CiscoWorks Management Center for Firewalls

Supported Devices, OS Versions and Commands for Management Center for Firewalls 1.3.4


Revised: September 16, 2005

This document includes:

Supported Devices

Support for PIX Firewall and Firewall Services Module CLI Commands

Summary of Commands Not Supported

Supported Devices

Table 1 lists the devices supported by Management Center for Firewalls 1.3.4.

Table 1 Devices

Series: Cisco PIX Firewall Series
Devices Supported: PIX 501, PIX 506, PIX 506E, PIX 515, PIX 515E, PIX 525, PIX 535
Software: PIX OS Version: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.2, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.3, 6.3.1, 6.3.2, 6.3.3, 6.3.4.

Series: FWSM
Devices Supported: N/A
Software: FWSM OS Version: 1.1.1, 1.1.2, 1.1.3, 1.1.4, 2.1.0, 2.1.1, 2.2, 2.2.1, 2.3., 2.3.2.


Support for PIX Firewall and Firewall Services Module CLI Commands

PIX Firewall and Firewall Services Module (FWSM) CLI commands receive different levels of support from Firewall MC 1.3.4. You should fully understand the level of support that each command receives from Firewall MC; this understanding enables you to use commands or command combinations in PIX Firewall and FWSM configuration files so that import operations and deployment jobs succeed.

The levels of support provided by Firewall MC are:

Supported—Firewall MC fully supports the command. It can import and deploy a configuration with the command.

Unsupported—Firewall MC does not support the command. Based on the value of the Action on Unknown commands setting (Configuration > MC Settings > Management), Firewall MC generates an error or places the command as an ending command.

Error—Commands in this category can interact unpredictably with Firewall MC features that may be configured in the user interface. If a command in this category appears in a configuration during import or during deploy to device, Firewall MC generates an error and the import fails.

Ignored—Commands in this category do not interact with features configured in the Firewall MC user interface. These commands are copied verbatim during import as an ending command.

Discarded—Commands in this category are discarded upon import.

Deprecated—Commands in this category are supported in beginning and ending commands, but can result in overlapping commands with unexpected results. These commands have been outdated by newer CLI constructs and might become obsolete in future versions of CLI. We recommend that you not use deprecated commands.

Not Used—The command is not designed for use with a particular platform.


Note To access ending commands, select Configuration > Device Settings > Configuring Additions > Ending Commands.


Command descriptions shown in Table 2 use these conventions:

Braces ({ }) indicate a required choice.

Square brackets ([ ]) indicate optional elements.

Vertical bars ( | ) separate alternative, mutually exclusive elements.

Table 2 Firewall MC 1.3.4 CLI Commands Support Status 

Columns: Command Reference, CLI Commands, Supported, Unsupported, Error, Ignored, Discarded, Not Used

aaa accounting

aaa accounting include | exclude acctg_service inbound | outbound | interface_name local_ip local_mask foreign_ip foreign_mask group_tag

Note Include and exclude are not supported, but can be manually converted to an ACL.

PIX Firewall: Error
FWSM: Error

aaa accounting match acl_name inbound | outbound | interface_name group_tag

PIX Firewall: Supported
FWSM: Supported

aaa authentication

aaa authentication include | exclude authen_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag

Note Include and exclude are not supported, but can be manually converted to an ACL.

PIX Firewall: Error
FWSM: Error

aaa authentication match acl_name inbound | outbound | interface_name group_tag

PIX Firewall: Supported
FWSM: Supported

[no] aaa authentication secure-http-client

PIX Firewall: Not Used
FWSM: Supported

aaa authentication [serial | enable | telnet | ssh | http] console group_tag [LOCAL]

PIX Firewall: Supported
FWSM: Supported

aaa authentication secure-http-client

PIX Firewall: Supported
FWSM: Supported

aaa authorization

aaa authorization command {LOCAL | tacacs_server_tag} [LOCAL]

PIX Firewall: Unsupported
FWSM: Unsupported

aaa authorization include | exclude author_service inbound | outbound | interface_name local_ip local_mask foreign_ip foreign_mask

Note Include and exclude are not supported, but can be manually converted to an ACL.

PIX Firewall: Error
FWSM: Error

aaa authorization match acl_name inbound | outbound | interface_name group_tag

PIX Firewall: Supported
FWSM: Supported

aaa mac-exempt

aaa mac-exempt match id

PIX Firewall: Unsupported
FWSM: Unsupported

aaa proxy-limit

aaa proxy-limit proxy limit | disable

PIX Firewall: Unsupported
FWSM: Unsupported

aaa-server

aaa-server group_tag (interface_name) host server_ip key timeout seconds

PIX Firewall: Supported
FWSM: Supported

aaa-server group_tag protocol auth_protocol

PIX Firewall: Supported
FWSM: Supported

aaa-server radius-acctport port

PIX Firewall: Unsupported
FWSM: Unsupported

aaa-server radius-authport port

PIX Firewall: Unsupported
FWSM: Unsupported

debug radius session

PIX Firewall: Discarded
FWSM: Discarded

[no] aaa-server <tag> max-failed-attempts <tries>

PIX Firewall: Supported
FWSM: Supported

[no] aaa-server <tag> deadtime <deadtimeout>

PIX Firewall: Supported
FWSM: Supported

access-group

access-group acl_ID in interface interface_name

PIX Firewall: Supported
FWSM: Supported

[no] access-group access-list in interface interface_name [per-user-override]

PIX Firewall: Error
FWSM: Not Used

access-list

Note The optional line number arguments are not supported. These arguments will never appear in show config; they are used as an active command to allow you to edit the ACLs inline.

access-listacl_ID ] compiled

Note Once defined, it is applied globally.

PIX Firewall: Supported
FWSM: Supported

access-list deny-flow-max n

PIX Firewall: Supported
FWSM: Supported

access-list alert-interval secs

PIX Firewall: Supported
FWSM: Supported

access-list id [deny | permit ] icmp {source_addr | local_addr} {source_mask | local_mask} {destination_addr | remote_addr} {destination_mask | remote_mask } icmp_type

PIX Firewall: Supported
FWSM: Not Used

access-list iddeny | permit ] icmp host sip | sip smask | object-group network_obj_grp_id dip dmask | object-group network_obj_grp_id icmp_type | object-group icmp_type_obj_grp_id ] [ log [ disable ] | [ level ] | [ default ] [ interval secs ]]

PIX Firewall: Not Used
FWSM: Supported

access-list id {deny | permit} icmp {source_addr | local_addr} {source_mask | local_mask} | interface interface_name | object-group network_obj_grp_id {destination_addr | remote_addr} {destination_mask | remote_mask} | interface interface_name | object-group network_obj_grp_id [icmp_type | object-group icmp_type_obj_grp_id] [log [[disable | default] | [level]]] [interval secs]]

Note The interface argument is not supported and results in an error during import.

PIX Firewall: Supported
FWSM: Not Used

access-list acl_IDdeny | permit } protocol {source_addr | local_addr} {source_mask | local_mask}[operator port [port] { destination_addr | remote_addr } { destination_mask | remote_mask } [ operator port  port ]

PIX Firewall: Supported
FWSM: Not Used

access-list id {deny | permit}{protocol | object-group protocol_obj_grp_id {source_addr | local_addr} {source_mask | local_mask} | object-group network_obj_grp_id [operator port [port] | interface interface_name | object-group service_obj_grp_id] {destination_addr | remote_addr} {destination_mask | remote_mask} object-group network_obj_grp_id [operator port [port] | object-group service_obj_grp_id]} [log [[disable | default] | [level]]] [interval secs]]

Note The interface argument is not supported and results in an error during import.

PIX Firewall: Supported
FWSM: Not Used

access-list id deny|permit {any | <ip> <mask>}

PIX Firewall: Not Used
FWSM: Unsupported

access-list id extended deny  | permit protocolobject-group protocol_obj_grp_id host sip | sip smask | object-group network_obj_grp_id operator <port> [<port>] | object-group service_obj_grp_id dip dmask | object-group network_obj_grp_id [ operator <port> [ <port> ] | object-group service_obj_grp_id ] [ logdisable ] | [ level ] | [ default ] [ interval secs ]]

PIX Firewall: Not Used
FWSM: Supported

access-list id remark text

Note This command is discarded on import. Your annotations will be lost; however, the import will succeed.

PIX Firewall: Discarded
FWSM: Discarded

debug access-list all | standard | turbo

PIX Firewall: Discarded
FWSM: Discarded

access-list id object-group-search

Note This command might not be added to the epilog in Firewall MC because Firewall MC could modify the ACL name during deployment. If the object-group-search command is in the epilog, its ACL name might not match the one that Firewall MC deploys.

PIX Firewall: Discarded
FWSM: Not Used

access-list mode auto-commit|manual-commit

Note Firewall MC automatically generates this command during deployment.

PIX Firewall: Not Used
FWSM: Discarded

access-list commit

PIX Firewall: Discarded
FWSM: Discarded

activation-key

activation-key activation-key-four-tuple

PIX Firewall: Discarded
FWSM: Discarded

admin-context

admin-context admin-context-name

PIX Firewall: Not Used
FWSM: Unsupported

alias

alias [(interface_name) ] dnat_ip foreign_ip netmask ]

PIX Firewall: Unsupported
FWSM: Unsupported, Error (L2)

allocate-interface

[no] allocate-interface vlan number-vlan number ] [ context_alias -context_alias]]

PIX Firewall: Not Used
FWSM: Unsupported

area

[no] area area_id {authentication [message-digest]} | { default-cost cost } | { filter-list prefixprefix_list_name in | out }} | { range ip_address netmaskadvertise | not-advertise ]}

PIX Firewall: Unsupported
FWSM: Unsupported

[no] area area_id nssano-redistribution ] [ default-information-originate [metric-type 1 | ] [ metric metric_value ]] [ no-summary ]

PIX Firewall: Unsupported
FWSM: Unsupported

area area_id stubno-summary ]

PIX Firewall: Unsupported
FWSM: Unsupported

[no] area area_idvirtual-link router_id } [authenticationmessage-digest  | null ]] [ hello-interval seconds ] [ retransmit-interval seconds ] [ transmit-delay seconds ] [ dead-interval seconds ] [ authentication-key password ] [ message-digest-key id md5 password ]

PIX Firewall: Unsupported
FWSM: Unsupported

arp

arp interface_name ip_address mac_address [ alias ]

PIX Firewall: Ignored
FWSM: Ignored

arp timeout seconds

PIX Firewall: Ignored
FWSM: Ignored

arp-inspection

[no] arp-inspection

PIX Firewall: Not Used
FWSM: Ignored

auth-prompt

auth-prompt [ accept | reject | prompt ] string

PIX Firewall: Supported
FWSM: Supported

auto-update

auto-update device-id hardware-serial | hostname | ipaddressinterface_name ] | mac-addressinterface_name ] string text

PIX Firewall: Supported
FWSM: Not Used

auto-update poll-period poll_period retry_countretry_period ]]

PIX Firewall: Supported
FWSM: Not Used

auto-update server urlverify_certificate ]

PIX Firewall: Supported
FWSM: Not Used

auto-update timeout period

PIX Firewall: Supported
FWSM: Not Used

banner

banner {exec | login | motd} text

PIX Firewall: Ignored
FWSM: Ignored

ca

ca authenticate ca_nicknamefingerprint ]

PIX Firewall: Ignored
FWSM: Ignored

ca configure ca_nickname ca | ra retry_period retry_countcrloptional ]

PIX Firewall: Ignored
FWSM: Ignored

ca crl request ca_nickname

PIX Firewall: Ignored
FWSM: Ignored

ca enroll ca_nickname challenge_passwordserial] [ ipaddress ]

PIX Firewall: Ignored
FWSM: Ignored

ca generate rsakey | specialkey} key_modulus_size

PIX Firewall: Ignored
FWSM: Ignored

ca identity ca_nickname ca_ipaddress:ca_script_location ] [ ldap_ip address ]

PIX Firewall: Ignored
FWSM: Ignored

ca save all

PIX Firewall: Ignored
FWSM: Ignored

ca subject-name ca_nickname X.500_string

PIX Firewall: Ignored
FWSM: Ignored

ca verifycertdn X.500_string

PIX Firewall: Ignored
FWSM: Ignored

ca zeroize rsa keypair_name ]

PIX Firewall: Ignored
FWSM: Ignored

ca generate rsa key

ca generate rsa key modulus

PIX Firewall: Ignored
FWSM: Not Used

capture

capture capture_nameaccess-list acl_name ][ buffer bytes ] [ ethernet-type type ][ interface name ] [ packet-length bytes ] [ circular-buffer ]

PIX Firewall: Discarded
FWSM: Discarded

cd

cddisk: ] [ path ]

PIX Firewall: Not Used
FWSM: Discarded

changeto

changeto {system | context name}

PIX Firewall: Not Used
FWSM: Discarded

class

[no] class name

PIX Firewall: Not Used
FWSM: Unsupported

clear

clear file configuration | pdm | pki

PIX Firewall: Discarded
FWSM: Discarded

clock

clock set hh:mm:ss {day month | month day} year

PIX Firewall: Discarded
FWSM: Not Used

clock summer-time zone recurringweek weekday month hh:mm week weekday month hh:mm ] [ offset ]

PIX Firewall: Ignored
FWSM: Not Used

clock summer-time zone dateday month month day } year hh:mm day month | month day } year hh:mmoffset ]

PIX Firewall: Ignored
FWSM: Not Used

clock timezone zone hoursminutes ]

PIX Firewall: Unsupported
FWSM: Not Used

conduit

Note Conduits rely on the converter tool to translate conduits and outbounds to access-list commands. Otherwise, errors result during import.

conduit { permit | deny } protocol global_ip global_maskoperator port port ]] foreign_ip foreign_maskoperator port  [ port ]]

PIX Firewall: Error
FWSM: Error

conduit permit | deny icmp global_ip global_mask foreign_ip foreign_mask [icmp_type]

PIX Firewall: Error
FWSM: Error

conduit deny | permit protocol | object-group protocol_obj_grp_id global_ip global_mask | object-group network_obj_grp_id [operator port [port] | object-group service_obj_grp_id] foreign_ip foreign_mask | object-group network_obj_grp_id [operator port [port] | object-group service_obj_grp_id]

PIX Firewall: Error
FWSM: Error

conduit deny | permit icmp global_ip global_mask | object-group network_obj_grp_id foreign_ip foreign_mask | object-group network_obj_grp_id [icmp_type | object-group icmp_type_obj_grp_id]

PIX Firewall: Error
FWSM: Error

compatible rfc1583

[no] compatible rfc1583

PIX Firewall: Unsupported
FWSM: Unsupported

configure

configure factory-default [inside_ip_address [address_mask]]

Note Applies to PIX 501 and PIX 506/506E only.

PIX Firewall: Discarded
FWSM: Not Used

configure floppy

Note Applies only to older PIX Firewalls that have a floppy drive.

PIX Firewall: Discarded
FWSM: Not Used

configure http[s] :// [user:password@] location [ :port ] / http_pathname

PIX Firewall: Discarded
FWSM: Discarded

configure memory

PIX Firewall: Discarded
FWSM: Discarded

configure net [[server_ip]:[filename]]

PIX Firewall: Discarded
FWSM: Discarded

configure terminal

PIX Firewall: Discarded
FWSM: Discarded

config-url

[no] config-url url

PIX Firewall: Not Used
FWSM: Unsupported

console timeout

console timeout number

PIX Firewall: Supported
FWSM: Supported

context

[no] context name

PIX Firewall: Not Used
FWSM: Unsupported

copy

copy capture: capture_name tftp://location/pathpcap ]

PIX Firewall: Discarded
FWSM: Discarded

copy disk: [ path ]  tftp [:[[ //location ][ /pathname ]]]

copy disk: [ path ]  disk:[ path ]

copy disk: [ path ] flash[:[ image | pdm ]]

copy disk: [ path ] [ startup-config  | running-config ]

copydisk: [ path ftp:// user :password ]@location/pathname ;type=xx ]

PIX Firewall: Not Used
FWSM: Discarded

copy flash [:[ image | pdm ]] tftp [:[[ //location ][ /pathname ]]]

copy flash :[ image | pdm ]] disk: [ path ]

PIX Firewall: Not Used
FWSM: Discarded

copy http[s]://user:password@] location [:port ] / http_pathname flash [: [ image | pdm] ]

PIX Firewall: Discarded
FWSM: Discarded

copy running-config startup-config

PIX Firewall: Not Used
FWSM: Discarded

copystartup-config | running-config ] disk: [path]

copy startup-config running-config

copystartup-config | running-config ] tftp[:[[//location][/pathname]]]

PIX Firewall: Not Used
FWSM: Discarded

copy tftp[:[[//location] [/tftp_pathname]]] flash[:[image | pdm]]

PIX Firewall: Discarded
FWSM: Discarded

crashinfo

crashinfo test

PIX Firewall: Discarded
FWSM: Discarded

crashinfo force [page-fault | watchdog]

PIX Firewall: Discarded
FWSM: Discarded

crashinfo save [enable | disable]

PIX Firewall: Ignored
FWSM: Ignored

crypto dynamic-map

[no] crypto dynamic-map dynamic-map-name dynamic-seq-num subcommand

PIX Firewall: Not Used
FWSM: Unsupported

[no] crypto dynamic-map dynamic-map-name dynamic-seq-num match address acl_name

PIX Firewall: Supported
FWSM: Not Used

crypto dynamic-map dynamic-map-name dynamic-seq-num set peer hostname | ip-address

PIX Firewall: Supported
FWSM: Not Used

crypto dynamic-map dynamic-map-name dynamic-seq-num set pfsgroup1 | group2 group5 ]

PIX Firewall: Supported
FWSM: Not Used

crypto dynamic-map dynamic-map-name dynamic-seq-num set security-association lifetime seconds seconds | kilobytes kilobytes

PIX Firewall: Supported
FWSM: Not Used

crypto dynamic-map dynamic-map-name dynamic-seq-num set transform-set transform-set-name1 [ transform-set-name9 ]

PIX Firewall: Supported
FWSM: Not Used

crypto ipsec

crypto ipsec security-association lifetime seconds seconds | kilobytes kilobytes

PIX Firewall: Supported
FWSM: Unsupported

crypto ipsec transform-set transform-set-name transform1 [transform2 [ transform3 ]]

PIX Firewall: Supported
FWSM: Not Used

crypto ipsec transform-set transform-set-name mode transport

PIX Firewall: Supported
FWSM: Not Used

[no] crypto ipsec transform-set transform-set-name {{ transform1 [transform2 [transform3]]} | mode transport }

PIX Firewall: Not Used
FWSM: Unsupported

crypto ipsec transform-set transform-set-name [ah-md5-hmac | ah-sha-hmac] [esp-aes | esp-aes-192 | esp-aes-256 | esp-des | esp-3des | esp-null] [esp-md5-hmac | esp-sha-hmac]

PIX Firewall: Not Used
FWSM: Unsupported

crypto map

crypto map map-name client [token] authentication aaa-server-name [LOCAL]

PIX Firewall: Supported
FWSM: Unsupported

crypto map map-name client configuration address initiate | respond

PIX Firewall: Supported
FWSM: Unsupported

 

crypto map map-name interface interface-name

PIX Firewall

X

    &