
Command Reference


This chapter provides detailed descriptions of the following PIX Firewall commands:

aaa

aaa authentication

aaa-server

access-group

access-list

alias

arp

auth-prompt

ca generate rsa key

clear Commands

clock

conduit

configure

copy tftp flash

debug

dhcpd

disable

eeprom

enable

enable password

established

exit

failover

filter

fixup protocol

flashfs

floodguard

fragment

global

help

hostname

http

icmp

interface

ip address

ip audit

ip local pool

ip verify reverse-path

isakmp policy

kill

local-host (clear and show)

logging

mtu

name / names

nameif

nat

outbound / apply

pager

passwd

pdm

perfmon

ping

quit

reload

rip

route

service

setup

session

show

show blocks / clear blocks

show checksum

show conn

show history

show interface

show memory

show processes

show tech-support

show traffic/clear traffic

show uauth

show version

show xlate

shun

snmp-server

ssh

static

syslog

sysopt

telnet

terminal

tftp-server

timeout

uauth (clear and show)

url-cache

url-server

virtual

vpdn

who

write

xlate (clear and show)


Note The IPSec-related commands are described in the "Command Reference" chapter of the Cisco PIX Firewall IPSec User Guide Version 6.0.


Before reading the PIX Firewall "Command Reference" chapter, read the following:

Chapter 1, "Introduction," for command line guidelines and ports and protocols information.

Chapter 2, "Configuring the PIX Firewall," to configure PIX Firewall and test connectivity.

Cisco PIX Firewall IPSec User Guide Version 6.0 for background information about IPSec and its components, and how to implement these IPSec features in the PIX Firewall to create a Virtual Private Network (VPN).

The following notes can help you as you configure the PIX Firewall:

View your configuration at any time with the write terminal command.

Save your configuration frequently with the write memory command.

Always check the syntax before entering a command. Enter a command and press the Enter key to view a quick summary, or precede a command with help, as in, help aaa.

View syslog messages as you work on the PIX Firewall. Start accumulating messages with the logging buffered debugging command, view messages with the show logging command, and clear the message buffer with the clear logging command. Syslog messages are described in Cisco PIX Firewall System Log Messages, Version 6.0.

PIX Firewall documentation is available online at the following websites:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/prod_technical_documentation.html

http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/prod_technical_documentation.html

Abbreviate commands, for example, using con te to start configuration mode, wr t to list the configuration, and wr m to write to Flash memory. Start logging with lo b 7 and show logging messages with sh lo.

After changing or removing the alias, access-list, conduit, global, nat, outbound, and static commands, use the clear xlate command to make the IP addresses available for access. If traffic is not moving correctly, reboot the PIX Firewall.

You can view possible port and protocol numbers at the following IANA websites:

http://www.isi.edu/in-notes/iana/assignments/port-numbers
http://www.isi.edu/in-notes/iana/assignments/protocol-numbers

Create your configuration on a text editor and cut and paste it into the configuration. PIX Firewall allows you to paste in a line at a time or the whole configuration. Always check your configuration after pasting large blocks of text to be sure everything copied.

aaa

Enable, disable, or view TACACS+ or RADIUS user authentication, authorization, and accounting for the server previously designated with the aaa-server command. (Configuration mode.)

aaa accounting include | exclude acctg_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag

no aaa accounting include | exclude acctg_service inbound | outbound | if_name group_tag

aaa accounting match acl_name inbound | outbound | if_name group_tag

no aaa accounting match acl_name inbound | outbound | if_name group_tag

aaa authentication include | exclude authen_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag

no aaa authentication [include | exclude authen_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag]

aaa authentication match acl_name inbound | outbound | if_name group_tag

no aaa authentication match acl_name inbound | outbound | if_name group_tag

aaa authentication [serial | enable | telnet | ssh | http] console group_tag

[no] aaa authentication [serial | enable | telnet | ssh | http] console group_tag

aaa authorization include | exclude author_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask

no aaa authorization [include | exclude author_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask]

aaa authorization match acl_name inbound | outbound | if_name group_tag

no aaa authorization match acl_name inbound | outbound | if_name group_tag

clear aaa [accounting include | exclude acctg_service inbound | outbound | if_name group_tag]

clear aaa [authentication include | exclude authen_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag]

clear aaa [authorization [include | exclude author_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask]]

show aaa

Syntax Description

accounting

Enable or disable accounting services with the authentication server. Use of this command requires that you previously used the aaa-server command to designate an authentication server.

include

Create a new rule with the specified service to include.

exclude

Create an exception to a previously stated rule by excluding the specified service from authentication, authorization, or accounting to the specified host. The exclude parameter improves the former except option by allowing the user to specify a port to exclude to a specific host or hosts.

acctg_service

The accounting service. Accounting is provided for all services or you can limit it to one or more services. Possible values are any, ftp, http, telnet, or protocol/port. Use any to provide accounting for all TCP services. To provide accounting for UDP services, use the protocol/port form.

For protocol/port, the TCP protocol appears as 6, the UDP protocol appears as 17, and so on, and port is the TCP or UDP destination port. A port value of 0 (zero) means all ports. For protocols other than TCP and UDP, the port is not applicable and should not be used.

match acl_name

Specify an access-list command statement name.

authentication

Enable or disable user authentication, prompt user for username and password, and verify information with authentication server.

When used with the console option, enables or disables authentication service for access to the PIX Firewall console over Telnet or from the Console connector on the PIX Firewall unit.

Use of the aaa authentication command requires that you previously used the aaa-server command to designate an authentication server.

The aaa authentication command supports HTTP authentication. The PIX Firewall requires authentication verification of the HTTP server through the aaa authentication http console command before PDM can access the PIX Firewall.

authen_service

The application with which a user is accessing a network. Use any, ftp, http, or telnet. The any value enables accounting or authentication for all TCP services. To have users prompted for authentication credentials, they must use FTP, HTTP, or Telnet. (HTTP is the Web and only applies to web browsers that can prompt for a username and password.)

If the authentication or authorization server is authenticating services other than FTP, HTTP, or Telnet, using any will not permit those services to authenticate in the firewall. The firewall only knows how to communicate with FTP, HTTP, and Telnet for authentication and authorization.

Only set this parameter to a service other than any if the authentication or authorization server is set the same way. Unless you want to temporarily restrict access to a specific service, setting a service in this command can increase system administration work and may cause all connections to fail if the authentication or authorization server is authenticating one service and you set this command to another.

authorization

Enable or disable TACACS+ user authorization for services (PIX Firewall does not support RADIUS authorization). The authentication server determines what services the user is authorized to access.

author_service

The services which require authorization. Use any, ftp, http, telnet, or protocol/port. Services not specified are authorized implicitly. Services specified in the aaa authentication command do not affect the services which require authorization.

For protocol/port:

protocol—the protocol (6 for TCP, 17 for UDP, 1 for ICMP, and so on).

port—the TCP or UDP destination port, or port range. The port can also be the ICMP type; that is, 8 for ICMP echo or ping. A port value of 0 (zero) means all ports. Port ranges apply only to the TCP and UDP protocols, not to ICMP. For protocols other than TCP, UDP, and ICMP the port is not applicable and should not be used. An example port specification follows:

aaa authorization include udp/53-1024 inside 0 0 0 0

This example enables authorization for DNS lookups to the inside interface for all clients, and authorizes access to any other services that have ports in the range of 53 to 1024.

Note Specifying a port range may produce unexpected results at the authorization server. PIX Firewall sends the port range to the server as a string with the expectation that the server will parse it out into specific ports. Not all servers do this. In addition, you may want users to be authorized on specific services, which will not occur if a range is accepted.

inbound

Authenticate or authorize inbound connections. Inbound means the connection originates on the outside interface and is being directed to the inside interface.

outbound

Authenticate or authorize outbound connections. Outbound means the connection originates on the inside and is being directed to the outside interface.

if_name

Interface name from which users require authentication. Use if_name in combination with the local_ip address and the foreign_ip address to determine where access is sought and from whom. The local_ip address is always on the highest security level interface and foreign_ip is always on the lowest. See the Examples section for how the if_name affects the use of this command.

local_ip

The IP address of the host or network of hosts that you want to be authenticated or authorized. You can set this address to 0 to mean all hosts and to let the authentication server decide which hosts are authenticated.

local_mask

Network mask of local_ip. Always specify a specific mask value. Use 0 if the IP address is 0. Use 255.255.255.255 for a host.

foreign_ip

The IP address of the hosts you want to access the local_ip address. Use 0 to mean all hosts.

foreign_mask

Network mask of foreign_ip. Always specify a specific mask value. Use 0 if the IP address is 0. Use 255.255.255.255 for a host.

serial

Access verification for the PIX Firewall unit's serial console.

enable

Access verification for the PIX Firewall unit's privilege mode.

telnet

Access verification for the Telnet access to the PIX Firewall console.

ssh

Access verification for the SSH access to the PIX Firewall console.

http

Access verification for the HTTP (Hypertext Transfer Protocol) access to the PIX Firewall (via PDM).

group_tag

The AAA server group tag defined by the aaa-server command.

console

Specify that access to the PIX Firewall console require authentication and optionally, log configuration changes to a syslog server.

The aaa authentication serial console command allows you to require authentication verification to access the PIX Firewall unit's serial console. The serial console option also logs to a syslog server any changes made to the configuration from the serial console.

Authenticated access to the PIX Firewall console has different types of prompts depending on the option you choose with the aaa authentication [serial | enable | telnet | ssh] console command. While the enable and ssh options allow three tries before stopping with an access denied message, both the serial and telnet options cause the user to be prompted continually until successfully logging in. The serial option requests a username and password before the first command line prompt on the serial console connection. The telnet option forces you to specify a username and password before the first command line prompt of a Telnet console connection. The enable option requests a username and password before accessing privileged mode for serial, Telnet, or SSH connections. The ssh option requests a username and password before the first command line prompt on the SSH console connection and allows a maximum of three authentication attempts.

Telnet access to the PIX Firewall console is available from any internal interface, and from the outside interface with IPSec configured, and requires previous use of the telnet command. SSH access to the PIX Firewall console is also available from any interface without IPSec configured, and requires previous use of the ssh command.

The new ssh option specifies the group of AAA servers to be used for SSH user authentication. The authentication protocol and AAA server IP addresses are defined with the aaa-server command statement.

Similar to the Telnet model, if an aaa authentication ssh console group_tag command statement is not defined, you can gain access to the PIX Firewall console with the username pix and with the PIX Firewall Telnet password (set with the passwd command). If the aaa command is defined but the SSH authentication requests a timeout, which implies the AAA servers may be down or not available, you can gain access to the PIX Firewall using username pix and the enable password (set with the enable password command). By default, the Telnet password is cisco and the enable password is not set.

If the console login request times out, you can gain access to the PIX Firewall from the serial console by entering the pix username and the enable password.

The maximum password length for accessing the console is 16 characters.


Usage Guidelines

The aaa command enables or disables the following AAA (Authentication, Authorization, and Accounting) features:

User authentication services provided by a TACACS+ or RADIUS server are first designated with the aaa-server command. A user starting a connection via FTP, Telnet, or over the World Wide Web is prompted for their username and password. If the username and password are verified by the designated TACACS+ or RADIUS authentication server, the PIX Firewall unit will allow further traffic between the authentication server and the connection to interact independently through the PIX Firewall unit's "Cut-Through Proxy" feature.

User authorization services which control which network services a user can access. After a user is authenticated, attempts to access restricted services cause the PIX Firewall unit to verify the access permissions of the user with the designated AAA server.

User accounting services keep a record of which network services a user has accessed. These records are also kept on the designated AAA server. Accounting information is only sent to the active server in a server group.

Administrative authentication services providing access to the PIX Firewall unit's console via Telnet, SSH, or the serial console. Telnet access requires previous use of the telnet command. SSH access requires previous use of the ssh command.

For additional information, see Usage Note 17.


Note RADIUS authorization is supported by using an access-list command statement and configuring the RADIUS server to send an acl=acl_name vendor-specific identifier. Refer to the access-list command page for more information. Also see the aaa-server radius- commands.



Note If the AAA console login request times out, you can gain access to the PIX Firewall from the serial console by entering the pix username and the enable password.


match acl_name Option Usage

The syntax for this command is as follows:

aaa authentication | authorization | accounting match acl_name inbound | outbound | interface_name group_tag

An example is as follows:

show access-list 
access-list mylist permit tcp 10.0.0.0 255.255.255.0 172.23.2.0 255.255.255.0 (hitcnt=0) 
access-list yourlist permit tcp any any (hitcnt=0)
show aaa 
aaa authentication match mylist outbound TACACS+ 

Similar to IPSec, the keyword permit means "yes" and deny means "no." Therefore, the following command:

aaa authentication match yourlist outbound tacacs

is equal to this command:

aaa authentication include any outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 tacacs

The aaa command statement list is order dependent between access_list command statements. If the following command is entered:

aaa authentication match yourlist outbound tacacs

after this command:

aaa authentication match mylist outbound TACACS+

PIX Firewall tries to find a match in the mylist access-list command statement group before it tries to find a match in the yourlist access-list command statement group.

Old aaa command configuration and functionality stays the same and is not converted to the access-list format. Hybrid configurations, that is, old configurations combined with the new access-list configuration, are not recommended.

Usage Notes

1. The maximum username prompt for HTTP authentication is 30 characters. The maximum password length is 15 characters.

2. The aaa command is not intended to mandate your security policy. The authentication and authorization servers determine whether a user can or cannot access the system, what services can be accessed, and what IP addresses the user can access. The PIX Firewall interacts with FTP, HTTP (Web access), and Telnet to display the credentials prompts for logging in to the network or logging in to exit the network. You can specify that only a single service be authenticated, but this must agree with the authentication server to ensure that both the firewall and server agree.

3. Accounting information is only sent to the active server in a server group.

4. The new include and exclude options are not backward compatible with previous PIX Firewall versions. If you downgrade to an earlier version, the aaa command statements will be removed from your configuration.

5. The prompts users see requesting AAA credentials differ between the three services that can access the PIX Firewall for authentication: Telnet, FTP, and HTTP (Web):

a. Telnet users see a prompt generated by the PIX Firewall that you can change with the auth-prompt command. The PIX Firewall permits a user up to four chances to log in and then if the username or password still fails, the PIX Firewall drops the connection.

b. FTP users receive a prompt from the FTP program. If a user enters an incorrect password, the connection is dropped immediately. If the username or password on the authentication database differs from the username or password on the remote host to which you are using FTP to access, enter the username and password in these formats:

authentication_user_name@remote_system_user_name
authentication_password@remote_system_password

If you daisy-chain PIX Firewall units, Telnet authentication works in the same way as a single unit, but FTP and HTTP authentication have additional complexity for users because they have to enter each password and username with an additional at (@) character and password or username for each daisy-chained system. Users can exceed the 63-character password limit depending on how many units are daisy-chained and password length.

Some FTP graphical user interfaces (GUIs) do not display challenge values.

c. HTTP users see a pop-up window generated by the browser itself. If a user enters an incorrect password, the user is reprompted. When the web server and the authentication server are on different hosts, use the virtual command to get the correct authentication behavior.

6. Use of the aaa authorization command requires previous use of the aaa authentication command; however, use of the aaa authentication command does not require use of an aaa authorization command.

7. If you want to allow connections to come from any host, code the local IP address and netmask as 0.0.0.0 0.0.0.0, or 0 0. The same convention applies to the foreign host IP address and netmask; 0.0.0.0 0.0.0.0 means any foreign host.

8. Authenticated access to the PIX Firewall console has different types of prompts depending on the option you choose with the aaa authentication ... console command:

a. enable option—Allows three tries before stopping with "Access denied." The enable option requests a username and password before accessing privileged mode for serial or Telnet connections.

b. serial option—Causes the user to be prompted continually until successfully logging in. The serial option requests a username and password before the first command line prompt on the serial console connection.

c. telnet option—Causes the user to be prompted continually until successfully logging in. The telnet option forces you to specify a username and password before the first command line prompt of a Telnet console connection.

9. You can specify an interface name with aaa authentication. In previous versions, if you specified aaa authentication include any outbound 0 0 server, PIX Firewall only authenticated outbound connections and not those to the perimeter interface. PIX Firewall now authenticates any outbound connection to the outside as well as to hosts on the perimeter interface. To preserve the behavior of previous versions, use these commands to enable authentication and to disable authentication from the inside to the perimeter interface:

aaa authentication include any outbound 0 0 server
aaa authentication exclude outbound perim_net perim_mask server

10. When using HTTP authentication to a site running Microsoft IIS that has "Basic text authentication" or "NT Challenge" enabled, users may be denied access from the Microsoft IIS server. This occurs because the browser appends the string: "Authorization: Basic=Uuhjksdkfhk==" to the HTTP GET commands. This string contains the PIX Firewall authentication credentials.

Windows NT Microsoft IIS servers respond to the credentials and assume that a Windows NT user is trying to access privileged pages on the server. Unless the PIX Firewall username password combination is exactly the same as a valid Windows NT username and password combination on the Microsoft IIS server, the HTTP GET command is denied.

To solve this problem, PIX Firewall provides the virtual http command which redirects the browser's initial connection to another IP address, authenticates the user, then redirects the browser back to the URL which the user originally requested.

Once authenticated, a user never has to reauthenticate no matter how low the PIX Firewall uauth timeout is set. This is because the browser caches the "Authorization: Basic=Uuhjksdkfhk==" string in every subsequent connection to that particular site. This can only be cleared when the user exits all instances of Netscape Navigator or Internet Explorer and restarts. Flushing the cache is of no use.

As long as the user repeatedly browses the Internet, the browser resends the "Authorization: Basic=Uuhjksdkfhk==" string to transparently reauthenticate the user.

11. Multimedia applications such as CU-SeeMe, InternetPhone, MeetingPoint, and MS Netmeeting silently start the HTTP service before an H.323 session is established from the inside to the outside.

To avoid interfering with these applications, do not enter blanket outgoing AAA command statements for all challenged ports such as using the any option. Be selective with which ports and addresses you use to challenge HTTP, and when to set user authentication timeouts to a higher timeout value. If interfered with, the multimedia programs may fail on the PC and may even crash the PC after establishing outgoing sessions from the inside.

12. For outbound connections, first use the nat command to determine which IP addresses can access the firewall. For inbound connections, first use the static and access-list command statements to determine which inside IP addresses can be accessed through the firewall from the outside network.

13. When a host is configured for authentication, all users on the host have to use a web browser or Telnet first before performing any other networking activity, such as accessing mail or a news reader. The reason for this is that users must first establish their authentication credentials and programs such as mail agents and newsreaders do not have authentication challenge prompts.

14. The PIX Firewall only accepts 7-bit characters during authentication. After authentication, the client and server can negotiate for 8-bits if required. During authentication, the PIX Firewall only negotiates Go-Ahead, Echo, and NVT (network virtual terminal).

15. Up to 196 TACACS+ or RADIUS servers are permitted (up to 14 servers in each of the up to 14 server groups—set with the aaa-server command). When a user logs in, the servers are accessed one at a time starting with the first server you specify in the configuration, until a server responds.

16. For each IP address, one aaa authentication command is permitted for inbound connections and one for outbound connections. Also, for an IP address, one aaa authorization command is permitted. If you want to authorize more than one service with aaa authorization, use the any parameter for the service type.

17. The PIX Firewall permits only one authentication type per network. For example, if one network connects through the PIX Firewall using TACACS+ for authentication, another network connecting through the PIX Firewall can authenticate with RADIUS, but one network cannot authenticate with both TACACS+ and RADIUS.

18. For the TACACS+ server, if you do not specify a key to the aaa-server command, no encryption occurs.

19. Network browsers such as Netscape Navigator do not present a challenge value during authentication; therefore, only password authentication can be used from a network browser.

20. PIX Firewall supports authentication usernames up to 127 characters and passwords of up to 63 characters. A password or username may not contain an at (@) character as part of the password or username string, except as shown in Note 5.

21. The PIX Firewall displays the same timeout message for both RADIUS and TACACS+. The message "aaa server host machine not responding" displays when either of the following occurs:

a. The AAA server system is down.

b. The AAA server system is up, but the service is not running.

Previously, TACACS+ differentiated the two states above and provided two different timeout messages, while RADIUS did not differentiate the two states and provided one timeout message.

22. If the first attempt at authorization fails and a second attempt causes a timeout, use the service resetinbound command to reset the client that failed the authorization so that it will not retransmit any connections. An example authorization timeout message in Telnet follows:

Unable to connect to remote host: Connection timed out

See also: aaa-server, auth-prompt, service, ssh, telnet, virtual.

Examples

1. The following example lists the new include and exclude options:

aaa authentication include any outbound 172.31.0.0 255.255.0.0 0.0.0.0 0.0.0.0 tacacs+
aaa authentication exclude telnet outbound 172.31.38.0 255.255.255.0 0.0.0.0 0.0.0.0 tacacs+

2. The following examples demonstrate ways to use the if_name parameter. The PIX Firewall has an inside network of 192.168.1.0, an outside network of 209.165.201.0 (subnet mask 255.255.255.224), and a perimeter network of 209.165.202.128 (subnet mask 255.255.255.224).

This example enables authentication for connections originated from the inside network to the outside network:

aaa authentication include any outbound 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224 tacacs+

This example enables authentication for connections originated from the inside network to the perimeter network:

aaa authentication include any outbound 192.168.1.0 255.255.255.0 209.165.202.128 255.255.255.224 tacacs+

This example enables authentication for connections originated from the outside network to the inside network:

aaa authentication include any inbound 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224 tacacs+

This example enables authentication for connections originated from the outside network to the perimeter network:

aaa authentication include any inbound 209.165.201.0 255.255.255.224 209.165.202.128 255.255.255.224 tacacs+

This example enables authentication for connections originated from the perimeter network to the outside network:

aaa authentication include any perimeter 209.165.202.128 255.255.255.224 209.165.201.0 255.255.255.224 tacacs+

3. This example specifies that IP addresses 10.0.0.1 through 10.0.0.254 can originate outbound connections and then enables user authentication so that those addresses must enter user credentials to exit the firewall. In this example, the first aaa authentication command permits authentication on FTP, HTTP, or Telnet depending on what the authentication server handles. The second aaa authentication command lets host 10.0.0.42 start outbound connections without being authenticated. This example uses the default authentication group tacacs+:

nat (inside) 1 10.0.0.0 255.255.255.0
aaa authentication include any outbound 0 0 tacacs+
aaa authentication exclude any outbound 10.0.0.42 255.255.255.255 0 0 tacacs+

4. This example permits inbound access to any IP address in the range 209.165.201.1 through 209.165.201.30, indicated by the 209.165.201.0 network address (subnet mask 255.255.255.224). The static command maps those global addresses to the inside 10.16.1.0 hosts, the access-list command permits TCP from any outside host to the global addresses, and the aaa authentication command permits authentication on FTP, HTTP, or Telnet, depending on what the authentication server handles. The authentication server is at IP address 10.16.1.20 on the inside interface:

aaa-server AuthIn protocol tacacs+
aaa-server AuthIn (inside) host 10.16.1.20 thisisakey timeout 20
static (inside,outside) 209.165.201.0 10.16.1.0 netmask 255.255.255.224
access-list acl_out permit tcp any 209.165.201.0 255.255.255.224
access-group acl_out in interface outside
aaa authentication include any inbound 0 0 AuthIn

5. This example enables authorization for DNS lookups from the outside interface:

aaa authorization include udp/53 inbound 0.0.0.0 0.0.0.0

6. This example enables authorization of ICMP echo-reply packets arriving at the inside interface from inside hosts:

aaa authorization include 1/0 outbound 0.0.0.0 0.0.0.0

This means that users will not be able to ping external hosts if they have not been authenticated using Telnet, HTTP, or FTP.

7. This example enables authorization for ICMP echoes (pings) only that arrive at the inside interface from an inside host:

aaa authorization include 1/8 outbound 0.0.0.0 0.0.0.0 

aaa authentication

The aaa authentication command has been modified to support PDM authentication. Before PDM can access the PIX Firewall, the PIX Firewall HTTP server must be configured to verify logins through the aaa authentication http console command.

[no] aaa authentication [serial | enable | telnet | ssh | http] console group_tag

Syntax Description

authentication

Enable or disable user authentication, prompt user for username and password, and verify information with the authentication server.

serial

Access verification for the PIX  Firewall unit's serial console.

enable

Access verification for the PIX  Firewall unit's privilege mode.

telnet

Access verification for the Telnet access to the PIX  Firewall console.

ssh

Access verification for the SSH access to the PIX  Firewall console.

http

Access verification for the HTTP (Hypertext Transfer Protocol) access to the PIX  Firewall (via PDM).

console

Specifies that access to the PIX Firewall console requires authentication.

group_tag

The AAA server group tag defined by the aaa-server command.


Defaults

If an aaa authentication http console group_tag command statement is not defined, you can gain access to the PIX Firewall (via PDM) with no username and the PIX Firewall enable password (set with the enable password command). If the aaa command is defined but the HTTP authentication request times out, which implies the AAA servers may be down or unavailable, you can gain access to the PIX Firewall using the username pix and the enable password. By default, the enable password is not set; set one before relying on AAA for PDM access, because an unreachable AAA server otherwise reduces the PDM login to an empty enable password.

Usage Guidelines

Use of the aaa authentication command requires that you previously used the aaa-server command to designate an authentication server.

The web browser prompts for the username and password with a pop-up window.

Examples

pixfirewall(config)# aaa authentication telnet console radius

Related Commands

aaa-server

http

setup

aaa-server

Specify an AAA server. (Configuration mode.)

aaa-server group_tag (if_name) host server_ip key timeout seconds

no aaa-server group_tag (if_name) host server_ip key timeout seconds

aaa-server group_tag protocol auth_protocol

aaa-server radius-acctport port

aaa-server radius-authport port

clear aaa-server [group_tag]

show aaa-server

Syntax Description

aaa-server

Specifies an AAA server or up to 14 groups of servers with a maximum of 14 servers each. Certain types of AAA services can be directed to different servers. Services can also be set up to fail over to multiple servers.

group_tag

An alphanumeric string which is the name of the server group. Use the group_tag in the aaa command to associate aaa authentication and aaa accounting command statements to an AAA server. Up to 14 server groups are permitted.

if_name

The interface name on which the server resides.

host server_ip

The IP address of the TACACS+ or RADIUS server.

key

A case-sensitive, alphanumeric keyword of up to 127 characters that is the same value as the key configured on the TACACS+ or RADIUS server. Any characters entered past 127 are ignored. The key must be the same on both the client and server systems. Spaces are not permitted in the key, but other special characters are. With TACACS+, the key encrypts the body of each packet; with RADIUS, it only obfuscates the User-Password attribute and authenticates the server's responses, so user names and other attributes cross the network in the clear. Choose a long, random key: a short or guessable key lets anyone who can capture the exchange recover the key, and then user passwords, offline.

timeout seconds

A retransmit timer. The PIX Firewall waits this many seconds for a reply and makes up to four attempts in total before choosing the next AAA server in the group. The default is 5 seconds. The maximum is 30 seconds.

For example, if the timeout value is 10 seconds, the PIX Firewall sends the request, waits 10 seconds, and if no acknowledgment is received, tries three more times for a total of 40 seconds before the next AAA server is selected.

protocol auth_protocol

The type of AAA server, either tacacs+ or radius.

aaa-server radius-acctport

Sets the port number of the RADIUS server which the PIX Firewall unit will use for accounting functions. The default port number used for RADIUS accounting is 1646.

aaa-server radius-authport

Sets the port number of the RADIUS server which the PIX Firewall will use for authentication functions. The default port number used for RADIUS authentication is 1645.

port

Specifies the destination UDP port number on the remote RADIUS server host to which the PIX Firewall sends authentication or accounting requests.

These port pairs are listed as assigned to authentication and accounting services on RADIUS servers:

1645 (authentication), 1646 (accounting) - default for PIX Firewall

1812 (authentication), 1813 (accounting) - alternate

You can view these and other commonly used port number assignments online at the following website:

http://www.isi.edu/in-notes/iana/assignments/port-numbers

See "Ports" in Chapter 1, "Introduction," for additional information.

no aaa-server

Unbinds an AAA server from an interface or host.

show aaa-server

Displays configuration information of an AAA server in the configuration.

clear aaa-server

Removes an AAA server from the configuration.


Defaults

By default, the PIX Firewall listens for RADIUS on ports 1645 for authentication and 1646 for accounting.

Usage Guidelines

The aaa-server command allows you to specify an AAA server group. PIX Firewall allows you to define separate groups of TACACS+ or RADIUS servers for different types of traffic, such as a TACACS+ server for inbound traffic and another for outbound traffic. Another use is where all outbound HTTP traffic is authenticated by a TACACS+ server and all inbound traffic uses RADIUS.

AAA server groups are defined by a tag name that directs different types of traffic to each authentication server. If the first authentication server in the list fails, the AAA subsystem fails over to the next server in the tag group. You can have up to 14 tag groups and each group can have up to 14 AAA servers for a total of up to 196 AAA servers.

If your RADIUS server uses ports 1812 for authentication and 1813 for accounting, you are required to reconfigure the PIX Firewall to use ports 1812 and 1813.


Note This is a global setting that takes effect when RADIUS service is started. The default ports are 1645 for authentication and 1646 for accounting, the ports used by early RADIUS implementations (see RFC 2058). Newer RADIUS servers use the officially assigned ports 1812 and 1813 defined in RFC 2138 and RFC 2139. If your server uses ports other than 1645 and 1646, define the ports with the aaa-server radius-authport and aaa-server radius-acctport commands before starting the RADIUS service with the aaa-server command.
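
The following Python is an added illustration, not PIX code or part of this reference, of what the shared key and the port settings above actually cover on the wire. It assembles an RFC 2865 Access-Request the way a RADIUS client such as the PIX Firewall would, hides the User-Password attribute with the key, and verifies the Response Authenticator on the reply. The user name, password, NAS address and key are made-up values; the port pairs are the two listed above.

```python
"""RFC 2865 Access-Request construction and Access-Accept verification.

Added example: shows what the aaa-server key protects. Only User-Password
is obfuscated (keyed by the secret); the reply is authenticated with the
secret; everything else in the packet is cleartext.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2          # packet codes (RFC 2865)
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
RADIUS_PORTS = {"legacy": (1645, 1646), "assigned": (1812, 1813)}  # (auth, acct)


def _tlv(attr_type: int, value: bytes) -> bytes:
    """One attribute as Type, Length, Value; Length includes the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: zero-pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return bytes(out)


def decode_user_password(cipher: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of encode_user_password (what the server does on receipt)."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(cipher), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], pad))
        prev = cipher[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def build_access_request(ident: int, user: bytes, password: bytes, nas_ip: str,
                         secret: bytes, request_auth: bytes = b"") -> bytes:
    """Assemble a complete Access-Request; request_auth defaults to 16 random bytes."""
    request_auth = request_auth or os.urandom(16)
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    attrs = (_tlv(ATTR_USER_NAME, user)
             + _tlv(ATTR_USER_PASSWORD, encode_user_password(password, secret, request_auth))
             + _tlv(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def parse_attributes(packet: bytes) -> dict:
    """Walk the attribute TLVs. Needs no secret: User-Name and NAS-IP-Address
    are readable by anyone on the path; only User-Password is hidden."""
    attrs, pos = {}, 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def build_response(code: int, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Server side: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """Client side: a reply whose authenticator does not verify under the shared
    secret must be dropped; this is what defeats a forged Access-Accept."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


if __name__ == "__main__":
    key = b"thisisakey"                                   # constructed, see aaa-server examples
    req = build_access_request(7, b"alice", b"s3cret!", "10.16.1.1", key)
    seen = parse_attributes(req)                          # what a sniffer sees without the key
    print("cleartext user:", seen[ATTR_USER_NAME], "to port", RADIUS_PORTS["legacy"][0])
    accept = build_response(ACCESS_ACCEPT, req, b"", key)
    print("accept verifies:", verify_response(req, accept, key),
          "forged (wrong key):", verify_response(req, accept, b"guess"))
```

Parsing the request without the key shows the User-Name and NAS-IP-Address attributes in the clear and only User-Password hidden, and a reply built with a different key fails verify_response. Both facts argue for a long random key and for keeping the RADIUS exchange on a trusted management network rather than treating the key as transport encryption.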


The aaa command references the tag group.


Note The previous server type option at the end of the aaa authentication and aaa accounting commands has been replaced with the aaa-server group tag. Backward compatibility with previous versions is maintained by the inclusion of two default protocols for TACACS+ and RADIUS.


If accounting is in effect, the accounting information goes only to the active server.

The default configuration provides these two aaa-server protocols:

aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius

Note Changing authentication and accounting port settings is possible. By default, PIX Firewall sends RADIUS requests to ports 1645 and 1646. If your RADIUS server uses ports 1812 and 1813, reconfigure the PIX Firewall to use ports 1812 and 1813 with the aaa-server radius-authport and aaa-server radius-acctport commands.



Note If you are upgrading from a previous version of PIX Firewall and have aaa command statements in your configuration, using the default server groups allows you to maintain backward compatibility with the aaa command statements in your configuration.


Examples

1. This example uses the default protocol tacacs+ with the aaa commands:

aaa-server TACACS+ (inside) host 10.1.1.10 thekey timeout 20
aaa authentication include any outbound 0 0 0 0 TACACS+
aaa authorization include any outbound 0 0 0 0
aaa accounting include any outbound 0 0 0 0 TACACS+
aaa authentication serial console TACACS+

This example specifies that the authentication server with the IP address 10.1.1.10 resides on the inside interface and is in the default TACACS+ server group. The next three command statements specify that any users starting outbound connections to any foreign host will be authenticated using TACACS+, that the users who are successfully authenticated are authorized to use any service, and that all outbound connection information will be logged in the accounting database. The last command statement specifies that access to the PIX Firewall unit's serial console requires authentication from the TACACS+ server.

2. This example creates the AuthIn and AuthOut server groups for RADIUS authentication and specifies that servers 10.0.1.40, 10.0.1.41, and 10.1.1.2 on the inside interface provide authentication. The servers in the AuthIn group authenticate inbound connections; the AuthOut group authenticates outbound connections. The short keys shown (ab, abc, abc123) are placeholders only; use long, random shared secrets on a production firewall:

aaa-server AuthIn protocol radius
aaa-server AuthIn (inside) host 10.0.1.40 ab timeout 20
aaa-server AuthIn (inside) host 10.0.1.41 abc timeout 4
aaa-server AuthOut protocol radius
aaa-server AuthOut (inside) host 10.1.1.2 abc123 timeout 15
aaa authentication include any inbound 0 0 0 0 AuthIn
aaa authentication include any outbound 0 0 0 0 AuthOut

3. This example lists the commands that can be used to establish an Xauth crypto map:

ip address inside 10.0.0.1 255.255.255.0
ip address outside 168.20.1.5 255.255.255.0
ip local pool dealer 10.1.2.1-10.1.2.254
nat (inside) 0 access-list 80
aaa-server TACACS+ (inside) host 10.0.0.2 secret123
crypto ipsec transform-set pc esp-des esp-md5-hmac 
crypto dynamic-map cisco 4 set transform-set pc
crypto map partner-map 20 ipsec-isakmp dynamic cisco
crypto map partner-map client configuration address initiate
crypto map partner-map client authentication TACACS+ 
crypto map partner-map interface outside
isakmp key cisco1234 address 0.0.0.0 netmask 0.0.0.0
isakmp client configuration address-pool local dealer outside
isakmp policy 8 authentication pre-share 
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 1
isakmp policy 8 lifetime 86400

The aaa-server command is used with the crypto map command to establish an authentication association so that VPN Clients are authenticated (Xauth) when they access the PIX Firewall. Note that this example negotiates DES, MD5 and Diffie-Hellman group 1 with a wildcard pre-shared key (address 0.0.0.0 netmask 0.0.0.0); these are weak choices, so use the strongest transform set, hash and group your peers support, and prefer per-peer keys wherever the peer addresses are known.

Refer to the IPSec User Guide for the Cisco Secure PIX Firewall Version 6.0 for a description of the crypto and isakmp commands.

access-group

Binds the access list to an interface. (Configuration mode.)

access-group acl_ID in interface interface_name

clear access-group [acl_ID]

no access-group acl_ID in interface interface_name

show access-group [acl_ID]

Syntax Description

acl_ID

The name associated with a given access list.

in interface

Filter on inbound packets at the given interface.

interface_name

The name of the network interface.


Usage Guidelines

The access-group command binds an access list to an interface. The access list is applied to traffic inbound to an interface. If you enter the permit option in an access-list command statement, the PIX Firewall continues to process the packet. If you enter the deny option in an access-list command statement, PIX Firewall discards the packet and generates the following syslog message:

%PIX-4-106019: IP packet from source_addr to destination_addr, protocol protocol received from interface interface_name deny by access-group acl_ID

Always use the access-list command with the access-group command.


Note The use of the access-group command overrides the conduit and outbound command statements for the specified interface_name.


The no access-group command unbinds the acl_ID from the interface interface_name.

The show access-group command displays the current access list bound to the interfaces.

The clear access-group command removes all entries from an access list indexed by acl_ID. If acl_ID is not specified, all access-list command statements are removed from the configuration.

Examples

The following example shows use of the access-group command:

static (inside,outside) 209.165.201.3 10.1.1.3
access-list acl_out permit tcp any host 209.165.201.3 eq 80
access-group acl_out in interface outside

The static command statement provides a global address of 209.165.201.3 for the web server at 10.1.1.3. The access-list command statement lets any host access the global address using port 80. The access-group command specifies that the access-list command statement applies to traffic entering the outside interface.

access-list

Create an access list. (Configuration mode.)

access-list acl_ID [deny | permit] protocol {source_addr | local_addr} {source_mask | local_mask} operator port {destination_addr | remote_addr} {destination_mask | remote_mask} operator port

access-list acl_ID [deny | permit] icmp {source_addr | local_addr} {source_mask | local_mask} operator port {destination_addr | remote_addr} {destination_mask | remote_mask} operator port icmp_type

no access-list acl_ID [[deny | permit] protocol {source_addr | local_addr} {source_mask | local_mask} operator port {destination_addr | remote_addr} {destination_mask | remote_mask} operator port]

clear access-list [acl_ID [deny | permit] icmp {source_addr | local_addr} {source_mask | local_mask} operator port {destination_addr | remote_addr} {destination_mask | remote_mask} operator port icmp_type]

show access-list

Syntax Description

acl_ID

Name of an access list. You can use either a name or number.

deny

When used with the access-group command, the deny option does not allow a packet to traverse the PIX Firewall. By default, PIX Firewall denies all inbound or outbound packets unless you specifically permit access.

When used with a crypto map command statement, deny does not select a packet for IPSec protection. The deny option prevents traffic from being protected by IPSec in the context of that particular crypto map entry. In other words, it does not allow the policy as specified in the crypto map command statements to be applied to this traffic.

permit

When used with the access-group command, the permit option selects a packet to traverse the PIX Firewall. By default, PIX Firewall denies all inbound or outbound packets unless you specifically permit access.

When used with a crypto map command statement, permit selects a packet for IPSec protection. The permit option causes all IP traffic that matches the specified conditions to be protected by IPSec using the policy described by the corresponding crypto map command statements.

protocol

Name or number of an IP protocol. It can be one of the keywords icmp, ip, tcp, or udp, or an integer in the range 1 to 254 representing an IP protocol number. To match any Internet protocol, including ICMP, TCP, and UDP, use the keyword ip.

source_addr

Address of the network or host from which the packet is being sent. Use this field when an access-list command statement is used in conjunction with an access-group command statement, or with the aaa match access-list command and the aaa authorization command.

source_mask

Netmask bits (mask) to be applied to source_addr, if the source address is for a network mask.

local_addr

Address of the network or host local to the PIX Firewall. Specify a local_addr when the access-list command statement is used in conjunction with a crypto access-list command statement, a nat 0 access-list command statement, or a vpngroup split-tunnel command statement. The local_addr is the address after NAT has been performed.

local_mask

Netmask bits (mask) to be applied to local_addr, if the local address is a network mask.

destination_addr

IP address of the network or host to which the packet is being sent. Specify a destination_addr when the access-list command statement is used in conjunction with an access-group command statement, or with the aaa match access-list command and the aaa authorization command. For inbound connections, destination_addr is the address after NAT has been performed. For outbound connections, destination_addr is the address before NAT has been performed.

destination_mask

Netmask bits (mask) to be applied to destination_addr, if the destination address is a network mask.

remote_addr

IP address of the network or host remote to the PIX Firewall. Specify a remote_addr when the access-list command statement is used in conjunction with a crypto access-list command statement, a nat 0 access-list command statement, or a vpngroup split-tunnel command statement.

remote_mask

Netmask bits (mask) to be applied to remote_addr, if the remote address is a network mask.

operator

A comparison operand that allows you to specify a port or a port range. Use without an operator and port to indicate all ports; for example:

access-list acl_out permit tcp any host 209.165.201.1

Use eq and a port to permit or deny access to just that port. For example, use eq ftp to permit or deny access only to FTP:

access-list acl_out deny tcp any host 209.165.201.1 eq ftp 

Use lt and a port to permit or deny access to all ports less than the port you specify. For example, use lt 1025 to permit or deny access to ports 0 through 1024, which covers the well-known ports:

access-list acl_dmz1 permit tcp any host 192.168.1.1 lt 1025

Use gt and a port to permit or deny access to all ports greater than the port you specify. For example, use gt 42 to permit or deny ports 43 to 65535:

access-list acl_dmz1 deny udp any host 192.168.1.2 gt 42

Use neq and a port to permit or deny access to every port except the ports that you specify. For example, use neq 10 to permit or deny ports 1-9 and 11 to 65535:

access-list acl_dmz1 deny tcp any host 192.168.1.3 neq 10

Use range and a port range to permit or deny access to only those ports named in the range. For example, use range 10 1024 to permit or deny access only to ports 10 through 1024. All other ports are unaffected. The use of port ranges can dramatically increase the number of IPSec tunnels. For example, if a port range of 5000 to 65535 is specified for a highly dynamic protocol, up to 60,536 tunnels can be created.

access-list acl_dmz1 deny tcp any host 192.168.1.4 range ftp telnet

port

Services you permit or deny access to. Specify services by the port that handles it, such as smtp for port 25, www for port 80, and so on. You can specify ports by either a literal name or a number in the range of 0 to 65535.

You can view valid port numbers online at the following website:

http://www.isi.edu/in-notes/iana/assignments/port-numbers

See "Ports" in Chapter 1, "Introduction," for a list of valid port literal names in port ranges; for example, ftp h323. You can also specify numbers.

icmp_type

[Non-IPSec use only]—Permit or deny access to ICMP message types. Refer to Table 5-1 for a list of message types. Omit this option to mean all ICMP types.

ICMP message types are not supported for use with IPSec; that is when the access-list command is used in conjunction with the crypto map command, the icmp_type is ignored.


Usage Guidelines

The access-list command allows you to specify if an IP address is permitted or denied access to a port or protocol. In this document, one or more access-list command statements with the same access list name are referred to as an "access list." Access lists associated with IPSec are known as "crypto access lists." By default, all access in an access list is denied. You must explicitly permit it.

Use the following guidelines for specifying a source, local, or destination address:

Use a 32-bit quantity in four-part, dotted-decimal format.

Use the keyword any as an abbreviation for an address and mask of 0.0.0.0 0.0.0.0. This keyword is normally not recommended for use with IPSec.

Use host address as an abbreviation for a mask of 255.255.255.255.

Use the following guidelines for specifying a network mask:

Do not specify a mask if the address is for a host; if the destination address is for a host, use the host parameter before the address; for example:

access-list acl_grp permit tcp any host 192.168.1.1 

If the address is a network address, specify the mask as a 32-bit quantity in four-part, dotted-decimal format. Place zeros in the bit positions you want to ignore.

Remember that you specify a network mask differently than with the Cisco IOS software access-list command. With PIX Firewall, use 255.0.0.0 for a Class A address, 255.255.0.0 for a Class B address, and 255.255.255.0 for a Class C address. If you are using a subnetted network address, use the appropriate network mask; for example:

access-list acl_grp permit tcp any 209.165.201.0 255.255.255.224

If appropriate, after you have defined an access list, bind it to an interface using the access-group command. For IPSec use, bind it with a crypto map command statement. In addition, you can bind an access list with the RADIUS authorization feature (described in the next section). Refer to the IPSec User Guide for the Cisco Secure PIX Firewall Version 6.0 for a description of the crypto command.

The show access-list command lists the access-list command statements in the configuration. The show access-list command also lists a hit count that indicates the number of times an element has been matched during an access-list command search. The clear access-list command removes all access-list command statements from the configuration.

The no access-list command removes an access-list command from the configuration. If you remove all the access-list command statements in an access list group, the no access-list command also removes the corresponding access-group command from the configuration.


Note The aaa, crypto map, and icmp commands make use of the access-list command statements.


RADIUS Authorization Feature

PIX Firewall allows a RADIUS server to send user group attributes to the PIX Firewall in the RADIUS authentication response message.

The administrator first defines access lists on the PIX Firewall for each user group. For example, there could be access lists for each department in an organization, sales, marketing, engineering, and so on. The administrator then defines each access list in the group profile in CiscoSecure.

After the PIX Firewall authenticates a user, it can then use the CiscoSecure acl attribute returned by the authentication server to identify an access list for a given user group. To maintain consistency, PIX Firewall also provides the same functionality for TACACS+.

To restrict users in a department to three servers and deny everything else, the access-list command statements are as follows:

access-list eng permit ip any server1 255.255.255.255
access-list eng permit ip any server2 255.255.255.255
access-list eng permit ip any server3 255.255.255.255
access-list eng deny ip any any

In this example, the vendor-specific attribute string in the CiscoSecure configuration has been set to acl=eng. Use this field in the CiscoSecure configuration to identify the access-list identification name. The PIX Firewall gets the acl=acl_ID string from CiscoSecure and extracts the acl_ID from it, which it puts in the user's uauth entry. When a user tries to open a connection, PIX Firewall checks the access list named in the user's uauth entry and, depending on the permit or deny status of the access list match, permits or denies the connection. When a connection is denied, PIX Firewall generates a corresponding syslog message. If there is no match, the implicit rule is to deny.

Because the source IP of a given user can vary depending on where they are logging in from, set the source address in the access-list command statement to any, and the destination address to identify which network services the user is permitted or denied access to. If you want to specify that only users logging in from a given subnet may use the specified services, specify the subnet instead of using any.


Note An access list used for RADIUS authorization does not require an access-group command to bind the statements to an interface.


There is not a radius option to the aaa authorization command.

Follow these steps to enable RADIUS authorization:


Step 1 Enable RADIUS authentication with the aaa authentication command.

Step 2 Create the access-list command statements to specify what services hosts are authorized to use with RADIUS.

Step 3 Configure the authentication server with the vendor-specific acl=acl_ID identifier to specify the access-list ID.

When the PIX Firewall sends a request to the authentication server, it returns the acl=acl_ID string, which tells PIX Firewall to use the access-list command statements to determine how RADIUS users are authorized.


Usage Notes

1. The clear access-list command automatically unbinds an access list from a crypto map command or interface. The unbinding of an access list from a crypto map command can lead to a condition that discards all packets because the crypto map command statements referencing the access list are incomplete. To correct the condition, either define other access-list command statements to complete the crypto map command statements or remove the crypto map command statements that pertain to the access-list command statement. Refer to the IPSec User Guide for the Cisco Secure PIX Firewall Version 6.0 for a description of the crypto map command.

2. The access-list command operates on a first match basis.

3. If you specify an access-list command statement and bind it to an interface with the access-group command statement, by default, all traffic inbound to that interface is denied. You must explicitly permit traffic. Note that "inbound" in this context means traffic passing through the interface, rather than the more typical PIX Firewall usage of inbound meaning traffic passing from a lower security level interface to a higher security level interface.

4. Always permit access first and then deny access afterward. If the host entries match, then use a permit statement, otherwise use the default deny statement. You only need to specify additional deny statements if you need to deny specific hosts and permit everyone else.

5. You can view security levels for interfaces with the show nameif command.

6. The ICMP message type (icmp_type) option is ignored in IPSec applications because the message type cannot be negotiated with ISAKMP.

7. Only one access list can be bound to an interface using the access-group command.

8. If you specify the permit option in the access list, the PIX Firewall continues to process the packet. If you specify the deny option in the access list, PIX Firewall discards the packet and generates the following syslog message:

%PIX-4-106019: IP packet from source_addr to destination_addr, protocol protocol received from interface interface_name deny by access-group acl_ID

9. The access-list command uses the same syntax as the Cisco IOS software access-list command except that PIX Firewall uses a subnet mask, whereas Cisco IOS software uses a wildcard mask. The two are bitwise complements: for example, the 255.255.255.0 mask in a PIX Firewall access-list command corresponds to the 0.0.0.255 wildcard mask in the Cisco IOS software access-list command.

10. We recommend that you do not use the access-list command with the conduit and outbound commands. While using these commands together will work, the way in which these commands operate may cause debugging issues because the conduit and outbound commands operate from one interface to another whereas the access-list command used with the access-group command applies only to a single interface. If these commands must be used together, PIX Firewall evaluates the access-list command before checking the conduit and outbound commands.

11. Refer to "Step 13—Add Inbound Server Access" and "Step 14—Add Outbound Access Lists" in Chapter 2, "Configuring the PIX Firewall," for a detailed description about using the access-list command to provide server access and to restrict outbound user access.

12. Refer to aaa-server radius-acctport and aaa-server radius-authport to verify or change port settings.

ICMP Message Types

[Non-IPSec use only]—If you prefer more selective ICMP access, you can specify a single ICMP message type as the last option in this command. Table 5-1 lists possible ICMP types values.

Table 5-1 ICMP Type Literals

ICMP Type   Literal
0           echo-reply
3           unreachable
4           source-quench
5           redirect
6           alternate-address
8           echo
9           router-advertisement
10          router-solicitation
11          time-exceeded
12          parameter-problem
13          timestamp-request
14          timestamp-reply
15          information-request
16          information-reply
17          mask-request
18          mask-reply
31          conversion-error
32          mobile-redirect


If you specify an ICMP message type for use with IPSec, PIX Firewall ignores it. For example:

access-list 10 permit icmp any any echo-reply

And IPSec is enabled such that a crypto map command references the acl_name for this access-list command, then the echo-reply ICMP message type is ignored.

Using the access-list Command with IPSec

If an access list is bound to an interface with the access-group command, the access list selects which traffic can traverse the PIX Firewall. When bound to a crypto map command statement, the access list selects which IP traffic IPSec protects and which traffic IPSec does not protect. For example, access lists can be created to protect all IP traffic between Subnet X and Subnet Y or traffic between Host A and Host B. Refer to the IPSec User Guide for the Cisco Secure PIX Firewall Version 6.0 for a description of the crypto command.

The access lists themselves are not specific to IPSec. It is the crypto map command statement referencing the specific access list that defines whether IPSec processing is applied to the traffic matching a permit in the access list.

Crypto access lists associated with the IPSec crypto map command statement have these primary functions:

Select outbound traffic to be protected by IPSec (permit = protect).

Indicate the data flow to be protected by the new security associations (specified by a single permit entry) when initiating negotiations for IPSec security associations.

Process inbound traffic to filter out and discard traffic that should have been protected by IPSec but arrived unprotected.

Determine whether or not to accept requests for IPSec security associations on behalf of the requested data flows when processing IKE negotiation from the IPSec peer. (Negotiation is only done for crypto map command statements with the ipsec-isakmp option.) For a peer's initiated IPSec negotiation to be accepted, it must specify a data flow that is permitted by a crypto access list associated with an ipsec-isakmp crypto map entry.

You can associate a crypto access list with an interface by defining the corresponding crypto map command statement and applying the crypto map set to an interface. Different access lists must be used in different entries of the same crypto map set. However, both inbound and outbound traffic will be evaluated against the same "outbound" IPSec access list. Therefore, the access list's criteria are applied in the forward direction to traffic exiting your PIX Firewall and the reverse direction to traffic entering your PIX Firewall.

If you want certain traffic to receive one combination of IPSec protection (for example, authentication only) and other traffic to receive a different combination of IPSec protection (for example, both authentication and encryption), you need to create two different crypto access lists to define the two different types of traffic. These different access lists are then used in different crypto map entries that specify different IPSec policies.

We recommend that you configure "mirror image" crypto access lists for use by IPSec and that you avoid using the any keyword. See the IPSec User Guide for the Cisco Secure PIX Firewall Version 6.0 for more information.

If you configure multiple statements for a given crypto access list, in general, the first permit statement matched will be the statement used to determine the scope of the IPSec security association. That is, the IPSec security association will be set up to protect only traffic that meets the criteria of the matched statement. Later, if traffic matches a different permit statement of the crypto access list, a new, separate IPSec security association will be negotiated to protect traffic matching the newly matched access list statement.

Some services such as FTP require two access-list command statements, one for port 10 and another for port 21, to properly encrypt FTP traffic.

Examples

The following example creates a numbered access list that specifies a Class C subnet for the source and a Class C subnet for the destination of IP packets. Because the access-list command is referenced in the crypto map command statement, PIX Firewall encrypts all IP traffic that is exchanged between the source and destination subnets.

access-list 101 permit ip 172.21.3.0 255.255.0.0 172.22.2.0 255.255.0.0
access-group 101 in interface outside
crypto map mymap 10 match address 101
[other crypto map commands]

The next example only lets an ICMP message type of echo-reply be permitted into the outside interface:

access-list acl_out permit icmp any any echo-reply
access-group acl_out in interface outside

alias

Administer overlapping addresses with dual NAT. (Configuration mode.)

alias [(if_name)] dnat_ip foreign_ip [netmask]

no alias [[(if_name)] dnat_ip foreign_ip [netmask]]

show alias

clear alias

Syntax Description

if_name

The name of the internal network interface on which the foreign_ip address overlaps.

dnat_ip

An IP address on the internal network that stands in for the external address (foreign_ip) that conflicts with an address on the internal network.

foreign_ip

IP address on the external network that has the same address as a host on the internal network.

netmask

Network mask applied to both IP addresses. Use 255.255.255.255 for host masks.


Usage Guidelines

The alias command translates one address into another. Use this command to prevent conflicts when you have IP addresses on a network that are the same as those on the Internet or another intranet. You can also use this command to do address translation on a destination address. For example, if a host sends a packet to 209.165.201.1, you can use the alias command to redirect traffic to another address, such as 209.165.201.30.


Note For DNS fixup to work properly, proxy-arp has to be disabled. If you are using the alias command for DNS fixup, disable proxy-arp with the following command after the alias command has been executed:

sysopt noproxyarp internal_interface


After changing or removing an alias command statement, use the clear xlate command.

There must be an A (address) record in the DNS zone file for the "dnat" address in the alias command.

The alias command has two uses, which can be summarized as two ways of reading an alias command statement:

If the PIX Firewall gets a packet destined for the dnat_IP_address, send it to the foreign_IP_address.

If the PIX Firewall gets a DNS packet returned to the PIX Firewall destined for foreign_network_address, alter the DNS packet to change the foreign network address to dnat_network_address.

The no alias command disables a previously set alias command statement. The show alias command displays alias command statements in the configuration. The clear alias command removes all alias command statements from the configuration.

The alias command automatically interacts with DNS servers on your network to ensure that domain name access to the aliased IP address is handled transparently.

You can specify a net alias by using network addresses for the foreign_ip and dnat_ip IP addresses. For example, alias 192.168.201.0 209.165.201.0 255.255.255.224 creates aliases for each IP address between 209.165.201.1 and 209.165.201.30.


Note ActiveX blocking does not occur when users access an IP address referenced by the alias command. ActiveX blocking is set with the filter activex command.


Usage Notes

You can use the sysopt nodnsalias command to disable inbound embedded DNS A record fixups according to aliases that apply to the A record address and outbound replies.

If the alias command is used with the sysopt ipsec pl-compatible command, a static route command statement must be added for each IP address specified in the alias command statement.

To access an alias dnat_ip address with static and access-list command statements, specify the dnat_ip address in the access-list command statement as the address from which traffic is permitted. The following example illustrates this note:

alias (inside) 192.168.201.1 209.165.201.1 255.255.255.255
static (inside,outside) 209.165.201.1 192.168.201.1 netmask 255.255.255.255
access-list acl_out permit tcp host 192.168.201.1 host 209.165.201.1 eq ftp-data
access-group acl_out in interface outside

An alias is specified with the inside address 192.168.201.1 mapping to the foreign address 209.165.201.1.

Examples

1. In this example, the inside network contains the IP address 209.165.201.29, which on the Internet belongs to example.com. When inside clients try to access example.com, the packets do not go to the firewall because the client thinks 209.165.201.29 is on the local inside network. To correct this, a net alias is created as follows with the alias command:

alias (inside) 192.168.201.0 209.165.201.0 255.255.255.224

show alias
alias 192.168.201.0 209.165.201.0 255.255.255.224

When the inside network client 209.165.201.2 connects to example.com, the DNS response from an external DNS server to the internal client's query would be altered by the PIX Firewall to be 192.168.201.29. If the PIX Firewall uses 209.165.200.225 through 209.165.200.254 as the global pool IP addresses, the packet goes to the PIX Firewall with SRC=209.165.201.2 and DST=209.165.201.29. The PIX Firewall translates the address to SRC=209.165.200.254 and DST=209.165.201.29 on the outside.

2. In the next example, a web server is on the inside at 10.1.1.11 and a static command statement maps it to 209.165.201.11. The source host is on the outside with address 209.165.201.7. A DNS server on the outside has a record for www.example.com as follows:

www.example.com.    IN    A    209.165.201.11

The period at the end of the www.example.com. domain name must be included.

The alias command follows:

alias 10.1.1.11 209.165.201.11 255.255.255.255

The PIX Firewall doctors the name server replies to 10.1.1.11 so that inside clients connect directly to the web server.

The static command statement is as follows:

static (inside,outside) 209.165.201.11 10.1.1.11

The access-list command statement you would expect to use follows:

access-list acl_grp permit tcp host 209.165.201.7 host 209.165.201.11 eq telnet

But with the alias command, use this command:

access-list acl_grp permit tcp host 209.165.201.11 eq telnet host 209.165.201.7

You can test the DNS entry for the host with the following UNIX nslookup command:

nslookup -type=any www.example.com

arp

Change or view the ARP cache, and set the timeout value. (Configuration mode.)

arp if_name ip_address mac_address [alias]

clear arp

no arp if_name ip_address

show arp [if_name] [ip_address mac_address alias]

arp timeout seconds

no arp timeout

show arp timeout

Syntax Description

if_name

The internal or external interface name specified by the nameif command.

ip_address

Host IP address for the ARP table entry.

mac_address

Hardware MAC address for the ARP table entry; for example, 00e0.1e4e.3d8b.

alias

Make this entry permanent. Alias entries do not time out and are automatically stored in the configuration when you use the write command to store the configuration.

seconds

Duration that an ARP entry can exist in the ARP table before being cleared.


Usage Guidelines

The arp command adds an entry to the PIX Firewall ARP cache. ARP is a low-level TCP/IP protocol that resolves a node's physical address from its IP address through an ARP request asking the node with a particular IP address to send back its physical address. The presence of entries in the ARP cache indicates that the PIX Firewall has network connectivity. The clear arp command clears the ARP table but not the alias (permanent) entries. Use the no arp command to remove these entries. The show arp command lists the entries in the ARP table.


Note You can use the sysopt noproxyarp command to disable proxy-arps on an interface.


Use the arp command to add an entry for new hosts you add on your network or when you swap an existing host for another. Alternatively, you can wait for the duration specified with the arp timeout command to expire and the ARP table rebuilds itself automatically with the new host information.

The arp timeout command sets the duration that an ARP entry can stay in the PIX Firewall ARP table before expiring. The timer is known as the ARP persistence timer. The default value is 14,400 seconds (4 hours).

The no arp timeout command sets the timer to its default value. The show arp timeout command displays its current value.

Examples

The following examples illustrate use of the arp and arp timeout commands:

arp inside 192.168.0.42 00e0.1e4e.2a7c
arp outside 192.168.0.43 00e0.1e4e.3d8b alias
show arp
outside 192.168.0.43 00e0.1e4e.3d8b alias
inside 192.168.0.42 00e0.1e4e.2a7c

clear arp inside 192.168.0.42

arp timeout 42
show arp timeout
arp timeout 42 seconds

no arp timeout
show arp timeout
arp timeout 14400 seconds

auth-prompt

Change the AAA challenge text. (Configuration mode.)

auth-prompt [accept | reject | prompt] string

no auth-prompt [accept | reject | prompt] string

clear auth-prompt

show auth-prompt

Syntax Description

accept

If a user authentication via Telnet is accepted, display the prompt string.

reject

If a user authentication via Telnet is rejected, display the prompt string.

prompt

The AAA challenge prompt string follows this keyword. This keyword is optional for backward compatibility.

string

A string of up to 235 alphanumeric characters. Special characters should not be used; however, spaces and punctuation characters are permitted. Entering a question mark or pressing the Enter key ends the string. (The question mark appears in the string.)


Usage Guidelines

The auth-prompt command allows you to change the AAA challenge text for HTTP, FTP, and Telnet access. This text displays above the username and password prompts that users view when logging in. If you do not use this command, FTP users view FTP authentication, HTTP users view HTTP Authentication, and challenge text does not appear for Telnet access.

If the user authentication occurs from Telnet, you can use the accept and reject options to display different authentication prompts if the authentication attempt is accepted or rejected by the authentication server.


Note Microsoft Internet Explorer only displays up to 37 characters in an authentication prompt. Netscape Navigator displays up to 120 characters, and Telnet and FTP display up to 235 characters in an authentication prompt.


Examples

The following example shows how to set the authentication prompt and how users view the prompt:

auth-prompt XYZ Company Firewall Access

After this string is added to the configuration, users view:

XYZ Company Firewall Access
User Name:
Password:

The prompt keyword can be included or omitted. For example:

auth-prompt prompt Hello There!

This command statement is the same as the following:

auth-prompt Hello There!

ca generate rsa key

The ca generate rsa command generates RSA key pairs for your PIX Firewall. RSA keys are generated in pairs—one public RSA key and one private RSA key. (Configuration Mode)

ca generate rsa key modulus

Syntax Description

ca generate rsa key

Generates an RSA key for the PIX Firewall.

modulus

Defines the modulus used to generate the RSA key. This is a size measured in bits. You can specify a modulus of 512, 768, 1024, or 2048.



Note Before issuing this command, make sure your PIX  Firewall host name and domain name have been configured (using the hostname and domain-name commands). If a domain name is not configured, the PIX Firewall uses a default domain of ciscopix.com.


Defaults

RSA key modulus default (during PDM setup) is 768. Default domain is ciscopix.com.

Usage Guidelines

If your PIX Firewall already has RSA keys when you issue this command, you are warned and prompted to replace the existing keys with new keys.


Note The larger the key modulus size you specify, the longer it takes to generate an RSA key pair. We recommend a default value of 768.


PDM uses the secure communications protocol SSL to communicate with the PIX Firewall.

SSL uses the private key generated with the ca generate rsa command. For a certificate, SSL uses the one obtained from a certification authority (CA). If that does not exist, it uses the PIX Firewall self-signed certificate created when the RSA key pair was generated.

If there is no RSA key pair when an SSL session is initiated, the PIX Firewall creates a default RSA key pair using a key modulus of 768.

The ca generate rsa command is not saved in the PIX Firewall configuration. However, the keys generated by this command are saved in a persistent data file in Flash memory, which can be viewed with the show ca my rsa key command.

Examples

This example demonstrates how one general purpose RSA key pair is generated. The selected size of the key modulus is 1024.

router(config) ca generate rsa key 1024
Key name:pixfirewall.cisco.com
 Usage:General Purpose Key
 Key Data:
  30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00c8ed4c
  9f5e0b52 aea931df 04db2872 5c4c0afd 9bd0920b 5e30de82 63d834ac f2e1db1f
  1047481a 17be5a01 851835f6 18af8e22 45304d53 12584b9c 2f48fad5 31e1be5a
  bb2ddc46 2841b63b f92cb3f9 8de7cb01 d7ea4057 7bb44b4c a64a9cf0 efaacd42
  e291e4ea 67efbf6c 90348b75 320d7fd3 c573037a ddb2dde8 00df782c 39020301 0001
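The Key Data printed above is the public key as a DER-encoded SubjectPublicKeyInfo. The following added example (not PIX software or Cisco code) decodes that hex dump with a minimal DER reader and reports the modulus size and public exponent, which is a quick way to confirm that the key really has the modulus you asked for; the function names are this example's own.

```python
import re

# Key Data hex exactly as printed by the page's "ca generate rsa key 1024" example
KEY_DATA_HEX = """
30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00c8ed4c
9f5e0b52 aea931df 04db2872 5c4c0afd 9bd0920b 5e30de82 63d834ac f2e1db1f
1047481a 17be5a01 851835f6 18af8e22 45304d53 12584b9c 2f48fad5 31e1be5a
bb2ddc46 2841b63b f92cb3f9 8de7cb01 d7ea4057 7bb44b4c a64a9cf0 efaacd42
e291e4ea 67efbf6c 90348b75 320d7fd3 c573037a ddb2dde8 00df782c 39020301 0001
"""

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1
MODULUS_SIZES = (512, 768, 1024, 2048)                      # sizes the command accepts


def _tlv(buf, pos, expected_tag):
    """Read one DER tag/length/value at pos; return (value, position after it)."""
    if pos + 1 >= len(buf) or buf[pos] != expected_tag:
        raise ValueError(f"expected tag 0x{expected_tag:02x} at offset {pos}")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return buf[pos:pos + length], pos + length


def parse_rsa_public_key(key_data_hex):
    """Decode SubjectPublicKeyInfo -> (modulus n, exponent e, modulus bit length)."""
    der = bytes.fromhex(re.sub(r"\s+", "", key_data_hex))
    spki, end = _tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after SubjectPublicKeyInfo")
    alg, pos = _tlv(spki, 0, 0x30)                 # AlgorithmIdentifier
    oid, _ = _tlv(alg, 0, 0x06)
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    bitstr, _ = _tlv(spki, pos, 0x03)              # BIT STRING wrapping RSAPublicKey
    if bitstr[0] != 0:
        raise ValueError("unexpected unused bits in BIT STRING")
    rsa_key, _ = _tlv(bitstr, 1, 0x30)
    n_bytes, pos = _tlv(rsa_key, 0, 0x02)
    e_bytes, _ = _tlv(rsa_key, pos, 0x02)
    n = int.from_bytes(n_bytes, "big")
    e = int.from_bytes(e_bytes, "big")
    return n, e, n.bit_length()


def check_modulus(bits):
    """True if bits is one of the modulus sizes the ca generate rsa key command accepts."""
    return bits in MODULUS_SIZES


if __name__ == "__main__":
    n, e, bits = parse_rsa_public_key(KEY_DATA_HEX)
    print(f"modulus {bits} bits, exponent {e}, accepted size: {check_modulus(bits)}")
```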

clear Commands

Remove commands from the configuration or reset command values (All modes.)

Table 5-2, Table 5-3, and Table 5-4 list each mode in which the clear commands first appear. Each clear command listed in one mode can also be accessed in each subsequent more secure mode, going from unprivileged to configuration mode, but not from less secure modes.


Note For IPSec clear commands, refer to the Cisco PIX Firewall IPSec User Guide Version 6.0.


Table 5-2 Unprivileged Mode Clear Commands

Clear Command | Description | Described on Command Page
clear pager | Resets the number of displayed lines to 24. | pager


Table 5-3 Privileged Mode Clear Commands

Clear Command | Description | Described on Command Page
clear arp | Clears the ARP table. | arp
clear auth-prompt | Removes an auth-prompt command statement from the configuration. | auth-prompt
clear blocks | Resets the show blocks command statement counters. | show blocks / clear blocks
clear configure | Resets command parameters in the configuration to their default values. | configure
clear flashfs | Clears Flash memory prior to downgrading the PIX Firewall software version. | fragment
clear floodguard | Removes Flood Defender, which protects against flood attacks, from the configuration. | floodguard
clear local-host | Resets the information displayed for the show local-host command. | local-host (clear and show)
clear passwd | Resets the Telnet password back to "cisco." | passwd
clear traffic | Resets the counters for the show traffic command. | show traffic/clear traffic
clear uauth | Deletes one user's or all users' AAA authorization caches, which forces the user or users to reauthenticate the next time they create a connection. | uauth (clear and show)
clear xlate | Clears the contents of the translation slots. | xlate (clear and show)


Table 5-4 Privileged Mode Clear Commands (Continued)

Clear Command | Description | Described on Command Page
clear aaa | Removes aaa command statements from the configuration. | aaa
clear aaa-server | Removes aaa-server command statements from the configuration. | aaa-server
clear access-list | Removes access-list command statements from the configuration. This command also stops all traffic through the PIX Firewall on the affected access-list command statements. | access-list
clear access-group | Removes access-group command statements from the configuration. | access-group
clear alias | Removes alias command statements from the configuration. | alias
clear apply | Removes apply command statements from the configuration. | outbound / apply
clear conduit | Removes conduit command statements from the configuration. | conduit
clear dhcpd | Removes dhcpd command statements from the configuration. | dhcpd
clear established | Removes established command statements from the configuration. | established
clear filter | Removes filter command statements from the configuration. | filter
clear fixup | Resets fixup protocol command statements to their default values. | fixup protocol
clear flashfs | Clears Flash memory before downgrading to a previous PIX Firewall version. | fragment
clear global | Removes global command statements from the configuration. | global
clear http | Removes all HTTP hosts and disables the server. | http
clear icmp | Removes icmp command statements from the configuration. | icmp
clear ip | Sets all PIX Firewall interface IP addresses to 127.0.0.1 and stops all traffic. | ip address
clear ip address | Clears all PIX Firewall interface IP addresses (configuration mode). | ip address
clear ip audit | Clears IDS signature of interface (configuration mode). | ip audit
clear ip local pool | Clears pool of local IP addresses for dynamic assignment to a VPN. | ip local pool
clear ip verify reverse-path | Clears RPF IP spoofing protection (configuration mode). | ip verify reverse-path
clear interface | Clears counters for the show interface command. | interface
clear logging | Clears the syslog message queue accumulated by the logging buffered command. | logging
clear names | Removes name command statements from the configuration. | name / names
clear nameif | Reverts nameif command statements to default interface names and security levels. | nameif
clear nat | Removes nat command statements from the configuration. | nat
clear outbound | Removes outbound command statements from the configuration. | outbound / apply
clear pdm | Removes all locations, disables logging and clears the PDM buffer. Internal PDM command. | pdm
clear rip | Removes rip command statements from the configuration. | rip
clear route | Removes route command statements from the configuration that do not contain the CONNECT keyword. | route
clear service | Removes service command statements from the configuration. | service
clear snmp-server | Removes snmp-server command statements from the configuration. | snmp-server
clear ssh | Removes ssh command statements from the configuration. | ssh
clear static | Removes static command statements from the configuration. | static
clear sysopt | Removes sysopt command statements from the configuration. | sysopt
clear telnet | Removes telnet command statements from the configuration. | telnet
clear tftp-server | Removes tftp-server command statements from the configuration. | tftp-server
clear timeout | Resets timeout command durations to their default values. | timeout
clear url-cache | Removes url-cache command statements from the configuration. | url-cache
clear url-server | Removes url-server command statements from the configuration. | url-server
clear virtual | Removes virtual command statements from the configuration. | virtual
clear vpdn | Removes vpdn command statements from the configuration. | vpdn


clock

Set the PIX Firewall clock for use with the PIX Firewall Syslog Server and the Public Key Infrastructure (PKI) protocol. (Configuration mode.)

clock

clock set hh:mm:ss month day year

clock set hh:mm:ss day month year

show clock

Syntax Description

hh:mm:ss

The current hour:minutes:seconds expressed in 24-hour time; for example, 20:54:00 for 8:54 pm. Zeros can be entered as a single digit; for example, 21:0:0.

month

The current month expressed as the first three characters of the month; for example, apr for April.

day

The current day of the month; for example, 1.

year

The current year expressed as four digits; for example, 2000.


Usage Guidelines

The clock command allows you to specify the current time, month, day, and year for use in time-stamped syslog messages, which you can enable with the logging timestamp command. You can view the current time with the clock or the show clock command.


Note The lifetime of a certificate and the Certificate Revocation List (CRL) is checked in GMT. If you are using IPSec with certificates, set the PIX Firewall clock to GMT timezone to ensure that CRL checking works correctly.


You can interchange the settings for the day and the month; for example, clock set 21:0:0 1 apr 2000.

A time prior to January 1, 1998 or after December 31, 2097 (the latest date the clock command supports) is not accepted.

While the PIX Firewall clock is year 2000 compliant, it does not adjust itself for daylight saving time changes; however, it does know about leap years.

The PIX Firewall clock setting is retained in memory when the power is off by a battery on the PIX Firewall unit's motherboard. Should this battery fail, contact Cisco's customer support for a replacement PIX Firewall unit.

Cisco's PKI (Public Key Infrastructure) protocol uses the clock to make sure that a Certificate Revocation List (CRL) is not expired. Otherwise, the CA may reject or allow certificates based on an incorrect timestamp. Refer to the IPSec User Guide for the Cisco Secure PIX Firewall Version 6.0 for a description of IPSec concepts.

Examples

To enable PFSS time-stamp logging for the first time, use these commands:

clock set 21:0:0 apr 1 2000
show clock
21:00:05 Apr 01 2000
logging host 209.165.201.3
logging timestamp
logging trap 5

In this example, the clock command sets the clock to 9 pm on April 1, 2000. The logging host command specifies that a syslog server is at IP address 209.165.201.3. The PIX Firewall automatically determines that the server is a PFSS and sends syslog messages to it via TCP and UDP. The logging timestamp command enables sending time stamped syslog messages. The logging trap 5 command in this example specifies that messages at syslog level 0 through 5 be sent to the syslog server. The value 5 is used to capture severe and normal messages, but also those of the aaa authentication enable command.
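An added example (not PIX software or Cisco code) that parses the clock set syntax described above, accepting both the month day year and day month year orders, single-digit zeros such as 21:0:0, and the 1998 to 2097 range, and then shows why the note about GMT matters: a clock set to local time is still compared with CRL validity times as if it were GMT. The function names and the constructed CRL window are this example's own.

```python
from datetime import datetime, timedelta, timezone

MONTHS = {name: number for number, name in enumerate(
    ["jan", "feb", "mar", "apr", "may", "jun", "jul", "aug", "sep", "oct", "nov", "dec"], start=1)}


def parse_clock_set(command):
    """Parse 'clock set hh:mm:ss month day year' or 'clock set hh:mm:ss day month year'.
    Returns an aware datetime labelled UTC, because the PIX treats its clock as GMT."""
    tokens = command.split()
    if tokens[:2] != ["clock", "set"] or len(tokens) != 6:
        raise ValueError(f"expected 'clock set hh:mm:ss month day year': {command!r}")
    parts = tokens[2].split(":")
    if len(parts) != 3:
        raise ValueError("time must be hh:mm:ss in 24-hour form")
    hour, minute, second = (int(p) for p in parts)    # single-digit zeros (21:0:0) are allowed
    first, second_tok, year_tok = tokens[3].lower(), tokens[4].lower(), tokens[5]
    if first in MONTHS:                                # month day year
        month, day = MONTHS[first], int(second_tok)
    elif second_tok in MONTHS:                         # day month year is also accepted
        month, day = MONTHS[second_tok], int(first)
    else:
        raise ValueError("month must be its first three letters, for example apr")
    if not (year_tok.isdigit() and len(year_tok) == 4):
        raise ValueError("year must be four digits")
    year = int(year_tok)
    if not 1998 <= year <= 2097:
        raise ValueError("the clock accepts dates from January 1, 1998 to December 31, 2097")
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def crl_usable(pix_clock, this_update, next_update):
    """The PIX compares its clock, taken as GMT, with the CRL's validity window."""
    return this_update <= pix_clock < next_update


def local_time_skew(command, local_utc_offset_hours, this_update, next_update):
    """Verdict the PIX reaches if the clock was set to local time, paired with the
    verdict the true GMT time would give. local_utc_offset_hours is the zone's
    offset from GMT (for example -5 for a zone five hours behind GMT)."""
    as_set = parse_clock_set(command)
    true_gmt = as_set - timedelta(hours=local_utc_offset_hours)
    return (crl_usable(as_set, this_update, next_update),
            crl_usable(true_gmt, this_update, next_update))


if __name__ == "__main__":
    # Constructed CRL window: valid from Apr 1 2000 00:00 GMT until Apr 2 2000 00:00 GMT.
    window = (datetime(2000, 4, 1, tzinfo=timezone.utc), datetime(2000, 4, 2, tzinfo=timezone.utc))
    print(parse_clock_set("clock set 21:0:0 apr 1 2000"))
    # The operator set 21:00 local time in a GMT-5 zone: the PIX still trusts the CRL,
    # although in GMT it expired two hours earlier.
    print(local_time_skew("clock set 21:0:0 apr 1 2000", -5, *window))   # (True, False)
```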

conduit

Add, delete, or show conduits through the PIX Firewall for incoming connections. (Configuration mode.)

conduit permit | deny protocol global_ip global_mask [operator port [port]] foreign_ip foreign_mask [operator port [port]]

no conduit permit | deny protocol global_ip global_mask [operator port [port]] foreign_ip foreign_mask [operator port [port]]

conduit permit | deny icmp global_ip global_mask foreign_ip foreign_mask [icmp_type]

clear conduit

show conduit

Syntax Description

permit

Permit access if the conditions are matched.

deny

Deny access if the conditions are matched.

protocol

Specify the transport protocol for the connection. Possible literal values are icmp, tcp, udp, or an integer in the range 0 through 255 representing an IP protocol number. Use ip to specify all transport protocols. You can view valid protocol numbers online at the following website:

http://www.isi.edu/in-notes/iana/assignments/protocol-numbers

If you specify the icmp protocol, you can permit or deny ICMP access to one or more global IP addresses. Specify the ICMP type in the icmp_type variable, or omit to specify all ICMP types. See the Usage Guidelines for a complete list of the ICMP types.

global_ip

A global IP address previously defined by a global or static command. You can use any if the global_ip and global_mask are 0.0.0.0 0.0.0.0. The any option applies the permit or deny parameters to the global addresses.

If global_ip is a host, you can omit global_mask by specifying the host command before global_ip. For example:

conduit permit tcp host 209.165.201.1 eq ftp any

This example lets any foreign host access global address 209.165.201.1 for FTP.

global_mask

Network mask of global_ip. The global_mask is a 32-bit, four-part dotted decimal; such as, 255.255.255.255. Use zeros in a part to indicate bit positions to be ignored. Use subnetting if required. If you use 0 for global_ip, use 0 for the global_mask; otherwise, enter the global_mask appropriate to global_ip.

foreign_ip

An external IP address (host or network) that can access the global_ip. You can specify 0.0.0.0 or 0 for any host. If both the foreign_ip and foreign_mask are 0.0.0.0 0.0.0.0, you can use the shorthand any option.

If foreign_ip is a host, you can omit foreign_mask by specifying the host command before foreign_ip. For example:

conduit permit tcp any eq ftp host 209.165.201.2

This example lets foreign host 209.165.201.2 access any global address for FTP.

foreign_mask

Network mask of foreign_ip. The foreign_mask is a 32-bit, four-part dotted decimal; such as, 255.255.255.255. Use zeros in a part to indicate bit positions to be ignored. Use subnetting if required. If you use 0 for foreign_ip, use 0 for the foreign_mask; otherwise, enter the foreign_mask appropriate to foreign_ip. You can also specify a mask for subnetting, for example, 255.255.255.192.

operator

A comparison operand that allows you to specify a port or a port range.

Use without an operator and port to indicate all ports; for example:

conduit permit tcp any any

Use eq and a port to permit or deny access to just that port. For example use eq ftp to permit or deny access only to FTP:

conduit deny tcp host 192.168.1.1 eq ftp host 209.165.201.1

Use lt and a port to permit or deny access to all ports less than the port you specify. For example, use lt 1025 to permit or deny access to the well-known ports (1 to 1024):

conduit permit tcp host 192.168.1.1 lt 1025 any

Use gt and a port to permit or deny access to all ports greater than the port you specify. For example, use gt 42 to permit or deny ports 43 to 65535:

conduit deny udp host 192.168.1.1 gt 42 host 209.165.201.2

Use neq and a port to permit or deny access to every port except the ports that you specify. For example, use neq 10 to permit or deny ports 1-9 and 11 to 65535:

conduit deny tcp host 192.168.1.1 neq 10 host 209.165.201.2 neq 42

Use range and a port range to permit or deny access to only those ports named in the range. For example, use range 10 1024 to permit or deny access only to ports 10 through 1024. All other ports are unaffected.

conduit deny tcp any range ftp telnet any

By default, all ports are denied until explicitly permitted.

port

Service(s) you permit to be used while accessing global_ip or foreign_ip. Specify services by the port that handles it, such as smtp for port 25, www for port 80, and so on. You can specify ports by either a literal name or a number in the range of 0 to 65535. You can specify all ports by not specifying a port value; for example:

conduit deny tcp any any

This command is the default condition for the conduit command in that all ports are denied until explicitly permitted.

You can view valid port numbers online at the following website:

http://www.isi.edu/in-notes/iana/assignments/port-numbers

See "Ports" in Chapter 1, "Introduction," for a list of valid port literal names in port ranges; for example, ftp h323. You can also specify numbers.

icmp_type

The type of ICMP message. Table 5-5 lists the ICMP type literals that you can use in this command. Omit this option to mean all ICMP types. An example of this command that permits all ICMP types is conduit permit icmp any any. This command lets ICMP pass inbound and outbound.


Usage Guidelines

A conduit command statement creates an exception to the PIX Firewall Adaptive Security mechanism by permitting connections from one firewall network interface to access hosts on another.

The clear conduit command removes all conduit command statements from your configuration.

The conduit command can permit or deny access to either the global or static commands; however, neither is required for the conduit command. You can associate a conduit command statement with a global or static command statement through the global address, either specifically to a single global address, a range of global addresses, or to all global addresses.


Note The conduit command has been superseded by the access-list command. We recommend that you migrate your configuration away from the conduit command to maintain future compatibility.


When used with a static command statement, a conduit command statement permits users on a lower security interface to access a higher security interface. When not used with a static command statement, a conduit command statement permits both inbound and outbound access.

Converting conduit Commands to access-list Commands

Follow these steps to convert conduit command statements to access-list commands:


Step 1 View the static command format. This command normally precedes both the conduit and access-list commands. The static command syntax is as follows:

static (high_interface,low_interface) global_ip local_ip netmask mask

For example:

static (inside,outside) 209.165.201.5 192.168.1.5 netmask 255.255.255.255

This command maps the global IP address 209.165.201.5 on the outside interface to the web server 192.168.1.5 on the inside interface. The 255.255.255.255 is used for host addresses.


Step 2 View the conduit command format. The conduit command is similar to the access-list command in that it restricts access to the mapping provided by the static command. The conduit command syntax is as follows:

conduit action protocol global_ip global_mask global_operator global_port [global_port] foreign_ip foreign_mask foreign_operator foreign_port [foreign_port]

For example:

conduit permit tcp host 209.165.201.5 eq www any

This command permits TCP for the global IP address 209.165.201.5 that was specified in the static command statement and permits access over port 80 (www). The "any" option lets any host on the outside interface access the global IP address.

The static command identifies the interface that the conduit command restricts access to.


Step 3 Create the access-list command from the conduit command options. The acl_name in the access-list command is a name or number you create to associate access-list command statements with an access-group or crypto map command statement.

Normally the access-list command format is as follows:

access-list acl_name [deny | permit] protocol src_addr src_mask operator port dest_addr dest_mask operator port

However, using the syntax from the conduit command in the access-list command, you can see how the foreign_ip in the conduit command is the same as the src_addr in the access-list command and how the global_ip option in the conduit command is the same as the dest_addr in the access-list command. The access-list command syntax overlaid with the conduit command options is as follows:

access-list acl_name action protocol foreign_ip foreign_mask foreign_operator foreign_port [foreign_port] global_ip global_mask global_operator global_port [global_port]

For example:

access-list acl_out permit tcp any host 209.165.201.5 eq www

This command identifies the access-list command statement group with the "acl_out" identifier. You can use any name or number for your own identifier. (In this example, "acl" comes from ACL, Access Control List, and "out" abbreviates the outside interface.) Your configuration is clearer if the identifier names the interface to which you are associating the access-list command statements. The example access-list command, like the conduit command, permits TCP connections from any system on the outside interface. The access-list command is associated with the outside interface with the access-group command.


Step 4 Create the access-group command using the acl_name from the access-list command and the low_interface option from the static command. The format for the access-group command is as follows:

access-group acl_name in interface low_interface

For example:

access-group acl_out in interface outside

This command associates with the "acl_out" group of access-list command statements and states that the access-list command statement restricts access to the outside interface.


More on the conduit Command

If you associate a conduit command statement with a static command statement, only the interfaces specified on the static command statement have access to the conduit command statement. For example, if a static command statement lets users on the dmz interface access a server on the inside interface, only users on the dmz interface can access the server via the static command statement. Users on the outside do not have access.


Note The conduit command statements are processed in the order entered into the configuration.


The permit and deny options for the conduit command are processed in the order listed in the PIX Firewall configuration. In the following example, host 209.165.202.129 is not denied access through the PIX Firewall because the permit option precedes the deny option:

conduit permit tcp host 209.165.201.4 eq 80 any
conduit deny tcp host 209.165.201.4 eq 80 host 209.165.202.129

Note If you want internal users to be able to ping external hosts, use the conduit permit icmp any any command.


After changing or removing a conduit command statement, use the clear xlate command.

You can remove a conduit command statement with the no conduit command. Use the show conduit command to view the conduit command statements in the configuration and the number of times (hit count) an element has been matched during a conduit command search.

If you prefer more selective ICMP access, you can specify a single ICMP message type as the last option in this command. Table 5-5 lists the possible ICMP type values.

Table 5-5 ICMP Type Literals

ICMP Type   Literal
0           echo-reply
3           unreachable
4           source-quench
5           redirect
6           alternate-address
8           echo
9           router-advertisement
10          router-solicitation
11          time-exceeded
12          parameter-problem
13          timestamp-reply
14          timestamp-request
15          information-request
16          information-reply
17          mask-request
18          mask-reply
31          conversion-error
32          mobile-redirect


Usage Notes

1. By default, all ports are denied until explicitly permitted.

2. The conduit command statements are processed in the order entered in the configuration. If you remove a command, it affects the order of all subsequent conduit command statements.

3. To remove all conduit command statements, cut and paste your configuration onto your console computer, edit the configuration on the computer, use the write erase command to clear the current configuration, and then paste the configuration back into the PIX Firewall.

4. If you use PAT (Port Address Translation), you cannot use a conduit command statement using the PAT address to either permit or deny access to ports.

5. Two conduit command statements are required for establishing access to the following services: discard, dns, echo, ident, pptp, rpc, sunrpc, syslog, tacacs-ds, talk, and time. Each service, except for pptp, requires one conduit for TCP and one for UDP. For DNS, if you are only receiving zone updates, you only need a single conduit command statement for TCP.

The two conduit command statements for the PPTP transport protocol, which is a subset of the GRE protocol, are as shown in this example:

static (dmz2,outside) 209.165.201.5 192.168.1.5 netmask 255.255.255.255
conduit permit tcp host 209.165.201.5 eq 1723 any
conduit permit gre host 209.165.201.5 any

In this example, PPTP is being used to handle access to host 192.168.1.5 on the dmz2 interface from users on the outside. Outside users access the dmz2 host using global address 209.165.201.5. The first conduit command statement opens access for the PPTP protocol and gives access to any outside users. The second conduit command statement permits access to GRE. If PPTP was not involved and GRE was, you could omit the first conduit command statement.

6. The RPC conduit command support fixes up UDP portmapper and rpcbind exchanges. TCP exchanges are not supported. This lets simple RPC-based programs work; however, remote procedure calls, arguments, or responses that contain addresses or ports will not be fixed up.

For MSRPC, two conduit command statements are required, one for port 135 and another for access to the high ports (1024-65535). For Sun RPC, a single conduit command statement is required for UDP port 111.

Once you create a conduit command statement for RPC, you can use the following command to test its activity from a UNIX host:

rpcinfo -u unix_host_ip_address 150001

Replace unix_host_ip_address with the IP address of the UNIX host.

7. You can overlay host statics on top of a net static range to further refine what an individual host can access:

static (inside,outside) 209.165.201.0 10.1.1.0 netmask 255.255.255.0
conduit permit tcp 209.165.201.0 255.255.255.0 eq ftp any
static (inside,outside) 209.165.201.3 10.1.1.3 netmask 255.255.255.255
conduit permit udp host 209.165.201.3 eq h323 host 209.165.202.3

In this case, the outside host 209.165.202.3 has InternetPhone access to the inside host 10.1.1.3 through its global address 209.165.201.3, in addition to the blanket FTP access that the net static gives the whole translated network.

Examples

1. The following commands permit access between an outside UNIX gateway host at 209.165.201.2, to an inside SMTP server with Mail Guard at 192.168.1.49. Mail Guard is enabled in the default configuration for PIX Firewall with the fixup protocol smtp 25 command. The global address on the PIX Firewall is 209.165.201.1:

static (inside,outside) 209.165.201.1 192.168.1.49 netmask 255.255.255.255 0 0
conduit permit tcp host 209.165.201.1 eq smtp host 209.165.201.2 

To disable Mail Guard, enter the following command:

no fixup protocol smtp 25

2. You can set up an inside host to receive H.323 InternetPhone calls and allow the outside network to connect inbound via the IDENT protocol (TCP port 113). In this example, the inside network is at 192.168.1.0, the global addresses on the outside network are referenced via the 209.165.201.0 network address with a 255.255.255.224 mask:

static (inside,outside) 209.165.201.0 192.168.1.0 netmask 255.255.255.224 0 0
conduit permit tcp 209.165.201.0 255.255.255.224 eq h323 any
conduit permit tcp 209.165.201.0 255.255.255.224 eq 113 any

3. You can create a web server on the perimeter interface that can be accessed by any outside host as follows:

static (perimeter,outside) 209.165.201.4 192.168.1.4 netmask 255.255.255.255 0 0
conduit permit tcp host 209.165.201.4 eq 80 any

In this example, the static command statement maps the perimeter host 192.168.1.4 to the global address 209.165.201.4. The conduit command statement specifies that the global host can be accessed on port 80 (web server) by any outside host.

configure

Clear or merge current configuration with that on floppy or Flash memory, start configuration mode, or view current configuration. (Privileged mode.)


Note The PIX 506, PIX 515, and PIX 525 do not support use of the configure floppy command.


clear configure primary | secondary | all

configure net [[server_ip]:[filename]]

configure floppy

configure memory

configure terminal

show configure

Syntax Description

clear

Clears aspects of the current configuration in RAM. Use the write erase command to clear the complete configuration.

primary

Sets the interface, ip, mtu, nameif, and route commands to their default values. In addition, interface names are removed from all commands in the configuration.

secondary

Removes the aaa-server, alias, access-list, apply, conduit, global, outbound, static, telnet, and url-server command statements from your configuration.

net

Loads the configuration from a TFTP server and the path you specify.

all

Combines the primary and secondary options.

floppy

Merges the current configuration with that on diskette.

memory

Merges the current configuration with that in Flash memory.

terminal

Starts configuration mode to enter configuration commands from a terminal. Exit configuration mode by entering the quit command.

server_ip

Merges the current configuration with that available across the network at another location, which is defined with the tftp-server command.

filename

A filename you specify to qualify the location of the configuration file on the TFTP server named in server_ip. If you set a filename with the tftp-server command, do not specify it in the configure command; instead just use a colon ( : ) without a filename.


Usage Guidelines

The clear configure command resets a configuration to its default values. Use this command to create a template configuration or when you want to clear all values. The clear configure primary command resets the default values for the interface, ip, mtu, nameif, and route commands. This command also deletes interface names in the configuration.

The clear configure secondary command removes the aaa-server, alias, access-list, apply, conduit, global, outbound, static, telnet, and url-server command statements from the configuration. However, the clear configure secondary command does not remove tftp-server command statements.


Note Save your configuration before using the clear configure command. The clear configure secondary command does not prompt you before deleting lines from your configuration.


The configure net command merges the current running configuration with a TFTP configuration stored at the IP address you specify and from the file you name. If you specify both the IP address and path name in the tftp-server command, you can specify :filename as simply a colon ( : ). For example:

configure net :

Use the write net command to store the configuration in the file.

If you have an existing PIX Firewall configuration on a TFTP server and store a shorter configuration with the same file name on the TFTP server, some TFTP servers will leave some of the original configuration after the first ":end" mark. This does not affect the PIX Firewall because the configure net command stops reading when it reaches the first ":end" mark. However, this may cause confusion if you view the configuration and see extra text at the end of the configuration. This does not occur if you are using Cisco TFTP Server version 1.1 for Windows NT.


Note Many TFTP servers require the configuration file to be world-readable to be accessible.


The configure floppy command merges the current running configuration with the configuration stored on diskette. This command assumes that the diskette was previously created by the write floppy command.

The configure memory command merges the configuration in Flash memory into the current configuration in RAM.

The configure terminal command starts configuration mode. Exit configuration mode with the quit command. After exiting configuration mode, use write memory to store your changes in Flash memory or write floppy to store the configuration on diskette. Use the write terminal command to display the current configuration.

The show configure command lists the contents of the configuration in Flash memory.

Each command statement from diskette (with configure floppy), Flash memory (with configure memory), or TFTP transfer (with configure net) is read into the current configuration and evaluated in the same way as commands entered from a keyboard with these rules:

If the command on diskette or Flash memory is identical to an existing command in the current configuration, it is ignored.

If the command on diskette or Flash memory is an additional instance of an existing command, such as if you already have one telnet command for IP address 10.2.3.4 and the diskette configuration has a telnet command for 10.7.8.9, then both commands appear in the current configuration.

If the command redefines an existing command, the command on diskette or Flash memory overwrites the command in the current configuration in RAM. For example, if you have hostname ram in the current configuration and hostname floppy on diskette, the command in the configuration becomes hostname floppy and the command line prompt changes to match the new host name when that command is read from diskette.
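
The three merge rules above, simulated as an added example (not PIX code): which commands are single-instance (only hostname here) and that a redefinition replaces the old statement in place are assumptions stated in the comments; the telnet statements are constructed from the addresses in the text.

```python
"""Simulate how configure floppy, configure memory and configure net merge
stored statements into the running configuration under the three rules above.
Added example, not PIX code."""

# Commands treated as single-instance, so a stored statement with the same
# keyword redefines the running one. The page shows this for hostname; which
# other commands behave this way is an assumption, extend the set as needed.
SINGLE_INSTANCE = {"hostname"}


def _key(stmt):
    """Identity used to decide 'same command': the keyword for single-instance
    commands, the whole statement for commands that may have many instances
    (telnet, static, conduit, ...)."""
    keyword = stmt.split()[0]
    return keyword if keyword in SINGLE_INSTANCE else stmt


def merge_config(running, stored):
    """Return (merged, log). Each stored statement is ignored when identical to
    an existing one, added when it is an additional instance, or overwrites
    the existing statement when it redefines it (assumed to replace in place)."""
    merged = list(running)
    log = []
    for stmt in stored:
        stmt = " ".join(stmt.split())            # normalize whitespace before comparing
        if stmt in merged:
            log.append(("ignored", stmt))
            continue
        for i, existing in enumerate(merged):
            if _key(existing) == _key(stmt):
                log.append(("overwrote", existing, stmt))
                merged[i] = stmt
                break
        else:
            log.append(("added", stmt))
            merged.append(stmt)
    return merged, log


# Constructed from the text: the running configuration in RAM and the diskette copy.
RUNNING = ["hostname ram", "telnet 10.2.3.4 255.255.255.255 inside"]
DISKETTE = ["hostname floppy", "telnet 10.2.3.4 255.255.255.255 inside",
            "telnet 10.7.8.9 255.255.255.255 inside"]
```
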

Examples

The following example shows how to configure the PIX Firewall using a configuration retrieved with TFTP:

configure net 10.1.1.1:/tftp/config/pixconfig

The pixconfig file is stored on the TFTP server at 10.1.1.1 in the /tftp/config directory.

The following example shows how to configure the PIX Firewall from a diskette:

configure floppy

The following example shows how to configure the PIX Firewall from the configuration stored in Flash memory:

configure memory

The following example shows the commands you enter to access configuration mode, view the configuration, and save it in Flash memory.

Access privileged mode with the enable command and configuration mode with the configure terminal command. View the current configuration with the write terminal command and save your configuration to Flash memory using the write memory command.

pixfirewall> enable
password: 
pixfirewall# configure terminal
pixfirewall(config)# write terminal
:  Saved
... config commands ...
:  End

write memory

copy tftp flash

Change software images without requiring access to the TFTP monitor mode. (Configuration mode.)

copy tftp[:[[//location] [/pathname]]] flash[:[image | pdm]]

Syntax Description

copy tftp flash

Download Flash memory software images via TFTP without using monitor mode.

location

Either an IP address or a name that resolves to an IP address via the PIX Firewall naming resolution mechanism. PIX Firewall must know how to reach this location via its routing table information. This information is determined by the ip address command, the route command, or also RIP, depending upon your configuration.

pathname

The pathname can include any directory names in addition to the actual last component of the path to the file on the server.

image

Download the selected PIX Firewall image to Flash memory. An image you download is made available to the PIX Firewall on the next reload (reboot).

pdm

Download the selected PDM image files to Flash memory. These files are available to the PIX Firewall immediately, without a reboot.


Usage Guidelines

The copy tftp flash command allows you to download a software image via TFTP. You can use the copy tftp flash command with any PIX Firewall model running version 5.1 or later.

The image you download is made available to the PIX Firewall on the next reload (reboot).

The command syntax is as follows:

copy tftp[:[[//location][/pathname]]] flash

If the command is used without the optional location or pathname parameters, the location and filename are obtained from the user interactively via a series of questions similar to those presented by Cisco IOS software. If you enter only a colon (:), the parameters are taken from the tftp-server command settings. Any other optional parameters you supply are used in place of the corresponding tftp-server command setting. Supplying any of the optional parameters (a colon and anything after it) causes the command to run without prompting for user input.

The location is either an IP address or a name that resolves to an IP address via the PIX Firewall naming resolution mechanism (currently static mappings via the name and names commands). PIX Firewall must know how to reach this location via its routing table information. This information is determined by the ip address command, the route command, or also RIP, depending upon your configuration.

The pathname can include any directory names besides the actual last component of the path to the file on the server. The pathname cannot contain spaces. If a directory name has spaces, set the directory in the TFTP server instead of in the copy tftp flash command.

If your TFTP server has been configured to point to a directory on the system from which you are downloading the image, you need only use the IP address of the system and the image filename.

For example, if you want to download the pix512.bin file from the D: partition on a Windows system (IP address 10.1.1.5), you would access the Cisco TFTP Server View>Options menu and enter the filename path in the TFTP server root directory edit box; for example, D:\pix_images. To copy the file to the PIX Firewall, use the following copy tftp command:

copy tftp://10.1.1.5/pix512.bin flash

The TFTP server receives the command and determines the actual file location from its root directory information. The server then downloads the TFTP image to the PIX Firewall.


Note Images prior to version 5.1 cannot be retrieved using this mechanism.


Examples

The following example causes the PIX Firewall to prompt you for the filename and location before you start the TFTP download:

copy tftp flash
Address or name of remote host [127.0.0.1]? 10.1.1.5
Source file name [cdisk]? pix512.bin
copying tftp://10.1.1.5/pix512.bin to flash
[yes|no|again]? yes
!!!!!!!!!!!!!!!!!!!!!!!...
Received 1695744 bytes.
Erasing current image.
Writing 1597496 bytes of image.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!...
Image installed.

The next example takes the information from the tftp-server command. In this case, the TFTP server is in an intranet and resides on the outside interface. The example sets the filename and location from the tftp-server command, saves memory, and then downloads the image to Flash memory:

tftp-server outside 10.1.1.5 pix512.bin
Warning: 'outside' interface has a low security level (0).
write memory
Building configuration...
Cryptochecksum: 017c452b d54be501 8620ba48 490f7e99
[OK]
copy tftp: flash
copying tftp://10.1.1.5/pix512.bin to flash
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!...

The next example overrides the information in the tftp-server command to let you specify alternate information about the filename and location. If you have not set the tftp-server command, you can also use the copy tftp flash command to specify all information as shown in the second example that follows:

copy tftp:/pix512.bin flash
copy tftp://10.0.0.1/pix512.bin flash

The next example maps an IP address to the tftp-host name with the name command and uses the tftp-host name in the copy commands:

name 10.1.1.6 tftp-host
copy tftp://tftp-host/pix512.bin flash
copy tftp://tftp-host/tftpboot/pix512.bin flash

debug

Debug packets or ICMP tracings through the PIX Firewall. The debug command provides information that helps troubleshoot protocols operating with and through the PIX Firewall.

debug dhcpc detail | error | packet

no debug dhcpc detail | error | packet

debug dhcpd event | packet

no debug dhcpd event | packet

debug fover option

no debug fover option

debug h323 h225 [asn | event]

no debug h323 h225 [asn | event]

debug h323 h245 [asn | event]

no debug h323 h245 [asn | event]

debug h323 ras [asn | event]

no debug h323 ras [asn | event]

debug icmp trace

no debug icmp trace

debug packet if_name [src source_ip [netmask mask]] [dst dest_ip [netmask mask]] [[proto icmp] | [proto tcp [sport src_port] [dport dest_port]] | [proto udp [sport src_port] [dport dest_port]]] [rx | tx | both]

no debug packet if_name [src source_ip [netmask mask]] [dst dest_ip [netmask mask]] [[proto icmp] | [proto tcp [sport src_port] [dport dest_port]] | [proto udp [sport src_port] [dport dest_port]]] [rx | tx | both]

debug pdm history

no debug pdm history

debug ppp error | io | uauth | upap | chap | negotiation

no debug ppp error | io | uauth | upap | chap | negotiation

debug rip

no debug rip

debug rtsp

no debug rtsp

debug sip

no debug sip

debug sqlnet

no debug sqlnet

debug ssh

no debug ssh

debug ssl [cypher | device]

no debug ssl [cypher | device]

debug vpdn event | error | packet

no debug vpdn event | error | packet

show debug

Syntax Description

dhcpc detail

Display detailed information about the DHCP client packets.

dhcpc error

Display error messages associated with the DHCP client.

dhcpc packet

Display packet information associated with the DHCP client.

dhcpd event

Display event information associated with the DHCP server.

dhcpd packet

Display packet information associated with the DHCP server.

fover option

Display failover information. Refer to Table 5-6 for the options.

h323

Display information about the packet-based multimedia communications systems standard.

h225 asn

Display the output of the decoded PDUs.

h225 event

Display the events of the H225 signalling, or turn both traces on.

h245 asn

Display the output of the decoded PDUs.

h245 event

Display the events of the H245 signalling, or turn both traces on.

ras asn

Display the output of the decoded PDUs.

ras event

Display the events of the RAS signalling, or turn both traces on.

icmp

Display information about ICMP traffic.

packet

Display packet information.

if_name

Interface name from which the packets are arriving; for example, to monitor packets coming into the PIX Firewall from the outside, set if_name to outside.

src source_ip

Source IP address.

netmask mask

Network mask.

dst dest_ip

Destination IP address.

proto icmp

Display ICMP packets only.

proto tcp

Display TCP packets only.

sport src_port

Source port. See the "Ports" section in Chapter 1, "Introduction" for a list of valid port literal names.

dport dest_port

Destination port.

debug pdm history

Turns on the PDM history metrics debugging information. The no version of this command disables PDM history metrics debugging.

proto udp

Display UDP packets only.

rx

Display only packets received at the PIX Firewall.

tx

Display only packets that were transmitted from the PIX Firewall.

both

Display both received and transmitted packets.

sqlnet

Debug SQL*Net traffic.

ppp

Debug L2TP or PPTP traffic, which is configured with the vpdn command.

ppp error

Display L2TP or PPTP PPP virtual interface error messages.

ppp io

Display the packet information for L2TP or PPTP PPP virtual interface.

ppp uauth

Display the L2TP or PPTP PPP virtual interface AAA user authentication debugging messages.

upap

Display PAP authentication.

chap

Display CHAP/MS-CHAP authentication.

negotiation

Equivalent of the error, uauth, upap and chap debug command options.

sip

Debug the fixup session initiation protocol (SIP) module.

ssh

Debug information and error messages associated with the ssh command.

ssl

Debug information and error messages associated with the ssl command.

cypher

Display information about the cipher negotiation between the HTTP server and the client.

device

Display information about the SSL device including session initiation and ongoing status.

vpdn event

Display L2TP or PPTP tunnel event change information.

vpdn error

Display L2TP or PPTP protocol error messages.

vpdn packet

Display L2TP or PPTP packet information.


Usage Guidelines

The debug command allows you to view debug information. The show debug command displays the current state of tracing. You can debug the contents of network layer protocol packets with the debug packet command.

The debug dhcpc detail command displays detailed packet information about the DHCP client. The debug dhcpc error command displays DHCP client error messages. The debug dhcpc packet command displays packet information about the DHCP client. Use the no form of the debug dhcpc command to disable debugging.

The debug dhcpd event command displays event information about the DHCP server. The debug dhcpd packet command displays packet information about the DHCP server. Use the no form of the debug dhcpd commands to disable debugging.

The debug h323 command allows you to debug H323 connections. Use the no form of the command to disable debugging. This command works when the fixup protocol h323 command is enabled.


Note The debug h323 command, particularly the debug h323 h225 asn, debug h323 h245 asn, and debug h323 ras asn commands, might delay the sending of messages and cause slower performance in a real-time environment.


The debug icmp trace command shows ICMP packet information, the source IP address, and the destination address of packets arriving, departing, and traversing the PIX Firewall including pings to the PIX Firewall unit's own interfaces.

The debug sqlnet command reports on traffic between Oracle SQL*Net clients and servers through the PIX Firewall.

The debug ssh command reports on information and error messages associated with the ssh command.

The debug ppp and debug vpdn commands provide information about PPTP traffic. PPTP is configured with the vpdn command.

Use of the debug commands can slow down busy networks.

For information about the debug crypto commands or IPSec-related debug commands, refer to the debug command page within the "Command Reference" chapter of the IPSec User Guide for the Cisco Secure PIX Firewall Version 6.0.

Table 5-6 lists the options for the debug fover command.

Table 5-6 debug fover Options

Option   Description
cable    Failover cable status
fail     Failover internal exception
fmsg     Failover message
get      IP network packet received
ifc      Network interface status trace
open     Failover device open
put      IP network packet transmitted
rx       Failover cable receive
rxdmp    Cable receive message dump (serial console only)
rxip     IP network failover packet received
tx       Failover cable transmit
txdmp    Cable transmit message dump (serial console only)
txip     IP network failover packet transmitted
verify   Failover message verify
switch   Failover switching status


Trace Channel Feature

The debug packet command sends its output to the Trace Channel. All other debug commands do not. Use of Trace Channel changes the way you can view output on your screen during a PIX Firewall console or Telnet session.

If a debug command does not use Trace Channel, each session operates independently, which means commands started in a session appear only in that session. By default, output is disabled in a session that does not use Trace Channel.

The location of the Trace Channel depends on whether you have a simultaneous Telnet console session running at the same time as the console session, or if you are using only the PIX Firewall serial console:

If you are only using the PIX Firewall serial console, all debug commands display on the serial console.

If you have both a serial console session and a Telnet console session accessing the console, then no matter where you enter the debug commands, the output displays on the Telnet console session.

If you have two or more Telnet console sessions, the first session is the Trace Channel. If that session closes, the serial console session becomes the Trace Channel. The next Telnet console session that accesses the console will then become the Trace Channel.

The debug commands are shared between all Telnet and serial console sessions.


Note The downside of the Trace Channel feature is that if one administrator is using the serial console and another administrator starts a Telnet console session, the serial console debug output will suddenly stop without warning. In addition, the administrator on the Telnet console session will suddenly be viewing debug output, which may be unexpected. If you are using the serial console and debug output is not appearing, use the who command to see if a Telnet console session is running.


Additional debug Command Information


Note Use of the debug packet command on a PIX Firewall experiencing a heavy load may result in the output displaying so fast that it may be impossible to stop the output by entering the no debug packet command from the console. You can enter the no debug packet command from a Telnet session.



Note To let users ping through the PIX Firewall, add the access-list acl_grp permit icmp any any command statement to the configuration and bind it to each interface you want to test with the access-group command. This lets pings go outbound and inbound.


To stop a debug packet trace command, enter:

no debug packet if_name

Replace if_name with the name of the interface; for example, inside, outside, or a perimeter interface name.

To stop a debug icmp trace command, enter:

no debug icmp trace

Examples

The following is partial sample output from the debug dhcpc packet and the debug dhcpc detail commands. The ip address dhcp setroute command was configured after turning on the debug dhcpc commands to obtain debugging information:

debug dhcpc packet
debug dhcpc detail
ip address outside dhcp setroute
DHCP:allocate request
DHCP:new entry. add to queue
DHCP:new ip lease str = 0x80ce8a28
DHCP:SDiscover attempt # 1 for entry:
Temp IP addr:0.0.0.0 for peer on Interface:outside
Temp sub net mask:0.0.0.0
   DHCP Lease server:0.0.0.0, state:1 Selecting
   DHCP transaction id:0x8931
   Lease:0 secs, Renewal:0 secs, Rebind:0 secs
   Next timer fires after:2 seconds
   Retry count:1   Client-ID:cisco-0000.0000.0000-outside

DHCP:SDiscover:sending 265 byte length DHCP packet
DHCP:SDiscover 265 bytes
DHCP Broadcast to 255.255.255.255 from 0.0.0.0
DHCP client msg received, fip=10.3.2.2, fport=67
DHCP:Received a BOOTREP pkt
DHCP:Scan:Message type:DHCP Offer
DHCP:Scan:Server ID Option:10.1.1.69 = 450A44AB
DHCP:Scan:Lease Time:259200
DHCP:Scan:Subnet Address Option:255.255.254.0
DHCP:Scan:DNS Name Server Option:10.1.1.70, 10.1.1.140
DHCP:Scan:Domain Name:example.com
DHCP:Scan:NBNS Name Server Option:10.1.2.228, 10.1.2.87
DHCP:Scan:Router Address Option:10.3.2.1
DHCP:rcvd pkt source:10.3.2.2, destination: 255.255.255.255
...

The following example turns on this command:

debug icmp trace

When you ping a host through the PIX Firewall from any interface, trace output displays on the console. The following example shows a successful ping from an external host (209.165.201.2) to the PIX Firewall unit's outside interface (209.165.201.1):

Inbound ICMP echo reply (len 32 id 1 seq 256) 209.165.201.1 > 209.165.201.2
Outbound ICMP echo request (len 32 id 1 seq 512) 209.165.201.2 > 209.165.201.1
Inbound ICMP echo reply (len 32 id 1 seq 512) 209.165.201.1 > 209.165.201.2
Outbound ICMP echo request (len 32 id 1 seq 768) 209.165.201.2 > 209.165.201.1
Inbound ICMP echo reply (len 32 id 1 seq 768) 209.165.201.1 > 209.165.201.2
Outbound ICMP echo request (len 32 id 1 seq 1024) 209.165.201.2 > 209.165.201.1
Inbound ICMP echo reply (len 32 id 1 seq 1024) 209.165.201.1 > 209.165.201.2
NO DEBUG ICMP TRACE
ICMP trace off

This example shows that the ICMP packet length is 32 bytes, that the ICMP packet identifier is 1, and the ICMP sequence number of each packet. The ICMP sequence number starts at 0 and is incremented each time a request is sent.

The following is sample output from the show debug command output:

show debug
debug ppp error
debug vpdn event
debug crypto ipsec 1
debug crypto isakmp 1
debug crypto ca 1
debug icmp trace
debug packet outside both
debug sqlnet

The above sample output includes the debug crypto commands. Refer to the debug command page within the "Command Reference" chapter of the IPSec User Guide for the Cisco Secure PIX Firewall Version 6.0 for more information about the debug crypto commands.

You can debug the contents of packets with the debug packet command:

debug packet inside
--------- PACKET ---------
-- IP --
4.3.2.1 ==>     255.3.2.1
        ver = 0x4       hlen = 0x5      tos = 0x0       tlen = 0x60
        id = 0x3902     flags = 0x0     frag off=0x0
        ttl = 0x20      proto=0x11      chksum = 0x5885
        -- UDP --
                source port = 0x89      dest port = 0x89
                len = 0x4c      checksum = 0xa6a0
        -- DATA --
                00000014:                                     00 01 00 00            |     ....
                00000024: 00 00 00 01 20 45 49 45 50 45 47 45 47 45 46 46            | .... EIEPEGEGEFF
                00000034: 43 43 4e 46 41 45 44 43 41 43 41 43 41 43 41 43            | CCNFAEDCACACACAC
                00000044: 41 43 41 41 41 00 00 20 00 01 c0 0c 00 20 00 01            | ACAAA.. ..... ..
                00000054: 00 04 93 e0 00 06 60 00 01 02 03 04 00                     | ......`......
--------- END OF PACKET ---------

This display lists the information as it appears in a packet.
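As an added example (not Cisco or PIX code), the following Python parser turns debug packet output into structured fields and rebuilds the payload bytes. The sample is the page's dump re-typed with each hex row on one line; because UDP port 0x89 is 137 (NetBIOS name service), the script also decodes the first-level-encoded NetBIOS name that the payload carries. The dump's first data row shows only four bytes, so the decoder searches for the name by its 0x20 length byte instead of assuming a fixed offset.

```python
"""Parse Cisco PIX 'debug packet' output into structured fields.

Added example, not PIX or Cisco code.  Rebuilds the header fields and the
raw payload bytes from the dump, then decodes what the page's sample
carries: UDP port 0x89 is 137 (NetBIOS name service), and the payload
holds a first-level-encoded NetBIOS name.
"""
import re

# Constructed from the page's 'debug packet inside' sample, re-typed with
# each hex row on a single line.  Note the first row shows only four bytes.
SAMPLE = """\
--------- PACKET ---------
-- IP --
4.3.2.1 ==>     255.3.2.1
        ver = 0x4       hlen = 0x5      tos = 0x0       tlen = 0x60
        id = 0x3902     flags = 0x0     frag off=0x0
        ttl = 0x20      proto=0x11      chksum = 0x5885
        -- UDP --
                source port = 0x89      dest port = 0x89
                len = 0x4c      checksum = 0xa6a0
        -- DATA --
                00000014:                                     00 01 00 00            |     ....
                00000024: 00 00 00 01 20 45 49 45 50 45 47 45 47 45 46 46            | .... EIEPEGEGEFF
                00000034: 43 43 4e 46 41 45 44 43 41 43 41 43 41 43 41 43            | CCNFAEDCACACACAC
                00000044: 41 43 41 41 41 00 00 20 00 01 c0 0c 00 20 00 01            | ACAAA.. ..... ..
                00000054: 00 04 93 e0 00 06 60 00 01 02 03 04 00                     | ......`......
--------- END OF PACKET ---------
"""

SECTION_RE = re.compile(r"^\s*-- (\w+) --\s*$")
ADDR_RE = re.compile(r"^\s*([\d.]+)\s*==>\s*([\d.]+)")
FIELD_RE = re.compile(r"([a-z][a-z ]*?)\s*=\s*(0x[0-9a-f]+)", re.I)
HEXROW_RE = re.compile(r"^\s*[0-9a-f]{8}:\s*(.*?)\s*\|", re.I)


def parse_debug_packet(text):
    """Return a dict with 'src', 'dst', one dict of fields per header
    section ('ip', 'udp', ...) and 'data' holding the payload bytes."""
    pkt = {"data": b""}
    section = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            pkt.setdefault(section, {})
            continue
        m = ADDR_RE.match(line)
        if m:
            pkt["src"], pkt["dst"] = m.groups()
            continue
        if section == "data":
            m = HEXROW_RE.match(line)
            if m:
                pairs = re.findall(r"\b[0-9a-f]{2}\b", m.group(1), re.I)
                pkt["data"] += bytes.fromhex("".join(pairs))
        elif section is not None:
            for name, value in FIELD_RE.findall(line):
                pkt[section][name.strip().lower()] = int(value, 16)
    return pkt


def decode_netbios_name(payload):
    """Locate a first-level-encoded NetBIOS name (0x20 length byte, 32
    characters 'A'..'P', terminating 0x00) and return (name, suffix byte).
    Each pair of characters encodes one byte as two 4-bit nibbles."""
    for i in range(len(payload) - 33):
        if payload[i] != 0x20 or payload[i + 33] != 0x00:
            continue
        enc = payload[i + 1:i + 33]
        if all(0x41 <= c <= 0x50 for c in enc):
            raw = bytes(((enc[j] - 0x41) << 4) | (enc[j + 1] - 0x41)
                        for j in range(0, 32, 2))
            return raw[:15].decode("ascii").rstrip(" "), raw[15]
    return None


def summarize(pkt):
    """One-line summary of the parsed packet for a log reviewer."""
    proto = {0x01: "icmp", 0x06: "tcp", 0x11: "udp"}.get(pkt["ip"].get("proto"), "?")
    l4 = pkt.get(proto, {})
    return (f"{pkt['src']}:{l4.get('source port')} -> {pkt['dst']}:{l4.get('dest port')} "
            f"{proto} ttl={pkt['ip'].get('ttl')} payload={len(pkt['data'])} bytes")
```

On the page's sample the parser yields 4.3.2.1:137 to 255.3.2.1:137 over UDP, and the payload decodes to a 15-character NetBIOS name with suffix 0x00 (a workstation name); the dump shows 65 payload bytes while the UDP length field announces 68, which is consistent with the truncated first data row.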

The following is sample output from the show debug command:

show debug
debug icmp trace off
debug packet off
debug sqlnet off



dhcpd

The dhcpd command controls the DHCP server feature. (Configuration mode.)

dhcpd address ip1[-ip2] [if_name]

no dhcpd address ip1[-ip2] [if_name]

dhcpd auto_config [client_ifx_name]

no dhcpd auto_config [client_ifx_name]

dhcpd dns dns1 [dns2]

no dhcpd dns dns1 [dns2]

dhcpd wins wins1 [wins2]

no dhcpd wins wins1 [wins2]

dhcpd lease lease_length

no dhcpd lease lease_length

dhcpd domain domain_name

no dhcpd domain domain_name

dhcpd enable [if_name]

no dhcpd enable [if_name]

show dhcpd [binding|statistics]

clear dhcpd [binding|statistics]

debug dhcpd event

no debug dhcpd event

debug dhcpd packet

no debug dhcpd packet

dhcpd ping_timeout timeout

no dhcpd ping_timeout timeout

Syntax Description

address ip1 [ip2]

The IP pool address range. The size of the pool is limited to 32 addresses for the PIX 506 platform and 256 addresses for other platforms.

Note that if the address pool range is larger than 253 addresses, the netmask of the PIX interface cannot be a class C mask (that is, 255.255.255.0) and must be larger, for example 255.255.254.0.

if_name

Currently, the PIX Firewall DHCP server daemon can only be enabled on the inside interface.

dns dns1 [dns2]

The IP address of the DNS server, and optionally a second DNS server, given to DHCP clients.

wins wins1 [wins2]

The IP address of the WINS server, and optionally a second WINS server, given to DHCP clients.

auto_config

Enable the PIX Firewall to automatically pass the DNS, WINS and domain name values obtained by its DHCP client to its DHCP server. If you also specify the dns, wins and domain parameters, the CLI parameters overwrite the auto_config parameters.

client_ifx_name

This optional argument supports only the outside interface at this time. When more interfaces are supported, this argument will specify which interface supports the DHCP auto_config feature.

lease lease_length

The length of the lease, in seconds, granted to the DHCP client.

domain domain_name

The DNS domain name. For example, example.com.

binding

The binding information for a given server IP address and its associated client hardware address and lease length.

statistics

Statistical information, such as address pool, number of bindings, malformed messages, sent messages, and received messages.

ping_timeout

Allows the configuration of the timeout value of a ping, in milliseconds, before assigning an IP address to a DHCP client.


Usage Guidelines

A DHCP server provides network configuration parameters to a DHCP client. Support for the DHCP server within the PIX Firewall means the PIX Firewall can use DHCP to configure connected PC clients. This DHCP feature is designed for the remote home or branch office that will establish a connection to an enterprise or corporate network. See "DHCP Server" within Chapter 3, "Advanced Configurations," for information on how to implement the DHCP server feature in the PIX Firewall.


Note The PIX Firewall DHCP server does not support BOOTP requests and failover configurations.


The dhcpd address command specifies the DHCP server address pool. The address pool of a PIX Firewall DHCP server must be within the same subnet as the PIX Firewall interface that is enabled. In other words, the client must be physically connected to the subnet of a PIX Firewall interface. The size of the pool is currently limited to 32 addresses for the PIX 506 platform and 256 addresses for other platforms. The default for the PIX Firewall interface name is the inside interface, which is the only interface currently supported. The no dhcpd address command removes the DHCP server address pool you configured.

The dhcpd lease command specifies the length of the lease, in seconds, granted to the DHCP client. This lease indicates how long the DHCP client can use the assigned IP address. The no dhcpd lease command removes the lease length that you specified from your configuration and replaces this value with the default value of 3,600 seconds.

The dhcpd domain command specifies the DNS domain name for the DHCP client. For example, example.com. The no dhcpd domain command removes the DNS domain name from your configuration.

The dhcpd enable command enables the DHCP daemon to begin to listen for the DHCP client requests on the DHCP-enabled interface. The no dhcpd enable command disables the DHCP server feature on the specified interface.


Note DHCP must be enabled to use this command. Use the dhcpd enable command to turn on DHCP.



Note With version 5.2 or higher, the PIX Firewall DHCP server daemon can only be enabled on the inside interface, and does not support clients that are not directly connected to the inside interface.


The show dhcpd command displays dhcpd commands, binding and statistics information associated with all of the dhcpd commands.

The clear dhcpd command clears all of the dhcpd commands, binding, and statistics information.

The debug dhcpd event command displays event information about the DHCP server. The debug dhcpd packet command displays packet information about the DHCP server. Use the no form of the debug dhcpd commands to disable debugging.

Examples

The following partial configuration example shows use of the dhcpd address, dhcpd dns, and dhcpd enable commands. In this example, an address pool for the DHCP clients is defined, a DNS server address is specified for the DHCP client, and the inside interface of the PIX Firewall is enabled for the DHCP server function:

dhcpd address 10.0.1.100-10.0.1.108
dhcpd dns 209.165.200.226
dhcpd enable

The following partial configuration example shows how to define a DHCP pool of 256 addresses and use the auto_config command to configure the dns, wins and domain parameters. Note that the netmask of the inside interface is 255.255.254.0:

ip address inside 10.0.1.1 255.255.254.0
dhcpd address 10.0.1.2-10.0.1.257
dhcpd auto_config
dhcpd enable
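The pool constraints in the usage guidelines (pool inside the enabled interface's subnet, 32 addresses on the PIX 506 and 256 elsewhere, and more than 253 addresses needing a netmask larger than 255.255.255.0) are easy to get wrong when hand-editing a configuration. The following Python checker is an added example, not PIX code; it reads a partial configuration like the ones above and reports the violations. The configurations it tests are constructed, and the check that the pool excludes the interface's own address is an extra sanity check of mine, not a rule stated on this page.

```python
"""Sanity-check a PIX 'dhcpd address' pool against the inside interface.

Added example, not PIX code.  It encodes the constraints from the dhcpd
usage guidelines: the pool must lie inside the subnet of the enabled
(inside) interface, its size is capped at 32 addresses on the PIX 506 and
256 elsewhere, and a pool of more than 253 addresses cannot fit behind a
255.255.255.0 netmask.  Excluding the interface's own address is an extra
check of mine, not a rule stated on the page.
"""
import ipaddress
import re

POOL_LIMIT = {"506": 32}   # per platform; anything not listed gets the 256 default
DEFAULT_LIMIT = 256

# Constructed configurations exercised below.
GOOD_24 = """\
ip address inside 10.0.1.1 255.255.255.0
dhcpd address 10.0.1.100-10.0.1.108
dhcpd enable
"""
GOOD_23 = """\
ip address inside 10.0.0.1 255.255.254.0
dhcpd address 10.0.0.2-10.0.1.1
dhcpd auto_config
dhcpd enable
"""
BAD_24 = """\
ip address inside 10.0.0.1 255.255.255.0
dhcpd address 10.0.0.2-10.0.1.1
dhcpd enable
"""
TYPO = "ip address inside 10.0.1.1 255.255.254.0\ndhcpd address 10.0.1.2-10.0.1.257\n"


def extract(config):
    """Return (inside interface or None, (first, last, if_name) or None)."""
    iface, pool = None, None
    for line in config.splitlines():
        m = re.match(r"\s*ip address inside (\S+) (\S+)\s*$", line)
        if m:
            iface = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        m = re.match(r"\s*dhcpd address (\S+)(?: (\S+))?\s*$", line)
        if m:
            first, _, last = m.group(1).partition("-")
            pool = (first, last or first, m.group(2) or "inside")
    return iface, pool


def check_pool(config, platform="515"):
    """Return a list of findings; an empty list means the pool is usable."""
    iface, pool = extract(config)
    if pool is None:
        return ["no dhcpd address statement"]
    first, last, if_name = pool
    findings = []
    if if_name != "inside":
        findings.append(f"dhcpd is only supported on the inside interface, not {if_name}")
    try:
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    except ValueError as exc:
        return findings + [f"invalid pool address: {exc}"]
    if hi < lo:
        return findings + [f"pool end {last} precedes pool start {first}"]
    size = int(hi) - int(lo) + 1
    limit = POOL_LIMIT.get(platform, DEFAULT_LIMIT)
    if size > limit:
        findings.append(f"pool has {size} addresses; the PIX {platform} allows {limit}")
    if iface is None:
        findings.append("no 'ip address inside' statement to check the pool against")
        return findings
    net = iface.network
    if lo not in net or hi not in net:
        findings.append(f"pool {first}-{last} is not within {net}")
    if size > 253 and net.prefixlen >= 24:
        findings.append("pools over 253 addresses need an inside netmask larger than 255.255.255.0")
    if lo <= iface.ip <= hi:
        findings.append(f"pool includes the interface's own address {iface.ip}")
    return findings
```

Run check_pool on a configuration and a platform name; the /23 pool of 256 addresses passes on a PIX 515 but is rejected on a PIX 506, and the same pool behind a /24 interface produces both the subnet and the netmask findings.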

The following partial configuration example shows how to use three new features that are associated with each other: DHCP server, DHCP client, and PAT using interface IP to configure a PIX Firewall in a small office, home office (SOHO) environment:

! use dhcp to configure the outside interface and default route
ip address outside dhcp setroute
! enable dhcp server daemon on the inside interface
ip address inside 10.0.1.2 255.255.255.0
dhcpd address 10.0.1.101-10.0.1.110
dhcpd dns 209.165.201.2 209.165.202.129
dhcpd wins 209.165.201.5
dhcpd lease 3000
dhcpd domain example.com
dhcpd enable
! use outside interface IP as PAT global address
nat (inside) 1 0 0
global (outside) 1 interface

The following is sample output for the show dhcpd command:

show dhcpd

dhcpd address 10.0.1.100-10.0.1.108 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd dns 192.23.21.23
dhcpd enable inside 

The following is sample output for the show dhcpd binding command:

show dhcpd binding

IP Address Hardware Address Lease Expiration Type
10.0.1.100 0100.a0c9.868e.43 84985 seconds automatic

The following is sample output for the show dhcpd statistics command:

show dhcpd statistics

Address Pools 1
Automatic Bindings 1
Expired Bindings 1
Malformed messages 0

Message Received
BOOTREQUEST 0
DHCPDISCOVER 1
DHCPREQUEST 2
DHCPDECLINE 0
DHCPRELEASE 0
DHCPINFORM 0

Message Sent
BOOTREPLY 0
DHCPOFFER 1
DHCPACK 1
DHCPNAK 1

Related Commands

ip address

disable

Exit privileged mode and return to unprivileged mode. (Privileged mode.)

disable

Usage Guidelines

The disable command exits privileged mode and returns you to unprivileged mode. Use the enable command to return to privileged mode.

Examples

The following example shows how to exit privileged mode:

pixfirewall# disable
pixfirewall>

eeprom

The eeprom command displays and updates the contents of the EEPROM non-volatile storage devices that hold low-level Ethernet interface configuration information on certain PIX 525 units.

show eeprom

eeprom update


Note This command applies only to PIX 525 models with serial numbers 44480380055 through 44480480044.


Syntax Description

 

show eeprom

Displays the current EEPROM register settings. See Examples below for more information.

eeprom update

Modifies the EEPROM register settings if necessary after checking the contents of EEPROM registers 6 and 10 to ensure they contain the hexadecimal values 0x4701 and 0x40c0, respectively. If these registers contain different values, then all EEPROM register settings, except the MAC address registers, which were not affected by the problem, are reset to the correct values.


Usage Guidelines

The eeprom commands, added in version 5.2(4) and later, fix a caveat (CSCds76768) involving corruption of the EEPROM on the onboard Ethernet interfaces. For additional information, see the December 20, 2000 Field Notice, "Cisco Secure PIX Firewall: PIX-525 Ethernet EEPROM Programming Issue." This field notice is available at the following website:

/en/US/ts/fn/100/fn13021.html

The problem is summarized as follows:

If you configure the onboard Ethernet interfaces (ethernet0 and ethernet1) on a PIX 525 with a serial number of 44480380055 through 44480480044 to full-duplex, interface errors and throughput reductions may occur. If you configure the interfaces to half-duplex or to auto-sense, the speed and duplex function normally without error.

The eeprom command is designed to fix this problem and performs the same function as the "eedisk" utility without requiring access to ROM monitor mode. The two variants of the command are show eeprom, which indicates whether the Ethernet EEPROM programming is correct, and eeprom update, which reprograms it.

The show eeprom command displays the current EEPROM setting, and the eeprom update command modifies the settings if necessary. If the eeprom command does update the EEPROM settings, a reboot of the PIX Firewall is recommended.

The eeprom command verifies the EEPROM register settings and updates them if they are not set to the recommended values. The eeprom command does not update the settings if they are correct and does not recommend a reboot unless the settings are changed.

The eeprom update command checks the contents of EEPROM registers 6 and 10 to ensure they contain the hexadecimal values 0x4701 and 0x40c0, respectively. If these registers contain different values, then all EEPROM register settings except the MAC address registers, which were not affected by the problem causing CSCds76768, are reset to the correct values.

Each register is 16 bits. The correct register values are as follows:

Register          Name                             Value
Register 0 to 2   MAC address                      Differs on each system (unique)
Register 3        Compatibility Bits               0x3
Register 5        Controller and connector type    0x201
Register 6        Onboard PHY type                 0x4701
Register 10       Onboard Prom ID                  0x40C0
Register 12       Vendor ID, where 8086 is Intel   0x8086


Examples

The show eeprom command will display the current EEPROM register settings:

pix525# show eeprom
 eeprom settings for ifc0:
  reg0: 0x5000
  reg1: 0xfe54
  reg2: 0x65f6
  reg3: 0x3
  reg5: 0x201
  reg6: 0x4702
  reg10: 0x40c0
  reg12: 0x8086
 eeprom settings for ifc1:
  reg0: 0x5000
  reg1: 0xfe54
  reg2: 0x66f6
  reg3: 0x3
  reg5: 0x201
  reg6: 0x4702
  reg10: 0x40c0
  reg12: 0x8086
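When a fleet of units has to be checked from collected console captures rather than at each console, the same register test can be applied offline. The following Python script is an added example, not Cisco code: it parses show eeprom output in the format above, flags the interfaces whose registers 6 and 10 differ from 0x4701 and 0x40c0 (the values the page says eeprom update verifies), and lists every deviation from the register table for the report. The sample captures are constructed from the page's output, and registers 0 to 2 are skipped because they hold the unique MAC address.

```python
"""Apply the 'eeprom update' register check to saved 'show eeprom' output.

Added example, not Cisco code.  Parses the per-interface register listing
and reports which interfaces 'eeprom update' would reprogram: per the page,
the command tests registers 6 and 10 against 0x4701 and 0x40c0.  The other
registers are compared with the page's table for the report only; registers
0 to 2 hold the unique MAC address and are not compared.
"""
import re

EXPECTED = {3: 0x3, 5: 0x201, 6: 0x4701, 10: 0x40C0, 12: 0x8086}
UPDATE_TRIGGERS = (6, 10)

# Constructed from the page's 'show eeprom' sample: both ports carry the
# wrong PHY type value 0x4702 in register 6.
SAMPLE_BAD = """\
pix525# show eeprom
 eeprom settings for ifc0:
  reg0: 0x5000
  reg1: 0xfe54
  reg2: 0x65f6
  reg3: 0x3
  reg5: 0x201
  reg6: 0x4702
  reg10: 0x40c0
  reg12: 0x8086
 eeprom settings for ifc1:
  reg0: 0x5000
  reg1: 0xfe54
  reg2: 0x66f6
  reg3: 0x3
  reg5: 0x201
  reg6: 0x4702
  reg10: 0x40c0
  reg12: 0x8086
"""
SAMPLE_OK = SAMPLE_BAD.replace("0x4702", "0x4701")
SAMPLE_OTHER = "pix515# show eeprom\nThis unit is not a PIX-525.\n"

HEADER_RE = re.compile(r"\s*eeprom settings (?:for|on) (\S+?)[: ]")
REG_RE = re.compile(r"\s*reg(\d+): 0x([0-9a-f]+)", re.I)


def parse_show_eeprom(text):
    """Return {interface: {register_number: value}}; empty if no listing."""
    regs, current = {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            regs[current] = {}
            continue
        m = REG_RE.match(line)
        if m and current is not None:
            regs[current][int(m.group(1))] = int(m.group(2), 16)
    return regs


def needs_update(regs):
    """Interfaces where reg6/reg10 differ from the values eeprom update tests."""
    return sorted(ifc for ifc, r in regs.items()
                  if any(r.get(n) != EXPECTED[n] for n in UPDATE_TRIGGERS))


def deviations(regs):
    """{interface: {register: (found, expected)}} for every table mismatch."""
    out = {}
    for ifc, r in regs.items():
        bad = {n: (r.get(n), v) for n, v in EXPECTED.items() if r.get(n) != v}
        if bad:
            out[ifc] = bad
    return out


def audit(text):
    """Summary a reviewer can act on: status plus the interfaces to fix."""
    regs = parse_show_eeprom(text)
    if not regs:
        return {"status": "no eeprom listing (not a PIX 525?)", "fix": []}
    fix = needs_update(regs)
    return {"status": "update needed" if fix else "up to date", "fix": fix,
            "deviations": deviations(regs)}
```

On the page's sample output audit() reports both ifc0 and ifc1 as needing the update because of register 6; a capture from a unit that is not a PIX 525 yields no listing and is reported as such rather than as healthy.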

If the command is run on a unit that is not a PIX 525, the following will be seen:

pix515# show eeprom 
This unit is not a PIX-525. 
Type help or '?' for a list of available commands.

If the update needs to be run on the PIX 525, the eeprom update command returns the following:

pix525# eeprom update
 eeprom settings on ifc0 are being reset to defaults:
  reg0: 0x5000
  reg1: 0xfe54
  reg2: 0x65f6
  reg3: 0x3
  reg5: 0x201
  reg6: 0x4701
  reg10: 0x40c0
  reg12: 0x8086
eeprom settings on ifc1 are being reset to defaults:
  reg0: 0x5000
  reg1: 0xfe54
  reg2: 0x66f6
  reg3: 0x3
  reg5: 0x201
  reg6: 0x4701
  reg10: 0x40c0
  reg12: 0x8086
*** WARNING! *** WARNING! *** WARNING! *** WARNING! ***
 The system should be restarted as soon as possible.
*** WARNING! *** WARNING! *** WARNING! *** WARNING! ***

If the update has been run successfully, the eeprom command output will look like this:

pix525# eeprom update
 eeprom settings on ifc0 are already up to date:
  reg0: 0x5000
  reg1: 0xfe54
  reg2: 0x65f6
  reg3: 0x3
  reg5: 0x201
  reg6: 0x4701
  reg10: 0x40c0
  reg12: 0x8086
eeprom settings on ifc1 are already up to date:
  reg0: 0x5000
  reg1: 0xfe54
  reg2: 0x66f6
  reg3: 0x3
  reg5: 0x201
  reg6: 0x4701
  reg10: 0x40c0
  reg12: 0x8086


enable

Start privileged mode. (Unprivileged mode.)

enable

Usage Guidelines

The enable command starts privileged mode. The PIX Firewall prompts you for your privileged mode password. By default, a password is not required—press the Enter key at the Password prompt to start privileged mode. Use disable to exit privileged mode. Use enable password to change the password.

Examples

The following example shows how to start privileged mode with the enable command and then configuration mode with the configure terminal command.

pixfirewall> enable
Password: 
pixfirewall# configure terminal
pixfirewall(config)#

enable password

Set the privileged mode password. (Privileged mode.)

enable password password [encrypted]

show enable password

Syntax Description

password

A case-sensitive password of up to 16 alphanumeric characters.

encrypted

Specifies that the password you entered is already encrypted. The password must be 16 characters in length.


Usage Guidelines

The enable password command changes the privileged mode password, for which you are prompted after you enter the enable command. When the PIX Firewall starts and you enter privileged mode, the password prompt appears. There is not a default password (press the Enter key at the Password prompt). The show enable password command lists the encrypted form of the password.

You can return the enable password to its original value (press the Enter key at prompt) by entering the following command:

pixfirewall# enable password
pixfirewall# 


Note If you change the password, write it down and store it in a manner consistent with your site's security policy. Once you change this password, you cannot view it again. Also, ensure that all who access the PIX Firewall console are given this password.


Use the passwd command to set the password for Telnet access to the PIX Firewall console. The default passwd value is cisco.

See also: passwd.

Examples

The following examples show how to start privileged mode with the enable command, change the enable password with the enable password command, enter configuration mode with the configure terminal command, and display the contents of the current configuration with the write terminal command:

pixfirewall> enable
Password:
pixfirewall# enable password w0ttal1fe
pixfirewall# configure terminal
pixfirewall(config)# write terminal
Building configuration...
...
enable password 2oifudsaoid.9ff encrypted
...

The following example shows the use of the encrypted option:

enable password 1234567890123456 encrypted
show enable password
enable password 1234567890123456 encrypted

enable password 1234567890123456
show enable password
enable password feCkwUGktTCAgIbD encrypted

established

Permit return connections on ports other than those used for the originating connection based on an established connection. (Configuration mode.)

established dest_protocol dest_port [src_port] [permitto protocol dport [-dport]] [permitfrom protocol sport [-sport]]

no established dest_protocol dest_port [src_port] [permitto protocol dport [-dport]] [permitfrom protocol sport [-sport]]

clear established

show established

Syntax Description

dest_protocol

The destination protocol (TCP or UDP only).

dest_port

The destination port used for the established connection lookup. This is the originating traffic's destination port and may be specified as 0 if the protocol does not specify which destination port(s) will be used. Use wildcard ports (0) only when necessary.

src_port

The source port used for the established connection lookup. This is the originating traffic's source port and may be specified as 0 if the protocol does not specify which source port(s) will be used. Use wildcard ports (0) only when necessary.

permitto

Used to specify the return traffic's protocol and to which destination port(s) the traffic will be permitted.

dport

The destination port(s) to which the return traffic is permitted.

permitfrom

Used to specify the return traffic's protocol and from which source port(s) the traffic will be permitted.

sport

The source port(s) from which the return traffic is permitted.


Usage Guidelines

The established command allows outbound connections to receive return connections through the PIX Firewall. This command works with two connections: an original connection outbound from a network protected by the PIX Firewall, and a return connection inbound from the same external host to the same internal host.

The first protocol, destination port and optional source port specified is for the initial outbound connection. The permitto and permitfrom options refine the return inbound connection.


Note We recommend that you always specify the established command with the permitto and permitfrom options. Without these options, the use of the established command opens a security hole that can be exploited for attack of your internal systems. See the "Security Problem" section that follows for more information.


The permitto option allows you to specify a new protocol or port for the return connection at the PIX Firewall.

The permitfrom option allows you to specify a new protocol or port at the remote server.

The no established command disables the established feature.

The show established command shows the established commands in the configuration.

The clear established command removes all established command statements from your configuration.


Note For the established command to work properly, the client must listen on the port specified with the permitto option.


You can use the established command with the nat 0 command statement (where there are no global command statements).


Note The established command cannot be used with PAT (Port Address Translation).


The established command works as shown in the following format:

established A B C permitto D E permitfrom D F

This command works as though it were written "If there exists a connection between two hosts using protocol A from src port B destined for port C, permit return connections through the PIX Firewall via protocol D (D can be different from A), if the source port(s) correspond to F and the destination port(s) correspond to E."

For example:

established tcp 6060 0 permitto tcp 6061 permitfrom tcp 6059

In this case, if a connection is started by an internal host to an external host using TCP source port 6060 and any destination port, the PIX Firewall permits return traffic between the hosts via TCP destination port 6061 and TCP source port 6059.

For example:

established udp 0 6060 permitto tcp 6061 permitfrom tcp 1024-65535

In this case, if a connection is started by an internal host to an external host using UDP destination port 6060 and any source port, the PIX Firewall permits return traffic between the hosts via TCP destination port 6061 and TCP source port 1024-65535.

Security Problem

The established command has been enhanced to optionally specify the destination port used for connection lookups. Only the source port could be specified previously with the destination port being 0 (a wildcard). This addition allows more control over the command and provides support for protocols where the destination port is known, but the source port is not.

The established command can potentially open a large security hole in the PIX Firewall if not used with discretion. Whenever you use this command, if possible, also use the permitto and permitfrom options to indicate ports to which and from which access is permitted. Without these options, external systems to which connections are made could make unrestricted connections to the internal host involved in the connection. The following are examples of potentially serious security violations that could be allowed when using the established command.

Example:

established tcp 0 4000

With this example, if an internal system makes a TCP connection to an external host on port 4000, then the external host could come back in on any port using any protocol.

Example:

established tcp 0 0 (same as previous releases established tcp 0 command)

With this example, if something like the following exists:

static (inside,outside) 200.0.0.2 10.0.0.2 
access-list acl_grp permit tcp host 200.0.0.2 eq www any

an attacker need only make a web connection to 200.0.0.2 and can then make unrestricted connections using any protocol or ports.

Examples

The following example occurs when a local host 10.1.1.1 starts a TCP connection on port 9999 to a foreign host 209.165.201.1. The example allows packets from the foreign host 209.165.201.1 on port 4242 back to local host 10.1.1.1 on port 5454:

established tcp 9999 permitto tcp 5454 permitfrom tcp 4242

The next example allows packets from foreign host 209.165.201.1 on any port back to local host 10.1.1.1 on port 5454:

established tcp 9999 permitto tcp 5454
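To make the matching rule quoted above ("If there exists a connection between two hosts using protocol A ... permit return connections ... if the source port(s) correspond to F and the destination port(s) correspond to E") concrete, and to audit statements for the exposure the Security Problem section describes, here is a small Python model. It is an added example, not PIX code, and it reads the two lookup ports in the order the syntax line gives them (dest_port, then the optional src_port); several of the page's worked descriptions read the ports the other way round, so confirm the order against your own version's documentation before relying on it. Port 0 is treated as a wildcard and an omitted permitto or permitfrom as "any protocol, any port", which is exactly what makes the bare forms dangerous.

```python
"""Model the matching rule of the PIX 'established' command.

Added example, not PIX code.  Given an existing outbound connection using
protocol A from source port B to destination port C, a return connection
is permitted when its protocol is D, its destination port is within E
(permitto) and its source port within F (permitfrom).  0 is a wildcard;
an omitted permitto/permitfrom permits any protocol and any port.
Port order follows the page's syntax line: dest_port first, then src_port.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

PortSpec = Optional[Tuple[str, int, int]]   # (protocol, low, high)


@dataclass(frozen=True)
class Established:
    dest_protocol: str
    dest_port: int
    src_port: int = 0
    permitto: PortSpec = None
    permitfrom: PortSpec = None


def parse_established(line):
    """Parse e.g. 'established tcp 6060 0 permitto tcp 6061 permitfrom tcp 1024-65535'."""
    tok = line.split()
    if not tok or tok[0] != "established":
        raise ValueError("not an established statement")
    proto, dport = tok[1].lower(), int(tok[2])
    i, sport = 3, 0
    if i < len(tok) and tok[i].isdigit():          # optional src_port
        sport, i = int(tok[i]), i + 1
    opts = {}
    while i < len(tok):
        key = tok[i].lower()
        if key not in ("permitto", "permitfrom"):
            raise ValueError(f"unexpected token {tok[i]!r}")
        lo, _, hi = tok[i + 2].partition("-")      # 'port' or 'port-port'
        opts[key] = (tok[i + 1].lower(), int(lo), int(hi or lo))
        i += 3
    return Established(proto, dport, sport, opts.get("permitto"), opts.get("permitfrom"))


def _port_matches(rule_port, port):
    return rule_port == 0 or rule_port == port


def _spec_matches(spec, proto, port):
    if spec is None:                 # option omitted: any protocol, any port
        return True
    sproto, lo, hi = spec
    return sproto == proto and lo <= port <= hi


def return_permitted(rule, outbound, inbound):
    """outbound = (proto, src_port, dst_port) of the existing connection,
    inbound = (proto, src_port, dst_port) of the candidate return packet."""
    a, b, c = outbound
    if a != rule.dest_protocol or not _port_matches(rule.dest_port, c) \
            or not _port_matches(rule.src_port, b):
        return False                 # no matching original connection
    d, f, e = inbound
    return _spec_matches(rule.permitto, d, e) and _spec_matches(rule.permitfrom, d, f)


def risk_findings(rule):
    """The exposures the page's Security Problem section warns about."""
    findings = []
    if rule.permitto is None and rule.permitfrom is None:
        findings.append("no permitto/permitfrom: return traffic allowed on any protocol and port")
    elif rule.permitto is None:
        findings.append("no permitto: return traffic allowed to any destination port")
    elif rule.permitfrom is None:
        findings.append("no permitfrom: return traffic allowed from any source port")
    if rule.dest_port == 0 and rule.src_port == 0:
        findings.append("both lookup ports are wildcards: any outbound connection opens the hole")
    return findings
```

Feeding the statements from this page through risk_findings shows the difference: the fully qualified 6060/6061/6059 rule returns no findings, the "permitto only" form returns one, and established tcp 0 0 returns two, matching the page's warning that any web connection then permits unrestricted return traffic.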

XDMCP Support

PIX Firewall now provides support for XDMCP (X Display Manager Control Protocol) with assistance from the established command.


Note XDMCP is on by default, but will not complete the session unless the established command is used.


Example:

established tcp 0 6000 permitto tcp 6000 permitfrom tcp 1024-65535

This command allows internal XDMCP-equipped (UNIX or ReflectionX) hosts to access external XDMCP-equipped X Windows servers. UDP/177-based XDMCP negotiates a TCP-based X Windows session, and the subsequent TCP back connections will be permitted. Because the source port(s) of the return traffic are unknown, the src_port field should be specified as 0 (wildcard). The destination port, dest_port, will typically be 6000, the well-known X server port; more precisely, dest_port should be 6000 + n, where n is the local display number. Use the following UNIX command to change this value:

setenv DISPLAY hostname:displaynumber.screennumber

The established command is needed because many TCP connections are generated (based on user interaction) and the source port for these connections is unknown. Only the destination port will be static. The PIX Firewall does XDMCP fixups transparently. No configuration is required, but the established command is necessary to accommodate the TCP session. Be advised that using applications like this through the PIX Firewall may open up security holes. The X Windows system has been exploited in the past, and newly introduced exploits are likely to be discovered.

exit

Exit an access mode. (All modes.)

exit

Usage Guidelines

Use the exit command to exit from an access mode. This command is the same as quit.

Examples

The following example shows how to exit configuration mode and then privileged mode:

pixfirewall(config)# exit
pixfirewall# exit
pixfirewall>

failover

Change or view access to the optional failover feature. (Configuration mode.)

failover [active]

no failover

failover ip address if_name ip_address

failover link [stateful_if_name]

no failover link

failover poll seconds

failover replicate http

no failover replicate http

failover reset

no failover active

show failover

Syntax Description

active

Make a PIX Firewall the active unit. Use this command when you need to force control of the connection back to the unit you are accessing, such as when you want to switch control back from a unit after you have fixed a problem and want to restore service to the primary unit. Either enter no failover active on the secondary unit to switch service to the primary or failover active on the primary unit.

if_name

Interface on which the Standby unit resides.

ip_address

The IP address used by the Standby unit to communicate with the Active unit. Use this IP address with the ping command to check the status of the Standby unit. This address must be on the same network as the system IP address. For example, if the system IP address is 192.159.1.3, set the failover IP address to 192.159.1.4.

link

Specify the interface where a fast LAN link is available for Stateful Failover.

stateful_if_name

In addition to the failover cable, a dedicated fast LAN link is required to support Stateful Failover. Do not use FDDI because of its blocksize or Token Ring because Token Ring requires additional time to insert into the ring. The default interface is the highest LAN port with failover configured.

poll seconds

Specify how long failover waits before sending special failover "hello" packets between the Primary and Standby units over all network interfaces and the failover cable. The default is 15 seconds. The minimum value is 3 seconds and the maximum is 15 seconds. Set to a lower value for Stateful Failover. With a faster poll time, PIX Firewall can detect failure and trigger failover faster. However, faster detection may cause unnecessary switchovers when the network is temporarily congested or a network card starts slowly.

reset

Force both units back to an unfailed state. Use this command once the fault has been corrected. The failover reset command can be entered from either unit, but it is best to always enter commands at the Active unit. Entering the failover reset command at the Active unit will "unfail" the Standby unit.

replicate http

The [no] failover replicate http command allows the stateful replication of HTTP sessions in a Stateful Failover environment. The no form of this command disables HTTP replication in a Stateful Failover configuration. When HTTP replication is enabled, the show failover command displays the failover replicate http configuration. See the following for more information.


Usage Guidelines

Use the failover command without an argument after you connect the optional failover cable between your primary firewall and a secondary firewall. The default configuration has failover enabled. Enter no failover in the configuration file for the PIX Firewall if you will not be using the failover feature. Use the show failover command to verify the status of the connection and to determine which unit is active.


Note See "Failover" in Chapter 3, "Advanced Configurations," for configuration information.



Note For Failover, PIX Firewall requires any unused interfaces be given IP addresses and connected to the Standby unit for use in receiving Failover checkup messages.



Note Set the Stateful Failover dedicated interface to 100 Mbps full duplex using the 100full option to the interface command.


Use the failover active command to initiate a failover switch from the Standby unit, or the no failover active command from the Active unit to initiate a failover switch. You can use this feature to return a failed unit to service, or to force an Active unit offline for maintenance. Because the Standby unit does not keep state information on each connection, all active connections will be dropped and must be re-established by the clients.

Use the failover link command to enable Stateful Failover. The Stateful Failover interface can be either Ethernet or Token Ring interfaces. FDDI interfaces are supported for non-Stateful Failover interfaces. Enter no failover link to disable the Stateful Failover feature.

If a failover IP address has not been entered, show failover will display 0.0.0.0 for the IP address, and monitoring of the interfaces will remain in "waiting" state. A failover IP address must be set for failover to work.

The failover poll seconds command allows you to determine how long failover waits before sending special failover "hello" packets between the Primary and Standby units over all network interfaces and the failover cable. The default is 15 seconds. The minimum value is 3 seconds and the maximum is 15 seconds. Set to a lower value for Stateful Failover. With a faster poll time, PIX Firewall can detect failure and trigger failover faster. However, faster detection may cause unnecessary switchovers when the network is temporarily congested or a network card starts slowly.

When a failover cable connects two PIX Firewall units, the no failover command now disables failover until you enter the failover command to explicitly enable failover. Previously, when the failover cable connected two PIX Firewall units and you entered the no failover command, failover would automatically re-enable after 15 seconds.

If you reboot the PIX Firewall without entering the write memory command and the failover cable is connected, failover mode automatically enables.

You can also view the information from the show failover command using SNMP. Refer to "Using the Firewall and Memory Pool MIBs" in Chapter 3, "Advanced Configurations," for more information.

A failover configuration example is provided in "Failover Configuration" in Chapter 4, "Configuration Examples."

Examples

The following output shows that failover is enabled, and that the Primary unit state is active:

pixfirewall (config)# show failover
       Failover On
       Cable status:Normal
       Reconnect timeout 0:00:00
       Poll frequency 15 seconds
       failover replication http
               This host:Secondary - Standby
                       Active time:0 (sec)
                       Interface FailLink (172.16.31.2):Normal
                       Interface 4th (172.16.16.1):Normal
                       Interface int5 (192.168.168.1):Normal
                       Interface intf2 (192.168.1.1):Normal
                       Interface outside (209.165.200.225):Normal
                       Interface inside (10.1.1.4):Normal
               Other host:Primary - Active
                       Active time:242145 (sec)
                       Interface FailLink (172.16.31.1):Normal

The rest of command output is omitted.


The "Cable status" has these values:

Normal—Indicates that the Active unit is working and that the Standby unit is ready.

Waiting—Indicates that monitoring of the other unit's network interfaces has not yet started.

Failed—Indicates that the PIX Firewall has failed.

The "Stateful Obj" has these values:

Xmit—Indicates the number of packets transmitted.

Xerr—Indicates the number of transmit errors.

Rcv—Indicates the number of packets received.

Rerr—Indicates the number of receive errors.

Each row gives the counts for a particular stateful object type:

General—the sum of all stateful objects.

Sys cmd—refers to logical update system commands, such as login or stay alive.

Up time—the value for PIX Firewall up time which the active PIX Firewall unit will pass on to the standby unit.

Xlate—the PIX Firewall translation information.

Tcp conn—the PIX Firewall dynamic TCP connection information.

Udp conn—the PIX Firewall dynamic UDP connection information.

ARP tbl—the PIX Firewall dynamic ARP table information.

RIF tbl—the dynamic router table information.

You can view the IP addresses of the standby unit with the show ip address command:

show ip address
System IP Addresses:
        ip address outside 209.165.201.2 255.255.255.224
        ip address inside 192.168.2.1 255.255.255.0
        ip address perimeter 192.168.70.3 255.255.255.0
Current IP Addresses:
        ip address outside 209.165.201.2 255.255.255.224
        ip address inside 192.168.2.1 255.255.255.0
        ip address perimeter 192.168.70.3 255.255.255.0

The Current IP Addresses are the same as the System IP Addresses on the failover active unit. When the primary unit fails, the Current IP Addresses become those of the standby unit.

The standby Logical Update Statistics output that displays when you use the show failover command only describes Stateful Failover. The "xerrs" value does not indicate an error in failover, but rather the number of packet transmit errors.

filter

Enable or disable outbound URL or HTML object filtering. (Configuration mode.)

filter activex port local_ip mask foreign_ip mask

no filter activex port local_ip mask foreign_ip mask

filter java port[-port] local_ip mask foreign_ip mask

no filter java port[-port] local_ip mask foreign_ip mask

filter url port|except local_ip local_mask foreign_ip foreign_mask [allow]

no filter url port | except [local_ip local_mask foreign_ip foreign_mask]

clear filter

show filter

Syntax Description

activex

Block ActiveX controls, Java applets, and other HTML <object> tags in outbound packets.

java

Block Java applets returning to the PIX Firewall as a result of an outbound connection.

url

Filter URLs (Universal Resource Locators) from data moving through the PIX Firewall.

except

filter url only: Create an exception to a previous filter condition.

port

The Web traffic port. Typically, this is port 80, but other values are accepted. The http literal can be used for port 80.

port[-port]

filter java only: One or more ports on which Java applets may be received.

local_ip

The IP address of the highest security level interface from which access is sought. You can set this address to 0.0.0.0 (or in shortened form, 0) to specify all hosts.

local_mask

Network mask of local_ip. You can use 0.0.0.0 (or in shortened form, 0) to specify all hosts.

foreign_ip

The IP address of the lowest security level interface to which access is sought. You can use 0.0.0.0 (or in shortened form, 0) to specify all hosts.

foreign_mask

Network mask of foreign_ip. Always specify a specific mask value. You can use 0.0.0.0 (or in shortened form, 0) to specify all hosts.

allow

filter url only: When the server is unavailable, let outbound connections pass through PIX Firewall without filtering. If you omit this option, and if the Websense server goes offline, PIX Firewall stops outbound port 80 (Web) traffic until the Websense server is back online.


Usage Guidelines

The sections that follow describe each type of filter. The clear filter command removes all filter commands from the configuration. The show filter command lists all filter commands in the configuration.

filter activex

The filter activex command filters out ActiveX, Java applets, and other HTML <object> usages from outbound packets. ActiveX controls, formerly known as OLE or OCX controls, are components you can insert in a web page or other application. These controls include custom forms, calendars, or any of the extensive third-party forms for gathering or displaying information.

As a technology, ActiveX creates many potential problems for network clients, including causing workstations to fail, introducing network security problems, or being used to attack servers.

This feature blocks the HTML <object> tag and comments it out within the HTML web page.


Note The <object> tag is also used for Java applets, image files, and multimedia objects, which will also be blocked by the filter activex command. If the <object> or </object> HTML tags are split across network packets, or if the code in the tags is longer than the number of bytes in the MTU, PIX Firewall cannot block the tag.



Note ActiveX blocking does not occur when users access an IP address referenced by the alias command.


Examples

To specify that all outbound connections have ActiveX blocking, use the following command:

filter activex 80 0 0 0 0

This command specifies that the ActiveX blocking applies to Web traffic on port 80 from any local host and for connections to any foreign host.
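The following Python model, added here and not part of the PIX Firewall or its documentation, shows what "comments out" the <object> tag means and why the Note above matters: the element is wrapped in an HTML comment so the browser ignores it, but inspection is per packet, so an element whose opening and closing tags arrive in different packets is not recognized. The page content, the packet split point and the regular expression are constructed for the example; the PIX's own matcher is not documented here.

```python
import re

# A complete <object ...>...</object> element contained in one buffer.
# Constructed matcher for this example; the PIX's own matcher is not published.
OBJECT_RE = re.compile(rb"<object\b.*?</object\s*>", re.IGNORECASE | re.DOTALL)


def comment_out_objects(payload: bytes) -> bytes:
    """Neutralise every complete <object> element in one packet payload by
    wrapping it in an HTML comment. The page still renders; the object does not."""
    def wrap(m):
        # A literal '--' inside a comment would end the comment early, so break it up.
        inner = m.group(0).replace(b"--", b"- -")
        return b"<!-- " + inner + b" -->"
    return OBJECT_RE.sub(wrap, payload)


def filter_packets(packets):
    """Per-packet inspection with no reassembly, as the documentation describes."""
    return b"".join(comment_out_objects(p) for p in packets)


# Constructed page: one ActiveX control and one multimedia object. Both use
# <object>, so both are blocked, as the Note above says.
PAGE = (b"<html><body><p>Welcome</p>"
        b'<object classid="clsid:EXAMPLE-ACTIVEX"><param name="cmd" value="x"></object>'
        b'<object data="clip.mov" type="video/quicktime"></object>'
        b"<p>Footer</p></body></html>")


def objects_blocked(html: bytes) -> int:
    """Count the <object> elements that ended up inside a comment."""
    return html.count(b"<!-- <object")


def demo():
    # Case 1: the whole page fits in one packet; both elements are blocked.
    one_packet = filter_packets([PAGE])
    # Case 2: the first element is split across two packets; only the second,
    # which is complete inside one packet, is blocked.
    cut = PAGE.index(b"<param")
    two_packets = filter_packets([PAGE[:cut], PAGE[cut:]])
    return objects_blocked(one_packet), objects_blocked(two_packets)


if __name__ == "__main__":
    print(demo())  # (2, 1)
```

Case 2 is the situation the Note describes: nothing malicious is needed to defeat a per-packet matcher, an ordinary packet boundary in the middle of the element is enough, which is why the filter should be treated as a best-effort control rather than a guarantee.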

filter java

The filter java command filters out Java applets that return to the PIX Firewall from an outbound connection. The user still receives the HTML page, but the web page source for the applet is commented out so that the applet cannot execute. Use 0 for the local_ip or foreign_ip IP addresses to mean all hosts.


Note If Java applets are known to be in <object> tags, use the filter activex command to remove them.


Examples

To specify that all outbound connections have Java applet blocking, use the following command:

filter java 80 0 0 0 0

This command specifies that the Java applet blocking applies to Web traffic on port 80 from any local host and for connections to any foreign host.

filter url

The filter url command allows you to prevent outbound users from accessing World Wide Web URLs that you designate using the Websense filtering application.

The allow option to the filter command determines how the PIX Firewall behaves in the event that the Websense server goes offline. If you use the allow option with the filter command and the Websense server goes offline, port 80 traffic passes through the PIX Firewall without filtering. Used without the allow option and with the server offline, PIX Firewall stops outbound port 80 (Web) traffic until the server is back online, or if another URL server is available, passes control to the next URL server.


Note With the allow option set, PIX Firewall now passes control to an alternate server if the Websense server goes offline.


The Websense Server works with the PIX Firewall to deny users access to web sites based on the company security policy.

Websense protocol version 4 enables group and username authentication between a host and a PIX Firewall. The PIX Firewall performs a username lookup, and then the Websense server handles URL filtering and username logging.

Websense protocol version 4 contains the following enhancements:

URL filtering allows the PIX Firewall to check outgoing URL requests against the policy defined on the Websense server.

Username logging tracks username, group, and domain name on the Websense server.

Username lookup enables the PIX Firewall to use the user authentication table to map the host's IP address to the username.

Follow these steps to filter URLs:


Step 1 Designate a Websense server with the url-server command.

Step 2 Enable filtering with the filter command.

Step 3 If needed, improve throughput with the url-cache command. However, this command does not update Websense logs, which may affect Websense accounting reports. Accumulate Websense run logs before using the url-cache command.

Step 4 Use the show url-cache stats and the show perfmon commands to view run information.


Information on Websense is available at the following website:

http://www.websense.com/

Examples

The following example filters all outbound HTTP connections except those from the 10.0.2.54 host:

url-server (perimeter) host 10.0.1.1
filter url 80 0 0 0 0
filter url except 10.0.2.54 255.255.255.255 0 0

The following example filters all outbound HTTP connections received from a proxy server that sends Web traffic on port 8080:

filter url 8080 0 0 0 0

fixup protocol

Change, enable, disable, or list a PIX Firewall application protocol feature. (Configuration mode.)

fixup protocol ftp [strict] [port]

fixup protocol http [port[-port]]

fixup protocol h323 [port[-port]]

fixup protocol rsh [514]

fixup protocol rtsp [port]

fixup protocol sip [5060]

fixup protocol smtp [port[-port]]

fixup protocol sqlnet [port[-port]]

fixup protocol [protocol [skinny | sip | ...]] [port]

no fixup protocol [protocol] [port]

clear fixup

show fixup [protocol protocol]

show conn state [skinny | sip]

show timeout sip

Syntax Description

fixup protocol

Performs enabling, disabling, viewing, or changing the configuration of a service or protocol through the PIX Firewall.

no

Disables the fixup of a protocol by removing all fixups of the protocol from the configuration. After you remove all fixups for a protocol, either the no fixup form of the command or the default port is stored in the configuration.

port 

The port over which the designated protocol travels. Specify the port number or range for the application protocol. The default ports are: TCP 21 for ftp, TCP 80 for http, TCP 1720 for h323, TCP 514 for rsh, TCP 554 for rtsp, TCP 25 for smtp, TCP 1521 for sqlnet, and TCP 5060 for sip. The default port value for rsh cannot be changed, but additional port statements can be added. See the "Ports" section in Chapter 1, "Introduction," for a list of valid port literal names.

strict

Prevent web browsers from sending embedded commands in FTP requests. Each FTP command must be acknowledged before a new command is allowed. Connections sending embedded commands are dropped.

protocol

Specifies the protocol to fix up.

sip

Enable SIP.

show conn state

Displays the connection state of the designated protocol.

show fixup

The show fixup command lists all values or the show fixup protocol protocol command lists an individual protocol.

show timeout

Displays the timeout value of the designated protocol.

show timeout skinny

Displays the timeout value of the SCCP.

skinny

Enable SCCP. SCCP protocol supports IP telephony and can coexist in an H.323 environment. An application layer ensures that all SCCP signaling and media packets can traverse the PIX Firewall and interoperate with H.323 terminals.

update timeout

Updates the timeout value of the SCCP.


Defaults

The default for fixup protocol sip is 5060.

The default for fixup protocol skinny is 2000.

Usage Guidelines

SCCP (skinny) protocol supports IP telephony and can coexist in an H.323 environment. An application layer ensures that all SCCP signaling and media packets can traverse the PIX Firewall and interoperate with H.323 terminals.

To support SIP calls through the PIX Firewall, the signaling messages must be inspected for the media connection addresses, media ports, and embryonic connections for the media, because while the signaling is sent over a well known destination port (UDP/TCP 5060), the media streams are dynamically allocated. SIP is a text-based protocol, and the IP addresses appear throughout the message text; the packets are inspected and NAT is applied to those addresses.


Note If Call Manager (CM) is configured for NAT and outside phones register to it via TFTP, the connection will fail because PIX Firewall currently does not support NAT TFTP messages.


For additional information about the SIP protocol see RFC 2543. For additional information about the Session Description Protocol (SDP) see RFC 2327.

The fixup protocol commands let you view, change, enable, or disable the use of a service or protocol through the PIX Firewall. The ports you specify are those that the PIX Firewall listens at for each respective service. You can change the port value for each service except rsh and sip. The fixup protocol commands are always present in the configuration and are enabled by default.

The fixup protocol command performs the Adaptive Security Algorithm based on different port numbers other than the defaults. This command is global and changes things for both inbound and outbound connections, and cannot be restricted to any static command statements.

The clear fixup command removes fixup commands from the configuration that you added. It does not remove the default fixup protocol commands.

The show fixup command lists all values or the show fixup protocol protocol command lists an individual protocol.

You can disable the fixup of a protocol by removing all fixups of the protocol from the configuration using the no fixup command. After you remove all fixups for a protocol, the no fixup form of the command or the default port is stored in the configuration.

The following lists the default fixup protocol values (those enabled when a PIX Firewall is first installed). You can view the fixup protocol settings with the show fixup command as follows:

show fixup
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060

fixup protocol ftp

The FTP port can be changed; however, if you change the default of port 21 to something like 2021, all FTP control connections must happen on port 2021. FTP control connections on port 21 will no longer work.

If you disable FTP fixups with the no fixup protocol ftp command, outbound users can start connections only in passive mode, and all inbound FTP is disabled.

The strict option to the fixup protocol ftp command prevents web browsers from sending embedded commands in FTP requests. Each FTP command must be acknowledged before a new command is allowed. Connections sending embedded commands are dropped. The strict option only lets an FTP server generate the 227 command and only lets an FTP client generate the PORT command. The 227 and PORT commands are checked to ensure they do not appear in an error string.

The port parameter allows you to specify the port at which the PIX Firewall listens for FTP traffic. Typically, this value is 21. In addition, the FTP port can now only be in the range of 1 to 1024.
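The rules of the strict option above (one command per segment, each command acknowledged before the next, 227 only from the server, PORT only from the client, and neither treated as a data-channel command when it merely appears in an error string) can be expressed as a small per-connection state machine. The following Python inspector is an added example, not PIX code, and its transcript, hosts (10.1.1.4 and 209.165.201.5) and ports are constructed; the real firewall tears down the whole connection on a violation, whereas this model reports a verdict per segment and continues so that every rule can be shown in one session.

```python
import re

# RFC 959 address encoding h1,h2,h3,h4,p1,p2 used by both PORT and the 227 reply.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$", re.IGNORECASE)
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
REPLY_RE = re.compile(r"^(\d{3})([ -])")  # 3-digit code; '-' marks a continuation line


def _endpoint(match):
    """Turn the six comma-separated numbers into an (ip, port) tuple."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in match.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


class StrictFtpInspector:
    """State for one FTP control channel under 'fixup protocol ftp strict' rules."""

    def __init__(self):
        self.awaiting_reply = False  # a client command has not been acknowledged yet
        self.pinholes = []           # data-channel endpoints the firewall would permit

    def from_client(self, segment):
        lines = segment.split("\r\n")
        # A well-formed segment is exactly one CRLF-terminated command; anything
        # more is an embedded command and the connection would be dropped.
        if len(lines) != 2 or lines[1] != "":
            return ("drop", "embedded or unterminated command")
        cmd = lines[0]
        if self.awaiting_reply:
            return ("drop", "command sent before the previous one was acknowledged")
        if cmd.startswith("227"):
            return ("drop", "only the server may generate 227")
        self.awaiting_reply = True
        m = PORT_RE.match(cmd)
        if m:  # the one data-channel command a client may issue
            self.pinholes.append(_endpoint(m))
            return ("pass", self.pinholes[-1])
        return ("pass", None)

    def from_server(self, segment):
        for line in (l for l in segment.split("\r\n") if l):
            if line.upper().startswith("PORT "):
                return ("drop", "only the client may generate PORT")
            reply = REPLY_RE.match(line)
            if not reply:
                return ("drop", "malformed reply")
            code, sep = reply.groups()
            if sep == " ":
                self.awaiting_reply = False  # final reply line acknowledges the command
            if code == "227":
                m = PASV_RE.match(line)
                if not m:
                    return ("drop", "malformed 227 reply")
                self.pinholes.append(_endpoint(m))
                return ("pass", self.pinholes[-1])
            # A 4xx/5xx error whose text merely mentions PORT or 227 is an error
            # string, not a data-channel command: no pinhole is opened for it.
        return ("pass", None)


def demo():
    """Constructed session exercising each strict-mode rule."""
    insp = StrictFtpInspector()
    results = [
        insp.from_client("USER anonymous\r\n"),
        insp.from_client("PASS guest\r\n"),             # drop: USER not yet acknowledged
        insp.from_server("331 Please specify the password.\r\n"),
        insp.from_client("PASS guest\r\n"),
        insp.from_server("230 Login successful.\r\n"),
        insp.from_client("PORT 10,1,1,4,7,209\r\n"),     # pinhole 10.1.1.4:2001
        insp.from_server("200 PORT command successful.\r\n"),
        insp.from_client("PASV\r\nRETR x\r\n"),          # drop: two embedded commands
        insp.from_client("PASV\r\n"),
        insp.from_server("227 Entering Passive Mode (209,165,201,5,195,80).\r\n"),  # pinhole :50000
        insp.from_client("RETR x\r\n"),
        insp.from_server("500 'PORT 1,2,3,4,5,6': command not understood.\r\n"),  # error string, no pinhole
    ]
    return results, insp.pinholes


if __name__ == "__main__":
    for verdict in demo()[0]:
        print(verdict)
```

The pinhole list is the security-relevant output: it is exactly the set of dynamic data connections the firewall would have to permit, and the strict checks exist so that only a genuine client PORT or server 227 can add to it.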

fixup protocol h323

The fixup protocol h323 command provides support for Intel InternetPhone, CU-SeeMe, CU-SeeMe Pro, MeetingPoint, and MS NetMeeting. Version 5.3 and higher supports H.323 version 2. H.323 is a suite of protocols defined by the International Telecommunication Union (ITU) for multimedia conferences over LANs. H.323 supports VoIP gateways and VoIP gatekeepers. H.323 version 2 adds the following functionality to the PIX Firewall:

Fast Connect or Fast Start Procedure for faster call setup

H.245 tunneling for resource conservation, call synchronization, and reduced set up time

fixup protocol http


Note If there is a no fixup protocol http command statement in the configuration, the filter url command does not work.


fixup protocol rtsp

The fixup protocol rtsp command lets PIX Firewall pass RTSP (Real Time Streaming Protocol) packets. RTSP is used by RealAudio, RealNetworks, Apple QuickTime 4, RealPlayer, and Cisco IP/TV connections. PIX Firewall does not support multicast RTSP.

If you are using Cisco IP/TV, use RTSP TCP port 554 and TCP 8554:

fixup protocol rtsp 554
fixup protocol rtsp 8554

The following restrictions apply to the fixup protocol rtsp command:

1. PIX Firewall does not fix up RTSP messages passing through UDP ports.

2. PIX Firewall does not support the RealNetwork's multicast mode (x-real-rdt/mcast).

3. PAT is not supported with the fixup protocol rtsp command.

4. PIX Firewall does not have the ability to recognize HTTP cloaking where RTSP messages are hidden in the HTTP messages.

5. PIX Firewall cannot perform NAT on RTSP messages because the embedded IP addresses are contained in the SDP files as part of HTTP or RTSP messages. Packets could be fragmented and PIX Firewall cannot perform NAT on fragmented packets.

6. With Cisco IP/TV, the number of NATs the PIX Firewall performs on the SDP part of the message is proportional to the number of program listings in the Content Manager (each program listing can have at least six embedded IP addresses).

7. You can configure NAT for Apple QuickTime 4 or RealPlayer. Cisco IP/TV only works with NAT if the Viewer and Content Manager are on the outside network and the server is on the inside network.

8. When using RealPlayer, it is important to properly configure transport mode. For the PIX Firewall, add an access-list command statement from the server to the client or vice versa. For RealPlayer, change transport mode by clicking Options>Preferences>Transport>RTSP Settings.

If using TCP mode on the RealPlayer, select the check boxes for Use TCP to Connect to Server and Attempt to use TCP for all content. On the PIX Firewall, there is no need to configure the fixup.

If using UDP mode on the RealPlayer, select the check boxes for Use TCP to Connect to Server and Attempt to use UDP for static content, and for live content not available via Multicast. On the PIX Firewall, add a fixup protocol rtsp port command statement.

fixup protocol sip

The fixup protocol sip command enables SIP on the interface. SIP enables call handling sessions—particularly two-party audio conferences, or "calls." SIP works with Session Description Protocol (SDP) for call signalling. SDP specifies the ports for the media stream. Using SIP, the PIX Firewall can support any SIP Voice over IP (VoIP) gateways and VoIP proxy servers.

Session initiation protocol (SIP), as defined by the Internet Engineering Task Force (IETF), enables call handling sessions, particularly two-party audio conferences, or "calls." SIP works with Session Description Protocol (SDP) for call signalling. SDP specifies the ports for the media stream. Using SIP, the PIX Firewall can support any SIP Voice over IP (VoIP) gateways and VoIP proxy servers. SIP and SDP are defined in the following RFCs:

SIP: session initiation protocol, RFC 2543

SDP: Session Description Protocol, RFC 2327
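To make concrete what the Usage Guidelines above mean by inspecting SIP text for addresses and media ports and applying NAT to them, here is an added Python model of that inspection; it is not PIX code and the page does not list which fields the firewall rewrites. The example assumes the Via and Contact headers plus the SDP o= and c= lines are translated, fixes Content-Length after the rewrite, and extracts the media endpoints from c= and m= that would need pinholes. The INVITE, the inside address 192.168.1.10 and its global address 209.165.200.230 are constructed.

```python
import re

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Assumption for this example: header fields whose embedded addresses the
# remote party will send traffic back to, so they must show the global address.
REWRITE_HEADERS = {"via", "contact"}
# SDP lines that carry IP addresses (o= origin, c= connection data).
SDP_ADDR_LINES = ("o=", "c=")


def translate(text, nat_map):
    """Replace every inside address found in text with its global address."""
    return IPV4_RE.sub(lambda m: nat_map.get(m.group(0), m.group(0)), text)


def inspect_sip(message, nat_map):
    """Return (rewritten message, [(media_ip, media_port), ...])."""
    head, sep, body = message.partition("\r\n\r\n")
    if sep != "\r\n\r\n":
        raise ValueError("SIP message without header/body separator")

    # 1. Rewrite the selected header fields.
    header_lines = []
    for line in head.split("\r\n"):
        name = line.split(":", 1)[0].strip().lower()
        if name in REWRITE_HEADERS:
            line = translate(line, nat_map)
        header_lines.append(line)

    # 2. Rewrite the SDP address lines; media ports stay as they are.
    body_lines = [translate(l, nat_map) if l.startswith(SDP_ADDR_LINES) else l
                  for l in body.split("\r\n")]
    new_body = "\r\n".join(body_lines)

    # 3. The rewritten addresses may be longer, so Content-Length must be updated
    #    or the far end will misparse the message.
    header_lines = [re.sub(r"(?i)^(Content-Length:\s*)\d+",
                           lambda m: m.group(1) + str(len(new_body)), l)
                    for l in header_lines]

    # 4. Media pinholes: session-level c= gives the address, each m= gives a port.
    conn = re.search(r"^c=IN IP4 (\S+)", new_body, re.M)
    ports = [int(p) for p in re.findall(r"^m=\S+ (\d+)", new_body, re.M)]
    pinholes = [(conn.group(1), p) for p in ports] if conn else []

    return "\r\n".join(header_lines) + "\r\n\r\n" + new_body, pinholes


# Constructed sample: an inside phone inviting an outside party.
INSIDE = "192.168.1.10"
GLOBAL = "209.165.200.230"
NAT_MAP = {INSIDE: GLOBAL}

SDP = ("v=0\r\n"
       f"o=alice 2890844526 2890844526 IN IP4 {INSIDE}\r\n"
       "s=-\r\n"
       f"c=IN IP4 {INSIDE}\r\n"
       "t=0 0\r\n"
       "m=audio 49170 RTP/AVP 0\r\n")

INVITE = ("INVITE sip:bob@209.165.201.20 SIP/2.0\r\n"
          f"Via: SIP/2.0/UDP {INSIDE}:5060;branch=z9hG4bK776asdhds\r\n"
          f"From: Alice <sip:alice@{INSIDE}>;tag=1928301774\r\n"
          "To: Bob <sip:bob@209.165.201.20>\r\n"
          f"Contact: <sip:alice@{INSIDE}:5060>\r\n"
          "Content-Type: application/sdp\r\n"
          f"Content-Length: {len(SDP)}\r\n"
          "\r\n" + SDP)


if __name__ == "__main__":
    rewritten, holes = inspect_sip(INVITE, NAT_MAP)
    print(rewritten)
    print(holes)  # [('209.165.200.230', 49170)]
```

The pinhole list is why the signaling has to be inspected at all: without it the firewall has no way to know that UDP 49170 to the translated address belongs to this call, and the only alternatives are a static opening for the whole RTP range or no inbound media.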

fixup protocol smtp

The fixup protocol smtp command enables the Mail Guard feature, which only lets mail servers receive the RFC 821, section 4.5.1 commands of HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT. All other commands are rejected with the "500 command unrecognized" reply code.

In version 5.1 and later, the fixup protocol smtp command changes the characters in the SMTP banner to asterisks except for the "2", "0", "0" characters. Carriage return (CR) and linefeed (LF) characters are ignored.

In version 4.4, all characters in the SMTP banner are converted to asterisks.
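The command restriction that Mail Guard applies is easy to state but has one subtlety worth seeing in code: after DATA is accepted with a 354 reply, the lines the client sends are message content, not commands, and must pass untouched until the terminating ".". The following Python model is an added example, not the PIX implementation, and covers only the RFC 821 command allowlist with its "500 command unrecognized" reply (banner masking is left out); the SMTP session transcript is constructed.

```python
# RFC 821 section 4.5.1 minimum command set: the only verbs Mail Guard forwards.
ALLOWED_VERBS = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
REJECT_REPLY = "500 command unrecognized"


class MailGuard:
    """Tracks one SMTP session so that message content after DATA is not
    mistaken for commands."""

    def __init__(self):
        self.data_pending = False  # DATA forwarded, waiting for the server's 354
        self.in_data = False       # client is sending message content

    def from_client(self, line):
        """Return (forward, reply): forward the line to the server, or answer
        the client directly with `reply` and drop the line."""
        if self.in_data:
            if line == ".":
                self.in_data = False  # end of message content
            return (True, None)       # content lines are never filtered as commands
        verb = line.split(" ", 1)[0].upper()
        if verb not in ALLOWED_VERBS:
            return (False, REJECT_REPLY)
        if verb == "DATA":
            self.data_pending = True
        return (True, None)

    def from_server(self, line):
        """Server replies pass unchanged; a 354 to a pending DATA opens content mode."""
        if self.data_pending:
            self.in_data = line.startswith("354")
            self.data_pending = False
        return (True, None)


# Constructed session: "C" lines come from the client, "S" lines from the server.
SESSION = [
    ("C", "EHLO mail.example.com"),            # not in the RFC 821 set: rejected
    ("C", "HELO mail.example.com"),
    ("S", "250 mx.example.net"),
    ("C", "MAIL FROM:<alice@example.com>"),
    ("S", "250 OK"),
    ("C", "VRFY bob"),                          # rejected
    ("C", "RCPT TO:<bob@example.net>"),
    ("S", "250 OK"),
    ("C", "DATA"),
    ("S", "354 End data with <CR><LF>.<CR><LF>"),
    ("C", "Subject: hello"),
    ("C", "EXPN staff"),                        # message content, forwarded as-is
    ("C", "."),
    ("S", "250 OK: queued"),
    ("C", "QUIT"),
]


def run_session(session=SESSION):
    """Apply Mail Guard to every line of a session; returns one verdict per line."""
    guard = MailGuard()
    return [guard.from_client(line) if side == "C" else guard.from_server(line)
            for side, line in session]


if __name__ == "__main__":
    for (side, line), verdict in zip(SESSION, run_session()):
        print(side, line, "->", verdict)
```

The EHLO line shows a practical consequence of the allowlist: a client that offers ESMTP gets a 500 and has to fall back to HELO, which is why Mail Guard is usually noticed first as "extensions stop working" rather than as a security feature.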

fixup protocol sqlnet


Note PIX Firewall uses port 1521 for SQL*Net. This is the default port used by Oracle for SQL*Net; however, this value does not agree with IANA port assignments.


Exa