Catalyst 6500 Series Switch And Cisco 7600 Router Firewall Services Module Command Reference 2.3

User Manual: Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference 2.3

Open the PDF directly: View PDF .
Page Count: 820 [warning: Documents this large are best viewed by clicking the View PDF Link!]

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference
Contents

Corporate Headquarters

Cisco Systems, Inc.

170 West Tasman Drive

San Jose, CA 95134-1706

USA

http://www.cisco.com

Tel: 408 526-4000

800 553-NETS (6387)

Fax: 408 526-4100

Catalyst 6500 Series Switch and

Cisco 7600 Series Router Firewall Services

Module Command Reference

Firewall Services Module Release 2.3

Text Part Number: OL-6513-01

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL

STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT

WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT

SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE

OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH

ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT

LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF

DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,

WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO

OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and

iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco

Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Empowering the Internet Generation,

Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ

Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Pa c ket , PIX, Post-Routing, Pre-Routing,

ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, StrataView Plus, TeleRouter, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered

trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship

between Cisco and any other company. (0502R)

iii

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

CONTENTS

Preface xvii

Audience xvii

Organization xvii

Conventions xvii

Related Documentation

The following publications are available for the Firewall Services Module:

•Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Installation

and Configuration Note

•Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Software

Configuration Guide

•Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module System

Messages Guide

[ ] Elements in square brackets are optional.

{ x | y | z } Alternative keywords are grouped in braces and separated by vertical bars.

Braces can also be used to group keywords and/or arguments; for example,

{interface interface type}.

[ x | y | z ] Optional alternative keywords are grouped in brackets and separated by

vertical bars.

string A nonquoted set of characters. Do not use quotation marks around the string or

the string will include the quotation marks.

screen font Terminal sessions and information the system displays are in screen font.

boldface screen font Information you must enter is in boldface screen font.

italic screen font Arguments for which you supply values are in italic screen font.

^ The symbol ^ represents the key labeled Control—for example, the key

combination ^D in a screen display means hold down the Control key while

you press the D key.

< > Nonprinting characters, such as passwords are in angle brackets.

[ ] Default responses to system prompts are in square brackets.

!, # An exclamation point (!) or a pound sign (#) at the beginning of a line of code

indicates a comment line.

Convention Description

xix

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

Preface

Obtaining Documentation

Use this document with the FWSM documentation available online at the following site:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/fwsm/fwsm_2_1/index.htm

Cisco provides FWSM technical tips at this URL:

http://www.cisco.com/warp/public/707/index.shtml#FWSM

Obtaining Documentation

Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several

ways to obtain technical assistance and other technical resources. These sections explain how to obtain

technical information from Cisco Systems.

Cisco.com

You can access the most current Cisco documentation at this URL:

http://www.cisco.com/univercd/home/home.htm

You can access the Cisco website at this URL:

http://www.cisco.com

You can access international Cisco websites at this URL:

http://www.cisco.com/public/countries_languages.shtml

Ordering Documentation

You can find instructions for ordering documentation at this URL:

http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm

You can order Cisco documentation in these ways:

•Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from

the Ordering tool:

http://www.cisco.com/en/US/partner/ordering/index.shtml

•Nonregistered Cisco.com users can order documentation through a local account representative by

calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in

North America, by calling 800 553-NETS (6387).

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

Preface

Documentation Feedback

You can send comments about technical documentation to bug-doc@cisco.com.

You can submit comments by using the response card (if present) behind the front cover of your

document or by writing to the following address:

Cisco Systems

Attn: Customer Document Ordering

170 West Tasman Drive

San Jose, CA 95134-9883

We appreciate your comments.

Obtaining Technical Assistance

For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, Cisco

Technical Support provides 24-hour-a-day, award-winning technical assistance. The Cisco Technical

Support Website on Cisco.com features extensive online support resources. In addition, Cisco Technical

Assistance Center (TAC) engineers provide telephone support. If you do not hold a valid Cisco service

contract, contact your reseller.

Cisco Technical Support Website

The Cisco Technical Support Website provides online documents and tools for troubleshooting and

resolving technical issues with Cisco products and technologies. The website is available 24 hours a day,

365 days a year at this URL:

http://www.cisco.com/techsupport

Access to all tools on the Cisco Technical Support Website requires a Cisco.com user ID and password.

If you have a valid service contract but do not have a user ID or password, you can register at this URL:

http://tools.cisco.com/RPF/register/register.do

Submitting a Service Request

Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3

and S4 service requests are those in which your network is minimally impaired or for which you require

product information.) After you describe your situation, the TAC Service Request Tool automatically

provides recommended solutions. If your issue is not resolved using the recommended resources, your

service request will be assigned to a Cisco TAC engineer. The TAC Service Request Tool is located at

this URL:

http://www.cisco.com/techsupport/servicerequest

For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone.

(S1 or S2 service requests are those in which your production network is down or severely degraded.)

Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business

operations running smoothly.

xxi

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

Preface

Obtaining Additional Publications and Information

To open a service request by telephone, use one of the following numbers:

Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)

EMEA: +32 2 704 55 55

USA: 1 800 553 2447

For a complete list of Cisco TAC contacts, go to this URL:

http://www.cisco.com/techsupport/contacts

Definitions of Service Request Severity

To ensure that all service requests are reported in a standard format, Cisco has established severity

definitions.

Severity 1 (S1)—Your network is “down,” or there is a critical impact to your business operations. You

and Cisco will commit all necessary resources around the clock to resolve the situation.

Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your

business operation are negatively affected by inadequate performance of Cisco products. You and Cisco

will commit full-time resources during normal business hours to resolve the situation.

Severity 3 (S3)—Operational performance of your network is impaired, but most business operations

remain functional. You and Cisco will commit resources during normal business hours to restore service

to satisfactory levels.

Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or

configuration. There is little or no effect on your business operations.

Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online

and printed sources.

•Cisco Marketplace provides a variety of Cisco books, reference guides, and logo merchandise. Visit

Cisco Marketplace, the company store, at this URL:

http://www.cisco.com/go/marketplace/

•The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as

ordering and customer support services. Access the Cisco Product Catalog at this URL:

http://cisco.com/univercd/cc/td/doc/pcat/

•Cisco Press publishes a wide range of general networking, training and certification titles. Both new

and experienced users will benefit from these publications. For current Cisco Press titles and other

information, go to Cisco Press at this URL:

http://www.ciscopress.com

•Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and

networking investments. Each quarter, Packet delivers coverage of the latest industry trends,

technology breakthroughs, and Cisco products and solutions, as well as network deployment and

troubleshooting tips, configuration examples, customer case studies, certification and training

information, and links to scores of in-depth online resources. You can access Packet magazine at this

URL:

http://www.cisco.com/packet

xxii

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

Preface

Obtaining Additional Publications and Information

•iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies

learn how they can use technology to increase revenue, streamline their business, and expand

services. The publication identifies the challenges facing these companies and the technologies to

help solve them, using real-world case studies and business strategies to help readers make sound

technology investment decisions. You can access iQ Magazine at this URL:

http://www.cisco.com/go/iqmagazine

•Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering

professionals involved in designing, developing, and operating public and private internets and

intranets. You can access the Internet Protocol Journal at this URL:

http://www.cisco.com/ipj

•World-class networking training is available from Cisco. You can view current offerings at

this URL:

http://www.cisco.com/en/US/learning/index.html

CHAPTER

1-1

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

Using Firewall Services Module Commands

This chapter describes how to use the Firewall Services Module (FWSM) commands and contains the

following sections:

•Using the FWSM Commands, page 1-1

•Command Modes, page 1-2

For the definitions of terms and acronyms that are used in this publication, see Appendix A, “Acronyms

and Abbreviations.”

Using the FWSM Commands

You will use these FWSM commands for basic tasks:

Command Task

copy running-config Copies the running configuration from memory.

This command is equivalent to the write memory

command.

copy startup-config Copies the startup configuration from the flash

memory. This command is equivalent to the write

memory command.

write memory Saving the configuration.

write terminal Viewing the configuration.

logging buffered debugging Accumulating system log (syslog) messages.

show logging Viewing system log (syslog) messages.

clear logging Clearing the message buffer.

1-2

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

Chapter 1 Using Firewall Services Module Commands

Command Modes

The FWSM command-line interface (CLI) allows you to do these tasks:

•Check the syntax before entering a command.

Enter a command and press the Enter key to view a quick summary, or precede a command with the

help command (for example, you can use help aaa).

•Abbreviate commands.

You can use the config t command to start configuration mode, the write t command to list the

configuration, and the write m command to write to Flash memory. In most commands, you can

abbreviate the show command as sh. This feature is called command completion.

•Make the IP addresses available for access.

After changing or removing the alias, access-list, global, nat, outbound, and static commands,

enter the clear xlate command.

•Review possible port and protocol numbers at the following Internet Assigned Numbers Authority

(IANA) websites:

http://www.iana.org/assignments/port-numbers

http://www.iana.org/assignments/protocol-numbers

•Create your configuration in a text editor and then cut and paste it into the configuration.

You can paste in a line at a time or the whole configuration. Always check your configuration after

pasting large blocks of text to be sure that all of the text was copied.

For information about how to build your FWSM configuration, refer to the Catalyst 6500 Series Switch

and Cisco 7600 Series Router Firewall Services Module Installation and Configuration Note.

Syslog messages are described in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall

Services Module System Messages Guide.

For information about how to use PDM 4.0 for the FWSM, refer to the online Help included in the PDM

software (accessed through the PDM application Help button).

FWSM technical documentation is located at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/fwsm/

Command Modes

The FWSM contains a command set that is based on Cisco IOS technologies and provides configurable

command privilege modes that are based on the following command modes:

•Unprivileged mode

Unprivileged mode allows you to see the FWSM settings. The unprivileged mode prompt appears

as follows when you first access the FWSM:

FWSM>

•Privileged mode

Privileged mode allows you to change current settings. Any unprivileged mode command will work

in privileged mode. Enter the enable command to start the privileged mode from unprivileged mode

as follows:

FWSM> enable

Password:

fwsm#

1-3

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

Chapter 1 Using Firewall Services Module Commands

Command Modes

The “#” prompt is displayed.

Enter the exit or quit commands to exit privileged mode and return to unprivileged mode as follows:

fwsm# exit

Logoff

Type help or '?' for a list of available commands.

Enter the disable command to exit privileged mode and return to unprivileged mode as follows:

fwsm# disable

fwsm>

•Configuration mode

Configuration mode allows you to change the FWSM configuration. All privileged, unprivileged,

and configuration commands are available in this mode. Enter the configure terminal command to

start the configuration mode as follows:

fwsm# configure terminal

fwsm(config)#

Enter the exit or quit commands to exit configuration mode and return to privileged mode as

follows:

fwsm(config)# quit

fwsm#

Enter the disable command to exit configuration mode and return to unprivileged mode as follows:

fwsm(config)# disable

fwsm>

•Subconfiguration modes

When you are in context subconfiguration mode, the prompt changes as follows:

fwsm(config-context)#

When you are in class subconfiguration mode, the prompt changes as follows:

fwsm(config-class)#

When you change to a context, the prompt changes as follows:

fwsm/context_name#

When you are in context configuration mode, the prompt changes as follows:

fwsm/context_name(config)#

1-4

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

Chapter 1 Using Firewall Services Module Commands

Command Modes

CHAPTER

2-1

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

Firewall Services Module Commands

This chapter contains an alphabetical listing of all the commands that are available to configure the

Firewall Services Module (FWSM) on the Catalyst 6500 series switch and Cisco 7600 series router.

2-2

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

Chapter 2 Firewall Services Module Commands

aaa accounting

To include or exclude TACACS+ or RADIUS user accounting on a server (designated by the aaa-server

command), use the aaa accounting command. To disable accounting services, use the no form of this

command.

[no] aaa accounting {include | exclude} service interface_name source_ip source_mask

[destination_ip destination_mask] server_tag

Syntax Description

Defaults This command has no default settings.

Command Modes Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Usage Guidelines The interface_name must match the VLAN number.

Before you can use this command, you must first designate an AAA server with the aaa-server

command.

To enable accounting for traffic that is specified by an access list, use the aaa accounting match

command.

User accounting services can track the network services that a user accesses. These records are also kept

on the designated AAA server. Accounting information is sent only to the active server in a server group.

include Creates a new rule with the specified service to include.

exclude Creates an exception to a previously stated rule by excluding the specified

service from accounting.

service Accounting service; valid values are any, ftp, http, telnet.

interface_name Interface name from which users require authentication.

source_ip IP address of the local host or network of hosts that you want to be

authenticated or authorized.

source_mask Network mask of source_ip.

destination_ip (Optional) IP address of the destination hosts that you want to access the

source_ip address; 0 indicates that all hosts have access.

destination_mask (Optional) Network mask of the destination_ip.

server_tag AAA server group tag.

Release Modification

1.1(1) Support for this command was introduced on the FWSM.

2-3

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

Chapter 2 Firewall Services Module Commands

aaa accounting

When specifying the service, use the any keyword to provide accounting for all TCP services. For UDP

services, use protocol/port. The port refers to the TCP or UDP destination port. A port value of 0 (zero)

indicates all ports. For protocols other than TCP and UDP, the port is not applicable and should not be

used. See Appendix B, “Port and Protocol Values” for port information.

Use the aaa accounting command with the aaa authentication and optionally, the aaa authorization

commands. You must have authentication for traffic that you want to track.

To track connections from any host, enter the local IP address and netmask as 0.0.0.0 0.0.0.0 or 0 0. Use

the same convention for the destination host IP addresses and netmasks; enter 0.0.0.0 0.0.0.0 to indicate

any destination host.

Tip The help aaa command displays the syntax and usage for the aaa authentication, aaa authorization,

aaa accounting, and aaa proxy-limit commands in summary form.

Use interface_name with the source_ip address and the destination_ip address to determine where

access is to come from and from whom.

Examples This example shows how to specify that the authentication server with the IP address 10.1.1.10 resides

on the inside interface and is in the default TACACS+ server group:

fwsm/context(config)# aaa accounting include any inside 0 0 0 0

Related Commands aaa accounting match

aaa authentication

aaa authorization

auth-prompt

password/passwd

service

ssh

telnet

virtual

2-4

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

Chapter 2 Firewall Services Module Commands

aaa accounting match

To enable accounting for traffic that is identified by an access list, use the aaa accounting match

command. To disable accounting for traffic that is identified by an access list, use the no form of this

command.

[no] aaa accounting match access_list_name interface_name server_tag

Syntax Description

Defaults This command has no default settings.

Command Modes Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Usage Guidelines The access_list_name is defined by the access-list extended command.

In an ACL, permit = account and deny = do not account.

The AAA server group tag is defined by the aaa-server command. Before you can use this command,

you must first designate an AAA server with the aaa-server command.

Examples This example shows how to enable accounting on a specific access list:

fwsm/context(config)# aaa accounting match acl1 termite scram

fwsm/context(config)# show acl

access-list mode auto-commit

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)

alert-interval 300

access_list_name Access list name.

interface_name Interface name from which users require authentication.

server_tag AAA server group tag.

Release Modification

1.1(1) Support for this command was introduced on the FWSM.

2-5

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

Chapter 2 Firewall Services Module Commands

aaa accounting match

Related Commands aaa authentication

aaa authorization

auth-prompt

password/passwd

service

ssh

telnet

virtual

2-6

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

Chapter 2 Firewall Services Module Commands

aaa authentication

To include or exclude user authentication for traffic through the FWSM, use the aaa authentication

command. To disable user authentication, use the no form of this command.

[no] aaa authentication {include | exclude | https} authen_service interface_name source_ip

source_mask [destination_ip destination_mask] server_tag

Syntax Description

Command Modes Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Usage Guidelines For each IP address, one aaa authentication command is permitted for inbound connections and one

aaa authentication command is permitted for outbound connections. A given IP address initiates

connections in one direction only.

The aaa authentication command enables or disables the following features:

•A host whose IP address is identified by the aaa-server command, starts a connection through FTP,

Telnet, HTTP or HTTPS, and is prompted for a username and password. If the username and

password are verified by the designated TACACS+ or RADIUS authentication server, the FWSM

allows further traffic between the authenticating host and the destination address.

include Specifies that you want to authenticate the traffic.

exclude Exempts the traffic from being authenticated.

https Enables authentication for HTTPS clients only.

Note This keyword is used without the aaa authentication

secure-http-client command.

authen_service Type of traffic to include or exclude from authentication based on the service

keyword selected. See Appendix B, “Port and Protocol Values” for valid

services.

interface_name Interface name from which users require authentication.

source_ip IP address of the host or network of hosts that you want to be authenticated.

source_mask Network mask of source_ip.

destination_ip (Optional) IP address of the hosts that you want to access the source_ip

address; 0 indicates all hosts.

destination_mask (Optional) Network mask of destination_ip.

server_tag AAA server group tag identified by the aaa-server command.

Release Modification

1.1(1) Support for this command was introduced on the FWSM.

2-7

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

Chapter 2 Firewall Services Module Commands

aaa authentication

The prompts differ between the three services that can access the FWSM for authentication as follows:

•A Telnet user sees a prompt that is generated by the FWSM. The FWSM permits a user up to four

tries to log in. If the username or password still fails, the FWSM drops the connection. You can

change this prompt with the auth-prompt command.

•An FTP user sees a prompt from the FTP program. If a user enters an incorrect password, the

connection is dropped immediately.

If the username or password on the authentication database differs from the username or password

on the remote host that you are accessing with FTP, enter the username and password in these

formats:

authentication_user_name

remote_system_user_name

authentication_password

remote_system_password

If you daisy-chain the FWSM, Telnet authentication works in the same way as a single module. For

FTP and HTTP authentication, the user has to enter each password and username with an additional

at “@” character and password or username for each daisy-chained system. A user can exceed the

63-character password limit depending on how many units are daisy-chained and the password

length.

Some FTP graphical user interfaces (GUIs) do not display challenge values.

•An HTTP user sees a pop-up window that is generated by the browser. If a user enters an incorrect

password, the user is prompted again. When the web server and the authentication server are on

different hosts, you can use the virtual command to get the correct authentication.

The FWSM supports authentication usernames up to 127 characters and passwords up to 16 characters

(some AAA servers accept passwords up to 32 characters). A password or username cannot contain an

“@” character as part of the password or username string.

The valid values for the access authen_service argument are as follows:

•telnet —Telnet access

•ftp—FTP access

•http—HTTP access

•any—All services

•service/port—When you specify a port, only the traffic with a matching destination port is included

or excluded for authentication. The tcp/0 optional keyword enables authentication for all TCP

traffic, which includes FTP, Telnet, HTTP, and HTTPS.

Note FTP, Telnet, and HTTP are equivalent to tcp/21, tcp/23, and tcp/80, https/443.

Note Only Telnet, FTP, or HTTP traffic triggers interactive user authentication.

If you specify ip, all IP traffic is included or excluded for authentication, depending on whether you

specify include or exclude. When all IP traffic is included for authentication, the following occurs:

•Before a user (source IP-based) is authenticated, an FTP, Telnet, HTTP, or HTTPS request triggers

authentication and all other IP requests are denied.

•After a user is authenticated through FTP, Telnet, HTTP, HTTPS, or virtual Telnet authentication

(see the virtual command), all traffic is free from authentication until the uauth timeout.

2-8

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

Chapter 2 Firewall Services Module Commands

aaa authentication

Use interface_name, source_ip, and destination_ip to define where access is to come from and from

whom. The address for source_ip is always on the highest security level interface, and destination_ip is

always on the lowest security level interface.

The maximum username prompt for HTTP authentication is 30 characters. The maximum password

length is 15 characters.

The aaa authentication command is not intended to mandate your security policy. The authentication

servers determine whether a user can or cannot access the system. The FWSM interacts with FTP, HTTP

(Web access), HTTPS, and Telnet to display the credential prompts for logging in to the network or

logging in to exit the network.

HTTP Authentication

The aaa authentication command supports HTTP authentication.

Caution We do not recommend that you enable AAA authentication for FTP, Telnet, HTTP, or HTTPS and share

the same AAA server for authenticating inbound and outbound connections.

When using HTTP authentication to a site running Microsoft IIS that has “Basic text authentication” or

“NT Challenge” enabled, you may be denied access from the Microsoft IIS server. This situation occurs

because the browser appends the string: “Authorization: Basic=Uuhjksdkfhk==” to the HTTP GET

commands. This string contains the FWSM authentication credentials.

Windows NT Microsoft IIS servers respond to the credentials and assume that a Windows NT user is

trying to access privileged pages on the server. Unless the FWSM username password combination is

exactly the same as a valid Windows NT username and password combination on the Microsoft IIS

server, the HTTP GET command is denied.

To solve this problem, the FWSM provides the virtual http command, which redirects the browser's

initial connection to another IP address, authenticates the user, and then redirects the browser back to

the URL to which the user originally requested.

Once authenticated, a user does not have to reauthenticate even if the FWSM uauth timeout is set low

because the browser caches the “Authorization: Basic=Uuhjksdkfhk==” string in every subsequent

connection to that particular site. This string can only be cleared when the user exits all instances of

Netscape Navigator or Internet Explorer and restarts. Flushing the cache does not clear the

string.commands.

If the user repeatedly browses the Internet, the browser resends the “Authorization:

Basic=Uuhjksdkfhk==” string to transparently reauthenticate the user.

Multimedia applications, such as CU-SeeMe, Intel Internet Phone, MeetingPoint, and MS Netmeeting

silently start the HTTP service.

Note To avoid interfering with these applications, do not enter blanket outgoing aaa commands for all

challenged ports (such as using the any optional keyword). Be selective with which ports and addresses

that you use to challenge HTTP and when you set the user authentication timeouts to a higher timeout

value. Otherwise, the multimedia programs may fail and crash the PC after establishing outgoing

sessions from the inside sessions.

2-9

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

Chapter 2 Firewall Services Module Commands

aaa authentication

TACACS+ and RADIUS Servers

Up to 256 TACACS+ or RADIUS servers are permitted (up to 16 servers in each of the up to 16 server

groups). You can set the number of servers by using the aaa-server command. When a user logs in, the

servers are accessed one at a time starting with the first server that you specify in the configuration, until

a server responds.

The FWSM permits only one authentication type per network. For example, if one network connects

through the FWSM using TACACS+ for authentication, another network connecting through the FWSM

can authenticate with RADIUS. One network cannot authenticate with both the TACACS+ and RADIUS

servers.

For the TACACS+ server, if you do not specify a key to the aaa-server command, no encryption occurs.

The FWSM displays the same timeout message for both the RADIUS and TACACS+ servers. The

message “aaa server host machine not responding” displays when either of the following occurs:

•The AAA server system is down.

•The AAA server system is up, but the service is not running.

Examples This example shows how to authenticate traffic:

fwsm/context(config)# aaa authentication include any 172.31.0.0 255.255.0.0 0.0.0.0

0.0.0.0 tacacs+

This example shows how to prevent authentication on traffic:

fwsm/context(config)# aaa authentication exclude telnet 172.31.38.0 255.255.255.0 0.0.0.0

0.0.0.0 tacacs+

This example demonstrates how to use the interface_name argument. The firewall has an inside network

of 192.168.1.0, an outside network of 209.165.201.0 (subnet mask 255.255.255.224), and a perimeter

network of 162.65.20.28 (subnet mask 255.255.255.224).

This example shows how to enable authentication for connections that originated from the inside

network to the outside network:

fwsm/context(config)# aaa authentication include any 192.168.1.0 255.255.255.0

209.165.201.0 255.255.255.224 tacacs+

This example shows how to enable authentication for connections that originated from the inside

network to the perimeter network:

fwsm/context(config)# aaa authentication include any 192.168.1.0 255.255.255.0

162.65.20.28 255.255.255.224 tacacs+

This example shows how to enable authentication for connections that originated from the outside

network to the inside network:

fwsm/context(config)# aaa authentication include any 192.168.1.0 255.255.255.0

209.165.201.0 255.255.255.224 tacacs+

This example shows how to enable authentication for connections that originated from the outside

network to the perimeter network:

fwsm/context(config)# aaa authentication include any 209.165.201.0 255.255.255.224

162.65.20.28 255.255.255.224 tacacs+

2-10

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

Chapter 2 Firewall Services Module Commands

aaa authentication

This example shows how to enable authentication for connections that originated from the perimeter

network to the outside network:

fwsm/context(config)# aaa authentication include any 162.65.20.28 255.255.255.224

209.165.201.0 255.255.255.224 tacacs+

This example specifies that IP addresses 10.0.0.1 through 10.0.0.254 can originate outbound connections

and then shows how to enable user authentication so that those addresses must enter user credentials to

exit the firewall. The first aaa authentication command permits authentication on FTP, HTTP, or Telnet

depending on what the authentication server handles. The second aaa authentication command lets host

10.0.0.42 start outbound connections without being authenticated. The default authentication group is

tacacs+.

fwsm/context(config)# nat (inside) 1 10.0.0.0 255.255.255.0

fwsm/context(config)# aaa authentication include any 0 0 tacacs+

fwsm/context(config)# aaa authentication exclude 10.0.0.42 255.255.255.255 tacacs+ any

This example shows how to permit inbound access to any IP address in the range of 209.165.201.1

through 209.165.201.30 indicated by the 209.165.201.0 network address (subnet mask

255.255.255.224). All services are permitted by the access-list command. The aaa authentication

command permits authentication on FTP, HTTP, or Telnet depending on what the authentication server

handles. The authentication server is at IP address 10.16.1.20 on the inside interface.

fwsm/context(config)# aaa-server AuthIn protocol tacacs+

fwsm/context(config)# aaa-server AuthIn (inside) host 10.16.1.20 thisisakey timeout 20

fwsm/context(config)# static (inside,outside) 209.165.201.0 10.16.1.0 netmask

255.255.255.224

fwsm/context(config)# access-list acl_out permit tcp 10.16.1.0 255.255.255.0

209.165.201.0 255.255.255.224

fwsm/context(config)# access-group acl_out in interface outside

fwsm/context(config)# aaa authentication include any 0 0 AuthIn

This example shows how to enable HTTPS authentication for a client:

fwsm/context(config)# aaa authentication secure-http-client

fwsm/context(config)# aaa authentication include http int3 0000 aaaserver3

Related Commands aaa authorization

auth-prompt

password/passwd

service

ssh

telnet

virtual

2-11

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

Chapter 2 Firewall Services Module Commands

aaa authentication console

To enable authentication for access to the FWSM CLI, use the aaa authentication console command.

To disable authentication verification, use the no form of this command.

[no] aaa authentication {enable | telnet | ssh | http} console {server_tag [LOCAL] | LOCAL}

Syntax Description

Defaults The defaults are as follows:

•The login password is cisco.

Note The cisco password cannot be used when specifying a password for user authentication.

•The enable password is not set.

Command Modes Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Usage Guidelines The AAA server group tag is defined by the aaa-server command.

The LOCAL keyword specifies a second authentication method that can be local only. The LOCAL

keyword is optional when specified as a RADIUS or TACACS+ server only.

enable (Optional) Specifies access verification for the FWSM’s privileged mode.

telnet (Optional) Specifies access verification for the Telnet access to the FWSM

console.

ssh (Optional) Specifies access verification for the SSH access to the FWSM

console.

http (Optional) Specifies access verification for the HTTP (Hypertext Transfer

Protocol) access to the FWSM (through FDM).

server_tag AAA server group tag of the local database.

LOCAL See the “Usage Guidelines” section for information.

Release Modification

1.1(1) Support for this command was introduced on the FWSM.

2.2(1) This command was modified to support fallback to LOCAL.

2-12

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

Chapter 2 Firewall Services Module Commands

aaa authentication console

Any access to the module (SSH, Telnet, enable) requiring a username and password is prompted only

three times.

•The enable and ssh keywords allow three tries before stopping with an access-denied message as

follows:

–

The enable keyword requests a username and password before accessing privileged mode.

–

The ssh keyword requests a username and password before the first command line prompt on

the SSH console connection. The ssh keyword allows a maximum of three authentication

attempts.

•The telnet keyword prompts you continually until you successfully log in. The telnet keyword

forces you to specify a username and password before the first command line prompt of a Telnet

console connection.

Telnet access to the FWSM CLI is available from any internal interface and from the outside interface

with IPSec configured. Telnet access requires previous use of the telnet command.

SSH access to the FWSM console is also available from any interface (IPSec does not have to be

configured on the interface). SSH access requires previous use of the ssh command.

If an aaa authentication ssh console server_tag command is not defined, you can gain access to the CLI

with the username pix and with the FWSM Telnet password (set with the passwd command). If the aaa

command is defined but the SSH authentication requests timeouts, which implies that the AAA servers

may be down or not available, you can gain access to the FWSM using the PIX username and the enable

password (set with the enable password command).

The FWSM supports authentication usernames up to 127 characters and passwords up to 16 characters

(some AAA servers accept passwords up to 32 characters). A password or username may not contain an

“@” character as part of the password or username string.

The command only accepts the second, optional LOCAL keyword when the server_tag refers to an

existing, valid TACACS+ or RADIUS server group defined in a aaa-server command. You can

configure LOCAL as the first and only server_tag.

The no form of the command removes the complete command and does not support removing single

methods.

Examples This example shows how to enable authentication service for the FWSM console:

fwsm/context(config)# aaa authentication enable console 756

Related Commands aaa authorization

auth-prompt

password/passwd

service

ssh

telnet

virtual

2-13

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

Chapter 2 Firewall Services Module Commands

aaa authentication match

To enable authentication on a specific access list, use the aaa authentication match command. To

disable authentication on a specific access list, use the no form of this command.

[no] aaa authentication match access_list_name interface_name server_tag

Syntax Description

Defaults This command has no default settings.

Command Modes Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Usage Guidelines The access_list_name is defined by the access-list deny-flow-max command.

The AAA server group tag is defined by the aaa-server command. Enter TACACS+ or RADIUS to use

the authentication database.

The FWSM supports authentication usernames up to 127 characters and passwords up to 16 characters

(some AAA servers accept passwords up to 32 characters). A password or username may not contain an

“@” character as part of the password or username string.

Examples This example shows how to enable authentication on a specific access list:

fwsm/context(config)# aaa authentication match

Related Commands aaa authorization

auth-prompt

password/passwd

service

ssh

telnet

virtual

access_list_name Access list name.

interface_name Interface name.

server_tag AAA server group tag.

Release Modification

1.1(1) Support for this command was introduced on the FWSM.

2-14

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

Chapter 2 Firewall Services Module Commands

aaa authentication secure-http-client

To enable encryption of usernames and passwords that are exchanged between an HTTP client and the

FWSM, use the aaa authentication secure-http-client command. To disable encryption for usernames

and passwords, use the no form of this command.

[no] aaa authentication secure-http-client

Syntax Description This command has no arguments or keywords.

Defaults This command has no default settings.

Command Modes Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Examples This example shows how to enable authentication on a specific access list:

fwsm/context(config)# aaa authentication secure-http-client

fwsm/context(config)# show aaa

aaa authentication secure-http-client

Related Commands aaa authorization

auth-prompt

password/passwd

service

show aaa

ssh

telnet

virtual

Release Modification

2.3(1) Support for this command was introduced on the FWSM.

2-15

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

Chapter 2 Firewall Services Module Commands

aaa authorization

To include or exclude a service from authorization to the specified host, use the aaa authorization

command. To disable the feature, use the no form of this command.

[no] aaa authorization {include | exclude} service interface_name source_ip source_mask

destination_ip destination_mask tacacs_server_tag

Syntax Description

Defaults An IP address of 0 indicates all hosts.

Command Modes Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Usage Guidelines The exclude keyword replaces the former except optional keyword by allowing the user to specify a port

to exclude to a specific host or hosts.

When specifying the destination IP, use 0 to indicate all hosts.

For the destination and local mask, always specify a specific mask value. Use 0 if the IP address is 0,

and use 255.255.255.255 for a host. Always specify a specific mask value.

Use interface_name in combination with the source_ip address and the destination_ip address to

determine where access is to come from and from whom. The source_ip address is always on the highest

security level interface and destination_ip is always on the lowest security level.

include Creates a new rule with the specified service to include.

exclude Creates an exception to a previously stated rule by excluding the specified

service from authorization to the specified host.

service Services that require authorization; see the “Usage Guidelines” section for more

information.

interface_name Interface name that requires authentication.

source_ip IP address of the host or the network of hosts that you want to be authorized.

source_mask Network mask of the source_ip.

destination_ip IP address of the hosts that you want to access the source_ip address.

destination_mask Network mask of the destination_ip.

tacacs_server_tag TACACS+ server group tag.

Release Modification

1.1(1) Support for this command was introduced on the FWSM.

2.2(1) This command was modified to support a second LOCAL method for AAA

configurations.

2-16

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

Chapter 2 Firewall Services Module Commands

aaa authorization

You can set the local IP address to 0 to indicate all hosts and to let the authentication server decide which

hosts are authenticated.

Valid values for service are any, ftp, http, telnet, or protocol/port. Services that are not specified are

authorized implicitly. Services that are specified in the aaa authentication command do not affect the

services that require authorization.

For protocol/port, enter the following:

•protocol—Enter the protocol (6 for TCP, 17 for UDP, 1 for ICMP, and so on).

•port—Enter the TCP or UDP destination port or port range. The port can also be the ICMP type;

that is, 8 for ICMP echo or ping. A port value of 0 (zero) means all ports. Port ranges apply only to

the TCP and UDP protocols, not to ICMP. For protocols other than TCP, UDP, and ICMP, the port

is not applicable and should not be used. An example port specification is as follows:

fwsm#/context(config)# aaa authorization include udp/53-1024 inside 0 0 0 0

This example shows how to enable authorization for DNS lookups to the inside interface for all

clients and authorizes access to any other services that have ports in the range of 53 to 1024.

A specific authorization rule does not require the equivalent authentication. Authentication is only

required with either FTP, HTTP, or Telnet to provide an interactive method with the user to enter the

authorization credentials.

Except for its use with command authorization, the aaa authorization command requires previous

configuration with the aaa authentication command; however, use of the aaa authentication command

does not require use of the aaa authorization command.

Currently, the aaa authorization command is supported for use with local and TACACS+ servers but

not with RADIUS servers. Although explicit RADIUS authorization cannot be configured, a dynamic

ACL can be set at the RADIUS server to provide authorization (even if it is not configured in the

FWSM).

Tip The help aaa command displays the syntax and usage for the aaa authentication, aaa authorization,

aaa accounting, and aaa proxy-limit commands in summary form.

One aaa authorization command is permitted for each IP address. To authorize more than one service

with aaa authorization, use the any keyword for the service type.

If the first authorization attempt fails and a second attempt causes a timeout, use the

service resetinbound command to reset the client that failed the authorization so that it will not

retransmit any connections. This example shows an authorization timeout message in Telnet:

Unable to connect to remote host: Connection timed out

User authorization services control which network services that a user can access. After a user is

authenticated, attempts to access restricted services cause the FWSM to verify the access permissions of

the user with the designated AAA server.

Note RADIUS authorization is supported for use with the access-list deny-flow-max commands and for use

in configuring a RADIUS server with an acl=access_list_name vendor-specific identifier. For more

information, see the access-list deny-flow-max command and the aaa-server radius-authport

command.

If the AAA console login request times out, you can gain access to the FWSM by entering the fwsm

username and the enable password.

2-17

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

Chapter 2 Firewall Services Module Commands

aaa authorization

When specifying the services service option, the valid values are telnet, ftp, http, https, tcp or 0, tcp

or port, udp or port, icmp or port or protocol [/port]. Only the Telnet, FTP, HTTP, and HTTPS traffic

triggers user interactive authentication.

For authentication of console access, Telnet access, SSH access, and enable mode access, specify telnet,

ssh, or enable.

Examples This example shows how to specify the default FWSM protocol configuration:

fwsm/context(config)# aaa-server TACACS+ protocol tacacs+

fwsm/context(config)# aaa-server RADIUS protocol radius

fwsm/context(config)# aaa-server LOCAL protocol local

This example shows how to use the default protocol TACACS+ with the aaa commands. The first

command specifies that the authentication server with the IP address 10.1.1.10 resides on the inside

interface and is in the default TACACS+ server group. The next three commands specify that any users

starting outbound connections to any destination host will be authenticated using TACACS+, that the

users who are successfully authenticated are authorized to use any service, and that all outbound

connection information will be logged in the accounting database. The last command specifies that

access to the FWSM requires authentication from the TACACS+ server.

fwsm/context(config)# aaa-server TACACS+ (inside) host 10.1.1.10 the key timeout 20

fwsm/context(config)# aaa authentication include any 0 0 0 0 TACACS+

fwsm/context(config)# aaa authorization include any 0 0 0 0

fwsm/context(config)# aaa accounting include any 0 0 0 0 TACACS+

fwsm/context(config)# aaa authentication TACACS+

This example shows how to enable authorization for DNS lookups from the outside interface:

fwsm/context(config)# aaa authorization include udp/53 0.0.0.0 0.0.0.0

This example shows how to enable authorization of ICMP echo-reply packets arriving at the inside

interface from inside hosts:

fwsm/context(config)# aaa authorization include 1/0 0.0.0.0 0.0.0.0

Users will not be able to ping external hosts if they have not been authenticated using Telnet, HTTP, or

FTP.

This example shows how to enable authorization only for ICMP echoes (pings) that arrive at the inside

interface from an inside host:

fwsm/context(config)# aaa authorization include 1/8 0.0.0.0 0.0.0.0

Related Commands aaa authorization

auth-prompt

password/passwd

service

ssh

telnet

virtual

2-18

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

Chapter 2 Firewall Services Module Commands

aaa authorization command

To enable authorization for a local or a TACACS server, use the aaa authorization command command.

To disable authorization for local or a TACACS server, use the no form of this command.

[no] aaa authorization command {LOCAL_server_tag | tacacs_server_tag}

Syntax Description

Defaults This command has no default settings.

Command Modes Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Usage Guidelines You can enter the LOCAL_server_tag argument for the group tag value and use the local FWSM database

AAA services such as local command authorization privilege levels.

Examples This example shows how to enable authorization for a local or a TACACS server:

fwsm/context(config)# aaa authorization Server1

Related Commands aaa authorization

auth-prompt

password/passwd

service

ssh

telnet

virtual

LOCAL_server_tag Predefined server tag for the AAA local protocol.

tacacs_server_tag Predefined server tag for the TACACS user authentication server.

Release Modification

1.1(1) Support for this command was introduced on the FWSM.

2.2(1) This command was modified to support a second LOCAL method for AAA

configurations.

2-19

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

Chapter 2 Firewall Services Module Commands

aaa authorization match

To enable the local or TACACS+ user-authorization services for a specific access-list command name,

use the aaa authorization match command. To disable the feature, use the no form of this command.

[no] aaa authorization match access_list_name interface_name server_tag

Syntax Description

Defaults This command has no default settings.

Command Modes Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Usage Guidelines The AAA server group tag is defined by the aaa-server command. Enter TACACS+ or RADIUS to use

the authentication database.

The access_list_name is defined by the access-list deny-flow-max command.

The FWSM supports authentication usernames up to 127 characters and passwords up to 16 characters

(some AAA servers accept passwords up to 32 characters). A password or username may not contain an

“@” character as part of the password or username string.

Examples This example shows how to enable authorization for a specified access list:

fwsm/context(config)# aaa authorization match my_access inside Server2

Related Commands aaa authorization

auth-prompt

password/passwd

service

access_list_name access-list command name.

interface_name Interface name that requires authentication.

server_tag AAA server group tag as defined by the aaa-server command.

Release Modification

1.1(1) Support for this command was introduced on the FWSM.

2.2(1) This command was modified to support a second LOCAL method for AAA

configurations.

2-20

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

Chapter 2 Firewall Services Module Commands

aaa authorization match

ssh

telnet

virtual

2-21

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

Chapter 2 Firewall Services Module Commands

aaa proxy-limit

To specify the number of concurrent proxy connections that are allowed per user, use the aaa

proxy-limit command.

[no] aaa proxy-limit {proxy_limit | disable}

Syntax Description

Defaults The proxy_limit is 16.

Command Modes Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Usage Guidelines The aaa proxy-limit command enables you to manually configure the uauth session limit by setting the

maximum number of concurrent proxy connections that are allowed per user.

An uauth session is a cut-through session that performs authentication or authorization (the connection

is proxied).

If a source address is a proxy server, you should exclude this IP address from authentication or increase

the number of allowable outstanding AAA requests.

Examples This example shows how to set and display the maximum number of outstanding authentication requests

allowed:

fwsm/context(config)# aaa proxy-limit 6

fwsm/context(config)# show aaa proxy-limit

aaa proxy-limit 6

Related Commands aaa authentication

aaa authorization

aaa-server

show aaa proxy-limit

proxy_limit Number of concurrent proxy connections allowed per user; valid values are

from 1 to 128.

disable Disables the proxy limit.

Release Modification

1.1(1) Support for this command was introduced on the FWSM.

2-22

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

Chapter 2 Firewall Services Module Commands

aaa-server

To define the AAA server group, use the aaa-server command. To remove the AAA server group, use

the no form of this command.

[no] aaa-server server_tag

[no] aaa-server server_tag max-failed-attempts tries

[no] aaa-server server_tag deadtime deatimeout

aaa-server server_tag [interface_name] host server_ip [key] [timeout seconds]

aaa-server server_tag protocol auth_protocol tacacs+ | radius

Syntax Description

Defaults The defaults are as follows:

•The FWSM listens for RADIUS on ports 1645 for authentication and 1646 for accounting. The

default ports are defined in RFC 2058 as 1812 for authentication and 1813 for accounting. The

FWSM RADIUS ports were not changed for backward-compatibility purposes.

•The following are the aaa-server default protocols:

–

aaa-server TACACS+ protocol tacacs+

–

aaa-server RADIUS protocol radius

–

aaa-server LOCAL protocol local

•The default timeout value is 10 seconds.

•The interface name interface_name defaults to the outside.

•The max-attempts is 3.

•The deadtime is 10.

server_tag Alphanumeric string that is the name of the server group.

max-failed-attempts

tries

Specifies the maximum number of AAA requests to attempt to each AAA

server in an AAA server group; the range is from 1 to 5 counters.

deadtime deatimeout Specifies the number of minutes to declare the AAA server group as

unresponsive; the range is from 0 to 1440 minutes.

interface_name (Optional) Interface name on which the server resides.

host server_ip (Optional) IP address of the TACACS+ or RADIUS server.

key (Optional) Case-sensitive, alphanumeric keyword up to 127 characters and

is the same value as the key on the TACACS+ server.

timeout seconds (Optional) Retransmit timer that specifies the time duration before the

FWSM chooses the next AAA server.

protocol auth_protocol Type of AAA server, either tacacs+ or radius.

2-23

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

Chapter 2 Firewall Services Module Commands

aaa-server

Command Modes Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Usage Guidelines The aaa-server command allows you to specify AAA server groups. The FWSM lets you define separate

groups of TACACS+ or RADIUS servers for specifying different types of traffic. For example, you can

specify a TACACS+ server for inbound traffic and another for outbound traffic. You can also specify that

all outbound HTTP traffic will be authenticated by a TACACS+ server and that all inbound traffic will

use RADIUS. The aaa-server command is used with the crypto map command to establish an

authentication association so that VPN clients are authenticated when they access the FWSM.

Certain types of AAA services can be directed to different servers. Services can also be set up to fail

over to multiple servers.

Use the server_tag in the aaa command to associate aaa authentication and aaa accounting commands

to an AAA server. Up to 14 server groups are permitted. However, you cannot use the LOCAL keyword

with the aaa-server command because the keyword is predefined by the FWSM.

Other aaa commands reference the server tag group defined by the aaa-server command server_tag

parameter. This global setting takes effect when the TACACS+ or RADIUS service is started.

Note When a cut-through proxy is configured, TCP sessions (Telnet, FTP, HTTP, or HTTPS) may have their

sequence number randomized even if the norandomseq optional keyword is used in the nat or static

command. This situation occurs when an AAA server proxies the TCP session to authenticate the user

before permitting access.

AAA server groups are defined by a tag name that directs different types of traffic to each authentication

server. If the first authentication server in the list fails, the AAA subsystem fails over to the next server

in the tag group. You can have up to 14 tag groups, and each group can have up to 14 AAA servers for

a total up to 196 AAA servers.

The max-attempts number keyword and argument allow you to configure the number of AAA requests

to an AAA server before declaring that server unresponsive and tries the next server in the group. You

should set the max-attempts number keyword and argument and the timeout values for the fall-back

behavior when authenticating or authorizing commands in a fall-back configuration. For example, if you

want to declare an individual AAA server as unresponsive, you should reduce the max-attempts number

setting to 1 or 2.

You can configure the deadtime minutes keyword and argument without having configured the LOCAL

method on any of the authentication and authorization commands. The deadtime minutes keyword

and argument affect only the operations when you configure two methods for authenticating and

authorizing AAA.

Release Modification

1.1(1) Support for this command was introduced on the FWSM.

2.2(1) This command was modified to support a second LOCAL method for AAA

configurations.

2-24

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

Chapter 2 Firewall Services Module Commands

aaa-server

Note The second method must be LOCAL.

The deadtime minutes keyword and argument specify the minutes that a particular authentication or

authorization method should be marked as unresponsive and skipped. When a AAA server group is

marked unresponsive, the FWSM immediately performs the authentication or authorization against the

next method specified (which is the local FWSM user database).

Note Every server in a group must be marked unresponsive before the whole group is declared unresponsive.

When you configure the deadtime to 0, the AAA server group is not considered unresponsive and all

authentication and authorization requests are always attempted against this AAA server group before

using the next method in the method list.

The no form of the deadtime command restores the command to its default value of 10 minutes.

The deadtime period begins as soon as the last server in the AAA server group has been marked as down

(unresponsive). A server is marked as down when the max-attempts value is reached and AAA fails to

receive a response. When the deadtime period expires, the AAA server group is active and all requests

are submitted again to the AAA servers in the AAA server group.

Some AAA servers accept passwords up to 32 characters, but the FWSM allows passwords up to

16 characters only.

When specifying the key, any characters entered past 127 are ignored. The key is used between the client

and server for encrypting data between them. The key must be the same on both the client and server

systems. Spaces are not permitted in the key, but other special characters are permitted in the key.

The timeout default is 10 seconds. The maximum time is 30 seconds. If the timeout value is 10 seconds,

the FWSM retransmits for 10 seconds. If no acknowledgment is received, the FWSM tries three times

more for a total of 40 seconds to retransmit data before the next AAA server is selected.

If accounting is enabled, the accounting information goes only to the active server.

If you are upgrading from a previous version of FWSM and have aaa commands in your configuration,

using the default server groups lets you maintain backward compatibility with the aaa commands in your

configuration.

The previous server type optional keyword at the end of the aaa authentication and aaa accounting

commands has been replaced with the aaa-server server_tag group name.

This example shows how to use the default protocol TACACS+ with the aaa commands:

fwsm/context(config)# aaa-server TACACS+ (inside) host 10.1.1.10 thekey timeout 20

fwsm/context(config)# aaa authentication include any 0 0 0 0 TACACS+

fwsm/context(config)# aaa authorization include any outbound 0 0 0 0 host 10.1.1.10

fwsm/context(config)# aaa accounting include any 0 0 0 0 TACACS+

fwsm/context(config)# aaa authentication TACACS+

The previous example specifies that the authentication server with the IP address 10.1.1.10 resides on

the inside interface and is in the default TACACS+ server group. The next three commands specify that

any users starting outbound connections to any destination host will be authenticated using TACACS+,

that the users who are successfully authenticated are authorized to use any service, and that all outbound

connection information will be logged in the accounting database. The last command specifies that

access to the FWSM requires authentication from the TACACS+ server.

2-25

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

Chapter 2 Firewall Services Module Commands

aaa-server

This example creates the AuthOut and AuthIn server groups for RADIUS authentication and specifies

that servers 10.0.1.40, 10.0.1.41, and 10.1.1.2 on the inside interface provide authentication. The servers

in the AuthIn group authenticate inbound connections, and the AuthOut group authenticates outbound

connections.

fwsm/context(config)# aaa-server AuthIn protocol radius

fwsm/context(config)# aaa-server AuthIn (inside) host 10.0.1.40 ab timeout 20

fwsm/context(config)# aaa-server AuthIn (inside) host 10.0.1.41 abc timeout 4

fwsm/context(config)# aaa-server AuthOut protocol radius

fwsm/context(config)# aaa-server AuthOut (inside) host 10.1.1.2 abc123 timeout 15

fwsm/context(config)# aaa authentication include any 0 0 0 0 AuthIn

fwsm/context(config)# aaa authentication include any 0 0 0 0 AuthOut

This example shows how to list the commands that can be used to establish an Xauth crypto map:

fwsm/context(config)# ip address inside 10.0.0.1 255.255.255.0

fwsm/context(config)# ip address outside 168.20.1.5 255.255.255.0

fwsm/context(config)# ip local pool dealer 10.1.2.1-10.1.2.254

fwsm/context(config)# nat (inside) 0 access-list 80

fwsm/context(config)# aaa-server TACACS+ host 10.0.0.2 secret123

fwsm/context(config)# crypto ipsec transform-set pc esp-des esp-md5-hmac

fwsm/context(config)# crypto dynamic-map cisco 4 set transform-set pc

fwsm/context(config)# crypto map partner-map 20 ipsec-isakmp dynamic cisco

fwsm/context(config)# crypto map partner-map client configuration address initiate

fwsm/context(config)# crypto map partner-map client authentication TACACS+

fwsm/context(config)# crypto map partner-map interface outside

fwsm/context(config)# isakmp key cisco1234 address 0.0.0.0 netmask 0.0.0.0

fwsm/context(config)# isakmp client configuration address-pool local dealer outside

fwsm/context(config)# isakmp policy 8 authentication pre-share

fwsm/context(config)# isakmp policy 8 encryption des

fwsm/context(config)# isakmp policy 8 hash md5

fwsm/context(config)# isakmp policy 8 group 1

fwsm/context(config)# isakmp policy 8 lifetime 86400

Related Commands aaa authentication

aaa authorization

aaa-server

show aaa proxy-limit

2-26

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

Chapter 2 Firewall Services Module Commands

aaa-server radius-acctport

To set the port number of the RADIUS server that the FWSM uses for accounting functions, use the

aaa-server radius-acctport command. To return to the default settings, use the no form of this

command.

[no] aaa-server radius-acctport [acct_port]

Syntax Description

Defaults acct_port is 1645.

Command Modes Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Usage Guidelines You can change authorization and accounting port settings on the FWSM with the aaa-server

radius-acctport and aaa-server radius-authport commands. These commands specify the destination

TCP/UDP port number of the remote RADIUS server host to which you wish to assign authentication or

accounting functions.

The default RADIUS accounting port is 1645 and the default RADIUS authorization port is 1646. If your

authentication server uses ports other than 1645 and 1646, then you must configure the FWSM for the

appropriate ports prior to starting the RADIUS service with the aaa-server command. For example,

some RADIUS servers use the port numbers 1812 and 1813 as defined in RFC 2138 and RFC 2139. If

your RADIUS server uses ports 1812 and 1813, you must use the aaa-server radius-authport and

aaa-server radius-acctport commands to reconfigure the FWSM to use ports 1812 and 1813.

These port pairs are assigned to authentication and accounting services on the RADIUS servers:

•1645 (authentication), 1646 (accounting)—default for the FWSM

•1812 (authentication), 1813 (accounting)—alternate

You can see these and other commonly used port number assignments online at this URL:

http://www.iana.org/assignments/port-numbers

See the “Specifying Port Values” section in Appendix B for additional information about port number

assignments.

acct_port (Optional) RADIUS authentication port number; valid values are from 1 to

65535.

Release Modification

1.1(1) Support for this command was introduced on the FWSM.

2-27

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

Chapter 2 Firewall Services Module Commands

aaa-server radius-acctport

Examples This example shows how to set the port number of the RADIUS server that the FWSM uses for

accounting functions:

fwsm/context(config)# aaa-server radius-acctport

Related Commands aaa authorization

auth-prompt

password/passwd

service

ssh

telnet

virtual

2-28

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

Chapter 2 Firewall Services Module Commands

aaa-server radius-authport

To set the port number of the RADIUS server that the FWSM uses for authentication functions, use the

aaa-server radius-authport command. To return to the default settings, use the no form of this

command.

[no] aaa-server radius-authport [auth_port]

Syntax Description

Defaults auth_port is 1646.

Command Modes Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Usage Guidelines You can change authorization and accounting port settings on the FWSM with the aaa-server

radius-acctport and aaa-server radius-authport commands. These commands specify the destination

TCP/UDP port number of the remote RADIUS server host to which you wish to assign authentication or

accounting functions.

The default RADIUS accounting port is 1645 and the default RADIUS authorization port is 1646. If your

authentication server uses ports other than 1645 and 1646, then you must configure the FWSM for the

appropriate ports prior to starting the RADIUS service with the aaa-server command. For example,

some RADIUS servers use the port numbers 1812 and 1813 as defined in RFC 2138 and RFC 2139. If

your RADIUS server uses ports 1812 and 1813, you must use the aaa-server radius-authport and

aaa-server radius-acctport commands to reconfigure the FWSM to use ports 1812 and 1813.

The following port pairs are assigned to authentication and accounting services on the RADIUS servers:

•1645 (authentication), 1646 (accounting)—default for the FWSM

•1812 (authentication), 1813 (accounting)—alternate

You can see these and other commonly used port number assignments online at this URL:

http://www.iana.org/assignments/port-numbers

See the “Specifying Port Values” section in Appendix B for additional information about port number

assignments.

acct_port (Optional) RADIUS authentication port number; valid values are from 1 to

65535

Release Modification

1.1(1) Support for this command was introduced on the FWSM.

2-29

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

Chapter 2 Firewall Services Module Commands

aaa-server radius-authport

Examples This example shows how to set the port number of the RADIUS server that the FWSM uses for

authentication functions:

fwsm/context(config)# aaa-server radius-authport

Related Commands aaa authorization

auth-prompt

password/passwd

service

ssh

telnet

virtual

2-30

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

Chapter 2 Firewall Services Module Commands

access-group

To bind the access list to an interface, use the access-group command. To unbind the access list from

the interface, use the no form of this command.

[no] access-group access-list {in | out} interface interface_name [per-user-override]

Syntax Description

Defaults per-use-override is off..

Command Modes Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Usage Guidelines The access-group command binds an access list to an interface. The in keyword applies the access list

to the traffic on the specified interface. The out keyword applies the access list to the outbound traffic.

The no access-group command unbinds the access list from the interface interface_name.

The show access-group command displays the current access list bound to the interfaces.

The clear access-group command removes all the ACLs from the interfaces.

The access-group per-user-override command is implemented for only the inbound ACLs and not for

the outbound ACLs.

Examples This example shows how to use the access-group command:

fwsm/context(config)# static (inside,outside) 209.165.201.3 10.1.1.3

fwsm/context(config)# access-list acl_out permit tcp any host 209.165.201.3 eq 80

fwsm/context(config)# access-group acl_out in interface outside

access-list Access list id.

in Filters the inbound packets at the specified interface.

out Filters the outbound packets at the specified interface.

interface interface_name Specifies the name of the network interface.

per-user-override (Optional) Allows the per-user ACLs downloaded by the Authenticaion,

Authorization and Accounting (AAA) configuration to override the

existing interface ACLs. Clients must use RADIUS servers for

authorization.

Release Modification

1.1(1) Support for this command was introduced on the FWSM.

2.3(1) Support for the per-user-override option was implemented.

2-31

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

Chapter 2 Firewall Services Module Commands

access-group

The static command provides a global address of 209.165.201.3 for the web server at 10.1.1.3. The

access-list command lets any host access the global address using port 80. The access-group command

specifies that the access-list command applies to traffic entering the outside interface.

Related Commands access-list alert-interval

access-list deny-flow-max

access-list extended

access-list remark

clear access-group

clear access-list

object-group

show access-group

show access-list

2-32

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

Chapter 2 Firewall Services Module Commands

access-list alert-interval

To specify the time interval between deny flow maximum messages, use the access-list alert-interval

command. To return to the default settings, use the no form of this command.

[no] access-list alert-interval secs

Syntax Description

Defaults 300 seconds

Command Modes Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Usage Guidelines The access-list alert-interval command sets the time interval for generating the syslog message 106101.

The syslog message 106101 alerts you that the FWSM has reached a deny flow maximum. When the

deny flow maximum is reached, another 106101 message is generated if at least secs seconds have

occurred since the last 106101 message.

See the access-list deny-flow-max command for information about the deny flow maximum message

generation.

Examples This example shows how to specify the time interval between deny flow maximum messages:

fwsm/context(config)# access-list alert-interval 30

Related Commands access-list deny-flow-max

access-list extended

clear access-list

show access-list

secs Time interval between deny flow maximum message generation; valid values are

from 1 to 3600 seconds.

Release Modification

1.1(1) Support for this command was introduced on the FWSM.

2-33

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

Chapter 2 Firewall Services Module Commands

access-list commit

To compile and apply access lists when you are in the manual-commit mode, use the access-list commit

command.

access-list commit

Syntax Description This command has no arguments or keywords.

Defaults This command has no default settings.

Command Modes Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Usage Guidelines If a context is in access-list mode, newly added rules are not added to the CLS classifier until a commit

command is issued. Those rules are flagged and added once the commit command is entered.

The commit mode provides user-initiated compilation and affects all the commands that are stored as an

ACL configuration in the network processor that require a compilation before they are applied. The

access-list commit command applies to the following commands:

•aaa authentication (include and exclude versions only)

•aaa authorization (include and exclude versions only)

•aaa accounting (include and exclude versions only)

•aaa access-list commands

•established

•filter commands

•fixup protocol is affected only by the commit command

•http

•icmp

•nat 0 access-list

•policy static or nat commands

•ssh

•telnet

Release Modification

2.2(1) Support for this command was introduced on the FWSM.

2-34

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

Chapter 2 Firewall Services Module Commands

access-list commit

If you are in manual-commit mode and you need to change one of the previously listed commands,

change the mode to manual-commit and commit the changes before they take effect.

While you are in manual-commit mode, do not enter a command that binds a configuration for a

previouly listed command that has been added to but not committed to an interface. For example, if an

access-list 'foo' command has been added in manual-commit mode and that change has not been

committed, do not enter the access-group command that binds foo to an interface. Commit foo first

through the access-list commit command and only then enter the access-group command.

In manual-commit mode, deleting an ACE flags it for deletion and also removes it from the running

configuration. When you enter the show running command before you enter the access-list commit

command, the original configuration with the following qualifier text “uncommitted deletion” displays.

Adding an ACE flags it as added but not as committed. When you enter the show running command

before you enter the access-list commit command, the original configuration with the following

qualifier text “uncommitted addition” displays. When the access-list commit command runs, these

qualifiers are removed and the configurations become active.

Examples This example shows how to flag and add the access-list rules:

fwsm/context(config)# access-list commit

Related Commands access-group

access-list extended

access-list mode

clear access-list

object-group

show access-list

2-35

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

Chapter 2 Firewall Services Module Commands

access-list deny-flow-max

To specify the maximum number of concurrent deny flows that can be created, use the access-list

deny-flow-max command. To return to the default settings, use the no form of this command.

[no] access-list deny-flow-max n

Syntax Description

Defaults The default is 4096.

Command Modes Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Usage Guidelines Syslog message 106101 is generated when the FWSM has reached the maximum number, n, of ACL

deny flows.

Examples This example shows how to specify the maximum number of concurrent deny flows that can be created:

fwsm/context(config)# access-list deny-flow-max 256

Related Commands access-list extended

clear access-list

show access-list

nMaximum number of concurrent ACL deny flows that can be created; valid values

are from 1 to 4096.

Release Modification

2.2(1) Support for this command was introduced on the FWSM.

2-36

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

Chapter 2 Firewall Services Module Commands

access-list ethertype

To add an EtherType access list to the configuration and to configure policy for IP traffic through the

firewall, use the access-list ethertype command. To remove the access list, use the no form of this

command.

[no] access-list id ethertype {deny | permit} ether-value [unicast | multicast | broadcast]

Syntax Description

Defaults The defaults are as follows:

•The FWSM denies all packets on the originating interface unless you specifically permit access.

•ACL logging generates syslog message 106023 for denied packets—Deny packets must be present

to log denied packets.

•When the log optional keyword is specified, the default level for syslog message 106100 is 6

(informational).

Command Modes Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Examples This example shows how to add an EtherType access list:

fwsm/context(config)# access-list my_access ethertype permit unicast

id Name or number of an access list.

deny Denies access if the conditions are matched. See the “Usage Guidelines”

section for the description.

permit Permits access if the conditions are matched. See the “Usage Guidelines”

section for the description.

ether-value Ethernet value.

unicast (Optional) Specifies unicast notification.

multicast (Optional) Specifies multicast notification.

broadcast (Optional) Specifies broadcast notification.

Release Modification

1.1(1) Support for this command was introduced on the FWSM.

2-37

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

Chapter 2 Firewall Services Module Commands

access-list ethertype

Related Commands access-group

access-list commit

access-list extended

access-list mode

clear access-group

clear access-list

configure

object-group

pager

show access-group

show access-list

2-38

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

Chapter 2 Firewall Services Module Commands

access-list extended

To add an access list to the configuration and to configure policy for IP traffic through the firewall, use

the access-list extended command. To remove the access list, use the no form of this command.

[no] access-list id extended deny | permit protocol | object-group protocol_obj_grp_id host

source_ip | source_mask | object-group network_obj_grp_id [operator port [port] |

object-group service_obj_grp_id] destination_ip destination_mask | object-group

network_obj_grp_id [operator port [port] | object-group service_obj_grp_id]} [log [disable] |

[level] | [default] | [interval secs]]

Syntax Description id Name or number of an access list.

extended Specifies an extended access list.

deny Denies access if the conditions are matched. See the “Usage Guidelines”

section for the description.

permit Permits access if the conditions are matched. See the “Usage Guidelines”

section for the description.

protocol Name or number of an IP protocol; valid values are icmp, ip, tcp, or udp, or

an integer in the range 1 to 254 representing an IP protocol number. See the

“Usage Guidelines” section for additional information.

object-group Specifies an object group; see the “Usage Guidelines” section for additional

information.

protocol_obj_grp_id Existing protocol object group identification.

source_ip Address of the network or host local to the FWSM; see the “Usage

Guidelines” section for additional information.

source_mask Netmask bits (mask) to be applied to the source_addr if the source address

is for a network mask.

network_obj_grp_id Existing network object group identification.

operator Operand that will compare the source IP address to the destination IP

address; see the “Usage Guidelines” section for additional information.

port (Optional) Port that you permit or deny services access; see the “Usage

Guidelines” section for additional information.

service_obj_grp_id (Optional) Object group.

destination_ip IP address of the network or host to which the packet is being sent; see the

“Usage Guidelines” section for additional information.

destination_mask Netmask bits (mask) to be applied to destination_addr if the destination

address is a network mask.

log default (Optional) Specifies that a syslog message 106100 is generated for the ACE.

See the “Usage Guidelines” section for information.

log disable (Optional) Disables syslog messaging. See the “Usage Guidelines” section

for information.

log level (Optional) Specifies the syslog level; valid values are from 0 to 7. See the

“Usage Guidelines” section for information.

interval secs (Optional) Specifies the time interval at which to generate an 106100 syslog

message; valid values are from 1 to 600 seconds.

2-39

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

Chapter 2 Firewall Services Module Commands

access-list extended

Defaults The defaults are as follows:

•The FWSM denies all packets on the originating interface unless you specifically permit access.

•ACL logging generates syslog message 106023 for only specified deny packets—Deny packets must

be present to log denied packets.

•When the log optional keyword is specified, the default level for syslog message 106100 is 6

(informational).

Command Modes Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

Usage Guidelines When used with the access-group command, the deny optional keyword does not allow a packet to

traverse the FWSM. By default, the FWSM denies all packets on the originating interface unless you

specifically permit access.

When you specify the protocol to match any Internet protocol, including TCP and UDP, use the ip

keyword.

Refer to the object-group command for information on how to configure object groups.

The operator compares the source IP address (sip) or destination IP address (dip) ports. Possible

operands include lt for less than, gt for greater than, eq for equal, neq for not equal, and range for an

inclusive range. Use the access-list command without an operator and port to indicate all ports by default

as follows:

fwsm/context(config)# access-list acl_out permit tcp any host 209.165.201.1

Use eq and a port to permit or deny access to just that port. For example, use eq ftp to permit or deny

access only to FTP:

fwsm/context(config)# access-list acl_out deny tcp any host 209.165.201.1 eq ftp

Use lt and a port to permit or deny access to all ports less than the port that you specify. For example,

use lt 2025 to permit or deny access to the well-known ports (1 to 1024):

fwsm/context(config)# access-list acl_dmz1 permit tcp any host 192.168.1.1 lt 1025

Use gt and a port to permit or deny access to all ports greater than the port that you specify. For example,

use gt 42 to permit or deny ports 43 to 65535:

fwsm/context(config)# access-list acl_dmz1 deny udp any host 192.168.1.2 gt 42

Use neq and a port to permit or deny access to every port except the ports that you specify. For example,

use neq 10 to permit or deny ports 1–9 and 11 to 65535:

fwsm/context(config)# access-list acl_dmz1 deny tcp any host 192.168.1.3 neq 10

Release Modification

1.1(1) Support for this command was introduced on the FWSM.

2-40

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

Chapter 2 Firewall Services Module Commands

access-list extended

Use range and a port range to permit or deny access to only those ports named in the range. For example,

use range 10 1024 to permit or deny access only to ports 10 through 1024. All other ports are unaffected.

The use of port ranges can dramatically increase the number of IPSec tunnels. For example, if a port

range of 5000 to 65535 is specified for a highly dynamic protocol, up to 60,535 tunnels can be created.

Enter port to specify services by the port that handles it, such as smtp for port 25, www for port 80, and

so on. You can specify ports by either a literal name or a number in the range of 0 to 65535. Refer to

valid port numbers at this URL:

http://www.iana.org/assignments/port-numbers

See the “Specifying Port Values” section in Appendix B for a list of valid port literal names in port

ranges. You can also specify numbers.

For the log disable | default | level optional keyword, use these guidelines:

•When you specify the log optional keyword, it generates syslog message 106100 for the ACE to

which it is applied. (syslog message 106100 is generated for every matching permit or deny ACE

flow passing through the FWSM.) The first-match flow is cached. Subsequent matches increment

the hit count displayed in the show access-list command for the ACE, and new 106100 messages

are generated at the end of the interval that is defined by interval secs if the hit count for the flow

is not zero.

•The default ACL logging behavior (the log keyword is not specified) is that if a packet is denied,

then message 106023 is generated. If a packet is permitted, then no syslog message is generated.

•You can specify an optional syslog level (0–7) for the generated syslog messages (106100). If no

level is specified, the default level is 6 (informational) for a new ACE. If the ACE already exists,

then its existing log level remains unchanged.

•If you do not specify the log disable optional keyword, the access list logging is completely

disabled. No syslog message, including message 106023, is generated.

•The log default optional keyword restores the default access list logging behavior.

Note Refer to the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module

Configuration Guide for additional information about logging.

The interval secs keyword and argument are used as the timeout value for deleting an inactive flow. If

you do not specify the interval secs optional keyword, the default interval is 300 seconds for a new ACE.

If an ACE already exists, any interval that was previously associated with that ACE remains unchanged.

The icmp_type argument is for non-IPSec use only or for permit or deny access to ICMP message types

(see Table 2-1 on page 2-44). You should omit this optional keyword to indicate all ICMP types.

ICMP message types are not supported with IPSec. When the access-list command is used with the

crypto map command, the icmp_type is ignored.

The access-list command allows you to specify if an IP address is permitted or denied access to a port

or protocol. One or more access-list commands with the same access list name are referred to as an

“access list.” Access lists that are associated with IPSec are known as “crypto access lists.”

You can use the object-group command to group access lists.

Use the following guidelines for specifying a source, local, or destination address:

•Use a 32-bit quantity in four-part, dotted-decimal format.

•Use the keyword any as an abbreviation for an address and mask of 0.0.0.0 0.0.0.0. We do not

recommend that you use this keyword with IPSec.

•Use host address as an abbreviation for a mask of 255.255.255.255.

2-41

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

Chapter 2 Firewall Services Module Commands

access-list extended

Use the following guidelines for specifying a network mask:

•Do not specify a mask if the address is for a host; if the destination address is for a host, use the host

keyword before the address as follows:

fwsm/context(config)# access-list acl_grp permit tcp any host 192.168.1.1

•If the address is a network address, specify the mask as a 32-bit quantity in four-part, dotted-decimal

format. Place zeros in the bit positions that you want to ignore.

•Remember that you specify a network mask differently than with the Cisco IOS software access-list

command. With the FWSM, enter 255.0.0.0 for a Class A address, 255.255.0.0 for a Class B address,

and 255.255.255.0 for a Class C address. If you are using a subnetted network address, use the

appropriate network mask as follows:

fwsm/context(config)# access-list acl_grp permit tcp any 209.165.201.0 255.255.255.224

The access-list command supports the sunrpc service.

The show access-list command lists the access-list commands in the configuration and the hit count of

the number of times each element has been matched during an access-list command search.

Additionally, it displays the number of access list statements in the access list and indicates whether or

not the list is configured for Turbo ACL. If the list has fewer than 18 ACEs, it is marked as

turbo-configured but is not actually configured for Turbo ACL until there are 19 or more entries.

The show access-list source_addr optional keyword and argument filter the show output so that only

those access-list elements that match the source IP address (or with any as source IP address) are

displayed.

The clear access-list command removes all access-list commands from the configuration or, if specified,

removes the access lists by their id. The clear access-list id counters command clears the hit count for

the specified access list.

The no access-list command removes an access-list command from the configuration. If you remove all

the access-list commands in an access list, the no access-list command also removes the corresponding

access-group command from the configuration.

Note The aaa, crypto map, and icmp commands use the access-list commands.

access-list logging Commands

This example shows what happens when you enable an access-list log optional keyword:

fwsm/context(config)# access-group outside-acl in interface outside

fwsm/context(config)# access-list outside-acl permit ip host 1.1.1.1 any log 7 interval

600

fwsm/context(config)# access-list outside-acl permit ip host 2.2.2.2 any

fwsm/context(config)# access-list outside-acl deny ip any any log 2

The previous example shows the use of access-list logging in an ICMP context:

1. An ICMP echo request (1.1.1.1 -> 192.168.1.1) arrives on the outside interface.

2. An ACL called outside-acl is applied for the access check.

3. The packet is permitted by the first ACE of outside-acl that has the log optional keyword enabled.

4. The log flow (ICMP, 1.1.1.1, 0, 192.168.1.1, 8) has not been cached, so the following syslog

message is generated and the log flow is cached:

106100: access-list outside-acl permitted icmp outside/1.1.1.1(0) ->

inside/192.168.1.1(8) hit-cnt 1 (first hit)

2-42

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

Chapter 2 Firewall Services Module Commands

access-list extended

5. Twenty packets arrive on the outside interface within the next 10 minutes (600 seconds). Because

the log flow has been cached, the log flow is located and the hit count of the log flow is incremented

for each packet.

6. At the end of 10 minutes, this syslog message is generated and the hit count of the log flow is reset

to 0:

106100: access-list outside-acl permitted icmp outside/1.1.1.1(0) ->

inside/192.168.1.1(8) hit-cnt 20 (300-second interval)

7. No packets arrive on the outside interface within the next 10 minutes, so the hit count of the log flow

remains 0.

8. At the end of 20 minutes, the cached flow (ICMP, 1.1.1.1, 0, 192.168.1.1, 8) is deleted because of

the 0 hit count.

To disable a log optional keyword without removing the ACE, enter the access-list id log disable

command.

When removing an ACE with a log optional keyword enabled using the no access-list command, you do

not need to specify all the log options. The ACE is removed if its permit or deny rule is used to uniquely

identify it. However, removing an ACE (with a log optional keyword enabled) does not remove the

associated cached flows. You must remove the entire ACL to remove the cached flows. When a cached

flow is flushed due to the removal of an ACL, a syslog message is generated if the hit count of the flow

is nonzero.

Use the clear access-list command to remove all the cached flows.

access-list id remark command

You can access the access-list id [line line-num] remark text command to include comments (remarks)

about entries in any ACL. You can use remarks to make the ACL easier to scan and interpret. Each

remark line is limited to 100 characters.

The ACL remark can go before or after an access-list command, but you should place it in a consistent

position so that it is clear which remark describes which access-list command.

The no access-list id line line-num remark text and no access-list id line line-num commands both

remove the remark at that line number.

The following are samples of possible access-list remarks:

access-list out-acl remark - ACL for the outside interface

access-list out-acl remark - Allow Joe Smith's group to login

access-list out-acl permit tcp 1.1.1.0 255.255.255.0 server

access-list out-acl remark - Allow Lee White's group to login

access-list out-acl permit tcp 1.1.3.0 255.255.255.0 server

access-list out-acl remark - Deny known hackers

access-list out-acl deny ip host 192.23.56.1 any

access-list out-acl deny ip host 197.1.1.125 any

RADIUS Authorization

The FWSM allows a RADIUS server to send user group attributes to the FWSM in the RADIUS

authentication response message. Additionally, the FWSM allows downloadable access lists from the

RADIUS server. For example, you can configure an access list on a Cisco Secure ACS server and

download it to the FWSM during RADIUS authorization.

After the FWSM authenticates a user, it can use the CiscoSecure acl attribute that is returned by the

authentication server to identify an access list for a given user group. The firewall also provides the same

functionality for TACACS+.

2-43

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

Chapter 2 Firewall Services Module Commands

access-list extended

To restrict users to three servers and deny everything else, the access-list commands are as follows:

fwsm/context(config)# access-list eng permit ip any

server1

255.255.255.255

fwsm/context(config)# access-list eng permit ip any

server2

255.255.255.255

fwsm/context(config)# access-list eng permit ip any

server3

255.255.255.255

fwsm/context(config)# access-list eng deny ip any any

In this example, the vendor-specific attribute string in the CiscoSecure configuration is set to acl=eng.

This field in the CiscoSecure configuration contains the access-list identification name. The FWSM gets

the acl=id from CiscoSecure and extracts the ACL number from the attribute string, which it places in a user’s

uauth entry. When a user tries to open a connection, the FWSM checks the access list in the user’s uauth entry,

and depending on the permit or deny status of the access list match, permits or denies the connection. When

a connection is denied, the FWSM generates a syslog message. If there is no match, then the implicit rule is

to deny.

Because the source IP of a given user can vary depending on where the user is logging in from, you should

set the source address in the access-list command to any and the destination address to identify which

network services to which the user is permitted or denied access. To specify that only the users logging in

from a given subnet can use the specified services, you should specify the subnet instead of using any.

Note An access list that is used for RADIUS authorization does not require an access-group command to bind

the statements to an interface.

The aaa authorization command does not have a radius optional keyword.

Configure the access list that is listed in Attribute 11 to specify a per-user access list name. Otherwise,

remove Attribute 11 from the configuration if no access list is intended for user authentication. If the

access list is not configured on the FWSM when the user attempts to login, the login will fail.

For more information, refer to the Cisco FWSM and VPN Configuration Guide.

Usage Notes

The clear access-list command automatically unbinds an access list from a crypto map command or

interface. The unbinding of an access list from a crypto map command can lead to a condition that

discards all packets because the crypto map commands referencing the access list are incomplete. To

correct the condition, either define other access-list commands to complete the crypto map commands

or remove the crypto map commands that pertain to the access-list command. Refer to the crypto map

client command for more information.

ACLs that are dynamically updated on the FWSM by an AAA server can only be shown using the show

access-list command. The write command does not save or display these updated lists.

The access-list command operates on a first-match basis.

If you specify an access-list command and bind it to an interface with the access-group command, by

default, all traffic to that interface is denied. You must explicitly permit traffic. Inbound refers to traffic

passing through the interface, not the traffic passing from a lower security level interface to a higher

security level interface.

Always permit access first and then deny access afterward. If the host entries match, use the permit

keyword; otherwise, use the default deny keyword. You only need to specify additional deny keywords

if you need to deny specific hosts and permit everyone else.

You can see the security levels for interfaces with the show nameif command.

The optional ICMP message type (icmp_type) argument is ignored in IPSec applications because the

message type cannot be negotiated with ISAKMP.

2-44

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

Chapter 2 Firewall Services Module Commands

access-list extended

You can bind only one access list to an interface using the access-group command.

If you specify the permit optional keyword in the access list, the FWSM continues to process the packet.

If you specify the deny optional keyword in the access list, the FWSM discards the packet and generates

this syslog message:

%fwsm#-4-106019: IP packet from

source_addr

destination_addr

, protocol protocol

received from interface

interface_name

deny by access-group

The access-list command uses the same syntax as the Cisco IOS software access-list command except

that the FWSM uses a subnet mask. (Cisco IOS software uses a wildcard mask.) For example, in the

Cisco IOS software access-list command, a subnet mask of 0.0.0.255 would be specified as

255.255.255.0 in the FWSM access-list command.

We recommend that you do not use the access-list command with the outbound command. Using these

commands together may cause debugging issues. The outbound command operates from one interface

to another and the access-list command when used with the access-group command applies only to a

single interface. If you use these commands together, the FWSM evaluates the access-list command

before checking the outbound command.

Refer to Chapter 3, “Managing Network Access and Use” in the Cisco Firewall and VPN Configuration

Guide for a detailed description about using the access-list command to provide server access and to

restrict outbound user access.

See the aaa-server radius-acctport and aaa-server radius-authport commands to verify or change

port settings.

ICMP Message Types

For non-IPSec use only, if you prefer more selective ICMP access, you can specify a single ICMP

message type as the last optional keyword in this command. Table 2-1 lists the possible ICMP types

values.

Table 2-1 ICMP Type Literals

ICMP Type Literal

0 echo-reply

3 unreachable

4 source-quench

5 redirect

6 alternate-address

8 echo

9 router-advertisement

10 router-solicitation

11 time-exceeded

12 parameter-problem

13 timestamp-request

14 timestamp-reply

15 information-request

16 information-reply

17 address-mask-request

2-45

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

Chapter 2 Firewall Services Module Commands

access-list extended

This example shows that if you specify an ICMP message type for use with IPSec, FWSM ignores it:

fwsm/context(config)# access-list 10 permit icmp any any echo-reply

IPSec is enabled so that a crypto map command references the id for this access-list command, and then

the echo-reply ICMP message type is ignored.

Using the access-list Command with IPSec

If you bind an access list to an interface with the access-group command, the access list selects which

traffic can traverse the FWSM. When bound to a crypto map command, the access list selects which IP

traffic IPSec protects and which traffic IPSec does not protect. For example, access lists can be created

to protect all IP traffic between Subnet X and Subnet Y or traffic between Host A and Host B.

The access lists are not specific to IPSec. The crypto map command referring to the specific access list

defines whether IPSec processing is applied to the traffic matching a permit in the access list.

Crypto access lists that are associated with the IPSec crypto map command have these primary

functions:

•Select outbound traffic to be protected by IPSec (permit = protect).

•Indicate the data flow to be protected by the new security associations (specified by a single permit

entry) when initiating negotiations for IPSec security associations.

•Process traffic to filter out and discard traffic that IPSec protects.

•Determine whether to accept requests for IPSec security associations for the requested data flows

when processing IKE negotiation from the IPSec peer. (Negotiation is only done for the crypto map

commands with the ipsec-isakmp optional keyword.) A peer’s initiated IPSec negotiation will be

accepted only if you specify a data flow that is permitted by a crypto access list that is associated

with an ipsec-isakmp crypto map entry.

You can associate a crypto access list with an interface by defining the corresponding crypto map

command and applying the crypto map set to an interface. You must use different access lists in different

entries of the same crypto map set. The access list’s criteria are applied in the forward direction to traffic

exiting your FWSM and the reverse direction to traffic entering your FWSM.

If you want certain traffic to receive one combination of IPSec protection (for example, authentication

only) and other traffic to receive a different combination of IPSec protection (for example, both

authentication and encryption), you need to create two different crypto access lists to define the two

different types of traffic. These different access lists are then used in different crypto map entries that

specify different IPSec policies.

We recommend that you configure “mirror image” crypto access lists for use by IPSec and that you avoid

using the any keyword.

18 address-mask-reply

31 conversion-error

32 mobile-redirect

Table 2-1 ICMP Type Literals (continued)

ICMP Type Literal

2-46

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

Chapter 2 Firewall Services Module Commands

access-list extended

If you configure multiple entries for a given crypto access list, the first permit keyword entry matched

will be the entry used to determine the scope of the IPSec security association. The IPSec security

association will be set up to protect traffic that meets the criteria of the matched keyword entry only. If

traffic matches a different permit entry of the crypto access list, a new, separate IPSec security

association will be negotiated to protect traffic matching the newly matched access list command.

Some services, such as FTP, require two access-list commands, one for port 10 and another for port 21,

to properly encrypt FTP traffic.

Examples This example shows how to create a numbered access list that specifies a Class C subnet for the source

and a Class C subnet for the destination of IP packets. Because the access-list command is referenced

in the crypto map command, the FWSM encrypts all IP traffic that is exchanged between the source and

destination subnets.

fwsm/context(config)# access-list 101 permit ip 172.21.3.0 255.255.0.0 172.22.2.0

255.255.0.0

fwsm/context(config)# access-group 101 in interface outside

fwsm/context(config)# crypto map mymap 10 match address 101

This example shows how to let only an ICMP message type of echo-reply be permitted into the outside

interface:

fwsm/context(config)# access-list acl_out permit icmp any any echo-reply

fwsm/context(config)# access-group acl_out interface outside

This example shows how ACEs are numbered by the FWSM and how remarks are inserted (remarks are

not assigned a line number):

fwsm/context(config)# show access-list ac

access-list ac; 2 elements

access-list ac line 1 permit ip any any (hitcnt=0)

access-list ac line 2 permit tcp any any (hitcnt=0)

fwsm/context(config)# access-list ac permit tcp object-group remote object-group locals

fwsm/context(config)# show access-list ac

access-list ac; 3 elements

access-list ac line 1 permit ip any any (hitcnt=0)

access-list ac line 2 permit tcp any any (hitcnt=0)

access-list ac line 3 permit tcp object-group remote object-group locals

fwsm/context(config)# access-list ac remark This comment describes the ACE line 3

fwsm/context(config)# show access-list ac

access-list ac; 3 elements

access-list ac line 1 permit ip any any (hitcnt=0)

access-list ac line 2 permit tcp any any (hitcnt=0)

access-list ac remark This comment describes the ACE line 3

access-list ac line 3 permit tcp object-group remote object-group locals

fwsm/context(config)# access-list ac permit tcp 171.0.0.0 255.0.0.0 any

fwsm/context(config)# show access-list ac

access-list ac; 4 elements

access-list ac line 1 permit ip any any (hitcnt=0)

access-list ac line 2 permit tcp any any (hitcnt=0)

access-list ac remark This comment describes the ACE line 3

access-list ac line 3 permit tcp object-group remote object-group locals

access-list ac line 4 permit tcp 171.0.0.0 255.0.0.0 any (hitcnt=0)

fwsm/context(config)# no access-list ac permit tcp object-group remote object-group locals

fwsm/context(config)# show access-list ac

access-list ac; 3 elements

access-list ac line 1 permit ip any any (hitcnt=0)

2-47

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

Chapter 2 Firewall Services Module Commands

access-list extended

access-list ac line 2 permit tcp any any (hitcnt=0)

access-list ac remark This comment describes the ACE line 3

access-list ac line 3 permit tcp 171.0.0.0 255.0.0.0 any (hitcnt=0)

This example shows how to remove an access list comment:

fwsm/context(config)# access-list ac remark This comment diatribes the ACE line 5

fwsm/context(config)# sh access-list ac

access-list ac; 3 elements

access-list ac line 1 permit ip any any (hitcnt=0)

access-list ac line 2 permit tcp any any (hitcnt=0)

access-list ac remark This comment describes the ACE line 3

access-list ac line 3 permit tcp 171.0.0.0 255.0.0.0 any (hitcnt=0)

access-list ac remark This comment describes the ACE line 5

fwsm/context(config)# no access-list ac remark This comment describes the ACE line 5

fwsm/context(config)# show access-list ac

access-list ac; 3 elements

access-list ac permit ip any any line 1 (hitcnt=0)

access-list ac permit tcp any any line 2 (hitcnt=0)

access-list ac remark This comment describes the ACE line 3

access-list ac permit tcp 171.0.0.0 255.0.0.0 any line 4 (hitcnt=0)

This example shows how to insert an access list entry at a specific line number:

fwsm/context(config)# show access-list ac

access-list ac; 3 elements

access-list ac line 1 permit ip any any (hitcnt=0)

access-list ac line 2 permit tcp any any (hitcnt=0)

access-list ac remark This comment describes the ACE line 3

access-list ac line 3 permit tcp 171.0.0.0 255.0.0.0 any (hitcnt=0)

fwsm/context(config)# access-list ac line 3 permit ip 172.0.0.0 255.0.0.0 any

fwsm/context(config)# show access-list ac

access-list ac; 4 elements

access-list ac line 1 permit ip any any (hitcnt=0)

access-list ac line 2 permit tcp any any (hitcnt=0)

access-list ac remark This comment describes the ACE line 3

access-list ac line 3 permit ip 172.0.0.0 255.0.0.0 any (hitcnt=0)

access-list ac line 4 permit tcp 171.0.0.0 255.0.0.0 any (hitcnt=0)

The show access-list command has the following line of output which shows the total number of cached

ACL log flows (total), the number of cached deny-flows (denied), and the maximum number of allowed

deny-flows:

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)

Related Commands access-group

access-list commit

access-list extended

access-list mode

clear access-group

clear access-list

configure

object-group

pager

show access-group

show access-list

2-48

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

OL-6513-01

Chapter 2 Firewall Services Module Commands

access-list icmp host

To add an ICMP host access list to the configuration and to configure policy for IP traffic through the

FWSM, use the access-list icmp host command. To remove the access list, use the no form of this

command.

[no] access-list id {deny | permit} host {source_ip | {source_ip source_mask}} [log [disable |

[level] | default] | [interval secs]]

Syntax Description

Defaults The defaults are as follows:

•The FWSM denies all packets on the originating interface unless you specifically permit access.

•ACL logging generates syslog message 106023 for denied packets—Deny packets must be present

to log denied packets.

•When the log optional keyword is specified, the default level for syslog message 106100 is 6

(informational).

Command Modes Security Context Mode: single context mode and multiple context mode

Access Location: context command line

Command Mode: configuration mode

Firewall Mode: routed firewall mode and transparent firewall mode

Command History

id Name or number of an access list.

deny Denies access if the conditions are matched. See the “Usage Guidelines”

section for the description.

permit Permits access if the conditions are matched. See the “Usage Guidelines”

section for the description.

host Specifies that you are adding a host to the access list.

source_ip IP address of the network or host from which the packet is being sent.

source_mask Netmask bits (mask) to be applied to the source_addr if the source address

is for a network mask.

log disable (Optional) Disables syslog messaging. See the “Usage Guidelines” section

for information.

log default (Optional) Specifies that a syslog message 106100 is generated for ACE. See

the “Usage Guidelines” section for information.

log level (Optional) Specifies the syslog level; valid values are from 0 to 7. See the

“Usage Guidelines” section for information.

interval secs (Optional) Specifies the time interval at which to generate an 106100 syslog

message; valid values are from 1 to 600 seconds.

Release Modification

1.1(1) Support for this command was introduced on the FWSM.

2-49