
Command Reference


Note Before using this chapter, read Chapter 2, "Configuring the PIX Firewall" for important information about configuring, command line editing, and dependencies.

Also read the current PIX Firewall release notes for the latest information about new features, command changes, and usage notes.

Note Because many command lines are long, command line prompts are only shown in examples if they are required for understanding the context. Of the command line prompts shown, most do not have the history reference number in the prompt because the numeric value at the end of the prompt changes with each command.

Terminology

Table 3-1 defines terminology used when describing commands and options affected by the third interface feature:


Table 3-1: Terminology
Term Description
if_name The internal or external network interface name. If your PIX Firewall contains two interface boards, if_name is either inside or outside.

Any syntax descriptions in this book that contain if_name have the same properties as if_name described here.

You can optionally specify an interface name for the following commands: alias, apply, conduit, global, mailhost, nat, and static. For each of these commands, the interface name must be enclosed in parentheses.

For any command that previously accepted an interface name, you must specify an interface name and you can alternately specify the name of an additional interface. These commands are: arp, ip address, mtu, ping, rip, and route. Note that for these commands, the interface name must not be enclosed in parentheses.

internal network The most relatively secure interface. If your PIX Firewall contains two interface boards, the internal network is the inside network. If your PIX Firewall has three or more interface boards, provide a name for the internal network and set its security level with the nameif command.
external network The relatively least secure interfaces. If your PIX Firewall has two interface boards, the external network is the outside network. If your PIX Firewall has three or more interface boards, provide a name for the external network(s) with the nameif command.
IP addresses IP addresses are primarily one of four values:
If the alias command is in use, then in an inbound message whose source address is foreign_ip, the PIX Firewall translates foreign_ip to dnat_ip. In an outbound message destined to dnat_ip, the address is untranslated back to foreign_ip. In SYSLOG messages, this address is referenced as faddr.

Note: In this guide, the use of "address" and "IP address" are used synonymously.

When you create an internal network, we recommend that you use one of the following address groups reserved by the Network Working Group (RFC 1918) for use with private network addressing:

  • Class A: 10.1.1.1 to 10.254.254.254

  • Class B: 172.16.1.1 to 172.31.254.254

  • Class C: 192.168.1.1 to 192.168.254.254

aaa

Enable, disable, or view TACACS+ or RADIUS user authentication and authorization.

(Configuration mode.)

aaa authentication service inbound|outbound local_ip mask tacacs+|radius

no aaa authentication [service inbound|outbound local_ip mask tacacs+|radius]

aaa authentication except inbound|outbound local_ip mask tacacs+|radius

no aaa authentication except [inbound|outbound local_ip mask tacacs+|radius]

aaa authorization service inbound|outbound local_ip mask

no aaa authorization [service inbound|outbound local_ip mask]

show aaa
Syntax Description
service The application that will be used to provide authentication. Use any, ftp, http, or telnet. The any value specifies FTP, HTTP, or Telnet. (HTTP is the web and only applies to web browsers that can prompt for a user name and password.)

If the authentication or authorization server is authenticating services other than FTP, HTTP, or Telnet, using any will not permit those services to authenticate in the firewall. The firewall only knows how to communicate with FTP, HTTP, and Telnet for authentication and authorization.

Only set this parameter to a service other than any if the authentication or authorization server is set the same way. Unless you want to temporarily restrict access to a specific service, setting a service in this command can increase system administration work and may cause all connections to fail if the authentication or authorization server is authenticating one service and you set this command to another.

except Create an exception to a previously specified set of services.
inbound Authenticate or authorize inbound connections.
outbound Authenticate or authorize outbound connections.
local_ip An inside host. On inbound connections, local_ip is the inside host to which access is sought. On outbound connections, local_ip is the inside host from which a connection originates.

In most cases, set this address to 0 (same as 0.0.0.0) so that the aaa command lets the authentication server decide which hosts are authenticated.

If you set the IP address in aaa, you have to ensure that it is the same in the nat, static, or mailhost commands (if used).

mask Network mask of local_ip. Always specify a specific mask value. Use 0 if the IP address is 0.
tacacs+ (aaa authentication only.) Authenticate using Terminal Access Controller Access Control System (TACACS+).
radius (aaa authentication only.) Authenticate using Remote Authentication Dial-In User Service (RADIUS).
Usage Guidelines

The aaa command lets you specify that user login credentials be requested for either inbound or outbound connections. This command works with either TACACS+ or RADIUS authentication.


Note RADIUS can only be used for authentication and not authorization.

The PIX Firewall interacts with FTP, HTTP (web access), and Telnet to display the credentials prompts for logging into the network or logging in to exit the network. You can specify that only a single service be authenticated, but this must agree with the authentication server to ensure that both the firewall and server agree. You can also specify which inside IP address can start outbound connections or to which inside IP address inbound connections are targeted; however, this too must agree with the configuration of the authentication server. Refer to for more information on the command options.

The no aaa authentication command disables user authentication. The show aaa authentication command displays the aaa authentication statements in the configuration.


Note The aaa command is not intended to mandate your security policy. The authentication and authorization servers determine whether a user can or cannot access the system, what services can be accessed, and what IP addresses the user can access.

Note When the aaa command is enabled, users must first visit another site to be authenticated before they can access MS-IIS sites.

The aaa authorization command authorizes users' access to services. Only use this command after the aaa authentication command, which determines whether users are authenticated with TACACS+.

You cannot authorize FTP using a web browser's FTP; for example, ftp://ftp.xxx.com, and expect the World Wide Web HTTP authentication screen to display. To enable authorization for web use, but not FTP, use these commands:

aaa authorization http outbound source_ip netmask
aaa authorization telnet outbound source_ip netmask

FTP authorization is only supported for command line FTP clients or ws_ftp (a Windows GUI-based FTP client).

The no aaa authorization command disables user authorization. The show aaa authorization command displays aaa commands in the configuration.

Example

The following example specifies that IP addresses 10.0.0.1 through 10.0.0.254 can originate outbound connections and then enables user authentication so that those addresses must enter user credentials to exit the firewall. In this example, the first aaa authentication command permits authentication on FTP, HTTP, or Telnet depending on what the authentication server handles. The second aaa authentication command lets host 10.0.0.42 start outbound connections without being authenticated.

nat 1 10.0.0.0 255.255.255.0
aaa authentication any outbound 0 0 tacacs+
aaa authentication except outb 10.0.0.42 255.255.255.255 tacacs+ 

The next example permits inbound access to any IP address in the range of 204.31.17.1 through 204.31.17.254. All services are permitted by the conduit command and the aaa authentication command permits authentication on FTP, HTTP, or Telnet depending on what the authentication server handles.

static (inside, outside) 204.31.17.0 10.16.1.0 10 60
conduit (inside, outside) 204.31.17.0 0 tcp 10.16.1.0 255.255.255.0
aaa authentication any inbound 0 0 tacacs+

This example demonstrates the show aaa command:

show aaa
aaa authentication any outbound 204.31.17.42 255.255.255.255 tacacs+
aaa authorization any outbound 204.31.17.42 255.255.255.255

The following example demonstrates the use of the aaa authorization command:

aaa authorization any inbound 204.31.17.0 255.255.255.255

Authentication and Authorization Notes

  1. The aaa command can only be used with the inside and outside interfaces. All inbound connections are on the outside interface; all outbound connections are on the inside interface.

  2. Use of the aaa authorization command requires a previous use of the aaa authentication command; however, use of the aaa authentication command does not require use of an aaa authorization command.

  3. For outside connections, a challenge prompt appears during FTP or Telnet sessions as defined by the type of authentication server.

  4. For outbound connections, first use the nat command to determine which IP addresses can access the firewall. For inbound connections, first use the static and conduit commands to determine which inside IP addresses can be accessed through the firewall from the outside network.

  5. When a host is configured for authentication, all users on the host have to use a web browser or Telnet first before performing any other networking activity, such as accessing mail or a news reader. The reason for this is that they must first establish their authentication credentials and programs such as mail agents and newsreaders do not have authentication challenge prompts.

  6. The PIX Firewall only accepts 7-bit characters during authentication. After authentication, the client and server can negotiate for 8-bits if required. During authentication, the PIX Firewall only negotiates Go-Ahead, Echo, and NVT (network virtual terminal).

  7. You can have up to 64 simultaneous authentication or authorization sessions. Up to 256 items are permitted in each list of authentication or authorization addresses. Up to 256 TACACS+ or RADIUS servers are permitted. When a user logs in, the servers are accessed top to bottom, until a server responds.

  8. For each IP address, one aaa authentication command is permitted for inbound connections and one for outbound connections. Also, for an IP address, one aaa authorization command is permitted. If you want to authorize more than one service with aaa authorization, use the any parameter for the service type.

  9. The PIX Firewall permits only one authentication type per network. For example, if one network connects through the PIX Firewall using TACACS+ for authentication, another network connecting through the PIX Firewall can authenticate with RADIUS, but one network cannot authenticate with both TACACS+ and RADIUS.

  10. The PIX Firewall permits a user up to five chances to log in with Telnet and then if the user name or password still fails, the PIX Firewall drops the connection. If a user enters an incorrect password in FTP or HTTP, the connection is dropped immediately.

  11. The PIX Firewall supports up to 127 characters in the user name and up to 63 in the password.

  12. For the TACACS+ server, if you do not specify a key to the tacacs-server command, no encryption occurs.

  13. Network browsers such as Netscape Navigator do not present a challenge value during authentication; therefore, only password authentication can be used from a network browser.

  14. Some FTP graphical user interfaces (GUIs) do not display challenge values.

  15. The PIX Firewall does not support at signs (@) in an authentication user name or password. (See note 17 for more information.)

  16. If the user name or password on the authentication database differs from the user name or password on the remote host to which you are using FTP to access, enter the user name and password in these formats:
    authentication_user_name@remote_system_user_name
    authentication_password@remote_system_password

  17. If you daisy-chain PIX Firewall units, Telnet authentication works in the same way as a single unit, but FTP and HTTP authentication have additional complexity for users because they have to enter each password and user name as shown in note 15 with an additional at (@) sign and password or user name for each daisy-chained system. Users could exceed the 63-character password limit depending on how many units are daisy-chained and password length.

See also: radius-server, tacacs-server.
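The following added example (not Cisco's code) models how the aaa authentication and except statements above decide which outbound or inbound connections get a credentials prompt: only FTP, HTTP and Telnet can be challenged, "0 0" matches every host, and an except statement exempts the hosts it names. It assumes the CLI accepts "outb" as an abbreviation of outbound, as the page's example does.

```python
import ipaddress

# The firewall can only interpose a credentials prompt on these three services;
# "any" expands to exactly this set (see the service parameter description).
AUTH_SERVICES = {"ftp", "http", "telnet"}


def _expand_zero(value):
    # "0" is accepted as shorthand for 0.0.0.0 in local_ip and mask.
    return "0.0.0.0" if value == "0" else value


def _direction(token):
    # Assumption: the CLI accepts unambiguous prefixes such as "outb" for outbound.
    for full in ("inbound", "outbound"):
        if full.startswith(token):
            return full
    raise ValueError("unknown direction: " + token)


def parse_aaa_authentication(config_text):
    """Return the aaa authentication rules in configuration order."""
    rules = []
    for line in config_text.splitlines():
        parts = line.split()
        if parts[:2] != ["aaa", "authentication"]:
            continue  # nat, static and other statements are not modelled here
        if parts[2] == "except":
            # aaa authentication except inbound|outbound local_ip mask tacacs+|radius
            direction, local_ip, mask, server = parts[3:7]
            service, is_except = "any", True
        else:
            # aaa authentication service inbound|outbound local_ip mask tacacs+|radius
            service, direction, local_ip, mask, server = parts[2:7]
            is_except = False
        network = ipaddress.IPv4Network(
            (_expand_zero(local_ip), _expand_zero(mask)), strict=False)
        rules.append({"except": is_except, "service": service,
                      "direction": _direction(direction),
                      "network": network, "server": server})
    return rules


def auth_server_for(rules, service, direction, local_ip):
    """Name the server type (tacacs+ or radius) the connection must authenticate with.

    Returns None when no credentials prompt is shown: the service is not one the
    firewall can challenge, an except statement covers the host, or no
    aaa authentication statement matches the host and direction.
    """
    if service not in AUTH_SERVICES:
        return None
    host = ipaddress.IPv4Address(local_ip)
    matching = [r for r in rules
                if r["direction"] == direction and host in r["network"]]
    if any(r["except"] for r in matching):
        return None
    for r in matching:
        if r["service"] in ("any", service):
            return r["server"]
    return None


# Constructed sample: the outbound example from this section.
SAMPLE_CONFIG = """\
nat 1 10.0.0.0 255.255.255.0
aaa authentication any outbound 0 0 tacacs+
aaa authentication except outb 10.0.0.42 255.255.255.255 tacacs+
"""

if __name__ == "__main__":
    rules = parse_aaa_authentication(SAMPLE_CONFIG)
    for svc, host in (("http", "10.0.0.7"), ("http", "10.0.0.42"), ("smtp", "10.0.0.7")):
        print(svc, host, "->", auth_server_for(rules, svc, "outbound", host))
```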


alias

Administer overlapping addresses with dual NAT. (Configuration mode.)

alias [(if_name)] dnat_ip foreign_ip [netmask]

no alias [[(if_name)] dnat_ip foreign_ip [netmask]]

show alias
Syntax Description
if_name The internal network interface name on which the foreign_ip overlaps.
dnat_ip An IP address on the internal network that provides an alternate IP address for the external address that is the same as an address on the internal network.
foreign_ip IP address on the external network that has the same address as a host on the internal network.
netmask Network mask applied to both IP addresses.
Usage Guidelines

The alias command translates one address into another. Use this command to prevent conflicts when you have IP addresses on a network that are the same as those on the Internet or another intranet. The no alias command disables a previously set alias statement. The show alias command displays alias statements in the configuration. Refer to for more information on the command options.

The alias command automatically interacts with DNS servers on your network to ensure that domain name access to the aliased IP address is handled transparently.

You can specify a net alias by using network addresses for the foreign_ip and dnat_ip IP addresses. For example, alias 10.1.1.0 204.31.17.0 255.255.255.0 creates aliases for each IP address between 204.31.17.1 and 204.31.17.254.

Example

In this example, an inside network uses IP address 192.9.200.33, which on the Internet belongs to oaks.com. When inside clients try to access oaks.com, the packets do not go to the firewall because the client thinks 192.9.200.33 is on the local inside network. To correct this, a net alias is created as follows:

alias (inside) 192.168.1.0 192.9.200.0
show alias
alias 192.168.1.0 192.9.200.0 255.255.255.0

When client 192.9.200.123 connects to oaks.com, the DNS response is 192.168.1.33. If the PIX Firewall uses 204.31.17.1 through 204.31.17.254 as the global pool IP addresses, the packet goes to the PIX Firewall with SRC=192.9.200.123 and DST=192.168.1.33. The PIX Firewall translates it to SRC=204.31.17.254 and DST=192.9.200.33 on the outside.
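The following added example (not Cisco's code) models the two alias translations described above: an address in the foreign_ip network seen in an inbound DNS reply or packet source is presented inside as the matching dnat_ip address, and an outbound destination in the dnat_ip network is untranslated to foreign_ip, with host bits preserved under the netmask. It requires the netmask to be written explicitly and does not model the nat global pool.

```python
import ipaddress


def parse_alias(line):
    """Parse 'alias [(if_name)] dnat_ip foreign_ip netmask' into a dict of integers.

    The netmask is required here; the page shows the firewall filling in
    255.255.255.0 when it is omitted, which this example does not model.
    """
    parts = line.split()
    if parts[0] != "alias":
        raise ValueError("not an alias statement: " + line)
    parts = parts[1:]
    if_name = None
    if parts and parts[0].startswith("("):
        if_name = parts.pop(0).strip("()")
    dnat_ip, foreign_ip, netmask = parts
    mask = int(ipaddress.IPv4Address(netmask))
    return {"if_name": if_name,
            "dnat": int(ipaddress.IPv4Address(dnat_ip)) & mask,
            "foreign": int(ipaddress.IPv4Address(foreign_ip)) & mask,
            "mask": mask}


def _rewrite(aliases, ip, src_key, dst_key):
    """Move ip from the src_key network to the dst_key network, keeping host bits."""
    addr = int(ipaddress.IPv4Address(ip))
    for a in aliases:
        if addr & a["mask"] == a[src_key]:
            host_bits = addr & ~a["mask"]
            return str(ipaddress.IPv4Address(a[dst_key] | host_bits))
    return ip  # no alias statement covers this address: unchanged


def foreign_to_dnat(aliases, ip):
    """Inbound direction: a DNS answer or packet source of foreign_ip is shown
    to inside clients as dnat_ip (the faddr value in SYSLOG messages)."""
    return _rewrite(aliases, ip, "foreign", "dnat")


def dnat_to_foreign(aliases, ip):
    """Outbound direction: a destination of dnat_ip is untranslated to foreign_ip."""
    return _rewrite(aliases, ip, "dnat", "foreign")


if __name__ == "__main__":
    # Constructed sample: the oaks.com example from this section.
    aliases = [parse_alias("alias (inside) 192.168.1.0 192.9.200.0 255.255.255.0")]
    print("DNS answer 192.9.200.33 seen inside as", foreign_to_dnat(aliases, "192.9.200.33"))
    print("outbound DST 192.168.1.33 leaves as", dnat_to_foreign(aliases, "192.168.1.33"))
```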

apply

Apply, delete, or show outbound access list to IP address. (Configuration mode.)

apply [(if_name)] outbound_id outgoing_src|outgoing_dest

clear apply

no apply [[(if_name)] outbound_id outgoing_src|outgoing_dest]

show apply [(if_name)] [outbound_id outgoing_src|outgoing_dest]
Syntax Description
if_name The internal network interface originating the connection.
outbound_id An outbound access list identification number previously created with the outbound command.
outgoing_src Deny or permit an internal IP address the ability to start outbound connections using the service(s) specified in the outbound command.
outgoing_dest Deny or permit access to an external IP address using the service(s) specified in the outbound command.
Usage Guidelines

The apply command determines what an outbound command statement is denying or permitting. If you set outgoing_src, you can permit or deny outbound connection access to an IP address. If you set outgoing_dest, you can permit or deny access to an outside IP address. Refer to for more information on the command options.

The clear apply and no apply commands are identical and disable a previous use of the apply command in the configuration. The show apply command displays the apply statements in the configuration.

Outbound lists have no effect on conduits which operate on inbound connections.

See also: outbound.

Example

The following commands prevent inside host 192.168.1.49 from accessing the World Wide Web (port 80).

outbound 11 deny 192.168.1.49 255.255.255.255 80
apply (inside) 11 outgoing_src

The following commands illustrate use of the show and clear forms of the command:

show apply
apply (inside) 11 outgoing_src
clear apply (inside) 11 outgoing_src

If your employees are spending too much time examining GIF images on a particular site with two web servers, you can use outgoing_dest to restrict this access:

outbound 12 deny 192.168.146.201 255.255.255.255 80
outbound 12 deny 192.168.146.202 255.255.255.255 80
apply (inside) 12 outgoing_dest

arp

Change or view the PIX Firewall's ARP cache, and set the timeout value. (Configuration mode.)

arp [if_name] ip_address mac_address [alias]

clear arp

no arp [[if_name] ip_address]

show arp [if_name] [ip_address mac_address alias]

arp timeout seconds

no arp timeout

show arp timeout
Syntax Description
if_name The internal or external interface name specified by the nameif command.
ip_address IP address for the ARP table entry.
mac_address Hardware MAC address for the ARP table entry; for example, 00:a0:c9:0a:eb:4d.
alias Make this entry permanent. Alias entries do not time out and are automatically stored in the configuration when you use the write command to store the configuration.
seconds (arp timeout only.) Duration that an ARP entry can exist in the ARP table before being cleared.
Usage Guidelines

The arp command adds an entry to the PIX Firewall ARP cache. ARP is a low-level TCP/IP protocol that resolves a node's physical address from its IP address through an ARP request asking the node with a particular IP address to send back its physical address. The presence of entries in the ARP cache indicates that the PIX Firewall has network connectivity.

Use the arp command to add an entry for new hosts you add on your network or when you swap an existing host for another. Alternatively, you can wait for the duration specified with the arp timeout command to expire and the ARP table rebuilds itself automatically with the new host information.

The clear arp and no arp commands are identical and delete an entry from the ARP table. The show arp command lists the entries in the ARP table.

The arp timeout command sets the duration that an ARP entry can stay in the PIX Firewall ARP table before expiring. The timer is known as the ARP persistence timer. The default value is 14,400 seconds (4 hours).

The no arp timeout command sets the timer to its default value. The show arp timeout command displays its current value.

Example
arp inside 192.168.0.42 00:a0:c9:0a:eb:4d
arp outside 192.168.0.43 00:a0:c9:0a:fc:5e alias
show arp
outside 192.168.0.43 00:a0:c9:0a:fc:5e alias
inside 192.168.0.42 00:a0:c9:0a:eb:4d

clear arp inside 192.168.0.42

arp timeout 42
show arp timeout
arp timeout 42 seconds

no arp timeout
show arp timeout
arp timeout 14400 seconds

conduit

Add, delete, or show conduits through firewall for incoming connections. (Configuration mode.)

conduit [(internal_if_name, external_if_name)] global_ip port[-port] protocol foreign_ip [netmask]

no conduit [[(internal_if_name, external_if_name)] global_ip port[-port] protocol foreign_ip [netmask]]

show conduit
Syntax Description
internal_if_name The internal network interface name where the static command's local_ip address resides.
external_if_name The external network interface name where the conduit command's foreign_ip resides.
global_ip A global IP address previously defined by the static command.
port[-port] Service(s) you permit to be used while accessing global_ip. Specify services by the port that handles it, such as 25 for SMTP, 80 for HTTP, and so on. 0 means any port. The port values are defined in RFC 1700. Permitted literal names are: dns, esp, ftp, h323, http, ident, nntp, ntp, pop2, pop3, pptp, rpc, smtp, snmp, snmptrap, sqlnet, tcp, telnet, tftp, and udp. Note that you can specify literals in port ranges; for example, ftp-h323. You can also specify numbers.
protocol Specifies the protocol for the connection. Possible values are esp, udp, tcp, and gre. You can also use pptp instead of gre but when you list the configuration or use the show conduit command, pptp is shown as gre.
foreign_ip An external IP address (host or network) that can access the global_ip. You can specify 0.0.0.0 or 0 for any host.
netmask Network mask of foreign_ip. If you use 0 for foreign_ip, use 0 for the netmask; otherwise, enter the netmask appropriate to foreign_ip.
Usage Guidelines

The conduit command works with a static statement to specify the following:

Together, a static and conduit statement pair create an exception to the PIX Firewall Adaptive Security mechanism by permitting connections from one firewall network interface to access hosts on another. static statements must be entered in the configuration before conduit statements. If you attempt to enter a conduit before entering a static statement, the message "Cannot locate the xlate" appears. Refer to for more information on the command options.

You can have up to 8,000 conduits; however, you must have 2 MB flash memory to store the configuration. For 512K flash memory, do not exceed 4,096 conduits.

Use of the conduit command with PPTP protocol, which is a subset of the GRE protocol, requires that you create two conduit statements, both for port 1723, and one for TCP and the other for PPTP. For example:

conduit (inside, outside) global_ip 1723 tcp foreign_ip mask
conduit (inside, outside) global_ip 0 gre foreign_ip mask

Conduits with a port value of 0 count as a single conduit, as do port values in a range such as 1234-2234. You can assign up to 65,535 access ports for a single conduit.

You can remove a conduit with the no conduit command. Use the show conduit command to view the conduit statements in the configuration.

You can create conduits for net statics with a single static statement. An example follows:

static (inside, outside) 204.31.17.0 10.1.1.0
conduit (inside, outside) 204.31.17.0 0 tcp 0 0

This static statement creates the potential for up to 254 statics. The conduit statement specifies that inside hosts 204.31.17.1 through 204.31.17.254 can be accessed by any host on the outside using any TCP service.

In addition, you can overlay host statics on top of a net static range to further refine what an individual host can access:

static (inside, outside) 204.31.17.0 10.1.1.0
conduit (inside, outside) 204.31.17.0 ftp tcp 1.2.3.0 0
static (inside, outside) 204.31.17.3 10.1.1.3
conduit (inside, outside) 204.31.17.3 h323 udp 1.2.3.3 255.255.255.255

In this case, the host at 1.2.3.3 has InternetPhone access in addition to its blanket FTP access.

If a conduit is specified as in the example that follows, host 192.168.2.2 can access the inside host that is mapped to the global address 192.168.1.1 on any TCP port:

conduit (inside, outside) 192.168.1.1 0 tcp 192.168.2.2 255.255.255.255

When the port is specified as zero, all ports of the specified protocol can be accessed. The same syntax applies for UDP.

If you create a conduit with a port range and then delete one port within the range, the configuration transparently creates two conduit statements. The first statement contains the range of ports up to the port you deleted and the second contains the ports from the deleted port to the end of the range.

Examples

The following pair of commands enables only SMTP communication between the UNIX gateway host with IP address 10.10.25.10 and an SMTP server on the inside network with IP address 192.168.1.49:

static (inside, outside) 10.10.26.147 192.168.1.49 255.255.255.255
conduit (inside, outside) 10.10.26.147 25 tcp 10.10.25.10 255.255.255.255

To remove the last conduit, enter the no conduit command:

no conduit 10.10.26.147 25 tcp 10.10.25.10

You can delete one port from a range and the configuration creates two new statements:

conduit (inside, outside) 10.0.42.1 1025-1050 udp 192.168.20.34 255.255.255.255
no conduit 10.0.42.1 1040
show conduit 10.0.42.1
conduit 10.0.42.1 1025-1039 udp 192.168.20.34 255.255.255.255
conduit 10.0.42.1 1041-1050 udp 192.168.20.34 255.255.255.255
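The following added example (not Cisco's code) models the range-splitting behaviour just shown, together with the counting rule that a port 0 or port-range conduit counts as a single conduit: deleting an interior port splits one statement into two, deleting an end port shrinks the range, and deleting the only port removes the statement. The literal-to-port table uses the well-known RFC 1700 numbers, and a conduit written without a netmask is assumed to mean a single host.

```python
from dataclasses import dataclass, replace

# Well-known port numbers (RFC 1700) for literal names the conduit command accepts.
PORT_LITERALS = {
    "ftp": 21, "telnet": 23, "smtp": 25, "dns": 53, "tftp": 69, "http": 80,
    "pop2": 109, "pop3": 110, "rpc": 111, "ident": 113, "nntp": 119,
    "ntp": 123, "snmp": 161, "snmptrap": 162, "h323": 1720, "pptp": 1723,
}


def _port(token):
    if token.isdigit():
        return int(token)
    if token in PORT_LITERALS:
        return PORT_LITERALS[token]
    raise ValueError("unknown port literal: " + token)


def parse_port_spec(spec):
    """'25' -> (25, 25); 'ftp-h323' -> (21, 1720); '0' -> (0, 0), meaning any port."""
    lo, sep, hi = spec.partition("-")
    low = _port(lo)
    high = _port(hi) if sep else low
    if low > high:
        raise ValueError("inverted port range: " + spec)
    return low, high


@dataclass(frozen=True)
class Conduit:
    interfaces: str   # "(inside, outside)" or "" when omitted, as in show output
    global_ip: str
    low: int
    high: int
    protocol: str
    foreign_ip: str
    netmask: str


def parse_conduit(line):
    """Parse 'conduit [(in_if, out_if)] global_ip port[-port] protocol foreign_ip [netmask]'."""
    parts = line.split()
    if parts[0] != "conduit":
        raise ValueError("not a conduit statement: " + line)
    parts = parts[1:]
    interfaces = ""
    if parts[0].startswith("("):
        interfaces = parts[0] + " " + parts[1]   # "(inside," and "outside)" are two tokens
        parts = parts[2:]
    global_ip, port_spec, protocol, foreign_ip = parts[:4]
    if len(parts) > 4:
        netmask = parts[4]
    else:
        # Assumption: a missing netmask means "0" for foreign_ip 0, else a single host.
        netmask = "0" if foreign_ip in ("0", "0.0.0.0") else "255.255.255.255"
    low, high = parse_port_spec(port_spec)
    return Conduit(interfaces, global_ip, low, high, protocol, foreign_ip, netmask)


def render(c):
    ports = str(c.low) if c.low == c.high else f"{c.low}-{c.high}"
    head = "conduit " + (c.interfaces + " " if c.interfaces else "")
    return f"{head}{c.global_ip} {ports} {c.protocol} {c.foreign_ip} {c.netmask}"


def remove_port(conduits, global_ip, port):
    """Model 'no conduit global_ip port' applied to every matching statement.

    A port-0 (any port) conduit is left alone, since 0 names no single port.
    """
    result = []
    for c in conduits:
        if c.global_ip != global_ip or c.low == 0 or not (c.low <= port <= c.high):
            result.append(c)
            continue
        if c.low < port:                      # ports below the deleted one survive
            result.append(replace(c, high=port - 1))
        if port < c.high:                     # ports above the deleted one survive
            result.append(replace(c, low=port + 1))
    return result


def conduit_count(conduits):
    """Each statement counts once toward the flash-memory limit (8,000 with 2 MB,
    4,096 with 512K), whether it names one port, a range, or port 0."""
    return len(conduits)


if __name__ == "__main__":
    # Constructed sample: the port-range example from this section.
    table = [parse_conduit(
        "conduit (inside, outside) 10.0.42.1 1025-1050 udp 192.168.20.34 255.255.255.255")]
    for c in remove_port(table, "10.0.42.1", 1040):
        print(render(c))
```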

The next example lets network 10.1.1.0 on the inside receive H323 InternetPhone calls and allows the outside network 204.30.242.0 to connect inbound via the IDENT (tcp/113) protocol:

static (inside, outside) 204.31.17.0 10.1.1.0
conduit (inside, outside) 204.31.17.0 h323 tcp 0.0.0.0 0.0.0.0
conduit (inside, outside) 204.31.17.0 113 tcp 204.30.242.0 255.255.255.0

The next example lets one FTP server on the inside, 10.1.1.3, be accessed as 204.31.17.3 by the network 260.44.224.x on the outside:

static (inside, outside) 204.31.17.3 10.1.1.3
conduit (inside, outside) 204.31.17.3 ftp tcp 260.44.224.0 255.255.255.0

The next example lets one web server on the inside, 10.1.1.4, be accessed as 204.31.17.4 by the whole outside Internet:

static (inside, outside) 204.31.17.4 10.1.1.4
conduit (inside, outside) 204.31.17.4 80 tcp 0 0

The next example lets you give everyone FTP and InternetPhone access:

static (inside, outside) 1.2.3.0 10.1.1.0
conduit (inside, outside) 1.2.3.0 ftp tcp 0 0
conduit (inside, outside) 1.2.3.0 h323 udp 0 0

configure

Merge current configuration with that on floppy or flash, start configuration mode, or view current configuration. (Privileged mode.)

configure net [[server_ip]:[filename]]

configure floppy

configure memory

configure terminal

show configure
Syntax Description
server_ip Merges the current configuration with that available across the network at server_ip, which is defined with the tftp-server command.
filename A filename you specify to qualify the location of the configuration file on the TFTP server named in server_ip. If you set a filename with the tftp-server command, do not specify it in the configure command; instead just use a colon ( : ) without a filename.
floppy Merges the current configuration with that on floppy disk.
memory Merges the current configuration with that in flash memory.
terminal Starts configuration mode to enter configuration commands from a terminal.
Usage Guidelines

The configure net command merges the current running configuration with a configuration stored at the IP address you specify and from the file you name. If you specify both the IP address and path name in the tftp-server command, you can specify :filename as simply a colon ( : ); for example:

configure net :

Use the write net command to store the configuration in the file.

The configure floppy command merges the current running configuration with the configuration stored on floppy disk. This command assumes that the floppy disk was previously created by the write floppy command.

The configure memory command merges the configuration in flash memory into the current configuration in RAM.

The configure terminal command starts configuration mode. Exit configuration mode by pressing ^z. After exiting configuration mode, use write memory to store your changes in flash memory or write floppy to store the configuration on floppy disk. Use the write terminal command to display the current configuration.

The show configure command lists the contents of the configuration in flash memory.

Each statement from floppy disk (with configure floppy) or flash memory (with configure memory) is read into the current configuration and evaluated in the same way as commands entered from a keyboard with these rules:

Example
configure net 10.1.1.1:/tftp/config/pixconfig

configure floppy
configure memory
pixfirewall> enable
password: *****
pixfirewall# configure terminal
show config
:  Saved
... config commands ...
:  End

debug trace

Enable or disable ICMP trace mode. (Configuration mode.)

debug trace on

no debug trace

show debug
Syntax Description
on Enable ICMP (Internet Control Message Protocol) tracing for pinging between the internal and external networks.
Usage Guidelines

The debug command lets you trace ping requests through the PIX Firewall. Use this command during troubleshooting when pings between the internal and external networks do not work. The no debug trace command disables ICMP trace mode. The show debug command displays the current state of tracing.


Note Use of this command can cause severe problems on busy networks. Only use this command for debugging network connections.

Example

The following example turns on this command:

debug trace on

When you ping a host from the internal network to the external network, trace output displays on the console indicating the direction of the ping and whether a response is detected, as shown in the following example output:

Inbound ICMP Echo Request (10.0.0.1) 10.0.0.1 <- 204.31.17.2
...

disable

Exit privileged mode and return to unprivileged mode. (Privileged mode.)

disable
Usage Guidelines

The disable command exits privileged mode and returns you to unprivileged mode. Use the enable command to return to privileged mode.

Example
pixfirewall# disable
pixfirewall>

enable

Start privileged mode. (Unprivileged mode.)

enable
Usage Guidelines

The enable command starts privileged mode. The PIX Firewall prompts you for your privileged mode password. The default password is no password. Use disable to exit privileged mode. Use enable password to change the password.

Example
pixfirewall> enable
Password: 
pixfirewall# configure terminal
pixfirewall(config)#

enable password

Set the privileged mode password. (Privileged mode.)

enable password password

show enable password
Syntax Description
password A case-sensitive password of up to 16 alphanumeric characters.
Usage Guidelines

The enable password command changes the privileged mode password, for which you are prompted after you enter the enable command. When the PIX Firewall starts and you enter privileged mode, the password prompt appears. There is no default password (press the Return key at the Password prompt). The show enable password command lists the encrypted form of the password.


Note Write down the new password and store it in a manner consistent with your site's security policy. Once you change this password, you cannot view it again. Also, ensure that all who access the PIX Firewall console are given this password.

Use the passwd command to set the password for HTTP and Telnet access to the PIX Firewall console. The default passwd value is cisco.

See also: passwd.

Example
pixfirewall> enable
Password:
pixfirewall# enable password w0ttal1fe
pixfirewall# configure terminal
write terminal
Building configuration...
: Saved
:
PIX Version 4.0.n.n
enable password 2oifudsaoid.9ff encrypted
passwd 2jkifsldkaj.23 encrypted
hostname pixfirewall
...

established

Allow, disallow, or view return connections based on established connections. (Configuration mode.)

established protocol [port[-port]] permit[to|from] [protocol] [port[-port]]

no established [protocol [port[-port]] permit[to|from] [protocol] [port[-port]]]

show established
Syntax Description
protocol IP protocol type of udp or tcp.
port[-port] IP protocol service or port number. Do not use the udp, tcp, or esp literals in the port range. Permitted literal names are: dns, ftp, h323, http, ident, nntp, ntp, pop2, pop3, rpc, smtp, snmp, snmptrap, sqlnet, telnet, and tftp. Note that you can specify literals in port ranges; for example, ftp-h323.
permitto Permit inbound connections to the specified port or protocol.
permitfrom Permit inbound connections from the specified port or protocol.
Usage Guidelines

The established command lets you debug an application that requires multiple TCP or UDP port connections. This command is only recommended for use with WEB Theatre VXtreme and Microsoft NetShow. The PIX Firewall supports other multimedia applications without the need for the established command. These applications include RealAudio, VDO, Xing, VocalTec, H323, and CuSeeMe. The PIX Firewall supports these applications using its enhanced multimedia Adaptive Security algorithm which does not in any way compromise security.

The port after permitto pertains to the local ports. The port after permitfrom pertains to the foreign ports. The port after established tcp|udp is the connection that must exist before the returning packets are allowed in.

While this command is running, all UDP or TCP traffic is permitted between the client and server for the current TCP connection. This command only allows the host to which the inside client is connected to deliver UDP data or make high TCP port connections back to the client.

The no established command disables the feature. The show established command shows the established commands in the configuration.

The established command itself does not produce either console or SYSLOG output while running.

Example

The following example occurs when a local host 10.1.1.1 starts a TCP connection from port 2020 to a foreign host 204.31.17.1. The example allows packets from the foreign host 204.31.17.1 of port 4242 back to local host 10.1.1.1 on port 5454:

established tcp 2020 permitto tcp 5454 permitfrom tcp 4242

The next example allows packets from foreign host 204.31.17.1 on any port back to local host 10.1.1.1 on port 5454:

established tcp 2020 permitto tcp 5454

The next example allows packets from foreign host 204.31.17.1, port 4242 back to local host 10.1.1.1 on port 2020:

established tcp 2020 permitfrom tcp 4242
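
To make the matching rules above concrete, here is an added Python model (not PIX Firewall code) that parses an established command line and decides whether an inbound packet is admitted as return traffic for an existing connection; the literal port table and the rule, connection and packet objects are this example's own assumptions.

```python
# Added example (not Cisco PIX code): a Python model of how an `established`
# rule admits return packets, following the semantics this page states.
# The literal-name port table and the rule/packet objects are assumptions.
from dataclasses import dataclass
from typing import Optional, Tuple

# Well-known port numbers for the literal names the page allows in port ranges.
PORT_LITERALS = {
    "dns": 53, "ftp": 21, "h323": 1720, "http": 80, "ident": 113, "nntp": 119,
    "ntp": 123, "pop2": 109, "pop3": 110, "rpc": 111, "smtp": 25, "snmp": 161,
    "snmptrap": 162, "sqlnet": 1521, "telnet": 23, "tftp": 69,
}
KEYWORDS = ("permitto", "permitfrom")
PROTOCOLS = ("tcp", "udp")
PortRange = Tuple[int, int]

def _port(token: str) -> int:
    if token in ("tcp", "udp", "esp"):  # the page forbids these as port literals
        raise ValueError(f"{token} is not a port literal")
    return PORT_LITERALS[token] if token in PORT_LITERALS else int(token)

def _port_range(token: str) -> PortRange:
    lo, _, hi = token.partition("-")  # a single port or lo-hi; literals allowed
    low = _port(lo)
    return (low, _port(hi) if hi else low)

@dataclass(frozen=True)
class Clause:  # a permitto or permitfrom clause; None fields mean "not restricted"
    protocol: Optional[str]
    ports: Optional[PortRange]

@dataclass(frozen=True)
class EstablishedRule:
    protocol: str                 # protocol of the connection that must already exist
    ports: Optional[PortRange]    # local port(s) of that connection; None = any
    permitto: Optional[Clause]    # restricts the local (destination) port
    permitfrom: Optional[Clause]  # restricts the foreign (source) port

def parse_established(line: str) -> EstablishedRule:
    """Parse one `established` command line into a rule object."""
    tok = line.split()
    if len(tok) < 2 or tok[0] != "established" or tok[1] not in PROTOCOLS:
        raise ValueError("not an established command")
    i, ports, clauses = 2, None, {}
    if i < len(tok) and tok[i] not in KEYWORDS:
        ports, i = _port_range(tok[i]), i + 1
    while i < len(tok):
        kw, i = tok[i], i + 1
        if kw not in KEYWORDS or kw in clauses:
            raise ValueError(f"unexpected token {kw}")
        proto = prange = None
        if i < len(tok) and tok[i] in PROTOCOLS:
            proto, i = tok[i], i + 1
        if i < len(tok) and tok[i] not in KEYWORDS:
            prange, i = _port_range(tok[i]), i + 1
        clauses[kw] = Clause(proto, prange)
    return EstablishedRule(tok[1], ports, clauses.get("permitto"), clauses.get("permitfrom"))

@dataclass(frozen=True)
class Connection:  # an outbound connection already in the firewall's connection table
    protocol: str
    local_ip: str
    local_port: int
    foreign_ip: str

@dataclass(frozen=True)
class Packet:  # an inbound packet arriving from the foreign host
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def _in_range(r: Optional[PortRange], port: int) -> bool:
    return r is None or r[0] <= port <= r[1]

def _clause_ok(c: Clause, protocol: str, port: int) -> bool:
    return (c.protocol is None or c.protocol == protocol) and _in_range(c.ports, port)

def return_permitted(rule: EstablishedRule, conn: Connection, pkt: Packet) -> bool:
    """True if the rule admits pkt as return traffic for the existing connection conn."""
    # The connection named after `established tcp|udp` must exist first.
    if conn.protocol != rule.protocol or not _in_range(rule.ports, conn.local_port):
        return False
    # Only the host the inside client connected to may send traffic back.
    if pkt.src_ip != conn.foreign_ip or pkt.dst_ip != conn.local_ip:
        return False
    # permitfrom limits the foreign port; when absent, any foreign port is allowed.
    if rule.permitfrom is not None and not _clause_ok(rule.permitfrom, pkt.protocol, pkt.src_port):
        return False
    # permitto limits the local port; when absent, traffic may only return to the
    # connection's own local port (as in the page's third example).
    if rule.permitto is None:
        return pkt.dst_port == conn.local_port
    return _clause_ok(rule.permitto, pkt.protocol, pkt.dst_port)
```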

failover

Change or view access to the optional failover feature. (Configuration mode.)

failover [active]

no failover active

show failover
Syntax Description
active Make a PIX Firewall the active unit. Use this command when you need to force control of the connection back to the unit you are accessing, such as when you want to switch control back from a unit after you have fixed a problem and want to restore service to the primary unit. Either enter no failover active on the secondary unit to switch service to the primary or failover active on the primary unit.
Usage Guidelines

Use the failover command without an argument after you connect the optional failover cable between your primary firewall and a secondary firewall. The default configuration has failover enabled. Enter no failover in the configuration file for the PIX Firewall if you will not be using the failover feature. Use the show failover command to verify the status of the connection and to determine which unit is active.

Failover works by passing control to the secondary unit should the primary unit fail. For Ethernet, failover detection should occur within 15 seconds.


Note Assign different host names to each PIX Firewall (with the hostname command).

Refer to "Configuring Failover" in Chapter 2 for configuration information.

The failover feature causes the PIX Firewall to ARP for itself every 15 seconds. If this adversely affects your ARP table, you can disable it with the no failover command.

Example

The following output, first from the primary unit and then from the secondary unit, shows that failover is enabled and that the primary unit is active:

show failover
Failover On
    This host: Primary - Active
    Other host: Secondary - Standby
    Cable status: 0x0 - Normal
    Outside Interface
        this host:  Rx cnt 683  Uptime 720
        other host: Rx cnt 3    Uptime 0
    Inside Interface
        this host:  Rx cnt 623  Uptime 720
        other host: Rx cnt 3    Uptime 0
show failover
Failover On
    This host: Secondary - Standby
    Other host: Primary - Active
    Cable status: 0x0 - Normal
    Outside Interface
        this host:  Rx cnt 683  Uptime 720
        other host: Rx cnt 3    Uptime 0
    Inside Interface
        this host:  Rx cnt 683  Uptime 720
        other host: Rx cnt 3    Uptime 0

global

Create or delete entries from a pool of global addresses. (Configuration mode.)

global [(if_name)] nat_id_set global_ip[-global_ip]

no global [[(if_name)] nat_id_set global_ip[-global_ip]]

show global
Syntax Description
if_name The external network interface name where you use these global addresses.
nat_id_set You can specify up to 256 unique ID values, which is a single nat group ID.

The valid ID numbers can be any positive number up to 2,147,483,647. If there is a single network on the inside of the PIX Firewall, set nat_id_set to 1.

global_ip One or more global IP addresses that the PIX Firewall shares among its connections.
If the external network is connected to the Internet, each global IP address must be registered with the Network Information Center (NIC). You can specify a range of IP addresses by separating the addresses with a dash (-). You can have up to 16,384 global IP addresses.

If you specify a single IP address, port address translation (PAT) occurs on that address, which lets a single IP address support up to 64,000 internal hosts, 16,384 simultaneously.

Usage Guidelines

The global command defines a pool of global addresses. The global addresses in the pool provide an IP address for each outbound connection, and for those inbound connections resulting from outbound connections. Always use the nat command before the global command to specify which internal addresses are being translated. Put the nat ID number in the global command to define which nat statement can access the global addresses in the pool.

For example, a nat statement is created to permit hosts 10.1.1.1 through 10.1.1.254 to start outbound connections. The nat ID, 1, is added to the global statement to permit the inside hosts access to the pool of global addresses, 204.31.17.1 through 204.31.17.254:

nat (inside) 1 10.1.1.0 255.255.255.0 20 20
global (outside) 1 204.31.17.1-204.31.17.254

Use the no global command to remove access to a nat ID, or to a PAT address or address range within a nat ID. Use the show global command to view the global statements in the configuration.


Note If you are using port address translation, specify a single IP address; otherwise, you must specify a range of two or more IP addresses, such as 10.10.26.1-10.10.26.3.

The PIX Firewall uses the global addresses to assign a virtual IP address to a connection. When the translation times out (defined by the timeout command), the global address returns to the available pool. If the outside network connects with the Internet, each IP address you specify as a global address must be registered with the NIC.

The PIX Firewall allocates global IP addresses from the pool by starting at the end of the range you specify and working backward.

If you are using global networks that are disjoint from the outside network address, be certain that the networking equipment and computers have a routing table entry for the global network with a next hop of the outside interface of the PIX Firewall.

With the port address translation (PAT) feature, you can have multiple outbound sessions appear to originate from a single IP address. This feature is valuable when an Internet service provider cannot allocate enough unique IP addresses for your outbound connections. The IP addresses you specify for port address translation cannot be in another global address pool.


Note Do not use port address translation when multimedia applications need to be run through the firewall. Multimedia applications need access to specific ports and can conflict with port mappings provided by PAT.

Ports are service specifiers inside a UDP or TCP packet. With port address translation enabled, the firewall chooses a unique port number for each outbound connection, thereby permitting many connections to use a single IP address.

Example

The following example declares two global pool ranges and a port address translation address. Then the user changes their mind and deletes the second global pool range, 204.31.17.54-204.31.17.55. The show global command displays the global statements in the configuration. Then the nat command permits all inside users to start connections to the outside network. The outbound command permits web access (on the HTTP port) for everyone but denies it to the host at 10.0.0.42, whose user overuses the web. The apply command specifies that the outbound command applies to inside users' ability to start connections to the outside.

nat (inside) 1 0 0
global (outside) 1 204.31.17.1-204.31.17.10
global (outside) 1 204.31.17.42
Global 204.31.17.42 will be Port Address Translated
global (outside) 1 204.31.17.54-204.31.17.55
no global (outside) 1 204.31.17.54-204.31.17.55
show global
global (outside) 1 204.31.17.1-204.31.17.10
global (outside) 1 204.31.17.42-204.31.17.42

outbound 1 permit 0 0 http
outbound 1 deny 10.0.0.42 255.255.255.255 http
apply (inside) 1 outgoing_src
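
As an added illustration (not Cisco's code), the following Python model shows the pool behaviour described above: allocation from the end of the range backward, PAT on a single address, return of an address when its translation times out, and the rule that a PAT address may not appear in another pool; the Xlate record, the PAT port numbering and the conflict check are this example's assumptions.

```python
# Added example (not Cisco PIX code): a Python model of one nat ID's global
# address pool as this page describes it: addresses are allocated from the end
# of the range backward, a single-address pool is Port Address Translated (PAT),
# and a timed-out translation returns its address to the pool.  The Xlate record,
# the PAT port numbering (1024 upward) and the conflict check are assumptions.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Xlate:
    local_ip: str
    global_ip: str
    port: Optional[int]  # None for a one-to-one translation; the chosen port under PAT

class GlobalPool:
    def __init__(self, nat_id: int, spec: str, pat_first_port: int = 1024):
        """spec is the global_ip[-global_ip] argument of the global command."""
        lo, _, hi = spec.partition("-")
        first = ipaddress.IPv4Address(lo)
        last = ipaddress.IPv4Address(hi) if hi else first
        if last < first:
            raise ValueError("range end precedes range start")
        self.nat_id = nat_id
        self.pat = first == last  # a single address means PAT on that address
        self.addresses: List[str] = [str(first + n) for n in range(int(last) - int(first) + 1)]
        self.free: List[str] = list(self.addresses)  # popped from the end: highest address first
        self.next_port = pat_first_port
        self.xlates: Dict[Tuple[str, Optional[int]], Xlate] = {}

    def allocate(self, local_ip: str) -> Optional[Xlate]:
        """Translate a new outbound connection from local_ip; None when the pool is exhausted."""
        if self.pat:
            port, self.next_port = self.next_port, self.next_port + 1  # unique port per connection
            x = Xlate(local_ip, self.addresses[0], port)
        elif self.free:
            x = Xlate(local_ip, self.free.pop(), None)
        else:
            return None
        self.xlates[(x.global_ip, x.port)] = x
        return x

    def timeout(self, x: Xlate) -> None:
        """The translation expired (see the timeout command): its address returns to the pool."""
        del self.xlates[(x.global_ip, x.port)]
        if not self.pat:
            self.free.append(x.global_ip)

def pat_address_conflicts(pools: List[GlobalPool]) -> List[str]:
    """PAT addresses that also appear in another pool, which the page says is not allowed."""
    return [p.addresses[0] for p in pools
            if p.pat and any(q is not p and p.addresses[0] in q.addresses for q in pools)]
```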

groom

Refresh flash memory. (Privileged mode.)

groom
Usage Guidelines

The groom command lets traditional flash memory circuit boards operate at peak efficiency. The PIX Firewall automatically runs this command when flash memory is full; that is, when you try to save your configuration and insufficient memory is available to store it.

In the past, when the firewall wrote to flash memory, the flash memory appended the image to its existing contents. Eventually, the circuit board ran out of memory and caused system failure. With the groom command, the firewall copies the existing configuration from flash memory into RAM, clears the complete flash memory space, and then restores the image to flash memory.

You can either wait until flash memory runs out or run the groom command as part of your preventive maintenance schedule, either monthly or every few months, depending on how often you change the configuration and save it to flash memory.


Note When you run the groom command, do not interrupt the system because vital information can be lost. Before running this command, save a copy of the configuration on floppy disk and ensure that no other console users are using the unit.

Example
groom
Grooming flash. This will take a moment. DO NOT INTERRUPT.

help

Display help information. (Unprivileged mode.)

help

?
Usage Guidelines

The help or ? command displays help information about all commands. You can view help for an individual command by entering the command name followed by a question mark or just the command name and pressing the Enter key.

If the pager command is enabled, the listing pauses after 24 lines display and the following prompt appears:

<--- More --->

The More prompt uses syntax similar to the UNIX more command:

Example
age ?
age 

Help information is available on the core commands (not the show, no, or clear commands) by entering ? at the command prompt:

?
aaa	Set Authentication and Authorization parameters

...

history

View the last 10 command lines you entered. (Privileged mode.)

history

no history

show history
Usage Guidelines

The history (or show history) command lists the last 10 command lines you entered. The no history command disables command history.

If you are using a VT100-compatible terminal, such as HyperTerminal with Windows 95 or Windows NT, the up and down arrow keys have the same effect as ^p and ^n. In addition, the left arrow key works as a backspace.

You can use the following commands to edit or view previously entered commands:

The command line history consists of 10 lines in a circular buffer. When you enter the 11th command, it replaces the first entered and so on. When you are at the first line in the history and enter ^n, the 10th line appears.

The history command itself does not occupy a slot in the history buffer.

Example
pixfirewall(config)0# history
0: configure term
1: static (inside, outside) 1.2.3.4 10.0.0.1
2: static (inside, outside) 1.2.3.3 10.0.0.2
3: conduit (inside, outside) 1.2.3.3 0 tcp 0 0
4: conduit (inside, outside) 1.2.3.3 1 tcp 0 0
5: conduit (inside, outside) 1.2.3.4 2 tcp 0 0
6: pager
7: nat (inside) 1 1.2.3.5
8: nat (perimeter) 2 1.2.3.6
9: global (outside) 1 1.3.4.1-1.3.4.254
pixfirewall(config)0# !5
pixfirewall(config)5# conduit (inside, outside) 1.2.3.4 2 tcp 0 0

hostname

Change the host name in the PIX Firewall command line prompt. (Configuration mode.)

hostname newname
Syntax Description
newname New host name for the PIX Firewall prompt. This name can be up to 17 alphanumeric characters and mixed case.
Usage Guidelines

The hostname command changes the host name label on prompts. The default host name is pixfirewall. If you have the optional failover feature, assign host names to both the PIX Firewall units. Then if a failure occurs and you Telnet to the IP address, the host name in the prompt verifies that the secondary unit is functioning.

Example
hostname spinner
spinner(config)# hostname pixfirewall

interface

Identify network interface speed and duplex. (Configuration mode.)

interface hardware_id hardware_speed

show interface
Syntax Description
hardware_id Identifies the network interface type. Possible values are ethernet0, ethernet1 to ethernetn or token-ring0, token-ring1 to token-ringn depending on how many network interfaces are in the firewall.
hardware_speed Network interface speed.

Possible Ethernet values are:

Possible Token Ring values are:

  • 4mbps--4 Mbps data transfer speed. You can specify this as 4.

  • 16mbps--(default) 16 Mbps data transfer speed. You can specify this as 16.

Usage Guidelines

The interface command identifies the speed and duplex settings of the network interface boards. Refer to Installing Circuit Boards in the PIX Firewall for information on installing an interface board. Use show interface to view information about the interface.

The configuration of the interface affects buffer allocation (the PIX Firewall will allocate more buffers for higher line speeds). Buffer allocation can be checked with the show blocks command.


Note The aui and bnc options will be obsoleted in a future release.

When you use the interface token-ring command, also use the mtu command to set the block size depending on the interface speed.

The use of inside and outside instead of hardware_id for PIX Firewall versions before 4.1 will be maintained for backward compatibility.

The show interface command lets you view network interface information for both Ethernet and Token Ring depending on which is installed in your PIX Firewall. This is one of the first commands you should use when establishing network connectivity after installing a PIX Firewall.

The information in the display is as follows:

Example

The following example assigns names to each interface, enables auto detection for the interface parameters, and then shows interface activity:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 perimeter security50
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
show interface
interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82557 ethernet, address is 00:a0:c9:3e:68:42
  IP address 204.31.17.1, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 10000 Kbit half duplex
        3975 packets input, 293655 bytes, 0 no buffer
        Received 3975 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        699 packets output, 44736 bytes, 0 underruns
interface ethernet1 "inside" is up, line protocol is up
  Hardware is 3c590 ethernet, address is 00:a0:24:9f:5e:26
  IP address 10.1.1.2, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 10000 Kbit half duplex
        58 packets input, 7308 bytes, 0 no buffer
        Received 58 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        699 packets output, 29358 bytes, 0 underruns
interface ethernet2 "perimeter" is up, line protocol is up
  Hardware is 3c590 ethernet, address is 00:a0:24:9f:66:a8
  IP address 204.31.18.1, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 10000 Kbit half duplex
        315 packets input, 25350 bytes, 0 no buffer
        Received 186 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        710 packets output, 29820 bytes, 0 underruns

ip address

Identify the IP address for the PIX Firewall. (Configuration mode.)

ip address if_name ip_address [netmask]

show ip
Syntax Description
if_name The internal or external interface name designated by the nameif command.
ip_address PIX Firewall's network interface IP address.
netmask Network mask of ip_address.
Usage Guidelines

The ip address command assigns an IP address to the PIX Firewall. Use the show ip command to view which addresses are assigned to the network interfaces.

Example
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 perimeter security50
ip address inside 192.168.2.1 255.255.255.0
ip address outside 204.31.17.2 255.255.255.0
ip address perimeter 204.31.18.3 255.255.255.0
show ip address
interface 0: ip address outside 204.31.17.2 mask 255.255.255.0
interface 1: ip address inside 192.168.2.1 mask 255.255.255.0
interface 2: ip address perimeter 204.31.18.3 mask 255.255.255.0

kill

Terminate a Telnet session. (Privileged mode.)

kill telnet_id
Syntax Description
telnet_id Telnet session ID.
Usage Guidelines

The kill command terminates a Telnet session. Use the who command to view the Telnet session ID value. When you kill a Telnet session, the PIX Firewall lets any active commands terminate and then drops the connection without warning the user.

See also: show who, telnet.

Example
show who
2: From 10.10.54.0 
kill 2

link / linkpath / age

Specify a Private Link connection to a remote PIX Firewall. (Configuration mode.)

link foreign_external_ip key-id key|md5

no link foreign_external_ip key-id key|md5

show link

linkpath foreign_internal_ip netmask foreign_external_ip

no linkpath foreign_internal_ip netmask foreign_external_ip

show linkpath

age minutes

show age
Syntax Description
foreign_external_ip The external network interface IP address on the foreign PIX Firewall running Private Link.
foreign_internal_ip The internal network IP address on the foreign PIX Firewall running Private Link. Note that this is the IP address of the network on the inside of the PIX Firewall, not the address of the inside interface.
key-id A value from 1 to 7.
key The 56-bit key (up to 14 hexadecimal digits) used to seed the encryption chip. This key must be the same on each host end of an encrypted link. The key consists of hexadecimal numbers; for example, fadebacfadebac. Select a unique key that is difficult to guess. Do not use the example keys shown in this document.
md5 Select MD5 encryption. This option puts a digital signature in the AH/ESP header of each packet before being transmitted to the remote Private Link firewall.
netmask Specifies a subnet mask to apply to foreign_internal_ip.
minutes age only: Duration in minutes that a Private Link key is used to encrypt information on the connection. The maximum duration is 130,000,000 minutes (247 years). The minimum duration is 1 minute.
Usage Guidelines

The link command creates an encrypted path between Version 4 Private Link-equipped PIX Firewall units. You can specify up to seven encryption keys for data access between your unit and the remote unit. The key-ID and key values must be the same on each side of the Private Link. Once you specify the same keys on both sides of the connection, the systems alert each other when a new key takes effect. You can use the age command to specify the number of minutes that a key is in effect.

The linkpath command identifies the internal and external network interfaces on the foreign PIX Firewall running Private Link. Use show linkpath to view the IP addresses you specify. Use no linkpath to stop access to a Private Link remote firewall. Refer to the link command description for more information about using linkpath. You can use multiple linkpath statements to define which networks on the remote PIX Firewall can access the Private Link connection.

Test access to the foreign Private Link PIX Firewall with the ping inside command.

The age command specifies the length of time in minutes that a key is active over Private Link. Private Link supports up to seven keys that it selects sequentially to ensure additional security. The show age command lists the current duration.


Note An encryption circuit board must be present to use link or linkpath commands.

Private Link is enabled automatically after you power-up after inserting the encryption circuit board. Refer to Installing Circuit Boards in the PIX Firewall, for more information on installing the encryption circuit board and Regulatory Compliance and Safety Information for the PIX Firewall Series, for important safety information before opening the PIX Firewall chassis. Both documents are included in the accessory kit that accompanies your PIX Firewall.

The no link command deletes a key from the link command. Use the show link command to list the remote IP address, keys, and the number of packets processed through Private Link.

Enter the link command for each key you want to specify; for example, if you want seven keys, enter the link command in the configuration seven times.

The PIX Firewall Private Link consists of an encryption card and software that permits the PIX Firewall units to provide encrypted communications across an unsecure network such as the Internet. This optional feature is available to domestic customer sites.

The PIX Firewall allows up to 256 Private Links. At least two PIX Firewall units are required along with the hardware/software option to use this feature.

Refer to "Configuring Private Link" in Chapter 2 for more information.

If a single key is set, the age command keeps that one key active continuously.


Note Use the same link statements on either side of the Private Link to ensure that the keys are the same and in the same order on both sides of the link.

Private Link packet information tells the remote side what key number to use to decrypt the data. The aging duration can be different, as well as the system clocks themselves on either side of the link, but as long as you use the same link statements on both sides, all information decrypts correctly.
Example

The following example specifies the remote IP address of the Private Link, four keys for access to the remote system, and the IP address of the inside network on the remote host.

link 204.31.17.2 1 FadebacFadebac
link 204.31.17.2 2 BacfadeFadebac
link 204.31.17.2 3 BaabaaaFadebac
link 204.31.17.2 4 BeebeeeFadebac
linkpath 10.1.0.0 255.255.255.0 204.31.17.2

Another example follows:

link 204.31.17.42 1 FadeBacBeeBeee
link 204.31.17.42 2 Abcdef42FedcbA
show link
     Foreign IP  KeyID               Key
   204.31.17.42    1    0xfadebacbeebeee
                   2    0xabcdef01fedcba
                          100 out, 100 in

An age example follows:

age 10
show age
Private Link Key Aging: 10 minutes

mailhost

Add or remove mail hosts. (Configuration mode.)

mailhost [(internal_if_name, external_if_name)] global_ip local_ip [max_conns [em_limit]]

clear mailhost

no mailhost [[(internal_if_name, external_if_name)] global_ip [local_ip]]

show mailhost
Syntax Description
internal_if_name The internal network interface name.
external_if_name The external network interface name.
global_ip A global IP address. Do not pick a global_ip address from the global pool of addresses.
local_ip The local IP address of the internal SMTP mail server.
max_conns The maximum mail connections permitted. Set this value to less than or equal to your connection license. Use show conn to view the maximum number of connections for your firewall.
em_limit The embryonic mail connection limit. An embryonic connection is a connection that someone attempted but has not completed and has not yet seen data. Every connection is embryonic until it sets up. The default is 0, which means unlimited connections.
The maximum is 65,535 and the minimum is 1. A rule of thumb for the limit is the maximum number of connections on your connection license minus 30%; for example, on a 64-session license, set it to at least 40. Set it lower for slower systems, higher for faster systems.
Usage Guidelines

The mailhost command lets you create an SMTP mail host on an internal secure interface that can be accessed safely from an unprotected or less secure external interface. The mailhost command imposes a security check and translation of the SMTP protocol, with PIX Firewall Adaptive Security en route. The mailhost command limits what connections from less secure interfaces can do to the mail host itself. Only the seven SMTP commands specified in RFC 821, section 4.5.1 (HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT) are permitted. Any other commands are treated as NOOP and discarded with OK returned to the sender. This command creates its own implied conduit.

The mailhost command removes the need for an external mail relay in the perimeter network, also known as the DMZ (demilitarized zone), that section of the network outside the firewall but before the Internet. The mailhost command is also known as the Mail Guard feature.


Note To ensure that the mailhost command is working properly, refer to Cisco's PIX Firewall web site at http://www.cisco.com/pix and locate the "Testing the PIX Firewall mailhost command" topic in the Technical Tips section.

The identical clear mailhost and no mailhost commands disable access to the SMTP server.

View mail host information with the show mailhost and show xlate commands.

See also: show conn, show xlate.

Example
ip address inside 10.1.1.1 255.0.0.0
ip address outside 204.31.17.10 255.255.255.0
mailhost (inside, outside) 204.31.17.25 10.1.1.3 10 40
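
The Mail Guard check described above, as an added Python model that is not part of the PIX Firewall: the seven permitted SMTP commands are relayed to the inside mail server and everything else is dropped with OK returned to the client; the reply text, the handling of message-body lines after DATA, and the sample session are this example's assumptions.

```python
# Added example (not Cisco PIX code): a Python model of the SMTP command check
# the mailhost (Mail Guard) feature applies, as this page describes it.  The
# seven RFC 821 commands are relayed to the inside mail server; any other
# command is discarded and answered locally with OK.  Treating lines after
# DATA as message body, the exact reply text, and the sample session are
# assumptions/constructed.
from typing import List, Tuple

PERMITTED = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}

class MailGuard:
    """Per-connection filter sitting between an outside client and the mail host."""

    def __init__(self) -> None:
        self.in_data = False  # True while a message body is being relayed after DATA

    def filter_line(self, line: str) -> Tuple[str, str]:
        """Return ("forward", line) to relay to the mail host, or ("reply", text)
        when the firewall answers the client itself and drops the line."""
        if self.in_data:
            # Body lines are data, not commands; relay them until the lone "." ends the message.
            if line == ".":
                self.in_data = False
            return ("forward", line)
        verb = line.split(" ", 1)[0].upper()
        if verb in PERMITTED:
            if verb == "DATA":
                self.in_data = True
            return ("forward", line)
        # VRFY, EXPN, HELP, extensions and anything else: treated as NOOP and
        # discarded, with OK returned to the sender (assumed "250 OK" reply text).
        return ("reply", "250 OK")

def run_session(lines: List[str]) -> List[Tuple[str, str]]:
    """Apply the guard to a whole client transcript and record each decision."""
    guard = MailGuard()
    return [guard.filter_line(line) for line in lines]

# Constructed sample client session (not captured traffic).
SAMPLE_SESSION = [
    "HELO client.example.test",
    "VRFY postmaster",                   # not one of the seven: dropped, answered OK
    "MAIL FROM:<alice@example.test>",
    "RCPT TO:<bob@inside.example.test>",
    "DATA",
    "Subject: hello",                    # body: relayed even though it is not a command
    "",
    "VRFY root",                         # still body text while in DATA mode
    ".",
    "EXPN staff",                        # back in command mode: dropped, answered OK
    "QUIT",
]

if __name__ == "__main__":
    for line, (action, out) in zip(SAMPLE_SESSION, run_session(SAMPLE_SESSION)):
        print(f"{action:8} {line!r:40} -> {out!r}")
```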

mtu

Specify the MTU (maximum transmission unit) for an interface. (Configuration mode.)

mtu if_name bytes

no mtu [if_name bytes]

show mtu
Syntax Description
if_name The internal or external network interface name.
bytes The number of bytes in the MTU in the range of 64 to 65,535 bytes.
Usage Guidelines

The mtu command sets the size of data sent on a connection. Data larger than the MTU value is fragmented before being sent.

For Ethernet interfaces, the default MTU, 1,500 bytes in a block, is sufficient for most applications. For Token Ring, the default is 8,192 bytes. The minimum value for bytes is 64 and the maximum is 65,535 bytes. RFC 1191 [Mogul and Deering 1990] recommends 1,500 bytes for Ethernet, 17,914 for 16 Mbps Token Ring, and 4,464 for 4 Mbps Token Ring.

The no mtu command resets the MTU block size to 1,500 for Ethernet interfaces and 8,192 for Token Ring. The show mtu command displays the current block size. The show interface command also shows the MTU value.

Example
interface token-ring0 4mbps
interface ethernet0 auto
mtu inside 4464
show mtu
mtu outside 1500
mtu inside 4464

name / names

Associate a name with an IP address. (Configuration mode.)

name ip_address name

no name [ip_address name]

names

no names

clear names

show names
Syntax Description
ip_address The IP address of the host being named.
name The name assigned to the IP address. The maximum name length is 4,000 characters.
The total length of all strings together cannot exceed 4,000 characters. Allowable characters are a to z, A to Z, 0 to 9, - and _. The name cannot start with a number or a dot.
Usage Guidelines

Use the name command to identify a host by a text name. The names you define become like a host table local to the PIX Firewall. Because there is no connection to DNS or /etc/hosts on UNIX servers, use of this command is a mixed blessing--it makes configurations much more readable but introduces another level of abstraction to administer; not only do you have to add and delete IP addresses to your configuration as you do now, but with this command, you need to ensure that the host names either match existing names or you have a map to list the differences.

The names command enables use of the name command to map text strings to IP addresses. The clear names and no names commands are the same and disable use of the name text strings. The show names command lists the contents of the name statements in the configuration.


Note You must first use the names command before using the name command.
To disable displaying name values, use no names.

Only one name can be associated with an IP address.

The maximum name table length is 4,000 characters. (In other words, you can have one name command with a 4,000-character string, or up to 100 with shorter text strings, such as 40 characters each.)

You can have a maximum of 100 name statements in your configuration. The total length of all strings cannot exceed 4,000 characters.

Example

In the example that follows, the names command enables use of the name command. The name command substitutes pix_inside for references to 192.168.42.3, and pix_outside for 204.31.17.33. The ip address commands use these names while assigning IP addresses to the network interfaces. The no names command disables the name values from displaying. Subsequent use of the names command restores their display.

names
name 192.168.42.3 pix_inside
name 204.31.17.33 pix_outside
ip address inside pix_inside
ip address outside pix_outside
show ip address
inside ip address pix_inside mask 255.255.255.255
outside ip address pix_outside mask 255.255.255.255
no names
show ip address
inside ip address 192.168.42.3 mask 255.255.255.255
outside ip address 204.31.17.33 mask 255.255.255.255
names
show ip address
inside ip address pix_inside mask 255.255.255.255
outside ip address pix_outside mask 255.255.255.255

nameif

Name interfaces. (Configuration mode.)

nameif hardware_id if_name security_level

show nameif
Syntax Description
hardware_id The hardware name for the network interface that specifies the interface's slot location on the PIX Firewall motherboard. Interface boards are numbered from the leftmost slot nearest the power supply as slot 0. The internal network interface must be in slot 1. The lowest security_level external interface board is in slot 0 and the next lowest security_level external interface board is in slot 2.

Possible choices are ethernetn for Ethernet or token-ringn for Token Ring.
The internal interface is ethernet1.

These names can be abbreviated with any leading characters in the name; for example, ether1, e2, token0, or t0.

if_name A name for the internal or external network interface of up to 255 characters in length. This name can be uppercase or lowercase.
security_level A security level name designating how you want to protect your networks and the relationship between interfaces. Possible choices are securityn. The names can be abbreviated as secn or just sn, as in s0. Security level 100 is the highest security and is for the inside network. The outside security level is 0 for the lowest security. Perimeter interfaces can have any value between 1 and 99. Interfaces with the same security level cannot communicate directly.
Usage Guidelines

The nameif command lets you assign a name to an interface. You can use this command to assign interface names if you have more than two network interface circuit boards in your PIX Firewall or you want to assign names other than inside and outside to the respective interface boards.

The first two interfaces have the default names inside and outside. The inside interface has default security level 100, the outside interface has default security level 0. An interface is always "outside" with respect to another interface that has a higher security level. Packets cannot flow between interfaces that have the same security level.


Note Interface names can be abbreviated when specified in a command.

Refer to the current PIX Firewall release notes for information about the number of supported interfaces.
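The security-level rules above (higher to lower is outbound, lower to higher is inbound, equal levels never pass traffic directly) can be checked against a configuration before it is loaded. The following Python is an added example, not part of the PIX documentation or software: it parses nameif statements, including the securityN, secN and sN abbreviations, seeds the ethernet0/ethernet1 defaults, and classifies a flow between two named interfaces. The function names, the dictionary layout and the three result strings are this example's own choices.

```python
"""Added example (not from the PIX documentation): read nameif statements
and apply the security-level rules to classify a flow between two interfaces.
Function names and the dictionary layout are this example's own choices."""
import re

# nameif hardware_id if_name security_level, accepting the documented
# abbreviations securityN, secN and sN (case-insensitive).
NAMEIF_RE = re.compile(
    r"^\s*nameif\s+(\S+)\s+(\S+)\s+s(?:ec(?:urity)?)?(\d+)\s*$", re.IGNORECASE
)


def _hw_key(hardware_id):
    """Normalise ethernet1 / ether1 / e1 -> ('e', 1), token-ring0 / t0 -> ('t', 0)."""
    m = re.match(r"^([et])[a-z-]*(\d+)$", hardware_id.lower())
    if not m:
        raise ValueError(f"bad hardware_id: {hardware_id!r}")
    return m.group(1), int(m.group(2))


def parse_nameif(config_text):
    """Return {if_name: security_level}.

    Starts from the PIX defaults (ethernet1 = inside/100, ethernet0 = outside/0);
    a nameif statement for one of those slots replaces the default name.
    """
    hw_to_name = {("e", 1): "inside", ("e", 0): "outside"}
    levels = {"inside": 100, "outside": 0}
    for line in config_text.splitlines():
        m = NAMEIF_RE.match(line)
        if not m:
            continue
        hw, name, level = m.group(1), m.group(2).lower(), int(m.group(3))
        if not 0 <= level <= 100:
            raise ValueError(f"security level out of range: {line.strip()!r}")
        key = _hw_key(hw)
        if key in hw_to_name:               # slot renamed: drop the old name
            levels.pop(hw_to_name[key], None)
        hw_to_name[key] = name
        levels[name] = level
    return levels


def default_flow(levels, src_if, dst_if):
    """Classify a connection started on src_if toward dst_if.

    'outbound': higher -> lower security level (passes with nat/global)
    'inbound' : lower -> higher security level (needs static plus conduit)
    'blocked' : equal security levels never pass traffic directly
    """
    s, d = levels[src_if.lower()], levels[dst_if.lower()]
    if s == d:
        return "blocked"
    return "outbound" if s > d else "inbound"
```

Feeding the three-interface example from this page plus a constructed fourth interface (nameif e3 dmz2 s50) shows the equal-level case: corporate to internet is outbound, internet to dmz1 is inbound, and dmz1 to dmz2 is blocked.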

See also: interface.

Examples

The following example defines three interfaces with the interface command and assigns a name and security level to each with the nameif command:

nameif ethernet0 internet sec0
nameif ethernet1 corporate sec100
nameif ethernet2 dmz1 sec50
interface ethernet0 10baset
interface ethernet1 10baset
interface ethernet2 10baset

The following example shows use of the show nameif command:

show nameif
nameif ethernet0 internet security0
nameif ethernet1 corporate security100
nameif ethernet2 dmz1 security50

nat

Associate a network with a pool of global IP addresses. (Configuration mode.)

nat [(if_name)] nat_id local_ip [netmask [max_conns [em_limit]]] [norandomseq]

no nat [[(if_name)] nat_id local_ip [netmask [max_conns [em_limit]]]] [norandomseq]

show nat
Syntax Description
if_name The internal network interface name.
nat_id Specify 0 to indicate that no address translation be used with local_ip. All nat statements with the same nat_id are in the same nat group. You can have up to 1,000 nat groups.
local_ip Internal network IP address to be translated. You can use 0.0.0.0 to allow all hosts to start outbound connections. The 0.0.0.0 local_ip can be abbreviated as 0.
netmask Network mask for local_ip. You can use 0.0.0.0 to allow all outbound connections to translate with IP addresses from the global pool. The 0.0.0.0 netmask can be abbreviated as 0.
max_conns The maximum connections permitted. Set this value to less than or equal to your connection license. Use show conn to view the maximum number of connections for your firewall.
em_limit The embryonic connection limit. The default is 0, which means unlimited connections. The maximum is 65,535 and the minimum is 1. A rule of thumb for the limit is the maximum number of connections on your connection license minus 30%; for example, on a 64-session license, set it to at least 40. Set it lower for slower systems, higher for faster systems.
norandomseq Do not randomize the TCP/IP packet's sequence number. Only use this option if another inline firewall is also randomizing sequence numbers and the result is scrambling the data. Use of this option opens a security hole in the PIX Firewall: predictable initial sequence numbers make it easier for an attacker to spoof or hijack TCP connections through the firewall.
Usage Guidelines

The nat command lets you enable or disable address translation for one or more internal addresses. Address translation means that when a host starts an outbound connection, the IP addresses in the internal network are translated into global addresses. Address translation lets your network have any IP addressing scheme and the firewall protects these addresses from visibility on the external network. You can have up to 1,000 nat groups.

You can use the no nat command to remove a nat statement and you can use the show nat command to view nat statements in the current configuration.

You can disable address translation with the nat 0 command. Use this when you have IP addresses that are the same as those used on the external network and you want these addresses to be used for outbound and inbound connections. Adaptive Security remains in effect with nat 0.

The connection limit lets you set the maximum number of outbound connections that can be started with the IP address criteria you specify. The embryonic connection limit lets you prevent a type of attack (a SYN flood) in which connections are started but never completed. An embryonic connection is a connection that someone attempted but has not completed and that has not yet seen data. Every connection is embryonic until it sets up.


Note To specify a connection limit or embryonic limit, you must specify a netmask value.

nat 1 0 means that all outbound connections can pass through the PIX Firewall with address translation.

nat 1 1.2.3.0 means that only outbound connections originating from inside host 1.2.3.0 can pass through the firewall to go to their destinations with address translation.

nat 0 0 means let all inside IP addresses appear on the outside network without translation. They will still be protected by Adaptive Security, just not translated.


Note When using nat 0, if you want the addresses to be visible from the outside network, use static and conduit first as shown in the example in the "Identity Example" section.

Note When using nat 0, the IP addresses on the internal network need to be on a different subnet than the addresses on the external network. You can change the subnet of an IP address with the subnet mask, by subdividing the last octet into a subnet portion and a host portion to determine what the subnet mask will be. Select a subnet field size that yields enough subnetworks. For example, using a 5-bit subnet field yields 32 subnets (30 if the all-zeros and all-ones subnets are excluded); the remaining bits in the last octet are used for the host field.

nat 0 1.2.3.0 means let those IP addresses in the 1.2.3.0 net appear on the outside without translation. All other hosts are translated depending on how their nat statements appear in the configuration.

See also: global, outbound, apply.

Example

  1. nat (inside) 1 10.0.0.0 255.0.0.0

  2. nat (inside) 3 3.3.3.0 255.255.255.0

  3. global (outside) 1 204.31.17.25-204.31.17.27

  4. global (outside) 1 204.31.17.28

  5. global (outside) 3 204.31.18.1-204.31.18.254

  6. outbound 11 deny 3.3.3.3 255.255.255.255 1720

  7. outbound 10 deny 0.0.0.0 0.0.0.0 80

  8. outbound 10 deny 3.3.3.3 255.255.255.255 java

  9. outbound 11 permit 10.1.1.11 255.255.255.255 80

  10. apply (inside) 10 outgoing_src

  11. apply (inside) 11 outgoing_src

Lines 1 and 2 specify which internal network hosts can start outbound connections and whose addresses are translated between the internal and external network.

Lines 3 to 5 create pools of global addresses. Line 4 creates a port address translation (PAT) address that permits up to 64,000 hosts to share this single IP address.

Lines 6 to 9 create access lists that determine which hosts can access which services. Line 6 denies host 3.3.3.3 access to H.323 (port 1720) services such as MS NetMeeting or InternetPhone. Line 7 denies all hosts access to the web (port 80). Line 8 lets host 3.3.3.3 use the web, but denies its users from downloading Java applets.

Line 9 permits host 10.1.1.11 access to the web and to download Java applets. This permit statement outweighs the previous deny regardless of the order in which the statements are entered into the configuration.

Lines 10 and 11 specify that the access lists in lines 6 to 9 pertain to connections started on the inside network to access outside services.
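The nat and global statements in lines 1 to 5 form a lookup table: an inside address is matched against the nat statements, the nat_id selects a global pool, and a single global address is PAT while a range is a pool. The following Python is an added example, not part of the PIX documentation or software, that parses such statements and reports how a given inside address would be handled. It applies two rules stated on this page (an omitted netmask means a single host, except that local_ip 0 means every host; em_limit must be 0 or 1 to 65,535) and one assumption of its own: when several nat statements match, the most specific netmask wins. The page only says hosts are handled according to how their nat statements appear, so that tie-break, the function names and the result tuples are this example's choices. The nat 0 line in the embedded configuration is constructed to exercise identity translation; the other lines are this page's example.

```python
"""Added example (not from the PIX documentation): parse nat and global
statements and report how an inside address is handled. Function names,
result tuples and the most-specific-match tie-break are this example's own."""
import ipaddress
import re

NAT_RE = re.compile(
    r"^\s*nat\s+(?:\((\w+)\)\s+)?(\d+)\s+(\d[\d.]*)"      # [(if_name)] nat_id local_ip
    r"(?:\s+(\d[\d.]*))?(?:\s+(\d+))?(?:\s+(\d+))?"       # [netmask [max_conns [em_limit]]]
    r"(?:\s+(norandomseq))?\s*$"
)
GLOBAL_RE = re.compile(r"^\s*global\s+(?:\((\w+)\)\s+)?(\d+)\s+(\S+)\s*$")

# This page's nat/global example plus one constructed nat 0 line.
EXAMPLE_CONFIG = """nat (inside) 1 10.0.0.0 255.0.0.0
nat (inside) 3 3.3.3.0 255.255.255.0
nat (inside) 0 10.99.0.0 255.255.0.0
global (outside) 1 204.31.17.25-204.31.17.27
global (outside) 1 204.31.17.28
global (outside) 3 204.31.18.1-204.31.18.254
"""


def _addr(token):
    return ipaddress.IPv4Address("0.0.0.0" if token == "0" else token)


def parse_translation(config_text):
    """Return (nat_statements, global_pools) from a configuration excerpt."""
    nats, pools = [], {}
    for line in config_text.splitlines():
        m = NAT_RE.match(line)
        if m:
            if_name, nat_id, local, mask, max_conns, em_limit, norandom = m.groups()
            # Per the page: 'nat 1 0' means every host and 'nat 1 1.2.3.0' means
            # that single host, so an omitted mask is 0.0.0.0 only for local_ip 0.
            if mask is None:
                mask = "0.0.0.0" if _addr(local) == _addr("0") else "255.255.255.255"
            em = int(em_limit) if em_limit else 0
            if em and not 1 <= em <= 65535:
                raise ValueError(f"em_limit out of range: {line.strip()!r}")
            nats.append({
                "if": if_name or "inside",
                "id": int(nat_id),
                "net": ipaddress.IPv4Network((str(_addr(local)), str(_addr(mask))), strict=False),
                "max_conns": int(max_conns) if max_conns else 0,
                "em_limit": em,
                "norandomseq": bool(norandom),
            })
            continue
        m = GLOBAL_RE.match(line)
        if m:
            if_name, gid, spec = m.groups()
            if "-" in spec:
                lo, hi = spec.split("-", 1)
                size = int(_addr(hi)) - int(_addr(lo)) + 1
                entry = ("pool", lo, hi, size)
            else:
                entry = ("pat", spec)          # single address: port address translation
            pools.setdefault(int(gid), []).append(entry)
    return nats, pools


def translate(nats, pools, src_ip):
    """Describe what happens to an outbound connection from src_ip."""
    ip = ipaddress.IPv4Address(src_ip)
    matches = [n for n in nats if ip in n["net"]]
    if not matches:
        return ("no-nat", None)              # host cannot start outbound connections
    best = max(matches, key=lambda n: n["net"].prefixlen)   # assumption: most specific wins
    if best["id"] == 0:
        return ("identity", str(ip))         # nat 0: passed through without translation
    if best["id"] not in pools:
        return ("error", f"nat_id {best['id']} has no global statement")
    return ("translate", best["id"], pools[best["id"]])
```

With EXAMPLE_CONFIG, 10.1.1.11 is translated from nat group 1 (a three-address pool and a PAT address), 10.99.4.4 matches both the /8 in group 1 and the constructed /16 in group 0 and, under the most-specific rule, is passed untranslated, and an address with no nat statement cannot start outbound connections at all.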

Identity Example

An example of nat 0 access is:

nat (inside) 0 0 0
static (inside, outside) 207.31.17.1 207.31.17.1
conduit (inside, outside) 207.31.17.1 ftp tcp 10.0.0.1 255.255.255.255

In this example, the firewall is configured to allow one inside host, 207.31.17.1, to be reached by a single outside host for FTP access. The nat 0 0 command passes inside addresses to the outside without translation. The static command identifies the inside IP address as being visible on the outside of the firewall. The conduit command lets outside host 10.0.0.1 access the inside host via FTP.

outbound

Create an access list for controlling Internet use. (Configuration mode.)

outbound num permit|deny ip_address [netmask [java|port[-port]]] [protocol]

outbound num except ip_address [netmask [java|port[-port]]] [protocol]

clear outbound [num permit|deny ip_address [netmask [java|port[-port]]] [protocol]]

clear outbound [num except ip_address [netmask [java|port[-port]]] [protocol]]

no outbound [num permit|deny ip_address [netmask [java|port[-port]]] [protocol]]

no outbound [num except ip_address [netmask [java|port[-port]]] [protocol]]

show outbound
Syntax Description
num A tag number for the access list. The number you use must be the same for the apply command. This value must be a positive number.
permit Allow the access list to access the specified IP address and port.
deny Deny the access list access to the specified IP address and port.
except Create an exception to a previous outbound command.
ip_address The IP address for this access list entry.
netmask The network mask for comparing with the IP address; 255.255.255.0 causes the access list to apply to an entire Class C address. 0.0.0.0 indicates all access. The 0.0.0.0 netmask can be abbreviated as 0.
port A port or range of ports to which the access list permits or denies access. You cannot use the udp, tcp, or esp literals in the port range. Permitted literal names are: dns, ftp, h323, http, ident, nntp, ntp, pop2, pop3, rpc, smtp, snmp, snmptrap, sqlnet, telnet, and tftp. Note that you can specify literals in port ranges; for example, ftp-h323.
java The java keyword indicates port 80 and when used with deny, means that the firewall blocks Java applets from being downloaded from ip_address (depending on use of the apply command). Java applets are permitted by default and do not have to be explicitly permitted.
protocol Limit outbound access to udp, tcp, or esp ports.
Usage Guidelines

The outbound command creates an access list that lets you specify whether inside hosts can start outbound connections, which services they can use, which outside servers they can reach, and whether Java applets can be downloaded (see the examples at the end of this section).

The use of an outbound command requires use of the apply command. The apply command lets you specify whether the access control list applies to inside users' ability to start outbound connections with apply command's outgoing_src option, or whether the access list applies to inside users' ability to access servers on the outside network with the apply command's outgoing_dest option.

Use the no outbound commands to remove the respective outbound statement from the configuration.


Note The Java applet blocking feature removes applets that come in on the HTTP port. The PIX Firewall removes applets containing a Java signature anywhere in the message, but does not remove applets encapsulated in some archive files. Legitimate, non-Java files with Java signatures are also blocked.

If no outbound commands are specified, the default behavior is to permit all outbound traffic and services from inside hosts.

The except option replaces the deny or permit options and lets you create an exception to the outbound command in your configuration that sets up a blanket definition for denying or permitting access.

Do not use the deny, permit, and except options together in the same outbound list. The implied permit of the default mode counts as a permit; it is written out explicitly in the following example for clarity.

The following example demonstrates what NOT to do:

outbound 1 permit 0 0
outbound 1 deny 10.0.0.2 255.255.255.255 23
outbound 1 except 10.0.0.42 255.255.255.255 23
apply (inside) 1 outgoing_src

This set of statements uses the default of permitting all internal hosts to start outbound connections. Because the except option reverses the previous deny, 10.0.0.2 is given Telnet access, and only 10.0.0.42 is actually denied outbound Telnet access.

Do not specify more than one outbound statement for the same outbound list because each additional command stays in the configuration.


Note If you permit access to port 80 (http), this also permits Java applets to be downloaded. You must have a specific deny statement to block Java applets.

The maximum number of outbound access lists is 1000.
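The rules in this section (every outbound list needs an apply and vice versa, list numbers are positive, udp/tcp/esp are not port literals, do not combine permit, deny and except in one list, at most 1000 lists) can be checked mechanically before a configuration is loaded. The following Python is an added example, not part of the PIX documentation or software; the function names and the wording of its findings are this example's own, and the embedded configuration is the "what NOT to do" example from this page.

```python
"""Added example (not from the PIX documentation): lint outbound and apply
statements against the rules given on this page. Function names and finding
texts are this example's own."""

PORT_LITERALS = {"dns", "ftp", "h323", "http", "ident", "nntp", "ntp", "pop2",
                 "pop3", "rpc", "smtp", "snmp", "snmptrap", "sqlnet", "telnet", "tftp"}
PROTOCOLS = {"udp", "tcp", "esp"}

# The page's own "what NOT to do" example.
BAD_EXAMPLE = """outbound 1 permit 0 0
outbound 1 deny 10.0.0.2 255.255.255.255 23
outbound 1 except 10.0.0.42 255.255.255.255 23
apply (inside) 1 outgoing_src
"""


def _port_ok(token):
    """Accept java, a port number, a literal, or a range such as ftp-h323."""
    if token == "java":
        return True
    parts = token.split("-")
    if len(parts) > 2:
        return False
    return all(p in PORT_LITERALS or (p.isdigit() and int(p) <= 65535) for p in parts)


def _parse_outbound(tokens):
    """tokens: num permit|deny|except ip_address [netmask [port]] [protocol]"""
    num, action, rest = int(tokens[0]), tokens[1], tokens[2:]
    proto = rest.pop() if rest and rest[-1] in PROTOCOLS else None
    if not 1 <= len(rest) <= 3:
        raise ValueError("expected ip_address [netmask [port]]")
    ip, mask, port = (rest + [None, None])[:3]
    return num, action, ip, mask, port, proto


def lint_outbound(config_text):
    """Return a list of findings (empty when the outbound/apply set is clean)."""
    lists, applied, findings = {}, set(), []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "outbound":
            try:
                num, action, ip, mask, port, proto = _parse_outbound(tokens[1:])
            except (ValueError, IndexError) as exc:
                findings.append(f"line {lineno}: {exc}")
                continue
            if num <= 0:
                findings.append(f"line {lineno}: list number must be positive")
            if action not in ("permit", "deny", "except"):
                findings.append(f"line {lineno}: unknown action {action!r}")
            if port is not None and not _port_ok(port):
                findings.append(f"line {lineno}: bad port {port!r} (udp/tcp/esp are not port literals)")
            lists.setdefault(num, []).append(action)
        elif tokens[0] == "apply" and len(tokens) == 4 and tokens[2].isdigit():
            applied.add(int(tokens[2]))
    for num, actions in sorted(lists.items()):
        if num not in applied:
            findings.append(f"outbound list {num} is never applied")
        if {"permit", "deny", "except"} <= set(actions):
            findings.append(f"outbound list {num} mixes permit, deny and except")
    for num in sorted(applied - set(lists)):
        findings.append(f"apply references outbound list {num}, which does not exist")
    if len(lists) > 1000:
        findings.append("more than 1000 outbound lists")
    return findings
```

Run over BAD_EXAMPLE the linter reports the permit/deny/except mix; run over lines 6 to 11 of the nat example earlier on this page (lists 10 and 11, each applied) it reports nothing.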

See also: apply.

Examples
Controlling Outbound Connections

The following example prevents all inside hosts from starting outbound connections:

outbound 1 deny 0 0 0
apply (inside) 1 outgoing_src

The 0 0 0 at the end of the command means all IP addresses (0 is the same as 0.0.0.0), with a 0.0.0.0 subnet mask and for all services (port value is zero).

Conversely, the following example permits all inside hosts to start connections to the outside (this is the default if an access list is not created):

outbound 1 permit 0 0 0
apply (inside) 1 outgoing_src
Controlling Inside Hosts' Access to Outbound Services

The following example prevents inside host 192.168.1.49 from accessing the World Wide Web (port 80):

outbound 11 deny 192.168.1.49 255.255.255.255 80
apply (inside) 11 outgoing_src
Controlling Inside Hosts' Access to Outside Servers

If your employees are spending too much time examining GIF images on a particular site with two web servers, you can use the following example to restrict this access:

outbound 12 deny 192.168.146.201 255.255.255.255 80
outbound 12 deny 192.168.146.202 255.255.255.255 80
apply (outside) 12 outgoing_dest
Preventing Use of Java Applets

The following example prevents all inside users from executing Java applets on the inside network:

outbound 1 deny 0 0 java
apply (inside) 1 outgoing_src

pager

Enable or disable screen paging. (Privileged mode.)

pager [lines lines]

no pager

show pager
Syntax Description
lines The number of lines before the More prompt appears. The minimum is 1.
Usage Guidelines

The pager lines command lets you specify the number of lines in a page before the More prompt appears. The pager command enables display paging, and no pager disables paging and lets output display completely without interruption. If you set pager lines to some value and want to revert back to the default, enter the pager command without options.

The show pager command displays pager status.

When paging is enabled, the following prompt appears:

<--- More --->

The More prompt accepts keys similar to those of the UNIX more command. To return to the command line, press the q key.

Example
pixfirewall5# pager lines 2
pixfirewall6# ping inside 10.0.0.42
        10.0.0.42 NO response received -- 1010ms
        10.0.0.42 NO response received -- 1000ms
<--- More --->

passwd

Set password for Telnet and HTTP access to the firewall console. (Privileged mode.)

passwd password

show passwd
Syntax Description
password A case-sensitive password of up to 15 alphanumeric characters.
Usage Guidelines

The passwd command sets a password for Telnet and HTTP (HTML, Web) access to the firewall console. An empty password is also changed into an encrypted string. The default configuration contains plain text passwords, which you can see with show config. However, any use of a write command displays or writes the passwords in encrypted form. Once passwords are encrypted, they are not reversible back to plain text.

For this reason, always keep a floppy disk with the plain text password available to boot from in the event the encrypted version is forgotten.

If you downgrade your system to version 3, you must use the encrypted form of the password.


Note Write down the new password and store it in a manner consistent with your site's security policy. Once you change this password, you cannot view it again.

See also: enable password.

Example
passwd watag00s1am
show passwd
passwd 2KFQnbNIdI,2KYOU encrypted

ping

Determine if other IP addresses are visible from the PIX Firewall. (Privileged mode.)

ping if_name ip_address
Syntax Description
if_name The internal or external network interface name. The address of the specified interface is used as the source address of the ping.
ip_address The IP address of a host on the inside or outside networks.
Usage Guidelines

The ping command determines if the PIX Firewall has connectivity or if a host is available on the network. The command output shows if the response was received; that is, that the host exists on the network. If the host is not responding, ping displays "no response received." Use show interface to ensure that the PIX Firewall is connected to the network and has connectivity.


Note You cannot ping the PIX Firewall's interface addresses or any global address you specify with the global, static, or mailhost commands.

If you are pinging from a host on the internal or external networks, use the debug trace on command to view the status of packets moving through the firewall.
Example

The ping command makes three attempts to reach an IP address:

ping inside 192.168.42.54
        192.168.42.54 response received -- 1000ms
        192.168.42.54 response received -- 1010ms
        192.168.42.54 response received -- 1040ms

radius-server host

Specify a RADIUS server. (Privileged mode.)

radius-server host local_ip key

clear radius-server [[local_ip] [key]]

no radius-server [[local_ip] [key]]

show radius-server
Syntax Description
local_ip The internal IP address of a RADIUS authentication server. Requests are sent to this address from the internal interface.
key A case-sensitive alphanumeric keyword of up to 127 characters, defined by what the authentication server accepts. This is the shared secret between the client and server; it authenticates the RADIUS messages exchanged between them and hides the user password they carry, so it must be the same on both the client and server systems. Spaces are not permitted in the key, but other special characters are.
Usage Guidelines

Specify a RADIUS (Remote Authentication Dial-In User Service) server. Use show radius-server to view the information. Up to 256 TACACS+ and RADIUS servers are permitted. Servers are used in the order entered in the configuration. If the server is off-line or fails, the next server is checked. This continues until a working server is found. Use no radius-server to disable access to a host.

Without arguments, the clear radius-server command removes access to all RADIUS servers.

RADIUS can be used to authenticate connections but not authorize access to services.

Example
radius-server host 192.168.42.42 whatakey!@#$%^&*
show radius-server
radius-server host 192.168.42.42 whatakey!@#$%^&*

reload

Reboot and reload the configuration. (Privileged mode.)

reload
Usage Guidelines

The reload command reboots the PIX Firewall and reloads the configuration from a bootable floppy disk or, if a floppy disk is not present, from flash memory.


Note You are prompted for confirmation before starting with "Proceed with reload?". Any response other than n causes the reboot to occur.

If a bootable floppy disk is in the PIX Firewall, during installation, you will be prompted to enter an activation key.
Example
reload
Proceed with reload?  [confirm] y

Rebooting...

rip

Change RIP settings. (Configuration mode.)

rip if_name default|passive

no rip [if_name default|passive]

show rip if_name
Syntax Description
if_name The internal or external network interface name.
default Cause the PIX Firewall to broadcast a default route on the inside network.
passive Enable passive RIP on either the inside or outside interface. The PIX Firewall listens for RIP routing broadcasts and uses that information to populate its routing tables.
Usage Guidelines

The rip passive command enables IP routing table updates from received RIP (Routing Information Protocol) broadcasts. Use show rip to display the current RIP settings. Use no rip to disable the PIX Firewall IP routing table updates. The default is to enable IP routing table updates.

Examples
show rip
rip outside passive
no rip outside default
rip inside passive
no rip inside default
rip inside default 
show rip
rip outside passive
no rip outside default
rip inside passive
rip inside default

route

Enter a static route for the specified interface. (Configuration mode.)

route if_name ip_address netmask gateway_ip [metric]

clear route [if_name ip_address [netmask gateway_ip]]

no route [if_name ip_address [netmask gateway_ip]]

show route
Syntax Description
if_name The internal or external network interface name.
ip_address The internal or external network IP address. Use 0.0.0.0 to specify a default route. The 0.0.0.0 IP address can be abbreviated as 0.
netmask Specify a network mask to apply to ip_address. Use 0.0.0.0 to specify a default route. The 0.0.0.0 netmask can be abbreviated as 0.
gateway_ip Specify the IP address of the gateway router (the next hop address for this route).
metric Specify the number of hops to gateway_ip. If you are not sure, enter 1. Your network administrator can supply this information or you can use a traceroute command to obtain the number of hops. The default is 1 if a metric is not specified.
Usage Guidelines

Use the route command to enter static routes for an interface. To enter a default route, set ip_address and netmask to 0.0.0.0. All routes entered using the route command are stored in the configuration when it is saved. Refer to the write command for more information about saving the configuration.

Example
route inside 192.168.42.0 255.255.255.0 192.168.88.1 
route outside 0 0 10.10.1.1 1


session

Access an embedded AccessPro router console. (Privileged mode.)

session enable

no session

show session
Note Only use this command if you have an AccessPro router installed in your PIX Firewall.
Syntax Description
enable Enable the session command for communications with the AccessPro router.
Usage Guidelines

The session command lets you specify Cisco IOS commands on an AccessPro router console when the router is installed in your PIX Firewall. Use COM port 4 on the AccessPro router to communicate with the PIX Firewall.

Exit the router console session by entering tilde-dot (~.). Press the tilde key and when you hear a bell sound from your terminal, press the dot key.

While a router console session is occurring, the PIX Firewall disables failover because they both require the same interrupts.

Example

This example enables an AccessPro session, starts the session, and then disables it.

session enable
Session has been enabled.
session
Warning: FAILOVER has been disabled!!!
Attempting session with embedded router, use ~. to quit!

acpro> ~.
no session
Session has been disabled
session
Session is not enabled

show

View command information. (Differs by mode.)

show

show ?
Usage Guidelines

The show command without arguments or the show ? command lets you view the names of the show commands and their descriptions. Explanations for each show command are provided on the respective command page for the command itself where appropriate; for example, show arp is described on the arp command page. However, the show commands that do not have a command equivalent are shown in this section.

If the pager command is enabled, the listing pauses after each page (24 lines by default) and the following prompt appears:

<--- More --->

The More prompt accepts keys similar to those of the UNIX more command; see the pager command.

Example
show
aaa	Set Authentication and Authorization parameters

...

show blocks

Show system buffer utilization. (Privileged mode.)

show blocks
Usage Guidelines

The show blocks command lists system buffer utilization.

Example
pixfirewall# show blocks
  SIZE    MAX    LOW    CNT
     4   1600   1598   1600
    80    100     94     97
   256     80     79     80
  1550    800    791    800
 64000     16     16     16

show conn

Display connection information. (Privileged mode.)

show conn
Usage Guidelines

The show conn command displays the number of active TCP connections. Refer to the section "PIX Firewall Connection Licenses" in Chapter 1 for more information about how applications use TCP connections. You can derive the size of your connection license from show conn by adding the "in use" and "remain" values.

Example
show conn
32 in use, 32 remain, 48 most used

show hw

Display hardware identification values. (Unprivileged mode.)

show hw
Usage Guidelines

The show hw command lets you view hardware identification information.

Example
show hw
Hardware ID: 0x52c 0x1bf 19126

show memory

Show system memory utilization. (Privileged mode.)

show memory
Usage Guidelines

The show memory command displays a summary of the maximum physical memory and current free memory available to the PIX Firewall operating system. Memory in the PIX Firewall is preallocated and the amount of free memory should never change.

Example
show memory
nnnnnnnn bytes total, nnnnnnn bytes free

show processes

Display processes. (Privileged mode.)

show processes
Usage Guidelines

The show processes command displays a summary listing of running processes. Processes are lightweight threads requiring only a few instructions to switch. In the listing, PC is the program counter, SP is the stack pointer, STATE is the address of a thread queue, Runtime is the number of milliseconds that the thread has been running, SBASE is the stack base address, Stack is the current number of bytes used and the total size of the stack, and Process lists the thread's function.

Example
show processes
       PC         SP     STATE   Runtime        SBASE    Stack Process
8000139e 8024ad00  80005354        940    80249d1c    36/4096 arp_timer
...

show serial

View the PIX Firewall's serial number. (Privileged mode.)

show serial
Usage Guidelines

The show serial command displays the serial number, also known as the BIOS ID.

Example
show serial
Serial Number:  123

snmp-server

Provide SNMP event information. (Configuration mode.)

snmp-server community key

snmp-server contact text

snmp-server host local_ip

snmp-server location text

clear snmp-server [contact text]

clear snmp-server [host local_ip]

clear snmp-server [location text]

no snmp-server [contact text]

no snmp-server [host local_ip]

no snmp-server [location text]

show snmp-server
Syntax Description
community Indicate that you are entering the key value in use at the SNMP server. SNMP community strings are a shared secret between the SNMP client and server. They are effectively a password used to determine if the SNMP request is valid.
key A case-sensitive key value in use at the SNMP server. This string can be up to 32 characters in length. Spaces are not permitted. The default, if this option is not used, is public, which is the well-known default community on most SNMP agents and should be replaced with a site-specific value. Only use the key in effect at the server; do not make up a key value for the snmp-server command.
contact Indicate that you are supplying your name or that of the PIX Firewall system administrator.
location Indicate that you are specifying your PIX Firewall location.
text When used with contact, specify your name or that of the PIX Firewall system administrator. When used with location, specify your PIX Firewall location. The text is case-sensitive and can be up to 127 characters. Spaces are accepted, but multiple spaces are shortened to a single space.
host Indicate that you are specifying an IP address of a host to which SNMP traps should be sent. You can specify a maximum of 5 host IP addresses.
local_ip When used with host, the IP address of a host to which SNMP traps should be sent. You can specify a maximum of 5 host IP addresses.
Usage Guidelines

Use the snmp-server command to identify your name, location, and the host to which SNMP traps should be sent. Refer to Chapter 2, "Configuring the PIX Firewall" for more information on SNMP events. The clear snmp-server and no snmp-server commands remove the information. The show snmp-server command displays the information.

Example
snmp-server community wallawallabingbang
snmp-server location Building 42, Sector 54
snmp-server contact Sherlock Holmes
snmp-server host 10.1.2.42
show snmp
snmp-server host 10.1.2.42
snmp-server location Building 42, Sector 54
snmp-server contact Sherlock Holmes
snmp-server community wallawallabingbang

static

Map local IP address to a global IP address. (Configuration mode.)

static [(internal_if_name, external_if_name)] global_ip local_ip [max_conns [em_limit]] [options]

clear static

no static [[(internal_if_name, external_if_name)] global_ip local_ip [options]]

show static
Syntax Description
internal_if_name The internal network interface name.
external_if_name The external network interface name.
global_ip A global IP address. This address cannot be a PAT (port address translation)
IP address.
local_ip The local IP address from the inside network.
max_conns The maximum number of TCP connections allowed for this static. Use the show conn command to view how TCP connections are being used in the firewall. For more information about connections, refer to "PIX Firewall Connection Licenses" in Chapter 1.
em_limit The embryonic connection limit.
options Specify one option, or two options separated with a comma, from the following: norandomseq (do not randomize the TCP sequence number; see the nat command for the caveat on this option) and one of classa, classb, or classc (the class option, which overrides the net mask implied by the first octet of global_ip; see "Using the class Option").

For example, norandomseq,classa. (Do not put a space after the comma.)

Usage Guidelines

The static command creates a permanent mapping (called a static translation slot or "xlate") between a local IP address and a global IP address. For outbound connections, use static to specify an address in the pool of global addresses that is always used for translation between the local host and the global address. For inbound connections, use static with the conduit command to identify addresses visible on the external network. For inbound connections, do not use a global IP address created with the global command.

You can create a single mapping between the global and local hosts, or create a range of statics known as net statics.

The static command determines the network mask of network statics by the class option or by the number in the first octet of the global IP address. The class option overrides the number in the first octet. This feature lets you change the class of a global IP address; for example, you can use 192.0.0.0 as a Class A address even though its first octet indicates it is a Class C address. Refer to the "Net Statics" section for more information.

If the address is all zeros where the net mask is zero, then the address is a net address.


Note Net statics take precedence over use of the nat 1 0 0 and global command pair. This means that nat 1 0 0 only grants outbound access to hosts not specified in the net static statement.

IP Address Classes

IP address classes are defined by the first octet of the address:

Class A: first octet 1 to 126 (127 is reserved for loopback), net mask 255.0.0.0 (classa)
Class B: first octet 128 to 191, net mask 255.255.0.0 (classb)
Class C: first octet 192 to 223, net mask 255.255.255.0 (classc)

Class Resolution Examples

If the global_ip address is a net address, then the static is presumed to be a net static, and the net mask is the mask for the global_ip address. The local_ip address must follow the global_ip address; if the global address is a Class B net address, then the local_ip address must also be a net address, using a Class B net mask. For example, the following command is a net static:

	static (inside,outside) 172.16.0.0 172.8.0.0 0 0 

The global_ip is 172.16.0.0. The first octet is 172, and that makes the net mask 255.255.0.0 (a Class B net mask). When a net mask of 255.255.0.0 is applied to the local_ip address, we find that it is also a net address. It does not matter that the first octet in the local_ip is a Class B address; the only thing that counts is the value of the first octet of the global_ip.

	static (inside, outside) 172.16.0.0 10.8.0.0 0 0 

In this command, the local_ip address, 10.8.0.0, is a Class A address, but the mask is taken from the global_ip address, which is a Class B address, so the net mask is 255.255.0.0. Using that mask, 10.8.0.0 is a net address.

	static (inside,outside) 172.16.0.0 192.168.5.0 0 0 

This command is an error, and is rejected. The global address is a Class B net address. Using a Class B net mask, the local_ip is a host address, not a net address. It is irrelevant that 192.168.5.0 is a Class C address, as determined by its first octet, 192. It also does not matter that 192.168.5.0, under most conditions, would be considered a Class C network address. What matters is that the global address indicates that the static use a Class B net mask. Using that mask, 172.16.0.0 is a net address and 192.168.5.0 is a host address, and PIX Firewall disallows a static command where the global_ip is a host address and the local_ip is a net address, or vice versa.

Using the class Option

To specify a net mask different than the mask specified by the global_ip address, use the class option. This option overrides the net mask implied by the first octet of the global_ip.

For example, if you have three Class C networks, 10.0.0.0, 10.2.0.0, and 10.3.4.0, and want to create a net static for the first one only, use the following command:

	static (inside,outside) 10.0.0.0 10.0.0.0 0 0 classc 

The class option lets you permit access to some hosts in a network and deny access to others as shown in this example:

static (inside,outside) 10.0.0.0 10.0.0.0 0 0 classc 	
conduit (inside,outside) 10.0.0.0 0 tcp 0 0 	
conduit (inside,outside) 10.0.0.0 0 udp 0 0

Without the classc option, the command would build a static and a conduit for 10.n.n.n; and allow TCP access to both 10.0.0.5 and 10.2.0.3. With the classc option, the command builds a static and a conduit for 10.0.0.n. This then permits outside TCP access to 10.0.0.5, but denies access to 10.2.0.3.

The following usage rules apply:

Use show static to view static statements in the configuration.

If the global_ip and the local_ip are of the same class, static mapping is one-to-one.

If the global_ip and the local_ip are not of the same class; for example, static 172.16.32.0 10.1.0.0, then PIX Firewall maps 172.16.32.n to 10.1.x.n on a first-come, first-served basis. If both 10.1.1.2 and 10.1.2.2 want to go outbound in that order, 10.1.1.2 will use the global 172.16.32.2 to go out and 10.1.2.2 will be denied. On the other hand, if 10.1.2.2 sends a connection request ahead of 10.1.1.2, 10.1.2.2 will be able to go out using the global 172.16.32.2 and 10.1.1.2 will be denied.

PIX Firewall does not allow the global_ip class to be a smaller class than the local_ip class. That is, a Class A global_ip cannot be mapped to a Class C local_ip address.
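The class-resolution procedure described above, modelled in Python as an added example (this is not PIX code): the mask comes from the class option, or else from the first octet of global_ip, and both addresses must then be net addresses or both host addresses. The net-static expansion follows the classc case the page documents and applies the same arithmetic to the other classes.

```python
import ipaddress
from typing import Dict, Iterator, Optional, Tuple

# Prefix length each class option selects (classa = 255.0.0.0, and so on).
CLASS_PREFIX = {"classa": 8, "classb": 16, "classc": 24}


def implied_class(ip: str) -> str:
    """Class implied by the first octet of an address."""
    first = int(ip.split(".")[0])
    if first < 128:
        return "classa"
    if first < 192:
        return "classb"
    return "classc"


def is_net_address(ip: str, prefix: int) -> bool:
    """A net address has all-zero host bits under the chosen mask."""
    host_bits = (1 << (32 - prefix)) - 1
    return int(ipaddress.IPv4Address(ip)) & host_bits == 0


def resolve_static(global_ip: str, local_ip: str,
                   class_opt: Optional[str] = None) -> Dict[str, str]:
    """Decide what `static (inside,outside) global_ip local_ip ... [class]` builds.

    The mask comes from the class option if given, otherwise from the first
    octet of global_ip; the local_ip's own class never matters. Both addresses
    must then be net addresses (net static) or both host addresses (one-to-one
    static); a mismatch is the error the page says PIX rejects.
    """
    cls = class_opt or implied_class(global_ip)
    if cls not in CLASS_PREFIX:
        raise ValueError(f"unknown class option {class_opt!r}")
    prefix = CLASS_PREFIX[cls]
    mask = str(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask)
    g_net = is_net_address(global_ip, prefix)
    l_net = is_net_address(local_ip, prefix)
    if g_net != l_net:
        raise ValueError(
            f"{global_ip} is a {'net' if g_net else 'host'} address but "
            f"{local_ip} is a {'net' if l_net else 'host'} address under {mask}")
    return {"kind": "net static" if g_net else "host static",
            "class": cls, "mask": mask}


def is_valid_static(global_ip: str, local_ip: str,
                    class_opt: Optional[str] = None) -> bool:
    """True when PIX would accept the static, False when it would reject it."""
    try:
        resolve_static(global_ip, local_ip, class_opt)
        return True
    except ValueError:
        return False


def net_static_mappings(global_ip: str, local_ip: str,
                        prefix: int) -> Iterator[Tuple[str, str]]:
    """Yield the one-to-one pairs a net static expands to, host IDs 1..last.

    For classc that is 204.31.17.1 <-> 10.1.1.1 up to .254 <-> .254, as the
    page shows; the same arithmetic is applied to the other classes here.
    """
    g_base = int(ipaddress.IPv4Address(global_ip))
    l_base = int(ipaddress.IPv4Address(local_ip))
    last_host = (1 << (32 - prefix)) - 2
    for host in range(1, last_host + 1):
        yield (str(ipaddress.IPv4Address(g_base + host)),
               str(ipaddress.IPv4Address(l_base + host)))


if __name__ == "__main__":
    # The three worked commands from the page, then the classc override.
    for g, l, c in [("172.16.0.0", "172.8.0.0", None),
                    ("172.16.0.0", "10.8.0.0", None),
                    ("172.16.0.0", "192.168.5.0", None),
                    ("10.0.0.0", "10.0.0.0", "classc")]:
        try:
            print(g, l, c or "", "->", resolve_static(g, l, c))
        except ValueError as err:
            print(g, l, c or "", "-> rejected:", err)
    pairs = list(net_static_mappings("204.31.17.0", "10.1.1.0", 24))
    print(len(pairs), "mappings, first", pairs[0], "last", pairs[-1])
```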

Net Statics

You can also create net statics that permit up to 254 statics to be created simultaneously. If both the global_ip and local_ip are network addresses (the host ID is 0), net statics are created for the full number of IP addresses available in the class. Each address is mapped one-to-one between the global and local addresses.

The class option overrides the number in the first octet. This feature lets you change the class of a global IP address; for example, you can use 192.0.0.0 as a Class A address even though its first octet indicates it is a Class C address.

The following restrictions apply to use of the static command:

An example net static is:

static (inside, outside) 204.31.17.0 10.1.1.0 classc

This statement creates statics that map 204.31.17.1 to 10.1.1.1, 204.31.17.2 to 10.1.1.2, and so on up to the last value for the class type, in this case, 204.31.17.254 to 10.1.1.254.


Note For net statics, the addresses in the range must only be used for static mappings. They cannot also be used for a network interface or a default route.

Do not create a global pool for a net static.

The maximum number of net statics that can be created is 16,384.
Regular Statics

An embryonic connection is a connection that someone attempted but that has not completed and has not yet carried data. Every connection is embryonic until it sets up. If you omit the value, the default is 0, which means unlimited connections; however, 0 cannot be specified explicitly.

The maximum is 65,535 and the minimum is 1. A rule of thumb for the limit is the maximum number of connections on your connection license minus 30%; for example, on a 64-session license, set it to at least 40. Set it lower for slower systems, higher for faster systems.

The max_conns option permits access to the service for only the number of users (connections). The max_conns value applies to BOTH inbound and outbound connections so if it is set to 30 and 30 SYN flooders come in, the service itself cannot go out.

Use the static command before the conduit command.

Use the mailhost command to specify a static for an SMTP server. The mailhost command is a type of static with special features to prevent attacks from the outside.

See also: conduit.

Example

The example that follows creates a net static and then permits users to call in through H.323 using Intel InternetPhone or MS NetMeeting to 10.1.1.222 using IP address 204.31.17.222, to 10.1.1.188 using IP address 204.31.17.188, and so on.

static (inside, outside) 204.31.17.0 10.1.1.0 8 50
conduit (inside, outside) 204.31.17.0 h323 tcp 0 0

syslog

Enable SYSLOG message facility. (Privileged mode.)

syslog console

clear syslog console

no syslog console

syslog host local_ip

clear syslog host local_ip

no syslog host [local_ip]

syslog output facility.level

clear syslog output facility.level

no syslog output facility.level

show syslog
Syntax Description
local_ip The IP address of an internal network host that is authorized to receive SYSLOG messages.
facility Eight facilities LOCAL0(16) through LOCAL7(23); the default is LOCAL4(20). Hosts file the messages based on the facility number in the message.
level Message type; sets the level above which the PIX Firewall suppresses messages to the SYSLOG hosts. Setting the level to 3, for example, allows messages with levels 0, 1, 2, and 3 to display. The default is 3. The levels are:

  • 0 -- System unusable

  • 1 -- Take immediate action

  • 2 -- Critical condition

  • 3 -- Error message

  • 4 -- Warning message

  • 5 -- Normal but significant condition

  • 6 -- Informational

  • 7 -- Debug message

Usage Guidelines

The syslog console command displays SYSLOG messages on the console session. If you are using Telnet to access the console, the output displays in the Telnet session. Use no syslog console to stop the display.

The syslog host command lets you specify up to 16 inside network host IP addresses to which SYSLOG messages are sent. Use no syslog host to remove a host from the receiving list. Use show syslog to view the current hosts. Refer to the description of syslog output for more information on SYSLOG.


Note Use syslog host before any other syslog command.

The PIX Firewall generates SYSLOG messages for system events, such as security alerts and resource depletion. Using a UNIX syslog facility, you can specify which types of SYSLOG messages create email alerts, are stored in log files, or display on the console of a designated inside network host.

Because the PIX Firewall shares the eight facilities with other UNIX network devices, syslog output lets you choose the facility that the PIX Firewall marks on each message it sends to the SYSLOG host. Messages are sent to the SYSLOG host over UDP.

A PC WinSock version of syslogd can also receive SYSLOG events created by PIX Firewall.


Note You can specify only one syslog output command in your configuration. The PIX Firewall sends all messages to the single facility you choose. In addition, the PIX Firewall sends SYSLOG messages only to a single file on the receiving system.

Use show syslog to view the current SYSLOG hosts and previously sent messages.

Example

The following example uses syslog host to specify an inside network host to receive SYSLOG messages, starts SYSLOG with the syslog output command, enables the console to receive SYSLOG messages, and then shows the current SYSLOG status:

syslog host 192.168.0.99
syslog out 20.4
syslog console
show syslog
    OUTPUT ON (20.4)
    CONSOLE ON
<162> 104001 Secondary: Switching to ACTIVE.
<162> 101003 Secondary: Cable not connected my side.
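As an added example (not PIX code), the following Python decodes the <PRI> prefix on the lines shown above and applies the syslog output facility.level rule: the &lt;162&gt; in the example is facility 20 (LOCAL4) times 8 plus level 2 (critical condition), using the standard BSD syslog packing. The 000000 message numbers in the constructed sample lines are placeholders, not real PIX message ids.

```python
import re
from typing import Dict, List, Optional, Tuple

# Facilities the page lists: LOCAL0(16) through LOCAL7(23); the PIX default is LOCAL4(20).
FACILITIES = {16 + n: f"LOCAL{n}" for n in range(8)}
# Level names from the syntax description, index 0 = most severe.
LEVELS = ["System unusable", "Take immediate action", "Critical condition",
          "Error message", "Warning message", "Normal but significant condition",
          "Informational", "Debug message"]

# <PRI>, then the six-digit PIX message number, then the message text.
PIX_LINE = re.compile(r"^<(\d{1,3})>\s*(\d{6})\s+(.*)$")


def parse_output_setting(setting: str) -> Tuple[int, int]:
    """Validate a `syslog output facility.level` value such as '20.4'."""
    fac_s, dot, lvl_s = setting.partition(".")
    if not dot or not fac_s.isdigit() or not lvl_s.isdigit():
        raise ValueError(f"expected facility.level, got {setting!r}")
    facility, level = int(fac_s), int(lvl_s)
    if facility not in FACILITIES:
        raise ValueError(f"facility must be 16..23 (LOCAL0..LOCAL7), got {facility}")
    if not 0 <= level <= 7:
        raise ValueError(f"level must be 0..7, got {level}")
    return facility, level


def decode_pri(pri: int) -> Tuple[int, int]:
    """BSD syslog packs the priority as facility * 8 + level; undo that."""
    return divmod(pri, 8)


def parse_pix_syslog(line: str) -> Optional[Dict]:
    """Split one PIX SYSLOG line into facility, level, message id and text."""
    m = PIX_LINE.match(line)
    if not m:
        return None
    facility, level = decode_pri(int(m.group(1)))
    return {"facility": facility,
            "facility_name": FACILITIES.get(facility, f"facility {facility}"),
            "level": level, "level_name": LEVELS[level],
            "msg_id": m.group(2), "text": m.group(3)}


def passes_setting(msg: Dict, setting: str) -> bool:
    """Apply `syslog output facility.level` to a parsed message.

    PIX marks every message with the configured facility (so the receiving
    host files it accordingly) and suppresses anything with a level above
    the configured one; level 3 therefore admits levels 0, 1, 2 and 3 only.
    """
    facility, level = parse_output_setting(setting)
    return msg["facility"] == facility and msg["level"] <= level


def filter_lines(lines: List[str], setting: str) -> List[Dict]:
    """Parse a batch of lines and keep those the setting admits."""
    kept = []
    for line in lines:
        msg = parse_pix_syslog(line)
        if msg is not None and passes_setting(msg, setting):
            kept.append(msg)
    return kept


# The two lines from the page's example plus constructed lines for the filter;
# the 000000 message numbers are placeholders, not real PIX message ids.
SAMPLE_LINES = [
    "<162> 104001 Secondary: Switching to ACTIVE.",
    "<162> 101003 Secondary: Cable not connected my side.",
    "<163> 000000 constructed error-level message",
    "<166> 000000 constructed informational message",
    "Jan  1 00:00:00 host sshd[1]: constructed non-PIX line",
]

if __name__ == "__main__":
    # With `syslog output 20.4` the informational line (level 6) is suppressed.
    for msg in filter_lines(SAMPLE_LINES, "20.4"):
        print(msg["facility_name"], msg["level"], msg["level_name"],
              msg["msg_id"], msg["text"])
```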

tacacs-server host

Specify a TACACS+ server. (Privileged mode.)

tacacs-server host local_ip [key]

clear tacacs-server host [[local_ip] [key]]

no tacacs-server host [[local_ip] [key]]

show tacacs-server
Syntax Description
local_ip The internal IP address of a TACACS+ authentication server. The IP address is used as the source address of the TACACS+ request, and the request is transmitted on the internal interface.
key A case-sensitive alphanumeric keyword of up to 127 characters that is the same as on the TACACS+ server. This is a key between the client and server for encrypting data between them. The key must be the same on both the client and server systems. Spaces are not permitted in the key, but other special characters are.
Usage Guidelines

Specify a TACACS+ (Terminal Access Controller Access Control System) server. Use show tacacs-server to examine the information. Up to 256 TACACS+ and RADIUS servers are permitted. Servers are used in the order entered in the configuration. If the server is off-line or fails, the next server is checked. This continues until a working server is found.


Note The key parameter is optional. If you do not specify a key, communications with the TACACS+ server are not encrypted.
Example
tacacs-server host 192.168.42.42 whatakey!@#$%^&*
show tacacs-server
tacacs-server host 192.168.42.42 whatakey!@#$%^&*

telnet

Allow an inside IP address access to the PIX Firewall console over Telnet. (Privileged mode.)

telnet local_ip [netmask]

clear telnet [local_ip [netmask]]

no telnet [local_ip [netmask]]

show telnet
Syntax Description
local_ip The internal IP address or network of a host that is authorized to access the PIX Firewall Telnet console interface.
netmask Bit mask of local_ip. To limit access to a single IP address, use 255 in each octet; for example, 255.255.255.255. If you do not specify netmask, it defaults to 255.255.255.255 regardless of the class of local_ip.

Note: This is NOT the subnet mask of the internal network. It is only a bit mask for the IP address in local_ip.

Usage Guidelines

The telnet command lets you decide who can access the PIX Firewall with Telnet. Up to 16 hosts or networks are allowed access to the PIX Firewall console with Telnet, 5 simultaneously. The show telnet command displays the current list of IP addresses authorized to access the PIX Firewall. Use no telnet or clear telnet to remove Telnet access from a previously set IP address. Use the who command to view which IP addresses are currently accessing the firewall. Use the kill command to terminate an active Telnet console session.


Note The default password for Telnet access is cisco.

With Telnet, you can configure the PIX Firewall from the inside network or over Private Link.

To use Telnet to access the console, the following is required:

See also: passwd, who.

Examples
telnet 192.168.1.3 255.255.255.255 
telnet 192.168.1.4 255.255.255.255
telnet 192.168.2.0 255.255.255.0
show telnet
          192.168.1.3 255.255.255.255
          192.168.1.4 255.255.255.255
          192.168.2.0 255.255.255.0
no telnet 192.168.1.3
show telnet
          192.168.1.4 255.255.255.255
          192.168.2.0 255.255.255.0

tftp-server

Specify the IP address of the TFTP configuration server. (Configuration mode.)

tftp-server local_ip path

no tftp-server [local_ip path]

show tftp-server
Syntax Description
local_ip The internal IP address or network of the TFTP server.
path The path and filename of the configuration file. The format for path differs by the type of operating system on the server. The contents of path are passed directly to the server without interpretation or checking.
Usage Guidelines

The tftp-server command lets you specify the IP address of a server that you use to propagate PIX Firewall configuration files to your firewalls. Use tftp-server with the configure net command to read from the configuration or with the write net command to store the configuration in the file you specify.

The contents of the path name you specify in tftp-server are appended to the end of the IP address you specify in the configure net and write net commands. The more of a file and path name specification you provide with the tftp-server command, the less you need to do with the configure net and write net commands. If you specify the full path and filename in tftp-server, the IP address in configure net and write net can be represented with a colon ( : ).

The no tftp-server command disables access to the server. The show tftp-server command lists the tftp-server statements in the current configuration.

Example

The following example specifies a TFTP server and then reads the configuration from /pixfirewall/config/test_config:

tftp-server 10.1.1.42 /pixfirewall/config/test_config
...
configure :

timeout

Set the maximum idle time duration. (Configuration mode.)

timeout [xlate [hh:mm:ss]] [conn [hh:mm:ss]] [udp [hh:mm:ss]] [rpc [hh:mm:ss]] [h323 [hh:mm:ss]] [uauth [hh:mm:ss]]

show timeout
Syntax Description
conn hh:mm:ss Idle time until a connection slot is freed (default value is 12 hours). Use 0:0:0 for the time value to never time out a connection. This duration must be at least 5 minutes.
h323 hh:mm:ss Duration for H323 (InternetPhone) inactivity timer. When this time elapses, the port used by the H323 service closes. This duration must be at least 5 minutes.
rpc hh:mm:ss Idle time until an RPC slot is freed. This duration must be at least 1 minute.
uauth hh:mm:ss Duration before authentication and authorization cache times out and user has to reauthenticate next connection. This duration must be longer than the xlate value and longer than 2 minutes. Set to 0 to disable caching.
udp hh:mm:ss Idle time until a UDP slot is freed. This duration must be at least 1 minute.
xlate hh:mm:ss Idle time until a translation slot is freed (default value is 24 hours). This duration must be at least 5 minutes.
Usage Guidelines

The timeout command sets the idle time for connection, translation, UDP, RPC, and H323 slots. If the slot has not been used for the idle time specified, the resource is returned to the free pool. The minimum idle time for xlate is 5 minutes. TCP connection slots are freed within 30 seconds after a normal connection close sequence.

Use show timeout to display the current timeout settings.

See also: show xlate, uauth.


Note RPC and NFS are very insecure protocols and should be used with caution.
Examples
show timeout
timeout xlate 24:00:00 conn 12:00:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00 uauth 0:05:00
timeout xlate 5:0:0
timeout conn 0:0:0
timeout xlate 5:00:00 conn 0:00:00 udp 0:02:00 
timeout rpc 0:10:00 h323 0:05:00 uauth 0:05:00
timeout xlate 0:10:0 conn 0:5:0
show timeout
timeout xlate 0:10:00 conn 0:05:00 udp 0:02:00 
timeout rpc 0:10:00 h323 0:05:00 uauth 0:05:00
timeout xlate 0:0:12345
show timeout
timeout xlate 3:25:45 conn 0:05:00 udp 0:02:00 
timeout rpc 0:10:00 h323 0:05:00 uauth 0:05:00

uauth (clear and show)

Delete all authorization caches for a user. (Privileged mode).

clear uauth

show uauth
Usage Guidelines

The clear uauth command deletes all users' authorization caches, which forces all authorized users to have to reauthenticate the next time they create a connection. The show uauth command displays all currently authenticated users, the host IP to which they are bound, and, if applicable, any cached IP and port authorization information.

Each user host's IP address has an authorization cache attached to it. If the user attempts to access a service that has been cached from the correct host, the firewall considers it preauthorized and immediately unproxies the connection. This means that once you are authorized to access a web site, for example, the authorization server is not contacted for each of the images as they are loaded (assuming they come from the same IP address). This significantly increases performance and reduces load on the authorization server.

The cache allows up to 16 address and service pairs for each user host.

The output from show uauth displays the user name provided to the authorization server for authentication and authorization purposes, the IP address that the user name is bound to, and whether the user is authenticated only, or has cached services.

Use the timeout uauth command to specify how long the cache should be kept after the user connections become idle. The timeout value must be at least 2 minutes. Use clear uauth to delete all authorization caches for all users, which will cause them to have to reauthenticate the next time they create a connection.

See also: aaa authorization, timeout.

Example
show uauth
user 'winifred' from 207.31.17.42 authenticated
user 'pollyhedra' from 207.31.17.54 authorized to:
                       port 192.168.67.34/telnet   192.168.67.11/http   192.168.67.33/tcp/8001
                       192.168.67.56/tcp/25   192.168.67.42/ftp
user 'oakman' from 207.31.17.207 authorized to:
                       port 262.146.153.50/http   262.71.177.69/http

In this example, user winifred has authenticated with the server but has not completed authorization. User pollyhedra has preauthorized connections to the Telnet, web (HTTP), sendmail, FTP services, and to TCP port 8001 on 192.168.67.33.

User oakman has been browsing the web and is authorized for web browsing to the two sites shown.

uptime

Display time since last reboot. (Unprivileged mode.)

uptime

show uptime
Usage Guidelines

The uptime and show uptime commands are identical and display how long the firewall has been operating since its last reboot.

Example
uptime
pixfirewall up 12 hours 24 mins

version

View the PIX Firewall version. (Unprivileged mode.)

version

show version
Usage Guidelines

The version and show version commands are identical and let you view the version of your PIX Firewall software.

Example
version
PIX Version 4.pv.nnn

where: pv is the point release version and nnn is the release number.


who

Show active Telnet administration sessions on the PIX Firewall. (Unprivileged mode.)

who [local_ip]

show who [local_ip]
Syntax Description
local_ip An optional internal IP address to limit the listing to one IP address or to a network IP address.
Usage Guidelines

The who command shows the PIX Firewall tty_id and IP address of each Telnet client currently logged into the PIX Firewall. This command is the same as the show who command.

See also: kill, telnet.

Example
who
2: From 192.168.2.2
1: From 192.168.1.3

write

Store, view, or erase the current configuration. (Privileged mode.)

write net [[server_ip]:[filename]]

write erase

write floppy

write memory

write terminal
Syntax Description
server_ip Stores current configuration at a host available across the network. If you specify the full path and filename in the tftp-server command, only specify a colon ( : ) in the write command.
filename A filename you specify to qualify the location of the configuration file on the TFTP server named in server_ip. If you set a filename with the tftp-server command, do not specify it in the write command; instead just use a colon ( : ) without a filename.

Many TFTP servers require the configuration file to be world-writable to write to it.

erase Clears the flash memory configuration.
floppy Stores current configuration on floppy disk.
memory Stores current configuration in flash memory.
terminal Displays current configuration on the terminal.
Usage Guidelines

The write net command stores the current configuration into a file on a TFTP server elsewhere in the network. If you specify both the IP address and path name in the tftp-server command, you can specify :filename as simply a colon ( : ); for example:

	write net :

Use the configure net command to get the configuration from the file.

The write erase command clears the flash memory configuration. To refresh the flash memory without erasing information, use the groom command.

The write floppy command stores the current configuration on floppy disk. The floppy disk must be DOS formatted or a PIX Firewall boot disk. The floppy disk you create can only be read or written by the PIX Firewall. If you use the write floppy command with a floppy disk that is not a PIX Firewall boot disk, do not leave the floppy in the floppy drive because it will prevent the firewall from rebooting in the event of a power failure or system reload. Only one copy of the configuration can be stored on a single floppy disk.

The write memory command saves the current running configuration to flash memory. Use configure memory to merge the current configuration with the image you saved in flash memory.


Note Only use the write memory command if a configuration has been created with IP addresses for both network interfaces.

The write terminal command displays the current configuration in the PIX Firewall's RAM memory.

You can also display the configuration stored in flash memory using the show configure command.

See also: configure, groom.

Examples

The following example specifies a configuration file on the TFTP server and then stores the configuration in this file:

tftp-server 10.1.1.2 /pixfirewall/config/new_config
write net :

The following example erases the contents of flash memory and reloads the PIX Firewall:

write erase
Erase PIX configuration in flash memory? [confirm] y
reload

The following example saves the configuration on floppy disk:

write floppy
Building configuration...
[OK]

The following example saves the configuration in flash memory:

write memory
Building configuration...
[OK]

The following example displays the configuration:

write terminal
Building configuration...
: Saved
:
...

xlate (clear and show)

View or clear translation slot information. (Privileged mode.)

clear xlate [global_ip [local_ip]]

show xlate [global_ip [local_ip]]
Syntax Description
global_ip The registered IP address to be used from the global pool.
local_ip The local IP address from the inside network.
Usage Guidelines

The clear xlate command clears the contents of the translation slots. ("xlate" means translation slot.)

The show xlate command displays the contents of the translation slots.


Note In the output of the show xlate command, if a line in the display is flush left, it describes information for a translation slot ("xlate"). If the display line is indented, it describes information in a connection slot ("conn").

Table 3-2 lists connection slot flags:


Table 3-2: Connection Slot Flags
Connection Flag Description
< Rshell back connection.
b SMTP banner.
D Connection done.
f FIN seen on inbound packet.
F FIN seen on outbound packet.
h H245 parameter negotiations.
H HTTP get.
i SMTP incomplete.
I Data in.
J Java applets are not permitted on connection.
m SMTP data.
O Data out.
q ISDN started.
Q SQL*net.
r Reclaim memory.
R Reclaim memory.
S SMTP connection.
U Connection is up.

Table 3-3 lists translation slot flags:


Table 3-3: Translation Slot Flags
Translation Flag Description
a Passive mode FTP detected on inbound connection.
A Passive mode FTP detected on outbound connection.
B Inbound-only connection.
d Marked to be dumped (cleaned up).
f Expecting IP fragment.
h HTTP connection.
i PAT ICMP echo.
I Identity connection. The identity feature is started with the nat 0 command.
n The IP packet sequence number has not been randomized. This occurs when the norandomseq option is used with the nat and the static commands.
N Netstatic xlate.
o Port-in received.
O Port-out received.
p Port-in transmitted.
P Port-out transmitted.
r Port address translation (PAT) xlate.
R Connection flag--reclaim memory.
s Static.
S SMTP connection.
v Passive mode FTP started.

See also: timeout, uauth.

Example

In the following example, line numbers are added to make interpretation of the output easier.


  1. show xlate

  2. Global 11.1.1.1 Local 10.1.1.1 static nconns 0 econns 0 flags s

  3. Global 192.150.49.105 Local 171.69.74.17 static nconns 0 econns 0 flags s

  4. TCP out 192.150.49.12:23 in 171.69.74.17:1330 idle 0:00:18 Bytes 374 flags fFrRIO

  5. UDP out 192.150.49.12:8393 in 171.69.74.17:4574 idle 0:00:30 flags -

  6. UDP out 192.150.49.12:659 in 171.69.74.17:4580 idle 0:00:00 flags -

  7. UDP out 192.150.49.12:111 in 171.69.74.17:4579 idle 0:00:00 flags -

  8. PAT Global 192.150.49.110(2049) Local 171.69.74.17 flags dr

  9. PAT Global 192.150.49.110(2051) Local 171.69.74.17 flags r

  10. TCP out 192.150.49.12:23 in 171.69.74.17:1334 idle 0:00:24 Bytes 374 flags fFrRIO

  11. PAT Global 192.150.49.110(2055) Local 171.69.74.17 flags r

  12. UDP out 192.150.49.12:659 in 171.69.74.17:4604 idle 0:01:30 flags -

  13. PAT Global 192.150.49.110(2054) Local 171.69.74.17 flags r

  14. UDP out 192.150.49.12:111 in 171.69.74.17:4603 idle 0:01:30 flags -

  15. PAT Global 192.150.49.110(2056) Local 171.69.74.17 ICMP id 27606 flags ri

Line 1 starts the display. Line 2 shows a static xlate in which no connections have been established. Line 3 shows a global xlate. Lines 4 through 7 show the connection slots for the static xlate in line 3. Line 4 shows a Telnet (port 23) connection. Line 5 shows the UDP state of a DNS query awaiting a response; 8393 is the DNS ID. Usually DNS queries get answered and closed quickly and do not appear. Lines 6 and 7 show a portmapper (111) request and the resulting mountd request (659) built from the portmapper request.

Line 8 shows a port address translation (PAT) IP connection marked to be cleaned up. Lines 9 and 10 show a PAT for a Telnet. Lines 11 through 14 show a PAT from a portmapper and mountd. Line 15 shows a PAT for an ICMP ping.

"nconns" in lines 2 and 3 is the maximum number of TCP connections allowed for this static. Use the show conn command to view how TCP connections are being used in the firewall. For more information about connections, refer to "PIX Firewall Connection Licenses" in Chapter 1.

"econns" is the embryonic connection limit.

"idle" means there is no data on the connection.
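An added example (not PIX code) that parses show xlate output using the layout rule from the Note above (flush-left lines are xlates, indented lines are the conns beneath them) and expands the flag letters through Tables 3-2 and 3-3. The sample values are taken from the example above; only their indentation is constructed.

```python
import re
from typing import Dict, List

# Flag meanings from Table 3-2 (connection slots) and Table 3-3 (translation slots).
CONN_FLAGS = {
    "<": "Rshell back connection", "b": "SMTP banner", "D": "Connection done",
    "f": "FIN seen on inbound packet", "F": "FIN seen on outbound packet",
    "h": "H245 parameter negotiations", "H": "HTTP get", "i": "SMTP incomplete",
    "I": "Data in", "J": "Java applets not permitted", "m": "SMTP data",
    "O": "Data out", "q": "ISDN started", "Q": "SQL*net", "r": "Reclaim memory",
    "R": "Reclaim memory", "S": "SMTP connection", "U": "Connection is up",
}
XLATE_FLAGS = {
    "a": "Passive FTP on inbound connection", "A": "Passive FTP on outbound connection",
    "B": "Inbound-only connection", "d": "Marked to be dumped (cleaned up)",
    "f": "Expecting IP fragment", "h": "HTTP connection", "i": "PAT ICMP echo",
    "I": "Identity connection (nat 0)", "n": "Sequence number not randomized",
    "N": "Netstatic xlate", "o": "Port-in received", "O": "Port-out received",
    "p": "Port-in transmitted", "P": "Port-out transmitted",
    "r": "Port address translation (PAT) xlate", "R": "Reclaim memory",
    "s": "Static", "S": "SMTP connection", "v": "Passive mode FTP started",
}

XLATE_RE = re.compile(
    r"^(?P<pat>PAT )?Global (?P<global>[\d.]+)(?:\((?P<pat_port>\d+)\))?"
    r" Local (?P<local>[\d.]+)(?P<attrs>.*?) flags (?P<flags>\S+)$")
CONN_RE = re.compile(
    r"^\s+(?P<proto>TCP|UDP) out (?P<out_ip>[\d.]+):(?P<out_port>\d+)"
    r" in (?P<in_ip>[\d.]+):(?P<in_port>\d+) idle (?P<idle>[\d:]+)"
    r"(?: Bytes (?P<bytes>\d+))? flags (?P<flags>\S+)$")


def decode_flags(flags: str, table: Dict[str, str]) -> List[str]:
    """Expand a flag string such as 'fFrRIO'; '-' means no flags are set."""
    if flags == "-":
        return []
    return [table.get(ch, f"unknown flag {ch!r}") for ch in flags]


def _int_after(label: str, text: str):
    """Pull the integer that follows `label` in the xlate attributes, if any."""
    m = re.search(rf"\b{label} (\d+)", text)
    return int(m.group(1)) if m else None


def parse_show_xlate(output: str) -> List[Dict]:
    """Group show xlate lines: flush-left lines are xlates, indented lines are
    the conns that belong to the xlate immediately above them."""
    xlates: List[Dict] = []
    for line in output.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            m = CONN_RE.match(line)
            if m is None or not xlates:
                raise ValueError(f"unparsed or orphan conn line: {line!r}")
            conn = m.groupdict()
            conn["flag_names"] = decode_flags(conn["flags"], CONN_FLAGS)
            xlates[-1]["conns"].append(conn)
            continue
        m = XLATE_RE.match(line)
        if m is None:
            raise ValueError(f"unparsed xlate line: {line!r}")
        x = m.groupdict()
        attrs = x.pop("attrs")
        x["pat"] = x.pop("pat") is not None
        x["pat_port"] = int(x["pat_port"]) if x["pat_port"] else None
        x["static"] = "static" in attrs.split()
        x["nconns"] = _int_after("nconns", attrs)
        x["econns"] = _int_after("econns", attrs)
        x["icmp_id"] = _int_after("ICMP id", attrs)
        x["flag_names"] = decode_flags(x["flags"], XLATE_FLAGS)
        x["conns"] = []
        xlates.append(x)
    return xlates


# Lines taken from the page's example, re-indented as the Note above describes
# (conn lines under their xlate); the layout, not the values, is constructed.
SAMPLE_SHOW_XLATE = """\
Global 11.1.1.1 Local 10.1.1.1 static nconns 0 econns 0 flags s
Global 192.150.49.105 Local 171.69.74.17 static nconns 0 econns 0 flags s
  TCP out 192.150.49.12:23 in 171.69.74.17:1330 idle 0:00:18 Bytes 374 flags fFrRIO
  UDP out 192.150.49.12:8393 in 171.69.74.17:4574 idle 0:00:30 flags -
PAT Global 192.150.49.110(2049) Local 171.69.74.17 flags dr
PAT Global 192.150.49.110(2056) Local 171.69.74.17 ICMP id 27606 flags ri
"""

if __name__ == "__main__":
    for x in parse_show_xlate(SAMPLE_SHOW_XLATE):
        print(x["global"], "->", x["local"], x["flag_names"], len(x["conns"]), "conns")
```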

Copyright 1989-1997 © Cisco Systems Inc.