Cisco PIX Firewall Command Reference, Version 6.3
C Commands

Table Of Contents

C Commands

ca

ca generate rsa key

capture

clear

clock

conduit

configure

console

copy

crashinfo

crypto dynamic-map

crypto ipsec

crypto map


C Commands


ca

Configure the PIX Firewall to interoperate with a certification authority (CA).

ca authenticate ca_nickname [fingerprint]

[no] ca configure ca_nickname ca | ra retry_period retry_count [crloptional]

[no] ca crl request ca_nickname

[no] ca enroll ca_nickname challenge_password [serial] [ipaddress]

ca generate rsa {key | specialkey} key_modulus_size

[no] ca identity ca_nickname [ca_ipaddress | hostname [:ca_script_location] [ldap_ipaddress | hostname]]

[no] ca save all

[no] ca subject-name ca_nickname X.500_string

[no] ca verifycertdn X.500_string

ca zeroize rsa [keypair_name]

show ca certificate

show ca crl

show ca configure

show ca identity

show ca mypubkey rsa

show ca subject-name

show ca verifycertdn

Syntax Description

ca_ipaddress

The CA's IP address.

ca_nickname

The name of the certification authority (CA). Enter any string that you desire. (If you previously declared the CA and just want to update its characteristics, specify the name you previously created.) The CA might require a particular name, such as its domain name.

Currently, the PIX Firewall supports only one CA at a time.

ca | ra

Indicates whether to contact the CA or registration authority (RA) when using the ca configure command.

Some CA systems provide an RA, which the PIX Firewall contacts instead of the CA.

:ca_script_location

The default location and script on the CA server is /cgi-bin/pkiclient.exe. If the CA administrator has not put the CGI script in this location, provide the location and the name of the script in the ca identity command.

A PIX Firewall uses a subset of the HTTP protocol to contact the CA, and so it must identify a particular cgi-bin script to handle CA requests.

challenge_password

A required password that gives the CA administrator some authentication when a user calls to ask for a certificate to be revoked. It can be up to 80 characters in length.

crloptional

Allows other peers' certificates to be accepted by your PIX Firewall even if the appropriate certificate revocation list (CRL) is not accessible to your PIX Firewall. The default is without the crloptional option.

fingerprint

A key consisting of alphanumeric characters the PIX Firewall uses to authenticate the CA's certificate.

hostname

The host name.

ipaddress

Return the PIX Firewall unit's IP address in the certificate.

key

Specifies that one general-purpose RSA key pair will be generated.

key_modulus_size

The size of the key modulus, which is between 512 and 2048 bits. Choosing a size greater than 1024 bits may cause key generation to take a few minutes.

ldap_ipaddress

The IP address of the Lightweight Directory Access Protocol (LDAP) server.

By default, querying of a certificate or a CRL is done via Cisco's PKI protocol. If the CA supports LDAP, query functions may also use LDAP.

retry_count

Specify how many times the PIX Firewall will resend a certificate request when it does not receive a certificate from the CA from the previous request. Specify from 1 to 100. The default is 0, which indicates that there is no limit to the number of times the PIX Firewall should contact the CA to obtain a pending certificate.

retry_period

Specify the number of minutes the PIX Firewall waits before resending a certificate request to the CA when it does not receive a response from the CA to its previous request. Specify from 1 to 60 minutes. By default, the PIX Firewall retries every 1 minute.

serial

Return the PIX Firewall unit's serial number in the certificate.

specialkey

This specifies that two special-purpose RSA key pairs will be generated instead of one general-purpose key.

subject-name

Configures the device certificate request with the specified subject name.

verifycertdn

Verifies the certificate's Distinguished Name (DN) and acts as a subject name filter, based on the X.500_string. If the subject name of the peer certificate matches the X.500_string, then it is filtered out and ISAKMP negotiation fails.

X.500_string

Specify per RFC1779. The entered string will be the Distinguished Name (DN) sent.


Defaults

The retry_count default is 0.

Command Modes

Configuration mode.

Usage Guidelines

The sections that follow describe each ca command.

The PIX Firewall currently supports the CA servers from VeriSign, Entrust, Baltimore Technologies, and Microsoft. Refer to the Cisco PIX Firewall and VPN Configuration Guide for a list of specific CA server versions the PIX Firewall supports.

The lifetime of a certificate and the certificate revocation list (CRL) is checked in UTC, which is the same as GMT. Set the PIX Firewall clock to UTC to ensure that CRL checking works correctly. Use the clock command to set the PIX Firewall clock.

The PIX Firewall authenticates the entity certificate (the device certificate). The PIX Firewall assumes the entity certificate is issued by the same trusted point or root (the CA server). As a result, they should have the same root certificate (issuer certificate). Therefore, the PIX Firewall assumes the entity exchanges the entity certificate only, and cannot process a certificate chain that includes both the entity and root certificates.

ca authenticate

The ca authenticate command allows the PIX Firewall to authenticate its certification authority (CA) by obtaining the CA's self-signed certificate, which contains the CA's public key.

To authenticate a peer's certificate(s), a PIX Firewall must obtain the CA certificate containing the CA public key. Because the CA certificate is a self-signed certificate, the key should be authenticated manually by contacting the CA administrator. You are given the choice of authenticating the public key in that certificate by including within the ca authenticate command the key's fingerprint, which is retrieved in an out-of-band process. The PIX Firewall will discard the received CA certificate and generate an error message, if the fingerprint you specified is different from the received one. You can also simply compare the two fingerprints without having to enter the key within the command.

If you are using RA mode (within the ca configure command), when you issue the ca authenticate command, the RA signing and encryption certificates will be returned from the CA, as well as the CA certificate.

The ca authenticate command is not saved to the PIX Firewall configuration. However, the public keys embedded in the received CA (and RA) certificates are saved in the configuration as part of the RSA public key record (called the "RSA public key chain"). To save the public keys permanently to Flash memory, use the ca save all command. To view the CA's certificate, use the show ca certificate command.


Note If the CA does not respond by a timeout period after this command is issued, the terminal control will be returned so it will not be tied up. If this happens, you must re-enter the command.


ca configure

The ca configure command is used to specify the communication parameters between the PIX Firewall and the CA.

Use the no ca configure command to reset each of the communication parameters to the default value. If you want to show the current settings stored in RAM, use the show ca configure command.

The following example indicates that myca is the name of the CA and that the CA will be contacted rather than the RA. It also indicates that the PIX Firewall will wait 5 minutes before sending another certificate request if it does not receive a response, and will resend a total of 15 times before dropping its request. If the CRL is not accessible, crloptional tells the PIX Firewall to accept other peers' certificates.

ca configure myca ca 5 15 crloptional

ca crl request

The ca crl request command allows the PIX Firewall to obtain an updated CRL from the CA at any time. The no ca crl command deletes the CRL within the PIX Firewall.

A CRL lists all the network's devices' certificates that have been revoked. The PIX Firewall will not accept revoked certificates; therefore, any peer with a revoked certificate cannot exchange IPSec traffic with your PIX Firewall.

The first time your PIX Firewall receives a certificate from a peer, it will download a CRL from the CA. Your PIX Firewall then checks the CRL to make sure the peer's certificate has not been revoked. (If the certificate appears on the CRL, it will not accept the certificate and will not authenticate the peer.)

A CRL can be reused with subsequent certificates until the CRL expires. When the CRL does expire, the PIX Firewall automatically updates it by downloading a new CRL and replaces the expired CRL with the new CRL.

If your PIX Firewall has a CRL which has not yet expired, but you suspect that the CRL's contents are out of date, use the ca crl request command to request that the latest CRL be immediately downloaded to replace the old CRL.

The ca crl request command is not saved with the PIX Firewall configuration between reloads.

The following example indicates the PIX Firewall will obtain an updated CRL from the CA with the name myca:

ca crl request myca

The show ca crl command lets you know whether there is a CRL in RAM, and where and when the CRL is downloaded.

The following is sample output from the show ca crl command. See Table 4-2 for descriptions of the strings within the following sample output.

show ca crl

CRL:
    CRL Issuer Name:
        CN = MSCA, OU = Cisco, O = VSEC, L = San Jose, ST = CA, C = US, EA =<16> username@example.com
    LastUpdate:17:07:40 Jul 11 2000
    NextUpdate:05:27:40 Jul 19 2000
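The usage guidelines above say CRL lifetimes are checked in UTC and that the PIX Firewall clock must therefore be set to UTC. The following added example (not Cisco code, and not part of this reference) parses the show ca crl output shown above, tests whether the CRL is inside its LastUpdate/NextUpdate window for a given UTC time, and then shows what goes wrong when the firewall clock is set to local time instead: a clock running seven hours behind UTC keeps accepting a CRL that has already expired. The sample text is a copy of the output above with the wrapped EA line joined; the function names are this example's own.

```python
import re
from datetime import datetime, timedelta, timezone

# Copy of the "show ca crl" sample output from this section (the wrapped
# "EA =<16> ..." line has been joined so the issuer DN is one line).
SAMPLE_SHOW_CA_CRL = """\
CRL:
    CRL Issuer Name:
        CN = MSCA, OU = Cisco, O = VSEC, L = San Jose, ST = CA, C = US, EA =<16> username@example.com
    LastUpdate:17:07:40 Jul 11 2000
    NextUpdate:05:27:40 Jul 19 2000
"""

# Timestamp layout used in the PIX output: HH:MM:SS Mon DD YYYY
_TS_FORMAT = "%H:%M:%S %b %d %Y"


def utc(*parts):
    """Build a timezone-aware UTC datetime, e.g. utc(2000, 7, 15, 12, 0)."""
    return datetime(*parts, tzinfo=timezone.utc)


def _parse_ts(value):
    # The PIX evaluates lifetimes in UTC, so the parsed value is tagged as UTC.
    return datetime.strptime(value.strip(), _TS_FORMAT).replace(tzinfo=timezone.utc)


def parse_show_ca_crl(text):
    """Extract issuer DN and validity window from `show ca crl` output."""
    issuer = last_update = next_update = None
    lines = text.splitlines()
    for i, line in enumerate(lines):
        stripped = line.strip()
        if stripped.startswith("CRL Issuer Name:"):
            # The issuer DN is printed on the following line.
            issuer = lines[i + 1].strip() if i + 1 < len(lines) else None
        elif stripped.startswith("LastUpdate:"):
            last_update = _parse_ts(stripped.split(":", 1)[1])
        elif stripped.startswith("NextUpdate:"):
            next_update = _parse_ts(stripped.split(":", 1)[1])
    if issuer is None or last_update is None or next_update is None:
        raise ValueError("incomplete show ca crl output")
    return {"issuer": issuer, "last_update": last_update, "next_update": next_update}


def crl_is_current(crl, clock):
    """True if the CRL is within its validity window at `clock` (a UTC time)."""
    return crl["last_update"] <= clock < crl["next_update"]


def crl_is_current_on_skewed_clock(crl, true_utc, clock_offset_hours):
    """Result the firewall would compute if its clock were set to a local
    time `clock_offset_hours` away from UTC instead of to UTC itself.
    A negative offset (clock behind UTC) makes an expired CRL look valid."""
    skewed_clock = true_utc + timedelta(hours=clock_offset_hours)
    return crl_is_current(crl, skewed_clock)
```

With the sample output, the CRL is current on 15 July 2000 and expired at 06:00 UTC on 19 July 2000; a firewall whose clock reads Pacific daylight time (UTC-7) at that moment still believes it is 23:00 on 18 July and keeps using the stale CRL, which is exactly the failure the clock command note is guarding against.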

ca enroll

The ca enroll command is used to send an enrollment request to the CA requesting a certificate for all of your PIX Firewall unit's key pairs. This is also known as "enrolling" with the CA. (Technically, enrolling and obtaining certificates are two separate events, but they both occur when this command is issued.)

Your PIX Firewall needs a signed certificate from the CA for each of its RSA key pairs; if you previously generated general purpose keys, the ca enroll command will obtain one certificate corresponding to the one general purpose RSA key pair. If you previously generated special usage keys, this command will obtain two certificates corresponding to each of the special usage RSA key pairs.

If you already have a certificate for your keys, you will be unable to complete this command; instead, you will be prompted to remove the existing certificate first.

The ca enroll command is not saved with the PIX Firewall configuration between reloads. To verify if the enrollment process succeeded and to display the PIX Firewall unit's certificate, use the show ca certificate command. If you want to cancel the current enrollment request, use the no ca enroll command.

The required challenge password is necessary in the event that you need to revoke your PIX Firewall unit's certificate(s). When you ask the CA administrator to revoke your certificate, you must supply this challenge password as a protection against fraudulent or mistaken revocation requests.


Note This password is not stored anywhere, so you must remember this password.


If you lose the password, the CA administrator may still be able to revoke the PIX Firewall's certificate, but will require further manual authentication of the PIX Firewall administrator identity.

The PIX Firewall unit's serial number is optional. If you provide the serial option, the serial number will be included in the obtained certificate. The serial number is not used by IPSec or IKE but may be used by the CA to either authenticate certificates or to later associate a certificate with a particular device. Ask your CA administrator if serial numbers should be included in the certificate. If you are in doubt, specify the serial option.

The PIX Firewall unit's IP address is optional. If you provide the ipaddress option, the IP address will be included in the obtained certificate. Normally, you would not include the ipaddress option because the IP address binds the certificate more tightly to a specific entity. Also, if the PIX Firewall is moved, you would need to issue a new certificate.


Note When configuring ISAKMP for certificate-based authentication, it is important to match the ISAKMP identity type with the certificate type. The ca enroll command used to acquire certificates will, by default, get a certificate with the identity based on host name. The default identity type for the isakmp identity command is based on address instead of host name. You can reconcile this disparity of identity types by using the isakmp identity address command. See the isakmp command for information about the isakmp identity address command.


The following example indicates that the PIX Firewall will send an enrollment request to the CA myca.example.com. The password 1234567890 is specified, as well as a request for the PIX Firewall unit's serial number to be embedded in the certificate.

ca enroll myca.example.com 1234567890 serial

ca generate rsa

The ca generate rsa command generates RSA key pairs for your PIX Firewall. RSA keys are generated in pairs—one public RSA key and one private RSA key. If your PIX Firewall already has RSA keys when you issue this command, you will be warned and prompted to replace the existing keys with new keys.


Note Before issuing this command, make sure your PIX Firewall has a host name and domain name configured (using the hostname and domain-name commands). You will be unable to complete the ca generate rsa command without a host name and domain name.


The ca generate rsa command is not saved in the PIX Firewall configuration. However, the keys generated by this command are saved in the persistent data file in Flash memory, which is never displayed to the user or backed up to another device.

In this example, one general-purpose RSA key pair is to be generated. The selected size of the key modulus is 2048.

ca generate rsa key 2048


Note You cannot generate both special usage and general purpose keys; you can only generate one or the other.


ca identity

The ca identity command declares the CA that your PIX Firewall will use. Currently, PIX Firewall supports one CA at one time. The no ca identity command removes the ca identity command from the configuration and deletes all certificates issued by the specified CA and CRLs. The show ca identity command shows the current settings stored in RAM.

The PIX Firewall uses a subset of the HTTP protocol to contact the CA, and so must identify a particular cgi-bin script to handle CA requests. The default location and script on the CA server is /cgi-bin/pkiclient.exe. If the CA administrator has not put the CGI script in the previously listed location, include the location and the name of the script within the ca identity command statement.

By default, querying of a certificate or a CRL is done via Cisco's PKI protocol. If the CA supports Lightweight Directory Access Protocol (LDAP), query functions may use LDAP as well. The IP address of the LDAP server must be included within the ca identity command statement.

The following example indicates that the CA myca.example.com is declared as the PIX Firewall unit's supported CA. The CA's IP address of 205.139.94.231 is provided.

ca identity myca.example.com 205.139.94.231 

ca save all

The ca save all command lets you save the PIX Firewall unit's RSA key pairs, the CA, RA and PIX Firewall unit's certificates, and the CA's CRLs in the persistent data file in Flash memory between reloads. The no ca save command removes the saved data from the PIX Firewall unit's Flash memory.

The ca save command itself is not saved with the PIX Firewall configuration between reloads.

To view the current status of requested certificates, and relevant information of received certificates, such as CA and RA certificates, use the show ca certificate command. Because the certificates contain no sensitive data, any user can issue this show command.

ca subject-name ca_nickname X.500_string

The ca subject-name ca_nickname X.500_string command is a certificate enrollment enhancement that supports X.500 directory names.

When the ca subject-name ca_nickname X.500_string command is configured, the firewall enrolls the device certificate with the subject Distinguished Name (DN) that is specified in the X.500_string, using RFC 1779 format. The supported DN attributes are listed in Table 4-1.

Table 4-1 Supported Distinguished Name attributes

Attribute   Description
ou          OrganizationalUnitName
o           OrganizationName
st          StateOrProvinceName
c           CountryName
ea          Email address (a non-RFC 1779 format attribute)


For more information on RFC 1779, refer to http://www.ietf.org/rfc/rfc1779.txt.

PIX Firewall software Version 6.3 supports X.509 (certificate support) on the VPN client. Cisco IOS software, the VPN 3000 concentrator, and the PIX Firewall look for the correct VPN group (mode config group) according to the ou attribute. (The ou attribute is part of the subject DN of the device certificate when the Easy VPN client negotiates the RSA signature.) For example,

ca subject-name myca ou=my_department, o=my_org, st=CA, c=US

where my_department is the VPN group.


Note If the X.500_string is being used to communicate between a Cisco VPN 3000 headend and the firewall, the VPN 3000 headend must not be configured to use DNS names for its backup servers. Instead, the backup servers must be specified by their IP addresses.


ca verifycertdn X.500_string

The ca verifycertdn X.500_string command verifies the certificate's Distinguished Name (DN) and acts as a subject name filter, based on the X.500_string. If the subject name of the peer certificate matches the X.500_string, then it is filtered out and ISAKMP negotiation fails.
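Both ca subject-name and ca verifycertdn take an RFC 1779 X.500_string, and the ou attribute of that string is what selects the VPN group. The following added example (this editor's code, not Cisco's) is a small RFC 1779 DN parser that handles the attribute types from Table 4-1 and the show ca certificate output (cn, ou, o, l, st, c, ea, dc), tolerates the "CN = MSCA" spacing the firewall prints, keeps commas inside quoted or backslash-escaped values, extracts the VPN group from ou, and applies the filter exactly as the paragraph above describes verifycertdn: a peer subject name that matches the X.500_string is filtered out. Case-insensitive comparison of attribute values is an assumption of this example, not something the reference states.

```python
# Attribute types from Table 4-1 plus those seen in show ca certificate output.
SUPPORTED_ATTRIBUTES = {"cn", "ou", "o", "l", "st", "c", "ea", "dc"}


def parse_dn(x500_string):
    """Parse an RFC 1779-style DN such as "ou=eng, o=acme, c=US" into a list
    of (type, value) tuples. Types are lower-cased and whitespace around
    '=' is removed, so "OU = VSEC" and "ou=VSEC" parse identically. Commas
    and semicolons inside double quotes or escaped with a backslash are
    kept as part of the value."""
    components, current = [], []
    in_quotes = escaped = False
    for ch in x500_string:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch in ",;" and not in_quotes:
            components.append("".join(current))
            current = []
        else:
            current.append(ch)
    components.append("".join(current))

    result = []
    for comp in components:
        if not comp.strip():
            continue
        if "=" not in comp:
            raise ValueError("malformed DN component: %r" % comp)
        attr, value = comp.split("=", 1)
        attr = attr.strip().lower()
        if attr not in SUPPORTED_ATTRIBUTES:
            raise ValueError("unsupported attribute type: %r" % attr)
        result.append((attr, value.strip()))
    return result


def dn_matches(peer_dn, filter_dn):
    """True when every attribute of filter_dn is present in peer_dn with the
    same value (values compared case-insensitively: an assumption here)."""
    present = {(a, v.lower()) for a, v in parse_dn(peer_dn)}
    return all((a, v.lower()) in present for a, v in parse_dn(filter_dn))


def verifycertdn_blocks(peer_dn, x500_string):
    """Filter semantics as this section describes ca verifycertdn: a peer
    whose subject name matches the X.500_string is filtered out and ISAKMP
    negotiation fails, so True means the peer is rejected."""
    return dn_matches(peer_dn, x500_string)


def vpn_group_from_dn(dn):
    """The ou attribute of the device certificate's subject DN carries the
    VPN group (mode config group) used by Easy VPN; None if absent."""
    for attr, value in parse_dn(dn):
        if attr == "ou":
            return value
    return None
```

Running vpn_group_from_dn on the ca subject-name example string above returns my_department; the ValueError on an unsupported attribute type is deliberate, since a typo such as "uo=" in the X.500_string would otherwise enroll a certificate that no headend can map to a group.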

ca zeroize rsa

The ca zeroize rsa command deletes all RSA keys that were previously generated by your PIX Firewall. If you issue this command, you must also perform two additional tasks. Perform these tasks in the following order:

1. Use the no ca identity command to manually remove the PIX Firewall unit's certificates from the configuration. This will delete all the certificates issued by the CA.

2. Ask the CA administrator to revoke your PIX Firewall unit's certificates at the CA. Supply the challenge password you created when you originally obtained the PIX Firewall unit's certificates using the ca enroll command.

To delete a specific RSA key pair, specify the name of the RSA key you want to delete using the option keypair_name within the ca zeroize rsa command statement.


Note You may have more than one pair of RSA keys due to SSH. See the ssh command in "S Commands" for more information.


show ca commands

The show ca certificate command displays the CA Server's subject name, CRL distribution point (where the PIX Firewall will obtain the CRL), and lifetime of both the CA server's root certificate and the PIX Firewall's certificates.

The following is sample output from the show ca certificate command. The CA certificate stems from a Microsoft CA server previously generated for this PIX Firewall.

show ca certificate

RA Signature Certificate
  Status:Available
  Certificate Serial Number:6106e08a000000000005
  Key Usage:Signature
    CN = SCEP
     OU = VSEC
     O = Cisco
     L = San Jose
     ST = CA
     C = US
     EA =<16> username@example.com
  Validity Date:
    start date:17:17:09 Jul 11 2000
    end   date:17:27:09 Jul 11 2001

Certificate
  Status:Available
  Certificate Serial Number:1f80655400000000000a
  Key Usage:General Purpose
  Subject Name
    Name:pixfirewall.example.com
  Validity Date:
    start date:20:06:23 Jul 17 2000
    end   date:20:16:23 Jul 17 2001

CA Certificate
  Status:Available
  Certificate Serial Number:25b81813efe58fb34726eec44ae82365
  Key Usage:Signature
    CN = MSCA
     OU = Cisco
     O = VSEC
     L = San Jose
     ST = CA
     C = US
     EA =<16> username@example.com
  Validity Date:
    start date:17:07:34 Jul 11 2000

RA KeyEncipher Certificate
  Status:Available
  Certificate Serial Number:6106e24c000000000006
  Key Usage:Encryption
    CN = SCEP
     OU = VSEC
     O = Cisco
     L = San Jose
     ST = CA
     C = US
     EA =<16> username@example.com
  Validity Date:
    start date:17:17:10 Jul 11 2000
    end   date:17:27:10 Jul 11 01

Table 4-2 describes strings within the show ca certificate command sample output.

Table 4-2 show ca certificate command Output Strings

Sample Output String   Description
CN                     common name
C                      country
EA                     E-mail address
L                      locality
ST                     state or province
O                      organization name
OU                     organizational unit name
DC                     domain component


The show ca crl command displays whether there is a certificate revocation list (CRL) in the PIX Firewall RAM, and where and when the CRL downloaded.

The show ca configure command displays the current communication parameter settings stored in the PIX Firewall RAM.

The show ca identity command displays the current certification authority (CA) settings stored in RAM.

The show ca mypubkey rsa command displays the PIX Firewall unit's public keys in a DER/BER encoded PKCS#1 representation.

The following is sample output from the show ca mypubkey rsa command. Special usage RSA keys were previously generated for this PIX Firewall using the ca generate rsa command.

show ca mypubkey rsa

% Key pair was generated at: 15:34:55 Aug 05 1999

Key name: pixfirewall.example.com
 Usage: Signature Key
 Key Data:
            305c300d 06092a86 4886f70d 01010105 00034b00 30480241 00c31f4a ad32f60d
            6e7ed9a2 32883ca9 319a4b30 e7470888 87732e83 c909fb17 fb5cae70 3de738cf
            6e2fd12c 5b3ffa98 8c5adc59 1ec84d78 90bdb53f 2218cfe7 3f020301 0001
% Key pair was generated at: 15:34:55 Aug 05 1999

Key name: pixfirewall.example.com
 Usage: Encryption Key
 Key Data:
            305c300d 06092a86 4886f70d 01010105 00034b00 30480241 00d8a6ac cc64e57a
            48dfb2c1 234661c7 76380bd5 72ae62f7 1706bdab 0eedd0b5 2e5feef0 76319d98
            908f50b4 85a291de 247b6711 59b30026 453bfa3c 45234991 5d020301 0001

Examples

In the following example, a request for the CA's certificate was sent to the CA. The fingerprint was not included in the command. The CA sends its certificate and the PIX Firewall prompts for verification of the CA's certificate by checking the CA certificate's fingerprint. Using the fingerprint associated with the CA's certificate retrieved in some out-of-band process from a CA administrator, compare the two fingerprints. If both fingerprints match, then the certificate is considered valid.

ca authenticate myca
Certificate has the following attributes:
Fingerprint: 0123 4567 89AB CDEF 0123

The following example shows the error message. This time, the fingerprint is included in the command. The two fingerprints do not match, and therefore the certificate is not valid.

ca authenticate myca 0123456789ABCDEF0123
Certificate has the following attributes:
Fingerprint: 0123 4567 89AB CDEF 5432
%Error in verifying the received fingerprint. Type help or `?' for a list of available commands.

ca generate rsa key

The ca generate rsa command generates RSA key pairs for your PIX Firewall. RSA keys are generated in pairs—one public RSA key and one private RSA key.

ca generate rsa key modulus

Syntax Description

ca generate rsa key

Generates an RSA key for the PIX Firewall.

modulus

Defines the modulus used to generate the RSA key. This is a size measured in bits. You can specify a modulus of 512, 768, 1024, or 2048 bits.



Note Before issuing this command, make sure your PIX Firewall host name and domain name have been configured (using the hostname and domain-name commands). If a domain name is not configured, the PIX Firewall uses a default domain of ciscopix.com.


Defaults

RSA key modulus default (during PDM setup) is 768. The default domain is ciscopix.com.

Command Modes

Configuration mode.

Usage Guidelines

If your PIX Firewall already has RSA keys when you issue this command, you are warned and prompted to replace the existing keys with new keys.


Note The larger the key modulus size you specify, the longer it takes to generate an RSA key pair. We recommend a default value of 768.


PDM uses the Secure Sockets Layer (SSL) communications protocol to communicate with the PIX Firewall.

SSL uses the private key generated with the ca generate rsa command. For a certificate, SSL uses the key obtained from a certification authority (CA). If that does not exist, it uses the PIX Firewall self-signed certificate created when the RSA key pair was generated.

If there is no RSA key pair when an SSL session is initiated, the PIX Firewall creates a default RSA key pair using a key modulus of 768.

The ca generate rsa command is not saved in the PIX Firewall configuration. However, the keys generated by this command are saved in a persistent data file in Flash memory, and the public half can be viewed with the show ca mypubkey rsa command.

Examples

The following example demonstrates how one general purpose RSA key pair is generated. The selected size of the key modulus is 1024.

router(config) ca generate rsa key 1024
Key name:pixfirewall.cisco.com
 Usage:General Purpose Key
 Key Data:
  30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00c8ed4c
  9f5e0b52 aea931df 04db2872 5c4c0afd 9bd0920b 5e30de82 63d834ac f2e1db1f
  1047481a 17be5a01 851835f6 18af8e22 45304d53 12584b9c 2f48fad5 31e1be5a
  bb2ddc46 2841b63b f92cb3f9 8de7cb01 d7ea4057 7bb44b4c a64a9cf0 efaacd42
  e291e4ea 67efbf6c 90348b75 320d7fd3 c573037a ddb2dde8 00df782c 39020301 0001
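The Key Data shown by show ca mypubkey rsa (earlier in this chapter) and by ca generate rsa key (above) is described as a DER/BER-encoded PKCS#1 public key. Decoding the bytes shows it is an X.509 SubjectPublicKeyInfo wrapper: a SEQUENCE holding the rsaEncryption OID and a BIT STRING that contains the PKCS#1 RSAPublicKey (modulus, exponent). The following added example (this editor's code, not Cisco's) is a minimal DER reader that turns both dumps printed in this reference into a modulus size and public exponent, which is the quickest way to audit a fleet of firewalls for key sizes below today's 2048-bit minimum; the 2048-bit threshold and the function names are this example's own choices. Both hex strings are copied verbatim from the output above, so the 512-bit signature key and the 1024-bit general-purpose key are what the parser reports.

```python
# Key Data copied from this section's show ca mypubkey rsa output
# (signature key of a special-usage pair).
SIGNATURE_KEY_HEX = """
305c300d 06092a86 4886f70d 01010105 00034b00 30480241 00c31f4a ad32f60d
6e7ed9a2 32883ca9 319a4b30 e7470888 87732e83 c909fb17 fb5cae70 3de738cf
6e2fd12c 5b3ffa98 8c5adc59 1ec84d78 90bdb53f 2218cfe7 3f020301 0001
"""

# Key Data copied from the "ca generate rsa key 1024" example above.
GENERAL_PURPOSE_1024_HEX = """
30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00c8ed4c
9f5e0b52 aea931df 04db2872 5c4c0afd 9bd0920b 5e30de82 63d834ac f2e1db1f
1047481a 17be5a01 851835f6 18af8e22 45304d53 12584b9c 2f48fad5 31e1be5a
bb2ddc46 2841b63b f92cb3f9 8de7cb01 d7ea4057 7bb44b4c a64a9cf0 efaacd42
e291e4ea 67efbf6c 90348b75 320d7fd3 c573037a ddb2dde8 00df782c 39020301 0001
"""

# DER encoding of OID 1.2.840.113549.1.1.1 (rsaEncryption).
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")

SEQUENCE, INTEGER, BIT_STRING, OBJECT_ID = 0x30, 0x02, 0x03, 0x06


def _read_tlv(data, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos).
    Handles short-form lengths (< 128) and the long form (0x81, 0x82, ...)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:
        num_len_bytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + num_len_bytes], "big")
        pos += num_len_bytes
    return tag, data[pos:pos + length], pos + length


def parse_rsa_public_key(hex_dump):
    """Decode the Key Data hex into modulus size, modulus and exponent."""
    der = bytes.fromhex("".join(hex_dump.split()))
    tag, spki, end = _read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    # AlgorithmIdentifier ::= SEQUENCE { OID, NULL }
    tag, alg, pos = _read_tlv(spki, 0)
    oid_tag, oid, _ = _read_tlv(alg, 0)
    if tag != SEQUENCE or oid_tag != OBJECT_ID or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    # subjectPublicKey BIT STRING; first byte is the unused-bits count (0)
    tag, bitstr, _ = _read_tlv(spki, pos)
    if tag != BIT_STRING or bitstr[0] != 0:
        raise ValueError("unexpected BIT STRING")
    # RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }
    tag, rsakey, _ = _read_tlv(bitstr, 1)
    tag_n, n_bytes, pos = _read_tlv(rsakey, 0)
    tag_e, e_bytes, _ = _read_tlv(rsakey, pos)
    if tag != SEQUENCE or tag_n != INTEGER or tag_e != INTEGER:
        raise ValueError("unexpected RSAPublicKey structure")
    n = int.from_bytes(n_bytes, "big")   # leading 0x00 pad is harmless here
    e = int.from_bytes(e_bytes, "big")
    return {"modulus_bits": n.bit_length(), "modulus": n, "exponent": e}


def weak_rsa_key(info, minimum_bits=2048):
    """Flag keys below the chosen minimum (2048 bits is this example's choice)."""
    return info["modulus_bits"] < minimum_bits
```

The sample special-usage key parses as a 512-bit modulus with exponent 65537, which the weak_rsa_key check flags; the 1024-bit key from the ca generate rsa key example passes only if the threshold is lowered, which is the practical reason to prefer the 2048-bit modulus that the ca generate rsa syntax allows over the 768-bit PDM default.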

capture

Enables packet capture capabilities for packet sniffing and network fault isolation.

capture capture_name [access-list acl_name] [buffer bytes] [ethernet-type type] [interface name] [packet-length bytes] [circular-buffer]

no capture capture_name [access-list [acl_name]] [interface name] [circular-buffer]

clear capture capture_name

show capture [capture_name] [access-list acl_name] [detail] [dump]

Syntax Description

access-list

Selects packets based on IP or higher fields. By default, all IP packets are matched.

acl_name

The access list id.

buffer

Defines the buffer size used to store the packet. The default size is 512 KB. Once the buffer is full, packet capture stops.

bytes

The number of bytes (b) to allocate.

capture_name

A name to uniquely identify the packet capture.

circular-buffer

Overwrites the buffer, starting from the beginning, when the buffer is full.

detail

Shows additional protocol information for each packet.

dump

Shows a hexadecimal dump of the packet transported over the data link transport. (However, the MAC information is not shown in the hex dump.)

ethernet-type

Selects packets based on the Ethernet type. An exception is the 802.1Q or VLAN type. The 802.1Q tag is automatically skipped and the inner Ethernet type is used for matching. By default, all Ethernet types are accepted.

interface

The interface for packet capture.

name

The name of the interface on which to use packet capture.

packet-length

Sets the maximum number of bytes of each packet to store in the capture buffer. By default, the maximum is 68 bytes.

type

An Ethernet type to exclude from capture. The default is 0, so you can restore the default at any time by setting type to 0.


Defaults

The default type is 0.

Command Modes

Configuration mode.

Usage Guidelines

To enable packet capturing, attach the capture to an interface with the interface option. Multiple interface statements attach the capture to multiple interfaces.

If the buffer contents are copied to a TFTP server in ASCII format, then only the headers can be seen. The details and hex dump of the packets cannot be seen. To see the details and hex dump, transfer the buffer in PCAP format and then read it with tcpdump or Ethereal using the options to show the detail and hex dump of the packets.

The ethernet-type and access-list options select the packets to store in the buffer. A packet must pass both the Ethernet and access list filters before the packet is stored in the capture buffer.

The capture capture_name circular-buffer command enables the capture buffer to overwrite itself, starting from the beginning, when the capture buffer is full.

Enter the no capture command with either the access-list or interface option unless you want to clear the capture itself. Entering no capture without options deletes the capture. If the access-list option is specified, the access list is removed from the capture and the capture is preserved. If the interface option is specified, the capture is detached from the specified interface and the capture is preserved.

To clear the capture buffer, use the clear capture capture_name command. The short form of clear capture is not supported to prevent accidental destruction of all packet captures.


Note The capture command is not saved to the configuration, and the capture command is not replicated to the standby unit during failover.


Use the copy capture: capture_name tftp://location/path [pcap] command to copy capture information to a remote TFTP server.

Use the https://pix-ip-address/capture/capture_name[/pcap] command to view the packet capture information with a web browser.

If the pcap option is specified, then a libpcap-format file is downloaded to your web browser and can be saved using your web browser. (A libpcap file can be viewed with tcpdump or Ethereal.)

The show capture command displays the capture configuration when no options are specified. If the capture_name is specified, then it displays the capture buffer contents for that capture.

Output Formats

The decoded output of the packets is dependent on the protocol of the packet. In Table 4-3, the bracketed output is displayed when the detail option is specified.

Table 4-3 Packet Capture Output Formats

Packet Type   Capture Output Format
802.1Q        HH:MM:SS.ms [ether-hdr] VLAN-info encap-ether-packet
ARP           HH:MM:SS.ms [ether-hdr] arp-type arp-info
IP/ICMP       HH:MM:SS.ms [ether-hdr] ip-source > ip-destination: icmp: icmp-type icmp-code [checksum-failure]
IP/UDP        HH:MM:SS.ms [ether-hdr] src-addr.src-port dest-addr.dst-port: [checksum-info] udp payload-len
IP/TCP        HH:MM:SS.ms [ether-hdr] src-addr.src-port dest-addr.dst-port: tcp-flags [header-check] [checksum-info] sequence-number ack-number tcp-window urgent-info tcp-options
IP/Other      HH:MM:SS.ms [ether-hdr] src-addr dest-addr: ip-protocol ip-length
Other         HH:MM:SS.ms ether-hdr: hex-dump


Examples

On a web browser, the capture contents for a capture named "mycapture" can be viewed at the following location:

https://209.165.200.232/capture/mycapture/pcap

To download a libpcap file (used in web browsers such as Internet Explorer or Netscape Navigator) to a local machine, enter the following:

https://209.165.200.232/capture/http/pcap

In the following example, the traffic is captured from an outside host at 209.165.200.241 to an inside HTTP server.

access-list http permit tcp host 10.120.56.15 eq http host 209.165.200.241
access-list http permit tcp host 209.165.200.241 host 10.120.56.15 eq http
capture http access-list http packet-length 74 interface inside

To capture ARP packets, enter the following:

pixfirewall(config)# capture arp ethernet-type arp interface outside

To display the packets captured by an ARP capture, enter the following:

pixfirewall(config)# show capture arp
2 packets captured
19:12:23.478429 arp who-has 209.165.200.228 tell 209.165.200.10
19:12:26.784294 arp who-has 209.165.200.228 tell 209.165.200.10
2 packets shown
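The ARP capture above is the kind of output an operator reads when isolating a network fault, and the two lines it shows are already telling: the same sender asks for 209.165.200.228 twice and nothing answers. The following added example (this editor's code, not Cisco's) parses show capture text in the ARP format of Table 4-3, skips the "packets captured/shown" summary lines, and derives two findings a defender looks for: targets that are asked for but never reply, and addresses claimed by more than one MAC, which is how ARP spoofing or a duplicate address shows up on the wire. The sample text repeats the two who-has lines from the output above and adds a constructed request/reply pair for a second host; the "arp reply ... is-at" wording for replies follows the tcpdump convention and is an assumption, since this section only shows who-has lines.

```python
import re
from collections import Counter

# Constructed sample in the layout of the "show capture arp" output above:
# the two who-has lines from this section plus a constructed request/reply
# pair for a second host. The reply wording is an assumption (tcpdump style).
SAMPLE_SHOW_CAPTURE_ARP = """\
4 packets captured
19:12:23.478429 arp who-has 209.165.200.228 tell 209.165.200.10
19:12:26.784294 arp who-has 209.165.200.228 tell 209.165.200.10
19:12:30.100000 arp who-has 209.165.200.229 tell 209.165.200.10
19:12:30.100450 arp reply 209.165.200.229 is-at 00:11:22:33:44:55
4 packets shown
"""

ARP_REQUEST = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) arp who-has (?P<target>\S+) tell (?P<sender>\S+)$")
ARP_REPLY = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) arp reply (?P<target>\S+) is-at (?P<mac>\S+)$")


def parse_show_capture_arp(text):
    """Turn show capture text into a list of records. The 'N packets
    captured/shown' summary lines are skipped; packet lines that match
    neither ARP pattern are kept raw so nothing is silently dropped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.endswith("packets captured") or line.endswith("packets shown"):
            continue
        m = ARP_REQUEST.match(line)
        if m:
            records.append({"ts": m["ts"], "type": "request",
                            "target": m["target"], "sender": m["sender"]})
            continue
        m = ARP_REPLY.match(line)
        if m:
            records.append({"ts": m["ts"], "type": "reply",
                            "target": m["target"], "mac": m["mac"]})
            continue
        records.append({"ts": line.split(" ", 1)[0], "type": "other", "raw": line})
    return records


def unanswered_arp_targets(records):
    """Request count per target address that never replied in the capture:
    a host that is asked for repeatedly and never answers is the usual
    fault-isolation finding (host down, wrong VLAN, or wrong interface)."""
    asked = Counter(r["target"] for r in records if r["type"] == "request")
    answered = {r["target"] for r in records if r["type"] == "reply"}
    return {target: n for target, n in asked.items() if target not in answered}


def conflicting_arp_replies(records):
    """Addresses claimed by more than one MAC within the capture, the
    signature of ARP spoofing or of a duplicate IP address."""
    macs = {}
    for r in records:
        if r["type"] == "reply":
            macs.setdefault(r["target"], set()).add(r["mac"])
    return {ip: sorted(m) for ip, m in macs.items() if len(m) > 1}
```

Because the capture buffer stops at 512 KB by default and each stored packet is cut at 68 bytes, an ARP-only capture such as this one fits comfortably; for TCP captures the same parser would have to be extended with the IP/TCP line format from Table 4-3, and the hex dump needed for payload questions is only available through the PCAP transfer described above.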

To capture PPPoE Discovery packets on multiple interfaces, enter the following:

pixfirewall(config)# capture pppoed ethernet-type pppoed interface outside
pixfirewall(config)# capture pppoed interface inside

The following stores a PPPoED trace to a file named "pppoed-dump" on a TFTP server at 209.165.201.17. (Some TFTP servers require that the file exists and is world writable, so check your TFTP server for the appropriate permissions and file first.)

pixfirewall(config)# copy capture:pppoed tftp://209.165.201.17/pppoed-dump
Writing to file '/tftpboot/pppoed-dump' at 209.165.201.17 on outside

To display the capture configuration, use the show capture command without specifying any options as follows:

pixfirewall(config)# show capture
capture arp ethernet-type arp interface outside
capture http access-list http packet-length 74 interface inside

clear

Removes configuration files and commands from the configuration, or resets command values. However, using the no form of a command is preferred to using the clear form to change your configuration because the no form is usually more precise.

clear file configuration | pdm | pki

clear command

no command

Command Modes

Configuration mode for clear commands that remove or reset firewall configurations. Privilege mode for commands that clear items such as counters in show commands. Additionally, the clear commands available in less secure modes are available in subsequent (more secure) modes. However, commands from a more secure mode are not available in a less secure mode.

Syntax Description

Table 4-4, Table 4-5, and Table 4-6 list the clear commands available in each mode.

Table 4-4 Unprivileged Mode Clear Command

Clear Command
Description
Used in the following command(s)

clear pager

Resets the number of displayed lines to 24.

pager


Table 4-5 Privileged Mode Clear Commands

Clear Command
Description
Used in the following command(s)

clear aaa accounting

Clears the local, TACACS+, or RADIUS user account.

aaa accounting {include | exclude}

clear aaa authentication

Clears the local or TACACS+ user authentication.

aaa authentication

clear aaa authorization

Clears the local or TACACS+ user authorization.

aaa authorization {include | exclude}

clear aaa-server

Removes a defined server group.

aaa authorization,

aaa authentication

aaa-server

clear arp

Clears the ARP table.

arp

clear auth-prompt

Removes an auth-prompt command statement from the configuration.

auth-prompt

clear banner

Removes all configured banners.

banner

clear blocks

Resets the show blocks command statement counters.

show blocks / clear blocks

clear configure

Resets command parameters in the configuration to their default values.

configure

clear crashinfo

Deletes the crash information file from the Flash memory of the firewall.

crashinfo

clear flashfs

Clears Flash memory prior to downgrading the PIX Firewall software version.

fragment

clear floodguard

Removes Flood Defender, which protects against flood attacks from configuration.

floodguard

clear local-host

Resets the information displayed for the show local-host command.

show local-host/clear local-host

clear passwd

Resets the Telnet password back to "cisco."

password

clear traffic

Resets the counters for the show traffic command.

show traffic/clear traffic

clear uauth

Deletes one user's or all users' AAA authorization caches, which forces the users to reauthenticate the next time they create a connection.

show uauth/clear uauth

clear xlate

Clears the contents of the translation slots.

show xlate/clear xlate


Table 4-6 Configuration Mode Clear Commands

Clear Command
Description
Used in the following command(s)

clear aaa

Removes aaa command statements from the configuration.

aaa accounting

clear aaa accounting

Removes aaa-server command statements from the configuration.

aaa authorization

clear aaa-server

Removes a defined server group from the configuration.

aaa authorization

clear access-group

Removes access-group command statements from the configuration.

access-group

clear access-list

Removes access-list command statements from the configuration. This command also stops all traffic through the PIX Firewall on the affected access-list command statements.

access-list

clear access-list aclname counters

Clears the counters shown by the show access-list command.

access-list

clear alias

Removes alias command statements from the configuration.

alias

clear apply

Removes apply command statements from the configuration.

outbound / apply

clear capture

Clears the packet capture.

capture

clear clock

Removes clock command statements from the configuration.

clock

clear conduit

Removes conduit command statements from the configuration.

conduit

clear dhcpd

Removes dhcpd command statements from the configuration.

dhcpd

clear established

Removes established command statements from the configuration.

established

clear filter

Removes filter command statements from the configuration.

filter

clear fixup

Resets fixup protocol command statements to their default values.

fixup protocol

clear flashfs

Clears Flash memory before downgrading to a previous PIX Firewall version.

fragment

clear global

Removes global command statements from the configuration.

global

clear http

Removes all HTTP hosts and disables the server.

http

clear icmp

Removes icmp command statements from the configuration.

icmp

clear igmp

Removes IGMP groups.

igmp

clear ip

Sets all PIX Firewall interface IP addresses to 127.0.0.1 and stops all traffic.

ip address

clear ip address

Clears all PIX Firewall interface IP addresses (configuration mode).

ip address

clear ip audit

Clears the IDS signature on the interface (configuration mode).

ip audit

clear ip local pool

Clears pool of local IP addresses for dynamic assignment to a VPN.

ip local pool

clear ip verify reverse-path

Clears RPF IP spoofing protection (configuration mode).

ip verify reverse-path

clear [crypto] dynamic-map

Removes crypto dynamic-map command statements from the configuration. The keyword crypto is optional.

crypto dynamic-map and dynamic-map

clear [crypto] ipsec sa

Deletes the active IPSec security associations. The keyword crypto is optional.

crypto ipsec

clear [crypto] ipsec sa counters

Clears the traffic counters maintained for each security association. The keyword crypto is optional.

crypto ipsec

clear [crypto] ipsec sa entry destination-address protocol spi

Deletes the active IPSec security association with the specified address, protocol, and SPI. The keyword crypto is optional.

crypto ipsec

clear [crypto] ipsec sa map map-name

Deletes the active IPSec security associations for the named crypto map set. The keyword crypto is optional.

crypto ipsec

clear [crypto] ipsec sa peer

Deletes the active IPSec security associations for the specified peer. The keyword crypto is optional.

crypto ipsec

clear [crypto] isakmp sa

Deletes the active IKE security associations. The keyword crypto is optional.

isakmp

clear [crypto] map

Deletes all parameters entered through the crypto map command that belong to the specified map. Does not delete dynamic maps.

crypto map

clear isakmp

Removes isakmp command statements from the configuration.

isakmp

clear isakmp log

Clears the events in the isakmp log buffer.

isakmp

clear interface

Clears the counters for the show interface command.

interface

clear logging

Clears the syslog message queue accumulated by the logging buffered command.

logging

clear mroute

Clears a multicast route.

mroute

clear names

Removes name command statements from the configuration.

name / names

clear nameif

Reverts nameif command statements to default interface names and security levels.

nameif

clear nat

Removes nat command statements from the configuration.

nat

clear ntp

Removes ntp command statements from the configuration.

ntp

clear outbound

Removes outbound command statements from the configuration.

outbound / apply

clear ospf [process-id] {process | counters | neighbor [neighbor-intf] [neighbor-id]}

Clears and restarts the OSPF process with the specified ID, resets OSPF interface counters, neighbor interface router designation, or neighbor router ID, depending on the option selected. This command does not remove any configuration. Use the no form of the router ospf or routing interface command to remove the OSPF configuration.

routing interface

clear pdm

Removes all locations, disables logging, and clears the PDM buffer. Internal PDM command.

pdm

clear privilege

Removes privilege command statements from the configuration.

privilege

clear rip

Removes rip command statements from the configuration.

rip

clear route

Removes route command statements from the configuration that do not contain the CONNECT keyword.

route

clear service

Removes service command statements from the configuration.

service

clear snmp-server

Removes snmp-server command statements from the configuration.

snmp-server

clear ssh

Removes ssh command statement from the configuration.

ssh

clear static

Removes static command statements from the configuration.

static

clear sysopt

Removes sysopt command statements from the configuration.

sysopt

clear telnet

Removes telnet command statements from the configuration.

telnet

clear tftp-server

Removes tftp-server command statements from the configuration.

tftp-server

clear timeout

Resets timeout command durations to their default values.

timeout

clear url-cache

Removes url-cache command statements from the configuration.

url-cache

clear url-server

Removes url-server command statements from the configuration.

url-server

clear username

Removes username command statements from the configuration.

username

clear virtual

Removes virtual command statements from the configuration.

virtual

clear vpdn

Removes vpdn command statements from the configuration.

vpdn

clear vpnclient

Removes vpnclient command statements from the configuration.

vpnclient


clock

Set the PIX Firewall clock for use with the PIX Firewall Syslog Server (PFSS) and the Public Key Infrastructure (PKI) protocol.

clock set hh:mm:ss {day month | month day} year

clear clock

[no] clock summer-time zone recurring [week weekday month hh:mm week weekday month hh:mm] [offset]

[no] clock summer-time zone date {day month | month day} year hh:mm {day month | month day} year hh:mm [offset]

[no] clock timezone zone hours [minutes]

show clock [detail]

Syntax Description

date

The date command form is used as an alternative to the recurring form of the clock summer-time command. It specifies that summertime should start on the first date entered and end on the second date entered. If the start date month is after the end date month, the summer time zone is accepted and assumed to be in the Southern Hemisphere.

day

The day of the month to start, from 1 to 31.

detail

Displays the clock source and current summertime settings.

hh:mm:ss

The hour:minutes:seconds expressed in 24-hour time; for example, 20:54:00 for 8:54 pm. Zeros can be entered as a single digit; for example, 21:0:0.

hours

The hours of offset from UTC.

minutes

The minutes of offset from UTC.

month

The month expressed as the first three characters of the month; for example, apr for April.

offset

The number of minutes to add during summertime. The default is 60 minutes.

recurring