PDM Supported CLI Commands

Table Of Contents

PDM Support for PIX Firewall CLI Commands

Parse and Allow Changes

Parse Without Allowing Changes

Parse and Only Permit Access to the Monitoring Tab

Only Display in Unparseable Command List


PDM Support for PIX Firewall CLI Commands


This appendix describes how PDM handles PIX Firewall CLI (command-line interface) commands.

This appendix includes the following sections:

Parse and Allow Changes

Parse Without Allowing Changes

Parse and Only Permit Access to the Monitoring Tab

Only Display in Unparseable Command List


Note PIX Firewall commands that you enter at the command line but that do not appear in the configuration are not supported in PDM. These are the clock, configure, copy, debug, disable, enable, exit, flashfs, help, perfmon, quit, session, and setup commands. The clear uauth, kill, ping, reload, show, who, and write commands, which also do not appear in the configuration, are incorporated directly into the PDM interface.



Note PDM does not currently support VPN and IPSec commands. These are the ca, crypto, ip local pool, and vpdn commands. The one exception is the isakmp identity command, which is supported for use with the SSL feature of PDM.


Parse and Allow Changes

Table A-1 lists the commands that PDM fully supports. PDM parses these commands in a PIX Firewall configuration and lets you change them; their presence does not prevent PDM from operating normally.

Exceptions are noted in the table; they occur when PDM cannot parse certain combinations of command statements. For every exception, the Parse and Only Permit Access to the Monitoring Tab section explains how to correct the problem. Commands that PDM cannot parse stay in the configuration, their values cannot be changed with PDM, and they appear in the list of unparseable commands.

Table A-1 Commands That PDM Parses and Allows in Configuration 

Command
Description

aaa command, include option

Enable, disable, or view TACACS+ or RADIUS user authentication, authorization, and accounting for the server previously designated with the aaa-server command.

aaa command, match acl_name option

Apply authentication, authorization, or accounting to an access list. Exception: PDM cannot parse this command if an access-group command statement shares the same acl_name.

aaa-server

Specify an AAA server.

access-list and access-group

Create an access list and bind it to an interface.

Exceptions: PDM cannot parse these commands if:

Combining the access-list command with the conduit and/or outbound command.

Configuring access-list command statements without an associated access-group command, unless the access-list command statement is used in conjunction with an aaa command statement.

Configuring multiple access-group command statements with the same acl_name for different interfaces.

Using an acl_name for multiple purposes, such as in an access-group command and in an aaa command, or in an aaa authentication match command statement and in an aaa authorization match command statement.

apply

Apply outbound command statements to an interface.

auth-prompt

Change the AAA challenge text.

conduit

Add, delete, or show conduits through the PIX Firewall for incoming connections. Exception: PDM cannot parse this command if you combine it with the access-list command.

dhcp

Implement the DHCP server feature.

domain-name

Specify the PIX Firewall domain.

enable password

Set the privileged mode password.

failover

Change or view access to the optional failover feature.

filter

Enable or disable outbound URL or HTML object filtering.

fixup protocol

Change, enable, disable, or list a PIX Firewall application protocol feature.

global

Create or delete entries from a pool of global addresses.

hostname

Change the host name in the PIX Firewall command line prompt.

http

Configure PDM access.

icmp

Enable or disable pinging to an interface.

interface

Identify network interface speed and duplex.

ip address

Identify addresses for network interfaces.

ip audit

Configure IDS signature use.

ip verify reverse-path

Implement unicast RPF IP spoofing protection.

logging

Enable or disable syslog and SNMP logging.

name

Associate a name with an IP address.

nameif

Specify name and security level for an interface.

nat

Associate a network with a pool of global IP addresses.

outbound

Create an access list to control outbound connections.

Exceptions:

Using the outbound command with the except option.

Combining the access-list command with the conduit and/or outbound command.

passwd

Set the password for Telnet access to the firewall console.

pdm

Specify PDM commands.

rip

Change RIP settings.

route

Enter a static or default route for the specified interface.

service resetinbound

Send a TCP reset in response to denied inbound TCP packets.

service resetoutside

Send a TCP reset in response to denied TCP packets that terminate at the outside interface.

snmp-server

Provide SNMP event information.

ssh

Specify a host for PIX Firewall console access via Secure Shell (SSH).

static

Map the local IP address to a global IP address. Exception: Inbound PAT using the static command is not parsed.

sysopt

Change the PIX Firewall system options. Exception: The route dnat and nodnsalias options cannot be parsed.

telnet

Specify host for PIX Firewall console access via Telnet.

tftp-server

Specify the IP address of the TFTP configuration server.

timeout

Set the maximum idle time duration.

url-cache

Cache responses to URL filtering requests to the Websense server.

url-server

Designate a server running Websense for use with the filter url command.


Parse Without Allowing Changes

Table A-2 lists commands that PDM parses but does not let you change. PDM recognizes these commands in the PIX Firewall configuration and leaves them in place unchanged.

Table A-2 Commands That PDM Supports That Cannot Be Changed 

Command
Description

arp

Change or view the ARP cache, and set the timeout value.

floodguard

Enable or disable Flood Defender to protect against flood attacks.

isakmp identity [address | hostname]

Specify the identity for obtaining IPSec certificate by either IP address or hostname.

mtu

Specify the MTU (maximum transmission unit) for an interface.

nat [(if_name)] 0 access-list acl_name

Associate network address translation to an access list.

PDM does not support the nat 0 access-list command. When PDM encounters it, PDM prompts you to confirm whether you use the nat 0 access-list command for crypto (VPN) purposes only. If you answer y, PDM ignores the command and gives you full access to PDM. If you answer n, meaning that you use this command for other PIX Firewall configuration features as well as (or instead of) VPN, PDM cannot interpret that usage and enters a limited state in which you can only access the Monitoring tab.

pager

Enable or disable screen paging.

sysopt nodnsalias inbound

Disable inbound embedded DNS A record fixups according to aliases that apply to the A record address.

sysopt nodnsalias outbound

Disable outbound DNS A record replies.

sysopt route dnat

Specify that when an incoming packet does a route lookup, the incoming interface is used to determine which interface the packet should go to, and which is the next hop.

terminal

Change the console terminal settings.

virtual

Access the PIX Firewall virtual server.


Parse and Only Permit Access to the Monitoring Tab

Table A-3 lists commands that PDM does not support in a configuration. If the commands are present in your configuration, you can only use the Monitoring tab.

Table A-3 Commands That PDM Can Only Use in Limited Access Mode 

Command
Description

alias

Administer overlapping addresses with dual NAT. Also permits inside interface access to a DNS server on a perimeter interface.

establish

Permit return connections on ports other than those used for the originating connection based on an established connection.

outbound id except

Create an access list to control outbound connections.

static [used for inbound PAT]

Funnel inbound connections through a single IP address.

nat [(if_name)] 0 access-list acl_name

Associate an access list with network address translation.

If the command is used only for VPN purposes, PDM parses and ignores it. If it is used for non-VPN purposes, or for both VPN and non-VPN purposes, only the Monitoring tab can be accessed. When PDM encounters this command in your configuration, it prompts you to specify its purpose.


In addition, the following command combinations also limit access to only the Monitoring tab:

aaa command with the match option appearing in the configuration with other aaa commands that contain the include or exclude options. For example, the following commands would not be parsed by PDM:

access-list 101 permit tcp any any 
aaa authentication include http inside 1.1.1.1 255.255.255.255 0.0.0.0 0.0.0.0 portal
aaa accounting match 101 inside portal

You can fix this by changing aaa commands exclusively to either the match acl style or to the include/exclude style.

Combining the access-list and access-group command statements with conduit and/or outbound command statements. For example, the following commands appearing anywhere in the configuration (not necessarily together) would not be parsed by PDM:

access-list 101 permit ip 172.21.3.0 255.255.0.0 172.22.2.0 255.255.0.0
access-group 101 in interface outside
conduit permit icmp any any

Using an ACL (access control list) for multiple interfaces. For example, given the statement access-list eng permit ip any server1 255.255.255.255, the following two access-group command statements bind the same ACL to two interfaces and would not be parsed by PDM:

access-group eng in interface perim
access-group eng in interface outside

Using an ACL name for multiple purposes such as in an access-group command statement and in an aaa command statement. For example, the following commands would not be parsed by PDM:

access-list acl_out permit tcp 10.16.1.0 255.255.255.0 209.165.201.0 255.255.255.224
access-group acl_out in interface outside
aaa authentication match acl_out outside AuthIn

In this example, the access-list command statement is applied to the outside interface by the access-group command. The same ACL name cannot then be used by the aaa command statement. You can fix this example by creating a separate access-list command statement, one that is not bound by an access-group command, and referencing that in the aaa command statement. For example:

access-list acl_out2 permit tcp 10.16.1.0 255.255.255.0 209.165.201.0 255.255.255.224
aaa authentication match acl_out2 outside AuthIn

Using an ACL for multiple purposes (such as authentication, authorization, or accounting). For example, the following command statements cannot be parsed by PDM:

access-list acl_out2 permit tcp 10.16.1.0 255.255.255.0 209.165.201.0 255.255.255.224
aaa authentication match acl_out2 outside AuthIn
aaa authorization match acl_out2 outside AuthIn

In this example, the access-list command statement is applied to the outside interface by the aaa authentication command. Using the acl_out2 ACL name for both authentication and authorization cannot be parsed by PDM. You can fix this by creating a second access-list command statement identical to the first and referencing it in the aaa authorization command. For example:

access-list acl_out2 permit tcp 10.16.1.0 255.255.255.0 209.165.201.0 255.255.255.224
access-list acl_out3 permit tcp 10.16.1.0 255.255.255.0 209.165.201.0 255.255.255.224
aaa authentication match acl_out2 outside AuthIn
aaa authorization match acl_out3 outside AuthIn

Applying an outbound command statement group to multiple interfaces. For example, the following command statements would not be parsed by PDM:

outbound 13 deny 0.0.0.0 0.0.0.0 0 0
outbound 13 permit 0.0.0.0 0.0.0.0 389 tcp
outbound 13 permit 0.0.0.0 0.0.0.0 30303 tcp
outbound 13 permit 0.0.0.0 0.0.0.0 53 udp
apply (inside) 13 outgoing_src
apply (perim) 13 outgoing_src

Only Display in Unparseable Command List

The following commands are ignored when encountered by PDM, and are displayed in the list of unparseable commands:


Note PDM does not change or remove these commands from your configuration.


All IPSec VPN crypto commands, with the exception of the isakmp identity command. This includes the ip local pool, sysopt connection permit-pptp, and vpdn commands.

Access lists not applied to any interface and not referenced by an aaa command statement, that is, a group of access-list command statements without an accompanying access-group command statement or aaa match acl command statement. For example:

access-list eng permit ip any server1 255.255.255.255
access-list eng permit ip any server2 255.255.255.255
access-list eng permit ip any server3 255.255.255.255
access-list eng deny ip any any

A list of outbound command statements without an associated apply command statement.
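The combinations described under Parse and Only Permit Access to the Monitoring Tab, the nat 0 access-list prompt, and the unbound access-list and outbound statements listed above can all be checked for before you point PDM at a firewall. The following Python script is an added example, not part of this appendix or of PDM itself: it scans a saved PIX configuration (for example, the output of write terminal saved to a file) and reports each offending combination together with the PDM state it implies. The sample configuration is constructed for illustration, the regular expressions cover only the command forms shown in this appendix, and treating an ACL referenced solely by nat 0 access-list as VPN-side (reported under the prompt rather than as an unbound ACL) is an assumption of the script, not a rule stated here.

```python
"""Pre-flight linter for a PIX Firewall configuration: flags the command
combinations this appendix says PDM cannot parse before PDM is pointed at it."""
import re
import sys
from collections import defaultdict

# LIMITED forces the Monitoring-tab-only state, IGNORED lands the statement in
# the unparseable command list, PROMPT is the nat 0 access-list question.
LIMITED, IGNORED, PROMPT = "monitoring-only", "unparseable-list", "prompt"

# Constructed sample configuration (not captured from a real device); it
# deliberately packs in several of the combinations listed in this appendix.
SAMPLE_CONFIG = """\
access-list acl_out permit tcp 10.16.1.0 255.255.255.0 209.165.201.0 255.255.255.224
access-group acl_out in interface outside
aaa authentication match acl_out outside AuthIn
access-list eng permit ip any 10.1.1.5 255.255.255.255
access-group eng in interface perim
access-group eng in interface outside
access-list 101 permit tcp any any
aaa authentication include http inside 1.1.1.1 255.255.255.255 0.0.0.0 0.0.0.0 portal
aaa accounting match 101 inside portal
access-list unused permit ip any any
access-list nonat permit ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.0.0
nat (inside) 0 access-list nonat
conduit permit icmp any any
outbound 13 deny 0.0.0.0 0.0.0.0 0 0
outbound 13 permit 0.0.0.0 0.0.0.0 53 udp
apply (inside) 13 outgoing_src
apply (perim) 13 outgoing_src
outbound 20 deny 0.0.0.0 0.0.0.0 0 0
"""

RE_ACL = re.compile(r"access-list (\S+)")
RE_GROUP = re.compile(r"access-group (\S+) in interface (\S+)")
RE_AAA = re.compile(r"aaa (authentication|authorization|accounting) (match|include|exclude)(?: (\S+))?")
RE_OUTBOUND = re.compile(r"outbound (\d+) (permit|deny|except)")
RE_APPLY = re.compile(r"apply \((\S+)\) (\d+)")
RE_NAT0 = re.compile(r"nat (?:\(\S+\) )?0 access-list (\S+)")


def lint_pix_config(text):
    """Return (severity, rule, subject) findings for one PIX configuration."""
    acls = set()                      # ACL names defined by access-list
    acl_uses = defaultdict(set)       # ACL name -> purposes it is referenced for
    group_ifaces = defaultdict(set)   # ACL name -> interfaces bound via access-group
    aaa_styles = set()                # match / include / exclude seen on aaa lines
    outbound_ids = set()              # outbound list ids defined
    apply_ifaces = defaultdict(set)   # outbound id -> interfaces it is applied to
    nat0_acls, has_conduit, has_except = set(), False, False

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "!:":   # blank, comment, or ": Saved" header
            continue
        if m := RE_GROUP.match(line):
            group_ifaces[m[1]].add(m[2])
            acl_uses[m[1]].add("access-group")
        elif m := RE_ACL.match(line):
            acls.add(m[1])
        elif m := RE_AAA.match(line):
            aaa_styles.add(m[2])
            if m[2] == "match":
                acl_uses[m[3]].add("aaa " + m[1])
        elif m := RE_OUTBOUND.match(line):
            outbound_ids.add(m[1])
            has_except = has_except or m[2] == "except"
        elif m := RE_APPLY.match(line):
            apply_ifaces[m[2]].add(m[1])
        elif m := RE_NAT0.match(line):
            nat0_acls.add(m[1])
        elif line.startswith("conduit "):
            has_conduit = True

    findings = []
    mixed = [k for k, v in (("conduit", has_conduit), ("outbound", bool(outbound_ids))) if v]
    if group_ifaces and mixed:   # access-list/access-group mixed with conduit or outbound
        findings.append((LIMITED, "acl-with-conduit-or-outbound", ", ".join(mixed)))
    findings += [(LIMITED, "acl-multi-interface", a) for a, i in sorted(group_ifaces.items()) if len(i) > 1]
    findings += [(LIMITED, "acl-multi-purpose", a) for a, u in sorted(acl_uses.items()) if len(u) > 1]
    if "match" in aaa_styles and aaa_styles & {"include", "exclude"}:
        findings.append((LIMITED, "aaa-mixed-styles", ", ".join(sorted(aaa_styles))))
    if has_except:
        findings.append((LIMITED, "outbound-except", "except"))
    findings += [(LIMITED, "outbound-multi-interface", o) for o, i in sorted(apply_ifaces.items()) if len(i) > 1]
    findings += [(PROMPT, "nat0-access-list", a) for a in sorted(nat0_acls)]
    # Assumption: an ACL referenced only by nat 0 is VPN-side and is covered by the
    # prompt above, so it is not also reported as an unbound ACL.
    findings += [(IGNORED, "acl-unbound", a) for a in sorted(acls - set(acl_uses) - nat0_acls)]
    findings += [(IGNORED, "outbound-unapplied", o) for o in sorted(outbound_ids - set(apply_ifaces))]
    return findings


def pdm_state(findings):
    """Worst-case PDM state implied by the findings."""
    sevs = {sev for sev, _, _ in findings}
    return "monitoring-only" if LIMITED in sevs else ("full-if-nat0-is-vpn-only" if PROMPT in sevs else "full")


if __name__ == "__main__":
    # Pass a saved configuration file as the first argument; otherwise lint the sample.
    config = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    results = lint_pix_config(config)
    for finding in results:
        print(*finding)
    print("PDM state:", pdm_state(results))
```

Every monitoring-only finding maps to one fix from this section: give each interface and each aaa purpose its own ACL, pick either the match or the include/exclude style for all aaa statements, apply each outbound group to a single interface, and remove conduit and outbound statements once access-list and access-group replace them. The unparseable-list findings are harmless to PDM but worth reviewing anyway, since an unbound ACL or an unapplied outbound group enforces nothing and is easy to mistake for a live rule during an audit.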