Downloads |
Table Of Contents
Command Reference
This chapter provides detailed descriptions on most of the PIX Firewall commands.
Note
The IPSec-related commands are described in the "Command Reference" chapter of the Cisco PIX Firewall IPSec User Guide, Version 5.2.
Before reading the PIX Firewall "Command Reference" chapter, read the following:
•
•
•
The following notes can help you as you configure the PIX Firewall:
•
•
•
•
•
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix
•
•
•
http://www.isi.edu/in-notes/iana/assignments/port-numbers
http://www.isi.edu/in-notes/iana/assignments/protocol-numbers•
aaa
Enable, disable, or view TACACS+ or RADIUS user authentication, authorization, and accounting for the server previously designated with the aaa-server command. (Configuration mode.)
aaa accounting include | exclude acctg_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag
no aaa accounting include | exclude authen_service inbound | outbound | if_name group_tag
aaa accounting match acl_name inbound | outbound | if_name group_tag
no aaa accounting match acl_name inbound | outbound | if_name group_tag
aaa authentication include | exclude authen_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag
no aaa authentication [include | exclude authen_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag]
aaa authentication match acl_name inbound | outbound | if_name group_tag
no aaa authentication match acl_name inbound | outbound | if_name group_tag
aaa authentication [serial | enable | telnet | ssh] console group_tag
no aaa authentication [serial | enable | telnet | ssh] console group_tag
aaa authorization include | exclude author_service inbound | outbound | if_name
local_ip local_mask foreign_ip foreign_maskno aaa authorization [include | exclude author_service inbound | outbound | if_name
local_ip local_mask foreign_ip foreign_mask]aaa authorization match acl_name inbound | outbound | if_name group_tag
no aaa authorization match acl_name inbound | outbound | if_name group_tag
clear aaa [accounting include | exclude authen_service inbound | outbound | if_name group_tag]
clear aaa [authentication include | exclude authen_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag]
clear aaa [authorization [include | exclude author_service inbound | outbound | if_name
local_ip local_mask foreign_ip foreign_mask]]show aaa
Syntax Description
accounting
Enable or disable accounting services with authentication server. Use of this command requires that you previously used the aaa-server command to designate an authentication server.
include
Create a new rule with the specified service to include.
exclude
Create an exception to a previously stated rule by excluding the specified service from authentication, authorization, or accounting to the specified host. The exclude parameter improves the former except option by allowing the user to specify a port to exclude to a specific host or hosts.
acctg_service
The accounting service. Accounting is provided for all services or you can limit it to one or more services. Possible values are any, ftp, http, telnet, or protocol/port. Use any to provide accounting for all TCP services. To provide accounting for UDP services, use the protocol/port form.
For protocol/port, the TCP protocol appears as 6, the UDP protocol appears as 17, and so on, and port is the TCP or UDP destination port. A port value of 0 (zero) means all ports. For protocols other than TCP and UDP, the port is not applicable and should not be used.
match acl_name
Specify an access-list command statement name.
authentication
Enable or disable user authentication, prompt user for username and password, and verify information with authentication server.
When used with the console option, enables or disables authentication service for access to the PIX Firewall console over Telnet or from the Console connector on the PIX Firewall unit.
Use of the aaa authentication command requires that you previously used the aaa-server command to designate an authentication server.
authen_service
The application with which a user is accessing a network. Use any, ftp, http, or telnet. The any value enables accounting or authentication for all TCP services. To have users prompted for authentication credentials, they must use FTP, HTTP, or Telnet. (HTTP is the Web and only applies to web browsers that can prompt for a username and password.)
If the authentication or authorization server is authenticating services other than FTP, HTTP, or Telnet, using any will not permit those services to authenticate in the firewall. The firewall only knows how to communicate with FTP, HTTP, and Telnet for authentication and authorization.
Only set this parameter to a service other than any if the authentication or authorization server is set the same way. Unless you want to temporarily restrict access to a specific service, setting a service in this command can increase system administration work and may cause all connections to fail if the authentication or authorization server is authenticating one service and you set this command to another.
authorization
Enable or disable TACACS+ user authorization for services (PIX Firewall does not support RADIUS authorization). The authentication server determines what services the user is authorized to access.
author_service
The services which require authorization. Use any, ftp, http, telnet, or protocol/port. Services not specified are authorized implicitly. Services specified in the aaa authentication command do not affect the services which require authorization.
For protocol/port:
•
•
aaa authorization include udp/53-1024 inside 0 0 0 0This example enables authorization for DNS lookups to the inside interface for all clients, and authorizes access to any other services that have ports in the range of 53 to 1024.
Note
inbound
Authenticate or authorize inbound connections. Inbound means the connection originates on the outside interface and is being directed to the inside interface.
outbound
Authenticate or authorize outbound connections. Outbound means the connection originates on the inside and is being directed to the outside interface.
if_name
Interface name from which users require authentication. Use if_name in combination with the local_ip address and the foreign_ip address to determine where access is sought and from whom. The local_ip address is always on the highest security level interface and foreign_ip is always on the lowest. See the Examples section for how the if_name affects the use of this command.
local_ip
The IP address of the host or network of hosts that you want to be authenticated or authorized. You can set this address to 0 to mean all hosts and to let the authentication server decide which hosts are authenticated.
local_mask
Network mask of local_ip. Always specify a specific mask value. Use 0 if the IP address is 0. Use 255.255.255.255 for a host.
foreign_ip
The IP address of the hosts you want to access the local_ip address. Use 0 to mean all hosts.
foreign_mask
Network mask of foreign_ip. Always specify a specific mask value. Use 0 if the IP address is 0. Use 255.255.255.255 for a host.
console
Specify that access to the PIX Firewall console require authentication and optionally, log configuration changes to a syslog server.
The aaa authentication serial console command lets you require authentication verification to access the PIX Firewall unit's serial console. The serial console options also logs to a syslog server changes made to the configuration from the serial console.
Authenticated access to the PIX Firewall console has different types of prompts depending on the option you choose with the aaa authentication [serial | enable | telnet | ssh] console command. While the enable and ssh options allow three tries before stopping with an access denied message, both the serial and telnet options cause the user to be prompted continually until successfully logging in. The serial option requests a username and password before the first command line prompt on the serial console connection. The telnet option forces you to specify a username and password before the first command line prompt of a Telnet console connection. The enable option requests a username and password before accessing privileged mode for serial, Telnet, or SSH connections. The ssh option requests a username and password before the first command line prompt on the SSH console connection. The ssh option allows a maximum of three authentication attempts.
Telnet access to the PIX Firewall console is available from any internal interface, and from the outside interface with IPSec configured, and requires previous use of the telnet command. SSH access to the PIX Firewall console is also available from any interface without IPSec configured, and requires previous use of the ssh command.
The new ssh option specifies the group of AAA servers to be used for SSH user authentication. The authentication protocol and AAA server IP addresses are defined with the aaa-server command statement.
Similar to the Telnet model, if an aaa authentication ssh console group_tag command statement is not defined, you can gain access to the PIX Firewall console with the username pix and with the PIX Firewall Telnet password (set with the passwd command). If the aaa command is defined but the SSH authentication requests a timeout, which implies the AAA servers may be down or not available, you can gain access to the PIX Firewall using username pix and the enable password (set with the enable password command). By default, the Telnet password is cisco and the enable password is not set.
If the console login request times out, you can gain access to the PIX Firewall from the serial console by entering the pix username and the enable password.
The maximum password length for accessing the console is 16 characters.
group_tag
The group tag set with the aaa-server command.
Usage Guidelines
The aaa command enables or disables the following AAA (Authentication, Authorization, and Accounting) features:
•
•
•
•
Note
Note
Note
match acl_name Option Usage
The syntax for this command is as follows:
aaa authentication | authorization | accounting match acl_name inbound | outbound | interface_name group_tag
An example is as follows:
show access-listaccess-list mylist permit tcp 10.0.0.0 255.255.255.0 172.23.2.0 255.255.255.0 (hitcnt=0) access-list yourlist permit tcp any any (hitcnt=0)show aaaaaa authentication match mylist outbound TACACS+Similar to IPSec, the keyword permit means "yes" and deny means "no." Therefore, the following command:
aaa authentication match yourlist outbound tacacsis equal to this command:
aaa authentication include any outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 tacacsThe aaa command statement list is order dependent between access_list command statements. If the following command is entered:
aaa authentication match yourlist outbound tacacsafter this command:
aaa authentication match mylist outbound TACACS+PIX Firewall tries to find a match in the mylist access-list command statement group before it tries to find a match in the yourlist access-list command statement group.
Old aaa command configuration and functionality stays the same and is not converted to the access_list format. Hybrid configurations; that is, old configurations combined with the new access_list configuration are not recommended.
Usage Notes
1.
2.
3.
4.
5.
a.
b.
authentication_user_name@remote_system_user_nameauthentication_password@remote_system_passwordIf you daisy-chain PIX Firewall units, Telnet authentication works in the same way as a single unit, but FTP and HTTP authentication have additional complexity for users because they have to enter each password and username with an additional at (@) character and password or username for each daisy-chained system. Users can exceed the 63-character password limit depending on how many units are daisy-chained and password length.
Some FTP graphical user interfaces (GUIs) do not display challenge values.
c.
6.
7.
8.
a.
b.
c.
9.
aaa authentication include any outbound 0 0 serveraaa authentication exclude outbound perim_net perim_mask server10.
Windows NT Microsoft IIS servers respond to the credentials and assume that a Windows NT user is trying to access privileged pages on the server. Unless the PIX Firewall username password combination is exactly the same as a valid Windows NT username and password combination on the Microsoft IIS server, the HTTP GET command is denied.
To solve this problem, PIX Firewall provides the virtual http command which redirects the browser's initial connection to another IP address, authenticates the user, then redirects the browser back to the URL which the user originally requested.
Once authenticated, a user never has to reauthenticate no matter how low the PIX Firewall uauth timeout is set. This is because the browser caches the "Authorization: Basic=Uuhjksdkfhk==" string in every subsequent connection to that particular site. This can only be cleared when the user exits all instances of Netscape Navigator or Internet Explorer and restarts. Flushing the cache is of no use.
As long as the user repeatedly browses the Internet, the browser resends the "Authorization: Basic=Uuhjksdkfhk==" string to transparently reauthenticate the user.
11.
To avoid interfering with these applications, do not enter blanket outgoing AAA command statements for all challenged ports such as using the any option. Be selective with which ports and addresses you use to challenge HTTP, and when to set user authentication timeouts to a higher timeout value. If interfered with, the multimedia programs may fail on the PC and may even crash the PC after establishing outgoing sessions from the inside.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
a.
b.
Previously, TACACS+ differentiated the two states above and provided two different timeout messages, while RADIUS did not differentiate the two states and provided one timeout message.
22.
service resetinbound command to reset the client that failed the authorization so that it will not retransmit any connections. An example authorization timeout message in Telnet follows:Unable to connect to remote host: Connection timed outSee also: aaa-server, auth-prompt, service, ssh, telnet, virtual.
Examples
1.
aaa authentication include any outbound 172.31.0.0 255.255.0.0 0.0.0.0 0.0.0.0 tacacs+aaa authentication exclude telnet outbound 172.31.38.0 255.255.255.0 0.0.0.0 0.0.0.0 tacacs+2.
This example enables authentication for connections originated from the inside network to the outside network:
aaa authentication include any outbound 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224 tacacs+This example enables authentication for connections originated from the inside network to the perimeter network:
aaa authentication include any outbound 192.168.1.0 255.255.255.0 209.165.202.128 255.255.255.224 tacacs+This example enables authentication for connections originated from the outside network to the inside network:
aaa authentication include any inbound 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224 tacacs+This example enables authentication for connections originated from the outside network to the perimeter network:
aaa authentication include any inbound 209.165.201.0 255.255.255.224 209.165.202.128 255.255.255.224 tacacs+This example enables authentication for connections originated from the perimeter network to the outside network:
aaa authentication include any perimeter 209.165.202.128 255.255.255.224 209.165.201.0 255.255.255.224 tacacs+3.
nat (inside) 1 10.0.0.0 255.255.255.0aaa authentication include any outbound 0 0 tacacs+aaa authentication exclude outbound 10.0.0.42 255.255.255.255 tacacs+ any4.
aaa-server AuthIn protocol tacacs+aaa-server AuthIn (inside) host 10.16.1.20 thisisakey timeout 20static (inside,outside) 209.165.201.0 10.16.1.0 netmask 255.255.255.224access-list acl_out permit tcp 10.16.1.0 255.255.255.0 209.165.201.0 255.255.255.224access-group acl_out in interface outsideaaa authentication include any inbound 0 0 AuthIn5.
aaa authorization include udp/53 inbound 0.0.0.0 0.0.0.06.
aaa authorization include 1/0 outbound 0.0.0.0 0.0.0.0This means that users will not be able to ping external hosts if they have not been authenticated using Telnet, HTTP, or FTP.
7.
aaa authorization include 1/8 outbound 0.0.0.0 0.0.0.0aaa-server
Specify an AAA server. (Configuration mode.)
aaa-server group_tag (if_name) host server_ip key timeout seconds
no aaa-server group_tag (if_name) host server_ip key timeout seconds
aaa-server group_tag protocol auth_protocol
clear aaa-server [group_tag]
show aaa-server
Syntax Description
Usage Guidelines
The aaa-server command lets you specify an AAA server group. PIX Firewall lets you define separate groups of TACACS+ or RADIUS servers for specifying different types of traffic; such as, a TACACS+ server for inbound traffic and another for outbound traffic. Another use is where all outbound HTTP traffic will be authenticated by a TACACS+ server, and all inbound traffic will use RADIUS.
AAA server group are defined by a tag name that directs different types of traffic to each authentication server. If the first authentication server in the list fails, the AAA subsystem fails over to the next server in the tag group. You can have up to 14 tag groups and each group can have up to 14 AAA servers for a total of up to 196 AAA servers.
The aaa command references the tag group.
Note
If accounting is in effect, the accounting information goes only to the active server.
The default configuration provides these two aaa-server protocols:
aaa-server TACACS+ protocol tacacs+aaa-server RADIUS protocol radius
Note
Examples
1.
aaa-server TACACS+ (inside) host 10.1.1.10 thekey timeout 20aaa authentication include any outbound 0 0 0 0 TACACS+aaa authorization include any outbound 0 0 0 0aaa accounting include any outbound 0 0 0 0 TACACS+aaa authentication serial console TACACS+This example specifies that the authentication server with the IP address 10.1.1.10 resides on the inside interface and is in the default TACACS+ server group. The next three command statements specify that any users starting outbound connections to any foreign host will be authenticated using TACACS+, that the users who are successfully authenticated are authorized to use any service, and that all outbound connection information will be logged in the accounting database. The last command statement specifies that access to the PIX Firewall unit's serial console requires authentication from the TACACS+ server.
2.
aaa-server AuthIn protocol radiusaaa-server AuthIn (inside) host 10.0.1.40 ab timeout 20aaa-server AuthIn (inside) host 10.0.1.41 abc timeout 4aaa-server AuthOut protocol radiusaaa-server AuthOut (inside) host 10.1.1.2 abc123 timeout 15aaa authentication include any inbound 0 0 0 0 AuthInaaa authentication include any outbound 0 0 0 0 AuthOut3.
ip address inside 10.0.0.1 255.255.255.0ip address outside 168.20.1.5 255.255.255.0ip local pool dealer 10.1.2.1-10.1.2.254nat (inside) 0 access-list 80aaa-server TACACS+ host 10.0.0.2 secret123crypto ipsec transform-set pc esp-des esp-md5-hmaccrypto dynamic-map cisco 4 set transform-set pccrypto map partner-map 20 ipsec-isakmp dynamic ciscocrypto map partner-map client configuration address initiatecrypto map partner-map client authentication TACACS+crypto map partner-map interface outsideisakmp key cisco1234 address 0.0.0.0 netmask 0.0.0.0isakmp client configuration address-pool local dealer outsideisakmp policy 8 authentication pre-shareisakmp policy 8 encryption desisakmp policy 8 hash md5isakmp policy 8 group 1isakmp policy 8 lifetime 86400The aaa-server command is used with the crypto map command to establish an authentication association so that VPN Clients are authenticated when they access the PIX Firewall.
Refer to the IPSec User Guide for the Cisco Secure PIX Firewall Version 5.2 for a description of the crypto and isakmp commands.
access-group
Binds the access list to an interface. (Configuration mode.)
access-group acl_ID in interface interface_name
clear access-group
no access-group acl_ID in interface interface_name
show access-group acl_ID in interface interface_name
Syntax Description
acl_ID
The name associated with a given access list.
in interface
Filter on inbound packets at the given interface.
interface_name
The name of the network interface.
Usage Guidelines
The access-group command binds an access list to an interface. The access list is applied to traffic inbound to an interface. If you enter the permit option in an access-list command statement, the PIX Firewall continues to process the packet. If you enter the deny option in an access-list command statement, PIX Firewall discards the packet and generates the following syslog message:
%PIX-4-106019: IP packet from source_addr to destination_addr, protocol protocol received from interface interface_name deny by access-group acl_IDAlways use the access-list command with the access-group command.
Note
The no access-group command unbinds the acl_ID from the interface interface_name.
The show access-group command displays the current access list bound to the interfaces.
The clear access-group command removes all entries from an access list indexed by acl_ID. If acl_ID is not specified, all access-list command statements are removed from the configuration.
Examples
The following example shows use of the access-group command:
static (inside,outside) 209.165.201.3 10.1.1.3access-list acl_out permit tcp any host 209.165.201.3 eq 80access-group acl_out in interface outsideThe static command statement provides a global address of 209.165.201.3 for the web server at 10.1.1.3. The access-list command statement lets any host access the global address using port 80. The access-group command specifies that the access-list command statement applies to traffic entering the outside interface.
access-list
Create an access list. (Configuration mode.)
access-list acl_ID [deny | permit] protocol {source_addr | local_addr} {source_mask | local_mask} operator port {destination_addr | remote_addr} {destination_mask | remote_mask} operator port
access-list acl_ID [deny | permit] icmp {source_addr | local_addr} {source_mask | local_mask} operator port {destination_addr | remote_addr} {destination_mask | remote_mask} operator port icmp_type
no access-list acl_ID [[deny | permit] protocol {source_addr | local_addr} {source_mask | local_mask} operator port {destination_addr | remote_addr} {destination_mask | remote_mask} operator port]
Caution
clear access-list [acl_ID [deny | permit] icmp {source_addr | local_addr} {source_mask | local_mask} operator port {destination_addr | remote_addr} {destination_mask | remote_mask} operator port icmp_type]
show access-list
Syntax Description
acl_ID
Name of an access list. You can use either a name or number.
deny
When used with the access-group command, the deny option does not allow a packet to traverse the PIX Firewall. By default, PIX Firewall denies all inbound or outbound packets unless you specifically permit access.
When used with a crypto map command statement, deny does not select a packet for IPSec protection. The deny option prevents traffic from being protected by IPSec in the context of that particular crypto map entry. In other words, it does not allow the policy as specified in the crypto map command statements to be applied to this traffic.
permit
When used with the access-group command, the permit option selects a packet to traverse the PIX Firewall. By default, PIX Firewall denies all inbound or outbound packets unless you specifically permit access.
When used with a crypto map command statement, permit selects a packet for IPSec protection. The permit option causes all IP traffic that matches the specified conditions to be protected by IPSec using the policy described by the corresponding crypto map command statements.
protocol
Name or number of an IP protocol. It can be one of the keywords icmp, ip, tcp, or udp, or an integer in the range 1 to 254 representing an IP protocol number. To match any Internet protocol, including ICMP, TCP, and UDP, use the keyword ip.
source_addr
Address of the network or host from which the packet is being sent. Use this field when an access-list command statement is used in conjunction with an access-group command statement, or with the aaa match access-list command and the aaa authorization command.
source_mask
Netmask bits (mask) to be applied to source_addr, if the source address is for a network mask.
local_addr
Address of the network or host local to the PIX Firewall. Specify a local_addr when the access-list command statement is used in conjunction with a crypto access-list command statement, a nat 0 access-list command statement, or a vpngroup split-tunnel command statement. The local_addr is the address after NAT has been performed.
local_mask
Netmask bits (mask) to be applied to local_addr, if the local address is a network mask.
destination_addr
IP address of the network or host to which the packet is being sent. Specify a destination_addr when the access-list command statement is used in conjunction with an access-group command statement, or with the aaa match access-list command and the aaa authorization command. For inbound connections, destination_addr is the address after NAT has been performed. For outbound connections, destination_addr is the address before NAT has been performed.
destination_mask
Netmask bits (mask) to be applied to destination_addr, if the destination address is a network mask.
remote_addr
IP address of the network or host remote to the PIX Firewall. specify a remote_addr when the access-list command statement is used in conjunction with a crypto access-list command statement, a nat 0 access-list command statement, or a vpngroup split-tunnel command statement.
remote_mask
Netmask bits (mask) to be applied to remote_addr, if the remote address is a network mask
operator
A comparison operand that lets you specify a port or a port range. Use without an operator and port to indicate all ports; for example:
access-list acl_out permit tcp any host 209.165.201.1Use eq and a port to permit or deny access to just that port. For example, use eq ftp to permit or deny access only to FTP:
access-list acl_out deny tcp any host 209.165.201.1 eq ftpUse lt and a port to permit or deny access to all ports less than the port you specify. For example, use lt 2025 to permit or deny access to the well known ports (1 to 1024):
access-list acl_dmz1 permit tcp any host 192.168.1.1 lt 1025Use gt and a port to permit or deny access to all ports greater than the port you specify. For example, use gt 42 to permit or deny ports 43 to 65535:
access-list acl_dmz1 deny udp any host 192.168.1.2 gt 42Use neq and a port to permit or deny access to every port except the ports that you specify. For example, use neq 10 to permit or deny ports 1-9 and 11 to 65535:
access-list acl_dmz1 deny tcp any host 192.168.1.3 neq 10operator (continued)
Use range and a port range to permit or deny access to only those ports named in the range. For example, use range 10 1024 to permit or deny access only to ports 10 through 1024. All other ports are unaffected. The use of port ranges can dramatically increase the number of IPSec tunnels. For example, if a port range of 5000 to 65535 is specified for a highly dynamic protocol, up to 60,535 tunnels can be created.
access-list acl_dmz1 deny tcp any host 192.168.1.4 range ftp telnet
port
Services you permit or deny access to. Specify services by the port that handles it, such as smtp for port 25, www for port 80, and so on. You can specify ports by either a literal name or a number in the range of 0 to 65535.
You can view valid port numbers online at the following site:
http://www.isi.edu/in-notes/iana/assignments/port-numbers
See "Ports" in "Introduction," for a list of valid port literal names in port ranges; for example, ftp h323. You can also specify numbers.
icmp_type
[Non-IPSec use only]—Permit or deny access to ICMP message types. Refer to Table 5-1 for a list of message types. Omit this option to mean all ICMP types.
ICMP message types are not supported for use with IPSec; that is when the access-list command is used in conjunction with the crypto map command, the icmp_type is ignored.
Usage Guidelines
The access-list command lets you specify if an IP address is permitted or denied access to a port or protocol. In this document, one or more access-list command statements with the same access list name are referred to as an "access list." Access lists associated with IPSec are known as "crypto access lists." By default, all access in an access list is denied. You must explicitly permit it.
Use the following guidelines for specifying a source, local, or destination address:
•
•
•
Use the following guidelines for specifying a network mask:
•
access-list acl_grp permit tcp any host 192.168.1.1•
•
access-list acl_grp permit tcp any 209.165.201.0 255.255.255.224If appropriate, after you have defined an access list, bind it to an interface using the access-group command. For IPSec use, bind it with a crypto map command statement. In addition, you can bind an access list with the RADIUS authorization feature (described in the next section). Refer to the IPSec User Guide for the Cisco Secure PIX Firewall Version 5.2 for a description of the crypto command.
The show access-list command lists the access-list command statements in the configuration. The show access-list command also lists a hit count that indicates the number of times an element has been matched during an access-list command search. The clear access-list command removes all access-list command statements from the configuration.
The no access-list command removes an access-list command from the configuration. If you remove all the access-list command statements in an access list group, the no access-list command also removes the corresponding access-group command from the configuration.
Note
RADIUS Authorization Feature
PIX Firewall allows a RADIUS server to send user group attributes to the PIX Firewall in the RADIUS authentication response message.
The administrator first defines access lists on the PIX Firewall for each user group. For example, there could be access lists for each department in an organization, sales, marketing, engineering, and so on. The administrator then defines each access list in the group profile in CiscoSecure.
After the PIX Firewall authenticates a user, it can then use the CiscoSecure acl attribute returned by the authentication server to identify an access list for a given user group. To maintain consistency, PIX Firewall also provides the same functionality for TACACS+.
To restrict users in a department to three servers and deny everything else, the access-list command statements are as follows:
access-list eng permit ip any server1 255.255.255.255access-list eng permit ip any server2 255.255.255.255access-list eng permit ip any server3 255.255.255.255access-list eng deny ip any anyIn this example, the vendor specific attribute string in the CiscoSecure configuration has been set to acl=eng. Use this field in the CiscoSecure configuration to identify the access-list identification name. The PIX Firewall gets the acl=acl_ID from CiscoSecure and extracts the ACL number from the attribute string, which it puts in a user's uauth entry. When a user tries to open a connection, PIX Firewall checks the access list in the user's uauth entry, and depending on the permit or deny status of the access list match, permits or denies the connection. When a connection is denied, PIX Firewall generates a corresponding syslog message. If there is no match, then the implicit rule is to deny.
Because the source IP of a given user can vary depending on where they are logging in from, set the source address in the access-list command statement to any, and the destination address to identify which network services the user is permitted or denied access to. If you want to specify that only users logging in from a given subnet may use the specified services, specify the subnet instead of using any.
Note
There is not a radius option to the aaa authorization command.
Follow these steps to enable RADIUS authorization:
Step 1
Step 2
Step 3
When the PIX Firewall sends a request to the authentication server, it returns the acl=acl_ID string, which tells PIX Firewall to use the access-list command statements to determine how RADIUS users are authorized.
Usage Notes
1.
2.
3.
4.
5.
6.
7.
8.
%PIX-4-106019: IP packet from source_addr to destination_addr, protocol protocol received from interface interface_name deny by access-group acl_ID9.
10.
11.
ICMP Message Types
[Non-IPSec use only]—If you prefer more selective ICMP access, you can specify a single ICMP message type as the last option in this command. Table 5-1 lists possible ICMP types values.
If you specify an ICMP message type for use with IPSec, PIX Firewall ignores it. For example:
access-list 10 permit icmp any any echo-replyAnd IPSec is enabled such that a crypto map command references the acl_name for this access-list command, then the echo-reply ICMP message type is ignored.
Using the access-list Command with IPSec
If an access list is bound to an interface with the access-group command, the access list selects which traffic can traverse the PIX Firewall. When bound to a crypto map command statement, the access list selects which IP traffic IPSec protects and which traffic IPSec does not protect. For example, access lists can be created to protect all IP traffic between Subnet X and Subnet Y or traffic between Host A and Host B. Refer to the IPSec User Guide for the Cisco Secure PIX Firewall Version 5.2 for a description of the crypto command.
The access lists themselves are not specific to IPSec. It is the crypto map command statement referencing the specific access list that defines whether IPSec processing is applied to the traffic matching a permit in the access list.
Crypto access lists associated with the IPSec crypto map command statement have these primary functions:
•
•
•
•
You can associate a crypto access list with an interface by defining the corresponding crypto map command statement and applying the crypto map set to an interface. Different access lists must be used in different entries of the same crypto map set. However, both inbound and outbound traffic will be evaluated against the same "outbound" IPSec access list. Therefore, the access list's criteria are applied in the forward direction to traffic exiting your PIX Firewall and the reverse direction to traffic entering your PIX Firewall.
If you want certain traffic to receive one combination of IPSec protection (for example, authentication only) and other traffic to receive a different combination of IPSec protection (for example, both authentication and encryption), you need to create two different crypto access lists to define the two different types of traffic. These different access lists are then used in different crypto map entries that specify different IPSec policies.
Cisco recommends that you configure "mirror image" crypto access lists for use by IPSec and that you avoid using the any keyword. See the IPSec User Guide for the Cisco Secure PIX Firewall Version 5.2 for more information.
If you configure multiple statements for a given crypto access list, in general, the first permit statement matched, will be the statement used to determine the scope of the IPSec security association. That is, the IPSec security association will be set up to protect traffic that meets the criteria of the matched statement only. Later, if traffic matches a different permit statement of the crypto access list, a new, separate IPSec security association will be negotiated to protect traffic matching the newly matched access list statement.
Some services such as FTP require two access-list command statements, one for port 10 and another for port 21, to properly encrypt FTP traffic.
Examples
The following example creates a numbered access list that specifies a Class C subnet for the source and a Class C subnet for the destination of IP packets. Because the access-list command is referenced in the crypto map command statement, PIX Firewall encrypts all IP traffic that is exchanged between the source and destination subnets.
access-list 101 permit ip 172.21.3.0 255.255.0.0 172.22.2.0 255.255.0.0access-group 101 in interface outsidecrypto map mymap 10 match address 101[other crypto map commands]The next example only lets an ICMP message type of echo-reply be permitted into the outside interface:
access-list acl_out permit icmp any any echo-replyaccess-group acl_out interface outsidealias
Administer overlapping addresses with dual NAT. (Configuration mode.)
alias [(if_name)] dnat_ip foreign_ip [netmask]
no alias [[(if_name)] dnat_ip foreign_ip [netmask]]
show alias
clear alias
Syntax Description
Usage Guidelines
The alias command translates one address into another. Use this command to prevent conflicts when you have IP addresses on a network that are the same as those on the Internet or another intranet. You can also use this command to do address translation on a destination address. For example, if a host sends a packet to 209.165.201.1, you can use the alias command to redirect traffic to another address, such as, 209.165.201.30.
Note
Note
After changing or removing an alias command statement, use the clear xlate command.
There must be an A (address) record in the DNS zone file for the "dnat" address in the alias command.
The alias command has two uses which can be summarized in the following ways of reading an alias command statement:
•
•
The no alias command disables a previously set alias command statement. The show alias command displays alias command statements in the configuration. The clear alias command removed all alias commands from the configuration.
The alias command automatically interacts with DNS servers on your network to ensure that domain name access to the aliased IP address is handled transparently.
You can specify a net alias by using network addresses for the foreign_ip and dnat_ip IP addresses. For example, alias 192.168.201.0 209.165.201.0 255.255.255.224 creates aliases for each IP address between 209.165.201.1 and 209.165.201.30.
Note
Usage Notes
To access an alias dnat_ip address with static and access-list command statements, specify the dnat_ip address in the access-list command statement as the address from which traffic is permitted from. The following example illustrates this note:
alias (inside) 192.168.201.1 209.165.201.1 255.255.255.255static (inside,outside) 209.165.201.1 192.168.201.1 netmask 255.255.255.255access-list acl_out permit tcp host 192.168.201.1 host 209.165.201.1 eq ftp-dataaccess-group acl_out in interface outsideAn alias is specified with the inside address 192.168.201.1 mapping to the foreign address 209.165.201.1.
Examples
1.
alias (inside) 192.168.201.0 209.165.201.0 255.255.255.224show aliasalias 192.168.201.0 205.165.201.0 255.255.255.224When the inside network client 209.165.201.2 connects to example.com, the DNS response from an external DNS server to the internal client's query would be altered by the PIX Firewall to be 192.168.201.29. If the PIX Firewall uses 209.165.200.225 through 209.165.200.254 as the global pool IP addresses, the packet goes to the PIX Firewall with SRC=209.165.201.2 and DST=209.165.201.29. The PIX Firewall translates the address to SRC=209.165.200.254 and DST=209.165.201.29 on the outside.
2.
The period at the end of the www.example.com. domain name must be included.
The alias command follows:
alias 10.1.1.11 209.165.201.11 255.255.255.255PIX Firewall doctors the nameserver replies to 10.1.1.11 for inside clients to directly connect to the web server.
The static command statement is as follows:
static (inside,outside) 209.165.201.11 10.1.1.11You can test the DNS entry for the host with the following UNIX nslookup command:
nslookup -type=any www.example.comarp
Change or view the ARP cache, and set the timeout value. (Configuration mode.)
arp if_name ip_address mac_address [alias]
clear arp
no arp if_name ip_address
show arp [if_name] [ip_address mac_address alias]
arp timeout seconds
no arp timeout
show arp timeout
Syntax Description
Usage Guidelines
The arp command adds an entry to the PIX Firewall ARP cache. ARP is a low-level TCP/IP protocol that resolves a node's physical address from its IP address through an ARP request asking the node with a particular IP address to send back its physical address. The presence of entries in the ARP cache indicates that the PIX Firewall has network connectivity. The clear arp command clears the ARP table but not the alias (permanent) entries. Use the no arp command to remove these entries. The show arp command lists the entries in the ARP table.
Note
Use the arp command to add an entry for new hosts you add on your network or when you swap an existing host for another. Alternatively, you can wait for the duration specified with the arp timeout command to expire and the ARP table rebuilds itself automatically with the new host information.
The arp timeout command sets the duration that an ARP entry can stay in the PIX Firewall ARP table before expiring. The timer is known as the ARP persistence timer. The default value is
14,400 seconds (4 hours).The no arp timeout command sets the timer to its default value. The show arp timeout command displays its current value.
Examples
The following examples illustrate use of the arp and arp timeout commands:
arp inside 192.168.0.42 00e0.1e4e.2a7carp outside 192.168.0.43 00e0.1e4e.3d8b aliasshow arpoutside 192.168.0.43 00e0.1e4e.3d8b aliasinside 192.168.0.42 00e0.1e4e.2a7cclear arp inside 192.168.0.42arp timeout 42show arp timeoutarp timeout 42 secondsno arp timeoutshow arp timeoutarp timeout 14400 secondsauth-prompt
Change the AAA challenge text. (Configuration mode.)
auth-prompt [accept | reject | prompt] string
no auth-prompt [accept | reject | prompt] string
clear auth-prompt
show auth-prompt
Syntax Description
Usage Guidelines
The auth-prompt command lets you change the AAA challenge text for HTTP, FTP, and Telnet access. This text displays above the username and password prompts that users view when logging in. If you do not use this command, FTP users view FTP authentication, HTTP users view HTTP Authentication, and challenge text does not appear for Telnet access.
If the user authentication occurs from Telnet, you can use the accept and reject options to display different authentication prompts if the authentication attempt is accepted or rejected by the authentication server.
Note
Examples
The following example shows how to set the authentication prompt and how users view the prompt:
auth-prompt XYZ Company Firewall AccessAfter this string is added to the configuration, users view:
XYZ Company Firewall AccessUser Name:Password:The prompt keyword can be included or omitted. For example:
auth-prompt prompt Hello There!This command statement is the same as the following:
auth-prompt Hello There!clear Commands
Remove commands from the configuration or reset command values (All modes.)
Table 5-2, Table 5-3, and Table 5-4 list each mode in which the clear commands first appear. Each clear command listed in one mode can be also accessed in each subsequent more secure mode going from unprivileged to configuration mode, but not from less secure modes.
Note
Table 5-2 Unprivileged Mode Clear Commands
clear pager
Resets the number of displayed lines to 24.
clock
Set the PIX Firewall clock for use with the PIX Firewall Syslog Server and the Public Key Infrastructure (PKI) protocol. (Configuration mode.)
clock
clock set hh:mm:ss month day year
clock set hh:mm:ss day month year
show clock
Syntax Description
Usage Guidelines
The clock command lets you specify the current time, month, day, and year for use time stamped syslog messages, which you can enable with the logging timestamp command. You can view the current time with the clock or the show clock command.
Note
You can interchange the settings for the day and the month; for example, clock set 21:0:0 1 apr 2000.
A time prior to January 1, 1998 or after December 31, 2097 will not be accepted (the maximum date that the clock command can work to).
While the PIX Firewall clock is year 2000 compliant, it does not adjust itself for daylight savings time changes; however, it does know about leap years.
The PIX Firewall clock setting is retained in memory when the power is off by a battery on the PIX Firewall unit's motherboard. Should this battery fail, contact Cisco's customer support for a replacement PIX Firewall unit.
Cisco's PKI (Public Key Infrastructure) protocol uses the clock to make sure that a Certificate Revocation List (CRL) is not expired. Otherwise, the CA may reject or allow certificates based on an incorrect timestamp. Refer to the IPSec User Guide for the Cisco Secure PIX Firewall Version 5.2 for a description of IPSec concepts.
Examples
To enable PFSS time-stamp logging for the first time, use these commands:
clock set 21:0:0 apr 1 2000show clock21:00:05 Apr 01 2000logging host 209.165.201.3logging timestamplogging trap 5In this example, the clock command sets the clock to 9 pm on April 1, 2000. The logging host command specifies that a syslog server is at IP address 209.165.201.3. The PIX Firewall automatically determines that the server is a PFSS and sends syslog messages to it via TCP and UDP. The logging timestamp command enables sending time stamped syslog messages. The logging trap 5 command in this example specifies that messages at syslog level 0 through 5 be sent to the syslog server. The value 5 is used to capture severe and normal messages, but also those of the aaa authentication enable command.
conduit
Add, delete, or show conduits through the PIX Firewall for incoming connections. (Configuration mode.)
conduit permit | deny protocol global_ip global_mask [operator port [port]] foreign_ip foreign_mask [operator port [port]]
no conduit permit | deny protocol global_ip global_mask [operator port [port]] foreign_ip foreign_mask [operator port [port]]
conduit permit | deny icmp global_ip global_mask foreign_ip foreign_mask [icmp_type]
clear conduit
show conduit
Syntax Description
permit
Permit access if the conditions are matched.
deny
Deny access if the conditions are matched.
protocol
Specify the transport protocol for the connection. Possible literal values are icmp, tcp, udp, or an integer in the range 0 through 255 representing an IP protocol number. Use ip to specify all transport protocols. You can view valid protocol numbers online at the following site:
http://www.isi.edu/in-notes/iana/assignments/protocol-numbers
If you specify the icmp protocol, you can permit or deny ICMP access to one or more global IP addresses. Specify the ICMP type in the icmp_type variable, or omit to specify all ICMP types. See the Usage Guidelines for a complete list of the ICMP types.
global_ip
A global IP address previously defined by a global or static command. You can use any if the global_ip and global_mask are 0.0.0.0 0.0.0.0. The any option applies the permit or deny parameters to the global addresses.
If global_ip is a host, you can omit global_mask by specifying the host command before global_ip. For example:
conduit permit tcp host 209.165.201.1 eq ftp anyThis example lets any foreign host access global address 209.165.201.1 for FTP.
global_mask
Network mask of global_ip. The global_mask is a 32-bit, four-part dotted decimal; such as, 255.255.255.255. Use zeros in a part to indicate bit positions to be ignored. Use subnetting if required. If you use 0 for global_ip, use 0 for the global_mask; otherwise, enter the global_mask appropriate to global_ip.
foreign_ip
An external IP address (host or network) that can access the global_ip. You can specify 0.0.0.0 or 0 for any host. If both the foreign_ip and foreign_mask are 0.0.0.0 0.0.0.0, you can use the shorthand any option.
If foreign_ip is a host, you can omit foreign_mask by specifying the host command before foreign_ip. For example:
conduit permit tcp any eq ftp host 209.165.201.2This example lets foreign host 209.165.201.2 access any global address for FTP.
foreign_mask
Network mask of foreign_ip. The foreign_mask is a 32-bit, four-part dotted decimal; such as, 255.255.255.255. Use zeros in a part to indicate bit positions to be ignored. Use subnetting if required. If you use 0 for foreign_ip, use 0 for the foreign_mask; otherwise, enter the foreign_mask appropriate to foreign_ip. You can also specify a mask for subnetting, for example, 255.255.255.192.
operator
A comparison operand that lets you specify a port or a port range.
Use without an operator and port to indicate all ports; for example:
conduit permit tcp any anyUse eq and a port to permit or deny access to just that port. For example use eq ftp to permit or deny access only to FTP:
conduit deny tcp host 192.168.1.1 eq ftp 209.165.201.1Use lt and a port to permit or deny access to all ports less than the port you specify. For example, use lt 2025 to permit or deny access to the well known ports (1 to 1024):
conduit permit tcp host 192.168.1.1 lt 1025 anyUse gt and a port to permit or deny access to all ports greater than the port you specify.
For example, use gt 42 to permit or deny ports 43 to 65535:conduit deny udp host 192.168.1.1 gt 42 host 209.165.201.2Use neq and a port to permit or deny access to every port except the ports that you specify.
For example, use neq 10 to permit or deny ports 1-9 and 11 to 65535:conduit deny tcp host 192.168.1.1 neq 10 host 209.165.201.2 neq 42Use range and a port range to permit or deny access to only those ports named in the range.
For example, use range 10 1024 to permit or deny access only to ports 10 through 1024. All other ports are unaffected.conduit deny tcp any range ftp telnet anyBy default, all ports are denied until explicitly permitted.
port
Service(s) you permit to be used while accessing global_ip or foreign_ip. Specify services by the port that handles it, such as smtp for port 25, www for port 80, and so on. You can specify ports by either a literal name or a number in the range of 0 to 65535. You can specify all ports by not specifying a port value; for example:
conduit deny tcp any anyThis command is the default condition for the conduit command in that all ports are denied until explicitly permitted.
You can view valid port numbers online at the following site:
http://www.isi.edu/in-notes/iana/assignments/port-numbers
See "Ports" in "Introduction," for a list of valid port literal names in port ranges; for example, ftp h323. You can also specify numbers.
icmp_type
The type of ICMP message. Table 5-5 lists the ICMP type literals that you can use in this command. Omit this option to mean all ICMP types. An example of this command that permits all ICMP types is conduit permit icmp any any. This command lets ICMP pass inbound and outbound.
Usage Guidelines
A conduit command statement creates an exception to the PIX Firewall Adaptive Security mechanism by permitting connections from one firewall network interface to access hosts on another.
The clear conduit command removes all conduit command statements from your configuration.
The conduit command can permit or deny access to either the global or static commands; however, neither is required for the conduit command. You can associate a conduit command statement with a global or static command statement through the global address, either specifically to a single global address, a range of global addresses, or to all global addresses.
Note
When used with a static command statement, a conduit command statement permits users on a lower security interface to access a higher security interface. When not used with a static command statement, a conduit command statement permits both inbound and outbound access.
Converting conduit Commands to access-list Commands
Follow these steps to convert conduit command statements to access-list commands:
Step 1
static (high_interface,low_interface) global_ip local_ip netmask mask
For example:
static (inside,outside) 209.165.201.5 192.168.1.5 netmask 255.255.255.255This command maps the global IP address 209.165.201.5 on the outside interface to the web server 192.168.1.5 on the inside interface. The 255.255.255.255 is used for host addresses.
Step 2
conduit action protocol global_ip global_mask global_operator global_port [global_port] foreign_ip foreign_mask foreign_operator foreign_port [foreign_port]
For example:
conduit permit tcp host 209.165.201.5 eq www anyThis command permits TCP for the global IP address 209.165.201.5 that was specified in the static command statement and permits access over port 80 (www). The "any" option lets any host on the outside interface access the global IP address.
The static command identifies the interface that the conduit command restricts access to.
Step 3
Normally the access-list command format is as follows:
access-list acl_name [deny | permit] protocol src_addr src_mask operator port dest_addr dest_mask operator port
However, using the syntax from the conduit command in the access-list command, you can see how the foreign_ip in the conduit command is the same as the src_addr in the access-list command and how the global_ip option in the conduit command is the same as the dest_addr in the access-list command. The access-list command syntax overlaid with the conduit command options is as follows:
access-list acl_name action protocol foreign_ip foreign_mask foreign_operator foreign_port [foreign_port] global_ip global_mask global_operator global_port [global_port]
For example:
access-list acl_out permit tcp any host 209.165.201.5 eq wwwThis command identifies the access-list command statement group with the "acl_out" identifier. You can use any name or number for your own identifier. (In this example the identifier, "acl" is from ACL, which means Access Control List and "out" is an abbreviation for the outside interface.) It makes your configuration clearer if you use an identifier name that indicates the interface to which you are associating the access-list command statements. The example access-list command, like the conduit command, permits TCP connections from any system on the outside interface. The access-list command is associated with the outside interface with the access-group command.
Step 4
access-group acl_name in interface low_interface
For example:
access-group acl_out in interface outsideThis command associates with the "acl_out" group of access-list command statements and states that the access-list command statement restricts access to the outside interface.
More on the conduit Command
If you associate a conduit command statement with a static command statement, only the interfaces specified on the static command statement have access to the conduit command statement. For example, if a static command statement lets users on the dmz interface access a server on the inside interface, only users on the dmz interface can access the server via the static command statement. Users on the outside do not have access.
Note
The permit and deny options for the conduit command are processed in the order listed in the PIX Firewall configuration. In the following example, host 209.165.202.129 is not denied access through the PIX Firewall because the permit option precedes the deny option:
conduit permit tcp host 209.165.201.4 eq 80 anyconduit deny tcp host 209.165.201.4 host 209.165.202.129 eq 80 any
Note
After changing or removing a conduit command statement, use the clear xlate command.
You can remove a conduit command statement with the no conduit command. Use the show conduit command to view the conduit command statements in the configuration and the number of times (hit count) an element has been matched during a conduit command search.
If you prefer more selective ICMP access, you can specify a single ICMP message type as the last option in this command. Table 5-5 lists possible ICMP types values.
Usage Notes
1.
2.
3.
4.
5.
The two conduit command statements for the PPTP transport protocol, which is a subset of the GRE protocol, are as shown in this example:
static (dmz2,outside) 209.165.201.5 192.168.1.5 netmask 255.255.255.255conduit permit tcp host 209.165.201.5 eq 1723 anyconduit permit gre host 209.165.201.5 anyIn this example, PPTP is being used to handle access to host 192.168.1.5 on the dmz2 interface from users on the outside. Outside users access the dmz2 host using global address 209.165.201.5. The first conduit command statement opens access for the PPTP protocol and gives access to any outside users. The second conduit command statement permits access to GRE. If PPTP was not involved and GRE was, you could omit the first conduit command statement.
6.
For MSRPC, two conduit command statements are required, one for port 135 and another for access to the high ports (1024-65535). For Sun RPC, a single conduit command statement is required for UDP port 111.
Once you create a conduit command statement for RPC, you can use the following command to test its activity from a UNIX host:
rpcinfo -u unix_host_ip_address 150001Replace unix_host_ip_address with the IP address of the UNIX host.
7.
static (inside, outside) 209.165.201.0 10.1.1.0 netmask 255.255.255.0conduit permit tcp 209.165.201.0 255.255.255.0 eq ftp anystatic (inside, outside) 203.31.17.3 10.1.1.3 netmask 255.255.255.0conduit permit udp host 209.165.201.3 eq h323 host 209.165.202.3In this case, the host at 209.165.202.3 has InternetPhone access in addition to its blanket FTP access.
Examples
1.
static (inside,outside) 209.165.201.1 192.168.1.49 netmask 255.255.255.255 0 0conduit permit tcp host 209.165.201.1 eq smtp host 209.165.201.2To disable Mail Guard, enter the following command:
no fixup protocol smtp 252.
static (inside,outside) 209.165.201.0 192.168.1.0 netmask 255.255.255.224 0 0conduit permit tcp 209.165.201.0 255.255.255.224 eq h323 anyconduit permit tcp 209.165.201.0 255.255.255.224 eq 113 any3.
static (perimeter,outside) 209.165.201.4 192.168.1.4 netmask 255.255.255.255 0 0conduit permit tcp host 209.165.201.4 eq 80 anyIn this example, the static command statement maps the perimeter host, 192.168.1.4. to the global address, 209.165.201.4. The conduit command statement specifies that the global host can be accessed on port 80 (web server) by any outside host.
configure
Clear or merge current configuration with that on floppy or Flash memory, start configuration mode, or view current configuration. (Privileged mode.)
Note
clear configure primary | secondary | all
configure net [[server_ip]:[filename]]
configure floppy
configure memory
configure terminal
show configure
Syntax Description
Usage Guidelines
The clear configure command resets a configuration to its default values. Use this command to create a template configuration or when you want to clear all values. The clear configure primary command resets the default values for the interface, ip, mtu, nameif, and route commands. This command also deletes interface names in the configuration.
The clear configure secondary command removes the aaa-server, alias, access-list, apply, conduit, global, outbound, static, telnet, and url-server command statements from the configuration. However, the clear configure secondary command does not remove tftp-server command statements.
Note
The configure net command merges the current running configuration with a TFTP configuration stored at the IP address you specify and from the file you name. If you specify both the IP address and path name in the tftp-server command, you can specify :filename as simply a colon ( : ). For example:
configure net :Use the write net command to store the configuration in the file.
If you have an existing PIX Firewall configuration on a TFTP server and store a shorter configuration with the same file name on the TFTP server, some TFTP servers will leave some of the original configuration after the first ":end" mark. This does not affect the PIX Firewall because the configure net command stops reading when it reaches the first ":end" mark. However, this may cause confusion if you view the configuration and see extra text at the end of the configuration. This does not occur if you are using Cisco TFTP Server version 1.1 for Windows NT.
Note
The configure floppy command merges the current running configuration with the configuration stored on diskette. This command assumes that the diskette was previously created by the write floppy command.
The configure memory command merges the configuration in Flash memory into the current configuration in RAM.
The configure terminal command starts configuration mode. Exit configuration mode with the quit command. After exiting configuration mode, use write memory to store your changes in Flash memory or write floppy to store the configuration on diskette. Use the write terminal command to display the current configuration.
The show configure command lists the contents of the configuration in Flash memory.
Each command statement from diskette (with configure floppy), Flash memory (with configure memory), or TFTP transfer (with configure net) is read into the current configuration and evaluated in the same way as commands entered from a keyboard with these rules:
•
•
•
Examples
The following example shows how to configure the PIX Firewall using a configuration retrieved with TFTP:
configure net 10.1.1.1:/tftp/config/pixconfigThe pixconfig file is stored on the TFTP server at 10.1.1.1 in the tftp/config folder.
The following example shows how to configure the PIX Firewall from a diskette:
configure floppyThe following example shows how to configure the PIX Firewall from the configuration stored in Flash memory:
configure memoryThe following example shows the commands you enter to access configuration mode, view the configuration, and save it in Flash memory.
Access privileged mode with the enable command and configuration mode with the configure terminal command. View the current configuration with the write terminal command and save your configuration to Flash memory using the write memory command.
pixfirewall> enablepassword:pixfirewall# configure terminalpixfirewall(config)# write terminal: Saved... config commands ...: Endwrite memorycopy tftp flash
Change software images without requiring access to the TFTP monitor mode. (Configuration mode.)
copy tftp[:[[//location][/pathname]]] flash
Syntax Description
Usage Guidelines
The copy tftp flash command lets you download a software image via TFTP. You can use the copy tftp flash command with any PIX Firewall model running version 5.1 or later.
The image you download is made available to the PIX Firewall on the next reload (reboot).
The command syntax is as follows:
copy tftp[:[[//location][/pathname]]] flash
If the command is used without the location or pathname optional parameters, then the location and filename are obtained from the user interactively via a series of questions similar to those presented by Cisco IOS software. If you only enter a colon (:), parameters are taken from the tftp-server command settings. If other optional parameters are supplied, then these values would be used in place of the corresponding tftp-server command setting. Supplying any of the optional parameters, such as a colon and anything after it, causes the command to run without prompting for user input.
The location is either an IP address or a name that resolves to an IP address via the PIX Firewall naming resolution mechanism (currently static mappings via the name and names commands). PIX Firewall must know how to reach this location via its routing table information. This information is determined by the ip address command, the route command, or also RIP, depending upon your configuration.
The pathname can include any directory names besides the actual last component of the path to the file on the server. The pathname cannot contain spaces. If a directory name has spaces, set the directory in the TFTP server instead of in the copy tftp flash command.
If your TFTP server has been configured to point to a directory on the system from which you are downloading the image, you need only use the IP address of the system and the image filename.
For example, if you want to download the pix512.bin file from the D: partition on a Windows system (IP address 10.1.1.5), you would access the Cisco TFTP Server View>Options menu and enter the filename path in the TFTP server root directory edit box; for example, D:\pix_images. To copy the file to the PIX Firewall, use the following copy tftp command:
copy tftp://10.1.1.5/pix512.bin flashThe TFTP server receives the command and determines the actual file location from its root directory information. The server then downloads the TFTP image to the PIX Firewall.
Note
Examples
The following example causes the PIX Firewall to prompt you for the filename and location before you start the TFTP download:
copy tftp flashAddress or name of remote host [127.0.0.1]? 10.1.1.5Source file name [cdisk]? pix512.bincopying tftp://10.1.1.5/pix512.bin to flash[yes|no|again]? yes!!!!!!!!!!!!!!!!!!!!!!!...Received 1695744 bytes.Erasing current image.Writing 1597496 bytes of image.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!...Image installed.The next example takes the information from the tftp-server command. In this case, the TFTP server is in an intranet and resides on the outside interface. The example sets the filename and location from the tftp-server command, saves memory, and then downloads the image to Flash memory:
tftp-server outside 10.1.1.5 pix512.binWarning: 'outside' interface has a low security level (0).write memoryBuilding configuration...Cryptochecksum: 017c452b d54be501 8620ba48 490f7e99[OK]copy tftp: flashcopying tftp://10.1.1.5/pix512.bin to flash!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!...The next example overrides the information in the tftp-server command to let you specify alternate information about the filename and location. If you have not set the tftp-server command, you can also use the copy tftp flash command to specify all information as shown in the second example that follows:
copy tftp:/pix512.bin flashcopy tftp://10.0.0.1/pix512.bin flashThe next example maps an IP address to the tftp-host name with the name command and uses the tftp-host name in the copy commands:
name 10.1.1.6 tftp-hostcopy tftp://tftp-host/pix512.bin flashcopy tftp://tftp-host/tftpboot/pix512.bin flashdebug
Debug packets or ICMP tracings through the PIX Firewall. (Configuration mode.)
debug dhcpc detail | error | packet
no debug dhcpc detail | error | packet
debug dhcpd event | packet
no debug dhcpd event | packet
debug fover option
no debug fover option
debug h323 h225 [asn | event]
no debug h323 h225 [asn | event]
debug h323 h245 [asn | event]
no debug h323 h245 [asn | event]
debug h323 ras [asn | event]
no debug h323 ras [asn | event]
debug icmp trace
no debug icmp trace
debug packet if_name [src source_ip [netmask mask]] [dst dest_ip [netmask mask]]
[[proto icmp] | [proto tcp [sport src_port] [dport dest_port]] |
[proto udp [sport src_port] [dport dest_port]] [rx | tx | both]no debug packet if_name [src source_ip [netmask mask]] [dst dest_ip [netmask mask]]
[[proto icmp] | [proto tcp [sport src_port] [dport dest_port]] |
[proto udp [sport src_port] [dport dest_port]] [rx | tx | both]debug ppp error | io | uauth
no debug ppp error | io | uauth
debug sqlnet
no debug sqlnet
debug ssh
no debug ssh
debug vpdn event | error | packet
no debug vpdn event | error | packet
show debug
Syntax Description
dhcpc detail
Display detailed information about the DHCP client packets.
dhcpc error
Display error messages associated with the DHCP client.
dhcpc packet
Display packet information associated with the DHCP client.
dhcpd event
Display event information associated with the DHCP server.
dhcpd packet
Display packet information associated with the DHCP server.
fover option
Display failover information. Refer to Table 5-6 for the options.
h323
Display information about the packet-based multimedia communications systems standard.
h225 asn
Display the output of the decoded PDUs.
h225 events
Display the events of the H225 signalling, or turn both traces on.
h245 asn
Display the output of the decoded PDUs.
h245 events
Display the events of the H245 signalling, or turn both traces on
ras asn
Display the output of the decoded PDUs.
ras events
Display the events of the RAS signalling, or turn both traces on.
icmp
Display information about ICMP traffic.
packet
Display packet information.
if_name
Interface name from which the packets are arriving; for example, to monitor packets coming into the PIX Firewall from the outside, set if_name to outside.
src source_ip
Source IP address.
netmask mask
Network mask.
dst dest_ip
Destination IP address.
proto icmp
Display ICMP packets only.
proto tcp
Display TCP packets only.
sport src_port
Source port. See the "Ports" section in "Introduction" for a list of valid port literal names.
dport dest_port
Destination port.
proto udp
Display UDP packets only.
rx
Display only packets received at the PIX Firewall.
tx
Display only packets that were transmitted from the PIX Firewall.
both
Display both received and transmitted packets.
sqlnet
Debug SQL*Net traffic.
ppp
Debug PPTP traffic, which is configured with the vpdn command.
ppp error
Display PPTP PPP virtual interface error messages.
ppp io
Display the packet information for the PPTP PPP virtual interface.
ppp uauth
Display the PPTP PPP virtual interface AAA user authentication debugging messages.
ssh
Debug information and error messages associated with the ssh command.
vpdn event
Display PPTP tunnel event change information.
vpdn error
Display PPTP protocol error messages.
vpdn packet
Display PPTP packet information about PPTP traffic.
Usage Guidelines
The debug command lets you view debug information. The show debug command displays the current state of tracing. You can debug the contents of network layer protocol packets with the debug packet command.
The debug dhcpc detail command displays detailed packet information about the DHCP client. The debug dhcpc error command displays DHCP client error messages. The debug dhcpc packet command displays packet information about the DHCP client. Use the no form of the debug dhcpc command to disable debugging.
The debug dhcpd event command displays event information about the DHCP server. The debug dhcpd packet command displays packet information about the DHCP server. Use the no form of the debug dhcpd commands to disable debugging.
The debug h323 command lets you debug H323 connections. Use the no form of the command to disable debugging. This command works when the fixup protocol h323 command is enabled.
Note
The debug icmp trace command shows ICMP packet information, the source IP address, and the destination address of packets arriving, departing, and traversing the PIX Firewall including pings to the PIX Firewall unit's own interfaces.
The debug sqlnet command reports on traffic between Oracle SQL*Net clients and servers through the PIX Firewall.
The debug ssh command reports on information and error messages associated with the ssh command.
The debug ppp and debug vpdn commands provide information about PPTP traffic. PPTP is configured with the vpdn command.
Use of the debug commands can slow down busy networks.
For information about the debug crypto commands or IPSec-related debug commands, refer to the debug command page within the "Command Reference" chapter of the IPSec User Guide for the Cisco Secure PIX Firewall Version 5.2.
Table 5-6 lists the options for the debug fover command.
Trace Channel Feature
The debug packet command sends its output to the Trace Channel. All other debug commands do not. Use of Trace Channel changes the way you can view output on your screen during a PIX Firewall console or Telnet session.
If a debug command does not use Trace Channel, each session operates independently, which means any commands started in the session only appear in the session. By default, a session not using Trace Channel has output disabled by default.
The location of the Trace Channel depends on whether you have a simultaneous Telnet console session running at the same time as the console session, or if you are using only the PIX Firewall serial console:
•
•
•
The debug commands are shared between all Telnet and serial console sessions.
Note
Additional debug Command Information
Note
Note
To stop a debug packet trace command, enter:
no debug packet if_nameReplace if_name with the name of the interface; for example, inside, outside, or a perimeter interface name.
To stop a debug icmp trace command, enter:
no debug icmp traceExamples
The following is partial sample output from the debug dhcpc packet and the debug dhcpc detail commands. The ip address dhcp setroute command was configured after turning on the debug dhcpc commands to obtain debugging information:
debug dhcpc packetdebug dhcpc detailip address outside dhcp setrouteDHCP:allocate requestDHCP:new entry. add to queueDHCP:new ip lease str = 0x80ce8a28DHCP:SDiscover attempt # 1 for entry:Temp IP addr:0.0.0.0 for peer on Interface:outsideTemp sub net mask:0.0.0.0DHCP Lease server:0.0.0.0, state:1 SelectingDHCP transaction id:0x8931Lease:0 secs, Renewal:0 secs, Rebind:0 secsNext timer fires after:2 secondsRetry count:1 Client-ID:cisco-0000.0000.0000-outsideDHCP:SDiscover:sending 265 byte length DHCP packetDHCP:SDiscover 265 bytesDHCP Broadcast to 255.255.255.255 from 0.0.0.0DHCP client msg received, fip=10.3.2.2, fport=67DHCP:Received a BOOTREP pktDHCP:Scan:Message type:DHCP OfferDHCP:Scan:Server ID Option:10.1.1.69 = 450A44ABDHCP:Scan:Server ID Option:10.1.1.69 = 450A44ABDHCP:Scan:Lease Time:259200DHCP:Scan:Subnet Address Option:255.255.254.0DHCP:Scan:DNS Name Server Option:10.1.1.70, 10.1.1.140DHCP:Scan:Domain Name:example.comDHCP:Scan:NBNS Name Server Option:10.1.2.228, 10.1.2.87DHCP:Scan:Router Address Option:10.3.2.1DHCP:rcvd pkt source:10.3.2.2, destination: 255.255.255.255...The following example turns on this command:
debug icmp traceWhen you ping a host through the PIX Firewall from any interface, trace output displays on the console. The following example shows a successful ping from an external host (209.165.201.2) to the PIX Firewall unit's outside interface (209.165.201.1):
Inbound ICMP echo reply (len 32 id 1 seq 256) 209.165.201.1 > 209.165.201.2Outbound ICMP echo request (len 32 id 1 seq 512) 209.165.201.2 > 209.165.201.1Inbound ICMP echo reply (len 32 id 1 seq 512) 209.165.201.1 > 209.165.201.2Outbound ICMP echo request (len 32 id 1 seq 768) 209.165.201.2 > 209.165.201.1Inbound ICMP echo reply (len 32 id 1 seq 768) 209.165.201.1 > 209.165.201.2Outbound ICMP echo request (len 32 id 1 seq 1024) 209.165.201.2 > 209.165.201.1Inbound ICMP echo reply (len 32 id 1 seq 1024) 209.165.201.1 > 209.165.201.2NO DEBUG ICMP TRACEICMP trace offThis example shows that the ICMP packet length is 32 bytes, that the ICMP packet identifier is 1, and the ICMP sequence number. The ICMP sequence number starts at 0 and is incremented each time a request is sent.
The following is sample output from the show debug command output:
show debugdebug ppp errordebug vpdn eventdebug crypto ipsec 1debug crypto isakmp 1debug crypto ca 1debug icmp tracedebug packet outside bothdebug sqlnetThe above sample output includes the debug crypto commands. Refer to the debug command page within the "Command Reference" chapter of the IPSec User Guide for the Cisco Secure PIX Firewall Version 5.2 for more information about the debug crypto commands.
You can debug the contents of packets with the debug packet command:
debug packet inside--------- PACKET ----------- IP --4.3.2.1 ==> 255.3.2.1ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x60id = 0x3902 flags = 0x0 frag off=0x0ttl = 0x20 proto=0x11 chksum = 0x5885-- UDP --source port = 0x89 dest port = 0x89len = 0x4c checksum = 0xa6a0-- DATA --00000014: 00 01 00 00 |....00000024: 00 00 00 01 20 45 49 45 50 45 47 45 47 45 46 46 | .... EIEPEGEGEFF00000034: 43 43 4e 46 41 45 44 43 41 43 41 43 41 43 41 43 | CCNFAEDCACACACAC00000044: 41 43 41 41 41 00 00 20 00 01 c0 0c 00 20 00 01 | ACAAA.. ..... ..00000054: 00 04 93 e0 00 06 60 00 01 02 03 04 00 | ......`......--------- END OF PACKET ---------This display lists the information as it appears in a packet.
The following is sample output from the show debug command:
show debugdebug icmp trace offdebug packet offdebug sqlnet offdhcpd
This implements the DHCP server feature. (Configuration Mode)
dhcpd address ip1[-ip2] [if_name]
no dhcpd address ip1[-ip2] [if_name]
dhcpd dns dns1 [dns2]
no dhcpd dns dns1 [dns2]
dhcpd wins wins1 [wins2]
no dhcpd wins wins1 [wins2]
dhcpd lease lease_length
no dhcpd lease lease_length
dhcpd domain domain_name
no dhcpd domain domain_name
dhcpd enable [if_name]
no dhcpd enable [if_name]
show dhcpd [binding|statistics]
clear dhcpd [binding|statistics]
debug dhcpd event
no debug dhcpd event
debug dhcpd packet
no debug dhcpd packet
Syntax Description
Usage Guidelines
A DHCP Server provides network configuration parameters to a DHCP client. Support for the DHCP server within the PIX Firewall means the PIX Firewall can use the DHCP to configure connected PC clients. This DHCP feature is designed for the remote home or branch office that will establish a connection to a enterprise or corporate network. See "DHCP Server" within the "Advanced Configurations" for information on how to implement the DHCP server feature into the PIX Firewall.
Note
The dhcpd lease command specifies the length of the lease in seconds granted to the DHCP client. This lease indicates how long the DHCP client can use the assigned IP address the DHCP granted. The no dhcpd lease command removes the lease length that you specified from your configuration and replaces this value with the default value of 3,600 seconds.
The dhcpd domain command specifies the DNS domain name for the DHCP client. For example, example.com. The no dhcpd domain command removes the DNS domain server from your configuration.
The dhcpd enable command enables the DHCP daemon to begin to listen for the DHCP client requests on the DHCP-enabled interface. The no dhcpd enable command disables the DHCP server feature on the specified interface.
Note
The show dhcpd command displays dhcpd commands, binding and statistics information associated with all of the dhcpd commands.
The clear dhcpd command clears all of the dhcpd commands, binding, and statistics information.
The debug dhcpd event command displays event information about the DHCP server. The debug dhcpd packet command displays packet information about the DHCP server. Use the no form of the debug dhcpd commands to disable debugging.
Examples
The following partial configuration example shows use of the dhcpd address, dhcpd dns, and dhcpd enable commands. In this example, an address pool for the DHCP clients is defined, a DNS server address is specified for the DHCP client, and the inside interface of the PIX Firewall is enabled for the DHCP server function:
dhcpd address 10.0.1.100-10.0.1.108dhcpd dns 209.165.200.226dhcpd enableThe following partial configuration example shows how to use three new version 5.2 PIX Firewall features that are associated with each other: DHCP server, DHCP client, and PAT using interface IP to configure a PIX Firewall in a small office, home office (SOHO) environment:
! use dhcp to configure the outside interface and default routeip address outside dhcp setroute! enable dhcp server daemon on the inside interfaceip address inside 10.0.1.2 255.255.255.0dhcpd address 10.0.1.101-10.0.1.110dhcpd dns 209.165.201.2 209.165.202.129dhcpd wins 209.165.201.5dhcpd lease 3000dhcpd domain example.comdhcpd enable! use outside interface IP as PAT global addressnat (inside) 1 0 0global (outside) 1 interfaceThe following is sample output for the show dhcpd command:
show dhcpddhcpd address 10.0.1.100-10.0.1.108 insidedhcpd dns 192.23.21.23dhcpd enable insideThe following is sample output for the show dhcpd binding command:
show dhcpd bindingIP Address Hardware Address Lease Expiration Type10.0.1.100 0100.a0c9.868e.43 84985 seconds automaticThe following is sample output for the show dhcpd statistics command:
show dhcpd statisticsAddress Pools 1Automatic Bindings 1Expired Bindings 1Malformed messages 0Message ReceivedBOOTREQUEST 0DHCPDISCOVER 1DHCPREQUEST 2DHCPDECLINE 0DHCPRELEASE 0DHCPINFORM 0Message SentBOOTREPLY 0DHCPOFFER 1DHCPACK 1DHCPNAK 1disable
Exit privileged mode and return to unprivileged mode. (Privileged mode.)
disable
Usage Guidelines
The disable command exits privileged mode and returns you to unprivileged mode. Use the enable command to return to privileged mode.
Examples
The following example shows how to exit privileged mode:
pixfirewall# disablepixfirewall>enable
Start privileged mode. (Unprivileged mode.)
enable
Usage Guidelines
The enable command starts privileged mode. The PIX Firewall prompts you for your privileged mode password. By default, a password is not required—press the Enter key at the Password prompt to start privileged mode. Use disable to exit privileged mode. Use enable password to change the password.
Examples
The following example shows how to start privileged mode with the enable command and then configuration mode with the configure terminal command.
pixfirewall> enablePassword:pixfirewall# configure terminalpixfirewall(config)#enable password
Set the privileged mode password. (Privileged mode.)
enable password password [encrypted]
show enable password
Syntax Description
password
A case-sensitive password of up to 16 alphanumeric characters.
encrypted
Specifies that the password you entered is already encrypted. The password must be 16 characters in length.
Usage Guidelines
The enable password command changes the privileged mode password, for which you are prompted after you enter the enable command. When the PIX Firewall starts and you enter privileged mode, the password prompt appears. There is not a default password (press the Enter key at the Password prompt). The show enable password command lists the encrypted form of the password.
You can return the enable password to its original value (press the Enter key at prompt) by entering:
pixfirewall# enable passwordpixfirewall#
Note
Use the passwd command to set the password for PIX Firewall Manager and Telnet access to the PIX Firewall console. The default passwd value is cisco.
See also: passwd.
Examples
The following examples show how to start privileged mode with the enable command, change the enable password with the enable password command, enter configuration mode with the configure terminal command, and display the contents of the current configuration with the write terminal command:
pixfirewall> enablePassword:pixfirewall# enable password w0ttal1fepixfirewall# configure terminalpixfirewall(config)# write terminalBuilding configuration......enable password 2oifudsaoid.9ff encrypted...The following example shows the use of the encrypted option:
enable password 1234567890123456 encryptedshow enable passwordenable password 1234567890123456 encryptedenable password 1234567890123456show enable passwordenable password feCkwUGktTCAgIbD encryptedestablished
Permit return connections on ports other than those used for the originating connection based on an established connection. (Configuration mode.)
established protocol dest_port [src_port] [permitto protocol dport[-dport]] [permitfrom protocol sport[-sport]]
no established protocol dest_port [src_port] [permitto protocol dport[-dport]] [permitfrom protocol sport[-sport]]
clear established
show established
Syntax Description
Usage Guidelines
The established command allows outbound connections return access through the PIX Firewall. This command works with two connections, an original connection outbound from a network protected by the PIX Firewall and a return connection inbound between the same two devices on an external host.
The first protocol, destination port and optional source port specified is for the initial outbound connection. The permitto and permitfrom options refine the return inbound connection.
Note
The permitto option lets you specify a new protocol or port for the return connection at the PIX Firewall.
The permitfrom option lets you specify a new protocol or port at the remote server.
The no established command disables the established feature.
The show established command shows the established commands in the configuration.
The clear established command removes all establish command statements from your configuration.
Note
You can use the established command with the nat 0 command statement (where there are no global command statements).
Note
The established command works as shown in the following format:
established A B permitto C D permitfrom E FThis command works as though it were written "If there exists a connection between two hosts using protocol A on ports B and C, permitting return connections through the PIX Firewall via protocol D, if the destination port(s) correspond to E (protocols D and F must match, but can be different than A), and the source port(s) correspond to G."
For example:
established tcp 6060 0 permitto tcp 6061 permitfrom tcp 6059In this case, if a connection is started by an internal host to an external host using TCP source port 6060 and any destination port, the PIX Firewall permits return traffic between the hosts via TCP destination port 6061 and TCP source port 6059.
For example:
established udp 0 6060 permitto tcp 6061 permitfrom tcp 1024-65535In this case, if a connection is started by an internal host to an external host using UDP destination port 6060 and any source port, the PIX Firewall permits return traffic between the hosts via TCP destination port 6061 and TCP source port 1024-65535.
Security Problem
The established command has been enhanced to optionally specify the destination port used for connection lookups. Only the source port could be specified previously with the destination port being 0 (a wildcard). This addition allows more control over the command and provides support for protocols where the destination port is known, but the source port is not.
The established command can potentially open a large security hole in the PIX Firewall if not used with discretion. Whenever you use this command, if possible, also use the permitto and permitfrom options to indicate ports to which and from which access is permitted. Without these options, external systems to which connections are made could make unrestricted connections to the internal host involved in the connection. The following are examples of potentially serious security violations that could be allowed when using the established command.
Example:
established tcp 0 4000With this example, if an internal system makes a TCP connection to an external host on port 4000, then the external host could come back in on any port using any protocol.
Example:
established tcp 0 0 (same as previous releases established tcp 0)With this example, if something like the following exists:
static (inside,outside) 200.0.0.2 10.0.0.2 access-list acl_grp permit tcp host 200.0.0.2 eq www anyan attacker only need make a web connection to 200.0.0.2 and then they can make unrestricted connections using any protocol or ports.
Examples
The following example occurs when a local host 10.1.1.1 starts a TCP connection on port 9999 to a foreign host 209.165.201.1. The example allows packets from the foreign host 209.165.201.1 on port 4242 back to local host 10.1.1.1 on port 5454:
established tcp 9999 permitto tcp 5454 permitfrom tcp 4242The next example allows packets from foreign host 209.165.201.1 on any port back to local host 10.1.1.1 on port 5454:
established tcp 9999 permitto tcp 5454XDMCP Support
PIX Firewall now provides support for XDMCP (X Display Manager Control Protocol) with assistance from the established command.
Note
Example:
established tcp 0 6000 to tcp 6000 from tcp 1024-65535Will allow internal XDMCP equipped (UNIX or ReflectionX) hosts to access external XDMCP equipped XWindows servers. UDP/177 based XDMCP negotiates a TCP based XWindows session and subsequent TCP back connections will be permitted. Because the source port(s) of the return traffic is unknown, the src_port field should be specified as 0 (wildcard). The destination port, dest_port, will typically be 6000; the well-known XServer port. The dest_port should be 6000 + n; where n represents the local display number. Use the following UNIX command to change this value:
setenv DISPLAY hostname:displaynumber.screennumberThe established command is needed because many TCP connections are generated (based on user interaction) and the source port for these connection is unknown. Only the destination port will be static. The PIX Firewall does XDMCP fixups transparently. No configuration is required, but the established command is necessary to accommodate the TCP session. Be advised that using applications like this through the PIX Firewall may open up security holes. The XWindows system has been exploited in the past and newly introduced exploits are likely to be discovered.
exit
Exit an access mode. (All modes.)
exit
Usage Guidelines
Use the exit command to exit from an access mode. This command is the same as quit.
Examples
The following example shows how to exit configuration mode and then privileged mode:
pixfirewall(config)# exitpixfirewall# exitpixfirewall>failover
Change or view access to the optional failover feature. (Configuration mode.)
failover [active]
failover ip address if_name ip_address
failover link [stateful_if_name]
failover poll seconds
failover reset
no failover active
show failover
Syntax Description
Usage Guidelines
Use the failover command without an argument after you connect the optional failover cable between your primary firewall and a secondary firewall. The default configuration has failover enabled. Enter no failover in the configuration file for the PIX Firewall if you will not be using the failover feature. Use the show failover command to verify the status of the connection and to determine which unit is active.
Note
Note
Note
Use the failover active command to initiate a failover switch from the Standby unit, or the no failover active command from the Active unit to initiate a failover switch. You can use this feature to return a failed unit to service, or to force an Active unit offline for maintenance. Because the Standby unit does not keep state information on each connection, all active connections will be dropped and must be re-established by the clients.
Use the failover link command to enable Stateful Failover. Stateful Failover requires a dedicated interface that is as fast as the fastest active interface to be used exclusively for passing state information between the two PIX Firewall units. FDDI interfaces are supported for non-Stateful Failover interfaces.
If a failover IP address has not been entered, show failover will display 0.0.0.0 for the IP address, and monitoring of the interfaces will remain in "waiting" state. A failover IP address must be set for failover to work.
The failover poll seconds command lets you determine how long failover waits before sending special failover "hello" packets between the Primary and Standby units over all network interfaces and the failover cable. The default is 15 seconds. The minimum value is 3 seconds and the maximum is 15 seconds. Set to a lower value for Stateful Failover. With a faster poll time, PIX Firewall can detect failure and trigger failover faster. However, faster detection may cause unnecessary switchovers when the network is temporarily congested or a network card starts slowly.
When a failover cable connects two PIX Firewall units, the no failover command now disables failover until you enter the failover command to explicitly enable failover. Previously, when the failover cable connected two PIX Firewall units and you entered the no failover command, failover would automatically re-enable after 15 seconds.
If you reboot the PIX Firewall without entering the write memory command and the failover cable in connected, failover mode automatically enables.
You can also view the information from the show failover command using SNMP. Refer to "Using the Firewall and Memory Pool MIBs" in "Advanced Configurations," for more information.
A failover configuration example is provided in "Failover Configuration" in "Configuration Examples."
Examples
The following output shows that failover is enabled, and that the Primary unit state is active:
show failoverFailover OnCable status: NormalReconnect time-out 0:00:00This host: Primary - ActiveActive time: 3456 (sec)Interface 4th (172.16.1.112): NormalInterface intf3 (192.168.3.2): NormalInterface intf2 (192.168.2.2): NormalInterface outside (192.168.1.8): NormalInterface inside (10.1.1.6): NormalOther host: Secondary - StandbyActive time: 0 (sec)Interface 4th (172.16.1.111): NormalInterface intf3 (192.168.3.1): NormalInterface intf2 (192.168.2.1): NormalInterface outside (192.168.1.7): NormalInterface inside (10.1.1.2): NormalStandby Logical Update StatisticsLink : intf2Stateful Obj xmit xerr rcv rerrGeneral 53 0 0 0sys cmd 53 0 0 0up time 0 0 0 0xlate 0 0 0 0tcp conn 0 0 0 0udp conn 0 0 0 0ARP tbl 0 0 0 0RIF Tbl 0 0 0 0The "Cable status" has these values:
•
•
•
You can view the IP addresses of the Standby unit with the show ip address command:
show ip addressSystem IP Addresses:ip address outside 209.165.201.2 255.255.255.224ip address inside 192.168.2.1 255.255.255.0ip address perimeter 192.168.70.3 255.255.255.0Current IP Addresses:ip address outside 209.165.201.2 255.255.255.224ip address inside 192.168.2.1 255.255.255.0ip address perimeter 192.168.70.3 255.255.255.0The Current IP Addresses are the same as the System IP Addresses on the failover Active unit. When the Primary unit fails, the Current IP Addresses become those of the Standby unit.
The Standby Logical Update Statistics output that displays when you use the show failover command only describes Stateful Failover. The "xerrs" value does not indicate an error in failover and can be ignored.
filter
Enable or disable outbound URL or HTML object filtering. (Configuration mode.)
filter activex port local_ip mask foreign_ip mask
no filter activex port local_ip mask foreign_ip mask
filter java port[-port] local_ip mask foreign_ip mask
no filter java port[-port] local_ip mask foreign_ip mask
filter url port|except local_ip local_mask foreign_ip foreign_mask [allow]
no filter url port | except [local_ip local_mask foreign_ip foreign_mask]
clear filter
show filter
Syntax Description
Usage Guidelines
The sections that follow describe each type of filter. The clear filter command removes all filter commands from the configuration. The show filter command lists all filter commands in the configuration.
filter activex
The filter activex command filters out ActiveX, Java applets, and other HTML <object> usages from outbound packets. ActiveX controls, formerly known as OLE or OCX controls, are components you can insert in a web page or other application. These controls include custom forms, calendars, or any of the extensive third-party forms for gathering or displaying information.
As a technology, it creates many potential problems for the network clients including causing workstations to fail, introducing network security problems, or be used to attack servers.
This feature blocks the HTML <object> tag and comments it out within the HTML web page.
Note
Note
Examples
To specify that all outbound connections have ActiveX blocking, use the following command:
filter activex 80 0 0 0 0This command specifies that the ActiveX blocking applies to Web traffic on port 80 from any local host and for connections to any foreign host.
filter java
The filter java command filters out Java applets that return to the PIX Firewall from an outbound connection. The user still receives the HTML page, but the web page source for the applet is commented out so that the applet cannot execute. Use 0 for the local_ip or foreign_ip IP addresses to mean all hosts.
Note
Examples
To specify that all outbound connections have Java applet blocking, use the following command:
filter java 80 0 0 0 0This command specifies that the Java applet blocking applies to Web traffic on port 80 from any local host and for connections to any foreign host.
filter url
The filter url command lets you prevent outbound users from accessing World Wide Web URLs that you designate using the Websense filtering application.
The allow option to the filter command determines how the PIX Firewall behaves in the event that the Websense server goes offline. If you use the allow option with the filter command and the Websense server goes offline, port 80 traffic passes through the PIX Firewall without filtering. Used without the allow option and with the server offline, PIX Firewall stops outbound port 80 (Web) traffic until the server is back online, or if another URL server is available, passes control to the next URL server.
Note
The Websense Server works with the PIX Firewall to deny users from access to web sites based on the company security policy.
Websense protocol version 4 enables group and username authentication between a host and a PIX Firewall. The PIX Firewall performs a username lookup, and then the Websense server handles URL filtering and username logging.
Websense protocol version 4 contains the following enhancements:
•
•
•
Follow these steps to filter URLs:
Step 1
Step 2
Step 3
Step 4
Information on Websense is available at the following site:
http://www.websense.com/products/websense/
Examples
The following example filters all outbound HTTP connections except those from the 10.0.2.54 host:
url-server (perimeter) host 10.0.1.1filter url 80 0 0 0 0filter url except 10.0.2.54 255.255.255.255 0 0The following example filters all outbound HTTP connections received from a proxy server that sends Web traffic on port 8080:
filter url 8080 0 0 0 0fixup protocol
Change, enable, disable, or list a PIX Firewall application protocol feature. (Configuration mode.)
fixup protocol ftp [strict] [port]
fixup protocol http [port[-port]
fixup protocol h323 [port[-port]]
fixup protocol rsh [514]
fixup protocol rtsp [port]
fixup protocol sip [5060]
fixup protocol smtp [port[-port]]
fixup protocol sqlnet [port[-port]]
no fixup protocol protocol [port[-port]]
clear fixup
show fixup [protocol protocol]
Syntax Description
protocol
Specify the protocol to fix up: ftp, http, h323, rsh, rtsp, sip, smtp, or sqlnet.
port
Specify the port number or range for the application protocol. The default ports are: TCP 21 for ftp, TCP 80 for http, TCP 1720 for h323, TCP 514 for rsh, TCP 554 for rtsp, TCP 25 for smtp, TCP 1521 for sqlnet, and TCP 5060 for sip. The default port value for rsh cannot be changed, but additional port statements can be added. See the "Ports" section in "Introduction" for a list of valid port literal names.
strict
Prevent web browsers from sending embedded commands in FTP requests. Each FTP command must be acknowledged before a new command is allowed. Connections sending embedded commands are dropped.
Usage Guidelines
The fixup protocol commands let you view, change, enable, or disable the use of a service or protocol through the PIX Firewall. The ports you specify are those that the PIX Firewall listens at for each respective service. You can change the port value for each service except rsh and sip. The fixup protocol commands are always present in the configuration and are enabled by default.
The fixup protocol command performs the Adaptive Security Algorithm based on different port numbers other than the defaults. This command is global and changes things for both inbound and outbound connections, and cannot be restricted to any static command statements.
The clear fixup command removes fixup commands from the configuration that you added. It does not remove the default fixup protocol commands.
The show fixup command lists all values or the show fixup protocol protocol command lists an individual protocol.
You can disable the fixup of a protocol by removing all fixups of the protocol from the configuration using the no fixup command. After you remove all fixups for a protocol, the no fixup form of the command or the default port is stored in the configuration.
The following lists the default fixup protocol values (those enabled when a PIX Firewall is first installed). You can view the fixup protocol settings with the show fixup command as follows:
show fixupfixup protocol ftp 21fixup protocol http 80fixup protocol h323 1720fixup protocol rsh 514fixup protocol smtp 25fixup protocol sqlnet 1521fixup protocol sip 5060fixup protocol ftp
The FTP port can be changed; however if you change the default of port 21, to something like 2021, all FTP control connections must happen on port 2021. FTP control connections on port 21 will no longer work.
If you disable FTP fixups with the no fixup protocol ftp command, outbound users can start connections only in passive mode, and all inbound FTP is disabled.
The strict option to the fixup protocol ftp command prevents web browsers from sending embedded commands in FTP requests. Each FTP command must be acknowledged before a new command is allowed. Connections sending embedded commands are dropped. The strict option only lets an FTP server generate the 227 command and only lets an FTP client generate the PORT command. The 227 and PORT commands are checked to ensure they do not appear in an error string.
The port parameter lets you specify the port at which the PIX Firewall listens for FTP traffic. Typically, this value is 21. In addition, the FTP port can now only be in the range of 1 to 1024.
fixup protocol h323
The fixup protocol h323 command provides support for Intel InternetPhone, CU-SeeMe, CU-SeeMe Pro, MeetingPoint, and MS NetMeeting. Version 5.2 supports H.323 version 2. H.323 is a suite of protocols defined by the International Telecommunication Union (ITU) for multimedia conferences over LANs. H.323 supports VoIP gateways and VoIP gatekeepers. H.323 version 2 adds the following functionality to the PIX Firewall:
•
•
fixup protocol http
Note
fixup protocol rtsp
The fixup protocol rtsp command lets PIX Firewall pass RTSP (Real Time Streaming Protocol) packets. RTSP is used by RealAudio, RealNetworks, Apple QuickTime 4, RealPlayer, and Cisco IP/TV connections. PIX Firewall does not support multicast RTSP.
If you are using Cisco IP/TV, use RTSP TCP port 554 and TCP 8554:
fixup protocol rtsp 554fixup protocol rtsp 8554The following restrictions apply to the fixup protocol rtsp command:
1.
2.
3.
4.
5.
6.
7.
8.
If using TCP mode on the RealPlayer, select the check boxes for Use TCP to Connect to Server and Attempt to use TCP for all content. On the PIX Firewall, there is no need to configure the fixup.
If using UDP mode on the RealPlayer, select the check boxes for Use TCP to Connect to Server and Attempt to use UDP for static content, and for live content not available via Multicast. On the PIX Firewall, add a fixup protocol rtsp port command statement
fixup protocol sip
The fixup protocol sip command enables SIP on the interface. SIP enables call handling sessions—particularly two-party audio conferences, or "calls." SIP works with Session Description Protocol (SDP) for call signalling. SDP specifies the ports for the media stream. Using SIP, the PIX Firewall can support any SIP Voice over IP (VoIP) gateways and VoIP proxy servers.
Session initiation protocol (SIP), as defined by the Internet Engineering Task Force (IETF), enables call handling sessions, particularly two-party audio conferences, or "calls." SIP works with Session Description Protocol (SDP) for call signalling. SDP specifies the ports for the media stream. Using SIP, the PIX Firewall can support any SIP Voice over IP (VoIP) gateways and VoIP proxy servers. SIP and SDP are defined in the following RFCs:
•
•
fixup protocol smtp
The fixup protocol smtp command enables the Mail Guard feature, which only lets mail servers receive the RFC 821, section 4.5.1 commands of HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT. All other commands are rejected with the "500 command unrecognized" reply code.
fixup protocol sqlnet
Note
Examples
You can add multiple port settings for each protocol with separate commands; for example:
fixup protocol ftp 21fixup protocol ftp 4254fixup protocol ftp 9090These commands cause PIX Firewall to listen to the standard FTP port of 21 but also to listen for FTP traffic at ports 4254 and 9090.
The following example enables access to an inside server running Mail Guard:
static (inside,outside) 209.165.201.1 192.168.42.1 netmask 255.255.255.255access-list acl_out permit tcp host 209.165.201.1 eq smtp anyaccess-group acl_out in interface outsidefixup protocol smtp 25The following example shows the commands to disable Mail Guard:
static (dmz1,outside) 209.165.201.1 10.1.1.1 netmask 255.255.255.255access-list acl_out permit tcp host 209.165.201.1 eq smtp anyaccess-group acl_out in interface outsideno fixup protocol smtp 25In this example, the static command sets up a global address to permit outside hosts access to the 10.1.1.1 mail server host on the dmz1 interface. (The MX record for DNS needs to point to the 209.165.201.1 address so that mail is sent to this address.) The access-list command lets any outside users access the global address through the SMTP port (25). The no fixup protocol command disables the Mail Guard feature.
flashfs
Clear, display, or downgrade filesystem information. (Configuration mode.)
flashfs downgrade {4.x | 5.0 | 5.1}
clear flashfs
show flashfs
Syntax Description
Usage Guidelines
The clear flashfs and the flashfs downgrade 4.x commands clear the filesystem part of Flash memory in the PIX Firewall. Versions 4.n cannot use the information in the filesystem so it needs to be cleared to let the earlier version operate correctly.
The flashfs downgrade 5.0 | 5.1 command reorganizes the filesystem part of Flash memory so that information stored in the filesystem can be accessed by the earlier version. The PIX Firewall maintains a filesystem in Flash memory to store system information, IPSec private keys, certificates, and CRLs. It is crucial that you clear or reformat the filesystem before downgrading to a previous PIX Firewall version. Otherwise, your filesystem will get out of sync with the actual contents of the Flash memory and cause problems when the unit is later upgraded.
You only need to use the flashfs downgrade 5.0 | 5.1 command if your PIX Firewall has 16 MB Flash memory, if you have IPSec private keys, certificates, or CRLs stored in Flash memory, and you used the ca save all command to save these items in Flash memory. The flashfs downgrade 5.0 | 5.1 command fails if the filesystem indicates that any part of the image, configuration, or private data in the Flash memory device is unusable.
The clear flashfs and flashfs downgrade commands do not affect the configuration stored in Flash memory.
The clear flashfs command is the same as the flashfs downgrade 4.x command.
The show flashfs command displays the size in bytes of each filesystem sector and the current state of the filesystem. The data in each sector is as follows:
•
•
•
•
Examples
Use the following command to write the filesystem to Flash memory before downgrading to version 5.1:
flashfs downgrade 5.1The following commands display the filesystem sector sizes:
show flashfsflash file system: version:1 magic:0x12345679file 0: origin: 0 length:1794104file 1: origin: 2095104 length:1496file 2: origin: 0 length:0file 3: origin: 2096640 length:140flashfs downgrade 5.1show flashfsflash file system: version:0 magic:0x0file 0: origin: 0 length:0file 1: origin: 0 length:0file 2: origin: 0 length:0file 3: origin: 0 length:0The origin values are integer multiples of the underlying filesystem sector size.
floodguard
Enable or disable Flood Defender to protect against flood attacks. (Configuration mode.)
floodguard enable | disable
show floodguard
Syntax Description
Usage Guidelines
The floodguard command lets you reclaim PIX Firewall resources if the user authentication (uauth) subsystem runs out of resources. If an inbound or outbound uauth connection is being attacked or overused, the PIX Firewall will actively reclaim TCP user resources.
When the resources deplete, the PIX Firewall lists messages about it being out of resources or out of tcpusers.
If the PIX Firewall uauth subsystem is depleted, TCP user resources in different states are reclaimed depending on urgency in the following order:
1.
2.
3.
4.
The floodguard command is enabled by default.
Examples
The following example enables the floodguard command and lists the floodguard command statement in the configuration:
floodguard enableshow floodguardfloodguard enableglobal
Create or delete entries from a pool of global addresses. (Configuration mode.)
global [(if_name)] nat_id {global_ip [-global_ip] [netmask global_mask]} | interface
no global [(if_name)] nat_id [global_ip [-global_ip] [netmask global_mask]] | [interface]
show global
Syntax Description
Usage Guidelines
The global command defines a pool of global addresses. The global addresses in the pool provide an IP address for each outbound connection, and for those inbound connections resulting from outbound connections. Ensure that associated nat and global command statements have the same nat_id.
After changing or removing a global command statement, use the clear xlate command.
Use the no global command to remove access to a nat_id, or to a Port Address Translation (PAT) address, or address range within a nat_id. Use the show global command to view the global command statements in the configuration.
Usage Notes
1.
2.
global (outside) 1 209.165.201.1-209.165.201.10 netmask 255.255.255.224global (outside) 1 209.165.201.22 netmask 255.255.255.2243.
4.
5.
However for use with passive FTP, use the fixup protocol ftp strict command statement with an access-list command statement to permit outbound FTP traffic, as shown in the following example:
fixup protocol ftp strict ftpaccess-list acl_in permit tcp any any eq ftpaccess-group acl_in in interface insidenat (inside) 1 0 0global (outside) 1 209.165.201.5 netmask 255.255.255.2246.
1.201.165.209.in-addr.arpa. IN PTR pix.example.com.7.
For example, PAT is enabled with these commands:
nat (inside) 1 192.168.1.0 255.255.255.0global (inside) 1 209.165.202.128 netmask 255.255.255.224However, a DNS server on the inside at IP address 192.168.1.5 cannot correctly reach the root name server on the outside at IP address 209.165.202.130.
To ensure that the inside DNS server can access the root name server, insert the following static command statement:
static (inside,outside) 209.165.202.129 192.168.1.5The global address 209.165.202.129 provides a translated address for the inside server at IP address 192.168.1.5.
8.
ip address outside 192.150.49.1nat (inside) 1 0 0global (outside) 1 interfaceThe interface IP address used for PAT is the address associated with the interface when the xlate is created. This is important for configuring DHCP, allowing for the DHCP retrieved address to be used for PAT.
When PAT is enabled on an interface, there should be no termination of TCP, UDP, and ICMP services. These services allow for termination at the PIX Firewall's outside interface.
9.
global [(int_name)] nat_id address | interface
The following example enables PAT using the IP address at the outside interface in global configuration mode:
ip address outside 192.150.49.1nat (inside) 1 0 0global (outside) 1 interfaceThe interface IP address used for PAT is the address associated with the interface when the xlate (translation slot) is created. This is important for configuring DHCP, allowing for the DHCP retrieved address to be used for PAT.
When PAT is enabled on an interface, there should be no loss of TCP, UDP, and ICMP services. These services allow for termination at the PIX Firewall unit's outside interface.
10.
The following example maps hosts on the internal network 10.1.0.0/16 to global address 192.168.1.1 and hosts on the internal network 10.1.1.1/16 to global address 209.165.200.225 in global configuration mode.
nat (inside) 1 10.1.0.0 255.255.255.0nat (inside) 2 10.1.1.1 255.255.255.0global (outside) 1 192.168.1.1 netmask 255.255.255.0global (outside) 2 209.165.200.225 netmask 255.255.255.224The following example configures two port addresses for setting up PAT on hosts from the internal network 10.1.0.0/16 in global configuration mode.
nat (inside) 1 10.1.0.0 255.255.0.0global (outside) 1 209.165.200.225 netmask 255.255.255.224global (outside) 1 192.168.1.1 netmask 255.255.255.0With this configuration, address 192.168.1.1 will only be used when the port pool from address 209.165.200.225 is at maximum capacity.
Examples
The following example declares two global pool ranges and a PAT address. Then the nat command permits all inside users to start connections to the outside network:
global (outside) 1 209.165.201.1-209.165.201.10 netmask 255.255.255.224global (outside) 1 209.165.201.12 netmask 255.255.255.224Global 209.165.201.12 will be Port Address Translatednat (inside) 1 0 0clear xlateThe next example creates a global pool from two contiguous pieces of a Class C address and gives the perimeter hosts access to this pool of addresses to start connections on the outside interface:
global (outside) 1000 209.165.201.1-209.165.201.14 netmask 255.255.255.240global (outside) 1000 209.165.201.17-209.165.201.30 netmask 255.255.255.240nat (perimeter) 1000 0 0help
Display help information. (Unprivileged mode.)
help
?
Usage Guidelines
The help or ? command displays help information about all commands. You can view help for an individual command by entering the command name followed by a question mark or just the command name and pressing the Enter key.
If the pager command is enabled and when 24 lines display, the listing pauses, and the following prompt appears:
<--- More --->The More prompt uses syntax similar to the UNIX more command:
•
•
•
Examples
The following example shows how you can display help information by following the command name with a question mark:
enable ?usage: enable password <pw> [encrypted]Help information is available on the core commands (not the show, no, or clear commands) by entering ? at the command prompt:
?aaa Enable, disable, or view TACACS+ or RADIUSuser authentication, authorization and accounting...hostname
Change the host name in the PIX Firewall command line prompt. (Configuration mode.)
hostname newname
Syntax Description
newname
New host name for the PIX Firewall prompt. This name can be up to 16 alphanumeric characters and mixed case.
Usage Guidelines
The hostname command changes the host name label on prompts. The default host name is pixfirewall.
Note
Examples
The following example shows how to change a host name:
pixfirewall(config)# hostname spinnerspinner(config)# hostname pixfirewallpixfirewall(config)#icmp
Enable or disable pinging to an interface. (Configuration mode.)
icmp permit | deny [host] src_addr [src_mask] [type] int_name
no icmp permit | deny [host] src_addr [src_mask] [type] int_name
clear icmp
show icmp
Syntax Description
permit | deny
Permit or deny the ability to ping a PIX Firewall interface.
src_addr
Address that is either permitted or denied ability to ping an interface. Use host src_addr to specify a single host.
src_mask
Network mask. Specify if a network address is specified.
type
ICMP message type as described in Table 5-7.
int_name
Interface name that can be pinged.
Usage Guidelines
Enable or disable pinging to an interface. With pinging disabled, the PIX Firewall cannot be detected on the network. The new icmp command implements this feature. This feature is also referred to as configurable proxy pinging.
To use the icmp command, configure an access-list command statement that permits or denies ICMP traffic that terminates at the PIX Firewall unit.
If the first matched entry is a permit entry, the ICMP packet continues to be processed. If the first matched entry is a deny entry or an entry is not matched, PIX Firewall discards the ICMP packet and generates the %PIX-3-313001 syslog message. An exception is when an ICMP access-list command statement is not configured; then, permit is assumed.
Cisco recommends that you grant permission for ICMP unreachable message type (type 3). Denying ICMP unreachable messages disables ICMP Path MTU discovery, which can halt IPSec and PPTP traffic. See RFC 1195 and RFC 1435 for details about Path MTU Discovery.
The syslog message is as follows:
%PIX-3-313001: Denied ICMP type=type, code=code from source_address on interface interface_number
If this message appears, contact the peer's administrator.
ICMP Message Types
Table 5-7 lists possible ICMP type values.
Example
1.
icmp deny any echo-reply outsideicmp permit any unreachable outside2.
icmp permit host 172.16.2.15 echo-reply outsideicmp permit 171.22.1.0 255.255.255.0 echo-reply outsideicmp permit any unreachable outsideinterface
Identify network interface speed and duplex. (Configuration mode.)
interface hardware_id [hardware_speed] [shutdown]
clear interface
show interface
Syntax Description
Usage Guidelines
The interface command identifies the speed and duplex settings of the network interface boards.
Use show interface to view information about the interface. The show interface command displays the packet drop count of Unicast RPF for each interface. This value appears as the "unicast rpf drops" counter.The clear interface command clears all interface statistics except the number of input bytes. This command no longer shuts down all system interfaces. The clear interface command works with all interface types except gigabit Ethernet. The clear interface command also clears the packet drop count of Unicast RPF for all interfaces.
The shutdown option lets you disable an interface. When you first install PIX Firewall, all interfaces are shut down by default. You must explicitly enable an interface by entering the command without the shutdown option. If the shutdown option does not exist in the command, packets are passed by the driver to and from the card.
If the shutdown option does exist, packets are dropped in either direction. Inserting a new card defaults to the default interface command containing the shutdown option. (That is, if you add a new card and then enter the write memory command, the shutdown option is saved into Flash memory for the interface.) When upgrading from a previous version to the current version, interfaces are enabled.
The configuration of the interface affects buffer allocation (the PIX Firewall will allocate more buffers for higher line speeds). Buffer allocation can be checked with the show blocks command.
Note
Note
Note
Usage Notes
1.
2.
show interface Notes
The show interface command lets you view network interface information for both Ethernet and Token Ring, depending on which is installed in your PIX Firewall. This is one of the first commands you should use when establishing network connectivity after installing a PIX Firewall.
The information in the show interface display is as follows:
•
•
•
•
•
•
•
•
•
•
•
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
If you get a late collision, a device is jumping in and trying to send on the Ethernet while the PIX Firewall is partly finished sending the packet. The PIX Firewall does not resend the packet, because it may have freed the buffers that held the first part of the packet.
This is not a real problem because networking protocols are designed to cope with collisions by resending packets. However, late collisions indicate a problem exists in your network. Common problems are large repeated networks and Ethernet networks running beyond the specification.
–
–
–
•
•
show interfaceinterface ethernet0 "outside" is up, line protocol is upHardware is i82559 ethernet, address is 00aa.0000.003bIP address 209.165.201.7, subnet mask 255.255.255.224MTU 1500 bytes, BW 100000 Kbit half duplex1184342 packets input, 1222298001 bytes, 0 no bufferReceived 26 broadcasts, 27 runts, 0 giants4 input errors, 0 CRC, 4 frame, 0 overrun, 0 ignored, 0 abort1310091 packets output, 547097270 bytes, 0 underruns, 0 unicast rpf drops0 output errors, 28075 collisions, 0 interface resets0 babbles, 0 late collisions, 117573 deferred0 lost carrier, 0 no carrier...The counters in the last three lines are as follows:
–
–
–
–
–
–
–
–
–
Examples
The following example assigns names to each interface, enables auto detection for the interface parameters, and then shows interface activity:
show interfaceinterface ethernet0 "outside" is up, line protocol is upHardware is i82557 ethernet, irq 10, address is 0060.7380.2f16IP address 209.165.201.1, subnet mask 255.255.255.224MTU 1500 bytes, BW 100000 Kbit half duplex0 packets input, 0 bytes, 0 no bufferReceived 0 broadcasts, 0 runts, 0 giants0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort1 packets output, 0 bytes, 0 underruns, 0 unicast rpf drops0 output errors, 28075 collisions, 0 interface resets0 babbles, 0 late collisions, 117573 deferred0 lost carrier, 0 no carrierinterface token-ring0 "inside" is up, line protocol is upHardware is o3137 token-ring, irq 9, address is 0000.8326.72c6IP address 10.0.0.1, subnet mask 255.0.0.0MTU 8192 bytes, BW 16000 Kbit, Ring-speed: 16Mbps116 packets input, 27099 bytes, 0 no bufferReceived 116 broadcasts, 0 runts, 0 giants0 input errors, 0 CRC, 116 frame, 0 overrun, 0 ignored, 0 abort3 packets output, 150 bytes, 0 underruns, 0 unicast rpf drops0 output errors, 28075 collisions, 0 interface resets0 babbles, 0 late collisions, 117573 deferred0 lost carrier, 0 no carrierinterface ethernet1 "DMZ" is up, line protocol is upHardware is i82557 ethernet, irq 9, address is 00a0.c95d.0282IP address 127.0.0.1, subnet mask 255.255.255.0MTU 1500 bytes, BW 10000 Kbit half duplex0 packets input, 0 bytes, 0 no bufferReceived 0 broadcasts, 0 runts, 0 giants0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort0 packets output, 0 bytes, 0 underruns, 0 unicast rpf drops0 output errors, 28075 collisions, 0 interface resets0 babbles, 0 late collisions, 117573 deferred0 lost carrier, 0 no carrierip address
Identify addresses for network interfaces. (Configuration mode.)
ip address if_name ip_address [netmask]
ip address if_name dhcp [setroute]
show ip address if_name [dhcp]
show ip
clear ip
Syntax Description
Usage Guidelines
The ip address command lets you assign an IP address to each interface.
Note
Use the show ip command to view which addresses are assigned to the network interfaces. If you make a mistake while entering this command, re-enter the command with the correct information. The clear ip command resets all interface IP addresses to 127.0.0.1. The clear ip command does not affect the ip local pool or ip verify reverse-route commands.
Note
After changing an ip address command, use the clear xlate command.
Note
Note
The default address for an interface is 127.0.0.1.
PIX Firewall configurations using failover require a separate IP address for each network interface on the Standby unit. The system IP address is the address of the Active unit. When the show ip command is executed on the Active unit, the current IP address is the same as the system IP address. When the show ip command is executed on the Standby unit, the system IP address is the failover IP address configured for the Standby unit.
The ip address dhcp command enables the DHCP client feature within the PIX Firewall. This command allows the PIX Firewall to be a DHCP client to a DHCP server that provides configuration parameters to the client. In this case, the configuration parameters the DHCP server provides is an IP address and a subnet mask to the interface on which the DHCP client feature is enabled. The optional setroute argument tells the PIX Firewall to set the default route using the default gateway parameter the DHCP server returns. If the setroute argument is configured, the show route command output shows the default route as being set by a DHCP server. To reset the interface and delete the DHCP lease from PIX Firewall, use the clear ip command. To clear the DHCP default route, use the clear route static command.
Note
Examples
The following is sample output for the show ip command:
show ipSystem IP Addresses:ip address outside 209.165.201.2 255.255.255.224ip address inside 192.168.2.1 255.255.255.0ip address perimeter 192.168.70.3 255.255.255.0Current IP Addresses:ip address outside 209.165.201.2 255.255.255.224ip address inside 192.168.2.1 255.255.255.0ip address perimeter 192.168.70.3 255.255.255.0The Current IP Addresses are the same as the System IP Addresses on the failover Active unit. When the Primary unit fails, the Current IP Addresses become those of the Standby unit.
The following is sample output for the show ip address dhcp command:
show ip address outside dhcpTemp IP Addr:209.165.201.57 for peer on interface:outsideTemp sub net mask:255.255.255.224DHCP Lease server:209.165.200.225, state:3 BoundDHCP Transaction id:0x4123Lease:259200 secs, Renewal:129600 secs, Rebind:226800 secsTemp default-gateway addr:209.165.201.1Next timer fires after:111797 secsRetry count:0, Client-ID:cisco-0000.0000.0000-outsideip audit
Configure IDS signature use. (Configuration mode.)
ip audit attack [action [alarm] [drop] [reset]]
no ip audit attack
show ip audit attack
ip audit info [action [alarm] [drop] [reset]]
no ip audit info
show ip audit info
ip audit interface if_name audit_name
no ip audit interface [if_name]
show ip audit interface
ip audit name audit_name attack [action [alarm] [drop] [reset]]
no ip audit name audit_name [attack]
show ip audit name [name [info | attack]]
ip audit name audit_name info [action [alarm] [drop] [reset]]
no ip audit name audit_name [info]
show ip audit name
ip audit signature signature_number disable
no ip audit signature signature_number
show ip audit signature [signature_number]
Syntax Description
Usage Guidelines
Cisco Secure Intrusion Detection System (Cisco Secure IDS) is an IP-only feature that provides some level of flexibility for the user to customize the amount of traffic that needs to be audited and logged.
The Cisco Secure IDS features provide the following:
•
•
•
•
•
Auditing is performed by looking at the IP packets as they arrive at an input interface, if a packet triggers a signature and the configured action does not drop the packet, then the same packet can trigger other signatures.
PIX Firewall supports both inbound and outbound auditing.
For a complete list of supported Cisco Secure IDS signatures, their wording, and whether they are attack or informational messages, refer to System Log Messages for the Cisco Secure PIX Firewall Version 5.2. You can view this document online at the following site:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v52/syslog/index.htm
Refer to the Cisco Secure Intrusion Detection System Version 2.2.1 User Guide for detailed information on each signature. You can view the "NSDB and Signatures" chapter of this guide at the following site:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids1/csidsug/sigs.htm
The ip audit commands are described in the sections that follow.
ip audit attack
The ip audit attack [action [alarm] [drop] [reset]] command specifies the default actions to be taken for attack signatures. An audit policy (audit rule) defines the attributes for all signatures that can be applied to an interface along with a set of actions. Using an audit policy may limit the traffic that is audited or specify actions to be taken when the signature matches. Each audit policy is identified by a name and can be defined for informational or attack signatures. Each interface can have two policies; one for informational signatures and one for attack signatures. If a policy is defined without actions, then the configured default actions will take effect. Each policy requires a different name.
The no ip audit attack command resets the action to be taken for attack signatures to the default action. The show ip audit attack command displays the default attack actions.
ip audit info
The ip audit info [action [alarm] [drop] [reset]] command specifies the default action to be taken for signatures classified as informational signatures.
The no ip audit info command sets the action to be taken for signatures classified as informational and reconnaissance to the default action. The show ip audit info displays the default informational actions.
To cancel event reactions, specify the ip audit info command without an action option.
ip audit interface
The ip audit interface if_name audit_name command applies an audit specification or policy (via the ip audit name command) to an interface. The no ip audit interface [if_name] command removes a policy from an interface. The show ip audit interface command displays the interface configuration.
ip audit name
The ip audit name audit_name info [action [alarm] [drop] [reset]] command specifies the informational signatures except those disabled or excluded by the ip audit signature command that are considered part of the policy. The no ip audit name audit_name [info] command removes the audit policy audit_name. The show ip audit name [name [info|attack]] command displays all audit policies or specific policies referenced by name and possibly type.
ip audit signature
The ip audit signature signature_number disable command specifies which messages to display, attaches a global policy to a signature, and disables or excludes a signature from auditing. The no ip audit signature signature_number command removes the policy from a signature. Used to reenable a signature. The show ip audit signature [signature_number] displays disabled signatures.
Supported IDS Signatures
PIX Firewall lists the following single-packet IDS signature messages: 1000-1006, 1101, 1103, 2000-2012, 2150, 2151, 2154, 3040-3042, 4050-4052, 6050-6053, 6100-6103, 6150-6155, 6175, 6180, 6190, and 8000. All signature messages are not supported by PIX Firewall in this release. IDS syslog messages all start with %PIX-4-4000nn and have the following format:
%PIX-4-4000nn IDS:sig_num sig_msg from faddr to laddr on interface int_nameFor example:
%PIX-4-400013 IDS:2003 ICMP redirect from 10.4.1.2 to 10.2.1.1 on interface dmz%PIX-4-400032 IDS:4051 UDP Snork attack from 10.1.1.1 to 192.168.1.1 on interface outsideOptions:
Examples
Disable signature 6102 globally:
ip audit signature 6102 disableSpecify default informational actions:
ip audit name attack1 infoSpecify an attack policy:
ip audit name attack2 attack action alarm drop resetApply a policy to an interface:
ip audit interface outside attack1ip audit interface inside attack2ip local pool
Identify addresses for a local pool. (Configuration mode)
ip local pool pool_name pool_start-address[-pool_end-address]
no ip local pool pool_name pool_start-address[-pool_end-address]
show ip local pool pool_name ip_address[-ip_address]
Syntax Description
Usage Guidelines
The ip local pool command lets you create a pool of local addresses to be used for assigning dynamic ip addresses to remote VPN clients. The address range of this pool of local addresses must not overlap with any command statement that lets you specify an IP address. To delete an address pool, use the no ip local pool command. Use the show ip local pool command to view usage information about the pool of local addresses.
When a pool of addresses set by the ip local pool command is empty, the following syslog message appears:
%PIX-4-404101: ISAKMP: Failed to allocate address for client from pool poolname
To reference this pool of local addresses, use the isakmp client configuration address-pool command. Refer to the IPSec User Guide for the Cisco Secure PIX Firewall Version 5.2 for information on the isakmp command.
Examples
The following example creates a pool of IP addresses and then displays the pool contents:
ip local pool mypool 10.0.0.10-10.0.0.20show ip local pool mypoolPool Begin End Free In usemypool 10.0.0.10 10.0.0.20 11 0Available Addresses:10.0.0.1010.0.0.1110.0.0.1210.0.0.1310.0.0.1410.0.0.1510.0.0.1610.0.0.1710.0.0.1810.0.0.1910.0.0.20ip verify reverse-path
Implement unicast RPF IP spoofing protection. (Configuration mode.)
ip verify reverse-path interface int_name
no ip verify reverse-path interface int_name
show ip verify [reverse-path [interface int_name]]
clear ip verify [reverse-path [interface int_name]]
Syntax Description
Usage Guidelines
The ip verify reverse-path command lets you specify which interfaces to protect from an IP spoofing attack using network ingress and egress filtering, which is described in RFC 2267. This command is disabled by default and provides unicast RPF (Reverse Path Forwarding) functionality for the PIX Firewall. The show ip verify command lists the ip verify commands in the configuration. The clear ip verify command removes ip verify commands from the configuration. Unicast RPF is a unidirectional input function that screens inbound packets arriving on an interface. Outbound packets are not screened.
Due to the danger of IP spoofing in the IP protocol, measures need to be taken to reduce this risk when possible. Unicast RPF (Reverse Path Forwarding), or reverse route lookups, prevents such manipulation under certain circumstances.
Note
The ip verify reverse-path command provides both ingress and egress filtering. Ingress filtering checks inbound packets for IP source address integrity, and is limited to addresses for networks in the enforcing entity's local routing table. If the incoming packet does not have a source address represented by a route, then it is impossible to know whether the packet has arrived on the best possible path back to its origin. This is often the case when routing entities cannot maintain routes for every network.
Egress filtering verifies that packets destined for hosts outside the managed domain have IP source addresses verifiable by routes in the enforcing entity's local routing table. If an exiting packet does not arrive on the best return path back to the originator, then the packet is dropped and the activity logged. Egress filtering prevents internal users from launching attacks using IP source addresses outside of the local domain because most attacks use IP spoofing to hide the identity of the attacking host. Egress filtering makes the task of tracing the origin of an attack much easier. When employed, egress filtering enforces what IP source addresses are obtained from a valid pool of network addresses. Addresses are kept local to the enforcing entity and are therefore easily traceable.
Unicast RPF is implemented as follows:
•
•
Note
Use the show interface command to view the number dropped packets, which appears in the "unicast rpf drops" counter.
Examples
The following example protects traffic between the inside and outside interfaces and provides route command statements for two networks 10.1.2.0 and 10.1.3.0 that connect to the inside interface via a hub:
ip address inside 10.1.1.1 255.255.0.0route inside 10.1.2.0 255.255.0.0 10.1.1.1 1route inside 10.1.3.0 255.255.0.0 10.1.1.1 1ip verify reverse-path interface outsideip verify reverse-path interface insideThe ip verify reverse-path interface outside command statement protects the outside interface from network ingress attacks from the Internet, whereas the ip verify reverse-path interface inside command statement protects the inside interface from network egress attacks from users on the internal network.
kill
Terminate a Telnet session. (Privileged mode.)
kill telnet_id
Syntax Description
