Cisco IOS FW Tips

From Bobs Projects

Some (hopefully) useful tips for administering the DoI Cisco Virtual Firewall from the IOS command line. Full documentation is available online in the FWSM Configuration Guide.

First up, you need an account on the Cisco Virtual Firewall for CECS.

Use Secure Shell (ssh) to log into the firewall:

> ssh bobe@150.203.204.166
bobe@150.203.204.166's password:
csitfw/CECS>

(or, bobe@csitfw-vlan-1091.anu.edu.au - whichever floats your boat)

(give it your password)

You then need to enable "superuser" mode:

csitfw/CECS> en
Password: ********
csitfw/CECS#

(you can also type "enable" in full, or "e?" to list the commands starting with "e" and then add the "n", etc.)

(and give it your password again, for good measure - just like with sudo...)

There are two configurations of interest:

  • running-config - the currently running configuration
  • startup-config - saved config that will be used upon next startup

Generally, modify the running-config, then save it to the startup-config.

A useful command is show. As Stu says: "Use the show command to draw out information".

Now, a good thing to do is to find out which access lists are applied (as access groups) to which interfaces:

csitfw/CECS# show running-config | inc access-group
...

(inc is short for include; it filters the output down to matching lines, like "grep")

To make changes, use:

csitfw/CECS# configure terminal
csitfw/CECS(config)# 

To add a new rule:

csitfw/CECS(config)# ipv6 access-list ipv6_inside_access_in line 1 permit icmp6 any any
csitfw/CECS(config)#

To remove an existing rule (the no form must repeat the rule exactly as it appears in the running-config, line number included):

csitfw/CECS(config)# no ipv6 access-list ipv6_inside_access_in line 2 permit icmp any any
csitfw/CECS(config)#

When finished making changes:

csitfw/CECS(config)# exit
csitfw/CECS#

If you have made any changes, save the running-config to the startup-config with:

csitfw/CECS# write memory
csitfw/CECS#

then, when finished:

csitfw/CECS# exit
>
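The page's `show running-config | inc access-group` is a quick grep; when reviewing a larger config it helps to pull the access-group bindings and the numbered access-list entries out of a saved dump and spot permit rules that are open from any source to any destination. The following is an added example, not part of the original page and not Cisco's tooling: a small Python parser run over a constructed running-config sample written in the style of the commands above. The access-list and interface names `ipv6_inside_access_in`, `inside_access_in` and `inside` follow the page; the addresses, ports and the IPv4 list are made up for illustration. It also builds the exact `no ...` line needed to remove a rule, since the removal must match the configured entry verbatim.

```python
import re
from dataclasses import dataclass

# Constructed sample running-config (assumption: FWSM/ASA-style syntax as on the page).
SAMPLE_RUNNING_CONFIG = """\
hostname csitfw
ipv6 access-list ipv6_inside_access_in line 1 permit icmp6 any any
ipv6 access-list ipv6_inside_access_in line 2 permit tcp any host 2001:db8::10 eq 22
ipv6 access-list ipv6_inside_access_in line 3 deny ip any any
access-list inside_access_in line 1 extended permit tcp any any eq 80
access-list inside_access_in line 2 extended permit tcp 10.0.0.0 255.255.255.0 any eq 22
access-list inside_access_in line 3 extended deny ip any any
access-group inside_access_in in interface inside
access-group ipv6_inside_access_in in interface inside
"""

# One numbered ACL entry (IPv4 "access-list" or "ipv6 access-list").
ACL_RE = re.compile(
    r"^(?P<text>(?:ipv6 )?access-list (?P<name>\S+) line (?P<line>\d+) "
    r"(?:extended )?(?P<action>permit|deny) (?P<proto>\S+) (?P<rest>.+))$"
)
# An access-list bound to an interface.
GROUP_RE = re.compile(r"^access-group (?P<name>\S+) (?P<dir>in|out) interface (?P<iface>\S+)$")
_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


@dataclass(frozen=True)
class AclRule:
    name: str
    line: int
    action: str
    proto: str
    src: str
    dst: str
    text: str  # the entry exactly as it appears in the running-config


@dataclass(frozen=True)
class Binding:
    acl: str
    direction: str
    interface: str


def _take_address(tokens):
    """Consume one address spec (any / host X / addr mask / prefix) and return (spec, remaining)."""
    if not tokens:
        return "", []
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    if len(tokens) > 1 and _IPV4.match(tokens[0]) and _IPV4.match(tokens[1]):
        return f"{tokens[0]} {tokens[1]}", tokens[2:]  # IPv4 address + mask
    return tokens[0], tokens[1:]  # IPv6 prefix or other single-token form


def parse_config(text):
    """Return (rules, bindings) found in a running-config dump."""
    rules, bindings = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            src, rest = _take_address(m["rest"].split())
            dst, _ = _take_address(rest)
            rules.append(AclRule(m["name"], int(m["line"]), m["action"],
                                 m["proto"], src, dst, m["text"]))
            continue
        g = GROUP_RE.match(line)
        if g:
            bindings.append(Binding(g["name"], g["dir"], g["iface"]))
    return rules, bindings


def broad_permits(rules):
    """Permit entries whose source and destination are both 'any' (worth a second look)."""
    return [r for r in rules if r.action == "permit" and r.src == "any" and r.dst == "any"]


def removal_command(rule):
    """The 'no' form must repeat the configured entry verbatim, line number included."""
    return "no " + rule.text


if __name__ == "__main__":
    rules, bindings = parse_config(SAMPLE_RUNNING_CONFIG)
    for b in bindings:
        print(f"{b.acl} applied {b.direction} on interface {b.interface}")
    for r in broad_permits(rules):
        print(f"broad permit: {r.text}")
        print(f"  remove with: {removal_command(r)}")
```

Feed it the output of `show running-config` captured from an ssh session (the sample above stands in for that) and check the flagged entries against what the interface is actually supposed to allow; a deny-all at the end of the list, as in the sample, does nothing for traffic already matched by an earlier `permit ... any any`.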