Firewall Feature Set Commands
16-116 Configuring Security
Syntax of the “no” Form
The no form sets either the timeout or Auth port to its default value:
no ip firewall auth {timeout # | port #}
Defaults
• Timeout: 1800 seconds
• Authentication port: 3000
Mode
Global configuration: XSR(config)#
Example
The following example resets the ICMP idle timeout:
XSR(config)#ip firewall icmp timeout 3000

ip firewall disable/enable

When issued in Global mode, this command is a “master switch” which activates or deactivates
the firewall system-wide. You can also use this command as a “local switch” in Interface
configuration mode, enabling or disabling the firewall on a per-interface basis. The command
behaves separately and interactively at Global and Interface modes as follows:
• The system-level firewall is disabled by default.
• The interface-level firewall is enabled by default unless explicitly disabled.
• If the firewall is enabled, packet inspection will occur on all interfaces that have the firewall
enabled at the interface level.
• A particular interface may be enabled but subsequently disabling the firewall globally
overrides all enabled interfaces.
• If you enable the firewall globally, all interfaces will be enabled until you subsequently disable
a particular interface.
Enable displays in running-config, but not disable.
• Even if you have not configured the firewall, entering ip firewall enable will turn on
packet inspection.
Syntax
ip firewall {disable | enable}
port # TCP port on which the firewall authenticator will listen. Range: 1024 to 65535.
Note: TCP traffic (e.g., Telnet) passed first through a firewall-disabled interface and destined to a
firewall-enabled interface will be dropped regardless of policy.