Downloads |
Table Of Contents
Command Reference
This chapter provides detailed descriptions on each PIX Firewall command.
Before using this chapter, read the following chapters:
•
"Introduction," for important information about command line guidelines including ports and protocols.
•
•
The following notes can help you as you configure the PIX Firewall:
•
•
•
•
•
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix
•
•
•
http://www.isi.edu/in-notes/iana/assignments/port-numbers
http://www.isi.edu/in-notes/iana/assignments/protocol-numbers•
aaa
Enable, disable, or view TACACS+ or RADIUS user authentication, authorization, and accounting for the server previously designated with the aaa-server command. (Configuration mode.)
aaa accounting include | exclude acctg_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag
no aaa accounting include | exclude authen_service inbound | outbound | if_name group_tag
aaa authentication include | exclude authen_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag
no aaa authentication [include | exclude authen_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag]
aaa authentication [serial | enable | telnet] console group_tag
no aaa authentication [[serial | enable | telnet] console group_tag]
aaa authorization include | exclude author_service inbound | outbound | if_name
local_ip local_mask foreign_ip foreign_maskno aaa authorization [include | exclude author_service inbound | outbound | if_name
local_ip local_mask foreign_ip foreign_mask]clear aaa [accounting include | exclude authen_service inbound | outbound | if_name group_tag]
clear aaa [authentication include | exclude authen_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag]
clear aaa [authorization [include | exclude author_service inbound | outbound | if_name
local_ip local_mask foreign_ip foreign_mask]]show aaa
Syntax Description
accounting
Enable or disable accounting services with authentication server. Use of this command requires that you previously used the aaa-server command to designate an authentication server.
include
Create a new rule with the specified service to include.
exclude
Create an exception to a previously stated rule by excluding the specified service from authentication, authorization, or accounting to the specified host. The exclude parameter improves the former except option by allowing the user to specify a port to exclude to a specific host or hosts.
acctg_service
The accounting service. Accounting is provided for all services or you can limit it to one or more services. Possible values are any, ftp, http, telnet, or protocol/port. Use any to provide accounting for all TCP services. To provide accounting for UDP services, use the protocol/port form.
For protocol/port, the TCP protocol appears as 6, the UDP protocol appears as 17, and so on, and port is the TCP or UDP destination port. A port value of 0 (zero) means all ports. For protocols other than TCP and UDP, the port is not applicable and should not be used.
authentication
Enable or disable user authentication, prompt user for username and password, and verify information with authentication server.
When used with the console option, enables or disables authentication service for access to the PIX Firewall console over Telnet or from the Console connector on the PIX Firewall unit.
Use of the aaa authentication command requires that you previously used the aaa-server command to designate an authentication server.
authen_service
The application with which a user is accessing a network. Use any, ftp, http, or telnet. The any value enables accounting or authentication for all TCP services. To have users prompted for authentication credentials, they must use FTP, HTTP, or Telnet. (HTTP is the Web and only applies to web browsers that can prompt for a username and password.)
If the authentication or authorization server is authenticating services other than FTP, HTTP, or Telnet, using any will not permit those services to authenticate in the firewall. The firewall only knows how to communicate with FTP, HTTP, and Telnet for authentication and authorization.
Only set this parameter to a service other than any if the authentication or authorization server is set the same way. Unless you want to temporarily restrict access to a specific service, setting a service in this command can increase system administration work and may cause all connections to fail if the authentication or authorization server is authenticating one service and you set this command to another.
authorization
Enable or disable TACACS+ user authorization for services (PIX Firewall does not support RADIUS authorization). The authentication server determines what services the user is authorized to access.
author_service
The services which require authorization. Use any, ftp, http, telnet, or protocol/port. Services not specified are authorized implicitly. Services specified in the aaa authentication command do not affect the services which require authorization.
For protocol/port:
•
•
aaa authorization include udp/53-1024 inside 0 0 0 0This example enables authorization for DNS lookups to the inside interface for all clients, and authorizes access to any other services that have ports in the range of 53 to 1024.
Note
inbound
Authenticate or authorize inbound connections. Inbound means the connection originates on the outside interface and is being directed to the inside interface.
outbound
Authenticate or authorize outbound connections. Outbound means the connection originates on the inside and is being directed to the outside interface.
if_name
Interface name from which users require authentication. Use if_name in combination with the local_ip address and the foreign_ip address to determine where access is sought and from whom. The local_ip address is always on the highest security level interface and foreign_ip is always on the lowest. See the Examples section for how the if_name affects the use of this command.
local_ip
The IP address of the host or network of hosts that you want to be authenticated or authorized. You can set this address to 0 to mean all hosts and to let the authentication server decide which hosts are authenticated.
local_mask
Network mask of local_ip. Always specify a specific mask value. Use 0 if the IP address is 0. Use 255.255.255.255 for a host.
foreign_ip
The IP address of the hosts you want to access the local_ip address. Use 0 to mean all hosts.
foreign_mask
Network mask of foreign_ip. Always specify a specific mask value. Use 0 if the IP address is 0. Use 255.255.255.255 for a host.
console
Specify that access to the PIX Firewall console require authentication and optionally, log configuration changes to a syslog server.
The aaa authentication serial console command lets you require authentication verification to access the PIX Firewall unit's serial console. The serial console options also logs to a syslog server changes made to the configuration from the serial console.
Authenticated access to the PIX Firewall console has different types of prompts depending on the option you choose with the aaa authentication [serial | enable | telnet] console command. While the enable option allows three tries before stopping with an access denied message, both the serial and telnet options cause the user to be prompted continually until successfully logging in. The serial option requests a username and password before the first command line prompt on the serial console connection. The telnet option forces you to specify a username and password before the first command line prompt of a Telnet console connection. The enable option requests a username and password before accessing privileged mode for serial or Telnet connections.
Telnet access to the PIX Firewall console is available from any internal interface (not the outside interface) and requires previous use of the telnet command.
Authentication of the serial console creates a potential dead-lock situation if the authentication server requests are not answered and you need access to the console to attempt diagnosis. If the console login request times out, you can gain access to the PIX Firewall from the serial console by entering the pix username and the enable password.
The maximum password length for accessing the console is 16 characters.
group_tag
The group tag set with the aaa-server command.
Usage Guidelines
The aaa command enables or disables the following AAA (Authentication, Authorization, and Accounting) features:
•
•
•
•
Note
Note
Note
Usage Notes
1.
2.
3.
4.
5.
a.
b.
authentication_user_name@remote_system_user_nameauthentication_password@remote_system_passwordIf you daisy-chain PIX Firewall units, Telnet authentication works in the same way as a single unit, but FTP and HTTP authentication have additional complexity for users because they have to enter each password and username with an additional at (@) character and password or username for each daisy-chained system. Users can exceed the 63-character password limit depending on how many units are daisy-chained and password length.
Some FTP graphical user interfaces (GUIs) do not display challenge values.
c.
6.
7.
8.
a.
b.
c.
9.
aaa authentication include any outbound 0 0 serveraaa authentication exclude outbound perim_net perim_mask server10.
Windows NT Microsoft IIS servers respond to the credentials and assume that a Windows NT user is trying to access privileged pages on the server. Unless the PIX Firewall username password combination is exactly the same as a valid Windows NT username and password combination on the Microsoft IIS server, the HTTP GET command is denied.
To solve this problem, PIX Firewall provides the virtual http command which redirects the browser's initial connection to another IP address, authenticates the user, then redirects the browser back to the URL which the user originally requested.
Once authenticated, a user never has to reauthenticate no matter how low the PIX Firewall uauth timeout is set. This is because the browser caches the "Authorization: Basic=Uuhjksdkfhk==" string in every subsequent connection to that particular site. This can only be cleared when the user exits all instances of Netscape Navigator or Internet Explorer and restarts. Flushing the cache is of no use.
As long as the user repeatedly browses the Internet, the browser resends the "Authorization: Basic=Uuhjksdkfhk==" string to transparently reauthenticate the user.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
a.
b.
Previously, TACACS+ differentiated the two states above and provided two different timeout messages, while RADIUS did not differentiate the two states and provided one timeout message.
22.
service resetinbound command to reset the client that failed the authorization so that it will not retransmit any connections. An example authorization timeout message in Telnet follows:Unable to connect to remote host: Connection timed outSee also: aaa-server, auth-prompt, service, telnet, virtual.
Examples
1.
aaa authentication include any outbound 172.31.0.0 255.255.0.0 0.0.0.0 0.0.0.0 tacacs+aaa authentication exclude telnet outbound 172.31.38.0 255.255.255.0 0.0.0.0 0.0.0.0 tacacs+2.
This example enables authentication for connections originated from the inside network to the outside network:
aaa authentication include any outbound 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224 tacacs+This example enables authentication for connections originated from the inside network to the perimeter network:
aaa authentication include any outbound 192.168.1.0 255.255.255.0 209.165.202.128 255.255.255.224 tacacs+This example enables authentication for connections originated from the outside network to the inside network:
aaa authentication include any inbound 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224 tacacs+This example enables authentication for connections originated from the outside network to the perimeter network:
aaa authentication include any inbound 209.165.201.0 255.255.255.224 209.165.202.128 255.255.255.224 tacacs+This example enables authentication for connections originated from the perimeter network to the outside network:
aaa authentication include any perimeter 209.165.202.128 255.255.255.224 209.165.201.0 255.255.255.224 tacacs+3.
nat (inside) 1 10.0.0.0 255.255.255.0aaa authentication include any outbound 0 0 tacacs+aaa authentication exclude outbound 10.0.0.42 255.255.255.255 tacacs+ any4.
aaa-server AuthIn protocol tacacs+aaa-server AuthIn (inside) host 10.16.1.20 thisisakey timeout 20static (inside,outside) 209.165.201.0 10.16.1.0 netmask 255.255.255.224access-list acl_out permit tcp 10.16.1.0 255.255.255.0 209.165.201.0 255.255.255.224access-group acl_out in interface outsideaaa authentication include any inbound 0 0 AuthIn5.
aaa authorization include udp/53 inbound 0.0.0.0 0.0.0.06.
aaa authorization include 1/0 outbound 0.0.0.0 0.0.0.0This means that users will not be able to ping external hosts if they have not been authenticated using Telnet, HTTP, or FTP.
7.
aaa authorization include 1/8 outbound 0.0.0.0 0.0.0.0aaa-server
Specify an AAA server. (Configuration mode.)
aaa-server group_tag (if_name) host server_ip key timeout seconds
no aaa-server group_tag (if_name) host server_ip key timeout seconds
aaa-server group_tag protocol auth_protocol
clear aaa-server [group_tag]
show aaa-server
Syntax Description
Usage Guidelines
The aaa-server command lets you specify an AAA server group. PIX Firewall lets you define separate groups of TACACS+ or RADIUS servers for specifying different types of traffic; such as, a TACACS+ server for inbound traffic and another for outbound traffic. Another use is where all outbound HTTP traffic will be authenticated by a TACACS+ server, and all inbound traffic will use RADIUS.
AAA server group are defined by a tag name that directs different types of traffic to each authentication server. If the first authentication server in the list fails, the AAA subsystem fails over to the next server in the tag group. You can have up to 16 tag groups and each group can have up to 16 AAA servers for a total of up to 256 AAA servers.
The aaa command references the tag group.
Note
If accounting is in effect, the accounting information goes only to the active server.
The default configuration provides these two aaa-server protocols:
aaa-server TACACS+ protocol tacacs+aaa-server RADIUS protocol radius
Note
Examples
1.
aaa-server TACACS+ (inside) host 10.1.1.10 thekey timeout 20aaa authentication include any outbound 0 0 0 0 TACACS+aaa authorization include any outbound 0 0 0 0aaa accounting include any outbound 0 0 0 0 TACACS+aaa authentication serial console TACACS+This example specifies that the authentication server with the IP address 10.1.1.10 resides on the inside interface and is in the default TACACS+ server group. The next three command statements specify that any users starting outbound connections to any foreign host will be authenticated using TACACS+, that the users who are successfully authenticated are authorized to use any service, and that all outbound connection information will be logged in the accounting database. The last command statement specifies that access to the PIX Firewall unit's serial console requires authentication from the TACACS+ server.
2.
aaa-server AuthIn protocol radiusaaa-server AuthIn (inside) host 10.0.1.40 ab timeout 20aaa-server AuthIn (inside) host 10.0.1.41 abc timeout 4aaa-server AuthOut protocol radiusaaa-server AuthOut (inside) host 10.1.1.2 abc123 timeout 15aaa authentication include any inbound 0 0 0 0 AuthInaaa authentication include any outbound 0 0 0 0 AuthOut3.
ip address inside 10.0.0.1 255.255.255.0ip address outside 168.20.1.5 255.255.255.0ip local pool dealer 10.1.2.1-10.1.2.254nat (inside) 0 access-list 80aaa-server TACACS+ host 10.0.0.2 secret123crypto ipsec transform-set pc esp-des esp-md5-hmaccrypto dynamic-map cisco 4 set transform-set pccrypto map partner-map 20 ipsec-isakmp dynamic ciscocrypto map partner-map client configuration address initiatecrypto map partner-map client authentication TACACS+crypto map partner-map interface outsideisakmp key cisco1234 address 0.0.0.0 netmask 0.0.0.0isakmp client configuration address-pool local dealer outsideisakmp policy 8 authentication pre-shareisakmp policy 8 encryption desisakmp policy 8 hash md5isakmp policy 8 group 1isakmp policy 8 lifetime 86400The aaa-server command is used with the crypto map command to establish an authentication association so that VPN Clients are authenticated when they access the PIX Firewall. See "crypto map" for more information.
access-group
Binds the access list to an interface. (Configuration mode.)
access-group acl_name in interface interface-name
clear access-group
no access-group acl_name in interface interface-name
show access-group acl_name in interface interface-name
Syntax Description
acl_name
The name associated with a given access list.
in interface
Filters on inbound packets at the given interface.
interface-name
The name of the network interface.
Usage Guidelines
The access-group command binds an access list to an interface. The access list is applied to traffic inbound to an interface. If you enter the permit option in an access-list command statement, the PIX Firewall continues to process the packet. If you enter the deny option in an access-list command statement, PIX Firewall discards the packet and generates the following syslog message:
%PIX-4-106019: IP packet from src_addr to dest_addr, protocol protocol received from interface int_name deny by access-group list_nameAlways use the access-list command with the access-group command.
Note
The no access-group command unbinds the "acl_name" from the interface interface-name.
The show access-group command displays the current access-list bound to the interface(s).
The clear access-group command removes all entries from an access-list indexed by "list-name." If "list-name" is not specified, all access-list command statements are removed from the configuration.
Examples
The following example shows use of the access-group command:
static (inside,outside) 209.165.201.3 10.1.1.3access-list acl_out permit tcp any host 209.165.201.3 eq 80access-group acl_out in interface outsideThe static command statement provides a global address of 209.165.201.3 for the web server at 10.1.1.3. The access-list command statement lets any host access the global address using port 80. The access-group command specifies that the access-list command statement applies to traffic entering the outside interface.
access-list
Create an access list. (Configuration mode.)
access-list acl_name [deny | permit] protocol src_addr src_mask operator port dest_addr dest_mask operator port
access-list acl_name [deny | permit] icmp src_addr src_mask operator port dest_addr dest_mask operator port icmp_type
no access-list acl_name [[deny | permit] protocol src_addr src_mask operator port dest_addr dest_mask operator port]
clear access-list [acl_name [deny | permit] icmp src_addr src_mask operator port dest_addr dest_mask operator port icmp_type]
show access-list
Syntax Description
acl_name
Name of an access list. You can use either a name or number.
deny
When used with the access-group command, the deny option does not allow a packet to traverse the PIX Firewall. By default, PIX Firewall denies all inbound packets unless you specifically permit access.
When used with a crypto map command statement, deny does not select a packet for IPSec protection. The deny option prevents traffic from being protected by IPSec in the context of that particular crypto map entry. In other words, it does not allow the policy as specified in the crypto map command statements to be applied to this traffic.
permit
When used with the access-group command, the permit option selects a packet to traverse the PIX Firewall.
When used with a crypto map command statement, permit selects a packet for IPSec protection. The permit option causes all IP traffic that matches the specified conditions to be protected by IPSec using the policy described by the corresponding crypto map command statements.
protocol
Name or number of an IP protocol. It can be one of the keywords icmp, ip, tcp, or udp, or an integer in the range 1 to 254 representing an IP protocol number. To match any Internet protocol, including ICMP, TCP, and UDP, use the keyword ip.
src_addr
Address of the network or host from which the packet is being sent. Specify the source address as follows:
•
•
•
src_mask
Netmask bits (mask) to be applied to src_addr (source address), if the source address is for a network mask. Do not specify a mask if the source address is for a host; if the source address is for a host, use the host parameter before the address; for example:
access-list acl_grp permit tcp host 192.168.1.1 anyIf the source address is a network address, specify the mask as a 32-bit quantity in four-part, dotted-decimal format. Place zeros in the bit positions you want to ignore.
Remember that you specify a network mask differently than with the Cisco IOS access-list command. With PIX Firewall, use 255.0.0.0 for a Class A address, 255.255.0.0 for a Class B address, and 255.255.255.0 for a Class C address. If you are using a subnetted network address, use the mask; for example:
access-list acl_grp permit tcp 192.168.1.0 255.255.255.224 anydest_addr
IP address of the network or host to which the packet is being sent. There are three ways to specify the destination:
•
•
•
dest_mask
Netmask bits (mask) to be applied to dest_addr (destination address), if the destination address is a network mask. Do not specify a dest_mask if the destination address is for a host; if the destination address is for a host, use the host parameter before the address; for example:
access-list acl_grp permit tcp any host 192.168.1.1If the destination address is a network address, specify the mask as a 32-bit quantity in four-part, dotted-decimal format. Place zeros in the bit positions you want to ignore.
Remember that you specify a network mask differently than with the Cisco IOS software access-list command. With PIX Firewall, use 255.0.0.0 for a Class A address, 255.255.0.0 for a Class B address, and 255.255.255.0 for a Class C address. If you are using a subnetted network address, use the mask; for example:
access-list acl_grp permit tcp any 209.165.201.0 255.255.255.224operator
A comparison operand that lets you specify a port or a port range. Use without an operator and port to indicate all ports; for example:
access-list acl_out permit tcp any host 209.165.201.1Use eq and a port to permit or deny access to just that port. For example, use eq ftp to permit or deny access only to FTP:
access-list acl_out deny tcp any host 209.165.201.1 eq ftpUse lt and a port to permit or deny access to all ports less than the port you specify. For example, use lt 2025 to permit or deny access to the well known ports (1 to 1024):
access-list acl_dmz1 permit tcp any host 192.168.1.1 lt 1025Use gt and a port to permit or deny access to all ports greater than the port you specify. For example, use gt 42 to permit or deny ports 43 to 65535:
access-list acl_dmz1 deny udp any host 192.168.1.2 gt 42Use neq and a port to permit or deny access to every port except the ports that you specify. For example, use neq 10 to permit or deny ports 1-9 and 11 to 65535:
access-list acl_dmz1 deny tcp any host 192.168.1.3 neq 10Use range and a port range to permit or deny access to only those ports named in the range. For example, use range 10 1024 to permit or deny access only to ports 10 through 1024. All other ports are unaffected. The use of port ranges can dramatically increase the number of IPSec tunnels. For example, if a port range of 5000 to 65535 is specified for a highly dynamic protocol, up to 60,535 tunnels can be created.
access-list acl_dmz1 deny tcp any host 192.168.1.4 range ftp telnetport
Service(s) you permit to be used while accessing src_addr or dest_addr. Specify services by the port that handles it, such as smtp for port 25, www for port 80, and so on. You can specify ports by either a literal name or a number in the range of 0 to 65535.
You can view valid port numbers online at the following site:
http://www.isi.edu/in-notes/iana/assignments/port-numbers
See "Ports" in "Introduction," for a list of valid port literal names in port ranges; for example, ftp h323. You can also specify numbers.
icmp_type
[Non-IPSec use only]—Permit or deny access to ICMP message types. Refer to Table 6-1 for a list of message types. Omit this option to mean all ICMP types.
In version 5.1, ICMP message types are not supported for use with IPSec; that is when the access-list command is used in conjunction with the crypto map command, the icmp_type is ignored.
Usage Guidelines
The access-list command allows you to create an access list. In this document, one or more access-list command statements with the same access list name are referred to as an "access list." Access lists associated with IPSec are known as "crypto access lists."
After you have defined an access list, bind it to an interface using the access-group command. For IPSec use, bind it with a crypto map command statement.
The show access-list command lists the access-list command statements in the configuration. The show access-list command also lists a hit count that indicates the number of times an element has been matched during an access-list command search. The clear access-list command removes all access-list command statements from the configuration.
The no access-list command removes an access-list command from the configuration. If you remove all the access-list command statements in an access list group, the no access-list command also removes the corresponding access-group command from the configuration.
Usage Notes
1.
2.
For access from a lower security level interface to a higher security level interface; that is, "inbound" connections, port access is denied by default. Always deny access first and permit access afterward. Because inbound connections are denied by default, for single or specific permits, you only need to add permit statements. If the host entries match, then use a permit statement, otherwise use a default (deny) statement. You only need to specify additional deny statements if you need to deny specific hosts and permit everyone else.
3.
4.
5.
%PIX-4-106019: IP packet from src_addr to dest_addr, protocol protocol received from interface int_name deny by access-group list_name6.
7.
8.
ICMP Message Types
[Non-IPSec use only]—If you prefer more selective ICMP access, you can specify a single ICMP message type as the last option in this command. Table 6-1 lists possible ICMP types values.
If you specify an ICMP message type for use with IPSec, PIX Firewall ignores it. For example:
access-list 10 permit icmp any any echo-replyAnd IPSec is enabled such that a crypto map command references the acl_name for this access-list command, then the echo-reply ICMP message type is ignored.
Using the access-list Command with IPSec
If an access list is bound to an interface with the access-group command, the access list selects which traffic can traverse the PIX Firewall. When bound to a crypto map command statement, the access list selects which IP traffic IPSec protects and which traffic IPSec does not protect. For example, access lists can be created to protect all IP traffic between Subnet X and Subnet Y or traffic between Host A and Host B.
The access lists themselves are not specific to IPSec. It is the crypto map command statement referencing the specific access list that defines whether IPSec processing is applied to the traffic matching a permit in the access list.
Crypto access lists associated with the IPSec crypto map command statement have these primary functions:
•
•
•
•
You can associate a crypto access list with an interface by defining the corresponding crypto map command statement and applying the crypto map set to an interface. Different access lists must be used in different entries of the same crypto map set. However, both inbound and outbound traffic will be evaluated against the same "outbound" IPSec access list. Therefore, the access list's criteria are applied in the forward direction to traffic exiting your PIX Firewall and the reverse direction to traffic entering your PIX Firewall.
If you want certain traffic to receive one combination of IPSec protection (for example, authentication only) and other traffic to receive a different combination of IPSec protection (for example, both authentication and encryption), you need to create two different crypto access lists to define the two different types of traffic. These different access lists are then used in different crypto map entries that specify different IPSec policies.
Cisco recommends that you configure "mirror image" crypto access lists for use by IPSec and that you avoid using the any keyword. See the sections "Mirror Image Crypto Access Lists at each IPSec Peer" and "IKE-Established Security Associations" in "Configuring IPSec."
If you configure multiple statements for a given crypto access list, in general, the first permit statement matched, will be the statement used to determine the scope of the IPSec security association. That is, the IPSec security association will be set up to protect traffic that meets the criteria of the matched statement only. Later, if traffic matches a different permit statement of the crypto access list, a new, separate IPSec security association will be negotiated to protect traffic matching the newly matched access list statement.
Some services such as FTP require two access-list command statements, one for port 10 and another for port 21, to properly encrypt FTP traffic.
Examples
The following example creates a numbered access list that specifies a Class C subnet for the source and a Class C subnet for the destination of IP packets. Because the access-list command is referenced in the crypto map command statement, PIX Firewall encrypts all IP traffic that is exchanged between the source and destination subnets.
access-list 101 permit ip 172.21.3.0 255.255.0.0 172.22.2.0 255.255.0.0access-group 101 in interface outsidecrypto map mymap 10 match address 101[other crypto map commands]The next example only lets an ICMP message type of echo-reply be permitted into the outside interface:
access-list acl_out permit icmp any any echo-replyaccess-group acl_out interface outsidealias
Administer overlapping addresses with dual NAT. (Configuration mode.)
alias [(if_name)] dnat_ip foreign_ip [netmask]
no alias [[(if_name)] dnat_ip foreign_ip [netmask]]
show alias
clear alias
Syntax Description
Usage Guidelines
The alias command translates one address into another. Use this command to prevent conflicts when you have IP addresses on a network that are the same as those on the Internet or another intranet. You can also use this command to do address translation on a destination address. For example, if a host sends a packet to 209.165.201.1, you can use the alias command to redirect traffic to another address, such as, 209.165.201.30.
Note
Note
After changing or removing an alias command statement, use the clear xlate command.
There must be an A (address) record in the DNS zone file for the "dnat" address in the alias command.
The alias command has two uses which can be summarized in the following ways of reading an alias command statement:
•
•
The no alias command disables a previously set alias command statement. The show alias command displays alias command statements in the configuration. The clear alias command removed all alias commands from the configuration.
The alias command automatically interacts with DNS servers on your network to ensure that domain name access to the aliased IP address is handled transparently.
You can specify a net alias by using network addresses for the foreign_ip and dnat_ip IP addresses. For example, alias 192.168.201.0 209.165.201.0 255.255.255.224 creates aliases for each IP address between 209.165.201.1 and 209.165.201.30.
Note
Usage Notes
To access an alias dnat_ip address with static and access-list command statements, specify the dnat_ip address in the access-list command statement as the address from which traffic is permitted from. The following example illustrates this note:
alias (inside) 192.168.201.1 209.165.201.1 255.255.255.255static (inside,outside) 209.165.201.1 192.168.201.1 netmask 255.255.255.255access-list acl_out permit tcp host 192.168.201.1 host 209.165.201.1 eq ftp-dataaccess-group acl_out in interface outsideAn alias is specified with the inside address 192.168.201.1 mapping to the foreign address 209.165.201.1.
Examples
1.
alias (inside) 192.168.201.0 209.165.201.0 255.255.255.224show aliasalias 192.168.201.0 205.165.201.0 255.255.255.224When the inside network client 209.165.201.2 connects to cisco.com, the DNS response from an external DNS server to the internal client's query would be altered by the PIX Firewall to be 209.165.201.29. If the PIX Firewall uses 209.165.200.225 through 209.165.200.254 as the global pool IP addresses, the packet goes to the PIX Firewall with SRC=209.165.201.2 and DST=209.165.201.29. The PIX Firewall translates the address to SRC=209.165.200.254 and DST=209.165.201.29 on the outside.
2.
The period at the end of the www.cisco.com. domain name must be included.
The alias command follows:
alias 10.1.1.11 209.165.201.11 255.255.255.255PIX Firewall doctors the nameserver replies to 10.1.1.11 for inside clients to directly connect to the web server.
The static command statement is as follows:
static (inside,outside) 209.165.201.11 10.1.1.11The access-list command statement you would expect to use follows:
access-list acl_grp permit tcp host 209.165.201.7 host 209.165.201.11 eq telnetBut with the alias command, use this command:
access-list acl_grp permit tcp host 209.165.201.11 eq telnet host 209.165.201.7You can test the DNS entry for the host with the following UNIX nslookup command:
nslookup -type=any www.cisco.comarp
Change or view the ARP cache, and set the timeout value. (Configuration mode.)
arp if_name ip_address mac_address [alias]
clear arp
no arp if_name ip_address
show arp [if_name] [ip_address mac_address alias]
arp timeout seconds
no arp timeout
show arp timeout
Syntax Description
Usage Guidelines
The arp command adds an entry to the PIX Firewall ARP cache. ARP is a low-level TCP/IP protocol that resolves a node's physical address from its IP address through an ARP request asking the node with a particular IP address to send back its physical address. The presence of entries in the ARP cache indicates that the PIX Firewall has network connectivity. The clear arp command clears the ARP table but not the alias (permanent) entries. Use the no arp command to remove these entries. The show arp command lists the entries in the ARP table.
Note
Use the arp command to add an entry for new hosts you add on your network or when you swap an existing host for another. Alternatively, you can wait for the duration specified with the arp timeout command to expire and the ARP table rebuilds itself automatically with the new host information.
The arp timeout command sets the duration that an ARP entry can stay in the PIX Firewall ARP table before expiring. The timer is known as the ARP persistence timer. The default value is
14,400 seconds (4 hours).The no arp timeout command sets the timer to its default value. The show arp timeout command displays its current value.
Examples
The following examples illustrate use of the arp and arp timeout commands:
arp inside 192.168.0.42 00e0.1e4e.2a7carp outside 192.168.0.43 00e0.1e4e.3d8b aliasshow arpoutside 192.168.0.43 00e0.1e4e.3d8b aliasinside 192.168.0.42 00e0.1e4e.2a7cclear arp inside 192.168.0.42arp timeout 42show arp timeoutarp timeout 42 secondsno arp timeoutshow arp timeoutarp timeout 14400 secondsauth-prompt
Change the AAA challenge text. (Configuration mode.)
auth-prompt [accept | reject | prompt] string
no auth-prompt [accept | reject | prompt] string
clear auth-prompt
show auth-prompt
Syntax Description
Usage Guidelines
The auth-prompt command lets you change the AAA challenge text for HTTP, FTP, and Telnet access. This text displays above the username and password prompts that users view when logging in. If you do not use this command, FTP users view FTP authentication, HTTP users view HTTP Authentication, and challenge text does not appear for Telnet access.
If the user authentication occurs from Telnet, you can use the accept and reject options to display different authentication prompts if the authentication attempt is accepted or rejected by the authentication server.
Note
Examples
The following example shows how to set the authentication prompt and how users view the prompt:
auth-prompt XYZ Company Firewall AccessAfter this string is added to the configuration, users view:
XYZ Company Firewall AccessUser Name:Password:The prompt keyword can be included or omitted. For example:
auth-prompt prompt Hello There!This command statement is the same as the following:
auth-prompt Hello There!ca
Configure the PIX Firewall to interoperate with a Certification Authority (CA). (Configuration mode.)
ca authenticate ca_nickname [fingerprint]
ca configure ca_nickname ca | ra retry_period retry_count [crloptional]
no ca configure ca_nickname
show ca configure
ca crl request ca_nickname
ca enroll ca_nickname challenge_password [serial] [ipaddress]
no ca enroll ca_nickname
ca generate rsa key | specialkey key_modulus_size
ca identity ca_nickname ca_ipaddress[:ca_script_location] [ldap_ip address]
no ca identity ca_nickname
show ca identity
ca save all
no ca save all
show ca certificate
ca zeroize rsa
show ca mypubkey rsa
Syntax Description
Usage Guidelines
The sections that follow describe each ca command.
Note
Note
Note
Note
ca authenticate
The ca authenticate command allows the PIX Firewall to authenticate its Certification Authority (CA) by obtaining the CA's self-signed certificate, which contains the CA's public key.
In order to authenticate a peer's certificate(s), a PIX Firewall must obtain the CA certificate containing the CA public key. Because the CA certificate is a self-signed certificate, the key should be authenticated manually by contacting the CA administrator. You are given the choice of authenticating the public key in that certificate by including within the ca authenticate command the key's fingerprint, which is retrieved in some out-of-band process. The PIX Firewall will discard the received CA certificate and generate an error message, if the fingerprint you specified is different from the received one. You can also simply compare the two fingerprints without having to enter the key within the command.
If you are using RA mode (within the ca configure command), when you issue the ca authenticate command, the RA signing and encryption certificates will be returned from the CA, as well as the CA certificate.
The ca authenticate command is not saved to the PIX Firewall configuration. However, the public keys embedded in the received CA (and RA) certificates are saved in the configuration as part of the RSA public key record (called the "RSA public key chain"). To save the public keys permanently to Flash memory, use the ca save all command.
To view the CA's certificate, use the show ca certificate command.
Note
Examples
In this example, a request for the CA's certificate was sent to the CA. The fingerprint was not included in the command. The CA sends its certificate and the PIX Firewall prompts for verification of the CA's certificate by checking the CA certificate's fingerprint. Using the fingerprint associated with the CA's certificate retrieved in some out-of-band process from a CA administrator, compare the two fingerprints. If both fingerprints match, then the certificate is considered valid.
ca authenticate mycaCertificate has the following attributes:Fingerprint: 0123 4567 89AB CDEF 0123The following example shows the error message. This time, the fingerprint is included in the command. The two fingerprints do not match, and therefore the certificate is not valid.
ca authenticate myca 0123456789ABCDEF0123Certificate has the following attributes:Fingerprint: 0123 4567 89AB CDEF 5432%Error in verifying the received fingerprint. Type help or `?' for a list of available commands.ca configure
The ca configure command is used to specify the communication parameters between the PIX Firewall and the CA.
Use the no ca configure command to reset each of the communication parameters to the default value. If you want to show the current settings stored in RAM, use the show ca configure command.
Note
Examples
The following example indicates myca is the name of the CA and the CA will be contacted rather than the RA. It also indicates the PIX Firewall will wait 5 minutes before sending another certificate request, if it does not receive a response, and will resend a total of 15 times before dropping its request. If the CRL is not accessible, crloptional tells the PIX Firewall to accept other peer's certificates.
ca configure myca ca 5 15 crloptionalca crl request
The ca crl request command allows the PIX Firewall to obtain an updated CRL from the CA at any time.
A PIX Firewall automatically requests a CRL from the CA at various times, depending on whether the CA is in the RA mode or not. If the CA is not in the RA mode, a CRL is requested whenever the system reboots and finds that it does not already contain a valid (un-expired) CRL. If the CA is in the RA mode, no CRL can be obtained until a peer's certificate is sent via an ISAKMP exchange. This is because the certificate itself contains the location where the PIX Firewall must query to get the appropriate CRL. When a CRL expires, the PIX Firewall automatically requests an updated one. Until a new valid CRL is obtained, the PIX Firewall will not accept peers' certificates.
Use the ca crl request command only if your CA does not support a RA. A CRL lists all the network's devices' certificates that have been revoked. The PIX Firewall will not accept revoked certificates; therefore, any peer with a revoked certificate cannot exchange IPSec traffic with your firewall.
The first time your PIX Firewall receives a certificate from a peer, it will download a CRL from the CA. Your PIX Firewall then checks the CRL to make sure the peer's certificate has not been revoked. (If the certificate appears on the CRL, it will not accept the certificate and will not authenticate the peer.)
A CRL can be reused with subsequent certificates until the CRL expires. If your PIX Firewall receives a peer's certificate after the applicable CRL has expired, it will download the new CRL.
If your PIX Firewall has a CRL which has not yet expired, but you suspect that the CRL's contents are out of date, use the ca crl request command to request that the latest CRL be immediately downloaded to replace the old CRL.
The ca crl request command is not saved with the PIX Firewall configuration between reloads.
Examples
The following example indicates the PIX Firewall will obtain an updated CRL from the CA with the name myca:
ca crl request mycaca enroll
The ca enroll command is used to send an enrollment request to the CA requesting a certificate for all of your PIX firewall unit's key pairs. This is also known as "enrolling" with the CA. (Technically, enrolling and obtaining certificates are two separate events, but they both occur when this command is issued.)
Your PIX Firewall needs a signed certificate from the CA for each of its RSA key pairs; if you previously generated general purpose keys, the ca enroll command will obtain one certificate corresponding to the one general purpose RSA key pair. If you previously generated special usage keys, this command will obtain two certificates corresponding to each of the special usage RSA key pairs.
If you already have a certificate for your keys, you will be unable to complete this command; instead, you will be prompted to remove the existing certificate first.
The ca enroll command is not saved with the PIX Firewall configuration between reloads. To verify if the enrollment process succeeded and to display the PIX Firewall unit's certificate, use the show ca certificate command. If you want to cancel the current enrollment request, use the no ca enroll command.
The required challenge password is necessary in the event that you need to revoke your PIX Firewall unit's certificate(s). When you ask the CA administrator to revoke your certificate, you must supply this challenge password as a protection against fraudulent or mistaken revocation requests.
Note
If you lose the password, the CA administrator may still be able to revoke the PIX Firewall's certificate but will require further manual authentication of the PIX Firewall administrator identity.
The PIX Firewall unit's serial number is optional. If you provide the serial option, the serial number will be included in the obtained certificate. The serial number is not used by IPSec or IKE but may be used by the CA to either authenticate certificates or to later associate a certificate with a particular device. Ask your CA administrator if serial numbers should be included in the certificate. If you are in doubt, specify the serial option.
The PIX Firewall unit's IP address is optional. If you provide the ipaddress option, the IP address will be included in the obtained certificate. Normally, you would not include the ipaddress option because the IP address binds the certificate more tightly to a specific entity. Also, if the PIX Firewall is moved, you would need to issue a new certificate.
Note
Examples
The following example indicates that the PIX Firewall will send an enrollment request to the CA myca.example.com. The password 1234567890 is specified, as well as a request for the PIX Firewall unit's serial number to be embedded in the certificate.
ca enroll myca.example.com 1234567890 serialca generate rsa
The ca generate rsa command generates RSA key pairs for your PIX Firewall. RSA keys are generated in pairs—one public RSA key and one private RSA key. If your PIX Firewall already has RSA keys when you issue this command, you will be warned and prompted to replace the existing keys with new keys.
Note
The ca generate rsa command is not saved in the PIX Firewall configuration. However, the keys generated by this command are saved in the persistent data file in Flash memory, which is never displayed to the user or backed up to another device.
Examples
In this example, one general purpose RSA key pair is to be generated. The selected size of the key modulus is 2048.
ca generate rsa key 2048
Note
ca identity
The ca identity command declares the CA that your PIX Firewall will use. Currently, PIX Firewall supports one CA at one time. The no ca identity command removes the ca identity from the configuration and deletes all certificates issued by the specified CA. The show ca identity command shows the current settings stored in RAM.
The PIX Firewall uses a subset of the HTTP protocol to contact the CA, and so must identify a particular cgi-bin script to handle CA requests. The default location and script on the CA server is /cgi-bin/pkiclient.exe. If the CA administrator has not put the CGI script in the above location, include the location and the name of the script within the ca identity command statement.
By default, querying of a certificate or a CRL is done via Cisco's PKI protocol. If the CA supports Lightweight Directory Access Protocol (LDAP), query functions may use LDAP as well. The IP address of the LDAP server must be included within the ca identity command statement.
Examples
The following example indicates that the CA myca.example.com is declared as the PIX Firewall unit's supported CA. The CA's IP address of 205.139.94.231 is provided.
ca identity myca.example.com 205.139.94.231ca save all
The ca save all commands allows you to save the PIX Firewall unit's RSA key pairs, the CA, RA and PIX Firewall unit's certificates, and the CA's CRLs in the persistent data file in Flash memory between reloads. The no ca save command removes the saved data from PIX Firewall unit's Flash memory.
The ca save command itself is not saved with the PIX Firewall configuration between reloads.
To view the current status of requested certificates, and relevant information of received certificates, such as CA and RA certificates, use the show ca certificate command. Because the certificates contain no sensitive data, any user is allowed to issue this show command.
ca zeroize rsa
The ca zeroize rsa command deletes all RSA keys that were previously generated by your PIX Firewall. If you issue this command, you must also perform two additional task. Perform these tasks in the following order:
•
•
show ca mypubkey rsa
The show ca mypubkey rsa command displays the PIX Firewall unit's public keys in a DER/BER encoded PKCS#1 representation.
Examples
The following is sample output of the show ca mypubkey rsa command. Special usage RSA keys were previously generated for this PIX Firewall using the ca generate rsa command:
show ca mypubkey rsa% Key pair was generated at: 15:34:55 Aug 05 1999Key name: pixfirewall.example.comUsage: Signature KeyKey Data:305c300d 06092a86 4886f70d 01010105 00034b00 30480241 00c31f4a ad32f60d6e7ed9a2 32883ca9 319a4b30 e7470888 87732e83 c909fb17 fb5cae70 3de738cf6e2fd12c 5b3ffa98 8c5adc59 1ec84d78 90bdb53f 2218cfe7 3f020301 0001% Key pair was generated at: 15:34:55 Aug 05 1999Key name: pixfirewall.example.comUsage: Encryption KeyKey Data:305c300d 06092a86 4886f70d 01010105 00034b00 30480241 00d8a6ac cc64e57a48dfb2c1 234661c7 76380bd5 72ae62f7 1706bdab 0eedd0b5 2e5feef0 76319d98908f50b4 85a291de 247b6711 59b30026 453bfa3c 45234991 5d020301 0001clear Commands
Remove commands from the configuration or reset command values (All modes.)
Table 6-2, Table 6-3, and Table 6-4 list each mode in which the clear commands first appear. Each clear command listed in one mode can be also accessed in each subsequent more secure mode going from unprivileged to configuration mode, but not from less secure modes.
Table 6-2 Unprivileged Mode Clear Commands
clear pager
Resets the number of displayed lines to 24.
clock
Set the PIX Firewall clock for use with the PIX Firewall Syslog Server and the Public Key Infrastructure (PKI) protocol. (Configuration mode.)
clock
clock set hh:mm:ss month day year
clock set hh:mm:ss day month year
show clock
Syntax Description
Usage Guidelines
The clock command lets you specify the current time, month, day, and year for use time stamped syslog messages, which you can enable with the logging timestamp command. You can view the current time with the clock or the show clock command.
Note
You can interchange the settings for the day and the month; for example, clock set 21:0:0 1 apr 2000.
A time prior to January 1, 1998 or after December 31, 2097 will not be accepted (the maximum date that the clock command can work to).
While the PIX Firewall clock is year 2000 compliant, it does not adjust itself for daylight savings time changes; however, it does know about leap years.
The PIX Firewall clock setting is retained in memory when the power is off by a battery on the PIX Firewall unit's motherboard. Should this battery fail, contact Cisco's customer support for a replacement PIX Firewall unit.
Cisco's PKI (Public Key Infrastructure) protocol uses the clock to make sure that a Certificate Revocation List (CRL) is not expired. Otherwise, the CA may reject or allow certificates based on an incorrect timestamp.
Examples
To enable PFSS time-stamp logging for the first time, use these commands:
clock set 21:0:0 apr 1 2000show clock21:00:05 Apr 01 2000logging host 209.165.201.3logging timestamplogging trap 5In this example, the clock command sets the clock to 9 pm on April 1, 2000. The logging host command specifies that a syslog server is at IP address 209.165.201.3. The PIX Firewall automatically determines that the server is a PFSS and sends syslog messages to it via TCP and UDP. The logging timestamp command enables sending time stamped syslog messages. The logging trap 5 command in this example specifies that messages at syslog level 0 through 5 be sent to the syslog server. The value 5 is used to capture severe and normal messages, but also those of the aaa authentication enable command.
conduit
Add, delete, or show conduits through the PIX Firewall for incoming connections. (Configuration mode.)
conduit permit | deny protocol global_ip global_mask [operator port [port]] foreign_ip foreign_mask [operator port [port]]
no conduit permit | deny protocol global_ip global_mask [operator port [port]] foreign_ip foreign_mask [operator port [port]]
conduit permit | deny icmp global_ip global_mask foreign_ip foreign_mask [icmp_type]
clear conduit
show conduit
Syntax Description
permit
Permit access if the conditions are matched.
deny
Deny access if the conditions are matched.
protocol
Specify the transport protocol for the connection. Possible literal values are icmp, tcp, udp, or an integer in the range 0 through 255 representing an IP protocol number. Use ip to specify all transport protocols. You can view valid protocol numbers online at the following site:
http://www.isi.edu/in-notes/iana/assignments/protocol-numbers
If you specify the icmp protocol, you can permit or deny ICMP access to one or more global IP addresses. Specify the ICMP type in the icmp_type variable, or omit to specify all ICMP types. See the Usage Guidelines for a complete list of the ICMP types.
global_ip
A global IP address previously defined by a global or static command. You can use any if the global_ip and global_mask are 0.0.0.0 0.0.0.0. The any option applies the permit or deny parameters to the global addresses.
If global_ip is a host, you can omit global_mask by specifying the host command before global_ip. For example:
conduit permit tcp host 209.165.201.1 eq ftp anyThis example lets any foreign host access global address 209.165.201.1 for FTP.
global_mask
Network mask of global_ip. The global_mask is a 32-bit, four-part dotted decimal; such as, 255.255.255.255. Use zeros in a part to indicate bit positions to be ignored. Use subnetting if required. If you use 0 for global_ip, use 0 for the global_mask; otherwise, enter the global_mask appropriate to global_ip.
foreign_ip
An external IP address (host or network) that can access the global_ip. You can specify 0.0.0.0 or 0 for any host. If both the foreign_ip and foreign_mask are 0.0.0.0 0.0.0.0, you can use the shorthand any option.
If foreign_ip is a host, you can omit foreign_mask by specifying the host command before foreign_ip. For example:
conduit permit tcp any eq ftp host 209.165.201.2This example lets foreign host 209.165.201.2 access any global address for FTP.
foreign_mask
Network mask of foreign_ip. The foreign_mask is a 32-bit, four-part dotted decimal; such as, 255.255.255.255. Use zeros in a part to indicate bit positions to be ignored. Use subnetting if required. If you use 0 for foreign_ip, use 0 for the foreign_mask; otherwise, enter the foreign_mask appropriate to foreign_ip. You can also specify a mask for subnetting, for example, 255.255.255.192.
operator
A comparison operand that lets you specify a port or a port range.
Use without an operator and port to indicate all ports; for example:
conduit permit tcp any anyUse eq and a port to permit or deny access to just that port. For example use eq ftp to permit or deny access only to FTP:
conduit deny tcp host 192.168.1.1 eq ftp 209.165.201.1Use lt and a port to permit or deny access to all ports less than the port you specify. For example, use lt 2025 to permit or deny access to the well known ports (1 to 1024):
conduit permit tcp host 192.168.1.1 lt 1025 anyUse gt and a port to permit or deny access to all ports greater than the port you specify.
For example, use gt 42 to permit or deny ports 43 to 65535:conduit deny udp host 192.168.1.1 gt 42 host 209.165.201.2Use neq and a port to permit or deny access to every port except the ports that you specify.
For example, use neq 10 to permit or deny ports 1-9 and 11 to 65535:conduit deny tcp host 192.168.1.1 neq 10 host 209.165.201.2 neq 42Use range and a port range to permit or deny access to only those ports named in the range.
For example, use range 10 1024 to permit or deny access only to ports 10 through 1024. All other ports are unaffected.conduit deny tcp any range ftp telnet anyNote By default, all ports are denied until explicitly permitted.
port
Service(s) you permit to be used while accessing global_ip or foreign_ip. Specify services by the port that handles it, such as smtp for port 25, www for port 80, and so on. You can specify ports by either a literal name or a number in the range of 0 to 65535. You can specify all ports by not specifying a port value; for example:
conduit deny tcp any anyThis command is the default condition for the conduit command in that all ports are denied until explicitly permitted.
You can view valid port numbers online at the following site:
http://www.isi.edu/in-notes/iana/assignments/port-numbers
See "Ports" in "Introduction," for a list of valid port literal names in port ranges; for example, ftp h323. You can also specify numbers.
icmp_type
The type of ICMP message. Table 6-5 lists the ICMP type literals that you can use in this command. Omit this option to mean all ICMP types. An example of this command that permits all ICMP types is conduit permit icmp any any. This command lets ICMP pass inbound and outbound.
Usage Guidelines
A conduit command statement creates an exception to the PIX Firewall Adaptive Security mechanism by permitting connections from one firewall network interface to access hosts on another.
The clear conduit command removes all conduit command statements from your configuration.
The conduit command can permit or deny access to either the global or static commands; however, neither is required for the conduit command. You can associate a conduit command statement with a global or static command statement through the global address, either specifically to a single global address, a range of global addresses, or to all global addresses.
Note
When used with a static command statement, a conduit command statement permits users on a lower security interface to access a higher security interface. When not used with a static command statement, a conduit command statement permits both inbound and outbound access.
Converting conduit Commands to access-list Commands
Follow these steps to convert conduit command statements to access-list commands:
Step 1
static (high_interface,low_interface) global_ip local_ip netmask mask
For example:
static (inside,outside) 209.165.201.5 192.168.1.5 netmask 255.255.255.255This command maps the global IP address 209.165.201.5 on the outside interface to the web server 192.168.1.5 on the inside interface. The 255.255.255.255 is used for host addresses.
Step 2
conduit action protocol global_ip global_mask global_operator global_port [global_port] foreign_ip foreign_mask foreign_operator foreign_port [foreign_port]
For example:
conduit permit tcp host 209.165.201.5 eq www anyThis command permits TCP for the global IP address 209.165.201.5 that was specified in the static command statement and permits access over port 80 (www). The "any" option lets any host on the outside interface access the global IP address.
The static command identifies the interface that the conduit command restricts access to.
Step 3
Normally the access-list command format is as follows:
access-list acl_name [deny | permit] protocol src_addr src_mask operator port dest_addr dest_mask operator port
However, using the syntax from the conduit command in the access-list command, you can see how the foreign_ip in the conduit command is the same as the src_addr in the access-list command and how the global_ip option in the conduit command is the same as the dest_addr in the access-list command. The access-list command syntax overlaid with the conduit command options is as follows:
access-list acl_name action protocol foreign_ip foreign_mask foreign_operator foreign_port [foreign_port] global_ip global_mask global_operator global_port [global_port]
For example:
access-list acl_out permit tcp any host 209.165.201.5 eq wwwThis command identifies the access-list command statement group with the "acl_out" identifier. You can use any name or number for your own identifier. (In this example the identifier, "acl" is from ACL, which means Access Control List and "out" is an abbreviation for the outside interface.) It makes your configuration clearer if you use an identifier name that indicates the interface to which you are associating the access-list command statements. The example access-list command, like the conduit command, permits TCP connections from any system on the outside interface. The access-list command is associated with the outside interface with the access-group command.
Step 4
access-group acl_name in interface low_interface
For example:
access-group acl_out in interface outsideThis command associates with the "acl_out" group of access-list command statements and states that the access-list command statement restricts access to the outside interface.
More on the conduit Command
If you associate a conduit command statement with a static command statement, only the interfaces specified on the static command statement have access to the conduit command statement. For example, if a static command statement lets users on the dmz interface access a server on the inside interface, only users on the dmz interface can access the server via the static command statement. Users on the outside do not have access.
Note
The permit and deny options for the conduit command are processed in the order listed in the PIX Firewall configuration. In the following example, host 209.165.202.129 is not denied access through the PIX Firewall because the permit option precedes the deny option:
conduit permit tcp host 209.165.201.4 eq 80 anyconduit deny tcp host 209.165.201.4 host 209.165.202.129 eq 80 any
Note
After changing or removing a conduit command statement, use the clear xlate command.
You can remove a conduit command statement with the no conduit command. Use the show conduit command to view the conduit command statements in the configuration and the number of times (hit count) an element has been matched during a conduit command search.
If you prefer more selective ICMP access, you can specify a single ICMP message type as the last option in this command. Table 6-5 lists possible ICMP types values.
Usage Notes
1.
2.
3.
4.
5.
6.
The two conduit command statements for the PPTP transport protocol, which is a subset of the GRE protocol, are as shown in this example:
static (dmz2,outside) 209.165.201.5 192.168.1.5 netmask 255.255.255.255conduit permit tcp host 209.165.201.5 eq 1723 anyconduit permit gre host 209.165.201.5 anyIn this example, PPTP is being used to handle access to host 192.168.1.5 on the dmz2 interface from users on the outside. Outside users access the dmz2 host using global address 209.165.201.5. The first conduit command statement opens access for the PPTP protocol and gives access to any outside users. The second conduit command statement permits access to GRE. If PPTP was not involved and GRE was, you could omit the first conduit command statement.
7.
For MSRPC, two conduit command statements are required, one for port 135 and another for access to the high ports (1024-65535). For Sun RPC, a single conduit command statement is required for UDP port 111.
Once you create a conduit command statement for RPC, you can use the following command to test its activity from a UNIX host:
rpcinfo -u unix_host_ip_address 150001Replace unix_host_ip_address with the IP address of the UNIX host.
8.
static (inside, outside) 209.165.201.0 10.1.1.0 netmask 255.255.255.0conduit permit tcp 209.165.201.0 255.255.255.0 eq ftp anystatic (inside, outside) 203.31.17.3 10.1.1.3 netmask 255.255.255.0conduit permit udp host 209.165.201.3 eq h323 host 209.165.202.3In this case, the host at 209.165.202.3 has InternetPhone access in addition to its blanket FTP access.
Examples
1.
static (inside,outside) 209.165.201.1 192.168.1.49 netmask 255.255.255.255 0 0conduit permit tcp host 209.165.201.1 eq smtp host 209.165.201.2To disable Mail Guard, enter the following command:
no fixup protocol smtp 252.
static (inside,outside) 209.165.201.0 192.168.1.0 netmask 255.255.255.224 0 0conduit permit tcp 209.165.201.0 255.255.255.224 eq h323 anyconduit permit tcp 209.165.201.0 255.255.255.224 eq 113 any3.
static (perimeter,outside) 209.165.201.4 192.168.1.4 netmask 255.255.255.255 0 0conduit permit tcp host 209.165.201.4 eq 80 anyIn this example, the static command statement maps the perimeter host, 192.168.1.4. to the global address, 209.165.201.4. The conduit command statement specifies that the global host can be accessed on port 80 (web server) by any outside host.
configure
Clear or merge current configuration with that on floppy or Flash memory, start configuration mode, or view current configuration. (Privileged mode.)
clear configure primary | secondary | all
configure net [[server_ip]:[filename]]
configure floppy
configure memory
configure terminal
show configure
Syntax Description
Usage Guidelines
The clear configure command resets a configuration to its default values. Use this command to create a template configuration or when you want to clear all values. The clear configure primary command resets the default values for the interface, ip, mtu, nameif, and route commands. This command also deletes interface names in the configuration.
The clear configure secondary command removes the aaa-server, alias, access-list, apply, conduit, global, outbound, static, telnet, and url-server command statements from the configuration. However, the clear configure secondary command does not remove tftp-server command statements.
Note
The configure net command merges the current running configuration with a TFTP configuration stored at the IP address you specify and from the file you name. If you specify both the IP address and path name in the tftp-server command, you can specify :filename as simply a colon ( : ). For example:
configure net :Use the write net command to store the configuration in the file.
If you have an existing PIX Firewall configuration on a TFTP server and store a shorter configuration with the same file name on the TFTP server, some TFTP servers will leave some of the original configuration after the first ":end" mark. This does not affect the PIX Firewall because the configure net command stops reading when it reaches the first ":end" mark. However, this may cause confusion if you view the configuration and see extra text at the end of the configuration. This does not occur if you are using Cisco TFTP Server version 1.1 for Windows NT.
Note
The configure floppy command merges the current running configuration with the configuration stored on diskette. This command assumes that the diskette was previously created by the write floppy command.
The configure memory command merges the configuration in Flash memory into the current configuration in RAM.
The configure terminal command starts configuration mode. Exit configuration mode with the quit command. After exiting configuration mode, use write memory to store your changes in Flash memory or write floppy to store the configuration on diskette. Use the write terminal command to display the current configuration.
The show configure command lists the contents of the configuration in Flash memory.
Each command statement from diskette (with configure floppy), Flash memory (with configure memory), or TFTP transfer (with configure net) is read into the current configuration and evaluated in the same way as commands entered from a keyboard with these rules:
•
•
•
Examples
The following example shows how to configure the PIX Firewall using a configuration retrieved with TFTP:
configure net 10.1.1.1:/tftp/config/pixconfigThe pixconfig file is stored on the TFTP server at 10.1.1.1 in the tftp/config folder.
The following example shows how to configure the PIX Firewall from a diskette:
configure floppyThe following example shows how to configure the PIX Firewall from the configuration stored in Flash memory:
configure memoryThe following example shows the commands you enter to access configuration mode, view the configuration, and save it in Flash memory.
Access privileged mode with the enable command and configuration mode with the configure terminal command. View the current configuration with the write terminal command and save your configuration to Flash memory using the write memory command.
pixfirewall> enablepassword:pixfirewall# configure terminalpixfirewall(config)# write terminal: Saved... config commands ...: Endwrite memorycopy tftp flash
Change software images without requiring access to the TFTP monitor mode. (Configuration mode.)
copy tftp[:[[//location][/pathname]]] flash
Syntax Description
Usage Guidelines
The copy tftp flash command lets you download a software image via TFTP. You can use the copy tftp flash command with any PIX Firewall model running version 5.1(1) or later.
The image you download is made available to the PIX Firewall on the next reload (reboot).
The command syntax is as follows:
copy tftp[:[[//location][/pathname]]] flash
If the command is used without the location or pathname optional parameters, then the location and filename are obtained from the user interactively via a series of questions similar to those presented by Cisco IOS software. If you only enter a colon (:), parameters are taken from the tftp-server command settings. If other optional parameters are supplied, then these values would be used in place of the corresponding tftp-server command setting. Supplying any of the optional parameters, such as a colon and anything after it, causes the command to run without prompting for user input.
The location is either an IP address or a name that resolves to an IP address via the PIX Firewall naming resolution mechanism (currently static mappings via the name and names commands). PIX Firewall must know how to reach this location via its routing table information. This information is determined by the ip address command, the route command, or also RIP, depending upon your configuration.
The pathname can include any directory names besides the actual last component of the path to the file on the server. The pathname cannot contain spaces. If a directory name has spaces, set the directory in the TFTP server instead of in the copy tftp flash command.
If your TFTP server has been configured to point to a directory on the system from which you are downloading the image, you need only use the IP address of the system and the image filename.
For example, if you want to download the pix512.bin file from the D: partition on a Windows system (IP address 10.1.1.5), you would access the Cisco TFTP Server View>Options menu and enter the filename path in the TFTP server root directory edit box; for example, D:\pix_images. To copy the file to the PIX Firewall, use the following copy tftp command:
copy tftp://10.1.1.5/pix512.bin flashThe TFTP server receives the command and determines the actual file location from its root directory information. The server then downloads the TFTP image to the PIX Firewall.
Note
Examples
The following example causes the PIX Firewall to prompt you for the filename and location before you start the TFTP download:
copy tftp flashAddress or name of remote host [127.0.0.1]? 10.1.1.5Source file name [cdisk]? pix512.bincopying tftp://10.1.1.5/pix512.bin to flash[yes|no|again]? yes!!!!!!!!!!!!!!!!!!!!!!!...Received 1695744 bytes.Erasing current image.Writing 1597496 bytes of image.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!...Image installed.The next example takes the information from the tftp-server command. In this case, the TFTP server is in an intranet and resides on the outside interface. The example sets the filename and location from the tftp-server command, saves memory, and then downloads the image to Flash memory:
tftp-server outside 10.1.1.5 pix512.binWarning: 'outside' interface has a low security level (0).write memoryBuilding configuration...Cryptochecksum: 017c452b d54be501 8620ba48 490f7e99[OK]copy tftp: flashcopying tftp://10.1.1.5/pix512.bin to flash!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!...The next examples override the information in the tftp-server command to let you specify alternate information about the filename and location. If you have not set the tftp-server command, you can also use the copy tftp flash command to specify all information as shown in the second example that follows:
copy tftp:/pix512.bin flashcopy tftp://10.0.0.1/pix512.bin flashThe next examples map an IP address to the tftp-host name with the name command and use the tftp-host name in the copy commands:
name 10.1.1.6 tftp-hostcopy tftp://tftp-host/pix512.bin flashcopy tftp://tftp-host/tftpboot/pix512.bin flashcrypto dynamic-map
Create, view, or delete a dynamic crypto map entry. (Configuration mode.)
crypto dynamic-map dynamic-map-name dynamic-seq-num
no crypto dynamic-map dynamic-map-name [dynamic-seq-num]
crypto dynamic-map dynamic-map-name dynamic-seq-num match address acl_name
no crypto dynamic-map dynamic-map-name dynamic-seq-num match address acl_name
crypto dynamic-map dynamic-map-name dynamic-seq-num set peer hostname | ip-address
no crypto dynamic-map dynamic-map-name dynamic-seq-num set peer hostname | ip-address
crypto dynamic-map dynamic-map-name dynamic-seq-num set pfs [group1 | group2]
no crypto dynamic-map dynamic-map-name dynamic-seq-num set pfs
crypto dynamic-map dynamic-map-name dynamic-seq-num set security-association lifetime seconds seconds | kilobytes kilobytes
no crypto dynamic-map dynamic-map-name dynamic-seq-num set security-association lifetime seconds | kilobytes
crypto dynamic-map dynamic-map-name dynamic-seq-num set transform-set transform-set-name1 [... transform-set-name9]
no crypto dynamic-map dynamic-map-name dynamic-seq-num set transform-set transform-set-name1 [... transform-set-name9]
clear [crypto] dynamic-map [dynamic-map-name] [dynamic-seq-num]
show crypto dynamic-map [tag dynamic-map-name]
Syntax Description
Note
Usage Guidelines
The sections that follow describe each crypto dynamic-map command.
Note
crypto dynamic-map
The crypto dynamic-map command allows you to create a dynamic crypto map entry. The no crypto dynamic-map command deletes a dynamic crypto map set or entry. The clear [crypto] dynamic-map removes all of the dynamic crypto map command statements. Specifying the name of a given crypto dynamic map removes the associated crypto dynamic map command statement(s). You can also specify the dynamic crypto map's sequence number to remove all of the associated dynamic crypto map command statements. The show crypto dynamic-map command allows you to view a dynamic crypto map set.
Dynamic crypto maps are policy templates used when processing negotiation requests for new security associations from a remote IPSec peer, even if you do not know all of the crypto map parameters required to communicate with the peer (such as the peer's IP address). For example, if you do not know about all the remote IPSec peers in your network, a dynamic crypto map allows you to accept requests for new security associations from previously unknown peers. (However, these requests are not processed until the IKE authentication has completed successfully.)
When a PIX Firewall receives a negotiation request via IKE from another peer, the request is examined to see if it matches a crypto map entry. If the negotiation does not match any explicit crypto map entry, it will be rejected unless the crypto map set includes a reference to a dynamic crypto map.
The dynamic crypto map accepts "wildcard" parameters for any parameters not explicitly stated in the dynamic crypto map entry. This allows you to set up IPSec security associations with a previously unknown peer. (The peer still must specify matching values for the "wildcard" IPSec security association negotiation parameters.)
If the PIX Firewall accepts the peer's request, at the point that it installs the new IPSec security associations it also installs a temporary crypto map entry. This entry is filled in with the results of the negotiation. At this point, the PIX Firewall performs normal processing, using this temporary crypto map entry as a normal entry, even requesting new security associations if the current ones are expiring (based upon the policy specified in the temporary crypto map entry). Once the flow expires (that is, all of the corresponding security associations expire), the temporary crypto map entry is removed.
Dynamic crypto maps are used for determining whether or not traffic should be protected.
Note
Examples
The following example configures an IPSec crypto map set.
Crypto map entry mymap 30 references the dynamic crypto map set mydynamicmap, which can be used to process inbound security association negotiation requests that do not match mymap entries 10 or 20. In this case, if the peer specifies a transform set that matches one of the transform sets specified in mydynamicmap, for a flow "permitted" by the access list 103, IPSec will accept the request and set up security associations with the remote peer without previously knowing about the peer. If accepted, the resulting security associations (and temporary crypto map entry) are established according to the settings specified by the remote peer.
The access list associated with mydynamicmap 10 is also used as a filter. Inbound packets that match a permit statement in this list are dropped for not being IPSec protected. (The same is true for access lists associated with static crypto maps entries.) Outbound packets that match a permit statement without an existing corresponding IPSec security association are also dropped.
crypto map mymap 10 ipsec-isakmpcrypto map mymap 10 match address 101crypto map mymap 10 set transform-set my_t_set1crypto map mymap 10 set peer 10.0.0.1 10.0.0.2crypto map mymap 20 ipsec-isakmpcrypto map mymap 20 match address 102crypto map mymap 20 set transform-set my_t_set1 my_t_set2crypto map mymap 20 set peer 10.0.0.3crypto dynamic-map mydynamicmap 10 match address 103crypto dynamic-map mydynamicmap 10 set transform-set my_t_set1 my_t_set2 my_t_set3crypto map mymap 30 ipsec-isakmp dynamic mydynamicmapThe following is sample output for the show crypto dynamic-map command:
show crypto dynamic-mapCrypto Map Template "dyn1" 10access-list 152 permit ip host 172.21.114.67 anyCurrent peer: 0.0.0.0Security association lifetime: 4608000 kilobytes/120 secondsPFS (Y/N): NTransform sets={ tauth, t1, }The following partial configuration was in effect when the above show crypto dynamic-map command was issued:
crypto ipsec security-association lifetime seconds 120crypto ipsec transform-set t1 esp-des esp-md5-hmaccrypto ipsec transform-set tauth ah-sha-hmaccrypto dynamic-map dyn1 10crypto dynamic-map dyn1 set transform-set tauth t1crypto dynamic-map dyn1 match address 152crypto map to-firewall local-address Ethernet0crypto map to-firewall 10 ipsec-isakmpcrypto map to-firewall 10 set peer 172.21.114.123crypto map to-firewall 10 set transform-set tauth t1crypto map to-firewall 10 match address 150crypto map to-firewall 20 ipsec-isakmp dynamic dyn1access-list 150 permit ip host 172.21.114.67 host 172.21.114.123access-list 150 permit ip host 15.15.15.1 host 172.21.114.123access-list 150 permit ip host 15.15.15.1 host 8.8.8.1access-list 152 permit ip host 172.21.114.67 anycrypto dynamic-map match address
See the crypto map match address command within the crypto map command page for information about this command.
crypto dynamic-map set peer
See the crypto map set peer command within the crypto map command page for information about this command.
crypto dynamic-map set pfs
See the crypto map set pfs command within the crypto map command page for information about this command.
crypto dynamic-map set security-association lifetime
See the crypto map set security-association lifetime command within the crypto map command page for information about this command.
crypto dynamic-map set transform-set
See the crypto map set transform-set command within the crypto map command page for information about this command.
Note
crypto ipsec
Create, view, or delete IPSec security associations, security association global lifetime values, and global transform sets. (Configuration mode.)
crypto ipsec security-association lifetime seconds seconds | kilobytes kilobytes
no crypto ipsec security-association lifetime seconds | kilobytes
show crypto ipsec security-association lifetime
crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]
no crypto ipsec transform-set transform-set-name
show crypto ipsec transform-set [tag transform-set-name]
clear [crypto] ipsec sa
clear [crypto] ipsec sa counters
clear [crypto] ipsec sa entry destination-address protocol spi
clear [crypto] ipsec sa map map-name
clear [crypto] ipsec sa peer
show crypto ipsec sa [map map-name | address | identity] [detail]
Syntax Description
Usage Guidelines
The sections that follow describe each crypto ipsec command.
Note
crypto ipsec security-association lifetime
The crypto ipsec security-association lifetime command is used to change global lifetime values used when negotiating IPSec security associations. To reset a lifetime to the default value, use the no crypto ipsec security-association lifetime command. The show crypto ipsec security-association lifetime command allows you to view the security-association lifetime value configured for a particular crypto map entry.
IPSec security associations use shared secret keys. These keys and their security associations time out together.
Assuming that the particular crypto map entry does not have lifetime values configured, when the PIX Firewall requests new security associations during security association negotiation, it will specify its global lifetime value in the request to the peer; it will use this value as the lifetime of the new security associations. When the PIX Firewall receives a negotiation request from the peer, it will use the smaller of the lifetime value proposed by the peer or the locally configured lifetime value as the lifetime of the new security associations.
There are two lifetimes: a "timed" lifetime and a "traffic-volume" lifetime. The security association expires after the first of these lifetimes is reached.
If you change a global lifetime, the change is only applied when the crypto map entry does not have a lifetime value specified. The change will not be applied to existing security associations, but will be used in subsequent negotiations to establish new security associations. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear [crypto] ipsec sa command. See the clear [crypto] ipsec sa command for more information.
To change the global timed lifetime, use the crypto ipsec security-association lifetime seconds command. The timed lifetime causes the security association to time out after the specified number of seconds have passed.
To change the global traffic-volume lifetime, use the crypto ipsec security-association lifetime kilobytes command. The traffic-volume lifetime causes the security association to time out after the specified amount of traffic (in kilobytes) has been protected by the security associations' key.
Shorter lifetimes can make it harder to mount a successful key recovery attack, since the attacker has less data encrypted under the same key to work with. However, shorter lifetimes require more CPU processing time for establishing new security associations. The lifetime values are ignored for manually established security associations (security associations installed using an ipsec-manual crypto map command entry).
The security association (and corresponding keys) will expire according to whichever occurs sooner, either after the number of seconds has passed (specified by the seconds keyword) or after the amount of traffic in kilobytes has passed (specified by the kilobytes keyword).
A new security association is negotiated before the lifetime threshold of the existing security association is reached, to ensure that a new security association is ready for use when the old one expires. The new security association is negotiated either 30 seconds before the seconds lifetime expires or when the volume of traffic through the tunnel reaches 256 kilobytes less than the kilobytes lifetime (whichever occurs first).
If no traffic has passed through the tunnel during the entire life of the security association, a new security association is not negotiated when the lifetime expires. Instead, a new security association will be negotiated only when IPSec sees another packet that should be protected.
Examples
This example shortens both lifetimes, because the administrator feels there is a higher risk that the keys could be compromised. The timed lifetime is shortened to 2,700 seconds (45 minutes), and the traffic-volume lifetime is shortened to 2,304,000 kilobytes (10 megabytes per second for one half hour).
crypto ipsec security-association lifetime seconds 2700crypto ipsec security-association lifetime kilobytes 2304000The following is sample output for the show crypto ipsec security-association lifetime command:
show crypto ipsec security-association lifetimeSecurity-association lifetime: 4608000 kilobytes/120 secondsThe following configuration was in effect when the above show crypto ipsec security-association lifetime command was issued:
crypto ipsec security-association lifetime seconds 120crypto ipsec transform-set
The crypto ipsec transform-set command defines a transform set. To delete a transform set, use the no crypto ipsec transform-set command. To view the configured transform sets, use the show crypto ipsec transform-set command.
A transform set specifies one or two IPSec security protocols (either ESP or AH or both) and specifies which algorithms to use with the selected security protocol. During the IPSec security association negotiation, the peers agree to use a particular transform set when protecting a particular data flow.
You can configure multiple transform sets, and then specify one or more of these transform sets in a crypto map entry. The transform set defined in the crypto map entry is used in the IPSec security association negotiation to protect the data flows specified by that crypto map entry's access list. During the negotiation, the peers search for a transform set that is the same at both peers. When such a transform set is found, it is selected and is applied to the protected traffic as part of both peer's IPSec security associations.
When security associations are established manually, a single transform set must be used. The transform set is not negotiated.
Before a transform set can be included in a crypto map entry, it must be defined using the crypto ipsec transform-set command.
To define a transform set, you specify one to three "transforms"—each transform represents an IPSec security protocol (ESP or AH) plus the algorithm you want to use. When the particular transform set is used during negotiations for IPSec security associations, the entire transform set (the combination of protocols, algorithms, and other settings) must match a transform set at the remote peer.
In a transform set you could specify the AH protocol, the ESP protocol, or both. If you specify an ESP protocol in a transform set, you can specify just an ESP encryption transform or both an ESP encryption transform and an ESP authentication transform.
Examples of acceptable transform combinations are as follows:
•
•
•
•
If one or more transforms are specified in the crypto ipsec transform-set command for an existing transform set, the specified transforms will replace the existing transforms for that transform set.
If you change a transform set definition, the change is only applied to crypto map entries that reference the transform set. The change will not be applied to existing security associations, but will be used in subsequent negotiations to establish new security associations. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear [crypto] ipsec sa command.
For more information about transform sets, see "Transform Sets" in "Configuring IPSec."
Examples
This example defines one transform set (named "standard"), which will be used with an IPSec peer that supports the ESP protocol. Both an ESP encryption transform and an ESP authentication transform is specified in this example:
crypto ipsec transform-set standard esp-des esp-md5-hmacThe following is sample output for the show crypto ipsec transform-set command:
show crypto ipsec transform-setTransform set combined-des-sha: { esp-des esp-sha-hmac }will negotiate = { Tunnel, },Transform set combined-des-md5: { esp-des esp-md5-hmac }will negotiate = { Tunnel, },Transform set t1: { esp-des esp-md5-hmac }will negotiate = { Tunnel, },Transform set t100: { ah-sha-hmac }will negotiate = { Tunnel, },Transform set t2: { ah-sha-hmac }will negotiate = { Tunnel, },{ esp-des }will negotiate = { Tunnel, },The following configuration was in effect when the above show crypto ipsec transform-set command was issued:
crypto ipsec transform-set combined-des-sha esp-des esp-sha-hmaccrypto ipsec transform-set combined-des-md5 esp-des esp-md5-hmaccrypto ipsec transform-set t1 esp-des esp-md5-hmaccrypto ipsec transform-set t100 ah-sha-hmaccrypto ipsec transform-set t2 ah-sha-hmac esp-desclear [crypto] ipsec sa
The clear [crypto] ipsec sa command allows you to delete IPSec security associations. The keyword crypto is optional. If the security associations were established via IKE, they are deleted and future IPSec traffic will require new security associations to be negotiated. When IKE is used, the IPSec security associations are established only when needed.
If the security associations are manually established, the security associations are deleted.
If the peer, map, entry, or counters keywords are not used, all IPSec security associations will be deleted. This command clears (deletes) IPSec security associations.
If the security associations were established via IKE, they are deleted and future IPSec traffic will require new security associations to be negotiated. (When IKE is used, the IPSec security associations are established only when needed.)
If the security associations are manually established, the security associations are deleted and reinstalled. (When IKE is not used, the IPSec security associations are created as soon as the configuration is completed.)
If the peer, map, entry, or counters keywords are not used, all IPSec security associations will be deleted.
The peer keyword deletes any IPSec security associations for the specified peer.
The map keyword deletes any IPSec security associations for the named crypto map set.
The entry keyword deletes the IPSec security association with the specified address, protocol, and SPI.
If any of the previous commands cause a particular security association to be deleted, all the "sibling" security associations—that were established during the same IKE negotiation—are deleted as well.
The counters keyword simply clears the traffic counters maintained for each security association; it does not clear the security associations themselves.
If you make configuration changes that affect security associations, these changes will not apply to existing security associations but to negotiations for subsequent security associations. You can use the clear [crypto] ipsec sa command to restart all security associations so they will use the most current configuration settings. In the case of manually established security associations, if you make changes that affect security associations you must use the clear [crypto] ipsec sa command before the changes take effect.
Note
If the PIX Firewall is processing active IPSec traffic, Cisco recommends that you only clear the portion of the security association database that is affected by the changes to avoid causing active IPSec traffic to temporarily fail.
Note
Examples
The following example clears (and reinitializes if appropriate) all IPSec security associations at the PIX Firewall:
clear crypto ipsec saThe following example clears (and reinitializes if appropriate) the inbound and outbound IPSec security associations established along with the security association established for address 10.0.0.1 using the AH protocol with the SPI of 256:
clear crypto ipsec sa entry 10.0.0.1 AH 256show crypto ipsec sa
The show crypto ipsec sa command allows you to view the settings used by current security associations. If no keyword is used, all security associations are displayed. They are sorted first by interface, and then by traffic flow (for example, source/destination address, mask, protocol, port). Within a flow, the security associations are listed by protocol (ESP/AH) and direction (inbound/outbound).
Note
Note
Examples
The following is a sample output for the show crypto ipsec sa command:
show crypto ipsec sainterface: outsideCrypto map tag: firewall-alice, local addr. 172.21.114.123local ident (addr/mask/prot/port): (172.21.114.123/255.255.255.255/0/0)remote ident (addr/mask/prot/port): (172.21.114.67/255.255.255.255/0/0)current_peer: 172.21.114.67PERMIT, flags={origin_is_acl,}#pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10#pkts decaps: 10, #pkts decrypt: 10, #pkts verify 10#send errors 10, #recv errors 0local crypto endpt.: 172.21.114.123, remote crypto endpt.: 172.21.114.67path mtu 1500, media mtu 1500current outbound spi: 20890A6Finbound esp sas:spi: 0x257A1039(628756537)transform: esp-des esp-md5-hmac ,in use settings ={Tunnel, }slot: 0, conn id: 26, crypto map: firewall-alicesa timing: remaining key lifetime (k/sec): (4607999/90)IV size: 8 bytesreplay detection support: Yinbound ah sas:outbound esp sas:spi: 0x20890A6F(545852015)transform: esp-des esp-md5-hmac ,in use settings ={Tunnel, }slot: 0, conn id: 27, crypto map: firewall-alicesa timing: remaining key lifetime (k/sec): (4607999/90)IV size: 8 bytesreplay detection support: Youtbound ah sas:interface: insideCrypto map tag: firewall-alice, local addr. 172.21.114.123local ident (addr/mask/prot/port): (172.21.114.123/255.255.255.255/0/0)remote ident (addr/mask/prot/port): (172.21.114.67/255.255.255.255/0/0)current_peer: 172.21.114.67PERMIT, flags={origin_is_acl,}#pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10#pkts decaps: 10, #pkts decrypt: 10, #pkts verify 10#send errors 10, #recv errors 0local crypto endpt.: 172.21.114.123, remote crypto endpt.: 172.21.114.67path mtu 1500, media mtu 1500current outbound spi: 20890A6Finbound esp sas:spi: 0x257A1039(628756537)transform: esp-des esp-md5-hmac ,in use settings ={Tunnel, }slot: 0, conn id: 26, crypto map: firewall-alicesa timing: remaining key lifetime (k/sec): (4607999/90)IV size: 8 bytesreplay detection support: Yinbound ah sas:outbound esp sas:spi: 0x20890A6F(545852015)transform: esp-des esp-md5-hmac ,in use settings ={Tunnel, }slot: 0, conn id: 27, crypto map: firewall-alicesa timing: remaining key lifetime (k/sec): (4607999/90)IV size: 8 bytesreplay detection support: Youtbound ah sas:crypto map
To create, modify, view or delete a crypto map entry. Also used to delete a crypto map set. (Configuration mode.)
crypto map map-name client authentication aaa-server-name
no crypto map map-name client authentication aaa-server-name
crypto map map-name client configuration address initiate | respond
no crypto map map-name client configuration address initiate | respond
crypto map map-name interface interface-name
no crypto map map-name interface interface-name
show crypto map [interface interface-name | tag map-name]
crypto map map-name seq-num ipsec-isakmp | ipsec-manual [dynamic dynamic-map-name]
no crypto map map-name seq-num
crypto map map-name seq-num match address acl_name
no crypto map map-name seq-num match address acl_name
crypto map map-name seq-num set peer hostname | ip-address
no crypto map map-name seq-num set peer hostname | ip-address
crypto map map-name seq-num set pfs [group1 | group2]
no crypto map map-name seq-num set pfs
crypto map map-name seq-num set security-association lifetime seconds seconds | kilobytes kilobytes
no crypto map map-name seq-num set security-association lifetime seconds seconds | kilobytes kilobytes
crypto map map-name set session-key inbound | outbound ah spi hex-key-string
no crypto map map-name seq-num set session-key inbound | outbound ah
crypto map map-name set session-key inbound | outbound esp spi cipher hex-key-string [authenticator hex-key-string]
no crypto map map-name seq-num set session-key inbound | outbound esp
crypto map map-name seq-num set transform-set transform-set-name1
[... transform-set-name6]no crypto map map-name seq-num set transform-set transform-set-name1
[... transform-set-name6]Syntax Description
Usage Guidelines
The sections that follow describe each crypto map command.
Note
crypto map client authentication
The crypto map client authentication command enables the extended authentication (Xauth) feature, which allows you to prompt for a TACAC+/RADIUS username and password during IKE authentication. You must first have your basic AAA Server set up to be able to use this feature. This command tells the PIX Firewall during phase 1 of IKE to use the Xauth (RADIUS/TACACS+) challenge to authenticate IKE. If the Xauth fails, the IPSec security association will not be established, and the IKE security association will be deleted.
Use the no crypto map client authentication command to restore the default value. The extended Xauth feature is not enabled by default.
Note
Note
Examples
The following example shows how the crypto map client authentication command is used. This example sets up the IPSec rules for VPN encryption IPSec. The ip, nat, aaa-server command statements establish the context for the IPSec-related commands.
ip address inside 10.0.0.1 255.255.255.0ip address outside 168.20.1.5 255.255.255.0ip local pool dealer 10.1.2.1-10.1.2.254nat (inside) 0 access-list 80aaa-server TACACS+ (inside) host 10.0.0.2 secret123crypto ipsec transform-set pc esp-des esp-md5-hmaccrypto dynamic-map cisco 4 set transform-set pccrypto map partner-map 20 ipsec-isakmp dynamic ciscocrypto map partner-map client configuration address initiatecrypto map partner-map client authentication TACACS+crypto map partner-map interface outsideisakmp key cisco1234 address 0.0.0.0 netmask 0.0.0.0isakmp client configuration address-pool local dealer outsideisakmp policy 8 authentication pre-shareisakmp policy 8 encryption desisakmp policy 8 hash md5isakmp policy 8 group 1isakmp policy 8 lifetime 86400crypto map client configuration address
Use the crypto map client configuration address command to configure IKE Mode Configuration on your PIX Firewall. The IKE Mode Configuration allows the PIX Firewall to download an IP address to the remote peer (client) as part of an IKE negotiation. With crypto map client configuration address command, you define the crypto map(s) that should attempt to configure the peer.
Use the no crypto map client configuration address command to restore the default value. The IKE Mode Configuration is not enabled by default.
The keyword initiate indicates the PIX Firewall will attempt to set IP addresses for each peer. The respond keyword indicates the PIX Firewall will accept requests for IP addresses from any requesting peer.
Note
See the section "About IKE Mode Config (Dynamic IP Address Assignment for VPN Client)" in "Configuring IPSec," for more information about the IKE Mode Configuration.
Examples
The following examples configure IKE Mode Configuration on your PIX Firewall:
crypto map mymap client configuration address initiatecrypto map mymap client configuration address respondcrypto map interface
The crypto map interface command applies a previously defined crypto map set to an interface. Use the no crypto map interface command to remove the crypto map set from the interface. Use the show crypto map [interface | tag] to view the crypto map configuration.
Use this command to assign a crypto map set to any active PIX Firewall interface. The PIX Firewall supports IPSec termination on any and all active interfaces. You must assign a crypto map set to an interface before that interface can provide IPSec services. Only one crypto map set can be assigned to an interface. If multiple crypto map entries have the same map-name but a different seq-num, they are considered to be part of the same set and will all be applied to the interface. The crypto map entry with the lowest seq-num is considered the highest priority and will be evaluated first. A single crypto map set can contain a combination of ipsec-isakmp and ipsec-manual crypto map entries.
Note
Examples
The following example assigns crypto map set mymap to the outside interface. When traffic passes through the outside interface, the traffic will be evaluated against all the crypto map entries in the mymap set. When outbound traffic matches an access list in one of the mymap crypto map entries, a security association (if IPSec) will be established per that crypto map entry's configuration (if no security association or connection already exists).
crypto map mymap interface outsideThe following is sample output for the show crypto map command:
show crypto mapCrypto Map: "firewall-alice" pif: outside local address: 172.21.114.123Crypto Map "firewall-alice" 10 ipsec-isakmpPeer = 172.21.114.67access-list 141 permit ip host 172.21.114.123 host 172.21.114.67Current peer: 172.21.114.67Security-association lifetime: 4608000 kilobytes/120 secondsPFS (Y/N): NTransform sets={ t1, }The following configuration was in effect when the above show crypto map command was issued:
crypto map firewall-alice 10 ipsec-isakmpcrypto map firewall-alice 10 set peer 172.21.114.67crypto map firewall-alice 10 set transform-set t1crypto map firewall-alice 10 match address 141The following is sample output for the show crypto map command when manually established security associations are used:
show crypto mapCrypto Map "multi-peer" 20 ipsec-manualPeer = 172.21.114.67access-list 120 permit ip host 1.1.1.1 host 1.1.1.2Current peer: 172.21.114.67Transform sets={ t2, }Inbound esp spi: 0,cipher key: ,auth_key: ,Inbound ah spi: 256,key: 010203040506070809010203040506070809010203040506070809,Outbound esp spi: 0cipher key: ,auth key: ,Outbound ah spi: 256,key: 010203040506070809010203040506070809010203040506070809,The following configuration was in effect when the above show crypto map command was issued:
crypto map multi-peer 20 ipsec-manualcrypto map multi-peer 20 set peer 172.21.114.67crypto map multi-peer 20 set session-key inbound ah 256010203040506070809010203040506070809010203040506070809crypto map multi-peer 20 set session-key outbound ah 256010203040506070809010203040506070809010203040506070809crypto map multi-peer 20 set transform-set t2crypto map multi-peer 20 match address 120crypto map ipsec-manual | ipsec-isakmp
To create or modify a crypto map entry, use the crypto map ipsec-manual | ipsec-isakmp command. To create or modify an ipsec-manual crypto map entry, use the ipsec-manual option of the command. To create or modify an ipsec-isakmp crypto map entry, use the ipsec-isakmp option of the command. Use the no crypto map command to delete a crypto map entry or set.
Note
After you define crypto map entries, you can use the crypto map interface command to assign the crypto map set to interfaces.
Crypto maps provide two functions: filtering/classifying traffic to be protected, and defining the policy to be applied to that traffic. The first use affects the flow of traffic on an interface; the second affects the negotiation performed (via IKE) on behalf of that traffic.
IPSec crypto maps link together definitions of the following:
•
•
•
•
A crypto map set is a collection of crypto map entries each with a different seq-num but the same map-name. Therefore, for a given interface, you could have certain traffic forwarded to one peer with specified security applied to that traffic, and other traffic forwarded to the same or a different peer with different IPSec security applied. To accomplish this you would create two crypto map entries, each with the same map-name, but each with a different seq-num.
The number you assign to the seq-num argument should not be arbitrary. This number is used to rank multiple crypto map entries within a crypto map set. Within a crypto map set, a crypto map entry with a lower seq-num is evaluated before a map entry with a higher seq-num; that is, the map entry with the lower number has a higher priority.
Examples
The following example shows the minimum required crypto map configuration when IKE will be used to establish the security associations:
crypto map mymap 10 ipsec-isakmpcrypto map mymap 10 match address 101crypto map mymap set transform-set my_t_set1crypto map mymap set peer 10.0.0.1The following example shows the minimum required crypto map configuration when the security associations are manually established.
crypto transform-set someset ah-md5-hmac esp-descrypto map mymap 10 ipsec-manualcrypto map mymap 10 match address 102crypto map mymap 10 set transform-set somesetcrypto map mymap 10 set peer 10.0.0.5crypto map mymap 10 set session-key inbound ah 256 98765432109876549876543210987654crypto map mymap 10 set session-key outbound ah 256 fedcbafedcbafedcfedcbafedcbafedccrypto map mymap 10 set session-key inbound esp 256 cipher 0123456789012345crypto map mymap 10 set session-key outbound esp 256 cipher abcdefabcdefabcdcrypto map ipsec-isakmp dynamic
To specify that a given crypto map entry is to reference a pre-existing dynamic crypto map, use the crypto map ipsec-isakmp dynamic command.
Use the crypto dynamic-map command to create dynamic crypto map entries. After you create a dynamic crypto map set, use the crypto map ipsec-isakmp dynamic command to add the dynamic crypto map set to a static crypto map.
Give crypto map entries which reference dynamic map sets the lowest priority map entries so that inbound security association negotiation requests will try to match the static maps first. Only after the request does not match any of the static maps do you want it to be evaluated against the dynamic map set.
To make a crypto map entry that references a dynamic crypto map to be set to the lowest priority map entry, give the map entry the highest seq-num of all the map entries in a crypto map set.
For more information about dynamic maps, see the section "Dynamic Crypto Maps" in "Configuring IPSec."
Examples
The following example configures an IPSec crypto map set that includes a reference to a dynamic crypto map set.
Crypto map "mymap 10" allows security associations to be established between the PIX Firewall and either (or both) of two remote IPSec peers for traffic matching access list 101. Crypto map "mymap 20" allows either of two transform sets to be negotiated with the peer for traffic matching access list 102.
Crypto map entry "mymap 30" references the dynamic crypto map set "mydynamicmap," which can be used to process inbound security association negotiation requests that do not match "mymap" entries 10 or 20. In this case, if the peer specifies a transform set that matches one of the transform sets specified in "mydynamicmap" for a flow "permitted" by the access list 103, IPSec will accept the request and set up security associations with the peer without previously knowing about the peer. If accepted, the resulting security associations (and temporary crypto map entry) are established according to the settings specified by the peer.
The access list associated with "mydynamicmap 10" is also used as a filter. Inbound packets that match a permit statement in this list are dropped for not being IPSec protected. (The same is true for access lists associated with static crypto maps entries.) Outbound packets that match a permit statement without an existing corresponding IPSec security association are also dropped.
crypto map mymap 10 ipsec-isakmpcrypto map mymap 10 match address 101crypto map mymap 10 set transform-set my_t_set1crypto map mymap 10 set peer 10.0.0.1crypto map mymap 10 set peer 10.0.0.2crypto map mymap 20 ipsec-isakmpcrypto map mymap 10 match address 102crypto map mymap 10 set transform-set my_t_set1 my_t_set2crypto map mymap 10 set peer 10.0.0.3crypto dynamic-map mydynamicmap 10crypto dynamic-map mydynamicmap 10 match address 103crypto dynamic-map mydynamicmap 10 set transform-set my_t_set1 my_t_set2 my_t_set3crypto map mymap 30 ipsec-isakmp dynamic mydynamicmapcrypto map match address
To assign an access list to a crypto map entry, use the crypto map match address command. Use the no crypto map match address command to remove the access list from a crypto map entry.
This command is required for all static crypto map entries. If you are defining a dynamic crypto map entry (with the crypto dynamic-map command), this command is not required but is strongly recommended.
Use the access-list command to define this access list.
The access list specified with this command will be used by IPSec to determine which traffic should be protected by IPSec crypto and which traffic does not need protection. (Traffic that is permitted by the access list will be protected. Traffic that is denied by the access list will not be protected in the context of the corresponding crypto map entry.)
Note
The crypto access list specified by this command is used when evaluating both inbound and outbound traffic. Outbound traffic is evaluated against the crypto access lists specified by the interface's crypto map entries to determine if it should be protected by crypto, and if so (if traffic matches a permit entry), which crypto policy applies. (If necessary, in the case of static IPSec crypto maps, new security associations are established using the data flow identity as specified in the permit entry; in the case of dynamic crypto map entries, if no security association exists, the packet is dropped.) Inbound traffic is evaluated against the crypto access lists specified by the entries of the interface's crypto map set to determine if it should be protected by crypto and, if so, which crypto policy applies. (In the case of IPSec, unprotected traffic is discarded because it should have been protected by IPSec.)
The access list is also used to identify the flow for which the IPSec security associations are established. In the outbound case, the permit entry is used as the data flow identity (in general), while in the inbound case the data flow identity specified by the peer must be "permitted" by the crypto access list.
Examples
The following example shows the minimum required crypto map configuration when IKE will be used to establish the security associations. (This example is for a static crypto map.)
crypto map mymap 10 ipsec-isakmpcrypto map mymap 10 match address 101crypto map mymap 10 set transform-set my_t_set1crypto map mymap 10 set peer 10.0.0.1crypto map set peer
Use the crypto map set peer command to specify an IPSec peer in a crypto map entry. Use the no crypto map set peer command to remove an IPSec peer from a crypto map entry.
This command is required for all static crypto maps. If you are defining a dynamic crypto map (with the crypto dynamic-map command), this command is not required, and in most cases is not used because, in general, the peer is unknown.
For ipsec-isakmp crypto map entries, you can specify multiple peers by repeating this command. The peer that packets are actually sent to is determined by the last peer that the PIX Firewall received either traffic or a negotiation request from for a given data flow. If the attempt fails with the first peer, IKE tries the next peer on the crypto map list.
For ipsec-manual crypto entries, you can specify only one peer per crypto map. If you want to change the peer, you must first delete the old peer and then specify the new peer.
Examples
The following example shows a crypto map configuration when IKE will be used to establish the security associations. In this example, a security association could be set up to either the peer at 10.0.0.1 or the peer at 10.0.0.2.
crypto map mymap 10 ipsec-isakmpcrypto map mymap 10 match address 101crypto map mymap 10 set transform-set my_t_set1crypto map mymap 10 set peer 10.0.0.1 10.0.0.2crypto map set pfs
The crypto map set pfs command sets IPSec to ask for perfect forward secrecy (PFS) when requesting new security associations for this crypto map entry, or that IPSec requires PFS when receiving requests for new security associations. To specify that IPSec should not request PFS, use the no crypto map set pfs command. This command is only available for ipsec-isakmp crypto map entries and dynamic crypto map entries.
By default, PFS is not requested.
With PFS, every time a new security association is negotiated, a new Diffie-Hellman exchange occurs, which requires additional processing time. PFS adds another level of security because if one key is ever cracked by an attacker, only the data sent with that key will be compromised.
During negotiation, this command causes IPSec to request PFS when requesting new security associations for the crypto map entry. The default (group1) is sent if the set pfs statement does not specify a group.
If the peer initiates the negotiation and the local configuration specifies PFS, the peer must perform a PFS exchange or the negotiation will fail. If the local configuration does not specify a group, a default of group1 will be assumed, and an offer of either group1 or group2 will be accepted. If the local configuration specifies group2, that group must be part of the peer's offer or the negotiation will fail. If the local configuration does not specify PFS, it will accept any offer of PFS from the peer.
The 1024-bit Diffie-Hellman prime modulus group, group2, provides more security than group1, but requires more processing time than group1.
Note
Examples
This example specifies that PFS should be used whenever a new security association is negotiated for the crypto map "mymap 10":
crypto map mymap 10 ipsec-isakmpcrypto map mymap 10 set pfs group2crypto map set security-association lifetime
To override (for a particular crypto map entry) the global lifetime value, which is used when negotiating IPSec security associations, use the crypto map set security-association lifetime command. To reset a crypto map entry's lifetime value to the global value, use the no crypto map set security-association lifetime command.
The crypto map's security associations are negotiated according to the global lifetimes.
This command is only available for ipsec-isakmp crypto map entries and dynamic crypto map entries.
IPSec security associations use shared secret keys. These keys and their security associations time out together.
Assuming that the particular crypto map entry has lifetime values configured, when the PIX Firewall requests new security associations during security association negotiation, it will specify its crypto map lifetime value in the request to the peer; it will use this value as the lifetime of the new security associations. When the PIX Firewall receives a negotiation request from the peer, it will use the smaller of the lifetime value proposed by the peer or the locally configured lifetime value as the lifetime of the new security associations.
There are two lifetimes: a "timed" lifetime and a "traffic-volume" lifetime. The session keys/security association expires after the first of these lifetimes is reached.
If you change a lifetime, the change will not be applied to existing security associations, but will be used in subsequent negotiations to establish security associations for data flows supported by this crypto map entry. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear [crypto] ipsec sa command. See the clear [crypto] ipsec sa command for more details.
To change the timed lifetime, use the crypto map set security-association lifetime seconds command. The timed lifetime causes the keys and security association to time out after the specified number of seconds have passed.
To change the traffic-volume lifetime, use the crypto map set security-association lifetime kilobytes command. The traffic-volume lifetime causes the key and security association to time out after the specified amount of traffic (in kilobytes) has been protected by the security association's key.
Shorter lifetimes can make it harder to mount a successful key recovery attack, because the attacker has less data encrypted under the same key to work with.
However, shorter lifetimes require more CPU processing time.
The lifetime values are ignored for manually established security associations (security associations installed via an ipsec-manual crypto map entry).
To for more information about how these lifetimes, see "How These Lifetimes Work" in "Configuring IPSec."
Examples
This example shortens the timed lifetime for a particular crypto map entry, because there is a higher risk that the keys could be compromised for security associations belonging to the crypto map entry. The traffic-volume lifetime is not changed because there is not a high volume of traffic anticipated for these security associations. The timed lifetime is shortened to 2,700 seconds (45 minutes).
crypto map mymap 10 ipsec-isakmpset security-association lifetime seconds 2700crypto map set session-key
To manually specify the IPSec session keys within a crypto map entry, use the crypto map set session-key command. Use the no crypto map set session-key command to remove IPSec session keys from a crypto map entry. This command is only available for ipsec-manual crypto map entries.
If the crypto map's transform set includes:
•
•
•
When you define multiple IPSec session keys within a single crypto map, you can assign the same security parameter index (SPI) number to all the keys. The SPI is used to identify the security association used with the crypto map. However, not all peers have the same flexibility in SPI assignment.
You may have to coordinate SPI assignment with the peer's network administrator, making certain that the same SPI is not used more than once for the same destination address/protocol combination.
Security associations established using this command do not expire (unlike security associations established using IKE).
The PIX Firewall unit's session keys must match its peer's session keys.
If you change a session key, the security association using the key will be deleted and reinitialized.
Examples
The following example shows a crypto map entry for manually established security associations. The transform set "t_set" includes only an AH protocol.
crypto ipsec transform-set t_set ah-sha-hmaccrypto map mymap 20 ipsec-manualcrypto map mymap 20 match address 102crypto map mymap 20 set transform-set t_setcrypto map mymap 20 set peer 10.0.0.21crypto map mymap 20 set session-key inbound ah 300 1111111111111111111111111111111111111111crypto map mymap 20 set session-key outbound ah 300 2222222222222222222222222222222222222222The following example shows a crypto map entry for manually established security associations. The transform set "someset" includes both an AH and an ESP protocol, so session keys are configured for both AH and ESP for both inbound and outbound traffic. The transform set includes both encryption and authentication ESP transforms, so session keys are created for both using the cipher and authenticator keywords.
crypto ipsec transform-set someset ah-sha-hmac esp-des esp-sha-hmaccrypto map mymap 10 ipsec-manualcrypto map mymap 10 match address 101crypto map mymap 10 set transform-set somesetcrypto map mymap 10 set peer 10.0.0.1crypto map mymap 10 set session-key inbound ah 300 9876543210987654321098765432109876543210crypto map mymap 10 set session-key outbound ah 300 fedcbafedcbafedcbafedcbafedcbafedcbafedccrypto map mymap 10 set session-key inbound esp 300 cipher 0123456789012345authenticator 0000111122223333444455556666777788889999crypto map mymap 10 set session-key outbound esp 300 cipher abcdefabcdefabcdauthenticator 9999888877776666555544443333222211110000crypto map set transform-set
To specify which transform sets can be used with the crypto map entry, use the crypto map set transform-set command. Use the no crypto map set transform-set command to remove all transform sets from a crypto map entry.
This command is required for all static and dynamic crypto map entries.
For an ipsec-isakmp crypto map entry, you can list up to six transform sets with this command. List the higher priority transform sets first.
If the local PIX Firewall initiates the negotiation, the transform sets are presented to the peer in the order specified in the crypto map command statement. If the peer initiates the negotiation, the local PIX Firewall accepts the first transform set that matches one of the transform sets specified in the crypto map entry.
The first matching transform set that is found at both peers is used for the security association. If no match is found, IPSec will not establish a security association. The traffic will be dropped because there is no security association to protect the traffic.
For an ipsec-manual crypto map command statement, you can specify only one transform set. If the transform set does not match the transform set at the remote peer's crypto map, the two peers will fail to correctly communicate because the peers are using different rules to process the traffic.
If you want to change the list of transform sets, respecify the new list of transform sets to replace the old list. This change is only applied to crypto map command statements that reference this transform set. The change will not be applied to existing security associations, but will be used in subsequent negotiations to establish new security associations. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear [crypto] ipsec sa command.
Any transform sets included in a crypto map command statement must previously have been defined using the crypto ipsec transform-set command.
Examples
The following example defines two transform sets and specifies that they can both be used within a crypto map entry. (This example applies only when IKE is used to establish security associations. With crypto maps used for manually established security associations, only one transform set can be included in a given crypto map command statement.)
crypto ipsec transform-set my_t_set1 esp-des esp-sha-hmaccrypto ipsec transform-set my_t_set2 ah-sha-hmac esp-des esp-sha-hmaccrypto map mymap 10 ipsec-isakmpcrypto map mymap 10 match address 101crypto map mymap 10 set transform-set my_t_set1 my_t_set2crypto map mymap set peer 10.0.0.1 10.0.0.2In this example, when traffic matches access list 101 the security association can use either transform set "my_t_set1" (first priority) or "my_t_set2" (second priority) depending on which transform set matches the remote peer's transform sets.
debug
Debug packets or ICMP tracings through the PIX Firewall. (Configuration mode.)
debug crypto ca [level]
no debug crypto ca [level]
debug crypto ipsec [level]
no debug crypto ipsec [level]
debug crypto isakmp [level]
no debug crypto isakmp [level]
debug icmp trace
no debug icmp trace
debug packet if_name [src source_ip [netmask mask]] [dst dest_ip [netmask mask]]
[[proto icmp] | [proto tcp [sport src_port] [dport dest_port]] |
[proto udp [sport src_port] [dport dest_port]] [rx | tx | both]no debug packet if_name [src source_ip [netmask mask]] [dst dest_ip [netmask mask]]
[[proto icmp] | [proto tcp [sport src_port] [dport dest_port]] |
[proto udp [sport src_port] [dport dest_port]] [rx | tx | both]debug ppp [error | io | uauth]
no debug ppp [error | io | uauth]
debug sqlnet
no debug sqlnet
debug vpdn [event | error | packet]
no debug vpdn [event | error | packet]
show debug
Syntax Description
crypto ca
Display information about CA (Certification Authority) traffic.
level
The level of debugging feedback. The higher the level number, the more information is displayed. The default level is 1. The levels correspond to these events:
•
•
•
Refer to the "Examples" section at the end of this command page for an example of how the debugging level appears with the show debug command.
crypto ipsec
Display information about IPSec traffic.
crypto isakmp
Display information about IKE traffic.
icmp
Display information about ICMP traffic.
packet
Display packet information.
if_name
Interface name from which the packets are arriving; for example, to monitor packets coming into the PIX Firewall from the outside, set if_name to outside.
src source_ip
Source IP address.
netmask mask
Network mask.
dst dest_ip
Destination IP address.
proto icmp
Display ICMP packets only.
proto tcp
Display TCP packets only.
sport src_port
Source port. See the "Ports" section in "Introduction" for a list of valid port literal names.
dport dest_port
Destination port.
proto udp
Display UDP packets only.
rx
Display only packets received at the PIX Firewall.
tx
Display only packets that were transmitted from the PIX Firewall.
both
Display both received and transmitted packets.
sqlnet
Debug SQL*Net traffic.
ppp
Debug PPTP traffic, which is configured with the vpdn command.
ppp error
Display PPTP PPP virtual interface error messages.
ppp io
Display the packet information for the PPTP PPP virtual interface.
ppp uauth
Display the PPTP PPP virtual interface AAA user authentication debugging messages.
vpdn event
Display PPTP tunnel event change information.
vpdn error
Display PPTP protocol error messages.
vpdn packet
Display PPTP packet information about PPTP traffic.
Usage Guidelines
The debug command lets you view debug information. The show debug command displays the current state of tracing. You can debug the contents of network layer protocol packets with debug packet.
The debug crypto ipsec, debug crypto isakmp, and debug crypto ca commands let you debug IPSec connections. Use the no form of the command to disable debugging.
The debug icmp trace command shows ICMP packet information, the source IP address, and the destination address of packets arriving, departing, and traversing the PIX Firewall including pings to the PIX Firewall unit's own interfaces.
The debug sqlnet command reports on traffic between Oracle SQL*Net clients and servers through the PIX Firewall.
The debug ppp and debug vpdn commands provide information about PPTP traffic. PPTP is configured with the vpdn command.
Use of the debug commands can slow down busy networks.
Trace Channel Feature
The debug icmp trace, debug sqlnet and debug crypto commands now send their output to the Trace Channel.
The location of the Trace Channel depends on whether you have a simultaneous Telnet console session running at the same time as the console session, or if you are using only the PIX Firewall serial console:
•
•
•
•
The debug commands are shared between all Telnet and serial console sessions.
Note
Additional debug Command Information
Note
Note
Note
Note
To stop a debug packet trace command, enter:
no debug packet if_nameReplace if_name with the name of the interface; for example, inside, outside, or a perimeter interface name.
To stop a debug icmp trace command, enter:
no debug icmp traceExamples
The following example turns on this command:
debug icmp traceWhen you ping a host through the PIX Firewall from any interface, trace output displays on the console. The following example shows a successful ping from an external host (209.165.201.2) to the PIX Firewall unit's outside interface (209.165.201.1):
Inbound ICMP echo reply (len 32 id 1 seq 256) 209.165.201.1 > 209.165.201.2Outbound ICMP echo request (len 32 id 1 seq 512) 209.165.201.2 > 209.165.201.1Inbound ICMP echo reply (len 32 id 1 seq 512) 209.165.201.1 > 209.165.201.2Outbound ICMP echo request (len 32 id 1 seq 768) 209.165.201.2 > 209.165.201.1Inbound ICMP echo reply (len 32 id 1 seq 768) 209.165.201.1 > 209.165.201.2Outbound ICMP echo request (len 32 id 1 seq 1024) 209.165.201.2 > 209.165.201.1Inbound ICMP echo reply (len 32 id 1 seq 1024) 209.165.201.1 > 209.165.201.2NO DEBUG ICMP TRACEICMP trace offThis example shows that the ICMP packet length is 32 bytes, that the ICMP packet identifier is 1, and the ICMP sequence number. The ICMP sequence number starts at 0 and is incremented each time a request is sent.
The following is sample output from the show debug command output:
show debugdebug ppp errordebug vpdn eventdebug crypto ipsec 1debug crypto isakmp 1debug crypto ca 1debug icmp tracedebug packet outside bothdebug sqlnetThe trailing 1 at the end of the debug crypto commands is the debugging level, which is described in the "Syntax Description" section at the start of this command page.
You can debug the contents of packets with the debug packet command:
debug packet inside--------- PACKET ----------- IP --4.3.2.1 ==> 255.3.2.1ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x60id = 0x3902 flags = 0x0 frag off=0x0ttl = 0x20 proto=0x11 chksum = 0x5885-- UDP --source port = 0x89 dest port = 0x89len = 0x4c checksum = 0xa6a0-- DATA --00000014: 00 01 00 00 |....00000024: 00 00 00 01 20 45 49 45 50 45 47 45 47 45 46 46 | .... EIEPEGEGEFF00000034: 43 43 4e 46 41 45 44 43 41 43 41 43 41 43 41 43 | CCNFAEDCACACACAC00000044: 41 43 41 41 41 00 00 20 00 01 c0 0c 00 20 00 01 | ACAAA.. ..... ..00000054: 00 04 93 e0 00 06 60 00 01 02 03 04 00 | ......`......--------- END OF PACKET ---------This display lists the information as it appears in a packet.
The following is sample output from the show debug command:
show debugdebug icmp trace offdebug packet offdebug sqlnet offdisable
Exit privileged mode and return to unprivileged mode. (Privileged mode.)
disable
Usage Guidelines
The disable command exits privileged mode and returns you to unprivileged mode. Use the enable command to return to privileged mode.
Examples
The following example shows how to exit privileged mode:
pixfirewall# disablepixfirewall>domain-name
Change the IPSec domain name. (Configuration mode.)
domain-name name
Syntax Description
Usage Guidelines
The domain-name command lets you change the IPSec domain name.
Note
dynamic-map
Create, view, or delete a dynamic crypto map entry. (Configuration mode.)
clear dynamic-map
show dynamic-map
Usage Guidelines
The clear dynamic-map command removes dynamic-map commands from the configuration. The show dynamic-map command lists the dynamic-map commands in the configuration.
Note
enable
Start privileged mode. (Unprivileged mode.)
enable
Usage Guidelines
The enable command starts privileged mode. The PIX Firewall prompts you for your privileged mode password. By default, a password is not required—press the Enter key at the Password prompt to start privileged mode. Use disable to exit privileged mode. Use enable password to change the password.
Examples
The following example shows how to start privileged mode with the enable command and then configuration mode with the configure terminal command.
pixfirewall> enablePassword:pixfirewall# configure terminalpixfirewall(config)#enable password
Set the privileged mode password. (Privileged mode.)
enable password password [encrypted]
show enable password
Syntax Description
password
A case-sensitive password of up to 16 alphanumeric characters.
encrypted
Specifies that the password you entered is already encrypted. The password must be 16 characters in length.
Usage Guidelines
The enable password command changes the privileged mode password, for which you are prompted after you enter the enable command. When the PIX Firewall starts and you enter privileged mode, the password prompt appears. There is not a default password (press the Enter key at the Password prompt). The show enable password command lists the encrypted form of the password.
You can return the enable password to its original value (press the Enter key at prompt) by entering:
pixfirewall# enable passwordpixfirewall#
Note
Use the passwd command to set the password for PIX Firewall Manager and Telnet access to the PIX Firewall console. The default passwd value is cisco.
See also: passwd.
Examples
The following examples show how to start privileged mode with the enable command, change the enable password with the enable password command, enter configuration mode with the configure terminal command, and display the contents of the current configuration with the write terminal command:
pixfirewall> enablePassword:pixfirewall# enable password w0ttal1fepixfirewall# configure terminalpixfirewall(config)# write terminalBuilding configuration......enable password 2oifudsaoid.9ff encrypted...The following example shows the use of the encrypted option:
enable password 1234567890123456 encryptedshow enable passwordenable password 1234567890123456 encryptedenable password 1234567890123456show enable passwordenable password feCkwUGktTCAgIbD encryptedestablished
Permit return connections on ports other than those used for the originating connection based on an established connection. (Configuration mode.)
established protocol src_port [dest_port] [permitto protocol dport[-dport]] [permitfrom protocol sport[-sport]]
no established protocol src_port [dest_port] [permitto protocol dport[-dport]] [permitfrom protocol sport[-sport]]
clear established
show established
Syntax Description
Usage Guidelines
The established command allows outbound connections return access through the PIX Firewall. This command works with two connections, an original connection outbound from a network protected by the PIX Firewall and a return connection inbound between the same two devices on an external host.
The first protocol, destination port and optional source port specified is for the initial outbound connection. The permitto and permitfrom options refine the return inbound connection.
Note
The permitto option lets you specify a new protocol or port for the return connection at the PIX Firewall.
The permitfrom option lets you specify a new protocol or port at the remote server.
The no established command disables the established feature.
The show established command shows the established commands in the configuration.
The clear established command removes all establish command statements from your configuration.
Note
You can use the established command with the nat 0 command statement (where there are no global command statements).
Note
The established command works as shown in the following format:
established A B permitto C D permitfrom E FThis command works as though it were written "If there exists a connection between two hosts using protocol A on ports B and C, permitting return connections through the PIX Firewall via protocol D, if the destination port(s) correspond to E (protocols D and F must match, but can be different than A), and the source port(s) correspond to G."
For example:
established tcp 6060 0 permitto tcp 6061 permitfrom tcp 6059In this case, if a connection is started by an internal host to an external host using TCP source port 6060 and any destination port, the PIX Firewall permits return traffic between the hosts via TCP destination port 6061 and TCP source port 6059.
For example:
established udp 0 6060 permitto tcp 6061 permitfrom tcp 1024-65535In this case, if a connection is started by an internal host to an external host using UDP destination port 6060 and any source port, the PIX Firewall permits return traffic between the hosts via TCP destination port 6061 and TCP source port 1024-65535.
Security Problem
The established command has been enhanced to optionally specify the destination port used for connection lookups. Only the source port could be specified previously with the destination port being 0 (a wildcard). This addition allows more control over the command and provides support for protocols where the destination port is known, but the source port is not.
The established command can potentially open a large security hole in the PIX Firewall if not used with discretion. Whenever you use this command, if possible, also use the permitto and permitfrom options to indicate ports to which and from which access is permitted. Without these options, external systems to which connections are made could make unrestricted connections to the internal host involved in the connection. The following are examples of potentially serious security violations that could be allowed when using the established command.
Example:
established tcp 0 4000With this example, if an internal system makes a TCP connection to an external host on port 4000, then the external host could come back in on any port using any protocol.
Example:
established tcp 0 0 (same as previous releases established tcp 0)With this example, if something like the following exists:
static (inside,outside) 200.0.0.2 10.0.0.2 access-list acl_grp permit tcp host 200.0.0.2 eq www anyan attacker only need make a web connection to 200.0.0.2 and then they can make unrestricted connections using any protocol or ports.
Examples
The following example occurs when a local host 10.1.1.1 starts a TCP connection on port 9999 to a foreign host 209.165.201.1. The example allows packets from the foreign host 209.165.201.1 on port 4242 back to local host 10.1.1.1 on port 5454:
established tcp 9999 permitto tcp 5454 permitfrom tcp 4242The next example allows packets from foreign host 209.165.201.1 on any port back to local host 10.1.1.1 on port 5454:
established tcp 9999 permitto tcp 5454XDMCP Support
PIX Firewall now provides support for XDMCP (X Display Manager Control Protocol) with assistance from the established command.
Note
Example:
established tcp 0 6000 to tcp 6000 from tcp 1024-65535Will allow internal XDMCP equipped (UNIX or ReflectionX) hosts to access external XDMCP equipped XWindows servers. UDP/177 based XDMCP negotiates a TCP based XWindows session and subsequent TCP back connections will be permitted. Because the source port(s) of the return traffic is unknown, the src_port field should be specified as 0 (wildcard). The destination port, dest_port, will typically be 6000; the well-known XServer port. The dest_port should be 6000 + n; where n represents the local display number. Use the following UNIX command to change this value:
setenv DISPLAY hostname:displaynumber.screennumberThe established command is needed because many TCP connections are generated (based on user interaction) and the source port for these connection is unknown. Only the destination port will be static. The PIX Firewall does XDMCP fixups transparently. No configuration is required, but the established command is necessary to accommodate the TCP session. Be advised that using applications like this through the PIX Firewall may open up security holes. The XWindows system has been exploited in the past and newly introduced exploits are likely to be discovered.
exit
Exit an access mode. (All modes.)
exit
Usage Guidelines
Use the exit command to exit from an access mode. This command is the same as quit.
Examples
The following example shows how to exit configuration mode and then privileged mode:
pixfirewall(config)# exitpixfirewall# exitpixfirewall>failover
Change or view access to the optional failover feature. (Configuration mode.)
failover [active]
failover ip address if_name ip_address
failover link [stateful_if_name]
failover reset
no failover active
show failover
Syntax Description
Usage Guidelines
Use the failover command without an argument after you connect the optional failover cable between your primary firewall and a secondary firewall. The default configuration has failover enabled. Enter no failover in the configuration file for the PIX Firewall if you will not be using the failover feature. Use the show failover command to verify the status of the connection and to determine which unit is active.
Note
Use the failover active command to initiate a failover switch from the Standby unit, or the no failover active command from the Active unit to initiate a failover switch. You can use this feature to return a failed unit to service, or to force an Active unit offline for maintenance. Because the Standby unit does not keep state information on each connection, all active connections will be dropped and must be re-established by the clients.
Use the failover link command to enable Stateful Failover. Version 5.1 supports Token Ring interfaces with a high speed Ethernet Stateful Failover interface connection. Version 5.1 also supports FDDI interfaces with non-Stateful Failover.
If a failover IP address has not been entered, show failover will display 0.0.0.0 for the IP address, and monitoring of the interfaces will remain in "waiting" state. A failover IP address must be set for failover to work.
New in version 5.1, when a failover cable connects two PIX Firewall units, the no failover command now disables failover until you enter the failover command to explicitly enable failover. Previously, when the failover cable connected two PIX Firewall units and you entered the no failover command, failover would automatically re-enable after 15 seconds.
If you reboot the PIX Firewall without entering the write memory command and the failover cable in connected, failover mode automatically enables.
You can also view the information from the show failover command using SNMP. Refer to "Using the Firewall and Memory Pool MIBs" in "Advanced Configurations," for more information.
A failover configuration example is provided in "Failover Configuration" in "Configuration Examples."
Configuring Failover
Follow these steps to configure failover:
Step 1
Step 2
Step 3
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v51/install/failover.htm
Step 4
Step 5
See "Failover" in "Advanced Configurations," for additional configuration information.
Examples
The following output shows that failover is enabled, and that the Primary unit state is active:
show failoverFailover OnCable status: NormalReconnect time-out 0:00:00This host: Primary - ActiveActive time: 3456 (sec)Interface 4th (172.16.1.112): NormalInterface intf3 (192.168.3.2): NormalInterface intf2 (192.168.2.2): NormalInterface outside (192.168.1.8): NormalInterface inside (10.1.1.6): NormalOther host: Secondary - StandbyActive time: 0 (sec)Interface 4th (172.16.1.111): NormalInterface intf3 (192.168.3.1): NormalInterface intf2 (192.168.2.1): NormalInterface outside (192.168.1.7): NormalInterface inside (10.1.1.2): NormalStandby Logical Update StatisticsLink : intf2Stateful Obj xmit xerr rcv rerrGeneral 53 0 0 0sys cmd 53 0 0 0up time 0 0 0 0xlate 0 0 0 0tcp conn 0 0 0 0udp conn 0 0 0 0ARP tbl 0 0 0 0RIF Tbl 0 0 0 0The "Cable status" has these values:
•
•
•
You can view the IP addresses of the Standby unit with the show ip address command:
show ip addressSystem IP Addresses:ip address outside 209.165.201.2 255.255.255.224ip address inside 192.168.2.1 255.255.255.0ip address perimeter 192.168.70.3 255.255.255.0Current IP Addresses:ip address outside 209.165.201.2 255.255.255.224ip address inside 192.168.2.1 255.255.255.0ip address perimeter 192.168.70.3 255.255.255.0The Current IP Addresses are the same as the System IP Addresses on the failover Active unit. When the Primary unit fails, the Current IP Addresses become those of the Standby unit.
The Standby Logical Update Statistics output that displays when you use the show failover command only describes Stateful Failover. The "xerrs" value does not indicate an error in failover and can be ignored.
filter
Enable or disable outbound URL or HTML object filtering. (Configuration mode.)
filter activex port local_ip mask foreign_ip mask
no filter activex port local_ip mask foreign_ip mask
filter java port[-port] local_ip mask foreign_ip mask
no filter java port[-port] local_ip mask foreign_ip mask
filter url http|except local_ip local_mask foreign_ip foreign_mask [allow]
no filter url http | except [local_ip local_mask foreign_ip foreign_mask]
clear filter
show filter
Syntax Description
Usage Guidelines
The sections that follow describe each type of filter. The clear filter command removes all filter commands from the configuration. The show filter command lists all filter commands in the configuration.
filter activex
The filter activex command filters out ActiveX, Java applets, and other HTML <object> usages from outbound packets. ActiveX controls, formerly known as OLE or OCX controls, are components you can insert in a web page or other application. These controls include custom forms, calendars, or any of the extensive third-party forms for gathering or displaying information.
As a technology, it creates many potential problems for the network clients including causing workstations to fail, introducing network security problems, or be used to attack servers.
This feature blocks the HTML <object> tag and comments it out within the HTML web page.
Note
Note
Examples
To specify that all outbound connections have ActiveX blocking, use the following command:
filter activex 80 0 0 0 0This command specifies that the ActiveX blocking applies to Web traffic on port 80 from any local host and for connections to any foreign host.
filter java
The filter java command filters out Java applets that return to the PIX Firewall from an outbound connection. The user still receives the HTML page, but the web page source for the applet is commented out so that the applet cannot execute. Use 0 for the local_ip or foreign_ip IP addresses to mean all hosts.
Note
Examples
To specify that all outbound connections have Java applet blocking, use the following command:
filter java 80 0 0 0 0This command specifies that the Java applet blocking applies to Web traffic on port 80 from any local host and for connections to any foreign host.
filter url
The filter url command lets you prevent outbound users from accessing World Wide Web URLs that you designate using the Websense filtering application.
The allow option to the filter command determines how the PIX Firewall behaves in the event that the Websense server goes offline. If you use the allow option with the filter command and the Websense server goes offline, port 80 traffic passes through the PIX Firewall without filtering. Used without the allow option and with the server offline, PIX Firewall stops outbound port 80 (Web) traffic until the server is back online, or if another URL server is available, passes control to the next URL server.
Note
Follow these steps to filter URLs:
Step 1
Step 2
Step 3
Step 4
Information on Websense is available at the following site:
http://www.websense.com/products/websense/
Examples
The following example filters all outbound HTTP connections except those from the 10.0.2.54 host:
url-server (perimeter) host 10.0.1.1filter url http 0 0 0 0filter url except 10.0.2.54 255.255.255.255 0 0fixup protocol
Change, enable, disable, or list a PIX Firewall application protocol feature. (Configuration mode.)
fixup protocol ftp [strict] [port]
fixup protocol http [port[-port]
fixup protocol h323 [port[-port]]
fixup protocol rsh [514]
fixup protocol rtsp [port]
fixup protocol smtp [port[-port]]
fixup protocol sqlnet [port[-port]]
no fixup protocol protocol [port[-port]]
clear fixup
show fixup [protocol protocol]
Syntax Description
protocol
Specify the protocol to fix up: ftp, http, h323, rsh, rtsp, smtp, sqlnet.
port
Specify the port number or range for the application protocol. The default ports are: TCP 21 for ftp, TCP 80 for http, TCP 1720 for h323, TCP 514 for rsh, TCP 554 for rtsp, TCP 25 for smtp, and TCP 1521 for sqlnet. The default port value for rsh cannot be changed, but additional port statements can be added. See the "Ports" section in "Introduction" for a list of valid port literal names.
strict
Prevent web browsers from sending embedded commands in FTP requests. Each FTP command must be acknowledged before a new command is allowed. Connections sending embedded commands are dropped.
Usage Guidelines
The fixup protocol commands let you view, change, enable, or disable the use of a service or protocol through the PIX Firewall. The ports you specify are those that the PIX Firewall listens at for each respective service. You can change the port value for each service except rsh. The fixup protocol commands are always present in the configuration and are enabled by default.
The fixup protocol command performs the Adaptive Security Algorithm based on different port numbers other than the defaults. This command is global and changes things for both inbound and outbound connections, and cannot be restricted to any static command statements.
The FTP port can be changed; however if you change the default of port 21, to something like 2021, all FTP control connections must happen on port 2021. FTP control connections on port 21 will no longer work.
If you disable FTP fixups with the no fixup protocol ftp command, outbound users can start connections only in passive mode, and all inbound FTP is disabled.
The fixup protocol ftp strict command prevents web browsers from sending embedded commands in FTP requests. Each FTP command must be acknowledged before a new command is allowed. Connections sending embedded commands are dropped.
Note
Note
You can add multiple port settings for each protocol with separate commands; for example:
fixup protocol ftp 21fixup protocol ftp 4254fixup protocol ftp 9090These commands cause PIX Firewall to listen to the standard FTP port of 21 but also to listen for FTP traffic at ports 4254 and 9090.
The clear fixup command removes fixup commands from the configuration that you added. It does not remove the default fixup protocol commands.
The show fixup command lists all values or the show fixup protocol protocol command lists an individual protocol.
You can disable the fixup of a protocol by removing all fixups of the protocol from the configuration using the no fixup command. After you remove all fixups for a protocol, the no fixup form of the command or the default port is stored in the configuration.
The fixup rtsp command lets PIX Firewall pass RTSP (Real Time Streaming Protocol) packets. RTSP is used by RealAudio, RealNetworks, Apple QuickTime 4, RealPlayer, and Cisco IP/TV connections. PIX Firewall does not support multicast RTSP.
If you are using Cisco IP/TV, use RTSP TCP port 554 and TCP 8554:
fixup protocol rtsp 554fixup protocol rtsp 8554The following restrictions apply to the fixup protocol rtsp command:
1.
2.
3.
4.
5.
6.
7.
8.
If using TCP mode on the RealPlayer, select the check boxes for Use TCP to Connect to Server and Attempt to use TCP for all content. On the PIX Firewall, there is no need to configure the fixup.
If using UDP mode on the RealPlayer, select the check boxes for Use TCP to Connect to Server and Attempt to use UDP for static content, and for live content not available via Multicast. On the PIX Firewall, add a fixup protocol rtsp port command statement
Other fixup protocol commands
The fixup protocol smtp command enables the Mail Guard feature, which only lets mail servers receive the RFC 821, section 4.5.1 commands of HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT. All other commands are rejected with the "500 command unrecognized" reply code.
The fixup protocol h323 command provides support for Intel InternetPhone, CU-SeeMe, CU-SeeMe Pro, MeetingPoint, and MS NetMeeting.
The following lists the default fixup protocol values (those enabled when a PIX Firewall is first installed). You can view the fixup protocol settings with the show fixup command as follows:
show fixupfixup protocol ftp 21fixup protocol http 80fixup protocol smtp 25fixup protocol h323 1720fixup protocol rsh 514fixup protocol sqlnet 1521Examples
The following example enables access to an inside server running Mail Guard:
static (inside,outside) 209.165.201.1 192.168.42.1 netmask 255.255.255.255access-list acl_out permit tcp host 209.165.201.1 eq smtp anyaccess-group acl_out in interface outsidefixup protocol smtp 25The following example shows the commands to disable Mail Guard:
static (dmz1,outside) 209.165.201.1 10.1.1.1 netmask 255.255.255.255access-list acl_out permit tcp host 209.165.201.1 eq smtp anyaccess-group acl_out in interface outsideno fixup protocol smtp 25In this example, the static command sets up a global address to permit outside hosts access to the 10.1.1.1 mail server host on the dmz1 interface. (The MX record for DNS needs to point to the 209.165.201.1 address so that mail is sent to this address.) The access-list command lets any outside users access the global address through the SMTP port (25). The no fixup protocol command disables the Mail Guard feature.
flashfs
Clear Flash memory or display Flash memory sector sizes. (Configuration mode.)
clear flashfs
show flashfs
Usage Guidelines
Note
The clear flashfs command clears Flash memory.
The show flashfs command displays the size in bytes of each Flash memory sector.
The data in each sector is as follows:
•
•
•
•
Examples
Use the following command to clear Flash memory:
clear flashfsThe following commands display the Flash memory sector sizes:
show flashfsflash file system: version:1 magic:0x12345679
