Command Reference

Syntax Description

accounting	Enable or disable accounting services with authentication server. Use of this command requires that you previously used the aaa-server command to designate an authentication server.
include	Create a new rule with the specified service to include.
exclude	Create an exception to a previously stated rule by excluding the specified service from authentication, authorization, or accounting to the specified host. The exclude parameter improves the former except option by allowing the user to specify a port to exclude to a specific host or hosts.
acctg_service	The accounting service. Accounting is provided for all services or you can limit it to one or more services. Possible values are any, ftp, http, telnet, or protocol/port. Use any to provide accounting for all TCP services. To provide accounting for UDP services, use the protocol/port form. For protocol/port, the TCP protocol appears as 6, the UDP protocol appears as 17, and so on, and port is the TCP or UDP destination port. A port value of 0 (zero) means all ports. For protocols other than TCP and UDP, the port is not applicable and should not be used.
authentication	Enable or disable user authentication, prompt user for username and password, and verify information with authentication server. When used with the console option, enables or disables authentication service for access to the PIX Firewall console over Telnet or from the Console connector on the PIX Firewall unit. Use of the aaa authentication command requires that you previously used the aaa-server command to designate an authentication server.
authen_service	The application with which a user is accessing a network. Use any, ftp, http, or telnet. The any value enables accounting or authentication for all TCP services. To have users prompted for authentication credentials, they must use FTP, HTTP, or Telnet. (HTTP is the Web and only applies to web browsers that can prompt for a username and password.) If the authentication or authorization server is authenticating services other than FTP, HTTP, or Telnet, using any will not permit those services to authenticate in the firewall. The firewall only knows how to communicate with FTP, HTTP, and Telnet for authentication and authorization. Only set this parameter to a service other than any if the authentication or authorization server is set the same way. Unless you want to temporarily restrict access to a specific service, setting a service in this command can increase system administration work and may cause all connections to fail if the authentication or authorization server is authenticating one service and you set this command to another.
authorization	Enable or disable TACACS+ user authorization for services (PIX Firewall does not support RADIUS authorization). The authentication server determines what services the user is authorized to access.
author_service	The services which require authorization. Use any, ftp, http, telnet, or protocol/port. Services not specified are authorized implicitly. Services specified in the aaa authentication command do not affect the services which require authorization. For protocol/port: protocol---the protocol (6 for TCP, 17 for UDP, 1 for ICMP, and so on). port---the TCP or UDP destination port, or port range. The port can also be the ICMP type; that is, 8 for ICMP echo or ping. A port value of 0 (zero) means all ports. Port ranges only applies to the TCP and UDP protocols, not to ICMP. For protocols other than TCP, UDP, and ICMP the port is not applicable and should not be used. An example port specification follows: aaa authorization include udp/53-1024 inside 0 0 0 0 This example enables authorization for DNS lookups to the inside interface for all clients, and authorizes access to any other services that have ports in the range of 53 to 1024. Note Specifying a port range may produce unexpected results at the authorization server. PIX Firewall sends the port range to the server as a string with the expectation that the server will parse it out into specific ports. Not all servers do this. In addition, you may want users to be authorized on specific services, which will not occur if a range is accepted.
inbound	Authenticate or authorize inbound connections. Inbound means the connection originates on the outside interface and is being directed to the inside interface.
outbound	Authenticate or authorize outbound connections. Outbound means the connection originates on the inside and is being directed to the outside interface.
if_name	Interface name from which users require authentication. Use if_name in combination with the local_ip address and the foreign_ip address to determine where access is sought and from whom. The local_ip address is always on the highest security level interface and foreign_ip is always on the lowest. See the Examples section for how the if_name affects the use of this command.
local_ip	The IP address of the host or network of hosts that you want to be authenticated or authorized. You can set this address to 0 to mean all hosts and to let the authentication server decide which hosts are authenticated.
local_mask	Network mask of local_ip. Always specify a specific mask value. Use 0 if the IP address is 0. Use 255.255.255.255 for a host.
foreign_ip	The IP address of the hosts you want to access the local_ip address. Use 0 to mean all hosts.
foreign_mask	Network mask of foreign_ip. Always specify a specific mask value. Use 0 if the IP address is 0. Use 255.255.255.255 for a host.
console	Specify that access to the PIX Firewall console require authentication and optionally, log configuration changes to a syslog server. The aaa authentication serial console command lets you require authentication verification to access the PIX Firewall unit's serial console. The serial console options also logs to a syslog server changes made to the configuration from the serial console. Authenticated access to the PIX Firewall console has different types of prompts depending on the option you choose with the aaa authentication [serial | enable | telnet] console command. While the enable option allows three tries before stopping with an access denied message, both the serial and telnet options cause the user to be prompted continually until successfully logging in. The serial option requests a username and password before the first command line prompt on the serial console connection. The telnet option forces you to specify a username and password before the first command line prompt of a Telnet console connection. The enable option requests a username and password before accessing privileged mode for serial or Telnet connections. Telnet access to the PIX Firewall console is available from any internal interface (not the outside interface) and requires previous use of the telnet command. Authentication of the serial console creates a potential dead-lock situation if the authentication server requests are not answered and you need access to the console to attempt diagnosis. If the console login request times out, you can gain access to the PIX Firewall from the serial console by entering the pix username and the enable password. The maximum password length for accessing the console is 16 characters.
group_tag	The group tag set with the aaa-server command.

Usage Guidelines

aaa authentication include any outbound 0 0 server
aaa authentication exclude outbound perim_net perim_mask server

10. When using HTTP authentication to a site running Microsoft IIS that has "Basic text authentication" or "NT Challenge" enabled, users may be denied access from the Microsoft IIS server. This occurs because the browser appends the string: "Authorization: Basic=Uuhjksdkfhk==" to the HTTP GET commands. This string contains the PIX Firewall authentication credentials.

Windows NT Microsoft IIS servers respond to the credentials and assume that a Windows NT user is trying to access privileged pages on the server.  Unless the PIX Firewall username password combination is exactly the same as a valid Windows NT username and password combination on the Microsoft IIS server, the HTTP GET command is denied.

To solve this problem, PIX Firewall provides the virtual http command which redirects the browser's initial connection to another IP address, authenticates the user, then redirects the browser back to the URL which the user originally requested.

Once authenticated, a user never has to reauthenticate no matter how low the PIX Firewall uauth timeout is set.  This is because the browser caches the "Authorization: Basic=Uuhjksdkfhk==" string in every subsequent connection to that particular site. This can only be cleared when the user exits all instances of Netscape Navigator or Internet Explorer and restarts.  Flushing the cache is of no use.

As long as the user repeatedly browses the Internet, the browser resends the "Authorization: Basic=Uuhjksdkfhk==" string to transparently reauthenticate the user.

aaa authentication include any outbound 172.31.0.0 255.255.0.0 0.0.0.0 0.0.0.0 tacacs+
aaa authentication exclude telnet outbound 172.31.38.0 255.255.255.0 0.0.0.0 0.0.0.0 tacacs+

2. The following examples demonstrate ways to use the if_name parameter. The PIX Firewall has an inside network of 192.168.1.0, an outside network of 209.165.201.0 (subnet mask 255.255.255.224), and a perimeter network of 209.165.202.128 (subnet mask 255.255.255.224).

This example enables authentication for connections originated from the inside network to the outside network:

aaa authentication include any outbound 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224 tacacs+ 

This example enables authentication for connections originated from the inside network to the perimeter network:

aaa authentication include any outbound 192.168.1.0 255.255.255.0 209.165.202.128 255.255.255.224 tacacs+

This example enables authentication for connections originated from the outside network to the inside network:

aaa authentication include any inbound 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224 tacacs+

This example enables authentication for connections originated from the outside network to the perimeter network:

aaa authentication include any inbound 209.165.201.0 255.255.255.224 209.165.202.128 255.255.255.224 tacacs+

This example enables authentication for connections originated from the perimeter network to the outside network:

aaa authentication include any perimeter 209.165.202.128 255.255.255.224 209.165.201.0 255.255.255.224 tacacs+

3. This example specifies that IP addresses 10.0.0.1 through 10.0.0.254 can originate outbound connections and then enables user authentication so that those addresses must enter user credentials to exit the firewall. In this example, the first aaa authentication command permits authentication on FTP, HTTP, or Telnet depending on what the authentication server handles. The second aaa authentication command lets host 10.0.0.42 start outbound connections without being authenticated. This example uses the default authentication group tacacs+:

nat (inside) 1 10.0.0.0 255.255.255.0
aaa authentication include any outbound 0 0 tacacs+
aaa authentication exclude outbound 10.0.0.42 255.255.255.255 tacacs+ any

4. This example permits inbound access to any IP address in the range of 209.165.201.1 through 209.165.201.30 indicated by the 209.165.201.0 network address (subnet mask 255.255.255.224). All services are permitted by the access-list command, and the aaa authentication command permits authentication on FTP, HTTP, or Telnet depending on what the authentication server handles. The authentication server is at IP address 10.16.1.20 on the inside interface:

aaa-server AuthIn protocol tacacs+
aaa-server AuthIn (inside) host 10.16.1.20 thisisakey timeout 20
static (inside,outside) 209.165.201.0 10.16.1.0 netmask 255.255.255.224
access-list acl_out permit tcp 10.16.1.0 255.255.255.0 209.165.201.0 255.255.255.224
access-group acl_out in interface outside
aaa authentication include any inbound 0 0 AuthIn

5. This example enables authorization for DNS lookups from the outside interface:

aaa authorization include udp/53 inbound 0.0.0.0 0.0.0.0

6. This example enables authorization of ICMP echo-reply packets arriving at the inside interface from inside hosts:

 aaa authorization include 1/0 outbound 0.0.0.0 0.0.0.0

This means that users will not be able to ping external hosts if they have not been authenticated using Telnet, HTTP, or FTP.

aaa authorization include 1/8 outbound 0.0.0.0 0.0.0.0 

Syntax Description

group_tag	An alphanumeric string which is the name of the server group. Use the group_tag in the aaa command to associate aaa authentication and aaa accounting command statements to an AAA server.
if_name	The interface name on which the server resides.
host server_ip	The IP address of the TACACS+ or RADIUS server.
key	A case-sensitive, alphanumeric keyword of up to 127 characters that is the same value as the key on the TACACS+ server. Any characters entered past 127 are ignored. The key is used between the client and server for encrypting data between them. The key must be the same on both the client and server systems. Spaces are not permitted in the key, but other special characters are.
timeout seconds	A retransmit timer that specifies the duration that the PIX Firewall retries access four times to the AAA server before choosing the next AAA server. The default is 5 seconds. The maximum time is 30 seconds. For example, if the timeout value is 10 seconds, PIX Firewall retransmits for 10 seconds and if no acknowledgment is received, tries three times more for a total of 40 seconds to retransmit data before the next AAA server is selected.
protocol auth_protocol	The type of AAA server, either tacacs+ or radius.

Usage Guidelines

The aaa-server command lets you specify an AAA server group. PIX Firewall lets you define separate groups of TACACS+ or RADIUS servers for specifying different types of traffic; such as, a TACACS+ server for inbound traffic and another for outbound traffic. Another use is where all outbound HTTP traffic will be authenticated by a TACACS+ server, and all inbound traffic will use RADIUS.

AAA server group are defined by a tag name that directs different types of traffic to each authentication server. If the first authentication server in the list fails, the AAA subsystem fails over to the next server in the tag group. You can have up to 16 tag groups and each group can have up to 16 AAA servers for a total of up to 256 AAA servers.

The aaa command references the tag group.

Note The previous server type option at the end of the aaa authentication and aaa accounting commands has been replaced with the aaa-server group tag. Backward compatibility with previous versions is maintained by the inclusion of two default protocols for TACACS+ and RADIUS.

If accounting is in effect, the accounting information goes only to the active server.

The default configuration provides these two aaa-server protocols:

aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius

Note If you are upgrading from a previous version of PIX Firewall and have aaa command statements in your configuration, using the default server groups lets you maintain backward compatibility with the aaa command statements in your configuration.

Examples

1. This example uses the default protocol tacacs+ with the aaa commands:

aaa-server TACACS+ (inside) host 10.1.1.10 thekey timeout 20
aaa authentication include any outbound 0 0 0 0 TACACS+
aaa authorization include any outbound 0 0 0 0
aaa accounting include any outbound 0 0 0 0 TACACS+
aaa authentication serial console TACACS+

This example specifies that the authentication server with the IP address 10.1.1.10 resides on the inside interface and is in the default TACACS+ server group. The next three command statements specify that any users starting outbound connections to any foreign host will be authenticated using TACACS+, that the users who are successfully authenticated are authorized to use any service, and that all outbound connection information will be logged in the accounting database. The last command statement specifies that access to the PIX Firewall unit's serial console requires authentication from the TACACS+ server.

2. This example creates the AuthOut and AuthIn server groups for RADIUS authentication and specifies that servers 10.0.1.40, 10.0.1.41, and 10.1.1.2 on the inside interface provide authentication. The servers in the AuthIn group authenticate inbound connections, the AuthOut group authenticates outbound connections:

aaa-server AuthIn protocol radius
aaa-server AuthIn (inside) host 10.0.1.40 ab timeout 20
aaa-server AuthIn (inside) host 10.0.1.41 abc timeout 4
aaa-server AuthOut protocol radius
aaa-server AuthOut (inside) host 10.1.1.2 abc123 timeout 15
aaa authentication include any inbound 0 0 0 0 AuthIn
aaa authentication include any outbound 0 0 0 0 AuthOut

3. This example lists the commands that can be used to establish an Xauth crypto map:

ip address inside 10.0.0.1 255.255.255.0
ip address outside 168.20.1.5 255.255.255.0
ip local pool dealer 10.1.2.1-10.1.2.254
nat (inside) 0 access-list 80
aaa-server TACACS+ host 10.0.0.2 secret123 
crypto ipsec transform-set pc esp-des esp-md5-hmac 
crypto dynamic-map cisco 4 set transform-set pc
crypto map partner-map 20 ipsec-isakmp dynamic cisco
crypto map partner-map client configuration address initiate
crypto map partner-map client authentication TACACS+ 
crypto map partner-map interface outside
isakmp key cisco1234 address 0.0.0.0 netmask 0.0.0.0
isakmp client configuration address-pool local dealer outside
isakmp policy 8 authentication pre-share 
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 1
isakmp policy 8 lifetime 86400

Syntax Description

acl_name	The name associated with a given access list.
in interface	Filters on inbound packets at the given interface.
interface-name	The name of the network interface.

Usage Guidelines

The access-group command binds an access list to an interface. The access list is applied to traffic inbound to an interface. If you enter the permit option in an access-list command statement, the PIX Firewall continues to process the packet. If you enter the deny option in an access-list command statement, PIX Firewall discards the packet and generates the following syslog message:

%PIX-4-106019: IP packet from src_addr to dest_addr, protocol protocol received from interface int_name deny by access-group list_name
 

Always use the access-list command with the access-group command.

Note The use of access-group command overrides the conduit and outbound command statements for the specified interface-name.

The no access-group command unbinds the "acl_name" from the interface interface-name.

The show access-group command displays the current access-list bound to the interface(s).

The clear access-group command removes all entries from an access-list indexed by "list-name." If "list-name" is not specified, all access-list command statements are removed from the configuration.

Examples

The following example shows use of the access-group command:

static (inside,outside) 209.165.201.3 10.1.1.3
access-list acl_out permit tcp any host 209.165.201.3 eq 80
access-group acl_out in interface outside
 

The static command statement provides a global address of 209.165.201.3 for the web server at 10.1.1.3. The access-list command statement lets any host access the global address using port 80. The access-group command specifies that the access-list command statement applies to traffic entering the outside interface.

Syntax Description

acl_name	Name of an access list. You can use either a name or number.
deny	When used with the access-group command, the deny option does not allow a packet to traverse the PIX Firewall. By default, PIX Firewall denies all inbound packets unless you specifically permit access. When used with a crypto map command statement, deny does not select a packet for IPSec protection. The deny option prevents traffic from being protected by IPSec in the context of that particular crypto map entry. In other words, it does not allow the policy as specified in the crypto map command statements to be applied to this traffic.
permit	When used with the access-group command, the permit option selects a packet to traverse the PIX Firewall. When used with a crypto map command statement, permit selects a packet for IPSec protection. The permit option causes all IP traffic that matches the specified conditions to be protected by IPSec using the policy described by the corresponding crypto map command statements.
protocol	Name or number of an IP protocol. It can be one of the keywords icmp, ip, tcp, or udp, or an integer in the range 1 to 254 representing an IP protocol number. To match any Internet protocol, including ICMP, TCP, and UDP, use the keyword ip.
src_addr	Address of the network or host from which the packet is being sent. Specify the source address as follows: Use a 32-bit quantity in four-part, dotted-decimal format. Use the keyword any as an abbreviation for a source and source-netmask of 0.0.0.0 0.0.0.0. This keyword is normally not recommended for use with IPSec. Use host src_addr as an abbreviation for a src_mask of 255.255.255.255. Use host for any host address, even subnetted addresses.
src_mask	Netmask bits (mask) to be applied to src_addr (source address), if the source address is for a network mask. Do not specify a mask if the source address is for a host; if the source address is for a host, use the host parameter before the address; for example: access-list acl_grp permit tcp host 192.168.1.1 any If the source address is a network address, specify the mask as a 32-bit quantity in four-part, dotted-decimal format. Place zeros in the bit positions you want to ignore. Remember that you specify a network mask differently than with the Cisco IOS access-list command. With PIX Firewall, use 255.0.0.0 for a Class A address, 255.255.0.0 for a Class B address, and 255.255.255.0 for a Class C address. If you are using a subnetted network address, use the mask; for example: access-list acl_grp permit tcp 192.168.1.0 255.255.255.224 any
dest_addr	IP address of the network or host to which the packet is being sent. There are three ways to specify the destination: Use a 32-bit quantity in four-part, dotted-decimal format. Use the keyword any as an abbreviation for the destination and netmask of 0.0.0.0 0.0.0.0. This keyword is not recommended for access lists used for IPSec via the crypto map command. Use host dest_addr as an abbreviation for a dest_mask of 255.255.255.255.
dest_mask	Netmask bits (mask) to be applied to dest_addr (destination address), if the destination address is a network mask. Do not specify a dest_mask if the destination address is for a host; if the destination address is for a host, use the host parameter before the address; for example: access-list acl_grp permit tcp any host 192.168.1.1 If the destination address is a network address, specify the mask as a 32-bit quantity in four-part, dotted-decimal format. Place zeros in the bit positions you want to ignore. Remember that you specify a network mask differently than with the Cisco IOS software access-list command. With PIX Firewall, use 255.0.0.0 for a Class A address, 255.255.0.0 for a Class B address, and 255.255.255.0 for a Class C address. If you are using a subnetted network address, use the mask; for example: access-list acl_grp permit tcp any 209.165.201.0 255.255.255.224
operator	A comparison operand that lets you specify a port or a port range. Use without an operator and port to indicate all ports; for example: access-list acl_out permit tcp any host 209.165.201.1 Use eq and a port to permit or deny access to just that port. For example, use eq ftp to permit or deny access only to FTP: access-list acl_out deny tcp any host 209.165.201.1 eq ftp Use lt and a port to permit or deny access to all ports less than the port you specify. For example, use lt 2025 to permit or deny access to the well known ports (1 to 1024): access-list acl_dmz1 permit tcp any host 192.168.1.1 lt 1025
	Use gt and a port to permit or deny access to all ports greater than the port you specify. For example, use gt 42 to permit or deny ports 43 to 65535: access-list acl_dmz1 deny udp any host 192.168.1.2 gt 42 Use neq and a port to permit or deny access to every port except the ports that you specify. For example, use neq 10 to permit or deny ports 1-9 and 11 to 65535: access-list acl_dmz1 deny tcp any host 192.168.1.3 neq 10 Use range and a port range to permit or deny access to only those ports named in the range. For example, use range 10 1024 to permit or deny access only to ports 10 through 1024. All other ports are unaffected. The use of port ranges can dramatically increase the number of IPSec tunnels. For example, if a port range of 5000 to 65535 is specified for a highly dynamic protocol, up to 60,535 tunnels can be created. access-list acl_dmz1 deny tcp any host 192.168.1.4 range ftp telnet
port	Service(s) you permit to be used while accessing src_addr or dest_addr. Specify services by the port that handles it, such as smtp for port 25, www for port 80, and so on. You can specify ports by either a literal name or a number in the range of 0 to 65535. You can view valid port numbers online at the following site: http://www.isi.edu/in-notes/iana/assignments/port-numbers See "Ports" in "Introduction," for a list of valid port literal names in port ranges; for example, ftp h323. You can also specify numbers.
icmp_type	[Non-IPSec use only]---Permit or deny access to ICMP message types. Refer to Table 6-1 for a list of message types. Omit this option to mean all ICMP types. In version 5.1, ICMP message types are not supported for use with IPSec; that is when the access-list command is used in conjunction with the crypto map command, the icmp_type is ignored.

Usage Guidelines

After you have defined an access list, bind it to an interface using the access-group command. For IPSec use, bind it with a crypto map command statement.

The show access-list command lists the access-list command statements in the configuration. The show access-list command also lists a hit count that indicates the number of times an element has been matched during an access-list command search. The clear access-list command removes all access-list command statements from the configuration.

The no access-list command removes an access-list command from the configuration. If you remove all the access-list command statements in an access list group, the no access-list command also removes the corresponding access-group command from the configuration.

Usage Notes

1. The clear access-list command automatically unbinds an access list from a crypto map command or interface. The unbinding of an access list from a crypto map command can lead to a condition that discards all packets because the crypto map command statements referencing the access list are incomplete. To correct the condition, either define other access-list command statements to complete the crypto map command statements or remove the crypto map command statements that pertain to the access-list command statement.

2. The access-list command operates on a first match basis. For access from a higher security level interface to a lower security interface; that is, "outbound" connections, port access is permitted by default. Always permit access first and then deny access afterward. You can view security levels for interfaces with the show nameif command. Because outbound connections are permitted by default, for single or specific denies, you only need add deny statements. If the host entries match, then add deny statements, otherwise use the default (permit) statements. You only need to specify additional permit statements if you need to permit specific hosts and deny everyone else.

For access from a lower security level interface to a higher security level interface; that is, "inbound" connections, port access is denied by default. Always deny access first and permit access afterward. Because inbound connections are denied by default, for single or specific permits, you only need to add permit statements. If the host entries match, then use a permit statement, otherwise use a default (deny) statement. You only need to specify additional deny statements if you need to deny specific hosts and permit everyone else.

%PIX-4-106019: IP packet from src_addr to dest_addr, protocol protocol received from interface int_name deny by access-group list_name

If you specify an ICMP message type for use with IPSec, PIX Firewall ignores it. For example:

access-list 10 permit icmp any any echo-reply
 

And IPSec is enabled such that a crypto map command references the acl_name for this access-list command, then the echo-reply ICMP message type is ignored.

Using the access-list Command with IPSec

The access lists themselves are not specific to IPSec. It is the crypto map command statement referencing the specific access list that defines whether IPSec processing is applied to the traffic matching a permit in the access list.

Crypto access lists associated with the IPSec crypto map command statement have these primary functions:

• Select outbound traffic to be protected by IPSec (permit = protect).

• Indicate the data flow to be protected by the new security associations (specified by a single permit entry) when initiating negotiations for IPSec security associations.

• Process inbound traffic to filter out and discard traffic that IPSec protects.

• Determine whether or not to accept requests for IPSec security associations on behalf of the requested data flows when processing IKE negotiation from the IPSec peer. (Negotiation is only done for crypto map command statements with the ipsec-isakmp option.) For a peer's initiated IPSec negotiation to be accepted, it must specify a data flow that is permitted by a crypto access list associated with an ipsec-isakmp crypto map entry.

You can associate a crypto access list with an interface by defining the corresponding crypto map command statement and applying the crypto map set to an interface. Different access lists must be used in different entries of the same crypto map set. However, both inbound and outbound traffic will be evaluated against the same "outbound" IPSec access list. Therefore, the access list's criteria are applied in the forward direction to traffic exiting your PIX Firewall and the reverse direction to traffic entering your PIX Firewall.

If you want certain traffic to receive one combination of IPSec protection (for example, authentication only) and other traffic to receive a different combination of IPSec protection (for example, both authentication and encryption), you need to create two different crypto access lists to define the two different types of traffic. These different access lists are then used in different crypto map entries that specify different IPSec policies.

Syntax Description

if_name	The internal network interface name in which the foreign_ip overlaps.
dnat_ip	An IP address on the internal network that provides an alternate IP address for the external address that is the same as an address on the internal network.
foreign_ip	IP address on the external network that has the same address as a host on the internal network.
netmask	Network mask applied to both IP addresses. Use 255.255.255.255 for host masks.

Usage Guidelines

The alias command translates one address into another. Use this command to prevent conflicts when you have IP addresses on a network that are the same as those on the Internet or another intranet. You can also use this command to do address translation on a destination address. For example, if a host sends a packet to 209.165.201.1, you can use the alias command to redirect traffic to another address, such as, 209.165.201.30.

Note You can use the sysopt nodnsalias command to disable inbound embedded DNS A record fixups according to aliases that apply to the A record address and outbound replies.

Note If the alias command is used with the sysopt ipsec pl-compatible command, a static route command statement must be added for each IP address specified in the alias command statement.

After changing or removing an alias command statement, use the clear xlate command.

There must be an A (address) record in the DNS zone file for the "dnat" address in the alias command.

The alias command has two uses which can be summarized in the following ways of reading an alias command statement:

• If the PIX Firewall gets a packet destined for the dnat_IP_address, send it to the foreign_IP_address.

• If the PIX Firewall gets a DNS packet returned to the PIX Firewall destined for foreign_network_address, alter the DNS packet to change the foreign network address to dnat_network_address.

The no alias command disables a previously set alias command statement. The show alias command displays alias command statements in the configuration. The clear alias command removed all alias commands from the configuration.

The alias command automatically interacts with DNS servers on your network to ensure that domain name access to the aliased IP address is handled transparently.

Note ActiveX blocking does not occur when users access an IP address referenced by the alias command. ActiveX blocking is set with the filter activex command.

Usage Notes

To access an alias dnat_ip address with static and access-list command statements, specify the dnat_ip address in the access-list command statement as the address from which traffic is permitted from. The following example illustrates this note:

alias (inside) 192.168.201.1 209.165.201.1 255.255.255.255
static (inside,outside) 209.165.201.1 192.168.201.1 netmask 255.255.255.255
access-list acl_out permit tcp host 192.168.201.1 host 209.165.201.1 eq ftp-data
access-group acl_out in interface outside
 

An alias is specified with the inside address 192.168.201.1 mapping to the foreign address 209.165.201.1.

Examples

1. In this example, the inside network contains the IP address 209.165.201.29, which on the Internet belongs to cisco.com. When inside clients try to access cisco.com, the packets do not go to the firewall because the client thinks 209.165.201.29 is on the local inside network. To correct this, a net alias is created as follows with the alias command:

alias (inside) 192.168.201.0 209.165.201.0 255.255.255.224
 
show alias
alias 192.168.201.0 205.165.201.0 255.255.255.224

When the inside network client 209.165.201.2 connects to cisco.com, the DNS response from an external DNS server to the internal client's query would be altered by the PIX Firewall to be 209.165.201.29. If the PIX Firewall uses 209.165.200.225 through 209.165.200.254 as the global pool IP addresses, the packet goes to the PIX Firewall with SRC=209.165.201.2 and DST=209.165.201.29. The PIX Firewall translates the address to SRC=209.165.200.254 and DST=209.165.201.29 on the outside.

2. In the next example, a web server is on the inside at 10.1.1.11 and a static for it at 209.165.201.11. The source host is on the outside with address 209.165.201.7. A DNS server on the outside has a record for www.cisco.com as follows:

www.cisco.com.

IN

A

209.165.201.11

The period at the end of the www.cisco.com. domain name must be included.

The alias command follows:

alias 10.1.1.11 209.165.201.11 255.255.255.255

PIX Firewall doctors the nameserver replies to 10.1.1.11 for inside clients to directly connect to the web server.

The static command statement is as follows:

static (inside,outside) 209.165.201.11 10.1.1.11

The access-list command statement you would expect to use follows:

access-list acl_grp permit tcp host 209.165.201.7 host 209.165.201.11 eq telnet

But with the alias command, use this command:

access-list acl_grp permit tcp host 209.165.201.11 eq telnet host 209.165.201.7

You can test the DNS entry for the host with the following UNIX nslookup command:

nslookup -type=any www.cisco.com

Syntax Description

if_name	The internal or external interface name specified by the nameif command.
ip_address	Host IP address for the ARP table entry.
mac_address	Hardware MAC address for the ARP table entry; for example, 00e0.1e4e.3d8b.
alias	Make this entry permanent. Alias entries do not time out and are automatically stored in the configuration when you use the write command to store the configuration.
seconds	Duration that an ARP entry can exist in the ARP table before being cleared.

Usage Guidelines

Note You can use the sysopt noproxyarp command to disable proxy-arps on an interface.

Use the arp command to add an entry for new hosts you add on your network or when you swap an existing host for another. Alternatively, you can wait for the duration specified with the arp timeout command to expire and the ARP table rebuilds itself automatically with the new host information.

The arp timeout command sets the duration that an ARP entry can stay in the PIX Firewall ARP table before expiring. The timer is known as the ARP persistence timer. The default value is
14,400 seconds (4 hours).

The no arp timeout command sets the timer to its default value. The show arp timeout command displays its current value.

Examples

The following examples illustrate use of the arp and arp timeout commands:

arp inside 192.168.0.42 00e0.1e4e.2a7c
arp outside 192.168.0.43 00e0.1e4e.3d8b alias
show arp
outside 192.168.0.43 00e0.1e4e.3d8b alias
inside 192.168.0.42 00e0.1e4e.2a7c
 
clear arp inside 192.168.0.42
 
arp timeout 42
show arp timeout
arp timeout 42 seconds
 
no arp timeout
show arp timeout
arp timeout 14400 seconds

Syntax Description

accept	If a user authentication via Telnet is accepted, display the prompt string.
reject	If a user authentication via Telnet is rejected, display the prompt string.
prompt	The AAA challenge prompt string follows this keyword. This keyword is optional for backward compatibility.
string	A string of up to 235 alphanumeric characters. Special characters should not be used; however, spaces and punctuation characters are permitted. Entering a question mark or pressing the Enter key ends the string. (The question mark appears in the string.)

Usage Guidelines

The auth-prompt command lets you change the AAA challenge text for HTTP, FTP, and Telnet access. This text displays above the username and password prompts that users view when logging in. If you do not use this command, FTP users view FTP authentication,  HTTP users view HTTP Authentication, and challenge text does not appear for Telnet access.

If the user authentication occurs from Telnet, you can use the accept and reject options to display different authentication prompts if the authentication attempt is accepted or rejected by the authentication server.

Note Microsoft Internet Explorer only displays up to 37 characters in an authentication prompt. Netscape Navigator displays up to 120 characters, and Telnet and FTP display up to 235 characters in an authentication prompt.

Examples

The following example shows how to set the authentication prompt and how users view the prompt:

auth-prompt XYZ Company Firewall Access
 

After this string is added to the configuration, users view:

XYZ Company Firewall Access
User Name:
Password:
 

The prompt keyword can be included or omitted. For example:

auth-prompt prompt Hello There!
 

This command statement is the same as the following:

auth-prompt Hello There!
 

Syntax Description

ca_nickname	The name of the Certification Authority (CA). Enter any string that you desire. (If you previously declared the CA and just want to update its characteristics, specify the name you previously created.) The CA might require a particular name, such as its domain name. Currently the PIX Firewall supports only one CA at a time.
fingerprint	A key consisting of alphanumeric characters the PIX Firewall uses to authenticate CA's certificate.
ca | ra	Indicates whether to contact the CA or Registration Authority (RA) when using the ca configure command. Some CA systems provide a RA, which the PIX Firewall contacts instead of the CA.
retry_period	Specify the number of minutes the PIX Firewall waits before resending a certificate request to the CA when it does not receive a response from the CA to its previous request. Specify from 1 to 60 minutes. By default, the firewall retries every 1 minute.
retry_count	Specify how many times the PIX Firewall will resend a certificate request when it does not receive a certificate from the CA from the previous request. Specify from 1 to 100. The default is 0, which indicates that there is no limit to the number of times the PIX Firewall should contact the CA to obtain a pending certificate.
crloptional	Allows other peers' certificates be accepted by your PIX Firewall even if the appropriate Certificate Revocation List (CRL) is not accessible to your PIX Firewall. The default is without crloptional.
challenge_password	A required password that gives the CA administrator some authentication when a user calls to ask for a certificate to be revoked. It can be up to 80 characters in length.
serial	Return the PIX Firewall unit's serial number in the certificate.
ipaddress	Return the PIX Firewall unit's IP address in the certificate.
key	This specifies that one general-purpose RSA key pair will be generated.
specialkey	This specifies that two special-purpose RSA key pairs will be generated instead of one general-purpose key.
key_modulus_size	The size of the key modulus, which is between 512 and 2048 bits. Choosing a size greater than 1024 bits may cause key generation to take a few minutes.
ca_ipaddress	The CA's IP address.
:ca_script_location	The default location and script on the CA server is /cgi-bin/pkiclient.exe. If the CA administrator has not put the CGI script in the above location, provide the location and the name of the script in the ca identity command. A PIX Firewall uses a subset of the HTTP protocol to contact the CA, and so it must identify a particular cgi-bin script to handle CA requests.
ldap_ipaddress	The IP address of the Lightweight Directory Access Protocol (LDAP) server. By default, querying of a certificate or a CRL is done via Cisco's PKI protocol. If the CA supports LDAP, query functions may also use LDAP.

Usage Guidelines

The sections that follow describe each ca command.

Note See the section "About CA" in "Configuring IPSec," for more information about this IPSec feature.

Note The PIX Firewall currently only supports the Entrust and VeriSign CAs. The PIX Firewall only supports Entrust VPN Connector, version 4.1 (build 4.1.0.337) and later. VeriSign support is provided through the VeriSign Private Certificate Services (PCS) and the OnSite service, which lets you establish a CA system for issuing digital certificates.

Note If you are using the VeriSign CA, you must use the crloptional parameter with the ca configure command.

Note The lifetime of a certificate and the Certificate Revocation List (CRL) is checked in GMT time. Set the PIX Firewall clock to GMT time to ensure that CRL checking works correctly. Use the clock command to set the PIX Firewall clock.

ca authenticate

In order to authenticate a peer's certificate(s), a PIX Firewall must obtain the CA certificate containing the CA public key. Because the CA certificate is a self-signed certificate, the key should be authenticated manually by contacting the CA administrator. You are given the choice of authenticating the public key in that certificate by including within the ca authenticate command the key's fingerprint, which is retrieved in some out-of-band process. The PIX Firewall will discard the received CA certificate and generate an error message, if the fingerprint you specified is different from the received one. You can also simply compare the two fingerprints without having to enter the key within the command.

To view the CA's certificate, use the show ca certificate command.

Note If the CA does not respond by a timeout period after this command is issued, the terminal control will be returned so it will not be tied up. If this happens, you must re-enter the command.

Examples

In this example, a request for the CA's certificate was sent to the CA. The fingerprint was not included in the command. The CA sends its certificate and the PIX Firewall prompts for verification of the CA's certificate by checking the CA certificate's fingerprint. Using the fingerprint associated with the CA's certificate retrieved in some out-of-band process from a CA administrator, compare the two fingerprints. If both fingerprints match, then the certificate is considered valid.

ca authenticate myca
Certificate has the following attributes:
Fingerprint: 0123 4567 89AB CDEF 0123
 

The following example shows the error message. This time, the fingerprint is included in the command. The two fingerprints do not match, and therefore the certificate is not valid.

ca authenticate myca 0123456789ABCDEF0123
Certificate has the following attributes:
Fingerprint: 0123 4567 89AB CDEF 5432
%Error in verifying the received fingerprint. Type help or `?' for a list of
available commands.

ca configure

The ca configure command is used to specify the communication parameters between the PIX Firewall and the CA.

Use the no ca configure command to reset each of the communication parameters to the default value. If you want to show the current settings stored in RAM, use the show ca configure command.

Note When using VeriSign as your CA, always use the crloptional option with the ca configure command. Without the crloptional option, an error occurs when the PIX Firewall validates the certificate during main mode, which causes the peer PIX Firewall to fail. This problem occurs because the PIX Firewall is not able to poll the CRL from the VeriSign CA.

Examples

The following example indicates myca is the name of the CA and the CA will be contacted rather than the RA. It also indicates the PIX Firewall will wait 5 minutes before sending another certificate request, if it does not receive a response, and will resend a total of 15 times before dropping its request. If the CRL is not accessible, crloptional tells the PIX Firewall to accept other peer's certificates.

ca configure myca ca 5 15 crloptional

ca crl request

A PIX Firewall automatically requests a CRL from the CA at various times, depending on whether the CA is in the RA mode or not. If the CA is not in the RA mode, a CRL is requested whenever the system reboots and finds that it does not already contain a valid (un-expired) CRL. If the CA is in the RA mode, no CRL can be obtained until a peer's certificate is sent via an ISAKMP exchange. This is because the certificate itself contains the location where the PIX Firewall must query to get the appropriate CRL. When a CRL expires, the PIX Firewall automatically requests an updated one. Until a new valid CRL is obtained, the PIX Firewall will not accept peers' certificates.

Use the ca crl request command only if your CA does not support a RA. A CRL lists all the network's devices' certificates that have been revoked. The PIX Firewall will not accept revoked certificates; therefore, any peer with a revoked certificate cannot exchange IPSec traffic with your firewall.

The first time your PIX Firewall receives a certificate from a peer, it will download a CRL from the CA. Your PIX Firewall then checks the CRL to make sure the peer's certificate has not been revoked. (If the certificate appears on the CRL, it will not accept the certificate and will not authenticate the peer.)

A CRL can be reused with subsequent certificates until the CRL expires. If your PIX Firewall receives a peer's certificate after the applicable CRL has expired, it will download the new CRL.

If your PIX Firewall has a CRL which has not yet expired, but you suspect that the CRL's contents are out of date, use the ca crl request command to request that the latest CRL be immediately downloaded to replace the old CRL.

The ca crl request command is not saved with the PIX Firewall configuration between reloads.

Examples

ca crl request myca

ca enroll

Your PIX Firewall needs a signed certificate from the CA for each of its RSA key pairs; if you previously generated general purpose keys, the ca enroll command will obtain one certificate corresponding to the one general purpose RSA key pair. If you previously generated special usage keys, this command will obtain two certificates corresponding to each of the special usage RSA key pairs.

If you already have a certificate for your keys, you will be unable to complete this command; instead, you will be prompted to remove the existing certificate first.

The ca enroll command is not saved with the PIX Firewall configuration between reloads. To verify if the enrollment process succeeded and to display the PIX Firewall unit's certificate, use the show ca certificate command. If you want to cancel the current enrollment request, use the no ca enroll command.

Note This password is not stored anywhere, so you need to remember this password.

If you lose the password, the CA administrator may still be able to revoke the PIX Firewall's certificate but will require further manual authentication of the PIX Firewall administrator identity.

Note When configuring ISAKMP for certificate-based authentication, it is important to match the ISAKMP identity type with the certificate type. The ca enroll command used to acquire certificates will, by default, get a certificate with the identity based on hostname. The default identity type for the isakmp identity command is based on address instead of hostname. You can reconcile this disparity of identity types by using the isakmp identity address command. See the isakmp command page for information about the isakmp identity address command.

Examples

The following example indicates that the PIX Firewall will send an enrollment request to the CA myca.example.com. The password 1234567890 is specified, as well as a request for the PIX Firewall unit's serial number to be embedded in the certificate.

ca enroll myca.example.com 1234567890 serial

ca generate rsa

Examples

In this example, one general purpose RSA key pair is to be generated. The selected size of the key modulus is 2048.

ca generate rsa key 2048

Note You cannot generate both special usage and general purpose keys; you can only generate one or the other.

ca identity

Examples

The following example indicates that the CA myca.example.com is declared as the PIX Firewall unit's supported CA. The CA's IP address of 205.139.94.231 is provided.

ca identity myca.example.com 205.139.94.231 

ca save all

The ca save command itself is not saved with the PIX Firewall configuration between reloads.

To view the current status of requested certificates, and relevant information of received certificates, such as CA and RA certificates, use the show ca certificate command. Because the certificates contain no sensitive data, any user is allowed to issue this show command.

ca zeroize rsa

• Use the no ca identity command to manually remove the PIX Firewall unit's certificates from the configuration. This will delete all the certificates issued by the CA.

• Ask the CA administrator to revoke your PIX Firewall unit's certificates at the CA. Supply the challenge password you created when you originally obtained the PIX Firewall unit's certificates using the crypto ca enroll command.

show ca mypubkey rsa

Examples

The following is sample output of the show ca mypubkey rsa command. Special usage RSA keys were previously generated for this PIX Firewall using the ca generate rsa command:

show ca mypubkey rsa
 
% Key pair was generated at: 15:34:55 Aug 05 1999
 
Key name: pixfirewall.example.com
 Usage: Signature Key
 Key Data:
305c300d 06092a86 4886f70d 01010105 00034b00 30480241 00c31f4a ad32f60d
6e7ed9a2 32883ca9 319a4b30 e7470888 87732e83 c909fb17 fb5cae70 3de738cf
6e2fd12c 5b3ffa98 8c5adc59 1ec84d78 90bdb53f 2218cfe7 3f020301 0001
% Key pair was generated at: 15:34:55 Aug 05 1999
 
Key name: pixfirewall.example.com
 Usage: Encryption Key
 Key Data:
305c300d 06092a86 4886f70d 01010105 00034b00 30480241 00d8a6ac cc64e57a
48dfb2c1 234661c7 76380bd5 72ae62f7 1706bdab 0eedd0b5 2e5feef0 76319d98
908f50b4 85a291de 247b6711 59b30026 453bfa3c 45234991 5d020301 0001

Syntax Description

hh:mm:ss	The current hour:minutes:seconds expressed in 24-hour time; for example, 20:54:00 for 8:54 pm. Zeros can be entered as a single digit; for example, 21:0:0.
month	The current month expressed as the first three characters of the month; for example, apr for April.
day	The current day of the month; for example, 1.
year	The current year expressed as four digits; for example, 2000.

Usage Guidelines

Usage Notes

static (dmz2,outside) 209.165.201.5 192.168.1.5 netmask 255.255.255.255
conduit permit tcp host 209.165.201.5 eq 1723 any
conduit permit gre host 209.165.201.5 any

In this example, PPTP is being used to handle access to host 192.168.1.5 on the dmz2 interface from users on the outside. Outside users access the dmz2 host using global address 209.165.201.5. The first conduit command statement opens access for the PPTP protocol and gives access to any outside users. The second conduit command statement permits access to GRE. If PPTP was not involved and GRE was, you could omit the first conduit command statement.

For MSRPC, two conduit command statements are required, one for port 135 and another for access to the high ports (1024-65535). For Sun RPC, a single conduit command statement is required for UDP port 111.

Once you create a conduit command statement for RPC, you can use the following command to test its activity from a UNIX host:

rpcinfo -u unix_host_ip_address 150001

Replace unix-_host_ip_address with the IP address of the UNIX host.

8. You can overlay host statics on top of a net static range to further refine what an individual host can access:

static (inside, outside) 209.165.201.0 10.1.1.0 netmask 255.255.255.0
conduit permit tcp 209.165.201.0 255.255.255.0 eq ftp any
static (inside, outside) 203.31.17.3 10.1.1.3 netmask 255.255.255.0
conduit permit udp host 209.165.201.3 eq h323 host 209.165.202.3

In this case, the host at 209.165.202.3 has InternetPhone access in addition to its blanket FTP access.

Examples

1. The following commands permit access between an outside UNIX gateway host at 209.165.201.2, to an inside SMTP server with Mail Guard at 192.168.1.49. Mail Guard is enabled in the default configuration for PIX Firewall with the fixup protocol smtp 25 command. The global address on the PIX Firewall is 209.165.201.1:

static (inside,outside) 209.165.201.1 192.168.1.49 netmask 255.255.255.255 0 0
conduit permit tcp host 209.165.201.1 eq smtp host 209.165.201.2 

To disable Mail Guard, enter the following command:

no fixup protocol smtp 25

2. You can set up an inside host to receive H.323 InternetPhone calls and allow the outside network to connect inbound via the IDENT protocol (TCP port 113). In this example, the inside network is at 192.168.1.0, the global addresses on the outside network are referenced via the 209.165.201.0 network address with a 255.255.255.224 mask:

static (inside,outside) 209.165.201.0 192.168.1.0 netmask 255.255.255.224 0 0
conduit permit tcp 209.165.201.0 255.255.255.224 eq h323 any
conduit permit tcp 209.165.201.0 255.255.255.224 eq 113 any

3. You can create a web server on the perimeter interface that can be accessed by any outside host as follows:

static (perimeter,outside) 209.165.201.4 192.168.1.4 netmask 255.255.255.255 0 0
conduit permit tcp host 209.165.201.4 eq 80 any

In this example, the static command statement maps the perimeter host, 192.168.1.4. to the global address, 209.165.201.4. The conduit command statement specifies that the global host can be accessed on port 80 (web server) by any outside host.

	configure net :
 

Use the write net command to store the configuration in the file.

If you have an existing PIX Firewall configuration on a TFTP server and store a shorter configuration with the same file name on the TFTP server, some TFTP servers will leave some of the original configuration after the first ":end" mark. This does not affect the PIX Firewall because the configure net command stops reading when it reaches the first ":end" mark. However, this may cause confusion if you view the configuration and see extra text at the end of the configuration. This does not occur if you are using Cisco TFTP Server version 1.1 for Windows NT.

Note Many TFTP servers require the configuration file to be world-readable to be accessible.

The configure memory command merges the configuration in Flash memory into the current configuration in RAM.

The show configure command lists the contents of the configuration in Flash memory.

Each command statement from diskette (with configure floppy), Flash memory (with configure memory), or TFTP transfer (with configure net) is read into the current configuration and evaluated in the same way as commands entered from a keyboard with these rules:

• If the command on diskette or Flash memory is identical to an existing command in the current configuration, it is ignored.

• If the command on diskette or Flash memory is an additional instance of an existing command, such as if you already have one telnet command for IP address 10.2.3.4 and the diskette configuration has a telnet command for 10.7.8.9, then both commands appear in the current configuration.

• If the command redefines an existing command, the command on diskette or Flash memory overwrites the command in the current configuration in RAM. For example, if you have hostname ram in the current configuration and hostname floppy on diskette, the command in the configuration becomes hostname floppy and the command line prompt changes to match the new host name when that command is read from diskette.

Examples

The following example shows how to configure the PIX Firewall using a configuration retrieved with TFTP:

configure net 10.1.1.1:/tftp/config/pixconfig
 

The pixconfig file is stored on the TFTP server at 10.1.1.1 in the tftp/config folder.

The following example shows how to configure the PIX Firewall from a diskette:

configure floppy
 

The following example shows how to configure the PIX Firewall from the configuration stored in Flash memory:

configure memory
 

The following example shows the commands you enter to access configuration mode, view the configuration, and save it in Flash memory.

Access privileged mode with the enable command and configuration mode with the configure terminal command. View the current configuration with the write terminal command and save your configuration to Flash memory using the write memory command.

pixfirewall> enable
password: 
pixfirewall# configure terminal
pixfirewall(config)# write terminal
:Saved
 config commands 
:End
 
write memory

If the security associations are manually established, the security associations are deleted.

If the peer, map, entry, or counters keywords are not used, all IPSec security associations will be deleted. This command clears (deletes) IPSec security associations.

If the security associations were established via IKE, they are deleted and future IPSec traffic will require new security associations to be negotiated. (When IKE is used, the IPSec security associations are established only when needed.)

If the security associations are manually established, the security associations are deleted and reinstalled. (When IKE is not used, the IPSec security associations are created as soon as the configuration is completed.)

If the peer, map, entry, or counters keywords are not used, all IPSec security associations will be deleted.

The peer keyword deletes any IPSec security associations for the specified peer.

The map keyword deletes any IPSec security associations for the named crypto map set.

The entry keyword deletes the IPSec security association with the specified address, protocol, and SPI.

If any of the previous commands cause a particular security association to be deleted, all the "sibling" security associations---that were established during the same IKE negotiation---are deleted as well.

The counters keyword simply clears the traffic counters maintained for each security association; it does not clear the security associations themselves.

If you make configuration changes that affect security associations, these changes will not apply to existing security associations but to negotiations for subsequent security associations. You can use the clear [crypto] ipsec sa command to restart all security associations so they will use the most current configuration settings. In the case of manually established security associations, if you make changes that affect security associations you must use the clear [crypto] ipsec sa command before the changes take effect.

Note If you make significant changes to IPSec configuration such as access-list or peers, clear [crypto] ipsec sa will not be enough to activate the new configuration. In such case, rebind the crypto map to the interface with the crypto map interface command.

If the PIX Firewall is processing active IPSec traffic, Cisco recommends that you only clear the portion of the security association database that is affected by the changes to avoid causing active IPSec traffic to temporarily fail.

Note The clear [crypto] ipsec sa command only clears IPSec security associations; to clear IKE security associations, use the clear [crypto] isakmp sa command.

Examples

The following example clears (and reinitializes if appropriate) all IPSec security associations at the PIX Firewall:

clear crypto ipsec sa
 

clear crypto ipsec sa entry 10.0.0.1 AH 256

show crypto ipsec sa

The show crypto ipsec sa command allows you to view the settings used by current security associations. If no keyword is used, all security associations are displayed. They are sorted first by interface, and then by traffic flow (for example, source/destination address, mask, protocol, port). Within a flow, the security associations are listed by protocol (ESP/AH) and direction (inbound/outbound).

Note While entering the show crypto ipsec sa command, if the screen display is stopped with the More prompt and the security association lifetime expires while the screen display is stopped, then the subsequent display information may refer to a stale security association. Assume that the security association lifetime values that display are invalid.

Note Output of the show crypto ipsec sa command lists the PCP protocol. This is a compression protocol that came with the Cisco IOS software code on which the PIX Firewall IPSec implementation is based; however, the PIX Firewall does not support the PCP protocol.

Examples

The following is a sample output for the show crypto ipsec sa command:

show crypto ipsec sa
 
interface: outside
    Crypto map tag: firewall-alice, local addr. 172.21.114.123
 
   local ident (addr/mask/prot/port): (172.21.114.123/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.21.114.67/255.255.255.255/0/0)
   current_peer: 172.21.114.67
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify 10
    #send errors 10, #recv errors 0
 
     local crypto endpt.: 172.21.114.123, remote crypto endpt.: 172.21.114.67
     path mtu 1500, media mtu 1500
     current outbound spi: 20890A6F
 
     inbound esp sas:
      spi: 0x257A1039(628756537)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 26, crypto map: firewall-alice
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     outbound esp sas:
      spi: 0x20890A6F(545852015)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 27, crypto map: firewall-alice
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
     outbound ah sas:
interface: inside
    Crypto map tag: firewall-alice, local addr. 172.21.114.123
          
   local ident (addr/mask/prot/port): (172.21.114.123/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.21.114.67/255.255.255.255/0/0)
   current_peer: 172.21.114.67
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify 10
    #send errors 10, #recv errors 0
 
     local crypto endpt.: 172.21.114.123, remote crypto endpt.: 172.21.114.67
     path mtu 1500, media mtu 1500
     current outbound spi: 20890A6F
 
     inbound esp sas:
      spi: 0x257A1039(628756537)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 26, crypto map: firewall-alice
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     outbound esp sas:
      spi: 0x20890A6F(545852015)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 27, crypto map: firewall-alice
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
     outbound ah sas:

Use the no crypto map client authentication command to restore the default value. The extended Xauth feature is not enabled by default.

Note Be sure to specify the same AAA server name within the crypto map client authentication command statement as was specified in the aaa-server command statement.

Note The remote user must be running the Cisco Secure VPN Client, version 1.1.

Examples

The following example shows how the crypto map client authentication command is used. This example sets up the IPSec rules for VPN encryption IPSec. The ip, nat, aaa-server command statements establish the context for the IPSec-related commands.

ip address inside 10.0.0.1 255.255.255.0
ip address outside 168.20.1.5 255.255.255.0
ip local pool dealer 10.1.2.1-10.1.2.254
nat (inside) 0 access-list 80
aaa-server TACACS+ (inside) host 10.0.0.2 secret123
crypto ipsec transform-set pc esp-des esp-md5-hmac 
crypto dynamic-map cisco 4 set transform-set pc
crypto map partner-map 20 ipsec-isakmp dynamic cisco
crypto map partner-map client configuration address initiate
crypto map partner-map client authentication TACACS+ 
crypto map partner-map interface outside
isakmp key cisco1234 address 0.0.0.0 netmask 0.0.0.0
isakmp client configuration address-pool local dealer outside
isakmp policy 8 authentication pre-share 
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 1
isakmp policy 8 lifetime 86400

crypto map client configuration address

Use the no crypto map client configuration address command to restore the default value. The IKE Mode Configuration is not enabled by default.

The keyword initiate indicates the PIX Firewall will attempt to set IP addresses for each peer. The respond keyword indicates the PIX Firewall will accept requests for IP addresses from any requesting peer.

Note If you use IKE Mode Configuration on the PIX Firewall, the routers handling the IPSec traffic must also support IKE Mode Configuration. Cisco IOS Release 12.0.6T and later, supports the IKE Mode Configuration.

Note The crypto map command without a keyword creates an ipsec-isakmp entry by default.

After you define crypto map entries, you can use the crypto map interface command to assign the crypto map set to interfaces.

Crypto maps provide two functions: filtering/classifying traffic to be protected, and defining the policy to be applied to that traffic. The first use affects the flow of traffic on an interface; the second affects the negotiation performed (via IKE) on behalf of that traffic.

IPSec crypto maps link together definitions of the following:

• What traffic should be protected

• Which IPSec peer(s) the protected traffic can be forwarded to---these are the peers with which a security association can be established

• Which transform sets are acceptable for use with the protected traffic

• How keys and security associations should be used/managed (or what the keys are, if IKE is not used)

A crypto map set is a collection of crypto map entries each with a different seq-num but the same map-name. Therefore, for a given interface, you could have certain traffic forwarded to one peer with specified security applied to that traffic, and other traffic forwarded to the same or a different peer with different IPSec security applied. To accomplish this you would create two crypto map entries, each with the same map-name, but each with a different seq-num.

The number you assign to the seq-num argument should not be arbitrary. This number is used to rank multiple crypto map entries within a crypto map set. Within a crypto map set, a crypto map entry with a lower seq-num is evaluated before a map entry with a higher seq-num; that is, the map entry with the lower number has a higher priority.

Examples

The following example shows the minimum required crypto map configuration when IKE will be used to establish the security associations:

crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap set transform-set my_t_set1
crypto map mymap set peer 10.0.0.1
 

The following example shows the minimum required crypto map configuration when the security associations are manually established.

crypto transform-set someset ah-md5-hmac esp-des
crypto map mymap 10 ipsec-manual
crypto map mymap 10 match address 102
crypto map mymap 10 set transform-set someset
crypto map mymap 10 set peer 10.0.0.5
crypto map mymap 10 set session-key inbound ah 256 98765432109876549876543210987654
crypto map mymap 10 set session-key outbound ah 256 fedcbafedcbafedcfedcbafedcbafedc
crypto map mymap 10 set session-key inbound esp 256 cipher 0123456789012345
crypto map mymap 10 set session-key outbound esp 256 cipher abcdefabcdefabcd

crypto mapipsec-isakmp dynamic

To specify that a given crypto map entry is to reference a pre-existing dynamic crypto map, use the crypto map ipsec-isakmp dynamic command.

Use the crypto dynamic-map command to create dynamic crypto map entries. After you create a dynamic crypto map set, use the crypto map ipsec-isakmp dynamic command to add the dynamic crypto map set to a static crypto map.

Give crypto map entries which reference dynamic map sets the lowest priority map entries so that inbound security association negotiation requests will try to match the static maps first. Only after the request does not match any of the static maps do you want it to be evaluated against the dynamic map set.

To make a crypto map entry that references a dynamic crypto map to be set to the lowest priority map entry, give the map entry the highest seq-num of all the map entries in a crypto map set.

This command is required for all static crypto map entries. If you are defining a dynamic crypto map entry (with the crypto dynamic-map command), this command is not required but is strongly recommended.

Use the access-list command to define this access list.

The access list specified with this command will be used by IPSec to determine which traffic should be protected by IPSec crypto and which traffic does not need protection. (Traffic that is permitted by the access list will be protected. Traffic that is denied by the access list will not be protected in the context of the corresponding crypto map entry.)

Note The crypto access list is not used to determine whether to permit or deny traffic through the interface. An access list applied directly to the interface with the access-group command makes that determination.

The crypto access list specified by this command is used when evaluating both inbound and outbound traffic. Outbound traffic is evaluated against the crypto access lists specified by the interface's crypto map entries to determine if it should be protected by crypto, and if so (if traffic matches a permit entry), which crypto policy applies. (If necessary, in the case of static IPSec crypto maps, new security associations are established using the data flow identity as specified in the permit entry; in the case of dynamic crypto map entries, if no security association exists, the packet is dropped.) Inbound traffic is evaluated against the crypto access lists specified by the entries of the interface's crypto map set to determine if it should be protected by crypto and, if so, which crypto policy applies. (In the case of IPSec, unprotected traffic is discarded because it should have been protected by IPSec.)

The access list is also used to identify the flow for which the IPSec security associations are established. In the outbound case, the permit entry is used as the data flow identity (in general), while in the inbound case the data flow identity specified by the peer must be "permitted" by the crypto access list.

Examples

The following example shows the minimum required crypto map configuration when IKE will be used to establish the security associations. (This example is for a static crypto map.)

crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set transform-set my_t_set1
crypto map mymap 10 set peer 10.0.0.1

This command is required for all static crypto maps. If you are defining a dynamic crypto map (with the crypto dynamic-map command), this command is not required, and in most cases is not used because, in general, the peer is unknown.

For ipsec-isakmp crypto map entries, you can specify multiple peers by repeating this command. The peer that packets are actually sent to is determined by the last peer that the PIX Firewall received either traffic or a negotiation request from for a given data flow. If the attempt fails with the first peer, IKE tries the next peer on the crypto map list.

For ipsec-manual crypto entries, you can specify only one peer per crypto map. If you want to change the peer, you must first delete the old peer and then specify the new peer.

Examples

The following example shows a crypto map configuration when IKE will be used to establish the security associations. In this example, a security association could be set up to either the peer at 10.0.0.1 or the peer at 10.0.0.2.

crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set transform-set my_t_set1
crypto map mymap 10 set peer 10.0.0.1 10.0.0.2

By default, PFS is not requested.

With PFS, every time a new security association is negotiated, a new Diffie-Hellman exchange occurs, which requires additional processing time. PFS adds another level of security because if one key is ever cracked by an attacker, only the data sent with that key will be compromised.

During negotiation, this command causes IPSec to request PFS when requesting new security associations for the crypto map entry. The default (group1) is sent if the set pfs statement does not specify a group.

If the peer initiates the negotiation and the local configuration specifies PFS, the peer must perform a PFS exchange or the negotiation will fail. If the local configuration does not specify a group, a default of group1 will be assumed, and an offer of either group1 or group2 will be accepted. If the local configuration specifies group2, that group must be part of the peer's offer or the negotiation will fail. If the local configuration does not specify PFS, it will accept any offer of PFS from the peer.

The 1024-bit Diffie-Hellman prime modulus group, group2, provides more security than group1, but requires more processing time than group1.

Note IKE negotiations with a remote peer may hang when a PIX Firewall has numerous tunnels that originate from the PIX Firewall and terminate on a single remote peer. This problem occurs when PFS is not enabled, and the local peer requests many simultaneous rekey requests. If this problem occurs, the IKE security association will not recover until it has timed out or until you manually clear it with the clear [crypto] isakmp sa command. PIX Firewall units configured with many tunnels to many peers or many clients sharing the same tunnel are not affected by this problem. If your configuration is affected, enable PFS with the crypto map mapname seqnum set pfs command.

Examples

This example specifies that PFS should be used whenever a new security association is negotiated for the crypto map "mymap 10":

crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 set pfs group2

The crypto map's security associations are negotiated according to the global lifetimes.

This command is only available for ipsec-isakmp crypto map entries and dynamic crypto map entries.

IPSec security associations use shared secret keys. These keys and their security associations time out together.

Assuming that the particular crypto map entry has lifetime values configured, when the PIX Firewall requests new security associations during security association negotiation, it will specify its crypto map lifetime value in the request to the peer; it will use this value as the lifetime of the new security associations. When the PIX Firewall receives a negotiation request from the peer, it will use the smaller of the lifetime value proposed by the peer or the locally configured lifetime value as the lifetime of the new security associations.

There are two lifetimes: a "timed" lifetime and a "traffic-volume" lifetime. The session keys/security association expires after the first of these lifetimes is reached.

If you change a lifetime, the change will not be applied to existing security associations, but will be used in subsequent negotiations to establish security associations for data flows supported by this crypto map entry. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear [crypto] ipsec sa command. See the clear [crypto] ipsec sa command for more details.

To change the timed lifetime, use the crypto map set security-association lifetime seconds command. The timed lifetime causes the keys and security association to time out after the specified number of seconds have passed.

To change the traffic-volume lifetime, use the crypto map set security-association lifetime kilobytes command. The traffic-volume lifetime causes the key and security association to time out after the specified amount of traffic (in kilobytes) has been protected by the security association's key.

Shorter lifetimes can make it harder to mount a successful key recovery attack, because the attacker has less data encrypted under the same key to work with.

However, shorter lifetimes require more CPU processing time.

The lifetime values are ignored for manually established security associations (security associations installed via an ipsec-manual crypto map entry).

Security associations established using this command do not expire (unlike security associations established using IKE).

The PIX Firewall unit's session keys must match its peer's session keys.

If you change a session key, the security association using the key will be deleted and reinitialized.

Examples

The following example shows a crypto map entry for manually established security associations. The transform set "t_set" includes only an AH protocol.

crypto ipsec transform-set t_set ah-sha-hmac
crypto map mymap 20 ipsec-manual
crypto map mymap 20 match address 102
crypto map mymap 20 set transform-set t_set
crypto map mymap 20 set peer 10.0.0.21
crypto map mymap 20 set session-key inbound ah 300 1111111111111111111111111111111111111111
crypto map mymap 20 set session-key outbound ah 300 2222222222222222222222222222222222222222
 

The following example shows a crypto map entry for manually established security associations. The transform set "someset" includes both an AH and an ESP protocol, so session keys are configured for both AH and ESP for both inbound and outbound traffic. The transform set includes both encryption and authentication ESP transforms, so session keys are created for both using the cipher and authenticator keywords.

crypto ipsec transform-set someset ah-sha-hmac esp-des esp-sha-hmac
crypto map mymap 10 ipsec-manual
crypto map mymap 10 match address 101
crypto map mymap 10 set transform-set someset
crypto map mymap 10 set peer 10.0.0.1
crypto map mymap 10 set session-key inbound ah 300 9876543210987654321098765432109876543210
crypto map mymap 10 set session-key outbound ah 300 fedcbafedcbafedcbafedcbafedcbafedcbafedc
crypto map mymap 10 set session-key inbound esp 300 cipher 0123456789012345
    authenticator 0000111122223333444455556666777788889999
crypto map mymap 10 set session-key outbound esp 300 cipher abcdefabcdefabcd
    authenticator 9999888877776666555544443333222211110000

This command is required for all static and dynamic crypto map entries.

For an ipsec-isakmp crypto map entry, you can list up to six transform sets with this command. List the higher priority transform sets first.

If the local PIX Firewall initiates the negotiation, the transform sets are presented to the peer in the order specified in the crypto map command statement. If the peer initiates the negotiation, the local PIX Firewall accepts the first transform set that matches one of the transform sets specified in the crypto map entry.

The first matching transform set that is found at both peers is used for the security association. If no match is found, IPSec will not establish a security association. The traffic will be dropped because there is no security association to protect the traffic.

For an ipsec-manual crypto map command statement, you can specify only one transform set. If the transform set does not match the transform set at the remote peer's crypto map, the two peers will fail to correctly communicate because the peers are using different rules to process the traffic.

If you want to change the list of transform sets, respecify the new list of transform sets to replace the old list. This change is only applied to crypto map command statements that reference this transform set. The change will not be applied to existing security associations, but will be used in subsequent negotiations to establish new security associations. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear [crypto] ipsec sa command.

Any transform sets included in a crypto map command statement must previously have been defined using the crypto ipsec transform-set command.

Examples

The following example defines two transform sets and specifies that they can both be used within a crypto map entry. (This example applies only when IKE is used to establish security associations. With crypto maps used for manually established security associations, only one transform set can be included in a given crypto map command statement.)

crypto ipsec transform-set my_t_set1 esp-des esp-sha-hmac
crypto ipsec transform-set my_t_set2 ah-sha-hmac esp-des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set transform-set my_t_set1 my_t_set2
crypto map mymap set peer 10.0.0.1 10.0.0.2
 

In this example, when traffic matches access list 101 the security association can use either transform set "my_t_set1" (first priority) or "my_t_set2" (second priority) depending on which transform set matches the remote peer's transform sets.

The debug crypto ipsec, debug crypto isakmp, and debug crypto ca commands let you debug IPSec connections. Use the no form of the command to disable debugging.

The debug ppp and debug vpdn commands provide information about PPTP traffic. PPTP is configured with the vpdn command.

Use of the debug commands can slow down busy networks.

Trace Channel Feature

The debug commands are shared between all Telnet and serial console sessions.

Note The downside of the Trace Channel feature is that if one administrator is using the serial console and another administrator starts a Telnet console session, the serial console debug icmp trace and debug sqlnet output will suddenly stop without warning. In addition, the administrator on the Telnet console session will suddenly be viewing debug output, which may be unexpected. If you are using the serial console and debug output is not appearing, use the who command to see if a Telnet console session is running.

Additional debug Command Information

Note When creating your digital certificates, use the debug crypto ca command to ensure that the certificate is created correctly. Important error messages only display when the debug crypto ca command is enabled. For example, if you enter an Entrust fingerprint value incorrectly, the only warning message that indicates the value is incorrect appears in the debug crypto ca command output.

Note Output from the debug crypto ipsec and debug crypto isakmp commands does not display in a Telnet console session.

Note Use of the debug packet command on a PIX Firewall experiencing a heavy load may result in the output displaying so fast that it may be impossible to stop the output by entering the no debug packet command from the console. You can enter the no debug packet command from a Telnet session.

Note To let users ping through the PIX Firewall, add the access-list acl_grp permit icmp anyany command statement to the configuration and bind it to each interface you want to test with the access-group command. This lets pings go outbound and inbound.

To stop a debug packet trace command, enter:

no debug packet if_name
 

Replace if_name with the name of the interface; for example, inside, outside, or a perimeter interface name.

To stop a debug icmp trace command, enter:

no debug icmp trace

Examples

The following example turns on this command:

debug icmp trace
 

When you ping a host through the PIX Firewall from any interface, trace output displays on the console. The following example shows a successful ping from an external host (209.165.201.2) to the PIX Firewall unit's outside interface (209.165.201.1):

Inbound ICMP echo reply (len 32 id 1 seq 256) 209.165.201.1 > 209.165.201.2
Outbound ICMP echo request (len 32 id 1 seq 512) 209.165.201.2 > 209.165.201.1
Inbound ICMP echo reply (len 32 id 1 seq 512) 209.165.201.1 > 209.165.201.2
Outbound ICMP echo request (len 32 id 1 seq 768) 209.165.201.2 > 209.165.201.1
Inbound ICMP echo reply (len 32 id 1 seq 768) 209.165.201.1 > 209.165.201.2
Outbound ICMP echo request (len 32 id 1 seq 1024) 209.165.201.2 > 209.165.201.1
Inbound ICMP echo reply (len 32 id 1 seq 1024) 209.165.201.1 > 209.165.201.2
NO DEBUG ICMP TRACE
ICMP trace off

This example shows that the ICMP packet length is 32 bytes, that the ICMP packet identifier is 1, and the ICMP sequence number. The ICMP sequence number starts at 0 and is incremented each time a request is sent.

The following is sample output from the show debug command output:

show debug
debug ppp error
debug vpdn event
debug crypto ipsec 1
debug crypto isakmp 1
debug crypto ca 1
debug icmp trace
debug packet outside both
debug sqlnet

The trailing 1 at the end of the debug crypto commands is the debugging level, which is described in the "Syntax Description" section at the start of this command page.

You can debug the contents of packets with the debug packet command:

debug packet inside
--------- PACKET ---------
-- IP --
4.3.2.1 ==>     255.3.2.1
        ver = 0x4       hlen = 0x5      tos = 0x0       tlen = 0x60
        id = 0x3902     flags = 0x0     frag off=0x0
        ttl = 0x20      proto=0x11      chksum = 0x5885
        -- UDP --
                source port = 0x89      dest port = 0x89
                len = 0x4c      checksum = 0xa6a0
        -- DATA --
                00000014:                                     00 01 00 00|
         ....
                00000024: 00 00 00 01 20 45 49 45 50 45 47 45 47 45 46 46| ..
.. EIEPEGEGEFF
                00000034: 43 43 4e 46 41 45 44 43 41 43 41 43 41 43 41 43| CC
NFAEDCACACACAC
                00000044: 41 43 41 41 41 00 00 20 00 01 c0 0c 00 20 00 01| AC
AAA.. ..... ..
                00000054: 00 04 93 e0 00 06 60 00 01 02 03 04 00| ..
....\Q......
--------- END OF PACKET ---------

This display lists the information as it appears in a packet.

The following is sample output from the show debug command:

show debug
debug icmp trace off
debug packet off
debug sqlnet off

Usage Guidelines

The enable command starts privileged mode. The PIX Firewall prompts you for your privileged mode password. By default, a password is not required---press the Enter key at the Password prompt to start privileged mode. Use disable to exit privileged mode. Use enable password to change the password.

Examples

The following example shows how to start privileged mode with the enable command and then configuration mode with the configure terminal command.

pixfirewall> enable
Password: 
pixfirewall# configure terminal
pixfirewall(config)#

You can return the enable password to its original value (press the Enter key at prompt) by entering:

pixfirewall# enable password
pixfirewall# 

Note If you change the password, write it down and store it in a manner consistent with your site's security policy. Once you change this password, you cannot view it again. Also, ensure that all who access the PIX Firewall console are given this password.

Use the passwd command to set the password for PIX Firewall Manager and Telnet access to the PIX Firewall console. The default passwd value is cisco.

See also: passwd.

Examples

The following examples show how to start privileged mode with the enable command, change the enable password with the enable password command, enter configuration mode with the configure terminal command, and display the contents of the current configuration with the write terminal command:

pixfirewall> enable
Password:
pixfirewall# enable password w0ttal1fe
pixfirewall# configure terminal
pixfirewall(config)# write terminal
Building configuration...
...
enable password 2oifudsaoid.9ff encrypted
...

The following example shows the use of the encrypted option:

enable password 1234567890123456 encrypted
show enable password
enable password 1234567890123456 encrypted
 
enable password 1234567890123456
show enable password
enable password feCkwUGktTCAgIbD encrypted

Note XDMCP is on by default, but will not complete the session unless the established command is used.

Example:

established tcp 0 6000 to tcp 6000 from tcp 1024-65535
 

Will allow internal XDMCP equipped (UNIX or ReflectionX) hosts to access external XDMCP equipped XWindows servers. UDP/177 based XDMCP negotiates a TCP based XWindows session and subsequent TCP back connections will be permitted. Because the source port(s) of the return traffic is unknown, the src_port field should be specified as 0 (wildcard). The destination port, dest_port, will typically be 6000; the well-known XServer port. The dest_port should be 6000 + n; where n represents the local display number. Use the following UNIX command to change this value:

setenv DISPLAY hostname:displaynumber.screennumber
 

The established command is needed because many TCP connections are generated (based on user interaction) and the source port for these connection is unknown. Only the destination port will be static. The PIX Firewall does XDMCP fixups transparently. No configuration is required, but the established command is necessary to accommodate the TCP session. Be advised that using applications like this through the PIX Firewall may open up security holes. The XWindows system has been exploited in the past and newly introduced exploits are likely to be discovered.