Worldwide [change] |Account |Register |About Cisco
Guest

Hierarchical Navigation

Support

M through R Commands

Downloads

Table Of Contents

M through R Commands

mtu

name / names

nameif

nat

outbound / apply

pager

passwd

pdm

perfmon

ping

quit

reload

rip

route


M through R Commands

mtu

Specify the maximum transmission unit ( MTU) for an interface. (Configuration mode.)

mtu if_name  bytes

no mtu [if_name  bytes]

show mtu

Syntax Description

if_name

The internal or external network interface name.

bytes

The number of bytes in the MTU, in the range of 64 to 65,535 bytes. The value specified depends on the type of network connected to the interface.


Usage Guidelines

The mtu command sets the size of data sent on a connection. Data larger than the MTU value is fragmented before being sent. The minimum value for bytes is 64 and the maximum is 65,535 bytes.

PIX Firewall supports the IP Path MTU Discovery mechanism, as defined in RFC 1191. IP Path MTU Discovery allows a host to dynamically discover and cope with differences in the maximum allowable maximum transmission unit (MTU) size of the various links along the path. Sometimes a PIX Firewall is unable to forward a datagram because it requires fragmentation (the packet is larger than the MTU you set for the interface), but the "don't fragment" (DF) bit is set. The network software sends a message to the sending host, alerting it to the problem. The host will have to fragment packets for the destination so that they fit the smallest packet size of all the links along the path.

For Ethernet interfaces, the default MTU is 1500 bytes in a block, which is also the maximum. This value is sufficient for most applications, but you can pick a lower number if network conditions warrant it.

For Token Ring and FDDI, the default is 8192 bytes.

The no mtu command resets the MTU block size to 1500 for Ethernet interfaces and 8192 for Token Ring. The show mtu command displays the current block size. The show interface command also shows the MTU value.

Examples

The following example shows use of the mtu command for use with Token Ring and Ethernet: 

interface token-ring0 16mbps

interface ethernet0 auto

mtu inside 8192

show mtu

mtu outside 1500

mtu inside 8192

name / names

Associate a name with an IP address. (Configuration mode.)

name ip_address name

no name [ip_address name]

names

no names

clear names

show names

Syntax Description

ip_address

The IP address of the host being named.

name

The name assigned to the IP address. Allowable characters are a to z, A to Z, 0 to 9, a dash, and an underscore. The name cannot start with a number. If the name is over 16 characters long, the name command fails.


Usage Guidelines

Use the name command to identify a host by a text name. The names you define become like a host table local to the PIX Firewall. Because there is no connection to DNS or /etc/hosts on UNIX servers, use of this command is a mixed blessing—it makes configurations much more readable but introduces another level of abstraction to administer; not only do you have to add and delete IP addresses to your configuration as you do now, but with this command, you need to ensure that the host names either match existing names or you have a map to list the differences.

The names command enables use of the name command to map text strings to IP addresses. The clear names and no names commands are the same and disable use of the name text strings. The show names command lists the name command statements in the configuration.

Notes

1. You must first use the names command before using the name command. Use the name command immediately after the names command and before you use the write memory command.

2. To disable displaying name values, use the no names command.

3. Only one name can be associated with an IP address.

4. Both the name and names command statements are saved in the configuration.

5. While the name command will let you assign a name to a network mask, no other PIX Firewall command requiring a mask will let you use the name as a mask value. For example, the following command is accepted. 

name 255.255.255.0 class-C-mask

Note None of the commands in which a mask is required can process the "class-C-mask" as an accepted network mask.

Examples

In the example that follows, the names command enables use of the name command. The name command substitutes pix_inside for references to 192.168.42.3, and pix_outside for 209.165.201.3. The ip address commands use these names while assigning IP addresses to the network interfaces. The no names command disables the name command values from displaying. Subsequent use of the names command restores their display. 

names

name 192.168.42.3 pix_inside

name 209.165.201.3 pix_outside

ip address inside pix_inside 255.255.255.0

ip address outside pix_outside 255.255.255.224

show ip address

inside ip address pix_inside mask 255.255.255.0

outside ip address pix_outside mask 255.255.255.224

no names

show ip address

inside ip address 192.168.42.3 mask 255.255.255.0

outside ip address 209.165.201.3 mask 255.255.255.224

names

show ip address

inside ip address pix_inside mask 255.255.255.0

outside ip address pix_outside mask 255.255.255.224

nameif

Name interfaces and assign security level. (Configuration mode.)

nameif hardware_id if_name security_level

show nameif

clear nameif

Syntax Description

hardware_id

The hardware name for the network interface that specifies the interface's slot location on the PIX Firewall motherboard. Interface boards are numbered from the leftmost slot nearest the power supply as slot 0. The internal network interface must be in slot 1. The lowest security_level external interface board is in slot 0 and the next lowest security_level external interface board is in slot 2.

Possible choices are ethernetn for Ethernet or token-ringn for Token Ring.
These names can be abbreviated with any leading characters in the name; for example, ether1, e2, token0, or t0.

if_name

A name for the internal or external network interface of up to 48 characters in length. This name can be uppercase or lowercase. By default, PIX Firewall names the inside interface "inside," the outside interface "outside," and any perimeter interface "intfn" where n is 2 through 5.

security_level

Either 0 for the outside network or 100 for the inside network. Perimeter interfaces can use any number between 1 and 99. By default, PIX Firewall sets the security level for the inside interface to security100 and the outside interface to security0. The first perimeter interface is initially set to security10, the second to security15, the third to security20, and the fourth perimeter interface to security25 (a total of 6 interfaces are permitted, with a total of 4 perimeter interfaces permitted).

For access from a higher security to a lower security level, nat and global commands or static commands must be present. For access from a lower security level to a higher security level, static and access-list commands must be present.

Interfaces with the same security level cannot communicate with each other. We recommend that every interface have a unique security level.


Usage Guidelines

The nameif command allows you to assign a name to an interface. You can use this command to assign interface names if you have more than two network interface circuit boards in your PIX Firewall. The first two interfaces have the default names inside and outside. The inside interface has a default security level of 100, the outside interface has a default security level of 0. The clear nameif command reverts nameif command statements to default interface names and security levels.

Usage Notes

1. If you change the hardware_id of the outside interface; for example, from ethernet0 to ethernet1, PIX Firewall changes every reference to the outside interface in your configuration to inside, which can cause problems with route, ip, and other command statements that affect the flow of traffic through the PIX Firewall.

2. After changing a nameif command, use the clear xlate command.

3. The inside interface cannot be renamed or given a different security level. The outside interface can be renamed, but not given a different security level.

4. An interface is always "external" with respect to another interface that has a higher security level.

Examples

The following example shows use of the nameif command: 

nameif ethernet2 perimeter1 sec50

nameif ethernet3 perimeter2 sec20

Related Commands

interface

nat

Associate a network with a pool of global IP addresses. (Configuration mode.)

nat [(if_name)] nat_id local_ip [netmask [max_conns [em_limit]]] [norandomseq]

nat [(if_name)] 0 access-list acl_name

nat [(if_name)] 0 local_ip [netmask [max_conns [em_limit]]] [norandomseq]

no nat [[(if_name)] nat_id local_ip [netmask [max_conns [em_limit]]]] [norandomseq]

no nat [(if_name)] 0 access-list acl_name

show nat

clear nat

Syntax Description

if_name

The internal network interface name.

If the interface is associated with an access list, then the if_name is the higher security level interface name.

nat_id

All nat command statements with the same nat_id are in the same nat group. Use the nat_id in the global command statement; for example: 

nat (perimeter) 1 0 0

global (outside) 1 209.165.201.1-209.165.201.30 netmask 255.255.255.224

This example associates the nat command with the global command via the nat_id.

The nat_id is an arbitrary positive number between 0 and two billion. This number can be the same as the ID used with the outbound and apply commands.

Specify 0 with IP addresses and netmasks to identify internal networks that desire only outbound identity address translation. Specify 0 with the access-list option to specify traffic that should be exempted from NAT.

access-list

Associate an access-list command statements to the nat 0 command.

local_ip

Internal network IP address to be translated. You can use 0.0.0.0 to allow all hosts to start outbound connections. The 0.0.0.0 local_ip can be abbreviated as 0.

netmask

Network mask for local_ip. You can use 0.0.0.0 to allow all outbound connections to translate with IP addresses from the global pool.

max_conns

The maximum TCP connections permitted from the interface you specify.

clear

Removes nat command statements from the configuration.

em_limit

The embryonic connection limit. The default is 0, which means unlimited connections. Set it lower for slower systems, higher for faster systems.

norandomseq

Do not randomize the TCP packet's sequence number. Only use this option if another inline firewall is also randomizing sequence numbers and the result is scrambling the data. Use of this option opens a security hole in the PIX Firewall.


Usage Guidelines

The nat command lets you enable or disable address translation for one or more internal addresses. Address translation means that when a host starts an outbound connection, the IP addresses in the internal network are translated into global addresses. Network Address Translation (NAT) allows your network to have any IP addressing scheme and the PIX Firewall protects these addresses from visibility on the external network.

Note If not explicitly included in the nat command, the PIX Firewall derives the network mask from the class of the IP address. For example, the command nat 0 10.130.36.0 causes all addresses in the 10.0.0.0 network to be translated and not only those in the 10.130.36.0 network. For this reason, you should specify the network mask when configuring an IP address that is not classful.

The nat (if_name) 0 access-list acl_name command lets you exempt traffic that is matched by the access-list command statements from the NAT services. Adaptive Security remains in effect with the nat 0 access-list command. The extent to which the inside hosts are accessible from the outside depends on the access-list command statements that permit inbound access. The if_name is the higher security level interface name. The acl_name is the name you use to identify the access-list command statement.

With PIX Firewall software version 5.3 and later, there is no longer a restriction on having the nat 0 command (Identity NAT) and the nat 0 access-list command configured at the same time. Both the nat 0 command and the nat 0 access-list command may be configured concurrently.

The new access-list option changes the behavior of the nat 0 command. (Without the access-list option, the command is backward compatible with previous versions.)
The nat 0 command implemented the identity feature; this new version of the command disables NAT. Specifically, the new behavior disables proxy ARPing for the IP addresses in the nat 0 command statement.

Note The access list you specify with the nat 0 access-list command will not work with an access-list command statement that contains a port specification. The following sample command statements will not work.

access-list no-nat permit tcp host xx.xx.xx.xx host yy.yy.yy.yy
nat (inside) 0 access-list no-nat

After changing or removing a nat command statement, use the clear xlate command.

The connection limit allows you to set the maximum number of outbound connections that can be started with the IP address criteria you specify. The embryonic connection limit allows you to prevent a type of attack where processes are started without being completed. An embryonic connection is a connection that someone attempted but has not completed and has not yet seen data. Every connection is embryonic until it sets up.

You can use the no nat command to remove a nat command statement and you can use the show nat command to view nat command statements in the current configuration.

Table 7-1 helps you decide when to use the nat or static commands for access between the various interfaces in the PIX Firewall. For this table, assume that the security levels are 40 for dmz1 and 60 for dmz2.

Table 7-1 Interface Access Commands by Interface 

From This Interface
To This Interface
Use This Command
 
From This Interface
To This Interface
Use This Command

inside

outside

nat

 

dmz2

outside

nat

inside

dmz1

nat

 

dmz2

dmz1

nat

inside

dmz2

nat

 

dmz2

inside

static

dmz1

outside

nat

 

outside

dmz1

static

dmz1

dmz2

static

 

outside

dmz2

static

dmz1

inside

static

 

outside

inside

static


The rule of thumb is that for access from a higher security level interface to a lower security level interface, use the nat command. From lower security level interface to a higher security level interface, use the static command.

Usage Notes

1. You can enable identity address translation with the nat 0 command. Use this command when you have IP addresses that are the same as those used on more than one interface. Adaptive Security remains in effect with the nat 0 command. The extent to which the inside hosts are accessible from the outside depends on the access-list command statements that permit inbound access.

Addresses on each interface must be on a different subnet. See Appendix D "TCP/IP Reference Information" of the Cisco PIX Firewall and VPN Configuration Guide for more information about subnetting.

The nat 0 10.2.3.0 command means let those IP addresses in the 10.2.3.0 net appear on the outside without translation. All other hosts are translated depending on how their nat command statements appear in the configuration.

2. The nat 1 0 0 command means that all outbound connections can pass through the PIX Firewall with address translation. If you use the nat (inside) 1 0 0 command, users can start connections on any interface with a lower security level, on the both perimeter interfaces and the outside interface. With NAT in effect, you must also use the global command statement to provide a pool of addresses through which translated connections pass. In effect, you use the nat command statement to specify from which interface connections can originate and you use the global command statement to determine at which interface connections can occur. The NAT ID must be the same on the nat and global command statements.

3. The nat 1 10.2.3.0 command means that only outbound connections originating from the inside host 10.2.3.0 can pass through the PIX Firewall to go to their destinations with address translation.

Examples

The following example specifies with nat command statements that all the hosts on the 10.0.0.0 and

10.3.3.0 inside networks can start outbound connections. The global command statements create a pool of global addresses as follows: 

nat (inside) 1 10.0.0.0 255.0.0.0

global (outside) 1 209.165.201.24-209.165.201.27 netmask 255.255.255.224

global (outside) 1 209.165.201.30

nat (inside) 3 10.3.3.0 255.255.255.0

global (outside) 3 209.165.201.10-209.165.201.24 netmask 255.255.255.224

Related Commands

global

outbound / apply

When using the nat 0 command, if you want the addresses to be visible from the outside network, use static and access-list command statements: 

nat (inside) 0 209.165.201.0 255.255.255.224

static (inside, outside) 209.165.201.0 209.165.201.0 netmask 255.255.255.224

access-list acl_out permit host 10.0.0.1 209.165.201.0 255.255.255.224 eq ftp

access-group acl_out in interface outside


nat (inside) 0 209.165.202.128 255.255.255.224

static (inside, outside) 209.165.202.128 209.165.202.128 netmask 255.255.255.224

access-list acl_out permit tcp host 10.0.0.1 209.165.202.128 255.255.255.224 eq ftp

access-group acl_out in interface outside

...

The following example shows use of the nat 0 access-list command to permit internal host 10.1.1.15, accessible through the inside interface, "inside," to bypass NAT when connecting to outside host 10.2.1.3. 

access-list no-nat permit ip host 10.1.1.15 host 10.2.1.3

nat (inside) 0 access-list no-nat

The following commands will disable all NAT on a PIX Firewall with three interfaces: 

access-list all-ip-packet permit ip 0 0 0 0

nat (dmz) 0 access-list all-ip-packet

nat (inside) 0 access-list all-ip-packet

outbound / apply

Create an access list for controlling Internet use. (Configuration mode.)

outbound list_ID permit | deny ip_address [netmask [port[-port]] [protocol]

outbound list_ID except ip_address [netmask [port[-port]] [protocol]

clear outbound

no outbound [list_ID permit | deny ip_address [netmask [port[-port]] [protocol]]

no outbound [list_ID except ip_address [netmask [port[-port]] [protocol]]

show outbound

apply [(if_name)] list_ID outgoing_src | outgoing_dest

clear apply

no apply [[(if_name)] list_ID outgoing_src | outgoing_dest]

show apply [(if_name)] [list_ID outgoing_src | outgoing_dest]

Syntax Description

outbound

The outbound command, in conjunction with the apply command, uses access lists to control a filtering function on outgoing packets from the PIX Firewall. The filters can be based on the source IP address, the destination IP address, and the destination port/protocol as specified by the rules.

The use of an outbound command requires use of the apply command. The apply command allows you to specify whether the access control list applies to inside users' ability to start outbound connections with the apply command's outgoing_src option, or whether the access list applies to inside users' ability to access servers on the outside network with the apply command's outgoing_dest option.

For more information, see "Outbound List Rules" and the access-list command. The outbound command has been superseded by the access-list command.

list_ID

A tag number for the access list. The access list number you use must be the same for the apply and outbound commands. This value must be a positive number from 1 to 1599. This number can be the same as what you use with the nat and global commands. This number is just an arbitrary number that groups outbound command statements to an apply command statement. List_IDs are processed sequentially in descending order.

For more information, see "Outbound List Rules."

no outbound

Removes a single outbound command statement from the configuration.

clear outbound

Removes all outbound command statements from the configuration.

show outbound

Displays the outbound command statements in the configuration.

permit

Allow the access list to access the specified IP address and port.

deny

Deny the access list access to the specified IP address and port.

except

Create an exception to a previous outbound command. An except command statement applies to permit or deny command statements only with the same access list ID.

When used with apply outgoing_src, the IP address of an except command statement applies to the destination address.

When used with apply outgoing_dest, the IP address of an except command statement applies to the source address.

See "Outbound List Rules" for more information.

ip_address

The IP address for this access list entry. Do not specify a range of addresses. The 0.0.0.0 ip_address can be abbreviated as 0.

netmask

The network mask for comparing with the IP address; 255.255.255.0 causes the access list to apply to an entire Class C address. 0.0.0.0 indicates all access. The 0.0.0.0 netmask can be abbreviated as 0.

port

A port or range of ports that the access list is permitted or denied access to. See the "Ports" section in "Using PIX Firewall Commands" for a list of valid port literal names.

protocol

Limit outbound access to udp, tcp, or icmp protocols. If a protocol is not specified, the default is tcp.

if_name

The network interface originating the connection.

outgoing_src

Deny or permit an internal IP address the ability to start outbound connections using the service(s) specified in the outbound command.

outgoing_dest

Deny or permit access to an external IP address using the service(s) specified in the outbound command.

apply

Specifies whether the access control list applies to inside users' ability to start outbound connections with apply command's outgoing_src option, or whether the access list applies to inside users' ability to access servers on the outside network with the apply command's outgoing_dest option.

noapply

Removes a single apply command statement from the configuration.

clear apply

Removes all the apply command statements from the configuration. The show apply command displays the apply command statements in the configuration.

show apply

Displays the apply command statements in the configuration.


Usage Guidelines

The outbound command creates an access list that allows you to specify the following:

Whether inside users can create outbound connections

Whether inside users can access specific outside servers

What services inside users can use for outbound connections and for accessing outside servers

Whether outbound connections can execute Java applets on the inside network

Outbound lists are filters on outgoing packets from the PIX Firewall. The filter can be based on the source IP address, the destination IP address, and the destination port/protocol as specified by the rules. The use of an outbound command requires use of the apply command. The apply command allows you to specify whether the access control list applies to inside users' ability to start outbound connections with apply command's outgoing_src option, or whether the access list applies to inside users' ability to access servers on the outside network with the apply command's outgoing_dest option.

Note The outbound command has been superseded by the access-list command. We recommend that you migrate your outbound command statements to access-list command statements to maintain future compatibility.

The java option has been replaced by the filter java command.

After adding, removing, or changing outbound command statements, use the clear xlate command.

Use the no outbound command to remove a single outbound command statement from the configuration. Use the clear outbound command to remove all outbound command statements from the configuration. The show outbound command displays the outbound command statements in the configuration.

Use the no apply command to remove a single apply command statement from the configuration. Use the clear apply command statement to remove all the apply command statements from the configuration. The show apply command displays the apply command statements in the configuration.

Outbound List Rules

Rules, written as outbound list_ID... command statements are global to the PIX Firewall, they are activated by apply list_ID outgoing_src | outgoing_dest command statements. When applied to outgoing_src, the source IP address, the destination port, and protocol are filtered. When applied to outgoing_dest, the destination IP address, port, and protocol are filtered.

The outgoing_src option and outgoing_dest outbound lists are filtered independently. If any one of the filters contain the deny option, the outbound packet is denied. When multiple rules are used to filter the same packet, the best matched rule takes effect.  The best match is based on the IP address mask and the port range check. More strict IP address masks and smaller port ranges are considered a better match. If there is a tie, a permit option overrides a deny option.

Rules are grouped by a list_ID.  Within each list_ID, except rules (that is, outbound n except ...) can be set.  The except option reverses the best matched rule of deny or permit.  In addition, PIX Firewall filters the specified IP address and mask in the rule for the destination IP address of the outbound packet if the list is applied to the outbound_src.  Alternatively, PIX Firewall filters the source IP address if the list is applied to the outgoing_dest.  Furthermore, the except rules only apply to rules with the same list_ID.  A single except rule within a list_ID without another permit or deny rule has no effect.  If multiple except rules are set, the best match is checked for which except to apply. 

The outbound command rules are now sorted by the best match checking. Use the show outbound command to see how the best match is judged by the PIX Firewall.

Usage Notes

1. If outbound commands are not specified, the default behavior is to permit all outbound traffic and services from inside hosts.

2. After adding, changing, or removing an outbound and apply command statement group, use the clear xlate command to make the IP addresses available in the translation table.

3. The outbound commands are processed linearly within a list_ID. In addition, list_IDs are processed sequentially in descending order. For example, the first command statement you specify in an outbound list is processed first, then the next outbound command statement in that list, and so on. Similarly, list_ID 10 is processed before list_ID 20, and so on.

4. When using outbound commands, it is often helpful to deny or permit access to the many before you deny or permit access to the specific. Start with an interface-wide specification such as the following command that denies all hosts from starting connections. 

outbound 1 deny 0 0 0

apply (inside) 1 outgoing_src

Then add command statements that permit or deny hosts access to specific ports, for example: 

outbound 1 deny 0 0 0

outbound 1 permit 10.1.1.1 255.255.255.255 23 tcp

outbound 1 permit 10.1.1.1 255.255.255.255 80 tcp

apply (inside) 1 outgoing_src

You could state this same example as follows with the except option. 

outbound 1 deny 0 0 0

outbound 1 except 209.165.201.11 255.255.255.255 23 tcp

outbound 1 except 209.165.201.11 255.255.255.255 80 tcp

apply (inside) 1 outgoing_src

In the preceding outbound except command statement, IP address 209.165.201.11 is the destination IP address, not the source address. This means that everyone is denied outbound access, except those users going to 209.165.201.11 via Telnet (port 23) or HTTP (port 80).

5. If you permit access to port 80 (http), this also permits Java applets to be downloaded.
You must have a specific deny command statement to block Java applets.

6. The maximum number of outbound list entries in a configuration is 1599.

7. Outbound lists have no effect on access-list command statement groups.

8. The use of the access-group command statement overrides the conduit and outbound command statements for the specified interface name.

Examples

The first outbound group sets inside hosts so that they can only see and Telnet to perimeter hosts, and do DNS lookups. In this example, the perimeter network address is 209.165.201.0 and the network mask is 255.255.255.224. 

outbound 9 deny 0.0.0.0 0.0.0.0 0 0

outbound 9 except 209.165.201.0 255.255.255.224 23 tcp

outbound 9 except 0.0.0.0 0.0.0.0 53 udp

The next outbound group in this same example lets hosts 10.1.1.11 and 10.1.1.12 go anywhere: 

outbound 11 deny 0.0.0.0 0.0.0.0 0 0

outbound 11 permit 10.1.1.11 255.255.255.255 0 0

outbound 11 permit 10.1.1.12 255.255.255.255 0 0

outbound 11 permit 0.0.0.0 0.0.0.0 21 tcp

outbound 11 permit 10.3.3.3 255.255.255.255 143 tcp

This last outbound group in this same example lets hosts on the perimeter only access TCP ports 389 and 30303 and UDP port 53 (DNS). Finally, the apply command statements set the outbound groups so that the permit and deny rules affect access to all external addresses. 

outbound 13 deny 0.0.0.0 0.0.0.0 0 0                                                                                                  

outbound 13 permit 0.0.0.0 0.0.0.0 389 tcp

outbound 13 permit 0.0.0.0 0.0.0.0 30303 tcp

outbound 13 permit 0.0.0.0 0.0.0.0 53 udp


apply (inside) 9 outgoing_src

apply (inside) 11 outgoing_src

apply (perim) 13 outgoing_src

Controlling Outbound Connections

The following example prevents all inside hosts from starting outbound connections: 

outbound 1 deny 0 0 0

apply (inside) 1 outgoing_src

The 0 0 0 at the end of the command means all IP addresses (0 is the same as 0.0.0.0), with a 0.0.0.0 subnet mask and for all services (port value is zero).

Conversely, the following example permits all inside hosts to start connections to the outside (this is the default if an access list is not created): 

outbound 1 permit 0 0 0

apply (inside) 1 outgoing_src

Controlling Inside Hosts' Access to Outbound Services

The following example prevents inside host 192.168.1.49 from accessing the World Wide Web
(port 80): 

outbound 11 deny 192.168.1.49 255.255.255.255 80 tcp

apply (inside) 11 outgoing_src

Controlling Inside Hosts' Access to Outside Servers

If your employees are spending too much time examining GIF images on a particular website with two web servers, you can use the following example to restrict this access: 

outbound 12 deny 192.168.146.201 255.255.255.255 80 tcp

outbound 12 deny 192.168.146.202 255.255.255.255 80 tcp

apply (inside) 12 outgoing_dest

Using except Command Statements

An except command statement only provides exception to items with the same list_ID. Consider the following example. 

outbound 9 deny 0.0.0.0 0.0.0.0 0 0

outbound 9 except 10.100.0.0 255.255.0.0 23 tcp

outbound 9 except 0.0.0.0 0.0.0.0 53 udp

outbound 11 deny 0.0.0.0 0.0.0.0 0 0

outbound 11 permit 10.1.1.11 255.255.255.255 0 0

outbound 11 permit 10.1.1.12 255.255.255.255 0 0

outbound 11 permit 0.0.0.0 0.0.0.0 21 tcp

outbound 11 permit 10.3.3.3 255.255.255.255 143 tcp

outbound 13 deny 0.0.0.0 0.0.0.0 0 0

outbound 13 permit 0.0.0.0 0.0.0.0 389 tcp

outbound 13 permit 0.0.0.0 0.0.0.0 30303 tcp

outbound 13 permit 0.0.0.0 0.0.0.0 53 udp

In the preceding examples, the following two command statements work against other command statements in list 9 but not in lists 11 and 13: 

outbound 9 except 10.100.0.0 255.255.0.0 23 tcp

outbound 9 except 0.0.0.0 0.0.0.0 53 udp

In the following example, the set of deny, permit, and except option command statements denies everybody from connecting to external hosts except for DNS queries and Telnet connections to hosts on 10.100.0.0. The host with IP address 10.1.1.11 is permitted outbound access, and has access to everywhere except to 10.100.0.0 via Telnet and anywhere to use DNS. 

outbound   1 deny 0.0.0.0 0.0.0.0 0 tcp

outbound   1 permit 10.1.1.11 255.255.255.255 0 tcp

outbound   1 except 10.100.0.0 255.255.0.0 23 tcp

outbound   1 except 0.0.0.0 0.0.0.0 53 udp

apply (inside) outgoing_src

pager

Enable or disable screen paging. (Privileged mode.)

pager [lines  number]

clear pager

no pager

show pager

Syntax Description

number

The number of lines before the More prompt appears. The minimum is 1.
Use 0 to disable paging.


Usage Guidelines

The pager lines command allows you to specify the number of lines in a page before the More prompt appears. The pager command enables display paging, and no pager disables paging and lets output display completely without interruption. If you set pager lines to some value and want to revert back to the default, enter the pager command without options. The clear pager command resets the number of lines in a page to 24.

Use pager 0 to disable paging.

The show pager command displays pager status.

When paging is enabled, the following prompt appears: 

<--- More --->

The More prompt uses syntax similar to the UNIX more command:

To view another screenful, press the Space bar.

To view the next line, press the Enter key.

To return to the command line, press the q key.

Examples

The following example shows use of the pager command: 

pixfirewall# pager lines 2

pixfirewall# ping inside 10.0.0.42

        10.0.0.42 NO response received -- 1010ms

        10.0.0.42 NO response received -- 1000ms

<--- More --->

passwd

Set password for Telnet access to the PIX Firewall console. (Privileged mode.)

passwd password [encrypted]

clear passwd

show passwd

Syntax Description

password

A case-sensitive password of up to 16 alphanumeric and special characters. Any character can be used in the password except a question mark and a space.

encrypted

Specifies that the password you entered is already encrypted. The password you specify with the encrypted option must be 16 characters in length.


Usage Guidelines

The passwd command sets a password for Telnet access to the PIX Firewall console. An empty password is also changed into an encrypted string. However, any use of a write command displays or writes the passwords in encrypted form. Once passwords are encrypted, they are not reversible back to plain text. The clear passwd command resets the password to "cisco."

Note Write down the new password and store it in a manner consistent with your site's security policy. Once you change this password, you cannot view it again.

Examples

The following example shows use of the passwd command: 

passwd watag00s1am

show passwd

passwd jMorNbK0514fadBh encrypted

Related Commands

enable password

pdm

A new family of commands support Cisco PIX Device Manager (PDM) communication with a PIX Firewall over an HTTP server. The pdm disconnect command allows you to disconnect a specific PDM session using a session_id obtained with the show pdm sessions command. The show pdm sessions command lists all the open PDM sessions going to a PIX Firewall. (Configuration mode.)

Note The pdm disconnect command and the show pdm sessions command are accessible through the command line. The clear pdm, pdm history commands, pdm location, and pdm logging commands may appear in your configuration and are available through the CLI, but they are designed to work as internal PDM-to-PIX Firewall commands accessible through PDM.

clear pdm

pdm disconnect session_id
show pdm sessions

[no] pdm history enable
show pdm history [view {all|12h|5d|60m|10m}][snapshot] [feature {all|blocks|cpu|failover|ids|interface < if_name>|memory|perfmon|xlates}][pdmclient]

pdm location ip_address netmask if_name

pdm logging [level [messages]]
no pdm logging
show pdm logging

Syntax Description

pdm

Pertaining to the Cisco PIX Device Manager.

clear pdm

Removes all locations, disables logging and clears the PDM buffer. Internal PDM command.

pdm disconnect

Disconnects the specified PDM session from the PIX Firewall.

session_id

PDM session ID number available from the show pdm sessions command.

show pdm sessions

Displays a session_id for each active PDM session to the PIX Firewall, beginning with session number 0.

history enable

Internal PDM command. Take a data sample and store the sample data to the PDM history buffer. The no version of this command disables PDM data sampling.

show pdm history

Internal PDM command. Displays the contents of the PDM history buffer.

12h | 5d | 60m | 10m | all

Specifies the PDM history view to display: 12 hours (12h), 5 days (5d), 60 minutes (60m),10 minutes (10m), or all history contents in the PDM history buffer.

snapshot

Displays only the last PDM history data point.

feature

This specifies to display history for a single feature (selected with one of the following). Otherwise, all of them are displayed.

blocks

History for system buffers. Similar to output of the show blocks command.

cpu

History for CPU usage. Similar to output of the show cpu usage command.

failover

History for failover. Similar to output of the show failover command.

ids

History for IDS (Intrusion Detection System).

memory

History for memory. Similar to output of the show memory command.

perfmon

History for performance. Similar to output of show perfmon command.

xlates

History for translation slot information. Similar to output of the show xlate command.

pdmclient

Displays the PDM history in PDM-display format.

location

Internal PDM command. Associates an interface with an IP address on which PDM resides.

ip_address

Specifies the host or network on which PDM resides.

netmask

Specifies the network mask for the pdm location ip_address.

if_name

Specifies the interface name on which PDM resides.

logging

Internal PDM command. Specifies the type and number of syslog messages displayed through the PDM syslog option.

level

Specifies the priority level of syslog messages displayed in the PDM syslog option.

messages

Specifies the number of messages stored in the PDM buffer. Once the buffer is full, old messages will be discarded.

show pdm logging

Internal PDM command. Displays the contents of the PDM buffer within PDM.


Defaults

Default PDM syslog level is 0. Default logging messages is 100 and the maximum is 512.

Usage Guidelines

The pdm location command can only associate one interface to an ip_address /netmask pair. Specifying an existing pair will replace the old definition. The PDM syslog messages are stored separately from the PIX Firewall syslog accessed through the logging buffered command.

The clear pdm location command will remove all of the PDM locations. The clear pdm logging command will clear the PDM log without disabling it.

Examples

The following example shows how to report the last data point in PDM-display format: 

pix(config)# show pdm history 10m snapshot pdmclient

INTERFACE|outside|up|IBC|0|OBC|1088|IPC|0|OPC|0|IBR|17|OBR|0|IPR|0|OPR|0|IERR|1|NB|0|RB|0|
RNT|0|GNT|0|CRC|0|FRM|0|OR|0|UR|0|OERR|0|COLL|0|LCOLL|0|RST|0|DEF|0|LCR|0:PIXoutsideINTERF
ACE:METRIC_HISTORY|SNAP|IBR|VIEW|10|1952|METRIC_HISTORY|SNAP|OBR|VIEW|10|64|METRIC_HISTORY
|SNAP|IPR|VIEW|10|17|METRIC_HISTORY|SNAP|OPR|VIEW|10|1|METRIC_HISTORY|SNAP|IERR|VIEW|10|0|
METRIC_HISTORY|SNAP|OERR|VIEW|10|0|:PIXinsideINTERFACE:METRIC_HISTORY|SNAP|IBR|VIEW|10|0|M
ETRIC_HISTORY|SNAP|OBR|VIEW|10|64|METRIC_HISTORY|SNAP|IPR|VIEW|10|0|METRIC_HISTORY|SNAP|OP
R|VIEW|10|1|METRIC_HISTORY|SNAP|IERR|VIEW|10|0|METRIC_HISTORY|SNAP|OERR|VIEW|10|0|:PixSYS:
METRIC_HISTORY|SNAP|MEM|VIEW|10|52662272|METRIC_HISTORY|SNAP|BLK4|VIEW|10|1600|METRIC_HIST
ORY|SNAP|BLK80|VIEW|10|400|METRIC_HISTORY|SNAP|BLK256|VIEW|10|998|METRIC_HISTORY|SNAP|BLK1
550|VIEW|10|676|METRIC_HISTORY|SNAP|XLATES|VIEW|10|0|METRIC_HISTORY|SNAP|CONNS|VIEW|10|0|M
ETRIC_HISTORY|SNAP|TCPCONNS|VIEW|10|0|METRIC_HISTORY|SNAP|UDPCONNS|VIEW|10|0|METRIC_HISTOR
Y|SNAP|URLS|VIEW|10|0|METRIC_HISTORY|SNAP|WEBSNS|VIEW|10|0|METRIC_HISTORY|SNAP|TCPFIXUPS|V
IEW|10|0|METRIC_HISTORY|SNAP|TCPINTERCEPTS|VIEW|10|0|METRIC_HISTORY|SNAP|HTTPFIXUPS|VIEW|1
0|0|METRIC_HISTORY|SNAP|FTPFIXUPS|VIEW|10|0|METRIC_HISTORY|SNAP|AAAAUTHENUPS|VIEW|10|0|MET
RIC_HISTORY|SNAP|AAAAUTHORUPS|VIEW|10|0|METRIC_HISTORY|SNAP|AAAACCOUNTS|VIEW|10|0|

The following example shows how to report the last data point in non-PDM format: 

pix(config)# show pdm history 10m snapshot

INTERFACE|outside|up|IBC|0|OBC|1344|IPC|0|OPC|0|IBR|21|OBR|0|IPR|0|OPR|0|IERR|1|NB|0|RB|0|
RNT|0|GNT|0|CRC|0|FRM|0|OR|0|UR|0|OERR|0|COLL|0|LCOLL|0|RST|0|DEF|0|LCR|0

:PIX outside INTERFACE:

Input Byte Count: [ 10s] : 1952

Output Byte Count: [ 10s] : 64

Input Packet Count: [ 10s] : 17

Output Packet Count: [ 10s] : 1

Input Error Packet Count: [ 10s] : 0

Output Error Packet Count: [ 10s] : 0

:PIX inside INTERFACE:

Input Byte Count: [ 10s] : 0

Output Byte Count: [ 10s] : 64

Input Packet Count: [ 10s] : 0

Output Packet Count: [ 10s] : 1

Input Error Packet Count: [ 10s] : 0

Output Error Packet Count: [ 10s] : 0

MEM|50479104

BLOCK|BLK4|1600|BLK80|0|BLK256|400|BLK1550|0|BLK1552|997|BLK2560|0|BLK4096|1188|BLK8192|0|
BLK16384|0|BLK65536|0

Available Memory: [ 10s] : 52662272

Available 4 bytes Blocks: [ 10s] : 1600

Available 80 bytes Blocks: [ 10s] : 400

Available 256 bytes Blocks: [ 10s] : 998

Available 1550 bytes Blocks: [ 10s] : 676

PERFMON|XLATES|0|CONNECTIONS|0|TCP CONNS|0|UDP CONNS|0|URLS|0|WEBSNS|0|TCP FIXUP|0|TCP

INTERCEPT|0|HTTP FIXUP|0|FTP FIXUP|0|AAA AUTHEN|0|AAA AUTHOR|0|AAA ACCOUNT|0

Xlate Count: [ 10s] : 0

Connection Count: [ 10s] : 0

TCP Connection Count: [ 10s] : 0

UDP Connection Count: [ 10s] : 0

URL Filtering Count: [ 10s] : 0

WEBSENSE Filtering Count: [ 10s] : 0

TCP Fixup Count: [ 10s] : 0

TCP Intercept Count: [ 10s] : 0

HTTP Fixup Count: [ 10s] : 0

FTP Fixup Count: [ 10s] : 0

AAA Authentication Count: [ 10s] : 0

AAA Authorzation Count: [ 10s] : 0

AAA Accounting Count: [ 10s] : 0

Related Commands

copy tftp flash

http

setup

perfmon

View performance information. (Privileged mode.)

perfmon interval seconds

perfmon quiet  |  verbose

perfmon settings

show perfmon

Syntax Description

interval seconds

Specify the number of seconds the performance display is refreshed on the console. The default is 120 seconds.

quiet

Disable performance monitor displays.

verbose

Enable displaying performance monitor information at the PIX Firewall console.

settings

Displays the interval and whether it is quiet or verbose.


Usage Guidelines

The perfmon command allows you to monitor the PIX Firewall unit's performance. Use the show perfmon command to view the information immediately. Use the perfmon verbose command to display the information every two minutes continuously. Use the perfmon interval seconds command with the perfmon verbose command to display the information continuously every number of seconds you specify.

Note The show perfmon command does not display in a Telnet console session.

Use the perfmon quiet command to disable the display.

An example of the performance information follows:

PERFMON STATS:

Current

Average

Xlates

33/s

  20/s

Connections

  110/s

10/s

TCP Conns

50/s

42/s

WebSns Req  

4/s

2/s

TCP Fixup

20/s

15/s

HTTP Fixup

5/s

5/s

FTP Fixup

7/s

4/s

AAA Authen

10/s

5/s

AAA Author

9/s

5/s

AAA Account

3/s

3/s


This information lists the number of translations, connections, Websense requests, address translations (called "fixups"), and AAA transactions that occur each second.

Examples

The following commands display the performance monitor statistics every 30 seconds on the PIX Firewall console: 

perfmon interval 30

perfmon verbose

ping

Determine if other IP addresses are visible from the PIX Firewall. (Privileged mode.)

ping [if_name] ip_address

Syntax Description

if_name

The internal or external network interface name. The address of the specified interface is used as the source address of the ping.

ip_address

The IP address of a host on the inside or outside networks.


Usage Guidelines

The ping command determines if the PIX Firewall has connectivity or if a host is available on the network. The command output shows if the response was received; that is, that a host is participating on the network. If a host is not responding, ping displays "NO response received." Use the show interface command to ensure that the PIX Firewall is connected to the network and is passing traffic.

If you want internal hosts to be able to ping external hosts, you must create an ICMP access-list command statement for echo reply; for example, to give ping access to all hosts, use the access-list acl_grp permit icmp any   any command and bind the access-list command statement to the interface you want to test using an access-group command statement.

If you are pinging through PIX Firewall between hosts or routers, but the pings are not successful, use the debug icmp trace command to monitor the success of the ping. If pings are both inbound and outbound, they are successful.

The PIX Firewall ping command no longer requires an interface name. If an interface name is not specified, PIX Firewall checks the routing table to find the address you specify. You can specify an interface name to indicate through which interface the ICMP echo requests are sent.

An example of the usage follows: 

ping 10.0.0.1

         10.0.0.1 response received -- 10ms

         10.0.0.1 response received -- 10ms

         10.0.0.1 response received -- 0ms

Or you can still enter the command specifying the interface: 

ping outside 10.0.0.1

         10.0.0.1 response received -- 10ms

         10.0.0.1 response received -- 10ms

10.0.0.1 response received -- 0ms

Examples

The ping command makes three attempts to reach an IP address: 

ping 192.168.42.54

                                                            192.168.42.54 response received -- 0Ms

                                                            192.168.42.54 response received -- 0Ms

                                                            192.168.42.54 response received -- 0Ms

quit

Exit configuration or privileged mode. (All modes.)

quit

Usage Guidelines

Use the quit command to exit configuration or privileged mode.

Examples

The following example shows use of the quit command: 

pixfirewall(config)# quit

pixfirewall# quit

pixfirewall>

reload

Reboot and reload the configuration. (Privileged mode.)

reload

reload noconfirm

Syntax Description

reload

Reboot and reload configuration.

noconfirm

Permits the PIX Firewall to reload without user confirmation.


Usage Guidelines

The reload command reboots the PIX Firewall and reloads the configuration from a bootable floppy
disk or, if a diskette is not present, from Flash memory.

The PIX Firewall does not accept abbreviations to the keyword noconfirm.

You are prompted for confirmation before starting with "Proceed with reload?".
Any response other than n causes the reboot to occur.

Note Configuration changes not written to Flash memory are lost after reload. Before rebooting, store the current configuration in Flash memory with the write memory command.

Examples

The following example shows use of the reload command: 

reload

Proceed with reload?  [confirm] y


Rebooting...


PIX Bios V2.7

...

rip

Change RIP settings. (Configuration mode.)

rip if_name default | passive [version [1 | 2]] [authentication [text | md5 key (key_id)]]

no rip if_name default | passive [version [1 | 2]] [authentication [text | md5 key (key_id)]]

show rip [if_name]

clear rip

debug rip [if_name]

Syntax Description

if_name

The internal or external network interface name.

default

Broadcast a default route on the interface.

passive

Enable passive RIP on the interface. The PIX Firewall listens for RIP routing broadcasts and uses that information to populate its routing tables.

version

RIP version. Use version 2 for RIP update encryption. Use version 1 to provide backward compatibility with the older version.

authentication

Enable RIP version 2 authentication.

text

Send RIP updates as clear text (not recommended).

md5

Send RIP updates using MD5 encryption.

key

Key to encrypt RIP updates. This value must be the same on the routers and any other device that provides RIP version 2 updates. The key is a text string of up to 16 characters in length.

key_id

Key identification value. The key_id can be a number from 1 to 255. Use the same key_id in use on the routers and any other device that provides RIP version 2 updates.


Usage Guidelines

The rip command enables IP routing table updates from received Routing Information Protocol (RIP) broadcasts. Use the show rip command to display the current RIP settings. Use the no rip command to disable the PIX Firewall IP routing table updates. The default is to enable IP routing table updates. If you specify RIP version 2, you can encrypt RIP updates using MD5 encryption.

The clear rip command removes all the rip commands from the configuration.

Ensure that the key and key_id values are the same as in use on any other device in your network that makes RIP version 2 updates.

The PIX Firewall cannot pass RIP updates between interfaces.

When RIP version 2 is configured in passive mode with PIX Firewall software version 5.3 and higher, the PIX Firewall accepts RIP version 2 multicast updates with IP destination of 224.0.0.9. For RIP version 2 default mode, the PIX Firewall will transmit default route updates using an IP destination of 224.0.0.9. Configuring RIP version 2 registers the multicast address 224.0.0.9 on the respective interface to be able to accept multicast RIP version 2 updates.

Only Intel 10/100 and Gigabit interfaces support multicasting. FDDI and Token Ring will still operate in broadcast mode (IP destination 255.255.255.255 not 224.0.0.9).

When the RIP version 2 commands for an interface are removed, the multicast address is unregistered from the interface card.

Examples

The following is sample output from the version 1 show rip and rip inside default commands: 

show rip

rip outside passive

no rip outside default

rip inside passive

no rip inside default


rip inside default 

show rip

rip outside passive

no rip outside default

rip inside passive

rip inside default

The next example combines version 1 and version 2 commands and shows listing the information with the show rip command after entering the rip commands that:

Enable version 2 passive RIP using MD5 authentication on the outside interface to encrypt the key used by the PIX Firewall and other RIP peers, such as routers.

Enable version 1 passive RIP listening on the inside interface of the PIX Firewall.

Enable version 2 passive RIP listening on the dmz interface of the PIX Firewall. 

rip outside passive version 2 authentication md5 thisisakey 2

rip outside default version 2 authentication md5 thisisakey 2

rip inside passive 

rip dmz passive version 2


show rip

rip outside passive version 2 authentication md5 thisisakey 2

rip outside default version 2 authentication md5 thisisakey 2

rip inside passive version 1

rip dmz passive version 2

The next example shows how use of the clear rip command clears all the previous rip commands from the current configuration: 

clear rip

show rip

This example shows use of the version 2 feature that passes the encryption key in text form: 

rip out default version 2 authentication text thisisakey 3

show rip                   

rip outside default version 2 authentication text thisisakey 3

route

Enter a static or default route for the specified interface. (Configuration mode.)

route if_name ip_address netmask gateway_ip [metric]

clear route [if_name ip_address [netmask gateway_ip]]

no route [if_name ip_address [netmask gateway_ip]]

show route

Syntax Description

if_name

The internal or external network interface name.

ip_address

The internal or external network IP address. Use 0.0.0.0 to specify a default route.
The 0.0.0.0 IP address can be abbreviated as 0.

netmask

Specify a network mask to apply to ip_address. Use 0.0.0.0 to specify a default route. The 0.0.0.0 netmask can be abbreviated as 0.

gateway_ip

Specify the IP address of the gateway router (the next hop address for this route).

metric

Specify the number of hops to gateway_ip. If you are not sure, enter 1. Your network administrator can supply this information or you can use a traceroute command to obtain the number of hops. The default is 1 if a metric is not specified.


Usage Guidelines

Use the route command to enter a default or static route for an interface. To enter a default route, set ip_address and netmask to 0.0.0.0, or the shortened form of 0. All routes entered using the route command are stored in the configuration when it is saved. The clear route command removes route command statements from the configuration that do not contain the CONNECT keyword.

Create static routes to access networks connected outside a router on any interface. The effect of a static route is like stating "to send a packet to the specified network, give it to this router." For example, PIX Firewall sends all packets destined to the 192.168.42.0 network through the 192.168.1.5 router with this static route command statement. 

route dmz 192.168.42.0 255.255.255.0 192.168.1.5 1

The routing table automatically specifies the IP address of a PIX Firewall interface in the route command. Once you enter the IP address for each interface, PIX Firewall creates a route statement entry that is not deleted when you use the clear route command.

If the route command statement uses the IP address from one of the PIX Firewall unit's interfaces as the gateway IP address, PIX Firewall will ARP for the destination IP address in the packet instead of ARPing for the gateway IP address.

The following steps show how PIX Firewall handles routing:

Step 1 PIX Firewall receives a packet from the inside interface destined to IP address X.

Step 2 Because a default route is set to itself, PIX Firewall sends out an ARP for address X.

Step 3 Any Cisco router on the outside interface LAN which has a route to address X (Cisco IOS software has proxy ARP enabled by default) replies back to the PIX Firewall with its own MAC address as the next hop.

Step 4 PIX Firewall sends the packet to router (just like a default gateway).

Step 5 PIX Firewall adds the entry to its ARP cache for IP address X with the MAC address being that of the router.

The CONNECT route entry is supported. (This identifier appears when you use the show route command.) The CONNECT identifier is assigned to an interface's local network and the interface IP address, which is in the IP local subnet. PIX Firewall will ARP for the destination address. The CONNECT identifier cannot be removed, but changes when you change the IP address on the interface.

If you enter duplicate routes with different metrics for the same gateway, PIX Firewall changes the metric for that route and updates the metric for the route.

For example, the following command statement is in a configuration: 

route inside 10.0.0.0 255.0.0.0 10.0.0.2 2 OTHER

If you enter the following statement: 

route inside 10.0.0.0 255.0.0.0 10.0.0.2 3

PIX Firewall converts the command statement to the following: 

route inside 10.0.0.0 255.0.0.0 10.0.0.2 3 OTHER

Examples

Specify one default route command statement for the outside interface, which in this example, is for the router on the outside interface that has an IP address of 209.165.201.1: 

route outside 0 0 209.165.201.1 1

For static routes, if two networks, 10.1.2.0 and 10.1.3.0 connect via a hub to the dmz1 interface router at 10.1.1.4, add these static route command statements to provide access to the networks: 

route dmz1 10.1.2.0 255.0.0.0 10.1.1.4 1

route dmz1 10.1.3.0 255.0.0.0 10.1.1.4 1