Cisco PIX Firewall Command Reference, Version 6.2
M through R Commands

Table Of Contents

M through R Commands

mroute

multicast

mtu

name / names

nameif

nat

ntp

object-group

outbound / apply

pager

passwd

pdm

perfmon

ping

privilege

quit

reload

rip

route


M through R Commands


mroute

Configures a static multicast route. (Configuration mode.)

Configure with the command:
mroute src smask in-if-name dst dmask out-if-name

Remove with the command:
no mroute src smask in-if-name dst dmask out-if-name


Show command options
Show command output

show mroute [dst [src]]

Displays the current multicast route table.


Syntax Description

dmask

The destination network address mask.

dst

The Class D address of the multicast group.

in-if-name

The input interface name to pass multicast traffic.

out-if-name

The output interface name to pass multicast traffic.

smask

The multicast source network address mask.

src

The IP address of the multicast source.


Usage Guidelines

The mroute command supports routing multicast traffic through the PIX Firewall.

Examples

In the following example, the multicast sources are the inside interface and DMZ with no internal receivers:

multicast interface outside
multicast interface inside
multicast interface dmz

mroute 1.1.1.1 255.255.255.255 inside 230.1.1.2 255.255.255.255 outside
mroute 2.2.2.2 255.255.255.255 dmz 230.1.1.2 255.255.255.255 outside

multicast

Enables multicast traffic to pass through the PIX Firewall. Includes an igmp subcommand mode for multicast support. (Configuration mode.)

Configure with the command:
multicast interface interface_name [max-groups number]

Subcommands to the multicast command:
igmp forward interface interface_name
igmp access-group acl_id
igmp version {1 | 2}
igmp join-group group
igmp query-interval seconds
igmp query-max-response-time seconds

Remove with the command:
no multicast interface interface_name
clear multicast

Subcommands to the multicast command:
no igmp
clear igmp [group | interface interface_name]


Show command options
Show command output

show igmp [group | interface interface_name] [detail]

Displays the IGMP information for a multicast group, whether statically configured or dynamically created.

show multicast [interface interface_name]

Displays all or per-interface multicast settings. Also displays the IGMP configuration for any interface that is specified.


Syntax Description

acl_id

Access control list ID.

detail

Displays all information in the IGMP table.

group

The address of the multicast group.

igmp

Internet Group Management Protocol.

interface_name

The name of the interface on which to enable multicast traffic.

join-group

The multicast group to join.

max-groups

Specifies the maximum number of groups, from 0 to 2000. The default value is 500.

number

The maximum number of groups that can be joined.

query-interval

The query response time interval.

query-max-response-time

The maximum query response time interval.

seconds

Specifies the number of seconds to wait.


Usage Guidelines

The multicast command supports routing multicast traffic through the PIX Firewall.

The PIX Firewall igmp commands are subcommands of the multicast command.

The clear igmp [group | interface interface_name] command clears IGMP entries.


Note The PIX Firewall acts as an IGMP proxy but is not a multicast router.


Examples

The following example shows use of the multicast command with corresponding igmp subcommands:

multicast interface outside
multicast interface inside
igmp forward interface outside 
igmp join-group 224.1.1.1

The following is an example of the show igmp command:

pixfirewall(config)# show igmp 

  IGMP is enabled on interface inside
  Current IGMP version is 2
  IGMP query interval is 60 seconds
  IGMP querier timeout is 125 seconds
  IGMP max query response time is 10 seconds
  Last member query response interval is 1 seconds
  Inbound IGMP access group is 
  IGMP activity: 0 joins, 0 leaves
  IGMP querying router is 10.1.3.1 (this system)

  IGMP Connected Group Membership
   Group Address    Interface            Uptime    Expires   Last Reported

mtu

Specify the maximum transmission unit (MTU) for an interface. (Configuration mode.)

Configure with the command:
mtu if_name bytes

Remove with the command:
no mtu [if_name bytes]


Show command options
Show command output

show mtu

Displays the current block size.


Syntax Description

bytes

The number of bytes in the MTU, in the range of 64 to 65,535 bytes. The value specified depends on the type of network connected to the interface.

if_name

The internal or external network interface name.


Usage Guidelines

The mtu command sets the size of data sent on a connection. Data larger than the maximum transmission unit (MTU) value is fragmented before being sent. The minimum value for bytes is 64 and the maximum is 65,535 bytes.

For PIX Firewall software version 6.2, MTU size must be greater than or equal to 1500 for the Stateful Failover link and greater than or equal to 576 for the LAN-based failover link.

For PIX Firewall software versions 5.2 through 6.1, MTU size must be greater than or equal to 256 bytes for the Stateful Failover link.

PIX Firewall supports the IP Path MTU Discovery mechanism, as defined in RFC 1191. IP Path MTU Discovery allows a host to dynamically discover and cope with differences in the maximum allowable maximum transmission unit (MTU) size of the various links along the path. Sometimes a PIX Firewall is unable to forward a datagram because it requires fragmentation (the packet is larger than the MTU you set for the interface), but the "don't fragment" (DF) bit is set. The network software sends a message to the sending host, alerting it to the problem. The host will have to fragment packets for the destination so that they fit the smallest packet size of all the links along the path.
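The following is an added example, not code from the Cisco PIX documentation. It models the per-datagram decision described above (forward, fragment, or drop and report "fragmentation needed" when DF is set) at an interface with a given MTU, and the sender-side loop of RFC 1191 that shrinks its packet size each time a hop reports a smaller MTU. The 20-byte IP header length, the `Datagram` type and the constructed link MTUs are assumptions for illustration.

```python
# Added example (not from the Cisco PIX documentation): models the forward /
# fragment / "fragmentation needed" decision a router applies at an interface
# whose MTU is smaller than an incoming datagram (RFC 1191 behaviour), and a
# sender-side loop that shrinks its packet size until the path accepts it.
from dataclasses import dataclass

IP_HEADER_LEN = 20  # assumption: IPv4 header without options


@dataclass
class Datagram:
    total_length: int    # bytes, IP header included
    dont_fragment: bool  # DF bit


def fragment_sizes(total_length, mtu):
    """Split one datagram into fragment sizes that each fit the MTU.

    Fragment offsets are expressed in 8-byte units, so every fragment except
    the last carries a payload that is a multiple of 8 bytes.
    """
    payload = total_length - IP_HEADER_LEN
    per_fragment = (mtu - IP_HEADER_LEN) // 8 * 8
    sizes = []
    while payload > 0:
        chunk = min(per_fragment, payload)
        sizes.append(chunk + IP_HEADER_LEN)
        payload -= chunk
    return sizes


def forward_decision(dgram, egress_mtu):
    """Decide what an interface with egress_mtu does with dgram.

    Returns ("forward", [size]), ("fragment", [sizes]) or
    ("icmp_frag_needed", mtu); the last one stands for the ICMP type 3 code 4
    message that tells the sender the MTU it has to fit.
    """
    if not 64 <= egress_mtu <= 65535:
        raise ValueError("MTU must be in the 64..65535 range accepted by the mtu command")
    if dgram.total_length <= egress_mtu:
        return ("forward", [dgram.total_length])
    if dgram.dont_fragment:
        return ("icmp_frag_needed", egress_mtu)
    return ("fragment", fragment_sizes(dgram.total_length, egress_mtu))


def discover_path_mtu(link_mtus, initial_size, max_rounds=32):
    """Sender view of Path MTU Discovery over the given sequence of link MTUs.

    Sends DF-marked datagrams and, each time a hop reports fragmentation
    needed, retries at the MTU that hop announced. Returns (path_mtu, rounds).
    """
    size = initial_size
    for rounds in range(1, max_rounds + 1):
        for mtu in link_mtus:
            verdict = forward_decision(Datagram(size, True), mtu)
            if verdict[0] == "icmp_frag_needed":
                size = verdict[1]
                break
        else:
            return size, rounds
    raise RuntimeError("path MTU did not converge")


if __name__ == "__main__":
    # Constructed path: 1500 -> 1400 -> 1500 -> 576 byte links.
    print(discover_path_mtu([1500, 1400, 1500, 576], 1500))
    print(forward_decision(Datagram(3000, False), 1500))
```

Each round of `discover_path_mtu` stops at the first hop that rejects the DF-marked datagram, which is why a path with two bottlenecks takes one extra round: the sender only learns about the 576-byte link after it has already shrunk to 1400.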

For Ethernet interfaces, the default MTU is 1500 bytes in a block, which is also the maximum. This value is sufficient for most applications, but you can pick a lower number if network conditions warrant it.

The no mtu command resets the MTU block size to 1500 for Ethernet interfaces. The show mtu command displays the current block size. The show interface command also shows the MTU value.

Examples

The following example shows the use of the mtu command with Ethernet:

interface ethernet0 auto
mtu inside 8192

show mtu
mtu outside 1500
mtu inside 8192

name / names

Associate a name with an IP address. (Configuration mode.)

Configure with the command:
name ip_address name
names

Remove with the command:
no name [ip_address name]
no names
clear names


Show command options
Show command output

show names

Displays the name command statements in the configuration.


Syntax Description

ip_address

The IP address of the host being named.

name

The name assigned to the IP address. Allowable characters are a to z, A to Z, 0 to 9, a dash, and an underscore. The name cannot start with a number. If the name is over 16 characters long, the name command fails.


Usage Guidelines

Use the name command to identify a host by a text name. The names you define become like a host table local to the PIX Firewall. Because there is no connection to DNS or /etc/hosts on UNIX servers, use of this command is a mixed blessing—it makes configurations much more readable but introduces another level of abstraction to administer; not only do you have to add and delete IP addresses to your configuration as you do now, but with this command, you must also ensure that the host names either match existing names or that you keep a map listing the differences.

The name command maps text strings to IP addresses. The clear names command clears the list of names from the PIX Firewall configuration. The no names command disables the use of the text names, but does not remove them from the configuration. The show names command lists the name command statements in the configuration.

Usage Notes

1. You must first use the names command before using the name command. Use the name command immediately after the names command and before you use the write memory command.

2. To disable displaying name values, use the no names command.

3. Only one name can be associated with an IP address.

4. Both the name and names command statements are saved in the configuration.

5. While the name command will let you assign a name to a network mask, no other PIX Firewall command requiring a mask will let you use the name as a mask value. For example, the following command is accepted.

name 255.255.255.0 class-C-mask


Note None of the commands in which a mask is required can process the "class-C-mask" as an accepted network mask.
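The following is an added example, not code from the Cisco PIX documentation. It is a small lint pass over a configuration fragment that checks the rules stated above for the name and names commands: names must precede name, a name may use only letters, digits, dash and underscore, may not start with a digit and may not exceed 16 characters, only one name may be bound to an address, and a name bound to a mask value (such as class-C-mask) is accepted but unusable wherever a mask is required. The sample configuration lines and the mask heuristic (an address starting with 255.) are constructed assumptions.

```python
# Added example (not from the Cisco PIX documentation): lints name / names
# statements against the rules given in the command reference.
import re

# Characters the name command accepts: letters, digits, dash, underscore,
# and the name may not start with a digit.
NAME_PATTERN = re.compile(r"^[A-Za-z_-][A-Za-z0-9_-]*$")
MAX_NAME_LEN = 16
MASK_PATTERN = re.compile(r"^255\.")  # assumption: an address that looks like a netmask


def validate_name(name):
    """Return a list of problems with one name argument (empty if it is valid)."""
    problems = []
    if len(name) > MAX_NAME_LEN:
        problems.append(f"'{name}' is longer than {MAX_NAME_LEN} characters")
    if name[:1].isdigit():
        problems.append(f"'{name}' starts with a digit")
    elif not NAME_PATTERN.match(name):
        problems.append(f"'{name}' contains characters other than a-z, A-Z, 0-9, '-' and '_'")
    return problems


def lint_name_statements(config_lines):
    """Check ordering and uniqueness rules for names / name statements.

    Returns a list of (line_number, message) tuples; an empty list means the
    fragment obeys every rule described in the reference.
    """
    findings = []
    names_enabled = False
    name_of = {}  # ip_address -> name already assigned
    for lineno, raw in enumerate(config_lines, start=1):
        tokens = raw.split()
        if tokens == ["names"]:
            names_enabled = True
            continue
        if len(tokens) != 3 or tokens[0] != "name":
            continue
        _, ip_address, name = tokens
        if not names_enabled:
            findings.append((lineno, "name used before the names command"))
        for problem in validate_name(name):
            findings.append((lineno, problem))
        if ip_address in name_of and name_of[ip_address] != name:
            findings.append((lineno, f"{ip_address} already named '{name_of[ip_address]}'; "
                                     "only one name per address"))
        else:
            name_of[ip_address] = name
        if MASK_PATTERN.match(ip_address):
            findings.append((lineno, f"'{name}' names a mask value; no command that "
                                     "takes a mask will accept it"))
    return findings


# Constructed configuration fragment exercising each rule.
SAMPLE_CONFIG = [
    "name 192.168.42.3 pix_inside",          # before names: flagged
    "names",
    "name 209.165.201.3 pix_outside",        # valid
    "name 209.165.201.3 pix_out2",           # second name for the same address
    "name 10.0.0.1 1stserver",               # starts with a digit
    "name 10.0.0.2 a_really_long_hostname",  # longer than 16 characters
    "name 255.255.255.0 class-C-mask",       # accepted, but unusable as a mask
]

if __name__ == "__main__":
    for lineno, message in lint_name_statements(SAMPLE_CONFIG):
        print(f"line {lineno}: {message}")
```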


Examples

In the example that follows, the names command enables use of the name command. The name command substitutes pix_inside for references to 192.168.42.3, and pix_outside for 209.165.201.3. The ip address commands use these names while assigning IP addresses to the network interfaces. The no names command disables the name command values from displaying. Subsequent use of the names command restores their display.

pixfirewall(config)# names
pixfirewall(config)# name 192.168.42.3 pix_inside
pixfirewall(config)# name 209.165.201.3 pix_outside
pixfirewall(config)# ip address inside pix_inside 255.255.255.0
pixfirewall(config)# ip address outside pix_outside 255.255.255.224

pixfirewall(config)# show ip address
System IP Addresses:
inside ip address pix_inside mask 255.255.255.0
outside ip address pix_outside mask 255.255.255.224

pixfirewall(config)# no names
pixfirewall(config)# show ip address
System IP Addresses:
inside ip address 192.168.42.3 mask 255.255.255.0
outside ip address 209.165.201.3 mask 255.255.255.224

pixfirewall(config)# names
pixfirewall(config)# show ip address
System IP Addresses:
inside ip address pix_inside mask 255.255.255.0
outside ip address pix_outside mask 255.255.255.224

pixfirewall(config)# show names
System IP Addresses:
name 192.168.42.3 pix_inside
name 209.165.201.3 pix_outside

nameif

Name interfaces and assign security level. (Configuration mode.)

Configure with the command:
nameif hardware_id if_name security_level

Remove with the command:
clear nameif


Show command options
Show command output

show nameif

Displays interface names.


Syntax Description

hardware_id

The hardware name for the network interface that specifies the interface's slot location on the PIX Firewall motherboard. For more information on PIX Firewall hardware configuration, refer to the Cisco PIX Firewall Hardware Installation Guide.

A logical choice for an Ethernet interface is ethernetn. These names can also be abbreviated with any leading characters in the name, for example, ether1 or e2.

if_name

A name for the internal or external network interface of up to 48 characters in length. By default, PIX Firewall names the inside interface "inside," the outside interface "outside," and any perimeter interface "intfn" where n is 2 through 5.

security_level

Enter 0 for the outside network or 100 for the inside network. Perimeter interfaces can use any number between 1 and 99. By default, PIX Firewall sets the security level for the inside interface to security100 and the outside interface to security0. The first perimeter interface is initially set to security10, the second to security15, the third to security20, and the fourth perimeter interface to security25 (a total of 6 interfaces are permitted, with a total of 4 perimeter interfaces permitted).

For access from a higher security to a lower security level, nat and global commands or static commands must be present. For access from a lower security level to a higher security level, static and access-list commands must be present.

Interfaces with the same security level cannot communicate with each other. We recommend that every interface have a unique security level.


Usage Guidelines

The nameif command lets you assign a name to an interface. You can use this command to assign interface names if you have more than two network interface circuit boards in your PIX Firewall. The first two interfaces have the default names inside and outside. The inside interface has a default security level of 100, the outside interface has a default security level of 0. The clear nameif command reverts nameif command statements to default interface names and security levels.

Usage Notes

1. If you change the hardware_id of the outside interface (for example, from ethernet0 to ethernet1), PIX Firewall changes every reference to the outside interface in your configuration to inside, which can cause problems with route, ip, and other command statements that affect the flow of traffic through the PIX Firewall.

2. After changing a nameif command, use the clear xlate command.

3. The inside interface cannot be renamed or given a different security level. The outside interface can be renamed, but not given a different security level.

4. An interface is always "external" with respect to another interface that has a higher security level.

Examples

The following example shows use of the nameif command:

nameif ethernet2 perimeter1 sec50
nameif ethernet3 perimeter2 sec20

Related Commands

interface

nat

Associate a network with a pool of global IP addresses. (Configuration mode.)

Configure with the command:
nat [(if_name)] id address [netmask [outside] [dns] [norandomseq] [conn_limit [em_limit]]]
nat [(if_name)] 0 access-list acl_name

Remove with the command:
no nat [(if_name)] id address [netmask [outside]]
no nat [(if_name)] 0 [access-list acl_name]


Show command options
Show command output

show nat

Displays the nat command statements in the current configuration.


Syntax Description

access-list

Associates access-list command statements to the nat 0 command and exempts traffic that matches the access-list from NAT processing.

acl_name

The access list name.

clear nat

Removes nat command statements from the configuration.

conn_limit

The connection limit: the maximum number of connections that can be started through the translation (see Usage Guidelines).

dns

Specifies that DNS replies that match the xlate are translated.

em_limit

The embryonic connection limit. The default is 0, which means unlimited connections. Set it lower for slower systems, higher for faster systems.

hh:mm:ss

The timeout interval for the translation slot. However, timeout only occurs if no TCP or UDP connection is actively using the translation.

id

The id number to match with the global address pool.

if_name

The internal network interface name.

local_ip

Internal network IP address to be translated. You can use 0.0.0.0 to allow all hosts to start outbound connections. The 0.0.0.0 local_ip can be abbreviated as 0.

max_conns

The maximum TCP connections permitted from the interface you specify.

nat_id

nat_id values can be 0, 0 access-list acl_name, or a number greater than zero (0).

A nat_id that is 0 specifies the inside hosts for identity translation. Identity translations are translations that map an address to itself. The restriction is that the traffic must initiate from an inside host.

A nat_id that is 0 access-list acl_name specifies the traffic to exempt from NAT processing, based on the access list specified by acl_name. This is useful in Virtual Private Network (VPN) configuration where traffic between private networks should be exempted from NAT.

A nat_id that is a number greater than zero (0) specifies the inside hosts for dynamic address translation. The dynamic addresses are chosen from a global address pool created with the global command, so the nat_id number must match the global_id number of the global address pool you want to use for dynamic address translation.

netmask

Network mask for local_ip. You can use 0.0.0.0 to allow all outbound connections to translate with IP addresses from the global pool. The netmask 0.0.0.0 can be abbreviated as 0.

norandomseq

Do not randomize the TCP packet's sequence number. Only use this option if another inline firewall is also randomizing sequence numbers and the result is scrambling the data. Using this option disables TCP Initial Sequence Number (ISN) randomization protection. Without this protection, inside hosts with weak self-ISN protection become more vulnerable to TCP connection hijacking.

outside

Specifies that the nat command apply to the outside interface address. For access control, IPSec, and AAA use the real outside address.

timeout

Sets the idle timeout value for the translation slot.


Usage Guidelines

The nat command lets you enable or disable address translation for one or more internal addresses. Address translation means that when a host starts an outbound connection, the IP addresses in the internal network are translated into global addresses. Network Address Translation (NAT) allows your network to have any IP addressing scheme and the PIX Firewall protects these addresses from visibility on the external network.


Note If not explicitly included in the nat command, the PIX Firewall derives the network mask from the class of the IP address. For example, the command nat 0 10.130.36.0 causes all addresses in the 10.0.0.0 network to be translated and not only those in the 10.130.36.0 network. For this reason, you should specify the network mask when configuring an IP address that is not classful.
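The following is an added example, not code from the Cisco PIX documentation. It reproduces the classful-mask derivation the note describes and uses it to flag nat statements whose address is not on a classful boundary and that omit the netmask, which is exactly the `nat 0 10.130.36.0` case above. The `0` abbreviation for `0.0.0.0` and the `access-list` form are handled so the check can run over a whole configuration; the checker's function names are assumptions for illustration.

```python
# Added example (not from the Cisco PIX documentation): derives the classful
# mask the PIX applies when a nat statement omits the netmask and warns when
# that default covers more than the address suggests.
import ipaddress


def expand_zero(token):
    """The nat command lets 0 stand in for 0.0.0.0 as an address or a mask."""
    return "0.0.0.0" if token == "0" else token


def is_ipv4(token):
    try:
        ipaddress.IPv4Address(expand_zero(token))
        return True
    except ipaddress.AddressValueError:
        return False


def classful_mask(address):
    """Mask derived from the address class, as the PIX does when none is given."""
    first_octet = int(address.split(".")[0])
    if first_octet < 128:
        return "255.0.0.0"        # class A
    if first_octet < 192:
        return "255.255.0.0"      # class B
    if first_octet < 224:
        return "255.255.255.0"    # class C
    raise ValueError(f"{address} is a class D/E address with no classful mask")


def effective_nat_network(address, netmask=None):
    """Network a nat statement really covers, with or without an explicit mask."""
    mask = netmask or classful_mask(address)
    return ipaddress.IPv4Network((address, mask), strict=False)


def check_nat_statement(line):
    """Warn when a nat statement relies on the classful default for a non-classful address.

    Returns a warning string, or None when the statement is unambiguous.
    """
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] != "nat" or "access-list" in tokens:
        return None
    if tokens[1].startswith("("):
        tokens.pop(1)   # drop the optional (if_name)
    if not is_ipv4(tokens[2]):
        return None
    address = expand_zero(tokens[2])
    if len(tokens) > 3 and is_ipv4(tokens[3]):
        return None     # explicit netmask present
    network = effective_nat_network(address)
    if ipaddress.IPv4Address(address) != network.network_address:
        return (f"{line!r}: no netmask given, so {address} is treated as {network}; "
                "add an explicit mask such as 255.255.255.0")
    return None


if __name__ == "__main__":
    # Constructed statements: the first is the case from the note above.
    for stmt in ("nat (inside) 0 10.130.36.0",
                 "nat (inside) 0 10.130.36.0 255.255.255.0",
                 "nat (inside) 1 0 0"):
        print(stmt, "->", check_nat_statement(stmt) or "ok")
```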


The nat if_name 0 access-list acl_name command lets you exempt traffic that is matched by the access-list command statements from the NAT services. Adaptive Security remains in effect with the nat 0 access-list command. The extent to which the inside hosts are accessible from the outside depends on the access-list command statements that permit inbound access. The if_name is the higher security level interface name. The acl_name is the name you use to identify the access-list command statement.

With PIX Firewall software version 5.3 and higher, there is no longer a restriction on having the nat 0 command (Identity NAT) and the nat 0 access-list command configured at the same time. Both the nat 0 command and the nat 0 access-list command may be configured concurrently.

The access-list option changes the behavior of the nat 0 command. (Without the access-list option, the command is backward compatible with previous versions.) The nat 0 command implemented the identity feature; this new version of the command disables NAT. Specifically, the new behavior disables proxy ARPing for the IP addresses in the nat 0 command statement.


Note The access list you specify with the nat 0 access-list command will not work with an access-list command statement that contains a port specification. The following sample command statements will not work.

access-list no-nat permit tcp host xx.xx.xx.xx host yy.yy.yy.yy
nat (inside) 0 access-list no-nat


After changing or removing a nat command statement, use the clear xlate command.

The connection limit lets you set the maximum number of outbound connections that can be started with the IP address criteria you specify. The embryonic connection limit lets you prevent a type of attack where processes are started without being completed. An embryonic connection is a connection that someone attempted but has not completed and has not yet seen data. Every connection is embryonic until it sets up.
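The following is an added example, not code from the Cisco PIX documentation. It models the two limits described above for one translation: a flow is embryonic from its first SYN until the handshake completes, a new attempt is dropped once the embryonic count reaches em_limit or the total reaches conn_limit, and a limit of 0 means unlimited. The event trace and the limiter's class and method names are constructed assumptions.

```python
# Added example (not from the Cisco PIX documentation): applies conn_limit and
# em_limit to a constructed stream of connection events.
class TranslationLimits:
    """Tracks connections through one translation and applies conn_limit / em_limit.

    A flow is embryonic from its first SYN until the handshake completes;
    a limit of 0 means unlimited, matching the nat command's default.
    """

    def __init__(self, conn_limit=0, em_limit=0):
        self.conn_limit = conn_limit
        self.em_limit = em_limit
        self.state = {}   # flow tuple -> "embryonic" | "established"

    def counts(self):
        embryonic = sum(1 for s in self.state.values() if s == "embryonic")
        return len(self.state), embryonic

    def on_syn(self, flow):
        """Admit or drop a new connection attempt, returning the verdict."""
        if flow in self.state:
            return "allow"                      # retransmitted SYN of a known flow
        total, embryonic = self.counts()
        if self.conn_limit and total >= self.conn_limit:
            return "drop: conn_limit reached"
        if self.em_limit and embryonic >= self.em_limit:
            return "drop: em_limit reached"
        self.state[flow] = "embryonic"
        return "allow"

    def on_established(self, flow):
        if flow in self.state:
            self.state[flow] = "established"

    def on_close(self, flow):
        self.state.pop(flow, None)


def replay(events, conn_limit=0, em_limit=0):
    """Run (event, flow) tuples through the limiter; return the verdict for each SYN."""
    limits = TranslationLimits(conn_limit, em_limit)
    verdicts = []
    for event, flow in events:
        if event == "syn":
            verdicts.append(limits.on_syn(flow))
        elif event == "established":
            limits.on_established(flow)
        elif event == "close":
            limits.on_close(flow)
    return verdicts


# Constructed trace: four attempts from one source port range toward a
# translated server; one completes and thereby frees an embryonic slot.
SAMPLE_EVENTS = [
    ("syn", ("10.1.1.15", 40001)),
    ("syn", ("10.1.1.15", 40002)),
    ("syn", ("10.1.1.15", 40003)),
    ("established", ("10.1.1.15", 40001)),
    ("syn", ("10.1.1.15", 40004)),
]

if __name__ == "__main__":
    for verdict in replay(SAMPLE_EVENTS, em_limit=2):
        print(verdict)
```

With em_limit=2 the third attempt is dropped while two handshakes are still open, and the fourth is admitted only because the first flow completed in between; with both limits at 0 every attempt is allowed.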

You can use the no nat command to remove a nat command statement.

The nat outside option lets you enable or disable outside NAT, which translates the source address of a connection coming from a lower security interface to a higher security interface. This feature is also called Bi-Directional NAT. By default, address translation occurs only for host addresses on the higher security or "inside" interface.


Note If outside dynamic NAT is enabled on an interface, explicit NAT policy must be configured for all hosts on the interface.


Use a nat_id of 0 with the outside option to disable address translation for host addresses on the lower security interface. Use this option only if outside dynamic NAT is configured on the interface. By default, address translation is automatically disabled for hosts connected to the lower security interface.

Table 7-1 helps you decide when to use the nat or static commands for access between the various interfaces in the PIX Firewall. For this table, assume that the security levels are 40 for dmz1 and 60 for dmz2.

Table 7-1 Interface Access Commands by Interface

From This Interface   To This Interface   Use This Command
inside                outside             nat
inside                dmz1                nat
inside                dmz2                nat
dmz1                  outside             nat
dmz1                  dmz2                static
dmz1                  inside              static
dmz2                  outside             nat
dmz2                  dmz1                nat
dmz2                  inside              static
outside               dmz1                static
outside               dmz2                static
outside               inside              static

The rule of thumb is that for access from a higher security level interface to a lower security level interface, use the nat command. From lower security level interface to a higher security level interface, use the static command.
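The following is an added example, not code from the Cisco PIX documentation. It turns the rule of thumb into a function that, given each interface's security level, returns whether nat or static applies (or nothing, for equal levels), regenerates Table 7-1 from the levels the table assumes (dmz1 = 40, dmz2 = 60), and checks a set of nameif levels against the constraints stated in the nameif section. The `sec`/`security` prefix handling follows the example lines in that section; the function names are assumptions for illustration.

```python
# Added example (not from the Cisco PIX documentation): derives the nat /
# static choice from interface security levels and validates nameif levels.
import re

SECURITY_LEVEL = re.compile(r"^(?:sec|security)?(\d{1,3})$")


def parse_nameif(lines):
    """Build {if_name: security_level} from nameif statements.

    Accepts the level as a bare number or with a sec/security prefix,
    as in the reference's 'nameif ethernet2 perimeter1 sec50' example.
    """
    levels = {}
    for line in lines:
        tokens = line.split()
        if len(tokens) != 4 or tokens[0] != "nameif":
            continue
        match = SECURITY_LEVEL.match(tokens[3])
        if not match:
            raise ValueError(f"bad security level in {line!r}")
        levels[tokens[2]] = int(match.group(1))
    return levels


def check_levels(levels):
    """Findings for level assignments that violate the nameif rules."""
    findings = []
    if levels.get("inside") != 100:
        findings.append("inside must be security level 100")
    if levels.get("outside") != 0:
        findings.append("outside must be security level 0")
    for name, level in levels.items():
        if name not in ("inside", "outside") and not 1 <= level <= 99:
            findings.append(f"{name}: perimeter levels must be between 1 and 99")
    seen = {}
    for name, level in levels.items():
        if level in seen:
            findings.append(f"{name} and {seen[level]} share level {level}; "
                            "they cannot communicate")
        seen.setdefault(level, name)
    return findings


def required_command(levels, src, dst):
    """Command family needed for connections initiated on src toward dst."""
    if levels[src] > levels[dst]:
        return "nat"        # higher to lower: nat and global (or static)
    if levels[src] < levels[dst]:
        return "static"     # lower to higher: static plus access-list
    return None             # equal levels: no traffic between them


def access_matrix(levels):
    """Every ordered interface pair mapped to the command it needs (Table 7-1)."""
    return {(src, dst): required_command(levels, src, dst)
            for src in levels for dst in levels if src != dst}


# Interface levels Table 7-1 assumes (dmz1 = 40, dmz2 = 60).
TABLE_7_1_LEVELS = {"inside": 100, "outside": 0, "dmz1": 40, "dmz2": 60}

if __name__ == "__main__":
    for (src, dst), command in sorted(access_matrix(TABLE_7_1_LEVELS).items()):
        print(f"{src:8} -> {dst:8} {command}")
    print(check_levels({"inside": 100, "outside": 0, "dmz1": 50, "dmz2": 50}))
```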

Usage Notes

1. You can enable identity address translation with the nat 0 command. Use this command when you have IP addresses that are the same as those used on more than one interface. Adaptive Security remains in effect with the nat 0 command. The extent to which the inside hosts are accessible from the outside depends on the access-list command statements that permit inbound access.

Addresses on each interface must be on a different subnet. See Appendix D "TCP/IP Reference Information" of the Cisco PIX Firewall and VPN Configuration Guide for more information about subnetting.

The nat 0 10.2.3.0 command means let those IP addresses in the 10.2.3.0 net appear on the outside without translation. All other hosts are translated depending on how their nat command statements appear in the configuration.

2. The nat 1 0 0 command means that all outbound connections can pass through the PIX Firewall with address translation. If you use the nat (inside) 1 0 0 command, users can start connections on any interface with a lower security level, on both perimeter interfaces and the outside interface. With NAT in effect, you must also use the global command statement to provide a pool of addresses through which translated connections pass. In effect, you use the nat command statement to specify from which interface connections can originate and you use the global command statement to determine at which interface connections can occur. The NAT ID must be the same on the nat and global command statements.

3. The nat 1 10.2.3.0 command means that only outbound connections originating from the inside host 10.2.3.0 can pass through the PIX Firewall to go to their destinations with address translation.

4. The PIX Firewall does not support outside NAT for non-H.323 multimedia applications or between overlapping network addresses.

Examples

The nat 0 command requires that traffic initiates from an inside host.

If you want the addresses to be visible from the outside network, use the static command as follows:

nat (inside) 0 209.165.201.0 255.255.255.224
static (inside, outside) 209.165.201.0 209.165.201.0 netmask 255.255.255.224
access-list acl_out permit tcp host 10.0.0.1 209.165.201.0 255.255.255.224 eq ftp
access-group acl_out in interface outside

nat (inside) 0 209.165.202.128 255.255.255.224
static (inside, outside) 209.165.202.128 209.165.202.128 netmask 255.255.255.224
access-list acl_out permit tcp host 10.0.0.1 209.165.202.128 255.255.255.224 eq ftp
access-group acl_out in interface outside
...

The following example shows use of the nat 0 access-list command to permit internal host 10.1.1.15, accessible through the inside interface, "inside," to bypass NAT when connecting to outside host 10.2.1.3.

access-list no-nat permit ip host 10.1.1.15 host 10.2.1.3
nat (inside) 0 access-list no-nat

The following commands will disable all NAT on a PIX Firewall with three interfaces:

access-list all-ip-packet permit ip 0 0 0 0
nat (dmz) 0 access-list all-ip-packet
nat (inside) 0 access-list all-ip-packet

Given outbound traffic and the following example, for the nat command statements with a nat_id of 1, any of the hosts on the 10.1.1.0 network are translated to the range of 209.165.201.25-209.165.201.27, and after all the three addresses have been used, the translation rule starts using 209.165.201.30 as the PAT address. For the nat command statements with a nat_id of 3, all of the hosts on the 10.1.3.0 network are translated to the outside IP address of the FWSM using PAT.

nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 209.165.201.25-209.165.201.27 netmask 255.255.255.224 
global (outside) 1 209.165.201.30

nat (inside) 3 10.1.3.0 255.255.255.0
global (outside) 3 interface

The following example specifies with nat command statements that all the hosts on the 10.0.0.0 and 10.3.3.0 inside networks can start outbound connections. The global command statements create a separate, non-overlapping pool of global addresses for each of those networks.

nat (inside) 1 10.0.0.0 255.0.0.0
global (outside) 1 209.165.201.24-209.165.201.27 netmask 255.255.255.224
global (outside) 1 209.165.201.30

nat (inside) 3 10.3.3.0 255.255.255.0
global (outside) 3 209.165.201.10-209.165.201.23 netmask 255.255.255.224

Related Commands

global

outbound / apply

ntp

Synchronizes the PIX Firewall with a network time server using the Network Time Protocol (NTP). (Configuration mode.)

Configure with the command:
ntp authenticate
ntp authentication-key number md5 value
ntp server ip_address [key number] source if_name [prefer]
ntp trusted-key number

Remove with the command:
no ntp authenticate
no ntp authentication-key number md5 value
no ntp server ip_address
no ntp trusted-key number
clear ntp


Show command options
Show command output

show ntp

Displays the current NTP configuration.

show ntp associations [detail]

Displays the configured network time server associations.

show ntp status

Displays the NTP clock information.


Syntax Description

associations

The network time server associations.

authenticate

Enables NTP authentication. If enabled, the PIX Firewall requires authentication before synchronizing with an NTP server.

authentication-key

Defines the authentication keys for use with other NTP commands.

detail

Provides additional detail on the network time servers.

if_name

Specifies the interface to use to send packets to the network time server.

ip_address

The IP address of the network time server with which to synchronize.

key

Specifies the authentication key.

md5

The encryption algorithm.

number

The authentication key number (1 to 4294967295).

prefer

Designates the network time server specified as the preferred server with which to synchronize time.

server

The network time server.

source

Specifies the network time source.

status

Displays NTP clock information.

trusted-key

Specifies the trusted key against which to authenticate.

value

The key value, an arbitrary string of up to 32 characters. The key value is displayed as "***********" when the configuration is viewed by the write terminal or show tech-support commands.


Usage Guidelines

The ntp command synchronizes the PIX Firewall with the network time server that is specified and authenticates according to the authentication options that are set.

The ntp authenticate command enables NTP authentication.

The clear ntp command removes the NTP configuration, including disabling authentication and removing all authentication keys and NTP server designations.

Usage Notes

1. The authentication keys for the ntp commands are defined in the ntp authentication-key command. If authentication is used, the PIX Firewall and NTP server must be configured with the same key.

2. If authentication is enabled, use the ntp trusted-key command to define one or more key numbers that the NTP server needs to provide in its NTP packets for the PIX Firewall to accept synchronization with the NTP server.

3. The PIX Firewall listens for NTP packets (port 123) only on interfaces that have an NTP server configured through the ntp server command. NTP packets that are not responses from a request by the PIX Firewall are dropped.

Examples

The following are examples of the show ntp commands.

The following is sample output from the show ntp command:

pixfirewall(config)# show ntp
ntp authentication-key 1234 md5 ********
ntp authenticate
ntp trusted-key 1234
ntp server 10.10.1.2 key 1234 source inside prefer
pixfirewall(config)#

The following is sample output from the show ntp associations command:

pixfirewall(config)# show ntp associations
  address           ref clock         st  when  poll reach   delay  offset  disp
 *~172.23.56.249    172.23.56.225     4   113   128  177     4.5   -0.24   125.2
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

The following is sample output from the show ntp associations detail command:

pixfirewall(config)# show ntp associations detail
172.23.56.249 configured, our_master, sane, valid, stratum 4
ref ID 172.23.56.225, time c0212639.2ecfc9e0 (20:19:05.182 UTC Fri Feb 22 2002)
our mode client, peer mode server, our poll intvl 128, peer poll intvl 128
root delay 38.04 msec, root disp 9.55, reach 177, sync dist 156.021
delay 4.47 msec, offset -0.2403 msec, dispersion 125.21
precision 2**19, version 3
org time c02128a9.731f127b (20:29:29.449 UTC Fri Feb 22 2002)
rcv time c02128a9.73c1954b (20:29:29.452 UTC Fri Feb 22 2002)
xmt time c02128a9.6b3f729e (20:29:29.418 UTC Fri Feb 22 2002)
filtdelay =     4.47    4.58    4.97    5.63    4.79    5.52    5.87   0.00
filtoffset =   -0.24   -0.36   -0.37    0.30   -0.17    0.57   -0.74   0.00
filterror =     0.02    0.99    1.71    2.69    3.66    4.64    5.62   16000.0

The following is sample output from the show ntp status command:

pixfirewall(config)# show ntp status
Clock is synchronized, stratum 5, reference is 172.23.56.249
nominal freq is 99.9984 Hz, actual freq is 100.0266 Hz, precision is 2**6
reference time is c02128a9.73c1954b (20:29:29.452 UTC Fri Feb 22 2002)
clock offset is -0.2403 msec, root delay is 42.51 msec
root dispersion is 135.01 msec, peer dispersion is 125.21 msec
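The following is an added example, not code from the Cisco PIX documentation. It serves two passages: the authentication rules in the Usage Notes (authentication-key, trusted-key, and the requirement that both sides share the key) and the show ntp output above. It builds a version 3 NTP client request, appends the symmetric-key authenticator (key identifier followed by the MD5 digest over key and header, the scheme the ntp authentication-key md5 command configures), verifies it the way a receiver with ntp authenticate and ntp trusted-key would, and decodes the hexadecimal timestamps printed by show ntp associations detail into UTC so the sample output can be checked. The key bytes and the exact verification messages are constructed assumptions.

```python
# Added example (not from the Cisco PIX documentation): NTP symmetric-key MD5
# authentication on both sides, plus decoding of show ntp timestamps.
import datetime
import hashlib
import hmac
import struct

NTP_UNIX_OFFSET = 2208988800  # seconds from the NTP era (1900) to the UNIX epoch (1970)
NTP_HEADER_LEN = 48
MAC_LEN = 4 + 16              # key identifier followed by a 16-byte MD5 digest


def ntp_timestamp_to_datetime(hex_timestamp):
    """Convert a 'seconds.fraction' NTP timestamp as shown by show ntp into UTC."""
    seconds_hex, fraction_hex = hex_timestamp.split(".")
    seconds = int(seconds_hex, 16) - NTP_UNIX_OFFSET
    micros = int(fraction_hex, 16) * 10**6 // 2**32
    epoch = datetime.datetime(1970, 1, 1, tzinfo=datetime.timezone.utc)
    return epoch + datetime.timedelta(seconds=seconds, microseconds=micros)


def build_client_packet(transmit_seconds, transmit_fraction=0):
    """48-byte NTP version 3 client request with only the transmit timestamp set."""
    li_vn_mode = (0 << 6) | (3 << 3) | 3               # leap 0, version 3, mode 3 (client)
    head = struct.pack("!BBBb", li_vn_mode, 0, 6, -20)  # stratum, poll, precision
    words = [0] * 11                                    # root delay ... transmit timestamp
    words[9], words[10] = transmit_seconds, transmit_fraction
    return head + struct.pack("!11I", *words)


def append_mac(packet, key_id, key):
    """Sender side: MD5 over key || header, prefixed by the key identifier."""
    digest = hashlib.md5(key + packet).digest()
    return packet + struct.pack("!I", key_id) + digest


def verify_mac(message, keys, trusted_keys):
    """Receiver-side check mirroring ntp authenticate / ntp trusted-key.

    keys maps key id -> key bytes (ntp authentication-key); trusted_keys is the
    set of ids the receiver accepts (ntp trusted-key). Returns (ok, reason).
    """
    if len(message) != NTP_HEADER_LEN + MAC_LEN:
        return False, "no authenticator present"
    header, authenticator = message[:NTP_HEADER_LEN], message[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", authenticator[:4])[0]
    if key_id not in trusted_keys:
        return False, "key id not in trusted-key list"
    key = keys.get(key_id)
    if key is None:
        return False, "no authentication-key defined for this id"
    expected = hashlib.md5(key + header).digest()
    if not hmac.compare_digest(expected, authenticator[4:]):
        return False, "digest mismatch"
    return True, "ok"


# Constructed key material; the real key value is masked in show ntp output.
KEYS = {1234: b"example-shared-secret"}
TRUSTED = {1234}

if __name__ == "__main__":
    print(ntp_timestamp_to_datetime("c0212639.2ecfc9e0"))   # ref time from the sample output
    request = append_mac(build_client_packet(0xC02128A9), 1234, KEYS[1234])
    print(verify_mac(request, KEYS, TRUSTED))
```

Decoding c0212639.2ecfc9e0 gives 20:19:05.182 UTC on 22 February 2002, matching the ref time in the show ntp associations detail output; a packet signed with a key whose id is not in the trusted-key set is rejected even when the digest is correct.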

Related Commands

clear

debug

show

object-group

Defines object groups that you can use to optimize your configuration. Objects such as hosts, protocols, or services can be grouped, and then you can issue a single command using the group name to apply to every item in the group. (Configuration mode.)

[no] object-group icmp-type grp_id

ICMP type group subcommands:
description description_text
icmp-object icmp_type
group-object grp_id

[no] object-group network grp_id

network group subcommands:
description description_text
network-object host host_addr
network-object net_addr netmask
group-object grp_id

[no] object-group protocol grp_id

protocol group subcommands:
description description_text
protocol-object protocol
group-object grp_id

[no] object-group service grp_id {tcp | udp | tcp-udp}

service group subcommands:
description description_text
port-object range begin_service end_service
port-object eq service
group-object grp_id

clear object-group [grp_type]

show object-group [id grp_id | grp_type]


Note Enter no in front of a subcommand to remove the configuration within an object group.


Syntax Description

begin_service

Used with the range keyword, the decimal number or name of a TCP or UDP port that is the beginning value for a range of services.

description description_text

A subcommand of the object-group command that enables users to add a description of up to 200 characters to an object-group. The starting position of the description text is the character right after the whitespace (a blank or a tab) following the description keyword.

end_service

Used with the range keyword, the decimal number or name of a TCP or UDP port that is the ending value for a range of services.

eq service

Specifies the decimal number or name of a TCP or UDP port for a particular service object.

group-object

The group-object subcommand is used to add a group of objects that are themselves members of another object group.

grp_id

Required parameter that identifies the object group (one to 64 characters). Can be any combination of letters, digits, and the "_", "-", "." characters.

grp_type

The type of group, either ICMP type, network, protocol, or service.

host

Keyword used with the host_addr parameter to define a host object.

host_addr

The host IP address or host name (if the host name is already defined using the name command).

icmp-object

The object-group icmp-type subcommand used to add ICMP objects to an ICMP-type object group.

icmp-type

Defines a group of ICMP types such as echo and echo-reply. After entering the main object-group icmp-type command, add ICMP objects to the ICMP type group with the icmp-object and group-object subcommands.

icmp_type

The decimal number or name of an ICMP type.

net_addr

The network address. Used with netmask to define a subnet object.

netmask

The netmask. Used with net_addr to define a subnet object.

network

Defines a group of hosts or subnet IP addresses. After entering the main object-group network command, add network objects to the network group with the network-object and group-object subcommands.

network-object

The object-group network subcommand used to add network objects to a network object group.

obj_grp_id

The name of a previously defined object group. For object groups to be grouped together, they must be of the same type. For example, you can group two or more network object groups together, but you cannot group a protocol group and a network group together.

object-group

The main object grouping command. The keyword after it specifies the type of object group that is being defined. After entering this main command with the type indicator keyword, you are in subcommand mode where you explicitly define individual group members using the object-group subcommands.

port-object

The object-group service subcommand used to add port objects to a service object group.

protocol

Defines a group of protocols such as TCP and UDP. After entering the main object-group protocol command, add protocol objects to the protocol group with the protocol-object and group-object subcommands.

protocol

The protocol name or number. (For example, UDP is 17 and TCP is 6.)

protocol-object

The object-group protocol subcommand used to add protocol objects to a protocol object group.

range

Keyword indicating that the range parameters follow.

service

Defines a group of TCP/UDP port specifications such as "eq smtp" and "range 2000 2010." After entering the main object-group service command, add port objects to the service group with the port-object and group-object subcommands.

tcp

Specifies that the service group is used for TCP.

tcp-udp

Specifies that the service group can be used for both TCP and UDP.

udp

Specifies that the service group is used for UDP.


Usage Guidelines

When a group is defined with the object-group command and then used in a PIX Firewall command, the command applies to every item in that group. This can significantly reduce your configuration size.

Once an object group is defined, the keyword object-group must be used before the group name in all applicable PIX Firewall commands. For example,

show object-group group_name

where group_name is the name of the group.

The following are two examples of the use of an object group once it is defined:

conduit permit tcp object-group group_name any
access-list acl_name permit tcp any object-group group_name

Additionally, the access-list and conduit command parameters can be replaced by object groups as shown in Table 7-2.

Table 7-2 Object Groups to Replace Individual Parameters

Instead of using individual parameters...    ...use the following object group:
protocol                                     object-group protocol
host and subnet                              object-group network
service                                      object-group service
icmp_type                                    object-group icmp-type


You can group commands hierarchically; an object group can be a member of another object group.

To use object groups, you must do the following:

1. The keyword object-group must be used before the object group name in all commands. For example:

access-list acl permit tcp object-group remotes object-group locals object-group eng_svc

where remotes and locals are sample object group names.

2. The object group must be non-empty.

3. An object group cannot be removed or emptied if it is currently being used in a command.

After a main object-group command is entered, the command mode changes to its corresponding subcommand mode. The object group is then defined in the subcommand mode. The active mode is indicated in the command prompt format. For example, the prompt in the configuration terminal mode appears as follows:

pix_name (config)#

where pix_name is the name of the PIX Firewall.

However, when the object-group command is entered, the prompt appears as follows:

pix_name (config-type)#

where pix_name is the name of the PIX Firewall and type is the object-group type.

Use exit, quit, or any valid config-mode command such as access-list to close an object-group subcommand mode and exit the object-group main command.

Use the no object-group command form to remove a group of previously defined object-group commands. The clear object-group command form can also be used.

The show object-group command displays all defined object groups by their grp_id when the show object-group id grp_id command form is entered, and by their group type when the show object-group grp_type command form is entered. When you enter show object-group without a parameter, all defined object groups are shown.

When entered without a parameter, the clear object-group command removes all defined object groups that are not being used in a command. Using the grp_type parameter removes all defined object groups of that group type only, again skipping any group that is being used in a command.

For use in the object-group icmp-type command, Table 7-3 lists ICMP type numbers and names:

Table 7-3 ICMP Types

Number   Name of ICMP Type
0        echo-reply
3        unreachable
4        source-quench
5        redirect
6        alternate-address
8        echo
9        router-advertisement
10       router-solicitation
11       time-exceeded
12       parameter-problem
13       timestamp-request
14       timestamp-reply
15       information-request
16       information-reply
17       mask-request
18       mask-reply
31       conversion-error
32       mobile-redirect


Usage Notes

1. You can use all other PIX Firewall commands in subcommand mode, including the show and clear commands.

2. Subcommands appear indented when displayed or saved by the show config, write, or config commands.

3. Subcommands have the same command privilege level as the main command.

4. When more than one object group is used in an access-list or conduit command, the elements of all object groups used in the command are cross-concatenated: every element of the first group is concatenated with every element of the second group, each of those combinations is then concatenated with every element of the third group, and so on. The number of resulting entries is therefore the product of the group sizes.

Examples

The following example shows how to use the object-group icmp-type subcommand mode to create a new icmp-type object group:

(config)# object-group icmp-type icmp-allowed
(config-icmp-type)#icmp-object echo
(config-icmp-type)#icmp-object time-exceeded
(config-icmp-type)#exit

The following example shows how to use the object-group network subcommand to create a new network object group:

(config)# object-group network sjc_eng_ftp_servers
(config-network)#network-object host sjc.eng.ftp.servcers 
(config-network)#network-object host 172.23.56.194 
(config-network)#network-object 192.1.1.0 255.255.255.224 
(config-network)#exit

The following example shows how to use the object-group network subcommand to create a new network object group that includes an existing object group as a member:

(config)# object-group network sjc_ftp_servers
(config-network)#network-object host sjc.ftp.servers 
(config-network)#network-object host 172.23.56.195 
(config-network)#network-object 193.1.1.0 255.255.255.224 
(config-network)#group-object sjc_eng_ftp_servers 
(config-network)#exit

The following example shows how to use the object-group protocol subcommand mode to create a new protocol object group:

(config)# object-group protocol proto_grp_1
(config-protocol)#protocol-object udp
(config-protocol)#protocol-object ipsec
(config-protocol)#exit

(config)# object-group protocol proto_grp_2
(config-protocol)#protocol-object tcp
(config-protocol)#group-object proto_grp_1
(config-protocol)#exit

The following example shows how to use the object-group service subcommand mode to create a new port (service) object group:

(config)# object-group service eng_service tcp
(config-service)#group-object eng_www_service
(config-service)#port-object eq ftp
(config-service)#port-object range 2000 2005
(config-service)#exit

The following example shows how to use the group-object subcommand to create a new object group that consists of previously defined object groups:

(config)# object-group network host_grp_1
(config-network)# network-object host 192.168.1.1
(config-network)# network-object host 192.168.1.2
(config-network)# exit

(config)# object-group network host_grp_2
(config-network)# network-object host 172.23.56.1
(config-network)# network-object host 172.23.56.2
(config-network)# exit

(config)# object-group network all_hosts
(config-network)# group-object host_grp_1
(config-network)# group-object host_grp_2
(config-network)# exit

(config)# access-list grp_1 permit tcp object-group host_grp_1 any eq ftp
(config)# access-list grp_2 permit tcp object-group host_grp_2 any eq smtp
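As an added example that is not part of the Cisco reference, the following Python script expands an access-list line that references object groups into the individual entries the firewall derives from it, following the same-type nesting rule for group-object and the cross-concatenation rule in Usage Note 4. The GROUPS table (which mirrors the groups defined in the examples above), the field layout of expand_ace and the access-list names passed to it are assumptions made for illustration; this is useful when auditing how many concrete permit entries a compact object-group configuration actually creates.

```python
from itertools import product

# Constructed object groups keyed by (grp_type, grp_id), mirroring the groups in
# the Examples above. A member is a literal string, or ("group", grp_id) for a
# nested group added with the group-object subcommand.
GROUPS = {
    ("network", "host_grp_1"): ["host 192.168.1.1", "host 192.168.1.2"],
    ("network", "host_grp_2"): ["host 172.23.56.1", "host 172.23.56.2"],
    ("network", "all_hosts"): [("group", "host_grp_1"), ("group", "host_grp_2")],
    ("protocol", "proto_grp_1"): ["udp", "ipsec"],
    ("protocol", "proto_grp_2"): ["tcp", ("group", "proto_grp_1")],
    ("service", "eng_service"): ["eq ftp", "range 2000 2005"],
}

def expand_group(grp_type, grp_id, seen=()):
    """Flatten one group, following nested group-object references of the same type."""
    if grp_id in seen:
        raise ValueError(f"circular group-object reference via {grp_id}")
    members = GROUPS.get((grp_type, grp_id))
    if not members:  # the PIX requires every referenced object group to be non-empty
        raise ValueError(f"object-group {grp_type} {grp_id} is empty or undefined")
    flat = []
    for member in members:
        if isinstance(member, tuple):  # ("group", nested_id)
            flat.extend(expand_group(grp_type, member[1], seen + (grp_id,)))
        else:
            flat.append(member)
    return flat

def _choices(grp_type, field):
    """A literal field contributes itself; a group reference contributes all its members."""
    return expand_group(grp_type, field[1]) if isinstance(field, tuple) else [field]

def expand_ace(acl_name, protocol, source, destination, dst_port=None):
    """Return the concrete access-list entries one access-list line stands for."""
    # Fields are literals ("tcp", "any", "eq smtp") or ("group", grp_id); group
    # members are cross-concatenated in field order, as Usage Note 4 describes.
    columns = [_choices("protocol", protocol), _choices("network", source),
               _choices("network", destination)]
    if dst_port is not None:
        columns.append(_choices("service", dst_port))
    return [f"access-list {acl_name} permit " + " ".join(combo)
            for combo in product(*columns)]

if __name__ == "__main__":
    # 1 protocol x 4 hosts (all_hosts) x 1 destination x 2 ports = 8 entries
    for ace in expand_ace("eng", "tcp", ("group", "all_hosts"), "any",
                          ("group", "eng_service")):
        print(ace)
```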