Cisco PIX Firewall Command Reference, Version 6.3
T through Z Commands
Download this chapter
T through Z CommandsT through Z Commands
Download the complete book
PDF: Cisco PIX Firewall Command ReferencePDF: Cisco PIX Firewall Command Reference (PDF - 4 MB)
give_us_feedback

Table Of Contents

T through Z Commands

telnet

terminal

tftp-server

timeout

url-block

url-cache

url-server

username

virtual

vpdn

vpnclient

vpngroup

who

write

Y and Z Commands


T through Z Commands

telnet

Specify the host for PIX Firewall console access via Telnet.

telnet ip_address [netmask] [if_name]

clear telnet [ip_address [netmask] [if_name]]

no telnet [ip_address [netmask] [if_name]]

telnet timeout minutes

show telnet

show telnet timeout

Syntax Description

if_name

If IPSec is operating, PIX Firewall lets you specify an unsecure interface name, typically, the outside interface. At a minimum, the crypto map command must be configured to specify an interface name with the telnet command.

ip_address

An IP address of a host or network that can access a PIX Firewall Telnet management session. If an interface name is not specified, the address is assumed to be on an internal interface. PIX Firewall automatically verifies the IP address against the IP addresses specified by the ip address commands to ensure that the address you specify is on an internal interface. If an interface name is specified, PIX Firewall only checks the host against the interface you specify.

netmask

Bit mask of ip_address. To limit access to a single IP address, use 255 in each octet; for example, 255.255.255.255. If you do not specify netmask, it defaults to 255.255.255.255 regardless of the class of local_ip. Do not use the subnetwork mask of the internal network. The netmask is only a bit mask for the IP address in ip_address.

timeout minutes

The number of minutes that a Telnet session can be idle before being closed by PIX Firewall. The default is 5 minutes. The range is 1 to 60 minutes.


Command Modes

Configuration mode.

Usage Guidelines

The telnet command lets you specify which hosts can access the PIX Firewall console with Telnet. You can enable Telnet to the PIX Firewall on all interfaces. However, the PIX Firewall enforces that all Telnet traffic to the outside interface be IPSec protected. Therefore, to enable Telnet session to the outside interface, configure IPSec on the outside interface to include IP traffic generated by the PIX Firewall and enable Telnet on the outside interface.

A maximum of five (5) active Telnet management sessions to the PIX Firewall are allowed at the same time. The show telnet command displays the current list of IP addresses authorized to Telnet to the PIX Firewall. Use the no telnet or clear telnet command to remove Telnet access from a previously set IP address. Use the telnet timeout feature to set the maximum time a console Telnet session can be idle before being logged off by PIX Firewall. The clear telnet command does not affect the telnet timeout command duration. The no telnet command cannot be used with the telnet timeout command.

Use the passwd command to set a password for Telnet access to the console. The default is cisco. Use the who command to view which IP addresses are currently accessing the PIX Firewall console. Use the kill command to terminate an active Telnet management session.

If the aaa command is used with the console option, Telnet management access must be authenticated with an authentication server.

Note If you have configured the aaa command to require authentication for PIX Firewall Telnet management access and the console login request times out, you can gain access to the PIX Firewall from the serial console by entering the pix username and the password that was set with the enable password command.

Usage Notes

1. If you do not specify the interface name, the telnet command adds command statements to the configuration to let the host or network access the Telnet management session from all internal interfaces.

When you use the show telnet command, this assumption may not seem to make sense. For example, if you enter the following command without a netmask or interface name. 

telnet 192.168.1.1

If you then use the show telnet command, you see that not just one command statement is specified, but all internal interfaces are represented with a command statement: 

show telnet

192.168.1.1 255.255.255.255 inside

192.168.1.1 255.255.255.255 intf2

192.168.1.1 255.255.255.255 intf3

The purpose of the show telnet command is that, were it possible, the 192.168.1.1 host could access the Telnet management session from any of these internal interfaces. An additional facet of this behavior is that you must delete each of these command statements individually with the following commands. 

no telnet 192.168.1.1 255.255.255.255 inside

no telnet 192.168.1.1 255.255.255.255 intf2

no telnet 192.168.1.1 255.255.255.255 intf3

2. To access the PIX Firewall with Telnet from the intf2 perimeter interface, use the following command: 

telnet 192.168.1.1 255.255.255.255 int2

3. The default password to access the PIX Firewall console via Telnet is cisco.

4. Some Telnet applications such as the Windows 95 or Windows NT Telnet sessions may not support access to the PIX Firewall unit's command history feature via the arrow keys. However, you can access the last entered command by pressing Ctrl-P.

5. The telnet timeout command affects the next session started but not the current session.

6. If you connect a computer directly to the inside interface of the PIX Firewall with Ethernet to test Telnet access, you must use a cross-over cable and the computer must have an IP address on the same subnet as the inside interface. The computer must also have its default route set to be the inside interface of the PIX Firewall.

7. If you need to access the PIX Firewall console from outside the PIX Firewall, you can use a static and access-list command pair to permit a Telnet session to a Telnet server on the inside interface, and then from the server to the PIX Firewall. In addition, you can attach the console port to a modem but this may add a security problem of its own. You can use the same terminal settings as for HyperTerminal, which is described in the Cisco PIX Firewall and VPN Configuration Guide.

If you have IPSec configured, you can access the PIX Firewall console with Telnet from outside the PIX Firewall. Once an IPSec tunnel is created from an outside host to the PIX Firewall, you can access the console from the outside host.

8. Output from the debug crypto ipsec, debug crypto isakmp, and debug ssh commands do not display in a Telnet or SSH console session. For information about the debug crypto ipsec and debug crypto isakmp commands, refer to the debug command page.

Examples

The following examples permit hosts 192.168.1.3 and 192.168.1.4 to access the PIX Firewall console via Telnet. In addition, all the hosts on the 192.168.2.0 network are given access: 

telnet 192.168.1.3 255.255.255.255 inside

telnet 192.168.1.4 255.255.255.255 inside

telnet 192.168.2.0 255.255.255.0 inside

show telnet

          192.168.1.3 255.255.255.255 inside

          192.168.1.4 255.255.255.255 inside

          192.168.2.0 255.255.255.0 inside

You can remove individual entries with the no telnet command or all telnet command statements with the clear telnet command: 

no telnet 192.168.1.3 255.255.255.255 inside

show telnet

          192.168.1.4 255.255.255.255 inside

          192.168.2.0 255.255.255.0 inside

clear telnet

show telnet

You can change the maximum session idle duration as follows: 

telnet timeout 10

show telnet timeout

telnet timeout 10 minutes

An example Telnet login session appears as follows (the password does not display when entered): 

PIX passwd: cisco


Welcome to the PIX Firewall

...

Type help or `?' for a list of available commands.

pixfirewall>

Related Commands

aaa accounting

kill

password

who

terminal

Change console terminal settings.

terminal monitor

terminal no monitor

terminal width characters

Syntax Description

characters

Permissible values are 0, which means 511 characters, or a value in the range of 40 to 511.

monitor

Enable or disable syslog message displays on the console.

width

Set the width for displaying information during console sessions.


Command Modes

Configuration mode.

Usage Guidelines

The terminal monitor command lets you enable or disable the display of syslog messages in the current session for Telnet access to the PIXFirewall console. Use the logging monitor command to enable or disable various levels of syslog messages to the Telnet console; use the terminal no monitor command to disable the messages on a per session basis. Use the terminal monitor command to restart the syslog messages for the current session.

The terminal width command sets the width for displaying command output. The terminal width is controlled by the command: terminal width nn, where nn is the width in characters. If you enter a line break, it is not possible to backspace to the previous line.

Examples

The following example shows enabling logging and then disabling logging only in the current session with the terminal no monitor command: 

logging monitor

...

terminal no monitor

tftp-server

Specify the IP address of the TFTP configuration server.

[no] tftp-server [if_name] ip_address path

clear tftp-server [[if_name] ip_address path]

show tftp-server

Syntax Description

if_name

Interface name on which the TFTP server resides. If not specified, an internal interface is assumed. If you specify the outside interface, a warning message informs you that the outside interface is unsecure.

ip_address

The IP address or network of the TFTP server.

path

The path and filename of the configuration file. The format for path differs by the type of operating system on the server. The contents of path are passed directly to the server without interpretation or checking. The configuration file must exist on the TFTP server. Many TFTP servers require the configuration file to be world-writable to write to it and world-readable to read from it.


Command Modes

Configuration mode.

Usage Guidelines

The tftp-server command lets you specify the IP address of the server that you use to propagate PIX Firewall configuration files to your firewalls. Use the tftp-server command with the configure net command to read from the configuration or with the write net command to store the configuration in the file you specify. The clear tftp-server command removes the tftp-server command from your configuration.

PIX Firewall supports only one TFTP server.

The path name you specify in the tftp-server is appended to the end of the IP address you specify in the configure net and write net commands. The more you specify of a file and path name with the tftp-server command, the less you need to specify with the configure net and write net commands. If you specify the full path and filename in the tftp-server command, the IP address in the configure net and write net commands can be represented with a colon ( : ).

The no tftp server command disables access to the server. The show tftp-server command lists the tftp-server command statements in the current configuration.

Note If the TFTP server to which the firewall is trying to connect is not running the TFTP service, the firewall hangs and does not timeout. Press "ESC" key on the firewall console to abort the TFTP session and return to the firewall command line prompt.

Examples

The following example specifies a TFTP server and then reads the configuration from /pixfirewall/config/test_config: 

tftp-server 10.1.1.42 /pixfirewall/config/test_config

...

configure net :

timeout

Set the maximum idle time duration.

timeout [xlate hh[:mm[:ss]]] [conn hh[:mm[:ss]]] [half-closed hh[:mm[:ss]]] [udp hh[:mm[:ss]]] [rpc hh[:mm[:ss]]] [h225 hh[:mm[:ss]]] [h323 hh[:mm[:ss]]] [mgcp hh[:mm[:ss]]] [sip hh[:mm[:ss]]] [sip_media hh[:mm[:ss]]][uauth hh[:mm[:ss]] [absolute  |  inactivity]]

clear timeout

show timeout

Syntax Description

absolute

Run uauth timer continuously, but after timer elapses, wait to reprompt the user until the user starts a new connection, such as clicking a link in a web browser. The default uauth timer is absolute. To disable absolute, set the uauth timer to 0 (zero).

conn hh[:mm[:ss]]

Idle time after which a connection closes. Use 0:0:0 for the time value to never time out a connection. This duration must be at least 5 minutes. The default is 1 hour.

h225 hh[:mm[:ss]]

The idle time after which H.225 signalling closes, where hh is hours, mm is minutes, and ss is seconds. The default is 1 hour. A timeout value of h225 00:00:00 means never tear down H.225 signalling. A timeout value of h225 00:00:01 disables the timer and closes the TCP connection immediately after all calls are cleared.

h323 hh[:mm[:ss]]

The idle time after which an H.323 media connection closes. The default is 5 minutes. (This is the H.323 UDP inactivity timer.)

half-closed hh[:mm[:ss]]

Idle time until a TCP half-close connection is freed. The default is 10 minutes. Use 0:0:0 to never time out a half-closed connection. The minimum is 5 minutes.

inactivity

Start uauth timer after a connection becomes idle.

mgcp hh[:mm[:ss]]

Sets the duration for the Media Gateway Control Protocol (MGCP) inactivity timer. The default is 5 minutes.

rpc hh[:mm[:ss]]

Idle time until an RPC slot is freed. This duration must be at least 1 minute. The default is 10 minutes.

sip hh[:mm[:ss]]

Modifies the SIP timer which is used for UDP signalling connections identified by the value T in the output from the show conn detail command. The default timeout value is 30 minutes.

sip_media hh[:mm[:ss]]

Modifies the media timer, which is used for SIP RTP/RTCP with SIP UDP media packets, instead of the UDP inactivity timeout. SIP media port is set to 2 minutes in the list of protocol timers.

uauth hh[:mm[:ss]]

Duration before authentication and authorization cache times out and user has to re authenticate next connection. This duration must be shorter than the xlate values. Set to 0 to disable caching. Do not set to zero if passive FTP is used on the connections.

Note All traffic will reset the timer. This includes non-http traffic.

udp hh[:mm[:ss]]

Idle time until a UDP slot is freed. This duration must be at least 1 minute. The default is 2 minutes.

xlate hh[:mm[:ss]]

Idle time until a translation slot is freed. This duration must be at least 1 minute. The default is 3 hours.

Note PIX Firewall clears UDP PAT connections 30 seconds after the connection is closed, regardless of the setting of the timeout xlate command.


Command Modes

Configuration mode.

Usage Guidelines

The timeout command sets the idle time for connection, translation UDP, RPC, and H.323 slots. If the slot has not been used for the idle time specified, the resource is returned to the free pool. TCP connection slots are freed approximately 60 seconds after a normal connection close sequence.

The clear timeout command sets the durations to their default values.

This command is used in conjunction with the show and clear uauth commands.

Note Do not use the timeout uauth 0:0:0 command if passive FTP is used for the connection, or if the virtual command is used for Web authentication.

The connection timer takes precedence over the translation timer, such that the translation timer only works after all connections have timed out.

timeout mgcp

The timeout mgcp hh:mm:ss command sets the duration for the MGCP inactivity timer. If this time elapses before new activity occurs, the MGCP media ports close. The default is five minutes. For example, to set the MGCP timeout to five minutes, enter the following: 

pixfirewall(config)# timeout mgcp 00:05:00

Uauth Inactivity and Absolute Qualifiers

The uauth inactivity and absolute qualifiers cause users to have to reauthenticate after either a period of inactivity or an absolute duration.

If you set the inactivity timer to a duration, but the absolute timer to zero, then users are only reauthenticated after the inactivity timer elapses. If you set both timers to zero, then users have to reauthenticate on every new connection.

The inactivity timer starts after a connection becomes idle. If a user establishes a new connection before the duration of the inactivity timer, the user is not required to reauthenticate. If a user establishes a new connection after the inactivity timer expires, the user must reauthenticate. The default durations are zero for the inactivity timer and 5 minutes for the absolute timer; that is, the default behavior is to cause the user to reauthenticate every 5 minutes.

The absolute timer runs continuously, but waits to reprompt the user when the user starts a new connection, such as clicking a link and the absolute timer has elapsed, then the user is prompted to reauthenticate. The absolute timer must be shorter than the xlate timer; otherwise, a user could be reprompt after their session already ended.

Inactivity timers give users the best Web access because they are not prompted to regularly reauthenticate. Absolute timers provide security and manage the PIX Firewall connections better. By being prompted to reauthenticate regularly, users manage their use of the resources more efficiently. Also by being reprompted, you minimize the risk that someone will attempt to use another user's access after they leave their workstation, such as in a college computer lab. You may want to set an absolute timer during peak hours and an inactivity timer thereafter.

Both an inactivity timer and an absolute timer can operate at the same time, but you should set the absolute timer duration longer than the inactivity timer. If the absolute timer is less than the inactivity timer, the inactivity timer never occurs. For example, if you set the absolute timer to 10 minutes and the inactivity timer to an hour, the absolute timer reprompts the user every 10 minutes; therefore, the inactivity timer will never be started.

Note RPC and NFS are very insecure protocols and should be used with caution.

Examples

The following is sample output from the show timeout command: 

show timeout

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00  
sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

The following is sample output from the timeout command in which variables are changed and then displayed with the show timeout command: 

timeout uauth 0:5:00 absolute uauth 0:4:00 inactivity

show timeout

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00  
sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute uauth 0:04:00 inactivity

Related Commands

show xlate/clear xlate

show uauth/clear uauth

url-block

For Websense filtering servers, the url-block url-size command allows filtering of long URLs, up to 4 KB. For both Websense and N2H2 filtering servers, the url-block block command causes the PIX Firewall to buffer packets received from a web server in response to a web client request while waiting for a response from the URL filtering server. This improves performance for the web client compared to the default PIX Firewall behavior, which is to drop the packets and to require the web server to retransmit the packets if the connection is permitted.

If you use the url-block block command and the filtering server permits the connection, the PIX Firewall sends the blocks to the web client from the HTTP response buffer and removes the blocks from the buffer. If the filtering server denies the connection, the PIX Firewall sends a deny message to the web client and removes the blocks from the HTTP response buffer.

[no] url-block block block_buffer_limit

clear url-block block stat

show url-block block stat

Websense only:

[no] url-block url-mempool memory_pool_size

[no] url-block url-size long_url_size

Syntax Description

block block_buffer_limit

Creates an HTTP response buffer to store web server responses while waiting for a filtering decision from the filtering server. The permitted values are from 0 to 128, with specifies the number of 1550-byte blocks.

stat

Displays block buffer usage statistics.

url-mempool memory_pool_size

For Websense URL filtering only. The size of the URL buffer memory pool in Kilobytes (KB). The permitted values are from 2  to 10240, which specifies a URL buffer memory pool from 2 KB to 10240 KB.

url-size long_url_size

For Websense URL filtering only. The maximum allowed URL size in KB. The permitted values are 2, 3, or 4, which specifies a maximum URL size of 2 KB, 3 KB, or 4KB.


Command Modes

Configuration mode.

Usage Guidelines

Use the url-block block command to specify the number of blocks to use for buffering web server responses while waiting for a filtering decision from the filtering server.

Use the url-block url-size command with the url-block url-mempool command to specify the maximum length of a URL to be filtered by a Websense filtering server and the maximum memory to assign to the URL buffer. Use these commands to pass URLs longer than 1159 bytes, up to a maximum of 4096 bytes, to the Websense server. The url-block url-size command stores URLs longer than 1159 bytes in a buffer and then passes the URL to the Websense server (through a TCP packet stream) so that the Websense server can grant or deny access to that URL.

The clear url-block block stat command clears the block buffer usage counters, except for the Current number of packets held (global) counter.

The show url-block block stat command displays the number of packets held in the url-block buffer and the number (if any) dropped due to exceeding the buffer limit or retransmission.

Examples

The following example illustrates the use of the show url-block block stat and clear url-block block stat commands: 

pixfirewall(config)# sh url-block block stat


URL Pending Packet Buffer Stats with max block  128 

----------------------------------------------------- 

Cumulative number of packets held:              896

Maximum number of packets held (per URL):       3

Current number of packets held (global):        38

Packets dropped due to

       exceeding url-block buffer limit:        7546

       HTTP server retransmission:              10

Number of packets released back to client:      0


pixfirewall(config)# sh url-block

    url-block url-mempool 128 

    url-block url-size 4 

    url-block block 128 


pixfirewall(config)# clear url-block block stat

pixdocipsec1(config)# show url-block block stat


URL Pending Packet Buffer Stats with max block  0

-----------------------------------------------------

Cumulative number of packets held:              0

Maximum number of packets held (per URL):       0

Current number of packets held (global):        38

Packets dropped due to

       exceeding url-block buffer limit:        0

       HTTP server retransmission:              0

Number of packets released back to client:      0

url-cache

Caches URL access privileges that were previously retrieved from a Websense or N2H2 server.

[no] url-cache {dst |   src_dst} size kbytes

clear url-cache

show url-cache stats

Syntax Description

dst

Cache entries based on the URL destination address. Select this mode if all users share the same URL filtering policy on the N2H2 or Websense server.

size kbytes

Specifies a value for the cache size within the range 1 to 128 KB.

src_dst

Cache entries based on the both the source address initiating the URL request as well as the URL destination address. Select this mode if users do not share the same URL filtering policy on the N2H2 or Websense server.

stat

Use the stat option to display additional URL cache statistics, including the number of cache lookups and hit rate.


Command Modes

Configuration mode.

Usage Guidelines

The url-cache command provides a configuration option to allow the PIX to cache previously retrieved URL access privileges from a Websense or N2H2 server.

Use the url-cache command to enable URL caching, set the size of the cache, and display cache statistics.

Caching stores URL access privileges in memory on the PIX Firewall. When a host requests a connection, the PIX Firewall first looks in the URL cache for matching access privileges instead of forwarding the request to the N2H2 or Websense server. Disable caching with the no url-cache command.

The clear url-cache command removes url-cache command statements from the configuration.

Using the URL cache does not update the Websense accounting logs for Websense protocol Version 1. If you are using Websense protocol Version 1, let Websense run to accumulate logs so you can view the Websense accounting information. After you get a usage profile that meets your security needs, enable url-cache to increase throughput. Accounting logs are updated for Websense protocol Version 4 and for N2H2 URL filtering while using the url-cache command.

Note If you change settings on the N2H2 or Websense server, disable the cache with the no url-cache command and then reenable the cache with the url-cache command.

The show url-cache command with the stats option displays the following entries:

Size—The size of the cache in kilobytes, set with the url-cache size option.

Entries—The maximum number of cache entries based on the cache size.

In Use—The current number of entries in the cache.

Lookups—The number of times the PIX Firewall has looked for a cache entry.

Hits—The number of times the PIX Firewall has found an entry in the cache.

You can view additional information about N2H2 or Websense filtering activity with the show perfmon command.

Examples

The following example caches all outbound HTTP connections based on the source and destination addresses: 

url-cache src_dst 128

The following is sample output from the show url-cache stat command: 

show url-cache stat


URL Filter Cache Stats

----------------------

    Size :                               1KB

 Entries :                                   36

             In Use :                                   30

 Lookups :                                   300

    Hits :                                   290

url-server

Designate a server running either N2H2 or Websense for use with the filter command; you cannot run both of these URL filtering services simultaneously.

N2H2

[no] url-server [(if_name)] vendor n2h2 host local_ip [port number] [timeout seconds] [protocol {TCP | UDP}]

Websense

[no] url-server [(if_name)] vendor websense host local_ip [timeout seconds] [protocol {TCP | UDP} version]

show url-server

show url-server stats

Syntax Description

N2H2

host local_ip

The server that runs the URL filtering application.

if_name

The network interface where the authentication server resides. If not specified, the default is inside.

port number

The N2H2 server port. The PIX Firewall also listens for UDP replies on this port. The default port number is 4005.

protocol

The protocol can be configured using TCP or UDP keywords. The default is TCP.

timeout seconds

The maximum idle time permitted before PIX Firewall switches to the next server you specified. The default is 5 seconds.

vendor n2h2

Indicates URL filtering service vendor is N2H2.


Websense

if_name

The network interface where the authentication server resides. If not specified, the default is inside.

host local_ip

The server that runs the URL filtering application.

timeout seconds

The maximum idle time permitted before PIX Firewall switches to the next server you specified. The default is 5 seconds.

protocol

The protocol can be configured using TCP or UDP keywords. The default is TCP protocol, Version 1.

vendor websense

Indicates URL filtering service vendor is Websense.

version

Specifies protocol Version 1 or 4. The default is TCP protocol Version 1. TCP can be configured using Version 1 or Version 4. UDP can be configured using Version 4 only.


Command Modes

Configuration mode.

Usage Guidelines

The url-server command designates the server running the N2H2 or Websense URL filtering application. The limit is 16 URL servers; however, and you can use only one application at a time, either N2H2 or Websense. Additionally, changing your configuration on the PIX Firewall does not update the configuration on the application server; this must be done separately, according to the individual vendor's instructions.

Once you designate the server, enable the URL filtering service with the filter command.

Follow these steps to filter URLs:

Step 1 Designate the URL filtering application server with the appropriate form of the vendor-specific url-server command.

Step 2 Enable URL filtering with the filter command.

Step 3 (Optional) Use the url-cache command to enable URL caching to improve perceived response time.

Step 4 (Optional) Enable long URL and HTTP buffering support using the url-block commands.

Step 5 Use the show url-block block stats, show url-cache stats, show url-server stats, and the show pdm commands to view run information.

For more information about Filtering by N2H2, visit N2H2's website at:

http://www.n2h2.com

For more information on Websense filtering services, visit the following website:

http://www.websense.com/

The url-server command must be configured before issuing the filter command for HTTPS and FTP. If all URL servers are removed from the server list, then all filter commands related to URL filtering are also removed.

show url-server commands

The show url-server stats command displays the URL server vendor; number of URLs total, allowed, and denied; number of HTTPS connections total, allowed, and denied; number of TCP connections total, allowed, and denied; and the URL server status.

The show url-server command displays the following information:

For N2H2, url-server (if_name) vendor n2h2 host local_ip port number timeout seconds protocol [{TCP | UDP}{version 1 | 4}]

For Websense, url-server (if_name) vendor websense host local_ip timeout seconds protocol [{TCP | UDP}]

Examples

Using N2H2, the following example filters all outbound HTTP connections except those from the 10.0.2.54 host: 

url-server (perimeter) vendor n2h2 host 10.0.1.1

filter url http 0 0 0 0

filter url except 10.0.2.54 255.255.255.255 0 0

Using Websense, the following example filters all outbound HTTP connections except those from the 10.0.2.54 host: 

url-server (perimeter) vendor websense host 10.0.1.1

filter url http 0 0 0 0

filter url except 10.0.2.54 255.255.255.255 0 0

The following is sample output from the show url-server stats command: 

pixfirewall# show url-server stats

URL Server Statistics: 

---------------------- 

Vendor websense 

HTTPs total/allowed/denied 0/0/0 

HTTPSs total/allowed/denied 0/0/0 

FTPs total/allowed/denied 0/0/0 

URL Server Status: 

------------------ 

172.23.58.103 UP 

URL Packets Send and Recieve Stats: 

------------------------------------ 

Message Send Recieve 

STATUS_REQUEST 200 200 

LOOKUP_REQUEST 10 10 

LOG_REQUEST 20 NA

Related Commands

aaa authorization

filter

show

username

Sets the username for the specified privilege level.

username username {[{nopassword | password password} [encrypted]] [privilege level]}

no username username

clear username

show username username

Syntax Description

username

Specifies the name of a specific user in the local PIX Firewall authentication database.


Command Modes

Configuration mode.

Usage Guidelines

The local PIX Firewall user authentication database consists of the users entered with the username command. The PIX Firewall login command uses this database for authentication.

The show username username command displays users entered in the local PIX Firewall user authentication database.

Related Commands

login

privilege

virtual

Access the PIX Firewall virtual server.

virtual http ip_address [warn]

virtual telnet ip_address

Syntax Description

ip_address

For outbound use, ip_address must be an address routed to the PIX Firewall. Use an RFC 1918 address that is not in use on any interface.

For inbound use, ip_address must be an unused global address. An access-list and static command pair must provide access to ip_address, as well as an aaa accounting authentication command statement. See the "Examples" section for more information.

For example, if an inside client at 192.168.0.100 has a default gateway set to the inside interface of the PIX Firewall at 192.168.0.1, the ip_address can be any IP address not in use on that segment (such as 10.2.3.4). As another example, if the inside client at 192.168.0.100 has a default gateway other than the PIX Firewall (such as a router at 192.168.0.254), then the ip_address would need to be set to a value that would get statically routed to the PIX Firewall. This might be accomplished by using a value of 10.0.0.1 for the ip_address, then on the client, setting the PIX Firewall at 192.168.0.1 as the route to host 10.0.0.1.

warn

Let virtual http command users know that the command was redirected. This option is only applicable for text-based browsers where the redirect cannot happen automatically.


Command Modes

Configuration mode.

Usage Guidelines

The virtual http command lets web browsers work correctly with the PIX Firewall aaa command. The aaa command assumes that the AAA server database is shared with a web server. PIX Firewall automatically provides the AAA server and web server with the same information. The virtual http command works with the aaa command to authenticate the user, separate the AAA server information from the web client's URL request, and direct the web client to the web server. Use the show virtual http command to list commands in the configuration. Use the no virtual http command to disable its use.

The virtual http command works by redirecting the web browser's initial connection to the ip_address, which resides in the PIX Firewall, authenticating the user, then redirecting the browser back to the URL which the user originally requested. This mechanism comprises the PIX Firewall unit's new virtual server feature. The reason this command is named as it is, is because the virtual http command accesses the virtual server for use with HTTP, another name for the Web. This command is especially useful for PIX Firewall interoperability with Microsoft IIS, but is useful for other authentication servers.

When using HTTP authentication to a site running Microsoft IIS that has "Basic text authentication" or "NT Challenge" enabled, users may be denied access from the Microsoft IIS server. This occurs because the browser appends the string: "Authorization: Basic=Uuhjksdkfhk==" to the HTTP GET commands. This string contains the PIX Firewall authentication credentials.

Windows NT Microsoft IIS servers respond to the credentials and assume that a Windows NT user is trying to access privileged pages on the server.  Unless the PIX Firewall username password combination is exactly the same as a valid Windows NT username and password combination on the Microsoft IIS server, the HTTP GET command is denied.

To solve this problem, PIX Firewall provides the virtual http command which redirects the browser's initial connection to another IP address, authenticates the user, then redirects the browser back to the URL which the user originally requested.

Once authenticated, a user never has to reauthenticate no matter how low the PIX Firewall uauth timeout is set.  This is because the browser caches the "Authorization: Basic=Uuhjksdkfhk==" string in every subsequent connection to that particular site. This can only be cleared when the user exits all instances of Netscape Navigator or Internet Explorer and restarts.  Flushing the cache is of no use.

If you want double authentication through the authentication and web browser, configure the authentication server to not accept anonymous connections.

Note Do not set the timeout uauth duration to 0 seconds when using the virtual command because this will prevent HTTP connections to the real web server.

For both the virtual http and virtual telnet commands, if the connection is started on either an outside or perimeter interface, a static and access-list command pair is required for the fictitious IP address.

The virtual telnet command allows the Virtual Telnet server to provide a way to pre-authenticate users who require connections through the PIX Firewall using services or protocols that do not support authentication.

The virtual telnet command can be used both to log in and log out of the PIX Firewall. When an unauthenticated user Telnets to the virtual IP address, they are challenged for their username and password, and then authenticated with the TACACS+ or RADIUS server. Once authenticated, they see the message "Authentication Successful" and their authentication credentials are cached in the PIX Firewall for the duration of the uauth timeout.

If a user wishes to log out and clear their entry in the PIX Firewall uauth cache, the user can again Telnet to the virtual address. The user is prompted for their username and password, the PIX Firewall removes the associated credentials from the uauth cache, and the user will receive a "Logout Successful" message.

If inbound users on either the perimeter or outside interfaces need access to the Virtual Telnet server, a static and access-list command pair must accompany use of the virtual telnet command.

The Virtual Telnet server provides a way to pre-authenticate users who require connections through the PIX Firewall using services or protocols that do not support authentication. Users first connect to the Virtual Telnet server IP address, where the user is prompted for a username and password.

Examples

virtual http—The following example shows the commands required to use the virtual http command for an inbound connection: 

static (inside, outside) 209.165.201.1 209.165.201.1 netmask 255.255.255.255

access-list acl_out permit tcp any host 209.165.201.1 eq 80 

access-group acl_out in interface outside

aaa authentication include any inbound 209.165.201.1 255.255.255.255 0 0 tacacs+

virtual http 209.165.201.1

This configuration uses an identity static, where both the global IP address and the local address in the static command is the IP address of the virtual server.

The next example is sample output from the show virtual command: 

show virtual http

virtual http 209.165.201.1

virtual telnet—After adding the virtual telnet command to the configuration and writing the configuration to Flash memory, users wanting to start PPTP sessions through PIX Firewall use Telnet to access the ip_address as shown in the following example:

On the PIX Firewall: 

virtual telnet 209.165.201.25

static (inside, outside) 209.165.201.25 209.165.201.25 netmask 255.255.255.255

access-list acl_out permit tcp any host 209.165.201.25 eq telnet 

access-group acl_out in interface outside

write memory

This configuration uses an identity static, where both the global IP address and the local address in the static command is the IP address of the virtual server.

On an inside host: 

/unix/host%telnet 209.165.201.30

Trying 209.165.201.25...

Connected to 209.165.201.25.

Escape character is `^]'.


username: username


TACACS+ Password: password


Authentication Successful


Connection closed by foreign host.

/unix/host%

The username and password are those for the user on the TACACS+ server.

vpdn

Configure Virtual Private Dial-up Networking using the L2TP, PPTP, or PPPoE.

vpdn group group_name [[accept dialin pptp | l2tp] | request dialout pppoe] | [ ppp authentication pap|chap|mschap] | [ppp encryption mppe 40 | 128| auto [required]] | [ client configuration address local address_pool_name ] | [client configuration dns dns_ip1 [dns_ip2]] | [ client configuration wins wins_ip1 [wins_ip2]] | [client authentication local | aaa auth_aaa_group] | [ client accounting acct_aaa_group] | [pptp echo echo_time] | [ l2tp tunnel hello hello_time]

vpdn username name password passwd [store-local]

vpdn enable if_name

show vpdn tunnel [l2tp|pptp|pppoe] [id tnl_id | packets | state | summary | transport]

show vpdn session [l2tp|pptp|pppoe] [id sess_id | packets | state| window]

show vpdn pppinterface [id dev_id]

show vpdn group [group_name]

show vpdn username [user_name]

clear vpdn [group | interface| tunnel tnl_id | username]

Syntax Description

accept dialin pptp|l2tp pptp

Accept a dial-in request using PPTP or L2TP.

all

[clear command only]—Removes all L2TP or PPTP tunnels from the configuration.

client accounting aaa-server-group

Specifies the AAA server group for accounting. The accounting AAA server group can be different from the AAA server group for user authentication.

client authentication aaa aaa_server_group

Specifies the AAA server group for user authentication.

client authentication local

Authenticate using the local username and password entries you specify in the PIX Firewall configuration.

client configuration address local address_pool_name

Specifies the local address pool used to allocate an IP address to a client. Use the ip local pool command to specify the IP addresses for use by the clients.

client configuration dns dns_server_ip1 [dns_server_ip2]

Specifies up to two DNS server IP addresses. If set, the PIX Firewall sends this information to the Windows client during the IPCP phase of PPP negotiation.

client configuration wins wins_server_ip1 [wins_server_ip2]

Specifies up to two WINS server IP addresses.

enable if_name

Enable the VPDN function on a PIX Firewall interface. Specifies the interface in if_name where L2TP or PPTP traffic is received. Only inbound connections are supported.

group

[clear command only]—Removes all vpdn group commands from the configuration.

group group_name

Specifies the VPDN group name. The VPDN group_name is an ASCII string to denote a VPDN group. You can make up the name. The maximum length is 63 characters.

id

Identify tunnel or session.

id session_id

Unique session identifier.

id tnl_id

Unique tunnel identifier.

l2tp | pptp | pppoe

Select either l2tp, pptp, or pppoe to display information for only that tunnel type.

l2tp tunnel hello hello_timeout

Specifies L2TP tunnel keep-alive hello timeout value in seconds. Default is 60 seconds if not specified. The value can be between10 to 300 seconds.

localname username

Assigns a name to the group for PPPoE use. This is also the name in the vpdn username command.

packets

Packet and byte count.

passwd

Specifies the password for the local group used for PPPoE.

password

Specifies local user password.

ppp authentication PAP | CHAP | MSCHAP

Specifies the Point-to-Point Protocol (PPP) authentication protocol. The Windows client dial-up networking settings lets you specify what authentication protocol to use (PAP, CHAP, or MS-CHAP). Whatever you specify on the client must match the setting you use on the PIX Firewall. Password Authentication Protocol (PAP) lets PPP peers authenticate each other. PAP passes the host name or username in clear text. Challenge Handshake Authentication Protocol (CHAP) lets PPP peers prevent unauthorized access through interaction with an access server. MS-CHAP is a Microsoft derivation of CHAP. PIX Firewall supports MS-CHAP Version 1 only (not Version 2.0).

If an authentication protocol is not specified on the host, do not specify the ppp authentication option in your configuration.

ppp encryption mppe 40 | 128 | auto [required]

Specifies the number of session key bits used for MPPE (Microsoft Point-to-Point Encryption) negotiation. The domestic version of the Windows client can support 40- and 128-bit session keys, but international version of the Windows client only supports 40-bit session keys. On the PIX Firewall, use auto to accommodate both. Use required to indicate that MPPE must be negotiated or the connection will be terminated.

pppinterface id intf_id

A PPP virtual interface is created for each PPTP or PPPoE tunnel.

pptp echo echo_timeout

Specifies the PPTP keep-alive echo timeout value in seconds. PIX Firewall terminates a tunnel if an echo reply is not received within the timeout period you specify.

request dialout pppoe

Specifies to allow dialout PPPoE requests.

state

Session state.

store-local

Store in local Flash memory instead of using external configuration.

summary

Tunnel summary information.

transport

Tunnel transport information.

tunnel

[clear command only]—Removes one or more L2TP or PPTP tunnels from the configuration.

tunnel tnl_id

[clear command only]—Removes PPTP tunnels from the configuration that match tnl_id. You can view the tunnel IDs with the show vpdn tunnel command.

username name

Enter or display local username. However, when used as a clear command option, username removes all vpdn username commands from the configuration.

window

Window information.


Command Modes

Configuration mode.

Usage Guidelines

Virtual Private Dial-up Networking (VPDN) is used to provide long distance, point-to-point connections between remote dial-in users and a private network. VDPN uses Layer 2 tunnelling technologies (L2TP, PPTP, and PPPOE) to establish dial-up networking connections from the remote user to the private network across a public network.

Point-to-Point Tunneling Protocol (PPTP) is a Layer 2 protocol that tunnels the IP protocol. (For more details on PPTP, see RFC 2637, which describes the PPTP protocol.)

L2TP supports PPP by managing communications transactions. (There is a one-to-one relationship between a PPP connection and L2TP session.)

PPPOE is the Point-to-Point Protocol (PPP) over Ethernet. PPP is designed to work with network layer protocols such as IP, IPX, and ARA. PPP also has CHAP and PAP as built-in security mechanisms.

The vpdn command implements the L2TP, PPTP, and PPPoE features for the inbound connections. Refer to the Cisco PIX Firewall and VPN Configuration Guide for L2TP, PPTP, and PPPOE configuration examples.

Note The PIX Firewall is a PPTP and L2TP Server and a PPPoE client.

The show vpdn tunnel and show vpdn session commands display tunnel and session information (respectively) for LT2P (l2tp), PPTP (pptp), and PPPOE (pppoe). If you want to display information for only one protocol, use the option for that protocol. For example, the show vpdn session pppoe command displays session information for PPPOE sessions only.

The clear vpdn command removes all vpdn commands from the configuration and stops all the active PPTP, L2TP, and PPPoE tunnels. The clear vpdn all command lets you remove all tunnels, and the clear vpdn id tnl_id command lets you remove tunnels associated with tnl_id. (You can view the tnl_id with the show vpdn command.) The clear vpdn group command removes all the v