-
Cisco PIX Firewall and VPN Configuration Guide, Version 6.2
-
About This Guide
-
Getting Started
-
Establishing Connectivity
-
Controlling Network Access and Use
-
Configuring Application Inspection (Fixup)
-
Using PIX Firewall in SOHO Networks
-
Configuring IPSec and Certification Authorities
-
Site-to-Site VPN Configuration Examples
-
Configuring VPN Client Remote Access
-
Accessing and Monitoring PIX Firewall
-
Using PIX Firewall Failover
-
Upgrading Feature Licenses and System Software
-
Firewall Configuration Forms
-
Acronyms and Abbreviations
-
MS-Exchange Firewall Configuration
-
TCP/IP Reference Information
-
Supported VPN Standards
-
Converting Private Link to IPSec
-
Index
-
Table Of Contents
Accessing and Monitoring PIX Firewall
Command Authorization and LOCAL User Authentication
Creating User Accounts in the LOCAL Database
User Authentication Using the LOCAL Database
Viewing the Current User Account
Configuring LOCAL Command Authorization
Enabling LOCAL Command Authorization
Viewing LOCAL Command Authorization Settings
Viewing NTP Status and Configuration
Managing the PIX Firewall Clock
Setting Daylight Savings Time and Timezones
Using Telnet for Remote System Management
Configuring Telnet Console Access to the Inside Interface
Allowing a Telnet Connection to the Outside Interface
Using SSH for Remote System Management
Identifying the Host Using an SSH Client
Configuring Authentication for an SSH Client
Connecting to the PIX Firewall with an SSH Client
Identifying the Auto Update Server
Viewing the Auto Update Configuration
Receiving Requests and Sending Syslog Traps
Compiling Cisco Syslog MIB Files
Using the Firewall and Memory Pool MIBs
Accessing and Monitoring PIX Firewall
This chapter describes how to configure and use the tools and features provided by the PIX Firewall for monitoring and configuring the system, and for monitoring network activity. It contains the following sections:
•
Command Authorization and LOCAL User Authentication
•
•
•
Command Authorization and LOCAL User Authentication
This section describes the Command Authorization feature and related topics, introduced with PIX Firewall version 6.2. It includes the following topics:
Privilege Levels
PIX Firewall version 6.2 introduces support for up to 16 privilege levels. This is similar to what is available with Cisco IOS software. With this feature, you can assign PIX Firewall commands to one of 16 levels. Also, users logging into the PIX Firewall are assigned privilege levels.
Note
When a user tries to access enable mode, if the message "T+ enable privilege too low" appears on the AAA server, set the Max privilege of the AAA client to Level1 in the Advanced TACACS options.To enable different privilege levels on the PIX Firewall, use the enable command in configuration mode. To assign a password to a privilege level, enter the following command:
pix(config)# enable password [password] [level level] [encrypted]Replace password with a character string from three to sixteen characters long, with no spaces. Replace level with the privilege level you want to assign to the enable password.
Note
For example, the following command assigns the enable password Passw0rD to privilege Level 10:
enable password Passw0rD level 10The following example shows the usage of the enable password command with the encrypted keyword:
enable password .SUTWWLlTIApDYYx level 9 encrypted
Note
Once the different privilege levels are created, you can gain access to a particular privilege level from the > prompt by entering the enable command, as shown below:
pix> enable [privilege level]Replace privilege level with the privilege level to which you want to gain access. If the privlege level is not specified, the default of 15 is used. By default, privilege level 15 is assigned the password cisco. It will always have a password associated with it unless someone assigns it a blank password using the enable password command.
User Authentication
This section describes how to configure the PIX Firewall to use LOCAL user authentication. It includes the following topics:
•
•
•
Creating User Accounts in the LOCAL Database
To define a user account in the LOCAL database, enter the following command:
username username {nopassword|password password [encrypted]} [privilege level]Replace username with a character string from four to fifteen characters long. Replace password with a character string from three to sixteen characters long. Replace privilege level with the privilege level you want to assign to the new user account (from 0 to 15). Use the nopassword keyword to create a user account with no password. Use the encrypted keyword if the password you are supplying is already encrypted.
Note
For example, the following command assigns a privilege level of 15 to the user account admin.
username admin password passw0rd privilege 15If no privilege level is specified, the user account is created with a privilege level of 2. You can define as many user accounts as you need.
Use the following command to create a user account with no password:
username username nopasswordReplace username with the user account that you want to create without a password.
To delete an existing user account, enter the following command:
no username usernameReplace username with the user account that you want to delete. For example, the following command deletes the user account admin.
no username adminTo remove all the entries from the user database, enter the following command:
clear usernameUser Authentication Using the LOCAL Database
User authentication can be completed using the LOCAL database after user accounts are created in this database.
Note
To enable authentication using the LOCAL database, enter the following command:
pix(config)# aaa authentication serial|telnet|ssh|http|enable console LOCALAfter entering this command, the LOCAL user accounts are used for authentication.
You can also use the login command, as follows, to access the PIX Firewall with a particular username and password:
pix> loginThe login command only checks the local database while authenticating a user and does not check any authentication or authorization (AAA) server.
When you enter the login command, the system prompts for a username and password as follows:
Username:adminPassword:********
Note
Use the following command to log out from the currently logged in user account:
logoutViewing the Current User Account
The PIX Firewall maintains usernames in the following authentication mechanisms:
•
•
•
To view the user account that is currently logged in, enter the following command:
show curprivThe system displays the current user name and privilege level, as follows:
Username:adminCurrent privilege level: 15Current Mode/s:P_PRIVAs mentioned in the section "Privilege Levels," you use the enable command to obtain access to different privilege levels with the following command:
pix> enable [privielge level]
When you assign a password to a privilege level, the privilege level is associated with the password in the LOCAL database in the same way a username is associated with a password. When you obtain access to a privilege level using the enable command, the show curpriv command displays the current privilege level as a username in the format enable_n, where n is a privilege level from 1 to 15.
An example follows:
pix# show curprivUsername : enable_9Current privilege level : 9Current Mode/s : P_PRIVWhen you enter the enable command without specifying the privilege level, the default privilege level (15) is assumed and the username is set to enable_15.
When you log into the PIX Firewall for the first time or exit from the current session, the default user name is enable_1, as follows:
pix> show curprivUsername : enable_1Current privilege level : 1Current Mode/s : P_UNPRCommand Authorization
This section describes how to assign commands to different privilege levels. It includes the following topics:
•
•
•
•
Overview
LOCAL and TACACS+ Command Authorization is supported in PIX Firewall version 6.2. With the LOCAL command authorization feature, you can assign PIX Firewall commands to one of 16 levels.
Caution
Configuring LOCAL Command Authorization
In the default configuration, each PIX Firewall command is assigned to either privilege level 0 or privilege level 15. To reassign a specific command to a different privilege level, enter the following command:
[no] privilege [{show | clear | configure}] level level [mode {enable|configure}] command commandReplace level with the privilege level and command with the command you want to assign to the specified level. You can use the show, clear, or configure parameter to optionally set the privilege level for the show, clear, or configure command modifiers of the specified command. Replace command with the command for which you wish to assign privileges. For the full syntax of this command, including additional options, refer to the PIX Firewall Command Reference Guide.
For example, the following commands set the privilege of the different command modifiers of the access-list command:
privilege show level 10 command access-listprivilege configure level 12 command access-listprivilege clear level 11 command access-listThe first line sets the privilege of show access-list (show modifier of cmd access-list) to 10. The second line sets the privilege level of the the configure modifier to 12, and the last line sets the privilege level of the clear modifier to 11.
To set the privilege of all the modifiers of the access-list command to a single privilege level of 10, you would enter the following command:
privilege level 10 command access-listFor commands that are available in multiple modes, use the mode parameter to specify the mode in which the privilege level applies.
The following are examples of setting privilege levels for mode-specific commands:
privilege show level 15 mode configure command configureprivilege clear level 15 mode configure command configureprivilege configure level 15 mode configure command configureprivilege configure level 15 mode enable command configureprivilege configure level 0 mode enable command enableprivilege show level 15 mode configure command enableprivilege configure level 15 mode configure command enableprivilege configure level 15 mode configure command igmpprivilege show level 15 mode configure command igmpprivilege clear level 15 mode configure command igmpprivilege show level 15 mode configure command loggingprivilege clear level 15 mode configure command loggingprivilege configure level 15 mode configure command loggingprivilege clear level 15 mode enable command loggingprivilege configure level 15 mode enable command logging
Note
By default, the following commands are assigned to privilege level 0:
privilege show level 0 command checksumprivilege show level 0 command curprivprivilege configure level 0 command helpprivilege show level 0 command historyprivilege configure level 0 command loginprivilege configure level 0 command logoutprivilege show level 0 command pagerprivilege clear level 0 command pagerprivilege configure level 0 command pagerprivilege configure level 0 command quitprivilege show level 0 command versionEnabling LOCAL Command Authorization
Once you have reassigned privileges to commands from the defaults, as necessary, enable the command authorization feature by entering the following command:
aaa authorization command LOCALBy specifying LOCAL, the user's privilege level and the privilege settings that have been assigned to the different commands are used to make authorization decisions.
When users log in to the PIX Firewall, they can enter any command assigned to their privilege level or to lower privilege levels. For example, a user account with a privilege level of 15 can access every command because this is the highest privilege level. A user account with a privilege level of 0 can only access the commands assigned to level 0.
Viewing LOCAL Command Authorization Settings
To view the CLI command assignments for each privilege level, enter the following command:
show privilege allThe system displays the current assignment of each CLI command to a privilege level. The following example illustrates the first part of the display:
pix(config)# show privilege allprivilege show level 15 command aaaprivilege clear level 15 command aaaprivilege configure level 15 command aaaprivilege show level 15 command aaa-serverprivilege clear level 15 command aaa-serverprivilege configure level 15 command aaa-serverprivilege show level 15 command access-groupprivilege clear level 15 command access-groupprivilege configure level 15 command access-groupprivilege show level 15 command access-listprivilege clear level 15 command access-listprivilege configure level 15 command access-listprivilege show level 15 command activation-keyprivilege configure level 15 command activation-keyTo view the command assignments for a specific privilege level, enter the following command:
show privilege level levelReplace level with the privilege level for which you want to display the command assignments.
For example, the following command displays the command assignments for privilege Level 15:
show privilege level 15To view the privilege level assignment of a specific command, enter the following command:
show privilege command commandReplace command with the command for which you want to display the assigned privilege level.
For example, the following command displays the command assignment for the access-list command:
show privilege command access-listTACACS+ Command Authorization
Caution
1.
2.
–
–
3.
4.
Caution
After command authorization with a TACACS+ server is enabled, for each command entered, the PIX Firewall sends the username, command, and command arguments to the TACACS+ server for authorization.
To enable command authorization with a TACACS+ server, enter the following command:
aaa authorization command tacacs_server_tagTo create the tacacs_server_tag, use the aaa-server command, as follows:
aaa-server tacacs_server_tag [(if_name)] host ip_address [key] [timeout seconds]Use the tacacs_server_tag parameter to identify the TACACS+ server and use the if_name parameter if you need to specifically identify the PIX Firewall interface connected to the TACACS+ server. Replace ip_address with the IP address of the TACACS+ server. Replace the optional key parameter with a keyword of up to 127 characters (including special characters but excluding spaces) to use for encrypting data exchanged with the TACACS+ server. This value must match the keyword used on the TACACS+ server. Replace seconds with a number up to 30 that determines how long the PIX Firewall waits before retrying the connection to the TACACS+ server. The default value is 5 seconds.
The PIX Firewall only expands the command and the command modifier (show, clear, no) when it sends these to the TACACS+ server. The command arguments are not expanded.
For effective operation, it is a good idea to permit the following basic commands on the AAA server:
•
•
•
•
•
•
•
•
•
•
For Cisco PIX Device Manager (PDM) to work with Command Authorization using a TACACS+ Server, the AAA server administrator should authorize the user for the following commands:
•
•
•
•
Recovering from Lockout
If you get locked out because of a mistake in configuring Command Authorization, you can usually recover access by simply restarting the PIX Firewall from the configuration that is saved in Flash memory.
If you have already saved your configuration and you find that you configured authentication using the LOCAL database but did not configure any usernames you created a lockout problem. You can also encounter a lockout problem by configuring command authorization using a TACACS+ server if the TACACS+ server is unavailable, down or misconfigured.
If you cannot recover access to the PIX Firewall by restarting your PIX Firewall, use your web browser to access the following website:
http://www.cisco.com/warp/public/110/34.shtml
This website provides a downloadable file with instructions for using it to remove the lines in the PIX Firewall configuration that enable authentication and cause the lockout problem.
You can encounter a different type of lockout problem if you use the aaa authorization command tacacs_server_tag command and you are not logged as the correct user. For every command you type, the PIX Firewall will display the following message:
Command Authorization failedThis occurs because the TACACS+ server does not have a user profile for the user account that you used for logging in. To prevent this problem, make sure that the TACACS+ server has all the users configured with the commands that they can execute. Also make sure that you are logged in as a user with the required profile on the TACACS+ server.
Using Network Time Protocol
This section describes how to use the Network Time Protocol (NTP) client, introduced with PIX Firewall version 6.2. It includes the following topics:
•
Overview
The Network Time Protocol (NTP) is used to implement a hierarchical system of servers that provide a source for precisely synchronized time among network systems. This kind of accuracy is required for time-sensitive operations such as validating a certificate revocation lists (CRL), which includes a precise time stamp.
PIX Firewall version 6.2 introduces an NTP client that allows the PIX Firewall to obtain its system time from NTP version 3 servers, like those provided with Cisco IOS routers.
Enabling NTP
To enable the PIX Firewall NTP client, enter the following command:
[no] ntp server ip_address [key number] source if_name [prefer]This command causes the PIX Firewall to synchronize with the time server identified by ip_address. The key option requires a authentication key when sending packets to this server. When using this option, replace number with the authentication key. The interface specified by if_name is used to send packets to the time server. If the source keyword is not specified, the routing table will be used to determine the interface. The prefer option makes the specified server the preferred server to provide synchronization, which reduces switching back and forth between servers.
To enable authentication for NTP messages, enter the following command:
[no] ntp authenticate[no] ntp authentication-key number md5 value[no] ntp trusted-key numberThe ntp authenticate command enables NTP authentication. If you enter this command, the PIX Firewall will not synchronize to an NTP server unless the server is configured with one of the authentication keys specified using the ntp trusted-key command.
The ntp authentication-key command is used to define authentication keys for use with other NTP commands to provide a higher degree of security. The number parameter is the key number (1 to 4294967295). The value parameter is the key value (an arbitrary string of up to 32 characters). The key value will be replaced with `********' when the configuration is viewed with either the write terminal, show configuration, or show tech-support commands.
Use the ntp trusted-key command to define one or more key numbers corresponding to the keys defined with the ntp authentication-key command. The PIX Firewall will require the NTP server to provide this key number in its NTP packets. This provides protection against synchronizing the PIX Firewall system clock with an NTP server that is not trusted.
To remove NTP configuration, enter the following command:
clear ntpThis command removes the NTP configuration, disables authentication, and removes all the authentication keys.
Viewing NTP Status and Configuration
This section describes the information available about NTP status and associations. To view information about NTP status and configuration, use any of the following commands:
•
•
•
The following examples show sample output for each command and the following tables define the meaning of the values in each column of the output.
Example 9-1 shows sample output from the show ntp associations command:
Example 9-1 Sample Output for show ntp association Command
PIX> show ntp associationsaddress ref clock st when poll reach delay offset disp~172.31.32.2 172.31.32.1 5 29 1024 377 4.2 -8.59 1.6+~192.168.13.33 192.168.1.111 3 69 128 377 4.1 3.48 2.3*~192.168.13.57 192.168.1.111 3 32 128 377 7.9 11.18 3.6* master (synced), # master (unsynced), + selected, - candidate, ~ configuredThe first characters in a display line can be one or more of the following characters:
•
•
•
•
•
•
Example 9-2 provides sample output for the show ntp association detail command:
Example 9-2 Sample Output for show ntp association detail Command
pix(config)# show ntp associations detail172.23.56.249 configured, our_master, sane, valid, stratum 4ref ID 172.23.56.225, time c0212639.2ecfc9e0 (20:19:05.182 UTC Fri Feb 222002)our mode client, peer mode server, our poll intvl 128, peer poll intvl 128root delay 38.04 msec, root disp 9.55, reach 177, sync dist 156.021delay 4.47 msec, offset -0.2403 msec, dispersion 125.21precision 2**19, version 3org time c02128a9.731f127b (20:29:29.449 UTC Fri Feb 22 2002)rcv time c02128a9.73c1954b (20:29:29.452 UTC Fri Feb 22 2002)xmt time c02128a9.6b3f729e (20:29:29.418 UTC Fri Feb 22 2002)filtdelay = 4.47 4.58 4.97 5.63 4.79 5.52 5.870.00filtoffset = -0.24 -0.36 -0.37 0.30 -0.17 0.57 -0.740.00filterror = 0.02 0.99 1.71 2.69 3.66 4.64 5.6216000.0Table 9-2 describes the meaning of the values in each column:
Example 9-3 provides sample output for the show ntp status command:
Example 9-3 Output of the show ntp status Command
pixfirewall(config)# show ntp statusClock is synchronized, stratum 5, reference is 172.23.56.249nominal freq is 99.9984 Hz, actual freq is 100.0266 Hz, precision is 2**6reference time is c02128a9.73c1954b (20:29:29.452 UTC Fri Feb 22 2002)clock offset is -0.2403 msec, root delay is 42.51 msecroot dispersion is 135.01 msec, peer dispersion is 125.21 msecTable 9-3 describes the meaning of the values in each column:
Managing the PIX Firewall Clock
This section describes how to manage the PIX Firewall system clock and includes the following topics:
•
Viewing System Time
To view the current system time, enter the following command:
show clock [detail]This command displays the system time. The detail option displays the clock source and the current summer-time setting. PIX Firewall version 6.2 provides milliseconds, timezone, and day.
For example:
16:52:47.823 PST Wed Feb 21 2001Setting the System Clock
To set the system time, enter the following command:
clock set hh:mm:ss month day year
Replace hh:mm:ss with the current hours (1-24), minutes, and seconds. Replace month with the first three characters of the current month. Replace day with the numeric date within the month (1-31), and replace year with the four-digit year (permitted range is 1993 to 2035).
Setting Daylight Savings Time and Timezones
PIX Firewall version 6.2 also provides enhancements to the clock command to support daylight savings (summer) time and time zones.
To configure daylight savings (summer) time, enter the following command:
clock summer-time zone recurring [week weekday month hh:mm week weekday month hh:mm [offset]]The summer-time keyword automatically switches to summer time (for display purposes only).
The recurring keyword indicates that summer time should start and end on the days specified by the values that follow this keyword. If no values are specified, the summer time rules default to United States rules. The week option is the week of the month (1 to 5 or last). The weekday option is the day of the week (Sunday, Monday,...). The month parameter is the full name of the month (January, February,...). The hh:mm parameter is the time (24-hour military format) in hours and minutes. The offset option is the number of minutes to add during summer time (default is 60).
Use either of the following commands when the recurring keyword cannot be used:
clock summer-time zone date date month year hh:mm date month year hh:mm [offset]clock summer-time zone date month date year hh:mm month date year hh:mm [offset]The date keyword causes summer time to start on the first date listed in the command and to end on the second specific date in the command. Two forms of the command are included to enter dates either in the form month date (for example, January 31) or date month (for example, 31 January).
In both forms of the command, the first part of the command specifies when summer time begins, and the second part specifies when it ends. All times are relative to the local time zone.
If the starting month is after the ending month, the Southern Hemisphere is assumed.
The zone parameter is the name of the time zone (for example, PDT) to be displayed when summer time is in effect. The week option is the week of the month (1 to 5 or last). The weekday option is the day of the week (Sunday, Monday,...). The date parameter is the date of the month (1 to 31). The month parameter is the full name of the month (January, February,...). The year parameter is the four-digit year (1993 to 2035). The hh:mm parameter is the time (24-hour military format) in hours and minutes. The offset option is the number of minutes to add during summer time (default is 60).
To set the time zone for display purposes only, enter the following command:
clock timezone zone hours [minutes]The clock timezone command sets the time zone for display purposes (internally, the time is kept in UTC). The no form of the command is used to set the time zone to Coordinated Universal Time (UTC). The zone parameter is the name of the time zone to be displayed when standard time is in effect. The hours parameter is the hours offset from UTC. The minutes option is the minutes offset from UTC.
The clear clock command will remove the summer time setting and set the time zone to UTC.
Using Telnet for Remote System Management
The serial console lets a single user configure the PIX Firewall, but often this is not convenient for a site with more than one administrator. PIX Firewall lets you access the console via Telnet from hosts on any internal interface. With IPSec configured, you can use Telnet to remotely administer the console of a PIX Firewall from lower security interfaces.
Note
This section includes the following topics:
•
•
Configuring Telnet Console Access to the Inside Interface
Note
Follow these steps to configure Telnet console access:
Step 1
For example, to let a host on the internal interface with an address of 192.168.1.2 access the PIX Firewall, enter the following:
telnet 192.168.1.2 255.255.255.255 insideTo Telnet to a lower security interface, refer to "Allowing a Telnet Connection to the Outside Interface."
Step 2
The default duration, 5 minutes, is too short in most cases and should be increased until all pre-production testing and troubleshooting has been completed. Set a longer idle time duration as shown in the following example.
telnet timeout 15Step 3
This requires that you have a username and password on the authentication server. When you access the console, PIX Firewall prompts you for these login credentials. If the authentication server is off line, you can still access the console by using the username pix and the password set with the enable password command.
Step 4
Example 9-4 shows commands for using Telnet to permit host access to the PIX Firewall console.
Example 9-4 Using Telnet
telnet 10.1.1.11 255.255.255.255telnet 192.168.3.0 255.255.255.0The first telnet command permits a single host, 10.1.1.11 to access the PIX Firewall console with Telnet. The 255 value in the last octet of the netmask means that only the specified host can access the console.
The second telnet command permits PIX Firewall console access from all hosts on the 192.168.3.0 network. The 0 value in the last octet of the netmask permits all hosts in that network access. However, Telnet only permits 16 hosts simultaneous access to the PIX Firewall console over Telnet.
Allowing a Telnet Connection to the Outside Interface
This section tells you how to configure a Telnet connection to a lower security interface of the PIX Firewall. It includes the following topics:
•
Overview
This section also applies when using the Cisco Secure Policy Manager version 2.0 or higher. It is assumed you are using the Cisco VPN Client version 3.x, Cisco Secure VPN Client version 1.1, or the Cisco VPN 3000 Client version 2.5/2.6, to initiate the Telnet connection.
Note
Once you have configured Telnet access, refer to "Using Telnet" for more information about using this command.
Note
Using Cisco Secure VPN Client
This section applies only if you are using a Cisco Secure VPN Client. In the example, the IP address of the PIX Firewall's outside interface is 168.20.1.5, and the Cisco Secure VPN Client's IP address, derived from the virtual pool of addresses, is 10.1.2.0.
To encrypt your Telnet connection to a PIX Firewall lower interface, perform the following steps as part of your PIX Firewall configuration:
Step 1
access-list 80 permit ip host 168.20.1.5 10.1.2.0 255.255.255.0Step 2
telnet 10.1.2.0 255.255.255.0 outsideSpecify the VPN client's address from the local pool and the outside interface.
Step 3
Step 4
Using Cisco VPN 3000 Client
This section applies only if you are using a Cisco VPN 3000 Client. To encrypt your Telnet connection to the PIX Firewall's outside interface, perform the following step as part of your PIX Firewall configuration. In the following example, the IP address of the PIX Firewall's outside interface is 168.20.1.5, and the Cisco VPN 3000 Client's IP address stemming from the virtual pool of addresses is 10.1.2.0.
Specify which host can access the PIX Firewall console with Telnet. Specify the VPN client's address from the local pool and the outside interface.
telnet 10.1.2.0 255.255.255.0 outside
Note
Using Telnet
Perform the following steps to test Telnet access:
Step 1
If you are using Windows 95 or Windows NT, click Start>Run to start a Telnet session. For example, if the inside interface IP address is 192.168.1.1, enter the following command.
telnet 192.168.1.1Step 2
PIX passwd:Enter cisco and press the Enter key. You are then logged into the PIX Firewall.
The default password is cisco, which you can change with the passwd command.
You can enter any command on the Telnet console that you can set from the serial console, but if you reboot the PIX Firewall, you will must log back into the PIX Firewall after it restarts.
Some Telnet applications such as the Windows 95 or Windows NT Telnet sessions may not support access to the PIX Firewall's command history feature used with the arrow keys. However, you can access the last entered commands by pressing Ctrl-P.
Step 3
You can view ping information from Telnet sessions with the debug icmp trace command. The Trace Channel feature also affects debug displays, which is explained in "Trace Channel Feature."
Messages from a successful ping appear as follows:
Outbound ICMP echo request (len 32 id 1 seq 512) 209.165.201.2 > 209.165.201.1Inbound ICMP echo reply (len 32 id 1 seq 256) 209.165.201.1 > 209.165.201.23Step 4
a.
If you are using the PIX Firewall in production mode, you may wish to use the logging buffered 7 command to store messages in a buffer that you can view with the show logging command, and clear the buffer for easier viewing with the clear logging command. To stop buffering messages, use the no logging buffered command.
You can also lower the number from 7 to a lesser value, such as 3, to limit the number of messages that appear.
b.
Trace Channel Feature
The debug packet command sends its output to the Trace Channel. All other debug commands do not. Use of Trace Channel changes the way you can view output on your screen during a PIX Firewall console or Telnet session.
If a debug command does not use Trace Channel, each session operates independently, which means any commands started in the session only appear in the session. By default, a session not using Trace Channel has output disabled by default.
The location of the Trace Channel depends on whether you have a simultaneous Telnet console session running at the same time as the console session, or if you are using only the PIX Firewall serial console:
•
•
•
The debug commands are shared between all Telnet and serial console sessions.
Note
Using SSH for Remote System Management
This section describes how to use Secure Shell (SSH) for remote access to the PIX Firewall console. It includes the following topics:
•
•
•
Overview
SSH (Secure Shell) is an application running on top of a reliable transport layer, such as TCP/IP that provides strong authentication and encryption capabilities. PIX Firewall supports the SSH remote shell functionality provided in SSH version 1. SSH version 1 also works with Cisco IOS software devices. Up to five SSH clients are allowed simultaneous access to the PIX Firewall console.
Note
Another method of remotely configuring a PIX Firewall unit involves using a Telnet connection to the PIX Firewall to start a shell session and then entering configuration mode. This connection method can only provide as much security as Telnet provides, which is only provided as lower-layer encryption (for example, IPSec) and application security (username/password authentication at the remote host).
Note
Obtaining an SSH Client
Note
Download an SSH v1.x client from one of the following websites.
•
http://hp.vector.co.jp/authors/VA002416/teraterm.html
The TTSSH security enhancement for Tera Term Pro is available at the following website:
http://www.zip.com.au/~roca/ttssh.html
Note
•
http://www.openssh.com
•
http://www.lysator.liu.se/~jonasw/freeware/niftyssh/
Identifying the Host Using an SSH Client
Identify each host to be used to access the PIX Firewall console using SSH by entering the following command:
[no] ssh ip_address [netmask] [interface_name]To use this command:
•
•
Note
•
To specify the duration in minutes that a session can be idle before being disconnected, enter the following command:
ssh timeout numberReplace number with a value from 1 to 60 (minutes). The default duration is 5 minutes.
To disconnect a specific session, enter the following command:
ssh disconnect session_idReplace session_id with the identifier for the specific session that you want to disconnect. To display the identifiers for the active sessions, use the show ssh sessions command.
To remove all ssh command statements from the configuration, enter the following command:
clear sshUse the no keyword to remove selected ssh command statements from the configuration.
Note
Configuring Authentication for an SSH Client
To configure local authentication for an SSH client accessing the PIX Firewall from a Linux or UNIX command line, enter the following command:
ssh -c 3des -1 pix -v ipaddressUse the -c option to identify the cipher used. PIX Firewall accepts 3des and des. Use the -l option to identify the password used for connecting to the PIX Firewall. If no authentication is enabled on the SSH connection, use the default user name pix. Use the -v option to enable verbose mode, and replace ipaddress with the address of the PIX Firewall.
Note
The password used to perform local authentication is the same as the one used for Telnet access. The default for this password is cisco. To change this password, enter the following command:
passwd stringSSH permits up to 100 characters for a username and up to 50 characters for the password.
To enable authentication using a AAA server, enter the following command:
aaa authenticate ssh console server_tagReplace server_tag with the identifier for the AAA server.
Connecting to the PIX Firewall with an SSH Client
To gain access to the PIX Firewall console using SSH, at the SSH client, enter the username pix and enter the Telnet password.
When starting an SSH session, a dot (.) displays on the PIX Firewall console before the SSH user authentication prompt appears, as follows:
pixfirewall(config)# .The display of the dot does not affect the functionality of SSH. The dot appears at the console when generating a server key or decrypting a message using private keys during SSH key exchange before user authentication occurs. These tasks can take up to two minutes or longer. The dot is a progress indicator that verifies that the PIX Firewall is busy and has not hung.
Viewing SSH Status
To view the status of SSH sessions, enter the following command:
show ssh [sessions [ip_address]]The show ssh sessions command provides the following display:
Session ID Client IP Version Encryption State Username0 172.16.25.15 1.5 3DES 4 -1 172.16.38.112 1.5 DES 6 pix2 172.16.25.11 1.5 3DES 4 -The Session ID is a unique number that identifies an SSH session. The Client IP is the IP address of the system running an SSH client. The Version lists the protocol version number that the SSH client supports. The Encryption column lists the type of encryption the SSH client is using. The State column lists the progress the client is making as it interacts with the PIX Firewall. The Username column lists the login username that has been authenticated for the session. The "pix" username appears when non-AAA authentication is used.
Enabling Auto Update Support
Auto Update is a protocol specification introduced with PIX Firewall version 6.2. This section describes how to enable support for this specification on a PIX Firewall and includes the following topics:
•
•
Overview
The Auto Update specification provides the infrastructure necessary for remote management applications to download PIX Firewall configurations, software images, and to perform basic monitoring from a centralized location.
The Auto Update specification allows the Auto Update Server to either push configuration information and send requests for information to the PIX Firewall, or to cause the PIX Firewall to periodically poll the Auto Update Server. The Auto Update Server can also send a command to the PIX Firewall to send an immediate polling request at any time. Communication between the Auto Update Server and the PIX Firewall requires a communications path and local CLI configuration on each PIX Firewall.
Identifying the Auto Update Server
To specify the URL of the Auto Update Server, use the following command:
[no] auto-update server url [verify-certificate]Only one server can be configured. Replace url with a URL using the following syntax:
[http[s]://][user:password@]location[:port]/pathnameSSL will be used when https is specified. The user and password segment is used for Basic Authentication when logging in to the server. The user and password are replaced with `********' when the configuration is viewed with either the write terminal, show configuration or show tech-support commands.
Replace location with the IP address (or a DNS host name that resolves to the IP address) of the server. The port segment specifies the port to contact on the server. The default is 80 for HTTP and 443 for HTTPS. The pathname segment is the name of the resource.
The verify-certificate option specifies that the certificate returned by the server should be verified.
The no auto-update server command disables polling for updates by terminating the Auto Update daemon running on the PIX Firewall.
Managing Auto Update Support
To enable the PIX Firewall for polling a Auto Update Server, use the following command:
[no] auto-update device-id hardware-serial | hostname | ipaddress [if-name] | mac-address [if-name] | string textThe auto-update device-id command is used to identify the device ID to send when communicating with the Auto Update Server. The identifier used is determined by using one of the following parameters:
•
•
•
•
•
Use the no auto-update device-id command to reset the device ID to the default of host name.
To specify how often to poll the Auot Update server for configuration or image updates, enter the following command:
[no] auto-update poll-period poll-period [retry-count [retry-period]]The poll-period parameter specifies how often (in minutes) to check for an update. The default is 720 minutes (12 hours). The retry-count option specifies how many times to try re-connecting to the server if the first attempt fails. The default is 0. The retry-period option specifies how long to wait (in minutes) between retries. The default is 5.
Use the no auto-update poll-period command to reset the poll period to the default.
To cause the PIX Firewall to stop all new connections if the Auto Update server has not been contacted for a period of time, enter the following command:
[no] auto-update timeout periodUse this command to ensure that the PIX Firewall has the most recent image and configuration. This condition will be reported with the existing syslog %PIX-3-201008.
To remove the entire Auto Update configuration, enter the following command:
clear auto-updateViewing the Auto Update Configuration
To display the Auto Update Server, poll time, timeout period, device ID, poll statistics and update statistics, enter the following command:
show auto-updateThe following is sample output from the show auto-update command:
show auto-updateServer: https://********@172.23.58.115:1742/management.cgi?1276Certificate will be verifiedPoll period: 720 minutes, retry count: 2, retry period: 5 minutesTimeout: noneDevice ID: host name [jeffryp-pix-pri]Next poll in 4.93 minutesLast poll: 11:36:46 PST Tue Nov 13 2001Last PDM update: 23:36:46 PST Tue Nov 12 2001Capturing Packets
This section describes the packet capture utility introduced with PIX Firewall version 6.2. It includes the following topics:
•
Overview
Capturing packets is sometimes useful when troubleshooting connectivity problems or monitoring suspicious activity. You can use the PIX Firewall packet capture utility to capture specific types of traffic on any PIX Firewall interface.
The packet capture utility provides the following features:
•
•
•
•
•
•
•
Configuration Procedure
To capture and display packets on a PIX Firewall interface, perform the following steps:
Step 1
capture capture-name [access-list acl_id][buffer bytes] [ethernet-type type][interface name][packet-length bytes]Replace capture-name with an alphanumeric identifier that you will use to display or copy the captured packets. The PIX Firewall captures packets on the interface specified by name until the packet capture buffer is full.
Replace acl_id with the name of any existing access list, which can limit the capture based on one or more of the following selection criteria:
•
•
•
•
For information about configuring an access control list, refer to "Controlling Outbound Connectivity" in Chapter 3, "Controlling Network Access and Use."
To use the buffer option, replace bytes with the number of bytes you want to assign to the packet capture buffer, subject to the memory available on the PIX Firewall. The default buffer size is 512 K. You can run multiple packet captures on different interfaces concurrently if the PIX Firewall has sufficient memory.
To use the ethernet option, replace type with one of the following packet types: ip, arp, rarp, vlan, 802.1Q, ipx, ip6, pppoed, pppoes, or any number in the range from 1 to 65536 (corresponding to the protocol type specified in the Ethernet packet). When using 802.1Q (VLAN), the 802.1Q tag is automatically skipped and the inner ethernet-type is used for matching. If you enter ethernet-type 0, all packet types are captured.
To use the packet-length option, replace bytes with the maximum number of bytes from each packet that you want copied to the capture buffer. By default, the limit is 68 bytes.
Step 2
show capture [capture-name][access-list acl_id][count count][detail] [dump]Replace capture-name with the identifier you assigned to the packet capture. Replace acl_id with the name of an access control list to restrict the display of the captured packets. Replace count with the number of packets to display.
The fields included when you use the detail option are listed within square brackets ([]) in Table 9-4.
The dump option displays a hexadecimal display of the packet transported over the data link transport. Note that Media Access Control (MAC) information is not shown. A dump is also displayed if no protocol is available.
Use the show capture command without any parameters to display the current runtime configuration for packet captures.
Step 3
https://pix-host/capture/capture-name[/pcap]Replace pix-host with the IP address or host name of the PIX Firewall where the packet capture occurred. Replace capture-name with the name of the packet capture you want to view.
The pcap option causes the packet capture to be downloaded to the web browser in libpcap format. After you save the packet capture from the browser, you can view a libpcap file with tcpdump or other applications.
Step 4
copy capture:capture-name tftp://location/path [pcap]Replace capture-name with the name of the packet capture you want to view. Replace location and path with the host name, path name, and file name of the file where you want to store the captured packets. Some TFTP servers may require that the file already exists with write permission assigned to "world." The pcap option causes the file to be created in libpcap format, which can be viewed with tcpdump or other applications.
Step 5
clear capture capture-nameStep 6
no capture capture-nameReplace capture-name with the name of the packet capture you want to clear.
Step 7
no capture capture-name [interface name]Replace capture-name with the name of the packet capture you want to stop. When you use the interface option to identify a specific interface, replace name with the name assigned to the interface.
Step 8
no capture capture-name access-list acl_idReplace capture-name with the name of the packet capture and replace acl_id with the name of the access list.
Packet Capture Output Formats
Table 9-4 shows the output formats for packet captures of different protocol types. The decoded output of the packets is dependent on the protocol of the packet. The output in square brackets is displayed when you use the capture command with the detail option.
Packet Capture Examples
This section includes examples of different types of packet captures.
Example 9-5 illustrates an HTTP packet capture.
Example 9-5 Capturing an HTTP Session
In the following example, traffic is captured from an outside client at 209.165.200.225 to an inside HTTP server:
access-list http permit tcp host 10.120.56.15 eq http host 209.165.200.225access-list http permit tcp host 209.165.200.225 host 10.120.56.15 eq httpcapture capweb access-list http packet-length 74 interface insideExample 9-6 illustrates how to display a packet capture using a web browser.
Example 9-6 Displaying a libpcap File with a Web Browser
The following command downloads a libpcap file to a local machine, using a web browser such as Internet Explorer or Netscape Communicator:
https://209.165.200.226/capture/http/pcapExample 9-7 copies an FTP trace to the file "ftp-dump" on the TFTP server 209.165.200.226.
Example 9-7 Saving to a Remote TFTP Server
pixfirewall# copy capture:ftp tftp://209.165.200.226/ftp-dumpWriting to file '/tftpboot/ftp-dump' at 209.165.200.226 on outsideExample 9-8 illustrates a packet capture of ARP packets:Example 9-8 ARP Packet Capture
+-----------------------------------------------------------------+| pixfirewall# capture arp ethernet-type arp interface outside || pixfirewall# show capture || capture arp ethernet-type arp interface outside || pixfirewall# show capture arp || 6 packets captured, 6 packets to be shown || 10:46:25.452369 arp who-has 209.165.200.225 (ff:ff:ff:ff:ff:ff) || tell 209.165.200.235 || 10:46:26.312850 arp who-has 209.165.201.2 tell 209.165.200.227 || 10:46:26.392283 arp who-has 209.165.200.225 (ff:ff:ff:ff:ff:ff) || tell 209.165.200.235 || 10:46:28.923368 arp who-has 209.165.200.226 (ff:ff:ff:ff:ff:ff || tell 209.165.200.235 || 10:46:29.255998 arp who-has 209.165.202.129 || tell 209.165.202.130 (0:2:b9:45:bf:7b) || 10:46:29.256136 arp reply 209.165.202.129 is-at 0:a0:c9:86:8e:9c|+-----------------------------------------------------------------+Example 9-9 illustrates a packet capture of PPPoE discovery packets:Example 9-9 Capturing PPPoE Discovery
+--------------------------------------------------------------------+| pixfirewall# capture pppoed ethernet-type pppoed interface outside || pixfirewall(config)# show capture || capture pppoed ethernet-type pppoed interface outside || pixfirewall(config)# show capture pppoed || 3 packets captured, 3 packets to be shown || 02:13:21.844408 ffff.ffff.2ac5 ffff.ffff.ffff 0x8863 32: || 1109 0000 000c 0101 0000 0103 0004 386c || f280 || 02:13:25.841738 ffff.ffff.3cc0 ffff.ffff.ffff 0x8863 32: || 1109 0000 000c 0101 0000 0103 0004 386c || f280 || 02:13:33.841875 ffff.ffff.76c0 ffff.ffff.ffff 0x8863 32: || 1109 0000 000c 0101 0000 0103 0004 386c || f280 |+--------------------------------------------------------------------+Example 9-9 illustrates a packet capture on multiple interfaces. The example captures an FTP session to an FTP server at host 209.165.202.129.
Example 9-10 Capturing On Multiple Interfaces
+--------------------------------------------------------------------------+| pixfirewall(config)# access-list ftp tcp any host 209.165.202.129 eq ftp || pixfirewall(config)# access-list ftp tcp host 209.165.202.129 eq ftp any || pixfirewall# capture ftp access-list ftp || pixfirewall# capture ftp interface inside interface outside || pixfirewall# show capture || capture ftp access-list ftp interface outside interface inside || pixfirewall# || pixfirewall# show capture ftp || 5 packets captured, 5 packets to be shown || 11:21:17.705041 10.1.1.15.2158 > 10.1.1.15.2158: || S 3027585165:3027585165(0) win 512 <mss 1460> || 11:21:17.705133 209.165.202.130.2158 > 209.165.202.130.2158: || S 4192390209:4192390209(0) win 512 <mss 1380> || 11:21:17.705651 10.1.1.15.2158 > 10.1.1.15.2158: || . ack 3463843411 win 32120 || 11:21:17.705667 209.165.202.130.2158 > 209.165.202.130.2158: || . ack 3463843411 win 32120 || 11:21:20.784337 10.1.1.15.2158 > 10.1.1.15.2158: || . ack 3463843521 win 32120 |+--------------------------------------------------------------------------+IDS Syslog Messages
PIX Firewall lists single-packet (atomic) Cisco Intrusion Detection System (IDS) signature messages via syslog. Refer to Cisco PIX Firewall System Log Messages for a list of the supported messages. You can view this document online at the following website:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/syslog/index.htm
All signature messages are not supported by PIX Firewall in this release. IDS syslog messages all start with PIX-4-4000nn and have the following format:
%PIX-4-4000nn IDS:sig_num sig_msg from ip_addr to ip_addr on interface int_nameFor example:
%PIX-4-400013 IDS:2003 ICMP redirect from 10.4.1.2 to 10.2.1.1 on interface dmz%PIX-4-400032 IDS:4051 UDP Snork attack from 10.1.1.1 to 192.168.1.1 on interface outside
Note
Table 9-5 lists the values and the meaning of each syslog output parameter.
Table 9-6 summarizes the commands that you can use to determine the messages that are displayed.
Using SNMP
This section describes how to enable SNMP for monitoring the PIX Firewall with a network management system (NMS). It includes the following topics:
•
•
Overview
The snmp-server command causes the PIX Firewall to send SNMP traps so that the PIX Firewall can be monitored remotely. Use snmp-server host command to specify which systems receive the SNMP traps.
The PIX Firewall SNMP MIB-II groups available are System and Interfaces. The Cisco Firewall MIB and Cisco Memory Pool MIB are also available.
All SNMP values are read only (RO).
Using SNMP, you can monitor system events on the PIX Firewall. SNMP events can be read, but information on the PIX Firewall cannot be changed with SNMP.
The PIX Firewall SNMP traps available to an SNMP management station are as follows:
•
–
–
–
•
–
–
–
Use CiscoWorks for Windows or any other SNMP V1, MIB-II compliant browser to receive SNMP traps and browse an MIB. SNMP traps occur at UDP port 162.
MIB Support
Note
You can browse the System and Interface groups of MIB-II. Browsing an MIB is different from sending traps. Browsing means doing an snmpget or snmpwalk of the MIB tree from the management station to determine values.
The Cisco Firewall MIB and Cisco Memory Pool MIB are available.
PIX Firewall does not support the following in the Cisco Firewall MIB:
•
•
•
•
•
•
SNMP CPU Utilization
PIX Firewall version 6.2 introduces support for monitoring CPU utilization through SNMP. This feature allows network administrators to monitor PIX Firewall CPU usage using SNMP management software, (such as HP OpenView) for capacity planning.
This functionality is implemented through support for the cpmCPUTotalTable of the Cisco Process MIB (CISCO-PROCESS-MIB.my.) The other two tables in the MIB, cpmProcessTable and cpmProcessExtTable are not supported in this release.
Each row of the cpmCPUTotalTable consists of the following five elements:
•
Note
•
•
•
•
The values of the last three elements will be the same as the output of the show cpu usage command.
PIX Firewall does not support the following new MIB objects in the cpmCPUTotalTable:
•
•
•
SNMP Usage Notes
•
•
•
SNMP Traps
Traps are different than browsing; they are unsolicited "comments" from the managed device to the management station for certain events, such as link up, link down, and syslog event generated.
An SNMP object ID (OID) for PIX Firewall displays in SNMP event traps sent from the PIX Firewall. PIX Firewall provides system OID in SNMP event traps & SNMP mib-2.system.sysObjectID variable based on the hardware platform.
Table 9-8 lists the system OID in PIX Firewall platforms:
The SNMP service running on the PIX Firewall performs two different functions:
•
•
Receiving Requests and Sending Syslog Traps
Follow these steps to receive requests and send traps from the PIX Firewall to an SNMP management station:
Step 1
Step 2
If you only want to send the cold start, link up, and link down generic traps, no further configuration is required.
If you only want to receive SNMP requests, no further configuration is required.
Step 3
Step 4
logging history debuggingWe recommend that you use the debugging level during initial set up and during testing. Thereafter, set the level from debugging to a lower value for production use.
(The logging history command sets the severity level for SNMP syslog messages.)
Step 5
Step 6
The commands in Example 9-11 specify that PIX Firewall can receive the SNMP requests from host 192.168.3.2 on the inside interface but does not send SNMP syslog traps to any host.
Example 9-11 Enabling SNMP
snmp-server host 192.168.3.2snmp-server location building 42snmp-server contact polly hedrasnmp-server community ohwhatakeyistheeThe location and contact commands identify where the host is and who administers it. The community command specifies the password in use at the PIX Firewall SNMP agent and the SNMP management station for verifying network access between the two systems.
Compiling Cisco Syslog MIB Files
To receive security and failover SNMP traps from the PIX Firewall, compile the Cisco SMI MIB and the Cisco syslog MIB into your SNMP management application. If you do not compile the Cisco syslog MIB into your application, you only receive traps for link up or down, firewall cold start and authentication failure.
You can select Cisco MIB files for PIX Firewall and other Cisco products from the following website:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
From this page, select PIX Firewall from the Cisco Secure & VPN selection list.
Follow these steps to compile Cisco syslog MIB files into your browser using CiscoWorks for Windows (SNMPc):
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Note
Step 7
Step 8
Step 9
Step 10
Step 11
Step 12
Step 13
Step 14
Step 15
Step 16
Step 17
Step 18
Note
Using the Firewall and Memory Pool MIBs
The Cisco Firewall and Memory Pool MIBs let you poll failover and system status.
This section contains the following topics:
In the tables that follow in each section, the meaning of each returned value is shown in parentheses.
ipAddrTable Notes
Use of the SNMP ip.ipAddrTable entry requires that all interfaces have unique addresses. If interfaces have not been assigned IP addresses, by default, their IP addresses are all set to 127.0.0.1. Having duplicate IP addresses causes the SNMP management station to loop indefinitely. The workaround is to assign each interface a different address. For example, you can set one address to 127.0.0.1, another to 127.0.0.2, and so on.
SNMP uses a sequence of GetNext operations to traverse the MIB tree. Each GetNext request is based on the result of the previous request. Therefore, if two consecutive interfaces have the same IP 127.0.0.1 (table index), the GetNext function returns 127.0.0.1, which is correct; however, when SNMP generates the next GetNext request using the same result (127.0.0.1), the request is identical to the previous one, which causes the management station to loop infinitely.
For example:
GetNext(ip.ipAddrTable.ipAddrEntry.ipAdEntAddr.127.0.0.1)In SNMP protocol, the MIB table index should be unique for the agent to identify a row from the MIB table. The table index for ip.ipAddrTable is the PIX Firewall interface IP address, so the IP address should be unique; otherwise, the SNMP agent will get confused and may return information of another interface (row), which has the same IP (index).
Viewing Failover Status
The Cisco Firewall MIB's cfsHardwareStatusTable lets you determine whether failover is enabled and which unit is active. The Cisco Firewall MIB indicates failover status by two rows in the cfwHardwareStatusTable object. From the PIX Firewall command line, you can view failover status with the show failover command. You can access the object table from the following path:
.iso.org.dod.internet.private.enterprises.cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.cfwStatus.cfwHardwareStatusTableTable 9-9 lists which objects provide failover information.
In the HP OpenView Browse MIB application's "MIB values" window, if failover is disabled, a sample MIB query yields the following information:
cfwHardwareInformation.6 :cfwHardwareInformation.7 :cfwHardwareStatusValue.6 :0cfwHardwareStatusValue.7 :0cfwHardwareStatusDetail.6 :Failover OffcfwHardwareStatusDetail.7 :Failover OffFrom this listing, the table index, cfwHardwareType, appears as either .6 or .7 appended to the end of each of the subsequent objects. The cfwHardwareInformation field is blank, the cfwHardwareStatusValue is 0, and the cfwHardwareStatusDetail contains Failover Off, which indicates the failover status.
When failover is enabled, a sample MIB query yields the following information:
cfwHardwareInformation.6 :cfwHardwareInformation.7 :cfwHardwareStatusValue.6 : activecfwHardwareStatusValue.7 : standbycfwHardwareStatusDetail.6 :cfwHardwareStatusDetail.7 :In this listing, only the cfwHardwareStatusValue contains values, either active or standby to indicate the status of each unit.
Verifying Memory Usage
You can determine how much free memory is available with the Cisco Memory Pool MIB. From the PIX Firewall command line, memory usage is viewed with the show memory command. The following is sample output from the show memory command.
show memory16777216 bytes total, 5595136 bytes freeYou can access the MIB objects from the following path:
.iso.org.dod.internet.private.enterprises.cisco.ciscoMgmt.ciscoMemoryPoolMIB.ciscoMemoryPoolObjects.ciscoMemoryPoolTableTable 9-10 lists which objects provide memory usage information.
In the HP OpenView Browse MIB application's "MIB values" window a sample MIB query yields the following information:
ciscoMemoryPoolName.1 :PIX system memoryciscoMemoryPoolAlternate.1 :0ciscoMemoryPoolValid.1 :trueciscoMemoryPoolUsed.1 :12312576ciscoMemoryPoolFree.1 :54796288ciscoMemoryPoolLargestFree.1 :0From this listing, the table index, ciscoMemoryPoolName, appears as the .1 value at the end of each subsequent object value. The ciscoMemoryPoolUsed object lists the number of bytes currently in use, 12312576, and the ciscoMemoryPoolFree object lists the number of bytes currently free 54796288. The other objects always list the values described in Table 9-10.
Viewing The Connection Count
You can view the number of connections in use from the cfwConnectionStatTable in the Cisco Firewall MIB. From the PIX Firewall command line, you can view the connection count with the show conn command. The following is sample output from the show conn command to demonstrate where the information in cfwConnectionStatTable originates.
show conn15 in use, 88 most usedThe cfwConnectionStatTable object table can be accessed from the following path:
.iso.org.dod.internet.private.enterprises.cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.cfwStatistics.cfwConnectionStatTableTable 9-11 lists which objects provide connection count information.
In the HP OpenView Browse MIB application's "MIB values" window a sample MIB query yields the following information:
cfwConnectionStatDescription.40.6 :number of connections currently in use by the entire firewallcfwConnectionStatDescription.40.7 :highest number of connections in use at any one time since system startupcfwConnectionStatCount.40.6 :0cfwConnectionStatCount.40.7 :0cfwConnectionStatValue.40.6 :15cfwConnectionStatValue.40.7 :88From this listing, the table index, cfwConnectionStatService, appears as the .40 appended to each subsequent object and the table index, cfwConnectionStatType, appears as either .6 to indicate the number of connections in use or .7 to indicate the most used number of connections. The cfwConnectionStatValue object then lists the connection count. The cfwConnectionStatCount object always returns 0 (zero).
Viewing System Buffer Usage
You can view the system buffer usage from the Cisco Firewall MIB in multiple rows of the cfwBufferStatsTable. The system buffer usage provides an early warning of the PIX Firewall reaching the limit of its capacity. On the command line, you can view this information with the show blocks command. The following is sample output from the show blocks command to demonstrate how cfwBufferStatsTable is populated.
show blocksSIZE MAX LOW CNT4 1600 1600 160080 100 97 97256 80 79 791550 780 402 40465536 8 8 8You can view cfwBufferStatsTable at the following path:
.iso.org.dod.internet.private.enterprises.cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.cfwStatistics.cfwBufferStatsTableTable 9-12 lists the objects required to view the system block usage.
Note
In the HP OpenView Browse MIB application's "MIB values" window a sample MIB query yields the following information:
cfwBufferStatInformation.4.3 :maximum number of allocated 4 byte blockscfwBufferStatInformation.4.5 :fewest 4 byte blocks available since system startupcfwBufferStatInformation.4.8 :current number of available 4 byte blockscfwBufferStatInformation.80.3 :maximum number of allocated 80 byte blockscfwBufferStatInformation.80.5 fewest 80 byte blocks available since system startupcfwBufferStatInformation.80.8 :current number of available 80 byte blockscfwBufferStatInformation.256.3 :maximum number of allocated 256 byte blockscfwBufferStatInformation.256.5 :fewest 256 byte blocks available since system startupcfwBufferStatInformation.256.8 :current number of available 256 byte blockscfwBufferStatInformation.1550.3 :maximum number of allocated 1550 byte blockscfwBufferStatInformation.1550.5 :fewest 1550 byte blocks available since system startupcfwBufferStatInformation.1550.8 :current number of available 1550 byte blockscfwBufferStatValue.4.3: 1600cfwBufferStatValue.4.5: 1600cfwBufferStatValue.4.8: 1600cfwBufferStatValue.80.3: 400cfwBufferStatValue.80.5: 396cfwBufferStatValue.80.8: 400cfwBufferStatValue.256.3: 1000cfwBufferStatValue.256.5: 997cfwBufferStatValue.256.8: 999cfwBufferStatValue.1550.3: 1444cfwBufferStatValue.1550.5: 928cfwBufferStatValue.1550.8: 932From this listing, the first table index, cfwBufferStatSize, appears as first number appended to the end of each object, such as .4 or .256. The other table index, cfwBufferStatType, appears as .3, .5, or .8 after the first index. For each block size, the cfwBufferStatInformation object identifies the type of value and the cfwBufferStatValue object identifies the number of bytes for each value.
