Table Of Contents

S Commands

service

setup

session

show

show blocks / clear blocks

show checksum

show conn

show cpu usage

show crypto engine

show history

show interface

show memory

show processes

show tech-support

show traffic/clear traffic

show uauth

show version

show xlate

shun

snmp-server

ssh

static

syslog

sysopt


S Commands


service

Reset inbound connections. (Configuration mode.)

service resetinbound

service resetoutside

show service

clear service

Syntax Description

resetinbound

Reset inbound connections.


Usage Guidelines

The service command works with all inbound TCP connections to statics whose access lists or uauth (user authorization) do not allow inbound. One use is for resetting IDENT connections. If an inbound TCP connection is attempted and denied, you can use the service resetinbound command to return an RST (reset flag in the TCP header) to the source. Without the option, the PIX Firewall drops the packet without returning an RST.

For use with IDENT, the PIX Firewall sends a TCP RST to the host connecting inbound and stops the incoming IDENT process so that email outbound can be transmitted without having to wait for IDENT to time out. In this case, the PIX Firewall sends a syslog message stating that the incoming connection was a denied connection. Without service resetinbound, the PIX Firewall drops packets that are denied and generates a syslog message stating that the SYN was a denied connection. However, outside hosts keep retransmitting the SYN until the IDENT times out.

When an IDENT connection is timing out, you will notice that connections slow down. Perform a trace to determine that IDENT is causing the delay and then invoke the service command.

The service resetinbound command provides a safer way to handle an IDENT connection through the PIX Firewall. Ranked in order of security from most secure to less secure are these methods for handling IDENT connections:

1. Use the service resetinbound command.

2. Use the established command with the permitto tcp 113 options.

3. Enter static and access-list command statements to open TCP port 113.

When using the aaa command, if the first attempt at authorization fails and a second attempt causes a timeout, use the service resetinbound command to reset the client that failed the authorization so that it will not retransmit any connections. An example authorization timeout message in Telnet follows:

Unable to connect to remote host: Connection timed out

Examples

The following example shows use of the service resetinbound command:

service resetinbound
show service

service resetinbound

If you use the resetoutside command, the PIX Firewall actively resets denied TCP packets that terminate at the PIX Firewall least secure interface. By default, these packets are silently discarded. The resetoutside option is highly recommended with dynamic or static interface Port Address Translation (PAT). The static interface PAT is available with PIX Firewall version 6.0 and higher. This option allows the PIX Firewall to quickly terminate the identity request (IDENT) from an external SMTP or FTP server. Actively resetting these connections avoids the thirty-second time-out delay.

If you wish to remove service command statements from the configuration, use the clear service command.

setup

The setup command allows you to provide pre-configuration information to a new PIX Firewall, so you can then configure and monitor your PIX Firewall graphically using PDM. (Configuration Mode.)

setup
Pre-configure PIX Firewall now through interactive prompts [yes]? 
Enable Password [<use current password>]:
Clock (UTC)
  Year [system year]:
  Month [system month]:
  Day [system day]:
  Time [system time]:
Inside IP address: 
Inside network mask: 
Host name: 
Domain name: 
IP address of host running PIX Device Manager:

Syntax Description

setup

Prompts for the basic operational information for the PIX Firewall if no configuration is found in the Flash memory.

Enable password:

Specify an enable password for this PIX Firewall.

Clock (UTC)

Set the PIX Firewall clock to Universal Coordinated Time (also known as Greenwich Mean Time).

Year [system year]:

Specify current year, or default to the year stored in the host computer.

Month [system month]:

Specify current month, or default to the month stored in the host computer.

Day [system day]:

Specify current day, or default to the day stored in the host computer.

Time [system time]

Specify current time in hh:mm:ss format, or default to the time stored in the host computer.

Inside IP address:

Network interface IP address of the PIX Firewall.

Inside network mask:

A network mask that applies to inside IP address. Use 0.0.0.0 to specify a default route. The 0.0.0.0 netmask can be abbreviated as 0.

Host name:

The host name you want to display in the PIX Firewall command line prompt.

Domain name:

The DNS domain name of the network on which the PIX Firewall runs, for example example.com.

IP address of host running PIX Device Manager:

IP address on which PDM connects to the PIX Firewall.

Use this configuration and write to flash?

Store the new configuration to Flash memory. Same as the write memory command. If the answer is yes, the inside interface will be enabled and the requested configuration will be written to Flash memory. If the user answers anything else, the setup dialog repeats using the values already entered as the defaults for the questions.


Usage Guidelines

A PIX Firewall unit requires some initial configuration before PDM can connect to it. The setup dialog appears, via the console, at boot time if there is no configuration in the Flash memory. You can also access the setup command by typing setup from the Config mode.

The dialog asks for the inside IP address, network mask, host name, domain name and PDM host. The host and domain names are used to generate the default certificate for the SSL connection. The interface type is determined from the hardware.

Examples

The following example shows how to complete the setup command prompts.

router (config)# setup
Pre-configure PIX Firewall now through interactive prompts [yes]? y 
Enable Password [<use current password>]: ciscopix 
Clock (UTC) 
  Year [2001]: 2001 
  Month [Aug]: Sep 
  Day [27]: 12 
  Time [22:47:37]: <Enter> 
Inside IP address: 192.168.1.1 
Inside network mask: 255.255.255.0 
Host name: accounting_pix 
Domain name: example.com 
IP address of host running PIX Device Manager: 192.168.1.2 
 
The following configuration will be used:  
Enable Password: ciscopix 
Clock (UTC): 22:47:37 Sep 12 2001
Inside IP address: 192.168.1.1
Inside network mask: 255.255.255.0
Host name: accounting_pix
Domain name: example.com
IP address of host running PIX Device Manager: 192.168.1.2
 
Use this configuration and write to flash? y

Related Commands

aaa authentication

ca

copy tftp flash

http

session

Access an embedded AccessPro router console. (Privileged mode.)


Note The PIX 506 and PIX 515 do not support use of the session command.


session enable

no session

show session


Note Only use this command if you have an AccessPro router installed in your PIX Firewall.


Syntax Description

enable

Enable the session command for communications with the AccessPro router.


Usage Guidelines

The session command allows you to specify Cisco IOS software commands on an AccessPro router console when the router is installed in your PIX Firewall. Use COM port 4 on the AccessPro router to communicate with the PIX Firewall.

Exit the router console session by entering tilde-dot (~.). Press the tilde key and when you hear a bell sound from your terminal, press the dot key.

While a router console session is occurring, the PIX Firewall disables failover because they both require the same interrupts.

Examples

This example enables an AccessPro session, starts the session, and then disables it:

session enable
Session has been enabled.
session

Warning: FAILOVER has been disabled!!!
Attempting session with embedded router, use ~. to quit!

acpro> ~.

no session
Session has been disabled
session
Session is not enabled

show

View command information. (Differs by mode.)

show ?

Usage Guidelines

The show command without arguments or the show ? command allows you to view the names of the show commands and their descriptions. Explanations for each show command are provided on the respective command page for the command itself where appropriate; for example, show arp is described on the arp command page.


Note The show commands that do not have a command equivalent shown in this section are described on their respective command pages; for example, the show interface command is described on the interface command page.


If the pager command is enabled and when 24 lines display, the listing pauses, and the following prompt appears:

<--- More --->

The More prompt uses syntax similar to the UNIX more command:

To view another screenful, press the Space bar.

To view the next line, press the Enter key.

To return to the command line, press the q key.

Examples

The following is sample output from the show ? command:

show ?
?               help ...

show blocks / clear blocks

Show system buffer utilization. (Privileged mode.)

clear blocks

show blocks

Usage Guidelines

The show blocks command lists preallocated system buffer utilization. In the show blocks listing, the SIZE column displays the block type. The MAX column is the maximum number of allocated blocks. The LOW column is the fewest blocks available since last reboot. The CNT column is the current number of available blocks. A zero in the LOW column indicates a previous event where memory exhausted. A zero in the CNT column means memory is exhausted now. Exhausted memory is not a problem as long as traffic is moving through the PIX Firewall. You can use the show conn command to see if traffic is moving. If traffic is not moving and the memory is exhausted, a problem may be indicated.

The clear blocks command keeps the maximum count to whatever number is allocated in the system and equates the low count to the current count.

You can also view the information from the show blocks command using SNMP.

Examples

The following is sample output from the show blocks command:

show blocks
  SIZE    MAX    LOW    CNT
     4   1600   1600   1600
    80    100     97     97
   256     80     79     79
  1550    788    402    404
 65536      8      8      8
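The usage guidelines above give a reading rule for the LOW and CNT columns (LOW of zero: a pool ran out at some point since reboot; CNT of zero: it is out now) and say that exhaustion only matters when traffic has stopped. The following added example, not code from the original page or from Cisco, parses `show blocks` output in the documented layout and applies that rule; the sample output is constructed, and using the `show conn` count as the "traffic is moving" signal is this example's assumption.

```python
import re

# Constructed sample of `show blocks` output in the documented layout (not a
# real capture). The 80-byte pool is exhausted now (CNT=0) and the 1550-byte
# pool was exhausted earlier (LOW=0) so both conditions are exercised.
SAMPLE_SHOW_BLOCKS = """\
show blocks
  SIZE    MAX    LOW    CNT
     4   1600   1600   1600
    80    100      0      0
   256     80     79     79
  1550    788      0    404
 65536      8      8      8
"""

# One data row: four integer columns (SIZE, MAX, LOW, CNT); the header line
# and the echoed command do not match this pattern.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_show_blocks(text):
    """Return one dict per block pool with size, max, low and cnt values."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            size, mx, low, cnt = (int(x) for x in m.groups())
            rows.append({"size": size, "max": mx, "low": low, "cnt": cnt})
    return rows


def block_findings(rows):
    """Apply the interpretation from the usage guidelines:
    CNT == 0 means the pool is exhausted right now,
    LOW == 0 means the pool was exhausted at some point since the last reboot."""
    findings = []
    for r in rows:
        if r["cnt"] == 0:
            findings.append((r["size"], "exhausted now"))
        elif r["low"] == 0:
            findings.append((r["size"], "exhausted previously"))
    return findings


def assess(rows, connections_in_use):
    """Combine the pool findings with the `show conn` count. The guidelines say
    exhausted memory is not a problem while traffic is moving; this example
    treats a zero connection count as "traffic is not moving" (an assumption,
    not a rule stated on the page)."""
    findings = block_findings(rows)
    if not findings:
        return "ok"
    exhausted_now = any(kind == "exhausted now" for _, kind in findings)
    if exhausted_now and connections_in_use == 0:
        return "problem: memory exhausted and no traffic moving"
    return "watch: exhaustion observed but traffic is moving"


if __name__ == "__main__":
    pools = parse_show_blocks(SAMPLE_SHOW_BLOCKS)
    for size, kind in block_findings(pools):
        print(f"{size:>6}-byte pool: {kind}")
    print(assess(pools, connections_in_use=6))
```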

show checksum

Display the configuration checksum. (Unprivileged mode.)

show checksum

Usage Guidelines

The show checksum command displays four groups of hexadecimal numbers that act as a digital summary of the contents of the configuration. The same information is stored with the configuration when you store it in Flash memory. By using the show config command and viewing the checksum at the end of the configuration listing, and then using the show checksum command, you can compare the numbers to see if the configuration has changed. The PIX Firewall tests the checksum to determine whether the configuration has been corrupted.

Examples

The following is sample output from the show checksum command:

show checksum
Cryptochecksum: 1a2833c0 129ac70b 1a88df85 650dbb81

show conn

Display all active connections. (Privileged mode.)

show conn [count] [foreign | local ip [-ip2]] [netmask mask] [protocol tcp | udp | protocol] [fport | lport port1 [-port2]] [state [up [,finin] [,finout] [,http_get] [,sip] [,smtp_data] [,smtp_banner] [,smtp_incomplete] [,nojava] [,data_in] [,data_out] [,sqlnet_fixup_data] [,conn_inbound] [,rpc] [,h323] [,dump]]

The on-line help for the command shows the same options in condensed form:

pixfirewall(config)# show conn help
usage: show conn [count] |
       [protocol <tcp|udp>]
       [foreign|local <ip1[-ip2]> [netmask <mask>]]
       [lport|fport <port1[-port2]>]
       [state <up[,finin][,finout][,http_get][,smtp_data]
       [,nojava][,data_in][,data_out][,rpc][,h323]
       [,sqlnet_fixup_data][,conn_inbound][,sip]>]

show conn state <up[,finin][,finout][,http_get][,smtp_data][,nojava][,data_in][,data_out][,rpc][,h323][,sqlnet_fixup_data][,conn_inbound][,sip]>

Syntax Description

count

Display only the number of used connections. The precision of the displayed count may vary depending on traffic volume and the type of traffic passing through the PIX Firewall unit.

foreign |  local ip [-ip2] netmask mask

Display active connections by the foreign IP address or by local IP address. Qualify foreign or local active connections by network mask.

protocol tcp | udp | protocol

Display active connections by protocol type. protocol is a protocol specified by number. See "Protocols" in "Using PIX Firewall Commands" for a list of valid protocol literal names.

fport | lport port1 [-port2]

Display foreign or local active connections by port. See "Ports" in "Using PIX Firewall Commands" for a list of valid port literal names.

state

Display active connections by their current state: up (up), FIN inbound (finin), FIN outbound (finout), HTTP get (http_get), SMTP mail data (smtp_data), SIP connection (sip), SMTP mail banner (smtp_banner), incomplete SMTP mail connection (smtp_incomplete), an outbound command denying access to Java applets (nojava), inbound data (data_in), outbound data (data_out), SQL*Net data fix up (sqlnet_fixup_data), inbound connection (conn_inbound), RPC connection (rpc), H.323 connection (h323), dump clean up connection (dump).


Usage Guidelines

The show conn command displays the number and information about the active TCP connections.

You can also view the connection count information from the show conn command using SNMP.

Examples

The following is sample output from the show conn command:

show conn
6 in use, 6 most used
TCP out 209.165.201.1:80 in 10.3.3.4:1404 idle 0:00:00 Bytes 11391
TCP out 209.165.201.1:80 in 10.3.3.4:1405 idle 0:00:00 Bytes 3709
TCP out 209.165.201.1:80 in 10.3.3.4:1406 idle 0:00:01 Bytes 2685
TCP out 209.165.201.1:80 in 10.3.3.4:1407 idle 0:00:01 Bytes 2683
TCP out 209.165.201.1:80 in 10.3.3.4:1403 idle 0:00:00 Bytes 15199
TCP out 209.165.201.1:80 in 10.3.3.4:1408 idle 0:00:00 Bytes 2688
UDP out 209.165.201.7:24 in 10.3.3.4:1402 idle 0:01:30
UDP out 209.165.201.7:23 in 10.3.3.4:1397 idle 0:01:30
UDP out 209.165.201.7:22 in 10.3.3.4:1395 idle 0:01:30

In this example, host 10.3.3.4 on the inside has accessed a website at 209.165.201.1. The global address on the outside interface is 209.165.201.7.
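The output format shown above (a "N in use, N most used" header, then one line per connection with protocol, outside and inside address:port, idle time and, for TCP only, a byte count) is easy to post-process when reviewing a busy unit. The following added example, not code from the original page or from Cisco, parses that format, summarizes connections per inside host and lists long-idle connections; the sample output is constructed, including a 10.3.3.7 host added so the idle filter has something to report.

```python
import re
from collections import defaultdict

# Constructed `show conn` output in the documented format (not a real
# capture): 10.3.3.4 browses 209.165.201.1 and has UDP flows; 10.3.3.7 holds
# a long-idle TCP connection to 203.0.113.9 (documentation address range).
SAMPLE_SHOW_CONN = """\
show conn
6 in use, 6 most used
TCP out 209.165.201.1:80 in 10.3.3.4:1404 idle 0:00:00 Bytes 11391
TCP out 209.165.201.1:80 in 10.3.3.4:1405 idle 0:00:00 Bytes 3709
TCP out 209.165.201.1:80 in 10.3.3.4:1403 idle 0:00:00 Bytes 15199
UDP out 209.165.201.7:24 in 10.3.3.4:1402 idle 0:01:30
UDP out 209.165.201.7:23 in 10.3.3.4:1397 idle 0:01:30
TCP out 203.0.113.9:445 in 10.3.3.7:3101 idle 0:12:05 Bytes 120
"""

HEADER_RE = re.compile(r"^\s*(\d+) in use, (\d+) most used\s*$")
# UDP lines carry no "Bytes" field in the documented output, so it is optional.
CONN_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+out\s+(?P<fip>[\d.]+):(?P<fport>\d+)"
    r"\s+in\s+(?P<lip>[\d.]+):(?P<lport>\d+)"
    r"\s+idle\s+(?P<h>\d+):(?P<m>\d{2}):(?P<s>\d{2})"
    r"(?:\s+Bytes\s+(?P<bytes>\d+))?\s*$"
)


def parse_show_conn(text):
    """Return (in_use, most_used, connections). Each connection is a dict with
    proto, foreign and local (ip, port) tuples, idle seconds and bytes
    (0 for UDP, whose lines have no byte count)."""
    in_use = most_used = None
    conns = []
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            in_use, most_used = int(h.group(1)), int(h.group(2))
            continue
        m = CONN_RE.match(line)
        if not m:
            continue
        idle = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
        conns.append({
            "proto": m["proto"],
            "foreign": (m["fip"], int(m["fport"])),
            "local": (m["lip"], int(m["lport"])),
            "idle": idle,
            "bytes": int(m["bytes"]) if m["bytes"] else 0,
        })
    return in_use, most_used, conns


def summarize_by_local_host(conns):
    """Per inside host: TCP count, UDP count and total bytes. This is the
    first view to check when one host is holding an unusual share of the
    connection table."""
    summary = defaultdict(lambda: {"tcp": 0, "udp": 0, "bytes": 0})
    for c in conns:
        entry = summary[c["local"][0]]
        entry[c["proto"].lower()] += 1
        entry["bytes"] += c["bytes"]
    return dict(summary)


def idle_longer_than(conns, seconds):
    """Connections idle for at least `seconds`, longest idle first; these are
    the candidates to review against the connection timeout settings."""
    hits = [c for c in conns if c["idle"] >= seconds]
    return sorted(hits, key=lambda c: c["idle"], reverse=True)


if __name__ == "__main__":
    in_use, most_used, conns = parse_show_conn(SAMPLE_SHOW_CONN)
    print(f"{in_use} in use, {most_used} most used, {len(conns)} parsed")
    for host, stats in summarize_by_local_host(conns).items():
        print(f"{host}: {stats}")
    for c in idle_longer_than(conns, 600):
        print(f"idle {c['idle']}s: {c['local']} -> {c['foreign']} {c['proto']}")
```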

show cpu usage

The show cpu usage command displays CPU utilization. (Privileged or configuration mode.)

show cpu usage

Displays central processing unit (CPU) utilization information.


Syntax Description

cpu usage

The central processing unit (CPU) usage data.


Usage Guidelines

The show cpu usage command displays the central processing unit (CPU) usage information.

Examples

The following example shows the show cpu usage command output:

CPU utilization for 5 seconds: p1%; 1 minute: p2%; 5 minutes: p3%

The percentage usage prints as NA (not applicable) if the usage is unavailable for the specified time interval. This can happen if the user asks for CPU usage before the 5-second, 1-minute, or 5-minute time interval has elapsed.

show crypto engine

Shows cryptography engine statistics.

show crypto engine

Syntax Description

crypto engine

Displays usage statistics for the firewall cryptography engine.


Command Modes

Privileged or configuration mode.

Usage Guidelines

The show crypto engine command displays usage statistics for the cryptography engine used by the firewall.

Examples

The following example shows sample output for the show crypto engine command:

pixfirewall# show crypto engine
Crypto Engine Connection Map:
    size = 8, free = 6, used = 1, active = 1

In this command output, size is the total number of unidirectional IPSec tunnels, free is the number of unused unidirectional IPSec tunnels, used is the number of allocated unidirectional IPSec tunnels, and active is the number of active unidirectional IPSec tunnels. Because tunnel 0 is reserved for system use, size is equal to free plus used plus one.

show history

Display previously entered lines. (Privileged mode.)

show history

Usage Guidelines

The show history command displays previously entered commands. You can examine commands individually with the up and down arrows or by entering ^p to view previously entered lines or ^n to view the next line.

Examples

The following is sample output from the show history command:

show history
                enable 
              ...

show interface

See the interface command page for a description of the show interface command.

show memory

Show system memory utilization. (Privileged mode.)

show memory

Usage Guidelines

The show memory command displays a summary of the maximum physical memory and current free memory available to the PIX Firewall operating system. Memory in the PIX Firewall is allocated as needed.

You can also view the information from the show memory command using SNMP.

Examples

The following is sample output from the show memory command:

show memory
nnnnnnnn bytes total, nnnnnnn bytes free

show processes

Display processes. (Privileged mode.)

show processes

Usage Guidelines

The show processes command displays a listing of running processes. Processes are lightweight threads requiring only a few instructions. In the listing, PC is the program counter, SP is the stack pointer, STATE is the address of a thread queue, Runtime is the number of milliseconds that the thread has been running, SBASE is the stack base address, Stack is the current number of bytes used and the total size of the stack, and Process lists the thread's function.

Examples

The following is sample output from the show processes command:

show processes
    PC       SP       STATE       Runtime    SBASE     Stack Process
Lsi 800125de 803603d0 80075ba0          0 8035f410 4004/4096 arp_timer
...

show tech-support

View information to help a support analyst. (Privileged mode.)

show tech-support

Usage Guidelines

The show tech-support command lists information technical support analysts need to help you diagnose PIX Firewall problems. This command combines the output from the show commands that provide the most information to a technical support analyst.

Examples

The following is sample output from the show tech-support command:

show tech-support
PIX Version 6.0(n)nnn 
Compiled on Fri 28-May-99 04:08 by pixbuild
PIX Bios V2.7

pixfirewall up 100 days 6 hours 17 mins
...

show traffic/clear traffic

Shows interface transmit and receive activity. (Privileged mode.)

clear traffic

show traffic

Usage Guidelines

The show traffic command lists the number of packets and bytes moving through each interface. The number of seconds is the duration the PIX Firewall has been online since the last reboot. The clear traffic command clears counters for the show traffic command output.

Examples

The following is sample output from the show traffic command:

show traffic
outside:
        received (in 3786 secs):
                97 packets      6191 bytes
                42 pkts/sec     1 bytes/sec
        transmitted (in 3786 secs):
                99 packets      10590 bytes
                0 pkts/sec      2 bytes/sec ...

show uauth

See the uauth command page for information on the show uauth command.

show version

View the PIX Firewall operating information. (Unprivileged mode.)

show version

Usage Guidelines

The show version command allows you to view the PIX Firewall unit's software version, operating time since last reboot, processor type, Flash memory type, interface boards, serial number (BIOS ID), and activation key value.

The uptime value in the output of the show version command indicates how long a failover set has been running. If one unit stops running, the uptime value will continue to increase as long as the other unit continues to operate.

Throughput Limited indicates that the speed of the PIX Firewall interface is limited due to platform or version restrictions. ISAKMP peers Limited indicates that the number of IPSec peers is limited due to platform restrictions.


Note The serial number listed with the show version command, in version 5.3 and later, is for the Flash memory BIOS. This number is different from the serial number on the chassis. When you get a software upgrade, you will need the serial number that appears in the show version command, not the chassis number.


In the following examples, the amount of Flash memory (2 MB or 16 MB) is identified by:

Flash AT29C040A @ 0x300 for 2 MB of Flash

Flash i28F640J5 @ 0x300 for 16 MB of Flash

Examples

The following is sample output from the show version command.

show version

Cisco Secure PIX Firewall Version 6.1(0)
Compiled on Fri 01-Oct-01 13:56 by pixbuild
pix515 up 4 days 22 hours 10 mins 42 secs
Hardware:            PIX-515, 64 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300
BIOS Flash AT29C257 @ 0xfffd8000

0: ethernet0: address is 00aa.0000.0037, irq 11
1: ethernet1: address is 00aa.0000.0038, irq 10
2: ethernet2: address is 00a0.c92a.f029, irq 9
3: ethernet3: address is 00a0.c948.45f9, irq 7
Licensed Features:
Failover:             Enabled
VPN-DES:              Enabled
VPN-3DES:             Disabled
Maximum Interfaces:   6
Serial Number: 123 (0x7b)
Activation Key: 0xc5233151 0xb429f6d0 0xda93739a 0xe15cdf51

show xlate

See the xlate command page for information on the show xlate command.

shun

The shun command allows a dynamic response to an attacking host by preventing new connections and disallowing packets from any existing connection. (Configuration Mode.)

[no] shun src_ip [dst_ip sport dport [protocol]]
clear shun [statistics]
show shun src_ip

Syntax Description

shun

Enable a blocking function (shun) based on src_ip.

no

Disable a shun based on src_ip, the actual address used by the PIX Firewall for shun lookups.

clear

Disable all shuns currently enabled and clear shun statistics. Specifying statistics only clears the counters for that interface.

show

Display all shuns currently enabled in the exact format specified.

src_ip

The address of the attacking host.

dst_ip

The address of the target host.

sport

The source port of the connection causing the shun.

dport

The destination port of the connection causing the shun.

protocol

The optional IP protocol, such as UDP or TCP.

statistics

Clear only interface counters.


If the shun command is used only with the source IP address of the host, then the other defaults will be 0. No further traffic from the offending host will be allowed.

Usage Guidelines

The shun command applies a blocking function to the interface receiving the attack. Packets containing the IP source address of the attacking host will be dropped and logged until the blocking function is removed manually or by the Cisco IDS master unit. No traffic from the IP source address will be allowed to traverse the PIX Firewall unit and any remaining connections will time out as part of the normal architecture. The blocking function of the shun command is applied whether or not a connection with the specified host address is currently active.

Examples

In the following example, the offending host (10.1.1.27) makes a connection with the victim (10.2.2.89) with TCP. The connection in the PIX Firewall connection table reads:

10.1.1.27, 555-> 10.2.2.89, 666 PROT TCP

If the shun command is applied in the following way:

shun 10.1.1.27 10.2.2.89 555 666 tcp 

The preceding command would delete the connection from the PIX Firewall connection table, and it would also prevent packets from 10.1.1.27 from going through the PIX Firewall. The offending host can be inside or outside of the PIX Firewall.

snmp-server

Provide PIX Firewall event information via SNMP. (Configuration mode.)

snmp-server community key

snmp-server contact text

snmp-server location text

snmp-server host [if_name] ip_addr [trap | poll]

snmp-server enable traps

clear snmp-server command

no snmp-server command

show snmp-server

Syntax Description

community key

Enter the password key value in use at the SNMP management station. The SNMP community string is a shared secret among the SNMP management station and the network nodes being managed. PIX Firewall uses the key to determine if the incoming SNMP request is valid. For example, you could designate a site with a community string and then configure the routers, firewall, and the management station with this same string. The PIX Firewall then honors SNMP requests using this string and does not respond to requests with an invalid community string.

The key is a case-sensitive value up to 32 characters in length. Spaces are not permitted. The default, if this option is not used, is public.

contact text

Supply your name or that of the PIX Firewall system administrator. The text is case-sensitive and can be up to 127 characters. Spaces are accepted, but multiple spaces are shortened to a single space.

location text

Specify your PIX Firewall location. The text is case-sensitive and can be up to 127 characters. Spaces are accepted, but multiple spaces are shortened to a single space.

snmp-server host

Specify an IP address of the SNMP management station to which traps should be sent and/or from which the SNMP requests come. You can specify up to 32 SNMP management stations.

if_name

The interface name where the SNMP management station resides.

ip_addr

The IP address of a host to which SNMP traps should be sent and/or from which the SNMP requests come.

trap | poll

Specify whether traps, polls, or both are acted upon. Use with these parameters:

trap—Only traps will be sent. This host will not be allowed to poll.

poll—Traps will not be sent. This host will be allowed to poll.

The default allows both traps and polls to be acted upon.

host

Specify an IP address of the SNMP management station to which traps should be sent and/or from which the SNMP requests come. You can specify up to five SNMP management stations.

Use with these parameters:

if_name—The interface name where the SNMP management station resides.

ip_addr—The IP address of a host to which SNMP traps should be sent and/or from which the SNMP requests come.

enable traps

Enable or disable sending SNMP trap notifications via syslog.


Usage Guidelines

Use the snmp-server command to identify site, management station, community string, and user information.

In understanding SNMP use, the PIX Firewall is considered the SNMP agent or SNMP server. The management station is the system running the SNMP program that receives and processes the SNMP information that the PIX Firewall sends.

An SNMP object ID (OID) for PIX Firewall displays in SNMP event traps sent from the PIX Firewall. OID 1.3.6.1.4.1.9.1.227 was assigned as the PIX Firewall system object ID.

The clear snmp-server and no snmp-server commands remove command statements. The show snmp-server command displays the information.

Use the trap and poll command options to configure hosts to participate only in specific SNMP activities. Poll responses and traps are sent only to the configured entities. Hosts configured with the trap command option will have traps sent to them, but will not be allowed to poll. Hosts configured with the poll command option will be allowed to poll, but will not have traps sent to them.

Accessibility to the PIX Firewall MIBs is based on configuration, MIB support, and authentication based on the community string. Unsuccessful polling attempts, except for failed community string authentication, are not logged or otherwise indicated. Community authentication failures result in a trap where applicable.

MIB Support

You can browse the System and Interface groups of MIB-II. All SNMP values in the PIX Firewall are read only (RO). The PIX Firewall does not support browsing of the Cisco syslog MIB.

Browsing a MIB is different from sending traps. Browsing means doing an snmpget or snmpwalk of the MIB tree from the management station to determine values. Traps are different; they are unsolicited "comments" from the managed device to the management station for certain events, such as link up, link down, syslog event generated, and so on.

The Cisco Firewall MIB and Cisco Memory Pool MIB are now available. These MIBs provide the following PIX Firewall information via SNMP:

Buffer usage from the show blocks command

Connection count from the show conn command

Failover status

Memory usage from the show memory command

Receiving SNMP Requests from an SNMP Management Station

To receive SNMP requests from a management station:


Step 1 Identify the management station with an snmp-server host command statement.

Step 2 Specify snmp-server command options for the location, contact, and community.

Step 3 Start the SNMP software on the management station and begin issuing SNMP requests to the PIX Firewall.


Defaults

If you do not specify either option, the snmp-server host command behaves as in previous versions. The polling is permitted from all configured hosts on the affected interface. Traps are sent to all configured hosts on the affected interface.

Examples

The following example shows commands you would enter to start receiving SNMP requests from a management station:

snmp-server community wallawallabingbang
snmp-server location Building 42, Sector 54
snmp-server contact Sherlock Holmes
snmp-server host perimeter 10.1.2.42

The next example is sample output from the show snmp-server command:

show snmp
snmp-server host perimeter 10.1.2.42
snmp-server location Building 42, Sector 54
snmp-server contact Sherlock Holmes
snmp-server community wallawallabingbang
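Two settings in this section decide who can read the firewall's MIBs: the community string (the page notes that the default, if none is configured, is public, and that the key is at most 32 characters with no spaces) and the per-host trap | poll restriction (with neither option, a host may both poll and receive traps). The following added example, not code from the original page or from Cisco, parses the snmp-server statements documented above out of a configuration listing and reports those two conditions; both configuration fragments are constructed.

```python
import re

# Constructed configuration fragment (not from the page): the community string
# was never set, so the default "public" applies, and the perimeter host has
# no trap|poll restriction, so it may poll and receive traps.
SAMPLE_CONFIG_WEAK = """\
snmp-server location Building 42, Sector 54
snmp-server contact Sherlock Holmes
snmp-server host perimeter 10.1.2.42
snmp-server host inside 10.1.1.5 trap
"""

# Constructed corrected fragment: a non-default community string and every
# management station limited to either polling or receiving traps.
SAMPLE_CONFIG_FIXED = """\
snmp-server community S3cret-Mgmt-Only
snmp-server location Building 42, Sector 54
snmp-server contact Sherlock Holmes
snmp-server host inside 10.1.1.5 poll
snmp-server host inside 10.1.1.6 trap
"""

# snmp-server host [if_name] ip_addr [trap | poll]; if_name is optional, so the
# regex backtracks to treat the first token as the address when only one is given.
HOST_RE = re.compile(
    r"^snmp-server host(?:\s+(?P<if>\S+))?\s+(?P<ip>\d+\.\d+\.\d+\.\d+)"
    r"(?:\s+(?P<mode>trap|poll))?$"
)


def parse_snmp_server(config_text):
    """Collect the community string and the (if_name, ip, mode) host entries
    from a configuration listing; other snmp-server statements are ignored."""
    cfg = {"community": None, "hosts": []}
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("snmp-server community "):
            cfg["community"] = line[len("snmp-server community "):]
            continue
        m = HOST_RE.match(line)
        if m:
            cfg["hosts"].append((m.group("if"), m.group("ip"), m.group("mode")))
    return cfg


def snmp_findings(config_text):
    """Return (code, detail) pairs for the weak settings described on the page:
    a missing or default community string, a key that violates the documented
    limits, and hosts left with the default trap-and-poll access."""
    cfg = parse_snmp_server(config_text)
    findings = []
    key = cfg["community"]
    if key is None or key == "public":
        findings.append(("default-community",
                         "community string not set or left at the default 'public'"))
    elif len(key) > 32 or " " in key:
        findings.append(("community-invalid",
                         "key must be at most 32 characters with no spaces"))
    for if_name, ip, mode in cfg["hosts"]:
        if mode is None:
            where = f"{ip} on {if_name}" if if_name else ip
            findings.append(("host-unrestricted",
                             f"{where}: neither trap nor poll given, so both are allowed"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", SAMPLE_CONFIG_WEAK), ("fixed", SAMPLE_CONFIG_FIXED)):
        print(f"{label}: {snmp_findings(text) or 'no findings'}")
```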

ssh

Specify a host for PIX Firewall console access via Secure Shell (SSH). (Configuration mode.)

ssh disconnect session_id

no ssh disconnect session_id

ssh ip_address [netmask] [interface_name]

no ssh ip_address [netmask] [interface_name]

ssh timeout mm

no timeout mm

show ssh [sessions [ip_address]]

show ssh timeout

clear ssh

Syntax Description

ip_address

IP address of the host or network authorized to initiate an SSH connection to the PIX Firewall.

netmask

Network mask for ip_address. If you do not specify a netmask, the default is 255.255.255.255 regardless of the class of ip_address.

interface_name

PIX Firewall interface name on which the host or network initiating the SSH connection resides.

mm

The duration in minutes that a session can be idle before being disconnected. The default duration is 5 minutes. The allowable range is from 1 to 60 minutes.

session_id

SSH session ID number available from the show ssh sessions command.


Usage Guidelines

The ssh ip_address command specifies the host or network authorized to initiate an SSH connection to the PIX Firewall. The ssh timeout command allows you to specify the duration in minutes that a session can be idle before being disconnected. The default duration is 5 minutes. Use the show ssh sessions command to list all active SSH sessions on the PIX Firewall. The ssh disconnect command allows you to disconnect a specific session you observed from the show ssh sessions command. Use the clear ssh command to remove all ssh command statements from the configuration. Use the no ssh command to remove selected ssh command statements from the configuration.


Note You must generate an RSA key-pair for the PIX Firewall before clients can connect to the PIX Firewall console. To use SSH, your PIX Firewall must have a DES or 3DES activation key.


To gain access to the PIX Firewall console via SSH, at the SSH client, enter the username pix and the Telnet password. You can set the Telnet password with the passwd command; the default Telnet password is cisco. To authenticate against a AAA server instead, configure the aaa authentication ssh console command.

SSH permits up to 100 characters in a username and up to 50 characters in a password.

When starting an SSH session, a dot (.) displays on the PIX Firewall console before the SSH user authentication prompt appears.

The dot appears as follows:

pixfirewall(config)# .
pixfirewall(config)# .

The display of the dot does not affect the functionality of SSH. The dot appears at the console when the PIX Firewall is generating a server key or decrypting a message with its private key during the SSH key exchange, before user authentication occurs. These tasks can take up to two minutes or longer. The dot is a progress indicator that shows the PIX Firewall is busy and has not hung.

show ssh sessions Command

The show ssh sessions command provides the following display:

Session ID      Client IP       Version Encryption      State   Username
    0           172.16.25.15    1.5     3DES            4       -
    1           172.16.38.112   1.5     DES             6       pix
    2           172.16.25.11    1.5     3DES            4       -

The Session ID is a unique number that identifies an SSH session. The Client IP is the IP address of the system running an SSH client. The Version lists the protocol version number that the SSH client supports. The Encryption column lists the type of encryption the SSH client is using. The State column lists the progress the client is making as it interacts with the PIX Firewall. The Username column lists the login username that has been authenticated for the session. The "pix" username appears when non-AAA authentication is used.

The following table lists the SSH states that appear in the State column:

Number   SSH State
0        SSH_CLOSED
1        SSH_OPEN
2        SSH_VERSION_OK
3        SSH_SESSION_KEY_RECEIVED
4        SSH_KEYS_EXCHANGED
5        SSH_AUTHENTICATED
6        SSH_SESSION_OPEN
7        SSH_TERMINATE
8        SSH_SESSION_DISCONNECTING
9        SSH_SESSION_DISCONNECTED
10       SSH_SESSION_CLOSED
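The show ssh sessions display and the state table above are what an administrator has to work with when checking who is on the firewall console. The following is an added example (not Cisco code and not part of the original page) that parses that display and flags sessions worth a second look: clients outside the networks you expect to have permitted with ssh ip_address statements, single-DES sessions, sessions still in a pre-authentication state, and sessions opened with the shared pix/Telnet password rather than AAA. The sample output is constructed from the display above; the permitted source network passed to audit_ssh_sessions is an assumption for the example.

```python
import ipaddress

# SSH state numbers as they appear in the State column of "show ssh sessions"
SSH_STATES = {
    0: "SSH_CLOSED",
    1: "SSH_OPEN",
    2: "SSH_VERSION_OK",
    3: "SSH_SESSION_KEY_RECEIVED",
    4: "SSH_KEYS_EXCHANGED",
    5: "SSH_AUTHENTICATED",
    6: "SSH_SESSION_OPEN",
    7: "SSH_TERMINATE",
    8: "SSH_SESSION_DISCONNECTING",
    9: "SSH_SESSION_DISCONNECTED",
    10: "SSH_SESSION_CLOSED",
}

# Constructed sample, modelled on the show ssh sessions display on this page.
SAMPLE_OUTPUT = """\
Session ID      Client IP       Version Encryption      State   Username
    0           172.16.25.15    1.5     3DES            4       -
    1           172.16.38.112   1.5     DES             6       pix
    2           172.16.25.11    1.5     3DES            4       -
"""


def parse_ssh_sessions(text):
    """Return one dict per session row; the header line and blank lines are skipped."""
    sessions = []
    for line in text.splitlines():
        fields = line.split()
        # A data row has exactly six columns and starts with the numeric session ID.
        if len(fields) != 6 or not fields[0].isdigit():
            continue
        sid, client, version, enc, state, user = fields
        sessions.append({
            "id": int(sid),
            "client": ipaddress.ip_address(client),
            "version": version,
            "encryption": enc,
            "state": int(state),
            "state_name": SSH_STATES.get(int(state), "UNKNOWN"),
            "username": None if user == "-" else user,
        })
    return sessions


def audit_ssh_sessions(sessions, allowed_nets):
    """Return (session_id, reason) findings for sessions an administrator should review.

    allowed_nets: CIDR strings for the sources you intend to permit with
    ssh ip_address [netmask] statements (assumed input for the example).
    """
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    findings = []
    for s in sessions:
        if not any(s["client"] in n for n in nets):
            findings.append((s["id"], "client %s is outside the permitted SSH sources" % s["client"]))
        if s["encryption"] == "DES":
            findings.append((s["id"], "single DES in use; prefer a 3DES client"))
        if 1 <= s["state"] <= 4:
            # Still in the key exchange: no username has been verified yet.
            findings.append((s["id"], "not yet authenticated (%s)" % s["state_name"]))
        if s["state"] == 6 and s["username"] == "pix":
            # The pix username means the shared Telnet password was used, not AAA.
            findings.append((s["id"], "logged in with the Telnet password rather than AAA"))
    return findings


if __name__ == "__main__":
    for sid, reason in audit_ssh_sessions(parse_ssh_sessions(SAMPLE_OUTPUT), ["172.16.25.0/24"]):
        print("session %d: %s" % (sid, reason))
```

Feed the function the output of show ssh sessions captured from the console; if you see a client that is not in the list you permitted, compare it against show ssh, because a short netmask on an ssh statement opens the console to the whole subnet, not one host.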


SSH Syslog Messages

Syslog messages 315001, 315002, 315003, 315004, 315005, and 315011 were added for SSH. Refer to Cisco PIX Firewall System Log Messages for more information.

Obtaining an SSH Client

The following sites let you download an SSH v1.x client. Because SSH version 1.x and 2 are entirely different protocols and are not compatible, be sure you download a client that supports SSH v1.x.

Windows 3.1, Windows CE, Windows 95, and Windows NT 4.0—download the free Tera Term Pro SSH v1.x client from the following website:

http://hp.vector.co.jp/authors/VA002416/teraterm.html

The TTSSH security enhancement for Tera Term Pro is available at the following website:

http://www.zip.com.au/~roca/ttssh.html


Note You must download TTSSH to use Tera Term Pro with SSH. TTSSH provides a Zip file you copy to your system. Extract the zipped files into the same folder that you installed Tera Term Pro. For a Windows 95 system, by default, this would be the C:\Program Files\Ttempro folder.


Linux, Solaris, OpenBSD, AIX, IRIX, HP/UX, FreeBSD, and NetBSD—download the SSH v1.x client from the following website:

http://www.openssh.com

Macintosh (international users only)—download the Nifty Telnet 1.1 SSH client from the following website:

http://www.lysator.liu.se/~jonasw/freeware/niftyssh/

Changed aaa Command for SSH

The aaa command adds the ssh option for use with SSH:

aaa authentication [serial | enable | telnet | ssh] console group_tag

The new ssh option specifies the group of AAA servers to be used for SSH user authentication. The authentication protocol and AAA server IP addresses are defined with the aaa-server command statement.

Similar to the Telnet model, if an aaa authentication ssh console group_tag command statement is not defined, you can gain access to the PIX Firewall console with the username pix and with the PIX Firewall Telnet password (set with the passwd command). If the aaa command is defined, but the SSH authentication request times out, this implies that the AAA server may be down or not available. You can gain access to the PIX Firewall using the username pix and the enable password (set with the enable password command). By default, the Telnet password is cisco and the enable password is not set. If the enable password is empty (null), even if you enter the password correctly, you are not granted access to the SSH session.

The user authentication attempt limit is set to 3. Note that the Linux version of the SSH version 1 client available from http://www.openssh.com only allows one user authentication attempt.

Examples

Create an RSA key-pair with a modulus size of 1024 bits (recommended for use with Cisco IOS software):

hostname cisco-pix
domain-name example.com
ca generate rsa key 1024
show ca mypubkey rsa
ca save all

These command statements set the hostname and domain name for the PIX Firewall, generate the RSA key-pair, display the RSA key-pair, and save the RSA key-pair to Flash memory.

Permit the host 10.1.1.1 on the outside interface to open an SSH session to the PIX Firewall console, and let a session sit idle for up to 60 minutes (the maximum) before it is disconnected. Keep the netmask at 255.255.255.255 for individual management hosts; a shorter mask opens the console to every host in that network:

ssh 10.1.1.1 255.255.255.255 outside
ssh timeout 60

Configure the PIX Firewall to authenticate SSH users against AAA servers. The protocol is the one the AAA server uses for authentication; the following example uses TACACS+. The server key (mysecure) must match the key configured on the TACACS+ server.

aaa-server ssh123 protocol tacacs+
aaa-server ssh123 (inside) host 10.1.1.200 mysecure
aaa authentication ssh console ssh123

Related Commands

aaa

ca

domain-name

enable password

hostname

passwd

static

Maps a local IP address to a global IP address (NAT) and supports TCP and UDP port redirection (static PAT). (Configuration mode.)

[no] static [(internal_if_name, external_if_name)] global_ip local_ip [netmask mask] [max_conns [em_limit]] [norandomseq]

[no] static [(internal_if_name, external_if_name)] {tcp | udp} {global_ip | interface} global_port local_ip local_port [netmask mask] [max_conns [em_limit]] [norandomseq]

show static

Syntax Description

internal_if_name

The internal network interface name. The higher security level interface you are accessing.

external_if_name

The external network interface name. The lower security level interface you are accessing.

tcp

Specifies TCP port redirection.

udp

Specifies UDP port redirection.

interface

The outside interface address is taken to be the global address.

global_port

Global TCP or UDP port for port redirection.

local_port

Local TCP or UDP port for port redirection.

global_ip

The global IP address used for redirection. The IP address on the lower security level interface you are accessing.

local_ip

The local IP address from the inside network. The IP address on the higher security level interface you are accessing.

netmask

Reserved word required before specifying the network mask.

mask

Pertains to both global_ip and local_ip. For host addresses, always use 255.255.255.255. For network addresses, use the appropriate class mask or subnet mask; for example, for Class A networks, use 255.0.0.0. An example subnet mask is 255.255.255.224.

max_conns

The maximum number of connections permitted through the static at the same time.

em_limit

The embryonic connection limit. An embryonic connection is one that has started but not yet completed. Set this limit to prevent attack by a flood of embryonic connections. The default is 0, which means unlimited connections.

norandomseq

Do not randomize the TCP/IP packet's sequence number. Only use this option if another inline firewall is also randomizing sequence numbers and the result is scrambling the data. Use of this option opens a security hole in the PIX Firewall.


Usage Guidelines

The static command creates a permanent mapping (called a static translation slot or "xlate") between a local IP address and a global IP address.  Use the static and access-list commands when you are accessing an interface of a higher security level from an interface of a lower security level; for example, when accessing the inside from a perimeter or the outside interface.

TCP Intercept Feature

Prior to version 5.3, PIX Firewall offered no mechanism to protect systems reachable via a static and TCP conduit from TCP SYN attacks. Previously, if an embryonic connection limit was configured in a static command statement, PIX Firewall simply dropped new connection attempts once the embryonic threshold was reached. Given this, a modest attack could stop an institution's Web traffic. For static command statements without an embryonic connection limit, PIX Firewall passes all traffic. If the affected system does not have TCP SYN attack protection, and most operating systems do not offer sufficient protection, then the affected system's embryonic connection table overloads and all traffic stops.

With the new TCP intercept feature, once the optional embryonic connection limit is reached, and until the embryonic connection count falls below this threshold, every SYN bound for the affected server is intercepted. For each SYN, PIX Firewall responds on behalf of the server with an empty SYN/ACK segment. PIX Firewall retains pertinent state information, drops the packet, and waits for the client's acknowledgement. If the ACK is received, a copy of the client's SYN segment is sent to the server and the TCP three-way handshake is performed between PIX Firewall and the server. Only if this three-way handshake completes may the connection proceed as normal. If the client does not respond during any part of the connection phase, PIX Firewall retransmits the necessary segment using exponential back-offs. A SYN from a spoofed source address never produces the final ACK, so it never reaches the server and never occupies one of the server's embryonic connection slots.

This feature requires no change to the PIX Firewall command set, only that the embryonic connection limit on the static command now has a new behavior.
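To make the intercept behaviour concrete, here is an added simulation (illustrative Python, not PIX code and not part of the original page) of a static with an embryonic limit under a SYN flood. Below the limit, SYNs pass to the server; at the limit, the firewall answers each SYN with its own SYN/ACK and replays the SYN to the server only after the client's ACK arrives. The number of SYN/ACK retransmissions before a pending entry is dropped (MAX_RETRIES) and the back-off base are assumptions; the page states only that retransmission uses exponential back-off. The client addresses are constructed.

```python
class TcpIntercept:
    """Model of the embryonic-limit behaviour of a PIX static command (em_limit set)."""

    MAX_RETRIES = 4      # assumption: page gives no retry count
    BACKOFF_BASE = 1.0   # assumption: seconds for the first retransmission

    def __init__(self, em_limit):
        self.em_limit = em_limit
        self.embryonic = set()     # half-open connections the server is holding
        self.pending = {}          # flows answered by the PIX, awaiting client ACK: client -> retries
        self.to_server = []        # segments forwarded to the protected server
        self.to_client = []        # segments the PIX sent on the server's behalf (segment, client, delay)
        self.established = set()

    def embryonic_count(self):
        return len(self.embryonic)

    def _forward_syn(self, client):
        self.embryonic.add(client)
        self.to_server.append(("SYN", client))

    def client_syn(self, client):
        """Client SYN arrives at the static. Returns 'passed' or 'intercepted'."""
        if self.embryonic_count() < self.em_limit:
            self._forward_syn(client)
            return "passed"
        # Limit reached: answer for the server and remember the client.
        self.pending[client] = 0
        self.to_client.append(("SYN/ACK", client, 0.0))
        return "intercepted"

    def client_ack(self, client):
        """Third handshake segment from the client. Only pending (intercepted) flows matter."""
        if client not in self.pending:
            return "ignored"
        del self.pending[client]
        self._forward_syn(client)  # replay the client's SYN; PIX now handshakes with the server
        return "forwarded"

    def server_synack(self, client):
        """Server answered a SYN it received; the handshake with the server completes."""
        if client not in self.embryonic:
            return "ignored"
        self.embryonic.discard(client)
        self.established.add(client)
        return "established"

    def timer(self):
        """Retransmit SYN/ACK to silent clients with exponential back-off; drop after MAX_RETRIES."""
        dropped = []
        for client in list(self.pending):
            self.pending[client] += 1
            retries = self.pending[client]
            if retries > self.MAX_RETRIES:
                del self.pending[client]
                dropped.append(client)
            else:
                self.to_client.append(("SYN/ACK", client, self.BACKOFF_BASE * 2 ** retries))
        return dropped


def simulate_flood(em_limit, spoofed, legit="203.0.113.7"):
    """Flood the static with spoofed SYNs, then let one real client connect. Returns a summary."""
    fw = TcpIntercept(em_limit)
    for i in range(spoofed):
        fw.client_syn("spoofed-%d" % i)          # constructed sources that never ACK
    fw.client_syn(legit)
    fw.client_ack(legit)                          # the real client completes the handshake with the PIX
    fw.server_synack(legit)                       # and the PIX completes it with the server
    return {
        "syns_reaching_server": len(fw.to_server),
        "server_half_open": fw.embryonic_count(),
        "answered_by_pix": sum(1 for seg, _, _ in fw.to_client if seg == "SYN/ACK"),
        "legit_established": legit in fw.established,
    }


if __name__ == "__main__":
    print(simulate_flood(em_limit=10, spoofed=50))
```

Without the embryonic limit every one of the 50 spoofed SYNs would reach the server; with it, the server sees the limit plus the one verified client, and the 40 spoofed flows age out of the firewall's pending table after the retransmissions.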

Deny Xlate for Network or Broadcast Address for Inbound Traffic

For all inbound traffic, PIX Firewall denies translations for destination IP addresses identified as network addresses or broadcast addresses. PIX Firewall uses the global IP address and mask from a static command statement to distinguish regular host addresses from network or broadcast addresses. If a global IP address is a valid network address with a matching network mask, PIX Firewall disallows the xlate for the network and broadcast IP addresses of that network for inbound packets.

Interface Names

The interface names on the static command may seem confusing at first. This is further complicated by how NAT is handled on the PIX Firewall. If NAT is disabled, with the nat 0 command, statics are specified with a different set of rules than when NAT is enabled. For either no NAT or NAT, the rule of which command to access an interface stays the same as shown in Table 8-1.

Table 8-1 assumes that the security levels are 40 for dmz1 and 60 for dmz2.

Table 8-1 Interface Access Commands by Interface 

From This Interface   To This Interface   Use This Command
inside                outside             nat
inside                dmz1                nat
inside                dmz2                nat
dmz1                  outside             nat
dmz1                  dmz2                static
dmz1                  inside              static
dmz2                  outside             nat
dmz2                  dmz1                nat
dmz2                  inside              static
outside               dmz1                static
outside               dmz2                static
outside               inside              static


With NAT Enabled

Network Address Translation (NAT) is enabled with the nat n command where "n" has the value 1 or greater; for example, nat 1 0 0.

Always specify the interface name of the highest security level interface you are accessing, followed by the lower security level interface. The IP addresses are also confusing because the first IP address you specify is for the lower security level interface. The second IP address is for the higher security level interface. The way to remember this is as follows.

static (high,low) low high

For example, assume you have four interfaces on the PIX Firewall that have security levels set with the nameif command as follows:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security40
nameif ethernet3 dmz2 security60

To access the inside from the outside interface, you need a static command like the following:

static (inside,outside) outside_ip_address inside_ip_address netmask mask

Replace outside_ip_address with the global IP address (an IP address on the lower security level interface). Replace inside_ip_address with the IP address of the host on the higher security level interface that you want to grant access to.

Use these replacements in the rest of the commands in this section. Replace mask with 255.255.255.255 for host addresses, except when subnetting is in effect; for example, 255.255.255.128. For network addresses, use the appropriate class mask; for example, for Class A networks, use 255.0.0.0.

To access the inside from the dmz1 interface, you need a static command like the following:

static (inside,dmz1) dmz1_ip_address inside_ip_address netmask mask

To access the inside from the dmz2 interface, you need a static command like the following:

static (inside,dmz2) dmz2_ip_address inside_ip_address netmask mask

To access the dmz2 interface from the dmz1 interface, you need a static command like the following:

static (dmz2,dmz1) dmz1_ip_address dmz2_ip_address netmask mask

To go the other way around, from a higher security level interface to a lower security level interface, use the nat and global commands. For example, to access dmz1 from dmz2, use the following commands.

nat (dmz2) 1 0 0
global (dmz1) 1 global_ip_address-global_ip_address

Replace global_ip_address-global_ip_address with the IP address range of the addresses in the pool of global addresses. The nat command specifies the name of the higher security level interface; the pool of global addresses are on the lower security level interface.

View the nat command page for more information on using these commands.
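The three rules in this section and in "Deny Xlate for Network or Broadcast Address for Inbound Traffic" above (Table 8-1's choice between nat and static, the static (high,low) low high operand order, and the refusal to translate inbound packets to a net static's network or broadcast address) are easy to get backwards. The following added example (illustrative Python, not PIX code and not part of the original page) encodes them so a generated static line can be checked before it is typed in. The security levels come from the nameif lines above; the no-NAT case from the next section is covered by passing the same address as both operands.

```python
import ipaddress

# Security levels from the nameif lines on this page.
SECURITY = {"outside": 0, "inside": 100, "dmz1": 40, "dmz2": 60}


def command_for(src_if, dst_if, levels=SECURITY):
    """Table 8-1 rule: reaching a higher security interface needs a static,
    reaching a lower one uses nat/global. Equal levels cannot talk at all."""
    if levels[src_if] == levels[dst_if]:
        raise ValueError("interfaces at the same security level cannot exchange traffic")
    return "static" if levels[dst_if] > levels[src_if] else "nat"


def static_stmt(src_if, dst_if, visible_ip, real_ip, mask="255.255.255.255", levels=SECURITY):
    """Build 'static (high,low) low high netmask mask' for traffic from src_if to dst_if.

    visible_ip is the address users on the lower interface connect to; real_ip is the
    host on the higher interface. With no NAT, pass the same address for both.
    """
    if command_for(src_if, dst_if, levels) != "static":
        raise ValueError("from %s to %s use nat and global, not static" % (src_if, dst_if))
    high, low = dst_if, src_if
    return "static (%s,%s) %s %s netmask %s" % (high, low, visible_ip, real_ip, mask)


def inbound_xlate_allowed(global_ip, mask, dst_ip):
    """Would the PIX translate an inbound packet to dst_ip through this static?

    Host statics (/32) translate only their own address. For net statics the
    network and broadcast addresses of the global network are refused.
    """
    net = ipaddress.ip_network("%s/%s" % (global_ip, mask), strict=False)
    dst = ipaddress.ip_address(dst_ip)
    if dst not in net:
        return False
    if net.num_addresses <= 2:
        return True
    return dst not in (net.network_address, net.broadcast_address)


if __name__ == "__main__":
    # Examples drawn from this page: dmz1 users reaching a host on dmz2, and a no-NAT web server.
    print(static_stmt("dmz1", "dmz2", "10.1.1.1", "192.168.1.1"))
    print(static_stmt("outside", "inside", "209.165.201.5", "209.165.201.5"))
    for dst in ("209.165.201.0", "209.165.201.5", "209.165.201.255"):
        print(dst, inbound_xlate_allowed("209.165.201.0", "255.255.255.0", dst))
```

Pair every static the helper produces with an access-list whose destination is the first (visible) address of the static, as the note below this section requires; the static alone opens nothing.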


Note If you use a static command, you must also use an access-list command. The static command makes the mapping, the access-list command lets users access the static mapping.


The first IP address you specify in the static command is the first IP address you specify in the access-list command as shown in this example:

static (dmz2,dmz1) 10.1.1.1 192.168.1.1 netmask 255.255.255.255
access-list acl_dmz1 permit tcp 10.1.1.0 255.255.255.0 host 10.1.1.1
access-group acl_dmz1 in interface dmz1

The static command maps the address 10.1.1.1 on the dmz1 interface so that users on the dmz1 interface can access the 192.168.1.1 host on the dmz2 interface. The access-list command lets any users in the 10.1.1.0 network access the 10.1.1.1 address over any TCP port. The access-group command statement binds the access-list command statement to the dmz1 interface.


Note Always make access-list command statements as specific as possible. Using the any option to allow any host access should be used with caution for access lists used with statics.


With No-NAT

With no-NAT, the static command has a different sense of logic. With NAT disabled, addresses on both sides of the PIX Firewall are registered addresses. Between interfaces, addresses must be on different subnets that you control with subnetting. See "Appendix D" of the Cisco PIX Firewall and VPN Configuration Guide for more information about subnetting.

Without address translation, you protect addresses on the inside or perimeter interfaces by not providing access to them. Without an access-list command statement, the inside host cannot be accessed on the outside and is, in effect, invisible to the outside world. Conversely, only by opening statics and access lists to servers on the inside or perimeter interfaces, do the hosts become visible.

Without address translation, the format of the static command becomes different:

static (high,low) high high

Again, the security level set for each interface with the nameif command determines what information you fill in. You are using static to access a higher security interface from a lower security interface. The IP address you want visible on the lower security interface is that of the higher security interface. This is the IP address users on the lower security interface's network will use to access the server on the higher security level interface's network. Because address translation is not occurring, the actual address of the server is presented as both the visible address and the address of the host.

For example, a web server on the dmz, 209.165.201.5 needs to be accessible by users on the outside. The static and access-list command statements are as follows.

static (dmz,outside) 209.165.201.5 209.165.201.5 netmask 255.255.255.255
access-list acl_out permit tcp any host 209.165.201.5 eq www
access-group acl_out in interface outside

The static command presents the 209.165.201.5 address on the outside interface. The DNS server on the outside would map this IP address to the domain of the company; for example, example.com. Users accessing example.com are permitted to access the web server via port 80 by the access-list command.

Another example of no-NAT statics is when users on dmz1 need to access a web server on dmz2. The network uses a Class C address and subnets it with a 255.255.255.240 mask. Addresses 209.165.201.1 to 209.165.201.14 are on dmz1, and addresses 209.165.201.17 to 209.165.201.30 are on dmz2. The web server is at 209.165.201.25. The static and access-list command statements are as follows.

static (dmz2,dmz1) 209.165.201.25 209.165.201.25 netmask 255.255.255.255
access-list acl_dmz1 permit tcp any host 209.165.201.25 eq www 
access-group acl_dmz1 in interface dmz1

The static command statement opens access to the web server at 209.165.201.25. The access-list command statement permits access to the web server only on port 80 (www).

Additional static Information

After changing or removing a static command statement, use the clear xlate command.

You can create a single mapping between the global and local hosts, or create a range of statics known as net statics.

The static command determines the network mask of a net static from the netmask option or, if none is given, from the classful mask implied by the first octet of the global IP address. Use the netmask option to override the classful mask. If the address bits are all zeros wherever the mask bits are zero, the address is a network address and the static is a net static.


Note Do not create statics with overlapping global IP addres