Table Of Contents
Understanding the Command-Line Interface
Command Prompts
Syntax Formatting
Abbreviating Commands
Command Line Editing
Filtering Show Command Output
Command Output Paging
Adding Comments
Text Configuration Files
How Commands Correspond with Lines in the Text File
Subcommands
Automatic Text Entries
Line Order
Commands Not Included in the Text Configuration
Passwords
Multiple Security Context Files
Command Help
Understanding the Command-Line Interface
This appendix includes the following topics, which describe how to use the command-line interface (CLI) on the Firewall Services Module (FWSM):
• Command Prompts
• Syntax Formatting
• Abbreviating Commands
• Command Line Editing
• Filtering Show Command Output
• Command Output Paging
• Adding Comments
• Text Configuration Files
• Command Help
Note
The CLI uses similar syntax and other conventions to the Cisco IOS CLI, but the FWSM operating system is not a version of Cisco IOS software. Do not assume that a Cisco IOS CLI command works or has the same function with the FWSM.
Command Prompts
When you are in the system configuration or in single context mode, the prompt begins with the host name:
When you are within a context, the prompt begins with the host name followed by the context name:
The prompt changes depending on the access mode:
• Unprivileged mode:
• Privileged mode, accessible by entering the enable command:
• Configuration mode, accessible by entering the configure terminal command:
• Subcommand mode, accessible when you enter a command that places you in a subcommand mode, such as class or interface:
Syntax Formatting
Command syntax descriptions use the following conventions:
Table C-1
Convention | Description
bold | Bold text indicates commands and keywords that you enter literally as shown.
italics | Italic text indicates arguments for which you supply values.
[x] | Square brackets enclose an optional element (keyword or argument).
| (vertical bar) | A vertical line indicates a choice within an optional or required set of keywords or arguments.
[x | y] | Square brackets enclosing keywords or arguments separated by a vertical line indicate an optional choice.
{x | y} | Braces enclosing keywords or arguments separated by a vertical line indicate a required choice.
[x {y | z}] | Nested sets of square brackets or braces indicate optional or required choices within optional or required elements. Braces and a vertical line within square brackets indicate a required choice within an optional element.
Abbreviating Commands
You can abbreviate most commands down to the fewest unique characters for a command; for example, you can enter wr t to view the configuration instead of entering the full command write terminal, or you can enter en to start privileged mode and con te to start configuration mode. In addition, you can enter 0 to represent 0.0.0.0.
Command Line Editing
The FWSM uses the same command-line editing conventions as Cisco IOS software. You can view all previously entered commands with the show history command or individually with the up arrow or ^p command. Once you have examined a previously entered command, you can move forward in the list with the down arrow or ^n command. When you reach a command you wish to reuse, you can edit it or press the Enter key to start it. You can also delete the word to the left of the cursor with ^w, or erase the line with ^u.
The FWSM permits up to 512 characters in a command; additional characters are ignored.
Filtering Show Command Output
You can use the "pipe" operator (|) with any show command and include a filter option and filtering expression. The filtering is performed by matching each output line with a regular expression, similar to Cisco IOS software. By selecting different filter options you can include or exclude all output that matches the expression. You can also display all output beginning with the line that matches the expression.
The syntax for using filtering options with the show command is as follows:
show command | {include | exclude | begin | grep [-v]} regexp
In this command string, the first vertical bar (|) is the pipe operator and must be included in the command. This operator directs the output of the show command to the filter. In the syntax diagram, the other vertical bars (|) indicate alternative options and are not part of the command.
The include option includes all output lines that match the regular expression. The grep option without -v has the same effect. The exclude option excludes all output lines that match the regular expression. The grep option with -v has the same effect. The begin option shows all the output lines starting with the line that matches the regular expression.
Replace regexp with any Cisco IOS regular expression. The regular expression is not enclosed in quotes or double-quotes, so be careful with trailing white spaces, which will be taken as part of the regular expression.
When creating regular expressions, you can use any letter or number that you want to match. In addition, certain keyboard characters have special meaning when used in regular expressions. Table C-2 lists the keyboard characters that have special meaning.
Table C-2 Using Special Characters in Regular Expressions
Character Type | Character | Special Meaning
period | . | Matches any single character, including white space.
asterisk | * | Matches 0 or more sequences of the pattern.
plus sign | + | Matches 1 or more sequences of the pattern.
caret | ^ | Matches the beginning of the input string.
dollar sign | $ | Matches the end of the input string.
underscore | _ | Matches a comma (,), left brace ({), right brace (}), left parenthesis, right parenthesis, the beginning of the input string, the end of the input string, or a space.
brackets | [] | Designates a range of single-character patterns.
hyphen | - | Separates the end points of a range.
parentheses | () | (Border Gateway Protocol (BGP) specific) Designates a group of characters as the name of a confederation.
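As an added example that is not part of the Cisco documentation, the following Python models the show-command filter semantics described above (include, exclude, begin, grep and grep -v) over constructed sample output, including the FWSM-specific meaning of the underscore from Table C-2 and the trailing-space caveat. The sample output lines are constructed, not captured from a real FWSM.

```python
import re

# Constructed sample show output (not captured from a real FWSM).
SAMPLE_OUTPUT = """\
access-list outside_in line 1 extended permit tcp any host 10.1.1.10 eq 443
access-list outside_in line 2 extended deny ip any any
interface Vlan100
 nameif outside
 security-level 0
interface Vlan200
 nameif inside
 security-level 100
"""


def cisco_to_python_regex(regexp):
    """Rewrite the FWSM-specific '_' metacharacter for Python's re.

    Per Table C-2, '_' matches a comma, brace, parenthesis, space, or the
    beginning or end of the input string. A bare '_' outside a bracket
    expression becomes an equivalent alternation; everything else passes
    through unchanged.
    """
    out, in_class = [], False
    for ch in regexp:
        if ch == "[":
            in_class = True
        elif ch == "]":
            in_class = False
        out.append(r"(?:^|$|[,{}() ])" if ch == "_" and not in_class else ch)
    return "".join(out)


def filter_show_output(text, option, regexp):
    """Apply 'show ... | option regexp' filtering to text.

    option is include, exclude, begin, grep or "grep -v". The regexp is
    used exactly as typed: a trailing space is part of the pattern, as
    on the real CLI, so "inside " does not match a line ending in "inside".
    """
    pattern = re.compile(cisco_to_python_regex(regexp))
    lines = text.splitlines()
    if option in ("include", "grep"):
        return [ln for ln in lines if pattern.search(ln)]
    if option in ("exclude", "grep -v"):
        return [ln for ln in lines if not pattern.search(ln)]
    if option == "begin":
        for i, ln in enumerate(lines):
            if pattern.search(ln):
                return lines[i:]  # this line and everything after it
        return []
    raise ValueError("unknown filter option: %r" % option)
```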
Command Output Paging
For commands such as help or ?, show, show xlate, or other commands that produce long listings, you can determine whether the output pauses after each screen or runs to completion. The pager command lets you choose the number of lines to display before the More prompt appears.
When paging is enabled, the following prompt appears:
The More prompt uses syntax similar to the UNIX more command:
• To view another screen, press the Space bar.
• To view the next line, press the Enter key.
• To return to the command line, press the q key.
Adding Comments
You can precede a line with a colon ( : ) to create a comment. However, the comment only appears in the command history buffer and not in the configuration. Therefore, you can view the comment with the show history command or by pressing an arrow key to retrieve a previous command, but because the comment is not in the configuration, the write terminal command does not display it.
Text Configuration Files
This section describes how to format a text configuration file that you can download to the FWSM, and includes the following topics:
• How Commands Correspond with Lines in the Text File
• Subcommands
• Automatic Text Entries
• Commands Not Included in the Text Configuration
• Passwords
• Multiple Security Context Files
To download the file, see the "Downloading a Text Configuration" section.
How Commands Correspond with Lines in the Text File
The text configuration file includes lines that correspond with the commands described in this guide and in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference.
In most cases, commands described in this guide are preceded by a CLI prompt. The prompt in the following example is "FWSM(config)#":
In the text configuration file you are not prompted to enter commands, so the prompt is omitted:
Subcommands
Subcommands appear indented under the main command when entered at the command line. Your text file lines do not need to be indented, as long as the subcommands appear directly following the main command. For example, the following unindented text is read the same as indented text:
Automatic Text Entries
When you download a configuration to the FWSM, the FWSM inserts some lines automatically. For example, the FWSM inserts lines for default settings or for the time the configuration was modified. You do not need to enter these automatic entries when you create your text file.
Line Order
For the most part, commands can be in any order in the file. However, some lines, such as access control entries (ACEs), are processed in the order they appear, and the order can affect the function of the access control list (ACL). Other commands might also have order requirements. For example, you must enter the nameif command for an interface before you assign an IP address to it because many subsequent commands use the name of the interface. Also, subcommands must directly follow the main command.
Commands Not Included in the Text Configuration
Some commands do not insert lines in the configuration. For example, a runtime command such as show config does not have a corresponding line in the text file. Commands that you might expect to have entries but do not are noted in this guide, such as activation key or mode multiple.
Passwords
The login, enable, and user passwords are automatically encrypted before they are stored in the configuration. For example, the encrypted form of the password "letmein" might look like jMorNbK0514fadBh. You can copy the configuration passwords to another FWSM in their encrypted form, but you cannot unencrypt the passwords yourself.
If you enter an unencrypted password in a text file, the FWSM does not automatically encrypt it when you copy the configuration to the FWSM. The FWSM only encrypts passwords when you save the running configuration from the command line using the copy running-config startup-config or write memory command.
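As an added example that is not part of the Cisco documentation, this Python check scans a constructed text configuration for password lines that carry no encrypted marker, so that clear-text passwords can be caught before the file is downloaded to the FWSM. The enable password, passwd and username ... password command forms with a trailing encrypted keyword are assumed PIX-style syntax; this appendix does not show them.

```python
import re

# Constructed sample text configuration (not a real FWSM config). The
# "encrypted" keyword form is assumed from PIX-style syntax and is not
# shown in this appendix; the encrypted value on line 2 is the one the
# appendix uses as an illustration.
SAMPLE_CONFIG = """\
hostname fwsm-edge
enable password jMorNbK0514fadBh encrypted
passwd letmein
username ops password 5tH9z1qWe8rTyUi encrypted privilege 15
username audit password plaintextpw
"""

# Commands assumed to carry a password as their first argument.
PASSWORD_COMMANDS = re.compile(
    r"^(?:enable password|passwd|username \S+ password)\s+(\S+)(.*)$")


def find_cleartext_passwords(config_text):
    """Return (line_number, command) for every password line that is not
    marked 'encrypted'.

    Such a password stays in clear text on the FWSM after a download
    until the running configuration is saved with write memory or
    copy running-config startup-config.
    """
    findings = []
    for num, line in enumerate(config_text.splitlines(), start=1):
        stripped = line.strip()
        m = PASSWORD_COMMANDS.match(stripped)
        if m and "encrypted" not in m.group(2).split():
            findings.append((num, stripped.split()[0]))
    return findings
```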
Multiple Security Context Files
For multiple security contexts, the entire configuration consists of multiple parts:
• The security context configurations
• The system configuration, which identifies basic settings for the FWSM, including a list of contexts
• The admin context, which provides network interfaces for the system configuration
The system configuration does not include any interfaces or network settings for itself. Rather, when the system needs to access network resources (such as downloading the contexts from the server), it uses a context that is designated as the admin context.
Each context is similar to a single context mode configuration. The system configuration differs from a context configuration in that the system configuration includes system-only commands (such as a list of all contexts) while other typical commands are not present (such as many interface parameters).
See Chapter 5 "Managing Security Contexts," for more information about contexts.
Command Help
Help information is available from the command line by entering help or a question mark to list all commands, or after a command to list command syntax; for example, arp ?.
The number of commands listed when you use the question mark or help command differs by access mode: unprivileged mode offers the fewest commands and configuration mode offers the greatest number of commands.
In addition, you can enter any command by itself on the command line and then press Enter to view the command syntax.