Table Of Contents
D through F Commands
debug
You can debug packets or ICMP tracings through the PIX Firewall. The debug command provides information that helps troubleshoot protocols operating with and through the PIX Firewall. (Configuration mode.)
Syntax Description
access-list
Displays access list configuration information.
adjust
Displays NTP clock adjustments.
all
Displays both standard and TurboACL access list information.
authentication
Displays NTP clock authentication.
both
Displays both received and transmitted packets.
chap
Displays CHAP/MS-CHAP authentication.
crypto ca
Displays information about certification authority (CA) traffic.
crypto ipsec
Displays information about IPSec traffic.
crypto isakmp
Displays information about IKE traffic.
cypher
Display information about the cipher negotiation between the HTTP server and the client.
device
Displays information about the SSL device including session initiation and ongoing status.
dhcpc detail
Displays detailed information about the DHCP client packets.
dhcpc error
Displays error messages associated with the DHCP client.
dhcpc packet
Displays packet information associated with the DHCP client.
dhcpd event
Displays event information associated with the DHCP server.
dhcpd packet
Displays packet information associated with the DHCP server.
dns {resolver | all}
Displays DNS debugging information. The resolver option collects DNS resolution information, and the all option collects all DNS information.
dport dest_port
Destination port.
dst dest_ip
Destination IP address.
events
Displays NTP event information.
fixup {udp | tcp}
Displays fixup information, either using UDP or TCP.
fover option
Displays failover information. Refer to Table 5-1 for the options.
h225 asn
Displays the output of the decoded PDUs.
h225 events
Displays the events of the H.225 signalling, or turn both traces on.
h245 asn
Displays the output of the decoded PDUs.
h245 events
Displays the events of the H.245 signalling, or turn both traces on.
h323
Displays information about the packet-based multimedia communications systems standard.
icmp
Displays information about ICMP traffic.
if_name
Interface name from which the packets are arriving; for example, to monitor packets coming into the PIX Firewall from the outside, set if_name to outside.
ils
Displays Internet Locator Service (ILS) fixup information (used in LDAP services).
level
The level of debugging feedback. The higher the level number, the more information is displayed. The default level is 1. The levels correspond to the following events:
•
Level 1: Interesting events
•
•
Refer to the "Examples" section at the end of this command page for an example of how the debugging level appears within the show debug command.
loopfilter
Displays NTP loop filter information.
negotiation
Equivalent of the error, uauth, upap and chap debug command options.
netmask mask
Network mask.
packet
Displays packet information.
packets
Displays NTP packet information.
params
Displays NTP clock parameters.
pdm history
Turns on the PDM history metrics debugging information. The no version of this command disables PDM history metrics debugging.
ppp
Debugs L2TP or PPTP traffic, which is configured with the vpdn command.
ppp error
Displays L2TP or PPTP PPP virtual interface error messages.
ppp io
Display the packet information for L2TP or PPTP PPP virtual interface.
ppp uauth
Displays the L2TP or PPTP PPP virtual interface AAA user authentication debugging messages.
pppoe error
Displays PPPoE error messages.
pppoe event
Displays PPPoE event information.
pppoe packet
Displays PPPoE packet information.
proto icmp
Displays ICMP packets only.
proto tcp
Displays TCP packets only.
proto udp
Displays UDP packets only.
radius all
Enables all RADIUS debug options.
radius session
Logs RADIUS session information and the attributes of sent and received RADIUS packets.
ras asn
Displays the output of the decoded PDUs.
ras events
Displays the events of the RAS signalling, or turn both traces on.
route
Displays information from the PIX Firewall routing module.
rx
Displays only packets received at the PIX Firewall.
select
Displays NTP clock selections.
sip
Debug the fixup Session Initiation Protocol (SIP) module.
skinny
Debugs SCCP protocol activity. (Using this option is system-resources intensive and may impact performance on high traffic network segments.)
sport src_port
Source port. See the "Ports" section in ""Using PIX Firewall Commands" for a list of valid port literal names.
sqlnet
Debugs SQL*Net traffic.
src source_ip
Source IP address.
ssh
Debug information and error messages associated with the ssh command.
ssl
Debug information and error messages associated with the ssl command.
standard
Displays non-TurboACL access list information.
sync
Displays NTP clock synchronization.
turbo
Displays TurboACL access list information.
tx
Displays only packets that were transmitted from the PIX Firewall.
upap
Displays PAP authentication.
user username
Specifies to display information for an individual username only.
validity
Displays NTP peer clock validity.
vpdn error
Display L2TP or PPTP protocol error messages.
vpdn event
Display L2TP or PPTP tunnel event change information.
vpdn packet
Display L2TP or PPTP packet information about PPTP traffic.
Usage Guidelines
The debug command lets you view debug information. The show debug command displays the current state of tracing. You can debug the contents of network layer protocol packets with the debug packet command.
When creating your digital certificates, use the debug crypto ca command to ensure that the certificate is created correctly. Important error messages only display when the debug crypto ca command is enabled. For example, if you enter an Entrust fingerprint value incorrectly, the only warning message that indicates the value is incorrect appears in the debug crypto ca command output.
Output from the debug crypto ipsec and debug crypto isakmp commands does not display in a Telnet console session.
The debug dhcpc detail command displays detailed packet information about the DHCP client. The debug dhcpc error command displays DHCP client error messages. The debug dhcpc packet command displays packet information about the DHCP client. Use the no form of the debug dhcpc command to disable debugging.
The debug dhcpd event command displays event information about the DHCP server. The debug dhcpd packet command displays packet information about the DHCP server. Use the no form of the debug dhcpd commands to disable debugging.
The debug h323 command lets you debug H.323 connections. Use the no form of the command to disable debugging. This command works when the fixup protocol h323 command is enabled.
Note
The debug icmp trace command shows ICMP packet information, the source IP address, and the destination address of packets arriving, departing, and traversing the PIX Firewall including pings to the PIX Firewall unit's own interfaces.
The debug sqlnet command reports on traffic between Oracle SQL*Net clients and servers through the PIX Firewall.
The debug ssh command reports on information and error messages associated with the ssh command.
The debug ppp and debug vpdn commands provide information about PPTP traffic. PPTP is configured with the vpdn command.
Use of the debug commands can slow down busy networks.
Table 5-1 lists the options for the debug fover command.
Trace Channel Feature
The debug packet command sends its output to the Trace Channel. All other debug commands do not. Use of Trace Channel changes the way you can view output on your screen during a PIX Firewall console or Telnet session.
If a debug command does not use Trace Channel, each session operates independently, which means any commands started in the session only appear in the session. By default, a session not using Trace Channel has output disabled by default.
The location of the Trace Channel depends on whether you have a simultaneous Telnet console session running at the same time as the console session, or if you are using only the PIX Firewall serial console:
•
•
•
The debug commands, except the debug crypto commands, are shared between all Telnet and serial console sessions.
Note
Additional debug Command Information
Note
To let users ping through the PIX Firewall, add the access-list acl_grp permit icmp any any command statement to the configuration and bind it to each interface you want to test with the access-group command. This lets pings go outbound and inbound.To stop a debug packet trace command, enter the following command:
no debug packet if_nameReplace if_name with the name of the interface; for example, inside, outside, or a perimeter interface name.
To stop a debug icmp trace command, enter the following command:
no debug icmp traceExamples
The following is partial sample output from the debug dhcpc packet and the debug dhcpc detail commands. The ip address dhcp setroute command was configured after entering the debug dhcpc commands to obtain debugging information.
debug dhcpc packetdebug dhcpc detailip address outside dhcp setrouteDHCP:allocate requestDHCP:new entry. add to queueDHCP:new ip lease str = 0x80ce8a28DHCP:SDiscover attempt # 1 for entry:Temp IP addr:0.0.0.0 for peer on Interface:outsideTemp sub net mask:0.0.0.0DHCP Lease server:0.0.0.0, state:1 SelectingDHCP transaction id:0x8931Lease:0 secs, Renewal:0 secs, Rebind:0 secsNext timer fires after:2 secondsRetry count:1 Client-ID:cisco-0000.0000.0000-outsideDHCP:SDiscover:sending 265 byte length DHCP packetDHCP:SDiscover 265 bytesDHCP Broadcast to 255.255.255.255 from 0.0.0.0DHCP client msg received, fip=10.3.2.2, fport=67DHCP:Received a BOOTREP pktDHCP:Scan:Message type:DHCP OfferDHCP:Scan:Server ID Option:10.1.1.69 = 450A44ABDHCP:Scan:Server ID Option:10.1.1.69 = 450A44ABDHCP:Scan:Lease Time:259200DHCP:Scan:Subnet Address Option:255.255.254.0DHCP:Scan:DNS Name Server Option:10.1.1.70, 10.1.1.140DHCP:Scan:Domain Name:example.comDHCP:Scan:NBNS Name Server Option:10.1.2.228, 10.1.2.87DHCP:Scan:Router Address Option:10.3.2.1DHCP:rcvd pkt source:10.3.2.2, destination: 255.255.255.255...The following example executes the debug icmp trace command:
debug icmp traceWhen you ping a host through the PIX Firewall from any interface, trace output displays on the console. The following example shows a successful ping from an external host (209.165.201.2) to the PIX Firewall unit's outside interface (209.165.201.1).
Inbound ICMP echo reply (len 32 id 1 seq 256) 209.165.201.1 > 209.165.201.2Outbound ICMP echo request (len 32 id 1 seq 512) 209.165.201.2 > 209.165.201.1Inbound ICMP echo reply (len 32 id 1 seq 512) 209.165.201.1 > 209.165.201.2Outbound ICMP echo request (len 32 id 1 seq 768) 209.165.201.2 > 209.165.201.1Inbound ICMP echo reply (len 32 id 1 seq 768) 209.165.201.1 > 209.165.201.2Outbound ICMP echo request (len 32 id 1 seq 1024) 209.165.201.2 > 209.165.201.1Inbound ICMP echo reply (len 32 id 1 seq 1024) 209.165.201.1 > 209.165.201.2NO DEBUG ICMP TRACEICMP trace offThis example shows that the ICMP packet length is 32 bytes, the ICMP packet identifier is 1, and the ICMP sequence number. The ICMP sequence number starts at 0 and is incremented each time a request is sent.
The following is sample output from the show debug command output:
show debugdebug ppp errordebug vpdn eventdebug crypto ipsec 1debug crypto isakmp 1debug crypto ca 1debug icmp tracedebug packet outside bothdebug sqlnetThe preceding sample output includes the debug crypto commands.
You can debug the contents of packets with the debug packet command:
debug packet inside--------- PACKET ----------- IP --4.3.2.1 ==> 255.3.2.1ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x60id = 0x3902 flags = 0x0 frag off=0x0ttl = 0x20 proto=0x11 chksum = 0x5885-- UDP --source port = 0x89 dest port = 0x89len = 0x4c checksum = 0xa6a0-- DATA --00000014: 00 01 00 00 |....00000024: 00 00 00 01 20 45 49 45 50 45 47 45 47 45 46 46 | .... EIEPEGEGEFF00000034: 43 43 4e 46 41 45 44 43 41 43 41 43 41 43 41 43 | CCNFAEDCACACACAC00000044: 41 43 41 41 41 00 00 20 00 01 c0 0c 00 20 00 01 | ACAAA.. ..... ..00000054: 00 04 93 e0 00 06 60 00 01 02 03 04 00 | ......`......--------- END OF PACKET ---------This display lists the information as it appears in a packet.
The following is sample output from the show debug command:
show debugdebug icmp trace offdebug packet offdebug sqlnet offdhcpd
The dhcpd command controls the DHCP server feature. (Configuration mode.)
show dhcpd [binding|statistics]
Displays the binding and statistics information associated with the dhcpd commands.
Syntax Description
Usage Guidelines
A DHCP server provides network configuration parameters to a DHCP client. Support for the DHCP server within the PIX Firewall means the PIX Firewall can use the DHCP to configure connected clients. This DHCP feature is designed for the remote home or branch office that will establish a connection to an enterprise or corporate network. See the Cisco PIX Firewall and VPN Configuration Guide for information on how to implement the DHCP server feature into the PIX Firewall.
Note
The dhcpd address command specifies the DHCP server address pool. The address pool of a PIX Firewall DHCP server must be within the same subnet of the PIX Firewall interface that is enabled. In other words, the client must be physically connected to the subnet of a PIX Firewall interface. The size of the pool is limited to 32 addresses with a 10 user license and 128 addresses with a 50 user license on the PIX 501. All other PIX Firewall platforms support 256 addresses. The default for the PIX Firewall interface name is the inside interface, which is the only interface currently supported. The dhcpd address command cannot use names with a "-" (dash) character in them because the "-" character is interpreted as a range specifier instead of as part of the object name.
Note
The no dhcpd address command removes the DHCP server address pool you configured.
The dhcpd lease command specifies the length of the lease in seconds granted to the DHCP client. This lease indicates how long the DHCP client can use the assigned IP address the DHCP granted. The no dhcpd lease command removes the lease length that you specified from your configuration and replaces this value with the default value of 3600 seconds.
The dhcpd domain command specifies the DNS domain name for the DHCP client. For example, example.com. The no dhcpd domain command removes the DNS domain server from your configuration.
The dhcpd enable command enables the DHCP daemon to begin to listen for the DHCP client requests on the DHCP-enabled interface. The no dhcpd enable command disables the DHCP server feature on the specified interface.
DHCP must be enabled to use this command. Use the dhcpd enable command to turn on DHCP.
Note
The dhcpd option 66 | 150 command retrieves TFTP server address information for IP Phone connections.
When a dhcpd option command request arrives at the PIX Firewall DHCP server, the PIX Firewall places the value(s) specified by the dhcpd option 66 | 150 in the response.
Use the dhcpd option code command as follows:
•
•
•
Because the PIX Firewall DHCP server can be enabled only on the inside interface, clients on the outside of the PIX Firewall cannot get their IP addresses or the TFTP server IP addresses from the PIX Firewall. If outside clients need to connect to the inside TFTP server, then a group of static and access-list statements has to be created for the TFTP server instead of using the dhcpd option command.
The show dhcpd command displays dhcpd commands, binding and statistics information associated with all of the dhcpd commands.
The clear dhcpd command clears all of the dhcpd commands, binding, and statistics information.
The debug dhcpd event command displays event information about the DHCP server. The debug dhcpd packet command displays packet information about the DHCP server. Use the no form of the debug dhcpd commands to disable debugging.
Examples
The following partial configuration example shows use of the dhcpd address, dhcpd dns, and dhcpd enable commands. In this example, an address pool for the DHCP clients is defined, a DNS server address is specified for the DHCP client, and the inside interface of the PIX Firewall is enabled for the DHCP server function.
dhcpd address 10.0.1.100-10.0.1.108dhcpd dns 209.165.200.226dhcpd enableThe following partial configuration example shows how to define a DHCP pool of 256 addresses and use the auto_config command to configure the DNS, WINS, and DOMAIN parameters. Note the netmask of the inside interface is 255.255.254.0.
ip address inside 10.0.1.1 255.255.254.0dhcpd address 10.0.1.2-10.0.1.257dhcpd auto_configdhcpd enableThe following partial configuration example shows how to use three new features that are associated with each other: DHCP server, DHCP client, and PAT using interface IP to configure a PIX Firewall in a small office, home office (SOHO) environment:
! use dhcp to configure the outside interface and default routeip address outside dhcp setroute! enable dhcp server daemon on the inside interfaceip address inside 10.0.1.2 255.255.255.0dhcpd address 10.0.1.101-10.0.1.110dhcpd dns 209.165.201.2 209.165.202.129dhcpd wins 209.165.201.5dhcpd lease 3000dhcpd domain example.comdhcpd enable! use outside interface IP as PAT global addressnat (inside) 1 0 0global (outside) 1 interfaceThe following is sample output from the show dhcpd command:
pixfirewall(config)# show dhcpddhcpd address 10.0.1.100-10.0.1.108 insidedhcpd lease 3600dhcpd ping_timeout 750dhcpd dns 192.23.21.23dhcpd enable insideThe following is sample output from the show dhcpd binding command:
pixfirewall(config)# show dhcpd bindingIP Address Hardware Address Lease Expiration Type10.0.1.100 0100.a0c9.868e.43 84985 seconds automaticThe following is sample output from the show dhcpd statistics command:
show dhcpd statisticsAddress Pools 1Automatic Bindings 1Expired Bindings 1Malformed messages 0Message ReceivedBOOTREQUEST 0DHCPDISCOVER 1DHCPREQUEST 2DHCPDECLINE 0DHCPRELEASE 0DHCPINFORM 0Message SentBOOTREPLY 0DHCPOFFER 1DHCPACK 1DHCPNAK 1Related Commands
disable
Exit privileged mode and return to unprivileged mode. (Privileged mode.)
Syntax Description
enable
Enter this at the PIX Firewall command-line interface prompt to enter privileged mode.
disable
Enter this at the PIX Firewall command-line interface prompt to exit privileged mode.
Usage Guidelines
Use the enable command to enter privileged mode. The disable command exits privileged mode and returns you to unprivileged mode.
Examples
The following example shows how to enter privileged mode:
pixfirewall> enablepixfirewall#The following example shows how to exit privileged mode:
pixfirewall# disablepixfirewall>domain-name
Change the IPSec domain name. (Configuration mode.)
Syntax Description
Usage Guidelines
The domain-name command lets you change the IPSec domain name.
Note
Examples
The following example shows use of the domain-name command:
domain-name example.com
dynamic-map
View or delete a dynamic crypto map entry. (Configuration mode.)
show dynamic-map
Displays the dynamic-map commands in the configuration.
Usage Guidelines
The clear dynamic-map command removes dynamic-map commands from the configuration. The show dynamic-map command lists the dynamic-map commands in the configuration.
Note
eeprom
This command applies only to PIX 525 models with serial numbers 44480380055 through 44480480044. Displays and updates the contents of the EEPROM non-volatile storage devices used for low-level Ethernet interface configuration information. (Configuration mode.)
Syntax Description
Usage Guidelines
The eeprom commands added in version 5.2(4) and later fix a caveat (CSCds76768) involving corruption of the eeprom on the onboard Ethernet interfaces. For additional information, see the December 20, 2000 Field Notice, "Cisco Secure PIX Firewall: PIX-525 Ethernet EEPROM Programming Issue." This field notice is available at the following website:
http://www.cisco.com/warp/public/770/fn13021.shtml
The problem is summarized as follows:
If you configure the onboard Ethernet interfaces (ethernet0 and ethernet1) on a PIX 525 with a serial number of 44480380055 through 44480480044 to full duplex, interface errors and throughput reductions may occur. If you configure the interfaces to half duplex or to auto-sense, the speed and duplex function normally without error.
The eeprom command is designed to fix the problem and performs the same function as the "eedisk" utility without requiring access to the ROM monitor mode. The two variants of the eeprom command are the show eeprom command and eeprom update command.
The eeprom update command performs the same function as the "eedisk" utility without requiring access to the ROM monitor mode, whereas the show eeprom command indicates whether the Ethernet EEPROM programming is correct or not.
The show eeprom command displays the current EEPROM setting, and the eeprom update command modifies the settings if necessary. If the eeprom command does update the EEPROM settings, a reboot of the PIX Firewall is recommended.
The eeprom command verifies the EEPROM register settings and updates them if they are not set to the recommended values. The eeprom command does not update the settings if they are correct and does not recommend a reboot unless the settings are changed.
The eeprom update command checks the contents of EEPROM registers 6 and 10 to ensure they contain the hexadecimal values 0x4701 and 0x40c0, respectively. If these registers contain different values, then all EEPROM register settings except the MAC address registers, which were not affected by the problem causing CSCds76768, are reset to the correct values.
Each register is 16 bits. The correct register values are as follows:
Examples
The show eeprom command will display the current EEPROM register settings:
pix525# show eepromeeprom settings for ifc0:reg0: 0x5000reg1: 0xfe54reg2: 0x65f6reg3: 0x3reg5: 0x201reg6: 0x4702reg10: 0x40c0reg12: 0x8086eeprom settings for ifc1:reg0: 0x5000reg1: 0xfe54reg2: 0x66f6reg3: 0x3reg5: 0x201reg6: 0x4702reg10: 0x40c0reg12: 0x8086reg12: 0x8086If the command is run on a unit that is not a PIX 525, the following will be seen:
pix515# show eepromThis unit is not a PIX-525.Type help or '?' for a list of available commands.If the update needs to be run on the PIX 525, the eeprom update command returns the following:
pix525# eeprom updateeeprom settings on ifc0 are being reset to defaults:reg0: 0x5000reg1: 0xfe54reg2: 0x65f6reg3: 0x3reg5: 0x201reg6: 0x4701reg10: 0x40c0reg12: 0x8086eeprom settings on ifc1 are being reset to defaults:reg0: 0x5000reg1: 0xfe54reg2: 0x66f6reg3: 0x3reg5: 0x201reg6: 0x4701reg10: 0x40c0reg12: 0x8086*** WARNING! *** WARNING! *** WARNING! *** WARNING! ***The system should be restarted as soon as possible.*** WARNING! *** WARNING! *** WARNING! *** WARNING! ***If the update has been run successfully, the eeprom command output will appear as follows:
pix525# eeprom updateeeprom settings on ifc0 are already up to date:reg0: 0x5000reg1: 0xfe54reg2: 0x65f6reg3: 0x3reg5: 0x201reg6: 0x4701reg10: 0x40c0reg12: 0x808eeprom settings on ifc1 are already up to date:reg0: 0x5000reg1: 0xfe54reg2: 0x66f6reg3: 0x3reg5: 0x201reg6: 0x4701reg10: 0x40c0reg12: 0x80866enable
Start privileged mode or access privilege levels. (Unprivileged mode for enable, and Configuration mode for enable password.)
show enable
Displays the password configuration for privilege levels.
Syntax Description
Usage Guidelines
The enable command starts privileged mode(s). The PIX Firewall prompts you for your privileged mode password. By default, a password is not required—press the Enter key at the Password prompt to start privileged mode. Use the disable command to exit privileged mode. Use the enable password command to change the password.
The enable password command changes the privileged mode password, for which you are prompted after you enter the enable command. When the PIX Firewall starts and you enter privileged mode, the password prompt appears. There is not a default password (press the Enter key at the Password prompt).
You can return the enable password to its original value (press the Enter key at prompt) by entering the following command:
pixfirewall# enable passwordpixfirewall#
Note
Use the passwd command to set the password for Telnet access to the PIX Firewall console. The default passwd value is cisco.
See the passwd command page for more information.
If no privilege level name is specified, then the highest privilege level is assumed.
Examples
The following example shows how to start privileged mode with the enable command and then configuration mode with the configure terminal command.
pixfirewall> enablePassword:pixfirewall# configure terminalpixfirewall(config)#The following examples show how to start privileged mode with the enable command, change the enable password with the enable password command, enter configuration mode with the configure terminal command, and display the contents of the current configuration with the write terminal command:
pixfirewall> enablePassword:pixfirewall# enable password w0ttal1fepixfirewall# configure terminalpixfirewall(config)# write terminalBuilding configuration......enable password 2oifudsaoid.9ff encrypted...The following example shows the use of the encrypted option:
enable password 1234567890123456 encryptedshow enable passwordenable password 1234567890123456 encryptedenable password 1234567890123456show enable passwordenable password feCkwUGktTCAgIbD encryptedThe following example shows how to configure enable passwords for levels other than the default level of 15:
pixfirewall(config)# enable password cisco level 10pixfirewall(config)# show enableenable password wC38a.EQklqK3ZqY level 10 encryptedenable password 8Ry2YjIyt7RRXU24 encryptedpixfirewall(config)# enable password wC38a.EQklqK3ZqY level 12 encryptedpixfirewall(config)# show enableenable password wC38a.EQklqK3ZqY level 10 encryptedenable password wC38a.EQklqK3ZqY level 12 encryptedenable password 8Ry2YjIyt7RRXU24 encryptedpixfirewall(config)# no enable password level 12pixfirewall(config)# show enableenable password wC38a.EQklqK3ZqY level 10 encryptedenable password 8Ry2YjIyt7RRXU24 encryptedpixfirewall(config)# no enable password level 10pixfirewall(config)# show enableenable password 8Ry2YjIyt7RRXU24 encryptedHowever, notice that defining privilege levels 10 and 12 does not change or remove the level 15 password.
established
Permit return connections on ports other than those used for the originating connection based on an established connection. (Configuration mode.)
show established
Displays the established commands in the configuration.
Syntax Description
Usage Guidelines
The established command allows outbound connections return access through the PIX Firewall. This command works with two connections, an original connection outbound from a network protected by the PIX Firewall and a return connection inbound between the same two devices on an external host.
The first protocol, destination port, and optional source port specified are for the initial outbound connection. The permitto and permitfrom options refine the return inbound connection.
Note
The permitto option lets you specify a new protocol or port for the return connection at the PIX Firewall.
The permitfrom option lets you specify a new protocol or port at the remote server.
The no established command disables the established feature.
The clear established command removes all establish command statements from your configuration.
Note
You can use the established command with the nat 0 command statement (where there are no global command statements).
Note
The established command works as shown in the following format:
established A B C permitto D E permitfrom D FThis command works as though it were written "If there exists a connection between two hosts using protocol A from src port B destined for port C, permit return connections through the PIX Firewall via protocol D (D can be different from A), if the source port(s) correspond to F and the destination port(s) correspond to E."
For example:
established tcp 6060 0 permitto tcp 6061 permitfrom tcp 6059In this case, if a connection is started by an internal host to an external host using TCP source port 6060 and any destination port, the PIX Firewall permits return traffic between the hosts via TCP destination port 6061 and TCP source port 6059.
For example:
established udp 0 6060 permitto tcp 6061 permitfrom tcp 1024-65535In this case, if a connection is started by an internal host to an external host using UDP destination port 6060 and any source port, the PIX Firewall permits return traffic between the hosts via TCP destination port 6061 and TCP source port 1024-65535.
Security Problem
The established command has been enhanced to optionally specify the destination port used for connection lookups. Only the source port could be specified previously with the destination port being 0 (a wildcard). This addition allows more control over the command and provides support for protocols where the destination port is known, but the source port is not.
The established command can potentially open a large security hole in the PIX Firewall if not used with discretion. Whenever you use this command, if possible, also use the permitto and permitfrom options to indicate ports to which and from which access is permitted. Without these options, external systems to which connections are made could make unrestricted connections to the internal host involved in the connection. The following are examples of potentially serious security violations that could be allowed when using the established command.
For example:
established tcp 0 4000In this example, if an internal system makes a TCP connection to an external host on port 4000, then the external host could come back in on any port using any protocol:
established tcp 0 0 (Same as previous releases established tcp 0 command.)Examples
The following example occurs when a local host 10.1.1.1 starts a TCP connection on port 9999 to a foreign host 209.165.201.1. The example allows packets from the foreign host 209.165.201.1 on port 4242 back to local host 10.1.1.1 on port 5454.
established tcp 9999 permitto tcp 5454 permitfrom tcp 4242The next example allows packets from foreign host 209.165.201.1 on any port back to local host 10.1.1.1 on port 5454:
established tcp 9999 permitto tcp 5454XDMCP Support
PIX Firewall now provides support for XDMCP (X Display Manager Control Protocol) with assistance from the established command.
XDMCP is on by default, but will not complete the session unless the established command is used.
For example:
established tcp 0 6000 to tcp 6000 from tcp 1024-65535This enables the internal XDMCP equipped (UNIX or ReflectionX) hosts to access external XDMCP equipped XWindows servers. UDP/177 based XDMCP negotiates a TCP based XWindows session and subsequent TCP back connections will be permitted. Because the source port(s) of the return traffic is unknown, the src_port field should be specified as 0 (wildcard). The destination port, dest_port, will typically be 6000; the well-known XServer port. The dest_port should be 6000 + n; where n represents the local display number. Use the following UNIX command to change this value.
setenv DISPLAY hostname:displaynumber.screennumberThe established command is needed because many TCP connections are generated (based on user interaction) and the source port for these connection is unknown. Only the destination port will be static. The PIX Firewall does XDMCP fixups transparently. No configuration is required, but the established command is necessary to accommodate the TCP session. Be advised that using applications like this through the PIX Firewall may open up security holes. The XWindows system has been exploited in the past and newly introduced exploits are likely to be discovered.
exit
Exit an access mode. (All modes.)
Syntax Description
Usage Guidelines
Use the exit command to exit from an access mode. This command is the same as the quit command.
Examples
The following example shows how to exit configuration mode and then privileged mode:
pixfirewall(config)# exitpixfirewall# exitpixfirewall>failover
Change or view access to the optional failover feature. (Configuration mode.)
show failover [lan [detail]]
Displays failover configuration information, including which unit it active.
Syntax Description
Usage Guidelines
The default failover setup uses serial cable failover. LAN-based failover requires explicit LAN-based failover configuration. Additionally, for LAN-based failover, you must install a dedicated 100 Mbps or Gigabit Ethernet, full-duplex VLAN switch connection for failover operations. Failover is not supported using a crossover Ethernet cable between two PIX Firewall units.
Note
The primary unit in the PIX 515/515E, PIX 525, or PIX 535 failover pair must have an Unrestricted (UR) license. The secondary unit can have Failover (FO) or UR license. However, the failover pair must be two otherwise identical units with the same PIX Firewall hardware and software.For a Stateful Failover link, use the mtu command to set the interface maximum transmission unit (MTU) to 1500 bytes or greater.
For serial cable failover, use the failover command without an argument after you connect the optional failover cable between your primary PIX Firewall and a secondary PIX Firewall. The default configuration has failover enabled. Enter no failover in the configuration file for the PIX Firewall if you will not be using the failover feature. Use the show failover command to verify the status of the connection and to determine which unit is active.
For LAN-based failover, use the failover lan commands. The show failover lan command displays LAN-based failover information (only), and show failover lan detail supplies debugging information for your LAN-based failover configuration.
Note
For failover, the PIX Firewall requires that you configure any unused interfaces with one of the following methods:
•
•
Set the speed of the Stateful Failover dedicated interface to 100full for a Fast Ethernet interface or 1000fullsx for a Gigabit Ethernet interface.
Use the failover active command to initiate a failover switch from the standby unit, or the no failover active command from the active unit to initiate a failover switch. You can use this feature to return a failed unit to service, or to force an active unit off line for maintenance. Because the standby unit does not keep state information on each connection, all active connections will be dropped and must be re-established by the clients.
Use the failover link command to enable Stateful Failover. Enter the no failover link command to disable the Stateful Failover feature.
If a failover IP address has not been entered, the show failover command will display 0.0.0.0 for the IP address, and monitoring of the interfaces will remain in "waiting" state. A failover IP address must be set for failover to work.
The failover mac address command enables you to configure a virtual MAC address for a PIX Firewall failover pair. The failover mac address command sets the PIX Firewall to use the virtual MAC address stored in the PIX Firewall configuration after failover, instead of obtaining a MAC address by contacting its failover peer. This enables the PIX Firewall failover pair to maintain the correct MAC addresses after failover. If a virtual MAC address is not specified, the PIX Firewall failover pair uses the burned in network interface card (NIC) address as the MAC address. However, the failover mac address command is unnecessary (and therefore cannot be used) on an interface configured for LAN-based failover because the failover lan interface command does not change the IP and MAC addresses when failover occurs.
When adding the failover mac address command to your configuration, it is best to configure the virtual MAC address, save the configuration to Flash memory, and then reload the PIX Firewall pair. If the virtual MAC address is added when there are active connections, then those connections will stop. Also, you must write the complete PIX Firewall configuration, including the failover mac address command, into the Flash memory of the secondary PIX Firewall for the virtual MAC addressing to take effect.
The failover poll seconds command lets you determine how long failover waits before sending special failover "hello" packets between the primary and standby units over all network interfaces and the failover cable. The default is 15 seconds. The minimum value is 3 seconds and the maximum is 15 seconds. Set to a lower value for Stateful Failover. With a faster poll time, PIX Firewall can detect failure and trigger failover faster. However, faster detection may cause unnecessary switchovers when the network is temporarily congested or a network card starts slowly.
When a failover cable connects two PIX Firewall units, the no failover command now disables failover until you enter the failover command to explicitly enable failover. Previously, when the failover cable connected two PIX Firewall units and you entered the no failover command, failover would automatically re-enable after 15 seconds.
You can also view the information from the show failover command using SNMP. Refer to "Using the Firewall and Memory Pool MIBs" in Chapter 7, "PIX Firewall System Management" of the Cisco PIX Firewall and VPN Configuration Guide for more information.
A failover configuration example is provided in Chapter 8, "Using PIX Firewall Failover" of the Cisco PIX Firewall and VPN Configuration Guide.
Usage Notes
1.
2.
Examples
Serial Cable (Default) Failover
The following sample output shows that failover is enabled, and that the primary unit state is active:
show failoverpixfirewall (config)# show failoverFailover OnCable status:NormalReconnect timeout 0:00:00Poll frequency 15 secondsfailover replication httpThis host:Secondary - StandbyActive time:0 (sec)Interface FailLink (172.16.31.2):NormalInterface 4th (172.16.16.1):NormalInterface int5 (192.168.168.1):NormalInterface intf2 (192.168.1.1):NormalInterface outside (209.165.200.225):NormalInterface inside (10.1.1.4):NormalOther host:Primary - ActiveActive time:242145 (sec)Interface FailLink (172.16.31.1):NormalThe rest of command output is omitted.
The "Cable status" has these values:
•
•
•
The "Stateful Obj" has these values:
•
•
•
•
Each row is for a particular object static count:
•
•
•
•
•
•
•
•
The Standby Logical Update Statistics output displayed when you use the show failover command only describes Stateful Failover. The "xerrs" value does not indicate an error in failover, but rather the number of packet transmit errors.
You can view the IP addresses of the standby unit with the show ip address command:
show ip addressSystem IP Addresses:ip address outside 209.165.201.2 255.255.255.224ip address inside 192.168.2.1 255.255.255.0ip address perimeter 192.168.70.3 255.255.255.0Current IP Addresses:ip address outside 209.165.201.2 255.255.255.224ip address inside 192.168.2.1 255.255.255.0ip address perimeter 192.168.70.3 255.255.255.0The Current IP Addresses are the same as the System IP Addresses on the failover active unit. When the primary unit fails, the Current IP Addresses become those of the standby unit.
LAN-Based Failover
To make sure LAN-based failover starts properly, follow these configuration steps:
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Note
The following example outlines how to configure LAN-based failover between two PIX Firewall units.
Primary PIX Firewall configuration:
:
pix(config)# nameif ethernet0 outside security0pix(config)# nameif ethernet1 inside security100pix(config)# nameif ethernet2 stateful security20pix(config)# nameif ethenret3 lanlink security30:
pix(config)#interface ethernet0 100fullpix(config)#interface ethernet1 100fullpix(config)#interface ethernet2 100fullpix(config)#interface ethenret3 100fullpix(config)#interface ethernet4 100full:
pix(config)# ip address outside 172.23.58.70 255.255.255.0pix(config)# ip address inside 10.0.0.2 255.255.255.0pix(config)# ip address stateful 10.0.1.2 255.255.255.0pix(config)# ip address lanlink 10.0.2.2 255.255.255.0pix(config)# failover ip address outside 172.23.58.51pix(config)# failover ip address inside 10.0.0.4pix(config)# failover ip address stateful 10.0.1.4pix(config)# failover ip address lanlink 10.0.2.4pix(config)# failoverpix(config)# failover poll 15pix(config)# failover lan unit primarypix(config)# failover lan interface lanlinkpix(config)# failover lan key 12345678pix(config)# failover lan enable:
Secondary PIX Firewall configuration:
Pix2(config)# nameif ethernet3 lanlink security30pix2(config)# interface ethernet3 100fullpix2(config)# ip address lanlink 10.0.2.2 255.255.255.0pix2(config)# failover ip address lanlink 10.0.2.4pix2(config)# failoverpix2(config)# failover lan unit secondary (optional)pix2(config)# failover lan interface lanlinkpix2(config)# failover lan key 12345678pix2(config)# failover lan enableThe following example illustrates how to use the failover mac address command:
ip address outside 172.23.58.50 255.255.255.224ip address inside 192.168.2.11 255.255.255.0ip address intf2 192.168.10.11 255.255.255.0failoverfailover ip address outside 172.23.58.51failover ip address inside 192.168.2.12failover ip address intf2 192.168.10.12failover mac address outside 00a0.c989.e481 00a0.c969.c7f1failover mac address inside 00a0.c976.cde5 00a0.c922.9176failover mac address intf2 00a0.c969.87c8 00a0.c918.95d8failover link intf2...:The output of the show failover command includes a section for LAN-based failover if it is enabled as follows:
pix(config)# show failoverFailover OnCable status: UnknownReconnect timeout 0:00:00Poll frequency 15 secondsThis host: Primary - StandbyActive time: 255 (sec)Interface outside (192.168.1.232): NormalInterface inside (192.168.5.2): NormalOther host: Secondary - ActiveActive time: 256305 (sec)Interface outside (192.168.1.231): NormalInterface inside (192.168.5.1): NormalStateful Failover Logical Update StatisticsLink : Unconfigured.Lan Based Failover is Activeinterface dmz (171.69.39.200): Normal, peer (171.69.39.201): NormalThe show failover lan command displays only the LAN-based failover section, as follows:
pix(config)# show failover lanLan Based Failover is Activeinterface dmz (171.69.39.200): Normal, peer (171.69.39.201): NormalThe show failover lan detail command is used mainly for debugging purposes and displays information similar to the following:
pix(config)# show failover lan detailLan Failover is ActiveThis Pix is PrimaryCommand Interface is dmzPeer Command Interface IP is 171.69.39.201My interface status is 0x1Peer interface status is 0x1Peer interface downtime is 0x0Total msg send: 103093, rcvd: 103031, droped: 0, retrans: 13, send_err: 0Total/Cur/Max of 51486:0:5 msgs on retransQ... ‡ msgs on retransQ if anyLAN FO cmd queue, count: 0, head: 0x0, tail: 0x0Failover config state is 0x5cFailover config poll cnt is 0Failover pending tx msg cnt is 0Failover Fmsg cnt is 0:filter
Enables, disables, or displays URL, Java, or ActiveX filtering. (Configuration mode.)
show filter
Displays all filter commands in the configuration.
Syntax Description
Usage Guidelines
The clear filter command removes all filter commands from the configuration.
filter activex
The filter activex command filters out ActiveX, Java applets, and other HTML <object> usages from outbound packets. ActiveX controls, formerly known as OLE or OCX controls, are components you can insert in a web page or other application. These controls include custom forms, calendars, or any of the extensive third-party forms for gathering or displaying information.
As a technology, it creates many potential problems for the network clients including causing workstations to fail, introducing network security problems, or be used to attack servers.
This feature blocks the HTML <object> tag and comments it out within the HTML web page.
Note
ActiveX blocking does not occur when users access an IP address referenced by the alias command.
To specify that all outbound connections have ActiveX blocking, use the following command:
filter activex 80 0 0 0 0This command specifies that the ActiveX blocking applies to Web traffic on port 80 from any local host and for connections to any foreign host.
filter java
The filter java command filters out Java applets that return to the PIX Firewall from an outbound connection. The user still receives the HTML page, but the web page source for the applet is commented out so that the applet cannot execute. Use 0 for the local_ip or foreign_ip IP addresses to mean all hosts.
Note
To specify that all outbound connections have Java applet blocking, use the following command:
filter java 80 0 0 0 0This command specifies that the Java applet blocking applies to Web traffic on port 80 from any local host and for connections to any foreign host.
filter url
The filter url command lets you prevent outbound users from accessing World Wide Web URLs that you designate using the N2H2 or Websense filtering application.
The allow option to the filter command determines how the PIX Firewall behaves in the event that the N2H2 or Websense server goes off line. If you use the allow option with the filter command and the N2H2 or Websense server goes offline, port 80 traffic passes through the PIX Firewall without filtering. Used without the allow option and with the server off line, PIX Firewall stops outbound port 80 (Web) traffic until the server is back on line, or if another URL server is available, passes control to the next URL server.
Note
The N2H2 or Websense server works with the PIX Firewall to deny users from access to websites based on the company security policy.
Websense protocol version 4 enables group and username authentication between a host and a PIX Firewall. The PIX Firewall performs a username lookup, and then Websense server handles URL filtering and username logging.
The N2H2 server must be a Windows workstation (2000, NT, or XP), running an IFP Server, with a recommended minimum of 512 MB of RAM. Also, the long URL support for the N2H2 service is capped at 3 KB, less than the cap for Websense.
Websense protocol version 4 contains the following enhancements:
•
•
•
Follow these steps to filter URLs:
Step 1
Step 2
Step 3
Step 4
Information on Websense is available at the following website:
http://www.websense.com/
Examples
The following example filters all outbound HTTP connections except those from the 10.0.2.54 host:
url-server (perimeter) host 10.0.1.1filter url 80 0 0 0 0filter url except 10.0.2.54 255.255.255.255 0 0The following example blocks all outbound HTTP connections destined to a proxy server that listens on port 8080:
filter url 8080 0 0 0 0 proxy-blockfixup protocol
Modifies PIX Firewall protocol fixups to add, delete, or change services and feature defaults. (Configuration mode.)
Syntax Description
fixup protocol protocol [protocol] [port[-port]]
Modifies PIX Firewall protocol fixups to add, delete, or change services and feature defaults.
fixup protocol ils
Provides support for Microsoft NetMeeting, SiteServer, and Active Directory products that use LDAP to exchange directory information with an ILS server.
ftp
Specifies to change the ftp port number.
h323 ras
Specifies to use RAS with H.323 to enable dissimilar communication devices to communicate with each other. H.323 defines a common set of CODECs, call setup and negotiating procedures, and basic data transport methods.
h323 h225
Specifies to use H.225, the ITU standard that governs H.225.0 session establishment and packetization, with H.323. H.225.0 actually describes several different protocols: RAS, use of Q.931, and use of RTP.
http [port[-port]
The default port for HTTP is 80. Use the port option to change the HTTP port, or the port-port option to specify a range of HTTP ports.
ils
Specifies the Internet Locator Service. The default port is TCP LDAP server port 389.
no
Disables the fixup of a protocol by removing all fixups of the protocol from the configuration using the no fixup command. After removing all fixups for a protocol, the no fixup form of the command or the default port is stored in the configuration.
port
Specify the port number or range for the application protocol. The default ports are: TCP 21 for ftp, TCP LDAP server port 389 for ils, TCP 80 for http, TCP 1720 for h323 h225, UDP 1718-1719 for h323 ras, TCP 514 for rsh, TCP 554 for rtsp, TCP 2000 for skinny, TCP 25 for smtp, TCP 1521 for sqlnet, and TCP 5060 for sip. The default port value for rsh cannot be changed, but additional port statements can be added. See the "Ports" section in "Using PIX Firewall Commands" for a list of valid port literal names. The port over which the designated protocol travels.
protocol
Specifies the protocol to fix up.
protocol_name
The protocol name.
ras
Registration, admission, and status (RAS) is a signaling protocol that performs registration, admissions, bandwidth changes, status, and disengage procedures between the VoIP gateway and the gatekeeper.
sip
Enable or change the port assignment of the Session Initiation Protocol (SIP) for TCP connections. UDP SIP is on by default and cannot be disabled and the port assignment is nonconfigurable. PIX Firewall Version 6.2 introduces PAT support for SIP.
skinny
Enable SCCP. SCCP protocol supports IP telephony and can coexist in an H.323 environment. An application layer ensures that all SCCP signaling and media packets can traverse the PIX Firewall and interoperate with H.323 terminals.
strict
Prevent web browsers from sending embedded commands in FTP requests. Each FTP command must be acknowledged before a new command is allowed. Connections sending embedded commands are dropped.
Defaults
The default ports for the PIX Firewall fixup protocols are as follows:
fixup protocol ftp 21fixup protocol http 80fixup protocol h323 h225 1720fixup protocol h323 ras 1718-1719fixup protocol ils 389fixup protocol rsh 514fixup protocol rtsp 554fixup protocol smtp 25fixup protocol sqlnet 1521fixup protocol sip 5060fixup protocol skinny 2000(These are the defaults that are enabled on a PIX Firewall running software version 6.2.)
Usage Guidelines
The fixup protocol commands let you view, change, enable, or disable the use of a service or protocol through the PIX Firewall. The ports you specify are those that the PIX Firewall listens at for each respective service. You can change the port value for each service except rsh and sip. The fixup protocol commands are always present in the configuration and are enabled by default.
The fixup protocol command performs the Adaptive Security Algorithm based on different port numbers other than the defaults. This command is global and changes things for both inbound and outbound connections, and cannot be restricted to any static command statements.
The clear fixup command resets the fixup configuration to its default. It does not remove the default fixup protocol commands.
You can disable the fixup of a protocol by removing all fixups of the protocol from the configuration using the no fixup command. After you remove all fixups for a protocol, the no fixup form of the command or the default port is stored in the configuration.
fixup protocol ftp
Use the fixup protocol ftp command to specify the listening port or ports for the File Transfer Protocol (FTP). The following describes the features and usage of this command:
•
•
•
INCORRECT
fixup protocol ftp 21fixup protocol ftp 20CORRECT
fixup protocol ftp 21•
The following is an example of a fixup protocol ftp configuration that uses multiple FTP fixups:
:: For a PIX Firewall with two interfaces:ip address outside 192.168.1.1 255.255.255.0ip address inside 10.1.1.1 255.255.255.0:: There is an inside host 10.1.1.15 that will be: exported as 192.168.1.15. This host runs the FTP: services at port 21 and 1021:static (inside, outside) 192.168.1.15 10.1.1.15:: Construct an access list to permit inbound FTP traffic to: port 21 and 1021:access-list outside permit tcp any host 192.168.1.15 eq ftpaccess-list outside permit tcp any host 192.168.1.15 eq 1021access-group outside in interface outside:: Specify that traffic to port 21 and 1021 are FTP traffic:fixup protocol ftp 21fixup protocol ftp 1021If you disable FTP fixups with the no fixup protocol ftp command, outbound users can start connections only in passive mode, and all inbound FTP is disabled.
The strict option to the fixup protocol ftp command prevents web browsers from sending embedded commands in FTP requests. Each FTP command must be acknowledged before a new command is allowed. Connections sending embedded commands are dropped. The strict option only lets an FTP server generate the 227 command and only lets an FTP client generate the PORT command. The 227 and PORT commands are checked to ensure they do not appear in an error string.
fixup protocol h323 {h225 | ras}
The fixup protocol h323 {h225 | ras} command provides support for H.323 compliant applications such as Cisco CallManager and VocalTec Gatekeeper. H.323 is a suite of protocols defined by the International Telecommunication Union (ITU) for multimedia conferences over LANs. Version 5.3 and higher supports H.323 version 2. H.323 version 2 adds the following functionality to the PIX Firewall:
•
•
PIX Firewall software versions 6.2 and higher support PAT for H.323.
When upgrading from any pre-PIX Firewall software version 6.2 release, the following will be added to the configuration:
fixup protocol h323 ras 1718-1719Additionally, fixup protocol h323 port becomes fixup protocol h323 h225 port.
You can disable H.225 signalling or RAS fixup (or both) with the no fixup protocol h323 {h225 | ras} port [-port] command.
fixup protocol http
The fixup protocol http command sets the port for Hypertext Transfer Protocol (HTTP) traffic. The default port for HTTP is 80.
Use the port option to change the default port assignments from 80. Use the port-port option to apply HTTP application inspection to a range of port numbers.
Note
HTTP inspection performs several functions:
•
•
•
The latter two features must be configured in conjuction with the filter command.
fixup protocol ils
The fixup protocol ils command provides NAT support for Microsoft NetMeeting, SiteServer, and Active Directory products that use LightWeight Directory Access Protocol (LDAP) to exchange directory information with an for Internet Locator Service (ILS) server.
fixup protocol rtsp
The fixup protocol rtsp command lets PIX Firewall pass Real Time Streaming Protocol (RTSP) packets. RTSP is used by RealAudio, RealNetworks, Apple QuickTime 4, RealPlayer, and Cisco IP/TV connections.
If you are using Cisco IP/TV, use RTSP TCP port 554 and TCP 8554:
fixup protocol rtsp 554fixup protocol rtsp 8554The following restrictions apply to the fixup protocol rtsp command:
1.
2.
3.
4.
5.
6.
7.
If using TCP mode on the RealPlayer, select the Use TCP to Connect to Server and Attempt to use TCP for all content check boxes. On the PIX Firewall, there is no need to configure the fixup.
If using UDP mode on the RealPlayer, select the Use TCP to Connect to Server and Attempt to use UDP for static content check boxes, and for live content not available via Multicast. On the PIX Firewall, add a fixup protocol rtsp port command statement.
fixup protocol sip
Session Initiation Protocol (SIP), as defined by the Internet Engineering Task Force (IETF), enables call handling sessions and two-party audio conferences (calls). SIP works with Session Description Protocol (SDP) for call signalling. SDP specifies the ports for the media stream. Using SIP, the PIX Firewall can support any SIP Voice over IP (VoIP) gateway or VoIP proxy server. SIP and SDP are defined in the following RFCs:
•
•
To support SIP, calls through the PIX Firewall, signaling messages for the media connection addresses, media ports, and embryonic connections for the media must be inspected. This is because while the signaling is sent over a well known destination port (UDP/TCP 5060), the media streams are dynamically allocated. Therefore, SIP is a text-based protocol and contains the IP addresses throughout the text. The packets are inspected and NAT is provided for the IP addresses.
PIX Firewall software version 6.2 and higher support PAT for SIP.
The fixup protocol sip command enables SIP on the interface.
The SIP fixup is always in effect when UDP signaling is used, even if the command no fixup procol sip 5060 is issued. With TCP signaling, the fixup can be disabled with the command no fixup protocol sip 5060.
For additional information about the SIP protocol see RFC 2543. For additional information about the Session Description Protocol (SDP), see RFC 2327.
Note
fixup protocol skinny
Skinny Client Control Protocol (SCCP or "skinny") protocol supports IP telephony and can coexist in an H.323 environment. An application layer ensures that all SCCP signaling and media packets can traverse the PIX Firewall and interoperate with H.323 terminals.
fixup protocol smtp
The fixup protocol smtp command enables the Mail Guard feature, which only lets mail servers receive the RFC 821, section 4.5.1, commands of HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT. All other commands are translated into X's which are rejected by the internal server. This results in a message such as "500 Command unknown: 'XXX'." Incomplete commands are discarded.
Note
As of PIX Firewall software version 5.1 and higher, the fixup protocol smtp command changes the characters in the SMTP banner to asterisks except for the "2", "0", "0 " characters. Carriage return (CR) and linefeed (LF) characters are ignored.
In PIX Firewall software version 4.4, all characters in the SMTP banner are converted to asterisks.
fixup protocol sqlnet
PIX Firewall uses port 1521 for SQL*Net. This is the default port used by Oracle for SQL*Net; however, this value does not agree with IANA port assignments.
Examples
The following example enables access to an inside server running Mail Guard:
static (inside,outside) 209.165.201.1 192.168.42.1 netmask 255.255.255.255access-list acl_out permit tcp host 209.165.201.1 eq smtp anyaccess-group acl_out in interface outsidefixup protocol smtp 25The following example shows the commands to disable Mail Guard:
static (dmz1,outside) 209.165.201.1 10.1.1.1 netmask 255.255.255.255access-list acl_out permit tcp host 209.165.201.1 eq smtp anyaccess-group acl_out in interface outsideno fixup protocol smtp 25In this example, the static command sets up a global address to permit outside hosts access to the 10.1.1.1 mail server host on the dmz1 interface. (The MX record for DNS needs to point to the 209.165.201.1 address so that mail is sent to this address.) The access-list command lets any outside users access the global address through the SMTP port (25). The no fixup protocol command disables the Mail Guard feature.
flashfs
Clear, display, or downgrade filesystem information. (Configuration mode.)
flashfs downgrade {4.x | 5.0 | 5.1}
clear flashfs
show flashfs
Displays the size in bytes of each filesystem sector and the current state of the filesystem.
Syntax Description
Usage Guidelines
The clear flashfs and the flashfs downgrade 4.x commands clear the filesystem part of Flash memory in the PIX Firewall. Versions 4.n cannot use the information in the filesystem; it needs to be cleared to let the earlier version operate correctly.
The flashfs downgrade 5.x command reorganizes the filesystem part of Flash memory so that information stored in the filesystem can be accessed by the earlier version. The PIX Firewall maintains a filesystem in Flash memory to store system information, IPSec private keys, certificates, and CRLs. It is crucial that you clear or reformat the filesystem before downgrading to a previous PIX Firewall version. Otherwise, your filesystem will get out of sync with the actual contents of the Flash memory and cause problems when the unit is later upgraded.
Note
You only need to use the flashfs downgrade 5.x command if your PIX Firewall has 16 MB of Flash memory, if you have IPSec private keys, certificates, or CRLs stored in Flash memory, and you used the ca save all command to save these items in Flash memory. The flashfs downgrade 5.x command fails if the filesystem indicates that any part of the image, configuration, or private data in the Flash memory device is unusable.
The clear flashfs and flashfs downgrade commands do not affect the configuration stored in Flash memory.
The clear flashfs command is the same as the flashfs downgrade 4.x command.
The show flashfs command displays the size in bytes of each filesystem sector and the current state of the filesystem. The data in each sector is as follows:
•
•
•
•
•
Examples
The following is sample output from the show flashfs command:
pixfirewall(config)# show flashfsflash file system: version:2 magic:0x12345679file 0: origin: 0 length:1511480file 1: origin: 2883584 length:3264file 2: origin: 0 length:0file 3: origin: 3014656 length:4444164file 4: origin: 8257536 length:280Use the following command to write the filesystem to Flash memory before downgrading to a lower version of software:
pixfirewall(config)# flashfs downgrade 5.3The following commands display the filesystem sector sizes:
pixfirewall(config)# show flashfsflash file system: version:1 magic:0x12345679file 0: origin: 0 length:1794104file 1: origin: 2095104 length:1496file 2: origin: 0 length:0file 3: origin: 2096640 length:140file 4: origin: 8257536 length:280pixfirewall(config)#flashfs downgrade 5.3pixfirewall(config)#show flashfsflash file system: version:0 magic:0x0file 0: origin: 0 length:0file 1: origin: 0 length:0file 2: origin: 0 length:0file 3: origin: 0 length:0file 4: origin: 8257536 length:280The origin values are integer multiples of the underlying filesystem sector size.
floodguard
Enable or disable Flood Defender to protect against flood attacks. (Configuration mode.)
floodguard enable
floodguard disable
clear floodguard
show floodguard
Displays the floodguard command in the configuration.
Syntax Description
Usage Guidelines
The floodguard command lets you reclaim PIX Firewall resources if the user authentication (uauth) subsystem runs out of resources. If an inbound or outbound uauth connection is being attacked or overused, the PIX Firewall will actively reclaim TCP user resources.
When the resources deplete, the PIX Firewall lists messages about it being out of resources or out of tcpusers.
If the PIX Firewall uauth subsystem is depleted, TCP user resources in different states are reclaimed depending on urgency in the following order:
1.
2.
3.
4.
5.
The floodguard command is enabled by default.
Examples
The following example enables the floodguard command and lists the floodguard command statement in the configuration:
floodguard enableshow floodguardfloodguard enablefragment
The fragment command provides additional management of packet fragmentation and improves compatibility with NFS. (Configuration Mode.)
fragment size database-limit [interface]
fragment chain chain-limit [interface]
fragment timeout seconds [interface]
clear fragment
Syntax Description
Usage Guidelines
By default the PIX Firewall accepts up to 24 fragments to reconstruct a full IP packet. Based on your network security policy, you should consider configuring the PIX Firewall to prevent fragmented packets from traversing the firewall by entering the fragment chain 1 interface command on each interface. Setting the limit to 1 means that all packets must be whole; that is, unfragmented.
If a large percentage of the network traffic through the PIX Firewall is NFS, additional tuning may be necessary to avoid database overflow. See system log message 209003 for additional information.
In an environment where the MTU between the NFS server and client is small, such as a WAN interface, the chain option may require additional tuning. In this case, NFS over TCP is highly recommended to improve efficiency.
Setting the database-limit of the size option to a large value can make the PIX Firewall more vulnerable to a DoS attack by fragment flooding. Do not set the database-limit equal to or greater than the total number of blocks in the 1550 or 16384 pool. See the show block command for more details. The default values will limit DoS due to fragment flooding to that interface only.
Examples
For example, to prevent fragmented packets on the outside and inside interfaces enter:
pixfirewall(config)# fragment chain 1 outsidepixfirewall(config)# fragment chain 1 insideContinue entering the fragment chain 1 interface command for each additional interface on which you want to prevent fragmented packets.
The following example configures the outside fragment database to limit a maximum size of 2000, a maximum chain length of 45, and a wait time of 10 seconds:
pixfirewall(config)#pixfirewall(config)# fragment outside size 2000pixfirewall(config)# fragment chain 45 outsidepixfirewall(config)# fragment outside timeout 10pixfirewall(config)#The clear fragment command resets the fragment databases. Specifically, all fragments awaiting re-assembly are discarded. In addition, the size is reset to 200; the chain limit is reset to 24; and the timeout is reset to 5 seconds.
The show fragment command display the states of the fragment databases. If the interface name is specified, only the database residing at the specified interface is displayed.
pixfirewall(config)# show fragment outsideInterface:outsideSize:2000, Chain:45, Timeout:10Queue:1060, Assemble:809, Fail:0, Overflow:0The preceding example shows that the "outside" fragment database has the following:
•
•
•
•
•
•
•
This fragment database is under heavy usage.
The PIX Firewall also includes FragGuard for additional IP fragmentation protection. For more information refer to the Cisco PIX Firewall and VPN Configuration Guide at:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/config/overvw.htm#1046527
