Command Reference

Table Of Contents

Command Reference

Introduction

Help Information

Comments

Abbreviating Commands

"Type `?' for a list of commands" Message

Version 4 Command Changes

Access Modes

aaa authentication

aaa authorization

age

alias

apply

arp

arp timeout

clear

clear apply

clear arp

clear http

clear lnkopath

clear names

clear mailhost

clear outbound

clear radius-server

clear route

clear snmp-server

clear static

clear syslog

clear tacacs-server

clear telnet

clear uauth

conduit

configure floppy

configure memory

configure terminal

disable

enable

enable password

established

failover

global

groom

help

hostname

http

interface ethernet

interface token

ip address

kill

link

linkpath

lnko

lnkopath

mailhost

mtu

name

names

nat

no

no aaa authentication

no aaa authorization

no alias

no apply

no arp

no conduit

no established

no failover

no global

no http

no link

no linkpath

no lnko

no lnkopath

no mailhost

no mtu

no name

no names

no nat

no outbound

no radius-server

no rip

no route

no session

no snmp-server

no static

no syslog

no tacacs-server

no telnet

outbound

passwd

ping

radius-server host

reload

rip

route

session

show

show aaa

show actkey

show age

show alias

show apply

show arp

show arp timeout

show blocks

show conduit

show configure

show conn

show established

show failover

show global

show http

show hw

show interface

show ip address

show link

show linkpath

show lnko

show lnkopath

show mailhost

show memory

show mtu

show nat

show outbound

show passwd

show processes

show rip

show route

show session

show snmp-server

show static

show syslog

show telnet

show timeout

show uauth

show version

show who

show xlate

snmp-server

static

syslog console

syslog host

syslog output

tacacs-server host

telnet

timeout

who

write erase

write floppy

write memory

write terminal


Command Reference


Configure PIX Firewall using the commands that follow. You can enter commands from your console computer or terminal, or through Telnet or the HTML management interface.

Introduction

This chapter describes how to use each command. For configuring by feature, refer to the previous chapter. The sections that follow before the command reference provide information to help you while configuring your firewall.

Help Information

Help information is available by entering a question mark by itself for a listing of all commands, or with a command for command syntax. For example:

pixfirewall> int ?
usage: interface ethernet inside|outside 10baseT|100baseTX|auto|100full
       interface token-ring inside|outside 4Mbps|16Mbps

When you use the ? (help) command, 22 lines display and the listing pauses with the following prompt:

<--- More --->

The More prompt uses the same syntax as the UNIX more command:

To view another screenful, press the Space bar.

To view the next line, press the Enter key.

To return to the command line, press the q key.

Comments

You can add comments to your configuration by entering a colon (:) as the first command in a line. Use comments to improve configuration file readability or to make configuration file commands not executable.

Abbreviating Commands

You can abbreviate most commands down to the fewest unique characters for a command; for example, you can enter wr t to view the configuration instead of entering the full command write terminal, or you can enter en (enable) to start privileged mode and co t (configure terminal) to start configuration mode.

In addition, you can abbreviate 0.0.0.0 as 0.

"Type `?' for a list of commands" Message

To simplify the PIX Firewall interface, the "Type `?' for a list of commands" message displays for a variety of reasons:

Incorrect access mode—Ensure you are in configuration mode before entering configuration mode commands. From unprivileged mode, enter the enable command to start privileged mode. From privileged mode, enter config terminal to start configuration mode.

Incorrect number of parameters—Enter the help command. If the command you want to use is not listed, you are in the wrong access mode; refer to the previous item for how to change modes. If you are in the correct mode, enter the first part of the command followed by a question mark, for example:

pixfirewall(config)# hostname ?
usage: hostname <newname>

Incorrect abbreviations—Try the command again with more characters or the full command. Use the help or command ? commands to view information.

Version 4 Command Changes

Between PIX Firewall version 3 and version 4, the following commands became obsolete:

Command             Replacement
auth                aaa authentication
auth-server         radius-server and tacacs-server
auth-user           aaa authentication
clear auth-server   no aaa authentication
clear auth-user     no aaa authentication
multimedia          established
no auth             no aaa authentication
no auth-server      no radius-server and no tacacs-server
no auth-user        no aaa authentication
show auth           show aaa authentication
show auth-server    show radius-server and show tacacs-server
show auth-user      show aaa authentication



Note   The auth, auth-server, and auth-user command variants have been removed from this chapter, but are summarized in Appendix A.


Access Modes

The PIX Firewall command interpreter provides a command set based on Cisco IOS technologies. This command set provides three administrator access modes:

Unprivileged mode displays the ">" prompt and lets you view current running settings.

Privileged mode displays the "#" prompt and lets you change current settings and write to flash memory. Any unprivileged command also works in privileged mode.

Configuration mode displays the "(config)#" prompt and lets you change system configurations. Only configuration mode commands work in this mode.

By default, the console is in unprivileged mode. You can access privileged mode by entering the enable command. PIX Firewall then prompts you for a password. Enter the default password cisco.

When you are done configuring PIX Firewall, change the password with the enable password command.


Note   Write down the new password and store it in a manner consistent with your site's security policy. Once you change this password, you cannot view it again. Also, ensure that all who access the PIX Firewall console are given this password.


Exit privileged mode by entering the disable command.

You can access configuration mode by entering the config command. You can then write your settings to flash memory, diskette, or to your console computer. Exit configuration mode by entering the ^z command.

aaa authentication

Enable access to Authentication, Authorization, and Accounting (AAA). (Configuration mode.)

aaa authentication service inbound|outbound ip_address netmask tacacs+|radius

Syntax Description

service

The service to be authenticated: any, ftp, http, or telnet. The any value specifies that FTP, HTTP, and Telnet connections are all authenticated. (HTTP authentication applies only to web browsers that can prompt for a user name and password.)

inbound

Authenticate inbound connections.

outbound

Authenticate outbound connections.

ip_address

IP address from which or to which access is authenticated. If you want every system in your network to authenticate to this type of server, use 0.0.0.0 for the IP address. You can specify a network IP address by entering zero in each octet of the host portion of the IP address; for example, for a class C address, code 0 in the last octet, such as 192.168.42.0. The 0.0.0.0 IP address can be abbreviated as 0.

netmask

Network mask of ip_address. Always specify a specific mask value. If you want to limit authentication to a single IP address, use 255 in each octet; for example, 255.255.255.255.

tacacs+

Authenticate using Terminal Access Controller Access Control System (TACACS+).

radius

Authenticate using Remote Authentication Dial-In User Service (RADIUS).


Usage Guidelines

For outside connections, a challenge prompt appears during FTP or Telnet sessions as defined by the type of authentication server.

Authorization notes:

1 When a host is configured for authentication, all users on the host have to use a web browser or Telnet first before performing any other networking activity, such as accessing mail or a news reader. The reason for this is that they must first establish their authentication credentials and programs such as mail agents and newsreaders do not have authentication challenge prompts.

2 PIX Firewall only accepts 7-bit characters during authentication. After authentication, the client and server can negotiate for 8-bits if required. During authentication, PIX Firewall only negotiates Go-Ahead, Echo, and NVT (network virtual terminal).

3 You can have up to 64 simultaneous authentication or authorization sessions. Up to 16 items are permitted in each list of authentication or authorization addresses. Up to 16 TACACS+ or RADIUS servers are permitted. When a user logs in, the servers are accessed top to bottom, until a server responds.

4 PIX Firewall permits only one authentication type per network. For example, if one network connects through the PIX Firewall using TACACS+ for authentication, another network connecting through the PIX Firewall can authenticate with RADIUS, but one network cannot authenticate with both TACACS+ and RADIUS.

5 PIX Firewall permits a user up to five chances to log in with Telnet and then if the user name or password still fails, PIX Firewall drops the connection. If a user enters an incorrect password in FTP or HTTP, the connection is dropped immediately.

6 PIX Firewall supports up to 127 characters in the user name and up to 63 in the password.

7 For the TACACS+ server, if you do not specify a key to the tacacs-server command, no encryption occurs.

8 Network browsers such as Netscape Navigator do not present a challenge value during authentication; therefore, only password authentication can be used from a network browser.

9 Some FTP graphical user interfaces (GUIs) do not display challenge values.

10 PIX Firewall does not support at signs (@) in an authentication user name or password. (See the next note for more information.)

11 If the user name or password on the authentication database differs from the user name or password on the remote host to which you are using FTP to access, enter the user name and password in these formats:

    authentication_user_name@remote_system_user_name
    authentication_password@remote_system_password

12 If you daisy-chain PIX Firewall units, Telnet authentication works in the same way as a single unit, but FTP and HTTP authentication have additional complexity for users because they have to enter each password and user name as shown in the last note with an additional at (@) sign and password or user name for each daisy-chained system. Users could exceed the 63-character password limit depending on how many units are daisy-chained and password length.

See also: no aaa authentication, show aaa authentication, aaa authorization, radius-server, tacacs-server.

Example

pixfirewall(config)# aaa authent ftp inb 10.0.0.1 255.255.255.255 tacacs+
pixfirewall(config)# 

aaa authorization

Set parameters that restrict a user's network access based on TACACS+ or RADIUS authentication. (Configuration mode.)

aaa authorization service inside|outside ip_address netmask

Syntax Description

service

Service to authorize: ftp, http, telnet, a port range, or any. Specify a TCP port or port range for FTP, HTTP, or Telnet services that are not on the standard ports for these services. The standard ports are 20 and 21 for FTP, 80 for HTTP, and 23 for Telnet.

inbound

Authorize on inbound connections.

outbound

Authorize on outbound connections.

ip_address

IP address from which or to which access is authorized. If you want every system in your network to authorize to this type of server, use 0.0.0.0 for the IP address. You can specify a network IP address by entering zero in each octet of the host portion of the IP address; for example, for a class C address, code 0 in the last octet, such as 192.168.42.0. The 0.0.0.0 IP address can be abbreviated as 0.

netmask

Network mask of ip_address. Always specify a specific mask value. If you want to limit authentication to a single IP address, use 255 in each octet; for example, 255.255.255.255.


Usage Guidelines

This command determines what service a host can use and what IP address it can access. Only use this command after the aaa authentication command, which determines whether users are authenticated with TACACS+ or RADIUS.

You cannot authorize FTP through a web browser's FTP support (for example, ftp://ftp.xxx.com) and expect the World Wide Web HTTP authentication screen to display. To enable authorization for web use, but not FTP, use these commands:

    aaa authorization http inside ip_address netmask
    aaa authorization telnet inside ip_address netmask

FTP authorization is only supported for command line FTP clients or ws_ftp (a Windows GUI-based FTP client).

See also: aaa authentication, radius-server, tacacs-server.

Example

pixfirewall(config)# aaa author ftp inb 192.168.42.0 10.0.0.0 255.255.255.255
pixfirewall(config)# 

age

Set Private Link key duration. (Configuration mode.)

age minutes

Syntax Description

minutes

Duration in minutes that a Private Link key is used to encrypt information on the connection. The maximum duration is 130000000 minutes (247 years).


Usage Guidelines

The age command specifies the length of time in minutes that a key is active over Private Link. Private Link supports up to seven keys that it selects sequentially to ensure additional security.


Note   Use the same link statements on either side of the Private Link to ensure that the keys are the same and in the same order on both sides of the link.

Private Link packet information tells the remote side what key number to use to decrypt the data. The aging duration can be different, as well as the system clocks themselves on either side of the link, but as long as you use the same link statements on both sides, all information decrypts correctly.


See also: link, show age.

Example

pixfirewall(config)# age 10
pixfirewall(config)# show age
Private Link Key Aging: 10 minutes
pixfirewall(config)# 

alias

Administer overlapping addresses with dual NAT. (Configuration mode.)

alias inside_net outside_net [netmask]

Syntax Description

inside_net

IP address on the inside network that is an alias for the outside_net address. This is a NIC-registered IP address assigned to a network on the inside of the firewall.

The inside and outside networks have to be of the same class—if inside_net is a class C, outside_net must also be class C, or use netmask to force it; for example,
alias 192.168.42.54 10.1.1.54 255.255.255.0

outside_net

IP address on the outside network. This is a NIC-registered address assigned to a site on the Internet.

netmask

Network mask applied to both inside_net and outside_net.


Usage Guidelines

The alias command translates one address into another. Use this command to prevent conflicts when you have IP addresses on a network that are the same as those on the Internet or another intranet.

Only use alias with a DNS entry to separate the traffic destined for an inside address from the same address on the outside network. The DNS entry should associate the domain name of the outside address (call it B) with a unique inside address (call it A), and the PIX Firewall should specify alias A B. Traffic destined for external B first goes to the DNS server, which resolves the domain name associated with B to A. The alias command then translates A back to B and presents it to the outside network. Traffic destined for internal B goes to B without any translation.

You can specify a net alias by using network addresses for the inside_net and outside_net IP addresses. For example, alias 204.31.17.0 10.1.1.0 255.255.255.0 creates aliases for each IP address between 204.31.17.1 and 204.31.17.254.

Clear an alias with the no alias command. View the alias statements in the configuration with show alias.

See also: no alias, show alias.

Example

In this example, a network uses IP address 192.9.200.33, which on the Internet belongs to oak.com. The PIX Firewall translates addresses to 204.31.17.0, but when inside clients try to access oak.com, the packets never even go to the firewall because the client thinks 192.9.200.33 is on the local inside segment. To correct this a net alias is created as follows:

pixfirewall(config)# alias 192.168.1.0 192.9.200.0
pixfirewall(config)# 

At the local DNS server, create a file called named.oak (use any name you want) for oak.com:

oak.com    IN    A    192.168.1.33

In the named.boot file, add an entry such as the following to have the authority for oak.com be taken from the named.oak file:

primary oak.com named.oak

When client 192.9.200.123 connects to oak.com the DNS response would be 192.168.1.33.

The packet goes to the PIX Firewall with SRC=192.9.200.123 and DST=192.168.88.33. The PIX Firewall translates to SRC=204.31.17.254 and DST=192.9.200.33 on the outside.
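The two rewrites described for the alias command, as an added model that is not PIX code: an address from the outside network B appearing in a DNS reply is returned to the inside client as the alias A, and a packet addressed to A is translated back to B on the way out. When no netmask is given the mask is derived from the address class, which is an assumption about how the same-class rule is applied; the nat/global translation of the source address is not modelled.

```python
"""Model of the PIX 'alias' command: dual NAT driven by a DNS entry.

Added illustration, not PIX code.  For 'alias A B' it reproduces the two
rewrites the alias section describes: an address in B's network found in a
DNS answer is rewritten to the inside alias A, and a packet whose
destination is in A's network is translated back to B as it leaves.  The
classful default mask is an assumption drawn from the same-class rule.
"""
import ipaddress


def ip_int(text):
    return int(ipaddress.IPv4Address(text))


def ip_str(value):
    return str(ipaddress.IPv4Address(value))


def classful_mask(ip):
    """Default mask for a class A, B or C address."""
    first_octet = ip_int(ip) >> 24
    if first_octet < 128:
        return "255.0.0.0"
    if first_octet < 192:
        return "255.255.0.0"
    return "255.255.255.0"


class AliasTable:
    """Holds alias statements as (inside_net, outside_net, mask) integers."""

    def __init__(self):
        self.entries = []

    def alias(self, inside_net, outside_net, netmask=None):
        """'alias inside_net outside_net [netmask]'."""
        if netmask is None:
            # Same-class rule: without a netmask both sides must be one class.
            if classful_mask(inside_net) != classful_mask(outside_net):
                raise ValueError("networks differ in class; give a netmask")
            netmask = classful_mask(inside_net)
        mask = ip_int(netmask)
        entry = (ip_int(inside_net) & mask, ip_int(outside_net) & mask, mask)
        self.entries.append(entry)

    def no_alias(self, inside_net, outside_net, netmask=None):
        """'no alias': remove the matching statement, if present."""
        mask = ip_int(netmask or classful_mask(inside_net))
        entry = (ip_int(inside_net) & mask, ip_int(outside_net) & mask, mask)
        self.entries = [e for e in self.entries if e != entry]

    def _rewrite(self, address, from_index, to_index):
        """Swap the network part between the two sides, keeping host bits."""
        value = ip_int(address)
        for entry in self.entries:
            mask = entry[2]
            if value & mask == entry[from_index]:
                host_bits = value & ~mask & 0xFFFFFFFF
                return ip_str(entry[to_index] | host_bits)
        return address  # not covered by any alias: unchanged

    def doctor_dns_answer(self, answer_ip):
        """A record for outside address B is handed to the inside client as A."""
        return self._rewrite(answer_ip, 1, 0)

    def translate_outbound_dst(self, dst_ip):
        """A packet sent to alias A leaves the firewall with destination B."""
        return self._rewrite(dst_ip, 0, 1)


if __name__ == "__main__":
    table = AliasTable()
    table.alias("192.168.1.0", "192.9.200.0")       # the page's net alias
    print(table.doctor_dns_answer("192.9.200.33"))    # 192.168.1.33
    print(table.translate_outbound_dst("192.168.1.33"))  # 192.9.200.33
    print(table.translate_outbound_dst("192.9.200.33"))  # internal B: unchanged
```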

apply

Apply outbound access list to an IP address. (Configuration mode.)

apply number outgoing_src|outgoing_dest

Syntax Description

number

An outbound access list identification number previously created with the outbound command.

outgoing_src

Applies the access list to the source address(es) of packets received on the inside interface. This allows security policies regarding access to outside services from specific inside systems to be implemented. For example, specify outgoing_src if you want to prevent an inside system using the web.

outgoing_dest

Applies the access list to the destination address(es) of packets received on the inside interface. This allows security policies regarding access to specific outside services and systems from the inside network to be implemented. For example, specify outgoing_dest to prevent inside systems from accessing a specific web site.


Usage Guidelines

The apply command applies the outbound list parameters to permit or deny access from an IP address in your inside network to an IP address in the outside network. Use outbound lists to permit or deny access to system ports.

Outbound lists have no effect on conduits which operate on inbound connections.

See also: clear apply, name, no apply, outbound, show apply, show outbound.

Example

The following commands prevent host 192.168.1.49 from accessing the World Wide Web (port 80).

pixfirewall(config)# outbound 11 deny 192.168.1.49 255.255.255.255 80
pixfirewall(config)# apply 11 outgoing_src

If your employees are spending too much time examining GIF images on a particular site with two web servers, you can use the following lines to restrict this access:

pixfirewall(config)# outbound 12 deny 192.168.146.201 255.255.255.255 80
pixfirewall(config)# outbound 12 deny 192.168.146.202 255.255.255.255 80
pixfirewall(config)# apply 12 outgoing_dest
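The two examples above, as an added model that is not PIX code: it reproduces the masked address comparison and port ranges of outbound entries and the choice between outgoing_src and outgoing_dest, so a rule set can be checked against constructed packets before it is typed on a unit. It assumes, since the page does not say, that a packet matching no entry of any applied list is permitted and that the first matching entry in a list decides.

```python
"""Model of PIX outbound lists and the apply command.

Added illustration, not PIX code.  Assumptions the page does not state: a
packet that matches no entry of any applied list is permitted, and within
one list the first matching entry decides.
"""
import ipaddress


def parse_addr(text):
    """IPv4 address as an int; the PIX abbreviation '0' means 0.0.0.0."""
    if text == "0":
        text = "0.0.0.0"
    return int(ipaddress.IPv4Address(text))


def addr_matches(packet_ip, rule_ip, rule_mask):
    """Masked comparison: only the bits set in the mask are compared."""
    mask = parse_addr(rule_mask)
    return (parse_addr(packet_ip) & mask) == (parse_addr(rule_ip) & mask)


def parse_port(spec):
    """'80' -> (80, 80); '1-1024' -> (1, 1024)."""
    lo, _, hi = spec.partition("-")
    low = int(lo)
    high = int(hi) if hi else low
    if not 0 <= low <= high <= 65535:
        raise ValueError("bad port specification: %r" % spec)
    return low, high


class OutboundLists:
    """Holds 'outbound' entries by list number and the 'apply' state."""

    def __init__(self):
        self.lists = {}    # number -> [(action, ip, mask, (low, high)), ...]
        self.applied = {}  # number -> "outgoing_src" or "outgoing_dest"

    def outbound(self, number, action, ip, mask, port):
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        entry = (action, ip, mask, parse_port(port))
        self.lists.setdefault(number, []).append(entry)

    def apply(self, number, mode):
        if number not in self.lists:
            raise ValueError("outbound list %d has not been created" % number)
        if mode not in ("outgoing_src", "outgoing_dest"):
            raise ValueError("mode must be outgoing_src or outgoing_dest")
        self.applied[number] = mode

    def clear_apply(self):
        """'clear apply': the lists stay defined but no longer take effect."""
        self.applied.clear()

    def first_match(self, number, address, dport):
        """Action of the first entry of list `number` matching address/port."""
        for action, ip, mask, (low, high) in self.lists[number]:
            if addr_matches(address, ip, mask) and low <= dport <= high:
                return action
        return None

    def permitted(self, src, dst, dport):
        """Decide an inside-to-outside TCP packet.

        outgoing_src lists look at the inside source address, outgoing_dest
        lists at the outside destination; a deny from any applied list wins.
        """
        for number, mode in self.applied.items():
            checked = src if mode == "outgoing_src" else dst
            if self.first_match(number, checked, dport) == "deny":
                return False
        return True


if __name__ == "__main__":
    fw = OutboundLists()
    # First example from the page: keep host 192.168.1.49 off the web.
    fw.outbound(11, "deny", "192.168.1.49", "255.255.255.255", "80")
    fw.apply(11, "outgoing_src")
    # Second example: block two web servers for every inside host.
    fw.outbound(12, "deny", "192.168.146.201", "255.255.255.255", "80")
    fw.outbound(12, "deny", "192.168.146.202", "255.255.255.255", "80")
    fw.apply(12, "outgoing_dest")
    # Constructed packets (inside source, outside destination, port).
    for src, dst, port in [("192.168.1.49", "10.1.1.1", 80),
                           ("192.168.1.49", "10.1.1.1", 443),
                           ("192.168.1.50", "192.168.146.202", 80),
                           ("192.168.1.50", "192.168.146.203", 80)]:
        verdict = "permit" if fw.permitted(src, dst, port) else "deny"
        print(src, "->", dst, port, verdict)
```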

arp

Add entry to PIX Firewall ARP table. (Configuration mode.)

arp inside|outside ip_address mac_address [alias]

Syntax Description

inside

Network interface that protects the inside network.

outside

Network interface for the unprotected outside network connection to the PIX Firewall.

ip_address

IP address for the ARP table entry.

mac_address

Hardware MAC address for the ARP table entry.

alias

Make this entry permanent. Alias entries do not time out and are automatically stored in the configuration when you use the write command to store the configuration.


Usage Guidelines

The arp command adds an entry to the PIX Firewall ARP table. ARP is a low-level TCP/IP protocol that resolves a node's physical address from its IP address through an ARP request asking the node with a particular IP address to send back its physical address.

See also: clear arp, no arp, show arp.

Example

pixfirewall(config)# arp inside 192.168.0.42 0000.0101.0202
pixfirewall(config)# arp outside 192.168.0.43 0000.0101.0203 alias
pixfirewall(config)# 

arp timeout

Change PIX Firewall ARP table entry duration. (Configuration mode.)

arp timeout seconds

Syntax Description

seconds

Duration that an ARP entry can exist in the ARP table before being cleared.


Usage Guidelines

The arp timeout command sets the duration that an ARP entry can stay in the PIX Firewall ARP table before expiring. The timer is known as the ARP persistence timer. The default value is 14400 seconds (4 hours).

See also: no arp timeout, show arp timeout.

Example

pixfirewall(config)# arp timeout 42
pixfirewall(config)# show arp timeout
arp timeout 42 seconds
pixfirewall(config)# 

clear

Display clear commands. (Configuration and privileged modes.)

clear

clear ?

Example

pixfirewall(config)# clear
apply           Apply outbound lists
arp             ARP table manipulation
http            Add authorized IP addresses for http access to PIX
lnkopath        Set the network paths for Private Links (OLD)
mailhost        Add/Remove mailhosts
names           Enable, disable or display IP address to name conversion
outbound        Create outbound lists
radius-server   Configure a RADIUS server
route           Set the network default router
snmp-server     Administer SNMP daemon
static          Reserve a local to global address translation table entry
syslog          Log messages to SYSLOG server
tacacs-server   Configure a TACACS+ server
telnet          Add authorized IP addresses for telnet access to PIX
uauth           Display or clear current user authorization information
pixfirewall(config)#

clear apply

Clear all apply statements in configuration. (Configuration mode.)

clear apply

Usage Guidelines

The clear apply command clears all outbound access lists created by a previous use of apply.

See also: apply, no apply, show apply.

Example

pixfirewall(config)# clear apply
pixfirewall(config)# 

clear arp

Clear PIX Firewall ARP table entry. (Configuration mode.)

clear arp [inside|outside ip_address]

Syntax Description

inside

PIX Firewall inside network interface ARP table.

outside

PIX Firewall outside network interface ARP table.

ip_address

IP address.


Usage Guidelines

The clear arp command clears the non-aliased ARP table entries from the firewall's ARP table. You can only clear alias entries if you specify the IP address.

This command is the same as no arp.

See also: arp, no arp, show arp.

Example

This example creates two ARP entries, one regular and the other aliased. Then, the regular entry is cleared with the clear arp command. Clearing the alias entry requires specifying the IP address.

pixfirewall# arp inside 192.168.42.3 1000.beee.beee
pixfirewall# arp inside 192.168.42.42 0000.1010.2020 alias
pixfirewall# show arp
inside 192.168.42.42 0000.1010.2020 alias
inside 192.168.42.3 1000.beee.beee
pixfirewall# clear arp
pixfirewall# show arp
inside 192.168.42.42 0000.1010.2020 alias
pixfirewall# clear arp inside 192.168.42.42
pixfirewall# show arp
pixfirewall# 


clear http

Stop HTTP access to one or more inside hosts. (Configuration mode.)

clear http ip_address [netmask]

Syntax Description

ip_address

IP address of systems on the inside of the PIX Firewall that are able to access the HTML management interface. You can give access to a maximum of 16 IP addresses.

netmask

Network mask of ip_address.


Usage Guidelines

The clear http command removes HTTP access to an IP address of an inside host. This is the same as the no http command.


Note   If you specify clear http without specifying an IP address, all HTTP access stops.


See also: http, show http.

Example

This example stops HTTP access on a host with an IP address of 192.168.42.42.

pixfirewall(config)# clear http 192.168.42.42 255.255.255.255
pixfirewall(config)# 

clear lnkopath

Clear a version 2 Private Link remote host path. (Configuration mode.)

clear lnkopath

Usage Guidelines

The clear lnkopath command clears a version 2 Private Link remote host path.

Example

pixfirewall(config)# clear lnkopath
pixfirewall(config)#

clear names

Remove all name commands from configuration. (Configuration mode.)

clear names

Usage Guidelines

The clear names command deletes all instances of the name command from the configuration.

See also: name, names, no name, no names, show names.

Example

pixfirewall(config)# names
enabling IP address to name conversion
pixfirewall(config)# name console_access_host_1 192.168.42.3
pixfirewall(config)# telnet console_access_host_1
pixfirewall(config)# sho tel
console_access_host_1 255.255.255.255
pixfirewall(config)# clear names 
pixfirewall(config)# sho tel
192.168.42.3 255.255.255.255
pixfirewall(config)# 

clear mailhost

Clear mailhost entries. (Configuration mode.)

clear mailhost

Usage Guidelines

The clear mailhost command clears mailhost entries.

Example

pixfirewall(config)# clear mailhost
pixfirewall(config)# 

clear outbound

Clear outbound access list. (Configuration mode.)

clear outbound num [permit|deny ip_address netmask port]

Syntax Description

num

A tag number for the access list.

permit

Allow the access list to access the specified IP address and port.

deny

Deny the access list access to the specified IP address and port.

ip_address

The IP address for this access list entry.

netmask

The network mask for comparing with the IP address; 255.255.255.0 causes the access list to apply to an entire class C address. 0.0.0.0 disables all access. The 0.0.0.0 netmask can be abbreviated as 0.

port

A port or range of ports that the access list is permitted or denied access to; for example, 1-1024.


Usage Guidelines

The clear outbound command clears an outbound access list or specific details within it.

See also: apply, no outbound, outbound, show outbound.

Example

pixfirewall(config)# clear outbound 1
pixfirewall(config)# clear apply 
pixfirewall(config)# 

clear radius-server

Remove access to a RADIUS server. (Privileged mode.)

clear radius-server ip_address key

Syntax Description

ip_address

The IP address of the authentication server.

key

An alphanumeric keyword of up to 127 characters defined by what the authentication server accepts.


Usage Guidelines

Without arguments, the clear radius-server command removes all radius-server commands from the configuration. By specifying an IP address, you can limit the deletion to a single radius-server statement.

See also: radius-server, show radius-server.

Example

pixfirewall(config)# rad host 192.168.42.42 whatakey!@#$%^&*
pixfirewall(config)# clear rad
pixfirewall(config)# show rad
pixfirewall(config)# 

clear route

Clear the inside or outside interface's routing table. (Configuration mode.)

clear route inside|outside

Syntax Description

inside|outside

Set the network default route and path for either the inside or outside interface.


Usage Guidelines

The clear route command clears the routing table for the specified interface. You can clear both routing tables by entering clear route without the inside or outside keywords. To remove an individual route without clearing the entire table, use the no route command.

See also: no route, route, show route.

Example

pixfirewall(config)# clear route inside 
pixfirewall(config)# 

clear snmp-server

Clear SNMP contact or location, or stop sending SNMP event information. (Configuration mode.)

clear snmp-server contact|location|host value

Syntax Description

contact

Clear the contact information.

location

Clear the PIX Firewall location.

host

Stop sending SNMP event information.

value

When used with contact, specify your name or that of the PIX Firewall system administrator. When used with location, specify your PIX Firewall location. If the location name contains spaces, surround the string in single quotes; for example, 'building 42'.


Usage Guidelines

The clear snmp-server contact command deletes the contact information sent to the SNMP server. The clear snmp-server location command has the same effect for the location. Use these commands when you want to change the text in the contact or location fields; that is, by clearing it and then replacing the information with the snmp-server command.

The clear snmp-server host command stops sending SNMP traps, or you can specify one or more IP addresses to which SNMP traps are not sent.

Using SNMP, you can monitor system events on the PIX Firewall.

See also: no snmp-server, snmp-server, show snmp-server.

Example

pixfirewall(config)# clear snmp-server location
pixfirewall(config)# 

clear static

Clear a static connection. (Configuration mode.)

clear static

Usage Guidelines

The clear static command clears a static connection.

Example

pixfirewall(config)# clear static
pixfirewall(config)#

clear syslog

Stop logging SYSLOG messages. (Configuration mode.)

clear syslog console

clear syslog host ip_address

clear syslog output facility.level

Syntax Description

ip_address

SYSLOG host IP address.

facility

Eight facilities LOCAL0(16) through LOCAL7(23); the default is LOCAL4(20). Hosts file the messages based on the facility number in the message.

level

Message type; sets the level above which PIX Firewall suppresses messages to the SYSLOG hosts. Setting the level to 3, for example, allows messages with levels 0, 1, 2, and 3 to display. The default is 3. The levels are:

0 — System unusable

1 — Take immediate action

2 — Critical condition

3 — Error message

4 — Warning message

5 — Normal but significant condition

6 — Informational

7 — Debug message


Usage Guidelines

The clear syslog console command disables SYSLOG messages on the console. The clear syslog host command disables sending SYSLOG messages to the specified host. The clear syslog output command stops sending all SYSLOG messages. This command is the same as no syslog.

See also: syslog, show syslog.

Example

pixfirewall(config)# clear syslog
pixfirewall(config)# 
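The facility.level setting described under clear syslog and syslog output, as an added collector-side model that is not PIX code: it validates a facility.level value, shows which constructed messages a unit with that setting would still send (level 3 passes levels 0 through 3), decodes the PRI prefix of received lines back into facility and level name, and flags lines that arrive under a facility other than the configured one. The <PRI> prefix with PRI = facility * 8 + level is the standard BSD syslog encoding and is assumed here, not quoted from the page.

```python
"""Decode and filter PIX syslog messages by facility and level.

Added illustration, not PIX code.  Facilities LOCAL0(16) to LOCAL7(23),
the default LOCAL4(20), the default level 3 and the level names come from
the clear syslog section.  The '<PRI>' prefix, PRI = facility * 8 + level,
is the standard BSD syslog encoding (an assumption about the wire format).
Sample messages are constructed, not captured from a unit.
"""
import re

FACILITIES = {"LOCAL%d" % i: 16 + i for i in range(8)}
LEVEL_NAMES = [
    "System unusable", "Take immediate action", "Critical condition",
    "Error message", "Warning message", "Normal but significant condition",
    "Informational", "Debug message",
]
PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_output_setting(spec):
    """'facility.level' as typed after 'syslog output': '20.3' or 'LOCAL4.3'."""
    fac, _, lvl = spec.partition(".")
    facility = FACILITIES.get(fac.upper())
    if facility is None:
        facility = int(fac)
    if facility not in FACILITIES.values():
        raise ValueError("facility must be LOCAL0(16) through LOCAL7(23)")
    level = int(lvl)
    if not 0 <= level <= 7:
        raise ValueError("level must be 0 through 7")
    return facility, level


def encode_pri(facility, level):
    return facility * 8 + level


def decode_pri(pri):
    """Split a PRI value back into (facility, level)."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range")
    return divmod(pri, 8)


def messages_sent(messages, setting):
    """Lines a unit with 'syslog output facility.level' would send to hosts.

    messages: (level, text) pairs.  Everything above the configured level
    is suppressed, so a setting of 3 lets levels 0, 1, 2 and 3 through.
    """
    facility, max_level = setting
    return ["<%d>%s" % (encode_pri(facility, level), text)
            for level, text in messages if level <= max_level]


def parse_line(line):
    """Collector side: (facility, level, level_name, text) for one line."""
    m = PRI_RE.match(line)
    if m is None:
        raise ValueError("no PRI prefix: %r" % line)
    facility, level = decode_pri(int(m.group(1)))
    return facility, level, LEVEL_NAMES[level], line[m.end():]


def off_facility(lines, expected_facility=20):
    """Lines whose facility differs from the one the firewall is set to.

    A host that files messages by facility number puts these in the wrong
    file; they usually mean another sender shares the facility or the
    'syslog output' setting on the unit was changed.
    """
    return [line for line in lines if parse_line(line)[0] != expected_facility]


if __name__ == "__main__":
    setting = parse_output_setting("LOCAL4.3")   # the documented defaults
    sample = [(3, "constructed error text"),     # constructed messages
              (6, "constructed informational text"),
              (1, "constructed alert text")]
    for line in messages_sent(sample, setting):
        print(line, "->", parse_line(line)[2])
```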

clear tacacs-server

Remove access to one or more TACACS+ servers. (Privileged mode.)

clear tacacs-server ip_address key

Syntax Description

ip_address

The IP address of the authentication server.

key

An alphanumeric keyword of up to 127 characters defined by what the authentication server accepts.


Usage Guidelines

Without arguments, the clear tacacs-server command removes all tacacs-server commands from the configuration. By specifying an IP address, you can limit the deletion to a single tacacs-server statement. Use show tacacs-server to examine the information.

See also: tacacs-server, show tacacs-server.

Example

pixfirewall(config)# tac host 192.168.42.42 whatakey
pixfirewall(config)# clear tacacs
pixfirewall(config)# show tacacs
pixfirewall(config)#

clear telnet

Disable Telnet access to the PIX Firewall console. (Configuration mode.)

clear telnet ip_address netmask

Syntax Description

ip_address

The IP address or network of a host that is authorized to access the PIX Firewall Telnet management interface.

netmask

The netmask for the network specified in this telnet command. This allows multiple machines on a particular IP subnet access to the PIX Firewall console.


Usage Guidelines

The clear telnet command disables console access via Telnet to an IP address. Up to 16 hosts or networks are allowed access to the PIX Firewall console using Telnet, 4 simultaneously. The show telnet command displays the current list of IP addresses authorized to access the PIX Firewall console. You can use the who command to see which IP addresses are currently accessing the firewall console with Telnet.

See also: show telnet, who.

Example

pixfirewall(config)# clear telnet 192.168.42.42
pixfirewall(config)# 

clear uauth

Delete all authorization caches for a user. (Privileged mode.)

clear uauth

Usage Guidelines

The clear uauth command deletes all users' authorization caches, which causes all authorized users to have to reauthenticate the next time they create a connection.

Each user host's IP address has an authorization cache attached to it. If the user attempts to access a service that has been cached from the correct host, the firewall considers it preauthorized and immediately unproxies the connection. This means that once you are authorized to access a web site, for example, the authorization server is not contacted for each of the images as they are loaded (assuming they come from the same IP address). This significantly increases performance and reduces load on the authorization server.

See also: aaa authorization, show uauth, timeout.

Example

pixfirewall# show uauth
user `winifred' from 207.31.17.42 authenticated
user `pollyhedra' from 207.31.17.54 authorized to:
    port 192.168.67.34/telnet 192.168.67.11/http 192.168.67.33/tcp/8001
         192.168.67.56/tcp/25 192.168.67.42/ftp
user `oakman' from 207.31.17.207 authorized to:
    port 262.146.153.50/http 262.71.177.69/http
pixfirewall# clear uauth 
pixfirewall# show uauth
pixfirewall#

conduit

Add conduit through firewall for incoming connections. (Configuration mode.)

conduit global_ip port[-port] udp|tcp ip_address [netmask]

Syntax Description

global_ip

The IP address from the global pool to associate with this conduit. This address can be class A, B, or C.

port

Destination port number into which connections are permitted on the inside machine (if using TCP, 25 for SMTP, 80 for HTTP, and so on). 0 means match any port. The port values are defined in RFC 1700. If an invalid port range is specified, such as 32-25, a conduit is not established, but an error message is not returned.

udp

Add conduit for incoming UDP connections.

tcp

Add conduit for incoming TCP connections.

ip_address

IP address (host or network) from which to permit incoming connections (0.0.0.0 is any host). The 0.0.0.0 IP address can be abbreviated as 0.

netmask

Network mask of ip_address.


Usage Guidelines

The conduit command creates an exception to the PIX Firewall Adaptive Security mechanism by permitting connections from outside the PIX Firewall to access hosts on the inside network. Conduits exist on the static translation slots and can be added with the conduit command. You can remove a conduit with the no conduit command.

You can create conduits for net statics with a single static statement. An example follows:

pixfirewall(config)# static 204.31.17.0 10.1.1.0
pixfirewall(config)# conduit 204.31.17.0 ftp tcp 0 0

This static statement creates the potential for up to 256 statics. The conduit statement grants everyone FTP access.

In addition, you can overlay host statics on top of a net static range to further refine what an individual host can access:

pixfirewall(config)# static 204.31.17.0 10.1.1.0
pixfirewall(config)# conduit 204.31.17.0 ftp tcp 1.2.3.0 0
pixfirewall(config)# static 203.31.17.3 10.1.1.3
pixfirewall(config)# conduit 204.31.17.3 h323 udp 1.2.3.3 255.255.255.255

In this case, the host at 1.2.3.3 has InternetPhone access in addition to its blanket FTP access.


Note   You can have up to 8000 conduits; however, you must have 2MB flash memory to store the configuration. For 512K flash memory, do not exceed 4096 conduits.

Conduits with a port value of 0 count as one conduit, as do port values in a range such as 1234-2234. You can assign up to 65535 access ports for a single conduit.

static statements must be entered in the configuration before conduit statements. If you attempt to enter a conduit before entering a static statement, the message "Cannot locate the xlate" appears.


If a conduit is specified as the example that follows, host 192.168.2.2 can access the inside host that is mapped to the global address 192.168.1.1 on any TCP port:

conduit 192.168.1.1 0 tcp 192.168.2.2 255.255.255.255

When the port is specified as zero, all ports of the specified protocol can be accessed. The same syntax applies for UDP.

If you create a conduit with a port range and then delete one port within the range, the configuration transparently creates two conduit statements. The first statement contains the range of ports up to the port you deleted and the second contains the ports from the deleted port to the end of the range.

See also: no conduit, show conduit.

Example

The following pair of commands enables only SMTP communication between the UNIX gateway host with IP address 10.10.25.10 and an SMTP server on the inside network with IP address 192.168.1.49:

pixfirewall(config)# static 10.10.26.147 192.168.1.49 255.255.255.255
pixfirewall(config)# conduit 10.10.26.147 25 tcp 10.10.25.10 255.255.255.255

To remove the last conduit, enter the no conduit command:

pixfirewall(config)# no conduit 10.10.26.147 25 tcp 10.10.25.10

You can delete one port from a range and the configuration creates two new statements:

pixfirewall(config)# conduit 10.0.42.1 1025-1050 udp 192.168.20.34 255.255.255.255
pixfirewall(config)# no conduit 10.0.42.1 1040
pixfirewall(config)# show conduit 10.0.42.1
conduit 10.0.42.1 1025-1039 udp 192.168.20.34 255.255.255.255
conduit 10.0.42.1 1041-1050 udp 192.168.20.34 255.255.255.255
pixfirewall(config)#

The next example lets network 10.1.1.0 on the inside receive H323 Internet phone calls and allows the outside network 204.30.242.0 to connect inbound via the IDENT (tcp/113) protocol:

pixfirewall(config)# stat 204.31.17.0 10.1.1.0
pixfirewall(config)# cond 204.31.17.0 h323 tcp 0.0.0.0 0.0.0.0
pixfirewall(config)# cond 204.31.17.0 113 tcp 204.30.242.0 255.255.255.0

The next example lets one FTP server on the inside, 10.1.1.3, be accessed as 204.31.17.3 by the network 260.44.224.x on the outside:

pixfirewall(config)# stat 204.31.17.3 10.1.1.3
pixfirewall(config)# conduit 204.31.17.3 ftp tcp 260.44.224.0 255.255.255.0

The next example lets one web server on the inside, 10.1.1.4, be accessed as 204.31.17.4 by the whole outside Internet:

pixfirewall(config)# stat 204.31.17.4 10.1.1.4
pixfirewall(config)# cond 204.31.17.4 80 tcp 0.0.0.0 0.0.0.0

The last example lets you give everyone FTP and InternetPhone access:

pixfirewall(config)# stat 1.2.3.0 10.1.1.0
pixfirewall(config)# conduit 1.2.3.0 ftp tcp 0 0
pixfirewall(config)# conduit 1.2.3.0 h323 udp 0 0
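The rules in this section (a static must be entered before the conduit that uses it, port 0 opens every port of the protocol, an inverted range such as 32-25 is dropped without an error, and deleting one port from a range leaves two statements) can be checked offline before a configuration is typed in. The Python script below is an added example written for this reference, not PIX software or any output from it. It assumes the small service-name table it defines, treats a mask-less static whose global address ends in .0 as a 256-address net static, treats a conduit source given without a netmask as a single host, and replays constructed sample lines. It also flags conduits that expose every port or admit any source host, which is the review a practitioner would want before such statements reach a firewall.

```python
"""Replay and audit PIX v4 static/conduit statements (added example, not PIX code).

Rules modelled from the conduit reference: a conduit needs a static already
covering its global address ("Cannot locate the xlate" otherwise), an inverted
range is silently not created, port 0 means every port of the protocol, and
'no conduit' on one port of a range splits the range in two.  Assumptions:
the SERVICE_PORTS table, mask-less static ending in .0 = 256-address net static,
conduit source without netmask = single host.  SAMPLE lines are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Service names the reference uses in place of port numbers (assumed table).
SERVICE_PORTS = {"ftp": 21, "telnet": 23, "smtp": 25, "http": 80, "ident": 113}


def _network(addr: str, mask: str | None) -> ipaddress.IPv4Network:
    """Build a network from 'addr mask'; '0' abbreviates 0.0.0.0 as the reference allows."""
    addr = "0.0.0.0" if addr == "0" else addr
    if mask is None:
        # Assumption: 'static 204.31.17.0 10.1.1.0' is a net static (256 addresses);
        # any other mask-less address is a host static.
        mask = "255.255.255.0" if addr.endswith(".0") else "255.255.255.255"
    mask = "0.0.0.0" if mask == "0" else mask
    return ipaddress.IPv4Network((addr, mask), strict=False)


def _ports(text: str) -> tuple[int, int]:
    """'25', 'ftp' or '1025-1050' -> (low, high)."""
    if "-" in text:
        lo, hi = (int(p) for p in text.split("-", 1))
        return lo, hi
    port = int(SERVICE_PORTS.get(text, text))
    return port, port


@dataclass
class Conduit:
    global_ip: str
    lo: int
    hi: int
    proto: str
    src: ipaddress.IPv4Network

    def render(self) -> str:
        port = str(self.lo) if self.lo == self.hi else f"{self.lo}-{self.hi}"
        return (f"conduit {self.global_ip} {port} {self.proto} "
                f"{self.src.network_address} {self.src.netmask}")


def remove_port(conduits: list[Conduit], global_ip: str, port: int) -> None:
    """'no conduit <global_ip> <port>': a range holding the port splits into two statements."""
    for c in list(conduits):
        if c.global_ip != global_ip or not (c.lo <= port <= c.hi):
            continue
        idx = conduits.index(c)
        pieces = []
        if c.lo < port:
            pieces.append(Conduit(c.global_ip, c.lo, port - 1, c.proto, c.src))
        if port < c.hi:
            pieces.append(Conduit(c.global_ip, port + 1, c.hi, c.proto, c.src))
        conduits[idx:idx + 1] = pieces


def load(lines: list[str]) -> tuple[list[Conduit], list[str]]:
    """Replay static / conduit / no conduit lines in order; return (conduits, errors)."""
    statics: list[ipaddress.IPv4Network] = []
    conduits: list[Conduit] = []
    errors: list[str] = []
    for raw in lines:
        words = raw.split()
        if not words:
            continue
        if words[0] == "static":
            statics.append(_network(words[1], words[3] if len(words) > 3 else None))
        elif words[0] == "conduit":
            _, gip, port, proto, src, *rest = words
            if not any(ipaddress.IPv4Address(gip) in s for s in statics):
                errors.append(f"{raw}: Cannot locate the xlate")  # static must come first
                continue
            lo, hi = _ports(port)
            if lo > hi:  # e.g. 32-25: not established, and no error is reported
                continue
            conduits.append(Conduit(gip, lo, hi, proto,
                                    _network(src, rest[0] if rest else "255.255.255.255")))
        elif words[:2] == ["no", "conduit"]:
            remove_port(conduits, words[2], _ports(words[3])[0])
    return conduits, errors


def audit(conduits: list[Conduit]) -> list[str]:
    """Flag conduits that open every port of a protocol or admit any source host."""
    findings = []
    for c in conduits:
        if c.lo == 0:
            findings.append(f"{c.render()}: port 0 opens every {c.proto} port")
        if c.src.prefixlen == 0:
            findings.append(f"{c.render()}: source 0.0.0.0 admits any host")
    return findings


# Constructed sample configuration for this example (not from the reference).
SAMPLE = """
static 10.10.26.147 192.168.1.49 255.255.255.255
conduit 10.10.26.147 25 tcp 10.10.25.10 255.255.255.255
static 10.0.42.1 192.168.1.50
conduit 10.0.42.1 1025-1050 udp 192.168.20.34 255.255.255.255
no conduit 10.0.42.1 1040
static 204.31.17.0 10.1.1.0
conduit 204.31.17.0 ftp tcp 0 0
conduit 192.168.1.1 0 tcp 192.168.2.2 255.255.255.255
static 192.168.1.1 10.1.1.4 255.255.255.255
conduit 192.168.1.1 0 tcp 192.168.2.2 255.255.255.255
""".strip().splitlines()
```

Running `load(SAMPLE)` returns the 1025-1050 range as the two statements 1025-1039 and 1041-1050, rejects the first conduit for 192.168.1.1 because its static has not yet been entered, and `audit` then reports the port-0 conduit and the 0.0.0.0 source conduit as the two statements that deserve a second look.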

configure floppy

Merge current configuration with that on floppy disk. (Privileged mode.)

configure floppy

Usage Guidelines

The configure floppy command merges the current running configuration with the configuration stored on floppy disk. This command assumes that the floppy disk was previously created by the write floppy command.

Each statement on floppy disk is read into the current configuration and evaluated in the same way as commands entered from a keyboard with these rules:

If the command on floppy disk is identical to an existing command in the current configuration, it is ignored.

If the command on floppy disk is an additional instance of an existing command, such as if you already have one telnet command for IP address 1.2.3.4 and the floppy disk configuration has a telnet command for 6.7.8.9, then both commands appear in the current configuration.

If the command redefines an existing command, the command on floppy disk overwrites the command in the current configuration in RAM. For example, if you have hostname ram in the current configuration and hostname floppy on floppy disk, the command in the configuration becomes hostname floppy and the command line prompt changes to match the new host name when that command is read from floppy disk.

Example

pixfirewall# configure floppy
pixfirewall# 

configure memory

Merge configuration with that from flash memory. (Privileged mode.)

configure memory

Usage Guidelines

The configure memory command merges the configuration in flash memory into the current configuration in RAM. Each statement in flash memory is read into the current configuration and evaluated in the same way as commands entered from a keyboard with these rules:

If the command in flash memory is identical to an existing command in the current configuration, it is ignored.

If the command in flash memory is an additional instance of an existing command, such as if you already have one telnet command for IP address 1.2.3.4 and the flash memory configuration has a telnet command for 6.7.8.9, then both commands appear in the current configuration.

If the command redefines an existing command, the command in flash memory overwrites the command in the current configuration in RAM. For example, if you have hostname ram in the current configuration and hostname flash in flash memory, the command in the configuration becomes hostname flash and the command line prompt changes to match the new host name when that command is read from flash memory.

Example

pixfirewall# configure memory
pixfirewall# 
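The three merge rules apply to both configure floppy and configure memory. As an added example written for this reference (not PIX software), the Python function below replays a stored configuration into a running one under those rules: an identical statement is ignored, another instance of a repeatable command is added, and a redefinition of a single-instance command overwrites it. Which commands are single-instance, so that a stored line redefines rather than adds, is an assumption of the example, with hostname as the case the reference itself uses; both sample configurations are constructed.

```python
"""Merge a stored PIX configuration into the running one (added example, not PIX code).

Rules from the configure floppy / configure memory reference: identical
statement ignored, additional instance appended, redefinition overwrites.
SINGLE_INSTANCE and the per-interface 'ip address' key are assumptions made
for this example; RUNNING and STORED are constructed.
"""

# Assumption: these commands carry one value each, so a stored line redefines the
# running one.  Everything else (telnet, static, conduit, ...) may repeat.
SINGLE_INSTANCE = {"hostname", "enable", "passwd", "timeout", "failover"}


def _key(words):
    """Identity of a single-instance statement, or None if the command may repeat."""
    if words[0] in SINGLE_INSTANCE:
        return words[0]
    if words[:2] == ["ip", "address"] and len(words) > 2:
        return " ".join(words[:3])  # one address per interface (inside / outside)
    return None


def merge(running, stored):
    """Replay stored statements into running; return (merged config, log of decisions)."""
    result = [" ".join(line.split()) for line in running if line.split()]
    log = []
    for raw in stored:
        words = raw.split()
        if not words:
            continue
        line = " ".join(words)
        if line in result:  # rule 1: identical statement is ignored
            log.append(f"ignored: {line}")
            continue
        key = _key(words)
        existing = next((i for i, s in enumerate(result) if key and _key(s.split()) == key), None)
        if existing is None:  # rule 2: additional instance is added
            result.append(line)
            log.append(f"added: {line}")
        else:  # rule 3: redefinition overwrites the running statement
            log.append(f"replaced: {result[existing]} -> {line}")
            result[existing] = line
    return result, log


def prompt(config, mode="(config)#"):
    """Prompt label after the merge: the hostname that survived, else the default."""
    name = "pixfirewall"
    for line in config:
        words = line.split()
        if words[0] == "hostname":
            name = words[1]
    return name + mode


# Constructed running configuration and stored (floppy / flash) configuration.
RUNNING = [
    "hostname ram",
    "telnet 1.2.3.4 255.255.255.255",
    "ip address inside 192.168.2.1 255.255.255.0",
]
STORED = [
    "hostname flash",
    "telnet 1.2.3.4 255.255.255.255",
    "telnet 6.7.8.9 255.255.255.255",
    "ip address inside 192.168.2.254 255.255.255.0",
    "ip address outside 204.31.17.2 255.255.255.0",
]
```

With these inputs `merge(RUNNING, STORED)` keeps both telnet statements, replaces the hostname and the inside address, appends the outside address, and `prompt` reports the new `flash(config)#` label the reference says the command line takes on.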

configure terminal

Start configuration mode. (Privileged mode.)

configure terminal

Usage Guidelines

The configure terminal command starts configuration mode. Exit configuration mode by pressing ^z. After exiting configuration mode, use write memory to store your changes in flash memory or write floppy to store the configuration on floppy disk. Use the write terminal command to display the current configuration.

Example

pixfirewall# configure terminal
pixfirewall# 

disable

Exit privileged mode and return to unprivileged mode. (Privileged mode.)

disable

Usage Guidelines

The disable command exits privileged mode and returns you to unprivileged mode. Use the enable command to return to privileged mode.

Example

pixfirewall# disable
pixfirewall>

enable

Start privileged mode. (Unprivileged mode.)

enable

Usage Guidelines

The enable command starts privileged mode. PIX Firewall prompts you for your privileged mode password. The default password is no password. Use disable to exit privileged mode. Use enable password to change the password.

Example

pixfirewall> en
Password: 
pixfirewall# co t
pixfirewall(config)#

enable password

Set the privileged mode password. (Privileged mode.)

enable password password

Syntax Description

password

A password of up to 16 alphanumeric characters, which is not case sensitive. PIX Firewall converts the password to all lowercase.


Usage Guidelines

The enable password command changes the privileged mode password, for which you are prompted after you enter the enable command. When the PIX Firewall starts and you enter privileged mode, the password prompt appears. There is not a default password (press the Return key at the Password prompt).


Note   Write down the new password and store it in a manner consistent with your site's security policy. Once you change this password, you cannot view it again. Also, ensure that all who access the PIX Firewall console are given this password.


Use the passwd command to set the password for HTTP and Telnet access to the PIX Firewall console. The default passwd value is cisco.

See also: passwd.

Example

pixfirewall> en
Password:
pixfirewall# enable password w0ttal1fe
pixfirewall# co t
pixfirewall(config)# write t
Building configuration...
: Saved
:
PIX Version 4.0.n.n
enable password 2oifudsaoid.9ff encrypted
passwd 2jkifsldkaj.23 encrypted
hostname pixfirewall
...

established

Allow return connections based on established connections. (Configuration mode.)

established udp | tcp

Syntax Description

udp

Allow return UDP connections.

tcp

Allow return TCP connections.


Usage Guidelines

The established command lets you debug an application that requires multiple TCP or UDP port connections. This command is only recommended for use with WEB Theatre VXtreme and Microsoft NetShow. PIX Firewall supports other multimedia applications without the need for the established command. These applications include RealAudio, VDO, Xing, VocalTec, H323, and CuSeeMe. PIX Firewall supports these applications using its enhanced multimedia Adaptive Security algorithm which does not in any way compromise security.

While this command is running, all UDP or TCP traffic is permitted between the client and server for the current TCP connection. This command only allows the host to which the inside client is connected to deliver UDP data or make high TCP port connections back to the client.

Ports are allocated above port 1024.

The established command itself does not produce either console or SYSLOG output while running.

Example

pixfirewall(config)# established tcp
Warning: Allowing high port TCP return connections from hosts with established TCP 
connections!
pixfirewall(config)# established udp
Warning: Allowing high port UDP return connections from hosts with established UDP 
connections!
pixfirewall(config)# show established
established udp
established tcp
pixfirewall(config)# no established tcp
pixfirewall(config)# no established udp
pixfirewall(config)# show established
pixfirewall(config)# 

failover

Enable access to the optional failover feature. (Configuration mode.)

failover [active]

Syntax Description

active

Make a PIX Firewall the active unit. Use this command when you need to force control of the connection back to the unit you are accessing, such as when you want to switch control back from a unit after you have fixed a problem and want to restore service to the primary unit. Either enter no failover active on the secondary unit to switch service to the primary or failover active on the primary unit.


Usage Guidelines

Use the failover command without an argument after you connect the optional failover cable between your primary firewall and a secondary firewall. The default configuration has failover enabled. Enter no failover in the configuration file for PIX Firewall if you will not be using the failover feature. Use the show failover command to verify the status of the connection and to determine which unit is active.

Failover works by passing control to the secondary unit should the primary unit fail. For Ethernet, failover detection should occur within 15 seconds.

Refer to "Configuring Failover" in Chapter 3 for configuration information.

The failover feature causes the PIX Firewall to ARP for itself every 15 seconds. If this adversely affects your ARP table, you can disable it with the no failover command.

Example

The following output shows that failover is enabled, and that the primary unit state is active:

pixfirewall> show failover
Failover On
    This host: Primary - Active
    Other host: Secondary - Standby
    Cable status: 0x0 - Normal
    Interface 0
        this host:  Rx cnt 683  Uptime 720
        other host: Rx cnt 3    Uptime 0
    Interface 1
        this host:  Rx cnt 623  Uptime 720
        other host: Rx cnt 3    Uptime 0

pixfirewall> show failover
Failover On
    This host: Secondary - Standby
    Other host: Primary - Active
    Cable status: 0x0 - Normal
    Interface 0
        this host:  Rx cnt 683  Uptime 720
        other host: Rx cnt 3    Uptime 0
    Interface 1
        this host:  Rx cnt 683  Uptime 720
        other host: Rx cnt 3    Uptime 0
pixfirewall>

global

Define IP address in the global pool. (Configuration mode.)

global global_id ip_address

Syntax Description

global_id

You can specify up to 256 unique ID values. The valid ID numbers can be any positive number up to 2,147,483,647. If there is a single network on the inside of the PIX Firewall, set global_id to 1.

ip_address

One or more IP addresses that the PIX Firewall shares among its connections. Each IP address must be registered with the Network Information Center (NIC). You can specify a range of IP addresses by separating the starting and ending addresses with a dash (-). You can have up to 16384 global IP addresses.

If you specify a single IP address, port address translation occurs on that address.


Usage Guidelines

The global command defines the addresses in the global pool. Global pool addresses must be registered with the NIC; they provide an IP address for each incoming and outgoing connection. Always use the nat command with the global command to assign the global_id values to each network.


Note   If you are using port address translation, specify a single IP address; otherwise, you must specify a range of two or more IP addresses, such as 10.10.26.1-10.10.26.3.


PIX Firewall uses the global addresses to assign a virtual IP address to a connection. When the translation times out (defined by the timeout command), the global address returns to the available pool. If the outside network connects with the Internet, each IP address you specify as a global address must be registered with the NIC. The phrases global network and virtual network are synonymous in this document.

When you assign global addresses from the pool for Private Link, select addresses from the start of global pool range. The PIX Firewall allocates IP addresses from the global pool by starting at the end of the range you specify and working backward.

The maximum is 1 class B network worth of IP addresses; that is, 64516 addresses.

If you are using the same subnet and want to share it between the outside network and the PIX Firewall virtual network, the PIX Firewall causes a proxy-arp for the global pool on the outside network. If you are using global networks that are disjoint from the outside network address, be certain that the networking equipment and computers have a routing table entry for the global network with a next hop of the outside interface of the PIX Firewall.

With the port address translation (PAT) feature, you can have multiple outbound sessions appear to originate from a single IP address. This feature is valuable when an Internet service provider cannot allocate enough unique IP addresses for your outbound connections. The IP addresses you specify for port address translation cannot be in the global address pool.


Note   Do not use port address translation when multimedia applications need to be run through the firewall. Multimedia applications need access to specific ports and can conflict with port mappings provided by PAT.


Ports are service specifiers inside a UDP or TCP packet. With port address translation enabled, the firewall chooses a unique port number for each outbound connection, thereby permitting many connections to use a single IP address.

When you enter the global command and the "Some globals not created" message appears, some of the addresses you requested could not be assigned to the global pool. The firewall cannot assign either the address 0 or the address 255 to the global pool. Use the show global command to view which IP addresses were created.

Example

pixfirewall(config)# global 1 10.10.10.1-10.10.10.254
pixfirewall(config)# global 1 10.0.0.1
Global 10.0.0.1 will be Port Address Translated
pixfirewall(config)# show global
global 1 10.10.10.1-10.10.10.254
global 1 10.0.0.1
pixfirewall(config)#
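The global command's rules (a single address is port address translated, a range is a pool of two or more addresses, a PAT address cannot lie inside the pool, the pool holds at most 16384 addresses, addresses 0 and 255 are not created, and translations are handed out from the end of the range backward) are worth checking before a pool is entered. The Python script below is an added example written for this reference, not PIX software or its messages. Reading "address 0 or 255" as the last octet of each address in a range is an assumption of the example, and the entries it plans are constructed.

```python
"""Plan a PIX v4 global pool (added example, not PIX code).

Rules from the global reference: single address -> PAT, range -> pool, PAT
address may not be in the pool, at most 16384 pool addresses, addresses 0 and
255 are never created ("Some globals not created"), allocation works backward
from the end of the range.  Treating the refused 0/255 as the host octet of
each address is an assumption; ENTRIES are constructed.
"""
import ipaddress

POOL_LIMIT = 16384  # from the reference: up to 16384 global IP addresses


def expand(spec):
    """'10.0.0.1' -> PAT; '10.10.10.1-10.10.10.254' -> pool. Returns (mode, created, skipped)."""
    if "-" not in spec:
        return "pat", [ipaddress.IPv4Address(spec)], []
    first, last = (ipaddress.IPv4Address(p) for p in spec.split("-", 1))
    if last <= first:
        raise ValueError(f"a pool needs two or more addresses: {spec}")
    created, skipped = [], []
    for n in range(int(first), int(last) + 1):
        addr = ipaddress.IPv4Address(n)
        # Assumption: "address 0 or 255" refers to the host octet of each address.
        (skipped if (n & 0xFF) in (0, 255) else created).append(addr)
    return "pool", created, skipped


def plan(entries):
    """entries: [(global_id, spec)] -> (pools, pat, messages), both dicts keyed by global_id."""
    pools, pat, messages = {}, {}, []
    for gid, spec in entries:
        mode, created, skipped = expand(spec)
        pool = pools.setdefault(gid, [])
        if mode == "pat":
            addr = created[0]
            if addr in pool:
                messages.append(f"global {gid} {spec}: PAT address lies inside the pool")
                continue
            pat.setdefault(gid, []).append(addr)
            messages.append(f"Global {addr} will be Port Address Translated")
            continue
        if len(pool) + len(created) > POOL_LIMIT:
            messages.append(f"global {gid} {spec}: exceeds {POOL_LIMIT} pool addresses")
            continue
        pool.extend(created)
        if skipped:
            messages.append(f"global {gid} {spec}: Some globals not created "
                            f"({', '.join(map(str, skipped))})")
    return pools, pat, messages


def allocate(pool, in_use):
    """Address for a new translation: the highest free one, since the firewall works backward."""
    for addr in sorted(pool, reverse=True):
        if addr not in in_use:
            return addr
    return None


# Constructed entries: a pool, a PAT address, and a range crossing a .255/.0 boundary.
ENTRIES = [(1, "10.10.10.1-10.10.10.254"), (1, "10.0.0.1"), (2, "10.10.26.250-10.10.27.5")]
```

`plan(ENTRIES)` yields a 254-address pool and a PAT address for global_id 1, and for global_id 2 it creates ten addresses while reporting 10.10.26.255 and 10.10.27.0 as not created; `allocate` then returns 10.10.10.253 once 10.10.10.254 is in use, which is the order the reference describes for Private Link planning.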

groom

Refresh flash memory. (Privileged mode.)

groom

Usage Guidelines

The groom command lets traditional flash memory circuit boards operate at peak efficiency. PIX Firewall automatically calls this command when flash memory is full; that is, when you try to save your configuration and insufficient memory is available to store it.

In the past, when the firewall wrote to flash memory, the flash memory appended the image to its existing memory. Eventually, the circuit board ran out of memory and caused system failure. With the groom command, the firewall stores the existing configuration in flash memory in RAM and clears the complete memory space. Then it restores the image back into flash memory.

You can either wait until you run out of memory or run it as part of your preventative maintenance schedule, either monthly or every few months, depending on how many times you change the configuration and save it to flash memory.


Note   When you run the groom command, do not interrupt the system because vital information can be lost. Before running this command, save a copy of the configuration on floppy disk and ensure all other console users are not using the unit.


Example

pixfirewall(config)# groom
Grooming flash. This will take a moment. DO NOT INTERRUPT.
pixfirewall(config)#

help

Display help information. (Unprivileged mode.)

help

?

Usage Guidelines

The help or ? command displays help information about all commands. You can view help for an individual command by entering the command name followed by a question mark.

When you use the help command, 22 lines display, the listing pauses, and the following prompt appears:

<--- More --->

The More prompt uses the same syntax as the UNIX more command:

To view another screenful, press the Space bar.

To view the next line, press the Enter key.

To return to the command line, press the q key.

Example

pixfirewall(config)# age ?
age <minutes>

Help information is available on the core commands (not the show, no, or clear commands) by entering ? at the command prompt:

pixfirewall(config)# ?
aaa	Set Authentication and Authorization parameters
age	Age PIX Private Link keys
alias	Administer Local Address Translations (Dual NAT)
apply	Apply outbound lists
arp	ARP table manipulation
conduit	Add/remove conduits to static translations
configure	Configure from terminal, floppy, or memory
disable	Exit from privileged mode
enable	Modify enable password
established	Allow return connections based on established connections
failover	Administer Failover
global	Enter global network addresses, or designate PAT address
hostname	Change host name
http	Add authorized IP addresses for http access to PIX
interface	Interface configuration
ip	Set ip address for specified interface
kill	Terminate a telnet session
link	Establish an encrypted PIX Private Link
linkpath	Set the network paths for Private Links
lnko	Establish an encrypted PIX Private Link (OLD)
lnkopath	Set the network paths for Private Links (OLD)
mailhost	Add/Remove mailhosts
mtu	Interface MTU configuration
name	Associate a name with an IP address
names	Enable, disable or display IP address to name conversion
nat	Administer Address Translations
outbound	Create outbound lists
passwd	Change Telnet and HTTP console access password
ping	Test connectivity from specified interface to <ip>
radius-server	Configure a RADIUS server
reload	Halt and reload system
rip	Broadcast default route or passive RIP
route	Set the network default router
session	Internal router console
snmp-server	Administer SNMP daemon
static	Reserve a local to global address translation table entry
syslog	Log messages to SYSLOG server
tacacs-server	Configure a TACACS+ server
telnet	Add authorized IP addresses for telnet access to PIX
timeout	Set the maximum idle time for translation and connection slots
who	Show active administration sessions on PIX
write	Write config to flash, floppy, or terminal, or erase the flash
pixfirewall(config)#

hostname

Change the host name in the PIX Firewall command line prompt. (Configuration mode.)

hostname newname

Syntax Description

newname

New host name for the PIX Firewall prompt. This name can be up to 17 alphanumeric characters and is not case sensitive. PIX Firewall converts the host name to all lowercase.


Usage Guidelines

The hostname command changes the host name label on prompts. The default host name is pixfirewall. If you have the optional failover feature, assign host names to both PIX Firewall units. Then if a failure occurs and you Telnet to the IP address, the host name in the prompt verifies that the secondary unit is functioning.

Example

pixfirewall(config)# hostname spinner
spinner(config)# hostname pixfirewall
pixfirewall(config)#

http

Permit inside IP address access to the PIX Firewall console HTML management interface. (Privileged mode.)

http ip_address [netmask]

Syntax Description

ip_address

IP address of systems on the inside of the PIX Firewall that are able to access the PIX Firewall HTML management interface.

netmask

Network mask of ip_address. To limit access to a single IP address, use 255 in each octet; for example, 255.255.255.255. If you do not specify netmask, it defaults to 255.255.255.255 regardless of the class of ip_address.


Usage Guidelines

The http command lets an IP address access the PIX Firewall console HTML management interface. Use no http or clear http to disable management interface access. Use show http to list the information you entered. Up to 16 HTTP console sessions can be simultaneously active.

When you start the web browser, specify the IP address of the firewall in the Go to field or the Open URL field. You must have previously given the firewall an IP address and default route. In addition, if the computer on which you run the browser is directly connected to the PIX Firewall, the computer must be on the same subnet as the firewall.

If the browser displays an error message stating "Document contains no data," the http command has not been used to give that computer access to the firewall.


Note   You must use the http command for your workstation before you can use the PIX Firewall HTML network browser configuration capability.

The HTTP user name is admin and the default password is cisco. The user name cannot be changed.


Example

pixfirewall(config)# http 192.168.42.42 255.255.255.255
pixfirewall(config)#

interface ethernet

Identify Ethernet board speed and duplex. (Configuration mode.)

interface ethernet inside|outside 10baseT|100baseTX|auto|aui|bnc

Syntax Description

inside

Network interface for inside PIX Firewall network.

outside

Network interface for network outside the PIX Firewall.

10baseT

Set 10Mbit Ethernet and half duplex communications.

100baseTX

Set 100Mbit Ethernet and half duplex communications.

auto

Automatically determine networking speed and set full duplex communications.

aui

Set 10Mbit Ethernet half duplex communications for an AUI cable interface.

bnc

Set 10Mbit Ethernet half duplex communications for a BNC cable interface.


Usage Guidelines

The interface ethernet command identifies the speed and duplex settings of the network interface boards. Refer to Installing Circuit Boards in the PIX Firewall (Document Number 78-3748-03) for information on installing an Ethernet board. Use no interface ethernet to disable access to the network interface. Use show interface ethernet to view information about the interface.

The configuration of the interface affects buffer allocation (the PIX Firewall will allocate more buffers for higher line speeds). Buffer allocation can be checked with the show blocks command.


Note   The aui and bnc options will be obsoleted in a future release.


Example

pixfirewall(config)# int ether in auto
pixfirewall(config)# int ether out auto
pixfirewall(config)# sho in
ethernet outside is up, line protocol is up
  Hardware is i82557 ethernet, address is 00a0.c90a.eb4d
  MTU 1500 bytes, BW 10000 Kbit half duplex
        36 packets input, 2043 bytes, 0 no buffer
        Received 2 broadcasts, 2 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        1075 packets output, 70413 bytes, 0 underruns
ethernet inside is up, line protocol is up
  Hardware is i82557 ethernet, address is 00a0.c90a.eb43
  MTU 1500 bytes, BW 10000 Kbit half duplex
        18 packets input, 963 bytes, 0 no buffer
        Received 2 broadcasts, 2 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        1056 packets output, 68164 bytes, 0 underruns
pixfirewall(config)#

interface token

Identify Token Ring board speed. (Configuration mode.)

interface token inside|outside [4mbps|16mbps]

Syntax Description

inside

Network interface for inside PIX Firewall network.

outside

Network interface for network outside the PIX Firewall.

4mbps

4 megabytes per second data transfer speed. You can specify this value as just 4.

16mbps

(default) 16 megabytes per second data transfer speed. You can specify this value as just 16.


Usage Guidelines

The interface token command identifies the speed of the Token Ring network interface. Refer to Installing Circuit Boards in the PIX Firewall (Document Number 78-3748-03) for more information on installing a Token Ring board. Use no interface token to disable access to the network interface. Use show interface token to view information about the interface.

You can mix Token Ring and Ethernet interface boards together between the firewall's network interfaces.


Note   A Token Ring board must be present in your system to use this command. If a board is not present, an error message displays.


Example

pixfirewall(config)# int t in 4
pixfirewall(config)# int t out 16
pixfirewall(config)#

ip address

Identify IP address for PIX Firewall. (Configuration mode.)

ip address inside|outside ip_address [netmask]

Syntax Description

inside

Identify the IP address of the inside network interface.

outside

Identify the IP address of the outside network interface.

ip_address

IP address.

netmask

Network mask of ip_address.


Usage Guidelines

The ip address command assigns an IP address to the PIX Firewall. Use the show ip address command to view which addresses are assigned to the inside and outside network interfaces.

Example

pixfirewall(config)# ip a in 192.168.2.1
pixfirewall(config)# ip a out 204.31.17.2
pixfirewall(config)# sho ip
inside ip address 192.168.2.1 mask 255.255.255.255
outside ip address 204.31.17.2 mask 255.255.255.255
pixfirewall(config)# 

kill

Terminate a Telnet session. (Privileged mode.)

kill telnet_id

Syntax Description

telnet_id

Telnet session ID.


Usage Guidelines

The kill command terminates a Telnet session. Use the who command to view the Telnet session ID value. When you kill a Telnet session, PIX Firewall lets any active commands terminate and then drops the connection without warning the user.

See also: show who, telnet.

Example

pixfirewall# show who
2: From 10.10.54.0 
pixfirewall# kill 2
pixfirewall# 

link

Specify Private Link connection to PIX Firewall. (Configuration mode.)

link remote_ip_address key-id key md5

Syntax Description

remote_ip_address

IP address of a remote PIX Firewall running Private Link.

key-id

The key number. Version 4 PIX Firewall supports up to seven Private Link encryption keys. The key_id value can be from 1 to 7.

key

The 56-bit key (up to 14 hexadecimal digits) used to seed the encryption chip. This key must be the same on each host end of an encrypted link. The key consists of hexadecimal numbers; for example, fadebacfadebac. Select a unique key that is difficult to guess. Do not use the examples shown in this document.

md5

Select MD5 encryption. This option puts a digital signature in the AH/ESP header of each packet before being transmitted to the remote Private Link firewall.


Usage Guidelines

The link command creates an encrypted path between version 4 Private Link equipped PIX Firewall units. You can specify up to seven encryption keys for data access between your unit and the remote unit. The key-id and key values must be the same on each side of the Private Link. Once you specify the same keys on both sides of the connection, the systems alert each other when a new key takes effect. You can use the age command to specify the number of minutes that a key is in effect. Because each key is only 56 bits, a key left in effect for a long time is exposed to offline brute-force search: configure several key-ids and use age to rotate through them rather than leaving one key in effect indefinitely, and never use a key that has appeared in documentation.

Specify the link command once for each key you want to specify; for example, if you want seven keys, enter the link command in the configuration seven times.

The PIX Firewall Private Link consists of an encryption card and software that permits PIX Firewall units to provide encrypted communications across an unsecure network such as the Internet. This optional feature is available to domestic customer sites.

PIX Firewall allows up to 256 Private Links. At least two PIX Firewall units are required along with the hardware/software option to use this feature.

Refer to "Configuring Private Link" in Chapter 3 for more information.

Example

pixfirewall(config)# interface ethernet inside auto 
pixfirewall(config)# interface ethernet outside auto 
pixfirewall(config)# ip address inside 10.3.1.1 255.255.255.0
pixfirewall(config)# ip address outside 192.168.37.1 255.255.255.0
pixfirewall(config)# global 1 192.168.37.11-192.168.37.254
pixfirewall(config)# nat 1 0.0.0.0
pixfirewall(config)# route inside 0.0.0.0 0.0.0.0 10.3.1.2 1
pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 192.168.37.2 1
pixfirewall(config)# link 192.168.35.1 1 fadebacfadebac
pixfirewall(config)# link 192.168.35.1 2 bacfadefadebac
pixfirewall(config)# link 192.168.35.1 3 baabaaafadebac
pixfirewall(config)# link 192.168.35.1 4 beebeeefadebac
pixfirewall(config)# linkpath 10.1.0.0 255.255.255.0 192.168.35.1

linkpath

Define a Private Link destination IP address. (Configuration mode.)

linkpath dest_net netmask remote_ip

Syntax Description

dest_net

The IP address of the destination network on the inside of the remote
PIX Firewall.

netmask

Specifies a subnet mask to apply to dest_net.

remote_ip

IP address of the remote PIX Firewall's outside network interface.


Usage Guidelines

The linkpath command specifies IP address information for the remote Private Link PIX Firewall. Use show linkpath to view the IP addresses you specify. Use no linkpath to stop access to a Private Link remote firewall. Refer to the link command description for more information about using linkpath.

See also: no linkpath, show linkpath, lnkopath.

Example

pixfirewall(config)# ip addr in 10.3.1.1 255.255.255.0
pixfirewall(config)# ip addr out 192.168.37.1 255.255.255.0
pixfirewall(config)# nat 1 0.0.0.0
pixfirewall(config)# global 1 192.168.37.11-192.168.37.254
pixfirewall(config)# route in 0 0 10.3.1.2 1
pixfirewall(config)# route out 0 0 192.168.37.2 1
pixfirewall(config)# link 192.168.35.1 4 beebeeefadebac
pixfirewall(config)# linkpath 10.1.1.0 255.255.255.0 192.168.35.1
pixfirewall(config)# 

In this example, the first two lines set the IP addresses for the inside and outside interfaces. The nat command translates all outbound connections moving through the firewall. The global command reserves most of a Class C range (192.168.37.11 through 192.168.37.254) as the pool of translated addresses. The route commands specify default routes for the inside and outside interfaces. The link command specifies the outside interface address of the remote Private Link firewall (192.168.35.1) together with one of the shared keys. The linkpath command specifies the network on the inside of that remote firewall (10.1.1.0/24) and must name the same remote address as the link command.

This example lets PIX Firewall C access PIX Firewall A in Chapter 3 in the section, "Configuring Private Link."

lnko

Define access to an older version 2 Private Link PIX Firewall. (Configuration mode.)

lnko remote_global key

Syntax Description

remote_global

IP address from the global address pool of the remote version 2 PIX Firewall.

key

The encryption key. Version 2 PIX Firewall supports one Private Link encryption key. The encryption key can be up to 56 bits in length (14 hexadecimal digits); for example, fadebac.


Usage Guidelines

The lnko command defines access to a version 2 Private Link PIX Firewall and specifies an encryption key. The PIX Firewall Private Link consists of an encryption card and software that permits PIX Firewall units to provide encrypted communications across an unsecure network such as the Internet. This optional feature is available to domestic customer sites. Both lnko/lnkopath and link/linkpath combinations can appear in the same configuration.


Note   This command will be obsoleted in a future release.


Use random keys, not those shown in this document.

Refer to the link command description for more information about using lnko.

See also: lnkopath, show lnko.

Example

pixfirewall(config)# interface ethernet in auto 
pixfirewall(config)# interface ethernet out auto 
pixfirewall(config)# ip address in 10.3.1.1 255.255.255.0
pixfirewall(config)# ip address out 192.168.37.1 255.255.255.0
pixfirewall(config)# global 1 192.168.37.11-192.168.37.254
pixfirewall(config)# nat 1 0.0.0.0
pixfirewall(config)# route in 0.0.0.0 0.0.0.0 10.3.1.2 1
pixfirewall(config)# route out 0.0.0.0 0.0.0.0 192.168.37.2 1
pixfirewall(config)# lnko 192.168.36.2 fadebacfadebac
pixfirewall(config)# lnkopath 10.2.0.0 255.255.255.0 192.168.36.2


lnkopath

Specify a version 2 Private Link path to the remote PIX Firewall. (Configuration mode.)

lnkopath dest_net netmask remote_global

Syntax Description

dest_net

The IP address of the destination network on the inside interface of the remote PIX Firewall of a Private Link.

netmask

Specifies a subnet mask to apply to dest_net.

remote_global

IP address in the global pool of the remote PIX Firewall in a Private Link environment.


Usage Guidelines

The lnkopath command sets the network paths for PIX Firewall version 2 Private Link connections.


Note   This command will be obsoleted in a future release.


Use random keys in the companion lnko command, not those shown in this document.

See also: show lnkopath, lnko.

Example

pixfirewall(config)# interface ethernet in auto 
pixfirewall(config)# interface ethernet out auto 
pixfirewall(config)# ip address in 10.3.1.1 255.255.255.0
pixfirewall(config)# ip address out 192.168.37.1 255.255.255.0
pixfirewall(config)# global 1 192.168.37.11-192.168.37.254
pixfirewall(config)# nat 1 0.0.0.0
pixfirewall(config)# route in 0.0.0.0 0.0.0.0 10.3.1.2 1
pixfirewall(config)# route out 0.0.0.0 0.0.0.0 192.168.37.2 1
pixfirewall(config)# lnko 192.168.36.2 fadebacfadebac
pixfirewall(config)# lnkopath 10.2.0.0 255.255.255.0 192.168.36.2

mailhost

Add or remove mail hosts. (Configuration mode.)

mailhost global_ip local_ip [max_conns] [em_limit]

Syntax Description

global_ip

A registered IP address.

local_ip

The local IP address from the inside network.

max_conns

The maximum mail connections permitted. Set this value to less than or equal to your connection license. Use show actkey to view the maximum number of connections for your firewall.

em_limit

The embryonic mail connection limit. An embryonic connection is a connection that someone attempted but has not completed and has not yet seen data. Every connection is embryonic until it sets up. The default is 0, which means unlimited embryonic connections; the minimum is 1 and the maximum is 65535. Leaving the limit at 0 lets an outside host fill the mail host's connection table with half-open connections, so set a value for any mail host reachable from the Internet. A rule of thumb for the limit is the maximum number of connections on your connection license minus 30%; for example, on a 64-session license, set it to about 45. Set it lower for slower systems, higher for faster systems.


Usage Guidelines

The mailhost command creates a static translation for a mail server and adds an SMTP-specific security check to the Adaptive Security checks that all traffic receives en route. The mailhost command limits what outside connections can do to the mail host itself. Only the seven SMTP commands specified in RFC 821, section 4.5.1 (HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT) are permitted. Any other command is treated as NOOP: it is discarded and OK is returned to the sender, so an outside client cannot use commands such as VRFY or EXPN to enumerate accounts on the mail host.

The mailhost command removes the need for an external mail relay in the perimeter network, also known as the DMZ (demilitarized zone), that section of the network outside the firewall but before the Internet. The mailhost command is also known as the Mail Guard feature.
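The following Python model, added here as an illustration and not part of the PIX software or of this manual, shows the filtering rule just described: a client transcript (constructed for the example) is run through a filter that forwards only the seven RFC 821 commands and answers 250 OK to everything else. The handling of the message body after DATA is an assumption of the model; the manual does not describe it.

```python
"""Model of the Mail Guard (mailhost) SMTP command filter.

Added example, not PIX code.  Only the seven RFC 821 minimum commands reach
the mail host; anything else is absorbed by the firewall, which answers
250 OK as if the command had been a NOOP.
"""
from typing import List, Optional, Tuple

# RFC 821 section 4.5.1 minimum implementation.
ALLOWED_SMTP_COMMANDS = frozenset({"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"})
NOOP_REPLY = "250 OK"


def filter_smtp_command(line: str) -> Tuple[Optional[str], Optional[str]]:
    """Decide what happens to one client command line.

    Returns (forwarded_line, firewall_reply): an allowed command is forwarded
    unchanged and the real server replies; any other command (VRFY, EXPN,
    HELP, TURN, ...) is dropped and the firewall itself replies 250 OK.
    """
    stripped = line.rstrip("\r\n")
    verb = stripped.split(" ", 1)[0].upper()
    if verb in ALLOWED_SMTP_COMMANDS:
        return stripped, None
    return None, NOOP_REPLY


def run_session(client_lines: List[str]) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Run a client transcript through the filter.

    Assumption: after DATA the lines up to the terminating "." are message
    body, not commands, and pass through untouched; a filter that treated
    body text as commands would mangle the mail.
    Returns (client_line, line_forwarded_to_mailhost, firewall_reply) triples.
    """
    log = []
    in_data = False
    for raw in client_lines:
        if in_data:
            log.append((raw, raw, None))
            in_data = raw != "."
            continue
        forwarded, reply = filter_smtp_command(raw)
        if forwarded is not None and forwarded.upper().startswith("DATA"):
            in_data = True
        log.append((raw, forwarded, reply))
    return log


def absorbed_commands(client_lines: List[str]) -> List[str]:
    """The verbs the firewall swallowed (never seen by the mail host)."""
    return [entry[0].split(" ", 1)[0].upper()
            for entry in run_session(client_lines) if entry[1] is None]


# Constructed transcript: a client that probes for accounts before sending.
SAMPLE_CLIENT_TRANSCRIPT = [
    "HELO probe.example",
    "VRFY root",                      # account enumeration
    "EXPN staff",                     # list expansion
    "HELP",
    "MAIL FROM:<alice@example.org>",
    "RCPT TO:<bob@example.com>",
    "DATA",
    "Subject: hello",
    "",
    "VRFY inside a message body is just text.",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    for client, forwarded, reply in run_session(SAMPLE_CLIENT_TRANSCRIPT):
        state = "dropped" if forwarded is None else "forwarded"
        print(f"{client!r:45} -> {state:9} {reply or ''}")
```

Note that EHLO (the RFC 1869 extended greeting) is not one of the seven commands, so this model absorbs it too and the client sees a 250 OK; check how your release handles extended SMTP before relying on that.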

View mail host information with the show mailhost and show xlate commands.


Note   The mailhost command, like static, does not require the global_ip address to be in the global pool. It is better if it is not.


See also: static, show conn, show actkey, show xlate.

Example

pixfirewall(config)# ip address inside 10.1.1.1 255.0.0.0
pixfirewall(config)# ip address outside 204.31.17.10 255.255.255.0
pixfirewall(config)# global 1 204.31.17.25-204.31.17.27
pixfirewall(config)# mailhost 204.31.17.25 10.1.1.3 10 40
pixfirewall(config)# 

mtu

Specify the MTU (Maximum Transmission Unit) for an interface. (Configuration mode.)

mtu inside|outside bytes

Syntax Description

inside

Set the MTU of the inside network interface.

outside

Set the MTU of the outside network interface.

bytes

The number of bytes in the MTU in the range of 64 to 65535 bytes. See Usage Guidelines for how to set.


Usage Guidelines

The mtu command sets the maximum size of the packets an interface sends. Data larger than the MTU value is fragmented before being sent.

For Ethernet interfaces, the default MTU of 1500 bytes is sufficient for most applications. For Token Ring, the default is 8192 bytes. The minimum value for bytes is 64 and the maximum is 65535 bytes. RFC 1191 [Mogul and Deering 1990] lists 1500 bytes for Ethernet, 17914 for 16 Mbps Token Ring, and 4464 for 4 Mbps Token Ring as the usual MTU values for those media.

The inside and outside parameters let you indicate the network interface for which you are setting the block size. The no mtu command resets the MTU block size to 1500 for Ethernet interfaces and 8192 for Token Ring. The show mtu command displays the current block size. The show interface command also shows the MTU value.

See also: no mtu, show mtu.

Example

pixfirewall(config)# interface token inside 4mbps
pixfirewall(config)# interface ethernet outside auto
pixfirewall(config)# mtu inside 4464
pixfirewall(config)# show mtu
mtu outside 1500
mtu inside 4464
pixfirewall(config)# 

name

Associate a name with an IP address. (Configuration mode.)

name ip_address name

Syntax Description

ip_address

The IP address of the host being named.

name

The name assigned to the IP address. Allowable characters are a to z, A to Z, 0 to 9, - and _. The name cannot start with a digit, so that it is not mistaken for an IP address, and cannot contain a dot. The maximum name length is 4000 characters, and the total length of all name strings in the configuration cannot exceed 4000 characters.


Usage Guidelines

Use the name command to identify a host by a text name. The names you define act like a host table local to the PIX Firewall. Because there is no connection to DNS or to /etc/hosts on UNIX servers, use of this command is a mixed blessing: it makes configurations much more readable but introduces another level of abstraction to administer. Not only do you still have to add and delete IP addresses in your configuration; you must also ensure that the names either match existing host names or that you keep a map listing the differences.


Note   You must first use the names command before using the name command. To disable displaying name values, use no names.

Only one name can be associated with an IP address.

You can have a maximum of 100 name statements in your configuration, and the total length of all name strings cannot exceed 4000 characters. In other words, you can have one name command with a 4000-character string, or up to 100 with shorter strings, such as 40 characters each.
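As an added example (not PIX code), the following Python checker enforces the limits above on a set of name statements and shows the two directions of the mapping: a name used in a command resolves to its address, and with names enabled show output displays addresses by name. The rule that a name may not be reused for a second address is an assumption, made so that a name used in a command stays unambiguous.

```python
"""Checker for PIX name statements (added example, not PIX code)."""
import ipaddress
import re
from typing import Dict, List

# Letters, digits, '-' and '_' only, and no leading digit: a name that
# started with digits could be mistaken for an IP address by the parser.
NAME_RE = re.compile(r"^[A-Za-z_-][A-Za-z0-9_-]*$")
MAX_NAMES = 100          # name statements per configuration
MAX_TOTAL_CHARS = 4000   # sum of the lengths of all name strings


def validate_name_table(statements: List[str]) -> Dict[str, str]:
    """Parse 'name <ip_address> <name>' lines and enforce the limits.

    Returns an ip -> name map.  Raises ValueError on the first violation:
    bad syntax, bad address, illegal characters, a second name for an
    address, a name reused for two addresses (assumption: that would make
    'ip address inside <name>' ambiguous), or exceeding the size limits.
    """
    table: Dict[str, str] = {}
    total = 0
    for line in statements:
        parts = line.split()
        if len(parts) != 3 or parts[0] != "name":
            raise ValueError(f"not a name statement: {line!r}")
        _, ip, name = parts
        ipaddress.ip_address(ip)          # ValueError if not an IP address
        if not NAME_RE.match(name):
            raise ValueError(f"illegal name {name!r}")
        if ip in table:
            raise ValueError(f"{ip} already has the name {table[ip]!r}")
        if name in table.values():
            raise ValueError(f"name {name!r} already used for another address")
        if len(table) == MAX_NAMES:
            raise ValueError(f"more than {MAX_NAMES} name statements")
        total += len(name)
        if total > MAX_TOTAL_CHARS:
            raise ValueError(f"name strings exceed {MAX_TOTAL_CHARS} characters")
        table[ip] = name
    return table


def violates(statements: List[str]) -> bool:
    """True if validate_name_table rejects the statements."""
    try:
        validate_name_table(statements)
    except ValueError:
        return True
    return False


def resolve(table: Dict[str, str], token: str) -> str:
    """Turn a name typed in a command back into its IP address (what the
    parser does for 'ip addr in pix_inside'); other tokens pass through."""
    for ip, name in table.items():
        if name == token:
            return ip
    return token


def display(line: str, table: Dict[str, str], names_enabled: bool = True) -> str:
    """Render one line of show output the way names / no names affect it:
    with names enabled, every address that has a name is shown by name."""
    if not names_enabled:
        return line
    return " ".join(table.get(tok, tok) for tok in line.split())


# The two names from the example on this page.
EXAMPLE_TABLE = validate_name_table([
    "name 192.168.42.3 pix_inside",
    "name 204.31.17.33 pix_outside",
])

if __name__ == "__main__":
    print(display("inside ip address 192.168.42.3 mask 255.255.255.255", EXAMPLE_TABLE))
    print(resolve(EXAMPLE_TABLE, "pix_outside"))
```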


See also: names, clear names, no name, no names, show names.

Example

In the example that follows, the names command enables use of the name command. The name command substitutes pix_inside for references to 192.168.42.3, and pix_outside for 204.31.17.33. The ip address commands use these names while assigning IP addresses to the network interfaces. The no names command disables the name values from displaying. Subsequent use of the names command restores their display.

pixfirewall(config)# names
enabling IP address to name conversion
pixfirewall(config)# name 192.168.42.3 pix_inside
pixfirewall(config)# name 204.31.17.33 pix_outside
pixfirewall(config)# ip addr in pix_inside
pixfirewall(config)# ip addr out pix_outside
pixfirewall(config)# sho ip
inside ip address pix_inside mask 255.255.255.255
outside ip address pix_outside mask 255.255.255.255
pixfirewall(config)# no names
disabling IP address to name conversion
pixfirewall(config)# sho ip
inside ip address 192.168.42.3 mask 255.255.255.255
outside ip address 204.31.17.33 mask 255.255.255.255
pixfirewall(config)# names
enabling IP address to name conversion
pixfirewall(config)# sho ip
inside ip address pix_inside mask 255.255.255.255
outside ip address pix_outside mask 255.255.255.255
pixfirewall(config)# 

names

Enable name translation throughout the configuration. (Configuration mode.)

names

Usage Guidelines

The names command enables use of the name command to map text strings to IP addresses.

Use this command first before entering name commands.

See also: name, clear names, no name, no names, show names.

Example

In the example that follows, the names command enables use of the name command. The name command substitutes pix_inside for references to 192.168.42.3, and pix_outside for 204.31.17.33. The ip address commands use these names while assigning IP addresses to the network interfaces. The no names command disables the name values from displaying. Subsequent use of the names command restores their display.

pixfirewall(config)# names
enabling IP address to name conversion
pixfirewall(config)# name 192.168.42.3 pix_inside
pixfirewall(config)# name 204.31.17.33 pix_outside
pixfirewall(config)# ip addr in pix_inside
pixfirewall(config)# ip addr out pix_outside
pixfirewall(config)# sho ip
inside ip address pix_inside mask 255.255.255.255
outside ip address pix_outside mask 255.255.255.255
pixfirewall(config)# no names
disabling IP address to name conversion
pixfirewall(config)# sho ip
inside ip address 192.168.42.3 mask 255.255.255.255
outside ip address 204.31.17.33 mask 255.255.255.255
pixfirewall(config)# names
enabling IP address to name conversion
pixfirewall(config)# sho ip
inside ip address pix_inside mask 255.255.255.255
outside ip address pix_outside mask 255.255.255.255
pixfirewall(config)# 

nat

Associate a network with a pool of global IP addresses. (Configuration mode.)

nat global_id ip_address [netmask] [max_conns] [em_limit]

Syntax Description

global_id

Up to 256 global IDs previously specified with the global command. Specify 0 to indicate that no address translation be used with ip_address.

ip_address

IP address of the network to which the global pool pertains.

netmask

Network mask for ip_address. You can use 0.0.0.0 to allow all outbound connections to translate with IP addresses from the global pool.

The 0.0.0.0 netmask can be abbreviated as 0.

max_conns

The maximum number of connections permitted for the hosts matched by this nat statement. Set this value to less than or equal to your connection license. Use show actkey to view the maximum number of connections for your firewall.

em_limit

The embryonic connection limit. An embryonic connection is a connection that someone attempted but has not completed and has not yet seen data. Every connection is embryonic until it sets up. The default is 0, which means unlimited embryonic connections; the minimum is 1 and the maximum is 65535. A rule of thumb for the limit is the maximum number of connections on your connection license minus 30%; for example, on a 64-session license, set it to about 45. Set it lower for slower systems, higher for faster systems.


Usage Guidelines

The nat command lets you specify lists of inside hosts that can use the firewall for address translation. You can specify up to 256 global pools of IP addresses. Use nat 0 to enable the identity feature so that address translation is not performed. Use this feature when you have NIC-registered IP addresses on your inside network that you want to be visible on the outside network.


Note   To specify a connection limit or embryonic limit, you must specify a netmask value.


nat 1 0 means that all outbound connections pass through the PIX Firewall with address translation. This means that the firewall maps whatever address the inside host has to an address in the global pool. The connection then goes off to its respective destination with its origination address being the address from the global pool.

nat 1 1.2.3.0 means that only outbound connections originating from inside host 1.2.3.0 can pass through the firewall to go to their destinations. This group is also translated. If connections are not part of any NAT group, then they are not allowed out through the PIX Firewall. Outbound connections must be specified in a NAT statement.

nat 0 0 means let all inside IP addresses appear on the outside network without translation. They will still be protected by Adaptive Security, just not translated.

nat 0 1.2.3.0 means let those IP addresses in the 1.2.3.0 net appear on the outside without translation. All other hosts are translated depending on how their nat statements appear in the configuration.

See also: global, no nat, show nat.

Example

1 global 1 204.31.17.25-204.31.17.27
2 global 1 204.31.17.28
3 global 3 204.31.18.1-204.31.18.254
4 nat 3 3.3.3.0 255.255.255.0
5 nat 1 10.0.0.0 255.0.0.0
6 outbound 11 deny 3.3.3.3 255.255.255.255 1720
7 outbound 10 deny 0.0.0.0 0.0.0.0 80
8 outbound 10 deny 3.3.3.3 255.255.255.255 java
9 outbound 11 permit 10.1.1.11 255.255.255.255 80
10 apply 10 outgoing_src
11 apply 11 outgoing_src

Lines 1 and 2 create global pool 1 and line 3 creates global pool 3. Line 2 adds a single address to pool 1 as a port address translation (PAT) address, which permits up to 16000 hosts to share that one IP address.

Lines 4 and 5 specify the inside networks that can use the firewall for address translation: 3.3.3.0/24 translates through pool 3 and 10.0.0.0/8 through pool 1.

Lines 6 to 9 create access lists that determine which hosts can access which services. Line 6 denies host 3.3.3.3 access to H.323 (port 1720) services such as MS NetMeeting or Internet Phone. Line 7 denies all hosts access to the web (port 80). Line 8 lets host 3.3.3.3 use the web but denies its users the download of Java applets.

Line 9 permits host 10.1.1.11 access to the web, including Java applets. This permit statement outweighs the deny in line 7 regardless of the order in which the statements are entered into the configuration: as in line 8, the entry that names the host specifically takes precedence over the entry that matches every host.

Lines 10 and 11 specify that the access lists in lines 6 to 9 pertain to connections started on the inside network to access outside services, judged by the source address of the connection.
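To make the semantics of this example concrete, here is a Python model of the decision the firewall makes for an outbound connection under the configuration above. It is an added illustration, not PIX code. Three points are assumptions rather than statements of this manual: when nat statements or outbound entries overlap, the entry with the longest netmask decides (with deny winning a tie); a connection that no applied outbound entry matches is permitted; and a nat 0 line for 10.9.0.0/24, which is not in the example, is added to show identity translation.

```python
"""Model of the nat / outbound / apply example above.

Added illustration, not PIX code.  The page's example configuration is
expressed as data; the assumptions are stated in the comments.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Global pools: pool 1 mixes a three-address range with a PAT address,
# pool 3 is a range only (lines 1 to 3 of the example).
GLOBAL_POOLS: Dict[int, List[str]] = {
    1: ["204.31.17.25-204.31.17.27", "204.31.17.28 (PAT)"],
    3: ["204.31.18.1-204.31.18.254"],
}

# (global_id, ip_address, netmask).  The nat 0 line is an assumption added
# to show identity translation; it is not in the page's example.
NAT_STATEMENTS = [
    (3, "3.3.3.0", "255.255.255.0"),
    (1, "10.0.0.0", "255.0.0.0"),
    (0, "10.9.0.0", "255.255.255.0"),
]

# (list_id, action, ip_address, netmask, service); service is a TCP port or
# the keyword "java", which only blocks Java applets carried over port 80.
OUTBOUND_LISTS = [
    (11, "deny", "3.3.3.3", "255.255.255.255", "1720"),
    (10, "deny", "0.0.0.0", "0.0.0.0", "80"),
    (10, "deny", "3.3.3.3", "255.255.255.255", "java"),
    (11, "permit", "10.1.1.11", "255.255.255.255", "80"),
]
APPLIED = {10: "outgoing_src", 11: "outgoing_src"}  # lines 10 and 11


def _net(ip: str, mask: str):
    return ip_network(f"{ip}/{mask}", strict=False)


def nat_lookup(src: str) -> Optional[int]:
    """global_id of the nat statement covering src, or None when no
    statement matches (such a connection is not allowed out at all).
    Assumption: with overlapping statements the longest netmask wins."""
    addr = ip_address(src)
    best = None
    for gid, ip, mask in NAT_STATEMENTS:
        net = _net(ip, mask)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, gid)
    return None if best is None else best[1]


def outbound_check(src: str, port: int, java: bool = False) -> str:
    """Evaluate the applied outgoing_src lists for src -> dst port.
    Assumptions: the most specific matching entry decides, deny wins a
    tie, and a connection that no entry matches is permitted."""
    addr = ip_address(src)
    best = None  # (prefixlen, is_deny, action, service)
    for list_id, action, ip, mask, service in OUTBOUND_LISTS:
        if APPLIED.get(list_id) != "outgoing_src":
            continue
        net = _net(ip, mask)
        service_hit = service == str(port) or (service == "java" and port == 80)
        if addr not in net or not service_hit:
            continue
        candidate = (net.prefixlen, action == "deny", action, service)
        if best is None or candidate[:2] > best[:2]:
            best = candidate
    if best is None:
        return "permit"
    _, _, action, service = best
    if service == "java":  # a java entry blocks only applet downloads
        return "deny" if java else "permit"
    return action


def decide(src: str, port: int, java: bool = False) -> Dict[str, object]:
    """Combine the nat lookup and the outbound lists into one verdict."""
    gid = nat_lookup(src)
    if gid is None:
        return {"allowed": False, "reason": "no nat statement covers source"}
    if outbound_check(src, port, java) == "deny":
        return {"allowed": False, "reason": "denied by outbound list"}
    if gid == 0:
        return {"allowed": True, "translate": False, "reason": "nat 0: identity"}
    return {"allowed": True, "translate": True, "global_id": gid,
            "pool": GLOBAL_POOLS[gid], "reason": "translated"}


if __name__ == "__main__":
    for src, port, java in [("10.1.1.11", 80, False), ("10.1.1.12", 80, False),
                            ("3.3.3.3", 80, True), ("3.3.3.3", 80, False),
                            ("3.3.3.3", 1720, False), ("10.9.0.7", 443, False),
                            ("192.168.1.1", 80, False)]:
        print(src, port, "java" if java else "", decide(src, port, java))
```

Running the script walks through the cases the explanation above describes: 10.1.1.11 reaches the web through pool 1 while the rest of 10.0.0.0/8 is denied port 80, 3.3.3.3 may browse but not fetch applets and may not use port 1720, and a host outside every nat statement never leaves the firewall.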


no

Display the commands that no can be applied to. (Configuration and privileged modes.)

no

no ?

Example

pixfirewall(config)# no
aaa		Set Authentication and Authorization parameters
alias		Administer Local Address Translations (Dual NAT)
apply		Apply outbound lists
arp		ARP table manipulation
conduit		Add/remove conduits to static translations
established		Allow return connections based on established connections
global		Enter global network addresses, or designate PAT address
http		Add authorized IP addresses for http access to PIX
link		Establish an encrypted PIX Private Link
linkpath		Set the network paths for Private Links
lnko		Establish an encrypted PIX Private Link (OLD)
lnkopath		Set the network paths for Private Links (OLD)
mailhost		Add/Remove mailhosts
mtu		Interface MTU configuration
name		Associate a name with an IP address
names		Enable, disable or display IP address to name conversion
nat		Administer Address Translations
outbound		Create outbound lists
radius-server		Configure a RADIUS server
rip		Broadcast default route or passive RIP
route		Set the network default router
session		Internal router console
snmp-server		Administer SNMP daemon
static		Reserve a local to global address translation table entry
syslog		Log messages to SYSLOG server
tacacs-server		Configure a TACACS+ server
telnet		Add authorized IP addresses for telnet access to PIX
pixfirewall(config)#

no aaa authentication

Remove an aaa authentication statement, so that the matching connections are no longer authenticated through the TACACS+ or RADIUS server. (Configuration mode.)

no aaa authentication service inbound|outbound ip_address netmask [tacacs+|radius]

Syntax Description

service

The service to be authenticated. Use any, ftp, http, or telnet. The any value specifies that FTP, HTTP, or Telnet connections be authenticated. (HTTP is the web and only applies to web browsers that can prompt for a user name and password.)

inbound

Authenticate inbound connections.

outbound

Authenticate outbound connections.

ip_address

IP address from which or to which access is authenticated. If you want every system in your network to authenticate to this type of server, use 0.0.0.0 for the IP address. You can specify a network IP address by entering zero in each octet of the host portion of the IP address; for example, for a class C address, code 0 in the last octet, such as 192.168.42.0. The 0.0.0.0 IP address can be abbreviated as 0.

netmask

Network mask of ip_address. Always specify a specific mask value. If you want to limit authentication to a single IP address, use 255 in each octet; for example, 255.255.255.255.

tacacs+

Authenticate using Terminal Access Controller Access Control System (TACACS+).

radius

Authenticate using Remote Authentication Dial-In User Service (RADIUS).


Usage Guidelines

For outside connections, a challenge prompt appears during FTP or Telnet sessions as defined by the type of authentication server.

See also: aaa authentication, show aaa authentication, aaa authorization, radius-server, tacacs-server.

Example

pixfirewall(config)# no aaa authent ftp inb 10.0.0.1 255.255.255.255 tacacs+
pixfirewall(config)# 

no aaa authorization

Disable parameters that restrict a user's network access based on TACACS+ or RADIUS authentication. (Configuration mode.)

no aaa authorization service inbound|outbound ip_address netmask

Syntax Description

service

Service on which to authorize, ftp, http, telnet, a port range, or any. Specify a port or port range for FTP, HTTP, or Telnet services that are not on the standard ports for these services. The standard ports are 20 and 21 for FTP, 80 for HTTP, and 23 for Telnet.

inbound

Authorize on inbound connections.

outbound

Authorize on outbound connections.

ip_address

IP address from which or to which access is authorized. If you want every system in your network to authorize to this type of server, use 0.0.0.0 for the IP address. You can specify a network IP address by entering zero in each octet of the host portion of the IP address; for example, for a class C address, code 0 in the last octet, such as 192.168.42.0. The 0.0.0.0 IP address can be abbreviated as 0.

netmask

Network mask of ip_address.  Always specify a specific mask value.  If you want to limit authentication to a single IP address use 255 in each octet; for example, 255.255.255.255.


Usage Guidelines

This command removes an aaa authorization statement, so that the TACACS+ or RADIUS server is no longer consulted to authorize the specified service for the specified addresses.

See also: aaa authentication, radius-server, tacacs-server.

Example

pixfirewall(config)# no aaa author ftp inb 192.168.42.0 10.0.0.0 255.255.255.255
pixfirewall(config)# 

no alias

Remove dual NAT alias. (Configuration mode.)

no alias inside_net outside_net

Syntax Description

inside_net

IP address on the inside network that is an alias for the outside_net address.

outside_net

IP address on the outside network.


Usage Guidelines

The no alias command removes a previously created alias. Create an alias with the alias command. View the alias statements in the configuration with show alias.

Example

pixfirewall(config)# alias 192.168.42.0 192.168.54.0
pixfirewall(config)# show alias
alias 192.168.42.0 192.168.54.0
pixfirewall(config)# no alias 192.168.42.0 192.168.54.0
pixfirewall(config)# 

no apply

Cancel a previous use of the apply command. (Configuration mode.)

no apply num outgoing_src|outgoing_dest

Syntax Description

num

An access list number previously created with outbound.

outgoing_src

Use if previously specified with the apply command. outgoing_src causes the firewall to examine the source address on packets traversing the PIX Firewall for access list enforcement.

outgoing_dest

Use if previously specified with the apply command. outgoing_dest causes the firewall to examine the destination address on packets traversing the PIX Firewall for access list enforcement.


Usage Guidelines

The no apply command cancels a previous apply statement. All arguments must be specified.

See also: apply, show apply.

Example

pixfirewall(config)# outbound 1 deny 192.168.42.2 255.255.255.255 80
pixfirewall(config)# apply 1 outgoing_src
pixfirewall(config)# show apply
apply 1 outgoing_src
pixfirewall(config)# no apply 1 outgoing_src
pixfirewall(config)# show apply
pixfirewall(config)#

no arp

Erase the contents of the PIX Firewall ARP table. (Configuration mode.)

no arp [inside|outside ip_address]

Syntax Description

inside

PIX Firewall inside network interface ARP table.

outside

PIX Firewall outside network interface ARP table.

ip_address

IP address.


Usage Guidelines

The no arp command clears the non-aliased ARP table entries from the firewall's ARP table. You can only clear alias entries if you specify the IP address.

This command is the same as clear arp.

See also: arp, clear arp, show arp.

Example

This example creates two ARP entries, one regular and the other aliased. Then, the regular entry is cleared with the no arp command. Clearing the alias entry requires specifying the IP address.

pixfirewall# arp inside 192.168.42.3 1000.beee.beee
pixfirewall# arp inside 192.168.42.42 0000.1010.2020 alias
pixfirewall# show arp
inside 192.168.42.42 0000.1010.2020 alias
inside 192.168.42.3 1000.beee.beee
pixfirewall# no arp
pixfirewall# show arp
inside 192.168.42.42 0000.1010.2020 alias
pixfirewall# no arp inside 192.168.42.42
pixfirewall# show arp
pixfirewall# 

no conduit

Remove a conduit. (Configuration mode.)

no conduit global_ip port tcp|udp [ip_address netmask]

Syntax Description

global_ip

The IP address from the global pool to associate this conduit with.

port

Destination port number into which connections are permitted on the inside machine (if using TCP, 25 for SMTP, 80 for http, and so on). 0 means match any port.

tcp

Remove a conduit created for TCP connections.

udp

Remove a conduit created for UDP connections.

ip_address

IP address (host or network) from which incoming connections were permitted (0.0.0.0 is any host). The 0.0.0.0 IP address can be abbreviated as 0. Optional: when omitted, every conduit for the given global_ip, port, and protocol is removed, as in the example below.

netmask

Network mask of ip_address.


Usage Guidelines

The no conduit command removes conduits to static translations. To remove a group of conduits, specify the global IP address, the port, and the protocol. To delete an individual conduit, also specify the IP address and network mask. Use the show conduit command to verify which conduits remain.

The conduit command lets you permit connections from outside the PIX Firewall to hosts on the inside network; conduits are attached to static translation slots, and the conduit command is the recommended way to permit such inbound access. Because every conduit is an inbound opening through the firewall, remove a conduit as soon as the service it exposes is no longer needed, and confirm the removal with show conduit.

Example

pixfirewall(config)# no conduit 192.168.42.0 25 tcp 

no established

Disable return connections based on established connections. (Configuration mode.)

no established udp|tcp

Syntax Description

udp

Stop allowing return UDP connections.

tcp

Stop allowing return TCP connections.


Usage Guidelines

The no established command disables a previous use of the established command.


Example

pixfirewall(config)# established tcp
pixfirewall(config)# show established
established tcp
pixfirewall(config)# no established tcp
pixfirewall(config)# show established
pixfirewall(config)#

no failover

Turn failover off or force PIX Firewall into standby mode. (Configuration mode.)

no failover [active]

Syntax Description

active

Force the current PIX Firewall into standby mode.


Usage Guidelines

The no failover command without an argument turns the optional failover feature off. With the active argument, no failover forces a PIX Firewall into standby mode. The failover feature works by passing control to a secondary PIX Firewall should the primary unit fail.

Use show failover to view the status of the connection and to determine if the failover cable is connected to both units.

Refer to the description of the failover command for more information on this feature.

See also: failover, show failover.

Example

pixfirewall(config)# no failover
pixfirewall(config)# show failover
Failover Off
          This host: Primary - Active
      ...
pixfirewall(config)# no failover active
pixfirewall(config)# show failover
Failover Off
          This host: Primary - Standby
      ...
pixfirewall(config)# 

no global

Remove IP address from the global pool. (Configuration mode.)

no global global_id [ip_address]

Syntax Description

global_id

An identification number from 1 to 10 that groups global addresses for use by networks on the inside of the PIX Firewall.

ip_address

An IP address or a range of IP addresses previously entered with the global command.


Usage Guidelines

The no global command removes IP addresses from the global pool or from port address translation.


Note   If you remove a port address translation global, you must reboot the PIX Firewall.


Example

pixfirewall(config)# global 1 192.168.42.1-192.168.42.23
Some globals not created
pixfirewall(config)# show global
global 1 192.168.42.1-192.168.42.23
pixfirewall(config)# no global 1
pixfirewall(config)# show global
pixfirewall(config)# 

Note   Refer to the nat command description for a better example of global.


no http

Remove IP address access to the PIX Firewall HTML management interface. (Configuration mode.)

no http [ip_address [netmask]]

Syntax Description

ip_address

IP address of systems on the inside of the PIX Firewall that are able to access the PIX Firewall HTML management interface.

netmask

Network mask of ip_address. If you want to limit access to a single IP address, use 255 in each octet; for example, 255.255.255.255.


Usage Guidelines

The no http command lets you deny an IP address access to the PIX Firewall HTML management interface. This command is the same as clear http.


Note   If you specify no http without specifying an IP address, all HTTP access stops.


After you enter no http, current HTML sessions can view the pages in the network browser's memory, but if the user tries to reload the configuration interface, the network browser returns an error message and the screen goes blank.

If you immediately re-enter the http command, access to the HTML management interface is restored; reload the page in the browser to display it again.

See also: http, show http, passwd.

Example

pixfirewall(config)# no http 192.168.42.42
pixfirewall(config)# 


no link

Disable Private Link connection. (Configuration mode.)

no link remote_ip_address key-id [key]

Syntax Description

remote_ip_address

IP address of a PIX Firewall running Private Link.

key-id

The key number. Version 4 PIX Firewall supports up to seven Private Link encryption keys.

key

The 56-bit key (up to 14 hexadecimal digits) used to seed the encryption chip. This key must be the same on each host end of an encrypted link. The key consists of hexadecimal numbers; for example, fadebac. Select a unique key that is difficult to guess.


Usage Guidelines

The no link command disables a Private Link connection. Use show link to view link information. Refer to the description of the link command for more information on Private Link.

Removing the last key removes the link. You can only remove the link if all linkpath statements have already been removed.

See also: link, show link.

Example

pixfirewall(config)# no link 192.168.0.42 1
pixfirewall(config)# 

no linkpath

Disable Private Link destination IP address. (Configuration mode.)

no linkpath dest_net netmask remote_ip

Syntax Description

dest_net

The IP address of the destination network on the inside interface of the remote PIX Firewall of a Private Link.

netmask

Specify a subnet mask to apply to dest_net.

remote_ip

IP address of the remote PIX Firewall's outside network interface.


Usage Guidelines

The no linkpath command disables a Private Link connection to a remote PIX Firewall. Use show linkpath to view connection status. Refer to the description of the link command for more information on Private Link.

Improper use of this command can yield the error message "Path does not exist." This results from the no linkpath command being used for a link not previously created.

See also: link, linkpath.

Example

pixfirewall(config)# no linkpath 192.168.10.1 255.255.255.0 10.0.0.42
pixfirewall(config)# 

no lnko

Disable access to an older version 2 Private Link PIX Firewall. (Configuration mode.)

no lnko remote_global key

Syntax Description

remote_global

IP address from the global address pool.

key

The encryption key. Version 2 PIX Firewall supports one Private Link encryption key. The encryption key can be up to 56 bits in length (14 hexadecimal digits); for example, fadebac121b349.


Usage Guidelines

The no lnko command disables access to a version 2 Private Link PIX Firewall. Use show lnko to view Private Link status. Refer to the description of the link command for more information on Private Link.


Note   This command will be obsoleted in a future release.


Use random key values, not the ones shown in this document.

See also: link, lnko, lnkopath.

Example

pixfirewall(config)# no lnko 16.17.18.19 1a2b3c4dd4c3b2a1
pixfirewall(config)# 

no lnkopath

Disable a version 2 Private Link path to the remote PIX Firewall. (Configuration mode.)

no lnkopath dest_net netmask remote_global

Syntax Description

dest_net

The IP address of the destination network on the inside interface of the remote PIX Firewall of a Private Link.

netmask

Specify a subnet mask to apply to dest_net.

remote_global

IP address in the global pool of the remote PIX Firewall in a Private Link environment.


Usage Guidelines

The no lnkopath command disables the network paths for PIX Firewall version 2 Private Link connections.


Note   This command will be obsoleted in a future release.


See also: show lnkopath, lnko.

Example

pixfirewall(config)# no lnkopath 1.2.3.0 255.255.255.0 5.6.7.8
pixfirewall(config)# 

no mailhost

Remove mailhost. (Configuration mode.)

no mailhost

Usage Guidelines

This command clears mailhost entries.

Example

pixfirewall(config)# no mailhost
pixfirewall(config)# 

no mtu

Set MTU (maximum transmission unit) to default values. (Configuration mode.)

no mtu inside|outside

Syntax Description

inside

Reset outbound MTU value.

outside

Reset inbound MTU value.


Usage Guidelines

If the interface is Ethernet, the no mtu command resets the MTU value to 1500 bytes. If the interface is Token Ring, no mtu resets the MTU to 8192 bytes.

Example

pixfirewall(config)# interface token inside 4mbps
pixfirewall(config)# mtu inside 4464
pixfirewall(config)# show mtu
mtu outside 1500
mtu inside 4464
pixfirewall(config)# no mtu inside
pixfirewall(config)# show mtu
mtu outside 1500
mtu inside 8192
pixfirewall(config)# 

no name

Delete a mapping between an IP address and its name. (Configuration mode.)

no name ip_address [name]

Syntax Description

ip_address

The IP address associated with name.

name

A name to identify the IP address.


Usage Guidelines

The no name command deletes a name-to-IP address translation.

Example

In the following example, the name facility activates with the names command and then the name command associates http_host_1 with 192.168.42.54. The http_host_1 value is used in an http command and the results are displayed with the show http command. The no name command is then used to delete the name value. Note how in the next show http command only the http_host_1 label is removed, not the http definition itself.

pixfirewall(config)# names
enabling IP address to name conversion
pixfirewall(config)# name 192.168.42.54 http_host_1
pixfirewall(config)# http http_host_1
pixfirewall(config)# sho http
	http_host_1 255.255.255.255
pixfirewall(config)# no name 192.168.42.54
pixfirewall(config)# sho http
	192.168.42.54 255.255.255.255
pixfirewall(config)#

no names

Toggle off display of name command values. (Configuration mode.)

no names

Usage Guidelines

The no names command disables the name-to-IP address translation.

Use the clear names command to delete all name entries from the configuration.

Example

In the example that follows, the names command enables use of the name command. The name command substitutes pix_inside for references to 192.168.42.3, and pix_outside for 204.31.17.33. The ip address commands use these names while assigning IP addresses to the network interfaces. The no names command disables the name values from displaying. Subsequent use of the names command restores their display.

pixfirewall(config)# names
enabling IP address to name conversion
pixfirewall(config)# name 192.168.42.3 pix_inside
pixfirewall(config)# name 204.31.17.33 pix_outside
pixfirewall(config)# ip addr in pix_inside
pixfirewall(config)# ip addr out pix_outside
pixfirewall(config)# sho ip
inside ip address pix_inside mask 255.255.255.255
outside ip address pix_outside mask 255.255.255.255
pixfirewall(config)# no names
disabling IP address to name conversion
pixfirewall(config)# sho ip
inside ip address 192.168.42.3 mask 255.255.255.255
outside ip address 204.31.17.33 mask 255.255.255.255
pixfirewall(config)# names
enabling IP address to name conversion
pixfirewall(config)# sho ip
inside ip address pix_inside mask 255.255.255.255
outside ip address pix_outside mask 255.255.255.255
pixfirewall(config)# 

no nat

Disassociate a network with a pool of IP addresses. (Configuration mode.)

no nat global_id ip_address [netmask]

Syntax Description

global_id

A number in the range of 1 to 10 previously specified with the global command. Specify 0 to indicate that no address translation is to be used with ip_address.

ip_address

IP address of the network to which the global pool pertains.

netmask

Network mask for ip_address. The 0.0.0.0 value indicates that access is allowed to everyone.


Usage Guidelines

The no nat command disables a previous occurrence of the nat command.

See also: nat, show nat.

Example

pixfirewall(config)# no nat 1
pixfirewall(config)# 

no outbound

Remove an access list previously created with outbound. (Configuration mode.)

no outbound num permit|deny ip_address [netmask [port [-port]]]

Syntax Description

num

A tag number for the access list.

permit

Use if supplied in the outbound command. The permit keyword allows the access list to access the specified IP address and port.

deny

Use if supplied in the outbound command. The deny keyword denies the access list access to the specified IP address and port.

ip_address

The IP address for this access list entry.

netmask

The network mask for comparing with the IP address; 255.255.255.0 causes the access list to apply to an entire class C address. 0.0.0.0 disables all access.

port

A port or range of ports that the access list is permitted or denied access to.


Usage Guidelines

The no outbound command removes an access list. Use show outbound to view status.

See also: outbound, show outbound.

Example

pixfirewall(config)# no outbound
pixfirewall(config)# 

no radius-server

Remove all RADIUS servers. (Configuration mode.)

no radius-server host ip_address key

Syntax Description

ip_address

The IP address of the authentication server.

key

An alphanumeric keyword of up to 127 characters defined by what the authentication server accepts.


Usage Guidelines

Remove one or more RADIUS (Remote Authentication Dial-In User Service) servers.


Note   You must specify all the arguments to delete a single server.


See also: radius-server, show radius-server.

Example

pixfirewall(config)# rad host 192.168.42.42 whatakey!@#$%^&*
pixfirewall(config)# sho rad
radius-server host 192.168.42.42 whatakey!@#$%^&*
pixfirewall(config)# no rad
pixfirewall(config)# sho rad
pixfirewall(config)#

no rip

Disable RIP updates. (Configuration mode.)

no rip inside|outside default|passive

Syntax Description

inside

Modify RIP behavior on the inside interface.

outside

Modify RIP behavior on the outside interface.

default

Disable the default route broadcast on the specified interface.

passive

Disable passive RIP on either the inside or outside interface.


Usage Guidelines

The no rip command disables PIX Firewall IP routing table updates. The rip command enables IP routing table updates from received RIP (Routing Information Protocol) broadcasts. Use show rip to display the current RIP settings. The no rip command specified without arguments disables all RIP functionality.

Example

The following example disables default route broadcasts on the outside interface:

pixfirewall(config)# no rip outside default
pixfirewall(config)# 

no route

Remove an entry from the routing table. (Configuration mode.)

no route inside|outside dest_net_ip

Syntax Description

inside|outside

Specify either the inside or outside interface.

dest_net_ip

The destination network IP address.


Usage Guidelines

The no route command lets you remove an entry from the routing table.

Example

pixfirewall(config)# no route inside 192.168.42.0

no session

Suspend console access to an embedded AccessPro router. (Privileged mode.)

no session

Usage Guidelines

The no session command lets you complete a session command activity.

Exit the router console session by entering tilde-dot (~.). Press the tilde key and when you hear a bell sound from your terminal, press the dot key.

While a router console session is occurring, PIX Firewall disables failover because they both require the same interrupts. The no session command re-establishes failover.

See also: session, show session.

Example

This example enables an AccessPro session, starts the session, and then disables it.

pixfirewall(config)# session enable
Session has been enabled.
pixfirewall(config)# session

Warning: FAILOVER has been disabled!!!
Attempting session with embedded router, use ~. to quit!

acpro> ~.

pixfirewall(config)# no session
Session has been disabled
pixfirewall(config)# session
Session is not enabled
pixfirewall(config)# 

no snmp-server

Stop the PIX Firewall from sending SNMP event information. (Configuration mode.)

no snmp-server contact|location text

no snmp-server host ip_address

Syntax Description

contact

Indicate that you are supplying your name or that of the PIX Firewall system administrator.

location

Indicate that you are specifying your PIX Firewall location.

host

Indicate that you are specifying the IP address of the SNMP server.

text

When used with contact, your name or that of the PIX Firewall system administrator. When used with location, your PIX Firewall location. The string can be up to 128 characters. Spaces are accepted, but multiple spaces are shortened to a single space.

ip_address

When used with host, the IP address of the SNMP server.


Usage Guidelines

The no snmp-server command removes a previously specified snmp-server statement from the configuration. Use this command either to remove the information that SNMP reports, or to change an existing statement by clearing it and re-entering it with the snmp-server command.

Using SNMP, you can monitor system events on the PIX Firewall.

Example

The following example changes the name of the SNMP server coordinator to Anita Rodriguez.

pixfirewall(config)# no snmp-server contact
pixfirewall(config)# snmp-server contact ms. anita rodriguez
pixfirewall(config)# 

no static

Disable a permanent mapping between a local IP address and a global IP address. (Configuration mode.)

no static global_ip

Syntax Description

global_ip

A registered IP address.


Usage Guidelines

The no static command disables a permanent mapping (static translation slot) between a local IP address and a global IP address. A static address is a permanent mapping from a global, registered IP address to a local IP address inside the private network. Use show static to view static statements in the configuration.

See also: conduit, show static.

Example

pixfirewall(config)# no static
pixfirewall(config)# 

no syslog

Stop logging SYSLOG messages. (Configuration mode.)

no syslog console

no syslog host ip_address

no syslog output facility.level

Syntax Description

ip_address

SYSLOG host IP address.

facility

Eight facilities LOCAL0(16) through LOCAL7(23); the default is LOCAL4(20). Hosts file the messages based on the facility number in the message. Refer to the syslog output command for more information on the facilities.

level

Message type; sets the level above which PIX Firewall suppresses messages to the SYSLOG hosts. Setting the level to 3, for example, allows messages with levels 0, 1, 2, and 3 to display. The default is 3. The levels are:

0 — System unusable

1 — Take immediate action

2 — Critical condition

3 — Error message

4 — Warning message

5 — Normal but significant condition

6 — Informational

7 — Debug message


Usage Guidelines

The no syslog console command disables SYSLOG messages on the console. The no syslog host command disables sending SYSLOG messages to the specified host. The no syslog output command stops sending all SYSLOG messages. The no syslog command is the same as clear syslog.

See also: syslog, show syslog.

Example

pixfirewall(config)# no syslog console
pixfirewall(config)# 
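
The facility and level fields described for the syslog output command above can be modelled end to end: the firewall side decides which messages pass the level threshold, and the receiving host files what arrives by facility number. The Python below is an added example, not code from this reference or from Cisco. It assumes the numeric facility.level form (for example 20.3 for LOCAL4 at level 3), uses the standard syslog PRI encoding facility*8 + severity for the wire format, and the event texts are constructed placeholders rather than real PIX messages.

```python
# Facility/level model for the syslog output setting (added example, not PIX code).
LOCAL_FACILITIES = {16 + i: f"local{i}" for i in range(8)}   # LOCAL0(16) .. LOCAL7(23)
LEVEL_NAMES = ["System unusable", "Take immediate action", "Critical condition",
               "Error message", "Warning message", "Normal but significant condition",
               "Informational", "Debug message"]

# Constructed events as (level, text); the texts are placeholders, not real PIX messages.
SAMPLE_EVENTS = [
    (3, "pix: error-level event"),
    (6, "pix: informational event"),
    (2, "pix: critical-level event"),
    (7, "pix: debug-level event"),
]


def parse_output_setting(setting):
    """Parse the numeric 'facility.level' form, e.g. '20.3' (assumed numeric syntax)."""
    facility_s, level_s = setting.split(".")
    facility, level = int(facility_s), int(level_s)
    if facility not in LOCAL_FACILITIES or not 0 <= level <= 7:
        raise ValueError(f"unsupported syslog output setting {setting!r}")
    return facility, level


def would_send(configured_level, message_level):
    """Rule from the text: level N lets messages 0..N through and suppresses the rest."""
    return message_level <= configured_level


def pri(facility, severity):
    """Standard syslog PRI value: facility * 8 + severity."""
    return facility * 8 + severity


def emit(facility, level, events):
    """Firewall side: the wire lines that would leave the unit under facility.level."""
    return [f"<{pri(facility, sev)}>{text}" for sev, text in events if would_send(level, sev)]


def decode_pri(line):
    """Split '<165>text' into (facility, severity, text)."""
    if not line.startswith("<") or ">" not in line:
        raise ValueError("missing PRI field")
    end = line.index(">")
    value = int(line[1:end])
    return value >> 3, value & 7, line[end + 1:]


def file_by_facility(lines):
    """Receiver side: group lines by facility, as a host that files on the facility
    number would, keeping (severity, level name, text) for each message."""
    files = {}
    for line in lines:
        facility, severity, text = decode_pri(line)
        name = LOCAL_FACILITIES.get(facility, f"facility{facility}")
        files.setdefault(name, []).append((severity, LEVEL_NAMES[severity], text))
    return files


if __name__ == "__main__":
    facility, level = parse_output_setting("20.3")
    wire = emit(facility, level, SAMPLE_EVENTS)
    for name, messages in file_by_facility(wire).items():
        for severity, level_name, text in messages:
            print(f"{name}: [{severity} {level_name}] {text}")
```

With the default setting of 20.3, only the level 2 and level 3 events in the sample are sent, and both land in the receiver's local4 file; raising the level to 7 would also forward the informational and debug events, which is the trade-off between visibility and volume the level field controls.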

no tacacs-server

Remove all TACACS+ servers. (Configuration mode.)

no tacacs-server host ip_address key

Syntax Description

ip_address

The IP address of the authentication server.

key

An alphanumeric keyword of up to 127 characters defined by what the authentication server accepts.


Usage Guidelines

Remove one or more TACACS+ (Terminal Access Controller Access Control System) servers.

See also: tacacs-server, show tacacs-server.


Note   You must specify all the arguments to delete a single server.


Example

pixfirewall(config)# tac host 192.168.42.42 whatakey!@#$%^&*
pixfirewall(config)# sho tac
tacacs-server host 192.168.42.42 whatakey!@#$%^&*
pixfirewall(config)# no tac
pixfirewall(config)# sho tac
pixfirewall(config)#

no telnet

Disable Telnet access to the PIX Firewall console. (Privileged mode.)

no telnet ip_address [netmask]

Syntax Description

ip_address

The IP address or network of a host that is authorized to access the PIX Firewall Telnet console.

netmask

The netmask for the network ip_address. Use a network IP address to enable access to all in the subnet; for example, if you set netmask to 255.255.255.0, all systems in the subnet can access the firewall over Telnet. If you set netmask to 255.255.255.255, only the IP address you specify can access the firewall.


Usage Guidelines

The no telnet command lets you disable access to the PIX Firewall console via Telnet. The show telnet command displays the current list of IP addresses authorized to access the PIX Firewall console. Use the who command to view which IP addresses are currently accessing the firewall. The no telnet command is the same as the clear telnet command.

See also: telnet, who.

Example

pixfirewall(config)# no telnet 192.168.42.2 255.255.255.255
pixfirewall(config)# 

outbound

Create an access list for controlling Internet use. (Configuration mode.)

outbound num permit|deny ip_address [netmask [port[-port]]] [java]

Syntax Description

num

A tag number for the access list.

permit

Allow the access list to access the specified IP address and port.

deny

Deny the access list access to the specified IP address and port.

ip_address

The IP address for this access list entry.

netmask

The network mask for comparing with the IP address; 255.255.255.0 causes the access list to apply to an entire class C address. 0.0.0.0 indicates all access. The 0.0.0.0 netmask can be abbreviated as 0.

port

A port or range of ports that the access list is permitted or denied access to.

java

Block Java applets being downloaded from ip_address depending on use of the apply command. Java applets are permitted by default and do not have to be explicitly permitted.


Usage Guidelines

The outbound command creates an access list that determines how inside IP addresses can access outside activities. Use with the apply command to specify whether an access list applies to the outside network, or to downloading information from a remote source to the inside network. If you do not use apply with an outbound list, the outbound rules are not enforced.

If no outbound lists are specified, the default behavior is to permit outbound traffic from inside hosts provided appropriate globals are provided.

Do not specify more than one outbound statement for the same outbound list because each additional command stays in the configuration.


Note   If you permit access to port 80 (http), this also permits Java applets to be downloaded. You must have a specific deny statement to block Java applets.


The maximum number of outbound access lists is 1000.

See also: apply, show outbound.

Example

The following commands prevent host 192.168.1.49 from accessing the World Wide Web (port 80).

pixfirewall(config)# outbound 11 deny 192.168.1.49 255.255.255.255 80
pixfirewall(config)# apply 11 outgoing_src

If your employees are spending too much time examining GIF images on a particular site with two web servers, you can use the following lines to restrict this access:

pixfirewall(config)# outbound 12 deny 192.168.146.201 255.255.255.255 80
pixfirewall(config)# outbound 12 deny 192.168.146.202 255.255.255.255 80
pixfirewall(config)# apply 12 outgoing_dest
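
The rule above that an outbound list is not enforced until an apply statement refers to it, together with the netmask semantics given for the telnet and http commands (255.255.255.255 limits an entry to one host), can be checked mechanically before a configuration is loaded. The following Python script is an added example for this reference, not PIX software or Cisco code. The configuration it reads is a constructed sample, and the finding wording, the rejection of malformed masks, and the choice to treat any console-access mask wider than a single host as a warning are the example's own.

```python
# Audit of PIX outbound/apply and telnet/http statements (added example, not PIX code).
import re

# Constructed sample configuration; the addresses are placeholders, not from a real unit.
SAMPLE_CONFIG = """\
outbound 11 deny 192.168.1.49 255.255.255.255 80
apply 11 outgoing_src
outbound 12 deny 192.168.146.201 255.255.255.255 80
outbound 12 deny 192.168.146.202 255.255.255.255 80
apply 12 outgoing_dest
outbound 13 deny 10.20.30.0 255.255.255.0 23
telnet 192.168.42.2 255.255.255.255
telnet 192.168.42.0 255.255.255.0
http 192.168.42.42
http 10.0.0.0 255.0.0.0
"""

OUTBOUND_RE = re.compile(r"^outbound\s+(\d+)\s+(permit|deny)\s+(\S+)(?:\s+(\S+))?")
APPLY_RE = re.compile(r"^apply\s+(\d+)\s+(outgoing_src|outgoing_dest)\b")
MGMT_RE = re.compile(r"^(telnet|http)\s+(\S+)(?:\s+(\S+))?")
HOST_MASK = 0xFFFFFFFF  # 255.255.255.255: exactly one address


def parse_mask(mask):
    """Return the netmask as an int, or None if it is not four octets of contiguous
    leading ones (this rejects 255.255.255.255.0 and 255.0.255.0 alike)."""
    parts = mask.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        return None
    value = int.from_bytes(bytes(int(p) for p in parts), "big")
    inverted = ~value & HOST_MASK
    # a contiguous mask inverts to 2**k - 1, which shares no bit with 2**k
    return None if inverted & (inverted + 1) else value


def audit(config_text):
    """Return (severity, message) findings, in the order the issues are found."""
    findings = []
    outbound_lists = {}
    applied = set()
    for raw in config_text.splitlines():
        line = raw.strip()
        m = OUTBOUND_RE.match(line)
        if m:
            num, mask = int(m.group(1)), m.group(4)
            outbound_lists.setdefault(num, []).append(line)
            if mask is not None and parse_mask(mask) is None:
                findings.append(("error", f"outbound {num}: invalid netmask {mask}"))
            continue
        m = APPLY_RE.match(line)
        if m:
            applied.add(int(m.group(1)))
            continue
        m = MGMT_RE.match(line)
        if m:
            # http and telnet default to a single-host mask when none is given
            cmd, host, mask = m.group(1), m.group(2), m.group(3) or "255.255.255.255"
            mask_value = parse_mask(mask)
            if mask_value is None:
                findings.append(("error", f"{cmd} {host}: invalid netmask {mask}"))
            elif mask_value != HOST_MASK:
                findings.append(("warn", f"{cmd} {host} {mask}: admits a whole subnet "
                                 f"to the {cmd} console rather than a single host"))
    for num in sorted(outbound_lists):
        if num not in applied:
            findings.append(("warn", f"outbound list {num} has no apply statement, so its "
                             f"{len(outbound_lists[num])} entries are not enforced"))
    for num in sorted(applied - set(outbound_lists)):
        findings.append(("warn", f"apply {num} refers to an outbound list with no entries"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run against the sample, the audit reports the /24 telnet entry, the /8 http entry, and outbound list 13, which has entries but no apply statement and therefore does nothing. The same parse_mask check would have caught the five-octet mask that can slip into a typed lnkopath or linkpath statement.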

passwd

Set password for Telnet and HTTP access to the firewall console. (Privileged mode.)

passwd password

Syntax Description

password

A password of up to 15 alphanumeric characters, which is not case sensitive. PIX Firewall converts the password to all lowercase.


Usage Guidelines

The passwd command sets a password for Telnet and HTTP (HTML, Web) access to the firewall console. An empty password is also changed into an encrypted string. The default configuration contains plain text passwords, which you can see with show config. However, any use of a write command displays or writes the passwords in encrypted form. Once passwords are encrypted, they are not reversible back to plain text.

For this reason, always keep a floppy disk with the plain text password available to boot from in the event the encrypted version is forgotten.

If you downgrade your system to version 3, you must use the encrypted form of the password.


Note   Write down the new password and store it in a manner consistent with your site's security policy. Once you change this password, you cannot view it again.


See also: enable password.

Example

pixfirewall# passwd watag00s1am
pixfirewall# show passwd
passwd 2KFQnbNIdI,2KYOU encrypted
pixfirewall# 

ping

Determine if other IP addresses are visible from the PIX Firewall. (Privileged mode.)

ping inside|outside ip_address

Syntax Description

ip_address

The IP address of a host on the inside or outside networks.


Usage Guidelines

The ping command determines if the PIX Firewall has connectivity or if a host is available on the network. The command output shows if the response was received; that is, that the host exists on the network. If the host is not responding, ping displays "no response received." Use show interface to ensure that the PIX Firewall is connected to the network and has connectivity.


Note   You cannot ping the opposite PIX Firewall interface from your current interface.


Example

The command displays three attempts to reach an IP address:

pixfirewall(config)# ping inside 192.168.42.54
192.168.42.54 response received - nnMs
192.168.42.54 response received - nnMs
192.168.42.54 response received - nnMs

radius-server host

Specify a RADIUS server. (Privileged mode.)

radius-server host ip_address key

Syntax Description

ip_address

The IP address of the authentication server.

key

An alphanumeric keyword of up to 127 characters defined by what the authentication server accepts. This is a public key between the client and server for encrypting data between them. The key must be the same on both the client and server systems. PIX Firewall changes to lowercase any letters in the key. Spaces are not permitted in the key, but other special characters are.


Usage Guidelines

Specify a RADIUS (Remote Authentication Dial-In User Service) server. Use show radius-server to examine the information. Up to 16 servers are permitted. Servers are used in the order entered in the configuration. If the server is off-line or fails, the next server is checked. This continues until a working server is found.

See also: no radius-server, show radius-server.

Example

pixfirewall(config)# radius-server host 192.168.42.42 whatakey!@#$%^&*
pixfirewall(config)# show radius-server
radius-server host 192.168.42.42 whatakey!@#$%^&*
pixfirewall(config)# 

reload

Reboot and reload the configuration. (Privileged mode.)

reload

Usage Guidelines

The reload command reboots the PIX Firewall and reloads the configuration from a bootable floppy disk or, if a floppy disk is not present, from flash memory.


Note   You are prompted for confirmation before starting with "Proceed with reload?". Any response other than n causes the reboot to occur.

If a bootable floppy disk is in the PIX Firewall, during installation, you will be prompted to enter an activation key.


Example

pixfirewall# reload
Proceed with reload?  [confirm] y

Rebooting...

rip

Change RIP settings. (Configuration mode.)

rip inside|outside default|passive

Syntax Description

inside

Modify RIP behavior on the inside interface.

outside

Modify RIP behavior on the outside interface.

default

Cause PIX Firewall to broadcast a default route on the inside network.

passive

Enable passive RIP on either the inside or outside interface. The PIX Firewall listens for RIP routing broadcasts and uses that information to populate its routing tables.


Usage Guidelines

The rip passive command enables IP routing table updates from received RIP (Routing Information Protocol) broadcasts. Use show rip to display the current RIP settings. Use no rip to disable PIX Firewall IP routing table updates. The default is to enable IP routing table updates.

Examples

pixfirewall(config)# show rip
rip outside passive
no rip outside default
rip inside passive
no rip inside default
pixfirewall(config)# rip inside default 
pixfirewall(config)# show rip
rip outside passive
no rip outside default
rip inside passive
rip inside default

route

Enter a static route for the specified interface. (Configuration mode.)

route inside|outside dest_net_ip netmask gateway_ip [metric]

Syntax Description

inside|outside

Specify the interface.

dest_net_ip

The destination network IP address. Use 0.0.0.0 to specify a default route. The 0.0.0.0 IP address can be abbreviated as 0.

netmask

Specify a network mask to apply to dest_net_ip. Use 0.0.0.0 to specify a default route. The 0.0.0.0 netmask can be abbreviated as 0.

gateway_ip

Specify the IP address of the gateway router (the next hop address for this route).

metric

Specify the number of hops to dest_net_ip. If you are not sure, enter 1. Your network administrator can supply this information or you can use a traceroute command to obtain the number of hops. The default is 1 if a metric is not specified.


Usage Guidelines

Use the route command to enter static routes for an interface. To enter a default route, set dest_net_ip and netmask to 0.0.0.0. All routes entered using the route command are stored in the configuration when it is saved. Refer to the write command for more information.

Example

pixfirewall(config)# route inside 192.168.42.0 255.255.255.0 192.168.88.1 
pixfirewall(config)# route outside 0 0 10.10.1.1 1
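
To show how route statements in the form above, including the abbreviated 0 0 default route and the optional metric, select a next hop for a given destination, the Python below is an added example rather than PIX code. It assumes the usual IP forwarding rule of longest matching prefix with the lower metric breaking ties, and the route statements it parses are a constructed sample.

```python
# Static-route selection over route statements (added example, not PIX code).
import ipaddress

# Constructed route statements in the form this reference describes.
SAMPLE_ROUTES = """\
route inside 192.168.42.0 255.255.255.0 192.168.88.1
route inside 192.168.0.0 255.255.0.0 192.168.88.2 2
route outside 0 0 10.10.1.1 1
"""


def expand_zero(token):
    """The reference allows 0 as an abbreviation of 0.0.0.0 for dest_net_ip and netmask."""
    return "0.0.0.0" if token == "0" else token


def parse_routes(text):
    """Parse route statements into dicts; the default metric is 1 when omitted."""
    routes = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 5 or parts[0] != "route":
            continue
        dest, mask = expand_zero(parts[2]), expand_zero(parts[3])
        routes.append({
            "interface": parts[1],
            "network": ipaddress.IPv4Network((dest, mask), strict=False),
            "gateway": parts[4],
            "metric": int(parts[5]) if len(parts) > 5 else 1,
        })
    return routes


def lookup(routes, destination):
    """Longest-prefix match, lowest metric on ties (the usual IP forwarding rule,
    assumed here for PIX). Returns None if no route covers the destination."""
    addr = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if addr in r["network"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["network"].prefixlen, -r["metric"]))


def default_routes(routes):
    """Routes with a 0.0.0.0 0.0.0.0 destination; more than one is worth a second look."""
    return [r for r in routes if r["network"].prefixlen == 0]


if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTES)
    for dest in ("192.168.42.7", "192.168.5.5", "203.0.113.9"):
        r = lookup(table, dest)
        print(dest, "->", r["interface"], r["gateway"], f"metric {r['metric']}")
```

In the sample, 192.168.42.7 takes the /24 route even though the /16 route also covers it, 192.168.5.5 falls to the /16, and anything else goes to the default route on the outside interface; with no default route configured, lookup returns None for an uncovered destination rather than guessing.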

session

Access an embedded AccessPro router console. (Privileged mode.)

session enable


Note   Only use this command if you have an AccessPro router installed in your PIX Firewall.


Syntax Description

enable

Enable the session command for communications with the AccessPro router.


Usage Guidelines

The session command lets you send Cisco IOS commands to an AccessPro router installed in your PIX Firewall. Use COM port 4 on the AccessPro router to communicate with the PIX Firewall.

Exit the router console session by entering tilde-dot (~.). Press the tilde key and when you hear a bell sound from your terminal, press the dot key.

While a router console session is occurring, PIX Firewall disables failover because they both require the same interrupts.

See also: no session, show session.

Example

This example enables an AccessPro session, starts the session, and then disables it.

pixfirewall(config)# session enable
Session has been enabled.
pixfirewall(config)# session

Warning: FAILOVER has been disabled!!!
Attempting session with embedded router, use ~. to quit!

acpro> ~.

pixfirewall(config)# no session
Session has been disabled
pixfirewall(config)# session
Session is not enabled
pixfirewall(config)# 

show

View command information. (Differs by mode.)

show

show ?

Usage Guidelines

The show command without arguments or the show ? command lets you view the names of the show commands and their descriptions.

When you use this command, 22 lines display and the listing pauses with the following prompt:

<--- More --->

The More prompt uses the same syntax as the UNIX more command:

To view another screenful, press the Space bar.

To view the next line, press the Enter key.

To return to the command line, press the q key.

Example

pixfirewall> show
aaa	Set Authentication and Authorization parameters
actkey	Display activation key
age	Age PIX Private Link keys
alias	Administer Local Address Translations (Dual NAT)
apply	Apply outbound lists
arp	ARP table manipulation
blocks	System buffer utilization
conduit	Add/remove conduits to static translations
configure	Configure from terminal, floppy, or memory
conn	Display connection information
established	Allow return connections based on established connections
failover	Administer Failover
global	Enter global network addresses, or designate PAT address
http	Add authorized IP addresses for http access to PIX
hw	Hardware identification
interface	Interface configuration
ip	Set ip address for specified interface
link	Establish an encrypted PIX Private Link
linkpath	Set the network paths for Private Links
lnko	Establish an encrypted PIX Private Link (OLD)
lnkopath	Set the network paths for Private Links (OLD)
mailhost	Add/Remove mailhosts
memory	System memory utilization
mtu	Interface MTU configuration
names	Enable, disable or display IP address to name conversion
nat	Administer Address Translations
outbound	Create outbound lists
passwd	Change Telnet and HTTP console access password
processes	Display processes
radius-server	Configure a RADIUS server
rip	Broadcast default route or passive RIP
route	Set the network default router
session	Internal router console
snmp-server	Administer SNMP daemon
static	Reserve a local to global address translation table entry
syslog	Log messages to SYSLOG server
tacacs-server	Configure a TACACS+ server
telnet	Add authorized IP addresses for telnet access to PIX
timeout	Set the maximum idle time for translation and connection slots
uauth	Display or clear current user authorization information
version	Display PIX system software version and build number
who	Show active administration sessions on PIX
xlate	Display current translation and connection slot information
pixfirewall(config)#

show aaa

Display authentication and authorization configuration statements. (Unprivileged mode.)

show aaa

Usage Guidelines

The show aaa command displays the aaa commands in the configuration.

Example

pixfirewall> show aaa
aaa authentication any outbound 204.31.17.42 255.255.255.255 radius
aaa authorization any outbound 204.31.17.42 255.255.255.255
pixfirewall>

show actkey

Show activation key and number of connection licenses. (Unprivileged mode.)

show actkey

Usage Guidelines

The show actkey command displays the activation key and number of licensed connections for your PIX Firewall. When you install new software, PIX Firewall prompts you for an activation key. Use this command to view the activation key after you have completed the installation. Write this number down in the space that follows so that it is available the next time you upgrade your unit:

Example

pixfirewall> show actkey
Activation Key: 0xfadebacc 0x42424242 0xa1b2c3d4 0xe5f6a1b2
Connections:    16384

show age

Show duration of Private Link key aging. (Unprivileged mode.)

show age

Usage Guidelines

The show age command shows the current length of time that a Private Link key encrypts communications between the local and remote PIX Firewall units. Refer to the link command for more information on Private Link.

Example

pixfirewall> show age
Private Link Key Aging: 10 minutes

show alias

Show dual NAT local address translations. (Unprivileged mode.)

show alias

Usage Guidelines

The show alias command shows the dual NAT local address translations.

Example

pixfirewall> show alias
alias 10.2.3.0 10.4.5.0
pixfirewall> 

show apply

View outbound access list to an IP address. (Unprivileged mode.)

show apply [number outgoing_src|outgoing_dest]

Syntax Description

number

View access lists by an identification number previously created with the outbound command.

outgoing_src

View access lists by the source address on packets traversing the PIX Firewall.

outgoing_dest

View access lists by the destination address on packets traversing the PIX Firewall.


Usage Guidelines

The show apply command lets you view outbound access lists collectively or you can search for lists by number or with the outgoing_src or outgoing_dest keywords.

See also: apply.

Example

pixfirewall> show apply
apply 1 outgoing_src
pixfirewall> 

show arp

Display ARP table. (Unprivileged mode.)

show arp [inside|outside ip_address mac_address alias]

Syntax Description

inside

PIX Firewall inside network interface ARP table.

outside

PIX Firewall outside network interface ARP table.

ip_address

IP address.

mac_address

Hardware MAC address for the ARP table entry.

alias

Permanent ARP entry.


Usage Guidelines

The show arp command without arguments displays all inside and outside network interfaces' ARP tables, aliased or not. show arp inside displays all inside ARPs, aliased or not. show arp inside ip_address displays the IP address if it exists. show arp inside 0 alias displays all aliased ARP entries for the inside network interface ARP table (0 is used as a place holder for wild card). show arp inside 0 mac_address finds and displays the ARP entry that matches the MAC address.

Example

pixfirewall> show arp
	     inside 192.168.89.113 0020.af29.51b0

show arp timeout

Display number of seconds that an ARP entry can remain in the ARP table. (Unprivileged mode.)

show arp timeout

Usage Guidelines

The show arp timeout command lets you view the number of seconds that an ARP entry remains in the ARP table before expiring. Set the duration with the arp command. The default is 14400 seconds (4 hours).

Example

pixfirewall> show arp timeout
arp timeout 14400 seconds

show blocks

Show system buffer utilization. (Unprivileged mode.)

show blocks

Usage Guidelines

The show blocks command lists system buffer utilization.

Example

pixfirewall> show blocks
  SIZE    MAX    LOW    CNT
     4   1600   1598   1600
    80    100     94     97
   256     80     79     80
  1550    800    791    800
 64000     16     16     16

show conduit

Show conduits through firewall for incoming connections. (Unprivileged mode.)

show conduit

Usage Guidelines

The show conduit command output contains the following information:

global_ip

The IP address from the global pool associated with this conduit.

port

Destination port number into which connections are permitted on the inside machine. Port values are defined by RFC 1700.

protocol

tcp or udp.

ip_address

IP address (host or network) from which to permit incoming connections (0.0.0.0 is any host).

netmask

Network mask of ip_address.


Example

pixfirewall> show conduit
conduit 192.168.42.1 80 tcp 10.10.10.1 255.255.255.255

show configure

View configuration in flash memory. (Privileged mode.)

show configure

Usage Guidelines

The show configure command displays the configuration in flash memory. Use write term to view the current configuration in RAM memory.

See also: write term.

Example

pixfirewall# show configure
:  Saved
... config commands ...
:  End

show conn

Display connection information. (Unprivileged mode.)

show conn

Usage Guidelines

The show conn command displays the number of active TCP connections. Refer to Chapter 1, "Connection Licenses" for more information about how applications use TCP connections. You can use show actkey to list the total number of connections in your connection license, or you can derive the value from show conn by adding the "in use" and "remain" values.

Example

pixfirewall> show conn
32 in use, 32 remain, 48 most used
pixfirewall> show actkey
Activation Key: 0x0 0x0 0x0 0x0
Connections:                      64
pixfirewall>

show established

View established command statements in the configuration. (Configuration mode.)

show established

Usage Guidelines

This command displays the established command statements in the configuration.

Example

pixfirewall(config)# established tcp
pixfirewall(config)# show established
established tcp
pixfirewall(config)#

show failover

Show status of optional failover feature. (Unprivileged mode.)

show failover

Usage Guidelines

The show failover command lists the following information:

Failover status. If on, then the failover command has enabled the feature.

Active or standby modes. One PIX Firewall needs to be in active mode and the other in standby.

Cable status. If the cable is not connected or not a Cisco failover cable, this message provides its status.

Rx cnt. The number of received packets for the current 15 second interval.

Uptime. How long the interface has been active.

See also: failover.

Example

pixfirewall> show failover
Failover On
        This host: Secondary - Active
        Other host: Secondary - Standby
        Cable status: 0x2 - My side not connected
        Outside Interface
                this host:  Rx cnt 0    Uptime 12975
                other host: Rx cnt 0    Uptime 0
        Inside Interface
                this host:  Rx cnt 0    Uptime 12975
                other host: Rx cnt 0    Uptime 0
pixfirewall>

show global

View global commands in the configuration. (Unprivileged mode.)

show global

Usage Guidelines

The show global command lists the contents of the global command statements in the configuration.

See also: global.

Example

pixfirewall> show global
global 1 192.168.88.1-192.168.88.7
pixfirewall>

show http

View which IP addresses can access the PIX Firewall HTML management interface. (Unprivileged mode.)

show http

Usage Guidelines

The show http command lists the IP addresses that can access the PIX Firewall HTML management interface.

See also: http.

Example

pixfirewall> show http
        192.168.89.111 255.255.255.255
        192.168.89.113 255.255.255.255
pixfirewall>

show hw

Display hardware identification values. (Unprivileged mode.)

show hw

Usage Guidelines

The show hw command lets you view hardware identification information.

Example

pixfirewall> show hw
Hardware ID: 0x52c 0x1bf 19126
pixfirewall>

show interface

View network interface information. (Unprivileged mode.)

show interface

Usage Guidelines

The show interface command lets you view network interface information for both Ethernet and Token Ring depending on which is installed in your PIX Firewall. This is the first command that you should use whenever you are attempting to get connectivity with the rest of your network.

The information in the display is as follows:

"ethernet" (or token-ring) indicates that you have used the interface command to configure the interface. The statement indicates either outside or inside and whether the interface is available ("up") or not available ("down").

"line protocol up" means a working cable is plugged into the network interface. If the message is "line protocol down," either the cable is incorrect or not plugged into the interface connector.

Network interface type and its MAC address. Intel cards start with "i," and 3Com cards with "3c."

MTU (maximum transmission unit): the size in bytes of the largest unit of data that can be sent over the network in one frame.

"nn packets input" indicates that packets are being received in the firewall.

"nn packets output" indicates that packets are being sent from the firewall.

Line duplex status: half duplex indicates that the network interface switches back and forth between sending and receiving information; full duplex indicates that the network interface can send or receive information simultaneously.

Line speed: 10baseT is listed as 10000 Kbit; 100baseTX is listed as 100000 Kbit.

Interface problems:

no buffer, the PIX Firewall is out of memory or slowed down due to heavy traffic and cannot keep up with the received data. If these errors appear, reboot your PIX Firewall.

runts are packets with less information than expected.

giants are packets with more information than expected.

CRC (cyclic redundancy check) are packets containing corrupted data (checksum error).

frame errors are framing errors.

ignored and abort errors are provided for future use, but are not currently checked; the PIX Firewall does not ignore or abort frames.

underruns occur when the PIX Firewall is overwhelmed and cannot get data fast enough to the network interface card. This problem is only noticeable on the Intel network interface cards because data can be sent before a full frame is sent. The 3Com cards only transmit after receiving a full frame.

overruns occur when the network interface card is overwhelmed and cannot buffer received information before more needs to be sent.

Example

pixfirewall> show interface
ethernet outside is up, line protocol is up
  Hardware is i82557 ethernet, address is 00a0.c90a.eb4d
  MTU 1500 bytes, BW 10000 Kbit half duplex
        798 packets input, 35112 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        798 packets output, 35112 bytes, 0 underruns
ethernet inside is up, line protocol is up
  Hardware is i82557 ethernet, address is 00a0.c90a.eb43
  MTU 1500 bytes, BW 10000 Kbit half duplex
        1071 packets input, 71410 bytes, 0 no buffer
        Received 232 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        1071 packets output, 71410 bytes, 0 underruns
pixfirewall>
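The usage guidelines above describe the show interface fields one by one; an operator who collects this output regularly wants the counters parsed and the problem counters flagged automatically. The following Python is an added example, not Cisco code and not part of the original reference: it parses a constructed copy of the output above (the inside interface's counters were altered to non-zero values so there is something to flag) and reports down interfaces and any non-zero error counter named in the guidelines.

```python
import re

# Constructed sample modelled on the show interface output above; the "inside"
# counters were altered to non-zero values so the checks below have something to flag.
SAMPLE = """\
ethernet outside is up, line protocol is up
  Hardware is i82557 ethernet, address is 00a0.c90a.eb4d
  MTU 1500 bytes, BW 10000 Kbit half duplex
          798 packets input, 35112 bytes, 0 no buffer
          Received 0 broadcasts, 0 runts, 0 giants
          0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
          798 packets output, 35112 bytes, 0 underruns
ethernet inside is up, line protocol is down
  Hardware is i82557 ethernet, address is 00a0.c90a.eb43
  MTU 1500 bytes, BW 10000 Kbit half duplex
          1071 packets input, 71410 bytes, 3 no buffer
          Received 232 broadcasts, 0 runts, 2 giants
          5 input errors, 5 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
          1071 packets output, 71410 bytes, 1 underruns
"""

HEADER_RE = re.compile(r"^(ethernet|token-ring) (\w+) is (up|down), line protocol is (up|down)")
HARDWARE_RE = re.compile(r"^Hardware is (\S+) \S+, address is ([0-9a-f.]+)")
MTU_RE = re.compile(r"^MTU (\d+) bytes, BW (\d+) Kbit (half|full) duplex")
# "N label, N label, ..." pairs; the label runs up to the next comma or the end of the line.
COUNTER_RE = re.compile(r"(\d+) ([A-Za-z][A-Za-z ]*?)(?:,|$)")

# Counters the usage guidelines list under "Interface problems", plus the input error total.
ERROR_COUNTERS = ("no buffer", "runts", "giants", "CRC", "frame", "input errors", "overrun", "underruns")


def parse_show_interface(text):
    """Parse show interface output into {name: {status, line_protocol, hardware, mac, mtu, ..., counters}}."""
    interfaces = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = {"type": m.group(1), "status": m.group(3),
                       "line_protocol": m.group(4), "counters": {}}
            interfaces[m.group(2)] = current
            continue
        if current is None or not line:
            continue
        m = HARDWARE_RE.match(line)
        if m:
            current["hardware"], current["mac"] = m.group(1), m.group(2)
            continue
        m = MTU_RE.match(line)
        if m:
            current["mtu"], current["bw_kbit"], current["duplex"] = int(m.group(1)), int(m.group(2)), m.group(3)
            continue
        if line.startswith("Received "):          # "Received 0 broadcasts, 0 runts, 0 giants"
            line = line[len("Received "):]
        direction = "input" if "packets input" in line else "output" if "packets output" in line else None
        for count, label in COUNTER_RE.findall(line):
            label = label.strip()
            if label == "bytes" and direction:       # keep input and output byte counts apart
                label = f"bytes {direction}"
            current["counters"][label] = int(count)
    return interfaces


def interface_problems(interfaces):
    """Return findings an operator should look at: down interfaces and non-zero error counters."""
    findings = []
    for name, info in interfaces.items():
        if info["status"] != "up" or info["line_protocol"] != "up":
            findings.append(f"{name}: interface {info['status']}, line protocol {info['line_protocol']}")
        for key in ERROR_COUNTERS:
            n = info["counters"].get(key, 0)
            if n:
                findings.append(f"{name}: {n} {key}")
    return findings


if __name__ == "__main__":
    for finding in interface_problems(parse_show_interface(SAMPLE)):
        print(finding)
```

Run against the constructed sample it reports nothing for outside and six findings for inside (the line protocol state plus the no buffer, giants, CRC, input errors and underruns counters). A "no buffer" finding is the one the guidelines say should prompt a reboot, so it is worth alerting on separately in a real monitor.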

show ip address

Display the IP address of the PIX Firewall. (Unprivileged mode.)

show ip address

Usage Guidelines

The show ip address command displays the IP address of the PIX Firewall.

Example

pixfirewall> show ip address
inside ip address 1.2.3.4 mask 255.255.255.0
outside ip address 5.6.7.8 mask 255.255.255.0
pixfirewall>

show link

View Private Link remote IP address and interface status. (Unprivileged mode.)

show link

Usage Guidelines

The show link command lets you view the remote Private Link's IP address, each encryption key, and the number of packets sent and received ("nn out, nn in").

Example

pixfirewall> show link

Foreign IP      KeyID   Key
192.168.42.2    1       0x00000000002222
                2       0x00000000001111
                3       0x00000000003333
                4       0x00000000004444
                20 out, 20 in
pixfirewall>

show linkpath

View Private Link connection information. (Unprivileged mode.)

show linkpath

Usage Guidelines

The show linkpath command lets you view the IP address of the outside interface on the remote PIX Firewall (Foreign IP), the IP address of the network served by the remote firewall, and the network mask of the foreign network.

Example

pixfirewall> show linkpath
Foreign IP      Foreign Network   Mask
192.168.31.33   11.0.0.0          255.0.0.0
pixfirewall>

show lnko

View version 2 Private Link information. (Unprivileged mode.)

show lnko

Usage Guidelines

The show lnko command lets you view the IP of the outside interface on the remote PIX Firewall (Foreign IP), the local IP address, and the encryption key.


Note   This command will be obsoleted in a future release.


See also: lnko, lnkopath.

Example

pixfirewall> show lnko

      Foreign IP        Local IP    Key
      1.2.3.4            5.6.7.8     fadebac
pixfirewall>

show lnkopath

View version 2 Private Link information. (Unprivileged mode.)

show lnkopath

Usage Guidelines

The show lnkopath command lets you view the remote IP address, the remote network address, and the network mask.

See also: lnko, lnkopath.

Example

pixfirewall> show lnkopath
        Foreign IP  Foreign Network         Mask
        1.2.3.4      5.6.7.8                   255.255.255.0
pixfirewall>

show mailhost

Show mail host entries. (Unprivileged mode.)

show mailhost

Usage Guidelines

The show mailhost command shows the mail hosts.

Example

pixfirewall> show mailhost
mailhost 192.168.23.1 10.1.42.1 20
pixfirewall> 

show memory

Show system memory utilization. (Unprivileged mode.)

show memory

Usage Guidelines

The show memory command displays a summary of the maximum physical memory and current free memory available to the PIX Firewall operating system. Memory in PIX Firewall is preallocated and the amount of free memory should never change.

Example

pixfirewall> show memory
nnnnnnnn bytes total, nnnnnnn bytes free
pixfirewall>

show mtu

Display MTU (maximum transmission unit) values. (Unprivileged mode.)

show mtu

Usage Guidelines

Display the MTU values for the outside and inside interfaces. The MTU value sets the size of data sent on a connection. Data larger than the value is fragmented before being sent.

See also: mtu, show interface.

Example

pixfirewall> show mtu
mtu outside 1500
mtu inside 1500
pixfirewall>

show nat

View nat statement information from the configuration. (Unprivileged mode.)

show nat

Usage Guidelines

The show nat command lets you view the contents of the nat statements in the configuration.

See also: nat.

Example

pixfirewall> show nat
nat 1 0.0.0.0 0.0.0.0
pixfirewall>

show outbound

View outbound statement information in configuration. (Unprivileged mode.)

show outbound

Usage Guidelines

The show outbound command lets you view the contents of the previously entered outbound statements in your configuration.

See also: outbound.

Example

pixfirewall> show outbound
outbound   1 permit 192.168.42.1 255.255.255.255 80-80
outbound   2 deny 192.168.42.1 255.255.255.255 80-80
pixfirewall>

show passwd

View the password you entered with the passwd command. (Privileged mode.)

show passwd

Usage Guidelines

The show passwd command displays the encrypted form of the password. This password permits access to the PIX Firewall console with Telnet and to the HTTP configuration facility, which you access with a network browser such as Netscape Navigator.

See also: passwd, enable password, telnet, http, write term.

Example

pixfirewall# passwd moo
pixfirewall# show passwd
passwd 2AwookieMI.NOWY encrypted
pixfirewall#

show processes

Display processes. (Unprivileged mode.)

show processes

Usage Guidelines

The show processes command displays a summary listing of running processes. Processes are lightweight threads requiring only a few instructions to switch. In the listing, PC is the program counter, SP is the stack pointer, STATE is the address of a thread queue, Runtime is the number of milliseconds that the thread has been running, SBASE is the stack base address, Stack is the current number of bytes used and the total size of the stack, and Process lists the thread's function.

Example

pixfirewall> show processes
       PC         SP     STATE   Runtime        SBASE    Stack Process
8000139e 8024ad00  80005354        940    80249d1c    36/4096 arp_timer
...
pixfirewall>

show rip

View the RIP listening status on your PIX Firewall. (Unprivileged mode.)

show rip

Usage Guidelines

The show rip command lets you view the status of RIP listening on the PIX Firewall. The display contains the following information:

inside

Show RIP configuration on the inside interface.

outside

Show RIP configuration on the outside interface.

default

Cause the PIX Firewall to broadcast a default route to the outside network.

passive

Enable passive RIP on the inside interface. The PIX Firewall listens for RIP routing broadcasts and uses that information to populate its routing tables.


See also: rip.

Example

pixfirewall> show rip
rip outside passive
no rip outside default
rip inside passive
no rip inside default
pixfirewall>

show route

View PIX Firewall routing table. (Unprivileged mode.)

show route

Usage Guidelines

The show route command lets you view the route information.

The output display contains the following information:

inside|outside

The inside or outside interface.

dest_net_ip

The destination network IP address. 0.0.0.0 specifies a default route.

netmask

Specifies a network mask to apply to dest_net_ip. 0.0.0.0 specifies a default route.

gateway_ip

Specifies the IP address of the gateway router (the next hop IP address).

metric

Specifies the number of hops to dest_net_ip.

protocol

Connection protocol.

static_flag

Indicates whether or not route is static.


Example

pixfirewall> show route
        outside 0.0.0.0 0.0.0.0 192.168.42.42 1 OTHER static
        inside 10.0.0.0 255.0.0.0 10.10.41.10 2 RIP
pixfirewall>

show session

View system information. (Unprivileged mode.)

show session

Usage Guidelines

The show session command lets you view information about an embedded AccessPro router.

See also: session.

Example

pixfirewall> show session
pixfirewall>

show snmp-server

View PIX Firewall SNMP location, contact, and host information from configuration. (Unprivileged mode.)

show snmp-server

Usage Guidelines

The show snmp-server command lists the following information:

contact

Your name or that of the PIX Firewall system administrator.

location

Your PIX Firewall location.

host

One or more IP addresses of hosts to which SNMP traps are being sent.


See also: snmp-server.

Example

pixfirewall(config)# show snmp-server
pixfirewall(config)# show snmp-server host
snmp-server host 192.168.42.54
pixfirewall(config)# snmp-server contact arthur dent
pixfirewall(config)# snmp-server location building 42, earth
pixfirewall(config)# show snmp-server
snmp-server host 192.168.42.54
snmp-server location building 42, earth
snmp-server contact arthur dent
pixfirewall(config)#

show static

View static information in the configuration. (Unprivileged mode.)

show static

Usage Guidelines

The show static command lets you view the static information you entered in the configuration.

See also: static.

Example

pixfirewall> show static
static 10.1.1.5 192.168.42.2
pixfirewall>

show syslog

View previously sent SYSLOG events. (Unprivileged mode.)

show syslog

Usage Guidelines

The show syslog command displays the current facility and level for SYSLOG messages, whether SYSLOG messages are logged to the console, the address of all hosts configured to receive SYSLOG messages, and the contents of the SYSLOG buffer. The SYSLOG buffer is a fixed size and displays the most recent messages. Refer to the description of the syslog output, syslog console, and syslog host commands for more information.

See also: clear syslog, syslog output.

Example

pixfirewall> show syslog
     OUTPUT ON (24.3)
     CONSOLE OFF
     Log Hosts:
          10.10.10.43
<166> 302001 conn start faddr 204.31.17.200 fport 23 gaddr 192.168.42.22 laddr 10.1.1.4 lport 1042
<165> Begin Configuration: reading from terminal
<165> 999 End Configuration: OK

show telnet

View which IP addresses have Telnet access to the PIX Firewall. (Unprivileged mode.)

show telnet

Usage Guidelines

The show telnet command lets you view which IP addresses can access the PIX Firewall with Telnet. Use the who command to view which of these IP addresses are currently using the PIX Firewall.

See also: telnet, who, kill.

Example

pixfirewall> show telnet
            192.168.42.42 255.255.255.255
pixfirewall>

show timeout

Display the maximum idle time for translation and connection slots. (Configuration mode.)

show timeout

Usage Guidelines

The show timeout command lets you view the idle time for connection, translation, UDP, UAUTH, RPC, and H323 slots. If the slot has not been used for the idle time specified, the resource is returned to the free pool. The minimum idle time for both xlate and conn is 5 minutes. TCP connection slots are freed within 60 seconds after a normal connection close sequence.

See also: timeout.

Example

pixfirewall(config)# show timeout
timeout xlate 24:00:00 conn 12:00:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00
pixfirewall>

show uauth

Display current user authentication and authorization information. (Unprivileged mode.)

show uauth

Usage Guidelines

The show uauth command displays all currently authenticated users, the host IP to which they are bound, and, if applicable, any cached IP and port authorization information.

Each user host's IP address has an authorization cache attached to it. If the user attempts to access a service that has been cached from the correct host, the firewall considers it preauthorized and immediately unproxies the connection. This means that once you are authorized to access a web site, for example, the authorization server is not contacted for each of the images as they are loaded (assuming they come from the same IP address). This significantly increases performance and reduces load on the authorization server.

The cache allows up to 16 address and service pairs for each user host.

The output from show uauth displays the user name provided to the authorization server for authentication and authorization purposes, the IP address that the user name is bound to, and whether the user is authenticated only, or has cached services.

Use the timeout uauth command to specify how long the cache should be kept after the user connections become idle. The timeout value must be at least 2 minutes. Use clear uauth to delete all authorization caches for all users, which will cause them to have to reauthenticate the next time they create a connection.

Example

pixfirewall(config)# show uauth
user `winifred' from 207.31.17.42 authenticated
user `pollyhedra' from 207.31.17.54 authorized to:
        port 192.168.67.34/telnet   192.168.67.11/http   192.168.67.33/tcp/8001
             192.168.67.56/tcp/25   192.168.67.42/ftp
user `oakman' from 207.31.17.207 authorized to:
        port 262.146.153.50/http    262.71.177.69/http
pixfirewall(config)#

In this example, user winifred has authenticated with the server but has not completed authorization. User pollyhedra has preauthorized connections to the Telnet, web (HTTP), sendmail, FTP services, and to TCP port 8001 on 192.168.67.33.

User oakman has been browsing the web and is authorized for web browsing to the two sites shown.
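The cache behaviour described under show uauth (a per-host cache of at most 16 address/service pairs, preauthorization only from the host the user authenticated from, idle expiry governed by timeout uauth, and clear uauth emptying everything) is easier to reason about as a small model. The Python below is an added example written for this page, not PIX Firewall code; the eviction order (oldest pair first) and the injectable clock are assumptions made so the model can be exercised, and the render method only imitates the layout of the show uauth example.

```python
MAX_CACHED_PAIRS = 16          # "up to 16 address and service pairs for each user host"
MIN_UAUTH_TIMEOUT_S = 120      # "The timeout value must be at least 2 minutes"


class UauthCache:
    """Model of the per-host authorization cache that show uauth displays.

    Constructed to illustrate the behaviour described in the text; it is not PIX Firewall code.
    `clock` is a zero-argument callable returning seconds, injected so idle expiry can be
    exercised without waiting.  Oldest-first eviction is an assumption, not documented."""

    def __init__(self, idle_timeout_s, clock):
        if idle_timeout_s < MIN_UAUTH_TIMEOUT_S:
            raise ValueError("timeout uauth must be at least 2 minutes")
        self.timeout = idle_timeout_s
        self.clock = clock
        self.hosts = {}   # host_ip -> {"user": name, "last": t, "services": {(dest_ip, svc): t}}

    def authenticate(self, host_ip, user):
        """Bind a user name to the host it authenticated from (the 'authenticated' state)."""
        self.hosts[host_ip] = {"user": user, "last": self.clock(), "services": {}}

    def is_preauthorized(self, host_ip, dest_ip, service):
        """True only for a cached (dest, service) pair from the same host; any other host is not."""
        self._expire_idle()
        entry = self.hosts.get(host_ip)
        if entry is None or (dest_ip, service) not in entry["services"]:
            return False
        entry["last"] = self.clock()
        return True

    def record_authorization(self, host_ip, dest_ip, service):
        """Cache a pair the authorization server approved; beyond 16 pairs the oldest is dropped."""
        entry = self.hosts[host_ip]
        now = self.clock()
        entry["services"][(dest_ip, service)] = now
        entry["last"] = now
        while len(entry["services"]) > MAX_CACHED_PAIRS:
            oldest = min(entry["services"], key=entry["services"].get)
            del entry["services"][oldest]

    def clear(self):
        """clear uauth: drop every cache so all users re-authenticate on their next connection."""
        self.hosts.clear()

    def _expire_idle(self):
        """Drop hosts whose last activity is older than the uauth timeout."""
        now = self.clock()
        for host_ip in [h for h, e in self.hosts.items() if now - e["last"] >= self.timeout]:
            del self.hosts[host_ip]

    def render(self):
        """Lines in the style of the show uauth example above."""
        lines = []
        for host_ip, e in self.hosts.items():
            if not e["services"]:
                lines.append(f"user `{e['user']}' from {host_ip} authenticated")
            else:
                pairs = "  ".join(f"{d}/{s}" for d, s in e["services"])
                lines.append(f"user `{e['user']}' from {host_ip} authorized to:")
                lines.append(f"    port {pairs}")
        return lines


if __name__ == "__main__":
    import time
    cache = UauthCache(300, time.monotonic)
    cache.authenticate("207.31.17.42", "winifred")
    cache.record_authorization("207.31.17.42", "192.168.67.34", "telnet")
    print("\n".join(cache.render()))
```

The security point the model makes explicit is in is_preauthorized: the cache key is the source host, so a cached service is never honoured for the same user name arriving from a different address, and the whole entry disappears once the host has been idle for the uauth timeout.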

show version

View PIX Firewall version. (Unprivileged mode.)

show version

Usage Guidelines

The show version command lets you view the version of your PIX Firewall software.

Example

pixfirewall> show version
PIX Version 4.pv.nnn
pixfirewall>

where: pv is the point release version and nnn is the release number.

show who

Show active HTTP and Telnet administration sessions on PIX Firewall. (Unprivileged mode.)

show who [ip_address]

Syntax Description

ip_address

An optional IP address to limit the listing to one IP address or to a network IP address.


Usage Guidelines

The show who command shows the PIX Firewall tty_id and IP address of each Telnet client currently logged into the PIX Firewall. This command is the same as the who command.

See also: kill, telnet.

Example

pixfirewall# show who
        2: From 192.168.2.2
        1: From 192.168.1.3
        0: On console
pixfirewall#

show xlate

View translation slot information. (Unprivileged mode.)

show xlate [global_ip] [local_ip]

Syntax Description

global_ip

The registered IP address to be used from the global pool.

local_ip

The local IP address from the inside network.


Usage Guidelines

The show xlate command displays the contents of the translation slots.

Example

In the following example, names are assigned to the IP addresses to make the show xlate output easier to interpret, and line numbers have been added in this document (they are not part of the output). In line 1, the names command enables use of the name facility, and in lines 2 and 3 the name commands associate names with the IP addresses.

Lines 5 and 6 show a translation for a port address translation (PAT) global, in which inside host 10.10.10.12 is going out to server_12 on port 80 (web access). The PIX Firewall has seen a transfer of 2059 bytes.

In lines 7 and 8, the inside host 10.10.10.12 uses FTP to access server_12 on the outside and has obtained 216 bytes.

In lines 9 and 10, the outside host server_12 comes in through a static conduit on port 80 and is ready to request a URL; however, no bytes have been transferred yet.

In lines 11 and 12, a host on the inside, 3.3.3.3, attempts a WINS name lookup of WINSSERVER on the outside at 192.150.49.26.

In lines 15 and 16, an inside host, 10.10.10.13, uses Telnet to access server_12 on the outside and has received 701 bytes.

1  pixfirewall(config)# names
2  pixfirewall(config)# name 192.150.49.12 server_1
3  pixfirewall(config)# name 10.1.1.11 unix-11
4  pixfirewall(config)# sh xlate
5  PAT Global 192.150.49.28(2065) Local 10.10.10.12
6  out server_12:80 in 10.10.10.12:1883 idle 0:00:08 Bytes 2059 flags 0x3036
7  PAT Global 192.150.49.28(2064) Local 10.10.10.12
8  out server_12:21 in 10.10.10.12:1882 idle 0:00:10 Bytes 216 flags 0x3026
9  Global 192.150.49.25 Local 10.1.1.12 static nconns 0 embryonic conns 1
10 out server_12:1466 in 10.1.1.12:80 idle 0:00:07 Bytes 0 flags 0x0
11 Global 192.150.49.26 Local 3.3.3.3 nconns 0 embryonic conns 0
12 out 171.69.74.25:137 in 3.3.3.3:137 idle 0:01:30 flags 0x0
13 Global 192.150.49.27 Local unix-11 nconns 0 embryonic conns 1
14 out 192.168.1.2:23 in unix-11:1986 idle 0:00:46 Bytes 0 flags 0x0
15 PAT Global 192.150.49.28(2067) Local 10.10.10.13
16 out server_12:23 in 10.10.10.13:1884 idle 0:00:01 Bytes 701 flags 0x3005
...
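The show xlate example above is explained line by line in prose; a parser that turns the same output into records makes the PAT, static and dynamic translation forms, and the per-connection idle time and byte counts, usable for monitoring. The Python below is an added example and not Cisco code: it parses a constructed copy of the lines above (without the document's line numbers), resolves names through a constructed name table that follows the output (server_12 and unix-11), totals bytes per inside host, and lists globals that carry only embryonic connections, the condition the em_limit on static and conduit exists to bound.

```python
import re

# Constructed copy of the numbered show xlate lines above, without the line numbers added in the document.
SAMPLE = """\
PAT Global 192.150.49.28(2065) Local 10.10.10.12
out server_12:80 in 10.10.10.12:1883 idle 0:00:08 Bytes 2059 flags 0x3036
PAT Global 192.150.49.28(2064) Local 10.10.10.12
out server_12:21 in 10.10.10.12:1882 idle 0:00:10 Bytes 216 flags 0x3026
Global 192.150.49.25 Local 10.1.1.12 static nconns 0 embryonic conns 1
out server_12:1466 in 10.1.1.12:80 idle 0:00:07 Bytes 0 flags 0x0
Global 192.150.49.26 Local 3.3.3.3 nconns 0 embryonic conns 0
out 171.69.74.25:137 in 3.3.3.3:137 idle 0:01:30 flags 0x0
Global 192.150.49.27 Local unix-11 nconns 0 embryonic conns 1
out 192.168.1.2:23 in unix-11:1986 idle 0:00:46 Bytes 0 flags 0x0
PAT Global 192.150.49.28(2067) Local 10.10.10.13
out server_12:23 in 10.10.10.13:1884 idle 0:00:01 Bytes 701 flags 0x3005
"""

# Constructed name table standing in for what the name commands define (the document's
# example defines server_1 but the output prints server_12; this table follows the output).
NAMES = {"server_12": "192.150.49.12", "unix-11": "10.1.1.11"}

HOST = r"[A-Za-z0-9._-]+"          # dotted address or a name from the name command
XLATE_RE = re.compile(
    rf"^(?P<pat>PAT )?Global (?P<global>{HOST})(?:\((?P<gport>\d+)\))? Local (?P<local>{HOST})"
    r"(?P<static> static)?(?: nconns (?P<nconns>\d+) embryonic conns (?P<embryonic>\d+))?$")
CONN_RE = re.compile(
    rf"^out (?P<out>{HOST}):(?P<oport>\d+) in (?P<in>{HOST}):(?P<iport>\d+) idle (?P<idle>\d+:\d\d:\d\d)"
    r"(?: Bytes (?P<bytes>\d+))? flags (?P<flags>0x[0-9a-fA-F]+)$")


def idle_seconds(hms):
    """'0:01:30' -> 90."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def resolve(name):
    """Map a name from the name command back to its address; addresses pass through unchanged."""
    return NAMES.get(name, name)


def parse_show_xlate(text):
    """Return a list of translation records, each with the connection lines that follow it."""
    xlates = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = XLATE_RE.match(line)
        if m:
            xlates.append({
                "pat": m.group("pat") is not None,
                "global": m.group("global"),
                "global_port": int(m.group("gport")) if m.group("gport") else None,
                "local": resolve(m.group("local")),
                "static": m.group("static") is not None,
                "nconns": int(m.group("nconns")) if m.group("nconns") is not None else None,
                "embryonic": int(m.group("embryonic")) if m.group("embryonic") is not None else None,
                "conns": [],
            })
            continue
        m = CONN_RE.match(line)
        if m and xlates:
            xlates[-1]["conns"].append({
                "out": resolve(m.group("out")), "out_port": int(m.group("oport")),
                "in": resolve(m.group("in")), "in_port": int(m.group("iport")),
                "idle_s": idle_seconds(m.group("idle")),
                "bytes": int(m.group("bytes")) if m.group("bytes") is not None else None,
                "flags": int(m.group("flags"), 16),
            })
            continue
        raise ValueError(f"unrecognised show xlate line: {line!r}")
    return xlates


def embryonic_only(xlates):
    """Globals whose only traffic is half-open connections: nconns 0 with embryonic conns > 0."""
    return [x["global"] for x in xlates if x["embryonic"] and not x["nconns"]]


def bytes_by_local(xlates):
    """Total bytes seen per inside host across all of its translations."""
    totals = {}
    for x in xlates:
        for c in x["conns"]:
            totals[x["local"]] = totals.get(x["local"], 0) + (c["bytes"] or 0)
    return totals


if __name__ == "__main__":
    records = parse_show_xlate(SAMPLE)
    print(len(records), "translations;", "embryonic only:", embryonic_only(records))
    print(bytes_by_local(records))
```

A connection line that lacks a Bytes field (line 12 above) is kept with bytes set to None rather than 0, so a report can distinguish "nothing counted" from "zero transferred".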

snmp-server

Provide SNMP event information. (Configuration mode.)

snmp-server contact|location text

snmp-server host ip_address

Syntax Description

contact

Indicate that you are supplying your name or that of the PIX Firewall system administrator.

location

Indicate that you are specifying your PIX Firewall location.

host

Indicate that you are specifying an IP address of a host to which SNMP traps should be sent. You can specify a maximum of 5 host IP addresses.

text

When used with contact, specify your name or that of the PIX Firewall system administrator. When used with location, specify your PIX Firewall location. The string can be up to 128 characters. Spaces are accepted, but multiple spaces are shortened to a single space.

ip_address

When used with host, the IP address of a host to which SNMP traps should be sent. You can specify a maximum of 5 host IP addresses.


Usage Guidelines

Use the snmp-server command to identify your name, location, and the host to which SNMP traps should be sent. Refer to Chapter 3 for more information on using SNMP events.

Example

pixfirewall(config)# snmp-server location building 42, sector 54
pixfirewall(config)#

static

Map local IP address to a global IP address. (Configuration mode.)

static global_ip local_ip [max_conns] [em_limit]

Syntax Description

global_ip

A registered IP address. This address cannot be a PAT (port address translation) IP address.

local_ip

The local IP address from the inside network.

max_conns

The maximum number of TCP connections allowed for this static. Use the show conn command to view how TCP connections are being used in the firewall. For more information about connections, refer to "Connection Licenses" in Chapter 1.

em_limit

The embryonic connection limit.


Usage Guidelines

The static command creates a permanent mapping (static translation slot) between a local IP address and a NIC-registered IP address.  You can create a single mapping or create a range of statics known as net statics.

A static address is a permanent mapping of a registered IP address to a local IP address inside the private network. Static addresses are recommended for internal network service hosts. Use show static to view static statements in the configuration.

Net Statics

You can also create net statics that permit up to 256 statics to be created simultaneously. If both the global_ip and local_ip are network addresses (the host ID is 0), net statics are created for the full number of IP addresses available in the class. Each address is mapped one-to-one between the global and local addresses.

An example net static is:

static 204.31.17.0 10.1.1.0

This statement creates statics that map 204.31.17.1 to 10.1.1.1, 204.31.17.2 to 10.1.1.2, and so on up to the last value for the class type, in this case, 204.31.17.254 to 10.1.1.254.


Note   For net statics, the addresses in the range must only be used for static mappings. They cannot also be used for a network interface or a default route.

Do not create a global pool for a net static.

The maximum number of net statics that can be created is 16384.


Regular Statics

An embryonic connection is a connection that someone attempted but has not completed and has not yet seen data. Every connection is embryonic until it sets up. If you do not specify a value, the default is 0, which means unlimited connections; however, 0 cannot be specified. The maximum is 65535 and the minimum is 1.  A rule of thumb for the limit is the maximum number of connections on your connection license minus 30%; for example, on a 64-session license, set it to at least 40. Set it lower for slower systems, higher for faster systems.

The max_conns option permits access to the service for only the number of users (connections). The max_conns value applies to both inbound and outbound connections so if it is set to 30 and 30 SYN flooders come in, the service itself cannot go out.

As of this release, do not use global before static.

Use the static command before the conduit command.

Use mailhost to specify a static for an SMTP server. The mailhost command is a type of static with special features to prevent attacks from the outside.

See also: conduit, show static.

Example

The example that follows creates a net static and then permits users to call in through H.323 using Intel InternetPhone and MS NetMeeting: to 10.1.1.222 using IP address 204.31.17.222, to 10.1.1.188 using IP address 204.31.17.188, and so on.

pixfirewall(config)# static 204.31.17.0 10.1.1.0 8 50
pixfirewall(config)# conduit 204.31.17.0 h323 tcp 0.0.0.0 0.0.0.0
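The net static description and the example above say which one-to-one mappings static 204.31.17.0 10.1.1.0 creates, and the Note says the addresses in that range must not also be an interface address or the default route. The Python below is an added example for this page, not Cisco code: it expands a net static into its mappings and checks the expanded range against a constructed interface and default-route list. It assumes, following the document's example, that the class of the registered global address sets the size of the range, that both addresses must have a zero host ID at that size, and that the "up to 256 statics" statement is a hard cap.

```python
import ipaddress

MAX_NET_STATIC = 256   # "net statics that permit up to 256 statics to be created simultaneously"


def classful_prefix(addr):
    """Classful prefix length of an address: class A /8, class B /16, class C /24."""
    first = int(str(addr).split(".")[0])
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError(f"{addr} is not a class A, B or C address")


def expand_net_static(global_ip, local_ip):
    """Return the one-to-one (global, local) host mappings a net static creates.

    Assumption (taken from the document's example, not stated as a rule): the class of the
    global address fixes the range size and both addresses need a zero host ID at that size.
    ipaddress' strict mode raises ValueError when host bits are set, which is the check we want."""
    prefix = classful_prefix(global_ip)
    gnet = ipaddress.IPv4Network(f"{global_ip}/{prefix}", strict=True)
    lnet = ipaddress.IPv4Network(f"{local_ip}/{prefix}", strict=True)
    if gnet.num_addresses - 2 > MAX_NET_STATIC:
        raise ValueError(f"a /{prefix} net static would create more than {MAX_NET_STATIC} statics")
    return [(str(g), str(l)) for g, l in zip(gnet.hosts(), lnet.hosts())]


def net_static_conflicts(mappings, interface_ips, default_gateway):
    """Addresses in the net static range that are also an interface address or the default route."""
    reserved = set(interface_ips.values()) | {default_gateway}
    hits = set()
    for g, l in mappings:
        for addr in (g, l):
            if addr in reserved:
                hits.add(addr)
    return sorted(hits)


if __name__ == "__main__":
    mappings = expand_net_static("204.31.17.0", "10.1.1.0")
    print(len(mappings), "statics, first", mappings[0], "last", mappings[-1])
    # Constructed interface addresses and default route, chosen to collide with the range.
    print("conflicts:", net_static_conflicts(mappings, {"outside": "204.31.17.1"}, "204.31.17.254"))
```

With the document's example the expansion yields 254 mappings from 204.31.17.1/10.1.1.1 to 204.31.17.254/10.1.1.254; a global such as 204.31.17.5 is rejected because its host ID is not 0, and a class B global is rejected under the 256 cap assumed above.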

syslog console

View SYSLOG messages on the PIX Firewall console. (Privileged mode.)

syslog console

Usage Guidelines

Displays SYSLOG messages on the console session. If you are using Telnet to access the console, the output displays in the Telnet session. Use no syslog console to stop the display. Refer to the description of syslog output for more information on SYSLOG.

See also: no syslog console.

Example

The following example uses syslog host to specify an inside network host to receive SYSLOG messages, starts SYSLOG with the syslog output command, enables the console to receive SYSLOG messages, and then shows the current SYSLOG status:

pixfirewall(config)# syslog host 192.168.0.99
pixfirewall(config)# syslog out 20.4
pixfirewall(config)# syslog con
pixfirewall(config)# sho sys
    OUTPUT ON (20.4)
    CONSOLE ON
<162> 104001 Secondary: Switching to ACTIVE.
<162> 101003 Secondary: Cable not connected my side.
pixfirewall(config)# 

syslog host

Define which network hosts are sent SYSLOG messages. (Privileged mode.)

syslog host ip_address

Syntax Description

ip_address

The IP address or network of a network host that is authorized to receive SYSLOG messages.


Usage Guidelines

The syslog host command lets you specify up to 16 inside network host IP addresses to which SYSLOG messages are sent. Use no syslog host to remove a host from the receiving list. Use show syslog to view the current hosts. Refer to the description of syslog output for more information on SYSLOG.


Note   Use syslog host before any other syslog command.

The host must be on the inside network or can be on the other side of a Private Link connection.


Example

The following example uses syslog host to specify an inside network host to receive SYSLOG messages, starts SYSLOG with the syslog output command, enables the console to receive SYSLOG messages, and then shows the current SYSLOG status:

pixfirewall(config)# syslog host 192.168.0.99
pixfirewall(config)# syslog out 20.4
pixfirewall(config)# syslog con
pixfirewall(config)# sho sys
    OUTPUT ON (20.4)
    CONSOLE ON
<162> 104001 Secondary: Switching to ACTIVE.
<162> 101003 Secondary: Cable not connected my side.
pixfirewall(config)# 

syslog output

Start sending SYSLOG notification messages. (Privileged mode.)

syslog output facility.level

Syntax Description

facility

Eight facilities LOCAL0(16) through LOCAL7(23); the default is LOCAL4(20). Hosts file the messages based on the facility number in the message.

level

Message type; sets the level above which PIX Firewall suppresses messages to the SYSLOG hosts. Setting the level to 3, for example, allows messages with levels 0, 1, 2, and 3 to display. The default is 3. The levels are:

0 — System unusable

1 — Take immediate action

2 — Critical condition

3 — Error message

4 — Warning message

5 — Normal but significant condition

6 — Informational

7 — Debug message


Usage Guidelines

The syslog output command configures the facility and level of SYSLOG messages. The syslog output command starts sending messages to the network.


Note   Before using syslog output, you must first use syslog host to specify which systems receive the messages.

The SYSLOG host must be on the inside network.


PIX Firewall generates SYSLOG messages for system events, such as security alerts and resource depletion. Using a UNIX syslog facility, you can specify which types of SYSLOG messages create email alerts, are stored in log files, or are displayed on the console of a designated inside network host. Because PIX Firewall shares the eight facilities with other UNIX network devices, syslog output lets you choose the facility that the PIX Firewall marks on each message it sends to the SYSLOG host. Messages are sent to the SYSLOG host over UDP.

To view previously sent messages, use show syslog.

A PC WinSock version of syslogd also works.


Note   You can specify only one syslog output command in your configuration. PIX Firewall sends all messages to the single facility you choose. In addition, PIX Firewall sends SYSLOG messages only to a single file on the receiving system.


Example

pixfirewall(config)# syslog output 20.3
pixfirewall(config)#
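As an added example that is not part of the original reference, the following decoder shows how the facility and level chosen with syslog output appear in what the SYSLOG host receives: the PRI field of each UDP message is facility * 8 + level, so "syslog output 20.3" yields messages such as the "<162>" lines shown under syslog host (LOCAL4 = 20, level 2 = critical). The six-digit message number format and the "000000" debug line are assumptions used to build sample input.

```python
import re
from typing import Dict, Optional, Tuple

# Facility numbers as named in the syslog output reference: LOCAL0(16) .. LOCAL7(23)
FACILITY_NAMES = {16 + i: f"LOCAL{i}" for i in range(8)}

# Level names for 0..7 as listed under syslog output
LEVEL_NAMES = ["emergency", "alert", "critical", "error",
               "warning", "notice", "informational", "debug"]

# Assumed shape of a PIX line as received over UDP: "<PRI> msgid text"
PIX_LINE = re.compile(r"^<(\d{1,3})>\s*(\d{6})\s+(.*)$")


def decode_pri(pri: int) -> Tuple[int, int]:
    """Split a syslog PRI value into (facility, level); PRI = facility * 8 + level."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)


def parse_pix_message(line: str) -> Optional[Dict[str, object]]:
    """Parse one received line; returns None if it does not look like a PIX message."""
    m = PIX_LINE.match(line)
    if not m:
        return None
    facility, level = decode_pri(int(m.group(1)))
    return {
        "facility": facility,
        "facility_name": FACILITY_NAMES.get(facility, f"facility{facility}"),
        "level": level,
        "level_name": LEVEL_NAMES[level],
        "msgid": m.group(2),
        "text": m.group(3),
    }


def permitted_by_config(facility_level: str, line: str) -> bool:
    """True if a PIX configured with `syslog output facility.level` would emit this line.

    A host can use this to spot messages that claim to come from the firewall but
    carry a facility or level the configured PIX would never send.
    """
    fac_s, lvl_s = facility_level.split(".")
    msg = parse_pix_message(line)
    return msg is not None and msg["facility"] == int(fac_s) and msg["level"] <= int(lvl_s)


# Constructed sample: the first line is the one shown under syslog host, the second is made up.
SAMPLE_LINES = [
    "<162> 104001 Secondary: Switching to ACTIVE.",
    "<167> 000000 constructed debug message",
]
```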

tacacs-server host

Specify a TACACS+ server. (Privileged mode.)

tacacs-server host ip_address key

Syntax Description

ip_address

The IP address of an authentication server.

key

An alphanumeric keyword of up to 127 characters defined by what the authentication server accepts. This is a public key between the client and server for encrypting data between them. The key must be the same on both the client and server systems. PIX Firewall changes to lowercase any letters in the key. Spaces are not permitted in the key, but other special characters are.


Usage Guidelines

Specify a TACACS+ (Terminal Access Controller Access Control System) server. Use show tacacs-server to examine the information. Up to 16 servers are permitted. Servers are used in the order entered in the configuration. If the server is off-line or fails, the next server is checked. This continues until a working server is found.

See also: no tacacs-server, show tacacs-server.

Example

pixfirewall(config)# tacacs-server host 192.168.42.42 whatakey!@#$%^&*
pixfirewall(config)# show tacacs-server
tacacs-server host 192.168.42.42 whatakey!@#$%^&*
pixfirewall(config)# 

telnet

Allow an inside IP address to configure the PIX Firewall console over Telnet. (Privileged mode.)

telnet ip_address [netmask]

Syntax Description

ip_address

The IP address or network of a host that is authorized to access the PIX Firewall Telnet management interface.

netmask

Network mask of ip_address. To limit access to a single IP address, use 255 in each octet; for example, 255.255.255.255. If you do not specify netmask, it defaults to 255.255.255.255 regardless of the class of ip_address.


Usage Guidelines

The telnet command lets you decide who can configure the PIX Firewall from Telnet. Up to 16 hosts or networks are allowed access to the PIX Firewall console with Telnet, 5 simultaneously. The show telnet command displays the current list of IP addresses authorized to access the PIX Firewall. Use no telnet or clear telnet to remove Telnet access from a previously set IP address. Use the who command to view which IP addresses are currently accessing the firewall. Use the kill command to terminate an active Telnet console session.


Note   The default password for Telnet access is cisco.


With Telnet, you can configure the PIX Firewall from the inside network or over Private Link.

To use Telnet to access the console, the following is required:

The Ethernet or Token Ring interface card needs to be connected to the network.

If you are testing Telnet by connecting directly to a computer, use a crossover connector to connect your computer's interface card to the firewall. Then set the IP address of the PC, the firewall IP address, and the default route for the firewall all to the same subnet. This method is useful if you test Telnet and the console from the same system.

The firewall must have an IP address other than the default 0.0.0.0 address.

See also: clear telnet, no telnet, show telnet, show passwd, who.

Examples

pixfirewall(config)# telnet 192.168.1.3 255.255.255.255 
pixfirewall(config)# telnet 192.168.1.4 255.255.255.255
pixfirewall(config)# telnet 192.168.2.0 255.255.255.0
pixfirewall(config)# show telnet
          192.168.1.3 255.255.255.255
          192.168.1.4 255.255.255.255
          192.168.2.0 255.255.255.0
pixfirewall(config)# no telnet 192.168.1.3
pixfirewall(config)# show telnet
          192.168.1.4 255.255.255.255
          192.168.2.0 255.255.255.0
pixfirewall(config)#
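The following model of the telnet access list is an added example, not code from the reference or from the PIX itself. It replays the commands above and answers the question a reviewer usually asks of such a list: which source addresses can reach the console login, given the 16-entry limit and the 255.255.255.255 default netmask. Host bits in a network entry are masked off, which is an assumption about how the firewall stores the entry.

```python
import ipaddress
from typing import List

MAX_TELNET_ENTRIES = 16  # limit stated under telnet


class TelnetAccessList:
    """Models the list built by repeated `telnet ip_address [netmask]` commands."""

    def __init__(self) -> None:
        self.entries: List[ipaddress.IPv4Network] = []

    @staticmethod
    def _network(ip_address: str, netmask: str) -> ipaddress.IPv4Network:
        # strict=False masks host bits, e.g. 192.168.2.5/255.255.255.0 -> 192.168.2.0 (assumption)
        return ipaddress.IPv4Network((ip_address, netmask), strict=False)

    def telnet(self, ip_address: str, netmask: str = "255.255.255.255") -> None:
        """Authorize a host (default netmask) or a network, regardless of address class."""
        net = self._network(ip_address, netmask)
        if net in self.entries:
            return
        if len(self.entries) >= MAX_TELNET_ENTRIES:
            raise ValueError("telnet access list full (16 entries)")
        self.entries.append(net)

    def no_telnet(self, ip_address: str, netmask: str = "255.255.255.255") -> None:
        """Remove a previously authorized host or network."""
        net = self._network(ip_address, netmask)
        self.entries = [e for e in self.entries if e != net]

    def show_telnet(self) -> List[str]:
        """Render entries the way show telnet prints them."""
        return [f"{e.network_address} {e.netmask}" for e in self.entries]

    def permits(self, source: str) -> bool:
        """Would a Telnet connection from this source address reach the console login?"""
        addr = ipaddress.IPv4Address(source)
        return any(addr in e for e in self.entries)
```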

timeout

Set the maximum idle time duration. (Configuration mode.)

timeout [xlate [hh:mm:ss]] [conn [hh:mm:ss]] [udp [hh:mm:ss]] [rpc [hh:mm:ss]] [h323 [hh:mm:ss]] [uauth [hh:mm:ss]]

Syntax Description

conn hh:mm:ss

Idle time until a connection slot is freed (default value is 12 hours). Use 0:0:0 for the time value to never time out a connection.

h323 hh:mm:ss

Duration for H323 (Internet Phone) inactivity timer. When this time elapses, the port used by the H323 service closes.

rpc hh:mm:ss

Idle time until an RPC slot is freed.

uauth hh:mm:ss

Duration before the authentication and authorization cache times out and the user has to reauthenticate on the next connection.

udp hh:mm:ss

Idle time until a UDP slot is freed.

xlate hh:mm:ss

Idle time until a translation slot is freed (default value is 24 hours).


Usage Guidelines

The timeout command sets the idle time for connection, translation, UDP, RPC, and H323 slots. If the slot has not been used for the idle time specified, the resource is returned to the free pool. The minimum idle time for xlate is 5 minutes. TCP connection slots are freed within 30 seconds after a normal connection close sequence.

Use show timeout to display the current timeout settings.


Note   RPC is a very insecure protocol and should be used with caution.


See also: show timeout.

Examples

pixfirewall(config)# show timeout
timeout xlate 24:00:00 conn 12:00:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 
pixfirewall(config)# timeout xlate 5:0:0
pixfirewall(config)# timeout conn 0:0:0
pixfirewall(config)# show timeout
timeout xlate 5:00:00 conn 0:00:00
pixfirewall(config)# timeout xlate 0:10:0 conn 0:5:0
pixfirewall(config)# show timeout
timeout xlate 0:10:00 conn 0:05:00
pixfirewall(config)# timeout xlate 0:0:12345
pixfirewall(config)# show timeout
timeout xlate 3:25:45 conn 0:05:00
pixfirewall(config)#
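As an added example (not part of the reference), this parser reproduces the hh:mm:ss handling shown above, where "timeout xlate 0:0:12345" is displayed by show timeout as "3:25:45", and flags the two settings worth a second look when reviewing a configuration: an xlate value under the 5 minute minimum and a conn value of 0:0:0, which means connections never time out. The keyword set and the "below minimum" wording are assumptions.

```python
import re
from typing import Dict

XLATE_MIN_SECONDS = 5 * 60  # minimum xlate idle time stated under timeout
TIMEOUT_KEYWORDS = ("xlate", "conn", "udp", "rpc", "h323", "uauth")


def hms_to_seconds(hms: str) -> int:
    """Parse a PIX time value; fields need not be zero-padded or normalised (0:0:12345 is valid)."""
    m = re.fullmatch(r"(\d+):(\d+):(\d+)", hms)
    if not m:
        raise ValueError(f"bad time value: {hms}")
    hours, minutes, seconds = (int(x) for x in m.groups())
    return hours * 3600 + minutes * 60 + seconds


def seconds_to_hms(total: int) -> str:
    """Render the way show timeout does: hours unpadded, minutes and seconds two digits."""
    hours, rem = divmod(total, 3600)
    minutes, seconds = divmod(rem, 60)
    return f"{hours}:{minutes:02d}:{seconds:02d}"


def parse_timeout_command(line: str) -> Dict[str, int]:
    """Turn `timeout xlate 0:0:12345 conn 0:5:0` into {"xlate": 12345, "conn": 300}."""
    tokens = line.split()
    if not tokens or tokens[0] != "timeout" or len(tokens) % 2 == 0:
        raise ValueError(f"malformed timeout command: {line!r}")
    settings: Dict[str, int] = {}
    for keyword, value in zip(tokens[1::2], tokens[2::2]):
        if keyword not in TIMEOUT_KEYWORDS:
            raise ValueError(f"unknown timeout keyword: {keyword}")
        settings[keyword] = hms_to_seconds(value)
    return settings


def review_timeouts(settings: Dict[str, int]) -> Dict[str, str]:
    """Report settings a configuration review should question (assumed wording)."""
    findings: Dict[str, str] = {}
    if "xlate" in settings and settings["xlate"] < XLATE_MIN_SECONDS:
        findings["xlate"] = "below the 5 minute minimum"
    if settings.get("conn") == 0:
        findings["conn"] = "0:00:00 means connections never time out"
    return findings
```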

who

Show active Telnet administration sessions on PIX Firewall. (Unprivileged mode.)

who [ip_address]

Syntax Description

ip_address

An optional IP address to limit the listing to one IP address or to a network IP address.


Usage Guidelines

The who command shows the PIX Firewall tty_id and IP address of each Telnet client currently logged into the PIX Firewall. This command is the same as the show who command.

See also: kill, telnet.

Example

pixfirewall# who
2: From 192.168.2.2
1: From 192.168.1.3
0: On console 
pixfirewall#

write erase

Clear the configuration contents from flash memory. (Privileged mode.)

write erase

Usage Guidelines

The write erase command clears the flash memory configuration. There is no equivalent command to clear the current running configuration, but if the reload command is executed immediately after the write erase command, the PIX Firewall will boot with the default blank configuration. To refresh the flash memory without erasing information, use the groom command.

See also: groom.

Example

pixfirewall# write erase
pixfirewall# reload

write floppy

Store the current configuration on floppy disk. (Privileged mode.)

write floppy

Usage Guidelines

The write floppy command stores the current configuration on floppy disk. The floppy disk must be DOS formatted or a PIX Firewall boot disk. The floppy disk you create can only be read or written by the PIX Firewall. If you use the write floppy command with a floppy disk that is not a PIX Firewall boot disk, do not leave the floppy in the floppy drive because it will prevent the firewall from rebooting in the event of a power failure or system reload. Only one copy of the configuration can be stored on a single floppy disk.

See also: configure floppy.

Example

pixfirewall# write floppy
Building configuration...
[OK]
pixfirewall# 

write memory

Save current configuration in flash memory. (Privileged mode.)

write memory

Usage Guidelines

The write memory command saves the current running configuration to flash memory. Use configure memory to merge the current configuration with the image you saved in flash memory.


Note   Only use this command if a configuration has been created with IP addresses for both network interfaces.


See also: configure memory.

Example

pixfirewall# write memory
Building configuration...
[OK]
pixfirewall# 

write terminal

View current configuration on console. (Privileged mode.)

write terminal

Usage Guidelines

The write terminal command displays the current running configuration on the terminal (attached to the console or connected via a Telnet connection).

You can also display the configuration stored in flash memory using the show configure command.

See also: configure terminal, show config.

Example

pixfirewall# write terminal
Building configuration...
: Saved
:
PIX Version 4.0.3.220/1000349
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
failover
...