Table Of Contents
M through R Commands
mroute
Configures a static multicast route. (Configuration mode.)
mroute src smask in-if-name dst dmask out-if-name
no mroute src smask in-if-name dst dmask out-if-name
show mroute [dst [src]]
Displays the current multicast route table.
Syntax Description
Usage Guidelines
The mroute command supports routing multicast traffic through the PIX Firewall.
Examples
In the following example, the multicast sources are the inside interface and DMZ with no internal receivers:
multicast interface outsidemulticast interface insidemulticast interface dmzmroute 1.1.1.1 255.255.255.255 inside 230.1.1.2 255.255.255.255 outsidemroute 2.2.2.2 255.255.255.255 dmz 230.1.1.2 255.255.255.255 outsidemulticast
Enables multicast traffic to pass through the PIX Firewall. Includes an igmp subcommand mode for multicast support. (Configuration mode.)
Syntax Description
Usage Guidelines
The multicast command supports routing multicast traffic through the PIX Firewall.
The PIX Firewall igmp commands are subcommands of the multicast command.
The clear igmp [group | interface interface_name] command clears IGMP entries.
Note
The PIX Firewall acts as an IGMP proxy but is not a multicast router.
Examples
The following example shows use of the multicast command with corresponding igmp subcommands:
multicast interface outsidemulticast interface insideigmp forward interface outsideigmp join-group 224.1.1.1The following is an example of the show igmp command:
pixfirewall(config)# show igmpIGMP is enabled on interface insideCurrent IGMP version is 2IGMP query interval is 60 secondsIGMP querier timeout is 125 secondsIGMP max query response time is 10 secondsLast member query response interval is 1 secondsInbound IGMP access group isIGMP activity: 0 joins, 0 leavesIGMP querying router is 10.1.3.1 (this system)IGMP Connected Group MembershipGroup Address Interface Uptime Expires Last Reportedmtu
Specify the maximum transmission unit (MTU) for an interface. (Configuration mode.)
Syntax Description
Usage Guidelines
The mtu command sets the size of data sent on a connection. Data larger than the maximum transmission unit (MTU) value is fragmented before being sent. The minimum value for bytes is 64 and the maximum is 65,535 bytes.
For PIX Firewall software version 6.2, MTU size must be greater than or equal to 1500 for the Stateful Failover link and greater than or equal to 576 for the LAN-based failover link.
For PIX Firewall software versions 5.2 through 6.1, MTU size must be greater than or equal to 256 bytes for the Stateful Failover link.
PIX Firewall supports the IP Path MTU Discovery mechanism, as defined in RFC 1191. IP Path MTU Discovery allows a host to dynamically discover and cope with differences in the maximum allowable maximum transmission unit (MTU) size of the various links along the path. Sometimes a PIX Firewall is unable to forward a datagram because it requires fragmentation (the packet is larger than the MTU you set for the interface), but the "don't fragment" (DF) bit is set. The network software sends a message to the sending host, alerting it to the problem. The host will have to fragment packets for the destination so that they fit the smallest packet size of all the links along the path.
For Ethernet interfaces, the default MTU is 1500 bytes in a block, which is also the maximum. This value is sufficient for most applications, but you can pick a lower number if network conditions warrant it.
The no mtu command resets the MTU block size to 1500 for Ethernet interfaces. The show mtu command displays the current block size. The show interface command also shows the MTU value.
Examples
The following example shows the use of the mtu command with Ethernet:
interface ethernet0 automtu inside 8192show mtumtu outside 1500mtu inside 8192name / names
Associate a name with an IP address. (Configuration mode.)
name ip_address name
no name [ip_address name]
clear names
names
no names
clear names
show names
Displays the name command statements in the configuration.
Syntax Description
Usage Guidelines
Use the name command to identify a host by a text name. The names you define become like a host table local to the PIX Firewall. Because there is no connection to DNS or /etc/hosts on UNIX servers, use of this command is a mixed blessing—it makes configurations much more readable but introduces another level of abstraction to administer; not only do you have to add and delete IP addresses to your configuration as you do now, but with this command, you mustyou must ensure that the host names either match existing names or you have a map to list the differences.
The name command maps text strings to IP addresses. The clear names command clears the list of names from the PIX Firewall configuration. The no names command disables the use of the text names, but does not remove them from the configuration. The show names command lists the name command statements in the configuration.
Usage Notes
1.
2.
3.
4.
5.
name 255.255.255.0 class-C-mask
Note
Examples
In the example that follows, the names command enables use of the name command. The name command substitutes pix_inside for references to 192.168.42.3, and pix_outside for 209.165.201.3. The ip address commands use these names while assigning IP addresses to the network interfaces. The no names command disables the name command values from displaying. Subsequent use of the names command restores their display.
pixfirewall(config)# namespixfirewall(config)# name 192.168.42.3 pix_insidepixfirewall(config)# name 209.165.201.3 pix_outsidepixfirewall(config)# ip address inside pix_inside 255.255.255.0pixfirewall(config)# ip address outside pix_outside 255.255.255.224pixfirewall(config)# show ip addressSystem IP Addresses:inside ip address pix_inside mask 255.255.255.0outside ip address pix_outside mask 255.255.255.224pixfirewall(config)# no namespixfirewall(config)# show ip addressSystem IP Addresses:inside ip address 192.168.42.3 mask 255.255.255.0outside ip address 209.165.201.3 mask 255.255.255.224pixfirewall(config)# namespixfirewall(config)# show ip addressSystem IP Addresses:inside ip address pix_inside mask 255.255.255.0outside ip address pix_outside mask 255.255.255.224pixfirewall(config)# show namesSystem IP Addresses:name 192.168.42.3 pix_insidename 209.165.201.3 pix_outsidenameif
Name interfaces and assign security level. (Configuration mode.)
nameif hardware_id if_name security_level
clear nameif
Syntax Description
Usage Guidelines
The nameif command lets you assign a name to an interface. You can use this command to assign interface names if you have more than two network interface circuit boards in your PIX Firewall. The first two interfaces have the default names inside and outside. The inside interface has a default security level of 100, the outside interface has a default security level of 0. The clear nameif command reverts nameif command statements to default interface names and security levels.
Usage Notes
1.
2.
3.
4.
Examples
The following example shows use of the nameif command:
nameif ethernet2 perimeter1 sec50nameif ethernet3 perimeter2 sec20Related Commands
nat
Associate a network with a pool of global IP addresses. (Configuration mode.)
show nat
Displays the nat command statements in the current configuration.
Syntax Description
Usage Guidelines
The nat command lets you enable or disable address translation for one or more internal addresses. Address translation means that when a host starts an outbound connection, the IP addresses in the internal network are translated into global addresses. Network Address Translation (NAT) allows your network to have any IP addressing scheme and the PIX Firewall protects these addresses from visibility on the external network.
Note
The nat if_name 0 access-list acl_name command lets you exempt traffic that is matched by the access-list command statements from the NAT services. Adaptive Security remains in effect with the nat 0 access-list command. The extent to which the inside hosts are accessible from the outside depends on the access-list command statements that permit inbound access. The if_name is the higher security level interface name. The acl_name is the name you use to identify the access-list command statement.
With PIX Firewall software version 5.3 and higher, there is no longer a restriction on having the nat 0 command (Identity NAT) and the nat 0 access-list command configured at the same time. Both the nat 0 command and the nat 0 access-list command may be configured concurrently.
The access-list option changes the behavior of the nat 0 command. (Without the access-list option, the command is backward compatible with previous versions.) The nat 0 command implemented the identity feature; this new version of the command disables NAT. Specifically, the new behavior disables proxy ARPing for the IP addresses in the nat 0 command statement.
Note
access-list no-nat permit tcp host xx.xx.xx.xx host yy.yy.yy.yy
nat (inside) 0 access-list no-natAfter changing or removing a nat command statement, use the clear xlate command.
The connection limit lets you set the maximum number of outbound connections that can be started with the IP address criteria you specify. The embryonic connection limit lets you prevent a type of attack where processes are started without being completed. An embryonic connection is a connection that someone attempted but has not completed and has not yet seen data. Every connection is embryonic until it sets up.
You can use the no nat command to remove a nat command statement.
The nat outside option lets you enable or disable outside NAT, which address translates the source address of a connection coming from a lower security interface to higher interface. This feature is also called Bi-Directional NAT. By default, address translation occurs only for host addresses on the higher security or "inside" interface.
Note
Use a natid of 0 with the outside option to disable address translation for host addresses on the lower security interface. Use this option only if outside dynamic NAT is configured on the interface. By default, address translation is automatically disabled for hosts connected to the lower security interface.
Table 7-1 helps you decide when to use the nat or static commands for access between the various interfaces in the PIX Firewall. For this table, assume that the security levels are 40 for dmz1 and 60 for dmz2.
The rule of thumb is that for access from a higher security level interface to a lower security level interface, use the nat command. From lower security level interface to a higher security level interface, use the static command.
Usage Notes
1.
Addresses on each interface must be on a different subnet. See Appendix D "TCP/IP Reference Information" of the Cisco PIX Firewall and VPN Configuration Guide for more information about subnetting.
The nat 0 10.2.3.0 command means let those IP addresses in the 10.2.3.0 net appear on the outside without translation. All other hosts are translated depending on how their nat command statements appear in the configuration.
2.
3.
4.
Examples
The nat 0 command requires that traffic initiates from an inside host.
If you want the addresses to be visible from the outside network, use the static command as follows:
nat (inside) 0 209.165.201.0 255.255.255.224static (inside, outside) 209.165.201.0 209.165.201.0 netmask 255.255.255.224access-list acl_out permit host 10.0.0.1 209.165.201.0 255.255.255.224 eq ftpaccess-group acl_out in interface outsidenat (inside) 0 209.165.202.128 255.255.255.224static (inside, outside) 209.165.202.128 209.165.202.128 netmask 255.255.255.224access-list acl_out permit tcp host 10.0.0.1 209.165.202.128 255.255.255.224 eq ftpaccess-group acl_out in interface outside...The following example shows use of the nat 0 access-list command to permit internal host 10.1.1.15, accessible through the inside interface, "inside," to bypass NAT when connecting to outside host 10.2.1.3.
access-list no-nat permit ip host 10.1.1.15 host 10.2.1.3nat (inside) 0 access-list no-natThe following commands will disable all NAT on a PIX Firewall with three interfaces:
access-list all-ip-packet permit ip 0 0 0 0nat (dmz) 0 access-list all-ip-packetnat (inside) 0 access-list all-ip-packetGiven outbound traffic and the following example, for the nat command statements with a nat_id of 1, any of the hosts on the 10.1.1.0 network are translated to the range of 209.165.201.25-209.165.201.27, and after all the three addresses have been used, the translation rule starts using 209.165.201.30 as the PAT address. For the nat command statements with a nat_id of 3, all of the hosts on the 10.1.3.0 network are translated to the outside IP address of the FWSM using PAT.
nat (inside) 1 10.1.1.0 255.255.255.0global (outside) 1 209.165.201.25-209.165.201.27 netmask 255.255.255.224global (outside) 1 209.165.201.30nat (inside) 3 10.1.3.0 255.255.255.0global (outside) 3 interfaceThe following example specifies with nat command statements that all the hosts on the 10.0.0.0 and 10.3.3.0 inside networks can start outbound connections. The global command statements create unique pools of global addresses for those hosts that cannot overlap.
nat (inside) 1 10.0.0.0 255.0.0.0global (outside) 1 209.165.201.24-209.165.201.27 netmask 255.255.255.224global (outside) 1 209.165.201.30nat (inside) 3 10.3.3.0 255.255.255.0global (outside) 3 209.165.201.10-209.165.201.23 netmask 255.255.255.224Related Commands
ntp
Synchronizes the PIX Firewall with a network time server using the Network Time Protocol (NTP). (Configuration mode.)
Syntax Description
Usage Guidelines
The ntp command synchronizes the PIX Firewall with the network time server that is specified and authenticates according to the authentication options that are set.
The ntp authenticate command enables NTP authentication.
The clear ntp command removes the NTP configuration, including disabling authentication and removing all authentication keys and NTP server designations.
Usage Notes
1.
2.
3.
Examples
The following are examples of the show ntp commands.
The following is sample output from the show ntp command:
pixfirewall(config)# show ntpntp authentication-key 1234 md5 ********ntp authenticatentp trusted-key 1234ntp server 10.10.1.2 key 1234 source inside preferpixfirewall(config)#The following is sample output from the show ntp associations command:
pixfirewall(config)# show ntp associationsaddress ref clock st when poll reach delay offset disp*~172.23.56.249 172.23.56.225 4 113 128 177 4.5 -0.24 125.2* master (synced), # master (unsynced), + selected, - candidate, ~ configuredThe following is sample output from the show ntp associations detail command:
pixfirewall(config)# show ntp associations detail172.23.56.249 configured, our_master, sane, valid, stratum 4ref ID 172.23.56.225, time c0212639.2ecfc9e0 (20:19:05.182 UTC Fri Feb 22 2002)our mode client, peer mode server, our poll intvl 128, peer poll intvl 128root delay 38.04 msec, root disp 9.55, reach 177, sync dist 156.021delay 4.47 msec, offset -0.2403 msec, dispersion 125.21precision 2**19, version 3org time c02128a9.731f127b (20:29:29.449 UTC Fri Feb 22 2002)rcv time c02128a9.73c1954b (20:29:29.452 UTC Fri Feb 22 2002)xmt time c02128a9.6b3f729e (20:29:29.418 UTC Fri Feb 22 2002)filtdelay = 4.47 4.58 4.97 5.63 4.79 5.52 5.87 0.00filtoffset = -0.24 -0.36 -0.37 0.30 -0.17 0.57 -0.74 0.00filterror = 0.02 0.99 1.71 2.69 3.66 4.64 5.62 16000.0The following is sample output from the show ntp status command:
pixfirewall(config)# show ntp statusClock is synchronized, stratum 5, reference is 172.23.56.249nominal freq is 99.9984 Hz, actual freq is 100.0266 Hz, precision is 2**6reference time is c02128a9.73c1954b (20:29:29.452 UTC Fri Feb 22 2002)clock offset is -0.2403 msec, root delay is 42.51 msecroot dispersion is 135.01 msec, peer dispersion is 125.21 msecRelated Commands
•
object-group
Defines object groups that you can use to optimize your configuration. Objects such as hosts, protocols, or services can be grouped, and then you can issue a single command using the group name to apply to every item in the group. (Configuration mode.)
[no] object-group icmp-type grp_id
ICMP type group subcommands:
description description_text
icmp-object icmp_type
group-object grp_id[no] object-group network grp_id
network group subcommands:
description description_text
network-object host host_addr
network-object host_addr netmask
group-object grp_id[no] object-group protocol grp_id
protocol group subcommands:
description description_text
protocol-object protocol
group-object grp_id[no] object-group service grp_id {tcp | udp | tcp-udp}
service group subcommands:
description description_text
port-object range begin_service end_service
port-object eq service
group-object grp_idclear object-group [grp_type]
show object-group [id grp_id | grp_type]
Note
Syntax Description
Usage Guidelines
When a group is defined with the object-group command and then used in a PIX Firewall command, the command applies to every item in that group. This can significantly reduce your configuration size.
Once an object group is defined, the keyword object-group must be used before the group name in all applicable PIX Firewall commands. For example,
show object-group group_namewhere group_name is the name of the group.
The following are two examples of the use of an object group once it is defined:
conduit permit tcp object-group group_name anyaccess-list acl_name permit tcp any object-group group_nameAdditionally, the access-list and conduit command parameters can be grouped as follows in Table 7-2.
You can group commands hierarchically; an object group can be a member of another object group.
To use object groups, you must do the following:
•
For example:
access-list acl permit tcp object-group remotes object-group locals object-group eng_svcwhere remotes and locals are sample object group names.
•
•
After a main object-group command is entered, the command mode changes to its corresponding subcommand mode. The object group is then defined in the subcommand mode. The active mode is indicated in the command prompt format. For example, the prompt in the configuration terminal mode appears as follows:
pix_name (config)#where pix_name is the name of the PIX Firewall.
However, when the object-group command is entered, the prompt appears as follows:
pix_name (config-type)#where pix_name is the name of the PIX Firewall and type is the object-group type.
Use exit, quit, or any valid config-mode command such as access-list to close an object-group subcommand mode and exit the object-group main command.
Use the no object-group command form to remove a group of previously defined object-group commands. The clear object-group command form can also be used.
The show object-group command displays all defined object groups by their grp_id when the show object-group id grp_id command form is entered, and by their group type when the show object-group grp_type command form is entered. When you enter show object-group without a parameter, all defined object groups are shown.
When entered without a parameter, the clear object-group command removes all defined object groups that are not being used in a command. Using grp_type parameter removes all defined object groups that that are not being used in a command for that group type only.
For use in the object-group icmp-type command, Table 7-3 lists ICMP type numbers and names:
Usage Notes
1.
2.
3.
4.
Examples
The following example shows how to use the object-group icmp-type subcommand mode to create a new icmp-type object group:
(config)# object-group icmp-type icmp-allowed(config-icmp-type)#icmp-object echo(config-icmp-type)#icmp-object time-exceeded(config-icmp-type)#exitThe following example shows how to use the object-group network subcommand to create a new network object group:
(config)# object-group network sjc_eng_ftp_servers(config-network)#network-object host sjc.eng.ftp.servcers(config-network)#network-object host 172.23.56.194(config-network)#network-object 192.1.1.0 255.255.255.224(config-network)#exitThe following example shows how to use the object-group network subcommand to create a new network object group and map it to a existing object-group:
(config)# object-group network sjc_ftp_servers(config-network)#network-object host sjc.ftp.servers(config-network)#network-object host 172.23.56.195(config-network)#network-object 193.1.1.0 255.255.255.224(config-network)#group-object sjc_eng_ftp_servers(config-network)#exitThe following example shows how to use the object-group protocol subcommand mode to create a new protocol object group.
(config)# object-group protocol proto_grp_1(config-protocol)#protocol-object udp(config-protocol)#protocol-object ipsec(config-protocol)#exit(config)# object-group protocol proto_grp_2(config-protocol)#protocol-object tcp(config-protocol)#group-object proto_grp_1(config-protocol)#exitThe following example shows how to use the object-group service subcommand mode to create a new port (service) object group.
(config)# object-group service eng_service tcp(config-service)#group-object eng_www_service(config-service)#port-object eq ftp(config-service)#port-object range 2000 2005(config-service)#exitThe following example shows how to use the group-object subcommand mode to create a new object group that consists of previously defined objects:
(config)# object-group network host_grp_1(config-network)# network-object host 192.168.1.1(config-network)# network-object host 192.168.1.2(config-network)# exit(config)# object-group network host_grp_2(config-network)# network-object host 172.23.56.1(config-network)# network-object host 172.23.56.2(config-network)# exit(config)# object-group network all_hosts(config-network)# group-object host_grp_1(config-network)# group-object host_grp_2(config-network)# exit(config)# access-list grp_1 permit tcp object-group host_grp_1 any eq ftp(config)# access-list grp_2 permit tcp object-group host_grp_2 any eq smtp(config)# access-list all permit tcp object-group all_hosts any eq wwwAs shown in this example, without the group-object command the all_hosts group has to be defined to include all the IP addresses that have already defined in host_grp_1 and host_grp_2, but with the group-object command, the duplicated definitions of the hosts are eliminated.
The following example illustrates how use object groups to simplify access list configuration:
object-group network remotenetwork-object host kqk.suu.dri.ixxnetwork-object host kqk.suu.pyl.gnlobject-group network localsnetwork-object host 172.23.56.10network-object host 172.23.56.20network-object host 172.23.56.194network-object host 172.23.56.195object-group service eng_svc ftpport-object eq wwwport-object eq smtpport-object range 25000 25100This grouping then enables the access list to be configured in one line instead of 24 lines, which would be needed if no grouping is used. Instead, with the grouping, the access list configuration is as follows:
access-list acl permit tcp object-group remote object-group locals object-group eng_svc
Note
outbound / apply
Create an access list for controlling Internet use. (Configuration mode.)
Syntax Description
apply
Specifies whether the access control list applies to inside users' ability to start outbound connections with apply command's outgoing_src option, or whether the access list applies to inside users' ability to access servers on the outside network with the apply command's outgoing_dest option.
clear apply
Removes all the apply command statements from the configuration.
clear outbound
Removes all outbound command statements from the configuration.
deny
Deny the access list access to the specified IP address and port.
except
Create an exception to a previous outbound command. An except command statement applies to permit or deny command statements only with the same access list ID.
When used with apply outgoing_src, the IP address of an except command statement applies to the destination address.
When used with apply outgoing_dest, the IP address of an except command statement applies to the source address.
See "Outbound List Rules" for more information.
if_name
The network interface originating the connection.
ip_address
The IP address for this access list entry. Do not specify a range of addresses. The 0.0.0.0 ip_address can be abbreviated as 0.
list_ID
A tag number for the access list. The access list number you use must be the same for the apply and outbound commands. This value must be a positive number from 1 to 1599. This number can be the same as what you use with the nat and global commands. This number is just an arbitrary number that groups outbound command statements to an apply command statement. List_IDs are processed sequentially in descending order.
For more information, see "Outbound List Rules."
netmask
The network mask for comparing with the IP address; 255.255.255.0 causes the access list to apply to an entire Class C address. 0.0.0.0 indicates all access. The 0.0.0.0 netmask can be abbreviated as 0.
no outbound
Removes a single outbound command statement from the configuration.
no apply
Removes a single apply command statement from the configuration.
outbound
The outbound command, in conjunction with the apply command, uses access lists to control a filtering function on outgoing packets from the PIX Firewall. The filters can be based on the source IP address, the destination IP address, and the destination port/protocol as specified by the rules.
The use of an outbound command requires use of the apply command. The apply command lets you specify whether the access control list applies to inside users' ability to start outbound connections with the apply command's outgoing_src option, or whether the access list applies to inside users' ability to access servers on the outside network with the apply command's outgoing_dest option.
For more information, see "Outbound List Rules" and the access-list command. The outbound command has been superseded by the access-list command.
outgoing_dest
Deny or permit access to an external IP address using the service(s) specified in the outbound command.
outgoing_src
Deny or permit an internal IP address the ability to start outbound connections using the service(s) specified in the outbound command.
permit
Allow the access list to access the specified IP address and port.
port
A port or range of ports that the access list is permitted or denied access to. See the "Ports" section in "Using PIX Firewall Commands" for a list of valid port literal names.
protocol
Limit outbound access to udp, tcp, or icmp protocols. If a protocol is not specified, the default is tcp.
Usage Guidelines
The outbound command creates an access list that lets you specify the following:
•
•
•
•
Outbound lists are filters on outgoing packets from the PIX Firewall. The filter can be based on the source IP address, the destination IP address, and the destination port/protocol as specified by the rules. The use of an outbound command requires use of the apply command. The apply command enables you to specify whether the access control list applies to inside users' ability to start outbound connections with apply command's outgoing_src option, or whether the access list applies to inside users' ability to access servers on the outside network with the apply command's outgoing_dest option.
Note
The java option has been replaced by the filter java command.After adding, removing, or changing outbound command statements, use the clear xlate command.
Use the no outbound command to remove a single outbound command statement from the configuration. Use the clear outbound command to remove all outbound command statements from the configuration. The show outbound command displays the outbound command statements in the configuration.
Use the no apply command to remove a single apply command statement from the configuration. Use the clear apply command statement to remove all the apply command statements from the configuration. The show apply command displays the apply command statements in the configuration.
Outbound List Rules
Rules, written as outbound list_ID... command statements are global to the PIX Firewall, they are activated by apply list_ID outgoing_src | outgoing_dest command statements. When applied to outgoing_src, the source IP address, the destination port, and protocol are filtered. When applied to outgoing_dest, the destination IP address, port, and protocol are filtered.
The outgoing_src option and outgoing_dest outbound lists are filtered independently. If any one of the filters contain the deny option, the outbound packet is denied. When multiple rules are used to filter the same packet, the best matched rule takes effect. The best match is based on the IP address mask and the port range check. More strict IP address masks and smaller port ranges are considered a better match. If there is a tie, a permit option overrides a deny option.
Rules are grouped by a list_ID. Within each list_ID, except rules (that is, outbound n except ...) can be set. The except option reverses the best matched rule of deny or permit. In addition, PIX Firewall filters the specified IP address and mask in the rule for the destination IP address of the outbound packet if the list is applied to the outbound_src. Alternatively, PIX Firewall filters the source IP address if the list is applied to the outgoing_dest. Furthermore, the except rules only apply to rules with the same list_ID. A single except rule within a list_ID without another permit or deny rule has no effect. If multiple except rules are set, the best match is checked for which except to apply.
The outbound command rules are now sorted by the best match checking. Use the show outbound command to see how the best match is judged by the PIX Firewall.
Usage Notes
1.
2.
3.
4.
outbound 1 deny 0 0 0apply (inside) 1 outgoing_srcThen add command statements that permit or deny hosts access to specific ports.
For example:
outbound 1 deny 0 0 0outbound 1 permit 10.1.1.1 255.255.255.255 23 tcpoutbound 1 permit 10.1.1.1 255.255.255.255 80 tcpapply (inside) 1 outgoing_srcYou could state this same example as follows with the except option:
outbound 1 deny 0 0 0outbound 1 except 209.165.201.11 255.255.255.255 23 tcpoutbound 1 except 209.165.201.11 255.255.255.255 80 tcpapply (inside) 1 outgoing_srcIn the preceding outbound except command statement, IP address 209.165.201.11 is the destination IP address, not the source address. This means that everyone is denied outbound access, except those users going to 209.165.201.11 via Telnet (port 23) or HTTP (port 80).
5.
You must have a specific deny command statement to block Java applets.6.
7.
8.
Examples
In the following example, the first outbound group sets inside hosts so that they can only see and Telnet to perimeter hosts, and do DNS lookups. The perimeter network address is 209.165.201.0 and the network mask is 255.255.255.224.
outbound 9 deny 0.0.0.0 0.0.0.0 0 0outbound 9 except 209.165.201.0 255.255.255.224 23 tcpoutbound 9 except 0.0.0.0 0.0.0.0 53 udpThe next outbound group lets hosts 10.1.1.11 and 10.1.1.12 go anywhere:
outbound 11 deny 0.0.0.0 0.0.0.0 0 0outbound 11 permit 10.1.1.11 255.255.255.255 0 0outbound 11 permit 10.1.1.12 255.255.255.255 0 0outbound 11 permit 0.0.0.0 0.0.0.0 21 tcpoutbound 11 permit 10.3.3.3 255.255.255.255 143 tcpThis last outbound group lets hosts on the perimeter only access TCP ports 389 and 30303 and UDP port 53 (DNS). Finally, the apply command statements set the outbound groups so that the permit and deny rules affect access to all external addresses.
outbound 13 deny 0.0.0.0 0.0.0.0 0 0outbound 13 permit 0.0.0.0 0.0.0.0 389 tcpoutbound 13 permit 0.0.0.0 0.0.0.0 30303 tcpoutbound 13 permit 0.0.0.0 0.0.0.0 53 udpapply (inside) 9 outgoing_srcapply (inside) 11 outgoing_srcapply (perim) 13 outgoing_srcControlling Outbound Connections
The following example prevents all inside hosts from starting outbound connections:
outbound 1 deny 0 0 0apply (inside) 1 outgoing_srcThe 0 0 0 at the end of the command means all IP addresses (0 is the same as 0.0.0.0), with a 0.0.0.0 subnet mask and for all services (port value is zero).
Conversely, the following example permits all inside hosts to start connections to the outside (this is the default if an access list is not created):
outbound 1 permit 0 0 0apply (inside) 1 outgoing_srcControlling Inside Hosts' Access to Outbound Services
The following example prevents inside host 192.168.1.49 from accessing the World Wide Web
(port 80):outbound 11 deny 192.168.1.49 255.255.255.255 80 tcpapply (inside) 11 outgoing_srcControlling Inside Hosts' Access to Outside Servers
If your employees are spending too much time examining GIF images on a particular website with two web servers, you can use the following example to restrict this access:
outbound 12 deny 192.168.146.201 255.255.255.255 80 tcpoutbound 12 deny 192.168.146.202 255.255.255.255 80 tcpapply (inside) 12 outgoing_destUsing except Command Statements
An except command statement only provides exception to items with the same list_ID, as shown in the following example:
outbound 9 deny 0.0.0.0 0.0.0.0 0 0outbound 9 except 10.100.0.0 255.255.0.0 23 tcpoutbound 9 except 0.0.0.0 0.0.0.0 53 udpoutbound 11 deny 0.0.0.0 0.0.0.0 0 0outbound 11 permit 10.1.1.11 255.255.255.255 0 0outbound 11 permit 10.1.1.12 255.255.255.255 0 0outbound 11 permit 0.0.0.0 0.0.0.0 21 tcpoutbound 11 permit 10.3.3.3 255.255.255.255 143 tcpoutbound 13 deny 0.0.0.0 0.0.0.0 0 0outbound 13 permit 0.0.0.0 0.0.0.0 389 tcpoutbound 13 permit 0.0.0.0 0.0.0.0 30303 tcpoutbound 13 permit 0.0.0.0 0.0.0.0 53 udpIn the preceding examples, the following two command statements work against other command statements in list 9 but not in lists 11 and 13:
outbound 9 except 10.100.0.0 255.255.0.0 23 tcpoutbound 9 except 0.0.0.0 0.0.0.0 53 udpIn the following example, the set of deny, permit, and except option command statements denies everybody from connecting to external hosts except for DNS queries and Telnet connections to hosts on 10.100.0.0. The host with IP address 10.1.1.11 is permitted outbound access, and has access to everywhere except to 10.100.0.0 via Telnet and anywhere to use DNS.
outbound 1 deny 0.0.0.0 0.0.0.0 0 tcpoutbound 1 permit 10.1.1.11 255.255.255.255 0 tcpoutbound 1 except 10.100.0.0 255.255.0.0 23 tcpoutbound 1 except 0.0.0.0 0.0.0.0 53 udpapply (inside) outgoing_srcpager
Enable or disable screen paging. (Privileged mode.)
Syntax Description
number
The number of lines before the "---more---" prompt appears. The minimum is 1. Use 0 to disable paging.
Usage Guidelines
The pager lines command let you specify the number of lines in a page before the "---more---" prompt appears. The pager command enables display paging, and the no pager command disables paging and lets output display completely without interruption. If you set the pager lines command to some value and want to revert back to the default, enter the pager command without options. The clear pager command resets the number of lines in a page to 24.
When paging is enabled, the following prompt appears:
<--- more --->The "---more---" prompt uses syntax similar to the UNIX more command:
•
•
•
Use the pager 0 command to disable paging.
Examples
The following example shows use of the pager command:
pixfirewall# pager lines 2pixfirewall# ping inside 10.0.0.4210.0.0.42 NO response received -- 1010ms10.0.0.42 NO response received -- 1000ms<--- more --->passwd
Set password for Telnet access to the PIX Firewall console. (Privileged mode.)
Syntax Description
Usage Guidelines
The passwd command sets a password for Telnet access to the PIX Firewall console. An empty password is also changed into an encrypted string. However, any use of a write command displays or writes the passwords in encrypted form. Once passwords are encrypted, they are not reversible back to plain text. The clear passwd command resets the password to "cisco."
Note
Examples
The following example shows use of the passwd command:
passwd watag00s1amshow passwdpasswd jMorNbK0514fadBh encryptedRelated Commands
pdm
These commands support communication between the PIX Firewall and a browser running the Cisco PIX Device Manager (PDM). (Configuration mode.)
Syntax Description
Defaults
Default PDM syslog level is 0. Default logging messages is 100 and the maximum is 512.
Usage Guidelines
The pdm disconnect command and the show pdm sessions command are accessible through the command line. The clear pdm, pdm history commands, pdm location, and pdm logging commands may appear in your configuration and are available through the CLI, but they are designed to work as internal PDM-to-PIX Firewall commands accessible through PDM.
The pdm disconnect command lets you disconnect a specific PDM session using a session_id obtained with the show pdm sessions command. The show pdm sessions command lists all the open PDM sessions going to a PIX Firewall.
The pdm location command can only associate one interface to an ip_address /netmask pair. Specifying an existing pair will replace the old definition. The PDM syslog messages are stored separately from the PIX Firewall syslog accessed through the logging buffered command.
The clear pdm location command will remove all of the PDM locations. The pdm location command associates an interface to an ip_address /netmask pair. Specifying a new pair replaces the old definition.
The clear pdm location command removes all of the PDM locations.
Note
PDM location is not actually a PIX command, but rather a PDM bookkeeping command. When PDM opens it discovers the network topology surrounding the PIX from which it was launched. PDM then stores its discovered topology database in the PIX config file using pdm location commands to record ip address to interface associations. For example:
pdm location 10.1.1.1 255.255.255.255 insidepdm location 10.1.1.2 255.255.255.255 insidepdm location 10.1.3.0 255.255.255.0 insidepdm location 10.1.2.0 255.255.255.0 outsidepdm location InsideRouter 255.255.255.255 insidePDM rules are built on top of the network topology it can discover or has explicitly defined. Ideally, the topology is clearly defined first via the Host/Network and Network Object functions before policy Rules are applied.
You may use the CLI command clear pdm location to remove pdm location commands from your configuration, and it will not affect the operation of the PIX. However the next time PDM is run, it will again have to rediscover the network topology and update the configuration file with pdm location commands.
If you have an existing configuration before migrating to PDM, or use both the CLI and PDM to configure your PIX Firewall, PDM will derive much of the topology information from the current config file. For example:
static (inside,outside) 2.2.2.2 1.1.1.2 netmask 255.255.255.255 0 0This command implies that host 1.1.1.2 resides on the inside network.
Why is pdm location needed if PDM can derive or discover the topology information at runtime?
•
PDM may not be able to resolve all the IP addresses shown in a configuration. For example, a PIX with three interfaces uses the CLI command acl permit ip any 1.1.1.1 applied to inside interface. Where is 1.1.1.1, dmz or outside? If you manually resolve 1.1.1.1 to the outside interface, for example, PDM will need to "remember" the interface to IP address association to allow Rules to be accurately displayed and edited.
The clear pdm logging command will clear the PDM log without disabling it.
Examples
The following example shows how to report the last data point in PDM-display format:
pix(config)# pdm history enablepix(config)# show pdm history view 10m snapshot pdmclientINTERFACE|outside|up|IBC|0|OBC|1088|IPC|0|OPC|0|IBR|17|OBR|0|IPR|0|OPR|0|IERR|1|NB|0|RB|0| RNT|0|GNT|0|CRC|0|FRM|0|OR|0|UR|0|OERR|0|COLL|0|LCOLL|0|RST|0|DEF|0|LCR|0:PIXoutsideINTERF ACE:METRIC_HISTORY|SNAP|IBR|VIEW|10|1952|METRIC_HISTORY|SNAP|OBR|VIEW|10|64|METRIC_HISTORY |SNAP|IPR|VIEW|10|17|METRIC_HISTORY|SNAP|OPR|VIEW|10|1|METRIC_HISTORY|SNAP|IERR|VIEW|10|0| METRIC_HISTORY|SNAP|OERR|VIEW|10|0|:PIXinsideINTERFACE:METRIC_HISTORY|SNAP|IBR|VIEW|10|0|M ETRIC_HISTORY|SNAP|OBR|VIEW|10|64|METRIC_HISTORY|SNAP|IPR|VIEW|10|0|METRIC_HISTORY|SNAP|OP R|VIEW|10|1|METRIC_HISTORY|SNAP|IERR|VIEW|10|0|METRIC_HISTORY|SNAP|OERR|VIEW|10|0|:PixSYS: METRIC_HISTORY|SNAP|MEM|VIEW|10|52662272|METRIC_HISTORY|SNAP|BLK4|VIEW|10|1600|METRIC_HIST ORY|SNAP|BLK80|VIEW|10|400|METRIC_HISTORY|SNAP|BLK256|VIEW|10|998|METRIC_HISTORY|SNAP|BLK1 550|VIEW|10|676|METRIC_HISTORY|SNAP|XLATES|VIEW|10|0|METRIC_HISTORY|SNAP|CONNS|VIEW|10|0|M ETRIC_HISTORY|SNAP|TCPCONNS|VIEW|10|0|METRIC_HISTORY|SNAP|UDPCONNS|VIEW|10|0|METRIC_HISTOR Y|SNAP|URLS|VIEW|10|0|METRIC_HISTORY|SNAP|WEBSNS|VIEW|10|0|METRIC_HISTORY|SNAP|TCPFIXUPS|V IEW|10|0|METRIC_HISTORY|SNAP|TCPINTERCEPTS|VIEW|10|0|METRIC_HISTORY|SNAP|HTTPFIXUPS|VIEW|1 0|0|METRIC_HISTORY|SNAP|FTPFIXUPS|VIEW|10|0|METRIC_HISTORY|SNAP|AAAAUTHENUPS|VIEW|10|0|MET RIC_HISTORY|SNAP|AAAAUTHORUPS|VIEW|10|0|METRIC_HISTORY|SNAP|AAAACCOUNTS|VIEW|10|0|The following example shows how to report the data, formatted for the PIX Firewall CLI:
pix(config)# pdm history enablepix(config)# show pdm history view 10m snapshotAvailable 4 byte Blocks: [ 10s] : 1600Used 4 byte Blocks: [ 10s] : 0Available 80 byte Blocks: [ 10s] : 400Used 80 byte Blocks: [ 10s] : 0Available 256 byte Blocks: [ 10s] : 500Used 256 byte Blocks: [ 10s] : 0Available 1550 byte Blocks: [ 10s] : 931Used 1550 byte Blocks: [ 10s] : 385Available 1552 byte Blocks: [ 10s] : 0Used 1552 byte Blocks: [ 10s] : 0Available 2560 byte Blocks: [ 10s] : 0Used 2560 byte Blocks: [ 10s] : 0Available 4096 byte Blocks: [ 10s] : 0Used 4096 byte Blocks: [ 10s] : 0Available 8192 byte Blocks: [ 10s] : 0Used 8192 byte Blocks: [ 10s] : 0Available 16384 byte Blocks: [ 10s] : 0Used 16384 byte Blocks: [ 10s] : 0Available 65536 byte Blocks: [ 10s] : 0Used 65536 byte Blocks: [ 10s] : 0CPU Utilization: [ 10s] : 0IP Options Bad: [ 10s] : 0Record Packet Route: [ 10s] : 0IP Options Timestamp: [ 10s] : 0Provide s,c,h,tcc: [ 10s] : 0Loose Source Route: [ 10s] : 0SATNET ID: [ 10s] : 0Strict Source Route: [ 10s] : 0IP Fragment Attack: [ 10s] : 0Impossible IP Attack: [ 10s] : 0IP Teardrop: [ 10s] : 0ICMP Echo Reply: [ 10s] : 0ICMP Unreachable: [ 10s] : 0ICMP Source Quench: [ 10s] : 0ICMP Redirect: [ 10s] : 0ICMP Echo Request: [ 10s] : 0ICMP Time Exceeded: [ 10s] : 0ICMP Parameter Problem: [ 10s] : 0ICMP Time Request: [ 10s] : 0ICMP Time Reply: [ 10s] : 0ICMP Info Request: [ 10s] : 0ICMP Info Reply: [ 10s] : 0ICMP Mask Request: [ 10s] : 0ICMP Mask Reply: [ 10s] : 0Fragmented ICMP: [ 10s] : 0Large ICMP: [ 10s] : 0Ping of Death: [ 10s] : 0No Flags: [ 10s] : 0SYN & FIN Only: [ 10s] : 0FIN Only: [ 10s] : 0FTP Improper Address: [ 10s] : 0FTP Improper Port: [ 10s] : 0Bomb: [ 10s] : 0Snork: [ 10s] : 0Chargen: [ 10s] : 0DNS Host Info: [ 10s] : 0DNS Zone Transfer: [ 10s] : 0DNS Zone Transfer High Port: [ 10s] : 0DNS All Records: [ 10s] : 0Port Registration: [ 10s] : 0Port Unregistration: [ 10s] : 0RPC Dump: [ 10s] : 0Proxied RPC: [ 10s] : 0ypserv Portmap Request: [ 10s] : 0ypbind Portmap Request: [ 10s] : 0yppasswd Portmap Request: [ 10s] : 0ypupdated Portmap Request: [ 10s] : 0ypxfrd Portmap Request: [ 10s] : 0mountd Portmap Request: [ 10s] : 0rexd Portmap Request: [ 10s] : 0rexd Attempt: [ 10s] : 0statd Buffer Overflow: [ 10s] : 0Input KByte Count: [ 10s] : 41804Output KByte Count: [ 10s] : 526456Input KPacket Count: [ 10s] : 364Output KPacket Count: [ 10s] : 450Input Bit Rate: [ 10s] : 0Output Bit Rate: [ 10s] : 0Input Packet Rate: [ 10s] : 0Output Packet Rate: [ 10s] : 0Input Error Packet Count: [ 10s] : 0No Buffer: [ 10s] : 0Received Broadcasts: [ 10s] : 90076Runts: [ 10s] : 0Giants: [ 10s] : 0CRC: [ 10s] : 0Frames: [ 10s] : 0Overruns: [ 10s] : 0Underruns: [ 10s] : 0Output Error Packet Count: [ 10s] : 0Collisions: [ 10s] : 8895LCOLL: [ 10s] : 0Reset: [ 10s] : 0Deferred: [ 10s] : 3138Lost Carrier: [ 10s] : 0Hardware Input Queue: [ 10s] : 128Software Input Queue: [ 10s] : 0Hardware Output Queue: [ 10s] : 0Software Output Queue: [ 10s] : 0Input KByte Count: [ 10s] : 61835Output KByte Count: [ 10s] : 26722Input KPacket Count: [ 10s] : 442Output KPacket Count: [ 10s] : 418Input Bit Rate: [ 10s] : 0Output Bit Rate: [ 10s] : 0Input Packet Rate: [ 10s] : 0Output Packet Rate: [ 10s] : 0Input Error Packet Count: [ 10s] : 0No Buffer: [ 10s] : 0Received Broadcasts: [ 10s] : 308607Runts: [ 10s] : 0Giants: [ 10s] : 0CRC: [ 10s] : 0Frames: [ 10s] : 0Overruns: [ 10s] : 0Underruns: [ 10s] : 0Output Error Packet Count: [ 10s] : 0Collisions: [ 10s] : 0LCOLL: [ 10s] : 0Reset: [ 10s] : 0Deferred: [ 10s] : 2Lost Carrier: [ 10s] : 707Hardware Input Queue: [ 10s] : 128Software Input Queue: [ 10s] : 0Hardware Output Queue: [ 10s] : 0Software Output Queue: [ 10s] : 0Available Memory: [ 10s] : 45293568Used Memory: [ 10s] : 21815296Xlate Count: [ 10s] : 0Connection Count: [ 10s] : 0TCP Connection Count: [ 10s] : 0UDP Connection Count: [ 10s] : 0URL Filtering Count: [ 10s] : 0URL Server Filtering Count: [ 10s] : 0TCP Fixup Count: [ 10s] : 0TCP Intercept Count: [ 10s] : 0HTTP Fixup Count: [ 10s] : 0FTP Fixup Count: [ 10s] : 0AAA Authentication Count: [ 10s] : 0AAA Authorzation Count: [ 10s] : 0AAA Accounting Count: [ 10s] : 0Current Xlates: [ 10s] : 0Max Xlates: [ 10s] : 0ISAKMP SAs: [ 10s] : 0IPSec SAs: [ 10s] : 0L2TP Sessions: [ 10s] : 0L2TP Tunnels: [ 10s] : 0PPTP Sessions: [ 10s] : 0PPTP Tunnels: [ 10s] : 0Related Commands
•
•
perfmon
View performance information. (Privileged mode.)
perfmon verbose
perfmon interval seconds
perfmon quiet
perfmon settings
N/A
show perfmon
Displays PIX Firewall performance information. (However, this command output does not display in a Telnet console session.)
Syntax Description
Usage Guidelines
The perfmon command lets you monitor the PIX Firewall unit's performance. Use the show perfmon command to view the information immediately. Use the perfmon verbose command to display the information every two minutes continuously. Use the perfmon interval seconds command with the perfmon verbose command to display the information continuously every number of seconds you specify.
Use the perfmon quiet command to disable the display.
An example of the performance information follows:
This information lists the number of translations, connections, Websense requests, address translations (called "fixups"), and AAA transactions that occur each second.
Examples
The following commands display the performance monitor statistics every 30 seconds on the PIX Firewall console:
perfmon interval 30perfmon verboseping
Determine if other IP addresses are visible from the PIX Firewall. (Privileged mode.)
Syntax Description
Usage Guidelines
The ping command determines if the PIX Firewall has connectivity or if a host is available on the network. The command output shows if the response was received; that is, that a host is participating on the network. If a host is not responding, ping displays "NO response received." Use the show interface command to ensure that the PIX Firewall is connected to the network and is passing traffic.
If you want internal hosts to be able to ping external hosts, you must create an ICMP access-list command statement for echo reply; for example, to give ping access to all hosts, use the access-list acl_grp permit icmp any any command and bind the access-list command statement to the interface you want to test using an access-group command statement.
If you are pinging through PIX Firewall between hosts or routers, but the pings are not successful, use the debug icmp trace command to monitor the success of the ping. If pings are both inbound and outbound, they are successful.
The PIX Firewall ping command no longer requires an interface name. If an interface name is not specified, PIX Firewall checks the routing table to find the address you specify. You can specify an interface name to indicate through which interface the ICMP echo requests are sent.
An example of the usage follows:
ping 10.0.0.110.0.0.1 response received -- 10ms10.0.0.1 response received -- 10ms10.0.0.1 response received -- 0msOr you can still enter the command specifying the interface:
ping outside 10.0.0.110.0.0.1 response received -- 10ms10.0.0.1 response received -- 10ms10.0.0.1 response received -- 0ms
Examples
In the following example, the ping command makes three attempts to reach an IP address:
ping 192.168.42.54192.168.42.54 response received -- 0Ms192.168.42.54 response received -- 0Ms192.168.42.54 response received -- 0Msprivilege
Configures or displays command privilege levels. (Configuration mode.)
Syntax Description
Usage Guidelines
The privilege command sets user-defined privilege levels for PIX Firewall commands. This is especially useful for setting different privilege levels for related configuration, show, and clear commands. However, be sure to verify privilege level changes in your commands with your security policies before implementing the new privilege levels.
When commands have privilege levels set, and users have privilege levels set, then the two are compared to determine if a given user can execute a given command. If the user's privilege level is lower than the privilege level of the command, the user is prevented from executing the command. This is modeled after Cisco IOS software.
To change between privilege levels, use the login command to access another privilege level and the appropriate logout, exit, or quit command to exit that level.
Note
Examples
You can set the privilege level "5" for an individual user as follows:
username intern1 password pass1 privilege 5Also, you can also define a set of show commands with the privilege level "5" as follows:
level:privilege show level 5 command aliasprivilege show level 5 command applyprivilege show level 5 command arpprivilege show level 5 command auth-promptprivilege show level 5 command blocksThe following examples show output from the show curpriv command when a user named enable_15 is at different privilege levels. Username indicates the name the user entered when he or she logged in, P_PRIV indicates that the user has entered the enable command, and P_CONF indicates the user has entered the config terminal command.
pixfirewall(config)# show curprivUsername : enable_15Current privilege level : 15Current Mode/s : P_PRIV P_CONFpixfirewall(config)# exitpixfirewall# show curprivUsername : enable_15Current privilege level : 15Current Mode/s : P_PRIVpixfirewall# exitpixfirewall> show curprivUsername : enable_1Current privilege level : 1Current Mode/s : P_UNPRpixfirewall>The following is an example of applying a privilege level of 11 to a complete AAA authorization configuration:
privilege configure level 11 command aaaprivilege configure level 11 command aaa-serverprivilege configure level 11 command access-groupprivilege configure level 11 command access-listprivilege configure level 11 command activation-keyprivilege configure level 11 command ageprivilege configure level 11 command aliasprivilege configure level 11 command applyRelated Commands
quit
Exit configuration or privileged mode. (All modes.)
Syntax Description
Usage Guidelines
Use the quit command to exit configuration or privileged mode.
Examples
The following example shows use of the quit command:
pixfirewall(config)# quitpixfirewall# quitpixfirewall>reload
Reboot and reload the configuration. (Privileged mode.)
Syntax Description
noconfirm
Permits the PIX Firewall to reload without user confirmation.
reload
Reboot and reload configuration.
Usage Guidelines
The reload command reboots the PIX Firewall and reloads the configuration from a bootable floppy
disk or, if a diskette is not present, from Flash memory.The PIX Firewall does not accept abbreviations to the keyword noconfirm.
You are prompted for confirmation before starting with "Proceed with reload?".
Any response other than n causes the reboot to occur.
Note
Examples
The following example shows use of the reload command:
reloadProceed with reload? [confirm] yRebooting...PIX Bios V2.7...rip
Change RIP settings. (Configuration mode.)
Syntax Description
Usage Guidelines
The rip command enables IP routing table updates from received Routing Information Protocol (RIP) broadcasts. Use the no rip command to disable the PIX Firewall IP routing table updates. The default is to enable IP routing table updates. If you specify RIP version 2, you can encrypt RIP updates using MD5 encryption.
The clear rip command removes all the rip commands from the configuration.
Ensure that the key and key_id values are the same as in use on any other device in your network that makes RIP version 2 updates.
The PIX Firewall cannot pass RIP updates between interfaces.
When RIP version 2 is configured in passive mode with PIX Firewall software version 5.3 and higher, the PIX Firewall accepts RIP version 2 multicast updates with an IP destination of 224.0.0.9. For RIP version 2 default mode, the PIX Firewall will transmit default route updates using an IP destination of 224.0.0.9. Configuring RIP version 2 registers the multicast address 224.0.0.9 on the respective interface to be able to accept multicast RIP version 2 updates.
Only Intel 10/100 and Gigabit interfaces support multicasting.
When the RIP version 2 commands for an interface are removed, the multicast address is unregistered from the interface card.
Examples
The following is sample output from the version 1 show rip and rip inside default commands:
show riprip outside passiveno rip outside defaultrip inside passiveno rip inside defaultrip inside defaultshow riprip outside passiveno rip outside defaultrip inside passiverip inside defaultThe next example combines version 1 and version 2 commands and shows listing the information with the show rip command after entering the RIP commands that do the following:
•
•
•
rip outside passive version 2 authentication md5 thisisakey 2rip outside default version 2 authentication md5 thisisakey 2rip inside passiverip dmz passive version 2show riprip outside passive version 2 authentication md5 thisisakey 2rip outside default version 2 authentication md5 thisisakey 2rip inside passive version 1rip dmz passive version 2The next example shows how use of the clear rip command clears all the previous rip commands from the current configuration:
clear ripshow ripThe following example shows use of the version 2 feature that passes the encryption key in text form:
rip out default version 2 authentication text thisisakey 3show riprip outside default version 2 authentication text thisisakey 3route
Enter a static or default route for the specified interface. (Configuration mode.)
Syntax Description
Usage Guidelines
Use the route command to enter a default or static route for an interface. To enter a default route, set ip_address and netmask to 0.0.0.0, or the shortened form of 0. All routes entered using the route command are stored in the configuration when it is saved. The clear route command removes route command statements from the configuration that do not contain the CONNECT keyword.
Create static routes to access networks connected outside a router on any interface. The effect of a static route is like stating "to send a packet to the specified network, give it to this router." For example, PIX Firewall sends all packets destined to the 192.168.42.0 network through the 192.168.1.5 router with this static route command statement.
route dmz 192.168.42.0 255.255.255.0 192.168.1.5 1The routing table automatically specifies the IP address of a PIX Firewall interface in the route command. Once you enter the IP address for each interface, PIX Firewall creates a route statement entry that is not deleted when you use the clear route command.
If the route command statement uses the IP address from one of the PIX Firewall unit's interfaces as the gateway IP address, PIX Firewall will ARP for the destination IP address in the packet instead of ARPing for the gateway IP address.
The following steps show how PIX Firewall handles routing:
Step 1
Step 2
Step 3
Step 4
Step 5
•
•
For example, if the following command statement is in the configuration:
route inside 10.0.0.0 255.0.0.0 10.0.0.2 2 OTHERIf you enter the following statement:
route inside 10.0.0.0 255.0.0.0 10.0.0.2 3PIX Firewall converts the command statement to the following:
route inside 10.0.0.0 255.0.0.0 10.0.0.2 3 OTHERExamples
Specify one default route command statement for the outside interface, which in this example is for the router on the outside interface that has an IP address of 209.165.201.1:
route outside 0 0 209.165.201.1 1For static routes, if two networks, 10.1.2.0 and 10.1.3.0 connect via a hub to the dmz1 interface router at 10.1.1.4, add these static route command statements to provide access to the networks:
route dmz1 10.1.2.0 255.0.0.0 10.1.1.4 1route dmz1 10.1.3.0 255.0.0.0 10.1.1.4 1
