Catalyst 6500 Series and Cisco 7600 Series Switch Firewall Services Module Command Reference, 3.1(1)

Corporate Headquarters

Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA

http://www.cisco.com Tel: 408 526-4000

800 553-NETS (6387) Fax: 408 526-4100

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT

LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Catalyst 6500 Series and Cisco 7600 Series Switch Firewall Services Module Command Reference, 3.1

Copyright © 2006 Cisco Systems, Inc. All rights reserved.

CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

C O N T E N T S

About This Guide

Using the Command-Line Interface

aaa accounting through accounting-server-group Commands

aaa accounting

aaa accounting command

aaa accounting console

aaa accounting match

aaa authentication

aaa authentication console

aaa authentication match

aaa authentication secure-http-client

aaa authorization

aaa authorization command

aaa authorization match

aaa local authentication attempts max-fail

aaa mac-exempt

aaa proxy-limit

aaa-server host

aaa-server protocol

absolute

accept-subordinates

access-group

access-list alert-interval

access-list commit

access-list deny-flow-max

access-list ethertype

access-list extended

access-list mode

access-list remark

access-list standard

Contents

accounting-port

accounting-server-group

activation-key through auto-update timeout Commands

activation-key

address-pool

admin-context

alias

allocate-acl-partition

allocate-interface

area

area authentication

area default-cost

area filter-list prefix

area nssa

area range

area stub

area virtual-link

arp

arp timeout

arp-inspection

asdm disconnect

asdm disconnect log_session

asdm group

asdm history enable

asdm location

asr-group

authentication-port

authentication-server-group

authorization-dn-attributes

authorization-required

authorization-server-group

auth-prompt

auto-update device-id

Contents

auto-update timeout

backup-servers through bridge-group Commands

backup-servers

banner

banner (group-policy)

blocks

bridge-group

cache-time through clear capture Commands

cache-time

call-agent

capture

cd

certificate

chain

changeto

checkheaps

check-retransmission

checksum-verification

class

class (policy-map)

class-map

clear aaa local user fail-attempts

clear aaa local user lockout

clear aaa-server statistics

clear access-group

clear access-list

clear arp

clear asp drop

clear blocks

clear capture

clear configure through clear configure virtual Commands

clear configure

clear configure aaa

Contents

clear configure access-group

clear configure access-list

clear configure alias

clear configure arp

clear configure arp-inspection

clear configure asdm

clear configure auth-prompt

clear configure auto-update

clear configure banner

clear configure ca certificate map

clear configure class

clear configure class-map

clear configure command-alias

clear configure console

clear configure context

clear configure crypto

clear configure crypto ca trustpoint

clear configure crypto dynamic-map

clear configure crypto map

clear configure dhcpd

clear configure dhcprelay

clear configure dns

clear configure established

clear configure failover

clear configure filter

clear configure firewall

clear configure fixup

clear configure fragment

clear configure ftp

clear configure ftp-map

clear configure global

clear configure group-policy

clear configure gtp-map

clear configure hostname

Contents

clear configure http-map

clear configure icmp

clear configure interface

clear configure interface bvi

clear configure ip

clear configure ip local pool

clear configure ip verify reverse-path

clear configure ipv6

clear configure isakmp

clear configure isakmp policy

clear configure logging

clear configure mac-address-table

clear configure mac-learn

clear configure mac-list

clear configure management-access

clear configure mgcp-map

clear configure monitor-interface

clear configure mroute

clear configure mtu

clear configure multicast-routing

clear configure name

clear configure nat

clear configure object-group

clear configure passwd

clear configure pim

clear configure policy-map

clear configure prefix-list

clear configure privilege

clear configure rip

clear configure route

clear configure route-map

clear configure router

clear configure service-policy

clear configure snmp-map

Contents

clear configure ssh

clear configure static

clear configure sunrpc-server

clear configure sysopt

clear configure telnet

clear configure terminal

clear configure timeout

clear configure tunnel-group

clear configure url-block

clear configure url-cache

clear configure url-server

clear configure username

clear configure virtual

clear console-output through clear xlate Commands

clear console-output

clear counters

clear crashinfo

clear crypto accelerator statistics

clear crypto ca crls

clear crypto protocol statistics

clear dhcprelay statistics

clear dns-hosts cache

clear failover statistics

clear fragment

clear gc

clear igmp counters

clear igmp group

clear igmp traffic

clear interface

clear ip verify statistics

clear ipsec sa

clear ipv6 access-list counters

clear ipv6 neighbors

Contents

clear local-host

clear logging asdm

clear logging buffer

clear mac-address-table

clear memory profile

clear mfib counters

clear ospf

clear pim counters

clear pim reset

clear pim topology

clear prompt

clear resource usage

clear route

clear service-policy

clear service-policy inspect gtp

clear shun

clear sunrpc-server active

clear traffic

clear uauth

clear url-block block statistics

clear url-cache statistics

clear url-server

clear xlate

client-access-rule through crl-configure Commands

client-access-rule

client-firewall

client-update

command-alias

command-queue

compatible rfc1583

configure http

configure memory

configure net

configure terminal

Contents

console timeout

content-length

content-type-verification

context

copy

copy capture

crashinfo force

crashinfo save disable

crashinfo test

crl

crl configure

crypto ca authenticate through crypto map set trustpoint Commands

crypto ca authenticate

crypto ca certificate chain

crypto ca certificate map

crypto ca crl request

crypto ca enroll

crypto ca export

crypto ca import

crypto ca trustpoint

crypto dynamic-map match address

crypto dynamic-map set peer

crypto dynamic-map set pfs

crypto dynamic-map set reverse route

crypto dynamic-map set security-association lifetime

crypto dynamic-map set transform-set

crypto ipsec df-bit

crypto ipsec fragmentation

crypto ipsec security-association lifetime

crypto ipsec transform-set

crypto key generate dsa

crypto key generate rsa

crypto key zeroize

Contents

crypto map match address

crypto map set connection-type

crypto map set peer

crypto map set pfs

crypto map set phase1 mode

crypto map set reverse-route

crypto map set security-association lifetime

crypto map set transform-set

crypto map set trustpoint

debug aaa through debug sip Commands

debug aaa

debug appfw

debug arp

debug arp-inspection

debug asdm history

debug context

debug control-plane

debug crypto ca

debug crypto ipsec

debug crypto isakmp

debug crypto isakmp

debug ctiqbe

debug ctm

debug dhcpc

debug dhcpd

debug dhcprelay

debug disk

debug dns

debug entity

debug fixup

debug fover

debug fsm

debug ftp client

debug generic

Contents

debug h323

debug http

debug http-map

debug icmp

debug igmp

debug ils

debug imagemgr

debug ipsec-over-tcp

debug ipv6

debug iua-proxy

debug kerberos

debug ldap

debug mac-address-table

debug menu

debug mfib

debug mgcp

debug mrib

debug ntdomain

debug ospf

debug parser cache

debug pim

debug pix acl

debug pix cls

debug pix pkt2pc

debug pix process

debug pix uauth

debug pptp

debug radius

debug rip

debug rtsp

debug sdi

debug sequence

debug skinny

debug smtp

Contents

debug ssh

debug sunrpc

debug tacacs

debug tcp-map

debug timestamps

debug vpn-sessiondb

debug xdmcp

debug sip

default through drop Commands

default (crl configure)

default (crl configure)

default (time-range)

default-domain

default enrollment

default-group-policy

default-information originate

delete

deny-request-cmd

dhcpd dns

dhcpd domain

dhcpd enable

dhcpd lease

dhcpd option

dhcpd ping-timeout

dhcpd wins

dhcp-network-scope

dhcprelay enable

dhcprelay server

dhcprelay setroute

dhcprelay enable

dhcp-server

dir

disable

distance ospf

Contents

dns name-server

dns retries

description

dns-server

dns timeout

domain-name

drop

email through ftp-map Commands

email

enable

enable password

endpoint

enforcenextupdate

enrollment retry count

enrollment retry period

enrollment terminal

enrollment url

erase

established

exit

failover

failover active

failover group

failover interface ip

failover interface-policy

failover key

failover lan interface

failover lan unit

failover link

failover polltime

failover reload-standby

failover replication http

failover reset

Contents

filter ftp

filter https

filter java

filter url

firewall transparent

format

fqdn

fragment

ftp mode passive

ftp-map

gateway through http-map Commands

gateway

global

group-delimiter

group-lock

group-object

group-policy

group-policy attributes

h225-map

help

hostname

hsi

hsi-group

hsi-group

http

http authentication-certificate

http redirect

http server enable

http-map

icmp through ignore lsa mospf Commands

icmp

icmp-object

id-cert-issuer

igmp

Contents

igmp forward interface

igmp join-group

igmp limit

igmp query-interval

igmp query-max-response-time

igmp query-timeout

igmp static-group

igmp version

ignore lsa mospf

inspect ctiqbe through inspect xdmcp Commands

inspect ctiqbe

inspect dns

inspect esmtp

inspect ftp

inspect gtp

inspect h323

inspect http

inspect icmp

inspect icmp error

inspect ils

inspect mgcp

inspect netbios

inspect pptp

inspect rsh

inspect rtsp

inspect sip

inspect skinny

inspect smtp

inspect snmp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect xdmcp

Contents

interface bvi

interface-policy

‘ip address

ip-address

ip-address-privacy

ip local pool

ip verify reverse-path

ip-comp

ip-phone-bypass

ipsec-udp

ipsec-udp-port

ipv6 access-list

ipv6 access-list remark

ipv6 address

ipv6 enable

ipv6 icmp

ipv6 nd dad attempts

ipv6 nd ns-interval

ipv6 nd prefix

ipv6 nd ra-interval

ipv6 nd ra-lifetime

ipv6 nd reachable-time

ipv6 nd suppress-ra

ipv6 neighbor

ipv6 route

isakmp am-disable

isakmp disconnect-notify

isakmp enable

isakmp identity

isakmp keepalive

isakmp policy authentication

isakmp policy encryption

isakmp policy group

isakmp policy hash

Contents

isakmp reload-wait

issuer-name

join-failover-group through kill Commands

join-failover-group

kerberos-realm

key

keypair

kill

ldap-base-dn through log-adj-changes Commands

ldap-base-dn

ldap-defaults

ldap-dn

ldap-login-dn

ldap-login-password

ldap-naming-attribute

ldap-scope

leap-bypass

limit-resource

log-adj-changes

logging asdm through logout Commands

logging asdm

logging asdm-buffer-size

logging buffered

logging buffer-size

logging class

logging console

logging debug-trace

logging device-id

logging emblem

logging enable

logging facility

logging flash-bufferwrap

logging flash-maximum-allocation

Contents

logging from-address

logging ftp-bufferwrap

logging ftp-server

logging history

logging host

logging list

logging mail

logging message

logging monitor

logging permit-hostdown

logging queue

logging recipient-address

logging savelog

logging standby

logging timestamp

logging trap

login

logout

mac-address-table aging-time through multicast-routing Commands

mac-address-table aging-time

mac-address-table static

mac-learn

mac-list

management-access

mask-syst-reply

match access-list

match any

match default-inspection-traffic

match dscp

match interface

match ip address

match ip next-hop

match ip route-source

match metric

Contents

match precedence

match route-type

match rtp

max-failed-attempts

max-header-length

max-uri-length

mcc

member

memory caller-address

memory profile enable

memory profile text

message-length

mgcp-map

mkdir

mode

monitor-interface

more

mroute

mtu

multicast-routing

name through ospf transmit-delay Commands

name

nameif

names

nat

nat-control

neighbor

nem

network area

network-object

nt-auth-domain-controller

object-group

ospf authentication

Contents

ospf database-filter all out

ospf dead-interval

ospf hello-interval

ospf message-digest-key

ospf mtu-ignore

ospf network point-to-point non-broadcast

ospf priority

ospf retransmit-interval

ospf transmit-delay

pager through pwd Commands

pager

passwd

password (crypto ca trustpoint)

password-storage

peer-id-validate

perfmon

perfmon interval

perfmon settings

periodic

permit errors

pfs

pim

pim accept-register

pim dr-priority

pim hello-interval

pim join-prune-interval

pim old-register-checksum

pim rp-address

pim spt-threshold infinity

ping

policy

policy-map

polltime interface

port-misuse

Contents

preempt

prefix-list

prefix-list description

prefix-list sequence-number

pre-shared-key

primary

privilege

prompt

protocol http

protocol ldap

protocol-object

protocol scep

pwd

queue-limit through router-id Commands

queue-limit

quit

radius-common-pw

radius-with-expiry

reactivation-mode

redistribute

reload

remote-access threshold session-threshold-exceeded

rename

replication http

request-command deny

request-method

request-queue

resource acl-partition

retry-interval

re-xauth

rip

rmdir

route

Contents

router-id

same-security-traffic through show asdmsessions Commands

same-security-traffic

sdi-pre-5-slave

sdi-version

secure-unit-authentication

security-level

serial-number

server-port

service resetinbound

service-policy

set connection

set connection timeout

set metric

set metric

setup

show aaa local user

show access-list

show activation-key

show admin-context

show arp

show arp-inspection

show arp statistics

show asdm history

show asdm sessions

show asp drop through show curpriv Commands

show asp drop

show asp table arp

show asp table classify

show asp table interfaces

show asp table mac-address-table

show asp table routing

show asp table vpn-context

show asr

Contents

show blocks

show capture

show checkheaps

show checksum

show chunkstat

show class

show conn

show console-output

show context

show counters

show counters description

show cpu

show crashinfo

show crypto accelerator statistics

show crypto ca certificates

show crypto ca crls

show crypto ipsec df-bit

show crypto ipsec fragmentation

show crypto key mypubkey

show crypto protocol statistics

show ctiqbe

show curpriv

show debug through show ipv6 traffic Commands

show debug

show dhcprelay state

show dhcprelay statistics

show disk

show dns-hosts

show failover

show file

show firewall

show fragment

show gc

Contents

show h323-ras

show history

show idb

show igmp groups

show igmp traffic

show interface

show interface ip brief

show ip address

show ip verify statistics

show ipsec sa

show ipsec sa summary

show ipsec stats

show ipv6 access-list

show ipv6 interface

show ipv6 neighbor

show ipv6 route

show ipv6 routers

show ipv6 traffic

show isakmp sa through show route Commands

show isakmp sa

show isakmp stats

show local-host

show logging

show mac-address-table

show management-access

show memory

show memory binsize

show memory profile

show memory-caller address

show mfib

show mfib active

show mfib count

show mfib interface

show mfib reserved

Contents

show mfib summary

show mfib verbose

show mgcp

show mode

show mrib client

show mrib route

show mrib route summary

show mroute

show nameif

show ospf

show ospf border-routers

show ospf database

show ospf flood-list

show ospf interface

show ospf neighbor

show ospf request-list

show ospf retransmission-list

show ospf summary-address

show ospf virtual-links

show perfmon

show pim df

show pim group-map

show pim interface

show pim join-prune statistic

show pim neighbor

show pim range-list

show pim topology

show pim topology reserved

show pim topology route-count

show pim traffic

show pim tunnel

show processes

show prompt

show reload

Contents

show resource allocation

show resource types

show resource usage

show route

show running-config through show running-config isakmp Commands

show running-config

show running-config aaa

show running-config aaa-server

show running-config aaa-server host

show running-config access-group

show running-config access-list

show running-config alias

show running-config arp

show running-config arp timeout

show running-config arp-inspection

show running-config asdm

show running-config auth-prompt

show running-config auto-update

show running-config banner

show running-config class-map

show running-config command-alias

show running-config console timeout

show running-config context

show running-config crypto

show running-config crypto isakmp

show running-config crypto ipsec

show running-config crypto map

show running-config crypto dynamic-map

show running-config dhcpd

show running-config dhcprelay

show running-config dns

show running-config domain-name

show running-config enable

show running-config established

Contents

show running-config filter

show running-config fragment

show running-config ftp mode

show running-config ftp-map

show running-config global

show running-config group-delimiter

show running-config group-policy

show running-config gtp-map

show running-config http

show running-config http-map

show running-config icmp

show running-config interface

show running-config interface bvi

show running-config ip address

show running-config ip local pool

show running-config ip verify reverse-path

show running-config ipv6

show running-config isakmp

show running-config logging through show running-config vpn-sessiondb Commands

show running-config logging

show running-config logging rate-limit

show running-config mac-address-table

show running-config mac-learn

show running-config mac-list

show running-config management-access

show running-config mgcp-map

show running-config monitor-interface

show running-config mroute

show running-config mtu

show running-config multicast-routing

show running-config name

show running-config nameif

show running-config names

Contents

show running-config object-group

show running-config passwd

show running-config pim

show running-config policy-map

show running-config prefix-list

show running-config privilege

show running-config rip

show running-config route

show running-config route-map

show running-config router

show running-config same-security-traffic

show running-config service

show running-config service-policy

show running-config snmp-map

show running-config snmp-server

show running-config ssh

show running-config static

show running-config sunrpc-server

show running-config sysopt

show running-config telnet

show running-config terminal

show running-config tftp-server

show running-config timeout

show running-config tunnel-group

show running-config url-block

show running-config url-cache

show running-config url-server

show running-config username

show running-config virtual

show running-configuration vpn-sessiondb

show service-policy through show xlate Commands

show service-policy

show service-policy inspect gtp

show shun

Contents

show skinny

show snmp-server statistics

show ssh sessions

show startup-config

show sunrpc-server active

show tcpstat

show tech-support

show traffic

show uauth

show url-block

show url-cache statistics

show url-server

show version

show vlan

show vpn-sessiondb

show vpn-sessiondb ratio

show vpn-sessiondb summary

show xlate

shun through sysopt uauth allow-http-cache Commands

shun

shutdown

sip-map

smtp-server

snmp-map

snmp-server community

snmp-server contact

snmp-server enable

snmp-server enable traps

snmp-server host

snmp-server listen-port

snmp-server location

split-dns

split-tunnel-network-list

Contents

ssh disconnect

ssh scopy enable

ssh timeout

ssh version

static

strict-http

strip-group

strip-realm

subject-name (crypto ca certificate map)

subject-name (crypto ca trustpoint)

summary-address

sunrpc-server

support-user-cert-validation

sysopt connection tcpmss

sysopt connection timewait

sysopt nodnsalias

sysopt noproxyarp

sysopt radius ignore-secret

sysopt uauth allow-http-cache

tcp-map through tunnel-limit Commands

telnet

terminal

terminal pager

terminal width

tftp-server

timeout

timeout (aaa-server host)

timeout (gtp-map)

time-range

timers lsa-group-pacing

timers spf

transfer-encoding

trust-point

tunnel-group

Contents

tunnel-group ipsec-attributes

tunnel-group-map default-group

tunnel-group-map enable

tunnel-limit

upgrade-mp through write terminal Commands

upgrade-mp

url

url-block

url-cache

url-server

user-authentication

user-authentication-idle-timeout

username

username attributes

virtual http

virtual telnet

vpn-access-hours

vpn-addr-assign

vpn-filter

vpn-framed-ip-address

vpn-framed-ip-netmask

vpn-group-policy

vpn-idle-timeout

vpn-sessiondb logoff

vpn-sessiondb max-session-limit

vpn-session-timeout

vpn-simultaneous-logins

vpn-tunnel-protocol

who

wins-server

write erase

write memory

write net

About This Guide

This preface describes who should read the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference, how it is organized, and its document conventions. This preface includes the following sections:

• Document Objectives, page xxxiii

• Audience, page xxxiii

• Document Organization, page xxxiv

• Document Conventions, page xxxv

• Related Documentation, page xxxvi

• Obtaining Documentation, page xxxvi

• Documentation Feedback, page xxxvii

• Cisco Product Security Overview, page xxxvii

• Obtaining Technical Assistance, page xxxviii

• Obtaining Additional Publications and Information, page xl

Document Objectives

This guide contains the commands available for use with the FWSM to protect your network from unauthorized use.

You can also configure and monitor the FWSM by using ASDM, a web-based GUI application. ASDM includes configuration wizards to guide you through some common configuration scenarios, and online Help for less common scenarios. For more information, see:

http://www.cisco.com/univercd/cc/td/doc/product/netsec/secmgmt/asdm/index.htm.

Audience

About This Guide Document Organization

Document Organization

This guide includes the following chapters:

• Chapter 1, “Using the Command-Line Interface,” introduces you to the FWSM commands and access modes.

• Chapter 2, “aaa accounting through accounting-server-group Commands,” provides detailed descriptions of the aaa accounting through accounting-server-group commands.

• Chapter 3, “activation-key through auto-update timeout Commands,” provides detailed descriptions of the activation-key through auto-update timeout commands.

• Chapter 4, “backup-servers through bridge-group Commands,” provides detailed descriptions of the

backup-servers through bridge-group commands.

• Chapter 5, “cache-time through clear capture Commands,” provides detailed descriptions of the

cache-time through clear capture commands

• Chapter 6, “clear configure through clear configure virtual Commands,” provides detailed descriptons of the clear configure through clear configure virtual commands.

• Chapter 7, “clear console-output through clear xlate Commands,” provides detailed descriptons of the clear console-output through clear xlate commands.

• Chapter 8, “client-access-rule through crl-configure Commands,” provides detailed descriptons of the client-access-rule through crl-configure commands.

• Chapter 9, “crypto ca authenticate through crypto map set trustpoint Commands,” provides detailed descriptons of the crypto ca authenticate through crypto map set trustpoint commands.

• Chapter 10, “debug aaa through debug sip Commands,” provides detailed descriptons of the debug aaa through debug sip commands.

• Chapter 11, “default through drop Commands,” provides detailed descriptons of the default

through drop commands.

• Chapter 12, “email through ftp-map Commands,” provides detailed descriptons of the email

through ftp-map commands.

• Chapter 13, “gateway through http-map Commands,” provides detailed descriptons of the gateway

through http-map commands.

• Chapter 14, “icmp through ignore lsa mospf Commands,” provides detailed descriptons of the icmp

through ignore lsamospf commands.

• Chapter 15, “inspect ctiqbe through inspect xdmcp Commands,” provides detailed descriptons of the inspect ctiqbe through inspect xdmcp commands.

• Chapter 16, “interface through issuer-name Commands,” provides detailed descriptons of the

interface through issuer-name commands.

• Chapter 17, “join-failover-group through kill Commands,”provides detailed descriptons of the

join-failover-group through kill commands.

• Chapter 18, “ldap-base-dn through log-adj-changes Commands,” provides detailed descriptons of the ldap-base-dn through log-adj-changes commands.

• Chapter 19, “logging asdm through logout Commands,” provides detailed descriptons of the inspect ctiqbe through inspect xdmcp commands.

About This Guide

Document Conventions

• Chapter 21, “name through ospf transmit-delay Commands,” provides detailed descriptons of the

name through ospf transmit-delaycommands.

• Chapter 22, “pager through pwd Commands,” provides detailed descriptons of the passwd through

pwd commands.

• Chapter 23, “queue-limit through router-id Commands,” provides detailed descriptons of the

queue-limit through router-id commands.

• Chapter 24, “same-security-traffic through show asdmsessions Commands,” provides detailed descriptons of the same-security-traffic through show asdm sessions commands.

• Chapter 25, “show asp drop through show curpriv Commands,” provides detailed descriptons of the

show asp drop through show curpriv commands.

• Chapter 26, “show debug through show ipv6 traffic Commands,” provides detailed descriptons of the show debug through show ipv6 traffic commands.

• Chapter 27, “show isakmp sa through show route Commands,” provides detailed descriptons of the

show isakmp sa through show route commands.

• Chapter 28, “show running-config through show running-config isakmp Commands,” provides detailed descriptons of the show running-config through show running-config isakmp

commands.

• Chapter 29, “show running-config logging through show running-config vpn-sessiondb Commands,” provides detailed descriptons of the show running-config logging through show running-config vpn-sessionb commands.

• Chapter 30, “show service-policy through show xlate Commands,” provides detailed descriptons of the show service-policy through show xlate commands.

• Chapter 31, “shun through sysopt uauth allow-http-cache Commands,” provides detailed descriptons of the shun through sysopt unauth allow-http-cache commands.

• Chapter 32, “tcp-map through tunnel-limit Commands,” provides detailed descriptons of the

tcp-map through tunnel-limit commands.

• Chapter 33, “upgrade-mp through write terminal Commands,” provides detailed descriptons of the

upgrade-mp through write terminal commands.

Document Conventions

The FWSM command syntax descriptions use the following conventions: Command descriptions use these conventions:

• Braces ({ }) indicate a required choice.

• Square brackets ([ ]) indicate optional elements.

• Vertical bars ( | ) separate alternative, mutually exclusive elements.

• Boldface indicates commands and keywords that are entered literally as shown.

• Italics indicate arguments for which you supply values. Examples use these conventions:

• Examples depict screen displays and the command line in screen font.

• Information you need to enter in examples is shown in boldfacescreen font.

About This Guide Related Documentation

• Examples might include output from different platforms; for example, you might not recognize an interface type in an example because it is not available on your platform. Differences should be minor.

Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the manual.

For information on modes, prompts, and syntax, see Chapter 1, “Using the Command-Line Interface.”

Related Documentation

For more information, refer to the following documentation:

• Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide

• Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Logging Configuration and System Log Messages

• Upgrading the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module to Release 3.1

• Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Release Notes

• Cisco ASDM Release Notes

Obtaining Documentation

Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com

You can access the most current Cisco documentation at this URL:

http://www.cisco.com/techsupport

You can access the Cisco website at this URL:

http://www.cisco.com

You can access international Cisco websites at this URL:

http://www.cisco.com/public/countries_languages.shtml

Product Documentation DVD

About This Guide

Documentation Feedback

The Product Documentation DVD is a comprehensive library of technical product documentation on portable media. The DVD enables you to access multiple versions of hardware and software installation, configuration, and command guides for Cisco products and to view technical documentation in HTML. With the DVD, you have access to the same documentation that is found on the Cisco website without being connected to the Internet. Certain products also have .pdf versions of the documentation available. The Product Documentation DVD is available as a single unit or as a subscription. Registered Cisco.com users (Cisco direct customers) can order a Product Documentation DVD (product number

DOC-DOCDVD=) from Cisco Marketplace at this URL:

http://www.cisco.com/go/marketplace/

Ordering Documentation

Beginning June 30, 2005, registered Cisco.com users may order Cisco documentation at the Product Documentation Store in the Cisco Marketplace at this URL:

http://www.cisco.com/go/marketplace/

Nonregistered Cisco.com users can order technical documentation from 8:00 a.m. to 5:00 p.m. (0800 to 1700) PDT by calling 1 866 463-3487 in the United States and Canada, or elsewhere by calling 011 408 519-5055. You can also order documentation by e-mail at

[email protected] or by fax at 1 408 519-5001 in the United States and Canada, or elsewhere at 011 408 519-5001.

Documentation Feedback

You can rate and provide feedback about Cisco technical documents by completing the online feedback form that appears with the technical documents on Cisco.com.

You can send comments about Cisco documentation to [email protected].

You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:

Cisco Systems

Attn: Customer Document Ordering 170 West Tasman Drive

San Jose, CA 95134-9883 We appreciate your comments.

Cisco Product Security Overview

Cisco provides a free online Security Vulnerability Policy portal at this URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

From this site, you can perform these tasks:

• Report security vulnerabilities in Cisco products.

• Obtain assistance with security incidents that involve Cisco products.

• Register to receive security information from Cisco.

About This Guide Obtaining Technical Assistance

http://www.cisco.com/go/psirt

If you prefer to see advisories and notices as they are updated in real time, you can access a Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed from this URL:

http://www.cisco.com/en/US/products/products_psirt_rss_feed.html

Reporting Security Problems in Cisco Products

Cisco is committed to delivering secure products. We test our products internally before we release them, and we strive to correct all vulnerabilities quickly. If you think that you might have identified a vulnerability in a Cisco product, contact PSIRT:

• Emergencies —[email protected]

An emergency is either a condition in which a system is under active attack or a condition for which a severe and urgent security vulnerability should be reported. All other conditions are considered nonemergencies.

• Nonemergencies —[email protected]

In an emergency, you can also reach PSIRT by telephone:

• 1 877 228-7302

• 1 408 525-6532

Tip We encourage you to use Pretty Good Privacy (PGP) or a compatible product to encrypt any sensitive information that you send to Cisco. PSIRT can work from encrypted information that is compatible with PGP versions 2.x through 8.x.

Never use a revoked or an expired encryption key. The correct public key to use in your correspondence with PSIRT is the one linked in the Contact Summary section of the Security Vulnerability Policy page at this URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

The link on this page has the current PGP key ID in use.

Obtaining Technical Assistance

About This Guide

Obtaining Technical Assistance

Cisco Technical Support & Documentation Website

The Cisco Technical Support & Documentation website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, at this URL:

http://www.cisco.com/techsupport

Access to all tools on the Cisco Technical Support & Documentation website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL:

http://tools.cisco.com/RPF/register/register.do

Note Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting a web or phone request for service. You can access the CPI tool from the Cisco Technical Support & Documentation website by clicking the Tools & Resources link under Documentation & Tools.Choose

Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product Identification Tool link under Alerts & RMAs. The CPI tool offers three search options: by product ID or model name; by tree view; or for certain products, by copying and pasting show command output. Search results show an illustration of your product with the serial number label location highlighted. Locate the serial number label on your product and record the information before placing a service call.

Submitting a Service Request

Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions. If your issue is not resolved using the recommended resources, your service request is assigned to a Cisco engineer. The TAC Service Request Tool is located at this URL:

http://www.cisco.com/techsupport/servicerequest

For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.

To open a service request by telephone, use one of the following numbers: Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)

EMEA: +32 2 704 55 55 USA: 1 800 553-2447

For a complete list of Cisco TAC contacts, go to this URL:

http://www.cisco.com/techsupport/contacts

Definitions of Service Request Severity

About This Guide Obtaining Additional Publications and Information

Severity 1 (S1)—Your network is “down,” or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.

Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.

Severity 3 (S3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.

Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.

Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources.

• Cisco Marketplace provides a variety of Cisco books, reference guides, documentation, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL:

http://www.cisco.com/go/marketplace/

• Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL:

http://www.ciscopress.com

• Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and networking investments. Each quarter, Packet delivers coverage of the latest industry trends, technology breakthroughs, and Cisco products and solutions, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification and training information, and links to scores of in-depth online resources. You can access Packet magazine at this URL:

http://www.cisco.com/packet

• iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies learn how they can use technology to increase revenue, streamline their business, and expand services. The publication identifies the challenges facing these companies and the technologies to help solve them, using real-world case studies and business strategies to help readers make sound technology investment decisions. You can access iQ Magazine at this URL:

http://www.cisco.com/go/iqmagazine

or view the digital edition at this URL:

http://ciscoiq.texterity.com/ciscoiq/sample/

• Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:

http://www.cisco.com/ipj

• Networking products offered by Cisco Systems, as well as customer support services, can be obtained at this URL:

About This Guide

Obtaining Additional Publications and Information

• Networking Professionals Connection is an interactive website for networking professionals to share questions, suggestions, and information about networking products and technologies with Cisco experts and other networking professionals. Join a discussion at this URL:

http://www.cisco.com/discuss/networking

• World-class networking training is available from Cisco. You can view current offerings at this URL:

C H A P T E R

1

Using the Command-Line Interface

This describes how to use the CLI on the FWSM, and includes the following topics:

• Firewall Mode and Security Context Mode, page 1-1

• Command Modes and Prompts, page 1-2

• Syntax Formatting, page 1-3

• Abbreviating Commands, page 1-3

• Command-Line Editing, page 1-3

• Command Completion, page 1-3

• Command Help, page 1-4

• Filtering show Command Output, page 1-4

• Command Output Paging, page 1-5

• Adding Comments, page 1-5

• Text Configuration Files, page 1-6

Note The CLI uses similar syntax and other conventions to the Cisco IOS CLI, but the FWSM operating system is not a version of Cisco IOS software. Do not assume that a Cisco IOS CLI command works with or has the same function on the FWSM.

Firewall Mode and Security Context Mode

The FWSM runs i