Table Of Contents
G through L Commands
global
help
hostname
http
icmp
igmp
interface
ip address
ip audit
ip local pool
ip verify reverse-path
isakmp
isakmp policy
kill
logging
login
G through L Commands
global
Create or delete entries from a pool of global addresses.
[no] global [(if_name)] nat_id {global_ip [-global_ip] [netmask global_mask]} | interface
clear global
show global
Syntax Description

clear
    Removes global command statements from the configuration.

global_ip
    One or more global IP addresses that the PIX Firewall shares among its connections. If the external network is connected to the Internet, each global IP address must be registered with the Network Information Center (NIC). You can specify a range of IP addresses by separating the addresses with a dash (-).
    You can create a Port Address Translation (PAT) global command statement by specifying a single IP address. You can have more than one PAT global command statement per interface. A PAT can support up to 65,535 xlate objects.

global_mask
    The network mask for global_ip. If subnetting is in effect, use the subnet mask; for example, 255.255.255.128. If you specify an address range that overlaps subnets, global will not use the broadcast or network addresses in the pool of global addresses. For example, if you use 255.255.255.224 and an address range of 209.165.201.1-209.165.201.30, the 209.165.201.31 broadcast address and the 209.165.201.0 network address will not be included in the pool of global addresses.

if_name
    The external network where you use these global addresses.

interface
    Specifies PAT using the IP address at the interface.

nat_id
    A positive number shared with the nat command that groups the nat and global command statements together. The valid ID numbers can be any positive number up to 2,147,483,647.

netmask
    Reserved word that prefaces the network global_mask variable.
Command Modes
Configuration mode.
Usage Guidelines
The global command defines a pool of global addresses. The global addresses in the pool provide an IP address for each outbound connection, and for those inbound connections resulting from outbound connections. Ensure that associated nat and global command statements have the same nat_id.
When used on a PPPoE interface, the global command should explicitly include a netmask. Otherwise, the 255.255.255.255 netmask, assigned to the interface by PPPoE, is used as the broadcast mask. In that case, all addresses in the global pool may become broadcast addresses and will become unusable for address translation.
Use caution with names that contain a "-" (dash) character because the global command interprets the last (or only) "-" character in the name as a range specifier instead of as part of the name. For example, the global command treats the name "host-net2" as a range from "host" to "net2". If the name is "host-net2-section3" then it is interpreted as a range from "host-net2" to "section3".
The following command form is used for Port Address Translation (PAT) only:
global [(if_name)] nat_id {{global_ip} [netmask global_mask] | interface}
After changing or removing a global command statement, use the clear xlate command.
Use the no global command to remove access to a nat_id, or to a Port Address Translation (PAT) address, or address range within a nat_id.
The show global command displays the global command statements in the configuration.
PAT
You can enable the Port Address Translation (PAT) feature by entering a single IP address with the global command. PAT lets multiple outbound sessions appear to originate from a single IP address. With PAT enabled, the PIX Firewall chooses a unique port number from the PAT IP address for each outbound xlate (translation slot). This feature is valuable when an Internet service provider cannot allocate enough unique IP addresses for your outbound connections. An IP address you specify for a PAT cannot be used in another global address pool.
When a PAT augments a pool of global addresses, connections use addresses from the global pool first; a PAT address is used only when no pool address is available, and whenever a pool address is available again, the next connection takes it. To augment a pool of global addresses with a PAT, use the same nat_id in the global command statements that create the global pool and the PAT.
For example:
global (outside) 1 209.165.201.1-209.165.201.10 netmask 255.255.255.224
global (outside) 1 209.165.201.22 netmask 255.255.255.224
PAT does not work with H.323 applications and caching nameservers. Do not use a PAT when multimedia applications need to be run through the PIX Firewall. Multimedia applications can conflict with port mappings provided by PAT.
The PIX Firewall does not PAT all ICMP message types; only ICMP echo and echo-reply packets (types 8 and 0) create a PAT xlate. Other ICMP message types are dropped, and syslog message 305006 is generated on the PIX Firewall when that happens.
PAT does not work with the established command. PAT works with DNS, FTP and passive FTP, HTTP, email, RPC, rshell, Telnet, URL filtering, and outbound traceroute.
However, for use with passive FTP, use the fixup protocol ftp strict command statement with an access-list command statement to permit outbound FTP traffic, as shown in the following example:
fixup protocol ftp strict ftp
access-list acl_in permit tcp any any eq ftp
access-group acl_in in interface inside
global (outside) 1 209.165.201.5 netmask 255.255.255.224
To specify PAT using the IP address of an interface, use the interface keyword in place of an address: global [(if_name)] nat_id interface.
The following example enables PAT using the IP address at the outside interface in global configuration mode:
ip address outside 192.150.49.1
global (outside) 1 interface
The interface IP address used for PAT is the address associated with the interface when the xlate (translation slot) is created. This is important for configuring DHCP, allowing for the DHCP retrieved address to be used for PAT.
Enabling PAT on an interface should not cause any loss of TCP, UDP, or ICMP services that terminate at the PIX Firewall unit's outside interface.
To track usage among different subnets, you can specify multiple PATs using the following supported configurations.
The following example maps hosts on the internal network 10.1.0.0/24 to global address 192.168.1.1 and hosts on the internal network 10.1.1.0/24 to global address 209.165.200.225 in global configuration mode.
nat (inside) 1 10.1.0.0 255.255.255.0
nat (inside) 2 10.1.1.0 255.255.255.0
global (outside) 1 192.168.1.1 netmask 255.255.255.0
global (outside) 2 209.165.200.225 netmask 255.255.255.224
The following example configures two port addresses for setting up PAT on hosts from the internal network 10.1.0.0/16 in global configuration mode.
nat (inside) 1 10.1.0.0 255.255.0.0
global (outside) 1 209.165.200.225 netmask 255.255.255.224
global (outside) 1 192.168.1.1 netmask 255.255.255.0
With this configuration, address 192.168.1.1 will only be used when the port pool from address 209.165.200.225 is at maximum capacity.
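The address-selection rules above (usable pool addresses determined by netmask, pool addresses before any PAT address, PAT addresses consumed in configured order, and the interface keyword resolved when the xlate is created) are easier to reason about when written out. The following model is an added example for this page, not Cisco code; it assumes a hard cap of 65,535 xlates per PAT address as the text states, and it does not model port selection, xlate timeouts, or the netmask on a single PAT address.

```python
"""Model of PIX global-pool and PAT address selection.

Added example for this page, not Cisco code. Rules taken from the global
command text: an address range skips the network and broadcast address of
each subnet defined by netmask; a single address is a PAT address with room
for 65,535 xlates; pool addresses are used before any PAT address; PAT
addresses are consumed in configured order; the interface keyword uses the
interface address current when the xlate is created. Port selection and
xlate timeouts are not modeled (assumption).
"""
import ipaddress
import re
from collections import OrderedDict

PAT_XLATES_PER_ADDRESS = 65535  # capacity per PAT address stated in the text

GLOBAL_RE = re.compile(
    r"^global\s+\((?P<if_name>[\w-]+)\)\s+(?P<nat_id>\d+)\s+"
    r"(?:(?P<start>\d+\.\d+\.\d+\.\d+)(?:-(?P<end>\d+\.\d+\.\d+\.\d+))?"
    r"(?:\s+netmask\s+(?P<mask>\d+\.\d+\.\d+\.\d+))?|(?P<iface>interface))\s*$"
)


def usable_addresses(start, end, netmask):
    """Expand start-end, dropping each subnet's network and broadcast address.

    Every address's subnet is derived from netmask, so a range that crosses a
    subnet boundary loses two addresses there, and a /32 mask (the PPPoE
    pitfall described in the text) leaves nothing usable.
    """
    mask = int(ipaddress.IPv4Address(netmask))
    lo, hi = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
    if lo > hi:
        raise ValueError("range start is above range end")
    usable = []
    for a in range(lo, hi + 1):
        network = a & mask
        broadcast = network | (~mask & 0xFFFFFFFF)
        if a not in (network, broadcast):
            usable.append(str(ipaddress.IPv4Address(a)))
    return usable


class XlateAllocator:
    """Hands out global addresses per (if_name, nat_id) in the documented order."""

    def __init__(self, interface_addresses=None):
        # if_name -> current interface IP; change it to mimic a new DHCP lease
        self.interface_addresses = interface_addresses or {}
        self.free_pool = {}    # key -> unused dynamic NAT addresses
        self.in_use = {}       # key -> pool addresses currently holding an xlate
        self.pat = {}          # key -> OrderedDict(pat token -> xlates allocated)
        self.pat_tokens = set()

    def add_global(self, line):
        m = GLOBAL_RE.match(line.strip())
        if not m:
            raise ValueError("not a global statement: %r" % line)
        key = (m["if_name"], int(m["nat_id"]))
        self.free_pool.setdefault(key, [])
        self.in_use.setdefault(key, set())
        self.pat.setdefault(key, OrderedDict())
        if m["iface"]:
            self._add_pat(key, "interface:" + m["if_name"])
        elif m["end"] is None:
            self._add_pat(key, m["start"])
        else:
            # No netmask given: model the PPPoE case, where /32 makes every address a broadcast
            mask = m["mask"] or "255.255.255.255"
            self.free_pool[key].extend(usable_addresses(m["start"], m["end"], mask))

    def _add_pat(self, key, token):
        if token in self.pat_tokens:  # a PAT address cannot appear in another global pool
            raise ValueError("PAT address %s already configured" % token)
        self.pat_tokens.add(token)
        self.pat[key][token] = 0

    def allocate(self, if_name, nat_id):
        """Return (global address, 'nat' or 'pat') for a new outbound xlate, or None."""
        key = (if_name, nat_id)
        if self.free_pool.get(key):
            addr = self.free_pool[key].pop(0)
            self.in_use[key].add(addr)
            return addr, "nat"
        for token, used in self.pat.get(key, {}).items():
            if used < PAT_XLATES_PER_ADDRESS:
                self.pat[key][token] = used + 1
                addr = self.interface_addresses[if_name] if token.startswith("interface:") else token
                return addr, "pat"
        return None  # pool and every PAT address exhausted

    def release(self, if_name, nat_id, addr):
        """Return a pool address to the free list when its xlate is cleared."""
        key = (if_name, nat_id)
        if addr in self.in_use[key]:
            self.in_use[key].remove(addr)
            self.free_pool[key].append(addr)


if __name__ == "__main__":
    alloc = XlateAllocator({"outside": "192.150.49.1"})
    alloc.add_global("global (outside) 1 209.165.201.1-209.165.201.10 netmask 255.255.255.224")
    alloc.add_global("global (outside) 1 209.165.201.22 netmask 255.255.255.224")
    for _ in range(12):
        print(alloc.allocate("outside", 1))  # ten pool addresses, then the PAT address
```

Feeding the two PAT statements from the example above into the allocator shows 192.168.1.1 being used only after 209.165.200.225 has reached its xlate limit, and a range entered without a netmask on a PPPoE interface yields an empty pool, which is the failure mode the Usage Guidelines warn about.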
PAT and DNS
IP addresses in the pool of global addresses specified with the global command require reverse DNS entries to ensure that all external network addresses are accessible through the PIX Firewall. To create reverse DNS mappings, use a DNS PTR record in the address-to-name mapping file for each global address. For more information on DNS, refer to DNS and BIND, by Paul Albitz and Cricket Liu, O'Reilly & Associates, Inc., ISBN 1-56592-010-4. Without the PTR entries, sites can experience slow or intermittent Internet connectivity and FTP requests that consistently fail. For example, if a global IP address is 209.165.201.1 and the domain for the PIX Firewall is pix.example.com, the PTR record would be as follows.
1.201.165.209.in-addr.arpa. IN PTR pix.example.com
A DNS server on a higher level security interface needing to get updates from a root name server on the outside interface cannot use PAT. Instead, a static command statement must be added to map the DNS server to a global address on the outside interface.
For example, PAT is enabled with these commands:
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 209.165.202.128 netmask 255.255.255.224
However, a DNS server on the inside at IP address 192.168.1.5 cannot correctly reach the root name server on the outside at IP address 209.165.202.130.
To ensure that the inside DNS server can access the root name server, insert the following static command statement:
static (inside,outside) 209.165.202.129 192.168.1.5
The global address 209.165.202.129 provides a translated address for the inside server at IP address 192.168.1.5.
Examples
The following example declares a global pool range and a PAT address under the same nat_id; a nat command with that nat_id then permits inside users to start connections to the outside network. The third line is the firewall's response confirming that the single address will be used for PAT:
global (outside) 1 209.165.201.1-209.165.201.10 netmask 255.255.255.224
global (outside) 1 209.165.201.12 netmask 255.255.255.224
Global 209.165.201.12 will be Port Address Translated
The next example creates a global pool from two contiguous pieces of a Class C address and gives the perimeter hosts access to this pool of addresses to start connections on the outside interface:
global (outside) 1000 209.165.201.1-209.165.201.14 netmask 255.255.255.240
global (outside) 1000 209.165.201.17-209.165.201.30 netmask 255.255.255.240
help
Display help information.
help command
?
Syntax Description

?
    Displays all commands available in the current privilege level and mode.

command
    Specifies the PIX Firewall command for which to display the PIX Firewall command-line interface (CLI) help.

help
    If no command name is specified, displays all commands available in the current privilege level and mode; otherwise, displays the PIX Firewall CLI help for the command specified.
Command Modes
Unprivileged, privileged, and configuration modes.
Usage Guidelines
The help or ? command displays help information about all commands. You can view help for an individual command by entering the command name followed by a "?"(question mark).
If the pager command is enabled, the listing pauses after 24 lines at a More prompt.
The More prompt uses syntax similar to the UNIX more command:
•
To view another screenful, press the Space bar.
•
To view the next line, press the Enter key.
•
To return to the command line, press the q key.
Examples
The following example shows the help information displayed when you follow the enable command with a question mark:
usage: enable password <pw> [encrypted]
Help information is available on the core commands (not the show, no, or clear commands) by entering ? at the command prompt. The listing begins as follows:
aaa    Enable, disable, or view TACACS+ or RADIUS
       user authentication, authorization and accounting
hostname
Change the host name in the PIX Firewall command-line prompt.
hostname newname
Syntax Description

newname
    Specifies a new host name for the firewall, which is displayed in the firewall prompt. This name can be up to 63 characters, including alphanumeric characters, spaces, or any of the following special characters: `( ) + - , . / : = ?
Command Modes
Configuration mode.
Usage Guidelines
The hostname command changes the host name label on prompts. The default host name is pixfirewall.
Note
Changing the host name also changes the fully qualified domain name. Because the RSA key pairs and certificates are tied to the fully qualified domain name, delete the RSA key pairs with the ca zeroize rsa command and delete the related certificates with the no ca identity ca_nickname command after the change.
Examples
The following example shows how to change a host name:
pixfirewall(config)# hostname spinner
spinner(config)# hostname pixfirewall
http
Enables the PIX Firewall HTTP server and specifies the clients that are permitted to access it. The Cisco PIX Device Manager (PDM) requires the HTTP server to be enabled on the PIX Firewall.
[no] http ip_address [netmask] [if_name]
[no] http server enable
clear http
show http
Syntax Description

clear http
    Removes all HTTP hosts and disables the server.

http
    Relating to the Hypertext Transfer Protocol.

http server enable
    Enables the HTTP server required to run PDM.

if_name
    PIX Firewall interface name on which the host or network initiating the HTTP connection resides.

ip_address
    Specifies the host or network authorized to initiate an HTTP connection to the PIX Firewall.

netmask
    Specifies the network mask for the http ip_address.
Defaults
If you do not specify a netmask, the default is 255.255.255.255 regardless of the class of IP address. The default if_name is inside.
Command Modes
Configuration mode.
Usage Guidelines
Specifying 0.0.0.0 0.0.0.0 (or 0 0) for ip_address and netmask allows HTTP access from any host on that interface. Because the HTTP server is the management path used by PDM, restrict ip_address to the management hosts or subnet that need it whenever possible.
The show http command displays the allowed hosts and whether or not the HTTP server is enabled.
Examples
The following http command example is used for one host:
http 16.152.1.11 255.255.255.255 outside
The following http command example is used for any host:
http 0.0.0.0 0.0.0.0 inside
icmp
Configure access rules for Internet Control Message Protocol (ICMP) traffic that terminates at an interface.
[no] icmp {permit | deny} ip_address net_mask [icmp_type] if_name
clear icmp
show icmp
Syntax Description

deny
    Deny access if the conditions are matched.

icmp_type
    ICMP message type as described in Table 6-1.

if_name
    The interface name.

ip_address
    The IP address of the host sending ICMP messages to the interface. The examples below also use the shorthand any (any source) and host ip_address (a single host) in place of ip_address net_mask.

net_mask
    The mask to be applied to ip_address.

permit
    Permit access if the conditions are matched.
Command Modes
Configuration mode.
Usage Guidelines
By default, the PIX Firewall denies all inbound traffic through the outside interface. Based on your network security policy, consider configuring the PIX Firewall to deny all ICMP traffic at the outside interface, or at any other interface you deem necessary, by using the icmp command.
The icmp command controls ICMP traffic that terminates at a PIX Firewall interface. If no ICMP control list is configured, the PIX Firewall accepts all ICMP traffic that terminates at any interface (including the outside interface), except that it does not respond to ICMP echo requests directed to a broadcast address.
The icmp deny command disables pinging to an interface, and the icmp permit command enables pinging to an interface. With pinging disabled, the PIX Firewall cannot be discovered by a ping sweep. This is also referred to as configurable proxy pinging.
The icmp command has no effect on traffic that is routed through the PIX Firewall; use the access-list and access-group commands to control ICMP traffic that passes through the firewall.
We recommend that you permit the ICMP unreachable message type (type 3). Denying ICMP unreachable messages disables ICMP Path MTU Discovery, which can halt IPSec and PPTP traffic. See RFC 1191 and RFC 1435 for details about Path MTU Discovery.
If an ICMP control list is configured on an interface, the PIX Firewall applies the first matching entry, followed by an implicit deny all. That is, if the first matched entry is a permit entry, the ICMP packet continues to be processed. If the first matched entry is a deny entry, or if no entry matches, the PIX Firewall discards the ICMP packet and generates the %PIX-3-313001 syslog message. If no ICMP control list is configured, a permit is assumed.
The syslog message is as follows:
%PIX-3-313001: Denied ICMP type=type, code=code from source_address on
interface interface_number
If this message appears, contact the peer's administrator.
ICMP Message Types
Table 6-1 lists possible ICMP type values.
Table 6-1 ICMP Type Literals

ICMP Type   Literal
0           echo-reply
3           unreachable
4           source-quench
5           redirect
6           alternate-address
8           echo
9           router-advertisement
10          router-solicitation
11          time-exceeded
12          parameter-problem
13          timestamp-request
14          timestamp-reply
15          information-request
16          information-reply
17          mask-request
18          mask-reply
31          conversion-error
32          mobile-redirect
Examples
1. Deny all ping requests and permit all unreachable messages at the outside interface:
icmp permit any unreachable outside
Because configuring any icmp statement on an interface adds an implicit deny all, this single permit entry discards every other ICMP type at the outside interface, including echo requests.
2. Permit host 172.16.2.15 and hosts on subnet 172.22.0.0/16 to ping the outside interface, and continue to permit unreachable messages. An incoming ping request is ICMP type 8, literal echo, so that is the type to permit:
icmp permit host 172.16.2.15 echo outside
icmp permit 172.22.0.0 255.255.0.0 echo outside
icmp permit any unreachable outside
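The first-match and implicit-deny behaviour described in the Usage Guidelines can be exercised against the configurations in the examples above with the following evaluator. It is an added example for this page, not Cisco code. It accepts the any and host shorthand used in the examples, maps the Table 6-1 literals to type numbers, and emits the %PIX-3-313001 line for denied messages; the interface number in that line is supplied by the caller, because this page does not define how the firewall numbers interfaces (assumption).

```python
"""ICMP control-list evaluation for traffic terminating at a PIX interface.

Added example for this page, not Cisco code. Rule taken from the icmp command
text: with no control list on an interface every ICMP message is accepted;
once a list exists, the first matching entry decides and anything unmatched
is denied with a %PIX-3-313001 message. The interface number in that message
comes from the caller (assumption: this page does not define the numbering).
"""
import ipaddress
import re

# Table 6-1 literals; a numeric type is also accepted in a statement.
ICMP_TYPES = {
    "echo-reply": 0, "unreachable": 3, "source-quench": 4, "redirect": 5,
    "alternate-address": 6, "echo": 8, "router-advertisement": 9,
    "router-solicitation": 10, "time-exceeded": 11, "parameter-problem": 12,
    "timestamp-request": 13, "timestamp-reply": 14, "information-request": 15,
    "information-reply": 16, "mask-request": 17, "mask-reply": 18,
    "conversion-error": 31, "mobile-redirect": 32,
}

ICMP_RE = re.compile(
    r"^icmp\s+(?P<action>permit|deny)\s+"
    r"(?:(?P<any>any)|host\s+(?P<host>\d+\.\d+\.\d+\.\d+)"
    r"|(?P<addr>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+))"
    r"(?:\s+(?P<type>[a-z][a-z-]*|\d+))?\s+(?P<if_name>\w+)\s*$"
)


class IcmpControlList:
    """Per-interface icmp statements, kept in the order they were entered."""

    def __init__(self, interface_numbers):
        self.interface_numbers = interface_numbers  # if_name -> number for the syslog text
        self.rules = {}  # if_name -> [(action, source network, icmp type or None)]

    def add(self, line):
        m = ICMP_RE.match(line.strip())
        if not m:
            raise ValueError(f"not an icmp statement: {line!r}")
        if m["any"]:
            net = ipaddress.IPv4Network("0.0.0.0/0")
        elif m["host"]:
            net = ipaddress.IPv4Network(m["host"] + "/32")
        else:  # the mask is applied, so 172.22.1.0 255.255.0.0 means 172.22.0.0/16
            net = ipaddress.IPv4Network((m["addr"], m["mask"]), strict=False)
        icmp_type = m["type"]
        if icmp_type is not None:
            icmp_type = int(icmp_type) if icmp_type.isdigit() else ICMP_TYPES[icmp_type]
        self.rules.setdefault(m["if_name"], []).append((m["action"], net, icmp_type))

    def check(self, if_name, source, icmp_type, code=0):
        """Return (permitted, syslog line or None) for a message addressed to if_name."""
        rules = self.rules.get(if_name)
        if not rules:
            return True, None  # no control list on this interface: permit assumed
        src = ipaddress.IPv4Address(source)
        for action, net, rule_type in rules:  # first match wins
            if src in net and rule_type in (None, icmp_type):
                if action == "permit":
                    return True, None
                break  # explicit deny entry matched
        # deny entry matched, or nothing matched (implicit deny all)
        number = self.interface_numbers[if_name]
        return False, (f"%PIX-3-313001: Denied ICMP type={icmp_type}, code={code} "
                       f"from {source} on interface {number}")


if __name__ == "__main__":
    acl = IcmpControlList({"outside": 0, "inside": 1})
    acl.add("icmp permit any unreachable outside")
    print(acl.check("outside", "209.165.200.225", 3))  # unreachable: permitted
    print(acl.check("outside", "209.165.200.225", 8))  # echo request: denied and logged
    print(acl.check("inside", "192.168.1.5", 8))       # no list on inside: permitted
```

Running example 1 through the evaluator shows why a single permit entry is enough to stop pings: once the list exists, an echo request from any source falls through to the implicit deny and produces the syslog line, while a type 3 message is still accepted.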
igmp
Refer to the multicast command for the igmp subcommands.
The Internet Group Management Protocol (IGMP) enables IP hosts to report their multicast group memberships to an adjacent multicast router. On the PIX Firewall, IGMP support is implemented as a subcommand to the multicast command.
interface
Sets network interface parameters and configures VLANs.
interface hardware_id [hardware_speed [shutdown]]
[no] interface hardware_id vlan_id [logical | physical] [shutdown]
interface hardware_id change-vlan old_vlan_id new_vlan_id
clear interface
show interface hardware_id [hardware_speed] [shutdown]
Syntax Description

change-vlan
    Keyword to change the VLAN identifier for an interface.

hardware_id
    Identifies the network interface type. Possible values are ethernet0, ethernet1 to ethernetn, or gb-ethernetn, depending on how many network interfaces are in the PIX Firewall.

hardware_speed
    Network interface speed (optional).
    aui—Set for 10 Mbps Ethernet half-duplex communication with an AUI cable interface.
    auto—Negotiates Ethernet speed and duplex settings automatically. The auto keyword can only be used with the Intel 10/100 automatic speed-sensing network interface card.
    bnc—Set for 10 Mbps Ethernet half-duplex communication with a BNC cable interface.
    Possible Ethernet values are:
    10baseT—To set for 10 Mbps Ethernet half-duplex communication.
    10full—To set for 10 Mbps Ethernet full-duplex communication.
    100baseTX—To set for 100 Mbps Ethernet half-duplex communication.
    100full—To set for 100 Mbps Ethernet full-duplex communication.
    Possible Gigabit Ethernet (gb-ethernetX) values are:
    1000auto—To auto negotiate speed and duplex.
    1000full—To auto negotiate, advertising 1000 Mbps full duplex.
    1000full nonegotiate—To force link to 1000 Mbps full duplex.

logical
    Creates a logical interface and applies the VLAN.

new_vlan_id
    The new VLAN identifier.

old_vlan_id
    The current VLAN identifier.

physical
    Applies the VLAN to the physical interface.

shutdown
    Disables an interface.

vlan_id
    The VLAN identifier. For example: vlan10, vlan20, and so on.
Command Modes
Configuration mode.
Defaults
When configured, VLAN logical interfaces are enabled by default.
Usage Guidelines
The interface command sets the speed and duplex settings of the network interface boards, and brings up the interfaces specified. After changing an interface command, use the clear xlate command.
Note
For Stateful Failover to work properly, set the Stateful Failover dedicated interface to 100 Mbps full duplex using the 100full option to the interface command.
The i82542 Gigabit Ethernet interface currently used in the PIX Firewall does not support half duplex; as a result, 1000auto is equivalent to 1000full when using this interface.
VLAN interfaces
With Version 6.3, you can assign VLANs to physical interfaces on the PIX Firewall, or you can configure multiple logical interfaces on a single physical interface and assign each logical interface to a specific VLAN.
There is one physical interface per NIC; physical interfaces are in place at boot time and cannot be removed. Logical interfaces can be many-to-one for each NIC; they are created at run time and can be removed through software reconfiguration. A minimum of two physical interfaces is required on all PIX Firewall platforms to support VLANs.
A logical interface is similar in many respects to a so-called physical interface. Both logical and physical interfaces are software objects (the actual physical object is the network interface card on the PIX Firewall unit). What is called the physical interface for the purpose of configuration is a software object that has both Layer 2 (Data link) and Layer 3 (Network) attributes. Layer 2 attributes include maximum transmission unit (MTU) size and failover status, while Layer 3 attributes include IP address and security level.
A logical interface has only Layer 3 attributes. As a result, you can issue certain commands, such as failover link if_name or failover lan interface if_name on a physical interface that you cannot use with a logical interface. When you disable a physical interface, all the associated logical interfaces are also disabled. When you disable a logical interface, it only affects the logical interface.
The number of logical interfaces that you can configure varies according to the model. The minimum number of interfaces for any PIX Firewall is two. Table 6-2 lists the maximum number of logical interfaces supported on a specific PIX Firewall model:
Table 6-2 Maximum Number of Interfaces Supported on PIX Firewall Models

                 Restricted License                 Unrestricted License
Model            Total   Physical   Logical         Total   Physical   Logical
PIX 501          NA      NA         NA              2       2          Not supported
PIX 506/506E     NA      NA         NA              2       2          2
PIX 515/515E     5       3          3               10      6          8
PIX 520          NA      NA         NA              12      6          10
PIX 525          8       6          6               12      8          10
PIX 535          10      8          8               24      10         22
Note
To determine the maximum number of logical interfaces that you can use, subtract the number of physical interfaces in use on your PIX Firewall from the number of total interfaces.
Use the show interface command to display information about the VLAN configuration.
Use the interface hardware_id vlan_id logical shutdown command to temporarily disable a logical interface.
Use the interface hardware_id change-vlan old_vlan_id new_vlan_id command to reassign a VLAN.
Use the no interface hardware_id vlan_id logical command to remove the VLAN configuration.
no and clear commands
The clear interface command clears all interface statistics except the number of input bytes. This command no longer shuts down all system interfaces. The clear interface command works with all interface types except Gigabit Ethernet. The clear interface command also clears the packet drop count of Unicast RPF for all interfaces.
Use the no interface command to remove logical interfaces and VLAN definitions. (However, a no interface command does not negate an interface shutdown command.)
Note
Using a no interface command on a logical interface (used for VLAN configuration) removes the logical interface from the system. Removing the logical interface also deletes all configuration rules applied to that interface, so exercise caution when using no interface commands with logical interfaces.
The shutdown option lets you disable an interface. When you first install PIX Firewall, all interfaces are shut down by default. You must explicitly enable an interface by entering the command without the shutdown option. If the shutdown option does not exist in the command, packets are passed by the driver to and from the card.
If the shutdown option does exist, packets are dropped in either direction. Inserting a new card defaults to the default interface command containing the shutdown option. (That is, if you add a new card and then enter the write memory command, the shutdown option is saved into Flash memory for the interface.) When upgrading from a previous version to the current version, interfaces are enabled.
The configuration of the interface affects buffer allocation (the PIX Firewall will allocate more buffers for higher line speeds). Buffer allocation can be checked with the show blocks command.
Note
Even though the default is to set automatic speed sensing for the interfaces with the interface hardware_id auto command, we recommend that you specify the speed of the network interfaces; for example, 10baseT or 100baseTX. This lets PIX Firewall operate in network environments that may include switches or other devices that do not handle auto sensing correctly.
show interface
The show interface command lets you view network interface information for Ethernet. This is one of the first commands you should use when establishing network connectivity after installing a PIX Firewall.
Note
The PIX 501 switch interface always indicates 100000 Kbit full duplex (100,000 Kbps full duplex) even though the switch ports have negotiated the speed and duplex settings. The PIX Firewall automatically negotiates the inside interface setting at 100full and this is not configurable.
Gigabit interface cards do not provide information for the extended show interface command counters introduced in Version 5.0(3). For Gigabit Ethernet interfaces, the current and maximum count for the number of blocks on the input (receive) queue will always be the same (63).
The information in the show interface command output is described in Table 6-3:
Table 6-3 show interface Description

Ethernet string
    Indicates that you have used the interface command to configure the interface. The statement gives the interface name (for example, outside or inside) and whether the interface is available ("up") or not available ("down").

line protocol up / line protocol down
    The message "line protocol up" means a working cable is plugged into the network interface. If the message is "line protocol down," either the cable is incorrect or not plugged into the interface connector. The show interface command reports "line protocol down" for BNC cable connections and for 3Com cards.

Network interface type
    Indicates the type of network interface.

Interrupt vector
    It is acceptable for interface cards to have the same interrupts.

MAC address
    The hardware string preceding the address identifies the card: Intel cards start with "i" and 3Com cards with "3c."

Maximum transmission unit (MTU)
    The largest frame size, in bytes, that can be sent over the network.

nn packets input
    Indicates that packets are being received by the PIX Firewall.

nn packets output
    Indicates that packets are being sent from the PIX Firewall.

Line duplex status
    Half duplex indicates that the network interface alternates between sending and receiving information; full duplex indicates that the network interface can send and receive information simultaneously.

Line speed
    10baseT is listed as 10,000 Kb; 100baseTX is listed as 100,000 Kb.
The show interface command includes eight status counters (valid only for Ethernet interfaces).
The following example shows sample output:
interface ethernet0 "outside" is up, line protocol is up
Hardware is i82559 ethernet, address is 00aa.0000.003b
IP address 209.165.201.7, subnet mask 255.255.255.224
MTU 1500 bytes, BW 100000 Kbit half duplex
1184342 packets input, 1222298001 bytes, 0 no buffer
Received 26 broadcasts, 27 runts, 0 giants
4 input errors, 0 CRC, 4 frame, 0 overrun, 0 ignored, 0 abort
1310091 packets output, 547097270 bytes, 0 underruns
0 output errors, 28075 collisions, 0 interface resets
0 babbles, 0 late collisions, 117573 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/1)
output queue (curr/max blocks): hardware (0/2) software (0/1)
The show interface counters are described in Table 6-4:
Table 6-4 show interface Counters

output errors
    The number of frames not transmitted because the configured maximum number of collisions was exceeded. This counter should only increment during heavy network traffic.

collisions
    The number of messages retransmitted due to an Ethernet collision (single and multiple collisions). This usually occurs on an overextended LAN (Ethernet or transceiver cable too long, more than two repeaters between stations, or too many cascaded multiport transceivers). A packet that collides is counted only once in the output packets counter.

interface resets
    The number of times an interface has been reset. If an interface is unable to transmit for three seconds, the PIX Firewall resets the interface to restart transmission. During this interval, connection state is maintained. An interface reset can also happen when an interface is looped back or shut down.

babbles
    Unused. ("Babble" means that the transmitter has been on the interface longer than the time taken to transmit the largest frame.)

late collisions
    The number of frames that were not transmitted because a collision occurred outside the normal collision window. A late collision is a collision that is detected late in the transmission of the packet. Normally, these should never happen. When two Ethernet hosts try to talk at once, they should collide early in the packet and both back off, or the second host should see that the first one is talking and wait.
    If you get a late collision, a device is jumping in and trying to send a packet on the Ethernet while the PIX Firewall is partly finished sending its packet. The PIX Firewall does not resend the packet, because it may have freed the buffers that held the first part of the packet. This is not a real problem, because networking protocols are designed to cope with collisions by resending packets. However, late collisions indicate that a problem exists in your network. Common problems are large repeated networks and Ethernet networks running beyond the specification.

deferred
    The number of frames that were deferred before transmission due to activity on the link.

lost carrier
    The number of times the carrier signal was lost during transmission.

no carrier
    Unused.

input queue (curr/max blocks)
    The input (receive) hardware and software queues.
    hardware (current/maximum blocks): the number of blocks currently present on the input hardware queue, and the maximum number of blocks previously present on that queue. In the example, there are currently 128 blocks on the input hardware queue, and the maximum number of blocks ever present on this queue was 128.
    software (current/maximum blocks): the number of blocks currently present on the input software queue, and the maximum number of blocks previously present on that queue. In the example, there are currently 0 blocks on the input software queue, and the maximum number of blocks ever present on this queue was 1.

output queue (curr/max blocks)
    The output (transmit) hardware and software queues.
    hardware (current/maximum blocks): the number of blocks currently present on the output hardware queue, and the maximum number of blocks previously present on that queue. In the example, there are currently 0 blocks on the output hardware queue, and the maximum number of blocks ever present on this queue was 2.
    software (current/maximum blocks): the number of blocks currently present on the output software queue, and the maximum number of blocks previously present on that queue. In the example, there are currently 0 blocks on the output software queue, and the maximum number of blocks ever present on this queue was 1.
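Reading these counters by hand across many interfaces is error-prone, so the following parser turns show interface output into structured records and flags the conditions that Tables 6-3 and 6-4 single out: a down line protocol, input errors, runts and giants, late collisions, interface resets, lost carrier, buffer starvation, and a half-duplex link with a high collision and deferral rate. It is an added example for this page, not Cisco code; the sample text is constructed from the ethernet0 and gb-ethernet0 output shown on this page, and the collision-rate threshold is an assumption chosen for illustration rather than a firewall setting.

```python
"""Parser and health check for PIX show interface output.

Added example for this page, not Cisco code. SAMPLE_SHOW_INTERFACE is
constructed from the page's own ethernet0 and gb-ethernet0 output. Findings
follow Tables 6-3 and 6-4; the contention ratio is an assumption.
"""
import re

SAMPLE_SHOW_INTERFACE = """\
interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 00aa.0000.003b
  IP address 209.165.201.7, subnet mask 255.255.255.224
  MTU 1500 bytes, BW 100000 Kbit half duplex
  1184342 packets input, 1222298001 bytes, 0 no buffer
  Received 26 broadcasts, 27 runts, 0 giants
  4 input errors, 0 CRC, 4 frame, 0 overrun, 0 ignored, 0 abort
  1310091 packets output, 547097270 bytes, 0 underruns
  0 output errors, 28075 collisions, 0 interface resets
  0 babbles, 0 late collisions, 117573 deferred
  0 lost carrier, 0 no carrier
  input queue (curr/max blocks): hardware (128/128) software (0/1)
  output queue (curr/max blocks): hardware (0/2) software (0/1)
interface gb-ethernet0 "intf2" is up, line protocol is down
  Hardware is i82543 rev02 gigabit ethernet, address is 0003.47df.1e1c
  MTU 1500 bytes, BW 1 Gbit full duplex, Force link-up
  5133 packets input, 628176 bytes, 0 no buffer
  Received 4202 broadcasts, 2 runts, 8 giants
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
  1832 packets output, 124948 bytes, 0 underruns
  input queue (curr/max blocks): hardware (41/128) software (0/2)
  output queue (curr/max blocks): hardware (0/2) software (0/4)
"""

HEADER_RE = re.compile(r'^interface (\S+) "([^"]*)" is (\w+), line protocol is (\w+)$')
COUNTER_RE = re.compile(r"(\d+) ([A-Za-z][A-Za-z ]*?)(?:,|$)")
QUEUE_RE = re.compile(r"^(input|output) queue .*hardware \((\d+)/(\d+)\) software \((\d+)/(\d+)\)$")
BW_RE = re.compile(r"BW (\d+) (Kbit|Gbit) (half|full) duplex")


def parse_show_interface(text):
    """Split show interface output into one dict per interface."""
    interfaces, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            cur = {"hardware_id": header[1], "if_name": header[2], "status": header[3],
                   "line_protocol": header[4], "counters": {}, "queues": {}}
            interfaces.append(cur)
            continue
        if cur is None or not line:
            continue
        if line.startswith("Hardware is "):
            cur["hardware"], cur["mac"] = line[len("Hardware is "):].split(", address is ")
        elif line.startswith("IP address "):
            cur["ip"], cur["mask"] = re.findall(r"\d+\.\d+\.\d+\.\d+", line)
        elif line.startswith("MTU "):
            bw = BW_RE.search(line)
            cur["mtu"] = int(line.split()[1])
            cur["bw_kbit"] = int(bw[1]) * (1_000_000 if bw[2] == "Gbit" else 1)
            cur["duplex"] = bw[3]
            cur["forced"] = "Force link-up" in line   # link forced, not negotiated
        elif QUEUE_RE.match(line):
            q = QUEUE_RE.match(line)
            cur["queues"][q[1]] = {"hw": (int(q[2]), int(q[3])), "sw": (int(q[4]), int(q[5]))}
        else:  # "N label, N label, ..." counter lines; byte counts are keyed by direction
            direction = "input" if "packets input" in line else "output" if "packets output" in line else ""
            for value, label in COUNTER_RE.findall(line.replace("Received ", "")):
                cur["counters"]["bytes " + direction if label == "bytes" else label] = int(value)
    return interfaces


def assess(iface, contention_ratio=0.01):
    """Return finding codes for one parsed interface (ratio threshold is an assumption)."""
    c, findings = iface["counters"], []
    if iface["line_protocol"] != "up":
        findings.append("line-protocol-down")   # wrong or unplugged cable (Table 6-3)
    if c.get("no buffer", 0):
        findings.append("no-buffer-drops")      # buffer starvation; check show blocks
    if any(c.get(k, 0) for k in ("input errors", "CRC", "frame")):
        findings.append("input-errors")
    if c.get("runts", 0) or c.get("giants", 0):
        findings.append("malformed-frames")
    if c.get("late collisions", 0):
        findings.append("late-collisions")      # network beyond specification (Table 6-4)
    if c.get("interface resets", 0):
        findings.append("interface-resets")     # three seconds without transmitting
    if c.get("lost carrier", 0):
        findings.append("lost-carrier")
    out = c.get("packets output", 0)
    if iface.get("duplex") == "half" and out:
        if (c.get("collisions", 0) + c.get("deferred", 0)) / out > contention_ratio:
            findings.append("half-duplex-contention")  # set speed/duplex explicitly rather than auto
    return findings


if __name__ == "__main__":
    for iface in parse_show_interface(SAMPLE_SHOW_INTERFACE):
        print(iface["hardware_id"], iface["if_name"], assess(iface))
```

On the page's ethernet0 sample the check reports input errors, runts, and a half-duplex link whose collisions plus deferrals exceed a tenth of its output packets, which is the pattern the note under Usage Guidelines addresses by recommending an explicit speed and duplex setting instead of auto sensing.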
Examples
The following example shows interface activity on the interface ethernet0, which has been named outside:
interface ethernet0 "outside" is up, line protocol is up
Hardware is i82559 ethernet, address is 0000.0001.0001
IP address 209.165.201.17, subnet mask 255.255.255.0
MTU 1500 bytes, BW 10000 Kbit full duplex
4203 packets input, 376390 bytes, 0 no buffer
Received 3894 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1320 packets output, 123652 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (35/128) software (0/2)
output queue (curr/max blocks): hardware (0/1) software (0/1)
The following example sets a Gigabit Ethernet interface named gb0 to 1000full nonegotiate:
pixfirewall(config)# interface gb0 1000full nonegotiate
Sample output from the subsequent show interface command is as follows:
pixfirewall(config)# show interface gb0
interface gb-ethernet0 "intf2" is up, line protocol is down
Hardware is i82543 rev02 gigabit ethernet, address is 0003.47df.1e1c
MTU 1500 bytes, BW 1 Gbit full duplex, Force link-up
5133 packets input, 628176 bytes, 0 no buffer
Received 4202 broadcasts, 2 runts, 8 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1832 packets output, 124948 bytes, 0 underruns
input queue (curr/max blocks): hardware (41/128) software (0/2)
output queue (curr/max blocks): hardware (0/2) software (0/4)
The "Force link-up" keyword indicates that the link was forced and not negotiated.
The following is sample output from the show interface command on a PIX 501. Notice that the interface speed is always displayed as 100000 Kbit, regardless of the actual link speed.
pixfirewall(config)# show interface
interface ethernet0 "outside" is up, line protocol is up
Hardware is i82559 ethernet, address is 0007.eb9b.56aa
MTU 1500 bytes, BW 100000 Kbit half duplex
114 packets input, 6840 bytes, 0 no buffer
Received 114 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
62982 packets output, 78915110 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
1483 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/1)
output queue (curr/max blocks): hardware (0/115) software (0/64)
interface ethernet1 "inside" is up, line protocol is up
Hardware is i82559 ethernet, address is 0007.eb9b.56ab
IP address 192.168.1.1, subnet mask 255.255.255.0
MTU 1500 bytes, BW 100000 Kbit full duplex
55005197 packets input, 903916376 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
2 packets output, 120 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/59)
output queue (curr/max blocks): hardware (0/1) software (0/1)
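The counters above are what an operator checks when a firewall interface misbehaves, but reading them by eye across several units does not scale. The following is an added example, not code from the page or from Cisco: it parses show interface output into a dictionary per interface and flags the conditions worth a look (a down line protocol, any non-zero error or carrier counter, and a software queue whose high-water mark suggests the interface has been backing up). The sample text is constructed to match the PIX 501 output shown above, and the software-queue threshold is an arbitrary illustrative value, not a figure from the page.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the PIX 501 output above (not a live capture).
SAMPLE = """\
interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0007.eb9b.56aa
  MTU 1500 bytes, BW 100000 Kbit half duplex
        114 packets input, 6840 bytes, 0 no buffer
        Received 114 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        62982 packets output, 78915110 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        1483 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/1)
        output queue (curr/max blocks): hardware (0/115) software (0/64)
interface ethernet1 "inside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0007.eb9b.56ab
  IP address 192.168.1.1, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 100000 Kbit full duplex
        55005197 packets input, 903916376 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        2 packets output, 120 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/59)
        output queue (curr/max blocks): hardware (0/1) software (0/1)
"""

HEADER = re.compile(r'^interface (\S+) "([^"]*)" is (\w+), line protocol is (\w+)')
# "114 packets input, 6840 bytes, 0 no buffer" -> (114, "packets input"), ...
COUNTER = re.compile(r'(\d+) ([A-Za-z][A-Za-z ]*?)(?=,|$)')
QUEUE = re.compile(r'(input|output) queue \(curr/max blocks\): '
                   r'hardware \((\d+)/(\d+)\) software \((\d+)/(\d+)\)')

# Counters that are zero on a healthy link; any non-zero value deserves a look.
ERROR_COUNTERS = (
    "no buffer", "runts", "giants", "input errors", "CRC", "frame", "overrun",
    "ignored", "abort", "underruns", "output errors", "collisions",
    "interface resets", "babbles", "late collisions", "deferred",
    "lost carrier", "no carrier",
)
SW_QUEUE_NOTE = 8  # assumed illustrative threshold for the software queue high-water mark


def parse_show_interface(text: str) -> Dict[str, dict]:
    """Return {nameif name: {state, line_protocol, counters, queues}} from show interface output."""
    result: Dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = {"hw_name": m.group(1), "state": m.group(3),
                       "line_protocol": m.group(4), "counters": {}, "queues": {}}
            result[m.group(2)] = current
            continue
        if current is None:
            continue
        q = QUEUE.match(line)
        if q:
            current["queues"][q.group(1)] = {
                "hw_curr": int(q.group(2)), "hw_max": int(q.group(3)),
                "sw_curr": int(q.group(4)), "sw_max": int(q.group(5)),
            }
            continue
        first = line.split(" ", 1)[0] if line else ""
        if not (first.isdigit() or first == "Received"):
            continue  # Hardware, MTU and IP address lines carry no counters
        for value, name in COUNTER.findall(line):
            if name == "bytes":  # appears on both the input and the output line
                name = "bytes input" if "packets input" in line else "bytes output"
            current["counters"][name] = int(value)
    return result


def assess(name: str, iface: dict) -> List[str]:
    """Findings an administrator would want to follow up on for one interface."""
    findings: List[str] = []
    if iface["state"] != "up" or iface["line_protocol"] != "up":
        findings.append(f"{name}: interface {iface['state']}, line protocol {iface['line_protocol']}")
    for counter in ERROR_COUNTERS:
        value = iface["counters"].get(counter, 0)
        if value:
            findings.append(f"{name}: {counter} = {value}")
    for direction, q in iface["queues"].items():
        if q["sw_max"] >= SW_QUEUE_NOTE:
            findings.append(f"{name}: {direction} software queue high-water mark {q['sw_max']} blocks")
    return findings


if __name__ == "__main__":
    for if_name, data in parse_show_interface(SAMPLE).items():
        for finding in assess(if_name, data) or [f"{if_name}: no issues"]:
            print(finding)
```

On the constructed sample this reports the 1483 lost-carrier events on the outside interface and the queue high-water marks; a real run would feed it the output of show interface captured from each unit.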
Related Commands
nameif
    Assigns a name to an interface.
ip address
    Configures the IP address and mask for an interface, or defines a local address pool.
ip address
Identifies addresses for network interfaces, and enables you to set the number of times the PIX Firewall will poll for DHCP information.
[no] ip address if_name ip_address [netmask]
[no] ip address outside dhcp [setroute] [retry retry_cnt]
[no] ip address if_name pppoe [setroute]
[no] ip address if_name ip_address netmask pppoe [setroute]
clear ip
show ip
show ip address if_name dhcp
show ip address if_name pppoe
Syntax Description
clear ip
    Clears all interface IP addresses. The clear ip command does not affect the ip local pool or ip verify reverse-path commands.
dhcp
    Enables the DHCP client feature on the specified interface; the PIX Firewall polls a DHCP server for its address.
if_name
    The internal or external interface name designated by the nameif command.
ip_address
    The PIX Firewall unit's network interface IP address. Each interface IP address must be unique, and no two interfaces may be given addresses on the same IP network.
netmask
    Network mask of ip_address.
outside
    The interface on which the PIX Firewall polls for DHCP information. The syntax accepts only the outside interface for the DHCP client.
pppoe
    Specifies that the interface address is obtained with Point-to-Point Protocol over Ethernet (PPPoE). The netmask of an address retrieved dynamically over PPPoE is 255.255.255.255.
retry
    Enables PIX Firewall to retry a poll for DHCP information.
retry_cnt
    The number of times PIX Firewall polls for DHCP information, from 4 to 16. If retry is given without a value, 4 is used.
setroute
    Tells the PIX Firewall to set the default route using the default gateway parameter the DHCP or PPPoE server returns.
Command Modes
Configuration mode.
Defaults
By default, the PIX Firewall does not retry a poll for DHCP information. When retry is given without retry_cnt, the count is 4.
Usage Guidelines
The ip address command lets you assign an IP address to each interface.
Note
Each interface IP address must be unique and not on the same network as any other interface on the firewall.
Use the show ip command to view which addresses are assigned to the network interfaces. If you make a mistake while entering this command, reenter the command with the correct information. The clear ip command clears all interface IP addresses. The clear ip command does not affect the ip local pool or ip verify reverse-path commands.
Note
The clear ip command stops all traffic through the PIX Firewall unit.
After changing an ip address command, use the clear xlate command.
Always specify a network mask with the ip address command. If you let PIX Firewall assign a network mask based on the IP address, you may not be permitted to enter subsequent IP addresses if another interface's address is in the same range as the first address. For example, if you specify an inside interface address of 10.1.1.1 without specifying a network mask and then try to specify 10.1.2.2 as a perimeter interface address, PIX Firewall displays the error message, "Sorry, not allowed to enter IP address on same network as interface n." To fix this problem, reenter the first command specifying the correct network mask.
Do not set the netmask to all 255s (255.255.255.255) on a statically addressed interface. This stops access on the interface. Use the mask that matches the network instead: 255.255.255.0 for Class C addresses, 255.255.0.0 for Class B addresses, or 255.0.0.0 for Class A addresses.
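The three rules in the preceding paragraphs (unique addresses, no two interfaces on the same network, never a /32 mask, and always an explicit mask because the classful default can swallow a later address) are easy to check before a configuration is pushed. The following is an added example, not code from the page or from Cisco: a small linter that applies those rules to ip address lines using the classful default mask the text describes. The configuration lines are constructed for the example; the interface names intf3 and dmz and the mistakes they carry are assumptions made to exercise each rule.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed configuration (not from the page). The last three lines reproduce the
# mistakes the text warns about: a /32 mask, a missing mask (the PIX would assume the
# classful 255.0.0.0), and a later address that then lands on that assumed network.
CONFIG = [
    "ip address outside 209.165.201.2 255.255.255.224",
    "ip address inside 192.168.2.1 255.255.255.0",
    "ip address dmz 192.168.70.3 255.255.255.255",
    "ip address intf3 10.1.1.1",
    "ip address perimeter 10.1.2.2 255.255.255.0",
]


def classful_mask(addr: str) -> str:
    """Mask the PIX assumes when none is given: Class A /8, Class B /16, otherwise /24."""
    first = int(addr.split(".")[0])
    if first < 128:
        return "255.0.0.0"
    if first < 192:
        return "255.255.0.0"
    return "255.255.255.0"


def parse_ip_address(line: str) -> Optional[Tuple[str, str, Optional[str]]]:
    """Return (if_name, ip, mask-or-None) for a static ip address line, else None."""
    t = line.split()
    if len(t) < 4 or t[:2] != ["ip", "address"] or t[3] in ("dhcp", "pppoe"):
        return None  # not a static assignment; nothing to check here
    mask = t[4] if len(t) > 4 and t[4] != "pppoe" else None
    return t[2], t[3], mask


def check_interfaces(lines: List[str]) -> List[str]:
    """Apply the uniqueness, mask and same-network rules from the text to a config."""
    findings: List[str] = []
    seen = {}  # if_name -> IPv4Interface of interfaces already accepted
    for line in lines:
        parsed = parse_ip_address(line)
        if parsed is None:
            continue
        if_name, addr, mask = parsed
        if mask is None:
            mask = classful_mask(addr)
            findings.append(f"{if_name}: no mask given, PIX would assume {mask}; state it explicitly")
        if mask == "255.255.255.255":
            findings.append(f"{if_name}: mask 255.255.255.255 stops access on the interface")
        iface = ipaddress.IPv4Interface(f"{addr}/{mask}")
        for other_name, other in seen.items():
            if other.ip == iface.ip:
                findings.append(f"{if_name}: address {addr} is already used by {other_name}")
            elif other.network.overlaps(iface.network):
                # mirrors the firewall's own error message quoted in the text
                findings.append(f"{if_name}: not allowed to enter IP address on same network as interface {other_name}")
        seen[if_name] = iface
    return findings


if __name__ == "__main__":
    for finding in check_interfaces(CONFIG):
        print(finding)
```

Run against the constructed configuration it reports the /32 on dmz, the assumed 255.0.0.0 on intf3, and the resulting collision between perimeter and intf3, which is exactly the "same network as interface" rejection the firewall would give at the console.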
PIX Firewall configurations using failover require a separate IP address for each network interface on the standby unit. The system IP address is the address of the active unit. When the show ip command is executed on the active unit, the current IP address is the same as the system IP address. When the show ip command is executed on the standby unit, the system IP address is the failover IP address configured for the standby unit.
Note
If an IP address has not been configured for a physical or VLAN interface, or the IP address for the interface has been deleted using the clear ip command, the IP address for that interface is no longer set to 127.0.0.1 by default. In this case, the interface does not have an IP address.
Note
When using the IP address of an interface as the device ID in logging messages sent to a syslog server and the IP address of that interface is cleared, the device ID uses 0.0.0.0.
show ip address commands
The show ip command displays the IP addresses assigned to the network interfaces.
The show ip address if_name dhcp command displays detailed information about the DHCP lease.
The show ip address if_name pppoe command displays detailed information about the PPPoE connection.
DHCP client
The ip address dhcp command enables the DHCP client feature within the PIX Firewall, so that a DHCP server can supply configuration parameters to the firewall. In this case, the parameters the DHCP server provides are an IP address and a subnet mask for the interface on which the DHCP client feature is enabled. The optional setroute argument tells the PIX Firewall to set the default route using the default gateway parameter the DHCP server returns; when setroute is configured, the show route command output shows the default route as set by a DHCP server. To reset the interface and delete the DHCP lease from the PIX Firewall, configure a static IP address with the ip address if_name ip_address [netmask] command, re-enter the ip address if_name pppoe | dhcp [setroute] command, or use the clear ip command.
The ip address dhcp and pppoe command options are mutually exclusive.
Note
Do not configure the PIX Firewall with a default route when using the setroute argument of the ip address dhcp or ip address pppoe command.
PPPoE client
The PPPoE client functionality is turned off by default, and you must first use the vpdn commands to configure the PIX Firewall for PPPoE; the vpdn commands set the username, password, and authentication protocol for PPPoE access.
PPPoE is only supported on the PIX Firewall outside interface in PIX Firewall software Version 6.2.
The ip address pppoe command enables the PPPoE client feature within the PIX Firewall. (You can also use this command to clear and restart a PPPoE session; the current session shuts down and a new one restarts after entering this command.) You must enter the PPPoE configuration using the vpdn commands before enabling PPPoE with the ip address pppoe command.
You can also enable PPPoE by manually entering the IP address, using the ip address if_name ip_address netmask pppoe command. This command sets the PIX Firewall to use the specified address instead of negotiating with the PPPoE server to assign an address.
The setroute option of the ip address pppoe command lets the access concentrator set the default route for the PPPoE client.
The ip address pppoe and dhcp command options are mutually exclusive.
Examples
The following is sample output from the show ip command:
System IP Addresses:
ip address outside 209.165.201.2 255.255.255.224
ip address inside 192.168.2.1 255.255.255.0
ip address perimeter 192.168.70.3 255.255.255.0
Current IP Addresses:
ip address outside 209.165.201.2 255.255.255.224
ip address inside 192.168.2.1 255.255.255.0
ip address perimeter 192.168.70.3 255.255.255.0
The Current IP Addresses are the same as the System IP Addresses on the failover active unit. When the primary unit fails, the Current IP Addresses become those of the standby unit.
The following is sample output from the show ip address dhcp command:
show ip address outside dhcp
Temp IP Addr:209.165.201.57 for peer on interface:outside
Temp sub net mask:255.255.255.224
DHCP Lease server:209.165.200.225, state:3 Bound
DHCP Transaction id:0x4123
Lease:259200 secs, Renewal:129600 secs, Rebind:226800 secs
Temp default-gateway addr:209.165.201.1
Next timer fires after:111797 secs
Retry count:0, Client-ID:cisco-0000.0000.0000-outside
The following example enables the DHCP client on the outside interface and polls up to 10 times for a lease:
ip address outside dhcp retry 10
Related Commands
dhcpd
    Configures the DHCP server.
vpdn
    Configures VPDN (PPTP, L2TP, PPPoE) policy.
ip audit
Configures IDS signature use.
[no] ip audit attack [action [alarm] [drop] [reset]]
[no] ip audit info [action [alarm] [drop] [reset]]
[no] ip audit interface if_name audit_name
[no] ip audit name audit_name attack [action [alarm] [drop] [reset]]
[no] ip audit name audit_name info [action [alarm] [drop] [reset]]
[no] ip audit signature signature_number disable
show ip audit count [global] [interface interface]
show ip audit {info | attack}
show ip audit interface [if_name]
show ip audit name [audit_name [info|attack]]
show ip audit signature [signature_number]
clear ip audit [configuration]
clear ip audit count [global | interface interface]
Syntax Description
action [alarm] [drop] [reset]
    The alarm option reports a signature match to all configured syslog servers. The drop option drops the offending packet. The reset option drops the offending packet and closes the connection if it is part of an active connection. The default is alarm. When action is given with no options (for example, "ip audit info action"), all actions for that class are disabled.
audit attack
    Specify the default actions to be taken for attack signatures.
audit info
    Specify the default actions to be taken for informational signatures, or disable all actions for them.
audit interface
    Apply an audit policy defined with the ip audit name command to an interface.
audit name
    Define a named audit policy for informational or attack signatures. Signatures disabled with the ip audit signature command are excluded from the policy.
audit signature
    Disable a signature so that it is excluded from auditing on every interface; the no form re-enables it.
audit_name
    Audit policy name, viewed with the show ip audit name command.
clear
    Resets the name, signature, interface, attack and info settings to their default values.
configuration
    The ip audit commands already configured.
count
    The number of signature matches.
global
    All firewall interfaces.
interface interface
    The name of a firewall interface, defined by the nameif command.
signature_number
    An IDS signature number.
Command Modes
Configuration mode.
Usage Guidelines
Cisco Intrusion Detection System (Cisco IDS) support in the PIX Firewall provides the following for IP-based systems:
• Traffic auditing. Application-level signatures are audited only as part of an active session.
• Applying an audit policy to an interface.
• Different audit policies. Traffic matching a signature triggers a configurable set of actions.
• Disabling individual signatures.
• Keeping IDS enabled while disabling all actions for a signature class (informational or attack).
Auditing is performed by examining IP packets as they arrive at an input interface. If a packet triggers a signature and the configured action does not drop the packet, the same packet can go on to trigger other signatures.
PIX Firewall supports both inbound and outbound auditing.
For a complete list of supported Cisco IDS signatures, their wording, and whether they are attack or informational messages, refer to Cisco PIX Firewall System Log Messages.
Refer to the Cisco Intrusion Prevention System end-user guides for detailed information on each signature.
The ip audit commands are described in the sections that follow.
ip audit attack
The ip audit attack [action [alarm] [drop] [reset]] command specifies the default actions to be taken for attack signatures. An audit policy (audit rule) defines the attributes for all signatures that can be applied to an interface along with a set of actions. Using an audit policy may limit the traffic that is audited or specify actions to be taken when the signature matches. Each audit policy is identified by a name and can be defined for informational or attack signatures. Each interface can have two policies; one for informational signatures and one for attack signatures. If a policy is defined without actions, then the configured default actions will take effect. Each policy requires a different name.
The no ip audit attack command resets the action to be taken for attack signatures to the default action.
ip audit info
The ip audit info [action [alarm] [drop] [reset]] command specifies the default action to be taken for signatures classified as informational signatures. The ip audit info action command disables all actions. For example,
pixfirewall(config)# ip audit info action
Warning: no actions specified. All actions disabled.
The no ip audit info command sets the action to be taken for signatures classified as informational and reconnaissance to the default action.
ip audit interface
The ip audit interface if_name audit_name command applies an audit specification or policy (via the ip audit name command) to an interface. The no ip audit interface [if_name] command removes a policy from an interface.
ip audit name
The ip audit name audit_name info [action [alarm] [drop] [reset]] command defines a named policy covering the informational signatures, except those disabled or excluded with the ip audit signature command; the attack form does the same for attack signatures. The no ip audit name audit_name [info] command removes the audit policy audit_name.
ip audit signature
The ip audit signature signature_number disable command excludes a signature from auditing on every interface. The no ip audit signature signature_number command removes that exclusion and re-enables the signature.
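The sections above spread the precedence rules over several commands: a policy bound to an interface supplies the actions; a policy defined without actions falls back to the class defaults; "ip audit info action" with no options turns those defaults off; a disabled signature is skipped everywhere; and a packet that is dropped cannot trigger further signatures. The following is an added example, not code from the page or from Cisco, that models those rules so a configuration can be reasoned about before it is applied. The signature numbers in the sample configuration are placeholders, and the policy names outside_info and outside_attack are assumptions.

```python
from typing import Dict, List, Optional, Set, Tuple

DEFAULT_ACTIONS = {"alarm"}  # the page: "The default is alarm."


class AuditConfig:
    """Minimal model of ip audit precedence: interface binding -> named policy
    -> per-class defaults, with disabled signatures excluded everywhere."""

    def __init__(self) -> None:
        self.defaults: Dict[str, Set[str]] = {"info": set(DEFAULT_ACTIONS),
                                              "attack": set(DEFAULT_ACTIONS)}
        self.policies: Dict[str, Tuple[str, Optional[Set[str]]]] = {}  # name -> (class, actions)
        self.bindings: Dict[str, Dict[str, str]] = {}  # if_name -> {class: policy name}
        self.disabled: Set[int] = set()

    def apply(self, line: str) -> None:
        """Apply one ip audit configuration line (or its no form)."""
        t = line.split()
        negate = t[0] == "no"
        if negate:
            t = t[1:]
        if t[:2] != ["ip", "audit"]:
            raise ValueError(line)
        kind = t[2]
        if kind in ("info", "attack"):
            if negate:
                self.defaults[kind] = set(DEFAULT_ACTIONS)
            elif len(t) > 3 and t[3] == "action":
                self.defaults[kind] = set(t[4:])  # "ip audit info action" alone -> no actions
        elif kind == "name":
            name = t[3]
            if negate:
                self.policies.pop(name, None)
                for per_class in self.bindings.values():
                    for cls in [c for c, n in per_class.items() if n == name]:
                        del per_class[cls]
            else:
                cls = t[4]
                actions = set(t[6:]) if len(t) > 5 and t[5] == "action" else None
                self.policies[name] = (cls, actions)  # None -> fall back to defaults
        elif kind == "interface":
            if negate:
                if len(t) > 3:
                    self.bindings.pop(t[3], None)
                else:
                    self.bindings.clear()
            else:
                cls, _ = self.policies[t[4]]  # KeyError if the policy does not exist
                self.bindings.setdefault(t[3], {})[cls] = t[4]  # one policy per class per interface
        elif kind == "signature":
            sig = int(t[3])
            (self.disabled.discard if negate else self.disabled.add)(sig)
        else:
            raise ValueError(line)

    def resolve(self, if_name: str, sig: int, cls: str) -> Set[str]:
        """Actions taken on if_name when signature sig of class cls matches."""
        if sig in self.disabled:
            return set()
        pol = self.bindings.get(if_name, {}).get(cls)
        if pol is None:
            return set()  # no policy of that class on this interface: not audited
        _, actions = self.policies[pol]
        return set(actions) if actions is not None else set(self.defaults[cls])

    def process_packet(self, if_name: str, matches: List[Tuple[int, str]]):
        """Walk the signatures a packet matches in order; stop at the first drop or
        reset, since a dropped packet cannot trigger further signatures."""
        fired: List[Tuple[int, Set[str]]] = []
        for sig, cls in matches:
            actions = self.resolve(if_name, sig, cls)
            if actions:
                fired.append((sig, actions))
            if "reset" in actions:
                return "reset", fired
            if "drop" in actions:
                return "drop", fired
        return "forward", fired


def build_sample() -> AuditConfig:
    """Two policies on the outside interface, as the text describes; signature
    numbers are placeholders, not values from the page."""
    cfg = AuditConfig()
    for line in (
        "ip audit info action alarm",
        "ip audit attack action alarm drop reset",
        "ip audit name outside_info info action alarm",
        "ip audit name outside_attack attack",   # no actions: uses the attack defaults
        "ip audit interface outside outside_info",
        "ip audit interface outside outside_attack",
        "ip audit signature 1000 disable",       # placeholder signature number
    ):
        cfg.apply(line)
    return cfg
```

With the sample configuration an attack match on outside resolves to alarm, drop and reset through the defaults, the same signature on inside (no policy bound) is not audited at all, and a packet matching an informational signature followed by an attack signature fires both but stops there.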
show ip audit commands
The show ip audit attack command displays the default attack actions.
The show ip audit info command displays the default informational actions.
The show ip audit interface command displays the interface configuration.
The show ip audit name command displays all audit policies or specific policies referenced by name and type where possible.
The show ip audit signature command displays disabled signatures.
Supported IDS Signatures
PIX Firewall lists the follo