© 2004, Cisco Systems, Inc. All rights reserved.
CSPFA Lesson 17: System Maintenance
Objectives

Upon completion of this lesson, you will be able to perform the following tasks:
- Configure Telnet access to the PIX Firewall console.
- Configure SSH access to the PIX Firewall console.
- Configure command authorization.
- Recover PIX Firewall passwords using general password recovery procedures.
- Use TFTP to install and upgrade the software image on the PIX Firewall.
- Configure SNMP on the PIX Firewall.
Remote Access

Configuring Telnet Access to the PIX Firewall Console

  pixfirewall(config)# telnet ip_address [netmask] [if_name]
    Specifies which hosts can access the PIX Firewall console via Telnet.
  pixfirewall(config)# telnet timeout minutes
    Sets the maximum time a console Telnet session can be idle before being logged off by the PIX Firewall.
  pixfirewall(config)# passwd password [encrypted]
    Sets the password for Telnet access to the PIX Firewall.

  Example (a host on the inside network opens a Telnet session to the console):
    pix1(config)# telnet inside
    pix1(config)# telnet timeout 15
    pix1(config)# passwd telnetpass

Viewing and Disabling Telnet

  pixfirewall# who [local_ip]
    Enables you to view which IP addresses are currently accessing the PIX Firewall console via Telnet.
  pixfirewall# kill telnet_id
    Terminates a Telnet session.
  pixfirewall# show telnet
    Displays the IP addresses permitted to access the PIX Firewall via Telnet.
  pixfirewall(config)# clear telnet
    Removes Telnet access from a previously authorized IP address.

SSH Connections to the PIX Firewall

SSH connections to the PIX Firewall:
- Provide secure remote access.
- Provide strong authentication and encryption.
- Require RSA key pairs for the PIX Firewall.
- Require DES or 3DES activation keys.
- Allow up to five SSH clients to simultaneously access the PIX Firewall console.
- Use the Telnet password for local authentication.

Configuring SSH Access to the PIX Firewall Console

  pixfirewall(config)# ca zeroize rsa
    Removes any previously generated RSA keys.
  pixfirewall(config)# ca save all
    Saves the CA state.
  pixfirewall(config)# domain-name name
    Configures the domain name.
  pixfirewall(config)# ca generate rsa {key | specialkey} key_modulus_size
    Generates an RSA key pair.
  pixfirewall(config)# ssh ip_address [netmask] [interface_name]
    Specifies the host or network authorized to initiate an SSH connection.
  pixfirewall(config)# ssh timeout minutes
    Specifies how long a session can be idle before being disconnected.

Connecting to the PIX Firewall with an SSH Client

  pix1(config)# ca zeroize rsa
  pix1(config)# ca save all
  pix1(config)# domain-name cisco.com
  pix1(config)# ca generate rsa key 768
  pix1(config)# ca save all
  pix1(config)# ssh outside
  pix1(config)# ssh timeout 30

  An SSH client on the Internet then logs in with username "pix" and the Telnet password (telnetpassword).

Viewing, Disabling, and Debugging SSH

  pixfirewall# show ssh sessions [ip_address]
    Enables you to view the status of your SSH sessions.
  pixfirewall# ssh disconnect session_id
    Disconnects an SSH session.
  pixfirewall(config)# clear ssh
    Removes all SSH command statements from the configuration.
  pixfirewall(config)# debug ssh
    Enables SSH debugging.
Command Authorization

Command Authorization Overview

The purpose of command authorization is to securely and efficiently administer the PIX Firewall. It has the following types:
- Enable-level command authorization with passwords
- Command authorization using the local user database
- Command authorization using ACS

Enable-Level Command Authorization

Complete the following tasks to configure and use enable-level command authorization:
1. Use the enable command to create privilege levels and assign passwords to them.
2. Use the privilege command to assign specific commands to privilege levels.
3. Use the aaa authorization command to enable the command authorization feature.
4. Use the enable command to access the desired privilege level.

Create and Password-Protect Your Privilege Levels

  pixfirewall(config)# enable password pw [level priv_level] [encrypted]
    Configures enable passwords for the various privilege levels.
  pixfirewall> enable [priv_level]
    Provides access to a particular privilege level from the > prompt.

  Example:
    pix1(config)# enable password Passw0rD level 10

    pix1> enable 10
    Password: Passw0rD
    pix1#

Assign Commands to Privilege Levels and Enable Command Authorization

  pixfirewall(config)# privilege [show | clear | configure] level level [mode enable | configure] command command
    Configures user-defined privilege levels for PIX Firewall commands.
  pixfirewall(config)# aaa authorization command {LOCAL | tacacs_server_tag}
    Enables command authorization.

  Example:
    pix1(config)# enable password Passw0rD level 10
    pix1(config)# privilege show level 8 command access-list
    pix1(config)# privilege configure level 10 command access-list
    pix1(config)# aaa authorization command LOCAL

    pixfirewall> enable 10
    Password: Passw0rD
    pixfirewall# config t
    pixfirewall(config)# access-list...

Command Authorization Using the Local User Database

Complete the following tasks to configure and use command authorization with the local user database:
1. Use the privilege command to assign specific commands to privilege levels.
2. Use the username command to create user accounts in the local user database and assign privilege levels to the accounts.
3. Use the aaa authorization command to enable command authorization.
4. Use the aaa authentication command to enable authentication using the local database.
5. Use the login command to log in and access privilege levels.

Creating User Accounts in the Local Database

  pixfirewall(config)# username username {nopassword | password password [encrypted]} [privilege level]
    Configures the username for the specified privilege level.

  Example:
    pix1(config)# username admin password passw0rd privilege 15
    pix1(config)# username kenny password chickadee privilege 10

  Resulting local database: admin / passw0rd / level 15; kenny / chickadee / level 10.

Configuring Authentication with the Local Database

  pixfirewall(config)# aaa authentication [serial | enable | telnet | ssh | http] console group_tag
    Enables user authentication.

  Example:
    pix1(config)# privilege configure level 10 command access-list
    pix1(config)# username kenny password chickadee privilege 10
    pix1(config)# aaa authorization command LOCAL
    pix1(config)# aaa authentication enable console LOCAL

    pixfirewall> login
    Username: kenny
    Password: chickadee
    pixfirewall# config t
    pixfirewall(config)# access-list...

Command Authorization Using ACS

Complete the following tasks to configure and use ACS command authorization:
1. Create a user profile on the TACACS+ server with all the commands that the user is permitted to execute.
2. Use the aaa-server command to specify the TACACS+ server.
3. Use the aaa authentication command to enable authentication with a TACACS+ server.
4. Use the aaa authorization command to enable command authorization with a TACACS+ server.

aaa authorization Command for Command Authorization with ACS

  pixfirewall(config)# aaa authorization command {LOCAL | tacacs_server_tag}
    Enables command authorization.

  Example (the PIX Firewall sends both authentication and authorization requests to the MYTACACS server):
    pix1(config)# aaa-server MYTACACS protocol tacacs+
    pix1(config)# aaa-server MYTACACS (inside) host thekey timeout 20
    pix1(config)# aaa authentication enable console MYTACACS
    pix1(config)# aaa authorization command MYTACACS

Viewing Your Command Authorization Configuration

  pixfirewall# show privilege [all | command command | level level]
    Displays the privileges for a command or set of commands.
  pixfirewall# show curpriv
    Displays the user account that is currently logged in.
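The authorization decision described in the enable-level and local-database slides above, as an added model (not Cisco's code): it parses constructed privilege and username lines of the kind shown in the lesson and checks whether a user's level meets the level a command requires under aaa authorization command LOCAL. Assumptions are marked in the comments: a command with no privilege statement for its mode requires level 15, and the helpdesk account is invented for illustration.

```python
# Added example (not from the Cisco course): model of PIX command
# authorization with the local user database. The configuration is
# constructed from the lesson's privilege/username statements.
import re

CONFIG = """\
privilege show level 8 command access-list
privilege configure level 10 command access-list
username admin password passw0rd privilege 15
username kenny password chickadee privilege 10
username helpdesk password h3lpd3sk privilege 5
"""

PRIV_RE = re.compile(r"^privilege (show|clear|configure) level (\d+) command (\S+)$")
USER_RE = re.compile(r"^username (\S+) (?:nopassword|password \S+)"
                     r"(?: encrypted)?(?: privilege (\d+))?$")
DEFAULT_LEVEL = 15  # assumption: unassigned commands need the top level


def parse_config(text):
    """Return ({(mode, command): level}, {username: level})."""
    privileges, users = {}, {}
    for line in text.splitlines():
        m = PRIV_RE.match(line.strip())
        if m:
            privileges[(m.group(1), m.group(3))] = int(m.group(2))
            continue
        m = USER_RE.match(line.strip())
        if m:
            # assumption: a username with no "privilege" keyword gets level 0
            users[m.group(1)] = int(m.group(2) or 0)
    return privileges, users


def required_level(privileges, mode, command):
    return privileges.get((mode, command), DEFAULT_LEVEL)


def authorized(privileges, users, username, mode, command):
    """True if the user's level is at least the level the command needs."""
    if username not in users:
        return False  # unknown user: login fails before authorization
    return users[username] >= required_level(privileges, mode, command)


def allowed_commands(privileges, users, username):
    """Explicitly assigned (mode, command) pairs this user may run."""
    return {k for k in privileges if authorized(privileges, users, username, *k)}


if __name__ == "__main__":
    privs, accounts = parse_config(CONFIG)
    for user in accounts:
        print(user, sorted(allowed_commands(privs, accounts, user)))
```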
Lockout

  (Figure: both the MYTACACS server and the local database, holding admin / passw0rd / level 15 and kenny / chickadee / level 10, are marked with an X as unavailable for the administrator's login.)
SNMP

SNMP Overview

  (Figure: the NMS on the Internet sends Get requests to the PIX Firewall SNMP agent, which returns Get responses and sends traps to the NMS.)

MIB Support

The Cisco Firewall MIB, Cisco Memory Pool MIB, and Cisco Process MIB provide the following PIX Firewall information through SNMP:
- Buffer use from the show block command
- Connection count from the show conn command
- CPU use through the show cpu usage command
- Failover status
- Memory use from the show memory command

SNMP to the PIX Firewall

  pixfirewall(config)# snmp-server host [if_name] ip_addr [trap | poll]
    Identifies the management station.
  pixfirewall(config)# snmp-server community key
    Configures the SNMP community string, a shared secret between the NMS and the managed devices.
  pixfirewall(config)# snmp-server enable traps
    Enables sending log messages as SNMP trap notifications.

  Example:
    pix1(config)# snmp-server host inside
    pix1(config)# snmp-server community OURCOMMUNITY
    pix1(config)# snmp-server enable traps
    pix1(config)# logging on
    pix1(config)# logging history debugging

SNMP Traps, Outside to Inside

  (Figure: traps from an SNMP managed device on the Internet are permitted in to the SNMP manager on the inside network.)
    pix1(config)# static (inside,outside) netmask
    pix1(config)# access-list TRAPSIN permit udp host host eq snmptrap
    pix1(config)# access-group TRAPSIN in interface outside

SNMP Polling, Outside to Inside

  (Figure: an SNMP manager on the Internet polls an SNMP managed device on the inside network; the Get responses return through the PIX Firewall.)
    pix1(config)# static (inside,outside) netmask
    pix1(config)# access-list POLLIN permit udp host host eq snmp
    pix1(config)# access-group POLLIN in interface outside
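A configuration review that ties together the Telnet, SSH and SNMP commands covered in this lesson, as an added example (not Cisco's code): it scans a constructed PIX 6.x configuration for the settings a reviewer would flag, namely Telnet reachable from the outside or from any host, the factory Telnet password, a default SNMP community string, and SSH enabled without an explicit idle timeout. The addresses and the weak-value lists are constructed for illustration.

```python
# Added example (not from the Cisco course): audit the console-access and
# SNMP commands from this lesson for weak settings. Configuration text and
# addresses are constructed.

SAMPLE_CONFIG = """\
telnet 10.0.1.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 15
ssh 10.0.1.11 255.255.255.255 inside
passwd cisco
snmp-server host inside 10.0.1.20 poll
snmp-server community public
snmp-server enable traps
"""

# "cisco" is the factory Telnet password; "public"/"private" are the usual
# default SNMP community strings. The other entries are illustrative.
WEAK_PASSWORDS = {"cisco", "pix", "password"}
DEFAULT_COMMUNITIES = {"public", "private"}


def audit(config):
    """Return a list of finding strings for the given configuration text."""
    findings = []
    has_ssh, ssh_timeout = False, None
    for raw in config.splitlines():
        parts = raw.split()
        if not parts:
            continue
        cmd = parts[0]
        if cmd == "telnet" and parts[1] == "timeout":
            continue  # idle timeout, not a reachability setting
        if cmd == "telnet":
            # telnet ip [netmask] [if_name]: Telnet is cleartext, so an
            # outside-facing or any-host rule exposes the console login.
            if parts[-1] == "outside":
                findings.append(f"telnet allowed on outside interface: {raw}")
            if parts[1] == "0.0.0.0":
                findings.append(f"telnet allowed from any host: {raw}")
        elif cmd == "ssh" and parts[1] == "timeout":
            ssh_timeout = int(parts[2])
        elif cmd == "ssh":
            has_ssh = True
        elif cmd == "passwd" and parts[1].lower() in WEAK_PASSWORDS:
            # passwd is the login password for both Telnet and SSH sessions
            findings.append("passwd is a default or well-known value")
        elif cmd == "snmp-server" and parts[1] == "community":
            if parts[2].lower() in DEFAULT_COMMUNITIES:
                findings.append(f"default SNMP community string: {parts[2]}")
    if has_ssh and ssh_timeout is None:
        findings.append("ssh configured without an explicit ssh timeout")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```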
Management Tools

PIX Device Manager

  PDM is a browser-based configuration tool designed to help configure and monitor your PIX Firewall. (Figure: the browser reaches the PIX Firewall across the Internet through an SSL secure tunnel.)

Management Center for Firewalls

Activation Keys

Entering a New Activation Key

  pixfirewall(config)# activation-key activation-key-four-tuple
    Updates the activation key on your PIX Firewall. Used to enable licensed features on the PIX Firewall.

  Example:
    pix1(config)# activation-key 0x xabcdef01 0x ab 0xcdef

Upgrading the Image and the Activation Key

Complete the following steps to upgrade the image and the activation key at the same time:
  Step 1: Install the new image.
  Step 2: Reboot the system.
  Step 3: Update the activation key.
  Step 4: Reboot the system.

Troubleshooting the Activation Key Upgrade

  Message: The activation key you entered is the same as the running key.
    Problem and resolution: Either the activation key has already been upgraded or you need to enter a different key.
  Message: The Flash image and the running image differ.
    Problem and resolution: Reboot the PIX Firewall and re-enter the activation key.
  Message: The activation key is not valid.
    Problem and resolution: Either you made a mistake entering the activation key or you need to obtain a valid activation key.
Password Recovery and Image Upgrade

Password Recovery

  1. Download the following file from Cisco.com: npXX.bin (where XX = the PIX Firewall image version number).
  2. Reboot the system and break the boot process when prompted to go into monitor mode.
  3. Set the interface, IP address, gateway, server, and file to TFTP the previously downloaded image.
  4. Follow the directions displayed.

Image Upgrade

  pixfirewall(config)# copy tftp[:[[//location][/tftp_pathname]]] flash[:[image | pdm]]
    Enables you to change software images without accessing the TFTP monitor mode. The TFTP server at the specified IP address receives the command and determines the actual file location from its root directory information. The server then downloads the image to the PIX Firewall.

  Example:
    pix1# copy tftp:// /pix632.bin flash

Summary

- SSH provides secure remote management of the PIX Firewall.
- TFTP is used to upgrade the software image on PIX Firewalls.
- You can configure three different types of command authorization: enable level with password, local command authorization, and ACS command authorization.
- The PIX Firewall can be configured to permit multiple users to access its console simultaneously via Telnet.
- You can enable Telnet to the PIX Firewall on all interfaces.
- Password recovery for the PIX Firewall requires a TFTP server.

Lab Exercise

Lab Visual Objective

  (Figure: each pod's Student PC, acting as SSH client and TFTP server at local address 10.0.P.11, connects through its PIX Firewall to the RBB and the Web/FTP server; pods 1–5 and pods 6 and up use the P and Q pod numbering.)