CCSP Cisco Secure PIX Firewall Advanced Exam Certification Guide, Second Edition [Electronic resources] (text version)

Greg Bastien; Earl Carter; Christian Degu


  • Foundation Topics



    Accessing the Cisco PIX Firewall


    The PIX Firewall can be accessed by using the console port or remotely using the following methods:

    • Telnet

    • Secure Shell (SSH)

    • A browser using PIX Device Manger (PDM)


    Console port access allows a single user to configure the Cisco PIX Firewall. A user connects a PC or portable computer to the PIX Firewall through the console access port using a rollover cable.

    The following sections describe how to access the PIX Firewall remotely using Telnet and SSH. Chapter 13, "PIX Device Manager," covers using the PDM to access the PIX Firewall and other aspects of the PDM in greater detail.

    Accessing the Cisco PIX Firewall with Telnet


    You can manage the PIX Firewall by using Telnet from hosts on any internal interface. Telnet carries the login and every subsequent command in cleartext, so the PIX Firewall does not accept Telnet on a lower-security interface unless the session arrives inside an IPSec tunnel. With Internet Protocol Security (IPSec) configured, you can use Telnet to administer the console of a Cisco PIX Firewall remotely from lower-security interfaces.

    To access the PIX Firewall using a Telnet connection, you have to first configure the PIX Firewall for Telnet access:


    Step 1.

    Enter the PIX Firewall telnet command:


    telnet local-ip [mask] [if-name]

    You can identify a single host or a subnet that can have Telnet access to the PIX Firewall. For example, to let a host on the internal network with an address of 10.1.1.24 access the PIX Firewall, enter the following:


    telnet 10.1.1.24 255.255.255.255 inside

    Note

    If you do not specify the interface name, the telnet command adds command statements to the configuration to let the host or network access the Telnet management session from all internal interfaces.

    Step 2.

    Configure the Telnet password using the password command:


    password telnetpassword

    If you do not set a password, the default Telnet password is cisco.

    Note

    The passwd command can be used interchangeably with the password command.

    Step 3.

    If required, set the duration for how long a Telnet session can be idle before the PIX Firewall disconnects the session. The default duration is 5 minutes. To configure the timeout for 15 minutes, you would enter the following:


    telnet timeout 15

    Step 4.

    (Optional) To protect access to the console with an authentication server, use the aaa authentication telnet console command. (Authentication, authorization, and accounting [AAA] authentication is optional.) This requires that you have a username and password on the authentication server or configured locally on the firewall. When you access the console, the PIX Firewall prompts you for these login credentials. If the authentication server is offline, you can still access the console by using the username pix and the password set with the enable password command.

    Step 5.

    Save the commands in the configuration using the write memory command.


    As soon as you have Telnet configured on the Cisco PIX Firewall, you are ready to access the PIX Firewall using a Telnet session. You can start a Telnet session to the PIX Firewall from any Telnet client, for example from the Windows command-line interface (CLI).

    Accessing the Cisco PIX Firewall with Secure Shell


    Secure Shell (SSH) is an application that runs over Transmission Control Protocol (TCP). SSH provides strong authentication and encryption capabilities. Cisco PIX Firewall supports the SSH remote shell functionality provided in SSH version 1. SSH version 1 also works with Cisco IOS® Software devices. Note that SSH version 1 has known protocol weaknesses that version 2 was designed to remove; it is still far preferable to Telnet, but SSH access should be restricted to the management hosts that need it. Up to five SSH clients are allowed simultaneous access to the PIX Firewall console.

    To gain access to the PIX Firewall console using SSH, at the SSH client, enter the username pix and enter the Telnet password. You can set the Telnet password with the password command; the default Telnet password is cisco. To authenticate using the AAA server instead, configure the aaa authentication ssh console command. SSH permits up to 100 characters in a username and up to 50 characters in a password.

    Note

    SSH v1.x and v2 are entirely different protocols and are incompatible. Make sure that you download a client that supports SSH v1.x.

    Like Telnet, SSH also first must be configured on the PIX Firewall. To configure SSH, follow these steps:


    Step 1.

    Configure the firewall host name.


    PIXFW(config)# hostname FW-PIX

    Step 2.

    Configure a domain for the PIX Firewall.


    PIXFW(config)#domain-name cspa-example.com

    Step 3.

    Generate the firewall's RSA key pair.


    PIXFW(config)#ca generate rsa key 1024

    Step 4.

    Save the generated RSA key pair.


    PIXFW(config)#ca save all

    Step 5.

    Identify a host/network to be used to access the PIX Firewall console using SSH. The syntax for the ssh command is as follows:


    ssh ip_address [netmask] [interface_name]

    For example, to let a host on the internal interface with an address of 10.1.1.25 access the PIX Firewall using SSH, enter the following:


    ssh 10.1.1.25 255.255.255.255 inside

    Step 6.

    The password used to perform local authentication is the same as the one used for Telnet access. It is set using the password command:


    password eXamP1epass

    Step 7.

    Specify the number of minutes a session can be idle before being disconnected. The default duration is 5 minutes, although you can set this duration to be between 1 and 60 minutes. The command to configure this setting is as follows:


    ssh timeout number


    To gain access to the Cisco PIX Firewall console using SSH, you have to install an SSH client. After installing the SSH client, enter the username pix (the default), and then enter the password.

    When you start an SSH session, a dot (.) appears on the Cisco PIX Firewall console before the SSH user authentication prompt appears:


    pix(config)# .

    The display of the dot does not affect the functionality of SSH. The dot appears at the console when you generate a server key or decrypt a message using private keys during SSH key exchange before user authentication occurs. These tasks can take up to 2 minutes or longer. The dot is a progress indicator that verifies that the PIX Firewall is busy and has not hung.
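    The Telnet and SSH procedures above each end with a handful of configuration lines, and the weak spots (a rule that admits any host, a rule on the outside interface, the default password, a long idle timeout, no AAA for the console) are easy to miss when reading a long running configuration. The following audit script is an added example written for this page, not code from the book or from Cisco. It parses the telnet, ssh, passwd and aaa authentication lines of a PIX 6.x configuration and lists what a reviewer should question. The two configuration fragments are constructed for the example; the hash shown for the default password is the value a factory PIX stores for cisco, the hardened hash is a placeholder, and the 15-minute idle threshold is an assumed policy, not a PIX default.

```python
import ipaddress
import re
from dataclasses import dataclass

# Hash a PIX stores for the default Telnet/SSH password "cisco"
# (seen in a factory configuration as "passwd 2KFQnbNIdI.2KYOU encrypted").
DEFAULT_PASSWD_HASH = "2KFQnbNIdI.2KYOU"

# Policy threshold assumed for this audit (not a PIX default).
MAX_IDLE_MINUTES = 15

# Constructed sample configuration, deliberately weak: Telnet and SSH from any
# host on the outside interface, the default password, a long idle timeout and
# no AAA for console access.
SAMPLE_CONFIG = """\
hostname FW-PIX
domain-name cspa-example.com
passwd 2KFQnbNIdI.2KYOU encrypted
telnet 10.1.1.24 255.255.255.255 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 60
ssh 10.1.1.25 255.255.255.255 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
"""

# The same fragment after tightening (constructed; placeholder password hash).
HARDENED_CONFIG = """\
hostname FW-PIX
domain-name cspa-example.com
passwd X7u8aB3kL0pQrSt2 encrypted
telnet 10.1.1.24 255.255.255.255 inside
telnet timeout 15
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 5
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
"""

RULE_RE = re.compile(
    r"^(telnet|ssh)\s+(\d+\.\d+\.\d+\.\d+)(?:\s+(\d+\.\d+\.\d+\.\d+))?(?:\s+(\S+))?$")
TIMEOUT_RE = re.compile(r"^(telnet|ssh)\s+timeout\s+(\d+)$")


@dataclass(frozen=True)
class AccessRule:
    proto: str                       # "telnet" or "ssh"
    network: ipaddress.IPv4Network   # permitted source host or subnet
    iface: str                       # interface name; "all-internal" when omitted


def parse_access(config):
    """Extract the management-access state from PIX 6.x configuration text."""
    rules, timeouts, passwd, aaa = [], {}, None, set()
    for raw in config.splitlines():
        line = raw.strip()
        m = TIMEOUT_RE.match(line)
        if m:
            timeouts[m.group(1)] = int(m.group(2))
            continue
        m = RULE_RE.match(line)
        if m:
            proto, ip, mask, iface = m.groups()
            net = ipaddress.IPv4Network((ip, mask or "255.255.255.255"), strict=False)
            rules.append(AccessRule(proto, net, iface or "all-internal"))
            continue
        if line.startswith(("passwd ", "password ")):
            passwd = line.split()[1]
        elif line.startswith("aaa authentication "):
            aaa.add(line.split()[2])   # telnet, ssh, serial, enable, http
    return rules, timeouts, passwd, aaa


def audit_mgmt_access(config):
    """Return a list of findings; an empty list means nothing was flagged."""
    rules, timeouts, passwd, aaa = parse_access(config)
    findings = []
    for r in rules:
        if r.network.prefixlen == 0:
            findings.append(f"{r.proto}: any source host permitted on {r.iface}")
        if r.proto == "telnet" and r.iface == "outside":
            findings.append("telnet: cleartext management permitted on the outside interface")
    if passwd is None or passwd == DEFAULT_PASSWD_HASH:
        findings.append("passwd: Telnet/SSH password is the default 'cisco'")
    for proto, minutes in sorted(timeouts.items()):
        if minutes > MAX_IDLE_MINUTES:
            findings.append(f"{proto} timeout {minutes} exceeds {MAX_IDLE_MINUTES} minutes")
    for proto in ("telnet", "ssh"):
        if any(r.proto == proto for r in rules) and proto not in aaa:
            findings.append(f"{proto}: no 'aaa authentication {proto} console', shared password only")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for finding in audit_mgmt_access(cfg) or ["no findings"]:
            print(" -", finding)
```

    The weak fragment produces seven findings and the hardened one produces none. The check treats a telnet line on the outside interface as a finding in its own right, separate from the any-host check, because the firewall only honours it inside an IPSec tunnel and a reviewer should confirm that tunnel exists.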


    Command-Level Authorization


    In some organizations there may be more than one firewall administrator for the PIX Firewall(s). In those instances you can either give the other administrators full rights to the PIX Firewalls or restrict them to the commands their assigned functions require, which reduces the chance of unintended (or sometimes malicious) changes to the firewall(s). The PIX operating system provides a mechanism for controlling which commands a user can execute.

    PIX Firewall Version 6.2 and higher supports up to 16 privilege levels. This is similar to what is available with IOS® Software. With this feature, you can assign PIX Firewall commands to one of 16 levels, 0 through 15.

    When commands and users have privilege levels set, the two levels are compared to determine if a given user can execute a given command. If the user's privilege level is lower than the privilege level of the command, the user is prevented from executing the command. In the default configuration, each PIX Firewall command is assigned to either privilege level 0 or privilege level 15.

    The privilege command sets user-defined privilege levels for PIX Firewall commands.


    [no] privilege [show | clear | configure] level level [mode enable | configure] command command

    Table 4-2 shows the description of the privilege command parameters.

    Table 4-2. Privilege Command Parameter Descriptions

    Parameter        Description
    show             Sets the privilege level for the show form of the specified command.
    clear            Sets the privilege level for the clear form of the specified command.
    configure        Sets the privilege level for the configure form of the specified command.
    level            Keyword that introduces the privilege level.
    level (value)    The privilege level, from 0 to 15. (Lower numbers are lower-privilege levels.)
    mode             For commands that are available in multiple modes, specifies the mode in which the privilege level applies.
    enable           For commands with both enable and configure modes, indicates that the level is for the enable mode of the command.
    configure        For commands with both enable and configure modes, indicates that the level is for the configure mode of the command.
    command          Keyword that introduces the command to allow.
    command (value)  The command on which to set the privilege level.

    For example, the following commands set the privilege of the different command modifiers of the access-list command:


    privilege show level 9 command access-list
    privilege configure level 11 command access-list
    privilege clear level 10 command access-list

    The first line sets the privilege of show access-list (show modifier of command access-list) to 9. The second line sets the privilege level of the configure modifier to 11, and the last line sets the privilege level of the clear modifier to 10.

    To set the privilege of all the modifiers of the access-list command to a single privilege level of 10, you would enter the following command:


    privilege level 10 command access-list

    Once you have selected the commands for which you want to change the default privileges, you enable the command authorization feature to either LOCAL or TACACS+. The following command enables the command authorization feature to LOCAL:


    aaa authorization command LOCAL

    To define a user account in the LOCAL database, enter the following command:


    username username {nopassword | password password [encrypted]} [privilege level]

    Table 4-3 shows the description of the parameters of the username command.

    Table 4-3. Parameters of the username Command

    Keyword/Parameter  Description
    username           Name of the user (a character string from 4 to 15 characters long).
    password           Password (a character string from 3 to 16 characters long).
    level              The privilege level you want to assign (0 to 15).
    nopassword         Creates a user account with no password.
    encrypted          Indicates that the password you supply is already in the encrypted form shown in the saved configuration, rather than cleartext (used when re-entering a saved configuration).

    When users log in to the PIX Firewall, they can enter any command assigned to their privilege level or to lower privilege levels. For example, a user account with a privilege level of 15 can access every command because this is the highest privilege level. A user account with a privilege level of 0 can access only the commands assigned to level 0.

    For example, the following command assigns a privilege level of 10 to the user account Fwadmin2.


    username Fwadmin2 password cspfa2ed privilege 10

    If no privilege level is specified, the user account is created with a privilege level of 2. You can define as many user accounts as you need. If you are not sure what the privilege level assigned to commands is, use the show privilege all command to view the assignments. To view the privilege level assignment of a specific command, enter the following command:


    show privilege command command

    Replace command with the command for which you want to display the assigned privilege level. For example, the following command displays the command assignment for the capture command:


    PXFW01# show privilege command capture
    privilege show level 15 command capture
    privilege clear level 15 command capture
    privilege configure level 15 command capture

    Another useful command to see privilege level is the show curpriv command. This displays the current privilege level. The following examples show output from the show curpriv command for a user named noc_ops. Username indicates the name the user entered when he or she logged in, P_PRIV indicates that the user has entered the enable command, and P_CONF indicates the user has entered the config terminal command.


    PIXFW01(config)# show curpriv
    Username : noc_ops
    Current privilege level : 15
    Current Mode/s : P_PRIV P_CONF
    PIXFW01(config)# exit

    To change between privilege levels, use the login command to access another privilege level and the disable command to exit that level.
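    The comparison the firewall makes (user level against the level of the show, clear or configure form of a command) is easy to get wrong when several administrators and several privilege lines are involved. The following model is an added example written for this page, not code from the book or the PIX software. It parses privilege and username lines in the syntax shown above, applies the rule that a user may run a command form only when the user's level is at least the command's level, and reproduces the show privilege command output for one command. Two assumptions are labelled in the code: a command with no explicit privilege line is treated as level 15, and the mode enable | configure parameter is not modelled. The helpdesk account is constructed for the example to show the default level of 2.

```python
MODIFIERS = ("show", "clear", "configure")

# Assumption for this model: a command with no explicit privilege line is
# treated as level 15, the safe direction. A real PIX ships every command at
# level 0 or 15; "show privilege all" lists the actual assignments.
DEFAULT_LEVEL = 15
DEFAULT_USER_LEVEL = 2   # level given to a username line that omits "privilege"


class PrivilegeTable:
    """Model of PIX 6.2+ command authorization with the LOCAL user database.

    Each (modifier, command) pair carries a level 0-15 and each user carries a
    level; a user may run a command form only if user_level >= command_level.
    The optional "mode enable | configure" parameter is not modelled here.
    """

    def __init__(self):
        self._levels = {}   # (modifier, command) -> level
        self._users = {}    # username -> level

    def privilege(self, line):
        """Apply a 'privilege [show|clear|configure] level N command CMD' line.
        Without a modifier the level applies to all three forms."""
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "privilege":
            raise ValueError(f"not a privilege line: {line!r}")
        if tokens[1] in MODIFIERS:
            mods, rest = (tokens[1],), tokens[2:]
        else:
            mods, rest = MODIFIERS, tokens[1:]
        if len(rest) != 4 or rest[0] != "level" or rest[2] != "command":
            raise ValueError(f"unexpected syntax: {line!r}")
        level = int(rest[1])
        if not 0 <= level <= 15:
            raise ValueError(f"level out of range: {level}")
        for mod in mods:
            self._levels[(mod, rest[3])] = level

    def username(self, line):
        """Apply 'username NAME {nopassword | password PW [encrypted]} [privilege N]'."""
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] != "username":
            raise ValueError(f"not a username line: {line!r}")
        level = DEFAULT_USER_LEVEL
        if "privilege" in tokens:
            level = int(tokens[tokens.index("privilege") + 1])
        if not 0 <= level <= 15:
            raise ValueError(f"level out of range: {level}")
        self._users[tokens[1]] = level

    def level_of(self, modifier, command):
        return self._levels.get((modifier, command), DEFAULT_LEVEL)

    def user_level(self, user):
        return self._users[user]

    def can_execute(self, user, modifier, command):
        """The check the firewall performs once 'aaa authorization command LOCAL' is on."""
        return self.user_level(user) >= self.level_of(modifier, command)

    def show_privilege(self, command):
        """Mirror the 'show privilege command CMD' output lines for one command."""
        return [f"privilege {m} level {self.level_of(m, command)} command {command}"
                for m in MODIFIERS]


def build_example_table():
    """The access-list assignments and the Fwadmin2 account from the text,
    plus a constructed 'helpdesk' account that relies on the default level."""
    table = PrivilegeTable()
    for line in (
        "privilege show level 9 command access-list",
        "privilege configure level 11 command access-list",
        "privilege clear level 10 command access-list",
        "username Fwadmin2 password cspfa2ed privilege 10",
        "username helpdesk password hd3xample",      # constructed: no privilege given
    ):
        (table.privilege if line.startswith("privilege") else table.username)(line)
    return table


if __name__ == "__main__":
    t = build_example_table()
    for user in ("Fwadmin2", "helpdesk"):
        for mod in MODIFIERS:
            verdict = "permit" if t.can_execute(user, mod, "access-list") else "deny"
            print(f"{user:9} {mod:9} access-list -> {verdict}")
    print("\n".join(t.show_privilege("capture")))
```

    With the levels from the text, Fwadmin2 (level 10) can show and clear access lists but not configure them, and the helpdesk account (level 2 by default) can do none of the three. Re-applying a privilege line without a modifier overwrites all three forms, which is why a later privilege level 10 command access-list quietly lowers the configure form from 11 to 10.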


    Installing a New Operating System


    Installing a new operating system (OS) on a Cisco PIX Firewall is similar in some respects to installing a new OS on your PC. You must consider fundamental questions such as whether you have enough memory and disk space (Flash size for PIX Firewall) when deciding whether to upgrade the operating system. Table 4-4 shows the random-access memory (RAM) and Flash memory requirements for the different versions and releases of the Cisco PIX Firewall OS.

    Table 4-4. PIX Software RAM/Flash Minimum Memory Requirements

    PIX Software Version    Memory
    4.4(x)                  2 MB Flash, 16 MB RAM
    5.0(x)                  2 MB Flash, 32 MB RAM
    5.1(x)                  2 MB Flash, 32 MB RAM
    5.2(x)                  16 MB Flash, 32 MB RAM
    5.3(x)                  16 MB Flash, 32 MB RAM
    6.0(x)                  16 MB Flash, 32 MB RAM
    6.1(x)                  16 MB Flash, 32 MB RAM
    6.2(x)                  16 MB Flash, 32 MB RAM
    6.3(x) [a]              16 MB Flash, 32 MB RAM

    [a] Except the Cisco PIX 501, 506, and 506E Security Appliance models, which require 8 MB of Flash, and the Cisco PIX 501 Security Appliance, which requires 16 MB of RAM.


    In addition to the memory and Flash requirements, you should consider the model of Cisco PIX Firewall before installing an OS. For example, the OS required for the Cisco PIX Firewall model 506 is 5.1x or greater; the Cisco PIX Firewall model 525 needs 5.2x or greater; and the Cisco PIX Firewall model 535 needs 5.3x or greater.

    To determine the RAM memory and Flash memory you have running on your Cisco PIX Firewall, use the show version command. The output from this command also tells you which PIX Firewall OS you are currently running, as shown in Example 4-1.

    Example 4-1. Sample Output from the show version Command



    pixfw(config)# show version
    Cisco PIX Firewall Version 6.3(1)
    Cisco PIX Device Manager Version 3.0(1)
    Compiled on Wed 19-Dec-02 14:03 by hyen
    pixfw up 1 days 07 hours
    Hardware: PIX-515E, 64 MB RAM, CPU Pentium 433 MHz
    Flash i28F640J5 @ 0x300, 16MB
    BIOS Flash AT29C257 @ 0xfffd8000, 32KB
    0: ethernet0: address is 0001.e300.73fd, irq 10
    1: ethernet1: address is 0003.e300.73fc, irq 7
    2: ethernet2: address is 00a0.c7c8.133e, irq 9
    Licensed Features:
    Failover: Disabled
    VPN-DES: Enabled
    VPN-3DES-AES: Disabled
    Maximum Physical Interfaces: 3
    Maximum Interfaces: 10
    Cut-through Proxy: Enabled
    Guards: Enabled
    URL-filtering: Enabled
    Inside Hosts: Unlimited
    Throughput: Unlimited
    IKE peers: Unlimited
    This PIX has a Restricted (R) license.
    Serial Number: 120430465 (0x1ca2c977)
    Running Activation Key: 0xc4e64122 0xc21f5281 0x13652200 0x341f8732
    Configuration last modified by enable_15 at 11:22:18.480 UTC Wed Dec 28 2002
    <--- More --->

    As you can see, the OS version is 6.3(1), and the Flash memory size is 16 megabytes (MB).

    In Example 4-1, the line that starts with Running Activation Key displays the activation key for the PIX Firewall. The activation key is the license key for the PIX Firewall OS. It is important to save your configuration and write down your activation key before upgrading to a newer version of the PIX Firewall OS.
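    Before an upgrade, the figures in show version have to be checked against Table 4-4 and the per-model minimum versions given above, including the footnote exceptions for the 501, 506 and 506E. The following preflight check is an added example written for this page, not code from the book or from Cisco. It parses the version, hardware and Flash lines of show version output and reports every reason a target version cannot be installed. The show version texts are constructed in the layout of Example 4-1 rather than captured from a device, and the model table covers only the models the text names (506, 525, 535); other models are assumed to have no version floor.

```python
import re

# Minimum Flash/RAM in MB per software version, from Table 4-4.
MIN_MEMORY = {
    (4, 4): (2, 16), (5, 0): (2, 32), (5, 1): (2, 32), (5, 2): (16, 32),
    (5, 3): (16, 32), (6, 0): (16, 32), (6, 1): (16, 32), (6, 2): (16, 32),
    (6, 3): (16, 32),
}
# Lowest software version a model runs, from the text; unlisted models are
# assumed to have no floor.
MIN_VERSION_FOR_MODEL = {"PIX-506": (5, 1), "PIX-525": (5, 2), "PIX-535": (5, 3)}

VERSION_RE = re.compile(r"^Cisco PIX Firewall Version (\d+)\.(\d+)\((\d+)\)", re.M)
HARDWARE_RE = re.compile(r"^Hardware:\s+(PIX-\S+?),\s+(\d+) MB RAM", re.M)
FLASH_RE = re.compile(r"^Flash .*?,\s*(\d+)MB$", re.M)   # "BIOS Flash ..." does not match


def make_show_version(model, version, ram_mb, flash_mb):
    """Constructed show version text in the layout of Example 4-1 (not real output)."""
    return (
        f"Cisco PIX Firewall Version {version[0]}.{version[1]}(1)\n"
        "Cisco PIX Device Manager Version 3.0(1)\n"
        "pixfw up 1 days 07 hours\n"
        f"Hardware: {model}, {ram_mb} MB RAM, CPU Pentium 433 MHz\n"
        f"Flash i28F640J5 @ 0x300, {flash_mb}MB\n"
        "BIOS Flash AT29C257 @ 0xfffd8000, 32KB\n"
    )


def parse_show_version(text):
    """Pull the running version, model, RAM and Flash out of show version output."""
    v, h, f = VERSION_RE.search(text), HARDWARE_RE.search(text), FLASH_RE.search(text)
    if not (v and h and f):
        raise ValueError("could not find the version, hardware or flash line")
    return {
        "version": (int(v.group(1)), int(v.group(2))),
        "model": h.group(1),
        "ram_mb": int(h.group(2)),
        "flash_mb": int(f.group(1)),
    }


def required_memory(model, target):
    """Table 4-4 minimums, with the footnote [a] exceptions for 6.3(x)."""
    flash, ram = MIN_MEMORY[target]
    if target == (6, 3):
        if model in ("PIX-501", "PIX-506", "PIX-506E"):
            flash = 8
        if model == "PIX-501":
            ram = 16
    return flash, ram


def check_upgrade(text, target):
    """Return the reasons the target version cannot be installed ([] means go)."""
    info = parse_show_version(text)
    if target not in MIN_MEMORY:
        return [f"unknown target version {target[0]}.{target[1]}"]
    problems = []
    min_ver = MIN_VERSION_FOR_MODEL.get(info["model"])
    if min_ver and target < min_ver:
        problems.append(f"{info['model']} needs {min_ver[0]}.{min_ver[1]}x or greater")
    flash, ram = required_memory(info["model"], target)
    if info["flash_mb"] < flash:
        problems.append(f"Flash {info['flash_mb']} MB < required {flash} MB")
    if info["ram_mb"] < ram:
        problems.append(f"RAM {info['ram_mb']} MB < required {ram} MB")
    return problems


if __name__ == "__main__":
    box = make_show_version("PIX-515E", (6, 2), 64, 16)
    print(parse_show_version(box))
    print(check_upgrade(box, (6, 3)) or "OK to install 6.3")
    small = make_show_version("PIX-501", (6, 2), 16, 8)
    print(check_upgrade(small, (6, 2)) or "OK to install 6.2")
```

    The 515E in Example 4-1 passes for 6.3 outright. A 501 with 8 MB of Flash and 16 MB of RAM passes for 6.3 only because of footnote [a]; checked against the plain table row for 6.2 it fails on both Flash and RAM, which is exactly the case the footnote exists for. The model floor is reported separately from memory so that a 535 pointed at a 5.2 image is refused even though its memory is ample.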

    Upgrading Your Activation Key


    Three important reasons might prompt you to upgrade or change your activation key:

    • Your Cisco PIX Firewall does not have failover activated.

    • Your PIX Firewall does not currently have virtual private network Data Encryption Standard (VPN-DES) or virtual private network Triple DES (VPN-3DES) encryption enabled.

    • You are upgrading from a connection-based license to a feature-based license.


    Before the release of PIX Firewall Version 6.2, the activation keys were changed in monitor mode. Cisco PIX Firewall Version 6.2 introduces a method of upgrading or changing the license for your Cisco PIX Firewall remotely without entering monitor mode and without replacing the software image. With this new feature, you can enter a new activation key for a different PIX Firewall license from the CLI. To enter an activation key, use the following command:


    activation-key license#

    You replace license# with the key you get with your new license. For example:


    activation-key 0x14355378 0xabcdef01 0x2645678ab 0xcdef0124

    After changing the activation key, you must reboot the PIX Firewall to enable the new license. If you are upgrading to a newer version and you are changing the activation key, you must reboot the Cisco PIX Firewall twice: once after the new image is installed, and again after the new activation key has been configured.

    If you are downgrading to a lower Cisco PIX Firewall software version, it is important to ensure that the activation key running on your system is not intended for a higher version before you install the lower-version software image. If this is the case, you must first change the activation key to one that is compatible with the lower version before installing and rebooting. Otherwise, your system might refuse to reload after you install the new software image.

    The show activation-key command output indicates the status of the activation key:

    • If the activation key in the PIX Firewall Flash memory is the same as the activation key running on the PIX Firewall, the show activation-key output reads as follows:


      The flash activation key is the SAME as the running key.

    • If the activation key in the PIX Firewall Flash memory is different from the activation key running on the PIX Firewall, the show activation-key output reads as follows:


      The flash activation key is DIFFERENT from the running key.
      The flash activation key takes effect after the next reload.

    • If the PIX Firewall Flash memory software image version is not the same as the running PIX Firewall software image, the show activation-key output reads as follows:


      The flash image is DIFFERENT from the running image.
      The two images must be the same in order to examine the flash activation key.


    Example 4-2 shows sample output from the show activation-key command.

    Example 4-2. show activation-key Command Output



    pix(config)# show activation-key
    Serial Number: 480221353 (0x1c9f98a9)
    Running Activation Key: 0x14355378 0xabcdef01 0x2645678ab 0xcdef0124
    Licensed Features:
    Failover: Enabled
    VPN-DES: Enabled
    VPN-3DES: Enabled
    Maximum Interfaces: 6
    Cut-through Proxy: Enabled
    Guards: Enabled
    URL-filtering: Enabled
    Inside Hosts: Unlimited
    Throughput: Unlimited
    IKE peers: Unlimited
    The flash activation key is the SAME as the running key.
    pix(config)#


    Upgrading the Cisco PIX Firewall Operating System


    There are three procedures for upgrading a PIX Firewall OS. The use of these procedures is determined by which PIX Firewall OS is currently running on the PIX device and the model of the Cisco PIX Firewall.

    • You can use the copy tftp flash command with any Cisco PIX Firewall model running PIX Software Version 5.1.1 or later.

    • PIX devices that do not have an internal floppy drive (501, 506(E), 515(E), 525, and 535) come with a read-only memory (ROM) boot monitor program that is used to upgrade the image of the Cisco PIX Firewall. For PIX devices that are running Version 5.0 and earlier, a boothelper disk is required to create boothelper mode, similar to ROM monitor mode.

    • PIX Firewall Version 6.2 introduces a Hypertext Transfer Protocol (HTTP) client that lets you use the copy http command to retrieve PIX Firewall configurations, software images, or Cisco PDM software from any HTTP server.



    Upgrading the Operating System Using the copy tftp flash Command



    Step 1.

    Download the binary software image file pixnnx.bin, where nn is the version number and x is the release number (which you can find at Cisco.com in the document "Cisco PIX Firewall Upgrading Feature Licenses and System Software"). Place the image file in the root of your Trivial File Transfer Protocol (TFTP) server.

    Step 2.

    Enter the copy tftp flash command.

    Step 3.

    Enter the Internet Protocol (IP) address of the TFTP server.

    Step 4.

    Enter the source filename (the image file you downloaded, *.bin).

    Step 5.

    Enter Yes to continue.


    Example 4-3 shows a sample upgrade.

    Example 4-3. Upgrading the OS Using the copy tftp flash Command



    PIX# copy tftp flash
    Address or name of remote host [127.0.0.1]? 192.168.1.14
    Source file name [cdisk]? pix611.bin
    copying tftp://192.168.1.14/pix611.bin to flash
    [yes|no|again]? yes
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    Received 2562048 bytes
    Erasing current image
    Writing 2469944 bytes of image
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    Image installed.
    PIX#

    Note

    Under no circumstances must you ever download a Cisco PIX Firewall image earlier than Version 4.4 with TFTP. Doing so corrupts the Cisco PIX Firewall Flash memory unit and requires special recovery methods that must be obtained from the Cisco Technical Assistance Center (TAC).

    Upgrading the Operating System Using Monitor Mode


    If you are upgrading your Cisco PIX Firewall from Version 5.0.x or earlier to Version 5.1.x or later, you will need to use the boothelper or monitor mode method for the upgrade because before Version 5.1, the PIX Firewall software did not provide a way to TFTP an image directly into Flash. Starting with PIX Firewall software Version 5.1, the copy tftp flash command was introduced to copy a new image directly into the PIX Firewall's Flash.

    The following steps describe how to upgrade the PIX Firewall using monitor mode:


    Step 1.

    Download the binary software image file pixnnx.bin, where nn is the version number and x is the release number (which you can find at Cisco.com in the document "Cisco PIX Firewall Upgrading Feature Licenses and System Software"). Place the image file in the root of your TFTP server.

    Step 2.

    Reload the PIX Firewall, and press the Esc key (or enter a BREAK character) to enter monitor mode. For PIX devices running Version 5.0 and earlier, a boothelper disk is required. (See the section "Creating a Boothelper Disk Using a Windows PC" later in this chapter.)

    Step 3.

    Use the interface command to specify which PIX Firewall interface the TFTP server is connected to. The default is interface 1 (inside). The Cisco PIX Firewall cannot initialize a Gigabit Ethernet interface from monitor or boothelper mode. Use a Fast Ethernet or Token Ring interface instead.

    Step 4.

    Use the address command followed by an IP address to specify the PIX Firewall interface IP address.

    Step 5.

    Use the server command followed by an IP address to specify the TFTP server's IP address.

    Step 6.

    Use the file command followed by the filename of the image on the TFTP server to specify the filename of the Cisco PIX Firewall image.

    Step 7.

    Use the ping command followed by the IP address of the TFTP server to verify connectivity. (This is an optional but recommended command to test connectivity.)

    Step 8.

    If needed, enter the gateway command to specify the IP address of a router gateway through which the server is accessible. (This is also an optional command.)

    Step 9.

    Enter tftp to start downloading the image from the TFTP server.

    Step 10.

    After the image downloads, you are prompted to install the new image. Enter y to install the image to Flash.

    Step 11.

    When prompted to enter a new activation key, enter y if you want to enter a new activation key or n to keep your existing activation key.


    Upgrading the OS Using an HTTP Client


    You can also perform a PIX Firewall OS upgrade by connecting to an HTTP server on which the image is stored. The copy http command enables you to download a software image into the Flash memory of the firewall from an HTTP server. The syntax for the copy http command is as follows:


    copy http[s]://[user:password@]location[:port]/http_pathname flash[:[image | pdm]]

    Secure Sockets Layer (SSL) is used when the copy https command is specified. The user and password options are used for authentication when logging into the HTTP server. The location option is the IP address (or a name that resolves to an IP address) of the HTTP server. The port option specifies the port on which to contact the server. The value for port defaults to port 80 for HTTP and port 443 for HTTP through SSL. The http_pathname option is the name of the resource that contains the image or PIX Device Manager (PDM) file to copy. With plain http, the username, password and the image itself cross the network in cleartext, so prefer https or a server reachable only over a trusted management network, and compare the downloaded file against the checksum published with the image before placing it on the server.

    The following example shows how to copy the PIX Firewall software image from an HTTP server into the Flash memory of your PIX Firewall:


    copy http://192.168.1.22/software/download flash:image

    The following example shows how to copy the PIX Firewall software image through HTTP over SSL (HTTPS), where the SSL authentication is provided by the username dan and the password example:


    copy https://dan:example@192.168.1.22/software/download flash:image


    Creating a Boothelper Disk Using a Windows PC


    The boothelper disk, as described earlier in this chapter, provides assistance for Cisco PIX Firewall models 510 and 520 running PIX software Version 5.0(x) or Version 4.x to be upgraded to a newer version:


    Step 1.

    Go to the Cisco website and download the rawrite.exe utility, which you use to write the PIX Firewall binary image to a floppy disk (you must have a Cisco.com account to do this).

    Step 2.

    Download the PIX Firewall binary image (.bin file) that corresponds to the software version to which you are upgrading.

    Step 3.

    Download the corresponding boothelper binary file that matches the version to which you are upgrading.

    For example, if you are upgrading from PIX Software Version 5.0 to 6.1(1), you must download three files:

    • rawrite.exe

    • pix611.bin

    • bh61.bin (boothelper file)


    Step 4.

    Run the rawrite.exe program by entering rawrite at the DOS prompt. When prompted, enter the name of the boothelper file you want written to the floppy disk, as shown in Example 4-4.


    Example 4-4. Creating a Bootable Disk from Windows



    C:\>rawrite
    RaWrite 1.2 - Write disk file to raw floppy diskette
    Enter source file name: bh61.bin
    Enter destination drive: a:
    Please insert a formatted diskette into drive A: and press -ENTER- :
    Number of sectors per track for this disk is 18.
    Writing image to drive A:. Press ^C to abort.
    Track: 11 Head: 1 Sector: 16
    Done.
    C:\>

    Reboot the PIX Firewall with the disk you created. The PIX Firewall comes up in boothelper mode. Follow the procedure beginning with Step 3 of the earlier section "Upgrading the Operating System Using Monitor Mode" to continue with the upgrade process.


    Password Recovery


    If you ever find yourself in the unfortunate circumstance of having forgotten or lost the console and Telnet password to your Cisco PIX Firewall, do not panic. Like most Cisco products, PIX devices have a procedure to recover lost passwords. Unlike the Cisco router password recovery process, which entails changing the configuration register number, PIX Firewall uses a different method. PIX Firewall uses a password lockout utility to regain access to the locked-out device. The password lockout utility is based on the PIX Firewall software release you are running. Table 4-5 shows the binary filename (that is included with the utility) and the corresponding PIX Firewall OS on which it is used. These files can be downloaded from the Cisco website.

    Table 4-5. PIX Firewall Password Lockout Utility Filenames

    Filename     PIX Firewall Software Version
    nppix.bin    4.3 and earlier releases
    np44.bin     4.4 release
    np50.bin     5.0 release
    np51.bin     5.1 release
    np52.bin     5.2 release
    np60.bin     6.0 release
    np61.bin     6.1 release
    np62.bin     6.2 release
    np63.bin     6.3 release

    When you boot the Cisco PIX Firewall with one of these binary files, the enable password is erased and the Telnet password is reset to cisco. Because the utility is run from the console, anyone with physical access to the firewall (and, for diskless models, a reachable TFTP server) can perform the same procedure, so physical control of the device is part of its access control and a recovery should be followed by setting new passwords and reviewing the configuration.

    Cisco PIX Firewall Password Recovery: Getting Started


    The procedure for password recovery on the Cisco PIX Firewall with a floppy drive is slightly different than with a diskless Cisco PIX Firewall. The difference is in how the Cisco PIX Firewall boots with the binary files listed in Table 4-5. Firewall models that have a floppy drive boot from a disk, and diskless firewall models boot from a TFTP server.

    In addition to the binary files, you need the following items:

    • Portable computer or PC

    • Terminal-emulating software

    • TFTP software (only for diskless PIX Firewall models)

    • The rawrite.exe utility (needed only for firewall models that have floppy drives to create the boot disk)


    Password Recovery Procedure for a PIX Firewall with a Floppy Drive (PIX 520)



    Step 1.

    Create the boot disk by running the rawrite.exe file on your portable computer or PC and writing the npnn.bin file that matches your software version (see Table 4-5) to the bootable floppy.

    Step 2.

    Make sure that the terminal-emulating software is running on your PC and that you connected the console cable to the Cisco PIX Firewall.

    Note

    Because you are locked out, you see only a password prompt.

    Step 3.

    Insert the PIX Firewall password lockout utility disk into the PIX Firewall's floppy drive. Push the Reset button on the front of the PIX Firewall.

    Step 4.

    The PIX Firewall boots from the floppy, and you see a message that says "Erasing Flash Password. Please eject diskette and reboot."

    Step 5.

    Eject the disk, and press the Reset button. Now you can log in without a password.

    Step 6.

    When you are prompted for a password, press Enter. The default Telnet password after this process is cisco. The enable password is also erased, and you have to enter a new one.


    Password Recovery Procedure for a Diskless PIX Firewall (PIX 501, 506, 506E, 515E, 515, 525, and 535)



    Step 1.

    Start the terminal-emulation software, and connect your portable computer or PC to the console port of the PIX Firewall.

    Step 2.

    After you power on the Cisco PIX Firewall and the startup messages appear, send a BREAK character or press the Esc key. The monitor> prompt is displayed.

    Step 3.

    At the monitor> prompt, use the interface command to specify which PIX Firewall interface will be used to reach the TFTP server.

    Step 4.

    Use the address command to specify the IP address of the PIX Firewall interface.

    Step 5.

    Use the server command to specify the IP address of the remote TFTP server containing the PIX Firewall password recovery file.

    Step 6.

    Use the gateway command to specify the IP address of a router gateway through which the server is accessible.

    Step 7.

    Use the file command to specify the filename of the PIX Firewall password recovery file, such as np62.bin.

    Step 8.

    Use the tftp command to start the download. After the password recovery file loads, the following message is displayed:


    Do you wish to erase the passwords? [yn] y
    Passwords have been erased.



    Overview of Simple Network Management Protocol on the PIX Firewall


    Using Simple Network Management Protocol (SNMP), you can monitor system events on the PIX Firewall. All SNMP values are read only (RO). SNMP events can be read, but information on the PIX Firewall cannot be changed by using SNMP.

    The PIX Firewall SNMP traps available to an SNMP management station are as follows:

    Generic traps:

    • Link up and link down

    • Cold start

    • Authentication failure


    Security-related events sent by the Cisco syslog management information base (MIB):

    • Global access denied

    • Failover syslog messages

    • Syslog messages


    PIX Firewall Version 6.2 and later supports monitoring central processing unit (CPU) utilization through SNMP. The overall CPU busy percentage for the last 5-second, one-minute, and five-minute periods is sent to the SNMP management server.

    Note

    Similar information on CPU utilization can be displayed by typing show cpu usage on the Cisco PIX Firewall.

    This feature allows network administrators to monitor PIX Firewall CPU usage using SNMP management software for capacity planning.


    Configuring Simple Network Management Protocol on the PIX Firewall


    The snmp-server command causes the PIX Firewall to send SNMP traps so that the PIX Firewall can be monitored remotely. Use the snmp-server host command to specify which systems receive the SNMP traps. Example 4-5 shows a sample SNMP configuration on a PIX Firewall.

    Example 4-5. Sample SNMP Configuration on a PIX Firewall



    snmp-server host 10.10.1.22
    snmp-server location DC-HQ
    snmp-server contact Yung Park
    snmp-server community SnMpKey
    snmp-server enable traps

    The location and contact commands identify where the host is and who administers it. The community command specifies the password in use at the PIX Firewall SNMP agent and the SNMP management station for verifying network access between the two systems.
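    The following Python script is an added illustration, not code from the book or from Cisco: it checks the snmp-server lines of a PIX 6.x configuration for the points a reviewer looks at first, namely whether a management station is defined, whether that station sits on the outside interface, whether the community string is a well-known default, and whether traps are enabled. It assumes the PIX 6.x form snmp-server host [if_name] ip_addr, with the interface defaulting to inside when omitted, and treats "public" and "private" as the default community strings to reject. The two embedded configurations are constructed: the first is Example 4-5, the second a deliberately weak variant.

```python
"""Lint the snmp-server lines of a Cisco PIX 6.x configuration.

Added example, not the book's or Cisco's own tooling. Assumes the PIX 6.x
syntax 'snmp-server host [if_name] ip_addr [trap | poll]' (if_name defaults
to inside) and 'snmp-server community string'.
"""
import re
from typing import List, Optional, Tuple

# Well-known default community strings that should never be left in place.
DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed inputs: the book's Example 4-5 and a deliberately weak variant.
GOOD_CONFIG = """\
snmp-server host 10.10.1.22
snmp-server location DC-HQ
snmp-server contact Yung Park
snmp-server community SnMpKey
snmp-server enable traps
"""

WEAK_CONFIG = """\
snmp-server host outside 203.0.113.5
snmp-server community public
"""

IPV4_RE = re.compile(r"\d+\.\d+\.\d+\.\d+")


def parse_host(args: List[str]) -> Tuple[str, Optional[str]]:
    """Return (interface, address) for a 'snmp-server host' argument list."""
    if args and not IPV4_RE.fullmatch(args[0]):
        # First argument is an interface name; the address follows it.
        return args[0], (args[1] if len(args) > 1 else None)
    # No interface given: PIX 6.x assumes the inside interface (assumption).
    return "inside", (args[0] if args else None)


def lint_snmp(config: str) -> List[str]:
    """Return a list of human-readable findings for the snmp-server lines."""
    hosts: List[Tuple[str, Optional[str]]] = []
    community: Optional[str] = None
    traps_enabled = False

    for raw in config.splitlines():
        parts = raw.split()
        if parts[:1] != ["snmp-server"] or len(parts) < 2:
            continue
        keyword, args = parts[1], parts[2:]
        if keyword == "host":
            hosts.append(parse_host(args))
        elif keyword == "community" and args:
            community = args[0]
        elif keyword == "enable" and args[:1] == ["traps"]:
            traps_enabled = True

    findings: List[str] = []
    if not hosts:
        findings.append("no snmp-server host line: no system will receive traps")
    for if_name, addr in hosts:
        if if_name == "outside":
            findings.append(f"management station {addr} is reached via the outside interface")
    if community is None:
        findings.append("no snmp-server community string configured")
    elif community.lower() in DEFAULT_COMMUNITIES:
        findings.append(f"community '{community}' is a well-known default")
    if hosts and not traps_enabled:
        findings.append("snmp-server enable traps missing: stations can only poll")
    return findings


if __name__ == "__main__":
    for name, cfg in (("Example 4-5", GOOD_CONFIG), ("weak variant", WEAK_CONFIG)):
        print(f"{name}: {lint_snmp(cfg) or ['no findings']}")
```

Run it against a saved running configuration to get a quick list of the SNMP settings worth revisiting; the rules are intentionally simple and are meant to be extended with the site's own policy (for example a minimum community string length).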


    Troubleshooting Commands


    The two most important troubleshooting commands on the PIX Firewall are the following:

    • debug

    • show


    The debug command provides real-time information that helps you troubleshoot protocols operating with and through the PIX Firewall. There are more than three dozen debug commands that are available on the PIX Firewall.

    Like the debug command, the show command also has many options available on the Cisco PIX Firewall. One helpful show command is the show tech-support command.

    The debug packet command sends its output to the Trace Channel; all other debug commands do not. Use of the Trace Channel changes where output appears during a PIX Firewall console or Telnet session. If a debug command does not use the Trace Channel, each session operates independently, which means any commands started in a session appear only in that session, and output in such a session is disabled by default. The location of the Trace Channel depends on whether a Telnet console session is running at the same time as the serial console session or you are using only the PIX Firewall serial console:

    • If you are only using the PIX Firewall serial console, all debug commands display on the serial console.

    • If you have both a serial console session and a Telnet console session accessing the console, no matter where you enter the debug commands, the output displays on the Telnet console session.

    • If you have two or more Telnet console sessions, the first session is the Trace Channel. If that session closes, the serial console session becomes the Trace Channel. The next Telnet console session that accesses the console will then become the Trace Channel.


    The debug commands, except the debug crypto commands, are shared between all Telnet and serial console sessions.

    The following is sample output from the show debug command output:


    Pixfw#show debug
    debug crypto ipsec 1
    debug crypto isakmp 1
    debug crypto ca 1
    debug icmp trace

    The show tech-support command lists information that technical support analysts need to help you diagnose PIX Firewall problems. Using this command is very similar to running half a dozen show commands at once. The syntax for the command is as follows:


    show tech-support [no-config]

    The no-config option excludes the output of the running configuration. Example 4-6 shows sample output of the show tech-support command with the no-config option.

    Example 4-6. Sample Output of the show tech-support no-config Command



    Pix_fw# show tech-support no-config
    Cisco PIX Firewall Version 6.3(1)
    Cisco PIX Device Manager Version 2.1(1)
    Compiled on Tue 16-Sept-03 17:49 by morlee
    PIXFW01 up 17 days 5 hours
    Hardware: PIX-525, 256 MB RAM, CPU Pentium III 600 MHz
    Flash E28F128J3 @ 0x300, 16MB
    BIOS Flash AM29F400B @ 0xfffd8000, 32KB
    Encryption hardware device : IRE2141 with 2048KB, HW:1.0, CGXROM:1.9, FW:6.5
    0: ethernet0: address is 0008.a3db.87ea, irq 10
    1: ethernet1: address is 0008.a3db.87eb, irq 11
    2: ethernet2: address is 00e0.b605.5817, irq 11
    3: ethernet3: address is 00e0.b605.5816, irq 10
    4: ethernet4: address is 00e0.b605.5815, irq 9
    5: ethernet5: address is 00e0.b605.5814, irq 5
    6: ethernet6: address is 0003.47ac.5edd, irq 5
    Licensed Features:
    Failover: Enabled
    VPN-DES: Enabled
    VPN-3DES: Enabled
    Maximum Interfaces: 8
    Cut-through Proxy: Enabled
    Guards: Enabled
    URL-filtering: Enabled
    Inside Hosts: Unlimited
    Throughput: Unlimited
    IKE peers: Unlimited
    Serial Number: 406044528 (0x1833bf0c)
    Running Activation Key: 0xb974f13e 0x3253edba 0x0d0365e4 0xbae9e768
    Configuration last modified by enable_15 at 13:36:25.580 EST Sat Jan 10 2004
    ------------------ show clock ------------------
    14:26:55.403 EST Sat Jan 10 2004
    ------------------ show memory -------------------
    Free memory: 197058560 bytes
    Used memory: 71376896 bytes
    ------------- ----------------
    Total memory: 268435456 bytes
    ------------------ show conn count ------------------
    134 in use, 5168 most used
    ------------------ show xlate count -----------------
    93 in use, 3279 most used
    ------------------ show blocks -----------------
    SIZE MAX LOW CNT
    4 1600 1581 1600
    80 400 344 400
    256 500 0 500
    1550 2724 1472 1824
    2560 1 0 1
    4096 1 0 1
    ------------------ show interface ------------------
    interface ethernet0 "outside" is up, line protocol is up
    Hardware is i82559 ethernet, address is 0008.a3db.87ea
    IP address 192.168.100.2, subnet mask 255.255.255.0
    MTU 1500 bytes, BW 100000 Kbit full duplex
    383875955 packets input, 1546242085 bytes, 0 no buffer
    Received 1958243 broadcasts, 0 runts, 0 giants
    22 input errors, 0 CRC, 0 frame, 22 overrun, 0 ignored, 0 abort
    362851238 packets output, 2335666853 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 babbles, 0 late collisions, 0 deferred
    0 lost carrier, 0 no carrier
    input queue (curr/max blocks): hardware (128/128) software (0/134)
    output queue (curr/max blocks): hardware (0/102) software (0/63)
    interface ethernet1 "inside" is up, line protocol is up
    Hardware is i82559 ethernet, address is 0008.a3db.87eb
    IP address 10.20.29.187, subnet mask 255.255.255.0
    MTU 1500 bytes, BW 100000 Kbit full duplex
    328261488 packets input, 1334827221 bytes, 0 no buffer
    Received 16099319 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    428793671 packets output, 3583318676 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 babbles, 0 late collisions, 0 deferred
    0 lost carrier, 0 no carrier
    input queue (curr/max blocks): hardware (128/128) software (0/128)
    output queue (curr/max blocks): hardware (2/128) software (0/472)
    .
    .
    .
    ------------------ show cpu usage -----------------
    CPU utilization for 5 seconds = 0%; 1 minute: 0%; 5 minutes: 0%
    ------------------ show process ------------------
    PC SP STATE Runtime SBASE Stack Process
    Hsi 800b0e09 807d3938 8052ddd8 0 807d29b0 3716/4096 arp_timer
    Lsi 800b5271 80846a48 8052ddd8 0 80845ad0 3788/4096 FragDBGC
    Cwe 8000a945 80bd5e48 80375d90 0 80bd4ee0 3944/4096 CryptIC PDR poll
    Lwe 8000f9fe 80bd6de8 80531508 0 80bd5f70 3704/4096 dbgtrace
    Lwe 8020685d 80bd8f48 80507300 4655470 80bd7000 6352/8192 Logger
    Hsi 8020a4ed 80bdc010 8052ddd8 0 80bda098 7700/8192 tcp_fast.
    .
    .
    ------------------ show failover -----------------
    Failover On
    Cable status: Normal
    Reconnect timeout 0:00:00
    Poll frequency 8 seconds
    failover replication http
    This host: Primary - Active
    Active time: 1499048 (sec)
    Interface failover (192.168.10.3): Normal
    Interface intf5 (127.0.0.1): Link Down (Shutdown)
    Interface EXTRA-NET (10.2.0.1): Normal
    Interface Dialindmz (10.2.28.1): Normal
    Interface Serverdmz (10.10.43.2): Normal
    Interface outside (192.168.100.2): Normal
    Interface inside (10.20.29.187): Normal
    Other host: Secondary - Standby
    Active time: 0 (sec)
    Interface failover (192.168.10.2): Normal
    Interface intf5 (0.0.0.0): Link Down (Shutdown)
    Interface EXTRA-NET (10.2.0.2): Normal
    Interface Dialindmz (10.2.28.2): Normal
    Interface Serverdmz (10.10.43.3): Normal
    Interface outside (192.168.100.4): Normal
    Interface inside (10.20.29.24): Normal
    Stateful Failover Logical Update Statistics
    Link : failover
    Stateful Obj xmit xerr rcv rerr
    General 65534709 0 198872 0
    sys cmd 198871 0 198872 0
    up time 2 0 0 0
    xlate 7312548 0 0 0
    tcp conn 58023288 0 0 0
    udp conn 0 0 0 0
    ARP tbl 0 0 0 0
    RIP Tbl 0 0 0
    Logical Update Queue Information
    Cur Max Total
    Recv Q: 0 1 198872
    Xmit Q: 0 1 9861326
    ------------------ show traffic --
    outside:
    received (in 1501994.020 secs):
    384156904 packets 1628831642 bytes
    1 pkts/sec 1001 bytes/sec
    transmitted (in 1501994.020 secs):
    363147896 packets 2525315383 bytes
    1 pkts/sec 1000 bytes/sec
    inside:
    received (in 1501994.020 secs):
    328515373 packets 1453897436 bytes
    1 pkts/sec 1 bytes/sec
    transmitted (in 1501994.020 secs):
    429046804 packets 3666788039 bytes
    2 pkts/sec 2000 bytes/sec
    .
    .
    .
    ------------------ show perfmon ------------------
    PERFMON STATS: Current Average
    Xlates 0/s 0/s
    Connections 4/s 0/s
    TCP Conns 1/s 0/s
    UDP Conns 3/s 0/s
    URL Access 0/s 0/s
    URL Server Req 0/s 0/s
    TCP Fixup 146/s 0/s
    TCPIntercept 0/s 0/s
    HTTP Fixup 87/s 0/s
    FTP Fixup 0/s 0/s
    AAA Authen 0/s 0/s
    AAA Author 0/s 0/s
    AAA Account 0/s 0/s
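    Reading a full show tech-support dump by eye is slow, and the values an analyst wants first (memory, connection counts, block pools, interface error counters, CPU, failover role) are scattered across its sections. The following Python script is an added example, not part of the book and not a Cisco tool: it splits the output on the "------ show ... ------" separators the command prints, extracts those values, and flags two conditions visible in Example 4-6, a block pool whose LOW column reached 0 and an interface with non-zero input errors. The embedded SAMPLE is constructed, abridged from the format of Example 4-6.

```python
"""Triage helper for Cisco PIX 'show tech-support' output.

Added example, not the book's or Cisco's tooling. It relies only on the
section separators and line formats shown in Example 4-6.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample, abridged from the format of Example 4-6.
SAMPLE = """\
Cisco PIX Firewall Version 6.3(1)
PIXFW01 up 17 days 5 hours
------------------ show memory -------------------
Free memory: 197058560 bytes
Used memory: 71376896 bytes
------------- ----------------
Total memory: 268435456 bytes
------------------ show conn count ------------------
134 in use, 5168 most used
------------------ show blocks -----------------
SIZE MAX LOW CNT
4 1600 1581 1600
80 400 344 400
256 500 0 500
1550 2724 1472 1824
------------------ show interface ------------------
interface ethernet0 "outside" is up, line protocol is up
Hardware is i82559 ethernet, address is 0008.a3db.87ea
22 input errors, 0 CRC, 0 frame, 22 overrun, 0 ignored, 0 abort
interface ethernet1 "inside" is up, line protocol is up
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
------------------ show cpu usage -----------------
CPU utilization for 5 seconds = 0%; 1 minute: 0%; 5 minutes: 0%
------------------ show failover -----------------
Failover On
This host: Primary - Active
Interface intf5 (127.0.0.1): Link Down (Shutdown)
Interface outside (192.168.100.2): Normal
Other host: Secondary - Standby
"""

# A separator looks like '------------------ show memory -------------------'.
SECTION_RE = re.compile(r"^-+ (show [\w ]+?) -+$")


def split_sections(text: str) -> Dict[str, List[str]]:
    """Map each 'show ...' section name to its stripped lines."""
    sections: Dict[str, List[str]] = {"header": []}
    current = "header"
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        else:
            sections[current].append(line)
    return sections


def parse_memory(lines: List[str]) -> Dict[str, int]:
    """Free/used/total byte counts from 'show memory'."""
    mem: Dict[str, int] = {}
    for line in lines:
        m = re.match(r"(Free|Used|Total) memory:\s+(\d+) bytes", line)
        if m:
            mem[m.group(1).lower()] = int(m.group(2))
    return mem


def parse_blocks(lines: List[str]) -> List[Tuple[int, int, int, int]]:
    """Rows of (SIZE, MAX, LOW, CNT) from 'show blocks'; the header row is skipped."""
    rows: List[Tuple[int, int, int, int]] = []
    for line in lines:
        parts = line.split()
        if len(parts) == 4 and all(p.isdigit() for p in parts):
            rows.append((int(parts[0]), int(parts[1]), int(parts[2]), int(parts[3])))
    return rows


def parse_input_errors(lines: List[str]) -> Dict[str, int]:
    """Input error counter per named interface from 'show interface'."""
    errors: Dict[str, int] = {}
    current: Optional[str] = None
    for line in lines:
        header = re.match(r'interface \S+ "([^"]+)" is', line)
        if header:
            current = header.group(1)
            continue
        m = re.match(r"(\d+) input errors", line)
        if m and current is not None:
            errors[current] = int(m.group(1))
    return errors


def triage(text: str) -> Dict[str, object]:
    """Extract the headline values and a list of findings from a dump."""
    s = split_sections(text)
    mem = parse_memory(s.get("show memory", []))
    blocks = parse_blocks(s.get("show blocks", []))
    errors = parse_input_errors(s.get("show interface", []))

    used_pct = round(100.0 * mem["used"] / mem["total"], 1) if mem.get("total") else None

    conn = None
    for line in s.get("show conn count", []):
        m = re.match(r"(\d+) in use, (\d+) most used", line)
        if m:
            conn = (int(m.group(1)), int(m.group(2)))

    cpu = None
    for line in s.get("show cpu usage", []):
        m = re.search(r"5 seconds = (\d+)%; 1 minute: (\d+)%; 5 minutes: (\d+)%", line)
        if m:
            cpu = (int(m.group(1)), int(m.group(2)), int(m.group(3)))

    findings: List[str] = []
    # LOW == 0 means the pool was empty at some point since boot, so packets of
    # that size class were dropped then; worth correlating with syslog.
    for size, _max, low, _cnt in blocks:
        if low == 0:
            findings.append(f"block pool {size} was exhausted (LOW=0)")
    for name, count in errors.items():
        if count:
            findings.append(f"interface {name}: {count} input errors")

    fo = s.get("show failover", [])
    role = next((l.split(":", 1)[1].strip() for l in fo if l.startswith("This host:")), None)

    return {
        "memory_used_pct": used_pct,
        "conn": conn,
        "cpu": cpu,
        "input_errors": errors,
        "failover_on": "Failover On" in fo,
        "role": role,
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Feed it the captured output of show tech-support no-config (the sections omitted by the "." lines in Example 4-6, such as show process and show traffic, are simply ignored), and extend the findings rules with whatever thresholds the site cares about, for example a memory-used percentage or a 5-minute CPU figure.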

