Command Reference

Syntax Description

accounting	Enable or disable accounting services with authentication server. Use of this command requires that you previously used the aaa-server command to designate an authentication server.
include	Create a new rule with the specified service to include.
exclude	Create an exception to a previously stated rule by excluding the specified service from authentication, authorization, or accounting to the specified host. The exclude parameter improves the former except option by allowing the user to specify a port to exclude to a specific host or hosts.
acctg_service	The accounting service. Accounting is provided for all services or you can limit it to one or more services. Possible values are any, ftp, http, telnet, or protocol/port. Use any to provide accounting for all TCP services. To provide accounting for UDP services, use the protocol/port form. For protocol/port, the TCP protocol appears as 6, the UDP protocol appears as 17, and so on, and port is the TCP or UDP destination port. A port value of 0 (zero) means all ports. For protocols other than TCP and UDP, the port is not applicable and should not be used.
match acl_name	Specify an access-list command statement name.
authentication	Enable or disable user authentication, prompt user for username and password, and verify information with authentication server. When used with the console option, enables or disables authentication service for access to the PIX Firewall console over Telnet or from the Console connector on the PIX Firewall unit. Use of the aaa authentication command requires that you previously used the aaa-server command to designate an authentication server.
authen_service	The application with which a user is accessing a network. Use any, ftp, http, or telnet. The any value enables accounting or authentication for all TCP services. To have users prompted for authentication credentials, they must use FTP, HTTP, or Telnet. (HTTP is the Web and only applies to web browsers that can prompt for a username and password.) If the authentication or authorization server is authenticating services other than FTP, HTTP, or Telnet, using any will not permit those services to authenticate in the firewall. The firewall only knows how to communicate with FTP, HTTP, and Telnet for authentication and authorization. Only set this parameter to a service other than any if the authentication or authorization server is set the same way. Unless you want to temporarily restrict access to a specific service, setting a service in this command can increase system administration work and may cause all connections to fail if the authentication or authorization server is authenticating one service and you set this command to another.
authorization	Enable or disable TACACS+ user authorization for services (PIX Firewall does not support RADIUS authorization). The authentication server determines what services the user is authorized to access.
author_service	The services which require authorization. Use any, ftp, http, telnet, or protocol/port. Services not specified are authorized implicitly. Services specified in the aaa authentication command do not affect the services which require authorization. For protocol/port: protocol—the protocol (6 for TCP, 17 for UDP, 1 for ICMP, and so on). port—the TCP or UDP destination port, or port range. The port can also be the ICMP type; that is, 8 for ICMP echo or ping. A port value of 0 (zero) means all ports. Port ranges only applies to the TCP and UDP protocols, not to ICMP. For protocols other than TCP, UDP, and ICMP the port is not applicable and should not be used. An example port specification follows: aaa authorization include udp/53-1024 inside 0 0 0 0 This example enables authorization for DNS lookups to the inside interface for all clients, and authorizes access to any other services that have ports in the range of 53 to 1024. Note   Specifying a port range may produce unexpected results at the authorization server. PIX Firewall sends the port range to the server as a string with the expectation that the server will parse it out into specific ports. Not all servers do this. In addition, you may want users to be authorized on specific services, which will not occur if a range is accepted.
inbound	Authenticate or authorize inbound connections. Inbound means the connection originates on the outside interface and is being directed to the inside interface.
outbound	Authenticate or authorize outbound connections. Outbound means the connection originates on the inside and is being directed to the outside interface.
if_name	Interface name from which users require authentication. Use if_name in combination with the local_ip address and the foreign_ip address to determine where access is sought and from whom. The local_ip address is always on the highest security level interface and foreign_ip is always on the lowest. See the Examples section for how the if_name affects the use of this command.
local_ip	The IP address of the host or network of hosts that you want to be authenticated or authorized. You can set this address to 0 to mean all hosts and to let the authentication server decide which hosts are authenticated.
local_mask	Network mask of local_ip. Always specify a specific mask value. Use 0 if the IP address is 0. Use 255.255.255.255 for a host.
foreign_ip	The IP address of the hosts you want to access the local_ip address. Use 0 to mean all hosts.
foreign_mask	Network mask of foreign_ip. Always specify a specific mask value. Use 0 if the IP address is 0. Use 255.255.255.255 for a host.
console	Specify that access to the PIX Firewall console require authentication and optionally, log configuration changes to a syslog server. The aaa authentication serial console command lets you require authentication verification to access the PIX Firewall unit's serial console. The serial console options also logs to a syslog server changes made to the configuration from the serial console. Authenticated access to the PIX Firewall console has different types of prompts depending on the option you choose with the aaa authentication [serial | enable | telnet | ssh] console command. While the enable and ssh options allow three tries before stopping with an access denied message, both the serial and telnet options cause the user to be prompted continually until successfully logging in. The serial option requests a username and password before the first command line prompt on the serial console connection. The telnet option forces you to specify a username and password before the first command line prompt of a Telnet console connection. The enable option requests a username and password before accessing privileged mode for serial, Telnet, or SSH connections. The ssh option requests a username and password before the first command line prompt on the SSH console connection. The ssh option allows a maximum of three authentication attempts. Telnet access to the PIX Firewall console is available from any internal interface, and from the outside interface with IPSec configured, and requires previous use of the telnet command. SSH access to the PIX Firewall console is also available from any interface without IPSec configured, and requires previous use of the ssh command. The new ssh option specifies the group of AAA servers to be used for SSH user authentication. The authentication protocol and AAA server IP addresses are defined with the aaa-server command statement. Similar to the Telnet model, if an aaa authentication ssh console group_tag command statement is not defined, you can gain access to the PIX Firewall console with the username pix and with the PIX Firewall Telnet password (set with the passwd command). If the aaa command is defined but the SSH authentication requests a timeout, which implies the AAA servers may be down or not available, you can gain access to the PIX Firewall using username pix and the enable password (set with the enable password command). By default, the Telnet password is cisco and the enable password is not set. If the console login request times out, you can gain access to the PIX Firewall from the serial console by entering the pix username and the enable password. The maximum password length for accessing the console is 16 characters.
group_tag	The group tag set with the aaa-server command.

Usage Guidelines

An example is as follows:

show access-list 
access-list mylist permit tcp 10.0.0.0 255.255.255.0 172.23.2.0 255.255.255.0 (hitcnt=0) access-list yourlist permit tcp any any (hitcnt=0)
show aaa 
aaa authentication match mylist outbound TACACS+ 
 

Similar to IPSec, the keyword permit means "yes" and deny means "no." Therefore, the following command:

aaa authentication match yourlist outbound tacacs
 

is equal to this command:

aaa authentication include any outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 tacacs
 

The aaa command statement list is order dependent between access_list command statements. If the following command is entered:

aaa authentication match yourlist outbound tacacs
 

after this command:

aaa authentication match mylist outbound TACACS+
 

PIX Firewall tries to find a match in the mylist access-list command statement group before it tries to find a match in the yourlist access-list command statement group.

Old aaa command configuration and functionality stays the same and is not converted to the access_list format. Hybrid configurations; that is, old configurations combined with the new access_list configuration are not recommended.

Usage Notes

aaa authentication include any outbound 0 0 server
aaa authentication exclude outbound perim_net perim_mask server

10. When using HTTP authentication to a site running Microsoft IIS that has "Basic text authentication" or "NT Challenge" enabled, users may be denied access from the Microsoft IIS server. This occurs because the browser appends the string: "Authorization: Basic=Uuhjksdkfhk==" to the HTTP GET commands. This string contains the PIX Firewall authentication credentials.

  Windows NT Microsoft IIS servers respond to the credentials and assume that a Windows NT user is trying to access privileged pages on the server.  Unless the PIX Firewall username password combination is exactly the same as a valid Windows NT username and password combination on the Microsoft IIS server, the HTTP GET command is denied.

  To solve this problem, PIX Firewall provides the virtual http command which redirects the browser's initial connection to another IP address, authenticates the user, then redirects the browser back to the URL which the user originally requested.

  Once authenticated, a user never has to reauthenticate no matter how low the PIX Firewall uauth timeout is set.  This is because the browser caches the "Authorization: Basic=Uuhjksdkfhk==" string in every subsequent connection to that particular site. This can only be cleared when the user exits all instances of Netscape Navigator or Internet Explorer and restarts.  Flushing the cache is of no use.

  As long as the user repeatedly browses the Internet, the browser resends the "Authorization: Basic=Uuhjksdkfhk==" string to transparently reauthenticate the user.

11. Multimedia applications such as CU-SeeMe, InternetPhone, MeetingPoint, and MS Netmeeting silently start the HTTP service before an H.323 session is established from the inside to the outside.

  To avoid interfering with these applications, do not enter blanket outgoing AAA command statements for all challenged ports such as using the any option. Be selective with which ports and addresses you use to challenge HTTP, and when to set user authentication timeouts to a higher timeout value. If interfered with, the multimedia programs may fail on the PC and may even crash the PC after establishing outgoing sessions from the inside.

aaa authentication include any outbound 172.31.0.0 255.255.0.0 0.0.0.0 0.0.0.0 tacacs+
aaa authentication exclude telnet outbound 172.31.38.0 255.255.255.0 0.0.0.0 0.0.0.0 tacacs+

2. The following examples demonstrate ways to use the if_name parameter. The PIX Firewall has an inside network of 192.168.1.0, an outside network of 209.165.201.0 (subnet mask 255.255.255.224), and a perimeter network of 209.165.202.128 (subnet mask 255.255.255.224).

  This example enables authentication for connections originated from the inside network to the outside network:

aaa authentication include any outbound 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224 tacacs+ 

  This example enables authentication for connections originated from the inside network to the perimeter network:

aaa authentication include any outbound 192.168.1.0 255.255.255.0 209.165.202.128 255.255.255.224 tacacs+

  This example enables authentication for connections originated from the outside network to the inside network:

aaa authentication include any inbound 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224 tacacs+

  This example enables authentication for connections originated from the outside network to the perimeter network:

aaa authentication include any inbound 209.165.201.0 255.255.255.224 209.165.202.128 255.255.255.224 tacacs+

  This example enables authentication for connections originated from the perimeter network to the outside network:

aaa authentication include any perimeter 209.165.202.128 255.255.255.224 209.165.201.0 255.255.255.224 tacacs+

3. This example specifies that IP addresses 10.0.0.1 through 10.0.0.254 can originate outbound connections and then enables user authentication so that those addresses must enter user credentials to exit the firewall. In this example, the first aaa authentication command permits authentication on FTP, HTTP, or Telnet depending on what the authentication server handles. The second aaa authentication command lets host 10.0.0.42 start outbound connections without being authenticated. This example uses the default authentication group tacacs+:

nat (inside) 1 10.0.0.0 255.255.255.0
aaa authentication include any outbound 0 0 tacacs+
aaa authentication exclude outbound 10.0.0.42 255.255.255.255 tacacs+ any

4. This example permits inbound access to any IP address in the range of 209.165.201.1 through 209.165.201.30 indicated by the 209.165.201.0 network address (subnet mask 255.255.255.224). All services are permitted by the access-list command, and the aaa authentication command permits authentication on FTP, HTTP, or Telnet depending on what the authentication server handles. The authentication server is at IP address 10.16.1.20 on the inside interface:

aaa-server AuthIn protocol tacacs+
aaa-server AuthIn (inside) host 10.16.1.20 thisisakey timeout 20
static (inside,outside) 209.165.201.0 10.16.1.0 netmask 255.255.255.224
access-list acl_out permit tcp 10.16.1.0 255.255.255.0 209.165.201.0 255.255.255.224
access-group acl_out in interface outside
aaa authentication include any inbound 0 0 AuthIn

5. This example enables authorization for DNS lookups from the outside interface:

aaa authorization include udp/53 inbound 0.0.0.0 0.0.0.0

6. This example enables authorization of ICMP echo-reply packets arriving at the inside interface from inside hosts:

 aaa authorization include 1/0 outbound 0.0.0.0 0.0.0.0

  This means that users will not be able to ping external hosts if they have not been authenticated using Telnet, HTTP, or FTP.

aaa authorization include 1/8 outbound 0.0.0.0 0.0.0.0 

Syntax Description

group_tag	An alphanumeric string which is the name of the server group. Use the group_tag in the aaa command to associate aaa authentication and aaa accounting command statements to an AAA server.
if_name	The interface name on which the server resides.
host server_ip	The IP address of the TACACS+ or RADIUS server.
key	A case-sensitive, alphanumeric keyword of up to 127 characters that is the same value as the key on the TACACS+ server. Any characters entered past 127 are ignored. The key is used between the client and server for encrypting data between them. The key must be the same on both the client and server systems. Spaces are not permitted in the key, but other special characters are.
timeout seconds	A retransmit timer that specifies the duration that the PIX Firewall retries access four times to the AAA server before choosing the next AAA server. The default is 5 seconds. The maximum time is 30 seconds. For example, if the timeout value is 10 seconds, PIX Firewall retransmits for 10 seconds and if no acknowledgment is received, tries three times more for a total of 40 seconds to retransmit data before the next AAA server is selected.
protocol auth_protocol	The type of AAA server, either tacacs+ or radius.

Usage Guidelines

The aaa-server command lets you specify an AAA server group. PIX Firewall lets you define separate groups of TACACS+ or RADIUS servers for specifying different types of traffic; such as, a TACACS+ server for inbound traffic and another for outbound traffic. Another use is where all outbound HTTP traffic will be authenticated by a TACACS+ server, and all inbound traffic will use RADIUS.

AAA server group are defined by a tag name that directs different types of traffic to each authentication server. If the first authentication server in the list fails, the AAA subsystem fails over to the next server in the tag group. You can have up to 14 tag groups and each group can have up to 14 AAA servers for a total of up to 196 AAA servers.

The aaa command references the tag group.

Note   The previous server type option at the end of the aaa authentication and aaa accounting commands has been replaced with the aaa-server group tag. Backward compatibility with previous versions is maintained by the inclusion of two default protocols for TACACS+ and RADIUS.

If accounting is in effect, the accounting information goes only to the active server.

The default configuration provides these two aaa-server protocols:

aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius

Note   If you are upgrading from a previous version of PIX Firewall and have aaa command statements in your configuration, using the default server groups lets you maintain backward compatibility with the aaa command statements in your configuration.

Examples

1. This example uses the default protocol tacacs+ with the aaa commands:

aaa-server TACACS+ (inside) host 10.1.1.10 thekey timeout 20
aaa authentication include any outbound 0 0 0 0 TACACS+
aaa authorization include any outbound 0 0 0 0
aaa accounting include any outbound 0 0 0 0 TACACS+
aaa authentication serial console TACACS+

  This example specifies that the authentication server with the IP address 10.1.1.10 resides on the inside interface and is in the default TACACS+ server group. The next three command statements specify that any users starting outbound connections to any foreign host will be authenticated using TACACS+, that the users who are successfully authenticated are authorized to use any service, and that all outbound connection information will be logged in the accounting database. The last command statement specifies that access to the PIX Firewall unit's serial console requires authentication from the TACACS+ server.

2. This example creates the AuthOut and AuthIn server groups for RADIUS authentication and specifies that servers 10.0.1.40, 10.0.1.41, and 10.1.1.2 on the inside interface provide authentication. The servers in the AuthIn group authenticate inbound connections, the AuthOut group authenticates outbound connections:

aaa-server AuthIn protocol radius
aaa-server AuthIn (inside) host 10.0.1.40 ab timeout 20
aaa-server AuthIn (inside) host 10.0.1.41 abc timeout 4
aaa-server AuthOut protocol radius
aaa-server AuthOut (inside) host 10.1.1.2 abc123 timeout 15
aaa authentication include any inbound 0 0 0 0 AuthIn
aaa authentication include any outbound 0 0 0 0 AuthOut

3. This example lists the commands that can be used to establish an Xauth crypto map:

ip address inside 10.0.0.1 255.255.255.0
ip address outside 168.20.1.5 255.255.255.0
ip local pool dealer 10.1.2.1-10.1.2.254
nat (inside) 0 access-list 80
aaa-server TACACS+ host 10.0.0.2 secret123 
crypto ipsec transform-set pc esp-des esp-md5-hmac 
crypto dynamic-map cisco 4 set transform-set pc
crypto map partner-map 20 ipsec-isakmp dynamic cisco
crypto map partner-map client configuration address initiate
crypto map partner-map client authentication TACACS+ 
crypto map partner-map interface outside
isakmp key cisco1234 address 0.0.0.0 netmask 0.0.0.0
isakmp client configuration address-pool local dealer outside
isakmp policy 8 authentication pre-share 
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 1
isakmp policy 8 lifetime 86400

  The aaa-server command is used with the crypto map command to establish an authentication association so that VPN Clients are authenticated when they access the PIX Firewall.

  Refer to the IPSec User Guide for the Cisco Secure PIX Firewall Version 5.2 for a description of the crypto and isakmp commands.

Syntax Description

acl_ID	The name associated with a given access list.
in interface	Filter on inbound packets at the given interface.
interface_name	The name of the network interface.

Usage Guidelines

The access-group command binds an access list to an interface. The access list is applied to traffic inbound to an interface. If you enter the permit option in an access-list command statement, the PIX Firewall continues to process the packet. If you enter the deny option in an access-list command statement, PIX Firewall discards the packet and generates the following syslog message:

%PIX-4-106019: IP packet from source_addr to destination_addr, protocol protocol received from interface interface_name deny by access-group acl_ID
 

Always use the access-list command with the access-group command.

Note   The use of access-group command overrides the conduit and outbound command statements for the specified interface_name.

The no access-group command unbinds the acl_ID from the interface interface_name.

The show access-group command displays the current access list bound to the interfaces.

The clear access-group command removes all entries from an access list indexed by acl_ID. If acl_ID is not specified, all access-list command statements are removed from the configuration.

Examples

The following example shows use of the access-group command:

static (inside,outside) 209.165.201.3 10.1.1.3
access-list acl_out permit tcp any host 209.165.201.3 eq 80
access-group acl_out in interface outside
 

The static command statement provides a global address of 209.165.201.3 for the web server at 10.1.1.3. The access-list command statement lets any host access the global address using port 80. The access-group command specifies that the access-list command statement applies to traffic entering the outside interface.

Syntax Description

acl_ID	Name of an access list. You can use either a name or number.
deny	When used with the access-group command, the deny option does not allow a packet to traverse the PIX Firewall. By default, PIX Firewall denies all inbound or outbound packets unless you specifically permit access. When used with a crypto map command statement, deny does not select a packet for IPSec protection. The deny option prevents traffic from being protected by IPSec in the context of that particular crypto map entry. In other words, it does not allow the policy as specified in the crypto map command statements to be applied to this traffic.
permit	When used with the access-group command, the permit option selects a packet to traverse the PIX Firewall. By default, PIX Firewall denies all inbound or outbound packets unless you specifically permit access. When used with a crypto map command statement, permit selects a packet for IPSec protection. The permit option causes all IP traffic that matches the specified conditions to be protected by IPSec using the policy described by the corresponding crypto map command statements.
protocol	Name or number of an IP protocol. It can be one of the keywords icmp, ip, tcp, or udp, or an integer in the range 1 to 254 representing an IP protocol number. To match any Internet protocol, including ICMP, TCP, and UDP, use the keyword ip.
source_addr	Address of the network or host from which the packet is being sent. Use this field when an access-list command statement is used in conjunction with an access-group command statement, or with the aaa match access-list command and the aaa authorization command.
source_mask	Netmask bits (mask) to be applied to source_addr, if the source address is for a network mask.
local_addr	Address of the network or host local to the PIX Firewall. Specify a local_addr when the access-list command statement is used in conjunction with a crypto access-list command statement, a nat 0 access-list command statement, or a vpngroup split-tunnel command statement. The local_addr is the address after NAT has been performed.
local_mask	Netmask bits (mask) to be applied to local_addr, if the local address is a network mask.
destination_addr	IP address of the network or host to which the packet is being sent. Specify a destination_addr when the access-list command statement is used in conjunction with an access-group command statement, or with the aaa match access-list command and the aaa authorization command. For inbound connections, destination_addr is the address after NAT has been performed. For outbound connections, destination_addr is the address before NAT has been performed.
destination_mask	Netmask bits (mask) to be applied to destination_addr, if the destination address is a network mask.
remote_addr	IP address of the network or host remote to the PIX Firewall. specify a remote_addr when the access-list command statement is used in conjunction with a crypto access-list command statement, a nat 0 access-list command statement, or a vpngroup split-tunnel command statement.
remote_mask	Netmask bits (mask) to be applied to remote_addr, if the remote address is a network mask
operator	A comparison operand that lets you specify a port or a port range. Use without an operator and port to indicate all ports; for example: access-list acl_out permit tcp any host 209.165.201.1 Use eq and a port to permit or deny access to just that port. For example, use eq ftp to permit or deny access only to FTP: access-list acl_out deny tcp any host 209.165.201.1 eq ftp Use lt and a port to permit or deny access to all ports less than the port you specify. For example, use lt 2025 to permit or deny access to the well known ports (1 to 1024): access-list acl_dmz1 permit tcp any host 192.168.1.1 lt 1025 Use gt and a port to permit or deny access to all ports greater than the port you specify. For example, use gt 42 to permit or deny ports 43 to 65535: access-list acl_dmz1 deny udp any host 192.168.1.2 gt 42 Use neq and a port to permit or deny access to every port except the ports that you specify. For example, use neq 10 to permit or deny ports 1-9 and 11 to 65535: access-list acl_dmz1 deny tcp any host 192.168.1.3 neq 10
operator (continued)	Use range and a port range to permit or deny access to only those ports named in the range. For example, use range 10 1024 to permit or deny access only to ports 10 through 1024. All other ports are unaffected. The use of port ranges can dramatically increase the number of IPSec tunnels. For example, if a port range of 5000 to 65535 is specified for a highly dynamic protocol, up to 60,535 tunnels can be created. access-list acl_dmz1 deny tcp any host 192.168.1.4 range ftp telnet
port	Services you permit or deny access to. Specify services by the port that handles it, such as smtp for port 25, www for port 80, and so on. You can specify ports by either a literal name or a number in the range of 0 to 65535. You can view valid port numbers online at the following site: http://www.isi.edu/in-notes/iana/assignments/port-numbers See "Ports" in "Introduction," for a list of valid port literal names in port ranges; for example, ftp h323. You can also specify numbers.
icmp_type	[Non-IPSec use only]—Permit or deny access to ICMP message types. Refer to Table 5-1 for a list of message types. Omit this option to mean all ICMP types. ICMP message types are not supported for use with IPSec; that is when the access-list command is used in conjunction with the crypto map command, the icmp_type is ignored.

Usage Guidelines

Use the following guidelines for specifying a source, local, or destination address:

• Use a 32-bit quantity in four-part, dotted-decimal format.

• Use the keyword any as an abbreviation for an address and mask of 0.0.0.0 0.0.0.0. This keyword is normally not recommended for use with IPSec.

• Use host address as an abbreviation for a mask of 255.255.255.255.

Use the following guidelines for specifying a network mask:

• Do not specify a mask if the address is for a host; if the destination address is for a host, use the host parameter before the address; for example:

access-list acl_grp permit tcp any host 192.168.1.1 

• If the address is a network address, specify the mask as a 32-bit quantity in four-part, dotted-decimal format. Place zeros in the bit positions you want to ignore.

• Remember that you specify a network mask differently than with the Cisco IOS software access-list command. With PIX Firewall, use 255.0.0.0 for a Class A address, 255.255.0.0 for a Class B address, and 255.255.255.0 for a Class C address. If you are using a subnetted network address, use the appropriate network mask; for example:

access-list acl_grp permit tcp any 209.165.201.0 255.255.255.224
 

If appropriate, after you have defined an access list, bind it to an interface using the access-group command. For IPSec use, bind it with a crypto map command statement. In addition, you can bind an access list with the RADIUS authorization feature (described in the next section). Refer to the IPSec User Guide for the Cisco Secure PIX Firewall Version 5.2 for a description of the crypto command.

The show access-list command lists the access-list command statements in the configuration. The show access-list command also lists a hit count that indicates the number of times an element has been matched during an access-list command search. The clear access-list command removes all access-list command statements from the configuration.

The no access-list command removes an access-list command from the configuration. If you remove all the access-list command statements in an access list group, the no access-list command also removes the corresponding access-group command from the configuration.

Note   The aaa, crypto map, and icmp commands make use of the access-list command statements.

The administrator first defines access lists on the PIX Firewall for each user group. For example, there could be access lists for each department in an organization, sales, marketing, engineering, and so on. The administrator then defines each access list in the group profile in CiscoSecure.

After the PIX Firewall authenticates a user, it can then use the CiscoSecure acl attribute returned by the authentication server to identify an access list for a given user group. To maintain consistency, PIX Firewall also provides the same functionality for TACACS+.

To restrict users in a department to three servers and deny everything else, the access-list command statements are as follows:

access-list eng permit ip any server1 255.255.255.255
access-list eng permit ip any server2 255.255.255.255
access-list eng permit ip any server3 255.255.255.255
access-list eng deny ip any any
 

In this example, the vendor specific attribute string in the CiscoSecure configuration has been set to acl=eng. Use this field in the CiscoSecure configuration to identify the access-list identification name. The PIX Firewall gets the acl=acl_ID from CiscoSecure and extracts the ACL number from the attribute string, which it puts in a user's uauth entry. When a user tries to open a connection, PIX Firewall checks the access list in the user's uauth entry, and depending on the permit or deny status of the access list match, permits or denies the connection. When a connection is denied, PIX Firewall generates a corresponding syslog message. If there is no match, then the implicit rule is to deny.

Because the source IP of a given user can vary depending on where they are logging in from, set the source address in the access-list command statement to any, and the destination address to identify which network services the user is permitted or denied access to. If you want to specify that only users logging in from a given subnet may use the specified services, specify the subnet instead of using any.

Note   An access list used for RADIUS authorization does not require an access-group command to bind the statements to an interface.

There is not a radius option to the aaa authorization command.

Follow these steps to enable RADIUS authorization:

Step 2   Create the access-list command statements to specify what services hosts are authorized to use with RADIUS.

Step 3   Configure the authentication server with the vendor-specific acl=acl_ID identifier to specify the access-list ID.

When the PIX Firewall sends a request to the authentication server, it returns the acl=acl_ID string, which tells PIX Firewall to use the access-list command statements to determine how RADIUS users are authorized.

Usage Notes

%PIX-4-106019: IP packet from source_addr to destination_addr, protocol protocol received from interface interface_name deny by access-group acl_ID

If you specify an ICMP message type for use with IPSec, PIX Firewall ignores it. For example:

access-list 10 permit icmp any any echo-reply
 

And IPSec is enabled such that a crypto map command references the acl_name for this access-list command, then the echo-reply ICMP message type is ignored.

Using the access-list Command with IPSec

The access lists themselves are not specific to IPSec. It is the crypto map command statement referencing the specific access list that defines whether IPSec processing is applied to the traffic matching a permit in the access list.

Crypto access lists associated with the IPSec crypto map command statement have these primary functions:

• Select outbound traffic to be protected by IPSec (permit = protect).

• Indicate the data flow to be protected by the new security associations (specified by a single permit entry) when initiating negotiations for IPSec security associations.

• Process inbound traffic to filter out and discard traffic that IPSec protects.

• Determine whether or not to accept requests for IPSec security associations on behalf of the requested data flows when processing IKE negotiation from the IPSec peer. (Negotiation is only done for crypto map command statements with the ipsec-isakmp option.) For a peer's initiated IPSec negotiation to be accepted, it must specify a data flow that is permitted by a crypto access list associated with an ipsec-isakmp crypto map entry.

You can associate a crypto access list with an interface by defining the corresponding crypto map command statement and applying the crypto map set to an interface. Different access lists must be used in different entries of the same crypto map set. However, both inbound and outbound traffic will be evaluated against the same "outbound" IPSec access list. Therefore, the access list's criteria are applied in the forward direction to traffic exiting your PIX Firewall and the reverse direction to traffic entering your PIX Firewall.

If you want certain traffic to receive one combination of IPSec protection (for example, authentication only) and other traffic to receive a different combination of IPSec protection (for example, both authentication and encryption), you need to create two different crypto access lists to define the two different types of traffic. These different access lists are then used in different crypto map entries that specify different IPSec policies.

Cisco recommends that you configure "mirror image" crypto access lists for use by IPSec and that you avoid using the any keyword. See the IPSec User Guide for the Cisco Secure PIX Firewall Version 5.2 for more information.

If you configure multiple statements for a given crypto access list, in general, the first permit statement matched, will be the statement used to determine the scope of the IPSec security association. That is, the IPSec security association will be set up to protect traffic that meets the criteria of the matched statement only. Later, if traffic matches a different permit statement of the crypto access list, a new, separate IPSec security association will be negotiated to protect traffic matching the newly matched access list statement.

Some services such as FTP require two access-list command statements, one for port 10 and another for port 21, to properly encrypt FTP traffic.

Examples

The following example creates a numbered access list that specifies a Class C subnet for the source and a Class C subnet for the destination of IP packets. Because the access-list command is referenced in the crypto map command statement, PIX Firewall encrypts all IP traffic that is exchanged between the source and destination subnets.

access-list 101 permit ip 172.21.3.0 255.255.0.0 172.22.2.0 255.255.0.0
access-group 101 in interface outside
crypto map mymap 10 match address 101
[other crypto map commands]
 

The next example only lets an ICMP message type of echo-reply be permitted into the outside interface:

access-list acl_out permit icmp any any echo-reply
access-group acl_out interface outside
 

Syntax Description

if_name	The internal network interface name in which the foreign_ip overlaps.
dnat_ip	An IP address on the internal network that provides an alternate IP address for the external address that is the same as an address on the internal network.
foreign_ip	IP address on the external network that has the same address as a host on the internal network.
netmask	Network mask applied to both IP addresses. Use 255.255.255.255 for host masks.

Usage Guidelines

The alias command translates one address into another. Use this command to prevent conflicts when you have IP addresses on a network that are the same as those on the Internet or another intranet. You can also use this command to do address translation on a destination address. For example, if a host sends a packet to 209.165.201.1, you can use the alias command to redirect traffic to another address, such as, 209.165.201.30.

Note   You can use the sysopt nodnsalias command to disable inbound embedded DNS A record fixups according to aliases that apply to the A record address and outbound replies.

Note   If the alias command is used with the sysopt ipsec pl-compatible command, a static route command statement must be added for each IP address specified in the alias command statement.

After changing or removing an alias command statement, use the clear xlate command.

There must be an A (address) record in the DNS zone file for the "dnat" address in the alias command.

The alias command has two uses which can be summarized in the following ways of reading an alias command statement:

• If the PIX Firewall gets a packet destined for the dnat_IP_address, send it to the foreign_IP_address.

• If the PIX Firewall gets a DNS packet returned to the PIX Firewall destined for foreign_network_address, alter the DNS packet to change the foreign network address to dnat_network_address.

The no alias command disables a previously set alias command statement. The show alias command displays alias command statements in the configuration. The clear alias command removed all alias commands from the configuration.

The alias command automatically interacts with DNS servers on your network to ensure that domain name access to the aliased IP address is handled transparently.

Note   ActiveX blocking does not occur when users access an IP address referenced by the alias command. ActiveX blocking is set with the filter activex command.

Usage Notes

To access an alias dnat_ip address with static and access-list command statements, specify the dnat_ip address in the access-list command statement as the address from which traffic is permitted from. The following example illustrates this note:

alias (inside) 192.168.201.1 209.165.201.1 255.255.255.255
static (inside,outside) 209.165.201.1 192.168.201.1 netmask 255.255.255.255
access-list acl_out permit tcp host 192.168.201.1 host 209.165.201.1 eq ftp-data
access-group acl_out in interface outside
 

An alias is specified with the inside address 192.168.201.1 mapping to the foreign address 209.165.201.1.

Examples

1. In this example, the inside network contains the IP address 209.165.201.29, which on the Internet belongs to example.com. When inside clients try to access example.com, the packets do not go to the firewall because the client thinks 209.165.201.29 is on the local inside network. To correct this, a net alias is created as follows with the alias command:

alias (inside) 192.168.201.0 209.165.201.0 255.255.255.224
 
show alias
alias 192.168.201.0 205.165.201.0 255.255.255.224

  When the inside network client 209.165.201.2 connects to example.com, the DNS response from an external DNS server to the internal client's query would be altered by the PIX Firewall to be 192.168.201.29. If the PIX Firewall uses 209.165.200.225 through 209.165.200.254 as the global pool IP addresses, the packet goes to the PIX Firewall with SRC=209.165.201.2 and DST=209.165.201.29. The PIX Firewall translates the address to SRC=209.165.200.254 and DST=209.165.201.29 on the outside.

2. In the next example, a web server is on the inside at 10.1.1.11 and a static for it at 209.165.201.11. The source host is on the outside with address 209.165.201.7. A DNS server on the outside has a record for www.example.com as follows:

www.example.com.

IN

A

209.165.201.11

  The period at the end of the www.example.com. domain name must be included.

  The alias command follows:

alias 10.1.1.11 209.165.201.11 255.255.255.255

  PIX Firewall doctors the nameserver replies to 10.1.1.11 for inside clients to directly connect to the web server.

  The static command statement is as follows:

static (inside,outside) 209.165.201.11 10.1.1.11

  The access-list command statement you would expect to use follows:

access-list acl_grp permit tcp host 209.165.201.7 host 209.165.201.11 eq telnet

  But with the alias command, use this command:

access-list acl_grp permit tcp host 209.165.201.11 eq telnet host 209.165.201.7

  You can test the DNS entry for the host with the following UNIX nslookup command:

nslookup -type=any www.example.com

Syntax Description

if_name	The internal or external interface name specified by the nameif command.
ip_address	Host IP address for the ARP table entry.
mac_address	Hardware MAC address for the ARP table entry; for example, 00e0.1e4e.3d8b.
alias	Make this entry permanent. Alias entries do not time out and are automatically stored in the configuration when you use the write command to store the configuration.
seconds	Duration that an ARP entry can exist in the ARP table before being cleared.

Usage Guidelines

Note   You can use the sysopt noproxyarp command to disable proxy-arps on an interface.

Use the arp command to add an entry for new hosts you add on your network or when you swap an existing host for another. Alternatively, you can wait for the duration specified with the arp timeout command to expire and the ARP table rebuilds itself automatically with the new host information.

The arp timeout command sets the duration that an ARP entry can stay in the PIX Firewall ARP table before expiring. The timer is known as the ARP persistence timer. The default value is
14,400 seconds (4 hours).

The no arp timeout command sets the timer to its default value. The show arp timeout command displays its current value.

Examples

The following examples illustrate use of the arp and arp timeout commands:

arp inside 192.168.0.42 00e0.1e4e.2a7c
arp outside 192.168.0.43 00e0.1e4e.3d8b alias
show arp
outside 192.168.0.43 00e0.1e4e.3d8b alias
inside 192.168.0.42 00e0.1e4e.2a7c
 
clear arp inside 192.168.0.42
 
arp timeout 42
show arp timeout
arp timeout 42 seconds
 
no arp timeout
show arp timeout
arp timeout 14400 seconds

Syntax Description

accept	If a user authentication via Telnet is accepted, display the prompt string.
reject	If a user authentication via Telnet is rejected, display the prompt string.
prompt	The AAA challenge prompt string follows this keyword. This keyword is optional for backward compatibility.
string	A string of up to 235 alphanumeric characters. Special characters should not be used; however, spaces and punctuation characters are permitted. Entering a question mark or pressing the Enter key ends the string. (The question mark appears in the string.)

Usage Guidelines

The auth-prompt command lets you change the AAA challenge text for HTTP, FTP, and Telnet access. This text displays above the username and password prompts that users view when logging in. If you do not use this command, FTP users view FTP authentication,  HTTP users view HTTP Authentication, and challenge text does not appear for Telnet access.

If the user authentication occurs from Telnet, you can use the accept and reject options to display different authentication prompts if the authentication attempt is accepted or rejected by the authentication server.

Note   Microsoft Internet Explorer only displays up to 37 characters in an authentication prompt. Netscape Navigator displays up to 120 characters, and Telnet and FTP display up to 235 characters in an authentication prompt.

Examples

The following example shows how to set the authentication prompt and how users view the prompt:

auth-prompt XYZ Company Firewall Access
 

After this string is added to the configuration, users view:

XYZ Company Firewall Access
User Name:
Password:
 

The prompt keyword can be included or omitted. For example:

auth-prompt prompt Hello There!
 

This command statement is the same as the following:

auth-prompt Hello There!
 

Syntax Description

hh:mm:ss	The current hour:minutes:seconds expressed in 24-hour time; for example, 20:54:00 for 8:54 pm. Zeros can be entered as a single digit; for example, 21:0:0.
month	The current month expressed as the first three characters of the month; for example, apr for April.
day	The current day of the month; for example, 1.
year	The current year expressed as four digits; for example, 2000.

Usage Guidelines

Usage Notes

1. By default, all ports are denied until explicitly permitted.

2. The conduit command statements are processed in the order entered in the configuration. If you remove a command, it affects the order of all subsequent conduit command statements.

3. To remove all conduit command statements, cut and paste your configuration onto your console computer, edit the configuration on the computer, use the write erase command to clear the current configuration, and then paste the configuration back into the PIX Firewall.

4. If you use PAT (Port Address Translation), you cannot use a conduit command statement using the PAT address to either permit or deny access to ports.

5. Two conduit command statements are required for establishing access to the following services: discard, dns, echo, ident, pptp, rpc, sunrpc, syslog, tacacs-ds, talk, and time. Each service, except for pptp, requires one conduit for TCP and one for UDP. For DNS, if you are only receiving zone updates, you only need a single conduit command statement for TCP.

static (dmz2,outside) 209.165.201.5 192.168.1.5 netmask 255.255.255.255
conduit permit tcp host 209.165.201.5 eq 1723 any
conduit permit gre host 209.165.201.5 any

  In this example, PPTP is being used to handle access to host 192.168.1.5 on the dmz2 interface from users on the outside. Outside users access the dmz2 host using global address 209.165.201.5. The first conduit command statement opens access for the PPTP protocol and gives access to any outside users. The second conduit command statement permits access to GRE. If PPTP was not involved and GRE was, you could omit the first conduit command statement.

  For MSRPC, two conduit command statements are required, one for port 135 and another for access to the high ports (1024-65535). For Sun RPC, a single conduit command statement is required for UDP port 111.

  Once you create a conduit command statement for RPC, you can use the following command to test its activity from a UNIX host:

rpcinfo -u unix_host_ip_address 150001

  Replace unix-_host_ip_address with the IP address of the UNIX host.

7. You can overlay host statics on top of a net static range to further refine what an individual host can access:

static (inside, outside) 209.165.201.0 10.1.1.0 netmask 255.255.255.0
conduit permit tcp 209.165.201.0 255.255.255.0 eq ftp any
static (inside, outside) 203.31.17.3 10.1.1.3 netmask 255.255.255.0
conduit permit udp host 209.165.201.3 eq h323 host 209.165.202.3

  In this case, the host at 209.165.202.3 has InternetPhone access in addition to its blanket FTP access.

Examples

1. The following commands permit access between an outside UNIX gateway host at 209.165.201.2, to an inside SMTP server with Mail Guard at 192.168.1.49. Mail Guard is enabled in the default configuration for PIX Firewall with the fixup protocol smtp 25 command. The global address on the PIX Firewall is 209.165.201.1:

static (inside,outside) 209.165.201.1 192.168.1.49 netmask 255.255.255.255 0 0
conduit permit tcp host 209.165.201.1 eq smtp host 209.165.201.2 

  To disable Mail Guard, enter the following command:

no fixup protocol smtp 25

2. You can set up an inside host to receive H.323 InternetPhone calls and allow the outside network to connect inbound via the IDENT protocol (TCP port 113). In this example, the inside network is at 192.168.1.0, the global addresses on the outside network are referenced via the 209.165.201.0 network address with a 255.255.255.224 mask:

static (inside,outside) 209.165.201.0 192.168.1.0 netmask 255.255.255.224 0 0
conduit permit tcp 209.165.201.0 255.255.255.224 eq h323 any
conduit permit tcp 209.165.201.0 255.255.255.224 eq 113 any

3. You can create a web server on the perimeter interface that can be accessed by any outside host as follows:

static (perimeter,outside) 209.165.201.4 192.168.1.4 netmask 255.255.255.255 0 0
conduit permit tcp host 209.165.201.4 eq 80 any

  In this example, the static command statement maps the perimeter host, 192.168.1.4. to the global address, 209.165.201.4. The conduit command statement specifies that the global host can be accessed on port 80 (web server) by any outside host.

	configure net :
 

Use the write net command to store the configuration in the file.

If you have an existing PIX Firewall configuration on a TFTP server and store a shorter configuration with the same file name on the TFTP server, some TFTP servers will leave some of the original configuration after the first ":end" mark. This does not affect the PIX Firewall because the configure net command stops reading when it reaches the first ":end" mark. However, this may cause confusion if you view the configuration and see extra text at the end of the configuration. This does not occur if you are using Cisco TFTP Server version 1.1 for Windows NT.

Note   Many TFTP servers require the configuration file to be world-readable to be accessible.

The configure memory command merges the configuration in Flash memory into the current configuration in RAM.

The show configure command lists the contents of the configuration in Flash memory.

Each command statement from diskette (with configure floppy), Flash memory (with configure memory), or TFTP transfer (with configure net) is read into the current configuration and evaluated in the same way as commands entered from a keyboard with these rules:

• If the command on diskette or Flash memory is identical to an existing command in the current configuration, it is ignored.

• If the command on diskette or Flash memory is an additional instance of an existing command, such as if you already have one telnet command for IP address 10.2.3.4 and the diskette configuration has a telnet command for 10.7.8.9, then both commands appear in the current configuration.

• If the command redefines an existing command, the command on diskette or Flash memory overwrites the command in the current configuration in RAM. For example, if you have hostname ram in the current configuration and hostname floppy on diskette, the command in the configuration becomes hostname floppy and the command line prompt changes to match the new host name when that command is read from diskette.

Examples

The following example shows how to configure the PIX Firewall using a configuration retrieved with TFTP:

configure net 10.1.1.1:/tftp/config/pixconfig
 

The pixconfig file is stored on the TFTP server at 10.1.1.1 in the tftp/config folder.

The following example shows how to configure the PIX Firewall from a diskette:

configure floppy
 

The following example shows how to configure the PIX Firewall from the configuration stored in Flash memory:

configure memory
 

The following example shows the commands you enter to access configuration mode, view the configuration, and save it in Flash memory.

Access privileged mode with the enable command and configuration mode with the configure terminal command. View the current configuration with the write terminal command and save your configuration to Flash memory using the write memory command.

pixfirewall> enable
password: 
pixfirewall# configure terminal
pixfirewall(config)# write terminal
:Saved
 config commands 
:End
 
write memory

The debug dhcpc detail command displays detailed packet information about the DHCP client. The debug dhcpc error command displays DHCP client error messages. The debug dhcpc packet command displays packet information about the DHCP client. Use the no form of the debug dhcpc command to disable debugging.

The debug dhcpd event command displays event information about the DHCP server. The debug dhcpd packet command displays packet information about the DHCP server. Use the no form of the debug dhcpd commands to disable debugging.

The debug h323 command lets you debug H323 connections. Use the no form of the command to disable debugging. This command works when the fixup protocol h323 command is enabled.

Note   The debug h323 command, particularly the debug h323 h225 asn, debug h323 h245 asn, and debug h323 ras asn commands, might delay the sending of messages and cause slower performance in a real-time environment.

The debug commands are shared between all Telnet and serial console sessions.

Note   The downside of the Trace Channel feature is that if one administrator is using the serial console and another administrator starts a Telnet console session, the serial console debug output will suddenly stop without warning. In addition, the administrator on the Telnet console session will suddenly be viewing debug output, which may be unexpected. If you are using the serial console and debug output is not appearing, use the who command to see if a Telnet console session is running.

Additional debug Command Information

Note   Use of the debug packet command on a PIX Firewall experiencing a heavy load may result in the output displaying so fast that it may be impossible to stop the output by entering the no debug packet command from the console. You can enter the no debug packet command from a Telnet session.

Note   To let users ping through the PIX Firewall, add the access-list acl_grp permit icmp anyany command statement to the configuration and bind it to each interface you want to test with the access-group command. This lets pings go outbound and inbound.

To stop a debug packet trace command, enter:

no debug packet if_name
 

Replace if_name with the name of the interface; for example, inside, outside, or a perimeter interface name.

To stop a debug icmp trace command, enter:

no debug icmp trace

Examples

The following is partial sample output from the debug dhcpc packet and the debug dhcpc detail commands. The ip address dhcp setroute command was configured after turning on the debug dhcpc commands to obtain debugging information:

debug dhcpc packet
debug dhcpc detail
ip address outside dhcp setroute
DHCP:allocate request
DHCP:new entry. add to queue
DHCP:new ip lease str = 0x80ce8a28
DHCP:SDiscover attempt # 1 for entry:
Temp IP addr:0.0.0.0 for peer on Interface:outside
Temp sub net mask:0.0.0.0
   DHCP Lease server:0.0.0.0, state:1 Selecting
   DHCP transaction id:0x8931
   Lease:0 secs, Renewal:0 secs, Rebind:0 secs
   Next timer fires after:2 seconds
   Retry count:1   Client-ID:cisco-0000.0000.0000-outside
 
DHCP:SDiscover:sending 265 byte length DHCP packet
DHCP:SDiscover 265 bytes
DHCP Broadcast to 255.255.255.255 from 0.0.0.0
DHCP client msg received, fip=10.3.2.2, fport=67
DHCP:Received a BOOTREP pkt
DHCP:Scan:Message type:DHCP Offer
DHCP:Scan:Server ID Option:10.1.1.69 = 450A44AB
	DHCP:Scan:Server ID Option:10.1.1.69 = 450A44AB
DHCP:Scan:Lease Time:259200
DHCP:Scan:Subnet Address Option:255.255.254.0
DHCP:Scan:DNS Name Server Option:10.1.1.70, 10.1.1.140
DHCP:Scan:Domain Name:example.com
DHCP:Scan:NBNS Name Server Option:10.1.2.228, 10.1.2.87
DHCP:Scan:Router Address Option:10.3.2.1
DHCP:rcvd pkt source:10.3.2.2, destination: 255.255.255.255
...
 

The following example turns on this command:

debug icmp trace
 

When you ping a host through the PIX Firewall from any interface, trace output displays on the console. The following example shows a successful ping from an external host (209.165.201.2) to the PIX Firewall unit's outside interface (209.165.201.1):

Inbound ICMP echo reply (len 32 id 1 seq 256) 209.165.201.1 > 209.165.201.2
Outbound ICMP echo request (len 32 id 1 seq 512) 209.165.201.2 > 209.165.201.1
Inbound ICMP echo reply (len 32 id 1 seq 512) 209.165.201.1 > 209.165.201.2
Outbound ICMP echo request (len 32 id 1 seq 768) 209.165.201.2 > 209.165.201.1
Inbound ICMP echo reply (len 32 id 1 seq 768) 209.165.201.1 > 209.165.201.2
Outbound ICMP echo request (len 32 id 1 seq 1024) 209.165.201.2 > 209.165.201.1
Inbound ICMP echo reply (len 32 id 1 seq 1024) 209.165.201.1 > 209.165.201.2
NO DEBUG ICMP TRACE
ICMP trace off

This example shows that the ICMP packet length is 32 bytes, that the ICMP packet identifier is 1, and the ICMP sequence number. The ICMP sequence number starts at 0 and is incremented each time a request is sent.

The following is sample output from the show debug command output:

show debug
debug ppp error
debug vpdn event
debug crypto ipsec 1
debug crypto isakmp 1
debug crypto ca 1
debug icmp trace
debug packet outside both
debug sqlnet

The above sample output includes the debug crypto commands. Refer to the debug command page within the "Command Reference" chapter of the IPSec User Guide for the Cisco Secure PIX Firewall Version 5.2 for more information about the debug crypto commands.

You can debug the contents of packets with the debug packet command:

debug packet inside
--------- PACKET ---------
-- IP --
4.3.2.1 ==>     255.3.2.1
        ver = 0x4       hlen = 0x5      tos = 0x0       tlen = 0x60
        id = 0x3902     flags = 0x0     frag off=0x0
        ttl = 0x20      proto=0x11      chksum = 0x5885
        -- UDP --
                source port = 0x89      dest port = 0x89
                len = 0x4c      checksum = 0xa6a0
        -- DATA --
                00000014:                                     00 01 00 00|
         ....
                00000024: 00 00 00 01 20 45 49 45 50 45 47 45 47 45 46 46| ..
.. EIEPEGEGEFF
                00000034: 43 43 4e 46 41 45 44 43 41 43 41 43 41 43 41 43| CC
NFAEDCACACACAC
                00000044: 41 43 41 41 41 00 00 20 00 01 c0 0c 00 20 00 01| AC
AAA.. ..... ..
                00000054: 00 04 93 e0 00 06 60 00 01 02 03 04 00| ..
....\Q......
--------- END OF PACKET ---------

This display lists the information as it appears in a packet.

The following is sample output from the show debug command:

show debug
debug icmp trace off
debug packet off
debug sqlnet off

Usage Guidelines

The enable command starts privileged mode. The PIX Firewall prompts you for your privileged mode password. By default, a password is not required—press the Enter key at the Password prompt to start privileged mode. Use disable to exit privileged mode. Use enable password to change the password.

Examples

The following example shows how to start privileged mode with the enable command and then configuration mode with the configure terminal command.

pixfirewall> enable
Password: 
pixfirewall# configure terminal
pixfirewall(config)#

You can return the enable password to its original value (press the Enter key at prompt) by entering:

pixfirewall# enable password
pixfirewall# 
 

Note   If you change the password, write it down and store it in a manner consistent with your site's security policy. Once you change this password, you cannot view it again. Also, ensure that all who access the PIX Firewall console are given this password.

Use the passwd command to set the password for PIX Firewall Manager and Telnet access to the PIX Firewall console. The default passwd value is cisco.

See also: passwd.

Examples

The following examples show how to start privileged mode with the enable command, change the enable password with the enable password command, enter configuration mode with the configure terminal command, and display the contents of the current configuration with the write terminal command:

pixfirewall> enable
Password:
pixfirewall# enable password w0ttal1fe
pixfirewall# configure terminal
pixfirewall(config)# write terminal
Building configuration...
...
enable password 2oifudsaoid.9ff encrypted
...

The following example shows the use of the encrypted option:

enable password 1234567890123456 encrypted
show enable password
enable password 1234567890123456 encrypted
 
enable password 1234567890123456
show enable password
enable password feCkwUGktTCAgIbD encrypted

Note   XDMCP is on by default, but will not complete the session unless the established command is used.

Example:

established tcp 0 6000 to tcp 6000 from tcp 1024-65535
 

Will allow internal XDMCP equipped (UNIX or ReflectionX) hosts to access external XDMCP equipped XWindows servers. UDP/177 based XDMCP negotiates a TCP based XWindows session and subsequent TCP back connections will be permitted. Because the source port(s) of the return traffic is unknown, the src_port field should be specified as 0 (wildcard). The destination port, dest_port, will typically be 6000; the well-known XServer port. The dest_port should be 6000 + n; where n represents the local display number. Use the following UNIX command to change this value:

setenv DISPLAY hostname:displaynumber.screennumber
 

The established command is needed because many TCP connections are generated (based on user interaction) and the source port for these connection is unknown. Only the destination port will be static. The PIX Firewall does XDMCP fixups transparently. No configuration is required, but the established command is necessary to accommodate the TCP session. Be advised that using applications like this through the PIX Firewall may open up security holes. The XWindows system has been exploited in the past and newly introduced exploits are likely to be discovered.

When a failover cable connects two PIX Firewall units, the no failover command now disables failover until you enter the failover command to explicitly enable failover. Previously, when the failover cable connected two PIX Firewall units and you entered the no failover command, failover would automatically re-enable after 15 seconds.

If you reboot the PIX Firewall without entering the write memory command and the failover cable in connected, failover mode automatically enables.

As a technology, it creates many potential problems for the network clients including causing workstations to fail, introducing network security problems, or be used to attack servers.

This feature blocks the HTML <object> tag and comments it out within the HTML web page.

Note   The <object> tag is also used for Java applets, image files, and multimedia objects, which will also be blocked by the filter activex command. If the <object> or </object> HTML tags split across network packets or if the code in the tags is longer than the number of bytes in the MTU, PIX Firewall cannot block the tag.

Note   ActiveX blocking does not occur when users access an IP address referenced by the alias command.

Examples

To specify that all outbound connections have ActiveX blocking, use the following command:

filter activex 80 0 0 0 0
 

This command specifies that the ActiveX blocking applies to Web traffic on port 80 from any local host and for connections to any foreign host.

filter java

The filter java command filters out Java applets that return to the PIX Firewall from an outbound connection. The user still receives the HTML page, but the web page source for the applet is commented out so that the applet cannot execute. Use 0 for the local_ip or foreign_ip IP addresses to mean all hosts.

Note   If Java applets are known to be in <object> tags, use the filter activex command to remove them.

Examples

To specify that all outbound connections have Java applet blocking, use the following command:

filter java 80 0 0 0 0
 

This command specifies that the Java applet blocking applies to Web traffic on port 80 from any local host and for connections to any foreign host.

filter url

The filter url command lets you prevent outbound users from accessing World Wide Web URLs that you designate using the Websense filtering application.

The allow option to the filter command determines how the PIX Firewall behaves in the event that the Websense server goes offline. If you use the allow option with the filter command and the Websense server goes offline, port 80 traffic passes through the PIX Firewall without filtering. Used without the allow option and with the server offline, PIX Firewall stops outbound port 80 (Web) traffic until the server is back online, or if another URL server is available, passes control to the next URL server.

Note   With the allow option set, PIX Firewall now passes control to an alternate server if the Websense server goes offline.

The Websense Server works with the PIX Firewall to deny users from access to web sites based on the company security policy.

Websense protocol version 4 contains the following enhancements:

• URL filtering allows the PIX Firewall to check outgoing URL requests against the policy defined on the Websense server.

• Username logging tracks username, group, and domain name on the Websense server.

• Username lookup enables the PIX Firewall to use the user authentication table to map the host's IP address to the username.

Follow these steps to filter URLs:

Step 2   Enable filtering with the filter command.

Step 3   If needed, improve throughput with the url-cache command. However, this command does not update Websense logs, which may affect Websense accounting reports. Accumulate Websense run logs before using the url-cache command.

Step 4   Use the show url-cache stats and the show perfmon commands to view run information.

Information on Websense is available at the following site:

If you disable FTP fixups with the no fixup protocol ftp command, outbound users can start connections only in passive mode, and all inbound FTP is disabled.

The port parameter lets you specify the port at which the PIX Firewall listens for FTP traffic. Typically, this value is 21. In addition, the FTP port can now only be in the range of 1 to 1024.

fixup protocol h323

fixup protocol http

Note   If there is a no fixup protocol http command statement in the configuration, the filter url command does not work.

fixup protocol rtsp

The fixup protocol rtsp command lets PIX Firewall pass RTSP (Real Time Streaming Protocol) packets. RTSP is used by RealAudio, RealNetworks, Apple QuickTime 4, RealPlayer, and Cisco IP/TV connections. PIX Firewall does not support multicast RTSP.

If you are using Cisco IP/TV, use RTSP TCP port 554 and TCP 8554:

fixup protocol rtsp 554
fixup protocol rtsp 8554
 

The following restrictions apply to the fixup protocol rtsp command:

  If using TCP mode on the RealPlayer, select the check boxes for Use TCP to Connect to Server and Attempt to use TCP for all content. On the PIX Firewall, there is no need to configure the fixup.

  If using UDP mode on the RealPlayer, select the check boxes for Use TCP to Connect to Server and Attempt to use UDP for static content, and for live content not available via Multicast. On the PIX Firewall, add a fixup protocol rtsp port command statement

fixup protocol sip

• SIP: session initiation protocol, RFC 2543

• SDP: Session Description Protocol, RFC 232

fixup protocol smtp

The fixup protocol smtp command enables the Mail Guard feature, which only lets mail servers receive the RFC 821, section 4.5.1 commands of HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT. All other commands are rejected with the "500 command unrecognized" reply code.

fixup protocol sqlnet

Note   PIX Firewall uses port 1521 for SQL*Net. This is the default port used by Oracle for SQL*Net; however, this value does not agree with IANA port assignments.

Examples

You can add multiple port settings for each protocol with separate commands; for example:

fixup protocol ftp 21
fixup protocol ftp 4254
fixup protocol ftp 9090
 

These commands cause PIX Firewall to listen to the standard FTP port of 21 but also to listen for FTP traffic at ports 4254 and 9090.

The following example enables access to an inside server running Mail Guard:

static (inside,outside) 209.165.201.1 192.168.42.1 netmask 255.255.255.255
access-list acl_out permit tcp host 209.165.201.1 eq smtp any
access-group acl_out in interface outside
fixup protocol smtp 25
 

static (dmz1,outside) 209.165.201.1 10.1.1.1 netmask 255.255.255.255
access-list acl_out permit tcp host 209.165.201.1 eq smtp any
access-group acl_out in interface outside
no fixup protocol smtp 25
 

In this example, the static command sets up a global address to permit outside hosts access to the 10.1.1.1 mail server host on the dmz1 interface. (The MX record for DNS needs to point to the 209.165.201.1 address so that mail is sent to this address.) The access-list command lets any outside users access the global address through the SMTP port (25). The no fixup protocol command disables the Mail Guard feature.

The clear flashfs and flashfs downgrade commands do not affect the configuration stored in Flash memory.

The clear flashfs command is the same as the flashfs downgrade 4.x command.

The show flashfs command displays the size in bytes of each filesystem sector and the current state of the filesystem. The data in each sector is as follows:

• file 0—PIX Firewall binary image, where the .bin file is stored.

• file 1—PIX Firewall configuration data that you can view with the show config command.

• file 2—PIX Firewall datafile that stores IPSec key and certificate information.

• file 3—flashfs downgrade information for the show flashfs command.

Examples

Use the following command to write the filesystem to Flash memory before downgrading to version 5.1:

flashfs downgrade 5.1
 

The following commands display the filesystem sector sizes:

show flashfs
flash file system:version:1magic:0x12345679
file 0: origin:0 length:1794104
file 1: origin: 2095104 length:1496
file 2: origin:0 length:0
file 3: origin: 2096640 length:140
flashfs downgrade 5.1
show flashfs
flash file system:version:0magic:0x0
file 0: origin:0 length:0
file 1: origin:0 length:0
file 2: origin:0 length:0
file 3: origin:0 length:0
 

The origin values are integer multiples of the underlying filesystem sector size.

Syntax Description

enable	Enable Flood Defender.
disable	Disable Flood Defender.

Usage Guidelines

The floodguard command lets you reclaim PIX Firewall resources if the user authentication (uauth) subsystem runs out of resources. If an inbound or outbound uauth connection is being attacked or overused, the PIX Firewall will actively reclaim TCP user resources.

When the resources deplete, the PIX Firewall lists messages about it being out of resources or out of tcpusers.

If the PIX Firewall uauth subsystem is depleted, TCP user resources in different states are reclaimed depending on urgency in the following order:

1. Timewait

2. FinWait

3. Embryonic

4. Idle

The floodguard command is enabled by default.

Examples

The following example enables the floodguard command and lists the floodguard command statement in the configuration:

floodguard enable
show floodguard
floodguard enable
 

Usage Notes

1. You can enable the PAT (Port Address Translation) feature by entering a single IP address with the global command. PAT lets multiple outbound sessions appear to originate from a single IP address. With PAT enabled, the firewall chooses a unique port number from the PAT IP address for each outbound xlate (translation slot). This feature is valuable when an Internet service provider cannot allocate enough unique IP addresses for your outbound connections. An IP address you specify for a PAT cannot be used in another global address pool.

2. When a PAT augments a pool of global addresses, first the addresses from the global pool are used, then the next connection is taken from the PAT address. If a global pool address frees, the next connection takes that address. The global pool addresses always come first, before a PAT address is used. Augment a pool of global addresses with a PAT by using the same nat_id in the global command statements that create the global pools and the PAT. For example:

global (outside) 1 209.165.201.1-209.165.201.10 netmask 255.255.255.224
global (outside) 1 209.165.201.22 netmask 255.255.255.224

3. PAT does not work with H.323 applications and caching nameservers. Do not use a PAT when multimedia applications need to be run through the firewall. Multimedia applications can conflict with port mappings provided by PAT.

4. PAT does not work with the established command.

5. PAT works with DNS, FTP and passive FTP, HTTP, email, RPC, rshell, Telnet, URL filtering, and outbound traceroute.

  However for use with passive FTP, use the fixup protocol ftp strict command statement with an access-list command statement to permit outbound FTP traffic, as shown in the following example:

fixup protocol ftp strict ftp
access-list acl_in permit tcp any any eq ftp
access-group acl_in in interface inside
nat (inside) 1 0 0
global (outside) 1 209.165.201.5 netmask 255.255.255.224
 

6. IP addresses in the pool of global addresses specified with the global command require reverse DNS entries to ensure that all external network addresses are accessible through the PIX Firewall. To create reverse DNS mappings, use a DNS PTR record in the address-to-name mapping file for each global address. For more information on DNS, refer to DNS and BIND, by Paul Albitz and Cricket Liu, O'Reilly & Associates, Inc., ISBN 1-56592-010-4. Without the PTR entries, sites can experience slow or intermittent Internet connectivity and FTP requests that consistently fail. For example, if a global IP address is 209.165.201.1 and the domain for the PIX Firewall is pix.example.com, the PTR record would be:

1.201.165.209.in-addr.arpa. IN PTR pix.example.com.

7. A DNS server on a higher level security interface needing to get updates from a root name server on the outside interface cannot use PAT (Port Address Translation). Instead, a static command statement must be added to map the DNS server to a global address on the outside interface.

  For example, PAT is enabled with these commands:

nat (inside) 1 192.168.1.0 255.255.255.0
global (inside) 1 209.165.202.128 netmask 255.255.255.224

  However, a DNS server on the inside at IP address 192.168.1.5 cannot correctly reach the root name server on the outside at IP address 209.165.202.130.

  To ensure that the inside DNS server can access the root name server, insert the following static command statement:

static (inside,outside) 209.165.202.129 192.168.1.5

  The global address 209.165.202.129 provides a translated address for the inside server at IP address 192.168.1.5.

8. The following example enables PAT using the IP address at the outside interface in global configuration mode:

ip address outside 192.150.49.1
nat (inside) 1 0 0
global (outside) 1 interface

  The interface IP address used for PAT is the address associated with the interface when the xlate is created. This is important for configuring DHCP, allowing for the DHCP retrieved address to be used for PAT.

  When PAT is enabled on an interface, there should be no termination of TCP, UDP, and ICMP services. These services allow for termination at the PIX Firewall's outside interface.

  The following example enables PAT using the IP address at the outside interface in global configuration mode:

ip address outside 192.150.49.1
nat (inside) 1 0 0 
global (outside) 1 interface
 

  The interface IP address used for PAT is the address associated with the interface when the xlate (translation slot) is created. This is important for configuring DHCP, allowing for the DHCP retrieved address to be used for PAT.

  When PAT is enabled on an interface, there should be no loss of TCP, UDP, and ICMP services. These services allow for termination at the PIX Firewall unit's outside interface.

  The following example maps hosts on the internal network 10.1.0.0/16 to global address 192.168.1.1 and hosts on the internal network 10.1.1.1/16 to global address 209.165.200.225 in global configuration mode.

nat (inside) 1 10.1.0.0 255.255.255.0
nat (inside) 2 10.1.1.1 255.255.255.0
global (outside) 1 192.168.1.1 netmask 255.255.255.0
global (outside) 2 209.165.200.225 netmask 255.255.255.224
 

  The following example configures two port addresses for setting up PAT on hosts from the internal network 10.1.0.0/16 in global configuration mode.

nat (inside) 1 10.1.0.0 255.255.0.0
global (outside) 1 209.165.200.225 netmask 255.255.255.224
global (outside) 1 192.168.1.1 netmask 255.255.255.0

  With this configuration, address 192.168.1.1 will only be used when the port pool from address 209.165.200.225 is at maximum capacity.

Examples

The following example declares two global pool ranges and a PAT address. Then the nat command permits all inside users to start connections to the outside network:

global (outside) 1 209.165.201.1-209.165.201.10 netmask 255.255.255.224
global (outside) 1 209.165.201.12 netmask 255.255.255.224
Global 209.165.201.12 will be Port Address Translated
nat (inside) 1 0 0
clear xlate
 

The next example creates a global pool from two contiguous pieces of a Class C address and gives the perimeter hosts access to this pool of addresses to start connections on the outside interface:

global (outside) 1000 209.165.201.1-209.165.201.14 netmask 255.255.255.240
global (outside) 1000 209.165.201.17-209.165.201.30 netmask 255.255.255.240
nat (perimeter) 1000 0 0

Note   The change of the host name causes the change of the fully qualified domain name. Once the fully qualified domain name is changed, delete the RSA key pairs with the ca zeroize rsa command and delete related certificates with the no ca identity ca_nickname command.

Examples

The following example shows how to change a host name:

pixfirewall(config)# hostname spinner
spinner(config)# hostname pixfirewall
pixfirewall(config)# 

If the first matched entry is a permit entry, the ICMP packet continues to be processed. If the first matched entry is a deny entry or an entry is not matched, PIX Firewall discards the ICMP packet and generates the %PIX-3-313001 syslog message. An exception is when an ICMP access-list command statement is not configured; then, permit is assumed.

Cisco recommends that you grant permission for ICMP unreachable message type (type 3). Denying ICMP unreachable messages disables ICMP Path MTU discovery, which can halt IPSec and PPTP traffic. See RFC 1195 and RFC 1435 for details about Path MTU Discovery.

The syslog message is as follows:

%PIX-3-313001: Denied ICMP type=type, code=code from source_address on interface interface_number

If this message appears, contact the peer's administrator.

Example

1. Deny all ping requests and permit all unreachable messages at the outside interface:

icmp deny any echo-reply outside
icmp permit any unreachable outside

2. Permit host 172.16.2.15 or hosts on subnet 172.22.1.0/16 to ping the outside interface:

icmp permit host 172.16.2.15 echo-reply outside 
icmp permit 171.22.1.0 255.255.255.0 echo-reply outside
icmp permit any unreachable outside

Syntax Description

hardware_id	Identifies the network interface type. Possible values are ethernet0, ethernet1 to ethernetn, gb-ethernetn, fddi0 or fddi1, token-ring0, token-ring1, to token-ringn, depending on how many network interfaces are in the firewall.
hardware_speed	Network interface speed (optional). Do not specify a hardware_speed for a FDDI interface. Possible Ethernet values are: 10baset—Set for 10 Mbps Ethernet half duplex communication. 10full—Set for 10 Mbps Ethernet full duplex communication. 100basetx—Set for 100 Mbps Ethernet half duplex communication. 100full—Set for 100 Mbps Ethernet full duplex communication. 1000sxfull—Set for 1000 Mbps Gigabit Ethernet full duplex operation. 1000basesx—Set for 1000 Mbps Gigabit Ethernet half duplex operation. 1000auto—Set for 1000 Mbps Gigabit Ethernet to auto-negotiate full or half duplex. Cisco recommends that you do not use this option to maintain compatibility with switches and other devices in your network. aui—Set 10 for Mbps Ethernet half duplex communication with an AUI cable interface. auto—Set Ethernet speed automatically. The auto keyword can only be used with the Intel 10/100 automatic speed sensing network interface card. Cisco recommends that you do not use this option to maintain compatibility with switches and other devices in your network. bnc—Set for 10 Mbps Ethernet half duplex communication with a BNC cable interface. Possible Token Ring values are: 4mbps—4 Mbps data transfer speed. You can specify this as 4. 16mbps—(default) 16 Mbps data transfer speed. You can specify this as 16.
shutdown	Disable an interface.