Knowing the General Commands


Several commands are covered in this section. These commands will help you monitor, display, and save your configurations, and they are all within the privileged or configuration mode. Therefore, use the enable and config terminal commands to enter the necessary access mode.

Here's a preview of the commands:

clear arp
clear xlate
enable
enable password
hostname
passwd
ping
reload
show arp
show conn
show history
show xlate
telnet

The enable Command

enable allows you to enter the privileged EXEC mode. Although this mode requires a password, the password is blank by default and simply pressing Enter when you see the password prompt lets you enter privileged EXEC mode.

The enable password command sets the privileged EXEC mode password. These passwords are case sensitive, so be careful. You can use the show enable command to display the encrypted version of the password stored in the configuration, like so:

 pixfirewall(config)# enable password oregon
 pixfirewall(config)# show enable
 enable password W5TSthJO5zEtPi9F encrypted
 pixfirewall(config)#

The passwd Command

The passwd command is used to set the password for Telnet access to the PIX. By default, this password is cisco; it must be entered in all lowercase because it is case sensitive. The following command sets the password to cisco:

 pixfirewall(config)# passwd cisco
 pixfirewall(config)#

The telnet Command

The telnet command specifies which hosts can connect to the PIX's inside interface using Telnet. Telnet users can access the PIX on all interfaces except the outside interface. If users need access via the outside interface, an established IPSec connection is required before Telnet will connect. The telnet syntax is as follows:

 telnet <local_ip> [<mask>] [<if_name>]

Table 4.3. The telnet Command Options

Option      Function
----------  ------------------------------------------------------------------------------------
local_ip    The IP address of the host you want to allow Telnet access.
mask        Optional; can be used to define a whole subnet if necessary.
if_name     Optional; required only when you are using IPSec to connect to the outside interface.

The following example shows how to allow host 192.168.1.11 to Telnet into the PIX firewall on the inside interface:

 pixfirewall(config)# telnet 192.168.1.11
 pixfirewall(config)# show telnet
 192.168.1.11 255.255.255.255 inside
 pixfirewall(config)#

The hostname Command

The hostname command is used to change the command-line prompt as well as the fully qualified domain name used to generate RSA keys. The default hostname is pixfirewall. The following command sets the hostname to firewall2:

 pixfirewall(config)# hostname firewall2
 firewall2(config)#

The show history Command

The show history command displays a list of previously entered commands. The following command displays the history:

 pixtraincenter# show history
   show history
   show interface
   enable

The show conn Command

The show conn command displays connection table information about TCP traffic traveling through the PIX. In this example, host 192.168.1.11 with port 1969 is going to 165.193.123.44 port 80:

 pixfirewall# show conn
 1 in use, 5 most used
 TCP out 165.193.123.44:80 in 192.168.1.11:1969 idle 0:00:03 Bytes 334
 pixfirewall#

The show xlate Command

Use the show xlate command to view the current translation slots in the translation table (recall that a PIX uses a connection table and a translation table to track the flow of traffic through its interfaces). Translation slot is the term used to describe the translation mapping from an internal address to a global external address. In this example, a local user using IP address 192.168.1.11 with port 1969 has been translated to the global outside interface address 169.254.8.31 port 1237:

 pixfirewall# show xlate
 1 in use, 53 most used
 PAT Global 169.254.8.31(1237) Local 192.168.1.11(1969)
 PAT Global 169.254.8.31(2346) Local 192.168.1.12(5671)
 pixfirewall#
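To make the relationship between the two tables concrete, here is an added example (not from the book) that parses show conn and show xlate output in the format shown above and joins each connection to the PAT slot carrying it, so an operator can see which global address:port an inside host appears as and which slots have no live connection behind them. The sample output is constructed to match the lines on this page; only the PAT line format shown here is handled.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample output in the format this page shows (not a real capture).
SHOW_CONN = """1 in use, 5 most used
TCP out 165.193.123.44:80 in 192.168.1.11:1969 idle 0:00:03 Bytes 334
"""
SHOW_XLATE = """1 in use, 53 most used
PAT Global 169.254.8.31(1237) Local 192.168.1.11(1969)
PAT Global 169.254.8.31(2346) Local 192.168.1.12(5671)
"""

# One connection-table row: protocol, remote (out) endpoint, local (in) endpoint.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) out (?P<out_ip>[\d.]+):(?P<out_port>\d+) "
    r"in (?P<in_ip>[\d.]+):(?P<in_port>\d+) idle (?P<idle>[\d:]+) Bytes (?P<bytes>\d+)")
# One PAT translation slot: global (ip, port) <- local (ip, port).
XLATE_RE = re.compile(
    r"^PAT Global (?P<g_ip>[\d.]+)\((?P<g_port>\d+)\) Local (?P<l_ip>[\d.]+)\((?P<l_port>\d+)\)")


def parse_conn(text: str) -> List[dict]:
    """Parse connection rows; the 'N in use, M most used' summary line is skipped."""
    rows = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for k in ("out_port", "in_port", "bytes"):
                d[k] = int(d[k])
            rows.append(d)
    return rows


def parse_xlate(text: str) -> Dict[Tuple[str, int], Tuple[str, int]]:
    """Map each local (ip, port) to the global (ip, port) it is translated to."""
    slots = {}
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if m:
            slots[(m["l_ip"], int(m["l_port"]))] = (m["g_ip"], int(m["g_port"]))
    return slots


def correlate(conn_text: str, xlate_text: str) -> List[dict]:
    """Join each connection to its translation slot by the local ip:port."""
    slots = parse_xlate(xlate_text)
    out = []
    for c in parse_conn(conn_text):
        g = slots.get((c["in_ip"], c["in_port"]))  # None if no slot (e.g. after clear xlate)
        out.append({"local": f"{c['in_ip']}:{c['in_port']}",
                    "remote": f"{c['out_ip']}:{c['out_port']}",
                    "global": f"{g[0]}:{g[1]}" if g else None, "bytes": c["bytes"]})
    return out


def slots_without_conn(conn_text: str, xlate_text: str) -> List[str]:
    """Translation slots that have no connection-table entry behind them."""
    live = {(c["in_ip"], c["in_port"]) for c in parse_conn(conn_text)}
    return [f"{ip}:{port}" for (ip, port) in parse_xlate(xlate_text) if (ip, port) not in live]
```

Running correlate on the sample shows 192.168.1.11:1969 talking to 165.193.123.44:80 as 169.254.8.31:1237, while the slot for 192.168.1.12:5671 has no live connection.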

The clear xlate Command

The clear xlate command clears the current translation slot entries. This should be done every time you add, modify, or delete something using the following commands: aaa-server, access-list, alias, conduit, global, nat, and route. This resets the xlate table so the preceding command operates as expected. The following shows the command being executed from privileged EXEC mode:

 pixfirewall# clear xlate 

The ping Command

The ping command enables you to test whether the PIX firewall can reach another IP address, and it results in a new mapping in the Address Resolution Protocol (ARP) table. The following example shows a ping command and a response:

 pixfirewall# ping 192.168.1.11
     192.168.1.11 response received  0ms
     192.168.1.11 response received  0ms
     192.168.1.11 response received  0ms

Note: The ping command can be used to show that an IP address is reachable, but it doesn't test whether traffic can flow through the PIX firewall.


The show arp Command

The show arp command displays the ARP table, which maps an IP address to a physical MAC address. The following command displays the ARP cache:

 pixfirewall# show arp
     inside 192.168.1.11 0002.a599.aa96
     inside 255.255.255.255 0002.a599.aa96

The clear arp Command

The clear arp command flushes all the entries in the ARP cache from RAM. The following command clears the ARP cache:

 pixfirewall# show arp
     inside 192.168.1.11 0002.a599.aa96
     inside 255.255.255.255 0002.a599.aa96
 pixfirewall# clear arp
 pixfirewall# show arp
 pixfirewall#

The reload Command

The reload command reboots the PIX firewall and loads the flash memory configuration into RAM. Please note that there is no such thing as a reboot command. The following example shows the reload command and the resulting output:

 pixfirewall# reload
 Proceed with reload? [confirm] y
 Rebooting....
 CISCO SYSTEMS PIX-501
 Embedded BIOS Version 4.3.200 07/31/01 15:58:22.08


Source: CCSP CSPFA Exam Cram 2 (Exam 642-521), ISBN 0789730235, 2003, 218 pages.
