Cisco PIX Firewall Command Reference, Version 6.3
M through R Commands

Table Of Contents

M through R Commands

mac-list

management-access

mgcp

mroute

mtu

multicast

name / names

nameif

nat

ntp

object-group

outbound / apply

pager

password

pdm

perfmon

ping

prefix-list

privilege

quit

reload

rip

route

route-map

router ospf

routing interface


M through R Commands


mac-list

Adds a list of MAC addresses that is evaluated with a first-match search. The list is used to exempt hosts, identified by their source MAC address, from AAA authentication and authorization.

[no] mac-list id deny|permit mac macmask

show mac-list [id]

clear mac-list [id]

Syntax Description

deny

Traffic matching deny is not included in the MAC list and is subjected to both authentication and authorization.

id

MAC access list number.

mac

Source MAC address, written as 12 hexadecimal digits in the form hhhh.hhhh.hhhh (for example, 00a0.c95d.0282).

macmask

Mask applied to mac, written in the same hhhh.hhhh.hhhh form. A valid mask is a run of 1 bits followed by a run of 0 bits: ffff.ffff.ffff matches a single address, while a shorter run such as ffff.ffff.0000 groups every address that shares the masked prefix.

permit

Traffic matching permit is included in the MAC list and is exempt from authentication and authorization.


Defaults

None.

Command Modes

The mac-list command is available in configuration mode.

The show mac-list command is available in privileged mode.

Usage Guidelines

The mac-list command, similar to the access-list command, can be entered multiple times with same id to group a set of MAC addresses.

Only AAA exemption is provided. Authorization is automatically exempted for MACs for which authentication is exempted. Other types of AAA with mac-list are not supported.

The clear aaa command removes the mac-list command statements along with the rest of the AAA configuration.

The show aaa command displays mac-list command statements as part of the AAA configuration.


Note When configuring mac-exempt, it is recommended that two exempted MACs never use the same IP address. If the hosts get their IP addresses from a DHCP server this cannot be guaranteed: one host can receive an IP address that another host on the same network used earlier. For example, assume mac-exempt is configured for both MACs, M1 and M2, both hosts get their addresses from the DHCP server, and M1 with address IP1 has already sent traffic through the PIX Firewall. Later both hosts receive new leases and this time M2 gets IP1. In this case traffic from M1 is allowed through but traffic from M2 is dropped. If mac-exempt is configured for only one of the two, traffic from both hosts is allowed to pass when they happen to send traffic with the same IP address. A syslog message alerting you to a possible spoof attack is generated.


Examples

The following example shows how to configure a MAC access list:

pixfirewall(config)# mac-list adc permit 00a0.c95d.0282 ffff.ffff.ffff
pixfirewall(config)# mac-list adc deny 00a1.c95d.0282 ffff.ffff.ffff
pixfirewall(config)# mac-list ac permit 0050.54ff.0000 ffff.ffff.0000
pixfirewall(config)# mac-list ac deny 0061.54ff.b440 ffff.ffff.ffff
pixfirewall(config)# mac-list ac deny 0072.54ff.b440 ffff.ffff.ffff

pixfirewall(config)# show mac-list
mac-list adc permit 00a0.c95d.0282 ffff.ffff.ffff 
mac-list adc deny 00a1.c95d.0282 ffff.ffff.ffff 
mac-list ac permit 0050.54ff.0000 ffff.ffff.0000 
mac-list ac deny 0061.54ff.b440 ffff.ffff.ffff 
mac-list ac deny 0072.54ff.b440 ffff.ffff.ffff
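The following Python model, added here as an example and not part of the PIX software or of this reference, reproduces the first-match evaluation of the mac-list entries shown above. It parses the five mac-list statements, checks that each macmask is a run of 1 bits followed by 0 bits, returns the action of the first matching entry (or None when no entry matches, in which case normal AAA applies), and reports entries that an earlier, broader entry shadows so they can never match. The parser, class and function names are the example's own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Added example: a model of mac-list first-match evaluation, not PIX code.
MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")
MAC_BITS = 0xFFFFFFFFFFFF  # 48-bit address space


def mac_to_int(mac: str) -> int:
    """Parse hhhh.hhhh.hhhh (12 hex digits) into a 48-bit integer."""
    mac = mac.lower()
    if not MAC_RE.match(mac):
        raise ValueError("bad MAC format: %s" % mac)
    return int(mac.replace(".", ""), 16)


def is_prefix_mask(mask: int) -> bool:
    """A valid macmask is a run of 1 bits followed by a run of 0 bits."""
    inverted = (~mask) & MAC_BITS          # the trailing zero run, as ones
    return inverted & (inverted + 1) == 0  # true only when inverted is 2^n - 1


class MacList:
    """One mac-list id: ordered entries, the first matching entry wins."""

    def __init__(self, list_id: str) -> None:
        self.list_id = list_id
        self.entries: List[Tuple[str, int, int]] = []  # (action, prefix, mask)

    def add(self, action: str, mac: str, mask: str) -> None:
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny: %s" % action)
        mask_int = mac_to_int(mask)
        if not is_prefix_mask(mask_int):
            raise ValueError("mask %s is not contiguous 1s followed by 0s" % mask)
        self.entries.append((action, mac_to_int(mac) & mask_int, mask_int))

    def lookup(self, mac: str) -> Optional[str]:
        """Return 'permit', 'deny', or None (no entry matched: not exempt)."""
        value = mac_to_int(mac)
        for action, prefix, mask in self.entries:
            if value & mask == prefix:
                return action
        return None

    def shadowed(self) -> List[int]:
        """Indexes of entries that can never match because an earlier entry
        with an equal or broader mask already covers every address they do."""
        result = []
        for i, (_, prefix_i, mask_i) in enumerate(self.entries):
            for _, prefix_j, mask_j in self.entries[:i]:
                broader = (mask_j & mask_i) == mask_j  # mask_j is at most as long
                if broader and (prefix_i & mask_j) == prefix_j:
                    result.append(i)
                    break
        return result


def parse_config(lines: List[str]) -> Dict[str, MacList]:
    """Collect 'mac-list id action mac mask' statements into MacList objects."""
    lists: Dict[str, MacList] = {}
    for line in lines:
        parts = line.split()
        if len(parts) == 5 and parts[0] == "mac-list":
            _, list_id, action, mac, mask = parts
            lists.setdefault(list_id, MacList(list_id)).add(action, mac, mask)
    return lists


# The five statements from the example above, as constructed input.
CONFIG = """\
mac-list adc permit 00a0.c95d.0282 ffff.ffff.ffff
mac-list adc deny 00a1.c95d.0282 ffff.ffff.ffff
mac-list ac permit 0050.54ff.0000 ffff.ffff.0000
mac-list ac deny 0061.54ff.b440 ffff.ffff.ffff
mac-list ac deny 0072.54ff.b440 ffff.ffff.ffff
""".splitlines()

MAC_LISTS = parse_config(CONFIG)


def aaa_exempt(list_id: str, mac: str) -> bool:
    """True only when the first matching entry is a permit."""
    return MAC_LISTS[list_id].lookup(mac) == "permit"


if __name__ == "__main__":
    for probe in ("0050.54ff.1234", "0061.54ff.b440", "0000.0000.0001"):
        print(probe, MAC_LISTS["ac"].lookup(probe), "exempt:", aaa_exempt("ac", probe))
```

Because evaluation stops at the first match, a deny for a single address placed after a permit that already covers it is dead configuration; shadowed() flags exactly that ordering mistake before the list is referenced by mac-exempt.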

Related Commands

aaa authentication

Enable, disable, or view LOCAL, TACACS+, or RADIUS user authentication on a server designated by the aaa-server command, or PDM user authentication.

aaa authorization

Enable or disable LOCAL or TACACS+ user authorization services.

 

aaa mac-exempt

Exempts a list of MAC addresses from authentication and authorization.

access-list

Create an access list, or use downloadable access lists. (Downloadable access lists are supported for RADIUS servers only.)


management-access

Enables access to an internal management interface on the firewall.

[no] management-access mgmt_if

show management-access

Syntax Description

mgmt_if

The name of the firewall interface to be used as the internal management interface.


Defaults

None.

Command Modes

The management-access mgmt_if command is available in configuration mode.

The show management-access command is available in privileged mode.

Usage Guidelines

The management-access mgmt_if command enables you to define an internal management interface using the IP address of the firewall interface specified in mgmt_if. (The firewall interface names are defined by the nameif command and displayed in quotes, " ", in the show interface output.)

In PIX Firewall software Version 6.3, this command is supported for the following through an IPSec VPN tunnel only, and only one management interface can be defined globally:

SNMP polls to the mgmt_if

HTTPS requests to the mgmt_if

PDM access to the mgmt_if

Telnet access to the mgmt_if

SSH access to the mgmt_if

Ping to the mgmt_if

The show management-access command displays the firewall management access configuration.

Examples

The following example shows how to configure a firewall interface named "inside" as the management access interface:

pixfirewall(config)# management-access inside
pixfirewall(config)# show management-access
management-access inside

mgcp

Configures additional support for the Media Gateway Control Protocol (MGCP) fixup (packet application inspection) and is used with the fixup protocol mgcp command.

[no] mgcp call-agent ip_address group_id

[no] mgcp command-queue limit

[no] mgcp gateway ip_address group_id

show mgcp {commands | sessions} [detail]

clear mgcp

Syntax Description

commands

The MGCP commands in the MGCP configuration on the firewall.

group_id

The ID of the Call Agent group, from 0 to 4294967295.

ip_address

The IP address of the Call Agent (mgcp call-agent) or of the gateway (mgcp gateway).

limit

Maximum number of commands to queue, from 1 to 4294967295.

sessions

The MGCP active sessions.


Defaults

The default for the MGCP command queue is 200.

Command Modes

The mgcp command is available in configuration mode.

The show mgcp command is available in privileged mode.

Usage Guidelines

The mgcp commands are used to provide additional support for the MGCP fixup. The MGCP fixup itself is enabled with the fixup protocol mgcp command.

mgcp call-agent

The mgcp call-agent command is used to specify a group of Call Agents that can manage one or more gateways. The Call Agent group information is used to open connections for the Call Agents in the group (other than the one a gateway sends a command to) so that any of the Call Agents can send the response. Call Agents with the same group_id belong to the same group. A Call Agent may belong to more than one group. The group_id option is a number from 0 to 4294967295. The ip_address option specifies the IP address of the Call Agent.

mgcp command-queue

The mgcp command-queue command specifies the maximum number of MGCP commands that are queued while waiting for a response. The range of allowed values is from 1 to 4294967295. The default is 200. When the limit has been reached and a new command arrives, the command that has been in the queue for the longest time is removed.

mgcp gateway

The mgcp gateway command is used to specify which group of Call Agents are managing a particular gateway. The IP address of the gateway is specified with the ip_address option. The group_id option is a number from 0 to 4294967295 that must correspond with the group_id of the Call Agents that are managing the gateway. A gateway may only belong to one group.

clear mgcp and show mgcp

The clear mgcp command removes the MGCP configuration and resets the command queue limit to the default of 200.

The show mgcp commands command lists the number of MGCP commands in the command queue. The show mgcp sessions command lists the number of existing MGCP sessions. The detail option includes additional information about each command (or session) in the output.

Examples

pixfirewall(config)# mgcp call-agent 10.10.11.5 101
pixfirewall(config)# mgcp call-agent 10.10.11.6 101
pixfirewall(config)# mgcp call-agent 10.10.11.7 102
pixfirewall(config)# mgcp call-agent 10.10.11.8 102
pixfirewall(config)# mgcp command-queue 150
pixfirewall(config)# mgcp gateway 10.10.10.115 101
pixfirewall(config)# mgcp gateway 10.10.10.116 102
pixfirewall(config)# mgcp gateway 10.10.10.117 102

The following are examples of the show mgcp command options:

pixfirewall# show mgcp commands
1 in use, 1 most used, 200 maximum allowed
CRCX, gateway IP: host-pc-2, transaction ID: 2052, idle: 0:00:07
pixfirewall# show mgcp commands detail
1 in use, 1 most used, 200 maximum allowed
CRCX, idle: 0:00:10
Gateway IP      host-pc-2
Transaction ID  2052
Endpoint name   aaln/1
Call ID         9876543210abcdef
Connection ID   
Media IP        192.168.5.7
Media port      6058

pixfirewall# show mgcp sessions
1 in use, 1 most used
Gateway IP host-pc-2, connection ID 6789af54c9, active 0:00:11

pixfirewall# show mgcp sessions detail
1 in use, 1 most used
Session active 0:00:14
Gateway IP      host-pc-2
Call ID         9876543210abcdef
Connection ID   6789af54c9
Endpoint name   aaln/1
Media lcl port  6166
Media rmt IP    192.168.5.7
Media rmt port  6058

Related Commands

debug

Displays debug information for Media Gateway Control Protocol (MGCP) traffic.

fixup protocol

Enables the Media Gateway Control Protocol (MGCP) fixup. Use with the mgcp command to configure additional support for the MGCP fixup.

show conn

Displays all active connections. There is an MGCP show conn option and connection flag, "g".

timeout

Sets the maximum idle time duration. (There is an MGCP timeout option.)


mroute

Configures a static multicast route.

[no] mroute src smask in_if_name dst dmask out_if_name

show mroute [dst [src]]

Syntax Description

dmask

The destination network address mask.

dst

The Class D address of the multicast group.

in_if_name

The input interface name to pass multicast traffic.

out_if_name

The output interface name to pass multicast traffic.

smask

The multicast source network address mask.

src

The IP address of the multicast source.


Command Modes

Configuration mode.

Usage Guidelines

The mroute command supports routing multicast traffic through the PIX Firewall.

The show mroute command displays the current multicast route table.

Examples

In the following example, the multicast sources are on the inside and dmz interfaces and there are no internal receivers, so the traffic is forwarded out the outside interface only:

multicast interface outside
multicast interface inside
multicast interface dmz

mroute 1.1.1.1 255.255.255.255 inside 230.1.1.2 255.255.255.255 outside
mroute 2.2.2.2 255.255.255.255 dmz 230.1.1.2 255.255.255.255 outside

The following example shows sample output from the show mroute command. This output shows that the PIX Firewall has dropped 502 packets because of an empty output interface list (Olist).

pixfirewall(config)# show mroute
IP Multicast Forwarding Information Base
Entry flags: C - Directly-Connected Check, S - Signal, D - Drop
Interface flags: F - Forward, A - Accept, IC - Internal Copy,
NS - Negate Signal, DP - Don't Preserve, SP - Signal Present,
EG - Egress
Forwarding Counts: Packets in/Packets out/Bytes out
Failure Counts: RPF / TTL / Empty Olist / Other


(*,225.2.1.14),  Flags: S 
  Last Used: 0:02:18
  Forwarding Counts: 4/1/188
  Failure Counts: 0/0/3/0
  inside Flags: F 

(192.168.1.35,225.2.1.14),  Flags: 
  Last Used: 17:57:09
  Forwarding Counts: 502/0/0
  Failure Counts: 0/0/502/0
  outside Flags: A SP 
  inside Flags: F 

Even though the outside interface flags (A) indicate that the PIX Firewall is accepting the multicast stream and the inside interface flag (F) indicates it is set to forward it, the counters for the (192.168.1.35,225.2.1.14) entry show 502 packets in, none out, and 502 Empty Olist failures. In this case an ACL on the outside interface is dropping the inbound multicast traffic stream.

mtu

Specify the maximum transmission unit (MTU) for an interface.

[no] mtu if_name  bytes

show mtu

Syntax Description

bytes

The number of bytes in the MTU, in the range of 64 to 65,535 bytes. The value specified depends on the type of network connected to the interface.

if_name

The internal or external network interface name.


Command Modes

Configuration mode.

Usage Guidelines

The mtu command sets the size of data sent on a connection. Data larger than the maximum transmission unit (MTU) value is fragmented before being sent. The minimum value for bytes is 64 and the maximum is 65,535 bytes.

For PIX Firewall software Version 6.2, MTU size must be greater than or equal to 1500 for the Stateful Failover link and greater than or equal to 576 for the LAN-based failover link.

For PIX Firewall software Versions 5.2 through 6.1, MTU size must be greater than or equal to 256 bytes for the Stateful Failover link.

PIX Firewall supports the IP Path MTU Discovery mechanism defined in RFC 1191. Path MTU Discovery lets a host dynamically discover, and adapt to, the smallest MTU among the links along a path. When the PIX Firewall cannot forward a datagram because it would require fragmentation (the packet is larger than the MTU you set for the interface) but the "don't fragment" (DF) bit is set, it returns an ICMP Destination Unreachable message with the "fragmentation needed and DF set" code to the sending host. The host must then send packets small enough to fit the smallest MTU of all the links along the path.

For Ethernet interfaces, the default MTU is 1500 bytes in a block, which is also the maximum. This value is sufficient for most applications, but you can pick a lower number if network conditions warrant it.

The no mtu command resets the MTU block size to 1500 for Ethernet interfaces. The show mtu command displays the current block size. The show interface command also shows the MTU value.


Note For the MTU fragmentation to work properly when using L2TP, we recommend that the MTU size be set to 1380, in order to account for the L2TP header and IPSec header length.


Examples

The following example shows the use of the mtu command with Ethernet:

interface ethernet1 auto
mtu inside 8192

show mtu
mtu outside 1500
mtu inside 8192

multicast

Enables multicast traffic to pass through the PIX Firewall. Includes an igmp subcommand mode for multicast support.

[no] multicast interface interface_name

clear multicast

show igmp [group | interface interface_name] [detail]

show multicast [interface interface_name]

Subcommands to the multicast command:

igmp forward interface interface_name

igmp access-group id

igmp version {1 | 2}

igmp join-group group

igmp max-groups number

igmp query-interval seconds

igmp query-max-response-time seconds

no igmp

clear igmp [group | interface interface_name]

Syntax Description

detail

Displays all information in the IGMP table.

id

Access control list ID.

group

The address of the multicast group.

igmp

Internet Group Management Protocol.

interface_name

The name of the interface on which to enable multicast traffic.

join-group

The multicast group to join.

max-groups

Specifies the maximum number of groups, from 0 to 2000. The default value is 500.

number

The maximum number of groups that can be joined.

query-interval

The interval, in seconds, between the IGMP host-query messages sent on the interface.

query-max-response-time

The maximum query response time interval.

seconds

Specifies the number of seconds to wait.


Command Modes

Configuration mode.

Usage Guidelines

The multicast command supports routing multicast traffic through the PIX Firewall.

The PIX Firewall igmp commands are subcommands of the multicast command.

The clear igmp [group | interface interface_name] command clears IGMP entries.


Note The PIX Firewall acts as an IGMP proxy but is not a multicast router.


The show igmp [group | interface interface_name] [detail] command displays the IGMP information for a multicast group, whether statically configured or dynamically created.

The show multicast [interface interface_name] command displays all or per-interface multicast settings. Also displays the IGMP configuration for any interface that is specified.

Examples

The following example shows use of the multicast command with corresponding igmp subcommands:

multicast interface outside
multicast interface inside
igmp forward interface outside 
igmp join-group 224.1.1.1

The following is sample output from the show igmp command:

pixfirewall(config)# show igmp 

  IGMP is enabled on interface inside
  Current IGMP version is 2
  IGMP query interval is 60 seconds
  IGMP querier timeout is 125 seconds
  IGMP max query response time is 10 seconds
  Last member query response interval is 1 seconds
  Inbound IGMP access group is 
  IGMP activity: 0 joins, 0 leaves
  IGMP querying router is 10.1.3.1 (this system)

  IGMP Connected Group Membership
   Group Address    Interface            Uptime    Expires   Last Reported

name / names

Associate a name with an IP address.

[no] name ip_address name

[no] names

clear names

show names

Syntax Description

ip_address

The IP address of the host being named.

name

The name assigned to the IP address. Allowable characters are a to z, A to Z, 0 to 9, a dash, and an underscore. The name cannot start with a number. If the name is over 63 characters long, the name command fails.


Command Modes

Configuration mode.

Usage Guidelines

Use the name command to identify a host by a text name. The names you define act like a host table local to the PIX Firewall. Because there is no connection to DNS or to /etc/hosts on UNIX servers, the command is a mixed blessing: it makes configurations much more readable but adds another layer to administer. Besides adding and deleting IP addresses in your configuration as you do now, you must make sure that the names either match the names used elsewhere or that you keep a map listing the differences.

The name command maps text strings to IP addresses. The clear names command clears the list of names from the PIX Firewall configuration. The no names command disables the use of the text names, but does not remove them from the configuration. The show names command lists the name command statements in the configuration.

Usage Notes

1. You must first use the names command before using the name command. Use the name command immediately after the names command and before you use the write memory command.

2. To disable displaying name values, use the no names command.

3. Only one name can be associated with an IP address.

4. Both the name and names command statements are saved in the configuration.

5. While the name command will let you assign a name to a network mask, no other PIX Firewall command requiring a mask will let you use the name as a mask value. For example, the following command is accepted.

name 255.255.255.0 class-C-mask


Note None of the commands in which a mask is required can process the "class-C-mask" as an accepted network mask.


Examples

In the example that follows, the names command enables use of the name command. The name command substitutes pix_inside for references to 192.168.42.3, and pix_outside for 209.165.201.3. The ip address commands use these names while assigning IP addresses to the network interfaces. The no names command disables the name command values from displaying. Subsequent use of the names command restores their display.

pixfirewall(config)# names
pixfirewall(config)# name 192.168.42.3 pix_inside
pixfirewall(config)# name 209.165.201.3 pix_outside
pixfirewall(config)# ip address inside pix_inside 255.255.255.0
pixfirewall(config)# ip address outside pix_outside 255.255.255.224

pixfirewall(config)# show ip address
System IP Addresses:
inside ip address pix_inside mask 255.255.255.0
outside ip address pix_outside mask 255.255.255.224

pixfirewall(config)# no names
pixfirewall(config)# show ip address
System IP Addresses:
inside ip address 192.168.42.3 mask 255.255.255.0
outside ip address 209.165.201.3 mask 255.255.255.224

pixfirewall(config)# names
pixfirewall(config)# show ip address
System IP Addresses:
inside ip address pix_inside mask 255.255.255.0
outside ip address pix_outside mask 255.255.255.224

pixfirewall(config)# show names
System IP Addresses:
name 192.168.42.3 pix_inside
name 209.165.201.3 pix_outside

nameif

Name interfaces and assign security level.

nameif {hardware_id | vlan_id} if_name security_level

clear nameif

show nameif

Syntax Description

hardware_id

The hardware name for the network interface that specifies the interface's slot location on the PIX Firewall motherboard. For more information on PIX Firewall hardware configuration, refer to the Cisco PIX Firewall Hardware Installation Guide.

A logical choice for an Ethernet interface is ethernetn. These names can also be abbreviated with any leading characters in the name, for example, ether1 or e2.

if_name

A name for the internal or external network interface of up to 48 characters in length. By default, PIX Firewall names the inside interface "inside," the outside interface "outside," and any perimeter interface "intfn" where n is 2 through 5.

security_level

Enter 0 for the outside network or 100 for the inside network. Perimeter interfaces can use any number between 1 and 99. By default, PIX Firewall sets the security level for the inside interface to security100 and the outside interface to security0. The first perimeter interface is initially set to security10, the second to security15, the third to security20, and the fourth perimeter interface to security25 (a total of 6 interfaces are permitted, with a total of 4 perimeter interfaces permitted). The word security in this command can also be abbreviated as sec, for example sec10.

For access from a higher security to a lower security level, nat and global commands or static commands must be present. For access from a lower security level to a higher security level, static and access-list commands must be present.

Interfaces with the same security level cannot communicate with each other. We recommend that every interface have a unique security level.

vlan_id

The VLAN identifier. For example: vlan10, vlan20, etc. (vlan_id is configured with the interface command.)


Command Modes

Configuration mode.

Usage Guidelines

The nameif command lets you assign a name to an interface. You can use this command to assign interface names if you have more than two network interface circuit boards in your PIX Firewall. The first two interfaces have the default names inside and outside. The inside interface has a default security level of 100, the outside interface has a default security level of 0. The clear nameif command reverts nameif command statements to default interface names and security levels.

Use nameif hardware_id if_name security_level to set name of a physical interface and use the nameif vlan_id if_name security_level command to set the name of a logical interface. Physical interfaces are one per each NIC, in place at boot time, and non-removable. Logical interfaces can be many-to-one for each NIC, are created at run time, and can be removed through software reconfiguration.

Usage Notes

1. If you change the hardware_id of the outside interface, for example from ethernet0 to ethernet1, PIX Firewall changes every reference to the outside interface in your configuration to inside, which can cause problems with route, ip, and other command statements that affect the flow of traffic through the PIX Firewall.

2. After changing a nameif command, use the clear xlate command.

3. The inside interface cannot be renamed or given a different security level. The outside interface can be renamed, but not given a different security level.

4. An interface is always "external" with respect to another interface that has a higher security level.

Examples

The following example shows how to use the nameif hardware_id if_name security_level command:

nameif ethernet2 perimeter1 sec50
nameif ethernet3 perimeter2 sec20

The following example shows how to use the nameif vlan_id if_name security_level command:
nameif vlan10 perimeter3 sec10

The following example is a configuration that uses both physical and VLAN interfaces:
nameif ethernet0 outside security0
nameif ethernet1 intf6 security90
nameif ethernet2 dmz security50
nameif vlan4 intf4 security10
nameif vlan5 intf5 security10
nameif vlan10 intf10 security10

Related Commands

interface

Sets network interface parameters and configures VLANs.


nat

Associate a network with a pool of global IP addresses.

[no] nat [(local_interface)] nat_id local_ip [mask [dns] [outside | [norandomseq] [max_conns [emb_limit]]]]

[no] nat [(local_interface)] nat_id access-list acl_id [dns] [outside | [norandomseq] [max_conns [emb_limit]]]

[no] nat [(local_interface)] 0 access-list acl_id [outside]

clear nat

show nat

Syntax Description

access-list

Lets you identify local traffic for network address translation (NAT) by specifying the local and destination addresses (or ports). This feature is known as policy NAT.

Note Use NAT exemption (nat 0 access-list) with ACL deny statements, but not with policy NAT: a policy NAT access list can contain only permit statements. Use port selectors with policy NAT, but not with NAT exemption.

Local traffic is matched to the first matching policy NAT statement. See the "Order of NAT Commands Used to Match Local Addresses" section for more information.

acl_id

Specifies the access list name.

clear nat

Removes nat command statements from the configuration.

dns

Specifies to use the created translation to rewrite the DNS address record.

emb_limit

Specifies the maximum number of embryonic connections per host. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination. Set a small value for slower systems, and a higher value for faster systems. The default is 0, which means unlimited embryonic connections.

The embryonic connection limit lets you prevent a type of attack where processes are started without being completed. When the embryonic limit has been surpassed, the TCP intercept feature intercepts TCP synchronization (SYN) packets from clients to servers on a higher security level. The software establishes a connection with the client on behalf of the destination server, and if successful, establishes the connection with the server on behalf of the client and combines the two half-connections together transparently. Thus, connection attempts from unreachable hosts will never reach the server. The PIX firewall accomplishes TCP intercept functionality using SYN cookies.

Note This option does not apply to outside NAT. The TCP intercept feature only applies to hosts or servers on a higher security level. If you set the emb_limit as well as the outside option, the emb_limit is ignored.

(local_interface)

Specifies the name of the network interface, as defined by the nameif command, through which the hosts or network designated by local_ip or access-list acl_id are accessed. You must enter the interface name in parentheses. If you do not enter the interface name, then the default is inside.

local_ip

Specifies the addresses to translate. You can use 0.0.0.0 (or 0 for short) to identify all hosts. Local traffic is matched to a nat statement using the best match. See the "Order of NAT Commands Used to Match Local Addresses" section for more information.

mask

Specifies the IP netmask to apply to local_ip. If you do not specify a mask, the PIX Firewall derives the network mask from the class of the IP address. For example, the command nat 0 10.130.36.0 causes all addresses in the 10.0.0.0 network to be translated and not only those in the 10.130.36.0 network. For this reason, you should specify the network mask when configuring an IP address that is not classful. You must also specify the mask to set other options, such as outside.
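The following Python helper, added here as an example and not part of the PIX software or of this reference, computes the classful mask that a nat statement falls back to when mask is omitted and audits constructed nat lines for that condition, so an overly broad statement such as the nat 0 10.130.36.0 case above is caught before it reaches the firewall. The function names and the sample configuration lines are the example's own.

```python
import ipaddress
from typing import List, Optional, Tuple

# Added example: classful-mask fallback of 'nat' when mask is omitted; not PIX code.


def classful_mask(addr: str) -> str:
    """Mask derived from the address class when a nat statement gives none."""
    first_octet = int(addr.split(".")[0])
    if first_octet < 128:
        return "255.0.0.0"        # class A
    if first_octet < 192:
        return "255.255.0.0"      # class B
    if first_octet < 224:
        return "255.255.255.0"    # class C
    raise ValueError("%s is not a class A, B or C address" % addr)


def nat_scope(local_ip: str, mask: Optional[str] = None) -> ipaddress.IPv4Network:
    """Network that 'nat (if) id local_ip [mask]' really covers."""
    if local_ip in ("0", "0.0.0.0"):
        return ipaddress.IPv4Network("0.0.0.0/0")  # all hosts
    return ipaddress.IPv4Network((local_ip, mask or classful_mask(local_ip)), strict=False)


def unintended_hosts(local_ip: str, intended_mask: str) -> int:
    """Addresses translated by the mask-less form but outside the intended mask."""
    return nat_scope(local_ip).num_addresses - nat_scope(local_ip, intended_mask).num_addresses


def audit_nat_lines(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (line, derived network) for nat statements with a local_ip but no mask."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3 or parts[0] != "nat":
            continue
        tokens = parts[1:]
        if tokens[0].startswith("("):             # optional (local_interface)
            tokens = tokens[1:]
        if len(tokens) < 2 or tokens[1] == "access-list":
            continue                              # policy NAT / exemption carry no mask
        local_ip = tokens[1]
        has_mask = len(tokens) > 2 and tokens[2].count(".") == 3
        if has_mask or local_ip in ("0", "0.0.0.0"):
            continue
        findings.append((line, str(nat_scope(local_ip))))
    return findings


# Constructed configuration lines: the second and third omit the mask.
SAMPLE_CONFIG = [
    "nat (inside) 1 10.130.36.0 255.255.255.0",
    "nat (inside) 1 10.130.37.0",
    "nat (dmz) 2 172.16.5.0",
    "nat (inside) 0 access-list no-nat",
    "nat (inside) 1 0 0",
]

if __name__ == "__main__":
    for line, scope in audit_nat_lines(SAMPLE_CONFIG):
        print("no mask: %-40s translates %s" % (line, scope))
    print("extra hosts for 10.130.36.0 without a /24 mask:",
          unintended_hosts("10.130.36.0", "255.255.255.0"))
```

Running the audit over a saved configuration before applying it is cheap, and it catches the case the text warns about: 10.130.36.0 without a mask silently becomes a /8, 16,776,960 addresses more than the intended /24.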

max_conns

Specifies the maximum number of simultaneous TCP and UDP connections for the entire subnet. The default is 0, which means unlimited connections. (Idle connections are closed after the idle timeout specified by the timeout conn command.)

Note This option does not apply to outside NAT. The firewall only tracks connections from a higher security interface to a lower security interface. If you set max_conns as well as the outside option, the max_conns option is ignored.

nat_id

Specifies an integer for the NAT ID. For regular NAT, this integer is between 1 and 2147483647. For policy NAT (nat id access-list), this integer is between 1 and 65535.

Identity NAT (nat 0) and NAT exemption (nat 0 access-list) use the NAT ID of 0.

See the "nat 0 (Identity NAT)" section and the "nat 0 access-list (NAT Exemption)" section for more information about NAT identity and exemption.

norandomseq

Disables TCP Initial Sequence Number (ISN) randomization protection. Only use this option if another inline firewall is also randomizing sequence numbers and the result is scrambling the data. Without this protection, inside hosts with weak self-ISN protection become more vulnerable to TCP connection hijacking.

Unless you enable the norandomseq option, rcp connections may show a noticeable delay with TCP/IP stacks that quickly reuse TCP connections before the TIME-WAIT state has expired (such as IBM AIX or HP-UX).

Note This option does not apply to outside NAT. The firewall only randomizes the ISN that is generated by the host/server on the higher security interface. If you set norandomseq as well as the outside option, the norandomseq option is ignored.

outside

If this interface is on a lower security level than the interface you identify by the matching global statement, then you must enter outside. This feature is called outside NAT or bidirectional NAT.

Note Starting with PIX Firewall 6.3.2, source translation is performed before destination translation. For this reason, if the source NAT policy allows the connection, the xlate will be created, even if the traffic is denied by the destination policy.


Command Modes

Configuration mode.

Usage Guidelines

Network Address Translation (NAT) substitutes the local address of a packet with a global address that is routable on the destination network.

When hosts on a higher security interface (inside) access hosts on a lower security interface (outside), you must configure NAT on the inside hosts or specifically configure the inside interface to bypass NAT.

An inside host can communicate with the untranslated local address of the outside host without any special configuration on the outside interface. However, you can also optionally perform NAT on the outside network.

The nat command identifies the local addresses for translation using dynamic NAT or port address translation (PAT). The global command identifies the global addresses used for translation on a given destination interface. Each nat statement matches a global statement by comparing the NAT ID on each statement. If you bypass NAT using identity NAT or NAT exemption, then no global command is required. See the "nat 0 (Identity NAT)" section and the "nat 0 access-list (NAT Exemption)" section for more information on bypassing NAT.

After changing or removing a nat command statement, use the clear xlate command.

You can use the no nat command to remove a nat command statement.


Note The firewall does not support NAT for a Call Manager (CM) inside the firewall with IP phones outside the firewall (that need to register with it). This is because when the IP phone needs to register with the CM it does so through TFTP, but the firewall does not NAT TFTP messages.

The PIX Firewall does not support outside NAT for non-H.323 multimedia applications or between overlapping network addresses.


Dynamic NAT and PAT

Dynamic NAT translates a group of local addresses to a pool of global addresses that are routable on the destination network. The global pool can include fewer addresses than the local group. When a local host accesses the destination network, the PIX Firewall assigns it an IP address from the global pool. Because the translation is only in place for the duration of the connection, a given user does not keep the same IP address between connections. Users on the destination network, therefore, cannot reliably initiate a connection to a host that uses dynamic NAT (even if the connection is allowed by an access list). Not only can you not predict the IP address of the host, but the host does not have a global address unless the host is the initiator. See the static command for reliable access to hosts.

PAT translates a group of local addresses to a single global IP address combined with a unique source port (above 1024). When a local host accesses the destination network, the PIX Firewall assigns it the global IP address and then a unique port number. Each host receives the same IP address, but because the source port numbers are unique, the responding traffic, which includes the IP address and port number as the destination, can be assigned to the correct host. Because there are over 64,000 ports available, you are unlikely to run out of addresses, which can happen with dynamic NAT.

Like dynamic NAT, the translation is only in place for the duration of the connection, so a given user does not keep the same port number between connections.

PAT allows you to use a single global address, thus conserving routable addresses. You can even use the destination interface IP address as the PAT address. PAT does not work with multimedia applications that have an inbound data stream different from the outgoing control path.

Dynamic NAT has these disadvantages:

If the global pool has fewer addresses than the local group, you could run out of addresses if the traffic is more than expected.

Use PAT if this event occurs often.

You have to use a large number of routable addresses in the global pool; if the destination network requires registered addresses, such as the Internet, you might encounter a shortage of usable addresses.

The advantage of dynamic NAT is that some protocols cannot use PAT, which does not work with applications that have an inbound data stream on one port and the outgoing control path on another, such as multimedia applications.

nat vs. static Commands

The rule of thumb is that for access from a higher security level interface to a lower security level interface, use the nat command. From lower security level interface to a higher security level interface, use the static command.

Table 7-1 helps you decide when to use the nat or static commands for access between the various interfaces in the PIX Firewall. For this table, assume that the security levels are 40 for dmz1 and 60 for dmz2.

Table 7-1 Interface Access Commands by Interface

From This Interface   To This Interface   Use This Command
inside                outside             nat
inside                dmz1                nat
inside                dmz2                nat
dmz1                  outside             nat
dmz1                  dmz2                static
dmz1                  inside              static
dmz2                  outside             nat
dmz2                  dmz1                nat
dmz2                  inside              static
outside               dmz1                static
outside               dmz2                static
outside               inside              static


nat 0 (Identity NAT)

The nat 0 command enables identity NAT. Use this command to bypass NAT and allow the local addresses to be used unchanged. Adaptive Security remains in effect with the nat 0 command. Both the nat 0 command and the nat 0 access-list command (NAT exemption) may be configured concurrently in PIX Firewall software Version 5.3 and higher.

It is important to understand the difference between identity NAT and NAT exemption. With identity NAT, you can accept the inbound traffic only when the traffic is initiated from the inside and after the xlate is created. NAT exemption allows traffic whenever it matches the referenced ACL, regardless of whether or not there is already an xlate. Identity NAT allows you to set additional NAT parameters, such as norandomseq. NAT exemption allows only the outside option.

The nat 0 10.2.3.0 command means let those IP addresses in the 10.2.3.0 net appear on the outside without translation. All other hosts are translated depending on how their nat or static command statements appear in the configuration.

nat 0 access-list (NAT Exemption)

The nat 0 access-list command disables NAT, specifically proxy ARPing, for the IP addresses specified by the ACL referenced by acl_id. (The acl_id is the name you use to identify the access-list command statement.) This feature is known as NAT exemption. NAT exemption is not backward compatible with PIX Firewall software Version 5.2 or earlier versions.

This feature is useful in a Virtual Private Network (VPN) configuration where traffic between private networks should be exempted from NAT.

While NAT exemption lets you exempt traffic that is matched by the access-list command statement from NAT services, Adaptive Security remains in effect. The extent to which the inside hosts are accessible from the outside depends on the access-list command statements that permit inbound access; NAT exemption allows both inbound and outbound traffic no matter which side initiates, as long as it is permitted by the referenced ACL.

Unlike policy NAT, the PIX Firewall ignores any port setting in your ACL command statement and so NAT exemption cannot be used to permit or deny traffic on a per-port basis.

nat outside (Outside NAT)

The nat outside option lets you enable or disable outside NAT, which translates the source address of a connection coming from a lower security interface to a higher security interface. This feature is also called bidirectional NAT.

If you enable outside dynamic NAT on an interface, then you must configure explicit NAT policy for all hosts on the interface that need to initiate connections to inside networks. If you want to translate some hosts, but not others, then use identity NAT or NAT exemption (nat 0 or nat 0 access-list) to disable address translation for these additional hosts.

The norandomseq and emb_limit options are not supported with outside NAT.


Note Enabling outside PAT can make the firewall more susceptible to a flood DoS attack. To mitigate this, we recommend that the address range selected with the nat nat_id local_ip mask outside command be as restrictive as possible. In addition, the connection limit should be set to a value that takes into consideration the memory capacity of the firewall. In general, a PAT session is composed of a PAT xlate and a UDP or TCP connection. A PAT xlate consumes about 120 bytes and a TCP or UDP connection consumes about 250 bytes.


nat nat_id access-list (Policy NAT)

When you use an access list with the nat command for any NAT ID other than 0, then you enable policy NAT.

Policy NAT lets you identify local traffic for address translation by specifying the source and destination addresses (or ports) in an access list. Regular NAT uses source addresses/ports only, whereas policy NAT uses both source and destination addresses/ports.


Note All types of NAT support policy NAT except for NAT exemption (nat 0 access-list). NAT exemption uses an ACL to identify the local addresses, but differs from policy NAT in that the ports are not considered.


With policy NAT, you can create multiple NAT or static statements that identify the same local address as long as the source/port and destination/port combination is unique for each statement. You can then match different global addresses to each source/port and destination/port pair.

Order of NAT Commands Used to Match Local Addresses

The firewall matches local traffic to NAT commands in the following order:

1. nat 0 access-list (NAT exemption)—In order, until the first match. For example, you could have overlapping local/destination addresses in multiple nat commands, but only the first command is matched.

2. static (static NAT)—In order, until the first match. Because you cannot use the same local address in static NAT or static PAT commands, the order of static commands does not matter. Similarly, for static policy NAT, you cannot use the same local/destination address and port across multiple statements.

3. static {tcp | udp} (static PAT)—In order, until the first match. Because you cannot use the same local address in static NAT or static PAT commands, the order of static commands does not matter. Similarly, for static policy NAT, you cannot use the same local/destination address and port across multiple statements.

4. nat nat_id access-list (policy NAT)—In order, until the first match. For example, you could have overlapping local/destination ports and addresses in multiple nat commands, but only the first command is matched.

5. nat (regular NAT)—Best match. The order of the NAT commands does not matter. The nat statement that best matches the local traffic is used. For example, you can create a general statement to translate all addresses (0.0.0.0) on an interface. If you also create a statement to translate only 10.1.1.1, when 10.1.1.1 makes a connection, the specific statement for 10.1.1.1 is used because it matches the local traffic best.

If you configure multiple global statements on the same NAT ID, the global statements are used in this order:

1. No global if using nat 0 (identity NAT).

2. Dynamic NAT global.

3. PAT global.
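The lookup order above (NAT exemption, static, static PAT, policy NAT, then regular NAT by best match, with exemption ignoring ports) as an added Python simulation; this is not PIX code, and the rule set and addresses are constructed from the examples in this section.

```python
"""Simulation of the order in which PIX 6.3 matches local traffic to NAT
statements (exemption, static, static PAT, policy NAT, then regular NAT by
best match). Added example, not PIX code; rules and addresses are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class NatRule:
    kind: str                    # exempt | static | static_pat | policy | regular
    local: str                   # local network the statement covers, e.g. "10.1.1.0/24"
    dest: str = "0.0.0.0/0"      # destination network from the ACL (exempt/policy only)
    dport: Optional[int] = None  # destination port (policy NAT / static PAT only)
    label: str = ""              # text of the statement, reported on a match

# Category order from the command reference: first category with a hit wins.
PRIORITY = ["exempt", "static", "static_pat", "policy", "regular"]

def _covers(rule: NatRule, src: str, dst: str, dport: Optional[int]) -> bool:
    """True if the packet's source, destination and port fall within the rule."""
    if ip_address(src) not in ip_network(rule.local):
        return False
    # NAT exemption and policy NAT also match on the destination address...
    if rule.kind in ("exempt", "policy") and ip_address(dst) not in ip_network(rule.dest):
        return False
    # ...but only policy NAT and static PAT look at the port; exemption ignores it.
    if rule.kind in ("policy", "static_pat") and rule.dport is not None and rule.dport != dport:
        return False
    return True

def match_nat(rules: List[NatRule], src: str, dst: str, dport: Optional[int] = None) -> Optional[NatRule]:
    """Return the statement the firewall would apply, or None if nothing covers the traffic."""
    for kind in PRIORITY:
        hits = [r for r in rules if r.kind == kind and _covers(r, src, dst, dport)]
        if not hits:
            continue
        if kind == "regular":
            # Regular NAT is best match: the longest local prefix wins regardless of order.
            return max(hits, key=lambda r: ip_network(r.local).prefixlen)
        return hits[0]  # every other category is first match in configuration order
    return None

# Constructed configuration mirroring the examples in this section; the general
# regular NAT statement is listed first on purpose, it must still lose to the host entry.
RULES = [
    NatRule("regular", "0.0.0.0/0", label="nat (inside) 3 0 0"),
    NatRule("exempt", "10.1.1.15/32", "10.2.1.3/32", label="nat (inside) 0 access-list no-nat"),
    NatRule("policy", "10.1.2.0/24", "209.165.201.11/32", 80, label="nat (inside) 1 access-list WEB"),
    NatRule("policy", "10.1.2.0/24", "209.165.201.11/32", 23, label="nat (inside) 2 access-list TELNET"),
    NatRule("regular", "10.1.1.1/32", label="nat (inside) 4 10.1.1.1 255.255.255.255"),
]
```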

Examples

The nat 0 (identity NAT) command allows traffic to be initiated from the local host only.

If you want the addresses to be visible from the outside network, use NAT exemption, or use the static command as follows:

nat (inside) 0 209.165.201.0 255.255.255.224
static (inside,outside) 209.165.201.0 209.165.201.0 netmask 255.255.255.224
access-list acl_out permit tcp host 10.0.0.1 209.165.201.0 255.255.255.224 eq ftp
access-group acl_out in interface outside

nat (inside) 0 209.165.202.128 255.255.255.224
static (inside,outside) 209.165.202.128 209.165.202.128 netmask 255.255.255.255
access-list acl_out permit tcp host 10.0.0.1 209.165.202.128 255.255.255.224 eq ftp
access-group acl_out in interface outside

The following example shows use of the nat 0 access-list command (NAT exemption) to permit internal host 10.1.1.15, which is accessible through the inside interface, to bypass NAT when connecting to outside host 10.2.1.3.

access-list no-nat permit ip host 10.1.1.15 host 10.2.1.3
nat (inside) 0 access-list no-nat

The following commands use NAT exemption on a PIX Firewall with three interfaces:

access-list all-ip-packet permit ip 0 0 0 0
nat (dmz) 0 access-list all-ip-packet
nat (inside) 0 access-list all-ip-packet

Given outbound traffic and the following example, for the nat command statements with a nat_id of 1, any of the hosts on the 10.1.1.0 network are translated to the range of 209.165.201.25-209.165.201.27. After all three addresses have been used, the translation rule starts using 209.165.201.30 as the PAT address. For the nat command statements with a nat_id of 3, all of the hosts on the 10.1.3.0 network are translated to the outside IP address of the FWSM using PAT.

nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 209.165.201.25-209.165.201.27 netmask 255.255.255.224 
global (outside) 1 209.165.201.30

nat (inside) 3 10.1.3.0 255.255.255.0
global (outside) 3 209.165.201.30

The following example specifies with nat command statements that all the hosts on the 10.0.0.0 and 10.3.3.0 inside networks can start outbound connections. The global command statements create separate, non-overlapping pools of global addresses for those hosts.

nat (inside) 1 10.0.0.0 255.0.0.0
global (outside) 1 209.165.201.24-209.165.201.27 netmask 255.255.255.224
global (outside) 1 209.165.201.30

nat (inside) 3 10.3.3.0 255.255.255.0
global (outside) 3 209.165.201.10-209.165.201.23 netmask 255.255.255.224

The following policy NAT example shows a host on the 10.1.2.0/24 network accessing two different servers. When the host accesses the server at 209.165.201.11, the local address is translated to 209.165.202.129. When the host accesses the server at 209.165.200.225, the local address is translated to 209.165.202.130.

access-list NET1 permit ip 10.1.2.0 255.255.255.0 209.165.201.0 255.255.255.224
access-list NET2 permit ip 10.1.2.0 255.255.255.0 209.165.200.224 255.255.255.224
nat (inside) 1 access-list NET1
global (outside) 1 209.165.202.129 255.255.255.255
nat (inside) 2 access-list NET2
global (outside) 2 209.165.202.130 255.255.255.255

The following policy NAT example shows the use of source and destination ports. The host on the 10.1.2.0/24 network accesses a single host for both web services and Telnet services. When the host accesses the server for web services, the local address is translated to 209.165.202.129. When the host accesses the same server for Telnet services, the local address is translated to 209.165.202.130.

access-list WEB permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 255.255.255.255 eq 80
access-list TELNET permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 255.255.255.255 eq 23
nat (inside) 1 access-list WEB
global (outside) 1 209.165.202.129 255.255.255.255
nat (inside) 2 access-list TELNET
global (outside) 2 209.165.202.130 255.255.255.255

Related Commands

access-list

Configures access control.

global

Configures global address pools, or designates a PAT (Port Address Translation) address.

interface

Sets network interface parameters and configures VLANs.

nameif

Assigns a name to an interface.

static

Configures a one-to-one address translation rule.


ntp

Synchronizes the PIX Firewall with a network time server using the Network Time Protocol (NTP).

[no] ntp authenticate

[no] ntp authentication-key number md5 value

ntp server ip_address [key number] source if_name [prefer]

no ntp server ip_address

[no] ntp trusted-key number

clear ntp

show ntp

show ntp associations [detail]

show ntp status

Syntax Description

associations

The network time server associations.

authenticate

Enables NTP authentication. If enabled, the PIX Firewall requires authentication before synchronizing with an NTP server.

authentication-key

Defines the authentication keys for use with other NTP commands.

detail

Provides additional detail on the network time servers.

if_name

Specifies the interface to use to send packets to the network time server.

ip_address

The IP address of the network time server with which to synchronize.

key

Specifies the authentication key.

md5

The authentication hash algorithm (MD5).

number

The authentication key number (1 to 4294967295).

prefer

Designates the network time server specified as the preferred server with which to synchronize time.

server

The network time server.

source

Specifies the network time source.

status

Displays NTP clock information.

trusted-key

Specifies the trusted key against which to authenticate.

value

The key value, an arbitrary string of up to 32 characters. The key value is displayed as "***********" when the configuration is viewed by the write terminal or show tech-support commands.


Command Modes

Configuration mode.

Usage Guidelines

The ntp command synchronizes the PIX Firewall with the network time server that is specified and authenticates according to the authentication options that are set.

The authentication keys for the ntp commands are defined in the ntp authentication-key command. If authentication is used, the PIX Firewall and NTP server must be configured with the same key.

If authentication is enabled, use the ntp trusted-key command to define one or more key numbers that the NTP server needs to provide in its NTP packets for the PIX Firewall to accept synchronization with the NTP server.

The PIX Firewall listens for NTP packets (port 123) only on interfaces that have an NTP server configured through the ntp server command. NTP packets that are not responses from a request by the PIX Firewall are dropped.

The ntp authenticate command enables NTP authentication.

The clear ntp command removes the NTP configuration, including disabling authentication and removing all authentication keys and NTP server designations.

show ntp commands

To view information about the NTP configuration and status, use the show ntp, show ntp associations [detail], or show ntp status commands.

The show ntp command displays the current NTP configuration.

The show ntp associations [detail] command displays the configured network time server associations.

The show ntp status command displays the NTP clock information.

The following is sample output from the show ntp associations command:

pixfirewall> show ntp associations
     address         ref clock     st  when  poll  reach  delay  offset    disp
 ~172.31.32.2      172.31.32.1       5    29  1024  377     4.2   -8.59     1.6
+~192.168.13.33    192.168.1.111     3    69   128  377     4.1    3.48     2.3
*~192.168.13.57    192.168.1.111     3    32   128  377     7.9   11.18     3.6
* master (synced), # master (unsynced), + selected, - candidate, ~ configured

Table 7-2 describes the values in the show ntp associations command output:

Table 7-2 Output Description from show ntp associations Command

Output
Description
*