples

The following example references IP address local pools to IKE with "mypool" as the pool-name:

isakmp client configuration address-pool local mypool outside

isakmp enable

The isakmp enable command is used to enable ISAKMP negotiation on the interface on which the IPSec peer will communicate with the PIX Firewall. ISAKMP is enabled by default. Use the no isakmp enable command to disable IKE.


Note   The PIX Firewall currently only supports IPSec on the outside interface. Although the PIX Firewall currently can simulate the Private Link inside termination with the use of the sysopt ipsec pl-compatible command, the termination on the inside interface is not a true termination. For more information on the sysopt ipsec pl-compatible command, see the sysopt command page.


Examples

The following example shows how to disable IKE on the outside interface:

no isakmp enable outside

isakmp identity

To define the ISAKMP identity the PIX Firewall uses when participating in the IKE protocol, use the isakmp identity command. Use the no isakmp identity command to reset the ISAKMP identity to the default value of IP address.

When two peers use IKE to establish IPSec security associations, each peer sends its ISAKMP identity to the remote peer. It sends either its IP address or its host name, depending on how its ISAKMP identity is set. By default, the PIX Firewall's ISAKMP identity is set to the IP address. As a general rule, set the PIX Firewall's and its peer's identities in the same way to avoid an IKE negotiation failure. Such a failure can occur when either the PIX Firewall or its peer does not recognize the other's identity, or when a DNS lookup is unable to resolve the identity.

Examples

The following example uses pre-shared keys between the PIX Firewall and its peer and sets both their ISAKMP identities to hostname.

At the PIX Firewall, the ISAKMP identity is set to hostname:

isakmp identity hostname

At the peer, the ISAKMP identity is set to hostname:

isakmp identity hostname

isakmp key

To configure a pre-shared authentication key, use the isakmp key command. Use the no isakmp key command to delete a pre-shared authentication key. You would configure this key at both peers whenever you specify pre-shared keys in an IKE policy. Otherwise the policy cannot be used because it will not be submitted for matching by the IKE process.


Note   The PIX Firewall or any IPSec peer can use the same authentication key with multiple peers, but this is not as secure as using a unique authentication key between each pair of peers.


The isakmp key command is the second task required to configure the pre-shared keys at the peers. (The first task is accomplished with the isakmp identity command.)

Use the address keyword if the peer ISAKMP identity is set to its IP address. Otherwise, use the hostname keyword.

Examples

The following example shows "sharedkeystring" as the authentication key to share between the PIX Firewall and its peer. The peer's ISAKMP identity in this example was previously set using the keyword hostname. Thus in this example, we again use the hostname keyword to specify the peer's hostname.

isakmp key sharedkeystring hostname mypeer.example.com

isakmp policy authentication

The isakmp policy authentication command allows you to specify the authentication method within an IKE policy. IKE policies define a set of parameters to be used during IKE negotiation.

If you specify RSA signatures, you must configure the PIX Firewall and its peer to obtain certificates from a CA. If you specify pre-shared keys, you must separately configure these pre-shared keys within the PIX Firewall and its peer.

Use the no isakmp policy authentication command to reset the authentication method to the default value of RSA signatures.

Examples

The following example shows use of the isakmp policy authentication command. This example sets the authentication method of rsa-signatures to be used within the IKE policy with the priority number of 40.

isakmp policy 40 authentication rsa-sig

isakmp policy encryption

To specify the encryption algorithm within an IKE policy, use the isakmp policy encryption command. IKE policies define a set of parameters to be used during IKE negotiation.

DES and 3DES are the two encryption algorithm options available.

Use the no isakmp policy encryption command to reset the encryption algorithm to the default value, which is des.

Examples

The following example shows use of the isakmp policy encryption command. This example sets the Triple DES algorithm to be used within the IKE policy with the priority number of 40.

isakmp policy 40 encryption 3des

isakmp policy group

Use the isakmp policy group command to specify the Diffie-Hellman group to be used in an IKE policy. IKE policies define a set of parameters to be used during IKE negotiation.

There are two group options: 768-bit or 1024-bit. The 1024-bit Diffie Hellman provides stronger security, but it requires more CPU time to execute.

Use the no isakmp policy group command to reset the Diffie-Hellman group identifier to the default value of group 1, 768-bit Diffie Hellman.

Examples

The following example shows use of the isakmp policy group command. This example sets group 2, the 1024-bit Diffie Hellman, to be used within the IKE policy with the priority number of 40.

isakmp policy 40 group 2

isakmp policy hash

Use the isakmp policy hash command to specify the hash algorithm to be used in an IKE policy. IKE policies define a set of parameters to be used during IKE negotiation.

There are two hash algorithm options: SHA-1 and MD5. MD5 has a smaller digest and is considered to be slightly faster than SHA-1.

To reset the hash algorithm to the default value of SHA-1, use the no isakmp policy hash command.

Examples

The following example shows use of the isakmp policy hash command. This example sets the MD5 hash algorithm to be used within the IKE policy with the priority number of 40.

isakmp policy 40 hash md5

isakmp policy lifetime

To specify the lifetime of an IKE security association before it expires, use the isakmp policy lifetime command. Use the no isakmp policy lifetime command to reset the security association lifetime to the default value of 86,400 seconds (one day).

When IKE begins negotiations, it looks to agree upon the security parameters for its own session. The agreed-upon parameters are then referenced by a security association at each peer. The security association is retained by each peer until the security association's lifetime expires. Before a security association expires, it can be reused by subsequent IKE negotiations, which can save time when setting up new IPSec security associations. New security associations are negotiated before current security associations expire.

To save setup time for IPSec, configure a longer IKE security association lifetime. However, the shorter the lifetime (up to a point), the more secure the IKE negotiation is likely to be.


Note   When PIX Firewall initiates an IKE negotiation between itself and an IPSec peer, an IKE policy can be selected only if the lifetime of the peer's policy is shorter than or equal to the lifetime of its policy. Then, if the lifetimes are not equal, the shorter lifetime will be selected.


Example

The following example shows use of the isakmp policy lifetime command. This example sets the lifetime of the IKE security association to 50,400 seconds (14 hours) within the IKE policy with the priority number of 40.

isakmp policy 40 lifetime 50400

show isakmp policy

To view the parameters for each IKE policy, use the show isakmp policy command.

Example

The following is a sample output from the show isakmp policy command after two IKE policies were configured (with priorities 70 and 90 respectively):

show isakmp policy

Protection suite priority 70
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys)
        hash algorithm:         Message Digest 5
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               5000 seconds, no volume limit
Protection suite priority 90
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys)
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               10000 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys)
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

Note   Although the output shows "no volume limit" for the lifetimes, you can currently only configure a time lifetime (such as 86,400 seconds); volume limit lifetimes are not currently configurable.
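The following is an added example, not part of the PIX documentation. It parses the show isakmp policy output above (copied inline as a constructed sample) back into the isakmp policy keywords, applies the lifetime rule from the isakmp policy lifetime note (a peer's policy matches only if its lifetime is shorter than or equal to ours, and the shorter lifetime is selected), and audits each suite for settings a reviewer would flag today. It assumes the four algorithm attributes must match exactly and that the default suite sorts after every configured priority (1 to 65,534).

```python
import re

# Constructed sample: the show isakmp policy output from the page, copied inline.
SAMPLE_SHOW_ISAKMP_POLICY = """\
Protection suite priority 70
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys)
        hash algorithm:         Message Digest 5
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               5000 seconds, no volume limit
Protection suite priority 90
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys)
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               10000 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys)
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
"""

# Assumption: the default suite is considered after every configured priority.
DEFAULT_PRIORITY = 65535

SUITE_RE = re.compile(r'^Protection suite priority (\d+)')
ATTR_RE = re.compile(r'^\s*(encryption algorithm|hash algorithm|authentication method|'
                     r'Diffie-Hellman group|lifetime):\s*(.+?)\s*$')
ATTR_KEY = {"encryption algorithm": "encryption", "hash algorithm": "hash",
            "authentication method": "authentication",
            "Diffie-Hellman group": "group", "lifetime": "lifetime"}


def _canon(attr, value):
    """Map the display strings back to the isakmp policy keywords."""
    if attr == "encryption algorithm":
        return "3des" if "riple" in value else "des"   # "triple DES" vs "DES"
    if attr == "hash algorithm":
        return "md5" if "Message Digest" in value else "sha"
    if attr == "authentication method":
        return "pre-share" if "Pre-Shared" in value else "rsa-sig"
    if attr == "Diffie-Hellman group":
        return int(re.search(r'#(\d+)', value).group(1))
    return int(value.split()[0])           # lifetime in seconds


def parse_show_isakmp_policy(text):
    """Return one dict per protection suite, in display order."""
    policies, cur = [], None
    for line in text.splitlines():
        m = SUITE_RE.match(line)
        if m or line.startswith("Default protection suite"):
            cur = {"priority": int(m.group(1)) if m else DEFAULT_PRIORITY}
            policies.append(cur)
            continue
        m = ATTR_RE.match(line)
        if m and cur is not None:
            cur[ATTR_KEY[m.group(1)]] = _canon(m.group(1), m.group(2))
    return policies


def select_policy(local_policies, peer):
    """First local policy (lowest priority number wins) the peer's proposal satisfies.
    Returns (priority, negotiated lifetime) or None."""
    for pol in sorted(local_policies, key=lambda p: p["priority"]):
        same = all(pol[k] == peer[k]
                   for k in ("encryption", "hash", "authentication", "group"))
        if same and peer["lifetime"] <= pol["lifetime"]:
            return pol["priority"], min(pol["lifetime"], peer["lifetime"])
    return None


def weak_settings(policy):
    """Defender's audit of one suite against present-day expectations."""
    weak = []
    if policy["encryption"] == "des":
        weak.append("des: 56-bit key is brute-forceable")
    if policy["hash"] == "md5":
        weak.append("md5: deprecated hash")
    if policy["group"] == 1:
        weak.append("group 1: 768-bit Diffie-Hellman is too small")
    return weak


if __name__ == "__main__":
    for pol in parse_show_isakmp_policy(SAMPLE_SHOW_ISAKMP_POLICY):
        print(pol["priority"], weak_settings(pol))
```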


show isakmp sa

To view all current IKE security associations between the PIX Firewall and its peer, use the show isakmp sa command.

Examples

The following is a sample output from the show isakmp sa command after IKE negotiations were successfully completed between the PIX Firewall and its peer:

show isakmp sa
        dst            src         state     pending    created 
    16.132.40.2    16.132.30.2    QM_IDLE        0           1 

clear crypto isakmp

Use the clear crypto isakmp command to clear active IKE connections.

kill

Terminate a Telnet session. (Privileged mode.)

kill telnet_id

Syntax Description

telnet_id

Telnet session ID.


Usage Guidelines

The kill command terminates a Telnet session. Use the who command to view the Telnet session ID value. When you kill a Telnet session, the PIX Firewall lets any active commands terminate and then drops the connection without warning the user. The kill command does not affect PIX Firewall Manager sessions.

See also: show who, telnet.

Example

The following example shows use of the show who command to list the active Telnet sessions and the use of the kill command to end Telnet session 2:

show who
2: From 10.10.54.0 
kill 2

logging

Enable or disable syslog and SNMP logging. (Configuration mode.)

logging on

no logging on


logging buffered level

clear logging

no logging buffered


logging console level

no logging console


logging facility facility

no logging facility facility


logging host [in_if_name] ip_address [protocol/port]

no logging host [in_if_name] ip_address


logging message syslog_id

no logging message syslog_id

clear logging disabled

show logging disabled


logging monitor level

no logging monitor level


logging timestamp

no logging timestamp

logging trap level

no logging trap level


show logging

Syntax Description

on

Start sending syslog messages to all output locations. Stop all logging with the no logging on command.

buffered

Send syslog messages to an internal buffer that can be viewed with the show logging command. Use the clear logging command to clear the message buffer. New messages append to the end of the buffer.

level

Specify the syslog message level as a number or string. The level you specify means that you want that level and those less than the level. For example, if level is 3, syslog displays 0, 1, 2, and 3 messages. Possible number and string level values are:

0—emergencies—System unusable messages

1—alerts—Take immediate action

2—critical—Critical condition

3—errors—Error message

4—warnings—Warning message

5—notifications—Normal but significant condition

6—informational—Information message

7—debugging—Debug messages and log FTP commands and WWW URLs

console

Specify that syslog messages appear on the PIX Firewall console as each message occurs. You can limit the types of messages that appear on the console with level. Cisco recommends that you do not use this command in production mode because its use degrades PIX Firewall performance.

facility

Specify the syslog facility. The default is 20.

facility

Eight facilities LOCAL0(16) through LOCAL7(23); the default is LOCAL4(20). Hosts file the messages based on the facility number in the message.

host

Specify a syslog server that will receive the messages sent from the PIX Firewall. You can use multiple logging host commands to specify additional servers that would all receive the syslog messages. However, a server can only be specified to receive either UDP or TCP, not both. PIX Firewall only sends TCP syslog messages to the PIX Firewall Syslog Server.

in_if_name

Interface on which the syslog server resides.

ip_address

Syslog server's IP address.

protocol

The protocol over which the syslog message is sent; either tcp or udp. PIX Firewall only sends TCP syslog messages to the PIX Firewall Syslog Server. You can only view the port and protocol values you previously entered by using the write terminal command and finding the command in the listing—the TCP protocol is listed as 6 and the UDP protocol is listed as 17.

port

The port from which the PIX Firewall sends either UDP or TCP syslog messages. This must be the same port on which the syslog server listens. For the UDP port, the default is 514 and the allowable range for changing the value is 1025 through 65535. For the TCP port, the default is 1470, and the allowable range is 1025 through 65535.

message

Specify a message to be allowed. Use with the no command to suppress a message. Use the clear logging disabled command to reset the disallowed messages to the original set. Use the show logging disabled command to list the suppressed messages you specified with the no logging message command. All syslog messages are permitted unless explicitly disallowed. The "PIX Startup begin" message cannot be blocked, and each command statement can block only one message.

syslog_id

Specify a message number to disallow or allow. If a message is listed in syslog as %PIX-1-101001, use "101001" as the syslog_id. Refer to the System Log Messages for the Cisco Secure PIX Firewall Version 5.0 guide for message numbers. PIX Firewall documentation is available online at:

www.cisco.com/univercd/cc/td/doc/product/iaabu/pix

monitor

Specify that syslog messages appear on Telnet sessions to the PIX Firewall console.

timestamp

Specify that syslog messages sent to the syslog server should have a time stamp value on each message.

trap

Set logging level for SNMP syslog traps and syslog messages.

clear

Clear the buffer for use with the logging buffered command.

show

List which logging options are enabled. If the logging buffered command is in use, the show logging command lists the current message buffer.


Usage Guidelines

The logging command lets you enable or disable sending informational messages to the console, to a syslog server, or to an SNMP management station.

You can also use the System Log Messages for the Cisco Secure PIX Firewall Version 5.0 guide to get the message numbers that can be individually suppressed with the logging message command.

Important Notes

1 Do not use the logging console command when the PIX Firewall is in production mode because it degrades system performance. By default, this command is disabled. Instead, use the logging buffered command to start logging, the show logging command to view the messages, and the clear logging command to clear the buffer to make viewing the most current messages easier.

2 PIX Firewall provides more information in messages sent to a syslog server than at the console, but the console provides enough information to permit effective troubleshooting.

3 The logging timestamp command requires that the clock command be set.

4 The no logging message command cannot block the "%PIX-6-199002: PIX startup completed. Beginning operation." syslog message.

5 The aaa authentication enable console command causes syslog messages to be sent (at syslog level 4) each time the configuration is changed from the serial console.

See also: ca, telnet, terminal
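On the collector side, the level, facility and message-suppression rules above determine what actually arrives. The following is an added example, not part of the PIX documentation: it decodes the syslog PRI (facility*8 + severity, with the page's facility numbers LOCAL0(16) to LOCAL7(23)) and the %PIX-level-id header, models the "level N means N and below" rule of logging trap, and models no logging message, including the page's rule that 199002 cannot be blocked. Message IDs 199002 and 101001 come from the page; the message texts and the ID 123456 are constructed.

```python
import re

DEFAULT_FACILITY = 20          # LOCAL4, the default of logging facility
UNBLOCKABLE = {"199002"}       # startup message; no logging message cannot suppress it

# <PRI> as in RFC 3164, followed by the PIX header: %PIX-level-id: text
PIX_RE = re.compile(r'^<(\d{1,3})>%PIX-(\d)-(\d{6}): (.*)$')


def facility_name(facility):
    """LOCAL0..LOCAL7 for 16..23, None for anything the PIX cannot be set to."""
    return f"LOCAL{facility - 16}" if 16 <= facility <= 23 else None


def pri(level, facility=DEFAULT_FACILITY):
    """PRI value a collector should expect for a given level and logging facility."""
    return facility * 8 + level


def parse_pix_syslog(datagram):
    m = PIX_RE.match(datagram)
    if not m:
        return None
    p, level, msg_id, text = int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)
    return {"facility": p // 8, "severity": p % 8, "level": level,
            "msg_id": msg_id, "text": text}


def disable_message(disabled, syslog_id):
    """Model 'no logging message syslog_id': one id per statement, never 199002."""
    if syslog_id in UNBLOCKABLE:
        return disabled
    return disabled | {syslog_id}


def accept(msg, trap_level=7, disabled=frozenset()):
    """Would the PIX forward this message under 'logging trap trap_level' and the
    given disabled set? A level of N includes N and every level below it."""
    return msg["level"] <= trap_level and msg["msg_id"] not in disabled


def filter_feed(datagrams, trap_level=7, disabled=frozenset()):
    """Replay the PIX filtering over a list of raw datagrams; keep parsed messages."""
    kept = []
    for d in datagrams:
        msg = parse_pix_syslog(d)
        if msg is None:
            continue
        # PRI severity and %PIX level should agree; mark it if they do not
        msg["suspect"] = msg["severity"] != msg["level"]
        if accept(msg, trap_level, disabled):
            kept.append(msg)
    return kept


# Constructed datagrams. 199002 and 101001 are IDs from the page; texts are made up
# apart from the startup message, and 123456 is a placeholder ID.
SAMPLE = [
    "<166>%PIX-6-199002: PIX startup completed. Beginning operation.",
    "<161>%PIX-1-101001: (constructed) failover status message",
    "<163>%PIX-3-123456: (constructed) example error message",
    "not a pix message",
]

if __name__ == "__main__":
    for m in filter_feed(SAMPLE, trap_level=3):
        print(facility_name(m["facility"]), m["level"], m["msg_id"], m["text"])
```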

Viewing Syslog Messages from the Console

To view syslog messages from the PIX Firewall console:


Step 1 Store syslog messages for display at the PIX Firewall console with the following command:

logging buffered 7

The value 7 causes all syslog message levels to be stored in the buffer. If preferred, set the value to a lower number to view fewer messages.

Refer to Appendix A of the System Log Messages for the Cisco Secure PIX Firewall Version 5.0 guide for a list of messages that appear at each severity level.

Step 2 View the messages with:

show logging

Step 3 Use the clear logging command to clear the buffer so that viewing new messages is easier.

Step 4 To disable storing messages, use the no logging buffered command.

New messages appear at the end of the logging listing.

Viewing Syslog Messages from a Telnet Console Session

To view syslog messages from a Telnet console session:


Step 1 If you have not done so already, configure the PIX Firewall to let a host on an internal interface access the PIX Firewall with the telnet command. If you have IPSec enabled, you can access the Telnet console from the outside interface. For example, if a host on the inside interface has the IP address 192.168.1.2, the command would be:

telnet 192.168.1.2 255.255.255.255 inside

You can also set the duration that a Telnet session can be idle before PIX Firewall disconnects the session to a value greater than the default of 5 minutes. A good value is at least 15 minutes, which you can set as follows. Keep in mind that a longer idle timeout leaves an unattended, authenticated session open longer, so do not raise the value beyond what the work requires:

telnet timeout 15

Step 2 Start Telnet from the host and specify the inside interface of the PIX Firewall. For example, if the inside interface of the PIX Firewall is 192.168.1.1, the command to start Telnet on a Windows system would be:

telnet 192.168.1.1

Step 3 When Telnet connects, the PIX Firewall prompts you with the PIX passwd: prompt. Enter the Telnet password, which is cisco by default. Change this default with the passwd command before allowing Telnet access, and remember that Telnet carries the password and the whole session in cleartext, so limit the telnet command to trusted hosts on internal interfaces.

Step 4 Use the enable command followed by the configure terminal command to get to configuration mode.

Step 5 Start message logging with the logging monitor command.

Step 6 Display messages directly to the Telnet session by entering the terminal monitor command. You can disable directly displaying messages by entering the terminal no monitor command.

Step 7 Trigger some events by pinging a host or starting a web browser. The syslog messages then appear in the Telnet session window.

Step 8 When done, disable this feature with these commands:

terminal no monitor
no logging monitor

Sending Syslog Messages to a Syslog Server

PIX Firewall can send syslog messages to any syslog server. In the event that all syslog servers are offline, PIX Firewall stores up to 100 messages in its memory. Subsequent messages that arrive overwrite the buffer starting from the first line.

To send messages to a syslog server:


Step 1 Designate a host to receive the messages with the logging host command as shown in the following example:

logging host interface address [protocol/port]

Replace interface with the interface on which the server exists and address with the IP address of the host. An example logging host command is as follows:

logging host outside 192.150.50.5

If the syslog server is receiving messages on a non-standard port, you can replace protocol with udp and port with the new port value. The default protocol is UDP with a default port of 514. You can also specify TCP with a default of 1468. To date, there is only one TCP syslog server, the Cisco PIX Firewall Syslog Server (PFSS). See "PIX Firewall Syslog Server (PFSS)" for more information.

Only one logging host UDP or TCP command statement is permitted for a specific syslog server. A subsequent command statement overrides the previous one. Use the write terminal command to view the logging host command statement in the configuration—the UDP option is shown as "17" and the TCP option as "6."

Step 2 Set the logging level with the logging trap command; for example:

logging trap debugging

Cisco recommends that you use the debugging level during initial setup and during testing. Thereafter, set the level from debugging to errors for production use. Note that each level includes only the messages at that severity and the more severe ones, so the errors level drops the informational connection build and teardown messages; if you rely on those records for investigation, choose a higher level (such as informational) and size the syslog server accordingly.

Step 3 If needed, set the logging facility command to a value other than its default of 20. Most UNIX syslog daemons map facility 20 to local4, so route local4 messages to a file in the server's syslog configuration or change this value to match the facility the server expects.

Step 4 Start sending messages with the logging on command. To disable sending messages, use the no logging on command.

Step 5 If you want to send time stamped messages to a syslog server, use the clock set command to set the PIX Firewall system clock and the logging timestamp command to enable time stamping. For example:

clock set 14:25:00 apr 1 1999
logging timestamp 

In this example, the clock is set to the current time of 2:25 pm on April 1, 1999, and time stamping is enabled. To disable timestamp logging, use the no logging timestamp command.
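The following is an added example and is not part of the Cisco documentation or the PIX software: a small receiver-side parser in Python for the datagrams the configuration above produces. It assumes the defaults given in the steps (UDP port 514, facility 20, logging timestamp enabled) and the RFC 3164 priority encoding facility * 8 + severity, so a level 6 message from facility 20 arrives with PRI 166; the message tag is assumed to be %PIX-severity-msgid as quoted in the Important Notes. The sample datagrams, the message texts other than 199002, and the function names are constructed for illustration.

```python
import re
import socket
from typing import Dict, List, Optional, Tuple

# Names accepted by `logging trap <level>`, mapped to numeric severities.
TRAP_LEVELS = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}
PIX_DEFAULT_FACILITY = 20   # `logging facility 20` == local4 on a UNIX syslogd
PIX_DEFAULT_PORT = 514      # UDP default for `logging host`

# Assumed wire format: <PRI>[timestamp: ]%PIX-<sev>-<msgid>: <text>, where
# PRI = facility * 8 + severity (RFC 3164); timestamp only with `logging timestamp`.
_PIX_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?:(?P<timestamp>[^%]*?): )?"
    r"%PIX-(?P<tagsev>[0-7])-(?P<msgid>\d{6}): (?P<text>.*)$",
    re.DOTALL,
)


def split_pri(pri: int) -> Tuple[int, int]:
    """RFC 3164 priority: facility in the high bits, severity in the low three."""
    return pri // 8, pri % 8


def parse_pix_syslog(datagram: bytes) -> Optional[Dict]:
    """Parse one datagram, or return None if it is not a PIX-format message.
    The record carries sanity warnings a server operator would want to see."""
    m = _PIX_RE.match(datagram.decode("latin-1"))
    if m is None or int(m["pri"]) > 191:     # 191 = facility 23, severity 7
        return None
    facility, severity = split_pri(int(m["pri"]))
    rec = {"facility": facility, "severity": severity, "timestamp": m["timestamp"],
           "msgid": m["msgid"], "text": m["text"], "warnings": []}
    if facility != PIX_DEFAULT_FACILITY:      # would be filed under the wrong local* facility
        rec["warnings"].append(f"facility {facility} is not local4 (20)")
    if severity != int(m["tagsev"]):
        rec["warnings"].append("PRI severity disagrees with %PIX tag")
    if rec["timestamp"] is None:              # `logging timestamp` off or clock never set
        rec["warnings"].append("no timestamp prefix")
    return rec


def passes_trap_level(rec: Dict, trap: str) -> bool:
    """The filter `logging trap <level>` applies on the PIX: a message is sent
    only if its severity number is <= the configured level (0 is most severe)."""
    return rec["severity"] <= TRAP_LEVELS[trap]


def triage(datagrams: List[bytes], trap: str = "errors") -> Tuple[List[Dict], int, int]:
    """Return (records passing the trap level, dropped count, malformed count)."""
    accepted, dropped, malformed = [], 0, 0
    for d in datagrams:
        rec = parse_pix_syslog(d)
        if rec is None:
            malformed += 1
        elif passes_trap_level(rec, trap):
            accepted.append(rec)
        else:
            dropped += 1
    return accepted, dropped, malformed


# Constructed sample datagrams (not captured traffic). Only the 199002 text is
# quoted from the documentation; the other message bodies are illustrative.
SAMPLE_DATAGRAMS = [
    b"<166>Apr 01 1999 14:25:00: %PIX-6-302001: Built outbound TCP connection 12 "
    b"for faddr 192.150.50.5/80 gaddr 209.165.201.3/1026 laddr 192.168.1.2/1026",
    b"<163>Apr 01 1999 14:25:05: %PIX-3-305005: No translation group found for "
    b"tcp src inside:192.168.1.9/1030 dst outside:192.150.50.5/80",
    b"<166>%PIX-6-199002: PIX startup completed. Beginning operation.",
    b"<14>Apr 01 1999 14:25:07: %PIX-6-302001: Built outbound TCP connection 13 "
    b"for faddr 192.150.50.5/80 gaddr 209.165.201.3/1027 laddr 192.168.1.2/1027",
    b"<166>Apr 01 1999 14:25:08: not a PIX-format message",
]


def serve(bind: str = "0.0.0.0", port: int = PIX_DEFAULT_PORT) -> None:
    """Receive live datagrams. Port 514 needs privileges; for an unprivileged test
    use e.g. port 5514 here and `logging host inside <server> udp/5514` on the PIX."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind, port))
        while True:
            data, (src, _) = s.recvfrom(2048)
            rec = parse_pix_syslog(data)
            if rec is None:
                print(f"{src}: unparseable datagram {data!r}")
            else:
                print(f"{src}: %PIX-{rec['severity']}-{rec['msgid']} {rec['text']} {rec['warnings']}")
```

Running triage(SAMPLE_DATAGRAMS, "errors") keeps only the level 3 message and drops the three level 6 ones, while "debugging" keeps all four; the malformed line is counted either way. The warnings show the two misconfigurations a syslog server operator most often meets in practice: the message arriving under a facility other than local4, and the missing timestamp prefix that results when logging timestamp is off or the clock was never set.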

Receiving Requests

For the PIX Firewall to receive requests from an SNMP management station:


Step 1 Identify the IP address of the SNMP management station with the snmp-server host command.

Step 2 Set the snmp-server options for location, contact, and the community password as required.