-
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference, 4.0
-
About This Guide
-
Using the Command Line Interface
- A through B Commands
- C Commands
- D through F Commands
- G through I Commands
- J through L Commands
- M through O Commands
- P though R Commands
-
S Commands
-
same-security-traffic -- show asdm sessions
-
show asp drop -- show curpriv
-
show debug -- show ipv6 traffic
-
show isakmp sa -- show route
-
show running-config -- show running-config isakmp
-
show running-config logging -- show running-config vpn-sessiondb
-
show service-policy -- show xlate
-
shun -- sysopt uauth allow-http-cache
-
- T through Z Commands
-
Feedback
Table Of Contents
interface through issuer-name Commands
ip nbar protocol-tagging (IOS)
interface through issuer-name Commands
interface
To add an interface to the configuration and enter interface configuration mode, use the interface command in global configuration mode.
interface {vlan <n> | mapped_name}
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
In multimode in the system, you can allocate interfaces to context which allows the FWSM to add them; you do not need to manually add interfaces. Similarly, if you assign a VLAN to the failover or state link, the interface command is added automatically.
In single mode, you need to enter the interface command for a given VLAN, to set parameters for it.
In interface configuration mode, you can assign a name, assign a VLAN, assign an IP address, and configure many other settings. If you add an interface for a VLAN that is not yet assigned to the FWSM by the switch, the interface will be in the down state. When you assign the VLAN to the FWSM, the interface changes to an up state. See the show interface command for more information about interface states.
When you assign a VLAN to a context using the allocate-interface command, the FWSM automatically adds the interface to the system configuration, if it is not already present. For example, when you allocate `VLAN 100' to a context, the interface vlan 100 command is added to the system configuration.
The failover lan interface interface_name vlan vlan command specifies the interface name and the VLAN used for communication between the active and the standby modules to determine the operating status of each module.
The failover link interface_name [vlan vlan] command specifies the interface name and VLAN for the stateful failover interface. The link passes all protocol state information between the active and the standby for stateful failover.
Examples
The following example shows how to enter the interface configuration mode:
fwsm(config)# interface vlan22fwsm(config-if)# shutdownRelated Commands
interface bvi
To configure the bridge virtual interface for a bridge group, use the interface bvi command in global configuration mode. To remove the bridge virtual interface configuration, use the no form of this command. Use this command to enter interface configuration mode so you can configure a management IP address for the bridge group.
interface bvi bridge_group_number
no interface bvi bridge_group_number
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
—
•
•
•
—
Command History
Usage Guidelines
A transparent firewall connects the same network on its inside and outside interfaces. Each pair of interfaces belongs to a bridge group, to which you must assign a management IP address. Each bridge group connects to a separate network. Bridge group traffic is isolated from other bridge groups; traffic is not routed to another bridge group within the FWSM, and traffic must exit the FWSM before it is routed by an external router back to another bridge group in the FWSM.
Assign each interface to a bridge group using the interface vlan command, and then the bridge-group command. Use the interface bvi command, and then the ip address command to configure the management IP address for the bridge group. The management IP address is required because the FWSM uses this address as the source address for traffic originating on the FWSM, such as system messages or communications with AAA servers. You can also use this address for remote management access.
Examples
The following example assigns VLANs 300 and 301 to bridge group 1, then sets the management address and standby address of bridge group 1:
hostname(config)# interface vlan 300hostname(config-if)# nameif insidehostname(config-if)# security-level 100hostname(config-if)# bridge-group 1hostname(config-if)# interface vlan 301hostname(config-if)# nameif outsidehostname(config-if)# security-level 0hostname(config-if)# bridge-group 1hostname(config-if)# interface bvi 1hostname(config-if)# ip address 10.1.3.1 255.255.255.0 standby 10.1.3.2Related Commands
interface-policy
To specify the policy for failover when monitoring detects an interface failure, use the interface-policy command in failover group configuration mode. To restore the default values, use the no form of this command.
interface-policy num[%]
no interface-policy num[%]
Syntax Description
num
Specifies a number from 1 to 100 when used as a percentage, or 1 to the maximum number of interfaces.
%
(Optional) Specifies that the number num is a percentage of the monitored interfaces.
Defaults
If the failover interface-policy command is configured for the unit, then the default for the interface-policy failover group command assumes that value. If not, then num is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Failover group configuration
•
•
—
—
•
Command History
Usage Guidelines
There is no space between the num argument and the optional % keyword.
If the number of failed interfaces meets the configured policy and the other FWSM is functioning properly, the FWSM will mark itself as failed and a failover may occur (if the active FWSM is the one that fails). Only interfaces that are designated as monitored by the monitor-interface command count towards the policy.
Examples
The following partial example shows a possible configuration for a failover group:
hostname(config)# failover group 1hostname(config-fover-group)# primaryhostname(config-fover-group)# preempt 100hostname(config-fover-group)# interface-policy 25%hostname(config-fover-group)# exithostname(config)#Related Commands
ip address
To set the IP address for an interface (in routed mode) or the management address for a bridge group (transparent mode), use the ip address command in interface configuration mode. For routed mode, enter interface configuration mode for the VLAN ID (the interface command). For transparent mode, enter interface configuration mode for the bridge group (the interface bvi command). To remove the IP address, use the no form of this command. This command also sets the standby address for failover.
ip address ip_address [mask] [standby ip_address]
no ip address [ip_address]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
•
•
•
—
Command History
2.2(1)
This command was introduced.
3.1(1)
This command was changed from a global configuration command to an interface configuration mode command.
Usage Guidelines
In single context routed firewall mode, each interface address must be on a unique subnet. In multiple context mode, if this interface is on a shared interface, then each IP address must be unique but on the same subnet. If the interface is unique, this IP address can be used by other contexts if desired.
In transparent firewall mode, each pair of interfaces belongs to a bridge group, to which you must assign a management IP address. Each bridge group connects to a separate network. The management IP address is required because the FWSM uses this address as the source address for traffic originating on the FWSM, such as system messages or communications with AAA servers. You can also use this address for remote management access. This address must be on the same subnet as the upstream and downstream routers. The FWSM does not support traffic on secondary networks; only traffic on the same network as the management IP address is supported.
Examples
The following example sets the IP addresses and standby addresses of two interfaces:
hostname(config)# interface vlan 100hostname(config-if)# nameif insidehostname(config-if)# security-level 100hostname(config-if)# ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2hostname(config-if)# interface vlan 200hostname(config-if)# nameif outsidehostname(config-if)# security-level 0hostname(config-if)# ip address 10.1.2.1 255.255.255.0 standby 10.1.2.2The following transparent firewall example assigns VLANs 300 and 301 to bridge group 1, then sets the management address and standby address of bridge group 1:
hostname(config)# interface vlan 300hostname(config-if)# nameif insidehostname(config-if)# security-level 100hostname(config-if)# bridge-group 1hostname(config-if)# interface vlan 301hostname(config-if)# nameif outsidehostname(config-if)# security-level 0hostname(config-if)# bridge-group 1hostname(config-if)# interface bvi 1hostname(config-if)# ip address 10.1.3.1 255.255.255.0 standby 10.1.3.2Related Commands
ip local pool
To configure IP address pools to be used for VPN remote access tunnels, use the ip local pool command in global configuration mode. To delete address pools, use the no form of this command.
ip local pool poolname first-address—last-address [mask mask]
no ip local pool poolname
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
You must supply the mask value when the IP addresses assigned to VPN clients belong to a non-standard network and the data could be routed incorrectly if you use the default mask. A typical example is when the IP local pool contains 10.10.10.0/255.255.255.0 addresses, since this is a Class A network by default. This could cause some routing issues when the VPN client needs to access different subnets within the 10 network over different interfaces. For example, if a printer, address 10.10.100.1/255.255.255.0 is available via interface 2, but the 10.10.10.0 network is available over the VPN tunnel and therefore interface 1, the VPN client would be confused as to where to route data destined for the printer. Both the 10.10.10.0 and 10.10.100.0 subnets fall under the 10.0.0.0 Class A network so the printer data may be sent over the VPN tunnel.
Examples
The following example configures an IP address pool named firstpool. The starting address is 10.20.30.40 and the ending address is 10.20.30.50. The network mask is 255.255.255.0.
hostname(config)# ip local pool firstpool 10.20.30.40-10.20.30.50 mask 255.255.255.0Related Commands
ip verify reverse-path
To enable Unicast RPF, use the ip verify reverse-path command in global configuration mode. To disable this feature, use the no form of this command.
ip verify reverse-path interface interface_name
no ip verify reverse-path interface interface_name
Syntax Description
Defaults
This feature is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
•
—
Command History
Usage Guidelines
Unicast RPF guards against IP spoofing (a packet uses an incorrect source IP address to obscure its true source) by ensuring that all packets have a source IP address that matches the correct source interface according to the routing table.
Normally, the FWSM only looks at the destination address when determining where to forward the packet. Unicast RPF instructs the FWSM to also look at the source address; this is why it is called Reverse Path Forwarding. For any traffic that you want to allow through the FWSM, the FWSM routing table must include a route back to the source address. See RFC 2267 for more information.
For outside traffic, for example, the FWSM can use the default route to satisfy the Unicast RPF protection. If traffic enters from an outside interface, and the source address is not known to the routing table, the FWSM uses the default route to correctly identify the outside interface as the source interface.
If traffic enters the outside interface from an address that is known to the routing table, but is associated with the inside interface, then the FWSM drops the packet. Similarly, if traffic enters the inside interface from an unknown source address, the FWSM drops the packet because the matching route (the default route) indicates the outside interface.
Unicast RPF is implemented as follows:
•
•
Examples
The following example enables Unicast RPF on the outside interface:
hostname(config)# ip verify reverse-path interface outsideRelated Commands
ip-address
To include the FWSM IP address in the certificate during enrollment, use the ip-address command in crypto ca trustpoint configuration mode. To restore the default setting, use the no form of this command.
ip-address ip-address
no ip-address
Syntax Description
Defaults
The default setting is to not include the IP address.
Command Modes
The following table shows the modes in which you can enter the command:
Crypto ca trustpoint configuration
•
•
•
•
—
Command History
Examples
The following example enters crypto ca trustpoint configuration mode for trustpoint central, and includes the FWSM IP address in the enrollment request for trustpoint central:
hostname(config)# crypto ca trustpoint centralhostname(ca-trustpoint)# ip-address 209.165.200.225Related Commands
crypto ca trustpoint
Enters trustpoint configuration mode.
default enrollment
Returns enrollment parameters to their defaults.
ip-address-privacy
To enable the IP Address Privacy feature, use the ip-address-privacy command in sip map configuration mode. To disable IP Address Privacy, use the no form of this command.
ip-address-privacy
no ip-address-privacy
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Sip map configuration
•
•
•
•
—
Command History
Usage Guidelines
When IP Address Privacy is enabled, if any two SIP endpoints participating in an IP phone call or instant messaging session use the same internal firewall interface to contact their SIP proxy server on an external firewall interface, all SIP signaling messages go through the SIP proxy server.
IP Address Privacy can be enabled when SIP over TCP or UDP application inspection is enabled. By default, this feature is disabled. If IP Address Privacy is enabled, the FWSM does not translate internal and external host IP addresses embedded in the TCP or UDP payload of inbound SIP traffic, ignoring translation rules for those IP addresses.
Examples
The following example shows how to identify SIP traffic, define a SIP map, define a policy, and apply the policy to the outside interface.
hostname(config)# access-list sip-acl permit tcp any any eq 5060hostname(config)# class-map sip-porthostname(config-cmap)# match access-list sip-aclhostname(config-cmap)# sip-map inbound_siphostname(config-sip-map)# ip-address-privacyhostname(config-sip-map)# policy-map S1_policyhostname(config-pmap)# class sip-porthostname(config-pmap-c)# inspect sip s1_policyRelated Commands
ip-comp
To enable LZS IP compression, use the ip-comp enable command in group-policy configuration mode. To disable IP compression, use the ip-comp disable command.T o remove the ip-comp attribute from the running configuration, use the no form of this command. This enables inheritance of a value from another group policy.
ip-comp {enable | disable}
no ip-comp
Syntax Description
Defaults
IP compression is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy configuration
•
—
•
—
—
Command History
Usage Guidelines
Enabling data compression might speed up data transmission rates for remote dial-in users connecting with modems.
Caution
Examples
The following example shows how to enable IP compression for the group policy named "FirstGroup":
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# ip-comp enableip nbar protocol-tagging (IOS)
If you use Programmable Intelligent Services Accelerator (PISA) integration with the FWSM, then to enable the PISA to tag packets with an application type using GRE, use the ip nbar protocol-tagging command in interface configuration mode. To disable tagging, use the no form of this command.
Note
ip nbar protocol-tagging [vlan-list vlan_list]
no ip nbar protocol-tagging [vlan-list vlan_list]
Syntax Description
Defaults
No default behavior or values.
Command Modes
Interface configuration.
Command History
Usage Guidelines
Before you enable protocol tagging, you must enable classification using the ip nbar protocol-discovery command. See the Cisco IOS documentation for more information about NBAR classification.
The PISA on the switch supervisor can quickly determine the application type of a given flow by performing deep packet inspection. This determination can be made even if the traffic is not using standard ports. The FWSM can leverage the high-performance deep packet inspection of the PISA card so that it can permit or deny traffic based on the application type. Unlike the FWSM inspection feature, which passes through the control plane path, traffic that the PISA tags can pass through the FWSM accelerated path. Another benefit of FWSM and PISA integration is to consolidate your security configuration on a single FWSM instead of having to configure multiple upstream switches with PISAs installed.
You might want to deny certain types of application traffic when you want to preserve bandwidth for critical application types. For example, you might deny the use of peer-to-peer (P2P) applications if they are affecting your other critical applications.
After the PISA identifies the application used by a given traffic flow, it encapsulates all packets using GRE and includes a tag informing the FWSM of the application type. In addition, an outer IP header almost identical (except for the Layer 4 protocol, which now indicates GRE) to the inner/original IP header is added. The original Layer 2 header is maintained. This preserves the original routing/switching paths for the modified packet. The GRE encapsulation adds 32 bytes (20 bytes for the outer IP header and 12 bytes for the GRE header).
After the FWSM receives the packet and acts on the information, it strips the GRE encapsulation from the packet.
When you configure the FWSM to deny traffic based on the PISA encapsulation, for the VLAN on which that traffic resides, the PISA encapsulates all traffic (including traffic that you did not specify for denial).
The GRE encapsulation increases the packet size slightly, so you should increase the MTU between the PISA and the FWSM according to the Cisco IOS mtu and system jumbomtu commands.
The GRE encapsulation causes a slight performance impact for PISA traffic sent to the FWSM.
Note
Examples
The following example enables protocol discovery and tagging on an SVI:
Router(config)# interface vlan 100Router(config-if)# ip nbar protocol-discovery! enables discoveryRouter(config-if)# ip nbar protocol-tagging! enables taggingRouter(config-if)# mtu 9216! Allows packet sizes up to 9216 bytes without fragmentingThe following example enables protocol discovery and tagging on uplink port GigabitEthernet 6/1:
Router(config)# interface gigabitethernet 6/1Router(config-if)# ip nbar protocol-discovery! ClassificationRouter(config-if)# ip nbar protocol-tagging vlan-list 100! TaggingRouter(config-if)# mtu 9216! Allow packet size up to 9216 bytes without fragmentingRouter(config)# system jumbomtu 9216! Set global LAN port MTU to 9216 bytesRelated Commands
ip-phone-bypass
To enable IP Phone Bypass, use the ip-phone-bypass enable command in group-policy configuration mode. To disable IP Phone Bypass, use the ip-phone-bypass disable command. To remove the IP Phone Bypass attribute from the running configuration, use the no form of this command. This option allows inheritance of a value for IP Phone Bypass from another group policy.
ip-phone-bypass {enable | disable}
no ip-phone-bypass
Syntax Description
Defaults
IP Phone Bypass is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy configuration
•
—
•
—
—
Command History
Usage Guidelines
IP Phone Bypass lets IP phones behind hardware clients connect without undergoing user authentication processes. If enabled, secure unit authentication remains in effect.
You need to configure IP Phone Bypass only if you have enabled user authentication.
Examples
The following example shows how to enable IP Phone Bypass. for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# ip-phone-bypass enableRelated Commands
user-authentication
Requires users behind a hardware client to identify themselves to the FWSM before connecting.
ipsec-udp
To enable IPSec over UDP, use the ipsec-udp enable command in group-policy configuration mode. To disable IPSec over UDP, use the ipsec-udp disable command. To remove the IPSec over UDP attribute from the running configuration, use the no form of this command. This enables inheritance of a value for IPSec over UDP from another group policy.
ipsec-udp {enable | disable}
no ipsec-udp
Syntax Description
Defaults
IPSec over UDP is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy configuration
•
—
•
—
—
Command History
Usage Guidelines
IPSec over UDP, sometimes called IPSec through NAT, lets a Cisco VPN client or hardware client connect via UDP to a FWSM that is running NAT.
To use IPSec over UDP, you must also configure the ipsec-udp-port command.
The Cisco VPN client must also be configured to use IPSec over UDP (it is configured to use it by default). The VPN 3002 requires no configuration to use IPSec over UDP.
IPSec over UDP is proprietary, it applies only to remote-access connections, and it requires mode configuration, means the FWSM exchanges configuration parameters with the client while negotiating SAs.
Using IPSec over UDP may slightly degrade system performance.
Examples
The following example shows how to set IPSec over UDP for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# ipsec-udp enableRelated Commands
ipsec-udp-port
To set a UDP port number for IPSec over UDP, use the ipsec-udp-port command in group-policy configuration mode. To disable the UDP port, use the no form of this command. This enables inheritance of a value for the IPSec over UDP port from another group policy.
ipsec-udp-port port
no ipsec-udp-port
Syntax Description
Defaults
The default port is 10000.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy configuration
•
—
•
—
—
Command History
Usage Guidelines
In IPSec negotiations. the FWSM listens on the configured port and forwards UDP traffic for that port even if other filter rules drop UDP traffic.
You can configure multiple group policies with this feature enabled, and each group policy can use a different port number.
Examples
The following example shows how to set an IPSec UDP port to port 4025 for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# ipsec-udp-port 4025Related Commands
ipsec-udp
Lets a Cisco VPN client or hardware client connect via UDP to a FWSM that is running NAT.
ipv6 access-list
To configure an IPv6 access list, use the ipv6 access-list command in global configuration mode. To remove an ACE, use the no form of this command. Access lists define the traffic that the FWSM allows to pass through or blocks.
ipv6 access-list id [line line-num] {deny | permit} {protocol | object-group protocol_obj_grp_id} {source-ipv6-prefix/prefix-length | any | host source-ipv6-address | object-group network_obj_grp_id} [operator {port [port] | object-group service_obj_grp_id}] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | object-group network_obj_grp_id} [{operator port [port] | object-group service_obj_grp_id}] [log [[level] [interval secs] | disable | default]]
no ipv6 access-list id [line line-num] {deny | permit} {protocol | object-group protocol_obj_grp_id} {source-ipv6-prefix/prefix-length | any | host source-ipv6-address | object-group network_obj_grp_id} [operator {port [port] | object-group service_obj_grp_id}] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | object-group network_obj_grp_id} [{operator port [port] | object-group service_obj_grp_id}] [log [[level] [interval secs] | disable | default]]
ipv6 access-list id [line line-num] {deny | permit} icmp6 {source-ipv6-prefix/prefix-length | any | host source-ipv6-address | object-group network_obj_grp_id} {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | object-group network_obj_grp_id} [icmp_type | object-group icmp_type_obj_grp_id] [log [[level] [interval secs] | disable | default]]
no ipv6 access-list id [line line-num] {deny | permit} icmp6 {source-ipv6-prefix/prefix-length | any | host source-ipv6-address | object-group network_obj_grp_id} {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | object-group network_obj_grp_id} [icmp_type | object-group icmp_type_obj_grp_id] [log [[level] [interval secs] | disable | default]]
Syntax Description
Defaults
When the log keyword is specified, the default level for syslog message 106100 is 6 (informational).
The default logging interval is 300 seconds.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
•
—
Command History
Usage Guidelines
The ipv6 access-list command lets you specify if an IPv6 address is permitted or denied access to a port or protocol. Each command is called an ACE. One or more ACEs with the same access list name are referred to as an access list. Apply an access list to an interface using the access-group command.
The FWSM denies all packets from an outside interface to an inside interface unless you specifically permit access using an access list. All packets are allowed by default from an inside interface to an outside interface unless you specifically deny access.
The ipv6 access-list command is similar to the access-list command, except that it is IPv6-specific. For additional information about access lists, see the access-list extended command.
The ipv6 access-list icmp command is used to filter ICMPv6 messages that pass through the FWSM.To configure the ICMPv6 traffic that is allowed to originate and terminate at a specific interface, use the ipv6 icmp command.
Refer to the object-group command for information on how to configure object groups.
Examples
The following example will allow any host using TCP to access the 3001:1::203:A0FF:FED6:162D server:
hostname(config)# ipv6 access-list acl_grp permit tcp any host 3001:1::203:A0FF:FED6:162DThe following example uses eq and a port to deny access to just FTP:
hostname(config)# ipv6 access-list acl_out deny tcp any host 3001:1::203:A0FF:FED6:162D eq ftphostname(config)# access-group acl_out in interface insideThe following example uses lt to permit access to all ports less than port 2025, which permits access to the well-known ports (1 to 1024):
hostname(config)# ipv6 access-list acl_dmz1 permit tcp any host 3001:1::203:A0FF:FED6:162D lt 1025hostname(config)# access-group acl_dmz1 in interface dmz1Related Commands
ipv6 access-list remark
To add a remark to an IPv6 access list, use the ipv6 access-list remark command in global configuration mode. To delete the remark, use the no form of this command.
ipv6 access-list id [line line-num] remark text
no ipv6 access-list id [line line-num] remark [text]
Syntax Description
id
The name of an IPv6 access list.
line line-num
(Optional) The line number at which to insert the remark.
remark text
The text of the remark.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global Configuration
•
—
•
•
—
Command History
Usage Guidelines
The remark text can be up to 100 characters in length, including spaces and punctuation. If you enter more than 100 characters, the remark is truncated at the 100th character. The remark text must contain at least 1 non-space character; you cannot enter an empty remark. You can enter more than one remark for each access list.
You cannot use the access-group command on an ACL that includes a remark only.
Examples
The following example shows how to specify the text of the remark to add before or after an ipv6 access-list command:
hostname(config)# ipv6 access-list example remark this access list should not be usedRelated Commands
ipv6 address
To enable IPv6 and configure the IPv6 addresses on an interface, use the ipv6 address command in interface configuration mode. To remove the IPv6 addresses, use the no form of this command.
ipv6 address {autoconfig | ipv6-prefix/prefix-length [eui-64] | ipv6-address link-local}
no ipv6 address {autoconfig | ipv6-prefix/prefix-length [eui-64] | ipv6-address link-local}
Syntax Description
Defaults
IPv6 is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
•
—
Command History
Usage Guidelines
Configuring an IPv6 address on an interface enables IPv6 on that interface; you do not need to use the ipv6 enable command after specifying an IPv6 address.
The ipv6 address autoconfig command is used to enable automatic configuration of IPv6 addresses on an interface using stateless autoconfiguration. The addresses are configured based on the prefixes received in Router Advertisement messages. If a link-local address has not been configured, then one is automatically generated for this interface. An error message is displayed if another host is using the link-local address.
The ipv6 address eui-64 command is used to configure an IPv6 address for an interface. If the optional eui-64 is specified, the EUI-64 interface ID will be used in the low order 64 bits of the address. If the value specified for the prefix-length argument is greater than 64 bits, the prefix bits have precedence over the interface ID. An error message will be displayed if another host is using the specified address.
The Modified EUI-64 format interface ID is derived from the 48-bit link-layer (MAC) address by inserting the hex number FFFE between the upper three bytes (OUI field) and the lower 3 bytes (serial number) of the link layer address. To ensure the chosen address is from a unique Ethernet MAC address, the next-to-lowest order bit in the high-order byte is inverted (universal/local bit) to indicate the uniqueness of the 48-bit address. For example, an interface with a MAC address of 00E0.B601.3B7A would have a 64 bit interface ID of 02E0:B6FF:FE01:3B7A.
The ipv6 address link-local command is used to configure an IPv6 link-local address for an interface. The ipv6-address specified with this command overrides the link-local address that is automatically generated for the interface. The link-local address is composed of the link-local prefix FE80::/64 and the interface ID in Modified EUI-64 format. An interface with a MAC address of 00E0.B601.3B7A would have a link-local address of FE80::2E0:B6FF:FE01:3B7A. An error message will be displayed if another host is using the specified address.
Examples
The following example assigns 3FFE:C00:0:1::576/64 as the global address for the selected interface:
hostname(config)# interface Vlan101hostname(config-subif)# ipv6 address 3ffe:c00:0:1::576/64The following example assigns an IPv6 address automatically for the selected interface:
hostname(config)# interface Vlan101hostname(config-subif)# ipv6 address autoconfigThe following example assigns IPv6 address 3FFE:C00:0:1::/64 to the selected interface and specifies an EUI-64 interface ID in the low order 64 bits of the address:
hostname(config)# interface Vlan101hostname(onfig-if)# ipv6 address 3FFE:C00:0:1::/64 eui-64The following example assigns FE80::260:3EFF:FE11:6670 as the link-level address for the selected interface:
hostname(config)# interface Vlan101hostname(config-subif)# ipv6 address FE80::260:3EFF:FE11:6670 link-localRelated Commands
debug ipv6 interface
Displays debug information for IPv6 interfaces.
show ipv6 interface
Displays the status of interfaces configured for IPv6.
ipv6 enable
To enable IPv6 processing on an interface that has not been configured with an explicit IPv6 address, use the ipv6 enable command in interface configuration mode. To disable IPv6 processing on an interface that has not been configured with an explicit IPv6 address, use the no form of this command.
ipv6 enable
no ipv6 enable
Syntax Description
This command has no arguments or keywords.
Defaults
IPv6 is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
•
—
Command History
Usage Guidelines
The ipv6 enable command automatically configures an IPv6 link-local unicast address on the interface while also enabling the interface for IPv6 processing.
The no ipv6 enable command does not disable IPv6 processing on an interface that is configured with an explicit IPv6 address.
Examples
The following example enables IPv6 processing on the selected interface:
hostname(config)# interface Vlan101hostname(config-subif)# ipv6 enableRelated Commands
ipv6 icmp
To configure ICMP access rules for an interface, use the ipv6 icmp command in global configuration mode. To remove an ICMP access rule, use the no form of this command.
ipv6 icmp {permit | deny} {ipv6-prefix/prefix-length | any | host ipv6-address} [icmp-type] if-name
no ipv6 icmp {permit | deny} {ipv6-prefix/prefix-length | any | host ipv6-address} [icmp-type] if-name
Syntax Description
Defaults
If no ICMP access rules are defined, all ICMP traffic is permitted.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
•
—
Command History
Usage Guidelines
ICMP in IPv6 functions the same as ICMP in IPv4. ICMPv6 generates error messages, such as ICMP destination unreachable messages and informational messages like ICMP echo request and reply messages. Additionally, ICMP packets in IPv6 are used in the IPv6 neighbor discovery process and path MTU discovery.
If there are no ICMP rules defined for an interface, all IPv6 ICMP traffic is permitted.
If there are ICMP rules defined for an interface, then the rules are processed in order on a first-match basis followed by an implicit deny all rule. For example, if the first matched rule is a permit rule, the ICMP packet is processed. If the first matched rule is a deny rule, or if the ICMP packet did not match any rule on that interface, then the FWSM discards the ICMP packet and generates a syslog message.
For this reason, the order that you enter the ICMP rules is important. If you enter a rule denying all ICMP traffic from a specific network, and then follow it with a rule permitting ICMP traffic from a particular host on that network, the host rule will never be processed. The ICMP traffic is blocked by the network rule. However, if you enter the host rule first, followed by the network rule, the host ICMP traffic will be allowed, while all other ICMP traffic from that network is blocked.
The ipv6 icmp command configures access rules for ICMP traffic that terminates at the FWSM interfaces. To configure access rules for pass-through ICMP traffic, refer to the ipv6 access-list command.
Examples
The following example denies all ping requests and permits all Packet Too Big messages (to support Path MTU Discovery) at the outside interface:
hostname(config)# ipv6 icmp deny any echo-reply outsidehostname(config)# ipv6 icmp permit any packet-too-big outsideThe following example permits host 2000:0:0:4::2 or hosts on prefix 2001::/64 to ping the outside interface:
hostname(config)# ipv6 icmp permit host 2000:0:0:4::2 echo-reply outsidehostname(config)# ipv6 icmp permit 2001::/64 echo-reply outsideRelated Commands
ipv6 nd dad attempts
To configure the number of consecutive neighbor solicitation messages that are sent on an interface during duplicate address detection, use the ipv6 nd dad attempts command in interface configuration mode. To return to the default number of duplicate address detection messages sent, use the no form of this command.
ipv6 nd dad attempts value
no ipv6 nd dad [attempts value]
Syntax Description
Defaults
The default number of attempts is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
•
—
Command History
Usage Guidelines
Duplicate address detection verifies the uniqueness of new unicast IPv6 addresses before the addresses are assigned to interfaces (the new addresses remain in a tentative state while duplicate address detection is performed). Duplicate address detection uses neighbor solicitation messages to verify the uniqueness of unicast IPv6 addresses. The frequency at which the neighbor solicitation messages are sent is configured using the ipv6 nd ns-interval command.
Duplicate address detection is suspended on interfaces that are administratively down. While an interface is administratively down, the unicast IPv6 addresses assigned to the interface are set to a pending state.
Duplicate address detection is automatically restarted on an interface when the interface returns to being administratively up. An interface returning to administratively up restarts duplicate address detection for all of the unicast IPv6 addresses on the interface.
Note
When duplicate address detection identifies a duplicate address, the state of the address is set to DUPLICATE and the address is not used. If the duplicate address is the link-local address of the interface, the processing of IPv6 packets is disabled on the interface and an error message similar to the following is issued:
%fwsm-4-DUPLICATE: Duplicate address FE80::1 on outsideIf the duplicate address is a global address of the interface, the address is not used and an error message similar to the following is issued:
%fwsm-4-DUPLICATE: Duplicate address 3000::4 on outsideAll configuration commands associated with the duplicate address remain as configured while the state of the address is set to DUPLICATE.
If the link-local address for an interface changes, duplicate address detection is performed on the new link-local address and all of the other IPv6 address associated with the interface are regenerated (duplicate address detection is performed only on the new link-local address).
Examples
The following example configures 5 consecutive neighbor solicitation messages to be sent when duplicate address detection is being performed on the tentative unicast IPv6 address of the interface:
hostname(config)# interface Vlan101hostname(config-subif)# ipv6 nd dad attempts 5The following example disables duplicate address detection on the selected interface:
hostname(config)# interface Vlan101hostname(config-subif)# ipv6 nd dad attempts 0Related Commands
ipv6 nd ns-interval
To configure the interval between IPv6 neighbor solicitation retransmissions on an interface, use the ipv6 nd ns-interval command in interface configuration mode. To restore the default value, use the no form of this command.
ipv6 nd ns-interval value
no ipv6 nd ns-interval [value]
Syntax Description
value
The interval between IPv6 neighbor solicitation transmissions, in milliseconds. Valid values range from 1000 to 3600000 milliseconds. The default value is 1000 milliseconds.
Defaults
1000 milliseconds between neighbor solicitation transmissions.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
•
—
Command History
Usage Guidelines
This value will be included in all IPv6 router advertisements sent out this interface.
Examples
The following example configures an IPv6 neighbor solicitation transmission interval of 9000 milliseconds for Vlan101:
hostname(config)# interface Vlan101hostname(config-subif)# ipv6 nd ns-interval 9000Related Commands
show ipv6 interface
Displays the usability status of interfaces configured for IPv6.
ipv6 nd prefix
To configure which IPv6 prefixes are included in IPv6 router advertisements, use the ipv6 nd prefix command in interface configuration mode. To remove the prefixes, use the no form of this command.
ipv6 nd prefix ipv6-prefix/prefix-length | default [[valid-lifetime preferred-lifetime] | [at valid-date preferred-date] | infinite | no-advertise | off-link | no-autoconfig]
no ipv6 nd prefix ipv6-prefix/prefix-length | default [[valid-lifetime preferred-lifetime] | [at valid-date preferred-date] | infinite | no-advertise | off-link | no-autoconfig]
Syntax Description
Defaults
All prefixes configured on interfaces that originate IPv6 router advertisements are advertised with a valid lifetime of 2592000 seconds (30 days) and a preferred lifetime of 604800 seconds (7 days), and with both the "onlink" and "autoconfig" flags set.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
•
—
Command History
Usage Guidelines
This command allows control over the individual parameters per prefix, including whether or not the prefix should be advertised.
By default, prefixes configured as addresses on an interface using the ipv6 address command are advertised in router advertisements. If you configure prefixes for advertisement using the ipv6 nd prefix command, then only these prefixes are advertised.
The default keyword can be used to set default parameters for all prefixes.
A date can be set to specify the expiration of a prefix. The valid and preferred lifetimes are counted down in real time. When the expiration date is reached, the prefix will no longer be advertised.
When onlink is "on" (by default), the specified prefix is assigned to the link. Nodes sending traffic to such addresses that contain the specified prefix consider the destination to be locally reachable on the link.
When autoconfig is "on" (by default), it indicates to hosts on the local link that the specified prefix can be used for IPv6 autoconfiguration.
Examples
The following example includes the IPv6 prefix 2001:200::/35, with a valid lifetime of 1000 seconds and a preferred lifetime of 900 seconds, in router advertisements sent out on the specified interface:
hostname(config)# interface Vlan101hostname(config-subif)# ipv6 nd prefix 2001:200::/35 1000 900Related Commands
ipv6 address
Configures an IPv6 address and enables IPv6 processing on an interface.
show ipv6 interface
Displays the usability status of interfaces configured for IPv6.
ipv6 nd ra-interval
To configure the interval between IPv6 router advertisement transmissions on an interface, use the ipv6 nd ra-interval command in interface configuration mode. To restore the default interval, use the no form of this command.
ipv6 nd ra-interval [msec] value
no ipv6 nd ra-interval [[msec] value]
Syntax Description
Defaults
200 seconds.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
•
—
Command History
Usage Guidelines
The interval between transmissions should be less than or equal to the IPv6 router advertisement lifetime if the FWSM is configured as a default router by using the ipv6 nd ra-lifetime command. To prevent synchronization with other IPv6 nodes, randomly adjust the actual value used to within 20 percent of the specified value.
Examples
The following example configures an IPv6 router advertisement interval of 201 seconds for the selected interface:
hostname(config)# interface Vlan101hostname(config-subif)# ipv6 nd ra-interval 201Related Commands
ipv6 nd ra-lifetime
Configures the lifetime of an IPv6 router advertisement.
show ipv6 interface
Displays the usability status of interfaces configured for IPv6.
ipv6 nd ra-lifetime
To configure the "router lifetime" value in IPv6 router advertisements on an interface, use the ipv6 nd ra-lifetime command in interface configuration mode. To restore the default value, use the no form of this command.
ipv6 nd ra-lifetime seconds
no ipv6 nd ra-lifetime [seconds]
Syntax Description
Defaults
1800 seconds.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
•
—
Command History
Usage Guidelines
The "router lifetime" value is included in all IPv6 router advertisements sent out the interface. The value indicates the usefulness of the FWSM as a default router on this interface.
Setting the value to a non-zero value to indicates that the FWSM should be considered a default router on this interface. The no-zero value for the "router lifetime" value should not be less than the router advertisement interval.
Setting the value to 0 indicates that the FWSM should not be considered a default router on this interface.
Examples
The following example configures an IPv6 router advertisement lifetime of 1801 seconds for the selected interface:
hostname(config)# interface Vlan101hostname(config-subif)# ipv6 nd ra-lifetime 1801Related Commands
ipv6 nd reachable-time
To configure the amount of time that a remote IPv6 node is considered reachable after a reachability confirmation event has occurred, use the ipv6 nd reachable-time command in interface configuration mode. To restore the default time, use the no form of this command.
ipv6 nd reachable-time value
no ipv6 nd reachable-time [value]
Syntax Description
value
The amount of time, in milliseconds, that a remote IPv6 node is considered reachable. Valid values range from 0 to 3600000 milliseconds. The default is 0.
Defaults
0 milliseconds.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
•
—
Command History
Usage Guidelines
The configured time enables detecting unavailable neighbors. Shorter configured times enable detecting unavailable neighbors more quickly; however, shorter times consume more IPv6 network bandwidth and processing resources in all IPv6 network devices. Very short configured times are not recommended in normal IPv6 operation.
Examples
The following example configures an IPv6 reachable time of 1700000 milliseconds for the selected interface:
hostname(config)# interface Vlan101hostname(config-subif)# ipv6 nd reachable-time 1700000Related Commands
show ipv6 interface
Displays the usability status of interfaces configured for IPv6.
ipv6 nd suppress-ra
To suppress IPv6 router advertisement transmissions on a LAN interface, use the ipv6 nd suppress-ra command in interface configuration mode. To reenable the sending of IPv6 router advertisement transmissions on a LAN interface, use the no form of this command.
ipv6 nd suppress-ra
no ipv6 nd suppress-ra
Syntax Description
This command has no arguments or keywords.
Defaults
Router advertisements are automatically sent on LAN interfaces if IPv6 unicast routing is enabled.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
•
—
Command History
Usage Guidelines
Use the no ipv6 nd suppress-ra command to enable the sending of IPv6 router advertisement transmissions on non-LAN interface types (for example serial or tunnel interfaces).
Examples
The following example suppresses IPv6 router advertisements on the selected interface:
hostname(config)# interface Vlan101hostname(config-subif)# ipv6 nd suppress-raRelated Commands
show ipv6 interface
Displays the usability status of interfaces configured for IPv6.
ipv6 neighbor
To configure a static entry in the IPv6 neighbor discovery cache, use the ipv6 neighbor command in global configuration mode. To remove a static entry from the neighbor discovery cache, use the no form of this command.
ipv6 neighbor ipv6_address if_name mac_address
no ipv6 neighbor ipv6_address if_name [mac_address]
Syntax Description
Defaults
Static entries are not configured in the IPv6 neighbor discovery cache.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
•
—
Command History
Usage Guidelines
The ipv6 neighbor command is similar to the arp command. If an entry for the specified IPv6 address already exists in the neighbor discovery cache—learned through the IPv6 neighbor discovery process—the entry is automatically converted to a static entry. These entries are stored in the configuration when the copy command is used to store the configuration.
Use the show ipv6 neighbor command to view static entries in the IPv6 neighbor discovery cache.
The clear ipv6 neighbors command deletes all entries in the IPv6 neighbor discovery cache except static entries. The no ipv6 neighbor command deletes a specified static entry from the neighbor discovery cache; the command does not remove dynamic entries—entries learned from the IPv6 neighbor discovery process—from the cache. Disabling IPv6 on an interface by using the no ipv6 enable command deletes all IPv6 neighbor discovery cache entries configured for that interface except static entries (the state of the entry changes to INCMP [Incomplete]).
Static entries in the IPv6 neighbor discovery cache are not modified by the neighbor discovery process.
Examples
The following example adds a static entry for the an inside host with an IPv6 address of 3001:1::45A and a MAC address of 0002.7D1A.9472 to the neighbor discovery cache:
hostname(config)# ipv6 neighbor 3001:1::45A inside 0002.7D1A.9472Related Commands
clear ipv6 neighbors
Deletes all entries in the IPv6 neighbor discovery cache, except static entries.
show ipv6 neighbor
Displays IPv6 neighbor cache information.
ipv6 route
To add an IPv6 route to the IPv6 routing table, use the ipv6 route command in global configuration mode. To remove an IPv6 default route, use the no form of this command.
ipv6 route if_name ipv6-prefix/prefix-length ipv6-address [administrative-distance]
no ipv6 route if_name ipv6-prefix/prefix-length ipv6-address [administrative-distance]
Syntax Description
Defaults
By default, the administrative-distance is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
•
—
Command History
Usage Guidelines
Use the show ipv6 route command to view the contents of the IPv6 routing table.
Examples
The following example routes packets for network 7fff::0/32 to a networking device on the inside interface at 3FFE:1100:0:CC00::1 with an administrative distance of 110:
hostname(config)# ipv6 route inside 7fff::0/32 3FFE:1100:0:CC00::1 110Related Commands
debug ipv6 route
Displays debug messages for IPv6 routing table updates and route cache updates.
show ipv6 route
Displays the current contents of the IPv6 routing table.
isakmp am-disable
To disable inbound aggressive mode connections, use the isakmp am-disable command in global configuration mode. To enable inbound aggressive mode connections, use the no form of this command.
isakmp am-disable
no isakmp am-disable
Syntax Description
This command has no arguments or keywords.
Defaults
The default value is enabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Examples
The following example, entered in global configuration mode, disables inbound aggressive mode connections:
hostname(config)# isakmp am-disableRelated Commands
isakmp disconnect-notify
To enable disconnect notification to peers, use the isakmp disconnect-notify command in global configuration mode. To disable disconnect notification, use the no form of this command.
isakmp disconnect-notify
no isakmp disconnect-notify
Syntax Description
This command has no arguments or keywords.
Defaults
The default value is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Examples
The following example, entered in global configuration mode, enables disconnect notification to peers:
hostname(config)# isakmp disconnect-notifyRelated Commands
isakmp enable
To enable ISAKMP negotiation on the interface on which the IPSec peer communicates with the FWSM, use the isakmp enable command in global configuration mode. To disable ISAKMP on the interface, use the no form of this command.
isakmp enable interface-name
no isakmp enable interface-name
Syntax Description
interface-name
Specifies the name of the interface on which to enable or disable ISAKMP negotiation.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Examples
The following example, entered in global configuration mode, shows how to disable ISAKMP on the inside interface:
hostname(config)# no isakmp enable insideRelated Commands
isakmp identity
To set the Phase 2 ID to be sent to the peer, use the isakmp identity command in global configuration mode. To return to the default setting, use the no form of this command.
isakmp identity {address | hostname | key-id key-id-string | auto}
no isakmp identity {address | hostname | key-id key-id-string | auto}
Syntax Description
Defaults
The default ISAKMP identity is isakmp identity hostname.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Examples
The following example, entered in global configuration mode, enables ISAKMP negotiation on the interface for communicating with the IPSec peer, depending on connection type:
hostname(config)# isakmp identity autoRelated Commands
isakmp keepalive
To configure IKE DPD, use the isakmp keepalive command in tunnel-group ipsec-attributes configuration mode. In every tunnel group, IKE keepalives are enabled by default with default threshold and retry values. To return the keepalive parameters to enabled with default threshold and retry values, use the no form of this command.
isakmp keepalive [threshold seconds] [retry seconds] [disable]
no isakmp keepalive disable
Syntax Description
Defaults
The default for a remote access group is a threshold of 300 seconds and a retry of 2 seconds.
For a LAN-to-LAN group, the default is a threshold of 10 seconds and a retry of 2 seconds.
Command Modes
The following table shows the modes in which you can enter the command:
Tunnel-group ipsec-attributes configuration
•
•
•
•
—
Command History
Usage Guidelines
You can apply this attribute to IPSec remote-access and IPSec LAN-to-LAN tunnel-group types only.
Examples
The following example entered in config-ipsec configuration mode, configures IKE DPD, establishes a threshold of 15, and specifies a retry interval of 10 for the IPSec LAN-to-LAN tunnel group named 209.165.200.225:
hostname(config)# tunnel-group 209.165.200.225 type IPSec_L2Lhostname(config)# tunnel-group 209.165.200.225 ipsec-attributeshostname(config-ipsec)# isakmp keepalive threshold 15 retry 10Related Commands
isakmp policy authentication
To specify an authentication method within an IKE policy, use the isakmp policy authentication command in global configuration mode. IKE policies define a set of parameters for IKE negotiation. To reset the authentication method to the default value, use the no form of this command.
isakmp policy priority authentication {pre-share | dsa-sig | rsa-sig}
no isakmp policy priority authentication
Syntax Description
Defaults
The default ISAKMP policy authentication is pre-share.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
If you specify RSA signatures, you must configure the FWSM and its peer to obtain certificates from a certification authority (CA). If you specify preshared keys, you must separately configure these preshared keys within the FWSM and its peer.
Examples
The following example, entered in global configuration mode, shows use of the isakmp policy authentication command. This example sets the authentication method of RSA Signatures to be used within the IKE policy with the priority number of 40.
hostname(config)# isakmp policy 40 authentication rsa-sigRelated Commands
isakmp policy encryption
To specify the encryption algorithm to use within an IKE policy, use the isakmp policy encryption command in global configuration mode. To reset the encryption algorithm to the default value, which is des, use the no form of this command.
isakmp policy priority encryption {aes | aes-192| aes-256 | des | 3des}
no isakmp policy priority encryption {aes | aes-192| aes-256 | des | 3des}
Syntax Description
Defaults
The default ISAKMP policy encryption is 3des.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Examples
The following example, entered in global configuration mode, shows use of the isakmp policy encryption command; it sets 128-bit key AES encryption as the algorithm to be used within the IKE policy with the priority number of 25.
hostname(config)# isakmp policy 25 encryption aesThe following example, entered in global configuration mode, sets the 3DES algorithm to be used within the IKE policy with the priority number of 40.
hostname(config)# isakmp policy 40 encryption 3deshostname(config)#Related Commands
isakmp policy group
To specify the Diffie-Hellman group for an IKE policy, use the isakmp policy group command in global configuration mode. IKE policies define a set of parameters to use during IKE negotiation. To reset the Diffie-Hellman group identifier to the default value, use the no form of this command.
[no] isakmp policy priority group {1 | 2 | 5 | 7}
Syntax Description
Defaults
The default group policy is group 2.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
There are four group options: 768-bit (DH Group 1), 1024-bit (DH Group 2), 1536-bit (DH Group 5), and DH Group 7. The 1024-bit and 1536-bit Diffie-Hellman Groups provide stronger security, but require more CPU time to execute.
Note
AES support is available on security appliances licensed for VPN-3DES only. Due to the large key sizes provided by AES, ISAKMP negotiation should use Diffie-Hellman (DH) group 5 instead of group 1 or group 2. This is done with the isakmp policy priority group 5 command.
Examples
The following example, entered in global configuration mode, shows use of the isakmp policy group command. This example sets group 2, the 1024-bit Diffie Hellman, to be used within the IKE policy with the priority number of 40.
hostname(config-if)# isakmp policy 40 group 2Related Commands
isakmp policy hash
To specify the hash algorithm for an IKE policy, use the isakmp policy hash command in global configuration mode. IKE policies define a set of parameters to be used during IKE negotiation. To reset the hash algorithm to the default value of SHA-1, use the no form of this command.
isakmp policy priority hash {md5 | sha}
no isakmp policy priority hash
Syntax Description
Defaults
The default hash algorithm is SHA-1 (HMAC variant).
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
There are two hash algorithm options: SHA-1 and MD5. MD5 has a smaller digest and is considered to be slightly faster than SHA-1.
Examples
The following example, entered in global configuration mode, shows use of the isakmp policy hash command. This example specifies that the MD5 hash algorithm be used within the IKE policy, with the priority number of 40.
hostname(config)# isakmp policy 40 hash md5Related Commands
isakmp policy lifetime
To specify the lifetime of an IKE security association before it expires, use the isakmp policy lifetime command in global configuration mode. You can specify an infinite lifetime if the peer does not propose a lifetime. To reset the security association lifetime to the default value of 86,400 seconds (one day), use the no form of this command .
isakmp policy priority lifetime seconds
no isakmp policy priority lifetime
Syntax Description
Defaults
The default value is 86,400 seconds (one day).
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
When IKE begins negotiations, it seeks to agree upon the security parameters for its own session. Then the security association at each peer refers to the agreed-upon parameters. The peers retain the security association until the lifetime expires. Before a security association expires, subsequent IKE negotiations can use it, which can save time when setting up new IPSec security associations. The peers negotiate new security associations before current security associations expire.
With longer lifetimes, the FWSM sets up future IPSec security associations more quickly. Encryption strength is great enough to ensure security without using very fast rekey times, on the order of every few minutes. We recommend that you accept the default.
Note
The following example, entered in global configuration mode, shows use of the isakmp policy lifetime command. This example sets the lifetime of the IKE security association to 50,400 seconds (14 hours) within the IKE policy with the priority number of 40.
Examples
The following example, entered in global configuration mode, sets the lifetime of the IKE security association to 50,4000 seconds (14 hours) within the IKE policy with the priority number of 40.
hostname(config)# isakmp policy 40 lifetime 50400The following example, entered in global configuration mode, sets the IKE security association to an infinite lifetime.
hostname(config)# isakmp policy 40 lifetime 0Related Commands
isakmp reload-wait
To enable waiting for all active sessions to voluntarily terminate before rebooting the FWSM, use the isakmp reload-wait command in global configuration mode. To disable waiting for active sessions to terminate and to proceed with a reboot of the FWSM, use the no form of this command.
isakmp reload-wait
no isakmp reload-wait
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Examples
The following example, entered in global configuration mode, tells the FWSM to wait until all active sessions have terminated before rebooting:
hostname(config)# isakmp reload-waitRelated Commands
issuer-name
To identify the DN from the CA certificate to be compared to the rule entry string, use the issuer-name command in CA certificate map configuration mode. To remove an issuer-name, use the no form of the command.
issuer-name [attr tag] {eq | ne | co | nc} string
no issuer-name [attr tag] {eq | ne | co | nc} string
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
CA certificate map configuration
•
•
•
•
—
Command History
Examples
The following example enters the CA certificate map mode for certificate map 4 and configures the issuer name as O = central:
hostname(config)# crypto ca certificate map 4hostname(ca-certificate-map)# issuer-name attr o eq centralhostname(ca-certificate-map)# exitRelated Commands
