Cisco PIX Firewall Command Reference, Version 6.3
D through F Commands

Table Of Contents

D through F Commands

debug

dhcpd

dhcprelay

disable

domain-name

dynamic-map

eeprom

enable

established

exit

failover

filter

fixup protocol

flashfs

floodguard

fragment


D through F Commands


debug

You can debug packets or ICMP tracings through the PIX Firewall. The debug command provides information that helps troubleshoot protocols operating with and through the PIX Firewall.

[no] debug aaa [authentication | authorization| accounting | internal]

[no] debug access-list all | standard | turbo

[no] debug arp

[no] debug crypto ca [level]

[no] debug ctiqbe

[no] debug crypto ipsec [level]

[no] debug crypto isakmp [level]

[no] debug crypto vpnclient

[no] debug dhcpc detail | error | packet

[no] debug dhcpd event | packet

[no] debug dhcprelay event | packet | error

[no] debug dns {resolver | all}

[no] debug fixup {udp | tcp}

[no] debug fover option

[no] debug h323 h225 [asn | event]

[no] debug h323 h245 [asn | event]

[no] debug h323 ras [asn | event]

[no] debug icmp trace

[no] debug ils

[no] debug ospf [adj | database-timer | events | flood | lsa-generation | packet | tree | retransmission | spf [external | internal | intra]]

[no] debug mgcp [messages | parser | sessions]

[no] debug ntp [adjust | authentication | events | loopfilter | packets | params | select | sync | validity]

[no] debug packet if_name [src source_ip [netmask mask]] [dst dest_ip [netmask mask]] [[proto icmp] | [proto tcp [sport src_port] [dport dest_port]] | [proto udp [sport src_port] [dport dest_port]]] [rx | tx | both]

[no] debug pdm history

[no] debug ppp error | io | uauth | upap | chap | negotiation

[no] debug pppoe event | error | packet

[no] debug pptp

[no] debug radius [session | all | user username]

[no] debug rip

[no] debug route

[no] debug rtsp

[no] debug sip

[no] debug skinny

[no] debug sqlnet

[no] debug ssh

[no] debug ssl [cypher | device]

[no] debug vpdn event | error | packet

[no] debug xdmcp

no debug all

undebug all

show debug

Syntax Description

aaa

Displays authentication, authorization, and accounting information.

access-list

Displays access list configuration information.

adjust

Displays NTP clock adjustments.

all

Displays both standard and TurboACL access list information.

authentication

Displays NTP clock authentication.

both

Displays both received and transmitted packets.

chap

Displays CHAP/MS-CHAP authentication.

crypto ca

Displays information about certification authority (CA) traffic.

crypto ipsec

Displays information about IPSec traffic.

crypto isakmp

Displays information about IKE traffic.

crypto vpnclient

Displays information about the firewall EasyVPN client.

ctiqbe

Displays information about CTI Quick Buffer Encoding (CTIQBE), which is used with Cisco TAPI/JTAPI applications.

cypher

Displays information about the cipher negotiation between the HTTP server and the client.

device

Displays information about the SSL device including session initiation and ongoing status.

dhcpc detail

Displays detailed information about the DHCP client packets.

dhcpc error

Displays error messages associated with the DHCP client.

dhcpc packet

Displays packet information associated with the DHCP client.

dhcpd event

Displays event information associated with the DHCP server.

dhcpd packet

Displays packet information associated with the DHCP server.

dhcprelay

Displays DHCP Relay Agent information.

dns {resolver | all}

Displays DNS debugging information. The resolver option collects DNS resolution information, and the all option collects all DNS information.

dport dest_port

Destination port.

dst dest_ip

Destination IP address.

events

Displays NTP event information.

fixup {udp | tcp}

Displays fixup information, using either UDP or TCP.

fover option

Displays failover information. Refer to Table 5-1 for the options.

h225 asn

Displays the output of the decoded PDUs.

h225 events

Displays the events of the H.225 signaling; without either keyword, both traces are turned on.

h245 asn

Displays the output of the decoded PDUs.

h245 events

Displays the events of the H.245 signaling; without either keyword, both traces are turned on.

h323

Displays information about the packet-based multimedia communications systems standard.

icmp

Displays information about ICMP traffic.

if_name

Interface name from which the packets are arriving; for example, to monitor packets coming into the PIX Firewall from the outside, set if_name to outside.

ils

Displays Internet Locator Service (ILS) fixup information (used in LDAP services).

level

The level of debugging feedback. The higher the level number, the more information is displayed. The default level is 1. The levels correspond to the following events:

Level 1: Interesting events

Level 2: Normative and interesting events

Level 3: Diminutive, normative, and interesting events

Refer to the "Examples" section at the end of this command page for an example of how the debugging level appears within the show debug command.

loopfilter

Displays NTP loop filter information.

messages

Displays debug information for MGCP messages.

negotiation

Equivalent to the error, uauth, upap, and chap options combined.

netmask mask

Network mask.

packet

Displays packet information.

packets

Displays NTP packet information.

params

Displays NTP clock parameters.

parser

Displays debug information about parsing MGCP messages.

pdm history

Turns on the PDM history metrics debugging information. The no version of this command disables PDM history metrics debugging.

ppp

Debugs L2TP or PPTP traffic, which is configured with the vpdn command.

ppp error

Displays L2TP or PPTP PPP virtual interface error messages.

ppp io

Displays packet information for the L2TP or PPTP PPP virtual interface.

ppp uauth

Displays the L2TP or PPTP PPP virtual interface AAA user authentication debugging messages.

pppoe error

Displays PPPoE error messages.

pppoe event

Displays PPPoE event information.

pppoe packet

Displays PPPoE packet information.

pptp

Displays PPTP traffic information.

proto icmp

Displays ICMP packets only.

proto tcp

Displays TCP packets only.

proto udp

Displays UDP packets only.

radius all

Enables all RADIUS debug options.

radius session

Logs RADIUS session information and the attributes of sent and received RADIUS packets.

ras asn

Displays the output of the decoded PDUs.

ras events

Displays the events of the RAS signaling; without either keyword, both traces are turned on.

route

Displays information from the PIX Firewall routing module.

rx

Displays only packets received at the PIX Firewall.

select

Displays NTP clock selections.

sessions

Displays debug information for MGCP sessions.

sip

Debugs the fixup Session Initiation Protocol (SIP) module.

skinny

Debugs SCCP protocol activity. (Using this option is system-resources intensive and may impact performance on high traffic network segments.)

sport src_port

Source port. See the "Ports" section in "Using PIX Firewall Commands" for a list of valid port literal names.

sqlnet

Debugs SQL*Net traffic.

src source_ip

Source IP address.

ssh

Displays debug information and error messages associated with the ssh command.

ssl

Displays debug information and error messages associated with the ssl command.

standard

Displays non-TurboACL access list information.

sync

Displays NTP clock synchronization.

turbo

Displays TurboACL access list information.

tx

Displays only packets that were transmitted from the PIX Firewall.

upap

Displays PAP authentication.

user username

Specifies to display information for an individual username only.

validity

Displays NTP peer clock validity.

vpdn error

Displays L2TP or PPTP protocol error messages.

vpdn event

Displays L2TP or PPTP tunnel event change information.

vpdn packet

Displays L2TP or PPTP packet information about PPTP traffic.

xdmcp

Displays information about the XDMCP negotiation.


Defaults

MGCP debugging is disabled by default.

Command Modes

Configuration mode unless otherwise specified.

The debug mgcp command is available in privileged mode.

Usage Guidelines

The debug command lets you view debug information. The show debug command displays the current state of tracing. You can debug the contents of network layer protocol packets with the debug packet command.


Note Use of the debug commands may slow down traffic on busy networks.


Use of the debug packet command on a PIX Firewall experiencing a heavy load may produce output so fast that it is impossible to stop it by entering the no debug packet command from the console. You can enter the no debug packet command from a Telnet session instead.

To let users ping through the PIX Firewall, add the access-list acl_grp permit icmp any any command statement to the configuration and bind it to each interface you want to test with the access-group command. This lets pings go outbound and inbound.

To stop a debug packet trace command, enter the following command:

no debug packet if_name

Replace if_name with the name of the interface; for example, inside, outside, or a perimeter interface name.

no debug all and undebug all

The no debug all and undebug all commands stop any and all debug messages from being displayed.

debug crypto

When creating your digital certificates, use the debug crypto ca command to ensure that the certificate is created correctly. Important error messages only display when the debug crypto ca command is enabled. For example, if you enter an Entrust fingerprint value incorrectly, the only warning message that indicates the value is incorrect appears in the debug crypto ca command output.

Output from the debug crypto ipsec and debug crypto isakmp commands does not display in a Telnet console session.

debug dhcpc

The debug dhcpc detail command displays detailed packet information about the DHCP client. The debug dhcpc error command displays DHCP client error messages. The debug dhcpc packet command displays packet information about the DHCP client. Use the no form of the debug dhcpc command to disable debugging.

The debug dhcpd event command displays event information about the DHCP server. The debug dhcpd packet command displays packet information about the DHCP server. Use the no form of the debug dhcpd commands to disable debugging.

debug h323

The debug h323 command lets you debug H.323 connections. Use the no form of the command to disable debugging. This command works when the fixup protocol h323 command is enabled.


Note The debug h323 command, particularly the debug h323 h225 asn, debug h323 h245 asn, and debug h323 ras asn commands, might delay the sending of messages and cause slower performance in a real-time environment.


debug icmp

The debug icmp trace command shows ICMP packet information, the source IP address, and the destination address of packets arriving, departing, and traversing the PIX Firewall including pings to the PIX Firewall unit's own interfaces.

To stop a debug icmp trace command, enter the following command:

no debug icmp trace

debug mgcp

The debug mgcp command displays debug information for Media Gateway Control Protocol (MGCP) traffic. Without any options explicitly specified, the debug mgcp command enables all three MGCP debug options. The no debug mgcp command, without any options explicitly specified, disables all MGCP debugging.

debug ospf

The debug ospf command enables all OSPF debugging options, and the no debug ospf command disables all OSPF debugging options.

The debug ospf spf command enables all SPF options, and the no debug ospf spf command disables all SPF options.

debug sqlnet

The debug sqlnet command reports on traffic between Oracle SQL*Net clients and servers through the PIX Firewall.

debug ssh

The debug ssh command reports on information and error messages associated with the ssh command.

debug pptp

The debug pptp and debug vpdn commands provide information about PPTP traffic. PPTP is configured with the vpdn command.

debug fover

Table 5-1 lists the options for the debug fover command.

Table 5-1 debug fover Command Options

Option    Description
cable     Failover cable status
fail      Failover internal exception
fmsg      Failover message
get       IP network packet received
ifc       Network interface status trace
lanrx     LAN-based failover receive process messages
lanretx   LAN-based failover retransmit process messages
lantx     LAN-based failover transmit process messages
lancmd    LAN-based failover main thread messages
open      Failover device open
put       IP network packet transmitted
rx        Failover cable receive
rxdmp     Cable recv message dump (serial console only)
rxip      IP network failover packet received
tx        Failover cable transmit
txdmp     Cable xmit message dump (serial console only)
txip      IP network failover packet transmit
verify    Failover message verify
switch    Failover switching status


Trace Channel Feature

The debug packet command sends its output to the Trace Channel. All other debug commands do not. Use of Trace Channel changes the way you can view output on your screen during a PIX Firewall console or Telnet session.

If a debug command does not use Trace Channel, each session operates independently, which means that commands started in a session produce output only in that session. By default, a session not using Trace Channel has output disabled.

The location of the Trace Channel depends on whether you have a Telnet console session running at the same time as the serial console session, or whether you are using only the PIX Firewall serial console:

If you are only using the PIX Firewall serial console, all debug commands display on the serial console.

If you have both a serial console session and a Telnet console session accessing the console, then no matter where you enter the debug commands, the output displays on the Telnet console session.

If you have two or more Telnet console sessions, the first session is the Trace Channel. If that session closes, the serial console session becomes the Trace Channel. The next Telnet console session that accesses the console will then become the Trace Channel.

The debug commands, except the debug crypto commands, are shared between all Telnet and serial console sessions.


Note The downside of the Trace Channel feature is that if one administrator is using the serial console and another administrator starts a Telnet console session, the serial console debug command output will suddenly stop without warning. In addition, the administrator on the Telnet console session will suddenly be viewing debug command output, which may be unexpected. If you are using the serial console and debug command output is not appearing, use the who command to see if a Telnet console session is running.


Examples

The following is partial sample output from the debug dhcpc packet and the debug dhcpc detail commands. The ip address dhcp setroute command was configured after entering the debug dhcpc commands to obtain debugging information.

debug dhcpc packet
debug dhcpc detail
ip address outside dhcp setroute
DHCP:allocate request
DHCP:new entry. add to queue
DHCP:new ip lease str = 0x80ce8a28
DHCP:SDiscover attempt # 1 for entry:
Temp IP addr:0.0.0.0 for peer on Interface:outside
Temp sub net mask:0.0.0.0
   DHCP Lease server:0.0.0.0, state:1 Selecting
   DHCP transaction id:0x8931
   Lease:0 secs, Renewal:0 secs, Rebind:0 secs
   Next timer fires after:2 seconds
   Retry count:1   Client-ID:cisco-0000.0000.0000-outside

DHCP:SDiscover:sending 265 byte length DHCP packet
DHCP:SDiscover 265 bytes
DHCP Broadcast to 255.255.255.255 from 0.0.0.0
DHCP client msg received, fip=10.3.2.2, fport=67
DHCP:Received a BOOTREP pkt
DHCP:Scan:Message type:DHCP Offer
DHCP:Scan:Server ID Option:10.1.1.69 = 450A44AB
	DHCP:Scan:Server ID Option:10.1.1.69 = 450A44AB
DHCP:Scan:Lease Time:259200
DHCP:Scan:Subnet Address Option:255.255.254.0
DHCP:Scan:DNS Name Server Option:10.1.1.70, 10.1.1.140
DHCP:Scan:Domain Name:example.com
DHCP:Scan:NBNS Name Server Option:10.1.2.228, 10.1.2.87
DHCP:Scan:Router Address Option:10.3.2.1
DHCP:rcvd pkt source:10.3.2.2, destination: 255.255.255.255
...

The following example executes the debug icmp trace command:

debug icmp trace

When you ping a host through the PIX Firewall from any interface, trace output displays on the console. The following example shows a successful ping from an external host (209.165.201.2) to the PIX Firewall unit's outside interface (209.165.201.1).

Inbound ICMP echo reply (len 32 id 1 seq 256) 209.165.201.1 > 209.165.201.2
Outbound ICMP echo request (len 32 id 1 seq 512) 209.165.201.2 > 209.165.201.1
Inbound ICMP echo reply (len 32 id 1 seq 512) 209.165.201.1 > 209.165.201.2
Outbound ICMP echo request (len 32 id 1 seq 768) 209.165.201.2 > 209.165.201.1
Inbound ICMP echo reply (len 32 id 1 seq 768) 209.165.201.1 > 209.165.201.2
Outbound ICMP echo request (len 32 id 1 seq 1024) 209.165.201.2 > 209.165.201.1
Inbound ICMP echo reply (len 32 id 1 seq 1024) 209.165.201.1 > 209.165.201.2
NO DEBUG ICMP TRACE
ICMP trace off

This example shows that the ICMP packet length is 32 bytes, the ICMP packet identifier is 1, and the ICMP sequence number of each exchange. The ICMP sequence number starts at 0 and is incremented each time a request is sent.
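When checking an ICMP policy with debug icmp trace, the useful question is whether every echo request got its reply. The following parser is an added example, not part of the Cisco documentation; it reads trace lines in the format shown above (the sample is constructed from that output plus one extra request that is never answered) and reports answered, unanswered, and orphaned echoes.

```python
import re
from collections import OrderedDict

# Constructed sample: the debug icmp trace output shown on this page, plus one extra
# echo request (seq 1280) that never receives a reply, to exercise the unanswered case.
SAMPLE_TRACE = """\
Inbound ICMP echo reply (len 32 id 1 seq 256) 209.165.201.1 > 209.165.201.2
Outbound ICMP echo request (len 32 id 1 seq 512) 209.165.201.2 > 209.165.201.1
Inbound ICMP echo reply (len 32 id 1 seq 512) 209.165.201.1 > 209.165.201.2
Outbound ICMP echo request (len 32 id 1 seq 768) 209.165.201.2 > 209.165.201.1
Inbound ICMP echo reply (len 32 id 1 seq 768) 209.165.201.1 > 209.165.201.2
Outbound ICMP echo request (len 32 id 1 seq 1024) 209.165.201.2 > 209.165.201.1
Inbound ICMP echo reply (len 32 id 1 seq 1024) 209.165.201.1 > 209.165.201.2
Outbound ICMP echo request (len 32 id 1 seq 1280) 209.165.201.2 > 209.165.201.1
NO DEBUG ICMP TRACE
ICMP trace off
"""

# One trace line: direction, echo kind, (len/id/seq), source > destination.
TRACE_RE = re.compile(
    r"^(?P<direction>Inbound|Outbound) ICMP (?P<kind>echo request|echo reply) "
    r"\(len (?P<len>\d+) id (?P<id>\d+) seq (?P<seq>\d+)\) "
    r"(?P<src>\d+(?:\.\d+){3}) > (?P<dst>\d+(?:\.\d+){3})$"
)


def parse_icmp_trace(text):
    """Parse debug icmp trace lines into dicts; lines in any other format are ignored."""
    records = []
    for line in text.splitlines():
        m = TRACE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            for key in ("len", "id", "seq"):
                rec[key] = int(rec[key])
            records.append(rec)
    return records


def pair_echoes(records):
    """Match echo replies to the requests they answer.
    A reply matches a request when id and seq are equal and its addresses are the
    request's addresses swapped. Returns (answered pairs, unanswered requests,
    replies for which no request appears in the trace)."""
    pending = OrderedDict()
    answered, orphan_replies = [], []
    for rec in records:
        if rec["kind"] == "echo request":
            pending[(rec["id"], rec["seq"], rec["src"], rec["dst"])] = rec
            continue
        key = (rec["id"], rec["seq"], rec["dst"], rec["src"])
        request = pending.pop(key, None)
        if request is None:
            orphan_replies.append(rec)
        else:
            answered.append((request, rec))
    return answered, list(pending.values()), orphan_replies


def echo_summary(text):
    """Counts to check after a ping test through the firewall: an unanswered request
    points at a filtered or unrouted path; an orphan reply is one whose request was
    sent before the trace started (as with seq 256 in the page's own output)."""
    answered, unanswered, orphans = pair_echoes(parse_icmp_trace(text))
    return {
        "answered": len(answered),
        "unanswered": [r["seq"] for r in unanswered],
        "orphan_replies": [r["seq"] for r in orphans],
    }
```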

The following is sample output from the show debug command output:

show debug
debug ppp error
debug vpdn event
debug crypto ipsec 1
debug crypto isakmp 1
debug crypto ca 1
debug icmp trace
debug packet outside both
debug sqlnet

The preceding sample output includes the debug crypto commands.

The following example shows debugging messages for Unity client negotiation using Diffie-Hellman group 5:

pixfirewall(config)# debug crypto isakmp

check_isakmp_proposal:
is_auth_policy_configured: auth 1
is_auth_policy_configured: auth 4
ISAKMP (0): Checking ISAKMP transform 1 against priority 8 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 5
ISAKMP:      extended auth RSA sig
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b 
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 8 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 5
ISAKMP:      extended auth RSA sig
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b 
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 8 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 5
ISAKMP:      auth RSA sig
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b 
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 8 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 5
ISAKMP:      auth RSA sig
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b 

ISAKMP (0): atts are acceptable. Next payload is 3

The following example shows possible output for the debug mgcp messages command:

17: MGCP: Retransmitted command RSIP
        Gateway IP      gate-1
        Transaction ID  1
18: MGCP: Expired command RSIP
        Gateway IP      gate-1
        Transaction ID  1
19: MGCP: New command RSIP
        Gateway IP      gate-1
        Transaction ID  1
        Endpoint name   d001
        Call ID         
        Connection ID   
        Media IP        0.0.0.0
        Media port      0
        Flags           0x80
20: MGCP: Retransmitted command RSIP
        Gateway IP      gate-1
        Transaction ID  1

The following example shows possible output for the debug mgcp parser command:

28: MGCP packet:
RSIP 1 d001@10.10.10.11 MGCP 1.0
RM: restart

29: MGCP: command verb - RSIP
30: MGCP: transaction ID - 1
31: MGCP: endpoint name - d001
32: MGCP: header parsing succeeded
33: MGCP: restart method - restart
34: MGCP: payload parsing succeeded
35: MGCP packet:
RSIP 1 d001@10.10.10.11 MGCP 1.0
RM: restart

36: MGCP: command verb - RSIP
37: MGCP: transaction ID - 1
38: MGCP: endpoint name - d001
39: MGCP: header parsing succeeded
40: MGCP: restart method - restart
41: MGCP: payload parsing succeeded

The following example shows possible output for the debug mgcp sessions command:

91: NAT::requesting UDP conn for generic-pc-2/6166 [209.165.202.128/0]
        from dmz/ca:generic-pc-2/2427 to outside:generic-pc-1/2727
92: NAT::reverse route: embedded host at dmz/ca:generic-pc-2/6166
93: NAT::table route: embedded host at outside:209.165.202.128/0
94: NAT::pre-allocate connection for outside:209.165.202.128 to dmz/ca:generic-pc-2/6166
95: NAT::found inside xlate from dmz/ca:generic-pc-2/0 to outside:209.165.201.15/0
96: NAT::outside NAT not needed
97: NAT::created UDP conn dmz/ca:generic-pc-2/6166 <-> outside:209.165.202.128/0
98: NAT::created RTCP conn dmz/ca:generic-pc-2/6167 <-> outside:209.165.202.128/0
99: NAT::requesting UDP conn for 209.165.202.128/6058 [generic-pc-2/0]
        from dmz/ca:genericgeneric-pc-2/2427 to outside:generic-pc-1/2727
100: NAT::table route: embedded host at outside:209.165.202.128/6058
101: NAT::reverse route: embedded host at dmz/ca:generic-pc-2/0
102: NAT::pre-allocate connection for dmz/ca:generic-pc-2 to outside:209.165.202.128/6058
103: NAT::found inside xlate from dmz/ca:generic-pc-2/0 to outside:209.165.201.15/0
104: NAT::outside NAT not needed
105: NAT::created UDP conn dmz/ca:generic-pc-2/0 <-> outside:209.165.202.128/6058
106: NAT::created RTCP conn dmz/ca:generic-pc-2/0 <-> outside:209.165.202.128/6059
107: MGCP: New session
        Gateway IP     generic-pc-2
        Call ID        9876543210abcdef
        Connection ID  6789af54c9
        Endpoint name  aaln/1
        Media lcl port 6166
        Media rmt IP   209.165.202.128
        Media rmt port 6058
108: MGCP: Expired session, active 0:06:05
        Gateway IP      generic-pc-2
        Call ID         9876543210abcdef
        Connection ID   6789af54c9
        Endpoint name   aaln/1
        Media lcl port  6166
        Media rmt IP    209.165.202.128
        Media rmt port  6058

You can debug the contents of packets with the debug packet command:

debug packet inside
--------- PACKET ---------
-- IP --
4.3.2.1 ==>     255.3.2.1
        ver = 0x4       hlen = 0x5      tos = 0x0       tlen = 0x60
        id = 0x3902     flags = 0x0     frag off=0x0
        ttl = 0x20      proto=0x11      chksum = 0x5885
        -- UDP --
                source port = 0x89      dest port = 0x89
                len = 0x4c      checksum = 0xa6a0
        -- DATA --
                00000014:                                     00 01 00 00            | ....
                00000024: 00 00 00 01 20 45 49 45 50 45 47 45 47 45 46 46            | .... EIEPEGEGEFF
                00000034: 43 43 4e 46 41 45 44 43 41 43 41 43 41 43 41 43            | CCNFAEDCACACAC
                00000044: 41 43 41 41 41 00 00 20 00 01 c0 0c 00 20 00 01            | ACAAA.. ..... ..
                00000054: 00 04 93 e0 00 06 60 00 01 02 03 04 00                     | ......`......
--------- END OF PACKET ---------

This display lists the information as it appears in a packet.
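Reading such a dump by hand is slow; the following parser is an added example (not Cisco code) that turns one debug packet dump into structured fields, cross-checks the IP and UDP lengths, and, because both ports are 0x89 (137, NetBIOS Name Service), decodes the first-level-encoded NetBIOS name carried in the DATA bytes. The sample is the dump above with its wrapped DATA rows rejoined.

```python
import re

# Constructed sample: the debug packet output shown on this page, DATA rows rejoined.
SAMPLE_DUMP = """\
--------- PACKET ---------
-- IP --
4.3.2.1 ==>     255.3.2.1
        ver = 0x4       hlen = 0x5      tos = 0x0       tlen = 0x60
        id = 0x3902     flags = 0x0     frag off=0x0
        ttl = 0x20      proto=0x11      chksum = 0x5885
        -- UDP --
                source port = 0x89      dest port = 0x89
                len = 0x4c      checksum = 0xa6a0
        -- DATA --
                00000014:                                     00 01 00 00            | ....
                00000024: 00 00 00 01 20 45 49 45 50 45 47 45 47 45 46 46            | .... EIEPEGEGEFF
                00000034: 43 43 4e 46 41 45 44 43 41 43 41 43 41 43 41 43            | CCNFAEDCACACAC
                00000044: 41 43 41 41 41 00 00 20 00 01 c0 0c 00 20 00 01            | ACAAA.. ..... ..
                00000054: 00 04 93 e0 00 06 60 00 01 02 03 04 00                     | ......`......
--------- END OF PACKET ---------
"""

ADDR_RE = re.compile(r"^\s*([\d.]+)\s*==>\s*([\d.]+)\s*$")
SECTION_RE = re.compile(r"^\s*-- (IP|UDP|TCP|ICMP|DATA) --\s*$")
FIELD_RE = re.compile(r"([a-z][a-z ]*?)\s*=\s*(0x[0-9a-f]+)", re.I)
# A DATA row: 8-digit offset, optional run of hex byte pairs, then the '|' ASCII column.
DATA_RE = re.compile(r"^\s*[0-9a-f]{8}:\s*((?:[0-9a-f]{2}\s+)*[0-9a-f]{2})?\s*\|", re.I)


def parse_debug_packet(text):
    """Parse one dump into src/dst, one dict of header fields per section, and DATA bytes."""
    pkt = {"src": None, "dst": None, "data": b""}
    section = None
    for line in text.splitlines():
        m = ADDR_RE.match(line)
        if m:
            pkt["src"], pkt["dst"] = m.groups()
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            pkt.setdefault(section, {})
            continue
        if section == "data":
            m = DATA_RE.match(line)
            if m and m.group(1):
                pkt["data"] += bytes.fromhex(m.group(1).replace(" ", ""))
        elif section is not None:
            for key, value in FIELD_RE.findall(line):
                pkt[section][key.strip()] = int(value, 16)
    return pkt


def check_lengths(pkt):
    """IP total length minus the IP header (hlen words of 4 bytes) must equal the UDP length."""
    if "udp" not in pkt:
        return None
    return pkt["ip"]["tlen"] - pkt["ip"]["hlen"] * 4 == pkt["udp"]["len"]


def find_netbios_names(data):
    """Find first-level-encoded NetBIOS names (RFC 1001, section 14.1) anywhere in the bytes:
    a 0x20 length byte followed by 32 letters A-P, each letter pair giving one byte (high
    nibble first). Bytes 0-14 are the name, byte 15 the NetBIOS suffix (service type)."""
    names, pos = [], 0
    while pos < len(data):
        enc = data[pos + 1:pos + 33]
        if data[pos] == 0x20 and len(enc) == 32 and all(0x41 <= b <= 0x50 for b in enc):
            raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
            names.append((raw[:15].decode("ascii", "replace").rstrip(), raw[15]))
            pos += 33
        else:
            pos += 1
    return names


def summarize(pkt):
    """One-line description of the packet; port 137 (0x89) is NetBIOS Name Service."""
    proto = {0x01: "ICMP", 0x06: "TCP", 0x11: "UDP"}.get(pkt["ip"]["proto"], hex(pkt["ip"]["proto"]))
    text = f"{proto} {pkt['src']} -> {pkt['dst']}"
    if "udp" in pkt:
        sport, dport = pkt["udp"]["source port"], pkt["udp"]["dest port"]
        text += f" ports {sport}->{dport}"
        if 137 in (sport, dport):
            names = find_netbios_names(pkt["data"])
            text += " NBNS names: " + ", ".join(f"{n}<{s:02x}>" for n, s in names)
    return text
```

The dump's DATA section starts at the question-count field of the NetBIOS header, so the decoder scans for the name rather than assuming a fixed offset.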

The following is sample output from the show debug command:

show debug
debug icmp trace off
debug packet off
debug sqlnet off

Related Commands

mgcp

Configures additional support for the Media Gateway Control Protocol fixup (packet application inspection) and is used with the fixup protocol mgcp command.

show conn

Displays all active connections. There is an MGCP show conn option and connection flag, "g".

timeout

Sets the maximum idle time duration. (There is an MGCP timeout option.)


dhcpd

Configures the DHCP server.

[no] dhcpd address ip1[-ip2] if_name

[no] dhcpd auto_config [outside]

[no] dhcpd dns dns1 [dns2]

[no] dhcpd wins wins1 [wins2]

[no] dhcpd lease lease_length

[no] dhcpd domain domain_name

[no] dhcpd enable if_name

[no] dhcpd option 66 ascii {server_name | server_ip_str}

[no] dhcpd option 150 ip server_ip1 [ server_ip2]

no dhcpd option code

[no] dhcpd ping_timeout timeout

[no] debug dhcpd event

[no] debug dhcpd packet

clear dhcpd [binding|statistics]

show dhcpd [binding|statistics]

Syntax Description

address ip1 [ip2]

The IP pool address range. The size of the pool is limited to 32 addresses with a 10-user license and 128 addresses with a 50-user license on the PIX 501. The unlimited user license on the PIX 501 and all other PIX Firewall platforms support 256 addresses.

If the address pool range is larger than 253 addresses, the netmask of the PIX Firewall interface cannot be a Class C address (for example, 255.255.255.0) and hence needs to be something larger, for example, 255.255.254.0.

auto_config

Enables the PIX Firewall to automatically configure DNS, WINS, and domain name values from the DHCP client to the DHCP server. If the user also specifies the dns, wins, and domain parameters, the CLI parameters overwrite the auto_config parameters.

binding

The binding information for a given server IP address and its associated client hardware address and lease length.

code

Specifies the DHCP option code, either 66 or 150.

dns dns1 [dns2]

The IP addresses of the DNS servers for the DHCP client. Specifies that DNS A (address) resource records that match the static translation are rewritten. A second server address is optional.

domain domain_name

The DNS domain name. For example, example.com.

if_name

Specifies the interface on which to enable the DHCP server.

lease lease_length

The length of the lease, in seconds, granted to a DHCP client by the DHCP server. The lease indicates how long the client can use the assigned IP address. The default is 3600 seconds. The minimum lease length is 300 seconds, and the maximum lease length is 2,147,483,647 seconds.

option 150

Specifies the TFTP server IP address(es) designated for Cisco IP Phones in dotted-decimal format. DHCP option 150 is site-specific; it gives the IP addresses of a list of TFTP servers.

option 66

Specifies the TFTP server IP address designated for Cisco IP Phones and gives the IP address or the host name of a single TFTP server.

outside

The outside interface of the firewall.

ping_timeout

Specifies the timeout value, in milliseconds, of the ping that the DHCP server sends before assigning an IP address to a DHCP client.

server_ip(1,2)

Specifies the IP address(es) of a TFTP server.

server_ip_str

Specifies the TFTP server in dotted-decimal format, such as 1.1.1.1, but is treated as a character string by the PIX Firewall DHCP server.

server_name

Specifies an ASCII character string representing the TFTP server.

statistics

Statistical information, such as address pool, number of bindings, malformed messages, sent messages, and received messages.

wins wins1 [wins2]

The IP addresses of the Microsoft NetBIOS name servers (WINS server). The second server address is optional.


Command Modes

Configuration mode.

Usage Guidelines

A DHCP server provides network configuration parameters to a DHCP client. Support for the DHCP server within the PIX Firewall means the PIX Firewall can use DHCP to configure connected clients. This DHCP feature is designed for the remote home or branch office that will establish a connection to an enterprise or corporate network. See the Cisco PIX Firewall and VPN Configuration Guide for information on how to implement the DHCP server feature into the PIX Firewall.

You must specify an interface name, if_name, for all DHCP server commands when using PIX Firewall software Version 6.3. In earlier software versions, only the inside interface could be configured as the DHCP server so there was no need to specify if_name.


Note The PIX Firewall DHCP server does not support BOOTP requests and failover configurations.


The dhcpd address ip1[-ip2] if_name command specifies the DHCP server address pool. The address pool of a PIX Firewall DHCP server must be within the same subnet of the PIX Firewall interface that is enabled and you must specify the associated PIX Firewall interface with the if_name. In other words, the client must be physically connected to the subnet of a PIX Firewall interface. The size of the pool is limited to 32 addresses with a 10-user license and 128 addresses with a 50-user license on the PIX 501. The unlimited user license on the PIX 501 and all other PIX Firewall platforms support 256 addresses.


Note When the PIX Firewall responds to a DHCP client request, it uses the IP address of the interface where the request was received as the default gateway in the response. It uses the subnet mask on that interface for the subnet mask in its response.


Use caution with names that contain a "-" (dash) character because the dhcpd address command interprets the last (or only) "-" character in the name as a range specifier instead of as part of the name. For example, the dhcpd address command treats the name "host-net2" as a range from "host" to "net2". If the name is "host-net2-section3" then it is interpreted as a range from "host-net2" to "section3".
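The constraints above (pool within the interface subnet, pool size capped by license, more than 253 addresses needing a mask wider than 255.255.255.0, and the last-dash range split) can be checked before a dhcpd address line is committed. The following validator is an added example, not Cisco code; the license-tier labels and the final check on the interface address being outside the pool are its own assumptions.

```python
import ipaddress

# Per-pool address limits stated on this page, keyed by an assumed label for the license tier.
POOL_LIMITS = {"pix501-10user": 32, "pix501-50user": 128, "unlimited": 256}


def split_dhcpd_range(spec):
    """Split ip1[-ip2] the way dhcpd address does: the LAST '-' is the range separator,
    so a name such as host-net2-section3 is read as the range host-net2 .. section3."""
    if "-" in spec:
        start, end = spec.rsplit("-", 1)
        return start, end
    return spec, spec


def check_dhcpd_pool(spec, interface_ip, interface_mask, license_tier="unlimited"):
    """Check 'dhcpd address <spec> <if_name>' against the interface's 'ip address'
    settings. Returns a list of problems; an empty list means the pool is acceptable."""
    problems = []
    start_s, end_s = split_dhcpd_range(spec)
    try:
        start, end = ipaddress.IPv4Address(start_s), ipaddress.IPv4Address(end_s)
    except ValueError:
        problems.append(f"{start_s!r}..{end_s!r} is not a pair of IPv4 addresses "
                        "(a name containing '-' is split at its last dash)")
        return problems
    if end < start:
        problems.append("pool end address precedes pool start address")
        return problems
    gateway = ipaddress.IPv4Address(interface_ip)
    subnet = ipaddress.IPv4Network(f"{interface_ip}/{interface_mask}", strict=False)
    size = int(end) - int(start) + 1

    # The pool must lie within the subnet of the interface it is bound to.
    if start not in subnet or end not in subnet:
        problems.append(f"pool is not within the interface subnet {subnet.with_netmask}")
    # Pool size is capped by the platform license.
    limit = POOL_LIMITS[license_tier]
    if size > limit:
        problems.append(f"pool holds {size} addresses; the {license_tier} limit is {limit}")
    # More than 253 addresses cannot fit behind a 255.255.255.0 (or longer) mask.
    if size > 253 and subnet.prefixlen >= 24:
        problems.append("pools larger than 253 addresses need a netmask wider than 255.255.255.0")
    # Added check not spelled out on this page: the interface address is handed out as the
    # default gateway, so it must not itself be inside the leased range.
    if start <= gateway <= end:
        problems.append(f"pool includes the interface address {gateway}, which is the default gateway")
    return problems
```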

The no dhcpd address command removes the DHCP server address pool you configured.

The dhcpd lease command specifies the length of the lease in seconds granted to the DHCP client. This lease indicates how long the DHCP client can use the IP address that the DHCP server assigned. The no dhcpd lease command removes the lease length that you specified from your configuration and replaces this value with the default value of 3600 seconds.

The dhcpd domain command specifies the DNS domain name for the DHCP client. For example, example.com. The no dhcpd domain command removes the DNS domain name from your configuration.

The dhcpd enable if_name command enables the DHCP daemon to begin to listen for the DHCP client requests on the DHCP-enabled interface. The no dhcpd enable command disables the DHCP server feature on the specified interface.

DHCP must be enabled to use this command. Use the dhcpd enable if_name command to turn on DHCP.


Note The PIX Firewall DHCP server daemon does not support clients that are not directly connected to a firewall interface, and the interface must be configured to retrieve DHCP client information (with the dhcprelay enable client_ifc command).


The dhcpd option 66 | 150 command retrieves TFTP server address information for Cisco IP Phone connections.

When a DHCP request arrives at the PIX Firewall DHCP server, the PIX Firewall places the value(s) specified by the dhcpd option 66 | 150 command in the response.

Use the dhcpd option code command as follows:

If the TFTP server for Cisco IP Phone connections is located on the inside interface, use the local IP address of the TFTP server in the dhcpd option command.

If the TFTP server is located on a less secure interface, create a group of NAT, global and access-list command statements for the inside IP phones, and use the actual IP address of the TFTP server in the dhcpd option command.

If the TFTP server is located on a more secure interface, create a group of static and access-list command statements for the TFTP server and use the global IP address of the TFTP server in the dhcpd option command.

The show dhcpd command displays the configured dhcpd commands, and the binding and statistics information associated with them.

The clear dhcpd command clears all of the dhcpd commands, binding, and statistics information.

The debug dhcpd event command displays event information about the DHCP server. The debug dhcpd packet command displays packet information about the DHCP server. Use the no form of the debug dhcpd commands to disable debugging.

Examples

The following partial configuration example shows how to use the dhcpd address, dhcpd dns, and dhcpd enable if_name commands to configure an address pool for the DHCP clients and a DNS server address for the DHCP client, and how to enable the dmz interface of the PIX Firewall for the DHCP server function.

dhcpd address 10.0.1.100-10.0.1.108 dmz
dhcpd dns 209.165.200.226
dhcpd enable dmz

The following partial configuration example shows how to define a DHCP pool of 253 addresses and use the auto_config command to configure the DNS, WINS, and DOMAIN parameters. Note that the dmz interface of the firewall is configured as the DHCP server, and the netmask of the dmz interface is 255.255.254.0:

ip address dmz 10.0.1.1 255.255.254.0
dhcpd address 10.0.1.2-10.0.1.254 dmz
dhcpd auto_config outside
dhcpd enable dmz

The following partial configuration example shows how to use three related features, the DHCP server, the DHCP client, and PAT using the interface IP address, to configure a PIX Firewall in a small office, home office (SOHO) environment with the inside interface as the DHCP server:

! use dhcp to configure the outside interface and default route
ip address outside dhcp setroute
! enable dhcp server daemon on the inside interface
ip address inside 10.0.1.2 255.255.255.0
dhcpd address 10.0.1.100-10.0.1.108 inside
dhcpd dns 209.165.201.2 209.165.202.129
dhcpd wins 209.165.201.5
dhcpd lease 3600
dhcpd domain example.com
dhcpd enable inside
! use outside interface IP as PAT global address
nat (inside) 1 0 0
global (outside) 1 interface

The following is sample output from the show dhcpd command:

pixfirewall(config)# show dhcpd
dhcpd address 10.0.1.100-10.0.1.108 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd dns 209.165.201.2 209.165.202.129
dhcpd enable inside

The following is sample output from the show dhcpd binding command:

pixfirewall(config)# show dhcpd binding
IP Address   Hardware Address    Lease Expiration   Type
10.0.1.100   0100.a0c9.868e.43   84985 seconds      automatic

The following is sample output from the show dhcpd statistics command:

show dhcpd statistics
Address Pools 1
Automatic Bindings 1
Expired Bindings 1
Malformed messages 0

Message Received
BOOTREQUEST 0
DHCPDISCOVER 1
DHCPREQUEST 2
DHCPDECLINE 0
DHCPRELEASE 0
DHCPINFORM 0

Message Sent
BOOTREPLY 0
DHCPOFFER 1
DHCPACK 1
DHCPNAK 1

Related Commands

ip address

Configures the IP address and mask for an interface, or defines a local address pool.


dhcprelay

Configures the DHCP relay agent, which relays requests between the firewall interface of the DHCP server and DHCP clients on a different firewall interface.

[no] dhcprelay enable client_ifc

[no] dhcprelay server dhcp_server_ip server_ifc

[no] dhcprelay setroute client_ifc

[no] dhcprelay timeout seconds

[clear|show] dhcprelay [statistics]

Syntax Description

client_ifc

The name of the interface on which the DHCP relay agent accepts client requests.

dhcp_server_ip

The IP address of the DHCP server to which the DHCP relay agent forwards client requests.

enable

Enables the DHCP relay agent to accept DHCP requests from clients on the specified interface.

seconds

The number of seconds allowed for DHCP relay address negotiation.

server_ifc

The name of the firewall interface on which the DHCP server resides.

statistics

The DHCP relay statistics, incremented until a clear dhcprelay statistics command is issued.


Defaults

By default, the DHCP relay agent is disabled.

The default DHCP relay timeout value is 60 seconds.

Command Modes

Configuration mode. The show dhcprelay commands are also available in privileged mode.

Usage Guidelines

Use the dhcprelay enable, dhcprelay server, and dhcprelay timeout commands to configure the DHCP relay agent to relay requests between the firewall interface of the DHCP server and DHCP clients on a different firewall interface.


Note Use network extension mode for DHCP clients whose DHCP server is on the other side of an Easy VPN tunnel. Otherwise, if the DHCP client is behind a PIX Firewall VPN Easy Remote device connected to an Easy VPN Server using client mode, then the DHCP client will not be able to get a DHCP IP address from the DHCP server on the other side of the Easy VPN Server.


dhcprelay enable

For the firewall to start the DHCP relay agent with the dhcprelay enable client_ifc command, you must have a dhcprelay server command already in your configuration. Otherwise, the firewall displays an error message similar to the following:

DHCPRA:Warning - There are no DHCP servers configured!
No relaying can be done without a server!
Use the 'dhcprelay server <server_ip> <server_ifc>' command

The dhcprelay enable client_ifc command starts a DHCP server task on the specified interface. If this dhcprelay enable command is the first dhcprelay enable command to be issued, and there are dhcprelay server commands in the configuration, then the ports for the DHCP servers referenced are opened and the DHCP relay task starts.

When a dhcprelay enable client_ifc command is removed with a no dhcprelay enable client_ifc command, the DHCP server task for that interface stops. When the dhcprelay enable command being removed is the last dhcprelay enable command in the configuration, all of the ports for the servers specified in the dhcprelay server commands are closed and the DHCP relay task stops.

dhcprelay server

Add at least one dhcprelay server command to your firewall configuration before you enter a dhcprelay enable command or the firewall will issue an error message.

The dhcprelay server command opens UDP port 67 on the specified interface for the specified server and starts the DHCP relay task as soon as a dhcprelay enable command is added to the configuration. If there is no dhcprelay enable command in the configuration, then the sockets are not opened and the DHCP relay task does not start.

When a dhcprelay server dhcp_server_ip [server_ifc] command is removed, the port for that server is closed. If the dhcprelay server command being removed is the last dhcprelay server command in the configuration, then the DHCP relay task stops.

dhcprelay setroute

The dhcprelay setroute client_ifc command enables you to configure the DHCP Relay Agent to change the first default router address (in the packet sent from the DHCP server) to the address of client_ifc. That is, the DHCP Relay Agent substitutes the address of the default router with the address of client_ifc.

If there is no default router option in the packet, the firewall adds one containing the address of client_ifc. This allows the client to set its default route to point to the firewall.

When the dhcprelay setroute client_ifc command is not configured and the packet contains a default router option, the packet passes through the firewall with the router address unaltered.

dhcprelay timeout

The dhcprelay timeout command sets the amount of time, in seconds, allowed for responses from the DHCP server to pass to the DHCP client through the relay binding structure.

no dhcprelay commands

The no dhcprelay enable client_ifc command removes the DHCP relay agent configuration for the interface specified by client_ifc only.

The no dhcprelay server dhcp_server_ip [server_ifc] command removes the DHCP relay agent configuration for the DHCP server specified by dhcp_server_ip [server_ifc] only.

show dhcprelay

The show dhcprelay command displays the DHCP relay agent configuration, and the show dhcprelay statistics command displays counters for the packets relayed by the DHCP relay agent.

The clear dhcprelay command clears all DHCP relay configurations. The clear dhcprelay statistics command clears the show dhcprelay statistics counters.

Examples

The following example configures the DHCP relay agent for a DHCP server with the IP address of 10.1.1.1 on the outside interface of the firewall and client requests on the inside interface of the firewall, and sets the timeout value to 90 seconds:

pixfirewall(config)# dhcprelay server 10.1.1.1 outside
pixfirewall(config)# show dhcprelay
dhcprelay server 10.1.1.1 outside
dhcprelay timeout 50

pixfirewall(config)# dhcprelay timeout 60
pixfirewall(config)# show dhcprelay
dhcprelay server 10.1.1.1 outside
dhcprelay timeout 60

pixfirewall(config)# dhcprelay enable inside
pixfirewall(config)# show dhcprelay
dhcprelay server 10.1.1.1 outside
dhcprelay enable inside
dhcprelay timeout 60

The following example shows how to disable the DHCP relay agent if there is only one dhcprelay enable command in the configuration:

pixfirewall(config)# no dhcprelay enable
pixfirewall(config)# show dhcprelay
dhcprelay server 10.1.1.1 outside
dhcprelay timeout 60

The following is sample output from the show dhcprelay statistics command:

pixfirewall(config)# show dhcprelay statistics
Packets Relayed
BOOTREQUEST          0
DHCPDISCOVER         7
DHCPREQUEST          3
DHCPDECLINE          0
DHCPRELEASE          0
DHCPINFORM           0

BOOTREPLY            0
DHCPOFFER            7
DHCPACK              3
DHCPNAK              0

Related Commands

dhcpd

Controls the DHCP server feature.


disable

Exit privileged mode and return to unprivileged mode.

enable

disable

Syntax Description

enable

Enter this at the PIX Firewall command-line interface prompt to enter privileged mode.

disable

Enter this at the PIX Firewall command-line interface prompt to exit privileged mode.


Command Modes

Privileged mode.

Usage Guidelines

Use the enable command to enter privileged mode. The disable command exits privileged mode and returns you to unprivileged mode.

Examples

The following example shows how to enter privileged mode:

pixfirewall> enable
pixfirewall#