
Command Name: aaa accounting connection h323
Mode: router(config)#
Syntax:
  aaa accounting connection h323 {stop-only | start-stop} radius
  no aaa accounting connection h323 {stop-only | start-stop} radius
Syntax Description:
  stop-only   Sends a stop accounting notice at the end of the requested user process.
  start-stop  Sends a start accounting notice at the beginning of a process and a stop accounting notice at the end of a process. The start accounting record is sent in the background. The requested user process begins regardless of whether the start accounting notice was received by the accounting server.
  radius      Use only the RADIUS security protocol with this command.
Command Description: To define the accounting method list H.323 with RADIUS as a method with either stop-only or start-stop accounting options, use the aaa accounting connection h323 command in global configuration mode. Use the no form of this command to disable the use of this accounting method list.
Example:
  router(config)#aaa accounting connection h323 stop-only radius
  router(config)#aaa accounting connection h323 start-stop radius
Misconceptions: none
Related commands: aaa accounting, aaa authentication, aaa new-model, radius-server host, tacacs-server host
Sample Configurations:
  aaa new-model
  gw-accounting h323
  aaa accounting connection h323 start-stop radius

Command Name: aaa accounting delay-start
Mode: router(config)#
Syntax:
  aaa accounting delay-start
  no aaa accounting delay-start
Syntax Description: This command has no arguments or keywords.
Command Description: To delay generation of accounting "start" records until the user IP address is established, use the aaa accounting delay-start command in global configuration mode. To disable this functionality, use the no form of this command.
Example:
  router(config)#aaa accounting delay-start
Misconceptions: none
Related commands: aaa accounting, aaa authentication ppp, aaa authorization, aaa new-model, radius-server host, tacacs-server host
Sample Configurations:
  aaa new-model
  aaa authentication ppp default radius
  aaa accounting network default start-stop radius
  aaa accounting delay-start
  radius-server host 172.16.0.0 non-standard
  radius-server key rad123

Command Name: aaa accounting nested
Mode: router(config)#
Syntax:
  aaa accounting nested
  no aaa accounting nested
Syntax Description: This command has no arguments or keywords.
Command Description: To specify that NETWORK records be generated, or nested, within EXEC start and stop records for PPP users who start EXEC terminal sessions, use the aaa accounting nested command in global configuration mode. Use the no form of this command to allow sending records for users with a NULL username.
Example:
  router(config)#aaa accounting nested
Misconceptions: none
Related commands: aaa accounting
Sample Configurations:

Command Name: aaa accounting resource start-stop group
Mode: router(config)#
Syntax:
  aaa accounting resource method-list start-stop [broadcast] group groupname
  no aaa accounting resource method-list start-stop [broadcast] group groupname
Syntax Description:
  method-list      Method used for accounting services. Use one of the following options:
                     default: Uses the listed accounting methods that follow this argument as the default list of methods for accounting services.
                     string: Character string used to name the list of accounting methods.
  broadcast        (Optional) Enables sending accounting records to multiple AAA servers. Simultaneously sends accounting records to the first server in each group. If the first server is unavailable, failover occurs using the backup servers defined within that group.
  group groupname  Specifies the server group to be used for accounting services. The following are valid server group names:
                     string: Character string used to name a server group.
                     radius: Uses the list of all RADIUS hosts.
                     tacacs+: Uses the list of all TACACS+ hosts.
Command Description: To enable full resource accounting, which will generate both a "start" record at call setup and a "stop" record at call termination, use the aaa accounting resource start-stop group command in global configuration mode. To disable full resource accounting, use the no form of this command.
Usage Guidelines: Use the aaa accounting resource start-stop group command to send a "start" record at each call setup followed by a corresponding "stop" record at the call disconnect. There is a separate "call setup-call disconnect start-stop" accounting record tracking the progress of the resource connection to the device, and a separate "user authentication start-stop" accounting record tracking the user management progress. These two sets of accounting records are interlinked by using a unique session ID for the call. You may want to use this command to manage and monitor wholesale customers from one source of data reporting, such as accounting records.
Example:
  router(config)#aaa accounting resource default start-stop group radius
Misconceptions: none
Related commands: aaa accounting start-stop failure
Sample Configurations:
  aaa new-model
  aaa authentication login AOL group radius local
  aaa authentication ppp default group radius local
  aaa authorization exec AOL group radius if-authenticated
  aaa authorization network default group radius if-authenticated
  aaa accounting exec default start-stop group radius
  aaa accounting network default start-stop group radius
  aaa accounting resource default start-stop group radius

Command Name: aaa accounting resource stop-failure group
Mode: router(config)#
Syntax:
  aaa accounting resource method-list stop-failure [broadcast] group groupname
  no aaa accounting resource method-list stop-failure [broadcast] group groupname
Syntax Description:
  method-list      Method used for accounting services. Use one of the following options:
                     default: Uses the listed accounting methods that follow this argument as the default list of methods for accounting services.
                     string: Character string used to name the list of accounting methods.
  broadcast        (Optional) Enables sending accounting records to multiple AAA servers. Simultaneously sends accounting records to the first server in each group. If the first server is unavailable, failover occurs using the backup servers defined within that group.
  group groupname  Group to be used for accounting services. Use one of the following options:
                     string: Character string used to name a server group.
                     radius: Uses the list of all RADIUS hosts.
                     tacacs+: Uses the list of all TACACS+ hosts.
Command Description: To enable resource failure stop accounting support, which will generate a "stop" record at any point prior to user authentication only if a call is terminated, use the aaa accounting resource stop-failure group command in global configuration mode. To disable resource failure stop accounting, use the no form of this command.
Example:
  router(config)#aaa accounting resource default stop-failure group radius
Misconceptions: none
Related commands: aaa accounting resource start-stop group
Sample Configurations:
  aaa new-model
  aaa authentication login AOL group radius local
  aaa authentication ppp default group radius local
  aaa authorization exec AOL group radius if-authenticated
  aaa authorization network default group radius if-authenticated
  aaa accounting exec default start-stop group radius
  aaa accounting network default start-stop group radius
  aaa accounting resource default stop-failure group radius

Command Name: aaa accounting send stop-record authentication failure
Mode: router(config)#
Syntax:
  aaa accounting send stop-record authentication failure
  no aaa accounting send stop-record authentication failure
Syntax Description: This command has no arguments or keywords.
Command Description: To generate accounting stop records for users who fail to authenticate at login or during session negotiation, use the aaa accounting send stop-record authentication failure command in global configuration mode. Use the no form of this command to stop generating records for users who fail to authenticate at login or during session negotiation.
Example:
  router(config)#aaa accounting send stop-record authentication failure
Misconceptions: none
Related commands: aaa accounting
Sample Configurations:

Command Name: aaa accounting suppress null-username
Mode: router(config)#
Syntax:
  aaa accounting suppress null-username
  no aaa accounting suppress null-username
Syntax Description: This command has no arguments or keywords.
Command Description: To prevent the Cisco IOS software from sending accounting records for users whose username string is NULL, use the aaa accounting suppress null-username global configuration command. Use the no form of this command to allow sending records for users with a NULL username.
Example:
  router(config)#aaa accounting suppress null-username
Misconceptions: none
Related commands: aaa accounting
Sample Configurations:

Command Name: aaa accounting update
Mode: router(config)#
Syntax:
  aaa accounting update {[newinfo] [periodic number]}
  no aaa accounting
Syntax Description:
  newinfo   Causes an interim accounting record to be sent to the accounting server whenever there is new accounting information to report relating to the user in question.
  periodic  Causes an interim accounting record to be sent to the accounting server periodically, as defined by the argument number.
  number    Integer specifying the number of minutes.
Command Description: To enable periodic interim accounting records to be sent to the accounting server, use the aaa accounting update command in global configuration mode. Use the no form of this command to disable interim accounting updates.
Usage Guidelines: When aaa accounting update is activated, the Cisco IOS software issues interim accounting records for all users on the system. If the keyword newinfo is used, interim accounting records will be sent to the accounting server every time there is new accounting information to report. An example of this would be when IPCP completes IP address negotiation with the remote peer. The interim accounting record will include the negotiated IP address used by the remote peer. When used with the keyword periodic, interim accounting records are sent periodically as defined by the argument number. The interim accounting record contains all of the accounting information recorded for that user up to the time the accounting record is sent. Both of these keywords are mutually exclusive, meaning that whichever keyword is configured last takes precedence over the previous configuration. For example, if you configure aaa accounting update periodic, and then configure aaa accounting update newinfo, all users currently logged in will continue to generate periodic interim accounting records. All new users will generate accounting records based on the newinfo algorithm.
Caution: Using the aaa accounting update periodic command can cause heavy congestion when many users are logged in to the network.
Example:
  router(config)#aaa accounting update newinfo
Misconceptions: none
Related commands: aaa accounting, accounting, aaa accounting update, ppp accounting, aaa accounting send stop-record authentication failure, aaa dnis map accounting network group, accounting (gatekeeper)
Sample Configurations:

Command Name: aaa accounting
Mode: router(config)#
Syntax:
  aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | wait-start | stop-only | none} [method1 [method2...]]
  no aaa accounting {system | network | exec | commands level}
Syntax Description:
  system              Performs accounting for all system-level events not associated with users, such as reloads.
  network             Runs accounting for all network-related service requests, including SLIP, PPP, PPP NCPs, and ARA.
  exec                Runs accounting for EXEC sessions (user shells). This keyword might return user profile information such as autocommand information.
  connection          Provides information about all outbound connections made from the network access server, such as Telnet, local-area transport (LAT), TN3270, packet assembler/disassembler (PAD), and rlogin.
  commands level      Runs accounting for all commands at the specified privilege level.
  level               Specific command level to track for accounting. Valid entries are 0 through 15.
  default             Uses the listed accounting methods that follow this argument as the default list of methods for accounting services.
  list-name           Character string used to name the list of accounting methods.
  start-stop          Sends a start accounting notice at the beginning of a process and a stop accounting notice at the end of a process. The start accounting record is sent in the background. The requested user process begins regardless of whether or not the start accounting notice was received by the accounting server.
  wait-start          As in start-stop, sends both a start and a stop accounting notice to the accounting server. However, if you use the wait-start keyword, the requested user service does not begin until the start accounting notice is acknowledged. A stop accounting notice is also sent.
  stop-only           Sends a stop accounting notice at the end of the requested user process.
  none                Disables accounting services on this line or interface.
  method1 [method2...]  At least one of the following methods:
                        group radius: Uses the list of all RADIUS servers for authentication.
                        group tacacs+: Uses the list of all TACACS+ servers for authentication.
                        group group-name: Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command.
Command Description: To enable AAA accounting of requested services for billing or security purposes when you use RADIUS or TACACS+, use the aaa accounting global configuration command. Use the no form of this command to disable accounting.
Example:
  router(config)#aaa accounting exec start-stop tacacs+
  Sets AAA accounting for EXEC processes on the NAS to record the start and stop time of the session against the TACACS+ database.
  router(config)#aaa accounting network start-stop tacacs+
  Sets AAA accounting for all network-related service requests, including SLIP, PPP, PPP NCPs, and the ARA protocol, to record the start and stop time of the session against the TACACS+ database.
Misconceptions: This command can be used with TACACS or extended TACACS.
Related commands: aaa authentication ppp, aaa authorization, aaa new-model
Sample Configurations:
  aaa new-model
  aaa authentication login default tacacs+
  aaa authentication login no_tacacs enable
  aaa authentication ppp default tacacs+
  aaa authorization exec tacacs+
  aaa authorization network tacacs+
  aaa accounting exec start-stop tacacs+
  aaa accounting network start-stop tacacs+
  enable secret 5 $1$x1EE$33AXd2VTVvhbWL0A37tQ3.
  enable password 7 15141905172924
  !
  username admin password 7 094E4F0A1201181D19
  !
  interface Serial2
   ppp authentication pap
  !
  tacacs-server host 10.1.1.4
  tacacs-server key ciscosecure
  !
  line con 0
   login authentication no_tacacs

Command Name: aaa dnis map accounting network group
Mode: router(config)#
Syntax:
  aaa dnis map dnis-number accounting network [none | start-stop | stop-only] group server-group-name
  no aaa dnis map dnis-number accounting network [none | start-stop | stop-only] group server-group-name
Syntax Description:
  dnis-number        Number of the DNIS.
  none               (Optional) Indicates that the defined security server group will not send accounting notices.
  start-stop         (Optional) Indicates that the defined security server group will send a start-accounting notice at the beginning of a process and a stop-accounting notice at the end of a process. The start-accounting record is sent in the background. (The requested user process begins regardless of whether the start accounting notice was received by the accounting server.)
  stop-only          (Optional) Indicates that the defined security server group will send a stop-accounting notice at the end of the requested user process.
  server-group-name  Character string used to name a group of security servers associated in a server group.
Command Description: To map a Dialed Number Information Service (DNIS) number to a particular authentication, authorization, and accounting (AAA) server group (this server group will be used for AAA accounting), use the aaa dnis map accounting network group command in global configuration mode. To remove DNIS mapping from the named server group, use the no form of this command.
Example: The following example maps DNIS number 7777 to the RADIUS server group called group1. Server group group1 will use RADIUS server 172.30.0.0 for accounting requests for users dialing in with DNIS 7777.
  router(config)#aaa dnis map enable
  router(config)#aaa dnis map 7777 accounting network group group1
Misconceptions: none
Related commands: aaa dnis map authentication ppp group, aaa dnis map enable, aaa group server, aaa new-model, radius-server host
Sample Configurations:
  aaa group server radius isp
   server 1.0.0.1
   server 1.0.0.2
  aaa group server tacacs+ isp_customer
   server 3.0.0.1
  aaa dnis map enable
  aaa dnis map 7777 accounting network start-stop broadcast group isp group isp_customer
  radius-server host 1.0.0.1
  radius-server host 1.0.0.2
  radius-server key key_1
  tacacs-server host 3.0.0.1 key key_2

Command Name: aaa session-mib
Mode: router(config)#
Syntax:
  aaa session-mib disconnect
  no aaa session-mib disconnect
Syntax Description:
  disconnect  Enables authentication, authorization, and accounting (AAA) session MIB disconnect.
Command Description: To enable disconnect by using Simple Network Management Protocol (SNMP), use the aaa session-mib global configuration mode command. To disable this function, use the no form of this command.
Usage Guidelines: Use the aaa session-mib command to terminate authenticated client connections using SNMP. You must enable the disconnect keyword with this command. Otherwise, the network management station cannot perform set operations and disconnect users; it can only poll the table.
Example:
  router(config)#aaa session-mib disconnect
Misconceptions: none
Related commands: none
Sample Configurations:
  aaa new-model
  aaa authentication ppp default group radius
  aaa authorization network default group radius
  aaa accounting network default start-stop group radius
  aaa session-mib disconnect

Command Name: accounting (gatekeeper)
Mode: router(config)#
Syntax:
  accounting
  no accounting
Syntax Description: This command has no arguments or keywords.
Command Description: To enable accounting on the gatekeeper, use the accounting command in gatekeeper configuration mode. To disable accounting, use the no form of this command.
Usage Guidelines: Specify a RADIUS server before using the accounting command.
Example: The following example enables the gateway to report user activity to the RADIUS server in the form of connection accounting records:
  router(config)#aaa accounting connection start-stop group radius
  router(config)#gatekeeper
  router(config-gk)#accounting
Misconceptions: none
Related commands: aaa new-model, radius-server host, radius-server key
Sample Configurations:

Command Name: accounting
Mode: router(config-line)#
Syntax:
  accounting {arap | commands level | connection | exec} [default | list-name]
  no accounting {arap | commands level | connection | exec} [default | list-name]
Syntax Description:
  arap            Enables accounting on lines configured for AppleTalk Remote Access Protocol (ARAP).
  commands level  Enables accounting on the selected lines for all commands at the specified privilege level. Valid privilege level entries are 0 through 15.
  connection      Enables both CHAP and PAP, and performs PAP authentication before CHAP.
  exec            Enables accounting for all system-level events not associated with users, such as reloads on the selected lines.
  default         (Optional) The name of the default method list, created with the aaa accounting command.
  list-name       (Optional) Specifies the name of a list of accounting methods to use. If no list name is specified, the system uses the default. The list is created with the aaa accounting command.
Command Description: To enable authentication, authorization, and accounting (AAA) accounting services on a specific line or group of lines, use the accounting command in line configuration mode. To disable AAA accounting services, use the no form of this command.
Example: The following example enables command accounting services (for level 15) using the accounting method list named charlie on line 10:
  router(config)#line 10
  router(config-line)#accounting commands 15 charlie
Misconceptions: none
Related commands: aaa accounting
Sample Configurations:

Command Name: debug aaa accounting
Mode: router#
Syntax:
  debug aaa accounting
  no debug aaa accounting
Syntax Description: This command has no arguments or keywords.
Command Description: To display information on accountable events as they occur, use the debug aaa accounting privileged EXEC command. To disable debugging output, use the no form of the command.
Usage Guidelines: The information displayed by the debug aaa accounting command is independent of the accounting protocol used to transfer the accounting information to a server. Use the debug tacacs and debug radius protocol-specific commands to get more detailed information about protocol-level issues. You can also use the show accounting command to step through all active sessions and to print all the accounting records for actively accounted functions. The show accounting command allows you to display the active "accountable events" on the system. It provides systems administrators a quick look at what is happening, and may also be useful for collecting information in the event of a data loss of some kind on the accounting server. The show accounting command displays additional data on the internal state of the authentication, authorization, and accounting (AAA) security system if debug aaa accounting is turned on as well.
Example:
  Router# debug aaa accounting
Misconceptions: none
Related commands: debug aaa authentication, debug aaa authorization, debug radius, debug tacacs, show accounting
Sample Configurations:
  Router# debug aaa accounting
  16:49:21: AAA/ACCT: EXEC acct start, line 10
  16:49:32: AAA/ACCT: Connect start, line 10, glare
  16:49:47: AAA/ACCT: Connection acct stop: task_id=70 service=exec port=10 protocol=telnet address=172.31.3.78 cmd=glare bytes_in=308 bytes_out=76 paks_in=45 paks_out=54 elapsed_time=14
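The usage guidelines above describe the debug output as a stream of start and stop events whose stop records carry key=value attributes, and note that it is useful when records are lost on the accounting server. The following Python script is an added example, not Cisco code and not part of the original reference: it parses AAA/ACCT debug lines of the shape shown in the sample output, pairs each stop record with the start on the same line (and same command name, when one is present), totals the counters in the stop records, and lists sessions that used a cleartext protocol. The sample input is the three debug lines from the page; the pairing rules and the cleartext-protocol set are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Sample input: the three AAA/ACCT lines from the page's debug output.
SAMPLE_DEBUG = """\
16:49:21: AAA/ACCT: EXEC acct start, line 10
16:49:32: AAA/ACCT: Connect start, line 10, glare
16:49:47: AAA/ACCT: Connection acct stop: task_id=70 service=exec port=10 protocol=telnet address=172.31.3.78 cmd=glare bytes_in=308 bytes_out=76 paks_in=45 paks_out=54 elapsed_time=14
"""

# "<hh:mm:ss>: AAA/ACCT: <what>[, line N][, <cmd>][: key=value ...]"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}): AAA/ACCT: (?P<what>[^,:]+)"
    r"(?:,\s*line (?P<line>\d+))?"
    r"(?:,\s*(?P<cmd>[^:]+))?"
    r"(?::\s*(?P<attrs>.*))?$"
)
ATTR_RE = re.compile(r"([\w-]+)=(\S+)")

# Protocols in stop records that carry credentials and session data in cleartext (assumption).
CLEARTEXT = {"telnet", "rlogin"}


@dataclass
class AcctEvent:
    ts: str
    what: str                      # e.g. "EXEC acct start", "Connection acct stop"
    line: Optional[str]            # line number from ", line N", if present
    cmd: Optional[str]             # command name from the start record, if present
    attrs: Dict[str, str] = field(default_factory=dict)

    @property
    def is_start(self) -> bool:
        return self.what.endswith("start")

    @property
    def is_stop(self) -> bool:
        return self.what.endswith("stop")


def parse_debug(text: str) -> List[AcctEvent]:
    """Turn debug lines into AcctEvent objects; lines that do not match are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        attrs = dict(ATTR_RE.findall(m.group("attrs") or ""))
        events.append(AcctEvent(m.group("ts"), m.group("what").strip(),
                                m.group("line"), m.group("cmd"), attrs))
    return events


def pair_sessions(events: List[AcctEvent]) -> Tuple[List[Tuple[Optional[AcctEvent], AcctEvent]], List[AcctEvent]]:
    """Pair each stop with the most recent unmatched start on the same line/port
    (and the same command name when the start carried one). Returns (closed, still_open)."""
    open_starts: List[AcctEvent] = []
    closed = []
    for ev in events:
        if ev.is_start:
            open_starts.append(ev)
        elif ev.is_stop:
            port, cmd = ev.attrs.get("port"), ev.attrs.get("cmd")
            for i in range(len(open_starts) - 1, -1, -1):
                s = open_starts[i]
                if s.line == port and (s.cmd is None or s.cmd == cmd):
                    closed.append((open_starts.pop(i), ev))
                    break
            else:
                closed.append((None, ev))    # stop record with no matching start
    return closed, open_starts


def summarize(events: List[AcctEvent]) -> Dict[str, int]:
    """Count starts/stops and total the byte and time counters from stop records."""
    out = {"starts": 0, "stops": 0, "bytes_in": 0, "bytes_out": 0, "elapsed_time": 0}
    for ev in events:
        if ev.is_start:
            out["starts"] += 1
        elif ev.is_stop:
            out["stops"] += 1
            for key in ("bytes_in", "bytes_out", "elapsed_time"):
                out[key] += int(ev.attrs.get(key, 0))
    return out


def cleartext_sessions(events: List[AcctEvent]) -> List[str]:
    """Destination addresses of stopped sessions that used a cleartext protocol."""
    return [ev.attrs["address"] for ev in events
            if ev.is_stop and ev.attrs.get("protocol") in CLEARTEXT and "address" in ev.attrs]


if __name__ == "__main__":
    evs = parse_debug(SAMPLE_DEBUG)
    closed, still_open = pair_sessions(evs)
    print("closed:", [(s.what if s else None, e.attrs.get("task_id")) for s, e in closed])
    print("still open:", [e.what for e in still_open])
    print("totals:", summarize(evs))
    print("cleartext destinations:", cleartext_sessions(evs))
```

On the page's three lines the Connect start on line 10 is closed by the stop record for cmd=glare, the EXEC start on line 10 remains open (its stop is not in the sample), and the one Telnet session to 172.31.3.78 is reported as cleartext.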

Command Name: ppp accounting
Mode: router(config-if)#
Syntax:
  ppp accounting default
  no ppp accounting
Syntax Description:
  default  The name of the method list is created with the aaa accounting command.
Command Description: To enable authentication, authorization, and accounting (AAA) accounting services on the selected interface, use the ppp accounting command in interface configuration mode. To disable AAA accounting services, use the no form of this command.
Usage Guidelines: After you enable the aaa accounting command and define a named accounting method list (or use the default method list), you must apply the defined lists to the appropriate interfaces for accounting services to take place. Use the ppp accounting command to apply the specified method lists (or if none is specified, the default method list) to the selected interface.
Example: The following example enables accounting on asynchronous interface 4 and uses the accounting method list named charlie:
  router(config)#interface async 4
  router(config-if)#encapsulation ppp
  router(config-if)#ppp accounting charlie
Misconceptions: none
Related commands: aaa accounting
Sample Configurations:

Command Name: show accounting
Mode: router#
Syntax:
  show accounting
  no show accounting
Syntax Description: This command has no arguments or keywords.
Command Description: To step through all active sessions and to print all the accounting records for actively accounted functions, use the show accounting command in EXEC mode. Use the no form of this command to disable viewing and printing accounting records.
Usage Guidelines: The show accounting command allows you to display the active accountable events on the network. It provides system administrators with a quick look at what is going on, and it also can help collect information in the event of a data loss on the accounting server. The show accounting command displays additional data on the internal state of authentication, authorization, and accounting (AAA) if debug aaa accounting is activated.
Example:
  router#show accounting
Misconceptions: none
Related commands: aaa accounting, show line, show users
Sample Configurations:
  Router# show accounting
  Active Accounted actions on Interface Serial0:19, User jdoe Priv 1
   Task ID 15, Network Accounting record, 00:00:18 Elapsed
   task_id=15 timezone=PDT service=ppp mlp-links-max=4 mlp-links-current=4 protocol=ip addr=9.0.0.2 mlp-sess-id=1
  Active Accounted actions on Interface Serial0:20, User jdoe Priv 1
   Task ID 13, Network Accounting record, 00:00:49 Elapsed
   task_id=13 timezone=PDT service=ppp mlp-links-max=4 mlp-links-current=4 protocol=ip addr=9.0.0.2 mlp-sess-id=1
  Active Accounted actions on Interface Serial0:21, User jdoe Priv 1
   Task ID 11, Network Accounting record, 00:01:19 Elapsed
   task_id=11 timezone=PDT service=ppp mlp-links-max=4 mlp-links-current=4 protocol=ip addr=9.0.0.2 mlp-sess-id=1
  Active Accounted actions on Interface Serial0:22, User jdoe Priv 1
   Task ID 9, Network Accounting record, 00:01:20 Elapsed
   task_id=9 timezone=PDT service=ppp mlp-links-max=4 mlp-links-current=4 mlp-sess-id=1 protocol=ip addr=9.0.0.2
  Active Accounted actions on , User (not logged in) Priv 0
   Task ID 1, Resource-management Accounting record, 06:21:47 Elapsed
   task_id=1 timezone=PDT rm-protocol-version=1.0 service=resource-management protocol=nas-status event=nas-start reason=reload

  Overall Accounting Traffic
           Starts  Stops  Updates  Active  Drops
  Exec        0      0       0       0      0
  Network     8      4       0       4      0
  Connect     0      0       0       0      0
  Command     0      0       0       0      0
  R-mgmt      1      0       0       1      0
  System      0      0       0       0      0

  User creates:21, frees:9, Acctinfo mallocs:15, frees:6
  Users freed with accounting unaccounted for:0
  Queue length:0
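The usage guidelines say show accounting is a quick snapshot of active accountable events and a fallback when records are lost on the accounting server. The following Python script is an added example, not Cisco code and not part of the original reference: it parses output of the shape shown in the sample above into per-session records plus the Overall Accounting Traffic table, groups active sessions by user, checks that Starts minus Stops equals Active for each category, and surfaces resource-management records whose reason is a reload. The input is the page's sample output; the field layout it relies on (header line, Task ID line, key=value line) is an assumption drawn from that sample.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Sample input: the show accounting output from the page.
SAMPLE_SHOW = """\
Active Accounted actions on Interface Serial0:19, User jdoe Priv 1
 Task ID 15, Network Accounting record, 00:00:18 Elapsed
 task_id=15 timezone=PDT service=ppp mlp-links-max=4 mlp-links-current=4 protocol=ip addr=9.0.0.2 mlp-sess-id=1
Active Accounted actions on Interface Serial0:20, User jdoe Priv 1
 Task ID 13, Network Accounting record, 00:00:49 Elapsed
 task_id=13 timezone=PDT service=ppp mlp-links-max=4 mlp-links-current=4 protocol=ip addr=9.0.0.2 mlp-sess-id=1
Active Accounted actions on Interface Serial0:21, User jdoe Priv 1
 Task ID 11, Network Accounting record, 00:01:19 Elapsed
 task_id=11 timezone=PDT service=ppp mlp-links-max=4 mlp-links-current=4 protocol=ip addr=9.0.0.2 mlp-sess-id=1
Active Accounted actions on Interface Serial0:22, User jdoe Priv 1
 Task ID 9, Network Accounting record, 00:01:20 Elapsed
 task_id=9 timezone=PDT service=ppp mlp-links-max=4 mlp-links-current=4 mlp-sess-id=1 protocol=ip addr=9.0.0.2
Active Accounted actions on , User (not logged in) Priv 0
 Task ID 1, Resource-management Accounting record, 06:21:47 Elapsed
 task_id=1 timezone=PDT rm-protocol-version=1.0 service=resource-management protocol=nas-status event=nas-start reason=reload

Overall Accounting Traffic
         Starts  Stops  Updates  Active  Drops
Exec        0      0       0       0      0
Network     8      4       0       4      0
Connect     0      0       0       0      0
Command     0      0       0       0      0
R-mgmt      1      0       0       1      0
System      0      0       0       0      0

User creates:21, frees:9, Acctinfo mallocs:15, frees:6
Users freed with accounting unaccounted for:0
Queue length:0
"""

HEADER_RE = re.compile(r"^Active Accounted actions on (?P<iface>[^,]*), User (?P<user>.+?) Priv (?P<priv>\d+)$")
TASK_RE = re.compile(r"^Task ID (?P<task>\d+), (?P<rtype>.+?) Accounting record, (?P<elapsed>\d{2}:\d{2}:\d{2}) Elapsed$")
ATTR_RE = re.compile(r"([\w-]+)=(\S+)")
SUMMARY_RE = re.compile(r"^(?P<cat>Exec|Network|Connect|Command|R-mgmt|System)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")
SUMMARY_COLS = ("starts", "stops", "updates", "active", "drops")


@dataclass
class ActiveRecord:
    iface: str                 # empty for records not tied to an interface
    user: str
    priv: int
    task_id: str = ""
    rtype: str = ""            # "Network", "Resource-management", ...
    elapsed: str = "00:00:00"
    attrs: Dict[str, str] = field(default_factory=dict)


def elapsed_seconds(hhmmss: str) -> int:
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def parse_show_accounting(text: str) -> Tuple[List[ActiveRecord], Dict[str, Dict[str, int]]]:
    """Return (active records, summary table keyed by category)."""
    records: List[ActiveRecord] = []
    summary: Dict[str, Dict[str, int]] = {}
    current: Optional[ActiveRecord] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := HEADER_RE.match(line)):
            current = ActiveRecord(m.group("iface").strip(), m.group("user"), int(m.group("priv")))
            records.append(current)
        elif (m := TASK_RE.match(line)) and current:
            current.task_id, current.rtype, current.elapsed = m.group("task"), m.group("rtype"), m.group("elapsed")
        elif (m := SUMMARY_RE.match(line)):
            current = None                      # the table ends the per-session section
            summary[m.group("cat")] = dict(zip(SUMMARY_COLS, (int(v) for v in m.groups()[1:])))
        elif "=" in line and current:
            current.attrs.update(ATTR_RE.findall(line))
    return records, summary


def sessions_by_user(records: List[ActiveRecord]) -> Dict[str, List[str]]:
    out: Dict[str, List[str]] = {}
    for r in records:
        out.setdefault(r.user, []).append(r.task_id)
    return out


def check_summary(summary: Dict[str, Dict[str, int]]) -> List[str]:
    """Categories where Starts - Stops does not equal Active (a sign of dropped or lost records)."""
    return [cat for cat, row in summary.items() if row["starts"] - row["stops"] != row["active"]]


def reload_events(records: List[ActiveRecord]) -> List[str]:
    """Task IDs of resource-management records that report a device reload."""
    return [r.task_id for r in records
            if r.rtype == "Resource-management" and r.attrs.get("reason") == "reload"]


if __name__ == "__main__":
    recs, table = parse_show_accounting(SAMPLE_SHOW)
    print("sessions by user:", sessions_by_user(recs))
    print("inconsistent categories:", check_summary(table))
    print("reload records:", reload_events(recs))
    print("longest-running:", max(recs, key=lambda r: elapsed_seconds(r.elapsed)).task_id)
```

On the page's output the four jdoe sessions are all links of one multilink PPP bundle (mlp-sess-id=1), every summary row balances, and the single resource-management record shows that the device last started because of a reload, which is worth correlating with change records when it was not planned.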

Command Name: aaa authentication arap
Mode: router(config)#
Syntax:
  aaa authentication arap {default | list-name} method1 [method2...]
  no aaa authentication arap {default | list-name} method1 [method2...]
Syntax Description:
  default               Uses the listed methods that follow this argument as the default list of methods when a user logs in.
  list-name             Character string used to name the following list of authentication methods tried when a user logs in.
  method1 [method2...]  At least one of the keywords described below.
  guest                 Allows guest logins. This method must be the first method listed, but it can be followed by other methods if it does not succeed.
  auth-guest            Allows guest logins only if the user has already logged in to EXEC. This method must be the first method listed, but can be followed by other methods if it does not succeed.
  line                  Uses the line password for authentication.
  local                 Uses the local username database for authentication.
  local-case            Uses case-sensitive local username authentication.
  group radius          Uses the list of all RADIUS servers for authentication.
  group tacacs+         Uses the list of all TACACS+ servers for authentication.
  group group-name      Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command.
Command Description: To enable an authentication, authorization, and accounting (AAA) authentication method for AppleTalk Remote Access (ARA), use the aaa authentication arap command in global configuration mode. To disable this authentication, use the no form of this command.
Usage Guidelines: The list names and default that you set with the aaa authentication arap command are used with the arap authentication command. Note that ARAP guest logins are disabled by default when you enable AAA. To allow guest logins, you must use either the guest or auth-guest method listed. You can only use one of these methods; they are mutually exclusive. Create a list by entering the aaa authentication arap list-name method command, where list-name is any character string used to name this list (such as MIS-access). The method argument identifies the list of methods the authentication algorithm tries in the given sequence. To create a default list that is used if no list is specified in the arap authentication command, use the default keyword followed by the methods you want to be used in default situations. The additional methods of authentication are used only if the previous method returns an error, not if it fails. Use the more system:running-config command to view currently configured lists of authentication methods.
Example: The following example creates a list called MIS-access, which first tries TACACS+ authentication and then none:
  router(config)#aaa authentication arap MIS-access group tacacs+ none
The following example creates the same list, but sets it as the default list that is used for all ARA protocol authentications if no other list is specified:
  router(config)#aaa authentication arap default group tacacs+ none
Misconceptions: If the default list is not set, only the local user database is checked. This has the same effect as the following command:
  aaa authentication arap default local
Related commands: aaa new-model
Sample Configurations:

Command Name: aaa authentication banner
Mode: router(config)#
Syntax:
  aaa authentication banner d string d
  no aaa authentication banner
Syntax Description:
  d       Any delimiting character at the beginning and end of the string that notifies the system that the string is to be displayed as the banner. The delimiting character can be any character in the extended ASCII character set, but once defined as the delimiter, that character cannot be used in the text string making up the banner.
  string  Any group of characters, excluding the one used as the delimiter. The maximum number of characters that you can display is 2996.
Command Description: To configure a personalized banner that will be displayed at user login, use the aaa authentication banner command in global configuration mode. To remove the banner, use the no form of this command.
Usage Guidelines: Use the aaa authentication banner command to create a personalized message that appears when a user logs in to the system. This message or banner will replace the default message for user login. To create a login banner, you need to configure a delimiting character, which notifies the system that the following text string is to be displayed as the banner, and then the text string itself. The delimiting character is repeated at the end of the text string to signify the end of the banner. The delimiting character can be any character in the extended ASCII character set, but once defined as the delimiter, that character cannot be used in the text string making up the banner.
Example: The following example configures a login banner (in this case, the phrase "Unauthorized use is prohibited.") that will be displayed when a user logs in to the system. In this case, the asterisk (*) symbol is used as the delimiter. (RADIUS is specified as the default login authentication method.)
  router(config)#aaa authentication banner *Unauthorized use is prohibited.*
Misconceptions: none
Related commands: aaa authentication fail-message
Sample Configurations:
  aaa new-model
  aaa authentication banner *Unauthorized use is prohibited.*
  aaa authentication login default group radius

Command Name:

aaa authentication enable default

Mode: Syntax:

Router(config)#

aaa authentication enable default method1 [method2...] no aaa authentication enable default method1 [method2...]

Syntax Description:
method At least one of the keywords described in the table below.

Keyword Description
enable Uses the enable password for authentication.
line Uses the line password for authentication.
none Uses no authentication.
group tacacs+ Uses the list of all TACACS+ servers to provide authentication services.
group radius Uses the list of all RADIUS servers to provide authentication services.
group group-name Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the server group group-name.

Command Description: To enable AAA authentication to determine if a user can access the privileged command level, use the aaa authentication enable default global configuration command. Use the no form of this command to disable this authorization method.

Usage Guidelines
Use the aaa authentication enable default command to create a series of authentication methods that are used to determine whether a user can access the privileged command level. Method keywords are described in the table below. The additional methods of authentication are used only if the previous method returns an error, not if it fails. To specify that the authentication should succeed even if all methods return an error, specify none as the final method in the command line. If a default authentication routine is not set for a function, the default is none and no authentication is performed. Use the show running-config command to view currently configured lists of authentication methods.

Example:
To enable AAA authentication to determine if a user can access the privileged command level, use the aaa authentication enable default command in global configuration mode as shown below.

router(config)#aaa authentication enable default group tacacs+

Misconceptions: The additional methods of authentication are used if the previous method fails.

Related commands:
aaa authorization
aaa new-model
enable password

Sample Configurations:
aaa new-model
!
!
aaa authentication login default enable
aaa authentication login console-in local
aaa authentication login is-in local
aaa authentication login tty-in line
aaa authentication ppp dial-in if-needed local
aaa session-id common
enable secret 5 $1$ptCj$vRErS/tehv53JjaqFMzBT/
enable password 7 06020026144A061E
!
username admin password 7 15100A0F0F6A2F2B2721
username isgroup password 7 000B070E01494B02002E5E
username remotes password 7 1059060B0E120009090139
memory-size iomem 15
ip subnet-zero

Configuration for a line:
!
line con 0
 password 7 094A5C0617115716040316
 login authentication console-in
line 1
 password 7 0602062040031C0A000501
 login authentication tty-in
 modem InOut
 modem autoconfigure type usr_sportster
 no exec
 transport input all
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 password 7 045A0F0B062F014A001809
line vty 0 4
 password 7 045E080E0078
 login authentication is-in
!
!
end

Command Name: aaa authentication fail-message

Mode: router(config)#

Syntax:
aaa authentication fail-message d string d
no aaa authentication fail-message

Syntax Description:
d The delimiting character at the beginning and end of the string that notifies the system that the string is to be displayed as the banner. The delimiting character can be any character in the extended ASCII character set, but once defined as the delimiter, that character cannot be used in the text string making up the banner.
string Any group of characters, excluding the one used as the delimiter. The maximum number of characters that you can display is 2996.

Command Description: To configure a personalized banner that will be displayed when a user fails login, use the aaa authentication fail-message command in global configuration mode. To remove the failed login message, use the no form of this command.

Usage Guidelines
Use the aaa authentication fail-message command to create a personalized message that appears when a user fails login. This message will replace the default message for failed login. To create a failed-login banner, you need to configure a delimiting character, which notifies the system that the following text string is to be displayed as the banner, and then the text string itself. The delimiting character is repeated at the end of the text string to signify the end of the banner. The delimiting character can be any character in the extended ASCII character set, but once defined as the delimiter, that character cannot be used in the text string making up the banner.

Example: The failed-login message will display when a user tries to log in to the system and fails. (RADIUS is specified as the default login authentication method.) In this example, the asterisk (*) is used as the delimiting character.
router(config)#aaa authentication fail-message *Failed login. Try again.*

Misconceptions: none

Related commands:
aaa authentication banner

Sample Configurations:
aaa new-model
aaa authentication banner *Unauthorized use is prohibited.*
aaa authentication fail-message *Failed login. Try again.*
aaa authentication login default group radius
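The delimiter rule shared by aaa authentication banner and aaa authentication fail-message (first character is the delimiter, the text ends at its next occurrence, 2996-character maximum) is easy to get wrong when the message itself contains the chosen character. The following parser is an added example, not Cisco code; the trailing-text check, the delimiter picker and the sample configuration text are this example's own constructions.

```python
"""Parser for the delimited text argument of aaa authentication banner and
aaa authentication fail-message (constructed example, not Cisco code)."""
from typing import Dict, Optional, Tuple

MAX_BANNER_CHARS = 2996
# Delimiters this example tries, in order, when it has to pick one for a given text.
CANDIDATE_DELIMITERS = "*#^@%~"


def parse_delimited_text(argument: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (text, None) on success or (None, reason) when the argument is not valid."""
    if len(argument) < 2:
        return None, "argument needs a delimiter, the text, and the same delimiter again"
    delimiter = argument[0]
    closing = argument.find(delimiter, 1)
    if closing == -1:
        return None, f"closing delimiter {delimiter!r} not found"
    text = argument[1:closing]
    trailing = argument[closing + 1:]
    if trailing:
        # The delimiter ended the banner early: the intended text contained the delimiter.
        return None, f"text continues after the closing delimiter: {trailing!r}"
    if len(text) > MAX_BANNER_CHARS:
        return None, f"text is {len(text)} characters, maximum is {MAX_BANNER_CHARS}"
    return text, None


def choose_delimiter(text: str) -> str:
    """Pick a delimiter that does not occur in the text, so the text is not cut short."""
    for candidate in CANDIDATE_DELIMITERS:
        if candidate not in text:
            return candidate
    raise ValueError("every candidate delimiter occurs in the text")


def format_banner_command(keyword: str, text: str) -> str:
    """Render 'aaa authentication <banner|fail-message> d text d' with a safe delimiter."""
    if keyword not in ("banner", "fail-message"):
        raise ValueError(f"unsupported keyword {keyword!r}")
    if len(text) > MAX_BANNER_CHARS:
        raise ValueError(f"text is {len(text)} characters, maximum is {MAX_BANNER_CHARS}")
    d = choose_delimiter(text)
    return f"aaa authentication {keyword} {d}{text}{d}"


def extract_banners(running_config: str) -> Dict[str, str]:
    """Collect the login banner and failed-login message from running-config lines."""
    found: Dict[str, str] = {}
    for raw in running_config.splitlines():
        line = raw.strip()
        for keyword in ("banner", "fail-message"):
            prefix = f"aaa authentication {keyword} "
            if line.startswith(prefix):
                text, error = parse_delimited_text(line[len(prefix):])
                if error is not None:
                    raise ValueError(f"{line!r}: {error}")
                found[keyword] = text
    return found


# Constructed configuration fragment, using the same text as the sample configuration above.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication banner *Unauthorized use is prohibited.*
aaa authentication fail-message *Failed login. Try again.*
aaa authentication login default group radius
"""

if __name__ == "__main__":
    print(extract_banners(SAMPLE_CONFIG))
    # The asterisk inside the text terminates the banner after "Warning: ".
    print(parse_delimited_text("*Warning: *all* access is logged*"))
    # Picking a delimiter that is absent from the text avoids that truncation.
    print(format_banner_command("banner", "Warning: *all* access is logged"))
```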

Command Name: aaa authentication login

Mode: router(config)#

Syntax:
aaa authentication login {default | list-name} method1 [method2...]
no aaa authentication login {default | list-name} method1 [method2...]

Syntax Description:
default Uses the listed authentication methods that follow this argument as the default list of methods when a user logs in.
list-name Character string used to name the following list of authentication methods activated when a user logs in.
method At least one of the keywords described in the table: aaa authentication login Methods.

Command Description:

To set AAA authentication at login, use the aaa authentication login global configuration command. Use the no form of this command to disable AAA authentication.

Usage Guidelines
The default and optional list names created with the aaa authentication login command are used with the login authentication command. Create a list by entering the aaa authentication login list-name method command for a particular protocol, where list-name is any character string used to name this list (such as MIS-access). The method argument identifies the list of methods that the authentication algorithm tries, in the given sequence. Method keywords are described in the table. If no list is specified on an interface with the login authentication command, a default list to be used can be specified with the default keyword followed by the methods. The additional methods of authentication are used only if the previous method returns an error, not if it fails. To ensure that the authentication succeeds even if all methods return an error, specify none as the final method in the command line.

If authentication is not specifically set for a line, the default is to deny access and no authentication is performed. Use the show running-config command to display currently configured lists of authentication methods.

Table: aaa authentication login Methods
Keyword Description
enable Uses the enable password for authentication.
krb5 Uses Kerberos 5 for authentication.
line Uses the line password for authentication.
local Uses the local username database for authentication.
none Uses no authentication.
group radius Uses the list of all RADIUS servers to provide authentication services.
group tacacs+ Uses the list of all TACACS+ servers to provide authentication services.
krb5-telnet Uses the Kerberos 5 Telnet authentication protocol when using Telnet to connect to the router.
group group-name Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the server group group-name.
local-case Uses case-sensitive local username authentication.

Example: Use the aaa authentication login command in global configuration mode as shown below to configure Telnet and console lines.
router(config)# aaa authentication login default enable
router(config)# aaa authentication login console-in local
router(config)# aaa authentication login tty-in line

Misconceptions: This command cannot be used with TACACS or extended TACACS.

Related commands:
aaa new-model
login authentication

Sample Configurations:
aaa new-model
!
!
aaa authentication login default enable
aaa authentication login console-in local
aaa authentication login is-in local
aaa authentication login tty-in line
aaa authentication ppp dial-in if-needed local
aaa session-id common
enable secret 5 $1$ptCj$vRErS/tehv53JjaqFMzBT/
enable password 7 06020026144A061E
!
username admin password 7 15100A0F0F6A2F2B2721
username isgroup password 7 000B070E01494B02002E5E
username remotes password 7 1059060B0E120009090139
memory-size iomem 15
ip subnet-zero

Configuration for a line:
!
line con 0
 password 7 094A5C0617115716040316
 login authentication console-in
line 1
 password 7 0602062040031C0A000501
 login authentication tty-in
 modem InOut
 modem autoconfigure type usr_sportster
 no exec
 transport input all
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 password 7 045A0F0B062F014A001809
line vty 0 4
 password 7 045E080E0078
 login authentication is-in
!
!
end

Command Name: aaa authentication nasi

Mode: router(config)#

Syntax:
aaa authentication nasi {default | list-name} method1 [method2...]
no aaa authentication nasi {default | list-name} method1 [method2...]

Syntax Description:
default Makes the listed authentication methods that follow this argument the default list of methods used when a user logs in.
list-name Character string used to name the list of authentication methods activated when a user logs in.
method1 [method2...] At least one of the methods described below.

Keyword Description
enable Uses the enable password for authentication.
line Uses the line password for authentication.
local Uses the local username database for authentication.
local-case Uses case-sensitive local username authentication.
none Uses no authentication.
group radius Uses the list of all RADIUS servers for authentication.
group tacacs+ Uses the list of all TACACS+ servers for authentication.
group group-name Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command.

Command Description: To specify authentication, authorization, and accounting (AAA) authentication for Netware Asynchronous Services Interface (NASI) clients connecting through the access server, use the aaa authentication nasi command in global configuration mode. To disable authentication for NASI clients, use the no form of this command.

Usage Guidelines
The default and optional list names that you create with the aaa authentication nasi command are used with the nasi authentication command. Create a list by entering the aaa authentication nasi command, where list-name is any character string that names the list (such as MIS-access). The method argument identifies the list of methods the authentication algorithm tries in the given sequence. Method keywords are described above. To create a default list that is used if no list is assigned to a line with the nasi authentication command, use the default argument followed by the methods that you want to use in default situations. The remaining methods of authentication are used only if the previous method returns an error, not if it fails. To ensure that the authentication succeeds even if all methods return an error, specify none as the final method in the command line. If authentication is not specifically set for a line, the default is to deny access and no authentication is performed. Use the more system:running-config command to display currently configured lists of authentication methods.

Example: The following example creates an AAA authentication list called list1. This authentication first tries to contact a TACACS+ server. If no server is found, TACACS+ returns an error and AAA tries to use the enable password. If this attempt also returns an error (because no enable password is configured on the server), the user is allowed access with no authentication.
router(config)#aaa authentication nasi list1 group tacacs+ enable none

The following example creates the same list, but sets it as the default list that is used for all login authentications if no other list is specified:
router(config)#aaa authentication nasi default group tacacs+ enable none

Misconceptions: If the default list is not set, only the local user database is selected. This has the same effect as the following command:
aaa authentication nasi default local

Related commands:
aaa authentication nasi default local

Sample Configurations: Sample configuration on the NAS for a DNIS-based exec-VPDN asynchronous call using RADIUS AAA:
st-5300-c2#sh run
Building configuration...
Current configuration:
!
version 12.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname st-5300-c2
!
no logging buffered
aaa new-model
aaa group server radius Exec-VPDN-Login-Servers
 server 171.69.71.85 auth-port 1645 acct-port 1646
!
aaa authentication login Exec-VPDN-login group Exec-VPDN-Login-Servers
aaa authentication ppp Exec-VPDN-ppp if-needed group Exec-VPDN-Login-Servers
aaa authorization network default group Exec-VPDN-Login-Servers
aaa authorization network no_author none
aaa dnis map enable
aaa dnis map 56114 authentication login group Exec-VPDN-Login-Servers

Command Name: aaa authentication password-prompt

Mode: router(config)#

Syntax:
aaa authentication password-prompt text-string
no aaa authentication password-prompt text-string

Syntax Description:
text-string String of text that will be displayed when the user is prompted to enter a password. If this text-string contains spaces or unusual characters, it must be enclosed in double quotes (for example, "Enter your password:").

Command Description: To change the text displayed when users are prompted for a password, use the aaa authentication password-prompt command in global configuration mode. To return to the default password prompt text, use the no form of this command.

Usage Guidelines
Use the aaa authentication password-prompt command to change the default text that the Cisco IOS software displays when prompting a user to enter a password. This command changes the password prompt for the enable password as well as for login passwords that are not supplied by remote security servers. The no form of this command returns the password prompt to the default value: username: The aaa authentication password-prompt command does not change any dialog that is supplied by a remote TACACS+ server. The aaa authentication password-prompt command works when RADIUS is used as the login method. The password prompt that is defined in the command will be shown even when the RADIUS server is unreachable. The aaa authentication password-prompt command does not work with TACACS+. TACACS+ supplies the network access server (NAS) with the password prompt to display to the users. If the TACACS+ server is reachable, the NAS gets the password prompt from the server and uses that prompt instead of the one defined in the aaa authentication password-prompt command. If the TACACS+ server is not reachable, the password prompt that is defined in the aaa authentication password-prompt command may be used.

Example: The following example changes the text for the password prompt:
router(config)#aaa authentication password-prompt "Enter your password now:"

Misconceptions: There is no user-defined text-string, and the password prompt appears as "Password."

Related commands:
aaa authentication username-prompt
aaa new-model
enable password

Sample Configurations:

Command Name: aaa authentication ppp

Mode: router(config)#

Syntax:
aaa authentication ppp {default | list-name} method1 [method2...]
no aaa authentication ppp {default | list-name} method1 [method2...]

Syntax Description:
default Uses the listed authentication methods that follow this argument as the default list of methods when a user logs in.
list-name Character string used to name the following list of authentication methods tried when a user logs in.
method1 [method2...] At least one of the keywords described in the table below.

Command Description: To specify one or more AAA authentication methods for use on interfaces running Point-to-Point Protocol (PPP), use the aaa authentication ppp global configuration command. Use the no form of this command to disable authentication.

Usage Guidelines
The lists created with the aaa authentication ppp command are used with the ppp authentication command. These lists contain up to four authentication methods that are used when a user tries to log in to the serial interface. Create a list by entering the aaa authentication ppp list-name method command, where list-name is any character string used to name the list of authentication methods activated when a user logs in. The method argument identifies the list of methods that the authentication algorithm tries in the given sequence. Up to four methods can be entered. Method keywords are described in the table below. The additional methods of authentication are used only if the previous method returns an error, not if it fails. Specify none as the final method in the command line to have authentication succeed even if all methods return an error. If authentication is not specifically set for a function, the default is none and no authentication is performed. Use the show running-config command to display currently configured lists of authentication methods.

Table: aaa authentication ppp Methods
Keyword Description
if-needed Does not authenticate if the user has already been authenticated on a TTY line.
krb5 Uses Kerberos 5 for authentication (can only be used for PAP authentication).
local-case Uses case-sensitive local username authentication.
local Uses the local username database for authentication.
group group-name Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the server group group-name.
none Uses no authentication.
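The login, nasi, enable and ppp sections above all state the same rule: the next method in a list is consulted only when the previous one returns an error, never when it fails. The model below is an added example, not Cisco code; it parses a method list from the command syntax on this page and walks it with constructed in-memory stand-ins for the local database, the enable password and a TACACS+ or RADIUS server group (how an unknown local username is treated is this model's own assumption, marked in the code).

```python
"""Model of how an AAA authentication method list is walked (constructed example, not Cisco code)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Result(Enum):
    PASS = "pass"    # the method authenticated the user
    FAIL = "fail"    # the method gave a verdict and rejected the credentials
    ERROR = "error"  # the method could give no verdict (server unreachable, password not configured)


@dataclass
class Backends:
    """Constructed stand-in for the router configuration and the servers it can reach."""
    local_users: Dict[str, str] = field(default_factory=dict)    # username -> password
    tacacs_users: Dict[str, str] = field(default_factory=dict)
    radius_users: Dict[str, str] = field(default_factory=dict)
    enable_password: Optional[str] = None
    line_password: Optional[str] = None
    tacacs_reachable: bool = True
    radius_reachable: bool = True

    def run(self, keyword: str, user: str, password: str) -> Result:
        """Evaluate one method keyword from the method tables on this page."""
        if keyword == "none":
            return Result.PASS
        if keyword in ("enable", "line"):
            configured = self.enable_password if keyword == "enable" else self.line_password
            if configured is None:                 # nothing to check against: no verdict
                return Result.ERROR
            return Result.PASS if password == configured else Result.FAIL
        if keyword in ("local", "local-case"):
            if keyword == "local":                 # local: username comparison is case-insensitive
                matches = [u for u in self.local_users if u.lower() == user.lower()]
            else:                                  # local-case: exact username match only
                matches = [u for u in self.local_users if u == user]
            if not matches:                        # assumption of this model: unknown user gives no verdict
                return Result.ERROR
            return Result.PASS if self.local_users[matches[0]] == password else Result.FAIL
        if keyword in ("group tacacs+", "group radius"):
            reachable = self.tacacs_reachable if keyword == "group tacacs+" else self.radius_reachable
            users = self.tacacs_users if keyword == "group tacacs+" else self.radius_users
            if not reachable:                      # no server answered: ERROR, so the walk continues
                return Result.ERROR
            return Result.PASS if users.get(user) == password else Result.FAIL
        raise ValueError(f"unsupported method keyword: {keyword!r}")


def parse_method_list(command: str) -> Tuple[str, str, List[str]]:
    """Split 'aaa authentication <service> {default | list-name} method1 [method2...]'
    into (service, list name, methods); 'group <name>' counts as one method."""
    tokens = command.split()
    if tokens[:2] != ["aaa", "authentication"] or len(tokens) < 5:
        raise ValueError(f"not an aaa authentication method list: {command!r}")
    service, list_name, rest = tokens[2], tokens[3], tokens[4:]
    methods: List[str] = []
    i = 0
    while i < len(rest):
        if rest[i] == "group":
            if i + 1 >= len(rest):
                raise ValueError("group keyword without a server group name")
            methods.append(f"group {rest[i + 1]}")
            i += 2
        else:
            methods.append(rest[i])
            i += 1
    return service, list_name, methods


def run_method_list(methods: List[str], backends: Backends, user: str, password: str) -> Tuple[str, List[str]]:
    """Walk the list in order; return the decision and a trace of each method's result."""
    trace: List[str] = []
    for keyword in methods:
        result = backends.run(keyword, user, password)
        trace.append(f"{keyword}: {result.value}")
        if result is Result.PASS:
            return "ALLOW", trace
        if result is Result.FAIL:                  # a verdict ends the walk; later methods, even none, are not consulted
            return "DENY", trace
        # ERROR: fall through to the next method
    return "DENY", trace                           # every method errored and the list has no final none


if __name__ == "__main__":
    _, name, methods = parse_method_list("aaa authentication nasi list1 group tacacs+ enable none")
    # The narrative from the nasi example: server unreachable, no enable password, none lets the user in.
    print(name, run_method_list(methods, Backends(tacacs_reachable=False), "remotes", "anything"))
    # The misconception from the enable section: a FAIL from a reachable server is final.
    print(name, run_method_list(methods, Backends(tacacs_users={"admin": "s3cret"}), "admin", "wrong"))
```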

Example: To specify one or more AAA authentication methods for use on serial interfaces running PPP, use the aaa authentication ppp command in global configuration mode as shown below.
router(config)#aaa authen ppp default local
router(config)#aaa authen ppp dial-in local none

Misconceptions: none

Related commands:
aaa new-model
ppp authentication

Sample Configurations:
aaa new-model
!
!
aaa authentication login default enable
aaa authentication login console-in local
aaa authentication login is-in local
aaa authentication login tty-in line
aaa authentication ppp dial-in if-needed local
aaa session-id common
enable secret 5 $1$ptCj$vRErS/tehv53JjaqFMzBT/
enable password 7 06020026144A061E
!
username admin password 7 15100A0F0F6A2F2B2721
username isgroup password 7 000B070E01494B02002E5E
username remotes password 7 1059060B0E120009090139
memory-size iomem 15
ip subnet-zero

Configuration for a line:
!
line con 0
 password 7 094A5C0617115716040316
 login authentication console-in
line 1
 password 7 0602062040031C0A000501
 login authentication tty-in
 modem InOut
 modem autoconfigure type usr_sportster
 no exec
 transport input all
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 password 7 045A0F0B062F014A001809
line vty 0 4
 password 7 045E080E0078
 login authentication is-in
!
!
end

Command Name: aaa authentication username-prompt

Mode: router(config)#

Syntax:
aaa authentication username-prompt text-string
no aaa authentication username-prompt text-string

Syntax Description:
text-string String of text that will be displayed when the user is prompted to enter a username. If this text-string contains spaces or unusual characters, it must be enclosed in double quotes (for example, "Enter your name:").

Command Description: To change the text displayed when users are prompted to enter a username, use the aaa authentication username-prompt command in global configuration mode. To return to the default username prompt text, use the no form of this command.

Usage Guidelines
Use the aaa authentication username-prompt command to change the default text that the Cisco IOS software displays when prompting a user to enter a username. The no form of this command returns the username prompt to the default value: Username: Some protocols (for example, TACACS+) have the ability to override the use of local username prompt information. Using the aaa authentication username-prompt command will not change the username prompt text in these instances.

Example: The following example changes the text for the username prompt:
router(config)#aaa authentication username-prompt "Enter your name here:"

Misconceptions: none

Related commands:
aaa authentication password-prompt
aaa new-model
enable password

Sample Configurations:

Command Name: aaa dnis map authentication login group

Mode: router(config)#

Syntax:
aaa dnis map dnis-number authentication login group server-group-name
no aaa dnis map dnis-number authentication login group server-group-name

Syntax Description:
dnis-number Number of the DNIS.
server-group-name Character string used to name a group of security servers associated in a server group.

Command Description: To map a Dialed Number Information Service (DNIS) number to a particular authentication, authorization, and accounting (AAA) server group for the login service (this server group will be used for AAA authentication), use the aaa dnis map authentication login group command in global configuration mode. To unmap this DNIS number from the defined server group, use the no form of this command.

Usage Guidelines
This command lets you assign a DNIS number to a particular AAA server group; thus, the server group can process the AAA authentication requests for login service for users dialing into the network using that particular DNIS. To use this command, you must first enable AAA, define an AAA server group, and enable DNIS mapping.

Example: The following example shows how to map DNIS number 7777 to the RADIUS server group called group1. group1 will use RADIUS server 172.30.0.0 for AAA authentication requests for login service for users dialing in with DNIS 7777.
router(config)#aaa dnis map enable
router(config)#aaa dnis map 7777 authentication login group group1

Misconceptions: none

Related commands:
aaa dnis map accounting network group
aaa dnis map enable
aaa group server
aaa new-model
radius-server host

Sample Configurations:
aaa new-model
radius-server host 172.30.0.0 auth-port 1645 key cisco1
aaa group server radius group1
 server 172.30.0.0
 exit
aaa dnis map enable
aaa dnis map 7777 authentication login group group1

Command Name: aaa dnis map authentication ppp group

Mode: router(config)#

Syntax:
aaa dnis map dnis-number authentication ppp group server-group-name
no aaa dnis map dnis-number authentication ppp group server-group-name

Syntax Description:
dnis-number Number of the DNIS.
server-group-name Character string used to name a group of security servers associated in a server group.

Command Description: To map a Dialed Number Information Service (DNIS) number to a particular authentication server group (this server group will be used for authentication, authorization, and accounting (AAA) authentication), use the aaa dnis map authentication ppp group command in global configuration mode. To remove the DNIS number from the defined server group, use the no form of this command.

Usage Guidelines
This command lets you assign a DNIS number to a particular AAA server group, so that the server group can process authentication requests for users dialing in to the network using that particular DNIS. To use this command, you must first enable AAA, define an AAA server group, and enable DNIS mapping.

Example: The following example maps DNIS number 7777 to the RADIUS server group called group1. Server group group1 will use RADIUS server 172.30.0.0 for authentication requests for users dialing in with DNIS 7777.
router(config)#aaa dnis map enable
router(config)#aaa dnis map 7777 authentication ppp group group1

Misconceptions: none

Related commands:
aaa dnis map accounting network group
aaa dnis map enable
aaa group server
aaa new-model
radius-server host

Sample Configurations:
aaa new-model
radius-server host 172.30.0.0 auth-port 1645 key cisco1
aaa group server radius group1
 server 172.30.0.0
aaa dnis map enable
aaa dnis map 7777 authentication ppp group group1

Command Name: aaa pod server

Mode: router(config)#

Syntax:
aaa pod server [port port-number] [auth-type {any | all | session-key}] server-key [encryption-type] string
no aaa pod server

Syntax Description:
port port-number (Optional) Network access server User Datagram Protocol (UDP) port to use for packet of disconnect (POD) requests. Default value is 1700.
auth-type (Optional) Type of authorization required for disconnecting sessions. If no authentication type is specified, auth-type is the default.
any (Optional) Session that matches all of the attributes sent in the POD packet is disconnected. The POD packet may contain one or more of four key attributes (user-name, framed-IP-address, session-ID, and session-key).
all (Optional) Only a session that matches all four key attributes is disconnected. The default is all.
session-key (Optional) Session with a matching session-key attribute is disconnected. All other attributes are ignored.
server-key Configures the shared-secret text string.
encryption-type (Optional) Single-digit number that defines whether the text immediately following is encrypted, and, if so, what type of encryption is used. Currently defined encryption types are 0, which means that the text immediately following is not encrypted, and 7, which means that the text is encrypted using an encryption algorithm defined by Cisco.
string Shared-secret text string that is shared between the network access server and the client workstation. This shared-secret string must be the same on both systems.

Command Description: To enable inbound user sessions to be disconnected when specific session attributes are presented, use the aaa pod server command in global configuration mode. To disable this feature, use the no form of this command.

Usage Guidelines
To disconnect a session, the values in one or more of the key fields in the POD request must match the values for a session on one of the network access server ports. Which values must match depends on the auth-type attribute defined in the command. If no auth-type attribute is specified, all three values must match. If no match is found, all connections remain intact and an error response is returned. The key fields are as follows:
An h323-conf-id vendor-specific attribute (VSA) with the same content as received from the gateway for this call.
An h323-call-origin VSA with the same content as received from the gateway for the leg of interest.
A 16-byte Message Digest 5 (MD5) hash value that is carried in the authentication field of the POD request.
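Two things decide whether a POD request terminates anything: the 16-byte MD5 value in its authentication field has to verify under the configured server-key, and the session attributes it carries have to match according to auth-type. The following model is an added example, not Cisco code. It checks the authenticator the way RFC 5176 defines it for a Disconnect-Request (MD5 over Code, Identifier, Length, 16 zero octets, the attributes and the shared secret) and applies the any / all / session-key rules from the syntax description above; the sessions, attribute values and packet are constructed, and the attribute type numbers are the standard RADIUS ones (User-Name 1, Framed-IP-Address 8, Acct-Session-Id 44).

```python
"""Model of aaa pod server request authentication and session matching (constructed example, not Cisco code)."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Sequence

KEY_ATTRIBUTES = ("user-name", "framed-ip-address", "session-id", "session-key")
DISCONNECT_REQUEST = 40                               # RADIUS code of a Disconnect-Request (RFC 5176)
ATTR_USER_NAME, ATTR_FRAMED_IP, ATTR_ACCT_SESSION_ID = 1, 8, 44


@dataclass
class Session:
    """One active session on a network access server port."""
    port: str
    attributes: Dict[str, str]                        # keyed by the names in KEY_ATTRIBUTES


def select_sessions(sessions: Sequence[Session], pod: Dict[str, str], auth_type: str = "all") -> List[Session]:
    """Return the sessions a POD request carrying attributes `pod` may disconnect under `auth_type`."""
    if auth_type == "session-key":
        keys = ["session-key"]                        # every other attribute is ignored
    elif auth_type == "all":
        keys = list(KEY_ATTRIBUTES)                   # all four key attributes must be present and match
    elif auth_type == "any":
        keys = [k for k in KEY_ATTRIBUTES if k in pod]  # whatever the packet carries must all match
    else:
        raise ValueError(f"unknown auth-type {auth_type!r}")
    if not keys or any(k not in pod for k in keys):
        return []                                     # nothing usable to match on: no session is disconnected
    return [s for s in sessions if all(s.attributes.get(k) == pod[k] for k in keys)]


def tlv(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value."""
    return bytes([attr_type, len(value) + 2]) + value


def build_disconnect_request(identifier: int, attributes: bytes, secret: bytes) -> bytes:
    """Build a Disconnect-Request whose Request Authenticator is computed with the shared secret."""
    length = 20 + len(attributes)
    header = bytes([DISCONNECT_REQUEST, identifier]) + length.to_bytes(2, "big")
    authenticator = hashlib.md5(header + bytes(16) + attributes + secret).digest()
    return header + authenticator + attributes


def verify_disconnect_request(packet: bytes, secret: bytes) -> bool:
    """Recompute the Request Authenticator with our server-key and reject any mismatch."""
    if len(packet) < 20 or packet[0] != DISCONNECT_REQUEST:
        return False
    if int.from_bytes(packet[2:4], "big") != len(packet):
        return False                                  # declared length must match what arrived
    header, received, attributes = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attributes + secret).digest()
    return hmac.compare_digest(received, expected)


# Constructed sessions standing in for the NAS port table.
SESSIONS = [
    Session("Async1", {"user-name": "remotes", "framed-ip-address": "10.1.1.7",
                       "session-id": "0000001A", "session-key": "k-1a"}),
    Session("Async2", {"user-name": "remotes", "framed-ip-address": "10.1.1.8",
                       "session-id": "0000001B", "session-key": "k-1b"}),
]

# A constructed request aimed at the first session, signed with the key from the example below.
EXAMPLE_SECRET = b"xyz123"
EXAMPLE_ATTRIBUTES = (tlv(ATTR_USER_NAME, b"remotes")
                      + tlv(ATTR_FRAMED_IP, bytes([10, 1, 1, 7]))
                      + tlv(ATTR_ACCT_SESSION_ID, b"0000001A"))
EXAMPLE_PACKET = build_disconnect_request(7, EXAMPLE_ATTRIBUTES, EXAMPLE_SECRET)

if __name__ == "__main__":
    print("authenticator valid with configured key:", verify_disconnect_request(EXAMPLE_PACKET, EXAMPLE_SECRET))
    print("authenticator valid with a different key:", verify_disconnect_request(EXAMPLE_PACKET, b"cisco"))
    for mode in ("any", "all", "session-key"):
        hits = select_sessions(SESSIONS, {"user-name": "remotes"}, mode)
        print(f"auth-type {mode}: user-name alone disconnects {[s.port for s in hits]}")
```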

Example: The following example enables POD and sets the secret key to "xyz123":
router(config)#aaa pod server server-key xyz123

Misconceptions: none

Related commands:
aaa accounting delay-start
aaa accounting
debug aaa pod
radius-server host

Sample Configurations:
Router# show running-configuration
!
aaa authentication login h323 group radius
aaa authorization exec h323 group radius
aaa accounting update newinfo
aaa accounting connection h323 start-stop group radius
aaa pod server server-key cisco
aaa session-id common

Command Name: aaa preauth

Mode: router(config)#

Syntax:
aaa preauth
no aaa preauth

Syntax Description: This command has no arguments or keywords.

Command Description: To enter authentication, authorization, and accounting (AAA) preauthentication configuration mode, use the aaa preauth command in global configuration mode. To disable preauthentication, use the no form of this command.

Usage Guidelines
To enter AAA preauthentication configuration mode, use the aaa preauth command. To configure preauthentication, use a combination of the aaa preauth commands: group, clid, ctype, dnis, and dnis bypass. You must configure the group command. You must also configure one or more of the clid, ctype, dnis, or dnis bypass commands. In addition to using the preauthentication commands to configure preauthentication on the Cisco router, you must set up the preauthentication profiles on the RADIUS server. You can use the clid, ctype, or dnis commands to define the list of the preauthentication elements. For each preauthentication element, you can also define options such as password (for all the elements, the default password is cisco). If you specify multiple elements, the preauthentication process will be performed on each element according to the order of the elements that you configure with the preauthentication commands. In this case, more than one RADIUS preauthentication profile is returned, but only the last preauthentication profile will be applied to the authentication and authorization later on, if applicable.

Example: The following sample enables DNIS preauthentication using a RADIUS server and the password Ascend-DNIS:
router(config)#aaa preauth

Misconceptions: none

Related commands:
dnis (aaa preauthentication)
group
isdn guard-timer

Sample Configurations: The following sample enables DNIS preauthentication using a RADIUS server and the password Ascend-DNIS:
aaa preauth
 dnis password Ascend-DNIS

Command Name: aaa processes

Mode: router(config)#

Syntax:
aaa processes number
no aaa processes number

Syntax Description:
number Specifies the number of background processes allocated for AAA requests for PPP. Valid entries are 1 to 2147483647.

Command Description: To allocate a specific number of background processes to be used to process authentication, authorization, and accounting (AAA) authentication and authorization requests for PPP, use the aaa processes command in global configuration mode. To restore the default value for this command, use the no form of this command.

Usage Guidelines
Use the aaa processes command to allocate a specific number of background processes to simultaneously handle multiple AAA authentication and authorization requests for PPP. Previously, only one background process handled all AAA requests for PPP, so only one new user could be authenticated or authorized at a time. This command configures the number of processes used to handle AAA requests for PPP, increasing the number of users that can be simultaneously authenticated or authorized. The argument number defines the number of background processes earmarked to process AAA authentication and authorization requests for PPP. This argument also defines the number of new users that can be simultaneously authenticated and can be increased or decreased at any time.

Example: Ten background processes have been allocated to handle AAA requests for PPP.
router(config)# aaa processes 10

Misconceptions: none

Related commands:
show ppp queues

Sample Configurations: The following example shows the aaa processes command within a standard AAA configuration. The authentication method list "dialins" specifies RADIUS as the method of authentication, then (if the RADIUS server does not respond) local authentication will be used on serial lines using PPP. Ten background processes have been allocated to handle AAA requests for PPP.
aaa new-model
aaa authentication ppp dialins group radius local
aaa processes 10
interface 5
 encap ppp
 ppp authentication pap dialins

Command Name: access-profile

Mode: router>

Syntax:
access-profile [merge | replace] [ignore-sanity-checks]

Syntax Description:
merge (Optional) Like the default form of the command, this option removes existing ACLs while retaining other existing authorization attributes for the interface. However, using this option also installs per-user authorization attributes in addition to the existing attributes. (The default form of the command installs only new ACLs.) The per-user authorization attributes come from all attribute-value pairs defined in the authentication, authorization, and accounting (AAA) per-user configuration (the user's authorization profile). The resulting authorization attributes of the interface are a combination of the previous and new configurations.
replace (Optional) This option removes existing ACLs and all other existing authorization attributes for the interface. A complete new authorization configuration is then installed, using all AV pairs defined in the AAA per-user configuration. This option is not normally recommended because it initially deletes all existing configurations, including static routes. This could be detrimental if the new user profile does not reinstall appropriate static routes and other critical information.
ignore-sanity-checks (Optional) Enables you to use any AV pairs, whether or not they are valid.

Command Description: To apply your per-user authorization attributes to an interface during a PPP session, use the access-profile command in privileged EXEC mode. Use the default form of the command (no keywords) to cause existing access control lists (ACLs) to be removed and ACLs defined in your per-user configuration to be installed. Usage Guidelines Remote users can use this command to activate double authentication for a PPP session. Double authentication must be correctly configured for this command to have the desired effect.

You should use this command when remote users establish a PPP link to gain local network access. After you have been authenticated with CHAP (Challenge Handshake Authentication Protocol) or PAP (Password Authentication Protocol), you will have limited authorization. To activate double authentication and gain your appropriate user network authorization, you must open a Telnet session to the network access server and execute the access-profile command. (This command could also be set up as an autocommand, which would eliminate the need to enter the command manually.) This command causes all subsequent network authorizations to be made in your username instead of in the remote host's username. Any changes to the interface caused by this command will stay in effect for as long as the interface stays up. These changes will be removed when the interface goes down. This command does not affect the normal operation of the router or the interface. The default form of the command, access-profile, causes existing ACLs to be unconfigured (removed), and new ACLs to be installed. The new ACLs come from your per-user configuration on an AAA server (such as a TACACS+ server). The ACL replacement constitutes a reauthorization of your network privileges. The default form of the command can fail if your per-user configuration contains statements other than ACL AV pairs. Any protocols with non-ACL statements will be deconfigured, and no traffic for that protocol can pass over the PPP link. The access-profile merge form of the command causes existing ACLs to be unconfigured (removed) and new authorization information (including new ACLs) to be added to the interface. This new authorization information consists of your complete per-user configuration on an AAA server. If any of the new authorization statements conflict with existing statements, the new statements could "override" the old statements or be ignored, depending on the statement and applicable parser rules. 
The resulting interface configuration is a combination of the original configuration and the newly installed per-user configuration. The access-profile replace form of the command causes the entire existing authorization configuration to be removed from the interface, and the complete per-user authorization configuration to be added. This per-user authorization

Invalid AV pair types:
addr
addr-pool
zonelist
tunnel-id
ip-addresses
x25-addresses
frame-relay
source-ip
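The three forms of access-profile differ only in what they remove from the interface and what they install from the per-user profile, and the caution about replace (static routes disappear unless the profile reinstalls them) is easy to see when the attribute sets are written out. The following model is an added example, not Cisco IOS code: it treats the interface and the per-user profile as dictionaries of AV-pair type to value, uses the hypothetical type names inacl/outacl for ACL pairs and route/idletime for other attributes, and rejects the invalid AV pair types listed above unless ignore-sanity-checks is given. The page's note that a non-ACL statement under the default form deconfigures its whole protocol is not modelled.

```python
# Invalid AV pair types from the access-profile table; only
# ignore-sanity-checks lets a profile containing them through.
INVALID_AV_TYPES = {"addr", "addr-pool", "zonelist", "tunnel-id",
                    "ip-addresses", "x25-addresses", "frame-relay", "source-ip"}

# Hypothetical AV-pair type names treated as ACLs in this model.
ACL_TYPES = {"inacl", "outacl"}


def apply_access_profile(interface, per_user, mode="default",
                         ignore_sanity_checks=False):
    """Return the interface attributes after `access-profile [merge|replace]`.

    interface: current attribute type -> value on the interface
    per_user:  AV-pair type -> value from the AAA per-user configuration
    mode:      "default" (ACLs only), "merge" or "replace"
    Model of the behaviour the command text describes, not IOS code.
    """
    if mode not in ("default", "merge", "replace"):
        raise ValueError("unknown mode %r" % mode)
    if not ignore_sanity_checks:
        bad = INVALID_AV_TYPES & set(per_user)
        if bad:
            raise ValueError("invalid AV pair types in profile: %s" % sorted(bad))

    if mode == "replace":
        # Everything already on the interface goes, static routes included;
        # only what the profile carries comes back.
        return dict(per_user)

    # default and merge both start by removing the existing ACLs
    result = {k: v for k, v in interface.items() if k not in ACL_TYPES}
    if mode == "default":
        # only the ACL AV pairs from the profile are installed
        result.update({k: v for k, v in per_user.items() if k in ACL_TYPES})
    else:
        # merge: the whole profile is installed; new statements override old
        result.update(per_user)
    return result


def attributes_lost(interface, per_user, mode="default"):
    """Which interface attributes no longer exist after the command."""
    after = apply_access_profile(interface, per_user, mode)
    return sorted(set(interface) - set(after))


if __name__ == "__main__":
    # Constructed sample: an interface with a static route and an inbound ACL,
    # and a profile that carries ACLs and an idle timer but no route.
    iface = {"route": "10.0.0.0/8 via 10.1.1.1", "inacl": "101", "idletime": "30"}
    profile = {"inacl": "150", "outacl": "151", "idletime": "5"}
    for mode in ("default", "merge", "replace"):
        print(mode, apply_access_profile(iface, profile, mode),
              "lost:", attributes_lost(iface, profile, mode))
```

Running the sample shows the route survive the default and merge forms and vanish under replace, which is the scenario the replace description warns about.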

Example: The following example activates double authentication for a remote user. This example assumes that the access-profile command was not configured as an autocommand. The remote user runs a terminal emulation application to Telnet to the corporate network access server, a Cisco AS5200 universal access server local host named "hqnas." The remote user, named Bob, has the username "BobUser." The following example replaces ACLs on the local host PPP interface. The ACLs previously applied to the interface during PPP authorization are replaced with ACLs defined in the per-user configuration AV pairs. The remote user establishes a Telnet session to the local host and logs in:
login: BobUser
Password: <welcome>
hqnas> access-profile

Bob is reauthenticated when he logs in to hqnas, because hqnas is configured for login AAA authentication using the corporate RADIUS server. When Bob enters the access-profile command, he is reauthorized with his per-user configuration privileges. This causes the access lists and filters in his per-user configuration to be applied to the network access server interface. After the reauthorization is complete, Bob is automatically logged out of the Cisco AS5200 local host.

Misconceptions: none

Related commands:
connect
telnet

Sample Configurations:

Command Name: arap authentication
Mode: router(config-line)#
Syntax:
arap authentication {default | list-name} [one-time]
no arap authentication {default | list-name}

Syntax Description:
default - Default list created with the aaa authentication arap command.
list-name - Indicated list created with the aaa authentication arap command.
one-time - (Optional) Accepts the username and password in the username field.

Command Description: To enable authentication, authorization, and accounting (AAA) authentication for AppleTalk Remote Access Protocol (ARAP) on a line, use the arap authentication command in line configuration mode. To disable authentication for an ARAP line, use the no form of the command.

Usage Guidelines: This command is a per-line command that specifies the name of a list of AAA authentication methods to try at login. If no list is specified, the default list is used (whether or not it is specified in the command line). You create defaults and lists with the aaa authentication arap command. Entering the no version of arap authentication has the same effect as entering the command with the default keyword. Before issuing this command, create a list of authentication processes by using the aaa authentication arap global configuration command.

Example: The following example specifies that the TACACS+ authentication list called MIS-access is used on ARAP line 7:
router(config)#line 7
router(config-line)#arap authentication MIS-access

Misconceptions: ARAP authentication uses the default set with the aaa authentication arap command. If no default is set, the local user database is checked.

Related commands:
aaa authentication arap

Sample Configurations:

Command Name: clear ip trigger-authentication
Mode: router#
Syntax:
clear ip trigger-authentication

Syntax Description: This command has no arguments or keywords.

Command Description: To clear the list of remote hosts for which automated double authentication has been attempted, use the clear ip trigger-authentication command in privileged EXEC mode.

Example: The following example clears the remote host table:
router# clear ip trigger-authentication

Misconceptions: none

Related commands:
show ip trigger-authentication

Sample Configurations:
Router# show ip trigger-authentication
Trigger-authentication Host Table:
Remote Host        Time Stamp
172.21.127.114     2940514234
router# clear ip trigger-authentication
router# show ip trigger-authentication
router#

Command Name: dnis (aaa preauthentication)
Mode: router(config-preauth)#
Syntax:
dnis [if-avail | required] [accept-stop] [password string]
no dnis [if-avail | required] [accept-stop] [password string]

Syntax Description:
if-avail - (Optional) Implies that if the switch provides the data, RADIUS must be reachable and must accept the string in order for preauthentication to pass. If the switch does not provide the data, preauthentication passes.
required - (Optional) Implies that the switch must provide the associated data, that RADIUS must be reachable, and that RADIUS must accept the string in order for preauthentication to pass. If these three conditions are not met, preauthentication fails.
accept-stop - (Optional) Prevents subsequent preauthentication elements from being tried once preauthentication has succeeded for a call element.
password string - (Optional) Password to use in the Access-Request packet. The default is cisco.

Command Description: To preauthenticate calls on the basis of the Dialed Number Identification Service (DNIS) number, use the dnis authentication, authorization, and accounting (AAA) preauthentication configuration command. To remove the dnis command from your configuration, use the no form of this command. You may configure more than one of the AAA preauthentication commands (clid, ctype, dnis) to set conditions for preauthentication. The sequence of the command configuration decides the sequence of the preauthentication conditions. For example, if you configure dnis, then clid, then ctype, then this is the order of the conditions considered in the preauthentication process. In addition to using the preauthentication commands to configure preauthentication on the Cisco router, you must set up the preauthentication profiles on the RADIUS server.

Example: The following example enables DNIS preauthentication using a RADIUS server and the password Ascend-DNIS:
router(config)#aaa preauth
router(config-preauth)#group radius
router(config-preauth)#dnis password Ascend-DNIS

Misconceptions: none

Related commands:
aaa preauth
group
isdn guard-timer

Sample Configurations:

Command Name: group
Mode: router(config-preauth)#
Syntax:
group {tacacs+ | server-group}
no group {tacacs+ | server-group}

Syntax Description:
tacacs+ - Uses a TACACS+ server for authentication.
server-group - Name of the server group to use for authentication.

Command Description: To specify the authentication, authorization, and accounting (AAA) TACACS+ server group to use for preauthentication, use the group command in AAA preauthentication configuration mode. To remove the group command from your configuration, use the no form of this command. You must configure the group command before you configure any other AAA preauthentication command (clid, ctype, dnis, or dnis bypass).

Example: The following example enables Dialed Number Identification Service (DNIS) preauthentication using the abc123 server group and the password aaa-DNIS:
router(config)#aaa preauth
router(config-preauth)#group abc123
router(config-preauth)#dnis password aaa-DNIS

Misconceptions: none

Related commands:
aaa preauth
dnis (aaa preauthentication)

Sample Configurations:
aaa preauth
group abc123
dnis password aaa-DNIS
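The if-avail, required and accept-stop keywords of the dnis, clid and ctype preauthentication commands combine into a small decision procedure that is easier to check in code than in prose. The following model is an added example and not Cisco IOS code: elements are evaluated in the order they were configured, the server group configured with the group command is represented by a callable (or None when it is unreachable), and the call data the switch supplies is a constructed dictionary. One assumption is labelled in the code: without accept-stop, every configured element must pass for the call to pass.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class PreauthElement:
    """One element in AAA preauthentication configuration, in configured order."""
    name: str                   # "dnis", "clid" or "ctype"
    required: bool = False      # True = required keyword, False = if-avail
    accept_stop: bool = False   # accept-stop keyword
    password: str = "cisco"     # password sent in the Access-Request (default cisco)


@dataclass
class CallInfo:
    """Data the switch delivered with the incoming call (constructed sample)."""
    data: Dict[str, str]        # e.g. {"dnis": "5551234", "clid": "5550100"}


# A preauthentication server answers accept (True) or reject (False) for one
# (element name, value, password) triple; None models an unreachable group.
PreauthServer = Optional[Callable[[str, str, str], bool]]


def preauthenticate(elements: List[PreauthElement], call: CallInfo,
                    server: PreauthServer) -> bool:
    """Return True when the call passes preauthentication.

    Assumption of this model: without accept-stop, each configured element
    must pass in turn; any failing element fails the call.
    """
    for el in elements:
        value = call.data.get(el.name)
        if value is None:
            if el.required:
                return False            # required: switch must provide the data
            continue                    # if-avail: missing data passes this element
        if server is None:
            return False                # server group must be reachable
        if not server(el.name, value, el.password):
            return False                # server must accept the string
        if el.accept_stop:
            return True                 # success here ends the evaluation
    return True


def sample_server(name: str, value: str, password: str) -> bool:
    """Constructed stand-in for the RADIUS preauthentication profiles."""
    allowed = {("dnis", "5551234", "Ascend-DNIS"), ("clid", "5550100", "cisco")}
    return (name, value, password) in allowed


if __name__ == "__main__":
    elements = [PreauthElement("dnis", required=True, password="Ascend-DNIS"),
                PreauthElement("clid")]
    print(preauthenticate(elements, CallInfo({"dnis": "5551234"}), sample_server))
    print(preauthenticate(elements, CallInfo({}), sample_server))
```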

Command Name: ip trigger-authentication (interface)
Mode: router(config-if)#
Syntax:
ip trigger-authentication
no ip trigger-authentication

Syntax Description: This command has no arguments or keywords.

Command Description: To specify automated double authentication at an interface, use the ip trigger-authentication command in interface configuration mode. To turn off automated double authentication at an interface, use the no form of this command.

Usage Guidelines: Configure this command on the local router or network access server that remote users dial into. Use this command only if the local device has already been configured to provide double authentication and if automated double authentication has been enabled with the ip trigger-authentication (global) command. This command causes double authentication to occur automatically when users dial into the interface.

Example: The following example turns on automated double authentication at the ISDN BRI interface BRI0:
router(config-if)#ip trigger-authentication

Misconceptions: none

Related commands:
ip trigger-authentication (global)

Sample Configurations:
interface BRI0
ip trigger-authentication
encapsulation ppp
ppp authentication chap

Command Name: ip trigger-authentication (global)
Mode: router(config)#
Syntax:
ip trigger-authentication [timeout seconds] [port number]
no ip trigger-authentication

Syntax Description:
timeout seconds - (Optional) Specifies how frequently the local device sends a User Datagram Protocol (UDP) packet to the remote host to request the user's username and password (or PIN). The default is 90 seconds. See "The Timeout Keyword" in the Usage Guidelines section for details.
port number - (Optional) Specifies the UDP port to which the local router should send the UDP packet requesting the user's username and password (or PIN). The default is port 7500. See "The Port Keyword" in the Usage Guidelines section for details.

Command Description: To enable the automated part of double authentication at a device, use the ip trigger-authentication command in global configuration mode. To disable the automated part of double authentication, use the no form of this command.

Usage Guidelines: Configure this command on the local device (router or network access server) that remote users dial in to. Use this command only if the local device has already been configured to provide double authentication; this command enables automation of the second authentication of double authentication.

The Timeout Keyword: During the second authentication stage of double authentication, when the remote user is authenticated, the remote user must send a username and password (or PIN) to the local device. With automated double authentication, the local device sends a UDP packet to the remote user's host during the second user-authentication stage. This UDP packet triggers the remote host to launch a dialog box requesting a username and password (or PIN). If the local device does not receive a valid response to the UDP packet within a timeout period, the local device will send another UDP packet. The device will continue to send UDP packets at the timeout intervals until it receives a response and can authenticate the user.

By default, the UDP packet timeout interval is 90 seconds. Use the timeout keyword to specify a different interval. (This timeout also applies to how long entries will remain in the remote host table; see the show ip trigger-authentication command for details.)

The Port Keyword: As described in the previous section, the local device sends a UDP packet to the remote user's host to request the user's username and password (or PIN). This UDP packet is sent to UDP port 7500 by default. (The remote host client software listens to UDP port 7500 by default.) If you need to change the port number because port 7500 is used by another application, change it using the port keyword. If you change the port number, you need to change it in both places: on the local device and in the remote host client software.

Example: The following example globally enables automated double authentication and sets the timeout to 120 seconds:
router(config)#ip trigger-authentication timeout 120

Misconceptions: none

Related commands:
ip trigger-authentication (interface)
show ip trigger-authentication

Sample Configurations:

Command Name: login authentication
Mode: router(config-line)#
Syntax:
login authentication {default | list-name}
no login authentication {default | list-name}

Syntax Description:
default - Uses the default list created with the aaa authentication login command.
list-name - Uses the indicated list created with the aaa authentication login command.

Command Description: To enable authentication, authorization, and accounting (AAA) authentication for logins, use the login authentication command in line configuration mode. To return to the default specified by the aaa authentication login command, use the no form of this command.

Usage Guidelines: This command is a per-line command used with AAA that specifies the name of a list of AAA authentication methods to try at login. If no list is specified, the default list is used (whether or not it is specified in the command line).

Caution: If you use a list-name value that was not configured with the aaa authentication login command, you will disable login on this line.

Entering the no version of login authentication has the same effect as entering the command with the default keyword. Before issuing this command, create a list of authentication processes by using the global configuration aaa authentication login command.

Example: The following example specifies that the default AAA authentication is to be used on line 4:
router(config)#line 4
router(config-line)#login authentication default

The following example specifies that the AAA authentication list called list1 is to be used on line 7:
router(config)#line 7
router(config-line)#login authentication list1

Misconceptions: none

Related commands:
aaa authentication login

Sample Configurations:

Command Name: nasi authentication
Mode: router(config-line)#
Syntax:
nasi authentication {default | list-name}
no nasi authentication {default | list-name}

Syntax Description:
default - Uses the default list created with the aaa authentication nasi command.
list-name - Uses the list created with the aaa authentication nasi command.

Command Description: To enable authentication, authorization, and accounting (AAA) authentication for NetWare Asynchronous Services Interface (NASI) clients connecting to a router, use the nasi authentication command in line configuration mode. To return to the default, as specified by the aaa authentication nasi command, use the no form of the command.

Usage Guidelines: This command is a per-line command used with AAA authentication that specifies the name of a list of authentication methods to try at login. If no list is specified, the default list is used, even if it is not specified in the command line. (You create defaults and lists with the aaa authentication nasi command.) Entering the no form of this command has the same effect as entering the command with the default argument.

Caution: If you use a list-name value that was not configured with the aaa authentication nasi command, you will disable login on this line.

Before issuing this command, create a list of authentication processes by using the aaa authentication nasi global configuration command.

Example: The following example specifies that the default AAA authentication be used on line 4:
router(config)#line 4
router(config-line)#nasi authentication default

The following example specifies that the AAA authentication list called list1 be used on line 7:
router(config)#line 7
router(config-line)#nasi authentication list1

Misconceptions: none

Related commands:
aaa authentication nasi
ipx nasi-server enable
show ipx nasi connections
show ipx spx-protocol

Sample Configurations:
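The login authentication and nasi authentication entries both carry the same caution (an unconfigured list-name disables login on the line), and the aaa processes sample above shows a list, "dialins", whose second method is only reached "if the RADIUS server does not respond". The following model is an added example, not Cisco IOS code, of how a named method list is resolved and walked: a method that cannot answer (server unreachable) hands over to the next method, an explicit reject ends the search as a failure, and a list name that was never created fails outright. The RADIUS and local methods are constructed stand-ins backed by in-memory dictionaries; their three-way outcome (pass, fail, error) is the assumption the model rests on.

```python
from typing import Callable, Dict, List, Optional

# Outcome of one method. The next method in a list is consulted only on
# ERROR (no answer); a FAIL is an explicit rejection and ends the search.
PASS, FAIL, ERROR = "pass", "fail", "error"

Method = Callable[[str, str], str]


def make_radius(users: Dict[str, str], reachable: bool) -> Method:
    """Constructed stand-in for 'group radius'; users is the server's database."""
    def radius(username: str, password: str) -> str:
        if not reachable:
            return ERROR                          # no response from the server
        return PASS if users.get(username) == password else FAIL
    return radius


def make_local(users: Dict[str, str]) -> Method:
    """Constructed stand-in for 'local' (the username/password commands)."""
    def local(username: str, password: str) -> str:
        return PASS if users.get(username) == password else FAIL
    return local


def authenticate(method_lists: Dict[str, List[str]], list_name: Optional[str],
                 methods: Dict[str, Method], username: str, password: str) -> bool:
    """Resolve a method list by name and try its methods in order.

    method_lists maps a list name (or "default") to its ordered methods, as
    created with aaa authentication login / ppp. A list-name that was never
    configured disables the line: nothing is tried and the login fails.
    """
    name = list_name or "default"
    if name not in method_lists:
        return False
    for method_name in method_lists[name]:
        outcome = methods[method_name](username, password)
        if outcome == PASS:
            return True
        if outcome == FAIL:
            return False                          # explicit reject: stop here
        # ERROR: fall through to the next method
    return False                                  # every method was unable to answer


# Lists as the sample configuration above would create them.
METHOD_LISTS = {"default": ["group radius"], "dialins": ["group radius", "local"]}

# Constructed credential stores for the two backends.
RADIUS_USERS = {"alice": "radius-pw"}
LOCAL_USERS = {"alice": "local-pw", "ops": "fallback-pw"}


def methods_with_radius(reachable: bool) -> Dict[str, Method]:
    return {"group radius": make_radius(RADIUS_USERS, reachable),
            "local": make_local(LOCAL_USERS)}


if __name__ == "__main__":
    up, down = methods_with_radius(True), methods_with_radius(False)
    print("dialins, radius up, radius password :", authenticate(METHOD_LISTS, "dialins", up, "alice", "radius-pw"))
    print("dialins, radius up, local password  :", authenticate(METHOD_LISTS, "dialins", up, "alice", "local-pw"))
    print("dialins, radius down, local password:", authenticate(METHOD_LISTS, "dialins", down, "alice", "local-pw"))
    print("unconfigured list 'list1'           :", authenticate(METHOD_LISTS, "list1", up, "alice", "radius-pw"))
```

The second line of the sample output is the point worth remembering: with the server reachable, a password that only the local database knows is rejected, because RADIUS answered FAIL and the local method was never consulted.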

Command Name: ppp authentication
Mode: router(config-if)#
Syntax:
ppp authentication {protocol1 [protocol2...]} [if-needed] [list-name | default] [callin] [one-time]
no ppp authentication

Syntax Description:
protocol1 [protocol2...] - Specify at least one of the keywords described below.
chap - Enables CHAP on a serial interface.
ms-chap - Enables Microsoft's version of CHAP (MS-CHAP) on a serial interface.
pap - Enables PAP on a serial interface.
if-needed - (Optional) Used with TACACS and extended TACACS. Does not perform CHAP or PAP authentication if the user has already provided authentication. This option is available only on asynchronous interfaces.
list-name - (Optional) Used with AAA. Specifies the name of a list of methods of authentication to use. If no list name is specified, the system uses the default. The list is created with the aaa authentication ppp command.
default - (Optional) The name of the method list is created with the aaa authentication ppp command.
callin - (Optional) Specifies authentication on incoming (received) calls only.
one-time - (Optional) Accepts the username and password in the username field.

Command Description: To enable Challenge Handshake Authentication Protocol (CHAP) or Password Authentication Protocol (PAP) or both and to specify the order in which CHAP and PAP authentication are selected on the interface, use the ppp authentication command in interface configuration mode. To disable this authentication, use the no form of this command.

Usage Guidelines: When you enable CHAP or PAP authentication (or both), the local router requires the remote device to prove its identity before allowing data traffic to flow. PAP authentication requires the remote device to send a name and a password, which is checked against a matching entry in the local username database or in the remote security server database. CHAP authentication sends a challenge message to the remote device. The remote device encrypts the challenge value with a shared secret and returns the encrypted value and its name to the local router in a Response message. The local router attempts to match the remote device's name with an associated secret stored in the local username or remote security server database; it uses the stored secret to encrypt the original challenge and verify that the encrypted values match.

You can enable CHAP, MS-CHAP, or PAP in any order. If you enable all three methods, the first method specified is requested during link negotiation. If the peer suggests using the second method, or refuses the first method, the second method is tried. Some remote devices support only one method. Base the order in which you specify methods on the remote device's ability to correctly negotiate the appropriate method, and on the level of data line security you require. PAP usernames and passwords are sent as clear text strings, which can be intercepted and reused.

Caution: If you use a list-name value that was not configured with the aaa authentication ppp command, you will disable PPP on this interface.

Example: The following example enables CHAP on asynchronous interface 4 and uses the authentication list MIS-access:
router(config)#interface async 4
router(config-if)#encapsulation ppp
router(config-if)#ppp authentication chap MIS-access

Misconceptions: none

Related commands:
aaa authentication ppp
aaa new-model
autoselect
encapsulation
username

Sample Configurations: The following example is a sample NAS configuration for AAA and incoming modem calls:
interface Serial0:15
no ip address
isdn switch-type primary-net5
isdn incoming-voice modem
!
interface Async1
ip address 7.0.0.10 255.0.0.0
encapsulation ppp
async default routing
async mode interactive
no peer default ip address
ppp authentication chap
!
line 1
modem InOut
transport preferred none
transport input all
autoselect ppp
!
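The Usage Guidelines above describe the CHAP exchange in words and close with the reason to prefer it over PAP: PAP credentials are sent in the clear and can be reused. The following is an added example, not Cisco code, that implements the authenticator side of CHAP as RFC 1994 defines it (the "encryption" the text refers to is the MD5 digest of identifier, secret and challenge) and then shows the reuse problem concretely: a captured PAP name/password pair still authenticates, while a captured CHAP response is useless against the next challenge. The peer names, secrets and the use of a constant-time comparison are the example's own choices; the name-to-secret table stands in for the local username database or the security server.

```python
import hashlib
import hmac
import os


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge).
    Only this digest crosses the link; the shared secret itself never does."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """The local router's side of CHAP on a 'ppp authentication chap' interface.

    secrets maps peer name -> shared secret, standing in for the local
    username database or the security server's answer (constructed data).
    """

    def __init__(self, secrets):
        self.secrets = secrets
        self.ident = 0

    def challenge(self):
        """Send a Challenge: a new Identifier and 16 fresh random bytes."""
        self.ident = (self.ident + 1) & 0xFF
        return self.ident, os.urandom(16)

    def verify(self, ident, challenge, peer_name, response):
        """Recompute the digest from the secret stored for the peer's name."""
        secret = self.secrets.get(peer_name)
        if secret is None:
            return False                                  # unknown peer name
        expected = chap_response(ident, secret, challenge)
        return hmac.compare_digest(expected, response)    # constant-time compare


def pap_verify(credentials, name, password):
    """PAP: the peer sends name and password in the clear; we just compare."""
    return credentials.get(name) == password


def replay_demo():
    """Replay a captured exchange of each protocol. Returns (pap_ok, chap_ok)."""
    db = {b"routerB": b"s3cret"}                          # constructed sample

    # PAP: whoever saw the name/password pair on the wire can present it again.
    captured_pap = (b"routerB", b"s3cret")
    pap_ok = pap_verify(db, *captured_pap)

    # CHAP: record one genuine exchange ...
    auth = ChapAuthenticator(db)
    ident, chal = auth.challenge()
    captured_resp = chap_response(ident, db[b"routerB"], chal)   # the peer's answer
    assert auth.verify(ident, chal, b"routerB", captured_resp)   # genuine login passes
    # ... and present the recorded Response to the next link setup, which
    # carries a fresh challenge: the digest no longer matches.
    ident2, chal2 = auth.challenge()
    chap_ok = auth.verify(ident2, chal2, b"routerB", captured_resp)
    return pap_ok, chap_ok


if __name__ == "__main__":
    print("captured PAP accepted: %s, captured CHAP accepted: %s" % replay_demo())
```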

Command Name: ppp chap hostname
Mode: router(config-if)#
Syntax:
ppp chap hostname hostname
no ppp chap hostname hostname

Syntax Description:
hostname - The name sent in the CHAP challenge.

Command Description: To create a pool of dialup routers that all appear to be the same host when authenticating with Challenge Handshake Authentication Protocol (CHAP), use the ppp chap hostname command in interface configuration mode. To disable this function, use the no form of the command.

Usage Guidelines: The ppp chap hostname command allows you to specify a common alias for all routers in a rotary group to use so that only one username must be configured on the dialing routers. This command is normally used with local CHAP authentication (when the router authenticates to the peer), but it can also be used for remote CHAP authentication.

Example: The following example identifies dialer interface 0 as the dialer rotary group leader and specifies "ppp" as the encapsulation method used by all member interfaces. This example shows that CHAP authentication is used on received calls only and the username ISPCorp will be sent in all CHAP challenges and responses.
router(config)#interface dialer 0
router(config-if)#encapsulation ppp
router(config-if)#ppp authentication chap callin
router(config-if)#ppp chap hostname ISPCorp

Misconceptions: none

Related commands:
aaa authentication ppp
ppp authentication
ppp chap password
ppp chap refuse
ppp chap wait

Sample Configurations: The following shows a sample configuration for voice and data on the same B-channel when configuring ISDN.
class-map match-all VoIP-RTP
match ip dscp ef
!
class-map match-all VoIP-SIG
match ip dscp af31
!
policy-map voice-and-data
class VoIP-RTP
priority 40
!
class VoIP-SIG
bandwidth 8
!
interface BRI0/0
encapsulation ppp
dialer pool-member 1
ppp authentication chap
!
interface Dialer1
encapsulation ppp
bandwidth 64
!
dialer pool 1
dialer remote-name routerB-dialer1
dialer-group 1
dialer string 12345678
service-policy output voice-and-data
!
ppp authentication chap
ppp chap hostname routerA-dialer1
ppp chap password cisco
ppp multilink
ppp multilink fragment-delay 10
!
ppp multilink interleave
!
ip rtp header-compression

Command Name: ppp chap password
Mode: router(config-if)#
Syntax:
ppp chap password secret
no ppp chap password secret

Syntax Description:
secret - The secret used to compute the response value for any CHAP challenge from an unknown peer.

Command Description: To enable a router calling a collection of routers that do not support this command (such as routers running older Cisco IOS software images) to configure a common Challenge Handshake Authentication Protocol (CHAP) secret password to use in response to challenges from an unknown peer, use the ppp chap password command in interface configuration mode. To disable the PPP CHAP password, use the no form of this command.

Usage Guidelines: This command allows you to replace several username and password configuration commands with a single copy of this command on any dialer interface or asynchronous group interface. This command is used for remote CHAP authentication only (when routers authenticate to the peer) and does not affect local CHAP authentication.

Example: The commands in the following example specify ISDN BRI number 0. The method of encapsulation on the interface is PPP. If a CHAP challenge is received from a peer whose name is not found in the global list of usernames, the encrypted secret 7 1267234591 is decrypted and used to create a CHAP response value.
router(config)#interface bri 0
router(config-if)#encapsulation ppp
router(config-if)#ppp chap password 7 1234567891

Misconceptions: none

Related commands:
aaa authentication ppp
ppp authentication
ppp chap hostname
ppp chap refuse
ppp chap wait

Sample Configurations: The following shows a sample configuration for voice and data on the same B-channel when configuring ISDN.
class-map match-all VoIP-RTP
match ip dscp ef
!
class-map match-all VoIP-SIG
match ip dscp af31
!
policy-map voice-and-data
class VoIP-RTP
priority 40
!
class VoIP-SIG
bandwidth 8
!
interface BRI0/0
encapsulation ppp
dialer pool-member 1
ppp authentication chap
!
interface Dialer1
encapsulation ppp
bandwidth 64
!
dialer pool 1
dialer remote-name routerB-dialer1
dialer-group 1
dialer string 12345678
service-policy output voice-and-data
!
ppp authentication chap
ppp chap hostname routerA-dialer1
ppp chap password cisco
ppp multilink
ppp multilink fragment-delay 10
!
ppp multilink interleave

Command Name: ppp chap refuse
Mode: router(config-if)#
Syntax:
ppp chap refuse [callin]
no ppp chap refuse [callin]

Syntax Description:
callin - (Optional) This keyword specifies that the router will refuse to answer CHAP authentication challenges received from the peer, but will still require the peer to answer any CHAP challenges the router sends.

Command Description: To refuse Challenge Handshake Authentication Protocol (CHAP) authentication from peers requesting it, use the ppp chap refuse command in interface configuration mode. To allow CHAP authentication, use the no form of this command.

Usage Guidelines: This command specifies that CHAP authentication is disabled for all calls, meaning that all attempts by the peer to force the user to authenticate using CHAP will be refused. If the callin keyword is used, CHAP authentication is disabled for incoming calls from the peer, but will still be performed on outgoing calls to the peer. If outbound Password Authentication Protocol (PAP) has been enabled (using the ppp pap sent-username command), PAP will be suggested as the authentication method in the refusal packet.

Example: The following example specifies ISDN BRI number 0. The method of encapsulation on the interface is PPP. This example disables CHAP authentication from occurring if a peer calls in requesting CHAP authentication.
router(config)#interface bri 0
router(config-if)#encapsulation ppp
router(config-if)#ppp chap refuse

Misconceptions: none

Related commands:
aaa authentication ppp
ppp authentication
ppp chap hostname
ppp chap password
ppp chap wait

Sample Configurations:

Command Name: ppp chap wait
Mode: router(config-if)#
Syntax:
ppp chap wait secret
no ppp chap wait secret

Syntax Description:
secret - The secret used to compute the response value for any CHAP challenge from an unknown peer.

Command Description: To specify that the router will not authenticate to a peer requesting Challenge Handshake Authentication Protocol (CHAP) authentication until after the peer has authenticated itself to the router, use the ppp chap wait command in interface configuration mode. To allow the router to respond immediately to an authentication challenge, use the no form of this command.

Usage Guidelines: This command (which is enabled by default) specifies that the router will not authenticate to a peer requesting CHAP authentication until the peer has authenticated itself to the router. The no form of this command specifies that the router will respond immediately to an authentication challenge.

Example: The following example specifies ISDN BRI number 0. The method of encapsulation on the interface is PPP. This example disables the default, meaning that users do not have to wait for peers to complete CHAP authentication before authenticating themselves.
router(config)#interface bri 0
router(config-if)#encapsulation ppp
router(config-if)#no ppp chap wait

Misconceptions: none

Related commands:
aaa authentication ppp
ppp authentication
ppp chap hostname
ppp chap password
ppp chap refuse

Sample Configurations:
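The four ppp chap commands above (hostname, password, refuse, wait) all shape one decision: what the local router does when a peer challenges it. Seeing them together as one function makes their interaction clearer than the four entries read separately, in particular the order in which refuse, wait and the secret lookup apply. The following is an added example and not Cisco IOS code; the ordering of the checks, the outcome names and the "no-secret" case for a peer that is neither in the username database nor covered by ppp chap password are this model's assumptions, and the ppp pap sent-username flag only decides whether the refusal suggests PAP, as the ppp chap refuse text describes.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


@dataclass
class ChapPeerConfig:
    """Per-interface settings taken from the ppp chap * commands (a model)."""
    router_hostname: bytes                  # name used when no alias is set
    usernames: Dict[bytes, bytes]           # username <name> password <secret>
    chap_hostname: Optional[bytes] = None   # ppp chap hostname <alias>
    chap_password: Optional[bytes] = None   # ppp chap password <secret>
    chap_wait: bool = True                  # ppp chap wait (on by default)
    chap_refuse: Optional[str] = None       # None, "all" or "callin"
    pap_sent_username: bool = False         # ppp pap sent-username configured


def handle_challenge(cfg: ChapPeerConfig, ident: int, challenge: bytes,
                     peer_name: bytes, incoming_call: bool, peer_authenticated: bool):
    """Decide the local router's reply to a CHAP Challenge from peer_name.

    Returns one of:
      ("refuse", "pap" | None)          ppp chap refuse [callin] applies
      ("wait", None)                    ppp chap wait: peer must authenticate first
      ("no-secret", None)               nothing to answer with (model assumption)
      ("response", (name, digest))      the Response packet's name and value
    """
    # 1. ppp chap refuse: refuse every challenge, or only those on incoming calls
    if cfg.chap_refuse == "all" or (cfg.chap_refuse == "callin" and incoming_call):
        return ("refuse", "pap" if cfg.pap_sent_username else None)
    # 2. ppp chap wait: do not answer until the peer has proven itself to us
    if cfg.chap_wait and not peer_authenticated:
        return ("wait", None)
    # 3. choose the secret: the peer's username entry, else the common
    #    ppp chap password secret that covers challenges from unknown peers
    secret = cfg.usernames.get(peer_name, cfg.chap_password)
    if secret is None:
        return ("no-secret", None)
    # 4. the name we send is the ppp chap hostname alias when one is configured
    name = cfg.chap_hostname or cfg.router_hostname
    return ("response", (name, chap_response(ident, secret, challenge)))


if __name__ == "__main__":
    # Constructed sample: rotary-group member answering as the alias ISPCorp.
    cfg = ChapPeerConfig(router_hostname=b"nas1", usernames={b"routerB": b"s3cret"},
                         chap_hostname=b"ISPCorp", chap_password=b"common")
    for known in (b"routerB", b"unknown-peer"):
        print(known, handle_challenge(cfg, 7, b"\x01" * 16, known, True, True)[0])
```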

Command Name: ppp pap refuse
Mode: router(config-if)#
Syntax:
ppp pap refuse
no ppp pap refuse

Syntax Description: This command has no arguments or keywords.

Command Description: To refuse a peer request to authenticate remotely with PPP using Password Authentication Protocol (PAP), use the ppp pap refuse interface configuration command. To disable the refusal, use the no form of this command. This is a per-interface command.

Example: The following example shows how to use the ppp pap refuse command to refuse a peer request for remote authentication:
router(config)#interface dialer 0
router(config-if)#encapsulation ppp
router(config-if)#ppp pap refuse

Misconceptions: none

Related commands:
aaa authentication ppp
encapsulation ppp
ppp authentication
ppp pap sent-username

Sample Configurations:

Command Name: Mode: Syntax:

ppp pap sent-username router(config-if)#

pap sent-username username password password no ppp pap sent-username Syntax Description:
username Username sent in the PAP authentication request.

password

Password sent in the PAP authentication request.

password

Must contain from 1 to 25 uppercase and lowercase alphanumeric characters.

Command Description: To reenable remote Password Authentication Protocol (PAP) support for an interface and use the sent-username and password in the PAP authentication request packet to the peer, use the ppp pap sent-username command in interface configuration mode. To disable remote PAP support, use the no form of this command.

Usage Guidelines
Use this command to reenable remote PAP support (for example, to respond to the peer's request to authenticate with PAP) and to specify the parameters to be used when sending the PAP authentication request. This is a per-interface command; you must configure it on each interface.

Example: The following example identifies dialer interface 0 as the dialer rotary group leader and specifies PPP as the encapsulation used by the interface. Authentication is by CHAP or PAP on received calls only. ISPCorp is the username sent to the peer if the peer requires the router to authenticate with PAP.

router(config)#interface dialer0
router(config-if)#encapsulation ppp
router(config-if)#ppp authentication chap pap callin
router(config-if)#ppp chap hostname ISPCorp
router(config-if)#ppp pap sent-username ISPCorp password 7 fjhfeu

Misconceptions: none

Related commands: aaa authentication ppp, ppp authentication, ppp chap hostname, ppp chap password

Sample Configurations:

crypto isakmp policy 10
 authentication pre-share
!
crypto isakmp key pre-shared address 10.1.1.5
!
crypto ipsec transform-set strong esp-des esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
 set peer 10.1.1.5
 set transform-set strong
 match address 102
!
interface ATM0/0
 no ip address
 atm vc-per-vp 256
 no atm ilmi-keepalive
 pvc 0/35
  oam-pvc 0
  encapsulation aal5mux ppp Virtual-Template1
 !
 dsl operating-mode auto
 no fair-queue
 crypto map vpn
!
interface FastEthernet0/1
 ip address 1.1.1.1 255.255.255.0
 speed 100
 duplex full
!
interface Virtual-Template1
 ip address 10.1.100.101 255.255.255.0
 ppp pap sent-username 2621a password 7 045802150C2E
 crypto map vpn
!
ip classless
!
ip route 2.2.2.0 255.255.255.0 10.1.1.5
ip route 10.1.1.0 255.255.255.0 10.1.100.1
!
access-list 102 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
!
end

Command Name: show ip trigger-authentication
Mode: router#
Syntax:
show ip trigger-authentication

Syntax Description: This command has no arguments or keywords.

Command Description: To view the list of remote hosts for which automated double authentication has been attempted, use the show ip trigger-authentication command in privileged EXEC mode.

Usage Guidelines
Whenever a remote user needs to be user-authenticated in the second stage of automated double authentication, the local device sends a User Datagram Protocol (UDP) packet to the remote user's host. When the UDP packet is sent, the user's host IP address is added to a table. If additional UDP packets are sent to the same remote host, a new table entry is not created; instead, the existing entry is updated with a new time stamp. This remote host table contains a cumulative list of host entries; entries are deleted after a timeout period or after you manually clear the table using the clear ip trigger-authentication command. You can change the timeout period with the ip trigger-authentication (global) command. Use this command to view the list of remote hosts for which automated double authentication has been attempted.

Example:
Router# show ip trigger-authentication

Misconceptions: none

Related commands: clear ip trigger-authentication

Sample Configurations:
Router# show ip trigger-authentication
Trigger-authentication Host Table:
Remote Host        Time Stamp
172.21.127.114     2940514234

Command Name: show ppp queues
Mode: router#
Syntax:
show ppp queues

Syntax Description: This command has no arguments or keywords.

Command Description: To monitor the number of requests processed by each authentication, authorization, and accounting (AAA) background process, use the show ppp queues command in privileged EXEC mode. The fields in the output of show ppp queues are described below.

Field - Description
Proc # - Identifies the background process allocated by the aaa processes command to handle AAA requests for PPP. All of the data in this row relates to this process.
pid= - Identification number of the background process.
authens= - Number of authentication requests the process has performed.
avg. rtt= - Average delay (in seconds) until the authentication request was completed.
authors= - Number of authorization requests the process has performed.
queue len= - Current queue length.
max len= - Maximum length the queue ever reached.

Usage Guidelines
Use the show ppp queues command to display the number of requests handled by each AAA background process, the average amount of time it takes to complete each request, and the requests still pending in the work queue. This information can help you balance the data load between the network access server and the AAA server. This command displays information about the background processes configured by the aaa processes global configuration command. Each line in the display contains information about one of the background processes. If there are AAA requests in the queue when you enter this command, the requests are printed as well as the background process data.

Example:
Router# show ppp queues

Misconceptions: none

Related commands: aaa processes

Sample Configurations:
Router# show ppp queues
Proc #0 pid=73 authens=59 avg. rtt=118s. authors=160 avg. rtt=94s.
Proc #1 pid=74 authens=52 avg. rtt=119s. authors=127 avg. rtt=115s.
Proc #2 pid=75 authens=69 avg. rtt=130s. authors=80 avg. rtt=122s.
Proc #3 pid=76 authens=44 avg. rtt=114s. authors=55 avg. rtt=106s.
Proc #4 pid=77 authens=70 avg. rtt=141s. authors=76 avg. rtt=118s.
Proc #5 pid=78 authens=64 avg. rtt=131s. authors=97 avg. rtt=113s.
Proc #6 pid=79 authens=56 avg. rtt=121s. authors=57 avg. rtt=117s.
Proc #7 pid=80 authens=43 avg. rtt=126s. authors=54 avg. rtt=105s.
Proc #8 pid=81 authens=139 avg. rtt=141s. authors=120 avg. rtt=122s.
Proc #9 pid=82 authens=63 avg. rtt=128s. authors=199 avg. rtt=80s.
queue len=0 max len=499
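The following Python script is an added example, not part of the original reference and not Cisco code. It parses the show ppp queues output shown above (embedded as sample input so it runs offline) into per-process records and the trailing queue summary, so that request totals, the slowest authentication process, and any pending backlog can be pulled from the output automatically instead of read by eye. The field names are taken from the output format; the report methods (total_authens, slowest_authen, has_backlog) are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# The "show ppp queues" output from the entry above, embedded here as sample
# input so the parser runs offline.
SAMPLE_OUTPUT = """\
Router# show ppp queues
Proc #0 pid=73 authens=59 avg. rtt=118s. authors=160 avg. rtt=94s.
Proc #1 pid=74 authens=52 avg. rtt=119s. authors=127 avg. rtt=115s.
Proc #2 pid=75 authens=69 avg. rtt=130s. authors=80 avg. rtt=122s.
Proc #3 pid=76 authens=44 avg. rtt=114s. authors=55 avg. rtt=106s.
Proc #4 pid=77 authens=70 avg. rtt=141s. authors=76 avg. rtt=118s.
Proc #5 pid=78 authens=64 avg. rtt=131s. authors=97 avg. rtt=113s.
Proc #6 pid=79 authens=56 avg. rtt=121s. authors=57 avg. rtt=117s.
Proc #7 pid=80 authens=43 avg. rtt=126s. authors=54 avg. rtt=105s.
Proc #8 pid=81 authens=139 avg. rtt=141s. authors=120 avg. rtt=122s.
Proc #9 pid=82 authens=63 avg. rtt=128s. authors=199 avg. rtt=80s.
queue len=0 max len=499
"""

# One regex for a per-process line, one for the final queue summary line.
PROC_RE = re.compile(
    r"^Proc #(?P<proc>\d+)\s+pid=(?P<pid>\d+)\s+"
    r"authens=(?P<authens>\d+)\s+avg\. rtt=(?P<authen_rtt>\d+)s\.\s+"
    r"authors=(?P<authors>\d+)\s+avg\. rtt=(?P<author_rtt>\d+)s\."
)
QUEUE_RE = re.compile(r"^queue len=(?P<qlen>\d+)\s+max len=(?P<qmax>\d+)")


@dataclass
class ProcStats:
    proc: int
    pid: int
    authens: int      # authentication requests handled by this process
    authen_rtt: int   # average seconds per authentication request
    authors: int      # authorization requests handled by this process
    author_rtt: int   # average seconds per authorization request


@dataclass
class QueueReport:
    procs: List[ProcStats]
    queue_len: Optional[int]   # requests currently waiting for a process
    queue_max: Optional[int]   # high-water mark the queue has reached

    def total_authens(self) -> int:
        return sum(p.authens for p in self.procs)

    def total_authors(self) -> int:
        return sum(p.authors for p in self.procs)

    def slowest_authen(self) -> ProcStats:
        # first process with the highest average authentication delay
        return max(self.procs, key=lambda p: p.authen_rtt)

    def has_backlog(self) -> bool:
        # a non-zero queue length means requests are waiting for a free process
        return bool(self.queue_len)


def parse_show_ppp_queues(text: str) -> QueueReport:
    """Parse the per-process lines and the trailing queue summary line."""
    procs: List[ProcStats] = []
    qlen = qmax = None
    for line in text.splitlines():
        line = line.strip()
        m = PROC_RE.match(line)
        if m:
            procs.append(ProcStats(**{k: int(v) for k, v in m.groupdict().items()}))
            continue
        q = QUEUE_RE.match(line)
        if q:
            qlen, qmax = int(q["qlen"]), int(q["qmax"])
    return QueueReport(procs, qlen, qmax)


if __name__ == "__main__":
    report = parse_show_ppp_queues(SAMPLE_OUTPUT)
    print(f"{len(report.procs)} AAA processes, "
          f"{report.total_authens()} authentications, "
          f"{report.total_authors()} authorizations")
    slow = report.slowest_authen()
    print(f"slowest authentication: Proc #{slow.proc} (pid {slow.pid}) "
          f"avg {slow.authen_rtt}s; backlog: {report.has_backlog()}")
```

On the sample output the script reports 10 processes, 659 authentications and 1025 authorizations, with Proc #4 as the first process at the highest average delay (141 seconds) and no backlog (queue len=0). A queue that stays non-zero across repeated runs, or a max len that keeps climbing, is the signal the Usage Guidelines describe for rebalancing load between the NAS and the AAA server.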

Command Name: timeout login response
Mode: router(config-line)#
Syntax:
timeout login response seconds
no timeout login response seconds

Syntax Description:
seconds - Integer that determines the number of seconds the system will wait for login input before timing out. Available settings are from 1 to 300 seconds.

Command Description: To specify how long the system will wait for login input (such as username and password) before timing out, use the timeout login response command in line configuration mode. To set the timeout value to 0 seconds, use the no form of this command.

Example: The following example changes the login timeout value to 60 seconds:
router(config)#line 10
router(config-line)#timeout login response 60

Misconceptions: none

Related commands: none

Sample Configurations:

Command Name: aaa authorization config-commands
Mode: router(config)#
Syntax:
aaa authorization config-commands
no aaa authorization config-commands

Syntax Description: This command has no arguments or keywords.

Command Description: To reestablish the default created when the aaa authorization commands command was issued, use the aaa authorization config-commands command in global configuration mode. To disable authentication, authorization, and accounting (AAA) configuration command authorization, use the no form of this command.

Usage Guidelines
If the aaa authorization commands level method command is enabled, all commands, including configuration commands, are authorized by AAA using the method specified. Because there are configuration commands that are identical to some EXEC-level commands, there can be some confusion in the authorization process. Using the no aaa authorization config-commands command stops the network access server from attempting configuration command authorization. After the no form of this command has been entered, AAA authorization of configuration commands is completely disabled. Care should be taken before entering the no form of this command because it potentially reduces the amount of administrative control on configuration commands. Use the aaa authorization config-commands command if, after using the no form of this command, you need to reestablish the default set by the aaa authorization commands level method command.

Example: The following example specifies that TACACS+ authorization is run for level 15 commands and that AAA authorization of configuration commands is disabled:
router(config)#aaa new-model
router(config)#aaa authorization commands 15 group tacacs+ none
router(config)#no aaa authorization config-commands

Misconceptions: none

Related commands: aaa authorization

Sample Configurations:
aaa authentication login default none
aaa authentication enable default none
aaa authentication ppp default group radius
aaa authorization config-commands
aaa authorization network default local
aaa session-id common
enable password cisco
!

Command Name: aaa authorization reverse-access
Mode: router(config)#
Syntax:
aaa authorization reverse-access {group radius | group tacacs+}
no aaa authorization reverse-access {group radius | group tacacs+}

Syntax Description:
group radius - Specifies that the network access server will request authorization from a RADIUS security server before allowing a user to establish a reverse Telnet session.
group tacacs+ - Specifies that the network access server will request authorization from a TACACS+ security server before allowing a user to establish a reverse Telnet session.

Command Description: To configure a network access server to request authorization information from a security server before allowing a user to establish a reverse Telnet session, use the aaa authorization reverse-access command in global configuration mode. To restore the default value for this command, use the no form of this command.

Usage Guidelines
Telnet is a standard terminal emulation protocol used for remote terminal connection. Normally, you log in to a network access server (typically through a dialup connection) and then use Telnet to access other network devices from that network access server. There are times, however, when it is necessary to establish a reverse Telnet session. In reverse Telnet sessions, the Telnet connection is established in the opposite direction: from inside a network to a network access server on the network periphery, to gain access to modems or other devices connected to that network access server. Reverse Telnet is used to provide users with dialout capability by allowing them to open Telnet sessions to modem ports attached to a network access server. It is important to control access to ports accessible through reverse Telnet. Failure to do so could, for example, allow unauthorized users free access to modems where they can trap and divert incoming calls or make outgoing calls to unauthorized destinations. Authentication during reverse Telnet is performed through the standard AAA login procedure for Telnet. Typically the user has to provide a username and password to establish either a Telnet or reverse Telnet session. This command provides an additional (optional) level of security by requiring authorization in addition to authentication. When this command is enabled, reverse Telnet authorization can use RADIUS or TACACS+ to authorize whether or not this user is allowed reverse Telnet access to specific asynchronous ports, after the user successfully authenticates through the standard Telnet login procedure.

Example:
router(config)# aaa authorization reverse-access default group tacacs+

Misconceptions: none

Related commands: aaa authorization

Sample Configurations: The following example causes the network access server to request authorization information from a TACACS+ security server before allowing a user to establish a reverse Telnet session:
aaa new-model
aaa authentication login default group tacacs+
aaa authorization reverse-access default group tacacs+
!
tacacs-server host 172.31.255.0
tacacs-server timeout 90
tacacs-server key goaway

Command Name: aaa authorization
Mode: router(config)#
Syntax:
aaa authorization {network | exec | commands level | reverse-access | configuration} {default | list-name} method1 [method2...]
no aaa authorization {network | exec | commands level | reverse-access | configuration} {default | list-name} method1 [method2...]

Syntax Description:
network - Runs authorization for all network-related service requests, including SLIP, PPP, PPP NCPs, and ARA.
exec - Runs authorization to determine if the user is allowed to run an EXEC shell. This facility might return user profile information such as autocommand information.
commands - Runs authorization for all commands at the specified privilege level.
level - Specific command level that should be authorized. Valid entries are 0 through 15.
reverse-access - Runs authorization for reverse access connections, such as reverse Telnet.
configuration - Downloads the configuration from the AAA server.
default - Uses the listed authorization methods that follow this argument as the default list of methods for authorization.
list-name - Character string used to name the list of authorization methods.
method1 [method2...] - One of the keywords listed below.

Keyword - Description
group group-name - Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ commands.
if-authenticated - Allows the user to access the requested function if the user is authenticated.
none - No authorization is performed.
local - Uses the local database for authorization.
krb5-instance - Uses the instance defined by the kerberos instance map command.

Command Description: Use the aaa authorization commands to restrict access to a network. Cisco NASs are configured to perform authorization using the aaa authorization commands. You can configure Cisco Secure ACS to perform authorization tasks with the NAS. The per-user security policy determines how authorization is configured. Method lists are specific to the type of authorization being requested.

Example: To set parameters that restrict user access to a network, use the aaa authorization command in global configuration mode as shown below.

aaa authorization commands 1 alpha local - Uses the local username database to authorize the use of all level 1 commands.
aaa authorization commands 15 bravo local - Uses the local database to authorize the use of all level 15 commands.
aaa authorization network charlie local none - Uses the local database to authorize the use of all network services such as Serial Line Interface Protocol (SLIP), PPP, and ARAP. If the local server is not available, this command performs no authorization, and the user can use all network services.
aaa authorization exec delta if-authenticated - Lets the user run the EXEC process if the user is already authenticated.

router(config)# aaa authorization commands 1 alpha local
router(config)# aaa authorization commands 15 bravo local
router(config)# aaa authorization network charlie local none

Misconceptions: This command can be used with TACACS or extended TACACS.

Related commands: aaa accounting, aaa new-model

Sample Configurations:
aaa new-model
aaa authentication login default tacacs+
aaa authentication login no_tacacs enable
aaa authentication ppp default tacacs+
aaa authorization exec tacacs+
aaa authorization network tacacs+
aaa accounting exec start-stop tacacs+
aaa accounting network start-stop tacacs+
enable secret 5 $1$x1EE$33AXd2VTVvhbWL0A37tQ3.
enable password 7 15141905172924
!
username admin password 7 094E4F0A1201181D19
!
interface Serial2
 ppp authentication pap
!
tacacs-server host 10.1.1.4
tacacs-server key ciscosecure
!
line con 0
 login authentication no_tacacs

Command Name: aaa dnis map authorization network group
Mode: router(config)#
Syntax:
aaa dnis map dnis-number authorization network group server-group-name
no aaa dnis map dnis-number authorization network group server-group-name

Syntax Description:
dnis-number - Number of the DNIS.
server-group-name - Character string used to name a group of security servers functioning within a server group.

Command Description: To map a Dialed Number Identification Service (DNIS) number to a particular authentication, authorization, and accounting (AAA) server group (the server group that will be used for AAA authorization), use the aaa dnis map authorization network group global configuration command. To unmap this DNIS number from the defined server group, use the no form of this command.

Usage Guidelines
This command lets you assign a DNIS number to a particular AAA server group so that the server group can process authorization requests for users dialing in to the network using that particular DNIS number. To use this command, you must first enable AAA, define a AAA server group, and enable DNIS mapping.

Example:
router(config)# aaa dnis map 7777 authorization network group

Misconceptions: none

Related commands: aaa new-model, aaa dnis map accounting network group, aaa dnis map authentication ppp group, aaa dnis map enable, aaa group server, radius-server host

Sample Configurations: The following example maps DNIS number 7777 to the RADIUS server group called group1. Server group group1 will use RADIUS server 172.30.0.0 for authorization requests for users dialing in with DNIS 7777:
!
aaa new-model
radius-server host 172.30.0.0 auth-port 1645 key cisco1
aaa group server radius group1
 server 172.30.0.0
aaa dnis map enable
aaa dnis map 7777 authorization network group group1
!

Command Name: authorization
Mode: router(config-line)#
Syntax:
authorization {arap | commands level | exec | reverse-access} [default | list-name]
no authorization {arap | commands level | exec | reverse-access} [default | list-name]

Syntax Description:
arap - Enables authorization for lines configured for AppleTalk Remote Access (ARA) protocol.
commands - Enables authorization on the selected lines for all commands at the specified privilege level.
level - Specific command level to be authorized. Valid entries are 0 through 15.
exec - Enables authorization to determine if the user is allowed to run an EXEC shell on the selected lines.
reverse-access - Enables authorization to determine if the user is allowed reverse access privileges.
default - (Optional) The name of the default method list, created with the aaa authorization command.
list-name - (Optional) Specifies the name of a list of authorization methods to use. If no list name is specified, the system uses the default. The list is created with the aaa authorization command.

Command Description: To enable authentication, authorization, and accounting (AAA) authorization for a specific line or group of lines, use the authorization command in line configuration mode. To disable authorization, use the no form of this command.

Usage Guidelines
After you enable the aaa authorization command and define a named authorization method list (or use the default method list) for a particular type of authorization, you must apply the defined lists to the appropriate lines for authorization to take place. Use the authorization command to apply the specified method lists (or if none is specified, the default method list) to the selected line or group of lines.

Example: The following example enables command authorization (for level 15) using the method list named charlie on line 10:
router(config)#line 10
router(config-line)#authorization commands 15 charlie

Misconceptions: none

Related commands: aaa authorization

Sample Configurations:

Command Name: ppp authorization
Mode: router(config-if)#
Syntax:
ppp authorization [default | list-name]
no ppp authorization

Syntax Description:
default - (Optional) The name of the default method list, created with the aaa authorization command.
list-name - (Optional) Specifies the name of a list of authorization methods to use. If no list name is specified, the system uses the default. The list is created with the aaa authorization command.

Command Description: To enable authentication, authorization, and accounting (AAA) authorization on the selected interface, use the ppp authorization command in interface configuration mode. To disable authorization, use the no form of this command.

Usage Guidelines
After you enable the aaa authorization command and define a named authorization method list (or use the default method list), you must apply the defined lists to the appropriate interfaces for authorization to take place. Use the ppp authorization command to apply the specified method lists (or if none is specified, the default method list) to the selected interface.

Example: The following example enables authorization on asynchronous interface 4 and uses the method list named charlie:
router(config)#interface async 4
router(config-if)#encapsulation ppp
router(config-if)#ppp authorization charlie

Misconceptions: none

Related commands: aaa authorization

Sample Configurations: Named Method List Configuration Example
aaa new-model
aaa authentication login admins local
aaa authentication ppp dialins group radius local
aaa authorization network scoobee group radius local
aaa accounting network charley start-stop group radius
username root password ALongPassword
radius-server host Alcatraz
radius-server key myRaDiUSpassWoRd
interface group-async 1
 group-range 1 16
 encapsulation ppp
 ppp authentication chap dialins
 ppp authorization scoobee
 ppp accounting charley

Command Name: username
Mode: router(config)#
Syntax:
username name {nopassword | password password | password encryption-type encrypted-password}
username name password secret
username name [access-class number]
username name [autocommand command]
username name [callback-dialstring telephone-number]
username name [callback-rotary rotary-group-number]
username name [callback-line [tty] line-number [ending-line-number]]
username name dnis
username name [nocallback-verify]
username name [noescape] [nohangup]
username name [privilege level]
username name user-maxlinks number

Syntax Description:
name - Host name, server name, user ID, or command name. The name argument can be only one word. Blank spaces and quotation marks are not allowed.
nopassword - No password is required for this user to log in. This is usually most useful in combination with the autocommand keyword.
password - Specifies a possibly encrypted password for this username.
password - Password a user enters.
encryption-type - Single-digit number that defines whether the text immediately following is encrypted, and, if so, what type of encryption is used. Currently defined encryption types are 0, which means that the text immediately following is not encrypted, and 7, which means that the text is encrypted using a Cisco-defined encryption algorithm.
encrypted-password - Encrypted password a user enters.
password - Password to access the name argument. A password must be from 1 to 25 characters, can contain embedded spaces, and must be the last option specified in the username command.
secret - For CHAP authentication: specifies the secret for the local router or the remote device. The secret is encrypted when it is stored on the local router. The secret can consist of any string of up to 11 ASCII characters. There is no limit to the number of username and password combinations that can be specified, allowing any number of remote devices to be authenticated.
access-class - (Optional) Specifies an outgoing access list that overrides the access list specified in the access-class line configuration command. It is used for the duration of the user's session.
number - (Optional) Access list number.
autocommand - (Optional) Causes the specified command to be issued automatically after the user logs in. When the command is complete, the session is terminated. Because the command can be any length and contain embedded spaces, commands using the autocommand keyword must be the last option on the line.
command - (Optional) The command string. Because the command can be any length and contain embedded spaces, commands using the autocommand keyword must be the last option on the line.
callback-dialstring - (Optional) For asynchronous callback only: permits you to specify a telephone number to pass to the DCE device.
telephone-number - (Optional) For asynchronous callback only: telephone number to pass to the DCE device.
callback-rotary - (Optional) For asynchronous callback only: permits you to specify a rotary group number. The next available line in the rotary group is selected.
rotary-group-number - (Optional) For asynchronous callback only: integer between 1 and 100 that identifies the group of lines on which you want to enable a specific username for callback.
callback-line - (Optional) For asynchronous callback only: specific line on which you enable a specific username for callback.
tty - (Optional) For asynchronous callback only: standard asynchronous line.
line-number - (Optional) For asynchronous callback only: relative number of the terminal line (or the first line in a contiguous group) on which you want to enable a specific username for callback. Numbering begins with zero.
ending-line-number - (Optional) Relative number of the last line in a contiguous group on which you want to enable a specific username for callback. If you omit the keyword (such as tty), then line-number and ending-line-number are absolute rather than relative line numbers.
dnis - Do not require a password when the user is obtained via DNIS.
nocallback-verify - (Optional) Authentication not required for EXEC callback on the specified line.
noescape - (Optional) Prevents a user from using an escape character on the host to which that user is connected.
nohangup - (Optional) Prevents Cisco IOS software from disconnecting the user after an automatic command (set up with the autocommand keyword) has completed. Instead, the user gets another EXEC prompt.
privilege - (Optional) Sets the privilege level for the user.
level - (Optional) Number between 0 and 15 that specifies the privilege level for the user.
user-maxlinks - Limits the user's number of inbound links.
number - User-maxlinks limit for inbound links.

Command Description: To establish a username-based authentication system, use the username command in global configuration mode.

Example:
router(config)#username admin password 7 15100A0F0F6A2F2B2721
router(config)#username isgroup password 7 000B070E01494B02002E5E
router(config)#username remotes password 7 1059060B0E120009090139

Misconceptions: none

Related commands: aaa accounting suppress null-username, aaa authentication username-prompt, ppp pap sent-username

Sample Configurations:
aaa new-model
!
!
aaa authentication login default enable
aaa authentication login console-in local
aaa authentication login is-in local
aaa authentication login tty-in line
aaa authentication ppp dial-in if-needed local
aaa session-id common
enable secret 5 $1$ptCj$vRErS/tehv53JjaqFMzBT/
enable password 7 06020026144A061E
!
username admin password 7 15100A0F0F6A2F2B2721
username isgroup password 7 000B070E01494B02002E5E
username remotes password 7 1059060B0E120009090139

Command Name: aaa authentication enable default
Mode: Router(config)#
Syntax:
aaa authentication enable default method1 [method2...]
no aaa authentication enable default method1 [method2...]

Syntax Description:
method - At least one of the keywords described in the table below.

Command Description: To enable AAA authentication to determine if a user can access the privileged command level, use the aaa authentication enable default global configuration command. Use the no form of this command to disable this authentication method.

Usage Guidelines
Use the aaa authentication enable default command to create a series of authentication methods that are used to determine whether a user can access the privileged command level. Method keywords are described in the table below. The additional methods of authentication are used only if the previous method returns an error, not if it fails. To specify that the authentication should succeed even if all methods return an error, specify none as the final method in the command line. If a default authentication routine is not set for a function, the default is none and no authentication is performed. Use the show running-config command to view currently configured lists of authentication methods.

Table: aaa authentication enable Default Methods
Keyword - Description
enable - Uses the enable password for authentication.
line - Uses the line password for authentication.
none - Uses no authentication.
group tacacs+ - Uses the list of all TACACS+ servers to provide authentication services.
group radius - Uses the list of all RADIUS servers to provide authentication services.
group group-name - Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the server group group-name.

Example: To enable AAA authentication to determine if a user can access the privileged command level, use the aaa authentication enable default command in global configuration mode as shown below.
router(config)#aaa authentication enable default group tacacs+

Misconceptions: The additional methods of authentication are used if the previous method fails.

Related commands: aaa authorization, aaa new-model, enable password

Sample Configurations:
aaa new-model
!
!
aaa authentication login default enable
aaa authentication login console-in local
aaa authentication login is-in local
aaa authentication login tty-in line
aaa authentication ppp dial-in if-needed local
aaa session-id common
enable secret 5 $1$ptCj$vRErS/tehv53JjaqFMzBT/
enable password 7 06020026144A061E
!
username admin password 7 15100A0F0F6A2F2B2721
username isgroup password 7 000B070E01494B02002E5E
username remotes password 7 1059060B0E120009090139
memory-size iomem 15
ip subnet-zero

Configuration for a line:
!
line con 0
 password 7 094A5C0617115716040316
 login authentication console-in
line 1
 password 7 0602062040031C0A000501
 login authentication tty-in
 modem InOut
 modem autoconfigure type usr_sportster
 no exec
 transport input all
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 password 7 045A0F0B062F014A001809
line vty 0 4
 password 7 045E080E0078
 login authentication is-in
!
!
end
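The Usage Guidelines and the Misconceptions entry above turn on one distinction: a method list moves on to the next method only when a method returns an error (the server cannot answer), never when it fails (the server rejects the credentials). The following Python model is an added example, not part of the original reference and not Cisco code; it simulates that walk over a method list using constructed backend results, so the difference between "TACACS+ unreachable, fall back to enable" and "TACACS+ said no, stop" can be seen directly, along with what a trailing none does when every server is down. The Result names, evaluate_method_list and grants_when_all_methods_error are the example's own.

```python
from enum import Enum
from typing import Dict, List, Tuple


class Result(Enum):
    PASS = "pass"     # backend accepted the credentials
    FAIL = "fail"     # backend explicitly rejected them
    ERROR = "error"   # backend could not answer (unreachable, timeout, misconfigured)


Trace = List[Tuple[str, Result]]


def evaluate_method_list(methods: List[str], backends: Dict[str, Result]) -> Tuple[bool, Trace]:
    """Walk a method list with the semantics the entry describes: ERROR moves on
    to the next method, FAIL ends the attempt with a denial, PASS ends it with a
    grant.  `backends` is a constructed map of what each method would return for
    this particular attempt; a method with no entry is treated as unreachable."""
    trace: Trace = []
    for method in methods:
        # "none" never consults a backend: it always grants.
        result = Result.PASS if method == "none" else backends.get(method, Result.ERROR)
        trace.append((method, result))
        if result is Result.PASS:
            return True, trace
        if result is Result.FAIL:
            return False, trace        # no fallthrough on an explicit rejection
    # every method returned ERROR and nothing granted access
    return False, trace


def grants_when_all_methods_error(methods: List[str]) -> bool:
    """True if the list still grants access when every real method errors,
    which is exactly the effect of putting "none" last."""
    all_error = {m: Result.ERROR for m in methods if m != "none"}
    granted, _ = evaluate_method_list(methods, all_error)
    return granted


if __name__ == "__main__":
    # constructed scenarios for "aaa authentication enable default group tacacs+ enable"
    server_down = {"group tacacs+": Result.ERROR, "enable": Result.PASS}
    bad_password = {"group tacacs+": Result.FAIL, "enable": Result.PASS}
    for label, backends in (("TACACS+ unreachable", server_down),
                            ("TACACS+ rejects", bad_password)):
        ok, trace = evaluate_method_list(["group tacacs+", "enable"], backends)
        print(f"{label}: granted={ok}, methods consulted={[m for m, _ in trace]}")
    print("group tacacs+ none grants with servers down:",
          grants_when_all_methods_error(["group tacacs+", "none"]))
```

With the server unreachable the list falls through to the enable password and grants; with the server answering FAIL the attempt stops at the first method and is denied, which is why the Misconceptions line above is wrong. grants_when_all_methods_error is the check to run over a proposed list before deploying it: a list that returns True is fail-open whenever the AAA servers are unreachable.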

Command Name: Mode: Syntax:

aaa authentication login router(config)#

aaa authentication login {default [method2...]

| list-name} method1

no aaa authentication login {default [method2...] Syntax Description:

| list-name} method1

default listname method

Uses the listed authentication methods that follow this argument as the default list of methods when a user logs in. Character string used to name the following list of authentication methods activated when a user logs in. At least one of the keywords described in the table: aaa authentication login Methods.

Command Description:

To set AAA authentication at login, use the aaa authentication login global configuration command. Use the no form of this command to disable AAA authentication. Usage Guidelines The default and optional list names created with the aaa authentication login command are used with the login authentication command. Create a list by entering the aaa authentication login list-name method command for a particular protocol, where list-name is any character string used to name this list (such as MISaccess). The method argument identifies the list of methods that the authentication algorithm tries, in the given sequence. Method keywords are described in the table. If no list is specified on an interface with the login authentication command, a default list to be used can be specified with the default keyword followed by the methods. The additional methods of authentication are used only if the previous method returns an error, not if it fails. To ensure that the authentication succeeds even if all methods return an error, specify none as the final method in the command line.

If authentication is not specifically set for a line, the default is to deny access and no authentication is performed. Use the show running-config command to display currently configured lists of authentication methods. Table: aaa authentication login Methods Keyword enable krb5 line local none group radius group tacacs+ krb5-telnet group | groupname local-case Description Uses the enable password for authentication. Uses Kerberos 5 for authentication. Uses the line password for authentication. Uses the local username database for authentication. Uses no authentication. Uses the list of all RADIUS to provide authentication services. Uses the list of all TACACS+ to provide authentication services. Uses Kerberos 5 Telnet authentication protocol when using Telnet to connect to the router. Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the server group group-name. Uses case-sensitive local username authentication

Example: Use the aaa authentication login command in global configuration mode as shown below to configure telnet and console lines. router(config)# aaa authentication login default enable router(config)# aaa authentication login console-in local router(config)# aaa authentication login tty-in line Misconceptions: This command cannot be used with TACACS or extended TACACS. Related commands: aaa new-model login authentication

Sample Configurations:
aaa new-model
!
!
aaa authentication login default enable
aaa authentication login console-in local
aaa authentication login is-in local
aaa authentication login tty-in line
aaa authentication ppp dial-in if-needed local
aaa session-id common
enable secret 5 $1$ptCj$vRErS/tehv53JjaqFMzBT/
enable password 7 06020026144A061E
!
username admin password 7 15100A0F0F6A2F2B2721
username isgroup password 7 000B070E01494B02002E5E
username remotes password 7 1059060B0E120009090139
memory-size iomem 15
ip subnet-zero

Configuration for a line:
!
line con 0
 password 7 094A5C0617115716040316
 login authentication console-in
line 1
 password 7 0602062040031C0A000501
 login authentication tty-in
 modem InOut
 modem autoconfigure type usr_sportster
 no exec
 transport input all
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 password 7 045A0F0B062F014A001809
line vty 0 4
 password 7 045E080E0078
 login authentication is-in
!
!
end

Command Name: aaa authentication ppp
Mode: router(config)#
Syntax: aaa authentication ppp {default | list-name} method1 [method2...]
        no aaa authentication ppp {default | list-name} method1 [method2...]

Syntax Description:
default               Uses the listed authentication methods that follow this argument as the default list of methods when a user logs in.
list-name             Character string used to name the following list of authentication methods tried when a user logs in.
method1 [method2...]  At least one of the keywords described in the table below.

Command Description: To specify one or more AAA authentication methods for use on interfaces running Point-to-Point Protocol (PPP), use the aaa authentication ppp global configuration command. Use the no form of this command to disable authentication.

Usage Guidelines
The lists created with the aaa authentication ppp command are used with the ppp authentication interface command. A list holds up to four authentication methods that are tried when a user connects to the serial interface. Create a list by entering the aaa authentication ppp list-name method command, where list-name is any character string used to name the list of authentication methods activated when a user logs in. The method argument identifies the list of methods that the authentication algorithm tries, in the given sequence; the method keywords are described in the table below. The next method is tried only if the previous method returns an error, not if it fails. Specify none as the final method in the command line to have authentication succeed even if all methods return an error; as with login lists, this makes the interface fail open while the security servers are unreachable. If authentication is not specifically set for a function, the default is none and no authentication is performed, so every PPP interface that is meant to authenticate its peer needs either a default list or a named list applied with ppp authentication. Use the show running-config command to display currently configured lists of authentication methods.

Table: aaa authentication ppp Methods

Keyword            Description
if-needed          Does not authenticate if the user has already been authenticated on a TTY line.
krb5               Uses Kerberos 5 for authentication (can only be used for PAP authentication).
local              Uses the local username database for authentication.
local-case         Uses case-sensitive local username authentication.
group group-name   Uses a subset of RADIUS or TACACS+ servers for authentication, as defined by the server group group-name.
none               Uses no authentication.

Example: To specify one or more AAA authentication methods for use on serial interfaces running PPP, use the aaa authentication ppp command in global configuration mode as shown below (aaa authen is the abbreviated form of aaa authentication).
router(config)#aaa authentication ppp default local
router(config)#aaa authentication ppp dial-in local none
The second list falls through to none whenever local returns an error. Because IOS treats a username that is absent from the local database as an error rather than a failure, a peer presenting an unknown username is accepted without any password check; reserve such lists for lab or recovery use.
Misconceptions: none

Related commands: aaa new-model, ppp authentication
Sample Configurations:
aaa new-model
!
!
aaa authentication login default enable
aaa authentication login console-in local
aaa authentication login is-in local
aaa authentication login tty-in line
aaa authentication ppp dial-in if-needed local
aaa session-id common
enable secret 5 $1$ptCj$vRErS/tehv53JjaqFMzBT/
enable password 7 06020026144A061E
!
username admin password 7 15100A0F0F6A2F2B2721
username isgroup password 7 000B070E01494B02002E5E
username remotes password 7 1059060B0E120009090139
memory-size iomem 15
ip subnet-zero

Configuration for a line:
!
line con 0
 password 7 094A5C0617115716040316
 login authentication console-in
line 1
 password 7 0602062040031C0A000501
 login authentication tty-in
 modem InOut
 modem autoconfigure type usr_sportster
 no exec
 transport input all
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 password 7 045A0F0B062F014A001809
line vty 0 4
 password 7 045E080E0078
 login authentication is-in
!
!
end

Command Name: aaa authorization
Mode: router(config)#
Syntax: aaa authorization {network | exec | commands level | reverse-access | configuration} {default | list-name} method1 [method2...]
        no aaa authorization {network | exec | commands level | reverse-access | configuration} {default | list-name} method1 [method2...]

Syntax Description:
auth-proxy            For authentication proxy services.
network               Runs authorization for all network-related service requests, including SLIP, PPP, PPP NCPs, and ARAP.
exec                  Runs authorization to determine if the user is allowed to run an EXEC shell.
commands              Runs authorization for all commands at the specified privilege level.
config-commands       For configuration mode commands.
configuration         Downloads the configuration from the AAA server.
ipmobile              For Mobile IP services.
level                 Specific command level that should be authorized. Valid entries are 0 through 15.
reverse-access        Runs authorization for reverse access connections, such as reverse Telnet.
default               Uses the listed authorization methods that follow this argument as the default list of methods for authorization.
list-name             Character string used to name the list of authorization methods.
method1 [method2...]  One of the keywords listed in the table below.

Command Description: Use the aaa authorization command to restrict what an authenticated user may do through the network access server (NAS). The NAS is configured to request authorization with the aaa authorization command; the per-user policy that decides each request is held on the AAA server, for example Cisco Secure ACS. The method keywords are described in the table below.

Table: AAA Authorization Methods

Keyword            Description
group group-name   Uses a subset of RADIUS or TACACS+ servers for authorization as defined by the aaa group server radius or aaa group server tacacs+ commands.
if-authenticated   Allows the user to access the requested function if the user is authenticated. No authorization is performed.
none               Performs no authorization; every request is allowed.
local              Uses the local database for authorization.
krb5-instance      Uses the instance defined by the kerberos instance map command.

Method lists are specific to the type of authorization being requested, so each authorization type in the syntax above (network, exec, commands at a given level, reverse-access, configuration) gets its own list.

Example: To set parameters that restrict user access to a network, use the aaa authorization command in global configuration mode as shown below.
router(config)# aaa authorization commands 1 alpha local
  Uses the local username database to authorize the use of all level 1 commands.
router(config)# aaa authorization commands 15 bravo local
  Uses the local database to authorize the use of all level 15 commands.
router(config)# aaa authorization network charlie local none
  Uses the local database to authorize the use of all network services such as Serial Line Interface Protocol (SLIP), PPP, and ARAP. If the local database returns an error, this list performs no authorization and the user can use all network services.
router(config)# aaa authorization exec delta if-authenticated
  Lets the user run the EXEC process if the user is already authenticated.
Misconceptions: This command cannot be used with TACACS or extended TACACS.
Related commands: aaa accounting, aaa new-model
Sample Configurations:
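The method-list walk described in the aaa authentication login, aaa authentication ppp and aaa authorization entries, as an added example that is not part of this command reference and not Cisco's code: it parses list definitions in the syntax shown above and simulates the rule that only an ERROR moves on to the next method. The user databases, the server_reachable and authenticated flags in env, and the simplified behaviour of each method are assumptions made for the demonstration.

```python
"""Walk a Cisco IOS AAA method list the way the aaa authentication login,
aaa authentication ppp and aaa authorization entries describe it: the
next method is consulted only when the previous one returns ERROR (for
example no server answered); a FAIL ends the walk and denies the request;
`none` always passes.

Added example for this page, not Cisco code. The constructed credential
stores, the flags in `env` and the simplified method behaviours are
assumptions made for the demonstration.
"""
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Result(Enum):
    PASS = "PASS"
    FAIL = "FAIL"
    ERROR = "ERROR"


# Constructed sample credentials (assumption, not from the page).
LOCAL_USERS: Dict[str, str] = {"admin": "s3cret"}
SERVER_USERS: Dict[str, str] = {"alice": "wonderland", "admin": "s3cret"}

Method = Callable[[str, str, dict], Result]


def m_local(user: str, password: str, env: dict) -> Result:
    # IOS reports a username that is absent from the local database as an
    # error, not a failure, so the walk continues with the next method.
    if user not in LOCAL_USERS:
        return Result.ERROR
    return Result.PASS if LOCAL_USERS[user] == password else Result.FAIL


def m_group(user: str, password: str, env: dict) -> Result:
    # Stands in for `group radius`, `group tacacs+` and `group NAME`.
    if not env.get("server_reachable", True):
        return Result.ERROR            # no server answered: fall through
    return Result.PASS if SERVER_USERS.get(user) == password else Result.FAIL


def m_if_authenticated(user: str, password: str, env: dict) -> Result:
    # Authorization lists only: pass if the session already authenticated.
    return Result.PASS if env.get("authenticated") else Result.FAIL


def m_none(user: str, password: str, env: dict) -> Result:
    return Result.PASS                 # no check at all


def method_for(keyword: str) -> Method:
    if keyword.startswith("group "):
        return m_group
    return {"local": m_local, "local-case": m_local,
            "if-authenticated": m_if_authenticated, "none": m_none}[keyword]


def parse_method_list(line: str) -> Tuple[str, str, List[str]]:
    """'aaa authentication login NAME m1 m2' or 'aaa authorization commands 15 NAME m1'
    -> (kind, list-name, methods); 'group X' is kept as one method token."""
    t = line.split()
    if len(t) < 5 or t[0] != "aaa" or t[1] not in ("authentication", "authorization"):
        raise ValueError("not an AAA method-list line: " + line)
    kind, i = t[2], 3
    if t[1] == "authorization" and kind == "commands":
        kind, i = "commands " + t[3], 4      # the privilege level belongs to the kind
    name, rest, methods = t[i], t[i + 1:], []
    j = 0
    while j < len(rest):
        if rest[j] == "group":
            methods.append("group " + rest[j + 1])
            j += 2
        else:
            methods.append(rest[j])
            j += 1
    return kind, name, methods


def evaluate(methods: List[str], user: str, password: str, env: dict) -> Tuple[Result, Optional[str]]:
    """Return the verdict and the method that produced it; (ERROR, None)
    means every method errored and IOS denies the request."""
    for m in methods:
        verdict = method_for(m)(user, password, env)
        if verdict is Result.ERROR:
            continue                       # only ERROR moves on to the next method
        return verdict, m
    return Result.ERROR, None


def is_fail_open(methods: List[str]) -> bool:
    """`none` anywhere in a list grants the request whenever the methods before it error."""
    return "none" in methods


if __name__ == "__main__":
    outage = {"server_reachable": False}
    for line in ("aaa authentication login default group tacacs+ local",
                 "aaa authentication login lab-in group radius none",
                 "aaa authentication ppp dial-in local none",
                 "aaa authorization commands 15 bravo local"):
        kind, name, methods = parse_method_list(line)
        print(kind, name, methods, "fail-open" if is_fail_open(methods) else "fail-closed",
              evaluate(methods, "bob", "guess", outage))
```

Running it shows that group tacacs+ local still denies an unknown user during a server outage, while the two lists that end in none accept anyone; is_fail_open is the check worth running over a real configuration before a device goes into production.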

Command Name: aaa new-model
Mode: router(config)#
Syntax: aaa new-model
        no aaa new-model

Syntax Description: This command has no arguments or keywords.
Command Description: To enable the AAA access control model, issue the aaa new-model global configuration command. Use the no form of this command to disable the AAA access control model. Enabling it applies the AAA model to every line at once; because a line with no authentication list is denied access (see aaa authentication login), define a login method list first and keep an existing session open when enabling it on a remote device.
Example: The following example initializes AAA:
router(config)#aaa new-model
Misconceptions: None

Related Commands: aaa accounting, aaa authentication arap, aaa authentication enable default, aaa authentication login, aaa authentication ppp, aaa authorization
Sample Configuration:
aaa new-model
!
!
aaa authentication login default enable
aaa authentication login console-in local
aaa authentication login is-in local
aaa authentication login tty-in line
aaa authentication ppp dial-in if-needed local
aaa session-id common
enable secret 5 $1$ptCj$vRErS/tehv53JjaqFMzBT/
enable password 7 06020026144A061E
!
username admin password 7 15100A0F0F6A2F2B2721
username isgroup password 7 000B070E01494B02002E5E
username remotes password 7 1059060B0E120009090139

Command Name: debug aaa accounting
Mode: router#
Syntax: debug aaa accounting
        no debug aaa accounting

Syntax Description: This command has no arguments or keywords.
Command Description: To troubleshoot problems and to display information on accountable events as they occur, use the debug aaa accounting privileged EXEC command. Use the no debug aaa accounting form of the command to disable this debug mode. The sample output below shows what the command displays. The information displayed by the debug aaa accounting command is independent of the accounting protocol used to transfer the accounting information to a server; use the protocol-specific debug tacacs and debug radius commands to get more detailed information about protocol-level issues. You can also use the show accounting command to step through all active sessions and to print all the accounting records for actively accounted functions. The show accounting command displays the active accountable events on the system; it gives system administrators a quick look at what is happening and may also be useful for collecting information in the event of a data loss on the accounting server. If debug aaa accounting is active as well, show accounting displays additional data on the internal state of the AAA security system. As with any debug command, enable it only for the duration of the investigation, since every accounted event is then processed by the router CPU and written to the console or log.
Example: router# debug aaa accounting
Misconceptions: none
Related commands: debug aaa authentication, debug aaa authorization, show accounting

Sample Configurations:

Actual debug output

router# debug aaa accounting
16:49:21: AAA/ACCT: EXEC acct start, line 10
16:49:32: AAA/ACCT: Connect start, line 10, glare
16:49:47: AAA/ACCT: Connection acct stop: task_id=70 service=exec port=10 protocol=telnet address=172.31.3.78 cmd=glare bytes_in=308 bytes_out=76 paks_in=45 paks_out=54 elapsed_time=14

Command Name: debug aaa authentication
Mode: router#
Syntax: debug aaa authentication
        no debug aaa authentication

Syntax Description: This command has no arguments or keywords.
Command Description: To troubleshoot problems and to display information on AAA/TACACS+ authentication, use the debug aaa authentication privileged EXEC command as shown in the example. Use the no debug aaa authentication form of the command to disable this debug mode. The output traces one authentication attempt through its method list: the list that was selected ("default"), the method in use (Method=LOCAL), and the state of the exchange (GETUSER while waiting for a username, GETPASS while waiting for the password, then PASS or FAIL). Usernames appear in this output, so treat saved debug logs as sensitive.

Example: router# debug aaa authentication
Misconceptions: none
Related commands: debug aaa authorization, debug aaa accounting
Sample Configurations: Actual debug output

router# debug aaa authentication
113123: Feb 4 10:11:19.305 CST: AAA/MEMORY: create_user (0x619C4940) user='' ruser='' port='tty1' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1
113124: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): port='tty1' list='' action=LOGIN service=LOGIN
113125: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): using "default" list
113126: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): Method=LOCAL
113127: Feb 4 10:11:19.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113128: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='(undef)')
113129: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113130: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113131: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETPASS
113132: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='diallocal')
113133: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = GETPASS
113134: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113135: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = PASS

Command Name: debug aaa authorization
Mode: router#
Syntax: debug aaa authorization
        no debug aaa authorization

Syntax Description: This command has no arguments or keywords.
Command Description: To troubleshoot problems and to display information on AAA/TACACS+ authorization, use the debug aaa authorization privileged EXEC command. Use the no debug aaa authorization form of the command to disable this debug mode. The sample output below shows an EXEC authorization for user carrel: on the first line the username carrel is authorized; on the second and third lines the attribute-value (AV) pairs are authorized. The debug output displays a line for each AV pair that is sent and indicates the authorization method used. The final line in the display indicates the status of the authorization process, which in this case has failed.

The aaa authorization command causes a request packet containing a series of AV pairs to be sent to the TACACS+ daemon as part of the authorization process. The daemon responds in one of the following three ways: it accepts the request as is; it makes changes to the request; or it refuses the request, thereby refusing authorization. Because AV pairs returned by the daemon (for example priv-lvl, autocmd, inacl) are applied by the router, the AAA server and its shared secret are the effective policy authority for the device and must be protected as such.

The AV pairs associated with the debug aaa authorization command that may appear in the debug output are described as follows:
service=arap: Authorization for the ARA protocol is being requested.
service=shell: Authorization for EXEC startup and command authorization is being requested.
service=ppp: Authorization for PPP is being requested.
service=slip: Authorization for SLIP is being requested.
protocol=lcp: Authorization for LCP is being requested (lower layer of PPP).
protocol=ip: Used with service=slip and service=ppp to indicate which protocol layer is being authorized.
protocol=ipx: Used with service=ppp to indicate which protocol layer is being authorized.
protocol=atalk: Used with service=ppp or service=arap to indicate which protocol layer is being authorized.
protocol=vines: Used with service=ppp for VINES over PPP.
protocol=unknown: Used for undefined or unsupported conditions.
cmd=x: Used with service=shell. If cmd=NULL, this is an authorization request to start an EXEC. If cmd is not NULL, this is a command authorization request and contains the name of the command being authorized. For example, cmd=telnet.
cmd-arg=x: Used with service=shell. When performing command authorization, the command name is given by the cmd=x pair and each argument by its own cmd-arg=x pair. For example, cmd-arg=archie.sura.net.
acl=x: Used with service=shell and service=arap. For ARA, this pair contains an access list number. For service=shell, this pair contains an access class number. For example, acl=2.
inacl=x: Used with service=ppp and protocol=ip. Contains an IP input access list for SLIP or PPP/IP. For example, inacl=2.
outacl=x: Used with service=ppp and protocol=ip. Contains an IP output access list for SLIP or PPP/IP. For example, outacl=4.
addr=x: Used with service=slip, service=ppp, and protocol=ip. Contains the IP address that the remote host should use when connecting via SLIP or PPP/IP. For example, addr=172.30.23.11.
routing=x: Used with service=slip, service=ppp, and protocol=ip. Equivalent in function to the /routing flag in SLIP and PPP commands. Can be either true or false. For example, routing=true.
timeout=x: Used with service=arap. The number of minutes before an ARA session disconnects. For example, timeout=60.
autocmd=x: Used with service=shell and cmd=NULL. Specifies an autocommand to be executed at EXEC startup. For example, autocmd=telnet yxz.com.
noescape=x: Used with service=shell and cmd=NULL. Specifies a noescape option to the username configuration command. Can be either true or false. For example, noescape=true.
nohangup=x: Used with service=shell and cmd=NULL. Specifies a nohangup option to the username configuration command. Can be either true or false. For example, nohangup=false.
priv-lvl=x: Used with service=shell and cmd=NULL. Specifies the current privilege level for command authorization as a number from 0 to 15. For example, priv-lvl=15.
zonelist=x: Used with service=arap. Specifies an AppleTalk zonelist for ARA. For example, zonelist=5.
addr-pool=x: Used with service=ppp and protocol=ip. Specifies the name of a local pool from which to get the address of the remote host.

Example: router# debug aaa authorization
Misconceptions: none
Related commands: debug aaa authentication, debug aaa accounting
Sample Configurations: Actual debug output

router# debug aaa authorization
2:23:21: AAA/AUTHOR (0): user='carrel'
2:23:21: AAA/AUTHOR (0): send AV service=shell
2:23:21: AAA/AUTHOR (0): send AV cmd*
2:23:21: AAA/AUTHOR (342885561): Method=TACACS+
2:23:21: AAA/AUTHOR/TAC+ (342885561): user=carrel
2:23:21: AAA/AUTHOR/TAC+ (342885561): send AV service=shell
2:23:21: AAA/AUTHOR/TAC+ (342885561): send AV cmd*
2:23:21: AAA/AUTHOR (342885561): Post authorization status = FAIL
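The debug aaa accounting stop record and the debug aaa authorization trace shown in the two entries above, parsed into structured records as an added example that is not part of this command reference and not Cisco's code. The embedded sample lines are the ones printed above; the layout of the returned records and their field names are assumptions.

```python
"""Parse the `debug aaa accounting` stop record and the `debug aaa
authorization` trace into structured records, so that a session's
accounting counters can be correlated with its authorization outcome
and failed authorizations can be alerted on.

Added example written for this page, not Cisco code. The sample lines
are the ones printed in the two debug outputs above; the record layout
and the field names of the returned dictionaries are assumptions.
"""
import re
from typing import Dict, List, Tuple

# Sample debug lines (copied from the reference output above).
ACCT_LINES = """\
16:49:21: AAA/ACCT: EXEC acct start, line 10
16:49:32: AAA/ACCT: Connect start, line 10, glare
16:49:47: AAA/ACCT: Connection acct stop: task_id=70 service=exec port=10 protocol=telnet address=172.31.3.78 cmd=glare bytes_in=308 bytes_out=76 paks_in=45 paks_out=54 elapsed_time=14
"""
AUTHOR_LINES = """\
2:23:21: AAA/AUTHOR (0): user='carrel'
2:23:21: AAA/AUTHOR (0): send AV service=shell
2:23:21: AAA/AUTHOR (0): send AV cmd*
2:23:21: AAA/AUTHOR (342885561): Method=TACACS+
2:23:21: AAA/AUTHOR/TAC+ (342885561): user=carrel
2:23:21: AAA/AUTHOR/TAC+ (342885561): send AV service=shell
2:23:21: AAA/AUTHOR/TAC+ (342885561): send AV cmd*
2:23:21: AAA/AUTHOR (342885561): Post authorization status = FAIL
"""

KV = re.compile(r"(\w+)=(\S+)")
ACCT_STOP = re.compile(r"^(?P<ts>\S+): AAA/ACCT: (?P<what>.+?) acct stop: (?P<fields>.*)$")
AUTHOR = re.compile(r"^(?P<ts>\S+): AAA/AUTHOR(?:/\S+)? \((?P<sid>\d+)\): (?P<msg>.*)$")


def parse_acct_stop(text: str) -> List[Dict[str, object]]:
    """Return one dict per accounting stop record; numeric counters become ints."""
    records: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = ACCT_STOP.match(line)
        if not m:
            continue                        # start records carry no counters
        rec: Dict[str, object] = {"time": m["ts"], "type": m["what"]}
        for key, value in KV.findall(m["fields"]):
            rec[key] = int(value) if value.isdigit() else value
        records.append(rec)
    return records


def parse_author(text: str) -> Dict[str, dict]:
    """Group `debug aaa authorization` lines by session id into one summary each."""
    sessions: Dict[str, dict] = {}
    for line in text.splitlines():
        m = AUTHOR.match(line)
        if not m:
            continue
        s = sessions.setdefault(m["sid"], {"user": None, "method": None, "av": [], "status": None})
        msg = m["msg"]
        if msg.startswith("user="):
            # quoted in the generic AAA/AUTHOR line, bare in the AAA/AUTHOR/TAC+ line
            s["user"] = msg[len("user="):].strip("'")
        elif msg.startswith("Method="):
            s["method"] = msg[len("Method="):]
        elif msg.startswith("send AV "):
            av = msg[len("send AV "):]
            if av not in s["av"]:           # the TAC+ layer repeats the generic layer's pairs
                s["av"].append(av)
        elif msg.startswith("Post authorization status = "):
            s["status"] = msg.rsplit("= ", 1)[1]
    return sessions


def failed_authorizations(sessions: Dict[str, dict]) -> List[Tuple[str, str, str]]:
    """(session id, user, method) for every session whose final status is FAIL."""
    return [(sid, s["user"], s["method"]) for sid, s in sessions.items() if s["status"] == "FAIL"]


if __name__ == "__main__":
    for rec in parse_acct_stop(ACCT_LINES):
        print("accounting stop:", rec)
    print("failed authorizations:", failed_authorizations(parse_author(AUTHOR_LINES)))
```

The accounting parser keeps address, port and the byte and packet counters of each stop record, which is what an investigator needs to tie a Telnet session on a line to its peer; the authorization parser groups lines by the session id in parentheses, so the FAIL verdict is attributed to the TACACS+ session rather than to the generic request that preceded it.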

Command Name: aaa dnis map authorization network group
Mode: router(config)#
Syntax: aaa dnis map dnis-number authorization network group server-group-name
        no aaa dnis map dnis-number authorization network group server-group-name

Syntax Description:
dnis-number         Number of the DNIS.
server-group-name   Character string used to name a group of security servers functioning within a server group.

Command Description: To map a Dialed Number Identification Service (DNIS) number to a particular authentication, authorization, and accounting (AAA) server group (the server group that will be used for AAA authorization), use the aaa dnis map authorization network group global configuration command. To unmap this DNIS number from the defined server group, use the no form of this command.
Usage Guidelines: This command lets you assign a DNIS number to a particular AAA server group so that the server group can process authorization requests for users dialing in to the network using that particular DNIS number. To use this command, you must first enable AAA, define an AAA server group, and enable DNIS mapping.
Example: router(config)#aaa dnis map 7777 authorization network group group1
Misconceptions: none

Related commands: aaa new-model, aaa dnis map accounting network group, aaa dnis map authentication ppp group, aaa dnis map enable, aaa group server, radius-server host

Sample Configurations: The following sample configuration maps DNIS number 7777 to the RADIUS server group called group1. Server group group1 uses the RADIUS server 172.30.0.0 for authorization requests from users dialing in with DNIS 7777:
aaa new-model
radius-server host 172.30.0.0 auth-port 1645 key cisco1
aaa group server radius group1
 server 172.30.0.0
aaa dnis map enable
aaa dnis map 7777 authorization network group group1

Command Name: authorization
Mode: router(config-line)#
Syntax: authorization {arap | commands level | exec | reverse-access} [default | list-name]
        no authorization {arap | commands level | exec | reverse-access} [default | list-name]

Syntax Description:
arap            Enables authorization for lines configured for AppleTalk Remote Access (ARA) protocol.
commands        Enables authorization on the selected lines for all commands at the specified privilege level.
level           Specific command level to be authorized. Valid entries are 0 through 15.
exec            Enables authorization to determine if the user is allowed to run an EXEC shell on the selected lines.
reverse-access  Enables authorization to determine if the user is allowed reverse access privileges.
default         (Optional) The name of the default method list, created with the aaa authorization command.
list-name       (Optional) Specifies the name of a list of authorization methods to use. If no list name is specified, the system uses the default. The list is created with the aaa authorization command.

Command Description: To enable authentication, authorization, and accounting (AAA) authorization for a specific line or group of lines, use the authorization command in line configuration mode. To disable authorization, use the no form of this command.
Usage Guidelines: After you enable the aaa authorization command and define a named authorization method list (or use the default method list) for a particular type of authorization, you must apply the defined lists to the appropriate lines for authorization to take place. Use the authorization command to apply the specified method lists (or, if none is specified, the default method list) to the selected line or group of lines. A named list that is created but never applied to a line has no effect, so verify with show running-config that every line meant to be restricted carries the intended authorization statement.
Example: The following example enables command authorization (for level 15) using the method list named charlie on line 10:
router(config)#line 10
router(config-line)#authorization commands 15 charlie
Misconceptions: none
Related commands: aaa authorization
Sample Configurations:

Command Name: clear kerberos creds
Mode: router#
Syntax: clear kerberos creds

Syntax Description: This command has no arguments or keywords.
Command Description: To delete the contents of the credentials cache, use the clear kerberos creds command in privileged EXEC mode.
Example: router#clear kerberos creds
Misconceptions: none
Related commands: show kerberos creds
Sample Configurations:
router# show kerberos creds
Default Principal: chet@cisco.com
Valid Starting           Expires                  Service Principal
18-Dec-1995 16:21:07     19-Dec-1995 00:22:24     krbtgt/CISCO.COM@CISCO.COM
router# clear kerberos creds
router# show kerberos creds
No Kerberos credentials.
router#

Command Name: kerberos clients mandatory
Mode: router(config)#
Syntax: kerberos clients mandatory
        no kerberos clients mandatory

Syntax Description: This command has no arguments or keywords.
Command Description: To cause the rsh, rcp, rlogin, and telnet commands to fail if they cannot negotiate the Kerberos protocol with the remote server, use the kerberos clients mandatory command in global configuration mode. To make Kerberos optional, use the no form of this command. Without this command the clients attempt Kerberos first and fall back to the remote host's ordinary password prompt when Kerberos cannot be negotiated, which means a user's password can cross the network in the clear; set it on any router whose users are expected to reach only Kerberized hosts.
Example: The following example causes the rsh, rcp, rlogin, and telnet commands to fail if they cannot negotiate the Kerberos protocol with the remote server:
router(config)#kerberos clients mandatory
Misconceptions: none
Related commands: kerberos credentials forward
Sample Configurations:

Command Name: kerberos credentials forward
Mode: router(config)#
Syntax: kerberos credentials forward
        no kerberos credentials forward

Syntax Description: This command has no arguments or keywords.
Command Description: To force all network application clients on the router to forward users' Kerberos credentials upon successful Kerberos authentication, use the kerberos credentials forward command in global configuration mode. To turn off forwarding of Kerberos credentials, use the no form of this command. A forwarded ticket-granting ticket can be used by the remote host on the user's behalf for the remainder of its lifetime, so enable forwarding only toward hosts that are trusted to hold user credentials.
Example: The following example forces all network application clients on the router to forward users' Kerberos credentials upon successful Kerberos authentication:
router(config)#kerberos credentials forward
Misconceptions: none

Related commands: connect, rlogin, rsh, telnet
Sample Configurations:
!
clock timezone PST -8
clock summer-time PDT recurring
aaa new-model
aaa authentication login default krb5
aaa authentication login console none
aaa authentication ppp local local
enable password sMudgKin
!
username chet-2500 password 7 sMudgkin
username chet-3000 password 7 sMudgkin
username chetin password 7 sMudgkin
kerberos local-realm CISCO.COM
kerberos server CISCO.COM 172.71.54.14
kerberos credentials forward
!

Command Name: kerberos instance map
Mode: router(config)#
Syntax: kerberos instance map instance privilege-level
        no kerberos instance map instance

Syntax Description:
instance         Name of a Kerberos instance.
privilege-level  The privilege level at which a user is set if the user's Kerberos principal contains the matching Kerberos instance. You can specify up to 16 privilege levels, using numbers 0 through 15. Level 1 is normal EXEC-mode user privileges.

Command Description: To map Kerberos instances to Cisco IOS privilege levels, use the kerberos instance map command in global configuration mode. To remove a Kerberos instance map, use the no form of this command. Use this command to create user instances with access to administrative commands; the mapping takes effect through an exec authorization list that uses the krb5-instance method (see the sample configuration).
Example: The following example sets the privilege level to 15 for authenticated Kerberos users whose principal carries the admin instance in the Kerberos realm:
router(config)#kerberos instance map admin 15
Misconceptions: none
Related commands: aaa authorization
Sample Configurations:
aaa new-model
aaa authentication login default krb5-telnet krb5
aaa authentication login console none
aaa authentication ppp default krb5 local
aaa authorization exec default krb5-instance
enable password sMudgKin
!
username chet-2500 password 7 sMudgkin
username chet-3000 password 7 sMudgkin
username chetin password 7 sMudgkin
ip domain-name cisco.com
ip name-server 192.168.0.0
kerberos local-realm CISCO.COM
kerberos srvtab entry host/chet-2500.cisco.com@CISCO.COM 0 832015393 1 1 8 7 sMudgkin
kerberos server CISCO.COM 172.71.54.14
kerberos instance map admin 15
kerberos instance map restricted 3
kerberos credentials forward
clock timezone PST -8
clock summer-time PDT recurring

Command Name: kerberos local-realm
Mode: router(config)#
Syntax: kerberos local-realm kerberos-realm
        no kerberos local-realm

Syntax Description:
kerberos-realm  The name of the default Kerberos realm. A Kerberos realm consists of users, hosts, and network services that are registered to a Kerberos server. The Kerberos realm must be in uppercase characters.

Command Description: To specify the Kerberos realm in which the router is located, use the kerberos local-realm command in global configuration mode. To remove the specified Kerberos realm from this router, use the no form of this command.
Usage Guidelines: The router can be located in more than one realm at a time. However, there can be only one instance of kerberos local-realm. The realm specified with this command is the default realm.
Example: The following example specifies EXAMPLE.COM as the Kerberos realm in which the router is located:
router(config)#kerberos local-realm EXAMPLE.COM
Misconceptions: none
Related commands: kerberos preauth, kerberos realm, kerberos server, kerberos srvtab entry, kerberos srvtab remote

Sample Configurations:

aaa new-model
aaa authentication login default krb5-telnet krb5
aaa authentication login console none
aaa authentication ppp default krb5 local
aaa authorization exec default krb5-instance
enable password sMudgKin
!
username chet-2500 password 7 sMudgkin
username chet-3000 password 7 sMudgkin
username chetin password 7 sMudgkin
ip domain-name cisco.com
ip name-server 192.168.0.0
kerberos local-realm CISCO.COM
kerberos srvtab entry host/chet-2500.cisco.com@CISCO.COM 0 832015393 1 1 8 7 sMudgkin
kerberos server CISCO.COM 172.71.54.14
kerberos instance map admin 15
kerberos instance map restricted 3
kerberos credentials forward
clock timezone PST -8
clock summer-time PDT recurring

Command Name: kerberos preauth
Mode: router(config)#
Syntax: kerberos preauth [encrypted-unix-timestamp | encrypted-kerberos-timestamp | none]
        no kerberos preauth

Syntax Description:
encrypted-unix-timestamp      (Optional) Use an encrypted UNIX timestamp as a quick authentication method when communicating with the KDC.
encrypted-kerberos-timestamp  (Optional) Use the RFC 1510 Kerberos timestamp as a quick authentication method when communicating with the KDC.
none                          (Optional) Do not use Kerberos preauthentication.

Command Description: To specify a preauthentication method to use to communicate with the key distribution center (KDC), use the kerberos preauth command in global configuration mode. To disable Kerberos preauthentication, use the no form of this command.
Usage Guidelines: Using preauthentication for communications with the KDC is more secure. Without it, the KDC returns a ticket-granting ticket encrypted under the user's key to anyone who asks for that user, which hands an attacker material for offline password guessing; with an encrypted-timestamp preauthentication the client must prove knowledge of the key first. However, communication with the KDC will fail if the KDC does not support this particular version of kerberos preauth. If that happens, turn off the preauthentication with the none option. The no form of this command is equivalent to using the none keyword.
Example: The following example enables Kerberos preauthentication:
router(config)#kerberos preauth encrypted-unix-timestamp
Misconceptions: none

Related commands: kerberos local-realm, kerberos server, kerberos srvtab entry, kerberos srvtab remote

Sample Configurations:

Command Name: kerberos realm
Mode: router(config)#
Syntax: kerberos realm {dns-domain | host} kerberos-realm
        no kerberos realm {dns-domain | host} kerberos-realm

Syntax Description:
dns-domain      Name of a DNS domain, written with a leading dot (.) character.
host            Name of a DNS host.
kerberos-realm  Name of the Kerberos realm to which the specified domain or host belongs.

Command Description: To map a host name or Domain Name System (DNS) domain to a Kerberos realm, use the kerberos realm command in global configuration mode. To remove a Kerberos realm map, use the no form of this command.
Usage Guidelines: DNS domains are specified with a leading dot (.) character; host names cannot begin with a dot (.) character. There can be multiple entries of this command. A Kerberos realm consists of users, hosts, and network services that are registered to a Kerberos server. Kerberos realm names must be in all uppercase characters. The router can be located in more than one realm at a time; hosts that match no mapping belong to the realm set with kerberos local-realm.
Example: The following example maps the domain name example.com to the Kerberos realm EXAMPLE.COM:
router(config)#kerberos realm .example.com EXAMPLE.COM
Misconceptions: none

Related commands: kerberos local-realm, kerberos server, kerberos srvtab entry, kerberos srvtab remote

Sample Configurations:
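The host-to-realm lookup described in the kerberos realm and kerberos local-realm entries, and the instance-to-privilege mapping of the kerberos instance map entry, worked through as an added example that is not part of this command reference and not Cisco's code. The configuration lines it parses are constructed for the demonstration, and "the longest matching dotted domain wins" is an assumption, not a rule the page states.

```python
"""Resolve a host's Kerberos realm from `kerberos realm` mappings and the
IOS privilege level a principal receives from `kerberos instance map`
entries, following the rules in the kerberos realm, kerberos local-realm
and kerberos instance map entries above: a domain is written with a
leading dot and covers every host under it, a host name matches exactly,
an unmatched host belongs to the local (default) realm, realm names must
be uppercase, and an instance with no mapping keeps EXEC level 1.

Added example written for this page, not Cisco code. SAMPLE_CONFIG is
constructed for the demonstration; "longest matching domain wins" is an
assumption rather than a rule stated on the page.
"""
from typing import Optional, Tuple

SAMPLE_CONFIG = """\
kerberos local-realm CISCO.COM
kerberos realm .example.com EXAMPLE.COM
kerberos realm .corp.example.com CORP.EXAMPLE.COM
kerberos realm kdc-host.lab EXAMPLE.COM
kerberos instance map admin 15
kerberos instance map restricted 3
"""


def _realm(name: str) -> str:
    """Enforce the page's rule that realm names are uppercase."""
    if name != name.upper():
        raise ValueError("Kerberos realm names must be uppercase: " + name)
    return name


def parse_kerberos_config(text: str) -> dict:
    """Collect the local realm, domain/host mappings and instance map from config lines."""
    cfg: dict = {"local_realm": None, "realms": [], "instances": {}}
    for line in text.splitlines():
        t = line.split()
        if t[:2] == ["kerberos", "local-realm"]:
            cfg["local_realm"] = _realm(t[2])
        elif t[:2] == ["kerberos", "realm"]:
            cfg["realms"].append((t[2], _realm(t[3])))
        elif t[:3] == ["kerberos", "instance", "map"]:
            level = int(t[4])
            if not 0 <= level <= 15:
                raise ValueError("privilege level out of range: " + t[4])
            cfg["instances"][t[3]] = level
    return cfg


def realm_for_host(cfg: dict, host: str) -> Optional[str]:
    """Exact host entries win; else the longest matching dotted domain; else the local realm."""
    host = host.lower()
    best: Optional[Tuple[str, str]] = None
    for pattern, realm in cfg["realms"]:
        p = pattern.lower()
        if not p.startswith("."):
            if host == p:
                return realm
        elif host.endswith(p) and (best is None or len(p) > len(best[0])):
            best = (p, realm)
    return best[1] if best else cfg["local_realm"]


def split_principal(principal: str) -> Tuple[str, Optional[str], str]:
    """'primary/instance@REALM' -> (primary, instance or None, realm)."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError("principal must be name@REALM: " + principal)
    primary, _, instance = name.partition("/")
    return primary, (instance or None), realm


def privilege_for_principal(cfg: dict, principal: str) -> int:
    """Privilege level granted by the instance map; no instance or an unmapped one -> level 1."""
    _, instance, _ = split_principal(principal)
    if instance is None:
        return 1
    return cfg["instances"].get(instance, 1)


if __name__ == "__main__":
    cfg = parse_kerberos_config(SAMPLE_CONFIG)
    for host in ("www.corp.example.com", "kdc-host.lab", "router1.cisco.com"):
        print(host, "->", realm_for_host(cfg, host))
    for principal in ("chet/admin@CISCO.COM", "chet/restricted@CISCO.COM", "chet@CISCO.COM"):
        print(principal, "-> privilege", privilege_for_principal(cfg, principal))
```

The point to take from the instance mapping is that every principal without a mapped instance lands at level 1, so administrative access depends entirely on which instances the KDC is willing to issue and on the aaa authorization exec list using krb5-instance being applied.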

Command Name: kerberos server
Mode: router(config)#
Syntax: kerberos server kerberos-realm {hostname | ip-address} [port-number]
        no kerberos server kerberos-realm {hostname | ip-address}

Syntax Description:
kerberos-realm  Name of the Kerberos realm. A Kerberos realm consists of users, hosts, and network services that are registered to a Kerberos server. The Kerberos realm must be in uppercase letters.
hostname        Name of the host functioning as a Kerberos server for the specified Kerberos realm (translated into an IP address at the time of entry).
ip-address      IP address of the host functioning as the Kerberos server for the specified Kerberos realm.
port-number     (Optional) Port that the key distribution center (KDC) monitors (defaults to 88).

Command Description: To specify the location of the Kerberos server for a given Kerberos realm, use the kerberos server command in global configuration mode. To remove a Kerberos server for a specified Kerberos realm, use the no form of this command. Because a host name is resolved once when the command is entered, the configuration stores the address, not the name; re-enter the command if the KDC moves.
Example: The following example specifies 192.168.47.66 as the Kerberos server for the Kerberos realm EXAMPLE.COM:
router(config)#kerberos server EXAMPLE.COM 192.168.47.66
Misconceptions: none
Related commands: kerberos local-realm, kerberos server, kerberos srvtab entry, kerberos srvtab remote

Sample Configurations:
!
clock timezone PST -8
clock summer-time PDT recurring
aaa new-model
aaa authentication login default krb5
aaa authentication login console none
aaa authentication ppp local local
enable password sMudgKin
!
username chet-2500 password 7 sMudgkin
username chet-3000 password 7 sMudgkin
username chetin password 7 sMudgkin
kerberos local-realm CISCO.COM
kerberos server CISCO.COM 172.71.54.14
kerberos credentials forward

Command Name: Mode: Syntax:

kerberos srvtab entry router(config)#

kerberos srvtab entry kerberos-principal principal-type timestamp key-version number key-type key-length encrypted-keytab
no kerberos srvtab entry kerberos-principal principal-type
Syntax Description:
kerberos-principal A service on the router.

principal-type

Version of the Kerberos SRVTAB.

timestamp

Number representing the date and time the SRVTAB entry was created.

key-version number

Version of the encryption key format.

key-type

Type of encryption used.

key-length

Length, in bytes, of the encryption key.

encryptedkeytab

Secret key the router shares with the key distribution center (KDC). It is encrypted with the private Data Encryption Standard (DES) key (if available) when you write out your configuration.

Command Description: To define a Kerberos SRVTAB entry in the router's configuration, use the kerberos srvtab entry command in global configuration mode. Entries in this form are normally generated automatically when a SRVTAB file is retrieved from a remote host with the kerberos srvtab remote command. To remove a SRVTAB entry from the router's configuration, use the no form of this command. Usage Guidelines: When you use the kerberos srvtab remote command to copy the SRVTAB file from a remote host (generally the KDC), the router parses the information in this file and stores it in the running configuration in the kerberos srvtab entry format. The key for each SRVTAB entry is encrypted with a private DES key if one is defined on the router; if no private DES key is defined, the SRVTAB key is stored in the configuration unencrypted, so treat every copy of the configuration as key material. To ensure that the SRVTAB is available (that is, that it does not need to be acquired from the KDC) when you reboot the router, use the write memory command to write the router's running configuration to NVRAM. If you reload a configuration containing a SRVTAB encrypted with a private DES key onto a router that does not have a private DES key defined, the router displays a message informing you that the SRVTAB entry has been corrupted, and discards the entry. Example:
router(config)#kerberos srvtab entry host/chet-2500.cisco.com@CISCO.COM 0 832015393 1 1 8 7 sMudgkin
Misconceptions: none
Related commands: kerberos srvtab remote
Sample Configurations:
!
clock timezone PST -8
clock summer-time PDT recurring
aaa new-model
aaa authentication login default krb5-telnet krb5
aaa authentication login console none
aaa authentication ppp local local
enable password sMudgKin
!
username chet-2500 password 7 sMudgkin
username chet-3000 password 7 sMudgkin
username chetin password 7 sMudgkin
kerberos local-realm CISCO.COM
kerberos srvtab entry host/chet-2500.cisco.com@CISCO.COM 0 832015393 1 1 8 7 sMudgkin
kerberos server CISCO.COM 172.71.54.14
kerberos credentials forward

Command Name: Mode: Syntax:

ppp authorization router(config-if)#

ppp authorization [default | list-name] no ppp authorization

Syntax Description:
default (Optional) Uses the default method list, which is created with the aaa authorization command.

list-name

(Optional) Specifies the name of a list of authorization methods to use. If no list name is specified, the system uses the default. The list is created with the aaa authorization command.

Command Description: To enable authentication, authorization, and accounting (AAA) authorization on the selected interface, use the ppp authorization command in interface configuration mode. To disable authorization, use the no form of this command. Usage Guidelines: After you enable the aaa authorization command and define a named authorization method list (or use the default method list), you must apply the defined lists to the appropriate interfaces for authorization to take place. Use the ppp authorization command to apply the specified method list (or, if none is specified, the default method list) to the selected interface. Example: The following example enables authorization on asynchronous interface 4 and uses the method list named charlie:
router(config)#interface async 4
router(config-if)#encapsulation ppp
router(config-if)#ppp authorization charlie
Misconceptions: none
Related commands:

aaa authorization

Sample Configurations: Named Method List Configuration Example
aaa new-model
aaa authentication login admins local
aaa authentication ppp dialins group radius local
aaa authorization network scoobee group radius local
aaa accounting network charley start-stop group radius
username root password ALongPassword
radius-server host Alcatraz
radius-server key myRaDiUSpassWoRd
interface group-async 1
 group-range 1 16
 encapsulation ppp
 ppp authentication chap dialins
 ppp authorization scoobee
 ppp accounting charley

Command Name: Mode: Syntax:

aaa attribute router(config-aaa-user)#

aaa attribute {clid | dnis} attribute-value no aaa attribute {clid | dnis} attribute-value Syntax Description:
clid Adds CLID attribute values to the user profile.

dnis

Adds DNIS attribute values to the user profile.

attribute-value

Specifies a name for CLID or DNIS attribute values.

Command Description: To add calling line identification (CLID) and dialed number identification service (DNIS) attribute values to a user profile, use the aaa attribute command in AAA-user configuration mode. To remove this command from your configuration, use the no form of this command. Usage Guidelines: Use the aaa attribute command to add CLID or DNIS attribute values to a named user profile, which is created by using the aaa user profile command. The CLID or DNIS attribute values can be associated with the record that is going out with the user profile (via the test aaa group command), thereby providing the RADIUS server with access to CLID or DNIS information when the server receives a RADIUS record. Example: The following example shows how to add CLID and DNIS attribute values to the user profile "cat":
router(config)#aaa user profile cat
router(config-aaa-user)#aaa attribute clid clidval
router(config-aaa-user)#aaa attribute dnis dnisval
Misconceptions: none
Related commands: aaa user profile test aaa group
Sample Configurations:

Command Name: Mode: Syntax:

aaa group server radius router(config)#

aaa group server radius group-name no aaa group server radius group-name Syntax Description:
group-name Character string used to name the group of servers.

Command Description: To group different RADIUS server hosts into distinct lists and distinct methods, enter the aaa group server radius command in global configuration mode. To remove a group server from the configuration list, enter the no form of this command. Usage Guidelines The authentication, authorization, and accounting (AAA) server-group feature introduces a way to group existing server hosts. The feature enables you to select a subset of the configured server hosts and use them for a particular service. A group server is a list of server hosts of a particular type. Currently supported server host types are RADIUS server hosts and TACACS+ server hosts. A group server is used in conjunction with a global server host list. The group server lists the IP addresses of the selected server hosts. Example: router(config)#aaa group server radius radgroup1 Misconceptions: none Related commands: aaa accounting aaa authentication login aaa authorization aaa new-model radius-server host Sample Configurations:

The following example shows the configuration of an AAA group server named radgroup1 that comprises three member servers:
aaa group server radius radgroup1
 server 1.1.1.1 auth-port 1700 acct-port 1701
 server 2.2.2.2 auth-port 1702 acct-port 1703
 server 3.3.3.3 auth-port 1705 acct-port 1706

Command Name: Mode: Syntax:

aaa nas port extended router(config)#

aaa nas port extended
no aaa nas port extended
Syntax Description: This command has no arguments or keywords.
Command Description: To replace the NAS-Port attribute with RADIUS IETF attribute 26 and to display extended field information, use the aaa nas port extended command in global configuration mode. To display no extended field information, use the no form of this command. Usage Guidelines: On platforms with multiple interfaces (ports) per slot, the Cisco RADIUS implementation does not provide a unique NAS-Port attribute that permits distinguishing between the interfaces. For example, if a dual PRI interface is in slot 1, calls on both Serial1/0:1 and Serial1/1:1 will appear as NAS-Port = 20101 due to the 16-bit field size limitation associated with the RADIUS IETF NAS-Port attribute. In this case, the solution is to replace the NAS-Port attribute with a vendor-specific attribute (RADIUS IETF attribute 26). Cisco's vendor ID is 9, and the Cisco-NAS-Port attribute is subtype 2. Vendor-specific attributes (VSAs) can be turned on by entering the radius-server vsa send command. The port information in this attribute is provided and configured using the aaa nas port extended command. The standard NAS-Port attribute (RADIUS IETF attribute 5) will continue to be sent. If you do not want this information to be sent, you can suppress it by using the no radius-server attribute nas-port command; once that command is configured, the standard NAS-Port attribute is no longer sent. Example: router(config)#aaa nas port extended Misconceptions: none Related commands:
radius-server extended-portnames
radius-server vsa send
Sample Configurations:
aaa new-model
aaa authentication login CONSOLE none
aaa authentication login RADIUS_LIST group radius
aaa authentication login TAC_PLUS group tacacs+ enable
aaa authentication login V.120 none
aaa authentication enable default enable group tacacs+
aaa authentication ppp RADIUS_LIST if-needed group radius
aaa authorization exec RADIUS_LIST group radius if-authenticated
aaa authorization exec V.120 none
aaa authorization network default group radius if-authenticated
aaa authorization network RADIUS_LIST if-authenticated group radius
aaa authorization network V.120 group radius if-authenticated
aaa accounting suppress null-username
aaa accounting exec default start-stop group radius
aaa accounting commands 0 default start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting connection default start-stop group radius
aaa accounting system default start-stop group radius
aaa preauth
 dnis password Cisco-DNIS
aaa nas port extended

Command Name: Mode: Syntax:

aaa user profile router(config)#

aaa user profile profile-name no aaa user profile profile-name Syntax Description:
profile-name Character string used to name the user profile.

Command Description: To create an authentication, authorization, and accounting (AAA) named user profile, use the aaa user profile command in global configuration mode. To remove a user profile from the configuration, use the no form of this command. Usage Guidelines Use the aaa user profile command to create a AAA user profile. Used in conjunction with the aaa attribute command, which adds calling line identification (CLID) and dialed number identification service (DNIS) attribute values, the user profile can be associated with the record that is sent to the RADIUS server (via the test aaa group command), which provides the RADIUS server with access to CLID or DNIS attribute information when the server receives a RADIUS record. Example: router(config)#aaa user profile prfl1 Misconceptions: none Related commands: aaa attribute test aaa group Sample Configurations: The following example shows how to configure a dnis = dnisvalue user profile named "prfl1":

aaa user profile prfl1
 aaa attribute dnis
 aaa attribute dnis dnisvalue
 no aaa attribute clid

Command Name: Mode: Syntax:

accounting (server-group) router(config-sg-radius)#

accounting [accept | reject] listname Syntax Description:


accept (Optional) Indicates that all attributes will be rejected except for required attributes and the attributes specified in the listname.

reject

(Optional) Indicates that all attributes will be accepted except for the attributes specified in the listname.

listname

Defines the given name for the accept or reject list.

Command Description: To specify an accept or reject list for attributes that are to be sent to the RADIUS server in an accounting request, use the accounting command in server-group configuration mode. Usage Guidelines: An accept or reject list (also known as a filter) for RADIUS accounting allows you to send only the accounting attributes your business requires, thereby reducing unnecessary traffic and allowing you to customize your own accounting data. Only one filter per server group may be used for RADIUS accounting. Note: The listname argument must be the same as the listname argument defined in the radius-server attribute list command, which is used with the radius-server attribute 11 direction default command to add to an accept or reject list. Example: router(config-sg-radius)#accounting accept usage-only Misconceptions: none

Related commands:

aaa group server radius
aaa new-model
aaa authentication
aaa authorization
authorization (server-group)
radius-server attribute 11 direction default
radius-server attribute list
Sample Configurations: The following example shows how to specify the accept list "usage-only" for RADIUS accounting:
aaa new-model
aaa authentication ppp default group radius-sg
aaa authorization network default group radius-sg
aaa group server radius radius-sg
 server 1.1.1.1
 accounting accept usage-only
!
radius-server host 1.1.1.1 key mykey1
radius-server attribute list usage-only
 attribute 1,40,42-43,46

Command Name: Mode:

attribute (server-group) router(config-sg-radius)#

Syntax: attribute value1 [value2 [value3]...] no attribute value1 [value2 [value3]...] Syntax Description:
value1 [value2 [value3]...] Specifies which attributes to include in an accept or reject list. The value can be a single integer, such as 7, or a range of numbers, such as 56 to 59. At least one attribute

Command Description: To add attributes to an accept or reject list, use the attribute command in server-group configuration mode. To remove attributes from the list, use the no form of this command. Usage Guidelines: Used in conjunction with the radius-server attribute list command (which defines the list name), the attribute command can be used to add attributes to an accept or reject list (also known as a filter). Filters are used to prevent the NAS from receiving and processing unwanted attributes for authorization or accounting. The attribute command can be used multiple times to add attributes to a filter. However, if a required attribute is specified in a reject list, the NAS will override the command and accept the attribute. Required attributes are as follows:
For authorization:
 6 (Service-Type)
 7 (Framed-Protocol)
For accounting:
 4 (NAS-IP-Address)
 40 (Acct-Status-Type)
 41 (Acct-Delay-Time)
 44 (Acct-Session-ID)

Example:
router(config-sg-radius)#attribute 12,217,6-10,13
router(config-sg-radius)#attribute 64-69,218

Misconceptions: none

Related commands: accounting (server-group) authorization (server-group) radius-server attribute list
Sample Configurations: The following example shows how to add attributes 12, 217, 6 to 10, 13, 64 to 69, and 218 to the list name "standard":
radius-server attribute list standard
 attribute 12,217,6-10,13
 attribute 64-69,218

Command Name: Mode:

authorization (server-group) router(config-sg-radius)#

Syntax: authorization [accept | reject] listname Syntax Description:


accept (Optional) Indicates that all attributes will be rejected except for required attributes and the attributes specified in the listname.

reject

(Optional) Indicates that all attributes will be accepted except for the attributes specified in the listname.

listname

Defines the given name for the accept or reject list.

Command Description: To specify an accept or reject list for attributes that are returned in an Access-Accept packet from the RADIUS server, use the authorization command in server-group configuration mode. Usage Guidelines: An accept or reject list (also known as a filter) for RADIUS authorization allows you to configure the network access server (NAS) to restrict the use of specific attributes, thereby preventing the NAS from processing unwanted attributes. Only one filter per server group may be used for RADIUS authorization. Note: The listname argument must be the same as the listname argument defined in the radius-server attribute list command, which is used with the radius-server attribute 11 direction default command to add to an accept or reject list. Example: router(config-sg-radius)#authorization accept min-author Misconceptions: none Related commands:
aaa group server radius
aaa new-model
aaa authentication ppp
aaa authorization
accounting (server-group)
radius-server attribute 11 direction default
radius-server attribute list
Sample Configurations:
aaa new-model
aaa authentication ppp default group radius-sg
aaa authorization network default group radius-sg
aaa group server radius radius-sg
 server 1.1.1.1
 authorization accept min-author
!
radius-server host 1.1.1.1 key mykey1
radius-server attribute list min-author
 attribute 6-7
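The filter semantics described for the accounting (server-group), attribute and authorization (server-group) commands above, as an added example in Python (written for this page, not Cisco code): it parses the `attribute 12,217,6-10,13` value syntax, applies an accept or reject list to a set of attributes, and shows the override the page describes, where a required attribute named in a reject list is kept anyway. The required-attribute numbers are the ones listed on the page; the sample Accounting-Request and Access-Accept attribute sets are constructed.

```python
"""RADIUS accept/reject attribute filters (server-group accounting,
authorization and attribute commands). Added example, not Cisco code."""
from typing import Callable, Dict, Set

# Required attributes from the page; these survive every filter.
REQUIRED: Dict[str, Set[int]] = {
    "authorization": {6, 7},          # Service-Type, Framed-Protocol
    "accounting": {4, 40, 41, 44},    # NAS-IP-Address, Acct-Status-Type,
                                      # Acct-Delay-Time, Acct-Session-ID
}


def parse_attribute_list(spec: str) -> Set[int]:
    """Parse 'attribute 12,217,6-10,13' style values into a set of ints."""
    result: Set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad range {item!r}")
            result.update(range(lo, hi + 1))
        else:
            result.add(int(item))
    return result


def apply_filter(attributes: Dict[int, object], mode: str,
                 listed: Set[int], service: str) -> Dict[int, object]:
    """Return the attributes that survive an accept or reject list.

    accept: keep only required attributes and those in the list.
    reject: drop listed attributes, except required ones, which the NAS
            keeps regardless (the override described on the page).
    """
    required = REQUIRED[service]
    keep: Callable[[int], bool]
    if mode == "accept":
        keep = lambda t: t in required or t in listed
    elif mode == "reject":
        keep = lambda t: t in required or t not in listed
    else:
        raise ValueError(f"mode must be accept or reject, not {mode!r}")
    return {t: v for t, v in attributes.items() if keep(t)}


# Constructed Accounting-Request attributes (type number -> value).
ACCT_REQUEST = {1: "alice", 4: "10.0.0.1", 5: 20101, 30: "5551212",
                40: 1, 41: 0, 42: 1234, 43: 5678, 44: "0000001A", 46: 60}

# Constructed Access-Accept attributes returned by the server.
ACCESS_ACCEPT = {6: 2, 7: 1, 8: "10.0.0.5", 26: b"cisco-avpair..."}


def usage_only_example() -> Dict[int, object]:
    """'accounting accept usage-only' with 'attribute 1,40,42-43,46'."""
    return apply_filter(ACCT_REQUEST, "accept",
                        parse_attribute_list("1,40,42-43,46"), "accounting")


def reject_required_example() -> Dict[int, object]:
    """A reject list naming required attribute 44 cannot remove it."""
    return apply_filter(ACCT_REQUEST, "reject",
                        parse_attribute_list("1,44"), "accounting")


def min_author_example() -> Dict[int, object]:
    """'authorization accept min-author' with 'attribute 6-7': everything
    the server returned except Service-Type and Framed-Protocol is dropped,
    including the vendor-specific attribute 26."""
    return apply_filter(ACCESS_ACCEPT, "accept",
                        parse_attribute_list("6-7"), "authorization")
```

The authorization case is the security-relevant one: an accept list on the server group bounds what a compromised or misconfigured RADIUS server can push into a session (for example, unexpected Framed-Route or vendor-specific attributes), since anything not required and not listed never reaches the NAS's authorization logic.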

Command Name: Mode: Syntax:

call guard-timer router(config-controller)#

call guard-timer milliseconds [on-expiry {accept | reject}] no call guard-timer milliseconds [on-expiry {accept | reject}] Syntax Description:
milliseconds Specifies the number of milliseconds to wait for a response from the RADIUS server.

on-expiry accept

(Optional) Accepts the call if a response is not received from the RADIUS server within the specified time.

on-expiry reject

(Optional) Rejects the call if a response is not received from the RADIUS server within the specified time.

Command Description: To set a guard timer to accept or reject a call in the event that the RADIUS server fails to respond to a preauthentication request, use the call guard-timer controller configuration command. To remove the call guard-timer command from your configuration file, use the no form of this command. Example: router(config-controller)# call guard-timer 20000 on-expiry accept Misconceptions: none Related commands: aaa preauth Sample Configurations:

The following example shows a guard timer that is set at 20000 milliseconds. A call will be accepted if the RADIUS server has not responded to a preauthentication request when the timer expires. Note that on-expiry accept fails open: calls are admitted whenever the RADIUS server is down or slow, so use on-expiry reject where unauthenticated calls must not be admitted.
controller T1 0
 framing esf
 clock source line primary
 linecode b8zs
 ds0-group 0 timeslots 1-24 type e&m-fgb dtmf dnis
 cas-custom 0
 call guard-timer 20000 on-expiry accept
aaa preauth
 group radius
 dnis required

Command Name: Mode: Syntax:

clid router(config-preauth)#

clid [if-avail | required] [accept-stop] [password password] no clid [if-avail | required] [accept-stop] [password password] Syntax Description:
if-avail (Optional) Implies that if the switch provides the data, RADIUS must be reachable and must accept the string in order for preauthentication to pass. If the switch does not provide the data, preauthentication passes.

required

(Optional) Implies that the switch must provide the associated data, that RADIUS must be reachable, and that RADIUS must accept the string in order for preauthentication to pass. If these three conditions are not met, preauthentication fails.

accept-stop

(Optional) Prevents subsequent preauthentication elements such as ctype or dnis from being tried once preauthentication has succeeded for a call element.

password password

(Optional) Defines the password for the preauthentication element.

Command Description: To preauthenticate calls on the basis of the Calling Line Identification (CLID) number, use the clid authentication, authorization, and accounting (AAA) preauthentication configuration command. To remove the clid command from your configuration, use the no form of this command. Usage Guidelines: You may configure more than one of the AAA preauthentication commands (clid, ctype, dnis) to set conditions for preauthentication. The sequence of the command configuration decides the sequence of the preauthentication conditions. For example, if you configure dnis, then clid, then ctype, in this order, then this is the order of the conditions considered in the preauthentication process. In addition to using the preauthentication commands to configure preauthentication on the Cisco router, you must set up the preauthentication profiles on the RADIUS server. Example: The following example specifies that incoming calls be preauthenticated on the basis of the CLID number:
router(config)#aaa preauth
router(config-preauth)#group radius
router(config-preauth)#clid required
Misconceptions: none
Related commands: ctype dnis (AAA preauthentication configuration) dnis bypass (AAA preauthentication configuration) group (AAA preauthentication configuration)
Sample Configurations:

Command Name: Mode: Syntax:

ctype router(config-preauth)#

ctype [if-avail | required] [accept-stop] [password password] [digital | speech | v.110 | v.120] no ctype [if-avail | required] [accept-stop] [password password] [digital | speech | v.110 | v.120] Syntax Description:
if-avail (Optional) Implies that if the switch provides the data, RADIUS must be reachable and must accept the string in order for preauthentication to pass. If the switch does not provide the data, preauthentication passes.

required

(Optional) Implies that the switch must provide the associated data, that RADIUS must be reachable, and that RADIUS must accept the string in order for preauthentication to pass. If these three conditions are not met, preauthentication fails.

accept-stop

(Optional) Prevents subsequent preauthentication elements such as clid or dnis from being tried once preauthentication has succeeded for a call element.

password password

(Optional) Defines the password for the preauthentication element.

digital

(Optional) Specifies "digital" as the call type for preauthentication.

speech

(Optional) Specifies "speech" as the call type for preauthentication.

v.110

(Optional) Specifies "v.110" as the call type for preauthentication.

v.120

(Optional) Specifies "v.120" as the call type for preauthentication.

Command Description: To preauthenticate calls on the basis of the call type, use the ctype authentication, authorization, and accounting (AAA) preauthentication configuration command. To remove the ctype command from your configuration, use the no form of this command.
Usage Guidelines: You may configure more than one of the AAA preauthentication commands (clid, ctype, dnis) to set conditions for preauthentication. The sequence of the command configuration decides the sequence of the preauthentication conditions. For example, if you configure dnis, then clid, then ctype, in this order, then this is the order of the conditions considered in the preauthentication process. In addition to using the preauthentication commands to configure preauthentication on the Cisco router, you must set up the preauthentication profiles on the RADIUS server. Set up the RADIUS preauthentication profile with the call type string as the username and with the password that is defined in the ctype command as the password. Table 13 shows the call types that you may use in the preauthentication profile.
Table 13 Preauthentication Call Types
Call Type String    ISDN Bearer Capabilities
digital             Unrestricted digital, restricted digital.
speech              Speech, 3.1 kHz audio, 7 kHz audio.
v.110               Anything with V.110 user information layer.
v.120               Anything with V.120 user information layer.
Example: The following example specifies that incoming calls be preauthenticated on the basis of the call type:
router(config)#aaa preauth
router(config-preauth)#group radius
router(config-preauth)#ctype required
Misconceptions: none
Related commands: clid dnis (AAA preauthentication configuration) dnis bypass (AAA preauthentication configuration) group (AAA preauthentication configuration)
Sample Configurations:

Command Name: Mode: Syntax:

deadtime router(config-sg-radius)#

deadtime minutes no deadtime Syntax Description:
minutes Length of time, in minutes, for which a RADIUS server is skipped over by transaction requests, up to a maximum of 1440 minutes (24 hours).

Command Description: To configure deadtime within the context of RADIUS server groups, use the deadtime server-group configuration command. To set deadtime to 0, use the no form of this command. Usage Guidelines: Use this command to configure the deadtime value of any RADIUS server group. The deadtime value set in a server group overrides the value configured globally with radius-server deadtime. If deadtime is omitted from the server group configuration, the value is inherited from the global (master) list. If no deadtime is configured for the server group or globally, the default value (0) applies to all servers in the group. Example: router(config-sg-radius)#deadtime 1 Misconceptions: none Related commands: radius-server deadtime Sample Configurations:
aaa group server radius group1
 server 1.1.1.1 auth-port 1645 acct-port 1646
 server 2.2.2.2 auth-port 2000 acct-port 2001
 deadtime 1
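How deadtime changes server selection, as an added example in Python (written for this page, not Cisco code): the effective value follows the precedence stated above (group setting, else the global radius-server deadtime value, else 0), a server that failed to respond is skipped for that many minutes, and with deadtime 0 it is never skipped and is retried on every transaction. The monotonic-clock time source, the behaviour when every server in the group is dead (here: no server is returned), and the server list are assumptions and constructed data.

```python
"""RADIUS server selection under deadtime. Added example, not Cisco code."""
from dataclasses import dataclass, field
from typing import List, Optional

MAX_DEADTIME_MINUTES = 1440    # page: up to 24 hours


def effective_deadtime(group_minutes: Optional[int],
                       global_minutes: Optional[int]) -> int:
    """Group value overrides global; an omitted group value inherits the
    global one; nothing configured means 0 (never skip a server)."""
    if group_minutes is not None:
        return group_minutes
    if global_minutes is not None:
        return global_minutes
    return 0


@dataclass
class Server:
    host: str
    dead_until: float = 0.0    # seconds on a monotonic clock; 0 = alive


@dataclass
class ServerGroup:
    servers: List[Server] = field(default_factory=list)
    deadtime_minutes: int = 0

    def __post_init__(self) -> None:
        if not 0 <= self.deadtime_minutes <= MAX_DEADTIME_MINUTES:
            raise ValueError("deadtime must be 0..1440 minutes")

    def pick(self, now: float) -> Optional[Server]:
        """First server not currently marked dead, in configured order.
        Returning None when all are dead is an assumption of this model."""
        for s in self.servers:
            if s.dead_until <= now:
                return s
        return None

    def mark_dead(self, server: Server, now: float) -> None:
        """Record a server that did not respond. With deadtime 0 the server
        stays eligible, so every transaction pays the timeout again."""
        if self.deadtime_minutes > 0:
            server.dead_until = now + self.deadtime_minutes * 60


def failover_trace(group: ServerGroup, failing: str,
                   times: List[float]) -> List[Optional[str]]:
    """Simulate transactions at the given times; `failing` never answers.
    Returns the host chosen for each transaction."""
    chosen: List[Optional[str]] = []
    for now in times:
        s = group.pick(now)
        chosen.append(s.host if s else None)
        if s is not None and s.host == failing:
            group.mark_dead(s, now)
    return chosen
```

With `deadtime 1` and 1.1.1.1 unresponsive, transactions at 0, 30 and 59 seconds go to 1.1.1.1 once and then to 2.2.2.2, and at 60 seconds 1.1.1.1 is tried again; with deadtime 0 every transaction retries 1.1.1.1 first.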

Command Name: Mode: Syntax:

dialer aaa router(config-if)#

dialer aaa [suffix string password string]
no dialer aaa [suffix string password string]
Syntax Description:
suffix string (Optional) Defines a suffix for authentication.

password string

(Optional) Defines a nondefault password for authentication.

Command Description: To allow a dialer to access the authentication, authorization, and accounting (AAA) server for dialing information, use the dialer aaa command in interface configuration mode. To disable this function, use the no form of this command. Usage Guidelines: This command is required for large-scale dial-out and Layer 2 Tunneling Protocol (L2TP) dial-out functionality. With this command, you can specify a suffix, a password, or both. If you do not specify a password, the default password is "cisco"; set a nondefault password rather than relying on this well-known value. Example: This example shows a user sending out packets from interface Dialer1 with a destination IP address of 1.1.1.1. The username in the Access-Request message is "1.1.1.1@ciscoDoD" and the password is "cisco".
interface dialer1
 dialer aaa
 dialer aaa suffix @ciscoDoD password cisco
Misconceptions: none
Related commands: accept dialout dialer congestion-threshold dial vpdn
Sample Configurations:

Command Name: Mode: Syntax:

dnis (aaa preauthentication) router(config-preauth)#

dnis [if-avail | required] [accept-stop] [password string] no dnis [if-avail | required] [accept-stop] [password string] Syntax Description:
if-avail (Optional) Implies that if the switch provides the data, RADIUS must be reachable and must accept the string in order for preauthentication to pass. If the switch does not provide the data, preauthentication passes.

required

(Optional) Implies that the switch must provide the associated data, that RADIUS must be reachable, and that RADIUS must accept the string in order for preauthentication to pass. If these three conditions are not met, preauthentication fails.

accept-stop

(Optional) Prevents subsequent preauthentication elements from being tried once preauthentication has succeeded for a call element.

password string

(Optional) Password to use in the Access-Request packet. The default is cisco.

Command Description: To preauthenticate calls on the basis of the Dialed Number Identification Service (DNIS) number, use the dnis authentication, authorization, and accounting (AAA) preauthentication configuration command. To remove the dnis command from your configuration, use the no form of this command. You may configure more than one of the AAA preauthentication commands (clid, ctype, dnis) to set conditions for preauthentication. The sequence of the command configuration decides the sequence of the preauthentication conditions. For example, if you configure dnis, then clid, then ctype, then this is the order of the conditions considered in the preauthentication process. In addition to using the preauthentication commands to configure preauthentication on the Cisco router, you must set up the preauthentication profiles on the RADIUS server.

Example: The following example enables DNIS preauthentication using a RADIUS server and the password Ascend-DNIS: router(config)#aaa preauth router(config-preauth)#group radius router(config-preauth)#dnis password Ascend-DNIS Misconceptions: none Related commands: clid ctype dnis bypass (AAA preauthentication configuration) group (AAA preauthentication configuration) Sample Configurations:

Command Name: Mode: Syntax:

dnis bypass (aaa preauthentication) router(config-preauth)#

dnis bypass dnis-group-name no dnis bypass dnis-group-name Syntax Description:
dnis-group-name Name of the defined DNIS group.

Command Description: To specify a group of DNIS (Dialed Number Identification Service) numbers that will be bypassed for preauthentication, use the dnis bypass AAA preauthentication configuration command. To remove the dnis bypass command from your configuration, use the no form of this command. Usage Guidelines: Before using this command, you must first create a DNIS group with the dialer dnis group command. Example: router(config-preauth)#dnis bypass hawaii Misconceptions: none Related Commands: dialer dnis group dnis (AAA preauthentication configuration) Sample Configurations: The following example specifies that preauthentication be performed on all DNIS numbers except for two DNIS numbers (12345 and 12346), which have been defined in the DNIS group called hawaii:
aaa preauth
 group radius
 dnis required
 dnis bypass hawaii
dialer dnis group hawaii
 number 12345
 number 12346

Command Name: Mode: Syntax:

group (AAA preauthentication configuration) router(config-preauth)#

group server-group no group server-group Syntax Description:
server-group Specifies a AAA RADIUS server group.

Command Description: To specify the authentication, authorization, and accounting (AAA) RADIUS server group to use for preauthentication, use the group AAA preauthentication configuration command. To remove the group command from your configuration, use the no form of this command. Usage Guidelines: You must configure a RADIUS server group with the aaa group server radius command in global configuration mode before using the group command in AAA preauthentication configuration mode. You must configure the group command before you configure any other AAA preauthentication command (clid, ctype, dnis, or dnis bypass). Example: router(config-preauth)#group maestro Misconceptions: none Related commands: aaa group server radius clid ctype dnis (aaa preauthentication configuration) dnis bypass (aaa preauthentication configuration)

Sample Configurations:
aaa group server radius maestro
 server 1.1.1.1
 server 2.2.2.2
 server 3.3.3.3
!
aaa preauth
 group maestro
 dnis required
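The evaluation rules shared by the clid, ctype, dnis and dnis bypass preauthentication commands above, as an added example in Python (written for this page, not Cisco code): elements are tried in configured order; `required` fails when the switch gives no data, when RADIUS is unreachable, or when RADIUS rejects; `if-avail` passes silently when the switch gives no data but otherwise behaves like `required`; `accept-stop` ends evaluation on the first accepted element; the `password` keyword is the password sent in the Access-Request, defaulting to cisco. The RADIUS profile table, the call records and the RADIUS stand-in are constructed; treating a DNIS in the bypass group as admitted without any RADIUS exchange is an assumption, as is modelling an unreachable server as a plain failure (the call guard-timer command above decides that case on a real controller).

```python
"""AAA preauthentication element evaluation. Added example, not Cisco code."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

# RADIUS answer: "accept", "reject", or None when the server is unreachable.
RadiusFn = Callable[[str, str], Optional[str]]


@dataclass
class Element:
    name: str                 # "clid", "ctype" or "dnis"
    requirement: str          # "if-avail" or "required"
    accept_stop: bool = False
    password: str = "cisco"   # page: default password is cisco


@dataclass
class PreauthConfig:
    elements: List[Element] = field(default_factory=list)   # configured order
    dnis_bypass: Set[str] = field(default_factory=set)      # dialer dnis group


def preauthenticate(cfg: PreauthConfig, call: Dict[str, Optional[str]],
                    radius: RadiusFn) -> Tuple[bool, str]:
    """Return (passed, reason) for one incoming call.

    call maps element name -> value the switch delivered, or None when the
    switch did not provide that item (e.g. CLID withheld)."""
    if call.get("dnis") in cfg.dnis_bypass:
        # Assumption: bypassed numbers are admitted without a RADIUS exchange.
        return True, "dnis in bypass group; preauthentication skipped"
    for el in cfg.elements:
        value = call.get(el.name)
        if value is None:
            if el.requirement == "required":
                return False, f"{el.name} required but switch did not provide it"
            continue              # if-avail with no data: element passes
        answer = radius(value, el.password)   # username = the element's string
        if answer is None:
            return False, f"RADIUS unreachable while checking {el.name}"
        if answer != "accept":
            return False, f"RADIUS rejected {el.name}={value}"
        if el.accept_stop:
            return True, f"{el.name} accepted; accept-stop ends evaluation"
    return True, "all configured elements passed"


# Constructed RADIUS preauthentication profiles: (username, password) -> answer.
PROFILES = {
    ("5551212", "cisco"): "accept",          # a permitted calling number
    ("speech", "cisco"): "accept",           # call type string from Table 13
    ("9875551000", "Cisco-DNIS"): "accept",  # dialed number, custom password
}


def make_radius(reachable: bool = True) -> RadiusFn:
    """Stand-in for the RADIUS server group used by 'group radius'."""
    def lookup(username: str, password: str) -> Optional[str]:
        if not reachable:
            return None
        return PROFILES.get((username, password), "reject")
    return lookup


# Mirrors this preauthentication configuration (order matters):
#   aaa preauth
#    group radius
#    dnis required password Cisco-DNIS
#    clid if-avail accept-stop
#    ctype required
#    dnis bypass hawaii        (dialer dnis group hawaii: 12345, 12346)
CONFIG = PreauthConfig(
    elements=[Element("dnis", "required", password="Cisco-DNIS"),
              Element("clid", "if-avail", accept_stop=True),
              Element("ctype", "required")],
    dnis_bypass={"12345", "12346"},
)
```

Two points the simulation makes visible: with `clid if-avail accept-stop`, a caller who withholds CLID is not stopped by the clid element and is instead judged by the later ctype element, whereas a caller who presents an accepted CLID skips ctype entirely; and a number in the bypass group is admitted even when the RADIUS group is unreachable, so bypass lists deserve the same review as any allow-list.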

Command Name: Mode: Syntax:

ip radius source-interface router(config)#

ip radius source-interface subinterface-name no ip radius source-interface

Syntax Description:
subinterface-name Name of the interface that RADIUS uses for all of its outgoing packets.

Command Description: To force RADIUS to use the IP address of a specified interface for all outgoing RADIUS packets, use the ip radius source-interface command in global configuration mode. To prevent RADIUS from using the IP address of a specified interface for all outgoing RADIUS packets, use the no form of this command.

Usage Guidelines: Use this command to set a subinterface's IP address to be used as the source address for all outgoing RADIUS packets. This address is used as long as the interface is in the up state. In this way, the RADIUS server can use one IP address entry for every network access client instead of maintaining a list of IP addresses. This command is especially useful in cases where the router has many interfaces and you want to ensure that all RADIUS packets from a particular router have the same IP address. The specified interface must have an IP address associated with it. If the specified subinterface does not have an IP address or is in the down state, then RADIUS reverts to the default. To avoid this, add an IP address to the subinterface or bring the interface to the up state.

Example: The following example makes RADIUS use the IP address of subinterface s2 for all outgoing RADIUS packets:
ip radius source-interface s2

Misconceptions: none

Related commands:
ip tacacs source-interface
ip telnet source-interface
ip tftp source-interface

Sample Configurations:

Command Name: radius-server attribute 188 format non-standard
Mode: router(config)#
Syntax: radius-server attribute 188 format non-standard
no radius-server attribute 188 format non-standard

Syntax Description: This command has no arguments or keywords.

Command Description: To send the number of remaining links in the multilink bundle in the accounting-request packet, use the radius-server attribute 188 format non-standard global configuration command. To disable the sending of the number of links in the multilink bundle in the accounting-request packet, use the no form of this command. Use this command to send attribute 188 in accounting "start" and "stop" records.

Example: The following example shows a configuration that sends RADIUS attribute 188 in accounting-request packets:
router(config)#radius-server attribute 188 format non-standard

Misconceptions: RADIUS attribute 188 is not sent in accounting "start" and "stop" records.

Related commands: none

Sample Configurations:

Command Name: radius-server attribute 32 include-in-access-req
Mode: router(config)#
Syntax: radius-server attribute 32 include-in-access-req [format]
no radius-server attribute 32 include-in-access-req

Syntax Description:


format (Optional) A string sent in attribute 32 containing an IP address (%i), a hostname (%h), or a domain name (%d).

Command Description: To send RADIUS attribute 32 (NAS-Identifier) in an access-request or accounting-request, use the radius-server attribute 32 include-in-access-req global configuration command. To disable sending RADIUS attribute 32, use the no form of this command.

Usage Guidelines: Using the radius-server attribute 32 include-in-access-req command makes it possible to identify the network access server (NAS) manufacturer to the RADIUS server by sending RADIUS attribute 32 (NAS-Identifier) in an access-request or accounting-request. If you configure the format argument, the string sent in attribute 32 will include an IP address, a hostname, or a domain name; otherwise, the Fully Qualified Domain Name (FQDN) is sent by default.

Example: The following example shows a configuration that sends RADIUS attribute 32 in the access-request with the format configured to identify a Cisco NAS:
router(config)#radius-server attribute 32 include-in-access-req format cisco %h.%d %i
! The following string will be sent in attribute 32 (NAS-Identifier).
"cisco router.nlab.cisco.com 10.0.1.67"

Misconceptions: none

Related commands: none

Sample Configurations:
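The format argument is a small template language, and it is easy to produce a NAS-Identifier that is ambiguous or too long for the attribute. The following Python is an added example, not Cisco IOS code and not from this reference: it renders the format string with the three escapes the syntax description lists, falls back to the FQDN when no format is configured, and rejects a result that would not fit in a RADIUS attribute (the 253-byte value limit comes from the RADIUS attribute encoding, not from this page). Passing any other text in the format through unchanged is an assumption of the example.

```python
import re
from typing import Optional

# A RADIUS attribute's one-octet length covers the 2-byte header plus the
# value, so the value itself can be at most 253 bytes.
MAX_ATTRIBUTE_VALUE_BYTES = 253

# The escapes the format argument accepts, per the syntax description.
_ESCAPE = re.compile(r"%[ihd]")


def nas_identifier(fmt: Optional[str], ip: str, hostname: str, domain: str) -> str:
    """Build the NAS-Identifier (attribute 32) string the NAS would send.

    fmt is the optional format argument. None means no format was
    configured, so the FQDN (hostname.domain) is sent, as the command
    description states. Text other than %i, %h and %d is passed through
    unchanged (an assumption of this example).
    """
    if fmt is None:
        value = f"{hostname}.{domain}"
    else:
        subst = {"%i": ip, "%h": hostname, "%d": domain}
        value = _ESCAPE.sub(lambda m: subst[m.group(0)], fmt)
    if len(value.encode("utf-8")) > MAX_ATTRIBUTE_VALUE_BYTES:
        raise ValueError("NAS-Identifier exceeds the 253-byte RADIUS attribute limit")
    return value


def fits_attribute(fmt: Optional[str], ip: str, hostname: str, domain: str) -> bool:
    """True when the rendered identifier can be carried in attribute 32."""
    try:
        nas_identifier(fmt, ip, hostname, domain)
        return True
    except ValueError:
        return False


# Constructed sample values matching the page's example output.
SAMPLE_IP, SAMPLE_HOST, SAMPLE_DOMAIN = "10.0.1.67", "router", "nlab.cisco.com"


def example_with_format() -> str:
    return nas_identifier("cisco %h.%d %i", SAMPLE_IP, SAMPLE_HOST, SAMPLE_DOMAIN)


def example_default() -> str:
    return nas_identifier(None, SAMPLE_IP, SAMPLE_HOST, SAMPLE_DOMAIN)


if __name__ == "__main__":
    print(example_with_format())  # cisco router.nlab.cisco.com 10.0.1.67
    print(example_default())      # router.nlab.cisco.com
```

On the RADIUS server side the rendered value is what ends up in logs and in any policy keyed on NAS-Identifier, so keep the format stable across a fleet: a mixed fleet where some devices send the FQDN and others send the formatted string defeats the point of identifying the NAS.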

Command Name: radius-server attribute 44 extend-with-addr
Mode: router(config)#
Syntax: radius-server attribute 44 extend-with-addr
no radius-server attribute 44 extend-with-addr

Syntax Description: This command has no arguments or keywords.

Command Description: To add the accounting IP address before the existing session ID, use the radius-server attribute 44 extend-with-addr command in global configuration mode. To remove this command from your configuration, use the no form of this command.

Usage Guidelines: The radius-server attribute 44 extend-with-addr command adds Acct-Session-Id (attribute 44) before the existing session ID (NAS-IP-Address). When multiple network access servers (NAS) are being processed by one offload server, enable this command on all NASs and the offload server to ensure a common and unique session ID.

Note: This command should be enabled only when offload servers are used.

Example: router(config)# radius-server attribute 44 extend-with-addr

Misconceptions: none

Related commands:
radius-server attribute 44 include-in-access-req
radius-server attribute 44 sync-with-client

Sample Configurations: The following example shows how to configure unique session IDs among NASs:
aaa new-model
aaa authentication ppp default group radius
radius-server host 10.100.1.34
radius-server attribute 44 extend-with-addr

Command Name: radius-server attribute 44 include-in-access-req
Mode: router(config)#
Syntax: radius-server attribute 44 include-in-access-req
no radius-server attribute 44 include-in-access-req

Syntax Description: This command has no arguments or keywords.

Command Description: To send RADIUS attribute 44 (Accounting Session ID) in access request packets before user authentication (including requests for preauthentication), use the radius-server attribute 44 include-in-access-req global configuration command. To remove this command from your configuration, use the no form of this command.

Usage Guidelines: There is no guarantee that the Accounting Session IDs will increment uniformly and consistently. In other words, between two calls, the Accounting Session ID can increase by more than one.

Example: router(config)#radius-server attribute 44 include-in-access-req

Misconceptions: none

Related commands: none

Sample Configurations: The following example shows a configuration that sends RADIUS attribute 44 in access-request packets:
aaa new-model
aaa authentication ppp default group radius
radius-server host 10.100.1.34
radius-server attribute 44 include-in-access-req

Command Name: radius-server attribute 44 sync-with-client
Mode: router(config)#
Syntax: radius-server attribute 44 sync-with-client
no radius-server attribute 44 sync-with-client

Syntax Description: This command has no arguments or keywords.

Command Description: To configure the offload server to synchronize accounting session information with the network access server (NAS) clients, use the radius-server attribute 44 sync-with-client command in global configuration mode. To disable this functionality, use the no form of this command.

Usage Guidelines: Use the radius-server attribute 44 sync-with-client command to allow the offload server to synchronize accounting session information with the NAS clients. The NAS-IP-Address, the Acct-Session-Id, and the Class attribute are transmitted from the client to the offload server via Layer 2 Forwarding (L2F) options.

Example: The following example shows how to configure the offload server to synchronize accounting session information with the NAS clients:
router(config)#radius-server attribute 44 sync-with-client

Misconceptions: none

Related commands:
radius-server attribute 44 extend-with-addr
radius-server attribute 44 include-in-access-req

Sample Configurations:

Command Name: radius-server attribute 55 include-in-acct-req
Mode: router(config)#
Syntax: radius-server attribute 55 include-in-acct-req
no radius-server attribute 55 include-in-acct-req

Syntax Description: This command has no arguments or keywords.

Command Description: To send the RADIUS attribute 55 (Event-Timestamp) in accounting packets, use the radius-server attribute 55 include-in-acct-req command in global configuration mode. To remove this command from your configuration, use the no form of this command.

Usage Guidelines: Use the radius-server attribute 55 include-in-acct-req command to send RADIUS attribute 55 (Event-Timestamp) in accounting packets. The Event-Timestamp attribute records the time that the event occurred on the NAS; the timestamp sent in attribute 55 is in seconds since January 1, 1970 00:00 UTC.

Note: Before the Event-Timestamp attribute can be sent in accounting packets, you must configure the clock on the router. (For information on setting the clock on your router, refer to the section "Performing Basic System Management" in the chapter "System Management" of the Cisco IOS Configuration Fundamentals Configuration Guide.) To avoid configuring the clock on the router every time the router is reloaded, you can enable the clock calendar-valid command. (For information on this command, refer to the chapter "Basic System Management Commands" in the Cisco IOS Configuration Fundamentals Command Reference.)

Example: The following example shows how to enable your router to send the Event-Timestamp attribute in accounting packets. (To see whether the Event-Timestamp was successfully enabled, use the debug radius command.)
router(config)#radius-server attribute 55 include-in-acct-req

Misconceptions: none

Related commands:
clock calendar-valid
clock set

Sample Configurations:
radius-server host 192.168.254.100 auth-port 1645 acct-port 1646 timeout 10 retransmit 3 key cisco
radius-server retransmit 3
radius-server attribute 44 include-in-access-req
radius-server attribute 55 include-in-acct-req
call rsvp-sync
!
mgcp profile default
!
dial-peer cor custom
!
!
gatekeeper
 shutdown
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 exec-timeout 0 0
 password cisco
!
end

Command Name: radius-server attribute 69 clear
Mode: router(config)#
Syntax: radius-server attribute 69 clear
no radius-server attribute 69 clear

Syntax Description: This command has no arguments or keywords.

Command Description: To receive nonencrypted tunnel passwords in attribute 69 (Tunnel-Password), use the radius-server attribute 69 clear global configuration command. To disable this feature and receive encrypted tunnel passwords, use the no form of this command.

Usage Guidelines: Use the radius-server attribute 69 clear command to receive nonencrypted tunnel passwords, which are sent in RADIUS attribute 69 (Tunnel-Password). This command allows tunnel passwords to be sent in a "string" encapsulated format, rather than the standard tag/salt/string format, which enables the encrypted tunnel password. Some RADIUS servers do not encrypt Tunnel-Password; however, the current NAS (network access server) implementation will decrypt a non-encrypted password, which causes authorization failures. Because nonencrypted tunnel passwords can be sent in attribute 69, the NAS will no longer decrypt tunnel passwords.

Note: Once this command is enabled, all tunnel passwords received will be nonencrypted until the command is manually disabled.

Example: The following example shows how to enable attribute 69 to receive nonencrypted tunnel passwords. (To see whether the Tunnel-Password process is successful, use the debug radius command.)
router(config)#radius-server attribute 69 clear

Misconceptions: RADIUS attribute 69 is not sent and encrypted tunnel passwords are sent.

Related commands: none

Sample Configurations:

Command Name: radius-server attribute 8 include-in-access-req
Mode: router(config)#
Syntax: radius-server attribute 8 include-in-access-req
no radius-server attribute 8 include-in-access-req

Syntax Description: This command has no arguments or keywords.

Command Description: To send the IP address of a user to the RADIUS server in the access request, use the radius-server attribute 8 include-in-access-req global configuration command. To disable sending of the user IP address to the RADIUS server during authentication, use the no form of this command.

Usage Guidelines: Using the radius-server attribute 8 include-in-access-req command makes it possible for a network access server (NAS) to provide the RADIUS server with a hint of the user IP address in advance of user authentication. An application can be run on the RADIUS server to use this hint and build a table (map) of user names and addresses. Using the mapping information, service applications can begin preparing user login information to have available upon successful user authentication. When a network device dials in to a NAS that is configured for RADIUS authentication, the NAS begins the process of contacting the RADIUS server in preparation for user authentication. Typically, the IP address of the dial-in host is not communicated to the RADIUS server until after successful user authentication. Communicating the device IP address to the server in the RADIUS access request allows other applications to begin to take advantage of that information. As the NAS is setting up communication with the RADIUS server, the NAS assigns an IP address to the dial-in host from a pool of IP addresses configured at the specific interface. The NAS sends the IP address of the dial-in host to the RADIUS server as attribute 8. At that time, the NAS sends other user information, such as the username, to the RADIUS server. After the RADIUS server receives the user information from the NAS, it has two options:

If the user profile on the RADIUS server already includes attribute 8, the RADIUS server can override the IP address sent by the NAS with the IP address defined as attribute 8 in the user profile. The address defined in the user profile is returned to the NAS.

If the user profile does not include attribute 8, the RADIUS server can accept attribute 8 from the NAS, and the same address is returned to the NAS.

The address returned by the RADIUS server is saved in memory on the NAS for the life of the session. If the NAS is configured for RADIUS accounting, the accounting start packet sent to the RADIUS server includes the same IP address as in attribute 8. All subsequent accounting packets, updates (if configured), and "stop" packets will also include the same IP address as in attribute 8.

Note: Configuring the NAS to send the host IP address in the RADIUS access request assumes that the login host is configured to request an IP address from the NAS server. It also assumes that the login host is configured to accept an IP address from the NAS. In addition, the NAS must be configured with a pool of network addresses at the interface supporting the login hosts.

Example: router(config)# radius-server attribute 8 include-in-access-req

Misconceptions: none

Related commands: none

Sample Configurations:
aaa new-model
aaa authentication login default group radius
aaa authentication ppp default group radius
aaa authorization network default group radius
aaa accounting network default start-stop group radius
!
ip address-pool local
!
interface Async1
 peer default ip address pool async1-pool
!
ip local pool async1-pool 209.165.200.225 209.165.200.229
!
radius-server host 172.31.71.146 auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server attribute 8 include-in-access-req
radius-server key radhost

Command Name: radius-server attribute list
Mode: router(config)#
Syntax: radius-server attribute list listname

Syntax Description:


listname Specifies a name for an accept or reject list.

Command Description: To define an accept or reject list name, use the radius-server attribute list command in global configuration mode.

Usage Guidelines: A user may configure an accept or reject list with a selection of attributes on the network access server (NAS) for authorization or accounting so that unwanted attributes are not accepted and processed. The radius-server attribute list command allows users to specify a name for an accept or reject list. This command is used in conjunction with the radius-server attribute 11 direction default command, which adds attributes to an accept or reject list.

Note: The listname argument must be the same as the listname argument defined in the accounting or authorization configuration command.

Example: router(config)#radius-server attribute list bad-author

Misconceptions: none

Related commands:
aaa group server radius
accounting (server-group)
radius-server attribute 11 direction default
authorization (server-group)
radius-server host

Sample Configurations: The following example shows how to configure the reject list "bad-author" for RADIUS authorization and the accept list "usage-only" for RADIUS accounting:
aaa new-model
aaa authentication ppp default group radius-sg
aaa authorization network default group radius-sg
aaa group server radius radius-sg
 server 1.1.1.1
 authorization reject bad-author
 accounting accept usage-only
!
radius-server host 1.1.1.1 key mykey1
radius-server attribute list usage-only
 attribute 1,40,42-43,46
!
radius-server attribute list bad-author
 attribute 22,27-28,56-59
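The accept and reject lists are a filter on which RADIUS attributes the NAS will act on, and the attribute sub-command's "1,40,42-43,46" syntax mixes single numbers and inclusive ranges. The Python below is an added example, not Cisco IOS code and not from this reference: it parses that list syntax and applies it to two constructed attribute sets the way the sample configuration above uses them, a reject list on authorization replies and an accept list on accounting records. The attribute contents are made up for the example; the attribute numbers follow the IETF RADIUS assignments (1 User-Name, 22 Framed-Route, 27 Session-Timeout, 28 Idle-Timeout, 40 Acct-Status-Type, 42/43 Acct-Input/Output-Octets, 44 Acct-Session-Id, 46 Acct-Session-Time).

```python
from typing import Dict, Set

Attrs = Dict[int, object]


def parse_attribute_spec(spec: str) -> Set[int]:
    """Expand an attribute list such as "1,40,42-43,46" into the set of
    RADIUS attribute numbers it names (single numbers and inclusive ranges)."""
    numbers: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            low, high = (int(x) for x in part.split("-", 1))
            if low > high:
                raise ValueError(f"descending range {part!r}")
            numbers.update(range(low, high + 1))
        else:
            numbers.add(int(part))
    if any(n < 1 or n > 255 for n in numbers):
        raise ValueError("RADIUS attribute numbers are 1..255")
    return numbers


def apply_attribute_list(attrs: Attrs, spec: str, mode: str) -> Attrs:
    """Filter attrs with an accept list (keep only listed attributes) or a
    reject list (drop listed attributes), mirroring 'accounting accept' and
    'authorization reject' in the server-group configuration."""
    listed = parse_attribute_spec(spec)
    if mode == "accept":
        return {num: val for num, val in attrs.items() if num in listed}
    if mode == "reject":
        return {num: val for num, val in attrs.items() if num not in listed}
    raise ValueError("mode must be 'accept' or 'reject'")


# Constructed sample data: attributes from an Access-Accept for a PPP user.
# 22, 27, 28, 56 and 59 fall in the page's reject list; 1, 6 and 25 do not.
SAMPLE_AUTHORIZATION: Attrs = {
    1: "alice", 6: 2, 22: "10.1.0.0/16 10.1.0.1", 27: 3600, 28: 600,
    25: b"ou=staff", 56: 1, 59: 2,
}

# Constructed sample data: an Accounting-Request. Only 1, 40, 42, 43 and 46
# are in the page's accept list, so 5, 8 and 44 are dropped.
SAMPLE_ACCOUNTING: Attrs = {
    1: "alice", 5: 7, 8: "10.1.0.5", 40: 2, 42: 123456, 43: 7890,
    44: "00000042", 46: 120,
}


def bad_author_filtered() -> Attrs:
    """Authorization reply after the 'bad-author' reject list."""
    return apply_attribute_list(SAMPLE_AUTHORIZATION, "22,27-28,56-59", "reject")


def usage_only_filtered() -> Attrs:
    """Accounting record after the 'usage-only' accept list."""
    return apply_attribute_list(SAMPLE_ACCOUNTING, "1,40,42-43,46", "accept")


if __name__ == "__main__":
    print(sorted(bad_author_filtered()))   # [1, 6, 25]
    print(sorted(usage_only_filtered()))   # [1, 40, 42, 43, 46]
```

A reject list on authorization is a least-privilege control: it stops a compromised or misconfigured RADIUS server from pushing attributes such as Framed-Route onto the NAS, and it is easy to verify offline with the helper above before the list goes into a server group.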

Command Name: radius-server attribute nas-port extended
Mode: router(config)#
Syntax:

Syntax Description:

Command Description: The radius-server attribute nas-port extended command is replaced by the radius-server attribute nas-port format command. See the description of the radius-server attribute nas-port format command in this chapter for more information.

Example:

Misconceptions:

Related commands:

Sample Configurations:

Command Name: radius-server attribute nas-port format
Mode: router(config)#
Syntax: radius-server attribute nas-port format format
no radius-server attribute nas-port format format

Syntax Description:
format NAS-Port format. Possible values for the format argument are as follows:
a: Standard NAS-Port format
b: Extended NAS-Port format
c: Shelf-slot NAS-Port format
d: PPP extended NAS-Port format

Command Description: To select the NAS-Port format used for RADIUS accounting features, and to restore the default NAS-Port format, use the radius-server attribute nas-port format global configuration command. If the no form of this command is used, attribute 5 (NAS-Port) will no longer be sent to the RADIUS server.

Usage Guidelines: The radius-server attribute nas-port format command configures RADIUS to change the size and format of the NAS-Port attribute field (RADIUS IETF attribute 5). The following NAS-Port formats are supported:

Standard NAS-Port format: This 16-bit NAS-Port format indicates the type, port, and channel of the controlling interface. This is the default format used by Cisco IOS software.

Extended NAS-Port format: The standard NAS-Port attribute field is expanded to 32 bits. The upper 16 bits of the NAS-Port attribute display the type and number of the controlling interface; the lower 16 bits indicate the interface that is undergoing authentication.

Shelf-slot NAS-Port format: This 16-bit NAS-Port format supports expanded hardware models requiring shelf and slot entries.

PPP extended NAS-Port format: This NAS-Port format uses 32 bits to indicate the interface, VPI, and VCI for PPP over ATM and PPPoE over ATM, and the interface and VLAN ID for PPPoE over IEEE 802.1Q VLANs.

Example: In the following example, a RADIUS server is identified, and the NAS-Port field is set to the PPP extended format:
router(config)#radius-server host 172.31.5.96 auth-port 1645 acct-port 1646
router(config)#radius-server attribute nas-port format d

Misconceptions: none

Related commands:
vpdn aaa attribute nas-port vpdn-nas

Sample Configurations:
ip radius source-interface Ethernet0/0/0
!
radius-server configure-nas
radius-server host 192.168.2.50 auth-port 1812 acct-port 1813
radius-server retransmit 3
radius-server timeout 60
radius-server deadtime 2
radius-server attribute 25 nas-port format d
radius-server attribute nas-port format d
radius-server key cisco
radius-server vsa send accounting
radius-server vsa send authentication

Command Name: radius-server challenge-noecho
Mode: router(config)#
Syntax: radius-server challenge-noecho
no radius-server challenge-noecho

Syntax Description: This command has no arguments or keywords.

Command Description: To prevent user responses to Access-Challenge packets from being displayed on the screen, use the radius-server challenge-noecho global configuration command. To return to the default condition, use the no form of this command.

Usage Guidelines: This command applies to all users. When the radius-server challenge-noecho command is configured, user responses to Access-Challenge packets are not displayed unless the Prompt attribute in the user profile is set to echo on the RADIUS server. The Prompt attribute in a user profile overrides the radius-server challenge-noecho command for the individual user.

Example: The following example stops all user responses from displaying on the screen:
router(config)#radius-server challenge-noecho

Misconceptions: none

Related commands: none

Sample Configurations:

Command Name: radius-server configure-nas
Mode: router(config)#
Syntax: radius-server configure-nas
no radius-server configure-nas

Syntax Description: This command has no arguments or keywords.

Command Description: To have the Cisco router or access server query the vendor-proprietary RADIUS server for the static routes and IP pool definitions used throughout its domain when the device starts up, use the radius-server configure-nas command in global configuration mode. To discontinue the query of the RADIUS server, use the no form of this command.

Usage Guidelines: Use the radius-server configure-nas command to have the Cisco router query the vendor-proprietary RADIUS server for static routes and IP pool definitions when the router first starts up. Some vendor-proprietary implementations of RADIUS let the user define static routes and IP pool definitions on the RADIUS server instead of on each individual network access server in the network. As each network access server starts up, it queries the RADIUS server for static route and IP pool information. This command enables the Cisco router to obtain static routes and IP pool definition information from the RADIUS server.

Note: Because the radius-server configure-nas command is performed when the Cisco router starts up, it will not take effect until you issue a copy system:running-config nvram:startup-config command.

Example: The following example shows how to tell the Cisco router or access server to query the vendor-proprietary RADIUS server for already-defined static routes and IP pool definitions when the device first starts up:
router(config)#radius-server configure-nas

Misconceptions: none

Related commands:
radius-server host non-standard

Sample Configurations:
ip radius source-interface Ethernet0/0/0
!
radius-server configure-nas
radius-server host 192.168.2.50 auth-port 1812 acct-port 1813
radius-server retransmit 3
radius-server timeout 60
radius-server deadtime 2
radius-server attribute 25 nas-port format d
radius-server attribute nas-port format d
radius-server key cisco
radius-server vsa send accounting
radius-server vsa send authentication

Command Name: radius-server deadtime
Mode: router(config)#
Syntax: radius-server deadtime minutes
no radius-server deadtime

Syntax Description:


minutes Length of time, in minutes, for which a RADIUS server is skipped over by transaction requests, up to a maximum of 1440 minutes (24 hours).

Command Description: To improve RADIUS response times when some servers might be unavailable, use the radius-server deadtime command in global configuration mode to cause the unavailable servers to be skipped immediately. To set dead-time to 0, use the no form of this command.

Usage Guidelines: Use this command to cause the Cisco IOS software to mark as "dead" any RADIUS servers that fail to respond to authentication requests, thus avoiding the wait for the request to time out before trying the next configured server. A RADIUS server marked as "dead" is skipped by additional requests for the duration of minutes or unless there are no servers not marked "dead."

Example: The following example specifies five minutes deadtime for RADIUS servers that fail to respond to authentication requests:
router(config)#radius-server deadtime 5

Misconceptions: none

Related commands:
deadtime (server-group configuration)
radius-server host
radius-server retransmit
radius-server timeout

Sample Configurations:
ip radius source-interface Ethernet0/0/0
!
radius-server configure-nas
radius-server host 192.168.2.50 auth-port 1812 acct-port 1813
radius-server retransmit 3
radius-server timeout 60
radius-server deadtime 2
radius-server attribute 25 nas-port format d
radius-server attribute nas-port format d
radius-server key cisco
radius-server vsa send accounting
radius-server vsa send authentication
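The deadtime rule has three parts that interact: servers are tried in configured order, a server that stopped answering is skipped until its deadtime expires, and when every server is dead the full list is tried anyway rather than failing every login. The Python below is an added example, not Cisco IOS code and not from this reference; it models that selection logic with an injectable clock so the timing can be exercised without waiting, and the server names and the scenario in simulate() are constructed. How IOS decides that a server "failed to respond" (the retransmit and timeout settings) is outside this model: mark_dead() stands in for that decision.

```python
from dataclasses import dataclass
from typing import Callable, List

MAX_DEADTIME_MINUTES = 1440  # the command's upper bound (24 hours)


@dataclass
class RadiusServer:
    name: str
    dead_until: float = 0.0  # clock value until which the server is skipped


class DeadtimeSelector:
    """Orders RADIUS servers as the deadtime guidelines describe: configured
    order, dead servers skipped until their deadtime expires, and the whole
    list tried when nothing is left alive."""

    def __init__(self, servers: List[RadiusServer], deadtime_minutes: int,
                 clock: Callable[[], float]):
        if not 0 <= deadtime_minutes <= MAX_DEADTIME_MINUTES:
            raise ValueError("deadtime must be 0..1440 minutes")
        self.servers = list(servers)
        self.deadtime_seconds = deadtime_minutes * 60
        self.clock = clock

    def is_dead(self, server: RadiusServer) -> bool:
        return server.dead_until > self.clock()

    def candidates(self) -> List[str]:
        """Servers a new request will try, in order."""
        live = [s.name for s in self.servers if not self.is_dead(s)]
        return live if live else [s.name for s in self.servers]

    def mark_dead(self, server: RadiusServer) -> None:
        """Called once retransmits to this server were exhausted."""
        if self.deadtime_seconds > 0:  # deadtime 0 (the no form) disables skipping
            server.dead_until = self.clock() + self.deadtime_seconds


def simulate(deadtime_minutes: int) -> List[List[str]]:
    """Walk one constructed scenario and return the candidate order at each step."""
    now = [0.0]  # fake clock, in seconds
    servers = [RadiusServer("radius-a"), RadiusServer("radius-b"), RadiusServer("radius-c")]
    sel = DeadtimeSelector(servers, deadtime_minutes, clock=lambda: now[0])
    trace = [sel.candidates()]           # step 1: everything live
    sel.mark_dead(servers[0])            # radius-a stopped answering
    trace.append(sel.candidates())       # step 2: radius-a skipped (if deadtime > 0)
    now[0] += deadtime_minutes * 60      # the deadtime elapses
    trace.append(sel.candidates())       # step 3: radius-a is eligible again
    for s in servers:
        sel.mark_dead(s)                 # every server stopped answering
    trace.append(sel.candidates())       # step 4: all dead, so all are tried in order
    return trace


if __name__ == "__main__":
    for step in simulate(5):
        print(step)
```

Two operational consequences fall out of the model: with deadtime 0 every request pays the full timeout on a failed primary before moving on, and with any positive deadtime a primary that flaps will quietly shift authentication load to the secondaries for that many minutes, which is worth alarming on from the accounting or syslog side.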

Command Name: radius-server directed-request
Mode: router(config)#
Syntax: radius-server directed-request [restricted]
no radius-server directed-request [restricted]

Syntax Description:
restricted (Optional) Prevents the user from being sent to a secondary server if the specified server is not available.

Command Description: To allow users logging into a Cisco network access server (NAS) to select a RADIUS server for authentication, use the radius-server directed-request global configuration command. To disable the directed-request feature, use the no form of this command.

Usage Guidelines: The radius-server directed-request command sends only the portion of the username before the "@" symbol to the host specified after the "@" symbol. In other words, with this command enabled, you can direct a request to any of the configured servers, and only the username is sent to the specified server. Disabling the radius-server directed-request command causes the whole string, both before and after the "@" symbol, to be sent to the default RADIUS server. The router queries the list of servers, starting with the first one in the list. It sends the whole string, and accepts the first response that it gets from the server. Use the radius-server directed-request restricted command to limit the user to the RADIUS server identified as part of the username. The no radius-server directed-request command causes the entire username string to be passed to the default RADIUS server.

Example: router(config)#radius-server directed-request

Misconceptions:

none

Related commands: none

Sample Configurations: The following example verifies that the RADIUS server is selected based on the directed request:
aaa new-model
aaa authentication login default radius
radius-server host 192.168.1.1
radius-server host 172.16.56.103
radius-server host 172.31.40.1
radius-server directed-request
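With directed requests the login string itself chooses which server authenticates the user, so it helps to see the three behaviours (disabled, enabled, enabled with restricted) side by side. The Python below is an added example, not Cisco IOS code and not from this reference: route_login() returns the server an Access-Request would go to and the User-Name it would carry, using the three servers from the sample configuration above. Two points are assumptions of the example rather than statements on the page: the string is split at the last "@", and a host that is not in the configured list is rejected outright rather than silently sent to the default list.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# The three servers configured in the sample configuration above.
CONFIGURED_SERVERS: List[str] = ["192.168.1.1", "172.16.56.103", "172.31.40.1"]


@dataclass(frozen=True)
class Outgoing:
    server: str     # the RADIUS server the Access-Request is sent to
    user_name: str  # the User-Name value placed in the request


def route_login(login: str, configured: List[str], unavailable: Set[str],
                directed_request: bool, restricted: bool = False) -> Optional[Outgoing]:
    """Decide where a login string goes under the command's three settings.
    unavailable is the set of servers currently not responding. Returns None
    when no usable server is left."""
    if not configured:
        raise ValueError("no RADIUS servers configured")
    live = [s for s in configured if s not in unavailable]

    # Feature disabled (or no '@' in the name): the whole string goes to the
    # default server list, first responding server in configured order.
    if not directed_request or "@" not in login:
        return Outgoing(live[0], login) if live else None

    user, _, host = login.rpartition("@")  # assumption: split at the last '@'
    if host not in configured:
        # Only configured servers can be selected. Treating an unknown host
        # as an error is an assumption of this example, not stated on the page.
        raise ValueError(f"{host!r} is not a configured RADIUS server")
    if host not in unavailable:
        return Outgoing(host, user)          # username only, to the named server
    if restricted:
        return None                          # restricted: never a secondary server
    # Not restricted: fall through to another live server with the bare
    # username (which string is sent here is an assumption of the example).
    secondary = [s for s in live if s != host]
    return Outgoing(secondary[0], user) if secondary else None


if __name__ == "__main__":
    login = "alice@172.16.56.103"
    print(route_login(login, CONFIGURED_SERVERS, set(), directed_request=False))
    print(route_login(login, CONFIGURED_SERVERS, set(), directed_request=True))
    print(route_login(login, CONFIGURED_SERVERS, {"172.16.56.103"}, True, restricted=True))
```

The model makes the trust boundary visible: the user-supplied suffix can only ever name a server the administrator configured, and restricted additionally guarantees that the credential never reaches any other server, at the cost of a failed login when that server is down.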

Command Name: radius-server extended-portnames
Mode: router(config)#
Syntax:

Syntax Description:

Command Description: The radius-server extended-portnames command is replaced by the radius-server attribute nas-port format command. See the description of the radius-server attribute nas-port format command.

Example:

Misconceptions:

Related commands:

Sample Configurations:

Command Name: radius-server host non-standard
Mode: router(config)#
Syntax: radius-server host {hostname | ip-address} non-standard
no radius-server host {hostname | ip-address} non-standard

Syntax Description:
hostname DNS name of the RADIUS server host.
ip-address IP address of the RADIUS server host.

Command Description: To identify that the security server is using a vendor-proprietary implementation of RADIUS, use the radius-server host non-standard command in global configuration mode. This command tells the Cisco IOS software to support nonstandard RADIUS attributes. To delete the specified vendor-proprietary RADIUS host, use the no form of this command.

Usage Guidelines: The radius-server host non-standard command enables you to identify that the RADIUS server is using a vendor-proprietary implementation of RADIUS. Although an IETF draft standard for RADIUS specifies a method for communicating information between the network access server and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. This command enables the Cisco IOS software to support the most common vendor-proprietary RADIUS attributes. Vendor-proprietary attributes will not be supported unless you use the radius-server host non-standard command.

Example: The following example specifies a vendor-proprietary RADIUS server host named alcatraz:
router(config)#radius-server host alcatraz non-standard

Misconceptions: none

Related commands:
radius-server configure-nas
radius-server host

Sample Configurations:

Command Name: radius-server host
Mode: router(config)#
Syntax: radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string] [alias {hostname | ip-address}]
no radius-server host {hostname | ip-address}

Syntax Description:
hostname Domain Name System (DNS) name of the RADIUS server host.
ip-address IP address of the RADIUS server host.
auth-port (Optional) Specifies the UDP destination port for authentication requests.
port-number (Optional) Port number for authentication requests; the host is not used for authentication if set to 0. If unspecified, the port number defaults to 1645.
acct-port (Optional) Specifies the UDP destination port for accounting requests.
port-number (Optional) Port number for accounting requests; the host is not used for accounting if set to 0. If unspecified, the port number defaults to 1646.
timeout (Optional) The time interval (in seconds) that the router waits for the RADIUS server to reply before retransmitting. This setting overrides the global value of the radius-server timeout command. If no timeout value is specified, the global value is used. Enter a value in the range 1 to 1000.
seconds (Optional) Specifies the timeout value. Enter a value in the range 1 to 1000. If no timeout value is specified, the global value is used.
retransmit (Optional) The number of times a RADIUS request is re-sent to a server, if that server is not responding or responding slowly. This setting overrides the global setting of the radius-server retransmit command.
retries (Optional) Specifies the retransmit value. Enter a value in the range 1 to 100. If no retransmit value is specified, the global value is used.
key (Optional) Specifies the authentication and encryption key used between the router and the RADIUS daemon running on this RADIUS server. This key overrides the global setting of the radius-server key command. If no key string is specified, the global value is used. The key is a text string that must match the encryption key used on the RADIUS server. Always configure the key as the last item in the radius-server host command syntax. This is because the leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in the key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.
string (Optional) Specifies the authentication and encryption key for all RADIUS communications between the router and the RADIUS server. This key must match the encryption used on the RADIUS daemon. All leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.
alias (Optional) Allows up to eight aliases per line for any given RADIUS server.

Command Description: To specify a RADIUS server host, use the radius-server host command in global configuration mode. To delete the specified RADIUS host, use the no form of this command. Usage Guidelines You can use multiple radius-server host commands to specify multiple hosts. The software searches for hosts in the order in which you specify them. If no host-specific timeout, retransmit, or key values are specified, the global values apply to each host. Example: The following example specifies host1 as the RADIUS server and uses default ports for both accounting and authentication: router(config)#radius-server host host1

The following example specifies port 1612 as the destination port for authentication requests and port 1616 as the destination port for accounting requests on the RADIUS host named host1: router(config)#radius-server host host1 auth-port 1612 acct-port 1616 Because entering a line resets all the port numbers, you must specify a host and configure accounting and authentication ports on a single line. The following example specifies the host with IP address 172.29.39.46 as the RADIUS server, uses ports 1612 and 1616 as the authorization and accounting ports, sets the timeout value to 6, sets the retransmit value to 5, and sets "rad123" as the encryption key, matching the key on the RADIUS server: router(config)#radius-server host 172.29.39.46 auth-port 1612 acct-port 1616 timeout 6 retransmit 5 key rad123 To use separate servers for accounting and authentication, use the zero port value as appropriate. The following example specifies that RADIUS server host1 be used for accounting but not for authentication, and that RADIUS server host2 be used for authentication but not for accounting: router(config)#radius-server host host1.example.com auth-port 0 router(config)#radius-server host host2.example.com acct-port 0 The following example specifies four aliases on the RADIUS server with IP address 172.1.1.1: router(config)#radius-server host 172.1.1.1 acct-port 1645 authport 1646 router(config)#radius-server host 172.1.1.1 alias 172.16.2.1 172.17.3.1 172.16.4.1 Misconceptions: none Related commands: aaa accounting aaa authentication ppp aaa authorization ppp ppp authentication radius-server key radius-server retransmit radius-server timeout username

Sample Configurations: The following example shows how to configure the NAS to send static route download requests to the servers specified by the method list named "foo":
aaa new-model
aaa group server radius rad1
 server 2.2.2.2 auth-port 1645 acct-port 1646
!
aaa group server tacacs+ tac1
 server 3.3.3.3
!
aaa authorization configuration default group radius
aaa authorization configuration foo group rad1 group tac1
aaa route download 1 authorization foo
tacacs-server host 3.3.3.3
tacacs-server key cisco
tacacs-server administration
!
radius-server host 2.2.2.2 auth-port 1645 acct-port 1646
radius-server key cisco

Command Name: radius-server key
Mode: router(config)#
Syntax:
radius-server key {0 string | 7 string | string}
no radius-server key

Syntax Description:
0 string    Specifies that an unencrypted key will follow. The unencrypted (cleartext) shared key.
7 string    Specifies that a hidden key will follow. The hidden shared key.
string      The unencrypted (cleartext) shared key.

Command Description: To set the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon, use the radius-server key command in global configuration mode. To disable the key, use the no form of this command.

Usage Guidelines: After enabling authentication, authorization, and accounting (AAA) authentication with the aaa new-model command, you must set the authentication and encryption key using the radius-server key command.

Note: Specify a RADIUS key after you issue the aaa new-model command.

The key entered must match the key used on the RADIUS daemon. All leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.

Example: The following example sets the authentication and encryption key to "dare to go":
router(config)#radius-server key dare to go

The following example sets the authentication and encryption key to "anykey." The 7 specifies that a hidden key will follow.
router(config)#service password-encryption
router(config)#radius-server key 7 anykey

After you save your configuration and use the show running-config command, an encrypted key will be displayed as follows:
show running-config
!
!
radius-server key 7 19283103834782sda
!The leading 7 indicates that the following text is encrypted.

Misconceptions: none

Related commands: aaa accounting, aaa authentication ppp, ppp, ppp authentication, radius-server host, service password-encryption, username

Sample Configurations: The following example shows how to configure the NAS to send static route download requests to the servers specified by the method list named "foo":
aaa new-model
aaa group server radius rad1
 server 2.2.2.2 auth-port 1645 acct-port 1646
!
aaa group server tacacs+ tac1
 server 3.3.3.3
!
aaa authorization configuration default group radius
aaa authorization configuration foo group rad1 group tac1
aaa route download 1 authorization foo
tacacs-server host 3.3.3.3
tacacs-server key cisco
tacacs-server administration
!
radius-server host 2.2.2.2 auth-port 1645 acct-port 1646
radius-server key cisco

Command Name: radius-server optional-passwords
Mode: router(config)#
Syntax:
radius-server optional-passwords
no radius-server optional-passwords

Syntax Description: This command has no arguments or keywords.

Command Description: To specify that the first RADIUS request to a RADIUS server be made without password verification, use the radius-server optional-passwords command in global configuration mode. To restore the default, use the no form of this command.

Usage Guidelines: When the user enters the login name, the login request is transmitted with the name and a zero-length password. If accepted, the login procedure completes. If the RADIUS server refuses this request, the server software prompts for a password and tries again when the user supplies a password. The RADIUS server must support authentication for users without passwords to make use of this feature.

Example: The following example configures the first login to not require RADIUS verification:
router(config)#radius-server optional-passwords

Misconceptions: none

Related commands: none

Sample Configurations:

Command Name: radius-server retransmit
Mode: router(config)#
Syntax:
radius-server retransmit retries
no radius-server retransmit

Syntax Description:
retries    Maximum number of retransmission attempts. The default is 3 attempts.

Command Description: To specify the number of times the Cisco IOS software searches the list of RADIUS server hosts before giving up, use the radius-server retransmit command in global configuration mode. To disable retransmission, use the no form of this command. The Cisco IOS software tries all servers, allowing each one to time out before increasing the retransmit count.

Example: The following example specifies a retransmit counter value of five times:
router(config)#radius-server retransmit 5

Misconceptions: none

Related commands: none

Sample Configurations: The following example shows a NAS configuration that sends the IP address of the dial-in host to the RADIUS server in the RADIUS access request. The NAS is configured for RADIUS authentication, authorization, and accounting (AAA). A pool of IP addresses (async1-pool) has been configured and applied at interface Async1.
aaa new-model
aaa authentication login default group radius
aaa authentication ppp default group radius
aaa authorization network default group radius
aaa accounting network default start-stop group radius
!
ip address-pool local
!
interface Async1
 peer default ip address pool async1-pool
!
ip local pool async1-pool 209.165.200.225 209.165.200.229
!
radius-server host 172.31.71.146 auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server attribute 8 include-in-access-req
radius-server key radhost

Command Name: radius-server timeout
Mode: router(config)#
Syntax:
radius-server timeout seconds
no radius-server timeout

Syntax Description:
seconds    Number that specifies the timeout interval, in seconds. The default is 5 seconds.

Command Description: To set the interval for which a router waits for a server host to reply, use the radius-server timeout command in global configuration mode. To restore the default, use the no form of this command.

Example: The following example changes the interval timer to 10 seconds:
router(config)#radius-server timeout 10

Misconceptions: none

Related commands: radius-server host, radius-server key

Sample Configurations:
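The radius-server host, radius-server retransmit and radius-server timeout entries above describe one resolution rule between them: hosts are tried in the order entered, per-host timeout, retransmit and key values override the global ones, a host line resets the port numbers, and a port of 0 removes a host from that service. The following added example (not IOS code) implements that rule over a constructed configuration and reports the effective per-host settings, the ordered server list for each service, and the worst-case wait before AAA gives up when every server is silent. The default UDP ports 1645/1646 are an assumption taken from the sample configurations in this reference, and the wait arithmetic (one transmission plus `retransmit` retries per host) is an assumption the reference does not spell out.

```python
"""Resolve effective per-host RADIUS settings from IOS-style configuration.

Added example, not IOS code. Models the rules stated for radius-server host,
radius-server timeout and radius-server retransmit. DEFAULT_AUTH_PORT and
DEFAULT_ACCT_PORT are assumptions taken from the reference's sample configs.
"""
from dataclasses import dataclass, field
from typing import List, Optional

DEFAULT_TIMEOUT = 5         # radius-server timeout default, per the reference
DEFAULT_RETRANSMIT = 3      # radius-server retransmit default, per the reference
DEFAULT_AUTH_PORT = 1645    # assumption: ports used in the reference's samples
DEFAULT_ACCT_PORT = 1646


@dataclass
class RadiusHost:
    name: str
    auth_port: int
    acct_port: int
    timeout: int
    retransmit: int
    key: Optional[str]
    aliases: List[str] = field(default_factory=list)


def _parse_key(rest: str) -> str:
    # Leading spaces are ignored; spaces within and at the end of the key count.
    key = rest.lstrip(" ")
    if key.startswith("0 "):            # "0 string" form: explicit cleartext key
        key = key[2:]
    return key


def resolve(config_lines: List[str]) -> List[RadiusHost]:
    """RADIUS hosts in configured order with their effective settings."""
    g_timeout, g_retransmit, g_key = DEFAULT_TIMEOUT, DEFAULT_RETRANSMIT, None
    host_lines = []
    for raw in config_lines:            # pass 1: globals may come after host lines
        line = raw.lstrip()
        if line.startswith("radius-server timeout "):
            g_timeout = int(line.split()[2])
        elif line.startswith("radius-server retransmit "):
            g_retransmit = int(line.split()[2])
        elif line.startswith("radius-server key "):
            g_key = _parse_key(line[len("radius-server key "):])
        elif line.startswith("radius-server host "):
            host_lines.append(line)
    hosts = []
    for line in host_lines:             # pass 2: per-host overrides
        key = g_key
        if " key " in line:             # the key is the remainder of the line
            line, key_part = line.split(" key ", 1)
            key = _parse_key(key_part)
        tokens = line.split()           # radius-server host <name> [options]
        name, opts = tokens[2], tokens[3:]
        settings = {"auth-port": DEFAULT_AUTH_PORT, "acct-port": DEFAULT_ACCT_PORT,
                    "timeout": g_timeout, "retransmit": g_retransmit}  # each line resets ports
        aliases, i = [], 0
        while i < len(opts):
            if opts[i] == "non-standard":       # flag keyword without a value
                i += 1
            elif opts[i] == "alias":            # every remaining token is an alias
                aliases, i = opts[i + 1:], len(opts)
            elif opts[i] in settings and i + 1 < len(opts):
                settings[opts[i]] = int(opts[i + 1])
                i += 2
            else:
                raise ValueError(f"cannot parse {opts[i]!r} in: {line}")
        hosts.append(RadiusHost(name, settings["auth-port"], settings["acct-port"],
                                settings["timeout"], settings["retransmit"], key, aliases))
    return hosts


def auth_servers(hosts: List[RadiusHost]) -> List[RadiusHost]:
    """Hosts eligible for authentication (auth-port 0 excludes a host)."""
    return [h for h in hosts if h.auth_port != 0]


def acct_servers(hosts: List[RadiusHost]) -> List[RadiusHost]:
    """Hosts eligible for accounting (acct-port 0 excludes a host)."""
    return [h for h in hosts if h.acct_port != 0]


def worst_case_seconds(hosts: List[RadiusHost]) -> int:
    """Seconds before AAA gives up when every listed host stays silent.
    Assumption: one transmission plus `retransmit` retries per host, each waiting
    that host's timeout; the reference does not state the exact arithmetic."""
    return sum(h.timeout * (h.retransmit + 1) for h in hosts)


# Constructed configuration; 10.0.0.9 is a sample address, "dare to go" the reference's key.
CONFIG = """\
aaa new-model
radius-server host host1.example.com auth-port 0
radius-server host host2.example.com acct-port 0
radius-server host 172.29.39.46 auth-port 1612 acct-port 1616 timeout 6 retransmit 5 key rad123
radius-server host 10.0.0.9 key   dare to go
radius-server timeout 10
radius-server retransmit 2
radius-server key 0 global secret
"""

if __name__ == "__main__":
    resolved = resolve(CONFIG.splitlines())
    for h in resolved:
        print(h)
    print("auth order:", [h.name for h in auth_servers(resolved)])
    print("worst-case auth wait (s):", worst_case_seconds(auth_servers(resolved)))
```

With the globals set to timeout 10 and retransmit 2, the two hosts without per-host values inherit them, 172.29.39.46 keeps its own 6/5, host1 drops out of the authentication list and host2 out of the accounting list. The worst-case figure is what a login attempt waits when all RADIUS servers are unreachable, which is the number to check against the aaa authentication fallback method you expect to kick in.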

Command Name: radius-server unique-ident
Mode: router(config)#
Syntax:
radius-server unique-ident number
no radius-server unique-ident number+1

Syntax Description:
number    Acct-Session-Id string

Command Description: To assign a unique accounting session identification (Acct-Session-Id), use the radius-server unique-ident command in global configuration mode. To disable this command, use the no form of this command.

Usage Guidelines: Use the radius-server unique-ident command to ensure that RADIUS Acct-Session-IDs are unique across Cisco IOS boots. After the router parses this command, radius-server unique-ident n+1 is written to RAM; thereafter, the Acct-Session-ID attribute will have its higher order eight bits set to n+1 in all accounting records. After the router is reloaded, it will parse the radius-server unique-ident n+1 command, and radius-server unique-ident n+2 will be written to NVRAM. Thus, the Cisco IOS configuration is automatically written to NVRAM after the router reboots.

Note: radius-server unique-ident 255 has the same functionality as radius-server unique-ident 0; thus, radius-server unique-ident 1 is written to NVRAM when either number (255 or 0) is used.

Example: The following example shows how to define the Acct-Session-Id to 1. In this example, the Acct-Session-ID begins as "acct-session-id = 01000008," but after enabling this command and rebooting the router, the Acct-Session-ID becomes "acct-session-id = 02000008" because the value increments by one and is updated in the system configuration.
router(config)#radius-server unique-ident 1

Misconceptions: none

Related commands: none

Sample Configurations:
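The following added example (not IOS code) models the behaviour described above: the unique-ident value occupies the high-order eight bits of the Acct-Session-Id, each parse of the command stores n+1 (with 255 and 0 both leading to 1), and the low 24 bits are treated here as a per-boot session counter, which is an assumption that matches the "000008" digits in the reference's example. The last function shows the caveat a practitioner would want: an eight-bit field means identifiers start repeating after 255 reboots, so accounting data retained longer than that cannot rely on Acct-Session-Id alone.

```python
"""Model the Acct-Session-Id behaviour of radius-server unique-ident.

Added example, not IOS code. The high byte of the Acct-Session-Id carries the
unique-ident value; the low 24 bits are modelled as a per-boot counter
(an assumption consistent with the reference's "01000008" example).
"""
from typing import List, Tuple


def next_ident(n: int) -> int:
    """Value written back to the configuration after 'radius-server unique-ident n' is parsed."""
    if not 0 <= n <= 255:
        raise ValueError("unique-ident takes a value from 0 to 255")
    return 1 if n in (0, 255) else n + 1


def acct_session_id(ident: int, counter: int) -> str:
    """Eight-hex-digit Acct-Session-Id: ident in the top byte, counter in the low 24 bits."""
    if not 0 <= ident <= 255 or not 0 <= counter < (1 << 24):
        raise ValueError("ident must fit in 8 bits and counter in 24 bits")
    return f"{(ident << 24) | counter:08X}"


def simulate_boots(configured: int, boots: int, sessions_per_boot: int = 8) -> Tuple[str, List[str]]:
    """Parse the stored line once per boot; return the final line and every id issued."""
    ids: List[str] = []
    ident = configured
    for _ in range(boots):
        ident = next_ident(ident)                 # n+1 stored, and used in this boot's records
        ids.extend(acct_session_id(ident, n) for n in range(1, sessions_per_boot + 1))
    return f"radius-server unique-ident {ident}", ids


def boots_until_repeat(configured: int, sessions_per_boot: int = 8) -> int:
    """Number of boots after which an Acct-Session-Id value is reissued (the 8-bit field wraps)."""
    seen = set()
    ident, boot = configured, 0
    while True:
        boot += 1
        ident = next_ident(ident)
        for n in range(1, sessions_per_boot + 1):
            sid = acct_session_id(ident, n)
            if sid in seen:
                return boot
            seen.add(sid)


if __name__ == "__main__":
    line, ids = simulate_boots(1, 2)
    print(line, ids[7], ids[15])                  # unique-ident 3, 02000008, 03000008
    print("boots until an id repeats:", boots_until_repeat(1))
```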

Command Name: radius-server vsa send
Mode: router(config)#
Syntax:
radius-server vsa send [accounting | authentication]
no radius-server vsa send [accounting | authentication]

Syntax Description:
accounting        (Optional) Limits the set of recognized vendor-specific attributes to only accounting attributes.
authentication    (Optional) Limits the set of recognized vendor-specific attributes to only authentication attributes.

Command Description: To configure the network access server to recognize and use vendor-specific attributes, use the radius-server vsa send command in global configuration mode. To restore the default, use the no form of this command.

Usage Guidelines: The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific information between the network access server and the RADIUS server by using the vendor-specific attribute (attribute 26). Vendor-specific attributes (VSAs) allow vendors to support their own extended attributes not suitable for general use. The radius-server vsa send command enables the network access server to recognize and use both accounting and authentication vendor-specific attributes. Use the accounting keyword with the radius-server vsa send command to limit the set of recognized vendor-specific attributes to just accounting attributes. Use the authentication keyword with the radius-server vsa send command to limit the set of recognized vendor-specific attributes to just authentication attributes.

The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. Cisco's vendor-ID is 9, and the supported option has vendor-type 1, which is named "cisco-avpair." The value is a string with the following format:
protocol : attribute sep value *

"Protocol" is a value of the Cisco "protocol" attribute for a particular type of authorization. "Attribute" and "value" are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and "sep" is "=" for mandatory attributes and "*" for optional attributes. This allows the full set of features available for TACACS+ authorization to also be used for RADIUS. For example, the following AV pair causes Cisco's "multiple named ip address pools" feature to be activated during IP authorization (during PPP's IPCP address assignment):
cisco-avpair= "ip:addr-pool=first"

The following example causes a "NAS Prompt" user to have immediate access to EXEC commands.
cisco-avpair= "shell:priv-lvl=15"

Other vendors have their own unique vendor-IDs, options, and associated VSAs. For more information about vendor-IDs and VSAs, refer to RFC 2138, Remote Authentication Dial-In User Service (RADIUS).

Example: The following example configures the network access server to recognize and use vendor-specific accounting attributes:
router(config)#radius-server vsa send accounting

Misconceptions: none

Related commands: aaa nas port extended

Sample Configurations:
radius-server host 10.6.20.60 auth-port 1708 acct-port 1709
radius-server host 10.6.20.60 auth-port 1704 acct-port 1705
radius-server host 10.6.20.60 auth-port 1698 acct-port 1699
radius-server host 10.6.43.255 auth-port 1645 acct-port 1646
radius-server host 10.6.37.10 auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server key cisco
radius-server vsa send accounting
radius-server vsa send authentication
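To make the attribute 26 layout and the "protocol:attribute sep value" string concrete, the following added example (not IOS code) encodes cisco-avpair strings into RADIUS vendor-specific attributes with Vendor-Id 9 and vendor-type 1, then walks a constructed attribute list back out, skipping a plain attribute and another vendor's VSA on the way. The split on the first "=" or "*" decides whether a pair is mandatory or optional; the "lcp:interface-config" value and the foreign VSA bytes are sample data made up for the example.

```python
"""Build and parse Cisco vendor-specific attributes (RADIUS attribute 26).

Added example, not IOS code. Vendor-Id 9, vendor-type 1 (cisco-avpair), value
"protocol:attribute sep value" with "=" mandatory and "*" optional, as the
reference describes. All packet bytes are constructed for this example.
"""
import struct
from typing import List, NamedTuple

VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1


class AVPair(NamedTuple):
    protocol: str
    attribute: str
    value: str
    mandatory: bool


def parse_avpair(text: str) -> AVPair:
    """'ip:addr-pool=first' -> AVPair('ip', 'addr-pool', 'first', True)."""
    protocol, colon, rest = text.partition(":")
    if not colon or not protocol:
        raise ValueError(f"missing protocol prefix in {text!r}")
    positions = [i for i in (rest.find("="), rest.find("*")) if i >= 0]
    if not positions or min(positions) == 0:
        raise ValueError(f"missing attribute or separator in {text!r}")
    pos = min(positions)                          # first separator wins
    return AVPair(protocol, rest[:pos], rest[pos + 1:], rest[pos] == "=")


def format_avpair(pair: AVPair) -> str:
    return f"{pair.protocol}:{pair.attribute}{'=' if pair.mandatory else '*'}{pair.value}"


def encode_cisco_avpair(text: str) -> bytes:
    """One attribute 26: Vendor-Id 9, then vendor-type 1, vendor-length, string."""
    value = text.encode()
    vendor_data = struct.pack("!BB", CISCO_AVPAIR, 2 + len(value)) + value
    body = struct.pack("!I", CISCO_VENDOR_ID) + vendor_data
    if 2 + len(body) > 255:
        raise ValueError("attribute would exceed the 255-byte RADIUS limit")
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_cisco_avpairs(attributes: bytes) -> List[AVPair]:
    """Walk a RADIUS attribute list and return the cisco-avpair values in it."""
    pairs, offset = [], 0
    while offset < len(attributes):
        if offset + 2 > len(attributes):
            raise ValueError("truncated attribute header")
        atype, alen = attributes[offset], attributes[offset + 1]
        if alen < 2 or offset + alen > len(attributes):
            raise ValueError("malformed attribute length")
        body = attributes[offset + 2:offset + alen]
        offset += alen
        if atype != VENDOR_SPECIFIC or len(body) < 6:
            continue                              # not a VSA, or too short to hold one
        if struct.unpack("!I", body[:4])[0] != CISCO_VENDOR_ID:
            continue                              # another vendor's own sub-format
        vtype, vlen = body[4], body[5]
        if vtype != CISCO_AVPAIR or vlen != len(body) - 4:
            continue
        pairs.append(parse_avpair(body[6:].decode()))
    return pairs


def demo_attributes() -> bytes:
    """Constructed list: three cisco-avpairs, one plain attribute, one foreign VSA."""
    reply_message = struct.pack("!BB", 18, 2 + 5) + b"hello"            # Reply-Message
    other_vendor = struct.pack("!BBI", VENDOR_SPECIFIC, 9, 311) + b"\x07\x03\x01"  # sample, Vendor-Id 311
    return b"".join([
        encode_cisco_avpair("ip:addr-pool=first"),
        reply_message,
        other_vendor,
        encode_cisco_avpair("shell:priv-lvl=15"),
        encode_cisco_avpair("lcp:interface-config*ip vrf forwarding blue"),
    ])


if __name__ == "__main__":
    for pair in decode_cisco_avpairs(demo_attributes()):
        print(pair, "->", format_avpair(pair))
```

The decoder deliberately ignores anything it does not recognise rather than failing, which is how a NAS behaves with VSAs from other vendors; the length checks are the part worth keeping in any real parser, since a bad vendor-length is the usual way a malformed attribute reads past its buffer.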

Command Name: server (radius)
Mode: router(config-sg-radius)#
Syntax:
server ip-address [auth-port port-number] [acct-port port-number]
no server ip-address [auth-port port-number] [acct-port port-number]

Syntax Description:
ip-address              IP address of the RADIUS server host.
auth-port port-number   (Optional) Specifies the User Datagram Protocol (UDP) destination port for authentication requests. The port-number argument specifies the port number for authentication requests. The host is not used for authentication if this value is set to 0.
acct-port port-number   (Optional) Specifies the UDP destination port for accounting requests. The port-number argument specifies the port number for accounting requests. The host is not used for accounting services if this value is set to 0.

Command Description: To configure the IP address of the RADIUS server for the group server, use the server command in server-group configuration mode. To remove the associated server from the authentication, authorization, and accounting (AAA) group server, use the no form of this command.

Usage Guidelines: Use the server command to associate a particular server with a defined group server. There are two different ways in which you can identify a server, depending on the way you want to offer AAA services. You can identify the server simply by using its IP address, or you can identify multiple host instances or entries using the optional auth-port and acct-port keywords. When you use the optional keywords, the network access server identifies RADIUS security servers and host instances associated with a group server on the basis of their IP address and specific UDP port numbers. The combination of the IP address and UDP port number creates a unique identifier, allowing different ports to be individually defined as RADIUS host entries providing a specific AAA service. If two different host entries on the same RADIUS server are configured for the same service (for example, accounting), the second host entry configured acts as failover backup to the first one. Using this example, if the first host entry fails to provide accounting services, the network access server will try the second host entry configured on the same device for accounting services. (The RADIUS host entries will be tried in the order they are configured.)

Example:
router(config-sg-radius)#server 172.20.0.1 auth-port 2000 acct-port 2001

Misconceptions: none

Related commands: aaa group server, aaa new-model, radius-server host

Sample Configurations:
aaa new-model
aaa authentication ppp default group group1
aaa group server radius group1
 server 172.20.0.1 auth-port 1000 acct-port
aaa group server radius group2
 server 172.20.0.1 auth-port 2000 acct-port 2001
radius-server host 172.20.0.1 auth-port 1000 acct-port 1001
radius-server host 172.20.0.1 auth-port 1000 acct-port 1001
radius-server host 172.10.0.1 auth-port 1645 acct-port 1646

Command Name: show aaa attributes
Mode: router>
Syntax:
show aaa attributes [protocol radius]

Syntax Description:
protocol radius    (Optional) Displays the mapping between a RADIUS attribute and a AAA attribute name and number.

Command Description: To display the mapping between an authentication, authorization, and accounting (AAA) attribute number and the corresponding AAA attribute name, use the show aaa attributes command in EXEC configuration mode.

Example:
router>show aaa attributes

Misconceptions: none

Related commands: none

Sample Configurations: The following example is sample output for the show aaa attributes command. In this example, all RADIUS attributes that have been enabled are displayed.
router# show aaa attributes protocol radius
AAA ATTRIBUTE LIST:
Type=1 Name=disc-cause-ext Format=Enum
    Protocol:RADIUS
    Non-Standard Type=195 Name=Ascend-Disconnect-Cau Format=Enum
    Cisco VSA Type=1 Name=Cisco AVpair Format=String
Type=2 Name=Acct-Status-Type Format=Enum
    Protocol:RADIUS
    IETF Type=40 Name=Acct-Status-Type Format=Enum
Type=3 Name=acl Format=Ulong
    Protocol:RADIUS
    IETF Type=11 Name=Filter-Id Format=Binary
Type=4 Name=addr Format=IPv4 Address
    Protocol:RADIUS
    IETF Type=8 Name=Framed-IP-Address Format=IPv4 Addre
Type=5 Name=addr-pool Format=String
    Protocol:RADIUS
    Non-Standard Type=218 Name=Ascend-IP-Pool Format=Ulong
Type=6 Name=asyncmap Format=Ulong
    Protocol:RADIUS
    Non-Standard Type=212 Name=Ascend-Asyncmap Format=Ulong
Type=7 Name=Authentic Format=Enum
    Protocol:RADIUS
    IETF Type=45 Name=Authentic Format=Enum
Type=8 Name=autocmd Format=String

Command Name: show radius statistics
Mode: router>
Syntax:
show radius statistics

Syntax Description: This command has no arguments or keywords.

Command Description: To display the RADIUS statistics for accounting and authentication packets, use the show radius statistics EXEC command. The show radius statistics field descriptions are listed below.

Auth.                       Statistics for authentication packets.
Acct.                       Statistics for accounting packets.
Both                        Combined statistics for authentication and accounting packets.
Maximum inQ length          Maximum number of entries allowed in the queue that holds the RADIUS messages not yet sent.
Maximum waitQ length        Maximum number of entries allowed in the queue that holds the RADIUS messages that have been sent and are waiting for a response.
Maximum doneQ length        Maximum number of entries allowed in the queue that holds the messages that have received a response and will be forwarded to the code that is waiting for the messages.
Total responses seen        Number of RADIUS responses seen from the server. In addition to the expected packets, this includes repeated packets and packets that do not have a matching message in the waitQ.
Packets with responses      Number of packets that received a response from the RADIUS server.
Packets without responses   Number of packets that never received a response from any RADIUS server.
Average response delay      Average time from when the packet was first transmitted to when it received a response. If the response timed out and the packet was sent again, this value includes the timeout. If the packet never received a response, this is not included in the average.
Maximum response delay      Maximum delay observed while gathering average response delay information.
Number of RADIUS timeouts   Number of times a server did not respond, and the RADIUS server re-sent the packet.
Duplicate ID detects        RADIUS has a maximum of 255 unique IDs. In some instances there can be more than 255 outstanding packets. When a packet is received, the doneQ is searched from the oldest entry to the youngest. If the IDs are the same, further techniques are used to see if this response matches this entry. If it is determined that this does not match, the duplicate ID detect counter is increased.

Example:
router# show radius statistics

Misconceptions: none

Related commands: radius-server host, radius-server retransmit, radius-server timeout

Sample Configurations: The following example is sample output for the show radius statistics command:
router# show radius statistics
                               Auth.    Acct.    Both
Maximum inQ length:              NA       NA       1
Maximum waitQ length:            NA       NA       1
Maximum doneQ length:            NA       NA       1
Total responses seen:             3        0       3
Packets with responses:           3        0       3
Packets without responses:        0        0       0
Average response delay(ms):    5006        0    5006
Maximum response delay(ms):   15008        0   15008
Number of Radius timeouts:        3        0       3
Duplicate ID detects:             0        0       0
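Read against the field descriptions, the sample output above tells a story: three authentication requests, three responses, but also three timeouts and an average delay of 5006 ms against a default 5-second timer, meaning every reply only arrived after a retransmission. The following added example (not IOS code) parses that output, embedded as constructed text, into a table and applies those checks so the reading is repeatable; the 5-second timeout is the radius-server timeout default from this reference and is passed in as a parameter.

```python
"""Parse 'show radius statistics' output and flag unhealthy server behaviour.

Added example, not IOS code. SAMPLE_OUTPUT reproduces the reference's sample
display. The checks follow the field descriptions: timeouts mean a server did not
answer before radius-server timeout expired, and an average delay of a full
timeout interval means replies are only arriving after retransmission.
"""
from typing import Dict, List, Optional

COLUMNS = ("Auth.", "Acct.", "Both")

SAMPLE_OUTPUT = """\
router# show radius statistics
                               Auth.    Acct.    Both
Maximum inQ length:              NA       NA       1
Maximum waitQ length:            NA       NA       1
Maximum doneQ length:            NA       NA       1
Total responses seen:             3        0       3
Packets with responses:           3        0       3
Packets without responses:        0        0       0
Average response delay(ms):    5006        0    5006
Maximum response delay(ms):   15008        0   15008
Number of Radius timeouts:        3        0       3
Duplicate ID detects:             0        0       0
"""


def parse_radius_statistics(text: str) -> Dict[str, Dict[str, Optional[int]]]:
    """Map each counter name to its Auth./Acct./Both values (NA becomes None)."""
    stats: Dict[str, Dict[str, Optional[int]]] = {}
    for line in text.splitlines():
        name, sep, values = line.partition(":")
        fields = values.split()
        if not sep or len(fields) != len(COLUMNS):
            continue                              # prompt, header or blank line
        stats[name.strip()] = {
            col: (None if raw == "NA" else int(raw)) for col, raw in zip(COLUMNS, fields)
        }
    return stats


def assess(stats: Dict[str, Dict[str, Optional[int]]],
           timeout_seconds: int = 5, column: str = "Both") -> List[str]:
    """Findings for one column; an empty list means nothing looks wrong."""
    def value(name: str) -> int:
        return stats[name][column] or 0

    findings = []
    if value("Packets without responses"):
        findings.append(f"{value('Packets without responses')} request(s) got no answer "
                        "from any server")
    if value("Number of Radius timeouts"):
        findings.append(f"{value('Number of Radius timeouts')} timeout(s): a server did not "
                        f"reply within {timeout_seconds}s and the packet was re-sent")
    if value("Average response delay(ms)") >= timeout_seconds * 1000:
        findings.append("average response delay spans a full timeout interval: replies "
                        "arrive only after retransmission")
    if value("Duplicate ID detects"):
        findings.append("duplicate ID detects: more than 255 packets outstanding, "
                        "responses are being matched heuristically")
    if value("Total responses seen") > value("Packets with responses"):
        findings.append("more responses seen than packets answered: repeated or "
                        "unmatched responses from the server")
    return findings


if __name__ == "__main__":
    table = parse_radius_statistics(SAMPLE_OUTPUT)
    for finding in assess(table):
        print("-", finding)
```

On the reference's sample the two findings are the timeouts and the timeout-sized average delay; a healthy server shows an average delay far below the timer and a zero timeout count. A rising timeout count together with "Packets without responses" staying at zero usually means the first server in the list is unreachable and a later one is answering, which is worth correlating with the host order from radius-server host.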

Command Name: test aaa group
Mode: router#
Syntax:
test aaa group {group-name | radius} username password new-code [profile profile-name]

Syntax Description:
group-name             Subset of RADIUS servers that are used as defined by the server group group-name.
radius                 Uses RADIUS servers for authentication.
username               Specifies a name for the user.
password               Character string that specifies the password.
new-code               The code path through the new code, which supports a CLID or DNIS user profile association with a RADIUS server.
profile profile-name   (Optional) Identifies the user profile specified in the aaa user profile command. To associate a user profile with the RADIUS server, the user profile name must be identified.

Command Description: To associate a dialed number identification service (DNIS) or calling line identification (CLID) user profile with the record that is sent to the RADIUS server, use the test aaa group command in privileged EXEC mode.

Example:
router# test aaa group radius user1 pass new-code profile prfl1

Misconceptions: none

Related commands: aaa attribute, aaa user profile

Sample Configurations: The following sample shows how to configure a dnis = dnisvalue user profile named "prf1" and associate it with a test aaa group command:
aaa user profile prfl1
 aaa attribute dnis
 aaa attribute dnis dnisvalue
 no aaa attribute clid
 ! Attribute not found.
 aaa attribute clid clidvalue
 no aaa attribute clid
 exit
!
test aaa group radius user1 pass new-code profile prfl1

Command Name: vpdn aaa attribute nas-port vpdn-nas
Mode: router(config)#
Syntax:
vpdn aaa attribute nas-port vpdn-nas
no vpdn aaa attribute nas-port vpdn-nas

Syntax Description: This command has no arguments or keywords.

Command Description: To enable the L2TP network server (LNS) to send PPP extended NAS-Port format values from the L2TP access concentrator (LAC) to the RADIUS server for accounting, use the vpdn aaa attribute nas-port vpdn-nas global configuration command. To prevent the LNS from sending PPP extended NAS-Port format values, use the no form of this command.

Usage Guidelines: The PPP extended NAS-Port format enables the NAS-Port and NAS-Port-Type attributes to provide port details to the RADIUS server when PPP over ATM, PPP over Ethernet (PPPoE) over ATM, or PPPoE over 802.1Q VLANs is used. The vpdn aaa attribute nas-port vpdn-nas command should be configured on the LNS only. The radius-server attribute nas-port format command with the d keyword must also be configured on the LNS and the L2TP access concentrator (LAC), and the LAC and LNS must both be Cisco routers.

Example:
router(config)# vpdn aaa attribute nas-port vpdn-nas

Misconceptions: The LNS will not send PPP extended NAS-Port format values to the RADIUS server by default.

Related commands: radius-server attribute nas-port format

Sample Configurations: In the following example, the LNS is configured to recognize and forward PPP extended NAS-Port format values to the RADIUS server. PPP extended NAS-Port format must also be configured on the LAC for this configuration to be effective.
vpdn enable
no vpdn logging
!
vpdn-group L2TP-tunnel
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname lac1
 local name lns1
!
aaa new-model
aaa authentication ppp default local group radius
aaa authorization network default local group radius
aaa accounting network default start-stop group radius
radius-server host 171.79.79.76 auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server attribute nas-port format d
radius-server key lns123
!
vpdn aaa attribute nas-port vpdn-nas

aaa group server tacacs+

To group different server hosts into distinct lists and distinct methods, use the aaa group server tacacs+ command in global configuration mode. To remove a server group from the configuration list, use the no form of this command.
aaa group server tacacs+ group-name
no aaa group server tacacs+ group-name

Syntax Description
tacacs+       Uses only the TACACS+ server hosts.
group-name    Character string used to name the group of servers.

Defaults
No default behavior or values.

Command Modes
Global configuration

Command History
Release      Modification
12.0(5)T     This command was introduced.

Usage Guidelines
The authentication, authorization, and accounting (AAA) server-group feature introduces a way to group existing server hosts. The feature enables you to select a subset of the configured server hosts and use them for a particular service. A server group is a list of server hosts of a particular type. Currently supported server host types are RADIUS server hosts and TACACS+ server hosts. A server group is used in conjunction with a global server host list. The server group lists the IP addresses of the selected server hosts.

Examples
The following example shows the configuration of an AAA group server named tacgroup1 that comprises three member servers:
aaa group server tacacs+ tacgroup1
 server 1.1.1.1
 server 2.2.2.2
 server 3.3.3.3

Related Commands
Command                     Description
aaa accounting              Enables AAA accounting of requested services for billing or security.
aaa authentication login    Enables AAA accounting of requested services for billing or security purposes.
aaa authorization           Sets parameters that restrict user access to a network.
aaa new-model               Enables the AAA access control model.
tacacs-server host          Specifies a TACACS+ host.

ip tacacs source-interface

To use the IP address of a specified interface for all outgoing TACACS+ packets, use the ip tacacs source-interface command in global configuration mode. To disable use of the specified interface IP address, use the no form of this command.
ip tacacs source-interface subinterface-name
no ip tacacs source-interface

Syntax Description
subinterface-name    Name of the interface that TACACS+ uses for all of its outgoing packets.

Defaults
No default behavior or values.

Command Modes
Global configuration

Command History
Release    Modification
10.0       This command was introduced.

Usage Guidelines
Use this command to set a subinterface's IP address for all outgoing TACACS+ packets. This address is used as long as the interface is in the up state. In this way, the TACACS+ server can use one IP address entry associated with the network access client instead of maintaining a list of all IP addresses. This command is especially useful in cases where the router has many interfaces and you want to ensure that all TACACS+ packets from a particular router have the same IP address. The specified interface must have an IP address associated with it. If the specified subinterface does not have an IP address or is in a down state, TACACS+ reverts to the default. To avoid this, add an IP address to the subinterface or bring the interface to the up state.

Examples
The following example makes TACACS+ use the IP address of subinterface s2 for all outgoing TACACS+ packets:
ip tacacs source-interface s2

Related Commands
Command                       Description
ip radius source-interface    Forces RADIUS to use the IP address of a specified interface for all outgoing RADIUS packets.
ip telnet source-interface    Allows a user to select an address of an interface as the source address for Telnet connections.
ip tftp source-interface      Allows a user to select the interface whose address will be used as the source address for TFTP connections.

server (TACACS+)

To configure the IP address of the TACACS+ server for the group server, use the server command in TACACS+ group server configuration mode. To remove the IP address of the RADIUS server, use the no form of this command.
server ip-address
no server ip-address

Syntax Description
ip-address    IP address of the selected server.

Defaults
No default behavior or values.

Command Modes
TACACS+ group server configuration

Command History
Release      Modification
12.0(5)T     This command was introduced.

Usage Guidelines
You must configure the aaa group server tacacs command before configuring this command. Enter the server command to specify the IP address of the TACACS+ server. Also configure a matching tacacs-server host entry in the global list. If there is no response from the first host entry, the next host entry is tried.

Examples
The following example shows server host entries configured for the RADIUS server:
aaa new-model
aaa authentication ppp default group g1
aaa group server tacacs+ g1
 server 1.0.0.1
 server 2.0.0.1
tacacs-server host 1.0.0.1
tacacs-server host 2.0.0.1

Related Commands
Command              Description
aaa new-model        Enables the AAA access control model.
aaa server group     Groups different server hosts into distinct lists and distinct methods.
tacacs-server host   Specifies a RADIUS server host.

show tacacs

To display statistics for a TACACS+ server, use the show tacacs command in EXEC configuration mode.
show tacacs

Syntax Description
This command has no arguments or keywords.

Defaults
No default behavior or values.

Command Modes
EXEC

Command History
Release    Modification
11.2       This command was introduced.

Examples
The following example is sample output for the show tacacs command:
Router# show tacacs
Tacacs+ Server          : 172.19.192.80/49
Socket opens:           3
Socket closes:          3
Socket aborts:          0
Socket errors:          0
Socket Timeouts:        0
Failed Connect Attempts: 0
Total Packets Sent:     7
Total Packets Recv:     7
Expected Replies:       0
No current connection

Table 18 describes the significant fields shown in the display.

Table 18: show tacacs Field Descriptions

Field                     Description
Tacacs+ Server            IP address of the TACACS+ server.
Socket opens              Number of successful TCP socket connections to the TACACS+ server.
Socket closes             Number of successfully closed TCP socket attempts.
Socket aborts             Number of premature TCP socket closures to the TACACS+ server; that is, the peer did not wait for a reply from the server after the peer sent its request.
Socket errors             Any other socket read or write errors, such as incorrect packet format and length.
Failed Connect Attempts   Number of failed TCP socket connections to the TACACS+ server.
Total Packets Sent        Number of packets sent to the TACACS+ server.
Total Packets Recv        Number of packets received from the TACACS+ server.
Expected replies          Number of outstanding replies from the TACACS+ server.

Related Commands
Command tacacs-server host Description Specifies a TACACS+ host.

tacacs-server directed-request

To send only a username to a specified server when a direct request is issued, use the tacacs-server directed-request command in global configuration mode. To send the entire string to the TACACS+ server, use the no form of this command.
tacacs-server directed-request [restricted] [no-truncate]
no tacacs-server directed-request

Syntax Description
restricted     (Optional) Restrict queries to directed request servers only.
no-truncate    (Optional) Do not truncate the @hostname from the username.

Defaults
Enabled

Command Modes
Global configuration

Command History
Release    Modification
11.1       This command was introduced.

Usage Guidelines

This command sends only the portion of the username before the "@" symbol to the host specified after the "@" symbol. In other words, with the directed-request feature enabled, you can direct a request to any of the configured servers, and only the username is sent to the specified server. Disabling tacacs-server directed-request causes the whole string, both before and after the "@" symbol, to be sent to the default TACACS+ server. When the directed-request feature is disabled, the router queries the list of servers, starting with the first one in the list, sending the whole string, and accepting the first response that it gets from the server. The tacacs-server directed-request command is useful for sites that have developed their own TACACS+ server software that parses the whole string and makes decisions based on it. With tacacs-server directed-request enabled, only configured TACACS+ servers can be specified by the user after the "@" symbol. If the host name specified by the user does not match the IP address of a TACACS+ server configured by the administrator, the user input is rejected. Use no tacacs-server directed-request to disable the ability of the user to choose between configured TACACS+ servers and to cause the entire string to be passed to the default server.

Examples
The following example enables tacacs-server directed-request so that the entire user input is passed to the default TACACS+ server:
no tacacs-server directed-request
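The usage guidelines above describe a small decision procedure: with directed requests enabled, "user@host" sends only "user" to the configured server named after the "@" and rejects any host the administrator has not configured; no-truncate keeps the whole string; with the feature disabled, the whole string goes to the default server list in order. The following added example (not IOS code) encodes that procedure so the outcome for a given input can be checked; the server list and user inputs are constructed, and the restricted keyword is not modelled because the reference does not describe its behaviour in enough detail.

```python
"""Model how tacacs-server directed-request routes a login string.

Added example, not IOS code. Follows the reference's usage guidelines for the
enabled, disabled and no-truncate cases; the restricted keyword is not modelled.
Server names and user inputs are constructed.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class DirectedRequest:
    enabled: bool = True        # the default, per the reference
    no_truncate: bool = False


@dataclass
class Decision:
    servers: List[str]          # TACACS+ servers queried, in order
    username: str               # the string actually sent
    rejected: bool = False


def route_login(user_input: str, configured: List[str], policy: DirectedRequest) -> Decision:
    """Decide which server(s) see which username for one login attempt."""
    if not policy.enabled:
        # Whole string, "@host" included, goes to the default server list in order.
        return Decision(list(configured), user_input)
    name, at, host = user_input.rpartition("@")
    if not at:
        return Decision(list(configured), user_input)    # no server named: normal lookup
    if host not in configured:
        return Decision([], user_input, rejected=True)   # unknown host: input rejected
    return Decision([host], user_input if policy.no_truncate else name)


# Constructed server list; Sea_Change is the host name used in this reference.
SERVERS = ["Sea_Change", "172.19.192.80"]

if __name__ == "__main__":
    for text in ("alice", "alice@Sea_Change", "alice@other.example"):
        print(text, "->", route_login(text, SERVERS, DirectedRequest()))
```

The rejection branch is the security-relevant one: because only administrator-configured servers can be named after the "@", a user cannot steer their own authentication to a host of their choosing, and the whole-string behaviour of the no form is only appropriate when the TACACS+ server itself is written to parse that string.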

tacacs-server host

To specify a TACACS+ host, use the tacacs-server host command in global configuration mode. To delete the specified name or address, use the no form of this command.
tacacs-server host hostname [port integer] [timeout integer] [key string]
no tacacs-server host hostname

Syntax Description
hostname    Name or IP address of the host.
port        (Optional) Specify a server port number. This option overrides the default, which is port 49.
integer     (Optional) Port number of the server. Valid port numbers range from 1 to 65535.
timeout     (Optional) Specify a timeout value. This overrides the global timeout value set with the tacacs-server timeout command for this server only.
integer     (Optional) Integer value, in seconds, of the timeout interval.
key         (Optional) Specify an authentication and encryption key. This must match the key used by the TACACS+ daemon. Specifying this key overrides the key set by the global command tacacs-server key for this server only.
string      (Optional) Character string specifying authentication and encryption key.

Defaults
No TACACS+ host is specified.

Command Modes
Global configuration

Command History
Release 10.0: This command was introduced.

Usage Guidelines
You can use multiple tacacs-server host commands to specify additional hosts. The Cisco IOS software searches for hosts in the order in which you specify them. Use the port, timeout, and key options only when running an AAA/TACACS+ server. Because some parameters of the tacacs-server host command override the global settings made by the tacacs-server timeout and tacacs-server key commands, you can use this command to enhance security on your network by giving individual routers their own per-server keys and timeouts.

Examples
The following example specifies a TACACS+ host named Sea_Change:
tacacs-server host Sea_Change

The following example specifies that, for authentication, authorization, and accounting (AAA) confirmation, the router consults the TACACS+ server host named Sea_Cure on port number 51. The timeout value for requests on this connection is three seconds; the encryption key is a_secret.
tacacs-server host Sea_Cure port 51 timeout 3 key a_secret

Related Commands

aaa authentication    Specifies or enables AAA authentication.
aaa authorization     Sets parameters that restrict user access to a network.
aaa accounting        Enables AAA accounting of requested services for billing or security.
ppp                   Starts an asynchronous connection using PPP.
slip                  Starts a serial connection to a remote host using SLIP.
tacacs-server key     Sets the authentication encryption key used for all TACACS+ communications between the access server and the TACACS+ daemon.

tacacs-server key
To set the authentication encryption key used for all TACACS+ communications between the access server and the TACACS+ daemon, use the tacacs-server key command in global configuration mode. To disable the key, use the no form of this command.
tacacs-server key key
no tacacs-server key [key]

Syntax Description
key Key used to set authentication and encryption. This key must match the key used on the TACACS+ daemon.

Defaults
No default behavior or values.

Command Modes
Global configuration

Command History
Release 11.1: This command was introduced.

Usage Guidelines

After enabling authentication, authorization, and accounting (AAA) with the aaa new-model command, you must set the authentication and encryption key using the tacacs-server key command. The key entered must match the key used on the TACACS+ daemon. All leading spaces are ignored; spaces within and at the end of the key are not. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.

Examples
The following example sets the authentication and encryption key to "dare to go":
tacacs-server key dare to go

Related Commands
aaa new-model         Enables the AAA access control model.
tacacs-server host    Specifies a TACACS+ host.

Command Name: Mode: Syntax:

access-enable router>

access-enable [host] [timeout minutes] Syntax Description:


host (Optional) Tells the software to enable access only for the host from which the Telnet session originated. If not specified, the software allows all hosts on the defined network to gain access. The dynamic access list contains the network mask to use for enabling the new network.

timeout minutes

(Optional) Specifies an idle timeout for the temporary access list entry. If the access list entry is not accessed within this period, it is automatically deleted and requires the user to authenticate again. The default is for the entries to remain permanently. We recommend that this value equal the idle timeout set for the WAN connection.

Command Description: To enable the router to create a temporary access list entry in a dynamic access list, use the access-enable EXEC command.
Usage Guidelines: This command enables the lock-and-key access feature. You should always define either an idle timeout (with the timeout keyword in this command) or an absolute timeout (with the timeout keyword in the access-list command). Otherwise, the temporary access list entry remains even after the user terminates the session. Use the autocommand line configuration command with the access-enable command so that access-enable executes when a user opens a Telnet session into the router.
Example: The following example causes the software to create a temporary access list entry and enables access only for the host from which the Telnet session originated. If the access list entry is not accessed within 2 minutes, it is deleted.
router(config-line)#autocommand access-enable host timeout 2
Misconceptions: none
Related commands: access-list (IP extended) autocommand show ip accounting
Sample Configurations: This example shows how to configure lock-and-key access, with authentication occurring locally at the router. Lock-and-key is configured on the Ethernet 0 interface.
interface ethernet0
 ip address 172.18.23.9 255.255.255.0
 ip access-group 101 in
access-list 101 permit tcp any host 172.18.21.2 eq telnet
access-list 101 dynamic mytestlist timeout 120 permit ip any any
line vty 0
 login local
 autocommand access-enable timeout 5

Command Name: Mode: Syntax:

access-list dynamic-extend router(config)#

access-list dynamic-extend no access-list dynamic-extend Syntax Description: This command has no arguments or keywords.
Command Description: To allow the absolute timer of the dynamic access control list (ACL) to be extended an additional six minutes, use the access-list dynamic-extend command in global configuration mode. To disable this functionality, use the no form of this command.
Usage Guidelines: When you create a Telnet session to the router to re-authenticate yourself by using the lock-and-key function, use the access-list dynamic-extend command to extend the absolute timer of the dynamic ACL by six minutes. The router must already be configured with the lock-and-key feature, and you must configure the extension before the ACL expires.
Example: router(config)# access-list dynamic-extend
Misconceptions: none
Related commands: none
Sample Configurations:

Command Name: Mode: Syntax:

access-template router#

access-template [access-list-number | name] [dynamic-name] [source] [destination] [timeout minutes] Syntax Description:
access-list-number (Optional) Number of the dynamic access list.

name

(Optional) Name of an IP access list. The name cannot contain a space or quotation mark, and must begin with an alphabetic character to avoid ambiguity with numbered access lists.

dynamic-name

(Optional) Name of a dynamic access list.

source

(Optional) Source address in a dynamic access list. The keywords host and any are allowed. All other attributes are inherited from the original access-list entry.

destination

(Optional) Destination address in a dynamic access list. The keywords host and any are allowed. All other attributes are inherited from the original access-list entry.

timeout minutes

(Optional) Specifies a maximum time limit for each entry within this dynamic list. This is an absolute time, from creation, that an entry can reside in the list. The default is an infinite time limit and allows an entry to remain permanently.

Command Description: To manually place a temporary access list entry on a router to which you are connected, use the access-template privileged EXEC command.
Usage Guidelines: This command provides a way to enable the lock-and-key access feature. You should always define either an idle timeout (with the timeout keyword in this command) or an absolute timeout (with the timeout keyword in the access-list command). Otherwise, the dynamic access list entry remains even after the user has terminated the session.
Example: The following example enables IP access on incoming packets in which the source address is 172.29.1.129 and the destination address is 192.168.52.12; the entry expires two minutes after it is created. All other source and destination pairs are discarded.
router#access-template 101 payroll host 172.29.1.129 host 192.168.52.12 timeout 2
Misconceptions: none
Related commands: access-list (IP extended) autocommand clear access-template show ip accounting
Sample Configurations:
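The timer rules stated in the access-enable, access-list dynamic-extend and access-template entries above, as an added Python example that is not part of this reference or of Cisco IOS. The DynamicEntry and access_enable names are hypothetical, times are seconds from an arbitrary origin, and the source network of the dynamic access-list entry is passed in directly instead of being read from the access list. The example shows why the text insists on at least one timeout: with both timers unset, the entry never expires.

```python
# Added example, not Cisco IOS code: models the life cycle of one lock-and-key
# temporary entry (idle timer from access-enable/access-template, absolute
# timer from the dynamic access-list entry, six-minute extension from
# access-list dynamic-extend). Names are hypothetical; times are in seconds.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass
class DynamicEntry:
    """One temporary entry in a dynamic access list."""
    permitted_src: IPv4Network         # /32 for 'host', else the dynamic entry's network
    created: float
    last_hit: float
    idle_timeout: Optional[float]      # None: no idle timer (entry stays until cleared)
    absolute_timeout: Optional[float]  # None: no absolute timer

    def expired(self, now: float) -> bool:
        if self.idle_timeout is not None and now - self.last_hit >= self.idle_timeout:
            return True
        if self.absolute_timeout is not None and now - self.created >= self.absolute_timeout:
            return True
        return False

    def matches(self, src: str, now: float) -> bool:
        """Packet check: an expired entry never matches; a hit resets only the idle timer."""
        if self.expired(now) or ip_address(src) not in self.permitted_src:
            return False
        self.last_hit = now
        return True

    def extend(self, seconds: float = 6 * 60) -> None:
        """access-list dynamic-extend: push the absolute timer out by six minutes."""
        if self.absolute_timeout is not None:
            self.absolute_timeout += seconds


def access_enable(telnet_src: str, dynamic_src: str, now: float, host_only: bool,
                  idle_minutes: Optional[int], absolute_minutes: Optional[int]) -> DynamicEntry:
    """Create the entry 'access-enable [host] [timeout N]' would create.

    dynamic_src is the source network of the 'access-list ... dynamic' entry
    (for example '0.0.0.0/0' for 'any'); absolute_minutes is that entry's timeout.
    """
    permitted = ip_network(f"{telnet_src}/32") if host_only else ip_network(dynamic_src)
    return DynamicEntry(
        permitted_src=permitted, created=now, last_hit=now,
        idle_timeout=None if idle_minutes is None else idle_minutes * 60,
        absolute_timeout=None if absolute_minutes is None else absolute_minutes * 60,
    )
```

Note that a hit refreshes only last_hit: traffic keeps an idle-timed entry alive indefinitely, which is exactly what the absolute timer on the access-list statement is there to bound.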

Command Name: Mode: Syntax:

clear access-template router#

clear access-template [access-list-number | name] [dynamic-name] [source] [destination] Syntax Description:


access-list-number (Optional) Number of the dynamic access list from which the entry is to be deleted.

name

(Optional) Name of an IP access list from which the entry is to be deleted. The name cannot contain a space or quotation mark, and must begin with an alphabetic character to avoid ambiguity with numbered access lists.

dynamic-name

(Optional) Name of the dynamic access list from which the entry is to be deleted.

source

(Optional) Source address in a temporary access list entry to be deleted.

destination

(Optional) Destination address in a temporary access list entry to be deleted.

Command Description: To manually clear a temporary access list entry from a dynamic access list, use the clear access-template privileged EXEC command.
Example: The following example clears any temporary access list entries with a source of 172.20.1.12 from the dynamic access list named vendor:
router#clear access-template vendor 172.20.1.12
Misconceptions: none

Related commands: access-list (IP extended) access-template show ip accounting Sample Configurations:

Command Name: Mode: Syntax:

evaluate router(config-ext-nacl)#

evaluate name no evaluate name Syntax Description:
name The name of the reflexive access list that you want evaluated for IP traffic entering your internal network. This is the name defined in the permit (reflexive) command.

Command Description: To nest a reflexive access list within an access list, use the evaluate command in access-list configuration mode. To remove a nested reflexive access list from the access list, use the no form of this command.
Usage Guidelines: This command is used to achieve reflexive filtering, a form of session filtering. Before this command will work, you must define the reflexive access list using the permit (reflexive) command. This command nests a reflexive access list within an extended named IP access list. If you are configuring reflexive access lists for an external interface, the extended named IP access list should be one which is applied to inbound traffic. If you are configuring reflexive access lists for an internal interface, the extended named IP access list should be one which is applied to outbound traffic. (In other words, use the access list opposite of the one used to define the reflexive access list.) This command allows IP traffic entering your internal network to be evaluated against the reflexive access list. Use this command as an entry (condition statement) in the IP access list; the entry "points" to the reflexive access list to be evaluated.
As with all access list entries, the order of entries is important. Normally, when a packet is evaluated against entries in an access list, the entries are evaluated in sequential order, and when a match occurs, no more entries are evaluated. With a reflexive access list nested in an extended access list, the extended access list entries are evaluated sequentially up to the nested entry, then the reflexive access list entries are evaluated sequentially, and then the remaining entries in the extended access list are evaluated sequentially. As usual, after a packet matches any of these entries, no more entries will be evaluated.
Example: router(config-ext-nacl)#evaluate tcptraffic
Misconceptions: none
Related commands: ip access-list ip reflexive-list timeout permit (reflexive)
Sample Configurations: The following example shows reflexive filtering at an external interface. It defines an extended named IP access list inboundfilters and applies it to inbound traffic at the interface. The access list permits all Border Gateway Protocol and Enhanced Interior Gateway Routing Protocol traffic, denies all Internet Control Message Protocol traffic, and causes all Transmission Control Protocol traffic to be evaluated against the reflexive access list tcptraffic. If the reflexive access list tcptraffic has an entry that matches an inbound packet, the packet is permitted into the network; tcptraffic only has entries that permit inbound traffic for existing TCP sessions. Anything that matches none of these entries, including TCP traffic for sessions that were not initiated from inside, is dropped by the implicit deny at the end of the list.
interface Serial 1
 description Access to the Internet via this interface
 ip access-group inboundfilters in
!
ip access-list extended inboundfilters
 permit bgp any any
 permit eigrp any any
 deny icmp any any
 evaluate tcptraffic

Command Name: Mode: Syntax:

ip reflexive-list timeout router(config)#

ip reflexive-list timeout seconds no ip reflexive-list timeout Syntax Description:


seconds Specifies the number of seconds to wait (when no session traffic is being detected) before temporary access list entries expire. Use a positive integer from 0 to 2,147,483. The default is 300 seconds.

Command Description: To specify the length of time that reflexive access list entries will continue to exist when no packets in the session are detected, use the ip reflexive-list timeout command in global configuration mode. To reset the timeout period to the default timeout, use the no form of this command.
Usage Guidelines: This command is used with reflexive filtering, a form of session filtering. This command specifies when a reflexive access list entry will be removed after a period of no traffic for the session (the timeout period). With reflexive filtering, when an IP upper-layer session begins from within your network, a temporary entry is created within the reflexive access list, and a timer is set. Whenever a packet belonging to this session is forwarded (inbound or outbound) the timer is reset. When this timer counts down to zero without being reset, the temporary reflexive access list entry is removed. The timer is set to the timeout period. Individual timeout periods can be defined for specific reflexive access lists, but for reflexive access lists that do not have individually defined timeout periods, the global timeout period is used. The global timeout value is 300 seconds by default; however, you can change the global timeout to a different value at any time using this command. This command does not take effect for reflexive access list entries that were already created when the command is entered; this command only changes the timeout period for entries created after the command is entered.
Example: The following example sets the global timeout period for reflexive access list entries to 120 seconds:
ip reflexive-list timeout 120
Misconceptions: none
Related commands: evaluate ip access-list permit (reflexive)
Sample Configurations:
interface Serial 1
 description Access to the Internet via this interface
 ip access-group inboundfilters in
 ip access-group outboundfilters out
!
ip reflexive-list timeout 120
!
ip access-list extended outboundfilters
 permit tcp any any reflect tcptraffic
!
ip access-list extended inboundfilters
 permit bgp any any
 permit eigrp any any
 deny icmp any any
 evaluate tcptraffic

Command Name: Mode: Syntax:

permit (reflexive) router(config-ext-nacl)#

permit protocol source source-wildcard destination destination-wildcard reflect name [timeout seconds]
no permit protocol source source-wildcard destination destination-wildcard reflect name

Syntax Description:
protocol Name or number of an IP protocol. It can be one of the keywords gre, icmp, ip, ipinip, nos, tcp, or udp, or an integer in the range 0 to 255 representing an IP protocol number. To match any Internet protocol (including Internet Control Message Protocol, Transmission Control Protocol, and User Datagram Protocol), use the keyword ip.

source

Number of the network or host from which the packet is being sent. There are three other ways to specify the source:
- Use a 32-bit quantity in four-part, dotted-decimal format.
- Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended (see the section "Usage Guidelines").
- Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

source-wildcard

Wildcard bits (mask) to be applied to source. There are three other ways to specify the source wildcard:
- Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.
- Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended (see the section "Usage Guidelines").
- Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

destination

Number of the network or host to which the packet is being sent. There are three other ways to specify the destination:
- Use a 32-bit quantity in four-part, dotted-decimal format.
- Use the keyword any as an abbreviation for the destination and destination-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended (see the section "Usage Guidelines").
- Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

destination-wildcard

Wildcard bits to be applied to the destination. There are three other ways to specify the destination wildcard:
- Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.
- Use the keyword any as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended (see the section "Usage Guidelines").
- Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

reflect

Identifies this access list as a reflexive access list.

name

Specifies the name of the reflexive access list. Names cannot contain a space or quotation mark, and must begin with an alphabetic character to prevent ambiguity with numbered access lists. The name can be up to 64 characters long.

timeout seconds

(Optional) Specifies the number of seconds to wait (when no session traffic is being detected) before entries expire in this reflexive access list. Use a positive integer from 0 to 2^32-1. If not specified, the number of seconds defaults to the global timeout value.

Command Description: To create a reflexive access list and to enable its temporary entries to be automatically generated, use the permit command in access-list configuration mode. To delete the reflexive access list (if only one protocol was defined) or to delete protocol entries from the reflexive access list (if multiple protocols are defined), use the no form of this command.
Usage Guidelines: This command is used to achieve reflexive filtering, a form of session filtering. For this command to work, you must also nest the reflexive access list using the evaluate command. This command creates a reflexive access list and triggers the creation of entries in the same reflexive access list. This command must be an entry (condition statement) in an extended named IP access list.

If you are configuring reflexive access lists for an external interface, the extended named IP access list should be one which is applied to outbound traffic. If you are configuring reflexive access lists for an internal interface, the extended named IP access list should be one which is applied to inbound traffic.
IP sessions that originate from within your network are initiated with a packet exiting your network. When such a packet is evaluated against the statements in the extended named IP access list, the packet is also evaluated against this reflexive permit entry. As with all access list entries, the order of entries is important, because they are evaluated in sequential order. When an IP packet reaches the interface, it will be evaluated sequentially by each entry in the access list until a match occurs. If the packet matches an entry prior to the reflexive permit entry, the packet will not be evaluated by the reflexive permit entry, and no temporary entry will be created for the reflexive access list (session filtering will not be triggered). The packet will be evaluated by the reflexive permit entry if no other match occurs first. Then, if the packet matches the protocol specified in the reflexive permit entry, the packet is forwarded and a corresponding temporary entry is created in the reflexive access list (unless the corresponding entry already exists, indicating the packet belongs to a session in progress). The temporary entry specifies criteria that permits traffic into your network only for the same session.
Characteristics of Reflexive Access List Entries: This command enables the creation of temporary entries in the same reflexive access list that was defined by this command. The temporary entries are created when a packet exiting your network matches the protocol specified in this command. (The packet "triggers" the creation of a temporary entry.) These entries have the following characteristics:

- The entry is a permit entry.
- The entry specifies the same IP upper-layer protocol as the original triggering packet.
- The entry specifies the same source and destination addresses as the original triggering packet, except the addresses are swapped.
- If the original triggering packet is TCP or UDP, the entry specifies the same source and destination port numbers as the original packet, except the port numbers are swapped. If the original triggering packet is a protocol other than TCP or UDP, port numbers do not apply, and other criteria are specified. For example, for ICMP, type numbers are used: the temporary entry specifies the same type number as the original packet (with only one exception: if the original ICMP packet is type 8, the returning ICMP packet must be type 0 to be matched).
- The entry inherits all the values of the original triggering packet, with exceptions only as noted in the previous four bullets.

IP traffic entering your internal network will be evaluated against the entry, until the entry expires. If an IP packet matches the entry, the packet will be forwarded into your network. The entry will expire (be removed) after the last packet of the session is matched. If no packets belonging to the session are detected for a configurable length of time (the timeout period), the entry will expire.
Example: The following example defines a reflexive access list tcptraffic in an outbound access list. This example is for an external interface (an interface connecting to an external network). First, the interface is defined and the access list is applied to the interface for outbound traffic.
router(config)#interface Serial 1
router(config-if)#ip access-group outboundfilters out
Next, the outbound access list is defined and the reflexive access list tcptraffic is created with a reflexive permit entry.
router(config)#ip access-list extended outboundfilters
router(config-ext-nacl)#permit tcp any any reflect tcptraffic
Misconceptions: If this command is not configured, no reflexive access lists will exist, and no session filtering will occur. If this command is configured without specifying a timeout value, entries in this reflexive access list will expire after the global timeout period.
Related commands: evaluate ip access-list ip reflexive-list timeout
Sample Configurations:
interface Serial 1
 description Access to the Internet via this interface
 ip access-group inboundfilters in
 ip access-group outboundfilters out
!
ip reflexive-list timeout 120
!
ip access-list extended outboundfilters
 permit tcp any any reflect tcptraffic
!
ip access-list extended inboundfilters
 permit bgp any any
 permit eigrp any any
 deny icmp any any
 evaluate tcptraffic
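The entry-generation and evaluation rules described in the evaluate, ip reflexive-list timeout and permit (reflexive) entries above, as an added Python example that is not part of this reference or of Cisco IOS: a model of one reflexive access list. The Packet, mirror and ReflexiveList names are hypothetical; the model keeps only the fields the text names (protocol, addresses, ports, ICMP type), reflects the ICMP echo/echo-reply exception, and removes an entry once it has been idle for the timeout. Removal on the final packet of a TCP session is not modelled.

```python
# Added example, not Cisco IOS code: models how a 'permit ... reflect NAME'
# entry creates temporary entries and how 'evaluate NAME' applies them to
# inbound traffic. All names here are hypothetical.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                        # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: Optional[int] = None       # TCP/UDP only
    dport: Optional[int] = None
    icmp_type: Optional[int] = None   # ICMP only


# Shape a returning packet must have to match a temporary entry.
EntryKey = Tuple[str, str, str, Optional[int], Optional[int], Optional[int]]


def mirror(pkt: Packet) -> EntryKey:
    """Temporary entry for the return direction of an outbound triggering packet:
    same protocol, addresses and ports swapped; an ICMP echo (type 8) expects an
    echo-reply (type 0), every other ICMP type expects the same type back."""
    icmp = 0 if pkt.proto == "icmp" and pkt.icmp_type == 8 else pkt.icmp_type
    return (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport, icmp)


class ReflexiveList:
    def __init__(self, name: str, timeout: float = 300.0):
        self.name = name
        self.timeout = timeout                      # seconds of idle time before removal
        self.entries: Dict[EntryKey, float] = {}    # entry -> time of last matching packet

    def reflect(self, pkt: Packet, now: float) -> None:
        """Outbound packet matched the 'permit ... reflect' statement: create the
        entry for its return traffic (or just refresh it if the session exists)."""
        self.entries[mirror(pkt)] = now

    def evaluate(self, pkt: Packet, now: float) -> bool:
        """Inbound packet hits the 'evaluate' statement: permit only if a live
        entry matches; a hit resets the idle timer, an idle entry is removed."""
        key: EntryKey = (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.icmp_type)
        last = self.entries.get(key)
        if last is None:
            return False
        if now - last >= self.timeout:
            del self.entries[key]
            return False
        self.entries[key] = now
        return True
```

The second assertion in a typical run is the one worth noting: a packet from the same external host and port but to a different internal port has no entry and is refused, which is the whole point of reflecting the full 5-tuple rather than just the addresses.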

Command Name: Mode: Syntax:

absolute router(config-time-range)#

absolute [start time date] [end time date] no absolute Syntax Description:
start time date (Optional) Absolute time and date that the permit or deny statement of the associated access list starts going into effect. The time is expressed in 24-hour notation, in the form of hours:minutes. For example, 8:00 is 8:00 a.m. and 20:00 is 8:00 p.m. The date is expressed in the format day month year. The minimum start is 00:00 1 January 1993. If no start time and date are specified, the permit or deny statement is in effect immediately.

end time date

(Optional) Absolute time and date that the permit or deny statement of the associated access list is no longer in effect. Same time and date format as described for the start keyword. The end time and date must be after the start time and date. The maximum end time is 23:59 31 December 2035. If no end time and date are specified, the associated permit or deny statement is in effect indefinitely.

Command Description: To specify an absolute time when a time range is in effect, use the absolute time-range configuration command. To remove the time limitation, use the no form of this command.
Usage Guidelines: Time ranges are used by IP and IPX extended access lists. Time ranges are applied to the permit or deny statements found in these access lists. The absolute command is one way to specify when a time range is in effect. Another way is to specify a periodic length of time with the periodic command. Use either of these commands after the time-range command, which enables time-range configuration mode and specifies a name for the time range. Only one absolute entry is allowed per time-range command. If a time-range command has both absolute and periodic values specified, then the periodic items are evaluated only after the absolute start time is reached, and are not further evaluated after the absolute end time is reached.
Note: All time specifications are interpreted as local time. To ensure that the time range entries take effect at the desired times, the software clock should be synchronized using the Network Time Protocol (NTP), or some other authoritative time source.

Example: The following example configures an access list named northeast, which references a time range named xyz. The access list and time range together permit traffic on Ethernet interface 0 starting at noon on January 1, 2001 and going forever.
time-range xyz
 absolute start 12:00 1 January 2001
!
ip access-list extended northeast
 permit ip any any time-range xyz
!
interface ethernet 0
 ip access-group northeast in
The following example permits UDP traffic until noon on December 31, 2000. After that time, UDP traffic is no longer allowed out Ethernet interface 0.
time-range abc
 absolute end 12:00 31 December 2000
!
ip access-list extended northeast
 permit udp any any time-range abc
!
interface ethernet 0
 ip access-group northeast out
The following example permits UDP traffic out Ethernet interface 0 on weekends only, from 8:00 a.m. on January 1, 1999 to 6:00 p.m. on December 31, 2001:
time-range test
 absolute start 8:00 1 January 1999 end 18:00 31 December 2001
 periodic weekend 00:00 to 23:59
!
ip access-list extended northeast
 permit udp any any time-range test
!
interface ethernet 0
 ip access-group northeast out
Misconceptions: none
Related commands: deny periodic permit time-range
Sample Configurations:

Command Name: Mode: Syntax:

periodic router(config-time-range)#

periodic days-of-the-week hh:mm to [days-of-the-week] hh:mm no periodic days-of-the-week hh:mm to [days-of-the-week] hh:mm Syntax Description:
days-of-the-week The first occurrence of this argument is the starting day or day of the week that the associated time range is in effect. The second occurrence is the ending day or day of the week the associated statement is in effect. This argument can be any single day or combination of days: Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, and Sunday. Other possible values are:
- daily: Monday through Sunday
- weekdays: Monday through Friday
- weekend: Saturday and Sunday
If the ending days of the week are the same as the starting days of the week, they can be omitted.

hh:mm

The first occurrence of this argument is the starting hours:minutes that the associated time range is in effect. The second occurrence is the ending hours:minutes the associated statement is in effect. The hours:minutes are expressed in a 24-hour clock. For example, 8:00 is 8:00 a.m. and 20:00 is 8:00 p.m.

to

Entry of the to keyword is required to complete the range "from start-time to end-time."

Command Description: To specify a recurring (weekly) time range for functions that support the time-range feature, use the periodic time-range configuration command. To remove the time limitation, use the no form of this command.
Usage Guidelines: For Cisco IOS Release 12.2, IP and Internetwork Packet Exchange (IPX) extended access lists are the only functions that can use time ranges. For further information on using these functions, refer to the Release 12.2 Cisco IOS IP Configuration Guide and the Release 12.2 Cisco IOS AppleTalk and Novell IPX Configuration Guide.
The periodic command is one way to specify when a time range is in effect. Another way is to specify an absolute time period with the absolute command. Use either of these commands after the time-range global configuration command, which specifies the name of the time range. Multiple periodic entries are allowed per time-range command. If the end days-of-the-week value is the same as the start value, they can be omitted. If a time-range command has both absolute and periodic values specified, then the periodic items are evaluated only after the absolute start time is reached, and are not further evaluated after the absolute end time is reached.
Note: All time specifications are taken as local time. To ensure that the time range entries take effect at the desired times, you should synchronize the system software clock using Network Time Protocol (NTP).
Example: The following example denies HTTP traffic on Monday through Friday from 8:00 a.m. to 6:00 p.m.:
time-range no-http
 periodic weekdays 8:00 to 18:00
!
ip access-list extended strict
 deny tcp any any eq http time-range no-http
!
interface ethernet 0
 ip access-group strict in
The following example permits Telnet traffic on Mondays, Tuesdays, and Fridays from 9:00 a.m. to 5:00 p.m.:
time-range testing
 periodic Monday Tuesday Friday 9:00 to 17:00
!
ip access-list extended legal
 permit tcp any any eq telnet time-range testing
!
interface ethernet 0
 ip access-group legal in
Misconceptions: none

Related commands: absolute access-list (extended) deny (IP) permit (IP) time-range
Sample Configurations:

Command Name: Mode: Syntax:

time-range router(config)#

time-range time-range-name no time-range time-range-name Syntax Description:


time-rangename Desired name for the time range. The name cannot contain a space or quotation mark, and must begin with a letter.

Command Description: To enable time-range configuration mode and define time ranges for functions (such as extended access lists), use the time-range global configuration command. To remove the time limitation, use the no form of this command.
Usage Guidelines: The time-range entries are identified by a name, which is referred to by one or more other configuration commands. Multiple time ranges can occur in a single access list or other feature.
Note: For Cisco IOS Release 12.2, IP and Internetwork Packet Exchange (IPX) extended access lists are the only functions that can use time-ranges. For further information on using these functions, see the Release 12.2 Cisco IOS IP Configuration Guide and the Release 12.2 Cisco IOS AppleTalk and Novell IPX Configuration Guide.
After the time-range command, use the periodic time-range configuration command, the absolute time-range configuration command, or some combination of them to define when the feature is in effect. Multiple periodic commands are allowed in a time range; only one absolute command is allowed.
Example:
router(config)# time-range no-http
router(config-time-range)#periodic weekdays 8:00 to 18:00
Misconceptions: none

Related commands: absolute ip access-list periodic permit ip Sample Configurations: The following example denies HTTP traffic on Monday through Friday from 8:00 a.m. to 6:00 p.m. The example allows UDP traffic on Saturday and Sunday from noon to midnight only.
time-range no-http
 periodic weekdays 8:00 to 18:00
!
time-range udp-yes
 periodic weekend 12:00 to 24:00
!
ip access-list extended strict
 deny tcp any any eq http time-range no-http
 permit udp any any time-range udp-yes
!
interface ethernet 0
 ip access-group strict in
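The following added example (not Cisco's code) evaluates the periodic and absolute rules described in the two entries above: it turns periodic and absolute lines into minute-of-the-week windows and date bounds and checks whether a range such as no-http or udp-yes is in effect at a given local time. The class and function names are my own; a window is assumed to end exclusively at its end time, and a range with no periodic entries is assumed to be governed by its absolute bounds alone.

```python
"""Decide whether a time range defined with the periodic and absolute commands
above is in effect at a given local time.  Added example, not Cisco's code:
names are my own, day keywords and HH:MM times (24:00 = end of day) follow the
page, a window ends exclusively at its end time, and periodic entries count
only between the absolute start and end when those are set."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Tuple

DAY_NAMES = ["monday", "tuesday", "wednesday", "thursday", "friday",
             "saturday", "sunday"]                     # datetime.weekday() order
DAY_KEYWORDS = {"daily": set(range(7)), "weekdays": set(range(5)),
                "weekend": {5, 6}}
WEEK = 7 * 1440                                        # minutes in a week


def _minutes(hhmm: str) -> int:
    """'8:00' -> 480; '24:00' -> 1440, i.e. the midnight ending the day."""
    hours, mins = hhmm.split(":")
    return int(hours) * 60 + int(mins)


def parse_periodic(cmd: str) -> List[Tuple[int, int]]:
    """'periodic DAYS HH:MM to [DAY] HH:MM' -> (start, end) windows in
    minutes of the week; the end day may be omitted when it equals the start."""
    tok = cmd.split()[1:]
    days = set()
    while tok[0].lower() in DAY_KEYWORDS or tok[0].lower() in DAY_NAMES:
        word = tok.pop(0).lower()
        days |= DAY_KEYWORDS[word] if word in DAY_KEYWORDS else {DAY_NAMES.index(word)}
    start, end_day = _minutes(tok[0]), None
    tok = tok[2:]                                      # skip the time and 'to'
    if tok[0].lower() in DAY_NAMES:
        end_day = DAY_NAMES.index(tok.pop(0).lower())
    end = _minutes(tok[0])
    windows = []
    for day in sorted(days):
        s = day * 1440 + start
        e = (day if end_day is None else end_day) * 1440 + end
        windows.append((s, e if e > s else e + WEEK))  # wraps past Sunday
    return windows


@dataclass
class TimeRange:
    name: str
    windows: List[Tuple[int, int]] = field(default_factory=list)
    absolute_start: Optional[datetime] = None
    absolute_end: Optional[datetime] = None

    def add(self, cmd: str) -> "TimeRange":
        """Apply one time-range configuration line (periodic or absolute)."""
        tok = cmd.split()
        if tok[0] == "periodic":
            self.windows += parse_periodic(cmd)
        elif tok[0] == "absolute":
            for i in range(1, len(tok), 5):            # start|end HH:MM D Month YYYY
                stamp = datetime.strptime(" ".join(tok[i + 1:i + 5]), "%H:%M %d %B %Y")
                if tok[i] == "start":
                    self.absolute_start = stamp
                else:
                    self.absolute_end = stamp
        else:
            raise ValueError(f"unsupported time-range line: {cmd}")
        return self

    def in_effect(self, now: datetime) -> bool:
        """True when the range is active at the local time 'now'."""
        if self.absolute_start and now < self.absolute_start:
            return False
        if self.absolute_end and now > self.absolute_end:
            return False
        if not self.windows:          # assumption: absolute bounds alone decide
            return True
        t = now.weekday() * 1440 + now.hour * 60 + now.minute
        return any((t - s) % WEEK < e - s for s, e in self.windows)


# The ranges from the examples above, plus a constructed range that spans the
# weekend and is limited to February 2003 by an absolute entry.
NO_HTTP = TimeRange("no-http").add("periodic weekdays 8:00 to 18:00")
TESTING = TimeRange("testing").add("periodic Monday Tuesday Friday 9:00 to 17:00")
UDP_YES = TimeRange("udp-yes").add("periodic weekend 12:00 to 24:00")
ON_CALL = TimeRange("on-call").add("periodic friday 18:00 to monday 8:00").add(
    "absolute start 0:00 1 February 2003 end 23:59 28 February 2003")
```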

Command Name: Mode: Syntax:

access-list compiled router(config)#

access-list compiled no access-list compiled Syntax Description: This command has no arguments or keywords. Command Description: To enable the Turbo Access Control Lists (Turbo ACL) feature, use the access-list compiled command in global configuration mode. To disable the Turbo ACL feature, use the no form of this command. Usage Guidelines By default, the Turbo ACL feature is disabled. When Turbo ACL is disabled, normal ACL processing is enabled, and no ACL acceleration occurs. When the Turbo ACL feature is enabled using the access-list compiled command, the ACLs in the configuration are scanned and, if suitable, compiled for Turbo ACL acceleration. This scanning and compilation may take a few seconds when the system is processing large and complex ACLs, or when the system is processing a configuration that contains a large number of ACLs. Any configuration change to an ACL that is being accelerated, such as the addition of new ACL entries or the deletion of the ACL, triggers a recompilation of that ACL. When Turbo ACL tables are being built (or rebuilt) for a particular ACL, the normal sequential ACL search is used until the new tables are ready for installation. Example: The following example enables the Turbo ACL feature: router(config)#access-list compiled Misconceptions: none Related commands:

none Sample Configurations:

Command Name: Mode: Syntax:

show access-list compiled router#

show access-list compiled Syntax Description: This command has no arguments or keywords. Command Description: To display a table showing Turbo Access Control Lists (ACLs), use the show access-list compiled privileged EXEC command. Example: router# show access-list compiled Misconceptions: none Related commands: access-list compiled access-list (extended) access-list (standard) clear access-list counters clear access-temp ip access-list show ip access-list Sample Configurations:
Router# show access-list compiled
Compiled ACL statistics:
12 ACLs loaded, 12 compiled tables
ACL   State        Tables  Entries  Config  Fragment  Redundant  Memory
1     Operational  1       2        1       0         0          1Kb
2     Operational  1       3        2       0         0          1Kb
3     Operational  1       4        3       0         0          1Kb
4     Operational  1       3        2       0         0          1Kb
5     Operational  1       5        4       0         0          1Kb
9     Operational  1       3        2       0         0          1Kb
20    Operational  1       9        8       0         0          1Kb
21    Operational  1       5        4       0         0          1Kb
101   Operational  1       15       9       7         2          1Kb
102   Operational  1       13       6       6         0          1Kb
120   Operational  1       2        1       0         0          1Kb
199   Operational  1       4        3       0         0          1Kb
First level lookup tables:
Block  Use                 Rows   Columns  Memory used
0      TOS/Protocol        6/16   12/16    66048
1      IP Source (MS)      10/16  12/16    66048
2      IP Source (LS)      27/32  12/16    132096
3      IP Dest (MS)        3/16   12/16    66048
4      IP Dest (LS)        9/16   12/16    66048
5      TCP/UDP Port        1/16   12/16    66048
6      TCP/UDP Dest Port   3/16   12/16    66048
7      TCP Flags/Fragment  3/16   12/16    66048

Command Name: Mode: Syntax:

access-class router(config-line)#

access-class access-list-number {in | out} no access-class access-list-number {in | out} Syntax Description:
access-list-number Number of an IP access list. This is a decimal number from 1 to 199 or from 1300 to 2699.

in

Restricts incoming connections between a particular Cisco device and the addresses in the access list.

out

Restricts outgoing connections between a particular Cisco device and the addresses in the access list.

Command Description: To restrict incoming and outgoing connections between a particular vty (into a Cisco device) and the addresses in an access list, use the access-class command in line configuration mode. To remove access restrictions, use the no form of this command. Usage Guidelines Remember to set identical restrictions on all the virtual terminal lines because a user can connect to any of them. To display the access lists for a particular terminal line, use the show line EXEC command and specify the line number. Example: The following example defines an access list that permits only hosts on network 192.89.55.0 to connect to the virtual terminal ports on the router:
router(config)#access-list 12 permit 192.89.55.0 0.0.0.255
router(config)#line 1 5
router(config-line)#access-class 12 in

The following example defines an access list that denies connections to networks other than network 36.0.0.0 on terminal lines 1 through 5:
router(config)#access-list 10 permit 36.0.0.0 0.255.255.255
router(config)#line 1 5
router(config-line)#access-class 10 out
Misconceptions: none Related commands: show line Sample Configurations:
access-list 1 permit 192.168.1.10
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip 255.0.0.0 0.255.255.255 any log
access-list 101 deny ip 224.0.0.0 7.255.255.255 any log
access-list 101 deny ip host 0.0.0.0 any log
access-list 101 deny ip 192.168.1.0 0.0.0.255 any log
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny udp any any eq snmp
access-list 101 permit tcp any 192.168.1.0 0.0.0.255 established
access-list 101 permit tcp any host 192.168.1.3 eq smtp
access-list 101 permit tcp any host 192.168.1.3 eq www
access-list 101 permit tcp any host 192.168.1.3 eq 443
access-list 101 permit tcp any host 192.168.1.3 eq ftp
access-list 101 permit tcp any host 192.168.1.3 gt 1023
access-list 101 permit icmp any 192.168.1.0 0.0.0.255 echo-reply
access-list 101 permit icmp any host 172.16.1.1 echo-reply
access-list 101 permit icmp host 192.168.255.2 host 172.16.1.1 echo
access-list 101 permit udp any host 192.168.1.3 eq domain
access-list 101 permit tcp host 192.168.255.2 host 192.168.1.3 eq nntp
access-list 101 permit udp host 192.168.255.2 host 192.168.1.3 eq ntp
access-list 101 deny icmp any host 192.168.1.1 echo log
access-list 101 deny tcp any host 192.168.1.1 eq telnet log
access-list 101 deny tcp any host 172.16.1.1 eq telnet log
access-list 101 deny tcp any host 192.168.1.2 eq telnet log
access-list 101 deny ip any any log
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 deny ip any any log
no cdp run
!
line con 0
 exec-timeout 0 0
 logging synchronous
 login local
 transport input none
line aux 0
 no exec
 login local
line vty 0 4
 access-class 1 in
 login local
!
end
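The usage guideline above says that every virtual terminal line needs the same restriction because a user can land on any of them. The following added example (not Cisco's code; the configuration text is constructed from the sample above and the function names are my own) parses the line blocks of a saved configuration and reports vty ranges with no inbound access-class, ranges restricted by different lists, and a list that is applied but not defined:

```python
"""Audit a Cisco IOS configuration for the access-class guideline above:
every vty line range should carry the same inbound restriction, and the
list it names should exist.  Added example; the configuration text is
constructed from the sample above and the function names are my own."""
import re
from typing import Dict, List, Tuple


def parse_line_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Return (header, body) for every 'line ...' block.  Body lines are the
    ones indented under the header, as IOS prints them; any unindented line
    ('!', 'end', another top-level command) closes the block."""
    blocks: List[Tuple[str, List[str]]] = []
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = (raw.strip(), [])
            blocks.append(current)
        elif current is not None and raw.startswith(" "):
            current[1].append(raw.strip())
        else:
            current = None
    return blocks


def defined_access_lists(config: str) -> set:
    """Numbers of numbered lists that have at least one permit/deny entry,
    plus the names of named IP access lists."""
    numbered = re.findall(r"^access-list (\d+) (?:permit|deny)\b", config, re.M)
    named = re.findall(r"^ip access-list (?:standard|extended) (\S+)", config, re.M)
    return set(numbered) | set(named)


def audit_vty_access_class(config: str) -> List[str]:
    """One finding per problem; an empty list means every vty range is
    restricted, consistently, by a list that is defined."""
    findings: List[str] = []
    acls = defined_access_lists(config)
    applied: Dict[str, str] = {}            # vty header -> inbound list
    for header, body in parse_line_blocks(config):
        if not header.startswith("line vty"):
            continue
        inbound = [b.split()[1] for b in body
                   if re.fullmatch(r"access-class \S+ in", b)]
        if not inbound:
            findings.append(f"{header}: no inbound access-class")
            continue
        applied[header] = inbound[0]
        if inbound[0] not in acls:
            findings.append(f"{header}: access-class {inbound[0]} names a "
                            "list that is not defined in this configuration")
    if len(set(applied.values())) > 1:
        findings.append("vty ranges are restricted by different lists: "
                        + ", ".join(f"{h} -> {a}" for h, a in applied.items()))
    return findings


# Constructed configuration: the vty 0 4 block from the sample above plus a
# second vty range that was left without an access-class.
UNEVEN_CONFIG = """\
access-list 1 permit 192.168.1.10
!
line con 0
 exec-timeout 0 0
 login local
line vty 0 4
 access-class 1 in
 login local
line vty 5 15
 login local
!
end
"""

# The same configuration with the restriction applied to both vty ranges.
FIXED_CONFIG = UNEVEN_CONFIG.replace(
    "line vty 5 15\n login local", "line vty 5 15\n access-class 1 in\n login local")

if __name__ == "__main__":
    for name, cfg in (("uneven", UNEVEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit_vty_access_class(cfg) or ["ok"])
```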

Command Name: Mode: Syntax:

access-list router(config)#

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name] [fragments]
no access-list access-list-number
Internet Control Message Protocol (ICMP)

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] | icmp-message] [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name] [fragments]
Internet Group Management Protocol (IGMP)

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name] [fragments]
Transmission Control Protocol (TCP)

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [established] [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name] [fragments]
User Datagram Protocol (UDP)

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} udp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name] [fragments]

Syntax Description:

access-list-number

Number of an access list. This is a decimal number from 100 to 199 or from 2000 to 2699.

dynamic dynamic-name

(Optional) Identifies this access list as a dynamic access list. Refer to lock-and-key access documented in the "Configuring Lock-and-Key Security (Dynamic Access Lists)" chapter in the Cisco IOS Security Configuration Guide.

timeout minutes

(Optional) Specifies the absolute length of time, in minutes, that a temporary access list entry can remain in a dynamic access list. The default is an infinite length of time and allows an entry to remain permanently. Refer to lock-and-key access documented in the "Configuring Lock-and-Key Security (Dynamic Access Lists)" chapter in the Cisco IOS Security Configuration Guide.

deny

Denies access if the conditions are matched.

permit

Permits access if the conditions are matched.

protocol

Name or number of an Internet protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, pim, tcp, or udp, or an integer in the range from 0 to 255 representing an Internet protocol number. To match any Internet protocol (including ICMP, TCP, and UDP) use the ip keyword. Some protocols allow further qualifiers described below.

source

Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source: Use a 32-bit quantity in four-part, dotted-decimal format. Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

source-wildcard

Wildcard bits to be applied to source. Each wildcard bit 0 indicates the corresponding bit position in the source. Each wildcard bit set to 1 indicates that both a 0 bit and a 1 bit in the corresponding position of the IP address of the packet will be considered a match to this access list entry. There are three alternative ways to specify the source wildcard:

Use a 32-bit quantity in four-part, dotted-decimal format. Place 1s in the bit positions you want to ignore. Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

Wildcard bits set to 1 need not be contiguous in the source wildcard. For example, a source wildcard of 0.255.0.64 would be valid.

destination

Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination: Use a 32-bit quantity in four-part, dotted-decimal format. Use the any keyword as an abbreviation for the destination and destination-wildcard of 0.0.0.0 255.255.255.255. Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

destination-wildcard

Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard: Use a 32-bit quantity in four-part, dotted-decimal format. Place 1s in the bit positions you want to ignore. Use the any keyword as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255. Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

precedence precedence

(Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7, or by name as listed in the section "Usage Guidelines."

tos tos

(Optional) Packets can be filtered by type of service level, as specified by a number from 0 to 15, or by name as listed in the section "Usage Guidelines."

log

(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.) The message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP, or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. By default, the message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval. Use the ip access-list log-update command to generate logging messages when the number of matches reaches a configurable threshold (rather than waiting for a 5-minute interval). See the ip access-list log-update command for more information. The logging facility might drop some logging message packets if there are too many to be handled or if there is more than one logging message to be handled in 1 second. This behavior prevents the router from crashing due to too many logging packets. Therefore, the logging facility should not be used as a billing tool or an accurate source of the number of matches to an access list. If you enable CEF and then create an access list that uses the log keyword, the packets that match the access list are not CEF switched. They are fast switched. Logging disables CEF.

log-input

(Optional) Includes the input interface and source MAC address or VC in the logging output.

time-range time-range-name

(Optional) Name of the time range that applies to this statement. The name of the time range and its restrictions are specified by the time-range command.

icmp-type

(Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255.

icmp-code

(Optional) ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.

icmp-message

(Optional) ICMP packets can be filtered by an ICMP message type name or ICMP message type and code name. The possible names are listed in the section "Usage Guidelines."

igmp-type

(Optional) IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the section "Usage Guidelines."

operator

(Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range). If the operator is positioned after the source and source-wildcard, it must match the source port. If the operator is positioned after the destination and destination-wildcard, it must match the destination port. The range operator requires two port numbers. All other operators require one port number.

port

(Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP and UDP port names are listed in the section "Usage Guidelines." TCP port names can only be used when filtering TCP. UDP port names can only be used when filtering UDP.

established

(Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK, FIN, PSH, RST, SYN or URG control bits set. The nonmatching case is that of the initial TCP datagram to form a connection.

fragments

(Optional) The access list entry applies to noninitial fragments of packets; the fragment is either permitted or denied accordingly.

Command Description: To define an extended IP access list, use the extended version of the access-list command in global configuration mode. To remove the access list, use the no form of this command. Usage Guidelines You can use access lists to control the transmission of packets on an interface, control vty access, and restrict the contents of routing updates. The Cisco IOS software stops checking the extended access list after a match occurs. Fragmented IP packets, other than the initial fragment, are immediately accepted by any extended IP access list. Extended access lists used to control vty access or restrict the contents of routing updates must not match against the TCP source port, the type of service (ToS) value, or the precedence of the packet. Note After a numbered access list is created, any subsequent additions (possibly entered from the terminal) are placed at the end of the list. In other words, you cannot selectively add or remove access list command lines from a specific numbered access list. The following is a list of precedence names:

critical flash flash-override immediate internet network priority routine

The following is a list of ToS names:


max-reliability max-throughput min-delay min-monetary-cost normal

The following is a list of ICMP message type names and ICMP message type and code names:

administratively-prohibited alternate-address conversion-error dod-host-prohibited dod-net-prohibited echo echo-reply general-parameter-problem host-isolated host-precedence-unreachable host-redirect host-tos-redirect host-tos-unreachable host-unknown host-unreachable information-reply information-request mask-reply mask-request mobile-redirect net-redirect net-tos-redirect net-tos-unreachable net-unreachable network-unknown no-room-for-option option-missing packet-too-big parameter-problem port-unreachable precedence-unreachable protocol-unreachable reassembly-timeout redirect router-advertisement router-solicitation source-quench source-route-failed time-exceeded timestamp-reply timestamp-request traceroute ttl-exceeded unreachable

The following is a list of IGMP message names:


dvmrp host-query host-report pim trace

The following is a list of TCP port names that can be used instead of port numbers. Refer to the current assigned numbers RFC to find a reference to these protocols. Port numbers corresponding to these protocols can also be found if you type a ? in the place of a port number.

bgp chargen daytime discard domain echo finger ftp ftp-data gopher hostname irc klogin kshell lpd nntp pop2 pop3 smtp sunrpc syslog tacacs-ds talk telnet time uucp whois www

The following is a list of UDP port names that can be used instead of port numbers. Refer to the current assigned numbers RFC to find a reference to these protocols. Port numbers corresponding to these protocols can also be found if you type a ? in the place of a port number.

biff bootpc bootps discard dnsix domain echo mobile-ip nameserver netbios-dgm netbios-ns ntp rip snmp snmptrap sunrpc syslog tacacs-ds talk tftp time who xdmcp

Access List Processing of Fragments The behavior of access-list entries regarding the use or lack of the fragments keyword can be summarized as follows:

If the access-list entry has no fragments keyword (the default behavior), and assuming all of the access-list entry information matches, then:

For an access-list entry containing only Layer 3 information: The entry is applied to nonfragmented packets, initial fragments and noninitial fragments.

For an access-list entry containing Layer 3 and Layer 4 information: The entry is applied to nonfragmented packets and initial fragments.
o If the entry is a permit statement, the packet or fragment is permitted.
o If the entry is a deny statement, the packet or fragment is denied.
The entry is also applied to noninitial fragments in the following manner. Because noninitial fragments contain only Layer 3 information, only the Layer 3 portion of an access-list entry can be applied. If the Layer 3 portion of the access-list entry matches, and
o If the entry is a permit statement, the noninitial fragment is permitted.
o If the entry is a deny statement, the next access-list entry is processed.

Note The deny statements are handled differently for noninitial fragments versus nonfragmented or initial fragments.

If the access-list entry has the fragments keyword, and assuming all of the access-list entry information matches, then the access-list entry is applied only to noninitial fragments.

Note The fragments keyword cannot be configured for an access-list entry that contains any Layer 4 information.

Be aware that you should not simply add the fragments keyword to every access list entry because the first fragment of the IP packet is considered a nonfragment and is treated independently of the subsequent fragments. An initial fragment will not match an access list permit or deny entry that contains the fragments keyword, the packet is compared to the next access list entry, and so on, until it is either permitted or denied by an access list entry that does not contain the fragments keyword. Therefore, you may need two access list entries for every deny entry. The first deny entry of the pair will not include the fragments keyword, and applies to the initial fragment. The second deny entry of the pair will include the fragments keyword and applies to the subsequent fragments. In the cases where there are multiple deny access list entries for the same host but with different Layer 4 ports, a single deny access-list entry with the fragments keyword for that host is all that needs to be added. Thus all the fragments of a packet are handled in the same manner by the access list.

Packet fragments of IP datagrams are considered individual packets and each counts individually as a packet in access list accounting and access list violation counts.
Note The fragments keyword cannot solve all cases involving access lists and IP fragments.
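The following added example (not Cisco's code) implements the fragment rules of the table above together with wildcard matching and the established keyword, so an access list can be walked against constructed packets and the noninitial-fragment behaviour checked before the list is applied to an interface. It parses only the keyword subset used in its own constructed lists (destination ports only, a handful of port names), treats packets as plain Python objects, and takes established as ACK-or-RST as the serial interface example below states.

```python
"""Evaluator for the extended access-list rules this page documents: wildcard
masks, the established keyword and the fragments handling.  Added example, not
Cisco's code; parses only the subset used below (no source ports, port names
limited to PORT_NAMES) and takes 'established' as ACK-or-RST per the page."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

PORT_NAMES = {"www": 80, "telnet": 23, "smtp": 25, "domain": 53, "ftp": 21}


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 1 = ignore that bit, 0 = must equal the base; set bits
    need not be contiguous (0.255.0.64 is a legal wildcard)."""
    keep = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & keep == int(IPv4Address(base)) & keep


@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    protocol: str                    # "ip", "tcp", "udp", "icmp"
    src: Tuple[str, str]             # (address, wildcard)
    dst: Tuple[str, str]
    dst_port: Optional[int] = None   # Layer 4 information
    established: bool = False        # Layer 4 information (TCP only)
    fragments: bool = False          # entry applies to noninitial fragments only


def has_l4(e: Entry) -> bool:
    return e.dst_port is not None or e.established


@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None
    flags: frozenset = frozenset()      # TCP control bits, e.g. {"SYN"}
    noninitial_fragment: bool = False   # carries no Layer 4 header


def parse_entry(line: str) -> Entry:
    """'access-list N {permit|deny} proto SRC DST [eq PORT] [established]
    [fragments]' with SRC/DST being any | host A | A WILDCARD."""
    tok = line.split()
    tok = tok[2:] if tok[0] == "access-list" else tok
    action, proto, tok = tok[0], tok[1], tok[2:]

    def take_addr() -> Tuple[str, str]:
        nonlocal tok
        if tok[0] == "any":
            tok = tok[1:]
            return "0.0.0.0", "255.255.255.255"
        if tok[0] == "host":
            addr, tok = tok[1], tok[2:]
            return addr, "0.0.0.0"
        addr, wc, tok = tok[0], tok[1], tok[2:]
        return addr, wc

    src, dst = take_addr(), take_addr()
    port = None
    if tok and tok[0] == "eq":
        port, tok = PORT_NAMES.get(tok[1]) or int(tok[1]), tok[2:]
    entry = Entry(action, proto, src, dst, port,
                  "established" in tok, "fragments" in tok)
    if entry.fragments and has_l4(entry):   # the page: not configurable together
        raise ValueError("fragments cannot be combined with Layer 4 information")
    return entry


def l3_matches(e: Entry, p: Packet) -> bool:
    return (e.protocol in ("ip", p.protocol)
            and wildcard_match(p.src, *e.src) and wildcard_match(p.dst, *e.dst))


def l4_matches(e: Entry, p: Packet) -> bool:
    if e.dst_port is not None and p.dst_port != e.dst_port:
        return False
    return not e.established or bool(p.flags & {"ACK", "RST"})


def evaluate(acl: List[Entry], p: Packet) -> str:
    """Top down, first match wins, implicit deny at the end."""
    for e in acl:
        if e.fragments:   # noninitial fragments only; initial ones skip it
            if p.noninitial_fragment and l3_matches(e, p):
                return e.action
            continue
        if not l3_matches(e, p):
            continue
        if p.noninitial_fragment and has_l4(e):
            # Only the Layer 3 part applies: a permit permits the fragment,
            # a deny does not deny it but falls through to the next entry.
            if e.action == "permit":
                return "permit"
            continue
        if not p.noninitial_fragment and not l4_matches(e, p):
            continue
        return e.action
    return "deny"


# Constructed lists: LAX lets a noninitial fragment aimed at the server fall
# through the telnet deny to the www permit; STRICT adds the single
# fragments deny the text suggests, ahead of the per-port entries.
LAX = [parse_entry(l) for l in (
    "access-list 101 deny tcp any host 192.168.1.3 eq telnet",
    "access-list 101 permit tcp any host 192.168.1.3 eq www",
    "access-list 101 permit tcp any 192.168.1.0 0.0.0.255 established",
)]
STRICT = [parse_entry("access-list 101 deny tcp any host 192.168.1.3 fragments")] + LAX
```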

Fragments and Policy Routing Fragmentation and the fragment control feature affect policy routing if the policy routing is based on the match ip address command and the access list had entries that match on Layer 4 through 7 information. It is possible that noninitial fragments pass the access list and are policy routed, even if the first fragment was not policy routed or the reverse. By using the fragments keyword in access list entries as described earlier, a better match between the action taken for initial and noninitial fragments can be made and it is more likely policy routing will occur as intended. Example: In the following example, serial interface 0 is part of a Class B network with the address 128.88.0.0, and the address of the mail host is 128.88.1.2. The established keyword is used only for the TCP protocol to indicate an established connection. A match occurs if the TCP datagram has the ACK or RST bits set, which indicates that the packet belongs to an existing connection.
access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255 established
access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.1.2 0.0.0.0 eq 25
interface serial 0
 ip access-group 102 in
The following example permits Domain Name System (DNS) packets and ICMP echo and echo reply packets:
access-list 102 permit tcp any 128.88.0.0 0.0.255.255 established
access-list 102 permit tcp any host 128.88.1.2 eq smtp
access-list 102 permit tcp any any eq domain
access-list 102 permit udp any any eq domain
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any echo-reply

The following examples show how wildcard bits are used to indicate the bits of the prefix or mask that are relevant. Wildcard bits are similar to the bitmasks that are used with normal access lists. Prefix or mask bits corresponding to wildcard bits set to 1 are ignored during comparisons and prefix or mask bits corresponding to wildcard bits set to 0 are used in comparison.

The following example permits 192.108.0.0 255.255.0.0 but denies any more specific routes of 192.108.0.0 (including 192.108.0.0 255.255.255.0):
access-list 101 permit ip 192.108.0.0 0.0.0.0 255.255.0.0 0.0.0.0
access-list 101 deny ip 192.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255
The following example permits 131.108.0/24 but denies 131.108/16 and all other subnets of 131.108.0.0:
access-list 101 permit ip 131.108.0.0 0.0.0.0 255.255.255.0 0.0.0.0
access-list 101 deny ip 131.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255
The following example uses a time range to deny HTTP traffic on Monday through Friday from 8:00 a.m. to 6:00 p.m.:
time-range no-http
 periodic weekdays 8:00 to 18:00
!
access-list 101 deny tcp any any eq http time-range no-http
!
interface ethernet 0
 ip access-group 101 in

Misconceptions: An extended access list defaults to a list that denies everything. An extended access list is terminated by an implicit deny statement.

Related commands: access-class access-list remark clear access-template deny

distribute-list in distribute-list out ip access-group ip access-list ip access-list log-update ip accounting logging console permit remark show access-lists show ip access-list time-range Sample Configurations:

Command Name: Mode: Syntax:

access-list (IP standard) router(config)#

access-list access-list-number {deny | permit} source [source-wildcard] [log] no access-list access-list-number Syntax Description:
access-list-number Number of an access list. This is a decimal number from 1 to 99 or from 1300 to 1999.

deny

Denies access if the conditions are matched.

permit

Permits access if the conditions are matched.

source

Number of the network or host from which the packet is being sent. There are two alternative ways to specify the source: Use a 32-bit quantity in four-part, dotted-decimal format. Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

source-wildcard

(Optional) Wildcard bits to be applied to the source. There are two alternative ways to specify the source wildcard: Use a 32-bit quantity in four-part, dotted-decimal format. Place 1s in the bit positions you want to ignore. Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

log

(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.) The message includes the access list number, whether the packet was permitted or denied, the source address, and the number of packets. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.

Use the ip access-list log-update command to generate the logging messages to appear when the number of matches reaches a configurable threshold (rather than waiting for a 5-minute interval). See the ip access-list log-update command for more information. The logging facility might drop some logging message packets if there are too many to be handled or if there is more than one logging message to be handled in 1 second. This behavior prevents the router from crashing due to too many logging packets. Therefore, the logging facility should not be used as a billing tool or an accurate source of the number of matches to an access list. If you enable CEF and then create an access list that uses the log keyword, the packets that match the access list are not CEF switched. They are fast switched. Logging disables CEF.

Command Description: To define a standard IP access list, use the standard version of the access-list command in global configuration mode. To remove a standard access list, use the no form of this command. Usage Guidelines Plan your access conditions carefully and be aware of the implicit deny statement at the end of the access list. You can use access lists to control the transmission of packets on an interface, control vty access, and restrict the contents of routing updates. Use the show access-lists EXEC command to display the contents of all access lists. Use the show ip access-list EXEC command to display the contents of one access list. Example: The following example of a standard access list allows access for only those hosts on the three specified networks. The wildcard bits apply to the host portions of the network addresses. Any host with a source address that does not match the access list statements will be rejected.
router(config)#access-list 1 permit 192.5.34.0 0.0.0.255
router(config)#access-list 1 permit 128.88.0.0 0.0.255.255
router(config)#access-list 1 permit 36.0.0.0 0.255.255.255
! (Note: all other access implicitly denied)
The following example of a standard access list allows access for devices with IP addresses in the range from 10.29.2.64 to 10.29.2.127. All packets with a source address not in this range will be rejected.
router(config)#access-list 1 permit 10.29.2.64 0.0.0.63
! (Note: all other access implicitly denied)

To specify a large number of individual addresses more easily, you can omit the wildcard if it is all zeros. Thus, the following two configuration commands are identical in effect:
router(config)#access-list 2 permit 36.48.0.3
router(config)#access-list 2 permit 36.48.0.3 0.0.0.0
Misconceptions: The access list defaults to an implicit deny statement for everything. The access list is always terminated by an implicit deny statement for everything. Related commands:

access-class access-list (IP extended) access-list remark deny (IP) distribute-list in (IP) distribute-list out (IP) ip access-group ip access-list log-update logging console permit (IP) remark (IP) show access-lists show ip access-list Sample Configurations:

Command Name: Mode: Syntax:

access-list remark router(config)#

access-list access-list-number remark remark no access-list access-list-number remark remark Syntax Description:
access-list-number Number of an IP access list.

remark

Comment that describes the access list entry, up to 100 characters long.

Command Description: To write a helpful comment (remark) for an entry in a numbered IP access list, use the access-list remark command in global configuration mode. To remove the remark, use the no form of this command. Usage Guidelines The remark can be up to 100 characters long; anything longer is truncated. If you want to write a comment about an entry in a named access list, use the remark command. Example:
router(config)#access-list 1 remark Permit only Jones workstation through
router(config)#access-list 1 remark Do not allow Smith workstation through
Misconceptions: none Related commands: access-list (IP extended) access-list (IP standard) ip access-list remark

Sample Configurations: In the following example, the workstation belonging to Jones is allowed access, and the workstation belonging to Smith is not allowed access:
access-list 1 remark Permit only Jones workstation through
access-list 1 permit 171.69.2.88
access-list 1 remark Do not allow Smith workstation through
access-list 1 deny 171.69.3.13

Command Name: Mode: Syntax:

clear access-list counters router#

clear access-list counters {access-list-number | access-list-name} Syntax Description:

access-list-number Access list number of the access list for which to clear the counters.

access-list-name

Name of an IP access list. The name cannot contain a space or quotation mark, and must begin with an alphabetic character to avoid ambiguity with numbered access lists.

Command Description: To clear the counters of an access list, use the clear access-list counters command in privileged EXEC mode. Usage Guidelines Some access lists keep counters that count the number of packets that pass each line of an access list. The show access-lists command displays the counters as a number of matches. Use the clear access-list counters command to restart the counters for a particular access list to 0. Example: The following example clears the counters for access list 101: router# clear access-list counters 101 Misconceptions: none Related commands: show access-lists Sample Configurations:

Command Name: Mode: Syntax:

deny (IP) router(config-ext-nacl)#

deny source [source-wildcard] no deny source [source-wildcard] deny protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments] no deny protocol source source-wildcard destination destination-wildcard
Internet Control Message Protocol (ICMP)

deny icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] | icmp-message] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
Internet Group Management Protocol (IGMP)

deny igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
Transmission Control Protocol (TCP)

deny tcp source source-wildcard [operator port [port]] destination destination-wildcard [operator [port]] [established] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
User Datagram Protocol (UDP)

deny udp source source-wildcard [operator port [port]] destination destination-wildcard [operator [port]] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]

Syntax Description:
source Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source:

Use a 32-bit quantity in four-part, dotted-decimal format. Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

source-wildcard

Wildcard bits to be applied to the source. There are three alternative ways to specify the source wildcard: Use a 32-bit quantity in four-part, dotted decimal format. Place 1s in the bit positions you want to ignore. Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

protocol

Name or number of an Internet protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range from 0 to 255 representing an Internet protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the ip keyword. Some protocols allow further qualifiers described later.

destination

Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination: Use a 32-bit quantity in four-part, dotted-decimal format. Use the any keyword as an abbreviation for the destination and destination-wildcard of 0.0.0.0 255.255.255.255. Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

destination-wildcard

Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard: Use a 32-bit quantity in four-part, dotted-decimal format. Place 1s in the bit positions you want to ignore. Use the any keyword as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255. Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

precedence precedence

(Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7 or by name as listed in the section "Usage Guidelines."

tos tos

(Optional) Packets can be filtered by type of service (ToS) level, as specified by a number from 0 to 15, or by name as listed in the section "Usage Guidelines" of the access-list (IP extended) command.

log

(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.) The message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP, or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval. Use the ip access-list log-update command to generate logging messages when the number of matches reaches a configurable threshold (rather than waiting for a 5-minute interval). See the ip access-list log-update command for more information. The logging facility might drop some logging message packets if there are too many to be handled or if there is more than one logging message to be handled in 1 second. This behavior prevents the router from crashing due to too many logging packets. Therefore, the logging facility should not be used as a billing tool or an accurate source of the number of matches to an access list. If you enable CEF and then create an access list that uses the log keyword, the packets that match the access list are not CEF switched. They are fast switched. Logging disables CEF.

time-range time-range-name

(Optional) Name of the time range that applies to this deny statement. The name of the time range and its restrictions are specified by the time-range and absolute or periodic commands, respectively.

icmp-type

(Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255.

icmp-code

(Optional) ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.

icmp-message

(Optional) ICMP packets can be filtered by an ICMP message type name or ICMP message type and code name. The possible names are listed in the section "Usage Guidelines" of the access-list (IP extended) command.

igmp-type

(Optional) IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the section "Usage Guidelines" of the access-list (IP extended) command.

operator

(Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range). If the operator is positioned after the source and source-wildcard, it must match the source port. If the operator is positioned after the destination and destination-wildcard, it must match the destination port. The range operator requires two port numbers. All other operators require one port number.

port

(Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP and UDP port names are listed in the section "Usage Guidelines" of the access-list (IP extended) command. TCP port names can only be used when filtering TCP. UDP port names can only be used when filtering UDP.

established

(Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case is that of the initial TCP datagram to form a connection.

fragments

(Optional) The access list entry applies to noninitial fragments of packets; the fragment is either permitted or denied accordingly. For more details about the fragments keyword, see the "Access List Processing of Fragments" and "Fragments and Policy Routing" sections in the "Usage Guidelines" section.

Command Description: To set conditions for a named IP access list, use the deny command in access-list configuration mode. To remove a deny condition from an access list, use the no form of this command.

Usage Guidelines: Use this command following the ip access-list command to specify conditions under which a packet cannot pass the named access list. The time-range option allows you to identify a time range by name. The time-range, absolute, and periodic commands specify when this deny statement is in effect.

Access List Processing of Fragments

The behavior of access-list entries regarding the use or lack of the fragments keyword can be summarized as follows:

If the access-list entry has no fragments keyword (the default behavior), and all of the access-list entry information matches, then:

For an access-list entry containing only Layer 3 information: the entry is applied to nonfragmented packets, initial fragments and noninitial fragments.

For an access-list entry containing Layer 3 and Layer 4 information: the entry is applied to nonfragmented packets and initial fragments.
o If the entry is a permit statement, the packet or fragment is permitted.
o If the entry is a deny statement, the packet or fragment is denied.
The entry is also applied to noninitial fragments in the following manner. Because noninitial fragments contain only Layer 3 information, only the Layer 3 portion of an access-list entry can be applied. If the Layer 3 portion of the access-list entry matches, and
o If the entry is a permit statement, the noninitial fragment is permitted.
o If the entry is a deny statement, the next access-list entry is processed.

Note: The deny statements are handled differently for noninitial fragments versus nonfragmented or initial fragments.

If the access-list entry has the fragments keyword, and all of the access-list entry information matches, then the entry is applied only to noninitial fragments.

Note: The fragments keyword cannot be configured for an access-list entry that contains any Layer 4 information.

Be aware that you should not simply add the fragments keyword to every access list entry, because the first fragment of the IP packet is considered a nonfragment and is treated independently of the subsequent fragments. An initial fragment will not match an access list permit or deny entry that contains the fragments keyword; the packet is compared to the next access list entry, and so on, until it is either permitted or denied by an access list entry that does not contain the fragments keyword. Therefore, you may need two access list entries for every deny entry. The first deny entry of the pair does not include the fragments keyword and applies to the initial fragment. The second deny entry of the pair includes the fragments keyword and applies to the subsequent fragments. In the cases where there are multiple deny access list entries for the same host but with different Layer 4 ports, a single deny access-list entry with the fragments keyword for that host is all that needs to be added. Thus all the fragments of a packet are handled in the same manner by the access list. Packet fragments of IP datagrams are considered individual packets and each counts individually as a packet in access list accounting and access list violation counts.

Note: The fragments keyword cannot solve all cases involving access lists and IP fragments.

Fragments and Policy Routing
Fragmentation and the fragment control feature affect policy routing if the policy routing is based on the match ip address command and the access list has entries that match on Layer 4 through 7 information. It is possible that noninitial fragments pass the access list and are policy routed even if the first fragment was not policy routed, or the reverse. By using the fragments keyword in access list entries as described earlier, a better match between the action taken for initial and noninitial fragments can be made, and it is more likely that policy routing will occur as intended.

Example:
router(config-std-nacl)#deny 192.5.34.0 0.0.0.255

Misconceptions: none

Related commands: access-list (IP extended), access-list (IP standard), ip access-group, ip access-list, ip access-list log-update, permit (IP), remark, show ip access-list, time-range

Sample Configurations: The following example sets a deny condition for a standard access list named Internetfilter:
ip access-list standard Internetfilter
deny 192.5.34.0 0.0.0.255
permit 128.88.0.0 0.0.255.255
permit 36.0.0.0 0.255.255.255
! (Note: all other access implicitly denied)

Command Name: Mode:

distribute-list in router(config-router)# router(config-router-af)#

Syntax:
distribute-list {access-list-number | prefix prefix-list-name} in [interface-type interface-number]
no distribute-list {access-list-number | prefix prefix-list-name} in [interface-type interface-number]

Syntax Description:
access-list-number Standard IP access list number. The list defines which networks are to be received and which are to be suppressed in routing updates.

prefix prefix-list-name

Name of a prefix list. The list defines which networks are to be received and which are to be suppressed in routing updates, based upon matching the network prefix to the prefixes in the list.

in

Applies the access list to incoming routing updates.

interface-type

(Optional) Interface type.

interface-number

(Optional) Interface number on which the access list should be applied to incoming updates. If no interface is specified, the access list will be applied to all incoming updates.

Command Description: To filter networks received in updates, use the distribute-list in command in address family or router configuration mode. To disable this function, use the no form of this command.

Usage Guidelines: This command is not supported in Intermediate System-to-Intermediate System (IS-IS) or Open Shortest Path First (OSPF). Using a prefix list allows filtering based upon the prefix length, making it possible to filter either on the prefix list, the gateway, or both for incoming updates.

Do not use both the access-list-number and prefix-list-name arguments with the distribute-list in command.

Note: To suppress networks from being advertised in updates, use the distribute-list out command.

Example:
router(config-router)#distribute-list 1 in
router(config-router-af)#distribute-list 1 in

Misconceptions: none

Related commands: access-list (IP extended), address-family ipv4, address-family vpnv4, clear ip prefix-list, distribute-list out, ip prefix-list, ip prefix-list description, ip prefix-list sequence-number, redistribute (IP), show ip bgp regexp

Sample Configurations: In the following router configuration mode example, the BGP routing process accepts only two networks: network 0.0.0.0 and network 10.108.0.0:
access-list 1 permit 0.0.0.0
access-list 1 permit 10.108.0.0
access-list 1 deny 0.0.0.0 255.255.255.255
router bgp
network 10.108.0.0
distribute-list 1 in

In the following address family configuration mode example, the process accepts only two networks: network 0.0.0.0 and network 10.108.0.0:
access-list 1 permit 0.0.0.0
access-list 1 permit 10.108.0.0
access-list 1 deny 0.0.0.0 255.255.255.255
router bgp

address-family ipv4 multicast
network 10.108.0.0
distribute-list 1 in

In the following example, the BGP routing process accepts only networks with prefixes that match those in the prefix list named firstlist on the Ethernet interface 0:
router bgp
distribute-list prefix firstlist in ethernet 0

Command Name: Mode:

distribute-list out router(config-router)# router(config-router-af)#

Syntax:
distribute-list {access-list-number | prefix prefix-list-name} out [interface-name | routing-process | as-number]
no distribute-list {access-list-number | prefix prefix-list-name} out [interface-name | routing-process | as-number]

Syntax Description:
access-list-number Standard IP access list number. The list defines which networks are to be sent and which are to be suppressed in outgoing routing updates.

prefix prefix-list-name

Name of a prefix list. The list defines which networks are to be sent and which are to be suppressed in outgoing routing updates, based upon matching the network prefix to the prefixes in the list.

out

Applies the access list to outgoing routing updates.

interface-name

(Optional) Name of a particular interface.

routing-process

(Optional) Name of a particular routing process, or the keyword static or connected.

as-number

(Optional) Autonomous system number.

Command Description: To suppress networks from being advertised in updates, use the distribute-list out command in address family or router configuration mode. To disable this function, use the no form of this command. Usage Guidelines

When redistributing networks, a routing process name can be specified as an optional trailing argument to the distribute-list command. Specifying an argument causes the access list to be applied to only those routes derived from the specified routing process. After the process-specific access list is applied, any access list specified by a distribute-list command without a process name argument will be applied. Addresses not specified in the distribute-list command will not be advertised in outgoing routing updates. Do not use both the access-list-number and prefix-list-name arguments with the distribute-list out command.

Note: To filter networks received in updates, use the distribute-list in command.

Example:
router(config-router)#distribute-list 1 out
router(config-router-af)#distribute-list 1 out

Misconceptions: none

Related commands: access-list (IP extended), address-family ipv4, address-family vpnv4, clear ip prefix-list, distribute-list in, ip prefix-list, ip prefix-list description, ip prefix-list sequence-number, redistribute (IP), show ip bgp regexp

Sample Configurations: The following router configuration mode sample causes only one network (network 10.108.0.0) to be advertised by a RIP routing process:
access-list 1 permit 10.108.0.0
access-list 1 deny 0.0.0.0 255.255.255.255
router rip
network 10.108.0.0
distribute-list 1 out

The following address family configuration mode sample causes only one network (network 10.108.0.0) to be advertised by a process:

access-list 1 permit 10.108.0.0
access-list 1 deny 0.0.0.0 255.255.255.255
router rip
address-family ipv4 unicast
network 10.108.0.0
distribute-list 1 out

In the following sample, access list 1 is applied to outgoing routing updates, and Intermediate System-to-Intermediate System (IS-IS) is enabled on Ethernet interface 0. Only network 10.131.101.0 will be advertised in outgoing IS-IS routing updates.
router isis
redistribute ospf 109
distribute-list 1 out
interface Ethernet 0
ip router isis
access-list 1 permit 10.131.101.0 0.0.0.255

In the following sample, the BGP routing process advertises only networks with prefixes that match those in the prefix list named firstlist on the Ethernet interface 0:
router bgp
distribute-list prefix firstlist out ethernet 0
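The distribute-list in and distribute-list out sections above both rely on the same matching rule: a standard access list compares only the network number of a route (an omitted wildcard is 0.0.0.0, so "permit 10.108.0.0" accepts 10.108.0.0 with any mask length), whereas a prefix list can also constrain the prefix length with ge/le. The following Python model, added here and not code from the Cisco reference, applies both kinds of filter to a constructed incoming update. The content of the prefix list named firstlist is an assumption (the page never shows it); the route set is constructed for the demonstration.

```python
# Added model of distribute-list filtering; not code from the Cisco reference.
from ipaddress import ip_network
from typing import List, Optional, Tuple


def ip_to_int(a: str) -> int:
    return int.from_bytes(bytes(int(x) for x in a.split(".")), "big")


def acl_permits(acl: List[Tuple[str, str, str]], network: str) -> bool:
    """Standard ACL: (action, address, wildcard) entries in order; implicit deny at the end."""
    n = ip_to_int(network)
    for action, addr, wild in acl:
        w = ip_to_int(wild)
        if (n | w) == (ip_to_int(addr) | w):
            return action == "permit"
    return False


def prefix_list_permits(plist: List[Tuple[str, str, Optional[int], Optional[int]]],
                        prefix: str) -> bool:
    """Prefix list: (action, prefix, ge, le) entries in sequence order; implicit deny.
    No ge/le: exact length only; le only: base length..le; ge only: ge..32; both: ge..le."""
    p = ip_network(prefix)
    for action, base, ge, le in plist:
        b = ip_network(base)
        lo = ge if ge is not None else b.prefixlen
        hi = le if le is not None else (32 if ge is not None else b.prefixlen)
        if p.subnet_of(b) and lo <= p.prefixlen <= hi:
            return action == "permit"
    return False


# The page's access list 1 as (action, address, wildcard) triples.
ACL_1 = [("permit", "0.0.0.0", "0.0.0.0"),
         ("permit", "10.108.0.0", "0.0.0.0"),
         ("deny", "0.0.0.0", "255.255.255.255")]
# Assumed content of the prefix list named firstlist (not shown on the page):
#   ip prefix-list firstlist seq 5 permit 10.108.0.0/16 le 24
FIRSTLIST = [("permit", "10.108.0.0/16", None, 24)]
# Constructed routing update received from a neighbor.
UPDATE = ["0.0.0.0/0", "10.108.0.0/16", "10.108.0.0/28", "10.108.5.0/24", "192.0.2.0/24"]


def accepted_by_acl(update: List[str] = UPDATE) -> List[str]:
    """distribute-list 1 in: only the network number is compared, so 10.108.0.0/28 slips through."""
    return [r for r in update if acl_permits(ACL_1, r.split("/")[0])]


def accepted_by_prefix_list(update: List[str] = UPDATE) -> List[str]:
    """distribute-list prefix firstlist in: the length test rejects /28 but accepts /24 subnets."""
    return [r for r in update if prefix_list_permits(FIRSTLIST, r)]
```

Run accepted_by_acl() and accepted_by_prefix_list() side by side: the access list lets in the default route and both 10.108.0.0 routes regardless of mask, while the prefix list admits any 10.108.0.0/16 subnet up to /24 and nothing else. That is the practical reason the Usage Guidelines recommend prefix lists when the mask length matters.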

Command Name: Mode: Syntax:

dynamic router(config-ext-nacl)#

dynamic dynamic-name [timeout minutes] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log] [fragments]
no dynamic dynamic-name

Internet Control Message Protocol (ICMP)
dynamic dynamic-name [timeout minutes] {deny | permit} icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] | icmp-message] [precedence precedence] [tos tos] [log] [fragments]

Internet Group Management Protocol (IGMP)
dynamic dynamic-name [timeout minutes] {deny | permit} igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [log] [fragments]

Transmission Control Protocol (TCP)
dynamic dynamic-name [timeout minutes] {deny | permit} tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [established] [precedence precedence] [tos tos] [log] [fragments]

User Datagram Protocol (UDP)
dynamic dynamic-name [timeout minutes] {deny | permit} udp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [precedence precedence] [tos tos] [log] [fragments]

Syntax Description:
dynamic-name Identifies this access list as a dynamic access list.

timeout minutes

(Optional) Specifies the absolute length of time (in minutes) that a temporary access list entry can remain in a dynamic access list. The default is an infinite length of time and allows an entry to remain permanently.

deny

Denies access if the conditions are matched.

permit

Permits access if the conditions are matched.

protocol

Name or number of an Internet protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range from 0 to 255 representing an Internet protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the ip keyword. Some protocols allow further qualifiers described later.

source

Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source: Use a 32-bit quantity in four-part, dotted decimal format. Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

source-wildcard

Wildcard bits to be applied to source. There are three alternative ways to specify the source wildcard: Use a 32-bit quantity in four-part, dotted decimal format. Place 1s in the bit positions you want to ignore. Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

destination

Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination: Use a 32-bit quantity in four-part, dotted-decimal format. Use the any keyword as an abbreviation for the destination and destination-wildcard of 0.0.0.0 255.255.255.255. Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

destination-wildcard

Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard: Use a 32-bit quantity in four-part, dotted-decimal format. Place 1s in the bit positions you want to ignore. Use the any keyword as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255. Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

precedence precedence

(Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7, or by name as listed in the section "Usage Guidelines."

tos tos

(Optional) Packets can be filtered by type of service (ToS) level, as specified by a number from 0 to 15, or by name as listed in the section "Usage Guidelines."

log

(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.) The message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP, or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval. Use the ip access-list log-update command to generate logging messages when the number of matches reaches a configurable threshold (rather than waiting for a 5-minute interval). See the ip access-list log-update command for more information. The logging facility might drop some logging message packets if there are too many to be handled or if there is more than one logging message to be handled in 1 second. This behavior prevents the router from crashing due to too many logging packets. Therefore, the logging facility should not be used as a billing tool or an accurate source of the number of matches to an access list.

icmp-type

(Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255.

icmp-code

(Optional) ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.

icmp-message

(Optional) ICMP packets can be filtered by an ICMP message type name or ICMP message type and code name. The possible names are found in the section "Usage Guidelines."

igmp-type

(Optional) IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the section "Usage Guidelines."

operator

(Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range). If the operator is positioned after the source and source-wildcard, it must match the source port. If the operator is positioned after the destination and destination-wildcard, it must match the destination port. The range operator requires two port numbers. All other operators require one port number.

port

(Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP and UDP port names are listed in the section "Usage Guidelines" of the access-list (IP extended) command. TCP port names can only be used when filtering TCP. UDP port names can only be used when filtering UDP.

established

(Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case is that of the initial TCP datagram to form a connection.

fragments

(Optional) The access list entry applies to noninitial fragments of packets; the fragment is either permitted or denied accordingly. For more details about the fragments keyword, see the "Access List Processing of Fragments" and "Fragments and Policy Routing" sections in the "Usage Guidelines" section.

Command Description: To define a named dynamic IP access list, use the dynamic access-list configuration command. To remove the access lists, use the no form of this command.

Usage Guidelines: You can use named access lists to control the transmission of packets on an interface and restrict the contents of routing updates. The Cisco IOS software stops checking the extended access list after a match occurs. For how fragmented IP packets are handled, including noninitial fragments, see "Access List Processing of Fragments" below. Extended access lists used to control vty access or restrict the contents of routing updates must not match against the TCP source port, the ToS value, or the precedence of the packet.

Note: After an access list is created initially, any subsequent additions (possibly entered from the terminal) are placed at the end of the list. In other words, you cannot insert an access list command line at a specific position in the list; in a named list, individual lines can only be removed with the no form.

The following is a list of precedence names:
critical, flash, flash-override, immediate, internet, network, priority, routine

The following is a list of ToS names:
max-reliability, max-throughput, min-delay, min-monetary-cost, normal

The following is a list of ICMP message type names and ICMP message type and code names:
administratively-prohibited, alternate-address, conversion-error, dod-host-prohibited, dod-net-prohibited, echo, echo-reply, general-parameter-problem, host-isolated, host-precedence-unreachable, host-redirect, host-tos-redirect, host-tos-unreachable, host-unknown, host-unreachable, information-reply, information-request, mask-reply, mask-request, mobile-redirect, net-redirect, net-tos-redirect, net-tos-unreachable, net-unreachable, network-unknown, no-room-for-option, option-missing, packet-too-big, parameter-problem, port-unreachable, precedence-unreachable, protocol-unreachable, reassembly-timeout, redirect, router-advertisement, router-solicitation, source-quench, source-route-failed, time-exceeded, timestamp-reply, timestamp-request, traceroute, ttl-exceeded, unreachable

The following is a list of IGMP message names:
dvmrp, host-query, host-report, pim, trace

The following is a list of TCP port names that can be used instead of port numbers. Refer to the current assigned numbers RFC to find a reference to these protocols. Port numbers corresponding to these protocols can also be found if you type a ? in the place of a port number.
bgp, chargen, daytime, discard, domain, echo, finger, ftp, ftp-data, gopher, hostname, irc, klogin, kshell, lpd, nntp, pop2, pop3, smtp, sunrpc, syslog, tacacs-ds, talk, telnet, time, uucp, whois, www

The following is a list of UDP port names that can be used instead of port numbers. Refer to the current assigned numbers RFC to find a reference to these protocols. Port numbers corresponding to these protocols can also be found if you type a ? in the place of a port number.
biff, bootpc, bootps, discard, dns, dnsix, echo, mobile-ip, nameserver, netbios-dgm, netbios-ns, ntp, rip, snmp, snmptrap, sunrpc, syslog, tacacs-ds, talk, tftp, time, who, xdmcp

Access List Processing of Fragments
The behavior of access-list entries regarding the use or lack of the fragments keyword can be summarized as follows:

If the access-list entry has no fragments keyword (the default behavior), and all of the access-list entry information matches, then:

For an access-list entry containing only Layer 3 information: the entry is applied to nonfragmented packets, initial fragments and noninitial fragments.

For an access-list entry containing Layer 3 and Layer 4 information: the entry is applied to nonfragmented packets and initial fragments.
o If the entry is a permit statement, the packet or fragment is permitted.
o If the entry is a deny statement, the packet or fragment is denied.
The entry is also applied to noninitial fragments in the following manner. Because noninitial fragments contain only Layer 3 information, only the Layer 3 portion of an access-list entry can be applied. If the Layer 3 portion of the access-list entry matches, and
o If the entry is a permit statement, the noninitial fragment is permitted.
o If the entry is a deny statement, the next access-list entry is processed.

Note: The deny statements are handled differently for noninitial fragments versus nonfragmented or initial fragments.

If the access-list entry has the fragments keyword, and all of the access-list entry information matches, then the entry is applied only to noninitial fragments.

Note: The fragments keyword cannot be configured for an access-list entry that contains any Layer 4 information.

Be aware that you should not simply add the fragments keyword to every access list entry, because the first fragment of the IP packet is considered a nonfragment and is treated independently of the subsequent fragments. An initial fragment will not match an access list permit or deny entry that contains the fragments keyword; the packet is compared to the next access list entry, and so on, until it is either permitted or denied by an access list entry that does not contain the fragments keyword. Therefore, you may need two access list entries for every deny entry. The first deny entry of the pair does not include the fragments keyword and applies to the initial fragment. The second deny entry of the pair includes the fragments keyword and applies to the subsequent fragments. In the cases where there are multiple deny access list entries for the same host but with different Layer 4 ports, a single deny access-list entry with the fragments keyword for that host is all that needs to be added. Thus all the fragments of a packet are handled in the same manner by the access list. Packet fragments of IP datagrams are considered individual packets and each counts individually as a packet in access list accounting and access list violation counts.

Note: The fragments keyword cannot solve all cases involving access lists and IP fragments.

Fragments and Policy Routing
Fragmentation and the fragment control feature affect policy routing if the policy routing is based on the match ip address command and the access list has entries that match on Layer 4 through 7 information. It is possible that noninitial fragments pass the access list and are policy routed even if the first fragment was not policy routed, or the reverse. By using the fragments keyword in access list entries as described earlier, a better match between the action taken for initial and noninitial fragments can be made, and it is more likely that policy routing will occur as intended.

Example:
router(config-ext-nacl)#dynamic testlist timeout 5

Misconceptions:
An extended access list defaults to a list that denies everything.
An extended access list is terminated by an implicit deny statement.

Related commands: clear access-template, distribute-list in (IP), distribute-list out (IP), ip access-group, ip access-list, ip access-list log-update, logging console, show access-lists, show ip access-list

Sample Configurations: The following sample defines a dynamic access list named washington:
ip access-group washington in
!
ip access-list extended washington
dynamic testlist timeout 5 permit ip any any
permit tcp any host 185.302.21.2 eq 23

Command Name: ip access-group
Mode: router(config-if)#
Syntax:
ip access-group {access-list-number | access-list-name} {in | out}
no ip access-group {access-list-number | access-list-name} {in | out}

Syntax Description:
access-list-number: Number of an access list. This is a decimal number from 1 to 199 or from 1300 to 2699.
access-list-name: Name of an IP access list as specified by an ip access-list command.
in: Filters on inbound packets.
out: Filters on outbound packets.

Command Description: To control access to an interface, use the ip access-group command in interface configuration mode. To remove the specified access group, use the no form of this command.

Usage Guidelines
Access lists are applied on either outbound or inbound interfaces. For standard inbound access lists, after receiving a packet, the Cisco IOS software checks the source address of the packet against the access list. For extended access lists, the router also checks the destination access list. If the access list permits the address, the software continues to process the packet. If the access list rejects the address, the software discards the packet and returns an ICMP host unreachable message. For standard outbound access lists, after receiving and routing a packet to a controlled interface, the software checks the source address of the packet against the access list. For extended access lists, the router also checks the destination access list. If the access list permits the address, the software sends the packet. If the access list rejects the address, the software discards the packet and returns an ICMP host unreachable message.

If the specified access list does not exist, all packets are passed. When you enable outbound access lists, you automatically disable autonomous switching for that interface. When you enable input access lists on any CBus or CxBus interface, you automatically disable autonomous switching for all interfaces (with one exception: an SSE configured with simple access lists can still switch packets, on output only).

Example: The following example applies list 101 to packets outbound from Ethernet interface 0:
router(config)#interface ethernet 0
router(config-if)#ip access-group 101 out

Misconceptions: none

Related commands: access-list (IP extended), access-list (IP standard), ip access-list, show access-lists

Sample Configurations:
interface Serial 1
 description Access to the Internet via this interface
 ip access-group inboundfilters in
 ip access-group outboundfilters out
!
ip reflexive-list timeout 120
!
ip access-list extended outboundfilters
 permit tcp any any reflect tcptraffic
!
ip access-list extended inboundfilters
 permit bgp any any
 permit eigrp any any
 deny icmp any any
 evaluate tcptraffic

Command Name: ip access-list log-update
Mode: router(config)#
Syntax:
ip access-list log-update threshold number-of-matches
no ip access-list log-update

Syntax Description:
number-of-matches: Threshold number of packets necessary to match an access list before a log message is generated. The range is 0 to 2147483647. There is no default number of matches.

Command Description: To set the threshold number of packets that generate a log message if they match an access list, use the ip access-list log-update command in global configuration mode. To remove the threshold, use the no form of this command.

Usage Guidelines
Log messages are generated if you have specified the log keyword in the access-list (IP standard), access-list (IP extended), deny (IP), dynamic, or permit command. Log messages provide information about the packets that are permitted or denied by an access list. By default, log messages appear at the console. (The level of messages logged to the console is controlled by the logging console command.) The log message includes the access list number, whether the packet was permitted or denied, and other information. By default, the log message is sent at the first matching packet; after that, identical messages are accumulated for 5-minute intervals, with a single message being sent with the number of packets permitted and denied during that interval. However, you can use the ip access-list log-update command to set the number of packets that, when they match an access list (and are permitted or denied), cause the system to generate a log message. You might want to do this to receive log messages more frequently than at 5-minute intervals.

Caution: If you set the number-of-matches argument to 1, a log message is sent right away rather than being cached; every packet that matches an access list causes a log message. A setting of 1 is not recommended because the volume of log messages could overwhelm the system. Even if you use the ip access-list log-update command, the 5-minute timer remains in effect, so the cache is emptied at the end of 5 minutes, regardless of the count of messages in the cache.

Regardless of when the log message is sent, the cache is flushed and the count reset to 0 for that message, the same way it is when a threshold is not specified. If the syslog server is not directly connected to a LAN that the router shares, any intermediate router might drop the log messages because they are UDP (unreliable) messages.

Example: The following example enables logging whenever the 1000th packet matches an access list entry:
router(config)#ip access-list log-update threshold 1000

Misconceptions: none

Related commands: access-list (IP extended), access-list (IP standard), deny (IP), dynamic, logging console, permit

Sample Configurations:
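As an added illustration (not Cisco IOS code and not part of the original reference), the following Python model reproduces the log caching behaviour described above: the first match is logged immediately, later identical matches are counted, the counter is flushed either when the configured threshold is reached or when the 5-minute timer fires, and a threshold of 1 yields one message per packet. The AclLogger class, the 300-second constant and the sample message key are assumptions of this model.

```python
"""Model of the ACL log-message cache described for ip access-list log-update.

Added illustration, not Cisco IOS code: class, constant and key names are assumed.
"""
from typing import Dict, List, Optional, Tuple

INTERVAL = 300.0  # the 5-minute accumulation interval stays in effect in every case

# A log message: (time sent, cache key, number of packets it reports)
LogMessage = Tuple[float, str, int]


class AclLogger:
    """Caches identical ACL log messages the way the command description states."""

    def __init__(self, threshold: Optional[int] = None) -> None:
        # threshold=None models a router with no ip access-list log-update configured
        self.threshold = threshold
        # key -> [matches counted since the last flush, start time of the interval]
        self.cache: Dict[str, List[float]] = {}
        self.messages: List[LogMessage] = []

    def match(self, now: float, key: str) -> None:
        """Record one packet that matched a logging ACE at time `now` (seconds)."""
        self._run_timer(now)
        if key not in self.cache:
            # The first matching packet is logged right away; counting starts after it.
            self.messages.append((now, key, 1))
            self.cache[key] = [0, now]
            return
        entry = self.cache[key]
        entry[0] += 1
        if self.threshold is not None and entry[0] >= self.threshold:
            # Threshold reached: send the message, flush the entry, count back to 0.
            self.messages.append((now, key, int(entry[0])))
            entry[0] = 0

    def _run_timer(self, now: float) -> None:
        """The 5-minute timer empties the cache regardless of the count.

        Modelled lazily (checked on the next match); a real router runs a timer.
        """
        for key, entry in self.cache.items():
            if now - entry[1] >= INTERVAL:
                if entry[0] > 0:
                    self.messages.append((now, key, int(entry[0])))
                entry[0] = 0
                entry[1] = now


def run_scenario(threshold: Optional[int], match_times: List[float]) -> List[LogMessage]:
    """Feed one identical match per timestamp and return the messages generated."""
    logger = AclLogger(threshold)
    # Constructed sample key: one deny entry of list 101 hit by the same flow each time.
    key = "list 101 denied tcp 198.51.100.7(1025) -> 192.0.2.10(23)"
    for t in match_times:
        logger.match(t, key)
    return logger.messages


if __name__ == "__main__":
    burst = [0.0, 10.0, 20.0, 30.0, 40.0, 310.0]
    for th in (None, 1, 2):
        print(f"threshold={th}:", run_scenario(th, burst))
```

With no threshold the burst produces two messages (the first packet, then the four packets accumulated over the interval); threshold 1 produces six.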

Command Name: ip access-list
Mode: router(config)#
Syntax:
ip access-list {standard | extended} access-list-name
no ip access-list {standard | extended} access-list-name

Syntax Description:
standard: Specifies a standard IP access list.
extended: Specifies an extended IP access list.
access-list-name: Name of the access list. Names cannot contain a space or quotation mark, and must begin with an alphabetic character to prevent ambiguity with numbered access lists.

Command Description: To define an IP access list by name, use the ip access-list command in global configuration mode. To remove a named IP access list, use the no form of this command.

Usage Guidelines
Use this command to configure a named IP access list as opposed to a numbered IP access list. This command will take you into access-list configuration mode, where you must define the denied or permitted access conditions with the deny and permit commands. Specifying the standard or extended keyword with the ip access-list command determines the prompt you get when you enter access-list configuration mode. Use the ip access-group command to apply the access list to an interface. Named access lists are not compatible with Cisco IOS releases prior to Release 11.2.

Example:
router(config)# ip access-list standard Internetfilter

Misconceptions: none

Related commands: access-list (IP extended), access-list (IP standard), access-list remark, deny (IP), ip access-group, permit (IP), remark, show ip access-list

Sample Configurations:
ip access-list standard Internetfilter
 permit 192.5.34.0 0.0.0.255
 permit 128.88.0.0 0.0.255.255
 permit 36.0.0.0 0.255.255.255
! (Note: all other access implicitly denied)

Command Name: ip accounting
Mode: router(config-if)#
Syntax:
ip accounting [access-violations]
no ip accounting [access-violations]

Syntax Description:
access-violations: (Optional) Enables IP accounting with the ability to identify IP traffic that fails IP access lists.

Command Description: To enable IP accounting on an interface, use the ip accounting command in interface configuration mode. To disable IP accounting, use the no form of this command.

Usage Guidelines
The ip accounting command records the number of bytes (IP header and data) and packets switched through the system on a source and destination IP address basis. Only transit IP traffic is measured, and only on an outbound basis; traffic generated by the router or access server, or terminating in this device, is not included in the accounting statistics. If you specify the access-violations keyword, the ip accounting command provides information identifying IP traffic that fails IP access lists. Identifying IP source addresses that violate IP access lists alerts you to possible attempts to breach security. The data might also indicate that you should verify IP access list configurations. To receive a logging message on the console when an extended access list entry denies a packet access (to log violations), you must include the log keyword in the access-list (IP extended) or access-list (IP standard) command. Statistics are accurate even if IP fast switching or IP access lists are being used on the interface. IP accounting disables autonomous switching and SSE switching on the interface.

Example: The following example enables IP accounting on Ethernet interface 0:
router(config)#interface ethernet 0
router(config-if)#ip accounting

Misconceptions: none

Related commands: access-list (IP extended), access-list (IP standard)

Sample Configurations:

Command Name: permit
Mode: router(config-ext-nacl)#
Syntax:
permit source [source-wildcard]
no permit source [source-wildcard]
permit protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
no permit protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
Internet Control Message Protocol (ICMP):
permit icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] | icmp-message] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
Internet Group Management Protocol (IGMP):
permit igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
Transmission Control Protocol (TCP):
permit tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [established] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
User Datagram Protocol (UDP):
permit udp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]

Syntax Description:

source: Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source: use a 32-bit quantity in four-part, dotted-decimal format; use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255; or use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

source-wildcard: Wildcard bits to be applied to source. There are three alternative ways to specify the source wildcard: use a 32-bit quantity in four-part, dotted-decimal format, placing 1s in the bit positions you want to ignore; use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255; or use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

protocol: Name or number of an Internet protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range from 0 to 255 representing an Internet protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the ip keyword. Some protocols allow further qualifiers, described later.

destination: Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination: use a 32-bit quantity in four-part, dotted-decimal format; use the any keyword as an abbreviation for the destination and destination-wildcard of 0.0.0.0 255.255.255.255; or use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

destination-wildcard: Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard: use a 32-bit quantity in four-part, dotted-decimal format, placing 1s in the bit positions you want to ignore; use the any keyword as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255; or use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

precedence precedence: (Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7 or by name as listed in the section "Usage Guidelines."

tos tos: (Optional) Packets can be filtered by type of service (ToS) level, as specified by a number from 0 to 15, or by name as listed in the section "Usage Guidelines" of the access-list (IP extended) command.

log: (Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.) The message includes the access list number; whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval. Use the ip access-list log-update command to generate logging messages when the number of matches reaches a configurable threshold (rather than waiting for a 5-minute interval). See the ip access-list log-update command for more information. The logging facility might drop some logging message packets if there are too many to be handled or if there is more than one logging message to be handled in 1 second. This behavior prevents the router from crashing due to too many logging packets. Therefore, the logging facility should not be used as a billing tool or an accurate source of the number of matches to an access list. If you enable CEF and then create an access list that uses the log keyword, the packets that match the access list are not CEF switched. They are fast switched. Logging disables CEF.

time-range time-range-name: (Optional) Name of the time range that applies to this permit statement. The name of the time range and its restrictions are specified by the time-range and absolute or periodic commands, respectively.

icmp-type: (Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255.

icmp-code: (Optional) ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.

icmp-message: (Optional) ICMP packets can be filtered by an ICMP message type name or ICMP message type and code name. The possible names are found in the section "Usage Guidelines" of the access-list (IP extended) command.

igmp-type: (Optional) IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the section "Usage Guidelines" of the access-list (IP extended) command.

operator: (Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range). If the operator is positioned after the source and source-wildcard, it must match the source port. If the operator is positioned after the destination and destination-wildcard, it must match the destination port. The range operator requires two port numbers. All other operators require one port number.

port: (Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP and UDP port names are listed in the section "Usage Guidelines" of the access-list (IP extended) command. TCP port names can only be used when filtering TCP. UDP port names can only be used when filtering UDP.

established: (Optional) For the TCP protocol only: indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case is that of the initial TCP datagram sent to form a connection.

fragments: (Optional) The access list entry applies to noninitial fragments of packets; the fragment is either permitted or denied accordingly. For more details about the fragments keyword, see the "Access List Processing of Fragments" and "Fragments and Policy Routing" sections in the "Usage Guidelines" section.

Command Description: To set conditions for a named IP access list, use the permit access-list configuration command. To remove a condition from an access list, use the no form of this command.

Usage Guidelines
Use this command following the ip access-list command to define the conditions under which a packet passes the access list.

The time-range option allows you to identify a time range by name. The time-range, absolute, and periodic commands specify when this permit statement is in effect.

Access List Processing of Fragments
The behavior of access-list entries regarding the use or lack of the fragments keyword can be summarized as follows:

If the access-list entry has no fragments keyword (the default behavior), and assuming all of the access-list entry information matches, then:

For an access-list entry containing only Layer 3 information: The entry is applied to nonfragmented packets, initial fragments and noninitial fragments.

For an access-list entry containing Layer 3 and Layer 4 information: The entry is applied to nonfragmented packets and initial fragments.
o If the entry is a permit statement, the packet or fragment is permitted.
o If the entry is a deny statement, the packet or fragment is denied.
The entry is also applied to noninitial fragments in the following manner. Because noninitial fragments contain only Layer 3 information, only the Layer 3 portion of an access-list entry can be applied. If the Layer 3 portion of the access-list entry matches, and
o If the entry is a permit statement, the noninitial fragment is permitted.
o If the entry is a deny statement, the next access-list entry is processed.

Note: The deny statements are handled differently for noninitial fragments versus nonfragmented or initial fragments.

If the access-list entry has the fragments keyword, and assuming all of the access-list entry information matches, then the access-list entry is applied only to noninitial fragments.

Note: The fragments keyword cannot be configured for an access-list entry that contains any Layer 4 information.

Be aware that you should not simply add the fragments keyword to every access list entry, because the first fragment of the IP packet is considered a nonfragment and is treated independently of the subsequent fragments. An initial fragment will not match an access list permit or deny entry that contains the fragments keyword; the packet is compared to the next access list entry, and so on, until it is either permitted or denied by an access list entry that does not contain the fragments keyword. Therefore, you may need two access list entries for every deny entry. The first deny entry of the pair does not include the fragments keyword and applies to the initial fragment. The second deny entry of the pair includes the fragments keyword and applies to the subsequent fragments. Where there are multiple deny access list entries for the same host but with different Layer 4 ports, a single deny access list entry with the fragments keyword for that host is all that needs to be added. Thus all the fragments of a packet are handled in the same manner by the access list. Packet fragments of IP datagrams are considered individual packets, and each counts individually as a packet in access list accounting and access list violation counts.

Note: The fragments keyword cannot solve all cases involving access lists and IP fragments.

Fragments and Policy Routing
Fragmentation and the fragment control feature affect policy routing if the policy routing is based on the match ip address command and the access list has entries that match on Layer 4 through 7 information. It is possible that noninitial fragments pass the access list and are policy routed even if the first fragment was not policy routed, or the reverse. By using the fragments keyword in access list entries as described earlier, a better match between the action taken for initial and noninitial fragments can be made, and it is more likely that policy routing will occur as intended.

Example: The following example sets conditions for a standard access list named Internetfilter:
router(config-ext-nacl)# permit 128.88.0.0 0.0.255.255
router(config-ext-nacl)# permit 36.0.0.0 0.255.255.255

Misconceptions: none

Related commands: deny (IP), ip access-group, ip access-list, ip access-list log-update, show ip access-list, time-range

Sample Configurations:
ip access-list standard Internetfilter
 deny 192.5.34.0 0.0.0.255
 permit 128.88.0.0 0.0.255.255
 permit 36.0.0.0 0.255.255.255
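The fragment rules in the "Access List Processing of Fragments" table above (the same rules are repeated in the dynamic command's usage guidelines earlier on this page) are easy to get wrong in practice, so here is an added Python model, not Cisco IOS code and not from the original reference, that walks a list of entries the way the table describes. It shows why a Layer 4 deny entry lets noninitial fragments fall through to a later permit, and how the single "deny ... fragments" entry recommended for a host with several Layer 4 denies closes that gap. The class names, the single Layer 4 field (destination port) and the sample addresses are assumptions of this model.

```python
"""Model of how an extended ACL treats nonfragmented packets, initial fragments
and noninitial fragments, with and without the fragments keyword.

Added illustration, not Cisco IOS code: names, fields and sample data are assumed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

PERMIT, DENY = "permit", "deny"
ANY = ("0.0.0.0", "255.255.255.255")  # the 'any' keyword


def host(address: str) -> Tuple[str, str]:
    """The 'host' keyword: address with wildcard 0.0.0.0."""
    return (address, "0.0.0.0")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard bits: a 1 bit means 'ignore this bit position'."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & care == int(IPv4Address(base)) & care


@dataclass(frozen=True)
class Ace:
    """One access-list entry; dst_port is the only Layer 4 field modelled."""
    action: str
    protocol: str                    # 'ip', 'tcp', 'udp', 'icmp', ...
    src: Tuple[str, str]             # (address, wildcard)
    dst: Tuple[str, str]
    dst_port: Optional[int] = None   # 'eq port' on the destination
    fragments: bool = False

    def __post_init__(self) -> None:
        # The fragments keyword cannot be configured with any Layer 4 information.
        if self.fragments and self.dst_port is not None:
            raise ValueError("fragments keyword cannot be combined with Layer 4 information")

    @property
    def has_layer4(self) -> bool:
        return self.dst_port is not None

    def layer3_matches(self, pkt: "Packet") -> bool:
        return ((self.protocol == "ip" or self.protocol == pkt.protocol)
                and wildcard_match(pkt.src, *self.src)
                and wildcard_match(pkt.dst, *self.dst))


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None  # None: no transport header (noninitial fragment)
    fragment_offset: int = 0        # 0 for a nonfragmented packet or the initial fragment

    @property
    def noninitial(self) -> bool:
        return self.fragment_offset > 0


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """Walk the list in order and return the action, per the fragment rules above."""
    for ace in acl:
        if ace.fragments:
            # An entry with the fragments keyword applies only to noninitial fragments.
            if pkt.noninitial and ace.layer3_matches(pkt):
                return ace.action
            continue
        if not ace.layer3_matches(pkt):
            continue
        if not ace.has_layer4:
            # Layer 3 only: applies to nonfragmented, initial and noninitial fragments.
            return ace.action
        if pkt.noninitial:
            # Only the Layer 3 portion can be applied: permit permits, deny falls through.
            if ace.action == PERMIT:
                return PERMIT
            continue
        if pkt.dst_port == ace.dst_port:
            return ace.action
    return DENY  # the implicit deny at the end of every list


# Constructed sample lists. WITHOUT_FRAG is the naive list:
#   deny tcp any host 192.0.2.10 eq 23 / deny tcp any host 192.0.2.10 eq 25 / permit ip any any
WITHOUT_FRAG = [
    Ace(DENY, "tcp", ANY, host("192.0.2.10"), dst_port=23),
    Ace(DENY, "tcp", ANY, host("192.0.2.10"), dst_port=25),
    Ace(PERMIT, "ip", ANY, ANY),
]
# WITH_FRAG adds the single 'deny ip any host 192.0.2.10 fragments' entry the text
# recommends for a host that already has several Layer 4 deny entries.
WITH_FRAG = (WITHOUT_FRAG[:2]
             + [Ace(DENY, "ip", ANY, host("192.0.2.10"), fragments=True)]
             + WITHOUT_FRAG[2:])

# Constructed sample packets: initial and noninitial fragments of one Telnet datagram,
# and an unfragmented packet to port 80 on the same host.
INITIAL = Packet("tcp", "198.51.100.7", "192.0.2.10", dst_port=23, fragment_offset=0)
NONINITIAL = Packet("tcp", "198.51.100.7", "192.0.2.10", fragment_offset=185)
WEB = Packet("tcp", "198.51.100.7", "192.0.2.10", dst_port=80)

if __name__ == "__main__":
    for name, acl in (("without", WITHOUT_FRAG), ("with", WITH_FRAG)):
        print(f"{name} fragments entry:", [evaluate(acl, p) for p in (INITIAL, NONINITIAL, WEB)])
```

Without the fragments entry the noninitial fragment is permitted by "permit ip any any" even though its initial fragment was denied; with it, every fragment of the Telnet datagram is denied while the port 80 packet is still permitted.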

Command Name: remark
Mode: router(config)# / router(config-ext-nacl)#
Syntax:
remark remark
no remark remark

Syntax Description:
remark: Comment that describes the access list entry, up to 100 characters long.

Command Description: To write a helpful comment (remark) for an entry in a named IP access list, use the remark access-list configuration command. To remove the remark, use the no form of this command.

Usage Guidelines
The remark can be up to 100 characters long; anything longer is truncated. If you want to write a comment about an entry in a numbered IP access list, use the access-list remark command.

Example: In the following example, the Jones subnet is not allowed to use outbound Telnet:
router(config)#ip access-list extended telnetting
router(config-ext-nacl)#remark Do not allow Jones subnet to telnet out
router(config-ext-nacl)#deny tcp host 171.69.2.88 any eq telnet

Misconceptions: none

Related commands: access-list remark, deny (IP), ip access-list, permit (IP)

Sample Configurations:

Command Name: show access-lists
Mode: router#
Syntax:
show access-lists [access-list-number | access-list-name]

Syntax Description:
access-list-number: (Optional) Number of the access list to display. The system displays all access lists by default.
access-list-name: (Optional) Name of the IP access list to display.

Command Description: To display the contents of current access lists, use the show access-lists privileged EXEC command.

Example:
router# show access-lists
router# show access-lists 101

Misconceptions: none

Related commands: access-list (IP extended), access-list (IP standard), clear access-list counters, clear access-template, ip access-list, show access-lists

Sample Configurations: The following is sample output from the show access-lists command when access list 101 is specified:
Router# show access-lists 101
Extended IP access list 101
    permit tcp host 198.92.32.130 any established (4304 matches) check=5
    permit udp host 198.92.32.130 any eq domain (129 matches)
    permit icmp host 198.92.32.130 any
    permit tcp host 198.92.32.130 host 171.69.2.141 gt 1023
    permit tcp host 198.92.32.130 host 171.69.2.135 eq smtp (2 matches)
    permit tcp host 198.92.32.130 host 198.92.30.32 eq smtp
    permit tcp host 198.92.32.130 host 171.69.108.33 eq smtp
    permit udp host 198.92.32.130 host 171.68.225.190 eq syslog
    permit udp host 198.92.32.130 host 171.68.225.126 eq syslog
    deny ip 150.136.0.0 0.0.255.255 224.0.0.0 15.255.255.255
    deny ip 171.68.0.0 0.1.255.255 224.0.0.0 15.255.255.255 (2 matches) check=1
    deny ip 172.24.24.0 0.0.1.255 224.0.0.0 15.255.255.255
    deny ip 192.82.152.0 0.0.0.255 224.0.0.0 15.255.255.255
    deny ip 192.122.173.0 0.0.0.255 224.0.0.0 15.255.255.255
    deny ip 192.122.174.0 0.0.0.255 224.0.0.0 15.255.255.255
    deny ip 192.135.239.0 0.0.0.255 224.0.0.0 15.255.255.255
    deny ip 192.135.240.0 0.0.7.255 224.0.0.0 15.255.255.255
    deny ip 192.135.248.0 0.0.3.255 224.0.0.0 15.255.255.255

The following is sample output from the show access-lists command when the Turbo Access Control List (ACL) feature is configured on all of the following access lists:
router# show access-lists
Standard IP access list 1 (Compiled)
    deny any
Standard IP access list 2 (Compiled)
    deny 192.168.0.0, wildcard bits 0.0.0.255
    permit any
Standard IP access list 3 (Compiled)
    deny 0.0.0.0
    deny 192.168.0.1, wildcard bits 0.0.0.255
    permit any
Standard IP access list 4 (Compiled)
    permit 0.0.0.0
    permit 192.168.0.2, wildcard bits 0.0.0.255

Command Name: show ip access-list
Mode: router#
Syntax:
show ip access-list [access-list-number | access-list-name]

Syntax Description:
access-list-number: (Optional) Number of the IP access list to display.
access-list-name: (Optional) Name of the IP access list to display.

Command Description: To display the contents of all current IP access lists, use the show ip access-list privileged EXEC command.

Usage Guidelines
The show ip access-list command provides output identical to the show access-lists command, except that it is IP-specific and allows you to specify a particular access list.

Example:
router# show ip access-list
router# show ip access-list Internetfilter

Misconceptions: none

Related commands: access-list (IP extended), access-list (IP standard), clear access-list counters, clear access-template, ip access-list, show access-lists

Sample Configurations:
The following is sample output from the show ip access-list command when all access lists are requested:
router# show ip access-list
Extended IP access list 101
    deny udp any any eq ntp
    permit tcp any any
    permit udp any any eq tftp
    permit icmp any any
    permit udp any any eq domain

The following is sample output from the show ip access-list command when the name of a specific access list is requested:
router# show ip access-list Internetfilter
Extended IP access list Internetfilter
    permit tcp any 171.69.0.0 0.0.255.255 eq telnet
    deny tcp any any
    deny udp any 171.69.0.0 0.0.255.255 lt 1024
    deny ip any any log

Command Name: clear ip auth-proxy cache
Mode: router#
Syntax:
clear ip auth-proxy cache {* | host-ip-address}

Syntax Description:
*: Clears all authentication proxy entries, including user profiles and dynamic access lists.
host-ip-address: Clears the authentication proxy entry, including user profiles and dynamic access lists, for the specified host.

Command Description: To clear authentication proxy entries from the router, use the clear ip auth-proxy cache command in privileged EXEC mode.

Example: The following example deletes all authentication proxy entries:
router#clear ip auth-proxy cache *
The following example deletes the authentication proxy entry for the host with IP address 192.168.4.5:
router#clear ip auth-proxy cache 192.168.4.5

Misconceptions: none

Related commands: show ip auth-proxy

Sample Configurations:

Command Name: debug ip auth-proxy
Mode: router#
Syntax:
debug ip auth-proxy {ftp | function-trace | http | object-creation | object-deletion | tcp | telnet | timer}

Syntax Description:
ftp: Displays FTP events related to the authentication proxy.
function-trace: Displays the authentication proxy functions.
http: Displays HTTP events related to the authentication proxy.
object-creation: Displays additional entries to the authentication proxy cache.
object-deletion: Displays deletion of cache entries for the authentication proxy.
tcp: Displays TCP events related to the authentication proxy.
telnet: Displays Telnet-related authentication proxy events.
timer: Displays authentication proxy timer-related events.

Command Description: To display the authentication proxy configuration information on the router, use the debug ip auth-proxy command in privileged EXEC mode.

Example: The following examples illustrate the output of the debug ip auth-proxy command. In these examples, debugging is on for object creations, object deletions, HTTP, and TCP.

In this example, the client host at 192.168.201.1 is attempting to make an HTTP connection to the web server located at 192.168.21.1. The HTTP debugging information is on for the authentication proxy. The output shows that the router is setting up an authentication proxy entry for the login request:
00:11:10: AUTH-PROXY creates info:
    cliaddr - 192.168.21.1, cliport - 36583
    seraddr - 192.168.201.1, serport - 80
    ip-addr 192.168.21.1
    pak-addr 0.0.0.0

Following a successful login attempt, the debugging information shows the authentication proxy entries created for the client. In this example, the client is authorized for SMTP (port 25), FTP data (port 20), FTP control (port 21), and Telnet (port 23) traffic. The dynamic ACL entries are included in the display.
00:11:25:AUTH_PROXY OBJ_CREATE:acl item 61AD60CC
00:11:25:AUTH-PROXY OBJ_CREATE:create acl wrapper 6151C7C8 -- acl item 61AD60CC
00:11:25:AUTH-PROXY Src 192.168.162.216 Port [0]
00:11:25:AUTH-PROXY Dst 192.168.162.220 Port [25]
00:11:25:AUTH_PROXY OBJ_CREATE:acl item 6151C908
00:11:25:AUTH-PROXY OBJ_CREATE:create acl wrapper 6187A060 -- acl item 6151C908
00:11:25:AUTH-PROXY Src 192.168.162.216 Port [0]
00:11:25:AUTH-PROXY Dst 192.168.162.220 Port [20]
00:11:25:AUTH_PROXY OBJ_CREATE:acl item 61A40B88
00:11:25:AUTH-PROXY OBJ_CREATE:create acl wrapper 6187A0D4 -- acl item 61A40B88
00:11:25:AUTH-PROXY Src 192.168.162.216 Port [0]
00:11:25:AUTH-PROXY Dst 192.168.162.220 Port [21]
00:11:25:AUTH_PROXY OBJ_CREATE:acl item 61879550
00:11:25:AUTH-PROXY OBJ_CREATE:create acl wrapper 61879644 -- acl item 61879550
00:11:25:AUTH-PROXY Src 192.168.162.216 Port [0]
00:11:25:AUTH-PROXY Dst 192.168.162.220 Port [23]

The next example shows the debug output following a clear ip auth-proxy cache command to clear the authentication entries from the router. The dynamic ACL entries are removed from the router.
00:12:36:AUTH-PROXY OBJ_DELETE:delete auth_proxy cache 61AD6298
00:12:36:AUTH-PROXY OBJ_DELETE:delete create acl wrapper 6151C7C8 -- acl item 61AD60CC
00:12:36:AUTH-PROXY OBJ_DELETE:delete create acl wrapper 6187A060 -- acl item 6151C908
00:12:36:AUTH-PROXY OBJ_DELETE:delete create acl wrapper 6187A0D4 -- acl item 61A40B88
00:12:36:AUTH-PROXY OBJ_DELETE:delete create acl wrapper 61879644 -- acl item 61879550

The following example shows the timer information for a dynamic ACL entry. All times are expressed in milliseconds. The first laststart is the time that the ACL entry is created relative to the startup time of the router. The lastref is the time of the last packet to hit the dynamic ACL relative to the startup time of the router. The exptime is the next expected expiration time for the dynamic ACL. The delta indicates the remaining time before the dynamic ACL expires. After the timer expires, the debugging information includes a message indicating that the ACL and associated authentication proxy information for the client have been removed.
00:19:51:first laststart 1191112
00:20:51:AUTH-PROXY:delta 54220 lastref 1245332 exptime 1251112
00:21:45:AUTH-PROXY:ACL and cache are removed

Misconceptions: none

Related commands: none

Sample Configurations:

Command Name: ip auth-proxy (interface configuration)
Mode: router(config-if)#
Syntax:
ip auth-proxy auth-proxy-name
no ip auth-proxy auth-proxy-name

Syntax Description:
auth-proxy-name: Specifies the name of the authentication proxy rule to apply to the interface configuration. The authentication proxy rule is established with the ip auth-proxy name command.

Command Description: To apply an authentication proxy rule at a firewall interface, use the ip auth-proxy command in interface configuration mode. To remove the authentication proxy rules, use the no form of this command.

Usage Guidelines
Use the ip auth-proxy command to enable the named authentication proxy rule at the firewall interface. Traffic passing through the interface from hosts with an IP address matching the standard access list and protocol type (HTTP) is intercepted for authentication if no corresponding authentication cache entry exists. If no access list is defined, the authentication proxy intercepts traffic from all hosts whose connection-initiating packets are received at the configured interface. Use the no form of this command with a rule name to disable the authentication proxy for a given rule on a specific interface. If a rule is not specified, the no form of this command disables the authentication proxy on the interface.

Example:
router(config-if)#ip auth-proxy HQ_users

Misconceptions: none

Related commands: ip auth-proxy name

Sample Configurations: The following example configures interface Ethernet0 with the HQ_users rule:
interface e0
 ip address 172.21.127.210 255.255.255.0
 ip access-group 111 in
 ip auth-proxy HQ_users
 ip nat inside

Command Name: ip auth-proxy auth-proxy-banner
Mode: router(config)#
Syntax:
ip auth-proxy auth-proxy-banner [banner-text]
no ip auth-proxy auth-proxy-banner [banner-text]

Syntax Description:

banner-text    (Optional) Specifies a text string to replace the default banner, which is the name of the router. Write the text string in the form "C banner-text C", where "C" is a delimiting character that does not occur in the banner text itself.

Command Description: To display a banner, such as the router name, in the authentication proxy login page, use the ip auth-proxy auth-proxy-banner command in global configuration mode. To disable display of the banner, use the no form of this command.

Usage Guidelines
The ip auth-proxy auth-proxy-banner command offers two options:

The ip auth-proxy auth-proxy-banner command is enabled without text. The administrator has not supplied any text, so the default banner "Cisco Systems, <router's hostname> Authentication" is displayed in the authentication proxy login page. This is the most common configuration.

The ip auth-proxy auth-proxy-banner command is enabled with the banner-text argument. The administrator supplies multiline text, which the auth-proxy parser converts to HTML. Only that text is displayed in the authentication proxy login page; the default banner "Cisco Systems, <router's hostname> Authentication" is not shown.

Note that the default banner discloses the router hostname to every unauthenticated client that is redirected to the login page; supply a custom banner-text if that is not acceptable.

Example: The following example causes the router name to be displayed in the authentication proxy login page:
router(config)#ip auth-proxy auth-proxy-banner

The following example specifies the custom banner "whozat" to be displayed in the authentication proxy login page:
router(config)#ip auth-proxy auth-proxy-banner ^Cwhozat^C

Misconceptions: none
Related commands:
ip auth-proxy name
Sample Configurations:

Command Name: ip auth-proxy name
Mode: router(config)#
Syntax:
ip auth-proxy name auth-proxy-name http [list {acl | acl-name}] [auth-cache-time min]
no ip auth-proxy name auth-proxy-name

Syntax Description:

auth-proxy-name    Associates a name with an authentication proxy rule. Enter a name of up to 16 alphanumeric characters.

http    Specifies the protocol that triggers the authentication proxy. The only supported protocol is HTTP.

list {acl | acl-name}    (Optional) Specifies a standard (1-99), extended (100-199), or named access list to use with the authentication proxy. With this option, the authentication proxy is applied only to the hosts permitted by the access list. If no list is specified, all connection-initiating HTTP traffic arriving at the interface is subject to authentication.

auth-cache-time min    (Optional) Overrides the global authentication proxy cache timer for this authentication proxy rule, giving finer control over timeout values. Enter a value in the range 1 to 2,147,483,647 minutes. The default is the value set with the ip auth-proxy auth-cache-time command.

Command Description: To create an authentication proxy rule, use the ip auth-proxy name command in global configuration mode. To remove authentication proxy rules, use the no form of this command.

Usage Guidelines
This command creates a named authentication proxy rule and optionally associates that rule with an access control list (ACL), which controls which hosts are subject to the authentication proxy. The rule is applied to a router interface with the ip auth-proxy command.

Use the auth-cache-time option to override the global authentication proxy cache timer for a specific rule. The authentication proxy cache timer sets the length of time (in minutes) that an authentication cache entry, along with its associated dynamic user access control list, is kept after the last activity. When that idle time expires, the authentication entry and the associated dynamic access list entries are deleted, and the user must authenticate again.

Use the list option to associate a set of specific IP addresses or a named ACL with the ip auth-proxy name command.

Use the no form of this command with a rule name to remove that authentication proxy rule. If no rule is specified, the no form of this command removes all authentication proxy rules on the router and disables the proxy on all interfaces.

Note You must use the aaa authorization auth-proxy command together with the ip auth-proxy name command. Together these commands set up the authorization policy that the firewall retrieves for an authenticated user. Refer to the aaa authorization auth-proxy command for more information.

Example: The following example creates the HQ_users authentication proxy rule. Because the rule specifies no access list, all connection-initiating HTTP traffic is subject to authentication:
router(config)#ip auth-proxy name HQ_users http

The following example creates the Mfg_users authentication proxy rule and applies it to the hosts permitted by ACL 10:
router(config)#access-list 10 permit 192.168.7.0 0.0.0.255
router(config)#ip auth-proxy name Mfg_users http list 10

The following example sets the cache timeout for Mfg_users to 30 minutes:
router(config)#access-list 15 permit any
router(config)#ip auth-proxy name Mfg_users http auth-cache-time 30 list 15

The following example removes the Mfg_users rule:
router(config)#no ip auth-proxy name Mfg_users

The following example disables the authentication proxy on all interfaces and removes all the rules from the router configuration:
router(config)#no ip auth-proxy

Misconceptions: none
Related commands:
aaa authorization
ip auth-proxy
ip auth-proxy (interface configuration)
show ip auth-proxy

Sample Configurations:

Command Name: ip auth-proxy
Mode: router(config)#
Syntax:
ip auth-proxy auth-cache-time min
no ip auth-proxy auth-cache-time

Syntax Description:

auth-cache-time min    Specifies the length of time in minutes that an authentication cache entry, along with its associated dynamic user ACL, is kept after the last activity. Enter a value in the range 1 to 2,147,483,647. The default is 60 minutes.

Command Description: To set the authentication proxy idle timeout (the length of time an authentication cache entry, along with its associated dynamic user access control list, is kept after the last activity), use the ip auth-proxy command in global configuration mode. To restore the default value, use the no form of this command.

Usage Guidelines
Use this command to set the global idle timeout for the authentication proxy. Set the auth-cache-time value higher than the idle timeout of every Context-based Access Control (CBAC) protocol you inspect. Otherwise, when the authentication proxy removes the user profile and its associated dynamic user ACLs, CBAC may still be tracking idle connections for that user, and removing the user-specific ACL entries can cause those connections to hang. If the CBAC idle timeout is the shorter of the two, CBAC resets idle connections when its timeout expires, which happens before the authentication proxy removes the user profile.

Example: The following example sets the authentication cache timeout to 30 minutes:
router(config)#ip auth-proxy auth-cache-time 30

Misconceptions: none
Related commands:
ip auth-proxy name
show ip auth-proxy
Sample Configurations:
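Added example (not part of this command reference, and not Cisco code): a Python script that reads a running-config excerpt and checks the two constraints stated for ip auth-proxy name and ip auth-proxy auth-cache-time above: every rule's effective cache time must exceed the longest CBAC idle timeout in the configuration, aaa authorization auth-proxy must be present when any rule exists, and every interface reference must name a rule that is defined. The configuration text is constructed for the example; the 3600-second TCP and 30-second UDP idle defaults are assumptions about CBAC defaults (the page shows a 3600000 ms timer in the debug ip inspect timers output but does not state the default); the function and field names are the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed running-config excerpt for the example (not captured from a real device).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+
ip auth-proxy auth-cache-time 120
ip auth-proxy name HQ_users http
ip auth-proxy name Mfg_users http list 10 auth-cache-time 30
ip inspect name fw tcp timeout 3600
ip inspect name fw udp timeout 30
ip inspect name fw ftp
interface Ethernet0
 ip address 172.21.127.210 255.255.255.0
 ip auth-proxy HQ_users
 ip inspect fw in
interface Ethernet1
 ip auth-proxy Sales_users
"""

DEFAULT_AUTH_CACHE_MIN = 60      # ip auth-proxy auth-cache-time default, as stated on this page
ASSUMED_IDLE_DEFAULTS = {        # assumed CBAC idle defaults (seconds) when a rule gives no "timeout"
    "tcp": 3600,
    "udp": 30,
}


@dataclass
class AuthProxyConfig:
    global_cache_min: int = DEFAULT_AUTH_CACHE_MIN
    rules: Dict[str, Optional[int]] = field(default_factory=dict)   # rule -> per-rule minutes (None = global)
    inspect_timeouts: Dict[Tuple[str, str], Optional[int]] = field(default_factory=dict)  # (set, proto) -> s
    has_authz_auth_proxy: bool = False
    iface_rules: List[Tuple[str, str]] = field(default_factory=list)  # (interface, rule name)


def parse_config(text: str) -> AuthProxyConfig:
    cfg = AuthProxyConfig()
    iface = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        indented = line.startswith(" ")
        line = line.strip()
        if not indented:
            iface = None                     # back at global configuration level
        m = re.match(r"interface (\S+)$", line)
        if m:
            iface = m.group(1)
            continue
        if indented and iface:
            m = re.match(r"ip auth-proxy (\S+)$", line)
            if m:
                cfg.iface_rules.append((iface, m.group(1)))
            continue
        m = re.match(r"ip auth-proxy auth-cache-time (\d+)$", line)
        if m:
            cfg.global_cache_min = int(m.group(1))
            continue
        m = re.match(r"ip auth-proxy name (\S+) http\b(?:.*\bauth-cache-time (\d+))?", line)
        if m:
            cfg.rules[m.group(1)] = int(m.group(2)) if m.group(2) else None
            continue
        m = re.match(r"ip inspect name (\S+) (\S+)(?:.*\btimeout (\d+))?", line)
        if m and m.group(2) != "fragment":   # the fragment timeout is not an idle timeout
            cfg.inspect_timeouts[(m.group(1), m.group(2))] = int(m.group(3)) if m.group(3) else None
            continue
        if line.startswith("aaa authorization auth-proxy"):
            cfg.has_authz_auth_proxy = True
    return cfg


def effective_idle_seconds(proto: str, explicit: Optional[int]) -> int:
    if explicit is not None:
        return explicit
    # Simplification: application-layer protocols fall back to the TCP default unless given a timeout.
    return ASSUMED_IDLE_DEFAULTS.get(proto, ASSUMED_IDLE_DEFAULTS["tcp"])


def check_config(cfg: AuthProxyConfig) -> List[str]:
    findings: List[str] = []
    if cfg.rules and not cfg.has_authz_auth_proxy:
        findings.append("aaa authorization auth-proxy is missing; ip auth-proxy name rules "
                        "have no authorization method to fetch the user's dynamic ACL")
    longest_idle = max((effective_idle_seconds(proto, t)
                        for (_, proto), t in cfg.inspect_timeouts.items()), default=0)
    for name, minutes in cfg.rules.items():
        effective_min = minutes if minutes is not None else cfg.global_cache_min
        if effective_min * 60 <= longest_idle:
            findings.append(f"rule {name}: auth-cache-time {effective_min} min is not greater than the "
                            f"longest CBAC idle timeout ({longest_idle} s); user ACLs may be removed "
                            f"while CBAC still tracks idle sessions")
    for iface, rule in cfg.iface_rules:
        if rule not in cfg.rules:
            findings.append(f"{iface}: ip auth-proxy {rule} references a rule that is not defined")
    return findings


def lint(text: str) -> List[str]:
    return check_config(parse_config(text))


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the constructed excerpt, the script reports three findings: the missing aaa authorization auth-proxy line, the Mfg_users rule whose 30-minute cache (1800 s) does not exceed the 3600-second TCP idle timeout, and the Ethernet1 reference to an undefined Sales_users rule. HQ_users inherits the 120-minute global value and passes.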

Command Name: show ip auth-proxy
Mode: router#
Syntax:
show ip auth-proxy {cache | configuration}

Syntax Description:

cache    Displays the current list of authentication proxy cache entries.

configuration    Displays the running authentication proxy configuration.

Command Description: To display the authentication proxy cache entries or the running authentication proxy configuration, use the show ip auth-proxy command in privileged EXEC mode.

Usage Guidelines
Use the show ip auth-proxy command to display either the authentication proxy cache entries or the running authentication proxy configuration. Use the cache keyword to list the host IP address, the source port number, the timeout value for the authentication proxy, and the state of each connection using the authentication proxy. If the authentication proxy state is HTTP_ESTAB, the user authentication was successful. Use the configuration keyword to display all authentication proxy rules configured on the router.

Example: The following example shows sample output from the show ip auth-proxy cache command after one user has authenticated through the authentication proxy:
router# show ip auth-proxy cache
Authentication Proxy Cache
 Client IP 192.168.25.215 Port 57882, timeout 1, state HTTP_ESTAB

The following example shows how the show ip auth-proxy configuration command displays the information about the authentication proxy rule pxy. The global idle timeout is 60 minutes. The idle timeout for this named rule is 30 minutes. No host list is specified in the rule, so all connection-initiating HTTP traffic at the interface is subject to the authentication proxy rule.
router# show ip auth-proxy configuration
Authentication cache time is 60 minutes
Authentication Proxy Rule Configuration
 Auth-proxy name pxy
 http list not specified auth-cache-time 30 minutes

Misconceptions: none
Related commands:
clear ip auth-proxy cache
ip auth-proxy
ip auth-proxy (interface configuration)
ip auth-proxy name
Sample Configurations:

Command Name: debug ip inspect
Mode: router#
Syntax:
debug ip inspect {function-trace | object-creation | object-deletion | events | timers | protocol | detailed}
no debug ip inspect {function-trace | object-creation | object-deletion | events | timers | protocol | detailed}

Syntax Description:

function-trace    Displays messages about software functions called by CBAC.

object-creation    Displays messages about software objects being created by CBAC. Object creation corresponds to the beginning of CBAC-inspected sessions.

object-deletion    Displays messages about software objects being deleted by CBAC. Object deletion corresponds to the closing of CBAC-inspected sessions.

events    Displays messages about CBAC software events, including information about CBAC packet processing.

timers    Displays messages about CBAC timer events, such as when a CBAC idle timeout is reached.

protocol    Displays messages about CBAC-inspected protocol events, including details about the packets of the protocol. The protocol keywords are listed below.

Transport-layer protocols
    TCP                                                    tcp
    UDP                                                    udp

Application-layer protocols
    CU-SeeMe                                               cuseeme
    FTP commands and responses                             ftp-cmd
    FTP tokens (enables tracing of the FTP tokens parsed)  ftp-tokens
    H.323 (version 1 and version 2)                        h323
    HTTP                                                   http
    Microsoft NetShow                                      netshow
    UNIX r-commands (rlogin, rexec, rsh)                   rcmd
    RealAudio                                              realaudio
    RPC                                                    rpc
    RTSP                                                   rtsp
    SMTP                                                   smtp
    SQL*Net                                                sqlnet
    StreamWorks                                            streamworks
    TFTP                                                   tftp
    VDOLive                                                vdolive

detailed    Causes detailed information to be displayed for all the other enabled CBAC debugging. Use this keyword in conjunction with the other CBAC debugging commands.

Command Description: To display messages about Context-based Access Control (CBAC) events, use the debug ip inspect command in privileged EXEC mode. The no form of this command disables debugging output.

Example:
debug ip inspect function-trace
debug ip inspect object-creation
debug ip inspect object-deletion
debug ip inspect events
debug ip inspect timers
debug ip inspect tcp
debug ip inspect detailed

Misconceptions: none
Related commands: none
Sample Configurations: The following is sample output from the debug ip inspect function-trace command:
*Mar 2 01:16:16: CBAC FUNC: insp_inspection
*Mar 2 01:16:16: CBAC FUNC: insp_pre_process_sync
*Mar 2 01:16:16: CBAC FUNC: insp_find_tcp_host_entry addr 40.0.0.1 bucket 41
*Mar 2 01:16:16: CBAC FUNC: insp_find_pregen_session
*Mar 2 01:16:16: CBAC FUNC: insp_get_idbsb
*Mar 2 01:16:16: CBAC FUNC: insp_get_idbsb
*Mar 2 01:16:16: CBAC FUNC: insp_get_irc_of_idb
*Mar 2 01:16:16: CBAC FUNC: insp_get_idbsb
*Mar 2 01:16:16: CBAC FUNC: insp_create_sis
*Mar 2 01:16:16: CBAC FUNC: insp_inc_halfopen_sis
*Mar 2 01:16:16: CBAC FUNC: insp_link_session_to_hash_table
*Mar 2 01:16:16: CBAC FUNC: insp_inspect_pak
*Mar 2 01:16:16: CBAC FUNC: insp_l4_inspection
*Mar 2 01:16:16: CBAC FUNC: insp_process_tcp_seg
*Mar 2 01:16:16: CBAC FUNC: insp_listen_state
*Mar 2 01:16:16: CBAC FUNC: insp_ensure_return_traffic
*Mar 2 01:16:16: CBAC FUNC: insp_add_acl_item
*Mar 2 01:16:16: CBAC FUNC: insp_ensure_return_traffic
*Mar 2 01:16:16: CBAC FUNC: insp_add_acl_item
*Mar 2 01:16:16: CBAC FUNC: insp_process_syn_packet
*Mar 2 01:16:16: CBAC FUNC: insp_find_tcp_host_entry addr 40.0.0.1 bucket 41
*Mar 2 01:16:16: CBAC FUNC: insp_create_tcp_host_entry
*Mar 2 01:16:16: CBAC* FUNC: insp_fast_inspection
*Mar 2 01:16:16: CBAC* FUNC: insp_inspect_pak
*Mar 2 01:16:16: CBAC* FUNC: insp_l4_inspection
*Mar 2 01:16:16: CBAC* FUNC: insp_process_tcp_seg
*Mar 2 01:16:16: CBAC* FUNC: insp_synrcvd_state
*Mar 2 01:16:16: CBAC* FUNC: insp_fast_inspection
*Mar 2 01:16:16: CBAC* FUNC: insp_inspect_pak
*Mar 2 01:16:16: CBAC* FUNC: insp_l4_inspection
*Mar 2 01:16:16: CBAC* FUNC: insp_process_tcp_seg
*Mar 2 01:16:16: CBAC* FUNC: insp_synrcvd_state
*Mar 2 01:16:16: CBAC FUNC: insp_dec_halfopen_sis
*Mar 2 01:16:16: CBAC FUNC: insp_remove_sis_from_host_entry
*Mar 2 01:16:16: CBAC FUNC: insp_find_tcp_host_entry addr 40.0.0.1 bucket 41

This output shows the functions called by CBAC as a session is inspected. Entries with an asterisk (*) after the word "CBAC" were logged on the fast path; the others were logged on the process path.

The following is sample output from the debug ip inspect object-creation and debug ip inspect object-deletion commands:
*Mar 2 01:18:30: CBAC OBJ_CREATE: create pre-gen sis 25A3574
*Mar 2 01:18:30: CBAC OBJ_CREATE: create acl wrapper 25A36FC -- acl item 25A3634
*Mar 2 01:18:30: CBAC OBJ_CREATE: create sis 25C1CC4
*Mar 2 01:18:30: CBAC OBJ_DELETE: delete pre-gen sis 25A3574
*Mar 2 01:18:30: CBAC OBJ_CREATE: create host entry 25A3574 addr 10.0.0.1 bucket 31
*Mar 2 01:18:30: CBAC OBJ_DELETE: delete sis 25C1CC4
*Mar 2 01:18:30: CBAC OBJ_DELETE: delete create acl wrapper 25A36FC -- acl item 25A3634
*Mar 2 01:18:31: CBAC OBJ_DELETE: delete host entry 25A3574 addr 10.0.0.1

The following is sample output from the debug ip inspect object-creation, debug ip inspect object-deletion, and debug ip inspect events commands:
*Mar 2 01:18:51: CBAC OBJ_CREATE: create pre-gen sis 25A3574
*Mar 2 01:18:51: CBAC OBJ_CREATE: create acl wrapper 25A36FC -- acl item 25A3634
*Mar 2 01:18:51: CBAC Src 10.1.0.1 Port [1:65535]
*Mar 2 01:18:51: CBAC Dst 10.0.0.1 Port [46406:46406]
*Mar 2 01:18:51: CBAC Pre-gen sis 25A3574 created: 10.1.0.1[1:65535] 30.0.0.1[46406:46406]
*Mar 2 01:18:51: CBAC OBJ_CREATE: create sis 25C1CC4
*Mar 2 01:18:51: CBAC sis 25C1CC4 initiator_addr (10.1.0.1:20) responder_addr (30.0.0.1:46406) initiator_alt_addr (40.0.0.1:20) responder_alt_addr (10.0.0.1:46406)
*Mar 2 01:18:51: CBAC OBJ_DELETE: delete pre-gen sis 25A3574
*Mar 2 01:18:51: CBAC OBJ_CREATE: create host entry 25A3574 addr 10.0.0.1 bucket 31
*Mar 2 01:18:51: CBAC OBJ_DELETE: delete sis 25C1CC4
*Mar 2 01:18:51: CBAC OBJ_DELETE: delete create acl wrapper 25A36FC -- acl item 25A3634
*Mar 2 01:18:51: CBAC OBJ_DELETE: delete host entry 25A3574 addr 10.0.0.1

The pre-gen sis is the placeholder CBAC creates for an expected secondary connection, here the FTP data channel from server port 20 to the client port announced on the control channel. It is replaced by a real sis when the first packet of that connection arrives, and the initiator_alt_addr and responder_alt_addr fields show the translated (NAT) addresses of the same endpoints.

The following is sample output from the debug ip inspect timers command:
*Mar 2 01:19:15: CBAC Timer Init Leaf: Pre-gen sis 25A3574
*Mar 2 01:19:15: CBAC Timer Start: Pre-gen sis 25A3574 Timer: 25A35D8 Time: 30000 milisecs
*Mar 2 01:19:15: CBAC Timer Init Leaf: sis 25C1CC4
*Mar 2 01:19:15: CBAC Timer Stop: Pre-gen sis 25A3574 Timer: 25A35D8
*Mar 2 01:19:15: CBAC Timer Start: sis 25C1CC4 Timer: 25C1D5C Time: 30000 milisecs
*Mar 2 01:19:15: CBAC Timer Start: sis 25C1CC4 Timer: 25C1D5C Time: 3600000 milisecs
*Mar 2 01:19:15: CBAC Timer Start: sis 25C1CC4 Timer: 25C1D5C Time: 5000 milisecs
*Mar 2 01:19:15: CBAC Timer Stop: sis 25C1CC4 Timer: 25C1D5C

The following is sample output from the debug ip inspect tcp command:
*Mar 2 01:20:43: CBAC* sis 25A3604 pak 2541C58 TCP P ack 4223720032 seq 4200176225(22) (10.0.0.1:46409) => (10.1.0.1:21)
*Mar 2 01:20:43: CBAC* sis 25A3604 ftp L7 inspect result: PROCESS-SWITCH packet
*Mar 2 01:20:43: CBAC sis 25A3604 pak 2541C58 TCP P ack 4223720032 seq 4200176225(22) (10.0.0.1:46409) => (10.1.0.1:21)
*Mar 2 01:20:43: CBAC sis 25A3604 ftp L7 inspect result: PASS packet
*Mar 2 01:20:43: CBAC* sis 25A3604 pak 2544374 TCP P ack 4200176247 seq 4223720032(30) (10.0.0.1:46409) <= (10.1.0.1:21)
*Mar 2 01:20:43: CBAC* sis 25A3604 ftp L7 inspect result: PASS packet
*Mar 2 01:20:43: CBAC* sis 25A3604 pak 25412F8 TCP P ack 4223720062 seq 4200176247(15) (10.0.0.1:46409) => (10.1.0.1:21)
*Mar 2 01:20:43: CBAC* sis 25A3604 ftp L7 inspect result: PASS packet
*Mar 2 01:20:43: CBAC sis 25C1CC4 pak 2544734 TCP S seq 4226992037(0) (10.1.0.1:20) => (10.0.0.1:46411)
*Mar 2 01:20:43: CBAC* sis 25C1CC4 pak 2541E38 TCP S ack 4226992038 seq 4203405054(0) (10.1.0.1:20) <= (10.0.0.1:46411)

This sample shows TCP packets being processed, and lists the corresponding acknowledgment (ACK) and sequence (SEQ) numbers. The number of data bytes in the TCP segment is shown in parentheses, for example (22). For each packet, the addresses and port numbers are shown separated by a colon; for example, (10.1.0.1:21) indicates IP address 10.1.0.1 and TCP port 21. The arrow gives the direction of the packet between the session initiator (left) and the responder (right). Entries with an asterisk (*) after the word "CBAC" were logged on the fast path; the others were logged on the process path. A PROCESS-SWITCH result means the application-layer inspection needed the packet in the process path, so the same packet (pak 2541C58 above) is logged a second time without the asterisk.

The following is sample output from the debug ip inspect tcp and debug ip inspect detailed commands:
*Mar 2 01:20:58: CBAC* Pak 2541E38 Find session for (30.0.0.1:46409) (40.0.0.1:21) tcp
*Mar 2 01:20:58: P ack 4223720160 seq 4200176262(22)
*Mar 2 01:20:58: CBAC* Pak 2541E38 Addr:port pairs to match: (30.0.0.1:46409) (40.0.0.1:21)
*Mar 2 01:20:58: CBAC* sis 25A3604 SIS_OPEN
*Mar 2 01:20:58: CBAC* Pak 2541E38 IP: s=30.0.0.1 (Ethernet0), d=40.0.0.1 (Ethernet1), len 76, proto=6
*Mar 2 01:20:58: CBAC sis 25A3604 Saving State: SIS_OPEN/ESTAB iisn 4200176160 i_rcvnxt 4223720160 i_sndnxt 4200176262 i_rcvwnd 8760 risn 4223719771 r_rcvnxt 4200176262 r_sndnxt 4223720160 r_rcvwnd 8760
*Mar 2 01:20:58: CBAC* sis 25A3604 pak 2541E38 TCP P ack 4223720160 seq 4200176262(22) (30.0.0.1:46409) => (40.0.0.1:21)
*Mar 2 01:20:58: CBAC* sis 25A3604 pak 2541E38 SIS_OPEN/ESTAB TCP seq 4200176262(22) Flags: ACK 4223720160 PSH
*Mar 2 01:20:58: CBAC* sis 25A3604 pak 2541E38 --> SIS_OPEN/ESTAB iisn 4200176160 i_rcvnxt 4223720160 i_sndnxt 4200176284 i_rcvwnd 8760 risn 4223719771 r_rcvnxt 4200176262 r_sndnxt 4223720160 r_rcvwnd 8760
*Mar 2 01:20:58: CBAC* sis 25A3604 L4 inspect result: PASS packet 2541E38 (30.0.0.1:46409) (40.0.0.1:21) bytes 22 ftp
*Mar 2 01:20:58: CBAC sis 25A3604 Restoring State: SIS_OPEN/ESTAB iisn 4200176160 i_rcvnxt 4223720160 i_sndnxt 4200176262 i_rcvwnd 8760 risn 4223719771 r_rcvnxt 4200176262 r_sndnxt 4223720160 r_rcvwnd 8760
*Mar 2 01:20:58: CBAC* sis 25A3604 ftp L7 inspect result: PROCESS-SWITCH packet
*Mar 2 01:20:58: CBAC* sis 25A3604 ftp L7 inspect result: PROCESS-SWITCH packet
*Mar 2 01:20:58: CBAC* Bump up: inspection requires the packet in the process path(30.0.0.1) (40.0.0.1)
*Mar 2 01:20:58: CBAC Pak 2541E38 Find session for (30.0.0.1:46409) (40.0.0.1:21) tcp
*Mar 2 01:20:58: P ack 4223720160 seq 4200176262(22)
*Mar 2 01:20:58: CBAC Pak 2541E38 Addr:port pairs to match: (30.0.0.1:46409) (40.0.0.1:21)
*Mar 2 01:20:58: CBAC sis 25A3604 SIS_OPEN
*Mar 2 01:20:58: CBAC Pak 2541E38 IP: s=30.0.0.1 (Ethernet0), d=40.0.0.1 (Ethernet1), len 76, proto=6

In the detailed output, the Saving State line records the per-direction TCP state CBAC tracks (initial sequence number, next expected sequence number and window for initiator and responder) before the segment is applied; the --> line shows i_sndnxt advanced from 4200176262 to 4200176284, the 22 payload bytes of this segment; and Restoring State puts the saved state back when the L7 result is PROCESS-SWITCH, because the same packet will be inspected again, and the state advanced again, in the process path.
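Added example (not part of this command reference, and not Cisco code): a Python parser for the debug ip inspect tcp output shown above. It turns each CBAC sis/pak line into a record, pairs the L7 verdicts with their session, and summarises per session the unique packets, payload bytes in each direction, and packets that were logged first on the fast path and again on the process path after a PROCESS-SWITCH verdict. The sample lines are the ones shown above; the record and function names are the example's own.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Sample lines: the debug ip inspect tcp output shown above on this page.
SAMPLE_DEBUG = """\
*Mar 2 01:20:43: CBAC* sis 25A3604 pak 2541C58 TCP P ack 4223720032 seq 4200176225(22) (10.0.0.1:46409) => (10.1.0.1:21)
*Mar 2 01:20:43: CBAC* sis 25A3604 ftp L7 inspect result: PROCESS-SWITCH packet
*Mar 2 01:20:43: CBAC sis 25A3604 pak 2541C58 TCP P ack 4223720032 seq 4200176225(22) (10.0.0.1:46409) => (10.1.0.1:21)
*Mar 2 01:20:43: CBAC sis 25A3604 ftp L7 inspect result: PASS packet
*Mar 2 01:20:43: CBAC* sis 25A3604 pak 2544374 TCP P ack 4200176247 seq 4223720032(30) (10.0.0.1:46409) <= (10.1.0.1:21)
*Mar 2 01:20:43: CBAC* sis 25A3604 ftp L7 inspect result: PASS packet
*Mar 2 01:20:43: CBAC* sis 25A3604 pak 25412F8 TCP P ack 4223720062 seq 4200176247(15) (10.0.0.1:46409) => (10.1.0.1:21)
*Mar 2 01:20:43: CBAC* sis 25A3604 ftp L7 inspect result: PASS packet
*Mar 2 01:20:43: CBAC sis 25C1CC4 pak 2544734 TCP S seq 4226992037(0) (10.1.0.1:20) => (10.0.0.1:46411)
*Mar 2 01:20:43: CBAC* sis 25C1CC4 pak 2541E38 TCP S ack 4226992038 seq 4203405054(0) (10.1.0.1:20) <= (10.0.0.1:46411)
"""

TCP_RE = re.compile(
    r"^\*(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d): CBAC(?P<fast>\*?) sis (?P<sis>[0-9A-F]+) "
    r"pak (?P<pak>[0-9A-F]+) TCP (?P<flags>[A-Z]+)(?: ack (?P<ack>\d+))? seq (?P<seq>\d+)"
    r"\((?P<len>\d+)\) \((?P<left>[\d.]+:\d+)\) (?P<dir>=>|<=) \((?P<right>[\d.]+:\d+)\)$"
)
L7_RE = re.compile(
    r"^\*\w{3}\s+\d+ \d\d:\d\d:\d\d: CBAC\*? sis (?P<sis>[0-9A-F]+) (?P<proto>\w+) "
    r"L7 inspect result: (?P<result>[A-Z-]+) packet$"
)


@dataclass
class TcpEvent:
    ts: str
    fast_path: bool        # "CBAC*" = fast path, "CBAC" = process path
    sis: str               # session information structure id
    pak: str               # packet buffer id; reappears if the packet is punted to the process path
    flags: str             # S = SYN, P = PSH, ... as printed by the debug
    ack: Optional[int]
    seq: int
    payload_len: int
    initiator: str         # left address:port is always the session initiator
    responder: str
    to_responder: bool     # "=>" packet travels initiator -> responder, "<=" the reverse


def parse_tcp_line(line: str) -> Optional[TcpEvent]:
    m = TCP_RE.match(line.strip())
    if not m:
        return None
    return TcpEvent(
        ts=m["ts"], fast_path=m["fast"] == "*", sis=m["sis"], pak=m["pak"], flags=m["flags"],
        ack=int(m["ack"]) if m["ack"] else None, seq=int(m["seq"]), payload_len=int(m["len"]),
        initiator=m["left"], responder=m["right"], to_responder=m["dir"] == "=>",
    )


def new_session() -> dict:
    return {"initiator": None, "responder": None, "packets": 0, "punted": 0,
            "bytes_to_responder": 0, "bytes_to_initiator": 0, "l7": Counter()}


def summarize(debug_text: str) -> Dict[str, dict]:
    """Per-sis summary: unique packets, payload bytes per direction, punts and L7 verdicts."""
    sessions: Dict[str, dict] = {}
    paths_seen: Dict[Tuple[str, str], Set[bool]] = defaultdict(set)
    for line in debug_text.splitlines():
        m = L7_RE.match(line.strip())
        if m:
            sessions.setdefault(m["sis"], new_session())["l7"][m["result"]] += 1
            continue
        ev = parse_tcp_line(line)
        if ev is None:
            continue
        s = sessions.setdefault(ev.sis, new_session())
        s["initiator"], s["responder"] = ev.initiator, ev.responder
        key = (ev.sis, ev.pak)
        seen_before = len(paths_seen[key])
        paths_seen[key].add(ev.fast_path)
        if seen_before == 0:
            # Count each packet once even if the debug logs it on both paths.
            s["packets"] += 1
            if ev.to_responder:
                s["bytes_to_responder"] += ev.payload_len
            else:
                s["bytes_to_initiator"] += ev.payload_len
        elif seen_before == 1 and len(paths_seen[key]) == 2:
            s["punted"] += 1      # logged on the fast path, then again on the process path
    return sessions


if __name__ == "__main__":
    for sis, info in summarize(SAMPLE_DEBUG).items():
        print(sis, info)
```

On the sample, session 25A3604 (client 10.0.0.1:46409 to the FTP control port 21) shows three distinct packets, 37 bytes towards the server and 30 back, one punt, and verdicts of three PASS and one PROCESS-SWITCH; session 25C1CC4 is the server-initiated data channel from port 20, with only the SYN and SYN-ACK and no payload yet.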

Command Name: ip inspect alert-off
Mode: router(config)#
Syntax:
ip inspect alert-off
no ip inspect alert-off

Syntax Description: This command has no arguments or keywords.

Command Description: To disable Context-based Access Control (CBAC) alert messages, which are displayed on the console, use the ip inspect alert-off command in global configuration mode. To re-enable CBAC alert messages, use the no form of this command.

Example:
router(config)#ip inspect alert-off

Misconceptions: Alert messages are displayed by default; this command turns them off, and its no form turns them back on. The per-protocol alert {on | off} option of the ip inspect name command overrides this global setting for a single protocol.
Related commands: none
Sample Configurations:

Command Name: ip inspect audit-trail
Mode: router(config)#
Syntax:
ip inspect audit-trail
no ip inspect audit-trail

Syntax Description: This command has no arguments or keywords.

Command Description: To turn on Context-based Access Control (CBAC) audit trail messages, which are displayed on the console after each CBAC session closes, use the ip inspect audit-trail command in global configuration mode. To turn off CBAC audit trail messages, use the no form of this command.

Example: The following example turns on CBAC audit trail messages:
router(config)#ip inspect audit-trail

Afterward, audit trail messages such as the following are displayed:
%FW-6-SESS_AUDIT_TRAIL: tcp session initiator (192.168.1.13:33192) sent 22 bytes -- responder (192.168.129.11:25) sent 208 bytes
%FW-6-SESS_AUDIT_TRAIL: ftp session initiator (192.168.1.13:33194) sent 336 bytes -- responder (192.168.129.11:21) sent 325 bytes

These messages are examples of audit trail messages. Each records the protocol that was inspected, the initiator and responder address:port pairs, and the number of bytes each side sent. For a generic tcp or udp session, determine the application from the responder's port number, which follows the responder's IP address (port 25 above is SMTP). Because the message is emitted only when the session closes, a long-lived session appears in the audit trail only after it ends.

Misconceptions: none
Related commands: none
Sample Configurations:
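Added example (not part of this command reference, and not Cisco code): a Python reader for %FW-6-SESS_AUDIT_TRAIL messages that applies the advice above, deriving the application from the responder port for generic tcp sessions, and flags two things a reviewer of these messages would want: an inspected application protocol answering on a non-standard responder port, and an initiator that sent more than a threshold of bytes. The first two log lines are the ones shown above; the remaining lines, the syslog timestamp prefix, the port table and the 1,000,000-byte threshold are constructed for the example, and the function names are the example's own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log. The first two lines are the audit trail messages shown on this
# page; the rest are made up for the example (a syslog timestamp prefix, an http session
# to a non-standard port, a large upload over generic tcp, and an unrelated message).
SAMPLE_LOG = """\
%FW-6-SESS_AUDIT_TRAIL: tcp session initiator (192.168.1.13:33192) sent 22 bytes -- responder (192.168.129.11:25) sent 208 bytes
%FW-6-SESS_AUDIT_TRAIL: ftp session initiator (192.168.1.13:33194) sent 336 bytes -- responder (192.168.129.11:21) sent 325 bytes
Mar  2 01:25:10.123: %FW-6-SESS_AUDIT_TRAIL: http session initiator (192.168.1.13:33210) sent 412 bytes -- responder (203.0.113.7:8080) sent 51200 bytes
Mar  2 01:31:02.007: %FW-6-SESS_AUDIT_TRAIL: tcp session initiator (192.168.1.20:40000) sent 5242880 bytes -- responder (203.0.113.9:443) sent 1200 bytes
Mar  2 01:31:05.000: %SYS-5-CONFIG_I: Configured from console by vty0
"""

AUDIT_RE = re.compile(
    r"%FW-6-SESS_AUDIT_TRAIL: (?P<proto>\w+) session initiator "
    r"\((?P<i_ip>[\d.]+):(?P<i_port>\d+)\) sent (?P<i_bytes>\d+) bytes -- responder "
    r"\((?P<r_ip>[\d.]+):(?P<r_port>\d+)\) sent (?P<r_bytes>\d+) bytes"
)

# Standard responder ports for some of the inspected protocol keywords on this page
# (IANA registrations; the table is the example's own, not from the page).
STANDARD_PORTS: Dict[str, set] = {
    "ftp": {21}, "smtp": {25}, "http": {80}, "tftp": {69}, "rtsp": {554},
    "h323": {1720}, "sqlnet": {1521}, "rcmd": {512, 513, 514},
}
PORT_TO_SERVICE = {p: name for name, ports in STANDARD_PORTS.items() for p in ports}


@dataclass
class AuditRecord:
    proto: str            # inspected protocol keyword (ftp, smtp, ...) or generic tcp/udp
    initiator: str
    initiator_port: int
    initiator_bytes: int  # bytes the initiating (usually inside) host sent
    responder: str
    responder_port: int
    responder_bytes: int


def parse_audit_line(line: str) -> Optional[AuditRecord]:
    m = AUDIT_RE.search(line)   # search, not match: syslog may prefix a timestamp
    if not m:
        return None
    return AuditRecord(m["proto"], m["i_ip"], int(m["i_port"]), int(m["i_bytes"]),
                       m["r_ip"], int(m["r_port"]), int(m["r_bytes"]))


def service_of(rec: AuditRecord) -> str:
    """Generic tcp/udp sessions name no application; infer it from the responder port."""
    if rec.proto in STANDARD_PORTS:
        return rec.proto
    return PORT_TO_SERVICE.get(rec.responder_port, f"{rec.proto}/{rec.responder_port}")


def review(log: str, upload_threshold: int = 1_000_000) -> Tuple[List[str], Dict[str, Tuple[int, int]]]:
    """Return (findings, per-initiator (sent, received) byte totals)."""
    findings: List[str] = []
    totals: Dict[str, List[int]] = defaultdict(lambda: [0, 0])
    for line in log.splitlines():
        rec = parse_audit_line(line)
        if rec is None:
            continue
        totals[rec.initiator][0] += rec.initiator_bytes
        totals[rec.initiator][1] += rec.responder_bytes
        expected = STANDARD_PORTS.get(rec.proto)
        if expected and rec.responder_port not in expected:
            findings.append(f"{rec.proto} inspected on non-standard responder port "
                            f"{rec.responder}:{rec.responder_port} from {rec.initiator}")
        if rec.initiator_bytes > upload_threshold:
            findings.append(f"{rec.initiator} sent {rec.initiator_bytes} bytes to "
                            f"{rec.responder}:{rec.responder_port} ({service_of(rec)})")
    return findings, {host: (sent, recv) for host, (sent, recv) in totals.items()}


if __name__ == "__main__":
    found, per_host = review(SAMPLE_LOG)
    for f in found:
        print("FINDING:", f)
    for host, (sent, recv) in per_host.items():
        print(f"{host}: sent {sent} bytes, received {recv} bytes")
```

On the sample, the reader reports the http session answered on port 8080 and the 5 MB upload from 192.168.1.20 over generic tcp to port 443, and it totals 770 bytes sent and 51733 received for 192.168.1.13. The byte counts come from the closing message, so this kind of review runs on what has already finished; it does not see a session that is still open.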

Command Name: ip inspect dns-timeout
Mode: router(config)#
Syntax:
ip inspect dns-timeout seconds
no ip inspect dns-timeout

Syntax Description:

seconds    Specifies the length of time in seconds for which a DNS name lookup session is still managed while there is no activity. The default is 5 seconds.

Command Description: To specify the Domain Name System (DNS) idle timeout (the length of time during which a DNS name lookup session is still managed while there is no activity), use the ip inspect dns-timeout command in global configuration mode. To reset the timeout to the default of 5 seconds, use the no form of this command.

Usage Guidelines
When the software detects a valid User Datagram Protocol (UDP) packet for a new DNS name lookup session, and Context-based Access Control (CBAC) inspection is configured for UDP, the software establishes state information for the new DNS session. If the software detects no packets for the DNS session for the period defined by the DNS idle timeout, it stops managing state information for the session.

The DNS idle timeout applies to all DNS name lookup sessions inspected by CBAC. It overrides the global UDP idle timeout, and it also overrides any timeout specified for UDP with the ip inspect name command, so a longer UDP timeout in an inspection rule does not keep DNS sessions open longer. Keep this value short: a DNS lookup is a single request and reply, and a long timeout only keeps the return-traffic opening for the client's source port alive longer than needed.

Example: The following example sets the DNS idle timeout to 30 seconds:
router(config)#ip inspect dns-timeout 30

The following example sets the DNS idle timeout back to the default (5 seconds):
router(config)#no ip inspect dns-timeout

Misconceptions: none
Related commands: none
Sample Configurations:

Command Name: ip inspect hashtable
Mode: router(config)#
Syntax:
ip inspect hashtable number
no ip inspect hashtable number

Syntax Description:

number    Size of the session hash table in buckets. Possible values are 1024, 2048, 4096, and 8192; the default is 1024.

Command Description: To change the size of the session hash table, use the ip inspect hashtable command in global configuration mode. To restore the default size, use the no form of this command.

Usage Guidelines
Use the ip inspect hashtable command to increase the size of the hash table when the number of concurrent sessions increases, or to reduce the time spent searching for a session. Collisions occur when the hash function distributes sessions poorly, so that many entries land in the same bucket for certain patterns of addresses. Even when the hash function disperses its input evenly across all buckets, a small hash table does not scale to a large number of sessions: as the number of sessions grows, collisions increase, the linked lists hanging off each bucket grow longer, and throughput deteriorates. Long bucket lists also make every lookup slower, which matters most when the router is under a connection flood and is doing the most lookups.

Note Increase the hash table size when the total number of sessions running through the context-based access control (CBAC) router is approximately twice the current hash table size; decrease it when the total number of sessions falls to approximately half the current hash table size. Essentially, try to maintain a 1:1 ratio between the number of sessions and the number of buckets.

Example: The following example changes the size of the session hash table to 2048 buckets:
router(config)#ip inspect hashtable 2048

Misconceptions: none
Related commands: none
Sample Configurations:

Command Name: ip inspect max-incomplete high
Mode: router(config)#
Syntax:
ip inspect max-incomplete high number
no ip inspect max-incomplete high

Syntax Description:

number    Specifies the number of existing half-open sessions that causes the software to start deleting half-open sessions. The default is 500 half-open sessions.

Command Description: To define the number of existing half-open sessions that causes the software to start deleting half-open sessions, use the ip inspect max-incomplete high command in global configuration mode. To reset the threshold to the default of 500 half-open sessions, use the no form of this command.

Usage Guidelines
An unusually high number of half-open sessions (either in absolute terms or measured as an arrival rate) can indicate that a denial-of-service attack is under way. For TCP, "half-open" means that the session has not reached the established state. For User Datagram Protocol (UDP), "half-open" means that the firewall has detected traffic in one direction only.

Context-based Access Control (CBAC) measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are counted in the total and in the rate measurements. Measurements are made once a minute.

When the number of existing half-open sessions rises above the max-incomplete high threshold, the software deletes half-open sessions as required to accommodate new connection requests. It continues deleting half-open sessions as necessary until the number of existing half-open sessions drops below the max-incomplete low threshold. The two thresholds give the mechanism hysteresis: keep the low value well below the high value so that the firewall does not oscillate in and out of deletion mode around a single number.

The global value specified for this threshold applies to all TCP and UDP connections inspected by CBAC.

Example: The following example causes the software to start deleting half-open sessions when the number of existing half-open sessions rises above 900, and to stop deleting half-open sessions when the number drops below 800:
router(config)#ip inspect max-incomplete high 900
router(config)#ip inspect max-incomplete low 800

Misconceptions: none
Related commands:
ip inspect max-incomplete low
ip inspect one-minute high
ip inspect one-minute low
ip inspect tcp max-incomplete host

Sample Configurations:

Command Name: ip inspect max-incomplete low
Mode: router(config)#
Syntax:
ip inspect max-incomplete low number
no ip inspect max-incomplete low

Syntax Description:

number    Specifies the number of existing half-open sessions that causes the software to stop deleting half-open sessions. The default is 400 half-open sessions.

Command Description: To define the number of existing half-open sessions that causes the software to stop deleting half-open sessions, use the ip inspect max-incomplete low command in global configuration mode. To reset the threshold to the default of 400 half-open sessions, use the no form of this command.

Usage Guidelines
An unusually high number of half-open sessions (either in absolute terms or measured as an arrival rate) can indicate that a denial-of-service attack is under way. For TCP, "half-open" means that the session has not reached the established state. For User Datagram Protocol (UDP), "half-open" means that the firewall has detected traffic in one direction only.

Context-based Access Control (CBAC) measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are counted in the total and in the rate measurements. Measurements are made once a minute.

When the number of existing half-open sessions rises above the max-incomplete high threshold, the software deletes half-open sessions as required to accommodate new connection requests. It continues deleting half-open sessions as necessary until the number of existing half-open sessions drops below the max-incomplete low threshold. The low threshold must be less than the high threshold; if you raise the high value, raise the low value with it, or deletion mode will persist until the count falls below the old low value.

The global value specified for this threshold applies to all TCP and UDP connections inspected by CBAC.

Example: The following example causes the software to start deleting half-open sessions when the number of existing half-open sessions rises above 900, and to stop deleting half-open sessions when the number drops below 800:
router(config)#ip inspect max-incomplete high 900
router(config)#ip inspect max-incomplete low 800

Misconceptions: none
Related commands:
ip inspect max-incomplete high
ip inspect one-minute high
ip inspect one-minute low
ip inspect tcp max-incomplete host

Sample Configurations:
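Added example (not part of this command reference, and not Cisco code) illustrating the behaviour described for ip inspect max-incomplete high and ip inspect max-incomplete low: a Python model that walks a constructed series of once-a-minute half-open counts and reports when deletion mode is entered and left, beside what a firewall with a single threshold and no low watermark would do. The counts, the function names and the single-threshold comparison are the example's own; 900/800 are the example thresholds from the text and 500/400 the stated defaults.

```python
from dataclasses import dataclass
from typing import List, Sequence


@dataclass(frozen=True)
class HalfOpenThresholds:
    """ip inspect max-incomplete high / low. Defaults are the ones stated on this page."""
    high: int = 500
    low: int = 400

    def validate(self) -> None:
        if self.low >= self.high:
            raise ValueError(f"max-incomplete low ({self.low}) must be below high ({self.high}); "
                             "otherwise deletion would never stop once it started")


def deletion_schedule(minute_counts: Sequence[int], th: HalfOpenThresholds) -> List[bool]:
    """For each one-minute half-open count, report whether CBAC is deleting half-open sessions.

    Deletion starts when the count rises above `high` and continues until the count
    drops below `low`, which is the behaviour described for these two commands.
    """
    th.validate()
    deleting = False
    schedule: List[bool] = []
    for count in minute_counts:
        if not deleting and count > th.high:
            deleting = True
        elif deleting and count < th.low:
            deleting = False
        schedule.append(deleting)
    return schedule


def single_threshold_schedule(minute_counts: Sequence[int], high: int) -> List[bool]:
    """What a firewall with no low watermark would do: delete whenever the count is above high."""
    return [count > high for count in minute_counts]


def count_starts(schedule: Sequence[bool]) -> int:
    """How many times deletion mode was entered; each start is a transition into aggressive mode."""
    previous = [False] + list(schedule[:-1])
    return sum(1 for prev, cur in zip(previous, schedule) if cur and not prev)


# Constructed per-minute half-open counts around the example thresholds 900/800:
# a burst that hovers between the two watermarks, subsides, then returns.
SAMPLE_COUNTS = [300, 950, 880, 920, 870, 930, 790, 850, 910]
EXAMPLE_THRESHOLDS = HalfOpenThresholds(high=900, low=800)

if __name__ == "__main__":
    hyst = deletion_schedule(SAMPLE_COUNTS, EXAMPLE_THRESHOLDS)
    flat = single_threshold_schedule(SAMPLE_COUNTS, EXAMPLE_THRESHOLDS.high)
    for minute, (count, h, f) in enumerate(zip(SAMPLE_COUNTS, hyst, flat), start=1):
        print(f"minute {minute:2d}: {count:4d} half-open   high/low: {'DELETING' if h else 'idle':8s}"
              f"   high only: {'DELETING' if f else 'idle'}")
    print("deletion starts with hysteresis:", count_starts(hyst), " without:", count_starts(flat))
```

With the two watermarks the firewall enters deletion mode twice over the sample and stays in it while the count hovers between 800 and 900; with a single threshold it would flap in and out four times on the same counts.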

Command Name: ip inspect name
Mode: router(config)#
Syntax:
ip inspect name inspection-name protocol [alert {on | off}] [audit-trail {on | off}] [timeout seconds]
no ip inspect name [inspection-name protocol]

HTTP Inspection Syntax
ip inspect name inspection-name http [java-list access-list] [alert {on | off}] [audit-trail {on | off}] [timeout seconds]
(Java protocol only)
no ip inspect name inspection-name protocol (removes the inspection rule for a protocol)

RPC Inspection Syntax
ip inspect name inspection-name rpc program-number number [wait-time minutes] [alert {on | off}] [audit-trail {on | off}] [timeout seconds]
(RPC protocol only)
no ip inspect name inspection-name protocol (removes the inspection rule for a protocol)

Fragment Inspection Syntax
ip inspect name inspection-name fragment [max number timeout seconds]
no ip inspect name inspection-name fragment (removes fragment inspection for a rule)

Syntax Description:

inspection-name    Names the set of inspection rules. To add a protocol to an existing set of rules, use the same inspection-name as the existing set. Note The inspection-name cannot exceed 16 characters; a longer name is truncated to 16 characters.

protocol    One of the protocol keywords listed below.

Transport-layer protocol keywords
    TCP                                     tcp
    UDP                                     udp

Application-layer protocol keywords
    CU-SeeMe                                cuseeme
    FTP                                     ftp
    Java                                    http
    H.323                                   h323
    Microsoft NetShow                       netshow
    UNIX R commands (rlogin, rexec, rsh)    rcmd
    RealAudio                               realaudio
    RPC                                     rpc
    SMTP                                    smtp
    SQL*Net                                 sqlnet
    StreamWorks                             streamworks
    TFTP                                    tftp
    VDOLive                                 vdolive

alert {on | off}

(Optional) For each inspected protocol, the generation of alert messages can be set be on or off. If no option is selected, alerts are generated based on the setting of the ip inspect alert-off command.

audit-trail {on | off}

(Optional) For each inspected protocol, audit trail can be set on or off. If no option is selected, audit trail message are generated based on the setting of the ip inspect audit-trail command.

http

(Optional) Specifies the HTTP protocol for Java applet blocking. This command is used only to enable Java inspection. If you do not configure a numbered standard access list, but use a "placeholder" access list in the ip inspect name inspectionname http command, all Java applets will be blocked.

timeout seconds

(Optional) To override the global TCP or User Datagram Protocol idle timeouts for the specified protocol, specify the number of seconds for a different idle timeout. This timeout overrides the global TCP and UPD timeouts but will not override the global Domain Name System timeout.

java-list access-list

(Optional) Specifies the numbered standard access list to use to determine "friendly" sites. This keyword is available only for the HTTP protocol, for Java applet blocking. Java blocking only works with numbered standard access lists.

rpc program-number number

Specifies the program number to permit. This keyword is available only for the remote-procedure call protocol.

wait-time minutes

(Optional) Specifies the number of minutes to keep a small hole in the firewall to allow subsequent connections from the same source address and to the same destination address and port. The default wait-time is zero minutes. This keyword is available only for the RPC protocol.

fragment

Specifies fragment inspection for the named rule.

max number

(Optional) Specifies the maximum number of unassembled packets for which state information (structures) is allocated by Cisco IOS software. Unassembled packets are packets that arrive at the router interface before the initial packet for a session. The acceptable range is 50 through 10000. The default is 256 state entries. Memory is allocated for the state structures, and setting this value to a larger number may cause memory resources to be exhausted.

timeout seconds (fragmentation)

(Optional) Configures the number of seconds that a packet state structure remains active. When the timeout value expires, the router drops the unassembled packet, freeing that structure for use by another packet. The default timeout value is one second. If this number is set to a value greater than one second, it will be automatically adjusted by the Cisco IOS software when the number of free state structures goes below certain thresholds: when the number of free states is less than 32, the timeout will be divided by 2. When the number of free states is less than 16, the timeout will be set to 1 second.

Command Description:

To define a set of inspection rules, use the ip inspect name command in global configuration mode. To remove the inspection rule for a protocol or to remove the entire set of inspection rules, use the no form of this command.

Usage Guidelines
To define a set of inspection rules, enter this command for each protocol that you want Context-based Access Control (CBAC) to inspect, using the same inspection-name. Give each set of inspection rules a unique inspection-name, which should not exceed the 16-character limit. Define either one or two sets of rules per interface: you can define one set to examine both inbound and outbound traffic, or you can define two sets, one for outbound traffic and one for inbound traffic.

To define a single set of inspection rules, configure inspection for all the desired application-layer protocols, and for TCP or UDP as desired. This combination of TCP, UDP, and application-layer protocols joins together to form a single set of inspection rules with a unique name.

To remove the inspection rule for a protocol, use the no form of this command with the specified inspection name and protocol; to remove the entire set of inspection rules, use the no form of this command only; that is, do not list any inspection names or protocols.

In general, when inspection is configured for a protocol, return traffic entering the internal network will be permitted only if the packets are part of a valid, existing session for which state information is being maintained.

TCP and UDP Inspection
You can configure TCP and UDP inspection to permit TCP and UDP packets to enter the internal network through the firewall, even if the application-layer protocol is not configured to be inspected. However, TCP and UDP inspection do not recognize application-specific commands, and therefore might not permit all return packets for an application, particularly if the return packets have a different port number than the previous exiting packet.

Any application-layer protocol that is inspected will take precedence over the TCP or UDP packet inspection. For example, if inspection is configured for File Transfer Protocol, all control channel information will be recorded in the state table, and all FTP traffic will be permitted back through the firewall if the control channel information is valid for the state of the FTP session. The fact that TCP inspection is configured is irrelevant.

With TCP and UDP inspection, packets entering the network must exactly match an existing session: the entering packets must have the same source/destination addresses and source/destination port numbers as the exiting packet (but reversed). Otherwise, the entering packets will be blocked at the interface.

Application-Layer Protocol Inspection

In general, if you configure inspection for an application-layer protocol, packets for that protocol should be permitted to exit the firewall (by configuring the correct access control list), and packets for that protocol will only be allowed back in through the firewall if they belong to a valid existing session. Each protocol packet is inspected to maintain information about the session state. Java, H.323, RPC, SMTP, and SQL*Net inspection have additional information, described in the next four sections.

Java Inspection
Java inspection enables Java applet filtering at the firewall. Java applet filtering distinguishes between trusted and untrusted applets by relying on a list of external sites that you designate as "friendly." If an applet is from a friendly site, the firewall allows the applet through. If the applet is not from a friendly site, the applet will be blocked. Alternately, you could permit applets from all sites except sites specifically designated as "hostile."

Note Before you configure Java inspection, you must configure a numbered standard access list that defines "friendly" and "hostile" external sites. You configure this numbered standard access list to permit traffic from friendly sites, and to deny traffic from hostile sites. If you do not configure a numbered standard access list, but use a "placeholder" access list in the ip inspect name inspection-name http command, all Java applets will be blocked.

Caution CBAC does not detect or block encapsulated Java applets. Therefore, Java applets that are wrapped or encapsulated, such as applets in .zip or .jar format, are not blocked at the firewall. CBAC also does not detect or block applets loaded via FTP, gopher, or HTTP on a nonstandard port.

H.323 Inspection
If you want CBAC inspection to work with NetMeeting 2.0 traffic (an H.323 application-layer protocol), you must also configure inspection for TCP, as described in the chapter "Configuring Context-Based Access Control" in the Cisco IOS Security Configuration Guide. This requirement exists because NetMeeting 2.0 uses an additional TCP channel not defined in the H.323 specification.

RPC Inspection
RPC inspection allows the specification of various program numbers. You can define multiple program numbers by creating multiple entries for RPC inspection, each with a different program number. If a program number is specified, all traffic for that program number will be permitted. If a program number is not specified, all traffic for that program number will be blocked. For example, if you created an RPC entry with the NFS program number, all NFS traffic will be allowed through the firewall.

SMTP Inspection

SMTP inspection causes SMTP commands to be inspected for illegal commands. Any packets with illegal commands are dropped, and the SMTP session will hang and eventually time out. An illegal command is any command except for the following legal commands:

DATA EXPN HELO HELP MAIL NOOP QUIT RCPT RSET SAML SEND SOML VRFY

Use of the timeout Keyword
If you specify a timeout for any of the transport-layer or application-layer protocols, the timeout will override the global idle timeout for the interface that the set of inspection rules is applied to. If the protocol is TCP or a TCP application-layer protocol, the timeout will override the global TCP idle timeout. If the protocol is UDP or a UDP application-layer protocol, the timeout will override the global UDP idle timeout. If you do not specify a timeout for a protocol, the timeout value applied to a new session of that protocol will be taken from the corresponding TCP or UDP global timeout value valid at the time of session creation.

IP Fragmentation Inspection
CBAC inspection rules can help protect hosts against certain denial-of-service attacks involving fragmented IP packets. Even though the firewall keeps an attacker from making actual connections to a given host, the attacker may still be able to disrupt services provided by that host. This is done by sending many non-initial IP fragments or by sending complete fragmented packets through a router with an ACL that filters the first fragment of a fragmented packet. These fragments can tie up resources on the target host as it tries to reassemble the incomplete packets. Using fragmentation inspection, the firewall maintains an interfragment state (structure) for IP traffic. Non-initial fragments are discarded unless the corresponding initial fragment was permitted to pass through the firewall. Non-initial fragments received before the corresponding initial fragments are discarded.

Note Fragmentation inspection can have undesirable effects in certain cases, because it can result in the firewall discarding any packet whose fragments arrive out of order. There are many circumstances that can cause out-of-order delivery of legitimate fragments. Apply fragmentation inspection in situations where legitimate fragments, which are likely to arrive out of order, might have a severe performance impact. Because routers running Cisco IOS software are used in a very large variety of networks, and because the CBAC feature is often used to isolate parts of internal networks from one another, the fragmentation inspection feature is not enabled by default. Fragmentation detection must be explicitly enabled for an inspection rule using the ip inspect name command. Unfragmented traffic is never discarded because it lacks a fragment state. Even when the system is under heavy attack with fragmented packets, legitimate fragmented traffic, if any, will still get some fraction of the firewall's fragment state resources, and legitimate, unfragmented traffic can flow through the firewall unimpeded.

Example:
The following example causes the software to inspect TCP sessions and UDP sessions, and to specifically allow CU-SeeMe, FTP, and RPC traffic back through the firewall for existing sessions only. For UDP traffic, audit-trail is on. For FTP traffic, the idle timeout is set to override the global TCP idle timeout. For RPC traffic, program numbers 100003, 100005, and 100021 are permitted.
router(config)#ip inspect name myrules tcp
router(config)#ip inspect name myrules udp audit-trail on
router(config)#ip inspect name myrules cuseeme
router(config)#ip inspect name myrules ftp timeout 120
router(config)#ip inspect name myrules rpc program-number 100003
router(config)#ip inspect name myrules rpc program-number 100005
router(config)#ip inspect name myrules rpc program-number 100021

The following example adds fragment checking to software inspection of TCP and UDP sessions for the rule named myname. In this example, the firewall software will allocate 100 state structures, and the timeout value for dropping unassembled packets is set to 4 seconds. If 100 initial fragments for 100 different packets are sent through the router, all of the state structures will be used up. The initial fragment for packet 101 will be dropped. Additionally, if the number of free state structures (structures available for use by unassembled packets) drops below the threshold values, 32 or 16, the timeout value is automatically reduced to 2 or 1, respectively. Changing the timeout value frees up packet state structures more quickly.
router(config)#ip inspect name myrules tcp
router(config)#ip inspect name myrules udp audit-trail on
router(config)#ip inspect name myrules cuseeme
router(config)#ip inspect name myrules ftp timeout 120
router(config)#ip inspect name myrules rpc program-number 100003
router(config)#ip inspect name myrules rpc program-number 100005
router(config)#ip inspect name myrules rpc program-number 100021
router(config)#ip inspect name myrules fragment max 100 timeout 4
Misconceptions: No inspection rules are defined until you define them using this command.
Related commands:
ip inspect
ip inspect audit-trail
ip inspect alert-off
Sample Configurations:
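The fragment-inspection rules described above (state structures capped by max, non-initial fragments discarded unless their initial fragment was permitted, and the automatic timeout reduction below 32 and 16 free states) can be checked against the reference's second example with the following model. This is an added illustration written for this page, not Cisco code: the real IOS state structures, hashing and reassembly are not reproduced, only the admission rules the text states, and the exact moment at which IOS re-reads the free-state count is an assumption (here it is read just before a new state is allocated).

```python
"""Model of CBAC fragment inspection as the command reference describes it
(ip inspect name <rule> fragment max <number> timeout <seconds>).
Added illustration only: IOS's real state structures, hashing and the
exact point at which it re-reads the free-state count are not reproduced."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ip_id: int     # IP Identification field shared by every fragment of one datagram
    offset: int    # fragment offset; 0 marks the initial fragment
    t: float       # arrival time in seconds (constructed for the replay)


@dataclass
class FragmentInspector:
    max_states: int = 256          # "max number" default from the reference
    timeout: float = 1.0           # configured "timeout seconds", default 1
    states: dict = field(default_factory=dict)   # (src, dst, ip_id) -> expiry time

    def free_states(self) -> int:
        return self.max_states - len(self.states)

    def effective_timeout(self) -> float:
        """Auto-adjustment described for timeouts greater than one second:
        below 32 free states the timeout is halved, below 16 it becomes 1 s."""
        if self.timeout <= 1:
            return self.timeout
        free = self.free_states()
        if free < 16:
            return 1.0
        if free < 32:
            return self.timeout / 2
        return self.timeout

    def _expire(self, now: float) -> None:
        # Expired state structures are released for reuse by other packets.
        for key in [k for k, exp in self.states.items() if exp <= now]:
            del self.states[key]

    def inspect(self, frag: Fragment) -> str:
        """Return 'permit' or 'drop' for one fragment."""
        self._expire(frag.t)
        key = (frag.src, frag.dst, frag.ip_id)
        if frag.offset == 0:
            # Initial fragment: needs a free state structure, otherwise dropped.
            if key not in self.states and self.free_states() == 0:
                return "drop"
            self.states[key] = frag.t + self.effective_timeout()
            return "permit"
        # Non-initial fragment: permitted only if its initial fragment was seen
        # and its state has not timed out (out-of-order arrival is discarded).
        return "permit" if key in self.states else "drop"


def run_scenario() -> dict:
    """Replay the reference's second example (max 100, timeout 4) on constructed traffic."""
    insp = FragmentInspector(max_states=100, timeout=4)
    # A non-initial fragment that arrives before its initial fragment is discarded.
    early = insp.inspect(Fragment("10.0.0.1", "10.1.0.1", ip_id=7, offset=8, t=0.0))
    # 100 initial fragments of 100 different datagrams use every state structure.
    initial = [insp.inspect(Fragment("10.0.0.1", "10.1.0.1", i, 0, 0.0)) for i in range(100)]
    adjusted = insp.effective_timeout()          # free states exhausted -> 1 second
    # The initial fragment of datagram 101 finds no free state and is dropped.
    overflow = insp.inspect(Fragment("10.0.0.1", "10.1.0.1", 100, 0, 0.0))
    # Datagram 7's later fragment now matches a permitted initial fragment.
    late = insp.inspect(Fragment("10.0.0.1", "10.1.0.1", 7, 8, 0.5))
    # Once the states have timed out, a straggler for datagram 7 is discarded again.
    stale = insp.inspect(Fragment("10.0.0.1", "10.1.0.1", 7, 16, 10.0))
    return {
        "early": early,
        "initials_permitted": initial.count("permit"),
        "adjusted_timeout": adjusted,
        "overflow": overflow,
        "late": late,
        "stale": stale,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The replay also shows the trade-off the Note above warns about: the straggler for datagram 7 is a legitimate fragment, yet it is dropped because its state expired, which is exactly the out-of-order and late-arrival cost of enabling fragment inspection.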

Command Name: ip inspect one-minute high
Mode: router(config)#
Syntax:
ip inspect one-minute high number
no ip inspect one-minute high
Syntax Description:


number Specifies the rate of new unestablished TCP sessions that will cause the software to start deleting half-open sessions. The default is 500 half-open sessions.

Command Description: To define the rate of new unestablished sessions that will cause the software to start deleting half-open sessions, use the ip inspect one-minute high command in global configuration mode. To reset the threshold to the default of 500 half-open sessions, use the no form of this command.

Usage Guidelines
An unusually high number of half-open sessions (either absolute or measured as the arrival rate) could indicate that a denial-of-service attack is occurring. For TCP, "half-open" means that the session has not reached the established state. For User Datagram Protocol, "half-open" means that the firewall has detected traffic from one direction only. Context-based Access Control (CBAC) measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are included in the total number and rate measurements. Measurements are made once a minute. When the rate of new connection attempts rises above a threshold (the one-minute high number), the software will delete half-open sessions as required to accommodate new connection attempts. The software will continue to delete half-open sessions as necessary, until the rate of new connection attempts drops below another threshold (the one-minute low number). The rate thresholds are measured as the number of new session connection attempts detected in the last one-minute sample period. (The rate is calculated as an exponentially-decayed rate.) The global value specified for this threshold applies to all TCP and UDP connections inspected by CBAC.

Example:
The following example causes the software to start deleting half-open sessions when more than 1000 session establishment attempts have been detected in the last minute, and to stop deleting half-open sessions when fewer than 950 session establishment attempts have been detected in the last minute:
router(config)#ip inspect one-minute high 1000
router(config)#ip inspect one-minute low 950
Misconceptions: none
Related commands:
ip inspect one-minute low
ip inspect max-incomplete high
ip inspect max-incomplete low
ip inspect tcp max-incomplete host

Sample Configurations:

Command Name: ip inspect one-minute low
Mode: router(config)#
Syntax:
ip inspect one-minute low number
no ip inspect one-minute low
Syntax Description:


number Specifies the rate of new unestablished TCP sessions that will cause the software to stop deleting half-open sessions. The default is 400 half-open sessions.

Command Description: To define the rate of new unestablished TCP sessions that will cause the software to stop deleting half-open sessions, use the ip inspect one-minute low command in global configuration mode. To reset the threshold to the default of 400 half-open sessions, use the no form of this command.

Usage Guidelines
An unusually high number of half-open sessions (either absolute or measured as the arrival rate) could indicate that a denial-of-service attack is occurring. For TCP, "half-open" means that the session has not reached the established state. For User Datagram Protocol, "half-open" means that the firewall has detected traffic from one direction only. Context-based Access Control (CBAC) measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are included in the total number and rate measurements. Measurements are made once a minute. When the rate of new connection attempts rises above a threshold (the one-minute high number), the software will delete half-open sessions as required to accommodate new connection attempts. The software will continue to delete half-open sessions as necessary, until the rate of new connection attempts drops below another threshold (the one-minute low number). The rate thresholds are measured as the number of new session connection attempts detected in the last one-minute sample period. (The rate is calculated as an exponentially decayed rate.) The global value specified for this threshold applies to all TCP and UDP connections inspected by CBAC.

Example:
The following example causes the software to start deleting half-open sessions when more than 1000 session establishment attempts have been detected in the last minute, and to stop deleting half-open sessions when fewer than 950 session establishment attempts have been detected in the last minute:
router(config)#ip inspect one-minute high 1000
router(config)#ip inspect one-minute low 950
Misconceptions: none
Related commands:
ip inspect max-incomplete high
ip inspect max-incomplete low
ip inspect one-minute high
ip inspect tcp max-incomplete host
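The one-minute high and one-minute low entries above describe a pair of thresholds with hysteresis: deletion of half-open sessions starts when the per-minute rate rises above the high value and stops only once it drops below the low value. The following model, written for this page and not taken from Cisco, replays minute-by-minute samples through that logic and also pulls the configured pair out of show ip inspect config output in the format shown later on this page. It simplifies in one respect the reference flags: IOS computes an exponentially decayed rate, whose decay constant is not documented here, so the model uses each minute's raw attempt count as the rate. The sample show output and attempt counts are constructed.

```python
"""Model of the CBAC one-minute high/low thresholds.  Added illustration,
not Cisco code.  Simplification: the reference says IOS computes an
exponentially decayed rate; here the per-minute sample is used directly as
the rate, because the decay constant is not documented on this page."""
import re
from dataclasses import dataclass


@dataclass
class OneMinuteGuard:
    high: int = 500          # ip inspect one-minute high default
    low: int = 400           # ip inspect one-minute low default
    deleting: bool = False   # whether half-open sessions are currently being deleted

    def sample(self, new_attempts: int) -> bool:
        """Feed one minute's count of new session attempts; return the deletion state.

        Deletion starts when the rate rises above 'high' and stops only when it
        drops below 'low'; samples in between leave the previous state unchanged
        (hysteresis), so the firewall does not flap on a rate hovering near one value.
        """
        if new_attempts > self.high:
            self.deleting = True
        elif new_attempts < self.low:
            self.deleting = False
        return self.deleting


def replay(samples, high=500, low=400):
    """Return the deleting state after each one-minute sample."""
    guard = OneMinuteGuard(high=high, low=low)
    return [guard.sample(n) for n in samples]


THRESHOLD_LINE = re.compile(r"one-minute \(sampling period\) thresholds are \[(\d+):(\d+)\]")


def parse_one_minute_thresholds(show_output: str):
    """Extract (low, high) from 'show ip inspect config' output; None if absent."""
    m = THRESHOLD_LINE.search(show_output)
    return (int(m.group(1)), int(m.group(2))) if m else None


# Constructed excerpt in the format the reference shows for show ip inspect config.
SAMPLE_SHOW_OUTPUT = """\
Session audit trail is disabled
one-minute (sampling period) thresholds are [950:1000] connections
max-incomplete sessions thresholds are [400:500]
"""


if __name__ == "__main__":
    low, high = parse_one_minute_thresholds(SAMPLE_SHOW_OUTPUT)
    # Minute-by-minute attempt counts (constructed): a burst above 1000 starts
    # deletion, and it continues until a minute with fewer than 950 attempts.
    print(replay([600, 1001, 980, 960, 940, 1200, 949], high=high, low=low))
```

Note that a sample equal to either threshold changes nothing: 1000 attempts does not start deletion and 950 does not stop it, which matches the reference's "more than" and "fewer than" wording.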

Sample Configurations:

Command Name: ip inspect tcp finwait-time
Mode: router(config)#
Syntax:
ip inspect tcp finwait-time seconds
no ip inspect tcp finwait-time
Syntax Description:


seconds Specifies how long a TCP session will be managed after the firewall detects a FIN-exchange. The default is 5 seconds.

Command Description: To define how long a TCP session will still be managed after the firewall detects a FIN-exchange, use the ip inspect tcp finwait-time command in global configuration mode. To reset the timeout to the default of 5 seconds, use the no form of this command.

Usage Guidelines
When the software detects a valid TCP packet that is the first in a session, and if Context-based Access Control (CBAC) inspection is configured for the packet's protocol, the software establishes state information for the new session. Use this command to define how long TCP session state information will be maintained after the firewall detects a FIN-exchange for the session. The FIN-exchange occurs when the TCP session is ready to close. The global value specified for this timeout applies to all TCP sessions inspected by CBAC. The timeout set with this command is referred to as the "finwait" timeout.

Note If the -n option is used with rsh, and the commands being executed do not produce output before the "finwait" timeout, the session will be dropped and no further output will be seen.

Example:
The following example changes the "finwait" timeout to 10 seconds:
router(config)#ip inspect tcp finwait-time 10
The following example changes the "finwait" timeout back to the default (5 seconds):
router(config)#no ip inspect tcp finwait-time

Misconceptions: none
Related commands: none
Sample Configurations:

Command Name: ip inspect tcp idle-time
Mode: router(config)#
Syntax:
ip inspect tcp idle-time seconds
no ip inspect tcp idle-time
Syntax Description:


seconds Specifies the length of time, in seconds, for which a TCP session will still be managed while there is no activity. The default is 3600 seconds (1 hour).

Command Description: To specify the TCP idle timeout (the length of time a TCP session will still be managed while there is no activity), use the ip inspect tcp idle-time command in global configuration mode. To reset the timeout to the default of 3600 seconds (1 hour), use the no form of this command.

Usage Guidelines
When the software detects a valid TCP packet that is the first in a session, and if Context-based Access Control (CBAC) inspection is configured for the packet's protocol, the software establishes state information for the new session. If the software detects no packets for the session for a time period defined by the TCP idle timeout, the software will not continue to manage state information for the session. The global value specified for this timeout applies to all TCP sessions inspected by CBAC. This global value can be overridden for specific interfaces when you define a set of inspection rules with the ip inspect name (global configuration) command.

Note This command does not affect any of the currently defined inspection rules that have explicitly defined timeouts. Sessions created based on these rules still inherit the explicitly defined timeout value. If you change the TCP idle timeout with this command, the new timeout will apply to any new inspection rules you define or to any existing inspection rules that do not have an explicitly defined timeout. That is, new sessions based on these rules (having no explicitly defined timeout) will inherit the global timeout value.

Example:
The following example sets the global TCP idle timeout to 1800 seconds (30 minutes):
router(config)#ip inspect tcp idle-time 1800

The following example sets the global TCP idle timeout back to the default of 3600 seconds (one hour):
router(config)#no ip inspect tcp idle-time
Misconceptions: none
Related commands: none
Sample Configurations:

Command Name: ip inspect tcp max-incomplete host
Mode: router(config)#
Syntax:
ip inspect tcp max-incomplete host number block-time minutes
no ip inspect tcp max-incomplete host
Syntax Description:
number Specifies how many half-open TCP sessions with the same host destination address can exist at a time, before the software starts deleting half-open sessions to the host. Use a number from 1 to 250. The default is 50 half-open sessions.

block-time

Specifies blocking of connection initiation to a host.

minutes

Specifies how long the software will continue to delete new connection requests to the host. The default is 0 minutes.

Command Description: To specify threshold and blocking time values for TCP host-specific denial-of-service detection and prevention, use the ip inspect tcp max-incomplete host command in global configuration mode. To reset the threshold and blocking time to the default values, use the no form of this command.

Usage Guidelines
An unusually high number of half-open sessions with the same destination host address could indicate that a denial-of-service attack is being launched against the host. For TCP, "half-open" means that the session has not reached the established state. Whenever the number of half-open sessions with the same destination host address rises above a threshold (the max-incomplete host number), the software will delete half-open sessions according to one of the following methods:

If the block-time minutes timeout is 0 (the default): The software will delete the oldest existing half-open session for the host for every new connection request to the host. This ensures that the number of half-open sessions to a given host will never exceed the threshold.

If the block-time minutes timeout is greater than 0: The software will delete all existing half-open sessions for the host, and then block all new connection requests to the host. The software will continue to block all new connection requests until the block-time expires.

The software also sends syslog messages whenever the max-incomplete host number is exceeded and when blocking of connection initiations to a host starts or ends. The global values specified for the threshold and blocking time apply to all TCP connections inspected by Context-based Access Control (CBAC).

Example:
The following example changes the max-incomplete host number to 40 half-open sessions, and changes the block-time timeout to 2 minutes (120 seconds):
router(config)#ip inspect tcp max-incomplete host 40 block-time 120
The following example resets the defaults (50 half-open sessions and 0 seconds):
router(config)#no ip inspect tcp max-incomplete host
Misconceptions: none
Related commands:
ip inspect max-incomplete high
ip inspect max-incomplete low
ip inspect one-minute high
ip inspect one-minute low
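The two reactions listed above (block-time 0: evict the oldest half-open session per new request; block-time greater than 0: flush every half-open session to the host and refuse new requests until the block time expires) can be traced with the following per-destination model. It is an added illustration written for this page, not Cisco code. Its syslog strings are constructed stand-ins for the messages the reference mentions, and it assumes that the request which trips the threshold in block mode is itself refused, which the reference does not state explicitly.

```python
"""Model of ip inspect tcp max-incomplete host <number> block-time <minutes>.
Added illustration, not Cisco code; the syslog text is constructed."""
from collections import defaultdict, deque


class HostHalfOpenGuard:
    def __init__(self, threshold: int = 50, block_time_minutes: int = 0):
        self.threshold = threshold                      # default 50 half-open sessions
        self.block_seconds = block_time_minutes * 60    # default 0 minutes
        self.half_open = defaultdict(deque)             # dst host -> deque of (src, t)
        self.block_until = {}                           # dst host -> time blocking ends
        self.syslog = []                                # constructed log messages

    def new_request(self, src: str, dst: str, now: float) -> str:
        """Process a new connection request (first SYN) to dst; return the action taken."""
        until = self.block_until.get(dst)
        if until is not None:
            if now < until:
                return "blocked"
            del self.block_until[dst]
            self.syslog.append(f"{now}: blocking of new connections to {dst} ended")
        q = self.half_open[dst]
        if len(q) < self.threshold:
            q.append((src, now))
            return "allowed"
        # Admitting this request would push the host above the threshold:
        # apply one of the two documented reactions.
        self.syslog.append(f"{now}: max-incomplete host threshold {self.threshold} exceeded for {dst}")
        if self.block_seconds == 0:
            q.popleft()                 # delete the oldest half-open session ...
            q.append((src, now))        # ... so the count never exceeds the threshold
            return "deleted-oldest"
        q.clear()                       # delete every half-open session to the host
        self.block_until[dst] = now + self.block_seconds
        self.syslog.append(f"{now}: blocking new connections to {dst} for {self.block_seconds}s")
        return "blocked"                # assumption: the triggering request is refused too

    def established(self, src: str, dst: str) -> None:
        """A session that completes the handshake is no longer half-open."""
        q = self.half_open[dst]
        for entry in list(q):
            if entry[0] == src:
                q.remove(entry)
                break

    def half_open_count(self, dst: str) -> int:
        return len(self.half_open[dst])


if __name__ == "__main__":
    # Constructed burst of SYNs from distinct sources toward one internal host.
    guard = HostHalfOpenGuard(threshold=3, block_time_minutes=2)
    for i in range(4):
        print(guard.new_request(f"192.0.2.{i}", "10.1.0.1", now=i))
    print(guard.syslog)
```

The model makes the operational difference visible: with block-time 0 a legitimate client can still connect during a flood (each new SYN simply evicts the oldest half-open entry), whereas a non-zero block-time turns the defence into a deliberate temporary outage for that host, which is why the reference keeps 0 as the default.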

Sample Configurations:

Command Name: ip inspect tcp synwait-time
Mode: router(config)#
Syntax:
ip inspect tcp synwait-time seconds
no ip inspect tcp synwait-time
Syntax Description:


seconds Specifies how long, in seconds, the software will wait for a TCP session to reach the established state before dropping the session. The default is 30 seconds.

Command Description: To define how long the software will wait for a TCP session to reach the established state before dropping the session, use the ip inspect tcp synwait-time command in global configuration mode. To reset the timeout to the default of 30 seconds, use the no form of this command.

Usage Guidelines
Use this command to define how long Cisco IOS software will wait for a TCP session to reach the established state before dropping the session. The session is considered to have reached the established state after the session's first SYN bit is detected. The global value specified for this timeout applies to all TCP sessions inspected by Context-based Access Control (CBAC).

Example:
The following example changes the "synwait" timeout to 20 seconds:
router(config)#ip inspect tcp synwait-time 20
The following example changes the "synwait" timeout back to the default (30 seconds):
router(config)#no ip inspect tcp synwait-time
Misconceptions: none
Related commands:

none
Sample Configurations:

Command Name: ip inspect udp idle-time
Mode: router(config)#
Syntax:
ip inspect udp idle-time seconds
no ip inspect udp idle-time
Syntax Description:


seconds Specifies the length of time a UDP "session" will still be managed while there is no activity. The default is 30 seconds.

Command Description: To specify the User Datagram Protocol idle timeout (the length of time for which a UDP "session" will still be managed while there is no activity), use the ip inspect udp idle-time command in global configuration mode. To reset the timeout to the default of 30 seconds, use the no form of this command.

Usage Guidelines
When the software detects a valid UDP packet, if Context-based Access Control (CBAC) inspection is configured for the packet's protocol, the software establishes state information for a new UDP "session." Because UDP is a connectionless service, there are no actual sessions, so the software approximates sessions by examining the information in the packet and determining if the packet is similar to other UDP packets (for example, it has similar source or destination addresses) and if the packet was detected soon after another similar UDP packet. If the software detects no UDP packets for the UDP session for a period of time defined by the UDP idle timeout, the software will not continue to manage state information for the session. The global value specified for this timeout applies to all UDP sessions inspected by CBAC. This global value can be overridden for specific interfaces when you define a set of inspection rules with the ip inspect name command.

Note This command does not affect any of the currently defined inspection rules that have explicitly defined timeouts. Sessions created based on these rules still inherit the explicitly defined timeout value. If you change the UDP idle timeout with this command, the new timeout will apply to any new inspection rules you define or to any existing inspection rules that do not have an explicitly defined timeout. That is, new sessions based on these rules (having no explicitly defined timeout) will inherit the global timeout value.

Example:

The following example sets the global UDP idle timeout to 120 seconds (2 minutes):
router(config)#ip inspect udp idle-time 120
The following example sets the global UDP idle timeout back to the default of 30 seconds:
router(config)#no ip inspect udp idle-time
Misconceptions: none
Related commands: none
Sample Configurations:
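The four timer commands above (tcp synwait-time, tcp finwait-time, tcp idle-time and udp idle-time) plus the per-rule timeout keyword of ip inspect name together decide when CBAC stops managing a session's state. The following model, written for this page and not Cisco code, keeps one table of sessions and applies the documented defaults: 30 s to reach the established state, 5 s after a FIN-exchange, 3600 s of TCP idle time and 30 s of UDP idle time, with a rule-level timeout (such as the ftp timeout 120 from the ip inspect name example) taking precedence over the global idle value, including after the global value has been changed. Session keys and event times are constructed.

```python
"""Model of the CBAC session timers described under ip inspect tcp synwait-time,
tcp finwait-time, tcp idle-time and udp idle-time, with per-rule 'timeout'
overrides from ip inspect name.  Added illustration, not Cisco code."""

# Global defaults quoted by the reference (seconds).
DEFAULTS = {"tcp_synwait": 30, "tcp_finwait": 5, "tcp_idle": 3600, "udp_idle": 30}


class SessionTable:
    def __init__(self, rule_timeouts=None, **global_overrides):
        self.cfg = {**DEFAULTS, **global_overrides}
        # Per-protocol 'timeout seconds' from the inspection rule, e.g. {"ftp": 120};
        # such a rule keeps its own value even if the global idle timeout changes.
        self.rule_timeouts = dict(rule_timeouts or {})
        self.sessions = {}   # key -> {"proto", "transport", "state", "created", "last", "fin_at"}

    def idle_timeout(self, proto: str, transport: str) -> int:
        """Rule-level timeout wins; otherwise the global TCP or UDP idle timeout."""
        return self.rule_timeouts.get(proto, self.cfg[f"{transport}_idle"])

    def open_session(self, key, proto, transport, now):
        state = "SYN_SENT" if transport == "tcp" else "UDP"
        self.sessions[key] = {"proto": proto, "transport": transport, "state": state,
                              "created": now, "last": now, "fin_at": None}

    def activity(self, key, now):
        self.sessions[key]["last"] = now

    def established(self, key, now):
        self.sessions[key]["state"] = "ESTABLISHED"
        self.sessions[key]["last"] = now

    def fin_exchange(self, key, now):
        self.sessions[key]["state"] = "FIN_WAIT"
        self.sessions[key]["fin_at"] = now

    def deadline(self, s) -> float:
        """Time at which the session's state stops being managed."""
        if s["state"] == "SYN_SENT":
            return s["created"] + self.cfg["tcp_synwait"]     # synwait timer
        if s["state"] == "FIN_WAIT":
            return s["fin_at"] + self.cfg["tcp_finwait"]      # finwait timer
        return s["last"] + self.idle_timeout(s["proto"], s["transport"])

    def expire(self, now):
        """Drop every session whose timer has run out; return the dropped keys."""
        gone = [k for k, s in self.sessions.items() if now >= self.deadline(s)]
        for k in gone:
            del self.sessions[k]
        return gone


if __name__ == "__main__":
    # Constructed timeline: a stalled handshake, an FTP control session under a
    # rule-level timeout of 120 s, a plain TCP session, and a UDP exchange.
    t = SessionTable(rule_timeouts={"ftp": 120})
    t.open_session("stalled", "tcp", "tcp", 0)
    t.open_session("ftp-ctl", "ftp", "tcp", 0); t.established("ftp-ctl", 0)
    t.open_session("web", "tcp", "tcp", 0); t.established("web", 0)
    t.open_session("dns", "udp", "udp", 0)
    for now in (30, 120, 3600):
        print(now, t.expire(now))
```

Because the rule-level value is looked up per session at expiry time, lowering the global tcp idle-time (for example to 60) changes only sessions of protocols without an explicit rule timeout, which is the behaviour the Note under ip inspect tcp idle-time describes.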

Command Name: ip inspect
Mode: router(config-if)#
Syntax:
ip inspect inspection-name {in | out}
no ip inspect inspection-name {in | out}
Syntax Description:
inspection-name Identifies which set of inspection rules to apply.

in

Applies the inspection rules to inbound traffic.

out

Applies the inspection rules to outbound traffic.

Command Description: To apply a set of inspection rules to an interface, use the ip inspect command in interface configuration mode. To remove the set of rules from the interface, use the no form of this command.

Usage Guidelines
Use this command to apply a set of inspection rules to an interface. Typically, if the interface connects to the external network, you apply the inspection rules to outbound traffic; alternately, if the interface connects to the internal network, you apply the inspection rules to inbound traffic. If you apply the rules to outbound traffic, then return inbound packets will be permitted if they belong to a valid connection with existing state information. This connection must be initiated with an outbound packet. If you apply the rules to inbound traffic, then return outbound packets will be permitted if they belong to a valid connection with existing state information. This connection must be initiated with an inbound packet.

Example:

The following example applies a set of inspection rules named "outboundrules" to an external interface's outbound traffic. This causes inbound IP traffic to be permitted only if the traffic is part of an existing session, and to be denied if the traffic is not part of an existing session.
router(config)#interface serial0
router(config-if)#ip inspect outboundrules out
Misconceptions: If no set of inspection rules is applied to an interface, no traffic will be inspected by CBAC.
Related commands: ip inspect name
Sample Configurations:
ip inspect name myfw ftp timeout 3600
ip inspect name myfw http timeout 3600
ip inspect name myfw tcp timeout 3600
ip inspect name myfw udp timeout 3600
ip inspect name myfw tftp timeout 3600
!
interface Ethernet0/1
 ip address 172.16.1.2 255.255.255.0
 ip access-group 111 in
 ip inspect myfw out
!
access-list 111 deny icmp any 10.1.1.0 0.0.0.255 echo
access-list 111 permit icmp any 10.1.1.0 0.0.0.255
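The interface-level behaviour described above (rules applied out on the external interface, so state is created by exiting packets and entering packets pass only when they reverse an existing session) and the TCP and UDP Inspection passage under ip inspect name (exact reversed match, with an inspected application-layer protocol such as FTP taking precedence over plain tcp inspection) are both exercised by the following model. It is an added illustration for this page, not Cisco code, and it simplifies: packets are 5-tuples, the application protocol is guessed from a constructed well-known-port map, and FTP handling treats any connection from the server's port 20 back to the control-channel client as part of that session, whereas real CBAC learns the data port from the FTP control channel. Addresses and ports are taken from the show ip inspect sessions output later on this page.

```python
"""Model of applying an inspection rule set 'out' on an external interface:
outbound packets create session state, and inbound packets are permitted
only when they reverse an existing session.  Added illustration, not Cisco
code; see the lead-in for the simplifications it makes."""
from typing import NamedTuple


class Packet(NamedTuple):
    proto: str   # transport: "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


# Constructed port-to-protocol map standing in for CBAC's application recognition.
APP_BY_PORT = {21: "ftp", 80: "http", 69: "tftp"}


class CbacOutboundInterface:
    def __init__(self, inspected):
        self.inspected = set(inspected)   # keywords from 'ip inspect name <rule> <protocol>'
        self.sessions = set()             # (proto, src, sport, dst, dport) of exiting packets

    def _inspects(self, pkt: Packet) -> bool:
        app = APP_BY_PORT.get(pkt.dport)
        # An inspected application-layer protocol takes precedence over plain tcp/udp.
        return app in self.inspected or pkt.proto in self.inspected

    def outbound(self, pkt: Packet) -> str:
        """Exiting packet: permitted here (the interface ACL decides that); create state."""
        if self._inspects(pkt):
            self.sessions.add(pkt)
        return "permit"

    def inbound(self, pkt: Packet) -> str:
        """Entering packet: permitted only if it reverses an existing session.

        An inbound packet never creates state when the rules are applied 'out':
        the connection must have been initiated by an outbound packet.
        """
        reverse = Packet(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.sessions:
            return "permit"
        # FTP inspection: a data connection from the server's port 20 to the
        # control-channel client is allowed while the control session exists.
        if "ftp" in self.inspected and pkt.proto == "tcp" and pkt.sport == 20:
            for s in self.sessions:
                if s.proto == "tcp" and s.dport == 21 and s.src == pkt.dst and s.dst == pkt.src:
                    return "permit"
        return "deny"


if __name__ == "__main__":
    control = Packet("tcp", "10.1.0.1", 46065, "10.0.0.1", 21)   # client -> server FTP control
    data = Packet("tcp", "10.0.0.1", 20, "10.1.0.1", 46068)      # server -> client FTP data
    plain = CbacOutboundInterface({"tcp", "udp"})
    plain.outbound(control)
    print("tcp only, ftp-data inbound:", plain.inbound(data))     # different port: deny
    with_ftp = CbacOutboundInterface({"tcp", "ftp"})
    with_ftp.outbound(control)
    print("ftp inspected, ftp-data inbound:", with_ftp.inbound(data))
```

The contrast between the two interfaces is the point made under TCP and UDP Inspection: plain tcp inspection only matches the exact reversed tuple, so the server-initiated data channel on a different port is dropped unless the ftp keyword is in the rule set.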

Command Name: no ip inspect
Mode: router(config)#
Syntax:
no ip inspect
Syntax Description:

This command has no arguments or keywords.
Command Description: To turn off Context-based Access Control (CBAC) completely at a firewall, use the no ip inspect command in global configuration mode.

Note The no ip inspect command removes all CBAC configuration entries and resets all CBAC global timeouts and thresholds to the defaults. All existing sessions are deleted and their associated access lists are removed.

Example:
The following example turns off CBAC at a firewall:
router(config)#no ip inspect
Misconceptions: none
Related commands: none
Sample Configurations:

Command Name: show ip inspect
Mode: router#
Syntax:
show ip inspect {name inspection-name | config | interfaces | session [detail] | all}
Syntax Description:
name inspection-name Displays the configured inspection rule with the name inspection-name.

config

Displays the complete CBAC inspection configuration.

interfaces

Displays interface configuration with respect to applied inspection rules and access lists.

session [detail]

Displays existing sessions that are currently being tracked and inspected by CBAC. The optional detail keyword causes additional details about these sessions to be shown.

all

Displays all CBAC configuration and all existing sessions that are currently being tracked and inspected by CBAC.

Command Description: To view Context-based Access Control (CBAC) configuration and session information, use the show ip inspect command in privileged EXEC mode.
Example:
router# show ip inspect name myinspectionrule
router# show ip inspect config
router# show ip inspect interfaces

router# show ip inspect sessions router# show ip inspect sessions detail router# show ip inspect all Misconceptions: none Related commands: none Sample Configurations: The following example shows sample output for the show ip inspect name myinspectionrule command, where the inspection rule "myinspectionrule" is configured: Inspection Rule Configuration Inspection name myinspectionrule tcp timeout 3600 udp timeout 30 ftp timeout 3600 The output shows the protocols that should be inspected by CBAC and the corresponding idle timeouts for each protocol. The following is sample output for the show ip inspect config command: Session audit trail is disabled one-minute (sampling period) thresholds are [400:500] connections max-incomplete sessions thresholds are [400:500] max-incomplete tcp connections per host is 50. Block-time 0 minute. tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec tcp idle-time is 3600 sec -- udp idle-time is 30 sec dns-timeout is 5 sec Inspection Rule Configuration Inspection name myinspectionrule tcp timeout 3600 udp timeout 30 ftp timeout 3600 The output shows CBAC configuration, including global timeouts, thresholds, and inspection rules.

The following is sample output for the show ip inspect interfaces command: Interface Configuration Interface Ethernet0 Inbound inspection rule is myinspectionrule tcp timeout 3600 udp timeout 30 ftp timeout 3600 Outgoing inspection rule is not set Inbound access list is not set Outgoing access list is not set The following is sample output for the show ip inspect sessions command: Established Sessions Session 25A3318 (10.0.0.1:20)=>(10.1.0.1:46068) ftp-data SIS_OPEN Session 25A6E1C (10.1.0.1:46065)=>(10.0.0.1:21) ftp SIS_OPEN The output shows the source and destination addresses and port numbers (separated by colons), and it indicates that the session is an FTP session. The following is sample output for the show ip inspect sessions detail command: Established Sessions Session 25A335C (40.0.0.1:20)=>(30.0.0.1:46069) ftp-data SIS_OPEN Created 00:00:07, Last heard 00:00:00 Bytes sent (initiator:responder) [0:3416064] acl created 1 Inbound access-list 111 applied to interface Ethernet1 Session 25A6E1C (30.0.0.1:46065)=>(40.0.0.1:21) ftp SIS_OPEN Created 00:01:34, Last heard 00:00:07 Bytes sent (initiator:responder) [196:616] acl created 1 Inbound access-list 111 applied to interface Ethernet1 The output includes times, number of bytes sent, and which access list is applied. The following is sample output for the show ip inspect all command: Session audit trail is disabled one-minute (sampling period) thresholds are [400:500] connections max-incomplete sessions thresholds are [400:500] max-incomplete tcp connections per host is 50. Block-time 0 minute. tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec tcp idle-time is 3600 sec -- udp idle-time is 30 sec

dns-timeout is 5 sec Inspection Rule Configuration Inspection name all tcp timeout 3600 udp timeout 30 ftp timeout 3600 Interface Configuration Interface Ethernet0 Inbound inspection rule is all tcp timeout 3600 udp timeout 30 ftp timeout 3600 Outgoing inspection rule is not set Inbound access list is not set Outgoing access list is not set Established Sessions Session 25A6E1C (30.0.0.1:46065)=>(40.0.0.1:21) ftp SIS_OPEN Session 25A34A0 (40.0.0.1:20)=>(30.0.0.1:46072) ftp-data SIS_OPEN
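The session listing above is the view an operator checks when hunting for stale or unexpected CBAC sessions, and it is easier to reason about once it is turned into records. The following Python is an added example, not part of the Cisco reference; the sample text it parses is constructed from the show ip inspect sessions detail format shown above, and the idle threshold passed to idle_over() is an arbitrary value chosen for the demonstration (in practice you would compare against the configured tcp and udp idle-time values).

```python
"""Parse 'show ip inspect sessions detail' output into records.

Added example; SAMPLE is constructed from the output format shown on this page.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE = """Established Sessions
 Session 25A335C (40.0.0.1:20)=>(30.0.0.1:46069) ftp-data SIS_OPEN
  Created 00:00:07, Last heard 00:00:00
  Bytes sent (initiator:responder) [0:3416064]
  acl created 1
   Inbound access-list 111 applied to interface Ethernet1
 Session 25A6E1C (30.0.0.1:46065)=>(40.0.0.1:21) ftp SIS_OPEN
  Created 00:01:34, Last heard 00:00:07
  Bytes sent (initiator:responder) [196:616]
  acl created 1
   Inbound access-list 111 applied to interface Ethernet1
"""

# One line per session: hex session id, (initiator)=>(responder), protocol, state.
SESSION_RE = re.compile(
    r"Session\s+(?P<id>[0-9A-Fa-f]+)\s+"
    r"\((?P<src>[\d.]+):(?P<sport>\d+)\)=>\((?P<dst>[\d.]+):(?P<dport>\d+)\)\s+"
    r"(?P<proto>\S+)\s+(?P<state>\S+)"
)
TIMES_RE = re.compile(r"Created\s+(\d+):(\d+):(\d+),\s+Last heard\s+(\d+):(\d+):(\d+)")
BYTES_RE = re.compile(r"Bytes sent \(initiator:responder\)\s+\[(\d+):(\d+)\]")
ACL_RE = re.compile(r"(Inbound|Outgoing) access-list (\S+) applied to interface (\S+)")


def _hms(h: str, m: str, s: str) -> int:
    """Convert an hh:mm:ss triple of strings to seconds."""
    return int(h) * 3600 + int(m) * 60 + int(s)


@dataclass
class InspectSession:
    session_id: str
    initiator: str
    responder: str
    protocol: str
    state: str
    age_s: Optional[int] = None       # seconds since "Created"
    idle_s: Optional[int] = None      # seconds since "Last heard"
    bytes_init: Optional[int] = None
    bytes_resp: Optional[int] = None
    acl: Optional[str] = None         # access list the dynamic entry was added to


def parse_sessions(text: str) -> List[InspectSession]:
    """Return one InspectSession per 'Session' line, with its detail lines attached."""
    sessions: List[InspectSession] = []
    cur: Optional[InspectSession] = None
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            cur = InspectSession(
                session_id=m["id"],
                initiator=f"{m['src']}:{m['sport']}",
                responder=f"{m['dst']}:{m['dport']}",
                protocol=m["proto"],
                state=m["state"],
            )
            sessions.append(cur)
            continue
        if cur is None:
            continue  # header text before the first session
        m = TIMES_RE.search(line)
        if m:
            cur.age_s = _hms(*m.groups()[:3])
            cur.idle_s = _hms(*m.groups()[3:])
            continue
        m = BYTES_RE.search(line)
        if m:
            cur.bytes_init, cur.bytes_resp = int(m[1]), int(m[2])
            continue
        m = ACL_RE.search(line)
        if m:
            cur.acl = f"{m[1].lower()} {m[2]} on {m[3]}"
    return sessions


def idle_over(sessions: List[InspectSession], threshold_s: int) -> List[InspectSession]:
    """Sessions whose 'Last heard' age exceeds threshold_s; sessions without detail are skipped."""
    return [s for s in sessions if s.idle_s is not None and s.idle_s > threshold_s]


def bytes_by_protocol(sessions: List[InspectSession]) -> Dict[str, Tuple[int, int]]:
    """Sum (initiator, responder) byte counts per protocol, for spotting bulk transfers."""
    totals: Dict[str, Tuple[int, int]] = {}
    for s in sessions:
        i, r = totals.get(s.protocol, (0, 0))
        totals[s.protocol] = (i + (s.bytes_init or 0), r + (s.bytes_resp or 0))
    return totals


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE):
        print(s)
```

The parser only keys on the field labels shown in the output above, so it tolerates different indentation; a session record that lacks detail lines (as in the plain show ip inspect sessions form) simply keeps the optional fields at None.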

Command Name: banner exec
Mode: router(config)#
Syntax:
banner exec d message d
no banner exec
Syntax Description:
d          Delimiting character of your choice, a pound sign (#) for example. You cannot use the delimiting character in the banner message.
message    Message text. You can include tokens in the form $(token) in the message text. Tokens will be replaced with the corresponding configuration variable. Tokens are described below.
Command Description:
To specify and enable a message to be displayed when an EXEC process is created (an EXEC banner), use the banner exec global configuration command. To delete the existing EXEC banner, use the no form of this command.
Usage Guidelines
This command specifies a message to be displayed when an EXEC process is created (a line is activated, or an incoming connection is made to a vty). Follow this command with one or more blank spaces and a delimiting character of your choice. Then enter one or more lines of text, terminating the message with the second occurrence of the delimiting character.
When a user connects to a router, the message-of-the-day (MOTD) banner appears first, followed by the login banner and prompts. After the user logs in to the router, the EXEC banner or incoming banner will be displayed, depending on the type of connection. For a reverse Telnet login, the incoming banner will be displayed. For all other connections, the router will display the EXEC banner.
To disable the EXEC banner on a particular line or lines, use the no exec-banner line configuration command.
To customize the banner, use tokens in the form $(token) in the message text. Tokens will display current Cisco IOS configuration variables, such as the router's host name and IP address. The tokens are described below.
Banner exec Tokens
Token          Information Displayed in the Banner
$(hostname)    Displays the host name for the router.
$(domain)      Displays the domain name for the router.
$(line)        Displays the vty or tty (asynchronous) line number.
$(line-desc)   Displays the description attached to the line.
Example:
The following example sets an EXEC banner that uses tokens. The percent sign (%) is used as a delimiting character. Notice that the $(token) syntax is replaced by the corresponding configuration variable.
Router(config)# banner exec %
Enter TEXT message. End with the character '%'.
Session activated on line $(line), $(line-desc). Enter commands at the prompt.
%
When a user logs on to the system, the following output is displayed:
User Access Verification
Username: joeuser
Password: <password>
Session activated on line 50, vty default line. Enter commands at the prompt.
Router>
Misconceptions: none
Related commands:
banner incoming
banner login
banner motd
banner slip-ppp
exec-banner
Sample Configurations:

Command Name: banner incoming
Mode: router(config)#
Syntax:
banner incoming d message d
no banner incoming
Syntax Description:
d          Delimiting character of your choice, a pound sign (#) for example. You cannot use the delimiting character in the banner message.
message    Message text. You can include tokens in the form $(token) in the message text. Tokens will be replaced with the corresponding configuration variable. Tokens are described below.
Command Description:
To define and enable a banner to be displayed when there is an incoming connection to a terminal line from a host on the network, use the banner incoming global configuration command. To delete the incoming connection banner, use the no form of this command.
Usage Guidelines
Follow the banner incoming command with one or more blank spaces and a delimiting character of your choice. Then enter one or more lines of text, terminating the message with the second occurrence of the delimiting character.
An incoming connection is one initiated from the network side of the router. Incoming connections are also called reverse Telnet sessions. These sessions can display MOTD banners and incoming banners, but they do not display EXEC banners. Use the no motd-banner line configuration command to disable the MOTD banner for reverse Telnet sessions on asynchronous lines.
When a user connects to the router, the message-of-the-day (MOTD) banner (if configured) appears first, before the login prompt. After the user successfully logs in to the router, the EXEC banner or incoming banner will be displayed, depending on the type of connection. For a reverse Telnet login, the incoming banner will be displayed. For all other connections, the router will display the EXEC banner.
Incoming banners cannot be suppressed on a per-line basis. If you do not want the incoming banner to appear, you must delete it with the no banner incoming command.
To customize the banner, use tokens in the form $(token) in the message text. Tokens will display current Cisco IOS configuration variables, such as the router's host name and IP address. The tokens are described below.
Banner incoming Tokens
Token          Information Displayed in the Banner
$(hostname)    Displays the host name for the router.
$(domain)      Displays the domain name for the router.
$(line)        Displays the vty or tty (asynchronous) line number.
$(line-desc)   Displays the description attached to the line.
Example:
The following example sets an incoming connection banner. The pound sign (#) is used as a delimiting character.
Router(config)# banner incoming # This is the Reuses router. #
The following example sets an incoming connection banner that uses several tokens. The percent sign (%) is used as a delimiting character.
darkstar(config)# banner incoming %
Enter TEXT message. End with the character '%'.
You have entered $(hostname).$(domain) on line $(line) ($(line-desc))
%
When the incoming connection banner is executed, the user will see the following banner. Notice that the $(token) syntax is replaced by the corresponding configuration variable.
You have entered darkstar.ourdomain.com on line 5 (Dialin Modem)
Misconceptions: none
Related commands:
banner exec
banner login
banner motd
banner slip-ppp
Sample Configurations:

Command Name: banner login
Mode: router(config)#
Syntax:
banner login d message d
no banner login
Syntax Description:
d          Delimiting character of your choice, a pound sign (#) for example. You cannot use the delimiting character in the banner message.
message    Message text. You can include tokens in the form $(token) in the message text. Tokens will be replaced with the corresponding configuration variable. Tokens are described below.
Command Description:
To define and enable a customized banner to be displayed before the username and password login prompts, use the banner login global configuration command. To disable the login banner, use the no form of this command.
Usage Guidelines
Follow the banner login command with one or more blank spaces and a delimiting character of your choice. Then enter one or more lines of text, terminating the message with the second occurrence of the delimiting character.
When a user connects to the router, the message-of-the-day (MOTD) banner (if configured) appears first, followed by the login banner and prompts. After the user successfully logs in to the router, the EXEC banner or incoming banner will be displayed, depending on the type of connection. For a reverse Telnet login, the incoming banner will be displayed. For all other connections, the router will display the EXEC banner.
To customize the banner, use tokens in the form $(token) in the message text. Tokens will display current Cisco IOS configuration variables, such as the router's host name and IP address. The tokens are described below. Because the login banner is shown before any credential is entered, tokens such as $(hostname) and $(domain) disclose the device identity to every unauthenticated connection; a common hardening practice is to keep the login (and MOTD) banner to a legal notice and use identifying tokens only in the EXEC banner, which appears after login.
Banner login Tokens
Token          Information Displayed in the Banner
$(hostname)    Displays the host name for the router.
$(domain)      Displays the domain name for the router.
$(line)        Displays the vty or tty (asynchronous) line number.
$(line-desc)   Displays the description attached to the line.
Example:
The following example sets a login banner. Double quotes (") are used as the delimiting character.
Router(config)# banner login " Access for authorized users only. Please enter your username and password. "
The following example sets a login banner that uses several tokens. The percent sign (%) is used as the delimiting character.
darkstar(config)# banner login %
Enter TEXT message. End with the character '%'.
You have entered $(hostname).$(domain) on line $(line) ($(line-desc))
%
When the login banner is executed, the user will see the following banner. Notice that the $(token) syntax is replaced by the corresponding configuration variable.
You have entered darkstar.ourdomain.com on line 5 (Dialin Modem)
Misconceptions: none
Related commands:
banner exec
banner incoming
banner motd
banner slip-ppp
Sample Configurations:
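The banner exec, banner incoming and banner login entries above all share one syntax: an arbitrary delimiter character opens and closes a message that may span several lines, and the message may carry $(token) references that are expanded at display time. Auditing a saved configuration for these banners therefore needs a small delimiter-aware extractor rather than a line-by-line grep. The following Python is an added example, not Cisco code; the configuration text is constructed from the examples on this page (IOS renders a Ctrl-C delimiter as ^C in show running-config, which the extractor accepts), and the "authorized" phrase check stands in for whatever wording your own legal-notice policy requires.

```python
"""Extract and audit banner commands from an IOS configuration.

Added example; SAMPLE_CONFIG is constructed from the banner examples on this page.
"""
import re
from typing import Dict, List

SAMPLE_CONFIG = """hostname darkstar
!
banner motd # Building power will be off Tuesday. #
banner login %
You have entered $(hostname).$(domain) on line $(line) ($(line-desc))
%
banner exec ^C
Session activated on line $(line), $(line-desc).
^C
!
line vty 0 4
 exec-timeout 5 0
"""

BANNER_TYPES = ("exec", "incoming", "login", "motd", "slip-ppp")
# Tokens that reveal the device identity; harmless after login, a leak before it.
PREAUTH_TOKENS = ("$(hostname)", "$(domain)")
BANNER_RE = re.compile(r"\s*banner\s+(\S+)\s+(.*)$")


def extract_banners(config: str) -> Dict[str, str]:
    """Return {banner_type: message} for each banner in the configuration.

    The delimiter is the first character after 'banner <type> ', except that a
    two-character '^X' sequence (how IOS shows a control character) is taken
    whole.  The message runs from just after the opening delimiter up to the
    next occurrence of the same delimiter, across line breaks if necessary.
    """
    banners: Dict[str, str] = {}
    lines = config.splitlines()
    i = 0
    while i < len(lines):
        m = BANNER_RE.match(lines[i])
        if not m or m[1] not in BANNER_TYPES:
            i += 1
            continue
        btype, after = m[1], m[2]
        if len(after) >= 2 and after[0] == "^" and after[1].isalpha():
            delim = after[:2]
        else:
            delim = after[:1]
        buf = after[len(delim):]
        i += 1
        # Keep appending lines until the closing delimiter shows up.
        while delim not in buf and i < len(lines):
            buf += "\n" + lines[i]
            i += 1
        banners[btype] = buf.split(delim, 1)[0].strip()
    return banners


def audit_banners(banners: Dict[str, str], required_login_phrase: str = "authorized") -> List[str]:
    """Return findings about banners shown before authentication.

    required_login_phrase is an assumed policy requirement for this example.
    """
    findings: List[str] = []
    login = banners.get("login")
    if login is None:
        findings.append("no login banner: nothing is shown before the username prompt")
    else:
        leaked = [t for t in PREAUTH_TOKENS if t in login]
        if leaked:
            findings.append("login banner exposes " + ", ".join(leaked) + " before authentication")
        if required_login_phrase.lower() not in login.lower():
            findings.append(f"login banner lacks required phrase {required_login_phrase!r}")
    motd = banners.get("motd")
    if motd and any(t in motd for t in PREAUTH_TOKENS):
        findings.append("motd banner exposes host identity before authentication")
    return findings


if __name__ == "__main__":
    found = extract_banners(SAMPLE_CONFIG)
    for kind, text in found.items():
        print(f"{kind}: {text!r}")
    for finding in audit_banners(found):
        print("FINDING:", finding)
```

Run against the constructed configuration, the extractor recovers all three banners and the audit reports two findings for the login banner: it expands $(hostname) and $(domain) before authentication, and it carries no authorized-use wording. The EXEC banner's tokens raise nothing, since that banner is displayed only after a successful login.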

Command Name: banner motd
Mode: router(config)#
Syntax:
banner motd d message d
no banner motd
Syntax Description:
d          Delimiting character of your choice, a pound sign (#) for example. You cannot use the delimiting character in the banner message.
message    Message text. You can include tokens in the form $(token) in the message text. Tokens will be replaced with the corresponding configuration variable.
Command Description:
To define and enable a message-of-the-day (MOTD) banner, use the banner motd global configuration command. To delete the MOTD banner, use the no form of this command.
Usage Guidelines
Follow this command with one or more blank spaces and a delimiting character of your choice. Then enter one or more lines of text, terminating the message with the second occurrence of the delimiting character.
This MOTD banner is displayed to all terminals connected and is useful for sending messages that affect all users (such as impending system shutdowns). Use the no exec-banner or no motd-banner command to disable the MOTD banner on a line. The no exec-banner command also disables the EXEC banner on the line.
When a user connects to the router, the MOTD banner appears before the login prompt. After the user logs in to the router, the EXEC banner or incoming banner will be displayed, depending on the type of connection. For a reverse Telnet login, the incoming banner will be displayed. For all other connections, the router will display the EXEC banner.
To customize the banner, use tokens in the form $(token) in the message text. Tokens will display current Cisco IOS configuration variables, such as the router's host name and IP address. The tokens are described below.
Banner motd Tokens
Token          Information Displayed in the Banner
$(hostname)    Displays the host name for the router.
$(domain)      Displays the domain name for the router.
$(line)        Displays the vty or tty (asynchronous) line number.
$(line-desc)   Displays the description attached to the line.
Example:
The following example configures an MOTD banner. The pound sign (#) is used as a delimiting character.
Router(config)# banner motd # Building power will be off from 7:00 AM until 9:00 AM this coming Tuesday. #
The following example configures an MOTD banner with a token. The percent sign (%) is used as a delimiting character.
darkstar(config)# banner motd %
Enter TEXT message. End with the character '%'.
Notice: all routers in $(domain) will be upgraded beginning April 20
%
When the MOTD banner is executed, the user will see the following. Notice that the $(token) syntax is replaced by the corresponding configuration variable.
Notice: all routers in ourdomain.com will be upgraded beginning April 20
Misconceptions: none
Related commands:
banner exec
banner incoming
banner login
banner slip-ppp
motd-banner
Sample Configurations:

Command Name: banner slip-ppp
Mode: router(config)#
Syntax:
banner slip-ppp d message d
no banner slip-ppp
Syntax Description:
d          Delimiting character of your choice, a pound sign (#) for example. You cannot use the delimiting character in the banner message.
message    Message text. You can include tokens in the form $(token) in the message text. Tokens will be replaced with the corresponding configuration variable.
Command Description:
To customize the banner that is displayed when a SLIP or PPP connection is made, use the banner slip-ppp global configuration command. To restore the default SLIP or PPP banner, use the no form of this command.
Usage Guidelines
Follow this command with one or more blank spaces and a delimiting character of your choice. Then enter one or more lines of text, terminating the message with the second occurrence of the delimiting character.
Use this command to define a custom SLIP or PPP connection message. This is useful when legacy client applications require a specialized connection string.
To customize the banner, use tokens in the form $(token) in the message text. Tokens will display current Cisco IOS configuration variables, such as the router's host name, IP address, encapsulation type, and MTU size. The banner tokens are described below.
Banner slip-ppp Tokens
Token          Information Displayed in the Banner
$(hostname)    Displays the host name of the router.
$(domain)      Displays the domain name of the router.
$(peer-ip)     Displays the IP address of the peer machine.
$(gate-ip)     Displays the IP address of the gateway machine.
$(encap)       Displays the encapsulation type (SLIP, PPP, and so on).
$(encap-alt)   Displays the encapsulation type as SL/IP instead of SLIP.
$(mtu)         Displays the Maximum Transmission Unit (MTU) size.
Example:
The following example sets the SLIP/PPP banner using several tokens and the percent sign (%) as the delimiting character:
Router(config)# banner slip-ppp %
Enter TEXT message. End with the character '%'.
Starting $(encap) connection from $(gate-ip) to $(peer-ip) using a maximum packet size of $(mtu) bytes...
%
The new SLIP/PPP banner will now be displayed when the slip EXEC command is used. Notice that the $(token) syntax is replaced by the corresponding configuration variable.
Router# slip
Starting SLIP connection from 172.16.69.96 to 192.168.1.200 using a maximum packet size of 1500 bytes...
Misconceptions: none
Related commands:
banner exec
banner incoming
banner motd
slip
ppp
Sample Configurations:

Command Name: clear tcp
Mode: router#
Syntax:
clear tcp {line line-number | local hostname port remote hostname port | tcb address}
Syntax Description:
line line-number                          Line number of the TCP connection to clear.
local hostname port remote hostname port  Host name of the local router and port and host name of the remote router and port of the TCP connection to clear.
tcb address                               Transmission Control Block (TCB) address of the TCP connection to clear. The TCB address is an internal identifier for the endpoint.
Command Description:
To clear a TCP connection, use the clear tcp privileged EXEC command.
Usage Guidelines
The clear tcp command is particularly useful for clearing hung TCP connections.
The clear tcp line line-number command terminates the TCP connection on the specified tty line. Additionally, all TCP sessions initiated from that tty line are terminated.
The clear tcp local hostname port remote hostname port command terminates the specific TCP connection identified by the host name and port pair of the local and remote router.
The clear tcp tcb address command terminates the specific TCP connection identified by the TCB address.
Example:
The following example clears a TCP connection using its tty line number. The show tcp command displays the line number (tty2) that is used in the clear tcp command.
Router# show tcp
tty2, virtual tty from host router20.cisco.com
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Local host: 171.69.233.7, Local port: 23
Foreign host: 171.69.61.75, Foreign port: 1058

Enqueued packets for retransmit: 0, input: 0, saved: 0

Event Timers (current time is 0x36144):
Timer      Starts  Wakeups  Next
Retrans         4        0   0x0
TimeWait        0        0   0x0
AckHold         7        4   0x0
SendWnd         0        0   0x0
KeepAlive       0        0   0x0
GiveUp          0        0   0x0
PmtuAger        0        0   0x0

iss: 4151109680  snduna: 4151109752  sndnxt: 4151109752  sndwnd: 24576
irs: 1249472001  rcvnxt: 1249472032  rcvwnd:   4258  delrcvwnd:    30

SRTT: 710 ms, RTTO: 4442 ms, RTV: 1511 ms, KRTT: 0 ms
minRTT: 0 ms, maxRTT: 300 ms, ACK hold: 300 ms

Router# clear tcp line 2
[confirm]
[OK]
The following example clears a TCP connection by specifying its local router host name and port and its remote router host name and port. The show tcp brief command displays the local (Local Address) and remote (Foreign Address) host names and ports to use in the clear tcp command.
Router# show tcp brief
TCB       Local Address           Foreign Address         (state)
60A34E9C  router1.cisco.com.23    router20.cisco.1055     ESTAB
Router# clear tcp local router1 23 remote router20 1055
[confirm]
[OK]
The following example clears a TCP connection using its TCB address. The show tcp brief command displays the TCB address to use in the clear tcp command.
Router# show tcp brief
TCB       Local Address           Foreign Address         (state)
60B75E48  router1.cisco.com.23    router20.cisco.1054     ESTAB
Router# clear tcp tcb 60B75E48
[confirm]
[OK]
Misconceptions: none
Related commands:
show tcp
show tcp brief
Sample Configurations:

Command Name: exec
Mode: router(config-line)#
Syntax:
exec
no exec
Syntax Description:
This command has no arguments or keywords.
Command Description:
To allow an EXEC process on a line, use the exec line configuration command. To turn off the EXEC process for the specified line, use the no form of this command.
Usage Guidelines
When you want to allow an outgoing connection only for a line, use the no exec command. When a user tries to Telnet to a line with the no exec command configured, the user will get no response when pressing the Return key at the login screen.
Example:
The following example turns off the EXEC process on line 7. You might want to do this on the auxiliary port if the attached device (for example, the control port of a rack of modems) sends unsolicited data. If this happens, an EXEC process starts, which makes the line unavailable.
router(config)#line 7
router(config-line)#no exec
Misconceptions: none
Related commands: none
Sample Configurations:

Command Name: exec-banner
Mode: router(config-line)#
Syntax:
exec-banner
no exec-banner
Syntax Description:
This command has no arguments or keywords.
Command Description:
To reenable the display of EXEC and message-of-the-day (MOTD) banners on the specified line or lines, use the exec-banner line configuration command. To suppress the banners on the specified line or lines, use the no form of this command.
Usage Guidelines
This command determines whether the router will display the EXEC banner and the message-of-the-day (MOTD) banner when an EXEC session is created. These banners are defined with the banner exec and banner motd global configuration commands. By default, these banners are enabled on all lines. Disable the EXEC and MOTD banners using the no exec-banner command.
This command has no effect on the incoming banner, which is controlled by the banner incoming command.
The MOTD banner can also be disabled by the no motd-banner line configuration command, which disables MOTD banners on a line. If the no exec-banner command is configured on a line, the MOTD banner will be disabled regardless of whether the motd-banner command is enabled or disabled.
For reverse Telnet connections, the EXEC banner is never displayed. Instead, the incoming banner is displayed. The MOTD banner is displayed by default, but it is disabled if either the no exec-banner command or the no motd-banner command is configured.
Example:
The following example suppresses the EXEC and MOTD banners on virtual terminal lines 0 to 4:
router(config)#line vty 0 4
router(config-line)#no exec-banner
Misconceptions: none
Related commands:
banner exec
banner incoming
banner motd
motd-banner
Sample Configurations:

Command Name: exec-timeout
Mode: router(config-line)#
Syntax:
exec-timeout minutes [seconds]
no exec-timeout
Syntax Description:
minutes    Integer that specifies the number of minutes.
seconds    (Optional) Additional time interval in seconds.
Command Description:
To set the interval that the EXEC command interpreter waits until user input is detected, use the exec-timeout line configuration command. To remove the timeout definition, use the no form of this command.
Usage Guidelines
If no input is detected during the interval, the EXEC facility resumes the current connection. If no connections exist, the EXEC facility returns the terminal to the idle state and disconnects the incoming session.
To specify no timeout, enter the exec-timeout 0 0 command. With the timeout disabled, an authenticated session that is left unattended stays open until it is explicitly closed, so a finite value on the console, auxiliary, and vty lines is the safer setting.
Example:
The following example sets a time interval of 2 minutes, 30 seconds:
router(config)#line console
router(config-line)#exec-timeout 2 30
The following example sets a time interval of 10 seconds:
router(config)#line console
router(config-line)#exec-timeout 0 10
Misconceptions: none
Related commands: none
Sample Configurations:
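The exec and exec-timeout entries above describe two per-line settings that decide whether an EXEC process can start on a line at all and how long an idle one survives. Both live under line blocks in the running configuration, so a review of a saved configuration can check them together. The following Python is an added example, not Cisco code: it parses the indented line blocks of a constructed configuration, records whether EXEC is enabled and the effective exec-timeout in seconds, and reports lines where the timeout is disabled with exec-timeout 0 0, not explicitly set (IOS then applies its 10-minute default), or longer than an assumed maximum that you would replace with your own policy value.

```python
"""Audit 'line' blocks of an IOS configuration for exec and exec-timeout.

Added example; SAMPLE_CONFIG is constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_CONFIG = """line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
 no exec
 exec-timeout 0 0
line vty 0 4
 exec-timeout 2 30
 transport input ssh
line vty 5 15
 transport input ssh
!
end
"""

DEFAULT_EXEC_TIMEOUT_S = 600  # IOS default when no exec-timeout is configured


@dataclass
class LineBlock:
    name: str                          # e.g. "line vty 0 4"
    exec_enabled: bool = True          # "no exec" turns the EXEC process off
    exec_timeout_s: Optional[int] = None  # None: not explicitly configured


def parse_line_blocks(config: str) -> List[LineBlock]:
    """Collect each 'line ...' block and the indented subcommands beneath it."""
    blocks: List[LineBlock] = []
    cur: Optional[LineBlock] = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            cur = LineBlock(name=raw.strip())
            blocks.append(cur)
            continue
        if cur is None or not raw.startswith(" "):
            cur = None  # any non-indented command ends the current block
            continue
        cmd = raw.strip()
        if cmd == "no exec":
            cur.exec_enabled = False
        elif cmd == "exec":
            cur.exec_enabled = True
        elif cmd.startswith("exec-timeout "):
            parts = cmd.split()
            minutes = int(parts[1])
            seconds = int(parts[2]) if len(parts) > 2 else 0
            cur.exec_timeout_s = minutes * 60 + seconds
    return blocks


def audit_lines(blocks: List[LineBlock], max_idle_s: int = DEFAULT_EXEC_TIMEOUT_S) -> List[str]:
    """Return one finding per line whose idle handling needs attention.

    max_idle_s is an assumed policy ceiling for this example.
    """
    findings: List[str] = []
    for b in blocks:
        if not b.exec_enabled:
            continue  # no EXEC process can start here, so no idle session to time out
        if b.exec_timeout_s is None:
            findings.append(f"{b.name}: no explicit exec-timeout (IOS default of "
                            f"{DEFAULT_EXEC_TIMEOUT_S // 60} minutes applies)")
        elif b.exec_timeout_s == 0:
            findings.append(f"{b.name}: exec-timeout 0 0 leaves idle sessions open indefinitely")
        elif b.exec_timeout_s > max_idle_s:
            findings.append(f"{b.name}: exec-timeout of {b.exec_timeout_s}s exceeds {max_idle_s}s")
    return findings


if __name__ == "__main__":
    for finding in audit_lines(parse_line_blocks(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```

On the constructed configuration the console line is flagged for exec-timeout 0 0, the auxiliary line is skipped because no exec means no EXEC process can be started on it, vty 0 4 passes with 150 seconds, and vty 5 15 is reported for relying on the default.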

Command Name: lock
Mode: router>
Syntax:
lock
Syntax Description:
This command has no arguments or keywords.
Command Description:
To configure a temporary password on a line, use the lock EXEC command.
Usage Guidelines
You can prevent access to your session while keeping your connection open by setting up a temporary password. To lock access to the terminal, perform the following steps:
Step 1 Enter the lock command. The system prompts you for a password.
Step 2 Enter a password, which can be any arbitrary string. The system will prompt you to confirm the password. The screen then clears and displays the message "Locked."
Step 3 To regain access to your sessions, reenter the password.
The Cisco IOS software honors session timeouts on locked lines. You must clear the line to remove this feature.
The system administrator must set the line up to allow use of the temporary locking feature by using the lockable line configuration command.
Example:
Router(config-line)# lockable
Router(config-line)# ^Z
Router# copy system:running-config nvram:startup-config
Building configuration...
OK
Router# lock
Password: <password>
Again: <password>

Locked

Password: <password>
Router#
Misconceptions: none
Related commands:
lockable
login (EXEC)
Sample Configurations:

Command Name: menu clear-screen
Mode: router(config)#
Syntax:
menu menu-name clear-screen
Syntax Description:
menu-name    Name of the menu this command should be applied to.
Command Description:
To clear the terminal screen before displaying a menu, use the menu clear-screen global configuration command.
Usage Guidelines
This command uses a terminal-independent mechanism based on termcap entries defined in the router and the configured terminal type for the user. This command allows the same menu to be used on multiple types of terminals instead of having terminal-specific strings embedded within menu titles. If the termcap entry does not contain a clear string, the menu system enters 24 new lines, causing all existing text to scroll off the top of the terminal screen.
Example:
In the following example, the terminal screen is cleared before displaying the menu named Access1:
router(config)#menu Access1 clear-screen
Misconceptions: none
Related commands:
menu (EXEC)
menu command
menu default
menu line-mode
menu options
menu prompt
menu single-space
menu status-line
menu text
menu title
no menu
Sample Configurations:

Command Name: menu command
Mode: router(config)#
Syntax:
menu menu-name command menu-item {command | menu-exit}
Syntax Description:
menu-name    Name of the menu. You can specify a maximum of 20 characters.
menu-item    Number, character, or string used as the key for the item. The key is displayed to the left of the menu item text. You can specify a maximum of 18 menu entries. When the tenth item is added to the menu, the line-mode and single-space options are activated automatically.
command      Command to issue when the user selects an item.
menu-exit    Provides a way for menu users to return to a higher-level menu or exit the menu system.
Command Description:
To specify underlying commands for user menus, use the menu command global configuration command.
Usage Guidelines
Use this command to assign actions to items in a menu. Use the menu text global configuration command to assign text to items. These commands must use the same menu name and menu selection key.
The menu command command has a special keyword for the command argument, menu-exit, that is available only within menus. It is used to exit a submenu and return to the previous menu level, or to exit the menu altogether and return to the EXEC command prompt.
You can create submenus that are opened by selecting entries in another menu. Use the menu EXEC command as the command for the submenu item.
Note: If you nest too many levels of menus, the system prints an error message on the terminal and returns to the previous menu level.
When a menu allows connections (their normal use), the command for an entry activating the connection should contain a resume command, or the line should be configured to prevent users from escaping their sessions with the escape-char none command. Otherwise, when they escape from a connection and return to the menu, there will be no way to resume the session and it will sit idle until the user logs out.
Specifying the resume command as the action that is performed for a selected menu entry permits a user to resume a named connection or connect using the specified name, if there is no active connection by that name. As an option, you can also supply the connect string needed to connect initially. When you do not supply this connect string, the command uses the specified connection name.
You can also use the resume/next command, which resumes the next connection in the user's list of connections. This function allows you to create a single menu entry that steps through all of the user's connections.
Note: A menu should not contain any exit paths that leave users in an unfamiliar interface environment.
When a particular line should always display a menu, that line can be configured with an autocommand line configuration command. Menus can be run on a per-user basis by defining a similar autocommand command for that local username.
Example:
In the following example, the commands to be issued when the menu user selects option 1, 2, or 3 are specified for the menu named Access1:
router(config)#menu Access1 command 1 tn3270 vms.cisco.com
router(config)#menu Access1 command 2 rlogin unix.cisco.com
router(config)#menu Access1 command 3 menu-exit
The following example allows a menu user to exit a menu by entering Exit at the menu prompt:
router(config)#menu Access1 text Exit Exit
router(config)#menu Access1 command Exit menu-exit
Misconceptions: none
Related commands:
autocommand
menu (EXEC)
menu clear-screen
menu default
menu line-mode
menu options
menu prompt
menu single-space
menu status-line
menu text
menu title
Sample Configurations:

Command Name: menu default
Mode: router(config)#
Syntax:
menu menu-name default menu-item
Syntax Description:
menu-name    Name of the menu. You can specify a maximum of 20 characters.
menu-item    Number, character, or string key of the item to use as the default.
Command Description:
To specify the menu item to use as the default, use the menu default global configuration command.
Usage Guidelines
Use this command to specify which menu entry is used when the user presses Enter without specifying an item. The menu entries are defined by the menu command and menu text global configuration commands.
Example:
In the following example, the menu user exits the menu when pressing Enter without selecting an item:
router(config)#menu Access1 text 9 Exit the menu
router(config)#menu Access1 command 9 menu-exit
router(config)#menu Access1 default 9
Misconceptions: none
Related commands:
menu (EXEC)
menu command
menu prompt
menu text
menu title
Sample Configurations:

Command Name: menu line-mode
Mode: router(config)#
Syntax:
menu menu-name line-mode
Syntax Description:
menu-name    Name of the menu this command should be applied to.
Command Description:
To require the user to press Enter after specifying an item, use the menu line-mode global configuration command.
Usage Guidelines
In a menu of nine or fewer items, you ordinarily select a menu item by entering the item number. In line mode, you select a menu entry by entering the item number and pressing Enter. Line mode allows you to backspace over the selected number and enter another number before pressing Enter to issue the command. This option is activated automatically when more than nine menu items are defined but also can be configured explicitly for menus of nine or fewer items.
In order to use strings as keys for items, the menu line-mode command must be configured.
Example:
In the following example, the line-mode option is enabled for the menu named Access1:
router(config)#menu Access1 line-mode
Misconceptions: none
Related commands:
menu (EXEC)
menu clear-screen
menu command
menu default
menu options
menu prompt
menu single-space
menu status-line
menu text
Sample Configurations:

Command Name: menu options
Mode: router(config)#
Syntax: menu menu-name options menu-item {login | pause}

Syntax Description:

menu-name    The name of the menu. You can specify a maximum of 20 characters.

menu-item    Number, character, or string key of the item affected by the option.

login        Requires a login before issuing the command.

pause        Pauses after the command is entered before redrawing the menu.

Command Description: To set options for items in user menus, use the menu options global configuration command.

Usage Guidelines: Use the menu command and menu text global configuration commands to define a menu entry.

Example: In the following example, a login is required before issuing the command specified by menu entry 3 of the menu named Access1:

router(config)#menu Access1 options 3 login

Misconceptions: none

Related commands: menu (EXEC), menu clear-screen, menu command, menu default, menu line-mode, menu prompt, menu single-space, menu status-line, menu text, menu title

Sample Configurations:

Command Name: menu prompt
Mode: router(config)#
Syntax: menu menu-name prompt d prompt d

Syntax Description:

menu-name    Name of the menu. You can specify a maximum of 20 characters.

d            A delimiting character that marks the beginning and end of the prompt. Text delimiters are characters that do not ordinarily appear within the text of a prompt, such as slash (/), double quote ("), and tilde (~). ^C is reserved for special use and should not be used in the text of the prompt.

prompt       Prompt string for the menu.

Command Description: To specify the prompt for a user menu, use the menu prompt global configuration command.

Usage Guidelines: Press Enter after entering the first delimiter. The router will prompt you for the text of the prompt. Enter the text followed by the delimiter, and press Enter. Use the menu command and menu text commands to define the menu selections.

Example: In the following example, the prompt for the menu named Access1 is configured as "Select an item.":

Router(config)# menu Access1 prompt /
Enter TEXT message. End with the character '/'.
Select an item.
/
Router(config)#

Misconceptions: none

Related commands: menu (EXEC), menu command, menu default, menu text, menu title

Sample Configurations:

Command Name: menu single-space
Mode: router(config)#
Syntax: menu menu-name single-space

Syntax Description:

menu-name    Name of the menu this command should be applied to.

Command Description: To display menu items single-spaced rather than double-spaced, use the menu single-space global configuration command.

Usage Guidelines: When more than nine menu items are defined, the menu is displayed single-spaced. To configure menus with nine or fewer items to display single-spaced, use this command.

Example: In the following example, single-spaced menu items are displayed for the menu named Access1:

router(config)#menu Access1 single-space

Misconceptions: none

Related commands: menu (EXEC), menu clear-screen, menu command, menu default, menu line-mode, menu options, menu prompt, menu status-line, menu text, menu title

Sample Configurations:

Command Name: menu status-line
Mode: router(config)#
Syntax: menu menu-name status-line

Syntax Description:

menu-name    Name of the menu this command should be applied to.

Command Description: To display a line of status information about the current user at the top of a menu, use the menu status-line global configuration command.

Usage Guidelines: This command displays the status information at the top of the screen before the menu title is displayed. This status line includes the router's host name, the user's line number, and the current terminal type and keymap type (if any).

Example: In the following example, status information is enabled for the menu named Access1:

router(config)#menu Access1 status-line

Misconceptions: none

Related commands: menu (EXEC), menu clear-screen, menu command, menu default, menu line-mode, menu options, menu prompt, menu single-space, menu text, menu title

Sample Configurations:

Command Name: menu text
Mode: router(config)#
Syntax: menu menu-name text menu-item menu-text

Syntax Description:

menu-name    Name of the menu. You can specify a maximum of 20 characters.

menu-item    Number, character, or string used as the key for the item. The key is displayed to the left of the menu item text. You can specify a maximum of 18 menu items. When the tenth item is added to the menu, the menu line-mode and menu single-space commands are activated automatically.

menu-text    Text of the menu item.

Command Description: To specify the text of a menu item in a user menu, use the menu text global configuration command.

Usage Guidelines: Use this command to assign text to items in a menu. Use the menu command command to assign actions to items. These commands must use the same menu name and menu selection key. You can specify a maximum of 18 items in a menu.

Example: In the following example, the descriptive text for the three entries is specified for options 1, 2, and 3 in the menu named Access1:

router(config)#menu Access1 text 1 IBM Information Systems
router(config)#menu Access1 text 2 UNIX Internet Access
router(config)#menu Access1 text 3 Exit menu system

Misconceptions: none

Related commands: menu (EXEC), menu clear-screen, menu command, menu default, menu line-mode, menu options, menu prompt, menu single-space, menu status-line, menu title

Sample Configurations:

Command Name: menu title
Mode: router(config)#
Syntax: menu menu-name title d menu-title d

Syntax Description:

menu-name    Name of the menu. You can specify a maximum of 20 characters.

d            A delimiting character that marks the beginning and end of a title. Text delimiters are characters that do not ordinarily appear within the text of a title, such as slash (/), double quote ("), and tilde (~). ^C is reserved for special use and should not be used in the text of the title.

menu-title   Lines of text to appear at the top of the menu.

Command Description: To create a title (banner) for a user menu, use the menu title global configuration command.

Usage Guidelines: The menu title command must use the same menu name used with the menu text and menu command commands used to create a menu. You can position the title of the menu horizontally by preceding the title text with blank characters. You can also add lines of space above and below the title by pressing Enter.

Follow the title keyword with one or more blank characters and a delimiting character of your choice. Then enter one or more lines of text, ending the title with the same delimiting character. You cannot use the delimiting character within the text of the message.

When you are configuring from a terminal and are attempting to include special control characters, such as a screen-clearing string, you must use Ctrl-V before the special control characters so that they are accepted as part of the title string. The string ^[[H^[[J is an escape string used by many VT100-compatible terminals to clear the screen. To use a special string, you must enter Ctrl-V before each escape character.

You can also use the menu clear-screen global configuration command to clear the screen before displaying menus and submenus, instead of embedding a terminal-specific string in the menu title. The menu clear-screen command allows the same menu to be used on different types of terminals.

Example: In the following example, the title that will be displayed is specified when the menu named Access1 is invoked. Press Enter after the second slash (/) to display the prompt.

Router(config)# menu Access1 title /
Enter TEXT message. End with the character '/'.
Welcome to Access1 Internet Services.
Type a number to select an option;
Type 9 to exit the menu.
/
Router(config)#

Misconceptions: none

Related commands: menu (EXEC), menu clear-screen, menu command, menu line-mode, menu options, menu prompt, menu single-space, menu status-line, menu text

Sample Configurations:

Command Name: motd-banner
Mode: router(config)#
Syntax: motd-banner
        no motd-banner

Syntax Description: This command has no arguments or keywords.

Command Description: To enable the display of message-of-the-day (MOTD) banners on the specified line or lines, use the motd-banner line configuration command. To suppress the MOTD banners on the specified line or lines, use the no form of this command.

Usage Guidelines: This command determines whether the router will display the MOTD banner when an EXEC session is created on the specified line or lines. The MOTD banner is defined with the banner motd global configuration command. By default, the MOTD banner is enabled on all lines. Disable the MOTD banner on specific lines using the no motd-banner line configuration command.

The MOTD banners can also be disabled by the no exec-banner line configuration command, which disables both MOTD banners and EXEC banners on a line. If the no exec-banner command is configured on a line, the MOTD banner will be disabled regardless of whether the motd-banner command is enabled or disabled.

For reverse Telnet connections, the EXEC banner is never displayed. Instead, the incoming banner is displayed. The MOTD banner is displayed by default, but it is disabled if either the no exec-banner command or the no motd-banner command is configured.

Example: The following example suppresses the MOTD banner on vty lines 0 through 4:

router(config)#line vty 0 4
router(config-line)#no motd-banner

Misconceptions: none

Related commands: banner exec, banner incoming, banner motd, motd-banner

Sample Configurations:

Command Name: name-connection
Mode: router>
Syntax: name-connection

Syntax Description: This command has no arguments or keywords.

Command Description: To assign a logical name to a connection, use the name-connection user EXEC command.

Usage Guidelines: This command can be useful for keeping track of multiple connections. You are prompted for the connection number and name to assign. The where command displays a list of the assigned logical connection names.

Example: The following example assigns the logical name blue to the connection:

Router> where
Conn Host       Address          Byte  Idle  Conn Name
*  1 doc-2509   172.30.162.131      0     0  doc-2509
Router> name-connection
Connection number: 1
Enter logical name: blue
Connection 1 to doc-2509 will be named "BLUE" [confirm]

Misconceptions: none

Related commands: where

Sample Configurations:

Command Name: no menu
Mode: router(config)#
Syntax: no menu menu-name

Syntax Description:

menu-name    Name of the menu to delete from the configuration file.

Command Description: To delete a user menu from the configuration file, use the no menu global configuration command.

Usage Guidelines: Use this command to remove any menu commands for a particular menu from the configuration file. As with all global configuration commands, this command will only affect the startup configuration file when you save the running configuration using the copy running-config startup-config EXEC command.

Example: The following example deletes the menu named Access1:

router(config)#no menu Access1

Misconceptions: none

Related commands: menu (EXEC), menu command, menu prompt, menu text, menu title

Sample Configurations:

Command Name: refuse-message
Mode: router(config-line)#
Syntax: refuse-message d message d
        no refuse-message

Syntax Description:

d            Delimiting character of your choice, a pound sign (#), for example. You cannot use the delimiting character in the message.

message      Message text.

Command Description: To define and enable a line-in-use message, use the refuse-message line configuration command. To disable the message, use the no form of this command.

Usage Guidelines: Follow this command with one or more blank spaces and a delimiting character of your choice. Then enter one or more lines of text, terminating the message with the second occurrence of the delimiting character. You cannot use the delimiting character within the text of the message.

When you define a message using this command, the Cisco IOS software performs the following steps:
1. Accepts the connection.
2. Prints the custom message.
3. Clears the connection.

Example: In the following example, line 5 is configured with a line-in-use message, and the user is instructed to try again later:

router(config)#line 5
router(config-line)#refuse-message /The dial-out modem is currently in use.
Please try again later./

Misconceptions: none

Related commands: none

Sample Configurations:

Command Name: send
Mode: router#
Syntax: send {line-number | * | aux number | console number | tty number | vty number}

Syntax Description:

line-number     Line number to which the message will be sent.

*               Sends a message to all lines.

aux number      Sends a message to the specified AUX port.

console number  Sends a message to the specified console port.

tty number      Sends a message to the specified asynchronous line.

vty number      Sends a message to the specified virtual asynchronous line.

Command Description: To send messages to one or all terminal lines, use the send privileged EXEC command.

Usage Guidelines: After entering this command, the system prompts for the message to be sent, which can be up to 500 characters long. Enter Ctrl-Z to end the message. Enter Ctrl-C to abort this command.

Example: The following example sends a message to all lines:

2509# send *
Enter message, end with CTRL/Z; abort with CTRL/C:
The system 2509 will be shut down in 10 minutes for repairs.^Z
Send message? [confirm]
2509#
***
*** Message from tty0 to all terminals:
***
The system 2509 will be shut down in 10 minutes for repairs.
2509#

Misconceptions: none

Related commands: none

Sample Configurations:

Command Name: service linenumber
Mode: router(config)#
Syntax: service linenumber
        no service linenumber

Syntax Description: This command has no arguments or keywords.

Command Description: To configure the Cisco IOS software to display line number information after the EXEC or incoming banner, use the service linenumber global configuration command. To disable this function, use the no form of this command.

Usage Guidelines: With the service linenumber command, you can have the Cisco IOS software display the host name, line number, and location each time an EXEC process is started or an incoming connection is made. The line number banner appears immediately after the EXEC banner or incoming banner. This feature is useful for tracking problems with modems, because the host and line for the modem connection are listed. Modem type information can also be included.

Example: In the following example, a user Telnets to Router2 before and after the service linenumber command is enabled. The second time, information about the line is displayed after the banner.

Router1> telnet Router2
Trying Router2 (172.30.162.131)... Open

Welcome to Router2.

User Access Verification

Password:
Router2> enable
Password:
Router2# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)# service linenumber
Router2(config)# end
Router2# logout

[Connection to Router2 closed by foreign host]
Router1> telnet Router2
Trying Router2 (172.30.162.131)... Open

Welcome to Router2.

Router2 line 10

User Access Verification

Password:
Router2>

Misconceptions: none

Related commands: show users

Sample Configurations:

Command Name: vacant-message
Mode: router(config-line)#
Syntax: vacant-message [d message d]
        no vacant-message

Syntax Description:

d            (Optional) Delimiting character that marks the beginning and end of the vacant message. Text delimiters are characters that do not ordinarily appear within the text of a message, such as slash (/), double quote ("), or tilde (~). ^C is reserved for special use and should not be used in the message.

message      (Optional) Vacant terminal message.

Command Description: To display an idle terminal message, use the vacant-message line configuration command. To remove the default vacant message or any other vacant message that may have been set, use the no form of this command.

Usage Guidelines: This command enables the banner to be displayed on the screen of an idle terminal. The vacant-message command without any arguments restores the default message. Follow this command with one or more blank spaces and a delimiting character of your choice. Then enter one or more lines of text, terminating the message with the second occurrence of the delimiting character.

Note: For a rotary group, you need to define only the message for the first line in the group.

Example: The following example turns on the system banner and displays this message:

router(config)#line 0
router(config-line)#vacant-message #
Welcome to Cisco Systems, Inc.
Press Return to get started.

Misconceptions: none

Related commands: none

Sample Configurations:

Command Name: clear crypto sa
Mode: router#
Syntax: clear crypto sa
        clear crypto sa peer {ip-address | peer-name}
        clear crypto sa map map-name
        clear crypto sa entry destination-address protocol spi
        clear crypto sa counters

Syntax Description:

peer                 Deletes any IPSec security associations for the specified peer.

ip-address           Specifies a remote peer's IP address.

peer-name            Specifies a remote peer's name as the fully qualified domain name, for example remotepeer.example.com.

map                  Deletes any IPSec security associations for the named crypto map set.

map-name             Specifies the name of a crypto map set.

entry                Deletes the IPSec security association with the specified address, protocol, and SPI.

destination-address  Specifies the IP address of your peer or the remote peer.

protocol             Specifies either the Encapsulation Security Protocol or Authentication Header.

spi                  Specifies an SPI (found by displaying the security association database).

Command Name: crypto dynamic-map
Mode: router(config)#
Syntax: crypto dynamic-map dynamic-map-name dynamic-seq-num
        no crypto dynamic-map dynamic-map-name [dynamic-seq-num]

Syntax Description:

dynamic-map-name  Specifies the name of the dynamic crypto map set.

dynamic-seq-num   Specifies the number of the dynamic crypto map entry.

Command Description: To create a dynamic crypto map entry and enter the crypto map configuration command mode, use the crypto dynamic-map global configuration command. To delete a dynamic crypto map set or entry, use the no form of this command.

Usage Guidelines: Use dynamic crypto maps to create policy templates that can be used when processing negotiation requests for new security associations from a remote IP Security peer, even if you do not know all of the crypto map parameters required to communicate with the remote peer (such as the peer's IP address). For example, if you do not know about all the IPSec remote peers in your network, a dynamic crypto map allows you to accept requests for new security associations from previously unknown peers. (However, these requests are not processed until the Internet Key Exchange authentication has completed successfully.)

When a router receives a negotiation request via IKE from another IPSec peer, the request is examined to see if it matches a crypto map entry. If the negotiation does not match any explicit crypto map entry, it will be rejected unless the crypto map set includes a reference to a dynamic crypto map. The dynamic crypto map is a policy template; it will accept "wildcard" parameters for any parameters not explicitly stated in the dynamic crypto map entry. This allows you to set up IPSec security associations with a previously unknown IPSec peer. (The peer still must specify matching values for the "non-wildcard" IPSec security association negotiation parameters.)

If the router accepts the peer's request, at the point that it installs the new IPSec security associations it also installs a temporary crypto map entry. This entry is filled in with the results of the negotiation. At this point, the router performs normal processing, using this temporary crypto map entry as a normal entry, even requesting new security associations if the current ones are expiring (based upon the policy specified in the temporary crypto map entry). Once the flow expires (that is, all of the corresponding security associations expire), the temporary crypto map entry is removed.

Dynamic crypto map sets are not used for initiating IPSec security associations. However, they are used for determining whether or not traffic should be protected. The only configuration required in a dynamic crypto map is the set transform-set command. All other configuration is optional.

Dynamic crypto map entries, like regular static crypto map entries, are grouped into sets. After you define a dynamic crypto map set (which commonly contains only one map entry) using this command, you include the dynamic crypto map set in an entry of the "parent" crypto map set using the crypto map (IPSec global configuration) command. The parent crypto map set is then applied to an interface.

You should make crypto map entries referencing dynamic maps the lowest priority map entries, so that negotiations for security associations will try to match the static crypto map entries first. Only after the negotiation request does not match any of the static map entries do you want it to be evaluated against the dynamic map. To make a dynamic crypto map the lowest priority map entry, give the map entry referencing the dynamic crypto map the highest seq-num of all the map entries in a crypto map set.

For both static and dynamic crypto maps, if unprotected inbound traffic matches a permit statement in an access list, and the corresponding crypto map entry is tagged as "IPSec," then the traffic is dropped because it is not IPSec-protected. (This is because the security policy as specified by the crypto map entry states that this traffic must be IPSec-protected.)

For static crypto map entries, if outbound traffic matches a permit statement in an access list and the corresponding security association (SA) is not yet established, the router will initiate new SAs with the remote peer. In the case of dynamic crypto map entries, if no SA existed, the traffic would simply be dropped (because dynamic crypto maps are not used for initiating new SAs).

Note: Use care when using the any keyword in permit entries in dynamic crypto maps. If it is possible for the traffic covered by such a permit entry to include multicast or broadcast traffic, the access list should include deny entries for the appropriate address range. Access lists should also include deny entries for network and subnet broadcast traffic, and for any other traffic that should not be IPSec protected.

Example:

router(config)#crypto map mymap 10 ipsec-isakmp
router(config)#crypto map mymap 20 ipsec-isakmp
router(config)#crypto map mymap 30 ipsec-isakmp dynamic mydynamicmap
router(config)#crypto dynamic-map mydynamicmap 10

Misconceptions: none

Related commands: crypto map (global IPSec), crypto map (interface IPSec), crypto map local-address, match address (IPSec), set peer (IPSec), set pfs, set security-association lifetime, set transform-set, show crypto dynamic-map, show crypto map (IPSec)

Sample Configurations:

crypto map mymap 10 ipsec-isakmp
 match address 101
 set transform-set my_t_set1
 set peer 10.0.0.1
 set peer 10.0.0.2
crypto map mymap 20 ipsec-isakmp
 match address 102
 set transform-set my_t_set1 my_t_set2
 set peer 10.0.0.3
crypto map mymap 30 ipsec-isakmp dynamic mydynamicmap
!
crypto dynamic-map mydynamicmap 10
 match address 103
 set transform-set my_t_set1 my_t_set2 my_t_set3
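The two rules from the Usage Guidelines that are easiest to get wrong in a larger configuration are the ordering rule (the entry that references a dynamic map should carry the highest seq-num in its set) and the single mandatory setting (set transform-set) in the dynamic map itself. The following linter is an added example written for this page, not Cisco code; it recognises only the command forms shown above (crypto map ... ipsec-isakmp [dynamic name] and crypto dynamic-map name seq) and runs over the Sample Configuration from this entry, which it embeds as constructed input.

```python
"""Lint an IOS crypto map set against the guidance above: an entry that
references a dynamic crypto map should carry the highest seq-num in its
set (so static entries are matched first), the dynamic map it names must
exist, and every dynamic crypto map entry needs a 'set transform-set'
line, the only mandatory setting. Added example, not Cisco code; it only
understands the command forms shown on this page."""
import re
from collections import defaultdict

# Constructed input: the sample configuration from the command reference above.
SAMPLE_CONFIG = """\
crypto map mymap 10 ipsec-isakmp
 match address 101
 set transform-set my_t_set1
 set peer 10.0.0.1
 set peer 10.0.0.2
crypto map mymap 20 ipsec-isakmp
 match address 102
 set transform-set my_t_set1 my_t_set2
 set peer 10.0.0.3
crypto map mymap 30 ipsec-isakmp dynamic mydynamicmap
!
crypto dynamic-map mydynamicmap 10
 match address 103
 set transform-set my_t_set1 my_t_set2 my_t_set3
"""

# Top-level command forms this linter recognises (assumed grammar, see lead-in).
STATIC_RE = re.compile(
    r"^crypto map (\S+) (\d+) ipsec-(?:isakmp|manual)(?: dynamic (\S+))?$")
DYNAMIC_RE = re.compile(r"^crypto dynamic-map (\S+) (\d+)$")


def parse(config):
    """Split a config into static map entries and dynamic map entries.

    Returns (static, dynamic) where
      static  = {map_name: [(seq_num, dynamic_name_or_None), ...]}
      dynamic = {dyn_name: {seq_num: [sub-command, ...]}}
    """
    static = defaultdict(list)
    dynamic = defaultdict(dict)
    current = None  # sub-command list of the dynamic entry being read
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" "):        # indented: sub-command of current entry
            if current is not None:
                current.append(line.strip())
            continue
        current = None
        m = STATIC_RE.match(line)
        if m:
            name, seq, dyn = m.groups()
            static[name].append((int(seq), dyn))
            continue
        m = DYNAMIC_RE.match(line)
        if m:
            name, seq = m.groups()
            current = dynamic[name].setdefault(int(seq), [])
    return static, dynamic


def lint(config):
    """Return a list of findings; an empty list means the guidance is followed."""
    static, dynamic = parse(config)
    findings = []
    for map_name, entries in static.items():
        highest = max(seq for seq, _ in entries)
        for seq, dyn in entries:
            if dyn is None:
                continue
            if dyn not in dynamic:
                findings.append(
                    f"crypto map {map_name} {seq}: dynamic map {dyn} is not defined")
            if seq != highest:
                findings.append(
                    f"crypto map {map_name} {seq}: entry referencing dynamic map "
                    f"{dyn} should have the highest seq-num (currently {highest})")
    for dyn_name, seqs in dynamic.items():
        for seq, subs in seqs.items():
            if not any(s.startswith("set transform-set") for s in subs):
                findings.append(
                    f"crypto dynamic-map {dyn_name} {seq}: missing set transform-set")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the sample configuration the linter reports nothing, because entry 30 is the highest seq-num in mymap and mydynamicmap 10 carries a set transform-set line. Moving the dynamic reference to seq 10, or dropping the transform set, produces a finding for each rule.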

Command Name: crypto ipsec security-association lifetime
Mode: router(config)#
Syntax: crypto ipsec security-association lifetime {seconds seconds | kilobytes kilobytes}
        no crypto ipsec security-association lifetime {seconds | kilobytes}

Syntax Description:

seconds seconds      Specifies the number of seconds a security association will live before expiring. The default is 3600 seconds (one hour).

kilobytes kilobytes  Specifies the volume of traffic (in kilobytes) that can pass between IPSec peers using a given security association before that security association expires. The default is 4,608,000 kilobytes.

Command Description: To change global lifetime values used when negotiating IPSec security associations, use the crypto ipsec security-association lifetime global configuration command. To reset a lifetime to the default value, use the no form of this command.

Usage Guidelines: IPSec security associations use shared secret keys. These keys and their security associations time out together.

Assuming that the particular crypto map entry does not have lifetime values configured, when the router requests new security associations during security association negotiation, it will specify its global lifetime value in the request to the peer; it will use this value as the lifetime of the new security associations. When the router receives a negotiation request from the peer, it will use the smaller of the lifetime value proposed by the peer or the locally configured lifetime value as the lifetime of the new security associations.

There are two lifetimes: a "timed" lifetime and a "traffic-volume" lifetime. The security association expires after the first of these lifetimes is reached.

If you change a global lifetime, the change is only applied when the crypto map entry does not have a lifetime value specified. The change will not be applied to existing security associations, but will be used in subsequent negotiations to establish new security associations. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear crypto sa command. Refer to the clear crypto sa command for more details.

To change the global timed lifetime, use the crypto ipsec security-association lifetime seconds form of the command. The timed lifetime causes the security association to time out after the specified number of seconds have passed.

To change the global traffic-volume lifetime, use the crypto ipsec security-association lifetime kilobytes form of the command. The traffic-volume lifetime causes the security association to time out after the specified amount of traffic (in kilobytes) has been protected by the security association's key.

Shorter lifetimes can make it harder to mount a successful key recovery attack, since the attacker has less data encrypted under the same key to work with. However, shorter lifetimes require more CPU processing time for establishing new security associations.

The lifetime values are ignored for manually established security associations (security associations installed using an ipsec-manual crypto map entry).

How These Lifetimes Work: The security association (and corresponding keys) will expire according to whichever occurs sooner, either after the number of seconds has passed (specified by the seconds keyword) or after the amount of traffic in kilobytes has passed (specified by the kilobytes keyword). A new security association is negotiated before the lifetime threshold of the existing security association is reached, to ensure that a new security association is ready for use when the old one expires. The new security association is negotiated either 30 seconds before the seconds lifetime expires or when the volume of traffic through the tunnel reaches 256 kilobytes less than the kilobytes lifetime (whichever occurs first).

If no traffic has passed through the tunnel during the entire life of the security association, a new security association is not negotiated when the lifetime expires. Instead, a new security association will be negotiated only when IPSec sees another packet that should be protected.

Example: The following example shortens both lifetimes, because the administrator feels there is a higher risk that the keys could be compromised. The timed lifetime is shortened to 2,700 seconds (45 minutes), and the traffic-volume lifetime is shortened to 2,304,000 kilobytes (10 megabytes per second for one half hour).

router#crypto ipsec security-association lifetime seconds 2700
router#crypto ipsec security-association lifetime kilobytes 2304000

Misconceptions: none

Related commands: set security-association lifetime, show crypto ipsec security-association lifetime

Sample Configurations:
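The interaction between the two lifetimes, the early renegotiation thresholds and the idle-SA rule is easier to reason about as a small model than as prose. The code below is an added example written for this page, not Cisco code; it encodes only the rules stated in the Usage Guidelines (the responder takes the smaller of the two proposals, the SA expires at the first limit reached, renegotiation starts 30 seconds or 256 kilobytes early, and an SA that carried no traffic is replaced lazily) and works through the shortened values from the Example.

```python
"""Model of the timed and traffic-volume SA lifetimes described above.
Added example, not Cisco code: it reproduces the rules stated in the
Usage Guidelines (smaller of the two proposals wins, the SA expires at
whichever limit is reached first, renegotiation starts 30 seconds or
256 kilobytes before the limit, and an idle SA is not renegotiated
proactively)."""
from dataclasses import dataclass
from typing import Optional

REKEY_SECONDS_BEFORE = 30      # IKE renegotiates this long before the timed lifetime
REKEY_KILOBYTES_BEFORE = 256   # ... or this much traffic before the volume lifetime


@dataclass(frozen=True)
class SaLifetime:
    seconds: int = 3600          # IOS default timed lifetime (one hour)
    kilobytes: int = 4_608_000   # IOS default traffic-volume lifetime


def negotiated_lifetime(local: SaLifetime, proposed: SaLifetime) -> SaLifetime:
    """Responder side: the smaller of the peer's proposal and the local value wins."""
    return SaLifetime(min(local.seconds, proposed.seconds),
                      min(local.kilobytes, proposed.kilobytes))


def is_expired(lifetime: SaLifetime, elapsed_seconds: int, kilobytes_protected: int) -> bool:
    """The SA (and its keys) expire when either limit is reached."""
    return elapsed_seconds >= lifetime.seconds or kilobytes_protected >= lifetime.kilobytes


def rekey_trigger(lifetime: SaLifetime, elapsed_seconds: int,
                  kilobytes_protected: int) -> Optional[str]:
    """Which threshold starts renegotiation of a replacement SA, or None.

    An SA that has carried no traffic at all is not renegotiated when its
    lifetime runs out; a new SA is negotiated only when the next packet
    that needs protection appears."""
    if kilobytes_protected == 0:
        return None
    if kilobytes_protected >= lifetime.kilobytes - REKEY_KILOBYTES_BEFORE:
        return "kilobytes"
    if elapsed_seconds >= lifetime.seconds - REKEY_SECONDS_BEFORE:
        return "seconds"
    return None


def effective_lifetime_seconds(lifetime: SaLifetime, kilobytes_per_second: float) -> float:
    """How long a key is actually in use at a steady traffic rate: the volume
    limit cuts the timed lifetime short once the link is busy enough."""
    if kilobytes_per_second <= 0:
        return float(lifetime.seconds)
    return min(float(lifetime.seconds), lifetime.kilobytes / kilobytes_per_second)


if __name__ == "__main__":
    # The shortened values from the example above: 2,700 s and 2,304,000 KB.
    shortened = SaLifetime(seconds=2700, kilobytes=2_304_000)
    agreed = negotiated_lifetime(shortened, SaLifetime())   # peer proposes the defaults
    print("negotiated:", agreed)
    print("busy link, 1280 KB/s:", effective_lifetime_seconds(agreed, 1280), "s")
    print("rekey at 2670 s:", rekey_trigger(agreed, 2670, 1_000))
    print("rekey at 2,303,744 KB:", rekey_trigger(agreed, 100, 2_303_744))
    print("idle SA at 2700 s:", rekey_trigger(agreed, 2700, 0))
```

The effective_lifetime_seconds helper is the practical check when tuning these values: on a link that is busy enough, the volume lifetime is the one that actually bounds how much data is encrypted under one key, and the timed lifetime only matters for quiet tunnels.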

Command Name: crypto ipsec transform-set
Mode: router(config)#
Syntax: crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]
        no crypto ipsec transform-set transform-set-name

Syntax Description:

transform-set-name               Specifies the name of the transform set to create (or modify).

transform1 transform2 transform3  Specifies up to three "transforms." These transforms define the IPSec security protocols and algorithms. Accepted transform values are described in the "Usage Guidelines" section.

Command Description: To define a transform set (an acceptable combination of security protocols and algorithms), use the crypto ipsec transform-set global configuration command. To delete a transform set, use the no form of the command.

Usage Guidelines: A transform set is an acceptable combination of security protocols, algorithms and other settings to apply to IP Security protected traffic. During the IPSec security association negotiation, the peers agree to use a particular transform set when protecting a particular data flow.

You can configure multiple transform sets, and then specify one or more of these transform sets in a crypto map entry. The transform set defined in the crypto map entry is used in the IPSec security association negotiation to protect the data flows specified by that crypto map entry's access list. During the negotiation, the peers search for a transform set that is the same at both peers. When such a transform set is found, it is selected and will be applied to the protected traffic as part of both peers' IPSec security associations.

When IKE is not used to establish security associations, a single transform set must be used. The transform set is not negotiated. Before a transform set can be included in a crypto map entry it must be defined using this command.

A transform set specifies one or two IPSec security protocols (either Encapsulation Security Protocol or Authentication Header or both) and specifies which algorithms to use with the selected security protocol. To define a transform set, you specify one to three "transforms"; each transform represents an IPSec security protocol (ESP or AH) plus the algorithm you want to use. When the particular transform set is used during negotiations for IPSec security associations, the entire transform set (the combination of protocols, algorithms, and other settings) must match a transform set at the remote peer.

In a transform set you could specify the AH protocol, the ESP protocol, or both. If you specify an ESP protocol in a transform set, you can specify just an ESP encryption transform or both an ESP encryption transform and an ESP authentication transform. The table below lists the acceptable transform combination selections for the AH and ESP protocols.

Table 22: Allowed Transform Combinations
Transform type AH Transform (Pick up to one.) Transform ah-md5-hmac ah-sha-hmac ah-sha-hmac AH with the SHA (HMAC variant) authentication algorithm AH with the SHA (HMAC variant) authentication algorithm Description AH with the MD5 (HMAC variant) authentication algorithm

ESP Encryption Transform (Pick up to one.)

esp-des esp-3des esp-null

ESP with the 56-bit DES encryption algorithm ESP with the 168-bit DES encryption algorithm (3DES or Triple DES) Null encryption algorithm

ESP Authentication Transform (Pick up to one.)

esp-md5hmac esp-shahmac

ESP with the MD5 (HMAC variant) authentication algorithm ESP with the SHA (HMAC variant) authentication algorithm

IP Compression Transform (Pick

comp-lzs

IP compression with the LZS algorithm.

up to one.)

Examples of acceptable transform combinations are:


ah-md5-hmac esp-des esp-3des and esp-md5-hmac ah-sha-hmac and esp-des and esp-sha-hmac comp-lzs

The parser will prevent you from entering invalid combinations; for example, once you specify an AH transform it will not allow you to specify another AH transform for the current transform set. IPSec Protocols: Encapsulation Security Protocol and Authentication Header Both the Encapsulation Security Protocol (ESP) and Authentication Header (AH) protocols implement security services for IPSec. ESP provides packet encryption and optional data authentication and anti-replay services. AH provides data authentication and anti-replay services. ESP encapsulates the protected dataeither a full IP datagram r(or only the payload)with an ESP header and an ESP trailer. AH is embedded in the protected data; it inserts an AH header immediately after the outer IP header and before the inner IP datagram or payload. Traffic that originates and terminates at the IPSec peers can be sent in either tunnel or transport mode; all other traffic is sent in tunnel mode. Tunnel mode encapsulates and protects a full IP datagram, while transport mode encapsulates/protects the payload of an IP datagram. For more information about modes, see the mode (IPSec) command description. Selecting Appropriate Transforms The following tips may help you select transforms that are appropriate for your situation:

If you want to provide data confidentiality, include an ESP encryption transform.
If you want to ensure data authentication for the outer IP header as well as the data, include an AH transform. (Some consider the benefits of outer IP header data integrity to be debatable.)
If you use an ESP encryption transform, also consider including an ESP authentication transform or an AH transform to provide authentication services for the transform set.
If you want data authentication (either using ESP or AH) you can choose from the MD5 or SHA (HMAC keyed hash variants) authentication algorithms. The SHA algorithm is generally considered stronger than MD5, but is slower.
Note that some transforms might not be supported by the IPSec peer.
In cases where you need to specify an encryption transform but do not actually encrypt packets, you can use the esp-null transform.

Suggested transform combinations:

esp-des and esp-sha-hmac
ah-sha-hmac and esp-des and esp-sha-hmac
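The following Python script is an added example (not Cisco IOS code) that applies the Table 22 combination rules and the selection tips above to a proposed transform set: it refuses a second transform from the same category, as the IOS parser does, requires an ESP encryption transform before an ESP authentication transform as the description states, and flags the legacy algorithms a configuration review would call out. The category names, the WEAK table and the function names are assumptions made for this example.

```python
"""Check a proposed transform set against the combination rules of Table 22.

Added example, not Cisco IOS code. The rules are taken from the description
above: at most one transform per category, an ESP authentication transform
only alongside an ESP encryption transform, and one to three transforms in
total. The weak-algorithm warnings are review guidance added here, not a
statement from the page.
"""

CATEGORIES = {
    "AH": {"ah-md5-hmac", "ah-sha-hmac"},
    "ESP encryption": {"esp-des", "esp-3des", "esp-null"},
    "ESP authentication": {"esp-md5-hmac", "esp-sha-hmac"},
    "IP compression": {"comp-lzs"},
}

# Assumed review policy: algorithms a defender would flag in a config audit.
WEAK = {
    "esp-des": "56-bit DES",
    "esp-null": "no confidentiality",
    "ah-md5-hmac": "MD5",
    "esp-md5-hmac": "MD5",
}


def category_of(transform):
    """Return the Table 22 category of a transform, or None if unknown."""
    for category, names in CATEGORIES.items():
        if transform in names:
            return category
    return None


def validate_transform_set(transforms):
    """Return (ok, message); ok is True when the combination is allowed."""
    if not 1 <= len(transforms) <= 3:
        return False, "a transform set takes one to three transforms"
    chosen = {}
    for t in transforms:
        category = category_of(t)
        if category is None:
            return False, f"unknown transform {t}"
        if category in chosen:
            # Mirrors the parser: a second transform of the same category is refused.
            return False, f"{t} conflicts with {chosen[category]} (pick up to one {category} transform)"
        chosen[category] = t
    if "ESP authentication" in chosen and "ESP encryption" not in chosen:
        return False, "ESP authentication needs an ESP encryption transform (esp-null if no encryption is wanted)"
    return True, "ok"


def review_transform_set(transforms):
    """Validate and list weak-algorithm warnings for a config review."""
    ok, message = validate_transform_set(transforms)
    warnings = [f"{t}: {WEAK[t]}" for t in transforms if ok and t in WEAK]
    return ok, message, warnings


if __name__ == "__main__":
    for candidate in (["esp-3des", "esp-md5-hmac"], ["ah-md5-hmac", "ah-sha-hmac"], ["esp-sha-hmac"]):
        print(candidate, review_transform_set(candidate))
```

Feeding the suggested combinations from the tips through review_transform_set() accepts them but reports esp-des, which is the point of the check: a combination can be valid for the parser and still weak by current standards.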

The Crypto Transform Configuration Mode
After you issue the crypto ipsec transform-set command, you are put into the crypto transform configuration mode. While in this mode, you can change the mode to tunnel or transport. (These are optional changes.) After you have made these changes, type exit to return to global configuration mode. For more information about these optional changes, see the match address (IPSec) and mode (IPSec) command descriptions.

Changing Existing Transforms
If one or more transforms are specified in the crypto ipsec transform-set command for an existing transform set, the specified transforms will replace the existing transforms for that transform set. If you change a transform set definition, the change is only applied to crypto map entries that reference the transform set. The change will not be applied to existing security associations, but will be used in subsequent negotiations to establish new security associations. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear crypto sa command.

Example: The following example defines two transform sets. The first transform set will be used with an IPSec peer that supports the newer ESP and AH protocols. The second transform set will be used with an IPSec peer that only supports the older transforms.
router(config)#crypto ipsec transform-set newer esp-3des esp-sha-hmac
router(config)#crypto ipsec transform-set older ah-rfc1828 esp-rfc1829

Misconceptions: none
Related commands: mode (IPSec), set transform-set, show crypto ipsec transform-set
Sample Configurations:
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key mysecretkey address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set mypolicy esp-des esp-md5-hmac
!
crypto dynamic-map dyna 10
 set transform-set mypolicy
!
crypto map test 10 ipsec-isakmp dynamic dyna

Command Name: crypto map (interface IPSec)
Mode: router(config-if)#
Syntax:
crypto map map-name
no crypto map [map-name]
Syntax Description:
map-name Name that identifies the crypto map set. This is the name assigned when the crypto map was created. When the no form of the command is used, this argument is optional. Any value supplied for the argument is ignored.

Command Description: To apply a previously defined crypto map set to an interface, use the crypto map interface configuration command. To remove the crypto map set from the interface, use the no form of this command.

Usage Guidelines: Use this command to assign a crypto map set to an interface. You must assign a crypto map set to an interface before that interface can provide IPSec services. Only one crypto map set can be assigned to an interface. If multiple crypto map entries have the same map-name but a different seq-num, they are considered to be part of the same set and will all be applied to the interface. The crypto map entry with the lowest seq-num is considered the highest priority and will be evaluated first. A single crypto map set can contain a combination of cisco, ipsec-isakmp, and ipsec-manual crypto map entries.

Example: The following example assigns crypto map set "mymap" to the S0 interface. When traffic passes through S0, the traffic will be evaluated against all the crypto map entries in the "mymap" set. When outbound traffic matches an access list in one of the "mymap" crypto map entries, a security association will be established per that crypto map entry's configuration (if no security association or connection already exists).
router(config)#interface S0
router(config-if)#crypto map mymap

Misconceptions: none
Related commands: crypto map (global IPSec), crypto map local-address, show crypto map (IPSec)
Sample Configurations:
!
interface FastEthernet0/1
 ip address 10.1.1.2 255.255.255.0
 no ip directed-broadcast
 duplex auto
 speed auto
 crypto map mymap
!

Command Name: crypto map local-address
Mode: router(config)#
Syntax:
crypto map map-name local-address interface-id
no crypto map map-name local-address
Syntax Description:
map-name Name that identifies the crypto map set. This is the name assigned when the crypto map was created.
interface-id The identifying interface that should be used by the router to identify itself to remote peers. If Internet Key Exchange is enabled and you are using a certification authority (CA) to obtain certificates, this should be the interface with the address specified in the CA certificates.

Command Description: To specify and name an identifying interface to be used by the crypto map for IPSec traffic, use the crypto map local-address global configuration command. To remove this command from the configuration, use the no form of this command.

Usage Guidelines: If you apply the same crypto map to two interfaces and do not use this command, two separate security associations (with different local IP addresses) could be established to the same peer for similar traffic. If you are using the second interface as redundant to the first interface, it could be preferable to have a single security association (with a single local IP address) created for traffic sharing the two interfaces. Having a single security association decreases overhead and makes administration simpler. This command allows a peer to establish a single security association (and use a single local IP address) that is shared by the two redundant interfaces.

If applying the same crypto map set to more than one interface, the default behavior is as follows:
Each interface will have its own security association database.
The IP address of the local interface will be used as the local address for IPSec traffic originating from or destined to that interface.

However, if you use a local-address for that crypto map set, it has multiple effects:
Only one IPSec security association database will be established and shared for traffic through both interfaces.
The IP address of the specified interface will be used as the local address for IPSec (and IKE) traffic originating from or destined to that interface.

One suggestion is to use a loopback interface as the referenced local address interface, because the loopback interface never goes down.

Example: The following example assigns crypto map set "mymap" to the S0 interface and to the S1 interface. When traffic passes through either S0 or S1, the traffic will be evaluated against all the crypto maps in the "mymap" set. When traffic through either interface matches an access list in one of the "mymap" crypto maps, a security association will be established. This same security association will then apply to both S0 and S1 traffic that matches the originally matched IPSec access list. The local address that IPSec will use on both interfaces will be the IP address of interface loopback0.
router(config)#interface S0
router(config-if)#crypto map mymap
router(config)#interface S1
router(config-if)#crypto map mymap
router(config)#crypto map mymap local-address loopback0

Misconceptions: none
Related commands: crypto map (interface IPSec)
Sample Configurations:

Command Name: crypto map (global IPSec)
Mode: router(config)#
Syntax:
crypto map map-name seq-num ipsec-manual
crypto map map-name seq-num ipsec-isakmp [dynamic dynamic-map-name] [discover]
no crypto map map-name [seq-num]
Syntax Description:
map-name The name that identifies the crypto map set. This is the name assigned when the crypto map was created.
seq-num The number you assign to the crypto map entry. See additional explanation for using this argument in the "Usage Guidelines" section.
ipsec-manual Indicates that Internet Key Exchange will not be used to establish the IP Security security associations for protecting the traffic specified by this crypto map entry.
ipsec-isakmp Indicates that IKE will be used to establish the IPSec security associations for protecting the traffic specified by this crypto map entry.
dynamic (Optional) Specifies that this crypto map entry is to reference a preexisting dynamic crypto map. Dynamic crypto maps are policy templates used in processing negotiation requests from a peer IPSec device. If you use this keyword, none of the crypto map configuration commands will be available.
dynamic-map-name (Optional) Specifies the name of the dynamic crypto map set that should be used as the policy template.
discover (Optional) Enables peer discovery. By default, peer discovery is not enabled.

Command Description: To create or modify a crypto map entry and enter the crypto map configuration mode, use the crypto map global configuration command. To delete a crypto map entry or set, use the no form of this command.

Usage Guidelines: Use this command to create a new crypto map entry or to modify an existing crypto map entry. Once a crypto map entry has been created, you cannot change the parameters specified at the global configuration level because these parameters determine which of the configuration commands are valid at the crypto map level. For example, once a map entry has been created as ipsec-isakmp, you cannot change it to ipsec-manual or cisco; you must delete and reenter the map entry. After you define crypto map entries, you can assign the crypto map set to interfaces using the crypto map (interface IPSec) command.

What Crypto Maps Are For
Crypto maps provide two functions: (1) filtering and classifying traffic to be protected and (2) defining the policy to be applied to that traffic. The first use affects the flow of traffic on an interface; the second affects the negotiation performed (via IKE) on behalf of that traffic. IPSec crypto maps link together definitions of the following:
What traffic should be protected
Which IPSec peers the protected traffic can be forwarded to (these are the peers with which a security association can be established)
Which transform sets are acceptable for use with the protected traffic
How keys and security associations should be used or managed (or what the keys are, if IKE is not used)

Multiple Crypto Map Entries with the Same map-name Form a Crypto Map Set
A crypto map set is a collection of crypto map entries, each with a different seq-num but the same map-name. Therefore, for a given interface, you could have certain traffic forwarded to one IPSec peer with specified security applied to that traffic, and other traffic forwarded to the same or a different IPSec peer with different IPSec security applied. To accomplish this you would create two crypto maps, each with the same map-name, but each with a different seq-num.

The seq-num Argument
The number you assign to the seq-num argument should not be arbitrary. This number is used to rank multiple crypto map entries within a crypto map set. Within a crypto map set, a crypto map entry with a lower seq-num is evaluated before a map entry with a higher seq-num; that is, the map entry with the lower number has a higher priority. For example, imagine that there is a crypto map set that contains three crypto map entries: mymap 10, mymap 20, and mymap 30. The crypto map set named mymap is applied to interface Serial 0. When traffic passes through the Serial 0 interface, the traffic is evaluated first for mymap 10. If the traffic matches a permit entry in the extended access list in mymap 10, the traffic will be processed according to the information defined in mymap 10 (including establishing IPSec security associations when necessary). If the traffic does not match the mymap 10 access list, the traffic will be evaluated for mymap 20, and then mymap 30, until the traffic matches a permit entry in a map entry. (If the traffic does not match a permit entry in any crypto map entry, it will be forwarded without any IPSec security.)

Dynamic Crypto Maps
Refer to the "Usage Guidelines" section of the crypto dynamic-map command for a discussion on dynamic crypto maps. You should make crypto map entries which reference dynamic map sets the lowest priority map entries, so that inbound security association negotiation requests will try to match the static maps first. Only after the request does not match any of the static maps do you want it to be evaluated against the dynamic map set. To make a crypto map entry referencing a dynamic crypto map set the lowest priority map entry, give the map entry the highest seq-num of all the map entries in a crypto map set. Create dynamic crypto map entries using the crypto dynamic-map command. After you create a dynamic crypto map set, add the dynamic crypto map set to a static crypto map set with the crypto map (IPSec global configuration) command using the dynamic keyword.

Tunnel Endpoint Discovery
Tunnel Endpoint Discovery is an enhancement to the IP Security Protocol (IPSec) feature. Defining a dynamic crypto map allows you to dynamically determine an IPSec peer; however, only the receiving router has this ability. With Tunnel Endpoint Discovery, the initiating router can dynamically determine an IPSec peer for secure IPSec communications. Dynamic Tunnel Endpoint Discovery allows IPSec to scale to large networks by reducing multiple encryptions, reducing the setup time, and allowing for simple configurations on participating peer routers. Each node has a simple configuration that defines the local network that the router is protecting and the IPSec transforms that are required.

Example: The following example shows the minimum required crypto map configuration when IKE will be used to establish the security associations:
crypto map mymap 10 ipsec-isakmp
 match address 101
 set transform-set my_t_set1
 set peer 10.0.0.1

The following example shows the minimum required crypto map configuration when the security associations are manually established:
crypto ipsec transform-set someset ah-md5-hmac esp-des
crypto map mymap 10 ipsec-manual
 match address 102
 set transform-set someset
 set peer 10.0.0.5
 set session-key inbound ah 256 98765432109876549876543210987654
 set session-key outbound ah 256 fedcbafedcbafedcfedcbafedcbafedc
 set session-key inbound esp 256 cipher 0123456789012345
 set session-key outbound esp 256 cipher abcdefabcdefabcd

The following example configures an IPSec crypto map set that includes a reference to a dynamic crypto map set. Crypto map "mymap 10" allows security associations to be established between the router and either (or both) of two remote IPSec peers for traffic matching access list 101. Crypto map "mymap 20" allows either of two transform sets to be negotiated with the remote peer for traffic matching access list 102. Crypto map entry "mymap 30" references the dynamic crypto map set "mydynamicmap," which can be used to process inbound security association negotiation requests that do not match "mymap" entries 10 or 20. In this case, if the peer specifies a transform set that matches one of the transform sets specified in "mydynamicmap," for a flow "permitted" by the access list 103, IPSec will accept the request and set up security associations with the remote peer without previously knowing about the remote peer. If accepted, the resulting security associations (and temporary crypto map entry) are established according to the settings specified by the remote peer. The access list associated with "mydynamicmap 10" is also used as a filter. Inbound packets that match a permit statement in this list are dropped for not being IPSec protected. (The same is true for access lists associated with static crypto map entries.) Outbound packets that match a permit statement without an existing corresponding IPSec SA are also dropped.
crypto map mymap 10 ipsec-isakmp
 match address 101
 set transform-set my_t_set1
 set peer 10.0.0.1
 set peer 10.0.0.2
crypto map mymap 20 ipsec-isakmp
 match address 102
 set transform-set my_t_set1 my_t_set2
 set peer 10.0.0.3
crypto map mymap 30 ipsec-isakmp dynamic mydynamicmap
!
crypto dynamic-map mydynamicmap 10
 match address 103
 set transform-set my_t_set1 my_t_set2 my_t_set3

The following example configures Tunnel Endpoint Discovery on a Cisco router:
crypto map testtag 10 ipsec-isakmp dynamic dmap discover

Misconceptions: none
Related commands: crypto dynamic-map, crypto map (interface IPSec), crypto map local-address, match address (IPSec), set peer (IPSec), set pfs, set security-association level per-host, set security-association lifetime, set session-key, set transform-set, show crypto map (IPSec)
Sample Configurations:

Command Name: match address (IPSec)
Mode: router(config-crypto-map)#
Syntax:
match address [access-list-id | name]
no match address [access-list-id | name]
Syntax Description:
access-list-id (Optional) Identifies the extended access list by its name or number. This value should match the access-list-number or name argument of the extended access list being matched.
name (Optional) Identifies the named encryption access list. This name should match the name argument of the named encryption access list being matched.

Command Description: To specify an extended access list for a crypto map entry, use the match address crypto map configuration command. To remove the extended access list from a crypto map entry, use the no form of this command.

Usage Guidelines: This command is required for all static crypto map entries. If you are defining a dynamic crypto map entry (with the crypto dynamic-map command), this command is not required but is strongly recommended. Use this command to assign an extended access list to a crypto map entry. You also need to define this access list using the access-list or ip access-list extended commands. The extended access list specified with this command will be used by IPSec to determine which traffic should be protected by crypto and which traffic does not need crypto protection. (Traffic that is permitted by the access list will be protected. Traffic that is denied by the access list will not be protected in the context of the corresponding crypto map entry.) Note that the crypto access list is not used to determine whether to permit or deny traffic through the interface. An access list applied directly to the interface makes that determination.

The crypto access list specified by this command is used when evaluating both inbound and outbound traffic. Outbound traffic is evaluated against the crypto access lists specified by the interface's crypto map entries to determine if it should be protected by crypto and if so (if traffic matches a permit entry) which crypto policy applies. (If necessary, in the case of static IPSec crypto maps, new security associations are established using the data flow identity as specified in the permit entry; in the case of dynamic crypto map entries, if no SA exists, the packet is dropped.) After passing the regular access lists at the interface, inbound traffic is evaluated against the crypto access lists specified by the entries of the interface's crypto map set to determine if it should be protected by crypto and, if so, which crypto policy applies. (In the case of IPSec, unprotected traffic is discarded because it should have been protected by IPSec.) In the case of IPSec, the access list is also used to identify the flow for which the IPSec security associations are established. In the outbound case, the permit entry is used as the data flow identity (in general), while in the inbound case the data flow identity specified by the peer must be "permitted" by the crypto access list.

Example: The following example shows the minimum required crypto map configuration when IKE will be used to establish the security associations. (This example is for a static crypto map.)
router(config)#crypto map mymap 10 ipsec-isakmp
router(config-crypto-map)#match address 101
router(config-crypto-map)#set transform-set my_t_set1
router(config-crypto-map)#set peer 10.0.0.1

Misconceptions: none
Related commands: crypto dynamic-map, crypto map (global IPSec), crypto map (interface IPSec), crypto map local-address, set peer (IPSec), set pfs, set security-association level per-host, set security-association lifetime, set session-key, set transform-set, show crypto map (IPSec)
Sample Configurations:
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key Delaware address 192.168.10.66
crypto isakmp key Key-What-Key address 192.168.11.19
!
!
crypto ipsec transform-set BearMama ah-md5-hmac esp-des
crypto ipsec df-bit clear
!
!
crypto map armadillo 1 ipsec-isakmp
 set peer 192.168.10.66
 set transform-set BearMama
 match address 101
!
crypto map basilisk 1 ipsec-isakmp
 set peer 192.168.11.19
 set transform-set BearMama
 match address 102
!
!
interface Ethernet0
 ip address 192.168.10.38 255.255.255.0
 ip broadcast-address 0.0.0.0
 media-type 10BaseT
 crypto map armadillo
 crypto ipsec df-bit copy
!
interface Ethernet1
 ip address 192.168.11.75 255.255.255.0
 ip broadcast-address 0.0.0.0
 media-type 10BaseT
 crypto map basilisk
!
interface Serial0
 no ip address
 ip broadcast-address 0.0.0.0
 no ip route-cache
 no ip mroute-cache
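The following Python script is an added example (not Cisco IOS code) that simulates the evaluation rules described for crypto map (global IPSec) and match address (IPSec): entries are walked in seq-num order, the first permit decides the policy, a static entry negotiates an SA on first use, a dynamic entry drops outbound traffic until a peer has established an SA, and inbound traffic that matches a permit entry without IPSec protection is discarded. The "mymap" set with entries 10, 20 and 30 mirrors the dynamic crypto map example above; the access list contents, the entry tuple layout and the class name are assumptions constructed for this simulation, and peer selection is simplified to the first listed peer (IOS uses the last peer heard from and falls back along the list).

```python
"""Crypto map set evaluation as described for crypto map (global IPSec) and
match address (IPSec). Added example, not Cisco IOS code; the ACL and entry
representations are assumptions made for the simulation.
"""
from ipaddress import ip_address, ip_network

# Constructed sample access lists: (action, source network, destination network)
ACLS = {
    101: [("permit", "10.1.0.0/16", "10.2.0.0/16")],
    102: [("deny", "10.3.0.0/24", "10.4.0.0/16"),
          ("permit", "10.3.0.0/16", "10.4.0.0/16")],
    103: [("permit", "10.1.0.0/16", "0.0.0.0/0")],
}

# Constructed crypto map set "mymap": (seq-num, kind, access list, peers).
# Listed out of order on purpose; the set sorts by seq-num.
MYMAP = [
    (30, "dynamic", 103, []),                       # dynamic reference: lowest priority
    (10, "static", 101, ["10.0.0.1", "10.0.0.2"]),
    (20, "static", 102, ["10.0.0.3"]),
]


def acl_permits(acl_id, src, dst):
    """First matching entry wins; no match is an implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for action, snet, dnet in ACLS[acl_id]:
        if s in ip_network(snet) and d in ip_network(dnet):
            return action == "permit"
    return False


class CryptoMapSet:
    def __init__(self, entries):
        # Lower seq-num is evaluated first (higher priority).
        self.entries = sorted(entries, key=lambda e: e[0])
        self.sadb = set()   # established SAs, keyed by the crypto map entry seq-num

    def outbound(self, src, dst):
        """Decision for a packet leaving the interface the set is applied to."""
        for seq, kind, acl_id, peers in self.entries:
            if not acl_permits(acl_id, src, dst):
                continue
            if seq in self.sadb:
                return f"protect via mymap {seq}"
            if kind == "dynamic":
                # A dynamic entry only answers a peer's request; it never initiates.
                return f"drop (mymap {seq} is dynamic, no SA yet)"
            self.sadb.add(seq)
            return f"negotiate SA with {peers[0]} then protect via mymap {seq}"
        return "forward unprotected"

    def inbound(self, src, dst, ipsec_protected):
        """Decision for a packet that already passed the interface access list."""
        for seq, kind, acl_id, peers in self.entries:
            if acl_permits(acl_id, src, dst):
                if ipsec_protected:
                    return "accept"
                return f"drop (unprotected, matches mymap {seq})"
        return "forward (not a crypto flow)"


if __name__ == "__main__":
    cm = CryptoMapSet(MYMAP)
    print(cm.outbound("10.1.5.5", "10.2.9.9"))
    print(cm.outbound("10.1.5.5", "192.0.2.1"))
    print(cm.inbound("10.1.5.5", "10.2.9.9", ipsec_protected=False))
```

The deny line at the top of access list 102 shows why entry order inside the crypto access list matters as much as seq-num order between entries: a flow from 10.3.0.0/24 is denied by mymap 20, is not covered by mymap 30, and therefore leaves the router unprotected.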

Command Name: mode (IPSec)
Mode: router(cfg-crypto-tran)#
Syntax:
mode [tunnel | transport]
no mode
Syntax Description:
tunnel | transport (Optional) Specifies the mode for a transform set: either tunnel or transport mode. If neither tunnel nor transport is specified, the default (tunnel mode) is assigned.

Command Description: To change the mode for a transform set, use the mode crypto transform configuration command. To reset the mode to the default value of tunnel mode, use the no form of the command.

Usage Guidelines: Use this command to change the mode specified for the transform. This setting is only used when the traffic to be protected has the same IP addresses as the IPSec peers (this traffic can be encapsulated either in tunnel or transport mode). This setting is ignored for all other traffic (all other traffic is encapsulated in tunnel mode). If the traffic to be protected has the same IP address as the IP Security peers and transport mode is specified, during negotiation the router will request transport mode but will accept either transport or tunnel mode. If tunnel mode is specified, the router will request tunnel mode and will accept only tunnel mode. After you define a transform set, you are put into the crypto transform configuration mode. While in this mode you can change the mode to either tunnel or transport. This change applies only to the transform set just defined. If you do not change the mode when you first define the transform set, but later decide you want to change the mode for the transform set, you must re-enter the transform set (specifying the transform name and all its transforms) and then change the mode. If you use this command to change the mode, the change will only affect the negotiation of subsequent IPSec security associations via crypto map entries which specify this transform set. (If you want the new settings to take effect sooner, you can clear all or part of the security association database. See the clear crypto sa command for more details.)

Tunnel Mode
With tunnel mode, the entire original IP packet is protected (encrypted, authenticated, or both) and is encapsulated by the IPSec headers and trailers (an Encapsulation Security Protocol header and trailer, an Authentication Header, or both). Then a new IP header is prefixed to the packet, specifying the IPSec endpoints as the source and destination. Tunnel mode can be used with any IP traffic. Tunnel mode must be used if IPSec is protecting traffic from hosts behind the IPSec peers. For example, tunnel mode is used with Virtual Private Networks (VPNs) where hosts on one protected network send packets to hosts on a different protected network via a pair of IPSec peers. With VPNs, the IPSec peers "tunnel" the protected traffic between the peers while the hosts on their protected networks are the session endpoints.

Transport Mode
With transport mode, only the payload (data) of the original IP packet is protected (encrypted, authenticated, or both). The payload is encapsulated by the IPSec headers and trailers (an ESP header and trailer, an AH header, or both). The original IP headers remain intact and are not protected by IPSec. Use transport mode only when the IP traffic to be protected has IPSec peers as both the source and destination. For example, you could use transport mode to protect router management traffic. Specifying transport mode allows the router to negotiate with the remote peer whether to use transport or tunnel mode.

Example: The following example defines a transform set and changes the mode to transport mode. The mode value only applies to IP traffic with the source and destination addresses at the local and remote IPSec peers.
router(config)#crypto ipsec transform-set newer esp-des esp-sha-hmac
router(cfg-crypto-tran)#mode transport
router(cfg-crypto-tran)#exit

Misconceptions: none
Related commands: crypto ipsec transform-set
Sample Configurations:
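The following Python script is an added example (not Cisco IOS code) that encodes the mode rules stated above: the configured mode is only consulted for traffic whose endpoints are the two IPSec peers, a transport configuration requests transport but accepts either answer, and a tunnel configuration accepts tunnel only. The layout() helper pictures the two encapsulations described under Tunnel Mode and Transport Mode; its ordering of AH before ESP when a transform set carries both is an assumption of this example, as are the function names.

```python
"""Mode selection rules from the mode (IPSec) description. Added example,
not Cisco IOS code. eligible_mode() and accept_offer() encode the rules
stated above; layout() is an assumed header order (AH outside ESP when a
transform set carries both) used only to picture the two encapsulations.
"""
from ipaddress import ip_address


def eligible_mode(configured, src, dst, local_peer, remote_peer):
    """Mode the router requests for the flow src -> dst.

    The configured mode only applies when the protected traffic runs between
    the two IPSec peers themselves; every other flow is sent in tunnel mode.
    """
    flow = {ip_address(src), ip_address(dst)}
    peers = {ip_address(local_peer), ip_address(remote_peer)}
    return configured if flow == peers else "tunnel"


def accept_offer(configured, offered):
    """Transport config accepts transport or tunnel; tunnel config accepts tunnel only."""
    if configured == "transport":
        return offered in ("transport", "tunnel")
    return offered == "tunnel"


def layout(mode, transforms):
    """Header order of a packet protected with the given transform set."""
    has_ah = any(t.startswith("ah-") for t in transforms)
    has_esp = any(t.startswith("esp-") for t in transforms)
    # Tunnel mode wraps the whole original datagram behind a new outer header;
    # transport mode keeps the original header and protects only the payload.
    outer = ["IP(new outer)"] if mode == "tunnel" else ["IP(original)"]
    inner = ["IP(original)", "payload"] if mode == "tunnel" else ["payload"]
    if has_ah:
        outer.append("AH")           # directly after the outer IP header
    if has_esp:
        return outer + ["ESP header"] + inner + ["ESP trailer"]
    return outer + inner


if __name__ == "__main__":
    # Router management traffic between the peers: transport is eligible.
    print(eligible_mode("transport", "10.1.1.1", "10.2.2.2", "10.1.1.1", "10.2.2.2"))
    # Host-to-host traffic behind the peers: tunnel regardless of the setting.
    print(eligible_mode("transport", "192.168.1.5", "192.168.2.7", "10.1.1.1", "10.2.2.2"))
    print(layout("tunnel", ["ah-sha-hmac", "esp-des", "esp-sha-hmac"]))
```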

Command Name: set peer (IPSec)
Mode: router(config-crypto-map)#
Syntax:
set peer {hostname | ip-address}
no set peer {hostname | ip-address}
Syntax Description:
hostname Specifies the IPSec peer by its host name. This is the peer's host name concatenated with its domain name (for example, myhost.example.com).
ip-address Specifies the IPSec peer by its IP address.

Command Description: To specify an IP Security peer in a crypto map entry, use the set peer crypto map configuration command. To remove an IPSec peer from a crypto map entry, use the no form of this command.

Usage Guidelines: Use this command to specify an IPSec peer for a crypto map. This command is required for all static crypto maps. If you are defining a dynamic crypto map (with the crypto dynamic-map command), this command is not required, and in most cases is not used (because, in general, the peer is unknown). For ipsec-isakmp crypto map entries, you can specify multiple peers by repeating this command. The peer that packets are actually sent to is determined by the last peer that the router heard from (received either traffic or a negotiation request from) for a given data flow. If the attempt fails with the first peer, Internet Key Exchange tries the next peer on the crypto map list. For ipsec-manual crypto entries, you can specify only one IPSec peer per crypto map. If you want to change the peer, you must first delete the old peer and then specify the new peer. You can specify the remote IPSec peer by its host name only if the host name is mapped to the peer's IP address in a Domain Name Server or if you manually map the host name to the IP address with the ip host command.

Example:
router(config-crypto-map)#set peer 10.0.0.1
router(config-crypto-map)#set peer 10.0.0.2

Misconceptions: none
Related commands: crypto dynamic-map, crypto map (global IPSec), crypto map (interface IPSec), crypto map local-address, match address (IPSec), set pfs, set security-association level per-host, set security-association lifetime, set session-key, set transform-set, show crypto map (IPSec)
Sample Configurations:
crypto map mymap 10 ipsec-isakmp
 match address 101
 set transform-set my_t_set1
 set peer 10.0.0.1
 set peer 10.0.0.2

Command Name: set pfs
Mode: router(config-crypto-map)#
Syntax:
set pfs [group1 | group2]
no set pfs
Syntax Description:
group1 (Optional) Specifies that IPSec should use the 768-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.
group2 (Optional) Specifies that IPSec should use the 1024-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.

Command Description: To specify that IP Security should ask for perfect forward secrecy (PFS) when requesting new security associations for this crypto map entry, or that IPSec requires PFS when receiving requests for new security associations, use the set pfs crypto map configuration command. To specify that IPSec should not request PFS, use the no form of the command.

Usage Guidelines: This command is only available for ipsec-isakmp crypto map entries and dynamic crypto map entries. During negotiation, this command causes IPSec to request PFS when requesting new security associations for the crypto map entry. The default (group1) is sent if the set pfs statement does not specify a group. If the peer initiates the negotiation and the local configuration specifies PFS, the remote peer must perform a PFS exchange or the negotiation will fail. If the local configuration does not specify a group, a default of group1 will be assumed, and an offer of either group1 or group2 will be accepted. If the local configuration specifies group2, that group must be part of the peer's offer or the negotiation will fail. If the local configuration does not specify PFS, it will accept any offer of PFS from the peer.

PFS adds another level of security because if one key is ever cracked by an attacker, then only the data sent with that key will be compromised. Without PFS, data sent with other keys could also be compromised. With PFS, every time a new security association is negotiated, a new Diffie-Hellman exchange occurs. (This exchange requires additional processing time.) The 1024-bit Diffie-Hellman prime modulus group, group2, provides more security than group1, but requires more processing time than group1.

Example: The following example specifies that PFS should be used whenever a new security association is negotiated for the crypto map "mymap 10":
router(config)#crypto map mymap 10 ipsec-isakmp
router(config-crypto-map)#set pfs group2

Misconceptions: none
Related commands: crypto dynamic-map, crypto map (global IPSec), crypto map (interface IPSec), crypto map local-address, match address (IPSec), set peer (IPSec), set security-association level per-host, set security-association lifetime, set transform-set, show crypto map (IPSec)
Sample Configurations:
!
crypto ipsec profile foo-profile
 set transform-set foo-transforms
 set pfs group2
!
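The following Python script is an added example (not Cisco IOS code) that shows the two facets of the description above: why the fresh Diffie-Hellman exchange confines a compromise to one security association, and which peer offers a responder accepts for each local setting. The key derivation is a simplified stand-in for IKE quick mode (HMAC over the phase-1 secret, the SPI, the nonces and, with PFS, the new DH result), and the Diffie-Hellman group is a small demonstration group chosen for speed, not the real group1 or group2; the function names are assumptions of this example.

```python
"""Why PFS limits the damage from one cracked key, and the offer rules for
set pfs. Added example, not Cisco IOS code: the key derivation is a
simplified stand-in for IKE quick mode, and the Diffie-Hellman parameters
are a small demonstration group, not the 768-bit group1 or 1024-bit group2.
"""
import hashlib
import hmac
import secrets

# Assumed demonstration group (a 127-bit Mersenne prime): fast, not secure.
P = (1 << 127) - 1
G = 3


def dh_keypair():
    x = secrets.randbelow(P - 2) + 2
    return x, pow(G, x, P)


def dh_shared(x, peer_public):
    return pow(peer_public, x, P).to_bytes(16, "big")


def sa_key(skeyid_d, spi, nonces, dh_secret=b""):
    """SA keying material: HMAC over the phase-1 secret and per-SA inputs.
    With PFS the fresh DH result is mixed in; without PFS only public values are."""
    return hmac.new(skeyid_d, dh_secret + spi + nonces, hashlib.sha256).digest()


def negotiate_sa(skeyid_d, pfs):
    """One SA negotiation. Returns (key, values seen on the wire, DH result)."""
    spi, nonces = secrets.token_bytes(4), secrets.token_bytes(32)
    if not pfs:
        return sa_key(skeyid_d, spi, nonces), (spi, nonces), b""
    xa, ga = dh_keypair()                 # initiator's fresh exchange
    xb, gb = dh_keypair()                 # responder's fresh exchange
    z = dh_shared(xa, gb)
    assert z == dh_shared(xb, ga)         # both sides agree on the secret
    return sa_key(skeyid_d, spi, nonces, z), (spi, nonces, ga, gb), z


def next_sa_compromised(pfs):
    """Attacker has cracked SA1 completely (SKEYID_d and SA1's DH result) and
    sees everything on the wire for SA2. Can that material reproduce SA2's key?"""
    skeyid_d = secrets.token_bytes(32)
    _key1, _wire1, z1 = negotiate_sa(skeyid_d, pfs)
    key2, wire2, _z2 = negotiate_sa(skeyid_d, pfs)
    spi2, nonces2 = wire2[0], wire2[1]
    # Best effort without solving DH for SA2: reuse the secret cracked from SA1.
    guess = sa_key(skeyid_d, spi2, nonces2, z1)
    return hmac.compare_digest(key2, guess)


def pfs_offer_acceptable(local_pfs, peer_groups):
    """Responder check from the description. local_pfs is None (set pfs absent),
    "group1" (set pfs with no group, or group1) or "group2"; peer_groups is the
    set of DH groups the peer offers for PFS (empty means no PFS offered)."""
    if local_pfs is None:
        return True                       # accepts any offer, PFS or not
    if not peer_groups:
        return False                      # PFS required, peer offered none
    if local_pfs == "group2":
        return "group2" in peer_groups    # group2 must be part of the offer
    return bool(peer_groups & {"group1", "group2"})


if __name__ == "__main__":
    print("without PFS, SA2 key recovered:", next_sa_compromised(pfs=False))
    print("with PFS, SA2 key recovered:", next_sa_compromised(pfs=True))
```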

Command Name: set security-association level per-host
Mode: router(config-crypto-map)#
Syntax:
set security-association level per-host
no set security-association level per-host

Syntax Description: This command has no arguments or keywords.

Command Description: To specify that separate IP Security security associations should be requested for each source/destination host pair, use the set security-association level per-host crypto map configuration command. To specify that one security association should be requested for each crypto map access list permit entry, use the no form of this command.

Usage Guidelines: This command is only available for ipsec-isakmp crypto map entries and is not supported for dynamic crypto map entries.

Normally, within a given crypto map, IPSec requests security associations at the granularity specified by the access list entry. For example, if the access list entry permits IP traffic between subnet A and subnet B, IPSec requests a security association between subnet A and subnet B (for any IP protocol), and unless finer-grained security associations are established (by a peer request), all IPSec-protected traffic between these two subnets uses the same security association.

This command causes IPSec to request a separate security association for each source/destination host pair. Each host pairing (one host in subnet A, the other in subnet B) causes IPSec to request its own security association: one security association protects traffic between host A and host B, and a different one protects traffic between host A and host C. The access list entry can specify local and remote subnets, or it can specify a host-and-subnet combination. If the access list entry specifies protocols and ports, these values are applied when establishing the unique security associations.

Use this command with care: multiple streams between given subnets can rapidly consume system resources, since every host pair costs its own negotiation and its own security association state.

Example: The following example shows what happens with an access list entry of permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255 and a per-host level:

A packet from 1.1.1.1 to 2.2.2.1 initiates a security association request that looks as if it originated via permit ip host 1.1.1.1 host 2.2.2.1.
A packet from 1.1.1.1 to 2.2.2.2 initiates a security association request that looks as if it originated via permit ip host 1.1.1.1 host 2.2.2.2.
A packet from 1.1.1.2 to 2.2.2.1 initiates a security association request that looks as if it originated via permit ip host 1.1.1.2 host 2.2.2.1.

Without the per-host level, any of the above packets initiates a single security association request originated via permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255.

Misconceptions: none
Related commands:
crypto dynamic-map
crypto map (global IPSec)
crypto map (interface IPSec)
crypto map local-address
match address (IPSec)
set peer (IPSec)
set pfs
set security-association lifetime
set transform-set
show crypto map (IPSec)
Sample Configurations:
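The selector derivation described above, worked through in code. This is an added example and not Cisco code: it parses the subset of access-list syntax used on this page (permit ip with source/destination wildcard pairs, plus the host and any shorthands, which are an assumption for illustration) and returns the security association request a matching packet would trigger, with and without the per-host level. It also counts how many distinct requests a set of flows produces, which is the resource cost the usage guideline warns about.

```python
"""Per-host versus per-ACE security association selectors (added example)."""
from ipaddress import IPv4Address


def _parse_endpoint(tokens, i):
    """Return (address, wildcard, next_index) for one ACE operand."""
    tok = tokens[i]
    if tok == "any":                         # assumption: 'any' shorthand
        return 0, 0xFFFFFFFF, i + 1
    if tok == "host":                        # assumption: 'host A' shorthand
        return int(IPv4Address(tokens[i + 1])), 0, i + 2
    return int(IPv4Address(tok)), int(IPv4Address(tokens[i + 1])), i + 2


def parse_ace(ace):
    """Parse 'permit ip SRC SWILD DST DWILD' into integer address/wildcard pairs."""
    tokens = ace.split()
    if tokens[:2] != ["permit", "ip"]:
        raise ValueError("only 'permit ip' entries are handled here")
    src, swild, i = _parse_endpoint(tokens, 2)
    dst, dwild, _ = _parse_endpoint(tokens, i)
    return src, swild, dst, dwild


def matches(ace, src_ip, dst_ip):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    src, swild, dst, dwild = parse_ace(ace)
    s, d = int(IPv4Address(src_ip)), int(IPv4Address(dst_ip))
    return (s | swild) == (src | swild) and (d | dwild) == (dst | dwild)


def _fmt(addr, wild):
    if wild == 0:
        return f"host {IPv4Address(addr)}"
    if wild == 0xFFFFFFFF:
        return "any"
    return f"{IPv4Address(addr)} {IPv4Address(wild)}"


def sa_selector(ace, src_ip, dst_ip, per_host=False):
    """The SA request a packet triggers, or None if the ACE does not match.

    Without per-host the request carries the ACE's own granularity; with
    per-host it is narrowed to the exact source/destination host pair.
    """
    if not matches(ace, src_ip, dst_ip):
        return None
    if per_host:
        return f"permit ip host {src_ip} host {dst_ip}"
    src, swild, dst, dwild = parse_ace(ace)
    return f"permit ip {_fmt(src, swild)} {_fmt(dst, dwild)}"


def sa_requests(ace, flows, per_host=False):
    """Distinct SA requests a list of (src, dst) flows would generate."""
    found = {sa_selector(ace, a, b, per_host) for a, b in flows}
    return sorted(s for s in found if s)


if __name__ == "__main__":
    ACE = "permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255"
    flows = [("1.1.1.1", "2.2.2.1"), ("1.1.1.1", "2.2.2.2"), ("1.1.1.2", "2.2.2.1")]
    print("per-host :", sa_requests(ACE, flows, per_host=True))   # three requests
    print("per-ACE  :", sa_requests(ACE, flows))                  # one request
```

Run it on the page's three packets and the per-host form yields three requests while the default form yields one; on a pair of /24 subnets the per-host form can reach 65,536 host pairs, which is the scaling problem behind "use this command with care".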

Command Name: set security-association lifetime
Mode: router(config-crypto-map)#
Syntax:
set security-association lifetime {seconds seconds | kilobytes kilobytes}
no set security-association lifetime {seconds | kilobytes}

Syntax Description:
seconds seconds: Specifies the number of seconds a security association will live before expiring.
kilobytes kilobytes: Specifies the volume of traffic (in kilobytes) that can pass between IPSec peers using a given security association before that security association expires.

Command Description: To override (for a particular crypto map entry) the global lifetime value, which is used when negotiating IP Security security associations, use the set security-association lifetime crypto map configuration command. To reset a crypto map entry's lifetime value to the global value, use the no form of this command.

Usage Guidelines: This command is available only for ipsec-isakmp crypto map entries and dynamic crypto map entries.

IPSec security associations use shared secret keys. These keys and their security associations time out together. When the router requests new security associations, it specifies a lifetime in the request to the peer and uses that value as the lifetime of the new security associations: the crypto map entry's lifetime if one is configured, otherwise the global lifetime. When the router receives a negotiation request from the peer, it uses the smaller of the lifetime value proposed by the peer and the locally configured lifetime value as the lifetime of the new security associations.

There are two lifetimes: a "timed" lifetime and a "traffic-volume" lifetime. The session keys and security association expire after the first of these lifetimes is reached.

If you change a lifetime, the change is not applied to existing security associations, but is used in subsequent negotiations to establish security associations for data flows supported by this crypto map entry. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear crypto sa command. Refer to the clear crypto sa command for more detail.

To change the timed lifetime, use the set security-association lifetime seconds form of the command. The timed lifetime causes the keys and security association to time out after the specified number of seconds have passed. To change the traffic-volume lifetime, use the set security-association lifetime kilobytes form of the command. The traffic-volume lifetime causes the key and security association to time out after the specified amount of traffic (in kilobytes) has been protected by the security association's key.

Shorter lifetimes can make it harder to mount a successful key recovery attack, because the attacker has less data encrypted under the same key to work with. However, shorter lifetimes cost more CPU time, because every expiry triggers a new negotiation (and, with PFS, a new Diffie-Hellman exchange). The lifetime values are ignored for manually established security associations (security associations installed via an ipsec-manual crypto map entry).

How These Lifetimes Work: The security association (and corresponding keys) expires according to whichever occurs sooner, either after the seconds time out or after the kilobytes amount of traffic has passed. A new security association is negotiated before the lifetime threshold of the existing security association is reached, to ensure that a new security association is ready for use when the old one expires. The new security association is negotiated either 30 seconds before the seconds lifetime expires or when the volume of traffic through the tunnel reaches 256 kilobytes less than the kilobytes lifetime (whichever occurs first). If no traffic has passed through the tunnel during the entire life of the security association, a new security association is not negotiated when the lifetime expires. Instead, a new security association is negotiated only when IPSec sees another packet that should be protected.

Example: The following example shortens the timed lifetime for a particular crypto map entry, because there is a higher risk that the keys could be compromised for security associations belonging to the crypto map entry. The traffic-volume lifetime is not changed because there is not a high volume of traffic anticipated for these security associations. The timed lifetime is shortened to 2700 seconds (45 minutes).
router(config)#crypto map mymap 10 ipsec-isakmp
router(config-crypto-map)#set security-association lifetime seconds 2700

Misconceptions: none
Related commands:
crypto dynamic-map
crypto ipsec security-association lifetime
crypto map (global IPSec)
crypto map (interface IPSec)
crypto map local-address
match address (IPSec)
set peer (IPSec)
set pfs
set security-association level per-host
set transform-set
show crypto map (IPSec)
Sample Configurations:
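The lifetime rules above (per-entry override of the global value, the responder taking the smaller of the two proposals, expiry on whichever threshold comes first, rekey 30 seconds or 256 kilobytes early, and no rekey for an idle SA) as a small model you can step through. This is an added example, not Cisco code. The global defaults of 3600 seconds and 4608000 kilobytes are the IOS defaults; the event list fed to simulate() is constructed.

```python
"""Model of IPsec SA lifetime negotiation and rekey timing (added example)."""
from dataclasses import dataclass

GLOBAL_LIFETIME = {"seconds": 3600, "kilobytes": 4608000}  # IOS global defaults

REKEY_SECONDS_BEFORE = 30   # new SA negotiated 30 s before the timed lifetime ends
REKEY_KB_BEFORE = 256       # or 256 KB before the traffic-volume lifetime ends


def effective_lifetime(crypto_map_entry=None, global_lifetime=GLOBAL_LIFETIME):
    """Lifetime this router proposes: the entry's own values where set,
    the global values otherwise (set security-association lifetime overrides
    crypto ipsec security-association lifetime per key)."""
    lifetime = dict(global_lifetime)
    lifetime.update(crypto_map_entry or {})
    return lifetime


def negotiated_lifetime(local, peer_proposal):
    """Responder side: the smaller of the peer's proposal and the local value."""
    return {k: min(local[k], peer_proposal.get(k, local[k]))
            for k in ("seconds", "kilobytes")}


@dataclass
class SecurityAssociation:
    lifetime_seconds: int
    lifetime_kb: int
    age_seconds: int = 0
    kb_protected: int = 0

    def expired(self):
        """Either threshold expires the SA and its keys."""
        return (self.age_seconds >= self.lifetime_seconds
                or self.kb_protected >= self.lifetime_kb)

    def should_rekey(self):
        """True once either threshold is inside the early-rekey window.
        An SA that never carried traffic is not rekeyed; the next packet
        needing protection triggers a fresh negotiation instead."""
        if self.kb_protected == 0:
            return False
        near_time = self.age_seconds >= self.lifetime_seconds - REKEY_SECONDS_BEFORE
        near_volume = self.kb_protected >= self.lifetime_kb - REKEY_KB_BEFORE
        return near_time or near_volume


def simulate(sa, events):
    """Apply ('tick', seconds) / ('send', kilobytes) events in order and return
    the index of the first event at which a rekey would be triggered, or None."""
    for i, (kind, amount) in enumerate(events):
        if kind == "tick":
            sa.age_seconds += amount
        elif kind == "send":
            sa.kb_protected += amount
        else:
            raise ValueError(f"unknown event {kind}")
        if sa.should_rekey():
            return i
    return None


if __name__ == "__main__":
    # The page's example: an entry overriding only the timed lifetime to 2700 s.
    print(effective_lifetime({"seconds": 2700}))
    # Peer proposes 120 s / 9 GB; we keep the smaller of each.
    print(negotiated_lifetime(effective_lifetime(), {"seconds": 120, "kilobytes": 9_000_000}))
    sa = SecurityAssociation(2700, 4608000)
    print(simulate(sa, [("send", 10), ("tick", 2669), ("tick", 1)]))   # rekey at 2670 s
```

The model makes one consequence visible that the prose only implies: because the responder always takes the minimum, the effective lifetime of a tunnel is set by whichever side configures the shorter value, so shortening it on one peer is enough.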

Command Name: set session-key
Mode: router(config-crypto-map)#
Syntax:
set session-key {inbound | outbound} ah spi hex-key-string
set session-key {inbound | outbound} esp spi cipher hex-key-string [authenticator hex-key-string]
no set session-key {inbound | outbound} ah
no set session-key {inbound | outbound} esp

Syntax Description:
inbound: Sets the inbound IPSec session key. (You must set both inbound and outbound keys.)
outbound: Sets the outbound IPSec session key. (You must set both inbound and outbound keys.)
ah: Sets the IPSec session key for the Authentication Header protocol. Use when the crypto map entry's transform set includes an AH transform.
esp: Sets the IPSec session key for the Encapsulating Security Payload protocol. Use when the crypto map entry's transform set includes an ESP transform.
spi: Specifies the security parameter index (SPI), a number that is used to uniquely identify a security association. The SPI is an arbitrary number you assign in the range 256 to 4,294,967,295 (0xFFFFFFFF). You can assign the same SPI to both directions and both protocols. However, not all peers have the same flexibility in SPI assignment. For a given destination address/protocol combination, unique SPI values must be used. The destination address is that of the router if inbound, the peer if outbound.
hex-key-string: Specifies the session key; enter in hexadecimal format. This is an arbitrary hexadecimal string of 8, 16, or 20 bytes. If the crypto map's transform set includes a DES algorithm, specify at least 8 bytes per key. If the crypto map's transform set includes an MD5 algorithm, specify at least 16 bytes per key. If the crypto map's transform set includes an SHA algorithm, specify 20 bytes per key. Keys longer than the above sizes are simply truncated.
cipher: Indicates that the key string is to be used with the ESP encryption transform.
authenticator: (Optional) Indicates that the key string is to be used with the ESP authentication transform. This argument is required only when the crypto map entry's transform set includes an ESP authentication transform.

Command Description: To manually specify the IP Security session keys within a crypto map entry, use the set session-key crypto map configuration command. This command is only available for ipsec-manual crypto map entries. To remove IPSec session keys from a crypto map entry, use the no form of this command.

Usage Guidelines: Use this command to define IPSec keys for security associations via ipsec-manual crypto map entries. (In the case of ipsec-isakmp crypto map entries, the security associations with their corresponding keys are automatically established via the IKE negotiation.)

If the crypto map's transform set includes an AH protocol, you must define IPSec keys for AH for both inbound and outbound traffic. If the crypto map's transform set includes an ESP encryption protocol, you must define IPSec keys for ESP encryption for both inbound and outbound traffic. If your transform set includes an ESP authentication protocol, you must define IPSec keys for ESP authentication for inbound and outbound traffic.

When you define multiple IPSec session keys within a single crypto map, you can assign the same security parameter index (SPI) number to all the keys. The SPI is used to identify the security association used with the crypto map. However, not all peers have the same flexibility in SPI assignment. You should coordinate SPI assignment with your peer's operator, making certain that the same SPI is not used more than once for the same destination address/protocol combination.

Security associations established via this command do not expire (unlike security associations established via IKE): the same keys protect traffic until you change them, so rotate them by configuration, and bear in mind that the hex key strings are part of the router configuration and must be protected wherever that configuration is stored or backed up. Session keys at one peer must match the session keys at the remote peer.

If you change a session key, the security association using the key is deleted and reinitialized.

Example: The following example shows a crypto map entry for manually established security associations. The transform set "t_set" includes only an AH protocol.
crypto ipsec transform-set t_set ah-sha-hmac
!
crypto map mymap 20 ipsec-manual
 match address 102
 set transform-set t_set
 set peer 10.0.0.21
 set session-key inbound ah 300 1111111111111111111111111111111111111111
 set session-key outbound ah 300 2222222222222222222222222222222222222222

The following example shows a crypto map entry for manually established security associations. The transform set "someset" includes both an AH and an ESP protocol, so session keys are configured for both AH and ESP for both inbound and outbound traffic. The transform set includes both encryption and authentication ESP transforms, so session keys are created for both using the cipher and authenticator keywords.
crypto ipsec transform-set someset ah-sha-hmac esp-des esp-sha-hmac
!
crypto map mymap 10 ipsec-manual
 match address 101
 set transform-set someset
 set peer 10.0.0.1
 set session-key inbound ah 300 9876543210987654321098765432109876543210
 set session-key outbound ah 300 fedcbafedcbafedcbafedcbafedcbafedcbafedc
 set session-key inbound esp 300 cipher 0123456789012345 authenticator 0000111122223333444455556666777788889999
 set session-key outbound esp 300 cipher abcdefabcdefabcd authenticator 9999888877776666555544443333222211110000

Misconceptions: none
Related commands:
crypto map (global IPSec)
crypto map (interface IPSec)
crypto map local-address
match address (IPSec)
set peer (IPSec)
set transform-set
show crypto map (IPSec)
Sample Configurations:
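A pre-commit check for a manually keyed entry, encoding the rules listed above: SPI range, SPI uniqueness per destination address and protocol, a key in both directions for every protocol in the transform set, minimum key size per algorithm, and truncation of over-long keys. This is an added example, not Cisco code; the transform set and keys it ships with are the "someset" example from this page, and the dictionary shape used to describe a set session-key line is an assumption for illustration.

```python
"""Validation of ipsec-manual session keys (added example)."""
import re

SPI_MIN, SPI_MAX = 256, 0xFFFFFFFF
KEY_BYTES = {"des": 8, "md5": 16, "sha": 20}   # minimum key size per algorithm

# The page's second example: transform set "someset" and its four session keys.
SOMESET = ["ah-sha-hmac", "esp-des", "esp-sha-hmac"]
SOMESET_KEYS = [
    {"direction": "inbound", "proto": "ah", "spi": 300,
     "key": "9876543210987654321098765432109876543210"},
    {"direction": "outbound", "proto": "ah", "spi": 300,
     "key": "fedcbafedcbafedcbafedcbafedcbafedcbafedc"},
    {"direction": "inbound", "proto": "esp", "spi": 300,
     "cipher": "0123456789012345",
     "authenticator": "0000111122223333444455556666777788889999"},
    {"direction": "outbound", "proto": "esp", "spi": 300,
     "cipher": "abcdefabcdefabcd",
     "authenticator": "9999888877776666555544443333222211110000"},
]


def required_keys(transform_set):
    """Map (protocol, role) -> minimum key bytes for every transform in the set.
    Role is None for AH, 'cipher' or 'authenticator' for ESP."""
    needs = {}
    for t in transform_set:
        parts = t.split("-")                  # e.g. ['esp', 'sha', 'hmac']
        size = KEY_BYTES.get(parts[1]) if len(parts) > 1 else None
        if parts[0] not in ("ah", "esp") or size is None:
            raise ValueError(f"transform {t} not covered by these rules")
        if parts[0] == "ah":
            needs[("ah", None)] = size
        elif parts[-1] == "hmac":
            needs[("esp", "authenticator")] = size
        else:
            needs[("esp", "cipher")] = size
    return needs


def normalize_key(hex_key, needed_bytes):
    """Reject malformed or short keys; return the key as IOS would use it
    (anything beyond the required size is simply truncated)."""
    if not re.fullmatch(r"[0-9a-fA-F]+", hex_key) or len(hex_key) % 2:
        raise ValueError("key must be an even-length hex string")
    if len(hex_key) // 2 < needed_bytes:
        raise ValueError(f"key is {len(hex_key) // 2} bytes, need at least {needed_bytes}")
    return hex_key[: needed_bytes * 2].lower()


def validate_entry(transform_set, session_keys, local_addr, peer_addr, spi_table=None):
    """Validate one crypto map entry and return {(direction, proto, role): key}.
    spi_table ({(dest_addr, proto): set(spi)}) may be shared across entries to
    catch SPI reuse between them; it is updated in place."""
    spi_table = spi_table if spi_table is not None else {}
    needs = required_keys(transform_set)
    have = {}
    for k in session_keys:
        if not SPI_MIN <= k["spi"] <= SPI_MAX:
            raise ValueError(f"SPI {k['spi']} outside {SPI_MIN}..{SPI_MAX}")
        # Uniqueness is per destination address/protocol: this router's address
        # for inbound SAs, the peer's for outbound SAs.
        dest = local_addr if k["direction"] == "inbound" else peer_addr
        used = spi_table.setdefault((dest, k["proto"]), set())
        if k["spi"] in used:
            raise ValueError(f"SPI {k['spi']} reused for {dest}/{k['proto']}")
        used.add(k["spi"])
        roles = ("cipher", "authenticator") if k["proto"] == "esp" else (None,)
        for role in roles:
            key = k.get(role or "key")
            if key is None:
                continue
            if (k["proto"], role) not in needs:
                raise ValueError(f"{role or 'ah'} key given but no matching transform")
            have[(k["direction"], k["proto"], role)] = normalize_key(key, needs[(k["proto"], role)])
    for proto, role in needs:
        for direction in ("inbound", "outbound"):
            if (direction, proto, role) not in have:
                raise ValueError(f"missing {direction} {proto} {role or 'key'}")
    return have


def check(transform_set, session_keys, local_addr, peer_addr):
    """None if the entry is acceptable, otherwise the first problem found."""
    try:
        validate_entry(transform_set, session_keys, local_addr, peer_addr)
    except ValueError as err:
        return str(err)
    return None


if __name__ == "__main__":
    print(check(SOMESET, SOMESET_KEYS, "10.0.0.2", "10.0.0.1"))       # None: valid
    print(check(SOMESET, SOMESET_KEYS[:2], "10.0.0.2", "10.0.0.1"))   # missing ESP keys
```

The page's example passes; dropping the ESP lines, using SPI 100, or shortening an AH key to fewer than 20 bytes each produce a specific error. Sharing one spi_table across several ipsec-manual entries toward the same peer is how you catch the cross-entry SPI collision the text tells you to coordinate with the peer's operator.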

Command Name: set transform-set
Mode: router(config-crypto-map)#
Syntax:
set transform-set transform-set-name [transform-set-name2...transform-set-name6]
no set transform-set

Syntax Description:
transform-set-name: Name of the transform set. For an ipsec-manual crypto map entry, you can specify only one transform set. For an ipsec-isakmp or dynamic crypto map entry, you can specify up to 6 transform sets.

Command Description: To specify which transform sets can be used with the crypto map entry, use the set transform-set crypto map configuration command. To remove all transform sets from a crypto map entry, use the no form of this command.

Usage Guidelines: This command is required for all static and dynamic crypto map entries. Use this command to specify which transform sets to include in a crypto map entry.

For an ipsec-isakmp crypto map entry, you can list multiple transform sets with this command. List the higher priority transform sets first. If the local router initiates the negotiation, the transform sets are presented to the peer in the order specified in the crypto map entry. If the peer initiates the negotiation, the local router accepts the first transform set that matches one of the transform sets specified in the crypto map entry. The first matching transform set that is found at both peers is used for the security association. If no match is found, IPSec does not establish a security association, and the traffic is dropped because there is no security association to protect it. Because the responder takes the first match in the initiator's order, a weak fallback set listed for compatibility will be selected whenever a peer offers it first; remove such sets as soon as every peer supports the stronger ones.

For an ipsec-manual crypto map entry, you can specify only one transform set. If the transform set does not match the transform set at the remote peer's crypto map, the two peers fail to communicate correctly because they are using different rules to process the traffic.

If you want to change the list of transform sets, re-specify the new list of transform sets to replace the old list. The change only affects crypto map entries that reference the transform sets. It is not applied to existing security associations, but is used in subsequent negotiations to establish new security associations. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear crypto sa command.

Any transform sets included in a crypto map must previously have been defined using the crypto ipsec transform-set command.

Example: The following example defines two transform sets and specifies that they can both be used within a crypto map entry. (This example applies only when IKE is used to establish security associations. With crypto maps used for manually established security associations, only one transform set can be included in a given crypto map entry.)
router(config)#crypto ipsec transform-set my_t_set1 esp-des esp-sha-hmac
router(config)#crypto ipsec transform-set my_t_set2 ah-sha-hmac esp-des esp-sha-hmac
!
router(config)#crypto map mymap 10 ipsec-isakmp
router(config-crypto-map)#match address 101
router(config-crypto-map)#set transform-set my_t_set1 my_t_set2
router(config-crypto-map)#set peer 10.0.0.1
router(config-crypto-map)#set peer 10.0.0.2

In this example, when traffic matches access list 101, the security association can use either transform set "my_t_set1" (first priority) or "my_t_set2" (second priority) depending on which transform set matches the remote peer's transform sets.

Misconceptions: none
Related commands: none
Sample Configurations:
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key Delaware address 192.168.10.66
crypto isakmp key Key-What-Key address 192.168.11.19
!
!
crypto ipsec transform-set BearMama ah-md5-hmac esp-des
crypto ipsec df-bit clear
!
!
crypto map armadillo 1 ipsec-isakmp
 set peer 192.168.10.66
 set transform-set BearMama
 match address 101
!
crypto map basilisk 1 ipsec-isakmp
 set peer 192.168.11.19
 set transform-set BearMama
 match address 102
!
!
interface Ethernet0
 ip address 192.168.10.38 255.255.255.0
 ip broadcast-address 0.0.0.0
 media-type 10BaseT
 crypto map armadillo
 crypto ipsec df-bit copy
!
interface Ethernet1
 ip address 192.168.11.75 255.255.255.0
 ip broadcast-address 0.0.0.0
 media-type 10BaseT
 crypto map basilisk
!
interface Serial0
 no ip address
 ip broadcast-address 0.0.0.0
 no ip route-cache
 no ip mroute-cache
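The responder-side selection rules from two entries on this page in one place: the set transform-set rules (offer in configured order, accept the first offered set that matches a local one, no match means no security association and dropped traffic) and the set pfs rules (no group configured means group1 is sent and group1 or group2 accepted, group2 configured means the offer must contain group2, no PFS configured means any offer is accepted). This is an added example, not Cisco code; a transform set is modelled as a (name, set of transforms, mode) tuple and the peer's configuration is constructed.

```python
"""IPsec proposal selection: transform sets and PFS (added example)."""

# The two transform sets from the set transform-set example on this page.
MY_T_SET1 = ("my_t_set1", frozenset({"esp-des", "esp-sha-hmac"}), "tunnel")
MY_T_SET2 = ("my_t_set2", frozenset({"ah-sha-hmac", "esp-des", "esp-sha-hmac"}), "tunnel")


def select_transform_set(offered, local_sets):
    """Responder: walk the initiator's offers in the order they were sent and
    return the name of the first local set that matches one. A match needs the
    same transforms and the same mode. None means no SA; traffic is dropped."""
    for _, o_transforms, o_mode in offered:
        for name, l_transforms, l_mode in local_sets:
            if o_transforms == l_transforms and o_mode == l_mode:
                return name
    return None


def pfs_request(local_pfs):
    """Initiator: what is asked for. local_pfs is None (set pfs not configured),
    '' (set pfs with no group, which sends group1), 'group1' or 'group2'."""
    if local_pfs is None:
        return None
    return local_pfs or "group1"


def pfs_accept(local_pfs, peer_offers):
    """Responder rule for PFS. peer_offers is the ordered list of groups the
    initiator proposed ([] means it did not ask for PFS). Returns (ok, group)."""
    if local_pfs is None:                      # PFS not required: take whatever was offered
        return True, (peer_offers[0] if peer_offers else None)
    if not peer_offers:                        # PFS required, peer offered none: fail
        return False, None
    acceptable = {"group1", "group2"} if local_pfs == "" else {local_pfs}
    for group in peer_offers:
        if group in acceptable:
            return True, group
    return False, None


def negotiate(offered_sets, local_sets, local_pfs, peer_pfs_offers):
    """Both checks together: (transform set name, PFS group) or None on failure."""
    name = select_transform_set(offered_sets, local_sets)
    if name is None:
        return None
    ok, group = pfs_accept(local_pfs, peer_pfs_offers)
    return (name, group) if ok else None


if __name__ == "__main__":
    # Constructed peer: only accepts the AH+ESP set, requires group2.
    peer_sets = [("peer_strong", frozenset({"ah-sha-hmac", "esp-des", "esp-sha-hmac"}), "tunnel")]
    print(negotiate([MY_T_SET1, MY_T_SET2], peer_sets, "group2", ["group1", "group2"]))
    print(negotiate([MY_T_SET1], peer_sets, "group2", ["group1"]))   # None: no match
```

Note how the initiator's list order decides the outcome: with the page's ordering the peer above ends up on my_t_set2 because my_t_set1 does not match anything it has, but a peer that also accepted the ESP-only set would get my_t_set1, the first one offered, regardless of which set the responder itself lists first.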

Command Name: show crypto dynamic-map
Mode: router#
Syntax: show crypto dynamic-map [tag map-name]

Syntax Description:
tag map-name: (Optional) Displays only the crypto dynamic map set with the specified map-name.

Command Description: To view a dynamic crypto map set, use the show crypto dynamic-map privileged EXEC command.
Example: router# show crypto dynamic-map
Misconceptions: none
Related commands: none
Sample Configurations:
Router# show crypto dynamic-map
Crypto Map Template "dyn1" 10
        Extended IP access list 152
            access-list 152 permit ip
                source: addr = 172.21.114.67/0.0.0.0
                dest:   addr = 0.0.0.0/255.255.255.255
        Current peer: 0.0.0.0
        Security association lifetime: 4608000 kilobytes/120 seconds
        PFS (Y/N): N
        Transform sets={ tauth, t1, }

Command Name: show crypto ipsec sa
Mode: router#
Syntax: show crypto ipsec sa [map map-name | address | identity] [detail]

Syntax Description:
map map-name: (Optional) Displays any existing security associations created for the crypto map set named map-name.
address: (Optional) Displays all existing security associations, sorted by the destination address (either the local address or the address of the IP Security remote peer) and then by protocol (Authentication Header or Encapsulating Security Payload).
identity: (Optional) Displays only the flow information. It does not show the security association information.
detail: (Optional) Displays detailed error counters. (The default is the high level send/receive error counters.)

Command Description: To view the settings used by current security associations, use the show crypto ipsec sa privileged EXEC command.

Usage Guidelines: If no keyword is used, all security associations are displayed. They are sorted first by interface, and then by traffic flow (for example, source/destination address, mask, protocol, port). Within a flow, the security associations are listed by protocol (ESP/AH) and direction (inbound/outbound). The "remaining key lifetime (k/sec)" line shows how close each security association is to the volume and timed thresholds described under set security-association lifetime.

Example: router# show crypto ipsec sa
Misconceptions: none
Related commands: none
Sample Configurations:
router# show crypto ipsec sa
interface: Ethernet0
    Crypto map tag: router-alice, local addr. 172.21.114.123
   local  ident (addr/mask/prot/port): (172.21.114.123/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.21.114.67/255.255.255.255/0/0)
   current_peer: 172.21.114.67
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify 10
    #send errors 10, #recv errors 0
     local crypto endpt.: 172.21.114.123, remote crypto endpt.: 172.21.114.67
     path mtu 1500, media mtu 1500
     current outbound spi: 20890A6F
     inbound esp sas:
      spi: 0x257A1039(628756537)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 26, crypto map: router-alice
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     outbound esp sas:
      spi: 0x20890A6F(545852015)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 27, crypto map: router-alice
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
     outbound ah sas:
interface: Tunnel0
    Crypto map tag: router-alice, local addr. 172.21.114.123
   local  ident (addr/mask/prot/port): (172.21.114.123/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.21.114.67/255.255.255.255/0/0)
   current_peer: 172.21.114.67
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify 10
    #send errors 10, #recv errors 0
     local crypto endpt.: 172.21.114.123, remote crypto endpt.: 172.21.114.67
     path mtu 1500, media mtu 1500
     current outbound spi: 20890A6F
     inbound esp sas:
      spi: 0x257A1039(628756537)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 26, crypto map: router-alice
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     outbound esp sas:
      spi: 0x20890A6F(545852015)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 27, crypto map: router-alice
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
     outbound ah sas:

Command Name: show crypto ipsec security-association lifetime
Mode: router#
Syntax: show crypto ipsec security-association lifetime

Syntax Description: This command has no arguments or keywords.
Command Description: To view the global security-association lifetime values (those set with crypto ipsec security-association lifetime, which crypto map entries inherit unless they override them with set security-association lifetime), use the show crypto ipsec security-association lifetime privileged EXEC command. The lifetime in effect for a particular crypto map entry is shown by show crypto map.
Example: router# show crypto ipsec security-association lifetime
Misconceptions: none
Related commands: none
Sample Configurations:
router# show crypto ipsec security-association lifetime
Security-association lifetime: 4608000 kilobytes/120 seconds

Command Name: show crypto ipsec transform-set
Mode: router#
Syntax: show crypto ipsec transform-set [tag transform-set-name]

Syntax Description:
tag transform-set-name: (Optional) Displays only the transform sets with the specified transform-set-name.

Command Description: To view the configured transform sets, use the show crypto ipsec transform-set privileged EXEC command.
Example: router# show crypto ipsec transform-set
Misconceptions: none
Related commands: none
Sample Configurations:
router# show crypto ipsec transform-set
Transform set combined-des-sha: { esp-des esp-sha-hmac }
   will negotiate = { Tunnel, },
Transform set combined-des-md5: { esp-des esp-md5-hmac }
   will negotiate = { Tunnel, },
Transform set t1: { esp-des esp-md5-hmac }
   will negotiate = { Tunnel, },
Transform set t100: { ah-sha-hmac }
   will negotiate = { Transport, },
Transform set t2: { ah-sha-hmac }
   will negotiate = { Tunnel, },
   { esp-des }
   will negotiate = { Tunnel, },

Command Name: show crypto map
Mode: router#
Syntax: show crypto map [interface interface | tag map-name]

Syntax Description:
interface interface: (Optional) Displays only the crypto map set applied to the specified interface.
tag map-name: (Optional) Displays only the crypto map set with the specified map-name.

Command Description: To view the crypto map configuration, use the show crypto map privileged EXEC command.
Example: router# show crypto map
Misconceptions: none
Related commands: none
Sample Configurations:
router# show crypto map
Crypto Map: "router-alice" idb: Ethernet0 local address: 172.21.114.123
Crypto Map "router-alice" 10 ipsec-isakmp
        Peer = 172.21.114.67
        Extended IP access list 141
            access-list 141 permit ip
                source: addr = 172.21.114.123/0.0.0.0
                dest:   addr = 172.21.114.67/0.0.0.0
        Current peer: 172.21.114.67
        Security-association lifetime: 4608000 kilobytes/120 seconds
        PFS (Y/N): N
        Transform sets={ t1, }

debug aaa accounting

To display information on accountable events as they occur, use the debug aaa accounting privileged EXEC command. To disable debugging output, use the no form of the command.
debug aaa accounting
no debug aaa accounting

Syntax Description
This command has no arguments or keywords.

Usage Guidelines
The information displayed by the debug aaa accounting command is independent of the accounting protocol used to transfer the accounting information to a server. Use the debug tacacs and debug radius protocol-specific commands to get more detailed information about protocol-level issues. You can also use the show accounting command to step through all active sessions and to print all the accounting records for actively accounted functions. The show accounting command allows you to display the active "accountable events" on the system. It provides systems administrators a quick look at what is happening, and may also be useful for collecting information in the event of a data loss of some kind on the accounting server. The show accounting command displays additional data on the internal state of the authentication, authorization, and accounting (AAA) security system if debug aaa accounting is turned on as well.

Examples
The following is sample output from the debug aaa accounting command:
Router# debug aaa accounting
16:49:21: AAA/ACCT: EXEC acct start, line 10
16:49:32: AAA/ACCT: Connect start, line 10, glare
16:49:47: AAA/ACCT: Connection acct stop:
task_id=70 service=exec port=10 protocol=telnet address=172.31.3.78 cmd=glare bytes_in=308 bytes_out=76 paks_in=45 paks_out=54 elapsed_time=14

Related Commands
Command                    Description
debug aaa authentication   Displays information on AAA/TACACS+ authentication.
debug aaa authorization    Displays information on AAA/TACACS+ authorization.
debug radius               Displays information associated with RADIUS.
debug tacacs               Displays information associated with TACACS.

debug aaa authentication

To display information on AAA/Terminal Access Controller Access Control System Plus (TACACS+) authentication, use the debug aaa authentication privileged EXEC command. To disable debugging output, use the no form of the command.
debug aaa authentication
no debug aaa authentication

Syntax Description
This command has no arguments or keywords.

Usage Guidelines
Use this command to learn the methods of authentication being used and the results of these methods.

Examples
The following is sample output from the debug aaa authentication command. A single EXEC login that uses the "default" method list and the first method, TACACS+, is displayed. The TACACS+ server sends a GETUSER request to prompt for the username and then a GETPASS request to prompt for the password, and finally a PASS response to indicate a successful login. The number 50996740 is the session ID, which is unique for each authentication. Use this ID number to distinguish between different authentications if several are occurring concurrently.
Router# debug aaa authentication
6:50:12: AAA/AUTHEN: create_user user='' ruser='' port='tty19' rem_addr='172.31.60.15' authen_type=1 service=1 priv=1
6:50:12: AAA/AUTHEN/START (0): port='tty19' list='' action=LOGIN service=LOGIN
6:50:12: AAA/AUTHEN/START (0): using "default" list
6:50:12: AAA/AUTHEN/START (50996740): Method=TACACS+
6:50:12: TAC+ (50996740): received authen response status = GETUSER
6:50:12: AAA/AUTHEN (50996740): status = GETUSER
6:50:15: AAA/AUTHEN/CONT (50996740): continue_login
6:50:15: AAA/AUTHEN (50996740): status = GETUSER
6:50:15: AAA/AUTHEN (50996740): Method=TACACS+
6:50:15: TAC+: send AUTHEN/CONT packet
6:50:15: TAC+ (50996740): received authen response status = GETPASS
6:50:15: AAA/AUTHEN (50996740): status = GETPASS
6:50:20: AAA/AUTHEN/CONT (50996740): continue_login
6:50:20: AAA/AUTHEN (50996740): status = GETPASS
6:50:20: AAA/AUTHEN (50996740): Method=TACACS+
6:50:20: TAC+: send AUTHEN/CONT packet
6:50:20: TAC+ (50996740): received authen response status = PASS
6:50:20: AAA/AUTHEN (50996740): status = PASS

debug aaa authorization

To display information on AAA/TACACS+ authorization, use the debug aaa authorization privileged EXEC command. To disable debugging output, use the no form of the command.
debug aaa authorization
no debug aaa authorization

Syntax Description
This command has no arguments or keywords.

Usage Guidelines
Use this command to learn the methods of authorization being used and the results of these methods.

Examples
The following is sample output from the debug aaa authorization command. In this display, an EXEC authorization for user "carrel" is performed. On the first line, the username is authorized. On the second and third lines, the attribute value (AV) pairs are authorized. The debug output displays a line for each AV pair that is authorized. Next, the display indicates the authorization method used. The final line in the display indicates the status of the authorization process, which, in this case, has failed.
Router# debug aaa authorization
2:23:21: AAA/AUTHOR (0): user='carrel'
2:23:21: AAA/AUTHOR (0): send AV service=shell
2:23:21: AAA/AUTHOR (0): send AV cmd*
2:23:21: AAA/AUTHOR (342885561): Method=TACACS+
2:23:21: AAA/AUTHOR/TAC+ (342885561): user=carrel
2:23:21: AAA/AUTHOR/TAC+ (342885561): send AV service=shell
2:23:21: AAA/AUTHOR/TAC+ (342885561): send AV cmd*
2:23:21: AAA/AUTHOR (342885561): Post authorization status = FAIL
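The debug aaa authentication and debug aaa authorization outputs above share one line format (timestamp, subsystem, optional session ID in parentheses, message), which makes them easy to turn into per-session records and to alert on. The parser below is an added example, not Cisco code; its sample input is the two outputs shown on this page, and it assumes that lines carrying session ID (0) precede the assignment of the real ID and therefore belong to the next session that appears.

```python
"""Parse debug aaa authentication/authorization output into sessions (added example)."""
import re

# Sample input: the debug output shown above on this page.
SAMPLE_AUTHEN = """\
6:50:12: AAA/AUTHEN: create_user user='' ruser='' port='tty19' rem_addr='172.31.60.15' authen_type=1 service=1 priv=1
6:50:12: AAA/AUTHEN/START (0): port='tty19' list='' action=LOGIN service=LOGIN
6:50:12: AAA/AUTHEN/START (0): using "default" list
6:50:12: AAA/AUTHEN/START (50996740): Method=TACACS+
6:50:12: TAC+ (50996740): received authen response status = GETUSER
6:50:12: AAA/AUTHEN (50996740): status = GETUSER
6:50:15: AAA/AUTHEN/CONT (50996740): continue_login
6:50:15: AAA/AUTHEN (50996740): status = GETUSER
6:50:15: AAA/AUTHEN (50996740): Method=TACACS+
6:50:15: TAC+: send AUTHEN/CONT packet
6:50:15: TAC+ (50996740): received authen response status = GETPASS
6:50:15: AAA/AUTHEN (50996740): status = GETPASS
6:50:20: AAA/AUTHEN/CONT (50996740): continue_login
6:50:20: AAA/AUTHEN (50996740): status = GETPASS
6:50:20: AAA/AUTHEN (50996740): Method=TACACS+
6:50:20: TAC+: send AUTHEN/CONT packet
6:50:20: TAC+ (50996740): received authen response status = PASS
6:50:20: AAA/AUTHEN (50996740): status = PASS
"""
SAMPLE_AUTHOR = """\
2:23:21: AAA/AUTHOR (0): user='carrel'
2:23:21: AAA/AUTHOR (0): send AV service=shell
2:23:21: AAA/AUTHOR (0): send AV cmd*
2:23:21: AAA/AUTHOR (342885561): Method=TACACS+
2:23:21: AAA/AUTHOR/TAC+ (342885561): user=carrel
2:23:21: AAA/AUTHOR/TAC+ (342885561): send AV service=shell
2:23:21: AAA/AUTHOR/TAC+ (342885561): send AV cmd*
2:23:21: AAA/AUTHOR (342885561): Post authorization status = FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}:\d\d:\d\d): (?P<src>[A-Z+/]+)(?: \((?P<sid>\d+)\))?: (?P<msg>.*)$")
KV_RE = re.compile(r"(\w+)='([^']*)'")       # quoted fields such as user='carrel' port='tty19'
STATUS_RE = re.compile(r"status = (\w+)")
METHOD_RE = re.compile(r"Method=(\S+)")


def parse_debug_aaa(text):
    """Return {session_id: record} with kind, method, quoted fields, AV pairs,
    every status seen and the final result (the last status line)."""
    sessions, pending = {}, {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, sid, msg = m.group("src"), m.group("sid"), m.group("msg")
        kind = "authen" if "AUTHEN" in src else "author" if "AUTHOR" in src else None
        fields = dict(KV_RE.findall(msg))
        if sid in (None, "0"):                  # preamble before an ID is assigned (assumption)
            pending.update(fields)
            if kind:
                pending["kind"] = kind
            continue
        if sid not in sessions:
            sessions[sid] = {"kind": pending.pop("kind", kind), "method": None,
                             "avs": [], "statuses": [], "result": None}
            sessions[sid].update(pending)
            pending = {}
        s = sessions[sid]
        s.update(fields)
        mm = METHOD_RE.search(msg)
        if mm:
            s["method"] = mm.group(1)
        if msg.startswith("send AV ") and msg[8:] not in s["avs"]:
            s["avs"].append(msg[8:])
        sm = STATUS_RE.search(msg)
        if sm:
            s["statuses"].append(sm.group(1))
            s["result"] = sm.group(1)           # the last status seen is the outcome
    return sessions


def failed_sessions(sessions):
    """(id, kind, user, method, avs) for every session whose final status is FAIL."""
    return [(sid, s["kind"], s.get("user"), s["method"], tuple(s["avs"]))
            for sid, s in sessions.items() if s["result"] == "FAIL"]


if __name__ == "__main__":
    parsed = parse_debug_aaa(SAMPLE_AUTHEN + SAMPLE_AUTHOR)
    for sid, rec in parsed.items():
        print(sid, rec["kind"], rec["method"], rec["result"], rec["avs"])
    print(failed_sessions(parsed))
```

On the page's samples this yields one authentication session that ends in PASS (with port and remote address carried over from the preamble lines) and one authorization session for carrel that ends in FAIL with the AV pairs service=shell and cmd*, which is the record you would want to forward when alerting on denied EXEC or command authorizations.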

The aaa authorization command causes a request packet containing a series of AV pairs to be sent to the TACACS daemon as part of the authorization process. The daemon responds in one of the following three ways:

Accepts the request as is Makes changes to the request Refuses the request, thereby refusing authorization

Table 4 describes AV pairs associated with the debug aaa authorization command that may show up in the debug output.

Table 4 Attribute Value Pairs for Authorization

Attribute Value
    Description

service=arap
    Authorization for the ARA protocol is being requested.
service=shell
    Authorization for EXEC startup and command authorization is being requested.
service=ppp
    Authorization for PPP is being requested.
service=slip
    Authorization for SLIP is being requested.
protocol=lcp
    Authorization for LCP is being requested (lower layer of PPP).
protocol=ip
    Used with service=slip and service=ppp to indicate which protocol layer is being authorized.
protocol=ipx
    Used with service=ppp to indicate which protocol layer is being authorized.
protocol=atalk
    Used with service=ppp or service=arap to indicate which protocol layer is being authorized.
protocol=vines
    Used with service=ppp for VINES over PPP.
protocol=unknown
    Used for undefined or unsupported conditions.
cmd=x
    Used with service=shell. If cmd=NULL, this is an authorization request to start an EXEC. If cmd is not NULL, this is a command authorization request and will contain the name of the command being authorized. For example, cmd=telnet.
cmd-arg=x
    Used with service=shell. When performing command authorization, the name of the command is given by a cmd=x pair for each argument listed. For example, cmd-arg=archie.sura.net.
acl=x
    Used with service=shell and service=arap. For ARA, this pair contains an access list number. For service=shell, this pair contains an access class number. For example, acl=2.
inacl=x
    Used with service=ppp and protocol=ip. Contains an IP input access list for SLIP or PPP/IP. For example, inacl=2.
outacl=x
    Used with service=ppp and protocol=ip. Contains an IP output access list for SLIP or PPP/IP. For example, outacl=4.
addr=x
    Used with service=slip, service=ppp, and protocol=ip. Contains the IP address that the remote host should use when connecting via SLIP or PPP/IP. For example, addr=172.30.23.11.
routing=x
    Used with service=slip, service=ppp, and protocol=ip. Equivalent in function to the /routing flag in SLIP and PPP commands. Can either be true or false. For example, routing=true.
timeout=x
    Used with service=arap. The number of minutes before an ARA session disconnects. For example, timeout=60.
autocmd=x
    Used with service=shell and cmd=NULL. Specifies an autocommand to be executed at EXEC startup. For example, autocmd=telnet yxz.com.
noescape=x
    Used with service=shell and cmd=NULL. Specifies a noescape option to the username configuration command. Can be either true or false. For example, noescape=true.
nohangup=x
    Used with service=shell and cmd=NULL. Specifies a nohangup option to the username configuration command. Can be either true or false. For example, nohangup=false.
priv-lvl=x
    Used with service=shell and cmd=NULL. Specifies the current privilege level for command authorization as a number from 0 to 15. For example, priv-lvl=15.
zonelist=x
    Used with service=arap. Specifies an AppleTalk zonelist for ARA. For example, zonelist=5.
addr-pool=x
    Used with service=ppp and protocol=ip. Specifies the name of a local pool from which to get the address of the remote host.

debug aaa pod


To display debug messages related to POD packets, use the debug aaa pod privileged EXEC command. To disable debugging output, use the no form of this command.
debug aaa pod
no debug aaa pod

Syntax Description
This command has no keywords or arguments.

Defaults
Debugging for POD packets is not enabled.

Command History
Release: 12.1(3)T
Modification: This command was introduced.

Examples
The following example shows output from a successful POD request when the show debug command is used.
Router# debug aaa pod
AAA POD packet processing debugging is on
Router# show debug
General OS:
  AAA POD packet processing debugging is on
Router#
*Jul 9 16:04:32.271:POD:10.100.1.34 request queued
*Jul 9 16:04:32.271:POD:10.100.1.34 user 0.0.0.0 sessid 0x0 key 0xA5AFA004
*Jul 9 16:04:32.271:POD: Line User IDB Session Id Key
*Jul 9 16:04:32.271:POD:Skip Se0:21 meklund 0.0.0.0 0x0 0x0
*Jul 9 16:04:32.271:POD:KILL Se0:22 meklund 0.0.0.0 0x60000020 0xA5AFA004
*Jul 9 16:04:32.271:POD:Sending ACK to 10.100.1.34/1812

Interface Se0:22 was killed because the pod request contained a key of 0xA5AFA004 and pod was configured with the command aaa pod server port 1812 auth-type any server-key mykey.

Related Commands
aaa pod server
    Enables the POD feature.

debug arp
To display information on Address Resolution Protocol (ARP) transactions, use the debug arp privileged EXEC command. The no form of this command disables debugging output.
debug arp
no debug arp

Syntax Description
This command has no arguments or keywords.

Usage Guidelines
Use this command when some nodes on a TCP/IP network are responding, but others are not. It shows whether the router is sending ARP packets and whether it is receiving ARP packets.

Examples
The following is sample output from the debug arp command:
Router# debug arp
IP ARP: sent req 172.16.22.7 0000.0c01.e117, dst 172.16.22.96 0000.0000.0000
IP ARP: rcvd rep 172.16.22.96 0800.2010.b908, dst 172.16.22.7
IP ARP: rcvd req 172.16.6.10 0000.0c00.6fa2, dst 172.16.6.62
IP ARP: rep filtered 172.16.22.7 aa92.1b36.a456, dst 255.255.255.255 ffff.ffff.ffff
IP ARP: rep filtered 172.16.9.7 0000.0c00.6b31, dst 172.16.22.7 0800.2010.b908

In the output, each line represents an ARP packet that the router sent or received. Explanations for the individual lines of output follow. The first line indicates that the router at IP address 172.16.22.7 and MAC address 0000.0c01.e117 sent an ARP request for the MAC address of the host at 172.16.22.96. The series of zeros (0000.0000.0000) following this address indicates that the router is currently unaware of the MAC address.
IP ARP: sent req 172.16.22.7 0000.0c01.e117, dst 172.16.22.96 0000.0000.0000

The second line indicates that the router at IP address 172.16.22.7 receives a reply from the host at 172.16.22.96 indicating that its MAC address is 0800.2010.b908:
IP ARP: rcvd rep 172.16.22.96 0800.2010.b908, dst 172.16.22.7

The third line indicates that the router receives an ARP request from the host at 172.16.6.10 requesting the MAC address for the host at 172.16.6.62:

IP ARP: rcvd req 172.16.6.10 0000.0c00.6fa2, dst 172.16.6.62

The fourth line indicates that another host on the network attempted to send the router an ARP reply for its own address. The router ignores meaningless replies. Usually, meaningless replies happen if a bridge is being run in parallel with the router and is allowing ARP to be bridged. This condition indicates a network misconfiguration.
IP ARP: rep filtered 172.16.22.7 aa92.1b36.a456, dst 255.255.255.255 ffff.ffff.ffff

The fifth line indicates that another host on the network attempted to inform the router that it is on network 172.16.9.7, but the router does not know that the network is attached to a different router interface. The remote host (probably a PC or an X terminal) is misconfigured. If the router were to install this entry, it would deny service to the real machine on the proper cable.
IP ARP: rep filtered 172.16.9.7 0000.0c00.6b31, dst 172.16.22.7 0800.2010.b908
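The line-by-line reading above can be automated for a longer capture. The following Python is an added example, not Cisco's code: it parses debug arp lines, tracks which of the router's own requests were answered, and tags each "rep filtered" line with the cause the text describes (a host answering for the router's own address, or a host claiming an address on a network not attached to the receiving interface). The sample lines and the interface prefixes 172.16.22.7/24 and 172.16.6.1/24 are constructed.

```python
import ipaddress
import re

# Constructed sample of debug arp output, in the same shape as the lines
# explained above (not captured from a real router).
SAMPLE_DEBUG_ARP = """\
IP ARP: sent req 172.16.22.7 0000.0c01.e117, dst 172.16.22.96 0000.0000.0000
IP ARP: rcvd rep 172.16.22.96 0800.2010.b908, dst 172.16.22.7
IP ARP: rcvd req 172.16.6.10 0000.0c00.6fa2, dst 172.16.6.62
IP ARP: sent req 172.16.22.7 0000.0c01.e117, dst 172.16.22.200 0000.0000.0000
IP ARP: rep filtered 172.16.22.7 aa92.1b36.a456, dst 255.255.255.255 ffff.ffff.ffff
IP ARP: rep filtered 172.16.9.7 0000.0c00.6b31, dst 172.16.22.7 0800.2010.b908
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
ARP_LINE = re.compile(
    rf"^IP ARP: (?P<kind>sent req|rcvd req|rcvd rep|rep filtered) "
    rf"(?P<src_ip>\S+) (?P<src_mac>{MAC}), dst (?P<dst_ip>\S+)"
    rf"(?: (?P<dst_mac>{MAC}))?$"
)


def parse_arp_debug(text):
    """Turn debug arp lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def analyze_arp(text, interfaces):
    """interfaces: 'ip/prefixlen' strings for this router's connected
    interfaces (hypothetical values in the sample). Returns the targets the
    router resolved, the requests still unanswered, and one finding per
    'rep filtered' line, tagged with the cause described in the text."""
    own_ips = set()
    subnets = []
    for cidr in interfaces:
        iface = ipaddress.ip_interface(cidr)
        own_ips.add(iface.ip)
        subnets.append(iface.network)

    pending = {}    # dst_ip -> number of requests sent with no reply yet
    resolved = {}   # ip -> MAC learnt from a reply addressed to the router
    findings = []
    for ev in parse_arp_debug(text):
        kind = ev["kind"]
        src_ip = ipaddress.ip_address(ev["src_ip"])
        if kind == "sent req":
            pending[ev["dst_ip"]] = pending.get(ev["dst_ip"], 0) + 1
        elif kind == "rcvd rep":
            resolved[ev["src_ip"]] = ev["src_mac"]
            pending.pop(ev["src_ip"], None)
        elif kind == "rep filtered":
            if src_ip in own_ips:
                cause = ("another host answered for the router's own address; "
                         "check for a bridge running in parallel with the router")
            elif not any(src_ip in net for net in subnets):
                cause = ("host claims an address on a network not attached to "
                         "this interface; the remote host is misconfigured")
            else:
                cause = "duplicate reply for a local address"
            findings.append({"ip": ev["src_ip"], "mac": ev["src_mac"], "cause": cause})
        # 'rcvd req' lines only show that neighbours can reach the router
    return {"resolved": resolved, "unanswered": sorted(pending), "findings": findings}


if __name__ == "__main__":
    for f in analyze_arp(SAMPLE_DEBUG_ARP, ["172.16.22.7/24", "172.16.6.1/24"])["findings"]:
        print(f"{f['ip']} ({f['mac']}): {f['cause']}")
```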

debug cdp ip
To enable debug output for the IP routing information that is carried and processed by the Cisco Discovery Protocol (CDP), use the debug cdp ip privileged EXEC command. The no form of this command disables debugging output.
debug cdp ip
no debug cdp ip

Syntax Description
This command has no arguments or keywords.

Usage Guidelines
CDP is a media- and protocol-independent device-discovery protocol that runs on all Cisco routers. You can use the debug cdp ip command to determine the IP network prefixes CDP is advertising and whether CDP is correctly receiving this information from neighboring routers. Use the debug cdp ip command with the debug ip routing command to debug problems that occur when on-demand routing (ODR) routes are not installed in the routing table at a hub router. You can also use the debug cdp ip command with the debug cdp packet and debug cdp adjacency commands along with encapsulation-specific debug commands to debug problems that occur in the receipt of CDP IP information.

Examples
The following is sample output from the debug cdp ip command. This example shows the transmission of IP-specific information in a CDP update. In this case, three network prefixes are being sent, each with a different network mask.
Router# debug cdp ip
CDP-IP: Writing prefix 172.1.69.232.112/28
CDP-IP: Writing prefix 172.19.89.0/24
CDP-IP: Writing prefix 11.0.0.0/8

In addition to these messages, you might see the following messages:

This message indicates that CDP is attempting to install the prefix 172.16.1.0/24 into the IP routing table:
CDP-IP: Updating prefix 172.16.1.0/24 in routing table

This message indicates a protocol error occurred during an attempt to decode an incoming CDP packet:
CDP-IP: IP TLV length (3) invalid

This message indicates the receipt of the IP prefix 172.16.1.0/24 from a CDP neighbor connected via Ethernet interface 0/0. The neighbor IP address is 10.0.0.1.
CDP-IP: Reading prefix 172.16.1.0/24 source 10.0.0.1 via Ethernet0/0

Related Commands
debug ip routing
    Displays information on RIP routing table updates and route cache updates.

debug crypto engine accelerator logs


To enable logging of commands and associated parameters sent from the VPN module driver to the VPN module hardware using a debug flag, use the debug crypto engine accelerator logs privileged EXEC command.
debug crypto engine accelerator logs
no debug crypto engine accelerator logs

Syntax Description
This command has no arguments or keywords.

Defaults
The logging of commands sent from the VPN module driver to the VPN module hardware is disabled.

Command History
Release: 12.1(1)XC
Modification: This command was introduced on the Cisco 1720 and Cisco 1750 routers.

Usage Guidelines
Use the debug crypto engine accelerator logs command when encryption traffic is sent to the router and a problem with the encryption module is suspected. This command is intended only for Cisco TAC personnel to collect debugging information.

Examples
The command debug crypto engine accelerator logs uses a debug flag to log commands and associated parameters sent from the VPN module driver to the VPN module hardware as follows:
Router# debug crypto engine accelerator logs
encryption module logs debugging is on

Related Commands
crypto engine accelerator
    Enables or disables the crypto engine accelerator if it exists.
show crypto engine accelerator logs
    Prints information about the last 32 CGX Library packet processing commands, and associated parameters sent from the VPN module driver to the VPN module hardware.
show crypto engine accelerator sadatabase
    Prints active (in-use) entries in the platform-specific VPN module database.
show crypto engine configuration
    Displays the Cisco IOS crypto engine of your router.

debug crypto engine


To display debug messages about crypto engines, which perform encryption and decryption, use the debug crypto engine privileged EXEC command. To disable debugging output, use the no form of this command.
debug crypto engine
no debug crypto engine

Syntax Description
This command has no arguments or keywords.

Command History
Release: 12.0
Modification: This command was introduced.

Usage Guidelines
Use the debug crypto engine command to display information pertaining to the crypto engine, such as when Cisco IOS software is performing encryption or decryption operations. The crypto engine is the actual mechanism that performs encryption and decryption. A crypto engine can be software or a hardware accelerator. Some platforms can have multiple crypto engines; therefore, the router will have multiple hardware accelerators.

Examples
The following is sample output from the debug crypto engine command. The first sample output shows messages from a router that successfully generates RSA keys. The second sample output shows messages from a router that decrypts the RSA key during Internet Key Exchange (IKE) negotiation.
Router# debug crypto engine
00:25:13:CryptoEngine0:generate key pair
00:25:13:CryptoEngine0:CRYPTO_GEN_KEY_PAIR
00:25:13:CRYPTO_ENGINE:key process suspended and continued
00:25:14:CRYPTO_ENGINE:key process suspended and continued

Router# debug crypto engine
00:27:45:%SYS-5-CONFIG_I:Configured from console by console
00:27:51:CryptoEngine0:generate alg parameter
00:27:51:CRYPTO_ENGINE:Dh phase 1 status:0
00:27:51:CRYPTO_ENGINE:Dh phase 1 status:0
00:27:51:CryptoEngine0:generate alg parameter
00:27:52:CryptoEngine0:calculate pkey hmac for conn id 0
00:27:52:CryptoEngine0:create ISAKMP SKEYID for conn id 1
00:27:52:Crypto engine 0:RSA decrypt with public key
00:27:52:CryptoEngine0:CRYPTO_RSA_PUB_DECRYPT
00:27:52:CryptoEngine0:generate hmac context for conn id 1
00:27:52:CryptoEngine0:generate hmac context for conn id 1
00:27:52:Crypto engine 0:RSA encrypt with private key
00:27:52:CryptoEngine0:CRYPTO_RSA_PRIV_ENCRYPT
00:27:53:CryptoEngine0:clear dh number for conn id 1
00:27:53:CryptoEngine0:generate hmac context for conn id 1
00:27:53:validate proposal 0
00:27:53:validate proposal request 0
00:27:54:CryptoEngine0:generate hmac context for conn id 1
00:27:54:CryptoEngine0:generate hmac context for conn id 1
00:27:54:ipsec allocate flow 0
00:27:54:ipsec allocate flow 0

Related Commands
crypto key generate rsa
    Generates RSA key pairs.

debug crypto ipsec


To display IPSec events, use the debug crypto ipsec privileged EXEC command. The no form of this command disables debugging output.
debug crypto ipsec
no debug crypto ipsec

Syntax Description
This command has no arguments or keywords.

Examples
The following is sample output from the debug crypto ipsec command. In this example, security associations (SAs) have been successfully established.
Router# debug crypto ipsec

IPSec requests SAs between 172.21.114.123 and 172.21.114.67, on behalf of the permit ip host 172.21.114.123 host 172.21.114.67 command. It prefers to use the transform set esp-des w/esp-md5-hmac, but it will also consider ah-sha-hmac.
00:24:30: IPSEC(sa_request): ,
  (key eng. msg.) src= 172.21.114.123, dest= 172.21.114.67,
    src_proxy= 172.21.114.123/255.255.255.255/0/0 (type=1),
    dest_proxy= 172.21.114.67/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 120s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
00:24:30: IPSEC(sa_request): ,
  (key eng. msg.) src= 172.21.114.123, dest= 172.21.114.67,
    src_proxy= 172.21.114.123/255.255.255.255/0/0 (type=1),
    dest_proxy= 172.21.114.67/255.255.255.255/0/0 (type=1),
    protocol= AH, transform= ah-sha-hmac ,
    lifedur= 120s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

IKE asks for SPIs from IPSec. For inbound security associations, IPSec controls its own SPI space.
00:24:34: IPSEC(key_engine): got a queue event...
00:24:34: IPSEC(spi_response): getting spi 302974012ld for SA
        from 172.21.114.67 to 172.21.114.123 for prot 3
00:24:34: IPSEC(spi_response): getting spi 525075940ld for SA
        from 172.21.114.67 to 172.21.114.123 for prot 2

IKE will ask IPSec if it accepts the SA proposal. In this case, it will be the one sent by the local IPSec in the first place:

00:24:34: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 172.21.114.67, src= 172.21.114.123,
    dest_proxy= 172.21.114.67/255.255.255.255/0/0 (type=1),
    src_proxy= 172.21.114.123/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

After the proposal is accepted, IKE finishes the negotiations, generates the keying material, and then notifies IPSec of the new security associations (one security association for each direction).
00:24:35: IPSEC(key_engine): got a queue event...

The following output pertains to the inbound SA. The conn_id value references an entry in the crypto engine connection table.
00:24:35: IPSEC(initialize_sas): ,
  (key eng. msg.) dest= 172.21.114.123, src= 172.21.114.67,
    dest_proxy= 172.21.114.123/255.255.255.255/0/0 (type=1),
    src_proxy= 172.21.114.67/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 120s and 4608000kb,
    spi= 0x120F043C(302974012), conn_id= 29, keysize= 0, flags= 0x4

The following output pertains to the outbound SA:


00:24:35: IPSEC(initialize_sas): ,
  (key eng. msg.) src= 172.21.114.123, dest= 172.21.114.67,
    src_proxy= 172.21.114.123/255.255.255.255/0/0 (type=1),
    dest_proxy= 172.21.114.67/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 120s and 4608000kb,
    spi= 0x38914A4(59315364), conn_id= 30, keysize= 0, flags= 0x4

IPSec now installs the SA information into its SA database.


00:24:35: IPSEC(create_sa): sa created,
  (sa) sa_dest= 172.21.114.123, sa_prot= 50,
    sa_spi= 0x120F043C(302974012),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 29
00:24:35: IPSEC(create_sa): sa created,
  (sa) sa_dest= 172.21.114.67, sa_prot= 50,
    sa_spi= 0x38914A4(59315364),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 30

The following is sample output for the debug crypto ipsec command as seen on the peer router. In this example, IKE asks IPSec if it will accept an SA proposal. Although the peer sent two proposals, IPSec accepted the first proposal.
00:26:15: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 172.21.114.67, src= 172.21.114.123,
    dest_proxy= 172.21.114.67/255.255.255.255/0/0 (type=1),
    src_proxy= 172.21.114.123/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

IKE asks for SPIs.


00:26:15: IPSEC(key_engine): got a queue event...
00:26:15: IPSEC(spi_response): getting spi 59315364ld for SA
        from 172.21.114.123 to 172.21.114.67 for prot 3

IKE does the remaining processing, completing the negotiation and generating keys. It then tells IPSec about the new SAs.
00:26:15: IPSEC(key_engine): got a queue event...

The following output pertains to the inbound SA:


00:26:15: IPSEC(initialize_sas): ,
  (key eng. msg.) dest= 172.21.114.67, src= 172.21.114.123,
    dest_proxy= 172.21.114.67/0.0.0.0/0/0 (type=1),
    src_proxy= 172.21.114.123/0.0.0.0/0/0 (type=1),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 120s and 4608000kb,
    spi= 0x38914A4(59315364), conn_id= 25, keysize= 0, flags= 0x4

The following output pertains to the outbound SA:


00:26:15: IPSEC(initialize_sas): ,
  (key eng. msg.) src= 172.21.114.67, dest= 172.21.114.123,
    src_proxy= 172.21.114.67/0.0.0.0/0/0 (type=1),
    dest_proxy= 172.21.114.123/0.0.0.0/0/0 (type=1),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 120s and 4608000kb,
    spi= 0x120F043C(302974012), conn_id= 26, keysize= 0, flags= 0x4

IPSec now installs the SA information into its SA database:


00:26:15: IPSEC(create_sa): sa created,
  (sa) sa_dest= 172.21.114.67, sa_prot= 50,
    sa_spi= 0x38914A4(59315364),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 25
00:26:15: IPSEC(create_sa): sa created,
  (sa) sa_dest= 172.21.114.123, sa_prot= 50,
    sa_spi= 0x120F043C(302974012),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 26
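The two captures above show the same pair of SAs from each side: the SA that is inbound on one router (its own address as sa_dest) is the outbound SA on the peer, with the same SPI and transform. The following Python is an added example, not Cisco's code, that parses the create_sa lines from both peers and reports any SA that is missing on one side or installed with a different transform. The excerpts are constructed to match the output above, and the peer addresses are the ones shown there.

```python
import re

# Constructed excerpts in the shape of the create_sa lines shown above:
# one capture from each peer (not real router output).
LOCAL_PEER = """\
00:24:35: IPSEC(create_sa): sa created, (sa) sa_dest= 172.21.114.123, sa_prot= 50, sa_spi= 0x120F043C(302974012), sa_trans= esp-des esp-md5-hmac , sa_conn_id= 29
00:24:35: IPSEC(create_sa): sa created, (sa) sa_dest= 172.21.114.67, sa_prot= 50, sa_spi= 0x38914A4(59315364), sa_trans= esp-des esp-md5-hmac , sa_conn_id= 30
"""
REMOTE_PEER = """\
00:26:15: IPSEC(create_sa): sa created, (sa) sa_dest= 172.21.114.67, sa_prot= 50, sa_spi= 0x38914A4(59315364), sa_trans= esp-des esp-md5-hmac , sa_conn_id= 25
00:26:15: IPSEC(create_sa): sa created, (sa) sa_dest= 172.21.114.123, sa_prot= 50, sa_spi= 0x120F043C(302974012), sa_trans= esp-des esp-md5-hmac , sa_conn_id= 26
"""

CREATE_SA = re.compile(
    r"IPSEC\(create_sa\): sa created, \(sa\) sa_dest= (?P<dest>\S+), "
    r"sa_prot= (?P<prot>\d+), sa_spi= 0x(?P<spi_hex>[0-9A-Fa-f]+)\((?P<spi_dec>\d+)\), "
    r"sa_trans= (?P<trans>.*?) ?, sa_conn_id= (?P<conn>\d+)"
)


def parse_create_sa(text, my_address):
    """Map (sa_dest, sa_prot, spi) -> details for every create_sa line.
    An SA whose sa_dest is this router's own address is inbound here."""
    sas = {}
    for line in text.splitlines():
        m = CREATE_SA.search(line)
        if not m:
            continue
        spi = int(m["spi_dec"])
        # IOS prints the SPI twice (hex and decimal); they must agree.
        if spi != int(m["spi_hex"], 16):
            raise ValueError(f"hex/decimal SPI mismatch in: {line}")
        direction = "inbound" if m["dest"] == my_address else "outbound"
        sas[(m["dest"], int(m["prot"]), spi)] = {
            "direction": direction,
            "transform": m["trans"],
            "conn_id": int(m["conn"]),
        }
    return sas


def correlate_peers(local_text, local_addr, remote_text, remote_addr):
    """Every SA must exist on both peers, inbound on one side and outbound
    on the other, with the same transform. Returns a list of
    (sa_key, problem) tuples; an empty list means the SAs line up."""
    local = parse_create_sa(local_text, local_addr)
    remote = parse_create_sa(remote_text, remote_addr)
    problems = []
    for key in sorted(set(local) | set(remote)):
        a, b = local.get(key), remote.get(key)
        if a is None or b is None:
            problems.append((key, "missing on " + ("local" if a is None else "remote")))
        elif a["direction"] == b["direction"]:
            problems.append((key, "same direction on both peers"))
        elif a["transform"] != b["transform"]:
            problems.append((key, "transform mismatch"))
    return problems


if __name__ == "__main__":
    issues = correlate_peers(LOCAL_PEER, "172.21.114.123", REMOTE_PEER, "172.21.114.67")
    print("SAs consistent" if not issues else issues)
```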

debug crypto isakmp


To display messages about IKE events, use the debug crypto isakmp privileged EXEC command. The no form of this command disables debugging output.
debug crypto isakmp
no debug crypto isakmp

Syntax Description
This command has no arguments or keywords.

Examples
The following is sample output from the debug crypto isakmp command for an IKE peer that initiates an IKE negotiation. First, IKE negotiates its own security association (SA), checking for a matching IKE policy:
Router# debug crypto isakmp
20:26:58: ISAKMP (8): beginning Main Mode exchange
20:26:58: ISAKMP (8): processing SA payload. message ID = 0
20:26:58: ISAKMP (8): Checking ISAKMP transform 1 against priority 10 policy
20:26:58: ISAKMP: encryption DES-CBC
20:26:58: ISAKMP: hash SHA
20:26:58: ISAKMP: default group 1
20:26:58: ISAKMP: auth pre-share
20:26:58: ISAKMP (8): atts are acceptable. Next payload is 0

IKE has found a matching policy. Next, the IKE SA is used by each peer to authenticate the other peer:
20:26:58: ISAKMP (8): SA is doing pre-shared key authentication
20:26:59: ISAKMP (8): processing KE payload. message ID = 0
20:26:59: ISAKMP (8): processing NONCE payload. message ID = 0
20:26:59: ISAKMP (8): SKEYID state generated
20:26:59: ISAKMP (8): processing ID payload. message ID = 0
20:26:59: ISAKMP (8): processing HASH payload. message ID = 0
20:26:59: ISAKMP (8): SA has been authenticated

Next, IKE negotiates to set up the IPSec SA by searching for a matching transform set:
20:26:59: ISAKMP (8): beginning Quick Mode exchange, M-ID of 767162845
20:26:59: ISAKMP (8): processing SA payload. message ID = 767162845
20:26:59: ISAKMP (8): Checking IPSec proposal 1
20:26:59: ISAKMP: transform 1, ESP_DES
20:26:59: ISAKMP: attributes in transform:
20:26:59: ISAKMP: encaps is 1
20:26:59: ISAKMP: SA life type in seconds
20:26:59: ISAKMP: SA life duration (basic) of 600
20:26:59: ISAKMP: SA life type in kilobytes
20:26:59: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
20:26:59: ISAKMP: authenticator is HMAC-MD5
20:26:59: ISAKMP (8): atts are acceptable.

A matching IPSec transform set has been found at the two peers. Now the IPSec SA can be created (one SA is created for each direction):
20:26:59: ISAKMP (8): processing NONCE payload. message ID = 767162845
20:26:59: ISAKMP (8): processing ID payload. message ID = 767162845
20:26:59: ISAKMP (8): processing ID payload. message ID = 767162845
20:26:59: ISAKMP (8): Creating IPSec SAs
20:26:59:         inbound SA from 155.0.0.2 to 155.0.0.1 (proxy 155.0.0.2 to 155.0.0.1)
20:26:59:         has spi 454886490 and conn_id 9 and flags 4
20:26:59:         lifetime of 600 seconds
20:26:59:         lifetime of 4608000 kilobytes
20:26:59:         outbound SA from 155.0.0.1 to 155.0.0.2 (proxy 155.0.0.1 to 155.0.0.2)
20:26:59:         has spi 75506225 and conn_id 10 and flags 4
20:26:59:         lifetime of 600 seconds
20:26:59:         lifetime of 4608000 kilobytes
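The Quick Mode lines above dump the proposal attributes one per line, and the kilobyte lifetime arrives as a variable-length (VPI) attribute shown as raw bytes: 0x0 0x46 0x50 0x0 is 0x00465000, which is the 4608000 kilobytes reported when the SAs are created. The following Python is an added example, not Cisco's code: it collects the proposal attributes, decodes the VPI bytes, and checks that the lifetimes of the SAs IKE then creates match what was negotiated. The excerpts are constructed to match the output above.

```python
import re

# Constructed excerpts in the shape of the Quick Mode lines shown above
# (not captured from a real router).
QUICK_MODE = """\
20:26:59: ISAKMP (8): Checking IPSec proposal 1
20:26:59: ISAKMP: transform 1, ESP_DES
20:26:59: ISAKMP: attributes in transform:
20:26:59: ISAKMP: encaps is 1
20:26:59: ISAKMP: SA life type in seconds
20:26:59: ISAKMP: SA life duration (basic) of 600
20:26:59: ISAKMP: SA life type in kilobytes
20:26:59: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
20:26:59: ISAKMP: authenticator is HMAC-MD5
20:26:59: ISAKMP (8): atts are acceptable.
"""
SA_CREATION = """\
20:26:59: ISAKMP (8): Creating IPSec SAs
20:26:59:         inbound SA from 155.0.0.2 to 155.0.0.1 (proxy 155.0.0.2 to 155.0.0.1)
20:26:59:         has spi 454886490 and conn_id 9 and flags 4
20:26:59:         lifetime of 600 seconds
20:26:59:         lifetime of 4608000 kilobytes
20:26:59:         outbound SA from 155.0.0.1 to 155.0.0.2 (proxy 155.0.0.1 to 155.0.0.2)
20:26:59:         has spi 75506225 and conn_id 10 and flags 4
20:26:59:         lifetime of 600 seconds
20:26:59:         lifetime of 4608000 kilobytes
"""


def decode_vpi(hex_bytes):
    """A variable-length (VPI) attribute is dumped as big-endian bytes,
    so '0x0 0x46 0x50 0x0' is 0x00465000 = 4608000."""
    return int.from_bytes(bytes(int(b, 16) for b in hex_bytes.split()), "big")


def parse_quick_mode(text):
    """Collect the attributes IKE prints while checking one IPSec proposal."""
    proposal = {"lifetimes": {}, "accepted": False}
    life_type = None
    for raw in text.splitlines():
        line = raw.split(": ", 1)[-1]          # drop the timestamp
        if m := re.match(r"ISAKMP: transform \d+, (\S+)", line):
            proposal["transform"] = m.group(1)
        elif m := re.match(r"ISAKMP: encaps is (\d+)", line):
            proposal["encaps"] = int(m.group(1))
        elif m := re.match(r"ISAKMP: SA life type in (\w+)", line):
            life_type = m.group(1)             # the duration line follows it
        elif m := re.match(r"ISAKMP: SA life duration \((basic|VPI)\) of (.+)", line):
            kind, value = m.groups()
            proposal["lifetimes"][life_type] = (
                int(value) if kind == "basic" else decode_vpi(value)
            )
        elif m := re.match(r"ISAKMP: authenticator is (\S+)", line):
            proposal["authenticator"] = m.group(1)
        elif re.match(r"ISAKMP \(\d+\): atts are acceptable", line):
            proposal["accepted"] = True
    return proposal


def created_sas(text):
    """Read the per-SA block IKE prints under 'Creating IPSec SAs'."""
    sas = []
    for line in text.splitlines():
        if m := re.search(r"(inbound|outbound) SA from (\S+) to (\S+)", line):
            sas.append({"direction": m.group(1), "src": m.group(2),
                        "dst": m.group(3), "lifetimes": {}})
        elif m := re.search(r"has spi (\d+) and conn_id (\d+)", line):
            sas[-1]["spi"] = int(m.group(1))
            sas[-1]["conn_id"] = int(m.group(2))
        elif m := re.search(r"lifetime of (\d+) (seconds|kilobytes)", line):
            sas[-1]["lifetimes"][m.group(2)] = int(m.group(1))
    return sas


def lifetimes_match(proposal, sas):
    """True when every created SA carries the negotiated lifetimes."""
    return bool(sas) and all(sa["lifetimes"] == proposal["lifetimes"] for sa in sas)


if __name__ == "__main__":
    p = parse_quick_mode(QUICK_MODE)
    print(p, lifetimes_match(p, created_sas(SA_CREATION)))
```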

debug crypto key-exchange


To show Digital Signature Standard (DSS) public key exchange messages, use the debug crypto key-exchange privileged EXEC command. The no form of this command disables debugging output.
debug crypto key-exchange
no debug crypto key-exchange

Syntax Description
This command has no arguments or keywords.

Usage Guidelines
Encryption and authentication are provided by a software service on the router called a crypto engine. The crypto engine performs authentication through DSS public and private keys when a connection is set up. DSS is a means of sending a "signature" at the end of a message that positively identifies the author of the message. The signature cannot be forged or duplicated by others, so whoever received a message with a DSS signature knows exactly who sent the message. If the process of exchanging DSS public keys with a peer router by means of the config crypto key-exchange command is not successful, try to exchange DSS public keys again after enabling the debug crypto key-exchange command to help you diagnose the problem.

Examples
The following is sample output from the debug crypto key-exchange command. The first shows output from the initiating router in a key exchange. The second shows output from the passive router in a key exchange. The number of bytes received should match the number of bytes sent from the initiating side, although the number of messages can be different.
Router# debug crypto key-exchange
CRYPTO-KE: Sent 4 bytes.
CRYPTO-KE: Sent 2 bytes.
CRYPTO-KE: Sent 2 bytes.
CRYPTO-KE: Sent 2 bytes.
CRYPTO-KE: Sent 64 bytes.

Router# debug crypto key-exchange
CRYPTO-KE: Received 4 bytes.
CRYPTO-KE: Received 2 bytes.
CRYPTO-KE: Received 2 bytes.
CRYPTO-KE: Received 2 bytes.
CRYPTO-KE: Received 49 bytes.
CRYPTO-KE: Received 15 bytes.

Related Commands
debug crypto sesmgmt
    Displays connection setup messages and their flow through the router.

debug crypto pki messages


To display debug messages for the details of the interaction (message dump) between the certification authority (CA) and the router, use the debug crypto pki messages privileged EXEC command. To disable debugging output, use the no form of this command.
debug crypto pki messages
no debug crypto pki messages

Syntax Description
This command has no arguments or keywords.

Defaults
Disabled

Command History
Release: 12.0
Modification: This command was introduced.

Usage Guidelines
Use the debug crypto pki messages command to display messages about the actual data being sent and received during public key infrastructure (PKI) transactions. You can also use the show crypto ca certificates command to display information about your certificate.

Examples
The following example is sample output for the debug crypto pki messages command:
Router# debug crypto pki messages
Fingerprint: 2CFC6265 77BA6496 3AEFCB50 29BC2BF2
00:48:23:Write out pkcs#10 content:274
00:48:23:Enveloped Data ...
00:48:23:Signed Data 1382 bytes
00:48:24:Received pki message:1778 types
00:48:24:Verified signed data 1202 bytes:
00:48:24:Decrypted enveloped content:
(the hex byte dumps that follow each of these lines are omitted here)
00:48:24:%CRYPTO-6-CERTRET:Certificate received from Certificate Authority

Related Commands
crypto ca enroll
    Obtains the certificate of your router from the CA.
debug crypto pki transactions
    Displays debug messages for the trace of interaction (message type) between the CA and the router.
show crypto ca certificates
    Displays information about your certificate, the certificate of the CA, and any RA certificates.

debug crypto pki transactions


To display debug messages for the trace of interaction (message type) between the certification authority (CA) and the router, use the debug crypto pki transactions privileged EXEC command. To disable debugging output, use the no form of this command.
debug crypto pki transactions
no debug crypto pki transactions

Syntax Description
This command has no arguments or keywords.

Defaults
Disabled

Command History
Release: 12.0
Modification: This command was introduced.

Usage Guidelines
Use the debug crypto pki transactions command to display debug messages pertaining to public key infrastructure (PKI) certificates. The messages will show status information during certificate enrollment and verification. You can also use the show crypto ca certificates command to display information about your certificate.

Examples
The following example, which authenticates and enrolls a CA, contains sample output for the debug crypto pki transactions command:
Router(config)# crypto ca authenticate msca
Certificate has the following attributes:
Fingerprint:A5DE3C51 AD8B0207 B60BED6D 9356FB00
% Do you accept this certificate? [yes/no]:y
Router# debug crypto pki transactions
00:44:00:CRYPTO_PKI:Sending CA Certificate Request:
GET /certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=msca HTTP/1.0

00:44:00:CRYPTO_PKI:http connection opened
00:44:01:CRYPTO_PKI:HTTP response header:
HTTP/1.1 200 OK
Server:Microsoft-IIS/5.0
Date:Fri, 17 Nov 2000 18:50:59 GMT
Content-Length:2693
Content-Type:application/x-x509-ca-ra-cert

Content-Type indicates we have received CA and RA certificates.
00:44:01:CRYPTO_PKI:WARNING:A certificate chain could not be constructed while selecting certificate status
00:44:01:CRYPTO_PKI:WARNING:A certificate chain could not be constructed while selecting certificate status
00:44:01:CRYPTO_PKI:Name:CN = msca-rootRA, O = Cisco System, C = US
00:44:01:CRYPTO_PKI:Name:CN = msca-rootRA, O = Cisco System, C = US
00:44:01:CRYPTO_PKI:transaction GetCACert completed
00:44:01:CRYPTO_PKI:CA certificate received.
00:44:01:CRYPTO_PKI:CA certificate received.
Router(config)# crypto ca enroll msca
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate. For security reasons your password will not be saved in the configuration. Please make a note of it.
Password:
Re-enter password:
% The subject name in the certificate will be:Router.cisco.com
% Include the router serial number in the subject name? [yes/no]:n
% Include an IP address in the subject name? [yes/no]:n
Request certificate from CA? [yes/no]:y
% Certificate request sent to Certificate Authority
% The certificate request fingerprint will be displayed.
% The 'show crypto ca certificate' command will also show the fingerprint.
Router(config)# Fingerprint: 2CFC6265 77BA6496 3AEFCB50 29BC2BF2
00:44:29:CRYPTO_PKI:transaction PKCSReq completed
00:44:29:CRYPTO_PKI:status:
00:44:29:CRYPTO_PKI:http connection opened
00:44:29:CRYPTO_PKI: received msg of 1924 bytes
00:44:29:CRYPTO_PKI:HTTP response header:
HTTP/1.1 200 OK
Server:Microsoft-IIS/5.0
Date:Fri, 17 Nov 2000 18:51:28 GMT
Content-Length:1778
Content-Type:application/x-pki-message

00:44:29:CRYPTO_PKI:signed attr:pki-message-type:
00:44:29:13 01 33
00:44:29:CRYPTO_PKI:signed attr:pki-status:
00:44:29:13 01 30
00:44:29:CRYPTO_PKI:signed attr:pki-recipient-nonce:
00:44:29:04 10 B4 C8 2A 12 9C 8A 2A 4A E1 E5 15 DE 22 C2 B4 FD
00:44:29:CRYPTO_PKI:signed attr:pki-transaction-id:
00:44:29:13 20 34 45 45 41 44 42 36 33 38 43 33 42 42 45 44 45 39 46
00:44:29:34 38 44 33 45 36 39 33 45 33 43 37 45 39
00:44:29:CRYPTO_PKI:status = 100:certificate is granted
00:44:29:CRYPTO__PKI:All enrollment requests completed.
00:44:29:%CRYPTO-6-CERTRET:Certificate received from Certificate Authority

Related Commands
Command                       Description
crypto ca authenticate        Authenticates the CA (by getting the certificate of the CA).
crypto ca enroll              Obtains the certificate of your router from the CA.
debug crypto pki messages     Displays debug messages for details of the interaction (message dump) between the CA and the router.
show crypto ca certificates   Displays information about your certificate, the certificate of the CA, and any RA certificates.

debug crypto sesmgmt


To show connection setup messages and their flow through the router, use the debug crypto sesmgmt privileged EXEC command. The no form of this command disables debugging output.
debug crypto sesmgmt
no debug crypto sesmgmt

Syntax Description
This command has no arguments or keywords.

Usage Guidelines
Encryption and authentication are provided by a software service on the router called a crypto engine. The crypto engine performs authentication through DSS public and private keys when a connection is set up. DSS is a means of sending a "signature" at the end of a message that positively identifies the author of the message. The signature cannot be forged or duplicated by others, so whoever receives a message with a DSS signature knows exactly who sent the message. When connections are not completing, use the debug crypto sesmgmt command to follow the progress of connection messages as a first step in diagnosing the problem. You see a record of each connection message as the router discovers it, and can track its progress through the necessary signing, verifying, and encryption session setup operations. Other significant connection setup events, such as the pregeneration of Diffie-Hellman public numbers, are also shown. For information on Diffie-Hellman public numbers, refer to the Security Configuration Guide. Also use the show crypto connections command to display additional information on connections.

Examples
The following is sample output from the debug crypto sesmgmt command. The first shows messages from a router that initiates a successful connection. The second shows messages from a router that receives a connection.
Router# debug crypto sesmgmt
CRYPTO: Dequeued a message: Inititate_Connection
CRYPTO: DH gen phase 1 status for conn_id 2 slot 0:OK
CRYPTO: Signing done. Status:OK
CRYPTO: ICMP message sent: s=172.21.114.163, d=172.21.114.162
CRYPTO-SDU: send_nnc_req: NNC Echo Request sent
CRYPTO: Dequeued a message: CRM
CRYPTO: DH gen phase 2 status for conn_id 2 slot 0:OK
CRYPTO: Verify done. Status=OK
CRYPTO: Signing done. Status:OK
CRYPTO: ICMP message sent: s=172.21.114.163, d=172.21.114.162
CRYPTO-SDU: recv_nnc_rpy: NNC Echo Confirm sent
CRYPTO: Create encryption key for conn_id 2 slot 0:OK
CRYPTO: Replacing -2 in crypto maps with 2 (slot 0)

Router# debug crypto sesmgmt
CRYPTO: Dequeued a message: CIM
CRYPTO: Verify done. Status=OK
CRYPTO: DH gen phase 1 status for conn_id 1 slot 0:OK
CRYPTO: DH gen phase 2 status for conn_id 1 slot 0:OK
CRYPTO: Signing done. Status:OK
CRYPTO: ICMP message sent: s=172.21.114.162, d=172.21.114.163
CRYPTO-SDU: act_on_nnc_req: NNC Echo Reply sent
CRYPTO: Create encryption key for conn_id 1 slot 0:OK
CRYPTO: Replacing -2 in crypto maps with 1 (slot 0)
CRYPTO: Dequeued a message: CCM
CRYPTO: Verify done. Status=OK

Related Commands
Command                     Description
debug crypto key-exchange   Displays DSS public key exchange messages.

debug dhcp
To display debugging information about the Dynamic Host Configuration Protocol (DHCP) client activities and to monitor the status of DHCP packets, use the debug dhcp command in privileged EXEC mode. The no form of this command disables debugging output.
debug dhcp [detail]
no debug dhcp [detail]

Syntax Description
detail (Optional) Displays additional debug information.

Usage Guidelines
You can also use the debug dhcp command to monitor the subnet allocation and releasing for on-demand address pools. For debugging purposes, the debug dhcp detail command provides the most useful information such as the lease entry structure of the client and the state transitions of the lease entry. The debug output shows the scanned option values from received DHCP messages that are replies to a router request. The values of the op, htype, hlen, hops, server identifier option, xid, secs, flags, ciaddr, yiaddr, siaddr, and giaddr fields of the DHCP packet are shown in addition to the length of the options field.

Examples
The following examples show and explain some of the typical debug messages you might see when using the debug dhcp detail command. The following example shows the debug output when a DHCP client sends out a DHCPDISCOVER broadcast message to find its local DHCP server:
Router# debug dhcp detail
00:07:16:DHCP:DHCP client process started:10
00:07:16:RAC:Starting DHCP discover on Ethernet2
00:07:16:DHCP:Try 1 to acquire address for Ethernet2
00:07:16:%SYS-5-CONFIG_I:Configured from console by console
00:07:19:DHCP:Shutting down from get_netinfo()
00:07:19:DHCP:Attempting to shutdown DHCP Client
00:07:21:DHCP:allocate request
00:07:21:DHCP:new entry. add to queue
00:07:21:DHCP:SDiscover attempt # 1 for entry:

The first seven lines of the following output show the current values stored in the lease entry structure for the client:

00:07:21:Temp IP addr:0.0.0.0 for peer on Interface:Ethernet2
00:07:21:Temp sub net mask:0.0.0.0
00:07:21: DHCP Lease server:0.0.0.0, state:1 Selecting
00:07:21: DHCP transaction id:582
00:07:21: Lease:0 secs, Renewal:0 secs, Rebind:0 secs
00:07:21: Next timer fires after:00:00:03
00:07:21: Retry count:1 Client-ID:cisco-0010.7b6e.afd8-Et2
00:07:21:DHCP:SDiscover:sending 308 byte length DHCP packet
00:07:21:DHCP:SDiscover 308 bytes
00:07:21: B'cast on Ethernet2 interface from 0.0.0.0

The following example shows the offered addresses and parameters sent to the DHCP client by the DHCP server via a DHCPOFFER message. The messages containing the field "Scan" indicate the options that were scanned from the received BOOTP packet and the corresponding values.
00:07:23:DHCP:Received a BOOTREP pkt
00:07:23:DHCP:Scan:Message type:DHCP Offer
00:07:23:DHCP:Scan:Server ID Option:10.1.1.1 = A010101
00:07:23:DHCP:Scan:Lease Time:180
00:07:23:DHCP:Scan:Renewal time:90
00:07:23:DHCP:Scan:Rebind time:157
00:07:23:DHCP:Scan:Subnet Address Option:255.255.255.0

The following debug output shows selected fields in the received BOOTP packet:
00:07:23:DHCP:rcvd pkt source:10.1.1.1, destination: 255.255.255.255
00:07:23: UDP sport:43, dport:44, length:308
00:07:23: DHCP op:2, htype:1, hlen:6, hops:0
00:07:23: DHCP server identifier:10.1.1.1
00:07:23: xid:582, secs:0, flags:8000
00:07:23: client:0.0.0.0, your:10.1.1.2
00:07:23: srvr: 0.0.0.0, gw:0.0.0.0
00:07:23: options block length:60
00:07:23:DHCP Offer Message Offered Address:10.1.1.2
00:07:23:DHCP:Lease Seconds:180 Renewal secs: 90 Rebind secs:157
00:07:23:DHCP:Server ID Option:10.1.1.1
00:07:23:DHCP:offer received from 10.1.1.1

The following example shows the debug output when the DHCP client sends out a DHCPREQUEST broadcast message to the DHCP server to accept the offered parameters:
00:07:23:DHCP:SRequest attempt # 1 for entry:
00:07:23:Temp IP addr:10.1.1.2 for peer on Interface:Ethernet2
00:07:23:Temp sub net mask:255.255.255.0
00:07:23: DHCP Lease server:10.1.1.1, state:2 Requesting
00:07:23: DHCP transaction id:582
00:07:23: Lease:180 secs, Renewal:0 secs, Rebind:0 secs
00:07:23: Next timer fires after:00:00:02
00:07:23: Retry count:1 Client-ID:cisco-0010.7b6e.afd8-Et2
00:07:23:DHCP:SRequest- Server ID option:10.1.1.1
00:07:23:DHCP:SRequest- Requested IP addr option:10.1.1.2
00:07:23:DHCP:SRequest placed lease len option:180
00:07:23:DHCP:SRequest:326 bytes
00:07:23:DHCP:SRequest:326 bytes
00:07:23: B'cast on Ethernet2 interface from 0.0.0.0

The following example shows the debug output when the DHCP server sends a DHCPACK message to the client with the full set of configuration parameters:
00:07:23:DHCP:Received a BOOTREP pkt
00:07:23:DHCP:Scan:Message type:DHCP Ack
00:07:23:DHCP:Scan:Server ID Option:10.1.1.1 = A010101
00:07:23:DHCP:Scan:Lease Time:180
00:07:23:DHCP:Scan:Renewal time:90
00:07:23:DHCP:Scan:Rebind time:157
00:07:23:DHCP:Scan:Subnet Address Option:255.255.255.0
00:07:23:DHCP:rcvd pkt source:10.1.1.1, destination: 255.255.255.255
00:07:23: UDP sport:43, dport:44, length:308
00:07:23: DHCP op:2, htype:1, hlen:6, hops:0
00:07:23: DHCP server identifier:10.1.1.1
00:07:23: xid:582, secs:0, flags:8000
00:07:23: client:0.0.0.0, your:10.1.1.2
00:07:23: srvr: 0.0.0.0, gw:0.0.0.0
00:07:23: options block length:60
00:07:23:DHCP Ack Messag
00:07:23:DHCP:Lease Seconds:180 Renewal secs: 90 Rebind secs:157
00:07:23:DHCP:Server ID Option:10.1.1.1
Interface Ethernet2 assigned DHCP address 10.1.1.2, mask 255.255.255.0
00:07:26:DHCP Client Pooling:***Allocated IP address:10.1.1.2
00:07:26:Allocated IP address = 10.1.1.2 255.255.255.0

Most fields are self-explanatory; however, fields that may need further explanation are described in Table 37.

Table 37 debug dhcp Command Field Descriptions
Field                                           Description
DHCP:Scan:Subnet Address Option:255.255.255.0   Subnet mask option (option 1).
DHCP server identifier:1.1.1.1                  Value of the DHCP server id option (option 54). Note that this is not the same as the siaddr field, which is the server IP address.
srvr:0.0.0.0, gw:0.0.0.0                        srvr is the value of the siaddr field. gw is the value of the giaddr field.
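The OFFER and ACK blocks above carry enough to reconstruct the reply and sanity-check who answered the client. The parser below is an added example, not Cisco code; it assumes the line layout shown in this section (the sample input is constructed to mirror the DHCPACK output above), and it flags a reply whose server identifier (option 54) is not on an allow-list, or differs from the packet source when no relay is in the path (giaddr 0.0.0.0), which is how an unexpected DHCP server shows up in this debug output.

```python
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed sample of "debug dhcp detail" output for a DHCPACK, modelled on
# the format shown above; not captured from a real router.
SAMPLE_DEBUG = """\
00:07:23:DHCP:Received a BOOTREP pkt
00:07:23:DHCP:Scan:Message type:DHCP Ack
00:07:23:DHCP:Scan:Server ID Option:10.1.1.1 = A010101
00:07:23:DHCP:Scan:Lease Time:180
00:07:23:DHCP:Scan:Renewal time:90
00:07:23:DHCP:Scan:Rebind time:157
00:07:23:DHCP:Scan:Subnet Address Option:255.255.255.0
00:07:23:DHCP:rcvd pkt source:10.1.1.1, destination: 255.255.255.255
00:07:23: UDP sport:43, dport:44, length:308
00:07:23: DHCP op:2, htype:1, hlen:6, hops:0
00:07:23: DHCP server identifier:10.1.1.1
00:07:23: xid:582, secs:0, flags:8000
00:07:23: client:0.0.0.0, your:10.1.1.2
00:07:23: srvr: 0.0.0.0, gw:0.0.0.0
00:07:23: options block length:60
"""


@dataclass
class DhcpReply:
    message_type: str = ""
    source: str = ""       # IP source of the received packet
    server_id: str = ""    # option 54 ("Server ID Option" / "DHCP server identifier")
    op: int = 0            # 2 = BOOTREPLY
    xid: int = 0
    flags: int = 0
    ciaddr: str = ""       # "client:" field
    yiaddr: str = ""       # "your:" field, the offered/assigned address
    siaddr: str = ""       # "srvr:" field; not the same thing as option 54
    giaddr: str = ""       # "gw:" field, non-zero only when a relay forwarded the packet
    lease: int = 0
    renewal: int = 0       # T1
    rebind: int = 0        # T2
    subnet_mask: str = ""

    @property
    def broadcast(self) -> bool:
        """The BROADCAST bit is the high bit of the 16-bit flags field."""
        return bool(self.flags & 0x8000)


# "Scan:" key -> attribute; lease/renewal/rebind are converted to int.
_SCAN_KEYS = {"Message type": "message_type", "Server ID Option": "server_id",
              "Lease Time": "lease", "Renewal time": "renewal",
              "Rebind time": "rebind", "Subnet Address Option": "subnet_mask"}
_SCAN = re.compile(r"DHCP:Scan:(?P<key>[^:]+):(?P<val>.*)$")
_RCVD = re.compile(r"rcvd pkt source:(?P<src>\S+), destination: ?(?P<dst>\S+)")
_OP = re.compile(r"DHCP op:(?P<op>\d+), htype:\d+, hlen:\d+, hops:\d+")
_SID = re.compile(r"DHCP server identifier:(?P<sid>\S+)")
_XID = re.compile(r"xid:(?P<xid>\d+), secs:\d+, flags:(?P<flags>[0-9A-Fa-f]+)")
_ADDR = re.compile(r"client:(?P<ci>\S+), your:(?P<yi>\S+)")
_SRVR = re.compile(r"srvr: ?(?P<si>\S+), gw:(?P<gi>\S+)")


def parse_dhcp_reply(text: str) -> DhcpReply:
    """Build a DhcpReply from one OFFER/ACK block of debug dhcp detail output."""
    r = DhcpReply()
    for line in text.splitlines():
        if m := _SCAN.search(line):
            attr = _SCAN_KEYS.get(m["key"].strip())
            if attr:
                val = m["val"].split(" = ")[0].strip()   # drop the hex echo after "="
                setattr(r, attr, int(val) if attr in ("lease", "renewal", "rebind") else val)
        elif m := _RCVD.search(line):
            r.source = m["src"]
        elif m := _OP.search(line):
            r.op = int(m["op"])
        elif m := _SID.search(line):
            r.server_id = m["sid"]
        elif m := _XID.search(line):
            r.xid, r.flags = int(m["xid"]), int(m["flags"], 16)
        elif m := _ADDR.search(line):
            r.ciaddr, r.yiaddr = m["ci"], m["yi"]
        elif m := _SRVR.search(line):
            r.siaddr, r.giaddr = m["si"], m["gi"]
    return r


def audit_reply(r: DhcpReply, trusted_servers: Set[str]) -> List[str]:
    """Return findings worth a look; an empty list means the reply looks sane."""
    findings: List[str] = []
    if r.op != 2:
        findings.append(f"op={r.op}: not a BOOTREPLY")
    if r.server_id not in trusted_servers:
        findings.append(f"untrusted DHCP server identifier {r.server_id}")
    if r.server_id != r.source and r.giaddr == "0.0.0.0":
        # With no relay in the path the packet should come straight from option 54's address.
        findings.append(f"server identifier {r.server_id} differs from source {r.source} with giaddr 0.0.0.0")
    if not (0 < r.renewal < r.rebind < r.lease):
        findings.append(f"timers out of order: lease={r.lease} T1={r.renewal} T2={r.rebind}")
    return findings
```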

Related Commands
Command                 Description
debug ip dhcp server    Enables DHCP server debugging.
show dhcp lease         Displays DHCP addresses leased from a server.

debug eigrp packet


To display general debugging information, use the debug eigrp packet privileged EXEC command. The no form of this command disables debugging output.
debug eigrp packet
no debug eigrp packet

Syntax Description
This command has no arguments or keywords.

Usage Guidelines
If a communication session is closing when it should not be, an end-to-end connection problem can be the cause. The debug eigrp packet command is useful for analyzing the messages traveling between the local and remote hosts.

Examples
The following is sample output from the debug eigrp packet command:
Router# debug eigrp packet
EIGRP: Sending HELLO on Ethernet0/1
       AS 109, Flags 0x0, Seq 0, Ack 0
EIGRP: Sending HELLO on Ethernet0/1
       AS 109, Flags 0x0, Seq 0, Ack 0
EIGRP: Sending HELLO on Ethernet0/1
       AS 109, Flags 0x0, Seq 0, Ack 0
EIGRP: Received UPDATE on Ethernet0/1 from 192.195.78.24,
       AS 109, Flags 0x1, Seq 1, Ack 0
EIGRP: Sending HELLO/ACK on Ethernet0/1 to 192.195.78.24,
       AS 109, Flags 0x0, Seq 0, Ack 1
EIGRP: Sending HELLO/ACK on Ethernet0/1 to 192.195.78.24,
       AS 109, Flags 0x0, Seq 0, Ack 1
EIGRP: Received UPDATE on Ethernet0/1 from 192.195.78.24,
       AS 109, Flags 0x0, Seq 2, Ack 0

The output shows transmission and receipt of Enhanced IGRP packets. These packet types may be hello, update, request, query, or reply packets. The sequence and acknowledgment numbers used by the Enhanced IGRP reliable transport algorithm are shown in the output. Where applicable, the network-layer address of the neighboring router is also included. Table 44 describes the significant fields shown in the display.

Table 44 debug eigrp packet Field Descriptions
Field       Description
EIGRP:      Enhanced IGRP packet.
AS n        Autonomous system number.
Flags nxn   A flag of 1 means the sending router is indicating to the receiving router that this is the first packet it has sent to the receiver. A flag of 2 is a multicast that should be conditionally received by routers that have the conditionally receive (CR) bit set. This bit gets set when the sender of the multicast has previously sent a sequence packet explicitly telling it to set the CR bit.
HELLO       Hello packets are the neighbor discovery packets. They are used to determine whether neighbors are still alive. As long as neighbors receive the hello packets the router is sending, the neighbors validate the router and any routing information sent. If neighbors lose the hello packets, the receiving neighbors invalidate any routing information previously sent. Neighbors also send hello packets.

debug errors
To display errors, use the debug errors privileged EXEC command. The no form of this command disables debugging output.
debug errors
no debug errors

Syntax Description
This command has no arguments or keywords.

Examples
The following is sample output from the debug errors command:
Router# debug errors
(2/0): Encapsulation error, link=7, host=836CA86D.
(4/0): VCD#7 failed to echo OAM. 4 tries

The first line of output indicates that a packet was routed to the interface, but no static map was set up to route that packet to the proper virtual circuit. The second line of output shows that an OAM F5 (virtual circuit) cell error occurred.

debug events
To display events, use the debug events privileged EXEC command. The no form of this command disables debugging output.
debug events
no debug events

Syntax Description
This command has no arguments or keywords.

Usage Guidelines
This command displays events that occur on the interface processor and is useful for diagnosing problems in a network. It provides an overall picture of the stability of the network. In a stable network, the debug events command does not return any information. If the command generates numerous messages, the messages can indicate the possible source of problems. When configuring or making changes to a router or interface, enable the debug events command. Doing so alerts you to the progress of the changes or to any errors that might result. Also use this command periodically when you suspect network problems.

Examples
The following is sample output from the debug events command:
Router# debug events
RESET(4/0): PLIM type is 1, Rate is 100Mbps
aip_disable(4/0): state=1
config(4/0)
aip_love_note(4/0): asr=0x201
aip_enable(4/0)
aip_love_note(4/0): asr=0x4000
aip_enable(4/0): restarting VCs: 7
aip_setup_vc(4/0): vc:1 vpi:1 vci:1
aip_love_note(4/0): asr=0x200
aip_setup_vc(4/0): vc:2 vpi:2 vci:2
aip_love_note(4/0): asr=0x200
aip_setup_vc(4/0): vc:3 vpi:3 vci:3
aip_love_note(4/0): asr=0x200
aip_setup_vc(4/0): vc:4 vpi:4 vci:4
aip_love_note(4/0): asr=0x200
aip_setup_vc(4/0): vc:6 vpi:6 vci:6
aip_love_note(4/0): asr=0x200
aip_setup_vc(4/0): vc:7 vpi:7 vci:7
aip_love_note(4/0): asr=0x200
aip_setup_vc(4/0): vc:11 vpi:11 vci:11
aip_love_note(4/0): asr=0x200

Table 45 describes the significant fields in the display.

Table 45 debug events Field Descriptions
Field       Description
PLIM type   Indicates the interface rate in Mbps. Possible values are:
            1 = TAXI(4B5B) 100 Mbps
            2 = SONET 155 Mbps
            3 = E3 34 Mbps
state       Indicates current state of the AIP. Possible values are:
            1 = An ENABLE will be issued soon.
            0 = The AIP will remain shut down.
asr         Defines a bitmask, which indicates actions or completions to commands. Valid bitmask values are:
            0x0800 = AIP crashed, reload may be required.
            0x0400 = AIP detected a carrier state change.
            0x0n00 = Command completion status. Command completion status codes are:
                n = 8 Invalid PLIM detected
                n = 4 Command failed
                n = 2 Command completed successfully
                n = 1 CONFIG request failed
                n = 0 Invalid value

The following line indicates that the AIP was reset. The PLIM detected was 1, so the maximum rate is set to 100 Mbps.
RESET(4/0): PLIM type is 1, Rate is 100Mbps

The following line indicates that the AIP was given a shutdown command, but the current configuration indicates that the AIP should be up:
aip_disable(4/0): state=1

The following line indicates that a configuration command has been completed by the AIP:
aip_love_note(4/0): asr=0x201

The following line indicates that the AIP was given a no shutdown command to take it out of the shutdown state:
aip_enable(4/0)

The following line indicates that the AIP detected a carrier state change. It does not indicate that the carrier is down or up, only that it has changed.

aip_love_note(4/0): asr=0x4000

The following line of output indicates that the AIP enable function is restarting all PVCs automatically:
aip_enable(4/0): restarting VCs: 7

The following lines of output indicate that PVC 1 was set up and a successful completion code was returned:
aip_setup_vc(4/0): vc:1 vpi:1 vci:1
aip_love_note(4/0): asr=0x200

debug ip auth-proxy
To display the authentication proxy configuration information on the router, use the debug ip auth-proxy command in privileged EXEC mode.
debug ip auth-proxy {ftp | function-trace | http | object-creation | object-deletion | tcp | telnet | timer}

Syntax Description
ftp               Displays FTP events related to the authentication proxy.
function-trace    Displays the authentication proxy functions.
http              Displays HTTP events related to the authentication proxy.
object-creation   Displays additional entries to the authentication proxy cache.
object-deletion   Displays deletion of cache entries for the authentication proxy.
tcp               Displays TCP events related to the authentication proxy.
telnet            Displays Telnet-related authentication proxy events.
timer             Displays authentication proxy timer-related events.

Command History
Release     Modification
12.0(5)T    This command was introduced.

Usage Guidelines
Use the debug ip auth-proxy command to display authentication proxy activity. See the "Examples" section for more information about the debug options.

Note The function-trace debugging information provides low-level software information for Cisco technical support representatives. No output examples are provided for this keyword option.

Examples
The following examples illustrate the output of the debug ip auth-proxy command. In these examples, debugging is on for object creations, object deletions, HTTP, and TCP. In this example, the client host at 192.168.201.1 is attempting to make an HTTP connection to the web server located at 192.168.21.1. The HTTP debugging information is on for the authentication proxy. The output shows that the router is setting up an authentication proxy entry for the login request:
00:11:10: AUTH-PROXY creates info:
    cliaddr - 192.168.21.1, cliport - 36583
    seraddr - 192.168.201.1, serport - 80
    ip-addr 192.168.21.1
    pak-addr 0.0.0.0

Following a successful login attempt, the debugging information shows the authentication proxy entries created for the client. In this example, the client is authorized for SMTP (port 25), FTP data (port 20), FTP control (port 21), and Telnet (port 23) traffic. The dynamic ACL entries are included in the display.
00:11:25:AUTH_PROXY OBJ_CREATE:acl item 61AD60CC
00:11:25:AUTH-PROXY OBJ_CREATE:create acl wrapper 6151C7C8 -- acl item 61AD60CC
00:11:25:AUTH-PROXY 192.168.162.216 Port [0]
00:11:25:AUTH-PROXY Dst 192.168.162.220 Port [25]
00:11:25:AUTH_PROXY OBJ_CREATE:acl item 6151C908
00:11:25:AUTH-PROXY OBJ_CREATE:create acl wrapper 6187A060 -- acl item 6151C908
00:11:25:AUTH-PROXY 192.168.162.216 Port [0]
00:11:25:AUTH-PROXY Dst 192.168.162.220 Port [20]
00:11:25:AUTH_PROXY OBJ_CREATE:acl item 61A40B88
00:11:25:AUTH-PROXY OBJ_CREATE:create acl wrapper 6187A0D4 -- acl item 61A40B88
00:11:25:AUTH-PROXY 192.168.162.216 Port [0]
00:11:25:AUTH-PROXY Dst 192.168.162.220 Port [21]
00:11:25:AUTH_PROXY OBJ_CREATE:acl item 61879550
00:11:25:AUTH-PROXY OBJ_CREATE:create acl wrapper 61879644 -- acl item 61879550
00:11:25:AUTH-PROXY 192.168.162.216 Port [0]
00:11:25:AUTH-PROXY Dst 192.168.162.220 Port [23]

The next example shows the debug output following a clear ip auth-proxy cache command to clear the authentication entries from the router. The dynamic ACL entries are removed from the router.
00:12:36:AUTH-PROXY OBJ_DELETE:delete auth_proxy cache 61AD6298
00:12:36:AUTH-PROXY OBJ_DELETE:delete create acl wrapper 6151C7C8 -- acl item 61AD60CC
00:12:36:AUTH-PROXY OBJ_DELETE:delete create acl wrapper 6187A060 -- acl item 6151C908
00:12:36:AUTH-PROXY OBJ_DELETE:delete create acl wrapper 6187A0D4 -- acl item 61A40B88
00:12:36:AUTH-PROXY OBJ_DELETE:delete create acl wrapper 61879644 -- acl item 61879550
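Reading the OBJ_CREATE and OBJ_DELETE records of the two examples above together lets you confirm that every dynamic ACL entry opened for a client was later torn down, and that only the ports the user's profile should allow were opened. The parser below is an added example, not Cisco code; it assumes the line layout shown above (timestamp, AUTH-PROXY tag, a "create acl wrapper" line followed by the source and Dst lines, and a matching "delete create acl wrapper" line keyed by the same wrapper handle), and its sample input is constructed from those lines.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample modelled on the OBJ_CREATE / OBJ_DELETE lines above (a client
# authorized for ports 25, 20, 21 and 23, then cleared); not real router output.
SAMPLE_AUTH_PROXY = """\
00:11:25:AUTH_PROXY OBJ_CREATE:acl item 61AD60CC
00:11:25:AUTH-PROXY OBJ_CREATE:create acl wrapper 6151C7C8 -- acl item 61AD60CC
00:11:25:AUTH-PROXY 192.168.162.216 Port [0]
00:11:25:AUTH-PROXY Dst 192.168.162.220 Port [25]
00:11:25:AUTH_PROXY OBJ_CREATE:acl item 6151C908
00:11:25:AUTH-PROXY OBJ_CREATE:create acl wrapper 6187A060 -- acl item 6151C908
00:11:25:AUTH-PROXY 192.168.162.216 Port [0]
00:11:25:AUTH-PROXY Dst 192.168.162.220 Port [20]
00:11:25:AUTH_PROXY OBJ_CREATE:acl item 61A40B88
00:11:25:AUTH-PROXY OBJ_CREATE:create acl wrapper 6187A0D4 -- acl item 61A40B88
00:11:25:AUTH-PROXY 192.168.162.216 Port [0]
00:11:25:AUTH-PROXY Dst 192.168.162.220 Port [21]
00:11:25:AUTH_PROXY OBJ_CREATE:acl item 61879550
00:11:25:AUTH-PROXY OBJ_CREATE:create acl wrapper 61879644 -- acl item 61879550
00:11:25:AUTH-PROXY 192.168.162.216 Port [0]
00:11:25:AUTH-PROXY Dst 192.168.162.220 Port [23]
00:12:36:AUTH-PROXY OBJ_DELETE:delete auth_proxy cache 61AD6298
00:12:36:AUTH-PROXY OBJ_DELETE:delete create acl wrapper 6151C7C8 -- acl item 61AD60CC
00:12:36:AUTH-PROXY OBJ_DELETE:delete create acl wrapper 6187A060 -- acl item 6151C908
00:12:36:AUTH-PROXY OBJ_DELETE:delete create acl wrapper 6187A0D4 -- acl item 61A40B88
00:12:36:AUTH-PROXY OBJ_DELETE:delete create acl wrapper 61879644 -- acl item 61879550
"""


@dataclass
class DynamicAclEntry:
    wrapper: str                    # "create acl wrapper" handle, reused by the OBJ_DELETE line
    item: str                       # "acl item" handle
    created: str                    # timestamp of the OBJ_CREATE record
    src: str = ""
    src_port: int = 0               # Port [0] = any source port
    dst: str = ""
    dst_port: int = 0
    deleted: Optional[str] = None   # timestamp of the matching OBJ_DELETE, if one was seen


_TS = r"(?P<ts>\d\d:\d\d:\d\d):AUTH[-_]PROXY "
_CREATE = re.compile(_TS + r"OBJ_CREATE:create acl wrapper (?P<wrapper>[0-9A-F]+) -- acl item (?P<item>[0-9A-F]+)")
_SRC = re.compile(_TS + r"(?P<src>\d+\.\d+\.\d+\.\d+) Port \[(?P<port>\d+)\]")
_DST = re.compile(_TS + r"Dst (?P<dst>\d+\.\d+\.\d+\.\d+) Port \[(?P<port>\d+)\]")
_DELETE = re.compile(_TS + r"OBJ_DELETE:delete create acl wrapper (?P<wrapper>[0-9A-F]+)")


def parse_auth_proxy(text: str) -> Dict[str, DynamicAclEntry]:
    """Collect dynamic ACL entries keyed by wrapper handle, pairing creates with deletes."""
    entries: Dict[str, DynamicAclEntry] = {}
    current: Optional[DynamicAclEntry] = None   # entry the next Src/Dst lines belong to
    for line in text.splitlines():
        if m := _CREATE.search(line):
            current = DynamicAclEntry(m["wrapper"], m["item"], m["ts"])
            entries[current.wrapper] = current
        elif (m := _DST.search(line)) and current is not None:
            current.dst, current.dst_port = m["dst"], int(m["port"])
        elif (m := _SRC.search(line)) and current is not None:
            current.src, current.src_port = m["src"], int(m["port"])
        elif (m := _DELETE.search(line)) and m["wrapper"] in entries:
            entries[m["wrapper"]].deleted = m["ts"]
    return entries


def still_open(entries: Dict[str, DynamicAclEntry]) -> List[DynamicAclEntry]:
    """Entries created but never deleted: holes that outlived the session."""
    return [e for e in entries.values() if e.deleted is None]


def unexpected_ports(entries: Dict[str, DynamicAclEntry], allowed: Set[int]) -> List[DynamicAclEntry]:
    """Entries that open a destination port outside the set the user should be authorized for."""
    return [e for e in entries.values() if e.dst_port not in allowed]
```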

The following example shows the timer information for a dynamic ACL entry. All times are expressed in milliseconds. The first laststart is the time that the ACL entry is created relative to the startup time of the router. The lastref is the time of the last packet to hit the dynamic ACL relative to the startup time of the router. The exptime is the next expected expiration time for the dynamic ACL. The delta indicates the remaining time before the dynamic ACL expires. After the timer expires, the debugging information includes a message indicating that the ACL and associated authentication proxy information for the client have been removed.
00:19:51:first laststart 1191112
00:20:51:AUTH-PROXY:delta 54220 lastref 1245332 exptime 1251112
00:21:45:AUTH-PROXY:ACL and cache are removed

Related Commands
Command      Description
show debug   Displays the debug options set on the router.

debug ip dhcp server


To enable DHCP Server debugging, use the debug ip dhcp server privileged EXEC command.
debug ip dhcp server {events | packets | linkage}

Syntax Description
events    Reports server events, like address assignments and database updates.
packets   Decodes DHCP receptions and transmissions.
linkage   Displays database linkage information (such as parent-child relationships in a radix tree).

Defaults
Disabled by default

Command History
Release     Modification
12.0(1)T    This command was introduced.

debug ip eigrp
To display information on Enhanced IGRP protocol packets, use the debug ip eigrp privileged EXEC command. The no form of this command disables debugging output.
debug ip eigrp
no debug ip eigrp

Syntax Description
This command has no arguments or keywords.

Usage Guidelines
This command helps you analyze the packets that are sent and received on an interface. Because the debug ip eigrp command generates a substantial amount of output, only use it when traffic on the network is light.

Examples
The following is sample output from the debug ip eigrp command:
Router# debug ip eigrp
IP-EIGRP: Processing incoming UPDATE packet
IP-EIGRP: Ext 192.168.3.0 255.255.255.0 M 386560 - 256000 130560 SM 360960 - 256000 104960
IP-EIGRP: Ext 192.168.0.0 255.255.255.0 M 386560 - 256000 130560 SM 360960 - 256000 104960
IP-EIGRP: Ext 192.168.3.0 255.255.255.0 M 386560 - 256000 130560 SM 360960 - 256000 104960
IP-EIGRP: 172.69.43.0 255.255.255.0, - do advertise out Ethernet0/1
IP-EIGRP: Ext 172.69.43.0 255.255.255.0 metric 371200 - 256000 115200
IP-EIGRP: 192.135.246.0 255.255.255.0, - do advertise out Ethernet0/1
IP-EIGRP: Ext 192.135.246.0 255.255.255.0 metric 46310656 - 45714176 596480
IP-EIGRP: 172.69.40.0 255.255.255.0, - do advertise out Ethernet0/1
IP-EIGRP: Ext 172.69.40.0 255.255.255.0 metric 2272256 - 1657856 614400
IP-EIGRP: 192.135.245.0 255.255.255.0, - do advertise out Ethernet0/1
IP-EIGRP: Ext 192.135.245.0 255.255.255.0 metric 40622080 - 40000000 622080
IP-EIGRP: 192.135.244.0 255.255.255.0, - do advertise out Ethernet0/1

Table 70 describes the significant fields shown in the display.

Table 70 debug ip eigrp Field Descriptions
Field       Description
IP-EIGRP:   Indicates that this is an IP Enhanced IGRP packet.
Ext         Indicates that the following address is an external destination rather than an internal destination, which would be labeled as Int.
M           Displays the computed metric, which includes SM and the cost between this router and the neighbor. The first number is the composite metric. The next two numbers are the inverse bandwidth and the delay, respectively.
SM          Displays the metric as reported by the neighbor.

debug ip ftp
To activate the debugging option to track the transactions submitted during an FTP session, use the debug ip ftp privileged EXEC command. To disable debugging output, use the no form of this command.
debug ip ftp
no debug ip ftp

Syntax Description
This command has no arguments or keywords.

Usage Guidelines
The debug ip ftp command is useful for debugging problems associated with FTP.

Examples
The following is an example of the debug ip ftp command:
Router# debug ip ftp FTP transactions debugging is on

The following is sample output from the debug ip ftp command:


FTP: 220 ProFTPD 1.2.0pre8 Server (DFW Nostrum FTP Server) [defiant.dfw.nostrum.com]
Dec 27 22:12:09.133: FTP: ---> USER router
Dec 27 22:12:09.133: FTP: 331 Password required for router.
Dec 27 22:12:09.137: FTP: ---> PASS WQHK5JY2
Dec 27 22:12:09.153: FTP: 230 Anonymous access granted, restrictions apply.
Dec 27 22:12:09.153: FTP: ---> TYPE I
Dec 27 22:12:09.157: FTP: 200 Type set to I.
Dec 27 22:12:09.157: FTP: ---> PASV
. . .
Dec 27 22:12:09.173: FTP: ---> QUIT
Dec 27 22:12:09.181: FTP: 221 Goodbye.

debug ip http authentication


To troubleshoot HTTP authentication problems, use the debug ip http authentication privileged EXEC command. The no form of this command disables debugging output.
debug ip http authentication
no debug ip http authentication

Syntax Description
This command has no arguments or keywords.

Usage Guidelines
The debug ip http authentication command displays the authentication method the router attempted and authentication-specific status messages.

Examples
The following is sample output from the debug ip http authentication command:
Router# debug ip http authentication
Authentication for url `/' `/' level 15 privless `/'
Authentication username = `local15' priv-level = 15 auth-type = local

Table 71 describes the significant fields shown in the display.

Table 71 debug ip http authentication Command Descriptions
Field                     Description
Authentication for url    Provides information about the URL in different forms.
Authentication username   Identifies the user.
priv-level                Indicates the user privilege level.
auth-type                 Indicates the authentication method.

debug ip http transaction


To display HTTP server transaction processing, use the debug ip http transaction privileged EXEC command. The no form of this command disables debugging output.
debug ip http transaction
no debug ip http transaction

Syntax Description
This command has no arguments or keywords.

Usage Guidelines
Use the debug ip http transaction command to display what the HTTP server is parsing at a high level. To display what the HTTP server is parsing at a low level, use the debug ip http token command.

Examples
The following is sample output from the debug ip http transaction command. In this example, the browser accessed the router's home page http://routername/.
Router# debug ip http transaction
HTTP: parsed uri '/'
HTTP: client version 1.0
HTTP: parsed extension Referer
HTTP: parsed line http://www.company.com/
HTTP: parsed extension Connection
HTTP: parsed line Keep-Alive
HTTP: parsed extension User-Agent
HTTP: parsed line Mozilla/2.01 (X11; I; FreeBSD 2.1.0-RELEASE i386)
HTTP: parsed extension Host
HTTP: parsed line router-name
HTTP: parsed extension Accept
HTTP: parsed line image/gif, image/x-xbitmap, image/jpeg, image/
HTTP: parsed extension Authorization
HTTP: parsed authorization type Basic
HTTP: received GET ''

Table 72 describes some of the fields in the output.

Table 72 debug ip http transaction Field Descriptions
Field                                       Description
HTTP: parsed uri '/'                        Uniform resource identifier that is requested.
HTTP: client version 1.0                    Client HTTP version.
HTTP: parsed extension Referer              HTTP extension.
HTTP: parsed line http://www.company.com/   Value of HTTP extension.
HTTP: received GET ''                       HTTP request method.

Related Commands
Command                 Description
debug ip http ezsetup   Displays the configuration changes that occur during the EZ Setup process.
debug ip http token     Displays individual tokens parsed by the HTTP server.
debug ip http url       Shows the URLs accessed from the router.

debug ip http url


To show the URLs accessed from the router, use the debug ip http url privileged EXEC command. The no form of this command disables debugging output.
debug ip http url
no debug ip http url

Syntax Description
This command has no arguments or keywords.

Usage Guidelines
Use the debug ip http url command to keep track of the URLs that are accessed and to determine from which hosts the URLs are accessed.

Examples
The following output is from the debug ip http url command. In this example, the HTTP server accessed the URLs / and /exec. The output shows the URL being requested and the IP address of the host requesting the URL.
Router# debug ip http url
HTTP: processing URL '/' from host 172.31.2.141
HTTP: processing URL '/exec' from host 172.31.2.141

Related Commands
Command                     Description
debug ip http ezsetup       Displays the configuration changes that occur during the EZ Setup process.
debug ip http token         Displays individual tokens parsed by the HTTP server.
debug ip http transaction   Displays HTTP server transaction processing.

debug ip icmp
To display information on Internet Control Message Protocol (ICMP) transactions, use the debug ip icmp privileged EXEC command. The no form of this command disables debugging output.
debug ip icmp
no debug ip icmp

Syntax Description
This command has no arguments or keywords.

Usage Guidelines
This command helps you determine whether the router is sending or receiving ICMP messages. Use it, for example, when you are troubleshooting an end-to-end connection problem.

Note For more information about the fields in debug ip icmp command output, refer to RFC-792, Internet Control Message Protocol; Appendix I of RFC-950, Internet Standard Subnetting Procedure; and RFC-1256, ICMP Router Discovery Messages.

Examples
The following is sample output from the debug ip icmp command:
Router# debug ip icmp
ICMP: rcvd type 3, code 1, from 10.95.192.4
ICMP: 10.56.0.202, dst 172.69.16.1, echo reply
ICMP: dst (10.120.1.0) port unreachable rcv from 10.120.1.15
ICMP: 172.69.12.35, dst 172.69.20.7, echo reply
ICMP: dst (255.255.255.255) protocol unreachable rcv from 10.31.7.21
ICMP: dst (10.120.1.0) port unreachable rcv from 10.120.1.15
ICMP: dst (255.255.255.255) protocol unreachable rcv from 10.31.7.21
ICMP: dst (10.120.1.0) port unreachable rcv from 10.120.1.15
ICMP: 10.56.0.202, dst 172.69.16.1, echo reply
ICMP: dst (10.120.1.0) port unreachable rcv from 10.120.1.15
ICMP: dst (255.255.255.255) protocol unreachable rcv from 10.31.7.21
ICMP: dst (10.120.1.0) port unreachable rcv from 10.120.1.15

Table 73 describes the significant fields shown in the display.

Table 73 debug ip icmp Field Descriptions

Field              Description
ICMP:              Indication that this message describes an ICMP packet.
rcvd type 3        The type field can be one of the following:
                     0   Echo Reply
                     3   Destination Unreachable
                     4   Source Quench
                     5   Redirect
                     8   Echo
                     9   Router Discovery Protocol Advertisement
                     10  Router Discovery Protocol Solicitations
                     11  Time Exceeded
                     12  Parameter Problem
                     13  Timestamp
                     14  Timestamp Reply
                     15  Information Request
                     16  Information Reply
                     17  Mask Request
                     18  Mask Reply
code 1             This field is a code. The meaning of the code depends upon the type field value, as follows:
                     Echo and Echo Reply: the code field is always zero.
                     Destination Unreachable: the code field can have the following values:
                       0  Network unreachable
                       1  Host unreachable
                       2  Protocol unreachable
                       3  Port unreachable
                       4  Fragmentation needed and DF bit set
                       5  Source route failed
                     Source Quench: the code field is always 0.
                     Redirect: the code field can have the following values:
                       0  Redirect datagrams for the network
                       1  Redirect datagrams for the host
                       2  Redirect datagrams for the command mode of service and network
                       3  Redirect datagrams for the command mode of service and host
                     Router Discovery Protocol Advertisements and Solicitations: the code field is always zero.
                     Time Exceeded: the code field can have the following values:
                       0  Time to live exceeded in transit
                       1  Fragment reassembly time exceeded
                     Parameter Problem: the code field can have the following values:
                       0  General problem
                       1  Option is missing
                       2  Option missing, no room to add
                     Timestamp and Timestamp Reply: the code field is always zero.
                     Information Request and Information Reply: the code field is always zero.
                     Mask Request and Mask Reply: the code field is always zero.
from 10.95.192.4   Source address of the ICMP packet.

Table 74 describes the significant fields in the second line of the display.

Table 74 debug ip icmp Field Descriptions

Field              Description
ICMP:              Indicates that this message describes an ICMP packet.
10.56.10.202       Address of the sender of the echo.
dst 172.69.16.1    Address of the receiving router.
echo reply         Indicates that the router received an echo reply.

Other messages that the debug ip icmp command can generate follow. When an IP router or host sends out an ICMP mask request, the following message is generated when the router sends a mask reply:
ICMP: sending mask reply (255.255.255.0) to 172.69.80.23 via Ethernet0

The following two lines are examples of the two forms of this message. The first form is generated when a mask reply comes in after the router sends out a mask request. The second form occurs when the router receives a mask reply with a nonmatching sequence and ID. Refer to Appendix I of RFC 950, Internet Standard Subnetting Procedures, for details.
ICMP: mask reply 255.255.255.0 from 172.69.80.31 ICMP: unexpected mask reply 255.255.255.0 from 172.69.80.32

The following output indicates that the router sent a redirect packet to the host at address 172.69.80.31, instructing that host to use the gateway at address 172.69.80.23 in order to reach the host at destination address 172.69.1.111:
ICMP: redirect sent to 172.69.80.31 for dest 172.69.1.111 use gw 172.69.80.23

The following message indicates that the router received a redirect packet from the host at address 172.69.80.23, instructing the router to use the gateway at address 172.69.80.28 in order to reach the host at destination address 172.69.81.34:
ICMP: redirect rcvd from 172.69.80.23 -- for 172.69.81.34 use gw 172.69.80.28

The following message is displayed when the router sends an ICMP packet to the source address (172.69.94.31 in this case), indicating that the destination address (172.69.13.33 in this case) is unreachable:

ICMP: dst (172.69.13.33) host unreachable sent to 172.69.94.31

The following message is displayed when the router receives an ICMP packet from an intermediate address (172.69.98.32 in this case), indicating that the destination address (172.69.13.33 in this case) is unreachable:
ICMP: dst (172.69.13.33) host unreachable rcv from 172.69.98.32

Depending on the code received (as Table 73 describes), any of the unreachable messages can have any of the following "strings" instead of the "host" string in the message:
  net
  protocol
  port
  frag. needed and DF set
  source route failed
  prohibited

The following message is displayed when the TTL in the IP header reaches zero and a time exceeded ICMP message is sent. The fields are self-explanatory.
ICMP: time exceeded (time to live) send to 10.95.1.4 (dest was 172.69.1.111)

The following message is generated when parameters in the IP header are corrupted in some way and the parameter problem ICMP message is sent. The fields are self-explanatory.
ICMP: parameter problem sent to 128.121.1.50 (dest was 172.69.1.111)

Based on the preceding information, the remaining output can be easily understood:
ICMP: parameter problem rcvd 172.69.80.32
ICMP: source quench rcvd 172.69.80.32
ICMP: source quench sent to 128.121.1.50 (dest was 172.69.1.111)
ICMP: sending time stamp reply to 172.69.80.45
ICMP: sending info reply to 172.69.80.12
ICMP: rdp advert rcvd type 9, code 0, from 172.69.80.23
ICMP: rdp solicit rcvd type 10, code 0, from 172.69.80.43
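The message forms listed above (the type/code line, the echo reply line, the unreachable, redirect and time exceeded messages) are regular enough to classify mechanically, which matters when a debug capture runs to thousands of lines. The following Python script is an added example and not part of the Cisco reference: it parses debug ip icmp lines using the Table 73 vocabulary and summarises them, listing separately the hosts from which the router received redirects, since an accepted redirect changes the router's forwarding. The sample input is assembled from the output lines shown above; the function and class names are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Type and code names from Table 73. Codes for types other than 3, 11 and 12 are
# either always zero or not named in the table, so they are reported numerically.
ICMP_TYPES = {
    0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
    5: "Redirect", 8: "Echo", 9: "Router Discovery Protocol Advertisement",
    10: "Router Discovery Protocol Solicitation", 11: "Time Exceeded",
    12: "Parameter Problem", 13: "Timestamp", 14: "Timestamp Reply",
    15: "Information Request", 16: "Information Reply",
    17: "Mask Request", 18: "Mask Reply",
}
ICMP_CODES = {
    3: {0: "Network unreachable", 1: "Host unreachable", 2: "Protocol unreachable",
        3: "Port unreachable", 4: "Fragmentation needed and DF bit set",
        5: "Source route failed"},
    11: {0: "Time to live exceeded in transit", 1: "Fragment reassembly time exceeded"},
    12: {0: "General problem", 1: "Option is missing", 2: "Option missing, no room to add"},
}


def describe_type_code(icmp_type: int, code: int) -> str:
    """Render 'type name / code name' using the Table 73 vocabulary."""
    tname = ICMP_TYPES.get(icmp_type, f"type {icmp_type}")
    cname = ICMP_CODES.get(icmp_type, {}).get(code, f"code {code}")
    return f"{tname} / {cname}"


@dataclass
class IcmpEvent:
    kind: str        # rcvd_type, unreachable, redirect, echo_reply, time_exceeded
    direction: str   # "rcvd" (arrived at the router) or "sent" (generated by it)
    peer: str        # address the message came from or was sent to
    detail: str      # human-readable remainder of the message


# One regular expression per message form shown in the reference output.
_FORMS = [
    ("rcvd_type", re.compile(r"^ICMP: rcvd type (\d+), code (\d+), from (\S+)$")),
    ("unreachable", re.compile(r"^ICMP: dst \((\S+)\) (.+?) unreachable (rcv from|sent to) (\S+)$")),
    ("redirect_sent", re.compile(r"^ICMP: redirect sent to (\S+) for dest (\S+) use gw (\S+)$")),
    ("redirect_rcvd", re.compile(r"^ICMP: redirect rcvd from (\S+) -- for (\S+) use gw (\S+)$")),
    ("echo_reply", re.compile(r"^ICMP: (?:src )?(\S+), dst (\S+), echo reply$")),
    ("time_exceeded", re.compile(r"^ICMP: time exceeded \((.+?)\) send to (\S+) \(dest was (\S+)\)$")),
]


def parse_icmp_line(line: str) -> Optional[IcmpEvent]:
    """Classify one debug ip icmp line; None for a form this example does not handle."""
    line = line.strip()
    for form, rx in _FORMS:
        m = rx.match(line)
        if not m:
            continue
        g = m.groups()
        if form == "rcvd_type":
            return IcmpEvent("rcvd_type", "rcvd", g[2], describe_type_code(int(g[0]), int(g[1])))
        if form == "unreachable":
            direction = "rcvd" if g[2] == "rcv from" else "sent"
            return IcmpEvent("unreachable", direction, g[3], f"{g[1]} unreachable, dst {g[0]}")
        if form == "redirect_sent":
            return IcmpEvent("redirect", "sent", g[0], f"dest {g[1]} use gw {g[2]}")
        if form == "redirect_rcvd":
            return IcmpEvent("redirect", "rcvd", g[0], f"dest {g[1]} use gw {g[2]}")
        if form == "echo_reply":
            return IcmpEvent("echo_reply", "rcvd", g[0], f"dst {g[1]}")
        return IcmpEvent("time_exceeded", "sent", g[1], f"{g[0]}, dest was {g[2]}")
    return None


def summarize(debug_output: str) -> dict:
    """Count events by (kind, direction) and list the hosts that sent this router
    redirects. An accepted redirect alters the router's forwarding decision, so
    those sources deserve individual attention rather than a bare count."""
    counts: Counter = Counter()
    redirect_sources: Counter = Counter()
    unparsed = 0
    for raw in debug_output.splitlines():
        if not raw.strip() or raw.startswith("Router#"):
            continue
        ev = parse_icmp_line(raw)
        if ev is None:
            unparsed += 1
            continue
        counts[(ev.kind, ev.direction)] += 1
        if ev.kind == "redirect" and ev.direction == "rcvd":
            redirect_sources[ev.peer] += 1
    return {"counts": dict(counts), "redirect_sources": dict(redirect_sources), "unparsed": unparsed}


# Sample input assembled from the lines shown in the reference output above.
SAMPLE_OUTPUT = """\
Router# debug ip icmp
ICMP: rcvd type 3, code 1, from 10.95.192.4
ICMP: 10.56.0.202, dst 172.69.16.1, echo reply
ICMP: dst (10.120.1.0) port unreachable rcv from 10.120.1.15
ICMP: dst (255.255.255.255) protocol unreachable rcv from 10.31.7.21
ICMP: redirect rcvd from 172.69.80.23 -- for 172.69.81.34 use gw 172.69.80.28
ICMP: redirect sent to 172.69.80.31 for dest 172.69.1.111 use gw 172.69.80.23
ICMP: dst (172.69.13.33) host unreachable sent to 172.69.94.31
ICMP: time exceeded (time to live) send to 10.95.1.4 (dest was 172.69.1.111)
"""

if __name__ == "__main__":
    for line in SAMPLE_OUTPUT.splitlines()[1:]:
        print(parse_icmp_line(line))
    print(summarize(SAMPLE_OUTPUT))
```

Lines in a form the table does not cover (the mask reply and source quench messages, for instance) are counted as unparsed rather than guessed at, so the unparsed count doubles as a check that the regular expressions still match the output of the software release in use.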

debug ip inspect

To display messages about Context-Based Access Control (CBAC) events, use the debug ip inspect privileged EXEC command. The no form of this command disables debugging output.

debug ip inspect {function-trace | object-creation | object-deletion | events | timers | protocol | detailed}
no debug ip inspect detailed

Syntax Description

function-trace     Displays messages about software functions called by CBAC.
object-creation    Displays messages about software objects being created by CBAC. Object creation corresponds to the beginning of CBAC-inspected sessions.
object-deletion    Displays messages about software objects being deleted by CBAC. Object deletion corresponds to the closing of CBAC-inspected sessions.
events             Displays messages about CBAC software events, including information about CBAC packet processing.
timers             Displays messages about CBAC timer events such as when a CBAC idle timeout is reached.
protocol           Displays messages about CBAC-inspected protocol events, including details about the packets of the protocol. Table 75 provides a list of protocol keywords.
detailed           Causes detailed information to be displayed for all the other enabled CBAC debugging. Use this form of the command in conjunction with other CBAC debugging commands.

Table 75 Protocol Keywords for the debug ip inspect Command

Application Protocol                                      protocol keyword
Transport-layer protocols
  TCP                                                     tcp
  UDP                                                     udp
Application-layer protocols
  CU-SeeMe                                                cuseeme
  FTP commands and responses                              ftp-cmd
  FTP tokens (enables tracing of the FTP tokens parsed)   ftp-tokens
  H.323 (version 1 and version 2)                         h323
  HTTP                                                    http
  Microsoft NetShow                                       netshow
  UNIX r-commands (rlogin, rexec, rsh)                    rcmd
  RealAudio                                               realaudio
  RPC                                                     rpc
  RTSP                                                    rtsp
  SMTP                                                    smtp
  SQL*Net                                                 sqlnet
  StreamWorks                                             streamworks
  TFTP                                                    tftp
  VDOLive                                                 vdolive

Command History

Release     Modification
11.2P       This command was introduced.
12.0(5)T    NetShow support was introduced.
12.0(7)T    H.323 V2 and RTSP protocol support was introduced.

Examples
The following is sample output from the debug ip inspect function-trace command:
*Mar 2 01:16:16: CBAC FUNC: insp_inspection
*Mar 2 01:16:16: CBAC FUNC: insp_pre_process_sync
*Mar 2 01:16:16: CBAC FUNC: insp_find_tcp_host_entry addr 40.0.0.1 bucket 41
*Mar 2 01:16:16: CBAC FUNC: insp_find_pregen_session
*Mar 2 01:16:16: CBAC FUNC: insp_get_idbsb
*Mar 2 01:16:16: CBAC FUNC: insp_get_idbsb
*Mar 2 01:16:16: CBAC FUNC: insp_get_irc_of_idb
*Mar 2 01:16:16: CBAC FUNC: insp_get_idbsb
*Mar 2 01:16:16: CBAC FUNC: insp_create_sis
*Mar 2 01:16:16: CBAC FUNC: insp_inc_halfopen_sis
*Mar 2 01:16:16: CBAC FUNC: insp_link_session_to_hash_table
*Mar 2 01:16:16: CBAC FUNC: insp_inspect_pak
*Mar 2 01:16:16: CBAC FUNC: insp_l4_inspection
*Mar 2 01:16:16: CBAC FUNC: insp_process_tcp_seg
*Mar 2 01:16:16: CBAC FUNC: insp_listen_state
*Mar 2 01:16:16: CBAC FUNC: insp_ensure_return_traffic
*Mar 2 01:16:16: CBAC FUNC: insp_add_acl_item
*Mar 2 01:16:16: CBAC FUNC: insp_ensure_return_traffic
*Mar 2 01:16:16: CBAC FUNC: insp_add_acl_item
*Mar 2 01:16:16: CBAC FUNC: insp_process_syn_packet
*Mar 2 01:16:16: CBAC FUNC: insp_find_tcp_host_entry addr 40.0.0.1 bucket 41
*Mar 2 01:16:16: CBAC FUNC: insp_create_tcp_host_entry
*Mar 2 01:16:16: CBAC* FUNC: insp_fast_inspection
*Mar 2 01:16:16: CBAC* FUNC: insp_inspect_pak
*Mar 2 01:16:16: CBAC* FUNC: insp_l4_inspection
*Mar 2 01:16:16: CBAC* FUNC: insp_process_tcp_seg
*Mar 2 01:16:16: CBAC* FUNC: insp_synrcvd_state
*Mar 2 01:16:16: CBAC* FUNC: insp_fast_inspection
*Mar 2 01:16:16: CBAC* FUNC: insp_inspect_pak
*Mar 2 01:16:16: CBAC* FUNC: insp_l4_inspection
*Mar 2 01:16:16: CBAC* FUNC: insp_process_tcp_seg
*Mar 2 01:16:16: CBAC* FUNC: insp_synrcvd_state
*Mar 2 01:16:16: CBAC FUNC: insp_dec_halfopen_sis
*Mar 2 01:16:16: CBAC FUNC: insp_remove_sis_from_host_entry
*Mar 2 01:16:16: CBAC FUNC: insp_find_tcp_host_entry addr 40.0.0.1 bucket 41

This output shows the functions called by CBAC as a session is inspected. Entries with an asterisk (*) after the word "CBAC" are entries when the fast path is used; otherwise, the process path is used.

The following is sample output from the debug ip inspect object-creation and debug ip inspect object-deletion commands:
*Mar 2 01:18:30: CBAC OBJ_CREATE: create pre-gen sis 25A3574
*Mar 2 01:18:30: CBAC OBJ_CREATE: create acl wrapper 25A36FC -- acl item 25A3634
*Mar 2 01:18:30: CBAC OBJ_CREATE: create sis 25C1CC4
*Mar 2 01:18:30: CBAC OBJ_DELETE: delete pre-gen sis 25A3574
*Mar 2 01:18:30: CBAC OBJ_CREATE: create host entry 25A3574 addr 10.0.0.1 bucket 31
*Mar 2 01:18:30: CBAC OBJ_DELETE: delete sis 25C1CC4
*Mar 2 01:18:30: CBAC OBJ_DELETE: delete create acl wrapper 25A36FC -- acl item 25A3634
*Mar 2 01:18:31: CBAC OBJ_DELETE: delete host entry 25A3574 addr 10.0.0.1

The following is sample output from the debug ip inspect object-creation, debug ip inspect object-deletion, and debug ip inspect events commands:
*Mar 2 01:18:51: CBAC OBJ_CREATE: create pre-gen sis 25A3574
*Mar 2 01:18:51: CBAC OBJ_CREATE: create acl wrapper 25A36FC -- acl item 25A3634
*Mar 2 01:18:51: CBAC 10.1.0.1 Port [1:65535]
*Mar 2 01:18:51: CBAC Dst 10.0.0.1 Port [46406:46406]
*Mar 2 01:18:51: CBAC Pre-gen sis 25A3574 created: 10.1.0.1[1:65535] 30.0.0.1[46406:46406]
*Mar 2 01:18:51: CBAC OBJ_CREATE: create sis 25C1CC4
*Mar 2 01:18:51: CBAC sis 25C1CC4 initiator_addr (10.1.0.1:20) responder_addr (30.0.0.1:46406) initiator_alt_addr (40.0.0.1:20) responder_alt_addr (10.0.0.1:46406)
*Mar 2 01:18:51: CBAC OBJ_DELETE: delete pre-gen sis 25A3574
*Mar 2 01:18:51: CBAC OBJ_CREATE: create host entry 25A3574 addr 10.0.0.1 bucket 31
*Mar 2 01:18:51: CBAC OBJ_DELETE: delete sis 25C1CC4
*Mar 2 01:18:51: CBAC OBJ_DELETE: delete create acl wrapper 25A36FC -- acl item 25A3634
*Mar 2 01:18:51: CBAC OBJ_DELETE: delete host entry 25A3574 addr 10.0.0.1

The following is sample output from the debug ip inspect timers command:
*Mar 2 01:19:15: CBAC Timer Init Leaf: Pre-gen sis 25A3574
*Mar 2 01:19:15: CBAC Timer Start: Pre-gen sis 25A3574 Timer: 25A35D8 Time: 30000 milisecs
*Mar 2 01:19:15: CBAC Timer Init Leaf: sis 25C1CC4
*Mar 2 01:19:15: CBAC Timer Stop: Pre-gen sis 25A3574 Timer: 25A35D8
*Mar 2 01:19:15: CBAC Timer Start: sis 25C1CC4 Timer: 25C1D5C Time: 30000 milisecs
*Mar 2 01:19:15: CBAC Timer Start: sis 25C1CC4 Timer: 25C1D5C Time: 3600000 milisecs
*Mar 2 01:19:15: CBAC Timer Start: sis 25C1CC4 Timer: 25C1D5C Time: 5000 milisecs
*Mar 2 01:19:15: CBAC Timer Stop: sis 25C1CC4 Timer: 25C1D5C

The following is sample output from the debug ip inspect tcp command:
*Mar 2 01:20:43: CBAC* sis 25A3604 pak 2541C58 TCP P ack 4223720032 seq 4200176225(22) (10.0.0.1:46409) => (10.1.0.1:21)
*Mar 2 01:20:43: CBAC* sis 25A3604 ftp L7 inspect result: PROCESS-SWITCH packet
*Mar 2 01:20:43: CBAC sis 25A3604 pak 2541C58 TCP P ack 4223720032 seq 4200176225(22) (10.0.0.1:46409) => (10.1.0.1:21)
*Mar 2 01:20:43: CBAC sis 25A3604 ftp L7 inspect result: PASS packet
*Mar 2 01:20:43: CBAC* sis 25A3604 pak 2544374 TCP P ack 4200176247 seq 4223720032(30) (10.0.0.1:46409) <= (10.1.0.1:21)
*Mar 2 01:20:43: CBAC* sis 25A3604 ftp L7 inspect result: PASS packet
*Mar 2 01:20:43: CBAC* sis 25A3604 pak 25412F8 TCP P ack 4223720062 seq 4200176247(15) (10.0.0.1:46409) => (10.1.0.1:21)
*Mar 2 01:20:43: CBAC* sis 25A3604 ftp L7 inspect result: PASS packet
*Mar 2 01:20:43: CBAC sis 25C1CC4 pak 2544734 TCP S seq 4226992037(0) (10.1.0.1:20) => (10.0.0.1:46411)
*Mar 2 01:20:43: CBAC* sis 25C1CC4 pak 2541E38 TCP S ack 4226992038 seq 4203405054(0) (10.1.0.1:20) <= (10.0.0.1:46411)

This sample shows TCP packets being processed, and lists the corresponding acknowledge (ACK) packet numbers and sequence (SEQ) numbers. The number of data bytes in the TCP packet is shown in parentheses, for example, (22). For each packet shown, the addresses and port numbers are shown separated by a colon. For example, (10.1.0.1:21) indicates an IP address of 10.1.0.1 and a TCP port number of 21. Entries with an asterisk (*) after the word "CBAC" are entries when the fast path is used; otherwise, the process path is used.

The following is sample output from the debug ip inspect tcp and debug ip inspect detailed commands:
*Mar 2 01:20:58: CBAC* Pak 2541E38 Find session for (30.0.0.1:46409) (40.0.0.1:21) tcp
*Mar 2 01:20:58: P ack 4223720160 seq 4200176262(22)
*Mar 2 01:20:58: CBAC* Pak 2541E38 Addr:port pairs to match: (30.0.0.1:46409) (40.0.0.1:21)
*Mar 2 01:20:58: CBAC* sis 25A3604 SIS_OPEN
*Mar 2 01:20:58: CBAC* Pak 2541E38 IP: s=30.0.0.1 (Ethernet0), d=40.0.0.1 (Ethernet1), len 76,proto=6
*Mar 2 01:20:58: CBAC sis 25A3604 Saving State: SIS_OPEN/ESTAB iisn 4200176160 i_rcvnxt 4223720160 i_sndnxt 4200176262 i_rcvwnd 8760 risn 4223719771 r_rcvnxt 4200176262 r_sndnxt 4223720160 r_rcvwnd 8760
*Mar 2 01:20:58: CBAC* sis 25A3604 pak 2541E38 TCP P ack 4223720160 seq 4200176262(22) (30.0.0.1:46409) => (40.0.0.1:21)
*Mar 2 01:20:58: CBAC* sis 25A3604 pak 2541E38 SIS_OPEN/ESTAB TCP seq 4200176262(22) Flags: ACK 4223720160 PSH
*Mar 2 01:20:58: CBAC* sis 25A3604 pak 2541E38 --> SIS_OPEN/ESTAB iisn 4200176160 i_rcvnxt 4223720160 i_sndnxt 4200176284 i_rcvwnd 8760 risn 4223719771 r_rcvnxt 4200176262 r_sndnxt 4223720160 r_rcvwnd 8760
*Mar 2 01:20:58: CBAC* sis 25A3604 L4 inspect result: PASS packet 2541E38 (30.0.0.1:46409) (40.0.0.1:21) bytes 22 ftp
*Mar 2 01:20:58: CBAC sis 25A3604 Restoring State: SIS_OPEN/ESTAB iisn 4200176160 i_rcvnxt 4223720160 i_sndnxt 4200176262 i_rcvwnd 8760 risn 4223719771 r_rcvnxt 4200176262 r_sndnxt 4223720160 r_rcvwnd 8760
*Mar 2 01:20:58: CBAC* sis 25A3604 ftp L7 inspect result: PROCESS-SWITCH packet
*Mar 2 01:20:58: CBAC* sis 25A3604 ftp L7 inspect result: PROCESS-SWITCH packet
*Mar 2 01:20:58: CBAC* Bump up: inspection requires the packet in the process path(30.0.0.1) (40.0.0.1)
*Mar 2 01:20:58: CBAC Pak 2541E38 Find session for (30.0.0.1:46409) (40.0.0.1:21) tcp
*Mar 2 01:20:58: P ack 4223720160 seq 4200176262(22)
*Mar 2 01:20:58: CBAC Pak 2541E38 Addr:port pairs to match: (30.0.0.1:46409) (40.0.0.1:21)
*Mar 2 01:20:58: CBAC sis 25A3604 SIS_OPEN
*Mar 2 01:20:58: CBAC Pak 2541E38 IP: s=30.0.0.1 (Ethernet0), d=40.0.0.1 (Ethernet1), len 76, proto=6

debug ip nat

To display information about IP packets translated by the IP Network Address Translation (NAT) feature, use the debug ip nat privileged EXEC command. To disable debugging output, use the no form of this command.

debug ip nat [access-list | detailed | h323 | pptp]
no debug ip nat [access-list | detailed | h323 | pptp]

Syntax Description

access-list   (Optional) The standard IP access list number. If the datagram is not permitted by the specified access list, the related debugging output is suppressed.
detailed      (Optional) Displays debug information in a detailed format.
h323          (Optional) Displays H.225/H.245 protocol information.
pptp          (Optional) Displays Point-to-Point Tunneling Protocol (PPTP) information.

Defaults
Disabled

Command Modes
Privileged EXEC

Command History

Release     Modification
11.2        This command was introduced.
12.1(5)T    This command was modified to include the h323 keyword.

Usage Guidelines
The NAT feature reduces the need for unique, registered IP addresses. It can also save private network administrators from needing to renumber hosts and routers that do not conform to global IP addressing. Use the debug ip nat command to verify the operation of the NAT feature by displaying information about every packet that is translated by the router. The debug ip nat detailed command generates a description of each packet considered for translation. This command also outputs information about certain errors or exceptional conditions, such as the failure to allocate a global address. To display messages related to the processing of H.225 signalling and H.245 messages, use the debug ip nat h323 command.

Caution Because the debug ip nat command generates a substantial amount of output, use it only when traffic on the IP network is low, so other activity on the system is not adversely affected.

Examples
The following is sample output from the debug ip nat command. In this example, the first two lines show the debugging output produced by a Domain Name System (DNS) request and reply. The remaining lines show the debugging output from a Telnet connection from a host on the inside of the network to a host on the outside of the network. All Telnet packets, except for the first packet, were translated in the fast path, as indicated by the asterisk (*).
Router# debug ip nat
NAT: s=192.168.1.95->172.31.233.209, d=172.31.2.132 [6825]
NAT: s=172.31.2.132, d=172.31.233.209->192.168.1.95 [21852]
NAT: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6826]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23311]
NAT*: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6827]
NAT*: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6828]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23313]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23325]

Table 80 describes the significant fields shown in the display.

Table 80 debug ip nat Field Descriptions

Field                             Description
NAT:                              Indicates that the packet is being translated by the NAT feature. An asterisk (*) indicates that the translation is occurring in the fast path. The first packet in a conversation always goes through the slow path (that is, it is process switched). The remaining packets go through the fast path if a cache entry exists.
s=192.168.1.95->172.31.233.209    Source address of the packet and how it is being translated.
d=172.31.2.132                    Destination address of the packet.
[6825]                            IP identification number of the packet. Might be useful in the debugging process to correlate with other packet traces from protocol analyzers.

The following is sample output from the debug ip nat detailed command. In this example, the first two lines show the debugging output produced by a DNS request and reply. The remaining lines show the debugging output from a Telnet connection from a host on the inside of the network to a host on the outside of the network. In this example, the inside host 192.168.1.95 was assigned the global address 172.31.233.193.
Router# debug ip nat detailed
NAT: i: udp (192.168.1.95, 1493) -> (172.31.2.132, 53) [22399]
NAT: o: udp (172.31.2.132, 53) -> (172.31.233.193, 1493) [63671]
NAT*: i: tcp (192.168.1.95, 1135) -> (172.31.2.75, 23) [22400]
NAT*: o: tcp (172.31.2.75, 23) -> (172.31.233.193, 1135) [22002]
NAT*: i: tcp (192.168.1.95, 1135) -> (172.31.2.75, 23) [22401]
NAT*: i: tcp (192.168.1.95, 1135) -> (172.31.2.75, 23) [22402]
NAT*: o: tcp (172.31.2.75, 23) -> (172.31.233.193, 1135) [22060]
NAT*: o: tcp (172.31.2.75, 23) -> (172.31.233.193, 1135) [22071]

Table 81 describes the significant fields shown in the display.

Table 81 debug ip nat detailed Field Descriptions

Field                                      Description
NAT:                                       Indicates that the packet is being translated by the NAT feature. An asterisk (*) indicates that the translation is occurring in the fast path.
i:                                         Indicates that the packet is moving from a host inside the network to one outside the network.
o:                                         Indicates that the packet is moving from a host outside the network to one inside the network.
udp                                        Protocol of the packet.
(192.168.1.95, 1493) -> (172.31.2.132, 53) Indicates that the packet is sent from IP address 192.168.1.95, port number 1493 to IP address 172.31.2.132, port number 53.
[22399]                                    IP identification number of the packet.

The following is sample output from the debug ip nat h323 command. In this example, an H.323 call is established between two hosts, one host on the inside and the other one on the outside. The debug displays the H.323 message names that NAT recognizes and the embedded IP addresses contained in those messages.
Router# debug ip nat h323
NAT:H225:[0] processing a Setup message
NAT:H225:[0] found Setup sourceCallSignalling
NAT:H225:[0] fix TransportAddress addr=192.168.122.50 port=11140
NAT:H225:[0] found Setup fastStart
NAT:H225:[0] Setup fastStart PDU length:18
NAT:H245:[0] processing OpenLogicalChannel message, forward channel number 1
NAT:H245:[0] found OLC forward mediaControlChannel
NAT:H245:[0] fix TransportAddress addr=192.168.122.50 port=16517
NAT:H225:[0] Setup fastStart PDU length:29
NAT:H245:[0] processing OpenLogicalChannel message, forward channel number 1
NAT:H245:[0] found OLC reverse mediaChannel
NAT:H245:[0] fix TransportAddress addr=192.168.122.50 port=16516
NAT:H245:[0] found OLC reverse mediaControlChannel
NAT:H245:[0] fix TransportAddress addr=192.168.122.50 port=16517
NAT:H225:[1] processing an Alerting message
NAT:H225:[1] found Alerting fastStart
NAT:H225:[1] Alerting fastStart PDU length:25
NAT:H245:[1] processing OpenLogicalChannel message, forward channe

Table 82 describes the significant fields shown in the display.

Table 82 debug ip nat h323 Field Descriptions

Field           Description
NAT:            Indicates that the packet is being translated by the NAT feature.
H.225/H.245:    Protocol of the packet.
[1]             Indicates that the packet is moving from a host inside the network to one outside the network.
[0]             Indicates that the packet is moving from a host outside the network to one inside the network.

debug ip ospf events

To display information on Open Shortest Path First (OSPF)-related events, such as adjacencies, flooding information, designated router selection, and shortest path first (SPF) calculation, use the debug ip ospf events privileged EXEC command. The no form of this command disables debugging output.

debug ip ospf events
no debug ip ospf events

Syntax Description
This command has no arguments or keywords.

Examples
The following is sample output from the debug ip ospf events command:
Router# debug ip ospf events
OSPF:hello with invalid timers on interface Ethernet0
  hello interval received 10 configured 10
  net mask received 255.255.255.0 configured 255.255.255.0
  dead interval received 40 configured 30

The debug ip ospf events output shown might appear if any of the following situations occurs:

- The IP subnet masks for routers on the same network do not match.
- The OSPF hello interval for the router does not match that configured for a neighbor.
- The OSPF dead interval for the router does not match that configured for a neighbor.

If a router configured for OSPF routing is not seeing an OSPF neighbor on an attached network, perform the following tasks:

- Make sure that both routers have been configured with the same IP mask, OSPF hello interval, and OSPF dead interval.
- Make sure that both neighbors are part of the same area type. In the following example line, the neighbor and this router are not part of a stub area (that is, one is a part of a transit area and the other is a part of a stub area, as explained in RFC 1247):
OSPF: hello packet with mismatched E bit

Related Commands

Command              Description
debug ip pgm host    Displays information about each OSPF packet received.

debug ip ospf packet

To display information about each Open Shortest Path First (OSPF) packet received, use the debug ip ospf packet privileged EXEC command. The no form of this command disables debugging output.

debug ip ospf packet
no debug ip ospf packet

Syntax Description
This command has no arguments or keywords.

Examples
The following is sample output from the debug ip ospf packet command:
Router# debug ip ospf packet
OSPF: rcv. v:2 t:1 l:48 rid:200.0.0.117 aid:0.0.0.0 chk:6AB2 aut:0 auk:

The debug ip ospf packet command produces one set of information for each packet received. The output varies slightly depending on which authentication is used. The following is sample output from the debug ip ospf packet command when MD5 authentication is used.
Router# debug ip ospf packet
OSPF: rcv. v:2 t:1 l:48 rid:200.0.0.116 aid:0.0.0.0 chk:0 aut:2 keyid:1 seq:0x0

Table 84 describes the fields shown in the display.

Table 84 debug ip ospf packet Field Descriptions

Field     Description
v:        OSPF version.
t:        OSPF packet type. Possible packet types follow:
            1  Hello
            2  Data description
            3  Link state request
            4  Link state update
            5  Link state acknowledgment
l:        OSPF packet length in bytes.
rid:      OSPF router ID.
aid:      OSPF area ID.
chk:      OSPF checksum.
aut:      OSPF authentication type. Possible authentication types follow:
            0  No authentication
            1  Simple password
            2  MD5
auk:      OSPF authentication key.
keyid:    MD5 key ID.
seq:      Sequence number.

Related Commands

Command                 Description
debug ip ospf events    Displays information on OSPF-related events, such as adjacencies, flooding information, designated router selection, and SPF calculation.
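The two output forms above differ only in the trailing authentication fields (auk: for null or simple-password authentication, keyid: and seq: for MD5), and every field is a key:value token, so the line is easy to decode with the Table 84 vocabulary. The following Python script is an added example, not code from the Cisco reference: it parses both forms into one record and reports which neighbours' packets arrived with an authentication type weaker than MD5, which is the check an operator wants when confirming that an area's authentication is actually in effect. The sample input is the two lines shown above; the function and class names are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Table 84 vocabularies.
OSPF_PACKET_TYPES = {1: "Hello", 2: "Data description", 3: "Link state request",
                     4: "Link state update", 5: "Link state acknowledgment"}
OSPF_AUTH_TYPES = {0: "No authentication", 1: "Simple password", 2: "MD5"}

PREFIX = "OSPF: rcv. "


@dataclass
class OspfPacket:
    version: int
    ptype: int
    length: int
    router_id: str
    area_id: str
    checksum: str                    # kept as the hex string the router prints
    auth_type: int
    auth_key: Optional[str] = None   # auk: field (null / simple-password form)
    key_id: Optional[int] = None     # keyid: field (MD5 form)
    seq: Optional[int] = None        # seq: field (MD5 form), printed in hex

    @property
    def type_name(self) -> str:
        return OSPF_PACKET_TYPES.get(self.ptype, f"type {self.ptype}")

    @property
    def auth_name(self) -> str:
        return OSPF_AUTH_TYPES.get(self.auth_type, f"auth {self.auth_type}")


def parse_ospf_packet_line(line: str) -> Optional[OspfPacket]:
    """Parse one 'OSPF: rcv. ...' line into its key:value fields.
    Both forms shown in the reference are handled; auk: may carry an empty value."""
    line = line.strip()
    if not line.startswith(PREFIX):
        return None
    fields: Dict[str, str] = {}
    for token in line[len(PREFIX):].split():
        key, _, value = token.partition(":")
        fields[key] = value
    try:
        pkt = OspfPacket(
            version=int(fields["v"]), ptype=int(fields["t"]), length=int(fields["l"]),
            router_id=fields["rid"], area_id=fields["aid"], checksum=fields["chk"],
            auth_type=int(fields["aut"]))
    except (KeyError, ValueError):
        return None   # a field both known forms always carry is missing or malformed
    if "auk" in fields:
        pkt.auth_key = fields["auk"]
    if "keyid" in fields:
        pkt.key_id = int(fields["keyid"])
    if "seq" in fields:
        pkt.seq = int(fields["seq"], 16)
    return pkt


def parse_debug_output(text: str) -> List[OspfPacket]:
    """All parseable packet lines from a capture, prompt and blank lines skipped."""
    return [p for p in (parse_ospf_packet_line(l) for l in text.splitlines()) if p is not None]


def weak_auth_neighbors(packets: List[OspfPacket], minimum: int = 2) -> Dict[str, str]:
    """Router IDs whose packets arrived with an authentication type below `minimum`
    (2 = MD5). Null or simple-password authentication gives no assurance that a
    packet came from a legitimate neighbour, so these router IDs are the ones to
    compare against the intended configuration."""
    return {p.router_id: p.auth_name for p in packets if p.auth_type < minimum}


# Sample input: the two lines shown in the reference examples above.
SAMPLE_OUTPUT = """\
Router# debug ip ospf packet
OSPF: rcv. v:2 t:1 l:48 rid:200.0.0.117 aid:0.0.0.0 chk:6AB2 aut:0 auk:
OSPF: rcv. v:2 t:1 l:48 rid:200.0.0.116 aid:0.0.0.0 chk:0 aut:2 keyid:1 seq:0x0
"""

if __name__ == "__main__":
    pkts = parse_debug_output(SAMPLE_OUTPUT)
    for p in pkts:
        print(p.router_id, p.type_name, p.auth_name, p.key_id, p.seq)
    print(weak_auth_neighbors(pkts))
```

The MD5 sequence number is kept per packet so that a longer capture can be checked for a neighbour whose seq: value fails to increase, which is the condition the receiving router uses to discard replayed packets.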

debug ip packet

To display general IP debugging information and IP security option (IPSO) security transactions, use the debug ip packet privileged EXEC command. The no form of this command disables debugging output.

debug ip packet [access-list-number]
no debug ip packet [access-list-number]

Syntax Description

access-list-number    (Optional) The IP access list number that you can specify. If the datagram is not permitted by that access list, the related debugging output is suppressed.

Usage Guidelines
If a communication session is closing when it should not be, an end-to-end connection problem can be the cause. The debug ip packet command is useful for analyzing the messages traveling between the local and remote hosts. IP debugging information includes packets received, generated, and forwarded. Fast-switched packets do not generate messages. IPSO security transactions include messages that describe the cause of failure each time a datagram fails a security test in the system. This information is also sent to the sending host when the router configuration allows it.

Caution Because the debug ip packet command generates a substantial amount of output, use it only when traffic on the IP network is low, so other activity on the system is not adversely affected.

Examples
The following is sample output from the debug ip packet command:
Router# debug ip packet
IP: s=172.69.13.44 (Fddi0), d=10.125.254.1 (Serial2), g=172.69.16.2, forward
IP: s=172.69.1.57 (Ethernet4), d=10.36.125.2 (Serial2), g=172.69.16.2, forward
IP: s=172.69.1.6 (Ethernet4), d=255.255.255.255, rcvd 2
IP: s=172.69.1.55 (Ethernet4), d=172.69.2.42 (Fddi0), g=172.69.13.6, forward
IP: s=172.69.89.33 (Ethernet2), d=10.130.2.156 (Serial2), g=172.69.16.2, forward
IP: s=172.69.1.27 (Ethernet4), d=172.69.43.126 (Fddi1), g=172.69.23.5, forward
IP: s=172.69.1.27 (Ethernet4), d=172.69.43.126 (Fddi0), g=172.69.13.6, forward
IP: s=172.69.20.32 (Ethernet2), d=255.255.255.255, rcvd 2
IP: s=172.69.1.57 (Ethernet4), d=10.36.125.2 (Serial2), g=172.69.16.2, access denied

The output shows two types of messages that the debug ip packet command can produce; the first line of output describes an IP packet that the router forwards, and the third line of output describes a packet that is destined for the router. In the third line of output, rcvd 2 indicates that the router decided to receive the packet. Table 86 describes the fields shown in the first line.

Table 86 debug ip packet Field Descriptions

Field                       Description
IP:                         Indicates that this is an IP packet.
s=172.69.13.44 (Fddi0)      Indicates the source address of the packet and the name of the interface that received the packet.
d=10.125.254.1 (Serial2)    Indicates the destination address of the packet and the name of the interface (in this case, S2) through which the packet is being sent out on the network.
g=172.69.16.2               Indicates the address of the next hop gateway.
forward                     Indicates that the router is forwarding the packet. If a filter denies a packet, "access denied" replaces "forward," as shown in the last line of output.

The calculation on whether to send a security error message can be somewhat confusing. It depends upon both the security label in the datagram and the label of the incoming interface. First, the label contained in the datagram is examined for anything obviously wrong. If nothing is wrong, assume the datagram to be correct. If something is wrong, the datagram is treated as unclassified genser. Then the label is compared with the interface range, and the appropriate action is taken, as Table 87 describes.

Table 87 Security Actions

Classification    Authorities    Action Taken
Too low           Too low        No Response
Too low           Good           No Response
Too low           Too high       No Response
In range          Too low        No Response
In range          Good           Accept
In range          Too high       Send Error
Too high          Too low        No Response
Too high          In range       Send Error
Too high          Too high       Send Error

The security code can only generate a few types of ICMP error messages. The only possible error messages and their meanings follow:

ICMP Parameter problem, code 0    Error at pointer
ICMP Parameter problem, code 1    Missing option
ICMP Parameter problem, code 2    See Note that follows
ICMP Unreachable, code 10         Administratively prohibited

Note The message "ICMP Parameter problem, code 2" identifies a specific error that occurs in the processing of a datagram. This message indicates that the router received a datagram containing a maximum length IP header but no security option. After being processed and routed to another interface, it is discovered that the outgoing interface is marked with "add a security label." Because the IP header is already full, the system cannot add a label and must drop the datagram and return an error message.

When an IP packet is rejected due to an IP security failure, an audit message is sent via DNSIX NAT. Also, any debug ip packet output is appended to include a description of the reason for rejection. This description can be any of the following:

  No basic
  No basic, no response
  Reserved class
  Reserved class, no response
  Class too low, no response
  Class too high
  Class too high, bad authorities, no response
  Unrecognized class
  Unrecognized class, no response
  Multiple basic
  Multiple basic, no response
  Authority too low, no response
  Authority too high
  Compartment bits not dominated by maximum sensitivity level
  Compartment bits do not dominate minimum sensitivity level
  Security failure: extended security disallowed
  NLESO source appeared twice
  ESO source not found
  Postroute, failed xfc out
  No room to add IPSO

debug ip rip
To display information on RIP routing transactions, use the debug ip rip privileged EXEC command. The no form of this command disables debugging output. debug ip rip no debug ip rip

Syntax Description
This command has no arguments or keywords.

Examples
The following is sample output from the debug ip rip command:

The output shows that the router being debugged has received updates from one router at source address 160.89.80.28. That router sent information about five destinations in the routing table update. Notice that the fourth destination address in the update, 131.108.0.0, is inaccessible because it is more than 15 hops away from the router sending the update. The router being debugged also sent updates, in both cases to the broadcast address 255.255.255.255 as the destination. The second line is an example of a routing table update. It shows how many hops a given Internet address is from the router. The entries show that the router is sending similar updates, except that the number in parentheses is the source address encapsulated into the IP header. Examples of additional output that the debug ip rip command can generate follow.

Entries such as the following appear at startup or when an event occurs such as an interface making a transition or a user manually clearing the routing table:
RIP: broadcasting general request on Ethernet0 RIP: broadcasting general request on Ethernet1

An entry such as the following is most likely caused by a malformed packet from the sender:
RIP: bad version 128 from 160.89.80.43

debug ip routing
To display information on Routing Information Protocol (RIP) routing table updates and route cache updates, use the debug ip routing privileged EXEC command. The no form of this command disables debugging output. debug ip routing no debug ip routing

Syntax Description
This command has no arguments or keywords.

Examples
The following is sample output from the debug ip routing command:
Router# debug ip routing
RT: add 172.25.168.0 255.255.255.0 via 172.24.76.30, igrp metric [100/3020]
RT: metric change to 172.25.168.0 via 172.24.76.30, igrp metric [100/3020]
    new metric [100/2930]
IP: cache invalidation from 0x115248 0x1378A, new version 5736
RT: add 172.26.219.0 255.255.255.0 via 172.24.76.30, igrp metric [100/16200]
RT: metric change to 172.26.219.0 via 172.24.76.30, igrp metric [100/16200]
    new metric [100/10816]
RT: delete route to 172.26.219.0 via 172.24.76.30, igrp metric [100/10816]
RT: no routes to 172.26.219.0, entering holddown
IP: cache invalidation from 0x115248 0x1378A, new version 5737
RT: 172.26.219.0 came out of holddown
RT: garbage collecting entry for 172.26.219.0
IP: cache invalidation from 0x115248 0x1378A, new version 5738
RT: add 172.26.219.0 255.255.255.0 via 172.24.76.30, igrp metric [100/10816]
RT: delete route to 172.26.219.0 via 172.24.76.30, igrp metric [100/10816]
RT: no routes to 172.26.219.0, entering holddown
IP: cache invalidation from 0x115248 0x1378A, new version 5739
RT: 172.26.219.0 came out of holddown
RT: garbage collecting entry for 172.26.219.0
IP: cache invalidation from 0x115248 0x1378A, new version 5740
RT: add 172.26.219.0 255.255.255.0 via 172.24.76.30, igrp metric [100/16200]
RT: metric change to 172.26.219.0 via 172.24.76.30, igrp metric [100/16200]
    new metric [100/10816]
RT: delete route to 172.26.219.0 via 172.24.76.30, igrp metric [100/10816]
RT: no routes to 172.26.219.0, entering holddown
IP: cache invalidation from 0x115248 0x1378A, new version 5741

In the following lines, a newly created entry has been added to the IP routing table. The "metric change" indicates that this entry existed previously, but its metric changed and the change was reported by means of IGRP. The metric could also be reported via RIP, OSPF, or another IP routing protocol. The numbers inside the brackets report the administrative distance and the actual metric.
RT: add 172.25.168.0 255.255.255.0 via 172.24.76.30, igrp metric [100/3020]
RT: metric change to 172.25.168.0 via 172.24.76.30, igrp metric [100/3020]
    new metric [100/2930]
IP: cache invalidation from 0x115248 0x1378A, new version 5736

"Cache invalidation" means that the fast-switching cache was invalidated due to a routing table change. "New version" is the version number of the routing table. When the routing table changes, this number is incremented. The hexadecimal numbers are internal numbers that vary from version to version and software load to software load. In the following output, the "holddown" and "cache invalidation" lines are displayed. Most distance vector routing protocols use "holddown" to avoid typical problems like counting to infinity and routing loops. If you look at the output of the show ip protocols command you will see the timer values for "holddown" and "cache invalidation." "Cache invalidation" corresponds to "came out of holddown." "Delete route" is triggered when a better path comes along. It removes the old inferior path.
RT: delete route to 172.26.219.0 via 172.24.76.30, igrp metric [100/10816]
RT: no routes to 172.26.219.0, entering holddown
IP: cache invalidation from 0x115248 0x1378A, new version 5737
RT: 172.26.219.0 came out of holddown

debug ip security
To display IP security option processing, use the debug ip security privileged EXEC command. The no form of this command disables debugging output. debug ip security no debug ip security

Syntax Description
This command has no arguments or keywords.

Usage Guidelines
The debug ip security command displays information for both basic and extended IP security options. For interfaces where ip security is configured, each IP packet processed for that interface results in debugging output regardless of whether the packet contains IP security options. IP packets processed for other interfaces that also contain IP security information also trigger debugging output. Some additional IP security debugging information is also controlled by the debug ip packet privileged EXEC command.

Caution Because the debug ip security command generates a substantial amount of output for every IP packet processed, use it only when traffic on the IP network is low, so other activity on the system is not adversely affected.

Examples
The following is sample output from the debug ip security command:
Router# debug ip security
IP Security: 172.24.72.52 dst 172.24.72.53, number of BSO 1
  idb: NULL
  pak: insert (0xFF) 0x0
IP Security: BSO postroute: SECINSERT changed to secret (0x5A) 0x10
IP Security: 172.24.72.53 dst 172.24.72.52, number of BSO 1
  idb: secret (0x6) 0x10 to secret (0x6) 0x10, no implicit
  def secret (0x6) 0x10
  pak: secret (0x5A) 0x10
IP Security: checking BSO 0x10 against [0x10 0x10]
IP Security: classified BSO as secret (0x5A) 0x10

Table 92 describes significant fields shown in the output.

Table 92 debug ip security Field Descriptions

Field           Description
172.24.72.52    Indicates the source IP address.
dst             Indicates the destination IP address.
number of BSO   Indicates the number of basic security options found in the packet.
idb             Provides information on the security configuration for the incoming interface.
pak             Provides information on the security classification of the incoming packet.

The following line indicates that the packet was locally generated, and it has been classified with the internally significant security level "insert" (0xff) and authority information of 0x0:
idb: NULL pak: insert (0xff) 0x0

The following lines indicate that the packet was received via an interface with dedicated IP security configured. Specifically, the interface is configured at security level "secret" and with authority information of 0x10. The packet itself was classified at level "secret" (0x5A) and authority information of 0x10.
idb: secret (0x6) 0x10 to secret (0x6) 0x10, no implicit
def secret (0x6) 0x10
pak: secret (0x5A) 0x10
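The decision described with Table 87 (is the label well formed, is its classification inside the interface range, do its authorities fit) and the "checking BSO 0x10 against [0x10 0x10]" line above can be worked through in code. The following is an added example, not part of this command reference and not Cisco's implementation: it parses the RFC 1108 Basic Security Option out of an IPv4 options field (option type 130, classification byte, then protection authority flag octets chained by their low bit) and applies the Table 87 matrix. The interface model (a classification range plus the authority bits a packet must carry and may carry at most), the decision that "In range" for authorities in the last block of the table means the same as "Good", and the helper names are assumptions of this example; the classification and authority byte values are the RFC 1108 encodings, which is why the page's output shows secret as 0x5A and an authority of 0x10.

```python
"""Added example: parse an IPSO Basic Security Option (RFC 1108) and apply the
Table 87 decision. The interface model and helper names are assumptions."""
from dataclasses import dataclass
from typing import Optional, Tuple

BSO_TYPE = 130  # IPv4 option type of the Basic Security Option (RFC 1108)

# RFC 1108 classification encodings; the byte values are not ordered, so keep a rank.
CLASS_LEVELS = {0xAB: ("unclassified", 0), 0x96: ("confidential", 1),
                0x5A: ("secret", 2), 0x3D: ("top secret", 3)}

# Protection authority flag bits of the first flags octet (bit 0 is the continuation flag).
GENSER, SIOP_ESI, SCI, NSA, DOE = 0x80, 0x40, 0x20, 0x10, 0x08
AUTHORITY_MASK = GENSER | SIOP_ESI | SCI | NSA | DOE

# Table 87, keyed by (classification result, authorities result).
ACTIONS = {
    ("too low", "too low"): "No Response", ("too low", "good"): "No Response",
    ("too low", "too high"): "No Response", ("in range", "too low"): "No Response",
    ("in range", "good"): "Accept", ("in range", "too high"): "Send Error",
    ("too high", "too low"): "No Response", ("too high", "good"): "Send Error",
    ("too high", "too high"): "Send Error",
}

@dataclass(frozen=True)
class Label:
    classification: int  # RFC 1108 byte value, e.g. 0x5A for secret
    authorities: int     # OR of authority flag bits, e.g. 0x10 for NSA

@dataclass(frozen=True)
class InterfaceRange:
    """Assumed model of an 'ip security' interface: classification bounds plus the
    authorities a packet must carry (min_auth) and may carry at most (max_auth)."""
    low_class: int
    high_class: int
    min_auth: int
    max_auth: int

UNCLASSIFIED_GENSER = Label(0xAB, GENSER)  # what a malformed label is treated as

def parse_bso(options: bytes) -> Optional[Label]:
    """Walk the IPv4 options field and return the first BSO, or None if it is
    missing or obviously wrong (bad length, unknown class, broken flag chain)."""
    i = 0
    while i < len(options):
        opt_type = options[i]
        if opt_type == 0:            # End of Option List
            return None
        if opt_type == 1:            # No Operation
            i += 1
            continue
        if i + 1 >= len(options):
            return None
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return None
        if opt_type == BSO_TYPE:
            body = options[i + 2:i + length]
            if len(body) < 2 or body[0] not in CLASS_LEVELS:
                return None
            flags = body[1:]
            for k, octet in enumerate(flags):
                if not octet & 0x01:             # continuation bit clear: last flags octet
                    if k != len(flags) - 1:      # ...but trailing octets follow
                        return None
                    break
            else:
                return None                      # ran off the end with continuation set
            return Label(body[0], flags[0] & AUTHORITY_MASK)
        i += length
    return None

def compare(label: Label, rng: InterfaceRange) -> Tuple[str, str]:
    """Classify the label against the interface range the way Table 87 expects."""
    rank = CLASS_LEVELS[label.classification][1]
    if rank < CLASS_LEVELS[rng.low_class][1]:
        cls = "too low"
    elif rank > CLASS_LEVELS[rng.high_class][1]:
        cls = "too high"
    else:
        cls = "in range"
    if label.authorities & rng.min_auth != rng.min_auth:
        auth = "too low"                  # does not dominate the required authorities
    elif label.authorities & ~rng.max_auth & AUTHORITY_MASK:
        auth = "too high"                 # carries an authority the interface disallows
    else:
        auth = "good"
    return cls, auth

def decide(options: bytes, rng: InterfaceRange) -> Tuple[str, Label]:
    """Return (action, effective label); a malformed label becomes unclassified genser."""
    label = parse_bso(options) or UNCLASSIFIED_GENSER
    return ACTIONS[compare(label, rng)], label

if __name__ == "__main__":
    secret_nsa = InterfaceRange(0x5A, 0x5A, NSA, NSA)   # constructed: secret-only, NSA-only interface
    print(decide(bytes([BSO_TYPE, 4, 0x5A, NSA]), secret_nsa))           # Accept
    print(decide(bytes([BSO_TYPE, 4, 0x5A, NSA | GENSER]), secret_nsa))  # Send Error
    print(decide(bytes([BSO_TYPE, 6, 0x5A, NSA]), secret_nsa))           # bad length: No Response
```

Note how the malformed case behaves: a BSO whose length byte runs past the options field is not rejected outright but relabelled unclassified genser, so on a secret-only interface it falls into the "too low" row and is silently dropped with no ICMP error, which is the "no response" variant of the rejection reasons listed for debug ip packet.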

debug ip ssh
To display debug messages for Secure Shell (SSH), use the debug ip ssh privileged EXEC command. To disable debugging output, use the no form of the command. debug ip ssh no debug ip ssh

Syntax Description
This command has no arguments or keywords.

Defaults
Debugging for SSH is not enabled.

Command History
Release    Modification
12.0(5)S   This command was introduced.
12.1(1)T   This command was integrated into Cisco IOS Release 12.1 T.

Usage Guidelines
Use the debug ip ssh command to ensure normal operation of the SSH server.

Examples
The following example shows the SSH debugging output:
Router# debug ip ssh
00:53:46: SSH0: starting SSH control process
00:53:46: SSH0: Exchanging versions - SSH-1.5-Cisco-1.25
00:53:46: SSH0: client version is - SSH-1.5-1.2.25
00:53:46: SSH0: SSH_SMSG_PUBLIC_KEY message sent
00:53:46: SSH0: SSH_CMSG_SESSION_KEY message received
00:53:47: SSH0: keys exchanged and encryption on
00:53:47: SSH0: authentication request for userid guest
00:53:47: SSH0: authentication successful for jcisco
00:53:47: SSH0: starting exec shell

debug ip tcp intercept
To display TCP intercept statistics, use the debug ip tcp intercept privileged EXEC command. The no form of this command disables debugging output. debug ip tcp intercept no debug ip tcp intercept

Syntax Description
This command has no arguments or keywords.

Examples
Figure 4 illustrates a scenario in which a router configured with TCP intercept operates between a client and a server.

Figure 4 Example TCP Intercept Environment

The following is sample output from the debug ip tcp intercept command:
Router# debug ip tcp intercept

A connection attempt arrives:
INTERCEPT: new connection (172.19.160.17:61774) => (10.1.1.30:23)
INTERCEPT: 172.19.160.17:61774 <- ACK+SYN (10.1.1.30:61774)

A second connection attempt arrives:
INTERCEPT: new connection (172.19.160.17:62030) => (10.1.1.30:23)
INTERCEPT: 172.19.160.17:62030 <- ACK+SYN (10.1.1.30:62030)

The router re-sends to both apparent clients:
INTERCEPT: retransmit 2 (172.19.160.17:61774) <- (10.1.1.30:23) SYNRCVD
INTERCEPT: retransmit 2 (172.19.160.17:62030) <- (10.1.1.30:23) SYNRCVD

A third connection attempt arrives:
INTERCEPT: new connection (171.69.232.23:1048) => (10.1.1.30:23)
INTERCEPT: 171.69.232.23:1048 <- ACK+SYN (10.1.1.30:1048)

The router sends more retransmissions trying to establish connections with the apparent clients:
INTERCEPT: retransmit 4 (172.19.160.17:61774) <- (10.1.1.30:23) SYNRCVD
INTERCEPT: retransmit 4 (172.19.160.17:62030) <- (10.1.1.30:23) SYNRCVD
INTERCEPT: retransmit 2 (171.69.232.23:1048) <- (10.1.1.30:23) SYNRCVD

The router establishes the connection with the third client and re-sends to the server:
INTERCEPT: 1st half of connection is established (171.69.232.23:1048) => (10.1.1.30:23)
INTERCEPT: (171.69.232.23:1048) SYN -> 10.1.1.30:23
INTERCEPT: retransmit 2 (171.69.232.23:1048) -> (10.1.1.30:23) SYNSENT

The server responds; the connection is established:
INTERCEPT: 2nd half of connection established (171.69.232.23:1048) => (10.1.1.30:23)
INTERCEPT: (171.69.232.23:1048) ACK -> 10.1.1.30:23

The router re-sends to the first two apparent clients, times out, and sends resets:
INTERCEPT: retransmit 8 (172.19.160.17:61774) <- (10.1.1.30:23) SYNRCVD
INTERCEPT: retransmit 8 (172.19.160.17:62030) <- (10.1.1.30:23) SYNRCVD
INTERCEPT: retransmit 16 (172.19.160.17:61774) <- (10.1.1.30:23) SYNRCVD
INTERCEPT: retransmit 16 (172.19.160.17:62030) <- (10.1.1.30:23) SYNRCVD
INTERCEPT: retransmitting too long (172.19.160.17:61774) => (10.1.1.30:23) SYNRCVD
INTERCEPT: 172.19.160.17:61774 <- RST (10.1.1.30:23)
INTERCEPT: retransmitting too long (172.19.160.17:62030) => (10.1.1.30:23) SYNRCVD
INTERCEPT: 172.19.160.17:62030 <- RST (10.1.1.30:23)
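The trace above is the behaviour of a SYN proxy: the router completes the handshake with every client on the server's behalf, keeps retrying the SYN/ACK with a growing interval, only opens the second half toward the server once a client actually answers, and resets the attempts that never do. When reading this output on a device under attack, the question is which sources only ever produce half-open connections. The following is an added example, not part of this command reference and not Cisco's code, that folds a debug ip tcp intercept capture into a per-endpoint final state and lists the sources whose every attempt ended in a reset. The regular expressions are written against the line formats shown on this page; the state names and the "suspect" heuristic are this example's own assumptions. The sample lines are the page's own output, reassembled in order.

```python
"""Added example: summarize debug ip tcp intercept output per client endpoint."""
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Tuple

EP = r"[\d.]+:\d+"
NEW = re.compile(rf"new connection \((?P<client>{EP})\) => \((?P<server>{EP})\)")
RETX = re.compile(rf"retransmit (?P<n>\d+) \((?P<client>{EP})\) <- ")   # router -> client SYN/ACK retries
HALF1 = re.compile(rf"1st half of connection is established \((?P<client>{EP})\)")
HALF2 = re.compile(rf"2nd half of connection established \((?P<client>{EP})\)")
RST = re.compile(rf"(?P<client>{EP}) <- RST")

def parse_intercept(lines: Iterable[str]) -> Tuple[Dict[str, str], Dict[str, int]]:
    """Return {client endpoint: final state} and {client endpoint: highest retransmit count seen}."""
    state: Dict[str, str] = {}
    retx: Counter = Counter()
    for raw in lines:
        line = raw.strip()
        if not line.startswith("INTERCEPT:"):
            continue
        if m := NEW.search(line):
            state[m["client"]] = "SYNRCVD"          # router answered the SYN on the server's behalf
        elif m := RETX.search(line):
            retx[m["client"]] = max(retx[m["client"]], int(m["n"]))
        elif m := HALF1.search(line):
            state[m["client"]] = "CLIENT_ESTAB"     # client finished its handshake; router now contacts server
        elif m := HALF2.search(line):
            state[m["client"]] = "ESTABLISHED"      # server side finished; the two halves are joined
        elif m := RST.search(line):
            state[m["client"]] = "RESET"            # never completed; router gave up and reset the client
    return state, dict(retx)

def suspect_sources(state: Dict[str, str]) -> List[str]:
    """Source addresses whose every intercepted attempt ended in RESET (typical of spoofed SYNs)."""
    per_src: Dict[str, Counter] = defaultdict(Counter)
    for ep, st in state.items():
        per_src[ep.rsplit(":", 1)[0]][st] += 1
    return sorted(src for src, c in per_src.items()
                  if c["RESET"] and c["RESET"] == sum(c.values()))

# Sample lines taken from the debug output shown on this page.
SAMPLE = """\
INTERCEPT: new connection (172.19.160.17:61774) => (10.1.1.30:23)
INTERCEPT: 172.19.160.17:61774 <- ACK+SYN (10.1.1.30:61774)
INTERCEPT: new connection (172.19.160.17:62030) => (10.1.1.30:23)
INTERCEPT: 172.19.160.17:62030 <- ACK+SYN (10.1.1.30:62030)
INTERCEPT: retransmit 2 (172.19.160.17:61774) <- (10.1.1.30:23) SYNRCVD
INTERCEPT: retransmit 2 (172.19.160.17:62030) <- (10.1.1.30:23) SYNRCVD
INTERCEPT: new connection (171.69.232.23:1048) => (10.1.1.30:23)
INTERCEPT: 171.69.232.23:1048 <- ACK+SYN (10.1.1.30:1048)
INTERCEPT: retransmit 4 (172.19.160.17:61774) <- (10.1.1.30:23) SYNRCVD
INTERCEPT: retransmit 4 (172.19.160.17:62030) <- (10.1.1.30:23) SYNRCVD
INTERCEPT: retransmit 2 (171.69.232.23:1048) <- (10.1.1.30:23) SYNRCVD
INTERCEPT: 1st half of connection is established (171.69.232.23:1048) => (10.1.1.30:23)
INTERCEPT: (171.69.232.23:1048) SYN -> 10.1.1.30:23
INTERCEPT: retransmit 2 (171.69.232.23:1048) -> (10.1.1.30:23) SYNSENT
INTERCEPT: 2nd half of connection established (171.69.232.23:1048) => (10.1.1.30:23)
INTERCEPT: (171.69.232.23:1048) ACK -> 10.1.1.30:23
INTERCEPT: retransmit 8 (172.19.160.17:61774) <- (10.1.1.30:23) SYNRCVD
INTERCEPT: retransmit 8 (172.19.160.17:62030) <- (10.1.1.30:23) SYNRCVD
INTERCEPT: retransmit 16 (172.19.160.17:61774) <- (10.1.1.30:23) SYNRCVD
INTERCEPT: retransmit 16 (172.19.160.17:62030) <- (10.1.1.30:23) SYNRCVD
INTERCEPT: retransmitting too long (172.19.160.17:61774) => (10.1.1.30:23) SYNRCVD
INTERCEPT: 172.19.160.17:61774 <- RST (10.1.1.30:23)
INTERCEPT: retransmitting too long (172.19.160.17:62030) => (10.1.1.30:23) SYNRCVD
INTERCEPT: 172.19.160.17:62030 <- RST (10.1.1.30:23)
""".splitlines()

if __name__ == "__main__":
    st, rx = parse_intercept(SAMPLE)
    for ep in sorted(st):
        print(f"{ep:24} {st[ep]:13} max retransmit {rx.get(ep, 0)}")
    print("suspect sources:", suspect_sources(st))
```

Only the client-side retries (the "<-" direction, SYNRCVD) are counted; the single "->" retransmit toward the server while the router is in SYNSENT is the second half of a legitimate connection and is deliberately left out, so that a slow server is not mistaken for an attacking client.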

debug ip tcp transactions
To display information on significant TCP transactions such as state changes, retransmissions, and duplicate packets, use the debug ip tcp transactions privileged EXEC command. The no form of this command disables debugging output. debug ip tcp transactions no debug ip tcp transactions

Syntax Description
This command has no arguments or keywords.

Usage Guidelines
This command is particularly useful for debugging a performance problem on a TCP/IP network that you have isolated above the data link layer. The debug ip tcp transactions command displays output for packets the router sends and receives, but does not display output for packets it forwards.

Examples
The following is sample output from the debug ip tcp transactions command:
Router# debug ip tcp transactions
TCP: sending SYN, seq 168108, ack 88655553
TCP0: Connection to 10.9.0.13:22530, advertising MSS 966
TCP0: state was LISTEN -> SYNRCVD [23 -> 10.9.0.13(22530)]
TCP0: state was SYNSENT -> SYNRCVD [23 -> 10.9.0.13(22530)]
TCP0: Connection to 10.9.0.13:22530, received MSS 956
TCP0: restart retransmission in 5996
TCP0: state was SYNRCVD -> ESTAB [23 -> 10.9.0.13(22530)]
TCP2: restart retransmission in 10689
TCP2: restart retransmission in 10641
TCP2: restart retransmission in 10633
TCP2: restart retransmission in 13384 -> 10.0.0.13(16151)]
TCP0: restart retransmission in 5996 [23 -> 10.0.0.13(16151)]

Table 96 describes the significant fields shown in the display.

Table 96 debug ip tcp transactions Field Descriptions

Field                            Description
TCP:                             Indicates that this is a TCP transaction.
sending SYN                      Indicates that a synchronize packet is being sent.
seq 168108                       Indicates the sequence number of the data being sent.
ack 88655553                     Indicates the sequence number of the data being acknowledged.
TCP0:                            Indicates the TTY number (0, in this case) with which this TCP connection is associated.
Connection to 10.9.0.13:22530    Indicates the remote address with which a connection has been established.
advertising MSS 966              Indicates the maximum segment size this side of the TCP connection is offering to the other side.
state was LISTEN -> SYNRCVD      Indicates that the TCP state machine changed state from LISTEN to SYNRCVD. Possible TCP states follow:
                                 CLOSED     Connection closed.
                                 CLOSEWAIT  Received a FIN segment.
                                 CLOSING    Received a FIN/ACK segment.
                                 ESTAB      Connection established.
                                 FINWAIT 1  Sent a FIN segment to start closing the connection.
                                 FINWAIT 2  Waiting for a FIN segment.
                                 LASTACK    Sent a FIN segment in response to a received FIN segment.
                                 LISTEN     Listening for a connection request.
                                 SYNRCVD    Received a SYN segment, and responded.
                                 SYNSENT    Sent a SYN segment to start connection negotiation.
                                 TIMEWAIT   Waiting for the network to clear segments for this connection before the network no longer recognizes the connection as valid. This must occur before a new connection can be set up.
[23 -> 10.9.0.13(22530)]         The elements within these brackets are as follows: the first field (23) indicates the local TCP port, the second field (10.9.0.13) indicates the destination IP address, and the third field (22530) indicates the destination TCP port.
restart retransmission in 5996   Indicates the number of milliseconds until the next retransmission.

debug ip trigger-authentication
To display information related to automated double authentication, use the debug ip trigger-authentication privileged EXEC command. The no form of this command disables debugging output. debug ip trigger-authentication [verbose] no debug ip trigger-authentication [verbose]

Syntax Description
verbose (Optional) Specifies that the complete debugging output be displayed, including information about packets that are blocked before authentication is complete.

Usage Guidelines
Use this command when troubleshooting automated double authentication. This command displays information about the remote host table. Whenever entries are added, updated, or removed, a new debugging message is displayed. What is the remote host table? Whenever a remote user needs to be user-authenticated in the second stage of automated double authentication, the local device sends a UDP packet to the host of the remote user. Whenever such a UDP packet is sent, the host IP address of the user is added to a table. If additional UDP packets are sent to the same remote host, a new table entry is not created; instead, the existing entry is updated with a new time stamp. This remote host table contains a cumulative list of host entries; entries are deleted after a timeout period or after you manually clear the table using the clear ip trigger-authentication command. If you include the verbose keyword, the debugging output also includes information about packet activity.

Examples
The following is sample output from the debug ip trigger-authentication command. In this example, the local device at 172.21.127.186 sends a UDP packet to the remote host at 172.21.127.114. The UDP packet is sent to request the remote user's username and password (or PIN). (The output indicates "New entry added.")

After a timeout period, the local device has not received a valid response from the remote host, so the local device sends another UDP packet. (The output indicates "Time stamp updated.") Then the remote user is authenticated, and after a length of time (the timeout period) the entry is removed from the remote host table. (The output indicates "remove obsolete entry.")
myfirewall# debug ip trigger-authentication
TRIGGER_AUTH: UDP sent from 172.21.127.186 to 172.21.127.114, qdata=7C2504
  New entry added, timestamp=2940514234
TRIGGER_AUTH: UDP sent from 172.21.127.186 to 172.21.127.114, qdata=7C2504
  Time stamp updated, timestamp=2940514307
TRIGGER_AUTH: remove obsolete entry, remote host=172.21.127.114

The following is sample output from the debug ip trigger-authentication verbose command. In this example, messages about packet activity are included because of the use of the verbose keyword. You can see many packets that are being blocked at the interface because the user has not yet been double authenticated. These packets will be permitted through the interface only after the user has been double authenticated. (You can see packets being blocked when the output indicates "packet enqueued" then "packet ignored.")
TRIGGER_AUTH: packet enqueued, qdata=69FEEC
  remote host=172.21.127.113, local host=172.21.127.186 (if: 0.0.0.0)
TRIGGER_AUTH: UDP sent from 172.21.127.186 to 172.21.127.113, qdata=69FEEC
  Time stamp updated
TRIGGER_AUTH: packet enqueued, qdata=69FEEC
  remote host=172.21.127.113, local host=172.21.127.186 (if: 0.0.0.0)
TRIGGER_AUTH: packet ignored, qdata=69FEEC
TRIGGER_AUTH: packet enqueued, qdata=69FEEC
  remote host=172.21.127.113, local host=172.21.127.186 (if: 0.0.0.0)
TRIGGER_AUTH: packet ignored, qdata=69FEEC
TRIGGER_AUTH: packet enqueued, qdata=69FEEC
  remote host=172.21.127.113, local host=172.21.127.186 (if: 0.0.0.0)
TRIGGER_AUTH: UDP sent from 172.21.127.186 to 172.21.127.113, qdata=69FEEC
  Time stamp updated
TRIGGER_AUTH: packet enqueued, qdata=69FEEC
  remote host=172.21.127.113, local host=172.21.127.186 (if: 0.0.0.0)
TRIGGER_AUTH: packet ignored, qdata=69FEEC
TRIGGER_AUTH: packet enqueued, qdata=69FEEC
  remote host=172.21.127.113, local host=172.21.127.186 (if: 0.0.0.0)
TRIGGER_AUTH: packet ignored, qdata=69FEEC

debug ip udp
To enable logging of User Datagram Protocol (UDP) packets sent and received, use the debug ip udp privileged EXEC command. To disable debugging output, use the no form of this command. debug ip udp no debug ip udp

Syntax Description
This command has no arguments or keywords.

Usage Guidelines
Enter the debug ip udp command on the device that should be receiving packets from the host. Check the debugging output to see whether packets are being received from the host.

Caution The debug ip udp command can use considerable CPU cycles on the device. Do not enable it if your network is heavily congested.

Examples
The following is sample output from the debug ip udp command:
Router# debug ip udp
UDP packet debugging is on
Router#
00:18:48: UDP: rcvd src=0.0.0.0(68), dst=255.255.255.255(67), length=584
00:18:48: UDP: sent src=10.1.1.10(67), dst=172.17.110.136(67), length=604
00:18:48: UDP: rcvd src=172.17.110.136(67), dst=10.1.1.10(67), length=308
00:18:48: UDP: sent src=0.0.0.0(67), dst=255.255.255.255(68), length=328
00:18:48: UDP: rcvd src=0.0.0.0(68), dst=255.255.255.255(67), length=584
00:18:48: UDP: sent src=10.1.1.10(67), dst=172.17.110.136(67), length=604
00:18:48: UDP: rcvd src=172.17.110.136(67), dst=10.1.1.10(67), length=308
00:18:50: UDP: sent src=0.0.0.0(67), dst=255.255.255.255(68), length=328

debug kerberos
To display information associated with the Kerberos Authentication Subsystem, use the debug kerberos privileged EXEC command. The no form of this command disables debugging output. debug kerberos no debug kerberos

Syntax Description
This command has no arguments or keywords.

Usage Guidelines
Kerberos is a security system that authenticates users and services without passing a cleartext password over the network. Cisco supports Kerberos under the authentication, authorization, and accounting (AAA) security system. Use the debug aaa authentication command to get a high-level view of login activity. When Kerberos is used on the router, you can use the debug kerberos command for more detailed debugging information.

Examples
The following is part of the sample output from the debug aaa authentication command for a Kerberos login attempt that failed. The information indicates that Kerberos is the authentication method used.
Router# debug aaa authentication
AAA/AUTHEN/START (116852612): Method=KRB5
AAA/AUTHEN (116852612): status = GETUSER
AAA/AUTHEN/CONT (116852612): continue_login
AAA/AUTHEN (116852612): status = GETUSER
AAA/AUTHEN (116852612): Method=KRB5
AAA/AUTHEN (116852612): status = GETPASS
AAA/AUTHEN/CONT (116852612): continue_login
AAA/AUTHEN (116852612): status = GETPASS
AAA/AUTHEN (116852612): Method=KRB5
AAA/AUTHEN (116852612): password incorrect
AAA/AUTHEN (116852612): status = FAIL

The following is sample output from the debug kerberos command for a login attempt that was successful. The information indicates that the router sent a request to the KDC and received a valid credential.
Router# debug kerberos
Kerberos: Requesting TGT with expiration date of 820911631
Kerberos: Sent TGT request to KDC
Kerberos: Received TGT reply from KDC
Kerberos: Received valid credential with endtime of 820911631

The following is sample output from the debug kerberos command for a login attempt that failed. The information indicates that the router sent a request to the KDC and received a reply, but the reply did not contain a valid credential.
Router# debug kerberos
Kerberos: Requesting TGT with expiration date of 820911731
Kerberos: Sent TGT request to KDC
Kerberos: Received TGT reply from KDC
Kerberos: Received invalid credential.
AAA/AUTHEN (425003829): password incorrect

The following output shows other failure messages you might see that indicate a configuration problem. The first message indicates that the router failed to find the default Kerberos realm, therefore the process failed to build a message to send to the KDC. The second message indicates that the router failed to retrieve its own IP address. The third message indicates that the router failed to retrieve the current time. The fourth message indicates the router failed to find or create a credentials cache for a user, which is usually caused by low memory availability.
Router# debug kerberos
Kerberos: authentication failed when parsing name
Kerberos: authentication failed while getting my address
Kerberos: authentication failed while getting time of day
Kerberos: authentication failed while allocating credentials cache

Related Commands
Command                    Description
debug aaa authentication   Displays information on AAA authentication.

debug list
To filter debugging information on a per-interface or per-access list basis, use the debug list privileged EXEC command. The no form of this command turns off the list filter. debug list [list] [interface] no debug list [list] [interface]

Syntax Description
list (Optional) An access list number in the range from 1100 to 1199.

interface

(Optional) The interface type. Allowed values are the following:

channel     IBM Channel interface
ethernet    IEEE 802.3
fddi        ANSI X3T9.5
null        Null interface
serial      Serial
tokenring   IEEE 802.5
tunnel      Tunnel interface

Usage Guidelines
The debug list command is used with other debug commands for specific protocols and interfaces to filter the amount of debug information that is displayed. In particular, this command is designed to filter specific physical unit (PU) output from bridging protocols. The debug list command is supported with the following commands:

debug llc2 errors
debug llc2 packets
debug llc2 state
debug rif
debug sdlc
debug token ring

Note All debug commands that support access list filtering use access lists in the range from 1100 to 1199. The access list numbers shown in the examples are merely samples of valid numbers.

Examples
To use the debug list command on only the first of several LLC2 connections, use the show llc2 command to display the active connections:
Router# show llc2
SdllcVirtualRing2008 DTE: 4000.2222.22c7 4000.1111.111c 04 04 state NORMAL
SdllcVirtualRing2008 DTE: 4000.2222.22c8 4000.1111.1120 04 04 state NORMAL
SdllcVirtualRing2008 DTE: 4000.2222.22c1 4000.1111.1104 04 04 state NORMAL

Next, configure an extended bridging access list, numbered 1103, for the connection you want to filter:
access-list 1103 permit 4000.1111.111c 0000.0000.0000 4000.2222.22c7 0000.0000.0000 0xC 2 eq 0x404

The convention for the LLC debug list command filtering is to use dmac = 6 bytes, smac = 6 bytes, dsap_offset = 12, and ssap_offset = 13. Finally, you invoke the following debug commands:
Router# debug list 1103
Router# debug llc2 packet
LLC2 Packets debugging is on for access list: 1103

To use the debug list command for SDLC connections, with the exception of address 04, create access list 1102 to deny the specific address and permit all others:
access-list 1102 deny 0000.0000.0000 0000.0000.0000 0000.0000.0000 0000.0000.0000 0xC 1 eq 0x4
access-list 1102 permit 0000.0000.0000 0000.0000.0000 0000.0000.0000 0000.0000.0000

The convention is to use dmac = 0.0.0, smac = 0.0.0, and sdlc_frame_offset = 12. Invoke the following debug commands:
Router# debug list 1102
Router# debug sdlc
SDLC link debugging is on for access list: 1102

To enable SDLC debugging (or debugging for any of the other supported protocols) for a specific interface rather than for all interfaces on a router, use the following commands:
Router# debug list serial 0
Router# debug sdlc
SDLC link debugging is on for interface: Serial0

To enable Token Ring debugging between two MAC address, 0000.3018.4acd and 0000.30e0.8250, configure an extended bridging access list 1106:
access-list 1106 permit 0000.3018.4acd 8000.0000.0000 0000.30e0.8250 8000.0000.0000
access-list 1106 permit 0000.30e0.8250 8000.0000.0000 0000.3018.4acd 8000.0000.0000

Invoke the following debug commands:
Router# debug list 1106
Router# debug token ring
Token Ring Interface debugging is on for access list: 1106

To enable RIF debugging for a single MAC address, configure an access list 1109:
access-list 1109 permit 0000.0000.0000 ffff.ffff.ffff 4000.2222.22c6 0000.0000.0000

Invoke the following debug commands:
Router# debug list 1109
Router# debug rif
RIF update debugging is on for access list: 1109

Related Commands
Command             Description
debug llc2 errors   Displays LLC2 protocol error conditions or unexpected input.
debug llc2 packet   Displays all input and output from the LLC2 protocol stack.
debug llc2 state    Displays state transitions of the LLC2 protocol.
debug rif           Displays information on entries entering and leaving the RIF cache.
debug sdlc          Displays information on SDLC frames received and sent by any router serial interface involved in supporting SDLC end station functions.
debug token ring    Displays messages about Token Ring interface activity.

debug netbios packet
To display general information about NetBIOS packets, use the debug netbios packet privileged EXEC command. The no form of this command disables debugging output. debug netbios packet no debug netbios packet

Syntax Description
This command has no arguments or keywords.

Usage Guidelines
For complete information on the NetBIOS process, use the debug netbios error command along with the debug netbios packet command.

Examples
The following is sample output from the debug netbios packet and debug netbios error commands. This example shows the LLC header for an asynchronous interface followed by the NetBIOS information. For additional information on the NetBIOS fields, refer to IBM LAN Technical Reference IEEE 802.2.
Router# debug netbios packet
Async1 (i) U-format UI C_R=0x0
(i) NETBIOS_ADD_NAME_QUERY Resp_correlator= 0x6F 0x0 name=CS-NT-1
Async1 (i) U-format UI C_R=0x0
(i) NETBIOS_ADD_GROUP_QUERY Resp_correlator= 0x6F 0x0 name=COMMSERVER-WG
Async1 (i) U-format UI C_R=0x0
(i) NETBIOS_ADD_NAME_QUERY Resp_correlator= 0x6F 0x0 name=CS-NT-1
Ethernet0 (i) U-format UI C_R=0x0
(i) NETBIOS_DATAGRAM Length= 0x2C 0x0 Dest name=COMMSERVER-WG name=CS-NT-3

Related Commands
Command                   Description
debug netbios error       Displays information about NetBIOS protocol errors.
debug netbios-namecache   Displays name caching activities on a router.

debug ntp
To display debug messages for Network Time Protocol (NTP) features, use the debug ntp command. To stop the output of ntp debugging messages, use the no form of this command. debug ntp {adjust | authentication | events | loopfilter | packets | params | refclock | select | sync | validity} no debug ntp {adjust | authentication | events | loopfilter | packets | params | refclock | select | sync | validity}

Syntax Description
adjust           Displays debugging information on NTP clock adjustments.
authentication   Displays debugging information on NTP authentication.
events           Displays debugging information on NTP events.
loopfilter       Displays debugging information on NTP loop filters.
packets          Displays debugging information on NTP packets.
params           Displays debugging information on NTP clock parameters.
refclock         Displays debugging information on NTP reference clocks.
select           Displays debugging information on NTP clock selection.
sync             Displays debugging information on NTP clock synchronization.
validity         Displays debugging information on NTP peer clock validity.

Defaults
Debug commands are disabled by default.

Command History
Release   Modification
12.0 T    This command was introduced in a release prior to Cisco IOS Release 12.1.

Related Commands
Command ntp refclock Description Configures an external clock source for use with NTP services.

debug packet
To display per-packet debugging output, use the debug packet privileged EXEC command. The no form of this command disables debugging output. debug packet [interface number [vcd vcd-number] | vc vpi/vci | vc-name] no debug packet [interface number [vcd vcd-number] | vc vpi/vci | vc-name]

Syntax Description
interface number   (Optional) Interface or subinterface number.
vcd vcd-number     (Optional) Number of the virtual circuit designator (VCD).
vc vpi/vci         (Optional) VPI and VCI numbers of the VC.
vc-name            (Optional) Name of the PVC or SVC.

Usage Guidelines
The debug packet command displays all process-level packets for both outbound and inbound packets. This command is useful for determining whether packets are being received and sent correctly. The output reports information online when a packet is received or a transmission is attempted. For sent packets, the information is displayed only after the protocol data unit (PDU) is entirely encapsulated and a next hop VC is found. If information is not displayed, the address translation probably failed during encapsulation. When a next hop VC is found, the packet is displayed exactly as it will be presented on the wire. Having a display indicates that the packets are properly encapsulated for transmission. For received packets, information is displayed for all incoming frames. The display can show whether the sending station properly encapsulates the frames. Because all incoming frames are displayed, this information is useful when performing back-to-back testing and corrupted frames cannot be dropped by an intermediary switch.

The debug packet command also displays the initial bytes of the actual PDU in hexadecimal. This information can be decoded only by qualified support or engineering personnel.

Caution: Because the debug packet command generates a substantial amount of output for every packet processed, use it only when traffic on the network is low, so other activity on the system is not adversely affected.

Examples
The following is sample output from the debug packet command:
Router# debug packet
2/0.5(I): VCD:0x9 VCI:0x23 Type:0x0 SAP:AAAA CTL:03 OUI:000000 TYPE:0800 Length:0x70
4500 002E 0000 0000 0209 92ED 836C A26E FFFF FFFF 1108 006D 0001 0000 0000 A5CC 6CA2 0000 000A
0000 6411 76FF 0100 6C08 00FF FFFF 0003 E805 DCFF 0105

Table 133 describes the significant fields in the display.


Table 133 debug packet Field Descriptions

2/0.5          Indicates the subinterface that generated this packet.
(I)            Indicates a receive packet. (O) indicates an output packet.
VCD: 0xn       Indicates the virtual circuit associated with this packet, where n is some value.
DM: 0xnnnn     Indicates the descriptor mode bits on output only, where nnnn is a hexadecimal value.
TYPE:n         Displays the encapsulation type for this packet.
Length:n       Displays the total length of the packet including the headers.

The following two lines of output are the binary data, which are the contents of the protocol PDU before encapsulation:
4500 002E 0000 0000 0209 92ED 836C A26E FFFF FFFF 1108 006D 0001 0000 0000 A5CC 6CA2 0000 000A 0000 6411 76FF 0100 6C08 00FF FFFF 0003 E805 DCFF 0105
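The hexadecimal PDU that debug packet prints is the raw IP datagram, so its first 20 bytes can be decoded like any IPv4 header. The following Python is an added example, not part of the Cisco reference and not IOS code: it takes the PDU bytes shown above, parses the fixed IPv4 header fields and verifies the RFC 791 header checksum, which is a quick way to confirm that a dump was captured intact before handing it to anyone for deeper decoding. The only input is the dump from this page; the function names are the example's own.

```python
# Added example (not from the Cisco reference): decode the IPv4 header inside the
# hexadecimal PDU that `debug packet` prints, and verify its header checksum.
import struct
import ipaddress

# The PDU dump exactly as it appears in the debug packet output above (page data).
DEBUG_PACKET_PDU = (
    "4500 002E 0000 0000 0209 92ED 836C A26E FFFF FFFF 1108 006D 0001 0000 "
    "0000 A5CC 6CA2 0000 000A 0000 6411 76FF 0100 6C08 00FF FFFF 0003 E805 DCFF 0105"
)


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn the space-separated 16-bit words of the debug dump into raw bytes."""
    return bytes.fromhex(dump.replace(" ", ""))


def ipv4_header_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over the header bytes.

    When computed over a header that already contains a correct checksum
    field the result is 0, so the caller can use it as a validity check.
    """
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_ipv4_header(pdu: bytes) -> dict:
    """Parse the fixed IPv4 header fields and report whether the checksum holds."""
    if len(pdu) < 20:
        raise ValueError("PDU shorter than a minimum IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags_frag,
     ttl, proto, _cksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pdu[:20])
    version = ver_ihl >> 4
    ihl_bytes = (ver_ihl & 0x0F) * 4
    if version != 4 or ihl_bytes < 20 or ihl_bytes > len(pdu):
        raise ValueError("not a well-formed IPv4 header")
    return {
        "version": version,
        "header_len": ihl_bytes,
        "total_len": total_len,
        "ttl": ttl,
        "protocol": proto,                  # IANA protocol number (9 = IGP, used by IGRP)
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "is_broadcast": dst == b"\xff\xff\xff\xff",
        "checksum_ok": ipv4_header_checksum(pdu[:ihl_bytes]) == 0,
    }


if __name__ == "__main__":
    for k, v in decode_ipv4_header(hexdump_to_bytes(DEBUG_PACKET_PDU)).items():
        print(f"{k:12} {v}")
```

Run against the page's dump the decoder reports a 46-byte datagram with TTL 2, protocol 9, source 131.108.162.110 and a limited-broadcast destination, and the checksum verifies, which is what you would expect from a routing-protocol broadcast captured cleanly on a properly encapsulated VC.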

The following is sample output from the debug packet command:


Router# debug packet
Ethernet0: Unknown ARPA, 0000.0c00.6fa4, dst ffff.ffff.ffff, type 0x0a0 data 00000c00f23a00000c00ab45, len 60
Serial3: Unknown HDLC, size 64, type 0xaaaa, flags 0x0F00
Serial2: Unknown PPP, size 128
Serial7: Unknown FRAME-RELAY, size 174, type 0x5865, DLCI 7a
Serial0: compressed TCP/IP packet dropped

Table 134 describes the significant fields shown in the display.


Table 134 debug packet Field Descriptions

Ethernet0                          Name of the Ethernet interface that received the packet.
Unknown                            Network could not classify this packet. Examples include packets with unknown link types.
ARPA                               Packet uses ARPA-style encapsulation. Possible encapsulation styles vary depending on the media command mode (MCM) and encapsulation style:
                                   Ethernet (MCM): APOLLO, ARP, ETHERTALK, ISO1, ISO3, LLC2, NOVELL-ETHER, SNAP
                                   FDDI (MCM): APOLLO, ISO1, ISO3, LLC2, SNAP
                                   Frame Relay: BRIDGE, FRAME-RELAY
                                   Serial (MCM): BFEX25, BRIDGE, DDN-X25, DDNX25-DCE, ETHERTALK, FRAME-RELAY, HDLC, HDH, LAPB, LAPBDCE, MULTI-LAPB, PPP, SDLC-PRIMARY, SDLC-SECONDARY, SLIP, SMDS, STUN, X25, X25-DCE
                                   Token Ring (MCM): 3COM-TR, ISO1, ISO3, MAC, LLC2, NOVELL-TR, SNAP, VINES-TR
0000.0c00.6fa4                     MAC address of the node generating the packet.
dst ffff.ffff.ffff                 MAC address of the destination node for the packet.
type 0x0a0                         Packet type.
data...                            First 12 bytes of the datagram following the MAC header.
len 60                             Length of the message (in bytes) that the interface received from the wire.
size 64                            Length of the message (in bytes) that the interface received from the wire. Equivalent to the len field.
flags 0x0F00                       HDLC or PPP flags field.
DLCI 7a                            The DLCI number on Frame Relay.
compressed TCP/IP packet dropped   TCP header compression is enabled on an interface and the packet is not HDLC or X25.

debug ppp
To display information on traffic and exchanges in an internetwork implementing the PPP, use the debug ppp privileged EXEC command. The no form of this command disables debugging output.

debug ppp {packet | negotiation | error | authentication | compression | cbcp}
no debug ppp {packet | negotiation | error | authentication | compression | cbcp}

Syntax Description
packet Displays PPP packets being sent and received. (This command displays low-level packet dumps.)

negotiation

Displays PPP packets sent during PPP startup, where PPP options are negotiated.

error

Displays protocol errors and error statistics associated with PPP connection negotiation and operation.

authentication

Displays authentication protocol messages, including Challenge Authentication Protocol (CHAP) packet exchanges and Password Authentication Protocol (PAP) exchanges.

compression

Displays information specific to the exchange of PPP connections using MPPC. This command is useful for obtaining incorrect packet sequence number information where MPPC compression is enabled.

cbcp

Displays protocol errors and statistics associated with PPP connection negotiations using MSCB.

Usage Guidelines
Use the debug ppp command when trying to find the following:

    The Network Control Protocols (NCPs) that are supported on either end of a PPP connection
    Any loops that might exist in a PPP internetwork
    Nodes that are (or are not) properly negotiating PPP connections
    Errors that have occurred over the PPP connection
    Causes for CHAP session failures
    Causes for PAP session failures
    Information specific to the exchange of PPP connections using the Callback Control Protocol (CBCP), used by Microsoft clients
    Incorrect packet sequence number information where MPPC compression is enabled

Refer to Internet RFCs 1331, 1332, and 1333 for details concerning PPP-related nomenclature and protocol information.

Caution: The debug ppp compression command is CPU-intensive and should be used with caution. This command should be disabled immediately after debugging.

Examples
The following is sample output from the debug ppp packet command as seen from the Link Quality Monitor (LQM) side of the connection. This display example depicts packet exchanges under normal PPP operation.
Router# debug ppp packet
PPP Serial4(o): lcp_slqr() state = OPEN magic = D21B4, len = 48
PPP Serial4(i): pkt type 0xC025, datagramsize 52
PPP Serial4(i): lcp_rlqr() state = OPEN magic = D3454, len = 48
PPP Serial4(i): pkt type 0xC021, datagramsize 16
PPP Serial4: I LCP ECHOREQ(9) id 3 (C) magic D3454
PPP Serial4: input(C021) state = OPEN code = ECHOREQ(9) id = 3 len = 12
PPP Serial4: O LCP ECHOREP(A) id 3 (C) magic D21B4
PPP Serial4(o): lcp_slqr() state = OPEN magic = D21B4, len = 48
PPP Serial4(i): pkt type 0xC025, datagramsize 52
PPP Serial4(i): lcp_rlqr() state = OPEN magic = D3454, len = 48
PPP Serial4(i): pkt type 0xC021, datagramsize 16
PPP Serial4: I LCP ECHOREQ(9) id 4 (C) magic D3454
PPP Serial4: input(C021) state = OPEN code = ECHOREQ(9) id = 4 len = 12
PPP Serial4: O LCP ECHOREP(A) id 4 (C) magic D21B4
PPP Serial4(o): lcp_slqr() state = OPEN magic = D21B4, len = 48
PPP Serial4(i): pkt type 0xC025, datagramsize 52
PPP Serial4(i): lcp_rlqr() state = OPEN magic = D3454, len = 48
PPP Serial4(i): pkt type 0xC021, datagramsize 16
PPP Serial4: I LCP ECHOREQ(9) id 5 (C) magic D3454
PPP Serial4: input(C021) state = OPEN code = ECHOREQ(9) id = 5 len = 12
PPP Serial4: O LCP ECHOREP(A) id 5 (C) magic D21B4
PPP Serial4(o): lcp_slqr() state = OPEN magic = D21B4, len = 48
PPP Serial4(i): pkt type 0xC025, datagramsize 52
PPP Serial4(i): lcp_rlqr() state = OPEN magic = D3454, len = 48
PPP Serial4(i): pkt type 0xC021, datagramsize 16
PPP Serial4: I LCP ECHOREQ(9) id 6 (C) magic D3454
PPP Serial4: input(C021) state = OPEN code = ECHOREQ(9) id = 6 len = 12
PPP Serial4: O LCP ECHOREP(A) id 6 (C) magic D21B4
PPP Serial4(o): lcp_slqr() state = OPEN magic = D21B4, len = 48
PPP Serial4(i): pkt type 0xC025, datagramsize 52
PPP Serial4(i): lcp_rlqr() state = OPEN magic = D3454, len = 48
PPP Serial4(i): pkt type 0xC021, datagramsize 16
PPP Serial4: I LCP ECHOREQ(9) id 7 (C) magic D3454
PPP Serial4: input(C021) state = OPEN code = ECHOREQ(9) id = 7 len = 12
PPP Serial4: O LCP ECHOREP(A) id 7 (C) magic D21B4
PPP Serial4(o): lcp_slqr() state = OPEN magic = D21B4, len = 48

Table 140 describes the significant fields shown in the display.


Table 140 debug ppp packet Field Descriptions

PPP                 PPP debugging output.
Serial4             Interface number associated with this debugging information.
(o), O              Packet was detected as an output packet.
(i), I              Packet was detected as an input packet.
lcp_slqr()          Procedure name; running LQM, send a Link Quality Report (LQR).
lcp_rlqr()          Procedure name; running LQM, received an LQR.
input (C021)        Router received a packet of the specified packet type (in hexadecimal notation). A value of C025 indicates packet of type LQM.
state = OPEN        PPP state; normal state is OPEN.
magic = D21B4       Magic Number for indicated node; when output is indicated, this is the Magic Number of the node on which debugging is enabled. The actual Magic Number depends on whether the packet detected is indicated as I or O.
datagramsize 52     Packet length including header.
code = ECHOREQ(9)   Identifies the type of packet received. Both forms of the packet, string and hexadecimal, are presented.
len = 48            Packet length without header.
id = 3              ID number per Link Control Protocol (LCP) packet format.
pkt type 0xC025     Packet type in hexadecimal notation; typical packet types are C025 for LQM and C021 for LCP.
LCP ECHOREQ(9)      Echo Request; value in parentheses is the hexadecimal representation of the LCP type.
LCP ECHOREP(A)      Echo Reply; value in parentheses is the hexadecimal representation of the LCP type.

To elaborate on the displayed output, consider the partial exchange. This sequence shows that one side is using ECHO for its keepalives and the other side is using LQRs.
Router# debug ppp packet
PPP Serial4(o): lcp_slqr() state = OPEN magic = D21B4, len = 48
PPP Serial4(i): pkt type 0xC025, datagramsize 52
PPP Serial4(i): lcp_rlqr() state = OPEN magic = D3454, len = 48
PPP Serial4(i): pkt type 0xC021, datagramsize 16
PPP Serial4: I LCP ECHOREQ(9) id 3 (C) magic D3454
PPP Serial4: input(C021) state = OPEN code = ECHOREQ(9) id = 3 len = 12
PPP Serial4: O LCP ECHOREP(A) id 3 (C) magic D21B4
PPP Serial4(o): lcp_slqr() state = OPEN magic = D21B4, len = 48

The first line states that the router with debugging enabled has sent an LQR to the other side of the PPP connection:
PPP Serial4(o): lcp_slqr() state = OPEN magic = D21B4, len = 48

The next two lines indicate that the router has received a packet of type C025 (LQM) and provides details about the packet:
PPP Serial4(i): pkt type 0xC025, datagramsize 52 PPP Serial4(i): lcp_rlqr() state = OPEN magic = D3454, len = 48

The next two lines indicate that the router received an ECHOREQ of type C021 (LCP). The other side is sending ECHOs. The router on which debugging is enabled is configured for LQM, but it also responds to ECHOs.
PPP Serial4(i): pkt type 0xC021, datagramsize 16 PPP Serial4: I LCP ECHOREQ(9) id 3 (C) magic D3454

Next, the router is detected to have responded to the ECHOREQ with an ECHOREP and is preparing to send out an LQR:
PPP Serial4: O LCP ECHOREP(A) id 3 (C) magic D21B4 PPP Serial4(o): lcp_slqr() state = OPEN magic = D21B4, len = 48

The following is sample output from the debug ppp negotiation command. This is a normal negotiation, where both sides agree on Network Control Program (NCP) parameters. In this case, protocol type IP is proposed and acknowledged.
Router# debug ppp negotiation
ppp: sending CONFREQ, type = 4 (CI_QUALITYTYPE), value = C025/3E8
ppp: sending CONFREQ, type = 5 (CI_MAGICNUMBER), value = 3D56CAC
ppp: received config for type = 4 (QUALITYTYPE) acked
ppp: received config for type = 5 (MAGICNUMBER) value = 3D567F8 acked (ok)
PPP Serial4: state = ACKSENT fsm_rconfack(C021): rcvd id 5
ppp: config ACK received, type = 4 (CI_QUALITYTYPE), value = C025
ppp: config ACK received, type = 5 (CI_MAGICNUMBER), value = 3D56CAC
ppp: ipcp_reqci: returning CONFACK. (ok)
PPP Serial4: state = ACKSENT fsm_rconfack(8021): rcvd id 4

Table 141 describes significant fields shown in the display.


Table 141 debug ppp Command Negotiation Field Descriptions

ppp                       PPP debugging output.
sending CONFREQ           Router sent a configuration request.
type = 4 (CI_QUALITYTYPE) Type of LCP configuration option that is being negotiated and a descriptor. A type value of 4 indicates Quality Protocol negotiation; a type value of 5 indicates Magic Number negotiation.
value = C025/3E8          For Quality Protocol negotiation, indicates NCP type and reporting period. In the example, C025 indicates LQM; 3E8 is a hexadecimal value translating to about 10 seconds (in hundredths of a second).
value = 3D56CAC           For Magic Number negotiation, indicates the Magic Number being negotiated.
received config           Receiving node has received the proposed option negotiation for the indicated option type.
acked                     Acknowledgment and acceptance of options.
state = ACKSENT           Specific PPP state in the negotiation process.
ipcp_reqci                IPCP notification message; sending CONFACK.
fsm_rconfack (8021)       Procedure fsm_rconfack processes received CONFACKs, and the protocol (8021) is IP.

The first two lines indicate that the router is trying to bring up LCP and will use the indicated negotiation options (Quality Protocol and Magic Number). The value fields are the values of the options themselves. C025/3E8 translates to Quality Protocol LQM. 3E8 is the reporting period (in hundredths of a second). 3D56CAC is the value of the Magic Number for the router.
ppp: sending CONFREQ, type = 4 (CI_QUALITYTYPE), value = C025/3E8 ppp: sending CONFREQ, type = 5 (CI_MAGICNUMBER), value = 3D56CAC

The next two lines indicate that the other side negotiated for options 4 and 5 as requested and acknowledged both. If the responding end does not support the options, a CONFREJ is sent by the responding node. If the responding end does not accept the value of the option, a CONFNAK is sent with the value field modified.
ppp: received config for type = 4 (QUALITYTYPE) acked ppp: received config for type = 5 (MAGICNUMBER) value = 3D567F8 acked (ok)

The next three lines indicate that the router received a CONFACK from the responding side and displays accepted option values. Use the rcvd id field to verify that the CONFREQ and CONFACK have the same ID field.
PPP Serial4: state = ACKSENT fsm_rconfack(C021): rcvd id 5 ppp: config ACK received, type = 4 (CI_QUALITYTYPE), value = C025 ppp: config ACK received, type = 5 (CI_MAGICNUMBER), value = 3D56CAC

The next line indicates that the router has IP routing enabled on this interface and that the IPCP NCP negotiated successfully:
ppp: ipcp_reqci: returning CONFACK.

In the last line, the state of the router is listed as ACKSENT.
PPP Serial4: state = ACKSENT fsm_rconfack(C021): rcvd id 5
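The negotiation walked through above has three possible answers to a CONFREQ: CONFACK when every option and value is accepted, CONFNAK with a modified value when the option is understood but the proposed value is not, and CONFREJ when the option itself is unsupported, and the text recommends checking that a CONFACK carries the same id as the CONFREQ it answers. The following Python is an added example, not Cisco code and not an implementation of IOS internals: it models the responder side of that decision with the option types and values from the sample (type 4 Quality Protocol with value C025/3E8, type 5 Magic Number 3D56CAC). The option encoding as Python tuples, the peer variants and all function names are the example's own simplifications.

```python
# Added example (not Cisco code): a model of the responder side of the LCP option
# negotiation described above: CONFACK, CONFNAK with a changed value, or CONFREJ.
from dataclasses import dataclass, field

CI_QUALITYTYPE = 4   # option type 4: Quality Protocol (value C025 = LQM plus reporting period)
CI_MAGICNUMBER = 5   # option type 5: Magic Number


@dataclass
class ConfReq:
    ident: int
    options: dict          # option type -> proposed value (simplified encoding, assumption)


@dataclass
class Reply:
    code: str              # "CONFACK", "CONFNAK" or "CONFREJ"
    ident: int
    options: dict = field(default_factory=dict)


class LcpResponder:
    """Decide how to answer a CONFREQ.

    supported:  set of option types this end understands
    acceptable: option type -> function(proposed value) -> value this end would accept
                (returns the proposal unchanged when it is fine)
    """

    def __init__(self, supported, acceptable):
        self.supported = supported
        self.acceptable = acceptable

    def respond(self, req: ConfReq) -> Reply:
        # Unrecognised option types are rejected outright; a CONFREJ lists only those options.
        rejected = {t: v for t, v in req.options.items() if t not in self.supported}
        if rejected:
            return Reply("CONFREJ", req.ident, rejected)
        # Recognised options whose value we dislike are NAKed with the value we want instead.
        naked = {}
        for t, v in req.options.items():
            wanted = self.acceptable[t](v)
            if wanted != v:
                naked[t] = wanted
        if naked:
            return Reply("CONFNAK", req.ident, naked)
        # Everything acceptable: echo the options back unchanged.
        return Reply("CONFACK", req.ident, dict(req.options))


def ack_matches_request(req: ConfReq, ack: Reply) -> bool:
    """The check the text recommends: CONFREQ and CONFACK must carry the same id,
    and an ACK must echo the options exactly as they were requested."""
    return ack.code == "CONFACK" and ack.ident == req.ident and ack.options == req.options


# Values taken from the sample output above: LQM with a 3E8 reporting period, magic number 3D56CAC.
SAMPLE_REQ = ConfReq(ident=5, options={CI_QUALITYTYPE: ("C025", 0x3E8),
                                       CI_MAGICNUMBER: 0x3D56CAC})


def lqm_peer():
    """A peer that runs LQM and accepts any reporting period; it only NAKs a magic
    number equal to its own (the looped-link case)."""
    own_magic = 0x3D567F8                       # the peer's magic number from the sample
    return LcpResponder(
        supported={CI_QUALITYTYPE, CI_MAGICNUMBER},
        acceptable={CI_QUALITYTYPE: lambda v: v,
                    CI_MAGICNUMBER: lambda v: v if v != own_magic else own_magic + 1},
    )


def no_lqm_peer():
    """A peer that does not implement the Quality Protocol: it must CONFREJ option 4."""
    return LcpResponder(supported={CI_MAGICNUMBER},
                        acceptable={CI_MAGICNUMBER: lambda v: v})


def slow_lqm_peer():
    """A peer that insists on a reporting period of at least 0x7D0 hundredths of a
    second: it CONFNAKs option 4 carrying the value it wants (hypothetical policy)."""
    return LcpResponder(
        supported={CI_QUALITYTYPE, CI_MAGICNUMBER},
        acceptable={CI_QUALITYTYPE: lambda v: (v[0], max(v[1], 0x7D0)),
                    CI_MAGICNUMBER: lambda v: v},
    )


if __name__ == "__main__":
    for peer in (lqm_peer, no_lqm_peer, slow_lqm_peer):
        print(peer.__name__, peer().respond(SAMPLE_REQ))
```

Reading the three outcomes side by side is the quickest way to interpret a negotiation trace: a CONFREJ for type 4 means the far end simply has no LQM, a CONFNAK for type 4 means it has LQM but wants a different reporting period, and only a CONFACK whose id matches the CONFREQ means the link will come up with the options you asked for.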

The following is sample output from when the debug ppp packet and debug ppp negotiation commands are enabled at the same time.

The following is sample output from the debug ppp negotiation command when the remote side of the connection is unable to respond to LQM requests:
Router# debug ppp negotiation
ppp: sending CONFREQ, type = 4 (CI_QUALITYTYPE), value = C025/3E8
ppp: sending CONFREQ, type = 5 (CI_MAGICNUMBER), value = 44B7010
ppp: sending CONFREQ, type = 4 (CI_QUALITYTYPE), value = C025/3E8
ppp: sending CONFREQ, type = 5 (CI_MAGICNUMBER), value = 44B7010
ppp: sending CONFREQ, type = 4 (CI_QUALITYTYPE), value = C025/3E8
ppp: sending CONFREQ, type = 5 (CI_MAGICNUMBER), value = 44B7010
ppp: sending CONFREQ, type = 4 (CI_QUALITYTYPE), value = C025/3E8
ppp: sending CONFREQ, type = 5 (CI_MAGICNUMBER), value = 44B7010
ppp: sending CONFREQ, type = 4 (CI_QUALITYTYPE), value = C025/3E8
ppp: sending CONFREQ, type = 5 (CI_MAGICNUMBER), value = 44B7010
ppp: sending CONFREQ, type = 4 (CI_QUALITYTYPE), value = C025/3E8
ppp: sending CONFREQ, type = 5 (CI_MAGICNUMBER), value = 44B7010
ppp: sending CONFREQ, type = 4 (CI_QUALITYTYPE), value = C025/3E8
ppp: sending CONFREQ, type = 5 (CI_MAGICNUMBER), value = 44B7010
ppp: sending CONFREQ, type = 4 (CI_QUALITYTYPE), value = C025/3E8
ppp: sending CONFREQ, type = 5 (CI_MAGICNUMBER), value = 44B7010
ppp: sending CONFREQ, type = 4 (CI_QUALITYTYPE), value = C025/3E8
ppp: sending CONFREQ, type = 5 (CI_MAGICNUMBER), value = 44B7010
ppp: sending CONFREQ, type = 4 (CI_QUALITYTYPE), value = C025/3E8
ppp: sending CONFREQ, type = 5 (CI_MAGICNUMBER), value = 44B7010
ppp: sending CONFREQ, type = 4 (CI_QUALITYTYPE), value = C025/3E8
ppp: sending CONFREQ, type = 5 (CI_MAGICNUMBER), value = 44B7010
ppp: sending CONFREQ, type = 4 (CI_QUALITYTYPE), value = C025/3E8
ppp: sending CONFREQ, type = 5 (CI_MAGICNUMBER), value = 44C1488

The following is sample output when no response is detected for configuration requests (with both the debug ppp negotiation and debug ppp packet command enabled):
Router# debug ppp negotiation
Router# debug ppp packet
ppp: sending CONFREQ, type = 4 (CI_QUALITYTYPE), value = C025/3E8
ppp: sending CONFREQ, type = 5 (CI_MAGICNUMBER), value = 44DFDC8
PPP Serial4: O LCP CONFREQ(1) id 14 (12) QUALITYTYPE (8) 192 37 0 0 3 232 MAGICNUMBER (6) 4 77 253 200
ppp: TIMEout: Time= 44E0980 State= 3
ppp: sending CONFREQ, type = 4 (CI_QUALITYTYPE), value = C025/3E8
ppp: sending CONFREQ, type = 5 (CI_MAGICNUMBER), value = 44DFDC8
PPP Serial4: O LCP CONFREQ(1) id 15 (12) QUALITYTYPE (8) 192 37 0 0 3 232 MAGICNUMBER (6) 4 77 253 200
ppp: TIMEout: Time= 44E1828 State= 3
ppp: sending CONFREQ, type = 4 (CI_QUALITYTYPE), value = C025/3E8
ppp: sending CONFREQ, type = 5 (CI_MAGICNUMBER), value = 44DFDC8
PPP Serial4: O LCP CONFREQ(1) id 16 (12) QUALITYTYPE (8) 192 37 0 0 3 232 MAGICNUMBER (6) 4 77 253 200
ppp: TIMEout: Time= 44E27C8 State= 3
ppp: sending CONFREQ, type = 4 (CI_QUALITYTYPE), value = C025/3E8
ppp: sending CONFREQ, type = 5 (CI_MAGICNUMBER), value = 44DFDC8
PPP Serial4: O LCP CONFREQ(1) id 17 (12) QUALITYTYPE (8) 192 37 0 0 3 232 MAGICNUMBER (6) 4 77 253 200
ppp: TIMEout: Time= 44E3768 State= 3

The following is sample output from the debug ppp error command. These messages might appear when the Quality Protocol option is enabled on an interface that is already running PPP.
Router# debug ppp error
PPP Serial3(i): rlqr receive failure. successes = 15
PPP: myrcvdiffp = 159 peerxmitdiffp = 41091
PPP: myrcvdiffo = 2183 peerxmitdiffo = 1714439
PPP: threshold = 25
PPP Serial4(i): rlqr transmit failure. successes = 15
PPP: myxmitdiffp = 41091 peerrcvdiffp = 159
PPP: myxmitdiffo = 1714439 peerrcvdiffo = 2183
PPP: l->OutLQRs = 1 LastOutLQRs = 1
PPP: threshold = 25
PPP Serial3(i): lqr_protrej() Stop sending LQRs.
PPP Serial3(i): The link appears to be looped back.
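The counters in this output are the raw material for the quality decision that Table 142 explains: the threshold is 100 minus the number given to ppp quality, and the link is considered down when the error percentage exceeds it. The following Python is an added example, not Cisco code: it extracts the myrcvdiffp / peerxmitdiffp style counters from lines constructed from the sample above and compares the received-versus-sent ratio in each direction against that threshold. The ratio used is a simplified form of the RFC 1989 quality calculation (an assumption of the example; IOS's exact arithmetic is not on this page), and the function names are the example's own.

```python
# Added example (not Cisco code): evaluate the LQR counters that `debug ppp error`
# prints against the ppp quality threshold described in Table 142.
import re

# Sample lines constructed from the debug ppp error output on this page.
DEBUG_PPP_ERROR = """\
PPP Serial3(i): rlqr receive failure. successes = 15
PPP: myrcvdiffp = 159 peerxmitdiffp = 41091
PPP: myrcvdiffo = 2183 peerxmitdiffo = 1714439
PPP: threshold = 25
PPP Serial4(i): rlqr transmit failure. successes = 15
PPP: myxmitdiffp = 41091 peerrcvdiffp = 159
PPP: myxmitdiffo = 1714439 peerrcvdiffo = 2183
PPP: l->OutLQRs = 1 LastOutLQRs = 1
PPP: threshold = 25
"""

# Matches "name = value" pairs for the diff counters and the threshold.
COUNTER_RE = re.compile(r"\b(my\w+diff[po]|peer\w+diff[po]|threshold)\s*=\s*(\d+)")


def parse_lqr_counters(text: str) -> dict:
    """Collect every name = value counter from the debug lines into one dictionary."""
    return {name: int(val) for name, val in COUNTER_RE.findall(text)}


def quality_percent(received: int, sent: int) -> float:
    """Percentage of the sender's packets that the receiver actually counted.

    Simplified stand-in for the RFC 1989 quality measure (assumption of this example).
    """
    if sent == 0:
        return 100.0
    return 100.0 * min(received, sent) / sent


def evaluate_link_quality(counters: dict, ppp_quality: int) -> dict:
    """ppp_quality is the number given to 'ppp quality number'.

    Table 142: the maximum acceptable error percentage is 100 - number, so the link
    must keep at least `ppp_quality` percent of packets in each direction.
    """
    max_error = 100 - ppp_quality
    # Inbound: what we received versus what the peer says it sent.
    inbound = quality_percent(counters["myrcvdiffp"], counters["peerxmitdiffp"])
    # Outbound: what the peer received versus what we sent.
    outbound = quality_percent(counters["peerrcvdiffp"], counters["myxmitdiffp"])
    return {
        "max_error_percent": max_error,
        "inbound_quality": inbound,
        "outbound_quality": outbound,
        "inbound_ok": (100 - inbound) <= max_error,
        "outbound_ok": (100 - outbound) <= max_error,
    }


if __name__ == "__main__":
    counters = parse_lqr_counters(DEBUG_PPP_ERROR)
    # The page states that 75 was configured, which matches threshold = 25.
    print(evaluate_link_quality(counters, 100 - counters["threshold"]))
```

On the page's numbers the ratio is 159 received against 41091 sent in both directions, a fraction of one percent, so both directions fail a 75 percent requirement by a wide margin; together with the "looped back" message in the same output that points at a loop or a line fault rather than ordinary congestion.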

Table 142 describes the significant fields shown in the display.


Table 142 debug ppp Error Field Descriptions

PPP                       PPP debugging output.
Serial3(i)                Interface number associated with this debugging information; indicates that this is an input packet.
rlqr receive failure      Request to negotiate the Quality Protocol option is not accepted.
myrcvdiffp = 159          Number of packets received over the time period.
peerxmitdiffp = 41091     Number of packets sent by the remote node over this period.
myrcvdiffo = 2183         Number of octets received over this period.
peerxmitdiffo = 1714439   Number of octets sent by the remote node over this period.
threshold = 25            Maximum error percentage acceptable on this interface. This percentage is calculated from the threshold value entered in the ppp quality number interface configuration command: 100 - number (100 minus number) is the maximum error percentage. In this case, a number of 75 was entered. This means that the local router must maintain a minimum 75 percent non-error percentage, or the PPP link will be considered down.
OutLQRs = 1               Local router's current send LQR sequence number.
LastOutLQRs = 1           The last sequence number that the remote node side has seen from the local node.

The following is sample output from the debug ppp authentication command. Use this debug command to determine why an authentication fails.
Router# debug ppp authentication
Serial0: Unable to authenticate. No name received from peer
Serial0: Unable to validate CHAP response. USERNAME pioneer not found.
Serial0: Unable to validate CHAP response. No password defined for USERNAME pioneer
Serial0: Failed CHAP authentication with remote. Remote message is Unknown name
Serial0: remote passed CHAP authentication.
Serial0: Passed CHAP authentication with remote.
Serial0: CHAP input code = 4 id = 3 len = 48

In general, these messages are self-explanatory. Fields that can show optional output are outlined in Table 143.
Table 143 debug ppp authentication Field Descriptions

Serial0                          Interface number associated with this debugging information and CHAP access session in question.
USERNAME pioneer not found.      The name pioneer in this example is the name received in the CHAP response. The router looks up this name in the list of usernames that are configured for the router.
Remote message is Unknown name   The following messages can appear: No name received to authenticate; Unknown name; No secret for given name; Short MD5 response received; MD compare failed.
code = 4                         Specific CHAP type packet detected. Possible values are as follows: 1 = Challenge, 2 = Response, 3 = Success, 4 = Failure.
id = 3                           ID number per LCP packet format.
len = 48                         Packet length without header.

The following shows sample output from the debug ppp command using the cbcp keyword. This output depicts packet exchanges under normal PPP operation where the Cisco access server is waiting for the remote PC to respond to the MSCB request. The router also has debug ppp negotiation and service timestamps msec commands enabled.
Router# debug ppp cbcp
Dec 17 00:48:11.302: As8 MCB: User mscb Callback Number - Client ANY
Dec 17 00:48:11.306: Async8 PPP: O MCB Request(1) id 1 len 9
Dec 17 00:48:11.310: Async8 MCB: O 1 1 0 9 2 5 0 1 0
Dec 17 00:48:11.314: As8 MCB: O Request Id 1 Callback Type Client-Num delay 0
Dec 17 00:48:13.342: As8 MCB: Timeout in state WAIT_RESPONSE
Dec 17 00:48:13.346: Async8 PPP: O MCB Request(1) id 2 len 9
Dec 17 00:48:13.346: Async8 MCB: O 1 2 0 9 2 5 0 1 0
Dec 17 00:48:13.350: As8 MCB: O Request Id 2 Callback Type Client-Num delay 0
Dec 17 00:48:15.370: As8 MCB: Timeout in state WAIT_RESPONSE
Dec 17 00:48:15.374: Async8 PPP: O MCB Request(1) id 3 len 9
Dec 17 00:48:15.374: Async8 MCB: O 1 3 0 9 2 5 0 1 0
Dec 17 00:48:15.378: As8 MCB: O Request Id 3 Callback Type Client-Num delay 0
Dec 17 00:48:17.398: As8 MCB: Timeout in state WAIT_RESPONSE
Dec 17 00:48:17.402: Async8 PPP: O MCB Request(1) id 4 len 9
Dec 17 00:48:17.406: Async8 MCB: O 1 4 0 9 2 5 0 1 0
Dec 17 00:48:17.406: As8 MCB: O Request Id 4 Callback Type Client-Num delay 0
Dec 17 00:48:19.426: As8 MCB: Timeout in state WAIT_RESPONSE
Dec 17 00:48:19.430: Async8 PPP: O MCB Request(1) id 5 len 9
Dec 17 00:48:19.430: Async8 MCB: O 1 5 0 9 2 5 0 1 0
Dec 17 00:48:19.434: As8 MCB: O Request Id 5 Callback Type Client-Num delay 0
Dec 17 00:48:21.454: As8 MCB: Timeout in state WAIT_RESPONSE
Dec 17 00:48:21.458: Async8 PPP: O MCB Request(1) id 6 len 9
Dec 17 00:48:21.462: Async8 MCB: O 1 6 0 9 2 5 0 1 0
Dec 17 00:48:21.462: As8 MCB: O Request Id 6 Callback Type Client-Num delay 0
Dec 17 00:48:23.482: As8 MCB: Timeout in state WAIT_RESPONSE
Dec 17 00:48:23.486: Async8 PPP: O MCB Request(1) id 7 len 9
Dec 17 00:48:23.490: Async8 MCB: O 1 7 0 9 2 5 0 1 0
Dec 17 00:48:23.490: As8 MCB: O Request Id 7 Callback Type Client-Num delay 0
Dec 17 00:48:25.510: As8 MCB: Timeout in state WAIT_RESPONSE
Dec 17 00:48:25.514: Async8 PPP: O MCB Request(1) id 8 len 9
Dec 17 00:48:25.514: Async8 MCB: O 1 8 0 9 2 5 0 1 0
Dec 17 00:48:25.518: As8 MCB: O Request Id 8 Callback Type Client-Num delay 0
Dec 17 00:48:26.242: As8 PPP: I pkt type 0xC029, datagramsize 18
Dec 17 00:48:26.246: Async8 PPP: I MCB Response(2) id 8 len 16
Dec 17 00:48:26.250: Async8 MCB: I 2 8 0 10 2 C C 1 32 34 39 32 36 31 33 0
Dec 17 00:48:26.254: As8 MCB: Received response
Dec 17 00:48:26.258: As8 MCB: Response CBK-Client-Num 2 12 12, addr 1 2492613
Dec 17 00:48:26.262: Async8 PPP: O MCB Ack(3) id 9 len 16
Dec 17 00:48:26.266: Async8 MCB: O 3 9 0 10 2 C C 1 32 34 39 32 36 31 33 0
Dec 17 00:48:26.270: As8 MCB: O Ack Id 9 Callback Type Client-Num delay 12
Dec 17 00:48:26.270: As8 MCB: Negotiated MCB with peer
Dec 17 00:48:26.390: As8 LCP: I TERMREQ [Open] id 4 len 8 (0x00000000)
Dec 17 00:48:26.390: As8 LCP: O TERMACK [Open] id 4 len 4
Dec 17 00:48:26.394: As8 MCB: Peer terminating the link
Dec 17 00:48:26.402: As8 MCB: Initiate Callback for mscb at 2492613 using Async

The following is sample output from the debug ppp compression command with service timestamps enabled and shows a typical PPP packet exchange between the router and Microsoft client where the MPPC header sequence numbers increment correctly:
Router# debug ppp compression
00:04:14: BR0:1 MPPC: Decomp hdr/exp_cc# 0x2003/0x0003
00:04:14: BR0:1 MPPC: Decomp hdr/exp_cc# 0x2004/0x0004
00:04:14: BR0:1 MPPC: Decomp hdr/exp_cc# 0x2005/0x0005
00:04:14: BR0:1 MPPC: Decomp hdr/exp_cc# 0x2006/0x0006
00:04:14: BR0:1 MPPC: Decomp hdr/exp_cc# 0x2007/0x0007

Table 144 describes the fields for the debug ppp compression output.
Table 144 debug ppp compression Field Descriptions

interface        Interface enabled with MPPC.
Decomp - hdr/    Decompression header and bit settings.
exp_cc#          Expected coherency count.
0x2003           Received sequence number.
0x0003           Expected sequence number.

The following shows sample output from debug ppp negotiation and debug ppp error commands, which can be used to troubleshoot initial PPP negotiation and setup errors. This example shows a virtual interface (virtual interface 1) during normal PPP operation and CCP negotiation.
Router# debug ppp negotiation error
Vt1 PPP: Unsupported or un-negotiated protocol. Link arp
VPDN: Chap authentication succeeded for p5200
Vi1 PPP: Phase is DOWN, Setup
Vi1 VPDN: Virtual interface created for dinesh@cisco.com
Vi1 VPDN: Set to Async interface
Vi1 PPP: Phase is DOWN, Setup
Vi1 VPDN: Clone from Vtemplate 1 filterPPP=0 blocking
Vi1 CCP: Re-Syncing history using legacy method
%LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
Vi1 PPP: Treating connection as a dedicated line
Vi1 PPP: Phase is ESTABLISHING, Active Open
Vi1 LCP: O CONFREQ [Closed] id 1 len 25
Vi1 LCP: ACCM 0x000A0000 (0x0206000A0000)
Vi1 LCP: AuthProto CHAP (0x0305C22305)
Vi1 LCP: MagicNumber 0x000FB69F (0x0506000FB69F)
Vi1 LCP: PFC (0x0702)
Vi1 LCP: ACFC (0x0802)
Vi1 VPDN: Bind interface direction=2
Vi1 PPP: Treating connection as a dedicated line
Vi1 LCP: I FORCED CONFREQ len 21
Vi1 LCP: ACCM 0x000A0000 (0x0206000A0000)
Vi1 LCP: AuthProto CHAP (0x0305C22305)
Vi1 LCP: MagicNumber 0x12A5E4B5 (0x050612A5E4B5)
Vi1 LCP: PFC (0x0702)
Vi1 LCP: ACFC (0x0802)
Vi1 VPDN: PPP LCP accepted sent & rcv CONFACK
Vi1 PPP: Phase is AUTHENTICATING, by this end
Vi1 CHAP: O CHALLENGE id 1 len 27 from "l_4000"
Vi1 CHAP: I RESPONSE id 20 len 37 from "dinesh@cisco.com"
Vi1 CHAP: O SUCCESS id 20 len 4
Vi1 PPP: Phase is UP
Vi1 IPCP: O CONFREQ [Closed] id 1 len 10
Vi1 IPCP: Address 15.2.2.3 (0x03060F020203)
Vi1 CCP: O CONFREQ [Not negotiated] id 1 len 10
Vi1 CCP: MS-PPC supported bits 0x00000001 (0x120600000001)
Vi1 IPCP: I CONFREQ [REQsent] id 1 len 34
Vi1 IPCP: Address 0.0.0.0 (0x030600000000)
Vi1 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000)
Vi1 IPCP: PrimaryWINS 0.0.0.0 (0x820600000000)
Vi1 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000)
Vi1 IPCP: SecondaryWINS 0.0.0.0 (0x840600000000)
Vi1 IPCP: Using the default pool
Vi1 IPCP: Pool returned 11.2.2.5
Vi1 IPCP: O CONFREJ [REQsent] id 1 len 16
Vi1 IPCP: PrimaryWINS 0.0.0.0 (0x820600000000)
Vi1 IPCP: SecondaryWINS 0.0.0.0 (0x840600000000)
Vi1 CCP: I CONFREQ [REQsent] id 1 len 15
Vi1 CCP: MS-PPC supported bits 0x00000001 (0x120600000001)
Vi1 CCP: Stacker history 1 check mode EXTENDED (0x1105000104)
Vi1 CCP: Already accepted another CCP option, rejecting this STACKER
Vi1 CCP: O CONFREJ [REQsent] id 1 len 9
Vi1 CCP: Stacker history 1 check mode EXTENDED (0x1105000104)
Vi1 IPCP: I CONFACK [REQsent] id 1 len 10
Vi1 IPCP: Address 15.2.2.3 (0x03060F020203)
Vi1 CCP: I CONFACK [REQsent] id 1 len 10
Vi1 CCP: MS-PPC supported bits 0x00000001 (0x120600000001)
Vi1 CCP: I CONFREQ [ACKrcvd] id 2 len 10
Vi1 CCP: MS-PPC supported bits 0x00000001 (0x120600000001)
Vi1 CCP: O CONFACK [ACKrcvd] id 2 len 10
Vi1 CCP: MS-PPC supported bits 0x00000001 (0x120600000001)
Vi1 CCP: State is Open
Vi1 IPCP: I CONFREQ [ACKrcvd] id 2 len 22
Vi1 IPCP: Address 0.0.0.0 (0x030600000000)
Vi1 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000)
Vi1 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000)
Vi1 IPCP: O CONFNAK [ACKrcvd] id 2 len 22
Vi1 IPCP: Address 11.2.2.5 (0x03060B020205)
Vi1 IPCP: PrimaryDNS 171.69.1.148 (0x8106AB450194)
Vi1 IPCP: SecondaryDNS 171.69.2.132 (0x8306AB450284)
Vi1 IPCP: I CONFREQ [ACKrcvd] id 3 len 22
Vi1 IPCP: Address 11.2.2.5 (0x03060B020205)
Vi1 IPCP: PrimaryDNS 171.69.1.148 (0x8106AB450194)
Vi1 IPCP: SecondaryDNS 171.69.2.132 (0x8306AB450284)
Vi1 IPCP: O CONFACK [ACKrcvd] id 3 len 22
Vi1 IPCP: Address 11.2.2.5 (0x03060B020205)
Vi1 IPCP: PrimaryDNS 171.69.1.148 (0x8106AB450194)
Vi1 IPCP: SecondaryDNS 171.69.2.132 (0x8306AB450284)
Vi1 IPCP: State is Open
Vi1 IPCP: Install route to 11.2.2.5

debug radius
To display information associated with RADIUS, use the debug radius privileged EXEC command. The no form of this command disables debugging output.

debug radius
no debug radius

Syntax Description
This command has no arguments or keywords.

Usage Guidelines
RADIUS is a distributed security system that secures networks against unauthorized access. Cisco supports RADIUS under the authentication, authorization, and accounting (AAA) security system. Use the debug aaa authentication command to get a high-level view of login activity. When RADIUS is used on the router, you can use the debug radius command for more detailed debugging information.

Examples
The following is sample output from the debug aaa authentication command for a RADIUS login attempt that failed. The information indicates that RADIUS is the authentication method used.
Router# debug aaa authentication
14:02:55: AAA/AUTHEN (164826761): Method=RADIUS
14:02:55: AAA/AUTHEN (164826761): status = GETPASS
14:03:01: AAA/AUTHEN/CONT (164826761): continue_login
14:03:01: AAA/AUTHEN (164826761): status = GETPASS
14:03:01: AAA/AUTHEN (164826761): Method=RADIUS
14:03:04: AAA/AUTHEN (164826761): status = FAIL

The following is partial sample output from the debug radius command that shows a login attempt that failed because of a key mismatch (that is, a configuration problem):
Router# debug radius
13:55:19: Radius: IPC Send 0.0.0.0:1645, Access-Request, id 0x7, len 57
13:55:19:         Attribute 4 6 AC150E5A
13:55:19:         Attribute 5 6 0000000A
13:55:19:         Attribute 1 7 62696C6C
13:55:19:         Attribute 2 18 19D66483
13:55:22: Radius: Received from 171.69.1.152:1645, Access-Reject, id 0x7, len 20
13:55:22: Radius: Reply for 7 fails decrypt

The following is partial sample output from the debug radius command that shows a successful login attempt as indicated by an Access-Accept message:
Router# debug radius
13:59:02: Radius: IPC Send 0.0.0.0:1645, Access-Request, id 0xB, len 56
13:59:02:         Attribute 4 6 AC150E5A
13:59:02:         Attribute 5 6 0000000A
13:59:02:         Attribute 1 6 62696C6C
13:59:02:         Attribute 2 18 0531FEA3
13:59:04: Radius: Received from 171.69.1.152:1645, Access-Accept, id 0xB, len 26
13:59:04:         Attribute 6 6 00000001

The following is partial sample output from the debug radius command that shows an unsuccessful login attempt as indicated by the Access-Reject message:
Router# debug radius
13:57:56: Radius: IPC Send 0.0.0.0:1645, Access-Request, id 0xA, len 57
13:57:56:         Attribute 4 6 AC150E5A
13:57:56:         Attribute 5 6 0000000A
13:57:56:         Attribute 1 7 62696C6C
13:57:56:         Attribute 2 18 49C28F6C
13:57:59: Radius: Received from 171.69.1.152:1645, Access-Reject, id 0xA, len 20
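The three debug radius samples above show the distinction that matters when triaging a failed login: a reply that "fails decrypt" is a shared-secret (radius-server key) mismatch between router and server, while an Access-Reject that decrypts cleanly is the server refusing the credentials. The following Python is an added example, not Cisco code: it parses lines constructed from the three samples, decodes the attribute values the router prints using the RFC 2865 attribute numbers (1 User-Name, 2 User-Password, 4 NAS-IP-Address, 5 NAS-Port, 6 Service-Type), groups them into exchanges by packet id, and classifies each exchange. It assumes the "Reply for N" id is printed in decimal (true for the value on the page) and that the router shows only the first four value bytes of each attribute, which is why a User-Name of length 7 appears as four characters; the function names are the example's own.

```python
# Added example (not Cisco code): parse `debug radius` output, decode the attributes
# it shows, and separate a key mismatch from a genuine credential rejection.
import re
import ipaddress

# Sample lines constructed from the three debug radius samples on this page,
# in the order the page shows them.
DEBUG_RADIUS = """\
13:55:19: Radius: IPC Send 0.0.0.0:1645, Access-Request, id 0x7, len 57
13:55:19:         Attribute 4 6 AC150E5A
13:55:19:         Attribute 5 6 0000000A
13:55:19:         Attribute 1 7 62696C6C
13:55:19:         Attribute 2 18 19D66483
13:55:22: Radius: Received from 171.69.1.152:1645, Access-Reject, id 0x7, len 20
13:55:22: Radius: Reply for 7 fails decrypt
13:59:02: Radius: IPC Send 0.0.0.0:1645, Access-Request, id 0xB, len 56
13:59:02:         Attribute 4 6 AC150E5A
13:59:02:         Attribute 5 6 0000000A
13:59:02:         Attribute 1 6 62696C6C
13:59:02:         Attribute 2 18 0531FEA3
13:59:04: Radius: Received from 171.69.1.152:1645, Access-Accept, id 0xB, len 26
13:59:04:         Attribute 6 6 00000001
13:57:56: Radius: IPC Send 0.0.0.0:1645, Access-Request, id 0xA, len 57
13:57:56:         Attribute 4 6 AC150E5A
13:57:56:         Attribute 5 6 0000000A
13:57:56:         Attribute 1 7 62696C6C
13:57:56:         Attribute 2 18 49C28F6C
13:57:59: Radius: Received from 171.69.1.152:1645, Access-Reject, id 0xA, len 20
"""

# RFC 2865 attribute types that occur in the output.
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              5: "NAS-Port", 6: "Service-Type"}

SEND_RE = re.compile(r"IPC Send \S+, Access-Request, id 0x([0-9A-Fa-f]+)")
RECV_RE = re.compile(r"Received from (\S+), (Access-\w+), id 0x([0-9A-Fa-f]+)")
ATTR_RE = re.compile(r"Attribute (\d+) (\d+) ([0-9A-Fa-f]+)")
FAIL_RE = re.compile(r"Reply for (\d+) fails decrypt")   # id printed in decimal (assumption)


def new_exchange():
    return {"request": {}, "reply": None, "server": None,
            "reply_attrs": {}, "decrypt_failed": False}


def decode_attribute(attr_type: int, hexval: str):
    """Decode the value bytes the debug line shows (only the first four value bytes
    are printed, so longer strings come out truncated)."""
    raw = bytes.fromhex(hexval)
    if attr_type == 4:                       # NAS-IP-Address
        return str(ipaddress.IPv4Address(raw))
    if attr_type in (5, 6):                  # NAS-Port, Service-Type: 32-bit integers
        return int.from_bytes(raw, "big")
    if attr_type == 1:                       # User-Name: text
        return raw.decode("ascii", errors="replace")
    return hexval                            # User-Password is obfuscated; keep as hex


def parse_debug_radius(text: str) -> dict:
    """Group the lines into exchanges keyed by RADIUS packet identifier."""
    exchanges, target = {}, None
    for line in text.splitlines():
        if m := SEND_RE.search(line):
            ex = exchanges.setdefault(int(m.group(1), 16), new_exchange())
            target = ex["request"]           # following Attribute lines belong to the request
        elif m := RECV_RE.search(line):
            ex = exchanges.setdefault(int(m.group(3), 16), new_exchange())
            ex["server"], ex["reply"] = m.group(1), m.group(2)
            target = ex["reply_attrs"]       # following Attribute lines belong to the reply
        elif m := FAIL_RE.search(line):
            exchanges.setdefault(int(m.group(1)), new_exchange())["decrypt_failed"] = True
        elif (m := ATTR_RE.search(line)) and target is not None:
            t = int(m.group(1))
            target[ATTR_NAMES.get(t, f"Attr-{t}")] = decode_attribute(t, m.group(3))
    return exchanges


def classify(exchange: dict) -> str:
    """Tell a configuration problem apart from a credential problem."""
    if exchange["decrypt_failed"]:
        return "shared-secret mismatch (check radius-server key on router and server)"
    if exchange["reply"] == "Access-Accept":
        return "login accepted"
    if exchange["reply"] == "Access-Reject":
        return "credentials rejected by server"
    return "no reply (server unreachable or wrong radius-server host)"


if __name__ == "__main__":
    for ident, ex in parse_debug_radius(DEBUG_RADIUS).items():
        print(f"id 0x{ident:X} user={ex['request'].get('User-Name')!r}: {classify(ex)}")
```

Decoded, every request comes from NAS 172.21.14.90 port 10 for user "bill"; id 0x7 is the key mismatch, id 0xB the accepted login (Service-Type 1, Login), and id 0xA the rejection. Keeping the two reject cases apart matters for monitoring as well as troubleshooting: a burst of "fails decrypt" after a change points at configuration drift, whereas a burst of clean rejects for many usernames is the pattern to alert on.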

Related Commands
debug aaa accounting        Displays information on accountable events as they occur.
debug aaa authentication    Displays information on AAA/TACACS+ authentication.

debug serial interface
To display information on a serial connection failure, use the debug serial interface privileged EXEC command. The no form of this command disables debugging output.

debug serial interface
no debug serial interface

Syntax Description
This command has no arguments or keywords.

Usage Guidelines
If the show interface serial EXEC command shows that the line and protocol are down, you can use the debug serial interface command to isolate a timing problem as the cause of a connection failure. If the keepalive values in the myseq, mineseen, and yourseen fields are not incrementing in each subsequent line of output, there is a timing or line problem at one end of the connection.

Caution Although the debug serial interface command typically does not generate a substantial amount of output, nevertheless use it cautiously during production hours. When SMDS is enabled, for example, it can generate considerable output. The output of the debug serial interface command can vary, depending on the type of WAN configured for an interface: Frame Relay, HDLC, HSSI, SMDS, or X.25. The output also can vary depending on the type of encapsulation configured for that interface. The hardware platform also can affect debug serial interface output.

Examples
The following sections show and describe sample debug serial interface output for various configurations.
Debug Serial Interface for Frame Relay Encapsulation

The following message is displayed if the encapsulation for the interface is Frame Relay (or HDLC) and the router attempts to send a packet containing an unknown packet type:
Illegal serial link type code xxx

Debug Serial Interface for HDLC

The following is sample output from the debug serial interface command for an HDLC connection when keepalives are enabled. This output shows that the remote router is not receiving all the keepalives the router is sending. When the difference in the values in the myseq and mineseen fields exceeds three, the line goes down and the interface is reset.

Table 160 describes the significant fields.

Table 160 debug serial interface Field Descriptions for HDLC

Field    Description
Serial 1
    Interface through which the serial connection is taking place.
HDLC
    Serial connection is an HDLC connection.
myseq 636119
    Myseq counter increases by one each time the router sends a keepalive packet to the remote router.
mineseen 636119
    Value of the mineseen counter reflects the last myseq sequence number the remote router has acknowledged receiving from the router. The remote router stores this value in its yourseen counter and sends that value in a keepalive packet to the router.
yourseen 515032
    Yourseen counter reflects the value of the myseq sequence number the router has received in a keepalive packet from the remote router.
line up
    Connection between the routers is maintained. Value changes to "line down" if the values of the myseq and mineseen fields in a keepalive packet differ by more than three. Value returns to "line up" when the interface is reset. If the line is in loopback mode, ("looped") appears after this field.

Table 161 describes additional error messages that the debug serial interface command can generate for HDLC.

Table 161 debug serial interface Error Messages for HDLC

Field    Description
Illegal serial link type code <xxx>, PC = 0xnnnnnn
    Router attempted to send a packet containing an unknown packet type.
Illegal HDLC serial type code <xxx>, PC = 0xnnnnn
    Unknown packet type is received.
Serial 0: attempting to restart
    Interface is down. The hardware is then reset to correct the problem, if possible.
Serial 0: Received bridge packet sent to <nnnnnnnnn>
    Bridge packet is received over a serial interface configured for HDLC, and bridging is not configured on that interface.

Debug Serial Interface for HSSI

On an HSSI interface, the debug serial interface command can generate the following additional error message:
HSSI0: Reset from 0xnnnnnnn

This message indicates that the HSSI hardware has been reset. The 0xnnnnnnn variable is the address of the routine requesting that the hardware be reset; this value is useful only to development engineers.
Debug Serial Interface for ISDN Basic Rate

Table 162 describes error messages that the debug serial interface command can generate for ISDN Basic Rate.

Table 162 debug serial interface Error Messages for ISDN Basic Rate

Message    Description
BRI: D-chan collision
    Collision on the ISDN D channel has occurred; the software will retry transmission.
Received SID Loss of Frame Alignment int.
    ISDN hardware has lost frame alignment. This usually indicates a problem with the ISDN network.
Unexpected IMP int: ipr = 0xnn
    ISDN hardware received an unexpected interrupt. The 0xnn variable indicates the value returned by the interrupt register.
BRI(d): RX Frame Length Violation. Length=n
BRI(d): RX Nonoctet Aligned Frame
BRI(d): RX Abort Sequence
BRI(d): RX CRC Error
BRI(d): RX Overrun Error
BRI(d): RX Carrier Detect Lost
    Any of these messages can be displayed when a receive error occurs on one of the ISDN channels. The (d) indicates which channel it is on. These messages can indicate a problem with the ISDN network connection.
BRI0: Reset from 0xnnnnnnn
    BRI hardware has been reset. The 0xnnnnnnn variable is the address of the routine that requested that the hardware be reset; it is useful only to development engineers.
BRI(d): Bad state in SCMs scm1=x scm2=x scm3=x
BRI(d): Bad state in SCONs scon1=x scon2=x scon3=x
BRI(d): Bad state ub SCR; SCR=x
    Any of these messages can be displayed if the ISDN hardware is not in the proper state. The hardware is then reset. If the message is displayed constantly, it usually indicates a hardware problem.
BRI(d): Illegal packet encapsulation=n
    Packet is received, but the encapsulation used for the packet is not recognized. The interface might be misconfigured.

Debug Serial Interface for an MK5025 Device

Table 163 describes the additional error messages that the debug serial interface command can generate for an MK5025 device.

Table 163 debug serial interface Error Messages for an MK5025 Device

Message    Description
MK5(d): Reset from 0xnnnnnnnn
    Hardware has been reset. The 0xnnnnnnn variable is the address of the routine that requested that the hardware be reset; it is useful only to development engineers.
MK5(d): Illegal packet encapsulation=n
    Packet is received, but the encapsulation used for the packet is not recognized. Interface might be misconfigured.
MK5(d): No packet available for packet realignment
    Serial driver attempted to get a buffer (memory) and was unable to do so.
MK5(d): Bad state in CSR0=(x)
    This message is displayed if the hardware is not in the proper state. The hardware is reset. If this message is displayed constantly, it usually indicates a hardware problem.
MK5(d): New serial state=n
    Hardware has interrupted the software. It displays the state that the hardware is reporting.
MK5(d): DCD is down.
MK5(d): DCD is up.
    If the interrupt indicates that the state of carrier has changed, one of these messages is displayed to indicate the current state of DCD.

Debug Serial Interface for SMDS Encapsulation

When encapsulation is set to SMDS, the debug serial interface command displays SMDS packets that are sent and received, and any error messages resulting from SMDS packet transmission. The error messages that the debug serial interface command can generate for SMDS follow.

The following message indicates that a new protocol requested SMDS to encapsulate the data for transmission. SMDS is not yet able to encapsulate the protocol.
SMDS: Error on Serial 0, encapsulation bad protocol = x

The following message indicates that SMDS was asked to encapsulate a packet, but no corresponding destination E.164 SMDS address was found in any of the static SMDS tables or in the ARP tables:
SMDS send: Error in encapsulation, no hardware address, type = x

The following message indicates that a protocol such as CLNS or IP has been enabled on an SMDS interface, but the corresponding multicast addresses have not been configured. The n variable displays the link type for which encapsulation was requested.
SMDS: Send, Error in encapsulation, type=n

The following messages can occur when a corrupted packet is received on an SMDS interface. The router expected x, but received y.
SMDS: Invalid packet, Reserved NOT ZERO, x y
SMDS: Invalid packet, TAG mismatch x y
SMDS: Invalid packet, Bad TRAILER length x y

The following messages can indicate an invalid length for an SMDS packet:
SMDS: Invalid packet, Bad BA length x
SMDS: Invalid packet, Bad header extension length x
SMDS: Invalid packet, Bad header extension type x
SMDS: Invalid packet, Bad header extension value x

The following messages are displayed when the debug serial interface command is enabled:
Interface Serial 0 Sending SMDS L3 packet:
SMDS: dgsize:x type:0xn :y dst:z

If the debug serial interface command is enabled, the following message can be displayed when a packet is received on an SMDS interface, but the destination SMDS address does not match any on that interface:
SMDS: Packet n, not addressed to us

debug serial packet

To display more detailed serial interface debugging information than you can obtain using the debug serial interface command, use the debug serial packet privileged EXEC command. The no form of this command disables debugging output.

debug serial packet
no debug serial packet

Syntax Description
This command has no arguments or keywords.

Usage Guidelines
The debug serial packet command generates output that is dependent on the type of serial interface and the encapsulation running on that interface. The hardware platform also can impact debug serial packet output. The debug serial packet command displays output for only SMDS encapsulations.

Examples
The following is sample output from the debug serial packet command when SMDS is enabled on the interface:
Router# debug serial packet
Interface Serial2 Sending SMDS L3 packet:
SMDS Header: Id: 00 RSVD: 00 BEtag: EC Basize: 0044
Dest:E18009999999FFFF :C12015804721FFFF
Xh:04030000030001000000000000000000
SMDS LLC: AA AA 03 00 00 00 80 38
SMDS Data: E1 19 01 00 00 80 00 00 0C 00 38 1F 00 0A 00 80 00 00 0C 01 2B 71
SMDS Data: 06 01 01 0F 1E 24 00 EC 00 44 00 02 00 00 83 6C 7D 00 00 00 00 00
SMDS Trailer: RSVD: 00 BEtag: EC Length: 0044

As the output shows, when encapsulation is set to SMDS, the debug serial packet command displays the entire SMDS header (in hexadecimal notation), and some payload data on transmit or receive. This information is useful only when you have an understanding of the SMDS protocol. The first line of the output indicates either Sending or Receiving.

debug snmp packet

To display information about every SNMP packet sent or received by the router, use the debug snmp packet privileged EXEC command. The no form of this command disables debugging output.

debug snmp packet
no debug snmp packet

Syntax Description
This command has no arguments or keywords.

Examples
The following is sample output from the debug snmp packet command. In this example, the router receives a get-next request from the host at 172.16.63.17 and responds with the requested information.
Router# debug snmp packet
SNMP: Packet received via UDP from 172.16.63.17 on Ethernet0
SNMP: Get-next request, reqid 23584, errstat 0, erridx 0
 sysUpTime = NULL TYPE/VALUE
 system.1 = NULL TYPE/VALUE
 system.6 = NULL TYPE/VALUE
SNMP: Response, reqid 23584, errstat 0, erridx 0
 sysUpTime.0 = 2217027
 system.1.0 = Cisco Internetwork Operating System Software
 system.6.0 =
SNMP: Packet sent via UDP to 172.16.63.17

Based on the kind of packet sent or received, the output may vary. For get-bulk requests, a line similar to the following is displayed:
SNMP: Get-bulk request, reqid 23584, nonrptr 10, maxreps 20

For traps, a line similar to the following is displayed:


SNMP: V1 Trap, ent 1.3.6.1.4.1.9.1.13, gentrap 3, spectrap 0

Table 170 describes the significant fields shown in the display.

Table 170 debug snmp packet Field Descriptions

Field    Description
Get-next request
    Indicates what type of SNMP PDU the packet is. Possible types are as follows:
    Get request
    Get-next request
    Response
    Set request
    V1 Trap
    Get-bulk request
    Inform request
    V2 Trap
    Depending on the type of PDU, the rest of this line displays different fields. The indented lines following this line list the MIB object names and corresponding values.
reqid
    Request identification number. This number is used by the SNMP manager to match responses with requests.
errstat
    Error status. All PDU types other than response will have an errstat of 0. If the agent encounters an error while processing the request, it will set errstat in the response PDU to indicate the type of error.
erridx
    Error index. This value will always be 0 in all PDUs other than responses. If the agent encounters an error, the erridx will be set to indicate which varbind in the request caused the error. For example, if the agent had an error on the second varbind in the request PDU, the response PDU will have an erridx equal to 2.
nonrptr
    Nonrepeater value. This value and the maximum repetition value are used to determine how many varbinds are returned. Refer to RFC 1905 for details.
maxreps
    Maximum repetition value. This value and the nonrepeater value are used to determine how many varbinds are returned. Refer to RFC 1905 for details.
ent
    Enterprise object identifier. Refer to RFC 1215 for details.
gentrap
    Generic trap value. Refer to RFC 1215 for details.
spectrap
    Specific trap value. Refer to RFC 1215 for details.

debug snmp requests

To display information about every SNMP request made by the SNMP manager, use the debug snmp requests privileged EXEC command. The no form of this command disables debugging output.

debug snmp requests
no debug snmp requests

Syntax Description
This command has no arguments or keywords.

Examples
The following is sample output from the debug snmp requests command:
Router# debug snmp requests
SNMP Manager API: request
dest: 171.69.58.33.161, community: public
retries: 3, timeout: 30, mult: 2, use session rtt
userdata: 0x0

Table 171 describes the significant fields shown in the display.

Table 171 debug snmp requests Field Descriptions

Field    Description
SNMP Manager API
    Indicates that the router sent an SNMP request.
dest
    Destination of the request.
community
    Community string sent with the request.
retries
    Number of times the request has been re-sent.
timeout
    Request timeout, or how long the router will wait before resending the request.
mult
    Timeout multiplier. The timeout for a re-sent request will be equal to the previous timeout multiplied by the timeout multiplier.
use session rtt
    Indicates that the average round-trip time of the session should be used in calculating the timeout value.
userdata
    Internal Cisco IOS software data.

debug tacacs events

To display information from the TACACS+ helper process, use the debug tacacs events privileged EXEC command. The no form of this command disables debugging output.

debug tacacs events
no debug tacacs events

Syntax Description
This command has no arguments or keywords.

Usage Guidelines
Use the debug tacacs events command only in response to a request from service personnel to collect data when a problem has been reported.

Caution Use the debug tacacs events command with caution because it can generate a substantial amount of output.

The TACACS protocol is used on routers to assist in managing user accounts. TACACS+ enhances the TACACS functionality by adding security features and cleanly separating out the authentication, authorization, and accounting (AAA) functionality.

Examples
The following is sample output from the debug tacacs events command. In this example, the opening and closing of a TCP connection to a TACACS+ server are shown, and the bytes read and written over the connection and the TCP status of the connection:
Router# debug tacacs events
%LINK-3-UPDOWN: Interface Async2, changed state to up
00:03:16: TAC+: Opening TCP/IP to 192.168.58.104/1049 timeout=15
00:03:16: TAC+: Opened TCP/IP handle 0x48A87C to 192.168.58.104/1049
00:03:16: TAC+: periodic timer started
00:03:16: TAC+: 192.168.58.104 req=3BD868 id=-1242409656 ver=193 handle=0x48A87C (ESTAB) expire=14 AUTHEN/START/SENDAUTH/CHAP queued
00:03:17: TAC+: 192.168.58.104 ESTAB 3BD868 wrote 46 of 46 bytes
00:03:22: TAC+: 192.168.58.104 CLOSEWAIT read=12 wanted=12 alloc=12 got=12
00:03:22: TAC+: 192.168.58.104 CLOSEWAIT read=61 wanted=61 alloc=61 got=49
00:03:22: TAC+: 192.168.58.104 received 61 byte reply for 3BD868
00:03:22: TAC+: req=3BD868 id=-1242409656 ver=193 handle=0x48A87C (CLOSEWAIT) expire=9 AUTHEN/START/SENDAUTH/CHAP processed
00:03:22: TAC+: periodic timer stopped (queue empty)
00:03:22: TAC+: Closing TCP/IP 0x48A87C connection to 192.168.58.104/1049
00:03:22: TAC+: Opening TCP/IP to 192.168.58.104/1049 timeout=15
00:03:22: TAC+: Opened TCP/IP handle 0x489F08 to 192.168.58.104/1049
00:03:22: TAC+: periodic timer started
00:03:22: TAC+: 192.168.58.104 req=3BD868 id=299214410 ver=192 handle=0x489F08 (ESTAB) expire=14 AUTHEN/START/SENDPASS/CHAP queued
00:03:23: TAC+: 192.168.58.104 ESTAB 3BD868 wrote 41 of 41 bytes
00:03:23: TAC+: 192.168.58.104 CLOSEWAIT read=12 wanted=12 alloc=12 got=12
00:03:23: TAC+: 192.168.58.104 CLOSEWAIT read=21 wanted=21 alloc=21 got=9
00:03:23: TAC+: 192.168.58.104 received 21 byte reply for 3BD868
00:03:23: TAC+: req=3BD868 id=299214410 ver=192 handle=0x489F08 (CLOSEWAIT) expire=13 AUTHEN/START/SENDPASS/CHAP processed
00:03:23: TAC+: periodic timer stopped (queue empty)

The TACACS messages are intended to be self-explanatory or for consumption by service personnel only. However, the messages shown are briefly explained in the following text. The following message indicates that a TCP open request to host 192.168.58.104 on port 1049 will time out in 15 seconds if it gets no response:
00:03:16: TAC+: Opening TCP/IP to 192.168.58.104/1049 timeout=15

The following message indicates a successful open operation and provides the address of the internal TCP "handle" for this connection:
00:03:16: TAC+: Opened TCP/IP handle 0x48A87C to 192.168.58.104/1049

The following message indicates that a TACACS+ request has been queued:
00:03:16: TAC+: 192.168.58.104 req=3BD868 id=-1242409656 ver=193 handle=0x48A87C (ESTAB) expire=14 AUTHEN/START/SENDAUTH/CHAP queued

The message identifies the following:

• Server that the request is destined for
• Internal address of the request
• TACACS+ ID of the request
• TACACS+ version number of the request
• Internal TCP handle the request uses (which will be zero for a single-connection server)
• TCP status of the connection, which is one of the following:
  o CLOSED
  o LISTEN
  o SYNSENT
  o SYNRCVD
  o ESTAB
  o FINWAIT1
  o FINWAIT2
  o CLOSEWAIT
  o LASTACK
  o CLOSING
  o TIMEWAIT
• Number of seconds until the request times out
• Request type

The following message indicates that all 46 bytes were written to address 192.168.58.104 for request 3BD868:
00:03:17: TAC+: 192.168.58.104 ESTAB 3BD868 wrote 46 of 46 bytes

The following message indicates that 12 bytes were read in reply to the request:
00:03:22: TAC+: 192.168.58.104 CLOSEWAIT read=12 wanted=12 alloc=12 got=12

The following message indicates that 49 more bytes were read, making a total of 61 bytes in all, which is all that was expected:
00:03:22: TAC+: 192.168.58.104 CLOSEWAIT read=61 wanted=61 alloc=61 got=49

The following message indicates that a complete 61-byte reply has been read and processed for request 3BD868:
00:03:22: TAC+: 192.168.58.104 received 61 byte reply for 3BD868
00:03:22: TAC+: req=3BD868 id=-1242409656 ver=193 handle=0x48A87C (CLOSEWAIT) expire=9 AUTHEN/START/SENDAUTH/CHAP processed

The following message indicates that the TACACS+ server helper process switched itself off when it had no more work to do:
00:03:22: TAC+: periodic timer stopped (queue empty)

Related Commands

Command                    Description
debug aaa accounting       Displays information on accountable events as they occur.
debug aaa authentication   Displays information on AAA/TACACS+ authentication.
debug aaa authorization    Displays information on AAA/TACACS+ authorization.
debug sw56                 Displays debug information for switched 56 K services.

debug tacacs

To display information associated with the TACACS, use the debug tacacs privileged EXEC command. The no form of this command disables debugging output.

debug tacacs
no debug tacacs

Syntax Description
This command has no arguments or keywords.

Usage Guidelines
TACACS is a distributed security system that secures networks against unauthorized access. Cisco supports TACACS under the authentication, authorization, and accounting (AAA) security system. Use the debug aaa authentication command to get a high-level view of login activity. When TACACS is used on the router, you can use the debug tacacs command for more detailed debugging information.

Examples
The following is sample output from the debug aaa authentication command for a TACACS login attempt that was successful. The information indicates that TACACS+ is the authentication method used.
Router# debug aaa authentication
14:01:17: AAA/AUTHEN (567936829): Method=TACACS+
14:01:17: TAC+: send AUTHEN/CONT packet
14:01:17: TAC+ (567936829): received authen response status = PASS
14:01:17: AAA/AUTHEN (567936829): status = PASS

The following is sample output from the debug tacacs command for a TACACS login attempt that was successful, as indicated by the status PASS:
Router# debug tacacs
14:00:09: TAC+: Opening TCP/IP connection to 192.168.60.15 using source 10.116.0.79
14:00:09: TAC+: Sending TCP/IP packet number 383258052-1 to 192.168.60.15 (AUTHEN/START)
14:00:09: TAC+: Receiving TCP/IP packet number 383258052-2 from 192.168.60.15
14:00:09: TAC+ (383258052): received authen response status = GETUSER
14:00:10: TAC+: send AUTHEN/CONT packet
14:00:10: TAC+: Sending TCP/IP packet number 383258052-3 to 192.168.60.15 (AUTHEN/CONT)
14:00:10: TAC+: Receiving TCP/IP packet number 383258052-4 from 192.168.60.15
14:00:10: TAC+ (383258052): received authen response status = GETPASS
14:00:14: TAC+: send AUTHEN/CONT packet
14:00:14: TAC+: Sending TCP/IP packet number 383258052-5 to 192.168.60.15 (AUTHEN/CONT)
14:00:14: TAC+: Receiving TCP/IP packet number 383258052-6 from 192.168.60.15
14:00:14: TAC+ (383258052): received authen response status = PASS
14:00:14: TAC+: Closing TCP/IP connection to 192.168.60.15

The following is sample output from the debug tacacs command for a TACACS login attempt that was unsuccessful, as indicated by the status FAIL:
Router# debug tacacs
13:53:35: TAC+: Opening TCP/IP connection to 192.168.60.15 using source 192.48.0.79
13:53:35: TAC+: Sending TCP/IP packet number 416942312-1 to 192.168.60.15 (AUTHEN/START)
13:53:35: TAC+: Receiving TCP/IP packet number 416942312-2 from 192.168.60.15
13:53:35: TAC+ (416942312): received authen response status = GETUSER
13:53:37: TAC+: send AUTHEN/CONT packet
13:53:37: TAC+: Sending TCP/IP packet number 416942312-3 to 192.168.60.15 (AUTHEN/CONT)
13:53:37: TAC+: Receiving TCP/IP packet number 416942312-4 from 192.168.60.15
13:53:37: TAC+ (416942312): received authen response status = GETPASS
13:53:38: TAC+: send AUTHEN/CONT packet
13:53:38: TAC+: Sending TCP/IP packet number 416942312-5 to 192.168.60.15 (AUTHEN/CONT)
13:53:38: TAC+: Receiving TCP/IP packet number 416942312-6 from 192.168.60.15
13:53:38: TAC+ (416942312): received authen response status = FAIL
13:53:40: TAC+: Closing TCP/IP connection to 192.168.60.15

Related Commands

Command                    Description
debug aaa accounting       Displays information on accountable events as they occur.
debug aaa authentication   Displays information on AAA/TACACS+ authentication.

debug tftp

To display Trivial File Transfer Protocol (TFTP) debugging information when encountering problems netbooting or using the copy tftp system:running-config or copy system:running-config tftp commands, use the debug tftp privileged EXEC command. The no form of this command disables debugging output.

debug tftp
no debug tftp

Syntax Description
This command has no arguments or keywords.

Examples
The following is sample output from the debug tftp command from the copy system:running-config tftp EXEC command:
Router# debug tftp
TFTP: msclock 0x292B4; Sending write request (retry 0), socket_id 0x301DA8
TFTP: msclock 0x2A63C; Sending write request (retry 1), socket_id 0x301DA8
TFTP: msclock 0x2A6DC; Received ACK for block 0, socket_id 0x301DA8
TFTP: msclock 0x2A6DC; Received ACK for block 0, socket_id 0x301DA8
TFTP: msclock 0x2A6DC; Sending block 1 (retry 0), socket_id 0x301DA8
TFTP: msclock 0x2A6E4; Received ACK for block 1, socket_id 0x301DA8

Table 213 describes the significant fields in the first line of output.

Table 213 debug tftp Field Descriptions

Message    Description
TFTP:
    TFTP packet.
msclock 0x292B4;
    Internal timekeeping clock (in milliseconds).
Sending write request (retry 0)
    TFTP operation.
socket_id 0x301DA8
    Unique memory address for the socket for the TFTP connection.

debug vpdn pppoe-data

To display data packets of PPPoE sessions, use the debug vpdn pppoe-data command in EXEC mode. To disable the debugging output, use the no form of this command.

debug vpdn pppoe-data
no debug vpdn pppoe-data

Syntax Description
This command has no arguments or keywords.

Defaults
No default behavior or values.

Command History
Release     Modification
12.1(1)T    This command was introduced.

Usage Guidelines
The debug vpdn pppoe-data command displays a large number of debug messages and should generally be used only on a debug chassis with a single active session.

Examples
The following is an example of output from the debug vpdn pppoe-data command:
6d20h:%LINK-3-UPDOWN:Interface Virtual-Access1, changed state to up
6d20h:PPPoE:OUT contiguous pak, size 19
FF 03 C0 21 01 01 00 0F 03 05 C2 23 05 05 06 D3 FF 2B DA
6d20h:PPPoE:IN particle pak, size 1240
C0 21 01 01 00 0A 05 06 39 53 A5 17 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
6d20h:PPPoE:OUT contiguous pak, size 14
FF 03 C0 21 02 01 00 0A 05 06 39 53 A5 17
6d20h:PPPoE:OUT contiguous pak, size 19
FF 03 C0 21 01 02 00 0F 03 05 C2 23 05 05 06 D3 FF 2B DA
6d20h:PPPoE:IN particle pak, size 1740
C0 21 02 02 00 0F 03 05 C2 23 05 05 06 D3 FF 2B DA 00 80 C2 00 07 00 00 00 10 7B 01 2C D9 00 B0 C2 EB 10 38 88 64 11 00
6d20h:PPPoE:OUT contiguous pak, size 30
FF 03 C2 23 01 06 00 1A 10 99 1E 6E 8F 8C F2 C6 EE 91 0A B0 01 CB 89 68 13 47 61 6E 67 61
6d20h:PPPoE:IN particle pak, size 3840
C2 23 02 06 00 24 10 E6 84 FF 3A A4 49 19 CE D7 AC D7 D5 96 CC 23 B3 41 6B 61 73 68 40 63 69 73 63 6F 2E 63 6F 6D 00 00
6d20h:PPPoE:OUT contiguous pak, size 8
FF 03 C2 23 03 06 00 04
6d20h:PPPoE:OUT contiguous pak, size 14
FF 03 80 21 01 01 00 0A 03 06 65 65 00 66
6d20h:PPPoE:IN particle pak, size 1240
80 21 01 01 00 0A 03 06 00 00 00 00 49 19 CE D7 AC D7 D5 96 CC 23 B3 41 6B 61 73 68 40 63 69 73 63 6F 2E 63 6F 6D 00 00
6d20h:PPPoE:OUT contiguous pak, size 14
FF 03 80 21 03 01 00 0A 03 06 65 65 00 67
6d20h:PPPoE:IN particle pak, size 1240
80 21 02 01 00 0A 03 06 65 65 00 66 00 04 AA AA 03 00 80 C2 00 07 00 00 00 10 7B 01 2C D9 00 B0 C2 EB 10 38 88 64 11 00
6d20h:PPPoE:IN particle pak, size 1240
80 21 01 02 00 0A 03 06 65 65 00 67 49 19 CE D7 AC D7 D5 96 CC 23 B3 41 6B 61 73 68 40 63 69 73 63 6F 2E 63 6F 6D 00 00
6d20h:PPPoE:OUT contiguous pak, size 14
FF 03 80 21 02 02 00 0A 03 06 65 65 00 67
6d20h:%LINEPROTO-5-UPDOWN:Line protocol on Interface Virtual-Access1, changed state to up
6d20h:PPPoE:OUT contiguous pak, size 16
FF 03 C0 21 09 01 00 0C D3 FF 2B DA 4C 4D 49 A4
6d20h:PPPoE:IN particle pak, size 1440
C0 21 0A 01 00 0C 39 53 A5 17 4C 4D 49 A4 AA AA 03 00 80 C2 00 07 00 00 00 10 7B 01 2C D9 00 B0 C2 EB 10 38 88 64 11 00
6d20h:PPPoE:IN particle pak, size 1440
C0 21 09 01 00 0C 39 53 A5 17 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Table 227 describes the fields shown in the displays.

Table 227 debug vpdn pppoe-data Field Descriptions

Field    Descriptions
6d20h:%LINK-3-UPDOWN:Interface Virtual-Access1, changed state to up
    Virtual access interface 1 came up.
6d20h:PPPoE:OUT
    The host delivered a PPPoE session packet to the access concentrator.
6d20h:PPPoE:IN
    The access concentrator received a PPPoE session packet.
6d20h:%LINEPROTO-5-UPDOWN:Line protocol on Interface Virtual-Access1, changed state to up
    Line protocol is up; the line can be used.
contiguous pak, size 19
    Size 19 contiguous packet.
particle pak, size 1240
    Size 1240 particle packet.
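Table 227 explains the line headers but not the hex that follows them, which is where the session's LCP, CHAP and IPCP negotiation is. The decoder below is an added example, not Cisco code; it reads a dump line (header and hex joined onto one line) as a PPP frame, strips the optional FF 03 address/control bytes, discards the buffer bytes that inbound "particle pak" lines carry past the PPP length, and labels codes and options using the standard PPP numbers. The four sample frames are taken from the page's dump. Note what it recovers: the CHAP peer name is in cleartext and the challenge/response pair is present, one reason the usage guidelines above restrict this debug to a debug chassis.

```python
"""Decode the PPP frames inside 'debug vpdn pppoe-data' dump lines.

Added example, not Cisco's code. Each dump line on this page is a PPP frame:
optional HDLC address/control bytes FF 03, a two-byte protocol (C021 LCP,
C223 CHAP, 8021 IPCP), then code, identifier, length and body. Inbound
'particle pak' lines carry buffer bytes after the PPP length, which the
decoder drops. Header and hex are joined onto one line here; the sample
frames are the page's own.
"""
import re
from typing import Dict, List, Tuple

PROTOCOLS = {0xC021: "LCP", 0xC223: "CHAP", 0x8021: "IPCP"}
CP_CODES = {1: "Configure-Request", 2: "Configure-Ack", 3: "Configure-Nak",
            4: "Configure-Reject", 5: "Terminate-Request", 6: "Terminate-Ack",
            9: "Echo-Request", 10: "Echo-Reply"}
CHAP_CODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}
LCP_OPTIONS = {1: "MRU", 3: "Authentication-Protocol", 5: "Magic-Number"}
IPCP_OPTIONS = {3: "IP-Address"}
LINE_RE = re.compile(
    r"PPPoE:(IN|OUT) (?:contiguous|particle) pak, size \d+ ((?:[0-9A-F]{2}\s?)+)")


def parse_options(body: bytes, names: Dict[int, str]) -> List[Tuple[str, str]]:
    """Walk the type/length/value options of an LCP or IPCP configure packet."""
    out, i = [], 0
    while i + 2 <= len(body):
        otype, olen = body[i], body[i + 1]
        if olen < 2 or i + olen > len(body):
            break                       # malformed option: stop, do not mis-parse
        val = body[i + 2:i + olen]
        name = names.get(otype, f"option-{otype}")
        if name == "IP-Address" and len(val) == 4:
            text = ".".join(str(b) for b in val)
        elif name == "Authentication-Protocol" and len(val) >= 2:
            auth = PROTOCOLS.get(int.from_bytes(val[:2], "big"), val[:2].hex())
            text = auth + (" MD5" if val[2:3] == b"\x05" else "")
        else:
            text = val.hex()
        out.append((name, text))
        i += olen
    return out


def decode_frame(line: str) -> Dict[str, object]:
    m = LINE_RE.search(line)
    if not m:
        raise ValueError("not a pppoe-data dump line")
    data = bytes.fromhex(m.group(2).replace(" ", ""))
    if data[:2] == b"\xff\x03":         # HDLC address/control present on OUT
        data = data[2:]
    proto = int.from_bytes(data[:2], "big")
    name = PROTOCOLS.get(proto, f"0x{proto:04X}")
    code, ident = data[2], data[3]
    length = int.from_bytes(data[4:6], "big")
    body = data[6:2 + length]           # length counts from the code byte
    frame: Dict[str, object] = {"direction": m.group(1), "protocol": name,
                                "id": ident, "length": length}
    if name == "CHAP":
        frame["code"] = CHAP_CODES.get(code, str(code))
        if code in (1, 2) and body:
            vsize = body[0]             # value-size, value, then peer name
            frame["value"] = body[1:1 + vsize].hex()
            frame["name"] = body[1 + vsize:].decode("ascii", "replace")
    else:
        frame["code"] = CP_CODES.get(code, str(code))
        if code in (1, 2, 3, 4):
            frame["options"] = parse_options(
                body, LCP_OPTIONS if name == "LCP" else IPCP_OPTIONS)
        elif code in (9, 10):
            frame["magic"] = body[:4].hex()
    return frame


# Four frames from the page's dump, each header joined with its hex bytes.
SAMPLE = [
    "6d20h:PPPoE:OUT contiguous pak, size 19 FF 03 C0 21 01 01 00 0F 03 05 C2 23 05 05 06 D3 FF 2B DA",
    "6d20h:PPPoE:IN particle pak, size 3840 C2 23 02 06 00 24 10 E6 84 FF 3A A4 49 19 CE D7 AC D7 D5 96 "
    "CC 23 B3 41 6B 61 73 68 40 63 69 73 63 6F 2E 63 6F 6D 00 00",
    "6d20h:PPPoE:OUT contiguous pak, size 8 FF 03 C2 23 03 06 00 04",
    "6d20h:PPPoE:OUT contiguous pak, size 14 FF 03 80 21 01 01 00 0A 03 06 65 65 00 66",
]

if __name__ == "__main__":
    for frame in map(decode_frame, SAMPLE):
        print(frame)
```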

Related Commands

Command                   Description
debug vpdn pppoe-error    Displays PPPoE protocol errors that prevent a session from being established or errors that cause an established session to be closed.
debug vpdn pppoe-events   Displays PPPoE protocol messages about events that are part of normal session establishment or shutdown.
debug vpdn pppoe-packet   Displays each PPPoE protocol packet exchanged.
protocol (VPDN)           Specifies the L2TP that the VPDN subgroup will use.
show vpdn                 Displays information about active L2F protocol tunnel and message identifiers in a VPDN.
vpdn enable               Enables virtual private dialup networking on the router and informs the router to look for tunnel definitions in a local database and on a remote authorization server (home gateway), if one is present.

debug vpdn pppoe-error

To display PPPoE protocol errors that prevent a session from being established or errors that cause an established session to be closed, use the debug vpdn pppoe-error command in EXEC mode. To disable the debugging output, use the no form of this command.

debug vpdn pppoe-error
no debug vpdn pppoe-error

Syntax Description
This command has no arguments or keywords.

Defaults
No default behavior or values.

Command History
Release     Modification
12.1(1)T    This command was introduced.

Examples
The following is a full list of error messages displayed by the debug vpdn pppoe-error command:
PPPOE:pppoe_acsys_err cannot grow packet
PPPoE:Cannot find PPPoE info
PPPoE:Bad MAC address:00b0c2eb1038
PPPOE:PADI has no service name tag
PPPoE:pppoe_handle_padi cannot add AC name/Cookie.
PPPoE:pppoe_handle_padi cannot grow packet
PPPoE:pppoe_handle_padi encap failed
PPPoE cannot create virtual access.
PPPoE cannot allocate session structure.
PPPoE cannot store session element in tunnel.
PPPoE cannot allocate tunnel structure.
PPPoE cannot store tunnel
PPPoE:VA221:No Session, Packet Discarded
PPPOE:Tried to shutdown a null session
PPPoE:Session already open, closing
PPPoE:Bad cookie:_addr=00b0c2eb1038
PPPoE:Max session count on mac elem exceeded:mac=00b0c2eb1038
PPPoE:Max session count on vc exceeded:vc=3/77
PPPoE:Bad MAC address - dropping packet
PPPoE:Bad version or type - dropping packet

Table 228 describes the fields shown in the displays.

Table 228 debug vpdn pppoe-error Field Descriptions

Field    Descriptions
PPPOE:pppoe_acsys_err cannot grow packet
    Asynchronous PPPoE packet initialization error.
PPPoE:Cannot find PPPoE info
    The access concentrator sends a PADO to the host.
PPPoE:Bad MAC address:00b0c2eb1038
    The host was unable to identify the Ethernet MAC address.
PPPOE:PADI has no service name tag
    PADI requires a service name tag.
PPPoE:pppoe_handle_padi cannot add AC name/Cookie.
    pppoe_handle_padi could not append AC name.
PPPoE:pppoe_handle_padi cannot grow packet
    pppoe_handle_padi could not append packet.
PPPoE:pppoe_handle_padi encap failed
    pppoe_handle_padi could not specify PPPoE on ATM encapsulation.
PPPoE cannot create virtual access.
    PPPoE session unable to verify virtual access interface.
PPPoE cannot allocate session structure.
    PPPoE session unable to allocate Stage Protocol.
PPPoE cannot store session element in tunnel.
    PPPoE tunnel cannot allocate session element.
PPPoE cannot allocate tunnel structure.
    PPPoE tunnel unable to allocate Stage Protocol.
PPPoE cannot store tunnel
    PPPoE configuration settings unable to initialize a tunnel.
PPPoE:VA221:No Session, Packet Discarded
    No sessions created. All packets dropped.
PPPOE:Tried to shutdown a null session
    Null session shutdown.
PPPoE:Session already open, closing
    PPPoE session already open.
PPPoE:Bad cookie:_addr=00b0c2eb1038
    PPPoE session unable to append new cookie.
PPPoE:Max session count on mac elem exceeded:mac=00b0c2eb1038
    The maximum number of sessions exceeded the Ethernet MAC address.
PPPoE:Max session count on vc exceeded:vc=3/77
    The maximum number of sessions exceeded the PVC connection.
PPPoE:Bad MAC address - dropping packet
    The host was unable to identify the MAC address. Packet dropped.
PPPoE:Bad version or type - dropping packet
    The host was unable to identify the encapsulation type.

Related Commands

debug vpdn pppoe-data
Displays data packets of PPPoE sessions.

debug vpdn pppoe-events
Displays PPPoE protocol messages about events that are part of normal session establishment or shutdown.

debug vpdn pppoe-packet
Displays each PPPoE protocol packet exchanged.

protocol (VPDN)
Specifies the L2TP that the VPDN subgroup will use.

show vpdn
Displays information about active L2F protocol tunnel and message identifiers in a VPDN.

vpdn enable
Enables virtual private dialup networking on the router and informs the router to look for tunnel definitions in a local database and on a remote authorization server (home gateway), if one is present.

debug vpdn pppoe-events


To display PPPoE protocol messages about events that are part of normal session establishment or shutdown, use the debug vpdn pppoe-events command in EXEC mode. To disable the debugging output, use the no form of this command.

debug vpdn pppoe-events
no debug vpdn pppoe-events

Syntax Description
This command has no arguments or keywords.

Defaults
No default behavior or values.

Command History
Release: 12.1(1)T
Modification: This command was introduced.

Examples
The following is an example of output from the debug vpdn pppoe-events command:
1w5d:IN PADI from PPPoE tunnel
1w5d:OUT PADO from PPPoE tunnel
1w5d:IN PADR from PPPoE tunnel
1w5d:PPPoE:VPN session created.
1w5d:%LINK-3-UPDOWN:Interface Virtual-Access2, changed state to up
1w5d:%LINEPROTO-5-UPDOWN:Line protocol on Interface Virtual-Access2, changed state to up

Table 229 describes the significant fields shown in the display.


Table 229 debug vpdn pppoe-events Field Descriptions

Field: 1w5d:IN PADI from PPPoE tunnel
Description: The access concentrator receives a PADI packet from the PPPoE Tunnel.

Field: 1w5d:OUT PADO from PPPoE tunnel
Description: The access concentrator sends a PADO to the host.

Field: 1w5d:IN PADR from PPPoE tunnel
Description: The host sends a single PADR to the access concentrator that it has chosen.

Field: 1w5d:PPPoE:VPN session created.
Description: The access concentrator receives the PADR packet and creates a VPN session.

Field: 1w5d:%LINK-3-UPDOWN:Interface Virtual-Access2, changed state to up
Description: Virtual access interface 2 came up.

Field: 1w5d:%LINEPROTO-5-UPDOWN:Line protocol on Interface Virtual-Access2, changed state to up
Description: Line protocol is up. The line can be used.

Related Commands

debug vpdn pppoe-data
Displays data packets of PPPoE sessions.

debug vpdn pppoe-error
Displays PPPoE protocol errors that prevent a session from being established or errors that cause an established session to be closed.

debug vpdn pppoe-packet
Displays each PPPoE protocol packet exchanged.

protocol (VPDN)
Specifies the L2TP that the VPDN subgroup will use.

show vpdn
Displays information about active L2F protocol tunnel and message identifiers in a VPDN.

vpdn enable
Enables virtual private dialup networking on the router and informs the router to look for tunnel definitions in a local database and on a remote authorization server (home gateway), if one is present.

debug vpdn pppoe-packet


To display each PPPoE protocol packet exchanged, use the debug vpdn pppoe-packet command in EXEC mode. To disable the debugging output, use the no form of this command.

debug vpdn pppoe-packet
no debug vpdn pppoe-packet

Syntax Description
This command has no arguments or keywords.

Defaults
No default behavior or values.

Command History
Release: 12.1(1)T
Modification: This command was introduced.

Usage Guidelines
The debug vpdn pppoe-packet command displays a large number of debug messages and should generally only be used on a debug chassis with a single active session.

Examples
The following is an example of output from the debug vpdn pppoe-packet command:
PPPoE control packets debugging is on
1w5d:PPPoE:discovery packet
contiguous pak, size 74
FF FF FF FF FF FF 00 10 7B 01 2C D9 88 63 11 09
00 00 00 04 01 01 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...
1w5d:OUT PADO from PPPoE tunnel
contiguous pak, size 74
00 01 09 00 AA AA 03 00 80 C2 00 07 00 00 00 10
7B 01 2C D9 00 90 AB 13 BC A8 88 63 11 07 00 00
00 20 01 01 00 00 01 02 00 04 41 67 6E 69 01 ...
1w5d:PPPoE:discovery packet
contiguous pak, size 74
00 90 AB 13 BC A8 00 10 7B 01 2C D9 88 63 11 19
00 00 00 20 01 01 00 00 01 02 00 04 41 67 6E 69
01 04 00 10 B7 4B 86 5B 90 A5 EF 11 64 A9 BA ...

Table 230 describes the significant fields shown in the displays.


Table 230 debug vpdn pppoe-packet Field Descriptions

Field: PPPoE control packets debugging is on
Description: PPPoE debugging of packets is enabled.

Field: 1w5d:PPPoE:discovery packet
Description: The host performs a discovery to initiate a PPPoE session.

Field: 1w5d:OUT PADO from PPPoE tunnel
Description: The access concentrator sends a PADO to the host.

Field: 1w5d:PPPoE:discovery packet
Description: The host performs a discovery to initiate a PPPoE session.

Field: contiguous pak, size 74
Description: Size 74 contiguous packet.
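The discovery-stage checks that the pppoe-error messages listed earlier report (bad version or type, a PADI without a Service-Name tag, a bad AC-Cookie, the per-MAC session limit), worked through on frames laid out like the PADI and PADR in the dump above. This is an added example, not Cisco's code: the frames are constructed, and the keyed-hash cookie scheme, the per-MAC limit and the returned strings are assumptions chosen to mirror the message texts.

```python
"""PPPoE discovery checks modelled on the debug vpdn pppoe-error messages above.
Added example, not Cisco's code: cookie scheme, per-MAC limit and strings are assumed."""
import hashlib
import hmac
import struct
from collections import Counter

ETHERTYPE_PPPOE_DISC = 0x8863
PPPOE_VER_TYPE = 0x11                       # version 1, type 1
CODE_PADI, CODE_PADO, CODE_PADR = 0x09, 0x07, 0x19
TAG_SERVICE_NAME, TAG_AC_NAME, TAG_AC_COOKIE = 0x0101, 0x0102, 0x0104
BROADCAST = b"\xff" * 6
HOST_MAC = bytes.fromhex("00107b012cd9")    # host MAC as it appears in the dump above
AC_MAC = bytes.fromhex("0090ab13bca8")      # access concentrator MAC from the dump

def build_discovery(dst, src, code, tags, ver_type=PPPOE_VER_TYPE):
    """Assemble an Ethernet PPPoE discovery frame (constructed test input)."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    header = struct.pack("!BBHH", ver_type, code, 0, len(payload))
    return dst + src + struct.pack("!H", ETHERTYPE_PPPOE_DISC) + header + payload

def parse_discovery(frame):
    """Parse Ethernet + PPPoE headers and TLV tags; ValueError text mirrors pppoe-error."""
    if len(frame) < 20:
        raise ValueError("cannot grow packet")            # truncated header
    dst, src, ethertype = frame[0:6], frame[6:12], int.from_bytes(frame[12:14], "big")
    if ethertype != ETHERTYPE_PPPOE_DISC:
        raise ValueError("Cannot find PPPoE info")
    ver_type, code, session, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != PPPOE_VER_TYPE:
        raise ValueError("Bad version or type - dropping packet")
    payload = frame[20:20 + length]
    if len(payload) < length:
        raise ValueError("cannot grow packet")            # length field overruns frame
    tags, pos = {}, 0
    while pos + 4 <= length:
        tag_type, tag_len = struct.unpack("!HH", payload[pos:pos + 4])
        if pos + 4 + tag_len > length:
            raise ValueError("cannot grow packet")        # tag overruns payload
        tags.setdefault(tag_type, []).append(payload[pos + 4:pos + 4 + tag_len])
        pos += 4 + tag_len
    return {"dst": dst, "src": src, "code": code, "session": session, "tags": tags}

class AccessConcentrator:
    """Discovery-stage handling on the access concentrator side."""

    def __init__(self, ac_name, max_per_mac, secret):
        self.ac_name, self.max_per_mac, self.secret = ac_name, max_per_mac, secret
        self.sessions_per_mac, self.next_session = Counter(), 1

    def cookie_for(self, host_mac):
        # AC-Cookie as a keyed MAC over the host address, so a PADR can be verified
        # without per-PADI state (the anti-DoS use of the tag in RFC 2516).
        return hmac.new(self.secret, host_mac, hashlib.sha256).digest()[:16]

    def handle(self, frame):
        """Return ("PADO", reply_frame), ("session", id) or ("drop", reason)."""
        try:
            pkt = parse_discovery(frame)
        except ValueError as err:
            return ("drop", str(err))
        src, tags = pkt["src"], pkt["tags"]
        if src in (BROADCAST, b"\x00" * 6):
            return ("drop", "Bad MAC address - dropping packet")
        if pkt["code"] == CODE_PADI:
            if TAG_SERVICE_NAME not in tags:               # RFC 2516: PADI carries one
                return ("drop", "PADI has no service name tag")
            reply = [(TAG_SERVICE_NAME, tags[TAG_SERVICE_NAME][0]),
                     (TAG_AC_NAME, self.ac_name), (TAG_AC_COOKIE, self.cookie_for(src))]
            return ("PADO", build_discovery(src, AC_MAC, CODE_PADO, reply))
        if pkt["code"] == CODE_PADR:
            cookies = tags.get(TAG_AC_COOKIE, [])
            if not cookies or not hmac.compare_digest(cookies[0], self.cookie_for(src)):
                return ("drop", "Bad cookie")
            if self.sessions_per_mac[src] >= self.max_per_mac:
                return ("drop", "Max session count on mac elem exceeded")
            self.sessions_per_mac[src] += 1
            sid, self.next_session = self.next_session, self.next_session + 1
            return ("session", sid)
        return ("drop", "unexpected discovery code 0x%02x" % pkt["code"])

def run_scenario():
    """One good PADI/PADR exchange followed by four faulty frames; returns outcomes."""
    ac = AccessConcentrator(b"ac-example", max_per_mac=1, secret=b"constructed-secret")
    out = []
    padi = build_discovery(BROADCAST, HOST_MAC, CODE_PADI, [(TAG_SERVICE_NAME, b"")])
    kind, pado = ac.handle(padi)
    out.append(kind)                                          # "PADO"
    cookie = parse_discovery(pado)["tags"][TAG_AC_COOKIE][0]  # host echoes the cookie
    padr = build_discovery(AC_MAC, HOST_MAC, CODE_PADR, [(TAG_SERVICE_NAME, b""),
                           (TAG_AC_NAME, b"ac-example"), (TAG_AC_COOKIE, cookie)])
    out.append(ac.handle(padr)[0])                            # "session"
    out.append(ac.handle(padr)[1])                            # replayed PADR: limit hit
    out.append(ac.handle(build_discovery(BROADCAST, HOST_MAC, CODE_PADI, []))[1])
    forged = build_discovery(AC_MAC, HOST_MAC, CODE_PADR, [(TAG_AC_COOKIE, b"\x00" * 16)])
    out.append(ac.handle(forged)[1])                          # cookie we never issued
    out.append(ac.handle(build_discovery(BROADCAST, HOST_MAC, CODE_PADI,
                                         [(TAG_SERVICE_NAME, b"")], ver_type=0x21))[1])
    return out
```

Calling run_scenario() yields one "PADO", one "session" and then the four drop reasons, in the order the faulty frames are fed.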

Related Commands

debug vpdn pppoe-data
Displays data packets of PPPoE sessions.

debug vpdn pppoe-error
Displays PPPoE protocol errors that prevent a session from being established or errors that cause an established session to be closed.

debug vpdn pppoe-events
Displays PPPoE protocol messages about events that are part of normal session establishment or shutdown.

protocol (VPDN)
Specifies the L2TP that the VPDN subgroup will use.

show vpdn
Displays information about active L2F protocol tunnel and message identifiers in a VPDN.

vpdn enable
Enables virtual private dialup networking on the router and informs the router to look for tunnel definitions in a local database and on a remote authorization server (home gateway), if one is present.

debug vpdn
To display debug traces for the virtual private dialup networks (VPDN), which provide PPP tunnels using the Layer 2 Forwarding (L2F) Protocol, use the debug vpdn command in privileged EXEC mode. The no form of this command disables debugging output.

debug vpdn {error | event [disconnected] | l2tp-sequencing | l2x-data | l2x-errors | l2x-events | l2x-packets | packet [errors] | pppoe-data | pppoe-errors | pppoe-events | pppoe-packets}
no debug vpdn {error | event [disconnected] | l2tp-sequencing | l2x-data | l2x-errors | l2x-events | l2x-packets | packet [errors] | pppoe-data | pppoe-errors | pppoe-events | pppoe-packets}

Syntax Description
error

Displays VPDN protocol errors.

event

Displays VPDN events.

disconnected

(Optional) Displays VPDN disconnect reasons.

l2tp-sequencing

Displays Layer 2 Tunneling Protocol (L2TP) sequencing.

l2x-data

Displays L2F Protocol and L2TP data packets.

l2x-errors

Displays L2F Protocol and L2TP protocol errors.

l2x-events

Displays L2F Protocol and L2TP protocol events.

l2x-packets

Displays L2F Protocol and L2TP control packets.

packet

Displays VPDN packets.

errors

(Optional) Displays VPDN packet errors.

pppoe-data

Displays PPP over Ethernet (PPPoE) data packets.

pppoe-errors

Displays PPPoE protocol errors.

pppoe-events

Displays PPPoE protocol events.

pppoe-packets

Displays PPPoE control packets.

Examples
The following is sample output for the natural sequence of events for an L2TP network server (LNS) named stella:
Router# debug vpdn event
20:47:33: %LINK-3-UPDOWN: Interface Async7, changed state to up
20:47:35: As7 VPDN: Looking for tunnel -- cisco.com --
20:47:35: As7 VPDN: Get tunnel info for cisco.com with NAS stella, IP 172.21.9.13
20:47:35: As7 VPDN: Forward to address 172.21.9.13
20:47:35: As7 VPDN: Forwarding...
20:47:35: As7 VPDN: Bind interface direction=1
20:47:35: Tnl/Cl 8/1 L2TP: Session FS enabled
20:47:35: Tnl/Cl 8/1 L2TP: Session state change from idle to wait-for-tunnel
20:47:35: As7 8/1 L2TP: Create session
20:47:35: Tnl 8 L2TP: SM State idle
20:47:35: Tnl 8 L2TP: Tunnel state change from idle to wait-ctl-reply
20:47:35: Tnl 8 L2TP: SM State wait-ctl-reply
20:47:35: As7 VPDN: bum1@cisco.com is forwarded
20:47:35: Tnl 8 L2TP: Got a challenge from remote peer, stella
20:47:35: Tnl 8 L2TP: Got a response from remote peer, stella
20:47:35: Tnl 8 L2TP: Tunnel Authentication success
20:47:35: Tnl 8 L2TP: Tunnel state change from wait-ctl-reply to established
20:47:35: Tnl 8 L2TP: SM State established
20:47:35: As7 8/1 L2TP: Session state change from wait-for-tunnel to wait-reply
20:47:35: As7 8/1 L2TP: Session state change from wait-reply to established
20:47:36: %LINEPROTO-5-UPDOWN: Line protocol on Interface Async7, changed state to up

The following shows sample debug output on the L2TP access concentrator (LAC) named stella:

Router# debug vpdn event
20:19:17: L2TP: I SCCRQ from stella tnl 8
20:19:17: L2X: Never heard of stella
20:19:17: Tnl 7 L2TP: New tunnel created for remote stella, address 172.21.9.4
20:19:17: Tnl 7 L2TP: Got a challenge in SCCRQ, stella
20:19:17: Tnl 7 L2TP: Tunnel state change from idle to wait-ctl-reply
20:19:17: Tnl 7 L2TP: Got a Challenge Response in SCCCN from stella
20:19:17: Tnl 7 L2TP: Tunnel Authentication success
20:19:17: Tnl 7 L2TP: Tunnel state change from wait-ctl-reply to established
20:19:17: Tnl 7 L2TP: SM State established
20:19:17: Tnl/Cl 7/1 L2TP: Session FS enabled
20:19:17: Tnl/Cl 7/1 L2TP: Session state change from idle to wait-for-tunnel
20:19:17: Tnl/Cl 7/1 L2TP: New session created
20:19:17: Tnl/Cl 7/1 L2TP: O ICRP to stella 8/1
20:19:17: Tnl/Cl 7/1 L2TP: Session state change from wait-for-tunnel to wait-connect
20:19:17: Tnl/Cl 7/1 L2TP: Session state change from wait-connect to established
20:19:17: Vi1 VPDN: Virtual interface created for bum1@cisco.com
20:19:17: Vi1 VPDN: Set to Async interface
20:19:17: Vi1 VPDN: Clone from Vtemplate 1 filterPPP=0 blocking
20:19:18: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
20:19:18: Vi1 VPDN: Bind interface direction=2
20:19:18: Vi1 VPDN: PPP LCP accepting rcv CONFACK
20:19:19: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up

Related Commands

debug aaa authentication
Displays information on AAA/TACACS+ authentication.

Command Name: no cdp enable
Mode: router(config-if)#
Syntax:
cdp enable
no cdp enable
Syntax Description: This command has no arguments or keywords.
Command Description: To enable Cisco Discovery Protocol (CDP) on an interface, use the cdp enable interface configuration command. To disable CDP on an interface, use the no form of this command.
Usage Guidelines: CDP is enabled by default at the global level and on each supported interface in order to send or receive CDP information. However, some interfaces, such as ATM interfaces, do not support CDP. Using the no form of this command can be useful for security.
Example: router(config-if)#cdp enable
Misconceptions: none
Related commands: cdp run
Sample Configurations:

Command Name: no cdp run
Mode: router(config)#
Syntax:
cdp run
no cdp run
Syntax Description: This command has no arguments or keywords.
Command Description: To enable Cisco Discovery Protocol (CDP), use the cdp run global configuration command. To disable CDP, use the no form of this command.
Usage Guidelines: CDP is enabled on your router by default, which means the Cisco IOS software will receive CDP information. CDP also is enabled on supported interfaces by default. To disable CDP on an interface, use the no cdp enable interface configuration command. Using the no form of this command can be useful for security.
Example: router(config)#no cdp run
Misconceptions: none
Related commands: cdp enable
Sample Configurations:
no cdp run
!
line con 0
 exec-timeout 0 0
 logging synchronous
 login local
 transport input none
line aux 0
 no exec
 login local
line vty 0 4
 access-class 1 in
 login local
!
end

Command Name: no ip directed-broadcast
Mode: router(config-if)#
Syntax:
ip directed-broadcast [access-list-number] | [extended access-list-number]
no ip directed-broadcast [access-list-number] | [extended access-list-number]
Syntax Description:
access-list-number (Optional) Standard access list number in the range from 1 to 199. If specified, a broadcast must pass the access list to be forwarded.
extended access-list-number (Optional) Extended access list number in the range from 1300 to 2699.
Command Description: To enable the translation of a directed broadcast to physical broadcasts, use the ip directed-broadcast interface configuration command. To disable this function, use the no form of this command.
Usage Guidelines: An IP directed broadcast is an IP packet whose destination address is a valid broadcast address for some IP subnet, but which originates from a node that is not itself part of that destination subnet. A router that is not directly connected to its destination subnet forwards an IP directed broadcast in the same way it would forward unicast IP packets destined to a host on that subnet. When a directed broadcast packet reaches a router that is directly connected to its destination subnet, that packet is "exploded" as a broadcast on the destination subnet. The destination address in the IP header of the packet is rewritten to the configured IP broadcast address for the subnet, and the packet is sent as a link-layer broadcast.
The ip directed-broadcast interface command controls the explosion of directed broadcasts when they reach their target subnets. The command affects only the final transmission of the directed broadcast on its ultimate destination subnet. It does not affect the transit unicast routing of IP directed broadcasts.
If directed broadcast is enabled for an interface, incoming IP packets whose addresses identify them as directed broadcasts intended for the subnet to which that interface is attached will be exploded as broadcasts on that subnet. If an access list has been configured with the ip directed-broadcast command, only directed broadcasts that are permitted by the access list in question will be forwarded; all other directed broadcasts destined for the interface subnet will be dropped. If the no ip directed-broadcast command has been configured for an interface, directed broadcasts destined for the subnet to which that interface is attached will be dropped, rather than being broadcast.
Note: Because directed broadcasts, and particularly Internet Control Message Protocol (ICMP) directed broadcasts, have been abused by malicious persons, we recommend that security-conscious users disable the ip directed-broadcast command on any interface where directed broadcasts are not needed and that they use access lists to limit the number of exploded packets.
Example: router(config-if)#no ip directed-broadcast
Misconceptions: none
Related commands: none
Sample Configurations:
!
interface FastEthernet0
 ip address 192.168.1.2 255.255.255.0
 ip access-group 102 in
 no ip redirects
 no ip unreachables
 no ip directed-broadcast
 no ip proxy-arp
 no ip route-cache
 no ip mroute-cache
!

Command Name: no ip finger
Mode: router(config)#
Syntax:
ip finger [rfc-compliant]
no ip finger
Syntax Description:
rfc-compliant (Optional) Configures the system to wait for "Return" or "/W" input when processing Finger requests. This keyword should not be used for those systems.
Command Description: To configure a system to accept Finger protocol requests (defined in RFC 742), use the ip finger global configuration command. To disable this service, use the no form of this command.
Usage Guidelines: The Finger service allows remote users to view the output equivalent to the show users [wide] command. When ip finger is configured, the router will respond to a telnet a.b.c.d finger command from a remote host by immediately displaying the output of the show users command and then closing the connection. When the ip finger rfc-compliant command is configured, the router will wait for input before displaying anything (as required by RFC 1288). The remote user can then enter the Return key to display the output of the show users EXEC command, or enter /W to display the output of the show users wide EXEC command. After this information is displayed, the connection is closed.
Note: As with all minor services, the Finger service should be disabled on your system if you do not have a need for it in your network.
Note: Any network device that has UDP, TCP, BOOTP, or Finger services should be protected by a firewall or have the services disabled to protect against Denial of Service attacks. Because of the potential for hung lines, the rfc-compliant form of this command should not be configured for devices with more than 20 simultaneous users.
Example: router(config)# no ip finger
Misconceptions: none
Related commands: service finger
Sample Configurations:
!
username student password 0 cisco
memory-size iomem 25
clock timezone PST -8
clock summer-time zone recurring
ip subnet-zero
no ip source-route
no ip finger
ip tcp selective-ack
ip tcp path-mtu-discovery
no ip domain-lookup
!

Command Name: no ip http server
Mode: router(config)#
Syntax:
ip http server
no ip http server
Syntax Description: This command has no arguments or keywords.
Command Description: To enable the Cisco Web browser UI on a router or access server, use the ip http server global configuration command. To disable this feature, use the no form of this command. Using the no form of this command can be useful for security.
Example: router(config)#ip http server
Misconceptions: none
Related commands: none
Sample Configurations:
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.1.2
no ip http server
!

Command Name: no ip mroute-cache
Mode: router(config-if)#
Syntax:
ip mroute-cache [distributed]
no ip mroute-cache [distributed]
Syntax Description:
distributed (Optional) Enables MDS on the interface. In the case of RSP, this keyword is optional; if it is omitted, fast switching occurs. On the GSR, this keyword is required because the GSR does only distributed switching.
Command Description: To configure IP multicast fast switching or multicast distributed switching (MDS), use the ip mroute-cache command in interface configuration mode. To disable either of these features, use the no form of this command. Using the no form of this command can be useful for security.
Example: router(config-if)#no ip mroute-cache
Misconceptions: none
Related commands: none
Sample Configurations:
interface FastEthernet0
 ip address 192.168.1.2 255.255.255.0
 ip access-group 102 in
 no ip redirects
 no ip unreachables
 no ip directed-broadcast
 no ip proxy-arp
 no ip route-cache
 no ip mroute-cache

Command Name: no ip proxy-arp
Mode: router(config-if)#
Syntax:
ip proxy-arp
no ip proxy-arp
Syntax Description: This command has no arguments or keywords.
Command Description: To enable proxy Address Resolution Protocol (ARP) on an interface, use the ip proxy-arp interface configuration command. To disable proxy ARP on the interface, use the no form of this command.
Example: router(config-if)#no ip proxy-arp
Misconceptions: none
Related commands: none
Sample Configurations:
!
interface FastEthernet0
 ip address 192.168.1.2 255.255.255.0
 ip access-group 102 in
 no ip redirects
 no ip unreachables
 no ip directed-broadcast
 no ip proxy-arp
 no ip route-cache
 no ip mroute-cache
!

Command Name: no ip redirects
Mode: router(config-if)#
Syntax:
ip redirects
no ip redirects
Syntax Description: This command has no arguments or keywords.
Command Description: To enable the sending of Internet Control Message Protocol (ICMP) redirect messages if the Cisco IOS software is forced to resend a packet through the same interface on which it was received, use the ip redirects interface configuration command. To disable the sending of redirect messages, use the no form of this command. Using the no form of this command can be useful for security.
Example: router(config-if)#no ip redirects
Misconceptions: none
Related commands: none
Sample Configurations:
!
interface FastEthernet0
 ip address 192.168.1.2 255.255.255.0
 ip access-group 102 in
 no ip redirects
 no ip unreachables
 no ip directed-broadcast
 no ip proxy-arp
 no ip route-cache
 no ip mroute-cache
!

Command Name: no ip source-route
Mode: router(config)#
Syntax:
ip source-route
no ip source-route
Syntax Description: This command has no arguments or keywords.
Command Description: To allow the Cisco IOS software to handle IP datagrams with source routing header options, use the ip source-route global configuration command. To have the software discard any IP datagram containing a source-route option, use the no form of this command. Using the no form of this command can be useful for security.
Example: router(config)#no ip source-route
Misconceptions: none
Related commands: none
Sample Configurations:
!
username student password 0 cisco
memory-size iomem 25
clock timezone PST -8
clock summer-time zone recurring
ip subnet-zero
no ip source-route
no ip finger
ip tcp selective-ack
ip tcp path-mtu-discovery
no ip domain-lookup
!

Command Name: no ip unreachables
Mode: router(config-if)#
Syntax:
ip unreachables
no ip unreachables
Syntax Description: This command has no arguments or keywords.
Command Description: To enable the generation of Internet Control Message Protocol (ICMP) unreachable messages, use the ip unreachables interface configuration command. To disable this function, use the no form of this command. If the Cisco IOS software receives a nonbroadcast packet destined for itself that uses a protocol it does not recognize, it sends an ICMP unreachable message to the source. If the software receives a datagram that it cannot deliver to its ultimate destination because it knows of no route to the destination address, it replies to the originator of that datagram with an ICMP host unreachable message. This command affects all types of ICMP unreachable messages. Using the no form of this command can be useful for security.
Example: router(config-if)#no ip unreachables
Misconceptions: none
Related commands: none
Sample Configurations:
!
interface FastEthernet0
 ip address 192.168.1.2 255.255.255.0
 ip access-group 102 in
 no ip redirects
 no ip unreachables
 no ip directed-broadcast
 no ip proxy-arp
 no ip route-cache
 no ip mroute-cache
!

Command Name: no service finger
Mode: router(config)#
Syntax:
service finger
no service finger
Syntax Description: This command has no arguments or keywords.
Command Description: The service finger command has been replaced by the ip finger command. However, the service finger and no service finger commands continue to function to maintain backward compatibility with older versions of Cisco IOS software. Support for this command may be removed in a future release. See the description of the ip finger command in this chapter for more information.
Example:
Misconceptions: none
Related commands: ip finger
Sample Configurations:

Command Name: no service tcp-small-servers
Mode: router(config)#
Syntax:
service tcp-small-servers
no service tcp-small-servers
Syntax Description: This command has no arguments or keywords.
Command Description: To access minor TCP/IP services available from hosts on the network, use the service tcp-small-servers global configuration command. To disable these services, use the no form of the command.
Usage Guidelines: By default, the TCP servers for Echo, Discard, Chargen, and Daytime services are disabled. When the minor TCP/IP servers are disabled, access to the Echo, Discard, Chargen, and Daytime ports causes the Cisco IOS software to send a TCP RESET packet to the sender and discard the original incoming packet.
Example: router(config)#no service tcp-small-servers
Misconceptions: none
Related commands: none
Sample Configurations:
version xx.x
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service udp-small-servers
no service tcp-small-servers
!
hostname NAS
!

Command Name: no service udp-small-servers
Mode: router(config)#
Syntax:
service udp-small-servers
no service udp-small-servers
Syntax Description: This command has no arguments or keywords.
Command Description: To access minor User Datagram Protocol (UDP) services available from hosts on the network, use the service udp-small-servers global configuration command. To disable these services, use the no form of this command.
Usage Guidelines: By default the UDP servers for Echo, Discard, and Chargen services are disabled. When the servers are disabled, access to Echo, Discard, and Chargen ports causes the Cisco IOS software to send an "ICMP port unreachable" message to the sender and discard the original incoming packet.
Example: router(config)#no service udp-small-servers
Misconceptions: none
Related commands: none
Sample Configurations:
version xx.x
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service udp-small-servers
no service tcp-small-servers
!
hostname NAS
!

Command Name: no snmp-server
Mode: router(config)#
Syntax:
no snmp-server
Syntax Description: This command has no arguments or keywords.
Command Description: To disable Simple Network Management Protocol (SNMP) agent operation, use the no snmp-server global configuration command. This command disables all running versions of SNMP (SNMPv1, SNMPv2C, and SNMPv3) on the device.
Example: router(config)# no snmp-server
Misconceptions: none
Related commands: none
Sample Configurations:

Command Name: ip ftp passive
Mode: router(config)#
Syntax:
ip ftp passive
no ip ftp passive
Syntax Description: This command has no arguments or keywords.
Command Description: To configure the router to use only passive File Transfer Protocol (FTP) connections, use the ip ftp passive global configuration command. To allow all types of FTP connections, use the no form of this command.
Example: The following example configures the router to use only passive FTP connections:
router(config)#ip ftp passive
Misconceptions: none
Related commands:
ip ftp password
ip ftp source-interface
ip ftp username
Sample Configurations:

Command Name: ip ftp password
Mode: router(config)#
Syntax:
ip ftp password [type] password
no ip ftp password
Syntax Description:
type (Optional) Type of encryption to use on the password. A value of 0 disables encryption. A value of 7 indicates proprietary encryption.
password Password to use for FTP connections.
Command Description: To specify the password to be used for File Transfer Protocol (FTP) connections, use the ip ftp password global configuration command. To return the password to its default, use the no form of this command.
Example: The following example configures the router to use the username red and the password blue for FTP connections:
router(config)#ip ftp username red
router(config)#ip ftp password blue
Misconceptions: none
Related commands:
ip ftp password
ip ftp source-interface
ip ftp username
Sample Configurations:

Command Name: ip ftp source-interface
Mode: router(config)#
Syntax:
ip ftp source-interface interface
no ip ftp source-interface
Syntax Description:
interface The interface type and number to use to obtain the source address for FTP connections.
Command Description: To specify the source IP address for File Transfer Protocol (FTP) connections, use the ip ftp source-interface global configuration command. To use the address of the interface where the connection is made, use the no form of this command.
Example: The following example configures the router to use the IP address associated with the Ethernet 0 interface as the source address on all FTP packets, regardless of which interface is actually used to send the packet:
router(config)#ip ftp source-interface ethernet 0
Misconceptions: none
Related commands:
ip ftp passive
ip ftp password
ip ftp username
Sample Configurations:

Command Name: ip ftp username
Mode: router(config)#
Syntax:
ip ftp username username
no ip ftp username
Syntax Description:
username Username for FTP connections.
Command Description: To configure the username for File Transfer Protocol (FTP) connections, use the ip ftp username global configuration command. To configure the router to attempt anonymous FTP, use the no form of this command. The remote username must be associated with an account on the destination server.
Example: In the following example, the router is configured to use the username "red" and the password "blue" for FTP connections:
router(config)# ip ftp username red
router(config)# ip ftp password blue
Misconceptions: none
Related commands:
ip ftp passive
ip ftp password
ip ftp source-interface
Sample Configurations:
!
resource-pool disable
dial-tdm-clock priority 1 trunk-slot 1 port 0
spe link-info poll voice 5
spe default-firmware spe-firmware-1
ip subnet-zero
ip cef distributed
ip ftp username mgcusr
ip ftp password lab
no ip domain lookup
ip host colos_tftp 10.100.00.00
ip host brios 255.255.255.255
ip dhcp smart-relay
!

Command Name: tunnel checksum
Mode: router(config-if)#
Syntax:
tunnel checksum
no tunnel checksum
Syntax Description: This command has no arguments or keywords.
Command Description: To enable encapsulator-to-decapsulator checksumming of packets on a tunnel interface, use the tunnel checksum interface configuration command. To disable checksumming, use the no form of this command.
Usage Guidelines: This command currently applies to generic route encapsulation (GRE) only. Some passenger protocols rely on media checksums to provide data integrity. By default, the tunnel does not guarantee packet integrity. By enabling end-to-end checksums, the routers will drop corrupted packets.
Example: In the following example, all protocols will have encapsulator-to-decapsulator checksumming of packets on the tunnel interface:
router(config-if)# tunnel checksum
Misconceptions: none
Related commands: none
Sample Configurations:
!
interface tunnel 0
 novell network 1e
 appletalk cable-range 4001-4001 128
 ip address 10.1.2.3 255.255.255.0
 DECnet cost 4
 tunnel source ethernet 0
 tunnel destination 131.108.14.12
 tunnel mode gre
 tunnel checksum needed
 tunnel key 42
 tunnel sequence-datagrams

Command Name: tunnel destination
Mode: router(config-if)#
Syntax:
tunnel destination {hostname | ip-address}
no tunnel destination
Syntax Description:
hostname Name of the host destination.
ip-address IP address of the host destination expressed in decimal in four-part, dotted notation.
Command Description: To specify the destination for a tunnel interface, use the tunnel destination interface configuration command. To remove the destination, use the no form of this command.
Usage Guidelines: You cannot have two tunnels using the same encapsulation mode with exactly the same source and destination address. The workaround is to create a loopback interface and source packets off of the loopback interface.
Example: router(config-if)# tunnel destination 10.108.164.19
Misconceptions: none
Related commands:
tunnel mode
tunnel source
Sample Configurations:
!
interface tunnel 0
 novell network 1e
 appletalk cable-range 4001-4001 128
 ip address 10.1.2.3 255.255.255.0
 DECnet cost 4
 tunnel source ethernet 0
 tunnel destination 131.108.14.12
 tunnel mode gre
 tunnel checksum needed
 tunnel key 42
 tunnel sequence-datagrams

Command Name: tunnel key
Mode: router(config-if)#
Syntax:
tunnel key key-number
no tunnel key
Syntax Description:
key-number Number from 0 to 4,294,967,295 that identifies the tunnel key.
Command Description: To enable an ID key for a tunnel interface, use the tunnel key interface configuration command. To remove the ID key, use the no form of this command.
Usage Guidelines: This command currently applies to generic route encapsulation (GRE) only. Tunnel ID keys can be used as a form of weak security to prevent improper configuration or injection of packets from a foreign source.
Note: IP multicast traffic is not supported when a tunnel ID key is configured unless the traffic is process-switched. You must configure the no ip mroute-cache command in interface configuration mode on the interface if an ID key is configured. This note applies only to Cisco IOS Release 12.0 and earlier releases.
Note: When GRE is used, the ID key is carried in each packet. We do not recommend relying on this key for security purposes.
Example: The following example sets the tunnel key to 3:
router(config-if)# tunnel key 3
Misconceptions: none
Related commands: none
Sample Configurations:
!
interface tunnel 0
 novell network 1e
 appletalk cable-range 4001-4001 128
 ip address 10.1.2.3 255.255.255.0
 DECnet cost 4
 tunnel source ethernet 0
 tunnel destination 131.108.14.12
 tunnel mode gre
 tunnel checksum needed
 tunnel key 42
 tunnel sequence-datagrams

Command Name: tunnel mode
Mode: router(config-if)#
Syntax: tunnel mode {aurp | cayman | dvmrp | eon | gre | ipip | iptalk | mpls | nos}
no tunnel mode
Syntax Description:
aurp      AppleTalk Update Routing Protocol (AURP).
cayman    Cayman TunnelTalk AppleTalk encapsulation.
dvmrp     Distance Vector Multicast Routing Protocol.
eon       EON compatible CLNS tunnel.
gre       Generic routing encapsulation (GRE) protocol. This is the default.
ipip      IP over IP encapsulation.
iptalk    Apple IPTalk encapsulation.
mpls      MPLS encapsulation.
nos       KA9Q/NOS compatible IP over IP.
Command Description: To set the encapsulation mode for the tunnel interface, use the tunnel mode interface configuration command. To restore the default, use the no form of this command.
Usage Guidelines: You cannot have two tunnels using the same encapsulation mode with exactly the same source and destination address. The workaround is to create a loopback interface and source packets off of the loopback interface.
Cayman tunneling implements tunneling as designed by Cayman Systems. This enables Cisco routers to interoperate with Cayman GatorBoxes. With Cayman tunneling, you can establish tunnels between two routers or between a Cisco router and a GatorBox. When using Cayman tunneling, you must not configure the tunnel with an AppleTalk network address. This means that there is no way to ping the other end of the tunnel.
Use DVMRP when a router connects to an mrouted router to run DVMRP over a tunnel. You must configure Protocol-Independent Multicast (PIM) and an IP address on a DVMRP tunnel.
GRE (generic routing encapsulation) tunneling can be done between Cisco routers only. When using GRE tunneling for AppleTalk, you configure the tunnel with an AppleTalk network address. This means that you can ping the other end of the tunnel.
Example: router(config-if)# tunnel mode gre ip
Misconceptions: none
Related commands: tunnel destination, tunnel source
Sample Configurations:
!
interface tunnel 0
novell network 1e
appletalk cable-range 4001-4001 128
ip address 10.1.2.3 255.255.255.0
decnet cost 4
tunnel source ethernet 0
tunnel destination 131.108.14.12
tunnel mode gre ip
tunnel checksum needed
tunnel key 42
tunnel sequence-datagrams

Command Name: tunnel sequence-datagrams
Mode: router(config-if)#
Syntax: tunnel sequence-datagrams
no tunnel sequence-datagrams
Syntax Description: This command has no arguments or keywords.
Command Description: To configure a tunnel interface to drop datagrams that arrive out of order, use the tunnel sequence-datagrams interface configuration command. To disable this function, use the no form of this command.
Usage Guidelines: This command currently applies to generic routing encapsulation (GRE) only. This command is useful when carrying passenger protocols that behave poorly when they receive packets out of order (for example, LLC2-based protocols).
Example: The following example configures the tunnel to drop datagrams that arrive out of order:
router(config-if)# tunnel sequence-datagrams
Misconceptions: none
Related commands: none
Sample Configurations:
!
interface tunnel 0
novell network 1e
appletalk cable-range 4001-4001 128
ip address 10.1.2.3 255.255.255.0
decnet cost 4
tunnel source ethernet 0
tunnel destination 131.108.14.12
tunnel mode gre
tunnel checksum needed
tunnel key 42
tunnel sequence-datagrams
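As an added example (not code from the Cisco reference), the following Python builds and parses the GRE header that tunnel key, tunnel checksum and tunnel sequence-datagrams act on, and models the receive-side checks: it shows that the ID key is readable in every packet, which is why the reference calls it weak security, and how out-of-order datagrams are dropped. Flag bit positions follow RFC 2784/2890; the receiver model is a simplification that ignores 32-bit sequence wraparound.

```python
"""Added example (not Cisco code): the GRE header that `tunnel key`,
`tunnel checksum` and `tunnel sequence-datagrams` act on, plus a model of
the receive-side checks. Flag bits follow RFC 2784/2890."""
import struct

GRE_FLAG_CHECKSUM = 0x8000  # C bit: checksum + reserved word follow the header
GRE_FLAG_KEY = 0x2000       # K bit: 32-bit key (tunnel key) present
GRE_FLAG_SEQ = 0x1000       # S bit: 32-bit sequence number present
ETHERTYPE_IPV4 = 0x0800     # passenger protocol for "tunnel mode gre ip"


def inet_checksum(data):
    """Standard 16-bit ones' complement Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_gre_packet(protocol, payload, key=None, seq=None, checksum=False):
    """Return GRE header + payload. The key is written as a plain 32-bit
    integer: anyone who can observe the packet can read it, which is why
    the reference does not treat it as a security control."""
    flags, optional = 0, b""
    if key is not None:
        flags |= GRE_FLAG_KEY
        optional += struct.pack("!I", key)
    if seq is not None:
        flags |= GRE_FLAG_SEQ
        optional += struct.pack("!I", seq)
    if not checksum:
        return struct.pack("!HH", flags, protocol) + optional + payload
    flags |= GRE_FLAG_CHECKSUM
    # Checksum covers header (field zeroed) and payload; reserved word is 0.
    draft = struct.pack("!HHHH", flags, protocol, 0, 0) + optional + payload
    csum = inet_checksum(draft)
    return struct.pack("!HHHH", flags, protocol, csum, 0) + optional + payload


def parse_gre_packet(data):
    """Parse a GRE packet into its fields; raises ValueError when malformed."""
    if len(data) < 4:
        raise ValueError("truncated GRE header")
    flags, protocol = struct.unpack("!HH", data[:4])
    if flags & 0x0007:  # version must be 0 (1 is PPTP enhanced GRE)
        raise ValueError("unsupported GRE version %d" % (flags & 0x0007))
    present = [f for f in (GRE_FLAG_CHECKSUM, GRE_FLAG_KEY, GRE_FLAG_SEQ) if flags & f]
    if len(data) < 4 + 4 * len(present):
        raise ValueError("truncated GRE header")
    info = {"protocol": protocol, "key": None, "seq": None, "checksum_ok": None}
    offset = 4
    if flags & GRE_FLAG_CHECKSUM:
        # A valid packet sums (ones' complement) to zero over header + payload.
        info["checksum_ok"] = inet_checksum(data) == 0
        offset += 4
    if flags & GRE_FLAG_KEY:
        info["key"] = struct.unpack("!I", data[offset:offset + 4])[0]
        offset += 4
    if flags & GRE_FLAG_SEQ:
        info["seq"] = struct.unpack("!I", data[offset:offset + 4])[0]
        offset += 4
    info["header_len"] = offset
    info["payload"] = data[offset:]
    return info


class TunnelReceiver:
    """Models the receive side of a tunnel configured with `tunnel key` and,
    optionally, `tunnel sequence-datagrams`. Simplification (assumption of
    this example): sequence numbers never wrap around 2**32."""

    def __init__(self, key=None, sequence_datagrams=False):
        self.key = key
        self.sequence_datagrams = sequence_datagrams
        self.last_seq = None
        self.stats = {"accepted": 0, "bad_key": 0, "bad_checksum": 0,
                      "out_of_order": 0}

    def receive(self, packet):
        """Return True if the datagram is accepted, False if dropped."""
        info = parse_gre_packet(packet)
        if self.key is not None and info["key"] != self.key:
            self.stats["bad_key"] += 1            # wrong or missing tunnel key
            return False
        if info["checksum_ok"] is False:
            self.stats["bad_checksum"] += 1
            return False
        if self.sequence_datagrams:
            seq = info["seq"]
            if seq is None or (self.last_seq is not None and seq <= self.last_seq):
                self.stats["out_of_order"] += 1   # arrived out of order: drop
                return False
            self.last_seq = seq
        self.stats["accepted"] += 1
        return True
```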

Command Name: tunnel source
Mode: router(config-if)#
Syntax: tunnel source {ip-address | type number}
no tunnel source
Syntax Description:
ip-address    IP address to use as the source address for packets in the tunnel.
type          Interface type.
number        Specifies the port, connector, or interface card number. The numbers are assigned at the factory at the time of installation or when added to a system and can be displayed with the show interfaces command.
Command Description: To set the source address for a tunnel interface, use the tunnel source interface configuration command. To remove the source address, use the no form of this command.
Usage Guidelines:
Encapsulation Mode: Two tunnels cannot use the same encapsulation mode with exactly the same source and destination address. The workaround is to create a loopback interface and source packets off of the loopback interface.
IP Addresses: The IP address specified as the source address must be an address of an interface on the router. When using tunnels to Cayman boxes, you must set the tunnel source command to an explicit IP address on the same subnet as the Cayman box, not the tunnel itself.
Example: router(config-if)# tunnel source ethernet0
Misconceptions: none
Related commands: tunnel destination
Sample Configurations:
!
interface tunnel 0
novell network 1e
appletalk cable-range 4001-4001 128
ip address 10.1.2.3 255.255.255.0
decnet cost 4
tunnel source ethernet 0
tunnel destination 131.108.14.12
tunnel mode gre
tunnel checksum needed
tunnel key 42
tunnel sequence-datagrams

Command Name: tunnel udlr receive-only
Mode: router(config-if)#
Syntax: tunnel udlr receive-only type number
no tunnel udlr receive-only type number
Syntax Description:
type number    Interface type and number. The type and number arguments must match the unidirectional send-only interface type and number specified by the interface command. Thus, when packets are received over the tunnel, the upper layer protocols will treat the packets as if they are received over the unidirectional send-only interface.
Command Description: To configure a unidirectional, generic routing encapsulation (GRE) tunnel to act as a back channel that can receive messages, when another interface is configured for unidirectional link routing (UDLR) to send messages, use the tunnel udlr receive-only command in interface configuration mode. To remove the tunnel, use the no form of this command.
Usage Guidelines: Use this command to configure a router that has a unidirectional interface with send-only capabilities. One example of when you might configure this command is if you have traffic traveling via a satellite. The type and number arguments must match the send-only interface type and number specified by the interface command. You must configure the tunnel udlr send-only command at the opposite end of the tunnel. If you have a large number of receivers, you should configure UDLR by an alternative means: Internet Group Management Protocol (IGMP) UDLR. See the description of the ip igmp unidirectional-link command earlier in this chapter.
Example: router(config-if)# tunnel udlr receive-only serial 0
Misconceptions: none
Related commands: interface, interface tunnel, tunnel udlr send-only
Sample Configurations:
ip multicast-routing
!
interface serial 0
encapsulation hdlc
ip address 10.1.0.1 255.255.0.0
ip pim sparse-dense-mode
!
interface tunnel 0
tunnel source ethernet 0
tunnel destination
tunnel udlr receive-only serial 0
!
router ospf
network 10.0.0.0 0.255.255.255 area 0

Command Name: tunnel udlr send-only
Mode: router(config-if)#
Syntax: tunnel udlr send-only type number
no tunnel udlr send-only type number
Syntax Description:
type number    Interface type and number. The type and number arguments must match the unidirectional receive-only interface type and number specified by the interface command. Thus, when packets are sent by upper layer protocols over the interface, they will be redirected and sent over this GRE tunnel.
Command Description: To configure a unidirectional, generic routing encapsulation (GRE) tunnel to act as a back channel that can send messages, when another interface is configured for unidirectional link routing (UDLR) to receive messages, use the tunnel udlr send-only command in interface configuration mode. To remove the tunnel, use the no form of this command.
Usage Guidelines: Use this command to configure a router that has a unidirectional interface with receive-only capabilities. The UDLR tunnel will act as a back channel. One example of when you might configure this command is if you have traffic traveling via a satellite. The type and number arguments must match the receive-only interface type and number specified by the interface command. You must configure the tunnel udlr receive-only command at the opposite end of the tunnel.
Example: router(config-if)# tunnel udlr send-only serial 1
Misconceptions: none
Related commands: interface, interface tunnel, tunnel udlr receive-only
Sample Configurations:
ip multicast-routing
!
! Serial1 has receive-only capability
!
interface serial 1
encapsulation hdlc
ip address 10.1.0.2 255.255.0.0
ip pim sparse-dense-mode
!
! Configure tunnel as send-only UDLR tunnel.
!
interface tunnel 0
tunnel source ethernet 0
tunnel destination
tunnel udlr send-only serial 1

Command Name: clear ip audit configuration
Mode: router#
Syntax: clear ip audit configuration
Syntax Description: This command has no arguments or keywords.
Command Description: To disable Cisco IOS Firewall IDS, remove all intrusion detection configuration entries, and release dynamic resources, use the clear ip audit configuration privileged EXEC command.
Usage Guidelines: Use the clear ip audit configuration privileged EXEC command to disable Cisco IOS Firewall IDS, remove all intrusion detection configuration entries, and release dynamic resources.
Example: The following example clears the existing IP audit configuration:
router#clear ip audit configuration
Misconceptions: none
Related commands: clear ip audit statistics
Sample Configurations:

Command Name: clear ip audit statistics
Mode: router#
Syntax: clear ip audit statistics
Syntax Description: This command has no arguments or keywords.
Command Description: To reset statistics on packets analyzed and alarms sent, use the clear ip audit statistics privileged EXEC command.
Example: The following example clears all IP audit statistics:
router#clear ip audit statistics
Misconceptions: none
Related commands: clear ip audit configuration
Sample Configurations:

Command Name: debug ip audit
Mode: router#
Syntax: debug ip audit {timers | object-creation | object-deletion | function-trace | detailed | ftp-cmd | ftp-token | icmp | ip | rpc | smtp | tcp | tftp | udp}
no debug ip audit {timers | object-creation | object-deletion | function-trace | detailed | ftp-cmd | ftp-token | icmp | ip | rpc | smtp | tcp | tftp | udp}
Syntax Description:
detailed           Audit detailed debug records
ftp-cmd            Audit FTP commands and responses
ftp-token          Audit FTP tokens
function-trace     Audit function trace
icmp               Audit ICMP packets
ip                 Audit IP packets
object-creation    Audit object creations
object-deletion    Audit object deletions
rpc                Audit RPC
smtp               Audit SMTP
tcp                Audit TCP
tftp               Audit TFTP
timers             Audit timer-related events
udp                Audit UDP
Command Description: To display debugging information about the integrated Intrusion Detection System (IDS) features on the router, use the debug ip audit command in privileged EXEC mode. Use the no form of the command to disable debugging for a given option.
Example:
Router# debug ip audit timers
Router# debug ip audit object-creation
Router# debug ip audit object-deletion
Router# debug ip audit function-trace
Router# debug ip audit detailed
Router# debug ip audit ftp-cmd
Router# debug ip audit ftp-token
Router# debug ip audit icmp
Router# debug ip audit ip
Router# debug ip audit rpc
Router# debug ip audit smtp
Router# debug ip audit tcp
Router# debug ip audit tftp
Router# debug ip audit udp
Misconceptions: none
Related commands: none
Sample Configurations:

Command Name: ip audit attack
Mode: router(config)#
Syntax: ip audit attack {action [alarm] [drop] [reset]}
no ip audit attack
Syntax Description:
action    Specifies an action for the attack signature to take in response to a match.
alarm     (Optional) Sends an alarm to the console, NetRanger Director, or to a syslog server. Used with the action keyword.
drop      (Optional) Drops the packet. Used with the action keyword.
reset     (Optional) Resets the TCP session. Used with the action keyword.
Command Description: To specify the default actions for attack signatures, use the ip audit attack global configuration command. To restore the default action for attack signatures, use the no form of this command.
Example: In the following example, the default action for attack signatures is set to all three actions:
router(config)#ip audit attack action alarm drop reset
Misconceptions: none
Related commands: none
Sample Configurations:

Command Name: ip audit info
Mode: router(config)#
Syntax: ip audit info {action [alarm] [drop] [reset]}
no ip audit info
Syntax Description:
action    Sets an action for the info signature to take in response to a match.
alarm     (Optional) Sends an alarm to the console, NetRanger Director, or to a syslog server. Used with the action keyword.
drop      (Optional) Drops the packet. Used with the action keyword.
reset     (Optional) Resets the TCP session. Used with the action keyword.
Command Description: To specify the default actions for info signatures, use the ip audit info global configuration command. To restore the default action for info signatures, use the no form of this command.
Example: In the following example, the default action for info signatures is set to all three actions:
router(config)#ip audit info action alarm drop reset
Misconceptions: none
Related commands: none
Sample Configurations:

Command Name: ip audit name
Mode: router(config)#
Syntax: ip audit name audit-name {info | attack} [list standard-acl] [action [alarm] [drop] [reset]]
no ip audit name audit-name {info | attack}
Syntax Description:
audit-name      Name for an audit specification.
info            Specifies that the audit rule is for info signatures.
attack          Specifies that the audit rule is for attack signatures.
list            (Optional) Specifies an ACL to attach to the audit rule.
standard-acl    (Optional) Integer representing an access control list. Use with the list keyword.
action          (Optional) Specifies an action or actions to take in response to a match.
alarm           (Optional) Sends an alarm to the console, NetRanger Director, or to a syslog server. Use with the action keyword.
drop            (Optional) Drops the packet. Use with the action keyword.
reset           (Optional) Resets the TCP session. Use with the action keyword.
Command Description: To create audit rules for info and attack signature types, use the ip audit name global configuration command. To delete an audit rule, use the no form of this command.
Example: In the following example, an audit rule called INFO.2 is created and configured with all three actions:
router(config)#ip audit name INFO.2 info action alarm drop reset
In the following example, an info signature is disabled and an audit rule called INFO.3 is created:
router(config)#ip audit signature 1000 disable
router(config)#ip audit name INFO.3 info action alarm drop reset
In the following example, an audit rule called ATTACK.2 is created with an attached ACL 91, and the ACL is created:
router(config)#ip audit name ATTACK.2 list 91
router(config)#access-list 91 deny 10.1.0.0 0.0.255.255
router(config)#access-list 91 permit any
Misconceptions: none
Related commands: none
Sample Configurations:
ip audit smtp spam 25
ip audit notify nr-director
ip audit notify log
ip audit po local hostid 55 orgid 123
ip audit po remote hostid 14 orgid 123 rmtaddress 10.1.1.99 localaddress 10.1.1.1
ip audit po remote hostid 15 orgid 123 rmtaddress 10.1.2.99 localaddress 10.1.1.1
ip audit name AUDIT.1 info action alarm
ip audit name AUDIT.1 attack action alarm drop reset
interface e0
ip address 10.1.1.1 255.0.0.0
ip audit AUDIT.1 in
interface e1
ip address 172.16.57.1 255.255.255.0
ip audit AUDIT.1 in

Command Name: ip audit notify
Mode: router(config)#
Syntax: ip audit notify {nr-director | log}
no ip audit notify {nr-director | log}
Syntax Description:
nr-director    Send messages in NetRanger format to the NetRanger Director or Sensor.
log            Send messages in syslog format.
Command Description: To specify the method of event notification, use the ip audit notify global configuration command. To disable event notifications, use the no form of this command.
Usage Guidelines: If messages are sent to the NetRanger Director, then you must also configure the NetRanger Director's Post Office transport parameters using the ip audit po remote command.
Example: In the following example, event notifications are specified to be sent in NetRanger format:
router(config)#ip audit notify nr-director
Misconceptions: none
Related commands: ip audit po local, ip audit po remote
Sample Configurations:
ip audit smtp spam 25
ip audit notify nr-director
ip audit notify log
ip audit po local hostid 55 orgid 123
ip audit po remote hostid 14 orgid 123 rmtaddress 10.1.1.99 localaddress 10.1.1.1
ip audit po remote hostid 15 orgid 123 rmtaddress 10.1.2.99 localaddress 10.1.1.1
ip audit name AUDIT.1 info action alarm
ip audit name AUDIT.1 attack action alarm drop reset
interface e0
ip address 10.1.1.1 255.0.0.0
ip audit AUDIT.1 in
interface e1
ip address 172.16.57.1 255.255.255.0
ip audit AUDIT.1 in

Command Name: ip audit po local
Mode: router(config)#
Syntax: ip audit po local hostid id-number orgid id-number
no ip audit po local [hostid id-number orgid id-number]
Syntax Description:
hostid               Specifies a NetRanger host ID.
id-number (hostid)   Unique integer in the range 1-65535 used in NetRanger communications to identify the local host. Use with the hostid keyword.
orgid                Specifies a NetRanger organization ID.
id-number (orgid)    Unique integer in the range 1-65535 used in NetRanger communications to identify the group to which the local host belongs. Use with the orgid keyword.
Command Description: To specify the local Post Office parameters used when sending event notifications to the NetRanger Director, use the ip audit po local global configuration command. To set the local Post Office parameters to their default settings, use the no form of this command.
Usage Guidelines: Use the ip audit po local global configuration command to specify the local Post Office parameters used when sending event notifications to the NetRanger Director.
Example: In the following example, the local host is assigned a host ID of 10 and an organization ID of 500:
router(config)#ip audit po local hostid 10 orgid 500
Misconceptions: none
Related commands: none
Sample Configurations:
ip audit smtp spam 25
ip audit notify nr-director
ip audit notify log
ip audit po local hostid 55 orgid 123
ip audit po remote hostid 14 orgid 123 rmtaddress 10.1.1.99 localaddress 10.1.1.1
ip audit po remote hostid 15 orgid 123 rmtaddress 10.1.2.99 localaddress 10.1.1.1
ip audit name AUDIT.1 info action alarm
ip audit name AUDIT.1 attack action alarm drop reset
interface e0
ip address 10.1.1.1 255.0.0.0
ip audit AUDIT.1 in
interface e1
ip address 172.16.57.1 255.255.255.0
ip audit AUDIT.1 in

Command Name: ip audit po max-events
Mode: router(config)#
Syntax: ip audit po max-events number-of-events
no ip audit po max-events
Syntax Description:
number-of-events    Integer in the range from 1 to 65535 that designates the maximum number of events allowable in the event queue. The default is 100 events.
Command Description: To specify the maximum number of event notifications that are placed in the router's event queue, use the ip audit po max-events global configuration command. To restore the default number of events, use the no form of this command.
Usage Guidelines: Raising the number of events past 100 may cause memory and performance impacts because each event in the event queue requires 32 KB of memory.
Example: In the following example, the number of events in the event queue is set to 250:
router(config)#ip audit po max-events 250
Misconceptions: none
Related commands: none
Sample Configurations:
!
ip audit notify log
ip audit po max-events 100
!

Command Name: ip audit po protected
Mode: router(config)#
Syntax: ip audit po protected ip-addr [to ip-addr]
no ip audit po protected [ip-addr]
Syntax Description:
to         (Optional) Specifies a range of IP addresses.
ip-addr    IP address of a network host.
Command Description: To specify whether an address is on a protected network, use the ip audit po protected global configuration command. To remove network addresses from the protected network list, use the no form of this command. If you specify an IP address for removal, that address is removed from the list. If you do not specify an address, then all IP addresses are removed from the list.
Usage Guidelines: You can enter a single address at a time or a range of addresses at a time. You can also make as many entries to the protected networks list as you want. When an attack is detected, the corresponding event contains a flag that denotes whether the source and/or destination of the packet belongs to a protected network or not.
Example: In the following example, a range of addresses is added to the protected network list:
router(config)#ip audit po protected 10.1.1.0 to 10.1.1.255
In the following example, three individual addresses are added to the protected network list:
router(config)#ip audit po protected 10.4.1.1
router(config)#ip audit po protected 10.4.1.8
router(config)#ip audit po protected 10.4.1.25
In the following example, an address is removed from the protected network list:
router(config)#no ip audit po protected 10.4.1.1
Misconceptions: If no addresses are defined as protected, then all addresses are considered outside the protected network.
Related commands: none
Sample Configurations:

Command Name: ip audit po remote
Mode: router(config)#
Syntax: ip audit po remote hostid host-id orgid org-id rmtaddress ip-address localaddress ip-address [port port-number] [preference preference-number] [timeout seconds] [application {director | logger}]
no ip audit po remote hostid host-id orgid org-id rmtaddress ip-address
Syntax Description:
hostid               Specifies a NetRanger host ID.
host-id              Unique integer in the range from 1 to 65535 used in NetRanger communications to identify the local host. Use with the hostid keyword.
orgid                Specifies a NetRanger organization ID.
org-id               Unique integer in the range from 1 to 65535 used in NetRanger communications to identify the group to which the local host belongs. Use with the orgid keyword.
rmtaddress           Specifies the IP address of the NetRanger Director.
localaddress         Specifies the IP address of the Cisco IOS Firewall IDS router.
ip-address           IP address of the NetRanger Director or Cisco IOS Firewall IDS router's interface. Use with the rmtaddress and localaddress keywords.
port                 (Optional) Specifies a User Datagram Protocol port through which to send messages.
port-number          (Optional) Integer representing the UDP port on which the NetRanger Director is listening for event notifications. Use with the port keyword.
preference           (Optional) Specifies a route preference for communication.
preference-number    (Optional) Integer representing the relative priority of a route to a NetRanger Director, if more than one route exists. Use with the preference keyword.
timeout              (Optional) Specifies a timeout value for Post Office communications.
seconds              (Optional) Integer representing the heartbeat timeout value for Post Office communications. Use with the timeout keyword.
application          (Optional) Specifies the type of application that is receiving the Cisco IOS Firewall IDS messages.
director             (Optional) Specifies that the receiving application is the NetRanger Director interface.
logger               (Optional) Specifies that the receiving application is a NetRanger Sensor.
Command Description: To specify one or more sets of Post Office parameters for NetRanger Directors receiving event notifications from the router, use the ip audit po remote global configuration command. To remove a NetRanger Director's Post Office parameters as defined by host ID, organization ID, and IP address, use the no form of this command.
Usage Guidelines: A router can report to more than one NetRanger Director. In this case, use the ip audit po remote command to add each NetRanger Director to which the router sends notifications. More than one route can be established to the same NetRanger Director. In this case, you must give each route a preference number that establishes the relative priority of routes. The router always attempts to use the lowest numbered route, switching automatically to the next higher number when a route fails, and then switching back when the route begins functioning again. A router can also report to a NetRanger Sensor. In this case, use the ip audit po remote command and specify logger as the application.
Example: In the following example, two communication routes for the same dual-homed NetRanger Director are defined:
router(config)#ip audit po remote hostid 30 orgid 500 rmtaddress 10.1.99.100 localaddress 10.1.99.1 preference 1
router(config)#ip audit po remote hostid 30 orgid 500 rmtaddress 10.1.4.30 localaddress 10.1.4.1 preference 2
The router uses the first entry to establish communication with the NetRanger Director defined with host ID 30 and organization ID 500. If this route fails, then the router will switch to the secondary communications route. As soon as the first route begins functioning again, the router switches back to the primary route and closes the secondary route.
In the following example, a different Director is assigned a longer heartbeat timeout value because of network congestion, and is designated as a logger application:
router(config)#ip audit po remote hostid 70 orgid 500 rmtaddress 10.1.8.1 localaddress 10.1.8.100 timeout 10 application director
Misconceptions: none
Related commands: none
Sample Configurations:
ip audit smtp spam 25
ip audit notify nr-director
ip audit notify log
ip audit po local hostid 55 orgid 123
ip audit po remote hostid 14 orgid 123 rmtaddress 10.1.1.99 localaddress 10.1.1.1
ip audit po remote hostid 15 orgid 123 rmtaddress 10.1.2.99 localaddress 10.1.1.1
ip audit name AUDIT.1 info action alarm
ip audit name AUDIT.1 attack action alarm drop reset
interface e0
ip address 10.1.1.1 255.0.0.0
ip audit AUDIT.1 in
interface e1
ip address 172.16.57.1 255.255.255.0
ip audit AUDIT.1 in
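As an added example (not code from the Cisco reference), the following Python parses ip audit po remote lines of the form shown above and models the route-preference behaviour the usage guidelines describe: lowest-numbered preference first, failover to the next higher number, and fallback when the lower route recovers. The defaults for preference (1), port (45000) and application (director) when those keywords are omitted are assumptions of this example, not values the page states.

```python
"""Added example (not Cisco code): parse `ip audit po remote` lines and model
the preference-based failover between several routes to one Director."""
import shlex

# Assumptions of this example (the page does not state these defaults).
DEFAULT_PREFERENCE = 1
DEFAULT_PORT = 45000
DEFAULT_APPLICATION = "director"


def parse_po_remote(line):
    """Parse one `ip audit po remote hostid H orgid O rmtaddress A
    localaddress L [port P] [preference N] [timeout S] [application X]`
    configuration line into a dict; raises ValueError on bad input."""
    tokens = shlex.split(line)
    if tokens[:4] != ["ip", "audit", "po", "remote"]:
        raise ValueError("not an ip audit po remote line: %r" % line)
    route = {"hostid": None, "orgid": None, "rmtaddress": None,
             "localaddress": None, "port": DEFAULT_PORT,
             "preference": DEFAULT_PREFERENCE, "timeout": None,
             "application": DEFAULT_APPLICATION}
    integer_keywords = {"hostid", "orgid", "port", "preference", "timeout"}
    rest = tokens[4:]
    if len(rest) % 2:
        raise ValueError("keyword without a value in: %r" % line)
    for keyword, value in zip(rest[::2], rest[1::2]):
        if keyword not in route:
            raise ValueError("unknown keyword %r" % keyword)
        route[keyword] = int(value) if keyword in integer_keywords else value
    for required in ("hostid", "orgid", "rmtaddress", "localaddress"):
        if route[required] is None:
            raise ValueError("missing %s in: %r" % (required, line))
    for ident in ("hostid", "orgid"):          # range given on the page
        if not 1 <= route[ident] <= 65535:
            raise ValueError("%s out of range 1-65535" % ident)
    if route["application"] not in ("director", "logger"):
        raise ValueError("application must be director or logger")
    return route


class PostOfficeRoutes:
    """Routes to NetRanger Directors, keyed by (hostid, orgid), with the
    failover rule from the usage guidelines. Route health is tracked by
    rmtaddress; mark_down/mark_up stand in for the heartbeat timeout."""

    def __init__(self):
        self.routes = []
        self.down = set()

    def add(self, line):
        route = parse_po_remote(line)
        self.routes.append(route)
        return route

    def routes_to(self, hostid, orgid):
        """All routes to one Director, lowest preference number first."""
        matching = [r for r in self.routes
                    if r["hostid"] == hostid and r["orgid"] == orgid]
        return sorted(matching, key=lambda r: r["preference"])

    def active_route(self, hostid, orgid):
        """Lowest-numbered route that is currently up, or None if all failed."""
        for route in self.routes_to(hostid, orgid):
            if route["rmtaddress"] not in self.down:
                return route
        return None

    def mark_down(self, rmtaddress):
        self.down.add(rmtaddress)

    def mark_up(self, rmtaddress):
        self.down.discard(rmtaddress)
```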

Command Name: ip audit signature
Mode: router(config)#
Syntax: ip audit signature signature-id {disable | list acl-list}
no ip audit signature signature-id
Syntax Description:
signature-id    Unique integer specifying a signature as defined in the NetRanger Network Security Database.
disable         Disables the ACL associated with the signature.
list            Specifies an ACL to associate with the signature.
acl-list        Unique integer specifying a configured ACL on the router. Use with the list keyword.
Command Description: To attach a policy to a signature, use the ip audit signature global configuration command. You can set two policies: disable a signature or qualify the audit of a signature with an access list. To remove the policy, use the no form of this command. If the policy disabled a signature, then the no form of this command reenables the signature. If the policy attached an access list to the signature, the no form of this command removes the access list.
Usage Guidelines: This command is mostly used to disable the auditing of a signature or to exclude some hosts or network segments from being audited. If you are attaching an access control list to a signature, then you also need to create an audit rule with the ip audit name command and apply it to an interface with the ip audit command.
Example: In the following example, a signature is disabled, another signature has ACL 99 attached to it, and ACL 99 is defined:
router(config)#ip audit signature 6150 disable
router(config)#ip audit signature 1000 list 99
router(config)#access-list 99 deny 10.1.10.0 0.0.0.255
router(config)#access-list 99 permit any
Misconceptions: none
Related commands: none
Sample Configurations:
ip audit smtp spam 25
ip audit notify nr-director
ip audit notify log
ip audit po local hostid 55 orgid 123
ip audit po remote hostid 14 orgid 123 rmtaddress 10.1.1.99 localaddress 10.1.1.1
ip audit po remote hostid 15 orgid 123 rmtaddress 10.1.2.99 localaddress 10.1.1.1
ip audit signature 1234 disable
ip audit name AUDIT.1 info list 90 action alarm
ip audit name AUDIT.1 attack list 90 action alarm drop reset
interface e0
ip address 10.1.1.1 255.0.0.0
ip audit AUDIT.1 in
interface e1
ip address 172.16.57.1 255.255.255.0
ip audit AUDIT.1 in
access-list 90 deny 172.16.59.16
access-list 90 permit any

Command Name: ip audit smtp
Mode: router(config)#
Syntax: ip audit smtp spam number-of-recipients
no ip audit smtp spam
Syntax Description:
spam                    Specifies a threshold beyond which the Cisco IOS Firewall IDS alarms on spam e-mail.
number-of-recipients    Integer in the range of 1-65535 that designates the maximum number of recipients in a mail message before a spam attack is suspected. Use with the spam keyword. The default is 250 recipients.
Command Description: To specify the number of recipients in a mail message over which a spam attack is suspected, use the ip audit smtp global configuration command. To set the number of recipients to the default setting, use the no form of this command.
Example: In the following example, the number of recipients is set to 300:
router(config)#ip audit smtp spam 300
Misconceptions: none
Related commands: none
Sample Configurations:
ip audit smtp spam 25
ip audit notify nr-director
ip audit notify log
ip audit po local hostid 55 orgid 123
ip audit po remote hostid 14 orgid 123 rmtaddress 10.1.1.99 localaddress 10.1.1.1
ip audit po remote hostid 15 orgid 123 rmtaddress 10.1.2.99 localaddress 10.1.1.1
ip audit name AUDIT.1 info action alarm
ip audit name AUDIT.1 attack action alarm drop reset
interface e0
ip address 10.1.1.1 255.0.0.0
ip audit AUDIT.1 in
interface e1
ip address 172.16.57.1 255.255.255.0
ip audit AUDIT.1 in

Command Name: ip audit
Mode: router(config-if)#
Syntax: ip audit audit-name {in | out}
no ip audit audit-name {in | out}
Syntax Description:
audit-name    Name of an audit specification.
in            Inbound traffic.
out           Outbound traffic.
Command Description: To apply an audit specification created with the ip audit name command to a specific interface and for a specific direction, use the ip audit interface configuration command. To disable auditing of the interface for the specified direction, use the no form of this command.
Example: In the following example, the audit specification MARCUS is applied to an interface and direction:
router(config)#interface e0
router(config-if)#ip audit MARCUS in
In the following example, the audit specification MARCUS is removed from the interface on which it was previously added:
router(config)#interface e0
router(config-if)#no ip audit MARCUS in
Misconceptions: none
Related commands: none
Sample Configurations:
ip audit smtp spam 25
ip audit notify nr-director
ip audit notify log
ip audit po local hostid 55 orgid 123
ip audit po remote hostid 14 orgid 123 rmtaddress 10.1.1.99 localaddress 10.1.1.1
ip audit po remote hostid 15 orgid 123 rmtaddress 10.1.2.99 localaddress 10.1.1.1
ip audit name AUDIT.1 info action alarm
ip audit name AUDIT.1 attack action alarm drop reset
interface e0
ip address 10.1.1.1 255.0.0.0
ip audit AUDIT.1 in
interface e1
ip address 172.16.57.1 255.255.255.0
ip audit AUDIT.1 in

Command Name: show ip audit configuration
Mode: router>
Syntax: show ip audit configuration
Syntax Description: This command has no arguments or keywords.
Command Description: To display additional configuration information, including default values that may not be displayed using the show run command, use the show ip audit configuration EXEC command.
Example: router>show ip audit configuration
Misconceptions: none
Related commands: clear ip audit statistics
Sample Configurations:
router>show ip audit configuration
Event notification through syslog is enabled
Event notification through Net Director is enabled
Default action(s) for info signatures is alarm
Default action(s) for attack signatures is alarm
Default threshold of recipients for spam signature is 25
PostOffice:HostID:5 OrgID:100 Addr:10.2.7.3 Msg dropped:0
HID:1000 OID:100 S:218 A:3 H:14092 HA:7118 DA:0 R:0
CID:1 IP:172.21.160.20 P:45000 S:ESTAB (Curr Conn)
Audit Rule Configuration
Audit name AUDIT.1
info actions alarm

Command Name: show ip audit interface
Mode: router>
Syntax: show ip audit interface

Syntax Description: This command has no arguments or keywords.

Command Description: To display the interface configuration, use the show ip audit interface EXEC command.

Example:
router>show ip audit interface

Misconceptions: none

Related commands: none

Sample Configurations:
router>show ip audit interface
Interface Configuration
Interface Ethernet0
Inbound IDS audit rule is AUDIT.1
info actions alarm
Outgoing IDS audit rule is not set
Interface Ethernet1
Inbound IDS audit rule is AUDIT.1
info actions alarm
Outgoing IDS audit rule is AUDIT.1
info actions alarm

Command Name: show ip audit statistics
Mode: router>
Syntax: show ip audit statistics

Syntax Description: This command has no arguments or keywords.

Command Description: To display the number of packets audited and the number of alarms sent, among other information, use the show ip audit statistics EXEC command.

Example:
router> show ip audit statistics

Misconceptions: none

Related commands:
clear ip audit statistics

Sample Configurations:
router> show ip audit statistics
Signature audit statistics [process switch:fast switch]
signature 2000 packets audited: [0:2]
signature 2001 packets audited: [9:9]
signature 2004 packets audited: [0:2]
signature 3151 packets audited: [0:12]
Interfaces configured for audit 2
Session creations since subsystem startup or last reset 11
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [2:1:0]
Last session created 19:18:27
Last statistic reset never
HID:1000 OID:100 S:218 A:3 H:14085 HA:7114 DA:0 R:0
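The output above is what an operator polls to see whether the IDS audit rules are actually matching traffic. The following parser is an added example (not Cisco's code and not part of this reference); it reads the page's sample output, embedded here as a constructed string, into a dictionary and then diffs two snapshots so that a monitoring job can tell which signatures fired since the last poll. The second snapshot (LATER_OUTPUT) is constructed for the demonstration, and the single-letter PostOffice counters are kept as raw integers because the page does not define them.

```python
"""Parser for `show ip audit statistics` output (added example, not from the page)."""
import re

# The page's own sample output, embedded as a constructed string so this runs offline.
SAMPLE_OUTPUT = """\
Signature audit statistics [process switch:fast switch]
signature 2000 packets audited: [0:2]
signature 2001 packets audited: [9:9]
signature 2004 packets audited: [0:2]
signature 3151 packets audited: [0:12]
Interfaces configured for audit 2
Session creations since subsystem startup or last reset 11
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [2:1:0]
Last session created 19:18:27
Last statistic reset never
HID:1000 OID:100 S:218 A:3 H:14085 HA:7114 DA:0 R:0
"""

# Constructed second snapshot: signature 3151 audited 28 more packets on the fast path.
LATER_OUTPUT = SAMPLE_OUTPUT.replace("signature 3151 packets audited: [0:12]",
                                     "signature 3151 packets audited: [0:40]")

SIG_RE = re.compile(r"^signature (\d+) packets audited: \[(\d+):(\d+)\]$")
SESSION_RE = re.compile(r"^(Current|Maxever) session counts \S+ \[(\d+):(\d+):(\d+)\]$")


def parse_audit_statistics(text):
    """Turn the show output into a dict of per-signature and session counters."""
    stats = {"signatures": {}, "sessions": {}, "interfaces": None,
             "session_creations": None, "postoffice": {}}
    for raw in text.splitlines():
        line = raw.strip()
        m = SIG_RE.match(line)
        if m:
            # [process switch : fast switch] packet counts for one signature ID
            stats["signatures"][int(m.group(1))] = {
                "process": int(m.group(2)), "fast": int(m.group(3))}
            continue
        m = SESSION_RE.match(line)
        if m:
            stats["sessions"][m.group(1).lower()] = {
                "estab": int(m.group(2)), "half_open": int(m.group(3)),
                "terminating": int(m.group(4))}
            continue
        if line.startswith("Interfaces configured for audit"):
            stats["interfaces"] = int(line.rsplit(None, 1)[1])
        elif line.startswith("Session creations since"):
            stats["session_creations"] = int(line.rsplit(None, 1)[1])
        elif line.startswith("HID:"):
            # PostOffice counters; the page does not define the single-letter
            # fields, so they are kept as raw named integers.
            stats["postoffice"] = {k: int(v) for k, v in
                                   (tok.split(":", 1) for tok in line.split())}
    return stats


def total_audited(stats, sig):
    """Packets audited for one signature across both switching paths."""
    c = stats["signatures"][sig]
    return c["process"] + c["fast"]


def signatures_with_hits(stats):
    """Signature IDs that matched at least one packet since the last reset."""
    return sorted(s for s in stats["signatures"] if total_audited(stats, s) > 0)


def signature_deltas(before, after):
    """Per-signature increase between two snapshots; a non-zero delta means the
    signature matched traffic since the previous poll (the raw counters are
    cumulative until `clear ip audit statistics` is issued)."""
    deltas = {}
    for sig in after["signatures"]:
        prev = total_audited(before, sig) if sig in before["signatures"] else 0
        diff = total_audited(after, sig) - prev
        if diff:
            deltas[sig] = diff
    return deltas


if __name__ == "__main__":
    first = parse_audit_statistics(SAMPLE_OUTPUT)
    print("signatures with hits:", signatures_with_hits(first))
    print("deltas since last poll:",
          signature_deltas(first, parse_audit_statistics(LATER_OUTPUT)))
```

Because the counters are cumulative, a poller should keep the previous parse and act on the deltas rather than the absolute values; the half-open high-water mark in the "Maxever" line is also worth graphing, since a rising half-open count with few established sessions is what a SYN flood looks like from the audit engine's point of view.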

Command Name: certificate
Mode: router(config-cert-chain)#
Syntax: certificate certificate-serial-number
no certificate certificate-serial-number

Syntax Description:
certificate-serial-number: Serial number of the certificate to add or delete.

Command Description: To manually add certificates, use the certificate command in certificate chain configuration mode. To delete your router's certificate or any registration authority certificates stored on your router, use the no form of this command.

Usage Guidelines
You could use this command to manually specify a certificate. However, this command is rarely used in this manner. Instead, this command is usually used only to add or delete certificates.

Example:
The following example deletes the router's certificate. In this example, the router had a general purpose RSA key pair with one corresponding certificate. The show command is used in this example to determine the serial number of the certificate to be deleted.
myrouter# show crypto ca certificates
Certificate
  Subject Name
    Name: myrouter.example.com
    IP Address: 10.0.0.1
  Status: Available
  Certificate Serial Number: 0123456789ABCDEF0123456789ABCDEF
  Key Usage: General Purpose
CA Certificate
  Status: Available
  Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F
  Key Usage: Not Set
myrouter# configure terminal
myrouter(config)# crypto ca certificate chain myca
myrouter(config-cert-chain)# no certificate 0123456789ABCDEF0123456789ABCDEF
% Are you sure you want to remove the certificate [yes/no]? yes
% Be sure to ask the CA administrator to revoke this certificate.
myrouter(config-cert-chain)# exit
myrouter(config)#

Misconceptions: none

Related commands:
crypto ca certificate chain

Sample Configurations:
The following example shows how to configure the router to autoenroll with a CA on start-up:
crypto ca trustpoint frog
 enrollment url http://frog.phoobin.com/
 subject-name OU=Spiral Dept., O=tiedye.com
 ip-address ethernet-0
 auto-enroll regenerate
 password revokeme
 rsa-key frog 2048
!
crypto ca certificate chain frog
 certificate ca 0B
  30820293 3082023D A0030201 0202010B 300D0609 04050030 79310B30 09060355
  04061302 5553310B 30090603 15301306 0355040A 130C4369 73636F20 53797374
  656D3120 17737562 6F726420 746F206B 6168756C 75692049 50495355 03131B79
  6E692D75 31302043 65727469 66696361 7465204D 170D3030 30373134 32303536
  32355A17 0D303130 37313430 310E300C 06035504 0A130543 6973636F 3120301E
  06092A86 11706B69 2D343562 2E636973 636F2E63 6F6D305C 300D0609 01050003
  2A864886 F70D0101 55040813 02434131 301E0603 55040B13 31243022 06035504
  616E6167 6572301E 31323834 335A3032 4886F70D 01090216 2A864886 F70D0101
  4B003048 B5A422C4 15E947F6 01EF7DD2 6C136AEB 02052030 1C060355 6D301D06
  03551D0E 301F0603 551D2304 73308185 0603551D 13054369 73636F31 69636174
  65204D61 73636F31 24302206 65204D61 6E616765 696697DF E887007F 5737246B
  0A25550A
  024100B3 0512A201 3B4243E1 378A9703 8AC5E3CE F77AF987 70997393 70CF34D6
  63A86B9C 4347A81A 0551FC02 ABA62360 3C6C3902 03010001 A381F630 81F3300B
  0603551D 0F040403 1D110415 30138211 706B692D 3435622E 63697363 6F2E636F
  04160414 247D9558 169B9A21 23D289CC 2DDA2A9A 4F77C616 18301680 14BD742C
  E892E819 1D551D91 683F6DB2 D8847A6C 1F047E30 7C307AA0 3CA03AA4 38303631
  0E300C06 0355040A 24302206 03550403 131B796E 692D7531 30204365 72746966
  6E616765 72A23AA4 38303631 0E300C06 0355040A 13054369 03550403 131B796E
  692D7531 30204365 72746966 69636174 72300D06 092A8648 86F70D01 01040500
  03410015 BC7CECF9 7A8DA24F 1ED5A785 C5C60452 47860061 0C18093D 08958A77
  25910E27 8B8B428E 32F8D948 3DD1784F 954C70
  quit

Command Name: crl optional
Mode: router(ca-identity)#
Syntax: crl optional
no crl optional

Syntax Description: This command has no arguments or keywords.

Command Description: To allow other peers' certificates to still be accepted by your router even if the appropriate certificate revocation list (CRL) is not accessible to your router, use the crl optional command in ca-identity configuration mode. To return to the default behavior in which CRL checking is mandatory before your router can accept a certificate, use the no form of this command.

Usage Guidelines
When your router receives a certificate from a peer, it will download a certificate revocation list (CRL) from either the CA or a CRL distribution point as designated in the peer's certificate. Your router then checks the CRL to make sure the certificate the peer sent has not been revoked. (If the certificate appears on the CRL, your router will not accept the certificate and will not authenticate the peer.)
With CA systems that support registration authorities (RAs), multiple CRLs exist. The peer's certificate will indicate which CRL applies and should be downloaded by your router. If your router does not have the applicable CRL and is unable to obtain one, your router will reject the peer's certificate, unless you include the crl optional command in your configuration. If you use the crl optional command, your router will still try to obtain a CRL, but if it cannot obtain a CRL it can accept the peer's certificate anyway.
When your router receives additional certificates from peers, your router will continue to attempt to download the appropriate CRL, even if it was previously unsuccessful, and even if the crl optional command is enabled. The crl optional command only specifies that when the router cannot obtain the CRL, the router is not forced to reject a peer's certificate outright.

Example:
router(ca-identity)#crl optional

Misconceptions: none

Related commands:
crypto ca identity

Sample Configurations:
crypto ca identity myca
 enrollment url http://ca_server
 enrollment retry-period 20
 enrollment retry-count 100
 crl optional

Command Name: crl query
Mode: router(ca-root)#
Syntax: crl query ldap-url
no crl query ldap-url

Syntax Description:
ldap-url: Specifies the LDAP URL published by the configured root; for example, ldap://another_server.

Command Description: To query the certificate revocation list (CRL) published by the configured root with the Lightweight Directory Access Protocol (LDAP) URL, use the crl query trusted root configuration command. To remove the crl query LDAP URL, use the no form of this command.

Usage Guidelines
Use this command to query the CRL published by the configured trusted root. You should check the CRL to ensure that the certificate of the peer has not been revoked.
Note: The URL used to query the CRL must be an LDAP URL.
Note: After you enter this command, an entry is created in the router for the root subject-name command. The entry is based on information contained in the router.

Example:
router(ca-root)#crl query ldap://ciscoca-ultra

Misconceptions: none

Related commands:
crl optional
crypto ca identity
crypto ca trusted-root
root CEP
root PROXY
root TFTP

Sample Configurations:
crypto ca trusted-root netscape
 root CEP http://ciscoca-ultra:80
 crl query ldap://ciscoca-ultra

Command Name: crypto ca authenticate
Mode: router(config)#
Syntax: crypto ca authenticate name

Syntax Description:
name: Specifies the name of the CA. This is the same name used when the CA was declared with the crypto ca identity command.

Command Description: To authenticate the certification authority (by getting the CA's certificate), use the crypto ca authenticate command in global configuration mode.

Usage Guidelines
This command is required when you initially configure CA support at your router. This command authenticates the CA to your router by obtaining the CA's self-signed certificate which contains the CA's public key. Because the CA signs its own certificate, you should manually authenticate the CA's public key by contacting the CA administrator when you perform this command.
If you are using RA mode (using the enrollment mode ra command) when you issue the crypto ca authenticate command, then registration authority signing and encryption certificates will be returned from the CA as well as the CA certificate.
This command is not saved to the router configuration. However, the public keys embedded in the received CA (and RA) certificates are saved to the configuration as part of the RSA public key record (called the "RSA public key chain").
If the CA does not respond by a timeout period after this command is issued, the terminal control will be returned so it will not be tied up. If this happens, you must re-enter the command.

Example:
In the following example, the router requests the CA's certificate. The CA sends its certificate and the router prompts the administrator to verify the CA's certificate by checking the CA certificate's fingerprint. The CA administrator can also view the CA certificate's fingerprint, so you should compare what the CA administrator sees to what the router displays on the screen. If the fingerprint on the router's screen matches the fingerprint viewed by the CA administrator, you should accept the certificate as valid.
router(config)#crypto ca authenticate myca
Certificate has the following attributes:
Fingerprint: 0123 4567 89AB CDEF 0123
Do you accept this certificate? [yes/no] y#

Misconceptions: none

Related commands:
crypto ca identity
debug crypto pki transactions
show crypto ca certificates

Sample Configurations:
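The fingerprint comparison is the only thing standing between the router and a substituted CA certificate, so it has to be an exact, full-length match against a value obtained out of band. The following helper is an added example (not Cisco's code and not part of this reference) of how a provisioning script might make that decision instead of relying on an operator eyeballing hex groups: it formats a digest the way the router prints it, normalizes whatever the CA administrator sends back (spacing and case), and refuses on any length mismatch. The digest algorithm is an assumption; the page does not state which hash the router uses for the displayed fingerprint, and the certificate bytes below are a constructed placeholder, not a real certificate.

```python
"""Out-of-band CA fingerprint verification (added example, not from the page)."""
import hashlib
import hmac

# Constructed stand-in for the DER bytes of a CA certificate; not a real certificate.
CONSTRUCTED_CA_CERT_DER = b"constructed DER placeholder, not a real certificate"


def router_fingerprint(cert_der, algo="sha256"):
    """Digest of the certificate, printed in groups of four upper-case hex digits
    like the router's 'Fingerprint:' line. The algorithm is an assumption."""
    digest = hashlib.new(algo, cert_der).hexdigest().upper()
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))


def _normalize(fp):
    """Strip spacing and case so '0123 4567' and '01234567' compare equal."""
    return "".join(fp.split()).upper()


def fingerprints_match(displayed, from_ca_admin):
    """True only when the router's fingerprint and the administrator's value agree
    in full. A truncated or prefix-only value is rejected, and the comparison is
    constant-time so it can also be used on values received over the network."""
    a, b = _normalize(displayed), _normalize(from_ca_admin)
    if len(a) != len(b) or not a.isascii() or not b.isascii():
        return False
    return hmac.compare_digest(a.encode("ascii"), b.encode("ascii"))


def should_accept_ca_certificate(cert_der, from_ca_admin, algo="sha256"):
    """The answer to 'Do you accept this certificate? [yes/no]': yes only on a
    full match between the computed fingerprint and the out-of-band value."""
    return fingerprints_match(router_fingerprint(cert_der, algo), from_ca_admin)


if __name__ == "__main__":
    shown = router_fingerprint(CONSTRUCTED_CA_CERT_DER)
    print("Fingerprint:", shown)
    # Simulate the administrator reading back the same value in lower case, no spaces.
    print("accept:", should_accept_ca_certificate(
        CONSTRUCTED_CA_CERT_DER, shown.replace(" ", "").lower()))
```

In a real provisioning flow the out-of-band value would come from a source the CA administrator controls (a phone call, a signed e-mail, a hash published on the CA's own page), never from the same channel that delivered the certificate.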

Command Name: crypto ca certificate chain
Mode: router(config)#
Syntax: crypto ca certificate chain name

Syntax Description:
name: Specifies the name of the CA. Use the same name as when you declared the CA using the crypto ca identity command.

Command Description: To enter the certificate chain configuration mode, use the crypto ca certificate chain command in global configuration mode. (You need to be in certificate chain configuration mode to delete certificates.)

Usage Guidelines
This command puts you into certificate chain configuration mode. When you are in certificate chain configuration mode, you can delete certificates using the certificate command.

Example:
The following example deletes the router's certificate. In this example, the router had a general-purpose RSA key pair with one corresponding certificate. The show command is used to determine the serial number of the certificate to be deleted.
myrouter# show crypto ca certificates
Certificate
  Subject Name
    Name: myrouter.example.com
    IP Address: 10.0.0.1
  Status: Available
  Certificate Serial Number: 0123456789ABCDEF0123456789ABCDEF
  Key Usage: General Purpose
CA Certificate
  Status: Available
  Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F
  Key Usage: Not Set
myrouter# configure terminal
myrouter(config)# crypto ca certificate chain myca
myrouter(config-cert-chain)# no certificate 0123456789ABCDEF0123456789ABCDEF
% Are you sure you want to remove the certificate [yes/no]? yes
% Be sure to ask the CA administrator to revoke this certificate.
myrouter(config-cert-chain)# exit
myrouter(config)#

Misconceptions: none

Related commands:
certificate
crypto ca identity

Sample Configurations:

Command Name: crypto ca certificate query
Mode: router(config)#
Syntax: crypto ca certificate query
no crypto ca certificate query

Syntax Description: This command has no arguments or keywords.

Command Description: To specify that certificates and certificate revocation lists (CRLs) should not be stored locally but retrieved from the certification authority when needed, use the crypto ca certificate query command in global configuration mode. This command puts the router into query mode. To cause certificates and CRLs to be stored locally (the default), use the no form of this command.

Usage Guidelines
Normally, certain certificates and certificate revocation lists (CRLs) are stored locally in the router's NVRAM, and each certificate and CRL uses a moderate amount of memory. To save NVRAM space, you can use this command to put the router into query mode, which prevents certificates and CRLs from being stored locally; instead, they are retrieved from the CA when needed. This will save NVRAM space but could result in a slight performance impact.

Example:
The following example prevents certificates and CRLs from being stored locally on the router; instead, they are retrieved from the CA when needed.
router(config)#crypto ca certificate query

Misconceptions: none

Related commands: none

Sample Configurations:

Command Name: crypto ca crl request
Mode: router(config)#
Syntax: crypto ca crl request name

Syntax Description:
name: Specifies the name of the CA. This is the same name used when the CA was declared with the crypto ca identity command.

Command Description: To request that a new certificate revocation list (CRL) be obtained immediately from the certification authority, use the crypto ca crl request command in global configuration mode.

Usage Guidelines
A CRL lists all the network's devices' certificates that have been revoked. Revoked certificates will not be honored by your router; therefore, any IPSec device with a revoked certificate cannot exchange IP Security traffic with your router.
The first time your router receives a certificate from a peer, it will download a CRL from the CA. Your router then checks the CRL to make sure the peer's certificate has not been revoked. (If the certificate appears on the CRL, it will not accept the certificate and will not authenticate the peer.)
A CRL can be reused with subsequent certificates until the CRL expires. If your router receives a peer's certificate after the applicable CRL has expired, it will download the new CRL.
If your router has a CRL which has not yet expired, but you suspect that the CRL's contents are out of date, use the crypto ca crl request command to request that the latest CRL be immediately downloaded to replace the old CRL.
This command is not saved to the configuration.

Example:
The following example immediately downloads the latest CRL to your router:
router(config)#crypto ca crl request

Misconceptions: none

Related commands:
crypto ca identity

Sample Configurations:
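The crl optional entry above and the crypto ca crl request entry just described together define a small state machine: fetch on first contact, reuse until expiry, refetch after expiry or on an explicit request, and either fail closed (default) or fail open (crl optional) when the CRL cannot be obtained. The following model is an added example (not Cisco's code and not part of this reference) that makes those rules explicit and runnable so the two policies can be compared side by side. The CRL, serial numbers, timestamps and the fetcher that simulates an unreachable CA are all constructed for the demonstration.

```python
"""Model of the router's CRL decision for peer certificates (added example, not from the page)."""
import datetime as dt
from dataclasses import dataclass


@dataclass
class Crl:
    issuer: str
    revoked_serials: set
    next_update: dt.datetime  # the CRL is reusable until this time


@dataclass
class PeerCert:
    issuer: str
    serial: str


class CrlFetchError(Exception):
    """The CA or CRL distribution point could not be reached."""


class RouterCrlPolicy:
    """fetch_crl(issuer) returns a Crl or raises CrlFetchError.
    crl_optional=True mirrors the `crl optional` command (fail open)."""

    def __init__(self, fetch_crl, crl_optional=False):
        self.fetch_crl = fetch_crl
        self.crl_optional = crl_optional
        self.cache = {}   # issuer -> Crl, as the router keeps the downloaded CRL
        self.log = []     # what an operator would see in syslog

    def _usable_crl(self, issuer, now):
        """Reuse a cached, unexpired CRL; otherwise try to download one.
        The download is always attempted, even after earlier failures."""
        crl = self.cache.get(issuer)
        if crl is not None and crl.next_update > now:
            return crl
        try:
            crl = self.fetch_crl(issuer)
        except CrlFetchError as exc:
            self.log.append(f"CRL for {issuer} not obtainable: {exc}")
            return None
        self.cache[issuer] = crl
        return crl

    def accept_peer_certificate(self, cert, now):
        """Return (accepted, reason). Revoked certificates are never accepted;
        an unobtainable CRL is fatal unless crl optional is configured."""
        crl = self._usable_crl(cert.issuer, now)
        if crl is None:
            if self.crl_optional:
                self.log.append(f"accepted {cert.serial} without CRL check (crl optional)")
                return True, "accepted-without-crl"
            return False, "crl-unavailable"
        if cert.serial in crl.revoked_serials:
            return False, "revoked"
        return True, "ok"

    def crl_request(self, issuer, now):
        """Equivalent of `crypto ca crl request`: discard the cached CRL and
        download the latest one now, even if the old one has not expired."""
        self.cache.pop(issuer, None)
        return self._usable_crl(issuer, now) is not None


# Constructed scenario data (not from the page).
T0 = dt.datetime(2024, 1, 1, tzinfo=dt.timezone.utc)
CONSTRUCTED_CRL = Crl("myca", {"REVOKED-SERIAL-01"}, T0 + dt.timedelta(days=1))


def make_fetcher(reachable):
    """Simulated CRL distribution point whose reachability can be toggled."""
    state = {"reachable": reachable, "fetches": 0}

    def fetch(issuer):
        state["fetches"] += 1
        if not state["reachable"]:
            raise CrlFetchError("LDAP server unreachable")
        return CONSTRUCTED_CRL
    return fetch, state


def run_scenarios():
    good = PeerCert("myca", "GOOD-SERIAL-02")
    bad = PeerCert("myca", "REVOKED-SERIAL-01")
    results = {}
    fetch, state = make_fetcher(reachable=True)
    strict = RouterCrlPolicy(fetch)                        # default: CRL mandatory
    results["revoked"] = strict.accept_peer_certificate(bad, T0)
    results["good"] = strict.accept_peer_certificate(good, T0)
    results["fetches_after_two_checks"] = state["fetches"]  # CRL reused: 1 fetch
    state["reachable"] = False                              # CA goes dark
    results["good_cached"] = strict.accept_peer_certificate(good, T0 + dt.timedelta(hours=12))
    results["expired_unreachable"] = strict.accept_peer_certificate(good, T0 + dt.timedelta(days=2))
    lax = RouterCrlPolicy(fetch, crl_optional=True)         # `crl optional` configured
    results["optional_unreachable"] = lax.accept_peer_certificate(good, T0 + dt.timedelta(days=2))
    state["reachable"] = True
    results["optional_revoked"] = lax.accept_peer_certificate(bad, T0)
    results["crl_request"] = strict.crl_request("myca", T0)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:28} {outcome}")
```

The "optional_unreachable" case is the one to watch: with crl optional a peer whose certificate has since been revoked is accepted whenever the CRL server is down, so the log line written in that branch is the signal a monitoring rule should alert on, and crypto ca crl request is the operator's way to close the window once the CRL source is reachable again.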

Command Name: crypto ca enroll
Mode: router(config)#
Syntax: crypto ca enroll name
no crypto ca enroll name

Syntax Description:
name: Specifies the name of the CA. Use the same name as when you declared the CA using the crypto ca identity command.

Command Description: To obtain your router's certificate(s) from the certification authority, use the crypto ca enroll command in global configuration mode. To delete a current enrollment request, use the no form of this command.

Usage Guidelines
This command requests certificates from the CA for all of your router's RSA key pairs. This task is also known as enrolling with the CA. (Technically, enrolling and obtaining certificates are two separate events, but they both occur when this command is issued.)
Your router needs a signed certificate from the CA for each of your router's RSA key pairs; if you previously generated general purpose keys, this command will obtain the one certificate corresponding to the one general purpose RSA key pair. If you previously generated special usage keys, this command will obtain two certificates corresponding to each of the special usage RSA key pairs.
If you already have a certificate for your keys you will be unable to complete this command; instead, you will be prompted to remove the existing certificate first. (You can remove existing certificates with the no certificate command.)
The crypto ca enroll command is not saved in the router configuration.
Note: If your router reboots after you issue the crypto ca enroll command but before you receive the certificate(s), you must reissue the command.

Responding to Prompts
When you issue the crypto ca enroll command, you are prompted a number of times.
First, you are prompted to create a challenge password. This password can be up to 80 characters in length. This password is necessary in the event that you ever need to revoke your router's certificate(s). When you ask the CA administrator to revoke your certificate, you must supply this challenge password as a protection against fraudulent or mistaken revocation requests.
Note: This password is not stored anywhere, so you need to remember this password. If you lose the password, the CA administrator may still be able to revoke the router's certificate but will require further manual authentication of the router administrator identity.
You are also prompted to indicate whether or not your router's serial number should be included in the obtained certificate. The serial number is not used by IP Security or Internet Key Exchange but may be used by the CA to either authenticate certificates or to later associate a certificate with a particular router. (Note that the serial number stored is the serial number of the internal board, not the one on the enclosure.) Ask your CA administrator if serial numbers should be included. If you are in doubt, include the serial number.
Normally, you would not include the IP address because the IP address binds the certificate more tightly to a specific entity. Also, if the router is moved, you would need to issue a new certificate. Finally, a router has multiple IP addresses, any of which might be used with IPSec.
If you indicate that the IP address should be included, you will then be prompted to specify the interface of the IP address. This interface should correspond to the interface that you apply your crypto map set to. If you apply crypto map sets to more than one interface, specify the interface that you name in the crypto map local-address command.

Example:
In the following example, a router with a general-purpose RSA key pair requests a certificate from the CA. When the router displays the certificate fingerprint, the administrator verifies this number by calling the CA administrator, who checks the number. The fingerprint is correct, so the router administrator accepts the certificate.
There can be a delay between when the router administrator sends the request and when the certificate is actually received by the router. The amount of delay depends on the CA method of operation.
myrouter(config)# crypto ca enroll myca
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate. For security reasons your password will not be saved in the configuration. Please make a note of it.
Password: mypassword
Re-enter password: mypassword
% The subject name in the certificate will be: myrouter.example.com
% Include the router serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: 03433678
% Include an IP address in the subject name [yes/no]? yes
Interface: ethernet0/0
Request certificate from CA [yes/no]? yes
% Certificate request sent to Certificate Authority
% The certificate request fingerprint will be displayed.
% The 'show crypto ca certificate' command will also show the fingerprint.
myrouter(config)#
Some time later, the router receives the certificate from the CA and displays the following confirmation message:
myrouter(config)# Fingerprint: 01234567 89ABCDEF FEDCBA98 75543210
%CRYPTO-6-CERTRET: Certificate received from Certificate Authority
myrouter(config)#
If necessary, the router administrator can verify the displayed Fingerprint with the CA administrator.
If there is a problem with the certificate request and the certificate is not granted, the following message is displayed on the console instead:
%CRYPTO-6-CERTREJ: Certificate enrollment request was rejected by Certificate Authority
The subject name in the certificate is automatically assigned to be the same as the RSA key pair's name. In the above example, the RSA key pair was named "myrouter.example.com." (The router assigned this name.)
Requesting certificates for a router with special usage keys would be the same as the previous example, except that two certificates would have been returned by the CA. When the router received the two certificates, the router would have displayed the same confirmation message:
%CRYPTO-6-CERTRET: Certificate received from Certificate Authority

Misconceptions: none

Related commands:
crypto ca identity
debug crypto pki messages
debug crypto pki transactions
show crypto ca certificates

Sample Configurations:
crypto ca trustpoint MS
 enroll terminal
crypto ca authenticate MS
!
crypto ca enroll MS
crypto ca import MS certificate

Command Name: crypto ca identity
Mode: router(config)#
Syntax: crypto ca identity name
no crypto ca identity name

Syntax Description:
name: Creates a name for the CA. (If you previously declared the CA and just want to update its characteristics, specify the name you previously created.) The CA might require a particular name, such as its domain name.

Command Description: To declare the certification authority that your router should use, use the crypto ca identity command in global configuration mode. To delete all identity information and certificates associated with the CA, use the no form of this command.

Usage Guidelines
Use this command to declare a CA. Performing this command puts you into the ca-identity configuration mode, where you can specify characteristics for the CA with the following commands:
enrollment url (Specify the URL of the CA; always required.)
enrollment mode ra (Specify RA mode; required only if your CA system provides a registration authority [RA].)
query url (Specify the URL of the Lightweight Directory Access Protocol server; required only if your CA supports an RA and the LDAP protocol.)
enrollment retry period (Specify a period of time the router should wait between sending certificate request retries; optional.)
enrollment retry count (Specify how many certificate request retries your router will send before giving up; optional.)
crl optional (Specify that your router can still accept other peers' certificates if the certificate revocation list is not accessible; optional.)

Example:
The following example declares a CA and identifies characteristics of the CA. In this example, the name "myca" is created for the CA, which is located at http://ca_server. The CA does not use an RA or LDAP, and the CA's scripts are stored in the default location. This is the minimum possible configuration required to declare a CA.
crypto ca identity myca
 enrollment url http://ca_server
The following example declares a CA when the CA uses an RA. The CA's scripts are stored in the default location, and the CA uses the SCEP instead of LDAP. This is the minimum possible configuration required to declare a CA that uses an RA.
crypto ca identity myca_with_ra
 enrollment url http://ca_server
 enrollment mode ra
 query url ldap://serverx
The following example declares a CA that uses an RA and a nonstandard cgi-bin script location. This example also specifies a nonstandard retry period and retry count, and permits the router to accept certificates when CRLs are not obtainable.
crypto ca identity myca_with_ra
 enrollment url http://example_ca/cgi-bin/somewhere/scripts.exe
 enrollment mode ra
 query url ldap://serverx
 enrollment retry-period 20
 enrollment retry-count 100
 crl optional
In the previous example, if the router does not receive a certificate back from the CA within 20 minutes of sending a certificate request, the router will resend the certificate request. The router will keep sending a certificate request every 20 minutes until a certificate is received or until 100 requests have been sent.
If the CA cgi-bin script location is not /cgi-bin/pkiclient.exe at the CA (the default CA cgi-bin script location) you need to also include the nonstandard script location in the URL, in the form of http://CA_name/script_location where script_location is the full path to the CA scripts.

Misconceptions: none

Related commands:
crl optional
enrollment mode ra
enrollment retry count
enrollment retry period
enrollment url
query url

Sample Configurations:

Command Name: crypto ca trusted-root
Mode: router(config)#
Syntax: crypto ca trusted-root name
no crypto ca trusted-root name

Syntax Description:
name: Creates a name for the trusted root.

Command Description: To configure a trusted root with a selected name, use the crypto ca trusted-root global configuration command. To deconfigure a trusted root, use the no form of this command.

Usage Guidelines
This command allows you to configure a trusted root with a selected name. You want to configure a trusted root so that your router can verify certificates issued to peers. Thus, your router does not have to enroll with the certification authority that issued the certificates to the peers.
This command enables trusted root configuration mode. You can specify characteristics for the trusted root with the following commands:
crl query: Queries the certificate revocation list (CRL) published by the configured root with the Lightweight Directory Access Protocol URL (optional).
crl optional: Specifies that your router can still accept other peers' certificates if the CRL is not accessible (optional).
root CEP: Specifies Simple Certificate Enrollment Protocol, which is formerly known as Cisco Enrollment Protocol (CEP), (or TFTP) to get the root certificate (required).
root PROXY: Specifies the Hypertext Transfer Protocol (HTTP) proxy server for getting the root certificate (required).
root TFTP: Specifies TFTP (or SCEP) to get the root certificate (required).

Example:
The following example shows configuring a trusted root. In this example, the name "netscape" is created for the trusted root.
router(config)#crypto ca trusted-root netscape

Misconceptions: none

Related commands:
crl optional
crl query
crypto ca authenticate
crypto ca identity
root CEP
root PROXY
root TFTP

Sample Configurations:
!
crypto ca trusted-root griffin
 root SCEP http://griffin:80
 root proxy http://megatron:8080
!

Command Name: crypto key generate rsa
Mode: router(config)#
Syntax: crypto key generate rsa [usage-keys]

Syntax Description:
usage-keys: (Optional) Specifies that two special-usage key pairs should be generated, instead of one general-purpose key pair.

Command Description: To generate RSA key pairs, use the crypto key generate rsa command in global configuration mode.

Usage Guidelines
Use this command to generate RSA key pairs for your Cisco device (such as a router). RSA keys are generated in pairs: one public RSA key and one private RSA key. If your router already has RSA keys when you issue this command, you will be warned and prompted to replace the existing keys with new keys.
Note: Before issuing this command, make sure your router has a hostname and IP domain name configured (with the hostname and ip domain-name commands). You will be unable to complete the crypto key generate rsa command without a host name and IP domain name.
This command is not saved in the router configuration; however, the keys generated by this command are saved in the private configuration in NVRAM (which is never displayed to the user or backed up to another device).
There are two mutually exclusive styles of RSA key pairs: special-usage keys and general-purpose keys. When you generate RSA key pairs, you will be prompted to select whether to generate special-usage keys or general-purpose keys.

Special Usage Keys
If you generate special-usage keys, two pairs of RSA keys will be generated. One pair will be used with any Internet Key Exchange policy that specifies RSA signatures as the authentication method, and the other pair used with any IKE policy that specifies RSA encrypted nonces as the authentication method.
A CA is used only with IKE policies specifying RSA signatures, not with IKE policies specifying RSA encrypted nonces. (However, you could specify more than one IKE policy, and have RSA signatures specified in one policy and RSA encrypted nonces in another policy.)
If you plan to have both types of RSA authentication methods in your IKE policies, you might prefer to generate special-usage keys. With special-usage keys, each key is not unnecessarily exposed. (Without special-usage keys, one key is used for both purposes, increasing that key's exposure.)

General-Purpose Keys
If you generate general-purpose keys, only one pair of RSA keys will be generated. This pair will be used with IKE policies specifying either RSA signatures or RSA-encrypted nonces. Therefore, a general-purpose key pair might get used more frequently than a special usage key pair.

Modulus Length
When you generate RSA keys, you will be prompted to enter a modulus length. A longer modulus could offer stronger security, but takes longer to generate and takes longer to use. (The Cisco IOS software does not support a modulus greater than 2048 bits.) A length of less than 512 is normally not recommended. (In certain situations, the shorter modulus may not function properly with IKE, so Cisco recommends using a minimum modulus of 1024.)

Example:
The following example generates special-usage RSA keys:
crypto key generate rsa usage-keys
The name for the keys will be: myrouter.example.com
Choose the size of the key modulus in the range of 360 to 2048 for your Signature Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus[512]? return
Generating RSA keys.... [OK].
Choose the size of the key modulus in the range of 360 to 2048 for your Encryption Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus[512]? return
Generating RSA keys.... [OK].
The following example generates general-purpose RSA keys. (Note, you cannot generate both special usage and general-purpose keys; you can only generate one or the other.)
myrouter(config)# crypto key generate rsa
The name for the keys will be: myrouter.example.com
Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus[512]? return
Generating RSA keys.... [OK].

Misconceptions: none

Related commands: none

Sample Configurations:

Command Name: crypto key zeroize rsa
Mode: router(config)#
Syntax: crypto key zeroize rsa

Syntax Description: This command has no arguments or keywords.

Command Description: To delete all RSA keys from your router, use the crypto key zeroize rsa command in global configuration mode.

Usage Guidelines
This command deletes all RSA keys that were previously generated by your router. If you issue this command, you must also perform two additional tasks:
1. Ask the certification authority administrator to revoke your router's certificates at the CA; you must supply the challenge password you created when you originally obtained the router's certificates with the crypto ca enroll command.
2. Manually remove the router's certificates from the configuration using the certificate command.
Note: This command cannot be undone (after you save your configuration), and after RSA keys have been deleted you cannot use certificates or the CA or participate in certificate exchanges with other IP Security peers unless you reconfigure CA interoperability by regenerating RSA keys, getting the CA's certificate, and requesting your own certificate again.
This command is not saved to the configuration.

Example:
The following example deletes the general purpose RSA key pair that was previously generated for the router. After deleting the RSA key pair, the administrator contacts the CA administrator and requests that the router's certificate be revoked. The administrator then deletes the router's certificate from the configuration.
router(config)#crypto key zeroize rsa
router(config)#crypto ca certificate chain
router(config-cert-chain)#no certificate

Misconceptions: none

Related commands:
certificate
crypto ca certificate chain

Sample Configurations:

Command Name: enrollment mode ra
Mode: router(ca-identity)#
Syntax:
enrollment mode ra
no enrollment mode ra
Syntax Description: This command has no arguments or keywords.
Command Description: To turn on registration authority mode, use the enrollment mode ra command in ca-identity configuration mode. To turn off RA mode, use the no form of the command.
Usage Guidelines
This command is required if your CA system provides a registration authority (RA). This command provides compatibility with RA systems.
Example: The following example shows the minimum configuration required to declare a CA when the CA provides an RA:
router(config)#crypto ca identity myca
router(ca-identity)#enrollment url http://ca_server
router(ca-identity)#enrollment mode ra
router(ca-identity)#query url ldap://serverx
Misconceptions: none
Related commands:
crypto ca identity
Sample Configurations:
crypto ca identity myca_with_ra
 enrollment url http://example_ca/cgi-bin/somewhere/scripts.exe
 enrollment mode ra
 query url ldap://serverx
 enrollment retry-period 20
 enrollment retry-count 100
 crl optional

Command Name: enrollment retry count
Mode: router(ca-identity)#
Syntax:
enrollment retry count number
no enrollment retry count
Syntax Description:
number Specify how many times the router will resend a certificate request when the router does not receive a certificate from the CA from the previous request. Specify from 1 to 100 retries.
Command Description: To specify how many times a router will resend a certificate request, use the enrollment retry count command in ca-identity configuration mode. To reset the retry count to the default of 0, which indicates an infinite number of retries, use the no form of the command.
Usage Guidelines
After requesting a certificate, the router waits to receive a certificate from the CA. If the router does not receive a certificate within a period of time (the retry period), the router will send another certificate request. The router will continue to send requests until it receives a valid certificate, until the CA returns an enrollment error, or until the configured number of retries (the retry count) is exceeded. By default, the router will keep sending requests forever, but you can change this to a finite number with this command. A retry count of 0 indicates that there is no limit to the number of times the router should resend the certificate request. By default, the retry count is 0.
Example: The following example declares a CA, changes the retry period to 10 minutes, and changes the retry count to 60 retries. The router will resend the certificate request every 10 minutes until the router receives the certificate or until approximately 10 hours pass since the original request was sent, whichever occurs first. (10 minutes x 60 tries = 600 minutes = 10 hours.)
router(config)#crypto ca identity myca
router(ca-identity)#enrollment url http://ca_server
router(ca-identity)#enrollment retry-period 10
router(ca-identity)#enrollment retry-count 60
Misconceptions: none
Related commands:
crypto ca identity
enrollment retry period
Sample Configurations:
!
no ip domain lookup
ip domain name tac.com
ip host caserver1 171.69.89.125
!
!
crypto ca trustpoint caserver1
 enrollment retry count 5
 enrollment retry period 2
 enrollment mode ra
 enrollment url http://171.69.89.125:80/certsrv/mscep/mscep.dll
 usage ike
 serial-number
 ip-address FastEthernet0
 subject-name OU=MADRID O=SPAIN
 crl optional
 rsakeypair ipsecpki
 auto-enroll 100 regenerate
crypto ca certificate chain caserver1
 certificate ca 0E7EC1B68A2F14BD4C4515AF44C45732
  308202BE 30820268 A0030201 0202100E 7EC1B68A 2F14BD4C 4515AF44 C4573230
  0D06092A 864886F7 0D010105 05003076 310B3009 06035504 06130255 53310B30
  !--- Certificate is abbreviated for easier viewing.
  quit
 certificate 611652F700000000003A
  30820407 308203B1 A0030201 02020A61 1652F700 00000000 3A300D06 092A8648
  86F70D01 01050500 3076310B 30090603 55040613 02555331 0B300906 03550408
  !--- Certificate is abbreviated for easier viewing.
  quit
 certificate 61165F5B00000000003B
  30820407 308203B1 A0030201 02020A61 165F5B00 00000000 3B300D06 092A8648
  86F70D01 01050500 3076310B 30090603 55040613 02555331 0B300906 03550408
  !--- Certificate is abbreviated for easier viewing.
  quit
!
crypto isakmp policy 10
 hash md5
crypto isakmp identity hostname
!

Command Name: enrollment retry period
Mode: router(ca-identity)#
Syntax:
enrollment retry period minutes
no enrollment retry period
Syntax Description:
minutes Specify the number of minutes the router waits before resending a certificate request to the certification authority, when the router does not receive a certificate from the CA by the previous request. Specify from 1 to 60 minutes. By default, the router retries every 1 minute.
Command Description: To specify the wait period between certificate request retries, use the enrollment retry period command in ca-identity configuration mode. To reset the retry period to the default of 1 minute, use the no form of this command.
Usage Guidelines
After requesting a certificate, the router waits to receive a certificate from the CA. If the router does not receive a certificate within a period of time (the retry period) the router will send another certificate request. The router will continue to send requests until it receives a valid certificate, until the CA returns an enrollment error, or until the configured number of retries is exceeded. (By default, the router will keep sending requests forever, but you can change this to a finite number of permitted retries with the enrollment retry count command.) Use the enrollment retry-period command to change the retry period from the default of 1 minute between retries.
Example: The following example declares a CA and changes the retry period to 5 minutes:
router(config)#crypto ca identity myca
router(ca-identity)#enrollment url http://ca_server
router(ca-identity)#enrollment retry-period 5
Misconceptions: none
Related commands:
crypto ca identity
enrollment retry count
Sample Configurations:
!
ip domain name cisco.com
ip host caserver2 171.69.89.111
ip host caserver1 171.69.89.125
!
!
crypto ca trustpoint caserver1
 enrollment retry period 5
 enrollment mode ra
 enrollment url http://171.69.89.125:80/certsrv/mscep/mscep.dll
 usage ike
 serial-number
 fqdn 2611-vpn.cisco.com
 ip-address Ethernet0/0
 password 7 1107160B12
 subject-name OU=PARIS O=FRANCE
 crl optional
 rsakeypair ciscovpn
 auto-enroll regenerate
!
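The retry loop described under both enrollment retry count and enrollment retry period, modelled in Python as an added example (this is not Cisco code and not part of the reference). The CA is simulated by a callable that returns constructed "pending", "granted" or "error" answers; the hard_stop argument exists only to keep the simulation finite when the retry count is 0, since a real router has no such bound.

```python
"""Model of the IOS certificate-enrollment retry loop.  Added illustration,
not Cisco code.  The CA is a callable taking the 1-based attempt number
and returning "pending", "granted" or "error" (constructed responses)."""

from typing import Callable, Dict, Optional

# Defaults stated in the command reference.
DEFAULT_RETRY_PERIOD_MIN = 1      # minutes between requests
DEFAULT_RETRY_COUNT = 0           # 0 = keep resending forever


def enroll(ca: Callable[[int], str],
           retry_period_min: int = DEFAULT_RETRY_PERIOD_MIN,
           retry_count: int = DEFAULT_RETRY_COUNT,
           hard_stop: int = 10_000) -> Dict[str, object]:
    """Send the initial request, then resend every retry_period_min minutes
    until the CA returns a certificate, returns an enrollment error, or the
    configured number of retries is exceeded (0 means unlimited).

    Returns the outcome, the number of requests sent and the minutes elapsed
    since the original request.  hard_stop only bounds this simulation."""
    if not 1 <= retry_period_min <= 60:
        raise ValueError("retry period must be 1..60 minutes")
    if not 0 <= retry_count <= 100:
        raise ValueError("retry count must be 0..100")

    attempt = 0
    while True:
        attempt += 1
        elapsed = (attempt - 1) * retry_period_min
        answer = ca(attempt)
        if answer == "granted":
            return {"outcome": "available", "requests": attempt, "elapsed_min": elapsed}
        if answer == "error":
            return {"outcome": "error", "requests": attempt, "elapsed_min": elapsed}
        # Still pending: may the router resend once more?
        retries_so_far = attempt - 1
        if retry_count and retries_so_far >= retry_count:
            return {"outcome": "gave_up", "requests": attempt, "elapsed_min": elapsed}
        if attempt >= hard_stop:
            return {"outcome": "simulation_limit", "requests": attempt, "elapsed_min": elapsed}


def max_wait_minutes(retry_period_min: int, retry_count: int) -> Optional[int]:
    """Upper bound on how long the router keeps asking; None means unbounded."""
    return None if retry_count == 0 else retry_period_min * retry_count


def ca_answers_after(n: int) -> Callable[[int], str]:
    """Constructed CA that answers 'pending' until the n-th request."""
    return lambda attempt: "granted" if attempt >= n else "pending"


if __name__ == "__main__":
    # The reference's example: period 10 minutes, count 60 -> at most 10 hours.
    print(max_wait_minutes(10, 60))
    print(enroll(ca_answers_after(4), 10, 60))
    print(enroll(ca_answers_after(99), 10, 60))
```

With a retry count of 60 the router sends the original request plus 60 retries, so a CA that never answers sees 61 requests over 600 minutes before the router gives up; with the default count of 0 the same CA would be polled indefinitely, which is the behaviour to watch for when an enrollment silently never completes.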

Command Name: enrollment url
Mode: router(ca-identity)#
Syntax:
enrollment url url
no enrollment url url
Syntax Description:
url Specify the URL of the CA where your router should send certificate requests, for example, http://ca_server. This URL must be in the form of http://CA_name, where CA_name is the CA's host Domain Name System name or IP address. If the CA cgi-bin script location is not /cgi-bin/pkiclient.exe at the CA (the default CA cgi-bin script location) you need to also include the non-standard script location in the URL, in the form of http://CA_name/script_location where script_location is the full path to the CA scripts.
Command Description: To specify the certification authority location by naming the CA's URL, use the enrollment url command in ca-identity configuration mode. To remove the CA's URL from the configuration, use the no form of this command.
Usage Guidelines
Use this command to specify the CA's URL. This command is required when you declare a CA with the crypto ca identity command. The URL must include the CA script location if the CA scripts are not loaded into the default cgi-script location. The CA administrator should be able to tell you where the CA scripts are located. To change a CA's URL, repeat the enrollment url command to overwrite the older URL.
Example: The following example shows the absolute minimum configuration required to declare a CA:
router(config)#crypto ca identity myca
router(ca-identity)#enrollment url http://ca_server
Misconceptions: none
Related commands:
crypto ca identity
Sample Configurations:
!
ip domain name cisco.com
ip host caserver2 171.69.89.111
ip host caserver1 171.69.89.125
!
!
crypto ca trustpoint caserver1
 enrollment retry period 5
 enrollment mode ra
 enrollment url http://171.69.89.125:80/certsrv/mscep/mscep.dll
 usage ike
 serial-number
 fqdn 2611-vpn.cisco.com
 ip-address Ethernet0/0
 password 7 1107160B12
 subject-name OU=PARIS O=FRANCE
 crl optional
 rsakeypair ciscovpn
 auto-enroll regenerate
!

Command Name: query url
Mode: router(ca-identity)#
Syntax:
query url url
no query url url
Syntax Description:
url Specify the URL of the Lightweight Directory Access Protocol server; for example, ldap://another_server. This URL must be in the form of ldap://server_name where server_name is the host Domain Name System name or IP address of the LDAP server.
Command Description: To specify LDAP protocol support, use the query url command in ca-identity configuration mode. To remove the query URL from the configuration and specify the default query protocol, Simple Certificate Enrollment Protocol (SCEP), use the no form of this command.
Usage Guidelines
This command is required if the CA supports a registration authority (RA) and the LDAP protocol; LDAP is a query protocol used when the router retrieves certificates and CRLs. The CA administrator should be able to tell you whether the CA supports LDAP or SCEP; if the CA supports the LDAP protocol, the CA administrator can tell you the LDAP location where certificates and certificate revocation lists should be retrieved. To change the query URL, repeat the query url command to overwrite the older URL. This command is only valid if you also use the enrollment mode ra command.
Example: The following example shows the configuration required to declare a CA when the CA supports LDAP:
router(config)#crypto ca identity myca
router(ca-identity)#enrollment url http://ca_server
router(ca-identity)#enrollment mode ra
router(ca-identity)#query url ldap://bobs_server
Misconceptions: none
Related commands:
crypto ca identity
Sample Configurations:

Command Name: root CEP
Mode: router(ca-root)#
Syntax:
root CEP url
Syntax Description:
url Specifies the given URL of the configured root.
Command Description: To define the Simple Certificate Enrollment Protocol (SCEP), which gets the root certificate of a given certification authority, use the root CEP trusted root configuration command.
Usage Guidelines
After configuring a trusted root, use this command to get the root certificate of a given CA using the SCEP protocol. To ensure authenticity of the root certificate, the router administrator is expected to compare the root certificate fingerprint with the one held by the server administrator. The fingerprint of the root certificate is an MD5 hash of the complete root certificate.
Note SCEP is formerly known as Cisco Enrollment Protocol; the functionality remains the same.
Example: The following example shows defining SCEP as the desired protocol to get the root certificate of the CA. In this example, the URL is defined as "http://ciscoca-ultra:80".
router(config)#crypto ca trusted-root netscape
router(ca-root)#root CEP http://ciscoca-ultra:80
Misconceptions: none
Related commands:
crl query
crypto ca identity
crypto ca trusted-root
root PROXY
root TFTP
Sample Configurations:
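The out-of-band fingerprint comparison that the root CEP usage guidelines call for, as an added Python example (not Cisco code). IOS reports the fingerprint as the MD5 of the complete DER certificate in groups of eight hex digits, which is what ios_fingerprint() reproduces; der_from_ios_hex() reads the hex-dump layout of a crypto ca certificate chain block. SAMPLE_LINES are the first two hex lines of the abbreviated certificate in the enrollment retry count sample configuration, so they are a truncated stand-in for a certificate, not a complete one.

```python
"""Fingerprint check for a root certificate obtained over SCEP.  Added
example, not Cisco code.  SAMPLE_LINES are a truncated stand-in taken from
the abbreviated certificate dump shown in the sample configurations."""

import hashlib
import hmac
from typing import Iterable

SAMPLE_LINES = [
    "308202BE 30820268 A0030201 0202100E 7EC1B68A 2F14BD4C 4515AF44 C4573230",
    "0D06092A 864886F7 0D010105 05003076 310B3009 06035504 06130255 53310B30",
    "!--- Certificate is abbreviated for easier viewing.",
    "quit",
]


def der_from_ios_hex(lines: Iterable[str]) -> bytes:
    """Rebuild certificate bytes from a `crypto ca certificate chain` hex
    dump, skipping comment lines and the closing 'quit'."""
    tokens = []
    for line in lines:
        stripped = line.strip()
        if not stripped or stripped.startswith("!") or stripped == "quit":
            continue
        tokens.extend(stripped.split())
    return bytes.fromhex("".join(tokens))


def ios_fingerprint(der: bytes) -> str:
    """MD5 over the whole certificate, formatted as IOS prints it:
    four groups of eight upper-case hex digits."""
    digest = hashlib.md5(der).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, 32, 8))


def normalize(fp: str) -> str:
    """Drop spaces, colons and case so a value read over the phone or
    pasted from the CA's web page compares correctly."""
    return "".join(ch for ch in fp.upper() if ch in "0123456789ABCDEF")


def fingerprint_matches(der: bytes, expected: str) -> bool:
    """True only if the administrator-supplied value is a full 128-bit
    fingerprint and equals the one computed from the received bytes.
    On a mismatch the root certificate must not be accepted."""
    want = normalize(expected)
    if len(want) != 32:
        return False
    return hmac.compare_digest(normalize(ios_fingerprint(der)), want)


if __name__ == "__main__":
    der = der_from_ios_hex(SAMPLE_LINES)
    fp = ios_fingerprint(der)
    print("computed fingerprint:", fp)
    print("matches administrator's copy:", fingerprint_matches(der, fp.lower()))
    print("matches a different value:   ", fingerprint_matches(der, "0" * 32))
```

The comparison is deliberately strict about length: a partial fingerprint read back from the administrator is rejected rather than matched on a prefix, and the constant-time compare avoids leaking how many leading groups agreed.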

Command Name: root PROXY
Mode: router(ca-root)#
Syntax:
root PROXY url
Syntax Description:
url Specifies the URL of the HTTP proxy server; for example, http://proxy_server.
Command Description: To define the Hypertext Transfer Protocol proxy server for getting the root certificate, use the root PROXY trusted root configuration command.
Usage Guidelines
After configuring a trusted root and defining the protocol, use this command to define the HTTP proxy server for getting the given root certificate of a certification authority.
Example: The following example defines the HTTP proxy server for getting the root certificate of a certification authority. In this example, SCEP is the defined protocol, and the HTTP proxy server is "megatron."
router(config)#crypto ca trusted-root griffin
router(ca-root)#root CEP http://griffin:80
router(ca-root)#root proxy http://megatron:8080
Misconceptions: none
Related commands:
crl query
crypto ca identity
root CEP
root TFTP
Sample Configurations:

Command Name: root TFTP
Mode: router(ca-root)#
Syntax:
root TFTP server-hostname filename
Syntax Description:
server-hostname Creates a name for the server.
filename Creates a name for the file that will store the root certificate.
Command Description: To define the TFTP protocol, which gets the root certificate of a given certification authority, use the root TFTP trusted root configuration command.
Usage Guidelines
After configuring a trusted root, use this command to get the root certificate of a given CA using the TFTP protocol. This command enables an authenticated root certificate to be stored as a file on the TFTP server.
Note This command should be used if your CA server does not support Simple Certificate Enrollment Protocol, which is formerly known as Cisco Enrollment Protocol (CEP).
Example: The following example shows defining TFTP as the desired protocol to get the root certificate of a certification authority. In this example, the name "banana" is created for the trusted root, "strawberry" is the server hostname, and "ca-cert/banana" is the filename where the root certificate is stored.
router(config)#crypto ca trusted-root banana
router(ca-root)#root tftp strawberry ca-cert/banana
Misconceptions: none
Related commands:
crl query
crypto ca identity
crypto ca trusted-root
root CEP
root PROXY
Sample Configurations:

Command Name: show crypto ca certificates
Mode: router>
Syntax:
show crypto ca certificates
Syntax Description: This command has no arguments or keywords.
Command Description: To view information about your certificate, the certification authority certificate, and any registration authority certificates, use the show crypto ca certificates command in EXEC mode.
Usage Guidelines
This command shows information about the following certificates:
- Your certificate, if you have requested one from the CA (see the crypto ca enroll command)
- The CA's certificate, if you have received the CA's certificate (see the crypto ca authenticate command)
- RA certificates, if you have received RA certificates (see the crypto ca authenticate command)

Example: The following is sample output from the show crypto ca certificates command after you authenticated the CA by requesting the CA's certificate and public key with the crypto ca authenticate command:
CA Certificate
  Status: Available
  Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F
  Key Usage: Not Set
The CA certificate might show Key Usage as "Not Set."

The following is sample output from the show crypto ca certificates command, and shows the router's certificate and the CA's certificate. In this example, a single, general-purpose RSA key pair was previously generated, and a certificate was requested but not received for that key pair.
Certificate
  Subject Name
    Name: myrouter.example.com
    IP Address: 10.0.0.1
  Serial Number: 04806682
  Status: Pending
  Key Usage: General Purpose
  Fingerprint: 428125BD A3419600 3F6C7831 6CD8FA95 00000000
CA Certificate
  Status: Available
  Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F
  Key Usage: Not Set
Note that in the previous sample, the router's certificate Status shows "Pending." After the router receives its certificate from the CA, the Status field changes to "Available" in the show output.

The following is sample output from the show crypto ca certificates command, and shows two router certificates and the CA's certificate. In this example, special-usage RSA key pairs were previously generated, and a certificate was requested and received for each key pair.
Certificate
  Subject Name
    Name: myrouter.example.com
    IP Address: 10.0.0.1
  Status: Available
  Certificate Serial Number: 428125BDA34196003F6C78316CD8FA95
  Key Usage: Signature
Certificate
  Subject Name
    Name: myrouter.example.com
    IP Address: 10.0.0.1
  Status: Available
  Certificate Serial Number: AB352356AFCD0395E333CCFD7CD33897
  Key Usage: Encryption
CA Certificate
  Status: Available
  Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F
  Key Usage: Not Set

The following is sample output from the show crypto ca certificates command when the CA supports an RA. In this example, the CA and RA certificates were previously requested with the crypto ca authenticate command.
CA Certificate
  Status: Available
  Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F
  Key Usage: Not Set
RA Signature Certificate
  Status: Available
  Certificate Serial Number: 34BCF8A0
  Key Usage: Signature
RA KeyEncipher Certificate
  Status: Available
  Certificate Serial Number: 34BCF89F
  Key Usage: Encryption

Misconceptions: none
Related commands:
crypto ca authenticate
crypto ca enroll
debug crypto pki messages
debug crypto pki transactions
Sample Configurations:
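A parser for the show crypto ca certificates layout above, added here as a Python example (not Cisco code). SAMPLE_OUTPUT is assembled from the sample output in this entry: the pending router certificate, the CA certificate and the two RA certificates. enrollment_summary() answers the questions an operator has after enrollment: whether the CA is authenticated, how many RA certificates are present, and which router certificates are still not Available.

```python
"""Parser for `show crypto ca certificates` output.  Added example, not
Cisco code.  SAMPLE_OUTPUT is assembled from the reference's own sample
output (constructed combination, same field layout)."""

import re
from typing import Dict, List

SAMPLE_OUTPUT = """\
Certificate
  Subject Name
    Name: myrouter.example.com
    IP Address: 10.0.0.1
  Serial Number: 04806682
  Status: Pending
  Key Usage: General Purpose
  Fingerprint: 428125BD A3419600 3F6C7831 6CD8FA95 00000000
CA Certificate
  Status: Available
  Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F
  Key Usage: Not Set
RA Signature Certificate
  Status: Available
  Certificate Serial Number: 34BCF8A0
  Key Usage: Signature
RA KeyEncipher Certificate
  Status: Available
  Certificate Serial Number: 34BCF89F
  Key Usage: Encryption
"""

# Block headers start in column 0; fields are indented "Label: value" lines.
HEADER = re.compile(r"^(CA Certificate|RA \w+ Certificate|Certificate)\s*$")
FIELD = re.compile(r"^\s+([A-Za-z ]+?):\s*(.*?)\s*$")


def parse_certificates(text: str) -> List[Dict[str, str]]:
    """One dict per certificate block.  The header becomes 'type'; the
    'Subject Name' heading carries no value and is skipped, so Name and
    IP Address land flat on the same record."""
    certs: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            certs.append({"type": m.group(1)})
            continue
        m = FIELD.match(line)
        if m and certs:
            certs[-1][m.group(1)] = m.group(2)
    return certs


def enrollment_summary(text: str) -> Dict[str, object]:
    """Condensed view of the output for a post-enrollment check."""
    certs = parse_certificates(text)
    router = [c for c in certs if c["type"] == "Certificate"]
    return {
        "ca_available": any(c["type"] == "CA Certificate"
                            and c.get("Status") == "Available" for c in certs),
        "ra_certs": sum(1 for c in certs if c["type"].startswith("RA ")),
        "router_certs": len(router),
        # A pending certificate shows 'Serial Number'; a granted one shows
        # 'Certificate Serial Number', so accept either label.
        "pending": [c.get("Serial Number") or c.get("Certificate Serial Number")
                    for c in router if c.get("Status") != "Available"],
        "key_usages": sorted({c.get("Key Usage", "") for c in router}),
    }


if __name__ == "__main__":
    for cert in parse_certificates(SAMPLE_OUTPUT):
        print(cert["type"], cert.get("Status"), cert.get("Key Usage"))
    print(enrollment_summary(SAMPLE_OUTPUT))
```

Running it on the sample reports the CA as available, two RA certificates, and one router certificate (serial 04806682) still pending; the same summary on output from a router with special-usage keys lists "Encryption" and "Signature" under key_usages.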

Command Name: show crypto ca crls
Mode: router>
Syntax:
show crypto ca crls
Syntax Description: This command has no arguments or keywords.
Command Description: To display the current certificate revocation list (CRL) on the router, use the show crypto ca crls command in EXEC configuration mode.
Example: The following is sample output of the show crypto ca crls command:
router# show crypto ca crls
CRL Issuer Name:
    OU = sjvpn, O = cisco, C = us
    LastUpdate: 16:17:34 PST Jan 10 2002
    NextUpdate: 17:17:34 PST Jan 11 2002
    Retrieved from CRL Distribution Point:
      LDAP: CN = CRL1, OU = sjvpn, O = cisco, C = us
Misconceptions: none
Related commands:
crypto ca crl request
Sample Configurations:

Command Name: show crypto ca roots
Mode: router>
Syntax:
show crypto ca roots
Syntax Description: This command has no arguments or keywords.
Command Description: To display the roots configured in the router, use the show crypto ca roots EXEC configuration command.
Example:
router# show crypto ca roots
Misconceptions: none
Related commands:
crypto ca authenticate
crypto ca identity
crypto ca trusted-root
root CEP
root PROXY
root TFTP
Sample Configurations:
router# show crypto ca roots
Root netscape:
  Subject Name:
    CN=Certificate Manager
    OU=On 07/01
    O=cisco
    C=US
  Serial Number:01
  Certificate configured.
  Root identity:netscape
  CEP URL:http://cisco-ultra
  CRL query url: ldap://cisco-ultra

Command Name: clear crypto sa
Mode: router#
Syntax:
clear crypto sa
clear crypto sa peer {ip-address | peer-name}
clear crypto sa map map-name
clear crypto sa entry destination-address protocol spi
clear crypto sa counters
Syntax Description:
peer Deletes any IPSec security associations for the specified peer.
ip-address Specifies a remote peer's IP address.
peer-name Specifies a remote peer's name as the fully qualified domain name, for example remotepeer.example.com.
map Deletes any IPSec security associations for the named crypto map set.
map-name Specifies the name of a crypto map set.
entry Deletes the IPSec security association with the specified address, protocol, and SPI.
destination-address Specifies the IP address of your peer or the remote peer.
protocol Specifies either the Encapsulation Security Protocol or Authentication Header.
spi Specifies an SPI (found by displaying the security association database).
counters Clears the traffic counters maintained for each security association; counters does not clear the security associations themselves.
Command Description: To delete IP Security security associations, use the clear crypto sa privileged EXEC command.
Usage Guidelines
This command clears (deletes) IPSec security associations. If the security associations were established via Internet Key Exchange, they are deleted and future IPSec traffic will require new security associations to be negotiated. (When IKE is used, the IPSec security associations are established only when needed.) If the security associations are manually established, the security associations are deleted and reinstalled. (When IKE is not used, the IPSec security associations are created as soon as the configuration is completed.) If the peer, map, entry, or counters keywords are not used, all IPSec security associations will be deleted.

The peer keyword deletes any IPSec security associations for the specified peer. The map keyword deletes any IPSec security associations for the named crypto map set. The entry keyword deletes the IPSec security association with the specified address, protocol, and SPI.

If any of the above commands cause a particular security association to be deleted, all the "sibling" security associations (those that were established during the same IKE negotiation) are deleted as well. The counters keyword simply clears the traffic counters maintained for each security association; it does not clear the security associations themselves. If you make configuration changes that affect security associations, these changes will not apply to existing security associations but to negotiations for subsequent security associations. You can use the clear crypto sa command to restart all security associations so they will use the most current configuration settings. In the case of manually established security associations, if you make changes that affect security associations you must use the clear crypto sa command before the changes take effect. If the router is processing active IPSec traffic, it is suggested that you only clear the portion of the security association database that is affected by the changes, to avoid causing active IPSec traffic to temporarily fail.

Note that this command only clears IPSec security associations; to clear IKE state, use the clear crypto isakmp command.

Example: The following example clears (and reinitializes if appropriate) all IPSec security associations at the router:
router#clear crypto sa
The following example clears (and reinitializes if appropriate) the inbound and outbound IPSec security associations established along with the security association established for address 10.0.0.1 using the AH protocol with the SPI of 256:
router#clear crypto sa entry 10.0.0.1 AH 256
Misconceptions: none
Related commands:
clear crypto isakmp
Sample Configurations:

Command Name: crypto dynamic-map
Mode: router(config)#
Syntax:
crypto dynamic-map dynamic-map-name dynamic-seq-num
no crypto dynamic-map dynamic-map-name [dynamic-seq-num]
Syntax Description:
dynamic-map-name Specifies the name of the dynamic crypto map set.
dynamic-seq-num Specifies the number of the dynamic crypto map entry.
Command Description: To create a dynamic crypto map entry and enter the crypto map configuration command mode, use the crypto dynamic-map global configuration command. To delete a dynamic crypto map set or entry, use the no form of this command.
Usage Guidelines
Use dynamic crypto maps to create policy templates that can be used when processing negotiation requests for new security associations from a remote IP Security peer, even if you do not know all of the crypto map parameters required to communicate with the remote peer (such as the peer's IP address). For example, if you do not know about all the IPSec remote peers in your network, a dynamic crypto map allows you to accept requests for new security associations from previously unknown peers. (However, these requests are not processed until the Internet Key Exchange authentication has completed successfully.)

When a router receives a negotiation request via IKE from another IPSec peer, the request is examined to see if it matches a crypto map entry. If the negotiation does not match any explicit crypto map entry, it will be rejected unless the crypto map set includes a reference to a dynamic crypto map. The dynamic crypto map is a policy template; it will accept "wildcard" parameters for any parameters not explicitly stated in the dynamic crypto map entry. This allows you to set up IPSec security associations with a previously unknown IPSec peer. (The peer still must specify matching values for the "non-wildcard" IPSec security association negotiation parameters.)

If the router accepts the peer's request, at the point that it installs the new IPSec security associations it also installs a temporary crypto map entry. This entry is filled in with the results of the negotiation. At this point, the router performs normal processing, using this temporary crypto map entry as a normal entry, even requesting new security associations if the current ones are expiring (based upon the policy specified in the temporary crypto map entry). Once the flow expires (that is, all of the corresponding security associations expire), the temporary crypto map entry is removed.

Dynamic crypto map sets are not used for initiating IPSec security associations. However, they are used for determining whether or not traffic should be protected. The only configuration required in a dynamic crypto map is the set transform-set command. All other configuration is optional.

Dynamic crypto map entries, like regular static crypto map entries, are grouped into sets. After you define a dynamic crypto map set (which commonly contains only one map entry) using this command, you include the dynamic crypto map set in an entry of the "parent" crypto map set using the crypto map (IPSec global configuration) command. The parent crypto map set is then applied to an interface. You should make crypto map entries referencing dynamic maps the lowest priority map entries, so that negotiations for security associations will try to match the static crypto map entries first. Only after the negotiation request does not match any of the static map entries do you want it to be evaluated against the dynamic map. To make a dynamic crypto map the lowest priority map entry, give the map entry referencing the dynamic crypto map the highest seq-num of all the map entries in a crypto map set.

For both static and dynamic crypto maps, if unprotected inbound traffic matches a permit statement in an access list, and the corresponding crypto map entry is tagged as "IPSec," then the traffic is dropped because it is not IPSec-protected. (This is because the security policy as specified by the crypto map entry states that this traffic must be IPSec-protected.)

For static crypto map entries, if outbound traffic matches a permit statement in an access list and the corresponding security association (SA) is not yet established, the router will initiate new SAs with the remote peer. In the case of dynamic crypto map entries, if no SA existed, the traffic would simply be dropped (because dynamic crypto maps are not used for initiating new SAs).

Note Use care when using the any keyword in permit entries in dynamic crypto maps. If it is possible for the traffic covered by such a permit entry to include multicast or broadcast traffic, the access list should include deny entries for the appropriate address range. Access lists should also include deny entries for network and subnet broadcast traffic, and for any other traffic that should not be IPSec protected.

Example:
router(config)#crypto map mymap 10 ipsec-isakmp
router(config)#crypto map mymap 20 ipsec-isakmp
router(config)#crypto map mymap 30 ipsec-isakmp dynamic mydynamicmap
router(config)#crypto dynamic-map mydynamicmap 10
Misconceptions: none
Related commands:
crypto map (global IPSec)
crypto map (interface IPSec)
crypto map local-address
match address (IPSec)
set peer (IPSec)
set pfs
set security-association lifetime
set transform-set
show crypto dynamic-map
show crypto map (IPSec)
Sample Configurations:
crypto map mymap 10 ipsec-isakmp
 match address 101
 set transform-set my_t_set1
 set peer 10.0.0.1
 set peer 10.0.0.2
crypto map mymap 20 ipsec-isakmp
 match address 102
 set transform-set my_t_set1 my_t_set2
 set peer 10.0.0.3
crypto map mymap 30 ipsec-isakmp dynamic mydynamicmap
!
crypto dynamic-map mydynamicmap 10
 match address 103
 set transform-set my_t_set1 my_t_set2 my_t_set3

Command Name: Mode: Syntax:

crypto ipsec security-association lifetime router(config)#

crypto ipsec security-association lifetime {seconds seconds | kilobytes kilobytes} no crypto ipsec security-association lifetime {seconds | kilobytes} Syntax Description:
seconds seconds Specifies the number of seconds a security association will live before expiring. The default is 3600 seconds (one hour).

kilobytes kilobytes

Specifies the volume of traffic (in kilobytes) that can pass between IPSec peers using a given security association before that security association expires. The default is 4,608,000 kilobytes.

Command Description: To change global lifetime values used when negotiating IPSec security associations, use the crypto ipsec security-association lifetime global configuration command. To reset a lifetime to the default value, use the no form of this command. Usage Guidelines IPSec security associations use shared secret keys. These keys and their security associations time out together. Assuming that the particular crypto map entry does not have lifetime values configured, when the router requests new security associations during security association negotiation, it will specify its global lifetime value in the request to the peer; it will use this value as the lirfetime of the new security associations. When the router receives a negotiation request from the peer, it will use the smaller of the lifetime value proposed by the peer or the locally configured lifetime value as the lifetime of the new security associations. There are two lifetimes: a "timed" lifetime and a "traffic-volume" lifetime. The security association expires after the first of these lifetimes is reached. If you change a global lifetime, the change is only applied when the crypto map entry does not have a lifetime value specified. The change will not be applied to existing security associations,

but will be used in subsequent negotiations to establish new security associations. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear crypto sa command. Refer to the clear crypto sa command for more details. To change the global timed lifetime, use the crypto ipsec security-association lifetime seconds form of the command. The timed lifetime causes the security association to time out after the specified number of seconds have passed. To change the global traffic-volume lifetime, use the crypto ipsec security-association lifetime kilobytes form of the command. The traffic-volume lifetime causes the security association to time out after the specified amount of traffic (in kilobytes) has been protected by the security associations' key. Shorter lifetimes can make it harder to mount a successful key recovery attack, since the attacker has less data encrypted under the same key to work with. However, shorter lifetimes require more CPU processing time for establishing new security associations. The lifetime values are ignored for manually established security associations (security associations installed using an ipsec-manual crypto map entry). How These Lifetimes Work The security association (and corresponding keys) will expire according to whichever occurs sooner, either after the number of seconds has passed (specified by the seconds keyword) or after the amount of traffic in kilobytes has passed (specified by the kilobytes keyword). A new security association is negotiated before the lifetime threshold of the existing security association is reached, to ensure that a new security association is ready for use when the old one expires. The new security association is negotiated either 30 seconds before the seconds lifetime expires or when the volume of traffic through the tunnel reaches 256 kilobytes less than the kilobytes lifetime (whichever occurs first). 
If no traffic has passed through the tunnel during the entire life of the security association, a new security association is not negotiated when the lifetime expires. Instead, a new security association will be negotiated only when IPSec sees another packet that should be protected.

Example: The following example shortens both lifetimes, because the administrator feels there is a higher risk that the keys could be compromised. The timed lifetime is shortened to 2,700 seconds (45 minutes), and the traffic-volume lifetime is shortened to 2,304,000 kilobytes (10 megabytes per second for one half hour).
router#crypto ipsec security-association lifetime seconds 2700
router#crypto ipsec security-association lifetime kilobytes 2304000
Misconceptions:

none Related commands: set security-association lifetime show crypto ipsec security-association lifetime Sample Configurations:
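The following added example (not Cisco's code) models the lifetime rules described above: which value a new SA actually gets (global, crypto map entry, peer proposal, or none for ipsec-manual), the 30-second and 256-kilobyte rekey margins, and the idle-SA case; the constant traffic rate and the function names are assumptions of this model.

```python
"""Model of the IPSec SA lifetime behaviour described in the text above.
Added example, not part of Cisco IOS; assumptions are noted in comments."""

# Rekey margins stated in the text: 30 s before the timed lifetime,
# 256 KB before the traffic-volume lifetime.
REKEY_SECONDS_MARGIN = 30
REKEY_KILOBYTES_MARGIN = 256


def effective_lifetime(global_value, map_entry_value=None, peer_proposal=None,
                       manual=False):
    """Lifetime actually used for a new SA.

    - ipsec-manual entries ignore lifetimes entirely (returns None).
    - A value configured on the crypto map entry overrides the global value.
    - When responding to a peer, the smaller of the peer's proposal and the
      local value wins; as initiator the local value is proposed unchanged.
    """
    if manual:
        return None
    local = map_entry_value if map_entry_value is not None else global_value
    if peer_proposal is None:
        return local
    return min(local, peer_proposal)


def sa_timeline(seconds_lifetime, kilobytes_lifetime, kb_per_second):
    """When the replacement SA is negotiated, when the current SA expires, and
    how much data ends up protected under one key, for a constant traffic rate
    (the constant rate is an assumption of this model, not a statement of IOS).
    """
    if kb_per_second <= 0:
        # Idle SA: per the text no new SA is negotiated at expiry; the next
        # packet that needs protection triggers the negotiation instead.
        return {"rekey_at": None, "expires_at": float(seconds_lifetime),
                "expired_by": "seconds", "kb_under_key": 0,
                "replacement": "on next protected packet"}
    timed_rekey = seconds_lifetime - REKEY_SECONDS_MARGIN
    volume_rekey = (kilobytes_lifetime - REKEY_KILOBYTES_MARGIN) / kb_per_second
    volume_expiry = kilobytes_lifetime / kb_per_second
    expired_by = "seconds" if seconds_lifetime <= volume_expiry else "kilobytes"
    return {"rekey_at": min(timed_rekey, volume_rekey),
            "expires_at": min(float(seconds_lifetime), volume_expiry),
            "expired_by": expired_by,
            # Upper bound on data encrypted under a single key: the point the
            # text makes about key recovery attacks and shorter lifetimes.
            "kb_under_key": min(kilobytes_lifetime,
                                seconds_lifetime * kb_per_second),
            "replacement": "before expiry"}


if __name__ == "__main__":
    # The page's own example values: 2700 s and 2,304,000 KB, at three rates.
    for rate in (0, 700, 1000):
        print(f"{rate} KB/s ->", sa_timeline(2700, 2304000, rate))
```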

Command Name: Mode: Syntax:

crypto ipsec transform-set router(config)#

crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]] no crypto ipsec transform-set transform-set-name Syntax Description:
transform-set-name Specifies the name of the transform set to create (or modify).

transform1 transform2 transform3

Specifies up to three "transforms." These transforms define the IPSec security protocols and algorithms. Accepted transform values are described in the "Usage Guidelines" section.

Command Description: To define a transform set (an acceptable combination of security protocols and algorithms), use the crypto ipsec transform-set global configuration command. To delete a transform set, use the no form of the command.

Usage Guidelines
A transform set is an acceptable combination of security protocols, algorithms and other settings to apply to IP Security protected traffic. During the IPSec security association negotiation, the peers agree to use a particular transform set when protecting a particular data flow. You can configure multiple transform sets, and then specify one or more of these transform sets in a crypto map entry. The transform set defined in the crypto map entry is used in the IPSec security association negotiation to protect the data flows specified by that crypto map entry's access list. During the negotiation, the peers search for a transform set that is the same at both peers. When such a transform set is found, it is selected and will be applied to the protected traffic as part of both peers' IPSec security associations. When IKE is not used to establish security associations, a single transform set must be used. The transform set is not negotiated. Before a transform set can be included in a crypto map entry it must be defined using this command.

A transform set specifies one or two IPSec security protocols (either Encapsulation Security Protocol or Authentication Header or both) and specifies which algorithms to use with the selected security protocol. To define a transform set, you specify one to three "transforms"; each transform represents an IPSec security protocol (ESP or AH) plus the algorithm you want to use. When the particular transform set is used during negotiations for IPSec security associations, the entire transform set (the combination of protocols, algorithms, and other settings) must match a transform set at the remote peer. In a transform set you could specify the AH protocol, the ESP protocol, or both. If you specify an ESP protocol in a transform set, you can specify just an ESP encryption transform or both an ESP encryption transform and an ESP authentication transform. The table below lists the acceptable transform combination selections for the AH and ESP protocols.

Table 22: Allowed Transform Combinations

Transform type                                   Transform       Description
AH Transform (Pick up to one.)                   ah-md5-hmac     AH with the MD5 (HMAC variant) authentication algorithm
                                                 ah-sha-hmac     AH with the SHA (HMAC variant) authentication algorithm
ESP Encryption Transform (Pick up to one.)       esp-des         ESP with the 56-bit DES encryption algorithm
                                                 esp-3des        ESP with the 168-bit DES encryption algorithm (3DES or Triple DES)
                                                 esp-null        Null encryption algorithm
ESP Authentication Transform (Pick up to one.)   esp-md5-hmac    ESP with the MD5 (HMAC variant) authentication algorithm
                                                 esp-sha-hmac    ESP with the SHA (HMAC variant) authentication algorithm
IP Compression Transform (Pick up to one.)       comp-lzs        IP compression with the LZS algorithm.

Examples of acceptable transform combinations are:

ah-md5-hmac
esp-des
esp-3des and esp-md5-hmac
ah-sha-hmac and esp-des and esp-sha-hmac
comp-lzs

The parser will prevent you from entering invalid combinations; for example, once you specify an AH transform it will not allow you to specify another AH transform for the current transform set.

IPSec Protocols: Encapsulation Security Protocol and Authentication Header
Both the Encapsulation Security Protocol (ESP) and Authentication Header (AH) protocols implement security services for IPSec. ESP provides packet encryption and optional data authentication and anti-replay services. AH provides data authentication and anti-replay services. ESP encapsulates the protected data (either a full IP datagram or only the payload) with an ESP header and an ESP trailer. AH is embedded in the protected data; it inserts an AH header immediately after the outer IP header and before the inner IP datagram or payload. Traffic that originates and terminates at the IPSec peers can be sent in either tunnel or transport mode; all other traffic is sent in tunnel mode. Tunnel mode encapsulates and protects a full IP datagram, while transport mode encapsulates/protects the payload of an IP datagram. For more information about modes, see the mode (IPSec) command description.

Selecting Appropriate Transforms
The following tips may help you select transforms that are appropriate for your situation:

If you want to provide data confidentiality, include an ESP encryption transform. If you want to ensure data authentication for the outer IP header as well as the data, include an AH transform. (Some consider the benefits of outer IP header data integrity to be debatable.)

If you use an ESP encryption transform, also consider including an ESP authentication transform or an AH transform to provide authentication services for the transform set. If you want data authentication (either using ESP or AH) you can choose from the MD5 or SHA (HMAC keyed hash variants) authentication algorithms. The SHA algorithm is generally considered stronger than MD5, but is slower. Note that some transforms might not be supported by the IPSec peer. In cases where you need to specify an encryption transform but do not actually encrypt packets, you can use the esp-null transform.

Suggested transform combinations:

esp-des and esp-sha-hmac
ah-sha-hmac and esp-des and esp-sha-hmac

The Crypto Transform Configuration Mode
After you issue the crypto ipsec transform-set command, you are put into the crypto transform configuration mode. While in this mode, you can change the mode to tunnel or transport. (These are optional changes.) After you have made these changes, type exit to return to global configuration mode. For more information about these optional changes, see the match address (IPSec) and mode (IPSec) command descriptions.

Changing Existing Transforms
If one or more transforms are specified in the crypto ipsec transform-set command for an existing transform set, the specified transforms will replace the existing transforms for that transform set. If you change a transform set definition, the change is only applied to crypto map entries that reference the transform set. The change will not be applied to existing security associations, but will be used in subsequent negotiations to establish new security associations. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear crypto sa command.

Example: The following example defines two transform sets. The first transform set will be used with an IPSec peer that supports the newer ESP and AH protocols. The second transform set will be used with an IPSec peer that only supports the older transforms.
router(config)#crypto ipsec transform-set newer esp-3des esp-sha-hmac
router(config)#crypto ipsec transform-set older ah-rfc1828 esp-rfc1829

Misconceptions: none Related commands: mode (IPSec) set transform-set show crypto ipsec transform-set Sample Configurations:

crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key mysecretkey address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set mypolicy esp-des esp-md5-hmac
!
crypto dynamic-map dyna 10
 set transform-set mypolicy
!
crypto map test 10 ipsec-isakmp dynamic dyna

Command Name: Mode: Syntax:

crypto map (interface IPSec) router(config-if)#

crypto map map-name no crypto map [map-name] Syntax Description:


map-name Name that identifies the crypto map set. This is the name assigned when the crypto map was created. When the no form of the command is used, this argument is optional. Any value supplied for the argument is ignored.

Command Description: To apply a previously defined crypto map set to an interface, use the crypto map interface configuration command. To remove the crypto map set from the interface, use the no form of this command. Usage Guidelines Use this command to assign a crypto map set to an interface. You must assign a crypto map set to an interface before that interface can provide IPSec services. Only one crypto map set can be assigned to an interface. If multiple crypto map entries have the same map-name but a different seq-num, they are considered to be part of the same set and will all be applied to the interface. The crypto map entry with the lowest seq-num is considered the highest priority and will be evaluated first. A single crypto map set can contain a combination of cisco, ipsec-isakmp, and ipsec-manual crypto map entries. Example: The following example assigns crypto map set "mymap" to the S0 interface. When traffic passes through S0, the traffic will be evaluated against all the crypto map entries in the "mymap" set. When outbound traffic matches an access list in one of the "mymap" crypto map entries, a security association will be established per that crypto map entry's configuration (if no security association or connection already exists). router(config)#interface S0 router(config-if)#crypto map mymap

Misconceptions: none Related commands: crypto map (global IPSec) crypto map local-address show crypto map (IPSec) Sample Configurations:
!
interface FastEthernet0/1
 ip address 10.1.1.2 255.255.255.0
 no ip directed-broadcast
 duplex auto
 speed auto
 crypto map mymap
!

Command Name: Mode: Syntax:

crypto map local-address router(config)#

crypto map map-name local-address interface-id no crypto map map-name local-address Syntax Description:
map-name Name that identifies the crypto map set. This is the name assigned when the crypto map was created.

interface-id

The identifying interface that should be used by the router to identify itself to remote peers. If Internet Key Exchange is enabled and you are using a certification authority (CA) to obtain certificates, this should be the interface with the address specified in the CA certificates.

Command Description: To specify and name an identifying interface to be used by the crypto map for IPSec traffic, use the crypto map local-address global configuration command. To remove this command from the configuration, use the no form of this command. Usage Guidelines If you apply the same crypto map to two interfaces and do not use this command, two separate security associations (with different local IP addresses) could be established to the same peer for similar traffic. If you are using the second interface as redundant to the first interface, it could be preferable to have a single security association (with a single local IP address) created for traffic sharing the two interfaces. Having a single security association decreases overhead and makes administration simpler. This command allows a peer to establish a single security association (and use a single local IP address) that is shared by the two redundant interfaces. If applying the same crypto map set to more than one interface, the default behavior is as follows:

Each interface will have its own security association database.

The IP address of the local interface will be used as the local address for IPSec traffic originating from/destined to that interface.

However, if you use a local-address for that crypto map set, it has multiple effects:

Only one IPSec security association database will be established and shared for traffic through both interfaces. The IP address of the specified interface will be used as the local address for IPSec (and IKE) traffic originating from or destined to that interface.

One suggestion is to use a loopback interface as the referenced local address interface, because the loopback interface never goes down.

Example: The following example assigns crypto map set "mymap" to the S0 interface and to the S1 interface. When traffic passes through either S0 or S1, the traffic will be evaluated against all the crypto maps in the "mymap" set. When traffic through either interface matches an access list in one of the "mymap" crypto maps, a security association will be established. This same security association will then apply to both S0 and S1 traffic that matches the originally matched IPSec access list. The local address that IPSec will use on both interfaces will be the IP address of interface loopback0.
router(config)#interface S0
router(config-if)#crypto map mymap
router(config)#interface S1
router(config-if)#crypto map mymap
router(config)#crypto map mymap local-address loopback0
Misconceptions: none Related commands: crypto map (interface IPSec) Sample Configurations:

Command Name: Mode: Syntax:

crypto map (global IPSec) router(config)#

crypto map map-name seq-num ipsec-manual crypto map map-name seq-num ipsec-isakmp [dynamic dynamic-mapname] [discover] no crypto map map-name [seq-num] Syntax Description:
map-name The name that identifies the crypto map set. This is the name assigned when the crypto map was created.

seq-num

The number you assign to the crypto map entry. See additional explanation for using this argument in the "Usage Guidelines" section.

ipsec-manual

Indicates that Internet Key Exchange will not be used to establish the IP Security security associations for protecting the traffic specified by this crypto map entry.

ipsec-isakmp

Indicates that IKE will be used to establish the IPSec security associations for protecting the traffic specified by this crypto map entry.

dynamic

(Optional) Specifies that this crypto map entry is to reference a preexisting dynamic crypto map. Dynamic crypto maps are policy templates used in processing negotiation requests from a peer IPSec device. If you use this keyword, none of the crypto map configuration commands will be available.

dynamic-map-name

(Optional) Specifies the name of the dynamic crypto map set that should be used as the policy template.

discover

(Optional) Enables peer discovery. By default, peer discovery is not enabled.

Command Description:

To create or modify a crypto map entry and enter the crypto map configuration mode, use the crypto map global configuration command. To delete a crypto map entry or set, use the no form of this command. Usage Guidelines Use this command to create a new crypto map entry or to modify an existing crypto map entry. Once a crypto map entry has been created, you cannot change the parameters specified at the global configuration level because these parameters determine which of the configuration commands are valid at the crypto map level. For example, once a map entry has been created as ipsec-isakmp, you cannot change it to ipsec-manual or cisco; you must delete and reenter the map entry. After you define crypto map entries, you can assign the crypto map set to interfaces using the crypto map (interface IPSec) command. What Crypto Maps Are For Crypto maps provide two functions: (1) filtering and classifying traffic to be protected and (2) defining the policy to be applied to that traffic. The first use affects the flow of traffic on an interface; the second affects the negotiation performed (via IKE) on behalf of that traffic. IPSec crypto maps link together definitions of the following:

What traffic should be protected
Which IPSec peers the protected traffic can be forwarded to (these are the peers with which a security association can be established)
Which transform sets are acceptable for use with the protected traffic
How keys and security associations should be used or managed (or what the keys are, if IKE is not used)

Multiple Crypto Map Entries with the Same map-name Form a Crypto Map Set A crypto map set is a collection of crypto map entries, each with a different seq-num but the same map-name. Therefore, for a given interface, you could have certain traffic forwarded to one IPSec peer with specified security applied to that traffic, and other traffic forwarded to the same or a different IPSec peer with different IPSec security applied. To accomplish this you would create two crypto maps, each with the same map-name, but each with a different seq-num. The seq-num Argument The number you assign to the seq-num argument should not be arbitrary. This number is used to rank multiple crypto map entries within a crypto map set. Within a crypto map set, a crypto map

entry with a lower seq-num is evaluated before a map entry with a higher seq-num; that is, the map entry with the lower number has a higher priority. For example, imagine that there is a crypto map set that contains three crypto map entries: mymap 10, mymap 20, and mymap 30. The crypto map set named mymap is applied to interface Serial 0. When traffic passes through the Serial 0 interface, the traffic is evaluated first for mymap 10. If the traffic matches a permit entry in the extended access list in mymap 10, the traffic will be processed according to the information defined in mymap 10 (including establishing IPSec security associations when necessary). If the traffic does not match the mymap 10 access list, the traffic will be evaluated for mymap 20, and then mymap 30, until the traffic matches a permit entry in a map entry. (If the traffic does not match a permit entry in any crypto map entry, it will be forwarded without any IPSec security.) Dynamic Crypto Maps Refer to the "Usage Guidelines" section of the crypto dynamic-map command for a discussion on dynamic crypto maps. You should make crypto map entries which reference dynamic map sets the lowest priority map entries, so that inbound security association negotiations requests will try to match the static maps first. Only after the request does not match any of the static maps do you want it to be evaluated against the dynamic map set. To make a crypto map entry referencing a dynamic crypto map set the lowest priority map entry, give the map entry the highest seq-num of all the map entries in a crypto map set. Create dynamic crypto map entries using the crypto dynamic-map command. After you create a dynamic crypto map set, add the dynamic crypto map set to a static crypto map set with the crypto map (IPSec global configuration) command using the dynamic keyword. Tunnel Endpoint Discovery Tunnel Endpoint Discovery is an enhancement to the IP Security Protocol (IPSec) feature. 
Defining a dynamic crypto map allows you to be able to dynamically determine an IPSec peer; however, only the receiving router has this ability. With Tunnel Endpoint Discovery, the initiating router can dynamically determine an IPSec peer for secure IPSec communications. Dynamic Tunnel Endpoint Discovery allows IPSec to scale to large networks by reducing multiple encryptions, reducing the setup time, and allowing for simple configurations on participating peer routers. Each node has a simple configuration that defines the local network that the router is protecting and the IPSec transforms that are required.

Example: The following example shows the minimum required crypto map configuration when IKE will be used to establish the security associations:
crypto map mymap 10 ipsec-isakmp
 match address 101
 set transform-set my_t_set1
 set peer 10.0.0.1

The following example shows the minimum required crypto map configuration when the security associations are manually established:
crypto ipsec transform-set someset ah-md5-hmac esp-des
crypto map mymap 10 ipsec-manual
 match address 102
 set transform-set someset
 set peer 10.0.0.5
 set session-key inbound ah 256 98765432109876549876543210987654
 set session-key outbound ah 256 fedcbafedcbafedcfedcbafedcbafedc
 set session-key inbound esp 256 cipher 0123456789012345
 set session-key outbound esp 256 cipher abcdefabcdefabcd

The following example configures an IPSec crypto map set that includes a reference to a dynamic crypto map set. Crypto map "mymap 10" allows security associations to be established between the router and either (or both) of two remote IPSec peers for traffic matching access list 101. Crypto map "mymap 20" allows either of two transform sets to be negotiated with the remote peer for traffic matching access list 102. Crypto map entry "mymap 30" references the dynamic crypto map set "mydynamicmap," which can be used to process inbound security association negotiation requests that do not match "mymap" entries 10 or 20. In this case, if the peer specifies a transform set that matches one of the transform sets specified in "mydynamicmap," for a flow "permitted" by the access list 103, IPSec will accept the request and set up security associations with the remote peer without previously knowing about the remote peer. If accepted, the resulting security associations (and temporary crypto map entry) are established according to the settings specified by the remote peer. The access list associated with "mydynamicmap 10" is also used as a filter. Inbound packets that match a permit statement in this list are dropped for not being IPSec protected. (The same is true for access lists associated with static crypto map entries.) Outbound packets that match a permit statement without an existing corresponding IPSec SA are also dropped.
crypto map mymap 10 ipsec-isakmp
 match address 101
 set transform-set my_t_set1
 set peer 10.0.0.1
 set peer 10.0.0.2
crypto map mymap 20 ipsec-isakmp
 match address 102
 set transform-set my_t_set1 my_t_set2
 set peer 10.0.0.3
crypto map mymap 30 ipsec-isakmp dynamic mydynamicmap
!
crypto dynamic-map mydynamicmap 10
 match address 103
 set transform-set my_t_set1 my_t_set2 my_t_set3

The following example configures Tunnel Endpoint Discovery on a Cisco router:
crypto map testtag 10 ipsec-isakmp dynamic dmap discover
Misconceptions: none Related commands: crypto dynamic-map crypto map (interface IPSec) crypto map local-address match address (IPSec) set peer (IPSec) set pfs set security-association level per-host set security-association lifetime set session-key set transform-set show crypto map (IPSec) Sample Configurations:

Command Name: Mode: Syntax:

match address (IPSec) router(config-crypto-map)#

match address [access-list-id | name] no match address [access-list-id | name] Syntax Description:
access-list-id (Optional) Identifies the extended access list by its name or number. This value should match the access-list-number or name argument of the extended access list being matched.

name

(Optional) Identifies the named encryption access list. This name should match the name argument of the named encryption access list being matched.

Command Description: To specify an extended access list for a crypto map entry, use the match address crypto map configuration command. To remove the extended access list from a crypto map entry, use the no form of this command. Usage Guidelines This command is required for all static crypto map entries. If you are defining a dynamic crypto map entry (with the crypto dynamic-map command), this command is not required but is strongly recommended. Use this command to assign an extended access list to a crypto map entry. You also need to define this access list using the access-list or ip access-list extended commands. The extended access list specified with this command will be used by IPSec to determine which traffic should be protected by crypto and which traffic does not need crypto protection. (Traffic that is permitted by the access list will be protected. Traffic that is denied by the access list will not be protected in the context of the corresponding crypto map entry.) Note that the crypto access list is not used to determine whether to permit or deny traffic through the interface. An access list applied directly to the interface makes that determination. The crypto access list specified by this command is used when evaluating both inbound and outbound traffic. Outbound traffic is evaluated against the crypto access lists specified by the interface's crypto map entries to determine if it should be protected by crypto and if so (if traffic

matches a permit entry) which crypto policy applies. (If necessary, in the case of static IPSec crypto maps, new security associations are established using the data flow identity as specified in the permit entry; in the case of dynamic crypto map entries, if no SA exists, the packet is dropped.) After passing the regular access lists at the interface, inbound traffic is evaluated against the crypto access lists specified by the entries of the interface's crypto map set to determine if it should be protected by crypto and, if so, which crypto policy applies. (In the case of IPSec, unprotected traffic is discarded because it should have been protected by IPSec.) In the case of IPSec, the access list is also used to identify the flow for which the IPSec security associations are established. In the outbound case, the permit entry is used as the data flow identity (in general), while in the inbound case the data flow identity specified by the peer must be "permitted" by the crypto access list.

Example: The following example shows the minimum required crypto map configuration when IKE will be used to establish the security associations. (This example is for a static crypto map.)
router(config)#crypto map mymap 10 ipsec-isakmp
router(config-crypto-map)#match address 101
router(config-crypto-map)#set transform-set my_t_set1
router(config-crypto-map)#set peer 10.0.0.1
Misconceptions: none Related commands: crypto dynamic-map crypto map (global IPSec) crypto map (interface IPSec) crypto map local-address set peer (IPSec) set pfs set security-association level per-host set security-association lifetime set session-key set transform-set show crypto map (IPSec) Sample Configurations:
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key Delaware address 192.168.10.66
crypto isakmp key Key-What-Key address 192.168.11.19
!
!
crypto ipsec transform-set BearMama ah-md5-hmac esp-des
crypto ipsec df-bit clear
!
!
crypto map armadillo 1 ipsec-isakmp
 set peer 192.168.10.66
 set transform-set BearMama
 match address 101
!
crypto map basilisk 1 ipsec-isakmp
 set peer 192.168.11.19
 set transform-set BearMama
 match address 102
!
!
interface Ethernet0
 ip address 192.168.10.38 255.255.255.0
 ip broadcast-address 0.0.0.0
 media-type 10BaseT
 crypto map armadillo
 crypto ipsec df-bit copy
!
interface Ethernet1
 ip address 192.168.11.75 255.255.255.0
 ip broadcast-address 0.0.0.0
 media-type 10BaseT
 crypto map basilisk
!
interface Serial0
 no ip address
 ip broadcast-address 0.0.0.0
 no ip route-cache
 no ip mroute-cache
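The following added example (not Cisco IOS code) models how a crypto map set like "mymap" in the crypto map (global IPSec) example is evaluated under the match address rules above: entries tried in seq-num order, the first permit entry wins and becomes the flow identity, static entries negotiate an SA on demand, a dynamic entry drops outbound traffic that has no SA, and inbound cleartext covered by a permit entry is discarded. The access list contents, addresses and the mirrored inbound lookup are constructed assumptions of this model.

```python
"""Model of crypto map set evaluation as described in the text above.
Added example, not part of Cisco IOS. ACL contents and addresses are
constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Ace:
    action: str   # "permit" or "deny"
    src: str      # source network, CIDR
    dst: str      # destination network, CIDR


def acl_lookup(acl, src, dst):
    """First matching entry decides; no match is an implicit deny (None)."""
    for ace in acl:
        if ip_address(src) in ip_network(ace.src) and \
           ip_address(dst) in ip_network(ace.dst):
            return ace
    return None


@dataclass
class CryptoMapEntry:
    seq: int
    kind: str                   # "ipsec-isakmp", "ipsec-manual" or "dynamic"
    acl: list
    peers: tuple = ()
    transform_sets: tuple = ()


class CryptoMapSet:
    def __init__(self, name, entries):
        self.name = name
        # Lowest seq-num is evaluated first (highest priority).
        self.entries = sorted(entries, key=lambda e: e.seq)
        self.sa_db = {}        # (seq, flow identity) -> SA parameters

    def outbound(self, src, dst):
        """Returns (action, seq, flow) for an outbound packet."""
        for entry in self.entries:
            ace = acl_lookup(entry.acl, src, dst)
            if ace is None or ace.action != "permit":
                continue       # denied or unmatched here: try the next entry
            flow = (ace.src, ace.dst)   # the permit entry is the flow identity
            key = (entry.seq, flow)
            if key in self.sa_db:
                return ("protect", entry.seq, flow)
            if entry.kind == "dynamic":
                # Dynamic entries only answer peers; with no SA the packet is dropped.
                return ("drop", entry.seq, flow)
            self.sa_db[key] = {"peer": entry.peers[0],
                               "transform_sets": entry.transform_sets}
            return ("negotiate+protect", entry.seq, flow)
        return ("forward-cleartext", None, None)

    def inbound(self, src, dst, ipsec_protected):
        """Inbound packets are checked against the mirrored flow (assumption:
        src/dst swapped); cleartext that a permit entry covers is dropped."""
        for entry in self.entries:
            ace = acl_lookup(entry.acl, dst, src)
            if ace is not None and ace.action == "permit":
                return ("accept" if ipsec_protected else "drop-unprotected", entry.seq)
        return ("forward-cleartext", None)


# Constructed access lists for the page's mymap 10/20/30 layout.
ACL_101 = [Ace("deny", "192.0.2.0/24", "198.51.100.99/32"),
           Ace("permit", "192.0.2.0/24", "198.51.100.0/24")]
ACL_102 = [Ace("permit", "192.0.2.0/24", "198.51.100.99/32"),
           Ace("permit", "192.0.2.0/24", "203.0.113.0/24")]
ACL_103 = [Ace("permit", "0.0.0.0/0", "172.16.0.0/12")]

MYMAP = CryptoMapSet("mymap", [
    CryptoMapEntry(30, "dynamic", ACL_103, transform_sets=("my_t_set1", "my_t_set2", "my_t_set3")),
    CryptoMapEntry(10, "ipsec-isakmp", ACL_101, ("10.0.0.1", "10.0.0.2"), ("my_t_set1",)),
    CryptoMapEntry(20, "ipsec-isakmp", ACL_102, ("10.0.0.3",), ("my_t_set1", "my_t_set2")),
])

if __name__ == "__main__":
    for dst in ("198.51.100.7", "198.51.100.99", "172.16.1.1", "192.0.2.200"):
        print("192.0.2.5 ->", dst, MYMAP.outbound("192.0.2.5", dst))
    print("inbound cleartext:", MYMAP.inbound("198.51.100.7", "192.0.2.5", False))
```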

Command Name: Mode: Syntax:

mode (IPSec) router(cfg-crypto-tran)#

mode [tunnel | transport] no mode Syntax Description:


tunnel | transport (Optional) Specifies the mode for a transform set: either tunnel or transport mode. If neither tunnel nor transport is specified, the default (tunnel mode) is assigned.

Command Description: To change the mode for a transform set, use the mode crypto transform configuration command. To reset the mode to the default value of tunnel mode, use the no form of the command.

Usage Guidelines
Use this command to change the mode specified for the transform. This setting is only used when the traffic to be protected has the same IP addresses as the IPSec peers (this traffic can be encapsulated either in tunnel or transport mode). This setting is ignored for all other traffic (all other traffic is encapsulated in tunnel mode). If the traffic to be protected has the same IP address as the IP Security peers and transport mode is specified, during negotiation the router will request transport mode but will accept either transport or tunnel mode. If tunnel mode is specified, the router will request tunnel mode and will accept only tunnel mode. After you define a transform set, you are put into the crypto transform configuration mode. While in this mode you can change the mode to either tunnel or transport. This change applies only to the transform set just defined. If you do not change the mode when you first define the transform set, but later decide you want to change the mode for the transform set, you must re-enter the transform set (specifying the transform name and all its transforms) and then change the mode. If you use this command to change the mode, the change will only affect the negotiation of subsequent IPSec security associations via crypto map entries which specify this transform set. (If you want the new settings to take effect sooner, you can clear all or part of the security association database. See the clear crypto sa command for more details.)

Tunnel Mode
With tunnel mode, the entire original IP packet is protected (encrypted, authenticated, or both) and is encapsulated by the IPSec headers and trailers (an Encapsulation Security Protocol header and trailer, an Authentication Header, or both). Then a new IP header is prefixed to the packet, specifying the IPSec endpoints as the source and destination. Tunnel mode can be used with any IP traffic. Tunnel mode must be used if IPSec is protecting traffic from hosts behind the IPSec peers. For example, tunnel mode is used with Virtual Private Networks (VPNs) where hosts on one protected network send packets to hosts on a different protected network via a pair of IPSec peers. With VPNs, the IPSec peers "tunnel" the protected traffic between the peers while the hosts on their protected networks are the session endpoints.

Transport Mode
With transport mode, only the payload (data) of the original IP packet is protected (encrypted, authenticated, or both). The payload is encapsulated by the IPSec headers and trailers (an ESP header and trailer, an AH header, or both). The original IP headers remain intact and are not protected by IPSec. Use transport mode only when the IP traffic to be protected has IPSec peers as both the source and destination. For example, you could use transport mode to protect router management traffic. Specifying transport mode allows the router to negotiate with the remote peer whether to use transport or tunnel mode.

Example: The following example defines a transform set and changes the mode to transport mode. The mode value only applies to IP traffic with the source and destination addresses at the local and remote IPSec peers.
router(config)#crypto ipsec transform-set newer esp-des esp-sha-hmac
router(cfg-crypto-tran)#mode transport
router(cfg-crypto-tran)#exit
Misconceptions: none Related commands: crypto ipsec transform-set Sample Configurations:
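The following added example (not Cisco IOS code) models the transform-set rules from the crypto ipsec transform-set entry (Table 22 categories, the parser's "pick up to one per type" rule, the whole-set match between peers) together with the tunnel/transport negotiation rule from the mode (IPSec) entry above; the function names, the ESP-authentication-needs-ESP-encryption reading of the text, and the peer's preference order are assumptions of this model.

```python
"""Model of transform-set validation, selection and mode negotiation as
described in the text. Added example, not part of Cisco IOS."""
from dataclasses import dataclass

# Table 22: transform keyword -> (category, description).
TRANSFORMS = {
    "ah-md5-hmac":  ("ah",       "AH with MD5 (HMAC) authentication"),
    "ah-sha-hmac":  ("ah",       "AH with SHA (HMAC) authentication"),
    "esp-des":      ("esp-enc",  "ESP with 56-bit DES encryption"),
    "esp-3des":     ("esp-enc",  "ESP with 168-bit 3DES encryption"),
    "esp-null":     ("esp-enc",  "ESP with null encryption"),
    "esp-md5-hmac": ("esp-auth", "ESP with MD5 (HMAC) authentication"),
    "esp-sha-hmac": ("esp-auth", "ESP with SHA (HMAC) authentication"),
    "comp-lzs":     ("comp",     "IP compression with LZS"),
}


def validate_transform_set(transforms):
    """Return the problems the parser would object to; [] means accepted.

    The rule that ESP authentication needs an ESP encryption transform is read
    from the text ("just an ESP encryption transform or both ..."); the older
    RFC 1828/1829 transforms in the page's second example are not in Table 22
    and are rejected here (an assumption of this model).
    """
    problems = []
    if not 1 <= len(transforms) <= 3:
        problems.append("a transform set takes one to three transforms")
    chosen = {}
    for t in transforms:
        if t not in TRANSFORMS:
            problems.append(f"unknown transform {t!r}")
            continue
        cat = TRANSFORMS[t][0]
        if cat in chosen:
            problems.append(f"{t!r} conflicts with {chosen[cat]!r}: "
                            f"pick up to one {cat} transform")
        chosen[cat] = t
    if "esp-auth" in chosen and "esp-enc" not in chosen:
        problems.append("ESP authentication needs an ESP encryption transform "
                        "(esp-null if no encryption is wanted)")
    return problems


def services(transforms):
    """Which services a set provides, following the 'Selecting Appropriate
    Transforms' tips: esp-null gives no confidentiality, only AH covers the
    outer IP header, and SHA is the stronger choice over MD5."""
    cats = {TRANSFORMS[t][0] for t in transforms if t in TRANSFORMS}
    return {
        "confidentiality": "esp-enc" in cats and "esp-null" not in transforms,
        "data_authentication": bool(cats & {"ah", "esp-auth"}),
        "outer_header_integrity": "ah" in cats,
        "uses_md5": any(t.endswith("md5-hmac") for t in transforms),
    }


@dataclass(frozen=True)
class TransformSet:
    name: str
    transforms: tuple
    mode: str = "tunnel"      # default per mode (IPSec)


def select_transform_set(local_sets, peer_sets):
    """Peers search for a set that is identical at both ends. Local sets are
    tried in the order listed on the crypto map entry (assumed to be the
    preference order); keyword order inside a set does not matter here."""
    for mine in local_sets:
        for theirs in peer_sets:
            if set(mine.transforms) == set(theirs.transforms):
                return mine.name, theirs.name
    return None


def negotiate_mode(local_mode, peer_mode, traffic_is_peer_to_peer):
    """mode (IPSec): the setting only matters when the protected traffic runs
    between the peers themselves; 'transport' requests transport but accepts
    either, while 'tunnel' requests and accepts only tunnel."""
    if not traffic_is_peer_to_peer:
        return "tunnel"                  # all other traffic is tunnel mode
    if local_mode == peer_mode == "transport":
        return "transport"
    return "tunnel"                      # a tunnel-only side forces tunnel
```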

Command Name: set peer (IPSec)
Mode: router(config-crypto-map)#
Syntax:
set peer {hostname | ip-address}
no set peer {hostname | ip-address}
Syntax Description:
hostname    Specifies the IPSec peer by its host name. This is the peer's host name concatenated with its domain name (for example, myhost.example.com).
ip-address  Specifies the IPSec peer by its IP address.
Command Description: To specify an IP Security peer in a crypto map entry, use the set peer crypto map configuration command. To remove an IPSec peer from a crypto map entry, use the no form of this command.
Usage Guidelines
Use this command to specify an IPSec peer for a crypto map. This command is required for all static crypto maps. If you are defining a dynamic crypto map (with the crypto dynamic-map command), this command is not required, and in most cases is not used (because, in general, the peer is unknown).
For ipsec-isakmp crypto map entries, you can specify multiple peers by repeating this command. The peer that packets are actually sent to is determined by the last peer that the router heard from (received either traffic or a negotiation request from) for a given data flow. If the attempt fails with the first peer, Internet Key Exchange tries the next peer on the crypto map list.
For ipsec-manual crypto map entries, you can specify only one IPSec peer per crypto map. If you want to change the peer, you must first delete the old peer and then specify the new peer.
You can specify the remote IPSec peer by its host name only if the host name is mapped to the peer's IP address in a Domain Name Server or if you manually map the host name to the IP address with the ip host command.
Example:
router(config-crypto-map)#set peer 10.0.0.1
router(config-crypto-map)#set peer 10.0.0.2
Misconceptions: none
Related commands:
crypto dynamic-map
crypto map (global IPSec)
crypto map (interface IPSec)
crypto map local-address
match address (IPSec)
set pfs
set security-association level per-host
set security-association lifetime
set session-key
set transform-set
show crypto map (IPSec)
Sample Configurations:
crypto map mymap 10 ipsec-isakmp
 match address 101
 set transform-set my_t_set1
 set peer 10.0.0.1
 set peer 10.0.0.2

Command Name: set pfs
Mode: router(config-crypto-map)#
Syntax:
set pfs [group1 | group2]
no set pfs
Syntax Description:
group1  (Optional) Specifies that IPSec should use the 768-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.
group2  (Optional) Specifies that IPSec should use the 1024-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.
Command Description: To specify that IP Security should ask for perfect forward secrecy (PFS) when requesting new security associations for this crypto map entry, or that IPSec requires PFS when receiving requests for new security associations, use the set pfs crypto map configuration command. To specify that IPSec should not request PFS, use the no form of the command.
Usage Guidelines
This command is only available for ipsec-isakmp crypto map entries and dynamic crypto map entries.
During negotiation, this command causes IPSec to request PFS when requesting new security associations for the crypto map entry. The default (group1) is sent if the set pfs statement does not specify a group. If the peer initiates the negotiation and the local configuration specifies PFS, the remote peer must perform a PFS exchange or the negotiation will fail. If the local configuration does not specify a group, a default of group1 will be assumed, and an offer of either group1 or group2 will be accepted. If the local configuration specifies group2, that group must be part of the peer's offer or the negotiation will fail. If the local configuration does not specify PFS, it will accept any offer of PFS from the peer.
PFS adds another level of security because if one key is ever cracked by an attacker, then only the data sent with that key will be compromised. Without PFS, data sent with other keys could also be compromised.
With PFS, every time a new security association is negotiated, a new Diffie-Hellman exchange occurs. (This exchange requires additional processing time.) The 1024-bit Diffie-Hellman prime modulus group, group2, provides more security than group1, but requires more processing time than group1.
Example: The following example specifies that PFS should be used whenever a new security association is negotiated for the crypto map "mymap 10":
router(config)#crypto map mymap 10 ipsec-isakmp
router(config-crypto-map)#set pfs group2
Misconceptions: none
Related commands:
crypto dynamic-map
crypto map (global IPSec)
crypto map (interface IPSec)
crypto map local-address
match address (IPSec)
set peer (IPSec)
set security-association level per-host
set security-association lifetime
set transform-set
show crypto map (IPSec)
Sample Configurations:
!
crypto ipsec profile foo-profile
 set transform-set foo-transforms
 set pfs group2
!

Command Name: set security-association level per-host
Mode: router(config-crypto-map)#
Syntax:
set security-association level per-host
no set security-association level per-host
Syntax Description: This command has no arguments or keywords.
Command Description: To specify that separate IP Security security associations should be requested for each source/destination host pair, use the set security-association level per-host crypto map configuration command. To specify that one security association should be requested for each crypto map access list permit entry, use the no form of this command.
Usage Guidelines
This command is only available for ipsec-isakmp crypto map entries and is not supported for dynamic crypto map entries.
Use this command when a separate security association is needed for each source/destination host pair. Normally, within a given crypto map, IPSec will attempt to request security associations at the granularity specified by the access list entry. For example, if the access list entry permits IP protocol traffic between subnet A and subnet B, IPSec will attempt to request security associations between subnet A and subnet B (for any IP protocol), and unless finer-grained security associations are established (by a peer request), all IPSec-protected traffic between these two subnets would use the same security association.
This command causes IPSec to request separate security associations for each source/destination host pair. In this case, each host pairing (where one host was in subnet A and the other host was in subnet B) would cause IPSec to request a separate security association. With this command, one security association would be requested to protect traffic between host A and host B, and a different security association would be requested to protect traffic between host A and host C.
The access list entry can specify local and remote subnets, or it can specify a host-and-subnet combination. If the access list entry specifies protocols and ports, these values are applied when establishing the unique security associations.
Use this command with care, as multiple streams between given subnets can rapidly consume system resources.
Example: The following example shows what happens with an access list entry of permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255 and a per-host level:
A packet from 1.1.1.1 to 2.2.2.1 will initiate a security association request, which would look like it originated via permit ip host 1.1.1.1 host 2.2.2.1.
A packet from 1.1.1.1 to 2.2.2.2 will initiate a security association request, which would look like it originated via permit ip host 1.1.1.1 host 2.2.2.2.
A packet from 1.1.1.2 to 2.2.2.1 will initiate a security association request, which would look like it originated via permit ip host 1.1.1.2 host 2.2.2.1.
Without the per-host level, any of the above packets will initiate a single security association request originated via permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255.
Misconceptions: none
Related commands:
crypto dynamic-map
crypto map (global IPSec)
crypto map (interface IPSec)
crypto map local-address
match address (IPSec)
set peer (IPSec)
set pfs
set security-association lifetime
set transform-set
show crypto map (IPSec)
Sample Configurations:
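The example above, worked through as an added illustration (not IOS code): a small model that matches packets against the crypto map access list entry with IOS wildcard semantics and shows which selector the security association request carries with and without the per-host level. The packet stream is constructed; the access list entry is the one from the text.

```python
import ipaddress
from typing import List, Optional, Set, Tuple


def parse_acl_entry(entry: str) -> Tuple[str, str, str, str]:
    """Parse 'permit ip <src> <src-wildcard> <dst> <dst-wildcard>' into
    (src, src_wc, dst, dst_wc); 'host X' is shorthand for 'X 0.0.0.0'."""
    tokens = entry.split()
    if tokens[:2] != ["permit", "ip"]:
        raise ValueError("only 'permit ip' entries are modelled here")
    fields, rest = [], tokens[2:]
    while rest:
        if rest[0] == "host":
            fields += [rest[1], "0.0.0.0"]
        else:
            fields += [rest[0], rest[1]]
        rest = rest[2:]
    if len(fields) != 4:
        raise ValueError("expected a source and a destination address/wildcard pair")
    return fields[0], fields[1], fields[2], fields[3]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


def sa_selector(entry: str, src: str, dst: str, per_host: bool) -> Optional[str]:
    """Selector IPSec would request for this packet, or None when the packet
    does not match the crypto map access list entry at all."""
    base_src, wc_src, base_dst, wc_dst = parse_acl_entry(entry)
    if not (wildcard_match(src, base_src, wc_src) and wildcard_match(dst, base_dst, wc_dst)):
        return None
    if per_host:
        # Each source/destination host pair gets its own SA request.
        return f"permit ip host {src} host {dst}"
    return entry   # default: one SA at the granularity of the ACL entry


def sas_requested(entry: str, packets: List[Tuple[str, str]], per_host: bool) -> Set[str]:
    """Distinct SA requests a packet stream triggers: with per-host this grows
    with the number of host pairs, which is the resource caveat in the text."""
    selectors = set()
    for src, dst in packets:
        sel = sa_selector(entry, src, dst, per_host)
        if sel is not None:
            selectors.add(sel)
    return selectors


ACL = "permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255"
# Constructed packet stream: the three pairs from the page plus one flow the ACL does not cover.
PACKETS = [("1.1.1.1", "2.2.2.1"), ("1.1.1.1", "2.2.2.2"),
           ("1.1.1.2", "2.2.2.1"), ("1.1.1.1", "3.3.3.3")]

if __name__ == "__main__":
    for per_host in (False, True):
        selectors = sas_requested(ACL, PACKETS, per_host)
        print(f"per-host={per_host}: {len(selectors)} SA request(s)")
        for sel in sorted(selectors):
            print("   ", sel)
```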

Command Name: set security-association lifetime
Mode: router(config-crypto-map)#
Syntax:
set security-association lifetime {seconds seconds | kilobytes kilobytes}
no set security-association lifetime {seconds | kilobytes}
Syntax Description:
seconds seconds      Specifies the number of seconds a security association will live before expiring.
kilobytes kilobytes  Specifies the volume of traffic (in kilobytes) that can pass between IPSec peers using a given security association before that security association expires.
Command Description: To override (for a particular crypto map entry) the global lifetime value, which is used when negotiating IP Security security associations, use the set security-association lifetime crypto map configuration command. To reset a crypto map entry's lifetime value to the global value, use the no form of this command.
Usage Guidelines
This command is available only for ipsec-isakmp crypto map entries and dynamic crypto map entries.
IPSec security associations use shared secret keys. These keys and their security associations time out together.
Assuming that the particular crypto map entry has lifetime values configured, when the router requests new security associations during security association negotiation, it will specify its crypto map lifetime value in the request to the peer; it will use this value as the lifetime of the new security associations. When the router receives a negotiation request from the peer, it will use the smaller of the lifetime value proposed by the peer or the locally configured lifetime value as the lifetime of the new security associations.
There are two lifetimes: a "timed" lifetime and a "traffic-volume" lifetime. The session keys/security association expires after the first of these lifetimes is reached.
If you change a lifetime, the change will not be applied to existing security associations, but will be used in subsequent negotiations to establish security associations for data flows supported by this crypto map entry. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear crypto sa command. Refer to the clear crypto sa command for more detail.
To change the timed lifetime, use the set security-association lifetime seconds form of the command. The timed lifetime causes the keys and security association to time out after the specified number of seconds have passed.
To change the traffic-volume lifetime, use the set security-association lifetime kilobytes form of the command. The traffic-volume lifetime causes the key and security association to time out after the specified amount of traffic (in kilobytes) has been protected by the security association's key.
Shorter lifetimes can make it harder to mount a successful key recovery attack, because the attacker has less data encrypted under the same key to work with. However, shorter lifetimes need more CPU processing time.
The lifetime values are ignored for manually established security associations (security associations installed via an ipsec-manual crypto map entry).
How These Lifetimes Work
Assuming that the particular crypto map entry does not have lifetime values configured, when the router requests new security associations it will specify its global lifetime values in the request to the peer; it will use this value as the lifetime of the new security associations. When the router receives a negotiation request from the peer, it will use the smaller of either the lifetime value proposed by the peer or the locally configured lifetime value as the lifetime of the new security associations.
The security association (and corresponding keys) will expire according to whichever occurs sooner, either after the seconds time out or after the kilobytes amount of traffic is passed. A new security association is negotiated before the lifetime threshold of the existing security association is reached, to ensure that a new security association is ready for use when the old one expires. The new security association is negotiated either 30 seconds before the seconds lifetime expires or when the volume of traffic through the tunnel reaches 256 kilobytes less than the kilobytes lifetime (whichever occurs first).
If no traffic has passed through the tunnel during the entire life of the security association, a new security association is not negotiated when the lifetime expires. Instead, a new security association will be negotiated only when IPSec sees another packet that should be protected.
Example: The following example shortens the timed lifetime for a particular crypto map entry, because there is a higher risk that the keys could be compromised for security associations belonging to the crypto map entry. The traffic-volume lifetime is not changed because there is not a high volume of traffic anticipated for these security associations. The timed lifetime is shortened to 2700 seconds (45 minutes).
router(config)#crypto map mymap 10 ipsec-isakmp
router(config-crypto-map)#set security-association lifetime seconds 2700
Misconceptions: none
Related commands:
crypto dynamic-map
crypto ipsec security-association lifetime
crypto map (global IPSec)
crypto map (interface IPSec)
crypto map local-address
match address (IPSec)
set peer (IPSec)
set pfs
set security-association level per-host
set transform-set
show crypto map (IPSec)
Sample Configurations:
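The lifetime rules above (crypto map value overrides the global value, the responder takes the smaller of the two proposals, rekey starts 30 seconds or 256 kilobytes ahead of the limit, an idle SA is not renegotiated), modelled as an added illustration rather than IOS code. The global lifetime values are assumed: 4608000 kilobytes appears in this page's show output, 3600 seconds is an assumption for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed global values (see lead-in); the crypto map entry below overrides only seconds.
GLOBAL_LIFETIME_SECONDS = 3600
GLOBAL_LIFETIME_KILOBYTES = 4608000
REKEY_SECONDS_BEFORE = 30       # replacement SA negotiated this long before the timed limit
REKEY_KILOBYTES_BEFORE = 256    # or this much traffic before the volume limit


@dataclass(frozen=True)
class Lifetime:
    seconds: int
    kilobytes: int


GLOBAL_LIFETIME = Lifetime(GLOBAL_LIFETIME_SECONDS, GLOBAL_LIFETIME_KILOBYTES)


@dataclass
class CryptoMapEntry:
    """Per-entry values from set security-association lifetime; None means
    'not configured here, so the global value applies'."""
    seconds: Optional[int] = None
    kilobytes: Optional[int] = None

    def effective(self, global_lt: Lifetime = GLOBAL_LIFETIME) -> Lifetime:
        """Values this router puts in its own request to the peer."""
        return Lifetime(global_lt.seconds if self.seconds is None else self.seconds,
                        global_lt.kilobytes if self.kilobytes is None else self.kilobytes)


def negotiated_lifetime(local: Lifetime, peer_proposal: Lifetime) -> Lifetime:
    """Responder rule: per limit, the smaller of the peer's proposal and the local value."""
    return Lifetime(min(local.seconds, peer_proposal.seconds),
                    min(local.kilobytes, peer_proposal.kilobytes))


def sa_state(lt: Lifetime, elapsed_s: int, kb_protected: int) -> str:
    """Classify an SA as 'active', 'rekey' (replacement negotiated ahead of expiry),
    'idle-no-rekey' (near expiry but never carried traffic, so nothing is negotiated
    until a packet needs protection) or 'expired'."""
    if elapsed_s >= lt.seconds or kb_protected >= lt.kilobytes:
        return "expired"
    near_limit = (elapsed_s >= lt.seconds - REKEY_SECONDS_BEFORE
                  or kb_protected >= lt.kilobytes - REKEY_KILOBYTES_BEFORE)
    if near_limit:
        return "rekey" if kb_protected > 0 else "idle-no-rekey"
    return "active"


# The page's example: mymap 10 shortens only the timed lifetime to 2700 seconds.
MYMAP_10 = CryptoMapEntry(seconds=2700)

if __name__ == "__main__":
    local = MYMAP_10.effective()
    print("local request:", local)
    print("peer proposes the global values ->", negotiated_lifetime(local, GLOBAL_LIFETIME))
    print("peer proposes 1800 s / 1000000 KB ->", negotiated_lifetime(local, Lifetime(1800, 1000000)))
    for elapsed, kb in ((100, 10), (2671, 500), (2600, 4607800), (2680, 0), (2700, 0)):
        print(f"t={elapsed}s kb={kb}: {sa_state(local, elapsed, kb)}")
```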

Command Name: set session-key
Mode: router(config-crypto-map)#
Syntax:
set session-key {inbound | outbound} ah spi hex-key-string
set session-key {inbound | outbound} esp spi cipher hex-key-string [authenticator hex-key-string]
no set session-key {inbound | outbound} ah
no set session-key {inbound | outbound} esp
Syntax Description:
inbound         Sets the inbound IPSec session key. (You must set both inbound and outbound keys.)
outbound        Sets the outbound IPSec session key. (You must set both inbound and outbound keys.)
ah              Sets the IPSec session key for the Authentication Header protocol. Use when the crypto map entry's transform set includes an AH transform.
esp             Sets the IPSec session key for the Encapsulation Security Protocol. Use when the crypto map entry's transform set includes an ESP transform.
spi             Specifies the security parameter index (SPI), a number that is used to uniquely identify a security association. The SPI is an arbitrary number you assign in the range of 256 to 4,294,967,295 (FFFF FFFF). You can assign the same SPI to both directions and both protocols. However, not all peers have the same flexibility in SPI assignment. For a given destination address/protocol combination, unique SPI values must be used. The destination address is that of the router if inbound, the peer if outbound.
hex-key-string  Specifies the session key; enter in hexadecimal format. This is an arbitrary hexadecimal string of 8, 16, or 20 bytes. If the crypto map's transform set includes a DES algorithm, specify at least 8 bytes per key. If the crypto map's transform set includes an MD5 algorithm, specify at least 16 bytes per key. If the crypto map's transform set includes an SHA algorithm, specify 20 bytes per key. Keys longer than the above sizes are simply truncated.
cipher          Indicates that the key string is to be used with the ESP encryption transform.
authenticator   (Optional) Indicates that the key string is to be used with the ESP authentication transform. This argument is required only when the crypto map entry's transform set includes an ESP authentication transform.
Command Description: To manually specify the IP Security session keys within a crypto map entry, use the set session-key crypto map configuration command. This command is only available for ipsec-manual crypto map entries. To remove IPSec session keys from a crypto map entry, use the no form of this command.
Usage Guidelines
Use this command to define IPSec keys for security associations via ipsec-manual crypto map entries. (In the case of ipsec-isakmp crypto map entries, the security associations with their corresponding keys are automatically established via the IKE negotiation.)
If the crypto map's transform set includes an AH protocol, you must define IPSec keys for AH for both inbound and outbound traffic. If the crypto map's transform set includes an ESP encryption protocol, you must define IPSec keys for ESP encryption for both inbound and outbound traffic. If your transform set includes an ESP authentication protocol, you must define IPSec keys for ESP authentication for inbound and outbound traffic.
When you define multiple IPSec session keys within a single crypto map, you can assign the same security parameter index (SPI) number to all the keys. The SPI is used to identify the security association used with the crypto map. However, not all peers have the same flexibility in SPI assignment. You should coordinate SPI assignment with your peer's operator, making certain that the same SPI is not used more than once for the same destination address/protocol combination.
Security associations established via this command do not expire (unlike security associations established via IKE).
Session keys at one peer must match the session keys at the remote peer.
If you change a session key, the security association using the key will be deleted and reinitialized.
Example: The following example shows a crypto map entry for manually established security associations. The transform set "t_set" includes only an AH protocol.
crypto ipsec transform-set t_set ah-sha-hmac
!
crypto map mymap 20 ipsec-manual
 match address 102
 set transform-set t_set
 set peer 10.0.0.21
 set session-key inbound ah 300 1111111111111111111111111111111111111111
 set session-key outbound ah 300 2222222222222222222222222222222222222222
The following example shows a crypto map entry for manually established security associations. The transform set "someset" includes both an AH and an ESP protocol, so session keys are configured for both AH and ESP for both inbound and outbound traffic. The transform set includes both encryption and authentication ESP transforms, so session keys are created for both using the cipher and authenticator keywords.
crypto ipsec transform-set someset ah-sha-hmac esp-des esp-sha-hmac
!
crypto map mymap 10 ipsec-manual
 match address 101
 set transform-set someset
 set peer 10.0.0.1
 set session-key inbound ah 300 9876543210987654321098765432109876543210
 set session-key outbound ah 300 fedcbafedcbafedcbafedcbafedcbafedcbafedc
 set session-key inbound esp 300 cipher 0123456789012345 authenticator 0000111122223333444455556666777788889999
 set session-key outbound esp 300 cipher abcdefabcdefabcd authenticator 9999888877776666555544443333222211110000
Misconceptions: none
Related commands:
crypto map (global IPSec)
crypto map (interface IPSec)
crypto map local-address
match address (IPSec)
set peer (IPSec)
set transform-set
show crypto map (IPSec)
Sample Configurations:
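A configuration check for the rules in this entry, added here as an illustration and not part of IOS: key length per transform (DES 8, MD5 16, SHA 20 bytes, longer keys truncated), the SPI range, both directions present for every protocol the transform set needs, and one SPI per destination address/protocol combination. The input is the page's two examples placed into one configuration, and the router's own address (the destination of inbound SAs) is an assumed value; with both entries on one router, the inbound AH SPI 300 is used twice for the same destination/protocol, which the page's rule forbids.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

LOCAL_ROUTER = "10.0.0.100"   # assumed address of this router (destination of inbound SAs)
SPI_MIN, SPI_MAX = 256, 4294967295
# Minimum key length in bytes per transform, as stated in the hex-key-string description.
MIN_KEY_BYTES = {"esp-des": 8, "ah-md5-hmac": 16, "esp-md5-hmac": 16,
                 "ah-sha-hmac": 20, "esp-sha-hmac": 20}

# Constructed input: the page's two ipsec-manual examples in one configuration.
CONFIG = """
crypto ipsec transform-set t_set ah-sha-hmac
crypto ipsec transform-set someset ah-sha-hmac esp-des esp-sha-hmac
!
crypto map mymap 20 ipsec-manual
 match address 102
 set transform-set t_set
 set peer 10.0.0.21
 set session-key inbound ah 300 1111111111111111111111111111111111111111
 set session-key outbound ah 300 2222222222222222222222222222222222222222
!
crypto map mymap 10 ipsec-manual
 match address 101
 set transform-set someset
 set peer 10.0.0.1
 set session-key inbound ah 300 9876543210987654321098765432109876543210
 set session-key outbound ah 300 fedcbafedcbafedcbafedcbafedcbafedcbafedc
 set session-key inbound esp 300 cipher 0123456789012345 authenticator 0000111122223333444455556666777788889999
 set session-key outbound esp 300 cipher abcdefabcdefabcd authenticator 9999888877776666555544443333222211110000
"""


def parse(config: str) -> Tuple[Dict[str, List[str]], List[dict]]:
    """Collect transform sets and ipsec-manual crypto map entries with their session keys."""
    tsets, entries, cur = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            tsets[m.group(1)] = m.group(2).split()
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-manual", line):
            cur = {"name": f"{m.group(1)} {m.group(2)}", "peer": None, "tset": None, "keys": []}
            entries.append(cur)
        elif cur is None:
            continue
        elif m := re.match(r"set peer (\S+)", line):
            cur["peer"] = m.group(1)
        elif m := re.match(r"set transform-set (\S+)", line):
            cur["tset"] = m.group(1)
        elif m := re.match(r"set session-key (inbound|outbound) (ah|esp) (\d+) (.+)", line):
            key = {"direction": m.group(1), "proto": m.group(2), "spi": int(m.group(3))}
            rest = m.group(4).split()
            if key["proto"] == "ah":
                key["ah"] = rest[0]
            else:   # cipher <hex> [authenticator <hex>]
                key.update(zip(rest[::2], rest[1::2]))
            cur["keys"].append(key)
    return tsets, entries


def required_keys(transforms: List[str]) -> List[Tuple[str, str, int]]:
    """(protocol, key slot, minimum bytes) demanded by a transform set."""
    req = []
    for t in transforms:
        if t.startswith("ah-"):
            req.append(("ah", "ah", MIN_KEY_BYTES[t]))
        elif t == "esp-des":
            req.append(("esp", "cipher", MIN_KEY_BYTES[t]))
        elif t.startswith("esp-") and t.endswith("-hmac"):
            req.append(("esp", "authenticator", MIN_KEY_BYTES[t]))
    return req


def validate(config: str, local_router: str = LOCAL_ROUTER) -> List[str]:
    """Return a list of problems; an empty list means the entries follow the rules."""
    tsets, entries = parse(config)
    problems, spi_use = [], defaultdict(list)
    for e in entries:
        name = e["name"]
        for direction in ("inbound", "outbound"):
            keys = {k["proto"]: k for k in e["keys"] if k["direction"] == direction}
            for proto, slot, need in required_keys(tsets.get(e["tset"], [])):
                k = keys.get(proto)
                nbytes = len(k.get(slot, "")) // 2 if k else 0
                if k is None:
                    problems.append(f"{name}: missing {direction} {proto} session key")
                elif slot not in k:
                    problems.append(f"{name}: {direction} {proto} key lacks the '{slot}' keyword")
                elif nbytes < need:
                    problems.append(f"{name}: {direction} {proto} {slot} key is {nbytes} bytes, needs {need}")
                elif nbytes > need:
                    problems.append(f"{name}: {direction} {proto} {slot} key is {nbytes} bytes, truncated to {need}")
        for k in e["keys"]:
            if not SPI_MIN <= k["spi"] <= SPI_MAX:
                problems.append(f"{name}: SPI {k['spi']} outside {SPI_MIN}..{SPI_MAX}")
            # Inbound SAs terminate at this router, outbound SAs at the peer.
            dest = local_router if k["direction"] == "inbound" else e["peer"]
            spi_use[(dest, k["proto"], k["spi"])].append(name)
    for (dest, proto, spi), names in spi_use.items():
        if len(names) > 1:
            problems.append(f"SPI {spi} reused for {proto} to {dest} by {', '.join(names)}")
    return problems
```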

Command Name: set transform-set
Mode: router(config-crypto-map)#
Syntax:
set transform-set transform-set-name [transform-set-name2...transform-set-name6]
no set transform-set
Syntax Description:
transform-set-name  Name of the transform set. For an ipsec-manual crypto map entry, you can specify only one transform set. For an ipsec-isakmp or dynamic crypto map entry, you can specify up to 6 transform sets.
Command Description: To specify which transform sets can be used with the crypto map entry, use the set transform-set crypto map configuration command. To remove all transform sets from a crypto map entry, use the no form of this command.
Usage Guidelines
This command is required for all static and dynamic crypto map entries.
Use this command to specify which transform sets to include in a crypto map entry. For an ipsec-isakmp crypto map entry, you can list multiple transform sets with this command. List the higher priority transform sets first. If the local router initiates the negotiation, the transform sets are presented to the peer in the order specified in the crypto map entry. If the peer initiates the negotiation, the local router accepts the first transform set that matches one of the transform sets specified in the crypto map entry. The first matching transform set that is found at both peers is used for the security association. If no match is found, IPSec will not establish a security association. The traffic will be dropped because there is no security association to protect the traffic.
For an ipsec-manual crypto map entry, you can specify only one transform set. If the transform set does not match the transform set at the remote peer's crypto map, the two peers will fail to correctly communicate because the peers are using different rules to process the traffic.
If you want to change the list of transform sets, re-specify the new list of transform sets to replace the old list. This change is only applied to crypto map entries that reference this transform set. The change will not be applied to existing security associations, but will be used in subsequent negotiations to establish new security associations. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear crypto sa command.
Any transform sets included in a crypto map must previously have been defined using the crypto ipsec transform-set command.
Example: The following example defines two transform sets and specifies that they can both be used within a crypto map entry. (This example applies only when IKE is used to establish security associations. With crypto maps used for manually established security associations, only one transform set can be included in a given crypto map entry.)
router(config)#crypto ipsec transform-set my_t_set1 esp-des esp-sha-hmac
router(config)#crypto ipsec transform-set my_t_set2 ah-sha-hmac esp-des esp-sha-hmac
!
router(config)#crypto map mymap 10 ipsec-isakmp
router(config-crypto-map)#match address 101
router(config-crypto-map)#set transform-set my_t_set1 my_t_set2
router(config-crypto-map)#set peer 10.0.0.1
router(config-crypto-map)#set peer 10.0.0.2
In this example, when traffic matches access list 101, the security association can use either transform set "my_t_set1" (first priority) or "my_t_set2" (second priority) depending on which transform set matches the remote peer's transform sets.
Misconceptions: none
Related commands: none
Sample Configurations:
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key Delaware address 192.168.10.66
crypto isakmp key Key-What-Key address 192.168.11.19
!
!
crypto ipsec transform-set BearMama ah-md5-hmac esp-des
crypto ipsec df-bit clear
!
!
crypto map armadillo 1 ipsec-isakmp
 set peer 192.168.10.66
 set transform-set BearMama
 match address 101
!
crypto map basilisk 1 ipsec-isakmp
 set peer 192.168.11.19
 set transform-set BearMama
 match address 102
!
!
interface Ethernet0
 ip address 192.168.10.38 255.255.255.0
 ip broadcast-address 0.0.0.0
 media-type 10BaseT
 crypto map armadillo
 crypto ipsec df-bit copy
!
interface Ethernet1
 ip address 192.168.11.75 255.255.255.0
 ip broadcast-address 0.0.0.0
 media-type 10BaseT
 crypto map basilisk
!
interface Serial0
 no ip address
 ip broadcast-address 0.0.0.0
 no ip route-cache
 no ip mroute-cache
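The transform-set selection rules in this entry and the PFS rules in the set pfs entry both decide the same IKE negotiation, so one added model serves both (an illustration, not IOS code). Transform sets are matched by their transforms and mode, never by name; the local entry mirrors the set transform-set example with set pfs group2 added, and the peer entry, its names and its plain set pfs (default group1) are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class TransformSet:
    name: str                  # local name only; peers never compare names
    transforms: frozenset      # e.g. {"esp-des", "esp-sha-hmac"}
    mode: str = "tunnel"       # "tunnel" or "transport"

    def matches(self, other: "TransformSet") -> bool:
        # Peers agree on the transforms and the mode, not on the name.
        return self.transforms == other.transforms and self.mode == other.mode


@dataclass
class CryptoMapEntry:
    router: str
    transform_sets: List[TransformSet]   # in configured (priority) order
    pfs: bool = False                    # is "set pfs" present?
    pfs_group: Optional[str] = None      # "group1" / "group2" / None (= default group1)


def choose_transform_set(initiator: CryptoMapEntry,
                         responder: CryptoMapEntry) -> Optional[Tuple[TransformSet, TransformSet]]:
    """The initiator presents its sets in configured order; the responder
    accepts the first one that matches any set in its own entry."""
    for offered in initiator.transform_sets:
        for local in responder.transform_sets:
            if offered.matches(local):
                return offered, local
    return None   # no SA: the traffic is dropped


def pfs_offer(entry: CryptoMapEntry) -> Optional[str]:
    """DH group an initiator puts in its request: group1 when set pfs names
    no group, nothing at all when PFS is not configured."""
    return (entry.pfs_group or "group1") if entry.pfs else None


def choose_pfs(initiator: CryptoMapEntry, responder: CryptoMapEntry) -> Tuple[bool, Optional[str]]:
    """Responder-side PFS rules. Returns (negotiation ok, agreed group)."""
    offer = pfs_offer(initiator)
    if not responder.pfs:
        return True, offer        # no local PFS: any offer, or none, is accepted
    if offer is None:
        return False, None        # local side requires a DH exchange; the peer does none
    if responder.pfs_group is None:
        return True, offer        # default group1 assumed: group1 or group2 accepted
    if offer == responder.pfs_group:
        return True, offer        # an explicit local group must be in the peer's offer
    return False, None


def negotiate(initiator: CryptoMapEntry, responder: CryptoMapEntry) -> dict:
    """Combine both decisions; failing either means no security association."""
    pair = choose_transform_set(initiator, responder)
    if pair is None:
        return {"ok": False, "reason": "no matching transform set"}
    ok, group = choose_pfs(initiator, responder)
    if not ok:
        return {"ok": False, "reason": "PFS requirement not met"}
    return {"ok": True, "transform_set": (pair[0].name, pair[1].name), "pfs_group": group}


# Constructed entries (see lead-in).
MY_T_SET1 = TransformSet("my_t_set1", frozenset({"esp-des", "esp-sha-hmac"}))
MY_T_SET2 = TransformSet("my_t_set2", frozenset({"ah-sha-hmac", "esp-des", "esp-sha-hmac"}))
PEER_SET_A = TransformSet("peer_a", frozenset({"ah-sha-hmac", "esp-des", "esp-sha-hmac"}))
PEER_SET_B = TransformSet("peer_b", frozenset({"esp-des", "esp-sha-hmac"}), mode="transport")
LOCAL = CryptoMapEntry("local", [MY_T_SET1, MY_T_SET2], pfs=True, pfs_group="group2")
PEER = CryptoMapEntry("peer", [PEER_SET_A, PEER_SET_B], pfs=True)

if __name__ == "__main__":
    # The outcome depends on who initiates: the group2 requirement is only
    # enforced by the side that responds.
    print("local initiates:", negotiate(LOCAL, PEER))
    print("peer initiates: ", negotiate(PEER, LOCAL))
```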

Command Name: show crypto dynamic-map
Mode: router#
Syntax:
show crypto dynamic-map [tag map-name]
Syntax Description:
tag map-name  (Optional) Displays only the crypto dynamic map set with the specified map-name.
Command Description: To view a dynamic crypto map set, use the show crypto dynamic-map privileged EXEC command.
Example:
router# show crypto dynamic-map
Misconceptions: none
Related commands: none
Sample Configurations:
Router# show crypto dynamic-map
Crypto Map Template "dyn1" 10
        Extended IP access list 152
            access-list 152 permit ip
                source: addr = 172.21.114.67/0.0.0.0
                dest:   addr = 0.0.0.0/255.255.255.255
        Current peer: 0.0.0.0
        Security association lifetime: 4608000 kilobytes/120 seconds
        PFS (Y/N): N
        Transform sets={ tauth, t1, }

Command Name: show crypto ipsec sa
Mode: router#
Syntax:
show crypto ipsec sa [map map-name | address | identity] [detail]
Syntax Description:
map map-name  (Optional) Displays any existing security associations created for the crypto map set named map-name.
address       (Optional) Displays all existing security associations, sorted by the destination address (either the local address or the address of the IP Security remote peer) and then by protocol (Authentication Header or Encapsulation Security Protocol).
identity      (Optional) Displays only the flow information. It does not show the security association information.
detail        (Optional) Displays detailed error counters. (The default is the high level send/receive error counters.)
Command Description: To view the settings used by current security associations, use the show crypto ipsec sa privileged EXEC command.
Usage Guidelines
If no keyword is used, all security associations are displayed. They are sorted first by interface, and then by traffic flow (for example, source/destination address, mask, protocol, port). Within a flow, the security associations are listed by protocol (ESP/AH) and direction (inbound/outbound).
Example:
router# show crypto ipsec sa
Misconceptions: none
Related commands: none
Sample Configurations:
router# show crypto ipsec sa
interface: Ethernet0
    Crypto map tag: router-alice, local addr. 172.21.114.123
   local ident (addr/mask/prot/port): (172.21.114.123/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.21.114.67/255.255.255.255/0/0)
   current_peer: 172.21.114.67
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify 10
    #send errors 10, #recv errors 0
     local crypto endpt.: 172.21.114.123, remote crypto endpt.: 172.21.114.67
     path mtu 1500, media mtu 1500
     current outbound spi: 20890A6F
     inbound esp sas:
      spi: 0x257A1039(628756537)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 26, crypto map: router-alice
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     outbound esp sas:
      spi: 0x20890A6F(545852015)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 27, crypto map: router-alice
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
     outbound ah sas:
interface: Tunnel0
    Crypto map tag: router-alice, local addr. 172.21.114.123
   local ident (addr/mask/prot/port): (172.21.114.123/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.21.114.67/255.255.255.255/0/0)
   current_peer: 172.21.114.67
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify 10
    #send errors 10, #recv errors 0
     local crypto endpt.: 172.21.114.123, remote crypto endpt.: 172.21.114.67
     path mtu 1500, media mtu 1500
     current outbound spi: 20890A6F
     inbound esp sas:
      spi: 0x257A1039(628756537)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 26, crypto map: router-alice
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     outbound esp sas:
      spi: 0x20890A6F(545852015)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 27, crypto map: router-alice
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
     outbound ah sas:
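A parser for this output, added as an illustration (not an IOS or Cisco tool), that turns each SA into a record and then runs a few operational checks over them: single-DES or MD5 transforms, replay detection reported off, and non-zero send/receive error counters. The embedded sample is the Ethernet0 section of the output above, laid out line by line as the router prints it.

```python
import re
from typing import Dict, List

# Constructed from the page's sample output (Ethernet0 section only).
SAMPLE = """interface: Ethernet0
    Crypto map tag: router-alice, local addr. 172.21.114.123
   local ident (addr/mask/prot/port): (172.21.114.123/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.21.114.67/255.255.255.255/0/0)
   current_peer: 172.21.114.67
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify 10
    #send errors 10, #recv errors 0
     local crypto endpt.: 172.21.114.123, remote crypto endpt.: 172.21.114.67
     path mtu 1500, media mtu 1500
     current outbound spi: 20890A6F
     inbound esp sas:
      spi: 0x257A1039(628756537)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 26, crypto map: router-alice
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     outbound esp sas:
      spi: 0x20890A6F(545852015)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 27, crypto map: router-alice
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
     outbound ah sas:
"""

WEAK_TRANSFORMS = {"esp-des", "esp-md5-hmac", "ah-md5-hmac"}   # single DES and MD5


def parse_show_ipsec_sa(text: str) -> List[Dict]:
    """One record per SA: interface, peer, direction, protocol, spi, transforms,
    mode, remaining lifetime, replay flag and the flow's error counters."""
    sas, iface, peer, errors, section, cur = [], None, None, {}, None, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("interface:"):
            iface, errors = s.split(":", 1)[1].strip(), {}
        elif s.startswith("current_peer:"):
            peer = s.split(":", 1)[1].strip()
        elif m := re.match(r"#send errors (\d+), #recv errors (\d+)", s):
            errors = {"send": int(m.group(1)), "recv": int(m.group(2))}
        elif re.fullmatch(r"(inbound|outbound) (esp|ah) sas:", s):
            section = s.split()[:2]           # e.g. ["inbound", "esp"]
        elif m := re.match(r"spi: 0x([0-9A-Fa-f]+)", s):
            cur = {"interface": iface, "peer": peer, "direction": section[0],
                   "protocol": section[1], "spi": int(m.group(1), 16), "errors": errors}
            sas.append(cur)
        elif cur is not None and s.startswith("transform:"):
            cur["transforms"] = s[len("transform:"):].replace(",", "").split()
        elif cur is not None and s.startswith("in use settings"):
            cur["mode"] = re.search(r"\{(\w+)", s).group(1)
        elif cur is not None and (m := re.search(r"remaining key lifetime \(k/sec\): \((\d+)/(\d+)\)", s)):
            cur["remaining_kb"], cur["remaining_sec"] = int(m.group(1)), int(m.group(2))
        elif cur is not None and s.startswith("replay detection support:"):
            cur["replay"] = s.endswith("Y")
    return sas


def audit(sas: List[Dict]) -> List[str]:
    """Findings a defender would want to act on, one string per issue."""
    findings = []
    for sa in sas:
        tag = f"{sa['interface']} {sa['direction']} {sa['protocol']} spi 0x{sa['spi']:08X}"
        weak = sorted(set(sa.get("transforms", [])) & WEAK_TRANSFORMS)
        if weak:
            findings.append(f"{tag}: weak transform(s) {' '.join(weak)}")
        if not sa.get("replay", False):
            findings.append(f"{tag}: replay detection off")
        if sa["errors"].get("send", 0) or sa["errors"].get("recv", 0):
            findings.append(f"{tag}: errors send={sa['errors']['send']} recv={sa['errors']['recv']}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_show_ipsec_sa(SAMPLE)):
        print(finding)
```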

Command Name: show crypto ipsec security-association lifetime
Mode: router#
Syntax:
show crypto ipsec security-association lifetime
Syntax Description: This command has no arguments or keywords.
Command Description: To view the security-association lifetime value configured for a particular crypto map entry, use the show crypto ipsec security-association lifetime privileged EXEC command.
Example:
router# show crypto ipsec security-association lifetime
Misconceptions: none
Related commands: none
Sample Configurations:
router# show crypto ipsec security-association lifetime
Security-association lifetime: 4608000 kilobytes/120 seconds

Command Name: show crypto ipsec transform-set
Mode: router#
Syntax:
show crypto ipsec transform-set [tag transform-set-name]
Syntax Description:
tag transform-set-name  (Optional) Displays only the transform sets with the specified transform-set-name.
Command Description: To view the configured transform sets, use the show crypto ipsec transform-set privileged EXEC command.
Example:
router# show crypto ipsec transform-set
Misconceptions: none
Related commands: none
Sample Configurations:
router# show crypto ipsec transform-set
Transform set combined-des-sha: { esp-des esp-sha-hmac }
   will negotiate = { Tunnel, },
Transform set combined-des-md5: { esp-des esp-md5-hmac }
   will negotiate = { Tunnel, },
Transform set t1: { esp-des esp-md5-hmac }
   will negotiate = { Tunnel, },
Transform set t100: { ah-sha-hmac }
   will negotiate = { Transport, },
Transform set t2: { ah-sha-hmac }
   will negotiate = { Tunnel, },
   { esp-des }
   will negotiate = { Tunnel, },

Command Name: show crypto map
Mode: router#
Syntax:
show crypto map [interface interface | tag map-name]
Syntax Description:
interface interface  (Optional) Displays only the crypto map set applied to the specified interface.
tag map-name         (Optional) Displays only the crypto map set with the specified map-name.
Command Description: To view the crypto map configuration, use the show crypto map privileged EXEC command.
Example:
router# show crypto map
Misconceptions: none
Related commands: none
Sample Configurations:
router# show crypto map
Crypto Map: "router-alice" idb: Ethernet0 local address: 172.21.114.123
Crypto Map "router-alice" 10 ipsec-isakmp
        Peer = 172.21.114.67
        Extended IP access list 141
            access-list 141 permit ip
                source: addr = 172.21.114.123/0.0.0.0
                dest:   addr = 172.21.114.67/0.0.0.0
        Current peer: 172.21.114.67
        Security-association lifetime: 4608000 kilobytes/120 seconds
        PFS (Y/N): N
        Transform sets={ t1, }

Command Name: address
Mode: router(config-pubkey-chain)#
Syntax:
address ip-address
Syntax Description:
ip-address  Specifies the IP address of the remote peer.
Command Description: To specify the IP address of the remote peer's RSA public key you will manually configure, use the address public key configuration command.
Usage Guidelines
Use this command in conjunction with the named-key command to specify which IP Security peer's RSA public key you will manually configure next. This command should only be used when the router has a single interface that processes IPSec.
Example:
router(config-pubkey-key)# address 10.5.5.1
Misconceptions: none
Related commands:
addressed-key
crypto key pubkey-chain rsa
key-string (IKE)
show crypto key pubkey-chain rsa
Sample Configurations: The following sample manually specifies the RSA public keys of an IPSec peer:
Router(config)# crypto key pubkey-chain rsa
Router(config-pubkey-chain)# named-key otherpeer.example.com
Router(config-pubkey-key)# address 10.5.5.1
Router(config-pubkey-key)# key-string
Router(config-pubkey)# 005C300D 06092A86 4886F70D 01010105
Router(config-pubkey)# 00034B00 30480241 00C5E23B 55D6AB22
Router(config-pubkey)# 04AEF1BA A54028A6 9ACC01C5 129D99E4
Router(config-pubkey)# 64CAB820 847EDAD9 DF0B4E4C 73A05DD2
Router(config-pubkey)# BD62A8A9 FA603DD2 E2A8A6F8 98F76E28
Router(config-pubkey)# D58AD221 B583D7A4 71020301 0001
Router(config-pubkey)# quit
Router(config-pubkey-key)# exit
Router(config-pubkey-chain)# exit
Router(config)#

Command Name: addressed-key
Mode: router(config-pubkey-chain)#
Syntax: addressed-key key-address [encryption | signature]
Syntax Description:
key-address    Specifies the IP address of the remote peer's RSA keys.
encryption     (Optional) Indicates that the RSA public key to be specified will be an encryption special-usage key.
signature      (Optional) Indicates that the RSA public key to be specified will be a signature special-usage key.
Command Description: To specify which peer's RSA public key you will manually configure, use the addressed-key public key chain configuration command.
Usage Guidelines: Use this command or the named-key command to specify which IP Security peer's RSA public key you will manually configure next. Follow this command with the key-string command to specify the key. If the IPSec remote peer generated general-purpose RSA keys, do not use the encryption or signature keywords. If the IPSec remote peer generated special-usage keys, you must manually specify both keys: use this command and the key-string command twice and use the encryption and signature keywords respectively.
Example:
Router(config-pubkey-chain)# addressed-key 10.1.1.2 encryption
Misconceptions: none
Related commands: crypto key pubkey-chain rsa, key-string (IKE), named-key, show crypto key pubkey-chain rsa
Sample Configurations: The following sample manually specifies the RSA public keys of two IPSec peers. The peer at 10.5.5.1 uses general-purpose keys, and the other peer uses special-usage keys.
Router(config)# crypto key pubkey-chain rsa
Router(config-pubkey-chain)# named-key otherpeer.example.com
Router(config-pubkey-key)# address 10.5.5.1
Router(config-pubkey-key)# key-string
Router(config-pubkey)# 005C300D 06092A86 4886F70D 01010105
Router(config-pubkey)# 00034B00 30480241 00C5E23B 55D6AB22
Router(config-pubkey)# 04AEF1BA A54028A6 9ACC01C5 129D99E4
Router(config-pubkey)# 64CAB820 847EDAD9 DF0B4E4C 73A05DD2
Router(config-pubkey)# BD62A8A9 FA603DD2 E2A8A6F8 98F76E28
Router(config-pubkey)# D58AD221 B583D7A4 71020301 0001
Router(config-pubkey)# quit
Router(config-pubkey-key)# exit
Router(config-pubkey-chain)# addressed-key 10.1.1.2 encryption
Router(config-pubkey-key)# key-string
Router(config-pubkey)# 00302017 4A7D385B 1234EF29 335FC973
Router(config-pubkey)# 2DD50A37 C4F4B0FD 9DADE748 429618D5
Router(config-pubkey)# 18242BA3 2EDFBDD3 4296142A DDF7D3D8
Router(config-pubkey)# 08407685 2F2190A0 0B43F1BD 9A8A26DB
Router(config-pubkey)# 07953829 791FCDE9 A98420F0 6A82045B
Router(config-pubkey)# 90288A26 DBC64468 7789F76E EE21
Router(config-pubkey)# quit
Router(config-pubkey-key)# exit
Router(config-pubkey-chain)# addressed-key 10.1.1.2 signature
Router(config-pubkey-key)# key-string
Router(config-pubkey)# 0738BC7A 2BC3E9F0 679B00FE 53987BCC
Router(config-pubkey)# 01030201 42DD06AF E228D24C 458AD228
Router(config-pubkey)# 58BB5DDD F4836401 2A2D7163 219F882E
Router(config-pubkey)# 64CE69D4 B583748A 241BED0F 6E7F2F16
Router(config-pubkey)# 0DE0986E DF02031F 4B0B0912 F68200C4
Router(config-pubkey)# C625C389 0BFF3321 A2598935 C1B1
Router(config-pubkey)# quit
Router(config-pubkey-key)# exit
Router(config-pubkey-chain)# exit
Router(config)#

Command Name: authentication (IKE policy)
Mode: router(config-isakmp)#
Syntax: authentication {rsa-sig | rsa-encr | pre-share}
no authentication
Syntax Description:
rsa-sig      Specifies RSA signatures as the authentication method.
rsa-encr     Specifies RSA encrypted nonces as the authentication method.
pre-share    Specifies preshared keys as the authentication method.
Command Description: To specify the authentication method within an Internet Key Exchange policy, use the authentication ISAKMP policy configuration command. IKE policies define a set of parameters to be used during IKE negotiation. To reset the authentication method to the default value, use the no form of this command.
Usage Guidelines: Use this command to specify the authentication method to be used in an IKE policy. If you specify RSA signatures, you must configure your peer routers to obtain certificates from a certification authority (CA). If you specify RSA encrypted nonces, you must ensure that each peer has the other peer's RSA public keys. (See the crypto key pubkey-chain rsa, addressed-key, named-key, and address commands.) If you specify preshared keys, you must also separately configure these preshared keys. (See the crypto isakmp identity and crypto isakmp key commands.)
Example:
router(config-isakmp)#authentication pre-share
Misconceptions: none
Related commands: crypto isakmp key, crypto isakmp policy, crypto key generate rsa (IKE), encryption (IKE policy), group (IKE policy), hash (IKE policy), lifetime (IKE policy), show crypto isakmp policy
Sample Configurations:
!
crypto isakmp policy 15
 authentication pre-share
 exit
!

Command Name: clear crypto isakmp
Mode: router#
Syntax: clear crypto isakmp [connection-id]
Syntax Description:
connection-id    (Optional) Specifies which connection to clear. If this argument is not used, all existing connections will be cleared.
Command Description: To clear active Internet Key Exchange connections, use the clear crypto isakmp privileged EXEC command.
Example:
router#clear crypto isakmp
Misconceptions: none
Related commands: show crypto isakmp sa
Sample Configurations:

Command Name: crypto isakmp client configuration address-pool local
Mode: router(config)#
Syntax: crypto isakmp client configuration address-pool local pool-name
no crypto isakmp client configuration address-pool local
Syntax Description:
pool-name    Specifies the name of a local address pool.
Command Description: To configure the IP address local pool to reference Internet Key Exchange on your router, use the crypto isakmp client configuration address-pool local global configuration command. To restore the default value, use the no form of this command.
Example: The following example references IP address local pools to IKE on your router, with "ire" as the pool-name:
router(config)#crypto isakmp client configuration address-pool local ire
Misconceptions: IP address local pools do not reference IKE.
Related commands: ip local pool
Sample Configurations:
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp client configuration address-pool local mypool
!

Command Name: crypto isakmp enable
Mode: router(config)#
Syntax: crypto isakmp enable
no crypto isakmp enable
Syntax Description: This command has no arguments or keywords.
Command Description: To globally enable Internet Key Exchange at your peer router, use the crypto isakmp enable global configuration command. To disable IKE at the peer, use the no form of this command.
Usage Guidelines: IKE is enabled by default. IKE does not have to be enabled for individual interfaces, but is enabled globally for all interfaces at the router. If you do not want IKE to be used in your IPSec implementation, you can disable IKE at all your IP Security peers. If you disable IKE at one peer, you must disable it at all your IPSec peers. If you disable IKE, you will have to make these concessions at the peers:
- You must manually specify all the IPSec security associations (SAs) in the crypto maps at the peers.
- The IPSec SAs of the peers will never time out for a given IPSec session.
- During IPSec sessions between the peers, the encryption keys will never change.
- Anti-replay services will not be available between the peers.
- Certification authority (CA) support cannot be used.
Example: The following example disables IKE at one peer. (The same command should be issued at all remote peers.)
router(config)#no crypto isakmp enable
Misconceptions: none
Related commands: none
Sample Configurations:

Command Name: crypto isakmp identity
Mode: router(config)#
Syntax: crypto isakmp identity {address | hostname}
no crypto isakmp identity
Syntax Description:
address     Sets the ISAKMP identity to the IP address of the interface that is used to communicate to the remote peer during IKE negotiations.
hostname    Sets the ISAKMP identity to the host name concatenated with the domain name (for example, myhost.example.com).
Command Description: To define the identity used by the router when participating in the Internet Key Exchange protocol, use the crypto isakmp identity global configuration command. Set an Internet Security Association Key Management Protocol identity whenever you specify preshared keys. To reset the ISAKMP identity to the default value (address), use the no form of this command.
Usage Guidelines: Use this command to specify an ISAKMP identity either by IP address or by host name. The address keyword is typically used when there is only one interface (and therefore only one IP address) that will be used by the peer for IKE negotiations, and the IP address is known. The hostname keyword should be used if there is more than one interface on the peer that might be used for IKE negotiations, or if the interface's IP address is unknown (such as with dynamically assigned IP addresses). As a general rule, you should set all peers' identities in the same way, either by IP address or by host name.
Example:
router(config)#crypto isakmp identity address
Misconceptions: none
Related commands: authentication (IKE policy), crypto isakmp key
Sample Configurations:
!
crypto isakmp policy 3
 hash md5
 authentication pre-share
 group 2
crypto isakmp identity hostname
!

Command Name: crypto isakmp key
Mode: router(config)#
Syntax: crypto isakmp key keystring address peer-address [mask]
crypto isakmp key keystring hostname peer-hostname
no crypto isakmp key keystring address peer-address
no crypto isakmp key keystring hostname peer-hostname
Syntax Description:
address          Use this keyword if the remote peer Internet Security Association Key Management Protocol identity was set with its IP address.
hostname         Use this keyword if the remote peer ISAKMP identity was set with its hostname.
keystring        Specify the preshared key. Use any combination of alphanumeric characters up to 128 bytes. This preshared key must be identical at both peers.
peer-address     Specify the IP address of the remote peer.
peer-hostname    Specify the host name of the remote peer. This is the peer's host name concatenated with its domain name (for example, myhost.example.com).
mask             (Optional) Specify the subnet address of the remote peer. (The argument can be used only if the remote peer ISAKMP identity was set with its IP address.)
Command Description: To configure a preshared authentication key, use the crypto isakmp key global configuration command. You must configure this key whenever you specify preshared keys in an Internet Key Exchange policy. To delete a preshared authentication key, use the no form of this command.
Usage Guidelines: Use this command to configure preshared authentication keys. You must perform this command at both peers. If an IKE policy includes preshared keys as the authentication method, these preshared keys must be configured at both peers; otherwise the policy cannot be used (the policy will not be submitted for matching by the IKE process). The crypto isakmp key command is the second task required to configure the preshared keys at the peers. (The first task is accomplished with the crypto isakmp identity command.) Use the address keyword if the remote peer ISAKMP identity was set with its IP address. Use the hostname keyword if the remote ISAKMP identity was set with its host name. With the address keyword, you can also use the mask argument to indicate the remote peer ISAKMP identity will be established using the preshared key only. If the mask argument is used, preshared keys are no longer restricted between two users.
Note: If you specify mask, you must use a subnet address. (The subnet address 0.0.0.0 is not recommended because it encourages group preshared keys, which allow all peers to have the same group key, thereby reducing the security of your user authentication.)
With the hostname keyword, you might also have to map the host name of the remote peer to all IP addresses of the remote peer interfaces that could be used during the IKE negotiation. (This is done with the ip host command.) You must map the host name to IP address unless this mapping is already done in a Domain Name System (DNS) server.
Example: In the following example, the remote peer "RemoteRouter" specifies an ISAKMP identity by address:
router(config)#crypto isakmp identity address
In the following example, the local peer "LocalRouter" also specifies an ISAKMP identity, but by host name:
router(config)#crypto isakmp identity hostname
Now, the preshared key must be specified at each peer. In the following example, the local peer specifies the preshared key and designates the remote peer by its IP address and a mask:
router(config)#crypto isakmp key sharedkeystring address 172.21.230.33 255.255.255.255
In the following example, the remote peer specifies the same preshared key and designates the local peer by its host name:
router(config)#crypto isakmp key sharedkeystring hostname LocalRouter.example.com
The remote peer also maps multiple IP addresses to the same host name for the local peer because the local peer has two interfaces which both might be used during an IKE negotiation with the local peer. These two interfaces' IP addresses (10.0.0.1 and 10.0.0.2) are both mapped to the remote peer's host name.
router(config)#ip host LocalRouter.example.com 10.0.0.1 10.0.0.2
(This mapping would not have been necessary if LocalRouter.example.com was already mapped in DNS.) In this example, a remote peer specifies its ISAKMP identity by address, and the local peer specifies its ISAKMP identity by host name. Depending on the circumstances in your network, both peers could specify their ISAKMP identity by address, or both by host name.
Misconceptions: none
Related commands: authentication (IKE policy), crypto isakmp identity, ip host
Sample Configurations:
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key mysecretkey address 0.0.0.0 0.0.0.0
!

Command Name: crypto isakmp policy
Mode: router(config)#
Syntax: crypto isakmp policy priority
no crypto isakmp policy
Syntax Description:
priority    Uniquely identifies the IKE policy and assigns a priority to the policy. Use an integer from 1 to 10,000, with 1 being the highest priority and 10,000 the lowest.
Command Description: To define an Internet Key Exchange policy, use the crypto isakmp policy global configuration command. IKE policies define a set of parameters to be used during the IKE negotiation. To delete an IKE policy, use the no form of this command.
Usage Guidelines: Use this command to specify the parameters to be used during an IKE negotiation. (These parameters are used to create the IKE security association [SA].) This command invokes the Internet Security Association Key Management Protocol policy configuration (config-isakmp) command mode. While in the ISAKMP policy configuration command mode, the following commands are available to specify the parameters in the policy:
- encryption (IKE policy); default = 56-bit DES-CBC
- hash (IKE policy); default = SHA-1
- authentication (IKE policy); default = RSA signatures
- group (IKE policy); default = 768-bit Diffie-Hellman
- lifetime (IKE policy); default = 86,400 seconds (one day)
If you do not specify one of these commands for a policy, the default value will be used for that parameter. To exit the config-isakmp command mode, type exit. You can configure multiple IKE policies on each peer participating in IPSec. When the IKE negotiation begins, it tries to find a common policy configured on both peers, starting with the highest priority policies as specified on the remote peer.
Example:
router(config)#crypto isakmp policy 15
Misconceptions: none
Related commands: authentication (IKE policy), encryption (IKE policy), group (IKE policy), hash (IKE policy), lifetime (IKE policy), show crypto isakmp policy
Sample Configurations:
crypto isakmp policy 15
 hash md5
 authentication rsa-sig
 group 2
 lifetime 5000
crypto isakmp policy 20
 authentication pre-share
 lifetime 10000

Command Name: crypto key generate rsa (IKE)
Mode: router(config)#
Syntax: crypto key generate rsa [usage-keys]
Syntax Description:
usage-keys    (Optional) Specifies that two RSA special-usage key pairs should be generated (that is, one encryption pair and one signature pair), instead of one general-purpose key pair.
Command Description: To generate RSA key pairs, use the crypto key generate rsa global configuration command.
Usage Guidelines: Use this command to generate RSA key pairs for your Cisco device (such as a router). RSA keys are generated in pairs: one public RSA key and one private RSA key. If your router already has RSA keys when you issue this command, you will be warned and prompted to replace the existing keys with new keys.
Note: Before issuing this command, make sure your router has a host name and IP domain name configured (with the hostname and ip domain-name commands). You will be unable to complete the crypto key generate rsa command without a host name and IP domain name.
This command is not saved in the router configuration; however, the keys generated by this command are saved in the private configuration in NVRAM (which is never displayed to the user or backed up to another device). There are two mutually exclusive types of RSA key pairs: special-usage keys and general-purpose keys. When you generate RSA key pairs, you can indicate whether to generate special-usage keys or general-purpose keys.
Special-Usage Keys: If you generate special-usage keys, two pairs of RSA keys will be generated. One pair will be used with any Internet Key Exchange policy that specifies RSA signatures as the authentication method, and the other pair will be used with any IKE policy that specifies RSA encrypted nonces as the authentication method. If you plan to have both types of RSA authentication methods in your IKE policies, you might prefer to generate special-usage keys. With special-usage keys, each key is not unnecessarily exposed. (Without special-usage keys, one key is used for both authentication methods, increasing that key's exposure.)
General-Purpose Keys: If you generate general-purpose keys, only one pair of RSA keys will be generated. This pair will be used with IKE policies specifying either RSA signatures or RSA encrypted nonces. Therefore, a general-purpose key pair might get used more frequently than a special-usage key pair.
Example: The following example generates special-usage RSA keys:
router(config)# crypto key generate rsa usage-keys
The name for the keys will be: myrouter.example.com
Choose the size of the key modulus in the range of 360 to 2048 for your Signature Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus[512]? <return>
Generating RSA keys.... [OK].
Choose the size of the key modulus in the range of 360 to 2048 for your Encryption Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus[512]? <return>
Generating RSA keys.... [OK].
Router(config)#
Note: You cannot generate both special-usage and general-purpose keys; you can only generate one or the other.
The following example generates general-purpose RSA keys:
router(config)# crypto key generate rsa
The name for the keys will be: myrouter.example.com
Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus[512]? <return>
Generating RSA keys.... [OK].
router(config)#
Misconceptions: You cannot generate both special-usage and general-purpose keys; you can only generate one or the other.
Related commands: debug crypto engine, show crypto key mypubkey rsa
Sample Configurations:

Command Name: crypto key pubkey-chain rsa
Mode: router(config)#
Syntax: crypto key pubkey-chain rsa
Syntax Description: This command has no arguments or keywords.
Command Description: To enter public key configuration mode (so you can manually specify other devices' RSA public keys), use the crypto key pubkey-chain rsa global configuration command.
Usage Guidelines: Use this command to enter public key chain configuration mode. Use this command when you need to manually specify other IPSec peers' RSA public keys. You need to specify other peers' keys when you configure RSA encrypted nonces as the authentication method in an Internet Key Exchange policy at your peer router.
Example:
router(config)# crypto key pubkey-chain rsa
Misconceptions: none
Related commands: address, addressed-key, key-string (IKE), named-key, show crypto key pubkey-chain rsa
Sample Configurations: The following example specifies the RSA public keys of two other IPSec peers. The remote peers use their IP address as their identity.
Router(config)# crypto key pubkey-chain rsa
Router(config-pubkey-chain)# addressed-key 10.5.5.1
Router(config-pubkey-key)# key-string
Router(config-pubkey)# 00302017 4A7D385B 1234EF29 335FC973
Router(config-pubkey)# 2DD50A37 C4F4B0FD 9DADE748 429618D5
Router(config-pubkey)# 18242BA3 2EDFBDD3 4296142A DDF7D3D8
Router(config-pubkey)# 08407685 2F2190A0 0B43F1BD 9A8A26DB
Router(config-pubkey)# 07953829 791FCDE9 A98420F0 6A82045B
Router(config-pubkey)# 90288A26 DBC64468 7789F76E EE21
Router(config-pubkey)# quit
Router(config-pubkey-key)# exit
Router(config-pubkey-chain)# addressed-key 10.1.1.2
Router(config-pubkey-key)# key-string
Router(config-pubkey)# 0738BC7A 2BC3E9F0 679B00FE 53987BCC
Router(config-pubkey)# 01030201 42DD06AF E228D24C 458AD228
Router(config-pubkey)# 58BB5DDD F4836401 2A2D7163 219F882E
Router(config-pubkey)# 64CE69D4 B583748A 241BED0F 6E7F2F16
Router(config-pubkey)# 0DE0986E DF02031F 4B0B0912 F68200C4
Router(config-pubkey)# C625C389 0BFF3321 A2598935 C1B1
Router(config-pubkey)# quit
Router(config-pubkey-key)# exit
Router(config-pubkey-chain)# exit
Router(config)#

Command Name: crypto map client authentication list
Mode: router(config)#
Syntax: crypto map map-name client authentication list list-name
no crypto map map-name client authentication list list-name
Syntax Description:
map-name     The name you assign to the crypto map set.
list-name    Character string used to name the list of authentication methods activated when a user logs in. The list-name must match the list-name defined during AAA configuration.
Command Description: To configure Internet Key Exchange extended authentication (Xauth) on your router, use the crypto map client authentication list global configuration command. To restore the default value, use the no form of this command.
Usage Guidelines: Before configuring Xauth, you should complete the following tasks:
- Set up an authentication list using AAA commands
- Configure an IP Security transform
- Configure a crypto map
- Configure Internet Security Association Key Management Protocol policy
After enabling Xauth, you should apply the crypto map on which Xauth is configured to the router interface.
Example: The following example configures user authentication (a list of authentication methods called xauthlist) on an existing static crypto map called xauthmap:
router(config)#crypto map xauthmap client authentication list xauthlist
The following example configures user authentication (a list of authentication methods called xauthlist) on a dynamic crypto map called xauthdynamic that has been applied to a static crypto map called xauthmap:
router(config)#crypto map xauthmap client authentication list xauthlist
router(config)#crypto map xauthmap 10 ipsec-isakmp dynamic xauthdynamic
Misconceptions: none
Related commands: aaa authentication login, crypto ipsec transform-set, crypto isakmp key, crypto isakmp policy, crypto map (global configuration), interface
Sample Configurations:

Command Name: crypto map client configuration address
Mode: router(config)#
Syntax: crypto map tag client configuration address [initiate | respond]
no crypto map tag client configuration address
Syntax Description:
tag         The name that identifies the crypto map.
initiate    (Optional) A keyword that indicates the router will attempt to set IP addresses for each peer.
respond     (Optional) A keyword that indicates the router will accept requests for IP addresses from any requesting peer.
Command Description: To configure IKE Mode Configuration on your router, use the crypto map client configuration address global configuration command. To disable IKE Mode Configuration, use the no form of this command.
Usage Guidelines: At the time of this publication, this feature is an IETF draft with limited support. Therefore this feature was not designed to enable the configuration mode for every IKE connection by default.
Example: The following examples configure IKE Mode Configuration on your router:
router(config)#crypto map dyn client configuration address initiate
router(config)#crypto map dyn client configuration address respond
Misconceptions: none
Related commands: crypto map (global)
Sample Configurations:

Command Name: crypto map isakmp authorization list
Mode: router(config)#
Syntax: crypto map map-name isakmp authorization list list-name
no crypto map map-name isakmp authorization list list-name
Syntax Description:
map-name     Name you assign to the crypto map set.
list-name    Character string used to name the list of authorization methods activated when a user logs in. The list name must match the list name defined during AAA configuration.
Command Description: To enable Internet Key Exchange (IKE) querying of authentication, authorization, and accounting (AAA) for tunnel attributes in aggressive mode, use the crypto map isakmp authorization list global configuration command. To restore the default value, use the no form of this command.
Usage Guidelines: Use the crypto map client authorization list command to enable key lookup from a AAA server. Preshared keys deployed in a large-scale Virtual Private Network (VPN) without a certification authority, with dynamic IP addresses, are accessed during aggressive mode of IKE negotiation through a AAA server. Thus, users have their own key, which is stored on an external AAA server. This allows for central management of the user database, linking it to an existing database, in addition to allowing every user to have their own unique, more secure pre-shared key. Before configuring the crypto map client authorization list command, you should perform the following tasks:
- Set up an authorization list using AAA commands.
- Configure an IPSec transform.
- Configure a crypto map.
- Configure an Internet Security Association Key Management Protocol policy using IPSec and IKE commands.
After enabling the crypto map client authorization list command, you should apply the previously defined crypto map to the interface.
Example: The following example shows how to configure the crypto map client authorization list command:
router(config)#crypto map ikessaaamap isakmp authorization list ikessaaalist
router(config)#crypto map ikessaaamap 10 ipsec-isakmp dynamic ikessaaadyn
Misconceptions: none
Related commands: aaa authorization, crypto ipsec transform-set, crypto map (global configuration), crypto isakmp policy, crypto isakmp key, interface
Sample Configurations:

Command Name: encryption (IKE policy)
Mode: router(config-isakmp)#
Syntax: encryption {des | 3des}
no encryption
Syntax Description:
des     Specifies 56-bit DES-CBC as the encryption algorithm.
3des    Specifies 168-bit DES (3DES) as the encryption algorithm.
Command Description: To specify the encryption algorithm within an Internet Key Exchange policy, use the encryption ISAKMP policy configuration command. IKE policies define a set of parameters to be used during IKE negotiation. To reset the encryption algorithm to the default value, use the no form of this command.
Example:
router(config-isakmp)# encryption 3des
Misconceptions: none
Related commands: authentication (IKE policy), crypto isakmp policy, group (IKE policy), hash (IKE policy), lifetime (IKE policy), show crypto isakmp policy
Sample Configurations:
crypto isakmp policy
 encryption 3des
 exit

Command Name: group (IKE policy)
Mode: router(config-isakmp)#
Syntax: group {1 | 2}
no group
Syntax Description:
1    Specifies the 768-bit Diffie-Hellman group.
2    Specifies the 1024-bit Diffie-Hellman group.
Command Description: To specify the Diffie-Hellman group identifier within an Internet Key Exchange policy, use the group ISAKMP policy configuration command. IKE policies define a set of parameters to be used during IKE negotiation. To reset the Diffie-Hellman group identifier to the default value, use the no form of this command.
Example:
router(config-isakmp)#group 2
Misconceptions: none
Related commands: authentication (IKE policy), crypto isakmp policy, encryption (IKE policy), hash (IKE policy), lifetime (IKE policy), show crypto isakmp policy
Sample Configurations:
crypto isakmp policy 15
 group 2
 exit

Command Name: hash (IKE policy)
Mode: router(config-isakmp)#
Syntax: hash {sha | md5}
no hash
Syntax Description:
sha    Specifies SHA-1 (HMAC variant) as the hash algorithm.
md5    Specifies MD5 (HMAC variant) as the hash algorithm.
Command Description: To specify the hash algorithm within an Internet Key Exchange policy, use the hash ISAKMP policy configuration command. IKE policies define a set of parameters to be used during IKE negotiation. To reset the hash algorithm to the default SHA-1 hash algorithm, use the no form of this command.
Example:
router(config-isakmp)#hash md5
Misconceptions: none
Related commands: authentication (IKE policy), crypto isakmp policy, encryption (IKE policy), group (IKE policy), lifetime (IKE policy), show crypto isakmp policy
Sample Configurations:
crypto isakmp policy 15
 hash md5
 exit

Command Name: key-string (IKE)
Mode: router(config-pubkey-key)#
Syntax: key-string key-string
Syntax Description:
key-string    Enter the key in hexadecimal format. While entering the key data you can press Return to continue entering data.
Command Description: To manually specify a remote peer's RSA public key, use the key-string public key configuration command.
Usage Guidelines: Use this command to manually specify the RSA public key of an IP Security peer. Before using this command, you must identify the remote peer using either the addressed-key or named-key command. If possible, to avoid mistakes, you should cut and paste the key data (instead of attempting to type in the data). To complete the command, you must return to the global configuration mode by typing quit at the config-pubkey prompt.
Example:
router(config-pubkey-key)# key-string
Misconceptions: none
Related commands: addressed-key, crypto key pubkey-chain rsa, named-key, show crypto key pubkey-chain rsa
Sample Configurations:
Router(config)# crypto key pubkey-chain rsa
Router(config-pubkey-chain)# named-key otherpeer.example.com
Router(config-pubkey-key)# address 10.5.5.1
Router(config-pubkey-key)# key-string
Router(config-pubkey)# 005C300D 06092A86 4886F70D 01010105
Router(config-pubkey)# 00034B00 30480241 00C5E23B 55D6AB22
Router(config-pubkey)# 04AEF1BA A54028A6 9ACC01C5 129D99E4
Router(config-pubkey)# 64CAB820 847EDAD9 DF0B4E4C 73A05DD2
Router(config-pubkey)# BD62A8A9 FA603DD2 E2A8A6F8 98F76E28
Router(config-pubkey)# D58AD221 B583D7A4 71020301 0001
Router(config-pubkey)# quit
Router(config-pubkey-key)# exit
Router(config-pubkey-chain)# exit
Router(config)#
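The key-string entry above advises pasting the hex data rather than typing it. As an added example (not code from the page or from Cisco), the following minimal DER walker checks that pasted key-string words form a well-formed RSA SubjectPublicKeyInfo and reports the modulus size, so a truncated or mistyped key is caught before the peer fails to authenticate; the function names and the 512-bit sample key are this example's own.

```python
"""Sanity check for RSA public key data entered with key-string.  Added
example, not Cisco code.  It walks the DER structure a key-string carries:
SEQUENCE { AlgorithmIdentifier rsaEncryption, BIT STRING { SEQUENCE {
modulus INTEGER, exponent INTEGER } } } and reports the modulus size, so a
truncated or mistyped paste is rejected before it reaches a router."""
from typing import Tuple

# AlgorithmIdentifier contents for rsaEncryption: OID 1.2.840.113549.1.1.1 + NULL
RSA_ENCRYPTION = bytes.fromhex("06092A864886F70D0101010500")


def _tlv(buf: bytes, pos: int) -> Tuple[int, int, int]:
    """Decode one DER tag and length at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError(f"key data ends inside a DER header at offset {pos}")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError(f"DER length at offset {pos} runs past the end of the key data")
    return tag, pos, end


def _expect(buf: bytes, pos: int, tag: int) -> Tuple[int, int]:
    """Like _tlv but require a specific tag; return (value_start, value_end)."""
    found, start, end = _tlv(buf, pos)
    if found != tag:
        raise ValueError(f"expected tag 0x{tag:02X} at offset {pos}, got 0x{found:02X}")
    return start, end


def parse_key_string(words: str) -> Tuple[int, int]:
    """Return (modulus bits, public exponent) for hex words in key-string format."""
    data = bytes.fromhex("".join(words.split()))
    spki_start, spki_end = _expect(data, 0, 0x30)             # SubjectPublicKeyInfo
    if spki_end != len(data):
        raise ValueError("trailing bytes after the key")
    alg_start, alg_end = _expect(data, spki_start, 0x30)      # AlgorithmIdentifier
    if data[alg_start:alg_end] != RSA_ENCRYPTION:
        raise ValueError("algorithm is not rsaEncryption")
    bits_start, bits_end = _expect(data, alg_end, 0x03)       # BIT STRING
    if data[bits_start] != 0:                                 # no unused bits
        raise ValueError("unexpected unused-bits byte in BIT STRING")
    seq_start, seq_end = _expect(data, bits_start + 1, 0x30)  # RSAPublicKey
    n_start, n_end = _expect(data, seq_start, 0x02)           # modulus
    e_start, e_end = _expect(data, n_end, 0x02)               # public exponent
    if e_end != seq_end or seq_end != bits_end:
        raise ValueError("RSAPublicKey does not fill its enclosing structures")
    modulus = int.from_bytes(data[n_start:n_end], "big")
    exponent = int.from_bytes(data[e_start:e_end], "big")
    return modulus.bit_length(), exponent


def is_valid_key_string(words: str) -> bool:
    """True when the pasted words parse as an RSA SubjectPublicKeyInfo."""
    try:
        parse_key_string(words)
        return True
    except ValueError:
        return False


# Constructed sample: a 512-bit key in the four-words-per-line layout the
# page's samples use (constructed for this example, not a real peer's key).
SAMPLE_KEY_STRING = """
305C300D 06092A86 4886F70D 01010105
00034B00 30480241 00C5E23B 55D6AB22
04AEF1BA A54028A6 9ACC01C5 129D99E4
64CAB820 847EDAD9 DF0B4E4C 73A05DD2
BD62A8A9 FA603DD2 E2A8A6F8 98F76E28
D58AD221 B583D7A4 71020301 0001
"""

if __name__ == "__main__":
    print(parse_key_string(SAMPLE_KEY_STRING))                 # (512, 65537)
    # Simulate losing the last line in the paste: the outer length no longer fits.
    print(is_valid_key_string(SAMPLE_KEY_STRING.replace("71020301 0001", "")))
```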

Command Name: Mode: Syntax: lifetime seconds no lifetime Syntax Description:


seconds

lifetime (IKE policy) router(config-isakmp)#

Number of many seconds for each each SA should exist before expiring. Use an integer from 60 to 86,400 seconds.

Command Description: To specify the lifetime of an Internet Key Exchange security association (SA), use the lifetime Internet Security Association Key Management Protocol policy configuration command. To reset the SA lifetime to the default value, use the no form of this command. Usage Guidelines Use this command to specify how long an IKE SA exists before expiring. When IKE begins negotiations, the first thing it does is agree upon the security parameters for its own session. The agreed-upon parameters are then referenced by an SA at each peer. The SA is retained by each peer until the SA's lifetime expires. Before an SA expires, it can be reused by subsequent IKE negotiations, which can save time when setting up new IPSec SAs. Before an SA expires, it can be reused by subsequent IKE negotiations, which can save time when setting up new IPSec SAs. New IPSec SAs are negotiated before current IPSec SAs expire. So, to save setup time for IPSec, configure a longer IKE SA lifetime. However, shorter lifetimes limit the exposure to attackers of this SA. The longer an SA is used, the more encrypted traffic can be gathered by an attacker and possibly used in an attack. Note that when your local peer initiates an IKE negotiation between itself and a remote peer, an IKE policy can be selected only if the lifetime of the remote peer's policy is longer than or equal to the lifetime of the local peer's policy. Then, if the lifetimes are not equal, the shorter lifetime will be selected. To restate this behavior: If the two peer's policies' lifetimes are not the same, the initiating peer's lifetime must be shorter and the responding peer's lifetime must be longer, and the shorter lifetime will be used. Example: router(config-isakmp)#lifetime 600

Misconceptions: none
Related commands:
authentication (IKE policy)
crypto isakmp policy
encryption (IKE policy)
group (IKE policy)
hash (IKE policy)
show crypto isakmp policy
Sample Configurations:
crypto isakmp policy 15
 lifetime 600
 exit
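As an added illustration (not code from the Cisco reference), the policy-selection rule above simulated in Python: the policy fields follow the columns of show crypto isakmp policy, and the policy lists are constructed, with LOCAL mirroring the two protection suites printed later in this section and the REMOTE lists invented.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

LIFETIME_MIN, LIFETIME_MAX, LIFETIME_DEFAULT = 60, 86400, 86400


@dataclass(frozen=True)
class IkePolicy:
    """One 'crypto isakmp policy' entry, fields as printed by
    'show crypto isakmp policy'."""
    priority: int        # lower number is tried first
    encryption: str      # e.g. "des"
    hash_alg: str        # "md5" or "sha"
    authentication: str  # "pre-share", "rsa-sig" or "rsa-encr"
    group: int           # Diffie-Hellman group number
    lifetime: int = LIFETIME_DEFAULT  # seconds; 'no lifetime' restores this

    def suite(self) -> Tuple[str, str, str, int]:
        """Parameters that must match exactly (everything except lifetime)."""
        return (self.encryption, self.hash_alg, self.authentication, self.group)


def check_lifetime(seconds: int) -> int:
    """Enforce the 60..86,400 second range accepted by the 'lifetime' command."""
    if not LIFETIME_MIN <= seconds <= LIFETIME_MAX:
        raise ValueError(f"lifetime {seconds} outside {LIFETIME_MIN}..{LIFETIME_MAX}")
    return seconds


def select_policy(initiator: List[IkePolicy], responder: List[IkePolicy]
                  ) -> Optional[Tuple[IkePolicy, IkePolicy, int]]:
    """Walk both lists in priority order and return the first pair whose
    suites match and whose lifetimes satisfy the rule from the text: the
    initiator's lifetime must be shorter than or equal to the responder's,
    and the shorter of the two is the one used.  None means no policy
    could be selected."""
    for mine in sorted(initiator, key=lambda p: p.priority):
        for theirs in sorted(responder, key=lambda p: p.priority):
            if mine.suite() != theirs.suite():
                continue
            if mine.lifetime > theirs.lifetime:
                continue  # suite matches, but our lifetime is the longer one
            return mine, theirs, min(mine.lifetime, theirs.lifetime)
    return None


# Constructed sample data.  LOCAL copies the two protection suites shown in the
# 'show crypto isakmp policy' output on this page; the REMOTE lists are invented.
LOCAL = [
    IkePolicy(15, "des", "md5", "rsa-sig", 2, check_lifetime(5000)),
    IkePolicy(20, "des", "sha", "pre-share", 1, check_lifetime(10000)),
]
REMOTE_LONGER = [IkePolicy(10, "des", "md5", "rsa-sig", 2)]        # default 86400 s
REMOTE_SHORTER = [IkePolicy(10, "des", "md5", "rsa-sig", 2, 600)]  # shorter than ours


if __name__ == "__main__":
    print(select_policy(LOCAL, REMOTE_LONGER))   # policy 15 selected, lifetime 5000
    print(select_policy(LOCAL, REMOTE_SHORTER))  # None: 5000 > 600 on the only match
    print(select_policy(REMOTE_SHORTER, LOCAL))  # selected if the other side initiates
```

The second call shows the asymmetry the text describes: the same two policies negotiate successfully only when the peer with the shorter lifetime is the initiator.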

Command Name: named-key
Mode: router(config-pubkey-chain)#
Syntax: named-key key-name [encryption | signature]
Syntax Description:

key-name    Specifies the name of the remote peer's RSA keys. This is always the fully qualified domain name of the remote peer; for example, router.example.com.

encryption  (Optional) Indicates that the RSA public key to be specified will be an encryption special-usage key.

signature   (Optional) Indicates that the RSA public key to be specified will be a signature special-usage key.

Command Description: To specify which peer's RSA public key you will manually configure, use the named-key public key chain configuration command. This command should only be used when the router has a single interface that processes IP Security.

Usage Guidelines
Use this command or the addressed-key command to specify which IPSec peer's RSA public key you will manually configure next. Follow this command with the key-string command to specify the key. If you use the named-key command, you also need to use the address public key configuration command to specify the IP address of the peer. If the IPSec remote peer generated general purpose RSA keys, do not use the encryption or signature keyword. If the IPSec remote peer generated special usage keys, you must manually specify both keys: perform this command and the key-string command twice and use the encryption and signature keywords in turn.

Example:

router(config-pubkey-chain)#named-key otherpeer.example.com
Misconceptions: none
Related commands:
address
addressed-key
crypto key pubkey-chain rsa
key-string (IKE)
show crypto key pubkey-chain rsa
Sample Configurations:
crypto key pubkey-chain rsa
 named-key otherpeer.example.com
  address 10.5.5.1
  key-string
   005C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C5E23B 55D6AB22 04AEF1BA A54028A6 9ACC01C5 129D99E4 64CAB820 847EDAD9 DF0B4E4C 73A05DD2 BD62A8A9 FA603DD2 E2A8A6F8 98F76E28 D58AD221 B583D7A4 71020301 0001
   quit
  exit
 addressed-key 10.1.1.2 encryption
  key-string
   00302017 4A7D385B 1234EF29 335FC973 2DD50A37 C4F4B0FD 9DADE748 429618D5 18242BA3 2EDFBDD3 4296142A DDF7D3D8 08407685 2F2190A0 0B43F1BD 9A8A26DB 07953829 791FCDE9 A98420F0 6A82045B 90288A26 DBC64468 7789F76E EE21
   quit
  exit
 addressed-key 10.1.1.2 signature
  key-string
   0738BC7A 2BC3E9F0 679B00FE 098533AB 01030201 42DD06AF E228D24C 458AD228 58BB5DDD F4836401 2A2D7163 219F882E 64CE69D4 B583748A 241BED0F 6E7F2F16 0DE0986E DF02031F 4B0B0912 F68200C4 C625C389 0BFF3321 A2598935 C1B1
   quit
  exit

Command Name: show crypto isakmp policy
Mode: router#
Syntax: show crypto isakmp policy
Syntax Description: This command has no arguments or keywords.
Command Description: To view the parameters for each Internet Key Exchange policy, use the show crypto isakmp policy privileged EXEC command.
Example: router# show crypto isakmp policy
Misconceptions: none
Related commands:
authentication (IKE policy)
crypto isakmp policy
encryption (IKE policy)
group (IKE policy)
hash (IKE policy)
lifetime (IKE policy)
Sample Configurations:
router# show crypto isakmp policy
Protection suite priority 15
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys)
        hash algorithm:         Message Digest 5
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman Group:   #2 (1024 bit)
        lifetime:               5000 seconds, no volume limit
Protection suite priority 20
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys)
        hash algorithm:         Secure Hash Standard
        authentication method:  preshared Key
        Diffie-Hellman Group:   #1 (768 bit)
        lifetime:               10000 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys)
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman Group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

Command Name: show crypto isakmp sa
Mode: router#
Syntax: show crypto isakmp sa
Syntax Description: This command has no arguments or keywords.
Command Description: To view all current Internet Key Exchange security associations (SAs) at a peer, use the show crypto isakmp sa privileged EXEC command.

Usage Guidelines
Listed below are the various states that may be displayed in the output of the show crypto isakmp sa command. When an Internet Security Association and Key Management Protocol SA exists, it will most likely be in its quiescent state (QM_IDLE). For long exchanges, some of the MM_xxx states may be observed.

States in Main Mode Exchange
State        Explanation
MM_NO_STATE  The ISAKMP SA has been created, but nothing else has happened yet. It is "larval" at this stage; there is no state.
MM_SA_SETUP  The peers have agreed on parameters for the ISAKMP SA.
MM_KEY_EXCH  The peers have exchanged Diffie-Hellman public keys and have generated a shared secret. The ISAKMP SA remains unauthenticated.
MM_KEY_AUTH  The ISAKMP SA has been authenticated. If the router initiated this exchange, this state transitions immediately to QM_IDLE, and a Quick Mode exchange begins.

States in Aggressive Mode Exchange
State         Explanation
AG_NO_STATE   The ISAKMP SA has been created, but nothing else has happened yet. It is "larval" at this stage; there is no state.
AG_INIT_EXCH  The peers have done the first exchange in Aggressive Mode, but the SA is not authenticated.
AG_AUTH       The ISAKMP SA has been authenticated. If the router initiated this exchange, this state transitions immediately to QM_IDLE, and a Quick Mode exchange begins.

States in Quick Mode Exchange
State    Explanation
QM_IDLE  The ISAKMP SA is idle. It remains authenticated with its peer and may be used for subsequent Quick Mode exchanges. It is in a quiescent state.

Example: router# show crypto isakmp sa
Misconceptions: none
Related commands:
crypto isakmp policy
lifetime (IKE policy)
Sample Configurations:
router# show crypto isakmp sa
dst             src             state    conn-id  slot
172.21.114.123  172.21.114.67   QM_IDLE  1        0
155.0.0.2       155.0.0.1       QM_IDLE  8        0

Command Name: show crypto key mypubkey rsa
Mode: router#
Syntax: show crypto key mypubkey rsa
Syntax Description: This command has no arguments or keywords.
Command Description: To view the RSA public keys of your router, use the show crypto key mypubkey rsa privileged EXEC command.
Example: router#show crypto key mypubkey rsa
Misconceptions: none
Related commands:
crypto key generate rsa (IKE)
Sample Configurations:
router#show crypto key mypubkey rsa
% Key pair was generated at: 06:07:49 UTC Jan 13 1996
Key name: myrouter.example.com
 Usage: Signature Key
 Key Data:
  005C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C5E23B 55D6AB22 04AEF1BA A54028A6 9ACC01C5 129D99E4 64CAB820 847EDAD9 DF0B4E4C 73A05DD2 BD62A8A9 FA603DD2 E2A8A6F8 98F76E28 D58AD221 B583D7A4 71020301 0001
% Key pair was generated at: 06:07:50 UTC Jan 13 1996
Key name: myrouter.example.com
 Usage: Encryption Key
 Key Data:
  00302017 4A7D385B 1234EF29 335FC973 2DD50A37 C4F4B0FD 9DADE748 429618D5 18242BA3 2EDFBDD3 4296142A DDF7D3D8 08407685 2F2190A0 0B43F1BD 9A8A26DB 07953829 791FCDE9 A98420F0 6A82045B 90288A26 DBC64468 7789F76E EE21

Command Name: show crypto key pubkey-chain rsa
Mode: router#
Syntax: show crypto key pubkey-chain rsa [name key-name | address key-address]
Syntax Description:

name key-name        (Optional) The name of a particular public key to view.

address key-address  (Optional) The address of a particular public key to view.

Command Description: To view peers' RSA public keys stored on your router, use the show crypto key pubkey-chain rsa privileged EXEC command.

Usage Guidelines
This command shows RSA public keys stored on your router. This includes peers' RSA public keys manually configured at your router and keys received by your router via other means (such as by a certificate, if certification authority support is configured). If a router reboots, any public key derived from certificates will be lost. This is because the router will ask for certificates again, at which time the public key will be derived again. Use the name or address keywords to display details about a particular RSA public key stored on your router. If no keywords are used, this command displays a list of all RSA public keys stored on your router.

Example:
router# show crypto key pubkey-chain rsa
router# show crypto key pubkey rsa name
router# show crypto key pubkey rsa address 192.168.10.3:

Misconceptions: none
Related commands: none
Sample Configurations:
The following is sample output from the show crypto key pubkey-chain rsa command:

router# show crypto key pubkey-chain rsa
Codes: M - Manually Configured, C - Extracted from certificate
Code Usage       IP-address    Name
M    Signature   10.0.0.1      myrouter.example.com
M    Encryption  10.0.0.1      myrouter.example.com
C    Signature   172.16.0.1    routerA.example.com
C    Encryption  172.16.0.1    routerA.example.com
C    General     192.168.10.3  routerB.domain1.com

The following is sample output when you issue the command show crypto key pubkey rsa name somerouter.example.com:

router# show crypto key pubkey rsa name
Key name: somerouter.example.com
Key address: 10.0.0.1
 Usage: Signature Key
 Source: Manual
 Data:
  305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C5E23B 55D6AB22 04AEF1BA A54028A6 9ACC01C5 129D99E4 64CAB820 847EDAD9 DF0B4E4C 73A05DD2 BD62A8A9 FA603DD2 E2A8A6F8 98F76E28 D58AD221 B583D7A4 71020301 0001
Key name: somerouter.example.com
Key address: 10.0.0.1
 Usage: Encryption Key
 Source: Manual
 Data:
  00302017 4A7D385B 1234EF29 335FC973 2DD50A37 C4F4B0FD 9DADE748 429618D5 18242BA3 2EDFBDD3 4296142A DDF7D3D8 08407685 2F2190A0 0B43F1BD 9A8A26DB 07953829 791FCDE9 A98420F0 6A82045B 90288A26 DBC64468 7789F76E EE21

The following is sample output when you issue the command show crypto key pubkey rsa address 192.168.10.3:

router# show crypto key pubkey rsa address 192.168.10.3:
Key name: routerB.example.com
Key address: 192.168.10.3
 Usage: General Purpose Key
 Source: Certificate
 Data:
  0738BC7A 2BC3E9F0 679B00FE 53987BCC 01030201 42DD06AF E228D24C 458AD228 58BB5DDD F4836401 2A2D7163 219F882E 64CE69D4 B583748A 241BED0F 6E7F2F16 0DE0986E DF02031F 4B0B0912 F68200C4 C625C389 0BFF3321 A2598935 C1B1

clear logging
To clear messages from the logging buffer, use the clear logging privileged EXEC command.

clear logging

Syntax Description
This command has no arguments or keywords.

Command Modes
Privileged EXEC

Examples
In the following example, the logging buffer is cleared:

Router# clear logging
Clear logging buffer [confirm]
Router#

Related Commands
Command           Description
logging buffered  Logs messages to an internal buffer.
show logging      Displays the state of logging (syslog).

logging buffered
To limit messages logged to an internal buffer based on severity, use the logging buffered global configuration command. To cancel the use of the buffer, use the no form of this command. The default form of this command returns the buffer size to the default size.

logging buffered [buffer-size | level]
no logging buffered
default logging buffered

Syntax Description
buffer-size  (Optional) Size of the buffer from 4096 to 4,294,967,295 bytes. The default size varies by platform.

level        (Optional) Limits the logging of messages to the buffer to a specified level. You can enter the level name or level number. See Table 55 for a list of the acceptable level name or level number keywords.

Defaults
For most platforms, the Cisco IOS software logs messages to the internal buffer.

Command Modes
Global configuration

Usage Guidelines
This command copies logging messages to an internal buffer. The buffer is circular in nature, so newer messages overwrite older messages after the buffer is filled. Specifying a level causes messages at that level and numerically lower levels to be logged in an internal buffer. See Table 55 for a list of level arguments.

Do not make the buffer size too large because the router could run out of memory for other tasks. You can use the show memory EXEC command to view the free processor memory on the router; however, this is the maximum available and should not be approached. The default logging buffered command resets the buffer size to the default for the platform.

To display the messages that are logged in the buffer, use the show logging EXEC command. The first message displayed is the oldest message in the buffer. The show logging EXEC command displays the addresses and levels associated with the current logging setup, and any other logging statistics.

Table 55 Error Message Logging Priorities and Corresponding Level Names/Numbers
Level Name     Level Number  Description                       Syslog Definition
emergencies    0             System unusable                   LOG_EMERG
alerts         1             Immediate action needed           LOG_ALERT
critical       2             Critical conditions               LOG_CRIT
errors         3             Error conditions                  LOG_ERR
warnings       4             Warning conditions                LOG_WARNING
notifications  5             Normal but significant condition  LOG_NOTICE
informational  6             Informational messages only       LOG_INFO
debugging      7             Debugging messages                LOG_DEBUG

Examples
In the following example, the user enables logging to an internal buffer:

logging buffered

Related Commands
Command        Description
clear logging  Clears messages from the logging buffer.
show logging   Displays the state of logging (syslog).

logging console
To limit messages logged to the console based on severity, use the logging console global configuration command. To disable logging to the console terminal, use the no form of this command.

logging console level
no logging console

Syntax Description
level Limits the logging of messages displayed on the console terminal to a specified level. You can enter the level number or level name. See Table 56 for a list of the level arguments.

Defaults
debugging

Command Modes
Global configuration

Usage Guidelines
Specifying a level causes messages at that level and numerically lower levels to be displayed at the console terminal. The show logging EXEC command displays the addresses and levels associated with the current logging setup, and any other logging statistics. See Table 56.

Table 56 Error Message Logging Priorities and Corresponding Level Names/Numbers
Level Arguments  Level  Description                       Syslog Definition
emergencies      0      System unusable                   LOG_EMERG
alerts           1      Immediate action needed           LOG_ALERT
critical         2      Critical conditions               LOG_CRIT
errors           3      Error conditions                  LOG_ERR
warnings         4      Warning conditions                LOG_WARNING
notifications    5      Normal but significant condition  LOG_NOTICE
informational    6      Informational messages only       LOG_INFO
debugging        7      Debugging messages                LOG_DEBUG

The effect of the log keyword with the IP access list (extended) interface configuration command depends on the setting of the logging console command. The log keyword takes effect only if the logging console level is set to 6 or 7. If you change the default to a level lower than 6 and specify the log keyword with the IP access list (extended) command, no information is logged or displayed.

Examples
In the following example, the user changes the level of messages displayed to the console terminal to alerts, which means alerts and emergencies are displayed:

logging console alerts

Related Commands
Command                Description
access-list (extended)  Defines an extended XNS access list.
logging facility        Configures the syslog facility in which error messages are sent.

logging facility
To configure the syslog facility in which error messages are sent, use the logging facility global configuration command. To revert to the default of local7, use the no form of this command.

logging facility facility-type
no logging facility

Syntax Description
facility-type  Syslog facility. See the Usage Guidelines section of this command reference entry for descriptions of acceptable keywords.

Defaults
local7

Command Modes
Global configuration

Usage Guidelines
Table 57 describes the acceptable keywords for the facility-type argument.

Table 57 logging facility facility-type Argument
Facility-type keyword  Description
auth                   Authorization system
cron                   Cron facility
daemon                 System daemon
kern                   Kernel
local0-7               Reserved for locally defined messages
lpr                    Line printer system
mail                   Mail system
news                   USENET news
sys9                   System use
sys10                  System use
sys11                  System use
sys12                  System use
sys13                  System use
sys14                  System use
syslog                 System log
user                   User process
uucp                   UNIX-to-UNIX copy system

Examples
In the following example, the user configures the syslog facility to the kernel facility type:

logging facility kern

Related Commands
Command          Description
logging console  Limits messages logged to the console based on severity.

logging history size


To change the number of syslog messages stored in the router's history table, use the logging history size global configuration command. To return the number of messages to the default value, use the no form of this command.

logging history size number
no logging history size

Syntax Description
number Number from 1 to 500 that indicates the maximum number of messages stored in the history table.

Defaults
One message

Command Modes
Global configuration

Usage Guidelines
When the history table is full (that is, it contains the maximum number of message entries specified with the logging history size command), the oldest message entry is deleted from the table to allow the new message entry to be stored.

Examples
In the following example, the user sets the number of messages stored in the history table to 20:

logging history size 20

Related Commands
Command          Description
logging history  Limits syslog messages sent to the router's history table and the SNMP network management station based on severity.
show logging     Displays the state of logging (syslog).

logging history
To limit syslog messages sent to the router's history table and the Simple Network Management Protocol (SNMP) network management station based on severity, use the logging history global configuration command. To return the logging of syslog messages to the default level, use the no form of this command with the previously configured severity level argument.

logging history [severity-level-name | severity-level-number]
no logging history [severity-level-name | severity-level-number]

Syntax Description
severity-level-name    Name of the severity level. Specifies the lowest severity level for system error message logging. See the Usage Guidelines section of this command for available keywords.

severity-level-number  Number of the severity level. Specifies the lowest severity level for system error message logging. See the Usage Guidelines section of this command for available keywords.

Defaults
Logging of error messages of severity levels 0 through 4 (emergency, alert, critical, error, and warning levels); in other words, "saving level warnings or higher"

Command Modes
Global configuration

Usage Guidelines
Sending syslog messages to the SNMP network management station occurs when you enable syslog traps with the snmp-server enable traps global configuration command. Because SNMP traps are inherently unreliable and much too important to lose, at least one syslog message, the most recent message, is stored in a history table on the router. The history table, which contains table size, message status, and message text data, can be viewed using the show logging history command. The number of messages stored in the table is governed by the logging history size EXEC command.

Severity levels are numbered 0 through 7, with 0 being the highest severity level and 7 being the lowest severity level (that is, the lower the number, the more critical the message). Specifying a level causes messages at that severity level and numerically lower levels to be stored in the router's history table and sent to the SNMP network management station. For example, specifying the level critical causes messages at the critical (3), alert (2), and emergency (1) levels to be saved to the logging history table.

Table 58 provides a description of logging severity levels, listed from highest severity to lowest severity, and the arguments used in the logging history command syntax. Note that you can use the level name or the level number as the level argument in this command.

Table 58 Syslog Error Message Severity Levels
Severity Level Name  Severity Level Number  Description                       Syslog Definition
emergencies          0                      System unusable                   LOG_EMERG
alerts               1                      Immediate action needed           LOG_ALERT
critical             2                      Critical conditions               LOG_CRIT
errors               3                      Error conditions                  LOG_ERR
warnings             4                      Warning conditions                LOG_WARNING
notifications        5                      Normal but significant condition  LOG_NOTICE
informational        6                      Informational messages only       LOG_INFO
debugging            7                      Debugging messages                LOG_DEBUG

Examples
In the following example, the system is initially configured to the default of saving severity level 4 or higher. The logging history 1 command is used to configure the system to save only level 1 (alert) and level 0 (emergency) messages to the logging history table. The configuration is then confirmed using the show logging history command.

Router#show logging history
Syslog History Table:10 maximum table entries,
! The following line shows that system-error-message-logging is set to the
! default level of "warnings" (4).
saving level warnings or higher
 23 messages ignored, 0 dropped, 0 recursion drops
 1 table entries flushed
 SNMP notifications not enabled
   entry number 2 : LINK-3-UPDOWN
    Interface FastEthernet0, changed state to up
    timestamp: 2766
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#logging history 1
Router(config)#end
Router#
4w0d: %SYS-5-CONFIG_I: Configured from console by console
Router#show logging history
Syslog History Table:1 maximum table entries,
! The following line indicates that `logging history level 1' is configured.
saving level alerts or higher
 18 messages ignored, 0 dropped, 0 recursion drops
 1 table entries flushed
 SNMP notifications not enabled
   entry number 2 : LINK-3-UPDOWN
    Interface FastEthernet0, changed state to up
    timestamp: 2766
Router#

Related Commands
Command               Description
logging on            Controls (enables or disables) the logging of error messages.
logging history size  Changes the number of syslog messages stored in the router's history table.
show logging          Displays the state of logging (syslog).
show logging history  Displays the state of logging history.
snmp-server host      Specifies the recipient of an SNMP notification operation.

logging linecard
To log messages to an internal buffer on a line card, use the logging linecard global configuration command. To cancel the use of the internal buffer on the line cards, use the no form of this command.

logging linecard [size | level]
no logging linecard

Syntax Description
size   (Optional) Size of the buffer used for each line card. The range is from 4096 to 65,536 bytes. The default is 8 KB.

level  (Optional) Limits the logging of messages displayed on the console terminal to a specified level. The message level can be one of the following:

alerts - Immediate action needed
critical - Critical conditions
debugging - Debugging messages
emergencies - System is unusable
errors - Error conditions
informational - Informational messages
notifications - Normal but significant conditions
warnings - Warning conditions

Defaults
The Cisco IOS software logs messages to the internal buffer on the GRP card.

Command Modes
Global configuration

Command History
Release  Modification
11.2 GS  This command was added to support the Cisco 12000 series Gigabit Switch Routers.

Usage Guidelines
Specifying a message level causes messages at that level and numerically lower levels to be stored in the internal buffer on the line cards. Table 59 lists the message levels and associated numerical level. For example, if you specify a message level of critical, all critical, alert, and emergency messages will be logged.

Table 59 Message Levels
Level Keyword  Level
emergencies    0
alerts         1
critical       2
errors         3
warnings       4
notifications  5
informational  6
debugging      7

To display the messages that are logged in the buffer, use the show logging slot EXEC command. The first message displayed is the oldest message in the buffer. Do not make the buffer size too large because the router could run out of memory for other tasks. You can use the show memory EXEC command to view the free processor memory on the router; however, this is the maximum available and should not be approached.

Examples
The following example enables logging to an internal buffer on the line cards using the default buffer size and logging warning, error, critical, alert, and emergency messages:

logging linecard warnings
end

Related Commands
Command        Description
clear logging  Clears messages from the logging buffer.
show logging   Displays the state of logging (syslog).

logging monitor
To limit messages logged to the terminal lines (monitors) based on severity, use the logging monitor global configuration command. This command limits the logging messages displayed on terminal lines other than the console line to messages with a level at or above the level argument. To disable logging to terminal lines other than the console line, use the no form of this command.

logging monitor severity-level
no logging monitor

Syntax Description
severity-level  Limits the logging of messages logged to the terminal lines (monitors) to a specified level. You can enter the level number or level name. See the Usage Guidelines section for a list of acceptable severity-level keywords.

Defaults
debugging (severity-level 7)

Command Modes
Global configuration

Usage Guidelines
Specifying a level causes messages at that level and numerically lower levels to be displayed to the monitor.

Table 60 logging monitor Error Message Logging Priorities
Level Name     Level Number  Description                        Syslog Definition
emergencies    0             System unusable                    LOG_EMERG
alerts         1             Immediate action needed            LOG_ALERT
critical       2             Critical conditions                LOG_CRIT
errors         3             Error conditions                   LOG_ERR
warnings       4             Warning conditions                 LOG_WARNING
notifications  5             Normal but significant conditions  LOG_NOTICE
informational  6             Informational messages only        LOG_INFO
debugging      7             Debugging messages                 LOG_DEBUG

Examples
In the following example, the user specifies that only messages of the levels errors, critical, alerts, and emergencies be displayed on terminals:

logging monitor 3

Related Commands

Command           Description
terminal monitor  Displays debug command output and system error messages for the current terminal and session.

logging on
To control logging of error messages, use the logging on global configuration command. This command sends debug or error messages to a logging process, which logs messages to designated locations asynchronously to the processes that generated the messages. To disable the logging process, use the no form of this command.

logging on
no logging on

Syntax Description
This command has no arguments or keywords.

Defaults
The Cisco IOS software sends messages to the asynchronous logging process.

Command Modes
Global configuration

Usage Guidelines
The logging process controls the distribution of logging messages to the various destinations, such as the logging buffer, terminal lines, or syslog server. You can turn logging on and off for these destinations individually using the logging buffered, logging monitor, and logging global configuration commands. However, if the logging on command is disabled, no messages will be sent to these destinations. Only the console will receive messages. Additionally, the logging process logs messages to the console and the various destinations after the processes that generated them have completed. When the logging process is disabled, messages are displayed on the console as soon as they are produced, often appearing in the middle of command output.

Caution Disabling the logging on command will substantially slow down the router. Any process generating debug or error messages will wait until the messages have been displayed on the console before continuing. The logging synchronous line configuration command also affects the displaying of messages to the console. When the logging synchronous command is enabled, messages will appear only after the user types a carriage return.

Examples
The following example shows command output and message output when logging is enabled. The ping process finishes before any of the logging information is printed to the console (or any other destination).

Router(config)# logging on
Router(config)# end
Router#
%SYS-5-CONFIG_I: Configured from console by console
Router# ping dirt

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.129, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms
Router#
IP: s=172.21.96.41 (local), d=172.16.1.129 (Ethernet1/0), len 100, sending
IP: s=171.69.1.129 (Ethernet1/0), d=172.21.96.41, len 114, rcvd 1
IP: s=172.21.96.41 (local), d=172.16.1.129 (Ethernet1/0), len 100, sending
IP: s=171.69.1.129 (Ethernet1/0), d=172.21.96.41, len 114, rcvd 1
IP: s=172.21.96.41 (local), d=172.16.1.129 (Ethernet1/0), len 100, sending
IP: s=171.69.1.129 (Ethernet1/0), d=172.21.96.41, len 114, rcvd 1
IP: s=172.21.96.41 (local), d=172.16.1.129 (Ethernet1/0), len 100, sending
IP: s=171.69.1.129 (Ethernet1/0), d=172.21.96.41, len 114, rcvd 1
IP: s=172.21.96.41 (local), d=172.16.1.129 (Ethernet1/0), len 100, sending
IP: s=171.69.1.129 (Ethernet1/0), d=172.21.96.41, len 114, rcvd 1

In the following example, logging is disabled. The message output is displayed as messages are generated, causing the debug messages to be interspersed with the message "Type escape sequence to abort."

Router(config)# no logging on
Router(config)# end
%SYS-5-CONFIG_I: Configured from console by console
Router#
Router# ping dirt
IP: s=172.21.96.41 (local), d=172.16.1.129 (Ethernet1/0), len 100, sendingTyp
IP: s=171.69.1.129 (Ethernet1/0), d=172.21.96.41, len 114, rcvd 1e
IP: s=172.21.96.41 (local), d=172.16.1.129 (Ethernet1/0), len 100, sending esc
IP: s=171.69.1.129 (Ethernet1/0), d=172.21.96.41, len 114, rcvd 1
IP: s=172.21.96.41 (local), d=172.16.1.129 (Ethernet1/0), len 100, sendingape
IP: s=171.69.1.129 (Ethernet1/0), d=172.21.96.41, len 114, rcvd 1
IP: s=172.21.96.41 (local), d=172.16.1.129 (Ethernet1/0), len 100, sendingse
IP: s=171.69.1.129 (Ethernet1/0), d=172.21.96.41, len 114, rcvd 1
IP: s=172.21.96.41 (local), d=172.16.1.129 (Ethernet1/0), len 100, sendingquen
IP: s=171.69.1.129 (Ethernet1/0), d=172.21.96.41, len 114, rcvd 1ce to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.129, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 152/152/156 ms
Router#

Related Commands
Command              Description
logging              Logs messages to a syslog server host.
logging buffered     Logs messages to an internal buffer.
logging monitor      Limits messages logged to the terminal lines (monitors) based on severity.
logging synchronous  Synchronizes unsolicited messages and debug output with solicited Cisco IOS software output and prompts for a specific console port line, auxiliary port line, or vty.

logging rate-limit
To limit the rate of messages logged per second, use the logging rate-limit configuration command. To disable the limit, use the no form of this command.

logging rate-limit {number | all | console} [except severity]
no logging rate-limit

Syntax Description
number Specifies rate of messages logged per second. The valid values are from 1 to 10000.

all

Sets the rate limit to all messages including the debug messages.

console

Sets the rate limit only to console messages.

except

(Optional) Excludes messages of this severity or higher.

severity

(Optional) Sets the logging severity level. The valid levels are from 0 to 7.

Defaults
No default behavior or values.

Command Modes
Configuration mode

Usage Guidelines
The logging rate-limit command controls the output of messages from the system. Use this command if you want to avoid a flood of output messages. You can select the severity of the output messages and output rate by using the logging rate-limit command. You can use the logging rate-limit command anytime; it will not negatively impact the performance of your system and may improve the system performance by specifying the severities and rates of output messages.

You can use this command with or without the logging synchronous line configuration command. For example, if you want to see all severity 0, 1, and 2 messages, use the no logging synchronous command and specify logging rate-limit 10 except 2. By using the two commands together, you cause all messages of 0, 1, and 2 severity to print and limit the less severe ones (higher than 2) to only 10 per second.

Table 61 compares the error message logging numeric severity level with its equivalent word description.

Table 61 Error Message Logging Severity Level and Equivalent Word Descriptions
Numeric Severity Level  Equivalent Word  Description
0                       emergencies      System unusable
1                       alerts           Immediate action needed
2                       critical         Critical conditions
3                       errors           Error conditions
4                       warnings         Warning conditions
5                       notifications    Normal but significant condition
6                       informational    Informational messages only
7                       debugging        Debugging messages

For additional details about error message logging, see the "Troubleshooting the Router" chapter in the Release 12.2 Cisco IOS Configuration Fundamentals Configuration Guide.

Examples
In the following example, the logging rate-limit configuration mode command limits message output to 200 per second:

Router(config)# logging rate-limit 200

Related Commands
Command                Description
logging synchronous    Synchronizes unsolicited messages and debug output with solicited Cisco IOS software output and prompts for a specific console port line, auxiliary port line, or vty.

logging source-interface
To specify the source IP address of syslog packets, use the logging source-interface global configuration command. To remove the source designation, use the no form of this command.

logging source-interface interface-type interface-number
no logging source-interface

Syntax Description
interface-type Interface type.

interface-number

Interface number.

Defaults
No interface is specified.

Command Modes
Global configuration

Usage Guidelines
Normally, a syslog message contains the IP address of the interface it uses to leave the router. The logging source-interface command specifies that syslog packets contain the IP address of a particular interface, regardless of which interface the packet uses to exit the router.

Examples
In the following example, the user specifies that the IP address for Ethernet interface 0 is the source IP address for all syslog messages:

logging source-interface ethernet 0


The following example specifies that the IP address for Ethernet interface 2/1 on a Cisco 7000 series router is the source IP address for all syslog messages:

logging source-interface ethernet 2/1

Related Commands
Command    Description
logging    Logs messages to a syslog server host.

logging synchronous
To synchronize unsolicited messages and debug output with solicited Cisco IOS software output and prompts for a specific console port line, auxiliary port line, or vty, use the logging synchronous line configuration command. To disable synchronization of unsolicited messages and debug output, use the no form of this command.

logging synchronous [level severity-level | all] [limit number-of-buffers]
no logging synchronous [level severity-level | all] [limit number-of-buffers]

Syntax Description
level severity-level (Optional) Specifies the message severity level. Messages with a severity level equal to or higher than this value are printed asynchronously. Low numbers indicate greater severity and high numbers indicate lesser severity. The default value is 2.

all

(Optional) Specifies that all messages are printed asynchronously, regardless of the severity level.

limit number-of-buffers

(Optional) Specifies the number of buffers to be queued for the terminal after which new messages are dropped. The default value is 20.

Defaults
This feature is turned off by default. If you do not specify a severity level, the default value of 2 is assumed. If you do not specify the maximum number of buffers to be queued, the default value of 20 is assumed.

Command Modes
Line configuration

Usage Guidelines
When synchronous logging of unsolicited messages and debug output is turned on, unsolicited Cisco IOS software output is displayed on the console or printed after solicited Cisco IOS software output is displayed or printed. Unsolicited messages and debug output are displayed on the console after the prompt for user input is returned. This keeps unsolicited messages and debug output from being interspersed with solicited software output and prompts. After the unsolicited messages are displayed, the console displays the user prompt again.

When specifying a severity level number, consider that for the logging system, low numbers indicate greater severity and high numbers indicate lesser severity.

When the message queue limit of a terminal line is reached, new messages are dropped from the line, although these messages might be displayed on other lines. If messages are dropped, the notice "%SYS-3-MSGLOST number-of-messages due to overflow" follows any messages that are displayed. This notice is displayed only on the terminal that lost the messages. It is not sent to any other lines, any logging servers, or the logging buffer.

Caution By configuring abnormally large message queue limits and setting the terminal to "terminal monitor" on a terminal that is accessible to intruders, you expose yourself to "denial of service" attacks. An intruder could carry out the attack by putting the terminal in synchronous output mode, making a Telnet connection to a remote host, and leaving the connection idle. This could cause large numbers of messages to be generated and queued, and these messages would quickly consume all available RAM. You should guard against this type of attack through proper configuration.

Examples
In the following example, line 4 is identified and synchronous logging for line 4 is enabled with a severity level of 6. Then another line, line 2, is identified and the synchronous logging for line 2 is enabled with a severity level of 7 and is specified with a maximum number of buffers to be 70,000.

line 4
 logging synchronous level 6
line 2
 logging synchronous level 7 limit 70000

Related Commands
Command       Description
line          Identifies a specific line for configuration and starts the line configuration command collection mode.
logging on    Controls logging of error messages and sends debug or error messages to a logging process, which logs messages to designated locations asynchronously to the processes that generated the messages.

logging trap
To limit messages logged to the syslog servers based on severity, use the logging trap global configuration command. The command limits the logging of error messages sent to syslog servers to only those messages at the specified level. To disable logging to syslog servers, use the no form of this command.

logging trap level
no logging trap

Syntax Description
level Limits the logging of messages to the syslog servers to a specified level. You can enter the level number or level name. See the Usage Guidelines section for a list of acceptable level keywords.

Defaults
informational (level 6)

Command Modes
Global configuration

Usage Guidelines
The show logging EXEC command displays the addresses and levels associated with the current logging setup. The command output also includes ancillary statistics. Table 62 lists the syslog definitions that correspond to the debugging message levels. Additionally, four categories of messages are generated by the software, as follows:

• Error messages about software or hardware malfunctions at the LOG_ERR level.
• Output for the debug commands at the LOG_WARNING level.
• Interface up/down transitions and system restarts at the LOG_NOTICE level.
• Reload requests and low process stacks at the LOG_INFO level.

Use the logging and logging trap commands to send messages to a UNIX syslog server.

Table 62 logging trap Error Message Logging Priorities

Level Arguments   Level   Description                        Syslog Definition
emergencies       0       System unusable                    LOG_EMERG
alerts            1       Immediate action needed            LOG_ALERT
critical          2       Critical conditions                LOG_CRIT
errors            3       Error conditions                   LOG_ERR
warnings          4       Warning conditions                 LOG_WARNING
notifications     5       Normal but significant condition   LOG_NOTICE
informational     6       Informational messages only        LOG_INFO
debugging         7       Debugging messages                 LOG_DEBUG

Examples
In the following example, messages at the notifications level or more severe are logged to a host named john:

logging john
logging trap notifications

Related Commands
Command    Description
logging    Logs messages to a syslog server host.

logging
To log messages to a syslog server host, use the logging global configuration command. To delete the syslog server with the specified address from the list of syslog servers, use the no form of this command.

logging host-name
no logging host-name

Syntax Description
host-name Name or IP address of the host to be used as a syslog server.

Defaults
No messages are logged to a syslog server host.

Command Modes
Global configuration

Usage Guidelines
This command identifies a syslog server host to receive logging messages. By issuing this command more than once, you build a list of syslog servers that receive logging messages.

Examples
In the following example, messages are logged to a host named john:

logging john

Related Commands
Command         Description
logging trap    Limits messages logged to the syslog servers based on severity and limits the logging of error messages sent to syslog servers to only those messages at the specified level.

show logging history


To display information about the state of the syslog history table, use the show logging history privileged EXEC command.

show logging history

Syntax Description
This command has no arguments or keywords.

Command Modes
Privileged EXEC

Command History
Release   Modification
10.0      This command was introduced.

Usage Guidelines
This command displays information about the syslog history table, such as the table size, the status of messages, and text of messages stored in the table. Messages stored in the table are governed by the logging history global configuration command.

Examples
The following example shows sample output from the show logging history command. In this example, notifications of severity level 5 (notifications) through severity level 0 (emergencies) are configured to be written to the logging history table.

Router# show logging history
Syslog History Table: 1 maximum table entries,
saving level notifications or higher
0 messages ignored, 0 dropped, 15 table entries flushed,
SNMP notifications not enabled
entry number 16: SYS-5-CONFIG_I
Configured from console by console
timestamp: 1110
Router#
Table 82 describes the significant fields shown in the output.

Table 82 show logging history Field Descriptions

Field                         Description
maximum table entry           Number of messages that can be stored in the history table. Set with the logging history size command.
saving level <x> or higher    Level of messages that are stored in the history table and sent to the SNMP server (if SNMP notification is enabled). The severity level can be configured with the logging history command.
messages ignored              Number of messages not stored in the history table because the severity level is greater than that specified with the logging history command.
dropped                       Number of messages that could not be processed due to lack of system resources. Dropped messages do not appear in the history table and are not sent to the SNMP server.
table entries flushed         Number of messages that have been removed from the history table to make room for newer messages.
SNMP notifications            Whether syslog traps of the appropriate level are sent to the SNMP server. The sending of syslog traps is enabled or disabled through the snmp-server enable traps syslog command.
entry number:                 Number of the message entry in the history table. In the example above, the message "SYS-5-CONFIG_I Configured from console by console" indicates a syslog message consisting of the facility name (SYS), which indicates where the message came from, the severity level (5) of the message, the message name (CONFIG_I), and the message text.
timestamp                     Time, based on the up time of the router, that the message was generated.
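The message format, severity table and filters described above (logging trap, logging rate-limit with except, and the FACILITY-SEVERITY-MNEMONIC form shown in the history table), modelled in a small Python example that is added here and is not part of the Cisco documentation. Function and class names are this example's own, the sample console lines are constructed, and applying the trap level before the rate limit is an assumption of the model.

```python
# Added example, not Cisco code: parse IOS-style messages and apply the logging
# trap and logging rate-limit rules this reference describes.
import re
from collections import deque

# Table 62: level keyword -> numeric severity, plus the matching syslog definition.
LEVEL_KEYWORDS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
                  "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}
SYSLOG_DEFINITION = ["LOG_EMERG", "LOG_ALERT", "LOG_CRIT", "LOG_ERR",
                     "LOG_WARNING", "LOG_NOTICE", "LOG_INFO", "LOG_DEBUG"]

# %FACILITY-SEVERITY-MNEMONIC: text, also without the leading % and colon as
# the show logging history output prints it.
MSG_RE = re.compile(r"(?<![A-Za-z0-9_])%?(?P<facility>[A-Z][A-Z0-9_]*)-(?P<severity>[0-7])-"
                    r"(?P<mnemonic>[A-Z0-9_]+):?\s*(?P<text>.*)$")


def level_number(level):
    """Accept the level as a number or a keyword, as logging trap does."""
    if isinstance(level, int):
        if not 0 <= level <= 7:
            raise ValueError(f"severity {level} is outside 0-7")
        return level
    return LEVEL_KEYWORDS[level.lower()]


def parse_ios_message(line):
    """Split a message into facility, severity, mnemonic and text; None for non-message lines."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    sev = int(m["severity"])
    return {"facility": m["facility"], "severity": sev, "mnemonic": m["mnemonic"],
            "syslog": SYSLOG_DEFINITION[sev], "text": m["text"]}


def passes_trap(msg, trap_level):
    """logging trap LEVEL: only messages at LEVEL or more severe (numerically lower) are sent."""
    return msg["severity"] <= level_number(trap_level)


class RateLimit:
    """logging rate-limit NUMBER [except SEVERITY]: at most NUMBER messages per second,
    with messages at SEVERITY or more severe exempt from the limit."""

    def __init__(self, per_second, except_severity=None):
        if not 1 <= per_second <= 10000:
            raise ValueError("rate must be between 1 and 10000")
        self.per_second = per_second
        self.exempt = None if except_severity is None else level_number(except_severity)
        self.window = deque()   # timestamps of messages let through in the last second

    def allow(self, msg, now):
        if self.exempt is not None and msg["severity"] <= self.exempt:
            return True
        while self.window and now - self.window[0] >= 1.0:
            self.window.popleft()
        if len(self.window) >= self.per_second:
            return False
        self.window.append(now)
        return True


def forward(stream, trap_level, rate, except_severity=None):
    """Run (timestamp, line) pairs through both filters; report what reached the syslog server.
    Order of the two checks (trap first, then rate limit) is this example's assumption."""
    limiter = RateLimit(rate, except_severity)
    out = {"forwarded": [], "trap_dropped": 0, "rate_dropped": 0}
    for now, line in stream:
        msg = parse_ios_message(line)
        if msg is None:
            continue
        if not passes_trap(msg, trap_level):
            out["trap_dropped"] += 1
        elif not limiter.allow(msg, now):
            out["rate_dropped"] += 1
        else:
            out["forwarded"].append(f"{msg['facility']}-{msg['severity']}-{msg['mnemonic']}")
    return out


# Constructed sample console output (timestamps in seconds); only CONFIG_I is quoted on this page.
SAMPLE = [
    (0.0, "%SYS-5-CONFIG_I: Configured from console by console"),
    (0.1, "%LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed state to up"),
    (0.2, "%SYS-5-CONFIG_I: Configured from console by vty0"),
    (0.3, "%LINK-3-UPDOWN: Interface Ethernet0, changed state to down"),
    (0.4, "%SYS-6-CONSTRUCTED_INFO: constructed informational message"),
    (0.5, "Router#"),
    (1.2, "%SYS-5-CONFIG_I: Configured from console by console"),
]

if __name__ == "__main__":
    # logging trap notifications, logging rate-limit 2 except 3
    print(forward(SAMPLE, "notifications", 2, except_severity=3))
```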

Related Commands
Command                     Description
clear logging               Clears messages from the logging buffer.
logging history             Limits syslog messages sent to the router's history table to a specified severity level.
logging history size        Changes the number of syslog messages that can be stored in the history table.
logging linecard            Logs messages to an internal buffer on a line card. This command limits the logging messages displayed on terminal lines other than the console line to messages with a level at or above level.
snmp-server enable traps    The [no] snmp-server enable traps syslog form of this command controls (enables or disables) the sending of system-logging messages to a network management station.

show logging
To display the state of logging (syslog), use the show logging privileged EXEC command.

show logging [slot slot-number | summary]

Syntax Description
slot slot-number (Optional) Displays information in the syslog history table for a specific line card. Slot numbers range from 0 to 11 for the Cisco 12012 router and 0 to 7 for the Cisco 12008 router.

summary

(Optional) Displays counts of messages by type for each line card.

Command Modes
Privileged EXEC

Command History
Release   Modification
10.0      This command was introduced.
11.2 GS   The slot and summary keywords were added.

Usage Guidelines
This command displays the state of syslog error and event logging, including host addresses, and whether console logging is enabled. This command also displays Simple Network Management Protocol (SNMP) configuration parameters and protocol activity.

Examples
The following is sample output from the show logging command:

Router# show logging
Syslog logging: enabled
    Console logging: disabled
    Monitor logging: level debugging, 266 messages logged.
    Trap logging: level informational, 266 messages logged.
        Logging to 192.180.2.238
    SNMP logging: disabled, retransmission after 30 seconds
        0 messages logged
Router#
Table 80 describes the significant fields shown in the display.

Table 80 show logging Field Descriptions

Field              Description
Syslog logging     When enabled, system logging messages are sent to a UNIX host that acts as a syslog server; that is, syslog messages are saved to the specified server.
Console logging    Minimum level of severity required for a log message to be sent to the console. If disabled, the word "disabled" is displayed.
Monitor logging    Minimum level of severity required for a log message to be sent to a monitor terminal (not the console).
Trap logging       Minimum level of severity required for a log message to be sent to a syslog server.
SNMP logging       Displays whether SNMP logging is enabled, the number of messages logged, and the retransmission interval.

The following is sample output from the show logging summary command for the Cisco 12012 router. A number in the column indicates that the syslog contains that many messages for the line card. For example, line card in slot 9 has 1 error message, 4 warning messages, and 47 notification messages.

Router# show logging summary
+-----+-------+-------+-------+-------+-------+-------+-------+-------+
SLOT | EMERG | ALERT | CRIT  | ERROR |WARNING| NOTICE| INFO  | DEBUG |
+-----+-------+-------+-------+-------+-------+-------+-------+-------+
|* 0* |   .   |   .   |   .   |   .   |   .   |   .   |   .   |   .   |
|  1  |       |       |       |       |       |       |       |       |
|  2  |       |       |       |   1   |   4   |   45  |       |       |
|  3  |       |       |       |       |       |       |       |       |
|  4  |       |       |       |   5   |   4   |   54  |       |       |
|  5  |       |       |       |       |       |       |       |       |
|  6  |       |       |       |       |       |       |       |       |
|  7  |       |       |       |   17  |   4   |   48  |       |       |
|  8  |       |       |       |       |       |       |       |       |
|  9  |       |       |       |   1   |   4   |   47  |       |       |
|  10 |       |       |       |       |       |       |       |       |
|  11 |       |       |       |   12  |   4   |   65  |       |       |
+-----+-------+-------+-------+-------+-------+-------+-------+-------+
Router#
Table 81 describes the logging level fields shown in the display.

Table 81 show logging summary Field Descriptions

Field      Description
SLOT       Indicates the slot number of the line card. An asterisk next to the slot number indicates the GRP card whose error message counts are not displayed. For information on the GRP card, use the show logging command.
EMERG      Indicates that the system is unusable.
ALERT      Indicates that immediate action is needed.
CRIT       Indicates a critical condition.
ERROR      Indicates an error condition.
WARNING    Indicates a warning condition.
NOTICE     Indicates a normal but significant condition.
INFO       Indicates an informational message only.
DEBUG      Indicates a debugging message.

Related Commands
Command                 Description
clear logging           Clears messages from the logging buffer.
logging history size    Changes the number of syslog messages stored in the history table of the router.
logging linecard        Logs messages to an internal buffer on a line card and limits the logging messages displayed on terminal lines other than the console line to messages with a level at or above level.
show logging history    Displays information about the configuration of the syslog history table.

clear ip nat translation


To clear dynamic Network Address Translation (NAT) translations from the translation table, use the clear ip nat translation EXEC command.

clear ip nat translation {* | [inside global-ip local-ip] [outside local-ip global-ip]}
clear ip nat translation protocol inside global-ip global-port local-ip local-port [outside local-ip global-ip]

Syntax Description
* Clears all dynamic translations.

inside

(Optional) Clears the inside translations containing the specified global-ip and local-ip addresses.

global-ip

(Optional) When used without the protocol, global-port, and local-port arguments, clears a simple translation that also contains the specified local-ip address. When used with the protocol, global-port, and local-port arguments, clears an extended translation.

local-ip

(Optional) Clears an entry that contains this local IP address and the specified global-ip address.

outside

(Optional) Clears the outside translations containing the specified global-ip and local-ip addresses.

protocol

Clears an entry that contains this protocol and the specified global-ip address, local-ip address, global-port value, and local-port value.

global-port

Clears an entry that contains this global-port value and the specified protocol value, global-ip address, local-ip address, and local-port value.

local-port

Clears an entry that contains this local-port value and the specified protocol value, global-ip address, local-ip address, and global-port value.

Command Modes
EXEC

Usage Guidelines
Use this command to clear entries from the translation table before they time out.

Examples
The following example shows the NAT entries before and after the User Datagram Protocol (UDP) entry is cleared:

Router# show ip nat translation
Pro Inside global          Inside local         Outside local       Outside global
udp 171.69.233.209:1220    192.168.1.95:1220    171.69.2.132:53     171.69.2.132:53
tcp 171.69.233.209:11012   192.168.1.89:11012   171.69.1.220:23     171.69.1.220:23
tcp 171.69.233.209:1067    192.168.1.95:1067    171.69.1.161:23     171.69.1.161:23
Router# clear ip nat translation udp inside 171.69.233.209 1220 192.168.1.95 1220 171.69.2.132 53 171.69.2.132 53
Router# show ip nat translation
Pro Inside global          Inside local         Outside local       Outside global
tcp 171.69.233.209:11012   192.168.1.89:11012   171.69.1.220:23     171.69.1.220:23
tcp 171.69.233.209:1067    192.168.1.95:1067    171.69.1.161:23     171.69.1.161:23

Related Commands
Command                     Description
ip nat                      Designates that traffic originating from or destined for the interface is subject to NAT.
ip nat inside destination   Enables NAT of the inside destination address.
ip nat inside source        Enables NAT of the inside source address.
ip nat outside source       Enables NAT of the outside source address.
ip nat pool                 Defines a pool of IP addresses for NAT.
ip nat service              Changes the amount of time after which NAT translations time out.
show ip nat statistics      Displays NAT statistics.
show ip nat translations    Displays active NAT translations.

ip nat inside destination


To enable Network Address Translation (NAT) of the inside destination address, use the ip nat inside destination global configuration command. To remove the dynamic association to a pool, use the no form of this command.

ip nat inside destination list {access-list-number | name} pool name
no ip nat inside destination list {access-list-number | name}

Syntax Description
list access-list-number Standard IP access list number. Packets with destination addresses that pass the access list are translated using global addresses from the named pool.

list name

Name of a standard IP access list. Packets with destination addresses that pass the access list are translated using global addresses from the named pool.

pool name

Name of the pool from which global IP addresses are allocated during dynamic translation.

Defaults
No inside destination addresses are translated.

Command Modes
Global configuration

Command History
Release 11.2 Modification This command was introduced.

Usage Guidelines
This command has two forms: dynamic and static address translation. The form with an access list establishes dynamic translation. Packets from addresses that match the standard access list are translated using global addresses allocated from the pool named with the ip nat pool command.

Examples
The following example translates between inside hosts addressed to either the 192.168.1.0 or 192.168.2.0 network to the globally unique 171.69.233.208/28 network:

ip nat pool net-208 171.69.233.208 171.69.233.223 prefix-length 28
ip nat inside destination list 1 pool net-208
!
interface ethernet 0
 ip address 171.69.232.182 255.255.255.240
 ip nat outside
!
interface ethernet 1
 ip address 192.168.1.94 255.255.255.0
 ip nat inside
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255

Related Commands
Command                     Description
clear ip nat translation    Clears dynamic NAT translations from the translation table.
ip nat                      Designates that traffic originating from or destined for the interface is subject to NAT.
ip nat inside source        Enables NAT of the inside source address.
ip nat outside source       Enables NAT of the outside source address.
ip nat pool                 Defines a pool of IP addresses for NAT.
ip nat service              Enables a port other than the default port.
show ip nat statistics      Displays NAT statistics.
show ip nat translations    Displays active NAT translations.

ip nat inside source


To enable Network Address Translation (NAT) of the inside source address, use the ip nat inside source global configuration command. To remove the static translation or remove the dynamic association to a pool, use the no form of this command.

ip nat inside source {list {access-list-number | access-list-name} | route-map name} {interface type number | pool pool-name} [overload]
no ip nat inside source {list {access-list-number | access-list-name} | route-map name} {interface type number | pool pool-name} [overload]

Static NAT
ip nat inside source {static {local-ip global-ip} [extendable] [no-alias]
no ip nat inside source {static {local-ip global-ip} [extendable] [no-alias]

Port Static NAT
ip nat inside source {static {tcp | udp local-ip local-port global-ip global-port} [extendable] [no-alias]
no ip nat inside source {static {tcp | udp local-ip local-port global-ip global-port} [extendable] [no-alias]

Network Static NAT
ip nat inside source {static {network local-network global-network mask} [extendable] [no-alias]
no ip nat inside source {static {network local-network global-network mask} [extendable] [no-alias]

Syntax Description
list access-list-number Standard IP access list number. Packets with source addresses that pass the access list are dynamically translated using global addresses from the named pool.

list name

Name of a standard IP access list. Packets with source addresses that pass the access list are dynamically translated using global addresses from the named pool.

pool name

Name of the pool from which global IP addresses are allocated dynamically.

overload

(Optional) Enables the router to use one global address for many local addresses. When overloading is configured, the TCP or UDP port number of each inside host distinguishes between the multiple conversations using the same local IP address.

static local-ip

Sets up a single static translation. This argument establishes the local IP address assigned to a host on the inside network. The address could be randomly chosen, allocated from RFC 1918, or obsolete.

local-port

Sets the local TCP/UDP port in a range from 1-65535.

static global-ip

Sets up a single static translation. This argument establishes the globally unique IP address of an inside host as it appears to the outside world.

global-port

Sets the global TCP/UDP port in a range from 1-65535.

extendable

(Optional) Extends the translation.

no-alias

(Optional) Prohibits an alias from being created for the global address.

tcp

Establishes the Transmission Control Protocol.

udp

Establishes the User Datagram Protocol.

network local-network

Specifies the local subnet translation.

global-network

Specifies the global subnet translation.

mask

Establishes the IP network mask for the subnet translations.

Defaults
No NAT translation of inside source addresses occurs.

Command Modes
Global configuration

Command History
Release 11.2 Modification This command was introduced.

Usage Guidelines
This command has two forms: dynamic and static address translation. The form with an access list establishes dynamic translation. Packets from addresses that match the standard access list are translated using global addresses allocated from the pool named with the ip nat pool command. Packets that enter the router through the inside interface and packets sourced from the router are checked against the access list for possible NAT candidates. The access list is used to specify which traffic is to be translated.

Alternatively, the syntax form with the keyword static establishes a single static translation.

Examples
The following example translates between inside hosts addressed from either the 192.168.1.0 or 192.168.2.0 network to the globally unique 171.69.233.208/28 network:

ip nat pool net-208 171.69.233.208 171.69.233.223 prefix-length 28
ip nat inside source list 1 pool net-208
!
interface ethernet 0
 ip address 171.69.232.182 255.255.255.240
 ip nat outside
!
interface ethernet 1
 ip address 192.168.1.94 255.255.255.0
 ip nat inside
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255

Related Commands
Command                     Description
clear ip nat translation    Clears dynamic NAT translations from the translation table.
ip nat                      Designates that traffic originating from or destined for the interface is subject to NAT.
ip nat inside source        Enables NAT of the inside source address.
ip nat outside source       Enables NAT of the outside source address.
ip nat pool                 Defines a pool of IP addresses for NAT.
ip nat service              Enables a port other than the default port.
show ip nat statistics      Displays NAT statistics.
show ip nat translations    Displays active NAT translations.

ip nat outside source


To enable Network Address Translation (NAT) of the outside source address, use the ip nat outside source global configuration command. To remove the static entry or the dynamic association, use the no form of this command.

ip nat outside source {list {access-list-number | access-list-name} | route-map name} pool pool-name [add-route]
no ip nat outside source {list {access-list-number | access-list-name} | route-map name} pool pool-name [add-route]

Static NAT
ip nat outside source static {global-ip local-ip} [add-route] [extendable] [no-alias]
no ip nat outside source static {global-ip local-ip} [add-route] [extendable] [no-alias]

Port Static NAT
ip nat outside source {static {tcp | udp global-ip global-port local-ip local-port} [add-route] [extendable] [no-alias]
no ip nat outside source {static {tcp | udp global-ip global-port local-ip local-port} [add-route] [extendable] [no-alias]

Network Static NAT
ip nat outside source {static network global-network local-network mask} [add-route] [extendable] [no-alias]
no ip nat outside source {static network global-network local-network mask} [add-route] [extendable] [no-alias]

Syntax Description
list access-list-number Standard IP access list number. Packets with source addresses that pass the access list are translated using global addresses from the named pool.

list name

Name of a standard IP access list. Packets with source addresses that pass the access list are translated using global addresses from the named pool.

pool name

Name of the pool from which global IP addresses are allocated.

add-route

(Optional) Adds a static route for the outside local address.

static global-ip

Sets up a single static translation. This argument establishes the globally unique IP address assigned to a host on the outside network by its owner. It was allocated from globally routable network space.

global-port

Sets the global TCP/UDP port in a range from 1-65535.

static local-ip

Sets up a single static translation. This argument establishes the local IP address of an outside host as it appears to the inside world. The address was allocated from address space routable on the inside (RFC 1918, Address Allocation for Private Internets).

local-port

Sets the local TCP/UDP port in a range from 1-65535.

extendable

(Optional) Extends the translation.

no-alias

(Optional) Prohibits an alias from being created for the local address.

tcp

Establishes the Transmission Control Protocol.

udp

Establishes the User Datagram Protocol.

network global-network

Specifies the global subnet translation.

local-network

Specifies the local subnet translation.

mask

Establishes the IP network mask for the subnet translations.

Defaults
No translation of source addresses coming from the outside to the inside network occurs.

Command Modes
Global configuration

Command History
Release 11.2 Modification This command was introduced.

Usage Guidelines
You might have IP addresses that are not legal, officially assigned IP addresses. Perhaps you chose IP addresses that officially belong to another network. The case of an address used illegally and legally is called overlapping. You can use NAT to translate inside addresses that overlap with outside addresses. Use this feature if your IP addresses in the stub network happen to be legitimate IP addresses belonging to another network, and you need to communicate with those hosts or routers.

This command has two forms: dynamic and static address translation. The form with an access list establishes dynamic translation. Packets from addresses that match the standard access list are translated using global addresses allocated from the pool named with the ip nat pool command. Alternatively, the syntax form with the static keyword establishes a single static translation.

Examples
The following example translates between inside hosts addressed from the 9.114.11.0 network to the globally unique 171.69.233.208/28 network. Further packets from outside hosts addressed from the 9.114.11.0 network (the true 9.114.11.0 network) are translated to appear to be from the 10.0.1.0/24 network.

ip nat pool net-208 171.69.233.208 171.69.233.223 prefix-length 28
ip nat pool net-10 10.0.1.0 10.0.1.255 prefix-length 24
ip nat inside source list 1 pool net-208
ip nat outside source list 1 pool net-10
!
interface ethernet 0
 ip address 171.69.232.182 255.255.255.240
 ip nat outside
!
interface ethernet 1
 ip address 9.114.11.39 255.255.255.0
 ip nat inside
!
access-list 1 permit 9.114.11.0 0.0.0.255

Related Commands
Command                     Description
clear ip nat translation    Clears dynamic NAT translations from the translation table.
ip nat                      Designates that traffic originating from or destined for the interface is subject to NAT.
ip nat inside destination   Enables NAT of the inside destination address.
ip nat inside source        Enables NAT of the inside source address.
ip nat pool                 Defines a pool of IP addresses for NAT.
ip nat service              Enables a port other than the default port.
show ip nat statistics      Displays NAT statistics.
show ip nat translations    Displays active NAT translations.

ip nat pool
To define a pool of IP addresses for Network Address Translation (NAT), use the ip nat pool global configuration command. To remove one or more addresses from the pool, use the no form of this command.

ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length} [type rotary]
no ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length} [type rotary]

Syntax Description
name

Name of the pool.

start-ip

Starting IP address that defines the range of addresses in the address pool.

end-ip

Ending IP address that defines the range of addresses in the address pool.

netmask netmask

Network mask that indicates which address bits belong to the network and subnetwork fields and which bits belong to the host field. Specify the netmask of the network to which the pool addresses belong.

prefix-length prefix-length

Number that indicates how many bits of the netmask are ones (how many bits of the address indicate network). Specify the netmask of the network to which the pool addresses belong.

type rotary

(Optional) Indicates that the range of addresses in the address pool identifies real, inside hosts among which TCP load distribution will occur.

Defaults
No pool of addresses is defined.

Command Modes
Global configuration

Command History
Release Modification

11.2

This command was introduced.

Usage Guidelines
This command defines a pool of addresses using start address, end address, and either netmask or prefix length. The pool could define either an inside global pool, an outside local pool, or a rotary pool.

Examples

The following example translates between inside hosts addressed from either the 192.168.1.0 or 192.168.2.0 network to the globally unique 171.69.233.208/28 network:

ip nat pool net-208 171.69.233.208 171.69.233.223 prefix-length 28
ip nat inside source list 1 pool net-208
!
interface ethernet 0
 ip address 171.69.232.182 255.255.255.240
 ip nat outside
!
interface ethernet 1
 ip address 192.168.1.94 255.255.255.0
 ip nat inside
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255

Related Commands
Command Description

clear ip nat translation

Clears dynamic NAT translations from the translation table.

ip nat

Designates that traffic originating from or destined for the interface is subject to NAT.

ip nat inside destination

Enables NAT of the inside destination address.

ip nat inside source

Enables NAT of the inside source address.

ip nat outside source

Enables NAT of the outside source address.

ip nat service

Enables a port other than the default port.

show ip nat statistics

Displays NAT statistics.

show ip nat translations

Displays active NAT translations.

ip nat service
To specify a port other than the default port, use the ip nat service command in global configuration mode. To disable the port, use the no form of this command.

ip nat service {list {access-list-number | access-list-name} ftp tcp port port-number | skinny tcp port port-number}
no ip nat service {list {access-list-number | access-list-name} ftp tcp port port-number | skinny tcp port port-number}

Syntax Description
list access-list-number

Standard access list number in the range from 1 to 199.

access-list-name

Name of a standard IP access list.

ftp

FTP protocol.

tcp

TCP protocol.

port port-number

Port other than the default port in the range from 1 to 65533.

skinny

Skinny protocol.

Defaults
Disabled

Command Modes
Global configuration

Command History
Release Modification

11.3

This command was introduced.

12.1(5)T

The skinny keyword was added.

Usage Guidelines
A host with an FTP server using a port other than the default port can have an FTP client using the default FTP control port. When a port other than the default port is configured for an FTP server, Network Address Translation (NAT) prevents FTP control sessions that are using port 21 for that particular server. If an FTP server uses the default port and a port other than the default port, both ports need to be configured using the ip nat service command.

NAT listens on the default port of the Cisco CallManager to translate the skinny messages. If the CallManager uses a port other than the default port, that port needs to be configured using the ip nat service command.

Examples
The following example configures the nonstandard port 2021:

ip nat service list 10 ftp tcp port 2021
access-list 10 permit 10.1.1.1
The following example configures the standard FTP port 21 and the nonstandard port 2021:

ip nat service list 10 ftp tcp port 21
ip nat service list 10 ftp tcp port 2021
access-list 10 permit 10.1.1.1
The following example configures the 20002 port of the CallManager:

ip nat service skinny tcp port 20002

Related Commands
Command Description

clear ip nat translation

Clears dynamic NAT translations from the translation table.

ip nat

Designates that traffic originating from or destined for the interface is subject to NAT.

ip nat inside destination

Enables NAT of the inside destination address.

ip nat inside source

Enables NAT of the inside source address.

ip nat outside source

Enables NAT of the outside source address.

show ip nat statistics

Displays NAT statistics.

show ip nat translations

Displays active NAT translations.

ip nat translation
To change the amount of time after which Network Address Translation (NAT) translations time out, use the ip nat translation global configuration command. To disable the timeout, use the no form of this command.

ip nat translation [max-entries number] {timeout | udp-timeout | dns-timeout | tcp-timeout | finrst-timeout | icmp-timeout | pptp-timeout | syn-timeout | port-timeout} seconds | never
no ip nat translation [max-entries number] {timeout | udp-timeout | dns-timeout | tcp-timeout | finrst-timeout | icmp-timeout | pptp-timeout | syn-timeout | port-timeout}

Syntax Description
max-entries number

(Optional) Specifies the maximum number (1-2147483647) of NAT entries. Default is unlimited.

timeout

Specifies that the timeout value applies to dynamic translations except for overload translations. Default is 86400 seconds (24 hours).

udp-timeout

Specifies that the timeout value applies to the User Datagram Protocol (UDP) port. Default is 300 seconds (5 minutes).

dns-timeout

Specifies that the timeout value applies to connections to the Domain Naming System (DNS). Default is 60 seconds.

tcp-timeout

Specifies that the timeout value applies to the TCP port. Default is 86400 seconds (24 hours).

finrst-timeout

Specifies that the timeout value applies to Finish and Reset TCP packets, which terminate a connection. Default is 60 seconds.

icmp-timeout

Specifies the timeout value for Internet Control Message Protocol (ICMP) flows. Default is 60 seconds.

pptp-timeout

Specifies the timeout value for NAT Point-to-Point Tunneling Protocol (PPTP) flows. Default is 86400 seconds (24 hours).

syn-timeout

Specifies the timeout value for TCP flows immediately after a synchronous transmission (SYN) message. The default is 60 seconds.

port-timeout

Specifies that the timeout value applies to the TCP/UDP port.

seconds

Number of seconds after which the specified port translation times out. The default is 0.

never

Specifies no port translation time out.

Defaults
timeout: 86400 seconds (24 hours)
udp-timeout: 300 seconds (5 minutes)
dns-timeout: 60 seconds (1 minute)
tcp-timeout: 86400 seconds (24 hours)
finrst-timeout: 60 seconds (1 minute)
icmp-timeout: 60 seconds (1 minute)
pptp-timeout: 86400 seconds (24 hours)
syn-timeout: 60 seconds (1 minute)
port-timeout: 0 (never)

Command Modes
Global configuration

Command History
Release Modification

11.2

This command was introduced.

Usage Guidelines
When port translation is configured, there is finer control over translation entry timeouts because each entry contains more context about the traffic that is using it. Non-DNS UDP translations time out after 5 minutes, while DNS translations time out in 1 minute. TCP translations time out in 24 hours, unless an RST or FIN is seen on the stream, in which case they time out in 1 minute.

Examples
The following example causes UDP port translation entries to time out after 10 minutes:

ip nat translation udp-timeout 600
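An added example (not Cisco's code) that applies the timer rules from the Usage Guidelines and Defaults above to a table of translation entries: entries are classified by protocol, port and TCP state, configured `ip nat translation` lines override the page's defaults, and a sweep reports which entries have aged out. The `Translation` record and its field names are an assumption of this model.

```python
"""Model of how ip nat translation timers apply to NAT entries.

Added example, not Cisco's code. Rules mirrored from the page: non-extended
dynamic entries use `timeout`; port (extended) entries use the per-protocol
timers; DNS is UDP port 53; a FIN or RST on a TCP stream moves the entry to
`finrst-timeout`; `never` disables expiry for that timer.
"""
from dataclasses import dataclass
from typing import Optional

NEVER = None  # models the `never` keyword


@dataclass
class NatTimeouts:
    # Page defaults, in seconds
    timeout: Optional[int] = 86400
    udp_timeout: Optional[int] = 300
    dns_timeout: Optional[int] = 60
    tcp_timeout: Optional[int] = 86400
    finrst_timeout: Optional[int] = 60
    icmp_timeout: Optional[int] = 60
    syn_timeout: Optional[int] = 60

    @classmethod
    def from_config(cls, lines):
        """Apply `ip nat translation <timer> <seconds|never>` lines over the defaults."""
        t = cls()
        for line in lines:
            parts = line.split()
            if parts[:3] != ["ip", "nat", "translation"] or len(parts) != 5:
                continue
            name, value = parts[3].replace("-", "_"), parts[4]
            if name == "max_entries":
                continue  # a table size cap, not a timer
            if not hasattr(t, name):
                raise ValueError(f"timer {parts[3]} is not modelled here")
            setattr(t, name, NEVER if value == "never" else int(value))
        return t


@dataclass
class Translation:
    proto: str                  # "tcp", "udp", "icmp", or "---" for a non-extended entry
    outside_port: int = 0
    extended: bool = False      # port translation (overload) entry
    syn_only: bool = False      # TCP handshake not yet completed
    fin_rst_seen: bool = False  # FIN or RST observed on the stream
    last_use: float = 0.0       # seconds, same clock as `now` below


def idle_limit(entry, t):
    """Idle seconds after which `entry` expires, or NEVER."""
    if not entry.extended:
        return t.timeout
    if entry.proto == "tcp":
        if entry.fin_rst_seen:
            return t.finrst_timeout
        if entry.syn_only:
            return t.syn_timeout
        return t.tcp_timeout
    if entry.proto == "udp":
        return t.dns_timeout if entry.outside_port == 53 else t.udp_timeout
    if entry.proto == "icmp":
        return t.icmp_timeout
    return t.timeout


def has_expired(entry, now, t):
    limit = idle_limit(entry, t)
    return limit is not NEVER and now - entry.last_use > limit


def sweep(table, now, t):
    """Partition a translation table into (live, expired) at time `now`."""
    live, gone = [], []
    for e in table:
        (gone if has_expired(e, now, t) else live).append(e)
    return live, gone


if __name__ == "__main__":
    cfg = NatTimeouts.from_config(["ip nat translation udp-timeout 600"])
    table = [Translation("udp", 1220, extended=True),      # constructed entries
             Translation("udp", 53, extended=True),
             Translation("tcp", 23, extended=True, fin_rst_seen=True)]
    live, gone = sweep(table, now=400.0, t=cfg)
    print(f"{len(live)} live, {len(gone)} expired after 400 s idle")
```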

Related Commands
Command Description

clear ip nat translation

Clears dynamic NAT translations from the translation table.

ip nat

Designates that traffic originating from or destined for the interface is subject to NAT.

ip nat inside destination

Enables NAT of the inside destination address.

ip nat inside source

Enables NAT of the inside source address.

ip nat outside source

Enables NAT of the outside source address.

ip nat pool

Defines a pool of IP addresses for NAT.

show ip nat statistics

Displays NAT statistics.

show ip nat translations

Displays active NAT translations.

ip nat
To designate that traffic originating from or destined for the interface is subject to Network Address Translation (NAT), use the ip nat interface configuration command. To prevent the interface from being able to translate, use the no form of this command.

ip nat {inside | outside} | log {translations syslog}
no ip nat {inside | outside} | log {translations syslog}

Syntax Description
inside

Indicates that the interface is connected to the inside network (the network subject to NAT translation).

outside

Indicates that the interface is connected to the outside network.

log

Enables NAT logging.

translations

Enables NAT logging translations.

syslog

Enables syslog for NAT logging translations.

Defaults
Traffic leaving or arriving at this interface is not subject to NAT.

Command Modes
Interface configuration

Command History
Release Modification

11.2

This command was introduced.

Usage Guidelines
Only packets moving between inside and outside interfaces can be translated. You must specify at least one inside interface and outside interface for each border router where you intend to use NAT. NAT translations logging can be enabled or disabled with the ip nat log translations syslog command.

Examples
The following example translates between inside hosts addressed from either the 192.168.1.0 or 192.168.2.0 network to the globally unique 171.69.233.208/28 network:

ip nat pool net-208 171.69.233.208 171.69.233.223 prefix-length 28
ip nat inside source list 1 pool net-208
!
interface ethernet 0
 ip address 171.69.232.182 255.255.255.240
 ip nat outside
!
interface ethernet 1
 ip address 192.168.1.94 255.255.255.0
 ip nat inside
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255

Related Commands
Command Description

clear ip nat translation

Clears dynamic NAT translations from the translation table.

ip nat inside destination

Enables NAT of the inside destination address.

ip nat inside source

Enables NAT of the inside source address.

ip nat outside source

Enables NAT of the outside source address.

ip nat pool

Defines a pool of IP addresses for NAT.

ip nat service

Enables a port other than the default port.

show ip nat statistics

Displays NAT statistics.

show ip nat translations

Displays active NAT translations.

show ip nat statistics


To display Network Address Translation (NAT) statistics, use the show ip nat statistics EXEC command. show ip nat statistics

Syntax Description
This command has no arguments or keywords.

Command Modes
EXEC

Command History
Release Modification

11.2

This command was introduced.

Examples
The following is sample output from the show ip nat statistics command:

Router# show ip nat statistics
Total translations: 2 (0 static, 2 dynamic; 0 extended)
Outside interfaces: Serial0
Inside interfaces: Ethernet1
Hits: 135  Misses: 5
Expired translations: 2
Dynamic mappings:
-- Inside Source
access-list 1 pool net-208 refcount 2
 pool net-208: netmask 255.255.255.240
        start 171.69.233.208 end 171.69.233.221
        type generic, total addresses 14, allocated 2 (14%), misses 0
Table 7 describes the significant fields shown in the display.

Table 7 show ip nat statistics Field Descriptions

Field Description

Total translations

Number of translations active in the system. This number is incremented each time a translation is created and is decremented each time a translation is cleared or times out.

Outside interfaces

List of interfaces marked as outside with the ip nat outside command.

Inside interfaces

List of interfaces marked as inside with the ip nat inside command.

Hits

Number of times the software does a translations table lookup and finds an entry.

Misses

Number of times the software does a translations table lookup, fails to find an entry, and must try to create one.

Expired translations

Cumulative count of translations that have expired since the router was booted.

Dynamic mappings

Indicates that the information that follows is about dynamic mappings.

Inside Source

The information that follows is about an inside source translation.

access-list

Access list number being used for the translation.

pool

Name of the pool (in this case, net-208).

refcount

Number of translations using this pool.

netmask

IP network mask being used in the pool.

start

Starting IP address in the pool range.

end

Ending IP address in the pool range.

type

Type of pool. Possible types are generic or rotary.

total addresses

Number of addresses in the pool available for translation.

allocated

Number of addresses being used.

misses

Number of failed allocations from the pool.

Related Commands
Command Description

clear ip nat translation

Clears dynamic NAT translations from the translation table.

ip nat

Designates that traffic originating from or destined for the interface is subject to NAT.

ip nat inside destination

Enables NAT of the inside destination address.

ip nat inside source

Enables NAT of the inside source address.

ip nat outside source

Enables NAT of the outside source address.

ip nat pool

Defines a pool of IP addresses for NAT.

ip nat translation

Changes the amount of time after which NAT translations time out.

show ip nat translations

Displays active NAT translations.

show ip nat translations


To display active Network Address Translation (NAT) translations, use the show ip nat translations EXEC command.

show ip nat translations [verbose]

Syntax Description
verbose

(Optional) Displays additional information for each translation table entry, including how long ago the entry was created and used.

Command Modes
EXEC

Command History
Release Modification

11.2

This command was introduced.

Examples
The following is sample output from the show ip nat translations command. Without overloading, two inside hosts are exchanging packets with some number of outside hosts.

Router# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 171.69.233.209     192.168.1.95       ---                ---
--- 171.69.233.210     192.168.1.89       ---                ---

With overloading, a translation for a Domain Name Server (DNS) transaction is still active, and translations for two Telnet sessions (from two different hosts) are also active. Note that two different inside hosts appear on the outside with a single IP address.

Router# show ip nat translations
Pro Inside global         Inside local        Outside local       Outside global
udp 171.69.233.209:1220   192.168.1.95:1220   171.69.2.132:53     171.69.2.132:53
tcp 171.69.233.209:11012  192.168.1.89:11012  171.69.1.220:23     171.69.1.220:23
tcp 171.69.233.209:1067   192.168.1.95:1067   171.69.1.161:23     171.69.1.161:23
The following is sample output that includes the verbose keyword:

Router# show ip nat translations verbose
Pro Inside global         Inside local        Outside local       Outside global
udp 171.69.233.209:1220   192.168.1.95:1220   171.69.2.132:53     171.69.2.132:53
    create 00:00:02, use 00:00:00, flags: extended
tcp 171.69.233.209:11012  192.168.1.89:11012  171.69.1.220:23     171.69.1.220:23
    create 00:01:13, use 00:00:50, flags: extended
tcp 171.69.233.209:1067   192.168.1.95:1067   171.69.1.161:23     171.69.1.161:23
    create 00:00:02, use 00:00:00, flags: extended
Table 8 describes the significant fields shown in the display.

Table 8 show ip nat translations Field Descriptions

Field Description

Pro

Protocol of the port identifying the address.

Inside global

The legitimate IP address that represents one or more inside local IP addresses to the outside world.

Inside local

The IP address assigned to a host on the inside network; probably not a legitimate address assigned by the NIC or service provider.

Outside local

IP address of an outside host as it appears to the inside network; probably not a legitimate address assigned by the NIC or service provider.

Outside global

The IP address assigned to a host on the outside network by its owner.

create

How long ago the entry was created (in hours:minutes:seconds).

use

How long ago the entry was last used (in hours:minutes:seconds).

flags

Indication of the type of translation. Possible flags are:

extended: Extended translation
static: Static translation
destination: Rotary translation
outside: Outside translation
timing out: Translation will no longer be used, due to a TCP finish (FIN) or reset (RST) flag.
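An added example (not Cisco's code) that parses the show ip nat translations display described in Table 8, including the verbose continuation lines, and then answers the questions an operator reviewing NAT state usually has: which inside global addresses are overloaded, which flows reach a given outside service, and which entries are timing out. The sample text is constructed from the page's display, with one entry additionally marked timing out.

```python
"""Parser for `show ip nat translations [verbose]` output.

Added example, not Cisco's code. Records are dicts keyed by the column names
of the display; verbose lines add create, use and flags.
"""
import re
from collections import defaultdict

ENDPOINT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?$")
VERBOSE = re.compile(r"^create (\S+), use (\S+), flags: (.*)$")


def parse_endpoint(tok):
    """'171.69.233.209:1220' -> ('171.69.233.209', 1220); '---' -> None."""
    if tok == "---":
        return None
    m = ENDPOINT.match(tok)
    if not m:
        raise ValueError(f"unexpected endpoint {tok!r}")
    return m.group(1), (int(m.group(2)) if m.group(2) else None)


def parse_translations(text):
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Router#") or line.startswith("Pro "):
            continue  # prompt echo and column header
        m = VERBOSE.match(line)
        if m:  # continuation line produced by the verbose keyword
            create, use, flags = m.groups()
            entries[-1].update(create=create, use=use,
                               flags=[f.strip() for f in flags.split(",")])
            continue
        proto, ig, il, ol, og = line.split()
        entries.append({
            "proto": proto,  # 'tcp', 'udp', or '---' for a non-extended entry
            "inside_global": parse_endpoint(ig),
            "inside_local": parse_endpoint(il),
            "outside_local": parse_endpoint(ol),
            "outside_global": parse_endpoint(og),
            "flags": [],
        })
    return entries


def overloaded_globals(entries):
    """Inside global addresses shared by more than one inside local host."""
    locals_by_global = defaultdict(set)
    for e in entries:
        locals_by_global[e["inside_global"][0]].add(e["inside_local"][0])
    return {g: sorted(hosts) for g, hosts in locals_by_global.items() if len(hosts) > 1}


def flows_to_service(entries, proto, port):
    """Entries whose outside global endpoint is the given protocol and port."""
    return [e for e in entries
            if e["proto"] == proto and e["outside_global"]
            and e["outside_global"][1] == port]


def timing_out(entries):
    return [e for e in entries if "timing out" in e["flags"]]


# Constructed from the page's verbose display; the second entry is marked timing out.
SAMPLE_VERBOSE = """\
Router# show ip nat translations verbose
Pro Inside global         Inside local        Outside local       Outside global
udp 171.69.233.209:1220   192.168.1.95:1220   171.69.2.132:53     171.69.2.132:53
    create 00:00:02, use 00:00:00, flags: extended
tcp 171.69.233.209:11012  192.168.1.89:11012  171.69.1.220:23     171.69.1.220:23
    create 00:01:13, use 00:00:50, flags: extended, timing out
tcp 171.69.233.209:1067   192.168.1.95:1067   171.69.1.161:23     171.69.1.161:23
    create 00:00:02, use 00:00:00, flags: extended
"""

if __name__ == "__main__":
    entries = parse_translations(SAMPLE_VERBOSE)
    print("overloaded:", overloaded_globals(entries))
    print("DNS flows:", [e["inside_local"] for e in flows_to_service(entries, "udp", 53)])
    print("timing out:", len(timing_out(entries)))
```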

Related Commands
Command Description

clear ip nat translation

Clears dynamic NAT translations from the translation table.

ip nat

Designates that traffic originating from or destined for the interface is subject to NAT.

ip nat inside destination

Enables NAT of the inside destination address.

ip nat inside source

Enables NAT of the inside source address.

ip nat outside source

Enables NAT of the outside source address.

ip nat pool

Defines a pool of IP addresses for NAT.

ip nat translation

Changes the amount of time after which NAT translations time out.

show ip nat statistics

Displays NAT statistics.

ntp access-group
To control access to the Network Time Protocol (NTP) services on the system, use the ntp access-group global configuration command. To remove access control to the NTP services, use the no form of this command.

ntp access-group {query-only | serve-only | serve | peer} access-list-number
no ntp access-group {query-only | serve-only | serve | peer}

Syntax Description
query-only

Allows only NTP control queries. See RFC 1305 (NTP version 3).

serve-only

Allows only time requests.

serve

Allows time requests and NTP control queries, but does not allow the system to synchronize to the remote system.

peer

Allows time requests and NTP control queries and allows the system to synchronize to the remote system.

access-list-number

Number (from 1 to 99) of a standard IP access list.

Defaults
No access control (full access granted to all systems)

Command Modes
Global configuration

Command History
Release Modification

10.0

This command was introduced.

Usage Guidelines
The access group options are scanned in the following order, from least restrictive to most restrictive:

1. peer
2. serve
3. serve-only
4. query-only

Access is granted for the first match that is found. If no access groups are specified, all access is granted to all sources. If any access groups are specified, only the specified access is granted. This facility provides minimal security for the time services of the system. However, it can be circumvented by a determined programmer. If tighter security is desired, use the NTP authentication facility.

Examples
The following example configures the system to allow itself to be synchronized by a peer from access list 99. However, the system restricts access to allow only time requests from access list 42.

Router(config)# ntp access-group peer 99
Router(config)# ntp access-group serve-only 42
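An added example (not Cisco's code) that evaluates the scan order and first-match rule from the Usage Guidelines against the configuration above: the two access-group lines are taken from the example, while the contents of access lists 99 and 42 are constructed, since the page does not show them. Only contiguous wildcard masks are handled.

```python
"""Evaluate which NTP access an ntp access-group configuration grants a source.

Added example, not Cisco's code. Rules from the page: groups are scanned
peer, serve, serve-only, query-only and the first access list that permits
the source decides; with no groups configured everything is allowed; with
any group configured, only the matched access is granted.
"""
from ipaddress import ip_address, ip_network

SCAN_ORDER = ["peer", "serve", "serve-only", "query-only"]
GRANTS = {
    "peer": {"time-request", "control-query", "synchronize"},
    "serve": {"time-request", "control-query"},
    "serve-only": {"time-request"},
    "query-only": {"control-query"},
}
FULL_ACCESS = GRANTS["peer"]


def wildcard_to_network(addr, wildcard="0.0.0.0"):
    """Convert a Cisco address/wildcard pair into an ip_network."""
    mask = int(ip_address(wildcard)) ^ 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported here")
    return ip_network((int(ip_address(addr)) & mask, prefix))


def parse_standard_acls(lines):
    """{number: [(action, network), ...]} from `access-list <n> permit|deny ...` lines."""
    acls = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        number, action, addr = int(parts[1]), parts[2], parts[3]
        if addr == "any":
            net = wildcard_to_network("0.0.0.0", "255.255.255.255")
        elif addr == "host":
            net = wildcard_to_network(parts[4])
        else:
            net = wildcard_to_network(addr, parts[4] if len(parts) > 4 else "0.0.0.0")
        acls.setdefault(number, []).append((action, net))
    return acls


def parse_ntp_groups(lines):
    """{type: acl-number} from `ntp access-group <type> <n>` lines (prompt optional)."""
    groups = {}
    for line in lines:
        parts = line.split("#", 1)[-1].split()
        if parts[:2] == ["ntp", "access-group"] and len(parts) == 4:
            groups[parts[2]] = int(parts[3])
    return groups


def acl_permits(acl, src):
    for action, net in acl:
        if src in net:
            return action == "permit"
    return False  # implicit deny at the end of every standard access list


def ntp_access(groups, acls, source):
    """Set of NTP operations the source may perform against this system."""
    src = ip_address(source)
    if not groups:
        return set(FULL_ACCESS)
    for kind in SCAN_ORDER:
        if kind in groups and acl_permits(acls.get(groups[kind], []), src):
            return set(GRANTS[kind])
    return set()


# Access-group lines from the page; access-list contents are constructed.
CONFIG = [
    "Router(config)# ntp access-group peer 99",
    "Router(config)# ntp access-group serve-only 42",
    "access-list 99 permit host 10.0.0.1",
    "access-list 42 permit 192.168.5.0 0.0.0.255",
]

if __name__ == "__main__":
    groups, acls = parse_ntp_groups(CONFIG), parse_standard_acls(CONFIG)
    for src in ("10.0.0.1", "192.168.5.7", "203.0.113.9"):
        print(src, sorted(ntp_access(groups, acls, src)))
```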

Related Commands
Command Description

access-list

Configures the access list mechanism for filtering frames by protocol type or vendor code.

ntp authenticate
To enable Network Time Protocol (NTP) authentication, use the ntp authenticate global configuration command. To disable the feature, use the no form of this command.

ntp authenticate
no ntp authenticate

Syntax Description
This command has no arguments or keywords.

Defaults
No authentication

Command Modes
Global configuration

Command History
Release Modification

10.0

This command was introduced.

Usage Guidelines
Use this command if you want authentication. If this command is specified, the system will not synchronize to a system unless it carries one of the authentication keys specified in the ntp trusted-key global configuration command.

Examples
The following example configures the system to synchronize only to systems that provide authentication key 42 in their NTP packets:

Router(config)# ntp authenticate
Router(config)# ntp authentication-key 42 md5 aNiceKey
Router(config)# ntp trusted-key 42

Related Commands
Command Description

ntp authentication-key

Defines an authentication key for NTP.

ntp trusted-key

Authenticates the identity of a system to which NTP will synchronize.

ntp authentication-key
To define an authentication key for Network Time Protocol (NTP), use the ntp authentication-key global configuration command. To remove the authentication key for NTP, use the no form of this command.

ntp authentication-key number md5 value
no ntp authentication-key number

Syntax Description
number

Key number (from 1 to 4294967295).

md5

Authentication key. Message authentication support is provided using the message digest algorithm 5 (MD5). The key type md5 is currently the only key type supported.

value

Key value (an arbitrary string of up to eight characters).

Defaults
No authentication key is defined for NTP.

Command Modes
Global configuration

Command History
Release Modification

10.0

This command was introduced.

Usage Guidelines
Use this command to define authentication keys for use with other NTP commands in order to provide a higher degree of security.

Note When this command is written to NVRAM, the key is encrypted so that it is not displayed when the configuration is viewed.

Examples
The following example configures the system to synchronize only to systems providing authentication key 42 in their NTP packets:

Router(config)# ntp authenticate
Router(config)# ntp authentication-key 42 md5 aNiceKey
Router(config)# ntp trusted-key 42
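An added example (not Cisco's code) of the acceptance rule that the ntp authenticate and ntp trusted-key commands above establish: a packet is taken from a source only if it carries a MAC under a key that is both defined and trusted. The MAC layout (4-byte key ID followed by MD5 over key value and packet, per RFC 1305 Appendix C) and the 48-byte header are assumptions, as the page only names MD5; key 42 and aNiceKey come from the example, key 7 is constructed.

```python
"""Verification of NTP MD5 message authentication as ntp authenticate enforces it.

Added example, not Cisco's code. Assumed layout: NTPv3 header (48 bytes),
then key ID (4 bytes, network order), then MD5(key_value || header).
"""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48            # fixed-length header, no extension fields assumed
KEY_ID_LEN, DIGEST_LEN = 4, 16


def ntp_md5_mac(key_value: bytes, packet: bytes) -> bytes:
    return hashlib.md5(key_value + packet).digest()


def sign_packet(packet: bytes, key_id: int, keyring: dict) -> bytes:
    """Append key ID and MAC, as a server holding that key would."""
    return packet + struct.pack("!I", key_id) + ntp_md5_mac(keyring[key_id], packet)


def authenticate(datagram: bytes, keyring: dict, trusted: set):
    """Return (accepted, reason) for a received datagram.

    keyring: {key_id: key_value} from ntp authentication-key lines.
    trusted: key IDs named by ntp trusted-key.
    """
    if len(datagram) == NTP_HEADER_LEN:
        return False, "unauthenticated packet"
    if len(datagram) != NTP_HEADER_LEN + KEY_ID_LEN + DIGEST_LEN:
        return False, "unexpected length"
    packet = datagram[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", datagram[NTP_HEADER_LEN:NTP_HEADER_LEN + KEY_ID_LEN])[0]
    digest = datagram[NTP_HEADER_LEN + KEY_ID_LEN:]
    if key_id not in keyring:
        return False, f"key {key_id} not defined"
    if key_id not in trusted:
        return False, f"key {key_id} not trusted"
    # Constant-time comparison so timing does not leak how much of the MAC matched.
    if not hmac.compare_digest(ntp_md5_mac(keyring[key_id], packet), digest):
        return False, "digest mismatch"
    return True, "ok"


def sample_packet() -> bytes:
    """Constructed NTPv3 server reply header: LI=0, VN=3, mode=4, stratum 2, poll 6."""
    return struct.pack("!BBbb", 0x1C, 2, 6, -20) + b"\x00" * 44


if __name__ == "__main__":
    keyring = {42: b"aNiceKey", 7: b"otherKey"}   # key 7 is constructed
    trusted = {42}                                # ntp trusted-key 42
    pkt = sample_packet()
    for label, dgram in [("trusted", sign_packet(pkt, 42, keyring)),
                         ("defined but untrusted", sign_packet(pkt, 7, keyring)),
                         ("no MAC", pkt)]:
        print(label, authenticate(dgram, keyring, trusted))
```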

Related Commands
Command Description

ntp authenticate

Enables NTP authentication.

ntp peer

Configures the software clock to synchronize a peer or to be synchronized by a peer.

ntp server

Allows the software clock to be synchronized by a time server.

ntp trusted-key

Authenticates the identity of a system to which NTP will synchronize.

ntp broadcast client


To configure the system to receive Network Time Protocol (NTP) broadcast packets on a specified interface, use the ntp broadcast client interface configuration command. To disable this capability, use the no form of this command. ntp broadcast client no ntp broadcast client

Syntax Description
This command has no arguments or keywords.

Defaults
Disabled

Command Modes
Interface configuration

Command History
Release Modification

10.0

This command was introduced.

Usage Guidelines
Use this command to allow the system to listen to broadcast packets on an interface-by-interface basis.

Examples
In the following example, the system is configured to receive (listen to) NTP broadcasts on Ethernet interface 1:

Router(config)# interface ethernet 1
Router(config-if)# ntp broadcast client

Related Commands
Command Description

ntp broadcast

Configures the specified interface to send NTP broadcast packets.

ntp broadcastdelay

Sets the estimated round-trip delay between the system and an NTP broadcast server.

ntp broadcast
To configure the system to send Network Time Protocol (NTP) broadcast packets on a specified interface, use the ntp broadcast interface configuration command. To disable this capability, use the no form of this command.

ntp broadcast [version number]
no ntp broadcast

Syntax Description
version number

(Optional) Number from 1 to 3 indicating the NTP version.

Defaults
Disabled

Command Modes
Interface configuration

Command History
Release Modification

10.0

This command was introduced.

Examples
The following example configures Ethernet interface 0 to send NTP version 2 broadcasts:

Router(config)# interface ethernet 0
Router(config-if)# ntp broadcast version 2

Related Commands
Command Description

ntp broadcast client

Allows the system to receive NTP broadcast packets on an interface.

ntp broadcastdelay

Sets the estimated round-trip delay between the Cisco IOS software and an NTP broadcast server.

ntp broadcastdelay
To set the estimated round-trip delay between the Cisco IOS software and a Network Time Protocol (NTP) broadcast server, use the ntp broadcastdelay global configuration command. To revert to the default value, use the no form of this command.

ntp broadcastdelay microseconds
no ntp broadcastdelay

Syntax Description
microseconds

Estimated round-trip time (in microseconds) for NTP broadcasts. The range is from 1 to 999999.

Defaults
3000 microseconds

Command Modes
Global configuration

Command History
Release Modification

10.0

This command was introduced.

Usage Guidelines
Use this command when the router is configured as a broadcast client and the round-trip delay on the network is other than 3000 microseconds.

Examples
The following example sets the estimated round-trip delay between a router and the broadcast client to 5000 microseconds:

Router(config)# ntp broadcastdelay 5000

Related Commands
Command Description

ntp broadcast

Configures the specified interface to send NTP broadcast packets.

ntp broadcast client

Configures the specified interface to receive NTP broadcast packets.

ntp clock-period
Caution Do not enter this command; it is documented for informational purposes only. The system automatically generates this command as Network Time Protocol (NTP) determines the clock error and compensates.

As NTP compensates for the error in the software clock, it keeps track of the correction factor for this error. The system automatically saves this value into the system configuration using the ntp clock-period global configuration command. To revert to the default, use the no form of this command.

ntp clock-period value
no ntp clock-period

Syntax Description
value

Amount to add to the software clock for each clock hardware tick (this value is multiplied by 2^-32).

Defaults
17179869 × 2^-32 seconds (4 milliseconds)

Command Modes
Global configuration

Command History
Release Modification

10.0

This command was introduced.

Usage Guidelines
Do not manually set a value for the NTP clock-period. If a copy running-config startup-config command is entered to save the configuration to NVRAM, the ntp clock-period command will automatically be added to the startup configuration. We recommend saving the running configuration to the startup configuration after NTP has been running for a week or so specifically for the purpose of capturing the current setting for the clock-period; performing this task will help NTP synchronize more quickly if the system is restarted.

Examples
The following example shows a typical difference between the values of the NTP clock-period setting in the running configuration and the startup configuration:

Router# show startup-config | include clock-period
ntp clock-period 17180239
Router# show running-config | include clock-period
ntp clock-period 17180255

ntp disable
To prevent an interface from receiving Network Time Protocol (NTP) packets, use the ntp disable interface configuration command. To enable receipt of NTP packets on an interface, use the no form of this command.

ntp disable
no ntp disable

Syntax Description
This command has no arguments or keywords.

Defaults
Enabled

Command Modes
Interface configuration

Command History
Release Modification

10.0

This command was introduced.

Usage Guidelines
This command provides a simple method of access control.

Examples
The following example prevents Ethernet interface 0 from receiving NTP packets:

Router(config)# interface ethernet 0
Router(config-if)# ntp disable

ntp master
To configure the Cisco IOS software as a Network Time Protocol (NTP) master clock to which peers synchronize themselves when an external NTP source is not available, use the ntp master global configuration command. To disable the master clock function, use the no form of this command.

ntp master [stratum]
no ntp master [stratum]

Caution Use this command with caution. It is very easy to override valid time sources using this command, especially if a low stratum number is configured. Configuring multiple machines in the same network with the ntp master command can cause instability in keeping time if the machines do not agree on the time.

Syntax Description
stratum

(Optional) Number from 1 to 15. Indicates the NTP stratum number that the system will claim.

Defaults
By default, the master clock function is disabled. When enabled, the default stratum is 8.

Command Modes
Global configuration

Command History
Release Modification

10.0

This command was introduced.

Usage Guidelines
Because the Cisco implementation of NTP does not support directly attached radio or atomic clocks, the router is normally synchronized, directly or indirectly, to an external system that has such a clock. In a network without Internet connectivity, such a time source may not be available. The ntp master command is used in such cases. If the system has ntp master configured, and it cannot reach any clock with a lower stratum number, the system will claim to be synchronized at the configured stratum number, and other systems will be willing to synchronize to it via NTP.

Note The software clock must have been set from some source, including manually, before the ntp master command will have any effect. This protects against distributing erroneous time after the system is restarted.

Examples
The following example configures a router as an NTP master clock to which peers may synchronize:

Router(config)# ntp master 10

Related Commands
Command Description

clock calendar-valid

Configures the system hardware clock as an authoritative time source for the network.

ntp max-associations
To configure the maximum number of NTP peers and clients for the routing device, use the ntp max-associations command in global configuration mode. To return the maximum associations value to the default, use the no form of this command.

ntp max-associations number
no ntp max-associations

Syntax Description
number

Specifies the number of NTP associations. The range is 0 to 4294967295.

Defaults
100 maximum associations.

Command Modes
Global configuration

Command History
Release Modification

12.0

This command was introduced.

Usage Guidelines
The router can be configured to define the maximum number of NTP peer and client associations that the router will serve. The ntp max-associations command is used to set this limit. This command is useful for ensuring that the router is not overwhelmed by huge numbers of NTP synchronization requests or, for an NTP master server, for allowing large numbers of devices to synchronize to the router.

Examples
In the following example the router is configured so that it can act as an NTP server to over 100 clients:

Router(config)# ntp max-associations 200

Related Commands
Command Description

show ntp associations

Shows all current NTP associations for the device.

ntp multicast client


To configure the system to receive Network Time Protocol (NTP) multicast packets on a specified interface, use the ntp multicast client interface configuration command. To disable this capability, use the no form of this command.

ntp multicast client [ip-address]
no ntp multicast client [ip-address]

Syntax Description
ip-address

(Optional) IP address of the multicast group. Default address is 224.0.1.1.

Defaults
Disabled

Command Modes
Interface configuration

Command History
Release Modification

12.1

This command was introduced.

Usage Guidelines
Use this command to allow the system to listen to multicast packets on an interface-by-interface basis.

Examples
In the following example, the system is configured to receive (listen to) NTP multicast packets on Ethernet interface 1:

Router(config)# interface ethernet 1
Router(config-if)# ntp multicast client

Related Commands
Command Description

ntp multicast

Configures the specified interface to send NTP multicast packets.

ntp multicast
To configure the system to send Network Time Protocol (NTP) multicast packets on a specified interface, use the ntp multicast interface configuration command. To disable this capability, use the no form of this command.

ntp multicast [ip-address] [key keyid] [ttl value] [version number]
no ntp multicast [ip-address]

Syntax Description
ip-address  (Optional) IP address of the multicast group. Default address is 224.0.1.1.
key  (Optional) Defines a multicast authentication key.
keyid  (Optional) Authentication key number in the range from 1 to 4294967295.
ttl  (Optional) Defines the time-to-live (TTL) value of a multicast NTP packet.
value  (Optional) TTL value in the range from 1 to 255. Default TTL value is 16.
version  (Optional) Defines the NTP version number.
number  (Optional) NTP version number in the range from 1 to 3. Default version number is 3.

Defaults
Disabled

Command Modes
Interface configuration

Command History
Release 12.1: This command was introduced.

Usage Guidelines
The TTL value is used to limit the scope of an audience for multicast routing.

Examples
The following example configures Ethernet interface 0 to send NTP version 2 multicast packets:

Router(config)# interface ethernet 0
Router(config-if)# ntp multicast version 2

Related Commands
ntp authentication-key: Defines an authentication key for NTP.
ntp multicast client: Allows the system to receive NTP multicast packets on an interface.

ntp peer
To configure the software clock to synchronize a peer or to be synchronized by a peer, use the ntp peer global configuration command. To disable this capability, use the no form of this command.

ntp peer ip-address [version number] [key keyid] [source interface] [prefer]
no ntp peer ip-address

Syntax Description
ip-address  IP address of the peer providing, or being provided, the clock synchronization.
version  (Optional) Defines the Network Time Protocol (NTP) version number.
number  (Optional) NTP version number (1 to 3).
key  (Optional) Defines the authentication key.
keyid  (Optional) Authentication key to use when sending packets to this peer.
source  (Optional) Names the interface.
interface  (Optional) Name of the interface from which to pick the IP source address.
prefer  (Optional) Makes this peer the preferred peer that provides synchronization.

Defaults
No peers are configured by default. If a peer is configured, the default NTP version number is 3, no authentication key is used, and the source IP address is taken from the outgoing interface.

Command Modes
Global configuration

Command History
Release 10.0: This command was introduced.

Usage Guidelines
Use this command if you want to allow this machine to synchronize with the peer, or vice versa. Using the prefer keyword reduces switching back and forth between peers.

Tip: If you are using the default version of 3 and NTP synchronization does not occur, try using NTP version 2 (NTPv2).

Examples
The following example configures a router to allow its software clock to be synchronized with the clock of the peer (or vice versa) at IP address 192.168.22.33 using NTP version 2. The source IP address is the address of Ethernet 0.

Router(config)# ntp peer 192.168.22.33 version 2 source ethernet 0

Related Commands
ntp authentication-key: Defines an authentication key for NTP.
ntp server: Allows the software clock to be synchronized by a time server.
ntp source: Uses a particular source address in NTP packets.

ntp refclock
To configure an external clock source for use with Network Time Protocol (NTP) services, use the ntp refclock command in line configuration mode. To disable support of the external time source, use the no form of this command.

ntp refclock {trimble | telecom-solutions} pps {cts | ri | none} [inverted] [pps-offset number] [stratum number] [timestamp-offset number]
no ntp refclock

Syntax Description
trimble  Enables the reference clock driver for the Trimble Palisade NTP Synchronization Kit (Cisco 7200 series routers only).
telecom-solutions  Enables the reference clock driver for a Telecom Solutions GPS device.
pps  Pulse per second (PPS) signal line. Indicates PPS pulse reference clock support. Choices are cts, ri, or none.
cts  Pulse per second on CTS.
ri  Pulse per second on RI.
none  No PPS signal available.
inverted  (Optional) PPS signal is inverted.
pps-offset number  (Optional) Offset of PPS pulse. The number is the offset (in milliseconds).
stratum number  (Optional) Number from 0 to 14. Indicates the NTP stratum number that the system will claim.
timestamp-offset number  (Optional) Offset of time stamp. The number is the offset (in milliseconds).

Defaults
This command is disabled by default.

Command Modes
Line configuration

Command History
Release 12.1: The trimble keyword was added to provide driver activation for a Trimble GPS time source on the Cisco 7200 series router.

Usage Guidelines
To configure a PPS signal as the source for NTP synchronization, use the following form of the ntp refclock command:

ntp refclock pps {cts | ri} [inverted] [pps-offset number] [stratum number] [timestamp-offset number]

To configure a Trimble Palisade NTP Synchronization Kit as the GPS clock source connected to the auxiliary port of a Cisco 7200 router, use the following form of the ntp refclock command:

ntp refclock trimble pps none [stratum number]

To configure a Telecom Solutions product as the GPS clock source, use the ntp refclock telecom-solutions form of the command:

ntp refclock telecom-solutions pps cts [stratum number]

Examples
The following example shows configuration of a Trimble Palisade GPS time source on a Cisco 7200 router:

Router(config)# ntp master
Router(config)# ntp update-calendar
Router(config)# line aux 0
Router(config-line)# ntp refclock trimble pps none
The following example shows configuration of a Telecom Solutions GPS time source on a Catalyst switch platform:

Router(config)# ntp master
Router(config)# ntp update-calendar
Router(config)# line aux 0
Router(config-line)# ntp refclock telecom-solutions pps cts stratum 1

Related Commands
show ntp associations: Displays the status of NTP associations configured for your system.

ntp server
To allow the software clock to be synchronized by a Network Time Protocol (NTP) time server, use the ntp server global configuration command. To disable this capability, use the no form of this command.

ntp server ip-address [version number] [key keyid] [source interface] [prefer]
no ntp server ip-address

Syntax Description
ip-address  IP address of the time server providing the clock synchronization.
version  (Optional) Defines the NTP version number.
number  (Optional) NTP version number (1 to 3).
key  (Optional) Defines the authentication key.
keyid  (Optional) Authentication key to use when sending packets to this server.
source  (Optional) Identifies the interface from which to pick the IP source address.
interface  (Optional) Name of the interface from which to pick the IP source address.
prefer  (Optional) Specifies that the server referenced in this command is preferred over other configured NTP servers.

Defaults
No peers are configured by default. If a peer is configured, the default NTP version number is 3, no authentication key is used, and the source IP address is taken from the outgoing interface.

Command Modes
Global configuration

Command History
Release 10.0: This command was introduced.

Usage Guidelines

Use this command if you want to allow the system to synchronize with the specified server. The server will not synchronize to this machine. Use the prefer keyword if you use this command multiple times, and you want to set a preferred server. Using the prefer keyword reduces switching back and forth between servers. If you are using the default version of 3 and NTP synchronization does not occur, try using NTP version 2. Some NTP servers on the Internet run version 2.

Examples
The following example configures a router to allow its software clock to be synchronized with the clock of the device at IP address 172.16.22.44 using NTP version 2:

Router(config)# ntp server 172.16.22.44 version 2

Related Commands
ntp authentication-key: Defines an authentication key for NTP.
ntp peer: Configures the software clock to synchronize a peer or to be synchronized by a peer.
ntp source: Uses a particular source address in NTP packets.

ntp source
To use a particular source address in Network Time Protocol (NTP) packets, use the ntp source global configuration command. To remove the specified source address, use the no form of this command.

ntp source type number
no ntp source

Syntax Description
type  Type of interface.
number  Number of the interface.

Defaults
Source address is determined by the outgoing interface.

Command Modes
Global configuration

Command History
Release 10.0: This command was introduced.

Usage Guidelines
Use this command when you want to use a particular source IP address for all NTP packets. The address is taken from the named interface. This command is useful if the address on an interface cannot be used as the destination for reply packets. If the source keyword is present on an ntp server or ntp peer global configuration command, that value overrides the global value set by this command.

Examples
The following example configures a router to use the IP address of Ethernet 0 as the source address of all outgoing NTP packets:

Router(config)# ntp source ethernet 0

Related Commands
ntp peer: Configures the software clock to synchronize a peer or to be synchronized by a peer.
ntp server: Allows the software clock to be synchronized by a time server.

ntp trusted-key
To authenticate the identity of a system to which Network Time Protocol (NTP) will synchronize, use the ntp trusted-key global configuration command. To disable authentication of the identity of the system, use the no form of this command.

ntp trusted-key key-number
no ntp trusted-key key-number

Syntax Description
key-number Key number of authentication key to be trusted.

Defaults
Disabled

Command Modes
Global configuration

Command History
Release 10.0: This command was introduced.

Usage Guidelines
If authentication is enabled, use this command to define one or more key numbers (corresponding to the keys defined with the ntp authentication-key command) that a peer NTP system must provide in its NTP packets, in order for this system to synchronize to it. This function provides protection against accidentally synchronizing the system to a system that is not trusted, because the other system must know the correct authentication key.

Examples
The following example configures the system to synchronize only to systems that provide authentication key 42 in their NTP packets:

Router(config)# ntp authenticate
Router(config)# ntp authentication-key 42 md5 aNiceKey
Router(config)# ntp trusted-key 42
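As an added illustration (not Cisco's code), the following Python models the check that ntp trusted-key adds on top of ntp authentication-key: an authenticated NTPv3 packet carries a 32-bit key id and an MD5 digest computed over the key followed by the 48-byte header, and the receiver accepts a time source only if the key id is trusted and the digest matches. The key table, the trusted set and the packet contents are constructed for the example; key 7 stands for a key that is defined but not listed with ntp trusted-key.

```python
import hashlib
import hmac
import struct

# Constructed key table mirroring "ntp authentication-key <id> md5 <key>".
AUTH_KEYS = {
    42: b"aNiceKey",   # the key from the example above
    7: b"otherKey",    # defined on the router but NOT listed with ntp trusted-key
}
# Key ids listed with "ntp trusted-key": only these may authenticate a time source.
TRUSTED_KEYS = {42}

NTP_HEADER_LEN = 48
MAC_LEN = 4 + 16  # 32-bit key id followed by a 128-bit MD5 digest


def build_ntp_header(version: int = 3, mode: int = 4, stratum: int = 3) -> bytes:
    """Build a minimal 48-byte NTP header (leap=0, poll=6, precision=-20).

    mode 4 is "server". Timestamps are left at zero because only the
    authentication mechanism is of interest here.
    """
    first_byte = (0 << 6) | (version << 3) | mode   # LI | VN | Mode
    return struct.pack("!BBbb", first_byte, stratum, 6, -20) + bytes(44)


def ntp_md5_mac(key: bytes, header: bytes) -> bytes:
    """NTP symmetric-key authenticator: MD5 over the key followed by the header."""
    return hashlib.md5(key + header).digest()


def sign_packet(header: bytes, key_id: int, key: bytes) -> bytes:
    """Append the authenticator a sender includes: key id, then the MD5 digest."""
    return header + struct.pack("!I", key_id) + ntp_md5_mac(key, header)


def verify_packet(packet: bytes, keys: dict, trusted: set) -> tuple:
    """Receiver-side check equivalent to ntp authenticate + ntp trusted-key.

    Returns (accepted, reason). A packet is accepted only when it carries an
    authenticator, its key id is trusted, and the digest verifies with the
    locally configured key for that id.
    """
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return False, "no authenticator present"
    header = packet[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])[0]
    digest = packet[NTP_HEADER_LEN + 4:]
    if key_id not in trusted:
        return False, f"key id {key_id} is not a trusted key"
    key = keys.get(key_id)
    if key is None:
        return False, f"key id {key_id} has no configured key"
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(ntp_md5_mac(key, header), digest):
        return False, "digest mismatch (wrong key or altered packet)"
    return True, "authenticated"
```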

Related Commands
ntp authenticate: Enables NTP authentication.
ntp authentication-key: Defines an authentication key for NTP.

ntp update-calendar
To periodically update the hardware clock (calendar) from a Network Time Protocol (NTP) time source, use the ntp update-calendar global configuration command. To disable the periodic updates, use the no form of this command.

ntp update-calendar
no ntp update-calendar

Syntax Description
This command has no arguments or keywords.

Defaults
The hardware clock (calendar) is not updated.

Command Modes
Global configuration

Command History
Release 10.0: This command was introduced.

Usage Guidelines
Some platforms have a battery-powered hardware clock, referred to in the command-line interface (CLI) as the "calendar," in addition to the software-based system clock. The hardware clock runs continuously, even if the router is powered off or rebooted. If the software clock is synchronized to an outside time source via NTP, it is a good practice to periodically update the hardware clock with the time learned from NTP. Otherwise, the hardware clock will tend to gradually lose or gain time (drift), and the software clock and hardware clock may become out of synchronization with each other. The ntp update-calendar command will enable the hardware clock to be periodically updated with the time specified by the NTP source. The hardware clock will be updated only if NTP has synchronized to an authoritative time server. Many lower-end routers (for example, the Cisco 2500 series or the Cisco 2600 series) do not have hardware clocks, so this command is not available on those platforms. To force a single update of the hardware clock from the software clock, use the clock update-calendar EXEC command.

Examples
The following example configures the system to periodically update the hardware clock from the NTP time source:

Router(config)# ntp update-calendar

Related Commands
clock read-calendar: Performs a one-time update of the software clock from the hardware clock (calendar).
clock update-calendar: Performs a one-time update of the hardware clock (calendar) from the software clock.

show ntp associations

To show the status of Network Time Protocol (NTP) associations, use the show ntp associations EXEC command.

show ntp associations [detail]

Syntax Description
detail (Optional) Displays detailed information about each NTP association.

Command Modes
EXEC

Command History
Release 10.0: This command was introduced.

Examples
Detailed descriptions of the information displayed by this command can be found in the NTP specification (RFC 1305). The following is sample output from the show ntp associations command:

Router> show ntp associations
     address         ref clock     st  when  poll reach  delay  offset    disp
 ~172.31.32.2      172.31.32.1      5    29  1024  377     4.2   -8.59     1.6
+~192.168.13.33    192.168.1.111    3    69   128  377     4.1    3.48     2.3
*~192.168.13.57    192.168.1.111    3    32   128  377     7.9   11.18     3.6
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
Table 51 describes the significant fields shown in the display.

Table 51 show ntp associations Field Descriptions

Field: Description
(leading characters in display lines): The first characters in a display line can be one or more of the following characters:
  * Synchronized to this peer
  # Almost synchronized to this peer
  + Peer selected for possible synchronization
  - Peer is a candidate for selection
  ~ Peer is statically configured
address: Address of peer.
ref clock: Address of reference clock of peer.
st: Stratum of peer.
when: Time since last NTP packet was received from peer.
poll: Polling interval (in seconds).
reach: Peer reachability (bit string, in octal).
delay: Round-trip delay to peer (in milliseconds).
offset: Relative time of peer clock to local clock (in milliseconds).
disp: Dispersion
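To turn the summary table into something a reviewer can act on, here is an added Python parser (not Cisco's code) for show ntp associations output. It decodes the leading status characters of Table 51 and the octal reach bit string, then flags peers that were learned dynamically rather than configured, peers that missed polls, and offsets beyond a threshold. The sample text is a copy of the output shown above; the threshold and the extra test row are constructed.

```python
import re

# Copy of the "show ntp associations" output shown above, used as sample input.
SAMPLE_OUTPUT = """\
     address         ref clock     st  when  poll reach  delay  offset    disp
 ~172.31.32.2      172.31.32.1      5    29  1024  377     4.2   -8.59     1.6
+~192.168.13.33    192.168.1.111    3    69   128  377     4.1    3.48     2.3
*~192.168.13.57    192.168.1.111    3    32   128  377     7.9   11.18     3.6
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
"""

# Meaning of the leading characters, from Table 51.
FLAG_MEANING = {
    "*": "synchronized to this peer",
    "#": "almost synchronized to this peer",
    "+": "peer selected for possible synchronization",
    "-": "peer is a candidate for selection",
    "~": "peer is statically configured",
}

# One association row: optional status characters, then the nine columns.
ROW_RE = re.compile(
    r"^(?P<flags>[*#+\-~ ]*)(?P<address>\d+\.\d+\.\d+\.\d+)\s+(?P<refclock>\S+)\s+"
    r"(?P<st>\d+)\s+(?P<when>\d+|-)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)\s+"
    r"(?P<delay>-?[\d.]+)\s+(?P<offset>-?[\d.]+)\s+(?P<disp>-?[\d.]+)\s*$"
)


def parse_associations(text: str) -> list:
    """Return one dict per association row; the header and legend lines do not match."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        flags = set(m.group("flags").replace(" ", ""))
        reach = int(m.group("reach"), 8)  # octal bit string, one bit per recent poll
        rows.append({
            "address": m.group("address"),
            "ref_clock": m.group("refclock"),
            "stratum": int(m.group("st")),
            "poll_s": int(m.group("poll")),
            "reach": reach,
            "polls_answered_of_8": bin(reach).count("1"),
            "delay_ms": float(m.group("delay")),
            "offset_ms": float(m.group("offset")),
            "disp_ms": float(m.group("disp")),
            "status": [FLAG_MEANING[f] for f in sorted(flags)],
            "configured": "~" in flags,
            "sync_source": "*" in flags,
        })
    return rows


def review_associations(rows: list, max_abs_offset_ms: float = 100.0) -> list:
    """Plain-language findings: exactly one sync source, only configured peers,
    full reachability, and offsets within the given bound (bound is constructed)."""
    findings = []
    sources = [r["address"] for r in rows if r["sync_source"]]
    if len(sources) != 1:
        findings.append(f"expected exactly one synchronized source, found {sources}")
    for r in rows:
        if not r["configured"]:
            findings.append(f"{r['address']}: not statically configured (dynamically learned peer)")
        if r["polls_answered_of_8"] < 8:
            findings.append(
                f"{r['address']}: only {r['polls_answered_of_8']} of the last 8 polls "
                f"answered (reach {r['reach']:o})"
            )
        if abs(r["offset_ms"]) > max_abs_offset_ms:
            findings.append(f"{r['address']}: offset {r['offset_ms']} ms exceeds {max_abs_offset_ms} ms")
    return findings
```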

The following is sample output of the show ntp associations detail command:

Router> show ntp associations detail
172.31.32.2 configured, insane, invalid, stratum 5
ref ID 172.31.32.1, time AFE252C1.6DBDDFF2 (00:12:01.428 PDT Mon Jul 5 1993)
our mode active, peer mode active, our poll intvl 1024, peer poll intvl 64
root delay 137.77 msec, root disp 142.75, reach 376, sync dist 215.363
delay 4.23 msec, offset -8.587 msec, dispersion 1.62
precision 2**19, version 3
org time AFE252E2.3AC0E887 (00:12:34.229 PDT Mon Jul 5 1993)
rcv time AFE252E2.3D7E464D (00:12:34.240 PDT Mon Jul 5 1993)
xmt time AFE25301.6F83E753 (00:13:05.435 PDT Mon Jul 5 1993)
filtdelay =     4.23    4.14    2.41    5.95    2.37    2.33    4.26    4.33
filtoffset =   -8.59   -8.82   -9.91   -8.42  -10.51  -10.77  -10.13  -10.11
filterror =     0.50    1.48    2.46    3.43    4.41    5.39    6.36    7.34
192.168.13.33 configured, selected, sane, valid, stratum 3
ref ID 192.168.1.111, time AFE24F0E.14283000 (23:56:14.078 PDT Sun Jul 4 1993)
our mode client, peer mode server, our poll intvl 128, peer poll intvl 128
root delay 83.72 msec, root disp 217.77, reach 377, sync dist 264.633
delay 4.07 msec, offset 3.483 msec, dispersion 2.33
precision 2**6, version 3
org time AFE252B9.713E9000 (00:11:53.442 PDT Mon Jul 5 1993)
rcv time AFE252B9.7124E14A (00:11:53.441 PDT Mon Jul 5 1993)
xmt time AFE252B9.6F625195 (00:11:53.435 PDT Mon Jul 5 1993)
filtdelay =     6.47    4.07    3.94    3.86    7.31    7.20    9.52    8.71
filtoffset =    3.63    3.48    3.06    2.82    4.51    4.57    4.28    4.59
filterror =     0.00    1.95    3.91    4.88    5.84    6.82    7.80    8.77
192.168.13.57 configured, our_master, sane, valid, stratum 3
ref ID 192.168.1.111, time AFE252DC.1F2B3000 (00:12:28.121 PDT Mon Jul 5 1993)
our mode client, peer mode server, our poll intvl 128, peer poll intvl 128
root delay 125.50 msec, root disp 115.80, reach 377, sync dist 186.157
delay 7.86 msec, offset 11.176 msec, dispersion 3.62
precision 2**6, version 2
org time AFE252DE.77C29000 (00:12:30.467 PDT Mon Jul 5 1993)
rcv time AFE252DE.7B2AE40B (00:12:30.481 PDT Mon Jul 5 1993)
xmt time AFE252DE.6E6D12E4 (00:12:30.431 PDT Mon Jul 5 1993)
filtdelay =    49.21    7.86    8.18    8.80    4.30    4.24    7.58    6.42
filtoffset =   11.30   11.18   11.13   11.28    8.91    9.09    9.27    9.57
filterror =     0.00    1.95    3.91    4.88    5.78    6.76    7.74    8.71

Table 52 describes the significant fields shown in the display.

Table 52 show ntp associations detail Field Descriptions

Field: Description
configured: Peer was statically configured.
dynamic: Peer was dynamically discovered.
our_master: Local machine is synchronized to this peer.
selected: Peer is selected for possible synchronization.
candidate: Peer is a candidate for selection.
sane: Peer passes basic sanity checks.
insane: Peer fails basic sanity checks.
valid: Peer time is believed to be valid.
invalid: Peer time is believed to be invalid.
leap_add: Peer is signalling that a leap second will be added.
leap_sub: Peer is signalling that a leap second will be subtracted.
unsynced: Peer is not synchronized to any other machine.
ref ID: Address of machine peer is synchronized to.
time: Last time stamp peer received from its master.
our mode: Our mode relative to peer (active/passive/client/server/bdcast/bdcast client).
peer mode: Peer's mode relative to us.
our poll intvl: Our poll interval to peer.
peer poll intvl: Peer's poll interval to us.
root delay: Delay along path to root (ultimate stratum 1 time source).
root disp: Dispersion of path to root.
reach: Peer reachability (bit string in octal).
sync dist: Peer synchronization distance.
delay: Round-trip delay to peer.
offset: Offset of peer clock relative to our clock.
dispersion: Dispersion of peer clock.
precision: Precision of peer clock in Hertz.
version: NTP version number that peer is using.
org time: Originate time stamp.
rcv time: Receive time stamp.
xmt time: Transmit time stamp.
filtdelay: Round-trip delay (in milliseconds) of each sample.
filtoffset: Clock offset (in milliseconds) of each sample.
filterror: Approximate error of each sample.

Related Commands
show ntp status: Displays the status of the NTP.

show ntp status

To show the status of the Network Time Protocol (NTP), use the show ntp status EXEC command.

show ntp status

Syntax Description
This command has no arguments or keywords.

Command Modes
EXEC

Command History
Release 10.0: This command was introduced.

Examples
The following is sample output from the show ntp status command:

Router> show ntp status
Clock is synchronized, stratum 4, reference is 192.168.13.57
nominal freq is 250.0000 Hz, actual freq is 249.9990 Hz, precision is 2**19
reference time is AFE2525E.70597B34 (00:10:22.438 PDT Mon Jul 5 1993)
clock offset is 7.33 msec, root delay is 133.36 msec
root dispersion is 126.28 msec, peer dispersion is 5.98 msec
Table 53 describes the significant fields shown in the display.

Table 53 show ntp status Field Descriptions

Field: Description
synchronized: System is synchronized to an NTP peer.
unsynchronized: System is not synchronized to any NTP peer.
stratum: NTP stratum of this system.
reference: Address of peer the system is synchronized to.
nominal freq: Nominal frequency of system hardware clock.
actual freq: Measured frequency of system hardware clock.
precision: Precision of the clock of this system (in Hertz).
reference time: Reference time stamp.
clock offset: Offset of the system clock to synchronized peer.
root delay: Total delay along path to root clock.
root dispersion: Dispersion of root path.
peer dispersion: Dispersion of synchronized peer.

Related Commands
show ntp associations: Displays the status of the NTP associations.

enable password
To set a local password to control access to various privilege levels, use the enable password command in global configuration mode. To remove the password requirement, use the no form of this command.

enable password [level level] {password | [encryption-type] encrypted-password}
no enable password [level level]

Syntax Description
level level  (Optional) Level for which the password applies. You can specify up to 16 privilege levels, using numbers 0 through 15. Level 1 is normal EXEC-mode user privileges. If this argument is not specified in the command or the no form of the command, the privilege level defaults to 15 (traditional enable privileges).
password  Password users type to enter enable mode.
encryption-type  (Optional) Cisco-proprietary algorithm used to encrypt the password. Currently the only encryption type available is 7. If you specify encryption-type, the next argument you supply must be an encrypted password (a password already encrypted by a Cisco router).
encrypted-password  Encrypted password you enter, copied from another router configuration.

Defaults
No password is defined. The default is level 15.

Command Modes
Global configuration

Command History
Release 10.0: This command was introduced.

Usage Guidelines
Use this command with the level option to define a password for a specific privilege level. After you specify the level and the password, give the password to the users who need to access this level. Use the privilege level configuration command to specify commands accessible at various levels. You will not ordinarily enter an encryption type. Typically you enter an encryption type only if you copy and paste into this command a password that has already been encrypted by a Cisco router.

Caution: If you specify an encryption type and then enter a clear text password, you will not be able to reenter enable mode. You cannot recover a lost password that has been encrypted by any method.

If the service password-encryption command is set, the encrypted form of the password you create with the enable password command is displayed when a more nvram:startup-config command is entered. You can enable or disable password encryption with the service password-encryption command. An enable password is defined as follows:

- Must contain from 1 to 25 uppercase and lowercase alphanumeric characters.
- Must not have a number as the first character.
- Can have leading spaces, but they are ignored. However, intermediate and trailing spaces are recognized.
- Can contain the question mark (?) character if you precede the question mark with the key combination Ctrl-v when you create the password; for example, to create the password abc?123, do the following:
  o Enter abc.
  o Type Ctrl-v.
  o Enter ?123.

When the system prompts you to enter the enable password, you need not precede the question mark with the Ctrl-v; you can simply enter abc?123 at the password prompt.

Examples
The following example enables the password "pswd2" for privilege level 2:

enable password level 2 pswd2


The following example sets the encrypted password "$1$i5Rkls3LoyxzS8t9", which has been copied from a router configuration file, for privilege level 2 using encryption type 7:

enable password level 2 7 $1$i5Rkls3LoyxzS8t9

Related Commands
disable: Exits privileged EXEC mode and returns to user EXEC mode.
enable: Enters privileged EXEC mode.
enable secret: Specifies an additional layer of security over the enable password command.
privilege: Configures a new privilege level for users and associates commands with that privilege level.
service password-encryption: Encrypts passwords.
show privilege: Displays your current level of privilege.

enable secret
To specify an additional layer of security over the enable password command, use the enable secret command in global configuration mode. To turn off the enable secret function, use the no form of this command.

enable secret [level level] {password | [encryption-type] encrypted-password}
no enable secret [level level]

Syntax Description
level level  (Optional) Level for which the password applies. You can specify up to sixteen privilege levels, using numbers 0 through 15. Level 1 is normal EXEC-mode user privileges. If this argument is not specified in the command or in the no form of the command, the privilege level defaults to 15 (traditional enable privileges).
password  Password for users to enter enable mode. This password should be different from the password created with the enable password command.
encryption-type  (Optional) Cisco-proprietary algorithm used to encrypt the password. Currently the only encryption type available for this command is 5. If you specify encryption-type, the next argument you supply must be an encrypted password (a password encrypted by a Cisco router).
encrypted-password  Encrypted password you enter, copied from another router configuration.

Defaults
No password is defined. The default level is 15.

Command Modes
Global configuration

Command History
Release 11.0: This command was introduced.

Usage Guidelines
Use this command to provide an additional layer of security over the enable password. The enable secret command provides better security by storing the enable secret password using a non-reversible cryptographic function. The added layer of security encryption provides is useful in environments where the password crosses the network or is stored on a TFTP server. You will not ordinarily enter an encryption type. Typically you enter an encryption type only if you paste into this command an encrypted password that you copied from a router configuration file.

Caution: If you specify an encryption type and then enter a clear text password, you will not be able to reenter enable mode. You cannot recover a lost password that has been encrypted by any method. If you use the same password for the enable password and enable secret commands, you receive an error message warning that this practice is not recommended, but the password will be accepted. By using the same password, however, you undermine the additional security the enable secret command provides.

Note: After you set a password using the enable secret command, a password set using the enable password command works only if the enable secret is disabled or an older version of Cisco IOS software is being used, such as when running an older rxboot image. Additionally, you cannot recover a lost password that has been encrypted by any method.

If service password-encryption is set, the encrypted form of the password you create here is displayed when a more nvram:startup-config command is entered. You can enable or disable password encryption with the service password-encryption command. An enable password is defined as follows:

- Must contain from 1 to 25 uppercase and lowercase alphanumeric characters.
- Must not have a number as the first character.
- Can have leading spaces, but they are ignored. However, intermediate and trailing spaces are recognized.
- Can contain the question mark (?) character if you precede the question mark with the key combination Ctrl-v when you create the password; for example, to create the password abc?123, do the following:
  o Enter abc.
  o Type Ctrl-v.
  o Enter ?123.

When the system prompts you to enter the enable password, you need not precede the question mark with the Ctrl-v; you can simply enter abc?123 at the password prompt.

Examples
The following example specifies the enable secret password of "greentree":

enable secret greentree


After specifying an enable secret password, users must enter this password to gain access. Any passwords set through enable password will no longer work.

Password: greentree
The following example sets the enable secret to the encrypted password "$1$FaD0$Xyti5Rkls3LoyxzS8", which has been copied from a router configuration file, for privilege level 2 using encryption type 5:

enable secret level 2 5 $1$FaD0$Xyti5Rkls3LoyxzS8

Related Commands
enable: Enters privileged EXEC mode.
enable password: Sets a local password to control access to various privilege levels.

privilege level
To set the default privilege level for a line, use the privilege level command in line configuration mode. To restore the default user privilege level to the line, use the no form of this command.
privilege level level
no privilege level

Syntax Description
level Privilege level associated with the specified line.

Defaults
Level 15 is the level of access permitted by the enable password. Level 1 is normal EXEC-mode user privileges.

Command Modes
Line configuration

Usage Guidelines
Users can override the privilege level you set using this command by logging in to the line and enabling a different privilege level. They can lower the privilege level by using the disable command. If users know the password to a higher privilege level, they can use that password to enable the higher privilege level. You can use level 0 to specify a subset of commands for specific users or lines. For example, you can allow user "guest" to use only the show users and exit commands. You might specify a high level of privilege for your console line to restrict line usage.

Examples
The following example configures the auxiliary line for privilege level 5. Anyone using the auxiliary line has privilege level 5 by default:
line aux 0
privilege level 5

The following example sets all show ip commands, which includes all show commands, to privilege level 7:
privilege exec level 7 show ip route

This is equivalent to the following command:


privilege exec level 7 show

The following example sets the show ip route command to level 7 and the show and show ip commands to level 1:
privilege exec level 7 show ip route
privilege exec level 1 show ip
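The two examples above rest on one rule: assigning a level to a multi-word command also places every prefix of it (show, show ip) at that level, and a later statement on a prefix moves the prefixes again without touching the longer command. The following Python model of that rule is an added illustration, not IOS code; the set of commands treated as privileged EXEC by default is a constructed sample, and reset is modelled as removing only the exact entry.

```python
# Commands that are privileged EXEC (level 15) by default. Constructed sample,
# not a complete list of IOS privileged commands.
PRIVILEGED_EXEC_DEFAULT = {"configure", "reload", "debug", "write", "erase"}


class PrivilegeTable:
    """Model of how 'privilege <mode> level <n> <command-string>' lines resolve."""

    def __init__(self) -> None:
        # (mode, word1, word2, ...) -> level
        self.levels = {}

    def apply(self, line: str) -> None:
        """Apply one privilege statement from the configuration."""
        parts = line.split()
        if len(parts) < 4 or parts[0] != "privilege":
            raise ValueError(f"not a privilege statement: {line!r}")
        mode = parts[1]
        if parts[2] == "reset":
            # reset drops the explicit entry for exactly this command string.
            self.levels.pop((mode, *parts[3:]), None)
            return
        if parts[2] != "level" or len(parts) < 5:
            raise ValueError(f"malformed privilege statement: {line!r}")
        level = int(parts[3])
        if not 0 <= level <= 15:
            raise ValueError("level must be a number from 0 to 15")
        words = parts[4:]
        # The command and every prefix of it receive the level. This is why
        # 'privilege exec level 7 show ip route' also places 'show' and 'show ip'
        # at 7, and so every show command then needs level 7.
        for n in range(1, len(words) + 1):
            self.levels[(mode, *words[:n])] = level

    def default_level(self, mode: str, words: list) -> int:
        """Defaults from the page: user EXEC is 1; privileged EXEC and config modes are 15."""
        if mode == "exec":
            return 15 if words and words[0] in PRIVILEGED_EXEC_DEFAULT else 1
        return 15

    def level_of(self, mode: str, command: str) -> int:
        """Level needed to run 'command' in 'mode': the longest configured prefix wins."""
        words = command.split()
        for n in range(len(words), 0, -1):
            key = (mode, *words[:n])
            if key in self.levels:
                return self.levels[key]
        return self.default_level(mode, words)
```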

Related Commands
enable password: Sets a local password to control access to various privilege levels.

privilege
To configure a new privilege level for users and associate commands with that privilege level, use the privilege command in global configuration mode. Use the no form of this command to revert to default privileges for the specified command.
privilege mode {level level | reset} command-string
no privilege mode {level level | reset} command-string

Syntax Description
mode Configuration mode for the specified command. See Table 29 in the "Usage Guidelines" section for a list of options for this argument.

level level  Specifies the privilege level you are configuring for the specified command or commands. The level argument must be a number from 0 to 15.
reset  Resets the privilege level of the specified command or commands to the default and removes the privilege level configuration from the running-config file. Note: If you use the no form of this command to reset the privilege level to the default, the default form of this command will still appear in the configuration file. To completely remove a privilege configuration, use the reset keyword.
command-string  Command associated with the specified privilege level.

Defaults
User EXEC mode commands are privilege level 1. Privileged EXEC mode and configuration mode commands are privilege level 15.

Command Modes
Global configuration

Examples
The following example shows how to set the configure command to privilege level 14 and establish SecretPswd14 as the password users must enter to use level 14 commands:
privilege exec level 14 configure
enable secret level 14 SecretPswd14

The following example resets the configure command privilege level:


privilege exec reset configure

Related Commands
enable password: Sets a local password to control access to various privilege levels.
enable secret: Specifies an additional layer of security over the enable password command.
privilege level: Sets the default privilege level for a line.

service password-encryption
To encrypt passwords, use the service password-encryption command in global configuration mode. To restore the default, use the no form of this command.
service password-encryption no service password-encryption

Syntax Description
This command has no arguments or keywords.

Defaults
No encryption

Command Modes
Global configuration

Command History
Release Modification

10.0

This command was introduced.

Usage Guidelines
The actual encryption process occurs when the current configuration is written or when a password is configured. Password encryption is applied to all passwords, including username passwords, authentication key passwords, the privileged command password, console and virtual terminal line access passwords, and Border Gateway Protocol neighbor passwords. This command is primarily useful for keeping unauthorized individuals from viewing your password in your configuration file. When password encryption is enabled, the encrypted form of the passwords is displayed when a more system:running-config command is entered.
Caution This command does not provide a high level of network security. If you use this command, you should also take additional network security measures.

Note You cannot recover a lost encrypted password. You must clear NVRAM and set a new password.

Examples
The following example causes password encryption to take place:
service password-encryption

Related Commands
Command Description

enable password

Sets a local password to control access to various privilege levels.

key-string (authentication)

Specifies the authentication string for a key.

neighbor password

Enables MD5 authentication on a TCP connection between two BGP peers.

show privilege
To display your current level of privilege, use the show privilege command in EXEC mode.
show privilege

Syntax Description
This command has no arguments or keywords.

Command Modes
EXEC

Usage Guidelines
Use this command to display your current level of privilege.

Examples
The following example shows sample output from the show privilege command. The current privilege level is 15.
Router# show privilege
Current privilege level is 15

Related Commands
Command Description

enable password

Sets a local password to control access to various privilege levels.

enable secret

Specifies an additional layer of security over the enable password command.

username
To establish a username-based authentication system, use the username command in global configuration mode.
username name {nopassword | password password | password encryption-type encrypted-password}
username name password secret
username name [access-class number]
username name [autocommand command]
username name [callback-dialstring telephone-number]
username name [callback-rotary rotary-group-number]
username name [callback-line [tty] line-number [ending-line-number]]
username name dnis
username name [nocallback-verify]
username name [noescape] [nohangup]
username name [privilege level]
username name user-maxlinks number

Syntax Description
name Host name, server name, user ID, or command name. The name argument can be only one word. Blank spaces and quotation marks are not allowed.

nopassword

No password is required for this user to log in. This is usually most useful in combination with the autocommand keyword.

password

Specifies a possibly encrypted password for this username.

password

Password a user enters.

encryption-type

Single-digit number that defines whether the text immediately following is encrypted, and, if so, what type of encryption is used. Currently defined encryption types are 0, which means that the text immediately following is not encrypted, and 7, which means that the text is encrypted using a Cisco-defined encryption algorithm.

encrypted-password

Encrypted password a user enters.

password

Password to access the name argument. A password must be from 1 to 25 characters, can contain embedded spaces, and must be the last option specified in the username command.

secret

For CHAP authentication: specifies the secret for the local router or the remote device. The secret is encrypted when it is stored on the local router. The secret can consist of any string of up to 11 ASCII characters. There is no limit to the number of username and password combinations that can be specified, allowing any number of remote devices to be authenticated.

access-class

(Optional) Specifies an outgoing access list that overrides the access list specified in the access-class line configuration command. It is used for the duration of the user's session.

number

(Optional) Access list number.

autocommand

(Optional) Causes the specified command to be issued automatically after the user logs in. When the command is complete, the session is terminated. Because the command can be any length and contain embedded spaces, commands using the autocommand keyword must be the last option on the line.

command

(Optional) The command string. Because the command can be any length and contain embedded spaces, commands using the autocommand keyword must be the last option on the line.

callback-dialstring

(Optional) For asynchronous callback only: permits you to specify a telephone number to pass to the DCE device.

telephone-number

(Optional) For asynchronous callback only: telephone number to pass to the DCE device.

callback-rotary

(Optional) For asynchronous callback only: permits you to specify a rotary group number. The next available line in the rotary group is selected.

rotary-group-number

(Optional) For asynchronous callback only: integer between 1 and 100 that identifies the group of lines on which you want to enable a specific username for callback.

callback-line

(Optional) For asynchronous callback only: specific line on which you enable a specific username for callback.

tty

(Optional) For asynchronous callback only: standard asynchronous line.

line-number

(Optional) For asynchronous callback only: relative number of the terminal line (or the first line in a contiguous group) on which you want to enable a specific username for callback. Numbering begins with zero.

ending-line-number

(Optional) Relative number of the last line in a contiguous group on which you want to enable a specific username for callback. If you omit the keyword (such as tty), then line-number and ending-line-number are absolute rather than relative line numbers.

dnis

Do not require password when obtained via DNIS.

nocallback-verify

(Optional) Authentication not required for EXEC callback on the specified line.

noescape

(Optional) Prevents a user from using an escape character on the host to which that user is connected.

nohangup

(Optional) Prevents Cisco IOS software from disconnecting the user after an automatic command (set up with the autocommand keyword) has completed. Instead, the user gets another EXEC prompt.

privilege

(Optional) Sets the privilege level for the user.

level

(Optional) Number between 0 and 15 that specifies the privilege level for the user.

user-maxlinks

Limit the user's number of inbound links.

number

User-maxlinks limit for inbound links.

Defaults
No username-based authentication system is established.

Command Modes
Global configuration

Usage Guidelines
The username command provides username and/or password authentication for login purposes only. Multiple username commands can be used to specify options for a single user. Add a username entry for each remote system that the local router communicates with and requires authentication from. The remote device must have a username entry for the local router. This entry must have the same password as the local router's entry for that remote device. This command can be useful for defining usernames that get special treatment. For example, you can use this command to define an "info" username that does not require a password, but connects the user to a general purpose information service.

The username command is required as part of the configuration for the Challenge Handshake Authentication Protocol (CHAP). Add a username entry for each remote system from which the local router requires authentication.
Note To enable the local router to respond to remote CHAP challenges, one username name entry must be the same as the hostname entry that has already been assigned to the other router.

If there is no secret specified and the debug serial-interface command is enabled, an error is displayed when a link is established and the CHAP challenge is not implemented. CHAP debugging information is available using the debug ppp negotiation, debug serial-interface, and debug serial-packet commands. For more information about debug commands, refer to the Cisco IOS Debug Command Reference.

Examples
The following example implements a service similar to the UNIX who command, which can be entered at the login prompt and lists the current users of the router:
username who nopassword nohangup autocommand show users

The following example implements an information service that does not require a password to be used. The command takes the following form:
username info nopassword noescape autocommand telnet nic.ddn.mil

The following example implements an ID that works even if the TACACS+ servers all break. The command takes the following form:
username superuser password superpassword

The following example enables CHAP on interface serial 0 of "server_l." It also defines a password for a remote server named "server_r."
hostname server_l
username server_r password theirsystem
interface serial 0
encapsulation ppp
ppp authentication chap

When you look at your configuration file, the passwords will be encrypted, and the display will look similar to the following:
hostname server_l
username server_r password 7 121F0A18
interface serial 0
encapsulation ppp
ppp authentication chap
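As an added example (not part of this command reference), the caution under service password-encryption and the username encryption-type semantics turned into a small config audit: it scans a constructed running-config excerpt and flags clear-text (type 0) passwords, type 7 strings (which are encoded reversibly, so they only hide a password from a casual look), and accounts configured with nopassword. The sample config, the Finding class and the function names are all constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample running-config excerpt; not captured from a real device.
# Type 7 strings below are placeholder hex, not encodings of any real password.
SAMPLE_CONFIG = """\
hostname server_l
enable password 7 0822455D0A16
username server_r password 7 121F0A18
username superuser password superpassword
username who nopassword nohangup autocommand show users
enable secret CONSTRUCTED-SECRET
router bgp 65001
 neighbor 192.0.2.1 password 7 104D000A0618
line vty 0 4
 password 7 05080F1C2243
"""


@dataclass(frozen=True)
class Finding:
    line_no: int    # 1-based config line, 0 for a config-wide finding
    text: str
    severity: str   # "high" or "medium"
    reason: str


# "password [type] value": a missing type digit or 0 means clear text; 7 is the
# Cisco-defined encoding that service password-encryption applies.
PASSWORD_RE = re.compile(r"\bpassword\s+(?:([0-9])\s+)?(\S+)")


def classify_password_line(line):
    """Return (encryption_type, value) for a line with a password keyword, else None."""
    m = PASSWORD_RE.search(line)
    if not m:
        return None
    ptype = m.group(1)
    return ("0" if ptype is None else ptype, m.group(2))


def audit_config(config_text):
    """Scan a running-config and return the credential-handling findings."""
    findings = []
    lines = [l.rstrip() for l in config_text.splitlines()]
    if "service password-encryption" not in {l.strip() for l in lines}:
        findings.append(Finding(0, "", "medium",
            "service password-encryption is not enabled; new passwords are "
            "stored and displayed in clear text"))
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if line.startswith("username ") and re.search(r"\bnopassword\b", line):
            findings.append(Finding(n, line, "high",
                "account logs in without a password"))
            continue
        if line.startswith("enable password"):
            # Regardless of type, enable password is recoverable from the
            # config; enable secret is the stronger form.
            findings.append(Finding(n, line, "high",
                "enable password is recoverable from the config; use enable secret"))
            continue
        classified = classify_password_line(line)
        if classified is None:
            continue   # secret lines and lines carrying no credential
        ptype, _value = classified
        if ptype == "0":
            findings.append(Finding(n, line, "high",
                "password stored in clear text (type 0)"))
        elif ptype == "7":
            findings.append(Finding(n, line, "medium",
                "type 7 encoding is reversible; it hides, but does not protect, the password"))
    return findings


def summarize(findings):
    """Count findings per severity."""
    counts = {"high": 0, "medium": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f.line_no:>2} [{f.severity}] {f.reason}: {f.text}")
```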

Related Commands
Command Description

arap callback

Enables an ARA client to request a callback from an ARA client.

callback forcedwait

Forces the Cisco IOS software to wait before initiating a callback to a requesting client.

ppp callback

Enables a dialer interface that is not a DTR interface to function either as a callback client that requests callback or as a callback server that accepts callback requests.

ppp callback (PPP client)

Enables a PPP client to dial into an asynchronous interface and request a callback.

Command Name: Mode: Syntax:

ip port-map router(config)#

ip port-map appl_name port port_num [list acl_num] no ip port-map appl_name port port_num [list acl_num] Syntax Description:
appl_name Specifies the name of the application with which to apply the port mapping.

port

Indicates that a port number maps to the application.

port_num

Identifies a port number in the range 1 to 65535.

list

(Optional) Indicates that the port mapping information applies to a specific host or subnet.

acl_num

(Optional) Identifies the standard access control list (ACL) number used with PAM.

Command Description: To establish Port to Application Mapping (PAM), use the ip port-map global configuration command. To delete user-defined PAM entries, use the no form of this command. The ip port-map command associates TCP or User Datagram Protocol port numbers with applications or services, establishing a table of default port mapping information at the firewall. This information is used to support network environments that run services using ports that are different from the registered or well-known ports associated with a service or application. The port mapping information in the PAM table is of one of three types:

System-defined
User-defined
Host-specific

System-Defined Port Mapping

Initially, PAM creates a set of system-defined entries in the mapping table using well-known or registered port mapping information set up during the system start-up. The Cisco IOS Firewall Context-based Access Control feature requires the system-defined mapping information to function properly. System-defined mapping information cannot be deleted or changed; that is, you cannot map HTTP services to port 21 (FTP) or FTP services to port 80 (HTTP). Listed below are the default system-defined services and applications in the PAM table.
Application Name   Well-Known or Registered Port Number   Protocol Description
cuseeme            7648                                   CU-SeeMe Protocol
exec               512                                    Remote Process Execution
ftp                21                                     File Transfer Protocol (control port)
http               80                                     Hypertext Transfer Protocol
h323               1720                                   H.323 Protocol (for example, MS NetMeeting, Intel Video Phone)
login              513                                    Remote login
msrpc              135                                    Microsoft Remote Procedure Call
netshow            1755                                   Microsoft NetShow
real-audio-video   7070                                   RealAudio and RealVideo
smtp               25                                     Simple Mail Transfer Protocol
sql-net            1521                                   SQL-NET
streamworks        1558                                   StreamWorks Protocol
sunrpc             111                                    SUN Remote Procedure Call
tftp               69                                     Trivial File Transfer Protocol
vdolive            7000                                   VDOLive Protocol

User-Defined Port Mapping

Network applications that use non-standard ports require user-defined entries in the mapping table. Use the ip port-map command to create default user-defined entries in the PAM table. To map a range of port numbers with a service or application, you must create a separate entry for each port number.
Note If you try to map an application to a system-defined port, a message appears warning you of a mapping conflict.

Use the no form of the ip port-map command to delete user-defined entries from the PAM table. To overwrite an existing user-defined port mapping, use the ip port-map command to associate another service or application with the specific port.

Host-Specific Port Mapping

User-defined entries in the mapping table can include host-specific mapping information, which establishes port mapping information for specific hosts or subnets. In some environments, it might be necessary to override the default port mapping information for a specific host or subnet, including system-defined default port mapping information. Use the list option of the ip port-map command to specify an ACL for a host or subnet that uses PAM.
Note If the host-specific port mapping information is the same as existing system-defined or user-defined default entries, host-specific port changes have no effect.

Example: The following example provides examples for adding and removing user-defined PAM configuration entries at the firewall.

In the following example, non-standard port 8000 is established as the user-defined default port for HTTP services:
router(config)#ip port-map http port 8000

The following example shows PAM entries that establish a range of non-standard ports for HTTP services:
router(config)#ip port-map http 8001
router(config)#ip port-map http 8002
router(config)#ip port-map http 8003
router(config)#ip port-map http 8004

In the following example the command fails because it tries to map port 21, which is the system-defined default port for FTP, with HTTP:
router(config)#ip port-map http port 21

In the following example, a specific host uses port 8000 for FTP services. ACL 10 identifies the server address (192.168.32.43), while port 8000 is mapped with FTP services:
router(config)#access-list 10 permit 192.168.32.43
router(config)#ip port-map ftp port 8000 list 10

In the following example, port 21, which is normally reserved for FTP services, is mapped to the RealAudio application for the hosts in list 10. In this configuration, hosts in list 10 do not recognize FTP activity on port 21.
router(config)#ip port-map realaudio port 21 list 10

In the following example, the ip port-map command fails and generates an error message:
router(config)#ip port-map netshow port 21
Command fail: the port 21 has already been defined for ftp by the system. No change can be made to the system defined port mappings.

The no form of this command deletes user-defined entries from the PAM table. It has no effect on the system-defined port mappings. This command deletes the host-specific port mapping of FTP.
router(config)#no ip port-map ftp port 1022 list 10

In the following example, the command fails because it tries to delete the system-defined default port for HTTP:
router(config)#no ip port-map http port 80

In the following example, a specific host uses port 8000 for FTP services. ACL 10 identifies the server address (192.168.32.43), while port 8000 is mapped with FTP services.
router(config)#access-list 10 permit 192.168.32.43
router(config)#ip port-map ftp port 8000 list 10

In the following example, a specific subnet runs HTTP services on port 8080. ACL 50 identifies the subnet, while the PAM entry maps port 8080 with HTTP services.
router(config)#access-list 50 permit 192.168.92.0
router(config)#ip port-map http 8080 list 50

In the following example, a specific host runs HTTP services on port 25, which is the system-defined port number for SMTP services. This requires a host-specific PAM entry that overrides the system-defined default port mapping for HTTP, which is port 80. ACL 15 identifies the host address (192.168.33.43), while port 25 is mapped with HTTP services.
router(config)#access-list 15 permit 192.168.33.43
router(config)#ip port-map http port 25 list 15

In the following example, the same port number is required by different services running on different hosts. Port 8000 is required for HTTP services by host 192.168.3.4, while port 8000 is required for Telnet services by host 192.168.5.6. ACL 10 and ACL 20 identify the specific hosts, while PAM maps the ports with the services for each ACL.
router(config)#access-list 10 permit 192.168.3.4
router(config)#access-list 20 permit 192.168.5.6
router(config)#ip port-map http port 8000 list 10
router(config)#ip port-map ftp 8000 list 20

Misconceptions: none
Related commands: show ip port-map
Sample Configurations:
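The PAM rules described above (system-defined entries that cannot be overwritten or deleted, user-defined defaults that a later entry overwrites, host-specific overrides selected by ACL, and no-effect entries that duplicate a default) modelled in Python as an added example; this is not Cisco's code. PamTable, PamError and the CIDR representation of a standard ACL are assumptions of the example; the system-defined table and the "Command fail" message come from this page.

```python
import ipaddress

# System-defined PAM entries as listed on this page (application -> port).
SYSTEM_DEFINED = {
    "cuseeme": 7648, "exec": 512, "ftp": 21, "http": 80, "h323": 1720,
    "login": 513, "msrpc": 135, "netshow": 1755, "real-audio-video": 7070,
    "smtp": 25, "sql-net": 1521, "streamworks": 1558, "sunrpc": 111,
    "tftp": 69, "vdolive": 7000,
}


class PamError(Exception):
    """Raised where the router would reject the command ("Command fail: ...")."""


class PamTable:
    """Hypothetical model of the PAM table, not Cisco's implementation."""

    def __init__(self):
        # Default mappings: port -> (application, "system" | "user")
        self.defaults = {port: (app, "system") for app, port in SYSTEM_DEFINED.items()}
        # Host-specific mappings: (port, acl_num) -> application
        self.host_specific = {}
        # Standard ACLs, modelled as acl_num -> permitted networks in CIDR form
        # (a real access-list uses wildcard masks; this is a simplification).
        self.acls = {}

    def access_list(self, acl_num, network):
        """access-list ACL permit NETWORK; a bare address permits that one host."""
        self.acls.setdefault(acl_num, []).append(
            ipaddress.ip_network(network, strict=False))

    def port_map(self, app, port, acl_num=None):
        """ip port-map APP port PORT [list ACL]; returns a short status string."""
        owner, kind = self.defaults.get(port, (None, None))
        if acl_num is None:
            if kind == "system":
                # Message wording as printed on this page for the netshow example.
                raise PamError(f"Command fail: the port {port} has already been "
                               f"defined for {owner} by the system.")
            # A second user-defined entry for the same port overwrites the first.
            self.defaults[port] = (app, "user")
            return "user-defined default added"
        # A host-specific entry identical to the existing default has no effect.
        if owner == app:
            return "no effect: same as default mapping"
        self.host_specific[(port, acl_num)] = app
        return "host-specific mapping added"

    def no_port_map(self, app, port, acl_num=None):
        """no ip port-map ...; system-defined defaults can never be removed."""
        if acl_num is not None:
            if self.host_specific.get((port, acl_num)) != app:
                raise PamError(f"no host-specific mapping of {app} on port {port} "
                               f"in list {acl_num}")
            del self.host_specific[(port, acl_num)]
            return "host-specific mapping deleted"
        owner, kind = self.defaults.get(port, (None, None))
        if kind == "system":
            # Wording constructed for this example; the page shows only that it fails.
            raise PamError(f"Command fail: port {port} is system defined for {owner}.")
        if owner != app:
            raise PamError(f"no user-defined mapping of {app} on port {port}")
        del self.defaults[port]
        return "user-defined default deleted"

    def lookup(self, port, host):
        """Application the firewall associates with PORT for traffic involving HOST.

        A host-specific entry whose ACL permits HOST wins over the default entry.
        Returns (application, origin) or None when PORT is unmapped.
        """
        addr = ipaddress.ip_address(host)
        for (p, acl_num), app in self.host_specific.items():
            if p == port and any(addr in net for net in self.acls.get(acl_num, [])):
                return (app, "host-specific")
        return self.defaults.get(port)


if __name__ == "__main__":
    # Replays the page's "ftp on port 8000 for one host" and "realaudio on 21" cases.
    table = PamTable()
    table.port_map("http", 8000)
    table.access_list(10, "192.168.32.43")
    table.port_map("ftp", 8000, 10)
    table.port_map("realaudio", 21, 10)
    for host in ("192.168.32.43", "192.0.2.9"):
        print(host, table.lookup(8000, host), table.lookup(21, host))
```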

Command Name: Mode: Syntax:

show ip port-map router#

show ip port-map [appl_name | port port_num] Syntax Description:


appl_name (Optional) Specifies the name of the application to which to apply the port mapping.

port port_num

(Optional) Specifies the alternative port number that maps to the application.

Command Description: To display the Port to Application Mapping (PAM) information, use the show ip port-map privileged EXEC command.
Usage Guidelines: Use this command to display the port mapping information at the firewall, including the system-defined and user-defined information. Include the application name to display the list of entries by application. Include the port number to display the entries by port.
Example: router#show ip port-map
Misconceptions: none
Related commands: ip port-map
Sample Configurations: The following is sample output for the show ip port-map command, including system-defined mapping information:
router#show ip port-map

Default mapping:  vdolive            port 7000               system defined
Default mapping:  sunrpc             port 111                system defined
Default mapping:  netshow            port 1755               system defined
Default mapping:  cuseeme            port 7648               system defined
Default mapping:  tftp               port 69                 system defined
Default mapping:  real-audio-video   port 7070               system defined
Default mapping:  streamworks        port 1558               system defined
Default mapping:  ftp                port 21                 system defined
Default mapping:  h323               port 1720               system defined
Default mapping:  smtp               port 25                 system defined
Default mapping:  http               port 80                 system defined
Default mapping:  msrpc              port 135                system defined
Default mapping:  exec               port 512                system defined
Default mapping:  login              port 513                system defined
Default mapping:  sql-net            port 1521               system defined
Default mapping:  tftp               port 70                 user defined
Host specific:    ftp                port 1000 in list 10    user defined
Host specific:    netshow            port 70 in list 10      user defined
Host specific:    smtp               port 70 in list 50      user defined


ip authentication key-chain eigrp


To enable authentication of Enhanced IGRP (EIGRP) packets, use the ip authentication key-chain eigrp command in interface configuration mode. To disable such authentication, use the no form of this command.
ip authentication key-chain eigrp as-number key-chain no ip authentication key-chain eigrp as-number key-chain

Syntax Description
as-number Autonomous system number to which the authentication applies.

key-chain

Name of the authentication key chain.

Defaults
No authentication is provided for EIGRP packets.

Command Modes
Interface configuration

Examples
The following example applies authentication to autonomous system 2 and identifies a key chain named SPORTS:
ip authentication key-chain eigrp 2 SPORTS

Related Commands
Command Description

accept-lifetime

Sets the time period during which the authentication key on a key chain is received as valid.

ip authentication mode eigrp

Specifies the type of authentication used in EIGRP packets.

key

Identifies an authentication key on a key chain.

key chain

Enables authentication of routing protocols.

key-string (authentication)

Specifies the authentication string for a key.

send-lifetime

Sets the time period during which an authentication key on a key chain is valid to be sent.

ip authentication mode eigrp


To specify the type of authentication used in Enhanced IGRP (EIGRP) packets, use the ip authentication mode eigrp command in interface configuration mode. To disable that type of authentication, use the no form of this command.
ip authentication mode eigrp as-number md5 no ip authentication mode eigrp as-number md5

Syntax Description
as-number Autonomous system number.

md5

Keyed Message Digest 5 (MD5) authentication.

Defaults
No authentication is provided for EIGRP packets.

Command Modes
Interface configuration

Usage Guidelines
Configure authentication to prevent unapproved sources from introducing unauthorized or false routing messages. When authentication is configured, an MD5 keyed digest is added to each EIGRP packet in the specified autonomous system.

Examples
The following example configures the interface to use MD5 authentication in EIGRP packets in autonomous system 10:
ip authentication mode eigrp 10 md5

Related Commands
Command Description

accept-lifetime

Sets the time period during which the authentication key on a key chain is received as valid.

ip authentication key-chain eigrp

Enables authentication of EIGRP packets.

key

Identifies an authentication key on a key chain.

key chain

Enables authentication of routing protocols.

key-string (authentication)

Specifies the authentication string for a key.

send-lifetime

Sets the time period during which an authentication key on a key chain is valid to be sent.

area authentication
To enable authentication for an OSPF area, use the area authentication command in router configuration mode. To remove an authentication specification of an area or a specified area from the configuration, use the no form of this command.
area area-id authentication [message-digest] no area area-id authentication [message-digest]

Syntax Description
area-id Identifier of the area for which authentication is to be enabled. The identifier can be specified as either a decimal value or an IP address.

message-digest

(Optional) Enables Message Digest 5 (MD5) authentication on the area specified by the area-id argument.

Defaults
Type 0 authentication (no authentication)

Command Modes
Router configuration

Usage Guidelines
Specifying authentication for an area sets the authentication to Type 1 (simple password) as specified in RFC 1247. If this command is not included in the configuration file, authentication of Type 0 (no authentication) is assumed. The authentication type must be the same for all routers and access servers in an area. The authentication password for all OSPF routers on a network must be the same if they are to communicate with each other via OSPF. Use the ip ospf authentication-key interface command to specify this password. If you enable MD5 authentication with the message-digest keyword, you must configure a password with the ip ospf message-digest-key interface command. To remove the authentication specification for an area, use the no form of this command with the authentication keyword.
Note To remove the specified area from the software configuration, use the no area area-id command (with no other keywords). That is, the no area area-id command removes all area options, such as area authentication, area default-cost, area nssa, area range, area stub, and area virtual-link.

Examples
The following example mandates authentication for areas 0 and 10.0.0.0 of OSPF routing process 201. Authentication keys are also provided.
interface ethernet 0
ip address 192.168.251.201 255.255.255.0
ip ospf authentication-key adcdefgh
!
interface ethernet 1
ip address 10.56.0.201 255.255.0.0
ip ospf authentication-key ijklmnop
!
router ospf 201
network 10.0.0.0 0.255.255.255 area 10.0.0.0
network 192.168.0.0 0.0.255.255 area 0
area 10.0.0.0 authentication
area 0 authentication

Related Commands
Command Description

area default-cost

Specifies a cost for the default summary route sent into a stub area.

area stub

Defines an area as a stub area.

ip ospf authentication-key

Assigns a password to be used by neighboring routers that are using the simple password authentication of OSPF.

ip ospf message-digest-key

Enables OSPF MD5 authentication.

ip ospf authentication
To specify the authentication type for an interface, use the ip ospf authentication command in interface configuration mode. To remove the authentication type for an interface, use the no form of this command.
ip ospf authentication [message-digest | null] no ip ospf authentication

Syntax Description
message-digest (Optional) Specifies that message-digest authentication will be used.

null

(Optional) No authentication is used. Useful for overriding password or message-digest authentication if configured for an area.

Defaults
The area default is no authentication (null authentication).

Command Modes
Interface configuration

Usage Guidelines
Before using the ip ospf authentication command, configure a password for the interface using the ip ospf authentication-key command. If you use the ip ospf authentication message-digest command, configure the message-digest key for the interface with the ip ospf message-digest-key command. For backward compatibility, authentication type for an area is still supported. If the authentication type is not specified for an interface, the authentication type for the area will be used (the area default is null authentication).

Examples
The following example enables message-digest authentication:
ip ospf authentication message-digest

Related Commands
Command Description

area authentication

Enables authentication for an OSPF area.

ip ospf authentication-key

Assigns a password to be used by neighboring routers that are using the simple password authentication of OSPF.

ip ospf message-digest-key

Enables OSPF MD5 authentication.

ip ospf authentication-key
To assign a password to be used by neighboring routers that are using the OSPF simple password authentication, use the ip ospf authentication-key command in interface configuration mode. To remove a previously assigned OSPF password, use the no form of this command.
ip ospf authentication-key password no ip ospf authentication-key

Syntax Description
password Any continuous string of characters that can be entered from the keyboard up to 8 bytes in length.

Defaults
No password is specified.

Command Modes
Interface configuration

Usage Guidelines
The password created by this command is used as a "key" that is inserted directly into the OSPF header when the Cisco IOS software originates routing protocol packets. A separate password can be assigned to each network on a per-interface basis. All neighboring routers on the same network must have the same password to be able to exchange OSPF information.
Note The Cisco IOS software will use this key only when authentication is enabled for an area with the area authentication router configuration command.

Examples
The following example enables the authentication key with the string yourpass:
ip ospf authentication-key yourpass

Related Commands
Command Description

area authentication

Enables authentication for an OSPF area.

ip ospf authentication

Specifies authentication type for an interface.

ip rip authentication key-chain


To enable authentication for Routing Information Protocol (RIP) Version 2 packets and to specify the set of keys that can be used on an interface, use the ip rip authentication key-chain command in interface configuration mode. To prevent authentication, use the no form of this command.
ip rip authentication key-chain name-of-chain no ip rip authentication key-chain [name-of-chain]

Syntax Description
name-of-chain Enables authentication and specifies the group of keys that are valid.

Defaults
No authentication is provided for RIP packets.

Command Modes
Interface configuration

Usage Guidelines
If no key chain is configured with the key-chain command, no authentication is performed on the interface (not even the default authentication).

Examples
The following example configures the interface to accept and send any key belonging to the key chain named trees:
ip rip authentication key-chain trees

Related Commands
Command Description

key chain

Enables authentication for routing protocols.

ip rip authentication mode


To specify the type of authentication used in Routing Information Protocol (RIP) Version 2 packets, use the ip rip authentication mode command in interface configuration mode. To restore clear text authentication, use the no form of this command.
ip rip authentication mode {text | md5} no ip rip authentication mode

Syntax Description
text Clear text authentication.

md5

Keyed Message Digest 5 (MD5) authentication.

Defaults
Clear text authentication is provided for RIP packets.

Command Modes
Interface configuration

Usage Guidelines
RIP Version 1 does not support authentication.

Examples
The following example configures the interface to use MD5 authentication:
ip rip authentication mode md5

Related Commands
Command Description

ip rip authentication key-chain

Enables authentication for RIP Version 2 packets and specifies the set of keys that can be used on an interface.

key chain

Enables authentication for routing protocols.

debug ip scp
To troubleshoot SCP (secure copy) authentication problems, use the debug ip scp command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug ip scp no debug ip scp

Syntax Description
This command has no arguments or keywords.

Command Modes
Privileged EXEC

Examples
The following example is sample output from the debug ip scp command. In this example, a copy of the file scptest.cfg from a UNIX host to the router's running configuration was successful.
Router# debug ip scp
4d06h:SCP:[22 -> 10.11.29.252:1018] send <OK>
4d06h:SCP:[22 <- 10.11.29.252:1018] recv C0644 20 scptest.cfg
4d06h:SCP:[22 -> 10.11.29.252:1018] send <OK>
4d06h:SCP:[22 <- 10.11.29.252:1018] recv 20 bytes
4d06h:SCP:[22 <- 10.11.29.252:1018] recv <OK>
4d06h:SCP:[22 -> 10.11.29.252:1018] send <OK>
4d06h:SCP:[22 <- 10.11.29.252:1018] recv <EOF>

The following example is also sample output from the debug ip scp command, but in this example, the user has privilege 0 and is therefore denied:
Router# debug ip scp
4d06h:SCP:[22 -> 10.11.29.252:1018] send Privilege denied.

Related Commands
Command Description

ip scp server enable

Enables SCP server-side functionality.

ip scp server enable


To enable SCP (secure copy) server-side functionality, use the ip scp server enable command in global configuration mode. To disable this functionality, use the no form of this command.
ip scp server enable no ip scp server enable

Syntax Description
This command has no arguments or keywords.

Defaults
This command is disabled by default.

Command Modes
Global configuration

Usage Guidelines
Use the ip scp server enable command to enable a Cisco router to support SCP server-side functionality, which allows an authenticated user to securely copy configuration and image files to or from a remote workstation. Before a user can utilize the SCP server-side functionality, SSH, authentication, and authorization must be properly configured so a router can determine whether a user is at the right privilege level.

Examples
The following example shows how to transfer a file from the router using SCP:
Router# copy flash:c3620-ik9s-mz.122-0.17.T scp://tiger@10.1.1.2/
Address or name of remote host [10.1.1.2]?
Destination username [tiger]?
Destination filename [c3620-ik9s-mz.122-0.17.T]?
Writing c3620-ik9s-mz.122-0.17.T
Password:
Router#

Note When using SCP, you cannot enter the password into the copy command. You must enter the password when prompted.
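The following configuration is added here as an illustration and is not taken from the Cisco reference. It puts together the prerequisites the usage guidelines describe: SSH as the transport, AAA login authentication and EXEC authorization so the router can determine the user's privilege level, a privilege-15 local user, and an access class on the vty lines. The hostname, domain name, user name, password placeholder and the 10.1.1.0/24 management subnet are assumptions.

```cisco
! Added example, not from the original reference. Hostname, domain, user,
! password placeholder and management subnet are assumptions.
hostname scp-router
ip domain-name example.net
!
! SCP rides inside an SSH session: generate the host key and allow SSHv2 only.
crypto key generate rsa modulus 2048
ip ssh version 2
!
! SCP requires AAA login authentication and EXEC authorization; without EXEC
! authorization the router cannot determine the user's privilege level.
aaa new-model
aaa authentication login default local
aaa authorization exec default local
!
! A privilege-0 user is refused with "Privilege denied" (see debug ip scp).
username tiger privilege 15 secret <strong-password>
!
! Limit which hosts may open SSH/SCP sessions at all (assumed subnet).
access-list 10 permit 10.1.1.0 0.0.0.255
line vty 0 4
 transport input ssh
 access-class 10 in
!
ip scp server enable
```

The access-class on the vty lines applies to SCP because an SCP transfer is an SSH session terminating on a vty. To confirm that a given account will pass the privilege check, log in as that user over SSH and run show privilege before attempting a transfer.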

Related Commands
Command Description

aaa authentication login

Sets AAA authentication at login.

aaa authorization

Sets parameters that restrict user access to a network.

copy

Copies any file from a source to a destination.

username

Establishes a username-based authentication system.

no snmp-server
To disable Simple Network Management Protocol (SNMP) agent operation, use the no snmp-server global configuration command.
no snmp-server

Syntax Description
This command has no arguments or keywords.

Defaults
None

Command Modes
Global configuration

Command History
Release Modification

10.0

This command was introduced.

Usage Guidelines
This command disables all running versions of SNMP (SNMPv1, SNMPv2C, and SNMPv3) on the device.

Examples
The following example disables the current running version of SNMP:
Router(config)# no snmp-server

show management event


To display the Simple Network Management Protocol (SNMP) Event values that have been configured on your routing device through the use of the Event MIB, use the show management event command in privileged EXEC mode.
show management event

Syntax Description
This command has no arguments or keywords.

Defaults
No default behavior or values.

Command Modes
Privileged EXEC

Command History
Release Modification

12.1(3)T

This command was introduced.

Usage Guidelines
The Event MIB allows you to configure your own traps, informs, or set operations through the use of an external network management application. The show management event command is used to display the values for the Events configured on your system. There are no Cisco IOS CLI commands for configuring Event MIB values. For information on Event MIB functionality, see RFC 2981, available at http://www.ietf.org.

Examples
The following example shows sample output of the show management event command:
Router# show management event
Mgmt Triggers:
(1): Owner: aseem
 (1): 01, Comment: TestEvent, Sample: Abs, Freq: 120
  Test: Existence Threshold Boolean
  ObjectOwner: aseem, Object: sethi
  OID: ifEntry.10.3, Enabled 1, Row Status 1
  Existence Entry: , Absent, Changed
   StartUp: Present, Absent
   ObjOwn: , Obj: , EveOwn: aseem, Eve: 09
  Boolean Entry:
   Value: 10, Cmp: 1, Start: 1
   ObjOwn: , Obj: , EveOwn: aseem, Eve: 09
  Threshold Entry:
   Rising: 50000, Falling: 20000
   ObjOwn: ase, Obj: 01
   RisEveOwn: ase, RisEve: 09 , FallEveOwn: ase, FallEve: 09
  Delta Value Table:
   (0): Thresh: Rising, Exis: 1, Read: 0, OID: ifEntry.10.3 , val: 69356097

Mgmt Events:
(1): Owner: aseem
 (1)Name: 09 , Comment: , Action: Set, Notify, Enabled: 1 Status: 1
  Notification Entry:
   ObjOwn: , Obj: , OID: ifEntry.10.1
  Set:
   OID: ciscoSyslogMIB.1.2.1.0, SetValue: 199, Wildcard: 2
   TAG: , ContextName:
Object Table:
(1): Owner: aseem
 (1)Name: sethi, Index: 1, OID: ifEntry.10.1, Wild: 1, Status: 1

Related Commands
Command Description

debug management event

Allows real-time monitoring of Event MIB activities for the purposes of debugging.

show snmp engineID


To display the identification of the local Simple Network Management Protocol (SNMP) engine and all remote engines that have been configured on the router, use the show snmp engineID EXEC command.
show snmp engineID

Syntax Description
This command has no arguments or keywords.

Command Modes
EXEC

Command History
Release Modification

12.0(3)T

This command was introduced.

Usage Guidelines
An SNMP engine is a copy of SNMP that can reside on a local or remote device.

Examples
The following example specifies 00000009020000000C025808 as the local engineID and 123456789ABCDEF000000000 as the remote engine ID, 171.69.37.61 as the IP address of the remote engine (copy of SNMP) and 162 as the port from which the remote device is connected to the local device:
router# show snmp engineID
Local SNMP engineID: 00000009020000000C025808
Remote Engine ID            IP-addr          Port
123456789ABCDEF000000000    171.69.37.61     162

Table 101 describes the fields shown in the example.


Table 101 show snmp engineID Field Descriptions

Field

Definition

Local SNMP engine ID   A string that identifies the copy of SNMP on the local device.
Remote Engine ID       A string that identifies the copy of SNMP on the remote device.
IP-addr                The IP address of the remote device.
Port                   The port number on the local device to which the remote device is connected.

Related Commands
Command Description

snmp-server engineID

Configures a name for either the local or remote SNMP engine on the router.

show snmp group


To display the names of groups on the router and the security model, the status of the different views, and the storage type of each group, use the show snmp group EXEC command.
show snmp group

Syntax Description
This command has no keywords or arguments.

Command Modes
EXEC

Command History
Release Modification

12.0(3)T

This command was introduced.

Examples
The following example specifies the group name as public, the security model as v1, the read view name as v1default, the notify view name as *tv.FFFFFFFF, and the storage type as volatile:
router# show snmp group
groupname: public                     security model:v1
readview:v1default                    writeview: no writeview specified
notifyview: *tv.FFFFFFFF
storage-type: volatile

Table 102 describes the fields shown in the example.


Table 102 show snmp group Field Descriptions

Field

Definition

groupname        The name of the SNMP group, or collection of users that have a common access policy.
security model   The security model used by the group, either v1, v2c, or v3.
readview         A string identifying the read view of the group.
writeview        A string identifying the write view of the group.
notifyview       A string identifying the notify view of the group.
storage-type     Indicates whether the settings have been set in volatile or temporary memory on the device, or in nonvolatile or persistent memory where settings will remain after the device has been turned off and on again.

Related Commands

Command

Description

snmp-server group

Configures a new SNMP group or a table that maps SNMP users to SNMP views.

show snmp pending


To display the current set of pending Simple Network Management Protocol (SNMP) requests, use the show snmp pending EXEC command.
show snmp pending

Syntax Description
This command has no arguments or keywords.

Command Modes
EXEC

Command History
Release Modification

11.3 T

This command was introduced.

Usage Guidelines
After the SNMP manager sends a request, the request is "pending" until the manager receives a response or the request timeout expires.

Examples
The following is sample output from the show snmp pending command:
Router# show snmp pending
req id: 47, dest: 171.69.58.33.161, V2C community: public, Expires in 5 secs
req id: 49, dest: 171.69.58.33.161, V2C community: public, Expires in 6 secs
req id: 51, dest: 171.69.58.33.161, V2C community: public, Expires in 6 secs
req id: 53, dest: 171.69.58.33.161, V2C community: public, Expires in 8 secs

Table 103 describes the fields shown in the display.


Table 103 show snmp pending Field Descriptions

Field

Description

req id          ID number of the pending request.
dest            IP address of the intended receiver of the request.
V2C community   SNMP version 2C community string sent with the request.
Expires in      Remaining time before request timeout expires.

Related Commands
Command Description

show snmp

Checks the status of SNMP communications.

show snmp sessions

Displays the current SNMP sessions.

snmp-server manager

Starts the SNMP manager process.

snmp-server manager sessiontimeout

Sets the amount of time before a nonactive session is destroyed.

show snmp sessions


To display the current Simple Network Management Protocol (SNMP) sessions, use the show snmp sessions EXEC command.
show snmp sessions [brief]

Syntax Description
brief (Optional) Displays a list of sessions only. Does not display session statistics.

Command Modes
EXEC

Command History
Release Modification

11.3 T

This command was introduced.

Usage Guidelines
Sessions are created when the SNMP manager in the router sends SNMP requests, such as inform requests, to a host or receives SNMP notifications from a host. One session is created for each destination host. If there is no further communication between the router and host within the session timeout period, the corresponding session will be deleted.

Examples
The following is sample output from the show snmp sessions command:
Router# show snmp sessions
Destination: 171.69.58.33.162, V2C community: public
  Round-trip-times: 0/0/0 (min/max/last)
  packets output
    0 Gets, 0 GetNexts, 0 GetBulks, 0 Sets, 4 Informs
    0 Timeouts, 0 Drops
  packets input
    0 Traps, 0 Informs, 0 Responses (0 errors)
Destination: 171.69.217.141.162, V2C community: public, Expires in 575 secs
  Round-trip-times: 1/1/1 (min/max/last)
  packets output
    0 Gets, 0 GetNexts, 0 GetBulks, 0 Sets, 4 Informs
    0 Timeouts, 0 Drops
  packets input
    0 Traps, 0 Informs, 4 Responses (0 errors)

The following is sample output from the show snmp sessions brief command:
Router# show snmp sessions brief
Destination: 171.69.58.33.161, V2C community: public, Expires in 55 secs

Table 104 describes the fields shown in these displays.


Table 104 show snmp sessions Field Descriptions

Field

Description

Destination        IP address of the remote agent.
V2C community      SNMP version 2C community string used to communicate with the remote agent.
Expires in         Remaining time before the session timeout expires.
Round-trip-times   Minimum, maximum, and the last round-trip time to the agent.
packets output     Packets sent by the router.
  Gets             Number of get requests sent.
  GetNexts         Number of get-next requests sent.
  GetBulks         Number of get-bulk requests sent.
  Sets             Number of set requests sent.
  Informs          Number of inform requests sent.
  Timeouts         Number of request timeouts.
  Drops            Number of packets that could not be sent.
packets input      Packets received by the router.
  Traps            Number of traps received.
  Informs          Number of inform responses received.
  Responses        Number of request responses received.
  errors           Number of responses that contained an SNMP error code.

Related Commands
Command Description

show snmp

Checks the status of SNMP communications.

show snmp pending

Displays the current set of pending SNMP requests.

snmp-server manager

Starts the SNMP manager process.

snmp-server manager sessiontimeout

Sets the amount of time before a nonactive session is destroyed.

show snmp user


To display information on each Simple Network Management Protocol (SNMP) username in the group username table, use the show snmp user EXEC command.
show snmp user

Syntax Description
This command has no arguments or keywords.

Command Modes
EXEC

Command History
Release Modification

12.0(3)T

This command was introduced.

Usage Guidelines
An SNMP user is a remote user for which an SNMP management operation is performed. For example, inform operations can be sent to a user on a remote SNMP engine. The user is designated using the snmp-server user command.

Examples
The following example specifies the username as authuser, the engine ID string as 00000009020000000C025808, and the storage-type as nonvolatile:
router# show snmp user
User name: authuser
Engine ID: 00000009020000000C025808
storage-type: nonvolatile

Table 105 describes fields shown in the example.


Table 105 show snmp user Field Descriptions

Field

Definition

User name      A string identifying the name of the SNMP user.
Engine ID      A string identifying the name of the copy of SNMP on the device.
storage-type   Indicates whether the settings have been set in volatile or temporary memory on the device, or in nonvolatile or persistent memory where settings will remain after the device has been turned off and on again.

Related Commands
Command Description

snmp-server user

Configures a new user to an SNMP group.

show snmp
To check the status of Simple Network Management Protocol (SNMP) communications, use the show snmp EXEC command.
show snmp

Syntax Description
This command has no arguments or keywords.

Command Modes
EXEC

Command History
Release Modification

10.0

This command was introduced.

Usage Guidelines
This command provides counter information for SNMP operations. It also displays the chassis ID string defined with the snmp-server chassis-id global configuration command.

Examples
The following is sample output from the show snmp command:
Router# show snmp
Chassis: 01506199
37 SNMP packets input
    0 Bad SNMP version errors
    4 Unknown community name
    0 Illegal operation for community name supplied
    0 Encoding errors
    24 Number of requested variables
    0 Number of altered variables
    0 Get-request PDUs
    28 Get-next PDUs
    0 Set-request PDUs
78 SNMP packets output
    0 Too big errors (Maximum packet size 1500)
    0 No such name errors
    0 Bad values errors
    0 General errors
    24 Response PDUs
    13 Trap PDUs

SNMP logging: enabled
    Logging to 171.69.58.33.162, 0/10, 13 sent, 0 dropped.

SNMP Manager-role output packets
    4 Get-request PDUs
    4 Get-next PDUs
    6 Get-bulk PDUs
    4 Set-request PDUs
    23 Inform-request PDUs
    30 Timeouts
    0 Drops
SNMP Manager-role input packets
    0 Inform response PDUs
    2 Trap PDUs
    7 Response PDUs
    1 Responses with errors

SNMP informs: enabled
    Informs in flight 0/25 (current/max)
    Logging to 171.69.217.141.162
        4 sent, 0 in-flight, 1 retries, 0 failed, 0 dropped
    Logging to 171.69.58.33.162
        0 sent, 0 in-flight, 0 retries, 0 failed, 0 dropped

Table 100 describes the fields shown in the display.


Table 100 show snmp Field Descriptions

Field

Description

Chassis                                        Chassis ID string.
SNMP packets input                             Total number of SNMP packets input.
  Bad SNMP version errors                      Number of packets with an invalid SNMP version.
  Unknown community name                       Number of SNMP packets with an unknown community name.
  Illegal operation for community name supplied   Number of packets requesting an operation not allowed for that community.
  Encoding errors                              Number of SNMP packets that were improperly encoded.
  Number of requested variables                Number of variables requested by SNMP managers.
  Number of altered variables                  Number of variables altered by SNMP managers.
  Get-request PDUs                             Number of get requests received.
  Get-next PDUs                                Number of get-next requests received.
  Set-request PDUs                             Number of set requests received.
SNMP packets output                            Total number of SNMP packets sent by the router.
  Too big errors                               Number of SNMP packets which were larger than the maximum packet size.
  Maximum packet size                          Maximum size of SNMP packets.
  No such name errors                          Number of SNMP requests that specified a MIB object that does not exist.
  Bad values errors                            Number of SNMP set requests that specified an invalid value for a MIB object.
  General errors                               Number of SNMP set requests that failed due to some other error (not a noSuchName error, badValue error, or any of the other specific errors).
  Response PDUs                                Number of responses sent in reply to requests.
  Trap PDUs                                    Number of SNMP traps sent.
SNMP logging                                   Indicates whether logging is enabled or disabled.
  sent                                         Number of traps sent.
  dropped                                      Number of traps dropped. Traps are dropped when the trap queue for a destination exceeds the maximum length of the queue, as set by the snmp-server queue-length global configuration command.
SNMP Manager-role output packets               Information related to packets sent by the router as an SNMP manager.
  Get-request PDUs                             Number of get requests sent.
  Get-next PDUs                                Number of get-next requests sent.
  Get-bulk PDUs                                Number of get-bulk requests sent.
  Set-request PDUs                             Number of set requests sent.
  Inform-request PDUs                          Number of inform requests sent.
  Timeouts                                     Number of request timeouts.
  Drops                                        Number of requests dropped. Reasons for drops include no memory, a bad destination address, or an unreasonable destination address.
SNMP Manager-role input packets                Information related to packets received by the router as an SNMP manager.
  Inform response PDUs                         Number of inform request responses received.
  Trap PDUs                                    Number of SNMP traps received.
  Response PDUs                                Number of responses received.
  Responses with errors                        Number of responses containing errors.
SNMP informs                                   Indicates whether SNMP informs are enabled.
  Informs in flight                            Current and maximum possible number of informs waiting to be acknowledged.
  Logging to                                   Destination of the following informs.
  sent                                         Number of informs sent to this host.
  in-flight                                    Number of informs currently waiting to be acknowledged.
  retries                                      Number of inform retries sent.
  failed                                       Number of informs that were never acknowledged.
  dropped                                      Number of unacknowledged informs that were discarded to make room for new informs.

Related Commands
Command Description

show snmp pending

Displays the current set of pending SNMP requests.

show snmp sessions

Displays the current SNMP sessions.

snmp-server chassis-id

Provides a message line identifying the SNMP server serial number.

snmp-server manager

Starts the SNMP manager process.

snmp-server manager sessiontimeout

Sets the amount of time before a nonactive session is destroyed.

snmp-server queue-length

Establishes the message queue length for each trap host.

snmp trap link-status


To enable Simple Network Management Protocol (SNMP) link trap generation, use the snmp trap link-status interface configuration command. To disable SNMP link traps, use the no form of this command.
snmp trap link-status no snmp trap link-status

Syntax Description
This command has no arguments or keywords.

Defaults
SNMP link traps are sent when an interface goes up or down.

Command Modes
Interface configuration

Command History
Release Modification

10.0

This command was introduced.

Usage Guidelines
By default, SNMP link traps are sent when an interface goes up or down. For interfaces expected to go up and down during normal usage, such as ISDN interfaces, the output generated by these traps may not be useful. The no form of this command disables these traps.

Examples
The following example disables the sending of SNMP link traps related to the ISDN BRI 0 interface:
interface bri 0
 no snmp trap link-status

snmp-server chassis-id
To provide a message line identifying the Simple Network Management Protocol (SNMP) server serial number, use the snmp-server chassis-id global configuration command. To restore the default value, if any, use the no form of this command.
snmp-server chassis-id text no snmp-server chassis-id

Syntax Description
text Message you want to enter to identify the chassis serial number.

Defaults
On hardware platforms where the serial number can be machine read, the default is the serial number. For example, a Cisco 7000 router has a default chassis-id value of its serial number.

Command Modes
Global configuration

Command History
Release Modification

10.0

This command was introduced.

Usage Guidelines
The Cisco MIB provides a chassis MIB variable that enables the SNMP manager to gather data on system card descriptions, chassis type, chassis hardware version, chassis ID string, software version of ROM monitor, software version of system image in ROM, bytes of processor RAM installed, bytes of NVRAM installed, bytes of NVRAM in use, current configuration register setting, and the value of the configuration register at the next reload. The following installed card information is provided: type of card, serial number, hardware version, software version, and chassis slot number. The chassis ID message can be seen with the show snmp command.

Examples
In the following example, the chassis serial number specified is 1234456:
Router(config)# snmp-server chassis-id 1234456

Related Commands
Command Description

show snmp

Checks the status of SNMP communications.

snmp-server community
To set up the community access string to permit access to the Simple Network Management Protocol (SNMP), use the snmp-server community global configuration command. To remove the specified community string, use the no form of this command.
snmp-server community string [view view-name] [ro | rw] [number] no snmp-server community string

Syntax Description
string Community string that acts like a password and permits access to the SNMP protocol.

view view-name

(Optional) Name of a previously defined view. The view defines the objects available to the community.

ro

(Optional) Specifies read-only access. Authorized management stations are only able to retrieve MIB objects.

rw

(Optional) Specifies read-write access. Authorized management stations are able to both retrieve and modify MIB objects.

number

(Optional) Integer from 1 to 99 that specifies an access list of IP addresses that are allowed to use the community string to gain access to the SNMP agent.

Defaults
By default, an SNMP community string permits read-only access to all objects.
Note If the snmp-server community command is not used during the SNMP configuration session, it will automatically be added to the configuration after the snmp-server host command is used. In this case, the default password (string) for the snmp-server community will be taken from the snmp-server host command.

Command Modes
Global configuration

Command History
Release Modification

10.0

This command was introduced.

Usage Guidelines
The no snmp-server command disables all versions of SNMP (SNMPv1, SNMPv2C, SNMPv3). The first snmp-server command that you enter enables all versions of SNMP.

Examples
The following example assigns the string comaccess to SNMP allowing read-only access and specifies that IP access list 4 can use the community string:
Router(config)# snmp-server community comaccess ro 4

The following example assigns the string mgr to SNMP allowing read-write access to the objects in the restricted view:
Router(config)# snmp-server community mgr view restricted rw

The following example removes the community comaccess:
Router(config)# no snmp-server community comaccess

The following example disables all versions of SNMP:
Router(config)# no snmp-server
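An added example, not part of the Cisco reference, that puts a weak community configuration beside a restricted one. Community strings in SNMPv1 and SNMPv2c travel in cleartext, so the access list and the view, not the string itself, are what limit exposure. The community strings, the view name ifonly, access list 10 and the manager address 192.0.2.10 are assumptions. The last two lines go beyond the community case and show the SNMPv3 equivalent built with the snmp-server group and snmp-server user commands that appear as related commands of show snmp group and show snmp user.

```cisco
! Added example, not from the original reference. Strings, view name,
! ACL number and manager address are assumptions.
!
! Weak: a well-known string with read-write access and no access list.
! Anyone who can reach UDP/161 and guesses "private" can modify any
! writable MIB object on the router.
snmp-server community private rw
!
! Restricted: read-only, limited to a view, limited to one manager.
access-list 10 permit host 192.0.2.10
access-list 10 deny any log
snmp-server view ifonly system included
snmp-server view ifonly interfaces included
snmp-server community s3cureR0 view ifonly ro 10
!
! Remove the weak string rather than leaving both in place.
no snmp-server community private
!
! SNMPv3 equivalent: authenticated and encrypted, same view and ACL.
snmp-server group MGMT v3 priv read ifonly access 10
snmp-server user nms MGMT v3 auth sha <auth-password> priv aes 128 <priv-password>
```

After applying the restricted configuration, show snmp group should list MGMT with security model v3 and readview ifonly, and a manager that is not permitted by access list 10 will increment the Unknown community name counter in show snmp rather than receive a response.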

Related Commands
Command Description

access-list

Configures the access list mechanism for filtering frames by protocol type or vendor code.

snmp-server view

Creates or updates a view entry.

snmp-server contact
To set the system contact (sysContact) string, use the snmp-server contact global configuration command. To remove the system contact information, use the no form of this command.
snmp-server contact text no snmp-server contact

Syntax Description
text String that describes the system contact information.

Defaults
No system contact string is set.

Command Modes
Global configuration

Command History
Release Modification

10.0

This command was introduced.

Examples
The following is an example of a system contact string:
Router(config)# snmp-server contact Dial System Operator at beeper # 27345

Related Commands
Command Description

snmp-server location

Sets the system location string.

snmp-server enable traps aaa_server


To enable authentication, authorization, and accounting (AAA) server state-change Simple Network Management Protocol (SNMP) notifications, use the snmp-server enable traps aaa_server global configuration command. To disable AAA server state-change SNMP notifications, use the no form of this command.
snmp-server enable traps aaa_server no snmp-server enable traps aaa_server

Syntax Description
This command has no arguments or keywords.

Defaults
SNMP notifications are disabled by default.

Command Modes
Global configuration

Command History
Release Modification

12.1(3)T

This command was introduced for the Cisco AS5300 and Cisco AS5800.

Usage Guidelines
SNMP notifications can be sent as traps or inform requests. This command enables both traps and inform requests. This command controls (enables or disables) AAA server state-change (casServerStateChange) notifications. When enabled, a notification is sent when a server moves from the "up" state to the "dead" state or from the "dead" state back to "up". The Cisco AAA server state is defined by the casState object in the Cisco AAA Server MIB. The possible values are as follows:

up(1)     Server is responding to requests.
dead(2)   Server failed to respond to requests.

A server is marked "dead" if it does not respond after the maximum number of retransmissions. A server is marked "up" again either after a waiting period or if some response is received from it. The initial value of casState is "up(1)" at system startup; it transitions to "dead(2)" only if an attempt to communicate fails. For a complete description of this notification and additional MIB functions, see the CISCO-AAA-SERVER-MIB.my file, available on Cisco.com at http://www.cisco.com/public/mibs/v2/. The snmp-server enable traps aaa_server command is used in conjunction with the snmp-server host command. Use the snmp-server host command to specify which host or hosts receive SNMP notifications. To send SNMP notifications, you must configure at least one snmp-server host command.

Examples

The following example enables the router to send AAA Server up/down informs to the host at the address myhost.cisco.com using the community string defined as public:
Router(config)# snmp-server enable traps aaa_server
Router(config)# snmp-server host myhost.cisco.com informs version 2c public

Related Commands
Command Description

aaa session-mib disconnect

Allows a remote network management system to perform Set operations and disconnect users on the configured device using SNMP.

show caller

Displays caller information for Async, Dialer, and Serial interfaces.

show radius statistics

Displays AAA Server MIB statistics for AAA functions.

snmp-server host

Specifies the recipient of an SNMP notification operation.

snmp-server trapsource

Specifies the interface that an SNMP trap should originate from.

snmp-server enable traps atm pvc


To enable the sending of ATM permanent virtual circuit (PVC) Simple Network Management Protocol (SNMP) notifications, use the snmp-server enable traps atm pvc global configuration command. To disable ATM PVC-specific SNMP notifications, use the no form of this command.
snmp-server enable traps atm pvc [interval seconds] [fail-interval seconds] no snmp-server enable traps atm pvc

Syntax Description
interval seconds (Optional) Minimum period between successive traps, in the range from 1 to 3600. Generation of PVC traps is dampened by the notification interval in order to prevent trap storms. No traps are sent until the interval lapses.

fail-interval seconds

(Optional) Minimum period for storing the failed time stamp, in the range from 0 to 3600.

Defaults
SNMP notifications are disabled by default. The default interval is 30. The default fail-interval is 0.

Command Modes
Global configuration

Command History
Release Modification

12.0(1)T

This command was introduced for those platforms that support ATM PVC Management.

Usage Guidelines
SNMP notifications can be sent as traps or inform requests. This command enables both traps and inform requests for the specified notification types. ATM notifications are defined in the CISCO-IETF-ATM2-PVCTRAP-MIB.my file, available from the Cisco FTP site at ftp://www.cisco.com/public/mibs/v2/. ATM PVC failure notifications are sent when a PVC on an ATM interface fails or leaves the UP operational state. Only one trap is generated per hardware interface within the period specified by the interval keyword (stored as atmIntfPvcNotificationInterval in the MIB). If other PVCs on the same interface go DOWN during this interval, traps are generated and held until the fail-interval has elapsed. Once the interval has elapsed, the traps are sent if the PVCs are still DOWN. No notifications are generated when a PVC returns to the UP state after having been in the DOWN state. If you need to detect the recovery of PVCs, you must use the SNMP management application to regularly poll your router.

The snmp-server enable traps atm pvc command is used in conjunction with the snmp-server host command. Use the snmp-server host command to specify which host or hosts receive SNMP notifications. In order to send notifications, you must configure at least one snmp-server host command.

Examples
The following example shows the enabling of ATM PVC traps on a router, so that if PVC 0/1 goes down, host 172.16.61.90 will receive the notifications:
! For ATM PVC Trap Support to work on your router, you must first have SNMP support and
! an IP routing protocol configured on your router:
Router(config)# snmp-server community public ro
Router(config)# snmp-server host 172.16.61.90 public
Router(config)# ip routing
Router(config)# router igrp 109
Router(config-router)# network 172.16.0.0
!
! Enable ATM PVC Trap Support and OAM management:
Router(config)# snmp-server enable traps atm pvc interval 40 fail-interval 10
Router(config)# interface atm 1/0.1
Router(config-if)# pvc 0/1
Router(config-if-atm-vc)# oam-pvc manage

Related Commands
Command Description

show atm pvc

Displays all ATM permanent virtual circuits (PVCs) and traffic information.

snmp-server enable traps

Enables all available SNMP notifications on your system.

snmp-server host

Specifies the recipient of an SNMP notification operation.

snmp-server trap-source

Specifies the interface that an SNMP trap should originate from.

snmp-server enable traps bgp


To enable Border Gateway Protocol (BGP) state-change Simple Network Management Protocol (SNMP) notifications, use the snmp-server enable traps bgp global configuration command. To disable BGP state-change SNMP notifications, use the no form of this command.
snmp-server enable traps bgp no snmp-server enable traps bgp

Syntax Description
This command has no arguments or keywords.

Defaults
SNMP notifications are disabled by default.

Command Modes
Global configuration

Command History
Release Modification

12.1(3)T

This command was introduced for the Cisco AS5300 and Cisco AS5800.

Usage Guidelines
SNMP notifications can be sent as traps or inform requests. This command enables both traps and inform requests. This command controls (enables or disables) Border Gateway Protocol server state change notifications, as defined in the BGP4-MIB (enterprise 1.3.6.1.2.1.15.7). The notification types are (1) bgpEstablished and (2) bgpBackwardTransition. The BGP notifications are defined in the BGP-4 MIB as follows:

bgpTraps OBJECT IDENTIFIER ::= { bgp 7 }

bgpEstablished NOTIFICATION-TYPE
    OBJECTS { bgpPeerLastError, bgpPeerState }
    STATUS current
    DESCRIPTION
        "The BGP Established event is generated when the BGP FSM enters the ESTABLISHED state."
    ::= { bgpTraps 1 }

bgpBackwardTransition NOTIFICATION-TYPE
    OBJECTS { bgpPeerLastError, bgpPeerState }
    STATUS current
    DESCRIPTION
        "The BGPBackwardTransition Event is generated when the BGP FSM moves from a higher numbered state to a lower numbered state."
    ::= { bgpTraps 2 }

For a complete description of these notifications and additional MIB functions, see the BGP4-MIB.my file, available through the Cisco FTP site at ftp://www.cisco.com/public/mibs/v2/. The snmp-server enable traps bgp command is used in conjunction with the snmp-server host command. Use the snmp-server host command to specify which host or hosts receive SNMP notifications. To send SNMP notifications, you must configure at least one snmp-server host command.

Examples
The following example enables the router to send BGP state change informs to the host at the address myhost.cisco.com using the community string defined as public:
Router(config)# snmp-server enable traps bgp
Router(config)# snmp-server host myhost.cisco.com informs version 2c public

Related Commands
Command Description

snmp-server host

Specifies the recipient of an SNMP notification operation.

snmp-server trap-source

Specifies the interface that an SNMP trap should originate from.

snmp-server enable traps calltracker


To enable Call Tracker CallSetup and Call Terminate Simple Network Management Protocol (SNMP) notifications, use the snmp-server enable traps calltracker global configuration command. To disable Call Tracker SNMP notifications, use the no form of this command.
snmp-server enable traps calltracker no snmp-server enable traps calltracker

Syntax Description
This command has no arguments or keywords.

Defaults
SNMP notifications are disabled by default.

Command Modes
Global configuration

Command History
Release Modification

12.1(3)T

This command was introduced for the Cisco AS5300 and Cisco AS5800 access servers.

Usage Guidelines
SNMP notifications can be sent as traps or inform requests. This command enables both traps and inform requests. This command controls (enables or disables) Call Tracker CallSetup and CallTerminate notifications. CallSetup notifications are generated at the start of each call, when an entry is created in the active table (cctActiveTable), and CallTerminate notifications are generated at the end of each call, when an entry is created in the history table (cctHistoryTable). For a complete description of these notifications and additional MIB functions, refer to the CISCO-CALLTRACKER-MIB.my file, available on Cisco.com at http://www.cisco.com/public/mibs/v2/. The snmp-server enable traps calltracker command is used in conjunction with the snmp-server host global configuration command. Use the snmp-server host command to specify which host or hosts receive SNMP notifications. To send SNMP notifications, you must configure at least one snmp-server host command.

Examples
The following example enables the router to send call-start and call-stop informs to the host at the address myhost.cisco.com using the community string defined as public:
Router(config)# snmp-server enable traps calltracker
Router(config)# snmp-server host myhost.cisco.com informs version 2c public calltracker

Related Commands
Command Description

calltracker callrecord

Enables call record SYSLOG generation for the purpose of debugging, monitoring, or externally saving detailed call record information.

calltracker enable

Enables the Call Tracker feature on an access server.

isdn snmp busyout b-channel

Enables PRI B channels to be busied out via SNMP.

show call calltracker

Displays Call Tracker activity and configuration information such as the number of active calls and the history table attributes.

show modem calltracker

Displays all of the information stored within the Call Tracker Active or History Database for the latest call assigned to specified modem.

snmp-server host

Specifies the recipient of an SNMP notification operation.

snmp-server trap-source

Specifies the interface that an SNMP trap should originate from.

snmp-server enable traps envmon


To enable Environmental Monitor Simple Network Management Protocol (SNMP) notifications, use the snmp-server enable traps envmon global configuration command. To disable environmental monitor SNMP notifications, use the no form of this command.
snmp-server enable traps envmon [shutdown] [voltage] [temperature] [fan] [supply] no snmp-server enable traps envmon [shutdown] [voltage] [temperature] [fan] [supply]

Syntax Description
shutdown (Optional) Controls shutdown notifications. A ciscoEnvMonShutdownNotification (enterprise MIB OID 1.3.6.1.4.1.9.9.13.3.1) is sent if the environmental monitor detects a testpoint reaching a critical state and is about to initiate a shutdown.

voltage

(Optional) Controls voltage notifications. A ciscoEnvMonVoltageNotification (enterprise MIB OID 1.3.6.1.4.1.9.9.13.3.2) is sent if the voltage measured at a given testpoint is outside the normal range for the testpoint (i.e. is at the warning, critical, or shutdown stage). For access servers, this notification is defined as the caemVoltageNotification (enterprise MIB OID 1.3.6.1.4.1.9.9.61.2.2).

temperature

(Optional) Controls temperature notifications. A ciscoEnvMonTemperatureNotification (enterprise MIB OID 1.3.6.1.4.1.9.9.13.3.3) is sent if the temperature measured at a given testpoint is outside the normal range for the testpoint (i.e. is at the warning, critical, or shutdown stage). For access servers, this notification is defined as the caemTemperatureNotification (enterprise MIB OID 1.3.6.1.4.1.9.9.61.2.1).

fan

(Optional) Controls fan failure notifications. A ciscoEnvMonFanNotification (enterprise MIB OID 1.3.6.1.4.1.9.9.13.3.4) is sent if any one of the fans in a fan array fails.

supply

(Optional) Controls Redundant Power Supply (RPS) failure notifications. A ciscoEnvMonRedundantSupplyNotification (enterprise MIB OID 1.3.6.1.4.1.9.9.13.2.5) is sent if a redundant power supply fails.

Defaults
SNMP notifications are disabled by default.

Command Modes
Global configuration

Command History
Release Modification

10.3

This command was introduced.

11.3(6)AA

Support for this command was introduced for the Cisco AS5300 access server.

Usage Guidelines
SNMP notifications can be sent as traps or inform requests. This command enables both traps and inform requests. This command controls (enables or disables) Environmental Monitor (EnvMon) status notifications for supported systems. Cisco enterprise EnvMon notifications are triggered when an environmental threshold is exceeded. If none of the optional keywords are specified, all available environmental notifications are enabled. For a complete description of these notifications and additional MIB functions, see the CISCO-ENVMON-MIB.my and CISCO-ACCESS-ENVMON-MIB.my files, available on Cisco.com at http://www.cisco.com/public/mibs/v2/. The status of the Environmental Monitor can be viewed using the show environment command. The snmp-server enable traps envmon command is used in conjunction with the snmp-server host command. Use the snmp-server host command to specify which host or hosts receive SNMP notifications. To send SNMP notifications, you must configure at least one snmp-server host command.

Examples
The following example enables a Cisco 12000 GSR to send environmental failure informs to the host at the address myhost.cisco.com using the community string defined as public:
Router(config)# snmp-server enable traps envmon
Router(config)# snmp-server host myhost.cisco.com informs version 2c public envmon

Related Commands
Command Description

show environment

Displays environmental conditions on the system.

snmp-server host

Specifies the recipient of an SNMP notification operation.

snmp-server trap-source

Specifies the interface that an SNMP trap should originate from.

snmp-server enable traps frame-relay


To enable Frame Relay DLCI link status Simple Network Management Protocol (SNMP) notifications, use the snmp-server enable traps frame-relay global configuration command. To disable Frame Relay link status SNMP notifications, use the no form of this command.
snmp-server enable traps frame-relay no snmp-server enable traps frame-relay

Syntax Description
This command has no arguments or keywords.

Defaults
SNMP notifications are disabled by default.

Command Modes
Global configuration

Command History
Release Modification

10.3

This command was introduced.

Usage Guidelines
SNMP notifications can be sent as traps or inform requests. This command enables both traps and inform requests. This command controls (enables or disables) Data Link Connection Identifier (DLCI) Frame Relay notifications, as defined in the RFC1315-MIB (enterprise 1.3.6.1.2.1.10.32). The notification type is frDLCIStatusChange (1). This trap indicates that the indicated Virtual Circuit (VC) has changed state, meaning that the VC has either been created or invalidated, or has toggled between the active and inactive states.
Note For large scale configurations (systems containing hundreds of Frame Relay point-to-point subinterfaces), note that having Frame Relay notifications enabled could potentially have a negative impact on network performance when there are line status changes.

For a complete description of this notification and additional MIB functions, see the RFC1315-MIB.my file and the CISCO-FRAME-RELAY-MIB.my file, available in the "v1" and "v2" directories, respectively, at the Cisco.com MIB web site at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml. The snmp-server enable traps frame-relay command is used in conjunction with the snmp-server host command. Use the snmp-server host command to specify which host or hosts receive SNMP notifications. To send SNMP notifications, you must configure at least one snmp-server host command.

Examples
In the following example, the router is configured to send Frame Relay DLCI state change informs to the host at the address myhost.cisco.com using the community string defined as public:
Router(config)# snmp-server enable traps frame-relay

Router(config)# snmp-server host myhost.cisco.com informs version 2c public

Related Commands
Command Description

snmp-server host

Specifies the recipient of an SNMP notification operation.

snmp-server trap-source

Specifies the interface that an SNMP trap should originate from.

snmp-server enable traps isdn


To enable the sending of Integrated Services Digital Network (ISDN) specific Simple Network Management Protocol (SNMP) notifications, use the snmp-server enable traps isdn global configuration command. To disable ISDN-specific SNMP notifications, use the no form of this command.
snmp-server enable traps isdn [call-information] [chan-not-avail] [isdnu-interface] [layer2] no snmp-server enable traps isdn [call-information] [chan-not-avail] [isdnu-interface] [layer2]

Syntax Description
call-information (Optional) Controls SNMP ISDN call information notifications, as defined in the CISCO-ISDN-MIB (enterprise 1.3.6.1.4.1.9.9.26.2). Notification types are:

demandNbrCallInformation (1) This notification is sent to the manager whenever a successful call clears, or a failed call attempt is determined to have ultimately failed. In the event that call retry is active, then this is after all retry attempts have failed. However, only one such notification is sent in between successful call attempts; subsequent call attempts do not generate notifications of this type.

demandNbrCallDetails (2) This notification is sent to the manager whenever a call connects, or clears, or a failed call attempt is determined to have ultimately failed. In the event that call retry is active, then this is after all retry attempts have failed. However, only one such notification is sent in between successful call attempts; subsequent call attempts do not generate notifications of this type.

chan-not-avail

(Optional) Controls SNMP ISDN channel-not-available notifications. ISDN PRI channel-not-available traps are generated when a requested DS-0 channel is not available, or when there is no modem available to take the incoming call. These notifications are available only for ISDN PRI interfaces.

isdnu-interface

(Optional) Controls SNMP ISDN U interface notifications.

layer2

(Optional) Controls SNMP ISDN layer2 transition notifications.

Defaults
SNMP notifications are disabled by default. If you enter this command with none of the optional keywords, all available notifications are enabled.

Command Modes
Global configuration

Command History
Release Modification

10.3

The snmp-server enable traps isdn command was introduced.

11.3

The call-information and isdnu-interface keywords were added for the Cisco 1600 series router.

12.0

Support for the call-information and isdnu-interface keywords was introduced for most voice platforms.

12.1(5)T

Support for the isdn chan-not-available option was added for the Cisco AS5300, Cisco AS5400, and Cisco AS5800 access servers only.

Usage Guidelines
SNMP notifications can be sent as traps or inform requests. This command enables both traps and inform requests for the specified notification types. ISDN notifications are defined in the CISCO-ISDN-MIB.my and CISCO-ISDNU-IF-MIB.my files, available on Cisco.com at http://www.cisco.com/public/mibs/v2/. Availability of notifications will depend on your platform. To see what notifications are available, use the snmp-server enable traps isdn ? command. If you do not enter an snmp-server enable traps isdn command, no notifications controlled by this command are sent. In order to configure the router to send these SNMP notifications, you must enter at least one snmp-server enable traps isdn command. If you enter the command with no keywords, all notification types are enabled. If you enter the command with a keyword, only the notification type related to that keyword is enabled. The snmp-server enable traps snmp command is used in conjunction with the snmp-server host command. Use the snmp-server host command to specify which host or hosts receive SNMP notifications. To send SNMP notifications, you must configure at least one snmp-server host command.

Examples
The following example shows the checking of what notification types are available on a Cisco AS5300, and the enabling of channel-not-available and layer2 informs:
NAS(config)#snmp-server enable traps isdn ?
  call-information  Enable SNMP isdn call information traps
  chan-not-avail    Enable SNMP isdn channel not avail traps
  layer2            Enable SNMP isdn layer2 transition traps
  <cr>
NAS(config)#snmp-server enable traps isdn chan-not-avail layer2
NAS(config)#snmp-server host myhost.cisco.com informs version 2c public isdn

Related Commands
Command Description

snmp-server enable traps

Enables all available SNMP notifications on your system.

snmp-server host

Specifies the recipient of an SNMP notification operation.

snmp-server informs

Specifies inform request options.

snmp-server trap-source

Specifies the interface that an SNMP trap should originate from.

snmp-server enable traps repeater


To enable or disable standard repeater (hub) Simple Network Management Protocol (SNMP) notifications, use the snmp-server enable traps repeater global configuration command. To disable repeater notifications, use the no form of this command.
snmp-server enable traps repeater [health] [reset] no snmp-server enable traps repeater [health] [reset]

Syntax Description
health (Optional) The rptrHealth trap conveys information related to the operational status of the repeater. This trap is sent either when the value of rptrOperStatus changes, or upon completion of a non-disruptive test. The rptrOperStatus object indicates the operational state of the repeater. Status values are as follows:

other(1): undefined or unknown status
ok(2): no known failures
rptrFailure(3): repeater-related failure
groupFailure(4): group-related failure
portFailure(5): port-related failure
generalFailure(6): failure, unspecified type

reset

(Optional) The rptrResetEvent trap is sent on completion of a repeater reset action (triggered by the transition to a START state by a manual command). The rptrResetEvent trap is not sent when the agent restarts and sends an SNMP coldStart or warmStart trap.

Defaults
SNMP notifications are disabled by default. If no keywords are specified, all repeater notifications available on your system are enabled or disabled.

Command Modes
Global configuration

Command History
Release Modification

11.1

This command was introduced.

Usage Guidelines
SNMP notifications can be sent as traps or inform requests. This command enables both traps and inform requests.

This command controls (enables or disables) Repeater MIB notifications, as defined in RFC 1516. RFC 1516 defines objects for managing IEEE 802.3 10 Mbps baseband repeaters, also known as hubs. There are two sets of notifications available for this command. The following notification is defined in the CISCO-REPEATER-MIB (enterprise 1.3.6.1.4.1.9.9.22.3):

(1) ciscoRptrIllegalAddrTrap (illegal source address trap)

The following notifications are defined in the CISCO-REPEATER-MIB-V1SMI (enterprise 1.3.6.1.2.1.22):

(1) rptrHealth
(2) rptrGroupChange
(3) rptrResetEvent

For a complete description of the repeater notifications and additional MIB functions, refer to the CISCO-REPEATER-MIB.my and CISCO-REPEATER-MIB-V1SMI.my files, available on Cisco.com at http://www.cisco.com/public/mibs/. The snmp-server enable traps repeater command is used in conjunction with the snmp-server host command. Use the snmp-server host command to specify which host or hosts receive SNMP notifications. To send SNMP notifications, you must configure at least one snmp-server host command.

Examples
The following example enables the router to send repeater inform notifications to the host at the address myhost.cisco.com using the community string defined as public:
Router(config)# snmp-server enable traps repeater
Router(config)# snmp-server host myhost.cisco.com informs version 2c public

Related Commands
Command Description

snmp-server host

Specifies the recipient of an SNMP notification operation.

snmp-server trap-source

Specifies the interface that an SNMP trap should originate from.

snmp-server enable traps snmp


To enable the sending of RFC 1157 Simple Network Management Protocol (SNMP) notifications, use the snmp-server enable traps snmp global configuration command. To disable RFC 1157 SNMP notifications, use the no form of this command.
snmp-server enable traps snmp [authentication] [linkup] [linkdown] [coldstart] [warmstart] no snmp-server enable traps snmp [authentication] [linkup] [linkdown] [coldstart] [warmstart]

Syntax Description
authentication (Optional) Controls the sending of SNMP authentication failure notifications. An authenticationFailure(4) trap signifies that the sending device is the addressee of a protocol message that is not properly authenticated. The authentication method depends on the version of SNMP being used. For SNMPv1 or SNMPv2c, authentication failure occurs for packets with an incorrect community string. For SNMPv3, authentication failure occurs for packets with an incorrect SHA/MD5 authentication key or for a packet that is outside of the authoritative SNMP engine's window (for example, falls outside of configured access lists or time ranges).

linkup

(Optional) Controls the sending of SNMP linkUp notifications. A linkUp(3) trap signifies that the sending device recognizes that one of the communication links represented in the agent's configuration has come up.

linkdown

(Optional) Controls the sending of SNMP linkDown notifications. A linkDown(2) trap signifies that the sending device recognizes a failure in one of the communication links represented in the agent's configuration.

coldstart

(Optional) Controls the sending of SNMP coldStart notifications. A coldStart(0) trap signifies that the sending device is reinitializing itself such that the agent's configuration or the protocol entity implementation may be altered.

warmstart

(Optional) Controls the sending of SNMP warmStart notifications. A warmStart(1) trap signifies that the sending device is reinitializing itself such that neither the agent configuration nor the protocol entity implementation is altered.

Defaults
SNMP notifications are disabled by default. If you enter this command with none of the optional keywords, all RFC 1157 SNMP notifications are enabled (or disabled, if using the no form).

Command Modes
Global configuration

Command History
Release Modification

11.3

The snmp-server enable traps snmp authentication command was introduced. This command replaced the snmp-server trap-authentication command.

12.1(3)T

The following keywords were added: linkup, linkdown, coldstart.

12.1(5)T

The warmstart keyword was added.

Usage Guidelines
SNMP notifications can be sent as traps or inform requests. This command enables both traps and inform requests for the specified notification types. If you do not enter an snmp-server enable traps snmp command, no notifications controlled by this command are sent. In order to configure the router to send these SNMP notifications, you must enter at least one snmp-server enable traps snmp command. If you enter the command with no keywords, all notification types are enabled. If you enter the command with a keyword, only the notification type related to that keyword is enabled. The snmp-server enable traps snmp command is used in conjunction with the snmp-server host command. Use the snmp-server host command to specify which host or hosts receive SNMP notifications. In order to send notifications, you must configure at least one snmp-server host command. For a host to receive a notification controlled by this command, both the snmp-server enable traps command and the snmp-server host command for that host must be enabled. If the notification type is not controlled by this command, just the appropriate snmp-server host command must be enabled. The snmp-server enable traps snmp [ linkup] [linkdown] form of this command globally enables or disables SNMP linkUp and linkDown traps. After enabling either of these traps globally, you can disable these traps on specific interfaces using the no snmp trap link-status command in interface configuration mode. Note that on the interface level, linkUp and linkDown traps are enabled by default. This means that you do not have to enable these notifications on a per-interface basis. However, linkUp and linkDown notifications will not be sent unless you enable them globally using the snmp-server enable traps snmp command.

Examples
The following example enables the router to send all traps to the host myhost.cisco.com, using the community string defined as public:
Router(config)# snmp-server enable traps snmp
Router(config)# snmp-server host myhost.cisco.com public snmp

The following example enables the router to send all inform notifications to the host myhost.cisco.com using the community string defined as public:
Router(config)# snmp-server enable traps snmp
Router(config)# snmp-server host myhost.cisco.com informs version 2c public snmp

The following example shows the enabling of all SNMP trap types, then the disabling of only the linkUp and linkDown traps:

Router> enable
Password:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# snmp-server enable traps snmp
Router(config)# end
Router# more system:running-config | include traps snmp
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# no snmp-server enable traps snmp linkup linkdown
Router(config)# end
Router# more system:running-config | include traps snmp
snmp-server enable traps snmp authentication coldstart warmstart

Related Commands
Command Description

snmp-server enable traps

Enables all available SNMP notifications on your system.

snmp-server host

Specifies the recipient of an SNMP notification operation.

snmp-server informs

Specifies inform request options.

snmp-server trap-source

Specifies the interface that an SNMP trap should originate from.

snmp-server enable traps voice poor-qov


To enable poor quality of voice Simple Network Management Protocol (SNMP) notifications, use the snmp-server enable traps voice poor-qov global configuration command. To disable poor quality of voice SNMP notifications, use the no form of this command.
snmp-server enable traps voice poor-qov no snmp-server enable traps voice poor-qov

Syntax Description
This command has no arguments or keywords.

Defaults
SNMP notifications are disabled by default.

Command Modes
Global configuration

Command History
Release Modification

12.1(3)T

This command was introduced for the Cisco AS5300 and Cisco AS5800.

Usage Guidelines
SNMP notifications can be sent as traps or inform requests. This command enables both traps and inform requests. This command controls (enables or disables) poor-quality-of-voice notifications. The poor-quality-of-voice notification is defined in the CISCO-VOICE-DIAL-CONTROL-MIB (enterprise 1.3.6.1.4.1.9.9.63.2) as: (1) cvdcPoorQoVNotification. For a complete description of this notification and additional MIB functions, see the CISCO-VOICE-DIAL-CONTROL-MIB.my file, available on Cisco.com at http://www.cisco.com/public/mibs/v2/. The snmp-server enable traps voice poor-qov command is used in conjunction with the snmp-server host command. Use the snmp-server host command to specify which host or hosts receive SNMP notifications. To send SNMP notifications, you must configure at least one snmp-server host command.

Examples
The following example enables the router to send poor-quality-of-voice informs to the host at the address myhost.cisco.com using the community string defined as public:
Router(config)# snmp-server enable traps voice poor-qov
Router(config)# snmp-server host myhost.cisco.com informs version 2c public

Related Commands
Command Description

snmp-server host

Specifies the recipient of an SNMP notification operation.

snmp-server trap-source

Specifies the interface that an SNMP trap should originate from.

snmp-server enable traps


To enable all Simple Network Management Protocol (SNMP) notifications (traps or informs) available on your system, use the snmp-server enable traps global configuration command. To disable all available SNMP notifications, use the no form of this command.
snmp-server enable traps [notification-type] no snmp-server enable traps [notification-type]

Syntax Description
notification-type (Optional) Type of notification (trap or inform) to enable or disable. If no type is specified, all notifications available on your device are enabled or disabled. The notification type can be one of the following keywords:

config: Controls configuration notifications, as defined in the CISCO-CONFIG-MAN-MIB (enterprise 1.3.6.1.4.1.9.9.43.2). The notification type is: (1) ciscoConfigManEvent.

dlsw [circuit | tconn]: Controls DLSw notifications, as defined in the CISCO-DLSW-MIB (enterprise 1.3.6.1.4.1.9.10.9.1.7). When the dlsw keyword is used, you can specify the specific notification types you wish to enable or disable. If no keyword is used, all DLSw notification types are enabled. The option can be one of the following keywords:

    circuit: Enables DLSw circuit traps: (5) ciscoDlswTrapCircuitUp (6) ciscoDlswTrapCircuitDown

    tconn: Enables DLSw peer transport connection traps: (1) ciscoDlswTrapTConnPartnerReject (2) ciscoDlswTrapTConnProtViolation (3) ciscoDlswTrapTConnUp (4) ciscoDlswTrapTConnDown

ds0-busyout: Sends a notification whenever the busyout of a DS0 interface changes state (Cisco AS5300 platform only). This notification type is defined in the CISCO-POP-MGMT-MIB (enterprise 1.3.6.1.4.1.9.10.19.2) as: (1) cpmDS0BusyoutNotification.

ds1-loopback: Sends a notification whenever the DS1 interface goes into loopback mode (Cisco AS5300 platform only). This notification type is defined in the CISCO-POP-MGMT-MIB (enterprise 1.3.6.1.4.1.9.10.19.2) as: (2) cpmDS1LoopbackNotification.

entity: Controls Entity MIB modification notifications. This notification type is defined in the ENTITY-MIB (enterprise 1.3.6.1.2.1.47.2) as: (1) entConfigChange.

hsrp: Controls Hot Standby Routing Protocol (HSRP) notifications, as defined in the CISCO-HSRP-MIB (enterprise 1.3.6.1.4.1.9.9.106.2). The notification type is: (1) cHsrpStateChange.

ipmulticast: Controls IP Multicast notifications.

modem-health: Controls modem-health notifications.

rsvp: Controls Resource Reservation Protocol (RSVP) notifications.

rtr: Controls Service Assurance Agent / Response Time Reporter (RTR) notifications.

syslog: Controls error message notifications (Cisco Syslog MIB). Specify the level of messages to be sent with the logging history level command.

xgcp: Sends External Media Gateway Control Protocol (XGCP) notifications. This notification type is defined in the XGCP-MIB-V1SMI.my file (enterprise 1.3.6.1.3.90.2) as: (1) xgcpUpDownNotification.

Defaults
This command is disabled by default. Most notification types are disabled. However, some notification types cannot be controlled with this command. If you enter this command with no notification-type keywords, the default is to enable all notification types controlled by this command.

Command Modes
Global configuration

Command History
Release Modification

10.3

This command was introduced with the frame-relay, isdn, and envmon trap types.

12.0(2)T

The rsvp keyword was added.

12.0(3)T

The hsrp keyword was added.

Usage Guidelines
For additional notification types, see the Related Commands table for this command. SNMP notifications can be sent as traps or inform requests. This command enables both traps and inform requests for the specified notification types. To specify whether the notifications should be sent as traps or informs, use the snmp-server host [traps | informs] command. If you do not enter an snmp-server enable traps command, no notifications controlled by this command are sent. In order to configure the router to send these SNMP notifications, you must enter at least one snmp-server enable traps command. If you enter the command with no keywords, all notification types are enabled. If you enter the command with a keyword, only the notification type related to that keyword is enabled. In order to enable multiple types of notifications, you must issue a separate snmp-server enable traps command for each notification type and notification option. The snmp-server enable traps command is used in conjunction with the snmp-server host command. Use the snmp-server host command to specify which host or hosts receive SNMP notifications. In order to send notifications, you must configure at least one snmp-server host command.

Examples
The following example enables the router to send all traps to the host specified by the name myhost.cisco.com, using the community string defined as public:
Router(config)# snmp-server enable traps
Router(config)# snmp-server host myhost.cisco.com public

The following example enables the router to send Frame Relay and environmental monitor traps to the host myhost.cisco.com using the community string public:
Router(config)# snmp-server enable traps frame-relay
Router(config)# snmp-server enable traps envmon temperature
Router(config)# snmp-server host myhost.cisco.com public

The following example will not send traps to any host. The BGP traps are enabled for all hosts, but the only traps enabled to be sent to a host are ISDN traps (which are not enabled in this example).

Router(config)# snmp-server enable traps bgp
Router(config)# snmp-server host bob public isdn

The following example enables the router to send all inform requests to the host at the address myhost.cisco.com, using the community string defined as public:
Router(config)# snmp-server enable traps
Router(config)# snmp-server host myhost.cisco.com informs version 2c public

The following example sends HSRP MIB traps to the host myhost.cisco.com using the community string public.
Router(config)# snmp-server enable traps hsrp
Router(config)# snmp-server host myhost.cisco.com traps version 2c public hsrp
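
The usage guidelines for snmp-server enable traps snmp and for snmp-server enable traps above both state the same two-part rule: a notification reaches a host only if its type is enabled globally and the host line either names that type or names no type at all. The following Python audit script is an added example, not Cisco code; it reads snmp-server lines from a running-config, reports which types reach each receiver, and flags receivers that will never get anything (the bgp/isdn example above) or that use cleartext SNMPv1/v2c with well-known community strings. Function names, the collapsing of sub-keywords such as envmon temperature to their type, and the sample configs are my assumptions.

```python
"""Audit which SNMP notifications actually reach each receiver in an IOS
running-config (added example, not Cisco code).

Rule modelled: a type is sent to a host only if it is enabled globally by
'snmp-server enable traps' AND the 'snmp-server host' line lists that type
or lists no types at all.  Simplifications: sub-keywords such as
'envmon temperature' or 'snmp linkup' are collapsed to their type, and
notification types not controlled by 'snmp-server enable traps' are ignored.
"""
from typing import Dict, List, Set, Tuple

ALL = "*"   # 'snmp-server enable traps' with no type enables every type

# (host, traps|informs, version, community, set of listed notification types)
HostLine = Tuple[str, str, str, str, Set[str]]


def parse_host_line(tokens: List[str]) -> HostLine:
    """Parse the tokens after 'snmp-server host':
    host [traps | informs] [version {1 | 2c | 3 [auth | noauth | priv]}]
    community [udp-port port] [notification-type ...]"""
    host, i = tokens[0], 1
    kind = "traps"                                   # IOS default
    if i < len(tokens) and tokens[i] in ("traps", "informs"):
        kind, i = tokens[i], i + 1
    version = "1"                                    # IOS default
    if i < len(tokens) and tokens[i] == "version":
        version, i = tokens[i + 1], i + 2
        if version == "3" and i < len(tokens) and tokens[i] in ("auth", "noauth", "priv"):
            i += 1                                   # security level, not a type
    community, i = tokens[i], i + 1
    if i < len(tokens) and tokens[i] == "udp-port":
        i += 2
    return host, kind, version, community, set(tokens[i:])


def parse_running_config(config: str) -> Tuple[Set[str], List[HostLine]]:
    """Collect globally enabled types and receiver lines from config text."""
    enabled: Set[str] = set()
    hosts: List[HostLine] = []
    for raw in config.splitlines():
        tokens = raw.split()
        if tokens[:3] == ["snmp-server", "enable", "traps"]:
            enabled.add(tokens[3] if len(tokens) > 3 else ALL)
        elif tokens[:2] == ["snmp-server", "host"] and len(tokens) >= 4:
            hosts.append(parse_host_line(tokens[2:]))
    return enabled, hosts


def deliveries(config: str) -> Dict[str, List[str]]:
    """Map each receiver to the sorted notification types that reach it
    ('*' meaning every type the device supports)."""
    enabled, hosts = parse_running_config(config)
    result: Dict[str, List[str]] = {}
    for host, _kind, _version, _community, listed in hosts:
        if ALL in enabled:
            reaching = listed if listed else {ALL}
        else:
            reaching = (enabled & listed) if listed else set(enabled)
        result[host] = sorted(reaching)
    return result


def findings(config: str) -> List[str]:
    """Defender checks: receivers that will never get a notification, and
    receivers configured with cleartext v1/v2c or well-known communities."""
    out: List[str] = []
    reach = deliveries(config)
    for host, kind, version, community, listed in parse_running_config(config)[1]:
        if not reach[host]:
            why = (f"type list {sorted(listed)} matches nothing enabled" if listed
                   else "no notification type is enabled globally")
            out.append(f"{host}: receives nothing ({why})")
        if version != "3":
            out.append(f"{host}: SNMPv{version} {kind} carry community '{community}' in cleartext")
        if community.lower() in ("public", "private"):
            out.append(f"{host}: well-known community string '{community}'")
    return out


# Constructed sample built from the examples in this reference: BGP is enabled
# globally but the only receiver is filtered to ISDN, so nothing is ever sent.
SILENT_CONFIG = """\
snmp-server enable traps bgp
snmp-server host bob public isdn
"""

if __name__ == "__main__":
    print(deliveries(SILENT_CONFIG))     # {'bob': []}
    for line in findings(SILENT_CONFIG):
        print(line)
```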

Related Commands
Command Description

snmp-server enable traps atm pvc

Controls (enables or disables) ATM PVC SNMP notifications.

snmp-server enable traps bgp

Controls (enables or disables) BGP server state change SNMP notifications.

snmp-server enable traps calltracker

Controls (enables or disables) Call Tracker callSetup and callTerminate SNMP notifications.

snmp-server enable traps envmon

Controls (enables or disables) environmental monitor SNMP notifications.

snmp-server enable traps frame-relay

Controls (enables or disables) Frame Relay DLCI link status change SNMP notifications.

snmp-server enable traps isdn

Controls (enables or disables) ISDN SNMP notifications.

snmp-server enable traps snmp

Controls (enables or disables) RFC 1157 SNMP notifications.

snmp-server enable traps repeater

Controls (enables or disables) RFC 1516 Hub notifications.

snmp-server host

Specifies whether you want the SNMP notifications sent as traps or informs, the version of SNMP to use, the security level of the notifications (for SNMPv3), and the recipient (host) of the notifications.

snmp-server informs

Specifies inform request options.

snmp-server trap-source

Specifies the interface (and hence the corresponding IP address) that an SNMP trap should originate from.

snmp trap illegal-address

Issues an SNMP trap when a MAC address violation is detected on an Ethernet hub port of a Cisco 2505, Cisco 2507, or Cisco 2516 router.

snmp-server engineID
To configure a name for either the local or remote Simple Network Management Protocol (SNMP) engine on the router, use the snmp-server engineID global configuration command. To remove a specified SNMP group, use the no form of this command.
snmp-server engineID {local engineid-string | remote ip-address [udp-port port] engineid-string}
no snmp-server engineID

Syntax Description
local Specifies the local copy of SNMP on the router. (You must specify either local or remote.)

engineid-string

The name of a copy of SNMP.

remote

Specifies the remote copy of SNMP on the router. (You must specify either local or remote.)

ip-address

The IP address of the device that contains the remote copy of SNMP.

udp-port

(Optional) Specifies a UDP port of the host to use.

port

(Optional) The socket number on the remote device that contains the remote copy of SNMP.

Defaults
There is no default engineID. The default udp-port for remote engines is 161.

Command Modes
Global configuration

Command History
Release Modification

12.0(3)T

This command was introduced.

Usage Guidelines
Note that you need not specify the entire 24-character engine ID if it contains trailing zeros. Specify only the portion of the engine ID up until the point where only zeros remain in the value. To configure an engine ID of 123400000000000000000000, you can specify the value 1234, for example, snmp-server engineID local 1234.

Changing the value of snmpEngineID has important side effects. A user's password (entered on the command line) is converted to an MD5 or SHA security digest. This digest is based on both the password and the local engine ID. The command-line password is then destroyed, as required by RFC 2274. Because of this deletion, if the local value of engineID changes, the security digests of SNMPv3 users will be invalid, and the users will have to be reconfigured. Similar restrictions require the reconfiguration of community strings when the engine ID changes.

A remote engine ID is required when an SNMPv3 inform is configured. The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host. Refer to the examples in the Configuring Informs section of the snmp-server host command reference page.

Related Commands
Command Description

show snmp engineID

Displays the identification of the local SNMP engine and all remote engines that have been configured on the router.

snmp-server host

Specifies the recipient (SNMP manager) of an SNMP trap notification.

snmp-server group
To configure a new Simple Network Management Protocol (SNMP) group, or a table that maps SNMP users to SNMP views, use the snmp-server group global configuration command. To remove a specified SNMP group, use the no form of this command.
snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview] [access access-list]
no snmp-server group

Syntax Description
groupname The name of the group.

v1

The least secure of the possible security models.

v2c

The second least secure of the possible security models. It allows for the transmission of informs and Counter64, which allows for integers twice the width of what is normally allowed.

v3

The most secure of the possible security models.

auth

Specifies authentication of a packet without encrypting it.

noauth

Specifies no authentication of a packet.

priv

Specifies authentication of a packet with encryption.

read

(Optional) The option that allows you to specify a read view.

readview

A string (not to exceed 64 characters) that is the name of the view that enables you only to view the contents of the agent.

write

(Optional) The option that allows you to specify a write view.

writeview

A string (not to exceed 64 characters) that is the name of the view that enables you to enter data and configure the contents of the agent.

notify

(Optional) The option that allows you to specify a notify view.

notifyview

A string (not to exceed 64 characters) that is the name of the view that enables you to specify a notify, inform, or trap.

access

(Optional) The option that enables you to specify an access list.

access-list

A string (not to exceed 64 characters) that is the name of the access list.

Defaults
Table 106 describes default values for the different views.
Table 106 snmp-server group Default Descriptions

Default Definition

readview Assumed to be every object belonging to the Internet (1.3.6.1) OID space, unless the user uses the read option to override this state.

writeview Nothing is defined for the write view (that is, the null OID). You must configure write access.

notifyview Nothing is defined for the notify view (that is, the null OID). If a view is specified, any notifications in that view that are generated will be sent to all users associated with the group (provided an SNMP server host configuration exists for the user).

Command Modes
Global configuration

Command History
Release Modification

11.(3)T

This command was introduced.

Usage Guidelines
When a community string is configured internally, two groups with the name public are autogenerated, one for the v1 security model and the other for the v2c security model. Similarly, deleting a community string will delete a v1 group with the name public and a v2c group with the name public.
Configuring Notify Views

Do not specify a notify view when configuring an SNMP group, for the following reason:

The snmp-server host command autogenerates a notify view for the user and then adds it to the group associated with that user. Modifying the group's notify view affects all users associated with that group.

The notifyview option is available for two reasons:

- If a group has a notify view that is set using SNMP, you may need to change the notify view.
- The snmp-server host command may have been configured before the snmp-server group command. In this case, you must either reconfigure the snmp-server host command or specify the appropriate notify view.

Instead of specifying the notify view for a group as part of the snmp-server group command, use the following commands in global configuration mode:
Step Command Purpose

1. snmp-server user Configures an SNMP user.

2. snmp-server group Configures an SNMP group, without adding a notify view.

3. snmp-server host Autogenerates the notify view by specifying the recipient of a trap operation.

Working with Passwords and Digests

No default values exist for authentication or privacy algorithms when you configure the command. Also, no default passwords exist. The minimum length for a password is one character, although Cisco recommends using eight characters for security. If you forget a password, you cannot recover it and will need to reconfigure the user. You can specify either a plain-text password or a localized MD5 digest. The following example shows how to enter the plain-text password arizona2 for user John in group Johngroup:
snmp-server user John Johngroup v3 auth md5 arizona2

When you enter a show running-config command, you will not see a line for this user. To see if this user has been added to the configuration, type the show snmp user command. If you have the localized MD5 or SHA digest, you can specify that string instead of the plain-text password. The digest should be formatted as aa:bb:cc:dd where aa, bb, and cc are hex values. Also, the digest should be exactly 16 octets long. The following example shows how to specify the command with a digest name of 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:
Router(config)# snmp-server user John Johngroup v3 encrypted auth md5 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
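The digest derivation that the snmp-server engineID usage guidelines and the Working with Passwords and Digests section describe, as an added example that is not Cisco's code: it implements the RFC 3414 (the successor of RFC 2274, same algorithm) password-to-key stretching and engine-ID localization, so you can see why a changed engine ID invalidates every SNMPv3 user's stored digest, and formats the result in the aa:bb:cc:... form that the encrypted auth md5 variant accepts. The function names are assumptions; the check uses the RFC 3414 appendix test vector (password "maplesyrup", engine ID ending in 02), not a value from this page.

```python
import hashlib

STRETCH_LEN = 1048576  # RFC 3414 A.2: the password is repeated to 1 MiB before hashing


def expand_engine_id(abbrev_hex: str) -> bytes:
    """Restore the 12-octet engine ID from the abbreviated form that
    snmp-server engineID accepts (trailing zeros may be omitted): 1234 -> 1234000...0."""
    if len(abbrev_hex) > 24:
        raise ValueError("engine ID is at most 24 hex characters (12 octets)")
    return bytes.fromhex(abbrev_hex.ljust(24, "0"))


def password_to_key(password: str, algo: str = "md5") -> bytes:
    """RFC 3414 A.2.1 / A.2.2: Ku = H(password repeated cyclically to 1,048,576 bytes)."""
    pw = password.encode()
    if not pw:
        raise ValueError("password must be at least one character")
    stretched = (pw * (STRETCH_LEN // len(pw) + 1))[:STRETCH_LEN]
    return hashlib.new(algo, stretched).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku). The agent stores this localized digest,
    not the password, so the stored value is bound to one engine ID."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def localized_digest(password: str, engine_id_hex: str, algo: str = "md5") -> bytes:
    """Password plus (possibly abbreviated) engine ID -> localized digest."""
    return localize_key(password_to_key(password, algo), expand_engine_id(engine_id_hex), algo)


def ios_digest_string(key: bytes) -> str:
    """Colon-separated upper-case hex, the form used by
    snmp-server user ... encrypted auth md5 aa:bb:cc:..."""
    return ":".join(f"{b:02X}" for b in key)


def engine_change_invalidates(password: str, old_hex: str, new_hex: str, algo: str = "md5") -> bool:
    """True when a new engine ID yields a different stored digest, i.e. the
    user must be reconfigured (the side effect the usage guidelines warn about)."""
    return localized_digest(password, old_hex, algo) != localized_digest(password, new_hex, algo)


if __name__ == "__main__":
    # RFC 3414 appendix A.3 test vector (constructed input, not a real credential)
    engine = "000000000000000000000002"
    for algo in ("md5", "sha1"):
        print(algo, ios_digest_string(localized_digest("maplesyrup", engine, algo)))
    print(expand_engine_id("1234").hex())                          # 1234 padded to 12 octets
    print(engine_change_invalidates("maplesyrup", engine, "1234"))  # True
```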

Related Commands
Command Description

show snmp group

Displays the names of groups on the router and the security model, the status of the different views, and the storage type of each group.

snmp-server host
To specify the recipient of a Simple Network Management Protocol (SNMP) notification operation, use the snmp-server host global configuration command. To remove the specified host, use the no form of this command.
snmp-server host host-addr [traps | informs] [version {1 | 2c | 3 [auth | noauth | priv]}] community-string [udp-port port] [notification-type]
no snmp-server host host [traps | informs]

Syntax Description
host-addr Name or Internet address of the host (the targeted recipient).

traps

(Optional) Sends SNMP traps to this host. This is the default.

informs

(Optional) Sends SNMP informs to this host.

version

(Optional) Version of the SNMP used to send the traps. Version 3 is the most secure model, because it allows packet encryption with the priv keyword. If you use the version keyword, one of the following must be specified:

1: SNMPv1. This option is not available with informs.
2c: SNMPv2C.
3: SNMPv3. The following three optional keywords can follow the version 3 keyword:

auth (Optional). Enables Message Digest 5 (MD5) and Secure Hash Algorithm (SHA) packet authentication.
noauth (Default). The noAuthNoPriv security level. This is the default if the [auth | noauth | priv] keyword choice is not specified.
priv (Optional). Enables Data Encryption Standard (DES) packet encryption (also called "privacy").

community-string

Password-like community string sent with the notification operation. Though you can set this string using the snmp-server host command by itself, we recommend you define this string using the snmp-server community command prior to using the snmp-server host command.

udp-port port

(Optional) UDP port of the host to use. The default is 162.

notification-type

(Optional) Type of notification to be sent to the host. If no type is specified, all notifications are sent. The notification type can be one or more of the following keywords:

bgp: Sends Border Gateway Protocol (BGP) state change notifications.
calltracker: Sends Call Tracker call-start/call-end notifications.
config: Sends configuration notifications.
dspu: Sends downstream physical unit (DSPU) notifications.
entity: Sends Entity MIB modification notifications.
envmon: Sends Cisco enterprise-specific environmental monitor notifications when an environmental threshold is exceeded.
frame-relay: Sends Frame Relay notifications.
hsrp: Sends Hot Standby Routing Protocol (HSRP) notifications.
isdn: Sends Integrated Services Digital Network (ISDN) notifications.
llc2: Sends Logical Link Control, type 2 (LLC2) notifications.
repeater: Sends standard repeater (hub) notifications.
rsrb: Sends remote source-route bridging (RSRB) notifications.
rsvp: Sends Resource Reservation Protocol (RSVP) notifications.
rtr: Sends SA Agent (RTR) notifications.
sdlc: Sends Synchronous Data Link Control (SDLC) notifications.
sdllc: Sends SDLLC notifications.
snmp: Sends any enabled RFC 1157 SNMP linkUp, linkDown, authenticationFailure, warmStart, and coldStart notifications.
stun: Sends serial tunnel (STUN) notifications.
syslog: Sends error message notifications (Cisco Syslog MIB). Specify the level of messages to be sent with the logging history level command.
tty: Sends Cisco enterprise-specific notifications when a Transmission Control Protocol (TCP) connection closes.
voice: Sends SNMP poor quality of voice traps, when used with the snmp enable peer-trap poor qov command.
x25: Sends X.25 event notifications.

Defaults
This command is disabled by default. No notifications are sent. If you enter this command with no keywords, the default is to send all trap types to the host. No informs will be sent to this host. If no version keyword is present, the default is version 1. The no snmp-server host command with no keywords will disable traps, but not informs, to the host. In order to disable informs, use the no snmp-server host informs command.
Note If the community-string is not defined using the snmp-server community command prior to using this command, the default form of the snmp-server community command will automatically be inserted into the configuration. The password (community-string) used for this automatic configuration of the snmp-server community will be the same as specified in the snmp-server host command. This is the default behavior for Cisco IOS Release 12.0(3) and later.

Command Modes
Global configuration

Command History
Release Modification

10.0

This command was introduced.

12.0(3)T

The following keywords were added:

version 3 [auth | noauth | priv]

hsrp

11.3(1) MA, 12.0(3)T

The voice notification-type keyword was added.

12.1(3)T

The calltracker notification-type keyword was added for the Cisco AS5300 and AS5800 platforms.

Usage Guidelines
SNMP notifications can be sent as traps or inform requests. Traps are unreliable because the receiver does not send acknowledgments when it receives traps. The sender cannot determine if the traps were received. However, an SNMP entity that receives an inform request acknowledges the message with an SNMP response PDU. If the sender never receives the response, the inform request can be sent again. Thus, informs are more likely to reach their intended destination.

However, informs consume more resources in the agent and in the network. Unlike a trap, which is discarded as soon as it is sent, an inform request must be held in memory until a response is received or the request times out. Also, traps are sent only once, while an inform may be retried several times. The retries increase traffic and contribute to a higher overhead on the network.

If you do not enter an snmp-server host command, no notifications are sent. In order to configure the router to send SNMP notifications, you must enter at least one snmp-server host command. If you enter the command with no keywords, all trap types are enabled for the host. In order to enable multiple hosts, you must issue a separate snmp-server host command for each host. You can specify multiple notification types in the command for each host. When multiple snmp-server host commands are given for the same host and kind of notification (trap or inform), each succeeding command overwrites the previous command. Only the last snmp-server host command will be in effect. For example, if you enter an snmp-server host inform command for a host and then enter another snmp-server host inform command for the same host, the second command will replace the first.

The snmp-server host command is used in conjunction with the snmp-server enable command. Use the snmp-server enable command to specify which SNMP notifications are sent globally. For a host to receive most notifications, at least one snmp-server enable command and the snmp-server host command for that host must be enabled. However, some notification types cannot be controlled with the snmp-server enable command. For example, some notification types are always enabled. Other notification types are enabled by a different command. For example, the linkUpDown notifications are controlled by the snmp trap link-status command. These notification types do not require an snmp-server enable command.

A notification-type option's availability depends on the router type and Cisco IOS software features supported on the router. For example, the envmon notification-type is available only if the environmental monitor is part of the system. To see what notification types are available on your system, use the command help ? at the end of the snmp-server host command.

Examples
If you want to configure a unique SNMP community string for traps, but you want to prevent SNMP polling access with this string, the configuration should include an access list. In the following example, the community string is named "comaccess" and the access list is numbered 10:
Router(config)# snmp-server community comaccess ro 10
Router(config)# snmp-server host 172.20.2.160 comaccess
Router(config)# access-list 10 deny any
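A configuration check for the trap-only pattern shown above and for the auto-inserted default community described in the Note under Defaults, as an added example that is not Cisco's own tooling: it parses snmp-server host, snmp-server community and access-list lines from a constructed running-config excerpt and reports notification community strings that would also allow polling or SET access. The regexes cover only the syntax forms shown on this page; the function names and sample addresses and strings are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample running-config excerpt; not taken from a real device.
SAMPLE_CONFIG = """\
snmp-server community comaccess ro 10
snmp-server community public RO
snmp-server community private RW
snmp-server host 172.20.2.160 comaccess
snmp-server host 172.30.2.160 public snmp envmon
snmp-server host 192.0.2.50 version 2c private
snmp-server host myhost.cisco.com informs version 2c trapsonly
snmp-server host 192.0.2.60 version 3 priv v3oper
access-list 10 deny any
"""

# snmp-server host host-addr [traps | informs] [version {1 | 2c | 3 [auth | noauth | priv]}]
#     community-string [udp-port port] [notification-type ...]
HOST_RE = re.compile(
    r"^snmp-server host\s+(?P<host>\S+)"
    r"(?:\s+(?P<kind>traps|informs))?"
    r"(?:\s+version\s+(?P<ver>1|2c|3)(?:\s+(?P<sec>auth|noauth|priv))?)?"
    r"\s+(?P<community>\S+)"
    r"(?:\s+udp-port\s+\d+)?"
    r"(?:\s+(?P<types>.+))?$"
)
# snmp-server community string [view view-name] [ro | rw] [access-list-number]
COMMUNITY_RE = re.compile(
    r"^snmp-server community\s+(?P<name>\S+)(?:\s+view\s+\S+)?"
    r"(?:\s+(?P<mode>ro|rw))?(?:\s+(?P<acl>\d+))?\s*$",
    re.IGNORECASE,
)
ACL_RE = re.compile(r"^access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\b", re.IGNORECASE)


def parse_config(text: str) -> Tuple[List[dict], Dict[str, dict], Dict[str, List[str]]]:
    """Collect notification hosts, community definitions and standard ACL entries."""
    hosts: List[dict] = []
    communities: Dict[str, dict] = {}
    acls: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := HOST_RE.match(line):
            hosts.append(m.groupdict())
        elif m := COMMUNITY_RE.match(line):
            # IOS treats a community with neither ro nor rw as read-only
            communities[m["name"]] = {"mode": (m["mode"] or "ro").lower(), "acl": m["acl"]}
        elif m := ACL_RE.match(line):
            acls.setdefault(m["num"], []).append(m["action"].lower())
    return hosts, communities, acls


def audit_trap_communities(text: str) -> Dict[str, List[str]]:
    """Per notification host, the reasons its credential is weaker than the
    trap-only pattern (read-only community plus an access list that denies polling)."""
    hosts, communities, acls = parse_config(text)
    findings: Dict[str, List[str]] = {}
    for h in hosts:
        issues: List[str] = []
        name = h["community"]
        if h["ver"] == "3":
            # With version 3 this field is an SNMPv3 user name, not a community string.
            findings[h["host"]] = issues
            continue
        comm = communities.get(name)
        if comm is None:
            issues.append(f"community '{name}' is not defined; IOS auto-inserts a default "
                          f"snmp-server community for it (read-only, no access list)")
        else:
            if comm["mode"] == "rw":
                issues.append(f"community '{name}' is read-write; a trap string should not grant SET access")
            if comm["acl"] is None:
                issues.append(f"community '{name}' has no access list; the trap string can also be used for polling")
            elif comm["acl"] not in acls:
                issues.append(f"access list {comm['acl']} used by '{name}' is not defined")
        findings[h["host"]] = issues
    return findings


if __name__ == "__main__":
    for host, issues in audit_trap_communities(SAMPLE_CONFIG).items():
        print(host, "OK" if not issues else "")
        for issue in issues:
            print("   -", issue)
```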

The following example sends RFC 1157 SNMP traps to the host specified by the name myhost.cisco.com. Other traps are enabled, but only SNMP traps are sent because only snmp is specified in the snmp-server host command. The community string is defined as comaccess.
Router(config)# snmp-server enable traps
Router(config)# snmp-server host myhost.cisco.com comaccess snmp

The following example sends the SNMP and Cisco environmental monitor enterprise-specific traps to address 172.30.2.160:
Router(config)# snmp-server enable traps snmp
Router(config)# snmp-server enable traps envmon
Router(config)# snmp-server host 172.30.2.160 public snmp envmon

The following example enables the router to send all traps to the host myhost.cisco.com using the community string public:
Router(config)# snmp-server enable traps
Router(config)# snmp-server host myhost.cisco.com public

The following example will not send traps to any host. The BGP traps are enabled for all hosts, but the only traps enabled to be sent to the host are ISDN traps, which are not enabled in this example.
Router(config)# snmp-server enable traps bgp
Router(config)# snmp-server host bob public isdn

The following example enables the router to send all inform requests to the host myhost.cisco.com using the community string public:
Router(config)# snmp-server enable traps
Router(config)# snmp-server host myhost.cisco.com informs version 2c public

The following example sends HSRP MIB informs to the host specified by the name myhost.cisco.com. The community string is defined as public.
Router(config)# snmp-server enable traps hsrp
Router(config)# snmp-server host myhost.cisco.com informs version 2c public hsrp

Related Commands
Command Description

snmp-server enable peer-trap poor qov

Enables poor quality of voice notifications for applicable calls associated with a specific voice dial peer.

snmp-server enable traps

Enables SNMP notifications (traps and informs).

snmp-server informs

Specifies inform request options.

snmp-server trap-source

Specifies the interface (and hence the corresponding IP address) that an SNMP trap should originate from.

snmp-server trap-timeout

Defines how often to try resending trap messages on the retransmission queue.

snmp-server informs
To specify inform request options, use the snmp-server informs global configuration command. To return the settings to the defaults, use the no form of this command.
snmp-server informs [retries retries] [timeout seconds] [pending pending]
no snmp-server informs [retries retries] [timeout seconds] [pending pending]

Syntax Description
retries retries (Optional) Maximum number of times to resend an inform request. The default is 3.

timeout seconds

(Optional) Number of seconds to wait for an acknowledgment before resending. The default is 30 seconds.

pending pending

(Optional) Maximum number of informs waiting for acknowledgments at any one time. When the maximum is reached, older pending informs are discarded. The default is 25.

Defaults
Inform requests are resent three times. Informs are resent after 30 seconds if no response is received. The maximum number of informs waiting for acknowledgments at any one time is 25.

Command Modes
Global configuration

Command History
Release Modification

11.3 T

This command was introduced.

Examples
The following example increases the pending queue size if you are seeing a large number of inform drops:
snmp-server informs pending 50

The following example increases the default timeout if you are sending informs over slow network links. Because informs will be sitting in the queue for a longer period of time, you may also need to increase the pending queue size.
snmp-server informs timeout 60 pending 40

The following example decreases the default timeout if you are sending informs over very fast links:
snmp-server informs timeout 5

The following example increases the retry count if you are sending informs over unreliable links. Because informs will be sitting in the queue for a longer period of time, you may need to increase the pending queue size.

snmp-server informs retries 10 pending 45

Related Commands
Command Description

snmp-server enable traps

Enables a router to send SNMP traps and informs.

snmp-server location
To set the system location string, use the snmp-server location global configuration command. To remove the location string, use the no form of this command.
snmp-server location text no snmp-server location

Syntax Description
text String that describes the system location information.

Defaults
No system location string is set.

Command Modes
Global configuration

Command History
Release Modification

10.0

This command was introduced.

Examples
The following example illustrates a system location string:
snmp-server location Building 3/Room 214

Related Commands
Command Description

snmp-server contact

Sets the system contact (sysContact) string.

snmp-server manager session-timeout


To set the amount of time before a nonactive session is destroyed, use the snmp-server manager session-timeout global configuration command. To return the value to its default, use the no form of this command.
snmp-server manager session-timeout seconds no snmp-server manager session-timeout

Syntax Description
seconds Number of seconds before an idle session is timed out. The default is 600 seconds.

Defaults
Idle sessions time out after 600 seconds (10 minutes).

Command Modes
Global configuration

Command History
Release Modification

11.3 T

This command was introduced.

Usage Guidelines
Sessions are created when the SNMP manager in the router sends SNMP requests, such as inform requests, to a host or receives SNMP notifications from a host. One session is created for each destination host. If there is no further communication between the router and host within the session timeout period, the session will be deleted.

The router tracks statistics, such as the average round-trip time required to reach the host, for each session. Using the statistics for a session, the SNMP manager in the router can set reasonable timeout periods for future requests, such as informs, for that host. If the session is deleted, all statistics are lost. If another session with the same host is later created, the request timeout value for replies will return to the default value. However, sessions consume memory. A reasonable session timeout value should be large enough such that regularly used sessions are not prematurely deleted, yet small enough such that irregularly used, or one-shot sessions, are purged expeditiously.

Examples
The following example sets the session timeout to a larger value than the default:
snmp-server manager session-timeout 1000

Related Commands
Command Description

show snmp pending

Displays the current set of pending SNMP requests.

show snmp sessions

Displays the current SNMP sessions.

snmp-server manager

Starts the SNMP manager process.

snmp-server manager
To start the Simple Network Management Protocol (SNMP) manager process, use the snmp-server manager global configuration command. To stop the SNMP manager process, use the no form of this command.
snmp-server manager no snmp-server manager

Syntax Description
This command has no arguments or keywords.

Defaults
Disabled

Command Modes
Global configuration

Command History
Release Modification

11.3 T

This command was introduced.

Usage Guidelines
The SNMP manager process sends SNMP requests to agents and receives SNMP responses and notifications from agents. When the SNMP manager process is enabled, the router can query other SNMP agents and process incoming SNMP traps. Most network security policies assume that routers will be accepting SNMP requests, sending SNMP responses, and sending SNMP notifications. With the SNMP manager functionality enabled, the router may also be sending SNMP requests, receiving SNMP responses, and receiving SNMP notifications. The security policy implementation may need to be updated prior to enabling this functionality. SNMP requests are typically sent to UDP port 161. SNMP responses are typically sent from UDP port 161. SNMP notifications are typically sent to UDP port 162.

Examples
The following example enables the SNMP manager process:
snmp-server manager

Related Commands
Command Description

show snmp

Checks the status of SNMP communications.

show snmp pending

Displays the current set of pending SNMP requests.

show snmp sessions

Displays the current SNMP sessions.

snmp-server manager session-timeout

Sets the amount of time before a nonactive session is destroyed.

snmp-server packetsize
To establish control over the largest Simple Network Management Protocol (SNMP) packet size permitted when the SNMP server is receiving a request or generating a reply, use the snmp-server packetsize global configuration command. To restore the default value, use the no form of this command.
snmp-server packetsize byte-count no snmp-server packetsize

Syntax Description
byte-count Integer byte count from 484 to 8192. The default is 1500 bytes.

Defaults
1500 bytes

Command Modes
Global configuration

Command History
Release Modification

10.0

This command was introduced.

Examples
The following example sets the maximum permitted SNMP packet size to 1024 bytes:
snmp-server packetsize 1024

Related Commands
Command Description

snmp-server queue-length

Establishes the message queue length for each trap host.

snmp-server queue-length
To establish the message queue length for each trap host, use the snmp-server queue-length global configuration command.
snmp-server queue-length length

Syntax Description
length Integer that specifies the number of trap events that can be held before the queue must be emptied.

Defaults
10 events

Command Modes
Global configuration

Command History
Release Modification

10.0

This command was introduced.

Usage Guidelines
This command defines the length of the message queue for each trap host. Once a trap message is successfully transmitted, software will continue to empty the queue, but never faster than at a rate of four trap messages per second. During device bootup, there is a possibility that some traps could be dropped because of trap queue overflow on the device. If you suspect this is occurring, you can increase the size of the trap queue (for example, to 100) to determine if traps are then able to be sent during bootup.

Examples
In the following example, the SNMP notification queue is increased to 50 events:
Router(config)# snmp-server queue-length 50

Related Commands
Command Description

snmp-server packetsize

Establishes control over the largest SNMP packet size permitted when the SNMP server is receiving a request or generating a reply.

snmp-server system-shutdown
To use the Simple Network Management Protocol (SNMP) message reload feature, the router configuration must include the snmp-server system-shutdown global configuration command. To prevent an SNMP system-shutdown request (from an SNMP manager) from resetting the Cisco agent, use the no form of this command.
snmp-server system-shutdown no snmp-server system-shutdown

Syntax Description
This command has no arguments or keywords.

Defaults
This command is not included in the configuration file.

Command Modes
Global configuration

Command History
Release Modification

10.0

This command was introduced.

Examples
The following example enables the SNMP message reload feature:
snmp-server system-shutdown

snmp-server tftp-server-list
To limit the TFTP servers used via Simple Network Management Protocol (SNMP) controlled TFTP operations (saving and loading configuration files) to the servers specified in an access list, use the snmp-server tftp-server-list global configuration command. To disable this feature, use the no form of this command.
snmp-server tftp-server-list number no snmp-server tftp-server-list

Syntax Description
number Standard IP access list number from 1 to 99.

Defaults
Disabled

Command Modes
Global configuration

Command History
Release Modification

10.2

This command was introduced.

Examples
The following example limits the TFTP servers that can be used for configuration file copies via SNMP to the servers in access list 44:
snmp-server tftp-server-list 44

snmp-server trap link


To enable linkUp/linkDown Simple Network Management Protocol (SNMP) traps which are compliant with RFC2233, use the snmp-server trap link command in global configuration mode. To disable IETF compliant functionality and revert to the default Cisco implementation of linkUp/linkDown traps, use the no form of this command.
snmp-server trap link ietf no snmp-server trap link ietf

Syntax Description
ietf This required keyword indicates to the command parser that you would like to link functionality of SNMP linkUp/linkDown traps to the Internet Engineering Task Force (IETF) standard (as opposed to the previous Cisco implementation).

Defaults
This command is disabled by default.

Command Modes
Global configuration

Command History
Release Modification

12.1(2)T

This command was introduced.

Usage Guidelines
The snmp-server trap link ietf command is used to configure your router to use the RFC 2233 IETF standards-based implementation of linkUp/linkDown traps. This command is disabled by default to allow you to continue using the earlier Cisco implementation of linkUp/linkDown traps if you so choose. However, note that when using the default Cisco object definitions, linkUp/linkDown traps are not generated correctly for sub-interfaces. In the default implementation an arbitrary value is used for the locIfReason object in linkUp/linkDown traps for sub-interfaces, which may give you unintended results. This is because the locIfReason object is not defined for sub-interfaces in the current Cisco implementation, which uses OLD-CISCO-INTERFACES-MIB.my.

If you do not enable this functionality, the link trap varbind list will consist of {ifIndex, ifDescr, ifType, locIfReason}. After you enable this functionality with the snmp-server trap link ietf command, the varbind list will consist of {ifIndex, ifAdminStatus, ifOperStatus, ifDescr, ifType}. The locIfReason object will also be conditionally included in this list, depending on whether meaningful information can be retrieved for that object. A configured sub-interface will generate retrievable information. On non-HWIDB interfaces there will be no defined value for locIfReason, so it will be omitted from the trap message.

Examples
The following example shows the enabling of the RFC 2233 linkUp/linkDown traps, starting in privileged EXEC mode:
Router# config term

Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# snmp-server trap link ietf
Router(config)# end
Router# more system:running-config
.
.
.
!
snmp-server engineID local 00000009000000A1616C2056
snmp-server community public RO
snmp-server community private RW
snmp-server trap link ietf
!
.
.
.

Related Commands
Command Description

debug snmp packets

Displays information about every SNMP packet sent or received by the router for the purposes of troubleshooting.

snmp-server trap-source
To specify the interface (and hence the corresponding IP address) that a Simple Network Management Protocol (SNMP) trap should originate from, use the snmp-server trap-source global configuration command. To remove the source designation, use the no form of the command.
snmp-server trap-source interface no snmp-server trap-source

Syntax Description
interface Interface from which the SNMP trap originates. The argument includes the interface type and number in platform-specific syntax (for example, type/slot/port).

Defaults
No interface is specified.

Command Modes
Global configuration

Command History
Release Modification

10.0

This command was introduced.

Usage Guidelines
When an SNMP trap or inform is sent from a Cisco SNMP server, it has a notification address of whatever interface it happened to go out of at that time. Use this command to make notifications always originate from a particular interface.

Examples
The following example specifies that the IP address for interface Ethernet 0 is the source for all SNMP notifications:
Router(config)# snmp-server trap-source ethernet 0

The following example specifies that the IP address for the Ethernet interface in slot 2, port 1 is the source for all SNMP notifications:
Router(config)# snmp-server trap-source ethernet 2/1

Related Commands
Command  Description
snmp-server enable traps  Enables a router to send SNMP traps and informs.
snmp-server host  Specifies the recipient of an SNMP notification operation.

snmp-server trap-timeout
To define how often to try resending trap messages on the retransmission queue, use the snmp-server trap-timeout global configuration command.
snmp-server trap-timeout seconds

Syntax Description
seconds Integer that sets the interval (in seconds) for resending the messages.

Defaults
30 seconds

Command Modes
Global configuration

Command History
Release Modification

10.0

This command was introduced.

Usage Guidelines
Before the Cisco IOS software tries to send a trap, it looks for a route to the destination address. If there is no known route, the trap is saved in a retransmission queue. The snmp-server trap-timeout command determines the number of seconds between retransmission attempts.

Examples
The following example sets an interval of 20 seconds to try resending trap messages on the retransmission queue:
snmp-server trap-timeout 20

Related Commands
Command  Description
snmp-server host  Specifies the recipient of an SNMP notification operation.
snmp-server queue-length  Establishes the message queue length for each trap host.

snmp-server user
To configure a new user to a Simple Network Management Protocol (SNMP) group, use the snmp-server user global configuration command. To remove a user from an SNMP group, use the no form of the command.
snmp-server user username groupname [remote host [udp-port port]] {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password]} [access access-list]
no snmp-server user

Syntax Description
username  The name of the user on the host that connects to the agent.
groupname  The name of the group to which the user belongs.
remote host  (Optional) Specifies a remote SNMP entity to which the user belongs, and the hostname or IP address of that entity.
udp-port port  (Optional) Specifies the UDP port number of the remote host. The default is UDP port 162.
v1  Specifies that SNMPv1 should be used.
v2c  Specifies that SNMPv2c should be used.
v3  Specifies that the SNMPv3 security model should be used. Allows the use of the encrypted and/or auth keywords.
encrypted  (Optional) Specifies whether the password appears in encrypted format (a series of digits, masking the true characters of the string).
auth  (Optional) Specifies which authentication level should be used.
md5  The HMAC-MD5-96 authentication level.
sha  The HMAC-SHA-96 authentication level.
auth-password  A string (not to exceed 64 characters) that enables the agent to receive packets from the host.
access access-list  (Optional) Specifies an access list to be associated with this SNMP user. The access-list argument represents a value from 1 to 99 that is the identifier of the standard IP access list.

Defaults
Table 107 describes default behaviors for encryption, passwords and access lists.
Table 107 snmp-server user Default Descriptions

Characteristic  Default
encryption  Not present by default. The encrypted keyword is used to specify that the auth and priv passwords are MD5 digests and not text passwords.
passwords  Assumed to be text strings.
access lists  Access from all IP access lists is permitted.
remote users  All users are assumed to be local to this SNMP engine unless you specify they are remote with the remote keyword.

Command Modes
Global configuration

Command History
Release Modification

12.0(3)T

This command was introduced.

Usage Guidelines
To configure a remote user, specify the IP address or port number for the remote SNMP agent of the device where the user resides. Also, before you configure remote users for a particular agent, configure the SNMP engine ID, using the command snmp-server engineID with the remote option. The remote agent's SNMP engine ID is needed when computing the authentication/privacy digests from the password. If the remote engine ID is not configured first, the configuration command will fail. SNMP passwords are localized using the SNMP engine ID of the authoritative SNMP engine. For informs, the authoritative SNMP agent is the remote agent. You need to configure the remote agent's SNMP engine ID in the SNMP database before you can send proxy requests or informs to it.

Related Commands
Command  Description
show snmp user  Displays information on each SNMP username in the group username table.

snmp-server view
To create or update a view entry, use the snmp-server view global configuration command. To remove the specified Simple Network Management Protocol (SNMP) server view entry, use the no form of this command.
snmp-server view view-name oid-tree {included | excluded}
no snmp-server view view-name

Syntax Description
view-name  Label for the view record that you are updating or creating. The name is used to reference the record.
oid-tree  Object identifier of the ASN.1 subtree to be included or excluded from the view. To identify the subtree, specify a text string consisting of numbers, such as 1.3.6.2.4, or a word, such as system. Replace a single subidentifier with the asterisk (*) wildcard to specify a subtree family; for example 1.3.*.4.
included | excluded  Type of view. You must specify either included or excluded.

Defaults
No view entry exists.

Command Modes
Global configuration

Command History
Release Modification

10.0

This command was introduced.

Usage Guidelines
Other SNMP commands require a view as an argument. You use this command to create a view to be used as arguments for other commands that create records including a view. Two standard predefined views can be used when a view is required, instead of defining a view. One is everything, which indicates that the user can see all objects. The other is restricted, which indicates that the user can see three groups: system, snmpStats, and snmpParties. The predefined views are described in RFC 1447. The first snmp-server command that you enter enables both versions of SNMP.

Examples
The following example creates a view that includes all objects in the MIB-II subtree:

snmp-server view mib2 mib-2 included

The following example creates a view that includes all objects in the MIB-II system group and all objects in the Cisco enterprise MIB:
snmp-server view phred system included
snmp-server view phred cisco included

The following example creates a view that includes all objects in the MIB-II system group except for sysServices (System 7) and all objects for interface 1 in the MIB-II interfaces group:
snmp-server view agon system included
snmp-server view agon system.7 excluded
snmp-server view agon ifEntry.*.1 included
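As an added illustration (not Cisco's code), the following Python evaluator applies the view rules described above, rebuilding the mib2, phred and agon views from these examples: the asterisk matches exactly one subidentifier, and the longest matching subtree entry decides whether an OID is visible. The longest-match rule is an assumption taken from the VACM behaviour in RFC 3415, and the NAMES table is an assumed mapping of the symbolic names used here to their standard MIB-II and Cisco enterprise OIDs.

```python
"""Evaluate which OIDs an snmp-server view exposes.

Added illustration, not Cisco's implementation. The longest-matching-subtree
rule is assumed from RFC 3415 VACM view matching; NAMES maps the symbolic
names used in the examples to their standard OIDs.
"""

# Symbolic names accepted as the start of an oid-tree argument (assumed table).
NAMES = {
    "mib-2": "1.3.6.1.2.1",
    "system": "1.3.6.1.2.1.1",
    "interfaces": "1.3.6.1.2.1.2",
    "ifEntry": "1.3.6.1.2.1.2.2.1",
    "cisco": "1.3.6.1.4.1.9",
}


def parse_oid_tree(text):
    """'system.7' -> ['1','3','6','1','2','1','1','7']; '*' stays a wildcard."""
    parts = text.split(".")
    if parts[0] in NAMES:
        parts = NAMES[parts[0]].split(".") + parts[1:]
    for p in parts:
        if p != "*" and not p.isdigit():
            raise ValueError("bad subidentifier %r in %r" % (p, text))
    return parts


class SnmpView:
    """One view-name with its included/excluded subtree entries."""

    def __init__(self, name):
        self.name = name
        self.entries = []   # (subtree as list, 'included' | 'excluded')

    def add(self, oid_tree, view_type):
        # snmp-server view <view-name> <oid-tree> {included | excluded}
        if view_type not in ("included", "excluded"):
            raise ValueError("type must be 'included' or 'excluded'")
        self.entries.append((parse_oid_tree(oid_tree), view_type))
        return self

    @staticmethod
    def _matches(subtree, oid):
        # A subtree matches an OID that is at least as long and agrees on
        # every position of the subtree; '*' matches any single subidentifier.
        if len(oid) < len(subtree):
            return False
        return all(s == "*" or s == o for s, o in zip(subtree, oid))

    def visible(self, oid_text):
        """True if the OID is in the view; the longest matching entry decides.

        Equal-length ties are not resolved here (first such entry wins).
        """
        oid = oid_text.split(".")
        best = None
        for subtree, vtype in self.entries:
            if self._matches(subtree, oid):
                if best is None or len(subtree) > len(best[0]):
                    best = (subtree, vtype)
        return best is not None and best[1] == "included"


def build_examples():
    """The three views from the Examples section, rebuilt with this model."""
    mib2 = SnmpView("mib2").add("mib-2", "included")
    phred = (SnmpView("phred")
             .add("system", "included")
             .add("cisco", "included"))
    agon = (SnmpView("agon")
            .add("system", "included")
            .add("system.7", "excluded")       # sysServices and below hidden
            .add("ifEntry.*.1", "included"))   # every ifEntry column, instance 1
    return {"mib2": mib2, "phred": phred, "agon": agon}


if __name__ == "__main__":
    views = build_examples()
    for oid in ("1.3.6.1.2.1.1.1.0",          # sysDescr.0
                "1.3.6.1.2.1.1.7.0",          # sysServices.0
                "1.3.6.1.2.1.2.2.1.2.1",      # ifDescr.1
                "1.3.6.1.2.1.2.2.1.2.2",      # ifDescr.2
                "1.3.6.1.4.1.9.2.1.1.0"):     # an object under the Cisco enterprise
        print(oid, {n: v.visible(oid) for n, v in views.items()})
```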

Related Commands
Command  Description
snmp-server community  Sets up the community access string to permit access to the SNMP protocol.

disconnect ssh
To terminate a Secure Shell (SSH) connection on your router, use the disconnect ssh privileged EXEC command.
disconnect ssh [vty] session-id

Syntax Description
vty  (Optional) Virtual terminal for remote console access.
session-id  The connection number displayed in the show ip ssh command output.

Command Modes
Privileged EXEC

Usage Guidelines
The clear line vty n command, where n is the connection number displayed in the show ip ssh command output, may be used instead of the disconnect ssh command. When the EXEC connection ends, whether normally or abnormally, the SSH connection also ends.

Examples
The following example terminates SSH connection number 1:
disconnect ssh 1

Related Commands
Command  Description
clear line vty  Returns a terminal line to idle state using the privileged EXEC command.

ip ssh
To configure Secure Shell (SSH) control parameters on your router, use the ip ssh global configuration command. To restore the default value, use the no form of this command.
ip ssh {[timeout seconds] | [authentication-retries integer]}
no ip ssh {[timeout seconds] | [authentication-retries integer]}

Syntax Description
timeout  (Optional) The time interval that the router waits for the SSH client to respond. This setting applies to the SSH negotiation phase. Once the EXEC session starts, the standard timeouts configured for the vty apply. By default, there are 5 vtys defined (0-4), therefore 5 terminal sessions are possible. After the SSH executes a shell, the vty timeout starts. The vty timeout defaults to 10 minutes.
authentication-retries  (Optional) The number of attempts after which the interface is reset.
seconds  (Optional) The number of seconds until timeout disconnects, with a maximum of 120 seconds. The default is 120 seconds.
integer  (Optional) The number of retries, with a maximum of 5 authentication retries. The default is 3.

Defaults
120 seconds for the timeout timer. 3 authentication-retries.

Command Modes
Global configuration

Usage Guidelines
Before you configure SSH on your router, you must enable the SSH server using the crypto key generate rsa command.

Examples
The following examples configure SSH control parameters on your router:
ip ssh timeout 120
ip ssh authentication-retries 3

show ip ssh
To display the version and configuration data for Secure Shell (SSH), use the show ip ssh privileged EXEC command.
show ip ssh

Syntax Description
This command has no arguments or keywords.

Command Modes
Privileged EXEC

Usage Guidelines
Use the show ip ssh command to view the status of configured options such as retries and timeouts. This command allows you to see if SSH is enabled or disabled.

Examples
The following is sample output from the show ip ssh command when SSH has been enabled:
Router# show ip ssh
SSH Enabled - version 1.5
Authentication timeout: 120 secs; Authentication retries: 3

The following is sample output from the show ip ssh command when SSH has been disabled:
Router# show ip ssh
%SSH has not been enabled

Related Commands
Command  Description
show ssh  Displays the status of SSH server connections.

show ssh
To display the status of Secure Shell (SSH) server connections, use the show ssh privileged EXEC command.
show ssh

Syntax Description
This command has no arguments or keywords.

Command Modes
Privileged EXEC

Usage Guidelines
Use the show ssh command to display the status of the SSH connections on your router. This command does not display any SSH configuration data; use the show ip ssh command for SSH configuration information such as timeouts and retries.

Examples
The following is sample output from the show ssh command with SSH enabled:
Router# show ssh
Connection  Version  Encryption  State            Username
0           1.5      3DES        Session Started  guest

The following is sample output from the show ssh command with SSH disabled:
Router# show ssh
%No SSH server connections running.

Related Commands
Command  Description
show ip ssh  Displays the version and configuration data for SSH.

ssh
To start an encrypted session with a remote networking device, use the ssh user EXEC command.
ssh [-l userid] [-c {des | 3des}] [-o numberofpasswdprompts n] [-p portnum] {ipaddr | hostname} [command]

Syntax Description
-l userid  (Optional) Specifies the user ID to use when logging in on the remote networking device running the SSH server. If no user ID is specified, the default is the current user ID.
-c {des | 3des}  (Optional) Specifies the crypto algorithm, DES or 3DES, to use for encrypting data. To use SSH, an encryption image must be running on the router. Cisco software images that include encryption have the designators "k8" (DES) or "k9" (3DES).
-o numberofpasswdprompts n  (Optional) Specifies the number of password prompts that the software generates before ending the session. The SSH server may also apply a limit to the number of attempts. If the limit set by the server is less than the value specified by the -o numberofpasswdprompts keyword, the limit set by the server takes precedence. The default is 3 attempts, which is also the Cisco IOS SSH server default. The range of values is from 1 to 5.
-p portnum  (Optional) Indicates the desired port number for the remote host. The default port number is 22.
ipaddr | hostname  Specifies the IP address or host name of the remote networking device.
command  (Optional) Specifies the Cisco IOS command that you want to run on the remote networking device. If the remote host is not running Cisco IOS software, this may be any command recognized by the remote host. If the command includes spaces, you must enclose the command in quotation marks.

Defaults
Disabled

Command Modes
User EXEC

Usage Guidelines
The ssh command enables a Cisco router to make a secure, encrypted connection to another Cisco router or device running an SSH Version 1 server. This connection provides functionality that is similar to that of an outbound Telnet connection except that the connection is encrypted. With authentication and encryption, the SSH client allows for a secure communication over an insecure network.

Note SSH is supported on DES (56-bit) and 3DES (168-bit) data encryption software images only. In DES software images, DES is the only encryption algorithm available. In 3DES software images, both DES and 3DES encryption algorithms are available.

The ssh command requires that you first enable the SSH server on the router. The SSH client is available only when the SSH server is enabled.

Examples
The following example illustrates initiating a secure session between the local router and the remote host HQhost to run the show users command. The result of the show users command is a list of valid users who are logged in to HQhost. The remote host will prompt for the adminHQ password to authenticate the user adminHQ. If the authentication step is successful, the remote host will return the result of the show users command to the local router and will then close the session.
ssh -l adminHQ HQhost "show users"

The following example illustrates initiating a secure session between the local router and the edge router HQedge to run the show ip route command. In this example, the edge router prompts for the adminHQ password to authenticate the user. If the authentication step is successful, the edge router will return the result of the show ip route command to the local router.
ssh -l adminHQ HQedge "show ip route"

The following example shows the SSH client using 3DES to initiate a secure remote command connection with the HQedge router. The SSH server running on HQedge authenticates the session for the admin7 user on the HQedge router using standard authentication methods. The HQedge router must have SSH enabled for this to work.
ssh -l admin7 -c 3des -o numberofpasswdprompts 5 HQedge

Related Commands
Command  Description
ip ssh  Configures SSH server control parameters on the router.
show ip ssh  Displays the version and configuration data for SSH.
show ssh  Displays the status of SSH server connections.

ip tcp intercept connection-timeout


To change how long a TCP connection will be managed by the TCP intercept after no activity, use the ip tcp intercept connection-timeout global configuration command. To restore the default, use the no form of this command.
ip tcp intercept connection-timeout seconds no ip tcp intercept connection-timeout [seconds]

Syntax Description
seconds Time (in seconds) that the software will still manage the connection after no activity. The minimum value is 1 second. The default is 86,400 seconds (24 hours).

Defaults
86,400 seconds (24 hours)

Command Modes
Global configuration

Usage Guidelines
Use the ip tcp intercept connection-timeout command to change how long a TCP connection will be managed by the TCP intercept after a period of inactivity.

Examples
The following example sets the software to manage the connection for 12 hours (43,200 seconds) after no activity:
ip tcp intercept connection-timeout 43200

ip tcp intercept drop-mode


To set the TCP intercept drop mode, use the ip tcp intercept drop-mode global configuration command. To restore the default, use the no form of this command.
ip tcp intercept drop-mode [oldest | random] no ip tcp intercept drop-mode [oldest | random]

Syntax Description
oldest  (Optional) Software drops the oldest partial connection. This is the default.
random  (Optional) Software drops a randomly selected partial connection.

Defaults
oldest

Command Modes
Global configuration

Usage Guidelines
If the number of incomplete connections exceeds 1100 or the number of connections arriving in the last 1 minute exceeds 1100, the TCP intercept feature becomes more aggressive. When this happens, each new arriving connection causes the oldest partial connection to be deleted, and the initial retransmission timeout is reduced by half to 0.5 seconds (and so the total time trying to establish the connection will be cut in half). Note that the 1100 thresholds can be configured with the ip tcp intercept max-incomplete high and ip tcp intercept one-minute high commands. Use the ip tcp intercept drop-mode command to change the dropping strategy from oldest to a random drop.

Examples
The following example sets the drop mode to random:
ip tcp intercept drop-mode random

Related Commands
Command  Description
ip tcp intercept max-incomplete high  Defines the maximum number of incomplete connections allowed before the software enters aggressive mode.
ip tcp intercept max-incomplete low  Defines the number of incomplete connections below which the software leaves aggressive mode.
ip tcp intercept one-minute high  Defines the number of connection requests received in the last one-minute sample period before the software enters aggressive mode.
ip tcp intercept one-minute low  Defines the number of connection requests below which the software leaves aggressive mode.

ip tcp intercept finrst-timeout


To change how long after receipt of a reset or FIN-exchange the software ceases to manage the connection, use the ip tcp intercept finrst-timeout global configuration command. To restore the default, use the no form of this command.
ip tcp intercept finrst-timeout seconds no ip tcp intercept finrst-timeout [seconds]

Syntax Description
seconds Time (in seconds) after receiving a reset or FIN-exchange that the software ceases to manage the connection. The minimum value is 1 second. The default is 5 seconds.

Defaults
5 seconds

Command Modes
Global configuration

Usage Guidelines
Even after the two ends of the connection are joined, the software intercepts packets being sent back and forth. Use this command if you need to adjust how soon after receiving a reset or FIN-exchange the software stops intercepting packets.

Examples
The following example sets the software to wait for 10 seconds before it leaves intercept mode:
ip tcp intercept finrst-timeout 10

ip tcp intercept list


To enable TCP intercept, use the ip tcp intercept list global configuration command. To disable TCP intercept, use the no form of this command.
ip tcp intercept list access-list-number no ip tcp intercept list access-list-number

Syntax Description
access-list-number Extended access list number in the range from 100 to 199.

Defaults
Disabled

Command Modes
Global configuration

Usage Guidelines
The TCP intercept feature intercepts TCP connection attempts and shields servers from TCP SYN-flood attacks, also known as denial-of-service attacks. TCP packets matching the access list are presented to the TCP intercept code for processing, as determined by the ip tcp intercept mode command. The TCP intercept code either intercepts or watches the connections. To have all TCP connection attempts submitted to the TCP intercept code, have the access list match everything.

Examples
The following example configuration defines access list 101, causing the software to intercept packets for all TCP servers on the 192.168.1.0/24 subnet:
ip tcp intercept list 101
!
access-list 101 permit tcp any 192.168.1.0 0.0.0.255

Related Commands
Command  Description
access-list (IP extended)  Defines an extended IP access list.
ip tcp intercept mode  Changes the TCP intercept mode.
show tcp intercept connections  Displays TCP incomplete and established connections.
show tcp intercept statistics  Displays TCP intercept statistics.

ip tcp intercept max-incomplete high


To define the maximum number of incomplete connections allowed before the software enters aggressive mode, use the ip tcp intercept max-incomplete high global configuration command. To restore the default, use the no form of this command.
ip tcp intercept max-incomplete high number no ip tcp intercept max-incomplete high [number]

Syntax Description
number Defines the number of incomplete connections allowed, above which the software enters aggressive mode. The range is from 1 to 2147483647. The default is 1100.

Defaults
1100 incomplete connections

Command Modes
Global configuration

Command History
Release Modification

11.2 F

This command was introduced.

Usage Guidelines
If the number of incomplete connections exceeds the number configured, the TCP intercept feature becomes aggressive. The following are the characteristics of aggressive mode:

Each new arriving connection causes the oldest partial connection to be deleted.
The initial retransmission timeout is reduced by half to 0.5 seconds (and so the total time trying to establish the connection is cut in half).
The watch-timeout is cut in half (from 30 seconds to 15 seconds).

You can change the drop strategy from the oldest connection to a random connection with the ip tcp intercept drop-mode command.
Note The two factors that determine aggressive mode (connection requests and incomplete connections) are related and work together. When the value of either ip tcp intercept one-minute high or ip tcp intercept max-incomplete high is exceeded, aggressive mode begins. When both connection requests and incomplete connections fall below the values of ip tcp intercept one-minute low and ip tcp intercept max-incomplete low, aggressive mode ends.

The software will back off from its aggressive mode when the number of incomplete connections falls below the number specified by the ip tcp intercept max-incomplete low command.

Examples
The following example allows 1500 incomplete connections before the software enters aggressive mode:
ip tcp intercept max-incomplete high 1500

Related Commands

Command  Description
ip tcp intercept drop-mode  Sets the TCP intercept drop mode.
ip tcp intercept max-incomplete low  Defines the number of incomplete connections below which the software leaves aggressive mode.
ip tcp intercept one-minute high  Defines the number of connection requests received in the last one-minute sample period before the software enters aggressive mode.
ip tcp intercept one-minute low  Defines the number of connection requests below which the software leaves aggressive mode.

ip tcp intercept max-incomplete low


To define the number of incomplete connections below which the software leaves aggressive mode, use the ip tcp intercept max-incomplete low global configuration command. To restore the default, use the no form of this command.
ip tcp intercept max-incomplete low number no ip tcp intercept max-incomplete low [number]

Syntax Description
number Defines the number of incomplete connections below which the software leaves aggressive mode. The range is 1 to 2147483647. The default is 900.

Defaults
900 incomplete connections

Command Modes
Global configuration

Usage Guidelines
When both connection requests and incomplete connections fall below the values of ip tcp intercept one-minute low and ip tcp intercept max-incomplete low, the TCP intercept feature leaves aggressive mode.
Note The two factors that determine aggressive mode (connection requests and incomplete connections) are related and work together. When the value of either ip tcp intercept one-minute high or ip tcp intercept max-incomplete high is exceeded, aggressive mode begins. When both connection requests and incomplete connections fall below the values of ip tcp intercept one-minute low and ip tcp intercept max-incomplete low, aggressive mode ends.

See the ip tcp intercept max-incomplete high command for a description of aggressive mode.

Examples
The following example sets the software to leave aggressive mode when the number of incomplete connections falls below 1000:
ip tcp intercept max-incomplete low 1000

Related Commands
Command  Description
ip tcp intercept drop-mode  Sets the TCP intercept drop mode.
ip tcp intercept max-incomplete high  Defines the maximum number of incomplete connections allowed before the software enters aggressive mode.
ip tcp intercept one-minute high  Defines the number of connection requests received in the last one-minute sample period before the software enters aggressive mode.
ip tcp intercept one-minute low  Defines the number of connection requests below which the software leaves aggressive mode.

ip tcp intercept mode


To change the TCP intercept mode, use the ip tcp intercept mode global configuration command. To restore the default, use the no form of this command.
ip tcp intercept mode {intercept | watch} no ip tcp intercept mode [intercept | watch]

Syntax Description
intercept Active mode in which the TCP intercept software intercepts TCP packets from clients to servers that match the configured access list and performs intercept duties. This is the default.

watch

Monitoring mode in which the software allows connection attempts to pass through the router and watches them until they are established.

Defaults
intercept

Command Modes
Global configuration

Usage Guidelines
When TCP intercept is enabled, it operates in intercept mode by default. In intercept mode, the software actively intercepts TCP SYN packets from clients to servers that match the specified access list. For each SYN, the software responds on behalf of the server with an ACK and SYN, and waits for an ACK of the SYN from the client. When that ACK is received, the original SYN is sent to the server, and the code then performs a three-way handshake with the server. Then the two half-connections are joined. In watch mode, the software allows connection attempts to pass through the router, but watches them until they become established. If they fail to become established in 30 seconds (or the value set by the ip tcp intercept watch-timeout command), a Reset is sent to the server to clear its state.

Examples
The following example sets the mode to watch mode:
ip tcp intercept mode watch

Related Commands
Command  Description
ip tcp intercept watch-timeout  Defines how long the software will wait for a watched TCP intercept connection to reach established state before sending a reset to the server.

ip tcp intercept one-minute high


To define the number of connection requests received in the last one-minute sample period before the software enters aggressive mode, use the ip tcp intercept one-minute high global configuration command. To restore the default, use the no form of this command.
ip tcp intercept one-minute high number no ip tcp intercept one-minute high [number]

Syntax Description
number Specifies the number of connection requests that can be received in the last one-minute sample period before the software enters aggressive mode. The range is 1 to 2147483647. The default is 1100.

Defaults
1100 connection requests

Command Modes
Global configuration

Usage Guidelines
If the number of connection requests exceeds the number value configured, the TCP intercept feature becomes aggressive. The following are the characteristics of aggressive mode:

Each new arriving connection causes the oldest partial connection to be deleted.
The initial retransmission timeout is reduced by half to 0.5 seconds (and so the total time trying to establish the connection is cut in half).
The watch-timeout is cut in half (from 30 seconds to 15 seconds).

You can change the drop strategy from the oldest connection to a random connection with the ip tcp intercept drop-mode command.
Note The two factors that determine aggressive mode (connection requests and incomplete connections) are related and work together. When the value of either ip tcp intercept one-minute high or ip tcp intercept max-incomplete high is exceeded, aggressive mode begins. When both connection requests and incomplete connections fall below the values of ip tcp intercept one-minute low and ip tcp intercept max-incomplete low, aggressive mode ends.
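The aggressive-mode rules given for ip tcp intercept max-incomplete high/low and one-minute high/low above, together with the drop-mode and watch-timeout behaviour, are modelled in the following Python class. It is an added illustration, not Cisco's code: class and method names are assumptions, thresholds are the documented defaults, and the 1-second initial retransmission timeout is inferred from the statement that it is halved to 0.5 seconds.

```python
"""Model of the TCP intercept aggressive-mode rules.

Added illustration, not Cisco code: names are assumptions. Threshold and
timer values are the documented defaults; the 1-second initial
retransmission timeout is inferred from "halved to 0.5 seconds".
"""
import random
from collections import deque

DEFAULTS = {
    "max_incomplete_high": 1100,   # ip tcp intercept max-incomplete high
    "max_incomplete_low": 900,     # ip tcp intercept max-incomplete low
    "one_minute_high": 1100,       # ip tcp intercept one-minute high
    "one_minute_low": 900,         # ip tcp intercept one-minute low
    "watch_timeout": 30.0,         # ip tcp intercept watch-timeout (seconds)
    "initial_rto": 1.0,            # seconds (assumed; 0.5 when aggressive)
}


class TcpIntercept:
    """Tracks partial (half-open) connections and the aggressive-mode state.

    drop_mode is 'oldest' (the default) or 'random', as for
    ip tcp intercept drop-mode.
    """

    def __init__(self, drop_mode="oldest", rng=None, **overrides):
        if drop_mode not in ("oldest", "random"):
            raise ValueError("drop_mode must be 'oldest' or 'random'")
        self.cfg = dict(DEFAULTS, **overrides)
        self.drop_mode = drop_mode
        self.rng = rng or random.Random(0)
        self.incomplete = deque()   # (client, server, created), oldest first
        self.arrivals = deque()     # timestamps of requests in the last 60 s
        self.aggressive = False
        self.dropped = []           # partial connections deleted while aggressive

    def one_minute_count(self, now):
        """Connection requests seen in the last one-minute sample period."""
        while self.arrivals and now - self.arrivals[0] >= 60:
            self.arrivals.popleft()
        return len(self.arrivals)

    def tick(self, now):
        """Re-evaluate the mode as time passes; returns the new state."""
        c = self.cfg
        n_inc = len(self.incomplete)
        n_min = self.one_minute_count(now)
        if not self.aggressive:
            # Exceeding EITHER high-water mark starts aggressive mode.
            if n_inc > c["max_incomplete_high"] or n_min > c["one_minute_high"]:
                self.aggressive = True
        elif n_inc < c["max_incomplete_low"] and n_min < c["one_minute_low"]:
            # BOTH counts must fall below their low-water marks to leave it.
            self.aggressive = False
        return self.aggressive

    def syn(self, client, server, now):
        """A connection request (SYN) matching the intercept access list."""
        self.arrivals.append(now)
        self.tick(now)
        if self.aggressive and self.incomplete:
            # In aggressive mode each new arrival deletes one partial connection.
            if self.drop_mode == "oldest":
                victim = self.incomplete.popleft()
            else:
                idx = self.rng.randrange(len(self.incomplete))
                victim = self.incomplete[idx]
                del self.incomplete[idx]
            self.dropped.append(victim)
        self.incomplete.append((client, server, now))
        return self.tick(now)

    def established(self, client, server, now):
        """Three-way handshake completed; the entry leaves the partial table."""
        for i, (c, s, _) in enumerate(self.incomplete):
            if (c, s) == (client, server):
                del self.incomplete[i]
                break
        return self.tick(now)

    def watch_timeout(self):
        """Watch-timeout in effect: halved (30 s to 15 s by default) when aggressive."""
        t = self.cfg["watch_timeout"]
        return t / 2 if self.aggressive else t

    def initial_rto(self):
        """Initial retransmission timeout in effect: halved when aggressive."""
        r = self.cfg["initial_rto"]
        return r / 2 if self.aggressive else r


if __name__ == "__main__":
    # Constructed scenario: small thresholds so the transitions are visible.
    ti = TcpIntercept(max_incomplete_high=5, max_incomplete_low=3)
    for i in range(7):
        ti.syn(("10.0.0.%d" % i, 40000 + i), ("192.168.1.10", 23), now=i * 0.1)
    print("aggressive:", ti.aggressive, "dropped:", ti.dropped,
          "watch-timeout:", ti.watch_timeout(), "rto:", ti.initial_rto())
```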

Examples
The following example allows 1400 connection requests before the software enters aggressive mode:
ip tcp intercept one-minute high 1400

Related Commands

Command  Description
ip tcp intercept drop-mode  Sets the TCP intercept drop mode.
ip tcp intercept max-incomplete high  Defines the maximum number of incomplete connections allowed before the software enters aggressive mode.
ip tcp intercept max-incomplete low  Defines the number of incomplete connections below which the software leaves aggressive mode.
ip tcp intercept one-minute low  Defines the number of connection requests below which the software leaves aggressive mode.

ip tcp intercept one-minute low


To define the number of connection requests below which the software leaves aggressive mode, use the ip tcp intercept one-minute low global configuration command. To restore the default, use the no form of this command.
ip tcp intercept one-minute low number no ip tcp intercept one-minute low [number]

Syntax Description
number Defines the number of connection requests in the last one-minute sample period below which the software leaves aggressive mode. The range is from 1 to 2147483647. The default is 900.

Defaults
900 connection requests

Command Modes
Global configuration

Usage Guidelines
When both connection requests and incomplete connections fall below the values of ip tcp intercept one-minute low and ip tcp intercept max-incomplete low, the TCP intercept feature leaves aggressive mode.
Note The two factors that determine aggressive mode (connection requests and incomplete connections) are related and work together. When the value of either ip tcp intercept one-minute high or ip tcp intercept max-incomplete high is exceeded, aggressive mode begins. When both connection requests and incomplete connections fall below the values of ip tcp intercept one-minute low and ip tcp intercept max-incomplete low, aggressive mode ends.

See the ip tcp intercept one-minute high command for a description of aggressive mode.

Examples
The following example sets the software to leave aggressive mode when the number of connection requests falls below 1000:
ip tcp intercept one-minute low 1000

Related Commands
Command  Description
ip tcp intercept drop-mode  Sets the TCP intercept drop mode.
ip tcp intercept max-incomplete high  Defines the maximum number of incomplete connections allowed before the software enters aggressive mode.
ip tcp intercept max-incomplete low  Defines the number of incomplete connections below which the software leaves aggressive mode.
ip tcp intercept one-minute high  Defines the number of connection requests received in the last one-minute sample period before the software enters aggressive mode.

ip tcp intercept watch-timeout


To define how long the software will wait for a watched TCP intercept connection to reach established state before sending a reset to the server, use the ip tcp intercept watch-timeout global configuration command. To restore the default, use the no form of this command.
ip tcp intercept watch-timeout seconds
no ip tcp intercept watch-timeout [seconds]

Syntax Description
seconds Time (in seconds) that the software waits for a watched connection to reach established state before sending a Reset to the server. The minimum value is 1 second. The default is 30 seconds.

Defaults
30 seconds

Command Modes
Global configuration

Command History
Release   Modification
11.2F     This command was introduced.

Usage Guidelines
Use this command if you have set the TCP intercept to passive watch mode and you want to change the default time the connection is watched. During aggressive mode, the watch timeout time is cut in half.

Examples
The following example sets the software to wait 60 seconds for a watched connection to reach established state before sending a Reset to the server:
ip tcp intercept watch-timeout 60
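The mode transitions described for the one-minute and max-incomplete thresholds above, together with the halved watch timeout during aggressive mode, as a small Python model. This is an added example, not Cisco code: the low-water marks and the 60-second watch timeout follow the examples on this page, while the high-water marks are constructed sample values rather than defaults taken from the page.

```python
"""Model of TCP intercept aggressive-mode hysteresis (added example, not Cisco code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Thresholds:
    # Low-water marks follow this page's examples; the high-water marks are
    # constructed sample values, not defaults quoted from the page.
    one_minute_high: int = 1100
    one_minute_low: int = 1000
    max_incomplete_high: int = 1100
    max_incomplete_low: int = 900
    watch_timeout: int = 60          # seconds, as in the watch-timeout example


class InterceptState:
    """Tracks whether TCP intercept is currently in aggressive mode."""

    def __init__(self, t: Thresholds) -> None:
        self.t = t
        self.aggressive = False

    def update(self, one_minute_requests: int, incomplete: int) -> bool:
        """Feed one sample (requests in the last minute, current incomplete
        connections) and return the resulting mode."""
        t = self.t
        if not self.aggressive:
            # Exceeding EITHER high-water mark starts aggressive mode.
            if (one_minute_requests > t.one_minute_high
                    or incomplete > t.max_incomplete_high):
                self.aggressive = True
        else:
            # BOTH factors must fall below their low-water marks to end it;
            # dropping only one of them is not enough.
            if (one_minute_requests < t.one_minute_low
                    and incomplete < t.max_incomplete_low):
                self.aggressive = False
        return self.aggressive

    def effective_watch_timeout(self) -> float:
        """Watch timeout actually applied: cut in half while aggressive."""
        if self.aggressive:
            return self.t.watch_timeout / 2
        return float(self.t.watch_timeout)


def simulate(samples: List[Tuple[int, int]],
             t: Optional[Thresholds] = None) -> List[bool]:
    """Return the aggressive-mode flag after each (requests, incomplete) sample."""
    state = InterceptState(t or Thresholds())
    return [state.update(r, i) for r, i in samples]


if __name__ == "__main__":
    # Constructed trace: a SYN burst starts aggressive mode; it ends only once
    # both the request rate and the incomplete count are back below the lows.
    trace = [(500, 100), (1200, 100), (1050, 100), (950, 1000), (950, 800)]
    print(simulate(trace))  # [False, True, True, True, False]
```

The third and fourth samples show why the two low-water marks are both required: the request rate alone dropping back under 1000 does not end aggressive mode while incomplete connections are still above 900.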

Related Commands
Command                  Description
ip tcp intercept mode    Changes the TCP intercept mode.

show tcp intercept connections


To display TCP incomplete and established connections, use the show tcp intercept connections EXEC command.
show tcp intercept connections

Syntax Description
This command has no arguments or keywords.

Command Modes
EXEC

Usage Guidelines
Use the show tcp intercept connections command to display TCP incomplete and established connections.

Examples
The following is sample output from the show tcp intercept connections command:
Router# show tcp intercept connections
Incomplete:
Client               Server              State    Create   Timeout  Mode
172.19.160.17:58190  10.1.1.30:23        SYNRCVD  00:00:09 00:00:05 I
172.19.160.17:57934  10.1.1.30:23        SYNRCVD  00:00:09 00:00:05 I

Established:
Client               Server              State    Create   Timeout  Mode
171.69.232.23:1045   10.1.1.30:23        ESTAB    00:00:08 23:59:54 I

Table 19 describes significant fields shown in the display.


Table 19 show tcp intercept connections Field Descriptions

Field         Description
Incomplete:   Rows of information under "Incomplete" indicate connections that are not yet established.
Client        IP address and port of the client.
Server        IP address and port of the server being protected by TCP intercept.
State         SYNRCVD: establishing with client. SYNSENT: establishing with server. ESTAB: established with both, passing data.
Create        Hours:minutes:seconds since the connection was created.
Timeout       Hours:minutes:seconds until the retransmission timeout.
Mode          I: intercept mode. W: watch mode.
Established:  Rows of information under "Established" indicate connections that are established. The fields are the same as those under "Incomplete" except for the Timeout field described below.
Timeout       Hours:minutes:seconds until the connection will time out, unless the software sees a FIN exchange, in which case this indicates the hours:minutes:seconds until the FIN or RESET timeout.
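A parser for the display above, added here as an example (not Cisco code): it turns the rows under Incomplete and Established into records and counts half-open connections per client address, which is the first thing to look at when the Incomplete section grows. The sample text is constructed from the output shown on this page; the per-client threshold is an assumed value.

```python
"""Parser for 'show tcp intercept connections' output (added example, not Cisco code)."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# Constructed sample, reproducing the display shown on this page.
SAMPLE_OUTPUT = """\
Router# show tcp intercept connections
Incomplete:
Client               Server              State    Create   Timeout  Mode
172.19.160.17:58190  10.1.1.30:23        SYNRCVD  00:00:09 00:00:05 I
172.19.160.17:57934  10.1.1.30:23        SYNRCVD  00:00:09 00:00:05 I

Established:
Client               Server              State    Create   Timeout  Mode
171.69.232.23:1045   10.1.1.30:23        ESTAB    00:00:08 23:59:54 I
"""

# One connection row: client, server, state, create, timeout, mode (I or W).
ROW_RE = re.compile(
    r"^(?P<client>[\d.]+:\d+)\s+(?P<server>[\d.]+:\d+)\s+(?P<state>\w+)\s+"
    r"(?P<create>\d\d:\d\d:\d\d)\s+(?P<timeout>\d\d:\d\d:\d\d)\s+(?P<mode>[IW])$"
)


class Conn(NamedTuple):
    section: str      # "Incomplete" or "Established"
    client: str
    server: str
    state: str        # SYNRCVD, SYNSENT or ESTAB
    create: str
    timeout: str
    mode: str         # I = intercept mode, W = watch mode


def parse_connections(text: str) -> List[Conn]:
    """Return one Conn per data row, tagged with the section it appeared under."""
    conns: List[Conn] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(":") and line[:-1] in ("Incomplete", "Established"):
            section = line[:-1]
            continue
        m = ROW_RE.match(line)
        if m and section:
            conns.append(Conn(section, **m.groupdict()))
    return conns


def incomplete_by_client(conns: List[Conn]) -> Dict[str, int]:
    """Count half-open connections per client IP address (port ignored)."""
    counts = Counter(c.client.rsplit(":", 1)[0]
                     for c in conns if c.section == "Incomplete")
    return dict(counts)


def suspicious_clients(conns: List[Conn], threshold: int = 2) -> List[str]:
    """Client addresses with at least `threshold` half-open connections
    (assumed threshold; tune it to the server's normal connection mix)."""
    return sorted(ip for ip, n in incomplete_by_client(conns).items()
                  if n >= threshold)


if __name__ == "__main__":
    rows = parse_connections(SAMPLE_OUTPUT)
    print(incomplete_by_client(rows))          # {'172.19.160.17': 2}
    print(suspicious_clients(rows))            # ['172.19.160.17']
```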

Related Commands
Command                              Description
ip tcp intercept connection-timeout  Changes how long a TCP connection will be managed by the TCP intercept after no activity.
ip tcp intercept finrst-timeout      Changes how long after receipt of a reset or FIN-exchange the software ceases to manage the connection.
ip tcp intercept list                Enables TCP intercept.
show tcp intercept statistics        Displays TCP intercept statistics.

show tcp intercept statistics


To display TCP intercept statistics, use the show tcp intercept statistics EXEC command.
show tcp intercept statistics

Syntax Description
This command has no arguments or keywords.

Command Modes
EXEC

Usage Guidelines
Use the show tcp intercept statistics command to display TCP intercept statistics.

Examples
The following is sample output from the show tcp intercept statistics command:
Router# show tcp intercept statistics
intercepting new connections using access-list 101
2 incomplete, 1 established connections (total 3)
1 minute connection request rate 2 requests/sec

Related Commands
Command                              Description
ip tcp intercept connection-timeout  Changes how long a TCP connection will be managed by the TCP intercept after no activity.
ip tcp intercept finrst-timeout      Changes how long after receipt of a reset or FIN-exchange the software ceases to manage the connection.
ip tcp intercept list                Enables TCP intercept.
show tcp intercept connections       Displays TCP incomplete and established connections.

ip verify unicast reverse-path


To enable Unicast Reverse Path Forwarding (Unicast RPF), use the ip verify unicast reverse-path interface configuration command. To disable Unicast RPF, use the no form of this command.
ip verify unicast reverse-path [list]

no ip verify unicast reverse-path [list]

Syntax Description
list (Optional) Specifies a numbered access control list (ACL) in the following ranges:

1 to 99 (IP standard access list)

100 to 199 (IP extended access list)

1300 to 1999 (IP standard access list, expanded range)

2000 to 2699 (IP extended access list, expanded range)

Defaults
Unicast RPF is disabled.

Command Modes
Interface configuration mode

Command History
Release          Modification
11.1(CC), 12.0   This command was introduced. This command was not included in Cisco IOS Release 11.2 or 11.3.
12.1(2)T         Added ACL support using the list argument. Added per-interface statistics on dropped or suppressed packets.

Usage Guidelines

Use the ip verify unicast reverse-path interface command to mitigate problems caused by malformed or forged (spoofed) IP source addresses that pass through a router. Malformed or forged source addresses can indicate denial-of-service (DoS) attacks based on source IP address spoofing. When Unicast RPF is enabled on an interface, the router examines all packets received on that interface. The router checks to make sure that the source address appears in the routing table and matches the interface on which the packet was received. This "look backwards" ability is available only when Cisco Express Forwarding (CEF) is enabled on the router because the lookup relies on the presence of the Forwarding Information Base (FIB). CEF generates the FIB as part of its operation.
Note Unicast RPF is an input function and is applied only on the input interface of a router at the upstream end of a connection.

The Unicast Reverse Path Forwarding feature checks to see if any packet received at a router interface arrives on one of the best return paths to the source of the packet. The feature does this by doing a reverse lookup in the CEF table. If Unicast RPF does not find a reverse path for the packet, Unicast RPF can drop or forward the packet, depending on whether an ACL is specified in the Unicast Reverse Path Forwarding command. If an ACL is specified in the command, then when (and only when) a packet fails the Unicast RPF check, the ACL is checked to see if the packet should be dropped (using a deny statement in the ACL) or forwarded (using a permit statement in the ACL). Whether a packet is dropped or forwarded, the packet is counted in the global IP traffic statistics for Unicast RPF drops and in the interface statistics for Unicast RPF. If no ACL is specified in the Unicast Reverse Path Forwarding command, the router drops the forged or malformed packet immediately and no ACL logging occurs. The router and interface Unicast RPF counters are updated. Unicast RPF events can be logged by specifying the logging option for the ACL entries used by the Unicast Reverse Path Forwarding command. Log information can be used to gather information about the attack, such as source address, time, and so on.
Note With Unicast RPF, all equal-cost "best" return paths are considered valid. This means that Unicast RPF works in cases where multiple return paths exist, provided that each path is equal to the others in terms of the routing cost (number of hops, weights, and so on) and as long as the route is in the FIB. Unicast RPF also functions where Enhanced Interior Gateway Routing Protocol (EIGRP) variants are being used and unequal candidate paths back to the source IP address exist.

To use Unicast RPF, enable CEF switching or distributed CEF (dCEF) switching in the router. There is no need to configure the input interface for CEF switching. As long as CEF is running on the router, individual interfaces can be configured with other switching modes.
Note It is very important for CEF to be configured globally in the router. Unicast RPF will not work without CEF.

Unicast RPF should not be used on interfaces that are internal to the network. Internal interfaces are likely to have routing asymmetry, meaning that there are multiple routes to the source of a packet. Unicast RPF should be applied only where there is natural or configured symmetry. For example, routers at the edge of the network of an Internet service provider (ISP) are more likely to have symmetrical reverse paths than routers that are in the core of the ISP network. Routers that are in the core of the ISP network have no guarantee that the best forwarding path out of the router will be the path selected for packets returning to the router. Hence, it is not recommended that you apply Unicast RPF where there is a chance of asymmetric routing. It is simplest to place Unicast RPF only at the edge of a network or, for an ISP, at the customer edge of the network.
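The decision described in the guidelines above (reverse lookup of the source address in the FIB, all equal-cost best paths valid, the ACL consulted only when the check fails, counters updated whether the packet is then dropped or forwarded), as an added Python model rather than Cisco code. The FIB and interface names are constructed; the ACL mirrors the deny/permit pattern of the ACL 197 example later in this section; and the model deliberately carries no default route, so a source with no route fails the check.

```python
"""Model of the Unicast RPF decision (added example, not Cisco code)."""
import ipaddress
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed FIB: destination prefix -> interfaces that are equal-cost best paths.
# No default route is present, so unrouted sources fail the reverse-path check.
FIB: Dict[str, List[str]] = {
    "192.168.200.0/24": ["Ethernet0/1/1"],
    "192.168.201.0/24": ["Ethernet0/1/2"],
    "10.0.0.0/8": ["Serial0", "Serial1"],      # two equal-cost paths, both valid
}

# Constructed ACL after the page's ACL 197: evaluated top-down, first match
# wins, implicit deny at the end.
ACL_197: List[Tuple[str, str]] = [
    ("deny", "192.168.201.0/26"),
    ("permit", "192.168.201.64/26"),
    ("deny", "192.168.201.128/26"),
    ("permit", "192.168.201.192/26"),
    ("deny", "0.0.0.0/32"),
    ("deny", "127.0.0.0/8"),
    ("deny", "10.0.0.0/8"),
    ("deny", "172.16.0.0/12"),
    ("deny", "192.168.0.0/16"),
]


def reverse_path_interfaces(fib: Dict[str, List[str]], src: str) -> List[str]:
    """Longest-prefix match on the SOURCE address: the 'look backwards' lookup."""
    addr = ipaddress.ip_address(src)
    best_len, ifaces = -1, []
    for prefix, paths in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_len, ifaces = net.prefixlen, paths
    return ifaces


def acl_action(acl: List[Tuple[str, str]], src: str) -> str:
    """First matching entry decides; implicit deny if nothing matches."""
    addr = ipaddress.ip_address(src)
    for action, network in acl:
        if addr in ipaddress.ip_network(network):
            return action
    return "deny"


def urpf(fib: Dict[str, List[str]], acl: Optional[List[Tuple[str, str]]],
         src: str, ingress: str, counters: Counter) -> str:
    """Return 'forward' or 'drop' for a packet from src received on ingress."""
    if ingress in reverse_path_interfaces(fib, src):
        return "forward"                 # check passed; the ACL is not consulted
    # Failed the check: counted globally and per interface regardless of
    # whether the ACL forwards the packet afterwards.
    counters["global"] += 1
    counters[ingress] += 1
    if acl is None:
        return "drop"                    # no ACL: immediate drop, no ACL logging
    return "forward" if acl_action(acl, src) == "permit" else "drop"


def run_sample() -> Tuple[Dict[str, str], Counter]:
    """Apply the check to constructed packets arriving on Ethernet0/1/1."""
    counters: Counter = Counter()
    sources = ("192.168.200.5", "192.168.201.10", "192.168.201.100", "203.0.113.9")
    verdicts = {s: urpf(FIB, ACL_197, s, "Ethernet0/1/1", counters) for s in sources}
    return verdicts, counters


if __name__ == "__main__":
    v, c = run_sample()
    print(v)   # 201.10 dropped by the deny, 201.100 forwarded by the permit
    print(c)   # three packets failed the check, including the one forwarded
```

Whether a default route may satisfy the check is a separate configuration question not covered by this section; the model simply omits one.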

Examples
The following example shows enabling the Unicast Reverse Path Forwarding feature on a serial interface:

ip cef
! or "ip cef distributed" for RSP+VIP based routers
!
interface serial 5/0/0
 ip verify unicast reverse-path


The following example uses a very simple single-homed ISP to demonstrate the concepts of ingress and egress filters used in conjunction with Unicast RPF. The example illustrates an ISP-allocated classless interdomain routing (CIDR) block 209.165.202.128/28 that has both inbound and outbound filters on the upstream interface. Be aware that ISPs are usually not single-homed. Hence, provisions for asymmetrical flows (when outbound traffic goes out one link and returns via a different link) need to be designed into the filters on the border routers of the ISP.

ip cef distributed
!
interface Serial 5/0/0
 description Connection to Upstream ISP
 ip address 209.165.200.225 255.255.255.252
 no ip redirects
 no ip directed-broadcast
 no ip proxy-arp
 ip verify unicast reverse-path
 ip access-group 111 in
 ip access-group 110 out
!
access-list 110 permit ip 209.165.202.128 0.0.0.31 any
access-list 110 deny ip any any log
access-list 111 deny ip host 0.0.0.0 any log
access-list 111 deny ip 127.0.0.0 0.255.255.255 any log
access-list 111 deny ip 10.0.0.0 0.255.255.255 any log
access-list 111 deny ip 172.16.0.0 0.15.255.255 any log
access-list 111 deny ip 192.168.0.0 0.0.255.255 any log
access-list 111 deny ip 209.165.202.128 0.0.0.31 any log
access-list 111 permit ip any any
The following example demonstrates the use of ACLs and logging with Unicast RPF. In this example, extended ACL 197 provides entries that deny or permit network traffic for specific address ranges. Unicast RPF is configured on interface Ethernet0 to check packets arriving at that interface. For example, packets with a source address of 192.168.201.10 arriving at interface Ethernet0 are dropped because of the deny statement in ACL 197. In this case, the ACL information is logged (the logging option is turned on for the ACL entry) and dropped packets are counted per-interface and globally. Packets with a source address of 192.168.201.100 arriving at interface Ethernet0 are forwarded because of the permit statement in ACL 197. ACL information about dropped or suppressed packets is logged (the logging option is turned on for the ACL entry) to the log server.

ip cef distributed
!
int eth0/1/1
 ip address 192.168.200.1 255.255.255.0
 ip verify unicast reverse-path 197
!
int eth0/1/2
 ip address 192.168.201.1 255.255.255.0
!
access-list 197 deny ip 192.168.201.0 0.0.0.63 any log-input
access-list 197 permit ip 192.168.201.64 0.0.0.63 any log-input
access-list 197 deny ip 192.168.201.128 0.0.0.63 any log-input
access-list 197 permit ip 192.168.201.192 0.0.0.63 any log-input
access-list 197 deny ip host 0.0.0.0 any log-input
access-list 197 deny ip 127.0.0.0 0.255.255.255 any log-input
access-list 197 deny ip 10.0.0.0 0.255.255.255 any log-input
access-list 197 deny ip 172.16.0.0 0.15.255.255 any log-input
access-list 197 deny ip 192.168.0.0 0.0.255.255 any log-input

Related Commands
Command Description

ip cef

Enables CEF on the route processor card.

CHAPTER

A through B Commands
aaa accounting
Enable, disable, or view LOCAL, TACACS+, or RADIUS user accounting (on a server designated by the aaa-server command). (Configuration mode.)

Configure with the command...
aaa accounting include | exclude acctg_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag
aaa accounting match acl_name inbound | outbound | if_name group_tag

Remove with the command...
no aaa accounting include | exclude authen_service inbound | outbound | if_name group_tag
clear aaa [accounting include | exclude authen_service inbound | outbound | if_name group_tag]
no aaa accounting match acl_name inbound | outbound | if_name group_tag

Show command options
show aaa

Show command output
Displays the AAA authentication configuration.

Syntax Description

accounting      Enable or disable accounting services with authentication server. Use of this command requires that you previously used the aaa-server command to designate an authentication server.
acctg_service   The accounting service. Accounting is provided for all services or you can limit it to one or more services. Possible values are any, ftp, http, telnet, or protocol/port. Use any to provide accounting for all TCP services. To provide accounting for UDP services, use the protocol/port form. For protocol/port, the TCP protocol appears as 6, the UDP protocol appears as 17, and so on, and port is the TCP or UDP destination port. A port value of 0 (zero) means all ports. For protocols other than TCP and UDP, the port is not applicable and should not be used.
foreign_ip      The IP address of the hosts you want to access the local_ip address. Use 0 to mean all hosts.

Cisco PIX Firewall Command Reference 78-13849-01, Chapter 3 (A through B Commands), aaa accounting, page 3-1

foreign_mask    Network mask of foreign_ip. Always specify a specific mask value. Use 0 if the IP address is 0. Use 255.255.255.255 for a host.
exclude         Create an exception to a previously stated rule by excluding the specified service from authentication, authorization, or accounting to the specified host. The exclude parameter improves the former except option by allowing the user to specify a port to exclude to a specific host or hosts.
group_tag       The AAA server group tag defined by the aaa-server command. To use the local PIX Firewall user authentication database, enter LOCAL for this parameter.
if_name         Interface name from which users require authentication. Use if_name in combination with the local_ip address and the foreign_ip address to determine where access is sought and from whom. The local_ip address is always on the highest security level interface and foreign_ip is always on the lowest.
include         Create a new rule with the specified service to include.
inbound         Authenticate or authorize inbound connections. Inbound means the connection originates on the outside interface and is being directed to the inside interface.
local_ip        The IP address of the host or network of hosts that you want to be authenticated or authorized. You can set this address to 0 to mean all hosts and to let the authentication server decide which hosts are authenticated.
local_mask      Network mask of local_ip. Always specify a specific mask value. Use 0 if the IP address is 0. Use 255.255.255.255 for a host.
match acl_name  Specify an access-list command statement name.
outbound        Authenticate or authorize outbound connections. Outbound means the connection originates on the inside and is being directed to the outside interface.

Usage Guidelines

User accounting services keep a record of which network services a user has accessed. These records are also kept on the designated AAA server. Accounting information is only sent to the active server in a server group. Use the aaa accounting command with the aaa authentication and aaa authorization commands. The include and exclude options are not backward compatible with previous PIX Firewall versions. If you downgrade to an earlier version, the aaa command statements will be removed from your configuration. For outbound connections, first use the nat command to determine which IP addresses can access the PIX Firewall. For inbound connections, first use the static and access-list command statements to determine which inside IP addresses can be accessed through the PIX Firewall from the outside network. If you want to allow connections to come from any host, code the local IP address and netmask as 0.0.0.0 0.0.0.0, or 0 0. The same convention applies to the foreign host IP address and netmask; 0.0.0.0 0.0.0.0 means any foreign host.

Tip

The help aaa command displays the syntax and usage for the aaa authentication, aaa authorization, aaa accounting, and aaa proxy-limit commands in summary form.


Examples

The default PIX Firewall configuration provides the following aaa-server protocols:
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local

The following example uses the default protocol TACACS+ with the aaa commands:
aaa-server TACACS+ (inside) host 10.1.1.10 thekey timeout 20
aaa authentication include any outbound 0 0 0 0 TACACS+
aaa authorization include any outbound 0 0 0 0
aaa accounting include any outbound 0 0 0 0 TACACS+
aaa authentication serial console TACACS+

This example specifies that the authentication server with the IP address 10.1.1.10 resides on the inside interface and is in the default TACACS+ server group. The next three command statements specify that any users starting outbound connections to any foreign host will be authenticated using TACACS+, that the users who are successfully authenticated are authorized to use any service, and that all outbound connection information will be logged in the accounting database. The last command statement specifies that access to the PIX Firewall unit's serial console requires authentication from the TACACS+ server.

Related Commands

aaa authorization
auth-prompt
service
ssh
telnet
virtual

aaa authentication
Enable, disable, or view LOCAL, TACACS+, or RADIUS user authentication (on a server designated by the aaa-server command). Additionally, the aaa authentication command has been modified to support PDM authentication. (Configuration mode.)

Configure with the command...
aaa authentication include | exclude authen_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag
aaa authentication match acl_name inbound | outbound | if_name group_tag
aaa authentication [serial | enable | telnet | ssh | http] console group_tag

Remove with the command...
no aaa authentication [include | exclude authen_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag]
clear aaa [authentication include | exclude authen_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag]
no aaa authentication match acl_name inbound | outbound | if_name group_tag
no aaa authentication [serial | enable | telnet | ssh | http] console group_tag


Show command options
show aaa

Show command output
Displays the AAA authentication configuration.

Syntax Description

authen_service   The application with which a user is accessing a network. Use any, ftp, http, or telnet. The any value enables accounting or authentication for all TCP services. To have users prompted for authentication credentials, they must use FTP, HTTP, or Telnet. (HTTP is the Web and only applies to web browsers that can prompt for a username and password.) If the authentication or authorization server is authenticating services other than FTP, HTTP, or Telnet, using any will not permit those services to authenticate in the firewall. The firewall only knows how to communicate with FTP, HTTP, and Telnet for authentication and authorization. Only set this parameter to a service other than any if the authentication or authorization server is set the same way. Unless you want to temporarily restrict access to a specific service, setting a service in this command can increase system administration work and may cause all connections to fail if the authentication or authorization server is authenticating one service and you set this command to another.
authentication   Enable or disable user authentication, prompt user for username and password, and verify information with authentication server. When used with the console option, enables or disables authentication service for access to the PIX Firewall console over Telnet or from the Console connector on the PIX Firewall unit. Use of the aaa authentication command requires that you previously used the aaa-server command to designate an authentication server. The aaa authentication command supports HTTP authentication. The PIX Firewall requires authentication verification of the HTTP server through the aaa authentication http console command before PDM can access the PIX Firewall.
console          Specify that access to the PIX Firewall console require authentication and, optionally, log configuration changes to a syslog server. The maximum password length for accessing the console is 16 characters.
enable           Access verification for the PIX Firewall unit's privileged mode.
exclude          Create an exception to a previously stated rule by excluding the specified service from authentication, authorization, or accounting to the specified host. The exclude parameter improves the former except option by allowing the user to specify a port to exclude to a specific host or hosts.
foreign_ip       The IP address of the hosts you want to access the local_ip address. Use 0 to mean all hosts.
foreign_mask     Network mask of foreign_ip. Always specify a specific mask value. Use 0 if the IP address is 0. Use 255.255.255.255 for a host.
group_tag        The AAA server group tag defined by the aaa-server command. To use the local PIX Firewall user authentication database, enter LOCAL for this parameter.
http             Access verification for the HTTP (Hypertext Transfer Protocol) access to the PIX Firewall (via PDM). The maximum username prompt for HTTP authentication is 30 characters. The maximum password length is 15 characters.
if_name          The interface name from which to authenticate users.
inbound          Authenticate or authorize inbound connections. Inbound means the connection originates on the outside interface and is being directed to the inside interface.
include          Create a new rule with the specified service to include.
local_ip         The IP address of the host or network of hosts that you want to be authenticated or authorized. You can set this address to 0 to mean all hosts and to let the authentication server decide which hosts are authenticated.
local_mask       Network mask of local_ip. Always specify a specific mask value. Use 0 if the IP address is 0. Use 255.255.255.255 for a host.
match acl_name   Specify an access-list command statement name.
outbound         Authenticate or authorize outbound connections. Outbound means the connection originates on the inside and is being directed to the outside interface.
serial           Access verification for the PIX Firewall unit's serial console.
ssh              Access verification for the SSH access to the PIX Firewall console.
telnet           Access verification for the Telnet access to the PIX Firewall console.

Defaults

If an aaa authentication http console group_tag command statement is not defined, you can gain access to the PIX Firewall (via PDM) with no username and the PIX Firewall enable password (set with the password command). If the aaa commands are defined but the HTTP authentication requests time out, which implies the AAA servers may be down or not available, you can gain access to the PIX Firewall using the username pix and the enable password. By default, the enable password is not set. PIX Firewall supports authentication usernames up to 127 characters and passwords of up to 63 characters. A password or username may not contain an @ character as part of the password or username string, with a few exceptions.

Tip

The help aaa command displays the syntax and usage for the aaa authentication, aaa authorization, aaa accounting, and aaa proxy-limit commands in summary form.

Usage Guidelines

To use the aaa authentication command, you must first designate an authentication server with the aaa-server command. Also, for each IP address, one aaa authentication command is permitted for inbound connections and one for outbound connections. Use the if_name, local_ip, and foreign_ip variables to define where access is sought and from whom. The address for local_ip is always on the highest security level interface and foreign_ip is always on the lowest.

The aaa authentication command is not intended to mandate your security policy. The authentication servers determine whether a user can or cannot access the system, what services can be accessed, and what IP addresses the user can access. The PIX Firewall interacts with FTP, HTTP (Web access), and Telnet to display the credentials prompts for logging in to the network or logging in to exit the network. You can specify that only a single service be authenticated, but this must agree with the authentication server to ensure that both the firewall and server agree.

The include and exclude options are not backward compatible with previous PIX Firewall versions. If you downgrade to an earlier version, these aaa authentication command statements will be removed from your configuration.
The aaa authentication console Command

The aaa authentication serial console command allows you to require authentication verification to access the PIX Firewall unit's serial console. The serial console option also logs to a syslog server changes made to the configuration from the serial console.

Authenticated access to the PIX Firewall console has different types of prompts depending on the option you choose with the aaa authentication [serial | enable | telnet | ssh] console command. While the enable and ssh options allow three tries before stopping with an access denied message, both the serial and telnet options cause the user to be prompted continually until successfully logging in. The serial option requests a username and password before the first command line prompt on the serial console connection. The telnet option forces you to specify a username and password before the first command line prompt of a Telnet console connection. The enable option requests a username and password before accessing privileged mode for serial, Telnet, or SSH connections. The ssh option requests a username and password before the first command line prompt on the SSH console connection. The ssh option allows a maximum of three authentication attempts.

Telnet access to the PIX Firewall console is available from any internal interface, and from the outside interface with IPSec configured, and requires previous use of the telnet command. SSH access to the PIX Firewall console is also available from any interface without IPSec configured, and requires previous use of the ssh command. The new ssh option specifies the group of AAA servers to be used for SSH user authentication. The authentication protocol and AAA server IP addresses are defined with the aaa-server command statement.

Similar to the Telnet model, if an aaa authentication ssh console group_tag command statement is not defined, you can gain access to the PIX Firewall console with the username pix and with the PIX Firewall Telnet password (set with the passwd command). If the aaa command is defined but the SSH authentication requests time out, which implies the AAA servers may be down or not available, you can gain access to the PIX Firewall using username pix and the enable password (set with the enable password command). By default, the Telnet password is cisco and the enable password is not set. If the console login request times out, you can gain access to the PIX Firewall from the serial console by entering the pix username and the enable password.
Enabling Authentication

The aaa authentication command enables or disables the following AAA (authentication, authorization, and accounting) features:

User authentication services provided by a TACACS+ or RADIUS server are first designated with the aaa authorization command. A user starting a connection via FTP, Telnet, or over the World Wide Web is prompted for their username and password. If the username and password are verified by the designated TACACS+ or RADIUS authentication server, the PIX Firewall unit will allow further traffic between the authentication server and the connection to interact independently through the PIX Firewall unit's cut-through proxy feature.

Administrative authentication services providing access to the PIX Firewall unit's console via Telnet, SSH, or the serial console. Telnet access requires previous use of the telnet command. SSH access requires previous use of the ssh command.


The prompts users see requesting AAA credentials differ between the three services that can access the PIX Firewall for authentication: Telnet, FTP, and HTTP (Web):

Telnet users see a prompt generated by the PIX Firewall that you can change with the auth-prompt command. The PIX Firewall permits a user up to four chances to log in and then if the username or password still fails, the PIX Firewall drops the connection.

FTP users receive a prompt from the FTP program. If a user enters an incorrect password, the connection is dropped immediately. If the username or password on the authentication database differs from the username or password on the remote host to which you are using FTP to access, enter the username and password in these formats:
authentication_user_name@remote_system_user_name
authentication_password@remote_system_password

If you daisy-chain PIX Firewall units, Telnet authentication works in the same way as a single unit, but FTP and HTTP authentication have additional complexity for users because they have to enter each password and username with an additional at (@) character and password or username for each daisy-chained system. Users can exceed the 63-character password limit depending on how many units are daisy-chained and password length. Some FTP graphical user interfaces (GUIs) do not display challenge values.

HTTP users see a pop-up window generated by the browser itself. If a user enters an incorrect password, the user is reprompted. When the web server and the authentication server are on different hosts, use the virtual command to get the correct authentication behavior.

Authenticated access to the PIX Firewall console has different types of prompts depending on the option you choose with the aaa authentication console command:

enable option: Allows three tries before stopping with Access denied. The enable option requests a username and password before accessing privileged mode for serial or Telnet connections.
serial option: Causes the user to be prompted continually until successfully logging in. The serial option requests a username and password before the first command line prompt on the serial console connection.
ssh option: Allows three tries before stopping with "Rejected by Server." The ssh option requests a username and password before the first command line prompt appears.
telnet option: Causes the user to be prompted continually until successfully logging in. The telnet option forces you to specify a username and password before the first command line prompt of a Telnet console connection.

You can specify an interface name with the aaa authentication command. In previous versions, if you specified aaa authentication include any outbound 0 0 server, PIX Firewall only authenticated outbound connections and not those to the perimeter interface. PIX Firewall now authenticates any outbound connection to the outside as well as to hosts on the perimeter interface. To preserve the behavior of previous versions, use these commands to enable authentication and to disable authentication from the inside to the perimeter interface:
aaa authentication include any outbound 0 0 server
aaa authentication exclude outbound perim_net perim_mask server

When a host is configured for authentication, all users on the host must use a web browser or Telnet first before performing any other networking activity, such as accessing mail or a news reader. The reason for this is that users must first establish their authentication credentials and programs such as mail agents and newsreaders do not have authentication challenge prompts.

Cisco PIX Firewall Command Reference 78-13849-01

3-7

Chapter 3 aaa authentication

A through B Commands

The PIX Firewall only accepts 7-bit characters during authentication. After authentication, the client and server can negotiate for 8 bits if required. During authentication, the PIX Firewall only negotiates Go-Ahead, Echo, and NVT (network virtual terminal).
HTTP Authentication

When using HTTP authentication to a site running Microsoft IIS that has Basic text authentication or NT Challenge enabled, users may be denied access from the Microsoft IIS server. This occurs because the browser appends the string Authorization: Basic=Uuhjksdkfhk== to the HTTP GET commands. This string contains the PIX Firewall authentication credentials. Windows NT Microsoft IIS servers respond to the credentials and assume that a Windows NT user is trying to access privileged pages on the server. Unless the PIX Firewall username and password combination is exactly the same as a valid Windows NT username and password combination on the Microsoft IIS server, the HTTP GET command is denied.

To solve this problem, PIX Firewall provides the virtual http command, which redirects the browser's initial connection to another IP address, authenticates the user, then redirects the browser back to the URL which the user originally requested.

Once authenticated, a user never has to reauthenticate no matter how low the PIX Firewall uauth timeout is set. This is because the browser caches the Authorization: Basic=Uuhjksdkfhk== string in every subsequent connection to that particular site. This can only be cleared when the user exits all instances of Netscape Navigator or Internet Explorer and restarts. Flushing the cache is of no use. As long as the user repeatedly browses the Internet, the browser resends the Authorization: Basic=Uuhjksdkfhk== string to transparently reauthenticate the user.

Multimedia applications such as CU-SeeMe, Intel Internet Phone, MeetingPoint, and MS Netmeeting silently start the HTTP service before an H.323 session is established from the inside to the outside. Network browsers such as Netscape Navigator do not present a challenge value during authentication; therefore, only password authentication can be used from a network browser.

Note

To avoid interfering with these applications, do not enter blanket outgoing aaa command statements for all challenged ports, such as using the any option. Be selective about which ports and addresses you use to challenge HTTP, and set user authentication timeouts to a higher value. If interfered with, the multimedia programs may fail on the PC and may even crash the PC after establishing outgoing sessions from the inside.
TACACS+ and RADIUS servers

Up to 196 TACACS+ or RADIUS servers are permitted (up to 14 servers in each of the up to 14 server groups set with the aaa-server command). When a user logs in, the servers are accessed one at a time starting with the first server you specify in the configuration, until a server responds. The PIX Firewall permits only one authentication type per network. For example, if one network connects through the PIX Firewall using TACACS+ for authentication, another network connecting through the PIX Firewall can authenticate with RADIUS, but one network cannot authenticate with both TACACS+ and RADIUS. For the TACACS+ server, if you do not specify a key to the aaa-server command, no encryption occurs. The PIX Firewall displays the same timeout message for both RADIUS and TACACS+. The message aaa server host machine not responding displays when either of the following occurs:

The AAA server system is down.
The AAA server system is up, but the service is not running.


Previously, TACACS+ differentiated between the two preceding states and provided two different timeout messages, while RADIUS did not differentiate between the two states and provided one timeout message.
match acl_name Option Usage

The syntax for this command is as follows:
aaa authentication | authorization | accounting match acl_name inbound | outbound | interface_name group_tag

An example follows:
show access-list
access-list mylist permit tcp 10.0.0.0 255.255.255.0 172.23.2.0 255.255.255.0 (hitcnt=0)
access-list yourlist permit tcp any any (hitcnt=0)
show aaa
aaa authentication match mylist outbound TACACS+

Similar to IPSec, the keyword permit means yes and deny means no. Therefore, the following command,
aaa authentication match yourlist outbound tacacs

is equal to this command:

aaa authentication include any outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 tacacs

The aaa command statement list is order dependent between access-list command statements. If the following command is entered:
aaa authentication match yourlist outbound tacacs

after this command:
aaa authentication match mylist outbound TACACS+

PIX Firewall tries to find a match in the mylist access-list command statement group before it tries to find a match in the yourlist access-list command statement group. Old aaa command configuration and functionality stays the same and is not converted to the access-list format. Hybrid configurations, that is, old configurations combined with the new access-list configuration, are not recommended.

Examples

The following example shows use of the aaa authentication command:

pixfirewall(config)# aaa authentication telnet console radius


The following example lists the new include and exclude options:
aaa authentication include any outbound 172.31.0.0 255.255.0.0 0.0.0.0 0.0.0.0 tacacs+
aaa authentication exclude telnet outbound 172.31.38.0 255.255.255.0 0.0.0.0 0.0.0.0 tacacs+

The following examples demonstrate ways to use the if_name parameter. The PIX Firewall has an inside network of 192.168.1.0, an outside network of 209.165.201.0 (subnet mask 255.255.255.224), and a perimeter network of 209.165.202.128 (subnet mask 255.255.255.224). This example enables authentication for connections originated from the inside network to the outside network:
aaa authentication include any outbound 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224 tacacs+

This example enables authentication for connections originated from the inside network to the perimeter network:
aaa authentication include any outbound 192.168.1.0 255.255.255.0 209.165.202.128 255.255.255.224 tacacs+

This example enables authentication for connections originated from the outside network to the inside network:
aaa authentication include any inbound 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224 tacacs+

This example enables authentication for connections originated from the outside network to the perimeter network:
aaa authentication include any inbound 209.165.201.0 255.255.255.224 209.165.202.128 255.255.255.224 tacacs+

This example enables authentication for connections originated from the perimeter network to the outside network:
aaa authentication include any outbound 209.165.202.128 255.255.255.224 209.165.201.0 255.255.255.224 tacacs+

This example specifies that IP addresses 10.0.0.1 through 10.0.0.254 can originate outbound connections and then enables user authentication so that those addresses must enter user credentials to exit the PIX Firewall. In this example, the first aaa authentication command permits authentication on FTP, HTTP, or Telnet depending on what the authentication server handles. The second aaa authentication command lets host 10.0.0.42 start outbound connections without being authenticated. This example uses the default authentication group tacacs+.
nat (inside) 1 10.0.0.0 255.255.255.0
aaa authentication include any outbound 0 0 tacacs+
aaa authentication exclude outbound 10.0.0.42 255.255.255.255 tacacs+ any

This example permits inbound access to any IP address in the range of 209.165.201.1 through 209.165.201.30 indicated by the 209.165.201.0 network address (subnet mask 255.255.255.224). All services are permitted by the access-list command, and the aaa authentication command permits authentication on FTP, HTTP, or Telnet depending on what the authentication server handles. The authentication server is at IP address 10.16.1.20 on the inside interface.
aaa-server AuthIn protocol tacacs+
aaa-server AuthIn (inside) host 10.16.1.20 thisisakey timeout 20
static (inside,outside) 209.165.201.0 10.16.1.0 netmask 255.255.255.224
access-list acl_out permit tcp 10.16.1.0 255.255.255.0 209.165.201.0 255.255.255.224
access-group acl_out in interface outside
aaa authentication include any inbound 0 0 AuthIn
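The following Python is an added example, not Cisco code and not from this reference: it models the include, exclude and match acl_name matching described above, including the permit = yes / deny = no reading of a matched access list and the protocol/port service form that aaa authorization also uses for author_service. The exclude-over-include precedence and the source-address mapping for match rules are modeling assumptions, and every rule, ACL and connection in its checks is constructed.

```python
"""Offline model of PIX 'aaa authentication include | exclude | match' rule matching.
Added example, not Cisco code: it re-implements the matching semantics this page describes
so a proposed aaa configuration can be checked before deployment (assumptions in auth_group)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PROTO_NUM = {"ip": 0, "icmp": 1, "tcp": 6, "udp": 17}  # "ip" (0) matches any protocol in an ACL
NAMED_SERVICES = {"ftp": (6, 21), "http": (6, 80), "telnet": (6, 23)}
Net, Addr = ipaddress.IPv4Network, ipaddress.IPv4Address

@dataclass(frozen=True)
class Conn:
    direction: str   # "inbound", "outbound" or an interface name
    local_ip: str    # host on the higher-security interface
    foreign_ip: str  # host on the lower-security interface
    proto: int       # IP protocol number: 6 TCP, 17 UDP, 1 ICMP
    port: int        # TCP/UDP destination port, or ICMP type

@dataclass(frozen=True)
class Rule:
    kind: str        # "include", "exclude" or "match"
    service: str     # service spec, or the access-list name for "match"
    direction: str
    local: Optional[Net]
    foreign: Optional[Net]
    group: str       # AAA server group tag

def _net(addr: str, mask: str) -> Net:
    """'0 0' is the PIX shorthand for 0.0.0.0 0.0.0.0 (all hosts)."""
    addr = "0.0.0.0" if addr == "0" else addr
    mask = "0.0.0.0" if mask == "0" else mask
    return Net((addr, mask), strict=False)

def _take_net(t: List[str], i: int) -> Tuple[Net, int]:
    """Consume 'any', 'host A' or 'A MASK' from an access-list statement."""
    if t[i] == "any":
        return _net("0", "0"), i + 1
    if t[i] == "host":
        return _net(t[i + 1], "255.255.255.255"), i + 2
    return _net(t[i], t[i + 1]), i + 2

def _proto(tok: str) -> int:
    return PROTO_NUM[tok] if tok in PROTO_NUM else int(tok)

def service_matches(spec: str, proto: int, port: int) -> bool:
    """any | ftp | http | telnet | protocol/port[-port]; port 0 means all ports.
    The same protocol/port form is the author_service argument of aaa authorization."""
    if spec == "any":
        return True
    if spec in NAMED_SERVICES:
        return (proto, port) == NAMED_SERVICES[spec]
    pname, _, prange = spec.partition("/")
    if _proto(pname) != proto:
        return False
    if proto not in (1, 6, 17) or prange in ("", "0"):
        return True  # port/type not applicable to this protocol, or 0 = all ports
    lo, _, hi = prange.partition("-")  # a range is only meaningful for TCP/UDP
    return int(lo) <= port <= int(hi or lo)

def parse_aaa_line(line: str) -> Rule:
    t = line.split()
    if len(t) < 6 or t[:2] != ["aaa", "authentication"] or t[2] not in ("include", "exclude", "match"):
        raise ValueError("not an aaa authentication rule: " + line)
    if t[2] == "match":  # aaa authentication match acl_name direction group_tag
        return Rule("match", t[3], t[4], None, None, t[5])
    addrs = t[5:-1]  # 2 tokens (local only) or 4 tokens (local + foreign)
    foreign = _net(addrs[2], addrs[3]) if len(addrs) == 4 else _net("0", "0")
    return Rule(t[2], t[3], t[4], _net(addrs[0], addrs[1]), foreign, t[-1])

def parse_acl_line(line: str) -> Tuple[str, str, int, Net, Net]:
    """'access-list NAME permit|deny PROTO SRC DST' -> (name, action, proto, src, dst)."""
    t = line.split()
    src, i = _take_net(t, 4)
    dst, _ = _take_net(t, i)
    return t[1], t[2], _proto(t[3]), src, dst

def _addr_rule_matches(r: Rule, c: Conn) -> bool:
    return (r.direction == c.direction and service_matches(r.service, c.proto, c.port)
            and Addr(c.local_ip) in r.local and Addr(c.foreign_ip) in r.foreign)

def auth_group(rules: List[Rule], acl_lines: List[str], c: Conn) -> Optional[str]:
    """Group tag that would challenge c, or None when no challenge applies.
    Assumptions: a matching 'exclude' wins over every 'include'; other statements are tried in
    configuration order; for 'match' the named ACL is walked in order with permit = challenge and
    deny = no challenge (as the page states), its source address being the originating host."""
    acls: Dict[str, list] = {}
    for name, *ace in map(parse_acl_line, acl_lines):
        acls.setdefault(name, []).append(ace)
    if any(r.kind == "exclude" and _addr_rule_matches(r, c) for r in rules):
        return None
    src, dst = (c.local_ip, c.foreign_ip) if c.direction == "outbound" else (c.foreign_ip, c.local_ip)
    for r in rules:
        if r.kind == "include" and _addr_rule_matches(r, c):
            return r.group
        if r.kind == "match" and r.direction == c.direction:
            for action, proto, s, d in acls.get(r.service, []):
                if proto in (0, c.proto) and Addr(src) in s and Addr(dst) in d:
                    return r.group if action == "permit" else None
    return None
```

Feed it the aaa authentication and access-list lines of a candidate configuration together with the connections you expect to be challenged (and those you expect to pass unchallenged) to catch a shadowed exclude or a mis-ordered match statement before it reaches the firewall.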


Related Commands

aaa authorization auth-prompt service ssh telnet virtual

aaa authorization
Enable or disable LOCAL or TACACS+ user authorization services. (Configuration mode.)

Configure with the command...
aaa authorization command {LOCAL | tacacs_server_tag}
aaa authorization include | exclude author_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask
aaa authorization match acl_name inbound | outbound | if_name group_tag

Remove with the command...
no aaa authorization command {LOCAL | tacacs_server_tag}
no aaa authorization [include | exclude author_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask]
clear aaa [authorization [include | exclude author_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask]]
no aaa authorization match acl_name inbound | outbound | if_name group_tag

Show command options show aaa

Show command output Displays the AAA authentication configuration.


Syntax Description

authorization
    Enable or disable TACACS+ user authorization for services (PIX Firewall does not support RADIUS authorization). The authentication server determines what services the user is authorized to access.

author_service
    The services which require authorization. Use any, ftp, http, telnet, or protocol/port. Services not specified are authorized implicitly. Services specified in the aaa authentication command do not affect the services which require authorization. For protocol/port:
    protocol: the protocol (6 for TCP, 17 for UDP, 1 for ICMP, and so on).
    port: the TCP or UDP destination port, or port range. The port can also be the ICMP type; that is, 8 for ICMP echo or ping. A port value of 0 (zero) means all ports. Port ranges apply only to the TCP and UDP protocols, not to ICMP. For protocols other than TCP, UDP, and ICMP the port is not applicable and should not be used. An example port specification follows.
    aaa authorization include udp/53-1024 inside 0 0 0 0
    This example enables authorization for DNS lookups to the inside interface for all clients, and authorizes access to any other services that have ports in the range of 53 to 1024.
    Note: Specifying a port range may produce unexpected results at the authorization server. PIX Firewall sends the port range to the server as a string with the expectation that the server will parse it out into specific ports. Not all servers do this. In addition, you may want users to be authorized on specific services, which will not occur if a range is accepted.

foreign_ip
    The IP address of the hosts you want to access the local_ip address. Use 0 to mean all hosts.

foreign_mask
    Network mask of foreign_ip. Always specify a specific mask value. Use 0 if the IP address is 0. Use 255.255.255.255 for a host.

exclude
    Create an exception to a previously stated rule by excluding the specified service from authentication, authorization, or accounting to the specified host. The exclude parameter improves the former except option by allowing the user to specify a port to exclude to a specific host or hosts.

group_tag
    Specifies the AAA server. Enter LOCAL for the group tag value for local AAA services such as local command authorization using privilege levels, or use the AAA server group tag as defined by the aaa-server command.

if_name
    Interface name from which users require authentication. Use if_name in combination with the local_ip address and the foreign_ip address to determine where access is sought and from whom. The local_ip address is always on the highest security level interface and foreign_ip is always on the lowest.

include
    Create a new rule with the specified service to include.

inbound
    Authenticate or authorize inbound connections. Inbound means the connection originates on the outside interface and is being directed to the inside interface.

LOCAL
    Specifies to use the PIX Firewall local user database for local command authorization (using privilege levels).

local_ip
    The IP address of the host or network of hosts that you want to be authenticated or authorized. You can set this address to 0 to mean all hosts and to let the authentication server decide which hosts are authenticated.

local_mask
    Network mask of local_ip. Always specify a specific mask value. Use 0 if the IP address is 0. Use 255.255.255.255 for a host.

match acl_name
    Specify an access-list command statement name.

outbound
    Authenticate or authorize outbound connections. Outbound means the connection originates on the inside and is being directed to the outside interface.

tacacs_server_tag
    Specifies to use a TACACS user authentication server.

Usage Guidelines

Except for its use with command authorization, the aaa authorization command requires previous configuration with the aaa authentication command; however, use of the aaa authentication command does not require use of an aaa authorization command. Currently, the aaa authorization command is supported for use with LOCAL and TACACS+ servers but not with RADIUS servers.

Tip

The help aaa command displays the syntax and usage for the aaa authentication, aaa authorization, aaa accounting, and aaa proxy-limit commands in summary form. For each IP address, one aaa authorization command is permitted. If you want to authorize more than one service with aaa authorization, use the any parameter for the service type. If the first attempt at authorization fails and a second attempt causes a timeout, use the service resetinbound command to reset the client that failed the authorization so that it will not retransmit any connections. An example authorization timeout message in Telnet follows.
Unable to connect to remote host: Connection timed out

User authorization services control which network services a user can access. After a user is authenticated, attempts to access restricted services cause the PIX Firewall unit to verify the access permissions of the user with the designated AAA server. The include and exclude options are not backward compatible with previous PIX Firewall versions. If you downgrade to an earlier version, the aaa command statements will be removed from your configuration.

Note

RADIUS authorization is supported for use with access-list command statements and for use in configuring a RADIUS server with an acl=acl_name vendor-specific identifier. Refer to the access-list command page for more information. Also see the aaa-server radius-authport commands. If the AAA console login request times out, you can gain access to the PIX Firewall from the serial console by entering the pix username and the enable password.


Examples

The default PIX Firewall configuration provides the following aaa-server protocols:
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local

The following example uses the default protocol TACACS+ with the aaa commands:
aaa-server TACACS+ (inside) host 10.1.1.10 thekey timeout 20
aaa authentication include any outbound 0 0 0 0 TACACS+
aaa authorization include any outbound 0 0 0 0
aaa accounting include any outbound 0 0 0 0 TACACS+
aaa authentication serial console TACACS+

This example specifies that the authentication server with the IP address 10.1.1.10 resides on the inside interface and is in the default TACACS+ server group. The next three command statements specify that any users starting outbound connections to any foreign host will be authenticated using TACACS+, that the users who are successfully authenticated are authorized to use any service, and that all outbound connection information will be logged in the accounting database. The last command statement specifies that access to the PIX Firewall unit's serial console requires authentication from the TACACS+ server.

The following example enables authorization for DNS lookups from the outside interface:
aaa authorization include udp/53 inbound 0.0.0.0 0.0.0.0

The following example enables authorization of ICMP echo-reply packets arriving at the inside interface from inside hosts:
aaa authorization include 1/0 outbound 0.0.0.0 0.0.0.0

This means that users will not be able to ping external hosts if they have not been authenticated using Telnet, HTTP, or FTP. The following example enables authorization for ICMP echoes (pings) only that arrive at the inside interface from an inside host:
aaa authorization include 1/8 outbound 0.0.0.0 0.0.0.0

Related Commands

aaa authorization auth-prompt service ssh telnet virtual


aaa proxy-limit
Specifies the number of concurrent proxy connections allowed per user. (Configuration mode.)

Configure with the command...
aaa proxy-limit proxy_limit | disable

Remove with the command...
no aaa-server group_tag (if_name) host server_ip key timeout seconds
clear aaa-server [group_tag]

Show command options show aaa proxy-limit

Show command output Displays the number of outstanding authentication requests allowed, or indicates that the proxy limit is disabled if disabled.

Syntax Description

disable
    Disables the proxy limit.

group_tag
    Specifies the AAA server. Enter LOCAL for the group tag value for local AAA services such as local command authorization using privilege levels, or use the AAA server group tag as defined by the aaa-server command.

proxy_limit
    Specifies the number of concurrent proxy connections allowed per user, from 1 to 128. (The default value is 3.)

Usage Guidelines

The aaa proxy-limit command enables you to manually configure the uauth session limit by setting the maximum number of concurrent proxy connections allowed per user. By default, this value is set to 3. If a source address is a proxy server, consider excluding this IP address from authentication or increasing the number of allowable outstanding AAA requests.

Examples

The following example shows how to set and display the maximum number of outstanding authentication requests allowed:
pixdoc515(config)# aaa proxy-limit 6
pixdoc515(config)# show aaa proxy-limit
aaa proxy-limit 6


aaa-server
Specify an AAA server. (Configuration mode.)

Configure with the command...
aaa-server group_tag (if_name) host server_ip key timeout seconds
aaa-server group_tag protocol auth_protocol
aaa-server radius-acctport port
aaa-server radius-authport port
debug radius session
show aaa-server

Remove with the command...
no aaa-server group_tag (if_name) host server_ip key timeout seconds
clear aaa-server [group_tag]
N/A (for the protocol, radius-acctport, radius-authport, debug radius session, and show aaa-server forms)

Show command options show aaa-server

Show command output Displays AAA server configuration.

Syntax Description

aaa-server
    Specifies an AAA server or up to 14 groups of servers with a maximum of 14 servers each. Certain types of AAA services can be directed to different servers. Services can also be set up to fail over to multiple servers.

aaa-server radius-acctport
    Sets the port number of the RADIUS server which the PIX Firewall unit will use for accounting functions. The default port number used for RADIUS accounting is 1646.

aaa-server radius-authport
    Sets the port number of the RADIUS server which the PIX Firewall will use for authentication functions. The default port number used for RADIUS authentication is 1645.

debug radius session
    Captures RADIUS session information and attributes for sent and received RADIUS packets.

group_tag
    An alphanumeric string which is the name of the server group. Use the group_tag in the aaa command to associate aaa authentication and aaa accounting command statements to an AAA server. Up to 14 server groups are permitted. However, LOCAL cannot be used with the aaa-server command because LOCAL is predefined by the PIX Firewall.

host server_ip
    The IP address of the TACACS+ or RADIUS server.

if_name
    The interface name on which the server resides.

key
    A case-sensitive, alphanumeric keyword of up to 127 characters that is the same value as the key on the TACACS+ server. Any characters entered past 127 are ignored. The key is used between the client and server for encrypting data between them. The key must be the same on both the client and server systems. Spaces are not permitted in the key, but other special characters are.

no aaa-server
    Unbinds an AAA server from an interface or host.

port
    Specifies the destination TCP/UDP port number of the remote RADIUS server host to which you wish to assign authentication or accounting functions for the PIX Firewall. These port pairs are listed as assigned to authentication and accounting services on RADIUS servers:
    1645 (authentication), 1646 (accounting) - default for PIX Firewall
    1812 (authentication), 1813 (accounting) - alternate
    You can view these and other commonly used port number assignments online at the following website: http://www.iana.org/assignments/port-numbers See Ports in Chapter 2, Using PIX Firewall Commands for additional information.

protocol auth_protocol
    The type of AAA server, either tacacs+ or radius.

timeout seconds
    A retransmit timer that specifies the duration that the PIX Firewall retries access four times to the AAA server before choosing the next AAA server. The default is 5 seconds. The maximum time is 30 seconds. For example, if the timeout value is 10 seconds, PIX Firewall retransmits for 10 seconds and if no acknowledgment is received, tries three times more for a total of 40 seconds to retransmit data before the next AAA server is selected.

Usage Guidelines

The aaa-server command lets you specify AAA server groups. PIX Firewall lets you define separate groups of TACACS+ or RADIUS servers for different types of traffic, such as a TACACS+ server for inbound traffic and another for outbound traffic. Another use is where all outbound HTTP traffic will be authenticated by a TACACS+ server, and all inbound traffic will use RADIUS. AAA server groups are defined by a tag name that directs different types of traffic to each authentication server. If the first authentication server in the list fails, the AAA subsystem fails over to the next server in the tag group. You can have up to 14 tag groups and each group can have up to 14 AAA servers for a total of up to 196 AAA servers. If your RADIUS server uses ports 1812 for authentication and 1813 for accounting, you are required to reconfigure the PIX Firewall to use ports 1812 and 1813. If accounting is in effect, the accounting information goes only to the active server. If you are upgrading from a previous version of PIX Firewall and have aaa command statements in your configuration, using the default server groups lets you maintain backward compatibility with the aaa command statements in your configuration.
Usage Notes

1. The aaa command references the tag group. This is a global setting that takes effect when the RADIUS service is started.

2. The previous server type option at the end of the aaa authentication and aaa accounting commands has been replaced with the aaa-server group tag. Backward compatibility with previous versions is maintained by the inclusion of two default protocols for TACACS+ and RADIUS.

3. Changing authorization and accounting port settings is possible. By default, PIX Firewall listens for RADIUS on ports 1645 and 1646. If your RADIUS server uses ports 1812 and 1813, you may also reconfigure it to use ports 1812 and 1813 with the aaa-server radius-authport and aaa-server radius-acctport commands. Newer RADIUS servers may use the port numbers 1812 and 1813 as defined in RFC 2138 and RFC 2139.

4. If your server uses ports other than 1645 and 1646, then you should define ports using the aaa-server radius-authport and aaa-server radius-acctport commands prior to starting the RADIUS service with the aaa-server command.

Defaults

By default, the PIX Firewall listens for RADIUS on ports 1645 for authentication and 1646 for accounting. (The default ports are 1645 for authentication and 1646 for accounting as defined in RFC 2058.) The default configuration provides the following aaa-server protocols:
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local

Examples

The following example uses the default protocol TACACS+ with the aaa commands:
aaa-server TACACS+ (inside) host 10.1.1.10 thekey timeout 20
aaa authentication include any outbound 0 0 0 0 TACACS+
aaa authorization include any outbound 0 0 0 0
aaa accounting include any outbound 0 0 0 0 TACACS+
aaa authentication serial console TACACS+

This example specifies that the authentication server with the IP address 10.1.1.10 resides on the inside interface and is in the default TACACS+ server group. The next three command statements specify that any users starting outbound connections to any foreign host will be authenticated using TACACS+, that the users who are successfully authenticated are authorized to use any service, and that all outbound connection information will be logged in the accounting database. The last command statement specifies that access to the PIX Firewall unit's serial console requires authentication from the TACACS+ server.

This example creates the AuthOut and AuthIn server groups for RADIUS authentication and specifies that servers 10.0.1.40, 10.0.1.41, and 10.1.1.2 on the inside interface provide authentication. The servers in the AuthIn group authenticate inbound connections; the AuthOut group authenticates outbound connections.
aaa-server AuthIn protocol radius
aaa-server AuthIn (inside) host 10.0.1.40 ab timeout 20
aaa-server AuthIn (inside) host 10.0.1.41 abc timeout 4
aaa-server AuthOut protocol radius
aaa-server AuthOut (inside) host 10.1.1.2 abc123 timeout 15
aaa authentication include any inbound 0 0 0 0 AuthIn
aaa authentication include any outbound 0 0 0 0 AuthOut
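As an added example (not Cisco code and not part of this reference), the following Python audits aaa-server statements against the limits and caveats stated above: 14 groups of 14 servers, the 127-character key, the 30-second maximum timeout, LOCAL being predefined, a TACACS+ server with no key (no encryption), and the 1645/1646 versus 1812/1813 port pairs. It also computes the worst-case fail-over time per group from the four-attempt rule. The statement forms it parses are the ones shown on this page; the pairing check is a hygiene heuristic, and the configuration in its test is constructed.

```python
"""Audit PIX 'aaa-server' statements against the limits and caveats given on this page.
Added example, not Cisco code. It assumes the statement forms shown here: 'aaa-server TAG
protocol tacacs+|radius', 'aaa-server TAG [(IF)] host IP [KEY] [timeout N]' and
'aaa-server radius-authport|radius-acctport N'."""
from typing import Dict, List, Tuple

MAX_GROUPS = MAX_PER_GROUP = 14          # 14 groups x 14 servers = 196 servers
DEFAULT_TIMEOUT, MAX_TIMEOUT = 5, 30     # seconds per attempt
RETRIES = 4                              # PIX tries each server four times before failing over
DEFAULT_PORTS = {"radius-authport": 1645, "radius-acctport": 1646}
DEFAULT_PROTOCOLS = {"TACACS+": "tacacs+", "RADIUS": "radius", "LOCAL": "local"}


def parse_aaa_servers(lines: List[str]) -> Tuple[Dict[str, str], List[dict], Dict[str, int]]:
    """Return (group tag -> protocol, one dict per host statement, RADIUS port settings)."""
    protocols = dict(DEFAULT_PROTOCOLS)
    servers: List[dict] = []
    ports = dict(DEFAULT_PORTS)
    for line in lines:
        t = line.split()
        if len(t) < 3 or t[0] != "aaa-server":
            continue
        if t[1] in ports:                      # aaa-server radius-authport 1812
            ports[t[1]] = int(t[2])
        elif t[2] == "protocol":               # aaa-server AuthIn protocol radius
            protocols[t[1]] = t[3]
        elif "host" in t:                      # aaa-server AuthIn (inside) host 10.0.1.40 ab timeout 20
            h = t.index("host")
            rest = t[h + 2:]                   # [KEY] [timeout N]; the (IF) token is optional
            timeout = DEFAULT_TIMEOUT
            if "timeout" in rest:
                timeout = int(rest[rest.index("timeout") + 1])
                rest = rest[:rest.index("timeout")]
            servers.append({"line": line, "tag": t[1], "ip": t[h + 1],
                            "key": rest[0] if rest else None, "timeout": timeout})
    return protocols, servers, ports


def audit_aaa_servers(lines: List[str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing to flag."""
    protocols, servers, ports = parse_aaa_servers(lines)
    findings: List[str] = []
    per_group: Dict[str, int] = {}
    for s in servers:
        tag, ip = s["tag"], s["ip"]
        per_group[tag] = per_group.get(tag, 0) + 1
        if tag == "LOCAL":
            findings.append(f"{ip}: LOCAL is predefined and cannot be used with aaa-server host")
        elif tag not in protocols:
            findings.append(f"{ip}: group {tag} has no 'aaa-server {tag} protocol' statement")
        elif protocols[tag] == "tacacs+" and s["key"] is None:
            findings.append(f"{ip} ({tag}): TACACS+ server without a key, so no encryption occurs")
        if s["key"] is not None and len(s["key"]) > 127:
            findings.append(f"{ip} ({tag}): key longer than 127 characters; the excess is ignored")
        if s["timeout"] > MAX_TIMEOUT:
            findings.append(f"{ip} ({tag}): timeout {s['timeout']}s exceeds the {MAX_TIMEOUT}s maximum")
        if per_group[tag] == MAX_PER_GROUP + 1:
            findings.append(f"group {tag}: more than {MAX_PER_GROUP} servers")
    if len(per_group) > MAX_GROUPS:
        findings.append(f"{len(per_group)} server groups exceed the limit of {MAX_GROUPS}")
    auth, acct = ports["radius-authport"], ports["radius-acctport"]
    if (auth, acct) not in ((1645, 1646), (1812, 1813)):   # heuristic: ports are normally changed as a pair
        findings.append(f"RADIUS ports {auth}/{acct} are not a matched pair (1645/1646 or 1812/1813)")
    return findings


def failover_seconds(lines: List[str]) -> Dict[str, int]:
    """Worst-case seconds per group before every server has been tried (timeout x 4 each)."""
    _, servers, _ = parse_aaa_servers(lines)
    budget: Dict[str, int] = {}
    for s in servers:
        budget[s["tag"]] = budget.get(s["tag"], 0) + s["timeout"] * RETRIES
    return budget
```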

The following example lists the commands that can be used to establish an Xauth crypto map:
ip address inside 10.0.0.1 255.255.255.0
ip address outside 168.20.1.5 255.255.255.0
ip local pool dealer 10.1.2.1-10.1.2.254
nat (inside) 0 access-list 80
aaa-server TACACS+ host 10.0.0.2 secret123
crypto ipsec transform-set pc esp-des esp-md5-hmac
crypto dynamic-map cisco 4 set transform-set pc
crypto map partner-map 20 ipsec-isakmp dynamic cisco
crypto map partner-map client configuration address initiate
crypto map partner-map client authentication TACACS+
crypto map partner-map interface outside
isakmp key cisco1234 address 0.0.0.0 netmask 0.0.0.0
isakmp client configuration address-pool local dealer outside
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 1
isakmp policy 8 lifetime 86400

The aaa-server command is used with the crypto map command to establish an authentication association so that VPN clients are authenticated when they access the PIX Firewall.

Related Commands

crypto ipsec isakmp

access-group
Binds the access list to an interface. (Configuration mode.)

Configure with the command...
access-group acl_ID in interface interface_name

Remove with the command...
no access-group acl_ID in interface interface_name
clear access-group [acl_ID]

Show command options show access-group [acl_ID]

Show command output Displays the current access list bound to the interfaces.

Syntax Description

acl_ID
    The name associated with a given access list.

in
    Filter inbound packets at the given interface.

interface interface_name
    The name of the network interface.

Usage Guidelines

The access-group command binds an access list to an interface. The access list is applied to traffic inbound to an interface. If you enter the permit option in an access-list command statement, the PIX Firewall continues to process the packet. If you enter the deny option in an access-list command statement, PIX Firewall discards the packet and generates the following syslog message.
%PIX-4-106019: IP packet from source_addr to destination_addr, protocol protocol received from interface interface_name deny by access-group acl_ID

Always use the access-list command with the access-group command.


Note

Use of the access-group command overrides the conduit and outbound command statements for the specified interface_name. The no access-group command unbinds the acl_ID from the interface interface_name. The show access-group command displays the current access list bound to the interfaces. The clear access-group command removes all entries from an access list indexed by acl_ID. If acl_ID is not specified, all access-list command statements are removed from the configuration.

Examples

The following example shows use of the access-group command:
static (inside,outside) 209.165.201.3 10.1.1.3
access-list acl_out permit tcp any host 209.165.201.3 eq 80
access-group acl_out in interface outside

The static command statement provides a global address of 209.165.201.3 for the web server at 10.1.1.3. The access-list command statement lets any host access the global address using port 80. The access-group command specifies that the access-list command statement applies to traffic entering the outside interface.

access-list
Create an access list, or use downloadable access lists. (Downloadable access lists are supported for RADIUS servers only). (Configuration mode.) Configure with the command... access-list [acl_ID] compiled access-list acl_ID {deny | permit} icmp {source_addr | local_addr} {source_mask | local_mask} {destination_addr | remote_addr} {destination_mask | remote_mask} icmp_type access-list id {deny | permit} icmp {source_addr | local_addr} {source_mask | local_mask} | object-group network_obj_grp_id {destination_addr | remote_addr} {destination_mask | remote_mask} | object-group network_obj_grp_id [icmp_type | object-group icmp_type_obj_grp_id] access-list acl_ID {deny | permit} protocol {source_addr | local_addr} {source_mask | local_mask}[operator port [port] {destination_addr | remote_addr} {destination_mask | remote_mask} [operator port [port] Remove with the command... no access-list [acl_ID] compiled no access-list [acl_ID {deny | permit} icmp {source_addr | local_addr} {source_mask | local_mask} {destination_addr | remote_addr} {destination_mask | remote_mask} icmp_type] no access-list id {deny | permit} {icmp {source_addr | local_addr} {source_mask | local_mask} | object-group network_obj_grp_id {destination_addr | remote_addr} {destination_mask | remote_mask} | object-group network_obj_grp_id [icmp_type | object-group icmp_type_obj_grp_id]} no access-list acl_ID [{deny | permit} protocol {source_addr | local_addr} {source_mask | local_mask} [operator port [port] {destination_addr | remote_addr} {destination_mask | remote_mask} [operator port [port]]

Cisco PIX Firewall Command Reference

3-20

78-13849-01

Chapter 3

A through B Commands access-list

Configure with the command...
access-list id {deny | permit} {protocol | object-group protocol_obj_grp_id {source_addr | local_addr} {source_mask | local_mask} | object-group network_obj_grp_id [operator port [port] | object-group service_obj_grp_id] {destination_addr | remote_addr} {destination_mask | remote_mask} | object-group network_obj_grp_id [operator port [port] | object-group service_obj_grp_id]}
debug access-list all | standard | turbo
N/A
N/A

Remove with the command...
no access-list id {deny | permit} {protocol | object-group protocol_obj_grp_id {source_addr | local_addr} {source_mask | local_mask} | object-group network_obj_grp_id [operator port [port] | object-group service_obj_grp_id] {destination_addr | remote_addr} {destination_mask | remote_mask} | object-group network_obj_grp_id [operator port [port] | object-group service_obj_grp_id]}
no debug access-list all | standard | turbo
clear access-list [acl_ID]
clear access-list acl_ID counters

Show command options show access-list [[acl_ID] source_addr]

Show command output Displays the access-list command statements in the configuration, the hit count of the number of times each element has been matched during an access-list command search, and whether or not the list is configured for TurboACL. The source_addr option filters the show output so that only those access-list elements that match the source IP address (or with any as source IP address) are displayed.

Syntax Description

acl_ID

Name of an access list. You can use either a name or number.

compiled

When used in conjunction with the access-list command, this turns on TurboACL unless the no qualifier is used, in which case the command no access-list acl_ID compiled turns off TurboACL for that access list. To use TurboACL globally, enter the access-list compiled command and to globally turn off TurboACL, enter the no access-list compiled command. After TurboACL has been globally configured, individual access lists or groups can have TurboACL enabled or disabled using individual [no] access-list acl_ID compiled commands. TurboACL is compiled only if the number of access list elements is greater than or equal to 19.

debug

Outputs access list debugging information to the console.


deny

When used with the access-group command, the deny option does not allow a packet to traverse the PIX Firewall. By default, PIX Firewall denies all inbound or outbound packets unless you specifically permit access. When used with a crypto map command statement, deny does not select a packet for IPSec protection. The deny option prevents traffic from being protected by IPSec in the context of that particular crypto map entry. In other words, it does not allow the policy as specified in the crypto map command statements to be applied to this traffic.

destination_addr

IP address of the network or host to which the packet is being sent. Specify a destination_addr when the access-list command statement is used in conjunction with an access-group command statement, or with the aaa match access-list command and the aaa authorization command. For inbound and outbound connections, destination_addr is the address before NAT has been performed.

destination_mask

Netmask bits (mask) to be applied to destination_addr, if the destination address is a network mask.

icmp_type

For non-IPSec use only, permit or deny access to ICMP message types. Refer to Table 3-1 for a list of message types. Omit this option to mean all ICMP types. ICMP message types are not supported for use with IPSec; that is, when the access-list command is used in conjunction with the crypto map command, the icmp_type is ignored.

local_addr

Address of the network or host local to the PIX Firewall. Specify a local_addr when the access-list command statement is used in conjunction with a crypto access-list command statement, a nat 0 access-list command statement, or a vpngroup split-tunnel command statement. The local_addr is the address after NAT has been performed.

local_mask

Netmask bits (mask) to be applied to local_addr, if the local address is a network mask.

object-group

Specifies an object group. Refer to the object-group command for information on how to configure object groups.

obj_grp_id

An existing object group.


operator

The operator compares the source IP address (sip) or destination IP address (dip) ports. Possible operands include lt for less than, gt for greater than, eq for equal, neq for not equal, and range for an inclusive range. Use the access-list command without an operator and port to indicate all ports by default. For example,
access-list acl_out permit tcp any host 209.165.201.1

Use eq and a port to permit or deny access to just that port. For example, use eq ftp to permit or deny access only to FTP.
access-list acl_out deny tcp any host 209.165.201.1 eq ftp

Use lt and a port to permit or deny access to all ports less than the port you specify. For example, use lt 1025 to permit or deny access to the well known ports (1 to 1024).
access-list acl_dmz1 permit tcp any host 192.168.1.1 lt 1025

Use gt and a port to permit or deny access to all ports greater than the port you specify. For example, use gt 42 to permit or deny ports 43 to 65535.
access-list acl_dmz1 deny udp any host 192.168.1.2 gt 42

Use neq and a port to permit or deny access to every port except the ports that you specify. For example, use neq 10 to permit or deny ports 1-9 and 11 to 65535.
access-list acl_dmz1 deny tcp any host 192.168.1.3 neq 10

Use range and a port range to permit or deny access to only those ports named in the range. For example, use range 10 1024 to permit or deny access only to ports 10 through 1024. All other ports are unaffected. The use of port ranges can dramatically increase the number of IPSec tunnels. For example, if a port range of 5000 to 65535 is specified for a highly dynamic protocol, up to 60,535 tunnels can be created.

permit

When used with the access-group command, the permit option selects a packet to traverse the PIX Firewall. By default, PIX Firewall denies all inbound or outbound packets unless you specifically permit access. When used with a crypto map command statement, permit selects a packet for IPSec protection. The permit option causes all IP traffic that matches the specified conditions to be protected by IPSec using the policy described by the corresponding crypto map command statements.

port

Services you permit or deny access to. Specify services by the port that handles them, such as smtp for port 25, www for port 80, and so on. You can specify ports by either a literal name or a number in the range of 0 to 65535. You can view valid port numbers online at the following website: http://www.iana.org/assignments/port-numbers See Ports in Chapter 2, Using PIX Firewall Commands for a list of valid port literal names in port ranges; for example, ftp h323. You can also specify numbers.

protocol

Name or number of an IP protocol. It can be one of the keywords icmp, ip, tcp, or udp, or an integer in the range 1 to 254 representing an IP protocol number. To match any Internet protocol, including ICMP, TCP, and UDP, use the keyword ip.


source_addr

Address of the network or host from which the packet is being sent. Use this field when an access-list command statement is used in conjunction with an access-group command statement, or with the aaa match access-list command and the aaa authorization command.

source_mask

Netmask bits (mask) to be applied to source_addr, if the source address is for a network mask.

remote_addr

IP address of the network or host remote to the PIX Firewall. Specify a remote_addr when the access-list command statement is used in conjunction with a crypto access-list command statement, a nat 0 access-list command statement, or a vpdn group split-tunnel command statement.

remote_mask

Netmask bits (mask) to be applied to remote_addr, if the remote address is a network mask.

Usage Guidelines

The access-list command lets you specify if an IP address is permitted or denied access to a port or protocol. In this document, one or more access-list command statements with the same access list name are referred to as an access list. Access lists associated with IPSec are known as crypto access lists. By default, all access-list commands have an implicit deny unless you explicitly specify permit. In other words, by default, all access in an access list is denied unless you explicitly grant access using a permit statement. Additionally, you can use the object-group command to group access lists like any other network object. Use the following guidelines for specifying a source, local, or destination address:

- Use a 32-bit quantity in four-part, dotted-decimal format.
- Use the keyword any as an abbreviation for an address and mask of 0.0.0.0 0.0.0.0. This keyword is normally not recommended for use with IPSec.
- Use host address as an abbreviation for a mask of 255.255.255.255. Do not specify a mask if the address is for a host; if the destination address is for a host, use the host parameter before the address. For example:
access-list acl_grp permit tcp any host 192.168.1.1

Use the following guidelines for specifying a network mask:

- If the address is a network address, specify the mask as a 32-bit quantity in four-part, dotted-decimal format. Place zeros in the bit positions you want to ignore.
- Remember that you specify a network mask differently than with the Cisco IOS software access-list command. With PIX Firewall, use 255.0.0.0 for a Class A address, 255.255.0.0 for a Class B address, and 255.255.255.0 for a Class C address.
- If you are using a subnetted network address, use the appropriate network mask. For example:
access-list acl_grp permit tcp any 209.165.201.0 255.255.255.224

If appropriate, after you have defined an access list, bind it to an interface using the access-group command. For IPSec use, bind it with a crypto ipsec command statement. In addition, you can bind an access list with the RADIUS authorization feature (described in the next section). The access-list command supports the sunrpc service.


The show access-list command lists the access-list command statements in the configuration and the hit count of the number of times each element has been matched during an access-list command search. Additionally, it displays the number of access list statements in the access list and indicates whether or not the list is configured for TurboACL. (If the list has fewer than eighteen access control entries then it is marked to be turbo-configured but is not actually configured for TurboACL until there are 19 or more entries.) The clear access-list command removes all access-list command statements from the configuration or, if specified, access lists by their acl_ID. The clear access-list acl_ID counters command clears the hit count for the specified access list. The no access-list command removes an access-list command from the configuration. If you remove all the access-list command statements in an access list, the no access-list command also removes the corresponding access-group command from the configuration.

Note

The aaa, crypto map, and icmp commands make use of the access-list command statements.
RADIUS Authorization

PIX Firewall allows a RADIUS server to send user group attributes to the PIX Firewall in the RADIUS authentication response message. Additionally, the PIX Firewall allows downloadable access lists from the RADIUS server. For example, you can configure an access list on a Cisco Secure ACS server and download it to the PIX Firewall during RADIUS authorization. After the PIX Firewall authenticates a user, it can then use the CiscoSecure acl attribute returned by the authentication server to identify an access list for a given user group. To maintain consistency, PIX Firewall also provides the same functionality for TACACS+. To restrict users in a department to three servers and deny everything else, the access-list command statements are as follows:
access-list eng permit ip any server1 255.255.255.255
access-list eng permit ip any server2 255.255.255.255
access-list eng permit ip any server3 255.255.255.255
access-list eng deny ip any any

In this example, the vendor specific attribute string in the CiscoSecure configuration has been set to acl=eng. Use this field in the CiscoSecure configuration to identify the access-list identification name. The PIX Firewall gets the acl=acl_ID from CiscoSecure and extracts the ACL number from the attribute string, which it places in the user's uauth entry. When a user tries to open a connection, PIX Firewall checks the access list in the user's uauth entry, and depending on the permit or deny status of the access list match, permits or denies the connection. When a connection is denied, PIX Firewall generates a corresponding syslog message. If there is no match, then the implicit rule is to deny. Because the source IP of a given user can vary depending on where they are logging in from, set the source address in the access-list command statement to any, and the destination address to identify which network services the user is permitted or denied access to. If you want to specify that only users logging in from a given subnet may use the specified services, specify the subnet instead of using any.

Note

An access list used for RADIUS authorization does not require an access-group command to bind the statements to an interface. There is not a radius option to the aaa authorization command.


Configure the access list specified in Attribute 11 to specify a per-user access list name. Otherwise, remove Attribute 11 from the aaa RADIUS server configuration if no access list is intended for user authentication. If the access list is not configured on the PIX Firewall when the user attempts to login, the login will fail. For more information on how to use RADIUS server authorization, refer to the Cisco PIX Firewall and VPN Configuration Guide, version 6.2 or higher.
TurboACL

On the PIX Firewall, TurboACL is turned on globally with the command access-list compiled (and turned off globally by the command no access-list compiled). The PIX Firewall default mode is TurboACL off (no access-list compiled), and TurboACL is active only on access lists with 19 or more entries. The minimum amount of Flash memory required to run TurboACL is 2.1 MB. If memory allocation fails, the TurboACL lookup tables will not be generated.

Note

Use TurboACL only on PIX Firewall platforms that have 16MB or more of Flash memory. Consequently, TurboACL is not supported on PIX 501 because it has 8MB of Flash memory. If TurboACL is configured, some access control list or access control list group modifications can trigger regeneration of the TurboACL internal configuration. Depending on the extent of TurboACL configuration(s), this could noticeably consume CPU resources. Consequently, we recommend modifying turbo-compiled access lists during non-peak system usage hours. For more information on how to use TurboACL, refer to the Cisco PIX Firewall and VPN Configuration Guide, version 6.2 or higher.
Usage Notes

1. The clear access-list command automatically unbinds an access list from a crypto map command or interface. The unbinding of an access list from a crypto map command can lead to a condition that discards all packets because the crypto map command statements referencing the access list are incomplete. To correct the condition, either define other access-list command statements to complete the crypto map command statements or remove the crypto map command statements that pertain to the access-list command statement. Refer to the crypto map command for more information.

2. Access control lists that are dynamically updated on the PIX Firewall by an AAA server can only be shown using the show access-list command. The write command does not save or display these updated lists.

3. The access-list command operates on a first match basis.

4. If you specify an access-list command statement and bind it to an interface with the access-group command statement, by default, all traffic inbound to that interface is denied. You must explicitly permit traffic. Note that inbound in this context means traffic passing through the interface, rather than the more typical PIX Firewall usage of inbound meaning traffic passing from a lower security level interface to a higher security level interface.

5. Always permit access first and then deny access afterward. If the host entries match, then use a permit statement, otherwise use the default deny statement. You only need to specify additional deny statements if you need to deny specific hosts and permit everyone else.

6. You can view security levels for interfaces with the show nameif command.


7. The ICMP message type (icmp_type) option is ignored in IPSec applications because the message type cannot be negotiated with ISAKMP.

8. Only one access list can be bound to an interface using the access-group command.

9. If you specify the permit option in the access list, the PIX Firewall continues to process the packet. If you specify the deny option in the access list, PIX Firewall discards the packet and generates the following syslog message.
%PIX-4-106019: IP packet from source_addr to destination_addr, protocol protocol received from interface interface_name deny by access-group acl_ID

The access-list command uses the same syntax as the Cisco IOS software access-list command except that PIX Firewall uses a subnet mask, whereas Cisco IOS software uses a wildcard mask. For example, a wildcard mask of 0.0.0.255 in the Cisco IOS software access-list command corresponds to a subnet mask of 255.255.255.0 in the PIX Firewall access-list command.
10. We recommend that you do not use the access-list command with the conduit and outbound commands. While using these commands together will work, the way in which these commands operate may cause debugging issues because the conduit and outbound commands operate from one interface to another whereas the access-list command used with the access-group command applies only to a single interface. If these commands must be used together, PIX Firewall evaluates the access-list command before checking the conduit and outbound commands.

11. Refer to the Chapter 3, "Managing Network Access and Use" in the Cisco PIX Firewall and VPN Configuration Guide for a detailed description about using the access-list command to provide server access and to restrict outbound user access.

12. Refer to the aaa-server radius-acctport and aaa-server radius-authport commands to verify or change port settings.
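The wildcard-versus-subnet-mask difference in the usage notes above is a common source of copy-and-paste mistakes when moving rules between Cisco IOS and PIX. The following Python is an added example, not code from the Cisco reference; the function names are this example's own. It converts an IOS wildcard into the PIX subnet mask (and back) and rewrites a whole IOS extended access-list statement into PIX form. It also refuses non-contiguous wildcards such as 0.0.255.0, which IOS accepts but which have no subnet-mask equivalent, so a translation cannot silently widen the rule.

```python
import ipaddress


def is_contiguous_wildcard(wildcard: str) -> bool:
    """True if the IOS wildcard (0 bits = must match, 1 bits = don't care) is a
    run of 0s followed by a run of 1s, i.e. it has an exact subnet-mask form."""
    w = int(ipaddress.IPv4Address(wildcard))
    return (w & (w + 1)) == 0


def wildcard_to_pix_mask(wildcard: str) -> str:
    """IOS wildcard mask -> PIX subnet mask (bitwise complement)."""
    if not is_contiguous_wildcard(wildcard):
        raise ValueError(f"wildcard {wildcard} is not contiguous; no PIX subnet-mask equivalent")
    w = int(ipaddress.IPv4Address(wildcard))
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ w))


def pix_mask_to_wildcard(mask: str) -> str:
    """PIX subnet mask -> IOS wildcard mask; rejects masks that are not a prefix."""
    wildcard = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))
    if not is_contiguous_wildcard(wildcard):
        raise ValueError(f"{mask} is not a valid subnet mask")
    return wildcard


def ios_to_pix(line: str) -> str:
    """Rewrite an IOS extended access-list statement into PIX form by replacing
    each wildcard mask with the equivalent subnet mask. Keywords and port
    operators are the same on both platforms and are copied unchanged."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported statement: {line!r}")
    out, i = t[:4], 4
    for _ in range(2):                          # source address, then destination address
        if t[i] == "any":
            out.append("any")
            i += 1
        elif t[i] == "host":
            out.extend(t[i:i + 2])
            i += 2
        else:
            out.extend([t[i], wildcard_to_pix_mask(t[i + 1])])
            i += 2
        if i < len(t) and t[i] in ("lt", "gt", "eq", "neq"):
            out.extend(t[i:i + 2])
            i += 2
        elif i < len(t) and t[i] == "range":
            out.extend(t[i:i + 3])
            i += 3
    if i != len(t):
        # IOS-only trailing keywords (for example log or established) have no
        # PIX counterpart in this syntax; refuse rather than drop them silently.
        raise ValueError(f"untranslated trailing keywords: {t[i:]}")
    return " ".join(out)


if __name__ == "__main__":
    print(ios_to_pix("access-list 101 permit ip 172.21.3.0 0.0.0.255 172.22.2.0 0.0.0.255"))
    print(wildcard_to_pix_mask("0.0.0.31"), pix_mask_to_wildcard("255.255.255.224"))
```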
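The %PIX-4-106019 message in usage note 9 is the firewall's record of every packet an access-group deny rejected, and it is worth parsing rather than just storing. The following Python is an added example, not code from the Cisco reference: it extracts the fields from that message as documented above, counts denies per access group and source, and flags sources whose denied packets reached several distinct destinations, a pattern worth a closer look. The sample log lines are constructed to follow the documented message format (with a typical syslog relay prefix), not captured from a device.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Set, Tuple

# The documented %PIX-4-106019 format:
#   IP packet from source_addr to destination_addr, protocol protocol
#   received from interface interface_name deny by access-group acl_ID
DENY_RE = re.compile(
    r"%PIX-4-106019: IP packet from (?P<src>\d+\.\d+\.\d+\.\d+) "
    r"to (?P<dst>\d+\.\d+\.\d+\.\d+), protocol (?P<proto>\S+) "
    r"received from interface (?P<ifname>\S+) deny by access-group (?P<acl>\S+)"
)

# Constructed sample log: addresses, interface and ACL name are made up for
# this example, and the last line is filler the parser must ignore.
SAMPLE_LOG = """\
Jan 15 10:21:03 pixfirewall %PIX-4-106019: IP packet from 198.51.100.7 to 209.165.201.3, protocol 6 received from interface outside deny by access-group acl_out
Jan 15 10:21:04 pixfirewall %PIX-4-106019: IP packet from 198.51.100.7 to 209.165.201.1, protocol 6 received from interface outside deny by access-group acl_out
Jan 15 10:21:05 pixfirewall %PIX-4-106019: IP packet from 198.51.100.7 to 209.165.201.5, protocol 17 received from interface outside deny by access-group acl_out
Jan 15 10:21:09 pixfirewall %PIX-4-106019: IP packet from 203.0.113.9 to 209.165.201.3, protocol 1 received from interface outside deny by access-group acl_out
Jan 15 10:21:10 pixfirewall (constructed unrelated line that the parser must ignore)
"""


def parse_deny(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of a 106019 deny message, or None for any other line."""
    m = DENY_RE.search(line)
    return m.groupdict() if m else None


def deny_counts(log: str) -> Dict[Tuple[str, str], int]:
    """Number of denied packets per (access-group acl_ID, source address)."""
    counts: Counter = Counter()
    for line in log.splitlines():
        rec = parse_deny(line)
        if rec:
            counts[(rec["acl"], rec["src"])] += 1
    return dict(counts)


def sources_with_many_denied_destinations(log: str, min_distinct: int = 3) -> List[str]:
    """Sources whose denied packets were addressed to at least min_distinct
    different hosts: a single misconfigured client rarely looks like this."""
    dsts: Dict[str, Set[str]] = defaultdict(set)
    for line in log.splitlines():
        rec = parse_deny(line)
        if rec:
            dsts[rec["src"]].add(rec["dst"])
    return sorted(src for src, seen in dsts.items() if len(seen) >= min_distinct)


if __name__ == "__main__":
    for (acl, src), n in sorted(deny_counts(SAMPLE_LOG).items()):
        print(f"access-group {acl}: {n} denied from {src}")
    print("review:", sources_with_many_denied_destinations(SAMPLE_LOG))
```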


ICMP Message Types

For non-IPSec use only, if you prefer more selective ICMP access, you can specify a single ICMP message type as the last option in this command. Table 3-1 lists possible ICMP types values.
Table 3-1 ICMP Type Literals

ICMP Type   Literal
0           echo-reply
3           unreachable
4           source-quench
5           redirect
6           alternate-address
8           echo
9           router-advertisement
10          router-solicitation
11          time-exceeded
12          parameter-problem
13          timestamp-reply
14          timestamp-request
15          information-request
16          information-reply
17          mask-request
18          mask-reply
31          conversion-error
32          mobile-redirect

If you specify an ICMP message type for use with IPSec, PIX Firewall ignores it. For example:
access-list 10 permit icmp any any echo-reply

If IPSec is enabled such that a crypto map command references the acl_ID for this access-list command, then the echo-reply ICMP message type is ignored.
Using the access-list Command with IPSec

If an access list is bound to an interface with the access-group command, the access list selects which traffic can traverse the PIX Firewall. When bound to a crypto map command statement, the access list selects which IP traffic IPSec protects and which traffic IPSec does not protect. For example, access lists can be created to protect all IP traffic between Subnet X and Subnet Y or traffic between Host A and Host B. More information is available in the crypto map command section of this guide. The access lists themselves are not specific to IPSec. It is the crypto map command statement referring to the specific access list that defines whether IPSec processing is applied to the traffic matching a permit in the access list. Crypto access lists associated with the IPSec crypto map command statement have these primary functions:

- Select outbound traffic to be protected by IPSec (permit = protect).
- Indicate the data flow to be protected by the new security associations (specified by a single permit entry) when initiating negotiations for IPSec security associations.
- Process inbound traffic to filter out and discard traffic that IPSec protects.
- Determine whether or not to accept requests for IPSec security associations on behalf of the requested data flows when processing IKE negotiation from the IPSec peer. (Negotiation is only done for crypto map command statements with the ipsec-isakmp option.) For a peer's initiated IPSec negotiation to be accepted, it must specify a data flow that is permitted by a crypto access list associated with an ipsec-isakmp crypto map entry.

You can associate a crypto access list with an interface by defining the corresponding crypto map command statement and applying the crypto map set to an interface. Different access lists must be used in different entries of the same crypto map set. However, both inbound and outbound traffic will be evaluated against the same outbound IPSec access list. Therefore, the access lists criteria are applied in the forward direction to traffic exiting your PIX Firewall and the reverse direction to traffic entering your PIX Firewall.


If you want certain traffic to receive one combination of IPSec protection (for example, authentication only) and other traffic to receive a different combination of IPSec protection (for example, both authentication and encryption), you need to create two different crypto access lists to define the two different types of traffic. These different access lists are then used in different crypto map entries that specify different IPSec policies. We recommend that you configure mirror image crypto access lists for use by IPSec and that you avoid using the any keyword. See the Cisco PIX Firewall and VPN Configuration Guide for more information. If you configure multiple statements for a given crypto access list, in general, the first permit statement matched will be the statement used to determine the scope of the IPSec security association. That is, the IPSec security association will be set up to protect traffic that meets the criteria of the matched statement only. Later, if traffic matches a different permit statement of the crypto access list, a new, separate IPSec security association will be negotiated to protect traffic matching the newly matched access-list command statement. Some services such as FTP require two access-list command statements, one for port 10 and another for port 21, to properly encrypt FTP traffic.

Examples

The following example creates a numbered access list that specifies a Class C subnet for the source and a Class C subnet for the destination of IP packets. Because the access-list command is referenced in the crypto map command statement, PIX Firewall encrypts all IP traffic that is exchanged between the source and destination subnets.
access-list 101 permit ip 172.21.3.0 255.255.0.0 172.22.2.0 255.255.0.0
access-group 101 in interface outside
crypto map mymap 10 match address 101

The next example only lets an ICMP message type of echo-reply be permitted into the outside interface:
access-list acl_out permit icmp any any echo-reply
access-group acl_out in interface outside

activation-key
Updates the activation key on your PIX Firewall and checks the activation key running on your PIX Firewall against the activation key stored in the Flash memory of the PIX Firewall. (Configuration mode.)

Configure with the command...
activation-key activation-key-four-tuple

Remove with the command...
N/A

Show command options show activation-key

Show command output Displays the results of checking the activation key running on the PIX Firewall against the activation key stored in the Flash memory of the PIX Firewall.


Syntax Description

activation-key

Updates the PIX Firewall activation key unless there is a mismatch between the Flash memory and running PIX Firewall software versions.

activation-key-four-tuple

A four-element hexadecimal string with one space between each element. For example:
0xe02888da 0x4ba7bed6 0xf1c123ae 0xffd8624e

(The leading 0x specifier is optional; all values are assumed to be hexadecimal.)

Usage Guidelines

Use the activation-key activation-key-four-tuple command to change the activation key on your PIX Firewall.

Caution

Use only an activation key valid for your PIX Firewall software version and platform or your system may not reload after rebooting.

The activation-key activation-key-four-tuple command output indicates the status of the activation key as follows:

If the PIX Firewall Flash memory software image version is the same as the running PIX Firewall software version, and the PIX Firewall Flash memory activation key is the same as the running PIX Firewall software activation key, then the activation-key command output reads as follows:
The flash activation key has been modified. The flash activation key is now the SAME as the running key.

If the PIX Firewall Flash memory image version is the same as the running PIX Firewall software, and the PIX Firewall Flash memory activation key is different from the running PIX Firewall activation key, then the activation-key command output reads as follows:
The flash activation key has been modified. The flash activation key is now DIFFERENT from the running key. The flash activation key will be used when the unit is reloaded.

If the PIX Firewall Flash memory image version is not the same as the running PIX Firewall software, then the activation-key command output reads as follows:
The flash image is DIFFERENT from the running image. The two images must be the same in order to modify the flash activation key.

If the PIX Firewall Flash memory image version is the same as the running PIX Firewall software, and the entered activation key is not valid, then the activation-key command output reads as follows:
ERROR: The requested key was not saved because it is not valid for this system.

If the PIX Firewall Flash memory activation key is the same as the entered activation key, then the activation-key command output reads as follows:
The flash activation key has not been modified. The requested key is the SAME as the flash activation key.


The show activation-key command output indicates the status of the activation key as follows:

If the activation key in the PIX Firewall Flash memory is the same as the activation key running on the PIX Firewall, then the show activation-key output reads as follows:
The flash activation key is the SAME as the running key.

If the activation key in the PIX Firewall Flash memory is different from the activation key running on the PIX Firewall, then the show activation-key output reads as follows:
The flash activation key is DIFFERENT from the running key. The flash activation key takes effect after the next reload.

If the PIX Firewall Flash memory software image version is not the same as the running PIX Firewall software image, then the show activation-key output reads as follows:
The flash image is DIFFERENT from the running image. The two images must be the same in order to examine the flash activation key.

Usage Notes

1. The PIX Firewall must be rebooted for a new activation key to be enabled.

2. If the PIX Firewall software image is being upgraded to a higher version and the activation key is being updated at the same time, we recommend that you first install the software image upgrade and reboot the PIX Firewall unit, and then update the activation key in the new image and reboot the unit again.

3. If you are downgrading to a lower PIX Firewall software version, we recommend that you ensure that the activation key running on your system is not intended for a higher version before installing the lower version software image. If this is the case, you must first change the activation key to one that is compatible with the lower version before installing and rebooting. Otherwise, your system may refuse to reload after installation of the new software image.

Examples

The following example shows sample output from the show activation-key command:
pixfirewall(config)# show activation-key
Serial Number: 480221353 (0x1c9f98a9)
Running Activation Key: 0x36df4255 0x246dc5fc 0x39d2ec4d 0x09f6288f
Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES: Enabled
Maximum Interfaces: 6
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited
The flash activation key is the SAME as the running key.
pixfirewall(config)#


alias
Administer overlapping addresses with dual NAT. (Configuration mode.)

Configure with the command...
alias [(if_name)] dnat_ip foreign_ip [netmask]

Remove with the command...
no alias [[(if_name)] dnat_ip foreign_ip [netmask]]
clear alias

Show command options show alias

Show command output Displays the alias command statements in the configuration.

Syntax Description

dnat_ip

An IP address on the internal network that provides an alternate IP address for the external address that is the same as an address on the internal network.

foreign_ip

IP address on the external network that has the same address as a host on the internal network.

if_name

The internal network interface name in which the foreign_ip overlaps.

netmask

Network mask applied to both IP addresses. Use 255.255.255.255 for host masks.

Usage Guidelines

The alias command translates one address into another. Use this command to prevent conflicts when you have IP addresses on a network that are the same as those on the Internet or another intranet. You can also use this command to do address translation on a destination address. For example, if a host sends a packet to 209.165.201.1, you can use the alias command to redirect traffic to another address, such as 209.165.201.30.

Note

For DNS fixup to work properly, proxy-arp has to be disabled. If you are using the alias command for DNS fixup, disable proxy-arp with the following command after the alias command has been executed:
sysopt noproxyarp internal_interface

If the alias command is used with the sysopt ipsec pl-compatible command, a static route command statement must be added for each IP address specified in the alias command statement. After changing or removing an alias command statement, use the clear xlate command. There must be an A (address) record in the DNS zone file for the dnat address in the alias command. The alias command has two uses which can be summarized in the following ways of reading an alias command statement:

If the PIX Firewall gets a packet destined for the dnat_IP_address, send it to the foreign_IP_address.

If the PIX Firewall gets a DNS packet returned to the PIX Firewall destined for foreign_network_address, alter the DNS packet to change the foreign network address to dnat_network_address.

Cisco PIX Firewall Command Reference

3-32

78-13849-01

Chapter 3

A through B Commands alias

The no alias command disables a previously set alias command statement. The show alias command displays the alias command statements in the configuration. The clear alias command removes all alias commands from the configuration. The alias command automatically interacts with DNS servers on your network to ensure that domain name access to the aliased IP address is handled transparently. You can specify a net alias by using network addresses for the foreign_ip and dnat_ip IP addresses. For example, the alias 192.168.201.0 209.165.201.0 255.255.255.224 command creates aliases for each IP address between 209.165.201.1 and 209.165.201.30.

Note

ActiveX blocking does not occur when users access an IP address referenced by the alias command. ActiveX blocking is set with the filter activex command.

Usage Notes

To access an alias dnat_ip address with static and access-list command statements, specify the dnat_ip address in the access-list command statement as the address from which traffic is permitted. The following example illustrates this note.
alias (inside) 192.168.201.1 209.165.201.1 255.255.255.255
static (inside,outside) 209.165.201.1 192.168.201.1 netmask 255.255.255.255
access-list acl_out permit tcp host 192.168.201.1 host 209.165.201.1 eq ftp-data
access-group acl_out in interface outside

An alias is specified with the inside address 192.168.201.1 mapping to the foreign address 209.165.201.1.

You can use the sysopt nodnsalias command to disable inbound embedded DNS A record fixups according to aliases that apply to the A record address and outbound replies.

Examples

In the following example, the inside network contains the IP address 209.165.201.29, which on the Internet belongs to example.com. When inside clients try to access example.com, the packets do not go to the PIX Firewall because the client assumes 209.165.201.29 is on the local inside network. To correct this, use the alias command as follows:
alias (inside) 192.168.201.0 209.165.201.0 255.255.255.224
show alias
alias 192.168.201.0 209.165.201.0 255.255.255.224

When the inside network client 209.165.201.2 connects to example.com, the DNS response from an external DNS server to the internal client's query would be altered by the PIX Firewall to be 192.168.201.29. If the PIX Firewall uses 209.165.200.225 through 209.165.200.254 as the global pool IP addresses, the packet goes to the PIX Firewall with SRC=209.165.201.2 and DST=192.168.201.29. The PIX Firewall translates the address to SRC=209.165.200.254 and DST=209.165.201.29 on the outside.

In the next example, a web server is on the inside at 10.1.1.11 and a static command statement was created for it at 209.165.201.11. The source host is on the outside with address 209.165.201.7. A DNS server on the outside has a record for www.example.com as follows:
www.example.com. IN A 209.165.201.11

The period at the end of the www.example.com. domain name must be included.


The alias command follows:
alias 10.1.1.11 209.165.201.11 255.255.255.255

PIX Firewall doctors the nameserver replies to 10.1.1.11 for inside clients to directly connect to the web server. The static command statement is as follows:
static (inside,outside) 209.165.201.11 10.1.1.11

The access-list command statement you would expect to use follows:
access-list acl_grp permit tcp host 209.165.201.7 host 209.165.201.11 eq telnet

But with the alias command, use this command:
access-list acl_grp permit tcp host 209.165.201.11 eq telnet host 209.165.201.7

You can test the DNS entry for the host with the following UNIX nslookup command:
nslookup -type=any www.example.com
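The two readings of an alias statement given in the usage guidelines (rewrite the destination of a packet sent to a dnat address, and rewrite an A record answer carrying a foreign address) can be checked with a small address-arithmetic model. The following is an added example written for this page, not PIX Firewall code; the Alias class and fixup_dns_response function are this example's own names, the DNS reply it processes is constructed, and the net alias and host alias it uses are the ones from the examples above. It also shows which host addresses a net alias with a 255.255.255.224 mask covers.

```python
"""Model of the PIX alias (dual NAT) semantics: added example, not PIX code."""
import ipaddress
from typing import Iterable, List, Tuple


class Alias:
    """One 'alias [(if_name)] dnat_ip foreign_ip [netmask]' statement."""

    def __init__(self, dnat_ip: str, foreign_ip: str,
                 netmask: str = "255.255.255.255", if_name: str = "inside"):
        self.if_name = if_name
        # strict=False lets a host address be combined with a net mask, as in
        # alias 192.168.201.0 209.165.201.0 255.255.255.224
        self.dnat = ipaddress.ip_network(f"{dnat_ip}/{netmask}", strict=False)
        self.foreign = ipaddress.ip_network(f"{foreign_ip}/{netmask}", strict=False)

    @staticmethod
    def _shift(addr: ipaddress.IPv4Address, src: ipaddress.IPv4Network,
               dst: ipaddress.IPv4Network) -> ipaddress.IPv4Address:
        # Keep the host part of the address, swap the network part.
        offset = int(addr) - int(src.network_address)
        return ipaddress.ip_address(int(dst.network_address) + offset)

    def translate_destination(self, dst: str) -> str:
        """Reading 1: a packet destined for a dnat address is sent to the
        matching foreign address; any other destination is left alone."""
        addr = ipaddress.ip_address(dst)
        if addr in self.dnat:
            return str(self._shift(addr, self.dnat, self.foreign))
        return dst

    def dns_fixup(self, answer: str) -> str:
        """Reading 2: an A record answer inside the foreign network is
        rewritten to the matching dnat address (the DNS fixup)."""
        addr = ipaddress.ip_address(answer)
        if addr in self.foreign:
            return str(self._shift(addr, self.foreign, self.dnat))
        return answer

    def aliased_hosts(self) -> List[str]:
        """Foreign host addresses covered by a net alias; the network and
        broadcast addresses are excluded, so a /27 yields .1 through .30."""
        return [str(h) for h in self.foreign.hosts()]


def fixup_dns_response(aliases: Iterable[Alias],
                       answers: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Apply the alias table to every (name, ip) A record of a DNS reply.
    The first alias whose foreign network contains the answer wins, so a
    host alias must precede a net alias that also covers its address."""
    alias_list = list(aliases)
    fixed = []
    for name, ip in answers:
        for alias in alias_list:
            new_ip = alias.dns_fixup(ip)
            if new_ip != ip:
                ip = new_ip
                break
        fixed.append((name, ip))
    return fixed


if __name__ == "__main__":
    net_alias = Alias("192.168.201.0", "209.165.201.0", "255.255.255.224")
    # Constructed DNS reply: example.com resolves to the overlapping address.
    reply = [("example.com.", "209.165.201.29"), ("ns.example.", "198.51.100.5")]
    print(fixup_dns_response([net_alias], reply))
    print(net_alias.translate_destination("192.168.201.29"))
```

With the net alias from the example, the answer 209.165.201.29 becomes 192.168.201.29 on the way in, and a packet the client then sends to 192.168.201.29 has its destination turned back into 209.165.201.29, which is the SRC/DST sequence the example walks through.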

arp
Change or view the ARP cache, and set the timeout value. (Configuration mode.)

Configure with the command...
  arp if_name ip_address mac_address [alias]
  arp timeout seconds

Remove with the command...
  no arp if_name ip_address
  clear arp
  no arp timeout

Show command options
  show arp [if_name] [ip_address mac_address alias]
  show arp timeout

Show command output
  Displays the entries in the ARP table.
  Displays the current timeout value.

Syntax Description

alias
  Make this entry permanent. Alias entries do not time out and are automatically stored in the configuration when you use the write command to store the configuration.

if_name
  The internal or external interface name specified by the nameif command.

ip_address
  Host IP address for the ARP table entry.

seconds
  Duration that an ARP entry can exist in the ARP table before being cleared.

mac_address
  Hardware MAC address for the ARP table entry; for example, 00e0.1e4e.3d8b.

Usage Guidelines

The arp command adds an entry to the PIX Firewall ARP cache. ARP is a low-level TCP/IP protocol that resolves a node's physical address from its IP address through an ARP request asking the node with a particular IP address to send back its physical address. The presence of entries in the ARP cache indicates that the PIX Firewall has network connectivity. The clear arp command clears the ARP table but not the alias (permanent) entries. Use the no arp command to remove these entries. The show arp command lists the entries in the ARP table.

Note

You can use the sysopt noproxyarp command to disable proxy-arps on an interface. Use the arp command to add an entry for new hosts you add on your network or when you swap an existing host for another. Alternatively, you can wait for the duration specified with the arp timeout command to expire and the ARP table rebuilds itself automatically with the new host information. The no arp timeout command sets the timer to its default value. The show arp timeout command displays the current timeout value.

Defaults

The arp timeout command sets the duration that an ARP entry can stay in the PIX Firewall ARP table before expiring. The timer is known as the ARP persistence timer. The default value is 14,400 seconds (4 hours).

Examples

The following examples illustrate use of the arp and arp timeout commands:
arp inside 192.168.0.42 00e0.1e4e.2a7c
arp outside 192.168.0.43 00e0.1e4e.3d8b alias
show arp
outside 192.168.0.43 00e0.1e4e.3d8b alias
inside 192.168.0.42 00e0.1e4e.2a7c
clear arp inside 192.168.0.42
arp timeout 42
show arp timeout
arp timeout 42 seconds
no arp timeout
show arp timeout
arp timeout 14400 seconds
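The difference between learned entries, alias (permanent) entries, the arp timeout, clear arp and no arp described above is easy to get wrong when auditing a configuration, so here is the behaviour as a small table model. This is an added example, not PIX code: the ArpTable class, its method names and the simple seconds clock passed as now are this example's own, and the entries it loads are the ones from the example above.

```python
"""Model of the PIX ARP cache rules: added example, not PIX code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DEFAULT_ARP_TIMEOUT = 14400  # seconds (4 hours), the documented default


@dataclass
class ArpEntry:
    if_name: str
    ip: str
    mac: str
    alias: bool        # permanent entry: never times out, saved by write
    learned_at: float  # clock value (seconds) when the entry was added


class ArpTable:
    def __init__(self) -> None:
        self.timeout = DEFAULT_ARP_TIMEOUT
        self._entries: Dict[Tuple[str, str], ArpEntry] = {}

    def arp(self, if_name: str, ip: str, mac: str,
            alias: bool = False, now: float = 0.0) -> None:
        """'arp if_name ip_address mac_address [alias]': add or replace an entry."""
        self._entries[(if_name, ip)] = ArpEntry(if_name, ip, mac, alias, now)

    def no_arp(self, if_name: str, ip: str) -> bool:
        """'no arp if_name ip_address': removes the entry, alias or not."""
        return self._entries.pop((if_name, ip), None) is not None

    def clear_arp(self) -> None:
        """'clear arp': drops learned entries but keeps alias entries."""
        self._entries = {k: e for k, e in self._entries.items() if e.alias}

    def arp_timeout(self, seconds: Optional[int]) -> None:
        """'arp timeout seconds'; None models 'no arp timeout' (back to default)."""
        self.timeout = DEFAULT_ARP_TIMEOUT if seconds is None else seconds

    def expire(self, now: float) -> List[str]:
        """Age out learned entries older than the timeout; return removed IPs."""
        removed = []
        for key, e in list(self._entries.items()):
            if not e.alias and now - e.learned_at >= self.timeout:
                removed.append(e.ip)
                del self._entries[key]
        return removed

    def show_arp(self, if_name: Optional[str] = None) -> List[str]:
        """Entries in the 'if_name ip mac [alias]' form printed by show arp."""
        lines = []
        for e in self._entries.values():
            if if_name is None or e.if_name == if_name:
                lines.append(f"{e.if_name} {e.ip} {e.mac}" + (" alias" if e.alias else ""))
        return sorted(lines)

    def show_arp_timeout(self) -> str:
        return f"arp timeout {self.timeout} seconds"

    def write_config(self) -> List[str]:
        """Only alias entries are stored in the configuration by write."""
        return sorted(f"arp {e.if_name} {e.ip} {e.mac} alias"
                      for e in self._entries.values() if e.alias)
```

Note that clear arp leaves the permanent entry for 192.168.0.43 in place and only no arp removes it, which is the point the usage guidelines make.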

auth-prompt
Change the AAA challenge text. (Configuration mode.)

Configure with the command...
  auth-prompt [accept | reject | prompt] string

Remove with the command...
  no auth-prompt [accept | reject | prompt] string
  clear auth-prompt

Show command options
  show auth-prompt

Show command output
  Displays the AAA challenge text.


Syntax Description

accept
  If a user authentication via Telnet is accepted, display the prompt string.

prompt
  The AAA challenge prompt string follows this keyword. This keyword is optional for backward compatibility.

reject
  If a user authentication via Telnet is rejected, display the prompt string.

string
  A string of up to 235 alphanumeric characters or 31 words, limited by whichever maximum is first reached. Special characters should not be used; however, spaces and punctuation characters are permitted. Entering a question mark or pressing the Enter key ends the string. (The question mark appears in the string.)

Usage Guidelines

The auth-prompt command lets you change the AAA challenge text for HTTP, FTP, and Telnet access. This text displays above the username and password prompts that users view when logging in. If you do not use this command, FTP users view FTP authentication, HTTP users view HTTP Authentication, and challenge text does not appear for Telnet access. If the user authentication occurs from Telnet, you can use the accept and reject options to display different authentication prompts if the authentication attempt is accepted or rejected by the authentication server.

Note

Microsoft Internet Explorer only displays up to 37 characters in an authentication prompt. Netscape Navigator displays up to 120 characters, and Telnet and FTP display up to 235 characters in an authentication prompt.

Examples

The following example shows how to set the authentication prompt and how users view the prompt:
auth-prompt XYZ Company Firewall Access

After this string is added to the configuration, users view the following:
Example.com Company Firewall Access
User Name:
Password:

The prompt keyword can be included or omitted. For example:
auth-prompt prompt Hello There!

This command statement is the same as the following:
auth-prompt Hello There!


auto-update
Specifies how often to poll an Auto Update Server. (Configuration mode.)

Configure with the command...
  auto-update device-id hardware-serial | hostname | ipaddress [if_name] | mac-address [if_name] | string text
  auto-update poll-period poll_period [retry_count [retry_period]]
  auto-update server url [verify_certificate]
  auto-update timeout period

Remove with the command...
  no auto-update device-id hardware-serial | hostname | ipaddress [if_name] | mac-address [if_name] | string text
  no auto-update poll-period poll_period [retry_count [retry_period]]
  no auto-update server url [verify_certificate]
  no auto-update timeout period
  clear auto-update

Show command options
  show auto-update

Show command output
  Displays the Auto Update Server, poll time, and timeout period.

Syntax Description

device-id
  The device ID of the PIX Firewall.

hardware-serial
  Specifies to use the hardware serial number of the PIX Firewall to uniquely identify the firewall.

hostname
  Specifies to use the host name of the PIX Firewall to uniquely identify the firewall.

if_name
  Specifies the interface to use (with its corresponding IP or MAC address) to uniquely identify the PIX Firewall.

ipaddress
  Specifies to use the IP address of the specified PIX Firewall interface to uniquely identify the firewall.

mac-address
  Specifies to use the MAC address of the specified PIX Firewall interface to uniquely identify the firewall.

period
  Specifies how long to attempt to contact the Auto Update Server, after the last successful contact, before stopping all traffic passing through the PIX Firewall.

poll_period
  Specifies how often, in minutes, to poll an Auto Update Server. The default is 720 minutes (12 hours).

retry_count
  Specifies how many times to try reconnecting to the Auto Update Server if the first attempt fails. The default is 0.

retry_period
  Specifies how long to wait, in minutes, between connection attempts. The default is 5 minutes.

text
  Specifies the text string to uniquely identify the PIX Firewall to the Auto Update Server.

url
  Specifies the location of the Auto Update Server using the following syntax: http[s]:[[user:password@] location [:port ]] / pathname
  See the copy command for variable descriptions.

verify_certificate
  Specifies to verify the certificate returned by the Auto Update Server.

Usage Guidelines

The clear auto-update command removes the entire auto-update configuration. The auto-update poll-period command specifies how often to poll the Auto Update Server for configuration or software image updates. The no auto-update poll-period command resets the poll period to the default. The auto-update server command specifies the URL of the Auto Update Server. Only one server can be configured. The no auto-update server command disables polling for auto-update updates (by terminating the auto-update daemon). The auto-update timeout command is used to stop all new connections to the PIX Firewall if the Auto Update Server has not been contacted for period minutes. This can be used to ensure that the PIX Firewall has the most recent image and configuration.

Examples

The show auto-update command displays the Auto Update Server, poll time, and timeout period. The following is sample output from the command:
Server: https:pix:********@172.23.58.115:1742/management.cgi?1276 (verify)
Poll period: 720, retry count: 2, retry period: 5
Timeout: none

B Commands
There are no commands that start with the letter B in PIX Firewall software version 6.2.


CHAPTER

C Commands
ca
Configure the PIX Firewall to interoperate with a certification authority (CA). (Configuration mode.)

Configure with the command... / Remove with the command...
  ca authenticate ca_nickname [fingerprint]
    Remove: N/A
  ca configure ca_nickname ca | ra retry_period retry_count [crloptional]
    Remove: no ca configure ca_nickname
  ca crl request ca_nickname
    Remove: no ca crl
  ca enroll ca_nickname challenge_password [serial] [ipaddress]
    Remove: no ca enroll ca_nickname
  ca generate rsa {key | specialkey} key_modulus_size
    Remove: N/A
  ca identity ca_nickname ca_ipaddress[:ca_script_location] [ldap_ipaddress]
    Remove: no ca identity ca_nickname
  ca save all
    Remove: no ca save all
  N/A
    Remove: ca zeroize rsa [keypair_name]

Show command options / Show command output
  show ca certificate
    Displays the certification authority's (CA) certificate.
  show ca crl
    Displays whether there is a certificate revocation list (CRL) in the PIX Firewall RAM, and where and when the CRL downloaded.
  show ca configure
    Displays the current communication parameter settings stored in the PIX Firewall RAM.
  show ca identity
    Displays the current certification authority (CA) settings stored in RAM.
  show ca mypubkey rsa
    Displays the PIX Firewall's public keys in a DER/BER encoded PKCS#1 representation.


Syntax Description

ca_ipaddress
  The CA's IP address.

ca_nickname
  The name of the certification authority (CA). Enter any string that you desire. (If you previously declared the CA and just want to update its characteristics, specify the name you previously created.) The CA might require a particular name, such as its domain name. Currently, the PIX Firewall supports only one CA at a time.

ca | ra
  Indicates whether to contact the CA or registration authority (RA) when using the ca configure command. Some CA systems provide an RA, which the PIX Firewall contacts instead of the CA.

:ca_script_location
  The default location and script on the CA server is /cgi-bin/pkiclient.exe. If the CA administrator has not put the CGI script in this location, provide the location and the name of the script in the ca identity command. A PIX Firewall uses a subset of the HTTP protocol to contact the CA, and so it must identify a particular cgi-bin script to handle CA requests.

challenge_password
  A required password that gives the CA administrator some authentication when a user calls to ask for a certificate to be revoked. It can be up to 80 characters in length.

crloptional
  Allows other peers' certificates to be accepted by your PIX Firewall even if the appropriate certificate revocation list (CRL) is not accessible to your PIX Firewall. The default is without the crloptional option.

fingerprint
  A key consisting of alphanumeric characters the PIX Firewall uses to authenticate the CA's certificate.

ipaddress
  Return the PIX Firewall unit's IP address in the certificate.

key
  Specifies that one general-purpose RSA key pair will be generated.

key_modulus_size
  The size of the key modulus, which is between 512 and 2048 bits. Choosing a size greater than 1024 bits may cause key generation to take a few minutes.

ldap_ipaddress
  The IP address of the Lightweight Directory Access Protocol (LDAP) server. By default, querying of a certificate or a CRL is done via Cisco's PKI protocol. If the CA supports LDAP, query functions may also use LDAP.

retry_count
  Specify how many times the PIX Firewall will resend a certificate request when it does not receive a certificate from the CA from the previous request. Specify from 1 to 100. The default is 0, which indicates that there is no limit to the number of times the PIX Firewall should contact the CA to obtain a pending certificate.

retry_period
  Specify the number of minutes the PIX Firewall waits before resending a certificate request to the CA when it does not receive a response from the CA to its previous request. Specify from 1 to 60 minutes. By default, the PIX Firewall retries every 1 minute.

serial
  Return the PIX Firewall unit's serial number in the certificate.

specialkey
  This specifies that two special-purpose RSA key pairs will be generated instead of one general-purpose key.


Usage Guidelines

The sections that follow describe each ca command. The PIX Firewall currently supports the CA servers from VeriSign, Entrust, Baltimore Technologies, and Microsoft. See Chapter 4, "Basic VPN Configuration" in the Cisco PIX Firewall and VPN Configuration Guide for a list of specific CA server versions the PIX Firewall supports. The lifetime of a certificate and the certificate revocation list (CRL) is checked in UTC, which is the same as GMT. Set the PIX Firewall clock to UTC to ensure that CRL checking works correctly. Use the clock command to set the PIX Firewall clock. The PIX Firewall authenticates the entity certificate (the device certificate). The PIX Firewall assumes the entity certificate is issued by the same trusted point or root (the CA server). As a result, they should have the same root certificate (issuer certificate). Therefore, the PIX Firewall assumes the entity exchanges the entity certificate only, and cannot process a certificate chain that includes both the entity and root certificates.
ca authenticate

The ca authenticate command allows the PIX Firewall to authenticate its certification authority (CA) by obtaining the CA's self-signed certificate, which contains the CA's public key. To authenticate a peer's certificate(s), a PIX Firewall must obtain the CA certificate containing the CA public key. Because the CA certificate is a self-signed certificate, the key should be authenticated manually by contacting the CA administrator. You are given the choice of authenticating the public key in that certificate by including within the ca authenticate command the key's fingerprint, which is retrieved in an out-of-band process. The PIX Firewall will discard the received CA certificate and generate an error message if the fingerprint you specified is different from the received one. You can also simply compare the two fingerprints without having to enter the key within the command.

If you are using RA mode (within the ca configure command), when you issue the ca authenticate command, the RA signing and encryption certificates will be returned from the CA, as well as the CA certificate.

The ca authenticate command is not saved to the PIX Firewall configuration. However, the public keys embedded in the received CA (and RA) certificates are saved in the configuration as part of the RSA public key record (called the RSA public key chain). To save the public keys permanently to Flash memory, use the ca save all command. To view the CA's certificate, use the show ca certificate command.

Note

If the CA does not respond by a timeout period after this command is issued, the terminal control will be returned so it will not be tied up. If this happens, you must re-enter the command.

Examples

In the following example, a request for the CA's certificate was sent to the CA. The fingerprint was not included in the command. The CA sends its certificate and the PIX Firewall prompts for verification of the CA's certificate by checking the CA certificate's fingerprint. Using the fingerprint associated with the CA's certificate retrieved in some out-of-band process from a CA administrator, compare the two fingerprints. If both fingerprints match, then the certificate is considered valid.
ca authenticate myca
Certificate has the following attributes:
Fingerprint: 0123 4567 89AB CDEF 0123


The following example shows the error message. This time, the fingerprint is included in the command. The two fingerprints do not match, and therefore the certificate is not valid.
ca authenticate myca 0123456789ABCDEF0123
Certificate has the following attributes:
Fingerprint: 0123 4567 89AB CDEF 5432
%Error in verifying the received fingerprint.
Type help or ? for a list of available commands.
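The check behind the two ca authenticate examples is an out-of-band fingerprint comparison: the firewall hashes the self-signed CA certificate it received and either prints the fingerprint for the operator to compare, or compares it with the one typed on the command line and discards the certificate on mismatch. The following added example (this page's editor's code, not PIX code) implements that decision in Python. The page does not name the hash algorithm, so the algorithm parameter is an assumption; the certificate bytes are a constructed stand-in for the DER certificate, and all function names are this example's own. The normalization step accepts both the spaced form the prompt prints (0123 4567 89AB CDEF 0123) and the unspaced form typed on the command line.

```python
"""Out-of-band CA fingerprint check modelled on ca authenticate: added example."""
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed placeholder for the DER bytes received from the CA (not a real
# certificate; any byte string exercises the same comparison logic).
CONSTRUCTED_CA_CERT = b"constructed stand-in for the CA self-signed certificate"

HEX_DIGITS = set("0123456789ABCDEF")


def normalize_fingerprint(fp: str) -> str:
    """Accept '0123 4567 89AB CDEF 0123', '0123456789abcdef0123' or a
    colon-separated form; return upper-case hex with no separators."""
    cleaned = "".join(fp.split()).replace(":", "").upper()
    if not cleaned or any(c not in HEX_DIGITS for c in cleaned):
        raise ValueError("fingerprint is not hexadecimal")
    return cleaned


def display_fingerprint(hexfp: str) -> str:
    """Group the hex digits in blocks of four, as the PIX prompt prints them."""
    hexfp = normalize_fingerprint(hexfp)
    return " ".join(hexfp[i:i + 4] for i in range(0, len(hexfp), 4))


def certificate_fingerprint(der: bytes, algorithm: str = "sha256") -> str:
    """Fingerprint of the received certificate bytes (hash algorithm assumed;
    the page does not say which one the PIX Firewall uses)."""
    return hashlib.new(algorithm, der).hexdigest().upper()


def ca_authenticate(received_der: bytes, expected: Optional[str] = None,
                    algorithm: str = "sha256") -> Tuple[Optional[bool], str]:
    """Return (accepted, shown_fingerprint).

    accepted is None when no fingerprint was given on the command line: the
    operator must compare shown_fingerprint with the value obtained from the
    CA administrator. With a fingerprint given, False means the received
    certificate is discarded, as the %Error example above shows."""
    actual = certificate_fingerprint(received_der, algorithm)
    shown = display_fingerprint(actual)
    if expected is None:
        return None, shown
    wanted = normalize_fingerprint(expected)
    # Constant-time comparison; strings of different length compare unequal.
    accepted = hmac.compare_digest(wanted.encode(), actual.encode())
    return accepted, shown
```

Rejecting on any mismatch, rather than on a prefix match or a case-sensitive string compare, is what makes the out-of-band fingerprint worth anything: the fingerprint is the only thing that ties the self-signed certificate to the administrator you spoke to.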

ca configure

The ca configure command is used to specify the communication parameters between the PIX Firewall and the CA. Use the no ca configure command to reset each of the communication parameters to the default value. If you want to show the current settings stored in RAM, use the show ca configure command. The following example indicates that myca is the name of the CA and the CA will be contacted rather than the RA. It also indicates that the PIX Firewall will wait 5 minutes before sending another certificate request, if it does not receive a response, and will resend a total of 15 times before dropping its request. If the CRL is not accessible, crloptional tells the PIX Firewall to accept other peers' certificates.
ca configure myca ca 5 15 crloptional

ca crl request

The ca crl request command allows the PIX Firewall to obtain an updated CRL from the CA at any time. The no ca crl command deletes the CRL within the PIX Firewall. A CRL lists all the network's devices' certificates that have been revoked. The PIX Firewall will not accept revoked certificates; therefore, any peer with a revoked certificate cannot exchange IPSec traffic with your PIX Firewall. The first time your PIX Firewall receives a certificate from a peer, it will download a CRL from the CA. Your PIX Firewall then checks the CRL to make sure the peer's certificate has not been revoked. (If the certificate appears on the CRL, it will not accept the certificate and will not authenticate the peer.) A CRL can be reused with subsequent certificates until the CRL expires. When the CRL does expire, the PIX Firewall automatically updates it by downloading a new CRL and replaces the expired CRL with the new CRL. If your PIX Firewall has a CRL which has not yet expired, but you suspect that the CRL's contents are out of date, use the ca crl request command to request that the latest CRL be immediately downloaded to replace the old CRL. The ca crl request command is not saved with the PIX Firewall configuration between reloads. The following example indicates the PIX Firewall will obtain an updated CRL from the CA with the name myca:
ca crl request myca

ca enroll

The ca enroll command is used to send an enrollment request to the CA requesting a certificate for all of your PIX Firewall unit's key pairs. This is also known as enrolling with the CA. (Technically, enrolling and obtaining certificates are two separate events, but they both occur when this command is issued.) Your PIX Firewall needs a signed certificate from the CA for each of its RSA key pairs; if you previously generated general purpose keys, the ca enroll command will obtain one certificate corresponding to the one general purpose RSA key pair. If you previously generated special usage keys, this command will obtain two certificates corresponding to each of the special usage RSA key pairs.


If you already have a certificate for your keys, you will be unable to complete this command; instead, you will be prompted to remove the existing certificate first. The ca enroll command is not saved with the PIX Firewall configuration between reloads. To verify if the enrollment process succeeded and to display the PIX Firewall units certificate, use the show ca certificate command. If you want to cancel the current enrollment request, use the no ca enroll command. The required challenge password is necessary in the event that you need to revoke your PIX Firewall unit's certificate(s). When you ask the CA administrator to revoke your certificate, you must supply this challenge password as a protection against fraudulent or mistaken revocation requests.

Note

This password is not stored anywhere, so you must remember this password. If you lose the password, the CA administrator may still be able to revoke the PIX Firewall's certificate, but will require further manual authentication of the PIX Firewall administrator identity. The PIX Firewall unit's serial number is optional. If you provide the serial option, the serial number will be included in the obtained certificate. The serial number is not used by IPSec or IKE but may be used by the CA to either authenticate certificates or to later associate a certificate with a particular device. Ask your CA administrator if serial numbers should be included in the certificate. If you are in doubt, specify the serial option. The PIX Firewall unit's IP address is optional. If you provide the ipaddress option, the IP address will be included in the obtained certificate. Normally, you would not include the ipaddress option because the IP address binds the certificate more tightly to a specific entity. Also, if the PIX Firewall is moved, you would need to issue a new certificate.

Note

When configuring ISAKMP for certificate-based authentication, it is important to match the ISAKMP identity type with the certificate type. The ca enroll command used to acquire certificates will, by default, get a certificate with the identity based on host name. The default identity type for the isakmp identity command is based on address instead of host name. You can reconcile this disparity of identity types by using the isakmp identity address command. See the isakmp command for information about the isakmp identity address command.

The following example indicates that the PIX Firewall will send an enrollment request to the CA myca.example.com. The password 1234567890 is specified, as well as a request for the PIX Firewall unit's serial number to be embedded in the certificate.
ca enroll myca.example.com 1234567890 serial

ca generate rsa

The ca generate rsa command generates RSA key pairs for your PIX Firewall. RSA keys are generated in pairs: one public RSA key and one private RSA key. If your PIX Firewall already has RSA keys when you issue this command, you will be warned and prompted to replace the existing keys with new keys.

Note

Before issuing this command, make sure your PIX Firewall has a host name and domain name configured (using the hostname and domain-name commands). You will be unable to complete the ca generate rsa command without a host name and domain name.


The ca generate rsa command is not saved in the PIX Firewall configuration. However, the keys generated by this command are saved in the persistent data file in Flash memory, which is never displayed to the user or backed up to another device. In this example, one general-purpose RSA key pair is to be generated. The selected size of the key modulus is 2048.
ca generate rsa key 2048

Note

You cannot generate both special usage and general purpose keys; you can only generate one or the other.

ca identity

The ca identity command declares the CA that your PIX Firewall will use. Currently, PIX Firewall supports one CA at one time. The no ca identity command removes the ca identity command from the configuration and deletes all certificates issued by the specified CA and CRLs. The show ca identity command shows the current settings stored in RAM.

The PIX Firewall uses a subset of the HTTP protocol to contact the CA, and so must identify a particular cgi-bin script to handle CA requests. The default location and script on the CA server is /cgi-bin/pkiclient.exe. If the CA administrator has not put the CGI script in the previously listed location, include the location and the name of the script within the ca identity command statement. By default, querying of a certificate or a CRL is done via Cisco's PKI protocol. If the CA supports Lightweight Directory Access Protocol (LDAP), query functions may use LDAP as well. The IP address of the LDAP server must be included within the ca identity command statement.

The following example indicates that the CA myca.example.com is declared as the PIX Firewall unit's supported CA. The CA's IP address of 205.139.94.231 is provided.
ca identity myca.example.com 205.139.94.231

ca save all

The ca save all command lets you save the PIX Firewall unit's RSA key pairs, the CA, RA and PIX Firewall unit's certificates, and the CA's CRLs in the persistent data file in Flash memory between reloads. The no ca save command removes the saved data from the PIX Firewall unit's Flash memory. The ca save command itself is not saved with the PIX Firewall configuration between reloads. To view the current status of requested certificates, and relevant information of received certificates, such as CA and RA certificates, use the show ca certificate command. Because the certificates contain no sensitive data, any user can issue this show command.

ca zeroize rsa

The ca zeroize rsa command deletes all RSA keys that were previously generated by your PIX Firewall. If you issue this command, you must also perform two additional tasks. Perform these tasks in the following order:

1. Use the no ca identity command to manually remove the PIX Firewall unit's certificates from the configuration. This will delete all the certificates issued by the CA.

2. Ask the CA administrator to revoke your PIX Firewall unit's certificates at the CA. Supply the challenge password you created when you originally obtained the PIX Firewall unit's certificates using the crypto ca enroll command.

To delete a specific RSA key pair, specify the name of the RSA key you want to delete using the option keypair_name within the ca zeroize rsa command statement.


Note

You may have more than one pair of RSA keys due to SSH. See the ssh command in Chapter 8, S Commands for more information.

show ca certificate

The show ca certificate command displays the CA server's subject name, CRL distribution point (where the PIX Firewall will obtain the CRL), and lifetime of both the CA server's root certificate and the PIX Firewall's certificates. The following is sample output from the show ca certificate command. The CA certificate stems from a Microsoft CA server previously generated for this PIX Firewall.
show ca certificate RA Signature Certificate Status:Available Certificate Serial Number:6106e08a000000000005 Key Usage:Signature CN = SCEP OU = VSEC O = Cisco L = San Jose ST = CA C = US EA =<16> username@example.com Validity Date: start date:17:17:09 Jul 11 2000 end date:17:27:09 Jul 11 2001

Certificate Status:Available Certificate Serial Number:1f80655400000000000a Key Usage:General Purpose Subject Name Name:pixfirewall.example.com Validity Date: start date:20:06:23 Jul 17 2000 end date:20:16:23 Jul 17 2001

CA Certificate Status:Available Certificate Serial Number:25b81813efe58fb34726eec44ae82365 Key Usage:Signature CN = MSCA OU = Cisco O = VSEC L = San Jose ST = CA C = US EA =<16> username@example.com Validity Date: start date:17:07:34 Jul 11 2000 RA KeyEncipher Certificate Status:Available Certificate Serial Number:6106e24c000000000006 Key Usage:Encryption CN = SCEP


    OU = VSEC
    O = Cisco
    L = San Jose
    ST = CA
    C = US
    EA =<16> username@example.com
  Validity Date:
    start date:17:17:10 Jul 11 2000
    end date:17:27:10 Jul 11 01

Table 4-1 describes strings within the show ca certificate command sample output.

Table 4-1 show ca certificate command Output Strings

Sample Output String | Description
CN | common name
C | country
EA | E-mail address
L | locality
ST | state or province
O | organization name
OU | organizational unit name
DC | domain component

show ca crl

The show ca crl command lets you know whether there is a CRL in RAM, and where and when the CRL is downloaded. The following is sample output from the show ca crl command. See Table 4-1 for descriptions of the strings within the following sample output.

show ca crl
CRL:
  CRL Issuer Name:
    CN = MSCA, OU = Cisco, O = VSEC, L = San Jose, ST = CA, C = US, EA =<16> username@example.com
  LastUpdate:17:07:40 Jul 11 2000
  NextUpdate:05:27:40 Jul 19 2000

show ca mypubkey rsa

The show ca mypubkey rsa command displays the PIX Firewall unit's public keys in a DER/BER encoded PKCS#1 representation.


The following is sample output from the show ca mypubkey rsa command. Special usage RSA keys were previously generated for this PIX Firewall using the ca generate rsa command.

show ca mypubkey rsa
% Key pair was generated at: 15:34:55 Aug 05 1999
Key name: pixfirewall.example.com
 Usage: Signature Key
 Key Data:
  305c300d 06092a86 4886f70d 01010105 00034b00 30480241 00c31f4a ad32f60d
  6e7ed9a2 32883ca9 319a4b30 e7470888 87732e83 c909fb17 fb5cae70 3de738cf
  6e2fd12c 5b3ffa98 8c5adc59 1ec84d78 90bdb53f 2218cfe7 3f020301 0001
% Key pair was generated at: 15:34:55 Aug 05 1999
Key name: pixfirewall.example.com
 Usage: Encryption Key
 Key Data:
  305c300d 06092a86 4886f70d 01010105 00034b00 30480241 00d8a6ac cc64e57a
  48dfb2c1 234661c7 76380bd5 72ae62f7 1706bdab 0eedd0b5 2e5feef0 76319d98
  908f50b4 85a291de 247b6711 59b30026 453bfa3c 45234991 5d020301 0001

ca generate rsa key

The ca generate rsa command generates RSA key pairs for your PIX Firewall. RSA keys are generated in pairs: one public RSA key and one private RSA key. (Configuration Mode.)

Configure with the command...    ca generate rsa key modulus
Remove with the command...       N/A

Syntax Description

ca generate rsa key
  Generates an RSA key for the PIX Firewall.
modulus
  Defines the modulus used to generate the RSA key. This is a size measured in bits. You can specify a modulus of 512, 768, 1024, or 2048.

Note

Before issuing this command, make sure your PIX Firewall host name and domain name have been configured (using the hostname and domain-name commands). If a domain name is not configured, the PIX Firewall uses a default domain of ciscopix.com.

Defaults

RSA key modulus default (during PDM setup) is 768. The default domain is ciscopix.com.

Usage Guidelines

If your PIX Firewall already has RSA keys when you issue this command, you are warned and prompted to replace the existing keys with new keys.

Note

The larger the key modulus size you specify, the longer it takes to generate an RSA key pair. We recommend a default value of 768.


PDM uses the Secure Socket Layer (SSL) communications protocol to communicate with the PIX Firewall. SSL uses the private key generated with the ca generate rsa command. For a certificate, SSL uses the key obtained from a certification authority (CA). If that does not exist, it uses the PIX Firewall self-signed certificate created when the RSA key pair was generated. If there is no RSA key pair when an SSL session is initiated, the PIX Firewall creates a default RSA key pair using a key modulus of 768. The ca generate rsa command is not saved in the PIX Firewall configuration. However, the keys generated by this command are saved in a persistent data file in Flash memory, which can be viewed with the show ca my rsa key command.

Examples

The following example demonstrates how one general purpose RSA key pair is generated. The selected size of the key modulus is 1024.

router(config) ca generate rsa key 1024
Key name:pixfirewall.cisco.com
 Usage:General Purpose Key
 Key Data:
  30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00c8ed4c
  9f5e0b52 aea931df 04db2872 5c4c0afd 9bd0920b 5e30de82 63d834ac f2e1db1f
  1047481a 17be5a01 851835f6 18af8e22 45304d53 12584b9c 2f48fad5 31e1be5a
  bb2ddc46 2841b63b f92cb3f9 8de7cb01 d7ea4057 7bb44b4c a64a9cf0 efaacd42
  e291e4ea 67efbf6c 90348b75 320d7fd3 c573037a ddb2dde8 00df782c 39020301
  0001
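Both the show ca mypubkey rsa output and the ca generate rsa key example above print each public key as a hex DER dump. As an added example that is not Cisco's code, the following Python script decodes those dumps and reports each modulus size, so a reviewer can check the key pairs present on a unit against a chosen minimum. The sample data is the page's own key material with the printed hex rows re-joined; the regular expression for the output layout and the keys_below helper are this example's own assumptions.

```python
"""Decode the RSA public keys that the PIX Firewall prints as hex DER.

Added example (not Cisco's code): it parses the Key Data blocks printed by
show ca mypubkey rsa and by ca generate rsa key, decodes the
SubjectPublicKeyInfo structure and reports the modulus size.
"""
import re
from dataclasses import dataclass

# Sample output from this page's show ca mypubkey rsa example; the hex rows
# are re-joined from the two-column layout of the printed manual.
MYPUBKEY_OUTPUT = """\
% Key pair was generated at: 15:34:55 Aug 05 1999
Key name: pixfirewall.example.com
 Usage: Signature Key
 Key Data:
  305c300d 06092a86 4886f70d 01010105 00034b00 30480241 00c31f4a ad32f60d
  6e7ed9a2 32883ca9 319a4b30 e7470888 87732e83 c909fb17 fb5cae70 3de738cf
  6e2fd12c 5b3ffa98 8c5adc59 1ec84d78 90bdb53f 2218cfe7 3f020301 0001
% Key pair was generated at: 15:34:55 Aug 05 1999
Key name: pixfirewall.example.com
 Usage: Encryption Key
 Key Data:
  305c300d 06092a86 4886f70d 01010105 00034b00 30480241 00d8a6ac cc64e57a
  48dfb2c1 234661c7 76380bd5 72ae62f7 1706bdab 0eedd0b5 2e5feef0 76319d98
  908f50b4 85a291de 247b6711 59b30026 453bfa3c 45234991 5d020301 0001
"""

# Sample output from this page's ca generate rsa key 1024 example.
GENERATE_OUTPUT = """\
Key name:pixfirewall.cisco.com
 Usage:General Purpose Key
 Key Data:
  30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00c8ed4c
  9f5e0b52 aea931df 04db2872 5c4c0afd 9bd0920b 5e30de82 63d834ac f2e1db1f
  1047481a 17be5a01 851835f6 18af8e22 45304d53 12584b9c 2f48fad5 31e1be5a
  bb2ddc46 2841b63b f92cb3f9 8de7cb01 d7ea4057 7bb44b4c a64a9cf0 efaacd42
  e291e4ea 67efbf6c 90348b75 320d7fd3 c573037a ddb2dde8 00df782c 39020301
  0001
"""

# Assumed layout of one key block in the output (name, usage, hex rows).
KEY_BLOCK = re.compile(
    r"Key name:\s*(?P<name>\S+)\s+Usage:\s*(?P<usage>.+?) Key\s+Key Data:\s*"
    r"(?P<data>(?:[0-9a-f]{2,8}\s*)+)",
    re.S,
)
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


@dataclass
class RsaKeyInfo:
    name: str
    usage: str
    modulus: int
    exponent: int

    @property
    def bits(self) -> int:
        return self.modulus.bit_length()


def _tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, next position)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long-form length (1024-bit key)
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_rsa_spki(hex_dump: str):
    """Return (modulus, exponent) from a hex-encoded SubjectPublicKeyInfo."""
    der = bytes.fromhex("".join(hex_dump.split()))
    tag, spki, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    _, alg, pos = _tlv(spki, 0)                # AlgorithmIdentifier
    _, oid, _ = _tlv(alg, 0)
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("algorithm is not rsaEncryption")
    tag, bitstr, _ = _tlv(spki, pos)           # subjectPublicKey BIT STRING
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("unexpected subjectPublicKey encoding")
    _, rsa_pub, _ = _tlv(bitstr, 1)            # RSAPublicKey ::= SEQUENCE {n, e}
    _, n_bytes, pos = _tlv(rsa_pub, 0)
    _, e_bytes, _ = _tlv(rsa_pub, pos)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def parse_key_output(text: str) -> list:
    """Decode every Key Data block in show ca mypubkey rsa / ca generate rsa output."""
    keys = []
    for m in KEY_BLOCK.finditer(text):
        n, e = decode_rsa_spki(m.group("data"))
        keys.append(RsaKeyInfo(m.group("name"), m.group("usage"), n, e))
    return keys


def keys_below(text: str, minimum_bits: int) -> list:
    """(usage, bits) for each key pair whose modulus is smaller than minimum_bits."""
    return [(k.usage, k.bits) for k in parse_key_output(text) if k.bits < minimum_bits]


if __name__ == "__main__":
    for k in parse_key_output(MYPUBKEY_OUTPUT + GENERATE_OUTPUT):
        print(f"{k.name} ({k.usage}): {k.bits}-bit modulus, e={k.exponent}")
```

Paste the output of show ca mypubkey rsa into a file and pass its text to keys_below with the minimum your policy requires; the two special-usage keys on this page decode as 512-bit moduli and the generated general-purpose key as 1024 bits, all with public exponent 65537.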

capture

Enables packet capture capabilities for packet sniffing and network fault isolation. (Configuration mode.)

Configure with the command...    capture capture_name [access-list acl_id] [buffer bytes] [ethernet-type type] [interface name] [packet-length bytes]
Remove with the command...       no capture capture_name [access-list] [interface name]
                                 clear capture capture_name

Show command options    show capture [capture_name] [access-list acl_id] [detail] [dump]

Show command output     Displays the capture configuration when no options are specified. If the capture_name is specified, then it displays the capture buffer contents for that capture.

Syntax Description

access-list
  Selects packets based on IP or higher fields. By default, all IP packets are matched.
acl_id
  The access list ID.
buffer
  Defines the buffer size used to store the packet. The default size is 512KB. Once the buffer is full, packet capture stops.
bytes
  The number of bytes (b) to allocate.


capture_name
  A name to uniquely identify the packet capture.
detail
  Shows additional protocol information for each packet.
dump
  Shows a hexadecimal dump of the packet transported over the data link transport. (However, the MAC information is not shown in the hex dump.)
ethernet-type
  Selects packets based on the Ethernet type. An exception is the 802.1Q or VLAN type. The 802.1Q tag is automatically skipped and the inner Ethernet type is used for matching. By default, all Ethernet types are accepted.
interface
  The interface for packet capture.
name
  The name of the interface on which to use packet capture.
packet-length
  Sets the maximum number of bytes of each packet to store in the capture buffer. By default, the maximum is 68 bytes.
type
  An Ethernet type to exclude from capture. The default is 0, so you can restore the default at any time by setting type to 0.

Usage Guidelines

To enable packet capturing, attach the capture to an interface with the interface option. Multiple interface statements attach the capture to multiple interfaces.

If the buffer contents are copied to a TFTP server in ASCII format, then only the headers can be seen; the details and hex dump of the packets cannot be seen. To see the details and hex dump, transfer the buffer in PCAP format and then read it with TCPDUMP or Ethereal using the options that show the detail and hex dump of the packets.

The ethernet-type and access-list options select the packets to store in the buffer. A packet must pass both the Ethernet and access list filters before the packet is stored in the capture buffer.

Enter the no capture command with either the access-list or interface option unless you want to clear the capture itself. Entering no capture without options deletes the capture. If the access-list option is specified, the access list is removed from the capture and the capture is preserved. If the interface option is specified, the capture is detached from the specified interface and the capture is preserved.

To clear the capture buffer, use the clear capture capture_name command. The short form of clear capture is not supported, to prevent accidental destruction of all packet captures.

Note

The capture command is not saved to the configuration, and the capture command is not replicated to the standby unit during failover.

Use the copy capture: capture_name tftp://location/path [pcap] command to copy capture information to a remote TFTP server. Use the https://pix-ip-address/capture/capture_name[/pcap] URL to view the packet capture information with a web browser. If the pcap option is specified, then a libpcap-format file is downloaded to your web browser and can be saved using your web browser. (A libpcap file can be viewed with Tcpdump or Ethereal.)
Output Formats

The decoded output of the packets depends on the protocol of the packet. In Table 4-2, the bracketed output is displayed when the detail option is specified.


Table 4-2 Packet Capture Output Formats

Packet Type | Capture Output Format
802.1Q | HH:MM:SS.ms [ether-hdr] VLAN-info encap-ether-packet
ARP | HH:MM:SS.ms [ether-hdr] arp-type arp-info
IP/ICMP | HH:MM:SS.ms [ether-hdr] ip-source > ip-destination: icmp: icmp-type icmp-code [checksum-failure]
IP/UDP | HH:MM:SS.ms [ether-hdr] src-addr.src-port dest-addr.dst-port: [checksum-info] udp payload-len
IP/TCP | HH:MM:SS.ms [ether-hdr] src-addr.src-port dest-addr.dst-port: tcp-flags [header-check] [checksum-info] sequence-number ack-number tcp-window urgent-info tcp-options
IP/Other | HH:MM:SS.ms [ether-hdr] src-addr dest-addr: ip-protocol ip-length
Other | HH:MM:SS.ms ether-hdr: hex-dump

Examples

On a web browser, the capture contents for a capture named mycapture can be viewed at the following location:

https://171.69.38.95/capture/mycapture/pcap

To download a libpcap file (used in web browsers such as Internet Explorer or Netscape Navigator) to a local machine, enter the following:

https://171.69.38.95/capture/http/pcap

In the following example, the traffic is captured from an outside host at 171.71.69.234 to an inside HTTP server.

access-list http permit tcp host 10.120.56.15 eq http host 171.71.69.234
access-list http permit tcp host 171.71.69.234 host 10.120.56.15 eq http
capture http access-list http packet-length 74 interface inside

To capture ARP packets, enter the following:


pixfirewall(config)# capture arp ethernet-type arp interface outside

To display the packets captured by an ARP capture, enter the following:


pixfirewall(config)# show capture arp
2 packets captured
19:12:23.478429 arp who-has 171.69.38.89 tell 171.69.38.10
19:12:26.784294 arp who-has 171.69.38.89 tell 171.69.38.10
2 packets shown

To capture PPPoE Discovery packets on Multiple Interfaces, enter the following:


pixfirewall(config)# capture pppoed ethernet-type pppoed interface outside
pixfirewall(config)# capture pppoed interface inside

The following stores a PPPoED trace to a file named pppoed-dump on a TFTP server at 192.150.49.10. (Some TFTP servers require that the file exists and is world writable, so check your TFTP server for the appropriate permissions and file first.)

pixfirewall(config)# copy capture:pppoed tftp://192.150.49.10/pppoed-dump


Writing to file '/tftpboot/pppoed-dump' at 192.150.49.10 on outside

To display the capture configuration, use the show capture command without specifying any options as follows:
pixfirewall(config)# show capture
capture arp ethernet-type arp interface outside
capture http access-list http packet-length 74 interface inside
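The ARP lines printed by show capture arp above follow the ARP row of Table 4-2 (without the detail option's ether-hdr). As an added example that is not part of the Cisco reference, the following Python script parses such lines and summarises who-has requests per sender, which is a quick way to review a capture for a host asking after many addresses on a segment. The first two sample lines are the page's own output; the remaining lines, the threshold and the window are constructed assumptions.

```python
"""Summarise ARP who-has requests from PIX show capture output.

Added example (not Cisco's code). Lines are expected in the Table 4-2 ARP
format as printed without the detail option: HH:MM:SS.ms arp who-has X tell Y.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# The first two lines are the page's own show capture arp sample; the rest
# are constructed: one host asking for twenty different addresses in a minute.
PAGE_LINES = [
    "19:12:23.478429 arp who-has 171.69.38.89 tell 171.69.38.10",
    "19:12:26.784294 arp who-has 171.69.38.89 tell 171.69.38.10",
]
SWEEP_LINES = [
    f"19:13:{i:02d}.000000 arp who-has 192.0.2.{i} tell 192.0.2.200"
    for i in range(1, 21)
]
SAMPLE_OUTPUT = "\n".join(
    ["show capture arp", "22 packets captured", *PAGE_LINES, *SWEEP_LINES, "22 packets shown"]
)

ARP_WHO_HAS = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) arp who-has (?P<target>[\d.]+) tell (?P<sender>[\d.]+)$"
)


@dataclass
class ArpRequest:
    seconds: float       # time of day in seconds, from the HH:MM:SS.ms stamp
    target: str
    sender: str


def parse_arp_requests(text: str) -> list:
    """Extract who-has requests; other lines (packet counts, replies) are skipped."""
    requests = []
    for line in text.splitlines():
        m = ARP_WHO_HAS.match(line.strip())
        if not m:
            continue
        h, mi, s = m.group("ts").split(":")
        seconds = int(h) * 3600 + int(mi) * 60 + float(s)
        requests.append(ArpRequest(seconds, m.group("target"), m.group("sender")))
    return requests


def targets_by_sender(requests) -> dict:
    """Sorted list of distinct addresses each sender asked for."""
    seen = defaultdict(set)
    for r in requests:
        seen[r.sender].add(r.target)
    return {sender: sorted(t) for sender, t in seen.items()}


def repeated_requests(requests) -> dict:
    """(sender, target) pairs requested more than once, with their counts."""
    counts = Counter((r.sender, r.target) for r in requests)
    return {pair: n for pair, n in counts.items() if n > 1}


def fanout_senders(requests, min_targets: int = 10, window_s: float = 60.0) -> list:
    """Senders that asked for at least min_targets distinct addresses within window_s seconds."""
    by_sender = defaultdict(list)
    for r in requests:
        by_sender[r.sender].append(r)
    flagged = []
    for sender, reqs in by_sender.items():
        reqs.sort(key=lambda r: r.seconds)
        for i, first in enumerate(reqs):
            in_window = {r.target for r in reqs[i:] if r.seconds - first.seconds <= window_s}
            if len(in_window) >= min_targets:
                flagged.append(sender)
                break
    return flagged


if __name__ == "__main__":
    reqs = parse_arp_requests(SAMPLE_OUTPUT)
    print(f"{len(reqs)} who-has requests")
    print("repeated:", repeated_requests(reqs))
    print("fan-out senders:", fanout_senders(reqs))
```

The repeated who-has pair in the page's sample (the same target asked for twice, 3.3 seconds apart) shows up in repeated_requests; fanout_senders flags only the constructed host that asked for twenty addresses within the window.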

clear

Removes configuration files and commands from the configuration, or resets command values. (All modes.) However, using the no form of a command is preferred to using the clear form to change your configuration because the no form is usually more precise.

Remove files from flash memory with...              clear file configuration | pdm | pki
Remove a command from your configuration with...    clear command
                                                    no command

Table 4-3, Table 4-4, and Table 4-5 list the clear commands available in each mode. Additionally, the clear commands available in less secure modes are available in subsequent (more secure) modes. However, commands from a more secure mode are not available in a less secure mode.

Table 4-3 Unprivileged Mode Clear Commands

Clear Command | Description | Used in the following command(s)
clear pager | Resets the number of displayed lines to 24. | pager

Table 4-4 Privileged Mode Clear Commands

Clear Command | Description | Used in the following command(s)
clear arp | Clears the ARP table. | arp
clear auth-prompt | Removes an auth-prompt command statement from the configuration. | auth-prompt
clear blocks | Resets the show blocks command statement counters. | show blocks / clear blocks
clear configure | Resets command parameters in the configuration to their default values. | configure
clear flashfs | Clears Flash memory prior to downgrading the PIX Firewall software version. | fragment
clear floodguard | Removes Flood Defender, which protects against flood attacks, from the configuration. | floodguard
clear local-host | Resets the information displayed for the show local-host command. | show local-host / clear local-host


Table 4-4 Privileged Mode Clear Commands (continued)

Clear Command | Description | Used in the following command(s)
clear passwd | Resets the Telnet password back to cisco. | passwd
clear traffic | Resets the counters for the show traffic command. | show traffic / clear traffic
clear uauth | Deletes one user's or all users' AAA authorization caches, which forces the users to reauthenticate the next time they create a connection. | show uauth / clear uauth
clear xlate | Clears the contents of the translation slots. | show xlate / clear xlate

Table 4-5 Configuration Mode Clear Commands

Clear Command | Description | Used in the following command(s)
clear aaa | Removes aaa command statements from the configuration. | aaa accounting, aaa authorization
clear aaa-server | Removes aaa-server command statements from the configuration. |
clear access-group | Removes access-group command statements from the configuration. | access-group
clear access-list | Removes access-list command statements from the configuration. This command also stops all traffic through the PIX Firewall on the affected access-list command statements. | access-list
clear alias | Removes alias command statements from the configuration. | alias
clear apply | Removes apply command statements from the configuration. | outbound / apply
clear capture | Clears the packet capture. | capture
clear clock | Removes clock command statements from the configuration. | clock
clear conduit | Removes conduit command statements from the configuration. | conduit
clear dhcpd | Removes dhcpd command statements from the configuration. | dhcpd
clear established | Removes established command statements from the configuration. | established
clear filter | Removes filter command statements from the configuration. | filter
clear fixup | Resets fixup protocol command statements to their default values. | fixup protocol


Table 4-5 Configuration Mode Clear Commands (continued)

Clear Command | Description | Used in the following command(s)
clear flashfs | Clears Flash memory before downgrading to a previous PIX Firewall version. | fragment
clear global | Removes global command statements from the configuration. | global
clear http | Removes all HTTP hosts and disables the server. | http
clear icmp | Removes icmp command statements from the configuration. | icmp
clear ip | Sets all PIX Firewall interface IP addresses to 127.0.0.1 and stops all traffic. | ip address
clear ip address | Clears all PIX Firewall interface IP addresses (configuration mode). | ip address
clear ip audit | Clears the IDS signature on the interface (configuration mode). | ip audit
clear ip local pool | Clears the pool of local IP addresses for dynamic assignment to a VPN. | ip local pool
clear ip verify reverse-path | Clears RPF IP spoofing protection (configuration mode). | ip verify reverse-path
clear [crypto] dynamic-map | Removes crypto dynamic-map command statements from the configuration. The keyword crypto is optional. | crypto dynamic-map and dynamic-map
clear [crypto] ipsec sa | Deletes the active IPSec security associations. The keyword crypto is optional. | crypto ipsec
clear [crypto] ipsec sa counters | Clears the traffic counters maintained for each security association. The keyword crypto is optional. | crypto ipsec
clear [crypto] ipsec sa entry destination-address protocol spi | Deletes the active IPSec security association with the specified address, protocol, and SPI. The keyword crypto is optional. | crypto ipsec
clear [crypto] ipsec sa map map-name | Deletes the active IPSec security associations for the named crypto map set. The keyword crypto is optional. | crypto ipsec
clear [crypto] ipsec sa peer | Deletes the active IPSec security associations for the specified peer. The keyword crypto is optional. | crypto ipsec
clear [crypto] isakmp sa | Deletes the active IKE security associations. The keyword crypto is optional. | isakmp
clear [crypto] map | Deletes all parameters entered through the crypto map command belonging to the specified map. Does not delete dynamic maps. | crypto map
clear isakmp | Removes isakmp command statements from the configuration. | isakmp


Table 4-5 Configuration Mode Clear Commands (continued)

Clear Command | Description | Used in the following command(s)
clear interface | Clears counters for the show interface command. | interface
clear logging | Clears the syslog message queue accumulated by the logging buffered command. | logging
clear names | Removes name command statements from the configuration. | name / names
clear nameif | Reverts nameif command statements to default interface names and security levels. | nameif
clear nat | Removes nat command statements from the configuration. | nat
clear ntp | Removes ntp command statements from the configuration. | ntp
clear outbound | Removes outbound command statements from the configuration. | outbound / apply
clear pdm | Removes all locations, disables logging and clears the PDM buffer. Internal PDM command. | pdm
clear privilege | Removes privilege command statements from the configuration. | privilege
clear rip | Removes rip command statements from the configuration. | rip
clear route | Removes route command statements from the configuration that do not contain the CONNECT keyword. | route
clear service | Removes service command statements from the configuration. | service
clear snmp-server | Removes snmp-server command statements from the configuration. | snmp-server
clear ssh | Removes ssh command statements from the configuration. | ssh
clear static | Removes static command statements from the configuration. | static
clear sysopt | Removes sysopt command statements from the configuration. | sysopt
clear telnet | Removes telnet command statements from the configuration. | telnet
clear tftp-server | Removes tftp-server command statements from the configuration. | tftp-server
clear timeout | Resets timeout command durations to their default values. | timeout
clear url-cache | Removes url-cache command statements from the configuration. | url-cache


Table 4-5 Configuration Mode Clear Commands (continued)

Clear Command | Description | Used in the following command(s)
clear url-server | Removes url-server command statements from the configuration. | url-server
clear username | Removes username command statements from the configuration. | username
clear virtual | Removes virtual command statements from the configuration. | virtual
clear vpdn | Removes vpdn command statements from the configuration. | vpdn
clear vpnclient | Removes vpnclient command statements from the configuration. | vpnclient


clock

Set the PIX Firewall clock for use with the PIX Firewall Syslog Server (PFSS) and the Public Key Infrastructure (PKI) protocol. (Configuration mode.)

Configure with the command...    clock set hh:mm:ss {day month | month day} year
Remove with the command...       clear clock

Configure with the command...    clock summer-time zone recurring [week weekday month hh:mm week weekday month hh:mm] [offset]
Remove with the command...       no clock summer-time

Configure with the command...    clock summer-time zone date {day month | month day} year hh:mm {day month | month day} year hh:mm [offset]
Remove with the command...       no clock summer-time

Configure with the command...    clock timezone zone hours [minutes]
Remove with the command...       no clock timezone

Show command options    show clock [detail]

Show command output     Displays the time, time zone, day, and full date.

Syntax Description

date
  The date command form is used as an alternative to the recurring form of the clock summer-time command. It specifies that summertime should start on the first date entered and end on the second date entered. If the start date month is after the end date month, the summer time zone is accepted and assumed to be in the Southern Hemisphere.
day
  The day of the month to start, from 1 to 31.
detail
  Displays the clock source and current summertime settings.
hh:mm:ss
  The hour:minutes:seconds expressed in 24-hour time; for example, 20:54:00 for 8:54 pm. Zeros can be entered as a single digit; for example, 21:0:0.
hours
  The hours of offset from UTC.
minutes
  The minutes of offset from UTC.
month
  The month expressed as the first three characters of the month; for example, apr for April.
offset
  The number of minutes to add during summertime. The default is 60 minutes.
recurring
  Specifies the start and end dates for local summer daylight savings time. The first date entered is the start date and the second date entered is the end date. (The start date is relative to UTC and the end date is relative to the specified summer time zone.) If no dates are specified, United States Daylight Savings Time is used. If the start date month is after the end date month, the summer time zone is accepted and assumed to be in the Southern Hemisphere.
summer-time
  The clock summer-time command displays summertime hours during the specified summertime date range. This command affects the clock display time only.
timezone
  clock timezone sets the clock display to the time zone specified. It does not change internal PIX Firewall time, which remains UTC.


week
  Specifies the week of the month. The week is 1 through 4, or first or last for partial weeks at the beginning or end of a month, respectively. For example, week 5 of any month is specified by using last.
weekday
  Specifies the day of the week: Monday, Tuesday, Wednesday, etc.
year
  The year expressed as four digits; for example, 2000. The year range supported for the clock command is 1993 to 2035.
zone
  The name of the time zone.

Usage Guidelines

The clock command lets you specify the time, month, day, and year for use with time stamped syslog messages, which you can enable with the logging timestamp command. You can view the time with the clock or the show clock command. The clear clock command removes all summertime settings and resets the clock display to UTC. The show clock command outputs the time, time zone, day, and full date.

Note

The lifetime of a certificate and the certificate revocation list (CRL) is checked in UTC, which is the same as GMT. If you are using IPSec with certificates, set the PIX Firewall clock to UTC to ensure that CRL checking works correctly.

You can interchange the settings for the day and the month; for example, clock set 21:0:0 1 apr 2000. The maximum date range for the clock command is 1993 through 2035. A time prior to January 1, 1993, or after December 31, 2035, is not accepted.

While the PIX Firewall clock is year 2000 compliant, it does not adjust itself for daylight savings time changes; however, it does know about leap years. The PIX Firewall clock setting is retained in memory when the power is off by a battery on the PIX Firewall unit's motherboard. Should this battery fail, contact Cisco TAC for a replacement PIX Firewall unit.

Cisco's PKI (Public Key Infrastructure) protocol uses the clock to make sure that a certificate revocation list (CRL) is not expired. Otherwise, the CA may reject or allow certificates based on an incorrect timestamp. Refer to the Cisco PIX Firewall and VPN Configuration Guide for a description of IPSec concepts.

Examples

To enable PFSS time stamp logging for the first time, use the following commands:
clock set 21:0:0 apr 1 2000
show clock
21:00:05 Apr 01 2000
logging host 209.165.201.3
logging timestamp
logging trap 5

In this example, the clock command sets the clock to 9 p.m. on April 1, 2000. The logging host command specifies that a syslog server is at IP address 209.165.201.3. The PIX Firewall automatically determines that the server is a PFSS and sends syslog messages to it via TCP and UDP. The logging timestamp command enables sending time stamped syslog messages. The logging trap 5 command in this example specifies that messages at syslog level 0 through 5 be sent to the syslog server. The value 5 is used to capture severe and normal messages, but also those of the aaa authentication enable command.


The following clock summer-time command specifies that summertime starts on the first Sunday in April at 2 a.m. and ends on the last Sunday in October at 2 a.m.:
pix_name (config)# clock summer-time PDT recurring 1 Sunday April 2:00 last Sunday October 2:00

If you live in a place where summertime follows the Southern Hemisphere pattern, you can specify the exact date and times. In the following example, daylight savings time (summer time) is configured to start on October 12, 2001, at 2 a.m. and end on April 26, 2002, at 2 a.m.:
pix_name (config)# clock summer-time PDT date 12 October 2001 2:00 26 April 2002 2:00

conduit

Add, delete, or show conduits through the PIX Firewall for incoming connections. However, the conduit command has been superseded by the access-list command. We recommend that you migrate your configuration away from the conduit command to maintain future compatibility. (Configuration mode.)

Configure with the command...    conduit permit | deny protocol global_ip global_mask [operator port [port]] foreign_ip foreign_mask [operator port [port]]
Remove with the command...       no conduit permit | deny protocol global_ip global_mask [operator port [port]] foreign_ip foreign_mask [operator port [port]]
                                 clear conduit

Configure with the command...    conduit permit | deny icmp global_ip global_mask foreign_ip foreign_mask [icmp_type]
Remove with the command...       clear conduit

Configure with the command...    conduit deny|permit protocol | object-group protocol_obj_grp_id global_ip global_mask | object-group network_obj_grp_id [operator port [port] | object-group service_obj_grp_id] foreign_ip foreign_mask | object-group network_obj_grp_id [operator port [port] | object-group service_obj_grp_id]
Remove with the command...       no conduit deny|permit protocol | object-group protocol_obj_grp_id global_ip global_mask | object-group network_obj_grp_id [operator port [port] | object-group service_obj_grp_id] foreign_ip foreign_mask | object-group network_obj_grp_id [operator port [port] | object-group service_obj_grp_id]
                                 clear conduit

Configure with the command...    conduit deny|permit icmp global_ip global_mask | object-group network_obj_grp_id foreign_ip foreign_mask | object-group network_obj_grp_id [icmp_type | object-group icmp_type_obj_grp_id]
Remove with the command...       no conduit deny|permit icmp global_ip global_mask | object-group network_obj_grp_id foreign_ip foreign_mask | object-group network_obj_grp_id [icmp_type | object-group icmp_type_obj_grp_id]
                                 clear conduit

Configure with the command...    clear conduit counters
Remove with the command...       N/A


Show command options    show conduit

Show command output     Displays the conduit command statements in the configuration and the number of times (hit count) an element has been matched during a conduit command search.

Syntax Description

deny
  Deny access if the conditions are matched.
foreign_ip
  An external IP address (host or network) that can access the global_ip. You can specify 0.0.0.0 or 0 for any host. If both the foreign_ip and foreign_mask are 0.0.0.0 0.0.0.0, you can use the shorthand any option. If foreign_ip is a host, you can omit foreign_mask by specifying the host command before foreign_ip. For example:
    conduit permit tcp any eq ftp host 209.165.201.2
  This example lets foreign host 209.165.201.2 access any global address for FTP.
foreign_mask
  Network mask of foreign_ip. The foreign_mask is a 32-bit, four-part dotted decimal, such as 255.255.255.255. Use zeros in a part to indicate bit positions to be ignored. Use subnetting if required. If you use 0 for foreign_ip, use 0 for the foreign_mask; otherwise, enter the foreign_mask appropriate to foreign_ip. You can also specify a mask for subnetting; for example, 255.255.255.192.
global_ip
  A global IP address previously defined by a global or static command. You can use any if the global_ip and global_mask are 0.0.0.0 0.0.0.0. The any option applies the permit or deny parameters to the global addresses. If global_ip is a host, you can omit global_mask by specifying the host command before global_ip. For example:
    conduit permit tcp host 209.165.201.1 eq ftp any
  This example lets any foreign host access global address 209.165.201.1 for FTP.
global_mask
  Network mask of global_ip. The global_mask is a 32-bit, four-part dotted decimal, such as 255.255.255.255. Use zeros in a part to indicate bit positions to be ignored. Use subnetting if required. If you use 0 for global_ip, use 0 for the global_mask; otherwise, enter the global_mask appropriate to global_ip.
icmp_type
  The type of ICMP message. Table 4-6 lists the ICMP type literals that you can use in this command. Omit this option to include all ICMP types. The conduit permit icmp any any command permits all ICMP types and lets ICMP pass inbound and outbound.
icmp_type_obj_grp_id
  An existing ICMP type object group.
object-group
  Specifies an object group.


operator
  A comparison operand that lets you specify a port or a port range. Use without an operator and port to indicate all ports. For example:
    conduit permit tcp any any
  Use eq and a port to permit or deny access to just that port. For example, use eq ftp to permit or deny access only to FTP:
    conduit deny tcp host 192.168.1.1 eq ftp 209.165.201.1
  Use lt and a port to permit or deny access to all ports less than the port you specify. For example, use lt 1025 to permit or deny access to the well-known ports (1 to 1024):
    conduit permit tcp host 192.168.1.1 lt 1025 any
  Use gt and a port to permit or deny access to all ports greater than the port you specify. For example, use gt 42 to permit or deny ports 43 to 65535:
    conduit deny udp host 192.168.1.1 gt 42 host 209.165.201.2
  Use neq and a port to permit or deny access to every port except the port that you specify. For example, use neq 10 to permit or deny ports 1 to 9 and 11 to 65535:
    conduit deny tcp host 192.168.1.1 neq 10 host 209.165.201.2 neq 42
  Use range and a port range to permit or deny access to only those ports named in the range. For example, use range 10 1024 to permit or deny access only to ports 10 through 1024. All other ports are unaffected:
    conduit deny tcp any range ftp telnet any
  By default, all ports are denied until explicitly permitted.
network_obj_grp_id
  An existing network object group.
permit
  Permit access if the conditions are matched.
port
  Service(s) you permit to be used while accessing global_ip or foreign_ip. Specify services by the port that handles them, such as smtp for port 25, www for port 80, and so on. You can specify ports by either a literal name or a number in the range of 0 to 65535. You can specify all ports by not specifying a port value. For example:
    conduit deny tcp any any
  This command is the default condition for the conduit command in that all ports are denied until explicitly permitted. You can view valid port numbers online at the following website: http://www.isi.edu/in-notes/iana/assignments/port-numbers See "Ports" in Chapter 2, Using PIX Firewall Commands for a list of valid port literal names in port ranges; for example, ftp h323. You can also specify numbers.

Cisco PIX Firewall Command Reference

4-22

78-13849-01

Chapter 4

C Commands conduit

protocol    Specify the transport protocol for the connection. Possible literal values are icmp, tcp, udp, or an integer in the range 0 through 255 representing an IP protocol number. Use ip to specify all transport protocols. You can view valid protocol numbers online at the following website: http://www.isi.edu/in-notes/iana/assignments/protocol-numbers

If you specify the icmp protocol, you can permit or deny ICMP access to one or more global IP addresses. Specify the ICMP type in the icmp_type variable, or omit it to specify all ICMP types. See "Usage Guidelines" for a complete list of the ICMP types.

protocol_obj_grp_id    An existing protocol object group.

service_obj_grp_id    An existing service (port) object group.

Usage Guidelines

We recommend that you use the access-list command instead of the conduit command because using an access list is a more secure way of enabling connections between hosts. Specifically, the conduit command functions by creating an exception to the PIX Firewall Adaptive Security Algorithm that then permits connections from one PIX Firewall network interface to access hosts on another.

The conduit command can permit or deny access to addresses created with the global or static commands; however, neither command is required for the conduit command. You can associate a conduit command statement with a global or static command statement through the global address, either specifically to a single global address, a range of global addresses, or to all global addresses. When used with a static command statement, a conduit command statement permits users on a lower security interface to access a higher security interface. When not used with a static command statement, a conduit command statement permits both inbound and outbound access.
Converting conduit Commands to access-list Commands

Follow these steps to convert conduit command statements to access-list commands:


Step 1

View the static command format. This command normally precedes both the conduit and access-list commands. The static command syntax is as follows:
static (high_interface,low_interface) global_ip local_ip netmask mask

For example:
static (inside,outside) 209.165.201.5 192.168.1.5 netmask 255.255.255.255

This command maps the global IP address 209.165.201.5 on the outside interface to the web server 192.168.1.5 on the inside interface. The 255.255.255.255 is used for host addresses.
Step 2

View the conduit command format. The conduit command is similar to the access-list command in that it restricts access to the mapping provided by the static command. The conduit command syntax is as follows:
conduit action protocol global_ip global_mask global_operator global_port [global_port] foreign_ip foreign_mask foreign_operator foreign_port [foreign_port]

For example:
conduit permit tcp host 209.165.201.5 eq www any


This command permits TCP for the global IP address 209.165.201.5 that was specified in the static command statement and permits access over port 80 (www). The any option lets any host on the outside interface access the global IP address. The static command identifies the interface that the conduit command restricts access to.
Step 3

Create the access-list command from the conduit command options. The acl_name in the access-list command is a name or number you create to associate access-list command statements with an access-group or crypto map command statement. Normally the access-list command format is as follows:
access-list acl_name [deny | permit] protocol src_addr src_mask operator port dest_addr dest_mask operator port

However, using the syntax from the conduit command in the access-list command, you can see that the foreign_ip in the conduit command is the same as the src_addr in the access-list command and that the global_ip option in the conduit command is the same as the dest_addr in the access-list command. The access-list command syntax overlaid with the conduit command options is as follows:
access-list acl_name action protocol foreign_ip foreign_mask foreign_operator foreign_port [foreign_port] global_ip global_mask global_operator global_port [global_port]

For example:
access-list acl_out permit tcp any host 209.165.201.5 eq www

This command identifies the access-list command statement group with the acl_out identifier. You can use any name or number for your own identifier. (In this example the identifier, acl is from ACL, which means access control list and out is an abbreviation for the outside interface.) It makes your configuration clearer if you use an identifier name that indicates the interface to which you are associating the access-list command statements. The example access-list command, like the conduit command, permits TCP connections from any system on the outside interface. The access-list command is associated with the outside interface with the access-group command.
Step 4

Create the access-group command using the acl_name from the access-list command and the low_interface option from the static command. The format for the access-group command is as follows:
access-group acl_name in interface low_interface

For example:
access-group acl_out in interface outside

This command associates with the acl_out group of access-list command statements and states that the access-list command statement restricts access to the outside interface.
More on the conduit Command

If you associate a conduit command statement with a static command statement, only the interfaces specified on the static command statement have access to the conduit command statement. For example, if a static command statement lets users on the dmz interface access a server on the inside interface, only users on the dmz interface can access the server via the static command statement. Users on the outside do not have access.

Note

The conduit command statements are processed in the order they are entered into the configuration.


The permit and deny options for the conduit command are processed in the order listed in the PIX Firewall configuration. In the following example, host 209.165.202.129 is not denied access through the PIX Firewall because the permit option precedes the deny option: the permit statement already matches every TCP connection to port 80 on the global address, so the deny statement is never reached.
conduit permit tcp host 209.165.201.4 eq 80 any
conduit deny tcp host 209.165.201.4 eq 80 host 209.165.202.129
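The conversion procedure in Steps 1 through 4 and the ordering rule just illustrated, carried out in code. This is an added example, not Cisco's software or any part of the PIX image: a small Python parser for conduit statements that implements the port operators described earlier (eq, lt, gt, neq, range), rewrites each statement as the equivalent access-list and access-group lines (foreign address first, then global), evaluates a connection against the statements in first-match order with the implicit default deny, and generalizes the ordering example above into a check for statements that are shadowed by an earlier statement with the opposite action. The port-literal table is an assumed subset; the full list of literals is in Chapter 2. It needs Python 3.7 or later for ipaddress.IPv4Network.supernet_of.

```python
"""Port operators, conduit-to-access-list conversion and first-match evaluation
(added example, not Cisco's code; needs Python 3.7+ for supernet_of)."""
import ipaddress

PORT_LITERALS = {"ftp": 21, "telnet": 23, "smtp": 25, "www": 80, "http": 80,
                 "ident": 113, "h323": 1720}   # assumed subset of the PIX literals
OPERATORS = ("eq", "lt", "gt", "neq", "range")
MAX_PORT = 65535

def port_intervals(op, ports):
    """Closed [lo, hi] ranges an operator covers: lt 1025 -> 0-1024, gt 42 -> 43-65535,
    neq 10 -> 0-9 and 11-65535, range a b -> a-b, no operator -> every port."""
    if op is None:
        return [(0, MAX_PORT)]
    p = [int(PORT_LITERALS.get(x, x)) for x in ports]
    return {"eq": [(p[0], p[0])], "lt": [(0, p[0] - 1)], "gt": [(p[0] + 1, MAX_PORT)],
            "neq": [(0, p[0] - 1), (p[0] + 1, MAX_PORT)], "range": [(p[0], p[-1])]}[op]

def port_matches(op, ports, port):
    return any(lo <= port <= hi for lo, hi in port_intervals(op, ports))

def parse_address(t, i):
    """'host A' -> A/32, 'any' -> 0.0.0.0/0, 'A MASK' -> network; also returns the next index."""
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1]), i + 2
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network((t[i], t[i + 1]), strict=False), i + 2

def parse_operator(t, i):
    if i < len(t) and t[i] in OPERATORS:
        n = 2 if t[i] == "range" else 1
        return t[i], t[i + 1:i + 1 + n], i + 1 + n
    return None, [], i

def parse_conduit(line):
    """conduit action protocol global [op port..] foreign [op port..]"""
    t = line.split()
    if t[:1] != ["conduit"] or t[1] not in ("permit", "deny"):
        raise ValueError("not a conduit statement: " + line)
    r = {"action": t[1], "protocol": t[2]}
    r["global"], i = parse_address(t, 3)
    r["global_op"], r["global_ports"], i = parse_operator(t, i)
    r["foreign"], i = parse_address(t, i)
    r["foreign_op"], r["foreign_ports"], i = parse_operator(t, i)
    return r

def render(net, op, ports):
    """Address plus optional operator, in conduit/access-list syntax."""
    if net.prefixlen == 32:
        addr = "host %s" % net.network_address
    else:
        addr = "any" if net.prefixlen == 0 else "%s %s" % (net.network_address, net.netmask)
    return addr + (" %s %s" % (op, " ".join(ports)) if op else "")

def conduit_to_access_list(r, acl_name):
    """Step 3 of the page: foreign becomes the source, global the destination."""
    return "access-list %s %s %s %s %s" % (
        acl_name, r["action"], r["protocol"],
        render(r["foreign"], r["foreign_op"], r["foreign_ports"]),
        render(r["global"], r["global_op"], r["global_ports"]))

def convert(conduit_lines, acl_name, low_interface):
    """Steps 3 and 4: one access-list line per conduit, then the access-group."""
    out = [conduit_to_access_list(parse_conduit(l), acl_name) for l in conduit_lines]
    return out + ["access-group %s in interface %s" % (acl_name, low_interface)]

def evaluate(rules, protocol, global_ip, global_port, foreign_ip, foreign_port):
    """First matching conduit decides; if none matches the default is deny."""
    g, f = ipaddress.ip_address(global_ip), ipaddress.ip_address(foreign_ip)
    for r in rules:
        if (r["protocol"] in ("ip", protocol) and g in r["global"] and f in r["foreign"]
                and port_matches(r["global_op"], r["global_ports"], global_port)
                and port_matches(r["foreign_op"], r["foreign_ports"], foreign_port)):
            return r["action"]
    return "deny"

def covers(earlier, later):
    """True when every connection the later rule matches is already matched by the earlier one."""
    def ports_cover(a, b):
        return all(any(lo <= blo and bhi <= hi for lo, hi in a) for blo, bhi in b)
    return (earlier["protocol"] in ("ip", later["protocol"])
            and earlier["global"].supernet_of(later["global"])
            and earlier["foreign"].supernet_of(later["foreign"])
            and ports_cover(port_intervals(earlier["global_op"], earlier["global_ports"]),
                            port_intervals(later["global_op"], later["global_ports"]))
            and ports_cover(port_intervals(earlier["foreign_op"], earlier["foreign_ports"]),
                            port_intervals(later["foreign_op"], later["foreign_ports"])))

def shadowed(rules):
    """Indexes of rules that never take effect because an earlier rule with the opposite
    action covers them: the deny-after-permit ordering mistake shown on this page."""
    return [j for j, r in enumerate(rules)
            if any(e["action"] != r["action"] and covers(e, r) for e in rules[:j])]
```

Feeding the two statements above to shadowed() returns [1]: the deny is unreachable, and evaluate() returns "permit" for 209.165.202.129. Reversing the two statements makes the deny effective. The converter keeps the order, so a shadowed conduit stays shadowed after conversion to access-list form; run the check before converting.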

Note

If you want internal users to be able to ping external hosts, use the conduit permit icmp any any command. After changing or removing a conduit command statement, use the clear xlate command.

You can remove a conduit command statement with the no conduit command. The clear conduit command removes all conduit command statements from your configuration. The clear conduit counters command clears the current conduit hit count.

If you prefer more selective ICMP access, you can specify a single ICMP message type as the last option in this command. Table 4-6 lists possible ICMP type values.
Table 4-6 ICMP Type Literals

ICMP Type    Literal
0            echo-reply
3            unreachable
4            source-quench
5            redirect
6            alternate-address
8            echo
9            router-advertisement
10           router-solicitation
11           time-exceeded
12           parameter-problem
13           timestamp-reply
14           timestamp-request
15           information-request
16           information-reply
17           mask-request
18           mask-reply
31           conversion-error
32           mobile-redirect

Usage Notes

1. By default, all ports are denied until explicitly permitted.

2. The conduit command statements are processed in the order entered in the configuration. If you remove a command, it affects the order of all subsequent conduit command statements.


3. To remove all conduit command statements, cut and paste your configuration onto your console computer, edit the configuration on the computer, use the write erase command to clear the current configuration, and then paste the configuration back into the PIX Firewall.

4. If you use Port Address Translation (PAT), you cannot use a conduit command statement using the PAT address to either permit or deny access to ports.

5. Two conduit command statements are required for establishing access to the following services: discard, dns, echo, ident, pptp, rpc, sunrpc, syslog, tacacs-ds, talk, and time. Each service, except for pptp, requires one conduit for TCP and one for UDP. For DNS, if you are only receiving zone updates, you only need a single conduit command statement for TCP. The two conduit command statements for PPTP, whose control channel is TCP port 1723 and whose tunneled data is carried over GRE, are as shown in the following example:
static (dmz2,outside) 209.165.201.5 192.168.1.5 netmask 255.255.255.255
conduit permit tcp host 209.165.201.5 eq 1723 any
conduit permit gre host 209.165.201.5 any

In this example, PPTP is being used to handle access to host 192.168.1.5 on the dmz2 interface from users on the outside. Outside users access the dmz2 host using global address 209.165.201.5. The first conduit command statement opens access for the PPTP control channel and gives access to any outside users. The second conduit command statement permits access to GRE. If PPTP was not involved and GRE was, you could omit the first conduit command statement.
6. The RPC conduit command support fixes up UDP portmapper and rpcbind exchanges. TCP exchanges are not supported. This lets simple RPC-based programs work; however, remote procedure calls, arguments, or responses that contain addresses or ports will not be fixed up. For MSRPC, two conduit command statements are required, one for port 135 and another for access to the high ports (1024-65535). For Sun RPC, a single conduit command statement is required for UDP port 111. Once you create a conduit command statement for RPC, you can use the following command to test its activity from a UNIX host:
rpcinfo -u unix_host_ip_address 150001

Replace unix_host_ip_address with the IP address of the UNIX host.


7. You can overlay host statics on top of a net static range to further refine what an individual host can access. The host static must map the same global address that the host-specific conduit names:
static (inside,outside) 209.165.201.0 10.1.1.0 netmask 255.255.255.0
conduit permit tcp 209.165.201.0 255.255.255.0 eq ftp any
static (inside,outside) 209.165.201.3 10.1.1.3 netmask 255.255.255.255
conduit permit udp host 209.165.201.3 eq h323 host 209.165.202.3

In this case, the inside host 10.1.1.3 (global address 209.165.201.3) accepts Intel Internet Phone (H.323) connections from the outside host 209.165.202.3, in addition to the blanket FTP access that the net static and its conduit grant to the whole 10.1.1.0 range.

Examples

1.

The following commands permit access between an outside UNIX gateway host at 209.165.201.2 and an inside SMTP server with Mail Guard at 192.168.1.49. Mail Guard is enabled in the default configuration for PIX Firewall with the fixup protocol smtp 25 command. The global address on the PIX Firewall is 209.165.201.1.
static (inside,outside) 209.165.201.1 192.168.1.49 netmask 255.255.255.255 0 0
conduit permit tcp host 209.165.201.1 eq smtp host 209.165.201.2


To disable Mail Guard, enter the following command:


no fixup protocol smtp 25

2.

You can set up an inside host to receive H.323 Intel Internet Phone calls and allow the outside network to connect inbound via the IDENT protocol (TCP port 113). In this example, the inside network is at 192.168.1.0, and the global addresses on the outside network are referenced via the 209.165.201.0 network address with a 255.255.255.224 mask.
static (inside,outside) 209.165.201.0 192.168.1.0 netmask 255.255.255.224 0 0
conduit permit tcp 209.165.201.0 255.255.255.224 eq h323 any
conduit permit tcp 209.165.201.0 255.255.255.224 eq 113 any

3.

You can create a web server on the perimeter interface that can be accessed by any outside host as follows:
static (perimeter,outside) 209.165.201.4 192.168.1.4 netmask 255.255.255.255 0 0
conduit permit tcp host 209.165.201.4 eq 80 any

In this example, the static command statement maps the perimeter host, 192.168.1.4, to the global address, 209.165.201.4. The conduit command statement specifies that the global host can be accessed on port 80 (web server) by any outside host.

configure
Clear or merge the current configuration with that on floppy or in Flash memory, start configuration mode, or view the current configuration. For the PIX 501 and PIX 506/506E only, the command restores the factory default configuration. (Privileged mode.)

Set with the command...    Remove with the command...

configure factory-default [inside_ip_address [address_mask]] (PIX 501 and PIX 506/506E only)    N/A
configure floppy (older PIX Firewall units that have a floppy drive only)    clear configure primary | secondary | all
configure http[s]://[user:password@]location[:port]/http_pathname    no configure http[s]://[user:password@]location[:port]/http_pathname
configure memory    clear configure primary | secondary | all
configure net [[server_ip]:[filename]]    clear configure primary | secondary | all
configure terminal    clear configure primary | secondary | all
show configure    N/A

Show command options
show configure

Show command output
Displays the startup configuration of the PIX Firewall.

Syntax Description

address_mask    Specifies the address mask for the inside interface IP address. The default address mask is 255.255.255.0.
all    Combines the primary and secondary options.
clear    Clears aspects of the current configuration in RAM. Use the write erase command to clear the complete configuration.
factory-default    Specifies to clear the current configuration and regenerate the default, factory-loaded configuration. This command is supported for the PIX 501 and PIX 506/506E only in PIX Firewall software version 6.2.
filename    A filename you specify to qualify the location of the configuration file on the TFTP server named in server_ip. If you set a filename with the tftp-server command, do not specify it in the configure command; instead just use a colon ( : ) without a filename.
floppy    Merges the current configuration with that on diskette.
http_pathname    The name of the HTTP server path that contains the PIX Firewall configuration to copy.
http[s]    Specifies to retrieve configuration information from an HTTP server. (SSL is used when https is specified.)
inside_ip_address    Specifies the inside IP address. The default inside interface IP address is 192.168.1.1.
location    The IP address (or defined name) of the HTTP server to log into.
memory    Merges the current configuration with that in Flash memory.
net    Loads the configuration from a TFTP server and the path you specify.
password    The password for logging into the HTTP server.
pathname    The name of the resource that contains the PIX Firewall configuration to copy.
port    Specifies the port to contact on the HTTP server. It defaults to 80 for http and 443 for https.
primary    Sets the interface, ip, mtu, nameif, and route commands to their default values. In addition, interface names are removed from all commands in the configuration.
secondary    Removes the aaa-server, alias, access-list, apply, conduit, global, outbound, static, telnet, and url-server command statements from your configuration.
server_ip    Merges the current configuration with that available across the network at another location, which is defined with the tftp-server command.
terminal    Starts configuration mode to enter configuration commands from a terminal. Exit configuration mode by entering the quit command.
user    The username for logging into the HTTP server.

Usage Guidelines

The clear configure command resets a configuration to its default values. Use this command to create a template configuration or when you want to clear all values. The clear configure primary command resets the default values for the interface, ip, mtu, nameif, and route commands. This command also deletes interface names in the configuration.

On the PIX 501 and PIX 506/506E, the configure factory-default command reinstates the factory default configuration. (This command is not supported on other PIX Firewall platforms at this time.) Use this command carefully because, before reinstating the factory default configuration, this command has the same effect as the clear configure all command; it clears all existing configuration information. With no options specified, the configure factory-default command gives a default IP address of 192.168.1.1, and a netmask of 255.255.255.0, to the PIX Firewall inside interface.


With the configure factory-default ip-address command, if you specify an inside IP address but no netmask, the default address mask is derived from the specified IP address and is based on the IP address class. With the configure factory-default ip-address netmask command, the specified IP address and netmask are assigned to the PIX Firewall inside interface. The DHCP pool size under the factory default configuration is as follows:

For the PIX 501, either a 10-user license that is limited to a pool size of 32 addresses, or a 50-user license that is limited to a pool size of 128 addresses. The PIX 506/506E is limited to a pool size of 256 addresses.

The configure http[s] command retrieves configuration information from an HTTP server for remotely managing a PIX Firewall configuration. The configuration can be either a text file or an XML file. Text files merge regardless of errors that may be in the configuration. XML files require the use of the message config-data in the XML file to explicitly control merging and error handling.

The clear configure secondary command removes the aaa-server, alias, access-list, apply, conduit, global, outbound, static, telnet, and url-server command statements from the configuration. However, the clear configure secondary command does not remove tftp-server command statements.

Note

Save your configuration before using the clear configure command. The clear configure secondary command does not prompt you before deleting lines from your configuration.

The configure net command merges the current running configuration with a TFTP configuration stored at the IP address you specify and from the file you name. If you specify both the IP address and path name in the tftp-server command, you can specify :filename as simply a colon ( : ). For example:
configure net :

Use the write net command to store the configuration in the file. If you have an existing PIX Firewall configuration on a TFTP server and store a shorter configuration with the same filename on the TFTP server, some TFTP servers will leave some of the original configuration after the first :end mark. This does not affect the PIX Firewall because the configure net command stops reading when it reaches the first :end mark. However, this may cause confusion if you view the configuration and see extra text at the end of the configuration. This does not occur if you are using Cisco TFTP Server version 1.1 for Windows NT.

Note

Many TFTP servers require the configuration file to be world-readable to be accessible. Because TFTP has no authentication, a world-readable configuration file is also readable by any host that can reach the TFTP server, including any keys and password hashes the file contains.

The configure floppy command merges the current running configuration with the configuration stored on diskette. This command assumes that the diskette was previously created by the write floppy command. The configure memory command merges the configuration in Flash memory into the current configuration in RAM.

The configure terminal command starts configuration mode. Exit configuration mode with the quit command. After exiting configuration mode, use the write memory command to store your changes in Flash memory or write floppy to store the configuration on diskette. Use the write terminal command to display the current configuration.


Each command statement from diskette (with configure floppy), Flash memory (with configure memory), or TFTP transfer (with configure net) is read into the current configuration and evaluated in the same way as commands entered from a keyboard with the following rules:

1. If the command on diskette or Flash memory is identical to an existing command in the current configuration, it is ignored.

2. If the command on diskette or Flash memory is an additional instance of an existing command, such as if you already have one telnet command for IP address 10.2.3.4 and the diskette configuration has a telnet command for 10.7.8.9, then both commands appear in the current configuration.

3. If the command redefines an existing command, the command on diskette or Flash memory overwrites the command in the current configuration in RAM. For example, if you have the hostname ram command in the current configuration and the hostname floppy command on diskette, the command in the configuration becomes hostname floppy and the command line prompt changes to match the new hostname when that command is read from diskette.
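The three merge rules above, modelled in code. This is an added example, not Cisco's code or the actual PIX parser: a Python function that applies an incoming configuration to a running one statement by statement (identical statement ignored, additional instance appended, single-instance command overwritten) and stops at the first :end mark as the configure net command does, plus a helper that lists the access-granting statements a merge introduced so they can be reviewed before write memory. The set of single-instance commands is an assumption made for illustration; the page itself names only hostname as a command that is redefined rather than added. The running and incoming configurations are constructed sample input.

```python
"""Merge rules of configure floppy / memory / net (added example, not Cisco's code)."""

# Assumed, illustrative set of commands of which only one instance exists, so an
# incoming copy replaces the current one (the page's hostname ram -> hostname floppy case).
SINGLE_INSTANCE = {"hostname", "domain-name"}

# Statements that open access; an unexpected one after a merge deserves a look.
ACCESS_KEYWORDS = ("telnet", "conduit", "static", "access-list", "global")


def merge_config(running, incoming):
    """Apply the incoming statements to the running configuration, in order.
    Rule 1: identical statement -> ignored.  Rule 2: another instance of a
    repeatable command (telnet, static, ...) -> appended.  Rule 3: a single-instance
    command -> overwritten in place.  Reading stops at the first ':end' mark."""
    result = list(running)
    for raw in incoming:
        line = raw.strip()
        if line.lower() == ":end":
            break
        if not line or line.startswith(":"):       # ': Saved' and other comment lines
            continue
        if line in result:                          # rule 1
            continue
        keyword = line.split()[0]
        existing = next((i for i, cur in enumerate(result)
                         if cur.split()[:1] == [keyword]), None)
        if keyword in SINGLE_INSTANCE and existing is not None:
            result[existing] = line                 # rule 3
        else:
            result.append(line)                     # rule 2
    return result


def added_access(running, merged):
    """Access-granting statements that the merge introduced; the merge itself
    never prompts, so this is the list to check before write memory."""
    return [l for l in merged if l not in running and l.split()[:1] and
            l.split()[0] in ACCESS_KEYWORDS]


# Constructed sample input, not a real configuration.
RUNNING = ["hostname ram", "telnet 10.2.3.4 255.255.255.255 inside"]
INCOMING = [": Saved",
            "hostname floppy",
            "telnet 10.7.8.9 255.255.255.255 inside",
            "telnet 10.2.3.4 255.255.255.255 inside",
            ":end",
            "telnet 10.9.9.9 255.255.255.255 inside"]   # after :end, never read

if __name__ == "__main__":
    merged = merge_config(RUNNING, INCOMING)
    print("\n".join(merged))
    print("added access:", added_access(RUNNING, merged))
```

The statement after :end is never read, which matches the note above about TFTP servers leaving stale text after the first :end mark: the stale text is harmless to the merge but confusing to anyone reading the file.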

Examples

The following example shows how to configure the PIX Firewall using a configuration retrieved with TFTP:
configure net 10.1.1.1:/tftp/config/pixconfig

The pixconfig file is stored on the TFTP server at 10.1.1.1 in the tftp/config folder. The following example shows how to configure the PIX Firewall from a diskette:
configure floppy

The following example shows how to configure the PIX Firewall from the configuration stored in Flash memory:
configure memory

The following example shows the commands you enter to access configuration mode, view the configuration, and save it in Flash memory. Access privileged mode with the enable command and configuration mode with the configure terminal command. View the current configuration with the write terminal command and save your configuration to Flash memory using the write memory command.
pixfirewall> enable
password:
pixfirewall# configure terminal
pixfirewall(config)# write terminal
: Saved
(current configuration)
: End
pixfirewall(config)# write memory

When you enter the configure factory-default command on a platform other than the PIX 501 or PIX 506/506E, the PIX Firewall displays a not supported error message. On the PIX 515, for example, the following message is displayed:
pixfirewall(config)# configure factory-default
'config factory-default' is not supported on PIX-515


copy
Change software images without requiring access to the TFTP monitor mode. (Configuration mode.)

Download with the command...    Remove with the command...

copy capture:capture_name tftp://location/path [pcap]    N/A
copy http[s]://[user:password@]location[:port]/http_pathname flash[:[image | pdm]]    N/A
copy tftp[:[[//location][/tftp_pathname]]] flash[:[image | pdm]]    N/A

Syntax Description

copy capture    Specifies to copy capture information to a remote TFTP server.
capture_name    A unique name that identifies the capture.
copy http[s]    Specifies to retrieve a PIX Firewall software image or PDM file from an HTTP server. (SSL is used when https is specified.)
copy tftp flash    Download Flash memory software images via TFTP without using monitor mode.
http_pathname    The name of the resource that contains the PIX Firewall software image or PDM file to copy.
image    Download the selected PIX Firewall image to Flash memory. An image you download is made available to the PIX Firewall on the next reload (reboot).
location    Either an IP address or a name that resolves to an IP address via the PIX Firewall naming resolution mechanism.
password    The password for logging into the HTTP server.
pdm    Download the selected PDM image files to Flash memory. These files are available to the PIX Firewall immediately, without a reboot.
port    Specifies the port to contact on the HTTP server. It defaults to 80 for http and 443 for https.
tftp_pathname    The path to the file on the TFTP server. PIX Firewall must know how to reach this location via its routing table information. This information is determined by the ip address command, the route command, or also RIP, depending upon your configuration. The pathname can include any directory names in addition to the actual last component of the path to the file on the server.
user    The username for logging into the HTTP server.

Usage Guidelines

The copy tftp flash command lets you download a software image via TFTP. You can use the copy tftp flash command with any PIX Firewall model running version 5.1 or higher. The image you download is made available to the PIX Firewall on the next reload (reboot). The command syntax is as follows: copy tftp[:[[//location][/pathname]]] flash


If the command is used without the location or pathname optional parameters, then the location and filename are obtained from the user interactively via a series of questions similar to those presented by Cisco IOS software. If you only enter a colon (:), parameters are taken from the tftp-server command settings. If other optional parameters are supplied, then these values are used in place of the corresponding tftp-server command setting. Supplying any of the optional parameters, such as a colon and anything after it, causes the command to run without prompting for user input.

The location is either an IP address or a name that resolves to an IP address via the PIX Firewall naming resolution mechanism (currently static mappings via the name and names commands). PIX Firewall must know how to reach this location via its routing table information. This information is determined by the ip address command, the route command, or also RIP, depending upon your configuration.

The pathname can include any directory names besides the actual last component of the path to the file on the server. The pathname cannot contain spaces. If a directory name has spaces, set the directory in the TFTP server instead of in the copy tftp flash command.

If your TFTP server has been configured to point to a directory on the system from which you are downloading the image, you need only use the IP address of the system and the image filename. For example, if you want to download the pix512.bin file from the D: partition on a Windows system (IP address 10.1.1.5), you would access the Cisco TFTP Server View>Options menu and enter the filename path in the TFTP server root directory edit box; for example, D:\pix_images. To copy the file to the PIX Firewall, use the following copy tftp command.
copy tftp://10.1.1.5/pix512.bin flash

The TFTP server receives the command and determines the actual file location from its root directory information. The server then downloads the TFTP image to the PIX Firewall.

Note

Images prior to version 5.1 cannot be retrieved using this mechanism.

Examples

copy capture

The following example shows the prompts provided when you enter the copy capture command without specifying the full path:
copy capture:abc tftp
Address or name of remote host [171.68.11.129]?
Source file name [username/cdisk]?
copying capture to tftp://171.68.11.129/username/cdisk:
[yes|no|again]? y
!!!!!!!!!!!!!

Alternately, you can specify the full path as follows:


copy capture:abc tftp:171.68.11.129/tftpboot/abc.cap pcap

If the TFTP server is already configured, the location or file name can be left unspecified as follows:
tftp-server outside 171.68.11.129 tftp/cdisk
copy capture:abc tftp:/tftp/abc.cap

The following example shows how to use the defaults of the preconfigured TFTP server in the copy capture command:
copy capture:abc tftp:pcap


copy http

The following example shows how to copy the PIX Firewall software image from a public HTTP server into the Flash memory of your PIX Firewall:
copy http://171.68.11.129/auto/cdisk flash:image

The following example show how to copy the PDM software image through HTTPS (HTTP over SSL), where the SSL authentication is provided by the username alice and the password xyz:
copy https://alice:xyz@171.68.11.129/auto/pdm.bin flash:pdm

The following example show how to copy the PIX Firewall software image from an HTTPS server running on a non-standard port, where the file is copied into the software image space in Flash memory by default:
copy https://alice:zyx@171.68.11.129:8080/auto/cdisk flash

The following examples copy files from 198.133.219.25, which is the IP address for www.cisco.com, to the Flash memory of your PIX Firewall. To use these examples, replace the username and password "cco-username:cco-password" with your CCO username and password. Also note that the URL contains a '?'. To enter this while using the PIX Firewall CLI, it must be preceded by typing Ctrl-v. With http:// rather than https://, the username and password embedded in the URL are sent in cleartext. To copy PIX Firewall software version 6.2.2 into the Flash memory of your PIX Firewall from Cisco.com, enter the following command:
copy http://cco-username:cco-password@198.133.219.25/cgi-bin/Software/Tablebuild/download.cgi/pix622.bin?&filename=cisco/ciscosecure/pix/pix622.bin flash:image

To copy PDM version 2.0.2 into the Flash memory of your PIX Firewall from Cisco.com, enter the following command:
copy http://cco-username:cco-password@198.133.219.25/cgi-bin/Software/Tablebuild/download.cgi/pdm-202.bin?&filename=cisco/ciscosecure/pix/pdm-202.bin flash:pdm

copy tftp

The following example causes the PIX Firewall to prompt you for the filename and location before you start the TFTP download:
copy tftp flash
Address or name of remote host [127.0.0.1]? 10.1.1.5
Source file name [cdisk]? pix512.bin
copying tftp://10.1.1.5/pix512.bin to flash
[yes|no|again]? yes
!!!!!!!!!!!!!!!!!!!!!!!
Received 1695744 bytes.
Erasing current image.
Writing 1597496 bytes of image.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Image installed.


The next example takes the information from the tftp-server command. In this case, the TFTP server is in an intranet and resides on the outside interface. The example sets the filename and location from the tftp-server command, saves memory, and then downloads the image to Flash memory.
tftp-server outside 10.1.1.5 pix512.bin
Warning: 'outside' interface has a low security level (0).
write memory
Building configuration...
Cryptochecksum: 017c452b d54be501 8620ba48 490f7e99
[OK]
copy tftp: flash
copying tftp://10.1.1.5/pix512.bin to flash
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

The next example overrides the information in the tftp-server command to let you specify alternate information about the filename and location. If you have not set the tftp-server command, you can also use the copy tftp flash command to specify all information as shown in the second example that follows.
copy tftp:/pix512.bin flash
copy tftp://10.0.0.1/pix512.bin flash

The next example maps an IP address to the tftp hostname with the name command and uses the tftp-host name in the copy commands:
name 10.1.1.6 tftp-host
copy tftp://tftp-host/pix512.bin flash
copy tftp://tftp-host/tftpboot/pix512.bin flash

crypto dynamic-map
Create, view, or delete a dynamic crypto map entry. (Configuration mode.)

Configure with the command...    Remove with the command...

crypto dynamic-map dynamic-map-name dynamic-seq-num match address acl_name    no crypto dynamic-map dynamic-map-name dynamic-seq-num match address acl_name
crypto dynamic-map dynamic-map-name dynamic-seq-num set peer hostname | ip-address    no crypto dynamic-map dynamic-map-name dynamic-seq-num set peer hostname | ip-address
crypto dynamic-map dynamic-map-name dynamic-seq-num set pfs [group1 | group2]    no crypto dynamic-map dynamic-map-name dynamic-seq-num set pfs
crypto dynamic-map dynamic-map-name dynamic-seq-num set security-association lifetime seconds seconds | kilobytes kilobytes    no crypto dynamic-map dynamic-map-name dynamic-seq-num set security-association lifetime seconds | kilobytes
crypto dynamic-map dynamic-map-name dynamic-seq-num set transform-set transform-set-name1 [... transform-set-name9]    no crypto dynamic-map dynamic-map-name dynamic-seq-num set transform-set transform-set-name1 [... transform-set-name9]
N/A    clear [crypto] dynamic-map [dynamic-map-name] [dynamic-seq-num]

Cisco PIX Firewall Command Reference

4-34

78-13849-01

Chapter 4

C Commands crypto dynamic-map

Show command options
  show crypto dynamic-map [tag dynamic-map-name]

Show command output
  Displays the dynamic crypto map set.

Syntax Description

dynamic-map-name: Specify the name of the dynamic crypto map set.
dynamic-seq-num: Specify the sequence number that corresponds to the dynamic crypto map entry.
subcommand: Various subcommands (match address, set transform-set, and so on).
tag map-name: (Optional) Show the crypto dynamic map set with the specified map-name.

Note

The crypto dynamic-map subcommands, such as match address, set peer, and set pfs, are described with the crypto map command. If the peer initiates the negotiation and the local configuration specifies PFS, the peer must perform a PFS exchange or the negotiation will fail. If the local configuration does not specify a group, a default of group1 will be assumed, and an offer of either group1 or group2 will be accepted. If the local configuration specifies group2, that group must be part of the peer's offer or the negotiation will fail. If the local configuration does not specify PFS, it will accept any offer of PFS from the peer.

Usage Guidelines

The sections that follow describe each crypto dynamic-map command.


crypto dynamic-map

The crypto dynamic-map command lets you create a dynamic crypto map entry. The no crypto dynamic-map command deletes a dynamic crypto map set or entry. The clear [crypto] dynamic-map command removes all of the dynamic crypto map command statements. Specifying the name of a given crypto dynamic map removes the associated crypto dynamic map command statement(s). You can also specify the dynamic crypto map's sequence number to remove all of the associated dynamic crypto map command statements. The show crypto dynamic-map command lets you view a dynamic crypto map set.

Dynamic crypto maps are policy templates used when processing negotiation requests for new security associations from a remote IPSec peer, even if you do not know all of the crypto map parameters required to communicate with the peer (such as the peer's IP address). For example, if you do not know about all the remote IPSec peers in your network, a dynamic crypto map lets you accept requests for new security associations from previously unknown peers. (However, these requests are not processed until the IKE authentication has completed successfully.)

When a PIX Firewall receives a negotiation request via IKE from another peer, the request is examined to see if it matches a crypto map entry. If the negotiation does not match any explicit crypto map entry, it will be rejected unless the crypto map set includes a reference to a dynamic crypto map. The dynamic crypto map accepts wildcard parameters for any parameters not explicitly stated in the dynamic crypto map entry. This lets you set up IPSec security associations with a previously unknown peer. (The peer still must specify matching values for the wildcard IPSec security association negotiation parameters.)

If the PIX Firewall accepts the peer's request, at the point that it installs the new IPSec security associations it also installs a temporary crypto map entry. This entry is filled in with the results of the negotiation. At this point, the PIX Firewall performs normal processing, using this temporary crypto map entry as a normal entry, even requesting new security associations if the current ones are expiring (based upon the policy specified in the temporary crypto map entry). Once the flow expires (that is, all of the corresponding security associations expire), the temporary crypto map entry is removed.

The crypto dynamic-map command statements are used for determining whether or not traffic should be protected. The only parameter required in a crypto dynamic-map command statement is the set transform-set. All other parameters are optional.

Examples

The following example configures an IPSec crypto map set. Crypto map entry mymap 30 references the dynamic crypto map set mydynamicmap, which can be used to process inbound security association negotiation requests that do not match mymap entries 10 or 20. In this case, if the peer specifies a transform set that matches one of the transform sets specified in mydynamicmap, for a flow permitted by the access list 103, IPSec will accept the request and set up security associations with the remote peer without previously knowing about the peer. If accepted, the resulting security associations (and temporary crypto map entry) are established according to the settings specified by the remote peer.

The access list associated with mydynamicmap 10 is also used as a filter. Inbound packets that match a permit statement in this list are dropped for not being IPSec protected. (The same is true for access lists associated with static crypto map entries.) Outbound packets that match a permit statement without an existing corresponding IPSec security association are also dropped in the following example.
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set transform-set my_t_set1
crypto map mymap 10 set peer 10.0.0.1 10.0.0.2
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address 102
crypto map mymap 20 set transform-set my_t_set1 my_t_set2
crypto map mymap 20 set peer 10.0.0.3
crypto dynamic-map mydynamicmap 10 match address 103
crypto dynamic-map mydynamicmap 10 set transform-set my_t_set1 my_t_set2 my_t_set3
crypto map mymap 30 ipsec-isakmp dynamic mydynamicmap
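The selection logic described above (explicit entries first, the dynamic template only afterwards, rejection otherwise, and the PFS rule from the note), modelled in Python. This is an added example and not PIX code: the access-list model (an ACL is the set of flow labels it permits, "*" meaning any), the class and function names, the flow labels and the peer 198.51.100.7 are assumptions made for the example; the crypto map contents follow mymap and mydynamicmap from the configuration above.

```python
"""Model of how a PIX crypto map set handles an inbound IPSec negotiation
request: explicit (static) entries are checked first, the dynamic template
only afterwards, and a request matching neither is rejected.  A dynamic
match yields the temporary entry the text describes, filled in from the
negotiation.

Added illustration, not PIX code.  The ACL model (an access list is the
set of flow labels it permits, "*" meaning any), the class names, the flow
labels and peers other than 10.0.0.1-10.0.0.3 are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Constructed ACL model: access-list number -> flow labels it permits.
ACLS = {
    "101": {"hq-to-siteA"},
    "102": {"hq-to-siteB"},
    "103": {"*"},                 # mydynamicmap 10 match address 103
}


@dataclass
class CryptoMapEntry:
    seq: int
    acl: str                       # "match address" access list
    transform_sets: list           # "set transform-set" names, in order
    peers: list = field(default_factory=list)   # "set peer"; empty on a dynamic entry
    dynamic: bool = False          # "ipsec-isakmp dynamic <template>" entry


@dataclass
class Proposal:
    peer: str
    flow: str
    transform_sets: list                       # transform sets the peer offers
    pfs_groups: Set[str] = field(default_factory=set)   # DH groups offered for PFS


def acl_permits(acl: str, flow: str) -> bool:
    permitted = ACLS.get(acl, set())
    return "*" in permitted or flow in permitted


def first_common_transform_set(entry: CryptoMapEntry, proposal: Proposal) -> Optional[str]:
    # The transform set must be identical at both peers; the first one in
    # common (in the order the peer offered them) is selected.
    for ts in proposal.transform_sets:
        if ts in entry.transform_sets:
            return ts
    return None


def select_entry(crypto_map, proposal: Proposal) -> Optional[Tuple[CryptoMapEntry, str]]:
    """Return (entry, transform_set), or None when the request is rejected.
    For a dynamic match the returned entry is the temporary entry the PIX
    would install: peer and transform set come from the negotiation."""
    statics = sorted((e for e in crypto_map if not e.dynamic), key=lambda e: e.seq)
    dynamics = sorted((e for e in crypto_map if e.dynamic), key=lambda e: e.seq)
    for entry in statics:
        ts = first_common_transform_set(entry, proposal)
        if ts and proposal.peer in entry.peers and acl_permits(entry.acl, proposal.flow):
            return entry, ts
    for entry in dynamics:
        ts = first_common_transform_set(entry, proposal)
        if ts and acl_permits(entry.acl, proposal.flow):   # the peer is a wildcard here
            temporary = CryptoMapEntry(seq=entry.seq, acl=entry.acl,
                                       transform_sets=[ts], peers=[proposal.peer])
            return temporary, ts
    return None        # no explicit entry and no dynamic template matched


def pfs_acceptable(local_pfs: bool, local_group: Optional[str], offered: Set[str]) -> bool:
    """PFS rule from the note above.  Local PFS forces the peer to do a PFS
    exchange; with no group configured, group1 is assumed and group1 or
    group2 is accepted; an explicit local group must be in the peer's offer;
    without local PFS any offer (or none) is accepted."""
    if not local_pfs:
        return True
    if not offered:
        return False
    if local_group is None:
        return bool(offered & {"group1", "group2"})
    return local_group in offered


# The sample configuration: mymap 10, mymap 20 and the dynamic entry mymap 30.
MYMAP = [
    CryptoMapEntry(10, "101", ["my_t_set1"], peers=["10.0.0.1", "10.0.0.2"]),
    CryptoMapEntry(20, "102", ["my_t_set1", "my_t_set2"], peers=["10.0.0.3"]),
    CryptoMapEntry(30, "103", ["my_t_set1", "my_t_set2", "my_t_set3"], dynamic=True),
]

if __name__ == "__main__":
    print(select_entry(MYMAP, Proposal("10.0.0.1", "hq-to-siteA", ["my_t_set1"])))
    print(select_entry(MYMAP, Proposal("198.51.100.7", "branch-x", ["my_t_set3"])))
    print(select_entry(MYMAP, Proposal("198.51.100.7", "branch-x", ["my_t_set9"])))
```

The third call returns None: a previously unknown peer that offers a transform set the template does not carry is rejected even though access list 103 permits the flow, which is the filtering behaviour the example text describes.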

The following is sample output for the show crypto dynamic-map command:
show crypto dynamic-map
Crypto Map Template "dyn1" 10
        access-list 152 permit ip host 172.21.114.67 any
        Current peer: 0.0.0.0
        Security association lifetime: 4608000 kilobytes/120 seconds
        PFS (Y/N): N
        Transform sets={ tauth, t1, }


The following partial configuration was in effect when the preceding show crypto dynamic-map command was issued:
crypto ipsec security-association lifetime seconds 120
crypto ipsec transform-set t1 esp-des esp-md5-hmac
crypto ipsec transform-set tauth ah-sha-hmac
crypto dynamic-map dyn1 set transform-set tauth t1
crypto dynamic-map dyn1 match address 152
crypto map to-firewall local-address Ethernet0
crypto map to-firewall 10 ipsec-isakmp
crypto map to-firewall 10 set peer 172.21.114.123
crypto map to-firewall 10 set transform-set tauth t1
crypto map to-firewall 10 match address 150
crypto map to-firewall 20 ipsec-isakmp dynamic dyn1
access-list 150 permit ip host 172.21.114.67 host 172.21.114.123
access-list 150 permit ip host 15.15.15.1 host 172.21.114.123
access-list 150 permit ip host 15.15.15.1 host 8.8.8.1
access-list 152 permit ip host 172.21.114.67 any

crypto dynamic-map match address

See the crypto map match address command within the crypto map command for information about this command.
crypto dynamic-map set peer

See the crypto map set peer command within the crypto map command for information about this command.
crypto dynamic-map set pfs

See the crypto map set pfs command within the crypto map command for information about this command.
crypto dynamic-map set security-association lifetime

See the crypto map set security-association lifetime command within the crypto map command for information about this command.
crypto dynamic-map set transform-set

See the crypto map set transform-set command within the crypto map command for information about this command.

Note

The crypto map set transform-set command is required for dynamic crypto map entries.

crypto ipsec
Create, view, or delete IPSec security associations, security association global lifetime values, and global transform sets. (Configuration mode.)


Configure with the command...
  crypto ipsec security-association lifetime seconds seconds | kilobytes kilobytes
  crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]
  crypto ipsec transform-set transform-set-name mode transport

Remove with the command...
  no crypto ipsec security-association lifetime seconds | kilobytes
  clear [crypto] ipsec sa
  clear [crypto] ipsec sa counters
  clear [crypto] ipsec sa entry destination-address protocol spi
  clear [crypto] ipsec sa map map-name
  clear [crypto] ipsec sa peer
  no crypto ipsec transform-set transform-set-name

Show command options
  show crypto ipsec security-association lifetime
  show crypto ipsec transform-set [tag transform-set-name]
  show crypto ipsec sa [map map-name | address | identity] [detail]

Show command output
  show crypto ipsec security-association lifetime: Displays the security-association lifetime value configured for a particular crypto map entry.
  show crypto ipsec transform-set: Displays the configured transform sets.
  show crypto ipsec sa: Displays the settings used by current security associations.

Syntax Description

address: (Optional) Show all of the existing security associations, sorted by the destination address (either the local address or the address of the remote IPSec peer) and then by protocol (AH or ESP).
destination-address: Specify the IP address of your peer or the remote peer.
detail: (Optional) Show detailed error counters.
identity: (Optional) Show only the flow information. It does not show the security association information.
kilobytes kilobytes: Specify the volume of traffic (in kilobytes) that can pass between IPSec peers using a given security association before that security association expires. The default is 4,608,000 kilobytes (10 megabytes per second for one hour).
map map-name: The name of the crypto map set.
mode transport: Specifies the transform set to accept transport mode requests in addition to the tunnel mode request.
protocol: Specify either the AH or ESP protocol.
seconds seconds: Specify the number of seconds a security association will live before it expires. The default is 28,800 seconds (eight hours).
seq-num: The number you assign to the crypto map entry.
spi: Specify the Security Parameter Index (SPI), a number that is used to uniquely identify a security association. The SPI is an arbitrary number you assign in the range of 256 to 4,294,967,295 (a hexadecimal value of FFFF FFFF).
tag transform-set-name: (Optional) Show only the transform sets with the specified transform-set-name.
transform1 transform2 transform3: Specify up to three transforms. Transforms define the IPSec security protocol(s) and algorithm(s). Each transform represents an IPSec security protocol (ESP, AH, or both) plus the algorithm you want to use.
transform-set-name: Specify the name of the transform set to create or modify.

Usage Guidelines

The sections that follow describe each crypto ipsec command.


crypto ipsec security-association lifetime

The crypto ipsec security-association lifetime command is used to change global lifetime values used when negotiating IPSec security associations. To reset a lifetime to the default value, use the no crypto ipsec security-association lifetime command. The show crypto ipsec security-association lifetime command lets you view the security-association lifetime value configured for a particular crypto map entry.

IPSec security associations use shared secret keys. These keys and their security associations time out together. Assuming that the particular crypto map entry does not have lifetime values configured, when the PIX Firewall requests new security associations during security association negotiation, it will specify its global lifetime value in the request to the peer; it will use this value as the lifetime of the new security associations. When the PIX Firewall receives a negotiation request from the peer, it will use the smaller of the lifetime value proposed by the peer or the locally configured lifetime value as the lifetime of the new security associations.

There are two lifetimes: a timed lifetime and a traffic-volume lifetime. The security association expires after the first of these lifetimes is reached.

If you change a global lifetime, the change is only applied when the crypto map entry does not have a lifetime value specified. The change will not be applied to existing security associations, but will be used in subsequent negotiations to establish new security associations. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear [crypto] ipsec sa command. See the clear [crypto] ipsec sa command for more information.

To change the global timed lifetime, use the crypto ipsec security-association lifetime seconds command. The timed lifetime causes the security association to time out after the specified number of seconds have passed.

To change the global traffic-volume lifetime, use the crypto ipsec security-association lifetime kilobytes command. The traffic-volume lifetime causes the security association to time out after the specified amount of traffic (in kilobytes) has been protected by the security association's key.

Shorter lifetimes can make it harder to mount a successful key recovery attack, because the attacker has less data encrypted under the same key to work with. However, shorter lifetimes require more CPU processing time for establishing new security associations.

The lifetime values are ignored for manually established security associations (security associations installed using an ipsec-manual crypto map command entry).

The security association (and corresponding keys) will expire according to whichever occurs sooner, either after the number of seconds has passed (specified by the seconds keyword) or after the amount of traffic in kilobytes has passed (specified by the kilobytes keyword).

A new security association is negotiated before the lifetime threshold of the existing security association is reached, to ensure that a new security association is ready for use when the old one expires. The new security association is negotiated either 30 seconds before the seconds lifetime expires or when the volume of traffic through the tunnel reaches 256 kilobytes less than the kilobytes lifetime (whichever occurs first). If no traffic has passed through the tunnel during the entire life of the security association, a new security association is not negotiated when the lifetime expires. Instead, a new security association will be negotiated only when IPSec sees another packet that should be protected.
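The lifetime rules above, modelled as an added Python illustration. It is not PIX code: the LifetimePolicy and SecurityAssociation names and the integer-seconds model clock are assumptions; the numbers (defaults of 28,800 seconds and 4,608,000 kilobytes, rekey 30 seconds or 256 kilobytes before expiry, the smaller of the two proposed values when the peer initiates, no rekey of an idle SA) are the ones the text gives.

```python
"""Model of the IPSec security association lifetime rules described above.

Added illustration, not PIX code.  The LifetimePolicy / SecurityAssociation
names and the integer-seconds clock are assumptions; the numbers (defaults
of 28,800 seconds and 4,608,000 kilobytes, rekey 30 seconds or 256 kilobytes
before expiry, the smaller of the proposed values) are the ones the text gives.
"""
from dataclasses import dataclass
from typing import Optional

DEFAULT_SECONDS = 28_800          # eight hours
DEFAULT_KILOBYTES = 4_608_000     # 10 megabytes per second for one hour
REKEY_SECONDS_BEFORE = 30
REKEY_KILOBYTES_BEFORE = 256


@dataclass
class LifetimePolicy:
    seconds: int = DEFAULT_SECONDS
    kilobytes: int = DEFAULT_KILOBYTES


def effective_policy(global_policy: LifetimePolicy,
                     entry_policy: Optional[LifetimePolicy]) -> LifetimePolicy:
    """A 'set security-association lifetime' on the crypto map entry wins;
    otherwise the global lifetime is what the PIX proposes."""
    return entry_policy if entry_policy is not None else global_policy


def negotiate(local: LifetimePolicy, proposed_by_peer: LifetimePolicy) -> LifetimePolicy:
    """When the peer initiates, each lifetime of the new SA is the smaller of
    the peer's proposal and the local value."""
    return LifetimePolicy(seconds=min(local.seconds, proposed_by_peer.seconds),
                          kilobytes=min(local.kilobytes, proposed_by_peer.kilobytes))


@dataclass
class SecurityAssociation:
    lifetime: LifetimePolicy
    established_at: int            # seconds on the model clock
    kilobytes_protected: int = 0   # traffic protected under this SA's key

    def seconds_left(self, now: int) -> int:
        return self.lifetime.seconds - (now - self.established_at)

    def kilobytes_left(self) -> int:
        return self.lifetime.kilobytes - self.kilobytes_protected

    def expired(self, now: int) -> bool:
        # The SA (and its keys) expire when the FIRST of the two lifetimes is reached.
        return self.seconds_left(now) <= 0 or self.kilobytes_left() <= 0

    def rekey_due(self, now: int) -> bool:
        """A replacement SA is negotiated 30 s before the timed lifetime or
        256 KB before the volume lifetime, whichever comes first, but only if
        traffic has passed: an idle SA lapses, and a new one is negotiated
        when the next packet that needs protection appears."""
        if self.kilobytes_protected == 0:
            return False
        return (self.seconds_left(now) <= REKEY_SECONDS_BEFORE
                or self.kilobytes_left() <= REKEY_KILOBYTES_BEFORE)


if __name__ == "__main__":
    # The example below: lifetimes shortened to 2700 seconds and 2,304,000 kilobytes.
    shortened = LifetimePolicy(seconds=2700, kilobytes=2_304_000)
    sa = SecurityAssociation(shortened, established_at=0, kilobytes_protected=1_000)
    print("rekey due at t=2670:", sa.rekey_due(2670), "expired at t=2700:", sa.expired(2700))
```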

Examples

This example shortens both lifetimes, because the administrator feels there is a higher risk that the keys could be compromised. The timed lifetime is shortened to 2700 seconds (45 minutes), and the traffic-volume lifetime is shortened to 2,304,000 kilobytes (10 megabytes per second for one half hour).
crypto ipsec security-association lifetime seconds 2700 crypto ipsec security-association lifetime kilobytes 2304000

The following is sample output for the show crypto ipsec security-association lifetime command:
show crypto ipsec security-association lifetime Security-association lifetime: 4608000 kilobytes/120 seconds

The following configuration was in effect when the preceding show crypto ipsec security-association lifetime command was issued:
crypto ipsec security-association lifetime seconds 120

crypto ipsec transform-set

The crypto ipsec transform-set command defines a transform set. To delete a transform set, use the no crypto ipsec transform-set command. To view the configured transform sets, use the show crypto ipsec transform-set command.

A transform set specifies one or two IPSec security protocols (either ESP or AH or both) and specifies which algorithms to use with the selected security protocol. During the IPSec security association negotiation, the peers agree to use a particular transform set when protecting a particular data flow.

You can configure multiple transform sets, and then specify one or more of these transform sets in a crypto map entry. The transform set defined in the crypto map entry is used in the IPSec security association negotiation to protect the data flows specified by that crypto map entry's access list. During the negotiation, the peers search for a transform set that is the same at both peers. When such a transform set is found, it is selected and is applied to the protected traffic as part of both peers' IPSec security associations.

When security associations are established manually, a single transform set must be used. The transform set is not negotiated.

Before a transform set can be included in a crypto map entry, it must be defined using the crypto ipsec transform-set command. To define a transform set, you specify one to three transforms; each transform represents an IPSec security protocol (ESP or AH) plus the algorithm you want to use. When the particular transform set is used during negotiations for IPSec security associations, the entire transform set (the combination of protocols, algorithms, and other settings) must match a transform set at the remote peer.

In a transform set you can specify the AH protocol, the ESP protocol, or both. If you specify an ESP protocol in a transform set, you can specify just an ESP encryption transform or both an ESP encryption transform and an ESP authentication transform. Examples of acceptable transform combinations are as follows:

  ah-md5-hmac
  esp-des
  esp-des and esp-md5-hmac
  ah-sha-hmac and esp-des and esp-sha-hmac

If one or more transforms are specified in the crypto ipsec transform-set command for an existing transform set, the specified transforms will replace the existing transforms for that transform set. If you change a transform set definition, the change is only applied to crypto map entries that reference the transform set. The change will not be applied to existing security associations, but will be used in subsequent negotiations to establish new security associations. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear [crypto] ipsec sa command. For more information about transform sets, see Chapter 4, "Basic VPN Configuration," in the Cisco PIX Firewall and VPN Configuration Guide.

This example defines one transform set (named standard), which will be used with an IPSec peer that supports the ESP protocol. Both an ESP encryption transform and an ESP authentication transform are specified in this example.
crypto ipsec transform-set standard esp-des esp-md5-hmac

The following is sample output for the show crypto ipsec transform-set command:
show crypto ipsec transform-set
Transform set combined-des-sha: { esp-des esp-sha-hmac }
   will negotiate = { Tunnel, },
Transform set combined-des-md5: { esp-des esp-md5-hmac }
   will negotiate = { Tunnel, },
Transform set t1: { esp-des esp-md5-hmac }
   will negotiate = { Tunnel, },
Transform set t100: { ah-sha-hmac }
   will negotiate = { Tunnel, },
Transform set t2: { ah-sha-hmac }
   will negotiate = { Tunnel, },
   { esp-des }
   will negotiate = { Tunnel, },

The following configuration was in effect when the preceding show crypto ipsec transform-set command was issued:
crypto ipsec transform-set combined-des-sha esp-des esp-sha-hmac
crypto ipsec transform-set combined-des-md5 esp-des esp-md5-hmac
crypto ipsec transform-set t1 esp-des esp-md5-hmac
crypto ipsec transform-set t100 ah-sha-hmac
crypto ipsec transform-set t2 ah-sha-hmac esp-des
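A parser for transform-set configuration lines, a check of the combination rules given above, and the "identical at both peers" match, as an added Python example that is not PIX code. The function names and PEER_CONFIG are assumptions; SAMPLE_CONFIG is the configuration just shown. esp-3des and esp-null are taken here as the transform names for the 3DES and NULL ciphers the syntax description mentions, so that the known-transform check covers them.

```python
"""Transform-set validation, parsing and the 'identical at both peers'
match described above.  Added illustration, not PIX code: the function
names and PEER_CONFIG are assumptions; SAMPLE_CONFIG is the configuration
shown above.  esp-3des and esp-null are taken here as the transform names
for the 3DES and NULL ciphers the syntax description mentions.
"""
AH_TRANSFORMS = {"ah-md5-hmac", "ah-sha-hmac"}
ESP_CIPHERS = {"esp-des", "esp-3des", "esp-null"}
ESP_AUTH = {"esp-md5-hmac", "esp-sha-hmac"}


def validate_transform_set(transforms):
    """Return the list of problems with a proposed transform set (empty when
    acceptable): one to three known transforms, at most one AH, one ESP
    encryption and one ESP authentication transform, and ESP authentication
    only alongside ESP encryption (the combinations listed above)."""
    problems = []
    if not 1 <= len(transforms) <= 3:
        problems.append("one to three transforms are required")
    unknown = [t for t in transforms if t not in AH_TRANSFORMS | ESP_CIPHERS | ESP_AUTH]
    if unknown:
        problems.append("unknown transform(s): " + ", ".join(unknown))
    ah = [t for t in transforms if t in AH_TRANSFORMS]
    cipher = [t for t in transforms if t in ESP_CIPHERS]
    auth = [t for t in transforms if t in ESP_AUTH]
    if len(ah) > 1 or len(cipher) > 1 or len(auth) > 1:
        problems.append("at most one transform per role (AH, ESP encryption, ESP authentication)")
    if auth and not cipher:
        problems.append("an ESP authentication transform requires an ESP encryption transform")
    return problems


def parse_transform_sets(config_text):
    """Read 'crypto ipsec transform-set NAME t1 [t2 [t3]]' lines, plus the
    optional '... NAME mode transport' line, into
    {name: {"transforms": [...], "mode": "Tunnel" | "Transport"}}."""
    sets = {}
    for line in config_text.splitlines():
        words = line.split()
        if words[:3] != ["crypto", "ipsec", "transform-set"] or len(words) < 5:
            continue
        entry = sets.setdefault(words[3], {"transforms": [], "mode": "Tunnel"})
        if words[4:6] == ["mode", "transport"]:
            entry["mode"] = "Transport"          # the default is tunnel mode
        else:
            entry["transforms"] = words[4:]
    return sets


def negotiate_transform_set(candidates, local_sets, peer_sets):
    """Walk the transform sets named on the crypto map entry in order and
    return (local_name, peer_name) for the first whose transforms and mode
    are identical to one of the peer's sets; None when nothing matches."""
    for name in candidates:
        mine = local_sets[name]
        for peer_name, theirs in peer_sets.items():
            if (sorted(mine["transforms"]) == sorted(theirs["transforms"])
                    and mine["mode"] == theirs["mode"]):
                return name, peer_name
    return None


# The configuration shown above.
SAMPLE_CONFIG = """\
crypto ipsec transform-set combined-des-sha esp-des esp-sha-hmac
crypto ipsec transform-set combined-des-md5 esp-des esp-md5-hmac
crypto ipsec transform-set t1 esp-des esp-md5-hmac
crypto ipsec transform-set t100 ah-sha-hmac
crypto ipsec transform-set t2 ah-sha-hmac esp-des
"""

# Constructed peer configuration for the negotiation demonstration.
PEER_CONFIG = """\
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto ipsec transform-set legacy esp-des esp-md5-hmac
"""

if __name__ == "__main__":
    local = parse_transform_sets(SAMPLE_CONFIG)
    for name, spec in local.items():
        print(name, spec, validate_transform_set(spec["transforms"]) or "ok")
    print(negotiate_transform_set(["t100", "t1"], local, parse_transform_sets(PEER_CONFIG)))
```

With the candidates t100 and t1 the match is (t1, legacy): t100 (AH only) has no counterpart at the peer, so the negotiation moves on to the next set on the entry, and a set that differs only in mode (transport versus tunnel) does not match at all.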

crypto ipsec transform-set transform-set-name mode transport

This command specifies IPSec transport mode for a transform set. The Windows 2000 L2TP/IPSec client uses IPSec transport mode, so transport mode must be selected on the transform set. The default is tunnel mode. For PIX Firewall version 6.0 and higher, L2TP is the only protocol that can use the IPSec transport mode. All other types of packets using IPSec transport mode will be discarded by the PIX Firewall. Use the no form of the command to reset the mode to the default value of tunnel mode.


Note

A transport mode transform can only be used on a dynamic crypto map, and the PIX Firewall CLI will display an error if you attempt to tie a transport-mode transform to a static crypto map.
clear [crypto] ipsec sa

The clear [crypto] ipsec sa command allows you to delete IPSec security associations. The keyword crypto is optional. If the security associations were established via IKE, they are deleted and future IPSec traffic will require new security associations to be negotiated. (When IKE is used, the IPSec security associations are established only when needed.) If the security associations are manually established, the security associations are deleted and reinstalled. (When IKE is not used, the IPSec security associations are created as soon as the configuration is completed.) If the peer, map, entry, or counters keywords are not used, all IPSec security associations will be deleted.

The peer keyword deletes any IPSec security associations for the specified peer. The map keyword deletes any IPSec security associations for the named crypto map set. The entry keyword deletes the IPSec security association with the specified address, protocol, and SPI. If any of the previous commands cause a particular security association to be deleted, all the sibling security associations (those that were established during the same IKE negotiation) are deleted as well. The counters keyword simply clears the traffic counters maintained for each security association; it does not clear the security associations themselves.
If you make configuration changes that affect security associations, these changes will not apply to existing security associations but to negotiations for subsequent security associations. You can use the clear [crypto] ipsec sa command to restart all security associations so they will use the most current configuration settings. In the case of manually established security associations, if you make changes that affect security associations you must use the clear [crypto] ipsec sa command before the changes take effect.

Note

If you make significant changes to an IPSec configuration such as access-list or peers, the clear [crypto] ipsec sa command will not be enough to activate the new configuration. In such a case, rebind the crypto map to the interface with the crypto map interface command. If the PIX Firewall is processing active IPSec traffic, we recommend that you only clear the portion of the security association database that is affected by the changes to avoid causing active IPSec traffic to temporarily fail. The clear [crypto] ipsec sa command only clears IPSec security associations; to clear IKE security associations, use the clear [crypto] isakmp sa command.


The following example clears (and reinitializes if appropriate) all IPSec security associations at the PIX Firewall:
clear crypto ipsec sa

The following example clears (and reinitializes if appropriate) the inbound and outbound IPSec security associations established along with the security association established for address 10.0.0.1 using the AH protocol with the SPI of 256:
clear crypto ipsec sa entry 10.0.0.1 AH 256

show crypto ipsec sa

The show crypto ipsec sa command allows you to view the settings used by current security associations. If no keyword is used, all security associations are displayed. They are sorted first by interface, and then by traffic flow (for example, source/destination address, mask, protocol, port). Within a flow, the security associations are listed by protocol (ESP/AH) and direction (inbound/outbound).

Note

While entering the show crypto ipsec sa command, if the screen display is stopped with the More prompt and the security association lifetime expires while the screen display is stopped, then the subsequent display information may refer to a stale security association. Assume that the security association lifetime values that display are invalid.

Output of the show crypto ipsec sa command lists the PCP protocol. This is a compression protocol supplied with the Cisco IOS software code on which the PIX Firewall IPSec implementation is based; however, the PIX Firewall does not support the PCP protocol.

The following is sample output for the show crypto ipsec sa command:
show crypto ipsec sa
interface: outside
    Crypto map tag: firewall-alice, local addr. 172.21.114.123
   local  ident (addr/mask/prot/port): (172.21.114.123/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.21.114.67/255.255.255.255/0/0)
   current_peer: 172.21.114.67
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify 10
    #send errors 10, #recv errors 0
     local crypto endpt.: 172.21.114.123, remote crypto endpt.: 172.21.114.67
     path mtu 1500, media mtu 1500
     current outbound spi: 20890A6F
     inbound esp sas:
      spi: 0x257A1039(628756537)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 26, crypto map: firewall-alice
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     outbound esp sas:
      spi: 0x20890A6F(545852015)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 27, crypto map: firewall-alice
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
     outbound ah sas:
interface: inside
    Crypto map tag: firewall-alice, local addr. 172.21.114.123
   local  ident (addr/mask/prot/port): (172.21.114.123/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.21.114.67/255.255.255.255/0/0)
   current_peer: 172.21.114.67
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify 10
    #send errors 10, #recv errors 0
     local crypto endpt.: 172.21.114.123, remote crypto endpt.: 172.21.114.67
     path mtu 1500, media mtu 1500
     current outbound spi: 20890A6F
     inbound esp sas:
      spi: 0x257A1039(628756537)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 26, crypto map: firewall-alice
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     outbound esp sas:
      spi: 0x20890A6F(545852015)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 27, crypto map: firewall-alice
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
     outbound ah sas:
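A parser for the output just shown, as an added Python example that is not PIX or Cisco code. It reads the outside-interface block (embedded from the sample above), recovers each SA's SPI, transform, remaining lifetime and replay-detection flag, cross-checks the hexadecimal and decimal SPI forms, and reports what an operator looks for in a snapshot: send errors on a flow, replay detection switched off, and SAs inside the 30-second / 256-kilobyte rekey window described under crypto ipsec security-association lifetime. The function names and the use of the rekey window as an alert threshold are assumptions made for this example.

```python
"""Parser and health checks for 'show crypto ipsec sa' output.

Added illustration, not Cisco code.  SAMPLE_OUTPUT is the outside-interface
block from the output above; the function names and the use of the rekey
window (30 s / 256 KB) as an alert threshold are assumptions.
"""
import re

SAMPLE_OUTPUT = """\
interface: outside
    Crypto map tag: firewall-alice, local addr. 172.21.114.123
   local  ident (addr/mask/prot/port): (172.21.114.123/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.21.114.67/255.255.255.255/0/0)
   current_peer: 172.21.114.67
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify 10
    #send errors 10, #recv errors 0
     local crypto endpt.: 172.21.114.123, remote crypto endpt.: 172.21.114.67
     path mtu 1500, media mtu 1500
     current outbound spi: 20890A6F
     inbound esp sas:
      spi: 0x257A1039(628756537)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 26, crypto map: firewall-alice
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     outbound esp sas:
      spi: 0x20890A6F(545852015)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 27, crypto map: firewall-alice
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
     outbound ah sas:
"""

PEER_RE = re.compile(r"current_peer:\s*(\S+)")
ERRORS_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")
SAS_HDR_RE = re.compile(r"(inbound|outbound) (esp|ah) sas:")
SPI_RE = re.compile(r"spi:\s*0x([0-9A-Fa-f]+)\((\d+)\)")
TIMING_RE = re.compile(r"remaining key lifetime \(k/sec\): \((\d+)/(\d+)\)")
REKEY_SECONDS, REKEY_KILOBYTES = 30, 256


def parse_show_crypto_ipsec_sa(text):
    """Return (flows, sas): one flow per 'current_peer' block with its error
    counters, one SA per 'spi:' block with transform, remaining lifetime and
    replay flag, each tagged with interface and direction."""
    flows, sas = [], []
    interface = flow = direction = proto = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface:"):
            interface = line.split(":", 1)[1].strip()
        elif PEER_RE.match(line):
            flow = {"interface": interface, "peer": PEER_RE.match(line).group(1),
                    "send_errors": 0, "recv_errors": 0}
            flows.append(flow)
        elif ERRORS_RE.match(line):
            flow["send_errors"], flow["recv_errors"] = map(int, ERRORS_RE.match(line).groups())
        elif SAS_HDR_RE.match(line):
            direction, proto = SAS_HDR_RE.match(line).groups()
        elif SPI_RE.match(line):
            hex_spi, dec_spi = SPI_RE.match(line).groups()
            if int(hex_spi, 16) != int(dec_spi):      # both forms must agree
                raise ValueError("inconsistent SPI line: " + line)
            sas.append({"interface": interface, "peer": flow["peer"], "direction": direction,
                        "protocol": proto, "spi": int(dec_spi), "transform": [],
                        "remaining_kb": None, "remaining_sec": None, "replay": None})
        elif line.startswith("transform:"):
            sas[-1]["transform"] = line[len("transform:"):].strip(" ,").split()
        elif TIMING_RE.search(line):
            kb, sec = map(int, TIMING_RE.search(line).groups())
            sas[-1]["remaining_kb"], sas[-1]["remaining_sec"] = kb, sec
        elif line.startswith("replay detection support:"):
            sas[-1]["replay"] = line.endswith("Y")
    return flows, sas


def findings(flows, sas):
    """Conditions an operator would want flagged from one snapshot."""
    out = []
    for f in flows:
        if f["send_errors"]:
            out.append(f"{f['interface']}: {f['send_errors']} send errors towards {f['peer']}")
    for sa in sas:
        tag = f"{sa['interface']} {sa['direction']} {sa['protocol']} spi 0x{sa['spi']:08X}"
        if sa["replay"] is False:
            out.append(tag + ": replay detection off")
        if sa["remaining_sec"] is not None and (
                sa["remaining_sec"] <= REKEY_SECONDS or sa["remaining_kb"] <= REKEY_KILOBYTES):
            out.append(tag + ": inside the rekey window, a replacement SA is due")
    return out


if __name__ == "__main__":
    for item in findings(*parse_show_crypto_ipsec_sa(SAMPLE_OUTPUT)):
        print(item)
```

On the sample the only finding is the ten send errors on the outside flow; the two SAs still have 90 seconds and 4,607,999 kilobytes left, so neither is inside the rekey window.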


crypto map
Create, modify, view or delete a crypto map entry. Also used to delete a crypto map set. (Configuration mode.)

Configure with the command...
  crypto map map-name client [token] authentication aaa-server-name
  crypto map map-name client configuration address initiate | respond
  crypto map map-name interface interface-name
  crypto map map-name seq-num ipsec-isakmp | ipsec-manual [dynamic dynamic-map-name]
  crypto map map-name seq-num match address acl_name
  crypto map map-name seq-num set peer hostname | ip-address
  crypto map map-name seq-num set pfs [group1 | group2]
  crypto map map-name seq-num set security-association lifetime seconds seconds | kilobytes kilobytes
  crypto map map-name seq-num set session-key inbound | outbound ah spi hex-key-string
  crypto map map-name seq-num set session-key inbound | outbound esp spi cipher hex-key-string [authenticator hex-key-string]
  crypto map map-name seq-num set transform-set transform-set-name1 [... transform-set-name6]

Remove with the command...
  no crypto map map-name client [token] authentication aaa-server-name
  clear crypto map map-name
  no crypto map map-name client configuration address initiate | respond
  clear crypto map map-name
  no crypto map map-name interface interface-name
  clear crypto map map-name
  no crypto map map-name seq-num
  no crypto map map-name seq-num match address acl_name
  no crypto map map-name seq-num set peer hostname | ip-address
  no crypto map map-name seq-num set pfs
  no crypto map map-name seq-num set security-association lifetime seconds seconds | kilobytes kilobytes
  no crypto map map-name seq-num set session-key inbound | outbound ah
  no crypto map map-name seq-num set session-key inbound | outbound esp
  no crypto map map-name seq-num set transform-set transform-set-name1 [... transform-set-name6]

Show command options
  show crypto map [interface interface-name | tag map-name]

Show command output
  Displays the crypto map configuration.


Syntax Description

aaa-server-name: The name of the AAA server that will authenticate the user during IKE authentication. The two AAA server options available are TACACS+ and RADIUS.
acl_name: Identify the named encryption access list. This name should match the name argument of the named encryption access list being matched.
ah: Set the IPSec session key for the AH protocol. Specify ah when the crypto map entry's transform set includes an AH transform. AH protocol provides authentication via MD5-HMAC and SHA-HMAC.
authenticator: (Optional) Indicate that the key string is to be used with the ESP authentication transform. This argument is required only when the crypto map entry's transform set includes an ESP authentication transform.
cipher: Indicate that the key string is to be used with the ESP encryption transform.
dynamic: (Optional) Specify that this crypto map entry is to reference a pre-existing dynamic crypto map.
dynamic-map-name: (Optional) Specify the name of the dynamic crypto map set to be used as the policy template.
esp: Set the IPSec session key for the ESP protocol. Specify esp when the crypto map entry's transform set includes an ESP transform. ESP protocol provides both authentication and/or confidentiality. Authentication is done via MD5-HMAC, SHA-HMAC and NULL. Confidentiality is done via DES, 3DES, and NULL.
group1: Specify that IPSec should use the 768-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.
group2: Specify that IPSec should use the 1024-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.
hex-key-string: Specify the session key; enter in hexadecimal format. This is an arbitrary hexadecimal string of 16, 32, or 40 digits. If the crypto map's transform set includes the following:
    DES algorithm, specify at least 16 hexadecimal digits per key.
    MD5 algorithm, specify at least 32 hexadecimal digits per key.
    SHA algorithm, specify 40 hexadecimal digits per key.
    Longer key sizes are simply hashed to the appropriate length.
hostname: Specify a peer by its host name. This is the peer's host name concatenated with its domain name. For example, myhost.example.com.
inbound: Set the inbound IPSec session key. (You must set both inbound and outbound keys.)
initiate: Indicate that the PIX Firewall will attempt to set IP addresses for each peer.
interface interface-name: Specify the identifying interface to be used by the PIX Firewall to identify itself to peers. If IKE is enabled, and you are using a certification authority (CA) to obtain certificates, this should be the interface with the address specified in the CA certificates.
ip-address: Specify a peer by its IP address.
ipsec-isakmp: Indicate that IKE will be used to establish the IPSec security associations for protecting the traffic specified by this crypto map entry.
ipsec-manual: Indicate that IKE will not be used to establish the IPSec security associations for protecting the traffic specified by this crypto map entry.
kilobytes kilobytes: Specify the volume of traffic (in kilobytes) that can pass between peers using a given security association before that security association expires. The default is 4,608,000 kilobytes.
map map-name: The name of the crypto map set.
match address: Specify an access list for a crypto map entry.
outbound: Set the outbound IPSec session key. (You must set both inbound and outbound keys.)
respond: Indicate that the PIX Firewall will accept requests for IP addresses from any requesting peer.
seconds seconds: Specify the number of seconds a security association will live before it expires. The default is 28,800 seconds (eight hours).
seq-num: The number you assign to the crypto map entry.
set peer: Specify an IPSec peer in a crypto map entry.
set pfs: Specify that IPSec should ask for perfect forward secrecy (PFS). With PFS, every time a new security association is negotiated, a new Diffie-Hellman exchange occurs. (This exchange requires additional processing time.)
set security-association lifetime: Set the lifetime a security association will last in either seconds or kilobytes. For use with either the seconds or kilobytes keyword.
set session-key: Manually specify the IPSec session keys within a crypto map entry.
set transform-set: Specify which transform sets can be used with the crypto map entry.
spi: Specify the Security Parameter Index (SPI), a number that is used to uniquely identify a security association. The SPI is an arbitrary number you assign in the range of 256 to 4,294,967,295 (a hexadecimal value of FFFF FFFF). You can assign the same SPI to both directions and both protocols. However, not all peers have the same flexibility in SPI assignment. For a given destination address/prot­ocol combination, unique SPI values must be used. The destination address is that of the PIX Firewall if inbound, the peer if outbound.

tag map-name token transform1 transform2 transform3 transform-set-name

(Optional) Show the crypto map set with the specified map name. Indicate a token-based server for user authentication is used. Specify up to three transforms. Transforms define the IPSec security protocol(s) and algorithm(s). Each transform represents an IPSec security protocol (ESP, AH, or both) plus the algorithm you want to use. The name of the transform set. For an ipsec-manual crypto map entry, you can specify only one transform set. For an ipsec-isakmp or dynamic crypto map entry, you can specify up to six transform sets.


Usage Guidelines

The sections that follow describe each crypto map command.

Note

The PIX 506/506E does not support use of the crypto map map-name client authentication aaa-group-tag command. Also, only four ISAKMP peers can be specified for the PIX 506/506E. The Cisco VPN Client version 3.x does not support the crypto map map-name client configuration address initiate | respond command.

crypto map client authentication

The crypto map client authentication command enables the Extended Authentication (Xauth) feature, which lets you prompt for a TACACS+/RADIUS username and password during IKE authentication. You must first have your basic AAA server set up to use this feature. This command tells the PIX Firewall during Phase 1 of IKE to use the Xauth (RADIUS/TACACS+) challenge to authenticate IKE. If the Xauth fails, the IPSec security association will not be established, and the IKE security association will be deleted. Use the no crypto map client authentication command to restore the default value. The Xauth feature is not enabled by default.

Note

Be sure to specify the same AAA server name within the crypto map client authentication command statement as was specified in the aaa-server command statement.

The crypto map client token authentication command enables the PIX Firewall to interoperate with a Cisco VPN 3000 Client that is set up to use a token-based server for user authentication. The keyword token tells the PIX Firewall that the AAA server uses a token-card system and to prompt the user for username and password during IKE authentication. Use the no crypto map client token authentication command to restore the default value.

Note

The remote user must be running one of the following:

- Cisco VPN Client version 3.x
- Cisco VPN 3000 Client version 2.5/2.6 or higher
- Cisco Secure VPN Client version 1.1 or higher

crypto map client configuration address

Use the crypto map client configuration address command to configure the IKE Mode Configuration on your PIX Firewall. IKE Mode Configuration allows the PIX Firewall to download an IP address to the remote peer (client) as part of an IKE negotiation. With the crypto map client configuration address command, you define the crypto map(s) that should attempt to configure the peer. Use the no crypto map client configuration address command to restore the default value. IKE Mode Configuration is not enabled by default. The keyword initiate indicates that the PIX Firewall will attempt to set IP addresses for each peer. The respond keyword indicates that the PIX Firewall will accept requests for IP addresses from any requesting peer.


Note

If you use IKE Mode Configuration on the PIX Firewall, the routers handling the IPSec traffic must also support IKE Mode Configuration. Cisco IOS Release 12.0(6)T and higher supports IKE Mode Configuration. See Chapter 4, "Basic VPN Configuration" of the Cisco PIX Firewall and VPN Configuration Guide for more information about IKE Mode Configuration.

The following examples show how to configure IKE Mode Configuration on your PIX Firewall:

crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond

crypto map interface

The crypto map interface command applies a previously defined crypto map set to an interface. Use the no crypto map interface command to remove the crypto map set from the interface. Use the show crypto map [interface | tag] command to view the crypto map configuration.

Use this command to assign a crypto map set to any active PIX Firewall interface. The PIX Firewall supports IPSec termination on any and all active interfaces. You must assign a crypto map set to an interface before that interface can provide IPSec services. Only one crypto map set can be assigned to an interface. If multiple crypto map entries have the same map-name but a different seq-num, they are considered to be part of the same set and will all be applied to the interface. The crypto map entry with the lowest seq-num is considered the highest priority and will be evaluated first. A single crypto map set can contain a combination of ipsec-isakmp and ipsec-manual crypto map entries.

Note

The use of the crypto map interface command re-initializes the security association database, causing any currently established security associations to be deleted.

The following example assigns the crypto map set mymap to the outside interface. When traffic passes through the outside interface, the traffic will be evaluated against all the crypto map entries in the mymap set. When outbound traffic matches an access list in one of the mymap crypto map entries, a security association (if IPSec) will be established per that crypto map entry's configuration (if no security association or connection already exists).
crypto map mymap interface outside

The following is sample output from the show crypto map command:
show crypto map
Crypto Map: "firewall-alice" pif: outside local address: 172.21.114.123
Crypto Map "firewall-alice" 10 ipsec-isakmp
        Peer = 172.21.114.67
        access-list 141 permit ip host 172.21.114.123 host 172.21.114.67
        Current peer: 172.21.114.67
        Security-association lifetime: 4608000 kilobytes/120 seconds
        PFS (Y/N): N
        Transform sets={ t1, }


The following configuration was in effect when the preceding show crypto map command was issued:
crypto map firewall-alice 10 ipsec-isakmp
crypto map firewall-alice 10 set peer 172.21.114.67
crypto map firewall-alice 10 set transform-set t1
crypto map firewall-alice 10 match address 141

The following is sample output for the show crypto map command when manually established security associations are used:
show crypto map
Crypto Map "multi-peer" 20 ipsec-manual
        Peer = 172.21.114.67
        access-list 120 permit ip host 1.1.1.1 host 1.1.1.2
        Current peer: 172.21.114.67
        Transform sets={ t2, }
        Inbound esp spi: 0, cipher key: , auth_key: ,
        Inbound ah spi: 256, key: 010203040506070809010203040506070809010203040506070809,
        Outbound esp spi: 0 cipher key: , auth key: ,
        Outbound ah spi: 256, key: 010203040506070809010203040506070809010203040506070809,

The following configuration was in effect when the preceding show crypto map command was issued:
crypto map multi-peer 20 ipsec-manual
crypto map multi-peer 20 set peer 172.21.114.67
crypto map multi-peer 20 set session-key inbound ah 256 010203040506070809010203040506070809010203040506070809
crypto map multi-peer 20 set session-key outbound ah 256 010203040506070809010203040506070809010203040506070809
crypto map multi-peer 20 set transform-set t2
crypto map multi-peer 20 match address 120

crypto map ipsec-manual | ipsec-isakmp

To create or modify a crypto map entry, use the crypto map ipsec-manual | ipsec-isakmp command. To create or modify an ipsec-manual crypto map entry, use the ipsec-manual option of the command. To create or modify an ipsec-isakmp crypto map entry, use the ipsec-isakmp option of the command. Use the no crypto map command to delete a crypto map entry or set.

Note

The crypto map command without a keyword creates an ipsec-isakmp entry by default.

After you define crypto map entries, you can use the crypto map interface command to assign the crypto map set to interfaces. Crypto maps provide two functions: filtering/classifying traffic to be protected, and defining the policy to be applied to that traffic. The first use affects the flow of traffic on an interface; the second affects the negotiation performed (via IKE) on behalf of that traffic. IPSec crypto maps link together definitions of the following:

- What traffic should be protected
- Which IPSec peer(s) the protected traffic can be forwarded to (these are the peers with which a security association can be established)
- Which transform sets are acceptable for use with the protected traffic
- How keys and security associations should be used/managed (or what the keys are, if IKE is not used)

A crypto map set is a collection of crypto map entries each with a different seq-num but the same map-name. Therefore, for a given interface, you could have certain traffic forwarded to one peer with specified security applied to that traffic, and other traffic forwarded to the same or a different peer with different IPSec security applied. To accomplish this you would create two crypto map entries, each with the same map-name, but each with a different seq-num. The number you assign to the seq-num argument should not be arbitrary. This number is used to rank multiple crypto map entries within a crypto map set. Within a crypto map set, a crypto map entry with a lower seq-num is evaluated before a map entry with a higher seq-num; that is, the map entry with the lower number has a higher priority. The following example shows the minimum required crypto map configuration when IKE will be used to establish the security associations:
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set transform-set my_t_set1
crypto map mymap 10 set peer 10.0.0.1

The following example shows the minimum required crypto map configuration when the security associations are manually established:
crypto ipsec transform-set someset ah-md5-hmac esp-des
crypto map mymap 10 ipsec-manual
crypto map mymap 10 match address 102
crypto map mymap 10 set transform-set someset
crypto map mymap 10 set peer 10.0.0.5
crypto map mymap 10 set session-key inbound ah 256 98765432109876549876543210987654
crypto map mymap 10 set session-key outbound ah 256 fedcbafedcbafedcfedcbafedcbafedc
crypto map mymap 10 set session-key inbound esp 256 cipher 0123456789012345
crypto map mymap 10 set session-key outbound esp 256 cipher abcdefabcdefabcd

crypto map ipsec-isakmp dynamic

To specify that a given crypto map entry is to reference a pre-existing dynamic crypto map, use the crypto map ipsec-isakmp dynamic command. Use the crypto dynamic-map command to create dynamic crypto map entries. After you create a dynamic crypto map set, use the crypto map ipsec-isakmp dynamic command to add the dynamic crypto map set to a static crypto map.

Give crypto map entries which reference dynamic map sets the lowest priority so that inbound security association negotiation requests will try to match the static maps first. Only after the request does not match any of the static maps do you want it to be evaluated against the dynamic map set. To make a crypto map entry that references a dynamic crypto map the lowest priority map entry, give the map entry the highest seq-num of all the map entries in the crypto map set.

The following example configures an IPSec crypto map set that includes a reference to a dynamic crypto map set. Crypto map mymap 10 allows security associations to be established between the PIX Firewall and either (or both) of two remote IPSec peers for traffic matching access list 101. Crypto map mymap 20 allows either of two transform sets to be negotiated with the peer for traffic matching access list 102. Crypto map entry mymap 30 references the dynamic crypto map set mydynamicmap, which can be used to process inbound security association negotiation requests that do not match mymap entries 10 or 20. In this case, if the peer specifies a transform set that matches one of the transform sets specified in mydynamicmap for a flow permitted by the access list 103, IPSec will accept the request and set up security associations with the peer without previously knowing about the peer. If accepted, the resulting security associations (and temporary crypto map entry) are established according to the settings specified by the peer.

The access list associated with mydynamicmap 10 is also used as a filter. Inbound packets that match a permit statement in this list are dropped for not being IPSec protected. (The same is true for access lists associated with static crypto map entries.) Outbound packets that match a permit statement without an existing corresponding IPSec security association are also dropped.

The following example shows the configuration using mydynamicmap:
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set transform-set my_t_set1
crypto map mymap 10 set peer 10.0.0.1
crypto map mymap 10 set peer 10.0.0.2
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address 102
crypto map mymap 20 set transform-set my_t_set1 my_t_set2
crypto map mymap 20 set peer 10.0.0.3
crypto dynamic-map mydynamicmap 10
crypto dynamic-map mydynamicmap 10 match address 103
crypto dynamic-map mydynamicmap 10 set transform-set my_t_set1 my_t_set2 my_t_set3
crypto map mymap 30 ipsec-isakmp dynamic mydynamicmap
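The ranking described above, as an added Python model rather than PIX code: entries are consulted in seq-num order, so mymap 30 and its dynamic map are reached only after mymap 10 and 20 decline, an outbound packet that falls to a dynamic entry without an existing SA is dropped, and the responder-side transform set choice follows the first-match rule given later under crypto map set transform-set. Access lists 101 to 103 are not shown on the page, so their contents are constructed; letting a peer that a static entry does not list fall through to the dynamic entry is an assumption of the model.

```python
# Added model of how a crypto map set ranks its entries (not PIX code). Entries are
# tried in ascending seq-num, so the lowest number has the highest priority and the
# entry that references the dynamic map, given the highest seq-num, is reached only
# when no static entry claims the request. Access lists 101-103 are not on the page;
# their contents below are constructed.
import ipaddress
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Flow:
    src: str  # protected (local) host, as the crypto access list sees an outbound packet
    dst: str  # remote host

@dataclass
class Entry:
    seq: int
    acl: str                  # crypto access list of this entry (match address)
    tsets: list               # set transform-set, in local priority order
    peers: list = field(default_factory=list)  # set peer; empty for the dynamic entry
    dynamic: bool = False     # entry references a dynamic crypto map

def net(cidr):
    return ipaddress.ip_network(cidr)

# Constructed crypto access lists: each tuple is one "permit ip <src> <dst>" line.
ACLS = {
    "101": [(net("10.1.1.0/24"), net("10.2.1.0/24"))],
    "102": [(net("10.1.2.0/24"), net("10.2.2.0/24"))],
    "103": [(net("10.1.0.0/16"), net("0.0.0.0/0"))],  # remote side unknown in advance
}

# The page's mymap / mydynamicmap example, expressed as data.
MYMAP = [
    Entry(10, "101", ["my_t_set1"], peers=["10.0.0.1", "10.0.0.2"]),
    Entry(20, "102", ["my_t_set1", "my_t_set2"], peers=["10.0.0.3"]),
    Entry(30, "103", ["my_t_set1", "my_t_set2", "my_t_set3"], dynamic=True),
]

def acl_permits(acl_name, flow):
    """True when some permit line of the crypto access list covers the flow."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    return any(src in s and dst in d for s, d in ACLS[acl_name])

def negotiate_transform_set(local_order, peer_proposal):
    """Responder rule from the set transform-set guidelines: accept the first of the
    peer's proposals that is also in the local list; None means no SA can be built."""
    return next((ts for ts in peer_proposal if ts in local_order), None)

def evaluate_request(crypto_map, peer, flow, peer_proposal):
    """Inbound SA negotiation request: (seq-num, transform set) of the entry that
    serves it, or (None, reason). Static entries come first because they carry the
    lower seq-nums; a static entry serves only peers listed with set peer (assumption:
    others fall through to the dynamic entry, which needs no known peer)."""
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        if not acl_permits(entry.acl, flow):
            continue
        if not entry.dynamic and peer not in entry.peers:
            continue
        ts = negotiate_transform_set(entry.tsets, peer_proposal)
        if ts is None:
            return None, f"entry {entry.seq} matched the flow but shares no transform set"
        return entry.seq, ts
    return None, "no crypto map entry permits this flow"

def classify_outbound(crypto_map, flow, has_sa):
    """Outbound packet: the first entry whose access list permits the flow owns it.
    Without an existing SA a static entry triggers negotiation, while a dynamic
    entry drops the packet (the filter behaviour described for mydynamicmap)."""
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        if not acl_permits(entry.acl, flow):
            continue
        if has_sa:
            return f"protect with entry {entry.seq}"
        if entry.dynamic:
            return "drop: dynamic entry and no existing SA"
        return f"negotiate SA via entry {entry.seq}"
    return "send in the clear"
```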

crypto map match address

To assign an access list to a crypto map entry, use the crypto map match address command. Use the no crypto map match address command to remove the access list from a crypto map entry. This command is required for all static crypto map entries. If you are defining a dynamic crypto map entry (with the crypto dynamic-map command), this command is not required but is strongly recommended. Use the access-list command to define this access list. The access list specified with this command will be used by IPSec to determine which traffic should be protected by IPSec crypto and which traffic does not need protection. (Traffic that is permitted by the access list will be protected. Traffic that is denied by the access list will not be protected in the context of the corresponding crypto map entry.)

Note

The crypto access list is not used to determine whether to permit or deny traffic through the interface. An access list applied directly to the interface with the access-group command makes that determination.

The crypto access list specified by this command is used when evaluating both inbound and outbound traffic. Outbound traffic is evaluated against the crypto access lists specified by the interface's crypto map entries to determine if it should be protected by crypto, and if so (if traffic matches a permit entry), which crypto policy applies. (If necessary, in the case of static IPSec crypto maps, new security associations are established using the data flow identity as specified in the permit entry; in the case of dynamic crypto map entries, if no security association exists, the packet is dropped.) Inbound traffic is evaluated against the crypto access lists specified by the entries of the interface's crypto map set to determine if it should be protected by crypto and, if so, which crypto policy applies. (In the case of IPSec, unprotected traffic is discarded because it should have been protected by IPSec.)

The access list is also used to identify the flow for which the IPSec security associations are established. In the outbound case, the permit entry is used as the data flow identity (in general). In the inbound case, the data flow identity specified by the peer must be permitted by the crypto access list.


The following example shows the minimum required crypto map configuration when IKE will be used to establish the security associations. (This example is for a static crypto map.)
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set transform-set my_t_set1
crypto map mymap 10 set peer 10.0.0.1

crypto map set peer

Use the crypto map set peer command to specify an IPSec peer in a crypto map entry. Use the no crypto map set peer command to remove an IPSec peer from a crypto map entry. This command is required for all static crypto maps. If you are defining a dynamic crypto map (with the crypto dynamic-map command), this command is not required, and in most cases is not used because, in general, the peer is unknown. For ipsec-isakmp crypto map entries, you can specify multiple peers by repeating this command. The peer that packets are actually sent to is determined by the last peer that the PIX Firewall received either traffic or a negotiation request from for a given data flow. If the attempt fails with the first peer, IKE tries the next peer on the crypto map list. For ipsec-manual crypto entries, you can specify only one peer per crypto map. If you want to change the peer, you must first delete the old peer and then specify the new peer. The following example shows a crypto map configuration when IKE will be used to establish the security associations. In this example, a security association could be set up to either the peer at 10.0.0.1 or the peer at 10.0.0.2.
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set transform-set my_t_set1
crypto map mymap 10 set peer 10.0.0.1 10.0.0.2

crypto map set pfs

The crypto map set pfs command sets IPSec to ask for perfect forward secrecy (PFS) when requesting new security associations for this crypto map entry, or to require PFS when receiving requests for new security associations. To specify that IPSec should not request PFS, use the no crypto map set pfs command. This command is only available for ipsec-isakmp crypto map entries and dynamic crypto map entries. By default, PFS is not requested.

With PFS, every time a new security association is negotiated, a new Diffie-Hellman exchange occurs, which requires additional processing time. PFS adds another level of security because if one key is ever cracked by an attacker, only the data sent with that key will be compromised.

During negotiation, this command causes IPSec to request PFS when requesting new security associations for the crypto map entry. The default (group1) is sent if the set pfs statement does not specify a group. If the peer initiates the negotiation and the local configuration specifies PFS, the peer must perform a PFS exchange or the negotiation will fail. If the local configuration does not specify a group, a default of group1 will be assumed, and an offer of either group1 or group2 will be accepted. If the local configuration specifies group2, that group must be part of the peer's offer or the negotiation will fail. If the local configuration does not specify PFS, it will accept any offer of PFS from the peer. The 1024-bit Diffie-Hellman prime modulus group, group2, provides more security than group1, but requires more processing time than group1.


Note

IKE negotiations with a remote peer may hang when a PIX Firewall has numerous tunnels that originate from the PIX Firewall and terminate on a single remote peer. This problem occurs when PFS is not enabled, and the local peer issues many simultaneous rekey requests. If this problem occurs, the IKE security association will not recover until it has timed out or until you manually clear it with the clear [crypto] isakmp sa command. PIX Firewall units configured with many tunnels to many peers or many clients sharing the same tunnel are not affected by this problem. If your configuration is affected, enable PFS with the crypto map map-name seq-num set pfs command.

The following example specifies that PFS should be used whenever a new security association is negotiated for the crypto map mymap 10:
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 set pfs group2

crypto map set security-association lifetime

To override (for a particular crypto map entry) the global lifetime value, which is used when negotiating IPSec security associations, use the crypto map set security-association lifetime command. To reset a crypto map entry's lifetime value to the global value, use the no crypto map set security-association lifetime command. The crypto map's security associations are negotiated according to the global lifetimes. This command is only available for ipsec-isakmp crypto map entries and dynamic crypto map entries.

IPSec security associations use shared secret keys. These keys and their security associations time out together. Assuming that the particular crypto map entry has lifetime values configured, when the PIX Firewall requests new security associations during security association negotiation, it will specify its crypto map lifetime value in the request to the peer; it will use this value as the lifetime of the new security associations. When the PIX Firewall receives a negotiation request from the peer, it will use the smaller of the lifetime value proposed by the peer or the locally configured lifetime value as the lifetime of the new security associations.

There are two lifetimes: a timed lifetime and a traffic-volume lifetime. The session keys/security association expires after the first of these lifetimes is reached. If you change a lifetime, the change will not be applied to existing security associations, but will be used in subsequent negotiations to establish security associations for data flows supported by this crypto map entry. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear [crypto] ipsec sa command. See the clear [crypto] ipsec sa command for more details.

To change the timed lifetime, use the crypto map set security-association lifetime seconds command. The timed lifetime causes the keys and security association to time out after the specified number of seconds have passed. To change the traffic-volume lifetime, use the crypto map set security-association lifetime kilobytes command. The traffic-volume lifetime causes the key and security association to time out after the specified amount of traffic (in kilobytes) has been protected by the security association's key. Shorter lifetimes can make it harder to mount a successful key recovery attack, because the attacker has less data encrypted under the same key to work with. However, shorter lifetimes require more CPU processing time.


The lifetime values are ignored for manually established security associations (security associations installed via an ipsec-manual crypto map entry). The following example shortens the timed lifetime for a particular crypto map entry, because there is a higher risk that the keys could be compromised for security associations belonging to the crypto map entry. The traffic-volume lifetime is not changed because there is not a high volume of traffic anticipated for these security associations. The timed lifetime is shortened to 2700 seconds (45 minutes).
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 set security-association lifetime seconds 2700

crypto map set session-key

To manually specify the IPSec session keys within a crypto map entry, use the crypto map set session-key command. Use the no crypto map set session-key command to remove IPSec session keys from a crypto map entry. This command is only available for ipsec-manual crypto map entries.

If the crypto map's transform set includes an AH protocol, you must define IPSec keys for AH for both inbound and outbound traffic. If the crypto map's transform set includes an ESP encryption protocol, you must define IPSec keys for ESP encryption for both inbound and outbound traffic. If the crypto map's transform set includes an ESP authentication protocol, you must define IPSec keys for ESP authentication for inbound and outbound traffic.

When you define multiple IPSec session keys within a single crypto map, you can assign the same Security Parameter Index (SPI) number to all the keys. The SPI is used to identify the security association used with the crypto map. However, not all peers have the same flexibility in SPI assignment. You may have to coordinate SPI assignment with the peer's network administrator, making certain that the same SPI is not used more than once for the same destination address/protocol combination.

Security associations established using this command do not expire (unlike security associations established using IKE). The PIX Firewall unit's session keys must match its peer's session keys. If you change a session key, the security association using the key will be deleted and reinitialized.

The following example shows a crypto map entry for manually established security associations. The transform set t_set includes only an AH protocol.
crypto ipsec transform-set t_set ah-sha-hmac
crypto map mymap 20 ipsec-manual
crypto map mymap 20 match address 102
crypto map mymap 20 set transform-set t_set
crypto map mymap 20 set peer 10.0.0.21
crypto map mymap 20 set session-key inbound ah 300 1111111111111111111111111111111111111111
crypto map mymap 20 set session-key outbound ah 300 2222222222222222222222222222222222222222


The following example shows a crypto map entry for manually established security associations. The transform set someset includes both an AH and an ESP protocol, so session keys are configured for both AH and ESP for both inbound and outbound traffic. The transform set includes both encryption and authentication ESP transforms, so session keys are created for both using the cipher and authenticator keywords.
crypto ipsec transform-set someset ah-sha-hmac esp-des esp-sha-hmac
crypto map mymap 10 ipsec-manual
crypto map mymap 10 match address 101
crypto map mymap 10 set transform-set someset
crypto map mymap 10 set peer 10.0.0.1
crypto map mymap 10 set session-key inbound ah 300 9876543210987654321098765432109876543210
crypto map mymap 10 set session-key outbound ah 300 fedcbafedcbafedcbafedcbafedcbafedcbafedc
crypto map mymap 10 set session-key inbound esp 300 cipher 0123456789012345 authenticator 0000111122223333444455556666777788889999
crypto map mymap 10 set session-key outbound esp 300 cipher abcdefabcdefabcd authenticator 9999888877776666555544443333222211110000
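A check of the manual-key rules from the syntax table and the crypto map set session-key guidelines, added here as a Python example (not PIX code): it parses the someset entry above and a constructed faulty entry, and reports missing keys, keys shorter than the DES/MD5/SHA digit minimums and SPIs outside 256 to 4,294,967,295. Holding esp-3des to the DES digit minimum is an assumption, since the page gives no count for 3DES.

```python
# Added check for ipsec-manual crypto map entries (not PIX code). Rules from the syntax
# table and the set session-key guidelines: AH, ESP cipher and ESP authenticator keys are
# each needed inbound and outbound when the transform set carries that transform; DES keys
# need at least 16 hex digits, MD5 32, SHA 40 (longer strings are hashed down); the SPI
# lies in 256..4294967295; an ipsec-manual entry names exactly one transform set.
import re
MIN_HEX_DIGITS = {"des": 16, "md5": 32, "sha": 40}
SPI_MIN, SPI_MAX = 256, 4_294_967_295
TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")

def parse(config_text):
    """Collect transform sets and numbered crypto map entries from config lines."""
    tsets, entries = {}, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = TS_RE.match(line)
        if m:
            tsets[m.group(1)] = m.group(2).split()
            continue
        m = MAP_RE.match(line)
        if not m:
            continue  # unnumbered lines (interface, client ...) play no role here
        ent = entries.setdefault((m.group(1), int(m.group(2))), {"mode": None, "tsets": [], "keys": {}})
        rest = m.group(3).split()
        if rest[0] in ("ipsec-manual", "ipsec-isakmp"):
            ent["mode"] = rest[0]
        elif rest[:2] == ["set", "transform-set"]:
            ent["tsets"] = rest[2:]
        elif rest[:2] == ["set", "session-key"]:
            # ah form: <spi> <hex-key-string>; esp form: <spi> cipher <hex> [authenticator <hex>]
            direction, proto, spi, toks = rest[2], rest[3], int(rest[4]), rest[5:]
            if proto == "ah":
                ent["keys"][(direction, "ah")] = (spi, toks[0])
            for kw, slot in (("cipher", "esp-cipher"), ("authenticator", "esp-auth")):
                if kw in toks:
                    ent["keys"][(direction, slot)] = (spi, toks[toks.index(kw) + 1])
    return tsets, entries

def required_keys(transforms):
    """Map each key slot the transform set demands to the algorithm that sizes it."""
    need = {}
    for t in transforms:
        if t.startswith("ah-"):
            need["ah"] = "md5" if "md5" in t else "sha"
        elif t in ("esp-md5-hmac", "esp-sha-hmac"):
            need["esp-auth"] = "md5" if "md5" in t else "sha"
        elif t in ("esp-des", "esp-3des"):  # assumption: 3des held to the DES minimum; esp-null needs no key
            need["esp-cipher"] = "des"
    return need

def check_manual_entry(tsets, ent):
    """Return the problems found in one crypto map entry (empty list = clean)."""
    if ent["mode"] != "ipsec-manual":
        return ["session keys apply only to ipsec-manual entries"]
    if len(ent["tsets"]) != 1:
        return ["an ipsec-manual entry must name exactly one transform set"]
    name = ent["tsets"][0]
    if name not in tsets:
        return [f"transform set {name} is not defined"]
    problems = []
    for slot, alg in required_keys(tsets[name]).items():
        for direction in ("inbound", "outbound"):
            key = ent["keys"].get((direction, slot))
            if key is None:
                problems.append(f"missing {direction} {slot} key")
                continue
            spi, hexstr = key
            if not SPI_MIN <= spi <= SPI_MAX:
                problems.append(f"{direction} {slot} spi {spi} outside {SPI_MIN}..{SPI_MAX}")
            if len(hexstr) < MIN_HEX_DIGITS[alg]:
                problems.append(f"{direction} {slot} key has {len(hexstr)} hex digits, {alg} needs at least {MIN_HEX_DIGITS[alg]}")
    return problems

def check_config(config_text):
    tsets, entries = parse(config_text)
    return {key: check_manual_entry(tsets, ent) for key, ent in entries.items()}

# The page's someset entry: AH-SHA, ESP-DES and ESP-SHA keys of 40, 16 and 40 digits.
GOOD_CONFIG = """
crypto ipsec transform-set someset ah-sha-hmac esp-des esp-sha-hmac
crypto map mymap 10 ipsec-manual
crypto map mymap 10 set transform-set someset
crypto map mymap 10 set session-key inbound ah 300 9876543210987654321098765432109876543210
crypto map mymap 10 set session-key outbound ah 300 fedcbafedcbafedcbafedcbafedcbafedcbafedc
crypto map mymap 10 set session-key inbound esp 300 cipher 0123456789012345 authenticator 0000111122223333444455556666777788889999
crypto map mymap 10 set session-key outbound esp 300 cipher abcdefabcdefabcd authenticator 9999888877776666555544443333222211110000
"""

# Constructed broken entry: outbound AH key missing, SPI below 256, 12-digit DES key.
BAD_CONFIG = """
crypto ipsec transform-set weakset ah-md5-hmac esp-des
crypto map mymap 20 ipsec-manual
crypto map mymap 20 set transform-set weakset
crypto map mymap 20 set session-key inbound ah 256 98765432109876549876543210987654
crypto map mymap 20 set session-key inbound esp 100 cipher 012345678901
crypto map mymap 20 set session-key outbound esp 256 cipher abcdefabcdefabcd
"""
```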

crypto map set transform-set

To specify which transform sets can be used with the crypto map entry, use the crypto map set transform-set command. Use the no crypto map set transform-set command to remove all transform sets from a crypto map entry. This command is required for all static and dynamic crypto map entries.

For an ipsec-isakmp crypto map entry, you can list up to six transform sets with this command. List the higher priority transform sets first. If the local PIX Firewall initiates the negotiation, the transform sets are presented to the peer in the order specified in the crypto map command statement. If the peer initiates the negotiation, the local PIX Firewall accepts the first transform set that matches one of the transform sets specified in the crypto map entry. The first matching transform set that is found at both peers is used for the security association. If no match is found, IPSec will not establish a security association. The traffic will be dropped because there is no security association to protect the traffic.

For an ipsec-manual crypto map command statement, you can specify only one transform set. If the transform set does not match the transform set at the remote peer's crypto map, the two peers will fail to correctly communicate because the peers are using different rules to process the traffic.

If you want to change the list of transform sets, respecify the new list of transform sets to replace the old list. This change is only applied to crypto map command statements that reference this transform set. The change will not be applied to existing security associations, but will be used in subsequent negotiations to establish new security associations. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear [crypto] ipsec sa command. Any transform sets included in a crypto map command statement must previously have been defined using the crypto ipsec transform-set command.


Examples

The following example shows how the crypto map client authentication command is used. This example sets up the IPSec rules for VPN encryption. The ip, nat, and aaa-server command statements establish the context for the IPSec-related commands.

ip address inside 10.0.0.1 255.255.255.0
ip address outside 168.20.1.5 255.255.255.0
ip local pool dealer 10.1.2.1-10.1.2.254
nat (inside) 0 access-list 80
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.0.0.2 secret123
crypto ipsec transform-set pc esp-des esp-md5-hmac
crypto dynamic-map cisco 4 set transform-set pc
crypto map partner-map 20 ipsec-isakmp dynamic cisco
crypto map partner-map client configuration address initiate
crypto map partner-map client authentication TACACS+
crypto map partner-map interface outside
isakmp key cisco1234 address 0.0.0.0 netmask 0.0.0.0
isakmp client configuration address-pool local dealer outside
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 1
isakmp policy 8 lifetime 86400

The following example shows how the crypto map client token authentication command is used. This example sets up the IPSec rules for VPN encryption IPSec. The ip, nat, aaa-server command statements establish the context for the IPSec-related commands.
ip address inside 10.0.0.1 255.255.255.0 ip address outside 168.20.1.5 255.255.255.0 ip local pool dealer 10.1.2.1-10.1.2.254 nat (inside) 0 access-list 80 aaa-server RADIUS protocol radius aaa-server RADIUS (inside) host 10.0.0.2 secret123 crypto ipsec transform-set pc esp-des esp-md5-hmac crypto dynamic-map cisco 4 set transform-set pc crypto map partner-map 20 ipsec-isakmp dynamic cisco crypto map partner-map client configuration address initiate crypto map partner-map client token authentication RADIUS crypto map partner-map interface outside isakmp key cisco1234 address 0.0.0.0 netmask 0.0.0.0 isakmp client configuration address-pool local dealer outside isakmp policy 8 authentication pre-share isakmp policy 8 encryption des isakmp policy 8 hash md5 isakmp policy 8 group 1 isakmp policy 8 lifetime 86400

The following example defines two transform sets and specifies that they can both be used within a crypto map entry. (This example applies only when IKE is used to establish security associations. With crypto maps used for manually established security associations, only one transform set can be included in a given crypto map command statement.)
crypto ipsec transform-set my_t_set1 esp-des esp-sha-hmac
crypto ipsec transform-set my_t_set2 ah-sha-hmac esp-des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set transform-set my_t_set1 my_t_set2
crypto map mymap 10 set peer 10.0.0.1 10.0.0.2

In this example, when traffic matches access list 101 the security association can use either transform set my_t_set1 (first priority) or my_t_set2 (second priority), depending on which transform set matches the remote peer's transform sets.
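The selection rule described in the usage text (initiator offers its sets in priority order, responder accepts the first one it also has, no match means no security association) is easy to get wrong when both peers list the same sets in different orders. The following Python model is an added example, not code from the PIX command reference; it reuses the set names my_t_set1 and my_t_set2 from the example above, while the third set "pc" and the peer lists are constructed for illustration.

```python
"""Added example (not from the PIX command reference): a model of the
first-match transform-set selection described in the usage guidelines.

A transform set is a frozenset of transform names.  Peers compare whole
sets, so a set with an extra AH transform does not match one without it.
"""

from typing import Optional, Sequence

TransformSet = frozenset

# Limits the text states for one crypto map entry.
MAX_SETS = {"ipsec-isakmp": 6, "ipsec-manual": 1}


def validate_entry(kind: str, sets: Sequence[TransformSet]) -> None:
    """Reject a set list that the crypto map entry type cannot carry."""
    limit = MAX_SETS[kind]
    if not 1 <= len(sets) <= limit:
        raise ValueError(f"{kind} entries take 1 to {limit} transform sets, got {len(sets)}")


def negotiate(initiator: Sequence[TransformSet],
              responder: Sequence[TransformSet]) -> Optional[TransformSet]:
    """Return the transform set the SA will use, or None when nothing matches.

    The initiator offers its sets in configured order; the responder accepts
    the first offer equal to one of its own sets.  The initiator's order
    therefore decides the outcome when several sets are mutually acceptable.
    """
    acceptable = set(responder)
    for proposal in initiator:
        if proposal in acceptable:
            return proposal
    return None            # no SA is built, so the traffic is dropped


def manual_sa_ok(local: TransformSet, remote: TransformSet) -> bool:
    """ipsec-manual entries carry one set each and must match exactly."""
    return local == remote


MY_T_SET1 = frozenset({"esp-des", "esp-sha-hmac"})
MY_T_SET2 = frozenset({"ah-sha-hmac", "esp-des", "esp-sha-hmac"})
PC = frozenset({"esp-des", "esp-md5-hmac"})          # constructed third set
MYMAP_10 = [MY_T_SET1, MY_T_SET2]                     # priority order from the example

if __name__ == "__main__":
    validate_entry("ipsec-isakmp", MYMAP_10)
    # Local PIX initiates: set 1 wins even though the peer lists set 2 first.
    print(sorted(negotiate(MYMAP_10, [MY_T_SET2, MY_T_SET1])))
    # Peer initiates with set 2 first: the local PIX accepts set 2.
    print(sorted(negotiate([MY_T_SET2, MY_T_SET1], MYMAP_10)))
    # Nothing in common: no security association.
    print(negotiate(MYMAP_10, [PC]))
```

The two middle cases in the main block show the asymmetry worth remembering when debugging a tunnel that "works from one side only": the same two configurations yield my_t_set1 or my_t_set2 depending on which peer initiated.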

CHAPTER 5

D through F Commands
debug
You can debug packets or ICMP tracings through the PIX Firewall. The debug command provides information that helps troubleshoot protocols operating with and through the PIX Firewall. (Configuration mode.)

Start logging with the command shown first in each pair; stop logging with the no form shown beneath it.

debug access-list all | standard | turbo
    no debug access-list all | standard | turbo
debug crypto ca [level]
    no debug crypto ca [level]
debug crypto ipsec [level]
    no debug crypto ipsec [level]
debug crypto isakmp [level]
    no debug crypto isakmp [level]
debug dhcpc detail | error | packet
    no debug dhcpc detail | error | packet
debug dhcpd event | packet
    no debug dhcpd event | packet
debug dns {resolver | all}
    no debug dns {resolver | all}
debug fixup {udp | tcp}
    no debug fixup {udp | tcp}
debug fover option
    no debug fover option
debug h323 h225 [asn | event]
    no debug h323 h225 [asn | event]
debug h323 h225 [h245 | ras event | asn]
    no debug h323 h225 [h245 | ras event | asn]
debug h323 h245 [asn | event]
    no debug h323 h245 [asn | event]
debug h323 ras [asn | event]
    no debug h323 ras [asn | event]
debug icmp trace
    no debug icmp trace
debug ils
    no debug ils
debug ntp [adjust | authentication | events | loopfilter | packets | params | select | sync | validity]
    no debug ntp [adjust | authentication | events | loopfilter | packets | params | select | sync | validity]
debug packet if_name [src source_ip [netmask mask]] [dst dest_ip [netmask mask]] [[proto icmp] | [proto tcp [sport src_port] [dport dest_port]] | [proto udp [sport src_port] [dport dest_port]]] [rx | tx | both]
    no debug packet if_name [src source_ip [netmask mask]] [dst dest_ip [netmask mask]] [[proto icmp] | [proto tcp [sport src_port] [dport dest_port]] | [proto udp [sport src_port] [dport dest_port]]] [rx | tx | both]
debug pdm history
    no debug pdm history
debug ppp error | io | uauth | upap | chap | negotiation
    no debug ppp error | io | uauth | upap | chap | negotiation
debug pppoe event | error | packet
    no debug pppoe event | error | packet
debug radius [session | all | user username]
    no debug radius [session | all | user username]
debug rip
    no debug rip
debug route
    no debug route
debug rtsp
    no debug rtsp
debug sip
    no debug sip
debug skinny
    no debug skinny
debug sqlnet
    no debug sqlnet
debug ssh
    no debug ssh
debug ssl [cypher | device]
    no debug ssl [cypher | device]
debug vpdn event | error | packet
    no debug vpdn event | error | packet

Show command options show debug

Show command output Displays the commands currently being debugged.

Syntax Description

access-list
    Displays access list configuration information.
adjust
    Displays NTP clock adjustments.
all
    Displays both standard and TurboACL access list information.
authentication
    Displays NTP clock authentication.
both
    Displays both received and transmitted packets.
chap
    Displays CHAP/MS-CHAP authentication.
crypto ca
    Displays information about certification authority (CA) traffic.
crypto ipsec
    Displays information about IPSec traffic.
crypto isakmp
    Displays information about IKE traffic.
cypher
    Displays information about the cipher negotiation between the HTTP server and the client.
device
    Displays information about the SSL device, including session initiation and ongoing status.
dhcpc detail
    Displays detailed information about the DHCP client packets.
dhcpc error
    Displays error messages associated with the DHCP client.
dhcpc packet
    Displays packet information associated with the DHCP client.
dhcpd event
    Displays event information associated with the DHCP server.
dhcpd packet
    Displays packet information associated with the DHCP server.
dns {resolver | all}
    Displays DNS debugging information. The resolver option collects DNS resolution information, and the all option collects all DNS information.
dport dest_port
    Destination port.
dst dest_ip
    Destination IP address.
events
    Displays NTP event information.
fixup {udp | tcp}
    Displays fixup information, either using UDP or TCP.
fover option
    Displays failover information. Refer to Table 5-1 for the options.
h225 asn
    Displays the output of the decoded PDUs.
h225 events
    Displays the events of the H.225 signalling, or turns both traces on.
h245 asn
    Displays the output of the decoded PDUs.
h245 events
    Displays the events of the H.245 signalling, or turns both traces on.
h323
    Displays information about the packet-based multimedia communications systems standard.
icmp
    Displays information about ICMP traffic.
if_name
    Interface name from which the packets are arriving; for example, to monitor packets coming into the PIX Firewall from the outside, set if_name to outside.
ils
    Displays Internet Locator Service (ILS) fixup information (used in LDAP services).
level
    The level of debugging feedback. The higher the level number, the more information is displayed. The default level is 1. The levels correspond to the following events:
    Level 1: Interesting events
    Level 2: Normative and interesting events
    Level 3: Diminutive, normative, and interesting events
    Refer to the Examples section at the end of this command page for an example of how the debugging level appears within the show debug command.
loopfilter
    Displays NTP loop filter information.
negotiation
    Equivalent of the error, uauth, upap, and chap debug command options.
netmask mask
    Network mask.
packet
    Displays packet information.
packets
    Displays NTP packet information.
params
    Displays NTP clock parameters.
pdm history
    Turns on the PDM history metrics debugging information. The no version of this command disables PDM history metrics debugging.
ppp
    Debugs L2TP or PPTP traffic, which is configured with the vpdn command.
ppp error
    Displays L2TP or PPTP PPP virtual interface error messages.
ppp io
    Displays the packet information for the L2TP or PPTP PPP virtual interface.
ppp uauth
    Displays the L2TP or PPTP PPP virtual interface AAA user authentication debugging messages.
pppoe error
    Displays PPPoE error messages.
pppoe event
    Displays PPPoE event information.
pppoe packet
    Displays PPPoE packet information.
proto icmp
    Displays ICMP packets only.
proto tcp
    Displays TCP packets only.
proto udp
    Displays UDP packets only.
radius all
    Enables all RADIUS debug options.
radius session
    Logs RADIUS session information and the attributes of sent and received RADIUS packets.
ras asn
    Displays the output of the decoded PDUs.
ras events
    Displays the events of the RAS signalling, or turns both traces on.
route
    Displays information from the PIX Firewall routing module.
rx
    Displays only packets received at the PIX Firewall.
select
    Displays NTP clock selections.
sip
    Debugs the fixup Session Initiation Protocol (SIP) module.
skinny
    Debugs SCCP protocol activity. (Using this option is system-resource intensive and may impact performance on high-traffic network segments.)
sport src_port
    Source port. See the Ports section in Chapter 2, "Using PIX Firewall Commands," for a list of valid port literal names.
sqlnet
    Debugs SQL*Net traffic.
src source_ip
    Source IP address.
ssh
    Debug information and error messages associated with the ssh command.
ssl
    Debug information and error messages associated with the ssl command.
standard
    Displays non-TurboACL access list information.
sync
    Displays NTP clock synchronization.
turbo
    Displays TurboACL access list information.
tx
    Displays only packets that were transmitted from the PIX Firewall.
upap
    Displays PAP authentication.
user username
    Specifies to display information for an individual username only.
validity
    Displays NTP peer clock validity.
vpdn error
    Displays L2TP or PPTP protocol error messages.
vpdn event
    Displays L2TP or PPTP tunnel event change information.
vpdn packet
    Displays L2TP or PPTP packet information about PPTP traffic.

Usage Guidelines

The debug command lets you view debug information. The show debug command displays the current state of tracing. You can debug the contents of network layer protocol packets with the debug packet command.

When creating your digital certificates, use the debug crypto ca command to ensure that the certificate is created correctly. Important error messages only display when the debug crypto ca command is enabled. For example, if you enter an Entrust fingerprint value incorrectly, the only warning message that indicates the value is incorrect appears in the debug crypto ca command output.

Output from the debug crypto ipsec and debug crypto isakmp commands does not display in a Telnet console session.

The debug dhcpc detail command displays detailed packet information about the DHCP client. The debug dhcpc error command displays DHCP client error messages. The debug dhcpc packet command displays packet information about the DHCP client. Use the no form of the debug dhcpc command to disable debugging.

The debug dhcpd event command displays event information about the DHCP server. The debug dhcpd packet command displays packet information about the DHCP server. Use the no form of the debug dhcpd commands to disable debugging.

The debug h323 command lets you debug H.323 connections. Use the no form of the command to disable debugging. This command works when the fixup protocol h323 command is enabled.


Note

The debug h323 command, particularly the debug h323 h225 asn, debug h323 h245 asn, and debug h323 ras asn commands, might delay the sending of messages and cause slower performance in a real-time environment.

The debug icmp trace command shows ICMP packet information, the source IP address, and the destination address of packets arriving, departing, and traversing the PIX Firewall, including pings to the PIX Firewall unit's own interfaces.

The debug sqlnet command reports on traffic between Oracle SQL*Net clients and servers through the PIX Firewall.

The debug ssh command reports on information and error messages associated with the ssh command.

The debug ppp and debug vpdn commands provide information about PPTP traffic. PPTP is configured with the vpdn command.

Use of the debug commands can slow down busy networks.

Table 5-1 lists the options for the debug fover command.

Table 5-1 debug fover Command Options

Option     Description
cable      Failover cable status
fail       Failover internal exception
fmsg       Failover message
get        IP network packet received
ifc        Network interface status trace
lanrx      LAN-based failover receive process messages
lanretx    LAN-based failover retransmit process messages
lantx      LAN-based failover transmit process messages
lancmd     LAN-based failover main thread messages
open       Failover device open
put        IP network packet transmitted
rx         Failover cable receive
rxdmp      Cable recv message dump (serial console only)
rxip       IP network failover packet received
tx         Failover cable transmit
txdmp      Cable xmit message dump (serial console only)
txip       IP network failover packet transmit
verify     Failover message verify
switch     Failover switching status


Trace Channel Feature

The debug packet command sends its output to the Trace Channel. All other debug commands do not. Use of Trace Channel changes the way you can view output on your screen during a PIX Firewall console or Telnet session. If a debug command does not use Trace Channel, each session operates independently, which means any commands started in the session only appear in the session. A session not using Trace Channel has output disabled by default. The location of the Trace Channel depends on whether you have a simultaneous Telnet console session running at the same time as the console session, or if you are using only the PIX Firewall serial console:

- If you are only using the PIX Firewall serial console, all debug commands display on the serial console.
- If you have both a serial console session and a Telnet console session accessing the console, then no matter where you enter the debug commands, the output displays on the Telnet console session.
- If you have two or more Telnet console sessions, the first session is the Trace Channel. If that session closes, the serial console session becomes the Trace Channel. The next Telnet console session that accesses the console will then become the Trace Channel.

The debug commands, except the debug crypto commands, are shared between all Telnet and serial console sessions.

Note

The downside of the Trace Channel feature is that if one administrator is using the serial console and another administrator starts a Telnet console session, the serial console debug command output will suddenly stop without warning. In addition, the administrator on the Telnet console session will suddenly be viewing debug command output, which may be unexpected. If you are using the serial console and debug command output is not appearing, use the who command to see if a Telnet console session is running.
Additional debug Command Information

Note

Use of the debug packet command on a PIX Firewall experiencing a heavy load may result in the output displaying so fast that it may be impossible to stop the output by entering the no debug packet command from the console. You can enter the no debug packet command from a Telnet session. To let users ping through the PIX Firewall, add the access-list acl_grp permit icmp any any command statement to the configuration and bind it to each interface you want to test with the access-group command. This lets pings go outbound and inbound. To stop a debug packet trace command, enter the following command:
no debug packet if_name

Replace if_name with the name of the interface; for example, inside, outside, or a perimeter interface name. To stop a debug icmp trace command, enter the following command:
no debug icmp trace


Examples

The following is partial sample output from the debug dhcpc packet and debug dhcpc detail commands. The ip address dhcp setroute command was configured after entering the debug dhcpc commands to obtain debugging information.

debug dhcpc packet
debug dhcpc detail
ip address outside dhcp setroute
DHCP:allocate request
DHCP:new entry. add to queue
DHCP:new ip lease str = 0x80ce8a28
DHCP:SDiscover attempt # 1 for entry:
Temp IP addr:0.0.0.0 for peer on Interface:outside
Temp sub net mask:0.0.0.0
DHCP Lease server:0.0.0.0, state:1 Selecting
DHCP transaction id:0x8931
Lease:0 secs, Renewal:0 secs, Rebind:0 secs
Next timer fires after:2 seconds
Retry count:1 Client-ID:cisco-0000.0000.0000-outside
DHCP:SDiscover:sending 265 byte length DHCP packet
DHCP:SDiscover 265 bytes
DHCP Broadcast to 255.255.255.255 from 0.0.0.0
DHCP client msg received, fip=10.3.2.2, fport=67
DHCP:Received a BOOTREP pkt
DHCP:Scan:Message type:DHCP Offer
DHCP:Scan:Server ID Option:10.1.1.69 = 450A44AB
DHCP:Scan:Server ID Option:10.1.1.69 = 450A44AB
DHCP:Scan:Lease Time:259200
DHCP:Scan:Subnet Address Option:255.255.254.0
DHCP:Scan:DNS Name Server Option:10.1.1.70, 10.1.1.140
DHCP:Scan:Domain Name:example.com
DHCP:Scan:NBNS Name Server Option:10.1.2.228, 10.1.2.87
DHCP:Scan:Router Address Option:10.3.2.1
DHCP:rcvd pkt source:10.3.2.2, destination: 255.255.255.255
...

The following example executes the debug icmp trace command:

debug icmp trace

When you ping a host through the PIX Firewall from any interface, trace output displays on the console. The following example shows a successful ping from an external host (209.165.201.2) to the PIX Firewall unit's outside interface (209.165.201.1).

Inbound ICMP echo reply (len 32 id 1 seq 256) 209.165.201.1 > 209.165.201.2
Outbound ICMP echo request (len 32 id 1 seq 512) 209.165.201.2 > 209.165.201.1
Inbound ICMP echo reply (len 32 id 1 seq 512) 209.165.201.1 > 209.165.201.2
Outbound ICMP echo request (len 32 id 1 seq 768) 209.165.201.2 > 209.165.201.1
Inbound ICMP echo reply (len 32 id 1 seq 768) 209.165.201.1 > 209.165.201.2
Outbound ICMP echo request (len 32 id 1 seq 1024) 209.165.201.2 > 209.165.201.1
Inbound ICMP echo reply (len 32 id 1 seq 1024) 209.165.201.1 > 209.165.201.2
NO DEBUG ICMP TRACE
ICMP trace off

This example shows that the ICMP packet length is 32 bytes, the ICMP packet identifier is 1, and the ICMP sequence number of each packet. The ICMP sequence number starts at 0 and is incremented each time a request is sent.
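Because every debug icmp trace record has the same one-line layout (direction, message type, length, identifier, sequence number, source and destination), it is straightforward to post-process a captured trace and find echo requests that never got a reply. The parser below is an added example and not part of the PIX command reference; the trace lines it works on are constructed to match the format shown above, with the reply for sequence 768 deliberately left out.

```python
"""Added example (not from the PIX command reference): parse debug icmp
trace records and pair echo requests with their echo replies.  The
record layout follows the sample output above; SAMPLE is constructed."""

import re

# Direction, ICMP message, then "(len N id N seq N) src > dst".
_RE = re.compile(
    r"^(?P<dir>Inbound|Outbound) ICMP (?P<msg>echo request|echo reply) "
    r"\(len (?P<len>\d+) id (?P<id>\d+) seq (?P<seq>\d+)\) "
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+)$"
)


def parse_line(line):
    """Return a dict of fields for one trace record, or None for any other
    console output (for example 'ICMP trace off')."""
    m = _RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("len", "id", "seq"):
        rec[key] = int(rec[key])
    return rec


def unanswered_requests(lines):
    """Return (id, seq, src, dst) for each echo request with no matching
    reply.  A reply matches when id and seq agree and src/dst are swapped."""
    pending = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["msg"] == "echo request":
            pending[(rec["id"], rec["seq"], rec["src"], rec["dst"])] = rec
        else:
            pending.pop((rec["id"], rec["seq"], rec["dst"], rec["src"]), None)
    return sorted(pending)


# Constructed trace: four requests from 209.165.201.2 to the outside
# interface; the reply for seq 768 is missing on purpose.
SAMPLE = """\
Outbound ICMP echo request (len 32 id 1 seq 256) 209.165.201.2 > 209.165.201.1
Inbound ICMP echo reply (len 32 id 1 seq 256) 209.165.201.1 > 209.165.201.2
Outbound ICMP echo request (len 32 id 1 seq 512) 209.165.201.2 > 209.165.201.1
Inbound ICMP echo reply (len 32 id 1 seq 512) 209.165.201.1 > 209.165.201.2
Outbound ICMP echo request (len 32 id 1 seq 768) 209.165.201.2 > 209.165.201.1
Outbound ICMP echo request (len 32 id 1 seq 1024) 209.165.201.2 > 209.165.201.1
Inbound ICMP echo reply (len 32 id 1 seq 1024) 209.165.201.1 > 209.165.201.2
NO DEBUG ICMP TRACE
ICMP trace off
""".splitlines()

if __name__ == "__main__":
    print(unanswered_requests(SAMPLE))
```

Pairing on (id, seq) with swapped addresses rather than on order of appearance matters on a busy firewall, where records from several hosts interleave and a reply can arrive after the next request has already been logged.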


The following is sample output from the show debug command:

show debug
debug ppp error
debug vpdn event
debug crypto ipsec 1
debug crypto isakmp 1
debug crypto ca 1
debug icmp trace
debug packet outside both
debug sqlnet

The preceding sample output includes the debug crypto commands. You can debug the contents of packets with the debug packet command:
debug packet inside
--------- PACKET ---------
-- IP --
4.3.2.1 ==> 255.3.2.1
ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x60
id = 0x3902 flags = 0x0 frag off=0x0
ttl = 0x20 proto=0x11 chksum = 0x5885
-- UDP --
source port = 0x89 dest port = 0x89
len = 0x4c checksum = 0xa6a0
-- DATA --
00000014: 00 01 00 00 | ....
00000024: 00 00 00 01 20 45 49 45 50 45 47 45 47 45 46 46 | .... EIEPEGEGEFF
00000034: 43 43 4e 46 41 45 44 43 41 43 41 43 41 43 41 43 | CCNFAEDCACACACAC
00000044: 41 43 41 41 41 00 00 20 00 01 c0 0c 00 20 00 01 | ACAAA.. ..... ..
00000054: 00 04 93 e0 00 06 60 00 01 02 03 04 00 | ......`......
--------- END OF PACKET ---------

This display lists the information as it appears in a packet. The following is sample output from the show debug command:
show debug
debug icmp trace off
debug packet off
debug sqlnet off
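The debug packet display is meant to be read by eye, but the header fields and the hex dump are regular enough to parse, which is useful when the output has to be correlated with other logs. The following parser is an added example and not code from the PIX command reference. It reads the field lines into a dictionary and the DATA lines into a byte string; its input is a constructed copy of the debug packet sample shown above. It also goes one step beyond the page: because that sample is a UDP packet on port 0x89 (137, NetBIOS Name Service), the function netbios_query_name decodes the first-level encoded name in the payload using the RFC 1001 scheme (each byte sent as two characters, 'A' plus each nibble), which the page itself does not discuss.

```python
"""Added example (not from the PIX command reference): parse the debug
packet display into header fields and payload bytes, and decode the
NetBIOS name carried in the page's sample packet (UDP port 137)."""

import re

# "name = 0x..." pairs; names may be two words ("source port", "frag off").
FIELD_RE = re.compile(r"(\w+(?: \w+)?)\s*=\s*(0x[0-9a-fA-F]+)")
# "00000024: 00 00 ... | ascii" dump lines.
DATA_RE = re.compile(r"^([0-9a-fA-F]{8}):((?: [0-9a-fA-F]{2})+) \|")


def parse_debug_packet(text):
    """Return (fields, payload): fields maps names such as 'proto' or
    'source port' to ints; payload is the concatenated DATA bytes."""
    fields, payload = {}, bytearray()
    for line in text.splitlines():
        m = DATA_RE.match(line.strip())
        if m:
            payload += bytes.fromhex(m.group(2).strip())
            continue
        for name, value in FIELD_RE.findall(line):
            fields[name] = int(value, 16)
    return fields, bytes(payload)


def decode_netbios_name(encoded):
    """Decode a 32-character first-level-encoded NetBIOS name (RFC 1001).
    Returns (name without padding, 16th-byte suffix)."""
    if len(encoded) != 32:
        raise ValueError("first-level encoded name must be 32 characters")
    raw = bytes(((ord(a) - 65) << 4) | (ord(b) - 65)
                for a, b in zip(encoded[0::2], encoded[1::2]))
    return raw[:15].decode("ascii").rstrip(" \x00"), raw[15]


def netbios_query_name(payload):
    """Find the first encoded name in an NBNS payload: a 0x20 length byte
    followed by 32 encoded characters."""
    i = payload.index(b"\x20")
    return decode_netbios_name(payload[i + 1:i + 33].decode("ascii"))


def summarize(text):
    """Protocol, ports and, for NBNS traffic, the decoded NetBIOS name."""
    fields, payload = parse_debug_packet(text)
    out = {"proto": fields.get("proto"),
           "sport": fields.get("source port"),
           "dport": fields.get("dest port")}
    if out["proto"] == 17 and 137 in (out["sport"], out["dport"]):
        out["netbios_name"], out["netbios_suffix"] = netbios_query_name(payload)
    return out


# Constructed copy of the page's debug packet sample.
SAMPLE = """\
debug packet inside
--------- PACKET ---------
-- IP --
4.3.2.1 ==> 255.3.2.1
ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x60
id = 0x3902 flags = 0x0 frag off=0x0
ttl = 0x20 proto=0x11 chksum = 0x5885
-- UDP --
source port = 0x89 dest port = 0x89
len = 0x4c checksum = 0xa6a0
-- DATA --
00000014: 00 01 00 00 | ....
00000024: 00 00 00 01 20 45 49 45 50 45 47 45 47 45 46 46 | .... EIEPEGEGEFF
00000034: 43 43 4e 46 41 45 44 43 41 43 41 43 41 43 41 43 | CCNFAEDCACACACAC
00000044: 41 43 41 41 41 00 00 20 00 01 c0 0c 00 20 00 01 | ACAAA.. ..... ..
00000054: 00 04 93 e0 00 06 60 00 01 02 03 04 00 | ......`......
--------- END OF PACKET ---------
"""

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The decoded name shows why debug packet on the inside interface is worth a look during troubleshooting: the broadcast that the sample captured is a workstation announcing its own NetBIOS name, which is the kind of traffic a firewall should not be forwarding outward.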


dhcpd
The dhcpd command controls the DHCP server feature. (Configuration mode.)

Configure with the command shown first in each pair; remove with the command shown beneath it.

dhcpd address ip1[-ip2] [if_name]
    no dhcpd address
dhcpd auto_config [client_ifx_name]
    no dhcpd auto_config
dhcpd dns dns1 [dns2]
    no dhcpd dns
dhcpd wins wins1 [wins2]
    no dhcpd wins
dhcpd lease lease_length
    no dhcpd lease
dhcpd domain domain_name
    no dhcpd domain
dhcpd enable [if_name]
    no dhcpd enable
dhcpd option 66 ascii {server_name | server_ip_str}
    no dhcpd option code
dhcpd option 150 ip server_ip1 [server_ip2]
    no dhcpd option code
dhcpd ping_timeout timeout
    no dhcpd ping_timeout
N/A
    clear dhcpd [binding|statistics]
debug dhcpd event
    no debug dhcpd event
debug dhcpd packet
    no debug dhcpd packet

Show command options show dhcpd [binding|statistics]

Show command output Displays the binding and statistics information associated with the dhcpd commands.

Syntax Description

address ip1 [ip2]
    The IP pool address range. The size of the pool is limited to 32 addresses with a 10 user license and 128 addresses with a 50 user license on the PIX 501. All other PIX Firewall platforms support 256 addresses. Note that if the address pool range is larger than 253 addresses, the netmask of the PIX Firewall interface cannot be a Class C (for example 255.255.255.0) and hence needs to be something larger, for example, 255.255.254.0.
auto_config
    Enable PIX Firewall to automatically configure DNS, WINS and domain name values from the DHCP client to the DHCP server. If the user also specifies dns, wins, and domain parameters, then the CLI parameters overwrite the auto_config parameters.
binding
    The binding information for a given server IP address and its associated client hardware address and lease length.
client_ifx_name
    This optional argument supports only the outside interface at this time. When more interfaces are supported, this argument will specify which interface supports the DHCP auto_config feature.
code
    Specifies the DHCP option code, either 66 or 150.
dns dns1 [dns2]
    The IP addresses of the DNS servers for the DHCP client. Specifies that DNS A (address) resource records that match the static translation are rewritten. A second server address is optional.
domain domain_name
    The DNS domain name. For example, example.com.
if_name
    Name of the PIX Firewall interface. The default is the inside interface. Currently, the PIX Firewall DHCP server daemon can only be enabled on the inside interface.
lease lease_length
    The length of the lease, in seconds, granted to the DHCP client from the DHCP server. The lease indicates how long the client can use the assigned IP address. The default is 3600 seconds. The minimum lease length is 300 seconds, and the maximum lease length is 2,147,483,647 seconds.
option 150
    Specifies the TFTP server IP address(es) designated for Cisco IP phones in dotted decimal format. DHCP option 150 is site-specific; it gives the IP addresses of a list of TFTP servers.
option 66
    Specifies the TFTP server IP address designated for Cisco IP phones and gives the IP address or the hostname of a single TFTP server.
ping_timeout
    Allows the configuration of the timeout value of a ping, in milliseconds, before assigning an IP address to a DHCP client.
server_ip(1,2)
    Specifies the IP address(es) of a TFTP server.
server_ip_str
    Specifies the TFTP server in dotted decimal format, such as 1.1.1.1, but is treated as a character string by the PIX DHCP server.
server_name
    Specifies an ASCII character string representing the TFTP server.
statistics
    Statistical information, such as address pool, number of bindings, malformed messages, sent messages, and received messages.
wins wins1 [wins2]
    The IP addresses of the Microsoft NetBIOS name servers (WINS server). The second server address is optional.

Usage Guidelines

A DHCP server provides network configuration parameters to a DHCP client. Support for the DHCP server within the PIX Firewall means the PIX Firewall can use the DHCP to configure connected clients. This DHCP feature is designed for the remote home or branch office that will establish a connection to an enterprise or corporate network. See the Cisco PIX Firewall and VPN Configuration Guide for information on how to implement the DHCP server feature into the PIX Firewall.

Note

The PIX Firewall DHCP server does not support BOOTP requests and failover configurations.

The dhcpd address command specifies the DHCP server address pool. The address pool of a PIX Firewall DHCP server must be within the same subnet of the PIX Firewall interface that is enabled. In other words, the client must be physically connected to the subnet of a PIX Firewall interface. The size of the pool is limited to 32 addresses with a 10 user license and 128 addresses with a 50 user license on the PIX 501. All other PIX Firewall platforms support 256 addresses. The default for the PIX Firewall interface name is the inside interface, which is the only interface currently supported. The dhcpd address command cannot use names with a - (dash) character in them because the - character is interpreted as a range specifier instead of as part of the object name. The no dhcpd address command removes the DHCP server address pool you configured.

The dhcpd dns command specifies the IP address(es) of the DNS server(s) for the DHCP client. You have the option to specify two DNS servers. The no dhcpd dns command removes the DNS IP address(es) from your configuration.


The dhcpd wins command specifies the addresses of the WINS server for the DHCP client. The no dhcpd wins command removes the WINS server IP address(es) from your configuration.

The dhcpd lease command specifies the length of the lease in seconds granted to the DHCP client. This lease indicates how long the DHCP client can use the assigned IP address that the DHCP server granted. The no dhcpd lease command removes the lease length that you specified from your configuration and replaces this value with the default value of 3600 seconds.

The dhcpd domain command specifies the DNS domain name for the DHCP client, for example, example.com. The no dhcpd domain command removes the DNS domain name from your configuration.

The dhcpd enable command enables the DHCP daemon to begin to listen for the DHCP client requests on the DHCP-enabled interface. The no dhcpd enable command disables the DHCP server feature on the specified interface. DHCP must be enabled to use this command. Use the dhcpd enable command to turn on DHCP.

Note

With version 5.2 or higher, the PIX Firewall DHCP server daemon can only be enabled on the inside interface, and does not support clients that are not directly connected to the inside interface.

The dhcpd option 66 | 150 command retrieves TFTP server address information for IP Phone connections. When a dhcpd option command request arrives at the PIX Firewall DHCP server, the PIX Firewall places the value(s) specified by the dhcpd option 66 | 150 in the response. Use the dhcpd option code command as follows:

- If the TFTP server for IP Phone connections is located on the inside interface, use the local IP address of the TFTP server in the dhcpd option command.
- If the TFTP server is located on a less secure interface, create a group of nat, global, and access-list statements for the inside IP phones, and use the actual IP address of the TFTP server in the dhcpd option command.
- If the TFTP server is located on a more secure interface, create a group of static and access-list statements for the TFTP server and use the global IP address of the TFTP server in the dhcpd option command.

Because the PIX Firewall DHCP server can be enabled only on the inside interface, clients on the outside of the PIX Firewall cannot get their IP addresses or the TFTP server IP addresses from the PIX Firewall. If outside clients need to connect to the inside TFTP server, then a group of static and access-list statements has to be created for the TFTP server instead of using the dhcpd option command.

The show dhcpd command displays dhcpd commands, binding and statistics information associated with all of the dhcpd commands. The clear dhcpd command clears all of the dhcpd commands, binding, and statistics information.

The debug dhcpd event command displays event information about the DHCP server. The debug dhcpd packet command displays packet information about the DHCP server. Use the no form of the debug dhcpd commands to disable debugging.


Examples

The following partial configuration example shows use of the dhcpd address, dhcpd dns, and dhcpd enable commands. In this example, an address pool for the DHCP clients is defined, a DNS server address is specified for the DHCP client, and the inside interface of the PIX Firewall is enabled for the DHCP server function.
dhcpd address 10.0.1.100-10.0.1.108
dhcpd dns 209.165.200.226
dhcpd enable

The following partial configuration example shows how to define a DHCP pool of 256 addresses and use the dhcpd auto_config command to configure the DNS, WINS, and domain parameters. Note that the netmask of the inside interface is 255.255.254.0, because a pool larger than 253 addresses does not fit in a Class C subnet.

ip address inside 10.0.1.1 255.255.254.0
dhcpd address 10.0.1.2-10.0.2.1
dhcpd auto_config
dhcpd enable

The following partial configuration example shows how to use three new features that are associated with each other: DHCP server, DHCP client, and PAT using interface IP to configure a PIX Firewall in a small office, home office (SOHO) environment:
! use dhcp to configure the outside interface and default route
ip address outside dhcp setroute
! enable dhcp server daemon on the inside interface
ip address inside 10.0.1.2 255.255.255.0
dhcpd address 10.0.1.101-10.0.1.110
dhcpd dns 209.165.201.2 209.165.202.129
dhcpd wins 209.165.201.5
dhcpd lease 3000
dhcpd domain example.com
dhcpd enable
! use outside interface IP as PAT global address
nat (inside) 1 0 0
global (outside) 1 interface

The following is sample output from the show dhcpd command:

pixfirewall(config)# show dhcpd
dhcpd address 10.0.1.100-10.0.1.108 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd dns 192.23.21.23
dhcpd enable inside

The following is sample output from the show dhcpd binding command:
pixfirewall(config)# show dhcpd binding
IP Address    Hardware Address     Lease Expiration    Type
10.0.1.100    0100.a0c9.868e.43    84985 seconds       automatic


The following is sample output from the show dhcpd statistics command:
show dhcpd statistics
Address Pools 1
Automatic Bindings 1
Expired Bindings 1
Malformed messages 0
Message Received
BOOTREQUEST 0
DHCPDISCOVER 1
DHCPREQUEST 2
DHCPDECLINE 0
DHCPRELEASE 0
DHCPINFORM 0
Message Sent
BOOTREPLY 0
DHCPOFFER 1
DHCPACK 1
DHCPNAK 1

Related Commands

ip address

disable
Exit privileged mode and return to unprivileged mode. (Privileged mode.)

Enter privileged mode with the command... enable
Exit privileged mode with the command... disable

Syntax Description

enable
    Enter this at the PIX Firewall command-line interface prompt to enter privileged mode.
disable
    Enter this at the PIX Firewall command-line interface prompt to exit privileged mode.

Usage Guidelines

Use the enable command to enter privileged mode. The disable command exits privileged mode and returns you to unprivileged mode.

Examples

The following example shows how to enter privileged mode:

pixfirewall> enable
pixfirewall#

The following example shows how to exit privileged mode:

pixfirewall# disable
pixfirewall>


domain-name
Change the IPSec domain name. (Configuration mode.)
Change with the command... domain-name name
Remove with the command... N/A

Syntax Description

name

A domain name.

Usage Guidelines

The domain-name command lets you change the IPSec domain name.

Note

Changing the domain name changes the fully qualified domain name of the PIX Firewall. Once the fully qualified domain name has changed, any existing RSA key pairs and certificates no longer match it: delete the RSA key pairs with the ca zeroize rsa command, and delete the related certificates with the no ca identity ca_nickname command.

Examples

The following example shows use of the domain-name command:


domain-name example.com

dynamic-map
View or delete a dynamic crypto map entry. (Configuration mode.)
Configure with the command... N/A
Remove with the command... clear dynamic-map

Show command options show dynamic-map

Show command output Displays the dynamic-map commands in the configuration.

Usage Guidelines

The clear dynamic-map command removes dynamic-map commands from the configuration. The show dynamic-map command lists the dynamic-map commands in the configuration.

Note

The dynamic-map command is the same as the crypto dynamic-map command. Refer to the crypto dynamic-map command page for more information such as examples and other command options.


eeprom
This command applies only to PIX 525 models with serial numbers 44480380055 through 44480480044. Displays and updates the contents of the EEPROM non-volatile storage devices used for low-level Ethernet interface configuration information. (Configuration mode.)
Configure with the command... eeprom update
Remove with the command... N/A

Show command options show eeprom

Show command output Displays the current EEPROM register settings.

Syntax Description

eeprom update

Modifies the EEPROM register settings, if necessary, after checking the contents of EEPROM registers 6 and 10 to ensure they contain the hexadecimal values 0x4701 and 0x40c0, respectively. If these registers contain different values, then all EEPROM register settings, except the MAC address registers, which were not affected by the problem, are reset to the correct values.

Usage Guidelines

The eeprom commands, added in version 5.2(4) and later, fix a caveat (CSCds76768) involving corruption of the EEPROM on the onboard Ethernet interfaces. For additional information, see the December 20, 2000 Field Notice, Cisco Secure PIX Firewall: PIX-525 Ethernet EEPROM Programming Issue, available at http://www.cisco.com/warp/public/770/fn13021.shtml

The problem is summarized as follows: if you configure the onboard Ethernet interfaces (ethernet0 and ethernet1) on a PIX 525 with a serial number of 44480380055 through 44480480044 to full duplex, interface errors and throughput reductions may occur. If you configure the interfaces to half duplex or to auto-sense, speed and duplex function normally without error.

The eeprom command has two variants. The show eeprom command displays the current EEPROM register settings and so indicates whether the Ethernet EEPROM programming is correct. The eeprom update command verifies the register settings and rewrites them if they do not hold the recommended values; it performs the same function as the "eedisk" utility without requiring access to ROM monitor mode. If the settings are already correct, eeprom update leaves them unchanged and does not recommend a reboot. If it does update the settings, reboot the PIX Firewall as soon as possible.


The eeprom update command checks the contents of EEPROM registers 6 and 10 to ensure they contain the hexadecimal values 0x4701 and 0x40c0, respectively. If these registers contain different values, then all EEPROM register settings except the MAC address registers, which were not affected by the problem causing CSCds76768, are reset to the correct values. Each register is 16 bits. The correct register values are as follows:

Register     Name                              Value
0 to 2       MAC address                       Differs on each system (unique)
3            Compatibility bits                0x3
5            Controller and connector type     0x201
6            Onboard PHY type                  0x4701
10           Onboard PROM ID                   0x40C0
12           Vendor ID (8086 is Intel)         0x8086

Examples

The show eeprom command will display the current EEPROM register settings:
pix525# show eeprom
eeprom settings for ifc0:
reg0: 0x5000 reg1: 0xfe54 reg2: 0x65f6 reg3: 0x3 reg5: 0x201 reg6: 0x4702 reg10: 0x40c0 reg12: 0x8086
eeprom settings for ifc1:
reg0: 0x5000 reg1: 0xfe54 reg2: 0x66f6 reg3: 0x3 reg5: 0x201 reg6: 0x4702 reg10: 0x40c0 reg12: 0x8086

If the command is run on a unit that is not a PIX 525, the following is displayed:
pix515# show eeprom
This unit is not a PIX-525.
Type help or '?' for a list of available commands.
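The register check that eeprom update performs can be reproduced offline against captured show eeprom output, which is useful when you want to audit a fleet of PIX 525 units from a collection script before scheduling reboots. The following Python is an added example, not Cisco code: it parses the "eeprom settings for ifcN: regM: 0x..." format shown above, applies the register 6 / register 10 test the command reference describes, and predicts what eeprom update leaves behind (MAC registers 0 to 2 untouched, everything else reset to the table values). The sample output is constructed from the reference's example, with ifc1 altered to already hold 0x4701 so that both outcomes are exercised.

```python
"""Audit PIX 525 Ethernet EEPROM registers from 'show eeprom' output.
Added example (not Cisco code); the register values and the update rule
follow the eeprom command reference."""
import re
from typing import Dict

# Recommended values from the register table. Registers 0-2 hold the MAC
# address and differ per unit, so they are never rewritten.
EXPECTED = {3: 0x3, 5: 0x201, 6: 0x4701, 10: 0x40C0, 12: 0x8086}
MAC_REGISTERS = (0, 1, 2)
# 'eeprom update' decides whether to rewrite by looking only at 6 and 10.
CHECKED = (6, 10)

Regs = Dict[int, int]


def parse_show_eeprom(text: str) -> Dict[str, Regs]:
    """Parse 'eeprom settings for ifc0: reg0: 0x5000 reg1: ...' blocks into
    {'ifc0': {0: 0x5000, 1: 0xfe54, ...}, 'ifc1': {...}}.  Registers may sit
    on one line or one per line; the regex does not care."""
    result: Dict[str, Regs] = {}
    current = None
    pattern = r"eeprom settings for (ifc\d+):|reg(\d+):\s*(0x[0-9a-fA-F]+)"
    for m in re.finditer(pattern, text):
        if m.group(1):
            current = m.group(1)
            result[current] = {}
        elif current is not None:
            result[current][int(m.group(2))] = int(m.group(3), 16)
    return result


def needs_update(regs: Regs) -> bool:
    """True when register 6 or 10 differs from 0x4701 / 0x40c0."""
    return any(regs.get(r) != EXPECTED[r] for r in CHECKED)


def apply_update(regs: Regs) -> Regs:
    """What 'eeprom update' writes: nothing if the check passes; otherwise
    the MAC registers are kept and every other known register is reset."""
    if not needs_update(regs):
        return dict(regs)
    fixed = {r: v for r, v in regs.items() if r in MAC_REGISTERS}
    fixed.update(EXPECTED)
    return fixed


def audit(text: str) -> Dict[str, bool]:
    """Per-interface verdict: True means run eeprom update and reboot."""
    return {ifc: needs_update(regs) for ifc, regs in parse_show_eeprom(text).items()}


# Constructed sample based on the reference's pre-update output; ifc1 has
# been changed to the correct PHY value so one interface passes.
SAMPLE = """pix525# show eeprom
eeprom settings for ifc0:
reg0: 0x5000 reg1: 0xfe54 reg2: 0x65f6 reg3: 0x3 reg5: 0x201
reg6: 0x4702 reg10: 0x40c0 reg12: 0x8086
eeprom settings for ifc1:
reg0: 0x5000 reg1: 0xfe54 reg2: 0x66f6 reg3: 0x3 reg5: 0x201
reg6: 0x4701 reg10: 0x40c0 reg12: 0x8086
"""

if __name__ == "__main__":
    for ifc, bad in audit(SAMPLE).items():
        print(ifc, "needs eeprom update" if bad else "ok")
```

Feed audit() the text captured from each unit; a True verdict means the unit needs eeprom update followed by a reload, exactly as the warning banner in the examples below demands.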


If the update needs to be run on the PIX 525, the eeprom update command returns the following:
pix525# eeprom update
eeprom settings on ifc0 are being reset to defaults:
reg0: 0x5000 reg1: 0xfe54 reg2: 0x65f6 reg3: 0x3 reg5: 0x201 reg6: 0x4701 reg10: 0x40c0 reg12: 0x8086
eeprom settings on ifc1 are being reset to defaults:
reg0: 0x5000 reg1: 0xfe54 reg2: 0x66f6 reg3: 0x3 reg5: 0x201 reg6: 0x4701 reg10: 0x40c0 reg12: 0x8086
*** WARNING! *** WARNING! *** WARNING! *** WARNING! ***
The system should be restarted as soon as possible.
*** WARNING! *** WARNING! *** WARNING! *** WARNING! ***

If the update has been run successfully, the eeprom command output will appear as follows:
pix525# eeprom update
eeprom settings on ifc0 are already up to date:
reg0: 0x5000 reg1: 0xfe54 reg2: 0x65f6 reg3: 0x3 reg5: 0x201 reg6: 0x4701 reg10: 0x40c0 reg12: 0x8086
eeprom settings on ifc1 are already up to date:
reg0: 0x5000 reg1: 0xfe54 reg2: 0x66f6 reg3: 0x3 reg5: 0x201 reg6: 0x4701 reg10: 0x40c0 reg12: 0x8086

enable
Start privileged mode or access privilege levels. (Unprivileged mode for enable; configuration mode for enable password.)
Enter privileged mode with the command...
enable [priv_level]
enable password [pw] [level priv_level] [encrypted]
Exit or remove with the command...
disable [priv_level]
no enable password [level priv_level]


Show command options show enable

Show command output Displays the password configuration for privilege levels.

Syntax Description

enable
    Specifies to activate a process, mode, or privilege level.
enable priv_level
    Specifies to enable the privilege level, from 0 to 15.
encrypted
    Specifies that the provided password is already encrypted.
level priv_level
    Specifies to set the privilege level, from 0 to 15.
password
    Specifies to configure privilege levels.
pw
    The privilege level password string.

Usage Guidelines

The enable command starts privileged mode. The PIX Firewall prompts you for the privileged mode password. By default, no password is set; press the Enter key at the Password prompt to start privileged mode. Use the disable command to exit privileged mode.

The enable password command changes the privileged mode password, for which you are prompted after you enter the enable command. When the PIX Firewall starts and you enter privileged mode, the password prompt appears; there is no default password (press the Enter key at the Password prompt). You can return the enable password to its original empty value (press the Enter key at the prompt) by entering the following command:
pixfirewall# enable password
pixfirewall#

Note

If you change the password, write it down and store it in a manner consistent with your site's security policy. Once you change this password, you cannot view it again. Also, ensure that everyone who accesses the PIX Firewall console is given this password. Use the passwd command to set the password for Telnet access to the PIX Firewall console. The default passwd value is cisco, so change it before the unit is reachable over the network. See the passwd command page for more information. If no privilege level is specified, the highest privilege level is assumed.

Examples

The following example shows how to start privileged mode with the enable command and then configuration mode with the configure terminal command.
pixfirewall> enable
Password:
pixfirewall# configure terminal
pixfirewall(config)#


The following examples show how to start privileged mode with the enable command, change the enable password with the enable password command, enter configuration mode with the configure terminal command, and display the contents of the current configuration with the write terminal command:
pixfirewall> enable
Password:
pixfirewall# enable password w0ttal1fe
pixfirewall# configure terminal
pixfirewall(config)# write terminal
Building configuration...
...
enable password 2oifudsaoid.9ff encrypted
...

The following example shows the use of the encrypted option:


enable password 1234567890123456 encrypted
show enable password
enable password 1234567890123456 encrypted
enable password 1234567890123456
show enable password
enable password feCkwUGktTCAgIbD encrypted

The following example shows how to configure enable passwords for levels other than the default level of 15:
pixfirewall(config)# enable password cisco level 10
pixfirewall(config)# show enable
enable password wC38a.EQklqK3ZqY level 10 encrypted
enable password 8Ry2YjIyt7RRXU24 encrypted
pixfirewall(config)# enable password wC38a.EQklqK3ZqY level 12 encrypted
pixfirewall(config)# show enable
enable password wC38a.EQklqK3ZqY level 10 encrypted
enable password wC38a.EQklqK3ZqY level 12 encrypted
enable password 8Ry2YjIyt7RRXU24 encrypted
pixfirewall(config)# no enable password level 12
pixfirewall(config)# show enable
enable password wC38a.EQklqK3ZqY level 10 encrypted
enable password 8Ry2YjIyt7RRXU24 encrypted
pixfirewall(config)# no enable password level 10
pixfirewall(config)# show enable
enable password 8Ry2YjIyt7RRXU24 encrypted

Notice that defining and then removing the level 10 and level 12 passwords neither changes nor removes the level 15 password.


established
Permit return connections on ports other than those used for the originating connection, based on an established connection. (Configuration mode.)
Configure with the command...
established protocol dest_port [src_port] [permitto protocol port[-port]] [permitfrom protocol port[-port]]
Remove with the command...
no established protocol dest_port [src_port] [permitto protocol port[-port]] [permitfrom protocol port[-port]]
clear established

Show command options show established

Show command output Displays the established commands in the configuration.

Syntax Description

dest_port
    Specifies the destination port to use for the established connection lookup. This is the originating traffic's destination port and may be specified as 0 if the protocol does not specify which destination port(s) will be used. Use wildcard ports (0) only when necessary.
permitfrom
    Specifies the return traffic's protocol and the source port(s) from which the traffic will be permitted.
permitto
    Specifies the return traffic's protocol and the destination port(s) to which the traffic will be permitted.
src_port
    Specifies the source port to use for the established connection lookup. This is the originating traffic's source port and may be specified as 0 if the protocol does not specify which source port(s) will be used. Use wildcard ports (0) only when necessary.

Usage Guidelines

The established command allows outbound connections return access through the PIX Firewall. It works with two connections: an original connection outbound from a network protected by the PIX Firewall, and a return connection inbound from the same external host to the same internal host. The protocol, destination port, and optional source port specified first are for the initial outbound connection. The permitto and permitfrom options refine the return inbound connection.

Note

We recommend that you always specify the established command with the permitto and permitfrom options. Without these options, the established command opens a security hole that can be exploited to attack your internal systems. See the Security Problem section that follows for more information. The permitto option specifies the protocol and port(s) the return connection may target at the internal host behind the PIX Firewall. The permitfrom option specifies the protocol and port(s) the return connection may originate from at the remote server. The no established command disables the established feature. The clear established command removes all established command statements from your configuration.


Note

For the established command to work properly, the client must listen on the port specified with the permitto option. You can use the established command with the nat 0 command statement (where there are no global command statements).

Note

The established command cannot be used with Port Address Translation (PAT). The established command works as shown in the following format:
established A B C permitto D E permitfrom D F

This command works as though it were written: if there exists a connection between two hosts using protocol A, destined for port B from source port C, permit return connections through the PIX Firewall via protocol D (D can be different from A) if their destination port(s) correspond to E and their source port(s) correspond to F. The port order follows the syntax description: destination port first, then the optional source port. For example:
established tcp 6060 0 permitto tcp 6061 permitfrom tcp 6059

In this case, if a connection is started by an internal host to an external host using TCP destination port 6060 and any source port, the PIX Firewall permits return traffic between the hosts via TCP destination port 6061 (at the internal host) and TCP source port 6059 (at the external host). For example:
established udp 6060 0 permitto tcp 6061 permitfrom tcp 1024-65535

In this case, if a connection is started by an internal host to an external host using UDP destination port 6060 and any source port, the PIX Firewall permits return traffic between the hosts via TCP destination port 6061 and any TCP source port in the range 1024-65535.
Security Problem

The established command has been enhanced to optionally specify the destination port used for connection lookups. Previously only the source port could be specified, with the destination port fixed at 0 (a wildcard). This addition gives more control over the command and supports protocols where the destination port is known but the source port is not.

The established command can open a large security hole in the PIX Firewall if not used with discretion. Whenever you use this command, also use the permitto and permitfrom options, wherever possible, to indicate the ports to which and from which access is permitted. Without these options, any external system to which a matching connection is made can open unrestricted connections back to the internal host involved in that connection, on any port and with any protocol, for as long as the original connection exists. The following are examples of potentially serious security violations that the established command can allow:
established tcp 4000 0

In this example, if an internal system makes a TCP connection to port 4000 on an external host, that external host can come back in on any port using any protocol. The following is broader still, and matches every outbound TCP connection:
established tcp 0 0

(This is the same as the established tcp 0 command of previous releases.)


Examples

The following example applies when local host 10.1.1.1 starts a TCP connection to port 9999 on foreign host 209.165.201.1. It allows packets from foreign host 209.165.201.1, source port 4242, back to local host 10.1.1.1 on port 5454:
established tcp 9999 permitto tcp 5454 permitfrom tcp 4242

The next example allows packets from foreign host 209.165.201.1 on any port back to local host 10.1.1.1 on port 5454:
established tcp 9999 permitto tcp 5454
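The matching rule spelled out in the Usage Guidelines and the hole described under Security Problem are easiest to reason about when the lookup is written down as code. The following Python is an added example, not Cisco code: it parses established statements in the form shown on this page (protocol, destination port, optional source port, then permitto and permitfrom), decides whether a given return connection would be admitted on the strength of an existing outbound connection, and lists the statements that lack both refinement options. Port 0 is treated as a wildcard as in the syntax description; the connections used below are constructed inputs, not traffic the reference describes.

```python
"""Model of the PIX 'established' lookup.  Added example (not Cisco code).
A return connection is admitted when an existing outbound connection matches
the rule's protocol/dest_port/src_port and the return traffic satisfies the
permitto (destination at the internal host) and permitfrom (source at the
external host) refinements.  No refinements means anything goes."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRange = Tuple[int, int]  # inclusive


@dataclass(frozen=True)
class Conn:
    proto: str      # "tcp" or "udp"
    src_port: int   # port at the host that opened the connection
    dst_port: int   # port at the host that received it


@dataclass(frozen=True)
class EstablishedRule:
    proto: str
    dest_port: int                                       # 0 = wildcard
    src_port: int = 0                                    # 0 = wildcard
    permitto: Optional[Tuple[str, PortRange]] = None     # proto, ports at internal host
    permitfrom: Optional[Tuple[str, PortRange]] = None   # proto, ports at external host


def _port_range(text: str) -> PortRange:
    """'6061' -> (6061, 6061); '1024-65535' -> (1024, 65535)."""
    lo, _, hi = text.partition("-")
    return (int(lo), int(hi or lo))


def parse_established(line: str) -> EstablishedRule:
    """Parse e.g. 'established tcp 6060 0 permitto tcp 6061 permitfrom tcp 6059'."""
    tok = line.split()
    if tok and tok[0] == "established":
        tok = tok[1:]
    proto, dest = tok[0].lower(), int(tok[1])
    i, src = 2, 0
    if i < len(tok) and tok[i].isdigit():          # optional src_port
        src, i = int(tok[i]), i + 1
    permitto = permitfrom = None
    while i < len(tok):                            # keyword proto port[-port]
        kw, p, ports = tok[i].lower(), tok[i + 1].lower(), _port_range(tok[i + 2])
        if kw == "permitto":
            permitto = (p, ports)
        elif kw == "permitfrom":
            permitfrom = (p, ports)
        else:
            raise ValueError(f"unexpected token {kw!r}")
        i += 3
    return EstablishedRule(proto, dest, src, permitto, permitfrom)


def _in_range(port: int, rng: PortRange) -> bool:
    return rng[0] <= port <= rng[1]


def matches_original(rule: EstablishedRule, conn: Conn) -> bool:
    """Does an existing outbound connection satisfy the lookup (0 = any)?"""
    return (conn.proto == rule.proto
            and rule.dest_port in (0, conn.dst_port)
            and rule.src_port in (0, conn.src_port))


def return_permitted(rule: EstablishedRule, original: Conn, ret: Conn) -> bool:
    """Would the PIX admit `ret`, a new inbound connection from the external
    peer of `original`?  ret.src_port is the external host's port and
    ret.dst_port the port at the internal host."""
    if not matches_original(rule, original):
        return False
    if rule.permitto is not None:
        proto, ports = rule.permitto
        if ret.proto != proto or not _in_range(ret.dst_port, ports):
            return False
    if rule.permitfrom is not None:
        proto, ports = rule.permitfrom
        if ret.proto != proto or not _in_range(ret.src_port, ports):
            return False
    return True                                    # no refinements: wide open


def unrestricted_rules(lines: List[str]) -> List[str]:
    """Audit helper: the statements with neither permitto nor permitfrom."""
    return [ln for ln in lines
            if (r := parse_established(ln)).permitto is None and r.permitfrom is None]
```

Run unrestricted_rules() over the established lines from a saved configuration to find the statements the Security Problem section warns about; return_permitted() lets you test a proposed rule against the specific back-connection a protocol needs before committing it.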

XDMCP Support

The PIX Firewall supports XDMCP (X Display Manager Control Protocol) with assistance from the established command. XDMCP is on by default, but will not complete the session unless the established command is used. For example:
established tcp 6000 0 permitto tcp 6000 permitfrom tcp 1024-65535

This enables internal XDMCP-equipped (UNIX or ReflectionX) hosts to access external XDMCP-equipped X Window servers. UDP/177-based XDMCP negotiates a TCP-based X Window session, and the subsequent TCP back connections are then permitted. Because the source port(s) of the return traffic are unknown, the src_port field should be specified as 0 (wildcard). The destination port, dest_port, will typically be 6000, the well-known X server port; more precisely it is 6000 + n, where n is the local display number. Use the following UNIX command to change this value:
setenv DISPLAY hostname:displaynumber.screennumber

The established command is needed because many TCP connections are generated (based on user interaction) and the source port for these connections is unknown; only the destination port is static. The PIX Firewall performs the XDMCP fixup transparently: no configuration is required, but the established command is necessary to accommodate the TCP session. Be advised that passing applications like this through the PIX Firewall may open security holes. The X Window system has been exploited in the past, and new exploits are likely to be discovered.

exit
Exit an access mode. (All modes.)
Quit current mode with the command... exit
Enter another mode with the command... enable

Syntax Description

exit
    Exits the current access mode.
enable
    Enables privileged mode.

Usage Guidelines

Use the exit command to exit from an access mode. This command is the same as the quit command.


Examples

The following example shows how to exit configuration mode and then privileged mode:
pixfirewall(config)# exit
pixfirewall# exit
pixfirewall>

failover
Change or view access to the optional failover feature. (Configuration mode.)

Configure with the command...                        Remove with the command...
failover [active]                                    no failover [active]
failover ip address if_name ip_address               N/A
failover lan unit primary | secondary                no failover lan unit primary | secondary
failover lan interface if_name                       no failover lan interface if_name
failover lan key key_secret                          no failover lan key key_secret
failover lan enable                                  no failover lan enable
failover link [stateful_if_name]                     no failover link
failover mac address mif_name act_mac stn_mac        no failover mac address mif_name act_mac stn_mac
failover poll seconds                                N/A
failover replicate http                              no failover replicate http
failover reset                                       N/A

Show command options show failover [lan [detail]]

Show command output Displays failover configuration information, including which unit is active.

Syntax Description

act_mac
    The interface MAC address for the active PIX Firewall.
active
    Make a PIX Firewall the active unit. Use this command when you need to force control of the connection back to the unit you are accessing, such as when you want to switch control back from a unit after you have fixed a problem and want to restore service to the primary unit. Either enter the no failover active command on the secondary unit to switch service to the primary, or enter the failover active command on the primary unit.
detail
    Displays LAN-based failover configuration information.
enable
    Enables LAN-based failover; otherwise, serial cable failover is used.
if_name
    The interface name for the failover IP address.
ip_address
    The IP address used by the standby unit to communicate with the active unit. Use this IP address with the ping command to check the status of the standby unit. This address must be on the same network as the system IP address. For example, if the system IP address is 192.159.1.3, set the failover IP address to 192.159.1.4.
key
    Enables encryption and authentication of LAN-based failover messages between PIX Firewalls.
key_secret
    The shared secret key.
lan
    Specifies LAN-based failover.
lan interface
    Specifies the interface parameters for LAN-based failover.
link
    Specifies the interface where a fast LAN link is available for Stateful Failover.
mif_name
    The name of the interface on which to set the MAC address.
poll seconds
    Specifies how long failover waits before sending special failover hello packets between the primary and standby units over all network interfaces and the failover cable. The default is 15 seconds. The minimum value is 3 seconds and the maximum is 15 seconds. Set a lower value for Stateful Failover. With a faster poll time, the PIX Firewall can detect failure and trigger failover sooner. However, faster detection may cause unnecessary switchovers when the network is temporarily congested or a network card starts slowly.
primary
    Specifies the primary PIX Firewall to use for LAN-based failover.
replicate http
    The [no] failover replicate http command allows the stateful replication of HTTP sessions in a Stateful Failover environment. The no form of this command disables HTTP replication in a Stateful Failover configuration. When HTTP replication is enabled, the show failover command displays the failover replicate http command configuration.
reset
    Forces both units back to an unfailed state. Use this command once the fault has been corrected. The failover reset command can be entered from either unit, but it is best to always enter commands at the active unit. Entering the failover reset command at the active unit will unfail the standby unit.
secondary
    Specifies the secondary PIX Firewall to use for LAN-based failover.
stateful_if_name
    In addition to the failover cable, a dedicated fast LAN link is required to support Stateful Failover. The default interface is the highest LAN port with failover configured.
stn_mac
    The interface MAC address for the standby PIX Firewall.

Usage Guidelines

The default failover setup uses serial cable failover. LAN-based failover requires explicit LAN-based failover configuration. Additionally, for LAN-based failover, you must install a dedicated 100 Mbps or Gigabit Ethernet, full-duplex VLAN switch connection for failover operations. Failover is not supported using a crossover Ethernet cable between two PIX Firewall units.

Note

The PIX 506/506E cannot be used for failover in any configuration. The primary unit in a PIX 515/515E, PIX 525, or PIX 535 failover pair must have an Unrestricted (UR) license; the secondary unit can have a Failover (FO) or UR license. Otherwise the two units must be identical, with the same PIX Firewall hardware and software.

For a Stateful Failover link, use the mtu command to set the interface maximum transmission unit (MTU) to 1500 bytes or greater.

For serial cable failover, use the failover command without an argument after you connect the optional failover cable between your primary and secondary PIX Firewall. The default configuration has failover enabled; enter no failover in the configuration file if you will not be using the failover feature. Use the show failover command to verify the status of the connection and to determine which unit is active.


For LAN-based failover, use the failover lan commands. The show failover lan command displays LAN-based failover information (only), and show failover lan detail supplies debugging information for your LAN-based failover configuration.

Note

See Chapter 8, Using PIX Firewall Failover, in the Cisco PIX Firewall and VPN Configuration Guide for configuration information.

For failover, the PIX Firewall requires that you configure any unused interfaces with one of the following methods:
- Set the IP address to 127.0.0.1 and the failover ip address to 0.
- Disable the interface.

Set the speed of the Stateful Failover dedicated interface to 100full for a Fast Ethernet interface or 1000fullsx for a Gigabit Ethernet interface.

Use the failover active command on the standby unit, or the no failover active command on the active unit, to initiate a failover switch. You can use this feature to return a failed unit to service, or to force an active unit off line for maintenance. Unless Stateful Failover is configured, the standby unit does not keep state information on each connection, so all active connections are dropped and must be re-established by the clients.

Use the failover link command to enable Stateful Failover. Enter the no failover link command to disable it.

If a failover IP address has not been entered, the show failover command displays 0.0.0.0 for the IP address, and interface monitoring remains in the waiting state. A failover IP address must be set for failover to work.

The failover mac address command configures a virtual MAC address for a PIX Firewall failover pair. After failover, the PIX Firewall uses the virtual MAC address stored in its configuration instead of obtaining a MAC address by contacting its failover peer, so the pair keeps the correct MAC addresses after failover. If a virtual MAC address is not specified, the pair uses the burned-in network interface card (NIC) address. The failover mac address command is unnecessary (and therefore cannot be used) on an interface configured for LAN-based failover, because the failover lan interface command does not change the IP and MAC addresses when failover occurs.

When adding the failover mac address command to your configuration, configure the virtual MAC address, save the configuration to Flash memory, and then reload the PIX Firewall pair. If the virtual MAC address is added while there are active connections, those connections stop. You must also write the complete PIX Firewall configuration, including the failover mac address command, into the Flash memory of the secondary PIX Firewall for the virtual MAC addressing to take effect.

The failover poll seconds command determines how long failover waits before sending special failover hello packets between the primary and standby units over all network interfaces and the failover cable. The default is 15 seconds; the minimum is 3 seconds and the maximum is 15 seconds. Set a lower value for Stateful Failover. With a faster poll time, the PIX Firewall can detect failure and trigger failover sooner, but faster detection may cause unnecessary switchovers when the network is temporarily congested or a network card starts slowly.

When a failover cable connects two PIX Firewall units, the no failover command now disables failover until you enter the failover command to explicitly enable it. Previously, when the failover cable connected two units and you entered the no failover command, failover re-enabled automatically after 15 seconds.


You can also view the information from the show failover command using SNMP. Refer to Using the Firewall and Memory Pool MIBs in Chapter 7, PIX Firewall System Management of the Cisco PIX Firewall and VPN Configuration Guide for more information. A failover configuration example is provided in Chapter 8, Using PIX Firewall Failover of the Cisco PIX Firewall and VPN Configuration Guide.
Usage Notes

1. LAN-based failover requires a dedicated interface, but the same interface can also be used for Stateful Failover. However, the interface needs enough capacity to handle both the LAN-based failover and Stateful Failover traffic; otherwise, use two separate dedicated interfaces.

2. If you reboot the PIX Firewall without entering the write memory command and the failover cable is connected, failover mode automatically enables.

Examples

Serial Cable (Default) Failover

The following sample output shows that failover is enabled, and that the primary unit state is active:
pixfirewall(config)# show failover
Failover On
Cable status:Normal
Reconnect timeout 0:00:00
Poll frequency 15 seconds
failover replication http
This host:Secondary - Standby
        Active time:0 (sec)
        Interface FailLink (172.16.31.2):Normal
        Interface 4th (172.16.16.1):Normal
        Interface int5 (192.168.168.1):Normal
        Interface intf2 (192.168.1.1):Normal
        Interface outside (209.165.200.225):Normal
        Interface inside (10.1.1.4):Normal
Other host:Primary - Active
        Active time:242145 (sec)
        Interface FailLink (172.16.31.1):Normal

The rest of the command output is omitted. The Cable status field has these values:
Normal: Indicates that the active unit is working and that the standby unit is ready.
Waiting: Indicates that monitoring of the other unit's network interfaces has not yet started.
Failed: Indicates that the PIX Firewall has failed.

The Stateful Obj columns have these values:
Xmit: The number of packets transmitted.
Xerr: The number of transmit errors.
Rcv: The number of packets received.
Rerr: The number of receive errors.
General: The sum of all stateful objects.
Sys cmd: Logical update system commands, such as login or stay alive.

Each row gives the counts for a particular object:



Up time: The PIX Firewall up time, which the active unit passes on to the standby unit.
Xlate: The PIX Firewall translation information.
Tcp conn: The PIX Firewall dynamic TCP connection information.
Udp conn: The PIX Firewall dynamic UDP connection information.
ARP tbl: The PIX Firewall dynamic ARP table information.
RIF tbl: The dynamic router table information.

The Standby Logical Update Statistics output displayed when you use the show failover command only describes Stateful Failover. The xerrs value does not indicate an error in failover, but rather the number of packet transmit errors. You can view the IP addresses of the standby unit with the show ip address command:
show ip address
System IP Addresses:
        ip address outside 209.165.201.2 255.255.255.224
        ip address inside 192.168.2.1 255.255.255.0
        ip address perimeter 192.168.70.3 255.255.255.0
Current IP Addresses:
        ip address outside 209.165.201.2 255.255.255.224
        ip address inside 192.168.2.1 255.255.255.0
        ip address perimeter 192.168.70.3 255.255.255.0

The Current IP Addresses are the same as the System IP Addresses on the failover active unit. When the primary unit fails, the Current IP Addresses become those of the standby unit.
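Operators usually want the state in the show failover output above surfaced by a monitoring job rather than read by eye: which unit is active, whether the cable is Normal, and whether any monitored interface has dropped to Waiting or Failed. The following Python is an added example, not Cisco code. It parses the output format shown in the example (Failover On/Off, Cable status, Poll frequency, the This host / Other host blocks and their Interface lines) and returns the findings a practitioner would alert on. The sample text is constructed from the reference's output, with one interface on the other host set to Waiting so that the check has something to report.

```python
"""Parse PIX 'show failover' output and flag anything not Normal.
Added example (not Cisco code); field names follow the reference output."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class FailoverStatus:
    enabled: bool
    cable_status: str
    poll_seconds: Optional[int]
    this_host: str                      # e.g. "Secondary - Standby"
    other_host: str                     # e.g. "Primary - Active"
    # host block ("this" / "other") -> {interface name: status}
    interfaces: Dict[str, Dict[str, str]] = field(default_factory=dict)


def parse_show_failover(text: str) -> FailoverStatus:
    enabled = re.search(r"^Failover (On|Off)", text, re.M)
    cable = re.search(r"Cable status:\s*(\w+)", text)
    poll = re.search(r"Poll frequency\s+(\d+)\s+seconds", text)
    this_host = re.search(r"This host:\s*(.+)", text)
    other = re.search(r"Other host:\s*(.+)", text)
    st = FailoverStatus(
        enabled=bool(enabled and enabled.group(1) == "On"),
        cable_status=cable.group(1) if cable else "Unknown",
        poll_seconds=int(poll.group(1)) if poll else None,
        this_host=this_host.group(1).strip() if this_host else "Unknown",
        other_host=other.group(1).strip() if other else "Unknown",
    )
    # Interface lines belong to whichever host block preceded them.
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("This host:"):
            section = "this"
        elif line.startswith("Other host:"):
            section = "other"
        m = re.match(r"Interface (\S+) \(([\d.]+)\):\s*(\w+)", line)
        if m and section:
            st.interfaces.setdefault(section, {})[m.group(1)] = m.group(3)
    return st


def active_unit(st: FailoverStatus) -> Optional[str]:
    """'Primary' or 'Secondary', whichever block reports state Active."""
    for desc in (st.this_host, st.other_host):
        role, _, state = desc.partition(" - ")
        if state.strip() == "Active":
            return role.strip()
    return None


def problems(st: FailoverStatus) -> List[str]:
    """Conditions worth an alert: failover off, cable not Normal, or any
    interface still Waiting or already Failed."""
    out = []
    if not st.enabled:
        out.append("failover is off")
    if st.cable_status != "Normal":
        out.append(f"cable status {st.cable_status}")
    for host, ifs in st.interfaces.items():
        for name, status in ifs.items():
            if status != "Normal":
                out.append(f"{host} host: interface {name} is {status}")
    return out


# Constructed sample based on the reference output; the last line is
# altered to Waiting to exercise the check.
SAMPLE = """pixfirewall(config)# show failover
Failover On
Cable status:Normal
Reconnect timeout 0:00:00
Poll frequency 15 seconds
failover replication http
This host:Secondary - Standby
        Active time:0 (sec)
        Interface FailLink (172.16.31.2):Normal
        Interface outside (209.165.200.225):Normal
        Interface inside (10.1.1.4):Normal
Other host:Primary - Active
        Active time:242145 (sec)
        Interface FailLink (172.16.31.1):Normal
        Interface outside (209.165.200.226):Normal
        Interface inside (10.1.1.3):Waiting
"""

if __name__ == "__main__":
    status = parse_show_failover(SAMPLE)
    print("active unit:", active_unit(status))
    for p in problems(status):
        print("ALERT:", p)
```

A Waiting interface on a pair that has been up for a while usually means the failover IP address for that interface was never set (the reference notes monitoring stays in the waiting state until it is), which is worth catching before the first real failover.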
LAN-Based Failover

To make sure LAN-based failover starts properly, follow these configuration steps:
Step 1  Configure the primary PIX Firewall unit before connecting the failover LAN interface.
Step 2  Save the primary unit configuration to Flash memory.
Step 3  Configure the secondary PIX Firewall unit using the appropriate failover lan commands before connecting the LAN-based failover interface.
Step 4  Save the secondary unit configuration to Flash memory.
Step 5  Reboot both units and connect the LAN-based failover interfaces to the designated failover switch, hub, or VLAN.
Step 6  If any item in a failover lan command needs to be changed, disconnect the LAN-based failover interface and repeat the preceding steps.

Note

When properly configured, the LAN-based failover configurations for your primary and secondary PIX Firewall units should be different, reflecting which is primary and which is secondary. The following example outlines how to configure LAN-based failover between two PIX Firewall units.

Primary PIX Firewall configuration:
:
pix(config)# nameif ethernet0 outside security0
pix(config)# nameif ethernet1 inside security100
pix(config)# nameif ethernet2 stateful security20
pix(config)# nameif ethernet3 lanlink security30
:
pix(config)# interface ethernet0 100full
pix(config)# interface ethernet1 100full
pix(config)# interface ethernet2 100full
pix(config)# interface ethernet3 100full
pix(config)# interface ethernet4 100full
:
pix(config)# ip address outside 172.23.58.70 255.255.255.0
pix(config)# ip address inside 10.0.0.2 255.255.255.0
pix(config)# ip address stateful 10.0.1.2 255.255.255.0
pix(config)# ip address lanlink 10.0.2.2 255.255.255.0
pix(config)# failover ip address outside 172.23.58.51
pix(config)# failover ip address inside 10.0.0.4
pix(config)# failover ip address stateful 10.0.1.4
pix(config)# failover ip address lanlink 10.0.2.4
pix(config)# failover
pix(config)# failover poll 15
pix(config)# failover lan unit primary
pix(config)# failover lan interface lanlink
pix(config)# failover lan key 12345678
pix(config)# failover lan enable
:

Secondary PIX Firewall configuration:

pix2(config)# nameif ethernet3 lanlink security30
pix2(config)# interface ethernet3 100full
pix2(config)# ip address lanlink 10.0.2.2 255.255.255.0
pix2(config)# failover ip address lanlink 10.0.2.4
pix2(config)# failover
pix2(config)# failover lan unit secondary (optional)
pix2(config)# failover lan interface lanlink
pix2(config)# failover lan key 12345678
pix2(config)# failover lan enable

The following example illustrates how to use the failover mac address command:
ip address outside 172.23.58.50 255.255.255.224
ip address inside 192.168.2.11 255.255.255.0
ip address intf2 192.168.10.11 255.255.255.0
failover
failover ip address outside 172.23.58.51
failover ip address inside 192.168.2.12
failover ip address intf2 192.168.10.12
failover mac address outside 00a0.c989.e481 00a0.c969.c7f1
failover mac address inside 00a0.c976.cde5 00a0.c922.9176
failover mac address intf2 00a0.c969.87c8 00a0.c918.95d8
failover link intf2
...

The output of the show failover command includes a section for LAN-based failover if it is enabled as follows:
pix(config)# show failover
Failover On
Cable status: Unknown
Reconnect timeout 0:00:00
Poll frequency 15 seconds
        This host: Primary - Standby
                Active time: 255 (sec)
                Interface outside (192.168.1.232): Normal
                Interface inside (192.168.5.2): Normal
        Other host: Secondary - Active
                Active time: 256305 (sec)
                Interface outside (192.168.1.231): Normal
                Interface inside (192.168.5.1): Normal

Stateful Failover Logical Update Statistics
        Link : Unconfigured.

Lan Based Failover is Active
        interface dmz (171.69.39.200): Normal, peer (171.69.39.201): Normal

The show failover lan command displays only the LAN-based failover section, as follows:
pix(config)# show failover lan
Lan Based Failover is Active
        interface dmz (171.69.39.200): Normal, peer (171.69.39.201): Normal

The show failover lan detail command is used mainly for debugging purposes and displays information similar to the following:
pix(config)# show failover lan detail
Lan Failover is Active
This Pix is Primary
Command Interface is dmz
Peer Command Interface IP is 171.69.39.201
My interface status is 0x1
Peer interface status is 0x1
Peer interface downtime is 0x0
Total msg send: 103093, rcvd: 103031, droped: 0, retrans: 13, send_err: 0
Total/Cur/Max of 51486:0:5 msgs on retransQ
msgs on retransQ if any
LAN FO cmd queue, count: 0, head: 0x0, tail: 0x0
Failover config state is 0x5c
Failover config poll cnt is 0
Failover pending tx msg cnt is 0
Failover Fmsg cnt is 0
:
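The show failover output above is what an operator polls to confirm that a pair is healthy. The following is an added example, not Cisco code: a small Python checker that parses that output (the SAMPLE_OK transcript is constructed to follow the layout shown on this page; the field names and indentation are assumed to match it) and reports the conditions worth alerting on: failover off, no unit or more than one unit Active, an interface that is not Normal, or LAN-based failover not Active.

```python
"""Health check over `show failover` output from a PIX pair.

Added example for this reference; it is not Cisco code. SAMPLE_OK is a
constructed transcript that follows the show failover layout shown on this
page; the field names and indentation are assumed to match that layout.
"""
import re

# Constructed sample modelled on the show failover output above.
SAMPLE_OK = """\
Failover On
Cable status: Unknown
Reconnect timeout 0:00:00
Poll frequency 15 seconds
        This host: Primary - Standby
                Active time: 255 (sec)
                Interface outside (192.168.1.232): Normal
                Interface inside (192.168.5.2): Normal
        Other host: Secondary - Active
                Active time: 256305 (sec)
                Interface outside (192.168.1.231): Normal
                Interface inside (192.168.5.1): Normal
Stateful Failover Logical Update Statistics
        Link : Unconfigured.
Lan Based Failover is Active
        interface dmz (171.69.39.200): Normal, peer (171.69.39.201): Normal
"""

ON_RE = re.compile(r"^Failover (On|Off)\b")
HOST_RE = re.compile(r"^\s*(This|Other) host:\s*(Primary|Secondary)\s*-\s*(\w+)")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\):\s*(\w+)")  # capital I: per-unit lines only
LAN_RE = re.compile(r"^Lan Based Failover is (\w+)")


def parse_failover(text):
    """Return {'on': bool, 'hosts': [...], 'lan': state or None} from show failover text."""
    result = {"on": False, "hosts": [], "lan": None}
    current = None
    for line in text.splitlines():
        m = ON_RE.match(line)
        if m:
            result["on"] = m.group(1) == "On"
            continue
        m = HOST_RE.match(line)
        if m:
            current = {"which": m.group(1), "unit": m.group(2),
                       "state": m.group(3), "interfaces": []}
            result["hosts"].append(current)
            continue
        m = IFACE_RE.match(line)
        if m and current is not None:
            current["interfaces"].append((m.group(1), m.group(2), m.group(3)))
            continue
        m = LAN_RE.match(line)
        if m:
            result["lan"] = m.group(1)
    return result


def failover_problems(text):
    """Return a list of problem strings; an empty list means the pair looks healthy.

    Checks: failover is on, exactly one unit is Active (two Active units means
    both think they own the addresses; none means nothing is forwarding),
    every interface is Normal, and LAN-based failover, if present, is Active.
    """
    fo = parse_failover(text)
    problems = []
    if not fo["on"]:
        problems.append("failover is off")
    states = [h["state"] for h in fo["hosts"]]
    if states.count("Active") != 1:
        problems.append("expected exactly one Active unit, saw %r" % states)
    for h in fo["hosts"]:
        for name, ip, status in h["interfaces"]:
            if status != "Normal":
                problems.append("%s host (%s) interface %s (%s) is %s"
                                % (h["which"], h["unit"], name, ip, status))
    if fo["lan"] is not None and fo["lan"] != "Active":
        problems.append("LAN-based failover is %s" % fo["lan"])
    return problems


if __name__ == "__main__":
    print(failover_problems(SAMPLE_OK) or "failover pair healthy")
```

Feed it the captured text of show failover from whichever unit you poll; the check is symmetric, so it does not matter whether the primary or the secondary is currently Active.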

filter
Enables, disables, or displays URL, Java, or ActiveX filtering. (Configuration mode.)

Configure with the command...
  filter activex port local_ip mask foreign_ip mask
  filter java port[-port] local_ip mask foreign_ip mask
  filter url [http | port[-port]] local_ip local_mask foreign_ip foreign_mask [allow] [proxy-block] [longurl-truncate | longurl-deny] [cgi-truncate]
  filter url except local_ip local_mask foreign_ip foreign_mask
  filter url port | except local_ip mask foreign_ip mask [allow] [proxy-block] [longurl-truncate | longurl-deny] [cgi-truncate]

Remove with the command...
  no filter activex port local_ip mask foreign_ip mask
  no filter java port[-port] local_ip mask foreign_ip mask
  no filter url [http | port[-port]] local_ip local_mask foreign_ip foreign_mask [allow] [proxy-block] [longurl-truncate | longurl-deny] [cgi-truncate]
  no filter url except local_ip local_mask foreign_ip foreign_mask
  no filter url port | except local_ip mask foreign_ip mask [allow] [proxy-block] [longurl-truncate | longurl-deny] [cgi-truncate]
  clear filter

Show command options
  show filter

Show command output
  Displays all filter commands in the configuration.

Syntax Description

activex           Block outbound ActiveX, Java applets, and other HTML <object> tags from outbound packets.
allow             filter url only: When the server is unavailable, let outbound connections pass through PIX Firewall without filtering. If you omit this option, and if the N2H2 or Websense server goes off line, PIX Firewall stops outbound port 80 (Web) traffic until the N2H2 or Websense server is back on line.
cgi-truncate      Sends a CGI script as a URL.
except            filter url only; creates an exception to a previous filter condition.
foreign_ip        The IP address of the lowest security level interface to which access is sought. You can use 0.0.0.0 (or in shortened form, 0) to specify all hosts.
foreign_mask      Network mask of foreign_ip. Always specify a specific mask value. You can use 0.0.0.0 (or in shortened form, 0) to specify all hosts.
http              Specifies port 80. You can enter http or www instead of 80 to specify port 80.
java              Specifies to filter out Java applets returning from an outbound connection.
local_ip          The IP address of the highest security level interface from which access is sought. You can set this address to 0.0.0.0 (or in shortened form, 0) to specify all hosts.
local_mask        Network mask of local_ip. You can use 0.0.0.0 (or in shortened form, 0) to specify all hosts.
longurl-deny      Denies the URL request if the URL is over the URL buffer size limit or the URL buffer is not available.
longurl-truncate  Sends only the originating hostname or IP address to the Websense server if the URL is over the URL buffer limit.
mask              Any mask.
port              The port that receives Internet traffic on the PIX Firewall. Typically, this is port 80, but other values are accepted. The http or url literal can be used for port 80.
proxy-block       Prevents users from connecting to an HTTP proxy server.
url               Filter Universal Resource Locators (URLs) from data moving through the PIX Firewall.


Usage Guidelines

The clear filter command removes all filter commands from the configuration.
filter activex

The filter activex command filters out ActiveX, Java applets, and other HTML <object> usages from outbound packets. ActiveX controls, formerly known as OLE or OCX controls, are components you can insert in a web page or other application. These controls include custom forms, calendars, or any of the extensive third-party forms for gathering or displaying information. As a technology, ActiveX creates many potential problems for network clients: it can cause workstations to fail, introduce network security problems, or be used to attack servers. This feature blocks the HTML <object> tag by commenting it out within the HTML web page.

Note

The <object> tag is also used for Java applets, image files, and multimedia objects, which will also be blocked by the filter activex command. The blocking is a best-effort content rewrite: if the <object> or </object> HTML tags are split across network packets, or if the code in the tags is longer than the number of bytes in the MTU, the PIX Firewall cannot block the tag. ActiveX blocking does not occur when users access an IP address referenced by the alias command. To specify that all outbound connections have ActiveX blocking, use the following command:
filter activex 80 0 0 0 0

This command specifies that the ActiveX blocking applies to Web traffic on port 80 from any local host and for connections to any foreign host.
filter java

The filter java command filters out Java applets that return to the PIX Firewall from an outbound connection. The user still receives the HTML page, but the web page source for the applet is commented out so that the applet cannot execute. Use 0 for the local_ip or foreign_ip IP addresses to mean all hosts.

Note

If Java applets are known to be in <object> tags, use the filter activex command to remove them. To specify that all outbound connections have Java applet blocking, use the following command:
filter java 80 0 0 0 0

This command specifies that the Java applet blocking applies to Web traffic on port 80 from any local host and for connections to any foreign host.
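Both filter activex and filter java work by commenting out the offending HTML inside the returned page, and the Note above explains why a tag that straddles a packet boundary is not caught. The following added example (not PIX code; a simplified model that rewrites one packet payload at a time, which is how this page describes the limitation) shows the comment-out on a constructed page and then shows the same page slipping through when the <object> element is split across two packets.

```python
"""Model of the per-packet <object> comment-out done by filter activex / filter java,
and why a tag split across packets is not blocked.

Added example, not PIX code. The real firewall rewrites HTML in the TCP stream;
this model rewrites each packet payload on its own, which is the behaviour the
Note on this page describes for tags that straddle packet boundaries.
"""
import re

OBJECT_RE = re.compile(r"<object\b.*?</object>", re.IGNORECASE | re.DOTALL)


def filter_packet(payload):
    """Comment out every complete <object>...</object> element inside ONE packet payload."""
    return OBJECT_RE.sub(lambda m: "<!-- " + m.group(0) + " -->", payload)


def filter_stream(packets):
    """Apply filter_packet to each packet independently and reassemble the page."""
    return "".join(filter_packet(p) for p in packets)


def count_live_objects(html):
    """Count <object> elements that survive filtering (i.e. are not inside an HTML comment)."""
    without_comments = re.sub(r"<!--.*?-->", "", html, flags=re.DOTALL)
    return len(OBJECT_RE.findall(without_comments))


# Constructed page carrying one ActiveX control.
PAGE = ('<html><body><p>hello</p>'
        '<object classid="clsid:12345678-0000-0000-0000-000000000000"></object>'
        '</body></html>')

if __name__ == "__main__":
    whole = filter_stream([PAGE])                 # tag arrives in one packet: blocked
    split = filter_stream([PAGE[:40], PAGE[40:]])  # tag split at byte 40: survives
    print("one packet, live objects:", count_live_objects(whole))
    print("split packets, live objects:", count_live_objects(split))
```

The split case is the practical caveat: treat these filters as a nuisance reduction for ordinary pages, not as a guarantee against a server that deliberately fragments its response.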
filter url

The filter url command lets you prevent outbound users from accessing World Wide Web URLs that you designate using the N2H2 or Websense filtering application. The allow option to the filter command determines how the PIX Firewall behaves in the event that the N2H2 or Websense server goes off line. If you use the allow option with the filter command and the N2H2 or Websense server goes offline, port 80 traffic passes through the PIX Firewall without filtering. Used without the allow option and with the server off line, PIX Firewall stops outbound port 80 (Web) traffic until the server is back on line, or if another URL server is available, passes control to the next URL server.


Note

With the allow option set, PIX Firewall now passes control to an alternate server if the N2H2 or Websense server goes off line. The N2H2 or Websense server works with the PIX Firewall to deny users from access to websites based on the company security policy. Websense protocol version 4 enables group and username authentication between a host and a PIX Firewall. The PIX Firewall performs a username lookup, and then Websense server handles URL filtering and username logging. The N2H2 server must be a Windows workstation (2000, NT, or XP), running an IFP Server, with a recommended minimum of 512 MB of RAM. Also, the long URL support for the N2H2 service is capped at 3 KB, less than the cap for Websense. Websense protocol version 4 contains the following enhancements:

- URL filtering allows the PIX Firewall to check outgoing URL requests against the policy defined on the Websense server.
- Username logging tracks username, group, and domain name on the Websense server.
- Username lookup enables the PIX Firewall to use the user authentication table to map the host's IP address to the username.

Follow these steps to filter URLs:


Step 1  Designate an N2H2 or Websense server with the appropriate vendor-specific form of the url-server command.
Step 2  Enable filtering with the filter command.
Step 3  If needed, improve throughput with the url-cache command. However, this command does not update Websense logs, which may affect Websense accounting reports. Accumulate Websense run logs before using the url-cache command.
Step 4  Use the show url-cache stats and the show perfmon commands to view run information.

Information on Websense is available at the following website: http://www.websense.com/

Examples

The following example filters all outbound HTTP connections except those from the 10.0.2.54 host:
url-server (perimeter) host 10.0.1.1
filter url 80 0 0 0 0
filter url except 10.0.2.54 255.255.255.255 0 0

The following example blocks all outbound HTTP connections destined to a proxy server that listens on port 8080:
filter url 8080 0 0 0 0 proxy-block


fixup protocol
Modifies PIX Firewall protocol fixups to add, delete, or change services and feature defaults. (Configuration mode.)

Configure with the command...
  fixup protocol ftp [strict] [port]
  fixup protocol http [port[-port]]
  fixup protocol h323 {h225 | ras} port [-port]
  fixup protocol ils [port[-port]]
  fixup protocol rsh [514]
  fixup protocol rtsp [port]
  fixup protocol sip [5060]
  fixup protocol skinny [2000]
  fixup protocol smtp [port[-port]]
  fixup protocol sqlnet [port[-port]]
  fixup protocol skinny port [-port]

Remove with the command...
  no fixup protocol [protocol_name] [port]
  clear fixup
  no fixup protocol h323 {h225 | ras} port [-port]

Show command options
  show fixup
  show fixup protocol protocol [protocol]
  show conn state [sip]
  show timeout sip

Show command output
  show fixup                                  Displays the current fixup configuration and port values.
  show fixup protocol protocol [protocol]     Displays the port values for the individual protocol specified.
  show conn state [sip]                       Displays the connection state of the designated protocol.
  show timeout sip                            Displays the timeout value of the designated protocol.

Syntax Description

fixup protocol protocol [protocol] [port[-port]]
                  Modifies PIX Firewall protocol fixups to add, delete, or change services and feature defaults.
ftp               Specifies to change the ftp port number.
h323 ras          Specifies to use RAS with H.323 to enable dissimilar communication devices to communicate with each other. H.323 defines a common set of CODECs, call setup and negotiating procedures, and basic data transport methods.
h323 h225         Specifies to use H.225, the ITU standard that governs H.225.0 session establishment and packetization, with H.323. H.225.0 actually describes several different protocols: RAS, use of Q.931, and use of RTP.
http [port[-port]]
                  The default port for HTTP is 80. Use the port option to change the HTTP port, or the port-port option to specify a range of HTTP ports.
ils               Specifies the Internet Locator Service. Provides support for Microsoft NetMeeting, SiteServer, and Active Directory products that use LDAP to exchange directory information with an ILS server. The default port is TCP LDAP server port 389.
no                Disables the fixup of a protocol by removing all fixups of the protocol from the configuration using the no fixup command. After removing all fixups for a protocol, the no fixup form of the command or the default port is stored in the configuration.
port              Specify the port number or range for the application protocol; this is the port over which the designated protocol travels. The default ports are: TCP 21 for ftp, TCP LDAP server port 389 for ils, TCP 80 for http, TCP 1720 for h323 h225, UDP 1718-1719 for h323 ras, TCP 514 for rsh, TCP 554 for rtsp, TCP 2000 for skinny, TCP 25 for smtp, TCP 1521 for sqlnet, and TCP 5060 for sip. The default port value for rsh cannot be changed, but additional port statements can be added. See the Ports section in Chapter 2, Using PIX Firewall Commands, for a list of valid port literal names.
protocol          Specifies the protocol to fix up.
protocol_name     The protocol name.
ras               Registration, admission, and status (RAS) is a signaling protocol that performs registration, admissions, bandwidth changes, status, and disengage procedures between the VoIP gateway and the gatekeeper.
sip               Enable SIP.
skinny            Enable SCCP. SCCP protocol supports IP telephony and can coexist in an H.323 environment. An application layer ensures that all SCCP signaling and media packets can traverse the PIX Firewall and interoperate with H.323 terminals.
strict            Prevent web browsers from sending embedded commands in FTP requests. Each FTP command must be acknowledged before a new command is allowed. Connections sending embedded commands are dropped.

Defaults

The default ports for the PIX Firewall fixup protocols are as follows:
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000

(These are the defaults that are enabled on a PIX Firewall running software version 6.2.)


Usage Guidelines

The fixup protocol commands let you view, change, enable, or disable the use of a service or protocol through the PIX Firewall. The ports you specify are those that the PIX Firewall listens at for each respective service. You can change the port value for each service except rsh and sip. The fixup protocol commands are always present in the configuration and are enabled by default.

The fixup protocol command applies the Adaptive Security Algorithm to port numbers other than the defaults. This command is global: it changes inspection for both inbound and outbound connections, and cannot be restricted to particular static command statements.

The clear fixup command resets the fixup configuration to its defaults. It does not remove the default fixup protocol commands. You can disable the fixup of a protocol by removing all fixups of the protocol from the configuration using the no fixup command. After you remove all fixups for a protocol, the no fixup form of the command or the default port is stored in the configuration.
fixup protocol ftp

Use the fixup protocol ftp command to specify the listening port or ports for the File Transfer Protocol (FTP). The following describes the features and usage of this command:

The PIX Firewall by default listens on port 21 for FTP. Multiple ports can be specified. Specify only the port for the FTP control connection, not the data connection; the PIX Firewall stateful inspection dynamically prepares the data connection as necessary. For instance, the following is incorrect:

INCORRECT
fixup protocol ftp 21
fixup protocol ftp 20

CORRECT
fixup protocol ftp 21

Use caution when moving FTP to a higher port. For example, if you set the FTP port to 2021 by entering fixup protocol ftp 2021, all connections that initiate to port 2021 will have their data payload interpreted as FTP commands.

The following is an example of a fixup protocol ftp configuration that uses multiple FTP fixups:
:
: For a PIX Firewall with two interfaces
:
ip address outside 192.168.1.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
:
: There is an inside host 10.1.1.15 that will be
: exported as 192.168.1.15. This host runs the FTP
: services at port 21 and 1021
:
static (inside, outside) 192.168.1.15 10.1.1.15
:
: Construct an access list to permit inbound FTP traffic to
: port 21 and 1021
:
access-list outside permit tcp any host 192.168.1.15 eq ftp
access-list outside permit tcp any host 192.168.1.15 eq 1021
access-group outside in interface outside
:
: Specify that traffic to port 21 and 1021 are FTP traffic
:
fixup protocol ftp 21
fixup protocol ftp 1021

If you disable FTP fixups with the no fixup protocol ftp command, outbound users can start connections only in passive mode, and all inbound FTP is disabled. The strict option to the fixup protocol ftp command prevents web browsers from sending embedded commands in FTP requests. Each FTP command must be acknowledged before a new command is allowed. Connections sending embedded commands are dropped. The strict option only lets an FTP server generate the 227 command and only lets an FTP client generate the PORT command. The 227 and PORT commands are checked to ensure they do not appear in an error string.
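The strict option is easier to reason about when the rules are written down as checks over a control-channel exchange. The following added example (not PIX code; the rule matching is my reading of the sentences above, and the exchanges are constructed) replays (side, data) segments and reports why strict mode would drop the connection: several commands in one client segment, a command sent before the previous one was acknowledged, PORT from the server or 227 from the client, or a 227/PORT string reflected inside a 4xx/5xx error reply.

```python
"""Model of the checks behind `fixup protocol ftp strict` (added example, not PIX code).

The page says strict mode requires every client command to be acknowledged
before the next one, drops connections that embed several commands in one
request, allows PORT only from the client and 227 only from the server, and
checks that neither appears inside an error string. The matching below is my
reading of those rules; the exchanges are constructed samples.
"""
import re

EMBEDDED_RE = re.compile(r"\b(227|PORT)\b")


def ftp_strict_check(segments):
    """Replay (side, data) control-channel segments; return None if the exchange
    passes, else a string describing why strict mode would drop the connection."""
    outstanding = False  # True while a client command awaits its reply
    for side, data in segments:
        lines = [l for l in data.split("\r\n") if l]
        if side == "client":
            if len(lines) != 1:
                return "embedded commands in one client segment: %r" % lines
            if outstanding:
                return "command sent before the previous one was acknowledged: %r" % lines[0]
            verb = lines[0].split()[0].upper() if lines[0].split() else ""
            if verb == "227":
                return "client sent the server-only 227 reply"
            outstanding = True
        else:
            for line in lines:
                first = line.split()[0].upper() if line.split() else ""
                if first == "PORT":
                    return "server sent the client-only PORT command"
                # 4xx/5xx is an error reply; 227/PORT must not be smuggled inside it
                if first.isdigit() and first[0] in "45" and EMBEDDED_RE.search(line[3:]):
                    return "227/PORT embedded in an error reply: %r" % line
            if lines and re.match(r"^\d{3} ", lines[-1]):
                outstanding = False  # final reply acknowledges the pending command
    return None


# Constructed exchanges.
CLEAN = [
    ("server", "220 ftp ready\r\n"),
    ("client", "USER anonymous\r\n"),
    ("server", "331 Password required\r\n"),
    ("client", "PASS guest@\r\n"),
    ("server", "230 Logged in\r\n"),
    ("client", "PASV\r\n"),
    ("server", "227 Entering Passive Mode (192,168,1,15,4,1)\r\n"),
    ("client", "RETR file.txt\r\n"),
    ("server", "150 Opening data connection\r\n"),
]
# A browser-style request that packs two commands into one segment.
PIPELINED = [
    ("server", "220 ftp ready\r\n"),
    ("client", "USER anonymous\r\nPASS guest@\r\n"),
]
# Attacker-chosen text echoed back by the server inside an error reply.
SMUGGLED_227 = [
    ("server", "220 ftp ready\r\n"),
    ("client", "USER 227 Entering Passive Mode (10,0,0,5,0,22)\r\n"),
    ("server", "530 Login incorrect: 227 Entering Passive Mode (10,0,0,5,0,22)\r\n"),
]

if __name__ == "__main__":
    for name, ex in (("CLEAN", CLEAN), ("PIPELINED", PIPELINED), ("SMUGGLED_227", SMUGGLED_227)):
        print(name, "->", ftp_strict_check(ex) or "passes")
```

The SMUGGLED_227 case is why the error-string check matters: without it, a firewall that opens a data pinhole whenever it sees a 227 reply could be talked into opening one to an address the client chose.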
fixup protocol h323 {h225 | ras}

The fixup protocol h323 {h225 | ras} command provides support for H.323 compliant applications such as Cisco CallManager and VocalTec Gatekeeper. H.323 is a suite of protocols defined by the International Telecommunication Union (ITU) for multimedia conferences over LANs. Version 5.3 and higher supports H.323 version 2. H.323 version 2 adds the following functionality to the PIX Firewall:

- Fast Connect or Fast Start Procedure for faster call setup
- H.245 tunneling for resource conservation, call synchronization, and reduced set up time

PIX Firewall software versions 6.2 and higher support PAT for H.323. When upgrading from any pre-PIX Firewall software version 6.2 release, the following will be added to the configuration:
fixup protocol h323 ras 1718-1719

Additionally, fixup protocol h323 port becomes fixup protocol h323 h225 port. You can disable H.225 signalling or RAS fixup (or both) with the no fixup protocol h323 {h225 | ras} port [-port] command.
fixup protocol http

The fixup protocol http command sets the port for Hypertext Transfer Protocol (HTTP) traffic. The default port for HTTP is 80. Use the port option to change the default port assignments from 80. Use the port-port option to apply HTTP application inspection to a range of port numbers.

Note

The no fixup protocol http command statement also disables the filter url command. HTTP inspection performs several functions:

- URL logging of GET messages
- URL screening through N2H2 or Websense
- Java and ActiveX filtering

The latter two features must be configured in conjunction with the filter command.
fixup protocol ils

The fixup protocol ils command provides NAT support for Microsoft NetMeeting, SiteServer, and Active Directory products that use Lightweight Directory Access Protocol (LDAP) to exchange directory information with an Internet Locator Service (ILS) server.


fixup protocol rtsp

The fixup protocol rtsp command lets PIX Firewall pass Real Time Streaming Protocol (RTSP) packets. RTSP is used by RealAudio, RealNetworks, Apple QuickTime 4, RealPlayer, and Cisco IP/TV connections. If you are using Cisco IP/TV, use RTSP TCP port 554 and TCP 8554:
fixup protocol rtsp 554
fixup protocol rtsp 8554

The following restrictions apply to the fixup protocol rtsp command:

1. This PIX Firewall will not fix RTSP messages passing through UDP ports.
2. PAT is not supported with the fixup protocol rtsp command.
3. PIX Firewall does not have the ability to recognize HTTP cloaking where RTSP messages are hidden in the HTTP messages.
4. PIX Firewall cannot perform NAT on RTSP messages because the embedded IP addresses are contained in the SDP files as part of HTTP or RTSP messages. Packets could be fragmented and PIX Firewall cannot perform NAT on fragmented packets.
5. With Cisco IP/TV, the number of NATs the PIX Firewall performs on the SDP part of the message is proportional to the number of program listings in the Content Manager (each program listing can have at least six embedded IP addresses).
6. You can configure NAT for Apple QuickTime 4 or RealPlayer. Cisco IP/TV only works with NAT if the Viewer and Content Manager are on the outside network and the server is on the inside network.
7. When using RealPlayer, it is important to properly configure transport mode. For the PIX Firewall, add an access-list command statement from the server to the client or vice versa. For RealPlayer, change transport mode by clicking Options > Preferences > Transport > RTSP Settings. If using TCP mode on the RealPlayer, select the Use TCP to Connect to Server and Attempt to use TCP for all content check boxes. On the PIX Firewall, there is no need to configure the fixup. If using UDP mode on the RealPlayer, select the Use TCP to Connect to Server and Attempt to use UDP for static content check boxes, and for live content not available via Multicast. On the PIX Firewall, add a fixup protocol rtsp port command statement.

fixup protocol sip

Session Initiation Protocol (SIP), as defined by the Internet Engineering Task Force (IETF), enables call handling sessions and two-party audio conferences (calls). SIP works with Session Description Protocol (SDP) for call signalling. SDP specifies the ports for the media stream. Using SIP, the PIX Firewall can support any SIP Voice over IP (VoIP) gateway or VoIP proxy server. SIP and SDP are defined in the following RFCs:

- SIP: Session Initiation Protocol, RFC 2543
- SDP: Session Description Protocol, RFC 2327

To support SIP calls through the PIX Firewall, the signaling messages for the media connection addresses, the media ports, and the embryonic connections for the media must be inspected. The signaling is sent over a well-known destination port (UDP/TCP 5060), but the media streams are allocated dynamically. SIP is a text-based protocol that carries IP addresses throughout the message text, so the packets are inspected and NAT is applied to those embedded addresses. PIX Firewall software version 6.2 and higher supports PAT for SIP. The fixup protocol sip command enables SIP on the interface.


The SIP fixup is always in effect when UDP signaling is used, even if the no fixup protocol sip 5060 command is issued. With TCP signaling, the fixup can be disabled with the no fixup protocol sip 5060 command. For additional information about the SIP protocol, see RFC 2543. For additional information about the Session Description Protocol (SDP), see RFC 2327.

Note

If Cisco CallManager is configured for NAT and outside phones register to it via TFTP, the connection will fail because PIX Firewall currently does not support NAT TFTP messages.
fixup protocol skinny

Skinny Client Control Protocol (SCCP or skinny) protocol supports IP telephony and can coexist in an H.323 environment. An application layer ensures that all SCCP signaling and media packets can traverse the PIX Firewall and interoperate with H.323 terminals.
fixup protocol smtp

The fixup protocol smtp command enables the Mail Guard feature, which only lets mail servers receive the RFC 821, section 4.5.1, commands of HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT. All other commands are translated into X's which are rejected by the internal server. This results in a message such as 500 Command unknown: 'XXX'. Incomplete commands are discarded.

Note

During an interactive SMTP session, various SMTP security rules may reject or deadlock your telnet session. These rules include the following: SMTP commands must be at least four characters in length; must be terminated with carriage return and line feed; and must wait for a response before issuing the next reply. As of PIX Firewall software version 5.1 and higher, the fixup protocol smtp command changes the characters in the SMTP banner to asterisks except for the 2, 0, 0 characters. Carriage return (CR) and linefeed (LF) characters are ignored. In PIX Firewall software version 4.4, all characters in the SMTP banner are converted to asterisks.
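The Mail Guard rules above (a fixed set of permitted verbs, everything else turned into X's, incomplete commands held back, the banner masked) are simple enough to model, and doing so shows the side effect operators hit most often: EHLO is not in the permitted set, so an ESMTP client behind Mail Guard gets 500 Command unknown and must fall back to HELO. The following is an added example, not PIX code; whether the real firewall preserves the byte length of a rewritten verb, and exactly how it buffers partial lines, is not stated on this page, so those details are assumptions of the model and the client stream is constructed.

```python
"""Model of the SMTP command rewriting done by Mail Guard (fixup protocol smtp).

Added example, not PIX code. It applies the rules stated on this page: only
HELO, MAIL, RCPT, DATA, RSET, NOOP and QUIT are forwarded; every other verb is
replaced by X's, so the server answers 500 Command unknown; a command is
forwarded only once its CRLF terminator has arrived; the 220 banner is masked
except for the "220" code. Keeping the verb's byte length and the line
buffering are assumptions of this model.
"""

ALLOWED = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}


def guard_command(line):
    """Rewrite one CRLF-terminated client command the way Mail Guard forwards it."""
    body = line[:-2]                       # strip CRLF
    verb, sep, rest = body.partition(" ")
    if verb.upper() in ALLOWED:
        return line
    # EHLO, VRFY, EXPN, TURN, ... (and anything shorter than four characters)
    # become X's, which the mail server rejects with 500 Command unknown.
    return "X" * len(verb) + sep + rest + "\r\n"


def guard_session(client_stream):
    """Split a client stream into complete lines and rewrite each one.

    Returns (forwarded_lines, incomplete_tail); the tail is the partial
    command that was not forwarded because its CRLF has not arrived.
    """
    forwarded = []
    buf = client_stream
    while "\r\n" in buf:
        line, _, buf = buf.partition("\r\n")
        forwarded.append(guard_command(line + "\r\n"))
    return forwarded, buf


def mask_banner(banner):
    """Mask the server greeting: keep the leading reply code, star out the rest."""
    code, rest = banner[:3], banner[3:]
    return code + "".join(c if c in "\r\n" else "*" for c in rest)


# Constructed client stream: ESMTP greeting, plain greeting, an address probe,
# a sender, then a command whose terminator has not arrived yet.
SAMPLE_CLIENT = ("EHLO attacker.example\r\nHELO attacker.example\r\n"
                 "VRFY root\r\nMAIL FROM:<a@example.org>\r\nDATA")

if __name__ == "__main__":
    print(mask_banner("220 mail.example.org ESMTP Sendmail\r\n"), end="")
    lines, tail = guard_session(SAMPLE_CLIENT)
    for l in lines:
        print(l, end="")
    print("held back:", repr(tail))
```

VRFY and EXPN being X'd out is the useful part for defenders (no account enumeration through the firewall); the EHLO rewrite is the part to remember when a partner's mail relay reports that extensions such as STARTTLS or SIZE have disappeared.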
fixup protocol sqlnet

PIX Firewall uses port 1521 for SQL*Net. This is the default port used by Oracle for SQL*Net; however, this value does not agree with IANA port assignments.

Examples

The following example enables access to an inside server running Mail Guard:
static (inside,outside) 209.165.201.1 192.168.42.1 netmask 255.255.255.255
access-list acl_out permit tcp host 209.165.201.1 eq smtp any
access-group acl_out in interface outside
fixup protocol smtp 25

The following example shows the commands to disable Mail Guard:


static (dmz1,outside) 209.165.201.1 10.1.1.1 netmask 255.255.255.255
access-list acl_out permit tcp host 209.165.201.1 eq smtp any
access-group acl_out in interface outside
no fixup protocol smtp 25


In this example, the static command sets up a global address to permit outside hosts access to the 10.1.1.1 mail server host on the dmz1 interface. (The MX record for DNS needs to point to the 209.165.201.1 address so that mail is sent to this address.) The access-list command lets any outside users access the global address through the SMTP port (25). The no fixup protocol command disables the Mail Guard feature.

flashfs
Clear, display, or downgrade filesystem information. (Configuration mode.)

Configure with the command...
  flashfs downgrade {4.x | 5.0 | 5.1}

Remove with the command...
  clear flashfs

Show command options
  show flashfs

Show command output
  Displays the size in bytes of each filesystem sector and the current state of the filesystem.

Syntax Description

downgrade 4.x         Clear the filesystem information from Flash memory before downgrading to PIX Firewall software version 4.0, 4.1, 4.2, 4.3, or 4.4.
downgrade 5.0 | 5.1   Write the filesystem to Flash memory before downgrading to the appropriate PIX Firewall software version 5.0 or higher.

Usage Guidelines

The clear flashfs and the flashfs downgrade 4.x commands clear the filesystem part of Flash memory in the PIX Firewall. Versions 4.n cannot use the information in the filesystem; it needs to be cleared to let the earlier version operate correctly. The flashfs downgrade 5.x command reorganizes the filesystem part of Flash memory so that information stored in the filesystem can be accessed by the earlier version.

The PIX Firewall maintains a filesystem in Flash memory to store system information, IPSec private keys, certificates, and CRLs. It is crucial that you clear or reformat the filesystem before downgrading to a previous PIX Firewall version. Otherwise, your filesystem will get out of sync with the actual contents of the Flash memory and cause problems when the unit is later upgraded.

You only need to use the flashfs downgrade 5.x command if your PIX Firewall has 16 MB of Flash memory, if you have IPSec private keys, certificates, or CRLs stored in Flash memory, and you used the ca save all command to save these items in Flash memory. The flashfs downgrade 5.x command fails if the filesystem indicates that any part of the image, configuration, or private data in the Flash memory device is unusable.

The clear flashfs and flashfs downgrade commands do not affect the configuration stored in Flash memory. The clear flashfs command is the same as the flashfs downgrade 4.x command.

The show flashfs command displays the size in bytes of each filesystem sector and the current state of the filesystem. The data in each sector is as follows:

file 0   PIX Firewall binary image, where the .bin file is stored.
file 1   PIX Firewall configuration data that you can view with the show config command.
file 2   PIX Firewall datafile that stores IPSec key and certificate information.
file 3   flashfs downgrade information for the show flashfs command.
file 4   The compressed PIX Firewall image size in Flash memory.

Examples

The following is sample output from the show flashfs command:


pixfirewall(config)# show flashfs
flash file system: version:2 magic:0x12345679
  file 0: origin:       0 length:1511480
  file 1: origin: 2883584 length:3264
  file 2: origin:       0 length:0
  file 3: origin: 3014656 length:4444164
  file 4: origin: 8257536 length:280

Use the following command to write the filesystem to Flash memory before downgrading to a lower version of software:
pixfirewall(config)# flashfs downgrade 5.3

The following commands display the filesystem sector sizes:


pixfirewall(config)# show flashfs
flash file system: version:1 magic:0x12345679
  file 0: origin:       0 length:1794104
  file 1: origin: 2095104 length:1496
  file 2: origin:       0 length:0
  file 3: origin: 2096640 length:140
  file 4: origin: 8257536 length:280
pixfirewall(config)# flashfs downgrade 5.3
pixfirewall(config)# show flashfs
flash file system: version:0 magic:0x0
  file 0: origin:       0 length:0
  file 1: origin:       0 length:0
  file 2: origin:       0 length:0
  file 3: origin:       0 length:0
  file 4: origin: 8257536 length:280

The origin values are integer multiples of the underlying filesystem sector size.
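As an added example (not Cisco code and not part of the reference), the following Python parser reads show flashfs output of the form shown above and answers the two questions the downgrade procedure turns on: whether file 2 (the IPSec private data saved with ca save all) holds anything, and whether the filesystem is already in the cleared state (version 0, magic 0x0) that show flashfs reports after flashfs downgrade. The sector size is not printed by the command, so the alignment check takes it as a parameter; the 131072-byte value used at the bottom is an assumption of this example, not a documented figure.

```python
"""Parse PIX 'show flashfs' output (added example, not Cisco code).

Assumes the 'file N: origin: X length:Y' layout shown in the reference.
"""
import re

# Sector roles as documented for the show flashfs command.
FILE_ROLES = {
    0: "PIX Firewall binary image",
    1: "configuration data",
    2: "IPSec keys and certificates (private data)",
    3: "flashfs downgrade information",
    4: "compressed image size",
}

FILE_RE = re.compile(r"file\s+(\d+):\s*origin:\s*(\d+)\s+length:\s*(\d+)")
HDR_RE = re.compile(r"version:\s*(\d+)\s+magic:\s*0x([0-9a-fA-F]+)")


def parse_flashfs(text):
    """Return {'version': int, 'magic': int, 'files': {n: (origin, length)}}."""
    m = HDR_RE.search(text)
    if not m:
        raise ValueError("no 'flash file system' header found")
    files = {int(n): (int(o), int(l)) for n, o, l in FILE_RE.findall(text)}
    return {"version": int(m.group(1)), "magic": int(m.group(2), 16), "files": files}


def is_cleared(fs):
    """True when the filesystem is in the cleared state (version 0, magic 0x0)
    that show flashfs reports after flashfs downgrade."""
    return fs["version"] == 0 and fs["magic"] == 0


def has_private_data(fs):
    """True when file 2 (IPSec keys/certificates) holds data, i.e. ca save all
    was used; on a 16 MB unit this is the case where flashfs downgrade 5.x applies."""
    return fs["files"].get(2, (0, 0))[1] > 0


def origins_aligned(fs, sector_size):
    """Check the documented property that every origin is a multiple of the
    sector size (sector_size is an assumption; the command does not print it)."""
    return all(origin % sector_size == 0 for origin, _ in fs["files"].values())


# Constructed sample: the first show flashfs output from the reference.
SAMPLE = """pixfirewall(config)# show flashfs
flash file system: version:2 magic:0x12345679
  file 0: origin: 0 length:1511480
  file 1: origin: 2883584 length:3264
  file 2: origin: 0 length:0
  file 3: origin: 3014656 length:4444164
  file 4: origin: 8257536 length:280
"""

if __name__ == "__main__":
    fs = parse_flashfs(SAMPLE)
    for n, (origin, length) in sorted(fs["files"].items()):
        print(f"file {n}: {FILE_ROLES[n]}: origin={origin} length={length}")
    print("cleared:", is_cleared(fs), "private data:", has_private_data(fs))
    print("origins aligned to 128 KiB (assumed sector size):", origins_aligned(fs, 131072))
```

Run it against a captured show flashfs before downgrading: a non-zero length for file 2 tells you the private-data case applies, and the cleared check lets a script confirm the downgrade step actually took effect.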

floodguard
Enable or disable Flood Defender to protect against flood attacks. (Configuration mode.)

Configure with the command... floodguard enable
Remove with the command... floodguard disable
clear floodguard

Show command options... show floodguard

Show command output... Displays the floodguard command in the configuration.


Syntax Description

enable: Enable Flood Defender.
disable: Disable Flood Defender.

Usage Guidelines

The floodguard command lets you reclaim PIX Firewall resources if the user authentication (uauth) subsystem runs out of resources. If an inbound or outbound uauth connection is being attacked or overused, the PIX Firewall will actively reclaim TCP user resources. When the resources deplete, the PIX Firewall lists messages about it being out of resources or out of tcpusers.

If the PIX Firewall uauth subsystem is depleted, TCP user resources in different states are reclaimed depending on urgency in the following order:

1. Timewait
2. FinWait
3. Embryonic
4. Idle

The floodguard command is enabled by default.

Examples

The following example enables the floodguard command and lists the floodguard command statement in the configuration:
floodguard enable
show floodguard
floodguard enable

fragment
The fragment command provides additional management of packet fragmentation and improves compatibility with NFS. (Configuration mode.)

Configure with the command...
fragment size database-limit [interface]
fragment chain chain-limit [interface]
fragment timeout seconds [interface]
Remove with the command... clear fragment

Show command options... show fragment [interface]

Show command output... Displays the states of the fragment databases. If the interface name is specified, only displays information for the database residing at the specified interface.


Syntax Description

chain chain-limit: Specifies the maximum number of packets into which a full IP packet can be fragmented. The default is 24. The maximum is 8200.

clear: Resets the fragment databases and defaults. All fragments currently waiting for reassembly are discarded and the size, chain, and timeout options are reset to their default values.

database-limit: The default is 200. The maximum is 1,000,000 or the total number of blocks.

interface: The PIX Firewall interface. If not specified, the command will apply to all interfaces.

seconds: The default is 5 seconds. The maximum is 30 seconds.

show: Displays the state of the fragment database:
  Size: Maximum packets set by the size option.
  Chain: Maximum fragments for a single packet set by the chain option.
  Timeout: Maximum seconds set by the timeout option.
  Queue: Number of packets currently awaiting reassembly.
  Assemble: Number of packets successfully reassembled.
  Fail: Number of packets which failed to be reassembled.
  Overflow: Number of packets which overflowed the fragment database.

size: Sets the maximum number of packets in the fragment database. The default is 200.

timeout: Specifies the maximum number of seconds that a packet fragment will wait to be reassembled after the first fragment is received before being discarded. The default is 5 seconds.

Usage Guidelines

By default the PIX Firewall accepts up to 24 fragments to reconstruct a full IP packet. Based on your network security policy, you should consider configuring the PIX Firewall to prevent fragmented packets from traversing the firewall by entering the fragment chain 1 interface command on each interface. Setting the limit to 1 means that all packets must be whole; that is, unfragmented.

If a large percentage of the network traffic through the PIX Firewall is NFS, additional tuning may be necessary to avoid database overflow. See system log message 209003 for additional information. In an environment where the MTU between the NFS server and client is small, such as a WAN interface, the chain option may require additional tuning. In this case, NFS over TCP is highly recommended to improve efficiency.

Setting the database-limit of the size option to a large value can make the PIX Firewall more vulnerable to a DoS attack by fragment flooding. Do not set the database-limit equal to or greater than the total number of blocks in the 1550 or 16384 pool. See the show block command for more details. The default values will limit DoS due to fragment flooding to that interface only.

Examples

For example, to prevent fragmented packets on the outside and inside interfaces enter:
pixfirewall(config)# fragment chain 1 outside
pixfirewall(config)# fragment chain 1 inside


Continue entering the fragment chain 1 interface command for each additional interface on which you want to prevent fragmented packets. The following example configures the outside fragment database to limit a maximum size of 2000, a maximum chain length of 45, and a wait time of 10 seconds:
pixfirewall(config)# fragment size 2000 outside
pixfirewall(config)# fragment chain 45 outside
pixfirewall(config)# fragment timeout 10 outside
pixfirewall(config)#

The clear fragment command resets the fragment databases. Specifically, all fragments awaiting re-assembly are discarded. In addition, the size is reset to 200; the chain limit is reset to 24; and the timeout is reset to 5 seconds. The show fragment command displays the states of the fragment databases. If the interface name is specified, only the database residing at the specified interface is displayed.

pixfirewall(config)# show fragment outside
Interface:outside
Size:2000, Chain:45, Timeout:10
Queue:1060, Assemble:809, Fail:0, Overflow:0

The preceding example shows that the "outside" fragment database has the following:

- A database size limit of 2000 packets.
- A chain length limit of 45 fragments.
- A timeout of ten seconds.
- 1060 packets currently awaiting re-assembly.
- 809 packets fully reassembled.
- No failures.
- No overflows.

This fragment database is under heavy usage. The PIX Firewall also includes FragGuard for additional IP fragmentation protection. For more information refer to the Cisco PIX Firewall and VPN Configuration Guide at: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/config/overvw.htm#1046527
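The following Python checker is an added example, not Cisco code and not part of the reference. It does two things the guidelines above describe in prose: it validates fragment size, chain and timeout values against the stated defaults and maximums (and, when the caller supplies the block pool total from show block, enforces the rule that size must stay below it), and it parses show fragment output to classify each database as normal, heavy or overflowing. The 50% queue threshold is this example's assumption, chosen so that the reference's own sample (1060 of 2000 queued, which it calls heavy usage) is flagged.

```python
"""Fragment database checker (added example, not Cisco code).

Limits come from the fragment command syntax description; the queue ratio is
an assumption of this example.
"""
import re

# Defaults and maximums from the fragment command syntax description.
DEFAULTS = {"size": 200, "chain": 24, "timeout": 5}
MAXIMUMS = {"size": 1_000_000, "chain": 8200, "timeout": 30}
QUEUE_WARN_RATIO = 0.5   # assumption: flag a database whose queue is this full


def validate_fragment_setting(option, value, total_blocks=None):
    """Return a list of problems for one fragment option; an empty list means OK.

    total_blocks is the block pool total from show block, when the caller knows
    it: the reference says size must stay below that number.
    """
    if option not in MAXIMUMS:
        return [f"unknown option {option!r}"]
    problems = []
    if value < 1:
        problems.append(f"{option} must be at least 1")
    if value > MAXIMUMS[option]:
        problems.append(f"{option}={value} exceeds maximum {MAXIMUMS[option]}")
    if option == "size" and total_blocks is not None and value >= total_blocks:
        problems.append(f"size={value} is not below the block pool total {total_blocks}")
    return problems


SHOW_RE = re.compile(
    r"Interface:\s*(\w+)\s+Size:\s*(\d+),\s*Chain:\s*(\d+),\s*Timeout:\s*(\d+)\s+"
    r"Queue:\s*(\d+),\s*Assemble:\s*(\d+),\s*Fail:\s*(\d+),\s*Overflow:\s*(\d+)")


def parse_show_fragment(text):
    """Parse the per-interface blocks of 'show fragment' into dicts keyed by interface name."""
    keys = ("size", "chain", "timeout", "queue", "assemble", "fail", "overflow")
    result = {}
    for m in SHOW_RE.finditer(text):
        name, *nums = m.groups()
        result[name] = dict(zip(keys, map(int, nums)))
    return result


def assess(db):
    """Classify one database as 'overflowing', 'heavy', or 'normal'."""
    if db["overflow"] > 0:
        return "overflowing"        # packets were dropped for lack of database room
    if db["queue"] >= QUEUE_WARN_RATIO * db["size"]:
        return "heavy"              # queue is filling; watch for overflow
    return "normal"


# Constructed sample: the show fragment outside output from the reference.
SAMPLE = """pixfirewall(config)# show fragment outside
Interface:outside
Size:2000, Chain:45, Timeout:10
Queue:1060, Assemble:809, Fail:0, Overflow:0
"""

if __name__ == "__main__":
    for name, db in parse_show_fragment(SAMPLE).items():
        print(name, db, "->", assess(db))
    print("chain 45:", validate_fragment_setting("chain", 45) or "ok")
    print("timeout 31:", validate_fragment_setting("timeout", 31))
    print("size 2000 with 1550 blocks:", validate_fragment_setting("size", 2000, total_blocks=1550))
```

A rising Queue against a fixed Size on one interface, with Overflow still zero, is the point at which the guidelines' advice applies: tune chain or size for legitimate NFS traffic, or set chain 1 on interfaces where fragments are not expected at all.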


Chapter 6

G through L Commands
global
Create or delete entries from a pool of global addresses. (Configuration mode.)

Configure with the command... global [(if_name)] nat_id {global_ip [-global_ip] [netmask global_mask]} | interface
Remove with the command... no global [(if_name)] nat_id [global_ip [-global_ip] [netmask global_mask]] | [interface]
clear global

PAT form... global [(if_name)] nat_id {{global_ip} [netmask global_mask] | interface}

Show command options... show global

Show command output... Displays the global command statements in the configuration.

Syntax Description

clear: Removes global command statements from the configuration.

global_ip: One or more global IP addresses that the PIX Firewall shares among its connections. If the external network is connected to the Internet, each global IP address must be registered with the Network Information Center (NIC). You can specify a range of IP addresses by separating the addresses with a dash (-). You can create a Port Address Translation (PAT) global command statement by specifying a single IP address. You can have one PAT global command statement per interface. A PAT can support up to 65,535 xlate objects.

global_mask: The network mask for global_ip. If subnetting is in effect, use the subnet mask; for example, 255.255.255.128. If you specify an address range that overlaps subnets, global will not use the broadcast or network addresses in the pool of global addresses. For example, if you use 255.255.255.224 and an address range of 209.165.201.1-209.165.201.30, the 209.165.201.31 broadcast address and the 209.165.201.0 network address will not be included in the pool of global addresses.

if_name: The external network where you use these global addresses.

interface: Specifies PAT using the IP address at the interface.


nat_id: A positive number shared with the nat command that groups the nat and global command statements together. The valid ID numbers can be any positive number up to 2,147,483,647.

netmask: Reserved word that prefaces the network global_mask variable.

Usage Guidelines

The global command defines a pool of global addresses. The global addresses in the pool provide an IP address for each outbound connection, and for those inbound connections resulting from outbound connections. Ensure that associated nat and global command statements have the same nat_id.

The global command cannot use names with a - (dash) character in them because the - character is interpreted as a range specifier instead of as part of the object name.

The following command form is used for Port Address Translation (PAT) only:
global [(if_name)] nat_id {{global_ip} [netmask global_mask] | interface}

After changing or removing a global command statement, use the clear xlate command. Use the no global command to remove access to a nat_id, or to a Port Address Translation (PAT) address, or address range within a nat_id.
Usage Notes

1. You can enable the Port Address Translation (PAT) feature by entering a single IP address with the global command. PAT lets multiple outbound sessions appear to originate from a single IP address. With PAT enabled, the PIX Firewall chooses a unique port number from the PAT IP address for each outbound xlate (translation slot). This feature is valuable when an Internet service provider cannot allocate enough unique IP addresses for your outbound connections. An IP address you specify for a PAT cannot be used in another global address pool. When a PAT augments a pool of global addresses, first the addresses from the global pool are used, then the next connection is taken from the PAT address. If a global pool address is available, the next connection takes that address. The global pool addresses always come first, before a PAT address is used. Augment a pool of global addresses with a PAT by using the same nat_id in the global command statements that create the global pools and the PAT. For example:
global (outside) 1 209.165.201.1-209.165.201.10 netmask 255.255.255.224
global (outside) 1 209.165.201.22 netmask 255.255.255.224

2. PAT does not work with H.323 applications and caching nameservers. Do not use a PAT when multimedia applications need to be run through the PIX Firewall. Multimedia applications can conflict with port mappings provided by PAT.

3. PAT does not work with the established command.

4. PAT works with DNS, FTP and passive FTP, HTTP, email, RPC, rshell, Telnet, URL filtering, and outbound traceroute.

5. For use with passive FTP, use the fixup protocol ftp strict command statement with an access-list command statement to permit outbound FTP traffic, as shown in the following example:
fixup protocol ftp strict ftp
access-list acl_in permit tcp any any eq ftp
access-group acl_in in interface inside
nat (inside) 1 0 0
global (outside) 1 209.165.201.5 netmask 255.255.255.224


6. IP addresses in the pool of global addresses specified with the global command require reverse DNS entries to ensure that all external network addresses are accessible through the PIX Firewall. To create reverse DNS mappings, use a DNS PTR record in the address-to-name mapping file for each global address. For more information on DNS, refer to DNS and BIND, by Paul Albitz and Cricket Liu, O'Reilly & Associates, Inc., ISBN 1-56592-010-4. Without the PTR entries, sites can experience slow or intermittent Internet connectivity and FTP requests that consistently fail. For example, if a global IP address is 209.165.201.1 and the domain for the PIX Firewall is pix.example.com, the PTR record would be as follows.
1.201.165.209.in-addr.arpa. IN PTR pix.example.com

7. A DNS server on a higher level security interface needing to get updates from a root name server on the outside interface cannot use PAT. Instead, a static command statement must be added to map the DNS server to a global address on the outside interface. For example, PAT is enabled with these commands:
nat (inside) 1 192.168.1.0 255.255.255.0
global (inside) 1 209.165.202.128 netmask 255.255.255.224

However, a DNS server on the inside at IP address 192.168.1.5 cannot correctly reach the root name server on the outside at IP address 209.165.202.130. To ensure that the inside DNS server can access the root name server, insert the following static command statement:
static (inside,outside) 209.165.202.129 192.168.1.5

The global address 209.165.202.129 provides a translated address for the inside server at IP address 192.168.1.5.
8. To specify PAT using the IP address of an interface, specify the interface keyword in the global [(int_name)] nat_id address | interface command. The following example enables PAT using the IP address at the outside interface in global configuration mode:
ip address outside 192.150.49.1
nat (inside) 1 0 0
global (outside) 1 interface

The interface IP address used for PAT is the address associated with the interface when the xlate (translation slot) is created. This is important for configuring DHCP, allowing for the DHCP retrieved address to be used for PAT. When PAT is enabled on an interface, there should be no loss of TCP, UDP, and ICMP services. These services allow for termination at the PIX Firewall unit's outside interface.
9. To track usage among different subnets, you can specify multiple PATs using the following supported configurations. The following example maps hosts on the internal network 10.1.0.0/24 to global address 192.168.1.1 and hosts on the internal network 10.1.1.1/24 to global address 209.165.200.225 in global configuration mode.
nat (inside) 1 10.1.0.0 255.255.255.0
nat (inside) 2 10.1.1.0 255.255.255.0
global (outside) 1 192.168.1.1 netmask 255.255.255.0
global (outside) 2 209.165.200.225 netmask 255.255.255.224


The following example configures two port addresses for setting up PAT on hosts from the internal network 10.1.0.0/16 in global configuration mode.
nat (inside) 1 10.1.0.0 255.255.0.0
global (outside) 1 209.165.200.225 netmask 255.255.255.224
global (outside) 1 192.168.1.1 netmask 255.255.255.0

With this configuration, address 192.168.1.1 will only be used when the port pool from address 209.165.200.225 is at maximum capacity.

Examples

The following example declares two global pool ranges and a PAT address. Then the nat command permits all inside users to start connections to the outside network:
global (outside) 1 209.165.201.1-209.165.201.10 netmask 255.255.255.224
global (outside) 1 209.165.201.12 netmask 255.255.255.224
Global 209.165.201.12 will be Port Address Translated
nat (inside) 1 0 0
clear xlate

The next example creates a global pool from two contiguous pieces of a Class C address and gives the perimeter hosts access to this pool of addresses to start connections on the outside interface:
global (outside) 1000 209.165.201.1-209.165.201.14 netmask 255.255.255.240
global (outside) 1000 209.165.201.17-209.165.201.30 netmask 255.255.255.240
nat (perimeter) 1000 0 0
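Two of the rules stated for the global command above lend themselves to a worked example: the global_mask description (a range that overlaps subnets does not include the network or broadcast address of any subnet it touches) and usage note 6 (every global address needs a PTR record). The Python below is an added example, not Cisco code and not part of the reference; it expands a global_ip range under a netmask the way the description says the pool is built and emits the PTR lines in the form note 6 shows. The hostname pix.example.com is the one the reference uses; the range 209.165.201.1-209.165.201.62, which crosses the /27 boundary at .31/.32, is constructed for this example.

```python
"""Expand a PIX global address pool and emit PTR records (added example, not Cisco code).

Implements the pool-building rule from the global_mask description and the
reverse-DNS requirement from usage note 6. Range crossing a subnet boundary is
constructed for this example.
"""
import ipaddress


def expand_global_pool(first_ip, last_ip, netmask):
    """Return the usable global addresses in first_ip-last_ip for the given mask,
    skipping the network and broadcast address of every subnet the range touches."""
    first = ipaddress.IPv4Address(first_ip)
    last = ipaddress.IPv4Address(last_ip)
    if last < first:
        raise ValueError("range end precedes range start")
    pool = []
    addr = first
    while addr <= last:
        # The subnet this address belongs to under the configured global_mask.
        net = ipaddress.IPv4Network((str(addr), netmask), strict=False)
        if addr not in (net.network_address, net.broadcast_address):
            pool.append(addr)
        addr += 1
    return pool


def ptr_records(addresses, hostname):
    """Build one PTR line per global address in the form shown in usage note 6."""
    return [f"{a.reverse_pointer}. IN PTR {hostname}" for a in addresses]


if __name__ == "__main__":
    # The reference's own example: /27 mask with the range .1-.30 keeps all 30 hosts,
    # because .0 and .31 lie outside the range anyway.
    pool = expand_global_pool("209.165.201.1", "209.165.201.30", "255.255.255.224")
    print(len(pool), "addresses:", pool[0], "...", pool[-1])
    # Constructed range crossing the .31/.32 boundary: .31 (broadcast of the first
    # /27) and .32 (network of the second /27) are left out, so 60 of 62 remain.
    crossing = expand_global_pool("209.165.201.1", "209.165.201.62", "255.255.255.224")
    print(len(crossing), "addresses from a 62-address range")
    for line in ptr_records(pool[:2], "pix.example.com"):
        print(line)
```

Feeding the output of ptr_records into the reverse zone is a quick way to satisfy note 6 for a whole pool at once; the omitted .31 and .32 in the crossing case are exactly the addresses the PIX Firewall would never hand out, so no PTR record is generated for them.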

help
Display help information. (Unprivileged, Privileged, and Configuration modes.)

Display command help with... help command
?
Remove with the command... N/A

Syntax Description

?: Displays all commands available in the current privilege level and mode.

command: Specifies the PIX Firewall command for which to display the PIX Firewall command-line interface (CLI) help.

help: If no command name is specified, displays all commands available in the current privilege level and mode; otherwise, displays the PIX Firewall CLI help for the command specified.

Usage Guidelines

The help or ? command displays help information about all commands. You can view help for an individual command by entering the command name followed by a ? (question mark). If the pager command is enabled, the listing pauses after 24 lines display, and the following prompt appears:
<--- More --->

The More prompt uses syntax similar to the UNIX more command:

- To view another screenful, press the Space bar.
- To view the next line, press the Enter key.
- To return to the command line, press the q key.

Examples

The following example shows how you can display help information by following the command name with a question mark:
enable ?
usage: enable password <pw> [encrypted]

Help information is available on the core commands (not the show, no, or clear commands) by entering ? at the command prompt:
?
aaa    Enable, disable, or view TACACS+ or RADIUS user authentication, authorization and accounting

hostname
Change the host name in the PIX Firewall command line prompt. (Configuration mode.)

Set with the command... hostname newname
Change with the command... hostname newname

Syntax Description

newname: New host name for the PIX Firewall prompt. This name can be up to 16 alphanumeric characters and mixed case.

Usage Guidelines

The hostname command changes the host name label on prompts. The default host name is pixfirewall.

Note

The change of the host name causes the change of the fully qualified domain name. Once the fully qualified domain name is changed, delete the RSA key pairs with the ca zeroize rsa command and delete related certificates with the no ca identity ca_nickname command.

Examples

The following example shows how to change a host name:


pixfirewall(config)# hostname spinner
spinner(config)# hostname pixfirewall
pixfirewall(config)#


http
Enables the PIX Firewall HTTP server and specifies the clients that are permitted to access it. Additionally, for access, the Cisco PIX Device Manager (PDM) requires that the PIX Firewall have an enabled HTTP server. (Configuration mode.)

Configure with the command... http ip_address [netmask] [if_name]
Remove with the command... no http ip_address netmask if_name
clear http

Configure with the command... [no] http server enable
Remove with the command... clear http

Show command options... show http

Show command output... Displays the allowed hosts and whether or not the HTTP server is enabled.

Syntax Description

clear http: Removes all HTTP hosts and disables the server.

http: Relating to the Hypertext Transfer Protocol.

http server enable: Enables the HTTP server required to run PDM.

if_name: PIX Firewall interface name on which the host or network initiating the HTTP connection resides.

ip_address: Specifies the host or network authorized to initiate an HTTP connection to the PIX Firewall.

netmask: Specifies the network mask for the http ip_address.

Defaults

If you do not specify a netmask, the default is 255.255.255.255 regardless of the class of IP address. The default if_name is inside.

Usage Guidelines

Access from any host will be allowed if 0.0.0.0 0.0.0.0 (or 0 0) is specified for ip_address and netmask.

Examples

The following http command example is used for one host:


http 16.152.1.11 255.255.255.255 outside

The following http command example is used for any host:


http 0.0.0.0 0.0.0.0 inside


icmp
Enable or disable pinging to an interface. (Configuration mode.)

Configure with the command... icmp permit | deny [host] src_addr [src_mask] [type] int_name
Remove with the command... no icmp permit | deny [host] src_addr [src_mask] [type] int_name
clear icmp

Show command options... show icmp

Show command output... Displays the ICMP commands in the configuration.

Syntax Description

deny: Disables the ability to ping a PIX Firewall interface.

int_name: The interface name.

permit: Enables the ability to ping a PIX Firewall interface.

src_addr: Address that is either permitted or denied ability to ping an interface. Use host src_addr to specify a single host.

src_mask: (Optional) Specifies to use a network mask with the network address entered.

type: ICMP message type as described in Table 6-1.

Usage Guidelines

By default the PIX Firewall denies all inbound traffic through the outside interface. Based on your network security policy, you should consider configuring the PIX Firewall to deny all ICMP traffic to the outside interface, or any other interface you deem necessary, by entering the icmp command.

The icmp command controls ICMP traffic that terminates on the PIX Firewall. If no ICMP control list is configured, then the PIX Firewall accepts all ICMP traffic that terminates at any interface (including the outside interface). The icmp deny command disables pinging to an interface, and the icmp permit command enables pinging to an interface. With pinging disabled, the PIX Firewall cannot be detected on the network. This is also referred to as configurable proxy pinging.

For traffic that is routed through the PIX Firewall only, you can use the access-list or access-group commands to control the ICMP traffic routed through the PIX Firewall.

We recommend that you grant permission for ICMP unreachable message type (type 3). Denying ICMP unreachable messages disables ICMP Path MTU discovery, which can halt IPSec and PPTP traffic. See RFC 1195 and RFC 1435 for details about Path MTU Discovery.

If an ICMP control list is configured, then the PIX Firewall uses a first match to the ICMP traffic followed by an implicit deny all. That is, if the first matched entry is a permit entry, the ICMP packet continues to be processed. If the first matched entry is a deny entry or an entry is not matched, PIX Firewall discards the ICMP packet and generates the %PIX-3-313001 syslog message. An exception is when an ICMP control list is not configured; in that case, a permit is assumed. The syslog message is as follows:
%PIX-3-313001: Denied ICMP type=type, code=code from source_address on interface interface_number


If this message appears, contact the peer's administrator.


ICMP Message Types

Table 6-1 lists possible ICMP type values.


Table 6-1 ICMP Type Literals

ICMP Type   Literal
0           echo-reply
3           unreachable
4           source-quench
5           redirect
6           alternate-address
8           echo
9           router-advertisement
10          router-solicitation
11          time-exceeded
12          parameter-problem
13          timestamp-reply
14          timestamp-request
15          information-request
16          information-reply
17          mask-request
18          mask-reply
31          conversion-error
32          mobile-redirect

Examples

1. For example, to deny all ICMP traffic, including ping requests, to the outside interface enter:
icmp deny any outside

Continue entering the icmp deny any interface command for each additional interface on which you want to deny ICMP traffic.

2. Deny all ping requests and permit all unreachable messages at the outside interface:
icmp deny any echo-reply outside
icmp permit any unreachable outside

3. Permit host 172.16.2.15 or hosts on subnet 172.22.1.0/16 to ping the outside interface:
icmp permit host 172.16.2.15 echo-reply outside
icmp permit 171.22.1.0 255.255.255.0 echo-reply outside
icmp permit any unreachable outside
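The matching semantics described in the usage guidelines (first match wins, a matched permit accepts, a matched deny or no match discards, and an interface with no control list accepts everything) are easy to get wrong when reading a configuration by eye. The Python below is an added example, not Cisco code and not part of the reference; it parses icmp entries of the form shown above into a control list, evaluates an ICMP packet against it the way the guidelines describe, and builds the %PIX-3-313001 line for a discard. It uses the Table 6-1 literals and the entries from example 3; the packets evaluated at the bottom are constructed. The reference prints an interface number in the syslog message, whereas this example prints the interface name it was given.

```python
"""Simulation of the PIX icmp control list (added example, not Cisco code).

First match wins; a matched permit accepts, a matched deny or no match at all
discards; an interface with no control list accepts all ICMP terminating on it.
"""
import ipaddress

# Table 6-1: ICMP type literals accepted by the icmp command.
ICMP_TYPES = {
    "echo-reply": 0, "unreachable": 3, "source-quench": 4, "redirect": 5,
    "alternate-address": 6, "echo": 8, "router-advertisement": 9,
    "router-solicitation": 10, "time-exceeded": 11, "parameter-problem": 12,
    "timestamp-reply": 13, "timestamp-request": 14, "information-request": 15,
    "information-reply": 16, "mask-request": 17, "mask-reply": 18,
    "conversion-error": 31, "mobile-redirect": 32,
}


def parse_icmp_entry(line):
    """Parse 'icmp permit|deny {any | host addr | addr [mask]} [type] int_name'."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "icmp" or tokens[1] not in ("permit", "deny"):
        raise ValueError(f"not an icmp control entry: {line!r}")
    action, rest, int_name = tokens[1], tokens[2:-1], tokens[-1]
    if rest[0] == "any":
        net, rest = ipaddress.IPv4Network("0.0.0.0/0"), rest[1:]
    elif rest[0] == "host":
        net, rest = ipaddress.IPv4Network(rest[1]), rest[2:]
    else:
        addr, rest = rest[0], rest[1:]
        mask = "255.255.255.255"
        if rest and rest[0].count(".") == 3:          # an optional src_mask follows
            mask, rest = rest[0], rest[1:]
        net = ipaddress.IPv4Network((addr, mask), strict=False)
    icmp_type = None                                   # None matches every type
    if rest:
        icmp_type = ICMP_TYPES[rest[0]] if rest[0] in ICMP_TYPES else int(rest[0])
    return {"action": action, "net": net, "type": icmp_type, "interface": int_name}


def evaluate(entries, src_ip, icmp_type, interface, code=0):
    """Decide the fate of an ICMP packet terminating on interface.

    Returns (accepted, syslog): syslog is None when accepted, otherwise the
    %PIX-3-313001 text (with the interface name where the unit prints a number).
    """
    src = ipaddress.IPv4Address(src_ip)
    rules = [e for e in entries if e["interface"] == interface]
    if not rules:
        return True, None                              # no control list: permit assumed
    for e in rules:
        if src in e["net"] and e["type"] in (None, icmp_type):
            if e["action"] == "permit":
                return True, None
            break                                      # first match is a deny
    syslog = (f"%PIX-3-313001: Denied ICMP type={icmp_type}, code={code} "
              f"from {src_ip} on interface {interface}")
    return False, syslog


# Entries from example 3 above, parsed into the control list for "outside".
OUTSIDE_LIST = [parse_icmp_entry(line) for line in (
    "icmp permit host 172.16.2.15 echo-reply outside",
    "icmp permit 171.22.1.0 255.255.255.0 echo-reply outside",
    "icmp permit any unreachable outside",
)]

if __name__ == "__main__":
    # Constructed packets: the listed host, an unlisted host sending echo, an unreachable.
    for src, typ in (("172.16.2.15", 0), ("198.51.100.9", 8), ("198.51.100.9", 3)):
        print(src, typ, evaluate(OUTSIDE_LIST, src, typ, "outside"))
```

The implicit deny at the end of a configured list is the behaviour to keep in mind: once a single icmp entry exists for an interface, type 3 (unreachable) must be permitted explicitly or Path MTU discovery through that interface stops, which is the failure mode the guidelines warn about.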


igmp
Refer to the multicast command for the igmp subcommands. The Internet Group Management Protocol (IGMP) enables IP hosts to report their multicast group memberships to an adjacent multicast router. On the PIX Firewall, IGMP support is implemented as a subcommand to the multicast command.

interface
Identify network interface speed and duplex. (Configuration mode.)

Configure with the command... interface hardware_id [hardware_speed] [shutdown]
Remove with the command... clear interface

Show command options... show interface hardware_id [hardware_speed] [shutdown]

Show command output... Displays detailed interface information, including the packet drop count of Unicast RPF for each interface and buffer counters for Ethernet interfaces.


Syntax Description

hardware_id: Identifies the network interface type. Possible values are ethernet0, ethernet1 to ethernetn, or gb-ethernetn depending on how many network interfaces are in the PIX Firewall.

hardware_speed: Network interface speed (optional). Possible Ethernet values are:
  10baset: Set for 10 Mbps Ethernet half-duplex communication.
  10full: Set for 10 Mbps Ethernet full-duplex communication.
  100basetx: Set for 100 Mbps Ethernet half-duplex communication.
  100full: Set for 100 Mbps Ethernet full-duplex communication.
  1000sxfull: Set for 1000 Mbps Gigabit Ethernet full-duplex operation.
  1000basesx: Set for 1000 Mbps Gigabit Ethernet half-duplex operation.
  1000auto: Set for 1000 Mbps Gigabit Ethernet to auto-negotiate full or half duplex. We recommend that you do not use this option to maintain compatibility with switches and other devices in your network.
  aui: Set for 10 Mbps Ethernet half-duplex communication with an AUI cable interface.
  auto: Set Ethernet speed automatically. The auto keyword can only be used with the Intel 10/100 automatic speed sensing network interface card. We recommend that you do not use this option to maintain compatibility with switches and other devices in your network.
  bnc: Set for 10 Mbps Ethernet half-duplex communication with a BNC cable interface.

shutdown: Disable an interface.

Usage Guidelines

The interface command identifies the speed and duplex settings of the network interface boards. After changing an interface command, use the clear xlate command.

Note

For Stateful Failover to work properly, set the Stateful Failover dedicated interface to 100 Mbps full duplex using the 100full option to the interface command.

The clear interface command clears all interface statistics except the number of input bytes. This command no longer shuts down all system interfaces. The clear interface command works with all interface types except Gigabit Ethernet. The clear interface command also clears the packet drop count of Unicast RPF for all interfaces.

The shutdown option lets you disable an interface. When you first install PIX Firewall, all interfaces are shut down by default. You must explicitly enable an interface by entering the command without the shutdown option. If the shutdown option does not exist in the command, packets are passed by the driver to and from the card. If the shutdown option does exist, packets are dropped in either direction. Inserting a new card defaults to the default interface command containing the shutdown option. (That is, if you add a new card and then enter the write memory command, the shutdown option is saved into Flash memory for the interface.) When upgrading from a previous version to the current version, interfaces are enabled.


The configuration of the interface affects buffer allocation (the PIX Firewall will allocate more buffers for higher line speeds). Buffer allocation can be checked with the show blocks command.

Note

Even though the default is to set automatic speed sensing for the interfaces with the interface hardware_id auto command, we recommend that you specify the speed of the network interfaces; for example, 10baset or 100basetx. This lets PIX Firewall operate in network environments that may include switches or other devices that do not handle auto sensing correctly.
show interface Notes

The show interface command lets you view network interface information for Ethernet. This is one of the first commands you should use when establishing network connectivity after installing a PIX Firewall. The information in the show interface command display is as follows:

- The Ethernet string indicates that you have used the interface command to configure the interface. The statement indicates either outside or inside, and whether the interface is available (up) or not available (down).
- line protocol up means a working cable is plugged into the network interface. If the message is line protocol down, either the cable is incorrect or not plugged into the interface connector.
- Network interface type.
- Interrupt vector. It is acceptable for interface cards to have the same interrupts.
- MAC address. Intel cards start with i and 3Com cards with 3c.
- Maximum transmission unit (MTU). The size, in bytes, that data can best be sent over the network.
- nn packets input: Indicates that packets are being received in the PIX Firewall.
- nn packets output: Indicates that packets are being sent from the PIX Firewall.
- Line duplex status: Half duplex indicates that the network interface switches back and forth between sending and receiving information; full duplex indicates that the network interface can send or receive information simultaneously.
- Line speed: 10baset is listed as 10,000 Kb; 100basetx is listed as 100,000 Kb.
- Interface problems:
  - no buffer: the PIX Firewall is out of memory or slowed down due to heavy traffic and cannot keep up with the received data.
  - runts are packets with less information than expected.
  - giants are packets with more information than expected.
  - input errors.
  - CRC (cyclic redundancy check) are packets that contain corrupted data (checksum error).
  - frame errors are framing errors.
  - overruns occur when the network interface card is overwhelmed and cannot buffer received information before more needs to be sent.
  - ignored and aborted errors are provided for future use, but are not currently checked; the PIX Firewall does not ignore or abort frames.
  - underruns occur when the PIX Firewall is overwhelmed and cannot get data fast enough to the network interface card.
  - Unicast RPF drops: the number of packets sent to a single network destination that were dropped by Unicast RPF.
  - output errors (maximum collisions): The number of frames not transmitted because the configured maximum number of collisions was exceeded. This counter should only increment during heavy network traffic.
  - collisions (single and multiple collisions): The number of messages retransmitted due to an Ethernet collision. This usually occurs on an overextended LAN (Ethernet or transceiver cable too long, more than two repeaters between stations, or too many cascaded multiport transceivers). A packet that collides is counted only once by the output packets.
  - interface resets: The number of times an interface has been reset. If an interface is unable to transmit for three seconds, PIX Firewall resets the interface to restart transmission. During this interval, connection state is maintained. An interface reset can also happen when an interface is looped back or shut down.
  - babbles: Unused. (babble means that the transmitter has been on the interface longer than the time taken to transmit the largest frame.)
  - late collisions: The number of frames that were not transmitted because a collision occurred outside the normal collision window. A late collision is a collision that is detected late in the transmission of the packet. Normally, these should never happen. When two Ethernet hosts try to talk at once, they should collide early in the packet and both back off, or the second host should see that the first one is talking and wait. If you get a late collision, a device is jumping in and trying to send on the Ethernet while the PIX Firewall is partly finished sending the packet. The PIX Firewall does not resend the packet, because it may have freed the buffers that held the first part of the packet. This is not a real problem because networking protocols are designed to cope with collisions by resending packets. However, late collisions indicate a problem exists in your network. Common problems are large repeated networks and Ethernet networks running beyond the specification.
  - deferred: The number of frames that were deferred before transmission due to activity on the link.
  - lost carrier: The number of times the carrier signal was lost during transmission.
  - no carrier: Unused.

Gigabit interface cards do not provide information for the extended show interface command counters introduced in version 5.0(3). The show interface command reports line protocol down for BNC cable connections and for 3Com cards. The show interface command has been enhanced to include eight additional status counters. The new counters are only valid for Ethernet interfaces. The following example shows the new output:
show interface
interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 00aa.0000.003b
  IP address 209.165.201.7, subnet mask 255.255.255.224
  MTU 1500 bytes, BW 100000 Kbit half duplex
        1184342 packets input, 1222298001 bytes, 0 no buffer
        Received 26 broadcasts, 27 runts, 0 giants
        4 input errors, 0 CRC, 4 frame, 0 overrun, 0 ignored, 0 abort
        1310091 packets output, 547097270 bytes, 0 underruns, 0 unicast rpf drops
        0 output errors, 28075 collisions, 0 interface resets
        0 babbles, 0 late collisions, 117573 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/1)
        output queue (curr/max blocks): hardware (0/2) software (0/1)

Cisco PIX Firewall Command Reference 78-13849-01, Chapter 6 (G through L Commands), page 6-12

The counters in lines 9 to 11 of this output (output errors, collisions, interface resets, babbles, late collisions, deferred, lost carrier and no carrier) are the ones described above.

The counters in the last two lines are as follows:

Input queue: The input (receive) hardware and software queue.
  Hardware (current and maximum blocks): The number of blocks currently present on the input hardware queue, and the maximum number of blocks previously present on that queue. In the example, there are currently 128 blocks on the input hardware queue, and the maximum number of blocks ever present on this queue was 128.
  Software (current and maximum blocks): The number of blocks currently present on the input software queue, and the maximum number of blocks previously present on that queue. In the example, there are currently 0 blocks on the input software queue, and the maximum number of blocks ever present on this queue was 1.

Output queue: The output (transmit) hardware and software queue.
  Hardware (current and maximum blocks): The number of blocks currently present on the output hardware queue, and the maximum number of blocks previously present on that queue. In the example, there are currently 0 blocks on the output hardware queue, and the maximum number of blocks ever present on this queue was 2.
  Software (current and maximum blocks): The number of blocks currently present on the output software queue, and the maximum number of blocks previously present on that queue. In the example, there are currently 0 blocks on the output software queue, and the maximum number of blocks ever present on this queue was 1.

For Fast Ethernet and Gigabit Ethernet interfaces, the current and maximum count for the number of blocks on the input (receive) queue will always be the same. Currently the count is 128 for Fast Ethernet and 63 for Gigabit Ethernet. The number of blocks on the receive queue is always fixed.

Examples

The following example shows interface activity after a name has been assigned to each interface and auto detection of the interface parameters has been enabled:

show interface
interface ethernet0 outside is up, line protocol is up
  Hardware is i82557 ethernet, irq 10, address is 0060.7380.2f16
  IP address 209.165.201.1, subnet mask 255.255.255.224
  MTU 1500 bytes, BW 100000 Kbit half duplex
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        1 packets output, 0 bytes, 0 underruns, 0 unicast rpf drops
        0 output errors, 28075 collisions, 0 interface resets
        0 babbles, 0 late collisions, 117573 deferred
        0 lost carrier, 0 no carrier
interface ethernet1 DMZ is up, line protocol is up
  Hardware is i82557 ethernet, irq 9, address is 00a0.c95d.0282
  IP address 127.0.0.1, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 10000 Kbit half duplex
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 packets output, 0 bytes, 0 underruns, 0 unicast rpf drops
        0 output errors, 28075 collisions, 0 interface resets
        0 babbles, 0 late collisions, 117573 deferred
        0 lost carrier, 0 no carrier

ip address
Identifies addresses for network interfaces, and enables you to set the number of times the PIX Firewall will poll for DHCP information. (Configuration mode.)

Configure with the command...                               Remove with the command...
ip address if_name ip_address [netmask]                     clear ip
ip address outside dhcp [setroute] [retry retry_cnt]        clear ip
ip address if_name pppoe [setroute]                         clear ip
ip address if_name ip_address netmask pppoe [setroute]      clear ip


Show command options                 Show command output
show ip                              Displays IP addresses assigned to the network interfaces.
show ip address if_name dhcp         Displays detailed information about the DHCP lease.
show ip address if_name pppoe        Displays detailed information about the PPPoE connection.

Syntax Description

clear ip        Resets all interface IP addresses to 127.0.0.1. The clear ip command does not affect the ip local pool or ip verify reverse-path commands.
dhcp            Specifies that PIX Firewall will use DHCP to poll for information. Enables the DHCP client feature on the specified interface.
if_name         The internal or external interface name designated by the nameif command.
ip_address      The PIX Firewall unit's network interface IP address.
netmask         Network mask of ip_address.
outside         Interface from which the PIX Firewall will poll for information.
pppoe           Specifies that Point-to-Point Protocol over Ethernet (PPPoE) is used to assign an IP address.
retry           Enables PIX Firewall to retry a poll for DHCP information.
retry_cnt       Specifies the number of times PIX Firewall will poll for DHCP information. The values available are 4 to 16. If no value is specified, the default is 4.
setroute        Tells the PIX Firewall to set the default route using the default gateway parameter the DHCP or PPPoE server returns.

Defaults

By default the PIX Firewall does not retry its poll for DHCP information; retries happen only when the retry keyword is given. When retry is given without a count, the default value for retry_cnt is 4.

Usage Guidelines

The ip address command lets you assign an IP address to each interface. Use the show ip command to view which addresses are assigned to the network interfaces. If you make a mistake while entering this command, re-enter the command with the correct information. The clear ip command resets all interface IP addresses to 127.0.0.1. The clear ip command does not affect the ip local pool or ip verify reverse-route commands.

Note

The clear ip command stops all traffic through the PIX Firewall unit. After changing an ip address command, use the clear xlate command. Always specify a network mask with the ip address command. If you let PIX Firewall assign a network mask based on the IP address (a classful mask), you may not be permitted to enter subsequent IP addresses if another interface's address falls in the same range as the first address. For example, if you specify an inside interface address of 10.1.1.1 without specifying a network mask (which yields 255.0.0.0) and then try to specify 10.1.2.2 for a perimeter interface, PIX Firewall displays the error message "Sorry, not allowed to enter IP address on same network as interface n." To fix this problem, reenter the first command specifying the correct network mask.


Do not set the netmask to all 255s, such as 255.255.255.255. This stops access on the interface. Instead, use a network mask of 255.255.255.0 for Class C addresses, 255.255.0.0 for Class B addresses, or 255.0.0.0 for Class A addresses. The default address for an interface is 127.0.0.1.

PIX Firewall configurations using failover require a separate IP address for each network interface on the standby unit. The system IP address is the address of the active unit. When the show ip command is executed on the active unit, the current IP address is the same as the system IP address. When the show ip command is executed on the standby unit, the system IP address is the failover IP address configured for the standby unit.
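The two rejection cases above (an all-ones mask, and a second interface landing on a network the first one already owns because no mask was given) are easy to check before a change window. The following is an added example, not Cisco code and not part of this reference: it models the classful fallback the note describes as an assumption and reproduces the "Sorry, not allowed..." condition for a list of planned ip address commands. Interface names and addresses are constructed for the example.

```python
import ipaddress

# Added example, not Cisco code: models the two rejection cases the reference
# describes for the ip address command. The classful fallback below is an
# assumption about how the PIX picks a mask when none is given.

def classful_mask(addr: str) -> int:
    """Prefix length inferred from the address class when no netmask is entered."""
    first_octet = int(addr.split(".")[0])
    if first_octet < 128:
        return 8      # Class A, 255.0.0.0
    if first_octet < 192:
        return 16     # Class B, 255.255.0.0
    return 24         # Class C, 255.255.255.0

def check_interface_addresses(entries):
    """entries: iterable of (if_name, ip_address, netmask or None), in the
    order the ip address commands would be entered.

    Returns one message per rejected entry: an all-ones mask (which stops all
    access on the interface) or an address on a network another interface
    already owns (the "Sorry, not allowed..." error)."""
    owned = {}          # network -> interface that owns it
    problems = []
    for if_name, ip, mask in entries:
        prefix = classful_mask(ip) if mask is None else mask
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        if net.prefixlen == 32:
            problems.append(f"{if_name}: netmask 255.255.255.255 stops access on the interface")
            continue
        clash = next((n for n in owned if n.overlaps(net)), None)
        if clash is not None:
            problems.append(
                f"{if_name}: not allowed to enter IP address on same network as interface {owned[clash]} ({clash})"
            )
            continue
        owned[net] = if_name
    return problems

# Constructed input reproducing the note's example: inside entered without a mask.
AMBIGUOUS = [("inside", "10.1.1.1", None), ("perimeter", "10.1.2.2", "255.255.255.0")]
FIXED = [("inside", "10.1.1.1", "255.255.255.0"), ("perimeter", "10.1.2.2", "255.255.255.0")]

if __name__ == "__main__":
    for name, entries in (("ambiguous", AMBIGUOUS), ("fixed", FIXED)):
        print(name, check_interface_addresses(entries) or "ok")
```

Running it prints the rejection for the ambiguous set and "ok" for the set with explicit masks, which is the order of operations the note recommends: enter the mask every time rather than repair the first interface afterwards.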
DHCP client

The ip address dhcp command enables the DHCP client feature within the PIX Firewall. This command allows the PIX Firewall to be a DHCP client to a DHCP server that provides configuration parameters to the client. In this case, the configuration parameters the DHCP server provides are an IP address and a subnet mask for the interface on which the DHCP client feature is enabled. The optional setroute argument tells the PIX Firewall to set the default route using the default gateway parameter the DHCP server returns. If the setroute argument is configured, the show route command output shows the default route as being set by a DHCP server.

To reset the interface and delete the DHCP lease from PIX Firewall, configure a static IP address with the ip address if_name ip_address [netmask] command, re-enter the ip address if_name dhcp [setroute] or ip address if_name pppoe [setroute] command, or use the clear ip command. The ip address dhcp and pppoe command options are mutually exclusive.

Note

Do not configure the PIX Firewall with a default route when using the setroute argument of the ip address dhcp or ip address pppoe command.
PPPoE client

The PPPoE client functionality is turned off by default, and you must first use the vpdn commands to configure the PIX Firewall for PPPoE; the vpdn commands set the username, password, and authentication protocol for PPPoE access. PPPoE is only supported on the PIX Firewall outside interface in PIX Firewall software version 6.2. The ip address pppoe command enables the PPPoE client feature within the PIX Firewall. (You can also use this command to clear and restart a PPPoE session; the current session shuts down and a new one restarts after entering this command.) You must enter the PPPoE configuration using the vpdn commands before enabling PPPoE with the ip address pppoe command. You can also enable PPPoE by manually entering the IP address, using the ip address if_name ip_address netmask pppoe command. This command sets the PIX Firewall to use the specified address instead of negotiating with the PPPoE server to assign an address. The ip address setroute command enables an access concentrator to set the default routes for the PPPoE client. The ip address pppoe and dhcp command options are mutually exclusive.
For more information

See the Cisco PIX Firewall and VPN Configuration Guide for more information about the DHCP and PPPoE client features.


Examples

The following is sample output from the show ip command:

show ip
System IP Addresses:
        ip address outside 209.165.201.2 255.255.255.224
        ip address inside 192.168.2.1 255.255.255.0
        ip address perimeter 192.168.70.3 255.255.255.0
Current IP Addresses:
        ip address outside 209.165.201.2 255.255.255.224
        ip address inside 192.168.2.1 255.255.255.0
        ip address perimeter 192.168.70.3 255.255.255.0

The Current IP Addresses are the same as the System IP Addresses on the failover active unit. When the primary unit fails, the Current IP Addresses become those of the standby unit.

The following is sample output from the show ip address dhcp command:

show ip address outside dhcp
Temp IP Addr:209.165.201.57 for peer on interface:outside
Temp sub net mask:255.255.255.224
DHCP Lease server:209.165.200.225, state:3 Bound
DHCP Transaction id:0x4123
Lease:259200 secs, Renewal:129600 secs, Rebind:226800 secs
Temp default-gateway addr:209.165.201.1
Next timer fires after:111797 secs
Retry count:0, Client-ID:cisco-0000.0000.0000-outside

ip address outside dhcp retry 10

Related Commands

dhcpd vpdn

ip audit
Configures IDS signature use. (Configuration mode.)

Configure with the command...                                            Remove with the command...
ip audit attack [action [alarm] [drop] [reset]]                          no ip audit attack
ip audit info [action [alarm] [drop] [reset]]                            no ip audit info
ip audit interface if_name audit_name                                    no ip audit interface [if_name]
ip audit name audit_name attack [action [alarm] [drop] [reset]]          no ip audit name audit_name [attack]
ip audit name audit_name info [action [alarm] [drop] [reset]]            no ip audit name audit_name [info]
ip audit signature signature_number disable                              no ip audit signature signature_number
N/A                                                                      clear ip audit [name | signature | interface | attack | info]


Show command options                              Show command output
show ip audit attack                              Displays the default attack actions.
show ip audit info                                Displays the default informational actions.
show ip audit interface                           Displays the interface configuration.
show ip audit name [name [info | attack]]         Displays all audit policies or specific policies referenced by name and possibly type.
show ip audit signature [signature_number]        Displays disabled signatures.

Syntax Description

action actions        The alarm option indicates that when a signature match is detected in a packet, PIX Firewall reports the event to all configured syslog servers. The drop option drops the offending packet. The reset option drops the offending packet and closes the connection if it is part of an active connection. The default is alarm.
audit attack          Specify the default actions to be taken for attack signatures.
audit info            Specify the default actions to be taken for informational signatures.
audit interface       Apply an audit specification or policy (via the ip audit name command) to an interface.
audit name            Specify informational signatures, except those disabled or excluded by the ip audit signature command, as part of the policy.
audit signature       Specify which messages to display, attach a global policy to a signature, and disable or exclude a signature from auditing.
audit_name            Audit policy name viewed with the show ip audit name command.
clear                 Resets name, signature, interface, attack, and info to their default values.
signature_number      IDS signature number.

Usage Guidelines

Cisco Intrusion Detection System (Cisco IDS) provides the following for IP-based systems:

Traffic auditing. Application-level signatures will only be audited as part of an active session.
Applies the audit to an interface.
Supports different audit policies. Traffic matching a signature triggers a range of configurable actions.
Disables the signature audit.
Enables IDS and still disables actions of a signature class (informational, attack).

Auditing is performed by looking at the IP packets as they arrive at an input interface. If a packet triggers a signature and the configured action does not drop the packet, then the same packet can trigger other signatures. PIX Firewall supports both inbound and outbound auditing. For a complete list of supported Cisco IDS signatures, their wording, and whether they are attack or informational messages, refer to Cisco PIX Firewall System Log Messages. Refer to the Cisco Secure Intrusion Detection System Version 2.2.1 User Guide for detailed information on each signature. You can view the NSDB and Signatures chapter of this guide at the following website: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids1/csidsug/sigs.htm


The ip audit commands are described in the sections that follow.


ip audit attack

The ip audit attack [action [alarm] [drop] [reset]] command specifies the default actions to be taken for attack signatures. An audit policy (audit rule) defines the attributes for all signatures that can be applied to an interface along with a set of actions. Using an audit policy may limit the traffic that is audited or specify actions to be taken when the signature matches. Each audit policy is identified by a name and can be defined for informational or attack signatures. Each interface can have two policies; one for informational signatures and one for attack signatures. If a policy is defined without actions, then the configured default actions will take effect. Each policy requires a different name. The no ip audit attack command resets the action to be taken for attack signatures to the default action.
ip audit info

The ip audit info [action [alarm] [drop] [reset]] command specifies the default action to be taken for signatures classified as informational signatures. The no ip audit info command sets the action to be taken for signatures classified as informational and reconnaissance to the default action. To cancel event reactions, specify the ip audit info command without an action option.
ip audit interface

The ip audit interface if_name audit_name command applies an audit specification or policy (via the ip audit name command) to an interface. The no ip audit interface [if_name] command removes a policy from an interface.
ip audit name

The ip audit name audit_name info [action [alarm] [drop] [reset]] command specifies the informational signatures except those disabled or excluded by the ip audit signature command that are considered part of the policy. The no ip audit name audit_name [info] command removes the audit policy audit_name.
ip audit signature

The ip audit signature signature_number disable command specifies which messages to display, attaches a global policy to a signature, and disables or excludes a signature from auditing. The no ip audit signature signature_number command removes the policy from a signature. It is used to reenable a signature.
Supported IDS Signatures

PIX Firewall lists the following single-packet IDS signature messages: 1000-1006, 1100, 1102, 1103, 2000-2012, 2150, 2151, 2154, 3040-3042, 4050-4052, 6050-6053, 6100-6103, 6150-6155, 6175, 6180, and 6190. Not all signature messages are supported by PIX Firewall in this release. IDS syslog messages all start with %PIX-4-4000nn and have the following format:

%PIX-4-4000nn IDS:sig_num sig_msg from faddr to laddr on interface int_name

where the options are as follows:

sig_num      The signature number.
sig_msg      The signature message, approximately the same as the Cisco IDS signature message.
faddr        The IP address of the foreign host initiating the attack. (Foreign is relative; attacks can be perpetrated either from outside to an inside host, or from the inside to an outside host.)
laddr        The IP address of the local host to which the attack is directed. (Local is relative; attacks can be perpetrated either from the outside to an inside host, or from the inside to an outside host.)
int_name     The name of the interface on which the signature originated.

For example:

%PIX-4-400013 IDS:2003 ICMP redirect from 10.4.1.2 to 10.2.1.1 on interface dmz
%PIX-4-400032 IDS:4051 UDP Snork attack from 10.1.1.1 to 192.168.1.1 on interface outside
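Because every IDS message shares the fixed format above, a syslog collector can split it into fields and count hits per foreign address and interface, which is what you want when the configured action is alarm only. The following is an added example, not Cisco code and not part of this reference: the supported signature set is the list given above, the regular expression follows the documented message format, and the log lines are constructed for the example (the first two are the ones shown on this page).

```python
import re
from collections import Counter

# Added example, not Cisco code. Signature numbers below are the ones this
# reference lists as supported; the log lines are constructed for the example.
SUPPORTED_SIGNATURES = (
    set(range(1000, 1007)) | {1100, 1102, 1103} | set(range(2000, 2013))
    | {2150, 2151, 2154} | set(range(3040, 3043)) | set(range(4050, 4053))
    | set(range(6050, 6054)) | set(range(6100, 6104)) | set(range(6150, 6156))
    | {6175, 6180, 6190}
)

# %PIX-4-4000nn IDS:sig_num sig_msg from faddr to laddr on interface int_name
IDS_RE = re.compile(
    r"%PIX-4-4000(?P<nn>\d{2}) IDS:(?P<sig>\d+) (?P<msg>.+?) from (?P<faddr>\S+) "
    r"to (?P<laddr>\S+) on interface (?P<iface>\S+)"
)

def parse_ids_message(line):
    """Return the fields of one IDS syslog message, or None for any other line."""
    m = IDS_RE.search(line)
    if m is None:
        return None
    sig = int(m.group("sig"))
    return {
        "msg_id": m.group("nn"),
        "sig_num": sig,
        "sig_msg": m.group("msg"),
        "faddr": m.group("faddr"),
        "laddr": m.group("laddr"),
        "int_name": m.group("iface"),
        "supported": sig in SUPPORTED_SIGNATURES,
    }

def summarize(lines, threshold=3):
    """Count IDS hits per (faddr, int_name) and list the pairs at or above threshold.
    Grouping by interface as well as address keeps hits apart when the same
    private address can appear behind more than one interface."""
    by_source = Counter()
    for line in lines:
        rec = parse_ids_message(line)
        if rec is not None:
            by_source[(rec["faddr"], rec["int_name"])] += 1
    noisy = [src for src, n in by_source.items() if n >= threshold]
    return by_source, noisy

# Constructed sample: the two messages from this reference plus repeats and one
# unrelated connection message that the parser must ignore.
SAMPLE_LOG = [
    "%PIX-4-400013 IDS:2003 ICMP redirect from 10.4.1.2 to 10.2.1.1 on interface dmz",
    "%PIX-4-400032 IDS:4051 UDP Snork attack from 10.1.1.1 to 192.168.1.1 on interface outside",
    "%PIX-4-400032 IDS:4051 UDP Snork attack from 10.1.1.1 to 192.168.1.2 on interface outside",
    "%PIX-4-400032 IDS:4051 UDP Snork attack from 10.1.1.1 to 192.168.1.3 on interface outside",
    "%PIX-6-302013 Built inbound TCP connection 12 for outside:10.1.1.1/1030 (10.1.1.1/1030)",
]

if __name__ == "__main__":
    counts, noisy = summarize(SAMPLE_LOG)
    for src, n in counts.items():
        print(src, n)
    print("sources over threshold:", noisy)
```

The supported flag is there so that a collector fed from a newer PIX release, or from a different device family that reuses the signature numbers, does not silently count signatures this release cannot emit.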

Examples

The following example disables signature 6102 globally:

ip audit signature 6102 disable

The following example creates an informational policy named attack1 that takes the default informational actions:

ip audit name attack1 info

The following example creates an attack policy that alarms, drops the packet and resets the connection:

ip audit name attack2 attack action alarm drop reset

The following example applies the policies to interfaces:

ip audit interface outside attack1
ip audit interface inside attack2

ip local pool
Identify addresses for a local pool. (Configuration mode.)

Configure with the command...                                       Remove with the command...
ip local pool pool_name pool_start-address[-pool_end-address]       no ip local pool pool_name pool_start-address[-pool_end-address]
                                                                    clear ip local pool pool_name ip_address[-ip_address]

Show command options                                       Show command output
show ip local pool pool_name ip_address[-ip_address]       Displays usage information about the pool of local addresses.

Syntax Description

clear ip local pool       Resets IP addresses in a local pool to their default values.
ip local pool             Creates a pool of local addresses to be used for assigning dynamic IP addresses to remote VPN clients. The address range of this pool of local addresses must not overlap with any command statement that lets you specify an IP address.
ip_address                Single IP address, or used with -ip_address to specify a range of IP addresses.
-ip_address               Optional ending IP address.
no ip local pool          Deletes a local address pool.
pool_name                 Local pool name.
pool_start_address        Local pool IP address range.
pool_end_address

Usage Guidelines

The ip local pool command lets you create a pool of local addresses to be used for assigning dynamic IP addresses to remote VPN clients. The address range of this pool of local addresses must not overlap with any command statement that lets you specify an IP address. To delete an address pool, use the no ip local pool command. When a pool of addresses set by the ip local pool command is empty, the following syslog message appears:
%PIX-4-404101: ISAKMP: Failed to allocate address for client from pool poolname

To reference this pool of local addresses, use the isakmp client configuration address-pool command. Refer to the Cisco PIX Firewall and VPN Configuration Guide for information on the isakmp command.

Examples

The following example creates a pool of IP addresses and then displays the pool contents:

ip local pool mypool 10.0.0.10-10.0.0.20
show ip local pool mypool
Pool      Begin      End        Free  In use
mypool    10.0.0.10  10.0.0.20  11    0

Available Addresses:
10.0.0.10
10.0.0.11
10.0.0.12
10.0.0.13
10.0.0.14
10.0.0.15
10.0.0.16
10.0.0.17
10.0.0.18
10.0.0.19
10.0.0.20

ip verify reverse-path
Implements Unicast RPF IP spoofing protection. (Configuration mode.)

Configure with the command...                    Remove with the command...
ip verify reverse-path interface int_name        no ip verify reverse-path interface int_name
                                                 clear ip verify reverse-path interface int_name
                                                 clear ip verify


Show command options                                    Show command output
show ip verify [reverse-path [interface int_name]]      Displays a list of the ip verify commands in the configuration, including ip verify reverse-path for one or all interfaces.
show ip verify statistics                               Displays the number of packets that have been dropped, based on a route lookup of the source address, because there is no route found for the packet or the route found does not match the interface on which the packet arrived.

Syntax Description

clear ip verify                                        Removes ip verify commands from the configuration.
clear ip verify reverse-path interface int_name        Removes the ip verify reverse-path command for an individual interface from the configuration.
int_name                                               Name of an interface you want to protect from spoofed-source (DoS) traffic.
ip verify reverse-path interface                       Protects an individual interface against IP spoofing by enabling both ingress and egress filtering to verify addressing and route integrity. This command depends upon a default route previously defined in the configuration. See RFC 2267 (since obsoleted by RFC 2827, BCP 38) for more information.
no ip verify reverse-path interface                    Disables ip verify reverse-path filtering for an individual interface.

Usage Guidelines

The ip verify reverse-path command is a security feature that does a route lookup based on the source address. Usually, the route lookup is based on the destination address. This is why it is called reverse path forwarding. With this command enabled, packets are dropped if there is no route found for the packet or the route found does not match the interface on which the packet arrived. The ip verify reverse-path command lets you specify which interfaces to protect from an IP spoofing attack using network ingress and egress filtering, which is described in RFC 2267. This command is disabled by default and provides Unicast Reverse Path Forwarding (Unicast RPF) functionality for the PIX Firewall. The clear ip verify command removes ip verify commands from the configuration. Unicast RPF is a unidirectional input function that screens inbound packets arriving on an interface. Outbound packets are not screened. Because of the danger of IP spoofing in the IP protocol, measures need to be taken to reduce this risk when possible. Unicast RPF, or reverse route lookup, prevents such manipulation under certain circumstances.

Note

The ip verify reverse-path command depends on the existence of a default route statement in the configuration for the outside interface that has 0.0.0.0 0.0.0.0 in the route command statement for the IP address and network mask.


The ip verify reverse-path command provides both ingress and egress filtering.

Ingress filtering checks inbound packets for IP source address integrity, and is limited to addresses for networks in the enforcing entity's local routing table. If the incoming packet does not have a source address represented by a route, then it is impossible to know whether the packet has arrived on the best possible path back to its origin. This is often the case when routing entities cannot maintain routes for every network.

Egress filtering verifies that packets destined for hosts outside the managed domain have IP source addresses verifiable by routes in the enforcing entity's local routing table. If an exiting packet does not arrive on the best return path back to the originator, then the packet is dropped and the activity is logged. Egress filtering prevents internal users from launching attacks using IP source addresses outside of the local domain because most attacks use IP spoofing to hide the identity of the attacking host. Egress filtering makes the task of tracing the origin of an attack much easier. When employed, egress filtering enforces what IP source addresses are obtained from a valid pool of network addresses. Addresses are kept local to the enforcing entity and are therefore easily traceable.

Unicast RPF is implemented as follows:

ICMP packets have no session, so each packet is checked.
UDP and TCP have sessions, so the initial packet requires a reverse route lookup. Subsequent packets arriving during the session are checked using an existing state maintained as part of the session. Non-initial packets are checked to ensure they arrived on the same interface used by the initial packet.

Note

Before using this command, add static route command statements for every network that can be accessed on the interfaces you wish to protect. Only enable this command if routing is fully specified. Otherwise, PIX Firewall will stop traffic on the interface you specify if routing is not in place. Use the show interface command to view the number of dropped packets, which appears in the unicast rpf drops counter.
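The two notes above describe the failure mode precisely: the check is a route lookup on the source address, so a source with no route (or one that routes to a different interface) is dropped, and without a default route every Internet source arriving on outside has no route. The following is an added example, not Cisco's implementation and not part of this reference: it models the behaviour the guidelines describe (longest-prefix lookup of the source, per-packet checks for ICMP, a session interface recorded on the first TCP/UDP packet) over a constructed routing table, so you can see what ip verify reverse-path drops before enabling it. Session tracking is simplified to (protocol, source, destination); the real PIX keys on the full connection.

```python
import ipaddress

# Added example, not Cisco's implementation: a model of ip verify reverse-path
# as the reference describes it. Session tracking is simplified to
# (protocol, source, destination); the PIX keys on the full connection.

ROUTES = [                      # (network, interface), as 'route' statements would define
    ("10.1.1.0/24", "inside"),
    ("10.1.2.0/24", "inside"),
    ("10.1.3.0/24", "inside"),
    ("0.0.0.0/0", "outside"),   # the default route the Note says uRPF depends on
]

class ReversePathChecker:
    def __init__(self, routes, protected):
        self.routes = [(ipaddress.ip_network(n), i) for n, i in routes]
        self.protected = set(protected)         # interfaces with ip verify reverse-path
        self.sessions = {}                      # (proto, src, dst) -> ingress of first packet
        self.drops = {i: 0 for i in protected}  # the 'unicast rpf drops' counters

    def route_interface(self, addr):
        """Longest-prefix lookup of the SOURCE address: the 'reverse' lookup."""
        addr = ipaddress.ip_address(addr)
        best = None
        for net, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return None if best is None else best[1]

    def admit(self, proto, src, dst, ingress):
        """True if the packet passes the check on its ingress interface."""
        if ingress not in self.protected:
            return True
        if proto in ("tcp", "udp"):
            key = (proto, src, dst)
            if key in self.sessions:
                # non-initial packet: must arrive on the interface the session started on
                ok = self.sessions[key] == ingress
            else:
                ok = self.route_interface(src) == ingress
                if ok:
                    self.sessions[key] = ingress
        else:
            # ICMP has no session, so every packet is looked up
            ok = self.route_interface(src) == ingress
        if not ok:
            self.drops[ingress] += 1
        return ok

def demo():
    """Four packets against the routes above; returns the per-interface drop counts."""
    c = ReversePathChecker(ROUTES, ["inside", "outside"])
    c.admit("tcp", "209.165.200.225", "10.1.2.5", "outside")    # Internet host: default route, ok
    c.admit("tcp", "10.1.2.5", "209.165.200.225", "outside")    # inside address from outside: spoofed, dropped
    c.admit("udp", "10.1.2.5", "209.165.200.225", "inside")     # inside host going out: ok
    c.admit("icmp", "172.16.9.9", "209.165.200.225", "inside")  # unroutable source from inside: dropped (egress)
    return c.drops

if __name__ == "__main__":
    print(demo())   # {'inside': 1, 'outside': 1}
```

Dropping the last ROUTES entry and re-running the Internet-host case is the quickest way to see why the Note insists on a 0.0.0.0 0.0.0.0 route: with no default route the lookup returns nothing, and every outside source is dropped.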

Examples

The following example protects traffic between the inside and outside interfaces and provides route command statements for two networks, 10.1.2.0/24 and 10.1.3.0/24, that connect to the inside interface via a hub. The routes point at the inside interface's own address because those networks are directly reachable on that wire; without them, the reverse lookup for sources on those networks would fall through to the default route and the packets would be dropped:

ip address inside 10.1.1.1 255.255.255.0
route inside 10.1.2.0 255.255.255.0 10.1.1.1 1
route inside 10.1.3.0 255.255.255.0 10.1.1.1 1
ip verify reverse-path interface outside
ip verify reverse-path interface inside

The ip verify reverse-path interface outside command statement protects the outside interface from network ingress attacks from the Internet, whereas the ip verify reverse-path interface inside command statement protects the inside interface from network egress attacks from users on the internal network.

The following is sample output from the show ip verify statistics and clear ip verify statistics commands:

pixfirewall(config)# show ip verify statistics
interface outside: 2 unicast rpf drops
interface inside: 1 unicast rpf drops
interface intf2: 3 unicast rpf drops
pixfirewall(config)# clear ip verify statistics
pixfirewall(config)# show ip verify statistics
interface outside: 0 unicast rpf drops
interface inside: 0 unicast rpf drops
interface intf2: 0 unicast rpf drops

isakmp
Negotiates IPSec security associations and enables IPSec secure communications. (Configuration mode.)

Configure with the command...                                                           Remove with the command...
isakmp client configuration address-pool local pool-name [interface-name]               no isakmp client configuration address-pool local pool-name
isakmp enable interface-name                                                            no isakmp enable interface-name
isakmp identity address | hostname                                                      no isakmp identity address | hostname
isakmp keepalive seconds [retry_seconds]                                                N/A
isakmp key keystring address peer-address [netmask mask] [no-xauth] [no-config-mode]    no isakmp key keystring address peer-address [netmask mask] [no-xauth] [no-config-mode]
isakmp peer fqdn fqdn no-xauth no-config-mode                                           no isakmp peer fqdn fqdn no-xauth no-config-mode
isakmp policy priority authentication pre-share | rsa-sig                               no isakmp policy priority authentication pre-share | rsa-sig
isakmp policy priority encryption des | 3des                                            no isakmp policy priority encryption des | 3des
isakmp policy priority group 1 | 2                                                      no isakmp policy priority group 1 | 2
isakmp policy priority hash md5 | sha                                                   no isakmp policy priority hash md5 | sha
isakmp policy priority lifetime seconds                                                 no isakmp policy priority lifetime seconds
N/A                                                                                     clear [crypto] isakmp sa
N/A                                                                                     clear isakmp

Show command options show isakmp policy show isakmp sa

Show command output Displays parameters for each IKE policy, including defaults. Displays all current IKE security associations between the PIX Firewall and its peer.

Syntax Description

address peer-address authentication pre-share

Specify the IPSec peers IP address for the pre-shared key. Specify pre-shared keys as the authentication method.

Cisco PIX Firewall Command Reference

6-24

78-13849-01

Chapter 6

G through L Commands isakmp

authentication rsa-sig

Specify RSA signatures as the authentication method. RSA signatures provide non-repudiation for the IKE negotiation. This basically means you can prove to a third party whether you had an IKE negotiation with the peer. Specify that the Triple DES encryption algorithm is to be used in the IKE policy. Specify 56-bit DES-CBC as the encryption algorithm to be used in the IKE policy. The fully qualified domain name of the peer. This is used to identify a peer that is a security gateway. Specify that the 768-bit Diffie-Hellman group is to be used in the IKE policy. This is the default value. Specifies that the 1024-bit Diffie-Hellman group 2 be used in the IKE policy. Specify MD5 (HMAC variant) as the hash algorithm to be used in the IKE policy. Specify SHA-1 (HMAC variant) as the hash algorithm to be used in the IKE policy. This is the default hash algorithm. The name of the interface on which to enable ISAKMP negotiation.

encryption 3des encryption des fqdn fqdn group 1 group 2 hash md5 hash sha interface-name

keepalive seconds The keepalive interval can be between 10 and 3600 seconds. The retry interval can be between 2 and 10 seconds, with the default being 2 seconds. The retry interval is the interval between retries after a keepalive response has not been received. You can specify the keepalive interval without specifying the retry interval, but cannot specify the retry interval without specifying the keepalive interval. key keystring lifetime seconds netmask mask Specify the authentication pre-shared key. Use any combination of alphanumeric characters up to 128 bytes. This pre-shared key must be identical at both peers. Specify how many seconds each security association should exist before expiring. Use an integer from 120 to 86,400 seconds (one day). (Optional) The netmask of 0.0.0.0. can be entered as a wildcard indicating the key could be used for any peer that does not have a key associated with its specific IP address. This is only to be used if you enabled the IKE Mode Configuration feature, and you have an IPSec peer that is a gateway. This option associates a given pre-shared key with a gateway and allows an exception to the IKE Mode Configuration feature enabled by the crypto map client configuration address command. This is only to be used if you enabled the Xauth feature, and you have an IPSec peer that is a gateway. This option associates a given pre-shared key with a gateway and allows an exception to the Xauth feature enabled by the crypto map client authentication command. Specify the IP address of the IPSec peer. Specify the host name of the IPSec peer. Uniquely identifies the IKE policy and assigns a priority to the policy. Use an integer from 1 to 65,534, with 1 being the highest priority and 65,534 the lowest. Specify the name of a local address pool to allocate the dynamic client IP. Uniquely identifies the Internet Key Exchange (IKE) policy and assigns a priority to the policy. 
Use an integer from 1 to 65,534, with 1 being the highest priority and 65,534 the lowest.

no-config-mode

no-xauth

peer-address peer-hostname policy priority pool-name priority

Cisco PIX Firewall Command Reference 78-13849-01

6-25

Chapter 6 isakmp

G through L Commands

retry_seconds seconds

Specifies the time interval before a keepalive message is sent if a keepalive response is not received from the previous request. Specifies the time interval (keepalive lifetime) for sending the keepalive message to the peer.

Usage Guidelines

The sections that follow describe each isakmp command.


isakmp client configuration address-pool local

The isakmp client configuration address-pool local command is used to configure the IP address local pool to reference IKE. Use the no isakmp client configuration address-pool local command to restore the default value. Before using this command, use the ip local pool command to define a pool of local addresses to be assigned to a remote IPSec peer.
Examples

The following example references IP address local pools to IKE with mypool as the pool-name:
isakmp client configuration address-pool local mypool outside

isakmp enable

The isakmp enable command is used to enable ISAKMP negotiation on the interface on which the IPSec peer will communicate with the PIX Firewall. ISAKMP is enabled by default. Use the no isakmp enable command to disable IKE.

Examples

The following example shows how to disable IKE on the inside interface:
no isakmp enable inside

isakmp identity address | hostname

To define the ISAKMP identity the PIX Firewall uses when participating in the IKE protocol, use the isakmp identity address | hostname command. Use the no isakmp identity address | hostname command to reset the ISAKMP identity to the default value of IP address. When two peers use IKE to establish IPSec security associations, each peer sends its ISAKMP identity to the remote peer. It will send either its IP address or host name depending on how each has its ISAKMP identity set. By default, the PIX Firewall unit's ISAKMP identity is set to the IP address. As a general rule, set the PIX Firewall's and its peers' identities in the same way to avoid an IKE negotiation failure. This failure could be due to either the PIX Firewall or its peer not recognizing its peer's identity.

Note

If you are using RSA signatures as your authentication method in your IKE policies, we recommend that you set each participating peer's identity to hostname. Otherwise, the ISAKMP security association to be established during Phase 1 of IKE may fail.

The following example uses pre-shared keys between the two PIX Firewall units (PIX Firewall 1 and PIX Firewall 2) that are peers, and sets both their ISAKMP identities to host name. At PIX Firewall 1, the ISAKMP identity is set to hostname:
isakmp identity hostname


At the PIX Firewall 2, the ISAKMP identity is set to hostname:


isakmp identity hostname

isakmp keepalive seconds [retry_seconds]

The isakmp keepalive command sets the interval at which the PIX Firewall sends IKE keepalive messages to a peer. The keepalive interval can be between 10 and 3600 seconds. The retry interval can be between 2 and 10 seconds, with the default being 2 seconds. The retry interval is the interval between retries after a keepalive response has not been received. You can specify the keepalive interval without specifying the retry interval, but cannot specify the retry interval without specifying the keepalive interval.
isakmp key address

To configure a pre-shared authentication key and associate the key with an IPSec peer address or host name, use the isakmp key address command. Use the no isakmp key address command to delete a pre-shared authentication key and its associated IPSec peer address. You must configure the pre-shared key at both peers whenever you specify pre-shared key in an IKE policy. Otherwise, the policy cannot be used because it will not be submitted for matching by the IKE process. A netmask of 0.0.0.0 can be entered as a wildcard indicating that any IPSec peer with a given valid pre-shared key is a valid peer.

Note

The PIX Firewall or any IPSec peer can use the same authentication key with multiple peers, but this is not as secure as using a unique authentication key between each pair of peers. Configure a pre-shared key associated with a given security gateway to be distinct from a wildcard, pre-shared key (pre-shared key plus a netmask of 0.0.0.0) used to identify and authenticate the remote VPN clients. The no-xauth or no-config-mode command options are to be used only if the following criteria are met:

 - You are using the pre-shared key authentication method within your IKE policy.
 - The security gateway and VPN client peers terminate on the same interface.
 - The Xauth or IKE Mode Configuration feature is enabled for VPN client peers.

The isakmp key keystring address ip-address [no-xauth] [no-config-mode] command lets you configure a pre-shared authentication key, associate the key with a given security gateway's address, and make an exception to the enabled Xauth feature, IKE Mode Configuration feature, or both (the most common case) for this peer. Both the Xauth and IKE Mode Configuration features are specifically designed for remote VPN clients. The Xauth feature allows the PIX Firewall to challenge the peer for a username and password during IKE negotiation. The IKE Mode Configuration feature enables the PIX Firewall to download an IP address to the peer for dynamic IP address assignment. Most security gateways do not support the Xauth and IKE Mode Configuration features. If you have the no-xauth command option configured, the PIX Firewall will not challenge the peer for a username and password. Similarly, if you have the no-config-mode command option configured, the PIX Firewall will not attempt to download an IP address to the peer for dynamic IP address assignment. Use the no isakmp key keystring address ip-address [no-xauth] [no-config-mode] command to disable the isakmp key keystring address ip-address [no-xauth] [no-config-mode] command that you previously enabled. See the crypto map client authentication command within the crypto map command page for more information about the Xauth feature. See the crypto map client configuration address command within the crypto map command page for more information about the IKE Mode Config feature.


The following example shows sharedkeystring as the authentication key to share between the PIX Firewall and its peer specified by an IP address of 10.1.0.0:
isakmp key sharedkeystring address 10.1.0.0

The following example shows use of a wildcard, pre-shared key. The sharedkeystring is the authentication key to share between the PIX Firewall and its peer (in this case a VPN client) specified by an IP address of 0.0.0.0 and a netmask of 0.0.0.0.
isakmp key sharedkeystring address 0.0.0.0 netmask 0.0.0.0

The following example shows use of the command options no-xauth and no-config-mode in relation to three PIX Firewall peers that are security gateways. These security gateways terminate IPSec on the same interface as the VPN clients. Both the Xauth and IKE Mode Config features are enabled. This means there is a need to make an exception to these two features for each security gateway. The example shows each security gateway peer has a unique pre-shared key to share with the PIX Firewall. The peers' IP addresses are 10.1.1.1, 10.1.1.2, and 10.1.1.3, and the netmask of 255.255.255.255 is specified.
isakmp key secretkey1234 address 10.1.1.1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key secretkey4567 address 10.1.1.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key secretkey7890 address 10.1.1.3 netmask 255.255.255.255 no-xauth no-config-mode
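The following Python model is added here for illustration and is not part of the PIX software or of this reference. It parses isakmp key statements of the kind shown above, selects the key a connecting peer would be matched against, and checks the requirement from the Note that a gateway-specific key must differ from the wildcard key handed to VPN clients (a shared key lets any client holding it pose as the gateway and, where the gateway entry carries no-xauth, skip the username/password challenge as well). The longest-netmask-wins lookup order, the CONFIG lines and the peer addresses are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class IsakmpKey:
    keystring: str
    network: ipaddress.IPv4Network   # peer address plus netmask; 0.0.0.0/0 is the wildcard
    no_xauth: bool = False
    no_config_mode: bool = False


def parse_isakmp_key(line):
    """Parse: isakmp key keystring address peer-address [netmask mask] [no-xauth] [no-config-mode]."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[:2] != ["isakmp", "key"] or tokens[3] != "address":
        raise ValueError(f"not an isakmp key statement: {line!r}")
    keystring, peer = tokens[2], tokens[4]
    if len(keystring) > 128:
        raise ValueError("pre-shared key is limited to 128 bytes")
    mask = "255.255.255.255"          # no netmask keyword: the key is bound to one host
    rest = tokens[5:]
    if rest[:1] == ["netmask"]:
        mask, rest = rest[1], rest[2:]
    unknown = set(rest) - {"no-xauth", "no-config-mode"}
    if unknown:
        raise ValueError(f"unknown option(s) {sorted(unknown)} in {line!r}")
    network = ipaddress.IPv4Network((peer, mask), strict=False)
    return IsakmpKey(keystring, network, "no-xauth" in rest, "no-config-mode" in rest)


def select_key(entries, peer_address):
    """Key for a connecting peer; the most specific matching entry wins (assumed lookup order)."""
    peer_address = ipaddress.IPv4Address(peer_address)
    candidates = [e for e in entries if peer_address in e.network]
    if not candidates:
        return None
    return max(candidates, key=lambda e: e.network.prefixlen)


def gateways_sharing_wildcard_key(entries):
    """Gateway-specific entries whose key is identical to a wildcard (0.0.0.0/0) key."""
    wildcard_keys = {e.keystring for e in entries if e.network.prefixlen == 0}
    return [e for e in entries if e.network.prefixlen > 0 and e.keystring in wildcard_keys]


# Constructed configuration: one wildcard key for VPN clients, two security gateways.
CONFIG = [
    "isakmp key sharedkeystring address 0.0.0.0 netmask 0.0.0.0",
    "isakmp key secretkey1234 address 10.1.1.1 netmask 255.255.255.255 no-xauth no-config-mode",
    "isakmp key secretkey4567 address 10.1.1.2 netmask 255.255.255.255 no-xauth no-config-mode",
]


def run_demo():
    entries = [parse_isakmp_key(line) for line in CONFIG]
    gateway = select_key(entries, "10.1.1.1")       # specific entry beats the wildcard
    client = select_key(entries, "198.51.100.23")   # falls through to the wildcard key
    return entries, gateway, client


if __name__ == "__main__":
    entries, gateway, client = run_demo()
    print("gateway 10.1.1.1 ->", gateway.keystring, "xauth skipped:", gateway.no_xauth)
    print("client 198.51.100.23 ->", client.keystring, "xauth skipped:", client.no_xauth)
    print("gateways sharing the wildcard key:", gateways_sharing_wildcard_key(entries))
```

Run gateways_sharing_wildcard_key over the isakmp key lines of a configuration before enabling no-xauth on any gateway entry; an empty result is the condition the Note asks for.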

isakmp peer fqdn no-xauth | no-config-mode

The isakmp peer fqdn fqdn no-xauth | no-config-mode command is to be used only if the following criteria are met:

 - You are using the RSA signatures authentication method within your IKE policy.
 - The security gateway and VPN client peers terminate on the same interface.
 - The Xauth or IKE Mode Configuration feature is enabled for VPN client peers.

The isakmp peer fqdn fqdn no-xauth | no-config-mode command lets you identify a peer that is a security gateway and make an exception to the enabled Xauth feature, IKE Mode Configuration feature, or both (the most common case) for this peer. Both the Xauth and IKE Mode Configuration features are specifically designed for remote VPN clients. The Xauth feature allows the PIX Firewall to challenge the peer for a username and password during IKE negotiation. The IKE Mode Configuration feature enables the PIX Firewall to download an IP address to the peer for dynamic IP address assignment. Most security gateways do not support the Xauth and IKE Mode Configuration features. If you have the no-xauth command option configured, the PIX Firewall will not challenge the peer for a username and password. Similarly, if you have the no-config-mode command option configured, the PIX Firewall will not attempt to download an IP address to the peer for dynamic IP address assignment.

Note

If you are using RSA signatures as your authentication method in your IKE policies, we recommend that you set each participating peers identity to hostname using the isakmp identity hostname command. Otherwise, the ISAKMP security association to be established during Phase 1 of IKE may fail. Use the no isakmp peer fqdn fqdn no-xauth | no-config-mode command to disable the isakmp peer fqdn fqdn no-xauth | no-config-mode command that you previously enabled. See the crypto map client authentication within the crypto map command page for more information about the Xauth feature. See the crypto map client configuration address command within the crypto map command page for more information about the IKE Mode Config feature.


The following example shows use of the command options no-xauth and no-config-mode in relation to three PIX Firewall peers that are security gateways. These security gateways terminate IPSec on the same interface as the VPN clients. Both the Xauth and IKE Mode Config features are enabled. This means there is a need to make an exception to these two features for each security gateway. Each security gateway peer's fully qualified domain name is specified.
isakmp peer fqdn hostname1.example.com no-xauth no-config-mode
isakmp peer fqdn hostname2.example.com no-xauth no-config-mode
isakmp peer fqdn hostname3.example.com no-xauth no-config-mode

isakmp policy

The isakmp policy commands define the IKE policy that the PIX Firewall uses when negotiating IPSec security associations with a peer. Each isakmp policy command sets one parameter (authentication, encryption, group, hash, or lifetime) of the policy identified by priority; a parameter you do not set keeps its default value. The following is an example of the isakmp policy command:
isakmp policy 93 group 2

isakmp policy authentication

The isakmp policy authentication command lets you specify the authentication method within an IKE policy. IKE policies define a set of parameters to be used during IKE negotiation. If you specify RSA signatures, you must configure the PIX Firewall and its peer to obtain certificates from a CA. If you specify pre-shared keys, you must separately configure these pre-shared keys within the PIX Firewall and its peer. Use the no isakmp policy authentication command to reset the authentication method to the default value of RSA signatures. The following example shows use of the isakmp policy authentication command. This example sets RSA signatures (rsa-sig) as the authentication method to be used within the IKE policy with the priority number of 40.
isakmp policy 40 authentication rsa-sig

isakmp policy encryption

To specify the encryption algorithm within an IKE policy, use the isakmp policy encryption command. IKE policies define a set of parameters to be used during IKE negotiation. DES and 3DES are the two encryption algorithm options available. Use the no isakmp policy encryption command to reset the encryption algorithm to the default value, which is des. The following example shows use of the isakmp policy encryption command. This example sets the 3DES algorithm to be used within the IKE policy with the priority number of 40.
isakmp policy 40 encryption 3des

isakmp policy group

Use the isakmp policy group command to specify the Diffie-Hellman group to be used in an IKE policy. IKE policies define a set of parameters to be used during IKE negotiation. There are two group options: 768-bit or 1024-bit. The 1024-bit Diffie Hellman provides stronger security, but it requires more CPU time to execute. Use the no isakmp policy group command to reset the Diffie-Hellman group identifier to the default value of group 1 (768-bit Diffie Hellman).


The following example shows use of the isakmp policy group command. This example sets group 2, the 1024-bit Diffie Hellman, to be used within the IKE policy with the priority number of 40.
isakmp policy 40 group 2

Note

Cisco VPN Client version 3.x uses Diffie-Hellman group 2 and Cisco VPN Client 3000 version 2.5/2.6 uses Diffie-Hellman group 1. If you are using Cisco VPN Client version 3.x, configure Diffie-Hellman group 2 by using the isakmp policy group 2 command.
isakmp policy hash

Use the isakmp policy hash command to specify the hash algorithm to be used in an IKE policy. IKE policies define a set of parameters to be used during IKE negotiation. There are two hash algorithm options: SHA-1 and MD5. MD5 has a smaller digest and is considered to be slightly faster than SHA-1. To reset the hash algorithm to the default value of SHA-1, use the no isakmp policy hash command. The following example shows use of the isakmp policy hash command. This example sets the MD5 hash algorithm to be used within the IKE policy with the priority number of 40.
isakmp policy 40 hash md5

isakmp policy lifetime

To specify the lifetime of an IKE security association before it expires, use the isakmp policy lifetime command. Use the no isakmp policy lifetime command to reset the security association lifetime to the default value of 86,400 seconds (one day). When IKE begins negotiations, it looks to agree upon the security parameters for its own session. The agreed-upon parameters are then referenced by a security association at each peer. The security association is retained by each peer until the security association's lifetime expires. Before a security association expires, it can be reused by subsequent IKE negotiations, which can save time when setting up new IPSec security associations. New security associations are negotiated before current security associations expire. To save setup time for IPSec, configure a longer IKE security association lifetime. However, the shorter the lifetime (up to a point), the more secure the IKE negotiation is likely to be, because the keying material derived for the security association is exposed for less time.

Note

When the PIX Firewall initiates an IKE negotiation between itself and an IPSec peer, an IKE policy can be selected only if the lifetime of the peer's policy is shorter than or equal to the lifetime of its own policy. Then, if the lifetimes are not equal, the shorter lifetime will be selected. The following example shows use of the isakmp policy lifetime command. This example sets the lifetime of the IKE security association to 50,400 seconds (14 hours) within the IKE policy with the priority number of 40.
isakmp policy 40 lifetime 50400
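The following Python model is added here for illustration and is not part of the PIX software or of this reference. It applies the isakmp policy rules described in this section: one policy per priority number built from isakmp policy lines with the documented defaults (des, sha, rsa-sig, group 1, 86,400 seconds), policies tried in ascending priority order with the default suite last, and the lifetime rule from the Note above. The configuration lines and the peer proposals are constructed; weak_policies is an added audit check, not a PIX command.

```python
from dataclasses import dataclass, replace

# Field of the policy set by each isakmp policy keyword.
ATTRIBUTES = {"encryption": "encryption", "hash": "hash_algorithm",
              "authentication": "authentication", "group": "group", "lifetime": "lifetime"}
DEFAULT_PRIORITY = 65535   # outside the 1..65534 range; marks the implicit default suite


@dataclass(frozen=True)
class IkePolicy:
    priority: int
    encryption: str = "des"          # defaults per the reference
    hash_algorithm: str = "sha"
    authentication: str = "rsa-sig"
    group: int = 1
    lifetime: int = 86400

    def algorithms(self):
        return (self.encryption, self.hash_algorithm, self.authentication, self.group)


def build_policies(config_lines):
    """Apply `isakmp policy priority attribute value` lines; unset attributes keep defaults."""
    policies = {}
    for line in config_lines:
        tokens = line.split()
        if tokens[:2] != ["isakmp", "policy"]:
            continue
        priority, attribute, value = int(tokens[2]), tokens[3], tokens[4]
        if not 1 <= priority <= 65534:
            raise ValueError(f"priority {priority} out of range 1-65534")
        if attribute not in ATTRIBUTES:
            raise ValueError(f"unknown attribute {attribute!r}")
        if attribute in ("group", "lifetime"):
            value = int(value)
        if attribute == "group" and value not in (1, 2):
            raise ValueError("Diffie-Hellman group must be 1 or 2")
        if attribute == "lifetime" and not 120 <= value <= 86400:
            raise ValueError("lifetime must be 120-86400 seconds")
        current = policies.get(priority, IkePolicy(priority))
        policies[priority] = replace(current, **{ATTRIBUTES[attribute]: value})
    ordered = [policies[p] for p in sorted(policies)]   # lowest number is tried first
    ordered.append(IkePolicy(DEFAULT_PRIORITY))          # default suite is always last
    return ordered


def negotiate(local_policies, peer_proposals):
    """Walk local policies by priority; accept the first peer proposal with identical
    algorithms whose lifetime does not exceed ours, and use the shorter lifetime."""
    for local in local_policies:
        for peer in peer_proposals:
            if peer.algorithms() == local.algorithms() and peer.lifetime <= local.lifetime:
                return replace(local, lifetime=min(local.lifetime, peer.lifetime))
    return None


def weak_policies(policies):
    """Flag suites that would negotiate 56-bit DES or the 768-bit group, default suite included."""
    findings = []
    for p in policies:
        if p.encryption == "des":
            findings.append((p.priority, "56-bit DES"))
        if p.group == 1:
            findings.append((p.priority, "768-bit Diffie-Hellman group 1"))
    return findings


# Constructed configuration: policy 40 is the strong suite, policy 90 a weaker fallback.
CONFIG = [
    "isakmp policy 40 authentication pre-share",
    "isakmp policy 40 encryption 3des",
    "isakmp policy 40 hash md5",
    "isakmp policy 40 group 2",
    "isakmp policy 40 lifetime 50400",
    "isakmp policy 90 authentication pre-share",
]

# Constructed peer proposals: the first matches policy 40's algorithms but asks for a
# longer lifetime than 50400 s, so the lifetime rule rejects it and policy 90 is used.
PEER_PROPOSALS = [
    IkePolicy(1, "3des", "md5", "pre-share", 2, 86400),
    IkePolicy(2, "des", "sha", "pre-share", 1, 28800),
]


def run_demo():
    policies = build_policies(CONFIG)
    return policies, negotiate(policies, PEER_PROPOSALS)


if __name__ == "__main__":
    policies, chosen = run_demo()
    print("negotiated:", chosen)
    print("weak suites:", weak_policies(policies))
```

The demo shows the practical consequence of the lifetime rule: a peer whose lifetime is longer than the one in your strongest policy silently falls through to a weaker policy, or to the DES/group 1 default suite, so keep the weaker entries off the box or make the peer's lifetime match.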

show isakmp policy

To view the parameters for each IKE policy including the default parameters, use the show isakmp policy command. The following is sample output from the show isakmp policy command after two IKE policies were configured (with priorities 70 and 90 respectively):


show isakmp policy
Protection suite priority 70
        encryption algorithm: DES - Data Encryption Standard (56 bit keys)
        hash algorithm: Message Digest 5
        authentication method: Rivest-Shamir-Adleman Signature
        Diffie-Hellman group: #2 (1024 bit)
        lifetime: 5000 seconds, no volume limit
Protection suite priority 90
        encryption algorithm: DES - Data Encryption Standard (56 bit keys)
        hash algorithm: Secure Hash Standard
        authentication method: Pre-Shared Key
        Diffie-Hellman group: #1 (768 bit)
        lifetime: 10000 seconds, no volume limit
Default protection suite
        encryption algorithm: DES - Data Encryption Standard (56 bit keys)
        hash algorithm: Secure Hash Standard
        authentication method: Rivest-Shamir-Adleman Signature
        Diffie-Hellman group: #1 (768 bit)
        lifetime: 86400 seconds, no volume limit

Note

Although the output shows no volume limit for the lifetimes, you can currently only configure a time lifetime (such as 86,400 seconds); volume limit lifetimes are not currently configurable.
show isakmp sa

To view all current IKE security associations between the PIX Firewall and its peer, use the show isakmp sa command. The following is sample output from the show isakmp sa command after IKE negotiations were successfully completed between the PIX Firewall and its peer:
show isakmp sa
        dst             src             state           pending   created
        16.132.40.2     16.132.30.2     QM_IDLE         0         1

clear isakmp

The clear isakmp command removes all isakmp command statements from the configuration.
clear [crypto] isakmp sa

The clear [crypto] isakmp sa command deletes active IKE security associations. The keyword crypto is optional.

isakmp policy
The isakmp policy commands are included with the isakmp commands. Please refer to the isakmp commands for usage information on the isakmp policy commands.

kill
Terminate a Telnet session. (Privileged mode.)


Configure with the command... N/A

Remove with the command... kill telnet_id

Syntax Description

telnet_id

Telnet session ID.

Usage Guidelines

The kill command terminates a Telnet session. Use the who command to view the Telnet session ID value. When you kill a Telnet session, the PIX Firewall lets any active commands terminate and then drops the connection without warning the user.

Examples

The following is sample output from the show who command, which is used to list the active Telnet sessions, and the use of the kill command to end Telnet session 2:
show who
2: From 10.10.54.0
kill 2

Related Commands

who telnet

logging
Enable or disable syslog and SNMP logging. (Configuration mode.)

Configure with the command... (each entry is followed, indented, by its Remove with the command... form)
logging on
    no logging on
logging buffered level
    no logging buffered
logging console level
    no logging console
logging facility facility
    no logging facility facility
logging history level
    no logging history level
logging host [in_if_name] ip_address [protocol/port]
    no logging host [in_if_name] ip_address
logging message syslog_id
    no logging message syslog_id
logging monitor level
    no logging monitor level
logging queue queue_size
    N/A
logging standby
    no logging standby
logging timestamp
    no logging timestamp
logging trap level
    no logging trap level
N/A
    clear logging [disable]


Show command options (each entry is followed, indented, by its Show command output)
show logging
    Displays which logging options are enabled. If the logging buffered command is in use, the show logging command lists the current message buffer.
show logging queue
    Displays the current number of messages in the queue, the highest number recorded, and the number of messages discarded because block memory is unavailable to process them.
show logging disabled
    Displays suppressed syslog messages.

Syntax Description

buffered
    Send syslog messages to an internal buffer that can be viewed with the show logging command. Use the clear logging command to clear the message buffer. New messages append to the end of the buffer.
clear
    Clear the buffer for use with the logging buffered command.
console
    Specify that syslog messages appear on the PIX Firewall console as each message occurs. You can limit the types of messages that appear on the console with level. We recommend that you do not use this command in production mode because its use degrades PIX Firewall performance.
disabled
    Clear or display suppressed messages. You can suppress messages with the no logging message command.
facility facility
    Specify the syslog facility. The default is 20. Eight facilities, LOCAL0(16) through LOCAL7(23), are available; the default is LOCAL4(20). Hosts file the messages based on the facility number in the message.
history
    Set the SNMP message level for sending syslog traps.
host
    Specify a syslog server that will receive the messages sent from the PIX Firewall. You can use multiple logging host commands to specify additional servers that would all receive the syslog messages. However, a server can only be specified to receive either UDP or TCP, not both. PIX Firewall only sends TCP syslog messages to the PIX Firewall Syslog Server (PFSS).
in_if_name
    Interface on which the syslog server resides.
ip_address
    Syslog server's IP address.
level
    Specify the syslog message level as a number or string. The level you specify means that you want that level and those less than the level. For example, if level is 3, syslog displays 0, 1, 2, and 3 messages. Possible number and string level values are:
    0  emergencies    System unusable messages
    1  alerts         Take immediate action
    2  critical       Critical condition
    3  errors         Error message
    4  warnings       Warning message
    5  notifications  Normal but significant condition
    6  informational  Information message
    7  debugging      Debug messages and log FTP commands and WWW URLs


message
    Specify a message to be allowed. Use the no logging message command to suppress a syslog message. Use the clear logging disabled command to reset the disallowed messages to the original set. Use the show logging disabled command to list the suppressed messages. All syslog messages are permitted unless explicitly disallowed. The PIX startup message (%PIX-6-199002) cannot be blocked, and neither can more than one message per command statement.
monitor
    Specify that syslog messages appear on Telnet sessions to the PIX Firewall console.
on
    Start sending syslog messages to all output locations. Stop all logging with the no logging on command.
port
    The port from which the PIX Firewall sends either UDP or TCP syslog messages. This must be the same port at which the syslog server listens. For the UDP port, the default is 514 and the allowable range for changing the value is 1025 through 65535. For the TCP port, the default is 1470, and the allowable range is 1025 through 65535. TCP ports only work with the PIX Firewall Syslog Server.
protocol
    The protocol over which the syslog message is sent; either tcp or udp. PIX Firewall only sends TCP syslog messages to the PIX Firewall Syslog Server. You can only view the port and protocol values you previously entered by using the write terminal command and finding the command in the listing; the TCP protocol is listed as 6 and the UDP protocol is listed as 17.
queue queue_size
    Specifies the size of the queue for storing syslog messages. Use this parameter before the syslog messages are processed. The queue parameter defaults to 512 messages, 0 (zero) indicates unlimited (subject to available block memory), and the minimum is one message.
standby
    Let the failover standby unit also send syslog messages. This option is disabled by default. You can enable it to ensure that the standby unit's syslog messages stay synchronized should failover occur. However, this option causes twice as much traffic on the syslog server. Disable with the no logging standby command.
syslog_id
    Specify a message number to disallow or allow. If a message is listed in syslog as %PIX-1-101001, use 101001 as the syslog_id. Refer to Cisco PIX Firewall System Log Messages for message numbers.
timestamp
    Specify that syslog messages sent to the syslog server should have a time stamp value on each message.
trap
    Set logging level only for syslog messages.

Usage Guidelines

The logging command lets you enable or disable sending informational messages to the console, to a syslog server, or to an SNMP management station. Set the SNMP message level with the logging history command, and set the syslog message level with the logging trap command. If you are using TCP as the logging transport protocol, the PIX Firewall stops passing traffic as a security measure if any of the following error conditions occur: the PIX Firewall is unable to reach the syslog server; the syslog server is misconfigured (such as with PFSS, for example); or the disk is full. (UDP-based logging does not prevent the PIX Firewall from passing traffic if the syslog server fails.) To enable the PIX Firewall to pass traffic again, do the following:

Step 1  Identify and correct the syslog server connectivity, misconfiguration, or disk space error condition.

Step 2  Enter the command
        logging host inside 10.1.1.1 tcp/1468
        to enable the logging again.


Alternately, you can change the logging to default logging on UDP/514 by issuing the command logging host inside 10.1.1.1. UDP-based logging passes traffic even if the syslog server fails.

The logging queue command lets you specify the size of the syslog message queue for the messages waiting to be processed. When traffic is heavy, messages may be discarded. The show logging queue command lists:

 - Number of messages in the queue
 - Highest number of messages recorded in the queue
 - Number of messages discarded because block memory was not available to process them

The logging standby command lets the failover standby unit send syslog messages. This option is disabled by default. You can enable it to ensure that the standby unit's syslog messages stay synchronized should failover occur. However, this option causes twice as much traffic on the syslog server. Disable with the no logging standby command.

For more information on syslog and the use of the logging command, refer to Cisco PIX Firewall System Log Messages. You can also use Cisco PIX Firewall System Log Messages to get the message numbers that can be individually suppressed with the logging message command.

Important Notes

1. Do not use the logging console command when the PIX Firewall is in production mode because it degrades system performance. By default, this command is disabled. Instead, use the logging buffered command to start logging, the show logging command to view the messages, and the clear logging command to clear the buffer to make viewing the most current messages easier.

2. PIX Firewall provides more information in messages sent to a syslog server than at the console, but the console provides enough information to permit effective troubleshooting.

3. The logging timestamp command requires that the clock command be set.

4. The no logging message command cannot block the %PIX-6-199002: PIX startup completed. Beginning operation. syslog message.

5. The aaa accounting authentication enable console command causes syslog messages to be sent (at syslog level 4) each time the configuration is changed from the serial console.
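The following Python model is added here for illustration and is not part of the PIX software or of this reference. It applies the filtering rules from this section to constructed syslog lines: the logging trap level admits a message only if its severity number is at or below the configured level, no logging message suppresses a message by its six-digit number except for 199002, and logging device-id marks each forwarded message. The sample messages and the exact position of the device ID in the emitted line are assumptions made for the example.

```python
import re

# Severity names from the logging level table, 0 (emergencies) to 7 (debugging).
LEVELS = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}
# "%PIX-6-199002: PIX startup completed. Beginning operation." cannot be suppressed.
UNBLOCKABLE = {199002}

MESSAGE_RE = re.compile(r"%PIX-(?P<severity>[0-7])-(?P<syslog_id>\d{6}): (?P<text>.*)$")


def parse_level(level):
    """Accept a level as a name ("warnings") or a number ("4", 4)."""
    if isinstance(level, int):
        value = level
    elif level in LEVELS:
        value = LEVELS[level]
    else:
        value = int(level)
    if not 0 <= value <= 7:
        raise ValueError(f"level {level!r} must be 0-7")
    return value


def blockable(syslog_id):
    """True if `no logging message syslog_id` is accepted for this message number."""
    return syslog_id not in UNBLOCKABLE


class TrapLogging:
    """Model of logging trap level, no logging message syslog_id and logging device-id."""

    def __init__(self, trap_level="informational", device_id=None):
        self.trap_level = parse_level(trap_level)
        self.device_id = device_id
        self.disabled = set()

    def no_logging_message(self, syslog_id):
        if not blockable(syslog_id):
            raise ValueError(f"message {syslog_id} cannot be blocked")
        self.disabled.add(syslog_id)

    def logging_message(self, syslog_id):
        self.disabled.discard(syslog_id)

    def emit(self, line):
        """Return the line as it would go to the syslog server, or None if it is filtered."""
        match = MESSAGE_RE.search(line)
        if not match:
            raise ValueError(f"not a PIX syslog message: {line!r}")
        severity, syslog_id = int(match["severity"]), int(match["syslog_id"])
        if severity > self.trap_level:       # "that level and those less than the level"
            return None
        if syslog_id in self.disabled:
            return None
        # Placement of the device ID is an assumption; the page only says it is included.
        prefix = f"{self.device_id} " if self.device_id else ""
        return f"{prefix}%PIX-{severity}-{syslog_id:06d}: {match['text']}"


def filter_messages(policy, lines):
    return [out for out in (policy.emit(line) for line in lines) if out is not None]


# Constructed sample messages; the texts are illustrative, the IDs follow the PIX numbering.
SAMPLE = [
    "%PIX-6-302013: Built inbound TCP connection 41 for outside:203.0.113.7/4433 to inside:192.168.1.2/80",
    "%PIX-7-710005: UDP request discarded from 203.0.113.9/137 to outside:198.51.100.1/137",
    "%PIX-4-106023: Deny tcp src outside:203.0.113.9/5555 dst inside:192.168.1.2/23 by access-group acl_out",
    "%PIX-6-199002: PIX startup completed. Beginning operation.",
    "%PIX-1-101001: (Primary) Failover cable OK.",
]


def run_demo():
    policy = TrapLogging(trap_level="informational", device_id="pixfirewall-1")
    policy.no_logging_message(302013)       # silence the chatty connection-built message
    return filter_messages(policy, SAMPLE)


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

When tuning a collector, suppress by message number rather than lowering the trap level: dropping to warnings silences every informational message, including 199002, which is the one record that tells you the unit rebooted.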

Examples

The following example shows how to start buffered logging at the debugging level and view the results:
logging buffered debugging
show logging
Syslog logging: enabled
Timestamp logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level debugging, 37 messages logged
Trap logging: disabled
305001: Portmapped translation built for gaddr 209.165.201.5/0 laddr 192.168.1.2/256
...

The line of output starting with 305001 shows a translation to a PAT global through global address 209.165.201.5 from a host at 192.168.1.2. The 305001 identifies a syslog message for creating a translation through a PAT global. Refer to Cisco PIX Firewall System Log Messages for more information on syslog messages.


The next example lists the output of the logging queue and show logging queue commands:
logging queue 0
show logging queue
Logging Queue length limit : Unlimited
Current 5 msg on queue, 3513 msgs most on queue, 1 msg discard.

In this example, the logging queue command is set to 0, which means you want an unlimited number of messages; in other words, all syslog messages, to be processed. The show logging queue command shows that 5 messages are queued, 3513 messages was the greatest number of messages in the queue at one time since the PIX Firewall was last booted, and that 1 message was discarded. Even though set for unlimited, should the amount of block memory be exhausted, messages can still be discarded. The following is an example of the show logging command output when the TCP syslog server is unreachable. Consequently, the PIX Firewall stops passing traffic and logging to the inside is set as disabled:
pixfirewall(config)# show log
Syslog logging: enabled
Timestamp logging: enabled
Standby logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level debugging, 827 messages logged
Trap logging: level debugging, facility 20, 840 messages logged
Logging to inside 10.1.1.1 tcp/1468 disabled

Related Commands

clear
telnet
terminal

logging device-id
Displays a unique device ID in all syslog messages. (Configuration mode.)
Configure with the command... logging device-id {hostname | ipaddress if_name | string text}
Remove with the command... no logging device-id

Syntax Description

device-id    The device ID of the PIX Firewall to include in the syslog message.
hostname     Specifies to use the host name of the PIX Firewall to uniquely identify the syslog messages from the PIX Firewall.
if_name      Specifies the interface name to use to uniquely identify the syslog messages from the PIX Firewall.
ipaddress    Specifies to use the IP address of the specified PIX Firewall interface to uniquely identify the syslog messages from the PIX Firewall.
text         Specifies the text string to uniquely identify the syslog messages from the PIX Firewall. The maximum length is 16 characters with no whitespace (blanks) allowed.


Defaults

This command is disabled by default.

Command History

Release        Modification
6.2.2.115      Added to the PIX Firewall operating system.

Usage Guidelines

If enabled, the PIX Firewall displays the device ID in all non-EMBLEM-formatted syslog messages. However, it does not affect the syslog message text that is in EMBLEM format. If the ipaddress option is used, the device ID becomes the specified PIX Firewall interface IP address, regardless of the interface from which the message is sent. This provides a single consistent device ID for all messages sent from the device. The clear logging command removes the entire logging configuration.

Examples

pixfirewall-1(config)# logging device-id hostname
pixfirewall-1(config)# show logging
Syslog logging: disabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Console logging: level debugging, 0 messages logged
Monitor logging: level debugging, 0 messages logged
Buffer logging: disabled
Trap logging: disabled
History logging: disabled
Device ID: hostname "pixfirewall-1"

Related Commands

auto-update
logging

login
Initiates the log-in prompt on the PIX Firewall for starting a session, accessing another privilege level, or command mode as a specific user. (Unprivileged mode.)
Start with the command... login
Remove with the command... N/A

Syntax Description

login

Specifies to log in as a particular user.

Usage Guidelines

The login command logs the user into the PIX Firewall, another privilege level, or command mode using the local user authentication database created with the username command. This command is available in unprivileged mode.


A user who has logged in can use the logout, exit, or quit commands to go back to unprivileged mode.

Examples

The following example shows the prompt after you enter the login command:
pixfirewall> login
Username:

Related Commands

privilege
username

Chapter 7

M through R Commands
mroute
Configures a static multicast route. (Configuration mode.)
Configure with the command... mroute src smask in-if-name dst dmask out-if-name
Remove with the command... no mroute src smask in-if-name dst dmask out-if-name

Show command options... show mroute [dst [src]]

Show command output... Displays the current multicast route table.

Syntax Description

dmask          The destination network address mask.
dst            The Class D address of the multicast group.
in-if-name     The input interface name to pass multicast traffic.
out-if-name    The output interface name to pass multicast traffic.
smask          The multicast source network address mask.
src            The IP address of the multicast source.

Usage Guidelines

The mroute command supports routing multicast traffic through the PIX Firewall.

Examples

In the following example, the multicast sources are the inside interface and DMZ with no internal receivers:
multicast interface outside
multicast interface inside
multicast interface dmz
mroute 1.1.1.1 255.255.255.255 inside 230.1.1.2 255.255.255.255 outside
mroute 2.2.2.2 255.255.255.255 dmz 230.1.1.2 255.255.255.255 outside


multicast
Enables multicast traffic to pass through the PIX Firewall. Includes an igmp subcommand mode for multicast support. (Configuration mode.)
Configure with the command... multicast interface interface_name [max-groups number]
Subcommands to the multicast command:
igmp forward interface interface_name
igmp access-group acl_id
igmp version {1 | 2}
igmp join-group group
igmp query-interval seconds
igmp query-max-response-time seconds
Remove with the command... no multicast interface interface_name
clear multicast
Subcommands to the multicast command:
no igmp
clear igmp [group | interface interface_name]

Show command options... show igmp [group | interface interface_name] [detail]
show multicast [interface interface_name]

Show command output... show igmp displays the IGMP information for a multicast group, whether statically configured or dynamically created. show multicast displays all or per-interface multicast settings, and also displays the IGMP configuration for any interface that is specified.

Syntax Description

acl_id                     Access control list ID.
detail                     Displays all information in the IGMP table.
group                      The address of the multicast group.
igmp                       Internet Group Management Protocol.
interface_name             The name of the interface on which to enable multicast traffic.
join-group                 The multicast group to join.
max-groups                 Specifies the maximum number of groups, from 0 to 2000. The default value is 500.
number                     The maximum number of groups that can be joined.
query-interval             The query response time interval.
query-max-response-time    The maximum query response time interval.
seconds                    Specifies the number of seconds to wait.


Usage Guidelines

The multicast command supports routing multicast traffic through the PIX Firewall. The PIX Firewall igmp commands are subcommands of the multicast command. The clear igmp [group | interface interface_name] command clears IGMP entries.

Note

The PIX Firewall acts as an IGMP proxy but is not a multicast router.

Examples

The following example shows use of the multicast command with corresponding igmp subcommands:
multicast interface outside
multicast interface inside
igmp forward interface outside
igmp join-group 224.1.1.1

The following is an example of the show igmp command:


pixfirewall(config)# show igmp
IGMP is enabled on interface inside
Current IGMP version is 2
IGMP query interval is 60 seconds
IGMP querier timeout is 125 seconds
IGMP max query response time is 10 seconds
Last member query response interval is 1 seconds
Inbound IGMP access group is
IGMP activity: 0 joins, 0 leaves
IGMP querying router is 10.1.3.1 (this system)
IGMP Connected Group Membership
Group Address    Interface    Uptime    Expires    Last Reported

mtu
Specify the maximum transmission unit (MTU) for an interface. (Configuration mode.)
Configure with the command... mtu if_name bytes
Remove with the command... no mtu [if_name bytes]

Show command options... show mtu

Show command output... Displays the current block size.

Syntax Description

bytes      The number of bytes in the MTU, in the range of 64 to 65,535 bytes. The value specified depends on the type of network connected to the interface.
if_name    The internal or external network interface name.


Usage Guidelines

The mtu command sets the size of data sent on a connection. Data larger than the maximum transmission unit (MTU) value is fragmented before being sent. The minimum value for bytes is 64 and the maximum is 65,535 bytes. For PIX Firewall software version 6.2, the MTU size must be greater than or equal to 1500 for the Stateful Failover link and greater than or equal to 576 for the LAN-based failover link. For PIX Firewall software versions 5.2 through 6.1, the MTU size must be greater than or equal to 256 bytes for the Stateful Failover link.

PIX Firewall supports the IP Path MTU Discovery mechanism, as defined in RFC 1191. IP Path MTU Discovery allows a host to dynamically discover and cope with differences in the maximum allowable MTU size of the various links along the path. Sometimes a PIX Firewall is unable to forward a datagram because it requires fragmentation (the packet is larger than the MTU you set for the interface), but the don't fragment (DF) bit is set. The network software sends a message to the sending host, alerting it to the problem. The host will have to fragment packets for the destination so that they fit the smallest packet size of all the links along the path.

For Ethernet interfaces, the default MTU is 1500 bytes in a block, which is also the maximum. This value is sufficient for most applications, but you can pick a lower number if network conditions warrant it. The no mtu command resets the MTU block size to 1500 for Ethernet interfaces. The show mtu command displays the current block size. The show interface command also shows the MTU value.

Examples

The following example shows the use of the mtu command with Ethernet:
interface ethernet0 auto
mtu inside 8192
show mtu
mtu outside 1500
mtu inside 8192
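The fragmentation and Path MTU Discovery behaviour described in the usage guidelines, as an added example in Python (not PIX code and not part of this reference): it validates an mtu value against the bounds and failover-link minimums stated above, then decides for a datagram of a given size whether it is forwarded, fragmented on 8-byte boundaries, or dropped with the ICMP Fragmentation Needed message (type 3, code 4, per RFC 1191) carrying the egress MTU. The function names, the 20-byte header assumption and the sample sizes are inventions of the example.

```python
"""Forwarding decision for a datagram that exceeds an interface MTU.

Added example; not PIX code and not part of the command reference.
Helper names, the 20-byte header assumption and the sample sizes are
inventions of the example.
"""

IP_HEADER_LEN = 20          # assumption: no IP options
MTU_MIN, MTU_MAX = 64, 65535
ETHERNET_DEFAULT_MTU = 1500
ICMP_FRAG_NEEDED = (3, 4)   # Destination Unreachable / Fragmentation Needed (RFC 1191)

# Minimum MTU on a failover link, by software version, as stated in the text.
FAILOVER_MINIMUMS = {
    "6.2": {"stateful-failover": 1500, "lan-failover": 576},
    "5.2-6.1": {"stateful-failover": 256},
}


def validate_mtu(bytes_, version="6.2", link=None):
    """Return bytes_ if the mtu command would accept it, else raise ValueError.

    link is None, "stateful-failover" or "lan-failover".
    """
    if not MTU_MIN <= bytes_ <= MTU_MAX:
        raise ValueError(f"mtu {bytes_} is outside {MTU_MIN}-{MTU_MAX}")
    if link is not None:
        floor = FAILOVER_MINIMUMS.get(version, {}).get(link, MTU_MIN)
        if bytes_ < floor:
            raise ValueError(f"{link} link on version {version} needs mtu >= {floor}")
    return bytes_


def fragment_sizes(total_len, mtu):
    """Split an IPv4 datagram into fragment lengths that fit mtu.

    Every non-final fragment carries a payload that is a multiple of 8 bytes,
    because the IP fragment offset field counts 8-byte units.
    """
    payload = total_len - IP_HEADER_LEN
    per_fragment = (mtu - IP_HEADER_LEN) // 8 * 8
    sizes = []
    while payload > 0:
        chunk = min(per_fragment, payload)
        sizes.append(IP_HEADER_LEN + chunk)
        payload -= chunk
    return sizes


def forward(total_len, df, egress_mtu=ETHERNET_DEFAULT_MTU):
    """Decide what happens to a datagram of total_len bytes on egress.

    Returns one of:
      ("forward", [total_len])             fits, sent unchanged
      ("fragment", [len, len, ...])        DF clear, split before sending
      ("icmp-frag-needed", next_hop_mtu)   DF set, dropped; sender is told the MTU
    """
    if total_len <= egress_mtu:
        return "forward", [total_len]
    if df:
        # Path MTU Discovery: drop and report the MTU so the host can shrink
        # its packets to the smallest link on the path.
        return "icmp-frag-needed", egress_mtu
    return "fragment", fragment_sizes(total_len, egress_mtu)


if __name__ == "__main__":
    print(forward(8192, df=False, egress_mtu=1500))
    print(forward(8192, df=True, egress_mtu=1500))
```

The DF case is the one that bites in practice: a host that has PMTUD enabled but never receives the ICMP message (because a filter between it and the firewall drops ICMP) keeps retransmitting full-size packets and the connection stalls, so when you lower an interface MTU, make sure type 3 code 4 can reach the senders.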

name/names
Associate a name with an IP address. (Configuration mode.) Configure with the command... name ip_address name Remove with the command... no name [ip_address name] clear names no names clear names

names

Show command options show names

Show command output Displays the name command statements in the configuration.


Syntax Description

ip_address    The IP address of the host being named.
name          The name assigned to the IP address. Allowable characters are a to z, A to Z, 0 to 9, a dash, and an underscore. The name cannot start with a number. If the name is over 16 characters long, the name command fails.

Usage Guidelines

Use the name command to identify a host by a text name. The names you define become like a host table local to the PIX Firewall. Because there is no connection to DNS or /etc/hosts on UNIX servers, use of this command is a mixed blessing: it makes configurations much more readable but introduces another level of abstraction to administer. Not only do you have to add and delete IP addresses in your configuration as you do now, but with this command you must also ensure that the host names either match existing names or that you keep a map of the differences.

The name command maps text strings to IP addresses. The clear names command clears the list of names from the PIX Firewall configuration. The no names command disables the use of the text names, but does not remove them from the configuration. The show names command lists the name command statements in the configuration.

Usage Notes

1. You must first use the names command before using the name command. Use the name command immediately after the names command and before you use the write memory command.
2. To disable displaying name values, use the no names command.
3. Only one name can be associated with an IP address.
4. Both the name and names command statements are saved in the configuration.
5. While the name command will let you assign a name to a network mask, no other PIX Firewall command requiring a mask will let you use the name as a mask value. For example, the following command is accepted:
name 255.255.255.0 class-C-mask

Note

None of the commands in which a mask is required can process the class-C-mask as an accepted network mask.

Examples

In the example that follows, the names command enables use of the name command. The name command substitutes pix_inside for references to 192.168.42.3, and pix_outside for 209.165.201.3. The ip address commands use these names while assigning IP addresses to the network interfaces. The no names command disables the name command values from displaying. Subsequent use of the names command restores their display.
pixfirewall(config)# names
pixfirewall(config)# name 192.168.42.3 pix_inside
pixfirewall(config)# name 209.165.201.3 pix_outside
pixfirewall(config)# ip address inside pix_inside 255.255.255.0
pixfirewall(config)# ip address outside pix_outside 255.255.255.224

pixfirewall(config)# show ip address
System IP Addresses:
inside ip address pix_inside mask 255.255.255.0
outside ip address pix_outside mask 255.255.255.224

pixfirewall(config)# no names
pixfirewall(config)# show ip address
System IP Addresses:
inside ip address 192.168.42.3 mask 255.255.255.0
outside ip address 209.165.201.3 mask 255.255.255.224
pixfirewall(config)# names
pixfirewall(config)# show ip address
System IP Addresses:
inside ip address pix_inside mask 255.255.255.0
outside ip address pix_outside mask 255.255.255.224
pixfirewall(config)# show names
System IP Addresses:
name 192.168.42.3 pix_inside
name 209.165.201.3 pix_outside
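The name rules listed above (character set, no leading digit, 16-character limit, one name per address, names before name) and the effect of names / no names on displayed output, as an added example in Python that is not part of the reference and not PIX code. The NameTable class and its method names are invented for the example; the configuration lines it renders are the ones from the example above.

```python
"""Validate PIX 'name' statements and render addresses through the name table.

Added example; not PIX code and not part of the command reference. The class
and method names are inventions of the example.
"""
import re

# Letters, digits, dash, underscore; no leading digit; at most 16 characters.
NAME_RE = re.compile(r"^[A-Za-z_-][A-Za-z0-9_-]{0,15}$")
# A dotted-quad token standing on its own (not part of a longer token).
IPV4_RE = re.compile(r"(?<![\w.])(?:\d{1,3}\.){3}\d{1,3}(?![\w.])")


def valid_name(name):
    """True if the name command would accept this name."""
    return bool(NAME_RE.match(name))


class NameTable:
    """Emulates names / name / no names / clear names / show names."""

    def __init__(self):
        self._by_ip = {}
        self.enabled = False

    def names(self):            # 'names': enable the name command and display
        self.enabled = True

    def no_names(self):         # 'no names': stop displaying, keep the entries
        self.enabled = False

    def clear_names(self):      # 'clear names': drop the entries
        self._by_ip.clear()

    def name(self, ip, name):   # 'name ip_address name'
        if not self.enabled:
            raise ValueError("issue names before name")
        if not valid_name(name):
            raise ValueError(f"name {name!r} rejected: only letters, digits, dash and "
                             "underscore, no leading digit, at most 16 characters")
        if self._by_ip.get(ip, name) != name:
            raise ValueError(f"{ip} is already named {self._by_ip[ip]}; "
                             "only one name per address")
        self._by_ip[ip] = name

    def render(self, line):
        """Show a configuration line the way show output does: addresses that
        have a name are replaced while names is on, shown raw after no names."""
        if not self.enabled:
            return line
        return IPV4_RE.sub(lambda m: self._by_ip.get(m.group(0), m.group(0)), line)

    def show_names(self):
        return [f"name {ip} {n}" for ip, n in self._by_ip.items()]


if __name__ == "__main__":
    table = NameTable()
    table.names()
    table.name("192.168.42.3", "pix_inside")
    table.name("209.165.201.3", "pix_outside")
    print(table.render("inside ip address 192.168.42.3 mask 255.255.255.0"))
    table.no_names()
    print(table.render("inside ip address 192.168.42.3 mask 255.255.255.0"))
```

Note that render only substitutes dotted quads that are in the table, so a mask such as 255.255.255.0 is shown as-is unless you have named it; the note above still applies to the class-C-mask case, because naming a mask is accepted but no mask-taking command will resolve the name.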

nameif
Name interfaces and assign security level. (Configuration mode.) Configure with the command... nameif hardware_id if_name security_level Remove with the command... clear nameif

Show command options show nameif

Show command output Displays interface names.

Syntax Description

hardware_id

The hardware name for the network interface that specifies the interfaces slot location on the PIX Firewall motherboard. For more information on PIX Firewall hardware configuration, refer to the Cisco PIX Firewall Hardware Installation Guide. A logical choice for an Ethernet interface is ethernetn. These names can also be abbreviated with any leading characters in the name, for example, ether1 or e2.

if_name

A name for the internal or external network interface of up to 48 characters in length. By default, PIX Firewall names the inside interface inside, the outside interface outside, and any perimeter interface intfn where n is 2 through 5. Enter 0 for the outside network or 100 for the inside network. Perimeter interfaces can use any number between 1 and 99. By default, PIX Firewall sets the security level for the inside interface to security100 and the outside interface to security0. The first perimeter interface is initially set to security10, the second to security15, the third to security20, and the fourth perimeter interface to security25 (a total of 6 interfaces are permitted, with a total of 4 perimeter interfaces permitted). For access from a higher security to a lower security level, nat and global commands or static commands must be present. For access from a lower security level to a higher security level, static and access-list commands must be present. Interfaces with the same security level cannot communicate with each other. We recommend that every interface have a unique security level.

security_level


Usage Guidelines

The nameif command lets you assign a name to an interface. You can use this command to assign interface names if you have more than two network interface circuit boards in your PIX Firewall. The first two interfaces have the default names inside and outside. The inside interface has a default security level of 100, the outside interface has a default security level of 0. The clear nameif command reverts nameif command statements to default interface names and security levels.

Usage Notes

1. If you change the hardware_id of the outside interface, for example from ethernet0 to ethernet1, the PIX Firewall changes every reference to the outside interface in your configuration to inside, which can cause problems with route, ip, and other command statements that affect the flow of traffic through the PIX Firewall.
2. After changing a nameif command, use the clear xlate command.
3. The inside interface cannot be renamed or given a different security level. The outside interface can be renamed, but not given a different security level.
4. An interface is always external with respect to another interface that has a higher security level.

Examples

The following example shows use of the nameif command:


nameif ethernet2 perimeter1 sec50
nameif ethernet3 perimeter2 sec20

Related Commands

interface

nat
Associate a network with a pool of global IP addresses. (Configuration mode.)
Configure with the command... nat [(if_name)] id address [netmask [outside] [dns] [norandomseq] [timeout hh:mm:ss] [conn_limit [em_limit]]]
nat [(if_name)] 0 access-list acl_name
Remove with the command... no nat [(if_name)] id address [netmask [outside]]
no nat [(if_name)] 0 [access-list acl_name]

Show command options... show nat

Show command output... Displays the nat command statements in the current configuration.

Syntax Description

access-list    Associates access-list command statements to the nat 0 command and exempts traffic that matches the access-list from NAT processing.
acl_name       The access list name.
clear nat      Removes nat command statements from the configuration.


conn_limit     The connection limit (the maximum number of connections; see Usage Guidelines).
dns            Specifies that DNS replies that match the xlate are translated.
em_limit       The embryonic connection limit. The default is 0, which means unlimited connections. Set it lower for slower systems, higher for faster systems.
hh:mm:ss       The timeout interval for the translation slot. However, timeout only occurs if no TCP or UDP connection is actively using the translation.
id             The id number to match with the global address pool.
if_name        The internal network interface name.
local_ip       Internal network IP address to be translated. You can use 0.0.0.0 to allow all hosts to start outbound connections. The 0.0.0.0 local_ip can be abbreviated as 0.
max_conns      The maximum TCP connections permitted from the interface you specify.
nat_id         nat_id values can be 0, 0 access-list acl_name, or a number greater than zero (0). A nat_id that is 0 specifies the inside hosts for identity translation. Identity translations are translations that map an address to itself. The restriction is that the traffic must initiate from an inside host. A nat_id that is 0 access-list acl_name specifies the traffic to exempt from NAT processing, based on the access list specified by acl_name. This is useful in Virtual Private Network (VPN) configuration where traffic between private networks should be exempted from NAT. A nat_id that is a number greater than zero (0) specifies the inside hosts for dynamic address translation. The dynamic addresses are chosen from a global address pool created with the global command, so the nat_id number must match the global_id number of the global address pool you want to use for dynamic address translation.
netmask        Network mask for local_ip. You can use 0.0.0.0 to allow all outbound connections to translate with IP addresses from the global pool. The netmask 0.0.0.0 can be abbreviated as 0.
norandomseq    Do not randomize the TCP packets' sequence numbers. Only use this option if another inline firewall is also randomizing sequence numbers and the result is scrambling the data. Using this option disables TCP Initial Sequence Number (ISN) randomization protection. Without this protection, inside hosts with weak self-ISN protection become more vulnerable to TCP connection hijacking.
outside        Specifies that the nat command apply to the outside interface address. For access control, IPSec, and AAA use the real outside address.
timeout        Sets the idle timeout value for the translation slot.

Usage Guidelines

The nat command lets you enable or disable address translation for one or more internal addresses. Address translation means that when a host starts an outbound connection, the IP addresses in the internal network are translated into global addresses. Network Address Translation (NAT) allows your network to have any IP addressing scheme and the PIX Firewall protects these addresses from visibility on the external network.

The nat outside option lets you enable or disable address translation for the external addresses.

The nat if_name 0 access-list acl_name command lets you exempt traffic that is matched by the access-list command statements from the NAT services. Adaptive Security remains in effect with the nat 0 access-list command. The extent to which the inside hosts are accessible from the outside depends on the access-list command statements that permit inbound access. The if_name is the higher security level interface name. The acl_name is the name you use to identify the access-list command statement.


With PIX Firewall software version 5.3 and higher, there is no longer a restriction on having the nat 0 command (Identity NAT) and the nat 0 access-list command configured at the same time. Both the nat 0 command and the nat 0 access-list command may be configured concurrently. The access-list option changes the behavior of the nat 0 command. (Without the access-list option, the command is backward compatible with previous versions.) The nat 0 command implemented the identity feature; this new version of the command disables NAT. Specifically, the new behavior disables proxy ARPing for the IP addresses in the nat 0 command statement.

Note

The access list you specify with the nat 0 access-list command will not work with an access-list command statement that contains a port specification. The following sample command statements will not work:
access-list no-nat permit tcp host xx.xx.xx.xx host yy.yy.yy.yy
nat (inside) 0 access-list no-nat

After changing or removing a nat command statement, use the clear xlate command.

The connection limit lets you set the maximum number of outbound connections that can be started with the IP address criteria you specify. The embryonic connection limit lets you prevent a type of attack where processes are started without being completed. An embryonic connection is a connection that someone attempted but has not completed and has not yet seen data. Every connection is embryonic until it sets up.

You can use the no nat command to remove a nat command statement.

Table 7-1 helps you decide when to use the nat or static commands for access between the various interfaces in the PIX Firewall. For this table, assume that the security levels are 40 for dmz1 and 60 for dmz2.

Table 7-1 Interface Access Commands by Interface

From This Interface    To This Interface    Use This Command
inside                 outside              nat
inside                 dmz1                 nat
inside                 dmz2                 nat
dmz1                   outside              nat
dmz1                   dmz2                 static
dmz1                   inside               static
dmz2                   outside              nat
dmz2                   dmz1                 nat
dmz2                   inside               static
outside                dmz1                 static
outside                dmz2                 static
outside                inside               static

The rule of thumb is that for access from a higher security level interface to a lower security level interface, use the nat command. From lower security level interface to a higher security level interface, use the static command.
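The nat-versus-static rule, and Table 7-1, as an added Python example that is not part of the reference and not PIX code: it derives the command family from the two interfaces' security levels, refuses pairs with equal levels (which the nameif text says cannot communicate), and regenerates the table from the levels the table assumes (inside 100, outside 0, dmz1 40, dmz2 60). The interface table and function names are constructed for the example.

```python
"""Which command family a flow between two PIX interfaces needs.

Added example; not PIX code and not part of the command reference. The
interface table is constructed from the default levels given for nameif
(inside 100, outside 0) and the 40/60 levels Table 7-1 assumes for dmz1/dmz2.
"""

INTERFACES = {"inside": 100, "outside": 0, "dmz1": 40, "dmz2": 60}


def access_command(src, dst, interfaces=INTERFACES):
    """Return "nat" or "static" for connections initiated on src toward dst.

    Higher level to lower level: outbound, dynamic translation via nat/global.
    Lower level to higher level: inbound, needs static plus an access-list.
    Equal levels: the PIX does not pass traffic, so this raises ValueError.
    """
    if src == dst:
        raise ValueError("source and destination interface are the same")
    s, d = interfaces[src], interfaces[dst]
    if s == d:
        raise ValueError(f"{src} and {dst} share security level {s}; "
                         "interfaces with the same level cannot communicate")
    return "nat" if s > d else "static"


def build_table(interfaces=INTERFACES):
    """All (from, to, command) rows, i.e. Table 7-1 for the given interfaces."""
    return [(src, dst, access_command(src, dst, interfaces))
            for src in interfaces for dst in interfaces if src != dst]


def duplicate_levels(interfaces=INTERFACES):
    """Interfaces that share a level with another one (the reference
    recommends a unique level per interface); empty when the config is clean."""
    by_level = {}
    for name, level in interfaces.items():
        by_level.setdefault(level, []).append(name)
    return sorted(n for names in by_level.values() if len(names) > 1 for n in names)


if __name__ == "__main__":
    for row in build_table():
        print("%-8s -> %-8s %s" % row)
```

Run duplicate_levels on the levels from your own nameif statements before trusting the decision: two interfaces at the same level produce neither a nat nor a static path, which usually surfaces as silently dropped traffic rather than a configuration error.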
Usage Notes

1. You can enable identity address translation with the nat 0 command. Use this command when you have IP addresses that are the same as those used on more than one interface. Adaptive Security remains in effect with the nat 0 command. The extent to which the inside hosts are accessible from the outside depends on the access-list command statements that permit inbound access. Addresses on each interface must be on a different subnet. See Appendix D, TCP/IP Reference Information, of the Cisco PIX Firewall and VPN Configuration Guide for more information about subnetting. The nat 0 10.2.3.0 command means let those IP addresses in the 10.2.3.0 net appear on the outside without translation. All other hosts are translated depending on how their nat command statements appear in the configuration.
2. The nat 1 0 0 command means that all outbound connections can pass through the PIX Firewall with address translation. If you use the nat (inside) 1 0 0 command, users can start connections on any interface with a lower security level, that is, on both perimeter interfaces and the outside interface. With NAT in effect, you must also use the global command statement to provide a pool of addresses through which translated connections pass. In effect, you use the nat command statement to specify from which interface connections can originate and you use the global command statement to determine at which interface connections can occur. The NAT ID must be the same on the nat and global command statements.
3. The nat 1 10.2.3.0 command means that only outbound connections originating from the inside host 10.2.3.0 can pass through the PIX Firewall to go to their destinations with address translation.
4. The PIX Firewall does not support outside NAT for non-H.323 multimedia applications or between overlapping network addresses.

Examples

The nat 0 command requires that traffic initiates from an inside host. If you want the addresses to be visible from the outside network, use the static command as follows:
nat (inside) 0 209.165.201.0 255.255.255.224
static (inside, outside) 209.165.201.0 209.165.201.0 netmask 255.255.255.224
access-list acl_out permit tcp host 10.0.0.1 209.165.201.0 255.255.255.224 eq ftp
access-group acl_out in interface outside
nat (inside) 0 209.165.202.128 255.255.255.224
static (inside, outside) 209.165.202.128 209.165.202.128 netmask 255.255.255.224
access-list acl_out permit tcp host 10.0.0.1 209.165.202.128 255.255.255.224 eq ftp
access-group acl_out in interface outside

The following example shows use of the nat 0 access-list command to permit internal host 10.1.1.15, accessible through the inside interface, inside, to bypass NAT when connecting to outside host 10.2.1.3.
access-list no-nat permit ip host 10.1.1.15 host 10.2.1.3
nat (inside) 0 access-list no-nat

The following commands will disable all NAT on a PIX Firewall with three interfaces:
access-list all-ip-packet permit ip 0 0 0 0
nat (dmz) 0 access-list all-ip-packet
nat (inside) 0 access-list all-ip-packet

The following example specifies with nat command statements that all the hosts on the 10.0.0.0 and 10.3.3.0 inside networks can start outbound connections. The global command statements create a pool of global addresses as follows:
nat (inside) 1 10.0.0.0 255.0.0.0
global (outside) 1 209.165.201.25-209.165.201.27 netmask 255.255.255.224
global (outside) 1 209.165.201.30
nat (inside) 3 10.3.3.0 255.255.255.0
global (outside) 3 209.165.201.10-209.165.201.25 netmask 255.255.255.224
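A configuration lint for the three pitfalls the nat text above calls out, as an added Python example (not PIX code and not from this reference): a nat ID with no matching global pool (or the reverse), a nat 0 access-list exemption whose access list carries a port specification, and norandomseq, which disables TCP initial sequence number randomization. The parser handles only the forms of nat, global and access-list shown on this page, and the sample configuration is constructed, with deliberate mistakes, for the example.

```python
"""Lint the nat / global / access-list part of a PIX configuration.

Added example; not PIX code and not part of the command reference. Only the
command forms shown on this page are parsed. The sample configuration is
constructed, with deliberate mistakes, for the example.
"""
import re

NAT_RE = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)\s+(.*)$")
GLOBAL_RE = re.compile(r"^global\s+\((\S+)\)\s+(\d+)\b")
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(?:permit|deny)\s+(.*)$")
PORT_OPERATORS = {"eq", "neq", "gt", "lt", "range"}


def lint_nat(config_text):
    """Return a list of (line_number, message); line 0 means whole-config."""
    findings = []
    nat_ids, global_ids, acls, nat0_acls = set(), set(), {}, []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if m := NAT_RE.match(line):
            _if_name, nat_id, rest = m.groups()
            tokens = rest.split()
            if "norandomseq" in tokens:
                findings.append((lineno, "norandomseq disables TCP ISN randomization; "
                                 "inside hosts become easier to hijack"))
            if nat_id == "0" and tokens[:1] == ["access-list"] and len(tokens) > 1:
                nat0_acls.append((lineno, tokens[1]))   # NAT exemption
            elif nat_id != "0":
                nat_ids.add(nat_id)                      # dynamic NAT, needs a pool
        elif m := GLOBAL_RE.match(line):
            global_ids.add(m.group(2))
        elif m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append((lineno, m.group(2).split()))

    # The NAT ID must be the same on the nat and global statements.
    for nat_id in sorted(nat_ids - global_ids, key=int):
        findings.append((0, f"nat id {nat_id} has no global pool with the same id"))
    for global_id in sorted(global_ids - nat_ids, key=int):
        findings.append((0, f"global id {global_id} has no nat statement with the same id"))

    # nat 0 access-list does not work with an ACL that carries a port specification.
    for lineno, name in nat0_acls:
        if name not in acls:
            findings.append((lineno, f"nat 0 references undefined access-list {name}"))
            continue
        for acl_line, tokens in acls[name]:
            if PORT_OPERATORS & set(tokens):
                findings.append((acl_line, f"access-list {name} is used by nat 0 but carries "
                                 "a port specification; the exemption will not work"))
    return findings


# Constructed sample with one problem of each kind.
SAMPLE_CONFIG = """\
nat (inside) 1 10.0.0.0 255.0.0.0
global (outside) 1 209.165.201.25-209.165.201.27 netmask 255.255.255.224
nat (inside) 3 10.3.3.0 255.255.255.0 norandomseq
global (outside) 4 209.165.201.10-209.165.201.25 netmask 255.255.255.224
access-list no-nat permit tcp host 10.1.1.15 host 10.2.1.3 eq 80
nat (inside) 0 access-list no-nat
nat (dmz) 0 access-list missing
"""

if __name__ == "__main__":
    for lineno, message in lint_nat(SAMPLE_CONFIG):
        print(f"line {lineno or '-'}: {message}")
```

Feed it the output of write terminal; the norandomseq finding is worth treating as a security review item rather than a style warning, since the text above describes exactly what is lost when ISN randomization is turned off.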

Related Commands

global
outbound / apply

ntp
Synchronizes the PIX Firewall with a network time server using the Network Time Protocol (NTP). (Configuration mode.)
Configure with the command... ntp authenticate
Remove with the command... no ntp authenticate
Configure with the command... ntp authentication-key number md5 value
Remove with the command... no ntp authentication-key number md5 value
Configure with the command... ntp server ip_address [key number] source if_name [prefer]
Remove with the command... no ntp server ip_address
Configure with the command... ntp trusted-key number
Remove with the command... no ntp trusted-key number
Configure with the command... N/A
Remove with the command... clear ntp

Show command options... show ntp
show ntp associations [detail]
show ntp status

Show command output... show ntp displays the current NTP configuration. show ntp associations displays the configured network time server associations. (Detailed descriptions of the information displayed can be found in the NTP specification, RFC 1305.) show ntp status displays the NTP clock information.

Syntax Description

associations          The network time server associations.
authenticate          Enables NTP authentication. If enabled, the PIX Firewall requires authentication before synchronizing with an NTP server.
authentication-key    Defines the authentication keys for use with other NTP commands.
detail                Provides additional detail on the network time servers.
if_name               Specifies the interface to use to send packets to the network time server.
ip_address            The IP address of the network time server with which to synchronize.
key                   Specifies the authentication key.
md5                   The message digest algorithm (MD5) used to compute the authenticator.
number                The authentication key number (1 to 4294967295).
prefer                Designates the network time server specified as the preferred server with which to synchronize time.
server                The network time server.
source                Specifies the network time source.
status                Displays NTP clock information.
trusted-key           Specifies the trusted key against which to authenticate.
value                 The key value, an arbitrary string of up to 32 characters. The key value is displayed as *********** when the configuration is viewed by the write terminal or show tech-support commands.

Usage Guidelines

The ntp command synchronizes the PIX Firewall with the network time server that is specified and authenticates according to the authentication options that are set. The ntp authenticate command enables NTP authentication. The clear ntp command removes the NTP configuration, including disabling authentication and removing all authentication keys and NTP server designations.
Usage Notes

1. The authentication keys for the ntp commands are defined in the ntp authentication-key command. If authentication is used, the PIX Firewall and NTP server must be configured with the same key.
2. If authentication is enabled, use the ntp trusted-key command to define one or more key numbers that the NTP server needs to provide in its NTP packets for the PIX Firewall to accept synchronization with the NTP server.
3. The PIX Firewall listens for NTP packets (port 123) only on interfaces that have an NTP server configured through the ntp server command. NTP packets that are not responses to a request by the PIX Firewall are dropped.
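The authentication check described in the usage notes, as an added Python example that is not PIX code and not from this reference: it builds and verifies the MD5 authenticator that NTP version 3 (RFC 1305) appends to a packet, a 32-bit key identifier followed by MD5 computed over the key followed by the 48-byte header, and refuses a packet whose key is unknown, is not in the trusted-key set, or whose digest does not match. The key table, key numbers and sample header are constructed for the example.

```python
"""Build and verify the MD5 authenticator on an NTP packet.

Added example; not PIX code and not part of the command reference. The
scheme is the NTP version 3 one (RFC 1305): a 4-byte key identifier and
MD5(key || 48-byte header) appended to the header. The key table, key
numbers and sample header are constructed for the example.
"""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
KEY_ID_LEN = 4
DIGEST_LEN = 16  # MD5


def build_packet(header, key_id, key):
    """Append key_id and MD5(key || header) to a 48-byte NTP header."""
    if len(header) != NTP_HEADER_LEN:
        raise ValueError("NTP header must be 48 bytes")
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify_packet(packet, keys, trusted_keys):
    """Check a received packet the way a client with ntp authenticate does.

    keys: key_id -> key bytes (ntp authentication-key number md5 value)
    trusted_keys: set of key ids named with ntp trusted-key
    Returns (accepted, reason).
    """
    if len(packet) < NTP_HEADER_LEN + KEY_ID_LEN + DIGEST_LEN:
        return False, "no authenticator present"
    header = packet[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + KEY_ID_LEN])[0]
    digest = packet[NTP_HEADER_LEN + KEY_ID_LEN:NTP_HEADER_LEN + KEY_ID_LEN + DIGEST_LEN]
    if key_id not in keys:
        return False, f"unknown key id {key_id}"
    if key_id not in trusted_keys:
        return False, f"key id {key_id} is not trusted"
    expected = hashlib.md5(keys[key_id] + header).digest()
    # Constant-time comparison so a wrong digest is not distinguishable by timing.
    if not hmac.compare_digest(expected, digest):
        return False, "digest mismatch"
    return True, "ok"


# Constructed sample: LI 0, version 3, mode 4 (server), stratum 4, poll 7,
# precision -20; the timestamps are left zero because only the MAC matters here.
SAMPLE_HEADER = bytes([0x1C, 4, 7, 0xEC]) + b"\x00" * 44
KEYS = {1234: b"pixsecret", 99: b"othersecret"}  # constructed key table
TRUSTED = {1234}                                 # ntp trusted-key 1234

if __name__ == "__main__":
    pkt = build_packet(SAMPLE_HEADER, 1234, KEYS[1234])
    print(verify_packet(pkt, KEYS, TRUSTED))
```

Two points follow from the construction. First, a key that is defined with ntp authentication-key but not named with ntp trusted-key is rejected even when its digest is correct, which is the behaviour usage note 2 describes. Second, the md5 keyword configures a prefix-keyed digest, not an HMAC; it proves only that the sender held the shared key, so the key value must stay secret on both sides and should be changed if it leaks.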

Examples

The following are examples of the show ntp commands. Detailed descriptions of the information displayed by the show ntp commands can be found in the NTP specification (RFC 1305). The following is sample output from the show ntp command:
pixfirewall(config)# show ntp
ntp authentication-key 1234 md5 ********
ntp authenticate
ntp trusted-key 1234
ntp server 10.10.1.2 key 1234 source inside prefer
pixfirewall(config)#

The following is sample output from the show ntp associations command:
pixfirewall(config)# show ntp associations
      address         ref clock     st  when  poll reach  delay  offset    disp
*~172.23.56.249   172.23.56.225     4   113   128   177    4.5   -0.24   125.2
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

The following is sample output from the show ntp associations detail command:
pixfirewall(config)# show ntp associations detail
172.23.56.249 configured, our_master, sane, valid, stratum 4
ref ID 172.23.56.225, time c0212639.2ecfc9e0 (20:19:05.182 UTC Fri Feb 22 2002)
our mode client, peer mode server, our poll intvl 128, peer poll intvl 128
root delay 38.04 msec, root disp 9.55, reach 177, sync dist 156.021
delay 4.47 msec, offset -0.2403 msec, dispersion 125.21
precision 2**19, version 3
org time c02128a9.731f127b (20:29:29.449 UTC Fri Feb 22 2002)
rcv time c02128a9.73c1954b (20:29:29.452 UTC Fri Feb 22 2002)
xmt time c02128a9.6b3f729e (20:29:29.418 UTC Fri Feb 22 2002)
filtdelay  =    4.47    4.58    4.97    5.63    4.79    5.52    5.87    0.00
filtoffset =   -0.24   -0.36   -0.37    0.30   -0.17    0.57   -0.74    0.00
filterror  =    0.02    0.99    1.71    2.69    3.66    4.64    5.62 16000.0

Cisco PIX Firewall Command Reference 78-13849-01
7-12
Chapter 7 M through R Commands object-group

The following is sample output from the show ntp status command:
pixfirewall(config)# show ntp status
Clock is synchronized, stratum 5, reference is 172.23.56.249
nominal freq is 99.9984 Hz, actual freq is 100.0266 Hz, precision is 2**6
reference time is c02128a9.73c1954b (20:29:29.452 UTC Fri Feb 22 2002)
clock offset is -0.2403 msec, root delay is 42.51 msec
root dispersion is 135.01 msec, peer dispersion is 125.21 msec

Related Commands

clear, debug, show

object-group
Defines object groups that you can use to optimize your configuration. Objects such as hosts, protocols, or services can be grouped, and then you can issue a single command using the group name to apply to every item in the group. (Configuration mode.)

Configure with the commands...
  object-group grp_id
  object-group description description_text
Remove with the command...
  no object-group grp_id
  no object-group description description_text

Configure with the commands...
  object-group icmp-type grp_id
  icmp-group icmp_type
Remove with the command...
  no object-group grp_id
  no object-group icmp-type grp_id
  no icmp-group icmp_type

Configure with the commands...
  object-group network grp_id
  network-object host host_addr
  network-object host_addr netmask
Remove with the command...
  no object-group grp_id
  no object-group network grp_id
  no network-object host host_addr
  no network-object host_addr netmask

Configure with the commands...
  object-group protocol grp_id
  protocol-object protocol
Remove with the command...
  no object-group grp_id
  no object-group protocol grp_id
  no protocol-object protocol

Configure with the commands...
  object-group service grp_id {tcp | udp | tcp-udp}
  port-object eq service
  port-object range begin_service end_service
Remove with the command...
  no object-group grp_id
  no object-group service grp_id {tcp | udp | tcp-udp}
  no port-object eq service
  no port-object range begin_service end_service

Configure with the commands...
  N/A
Remove with the command...
  clear object-group [grp_type]

Show command options
  show object-group [id grp_id | grp_type]
Show command output
  Displays object groups in the configuration.

Syntax Description

begin_service
    Used with the range keyword, the decimal number or name of a TCP or UDP port that is the beginning value for a range of services.
description description_text
    A subcommand of the object-group command that enables users to add a description of up to 200 characters to an object-group. The starting position of the description text is the character right after the whitespace (a blank or a tab) following the description keyword.
end_service
    Used with the range keyword, the decimal number or name of a TCP or UDP port that is the ending value for a range of services.
eq service
    Specifies the decimal number or name of a TCP or UDP port for a particular service object.
group-object grp_id
    The group-object subcommand is used to add a group of objects that are themselves members of another object group.
grp_id
    Required parameter that identifies the object group (one to 64 characters). Can be any combination of letters, digits, and the _, -, . characters.
grp_type
    The type of group, either ICMP type, network, protocol, or service.
host
    Keyword used with the host_addr parameter to define a host object.
host_addr
    The host IP address or host name (if the host name is already defined using the name command).
icmp-object
    The object-group icmp-type subcommand used to add ICMP objects to an ICMP-type object group.
icmp-type
    Defines a group of ICMP types such as echo and echo-reply. After entering the main object-group icmp-type command, add ICMP objects to the ICMP type group with the icmp-object and the group-object subcommand.
icmp_type
    The decimal number or name of an ICMP type.
net_addr
    The network address. Used with netmask to define a subnet object.
netmask
    The netmask. Used with net_addr to define a subnet object.
network
    Defines a group of hosts or subnet IP addresses. After entering the main object-group network command, add network objects to the network group with the network-object and the group-object subcommand.
network-object
    The object-group network subcommand used to add network objects to a network object group.
obj_grp_id
    The name of a previously defined object group. For object groups to be grouped together, they must be of the same type. For example, you can group two or more network object groups together, but you cannot group a protocol group and a network group together.
object-group
    The main object grouping command. The keyword after it specifies the type of object group that is being defined. After entering this main command with the type indicator keyword, you are in subcommand mode where you explicitly define individual group members using the object-group subcommands.
port-object
    The object-group service subcommand used to add port objects to a service object group.
protocol
    Defines a group of protocols such as TCP and UDP. After entering the main object-group protocol command, add protocol objects to the protocol group with the protocol-object and the group-object subcommand.
protocol
    The protocol name or number. (For example, UDP is 17 and TCP is 6.)
protocol-object
    The object-group protocol subcommand used to add protocol objects to a protocol object group.
range
    Keyword indicating that the range parameters follow.
service
    Defines a group of TCP/UDP port specifications such as eq smtp and range 2000 2010. After entering the main object-group service command, add port objects to the service group with the port-object and the group-object subcommand.
tcp
    Specifies that the service group is used for TCP.
tcp-udp
    Specifies that the service group can be used for TCP and UDP.
udp
    Specifies that the service group is used for UDP.

Usage Guidelines

When a group is defined with the object-group command and then used in a PIX Firewall command, the command applies to every item in that group. This can significantly reduce your configuration size. Once an object group is defined, the keyword object-group must be used before the group name in all applicable PIX Firewall commands. For example,
show object-group group_name

where group_name is the name of the group. The following are two examples of the use of an object group once it is defined:
conduit permit tcp object-group group_name any
access-list acl_name permit tcp any object-group group_name

Additionally, the access-list and conduit command parameters can be grouped as shown in Table 7-2.
Table 7-2 Object Groups to Replace Individual Parameters

Instead of using individual parameters...    ...use the following object group:
protocol                                      object-group protocol
host and subnet                               object-group network
service                                       object-group service
icmp_type                                     object-group icmp-type


You can group commands hierarchically; an object group can be a member of another object group. To use object groups, you must do the following:

- The keyword object-group must be used before the object group name in all commands. For example:
  access-list acl permit tcp object-group remotes object-group locals object-group eng_svc
  where remotes and locals are sample object group names.
- The object group must be non-empty.
- An object group cannot be removed or emptied if it is currently being used in a command.

After a main object-group command is entered, the command mode changes to its corresponding subcommand mode. The object group is then defined in the subcommand mode. The active mode is indicated in the command prompt format. For example, the prompt in the configuration terminal mode appears as follows:
pix_name (config)#

where pix_name is the name of the PIX Firewall. However, when the object-group command is entered, the prompt appears as follows:
pix_name (config-type)#

where pix_name is the name of the PIX Firewall and type is the object-group type. Use exit, quit, or any valid config-mode command such as access-list to close an object-group subcommand mode and exit the object-group main command. Use the no object-group command form to remove a group of previously defined object-group commands. The clear object-group command form can also be used. The show object-group command displays all defined object groups by their grp_id when the show object-group id grp_id command form is entered, and by their group type when the show object-group grp_type command form is entered. When you enter show object-group without a parameter, all defined object groups are shown. When entered without a parameter, the clear object-group command removes all defined object groups that are not being used in a command. Using the grp_type parameter removes all defined object groups that are not being used in a command for that group type only. For use in the object-group icmp-type command, Table 7-3 lists ICMP type numbers and names:
Table 7-3 ICMP Types

Number    Name of ICMP Type
0         echo-reply
3         unreachable
4         source-quench
5         redirect
6         alternate-address
8         echo
9         router-advertisement
10        router-solicitation
11        time-exceeded
12        parameter-problem
13        timestamp-request
14        timestamp-reply
15        information-request
16        information-reply
17        address-mask-request
18        address-mask-reply
31        conversion-error
32        mobile-redirect

Usage Notes
1. You can use all other PIX Firewall commands in subcommand mode, including the show and clear commands.
2. Subcommands appear indented when displayed or saved by the show config, write, or config commands.
3. Subcommands have the same command privilege level as the main command.
4. When more than one object group is used in an access-list or conduit command, the elements of all object groups used in the command are cross-concatenated together, starting with the first group's elements concatenated with the second group's elements, then the first and second groups' elements concatenated together with the third group's elements, and so on.

Examples

The following example shows how to use the object-group icmp-type subcommand mode to create a new icmp-type object group:
(config)# object-group icmp-type icmp-allowed
(config-icmp-type)#icmp-object echo
(config-icmp-type)#icmp-object time-exceeded
(config-icmp-type)#exit

The following example shows how to use the object-group network subcommand to create a new network object group:
(config)# object-group network sjc_eng_ftp_servers
(config-network)#network-object host sjc.eng.ftp.servcers
(config-network)#network-object host 172.23.56.194
(config-network)#network-object 192.1.1.0 255.255.255.224
(config-network)#exit

The following example shows how to use the object-group network subcommand to create a new network object group and map it to an existing object-group:
(config)# object-group network sjc_ftp_servers
(config-network)#network-object host sjc.ftp.servers
(config-network)#network-object host 172.23.56.195
(config-network)#network-object 193.1.1.0 255.255.255.224
(config-network)#group-object sjc_eng_ftp_servers
(config-network)#exit

The following example shows how to use the object-group protocol subcommand mode to create a new protocol object group.
(config)# object-group protocol proto_grp_1
(config-protocol)#protocol-object udp
(config-protocol)#protocol-object ipsec
(config-protocol)#exit
(config)# object-group protocol proto_grp_2
(config-protocol)#protocol-object tcp
(config-protocol)#group-object proto_grp_1
(config-protocol)#exit

The following example shows how to use the object-group service subcommand mode to create a new port (service) object group.
(config)# object-group service eng_service tcp
(config-service)#group-object eng_www_service
(config-service)#port-object eq ftp
(config-service)#port-object range 2000 2005
(config-service)#exit

The following example shows how to use the group-object subcommand mode to create a new object group that consists of previously defined objects:
(config)# object-group network host_grp_1
(config-network)# network-object host 192.168.1.1
(config-network)# network-object host 192.168.1.2
(config-network)# exit
(config)# object-group network host_grp_2
(config-network)# network-object host 172.23.56.1
(config-network)# network-object host 172.23.56.2
(config-network)# exit
(config)# object-group network all_hosts
(config-network)# group-object host_grp_1
(config-network)# group-object host_grp_2
(config-network)# exit
(config)# access-list grp_1 permit tcp object-group host_grp_1 any eq ftp
(config)# access-list grp_2 permit tcp object-group host_grp_2 any eq smtp
(config)# access-list all permit tcp object-group all_hosts any eq www

As shown in this example, without the group-object command the all_hosts group would have to be defined to include all the IP addresses that have already been defined in host_grp_1 and host_grp_2, but with the group-object command, the duplicated definitions of the hosts are eliminated. The following example illustrates how to use object groups to simplify access list configuration:
object-group network remote
  network-object host kqk.suu.dri.ixx
  network-object host kqk.suu.pyl.gnl
object-group network locals
  network-object host 172.23.56.10
  network-object host 172.23.56.20
  network-object host 172.23.56.194
  network-object host 172.23.56.195
object-group service eng_svc tcp
  port-object eq www
  port-object eq smtp
  port-object range 25000 25100

This grouping then enables the access list to be configured in one line instead of 24 lines, which would be needed if no grouping is used. Instead, with the grouping, the access list configuration is as follows:
access-list acl permit tcp object-group remote object-group locals object-group eng_svc

Note

The show config and write commands display the access list as configured with the object group names. However, the show access-list command displays the access list entries expanded out into individual statements without their object groupings.
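The cross-concatenation described in usage note 4 and the expanded entries that show access-list displays, as an added Python model (not Cisco code): it parses only the subcommand forms shown on this page, follows nested group-object references, and expands the page's remote/locals/eng_svc access list into its 24 individual statements.

```python
"""Expand access-list statements that reference object groups into the
individual entries 'show access-list' displays (constructed model, not Cisco code).

Handles the subcommand forms shown on this page: network-object, port-object,
protocol-object, icmp-object and nested group-object references.
"""
from itertools import product


def parse_object_groups(lines):
    """Return {name: [members]} from object-group configuration text.

    A member is the token string that replaces 'object-group NAME' in an
    expanded access-list line (e.g. 'host 172.23.56.10', 'eq www',
    'range 25000 25100'); a nested group is kept as ('group', name).
    """
    groups, current = {}, None
    for raw in lines:
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "object-group":
            # object-group {network|protocol|icmp-type} name, or
            # object-group service name {tcp|udp|tcp-udp}
            current = groups.setdefault(parts[2], [])
        elif current is None:
            raise ValueError("subcommand outside object-group mode: " + raw)
        elif parts[0] == "group-object":
            current.append(("group", parts[1]))
        elif parts[0] in ("network-object", "port-object", "protocol-object", "icmp-object"):
            current.append(" ".join(parts[1:]))
        else:
            raise ValueError("unknown subcommand: " + raw)
    return groups


def members(groups, name, seen=()):
    """Flatten a group, following nested group-object references (cycle-safe)."""
    if name in seen:
        raise ValueError("object-group cycle at " + name)
    out = []
    for m in groups[name]:
        if isinstance(m, tuple):
            out.extend(members(groups, m[1], seen + (name,)))
        else:
            out.append(m)
    return out


def expand_access_list(groups, line):
    """Cross-concatenate every 'object-group NAME' in the line, left to right.

    The first group varies slowest, matching the page's description of the
    first group's elements combined with the second's, then the third's.
    """
    tokens = line.split()
    fixed, slots, i = [], [], 0
    while i < len(tokens):
        if tokens[i] == "object-group":
            slots.append(members(groups, tokens[i + 1]))
            fixed.append(None)          # placeholder filled from the product below
            i += 2
        else:
            fixed.append(tokens[i])
            i += 1
    expanded = []
    for combo in product(*slots):
        it = iter(combo)
        expanded.append(" ".join(next(it) if t is None else t for t in fixed))
    return expanded


# Constructed sample: the page's remote/locals/eng_svc groups plus a nested group.
SAMPLE_CONFIG = """
object-group network remote
  network-object host kqk.suu.dri.ixx
  network-object host kqk.suu.pyl.gnl
object-group network locals
  network-object host 172.23.56.10
  network-object host 172.23.56.20
  network-object host 172.23.56.194
  network-object host 172.23.56.195
object-group service eng_svc tcp
  port-object eq www
  port-object eq smtp
  port-object range 25000 25100
object-group network all_hosts
  group-object remote
  group-object locals
""".splitlines()

ACL = "access-list acl permit tcp object-group remote object-group locals object-group eng_svc"

if __name__ == "__main__":
    grps = parse_object_groups(SAMPLE_CONFIG)
    for entry in expand_access_list(grps, ACL):
        print(entry)                       # 2 x 4 x 3 = 24 lines, as the page states
    print(len(members(grps, "all_hosts")), "hosts in all_hosts")
```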

outbound/apply
Create an access list for controlling Internet use. (Configuration mode.)

Configure with the command...
  apply [(if_name)] list_ID outgoing_src | outgoing_dest
Remove with the command...
  no apply [[(if_name)] list_ID outgoing_src | outgoing_dest]
  clear apply

Configure with the command...
  outbound list_ID permit | deny ip_address [netmask [port[-port]] [protocol]
Remove with the command...
  no outbound [list_ID permit | deny ip_address [netmask [port[-port]] [protocol]]
  clear outbound

Configure with the command...
  outbound list_ID except ip_address [netmask [port[-port]] [protocol]
Remove with the command...
  no outbound [list_ID except ip_address [netmask [port[-port]] [protocol]]

Show command options
  show apply [(if_name)] [list_ID outgoing_src | outgoing_dest]
  show outbound
Show command output
  Displays the apply command statements in the configuration.
  Displays the outbound command statements in the configuration.

Syntax Description

apply
    Specifies whether the access control list applies to inside users' ability to start outbound connections with the apply command's outgoing_src option, or whether the access list applies to inside users' ability to access servers on the outside network with the apply command's outgoing_dest option.
clear apply
    Removes all the apply command statements from the configuration.
clear outbound
    Removes all outbound command statements from the configuration.
deny
    Deny the access list access to the specified IP address and port.
except
    Create an exception to a previous outbound command. An except command statement applies to permit or deny command statements only with the same access list ID. When used with apply outgoing_src, the IP address of an except command statement applies to the destination address. When used with apply outgoing_dest, the IP address of an except command statement applies to the source address. See Outbound List Rules for more information.
if_name
    The network interface originating the connection.
ip_address
    The IP address for this access list entry. Do not specify a range of addresses. The 0.0.0.0 ip_address can be abbreviated as 0.
list_ID
    A tag number for the access list. The access list number you use must be the same for the apply and outbound commands. This value must be a positive number from 1 to 1599. This number can be the same as what you use with the nat and global commands. This number is just an arbitrary number that groups outbound command statements to an apply command statement. List_IDs are processed sequentially in descending order. For more information, see Outbound List Rules.
netmask
    The network mask for comparing with the IP address; 255.255.255.0 causes the access list to apply to an entire Class C address. 0.0.0.0 indicates all access. The 0.0.0.0 netmask can be abbreviated as 0.
no outbound
    Removes a single outbound command statement from the configuration.
no apply
    Removes a single apply command statement from the configuration.
outbound
    The outbound command, in conjunction with the apply command, uses access lists to control a filtering function on outgoing packets from the PIX Firewall. The filters can be based on the source IP address, the destination IP address, and the destination port/protocol as specified by the rules. The use of an outbound command requires use of the apply command. The apply command lets you specify whether the access control list applies to inside users' ability to start outbound connections with the apply command's outgoing_src option, or whether the access list applies to inside users' ability to access servers on the outside network with the apply command's outgoing_dest option. For more information, see Outbound List Rules and the access-list command. The outbound command has been superseded by the access-list command.
outgoing_dest
    Deny or permit access to an external IP address using the service(s) specified in the outbound command.
outgoing_src
    Deny or permit an internal IP address the ability to start outbound connections using the service(s) specified in the outbound command.
permit
    Allow the access list to access the specified IP address and port.
port
    A port or range of ports that the access list is permitted or denied access to. See the Ports section in Chapter 2, Using PIX Firewall Commands, for a list of valid port literal names.
protocol
    Limit outbound access to udp, tcp, or icmp protocols. If a protocol is not specified, the default is tcp.


Usage Guidelines

The outbound command creates an access list that lets you specify the following:

- Whether inside users can create outbound connections
- Whether inside users can access specific outside servers
- What services inside users can use for outbound connections and for accessing outside servers
- Whether outbound connections can execute Java applets on the inside network

Outbound lists are filters on outgoing packets from the PIX Firewall. The filter can be based on the source IP address, the destination IP address, and the destination port/protocol as specified by the rules. The use of an outbound command requires use of the apply command. The apply command enables you to specify whether the access control list applies to inside users' ability to start outbound connections with the apply command's outgoing_src option, or whether the access list applies to inside users' ability to access servers on the outside network with the apply command's outgoing_dest option.

Note

The outbound command has been superseded by the access-list command. We recommend that you migrate your outbound command statements to access-list command statements to maintain future compatibility. The java option has been replaced by the filter java command.

After adding, removing, or changing outbound command statements, use the clear xlate command. Use the no outbound command to remove a single outbound command statement from the configuration. Use the clear outbound command to remove all outbound command statements from the configuration. The show outbound command displays the outbound command statements in the configuration. Use the no apply command to remove a single apply command statement from the configuration. Use the clear apply command to remove all the apply command statements from the configuration. The show apply command displays the apply command statements in the configuration.

Outbound List Rules

Rules, written as outbound list_ID command statements, are global to the PIX Firewall; they are activated by apply list_ID outgoing_src | outgoing_dest command statements. When applied to outgoing_src, the source IP address, the destination port, and protocol are filtered. When applied to outgoing_dest, the destination IP address, port, and protocol are filtered. The outgoing_src and outgoing_dest outbound lists are filtered independently. If any one of the filters contains the deny option, the outbound packet is denied. When multiple rules are used to filter the same packet, the best matched rule takes effect. The best match is based on the IP address mask and the port range check. More strict IP address masks and smaller port ranges are considered a better match. If there is a tie, a permit option overrides a deny option. Rules are grouped by a list_ID. Within each list_ID, except rules (that is, outbound n except) can be set. The except option reverses the best matched rule of deny or permit. In addition, PIX Firewall filters the specified IP address and mask in the rule against the destination IP address of the outbound packet if the list is applied to outgoing_src. Alternatively, PIX Firewall filters the source IP address if the list is applied to outgoing_dest. Furthermore, the except rules only apply to rules with the same list_ID. A single except rule within a list_ID without another permit or deny rule has no effect. If multiple except rules are set, the best match is checked for which except to apply. The outbound command rules are now sorted by the best match checking. Use the show outbound command to see how the best match is judged by the PIX Firewall.


Usage Notes
1. If outbound commands are not specified, the default behavior is to permit all outbound traffic and services from inside hosts.
2. After adding, changing, or removing an outbound and apply command statement group, use the clear xlate command to make the IP addresses available in the translation table.
3. The outbound commands are processed linearly within a list_ID. In addition, list_IDs are processed sequentially in descending order. For example, the first command statement you specify in an outbound list is processed first, then the next outbound command statement in that list, and so on. Similarly, list_ID 10 is processed before list_ID 20, and so on.
4. When using outbound commands, it is often helpful to deny or permit access to the many before you deny or permit access to the specific. Start with an interface-wide specification such as the following command that denies all hosts from starting connections.
   outbound 1 deny 0 0 0
   apply (inside) 1 outgoing_src

   Then add command statements that permit or deny hosts access to specific ports. For example:
   outbound 1 deny 0 0 0
   outbound 1 permit 10.1.1.1 255.255.255.255 23 tcp
   outbound 1 permit 10.1.1.1 255.255.255.255 80 tcp
   apply (inside) 1 outgoing_src

   You could state this same example as follows with the except option:
   outbound 1 deny 0 0 0
   outbound 1 except 209.165.201.11 255.255.255.255 23 tcp
   outbound 1 except 209.165.201.11 255.255.255.255 80 tcp
   apply (inside) 1 outgoing_src

   In the preceding outbound except command statements, IP address 209.165.201.11 is the destination IP address, not the source address. This means that everyone is denied outbound access, except those users going to 209.165.201.11 via Telnet (port 23) or HTTP (port 80).
5. If you permit access to port 80 (http), this also permits Java applets to be downloaded. You must have a specific deny command statement to block Java applets.
6. The maximum number of outbound list entries in a configuration is 1599.
7. Outbound lists have no effect on access-list command statement groups.
8. The use of the access-group command statement overrides the conduit and outbound command statements for the specified interface name.

Examples

In the following example, the first outbound group sets inside hosts so that they can only see and Telnet to perimeter hosts, and do DNS lookups. The perimeter network address is 209.165.201.0 and the network mask is 255.255.255.224.
outbound 9 deny 0.0.0.0 0.0.0.0 0 0
outbound 9 except 209.165.201.0 255.255.255.224 23 tcp
outbound 9 except 0.0.0.0 0.0.0.0 53 udp


The next outbound group lets hosts 10.1.1.11 and 10.1.1.12 go anywhere:
outbound 11 deny 0.0.0.0 0.0.0.0 0 0
outbound 11 permit 10.1.1.11 255.255.255.255 0 0
outbound 11 permit 10.1.1.12 255.255.255.255 0 0
outbound 11 permit 0.0.0.0 0.0.0.0 21 tcp
outbound 11 permit 10.3.3.3 255.255.255.255 143 tcp

This last outbound group lets hosts on the perimeter only access TCP ports 389 and 30303 and UDP port 53 (DNS). Finally, the apply command statements set the outbound groups so that the permit and deny rules affect access to all external addresses.
outbound 13 deny 0.0.0.0 0.0.0.0 0 0
outbound 13 permit 0.0.0.0 0.0.0.0 389 tcp
outbound 13 permit 0.0.0.0 0.0.0.0 30303 tcp
outbound 13 permit 0.0.0.0 0.0.0.0 53 udp

apply (inside) 9 outgoing_src
apply (inside) 11 outgoing_src
apply (perim) 13 outgoing_src

Controlling Outbound Connections

The following example prevents all inside hosts from starting outbound connections:
outbound 1 deny 0 0 0
apply (inside) 1 outgoing_src

The 0 0 0 at the end of the command means all IP addresses (0 is the same as 0.0.0.0), with a 0.0.0.0 subnet mask and for all services (port value is zero). Conversely, the following example permits all inside hosts to start connections to the outside (this is the default if an access list is not created):
outbound 1 permit 0 0 0
apply (inside) 1 outgoing_src

Controlling Inside Hosts' Access to Outbound Services

The following example prevents inside host 192.168.1.49 from accessing the World Wide Web (port 80):
outbound 11 deny 192.168.1.49 255.255.255.255 80 tcp
apply (inside) 11 outgoing_src

Controlling Inside Hosts' Access to Outside Servers

If your employees are spending too much time examining GIF images on a particular website with two web servers, you can use the following example to restrict this access:
outbound 12 deny 192.168.146.201 255.255.255.255 80 tcp
outbound 12 deny 192.168.146.202 255.255.255.255 80 tcp
apply (inside) 12 outgoing_dest


Using except Command Statements

An except command statement only provides exception to items with the same list_ID, as shown in the following example:
outbound 9 deny 0.0.0.0 0.0.0.0 0 0
outbound 9 except 10.100.0.0 255.255.0.0 23 tcp
outbound 9 except 0.0.0.0 0.0.0.0 53 udp
outbound 11 deny 0.0.0.0 0.0.0.0 0 0
outbound 11 permit 10.1.1.11 255.255.255.255 0 0
outbound 11 permit 10.1.1.12 255.255.255.255 0 0
outbound 11 permit 0.0.0.0 0.0.0.0 21 tcp
outbound 11 permit 10.3.3.3 255.255.255.255 143 tcp
outbound 13 deny 0.0.0.0 0.0.0.0 0 0
outbound 13 permit 0.0.0.0 0.0.0.0 389 tcp
outbound 13 permit 0.0.0.0 0.0.0.0 30303 tcp
outbound 13 permit 0.0.0.0 0.0.0.0 53 udp

In the preceding examples, the following two command statements work against other command statements in list 9 but not in lists 11 and 13:
outbound 9 except 10.100.0.0 255.255.0.0 23 tcp
outbound 9 except 0.0.0.0 0.0.0.0 53 udp

In the following example, the set of deny, permit, and except option command statements denies everybody from connecting to external hosts except for DNS queries and Telnet connections to hosts on 10.100.0.0. The host with IP address 10.1.1.11 is permitted outbound access, and has access to everywhere except to 10.100.0.0 via Telnet and anywhere to use DNS.
outbound 1 deny 0.0.0.0 0.0.0.0 0 tcp
outbound 1 permit 10.1.1.11 255.255.255.255 0 tcp
outbound 1 except 10.100.0.0 255.255.0.0 23 tcp
outbound 1 except 0.0.0.0 0.0.0.0 53 udp
apply (inside) 1 outgoing_src
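The best-match, tie-break and except semantics of the Outbound List Rules section, run over a configuration like the except example just above, as an added Python model (not Cisco code). It assumes a host mask when the netmask is omitted and treats a protocol field of 0 as any protocol; neither is stated on the page.

```python
"""Model of PIX outbound/apply evaluation per the Outbound List Rules section
(constructed example, not Cisco code). Assumptions the page does not state: an
omitted netmask means a host mask; a protocol field of 0 means any protocol."""
import ipaddress
import re
from dataclasses import dataclass

ALL_PORTS = (1, 65535)        # port 0 on the page means "all services"


@dataclass
class Rule:
    list_id: int
    action: str               # "permit", "deny" or "except"
    network: ipaddress.IPv4Network
    ports: tuple              # inclusive (low, high)
    proto: str                # "tcp", "udp", "icmp" or "any"


def parse_outbound(line):
    """Parse 'outbound list_ID permit|deny|except ip_address [netmask [port[-port]] [protocol]]'."""
    p = line.split()
    if len(p) < 4 or p[0] != "outbound" or p[2] not in ("permit", "deny", "except"):
        raise ValueError("not an outbound statement: " + line)
    addr = "0.0.0.0" if p[3] == "0" else p[3]                  # page: 0 abbreviates 0.0.0.0
    mask = p[4] if len(p) > 4 else "255.255.255.255"           # assumption: host mask if omitted
    mask = "0.0.0.0" if mask == "0" else mask
    port = p[5] if len(p) > 5 else "0"
    low, _, high = port.partition("-")
    ports = ALL_PORTS if port == "0" else (int(low), int(high or low))
    proto = p[6] if len(p) > 6 else "tcp"                      # page: default protocol is tcp
    return Rule(int(p[1]), p[2], ipaddress.IPv4Network((addr, mask), strict=False),
                ports, "any" if proto == "0" else proto)


def parse_apply(line):
    """Parse 'apply [(if_name)] list_ID outgoing_src|outgoing_dest' into (if_name, list_ID, direction)."""
    m = re.fullmatch(r"apply(?:\s+\((\w+)\))?\s+(\d+)\s+(outgoing_src|outgoing_dest)", line.strip())
    if not m:
        raise ValueError("not an apply statement: " + line)
    return m.group(1), int(m.group(2)), m.group(3)


def _matches(rule, address, port, proto):
    return (ipaddress.IPv4Address(address) in rule.network
            and rule.ports[0] <= port <= rule.ports[1]
            and rule.proto in ("any", proto))


def _best(candidates):
    """Page's best match: stricter mask, then smaller port range; on a tie permit wins."""
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen,
                                          -(r.ports[1] - r.ports[0]),
                                          r.action == "permit"))


def evaluate_list(rules, direction, src, dst, port, proto):
    """Decision of one list_ID bound with outgoing_src or outgoing_dest."""
    # outgoing_src filters on the source address, outgoing_dest on the destination;
    # except rules are checked against the other address of the pair.
    filtered, other = (src, dst) if direction == "outgoing_src" else (dst, src)
    best = _best([r for r in rules if r.action != "except" and _matches(r, filtered, port, proto)])
    if best is None:
        return "permit"        # no permit/deny matched: nothing for an except rule to reverse
    decision = best.action
    if _best([r for r in rules if r.action == "except" and _matches(r, other, port, proto)]) is not None:
        decision = "permit" if decision == "deny" else "deny"
    return decision


def evaluate(config_lines, if_name, src, dst, port, proto="tcp"):
    """Judge one packet against every list applied to if_name; any deny denies it."""
    rules, applies = [], []
    for line in config_lines:
        line = line.strip()
        if line.startswith("outbound "):
            rules.append(parse_outbound(line))
        elif line.startswith("apply "):
            applies.append(parse_apply(line))
    decisions = [evaluate_list([r for r in rules if r.list_id == lid], direction, src, dst, port, proto)
                 for iface, lid, direction in applies if iface in (None, if_name)]
    return "deny" if "deny" in decisions else "permit"


# Constructed configuration modelled on the page's last except example.
SAMPLE_CONFIG = [
    "outbound 1 deny 0.0.0.0 0.0.0.0 0 tcp",
    "outbound 1 permit 10.1.1.11 255.255.255.255 0 tcp",
    "outbound 1 except 10.100.0.0 255.255.0.0 23 tcp",
    "outbound 1 except 0.0.0.0 0.0.0.0 53 udp",
    "apply (inside) 1 outgoing_src",
]
# evaluate(SAMPLE_CONFIG, "inside", "10.1.1.11", "10.100.1.1", 23) -> "deny"
```

With this configuration, a host other than 10.1.1.11 reaches 10.100.0.0/16 only on Telnet (the except reverses the deny), while 10.1.1.11 reaches everything except 10.100.0.0/16 on Telnet (the except reverses its permit), matching the page's description.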

pager
Enable or disable screen paging. (Privileged mode.)

Set with the command...
  pager [lines number]
Remove with the command...
  clear pager
  no pager

Show command options      Show command output
show pager                Displays pager status.

Syntax Description

number
    The number of lines before the ---more--- prompt appears. The minimum is 1. Use 0 to disable paging.


Usage Guidelines

The pager lines command lets you specify the number of lines in a page before the ---more--- prompt appears. The pager command enables display paging, and the no pager command disables paging and lets output display completely without interruption. If you set the pager lines command to some value and want to revert to the default, enter the pager command without options. The clear pager command resets the number of lines in a page to 24. When paging is enabled, the following prompt appears:
<--- more --->

The ---more--- prompt uses syntax similar to the UNIX more command:

- To view another screenful, press the Space bar.
- To view the next line, press the Enter key.
- To return to the command line, press the q key.

Use the pager 0 command to disable paging.

Examples

The following example shows use of the pager command:


pixfirewall# pager lines 2
pixfirewall# ping inside 10.0.0.42
10.0.0.42 NO response received -- 1010ms
10.0.0.42 NO response received -- 1000ms
<--- more --->

passwd
Set password for Telnet access to the PIX Firewall console. (Privileged mode.)

Set with the command...
  passwd password [encrypted]
Remove with the command...
  clear passwd

Show command options      Show command output
show passwd               Displays the Telnet password.

Syntax Description

encrypted
    Specifies that the password you entered is already encrypted. The password you specify with the encrypted option must be 16 characters in length.
password
    A case-sensitive password of up to 16 alphanumeric and special characters. Any character can be used in the password except a question mark and a space.

Usage Guidelines

The passwd command sets a password for Telnet access to the PIX Firewall console. An empty password is also changed into an encrypted string. However, any use of a write command displays or writes the passwords in encrypted form. Once passwords are encrypted, they are not reversible back to plain text. The clear passwd command resets the password to cisco.


Note

Write down the new password and store it in a manner consistent with your site's security policy. Once you change this password, you cannot view it again.

Examples

The following example shows use of the passwd command:


passwd watag00s1am
show passwd
passwd jMorNbK0514fadBh encrypted

Related Commands

enable

pdm
These commands support communication between the PIX Firewall and a browser running the Cisco PIX Device Manager (PDM). (Configuration mode.)
Configure with the command...
  pdm history enable
  pdm history [view {all | 12h | 5d | 60m | 10m}] [snapshot] [feature {all | blocks | cpu | failover | ids | interface if_name | memory | perfmon | xlates}] [pdmclient]
  pdm location ip_address netmask if_name
  pdm logging [level [messages]]
Remove with the command...
  clear pdm
  no pdm history enable
  no pdm history [view {all | 12h | 5d | 60m | 10m}] [snapshot] [feature {all | blocks | cpu | failover | ids | interface if_name | memory | perfmon | xlates}] [pdmclient]
  no pdm logging
Display with the command...
  show pdm sessions
Remove with the command...
  pdm disconnect session_id

Show command options
  show pdm history
  show pdm logging
  show pdm sessions

Show command output
  show pdm history: Displays the contents of the PDM history buffer.
  show pdm logging: Displays the contents of the PDM buffer within PDM.
  show pdm sessions: Displays a session_id for each active PDM session to the PIX Firewall, beginning with session number 0.

Syntax Description

12h | 5d | 60m | 10m | all    Specifies the PDM history view to display: 12 hours (12h), 5 days (5d), 60 minutes (60m), 10 minutes (10m), or all history contents in the PDM history buffer.
blocks            History for system buffers. Similar to output of the show blocks command.
clear pdm         Removes all locations, disables logging, and clears the PDM buffer. Internal PDM command.
cpu               History for CPU usage. Similar to output of the show cpu usage command.
failover          History for failover. Similar to output of the show failover command.
feature           This specifies to display history for a single feature (selected with one of the following). Otherwise, all of them are displayed.
history enable    Internal PDM command. Take a data sample and store the sample data to the PDM history buffer. The no version of this command disables PDM data sampling.
ids               History for IDS (Intrusion Detection System).
if_name           Specifies the interface name on which PDM resides.
ip_address        Specifies the host or network on which PDM resides.
level             Specifies the priority level of syslog messages displayed in the PDM syslog option.
location          Internal PDM command. Associates an interface with an IP address on which PDM resides.
logging           Internal PDM command. Specifies the type and number of syslog messages displayed through the PDM syslog option.
memory            History for memory. Similar to output of the show memory command.
messages          Specifies the number of messages stored in the PDM buffer. Once the buffer is full, old messages will be discarded.
netmask           Specifies the network mask for the pdm location ip_address.
pdm               Specifies the Cisco PIX Device Manager.
pdm disconnect    Disconnects the specified PDM session from the PIX Firewall.
pdmclient         Displays the PDM history in PDM-display format.
perfmon           History for performance. Similar to output of the show perfmon command.
session_id        PDM session ID number available from the show pdm sessions command.
snapshot          Displays only the last PDM history data point.
xlates            History for translation slot information. Similar to output of the show xlate command.

Defaults

Default PDM syslog level is 0. Default logging messages is 100 and the maximum is 512.

Usage Guidelines

The pdm disconnect command and the show pdm sessions command are accessible through the command line. The clear pdm, pdm history, pdm location, and pdm logging commands may appear in your configuration and are available through the CLI, but they are designed to work as internal PDM-to-PIX Firewall commands accessible through PDM.

The pdm disconnect command lets you disconnect a specific PDM session using a session_id obtained with the show pdm sessions command. The show pdm sessions command lists all the open PDM sessions going to a PIX Firewall.

The pdm location command can only associate one interface to an ip_address/netmask pair. Specifying an existing pair will replace the old definition.

The PDM syslog messages are stored separately from the PIX Firewall syslog accessed through the logging buffered command.

The clear pdm location command will remove all of the PDM locations. The clear pdm logging command will clear the PDM log without disabling it.

Examples

The following example shows how to report the last data point in PDM-display format:
pix(config)# pdm history enable
pix(config)# show pdm history view 10m snapshot pdmclient
INTERFACE|outside|up|IBC|0|OBC|1088|IPC|0|OPC|0|IBR|17|OBR|0|IPR|0|OPR|0|IERR|1|NB|0|RB|0|RNT|0|GNT|0|CRC|0|FRM|0|OR|0|UR|0|OERR|0|COLL|0|LCOLL|0|RST|0|DEF|0|LCR|0:PIXoutsideINTERFACE:METRIC_HISTORY|SNAP|IBR|VIEW|10|1952|METRIC_HISTORY|SNAP|OBR|VIEW|10|64|METRIC_HISTORY|SNAP|IPR|VIEW|10|17|METRIC_HISTORY|SNAP|OPR|VIEW|10|1|METRIC_HISTORY|SNAP|IERR|VIEW|10|0|METRIC_HISTORY|SNAP|OERR|VIEW|10|0|:PIXinsideINTERFACE:METRIC_HISTORY|SNAP|IBR|VIEW|10|0|METRIC_HISTORY|SNAP|OBR|VIEW|10|64|METRIC_HISTORY|SNAP|IPR|VIEW|10|0|METRIC_HISTORY|SNAP|OPR|VIEW|10|1|METRIC_HISTORY|SNAP|IERR|VIEW|10|0|METRIC_HISTORY|SNAP|OERR|VIEW|10|0|:PixSYS:METRIC_HISTORY|SNAP|MEM|VIEW|10|52662272|METRIC_HISTORY|SNAP|BLK4|VIEW|10|1600|METRIC_HISTORY|SNAP|BLK80|VIEW|10|400|METRIC_HISTORY|SNAP|BLK256|VIEW|10|998|METRIC_HISTORY|SNAP|BLK1550|VIEW|10|676|METRIC_HISTORY|SNAP|XLATES|VIEW|10|0|METRIC_HISTORY|SNAP|CONNS|VIEW|10|0|METRIC_HISTORY|SNAP|TCPCONNS|VIEW|10|0|METRIC_HISTORY|SNAP|UDPCONNS|VIEW|10|0|METRIC_HISTORY|SNAP|URLS|VIEW|10|0|METRIC_HISTORY|SNAP|WEBSNS|VIEW|10|0|METRIC_HISTORY|SNAP|TCPFIXUPS|VIEW|10|0|METRIC_HISTORY|SNAP|TCPINTERCEPTS|VIEW|10|0|METRIC_HISTORY|SNAP|HTTPFIXUPS|VIEW|10|0|METRIC_HISTORY|SNAP|FTPFIXUPS|VIEW|10|0|METRIC_HISTORY|SNAP|AAAAUTHENUPS|VIEW|10|0|METRIC_HISTORY|SNAP|AAAAUTHORUPS|VIEW|10|0|METRIC_HISTORY|SNAP|AAAACCOUNTS|VIEW|10|0|
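The pdmclient string is machine-readable: sections are separated by colons, a section name carries no pipe, and each metric section is a run of METRIC_HISTORY|SNAP|name|VIEW|window|value| records. As an added example (not PDM or PIX code), the following Python parses it into per-interface counters and per-section metrics and runs a basic status check; the sample input is constructed, abridged from the output above.

```python
"""Parser for the `show pdm history ... pdmclient` snapshot format."""
from dataclasses import dataclass, field

# Constructed sample, abridged from the outside-interface and PixSYS parts
# of the output shown in the reference.
SAMPLE = (
    "INTERFACE|outside|up|IBC|0|OBC|1088|IPC|0|OPC|0|IBR|17|OBR|0|IPR|0|OPR|0"
    "|IERR|1|NB|0|RB|0|RNT|0|GNT|0|CRC|0|FRM|0|OR|0|UR|0|OERR|0|COLL|0"
    "|LCOLL|0|RST|0|DEF|0|LCR|0"
    ":PIXoutsideINTERFACE:METRIC_HISTORY|SNAP|IBR|VIEW|10|1952"
    "|METRIC_HISTORY|SNAP|OBR|VIEW|10|64|METRIC_HISTORY|SNAP|IERR|VIEW|10|0|"
    ":PixSYS:METRIC_HISTORY|SNAP|MEM|VIEW|10|52662272"
    "|METRIC_HISTORY|SNAP|BLK1550|VIEW|10|676"
    "|METRIC_HISTORY|SNAP|XLATES|VIEW|10|0|"
)


@dataclass
class PdmSnapshot:
    interfaces: dict = field(default_factory=dict)  # name -> {"status", "counters"}
    sections: dict = field(default_factory=dict)    # section -> {metric: value}
    views: dict = field(default_factory=dict)       # section -> view window


def _parse_interface(segment, snap):
    # INTERFACE|<name>|<status>|<counter>|<value>|... (key/value pairs)
    fields = segment.split("|")
    if len(fields) < 3 or len(fields[3:]) % 2:
        raise ValueError(f"malformed INTERFACE segment: {segment!r}")
    counters = {fields[i]: int(fields[i + 1]) for i in range(3, len(fields), 2)}
    snap.interfaces[fields[1]] = {"status": fields[2], "counters": counters}


def _parse_metrics(section, segment, snap):
    # Records are six fields each; the trailing '|' yields no extra field.
    fields = segment.rstrip("|").split("|")
    if len(fields) % 6:
        raise ValueError(f"metric record count not a multiple of 6 in {section}")
    metrics = snap.sections.setdefault(section, {})
    for i in range(0, len(fields), 6):
        tag, _kind, name, view_tag, view, value = fields[i:i + 6]
        if tag != "METRIC_HISTORY" or view_tag != "VIEW":
            raise ValueError(f"unexpected record {fields[i:i + 6]!r} in {section}")
        metrics[name] = int(value)
        snap.views[section] = int(view)


def parse_pdmclient(text):
    """Split on ':' and dispatch each segment by its shape."""
    snap = PdmSnapshot()
    section = None
    for segment in text.strip().split(":"):
        if segment.startswith("INTERFACE|"):
            _parse_interface(segment, snap)
        elif "|" in segment:
            if section is None:
                raise ValueError("metric data before any section name")
            _parse_metrics(section, segment, snap)
        elif segment:
            section = segment
    return snap


def findings(snap, max_input_errors=0):
    """Operational checks a monitor would raise from one snapshot."""
    out = []
    for name, data in snap.interfaces.items():
        if data["status"] != "up":
            out.append(f"interface {name} is {data['status']}")
        ierr = data["counters"].get("IERR", 0)
        if ierr > max_input_errors:
            out.append(f"interface {name}: {ierr} input errors")
    return out
```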

The following example shows how to report the data, formatted for the PIX Firewall CLI:
pix(config)# pdm history enable
pix(config)# show pdm history view 10m snapshot
Available 4 byte Blocks: [ 10s] : 1600
Used 4 byte Blocks: [ 10s] : 0
Available 80 byte Blocks: [ 10s] : 400
Used 80 byte Blocks: [ 10s] : 0
Available 256 byte Blocks: [ 10s] : 500
Used 256 byte Blocks: [ 10s] : 0
Available 1550 byte Blocks: [ 10s] : 931
Used 1550 byte Blocks: [ 10s] : 385
Available 1552 byte Blocks: [ 10s] : 0
Used 1552 byte Blocks: [ 10s] : 0
Available 2560 byte Blocks: [ 10s] : 0
Used 2560 byte Blocks: [ 10s] : 0
Available 4096 byte Blocks: [ 10s] : 0
Used 4096 byte Blocks: [ 10s] : 0
Available 8192 byte Blocks: [ 10s] : 0
Used 8192 byte Blocks: [ 10s] : 0
Available 16384 byte Blocks: [ 10s] : 0
Used 16384 byte Blocks: [ 10s] : 0
Available 65536 byte Blocks: [ 10s] : 0
Used 65536 byte Blocks: [ 10s] : 0
CPU Utilization: [ 10s] : 0
IP Options Bad: [ 10s] : 0
Record Packet Route: [ 10s] : 0
IP Options Timestamp: [ 10s] : 0
Provide s,c,h,tcc: [ 10s] : 0
Loose Source Route: [ 10s] : 0
SATNET ID: [ 10s] : 0
Strict Source Route: [ 10s] : 0
IP Fragment Attack: [ 10s] : 0
Impossible IP Attack: [ 10s] : 0
IP Teardrop: [ 10s] : 0
ICMP Echo Reply: [ 10s] : 0
ICMP Unreachable: [ 10s] : 0
ICMP Source Quench: [ 10s] : 0
ICMP Redirect: [ 10s] : 0
ICMP Echo Request: [ 10s] : 0
ICMP Time Exceeded: [ 10s] : 0
ICMP Parameter Problem: [ 10s] : 0
ICMP Time Request: [ 10s] : 0
ICMP Time Reply: [ 10s] : 0
ICMP Info Request: [ 10s] : 0
ICMP Info Reply: [ 10s] : 0
ICMP Mask Request: [ 10s] : 0
ICMP Mask Reply: [ 10s] : 0
Fragmented ICMP: [ 10s] : 0
Large ICMP: [ 10s] : 0
Ping of Death: [ 10s] : 0
No Flags: [ 10s] : 0
SYN & FIN Only: [ 10s] : 0
FIN Only: [ 10s] : 0
FTP Improper Address: [ 10s] : 0
FTP Improper Port: [ 10s] : 0
Bomb: [ 10s] : 0
Snork: [ 10s] : 0
Chargen: [ 10s] : 0
DNS Host Info: [ 10s] : 0
DNS Zone Transfer: [ 10s] : 0
DNS Zone Transfer High Port: [ 10s] : 0
DNS All Records: [ 10s] : 0
Port Registration: [ 10s] : 0
Port Unregistration: [ 10s] : 0
RPC Dump: [ 10s] : 0
Proxied RPC: [ 10s] : 0
ypserv Portmap Request: [ 10s] : 0
ypbind Portmap Request: [ 10s] : 0
yppasswd Portmap Request: [ 10s] : 0
ypupdated Portmap Request: [ 10s] : 0
ypxfrd Portmap Request: [ 10s] : 0
mountd Portmap Request: [ 10s] : 0
rexd Portmap Request: [ 10s] : 0
rexd Attempt: [ 10s] : 0
statd Buffer Overflow: [ 10s] : 0
Input KByte Count: [ 10s] : 41804
Output KByte Count: [ 10s] : 526456
Input KPacket Count: [ 10s] : 364
Output KPacket Count: [ 10s] : 450
Input Bit Rate: [ 10s] : 0
Output Bit Rate: [ 10s] : 0
Input Packet Rate: [ 10s] : 0
Output Packet Rate: [ 10s] : 0
Input Error Packet Count: [ 10s] : 0
No Buffer: [ 10s] : 0
Received Broadcasts: [ 10s] : 90076
Runts: [ 10s] : 0
Giants: [ 10s] : 0
CRC: [ 10s] : 0
Frames: [ 10s] : 0
Overruns: [ 10s] : 0
Underruns: [ 10s] : 0
Output Error Packet Count: [ 10s] : 0
Collisions: [ 10s] : 8895
LCOLL: [ 10s] : 0
Reset: [ 10s] : 0
Deferred: [ 10s] : 3138
Lost Carrier: [ 10s] : 0
Hardware Input Queue: [ 10s] : 128
Software Input Queue: [ 10s] : 0
Hardware Output Queue: [ 10s] : 0
Software Output Queue: [ 10s] : 0
Input KByte Count: [ 10s] : 61835
Output KByte Count: [ 10s] : 26722
Input KPacket Count: [ 10s] : 442
Output KPacket Count: [ 10s] : 418
Input Bit Rate: [ 10s] : 0
Output Bit Rate: [ 10s] : 0
Input Packet Rate: [ 10s] : 0
Output Packet Rate: [ 10s] : 0
Input Error Packet Count: [ 10s] : 0
No Buffer: [ 10s] : 0
Received Broadcasts: [ 10s] : 308607
Runts: [ 10s] : 0
Giants: [ 10s] : 0
CRC: [ 10s] : 0
Frames: [ 10s] : 0
Overruns: [ 10s] : 0
Underruns: [ 10s] : 0
Output Error Packet Count: [ 10s] : 0
Collisions: [ 10s] : 0
LCOLL: [ 10s] : 0
Reset: [ 10s] : 0
Deferred: [ 10s] : 2
Lost Carrier: [ 10s] : 707
Hardware Input Queue: [ 10s] : 128
Software Input Queue: [ 10s] : 0
Hardware Output Queue: [ 10s] : 0
Software Output Queue: [ 10s] : 0
Available Memory: [ 10s] : 45293568
Used Memory: [ 10s] : 21815296
Xlate Count: [ 10s] : 0
Connection Count: [ 10s] : 0
TCP Connection Count: [ 10s] : 0
UDP Connection Count: [ 10s] : 0
URL Filtering Count: [ 10s] : 0
URL Server Filtering Count: [ 10s] : 0
TCP Fixup Count: [ 10s] : 0
TCP Intercept Count: [ 10s] : 0
HTTP Fixup Count: [ 10s] : 0
FTP Fixup Count: [ 10s] : 0
AAA Authentication Count: [ 10s] : 0
AAA Authorzation Count: [ 10s] : 0
AAA Accounting Count: [ 10s] : 0
Current Xlates: [ 10s] : 0
Max Xlates: [ 10s] : 0
ISAKMP SAs: [ 10s] : 0
IPSec SAs: [ 10s] : 0
L2TP Sessions: [ 10s] : 0
L2TP Tunnels: [ 10s] : 0
PPTP Sessions: [ 10s] : 0
PPTP Tunnels: [ 10s] : 0

Related Commands

copy http setup


perfmon
View performance information. (Privileged mode.)
Display with the command...
  perfmon verbose
  perfmon interval seconds
  perfmon settings
Remove with the command...
  perfmon quiet
  N/A

Show command options show perfmon

Show command output Displays PIX Firewall performance information. (However, this command output does not display in a Telnet console session.)

Syntax Description

interval seconds    Specify the number of seconds the performance display is refreshed on the console. The default is 120 seconds.
quiet               Disable performance monitor displays.
settings            Displays the interval and whether it is quiet or verbose.
verbose             Enable displaying performance monitor information at the PIX Firewall console.

Usage Guidelines

The perfmon command lets you monitor the PIX Firewall unit's performance. Use the show perfmon command to view the information immediately. Use the perfmon verbose command to display the information every two minutes continuously. Use the perfmon interval seconds command with the perfmon verbose command to display the information continuously every number of seconds you specify. Use the perfmon quiet command to disable the display. An example of the performance information follows:

PERFMON STATS:    Current    Average
Xlates               33/s       20/s
Connections         110/s       10/s
TCP Conns            50/s       42/s
WebSns Req            4/s        2/s
TCP Fixup            20/s       15/s
HTTP Fixup            5/s        5/s
FTP Fixup             7/s        4/s
AAA Authen           10/s        5/s
AAA Author            9/s        5/s
AAA Account           3/s        3/s

This information lists the number of translations, connections, Websense requests, address translations (called fixups), and AAA transactions that occur each second.

Examples

The following commands display the performance monitor statistics every 30 seconds on the PIX Firewall console:
perfmon interval 30
perfmon verbose

ping
Determine if other IP addresses are visible from the PIX Firewall. (Privileged mode.)
Test with the command...
  ping [if_name] ip_address
Remove with the command...
  N/A

Syntax Description

if_name       The internal or external network interface name. The address of the specified interface is used as the source address of the ping.
ip_address    The IP address of a host on the inside or outside networks.

Usage Guidelines

The ping command determines if the PIX Firewall has connectivity or if a host is available on the network. The command output shows if the response was received; that is, that a host is participating on the network. If a host is not responding, ping displays NO response received. Use the show interface command to ensure that the PIX Firewall is connected to the network and is passing traffic.

If you want internal hosts to be able to ping external hosts, you must create an ICMP access-list command statement for echo reply; for example, to give ping access to all hosts, use the access-list acl_grp permit icmp any any command and bind the access-list command statement to the interface you want to test using an access-group command statement.

If you are pinging through the PIX Firewall between hosts or routers, but the pings are not successful, use the debug icmp trace command to monitor the success of the ping. If pings are both inbound and outbound, they are successful.

The PIX Firewall ping command no longer requires an interface name. If an interface name is not specified, the PIX Firewall checks the routing table to find the address you specify. You can specify an interface name to indicate through which interface the ICMP echo requests are sent. An example of the usage follows:
ping 10.0.0.1
10.0.0.1 response received -- 10ms
10.0.0.1 response received -- 10ms
10.0.0.1 response received -- 0ms

Or you can still enter the command specifying the interface:

ping outside 10.0.0.1
10.0.0.1 response received -- 10ms
10.0.0.1 response received -- 10ms
10.0.0.1 response received -- 0ms


Examples

In the following example, the ping command makes three attempts to reach an IP address:
ping 192.168.42.54
192.168.42.54 response received -- 0Ms
192.168.42.54 response received -- 0Ms
192.168.42.54 response received -- 0Ms

privilege
Configures or displays command privilege levels. (Configuration mode.)
Set with the command...
  privilege [show | clear | configure] level level [mode enable | configure] command command
Remove with the command...
  no privilege [show | clear | configure] level level [mode enable | configure] command command

Show command options
  show curpriv
  show privilege [all | command command | level level]

Show command output
  show curpriv: Displays the current privileges for a user.
  show privilege: Displays the privileges for a command or set of commands.

Syntax Description

clear              Sets the privilege level for the clear command corresponding to the command specified.
command            The command to allow. (Use the no command form to disallow.)
command            The command on which to set the privilege level.
configure          Sets the privilege level for the configure command corresponding to the command specified.
configure          For commands with both enable and configure modes, this indicates that the level is for the configure mode of the command.
curpriv            Displays the current privilege level.
detail             Displays privilege debugging information.
enable             For commands with both enable and configure modes, this indicates that the level is for the enable mode of the command.
level              The privilege level, from 0 to 15. (Lower numbers are lower privilege levels.)
level              Specifies the privilege level.
show               Sets the privilege level for the show command corresponding to the command specified.

Usage Guidelines

The privilege command sets user-defined privilege levels for PIX Firewall commands. This is especially useful for setting different privilege levels for related configuration, show, and clear commands. However, be sure to verify privilege level changes in your commands with your security policies before implementing the new privilege levels.


When commands have privilege levels set, and users have privilege levels set, then the two are compared to determine if a given user can execute a given command. If the user's privilege level is lower than the privilege level of the command, the user is prevented from executing the command. This is modeled after Cisco IOS software. To change between privilege levels, use the login command to access another privilege level and the appropriate logout, exit, or quit command to exit that level.

Note

Your aaa authentication and aaa authorization commands need to include any new privilege levels you define before you can use them in your AAA server configuration.

Examples

You can set the privilege level 5 for an individual user as follows:
username intern1 password pass1 privilege 5

You can also define a set of show commands with the privilege level 5 as follows:
privilege show level 5 command alias
privilege show level 5 command apply
privilege show level 5 command arp
privilege show level 5 command auth-prompt
privilege show level 5 command blocks

The following examples show output from the show curpriv command when a user named enable_15 is at different privilege levels. Username indicates the name the user entered when he or she logged in, P_PRIV indicates that the user has entered the enable command, and P_CONF indicates the user has entered the config terminal command.
pixfirewall(config)# show curpriv
Username : enable_15
Current privilege level : 15
Current Mode/s : P_PRIV P_CONF
pixfirewall(config)# exit
pixfirewall# show curpriv
Username : enable_15
Current privilege level : 15
Current Mode/s : P_PRIV
pixfirewall# exit
pixfirewall> show curpriv
Username : enable_1
Current privilege level : 1
Current Mode/s : P_UNPR
pixfirewall>

The following is an example of applying a privilege level of 11 to a complete AAA authorization configuration:
privilege configure level 11 command aaa
privilege configure level 11 command aaa-server
privilege configure level 11 command access-group
privilege configure level 11 command access-list
privilege configure level 11 command activation-key
privilege configure level 11 command age
privilege configure level 11 command alias
privilege configure level 11 command apply
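As an added illustration (not PIX code), the following Python models the comparison described in the usage guidelines: a user may run a command only when the user's level is at least the level set for that show, clear or configure form. It loads the privilege and username lines from the examples above; it assumes that a command with no privilege entry requires level 15, and the user admin1 in the test is a constructed name.

```python
"""Model of PIX command privilege-level enforcement (added illustration)."""
import re

PRIV_RE = re.compile(
    r"^privilege\s+(show|clear|configure)\s+level\s+(\d+)"
    r"(?:\s+mode\s+(enable|configure))?\s+command\s+(\S+)$")
USER_RE = re.compile(r"^username\s+(\S+)\s+password\s+\S+\s+privilege\s+(\d+)$")

# Lines taken from the examples in this section of the reference.
CONFIG = """
username intern1 password pass1 privilege 5
privilege show level 5 command alias
privilege show level 5 command apply
privilege show level 5 command arp
privilege show level 5 command auth-prompt
privilege show level 5 command blocks
privilege configure level 11 command aaa
privilege configure level 11 command access-list
"""


class PrivilegeTable:
    def __init__(self, default_level=15):
        # Assumption: a command with no privilege entry requires level 15.
        self.default_level = default_level
        self.commands = {}  # (kind, command) -> {mode or None: level}
        self.users = {}     # username -> privilege level

    def load(self, config):
        """Read privilege and username lines; other lines are ignored."""
        for raw in config.splitlines():
            line = raw.strip()
            m = PRIV_RE.match(line)
            if m:
                kind, level, mode, command = m.groups()
                level = int(level)
                if not 0 <= level <= 15:
                    raise ValueError(f"privilege level out of range: {line}")
                self.commands.setdefault((kind, command), {})[mode] = level
                continue
            m = USER_RE.match(line)
            if m:
                self.users[m.group(1)] = int(m.group(2))
        return self

    def command_level(self, kind, command, mode=None):
        """Level for a mode-specific entry, else the plain entry, else default."""
        levels = self.commands.get((kind, command), {})
        if mode in levels:
            return levels[mode]
        return levels.get(None, self.default_level)

    def can_run(self, user, kind, command, mode=None):
        """The user is prevented only when below the command's level."""
        if user not in self.users:
            raise KeyError(f"unknown user {user}")
        return self.users[user] >= self.command_level(kind, command, mode)
```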


Related Commands

aaa authentication login object-group username

quit
Exit configuration or privileged mode. (All modes.)
Exit with the command...
  quit
Access with the command...
  login

Syntax Description

quit

Exits the current privilege level or mode.

Usage Guidelines

Use the quit command to exit configuration or privileged mode.

Examples

The following example shows use of the quit command:


pixfirewall(config)# quit
pixfirewall# quit
pixfirewall>

reload
Reboot and reload the configuration. (Privileged mode.)
Reset with the command...
  reload
  reload noconfirm
Remove with the command...
  N/A

Syntax Description

noconfirm    Permits the PIX Firewall to reload without user confirmation.
reload       Reboot and reload configuration.

Usage Guidelines

The reload command reboots the PIX Firewall and reloads the configuration from a bootable floppy disk or, if a diskette is not present, from Flash memory. The PIX Firewall does not accept abbreviations to the keyword noconfirm. You are prompted for confirmation before starting with the prompt "Proceed with reload?". Any response other than n causes the reboot to occur.


Note

Configuration changes not written to Flash memory are lost after reload. Before rebooting, store the current configuration in Flash memory with the write memory command.

Examples

The following example shows use of the reload command:


reload
Proceed with reload? [confirm] y
Rebooting...
PIX Bios V2.7
...

rip
Change RIP settings. (Configuration mode.)
Configure with the command...
  rip if_name default | passive [version [1 | 2]] [authentication [text | md5 key (key_id)]]
  debug rip [if_name]
Remove with the command...
  no rip if_name default | passive [version [1 | 2]] [authentication [text | md5 key (key_id)]]
  clear rip
  N/A (for debug rip)

Show command options show rip [if_name]

Show command output Displays the current RIP settings.

Syntax Description

authentication    Enable RIP version 2 authentication.
default           Broadcast a default route on the interface.
if_name           The internal or external network interface name.
key               Key to encrypt RIP updates. This value must be the same on the routers and any other device that provides RIP version 2 updates. The key is a text string of up to 16 characters in length.
key_id            Key identification value. The key_id can be a number from 1 to 255. Use the same key_id that is in use on the routers and any other device that provides RIP version 2 updates.
md5               Send RIP updates using MD5 encryption.
passive           Enable passive RIP on the interface. The PIX Firewall listens for RIP routing broadcasts and uses that information to populate its routing tables.
text              Send RIP updates as clear text (not recommended).
version           RIP version. Use version 2 for RIP update encryption. Use version 1 to provide backward compatibility with the older version.


Usage Guidelines

The rip command enables IP routing table updates from received Routing Information Protocol (RIP) broadcasts. Use the no rip command to disable the PIX Firewall IP routing table updates. The default is to enable IP routing table updates. If you specify RIP version 2, you can encrypt RIP updates using MD5 encryption. The clear rip command removes all the rip commands from the configuration. Ensure that the key and key_id values are the same as in use on any other device in your network that makes RIP version 2 updates. The PIX Firewall cannot pass RIP updates between interfaces. When RIP version 2 is configured in passive mode with PIX Firewall software version 5.3 and higher, the PIX Firewall accepts RIP version 2 multicast updates with an IP destination of 224.0.0.9. For RIP version 2 default mode, the PIX Firewall will transmit default route updates using an IP destination of 224.0.0.9. Configuring RIP version 2 registers the multicast address 224.0.0.9 on the respective interface to be able to accept multicast RIP version 2 updates. Only Intel 10/100 and Gigabit interfaces support multicasting. When the RIP version 2 commands for an interface are removed, the multicast address is unregistered from the interface card.

Examples

The following is sample output from the version 1 show rip and rip inside default commands:
show rip
rip outside passive
no rip outside default
rip inside passive
no rip inside default
rip inside default
show rip
rip outside passive
no rip outside default
rip inside passive
rip inside default

The next example combines version 1 and version 2 commands and shows the information listed by the show rip command after entering the RIP commands that do the following:

- Enable version 2 passive RIP using MD5 authentication on the outside interface to encrypt the key used by the PIX Firewall and other RIP peers, such as routers.
- Enable version 1 passive RIP listening on the inside interface of the PIX Firewall.
- Enable version 2 passive RIP listening on the dmz interface of the PIX Firewall.

rip outside passive version 2 authentication md5 thisisakey 2
rip outside default version 2 authentication md5 thisisakey 2
rip inside passive
rip dmz passive version 2
show rip
rip outside passive version 2 authentication md5 thisisakey 2
rip outside default version 2 authentication md5 thisisakey 2
rip inside passive version 1
rip dmz passive version 2


The next example shows how use of the clear rip command clears all the previous rip commands from the current configuration:
clear rip
show rip

The following example shows use of the version 2 feature that passes the encryption key in text form:
rip out default version 2 authentication text thisisakey 3
show rip
rip outside default version 2 authentication text thisisakey 3

route
Enter a static or default route for the specified interface. (Configuration mode.)
Configure with the command...
  route if_name ip_address netmask gateway_ip [metric]
Remove with the command...
  clear route [if_name ip_address [netmask gateway_ip]]
  no route [if_name ip_address [netmask gateway_ip]]

Show command options
  show route

Show command output
  Displays the routes in the configuration.

Syntax Description

gateway_ip    Specify the IP address of the gateway router (the next hop address for this route).
if_name       The internal or external network interface name.
ip_address    The internal or external network IP address. Use 0.0.0.0 to specify a default route. The 0.0.0.0 IP address can be abbreviated as 0.
metric        Specify the number of hops to gateway_ip. If you are not sure, enter 1. Your network administrator can supply this information or you can use a traceroute command to obtain the number of hops. The default is 1 if a metric is not specified.
netmask       Specify a network mask to apply to ip_address. Use 0.0.0.0 to specify a default route. The 0.0.0.0 netmask can be abbreviated as 0.

Usage Guidelines

Use the route command to enter a default or static route for an interface. To enter a default route, set ip_address and netmask to 0.0.0.0, or the shortened form of 0. All routes entered using the route command are stored in the configuration when it is saved. The clear route command removes route command statements from the configuration that do not contain the CONNECT keyword.

Create static routes to access networks connected outside a router on any interface. The effect of a static route is like stating "to send a packet to the specified network, give it to this router." For example, PIX Firewall sends all packets destined to the 192.168.42.0 network through the 192.168.1.5 router with this static route command statement:
route dmz 192.168.42.0 255.255.255.0 192.168.1.5 1


The routing table automatically specifies the IP address of a PIX Firewall interface in the route command. Once you enter the IP address for each interface, PIX Firewall creates a route statement entry that is not deleted when you use the clear route command. If the route command statement uses the IP address from one of the PIX Firewall unit's interfaces as the gateway IP address, PIX Firewall will ARP for the destination IP address in the packet instead of ARPing for the gateway IP address. The following steps show how PIX Firewall handles routing:

Step 1  PIX Firewall receives a packet from the inside interface destined to IP address X.
Step 2  Because a default route is set to itself, PIX Firewall sends out an ARP for address X.
Step 3  Any Cisco router on the outside interface LAN which has a route to address X (Cisco IOS software has proxy ARP enabled by default) replies back to the PIX Firewall with its own MAC address as the next hop.
Step 4  PIX Firewall sends the packet to the router (just like a default gateway).
Step 5  PIX Firewall adds the entry to its ARP cache for IP address X with the MAC address being that of the router.

The CONNECT route entry is supported. (This identifier appears when you use the show route command.) The CONNECT identifier is assigned to an interface's local network and the interface IP address, which is in the IP local subnet. PIX Firewall will ARP for the destination address. The CONNECT identifier cannot be removed, but changes when you change the IP address on the interface. If you enter duplicate routes with different metrics for the same gateway, PIX Firewall updates the metric for that route. For example, if the following command statement is in the configuration:
route inside 10.0.0.0 255.0.0.0 10.0.0.2 2 OTHER

If you enter the following statement:


route inside 10.0.0.0 255.0.0.0 10.0.0.2 3

PIX Firewall converts the command statement to the following:


route inside 10.0.0.0 255.0.0.0 10.0.0.2 3 OTHER

Examples

Specify one default route command statement for the outside interface, which in this example is for the router on the outside interface that has an IP address of 209.165.201.1:
route outside 0 0 209.165.201.1 1

For static routes, if two networks, 10.1.2.0 and 10.1.3.0 connect via a hub to the dmz1 interface router at 10.1.1.4, add these static route command statements to provide access to the networks:
route dmz1 10.1.2.0 255.0.0.0 10.1.1.4 1
route dmz1 10.1.3.0 255.0.0.0 10.1.1.4 1
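The route behaviours described in this section (0 as shorthand for 0.0.0.0, a CONNECT entry per interface that clear route leaves in place, and a duplicate route for the same gateway only updating the metric) are modelled below as an added example in Python; this is an illustration, not PIX code. Longest-prefix lookup with the lowest metric breaking ties is assumed as the standard behaviour, since the reference only says the routing table is consulted; the interface addresses used are constructed.

```python
"""Model of the PIX route table semantics described in the reference
(added illustration, not PIX code)."""
import ipaddress


def _expand(addr):
    # The PIX accepts 0 as an abbreviation of 0.0.0.0 for address and mask.
    return "0.0.0.0" if addr == "0" else addr


class PixRouteTable:
    def __init__(self):
        self.routes = []  # each: dict(if_name, network, gateway, metric, tag)

    def add_interface(self, if_name, ip_address, netmask):
        """Assigning an interface address creates its CONNECT entry; changing
        the address replaces it (clear route never removes it)."""
        net = ipaddress.ip_network(f"{ip_address}/{netmask}", strict=False)
        self.routes = [r for r in self.routes
                       if not (r["tag"] == "CONNECT" and r["if_name"] == if_name)]
        self.routes.append({"if_name": if_name, "network": net,
                            "gateway": ipaddress.ip_address(ip_address),
                            "metric": 1, "tag": "CONNECT"})

    def route(self, if_name, ip_address, netmask, gateway_ip, metric=1):
        """route if_name ip_address netmask gateway_ip [metric]"""
        net = ipaddress.ip_network(
            f"{_expand(ip_address)}/{_expand(netmask)}", strict=False)
        gw = ipaddress.ip_address(gateway_ip)
        for r in self.routes:
            if (r["tag"] == "OTHER" and r["if_name"] == if_name
                    and r["network"] == net and r["gateway"] == gw):
                r["metric"] = metric  # duplicate route: only the metric changes
                return r
        r = {"if_name": if_name, "network": net, "gateway": gw,
             "metric": metric, "tag": "OTHER"}
        self.routes.append(r)
        return r

    def clear_route(self):
        """clear route removes every entry except the CONNECT ones."""
        self.routes = [r for r in self.routes if r["tag"] == "CONNECT"]

    def show_route(self):
        """Lines in the shape show route prints them."""
        return [f"{r['if_name']} {r['network'].network_address} "
                f"{r['network'].netmask} {r['gateway']} {r['metric']} {r['tag']}"
                for r in self.routes]

    def lookup(self, destination):
        """Longest-prefix match; lowest metric wins a tie (assumed)."""
        dst = ipaddress.ip_address(destination)
        candidates = [r for r in self.routes if dst in r["network"]]
        if not candidates:
            return None
        return max(candidates,
                   key=lambda r: (r["network"].prefixlen, -r["metric"]))


if __name__ == "__main__":
    t = PixRouteTable()
    t.add_interface("inside", "10.0.0.1", "255.0.0.0")  # constructed address
    t.route("outside", "0", "0", "209.165.201.1", 1)
    t.route("dmz", "192.168.42.0", "255.255.255.0", "192.168.1.5", 1)
    for line in t.show_route():
        print(line)
```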


CHAPTER 8

S Commands
service
Reset inbound connections. (Configuration mode.)
Configure with the command...
  service resetinbound
  service resetoutside
Remove with the command...
  no service resetinbound
  clear service

Show command options show service

Show command output Displays service commands in the configuration.

Syntax Description

resetinbound    Reset inbound connections.
resetoutside    Reset connections on the outside interface.

Usage Guidelines

The service command works with all inbound TCP connections to statics whose access lists or uauth (user authorization) do not allow inbound. One use is for resetting IDENT connections. If an inbound TCP connection is attempted and denied, you can use the service resetinbound command to return an RST (reset flag in the TCP header) to the source. Without the option, the PIX Firewall drops the packet without returning an RST.

For use with IDENT, the PIX Firewall sends a TCP RST to the host connecting inbound and stops the incoming IDENT process so that outbound email can be transmitted without having to wait for IDENT to time out. In this case, the PIX Firewall sends a syslog message stating that the incoming connection was a denied connection. Without service resetinbound, the PIX Firewall drops packets that are denied and generates a syslog message stating that the SYN was a denied connection. However, outside hosts keep retransmitting the SYN until the IDENT times out.

When an IDENT connection is timing out, you will notice that connections slow down. Perform a trace to determine that IDENT is causing the delay and then invoke the service command. The service resetinbound command provides a safer way to handle an IDENT connection through the PIX Firewall. Ranked in order of security from most secure to less secure are these methods for handling IDENT connections:

1. Use the service resetinbound command.
2. Use the established command with the permitto tcp 113 options.
3. Enter static and access-list command statements to open TCP port 113.

When using the aaa command, if the first attempt at authorization fails and a second attempt causes a timeout, use the service resetinbound command to reset the client that failed the authorization so that it will not retransmit any connections. An example authorization timeout message in Telnet follows:
Unable to connect to remote host: Connection timed out

Examples

The following example shows use of the service resetinbound command:


service resetinbound show service service resetinbound

If you use the service resetoutside command, the PIX Firewall actively resets denied TCP packets that terminate at the PIX Firewall unit's least-secure interface. By default, these packets are silently discarded. The resetoutside option is highly recommended with dynamic or static interface Port Address Translation (PAT). Static interface PAT is available with PIX Firewall version 6.0 and higher. This option allows the PIX Firewall to quickly terminate the identity request (IDENT) from an external SMTP or FTP server. Actively resetting these connections avoids the thirty-second time-out delay. If you wish to remove service command statements from the configuration, use the clear service command.
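The Usage Guidelines say to perform a trace to confirm that IDENT is causing the delay before enabling service resetinbound. The following added example (not from the Cisco reference) does that check from the firewall's own syslog instead: it groups denied inbound SYNs to TCP/113 by source and counts retransmissions from the same source port. It assumes the "Inbound TCP connection denied" message shape shown (message ID 106001); the hosts, ports and timestamps are constructed.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (hosts, ports and times are made up). The
# line shape follows the PIX "Inbound TCP connection denied" message 106001,
# which the Usage Guidelines say the PIX Firewall generates for each denied SYN.
SAMPLE_SYSLOG = """\
Sep 12 22:47:01 pix %PIX-2-106001: Inbound TCP connection denied from 198.51.100.7/40311 to 203.0.113.5/113 flags SYN on interface outside
Sep 12 22:47:04 pix %PIX-2-106001: Inbound TCP connection denied from 198.51.100.7/40311 to 203.0.113.5/113 flags SYN on interface outside
Sep 12 22:47:10 pix %PIX-2-106001: Inbound TCP connection denied from 198.51.100.7/40311 to 203.0.113.5/113 flags SYN on interface outside
Sep 12 22:47:22 pix %PIX-2-106001: Inbound TCP connection denied from 198.51.100.7/40311 to 203.0.113.5/113 flags SYN on interface outside
Sep 12 22:47:30 pix %PIX-2-106001: Inbound TCP connection denied from 198.51.100.9/51020 to 203.0.113.5/80 flags SYN on interface outside
Sep 12 22:47:31 pix %PIX-2-106001: Inbound TCP connection denied from 198.51.100.12/3322 to 203.0.113.5/113 flags SYN on interface outside
Sep 12 22:47:33 pix %PIX-6-302001: Built outbound TCP connection 12 for faddr 198.51.100.7/25 gaddr 203.0.113.5/1029 laddr 10.1.1.15/1029
"""

IDENT_PORT = 113

TIME_RE = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2}\s+(\d\d):(\d\d):(\d\d)")
DENIED_RE = re.compile(
    r"%PIX-\d-106001: Inbound TCP connection denied from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags SYN"
)


def _seconds_of_day(line):
    m = TIME_RE.match(line)
    if not m:
        return None
    h, mi, s = (int(x) for x in m.groups())
    return h * 3600 + mi * 60 + s


def denied_syns(log_text):
    """Yield (seconds_of_day, src, sport, dst, dport) for each denied-SYN line."""
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if not m:
            continue  # other messages (built/teardown, etc.) are skipped
        yield (_seconds_of_day(line), m["src"], int(m["sport"]),
               m["dst"], int(m["dport"]))


def ident_retransmitters(log_text, min_attempts=3):
    """Group denied SYNs to TCP/113 by (src, sport, dst).

    Returns {(src, sport, dst): (attempts, span_seconds)} for flows whose SYN
    was denied at least min_attempts times. A repeating source port is the
    signature of one outside host retransmitting the same SYN, which is what
    happens while the PIX silently drops instead of answering with an RST;
    a long span means the sender kept trying until its own IDENT timeout.
    """
    seen = defaultdict(list)
    for ts, src, sport, dst, dport in denied_syns(log_text):
        if dport == IDENT_PORT:
            seen[(src, sport, dst)].append(ts)
    result = {}
    for key, stamps in seen.items():
        if len(stamps) >= min_attempts:
            known = [t for t in stamps if t is not None]
            span = (max(known) - min(known)) if known else 0
            result[key] = (len(stamps), span)
    return result


def denied_by_port(log_text):
    """Count denied SYNs per destination port, to see whether 113 dominates."""
    counts = defaultdict(int)
    for _, _, _, _, dport in denied_syns(log_text):
        counts[dport] += 1
    return dict(counts)


if __name__ == "__main__":
    for (src, sport, dst), (n, span) in ident_retransmitters(SAMPLE_SYSLOG).items():
        print(f"{src}:{sport} -> {dst}:113 denied {n} times over {span}s; "
              "candidate for service resetinbound")
    print(denied_by_port(SAMPLE_SYSLOG))
```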

setup
The setup command prompts you to enter the information needed to use the Cisco PIX Device Manager (PDM) with a new PIX Firewall. (Configuration Mode.)
Start configuration with the command... setup
Remove with the command... N/A

Syntax Description

setup

Asks for the information needed to start using a new PIX Firewall unit if no configuration is found in the Flash memory.

Usage Guidelines

The PIX Firewall requires some pre-configuration before PDM can connect to it. The setup dialog automatically appears at boot time if there is no configuration in the Flash memory. Once you enter the setup command, you will be asked for the setup information in Table 8-1.

Table 8-1 PIX Firewall Setup Information

Prompt
    Description

Enable password:
    Specify an enable password for this PIX Firewall. (The password must be at least three characters long.)

Clock (UTC)
    Set the PIX Firewall clock to Universal Coordinated Time (also known as Greenwich Mean Time).

Year [system year]:
    Specify current year, or default to the year stored in the host computer.

Month [system month]:
    Specify current month, or default to the month stored in the host computer.

Day [system day]:
    Specify current day, or default to the day stored in the host computer.

Time [system time]
    Specify current time in hh:mm:ss format, or default to the time stored in the host computer.

Inside IP address:
    Network interface IP address of the PIX Firewall.

Inside network mask:
    A network mask that applies to the inside IP address must be a valid mask such as 255.0.0.0, 255.255.0.0, or 255.255.x.x, etc. Use 0.0.0.0 to specify a default route. The 0.0.0.0 netmask can be abbreviated as 0.

Host name:
    The host name you want to display in the PIX Firewall command line prompt.

Domain name:
    The DNS domain name of the network on which the PIX Firewall runs, for example example.com.

IP address of host running PIX Device Manager:
    IP address on which PDM connects to the PIX Firewall.

Use this configuration and write to flash?
    Store the new configuration to Flash memory. Same as the write memory command. If the answer is yes, the inside interface will be enabled and the requested configuration will be written to Flash memory. If the user answers anything else, the setup dialog repeats using the values already entered as the defaults for the questions.

The host and domain names are used to generate the default certificate for the SSL connection. The interface type is determined by the hardware.

Examples

The following example shows how to complete the setup command prompts.
router (config)# setup
Pre-configure PIX Firewall now through interactive prompts [yes]? y
Enable Password [<use current password>]: ciscopix
Clock (UTC)
Year [2001]: 2001
Month [Aug]: Sep
Day [27]: 12
Time [22:47:37]: <Enter>
Inside IP address: 192.168.1.1
Inside network mask: 255.255.255.0
Host name: accounting_pix
Domain name: example.com
IP address of host running PIX Device Manager: 192.168.1.2

The following configuration will be used:
Enable Password: ciscopix
Clock (UTC): 22:47:37 Sep 12 2001
Inside IP address: ...192.168.1.1
Inside network mask: ...255.255.255.0
Host name: ...accounting_pix
Domain name: ...example.com
IP address of host running PIX Device Manager: ...192.168.1.2

Use this configuration and write to flash? y


Related Commands

aaa authentication ca copy http

session
Access an embedded AccessPro router console; only use this command if you have an AccessPro router installed in your PIX Firewall. (Privileged mode.)
Start with the command... session enable
End with the command... no session

Show command options
show session

Show command output
Displays sessions.

Note

The PIX 506/506E and PIX 515/515E do not support use of the session command.

Syntax Description

enable

Enable the session command for communications with the AccessPro router.

Usage Guidelines

The session command lets you specify Cisco IOS software commands on an AccessPro router console when the router is installed in your PIX Firewall. Use COM port 4 on the AccessPro router to communicate with the PIX Firewall. Exit the router console session by entering tilde-dot (~.). Press the tilde key and when you hear a bell sound from your terminal, press the dot key. While a router console session is occurring, the PIX Firewall disables failover because they both require the same interrupts.


Examples

The following example enables an AccessPro session, starts the session, and then disables it:
session enable
Session has been enabled.
session
Warning: FAILOVER has been disabled!!!
Attempting session with embedded router, use ~. to quit!
acpro> ~.
no session
Session has been disabled
session
Session is not enabled

show
View command information. (All modes.)
Show command options
show command
show ?
Show command output
show command: Runs the show command option specified. See individual commands for their show options.
show ?: Displays a list of all commands available on the PIX Firewall.

Syntax Description

command

Any argument or list of arguments that specifies the information to display. Most commands have a show command form where the command name is used as show argument. For example, the global command has an associated show global command.

Usage Guidelines

Explanations for the show form of specific commands are with the command. For example, the show arp command description is included with the arp command.

Examples

The following is sample output from the show ? command:

pixfirewall(config)# show ?
aaa               Enable, disable, or view TACACS+, RADIUS or LOCAL user authentication, authorization and accounting
aaa-server        Define AAA Server group
access-group      Bind an access-list to an interface to filter inbound traffic
access-list       Add an access list
activation-key    Modify activation-key.
age               This command is deprecated. See ipsec, isakmp, map, ca commands
alias             Administer overlapping addresses with dual NAT.
apply             Apply outbound lists to source or destination IP addresses
arp               Change or view the arp table, and set the arp timeout value
auth-prompt       Customize authentication challenge, reject or acceptance prompt
blocks            Show system buffer utilization
ca                CEP (Certificate Enrollment Protocol)
                  Create and enroll RSA key pairs into a PKI (Public Key Infrastr.
capture           Capture inbound and outbound packets on one or more interfaces
checksum          View configuration information cryptochecksum
chunkstat         Display chunk stats
clock             Show and set the date and time of PIX
conduit           Add conduit access to higher security level network or ICMP
configure         Configure from terminal, floppy, memory, network, or factory-default.
                  The configuration will be merged with the active configuration except
                  for factory-default in which case the active configuration is cleared first.
conn              Display connection information
cpu               Display cpu usage
crypto            Configure IPsec, IKE, and CA
curpriv           Display current privilege level
debug             Debug packets or ICMP tracings through the PIX Firewall.
dhcpd             Configure DHCP Server
domain-name       Change domain name
dynamic-map       Specify a dynamic crypto map template
eeprom            show or reprogram the 525 onboard i82559 devices
enable            Configure enable passwords
established       Allow inbound connections based on established connections
failover          Enable/disable PIX failover feature to a standby PIX
filter            Enable, disable, or view URL, Java, and ActiveX filtering
fixup             Add or delete PIX service and feature defaults
flashfs           Show, destroy, or preserve filesystem information
fragment          Configure the IP fragment database
global            Specify, delete or view global address pools, or designate a PAT(Port Address Translated) address
h225              Show the current h225 data stored for each connection.
h245              List the h245 connections.
h323-ras          Show the current h323 ras data stored for each connection.
history           Display the session command history
http              Configure HTTP server
icmp              Configure access for ICMP traffic that terminates at an interfae
interface         Identify network interface type, speed duplex, and if shutdown
igmp              Clear or display IGMP groups
ip                Set the ip address and mask for an interface
                  Define a local address pool
                  Configure Unicast RPF on an interface
                  Configure the Intrusion Detection System
ipsec             Configure IPSEC policy
isakmp            Configure ISAKMP policy
local-host        Display or clear the local host network information
logging           Enable logging facility
map               Configure IPsec crypto map
memory            System memory utilization
mroute            Configure a multicast route
mtu               Specify MTU(Maximum Transmission Unit) for an interface
multicast         Configure multicast on an interface
name              Associate a name with an IP address
nameif            Assign a name to an interface
names             Enable, disable or display IP address to name conversion
nat               Associate a network with a pool of global IP addresses
object-group      Create an object group for use in 'access-list', 'conduit', etc
ntp               Configure Network Time Protocol
outbound          Create an outbound access list
pager             Control page length for pagination
passwd            Change Telnet console access password
pdm               Configure Pix Device Manager
privilege         Configure/Display privilege levels for commands
processes         Display processes
remote-management Configure remote management support
rip               Broadcast default route or passive RIP
route             Enter a static route for an interface
username          Configure user authentication local database
service           Enable system services
session           Access an internal AccessPro router console
shun              Manages the filtering of packets from undesired hosts
snmp-server       Provide SNMP and event information
split-dns         Configure split DNS resolution.
ssh               Add SSH access to PIX console, set idle timeout, display list of active SSH sessions & terminate a SSH session
static            Configure one-to-one address translation rule
sysopt            Set system functional option
tech-support      Tech support
telnet            Add telnet access to PIX console and set idle timeout
terminal          Set terminal line parameters
tftp-server       Specify default TFTP server address and directory
timeout           Set the maximum idle times
traffic           Counters for traffic statistics
uauth             Display or clear current user authorization information
url-cache         Enable URL caching
url-block         Enable URL pending block buffer and long URL support
url-server        Specify a URL filter server
version           Display PIX system software version
virtual           Set address for authentication virtual servers
vpdn              Configure VPDN (PPTP, L2TP, PPPoE) Policy
vpnclient         Configure VPN Client
vpngroup          Configure a policy group for VPN clients
who               Show active administration sessions on PIX
xlate             Display current translation and connection slot information

show blocks/clear blocks


Show system buffer utilization. (Privileged mode.)
Display with the command... show blocks
Clear buffers with the command... clear blocks

Syntax Description

blocks

The blocks in the preallocated system buffer.

Usage Guidelines

The show blocks command lists preallocated system buffer utilization. In the show blocks command listing, the SIZE column displays the block type. The MAX column is the maximum number of allocated blocks. The LOW column is the fewest blocks available since the last reboot. The CNT column is the current number of available blocks. A zero in the LOW column indicates a previous event where memory was exhausted. A zero in the CNT column means memory is exhausted now. Exhausted memory is not a problem as long as traffic is moving through the PIX Firewall. You can use the show conn command to see if traffic is moving. If traffic is not moving and the memory is exhausted, a problem may be indicated. The clear blocks command keeps the maximum count at whatever number is allocated in the system and sets the low count equal to the current count. You can also view the information from the show blocks command using SNMP.


Examples

The following is sample output from the show blocks command:


show blocks
  SIZE    MAX    LOW    CNT
     4   1600   1600   1600
    80    100     97     97
   256     80     79     79
  1550    788    402    404
 65536      8      8      8
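The Usage Guidelines give a two-step rule (a zero LOW or CNT, then check with show conn whether traffic is moving). The following added example, not from the Cisco reference, applies that rule to captured output; the show blocks and show conn text it parses are constructed, with one pool given LOW 0 and another CNT 0 to exercise both warnings.

```python
import re

# Constructed sample output following the SIZE/MAX/LOW/CNT layout shown above;
# the 256-byte pool has LOW 0 (ran out earlier) and the 1550-byte pool has
# CNT 0 (exhausted now) so that both rules fire.
SAMPLE_SHOW_BLOCKS = """\
show blocks
  SIZE    MAX    LOW    CNT
     4   1600   1600   1600
    80    100     97     97
   256     80      0     79
  1550    788    402      0
 65536      8      8      8
"""

# First line of show conn output, in the "N in use, N most used" form.
SAMPLE_SHOW_CONN_HEADER = "2 in use, 2 most used"

ROW_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_show_blocks(text):
    """Return {size: {"max": n, "low": n, "cnt": n}} from show blocks output."""
    pools = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:  # header and command lines contain letters and are skipped
            size, mx, low, cnt = (int(x) for x in m.groups())
            pools[size] = {"max": mx, "low": low, "cnt": cnt}
    return pools


def block_findings(pools):
    """Apply the Usage Guidelines rules to each pool.

    LOW == 0: the pool ran out at some point since the last reboot.
    CNT == 0: the pool is exhausted right now (takes precedence).
    """
    findings = []
    for size in sorted(pools):
        p = pools[size]
        if p["cnt"] == 0:
            findings.append((size, "exhausted now"))
        elif p["low"] == 0:
            findings.append((size, "exhausted previously"))
    return findings


def connections_in_use(show_conn_text):
    """Read the 'N in use' count that heads show conn output."""
    m = re.match(r"\s*(\d+) in use", show_conn_text)
    return int(m.group(1)) if m else 0


def assess(show_blocks_text, show_conn_text):
    """Combine both commands as the guidelines suggest.

    Exhaustion alone is not a problem while traffic moves; exhaustion with
    no active connections may indicate one.
    """
    findings = block_findings(parse_show_blocks(show_blocks_text))
    exhausted_now = [s for s, why in findings if why == "exhausted now"]
    conns = connections_in_use(show_conn_text)
    if exhausted_now and conns == 0:
        verdict = "problem: memory exhausted and no traffic moving"
    elif exhausted_now:
        verdict = "watch: memory exhausted but traffic is moving"
    elif findings:
        verdict = "info: past exhaustion event, pool recovered"
    else:
        verdict = "ok"
    return verdict, findings


if __name__ == "__main__":
    print(assess(SAMPLE_SHOW_BLOCKS, SAMPLE_SHOW_CONN_HEADER))
```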

show checksum
Display the configuration checksum. (Unprivileged mode.)
Show command options
show checksum
Show command output
Displays four groups of hexadecimal numbers that act as a digital summary of the contents of the configuration.

Syntax Description

checksum

The hexadecimal numbers that act as a digital summary of the contents of the configuration.

Usage Guidelines

The show checksum command displays four groups of hexadecimal numbers that act as a digital summary of the contents of the configuration. The same information is stored with the configuration when you save it to Flash memory. By viewing the checksum at the end of the show config listing and comparing it with the show checksum output, you can see whether the configuration has changed. The PIX Firewall tests the checksum to determine whether the configuration has been corrupted.

Examples

The following is sample output from the show checksum command:


show checksum
Cryptochecksum: 1a2833c0 129ac70b 1a88df85 650dbb81
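The comparison the Usage Guidelines describe has one practical wrinkle: show checksum prints the digest as four spaced groups, while the Cryptochecksum: line that closes a configuration listing prints it as one 32-character string. The following added example (not from the Cisco reference) normalizes both forms and reports whether the running configuration has drifted from the saved one; both sample outputs are constructed.

```python
import re

# Constructed sample outputs. The spaced form is what show checksum prints;
# the unspaced form is the Cryptochecksum: line at the end of a configuration
# listing, as in the show running-config example later in this chapter.
SHOW_CHECKSUM_OUT = "Cryptochecksum: 1a2833c0 129ac70b 1a88df85 650dbb81\n"

SHOW_CONFIG_OUT = """\
: Saved
:
PIX Version 6.2(1)
hostname pixdoc515
telnet timeout 5
Cryptochecksum:1a2833c0129ac70b1a88df85650dbb81
: end
"""

# Four groups of eight hex digits, with or without whitespace between them.
CHECKSUM_RE = re.compile(r"Cryptochecksum:\s*((?:[0-9a-fA-F]{8}\s*){4})")


def normalize_checksum(text):
    """Return the checksum as 32 lowercase hex characters, or raise ValueError.

    Accepts either the spaced show checksum form or the unspaced listing form.
    """
    m = CHECKSUM_RE.search(text)
    if not m:
        raise ValueError("no Cryptochecksum line found")
    digest = re.sub(r"\s+", "", m.group(1)).lower()
    if len(digest) != 32:
        raise ValueError(f"malformed checksum: {digest!r}")
    return digest


def config_checksum_from_listing(listing):
    """Pick the checksum that closes a configuration listing (the last one)."""
    lines = [l for l in listing.splitlines() if l.startswith("Cryptochecksum:")]
    if not lines:
        raise ValueError("listing has no trailing Cryptochecksum line")
    return normalize_checksum(lines[-1])


def config_changed(show_checksum_out, show_config_out):
    """True if the running configuration's checksum differs from the stored one."""
    return normalize_checksum(show_checksum_out) != config_checksum_from_listing(show_config_out)


if __name__ == "__main__":
    print("changed" if config_changed(SHOW_CHECKSUM_OUT, SHOW_CONFIG_OUT) else "unchanged")
```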


show conn
Display all active connections. (Privileged mode.)
Show command options
show conn [detail] [count] [foreign | local ip [-ip2]] [netmask mask] [protocol tcp | udp | protocol] [fport | lport port1 [-port2]] [state [up [,finin] [,finout] [,http_get] [,sip] [,smtp_data] [,smtp_banner] [,smtp_incomplete] [,nojava] [,data_in] [,data_out] [,sqlnet_fixup_data] [,conn_inbound] [,rpc] [,h323] [,dump]]
show conn [detail] [count] | [protocol tcp|udp] [foreign|local ip1[-ip2] [netmask mask]] [lport|fport port1[-port2]] [state up [,finin] [,finout] [,http_get] [,smtp_data] [,nojava] [,data_in] [,data_out] [,rpc] [,h323] [,sqlnet_fixup_data] [,conn_inbound] [,sip]]
show conn state [detail] up [,finin] [,finout] [,http_get] [,smtp_data] [,nojava] [,data_in] [,data_out] [,rpc] [,h323] [,sqlnet_fixup_data] [,conn_inbound] [,sip]
Show command output
Each of these forms displays the number of, and information about, the active connections for the options specified.

Syntax Description

count
    Display only the number of used connections. The precision of the displayed count may vary depending on traffic volume and the type of traffic passing through the PIX Firewall unit.

detail
    If specified, displays translation type and interface information.

foreign | local ip [-ip2]
    Display active connections by the foreign IP address or by local IP address.

netmask mask
    Qualify foreign or local active connections by network mask.

fport | lport port1 [-port2]
    Display foreign or local active connections by port. See Ports in Chapter 2, Using PIX Firewall Commands for a list of valid port literal names.

protocol tcp | udp | protocol
    Display active connections by protocol type. protocol is a protocol specified by number. See Protocols in Chapter 2, Using PIX Firewall Commands for a list of valid protocol literal names.

state
    Display active connections by their current state: up (up), FIN inbound (finin), FIN outbound (finout), HTTP get (http_get), SMTP mail data (smtp_data), SIP connection (sip), SMTP mail banner (smtp_banner), incomplete SMTP mail connection (smtp_incomplete), an outbound command denying access to Java applets (nojava), inbound data (data_in), outbound data (data_out), SQL*Net data fix up (sqlnet_fixup_data), inbound connection (conn_inbound), RPC connection (rpc), H.323 connection (h323), dump clean up connection (dump).


Usage Guidelines

The show conn command displays the number of, and information about, active TCP connections. You can also view the connection count information from the show conn command using SNMP. The show conn detail command displays the following information:

{UDP | TCP} outside_ifc:real_addr/real-port [(map_addr/port)] inside_ifc:real_addr/real_port [(map-addr/port)] flags flags

The connection flags are defined in Table 8-2.

Table 8-2 Connection Flags

Flag  Description
U     up
f     inside FIN
F     outside FIN
r     inside acknowledged FIN
R     outside acknowledged FIN
s     awaiting outside SYN
S     awaiting inside SYN
M     SMTP data
H     HTTP get (not used)
T     TCP SIP connection
--    SKINNY (not used)
I     inbound data
O     outbound data
q     SQL*Net data
d     dump
P     inside back connection
E     outside back connection
G     group
p     replicated (unused)
a     awaiting outside ACK to SYN
A     awaiting inside ACK to SYN
B     initial SYN from outside
R     RPC
H     H.323
T     UDP SIP connection
m     SIP media connection
t     SIP transient connection
D     DNS


Examples

The following example shows a TCP session connection from inside host 10.1.1.15 to the outside telnet server at 192.150.49.10. Because there is no B flag, the connection is initiated from the inside. The "U", "I", and "O" flags denote that the connection is active and has received inbound and outbound data.

pixfirewall(config)# show conn
2 in use, 2 most used
TCP out 192.150.49.10:23 in 10.1.1.15:1026 idle 0:00:22 Bytes 1774 flags UIO
UDP out 192.150.49.10:31649 in 10.1.1.15:1028 idle 0:00:14 flags D-

The following example shows a UDP connection from outside host 192.150.49.10 to inside host 10.1.1.15. The D flag denotes that this is a DNS connection. The number 1028 is the DNS ID over the connection.
pixfirewall(config)# show conn detail
2 in use, 2 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
       B - initial SYN from outside, D - DNS, d - dump,
       E - outside back connection, f - inside FIN, F - outside FIN,
       G - group, H - H.323, I - inbound data, M - SMTP data,
       O - outbound data, P - inside back connection, q - SQL*Net data,
       R - outside acknowledged FIN, R - UDP RPC, r - inside acknowledged FIN,
       S - awaiting inside SYN, s - awaiting outside SYN, U - up
TCP outside:192.150.49.10/23 inside:10.1.1.15/1026 flags UIO
UDP outside:192.150.49.10/31649 inside:10.1.1.15/1028 flags dD

The following is sample output from the show conn command:


show conn
6 in use, 6 most used
TCP out 209.165.201.1:80 in 10.3.3.4:1404 idle 0:00:00 Bytes 11391
TCP out 209.165.201.1:80 in 10.3.3.4:1405 idle 0:00:00 Bytes 3709
TCP out 209.165.201.1:80 in 10.3.3.4:1406 idle 0:00:01 Bytes 2685
TCP out 209.165.201.1:80 in 10.3.3.4:1407 idle 0:00:01 Bytes 2683
TCP out 209.165.201.1:80 in 10.3.3.4:1403 idle 0:00:00 Bytes 15199
TCP out 209.165.201.1:80 in 10.3.3.4:1408 idle 0:00:00 Bytes 2688
UDP out 209.165.201.7:24 in 10.3.3.4:1402 idle 0:01:30
UDP out 209.165.201.7:23 in 10.3.3.4:1397 idle 0:01:30
UDP out 209.165.201.7:22 in 10.3.3.4:1395 idle 0:01:30

In this example, host 10.3.3.4 on the inside has accessed a website at 209.165.201.1. The global address on the outside interface is 209.165.201.7.
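Reading show conn output by hand means decoding the flag letters against Table 8-2 and remembering that the absence of B means an inside-initiated connection. The following added example, which is not from the Cisco reference, parses the brief show conn line format shown in these examples and decodes the flags. The sample lines are constructed; the table has duplicate letters (R, H, T), and the assumption made here is that their second meanings apply to UDP connections, matching the "R - UDP RPC" legend above.

```python
import re

# Constructed sample lines in the brief show conn format shown above
# (proto, "out" foreign addr:port, "in" local addr:port, idle, optional Bytes, flags).
SAMPLE_SHOW_CONN = """\
3 in use, 3 most used
TCP out 192.150.49.10:23 in 10.1.1.15:1026 idle 0:00:22 Bytes 1774 flags UIO
UDP out 192.150.49.10:31649 in 10.1.1.15:1028 idle 0:00:14 flags D-
TCP out 209.165.201.1:80 in 10.3.3.4:1404 idle 0:00:00 Bytes 11391 flags UIOB
"""

# Table 8-2 as dicts. R, H and T appear twice in the table; the assumption
# made here is that the second meaning (RPC, H.323, UDP SIP) applies to UDP.
FLAGS_COMMON = {
    "U": "up", "f": "inside FIN", "F": "outside FIN",
    "r": "inside acknowledged FIN", "s": "awaiting outside SYN",
    "S": "awaiting inside SYN", "M": "SMTP data", "I": "inbound data",
    "O": "outbound data", "q": "SQL*Net data", "d": "dump",
    "P": "inside back connection", "E": "outside back connection",
    "G": "group", "p": "replicated (unused)",
    "a": "awaiting outside ACK to SYN", "A": "awaiting inside ACK to SYN",
    "B": "initial SYN from outside", "m": "SIP media connection",
    "t": "SIP transient connection", "D": "DNS",
}
FLAGS_TCP = {"R": "outside acknowledged FIN", "H": "HTTP get (not used)",
             "T": "TCP SIP connection"}
FLAGS_UDP = {"R": "RPC", "H": "H.323", "T": "UDP SIP connection"}

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) out (?P<faddr>[\d.]+):(?P<fport>\d+) "
    r"in (?P<laddr>[\d.]+):(?P<lport>\d+) idle (?P<idle>\d+:\d\d:\d\d)"
    r"(?: Bytes (?P<bytes>\d+))? flags (?P<flags>\S+)$"
)


def decode_flags(proto, flags):
    """Map each flag letter to its Table 8-2 description for the given protocol."""
    table = dict(FLAGS_COMMON, **(FLAGS_UDP if proto == "UDP" else FLAGS_TCP))
    # "-" is a column placeholder in the brief output, not a flag.
    return [table.get(ch, f"unknown({ch})") for ch in flags if ch != "-"]


def idle_seconds(idle):
    h, m, s = (int(x) for x in idle.split(":"))
    return h * 3600 + m * 60 + s


def parse_conn_line(line):
    """Return a dict describing one show conn line, or None for non-conn lines."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["fport"], d["lport"] = int(d["fport"]), int(d["lport"])
    d["bytes"] = int(d["bytes"]) if d["bytes"] else None  # UDP lines carry no Bytes
    d["idle_seconds"] = idle_seconds(d["idle"])
    d["descriptions"] = decode_flags(d["proto"], d["flags"])
    # No B flag means the connection was initiated from the inside.
    d["initiated_from"] = "outside" if "B" in d["flags"] else "inside"
    return d


def parse_show_conn(text):
    return [c for c in (parse_conn_line(l) for l in text.splitlines()) if c]


def connections_by_inside_host(conns):
    """Count connections per local (inside) host, e.g. to spot a busy host."""
    counts = {}
    for c in conns:
        counts[c["laddr"]] = counts.get(c["laddr"], 0) + 1
    return counts


if __name__ == "__main__":
    for c in parse_show_conn(SAMPLE_SHOW_CONN):
        print(f'{c["proto"]} {c["laddr"]}:{c["lport"]} -> {c["faddr"]}:{c["fport"]} '
              f'from {c["initiated_from"]}: {", ".join(c["descriptions"])}')
```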

show cpu usage


The show cpu usage command displays CPU utilization. (Privileged or configuration mode.)
Show command options
show cpu usage
Show command output
Displays central processing unit (CPU) utilization information.

Syntax Description

cpu usage

The central processing unit (CPU) usage data.


Usage Guidelines

The show cpu usage command displays the central processing unit (CPU) usage information.

Examples

The following example shows the show cpu usage command output:
CPU utilization for 5 seconds: p1%; 1 minute: p2%; 5 minutes: p3%

The percentage usage prints as NA (not applicable) if the usage is unavailable for the specified time interval. This can happen if the user asks for CPU usage before the 5-second, 1-minute, or 5-minute time interval has elapsed.

show history
Display previously entered commands. (Privileged mode.)
Show command options
show history
Show command output
Displays the previously entered commands.

Syntax Description

history

The list of previous entries.

Usage Guidelines

The show history command displays previously entered commands. You can examine commands individually with the up and down arrows or by entering ^p to view previously entered lines or ^n to view the next line.

Examples

The following is sample output from the show history command:


show history
enable
...

show local-host/clear local host


View local host network states. (Privileged mode (show), configuration mode (clear).)
Display with the command... show local-host
Clear with the command... clear local-host [ip_address]

Show command options
show local-host [ip_address]

Show command output
Displays the network states of local hosts, and the number of hosts that are counted toward license limits if applicable.

Syntax Description

ip_address

Local host IP address.


Usage Guidelines

The show local-host command lets you view the network states of local hosts. Local hosts are any hosts on the same subnet as an internal PIX Firewall interface (not the outside interface). Hosts beyond the next hop routers are not affected by this command. This command lets you show the translation and connection slots for the local hosts, or stop all traffic on these hosts. This command provides information for hosts configured with the nat 0 command when normal translation and connection states may not apply. The show local-host detail command displays more information about active xlates and connections. Use the ip_address option to limit the display to a single host. The clear local-host command clears the information displayed for the local host. On a PIX 501, cleared hosts are released from the license limit. You can view the number of hosts that are counted toward the license limit with the show local-host command.

Note

Clearing the network state of a local host stops all connections and xlates associated with the local hosts.

Examples

The following is sample output from the show local-host command:


show local-host 10.1.1.15
local host: <10.1.1.15>, conn(s)/limit = 2/0, embryonic(s)/limit = 0/0
Xlate(s):
PAT Global 172.16.3.200(1024) Local 10.1.1.15(55812)
PAT Global 172.16.3.200(1025) Local 10.1.1.15(56836)
PAT Global 172.16.3.200(1026) Local 10.1.1.15(57092)
PAT Global 172.16.3.200(1027) Local 10.1.1.15(56324)
PAT Global 172.16.3.200(1028) Local 10.1.1.15(7104)
Conn(s):
TCP out 192.150.49.10:23 in 10.1.1.15:1246 idle 0:00:20 Bytes 449 flags UIO
TCP out 192.150.49.10:21 in 10.1.1.15:1247 idle 0:00:10 Bytes 359 flags UIO

The xlate describes the translation slot information and the Conn is the connection state information. The following is sample command output from the show local-host command:
pixfirewall(config)# show local-host
local host: <10.1.1.15>, conn(s)/limit = 2/0, embryonic(s)/limit = 0/0
Xlate(s):
PAT Global 192.150.49.1(1024) Local 10.1.1.15(516)
PAT Global 192.150.49.1(0) Local 10.1.1.15 ICMP id 340
PAT Global 192.150.49.1(1024) Local 10.1.1.15(1028)
Conn(s):
TCP out 192.150.49.10:23 in 10.1.1.15:1026 idle 0:00:25 Bytes 1774 flags UIO
UDP out 192.150.49.10:31649 in 10.1.1.15:1028 idle 0:00:17 flags D-

For comparison, the following is sample command output from the show local-host detail command:
pixfirewall(config)# show local-host detail
local host: <10.1.1.15>, conn(s)/limit = 2/0, embryonic(s)/limit = 0/0
Xlate(s):
TCP PAT from inside:10.1.1.15/1026 to outside:192.150.49.1/1024 flags ri
ICMP PAT from inside:10.1.1.15/21505 to outside:192.150.49.1/0 flags ri
UDP PAT from inside:10.1.1.15/1028 to outside:192.150.49.1/1024 flags ri
Conn(s):
TCP outside:192.150.49.10/23 inside:10.1.1.15/1026 flags UIO
UDP outside:192.150.49.10/31649 inside:10.1.1.15/1028 flags dD

The next example shows how the clear local-host command clears the local host information:
clear local-host 10.1.1.15
show local-host 10.1.1.15

Once the information is cleared, nothing more displays until the hosts reestablish their connections, which were stopped by the clear local-host command, and more data is produced.

show memory
Show system memory utilization. (Privileged mode.)
Show command options
show memory
Show command output
Displays system memory utilization information.

Syntax Description

memory

The system memory data.

Usage Guidelines

The show memory command displays a summary of the maximum physical memory and current free memory available to the PIX Firewall operating system. Memory in the PIX Firewall is allocated as needed. You can also view the information from the show memory command using SNMP.

Examples

The following is sample output from the show memory command:


show memory
nnnnnnnn bytes total, nnnnnnn bytes free

show processes
Display processes. (Privileged mode.)
Show command options
show processes
Show command output
Displays a list of the running processes.

Syntax Description

processes

The processes running on the PIX Firewall.


Usage Guidelines

The show processes command displays a list of the running processes. Processes are lightweight threads requiring only a few instructions. In the listing, PC is the program counter, SP is the stack pointer, STATE is the address of a thread queue, Runtime is the number of milliseconds that the thread has been running, SBASE is the stack base address, Stack is the current number of bytes used and the total size of the stack, and Process lists the thread's function.

Examples

The following is sample output from the show processes command:


show processes
    PC       SP       STATE    Runtime  SBASE    Stack     Process
Lsi 800125de 803603d0 80075ba0        0 8035f410 4004/4096 arp_timer
...

show running-config
Display the PIX Firewall running configuration. (Privileged mode.)
Show command options
show running-config
Show command output
Displays the configuration currently running on the PIX Firewall.

Syntax Description

running-config

The configuration running on the PIX Firewall.

Usage Guidelines

The show running-config command displays the current running configuration. The keyword running-config is used to match the Cisco IOS software command. The show running-config command output is the same as the pre-existing PIX Firewall write terminal command. The running-config keyword can be used only in the show running-config command. It cannot be used with no or clear, or as a standalone command. If it is, the CLI treats it as a non-supported command. Also, for this reason, when ?, no ?, or clear ? are entered, a running-config option is not listed in the command list.

Examples

The following is sample output from the show running-config command:


pixfirewall# show running-config
: Saved
:
PIX Version 6.2(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixdoc515
domain-name cisco.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list inside_outbound_nat0_acl permit ip 10.1.3.0 255.255.255.0 10.1.2.0
access-list inside_outbound_nat0_acl permit ip any any
access-list outside_cryptomap_20 permit ip 10.1.3.0 255.255.255.0 10.1.2.0 255.
access-list outside_cryptomap_40 permit ip any any
access-list 101 permit ip any any
pager lines 24
logging on
interface ethernet0 10baset
interface ethernet1 100full
interface ethernet2 100full shutdown
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 172.23.59.230 255.255.0.0 pppoe
ip address inside 10.1.3.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.0
multicast interface inside
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
pdm location 10.1.2.1 255.255.255.255 outside
pdm location 10.1.2.0 255.255.255.0 outside
pdm logging alerts 100
pdm history enable
arp timeout 14400
global (inside) 6 192.168.1.2-192.168.1.3
global (inside) 3 192.168.4.1
nat (inside) 0 access-list inside_outbound_nat0_acl
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 172.23.59.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 s0
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 172.23.59.231
crypto map outside_map 20 set transform-set ESP-DES-SHA
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer 123.5.5.5
isakmp key ******** address 172.23.59.231 netmask 255.255.255.255 no-xauth no-c
isakmp peer fqdn no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication rsa-sig
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:4d600490f46b5d335c0fbf2eda0015a2
: end

show startup-config
Display the PIX Firewall startup configuration. (Privileged mode.)
Show command options
show startup-config
Show command output
Displays the configuration of the PIX Firewall at startup.

Syntax Description

startup-config

The configuration present at startup on the PIX Firewall.

Usage Guidelines

The show startup-config command displays the startup configuration of the PIX Firewall. The keyword startup-config is used to match the Cisco IOS software command. The show startup-config command output is the same as the pre-existing PIX Firewall show configure command. The show startup-config command is not needed for PDM but is provided for compatibility with Cisco IOS software. The startup-config keyword can be used only in the show startup-config command. It cannot be used with no or clear, or as a standalone command. If it is, the CLI treats it as a non-supported command. Also, for this reason, when ?, no ?, or clear ? are entered, a startup-config option is not listed in the command list.

Examples

The following is sample output from the show startup-config command:


pixfirewall# show startup-config
: Saved
: Written by enable_15 at 17:14:09.092 UTC Tue Apr 9 2002
PIX Version 6.2(0)227
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixdoc515

domain-name cisco.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list inside_outbound_nat0_acl permit ip 10.1.3.0 255.255.255.0 10.1.2.0
access-list inside_outbound_nat0_acl permit ip any any
access-list outside_cryptomap_20 permit ip 10.1.3.0 255.255.255.0 10.1.2.0 255.
access-list outside_cryptomap_40 permit ip any any
access-list 101 permit ip any any
pager lines 24
logging on
interface ethernet0 10baset
interface ethernet1 100full
interface ethernet2 100full shutdown
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 172.23.59.230 255.255.0.0 pppoe
ip address inside 10.1.3.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.0
multicast interface inside
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
pdm location 10.1.2.1 255.255.255.255 outside
pdm location 10.1.2.0 255.255.255.0 outside
pdm logging alerts 100
pdm history enable
arp timeout 14400
global (inside) 6 192.168.1.2-192.168.1.3
global (inside) 3 192.168.4.1
nat (inside) 0 access-list inside_outbound_nat0_acl
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 172.23.59.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 s0
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec

no sysopt route dnat
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 172.23.59.231
crypto map outside_map 20 set transform-set ESP-DES-SHA
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer 123.5.5.5
isakmp key ******** address 172.23.59.231 netmask 255.255.255.255 no-xauth no-c
isakmp peer fqdn no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication rsa-sig
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
telnet timeout 5
ssh timeout 5

show tech-support
View information to help a support analyst. (Privileged mode.)
Show command options show tech-support
Show command output Displays information that technical support analysts need to help diagnose PIX Firewall problems.

Syntax Description

tech-support

The data used for diagnosis by technical support analysts.

Usage Guidelines

The show tech-support command lists information that technical support analysts need to help you diagnose PIX Firewall problems. This command combines the output from the show commands that provide the most information to a technical support analyst.

Examples

The following is sample output from the show tech-support command:


show tech-support
PIX Version 6.0(n)nnn
Compiled on Fri 28-May-99 04:08 by pixbuild
PIX Bios V2.7

pixfirewall up 100 days 6 hours 17 mins ...

show traffic/clear traffic


Shows interface transmit and receive activity. (Privileged mode.)
Configure with the command... N/A
Remove with the command... clear traffic

Show command options show traffic

Show command output Displays the number of packets and bytes moving through each interface.

Syntax Description

traffic

The packets and bytes moving through an interface.

Usage Guidelines

The show traffic command lists the number of packets and bytes moving through each interface. The number of seconds is the duration the PIX Firewall has been online since the last reboot. The clear traffic command clears counters for the show traffic command output.

Examples

The following is sample output from the show traffic command:


show traffic
outside:
        received (in 3786 secs):
                97 packets      6191 bytes
                42 pkts/sec     1 bytes/sec
        transmitted (in 3786 secs):
                99 packets      10590 bytes
                0 pkts/sec      2 bytes/sec

show uauth/clear uauth


Delete all authorization caches for a user. (Privileged mode.)
Display with the command... show uauth
Clear with the command... clear uauth [username]

Show command options show uauth [username]

Show command output Displays one or all currently authenticated users, the host IP to which they are bound, and, if applicable, any cached IP and port authorization information.

Syntax Description

username

Clear or view user authentication information by username.

Usage Guidelines

The show uauth command displays one or all currently authenticated users, the host IP to which they are bound, and, if applicable, any cached IP and port authorization information. The clear uauth command deletes one user's, or all users', AAA authorization and authentication caches, which forces the user or users to reauthenticate the next time they create a connection. The show uauth command also lists CiscoSecure 2.1 and later idletime and timeout values, which can be set for different user groups. This command is used in conjunction with the timeout command.

Each user host's IP address has an authorization cache attached to it. If the user attempts to access a service that has been cached from the correct host, the firewall considers it preauthorized and immediately proxies the connection. This means that once you are authorized to access a website, for example, the authorization server is not contacted for each of the images as they are loaded (assuming they come from the same IP address). This significantly increases performance and reduces load on the authorization server. The cache allows up to 16 address and service pairs for each user host.

The output from the show uauth command displays the username provided to the authorization server for authentication and authorization purposes, the IP address that the username is bound to, and whether the user is authenticated only or has cached services. Use the timeout uauth command to specify how long the cache should be kept after the user connections become idle. Use the clear uauth command to delete all authorization caches for all users, which will cause them to have to reauthenticate the next time they create a connection.

Examples

The following is sample output from the show uauth command when no users are authenticated and one user authentication is in progress:
pixfirewall(config)# show uauth
                        Current    Most Seen
Authenticated Users       0          0
Authen In Progress        0          1

The following is sample output from the show uauth command when three users are authenticated and authorized to use services through the PIX Firewall:
pixfirewall(config)# show uauth
user pat from 209.165.201.2 authenticated
user robin from 209.165.201.4 authorized to:
    port 192.168.67.34/telnet 192.168.67.11/http 192.168.67.56/tcp/25
         192.168.67.42/ftp 192.168.67.33/tcp/8001
user terry from 209.165.201.7 authorized to:
    port 192.168.1.50/http 209.165.201.8/http

In this example, Pat has authenticated with the server but has not completed authorization. Robin has preauthorized connections to the Telnet, Web (HTTP), sendmail, FTP services, and to TCP port 8001 on 192.168.67.33. Terry has been browsing the Web and is authorized for Web browsing to the two sites shown. The next example causes Pat to reauthenticate:
clear uauth pat
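The following Python script is an added example, not Cisco's code and not part of this reference. It parses the show uauth display into per-user records so the per-host authorization cache described in the usage guidelines can be inspected from a script: which user is bound to which source address, whether the user is authenticated only or has cached services, and how many of the 16 address/service pairs remain. The sample input is the display shown above, with the wrapped 192.168.67.33/tcp/8001 pair placed under robin as the text states; the function and constant names are the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Sample input: the show uauth display from this section, reassembled so that the
# 192.168.67.33/tcp/8001 pair sits under robin, as the accompanying text states.
SAMPLE_UAUTH = """\
pixfirewall(config)# show uauth
user pat from 209.165.201.2 authenticated
user robin from 209.165.201.4 authorized to:
    port 192.168.67.34/telnet 192.168.67.11/http 192.168.67.56/tcp/25
         192.168.67.42/ftp 192.168.67.33/tcp/8001
user terry from 209.165.201.7 authorized to:
    port 192.168.1.50/http 209.165.201.8/http
"""

# The reference states that the cache holds up to 16 address/service pairs per user host.
UAUTH_CACHE_PAIRS = 16

_USER_RE = re.compile(
    r"^user (?P<user>\S+) from (?P<host>[\d.]+) (?P<status>authenticated|authorized to:)$"
)
_PAIR_RE = re.compile(r"^(?P<addr>[\d.]+)/(?P<service>\S+)$")


@dataclass
class UauthEntry:
    user: str
    host: str                      # source IP the username is bound to
    authorized: bool               # False: authenticated only, nothing cached yet
    services: List[Tuple[str, str]] = field(default_factory=list)  # (destination, service)


def parse_show_uauth(text: str) -> List[UauthEntry]:
    """Parse 'show uauth' output into one entry per authenticated user."""
    entries: List[UauthEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = _USER_RE.match(line)
        if m:
            entries.append(UauthEntry(m["user"], m["host"], m["status"] != "authenticated"))
            continue
        if not entries or not line:
            continue
        # Continuation lines: an optional 'port' label followed by addr/service
        # tokens, which the display wraps across several lines.
        for token in line.split():
            p = _PAIR_RE.match(token)
            if p and entries[-1].authorized:
                entries[-1].services.append((p["addr"], p["service"]))
    return entries


def cache_headroom(entry: UauthEntry, limit: int = UAUTH_CACHE_PAIRS) -> int:
    """Address/service pairs still available before this host's cache is full."""
    return max(limit - len(entry.services), 0)


def users_bound_to(entries: List[UauthEntry], host: str) -> List[str]:
    """Usernames currently bound to a source IP (who is behind an address in a log)."""
    return [e.user for e in entries if e.host == host]


if __name__ == "__main__":
    for e in parse_show_uauth(SAMPLE_UAUTH):
        state = "authorized" if e.authorized else "authenticated only"
        print(f"{e.user:<6} {e.host:<15} {state:<18} cached={len(e.services):2d} "
              f"headroom={cache_headroom(e)}")
```

The parser treats every token of the form address/service on a continuation line as a cached pair, so it is indifferent to how the PIX wraps the port list. Pat, who is authenticated but not yet authorized, gets an empty service list rather than being dropped.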

Related Commands

aaa authorization
timeout

show version
View the PIX Firewall operating information. (Unprivileged mode.)
Show command options show version
Show command output Displays the PIX Firewall unit's software version, operating time since last reboot, processor type, Flash memory type, interface boards, serial number (BIOS ID), activation key value, and timestamp for when the configuration was last modified.

Syntax Description

version

The PIX Firewall software version, hardware configuration, license key, and related uptime data.

Usage Guidelines

Use the show version command to display the PIX Firewall unit's software version, operating time since last reboot, processor type, Flash memory type, interface boards, serial number (BIOS ID), and activation key value.

The serial number listed with the show version command in PIX Firewall software version 5.3 and higher is for the Flash memory BIOS. This number is different from the serial number on the chassis. When you get a software upgrade, you will need the serial number that appears in the show version command, not the chassis number.

For PIX Firewall software version 6.2 and higher, the show version command output appears as follows:
Running Activation Key: activation-key-four-tuple

to indicate the activation key that is currently running the PIX Firewall image. In the following examples, the amount of Flash memory (2 MB or 16 MB) is identified as follows:
Flash memory type   Amount of Flash memory
i28F020             512 kB
AT29C040A           2 MB
atmel               2 MB
i28F640J5           8 MB - PIX 506
                    16 MB - all other PIXes
strata              16 MB
E28F128J3           16 MB

Examples

The following is sample output from the show version command:


pixfirewall(config)# show version
Cisco PIX Firewall Version 6.2(1)
Cisco PIX Device Manager Version 2.0(1)
Compiled on Wed 17-Apr-02 21:18 by morlee
pixdoc515 up 9 days 3 hours
Hardware: PIX-515, 64 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB
0: ethernet0: address is 0050.54ff.3772, irq 10
1: ethernet1: address is 0050.54ff.3773, irq 7
2: ethernet2: address is 00d0.b792.409d, irq 11
Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES: Enabled
Maximum Interfaces: 6
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited
Serial Number: 480221353 (0x1c9f98a9)
Running Activation Key: 0x36df4255 0x246dc5fc 0x39d2ec4d 0x09f6288f
Configuration last modified by enable_15 at 12:15:28.311 UTC Wed May 1 2002
pixfirewall(config)#

show xlate/clear xlate


View or clear translation slot information. (Privileged mode.)
Display with the command... show xlate
Clear with the command... clear xlate [global | local ip1[-ip2] [netmask mask]] [lport | gport port[-port]] [interface if1[,if2][,ifn]] [state static [,dump] [,portmap] [,norandomseq] [,identity]]

Show command options show xlate [detail] [global | local ip1 [-ip2] [netmask mask]] [lport | gport port [-port]] [interface if1 [,if2] [,ifn]] [state static [,dump] [,portmap] [,norandomseq] [,identity]]

Show command output Displays the contents of only the translation slots.

Syntax Description

detail

If specified, displays translation type and interface information.

global | local ip1 [-ip2] [netmask mask]

Display active translations by global IP address or local IP address using the network mask to qualify the IP addresses.

interface if1 [,if2] [,ifn]

Display active translations by interface.

lport | gport port [-port]

Display active translations by local and global port specifications. See Ports in Chapter 2, Using PIX Firewall Commands for a list of valid port literal names.

state

Display active translations by state; static translation (static), dump (cleanup), PAT global (portmap), a nat or static translation with the norandomseq setting (norandomseq), or the use of the nat 0, identity feature (identity).

Usage Guidelines

The clear xlate command clears the contents of the translation slots. (xlate means translation slot.) The show xlate command displays the contents of only the translation slots. Translation slots can persist after key changes have been made. Always use the clear xlate command after adding, changing, or removing the aaa-server, access-list, alias, conduit, global, nat, route, or static commands in your configuration.

The show xlate detail command displays the following information:

{ICMP|TCP|UDP} PAT from interface:real-address/real-port to interface:mapped-address/mapped-port flags translation-flags
NAT from interface:real-address/real-port to interface:mapped-address/mapped-port flags translation-flags

The translation flags are defined in Table 8-3.
Table 8-3 Translation Flags

Flag   Description
s      static translation slot
d      dump translation slot on next cleaning cycle
r      portmap translation (Port Address Translation)
n      no randomization of TCP sequence number
o      outside address translation
i      inside address translation
D      DNS A RR rewrite
I      identity translation from nat 0

Examples

The following is sample output from the show xlate command with three active Port Address Translations (PATs):
pixfirewall(config)# show xlate
3 in use, 3 most used
PAT Global 192.150.49.1(0) Local 10.1.1.15 ICMP id 340
PAT Global 192.150.49.1(1024) Local 10.1.1.15(1028)
PAT Global 192.150.49.1(1024) Local 10.1.1.15(516)

The following is sample output from the show xlate detail command with three active Port Address Translations (PATs):
pixfirewall(config)# show xlate detail
3 in use, 3 most used
Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,
       o - outside, r - portmap, s - static
TCP PAT from inside:10.1.1.15/1026 to outside:192.150.49.1/1024 flags ri
UDP PAT from inside:10.1.1.15/1028 to outside:192.150.49.1/1024 flags ri
ICMP PAT from inside:10.1.1.15/21505 to outside:192.150.49.1/0 flags ri

The first entry is a TCP Port Address Translation for host-port (10.1.1.15, 1025) on the inside network to host-port (192.150.49.1, 1024) on the outside network. The flag "r" denotes the translation is a Port Address Translation. The "i" flag denotes that the translation applies to the inside address-port.

The second entry is a UDP Port Address Translation for host-port (10.1.1.15, 1028) on the inside network to host-port (192.150.49.1, 1024) on the outside network. The flag "r" denotes the translation is a Port Address Translation. The "i" flag denotes that the translation applies to the inside address-port.

The third entry is an ICMP Port Address Translation for host-ICMP-id (10.1.1.15, 21505) on the inside network to host-ICMP-id (192.150.49.1, 0) on the outside network. The flag "r" denotes the translation is a Port Address Translation. The "i" flag denotes that the translation applies to the inside address-ICMP-id.

The inside address fields appear as source addresses on packets traversing from the more secure interface to the less secure interface. Conversely, they appear as destination addresses on packets traversing from the less secure interface to the more secure interface.

The following is sample output from two static translations, the first with two associated connections (called nconns) and the second with four.
show xlate
Global 209.165.201.10 Local 209.165.201.10 static nconns 1 econns 0
Global 209.165.201.30 Local 209.165.201.30 static nconns 4 econns 0
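As an added example, not from the reference or from Cisco, the following Python parses show xlate detail output into records and decodes the flag letters of Table 8-3. It also answers the question an analyst usually brings to this output: which inside host sits behind a mapped address and port when an external alert names only the mapped side. The sample input reuses the three PAT lines shown above and adds one constructed NAT line (the 10.1.1.20 entry) to exercise the second output format; the function names are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Flag letters as defined in Table 8-3.
XLATE_FLAGS = {
    "s": "static translation slot",
    "d": "dump translation slot on next cleaning cycle",
    "r": "portmap translation (Port Address Translation)",
    "n": "no randomization of TCP sequence number",
    "o": "outside address translation",
    "i": "inside address translation",
    "D": "DNS A RR rewrite",
    "I": "identity translation from nat 0",
}

# Constructed sample: the three PAT lines from this section's show xlate detail
# output plus one NAT line (the 10.1.1.20 entry) to exercise the second format.
SAMPLE_XLATE_DETAIL = """\
pixfirewall(config)# show xlate detail
4 in use, 4 most used
Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,
       o - outside, r - portmap, s - static
TCP PAT from inside:10.1.1.15/1026 to outside:192.150.49.1/1024 flags ri
UDP PAT from inside:10.1.1.15/1028 to outside:192.150.49.1/1024 flags ri
ICMP PAT from inside:10.1.1.15/21505 to outside:192.150.49.1/0 flags ri
NAT from inside:10.1.1.20/0 to outside:192.150.49.7/0 flags si
"""

# {ICMP|TCP|UDP} PAT from ifc:real/port to ifc:mapped/port flags xx
# NAT from ifc:real/port to ifc:mapped/port flags xx
_XLATE_RE = re.compile(
    r"^(?:(?P<proto>ICMP|TCP|UDP)\s+)?(?P<kind>PAT|NAT)\s+from\s+"
    r"(?P<real_if>[^:\s]+):(?P<real_addr>[\d.]+)/(?P<real_port>\d+)\s+to\s+"
    r"(?P<map_if>[^:\s]+):(?P<map_addr>[\d.]+)/(?P<map_port>\d+)"
    r"\s+flags\s+(?P<flags>\S*)$"
)


@dataclass(frozen=True)
class Xlate:
    proto: Optional[str]   # None for a NAT line, which carries no protocol
    kind: str              # "PAT" or "NAT"
    real_if: str
    real_addr: str
    real_port: int         # the ICMP id for ICMP entries
    map_if: str
    map_addr: str
    map_port: int
    flags: str

    def describe_flags(self) -> List[str]:
        # Unknown letters are reported rather than silently dropped.
        return [XLATE_FLAGS.get(f, f"unknown flag {f!r}") for f in self.flags]


def parse_show_xlate_detail(text: str) -> List[Xlate]:
    """Parse 'show xlate detail'; the counter and Flags legend lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = _XLATE_RE.match(raw.strip())
        if not m:
            continue
        g = m.groupdict()
        entries.append(Xlate(
            g["proto"], g["kind"],
            g["real_if"], g["real_addr"], int(g["real_port"]),
            g["map_if"], g["map_addr"], int(g["map_port"]),
            g["flags"],
        ))
    return entries


def real_hosts_behind(entries: List[Xlate], map_addr: str,
                      map_port: Optional[int] = None,
                      proto: Optional[str] = None) -> Set[str]:
    """Real (inside) addresses currently translated to a mapped address, optionally
    narrowed to one mapped port and protocol. With PAT several real hosts can share
    one mapped address, so this lookup is what turns an alert that names only the
    mapped address into the host actually involved."""
    hosts = set()
    for e in entries:
        if e.map_addr != map_addr:
            continue
        if map_port is not None and e.map_port != map_port:
            continue
        if proto is not None and e.proto != proto:
            continue
        hosts.add(e.real_addr)
    return hosts


if __name__ == "__main__":
    xlates = parse_show_xlate_detail(SAMPLE_XLATE_DETAIL)
    for x in xlates:
        print(f"{x.proto or '-':<4} {x.kind} {x.real_addr}/{x.real_port} -> "
              f"{x.map_addr}/{x.map_port}: {', '.join(x.describe_flags())}")
    print("behind 192.150.49.1:", sorted(real_hosts_behind(xlates, "192.150.49.1")))
```

Note that the TCP and UDP entries in the sample share mapped port 1024; a lookup by mapped address and port alone must therefore also take the protocol into account when the alert carries one, which is why real_hosts_behind accepts all three.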

Related Commands

show conn
timeout
show uauth/clear uauth

shun
The shun command enables a dynamic response to an attacking host by preventing new connections and disallowing packets from any existing connection. (Configuration mode.)
Configure with the command... shun src_ip [dst_ip sport dport [protocol]]
Remove with the command... no shun src_ip [dst_ip sport dport [protocol]]
clear shun [statistics]

Show command options show shun [src_ip | statistics]

Show command output Displays all shuns currently enabled in the exact format specified.

Syntax Description

clear

Disable all shuns currently enabled and clears shun statistics. Specifying statistics only clears the counters for that interface.

dport

The destination port of the connection causing the shun.

dst_ip

The address of the target host.

no

Disable a shun based on src_ip, the actual address used by the PIX Firewall for shun lookups.

protocol

The optional IP protocol, such as UDP or TCP.

shun

Enable a blocking function (shun) based on src_ip.

sport

The source port of the connection causing the shun.

src_ip

The address of the attacking host.

statistics

Clear only interface counters.

Usage Guidelines

The shun command applies a blocking function to the interface receiving the attack. Packets containing the IP source address of the attacking host will be dropped and logged until the blocking function is removed manually or by the Cisco IDS master unit. No traffic from the IP source address will be allowed to traverse the PIX Firewall unit and any remaining connections will time out as part of the normal architecture. The blocking function of the shun command is applied whether or not a connection with the specified host address is currently active. If the shun command is used only with the source IP address of the host, then the other defaults will be 0. No further traffic from the offending host will be allowed. Because the shun command is used to block attacks dynamically, it is not displayed in your PIX Firewall configuration.

Examples

In the following example, the offending host (10.1.1.27) makes a connection with the victim (10.2.2.89) with TCP. The connection in the PIX Firewall connection table reads:
10.1.1.27, 555-> 10.2.2.89, 666 PROT TCP

If the shun command is applied in the following way:
shun 10.1.1.27 10.2.2.89 555 666 tcp

The preceding command would delete the connection from the PIX Firewall connection table, and it would also prevent packets from 10.1.1.27 from going through the PIX Firewall. The offending host can be inside or outside of the PIX Firewall.

snmp-server
Provide PIX Firewall event information through SNMP. (Configuration mode.)
Configure with the command...                          Disable with the command...
snmp-server community key                              no snmp-server community key
snmp-server {contact | location} text                  no snmp-server {contact | location}
snmp-server host [if_name] ip_addr [trap | poll]       no snmp-server [if_name] ip_addr

Configure with the command...                          Disable with the command...
snmp-server enable traps                               no snmp-server enable traps
N/A                                                    clear snmp-server

Show command options show snmp-server

Show command output Displays the SNMP configuration.

Syntax Description

community key

Enter the password key value in use at the SNMP management station. The SNMP community string is a shared secret among the SNMP management station and the network nodes being managed. PIX Firewall uses the key to determine if the incoming SNMP request is valid. For example, you could designate a site with a community string and then configure the routers, firewall, and the management station with this same string. The PIX Firewall then honors SNMP requests using this string and does not respond to requests with an invalid community string. The key is a case-sensitive value up to 32 characters in length. Spaces are not permitted. The default is public if key is not set. Consequently, it is important to specify a (new) value for key for security reasons.

contact text

Supply your name or that of the PIX Firewall system administrator. The text is case-sensitive and can be up to 127 characters. Spaces are accepted, but multiple spaces are shortened to a single space.

enable traps

Enable or disable sending log messages as SNMP trap notifications.

host

Specify an IP address of the SNMP management station to which traps should be sent and/or from which the SNMP requests come. You can specify up to five SNMP management stations. Use with these parameters:

if_name: The interface name where the SNMP management station resides.
ip_addr: The IP address of a host to which SNMP traps should be sent and/or from which the SNMP requests come.

if_name

The interface name where the SNMP management station resides.

ip_addr

The IP address of a host to which SNMP traps should be sent and/or from which the SNMP requests come.

location text

Specify your PIX Firewall location. The text is case-sensitive and can be up to 127 characters. Spaces are accepted, but multiple spaces are shortened to a single space.

snmp-server host

Specify an IP address of the SNMP management station to which traps should be sent and/or from which the SNMP requests come. You can specify up to 32 SNMP management stations.

trap | poll

Specify whether traps, polls, or both are acted upon. Use with these parameters:

trap: Only traps will be sent. This host will not be allowed to poll.
poll: Traps will not be sent. This host will be allowed to poll.

The default allows both traps and polls to be acted upon.

Usage Guidelines

Use the snmp-server command to identify site, management station, community string, and user information.

Note

In the snmp-server community key command, the default value for key is public. Consequently, it is important to specify a (new) value for key for security reasons. The clear snmp-server and no snmp-server commands disable the SNMP commands in the configuration as follows:
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps

In understanding SNMP use, the PIX Firewall is considered the SNMP agent or SNMP server. The management station is the system running the SNMP program that receives and processes the SNMP information that the PIX Firewall sends. An SNMP object ID (OID) for PIX Firewall displays in SNMP event traps sent from the PIX Firewall. The OIDs for the PIX Firewall platforms are listed in Table 8-4.
Table 8-4 System OID in PIX Firewall Platforms

PIX Firewall Platform   System OID
PIX 506                 .1.3.6.1.4.1.9.1.389
PIX 506E                .1.3.6.1.4.1.9.1.450
PIX 515                 .1.3.6.1.4.1.9.1.390
PIX 515E                .1.3.6.1.4.1.9.1.451
PIX 520                 .1.3.6.1.4.1.9.1.391
PIX 525                 .1.3.6.1.4.1.9.1.392
PIX 535                 .1.3.6.1.4.1.9.1.393
Others                  .1.3.6.1.4.1.9.1.227

Use the trap and poll command options to configure hosts to participate only in specific SNMP activities. Poll responses and traps are sent only to the configured entities. Hosts configured with the trap command option will have traps sent to them, but will not be allowed to poll. Hosts configured with the poll command option will be allowed to poll, but will not have traps sent to them. Refer to the Cisco PIX Firewall and VPN Configuration Guide for more information on how to access and monitor the PIX Firewall using SNMP traps. Accessibility to PIX Firewall Management Information Bases (MIBs) is based on configuration, MIB support, and authentication based on the community string. Unsuccessful polling attempts, except for failed community string authentication, are not logged or otherwise indicated. Community authentication failures result in a trap where applicable.
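The following Python is an added example, not Cisco's code and not part of this reference. It reads the snmp-server statements from PIX configuration text and reports the conditions this section draws attention to: the default community string public, host statements that omit trap | poll and therefore accept both, and trap destinations configured while snmp-server enable traps is absent. Both configuration excerpts are constructed for the example (modelled on the startup-config sample earlier in this chapter and the snmp-server example in this section), and the function and class names are the example's own.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpt modelled on the startup-config sample earlier in this chapter,
# with one snmp-server host line added.
WEAK_CONFIG = """\
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
snmp-server host inside 10.1.3.50
"""

# The same excerpt after applying this section's guidance (constructed).
HARDENED_CONFIG = """\
snmp-server location Building 42, Sector 54
snmp-server contact Sherlock Holmes
snmp-server community wallawallabingbang
snmp-server enable traps
snmp-server host perimeter 10.1.2.42 trap
snmp-server host inside 10.1.3.50 poll
"""

DEFAULT_COMMUNITY = "public"   # the reference's default when key is not set


@dataclass
class SnmpHost:
    if_name: Optional[str]
    ip_addr: str
    mode: str                  # "trap", "poll", or "both" (default when neither is given)


@dataclass
class SnmpSettings:
    community: str = DEFAULT_COMMUNITY
    traps_enabled: bool = False
    hosts: List[SnmpHost] = field(default_factory=list)


def parse_snmp_settings(config: str) -> SnmpSettings:
    """Collect the effective snmp-server settings from PIX configuration text.
    'no snmp-server ...' lines simply leave the defaults in place."""
    s = SnmpSettings()
    for raw in config.splitlines():
        parts = raw.split()
        if len(parts) < 2 or parts[0] != "snmp-server":
            continue
        if parts[1] == "community" and len(parts) >= 3:
            s.community = parts[2]
        elif parts[1] == "enable" and parts[2:] == ["traps"]:
            s.traps_enabled = True
        elif parts[1] == "host":
            # snmp-server host [if_name] ip_addr [trap | poll]
            args = parts[2:]
            mode = "both"
            if args and args[-1] in ("trap", "poll"):
                mode = args.pop()
            if not args:
                continue           # malformed line: no address
            ip_addr = args[-1]
            if_name = args[0] if len(args) == 2 else None
            s.hosts.append(SnmpHost(if_name, ip_addr, mode))
    return s


def audit_snmp(config: str) -> List[str]:
    """Return findings against the points this section makes about snmp-server."""
    s = parse_snmp_settings(config)
    findings = []
    if s.community == DEFAULT_COMMUNITY:
        findings.append("community string is the default 'public'; set a new key")
    if not s.hosts:
        findings.append("no snmp-server host configured; polls and traps are honoured "
                        "only for configured stations")
    for h in s.hosts:
        if h.mode == "both":
            findings.append(f"host {h.ip_addr} may both poll and receive traps "
                            "(no trap|poll keyword given)")
        if h.mode in ("trap", "both") and not s.traps_enabled:
            findings.append(f"host {h.ip_addr} is a trap destination but "
                            "'snmp-server enable traps' is not set")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_snmp(cfg) or ['no findings']}")
```

The parser deliberately ignores no snmp-server lines: as the note above explains, they restore the defaults, so the audit only has to know what the defaults are (community public, traps off, no hosts) and overlay whatever positive statements the configuration contains.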
MIB Support

You can browse the System and Interface groups of MIB-II. All SNMP values in the PIX Firewall are read only (RO). The PIX Firewall does not support browsing of the Cisco syslog MIB.

Browsing a MIB is different from sending traps. Browsing means doing an snmpget or snmpwalk of the MIB tree from the management station to determine values. Traps are different; they are unsolicited comments from the managed device to the management station for certain events, such as link up, link down, syslog event generated, and so on. The Cisco Firewall MIB, Cisco Memory Pool MIB, and Cisco Process MIB provide the following PIX Firewall information through SNMP:

Buffer usage from the show block command
Connection count from the show conn command
CPU usage through the show cpu usage command
Failover status
Memory usage from the show memory command

Receiving SNMP Requests from an SNMP Management Station

To receive SNMP requests from a management station, perform the following steps:
Step 1  Identify the management station with an snmp-server host command statement.
Step 2  Specify snmp-server command options for the location, contact, and community.
Step 3  Start the SNMP software on the management station and begin issuing SNMP requests to the PIX Firewall.

Defaults

If you do not specify an option, the snmp-server host command behaves as in previous versions. The polling is permitted from all configured hosts on the affected interface. Traps are sent to all configured hosts on the affected interface.

Examples

The following example shows commands you would enter to start receiving SNMP requests from a management station:
snmp-server community wallawallabingbang
snmp-server location Building 42, Sector 54
snmp-server contact Sherlock Holmes
snmp-server host perimeter 10.1.2.42

The next example is sample output from the show snmp-server command:
show snmp
snmp-server host perimeter 10.1.2.42
snmp-server location Building 42, Sector 54
snmp-server contact Sherlock Holmes
snmp-server community wallawallabingbang

ssh
Specify a host for PIX Firewall console access through Secure Shell (SSH). (Configuration mode.)
Configure with the command...                  Remove with the command...
ssh ip_address [netmask] [interface_name]      no ssh ip_address [netmask] [interface_name]
ssh timeout mm                                 N/A
N/A                                            ssh disconnect session_id
N/A                                            clear ssh

Show command options show ssh [sessions [ip_address]] show ssh timeout

Show command output Displays active (all or host-specific) SSH sessions on the PIX Firewall. Displays SSH timeout information.

Syntax Description

interface_name

PIX Firewall interface name on which the host or network initiating the SSH connection resides.

ip_address

IP address of the host or network authorized to initiate an SSH connection to the PIX Firewall.

mm

The duration in minutes that a session can be idle before being disconnected. The default duration is 5 minutes. The allowable range is from 1 to 60 minutes.

netmask

Network mask for ip_address. If you do not specify a netmask, the default is 255.255.255.255 regardless of the class of ip_address.

session_id

SSH session ID number, viewable with the show ssh sessions command.

Usage Guidelines

The ssh ip_address command specifies the host or network authorized to initiate an SSH connection to the PIX Firewall. The ssh timeout command lets you specify the duration in minutes that a session can be idle before being disconnected. The default duration is 5 minutes. Use the show ssh sessions command to list all active SSH sessions on the PIX Firewall. The ssh disconnect command lets you disconnect a specific session you observed from the show ssh sessions command. Use the clear ssh command to remove all ssh command statements from the configuration. Use the no ssh command to remove selected ssh command statements from the configuration.

Note

You must generate an RSA key-pair for the PIX Firewall before clients can connect to the PIX Firewall console. After generating the RSA key-pair, save the key-pair using the ca save all command. To use SSH, your PIX Firewall must have a DES or 3DES activation key. To gain access to the PIX Firewall console via SSH, at the SSH client, enter the username as pix and enter the Telnet password. You can set the Telnet password with the passwd command; the default Telnet password is cisco. To authenticate using the AAA server instead, configure the aaa authenticate ssh console command.

SSH permits up to 100 characters in a username and up to 50 characters in a password. When starting an SSH session, a dot (.) displays on the PIX Firewall console before the SSH user authentication prompt appears. The dot appears as follows:
pixfirewall(config)# .
pixfirewall(config)# .

The display of the dot does not affect the functionality of SSH. The dot appears at the console when generating a server key or decrypting a message using private keys during SSH key exchange, before user authentication occurs. These tasks can take up to two minutes or longer. The dot is a progress indicator that verifies that the PIX Firewall is busy and has not hung.
show ssh sessions Command

The show ssh sessions command provides the following display:


Session ID   Client IP       Version   Encryption   State   Username
0            172.16.25.15    1.5       3DES         4       -
1            172.16.38.112   1.5       DES          6       pix
2            172.16.25.11    1.5       3DES         4       -

The Session ID is a unique number that identifies an SSH session. The Client IP is the IP address of the system running an SSH client. The Version lists the protocol version number that the SSH client supports. The Encryption column lists the type of encryption the SSH client is using. The State column lists the progress the client is making as it interacts with the PIX Firewall. The Username column lists the login username that has been authenticated for the session. The "pix" username appears when non-AAA authentication is used.

The following table lists the SSH states that appear in the State column:

Number   SSH State
0        SSH_CLOSED
1        SSH_OPEN
2        SSH_VERSION_OK
3        SSH_SESSION_KEY_RECEIVED
4        SSH_KEYS_EXCHANGED
5        SSH_AUTHENTICATED
6        SSH_SESSION_OPEN
7        SSH_TERMINATE
8        SSH_SESSION_DISCONNECTING
9        SSH_SESSION_DISCONNECTED
10       SSH_SESSION_CLOSED
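An added example, not from the reference or from Cisco: the Python below parses the show ssh sessions display into records, decodes the State column using the state table above, and reads ssh statements from configuration text, applying the default netmask of 255.255.255.255 when none is given, so that each session's client address can be checked against the networks the configuration permits. The session table is the one shown above; the ssh statements, the class and the function names are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# State numbers as listed in this section's SSH state table.
SSH_STATES = {
    0: "SSH_CLOSED", 1: "SSH_OPEN", 2: "SSH_VERSION_OK",
    3: "SSH_SESSION_KEY_RECEIVED", 4: "SSH_KEYS_EXCHANGED", 5: "SSH_AUTHENTICATED",
    6: "SSH_SESSION_OPEN", 7: "SSH_TERMINATE", 8: "SSH_SESSION_DISCONNECTING",
    9: "SSH_SESSION_DISCONNECTED", 10: "SSH_SESSION_CLOSED",
}

# The show ssh sessions display from this section; sessions 0 and 2 show '-'
# because they have not reached SSH_AUTHENTICATED yet.
SAMPLE_SSH_SESSIONS = """\
Session ID   Client IP       Version   Encryption   State   Username
0            172.16.25.15    1.5       3DES         4       -
1            172.16.38.112   1.5       DES          6       pix
2            172.16.25.11    1.5       3DES         4       -
"""

# Constructed ssh statements; the first one omits the netmask deliberately.
SAMPLE_SSH_CONFIG = """\
ssh 172.16.38.112 inside
ssh 172.16.25.0 255.255.255.0 inside
ssh timeout 5
"""

_ROW_RE = re.compile(r"^(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)$")
_IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class SshSession:
    session_id: int
    client_ip: str
    version: str
    encryption: str
    state: int
    username: Optional[str]   # None while the column shows '-'

    @property
    def state_name(self) -> str:
        return SSH_STATES.get(self.state, f"UNKNOWN({self.state})")

    @property
    def logged_in(self) -> bool:
        # 5 = SSH_AUTHENTICATED, 6 = SSH_SESSION_OPEN; anything else is
        # still negotiating or already tearing down.
        return self.state in (5, 6)


def parse_show_ssh_sessions(text: str) -> List[SshSession]:
    sessions = []
    for raw in text.splitlines():
        m = _ROW_RE.match(raw.strip())
        if not m:
            continue        # header line
        sid, ip, ver, enc, state, user = m.groups()
        sessions.append(SshSession(int(sid), ip, ver, enc, int(state),
                                   None if user == "-" else user))
    return sessions


def parse_ssh_statements(config: str) -> List[ipaddress.IPv4Network]:
    """Networks permitted to open SSH to the console. A missing netmask means
    255.255.255.255 regardless of address class, as the reference states."""
    nets = []
    for raw in config.splitlines():
        parts = raw.split()
        if len(parts) < 2 or parts[0] != "ssh" or not _IPV4_RE.match(parts[1]):
            continue        # skips 'ssh timeout' and 'ssh disconnect'
        mask = parts[2] if len(parts) > 2 and _IPV4_RE.match(parts[2]) else "255.255.255.255"
        nets.append(ipaddress.IPv4Network(f"{parts[1]}/{mask}", strict=False))
    return nets


def sessions_report(sessions: List[SshSession],
                    nets: List[ipaddress.IPv4Network]) -> List[Tuple[int, str, bool, bool]]:
    """Per session: (id, state name, user logged in, client inside a permitted network)."""
    out = []
    for s in sessions:
        permitted = any(ipaddress.IPv4Address(s.client_ip) in n for n in nets)
        out.append((s.session_id, s.state_name, s.logged_in, permitted))
    return out


if __name__ == "__main__":
    report = sessions_report(parse_show_ssh_sessions(SAMPLE_SSH_SESSIONS),
                             parse_ssh_statements(SAMPLE_SSH_CONFIG))
    for sid, state, logged_in, permitted in report:
        print(f"session {sid}: {state:<26} logged_in={logged_in} permitted={permitted}")
```

Sessions in state 4 have completed key exchange but not authentication, so they carry no username; only session 1 counts as logged in. The netmask defaulting matters when reading ssh statements from a configuration: ssh 172.16.38.112 inside permits exactly one host, not a class B.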

SSH Syslog Messages

Syslog messages 315001, 315002, 315003, 315004, 315005, and 315011 were added for SSH. Refer to Cisco PIX Firewall System Log Messages for more information.

Obtaining an SSH Client

The following sites let you download an SSH v1.x client. Because SSH version 1.x and 2 are entirely different protocols and are not compatible, be sure you download a client that supports SSH v1.x.

Windows 3.1, Windows CE, Windows 95, and Windows NT 4.0: download the free Tera Term Pro SSH v1.x client from the following website: http://hp.vector.co.jp/authors/VA002416/teraterm.html

The TTSSH security enhancement for Tera Term Pro is available at the following website: http://www.zip.com.au/~roca/ttssh.html

Note

You must download TTSSH to use Tera Term Pro with SSH. TTSSH provides a Zip file you copy to your system. Extract the zipped files into the same folder that you installed Tera Term Pro. For a Windows 95 system, by default, this would be the C:\Program Files\Ttempro folder.

Linux, Sola­ris, OpenBSD, AIX, IRIX, HP/UX, FreeBSD, and NetBSD: download the SSH v1.x client from the following website: http://www.openssh.com

Macintosh (international users only): download the Nifty Telnet 1.1 SSH client from the following website: http://www.lysator.liu.se/~jonasw/freeware/niftyssh/

Changed aaa Command for SSH

The aaa command adds the ssh option for use with SSH:

aaa authentication [serial | enable | telnet | ssh] console group_tag

The new ssh option specifies the group of AAA servers to be used for SSH user authentication. The authentication protocol and AAA server IP addresses are defined with the aaa-server command statement.

Similar to the Telnet model, if the aaa authentication ssh console group_tag command statement is not defined, you can gain access to the PIX Firewall console with the username pix and the PIX Firewall Telnet password (set with the passwd command). If the aaa command is defined but the SSH authentication request times out, which implies that the AAA server is down or unreachable, you can gain access to the PIX Firewall using the username pix and the enable password (set with the enable password command). By default, the Telnet password is cisco and the enable password is not set; change both before permitting SSH on any interface, because the Telnet password is the only credential checked when no AAA server group is configured. If the enable password is empty (null), you are not granted access to the SSH session even if you enter the password correctly. The user authentication attempt limit is set to 3. Note that the Linux version of the SSH version 1 client available from http://www.openssh.com only allows one user authentication attempt.


Examples

Create an RSA key-pair with a modulus size of 1024 bits (recommended for use with Cisco IOS software):

hostname cisco-pix
domain-name example.com
ca generate rsa key 1024
show ca mypubkey rsa
ca save all

These command statements set the host name and domain name for the PIX Firewall, generate the RSA key-pair, display the RSA key-pair, and save the RSA key-pair to Flash memory. The host name and domain name are set first because the key is generated under that fully qualified name. Allow the client host 10.1.1.1 on the outside interface to access the PIX Firewall console remotely over a secure shell, and set the idle timeout to 60 minutes:

ssh 10.1.1.1 255.255.255.255 outside
ssh timeout 60

Configure the PIX Firewall to perform user authentication using AAA servers. The protocol is the protocol used by the AAA server to perform the authentication. The following example uses the TACACS+ authentication protocol:

aaa-server ssh123 protocol tacacs+
aaa-server ssh123 (inside) host 10.1.1.200 mysecure
aaa authentication ssh console ssh123

Related Commands

aaa accounting ca domain-name hostname passwd

static
Configure a persistent one-to-one address translation rule by mapping a local IP address to a global IP address (static NAT). The second form of the command maps a single TCP or UDP port instead of a whole address; this is known as Static Port Address Translation (Static PAT). (Configuration mode.)

Configure with the command...
static [(prenat_interface, postnat_interface)] {mapped_address | interface} real_address [dns] [netmask mask] [norandomseq] [max_conns [em_limit]]
static [(internal_if_name, external_if_name)] {tcp | udp} {global_ip | interface} global_port local_ip local_port [netmask mask] [max_conns [em_limit [norandomseq]]]

Remove with the command...
no static [(prenat_interface, postnat_interface)] {mapped_address | interface} real_address [dns] [netmask mask] [norandomseq] [max_conns [em_limit]]
no static [(internal_if_name, external_if_name)] {tcp | udp} {global_ip | interface} global_port local_ip local_port [netmask mask] [max_conns [em_limit [norandomseq]]]


Show command options: show static
Show command output: Displays static commands in the configuration.

Syntax Description

dns                  Specifies that DNS replies that match the xlate are translated.
em_limit             The embryonic connection limit. An embryonic connection is one that has started but not yet completed. Set this limit to prevent attack by a flood of embryonic connections. The default is 0, which means unlimited connections.
external_if_name     The external network interface name. The lower security level interface you are accessing.
global_ip            A global IP address. This address cannot be a Port Address Translation (PAT) IP address. The IP address on the lower security level interface you are accessing.
interface            Specifies to overload the global address from interface.
internal_if_name     The internal network interface name. The higher security level interface you are accessing.
local_ip             The local IP address from the inside network. The IP address on the higher security level interface you are accessing.
mapped_address       The address real_address is translated into.
mapped_port          The port real_port is translated into.
mask or network_mask The network mask pertains to both global_ip and local_ip. For host addresses, always use 255.255.255.255. For network addresses, use the appropriate class mask or subnet mask; for example, for Class A networks, use 255.0.0.0. An example subnet mask is 255.255.255.224.
max_conns            The maximum number of connections permitted through the static at the same time.
netmask              Reserved word required before specifying the network mask.
norandomseq          Do not randomize the TCP/IP packet sequence number. Only use this option if another inline firewall is also randomizing sequence numbers and the result is scrambling the data. Use of this option opens a security hole in the PIX Firewall.
postnat_interface    The outside interface when prenat_interface is the inside interface. However, if the outside interface is used for prenat_interface, then the translation is applied to the outside address and the postnat_interface is the inside interface.
prenat_interface     Usually the inside interface, in which case the translation is applied to the inside address.
real_address         The address to be mapped.
real_port            The port to be mapped.

Usage Guidelines

The static command creates a persistent, one-to-one address translation rule (called a static translation slot or xlate). This translation can be between a local IP address and a global IP address (static NAT) or between ports (static PAT). Additionally, the PIX Firewall dynamically creates a secondary xlate using the global address in the static command. The following example redirects the FTP service from address 192.168.1.1 to inside host 10.1.1.1, where the address translation slots (xlates) necessary for FTP data transfer are automatically created from the global address 192.168.1.1 by the fixup application inspection:

static (inside, outside) tcp 192.168.1.1 ftp 10.1.1.1 ftp
fixup protocol ftp 21


For an external host to initiate traffic to an inside host, a static translation rule needs to exist for the inside host; this can also be done using a nat 0 access-list address translation rule. Without the persistent translation rule, the translation cannot occur. You can use the static and access-list commands when you are accessing the interface of a higher security level from an interface of a lower security level; for example, when accessing the inside from a perimeter or the outside interface.
Static Port Address Translation (Static PAT)

Static PAT is a many-to-one port mapping that is constant over time. For example, static PAT lets you redirect inbound TCP and UDP services. Using the static command interface option, you can use Static PAT to permit external hosts to access TCP or UDP services residing on an internal host. (As always, though, an access list should also be in place to control access to the internal host.) Static PAT supports all applications that are supported by (regular) PAT, including the same application constraints. Like PAT, Static PAT does not support H.323 or multimedia application traffic. Additionally, the Telnet port 23 and PFM port 1467 of the PIX Firewall interface cannot be used for Static PAT because the PIX Firewall requires traffic to these ports be protected by IPSec. The following examples enable static port address translations (Static PATs) for the following services, interfaces, and hosts:

Telnet to the PIX Firewall outside interface, redirected to inside host 10.1.1.15:
static (inside, outside) tcp interface telnet 10.1.1.15 telnet

FTP to the PIX Firewall outside interface, redirected to inside host 10.1.1.30:
static (inside, outside) tcp interface ftp 10.1.1.30 ftp

DNS to the PIX Firewall outside interface, redirected to inside host 10.1.1.30:
static (inside, outside) udp interface domain 10.1.1.30 domain

TCP Intercept Feature

Prior to version 5.3, PIX Firewall offered no mechanism to protect systems reachable via a static and TCP conduit from TCP SYN attacks. Previously, if an embryonic connection limit was configured in a static command statement, PIX Firewall simply dropped new connection attempts once the embryonic threshold was reached. Given this, a modest attack could stop an institution's Web traffic. For static command statements without an embryonic connection limit, PIX Firewall passes all traffic. If the affected system does not have TCP SYN attack protection, and most operating systems do not offer sufficient protection, then the affected system's embryonic connection table overloads and all traffic stops.

With the new TCP intercept feature, once the optional embryonic connection limit is reached, and until the embryonic connection count falls below this threshold, every SYN bound for the affected server is intercepted. For each SYN, PIX Firewall responds on behalf of the server with an empty SYN/ACK segment. PIX Firewall retains pertinent state information, drops the packet, and waits for the client's acknowledgement. If the ACK is received, then a copy of the client's SYN segment is sent to the server and the TCP three-way handshake is performed between PIX Firewall and the server. Only if this three-way handshake completes may the connection proceed as normal. If the client does not respond during any part of the connection phase, then PIX Firewall retransmits the necessary segment using exponential back-offs. This feature requires no change to the PIX Firewall command set; only the embryonic connection limit on the static command now has a new behavior. In practice this means an em_limit should be set on every static that fronts a server reachable from a lower security interface, because leaving it at the default of 0 (unlimited) never triggers the intercept.
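The exchange described above, as an added illustration that is not part of the command reference or of PIX Firewall code: a small Python model of the intercept path. Below the embryonic limit a SYN is forwarded and counted; at or above it the firewall answers with an empty SYN/ACK on the server's behalf, keeps state, and forwards a copy of the client's SYN only after the client's ACK matches. The hosts, ports and sequence numbers are constructed, and the exponential back-off retransmission is left out.

```python
"""TCP intercept (SYN proxy) model for a static with an embryonic limit.
Added example, not PIX code; addresses and sequence numbers are constructed."""
from dataclasses import dataclass, field


@dataclass
class Segment:
    src: str
    dst: str
    flags: str          # "SYN", "SYN/ACK" or "ACK"
    seq: int = 0
    ack: int = 0


@dataclass
class TcpIntercept:
    em_limit: int                       # em_limit from the static; 0 means unlimited
    embryonic: int = 0                  # SYNs handed to the server, not yet completed
    pending: dict = field(default_factory=dict)   # client -> ISN we answered with
    to_server: list = field(default_factory=list)
    to_client: list = field(default_factory=list)
    next_isn: int = 1000

    def intercepting(self) -> bool:
        return self.em_limit > 0 and self.embryonic >= self.em_limit

    def from_client(self, seg: Segment) -> str:
        if seg.flags == "SYN":
            if not self.intercepting():
                # below the threshold: pass the SYN through and count it as embryonic
                self.embryonic += 1
                self.to_server.append(seg)
                return "forwarded"
            # at or above the threshold: reply with an empty SYN/ACK on the
            # server's behalf, keep the state, drop the SYN itself
            self.next_isn += 1
            self.pending[seg.src] = self.next_isn
            self.to_client.append(Segment(seg.dst, seg.src, "SYN/ACK",
                                          seq=self.next_isn, ack=seg.seq + 1))
            return "intercepted"
        if seg.flags == "ACK" and seg.src in self.pending:
            if seg.ack != self.pending[seg.src] + 1:
                return "dropped"        # ACK does not match our SYN/ACK
            del self.pending[seg.src]
            # the client answered: replay a copy of its SYN to the server; the
            # firewall now completes the three-way handshake with the server
            self.embryonic += 1
            self.to_server.append(Segment(seg.src, seg.dst, "SYN", seq=seg.seq - 1))
            return "validated"
        return "passed"

    def server_completed(self) -> None:
        # server finished (or tore down) a handshake: embryonic count falls
        self.embryonic = max(0, self.embryonic - 1)


def demo(em_limit: int = 2, spoofed: int = 20) -> dict:
    """Flood a server behind a static with spoofed SYNs that never answer,
    then connect a real client. Reports what the server actually saw."""
    fw = TcpIntercept(em_limit)
    server = "209.165.201.2"
    results = [fw.from_client(Segment(f"203.0.113.{i}", server, "SYN", seq=1))
               for i in range(1, spoofed + 1)]
    client = "198.51.100.7"          # real client: intercepted, then validated
    fw.from_client(Segment(client, server, "SYN", seq=500))
    synack = fw.to_client[-1]
    fw.from_client(Segment(client, server, "ACK", seq=501, ack=synack.seq + 1))
    return {
        "forwarded_spoofed": results.count("forwarded"),
        "intercepted_spoofed": results.count("intercepted"),
        "server_syns": len(fw.to_server),
        "real_client_seen_by_server": any(s.src == client for s in fw.to_server),
    }


if __name__ == "__main__":
    print(demo())
```

With em_limit 2 and twenty spoofed SYNs, the server sees only the first two spoofed SYNs plus the real client's replayed SYN; the other eighteen are answered by the firewall and never consume a slot on the server.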


Deny Xlate for Network or Broadcast Address for Inbound Traffic

For all inbound traffic, PIX Firewall denies translations for destination IP addresses identified as network addresses or broadcast addresses. PIX Firewall uses the global IP address and mask from a static command statement to differentiate regular host addresses from network or broadcast addresses. If a global IP address is a valid network address with a matching network mask, then PIX Firewall disallows the xlate for the network or broadcast IP address of that range for inbound packets.
Interface Names

The rules for which command to use with an interface are summarized in Table 8-5. Table 8-5 assumes that the security levels are 40 for dmz1 and 60 for dmz2.

Table 8-5 Interface Access Commands by Interface

From This Interface   To This Interface   Use This Command
inside                outside             nat
inside                dmz1                nat
inside                dmz2                nat
dmz1                  outside             nat
dmz1                  dmz2                static
dmz1                  inside              static
dmz2                  outside             nat
dmz2                  dmz1                nat
dmz2                  inside              static
outside               dmz1                static
outside               dmz2                static
outside               inside              static

Using Statics

For the interface names in the static command, always specify the highest security level interface name first, and then the lower security level interface name. However, the IP addresses are specified in the opposite order because the first IP address you specify is for the lower security level interface, and the second IP address is for the higher security level interface. The way to remember this is as follows:

static (if_name_high, if_name_low) ip_address_low ip_address_high

where the highest security level interface is an inside interface, and the lowest security level interface is an outside interface. If you do not want an address translation, the format of the static command is as follows:

static (if_name_high, if_name_low) ip_address ip_address

where the two IP addresses are the same.


For example, assume you have four interfaces on the PIX Firewall that have security levels set with the nameif command as follows:
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security40
nameif ethernet3 dmz2 security60

To access the inside from the outside interface, use the static command as follows:
static (inside,outside) outside_ip_address inside_ip_address netmask mask

Replace outside_ip_address with the global IP address (an IP address on the lower security level interface). Replace inside_ip_address with the IP address of the host on the higher security level interface that you want to grant access to. Use these replacements in the rest of the commands in this section. Replace mask with 255.255.255.255 for host addresses, except when subnetting is in effect; for example, 255.255.255.128. For network addresses, use the appropriate class mask; for example, for Class A networks, use 255.0.0.0. To access the inside from the dmz1 interface, use the static command as follows:
static (inside,dmz1) dmz1_ip_address inside_ip_address netmask mask

To access the inside from the dmz2 interface, use the static command as follows:
static (inside,dmz2) dmz2_ip_address inside_ip_address netmask mask

To access the dmz2 interface from the dmz1 interface, use the static command as follows:
static (dmz2,dmz1) dmz1_ip_address dmz2_ip_address netmask mask

To go the other way around, from a higher security level interface to a lower security level interface, use the nat and global commands. For example, to access dmz1 from dmz2, use the following commands.
nat (dmz2) 1 0 0
global (dmz1) 1 global_ip_address-global_ip_address

Replace global_ip_address-global_ip_address with the IP address range of the addresses in the pool of global addresses. The nat command specifies the name of the higher security level interface; the pool of global addresses are on the lower security level interface. View the nat command page for more information on using these commands.
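Table 8-5 and the argument order of the static command both follow mechanically from the nameif security levels, which makes them easy to generate and to audit. The following Python is an added example, not PIX code or part of the command reference: it derives the static-or-nat decision for every interface pair from the levels in the nameif example above, emits a static statement with interfaces and addresses in the required order whichever way the caller names them, and checks an existing static line for a reversed interface pair.

```python
"""Derive Table 8-5 from nameif security levels and build or audit static
statements. Added example, not PIX code; the levels are those of the nameif
example on this page."""
import re

LEVELS = {"outside": 0, "inside": 100, "dmz1": 40, "dmz2": 60}


def access_command(levels: dict, from_if: str, to_if: str) -> str:
    """Connections initiated on from_if toward to_if: a lower security level
    reaching a higher one needs a static (plus an access-list); the reverse
    direction uses nat and global."""
    if from_if == to_if:
        raise ValueError("source and destination interface are the same")
    return "static" if levels[from_if] < levels[to_if] else "nat"


def table_8_5(levels: dict) -> dict:
    """(from_if, to_if) -> command for every ordered pair of interfaces."""
    return {(a, b): access_command(levels, a, b)
            for a in levels for b in levels if a != b}


def static_line(levels: dict, if_a: str, addr_a: str, if_b: str, addr_b: str,
                mask: str = "255.255.255.255") -> str:
    """Emit 'static (high,low) addr_on_low addr_on_high netmask mask'. Each
    address is the one visible on the interface it is paired with, so the
    caller may name the pair in either order."""
    (hi, hi_addr), (lo, lo_addr) = sorted(
        [(if_a, addr_a), (if_b, addr_b)], key=lambda p: levels[p[0]], reverse=True)
    return f"static ({hi},{lo}) {lo_addr} {hi_addr} netmask {mask}"


STATIC_RE = re.compile(r"^\s*static\s*\((\w+)\s*,\s*(\w+)\)\s+(\S+)\s+(\S+)")


def static_order_ok(levels: dict, line: str) -> bool:
    """Audit check for a configuration line: the first interface named in a
    static must carry the higher security level. False means reversed."""
    m = STATIC_RE.match(line)
    if not m:
        raise ValueError(f"not a static statement: {line!r}")
    first, second = m.group(1), m.group(2)
    return levels[first] > levels[second]


if __name__ == "__main__":
    for (src, dst), cmd in sorted(table_8_5(LEVELS).items()):
        print(f"{src:8} -> {dst:8} {cmd}")
    print(static_line(LEVELS, "dmz1", "10.1.1.1", "dmz2", "192.168.1.1"))
```

The generated static for dmz1 and dmz2 reproduces the example in the Note that follows, and a line written as static (dmz1,dmz2) ... is reported as reversed.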

Note

If you use a static command, you must also use an access-list command. The static command makes the mapping, the access-list command lets users access the static command mapping. The first IP address you specify in the static command is the first IP address you specify in the access-list command as shown in this example:
static (dmz2,dmz1) 10.1.1.1 192.168.1.1 netmask 255.255.255.255
access-list acl_dmz1 permit tcp 10.1.1.0 255.255.255.0 host 10.1.1.1
access-group acl_dmz1 in interface dmz1

The static command maps the address 10.1.1.1 on the dmz1 interface so that users on the dmz1 interface can access the 192.168.1.1 host on the dmz2 interface. The access-list command lets any users in the 10.1.1.0 network access the 10.1.1.1 address over any TCP port. The access-group command statement binds the access-list command statement to the dmz1 interface.


Note

Always make access-list command statements as specific as possible. Using the any option to allow any host access should be used with caution for access lists used with statics.

With NAT disabled, the static command has a different sense of logic. With NAT disabled, addresses on both sides of the PIX Firewall are registered addresses. Between interfaces, addresses must be on different subnets that you control with subnetting. See the Cisco PIX Firewall and VPN Configuration Guide for more information about subnetting. Without address translation, you protect addresses on the inside or perimeter interfaces by not providing access to them. Without an access-list command statement, the inside host cannot be accessed on the outside and is, in effect, invisible to the outside world. Conversely, only by opening statics and access lists to servers on the inside or perimeter interfaces do the hosts become visible. Without address translation, the format of the static command becomes different:

static (high,low) high high

Again, the security level set for each interface with the nameif command determines what information you fill in. You are using static to access a higher security interface from a lower security interface. The IP address you want visible on the lower security interface is that of the higher security interface. This is the IP address users on the lower security interface's network will use to access the server on the higher security level interface's network. Because address translation is not occurring, the actual address of the server is presented as both the visible address and the address of the host. For example, a web server on the dmz, 209.165.201.5, needs to be accessible by users on the outside. The static and access-list command statements are as follows.

static (dmz,outside) 209.165.201.5 209.165.201.5 netmask 255.255.255.255
access-list acl_out permit tcp any host 209.165.201.5 eq www
access-group acl_out in interface outside

The static command presents the 209.165.201.5 address on the outside interface. The DNS server on the outside would map this IP address to the domain of the company; for example, example.com. Users accessing example.com are permitted to access the web server via port 80 by the access-list command. Another example of no-NAT statics would be when users on dmz1 need to access a web server on dmz2. The network uses a Class C address and subnets it with the .240 subnet. Addresses 209.165.201.1 to 209.165.201.14 are on dmz1, and addresses 209.165.201.17 to 209.165.201.30 are on dmz2. The web server is at 209.165.201.25. The static and access-list command statements are as follows.
static (dmz2,dmz1) 209.165.201.25 209.165.201.25 netmask 255.255.255.255
access-list acl_dmz1 permit tcp any host 209.165.201.25 eq www
access-group acl_dmz1 in interface dmz1

The static command statement opens access to the web server at 209.165.201.25. The access-list command statement permits access to the web server only on port 80 (www).
Additional static Information

After changing or removing a static command statement, use the clear xlate command. You can create a single mapping between the global and local hosts, or create a range of statics known as net statics. The static command determines the network mask of a net static from the netmask option or, if none is given, from the class implied by the first octet of the global IP address; the netmask option overrides the classful mask. If the host bits of the address (the bits where the net mask is zero) are all zeros, then the address is a net address.
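How a net static maps an inbound destination onto the local range, and when the PIX Firewall refuses the xlate as described under "Deny Xlate for Network or Broadcast Address for Inbound Traffic" above, can be checked with a few lines of Python. This is an added example, not PIX code or part of the command reference; the classful fallback used when no netmask is given follows the "appropriate class mask" rule stated on this page, and the addresses are those of the page's own examples.

```python
"""Net-static address mapping with the inbound network/broadcast denial.
Added example, not PIX code. Classful fallback assumed for a missing netmask."""
import ipaddress
from typing import Optional


def classful_mask(addr: str) -> str:
    """Mask implied by the first octet when the netmask option is absent."""
    first = int(addr.split(".")[0])
    if first < 128:
        return "255.0.0.0"          # Class A
    if first < 192:
        return "255.255.0.0"        # Class B
    return "255.255.255.0"          # Class C


def is_net_static(global_addr: str, mask: Optional[str] = None) -> bool:
    """A static is a net static when the global address is all zeros in the
    host bits, i.e. where the mask is zero."""
    mask = mask or classful_mask(global_addr)
    host_bits = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(global_addr)) & host_bits == 0


def inbound_xlate(global_addr: str, local_addr: str, dst: str,
                  mask: Optional[str] = None) -> Optional[str]:
    """Real (higher security) address an inbound packet to dst is translated
    to under 'static (high,low) global_addr local_addr netmask mask'.
    Returns None when no xlate is built: dst is outside the static, or dst
    is the network or broadcast address of the global range."""
    mask = mask or classful_mask(global_addr)
    g = ipaddress.IPv4Network(f"{global_addr}/{mask}", strict=False)
    loc = ipaddress.IPv4Network(f"{local_addr}/{mask}", strict=False)
    d = ipaddress.IPv4Address(dst)
    if d not in g:
        return None
    if g.prefixlen < 32 and d in (g.network_address, g.broadcast_address):
        return None                 # denied: network or broadcast address
    return str(loc.network_address + (int(d) - int(g.network_address)))


if __name__ == "__main__":
    for dst in ("209.165.201.0", "209.165.201.10", "209.165.201.31", "209.165.201.40"):
        print(dst, "->", inbound_xlate("209.165.201.0", "10.1.1.0", dst, "255.255.255.224"))
```

For the /27 net static used in the H.323 example further down, hosts .1 through .30 translate to 10.1.1.1 through 10.1.1.30, while .0 and .31 (network and broadcast) and anything outside the range get no xlate.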


Note

Do not create statics with overlapping global IP addresses.

Examples

The example that follows creates a static command and then permits users to call in through H.323 using Intel Internet Phone, CU-SeeMe, CU-SeeMe Pro, MeetingPoint, or MS NetMeeting to 10.1.1.2 using IP address 209.165.201.2, to 10.1.1.10 using IP address 209.165.201.10, and so on. The net static command that follows maps addresses 209.165.201.1 through 209.165.201.30 to local addresses 10.1.1.1 through 10.1.1.30; the 255.255.255.224 netmask covers exactly that range and matches the mask used in the access-list statement.

static (inside, outside) 209.165.201.0 10.1.1.0 netmask 255.255.255.224
access-list acl_out permit tcp any 209.165.201.0 255.255.255.224 eq h323
access-group acl_out in interface outside

The following example shows the commands used to disable Mail Guard:
static (dmz1,outside) 209.165.201.1 10.1.1.1 netmask 255.255.255.255
access-list acl_out permit tcp any host 209.165.201.1 eq smtp
access-group acl_out in interface outside
no fixup protocol smtp 25

In this example, the static command sets up a global address to permit outside hosts access to the 10.1.1.1 mail server host on the dmz1 interface. (The MX record for DNS needs to point to the 209.165.201.1 address so that mail is sent to this address.) The access-list command lets any outside users access the global address through the SMTP port (25). The no fixup protocol command disables the Mail Guard feature.

Related Commands

access-list

syslog
Enable syslog message facility. Obsolete command replaced by the logging command. (Privileged mode.) See the logging command for more information. The syslog command is available for backward compatibility.

sysopt
Change PIX Firewall system options. (Configuration mode.) Configure with the command... sysopt connection permit-pptp | permit-l2tp | permit-ipsec sysopt connection tcpmss bytes sysopt connection timewait sysopt ipsec pl-compatible sysopt nodnsalias inbound | outbound Remove with the command... no sysopt connection permit-pptp | permit-l2tp | permit-ipsec no sysopt connection tcpmss bytes no sysopt connection timewait no sysopt ipsec pl-compatible no sysopt nodnsalias inbound | outbound

Cisco PIX Firewall Command Reference 78-13849-01

8-39

Chapter 8 sysopt

S Commands

Configure with the command... sysopt noproxyarp if_name sysopt radius ignore-secret sysopt route dnat sysopt security fragguard sysopt uauth allow-http-cache N/A

Remove with the command... no sysopt noproxyarp if_name no sysopt radius ignore-secret no sysopt route dnat no sysopt security fragguard no sysopt uauth allow-http-cache clear sysopt

Show command options show sysopt

Show command output Displays the sysopt commands in the configuration.

Syntax Description

connection permit-ipsec    Implicitly permit any packet that came from an IPSec tunnel and bypass the checking of an associated access-list, conduit, or access-group command statement for IPSec connections.
connection permit-l2tp     Implicitly permit any packet that came from an L2TP/IPSec tunnel and bypass the checking of an associated access-list, conduit, or access-group command statement for L2TP/IPSec connections.
connection permit-pptp     Allow PPTP traffic to bypass conduit or access-list command statement checking.
connection tcpmss bytes    Force TCP proxy connections to have a maximum segment size no greater than bytes. The default value for bytes is 1380.
connection timewait        Force each TCP connection to linger in a shortened TIME_WAIT state of at least 15 seconds after the final normal TCP close-down sequence.
ipsec pl-compatible        Enable IPSec packets to bypass the PIX Firewall unit's NAT and ASA features and allow incoming IPSec packets to terminate on the inside interface.
nodnsalias inbound         Disable inbound embedded DNS A record fixups according to aliases that apply to the A record address.
nodnsalias outbound        Disable outbound DNS A record replies.
noproxyarp if_name         Disable proxy ARP on a PIX Firewall interface.
radius ignore-secret       Ignore the authenticator key to avoid the retransmit caveat.
route dnat                 Specify that when an incoming packet does a route lookup, the incoming interface is used to determine which interface the packet should go to, and which is the next hop.
security fragguard         Enable the IP Frag Guard feature.
uauth allow-http-cache     Allow the web browser to supply a username and password from its cache for AAA authentication.

Usage Guidelines

The sysopt commands let you tune various PIX Firewall security and configuration features. In addition, you can use this command to disable the PIX Firewall IP Frag Guard feature. There is no need to enter the sysopt connection permit-l2tp command if the sysopt connection permit-ipsec command is present.


sysopt connection permit-ipsec

Use the sysopt connection permit-ipsec command in IPSec configurations to permit IPSec traffic to pass through the PIX Firewall without a check of conduit or access-list command statements. By default, any inbound session must be explicitly permitted by a conduit or access-list command statement. With IPSec protected traffic, the secondary access list check could be redundant. To enable IPSec authenticated and encrypted inbound sessions to always be permitted, use the sysopt connection permit-ipsec command. If both the sysopt ipsec pl-compatible command and the sysopt connection permit-ipsec command are used within your configuration, the sysopt ipsec pl-compatible command takes precedence. If the sysopt connection permit-ipsec command is not configured, you must explicitly configure an access-list command statement to permit IPSec traffic to traverse the PIX Firewall. The no sysopt connection permit-ipsec command disables the option. Be aware that with the option set, decapsulated traffic from any established IPSec peer is no longer filtered by the interface access-list, so the tunnel definition itself becomes the only control over what the remote side can reach.
sysopt connection permit-pptp

Let PPTP traffic bypass conduit and access-list command statement checking. Use the vpdn command to implement PPTP.
sysopt connection permit-l2tp

This command allows L2TP traffic to bypass conduit/access-list checking. Because L2TP traffic can only come from IPSec, the sysopt connection permit-ipsec command will allow L2TP traffic to pass as well.
sysopt ipsec pl-compatible

The sysopt ipsec pl-compatible command provides a migration path for Private Link users from Private Link tunnels to IPSec tunnels. It enables the IPSec feature to simulate the Private Link feature supported in PIX Firewall version 4. The Private Link feature provides encrypted tunnels established across an unsecured network between Private Link-equipped PIX Firewall units. The sysopt ipsec pl-compatible command allows IPSec packets to bypass the NAT and ASA features and enables incoming IPSec packets to terminate on the sending interface. The no sysopt ipsec pl-compatible command disables the option, which is off by default.

Note

The sysopt ipsec pl-compatible command is not available on a PIX 501.

Note

When using the sysopt ipsec pl-compatible command, all PIX Firewall features, such as access list control, stateful inspection, and user authentication, are bypassed for IPSec packets only. If both the sysopt ipsec pl-compatible command and the sysopt connection permit-ipsec command are used within your configuration, the sysopt ipsec pl-compatible command takes precedence.


If the alias command is used with the sysopt ipsec pl-compatible command, a static route command statement must be added for each IP address specified in the alias command statement.
sysopt connection tcpmss

The sysopt connection tcpmss command forces proxy TCP connections to have a maximum segment size no greater than bytes. This command requests that each side not send a packet of a size greater than bytes at any time during the initial TCP connection establishment.

Note

If the client sending the proxy TCP connection does not announce a maximum segment size, PIX Firewall assumes that the RFC 793 default value of 536 bytes is in effect. If the client announces a maximum segment size larger than the number of bytes, PIX Firewall reduces the maximum segment size to bytes. The bytes value can be a minimum of 28 and any maximum number. You can disable this feature by setting bytes to zero. By default, the PIX Firewall sets 1380 bytes as the sysopt connection tcpmss even though this command does not appear in the default configuration. The calculation for setting the TCP maximum segment size to 1380 bytes is as follows.
1380 data + 20 TCP + 20 IP + 24 AH + 24 ESP_CIPHER + 12 ESP_AUTH + 20 IP = 1500 bytes

1500 bytes is the MTU for Ethernet connections. We recommend that the default value of 1380 bytes be used for Ethernet. At its 1380 byte default value, this command increases the throughput of the sysopt security fragguard command. The TCP maximum segment size is the maximum size that an end host can inject into the network at one time (see RFC 793 for more information on the TCP protocol). The sysopt connection tcpmss command is recommended in a network environment where an overly aggressive TCP or HTTP stack with a faulty path MTU value is degrading the performance of the PIX Firewall IP Frag Guard feature.

Note

Although not advised for normal use of this feature, if you encounter the syslog IPFRAG messages 209001 and 209002, you can raise the bytes value.
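The two behaviours described above for sysopt connection tcpmss, clamping an announced MSS to the configured limit and assuming the RFC 793 default of 536 when a SYN carries no MSS option, amount to a small rewrite of the TCP options field. The following Python is an added example, not PIX code or part of the command reference: it reproduces the 1380 byte calculation from the page's header figures and clamps the MSS option in a SYN's options bytes while leaving other options in place. The option byte strings are constructed.

```python
"""Model of sysopt connection tcpmss: MSS option clamping in a proxied SYN.
Added example, not PIX code; the option bytes used are constructed."""
import struct
from typing import Optional, Tuple

RFC793_DEFAULT_MSS = 536


def ipsec_safe_mss(mtu: int = 1500, ah: int = 24, esp_cipher: int = 24,
                   esp_auth: int = 12) -> int:
    """Largest segment that still fits outer IP, AH, ESP, inner IP and TCP
    headers into one MTU; the page's figures give 1380 for Ethernet."""
    return mtu - (20 + ah + esp_cipher + esp_auth + 20 + 20)


def clamp_mss(options: bytes, limit: int) -> Tuple[bytes, Optional[int], int]:
    """Rewrite a SYN's TCP options so the MSS option (kind 2) does not exceed
    limit; limit 0 disables clamping. Returns (new_options, announced MSS or
    None, effective MSS). Malformed option lengths raise ValueError rather
    than being passed through."""
    out = bytearray()
    announced = None
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                       # end of option list: copy the rest
            out += options[i:]
            break
        if kind == 1:                       # NOP padding
            out.append(1)
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated TCP option")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("malformed TCP option length")
        if kind == 2 and length == 4:
            announced = struct.unpack("!H", options[i + 2:i + 4])[0]
            mss = announced if limit == 0 else min(announced, limit)
            out += b"\x02\x04" + struct.pack("!H", mss)
        else:
            out += options[i:i + length]    # any other option passes unchanged
        i += length
    if announced is None:
        effective = RFC793_DEFAULT_MSS      # no MSS option: RFC 793 default applies
    else:
        effective = announced if limit == 0 else min(announced, limit)
    return bytes(out), announced, effective


if __name__ == "__main__":
    print(ipsec_safe_mss())
    print(clamp_mss(b"\x02\x04\x05\xb4", 1380))     # 1460 announced -> 1380
```

A client announcing the usual Ethernet MSS of 1460 is rewritten to 1380, a SYN with no MSS option is treated as 536, and a window scale option beside the MSS is copied through untouched.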
sysopt connection timewait

By default the PIX Firewall does not use the timewait option. Use the sysopt connection timewait command to enable the timewait option when you have an end host application whose default TCP terminating sequence is a simultaneous close. This is recommended because the default behavior of the PIX Firewall is to track the shutdown sequence and release the connection after two FINs and the ACKnowledgment of the last FIN segment. This quick release heuristic enables the PIX Firewall to sustain a high connection rate, based on the most common closing sequence, known as the normal close sequence. However, in a simultaneous close, both ends of the transaction initiate the closing sequence, as opposed to the normal close sequence where one end closes and the other end acknowledges prior to initiating its own closing sequence (see RFC 793). Thus, in a simultaneous close, the quick release forces one side of the connection to linger in the CLOSING state. Having many sockets in the CLOSING state can degrade the performance of an end host. For instance, some WinSock mainframe clients are known to exhibit this behavior and degrade the performance of the mainframe server. Old versions of HP/UX are also susceptible to this behavior. Using the sysopt connection timewait command creates a window for the simultaneous close down sequence to complete.


The no sysopt connection timewait command removes the sysopt connection timewait command from your configuration. In other words, if you enable the timewait option with the sysopt connection timewait command, you can disable it using the no sysopt connection timewait command.

Note

The sysopt connection timewait command requires more system resources than default processing and, when in use, may impact PIX Firewall performance. Noticeable performance impact is most likely when there is limited memory available, and when there is highly dynamic traffic such as HTTP.
sysopt nodnsalias

The sysopt nodnsalias inbound command disables inbound embedded DNS A record fixups according to aliases that apply to the A record address; the sysopt nodnsalias outbound command affects outbound replies. This command remedies the case when a DNS server is on the outside and users on the inside need to access a server on a perimeter interface. In the past, you would use the alias command to permit DNS responses to resolve correctly through the PIX Firewall, but you had to reverse the parameters for the local IP address and foreign IP address. For example, you would normally code the alias command as follows:
alias (inside) 192.168.1.4 209.165.201.11 255.255.255.255

Inside host 192.168.1.5 needs access to www.example.com, which resolves at an outside ISP DNS to 209.165.201.11. The PIX Firewall fixes this DNS response sending the host a response of 192.168.1.4. The host uses its gateway (the PIX Firewall) to go to 192.168.1.4, which the PIX Firewall now aliases back to the 209.165.201.11. Because this is actually 192.168.1.4, a server on the perimeter interface of the PIX Firewall, the packet is dropped because the PIX Firewall sent the packet to the outside interface, which is the incorrect interface. The sysopt nodnsalias inbound command has the same effect as reversing the alias command statement parameters as follows:
alias (inside) 209.165.201.11 192.168.1.4 255.255.255.255

This works properly because everything happens in reverse. The DNS is now modified to 209.165.201.11 and the host inside uses its gateway (the PIX Firewall) to get there, the PIX Firewall aliases this back to 192.168.1.4 and routes it out the perimeter interface to the correct host and the TCP connection is established.
sysopt noproxyarp

By default, the PIX Firewall responds to ARP requests directed at the PIX Firewalls interface IP addresses as well as to ARP requests for any static or global address defined on the PIX Firewall interface (which are proxy ARP requests). The sysopt noproxyarp if_name command lets you disable proxy ARP request responses on a PIX Firewall interface. However, this command does not disable regular (non-proxy) ARP request responses on the PIX Firewall interface itself. Consequently, if you use the sysopt noproxyarp if_name command, the PIX Firewall no longer responds to ARP requests for the addresses in the static, global, and nat 0 commands for that interface but does respond to ARP requests for its interface IP addresses.
sysopt radius ignore-secret

Some commonly used RADIUS servers, such as Livingston version 1.16, have a usage caveat where they do not include the key in the authenticator hash in the accounting acknowledgment response. This can cause the PIX Firewall to continually retransmit the accounting request. Use the sysopt radius ignore-secret command to cause the PIX Firewall to ignore the key in the authenticator of accounting acknowledgments, thus avoiding the retransmit problem. (The key described here is the key you set with the aaa-server command.)

Cisco PIX Firewall Command Reference 78-13849-01

8-43

Chapter 8 sysopt

S Commands
sysopt route dnat

The sysopt route dnat command specifies that when an incoming packet does a route lookup, the incoming interface is used to determine which interface the packet should go to, and which is the next hop.
sysopt security fragguard

The sysopt security fragguard command enables the IP Frag Guard feature, which is disabled by default. This feature enforces two additional security checks beyond those recommended by RFC 1858 against the many IP fragment style attacks (teardrop, land, and so on). First, each non-initial IP fragment is required to be associated with an already seen, valid initial IP fragment. Second, IP fragments are rate limited to 100 full IP fragmented packets per second to each internal host. The IP Frag Guard feature operates on all interfaces of the PIX Firewall and cannot be selectively enabled or disabled per interface. The PIX Firewall uses the security fragguard command to enforce the security policy determined by an access-list permit or access-list deny command to permit or deny packets through the PIX Firewall.

Note

Use of the sysopt security fragguard command breaks normal IP fragmentation conventions. However, not using this command exposes PIX Firewall to the possibility of IP fragmentation attacks. We recommend that packet fragmentation not be permitted on the network if at all possible. The show sysopt command lists the sysopt commands in the configuration. The clear sysopt command resets the sysopt command to default settings. The no sysopt security fragguard command disables the IP Frag Guard feature.

Examples

The following example disables IP Frag Guard and then lists the current command options:
no sysopt security fragguard
show sysopt
sysopt security fragguard
no sysopt connection tcpmss
no sysopt connection timewait
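The two IP Frag Guard checks described above (association with a seen initial fragment, and the per-host rate of 100 full fragmented packets per second), modeled as an added Python example. This is not PIX Firewall code; the fragment records, addresses and timestamps are constructed.

```python
"""Model of the two IP Frag Guard checks described for sysopt security fragguard.

Added example, not PIX Firewall code.  Fragment records are plain dicts
carrying the IP header fields the checks need (src, dst, id, offset, mf, ts);
all addresses and timestamps below are constructed.
"""
from collections import defaultdict, deque

RATE_LIMIT = 100  # full fragmented datagrams per second allowed to each internal host


class FragGuard:
    def __init__(self, rate_limit=RATE_LIMIT):
        self.rate_limit = rate_limit
        # (src, dst, id) of datagrams whose valid initial fragment has been seen
        self.initial_seen = set()
        # per internal host: completion times of fragmented datagrams in the last second
        self.completed = defaultdict(deque)

    def check(self, frag):
        """Return 'pass' or a drop reason for one fragment."""
        key = (frag["src"], frag["dst"], frag["id"])
        if frag["offset"] == 0:
            # Initial fragment: remember it so later fragments can be associated with it
            self.initial_seen.add(key)
            return "pass"
        # Check 1: a non-initial fragment must belong to an already seen initial fragment
        if key not in self.initial_seen:
            return "drop: no initial fragment seen"
        if frag["mf"]:
            return "pass"  # middle fragment of a known datagram
        # Final fragment: the datagram is complete, so check 2 (per-host rate) applies
        window = self.completed[frag["dst"]]
        while window and frag["ts"] - window[0] >= 1.0:
            window.popleft()  # forget completions older than one second
        if len(window) >= self.rate_limit:
            return "drop: fragment rate exceeded"
        window.append(frag["ts"])
        self.initial_seen.discard(key)
        return "pass"


def run(fragments, rate_limit=RATE_LIMIT):
    """Apply the checks in order to a list of fragments; return one verdict each."""
    guard = FragGuard(rate_limit)
    return [guard.check(f) for f in fragments]


def frag(src, dst, ip_id, offset, mf, ts):
    return {"src": src, "dst": dst, "id": ip_id, "offset": offset, "mf": mf, "ts": ts}


# Constructed traffic toward an inside host: a well-formed two-fragment datagram,
# then a non-initial fragment whose initial fragment was never seen.
SAMPLE = [
    frag("209.165.201.5", "192.168.1.10", 1, 0, True, 0.00),
    frag("209.165.201.5", "192.168.1.10", 1, 1480, False, 0.01),
    frag("209.165.201.5", "192.168.1.10", 2, 1480, False, 0.02),
]

# Constructed burst: RATE_LIMIT + 1 complete fragmented datagrams to one host
# within the same second, so exactly one falls to the rate limit.
BURST = [
    f
    for i in range(3, 3 + RATE_LIMIT + 1)
    for f in (frag("209.165.201.5", "192.168.1.20", i, 0, True, 0.5),
              frag("209.165.201.5", "192.168.1.20", i, 1480, False, 0.5))
]

if __name__ == "__main__":
    for fragment, verdict in zip(SAMPLE, run(SAMPLE)):
        print(fragment["id"], fragment["offset"], verdict)
    print(run(BURST).count("drop: fragment rate exceeded"), "datagram(s) dropped by rate limit")
```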


In the following example, a PPTP client authenticates using MS-CHAP, negotiates MPPE encryption, receives the DNS and WINS server addresses, and Telnets to the host 192.168.0.2 directly through the nat 0 command.
ip local pool my-addr-pool 10.1.1.1-10.1.1.254
aaa-server my-aaa-server-group (inside) host 192.168.0.10 key 12345678
aaa-server my-aaa-server-group protocol radius
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto required
vpdn group 1 client configuration address local my-addr-pool
vpdn group 1 client authentication aaa my-aaa-server-group
vpdn group 1 client configuration dns 10.2.2.99
vpdn group 1 client configuration wins 10.2.2.100
vpdn enable outside
access-list nonat permit ip 10.1.1.0 255.255.255.0 host 192.168.0.2
access-list nonat permit ip 10.1.1.0 255.255.255.0 host 10.2.2.99
access-list nonat permit ip 10.1.1.0 255.255.255.0 host 10.2.2.100
nat (inside) 0 access-list nonat
sysopt connection permit-pptp

sysopt connection permit-ipsec

The following is a minimal IPSec configuration to enable a session to be connected from host 172.21.100.123 to host 172.21.200.67 across an IPSec tunnel that terminates from peer 209.165.201.1 to peer 201.165.200.225.

With sysopt connection permit-ipsec and access-list command statements:

On peer 209.165.201.1:
static 172.21.100.123 172.21.100.123
access-list 10 permit ip host 172.21.200.67 host 172.21.100.123
crypto ipsec transform-set t1 esp-des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 10
crypto map mymap 10 set transform-set t1
crypto map mymap 10 set peer 172.21.200.1
crypto map mymap interface outside

On peer 201.165.200.225:
static 172.21.200.67 172.21.200.67
access-list 10 permit ip host 172.21.100.123 host 172.21.200.67
crypto ipsec transform-set t1 esp-des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 10
crypto map mymap 10 set transform-set t1
crypto map mymap 10 set peer 172.21.100.1
crypto map mymap interface outside

With sysopt connection permit-ipsec and without conduit command statements:

On peer 209.165.201.1:
static 172.21.100.123 172.21.100.123
access-list 10 permit ip host 172.21.200.67 host 172.21.100.123
crypto ipsec transform-set t1 esp-des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 10
crypto map mymap 10 set transform-set t1
crypto map mymap 10 set peer 172.21.200.1
crypto map mymap interface outside
sysopt connection permit-ipsec


On peer 201.165.200.225:
static 172.21.200.67 172.21.200.67
access-list 10 permit ip host 172.21.100.123 host 172.21.200.67
crypto ipsec transform-set t1 esp-des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 10
crypto map mymap 10 set transform-set t1
crypto map mymap 10 set peer 172.21.100.1
crypto map mymap interface outside
sysopt connection permit-ipsec


CHAPTER 9

T through Z Commands
telnet

Specify the host for PIX Firewall console access via Telnet. (Configuration mode.)

Start with the command...
    telnet ip_address [netmask] [if_name]
    telnet timeout minutes

Stop with the command...
    clear telnet [ip_address [netmask] [if_name]]
    no telnet [ip_address [netmask] [if_name]]
    N/A (for telnet timeout)

Show command options
    show telnet
    show telnet timeout

Show command output
    show telnet: Displays the current list of IP addresses authorized to Telnet to the PIX Firewall.
    show telnet timeout: Displays the Telnet timeout value.

Syntax Description

if_name
    If IPSec is operating, the PIX Firewall lets you specify an unsecure interface name, typically the outside interface. At a minimum, the crypto map command must be configured to specify an interface name with the telnet command.

ip_address
    An IP address of a host or network that can access the PIX Firewall Telnet console. If an interface name is not specified, the address is assumed to be on an internal interface. The PIX Firewall automatically verifies the IP address against the IP addresses specified by the ip address commands to ensure that the address you specify is on an internal interface. If an interface name is specified, the PIX Firewall only checks the host against the interface you specify.

netmask
    Bit mask of ip_address. To limit access to a single IP address, use 255 in each octet; for example, 255.255.255.255. If you do not specify netmask, it defaults to 255.255.255.255 regardless of the class of ip_address. Do not use the subnetwork mask of the internal network. The netmask is only a bit mask for the IP address in ip_address.

timeout minutes
    The number of minutes that a Telnet session can be idle before being closed by the PIX Firewall. The default is 5 minutes. The range is 1 to 60 minutes.


Usage Guidelines

The telnet command lets you specify which hosts can access the PIX Firewall console with Telnet. You can enable Telnet to the PIX Firewall on all interfaces. However, the PIX Firewall enforces that all Telnet traffic to the outside interface be IPSec protected. Therefore, to enable a Telnet session to the outside interface, configure IPSec on the outside interface to include IP traffic generated by the PIX Firewall and enable Telnet on the outside interface.

Up to 16 hosts or networks are allowed access to the PIX Firewall console with Telnet, 5 simultaneously.

The show telnet command displays the current list of IP addresses authorized to Telnet to the PIX Firewall. Use the no telnet or clear telnet command to remove Telnet access from a previously set IP address.

Use the telnet timeout feature to set the maximum time a console Telnet session can be idle before being logged off by the PIX Firewall. The clear telnet command does not affect the telnet timeout command duration. The no telnet command cannot be used with the telnet timeout command.

Use the passwd command to set a password for Telnet access to the console. The default is cisco. Use the who command to view which IP addresses are currently accessing the PIX Firewall console. Use the kill command to terminate an active Telnet console session. If the aaa command is used with the console option, Telnet console access must be authenticated with an authentication server.

Note

If you have configured the aaa command to require authentication for PIX Firewall Telnet console access and the console login request times out, you can gain access to the PIX Firewall from the serial console by entering the pix username and the password that was set with the enable password command.
Usage Notes

1. If you do not specify the interface name, the telnet command adds command statements to the configuration to let the host or network access the Telnet console from all internal interfaces. When you use the show telnet command, this assumption may not seem to make sense. For example, if you enter the following command without a netmask or interface name:

telnet 192.168.1.1

If you then use the show telnet command, you see that not just one command statement is specified, but all internal interfaces are represented with a command statement:

show telnet
192.168.1.1 255.255.255.255 inside
192.168.1.1 255.255.255.255 intf2
192.168.1.1 255.255.255.255 intf3

The purpose of the show telnet output is to indicate that, were it possible, the 192.168.1.1 host could access the Telnet console from any of these internal interfaces. An additional facet of this behavior is that you must delete each of these command statements individually with the following commands:

no telnet 192.168.1.1 255.255.255.255 inside
no telnet 192.168.1.1 255.255.255.255 intf2
no telnet 192.168.1.1 255.255.255.255 intf3

2. To access the PIX Firewall with Telnet from the intf2 perimeter interface, use the following command:

telnet 192.168.1.1 255.255.255.255 intf2

3. The default password to access the PIX Firewall console via Telnet is cisco.

4. Some Telnet applications, such as the Windows 95 or Windows NT Telnet sessions, may not support access to the PIX Firewall unit's command history feature via the arrow keys. However, you can access the last entered command by pressing Ctrl-P.

5. The telnet timeout command affects the next session started but not the current session.

6. If you connect a computer directly to the inside interface of the PIX Firewall with Ethernet to test Telnet access, you must use a cross-over cable and the computer must have an IP address on the same subnet as the inside interface. The computer must also have its default route set to be the inside interface of the PIX Firewall.

7. If you need to access the PIX Firewall console from outside the PIX Firewall, you can use a static and access-list command pair to permit a Telnet session to a Telnet server on the inside interface, and then from the server to the PIX Firewall. In addition, you can attach the console port to a modem, but this may add a security problem of its own. You can use the same terminal settings as for HyperTerminal, which is described in the Cisco PIX Firewall and VPN Configuration Guide.

8. If you have IPSec configured, you can access the PIX Firewall console with Telnet from outside the PIX Firewall. Once an IPSec tunnel is created from an outside host to the PIX Firewall, you can access the console from the outside host.

9. Output from the debug crypto ipsec, debug crypto isakmp, and debug ssh commands does not display in a Telnet or SSH console session. For information about the debug crypto ipsec and debug crypto isakmp commands, refer to the debug command page.
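How the telnet statements above are stored and checked (omitted if_name expanding to every internal interface, netmask as a bit mask, per-interface removal with no telnet, and the IPSec requirement on the outside interface), modeled as an added Python example. This is not PIX Firewall code; the interface names outside, inside, intf2 and intf3 are assumed from the show telnet output above.

```python
"""Model of how telnet command statements are stored and matched.

Added example, not PIX Firewall code.  The interface names are assumed:
"outside" plus the internal interfaces inside, intf2 and intf3, which is the
set an unqualified telnet statement expands to in the show telnet output above.
"""
import ipaddress

INTERNAL_INTERFACES = ["inside", "intf2", "intf3"]  # assumed names
DEFAULT_NETMASK = "255.255.255.255"


def parse_statement(line, internal=INTERNAL_INTERFACES):
    """Expand 'telnet ip_address [netmask] [if_name]' into (network, if_name) entries.

    netmask is a bit mask applied to ip_address and defaults to a single host.
    When if_name is omitted the host is assumed to be on an internal interface,
    so one entry per internal interface is stored.
    """
    parts = line.split()
    if parts[:1] != ["telnet"] or not 2 <= len(parts) <= 4:
        raise ValueError(f"not a telnet statement: {line!r}")
    ip_address = parts[1]
    netmask = parts[2] if len(parts) >= 3 else DEFAULT_NETMASK
    if_names = [parts[3]] if len(parts) == 4 else list(internal)
    network = ipaddress.IPv4Network(f"{ip_address}/{netmask}", strict=False)
    return [(network, name) for name in if_names]


class TelnetAccessList:
    """The stored telnet entries and the checks applied to an incoming session."""

    def __init__(self):
        self.entries = []

    def add(self, line):
        for entry in parse_statement(line):
            if entry not in self.entries:
                self.entries.append(entry)

    def remove(self, line):
        """'no telnet ...' removes only the entries it names, one interface at a time."""
        if not line.startswith("no "):
            raise ValueError(f"expected a no telnet statement: {line!r}")
        for entry in parse_statement(line[3:]):
            if entry in self.entries:
                self.entries.remove(entry)

    def show(self):
        """Render the entries as show telnet lists them: ip_address netmask if_name."""
        return [f"{net.network_address} {net.netmask} {name}" for net, name in self.entries]

    def permitted(self, src_ip, if_name, ipsec_protected=False):
        """Is a Telnet session from src_ip arriving on if_name accepted?

        Telnet to the outside interface is accepted only when IPSec protected.
        """
        if if_name == "outside" and not ipsec_protected:
            return False
        src = ipaddress.IPv4Address(src_ip)
        return any(src in net and name == if_name for net, name in self.entries)


if __name__ == "__main__":
    acl = TelnetAccessList()
    acl.add("telnet 192.168.1.1")  # no netmask, no interface: one entry per internal interface
    print("\n".join(acl.show()))
    acl.remove("no telnet 192.168.1.1 255.255.255.255 intf2")
    print(acl.permitted("192.168.1.1", "inside"), acl.permitted("192.168.1.1", "intf2"))
```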

Examples

The following examples permit hosts 192.168.1.3 and 192.168.1.4 to access the PIX Firewall console via Telnet. In addition, all the hosts on the 192.168.2.0 network are given access:
telnet 192.168.1.3 255.255.255.255 inside
telnet 192.168.1.4 255.255.255.255 inside
telnet 192.168.2.0 255.255.255.0 inside
show telnet
192.168.1.3 255.255.255.255 inside
192.168.1.4 255.255.255.255 inside
192.168.2.0 255.255.255.0 inside

You can remove individual entries with the no telnet command or all telnet command statements with the clear telnet command:
no telnet 192.168.1.3 255.255.255.255 inside
show telnet
192.168.1.4 255.255.255.255 inside
192.168.2.0 255.255.255.0 inside
clear telnet
show telnet

You can change the maximum session idle duration as follows:

telnet timeout 10
show telnet timeout
telnet timeout 10 minutes

An example Telnet console login session appears as follows (the password does not display when entered):
PIX passwd: cisco
Welcome to the PIX Firewall
Type help or ? for a list of available commands.
pixfirewall>


Related Commands

aaa accounting kill passwd who

terminal

Change console terminal settings. (Configuration mode.)

Start with the command...
    terminal monitor
    terminal width characters

Stop with the command...
    terminal no monitor
    N/A (for terminal width)

Syntax Description

characters
    Permissible values are 0, which means 511 characters, or a value in the range of 40 to 511.

monitor
    Enable or disable syslog message displays on the console.

width
    Set the width for displaying information during console sessions.

Usage Guidelines

The terminal monitor command lets you enable or disable the display of syslog messages in the current session for either Telnet or serial access to the PIX Firewall console. Use the logging monitor command to enable or disable various levels of syslog messages to the console; use the terminal no monitor command to disable the messages on a per-session basis. Use terminal monitor to restart the syslog messages for the current session.

The terminal width command sets the width for displaying command output. The terminal width is controlled by the command terminal width nn, where nn is the width in characters. If you enter a line break, it is not possible to backspace to the previous line.

Examples

The following example shows enabling logging and then disabling logging only in the current session with the terminal no monitor command:
logging monitor
terminal no monitor


tftp-server

Specify the IP address of the TFTP configuration server. (Configuration mode.)

Start with the command...
    tftp-server [if_name] ip_address path

Stop with the command...
    no tftp-server [[if_name] ip_address path]
    clear tftp-server [[if_name] ip_address path]

Show command options
    show tftp-server

Show command output
    Displays the tftp-server command statements in the current configuration.

Syntax Description

if_name
    Interface name on which the TFTP server resides. If not specified, an internal interface is assumed. If you specify the outside interface, a warning message informs you that the outside interface is unsecure.

ip_address
    The IP address or network of the TFTP server.

path
    The path and filename of the configuration file. The format for path differs by the type of operating system on the server. The contents of path are passed directly to the server without interpretation or checking. The configuration file must exist on the TFTP server. Many TFTP servers require the configuration file to be world-writable to write to it and world-readable to read from it.

Usage Guidelines

The tftp-server command lets you specify the IP address of the server that you use to propagate PIX Firewall configuration files to your firewalls. Use the tftp-server command with the configure net command to read the configuration or with the write net command to store the configuration in the file you specify. The clear tftp-server command removes the tftp-server command from your configuration. The PIX Firewall supports only one TFTP server.

The path name you specify in the tftp-server command is appended to the end of the IP address you specify in the configure net and write net commands. The more of the file and path name you specify with the tftp-server command, the less you need to specify with the configure net and write net commands. If you specify the full path and filename in the tftp-server command, the IP address in the configure net and write net commands can be represented with a colon ( : ).

The no tftp-server command disables access to the server. The show tftp-server command lists the tftp-server command statements in the current configuration.

Examples

The following example specifies a TFTP server and then reads the configuration from /pixfirewall/config/test_config:
tftp-server 10.1.1.42 /pixfirewall/config/test_config
...
configure net :


timeout

Set the maximum idle time duration. (Configuration mode.)

Configure with the command...
    timeout [xlate [hh:mm:ss]] [conn [hh:mm:ss]] [half-closed [hh:mm:ss]] [udp [hh:mm:ss]] [rpc [hh:mm:ss]] [h323 [hh:mm:ss]] [sip [hh:mm:ss]] [sip_media [hh:mm:ss]] [uauth [hh:mm:ss] [absolute | inactivity]]

Remove with the command...
    clear timeout

Show command options
    show timeout

Show command output
    Displays the current timeout command settings.

Syntax Description

absolute
    Run the uauth timer continuously, but after the timer elapses, wait to reprompt the user until the user starts a new connection, such as clicking a link in a web browser. The default uauth timer is absolute. To disable absolute, set the uauth timer to 0 (zero).

conn hh:mm:ss
    Idle time until a connection slot is freed. Use 0:0:0 for the time value to never time out a connection. This duration must be at least 5 minutes. The default is 1 hour.

h323 hh:mm:ss
    Duration for the H.323 inactivity timer. When this time elapses, the port used by the H.323 service closes. This duration must be at least 5 minutes. The default is 5 minutes.

half-closed hh:mm:ss
    Idle time until a TCP half-closed connection is freed. The default is 10 minutes. Use 0:0:0 to never time out a half-closed connection. The minimum is 5 minutes.

inactivity
    Start the uauth timer after a connection becomes idle.

rpc hh:mm:ss
    Idle time until an RPC slot is freed. This duration must be at least 1 minute. The default is 10 minutes.

sip hh:mm:ss
    Modifies the SIP timer. The SIP signalling port timer is set to a default of 30 minutes.

sip_media hh:mm:ss
    Modifies the media timer, which is used for SIP RTP/RTCP with SIP UDP media packets instead of the UDP inactivity timeout. The SIP media port timer is set to 2 minutes in the list of protocol timers.

uauth hh:mm:ss
    Duration before the authentication and authorization cache times out and the user has to reauthenticate on the next connection. This duration must be shorter than the xlate values. Set to 0 to disable caching. Do not set to zero if passive FTP is used on the connections.

udp hh:mm:ss
    Idle time until a UDP slot is freed. This duration must be at least 1 minute. The default is 2 minutes.

xlate hh:mm:ss
    Idle time until a translation slot is freed. This duration must be at least 1 minute. The default is 3 hours.


Usage Guidelines

The timeout command sets the idle time for connection, translation, UDP, RPC, and H.323 slots. If the slot has not been used for the idle time specified, the resource is returned to the free pool. TCP connection slots are freed approximately 60 seconds after a normal connection close sequence. The clear timeout command sets the durations to their default values. This command is used in conjunction with the show uauth and clear uauth commands.

Note

Do not use the timeout uauth 0:0:0 command if passive FTP is used for the connection, or if the virtual command is used for Web authentication. The connection timer takes precedence over the translation timer, such that the translation timer only works after all connections have timed out.
Uauth Inactivity and Absolute Qualifiers

The uauth inactivity and absolute qualifiers cause users to have to reauthenticate after either a period of inactivity or an absolute duration. If you set the inactivity timer to a duration but the absolute timer to zero, then users are only reauthenticated after the inactivity timer elapses. If you set both timers to zero, then users have to reauthenticate on every new connection.

The inactivity timer starts after a connection becomes idle. If a user establishes a new connection before the duration of the inactivity timer, the user is not required to reauthenticate. If a user establishes a new connection after the inactivity timer expires, the user must reauthenticate.

The default durations are zero for the inactivity timer and 5 minutes for the absolute timer; that is, the default behavior is to cause the user to reauthenticate every 5 minutes. The absolute timer runs continuously but waits to reprompt the user until the user starts a new connection, such as clicking a link; if the absolute timer has elapsed by then, the user is prompted to reauthenticate. The absolute timer must be shorter than the xlate timer; otherwise, a user could be reprompted after their session has already ended.

Inactivity timers give users the best Web access because they are not prompted to regularly reauthenticate. Absolute timers provide security and manage the PIX Firewall connections better. By being prompted to reauthenticate regularly, users manage their use of the resources more efficiently. Also, by being reprompted, you minimize the risk that someone will attempt to use another user's access after they leave their workstation, such as in a college computer lab. You may want to set an absolute timer during peak hours and an inactivity timer thereafter.

Both an inactivity timer and an absolute timer can operate at the same time, but you should set the absolute timer duration longer than the inactivity timer. If the absolute timer is less than the inactivity timer, the inactivity timer never occurs. For example, if you set the absolute timer to 10 minutes and the inactivity timer to an hour, the absolute timer reprompts the user every 10 minutes; therefore, the inactivity timer will never be started.
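The timer rules above (default absolute 5 minutes, inactivity only, both zero, and an absolute timer shorter than the inactivity timer), replayed against constructed connection events as an added Python example. This is not PIX Firewall code; the event stream and the two configuration warnings are assumptions drawn from the guidelines in this section.

```python
"""Model of the timeout uauth absolute and inactivity rules described above.

Added example, not PIX Firewall code.  Times are seconds; a "connect" event is
the moment a user starts a new connection (such as clicking a link), and an
"idle" event is the moment the user's connections go idle.
"""
from dataclasses import dataclass


@dataclass
class UauthTimers:
    absolute: int = 5 * 60   # default 5 minutes; 0 disables the absolute timer
    inactivity: int = 0      # default 0, that is, disabled
    xlate: int = 3 * 3600    # default 3 hours; the absolute timer must be shorter


def config_warnings(t):
    """Return the configuration problems the usage guidelines call out."""
    warnings = []
    if t.absolute and t.absolute >= t.xlate:
        warnings.append("absolute timer must be shorter than the xlate timer")
    if t.absolute and t.inactivity and t.absolute < t.inactivity:
        warnings.append("inactivity timer never occurs: absolute timer is shorter")
    return warnings


class UauthSession:
    """Authentication cache state for one user."""

    def __init__(self, timers):
        self.t = timers
        self.authenticated_at = None  # when the user last authenticated
        self.idle_since = None        # inactivity timer starts when connections go idle

    def new_connection(self, now):
        """Return True when the user is prompted to reauthenticate at time `now`."""
        t = self.t
        if self.authenticated_at is None:
            reauth = True                                  # first connection
        elif t.absolute == 0 and t.inactivity == 0:
            reauth = True                                  # caching disabled: every connection
        else:
            absolute_elapsed = bool(t.absolute) and now - self.authenticated_at >= t.absolute
            idle_elapsed = (bool(t.inactivity) and self.idle_since is not None
                            and now - self.idle_since >= t.inactivity)
            reauth = absolute_elapsed or idle_elapsed
        if reauth:
            self.authenticated_at = now
        self.idle_since = None  # the user is active again
        return reauth

    def connection_idle(self, now):
        """Record that the user's connections went idle at time `now`."""
        self.idle_since = now


def prompts(timers, events):
    """Replay (time, 'connect' | 'idle') events; return the times the user was prompted."""
    session = UauthSession(timers)
    prompted = []
    for when, what in events:
        if what == "connect":
            if session.new_connection(when):
                prompted.append(when)
        elif what == "idle":
            session.connection_idle(when)
        else:
            raise ValueError(f"unknown event {what!r}")
    return prompted


# Constructed timer settings for the cases described in the usage guidelines.
DEFAULT = UauthTimers()                                    # absolute 5 minutes, inactivity 0
INACTIVITY_ONLY = UauthTimers(absolute=0, inactivity=3600)
BOTH_ZERO = UauthTimers(absolute=0, inactivity=0)
ABSOLUTE_SHORTER = UauthTimers(absolute=600, inactivity=3600)

# Constructed event stream for one user.
EVENTS = [(0, "connect"), (120, "connect"), (240, "connect"), (301, "connect"),
          (400, "idle"), (3000, "connect"), (3100, "idle"), (7000, "connect")]

if __name__ == "__main__":
    for name, timers in [("default", DEFAULT), ("inactivity only", INACTIVITY_ONLY),
                         ("both zero", BOTH_ZERO), ("absolute shorter", ABSOLUTE_SHORTER)]:
        print(f"{name}: prompts at {prompts(timers, EVENTS)} {config_warnings(timers)}")
```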

Note

RPC and NFS are very unsecure protocols and should be used with caution.


Examples

The following is sample output from the show timeout command:

show timeout
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute

The following is sample output from the timeout command in which variables are changed and then displayed with the show timeout command:
timeout uauth 0:5:00 absolute uauth 0:4:00 inactivity
show timeout
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute uauth 0:04:00 inactivity

Related Commands

show xlate / clear xlate
show uauth / clear uauth

url-block

Enables long URL support and HTTP response buffering for URL filtering services. (Configuration mode.)

Start with the command...
    url-block block block_buffer_limit
    url-block url-mempool memory_pool_size
    Websense only: url-block url-size long_url_size
    N/A

Stop with the command...
    no url-block block block_buffer_limit
    no url-block url-mempool memory_pool_size
    no url-block url-size long_url_size
    clear url-block block stat

Show command options
    show url-block block stats

Show command output
    Displays the number of packets held in the url-block buffer and the number (if any) dropped due to exceeding the buffer limit or retransmission.

Syntax Description

block stat
    The url-block buffer statistics.

block block_buffer_limit
    The maximum number of blocks allowed in the HTTP response buffer.

stats
    The HTTP response buffering statistics.

url-block
    Creates the buffer to store long URLs. The default buffer size is 1 KB.

url-mempool memory_pool_size
    The size of the URL buffer memory pool in kilobytes (KB), from 2 KB to 10240 KB.

url-size long_url_size
    The maximum allowed URL size in KB, from 2 KB to 4 KB.

Usage Guidelines

The url-block command requires that a valid Websense URL filtering configuration is running on your PIX Firewall. Once this is in place, you can use this command to pass URLs longer than 1159 bytes, up to a maximum of 4096 bytes, to the Websense server. The url-block command stores URLs longer than 1159 bytes in a buffer and then passes the URL to the Websense server (through a TCP packet stream) so that the Websense server can grant or deny access to that URL. The clear url-block block stats command clears the url-block statistics counters.

Examples

The following example illustrates the use of the show url-block block stat and clear url-block block stat commands:
pix525(config)# show url-block block stat
URL Pending Packet Buffer Stats with max block1
-----------------------------------------------------
Cumulative number of packets held:110
Maximum number of packets held (per URL):1
Current number of packets held (global):0
Packets dropped due to exceeding url-block buffer limit:894
Packet drop due to retransmission:0
pix525(config)# clear url-block block stat
pix525(config)# show url-block block stat
URL Pending Packet Buffer Stats with max block1
-----------------------------------------------------
Cumulative number of packets held:0
Maximum number of packets held (per URL):0
Current number of packets held (global):0
Packets dropped due to exceeding url-block buffer limit:0
Packet drop due to retransmission:0

url-cache

Caches webserver responses that are pending a permit or deny response from an N2H2 or Websense server. (Configuration mode.)

Start with the command...
    url-cache {dst | src_dst} size kbytes

Stop with the command...
    no url-cache {dst | src_dst} size kbytes
    clear url-cache

Show command options
    show url-cache stats

Show command output
    Displays URL cache statistics, including the number of cache lookups and hit rate.


Syntax Description

dst
    Cache entries based on the URL destination address. Select this mode if all users share the same URL filtering policy on the N2H2 or Websense server.

size kbytes
    Specifies a value for the cache size within the range 1 to 128 KB.

src_dst
    Cache entries based on both the source address initiating the URL request and the URL destination address. Select this mode if users do not share the same URL filtering policy on the N2H2 or Websense server.

stat
    Use the stat option to display additional URL cache statistics, including the number of cache lookups and hit rate.

Usage Guidelines

The url-cache command provides a configuration option to buffer the response from a web server if its response is faster than that from the N2H2 or Websense filtering service server. This prevents the web server's response from being loaded twice.

Use the url-cache command to enable URL caching, set the size of the cache, and display cache statistics. Caching stores URL access privileges in memory on the PIX Firewall. When a host requests a connection, the PIX Firewall first looks in the URL cache for matching access privileges instead of forwarding the request to the N2H2 or Websense server. Disable caching with the no url-cache command. The clear url-cache command removes url-cache command statements from the configuration.

Using the URL cache does not update the Websense accounting logs for Websense protocol version 1. If you are using Websense protocol version 1, let Websense run to accumulate logs so you can view the Websense accounting information. After you get a usage profile that meets your security needs, enable url-cache to increase throughput. Accounting logs are updated for Websense protocol version 4 and for N2H2 URL filtering while using the url-cache command.

Note

If you change settings on the N2H2 or Websense server, disable the cache with the no url-cache command and then re-enable the cache with the url-cache command.

The show url-cache command with the stats option displays the following entries:

Size: The size of the cache in kilobytes, set with the url-cache size option.
Entries: The maximum number of cache entries based on the cache size.
In Use: The current number of entries in the cache.
Lookups: The number of times the PIX Firewall has looked for a cache entry.
Hits: The number of times the PIX Firewall has found an entry in the cache.

You can view additional information about N2H2 or Websense filtering activity with the show perfmon command.

Examples

The following example caches all outbound HTTP connections based on the source and destination addresses:
url-cache src_dst 128


The following is sample output from the show url-cache stat command:
show url-cache stat
URL Filter Cache Stats
----------------------
Size : 1KB
Entries : 36
In Use : 30
Lookups : 300
Hits : 290

url-server

Designate a server running either N2H2 or Websense for use with the filter command; you cannot run both of these URL filtering services simultaneously. (Configuration mode.)

Start with the command...
    N2H2: url-server [(if_name)] vendor n2h2 host local_ip [port number] [timeout seconds] [protocol {TCP | UDP}]
    Websense: url-server [(if_name)] vendor websense host local_ip [timeout seconds] [protocol {TCP | UDP} version]

Stop with the command...
    N2H2: no url-server [(if_name)] vendor n2h2 host local_ip [port number] [timeout seconds] [protocol {TCP | UDP}]
    Websense: no url-server [(if_name)] vendor websense host local_ip [timeout seconds] [protocol {TCP | UDP} version]

Show command options
    show url-server
    show url-server stats

Show command output
    show url-server: Displays the following information:
        For N2H2: url-server (if_name) vendor n2h2 host local_ip port number timeout seconds protocol [{TCP | UDP}{version 1 | 4}]
        For Websense: url-server (if_name) vendor websense host local_ip timeout seconds protocol [{TCP | UDP}]
    show url-server stats: Displays the URL server vendor; number of URLs total, allowed, and denied; and the URL server status.

Syntax Description

N2H2

host local_ip
    The server that runs the URL filtering application.

if_name
    The network interface where the authentication server resides. If not specified, the default is inside.

port number
    The N2H2 server port. The PIX Firewall also listens for UDP replies on this port. The default port number is 4005.

protocol
    The protocol can be configured using the TCP or UDP keywords. The default is TCP.

timeout seconds
    The maximum idle time permitted before the PIX Firewall switches to the next server you specified. The default is 5 seconds.

vendor n2h2
    Indicates the URL filtering service vendor is N2H2.

Websense

if_name
    The network interface where the authentication server resides. If not specified, the default is inside.

host local_ip
    The server that runs the URL filtering application.

timeout seconds
    The maximum idle time permitted before the PIX Firewall switches to the next server you specified. The default is 5 seconds.

protocol
    The protocol can be configured using the TCP or UDP keywords. The default is TCP protocol, version 1.

vendor websense
    Indicates the URL filtering service vendor is Websense.

version
    Specifies protocol version 1 or 4. The default is TCP protocol version 1. TCP can be configured using version 1 or version 4. UDP can be configured using version 4 only.

Usage Guidelines

The url-server command designates the server running the N2H2 or Websense URL filtering application. The limit is 16 URL servers; however, you can use only one application at a time, either N2H2 or Websense. Additionally, changing your configuration on the PIX Firewall does not update the configuration on the application server; this must be done separately, according to the individual vendor's instructions. Once you designate the server, enable the URL filtering service with the filter command. Follow these steps to filter URLs:

Step 1 Designate the URL filtering application server with the appropriate form of the vendor-specific url-server command.
Step 2 Enable URL filtering with the filter command.
Step 3 (Optional) Use the url-cache command to enable URL caching to improve perceived response time.
Step 4 (Optional) Enable long URL and HTTP buffering support using the url-block commands.
Step 5 Use the show url-block block stats, show url-cache stats, show url-server stats, and show pdm commands to view run information.

For more information about filtering by N2H2, visit N2H2's website at http://www.n2h2.com. For more information on Websense filtering services, visit http://www.websense.com/


The show url-server command displays the URL server's vendor, host address, timeout length, and protocol. For N2H2, the port number is also displayed; for Websense, the protocol version is also displayed.

Examples

Using N2H2, the following example filters all outbound HTTP connections except those from the 10.0.2.54 host:

url-server (perimeter) vendor n2h2 host 10.0.1.1
filter url http 0 0 0 0
filter url except 10.0.2.54 255.255.255.255 0 0

Using Websense, the following example filters all outbound HTTP connections except those from the 10.0.2.54 host:

url-server (perimeter) vendor websense host 10.0.1.1
filter url http 0 0 0 0
filter url except 10.0.2.54 255.255.255.255 0 0

The following is an example of the show url-server stats command:

pixfirewall# show url-server stats
URL Server Statistics:
----------------------
URL Server Vendor                 n2h2
URLs total/allowed/denied         100/95/5

URL Server Status:
------------------
171.69.39.222                     UP
171.69.39.3                       DOWN
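Because the PIX Firewall silently fails over to the next URL server when one stops responding, the DOWN state above is easy to miss unless something polls it. The following parser and alert check is an added example written for this page, not Cisco code; it reads the show url-server stats layout shown above (the sample below is that output, embedded as a constant) and reports servers marked DOWN and the case where no server is left UP.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: the show url-server stats output from the reference above.
SAMPLE_OUTPUT = """\
pixfirewall# show url-server stats
URL Server Statistics:
----------------------
URL Server Vendor                 n2h2
URLs total/allowed/denied         100/95/5

URL Server Status:
------------------
171.69.39.222                     UP
171.69.39.3                       DOWN
"""

_VENDOR_RE = re.compile(r"^URL Server Vendor\s+(\S+)$")
_COUNTS_RE = re.compile(r"^URLs total/allowed/denied\s+(\d+)/(\d+)/(\d+)$")
_STATUS_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(UP|DOWN)$")


@dataclass
class UrlServerStats:
    vendor: str = ""
    total: int = 0
    allowed: int = 0
    denied: int = 0
    status: dict[str, str] = field(default_factory=dict)  # server IP -> UP/DOWN

    def down(self) -> list[str]:
        """URL servers the PIX Firewall currently reports as DOWN."""
        return [ip for ip, state in self.status.items() if state == "DOWN"]

    def filtering_available(self) -> bool:
        """True while at least one configured URL server is UP."""
        return any(state == "UP" for state in self.status.values())


def parse_url_server_stats(output: str) -> UrlServerStats:
    """Parse show url-server stats output into a UrlServerStats record.

    The command prints two labelled tables; everything before the
    'URL Server Status:' heading is the statistics table, everything
    after it is one 'address  state' row per configured server.
    """
    stats = UrlServerStats()
    in_status = False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("URL Server Status:"):
            in_status = True
            continue
        if not in_status:
            if m := _VENDOR_RE.match(line):
                stats.vendor = m.group(1)
            elif m := _COUNTS_RE.match(line):
                stats.total, stats.allowed, stats.denied = map(int, m.groups())
        elif m := _STATUS_RE.match(line):
            stats.status[m.group(1)] = m.group(2)
    return stats


def url_server_alerts(output: str) -> list[str]:
    """Findings a monitoring job would raise from one poll of the command."""
    stats = parse_url_server_stats(output)
    alerts = [f"URL server {ip} is DOWN" for ip in stats.down()]
    if stats.status and not stats.filtering_available():
        alerts.append("all URL servers are DOWN; URL filtering is unavailable")
    return alerts


if __name__ == "__main__":
    for alert in url_server_alerts(SAMPLE_OUTPUT):
        print(alert)
```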

Related Commands

aaa authorization
filter
show

username
Sets the username for the specified privilege level. (Configuration mode.)

Start with the command...
username username {[{nopassword | password password} [encrypted]] [privilege level]}

Stop with the command...
no username username
clear username

Show command options: show username username

Show command output: Displays users entered in the local PIX Firewall user authentication database.


Syntax Description

username

Specifies the name of a specific user in the local PIX Firewall authentication database.

Usage Guidelines

The local PIX Firewall user authentication database consists of the users entered with the username command. The PIX Firewall login command uses this database for authentication.

Related Commands

login
privilege

virtual
Access the PIX Firewall virtual server. (Configuration mode.)

Access with the command...
virtual http ip_address [warn]
virtual telnet ip_address

Stop with the command...
N/A

Syntax Description

ip_address

For outbound use, ip_address must be an address routed to the PIX Firewall. Use an RFC 1918 address that is not in use on any interface. For inbound use, ip_address must be an unused global address. An access-list and static command pair must provide access to ip_address, as well as an aaa accounting authentication command statement. See the Examples section for more information. For example, if an inside client at 192.168.0.100 has a default gateway set to the inside interface of the PIX Firewall at 192.168.0.1, the ip_address can be any IP address not in use on that segment (such as 10.2.3.4). As another example, if the inside client at 192.168.0.100 has a default gateway other than the PIX Firewall (such as a router at 192.168.0.254), then the ip_address would need to be set to a value that would get statically routed to the PIX Firewall. This might be accomplished by using a value of 10.0.0.1 for the ip_address, then on the client, setting the PIX Firewall at 192.168.0.1 as the route to host 10.0.0.1.

warn

Let virtual http command users know that the command was redirected. This option is only applicable for text-based browsers where the redirect cannot happen automatically.

Usage Guidelines

The virtual http command lets web browsers work correctly with the PIX Firewall aaa command. The aaa command assumes that the AAA server database is shared with a web server. PIX Firewall automatically provides the AAA server and web server with the same information. The virtual http command works with the aaa command to authenticate the user, separate the AAA server information from the web client's URL request, and direct the web client to the web server. Use the show virtual http command to list commands in the configuration. Use the no virtual http command to disable its use.


The virtual http command works by redirecting the web browser's initial connection to the ip_address, which resides in the PIX Firewall, authenticating the user, then redirecting the browser back to the URL which the user originally requested. This mechanism comprises the PIX Firewall unit's new virtual server feature. The command is named as it is because the virtual http command accesses the virtual server for use with HTTP, another name for the Web.

This command is especially useful for PIX Firewall interoperability with Microsoft IIS, but is useful for other authentication servers. When using HTTP authentication to a site running Microsoft IIS that has Basic text authentication or NT Challenge enabled, users may be denied access from the Microsoft IIS server. This occurs because the browser appends the string Authorization: Basic=Uuhjksdkfhk== to the HTTP GET commands. This string contains the PIX Firewall authentication credentials. Windows NT Microsoft IIS servers respond to the credentials and assume that a Windows NT user is trying to access privileged pages on the server. Unless the PIX Firewall username and password combination is exactly the same as a valid Windows NT username and password combination on the Microsoft IIS server, the HTTP GET command is denied.

To solve this problem, PIX Firewall provides the virtual http command, which redirects the browser's initial connection to another IP address, authenticates the user, then redirects the browser back to the URL which the user originally requested.

Once authenticated, a user never has to reauthenticate no matter how low the PIX Firewall uauth timeout is set. This is because the browser caches the Authorization: Basic=Uuhjksdkfhk== string and sends it in every subsequent connection to that particular site. This can only be cleared when the user exits all instances of Netscape Navigator or Internet Explorer and restarts. Flushing the cache is of no use.

If you want double authentication, through the authentication server and the web browser, configure the authentication server to not accept anonymous connections.

Note: Do not set the timeout uauth duration to 0 seconds when using the virtual command because this will prevent HTTP connections to the real web server.

For both the virtual http and virtual telnet commands, if the connection is started on either an outside or perimeter interface, a static and access-list command pair is required for the fictitious IP address.

The virtual telnet command allows the Virtual Telnet server to provide a way to pre-authenticate users who require connections through the PIX Firewall using services or protocols that do not support authentication. The virtual telnet command can be used both to log in and log out of the PIX Firewall.

When an unauthenticated user Telnets to the virtual IP address, they are challenged for their username and password, and then authenticated with the TACACS+ or RADIUS server. Once authenticated, they see the message Authentication Successful and their authentication credentials are cached in the PIX Firewall for the duration of the uauth timeout.

If a user wishes to log out and clear their entry in the PIX Firewall uauth cache, the user can again Telnet to the virtual address. The user is prompted for their username and password, the PIX Firewall removes the associated credentials from the uauth cache, and the user will receive a Logout Successful message.

If inbound users on either the perimeter or outside interfaces need access to the Virtual Telnet server, a static and access-list command pair must accompany use of the virtual telnet command. The global IP address in the static command must be a real IP address. The local address in the static command is the IP address of the virtual server.

The Virtual Telnet server provides a way to pre-authenticate users who require connections through the PIX Firewall using services or protocols that do not support authentication. Users first connect to the Virtual Telnet server IP address, where the user is prompted for a username and password.


Examples

virtual http

The following example shows the commands required to use the virtual http command for an inbound connection:

static (inside, outside) 209.165.201.1 209.165.201.1 netmask 255.255.255.255
access-list acl_out permit tcp any host 209.165.201.1 eq 80
access-group acl_out in interface outside
aaa authentication include any inbound 209.165.201.1 255.255.255.255 0 0 tacacs+
virtual http 209.165.201.1

The next example displays the show virtual command output:

show virtual http
virtual http 209.165.201.1

virtual telnet

After adding the virtual telnet command to the configuration and writing the configuration to Flash memory, users wanting to start PPTP sessions through PIX Firewall use Telnet to access the ip_address as shown in the following example.

On the PIX Firewall:

virtual telnet 209.165.201.25
static (inside, outside) 209.165.201.25 209.165.201.25 netmask 255.255.255.255
access-list acl_out permit tcp any host 209.165.201.25 eq telnet
access-group acl_out in interface outside
write memory

On an inside host:

/unix/host%telnet 209.165.201.30
Trying 209.165.201.25...
Connected to 209.165.201.25.
Escape character is ^].
username: username
TACACS+ Password: password
Authentication Successful
Connection closed by foreign host.
/unix/host%

The username and password are those for the user on the TACACS+ server.


vpdn
Implement the L2TP, PPTP, or PPPoE features. (Configuration mode.)

Start with the command...
vpdn enable if_name
vpdn group group_name accept dialin pptp|l2tp
vpdn group group_name l2tp tunnel hello hello_timeout
vpdn group group_name ppp encryption mppe 40 | 128 | auto [required]
vpdn group group_name client configuration address local address_pool_name
vpdn group group_name client configuration dns dns_server_ip1 [dns_server_ip2]
vpdn group group_name client configuration wins wins_server_ip1 [wins_server_ip2]
vpdn group group_name client authentication aaa aaa_server_group
vpdn group group_name client authentication local
vpdn group group_name client accounting aaa_server_group
vpdn group group_name pptp echo echo_timeout
vpdn username name password pass
vpdn group group_name localname username
vpdn group group_name request dialout pppoe
vpdn group group_name ppp authentication PAP | CHAP | MSCHAP

Stop with the command... (the same form applies to each of the commands above)
clear vpdn [group | username | tunnel [all | [id tunnel_id]]]

Show command options and output:

show vpdn tunnel [l2tp | pptp | pppoe] [id tunnel_id | packets | state | summary | transport]: Displays tunnel information.
show vpdn username [name]: Displays local usernames.


show vpdn session [l2tp | pptp | pppoe] [id session_id | packets | state | window]: Displays session information.
show vpdn pppinterface [id intf_id]: Displays the interface identification value.

Syntax Description

l2tp | pptp | pppoe: Select either l2tp, pptp, or pppoe to display information for only that tunnel type. The PIX Firewall shows all three tunnel protocols if no option is specified.
l2tp tunnel hello hello_timeout: Specifies the L2TP tunnel keep-alive hello timeout value in seconds. Default is 60 seconds if not specified. The value can be between 10 and 300 seconds.
accept dialin pptp|l2tp: Accept a dial-in request using PPTP or L2TP.
all: [clear command only] Removes all L2TP or PPTP tunnels from the configuration.
client accounting aaa_server_group: Specifies the AAA server group for accounting. The accounting AAA server group can be different from the AAA server group for user authentication.
client authentication aaa aaa_server_group: Specifies the AAA server group for user authentication.
client authentication local: Authenticate using the local username and password entries you specify in the PIX Firewall configuration.
client configuration address local address_pool_name: Specifies the local address pool used to allocate an IP address to a client. Use the ip local pool command to specify the IP addresses for use by the clients.
client configuration dns dns_server_ip1 [dns_server_ip2]: Specifies up to two DNS server IP addresses. If set, the PIX Firewall sends this information to the Windows client during the IPCP phase of PPP negotiation.
client configuration wins wins_server_ip1 [wins_server_ip2]: Specifies up to two WINS server IP addresses.
enable if_name: Enable the VPDN function on a PIX Firewall interface. Specifies the interface in if_name where L2TP or PPTP traffic is received. Only inbound connections are supported.
group: [clear command only] Removes all vpdn group commands from the configuration.
group group_name: Specifies the VPDN group name. The VPDN group_name is an ASCII string to denote a VPDN group. You can make up the name. The maximum length is 63 characters.
id: Identify tunnel or session.
id session_id: Unique session identifier.
id tunnel_id: Unique tunnel identifier.
id tunnel_id: [clear command only] Removes PPTP tunnels from the configuration that match tunnel_id. You can view the tunnel IDs with the show vpdn tunnel command.
localname username: Assigns a name to the group for PPPoE use. This is also the name in the vpdn username command.


packets: Packet and byte count.
pass: Specifies the password for the local group used for PPPoE.
password: Specifies local user password.
ppp authentication PAP | CHAP | MSCHAP: Specifies the Point-to-Point Protocol (PPP) authentication protocol. The Windows client dial-up networking settings let you specify what authentication protocol to use (PAP, CHAP, or MS-CHAP). Whatever you specify on the client must match the setting you use on the PIX Firewall. Password Authentication Protocol (PAP) lets PPP peers authenticate each other. PAP passes the host name or username in clear text. Challenge Handshake Authentication Protocol (CHAP) lets PPP peers prevent unauthorized access through interaction with an access server. MS-CHAP is a Microsoft derivation of CHAP. PIX Firewall supports MS-CHAP version 1 only (not version 2.0). If an authentication protocol is not specified on the host, do not specify the ppp authentication option in your configuration.
ppp encryption mppe 40 | 128 | auto [required]: Specifies the number of session key bits used for MPPE (Microsoft Point-to-Point Encryption) negotiation. The domestic version of the Windows client can support 40- and 128-bit session keys, but the international version of the Windows client only supports 40-bit session keys. On the PIX Firewall, use auto to accommodate both. Use required to indicate that MPPE must be negotiated or the connection will be terminated.
pppinterface id intf_id: A PPP virtual interface is created for each PPTP or PPPoE tunnel.
pptp echo echo_timeout: Specifies the PPTP keep-alive echo timeout value in seconds. PIX Firewall terminates a tunnel if an echo reply is not received within the timeout period you specify.
request dialout pppoe: Specifies to allow dialout PPPoE requests.
state: Session state.
summary: Tunnel summary information.
transport: Tunnel transport information.
tunnel: [clear command only] Removes one or more L2TP or PPTP tunnels from the configuration.
username name: Enter or display local username. However, when used as a clear command option, username removes all vpdn username commands from the configuration.
window: Window information.

Usage Guidelines

The vpdn command implements the L2TP, PPTP, and PPPoE features for inbound connections. Refer to the Cisco PIX Firewall and VPN Configuration Guide for L2TP and PPTP configuration examples. Point-to-Point Tunneling Protocol (PPTP) is a layer two tunneling protocol which lets a remote client use a public IP network to communicate securely with servers at a private corporate network. PPTP tunnels the IP protocol. RFC 2637 describes the PPTP protocol.

Note

The PIX Firewall is a PPTP and L2TP Server and a PPPoE client. The show vpdn commands list tunnel and session information.


The clear vpdn command removes all vpdn commands from the configuration and stops all the active PPTP, L2TP, and PPPoE tunnels. The clear vpdn all command lets you remove all tunnels, and the clear vpdn id tunnel_id command lets you remove tunnels associated with tunnel_id. (You can view the tunnel_id with the show vpdn command.) The clear vpdn group command removes all the vpdn group commands from the configuration. The clear vpdn username command removes all the vpdn username commands from the configuration.
PPPoE

Because PPPoE encapsulates PPP, PPPoE relies on PPP to perform authentication and ECP and CCP functions for client sessions operating within the VPN tunnel. Additionally, PPPoE is not supported in conjunction with DHCP because PPP assigns the IP address for PPPoE. The following are PPPoE restrictions on the PIX Firewall:

The PIX Firewall acts as a PPPoE client only.
The PPPoE client is only supported on the outside interface of the PIX Firewall in PIX Firewall software version 6.2.

Note: Unless the VPDN group for PPPoE is configured, PPPoE will not be able to establish a connection.

To define a VPDN group to be used for PPPoE, use the vpdn group group_name request dialout pppoe command. If your ISP requires authentication, use the vpdn group group_name ppp authentication PAP | CHAP | MSCHAP command to select the authentication protocol used by your ISP. Use the vpdn group group_name localname username command to associate the username assigned by your ISP with the VPDN group. Use the vpdn username username password pass command to create a username and password pair for the PPPoE connection. The username must be a username that is already associated with the VPDN group specified for PPPoE.

Note: If your ISP is using CHAP or MS-CHAP, the username may be called the remote system name and the password may be called the CHAP secret.

The PPPoE client functionality is turned off by default, so after VPDN configuration, enable PPPoE with the ip address if_name pppoe [setroute] command. The setroute option causes a default route to be created if no default route exists. As soon as PPPoE is configured, the PIX Firewall attempts to find a PPPoE access concentrator with which to communicate. When a PPPoE connection is terminated, either normally or abnormally, the PIX Firewall attempts to find a new access concentrator with which to communicate. The following ip address commands should not be used after a PPPoE session is initiated because they will terminate the PPPoE session:

ip address outside pppoe, because it attempts to initiate a new PPPoE session.
ip address outside dhcp, because it disables the interface until the interface gets its DHCP configuration.
ip address outside address netmask, because it brings up the interface as a normally initialized interface.


PPTP

Use the vpdn command with the sysopt connection permit-pptp command to allow PPTP traffic to bypass checking of conduit or access-list command statements. You can troubleshoot PPTP traffic with the debug ppp and debug vpdn commands.

PPTP is an alternative to IPSec handling for VPN clients or Easy VPN Remote devices. While PPTP is less secure than IPSec, PPTP is easier to implement and maintain. Only inbound PPTP connections are supported and only one PIX Firewall interface can have the vpdn command enabled.

Supported authentication protocols include PAP, CHAP, and MS-CHAP using external AAA (RADIUS or TACACS+) servers or the PIX Firewall local username and password database. Through the PPP IPCP protocol negotiation, PIX Firewall assigns a dynamic internal IP address to the PPTP client, allocated from a locally defined IP address pool.

PIX Firewall PPTP VPN supports standard PPP CCP negotiations with Microsoft Point-To-Point Encryption (MPPE) extensions using the RSA/RC4 algorithm. MPPE currently supports 40-bit and 128-bit session keys. MPPE generates an initial key during user authentication and refreshes the key regularly. In this release, compression is not supported.

When you specify MPPE, you must use the MS-CHAP PPP authentication protocol. If you are using an external AAA server, the protocol must be RADIUS and the external RADIUS server must be able to return the Microsoft MSCHAP_MPPE_KEY attribute to the PIX Firewall in the RADIUS Authentication Accept packet. See RFC 2548, Microsoft Vendor Specific RADIUS Attributes, for more information on the MSCHAP_MPPE_KEY attribute. Cisco Secure ACS 2.5 and higher versions support the MSCHAP/MPPE encryption.

PIX Firewall PPTP VPN has been tested with the following Microsoft Windows products: Windows 95 with DUN 1.3, Windows 98, Windows NT 4.0 with Service Pack (SP) 6, and Windows 2000.

Note

If you configure PIX Firewall for 128-bit encryption and if a Windows 95 or Windows 98 client does not support 128-bit or greater encryption, then the connection to the PIX Firewall is refused. When this occurs, the Windows client moves the dial-up connection menu down to the screen corner while the PPP negotiation is in progress. This gives the appearance that the connection is accepted when it is not. When the PPP negotiation completes, the tunnel terminates and PIX Firewall ends the connection. The Windows client eventually times out and disconnects.

Examples

The following is a sample PPPoE configuration:


vpdn group pppoegroup request dialout pppoe
vpdn group pppoegroup localname myusername
vpdn group pppoegroup ppp authentication pap
vpdn username myusername password mypassword
ip address outside pppoe setroute


The VPDN commands configure a VPDN group for PPPoE, and the ip address outside pppoe setroute command enables the PPPoE session. The following example is sample output from the show vpdn tunnel l2tp command:
pix# show vpdn tunnel l2tp
L2TP Tunnel Information (Total tunnels=1 sessions=1)
Tunnel id 1 is up, remote id is 7, 1 active sessions
  Tunnel state is established, time since change 12 secs
  Remote Internet Address 171.69.39.85, port 1701
  Local Internet Address 172.23.58.48, port 1701
  15 packets sent, 48 received, 377 bytes sent, 4368 received
  Control Ns 3, Nr 4
  Local RWS 16, Remote RWS 8
  Retransmission time 1, max 1 seconds
  Unsent queuesize 0, max 0
  Resend queuesize 0, max 1
  Total resends 0, ZLB ACKs 2
  Retransmit time distribution: 0 0 0 0 0 0 0 0 0
pix#

The following example is sample output from the show vpdn tunnel command:
pix# show vpdn tunnel
L2TP Tunnel Information (Total tunnels=1 sessions=1)
Tunnel id 1 is up, remote id is 7, 1 active sessions
  Tunnel state is established, time since change 12 secs
  Remote Internet Address 171.69.39.85, port 1701
  Local Internet Address 172.23.58.48, port 1701
  15 packets sent, 48 received, 377 bytes sent, 4368 received
  Control Ns 3, Nr 4
  Local RWS 16, Remote RWS 8
  Retransmission time 1, max 1 seconds
  Unsent queuesize 0, max 0
  Resend queuesize 0, max 1
  Total resends 0, ZLB ACKs 2
  Retransmit time distribution: 0 0 0 0 0 0 0 0 0
% No active PPTP tunnels
pix#

The following is sample output from the show vpdn tunnel packet command:
show vpdn tunnel packet
PPTP Tunnel Information (Total tunnels=1 sessions=1)
LocID  Pkts-In  Pkts-Out  Bytes-In  Bytes-Out
1      1196     13        113910    420

The following is sample output from the show vpdn tunnel state command:
show vpdn tunnel state
PPTP Tunnel Information (Total tunnels=1 sessions=1)
LocID  RemID  State   Time-Since-Event-Chg
1      1      estabd  6 secs


The following is sample output from the show vpdn tunnel summary command:
show vpdn tunnel summary
PPTP Tunnel Information (Total tunnels=1 sessions=1)
LocID  RemID  State   Remote Address  Port  Sessions
1      1      estabd  172.16.38.194   1723  1

The following is sample output from the show vpdn tunnel transport command:
show vpdn tunnel transport
PPTP Tunnel Information (Total tunnels=1 sessions=1)
LocID  Type  Local Address  Port  Remote Address  Port
1      IP    172.16.1.209   1723  172.16.38.194   1723

The following is sample output from the show vpdn session command:
pix# show vpdn session
L2TP Session Information (Total tunnels=1 sessions=1)
Call id 1 is up on tunnel id 1
Remote tunnel name is abc-win2ke2
  Internet Address is 171.69.39.85
  Session username is guest, state is established
    Time since change 158 secs, interface outside
    Remote call id is 1
    PPP interface id is 1
    15 packets sent, 83 received, 377 bytes sent, 8412 received
    Sequencing is off
% No active PPTP tunnels

The following is sample output of a simple configuration that allows Windows PPTP clients to dial in without any authentication (not recommended). The Windows client can Telnet to internal host 192.168.0.2 through the static global address 209.165.201.2.
ip local pool my-addr-pool 10.1.1.1-10.1.1.254
vpdn group 1 accept dialin pptp
vpdn group 1 client configuration address local my-addr-pool
vpdn enable outside
static (inside, outside) 209.165.201.2 192.168.0.2
access-list acl_out permit tcp 10.1.1.0 255.255.255.0 host 209.165.201.2 eq telnet
access-group acl_out in interface outside

In the next example, PPTP clients authenticate using MS-CHAP and negotiate MPPE encryption with the PIX Firewall. The PPTP client can Telnet to host 192.168.0.2 through the static global 209.165.201.2. The Telnet session will be encrypted.
ip local pool my-addr-pool 10.1.1.1-10.1.1.254
aaa-server my-aaa-server-group (inside) host 192.168.0.10 key 12345678
aaa-server my-aaa-server-group protocol radius
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 client authentication aaa my-aaa-server-group
vpdn group 1 ppp encryption mppe auto required
vpdn group 1 client configuration address local my-addr-pool
vpdn enable outside
static (inside, outside) 209.165.201.2 192.168.0.2
access-list acl_out permit tcp 10.1.1.0 255.255.255.0 host 209.165.201.2 eq telnet
access-group acl_out in interface outside


In the next example, PPTP clients authenticate using MS-CHAP, negotiate MPPE encryption, receive the DNS and WINS server addresses, and can Telnet to the host 192.168.0.2 directly through the nat 0 command statement.
ip local pool my-addr-pool 10.1.1.1-10.1.1.254
aaa-server my-aaa-server-group (inside) host 192.168.0.10 key 12345678
aaa-server my-aaa-server-group protocol radius
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto required
vpdn group 1 client configuration address local my-addr-pool
vpdn group 1 client authentication aaa my-aaa-server-group
vpdn group 1 client configuration dns 10.2.2.99
vpdn group 1 client configuration wins 10.2.2.100
vpdn enable outside
access-list nonat permit ip host 192.168.0.2 10.1.1.0 255.255.255.0
access-list nonat permit ip host 10.2.2.99 10.1.1.0 255.255.255.0
access-list nonat permit ip host 10.2.2.100 10.1.1.0 255.255.255.0
nat (inside) 0 access-list nonat
access-list acl_out permit tcp 10.1.1.0 255.255.255.0 host 192.168.0.2 eq telnet
access-list acl_out permit udp 10.1.1.0 255.255.255.0 host 10.2.2.99 eq domain
access-list acl_out permit udp 10.1.1.0 255.255.255.0 host 10.2.2.100 eq netbios-ns
access-group acl_out in interface outside

In the next example, PPTP clients authenticate using MS-CHAP, negotiate MPPE encryption, receive the DNS and WINS server addresses, and can Telnet to the host 192.168.0.2 directly through the nat 0 command statement. An access-group command statement is not present because the sysopt connection permit-pptp command statement allows all the PPTP traffic through the tunnel.
ip local pool my-addr-pool 10.1.1.1-10.1.1.254
aaa-server my-aaa-server-group (inside) host 192.168.0.10 key 12345678
aaa-server my-aaa-server-group protocol radius
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto required
vpdn group 1 client configuration address local my-addr-pool
vpdn group 1 client authentication aaa my-aaa-server-group
vpdn group 1 client configuration dns 10.2.2.99
vpdn group 1 client configuration wins 10.2.2.100
vpdn enable outside
access-list nonat permit ip host 192.168.0.2 10.1.1.0 255.255.255.0
access-list nonat permit ip host 10.2.2.99 10.1.1.0 255.255.255.0
access-list nonat permit ip host 10.2.2.100 10.1.1.0 255.255.255.0
nat (inside) 0 access-list nonat
sysopt connection permit-pptp

In the next example, PPTP clients authenticate using MS-CHAP, negotiate MPPE encryption, receive the DNS and WINS server addresses, and can Telnet to the host 192.168.0.2 directly through the nat 0 command. The PPTP authenticates using the PIX Firewall local username and password database you create with the vpdn username command. Users are reauthenticated again by the aaa command when they start a Telnet session. An access-group command statement is not present because the sysopt connection permit-pptp command statement allows all the PPTP traffic through the tunnel.
ip local pool my-addr-pool 10.1.1.1-10.1.1.254
aaa-server my-aaa-server-group (inside) host 192.168.0.10 key 12345678
aaa-server my-aaa-server-group protocol radius
vpdn username usrname1 password password1
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto required
vpdn group 1 client configuration address local my-addr-pool
vpdn group 1 client authentication local
vpdn group 1 client configuration dns 10.2.2.99
vpdn group 1 client configuration wins 10.2.2.100
vpdn enable outside
access-list nonat permit ip host 192.168.0.2 10.1.1.0 255.255.255.0
access-list nonat permit ip host 10.2.2.99 10.1.1.0 255.255.255.0
access-list nonat permit ip host 10.2.2.100 10.1.1.0 255.255.255.0
nat (inside) 0 access-list nonat
sysopt connection permit-pptp
aaa authentication include telnet inbound 192.168.0.2 255.255.255.255 10.1.1.0 255.255.255.0

vpnclient
Initiates Easy VPN Remote setup. (Configuration mode.)

Start with the command...
  vpnclient vpngroup group_name password preshared_key
  vpnclient username xauth_username password xauth_password
  vpnclient server ip_primary [ip_secondary_1, ip_secondary_2, ... , ip_secondary_n]
  vpnclient mode client-mode | network-extension-mode
  vpnclient enable
  N/A

Stop with the command...
  no vpnclient vpngroup
  no vpnclient username
  no vpnclient server
  no vpnclient mode
  no vpnclient enable
  clear vpnclient

Show command options: show vpnclient

Show command output: Displays VPN client or Easy VPN Remote device configuration information.

Syntax Description

group_name
    The name of the VPN group configured on the VPN headend. The maximum length is 63 characters.
ip_primary
    The primary IP address for the Easy VPN Remote Server.
ip_secondary_1, ip_secondary_2, ... , ip_secondary_n
    Any number of secondary IP addresses (backup VPN headends), from 1 to n, for the Easy VPN Remote Server. (Check your platform-specific documentation for applicable peer limits on your PIX Firewall platform.)
password
    Specifies to set the password.
preshared_key
    The IKE pre-shared key used for authentication by the Easy VPN Remote Server.
xauth_password
    The user password to be used for user authorization. The maximum length is 127 characters.
xauth_username
    The username to be used for user authorization. The maximum length is 127 characters.


Usage Guidelines

The vpnclient command stores non-transitory Easy VPN Remote configuration information in the flash memory of the PIX Firewall so that it is preserved whether or not the PIX Firewall reboots. You must specify all variables for the vpnclient command, except xauth_username and xauth_password, before enabling an Easy VPN Remote connection. Also, you must configure NAT, IKE (using the isakmp and isakmp policy commands), the crypto ipsec transform set, the crypto map, and an access control list (to trigger building the VPN tunnel) to enable Easy VPN Remote.

The no vpnclient enable command closes all established VPN tunnels and prevents new VPN tunnels from initiating until you enter a vpnclient enable command. The clear vpnclient command removes all vpnclient commands from your configuration.

Examples

The following is an example Easy VPN Remote configuration:


vpnclient vpngroup group_a password pre_share_a
vpnclient username user_1 password pass_1
vpnclient server vpn_gateway_a
vpnclient mode client-mode

vpngroup
Supports Cisco VPN Client version 3.x (Cisco Unified VPN Client Framework) and Easy VPN Remote devices. (Configuration mode.)

Start with the command...
  vpngroup group_name address-pool pool_name
  vpngroup group_name default-domain domain_name
  vpngroup group_name dns-server dns_ip_prim [dns_ip_sec]
  vpngroup group_name idle-time idle_seconds
  vpngroup group_name max-time max_seconds
  vpngroup group_name password preshared_key
  vpngroup group_name pfs
  vpngroup group_name split-dns domain_name1 [domain_name2, domain_name3, ... , domain_name8]
  vpngroup group_name split-tunnel acl_name
  vpngroup group_name wins-server wins_ip_prim [wins_ip_sec]

Stop with the command...
  no vpngroup group_name address-pool pool_name
  no vpngroup group_name default-domain domain_name
  no vpngroup group_name dns-server dns_ip_prim [dns_ip_sec]
  no vpngroup group_name idle-time idle_seconds
  no vpngroup group_name max-time max_seconds
  no vpngroup group_name password preshared_key
  no vpngroup group_name pfs
  no vpngroup group_name split-dns
  no vpngroup group_name split-tunnel acl_name
  no vpngroup group_name wins-server wins_ip_prim [wins_ip_sec]

Syntax Description

acl_name
    The name of the access list to which to bind split tunneling.
dns_ip_prim
    The IP address of the primary DNS server.
dns_ip_sec
    The IP address of the secondary DNS server.
domain_name
    The default domain name.
domain_name1 [domain_name2, domain_name3, ... , domain_name8]
    The domains to configure for split DNS.
group_name
    Specifies the VPN group name and is an ASCII string with a maximum length of 63 characters. (You choose the name.)
idle_seconds
    The inactivity timeout in seconds. The default is 1800 seconds or 30 minutes.
max_seconds
    The maximum connection time, in seconds, the VPN group is allowed. The default maximum connection time is set to unlimited.
pfs
    Specifies that the VPN client or Easy VPN Remote device is required to perform PFS.
pool_name
    The IP address pool name.
preshared_key
    The VPN group pre-shared key.
split-dns
    Specifies to use split DNS.
vpngroup
    Identifies the VPN dial-up group. The maximum identifier length is 63 characters.
wins_ip_prim
    The IP address of the primary WINS server.
wins_ip_sec
    The IP address of the secondary WINS server.

Usage Guidelines

Be sure to configure the IKE Mode Config prior to configuring support for the Cisco VPN 3000 Client. In configuring IKE Mode Config, specify that the PIX Firewall initiates the IKE Mode Config. For additional information about configuring interoperability with the Cisco VPN 3000 Client using the vpngroup commands, see the Cisco PIX Firewall and VPN Configuration Guide. The Cisco VPN 3000 Client supports Windows 2000.

The vpngroup command set lets you configure Cisco VPN 3000 Client policy attributes to be associated with a VPN group name and downloaded to the Cisco VPN 3000 Client(s) that are part of the given group. The same VPN group name is configured in the Cisco VPN 3000 Client to ensure the matching of VPN client or Easy VPN Remote policy. Configure a VPN group name of default to create a VPN group policy that matches any group name. The PIX Firewall selects the VPN group name default if there is no other policy match.

The vpngroup address-pool command lets you define a pool of local addresses to be assigned to a VPN group.

Note

Both the vpngroup address-pool command and the ip local pool command enable you to specify a pool of local addresses to be used for assigning dynamic IP addresses to VPN clients and Easy VPN Remote devices. In the case of the Cisco VPN 3000 Client, the specified pool of addresses is associated with a given group, which consists of Cisco VPN 3000 Client users. We recommend using the vpngroup address-pool command only if you will configure more than one pool of addresses to be used by more than one VPN user group. The vpngroup address-pool command gives the PIX Firewall added flexibility to configure different pools of local addresses for different user groups.


The vpngroup dns-server command enables the PIX Firewall to download an IP address of a DNS server to a Cisco VPN 3000 Client as part of an IKE negotiation. The vpngroup wins-server command lets the PIX Firewall download an IP address of a WINS server to a Cisco VPN 3000 Client as part of an IKE negotiation. To enable the PIX Firewall to download a default domain name to a Cisco VPN 3000 Client as part of IKE negotiation, use the vpngroup default-domain command.

Use the vpngroup split-tunnel command to enable split tunneling on the PIX Firewall. Split tunneling allows a remote VPN client or Easy VPN Remote device simultaneous encrypted access to the corporate network and clear access to the Internet. Using the vpngroup split-tunnel command, specify the access list name to which to associate the split tunneling of traffic. With split tunneling enabled, the PIX Firewall downloads the local network IP address and netmask specified within the associated access list to the VPN client or Easy VPN Remote device as part of the policy push to the client. In turn, the VPN client or Easy VPN Remote device sends the traffic destined to the specified local PIX Firewall network via an IPSec tunnel and all other traffic in the clear. The PIX Firewall receives the IPSec-protected packet on its outside interface, decrypts it, and then sends it to its specified local network.

If you do not enable split tunneling, all traffic between the VPN client or Easy VPN Remote device and the PIX Firewall is sent through an IPSec tunnel. All traffic originating from the VPN client or Easy VPN Remote device is sent to the PIX Firewall's outside interface through a tunnel, and the client's access to the Internet from its remote site is denied.

Regardless of whether split tunneling is enabled, VPN clients and Easy VPN Remote devices negotiate an IPSec tunnel to the PIX Firewall unit's IP address with a netmask of 255.255.255.255. Networks defined in access-list deny command statements are not pushed to VPN clients or Easy VPN Remote devices.

The vpngroup idle-time command sets the inactivity timeout for a Cisco VPN 3000 Client. When the inactivity timeout for all IPSec SAs has expired for a given VPN client or Easy VPN Remote device, the tunnel is terminated. The default inactivity timeout is 30 minutes.

The vpngroup max-time command sets the maximum connection time for a Cisco VPN 3000 Client. When the maximum connection time is reached for a given VPN client or Easy VPN Remote device, the tunnel is terminated. This means the connection between the Cisco VPN 3000 Client and the PIX Firewall will have to be reestablished. The default maximum connection time is set to an unlimited amount of time.

Note

The inactivity timeout specified with the vpngroup idle-time command and the maximum connection time specified with the vpngroup max-time command for a given Cisco VPN 3000 Client take precedence over the commands used to set global lifetime timeouts. These commands are the isakmp policy lifetime and crypto map set security-association lifetime seconds commands.

Configure the VPN group's pre-shared key, used during IKE authentication, with the vpngroup password command. This pre-shared key is equivalent to the password that you enter within the Group Password box of the Cisco VPN 3000 Client while configuring your group access information for a connection entry. The configured password is displayed as asterisks in the PIX Firewall configuration file.


Note

Both the vpngroup password command and the isakmp key address command let you specify a pre-shared key to be used for IKE authentication. We recommend that you use the vpngroup password command only if you plan to configure more than one VPN user group. The vpngroup password command gives the PIX Firewall added flexibility to configure different VPN user groups.

Examples

The following example shows the use of the vpngroup commands. The VPN client(s) or Easy VPN Remote device(s) within the VPN group named myVpnGroup will be dynamically assigned one of the IP addresses from the pool of addresses ranging from 10.140.40.0 to 10.140.40.7. The policy attributes for the group myVpnGroup will be downloaded to the given VPN client or Easy VPN Remote device during the policy push to the client. Split tunneling is enabled. In the example, all traffic destined for the 10.130.38.0 255.255.255.0 PIX Firewall network from the VPN client or Easy VPN Remote device will be IPSec protected.
access-list 90 permit ip 10.130.38.0 255.255.255.0 10.140.40.0 255.255.255.248
ip local pool vpnpool 10.140.40.1-10.140.40.7
crypto ipsec transform-set esp-sha esp-null esp-sha-hmac
crypto dynamic-map dynmap 50 set transform-set esp-sha
crypto map mapName 10 ipsec-isakmp dynamic dynmap
crypto map mapName client configuration address initiate
crypto map mapName interface outside
isakmp enable outside
isakmp identity hostname
isakmp policy 7 authentication pre-share
isakmp policy 7 encryption 3des
isakmp policy 7 hash md5
isakmp policy 7 group 1
vpngroup myVpnGroup address-pool vpnpool
vpngroup myVpnGroup dns-server 10.131.31.11
vpngroup myVpnGroup wins-server 10.131.31.11
vpngroup myVpnGroup default-domain example.com
vpngroup myVpnGroup split-tunnel 90
vpngroup myVpnGroup idle-time 1800
vpngroup myVpnGroup max-time 86400
vpngroup myVpnGroup password ********
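As an added example that is not part of the PIX reference, the Python below audits a configuration of the kind shown in the vpngroup example above and in the earlier PPTP examples: it resolves which networks the split-tunnel access list would push to clients (permit statements only, as the usage guidelines state) and lists the settings a reviewer would question. The configuration text is a constructed sample built from the page's example with one deny statement, a second group and the PPTP sysopt line added.

```python
import ipaddress
import re

# Constructed sample based on this page's vpngroup example, plus one access-list deny
# statement (to show deny is not pushed), a second group, and the PPTP sysopt line.
SAMPLE_CONFIG = """
access-list 90 deny ip 10.130.38.128 255.255.255.128 10.140.40.0 255.255.255.248
access-list 90 permit ip 10.130.38.0 255.255.255.0 10.140.40.0 255.255.255.248
ip local pool vpnpool 10.140.40.1-10.140.40.7
crypto ipsec transform-set esp-sha esp-null esp-sha-hmac
crypto dynamic-map dynmap 50 set transform-set esp-sha
crypto map mapName 10 ipsec-isakmp dynamic dynmap
isakmp policy 7 authentication pre-share
isakmp policy 7 encryption 3des
isakmp policy 7 hash md5
isakmp policy 7 group 1
vpngroup myVpnGroup address-pool vpnpool
vpngroup myVpnGroup split-tunnel 90
vpngroup myVpnGroup idle-time 1800
vpngroup myVpnGroup max-time 86400
vpngroup guests address-pool vpnpool
sysopt connection permit-pptp
"""

def pushed_split_tunnel_networks(config: str, group: str) -> list[str]:
    """Networks pushed to clients of `group` for split tunneling: only access-list
    permit statements are pushed, deny statements are not (per the usage guidelines).
    Empty means split tunneling is off and all client traffic uses the tunnel."""
    match = re.search(rf"^vpngroup {re.escape(group)} split-tunnel (\S+)$", config, re.M)
    if not match:
        return []
    acl = match.group(1)
    networks = []
    for line in config.splitlines():
        parts = line.split()
        # access-list <acl> permit ip <local_net> <local_mask> <pool_net> <pool_mask>
        if len(parts) >= 6 and parts[:3] == ["access-list", acl, "permit"]:
            networks.append(str(ipaddress.IPv4Network((parts[4], parts[5]))))
    return networks

def weak_settings(config: str) -> list[str]:
    """One-line findings a reviewer should question in the VPN configuration."""
    findings = []
    for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M):
        if "esp-null" in m.group(2).split():
            findings.append(f"transform-set {m.group(1)}: esp-null means no ESP encryption (authentication only)")
    for m in re.finditer(r"^isakmp policy (\d+) hash md5$", config, re.M):
        findings.append(f"isakmp policy {m.group(1)}: MD5 as the IKE hash")
    for m in re.finditer(r"^isakmp policy (\d+) group 1$", config, re.M):
        findings.append(f"isakmp policy {m.group(1)}: Diffie-Hellman group 1 (768-bit MODP)")
    if re.search(r"^sysopt connection permit-pptp$", config, re.M):
        findings.append("sysopt connection permit-pptp: PPTP tunnel traffic bypasses access-group filtering")
    # vpngroup max-time defaults to unlimited, so flag groups that never set one.
    groups = set(re.findall(r"^vpngroup (\S+) ", config, re.M))
    limited = set(re.findall(r"^vpngroup (\S+) max-time ", config, re.M))
    for group in sorted(groups - limited):
        findings.append(f"vpngroup {group}: no max-time, connection time is unlimited by default")
    return findings

if __name__ == "__main__":
    print(pushed_split_tunnel_networks(SAMPLE_CONFIG, "myVpnGroup"))
    for finding in weak_settings(SAMPLE_CONFIG):
        print("-", finding)
```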


who
Show active Telnet administration sessions on the PIX Firewall. (Unprivileged mode.)

Start with the command...
  who [local_ip]

Stop with the command...
  N/A

Show command options: show who [local_ip]

Show command output: Displays the PIX Firewall TTY_ID and IP address of each Telnet client currently logged into the PIX Firewall.

Syntax Description

local_ip

An optional internal IP address to limit the listing to one IP address or to a network IP address.

Usage Guidelines

The who command shows the PIX Firewall TTY_ID and IP address of each Telnet client currently logged into the PIX Firewall. This command is the same as the show who command.

Examples

The following example shows how to display the current Telnet sessions:
pixfirewall# who
0: From 192.168.1.3
1: From 192.168.2.2

Related Commands

kill
telnet

write
Store, view, or erase the current configuration. (Privileged mode.)

Start with the command...
  write net [[server_ip]:[filename]]
  write floppy
  write memory | floppy [uncompressed]
  write standby
  write terminal

Stop with the command...
  N/A

Remove entire configuration from flash with...
  write erase


Note

The PIX 506/506E does not support use of the write standby command. Also, the PIX 515/515E, PIX 506/506E, and the PIX 525 do not support use of the write floppy command.

Syntax Description

erase
    Clear the Flash memory configuration.
filename
    A filename you specify to qualify the location of the configuration file on the TFTP server named in server_ip. If you set a filename with the tftp-server command, do not specify it in the write command; instead just use a colon ( : ) without a filename. Many TFTP servers require the configuration file to be world-writable to write to it.
floppy
    Stores the current configuration on diskette.
memory
    Stores the current configuration in Flash memory, along with the activation key value and timestamp for when the configuration was last modified.
server_ip
    Specifies the IP address of the TFTP server. If you specify the full path and filename in the tftp-server command, then use a : in the write command.
standby
    Stores the configuration to the failover standby unit from RAM-to-RAM.
terminal
    Displays the current configuration on the terminal.
uncompressed
    Writes the configuration to memory without storing it in compressed format.

Usage Guidelines

The write net command stores the current configuration into a file on a TFTP server elsewhere in the network. Additionally, the write net command uses the TFTP server IP address specified in the tftp-server command. If you specify both the IP address and path name in the tftp-server command, you can specify the write net :filename command as simply a colon ( : ) as follows:
write net :

Use the configure net command to get the configuration from the file.

The write erase command clears the Flash memory configuration.

The write floppy command stores the current configuration on diskette. The diskette must be DOS formatted or a PIX Firewall boot disk. If you are formatting the diskette from Windows, choose the Full format type, not the Quick (erase) selection. You can tell that information is stored on the diskette by observing that the light next to the diskette drive glows while information transfers. The diskette you create can only be read or written by the PIX Firewall. If you use the write floppy command with a diskette that is not a PIX Firewall boot disk, do not leave the floppy in the floppy drive because it will prevent the firewall from rebooting in the event of a power failure or system reload. Only one copy of the configuration can be stored on a single diskette.

The write memory command saves the current running configuration to Flash memory. Use the configure memory command to merge the current configuration with the image you saved in Flash memory. PIX Firewall lets processing continue during the write memory command.


If another PIX Firewall console user tries to change the configuration while you are executing the write memory command, the user receives the following messages:
Another session is busy writing configuration to memory
Please wait a moment for it to finish

After the write memory command completes, PIX Firewall lets the other command complete.

Note

Only use the write memory command if a configuration has been created with IP addresses for both network interfaces.

The write standby command writes the configuration stored in RAM on the active failover unit to the RAM on the standby unit. When the primary unit boots, it automatically writes the configuration to the secondary unit. Use the write standby command if the primary and secondary units' configurations have different information.

The write terminal command displays the current configuration in the PIX Firewall unit's RAM. You can also display the configuration stored in Flash memory using the show configure command.

Defaults

The default on the PIX Firewall is to store all configurations in compressed format. However, whether a configuration is stored compressed or uncompressed is transparent when executing configuration commands.

Examples

The following example specifies the TFTP server and creates a file named new_config in which to store the configuration:
tftp-server 10.1.1.2 /pixfirewall/config/new_config
write net :

The following example erases the contents of Flash memory and reloads the PIX Firewall:
write erase
Erase PIX configuration in Flash memory? [confirm] y
reload
Proceed with reload? [confirm] y

The following example saves the configuration on diskette:
write floppy
Building configuration
[OK]

The following example saves the current configuration to Flash memory:
write memory
Building configuration
[OK]

The following example displays the configuration:
write terminal
Building configuration
: Saved


Related Commands

configure

Y and Z Commands
There are no y or z PIX Firewall commands.
