Cisco PIX Firewall and VPN Configuration Guide
Version 6.3
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
CONTENTS

About This Guide xix
  Document Objectives xix
  Audience xix
  Document Organization xx
  Document Conventions xxi
  Obtaining Documentation xxi
    Cisco.com xxi
    Documentation CD-ROM xxii
    Ordering Documentation xxii
    Documentation Feedback xxii
  Obtaining Technical Assistance xxiii
    Cisco.
Protecting Your Network from Attack 1-8
  Unicast Reverse Path Forwarding 1-9
  Mail Guard 1-9
  Flood Guard 1-9
  Flood Defender 1-9
  FragGuard and Virtual Reassembly 1-10
  DNS Control 1-10
  ActiveX Blocking 1-10
  Java Filtering 1-10
  URL Filtering 1-10
  Configurable Proxy Pinging 1-11
Supporting Specific Protocols and Applications 1-11
  How Application Inspection Works 1-11
  Voice over IP 1-12
    CTIQBE (TAPI) 1-12
    H.
Accessing and Monitoring PIX Firewall 1-20
  Connecting to the Inside Interface of a Remote PIX Firewall 1-21
  Cisco PIX Device Manager (PDM) 1-21
  Command Authorization 1-21
  Telnet Interface 1-22
  SSH Version 1 1-22
  NTP 1-22
  Auto Update 1-22
  Capturing Packets 1-22
  Using SNMP 1-22
  XDMCP 1-23
  Using a Syslog Server 1-23
  FTP and URL Logging 1-23
  Integration with Cisco IDS 1-23
PIX Firewall Failover 1-24
Upgrading the PIX Firewall OS and License 1-24
Using the Command-Line Interface 1-25
  Access Modes
Configuring PIX Firewall Interfaces 2-4
  Assigning an IP Address and Subnet Mask 2-5
  Identifying the Interface Type 2-5
  Changing Interface Names or Security Levels 2-6
Establishing Outbound Connectivity with NAT and PAT 2-7
  Overview 2-7
  How NAT and PAT Work 2-9
  Configuring NAT and PAT 2-9
Configuring the PIX Firewall for Routing 2-12
  Using RIP 2-12
  Configuring RIP Static Routes on PIX Firewall 2-13
  Using OSPF 2-14
    Overview 2-14
    Security Issues When Using OSPF 2-14
    OSPF Features Supported 2-15
    Res
Policy NAT 2-40
  Limitations 2-42
  Configuring Policy NAT 2-42
    Configuring Global Translations 2-42
    Configuring Static Translations 2-43
Enabling Stub Multicast Routing 2-43
  Overview 2-44
  Allowing Hosts to Receive Multicast Transmissions 2-44
  Forwarding Multicasts from a Transmission Source 2-46
  Configuring IGMP Timers 2-47
    Setting the Query Interval 2-47
    Setting Query Response Time 2-47
  Clearing IGMP Configuration 2-47
  Viewing and Debugging SMR 2-47
  For More Information about Multicast Routing 2-48
Downloading Access Lists 3-20
  Configuring Downloadable ACLs 3-20
  Downloading a Named Access List 3-21
  Downloading an Access List Without a Name 3-22
  Software Restrictions 3-23
Simplifying Access Control with Object Grouping 3-24
  How Object Grouping Works 3-24
  Using Subcommand Mode 3-25
  Configuring and Using Object Groups with Access Control
    Configuring Protocol Object Groups 3-28
    Configuring Network Object Groups 3-28
    Configuring Service Object Groups 3-28
    Configuring ICMP-Type Object Groups 3-2
Using Secure Unit Authentication 4-6
  Overview 4-6
  Establishing a Connection with SUA Enabled 4-7
  Managing Connection Behavior with SUA 4-7
Using Individual User Authentication 4-8
Using X.
Voice Over IP 5-14
  CTIQBE 5-14
  CU-SeeMe 5-15
  H.
CHAPTER 6 Configuring IPSec and Certification Authorities 6-1
How IPSec Works 6-1
Internet Key Exchange (IKE) 6-2
  IKE Overview 6-2
  Configuring IKE 6-4
  Disabling IKE 6-6
  Using IKE with Pre-Shared Keys 6-6
Using Certification Authorities 6-7
  CA Overview 6-8
    Public Key Cryptography 6-8
    Certificates Provide Scalability 6-8
  Supported CA Servers 6-9
  Configuring the PIX Firewall to Use Certificates 6-9
  Verifying the Distinguished Name of a Certificate 6-12
Configuring IPSec 6-13
  IPSec Overview 6-1
Using PIX Firewall with a VeriSign CA 7-7
  Scenario Description 7-7
  Configuring PIX Firewall 1 with a VeriSign CA 7-8
  Configuring PIX Firewall 2 with a VeriSign CA 7-11
Using PIX Firewall with an In-House CA 7-13
  Scenario Description 7-14
  Configuring PIX Firewall 1 for an In-House CA 7-15
  Configuring PIX Firewall 2 for an In-House CA 7-18
Using an Encrypted Tunnel to Obtain Certificates 7-20
  Establishing a Tunnel Using a Pre-Shared Key 7-21
    PIX Firewall 1 Configuration 7-21
    PIX Firewall 2 Config
Using an Easy VPN Remote Device with Digital Certificates 8-13
  Client Verification of the Easy VPN Server Certificate 8-14
  Scenario Description 8-14
  Configuring the PIX Firewall 8-16
  Configuring the Easy VPN Remote Software Client 8-19
Using PPTP for Remote Access 8-20
  Overview 8-20
  PPTP Configuration 8-21
  PPTP Configuration Example 8-21
CHAPTER 9 Accessing and Monitoring PIX Firewall 9-1
Connecting to PIX Firewall Over a VPN Tunnel 9-1
Command Authorization and LOCAL User Authentication 9-
Allowing a Telnet Connection to the Outside Interface 9-18
  Overview 9-18
  Using Telnet with an Easy VPN Remote Device 9-18
  Using Cisco Secure VPN Client Version 1.
SNMP Usage Notes 9-43
SNMP Traps 9-44
Receiving Requests and Sending Syslog Traps 9-44
Compiling Cisco Syslog MIB Files 9-45
Using the Firewall and Memory Pool MIBs 9-46
  ipAddrTable Notes 9-46
  Viewing Failover Status 9-47
  Verifying Memory Usage 9-48
  Viewing The Connection Count 9-49
  Viewing System Buffer Usage 9-50
CHAPTER 10 Using PIX Firewall Failover 10-1
Failover System Requirements 10-2
Understanding Failover 10-3
  Overview 10-3
  Network Connections 10-4
  Failover and State Links 10-4
  Fa
Frequently Asked Failover Questions 10-21
  Configuration Replication Questions 10-21
  Basic Failover Questions 10-22
  Cable-Based Failover Questions 10-23
  LAN-Based Failover Questions 10-23
  Stateful Failover Questions 10-24
Failover Configuration Examples 10-24
  Cable-Based Failover Example 10-25
  LAN-Based Failover Example 10-26
CHAPTER 11 Changing Feature Licenses and System Software 11-1
Upgrading Your License by Entering a New Activation Key
  Obtaining an Activation Key 11-2
  Entering a New Acti
APPENDIX A Acronyms and Abbreviations
APPENDIX B Configuration Examples for Other Remote Access Clients B-1
Xauth with RSA Ace/Server and RSA SecurID B-1
  Terminology B-1
  Introduction B-2
  PIX Firewall Configuration B-3
  SecurID with Cisco VPN Client Version 3.x B-4
    Token Enabled B-4
    Next Tokencode Mode B-4
    New PIN Mode B-5
  SecurID with Cisco VPN 3000 Client Version 2.5 B-5
    Token Enabled B-6
    Next Tokencode Mode B-6
    New PIN Mode B-6
  SecurID with Cisco Secure VPN Client Version 1.
Configuring the Inside Server C-3
Configuring Both Systems After Rebooting C-4
APPENDIX D TCP/IP Reference Information D-1
IP Addresses D-1
Ports D-2
Protocols and Applications D-5
  Supported Multimedia Applications D-6
  Supported Protocols and Applications D-6
Using Subnet Masks D-7
  Masks D-7
  Uses for Subnet Information
  Using Limited IP Addresses
    Addresses in the .128 Mask
    Addresses in the .192 Mask
    Addresses in the .224 Mask
    Addresses in the .240 Mask
    Addresses in the .
About This Guide

This preface introduces the Cisco PIX Firewall and VPN Configuration Guide and contains the following sections:
• Document Objectives, page xix
• Audience, page xix
• Document Organization, page xx
• Document Conventions, page xxi
• Obtaining Documentation, page xxi
• Obtaining Technical Assistance, page xxiii
• Obtaining Additional Publications and Information, page xxiv

Document Objectives

This document describes how to configure the Cisco PIX Firewall to protect your networ
Document Organization

This guide includes the following chapters and appendixes:
• Chapter 1, “Getting Started,” describes the benefits provided by PIX Firewall and the technology used to implement each feature.
• Chapter 2, “Establishing Connectivity,” describes how to establish secure connectivity between an unprotected network, such as the public Internet, and one or more protected networks.
Document Conventions

Command descriptions use these conventions:
• Braces ({ }) indicate a required choice.
• Square brackets ([ ]) indicate optional elements.
• Vertical bars ( | ) separate alternative, mutually exclusive elements.
• Boldface indicates commands and keywords that are entered literally as shown.
• Italics indicate arguments for which you supply values.
Documentation CD-ROM

Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which may have shipped with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual subscription. Registered Cisco.
Obtaining Technical Assistance

Cisco provides Cisco.com, which includes the Cisco Technical Assistance Center (TAC) Website, as a starting point for all technical assistance. Customers and partners can obtain online documentation, troubleshooting tips, and sample configurations from the Cisco TAC website. Cisco.com registered users have complete access to the technical support resources on the Cisco TAC website, including TAC tools and utilities. Cisco.
All customers, partners, and resellers who have a valid Cisco service contract have complete access to the technical support resources on the Cisco TAC website. Some services on the Cisco TAC website require a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to this URL to register: http://tools.cisco.com/RPF/register/register.do If you are a Cisco.
• Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in the design, development, and operation of public and private internets and intranets. You can access the Internet Protocol Journal at this URL: http://www.cisco.com/en/US/about/ac123/ac147/about_cisco_the_internet_protocol_journal.
About This Guide Obtaining Additional Publications and Information Cisco PIX Firewall and VPN Configuration Guide xxvi 78-15033-01
CHAPTER 1 Getting Started

The Cisco PIX Firewall lets you establish stateful firewall protection and secure VPN access with a single device. PIX Firewall provides a scalable security solution with failover support available for selected models to provide maximum reliability. PIX Firewall uses a specialized operating system that is more secure and easier to maintain than software firewalls that use a general-purpose operating system, which are subject to frequent threats and attacks.
• Access Control, page 1-6
• VLAN Support, page 1-8

Chapter 2, “Establishing Connectivity” provides configuration instructions for establishing network connectivity through the PIX Firewall. Chapter 3, “Controlling Network Access and Use” provides configuration instructions for using the PIX Firewall to control network connectivity.
The PIX Firewall also lets you implement your security policies for connection to and from the inside network. Typically, the inside network is an organization's own internal network, or intranet, and the outside network is the Internet, but the PIX Firewall can also be used within an intranet to isolate or protect one group of internal computing systems and users from another.
PIX Firewall handles UDP data transfers in a manner similar to TCP. Special handling allows DNS, archie, StreamWorks, H.323, and RealAudio to work securely. The PIX Firewall creates UDP “connection” state information when a UDP packet is sent from the inside network. Response packets resulting from this traffic are accepted if they match the connection state information. The connection state information is deleted after a short period of inactivity.
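The UDP pseudo-connection behaviour just described, as an added example written for this page (a Python simulation, not code from the Cisco guide or the PIX Firewall); the 120-second idle timeout, the packet fields and the allow/deny return values are assumptions of the simulation:

```python
"""Simulation of stateful UDP tracking as the guide describes it.

Added example for this page, not code from the Cisco guide or the PIX
Firewall itself.  An outbound UDP packet from the inside creates a
"connection" entry; an inbound packet is accepted only if it matches an
entry; entries are deleted after a period of inactivity.  The 120 s
idle timeout and the packet fields are assumptions of the simulation.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class UdpPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    iface: str          # interface the packet arrived on: "inside" or "outside"


class UdpStateTable:
    """Tracks pseudo-connections keyed by the 4-tuple of the outbound packet."""

    def __init__(self, idle_timeout: int = 120):
        self.idle_timeout = idle_timeout
        self.entries = {}   # (in_ip, in_port, out_ip, out_port) -> last_seen
        self.denied = []    # (time, packet) for dropped packets; what a syslog line would record

    def _expire(self, now: int) -> None:
        """Delete entries that have been idle longer than the timeout."""
        stale = [k for k, seen in self.entries.items() if now - seen > self.idle_timeout]
        for k in stale:
            del self.entries[k]

    def process(self, pkt: UdpPacket, now: int) -> str:
        """Return "allow" or "deny" for pkt arriving at time now (seconds)."""
        self._expire(now)
        if pkt.iface == "inside":
            # Outbound from the protected network: create or refresh state.
            key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            self.entries[key] = now
            return "allow"
        # Inbound: only a response to an existing entry is accepted.  The
        # reply must come from the same host and port the inside host sent to,
        # so an unsolicited datagram or one from another server is dropped.
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.entries:
            self.entries[key] = now        # activity keeps the entry alive
            return "allow"
        self.denied.append((now, pkt))
        return "deny"

    def active_connections(self) -> int:
        return len(self.entries)
```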
Address Translation

The Network Address Translation (NAT) feature works by substituting, or translating, host addresses on one interface with a “global address” associated with another interface. This protects internal host addresses from being exposed on other network interfaces. To understand whether you want to use NAT, decide if you want to expose internal addresses on other network interfaces connected to the PIX Firewall.
Cut-Through Proxy

Cut-through proxy is a feature unique to PIX Firewall that allows user-based authentication of inbound or outbound connections. A proxy server analyzes every packet at layer seven of the OSI model, which is a time- and processing-intensive function. By contrast, the PIX Firewall uses cut-through proxy to authenticate a connection and then allow traffic to flow quickly and directly.
The PIX Firewall allows a RADIUS server to send user group attributes to the PIX Firewall in the RADIUS authentication response message. The PIX Firewall then matches an access list to the attribute and determines RADIUS authorization from the access list. After the PIX Firewall authenticates a user, it will apply an access list for the user that was returned by the AAA server using the Cisco acl attribute (acl=).
Object Grouping

Object grouping, introduced in PIX Firewall Version 6.2, reduces the complexity of configuration and improves scalability for large or complex networks. Object grouping lets you apply access rules to logical groups of network objects. When you apply a PIX Firewall command to an object group, the command affects all network objects defined within the group.
For more information about the PIX Firewall features used to protect your network against specific attacks, refer to Chapter 5, “Configuring Application Inspection (Fixup).” For information about configuring ActiveX Blocking, Java Filtering, and URL Filtering, refer to the “Filtering Outbound Connections” section on page 3-31 in Chapter 3, “Controlling Network Access and Use.
ActiveX Blocking

ActiveX controls, formerly known as OLE or OCX controls, are components that can be inserted into a web page or other application. The PIX Firewall ActiveX blocking feature blocks HTML
Supporting Specific Protocols and Applications

This section describes how the PIX Firewall enables the secure use of specific protocols and applications.
• SCCP, page 1-12
• SIP, page 1-13

Note Version 6.2 of the PIX Firewall introduces PAT support for H.323 and SIP. This helps to expand your address space to accommodate the large number of endpoints involved when implementing VoIP networks.

CTIQBE (TAPI)

The Telephony API (TAPI) and Java Telephony API (JTAPI) are protocols used by Cisco VoIP applications. PIX Firewall Version 6.
When coupled with an H.323 Proxy, an SCCP client can interoperate with H.323-compliant terminals. Application inspection in the PIX Firewall works with SCCP Version 3.1.1. PIX Firewall application inspection ensures that all SCCP signaling and media packets can traverse the firewall by providing NAT of the SCCP signaling packets.

Note PIX Firewall Version 6.3 introduces PAT support for SCCP.
LDAP Version 2 and ILS

PIX Firewall Version 6.2 or higher supports using NAT with Lightweight Directory Access Protocol (LDAP) Version 2, used by the Internet Locator Service (ILS). Applications that depend on ILS include Microsoft NetMeeting and SiteServer Active Directory. These applications use ILS to provide registration and location of end points in the ILS directory.
Virtual Private Networks

Virtual Private Networks (VPNs) let you securely interconnect geographically distributed users and sites over the public Internet. VPNs can provide lower cost, improved reliability, and easier administration than traditional wide-area networks based on private Frame Relay or dial-up connections. VPNs maintain the same security and management policies as a private network.
• Phase 1—This phase, implemented through the Internet Key Exchange (IKE) protocol, establishes a pair of IKE SAs. IKE SAs are used for negotiating one or more IPSec SAs, which are used for the actual transmission of application data.
• Phase 2—This phase uses the secure channel provided by the IKE SAs to negotiate the IPSec SAs.
Most browsers, by default, trust certificates from well-known CAs, such as VeriSign, and provide options for adding CAs, and for generating and requesting a digital certificate. You can also preconfigure browser software before it is distributed to users with your CA and the necessary certificates.
Supporting Remote Access with a Cisco Easy VPN Server

The PIX Firewall supports mixed VPN deployments, including both site-to-site and remote-access traffic. A remote access VPN uses analog, dial, ISDN, DSL, mobile IP, and cable technologies to securely connect mobile users, telecommuters, and other individual systems to a network protected by the PIX Firewall.
Using PIX Firewall in a Small Office, Home Office Environment

This section describes features provided by the PIX Firewall that support its use in a small office, home office (SOHO) environment.
A DHCP server is simply a computer that provides configuration parameters to a DHCP client, and a DHCP client is a computer or network device that uses DHCP to obtain network configuration parameters. When functioning as a DHCP server, the PIX Firewall dynamically assigns IP addresses to DHCP clients from a pool of designated IP addresses. PIX Firewall Version 6.2 or higher supports DHCP option 66 and DHCP option 150 requests.
• Telnet Interface, page 1-22
• SSH Version 1, page 1-22
• NTP, page 1-22
• Auto Update, page 1-22
• Capturing Packets, page 1-22
• Using SNMP, page 1-22
• XDMCP, page 1-23
• Using a Syslog Server, page 1-23
• FTP and URL Logging, page 1-23
• Integration with Cisco IDS

For information about configuring the features described in this section, refer to Chapter 9, “Accessing and Monitoring PIX Firewall.
Telnet Interface

The PIX Firewall Telnet interface provides a command-line interface similar to Cisco IOS software. The Telnet interface lets you remotely manage the PIX Firewall via the console interface. Telnet access is limited to specified client systems within the inside network (based on source address) and is password protected.
The SNMP Firewall and Memory Pool MIBs extend the number of traps you can use to discover additional information about the state of the PIX Firewall, including the following events:
• Buffer usage from the show block command
• Connection count from the show conn command
• Failover status
• Memory usage from the show memory command

Note PIX Firewall Version 6.2 or higher supports monitoring CPU utilization through SNMP.
PIX Firewall Failover

The PIX Firewall failover feature lets you connect two identical PIX Firewall units with a special failover cable to achieve a fully redundant firewall solution. To configure the PIX Firewall failover feature, refer to Chapter 10, “Using PIX Firewall Failover.
Using the Command-Line Interface

This section includes the following topics, which describe how to use the PIX Firewall command-line interface (CLI):
• Access Modes, page 1-25
• Accessing Configuration Mode, page 1-26
• Abbreviating Commands, page 1-27
• Backing Up Your PIX Firewall Configuration, page 1-27
• Command Line Editing, page 1-28
• Filtering Show Command Output, page 1-28
• Command Output Paging, page 1-29
• Commen

Note
• Configuration mode—Displays the prompt pixname(config)#, where pixname is the host name assigned to the PIX Firewall. You use configuration mode to change system configuration. All privileged, unprivileged, and configuration commands work in this mode. Use the configure terminal command to start configuration mode and the exit or quit commands to exit.
Step 5 The following prompt appears:
    Password:
Press the Enter key.

Step 6 You are now at privilege level 15, which lets you use all the commands assigned to this privilege level. The following prompt appears:
    pixfirewall#
Type configure terminal and press Enter. You are now in configuration mode.

Note If the Command Authorization feature (introduced in PIX Firewall Version 6.
Command Line Editing

PIX Firewall uses the same command-line editing conventions as Cisco IOS software. You can view all previously entered commands with the show history command or individually with the up arrow or the ^p keystroke. Once you have examined a previously entered command, you can move forward in the list with the down arrow or the ^n keystroke. When you reach a command you wish to reuse, you can edit it or press the Enter key to start it.
Table 1-2 Using Special Characters in Regular Expressions

Character Type | Character | Special Meaning
underscore     | _         | Matches a comma (,), left brace ({), right brace (}), left parenthesis, right parenthesis, the beginning of the input string, the end of the input string, or a space.
brackets       | []        | Designates a range of single-character patterns.
hyphen         | -         | Separates the end points of a range.
Configuration Size

For PIX Firewall Version 5.3(2) and higher, the PIX 525 and PIX 535 support configurations up to 2 MB. The maximum size for the PIX 501 is 256 KB. The maximum configuration size for all other PIX Firewall platforms is 1 MB. For PIX Firewall models using software before Version 5.3(2), the maximum configuration size is 350 KB.
Note The factory default setting for the DHCP address pool size is determined by your PIX Firewall platform and your feature license. For information about the possible options, refer to “Using the PIX Firewall DHCP Client” in Chapter 4, “Using PIX Firewall in SOHO Networks.
• To configure or use PIX Firewall system management tools, refer to Chapter 9, “Accessing and Monitoring PIX Firewall.”
• To configure the PIX Firewall failover feature, refer to Chapter 10, “Using PIX Firewall Failover.”
• To upgrade the software image on your PIX Firewall, refer to Chapter 11, “Changing Feature Licenses and System Software.
For more information on firewalls, refer to:
• Bernstein, T., Bhimani, A. B., Schultz, E., and Siegel, C. A. Internet Security for Business. Wiley. Information about this book is available at: http://www.wiley.com
• Chapman, D. B., and Zwicky, E. D. Building Internet Firewalls. O’Reilly. Information on this book is available at: http://www.ora.com/
• Cheswick, W., and Bellovin, S. Firewalls & Internet Security. Addison-Wesley.
CHAPTER 2 Establishing Connectivity

This chapter describes the basic preparation and configuration required to use the network firewall features of the Cisco PIX Firewall. After completing this chapter, you will be able to establish basic connectivity from your internal network to the public Internet or resources on your perimeter network.
Initial Configuration Checklist

Table 2-1 Initial Configuration Checklist

Task | Explanation | Procedure
If you have purchased a new feature license, upgrade your feature license | If you have purchased (or need to purchase) a new activation key for your PIX Firewall, upgrade your license before configuring the firewall. |
Table 2-1 Initial Configuration Checklist (continued)

Task | Explanation | Procedure
Configure PIX Firewall interfaces | Assign an IP address and subnet mask to each interface in your PIX Firewall that connects to another network. All interfaces in a new PIX Firewall are shut down by default. You need to explicitly enable each interface you are using. | Refer to the “Configuring PIX Firewall Interfaces” section on page 2-4.
To configure the default routes on a Cisco IOS router to forward traffic to the PIX Firewall, complete the following steps:

Step 1 Telnet to the router that connects to the inside interface of the PIX Firewall, or connect to the router’s console port. If you are using a Windows PC, you can connect to the console port using the HyperTerminal program. You will need to know the password for the router.
Assigning an IP Address and Subnet Mask

Assign an IP address to each interface in your PIX Firewall that connects to another network. PIX Firewall interfaces do not have IP addresses until you assign them.

Note Multiple IP addresses can be assigned on the outside interface for internal web servers.
• Replace hardware_id with the hardware name for the network interface card, such as ethernet2 and ethernet3, and so forth. For details about the interface numbering of a specific PIX Firewall model, refer to the Cisco PIX Firewall Hardware Installation Guide.
• Replace hardware_speed with the speed of the interface, using the values shown in Table 2-2.

Note
Use the show nameif command to view the current names and security levels for each interface. The results of this command for a PIX Firewall with three interfaces might be as follows.
Chapter 3, “Controlling Network Access and Use.”

Static NAT provides a permanent one-to-one map between two addresses. Dynamic NAT uses a range or pool of global addresses to let you support a large number of users with a limited number of global addresses. Port Address Translation (PAT) maps a single global IP address to many local addresses.
Table 2-3 Address Translation Types

Type of Address Translation | Function
Outside dynamic PAT | Translates between host addresses on less secure interfaces and a single address on a more secure interface. This provides a many-to-one mapping between external addresses and an internal address.
Figure 2-1 Sketching Interfaces and Security Levels
[Figure: a PIX Firewall with six interfaces: outside 209.165.201.1 (security0), dmz1 192.168.1.1 (security20), dmz2 192.168.2.1 (security40), dmz3 192.168.3.1 (security60), dmz4 192.168.4.1 (security80), inside 192.168.0.1 (security100)]

Step 3 Add a nat command statement for each higher security level interface from which you want users to start connections to interfaces with lower security levels:
a.
Step 4 Add a global command statement for each lower security interface to which you want users to have access; for example, on the outside, dmz1, and dmz2. The global command creates a pool of addresses that translated connections pass through. There should be enough global addresses to handle the number of users on each interface simultaneously accessing the lower security interface.
Another way to measure traffic is to back up your PAT address. For example:

    nat (inside) 1 10.1.0.0 255.255.0.0
    global (outside) 1 209.165.200.225
    global (outside) 1 192.168.1.1

In this example, two addresses are configured for setting up PAT on hosts from the internal network 10.1.0.0/16 in global configuration mode.
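The three translation types described above (static NAT, dynamic NAT from a pool, and PAT with a backup PAT address as in the nat/global example just shown), as an added Python simulation written for this page, not code from the Cisco guide or the PIX Firewall; the port range, the order in which pool and PAT addresses are consumed, and the translate/untranslate API are assumptions:

```python
"""Simulation of PIX-style address translation: static NAT, a dynamic NAT
pool, and PAT with a backup PAT address.

Added example for this page, not code from the Cisco guide or the PIX
Firewall.  It models the configuration quoted above:
    nat (inside) 1 10.1.0.0 255.255.0.0
    global (outside) 1 209.165.200.225
    global (outside) 1 192.168.1.1
Port range, order of address use and the lookup API are assumptions.
"""
import ipaddress


class Translator:
    def __init__(self, nat_network, pat_addresses, pool=(), static=None,
                 port_range=(1024, 65535)):
        # Hosts outside nat_network get no translation (no nat statement matches).
        self.nat_network = ipaddress.ip_network(nat_network)
        self.pat_addresses = list(pat_addresses)    # first = primary PAT, rest = backups
        self.pool = list(pool)                      # free dynamic NAT addresses
        self.static = dict(static or {})            # local_ip -> global_ip, permanent
        self.lo, self.hi = port_range
        self.xlate = {}                             # (local_ip, local_port) -> (global_ip, global_port)
        self.pool_assigned = {}                     # local_ip -> global_ip taken from the pool
        self.next_port = {g: self.lo for g in self.pat_addresses}

    def translate(self, local_ip, local_port):
        """Return the (global_ip, global_port) an outbound flow is seen as, or None."""
        key = (local_ip, local_port)
        if key in self.xlate:
            return self.xlate[key]
        # Static NAT: permanent one-to-one map, port unchanged.
        if local_ip in self.static:
            return self._remember(key, self.static[local_ip], local_port)
        if ipaddress.ip_address(local_ip) not in self.nat_network:
            return None
        # Dynamic NAT: each inside host takes one address from the pool
        # while addresses remain; the port is carried through unchanged.
        g = self.pool_assigned.get(local_ip)
        if g is None and self.pool:
            g = self.pool.pop(0)
            self.pool_assigned[local_ip] = g
        if g is not None:
            return self._remember(key, g, local_port)
        # PAT: many inside hosts share one global address, told apart by the
        # translated port.  When the primary address has no ports left, the
        # backup PAT address is used, which is what the second global
        # statement in the quoted configuration provides.
        for g in self.pat_addresses:
            p = self.next_port[g]
            if p <= self.hi:
                self.next_port[g] = p + 1
                return self._remember(key, g, p)
        return None   # every global address and port is in use

    def _remember(self, key, global_ip, global_port):
        self.xlate[key] = (global_ip, global_port)
        return self.xlate[key]

    def untranslate(self, global_ip, global_port):
        """Map a returning packet's destination back to the inside host."""
        for local, glob in self.xlate.items():
            if glob == (global_ip, global_port):
                return local
        return None
```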
Note Before testing your configuration, flush the ARP caches on any routers that feed traffic into or from the PIX Firewall and between the PIX Firewall and the Internet. For Cisco routers, use the clear arp command to flush the ARP cache.

Configuring RIP Static Routes on PIX Firewall

Follow these steps to add static routes:

Step 1 Sketch out a diagram of your network as shown in Figure 2-2.
The “1” at the end of the command statement specifies how many hops (routers) the router is from the PIX Firewall. Because it is the first router, you use 1.

Step 3 Add the static routes for the dmz4 interface:

    route dmz4 192.168.7.0 255.255.255.0 192.168.4.2 1
    route dmz4 192.168.8.0 255.255.255.0 192.168.4.2 1

These command statements direct packets intended for the 192.168.6.0 and 192.168.7.
A router that has interfaces in multiple areas is called an Area Border Router (ABR). A router that redistributes traffic or imports external routes (Type 1 or Type 2) between routing domains is called an Autonomous System Boundary Router (ASBR). An ABR uses link-state advertisements (LSA) to send information about available routes to other OSPF routers.
Table 2-4 Cisco IOS OSPF Commands Supported in PIX Firewall Version 6.
• Redistribution of routes between non-OSPF routing protocols
• Policy Routing

A maximum of two OSPF processes are allowed, and the PIX Firewall only allows redistribution between these OSPF processes. Any topology in which the same router is connected to two different interfaces of the PIX Firewall is not supported.
In this configuration, the inside interface learns routes dynamically from all areas, but its private routes are not propagated onto the backbone or public areas. The DMZ is visible to the backbone.
To move the network 10.130.12.0 255.255.255.0 area 10.130.12.0 to router ospf 10, enter the following commands:

    pixfirewall(config-router)# router ospf 50
    pixfirewall(config-router)# no network 10.130.12.0 255.255.255.0 area 10.130.12.0
    pixfirewall(config-router)# router ospf 10
    pixfirewall(config-router)# network 10.130.12.0 255.255.255.0 area 10.130.12.0
    pixfirewall(config-router)# s router
    router ospf 10
     network 10.130.12.
Viewing OSPF Configuration
Table 2-5 lists some of the show commands that you can enter from privileged or configuration modes to display information about OSPF on the PIX Firewall. Refer to the Cisco PIX Firewall Command Reference or to the Cisco IOS documentation for all the options and the detailed syntax.
Testing and Saving Your Configuration
Table 2-5 OSPF show Commands (continued)
Command: show ospf retransmission-list [neighbor-addr] [interface-name]
Result: Displays a list of all link-state advertisements (LSAs) waiting to be resent. Replace neighbor-addr with the IP address of a neighbor. Replace interface-name with the identifier for a specific interface.
Testing Connectivity
You can use the access-list command to allow hosts on one interface to ping through to hosts on another interface. This lets you test that a specific host is reachable through the PIX Firewall. The ping program sends an ICMP echo request message to the IP address and then expects to receive an ICMP echo reply.
To ping from one interface to another, bind the access-list and access-group command statements to the lower security interface, which lets the ICMP echo reply return to the sending host. For example, enter the following command statement to ping from the inside interface to the outside interface:
access-group acl_out in interface outside
Step 3 Enable debugging.
Basic Configuration Examples
Also try the following to fix unsuccessful pings:
a. Verify the physical connectivity of the affected interface(s). If there are switches or hubs between the hosts and the PIX Firewall, verify that all the links are working. You can try connecting a host directly to the PIX Firewall using a crossover cable.
b. Make sure you have a default route command statement for the outside interface. For example:
route outside 0 0 209.165.201.2 1
c.
Two Interfaces Without NAT or PAT
When you first add a PIX Firewall to an existing network, it is easiest to implement if you do not have to renumber all the inside and outside IP addresses. The configuration in Figure 2-5 illustrates this scenario. All inside hosts can start connections. All external hosts are blocked from initiating connections or sessions on inside hosts.
Figure 2-5 Two Interfaces Without NAT
Step 5 Set the ARP timeout to 14,400 seconds (four hours):
arp timeout 14400
With this command, entries are kept in the ARP table for four hours before they are flushed. Four hours is the standard default value for ARP timeouts.
Step 6 Disable failover access:
no failover
Step 7 Enable the use of text strings instead of IP addresses:
names
This makes your configuration files more readable.
Step 14 Disable SNMP access and SNMP traps generation:
no snmp-server location
no snmp-server contact
snmp-server community public
Step 15 Set the maximum transmission unit value for Ethernet access:
mtu outside 1500
mtu inside 1500
Example 2-2 shows the listing for the basic configuration required to implement a PIX Firewall with two interfaces without NAT.
Figure 2-6 Two Interfaces with NAT or PAT
The following steps show how to change the example given in “Two Interfaces Without NAT or PAT” for enabling NAT and PAT:
Step 1 Identify the IP addresses for each interface:
ip address outside 209.165.201.3 255.255.255.224
ip address inside 192.168.3.1 255.255.255.
no failover
names
pager lines 24
logging buffered debugging
nat (inside) 1 0 0
global (outside) 1 209.165.201.10-209.165.201.30
global (outside) 1 209.165.201.8
route outside 0.0.0.0 0.0.0.0 209.165.201.
The following procedure shows the way the configuration for this example differs from the example shown in “Two Interfaces Without NAT or PAT.”
Step 1 Identify the security level and names of each interface by entering the following commands:
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
An additional nameif command is required for the third interface in this example.
no failover
arp timeout 14400
nat (inside) 0 209.165.201.8 255.255.255.248
static (dmz,outside) 209.165.201.2 209.165.201.19 netmask 255.255.255.248
access-group acl_out in interface outside
access-group ping_acl in interface inside
access-group ping_acl in interface dmz
route outside 0.0.0.0 0.0.0.0 209.165.201.
The following procedure shows the commands that differ from the example shown in “Three Interfaces Without NAT or PAT”:
Step 1 Enable Telnet access for a host on the inside interface of the PIX Firewall by entering the following commands:
telnet 10.0.0.100 255.255.255.255
telnet timeout 15
Step 2 Create a pool of global addresses for the outside and DMZ interfaces.
Using VLANs with the Firewall
global (outside) 1 209.165.201.10-209.165.201.30
global (outside) 1 209.165.201.5
global (dmz) 1 192.168.0.10-192.168.0.20
nat (inside) 1 10.0.0.0 255.0.0.0
nat (dmz) 1 192.168.0.0 255.255.255.0
static (dmz,outside) 209.165.201.6 webserver netmask 255.255.255.
Note When configuring failover for a VLAN interface, hello packets are sent over the physical interface, so the physical interface must be configured with an IP address.
Using Logical Interfaces
With Version 6.3, you can assign VLANs to physical interfaces on the PIX Firewall, or you can configure multiple logical interfaces on a single physical interface and assign each logical interface to a specific VLAN.
Note To determine the maximum number of logical interfaces that you can use, subtract the number of physical interfaces in use on your PIX Firewall from the number of total interfaces.
VLAN Security Issues
By default, with no VLANs configured, the PIX Firewall sends untagged packets to any directly connected switch.
In Figure 2-9, the PIX Firewall is configured with one physical and one logical interface assigned to VLAN 2 and VLAN 3. The PIX Firewall interconnects the two VLANs, while providing firewall services, such as access lists, to improve network security.
Using Outside NAT
Replace old_vlan_id with the existing VLAN ID and replace new_vlan_id with the new VLAN ID you want to use. This command lets you change the VLAN ID without removing the logical interface, which is helpful if you have added a number of access-lists or firewall rules to the interface and you do not want to start over.
After you configure outside NAT, when a packet arrives at the outer (less secure) interface of the PIX Firewall, the PIX Firewall attempts to locate an existing xlate (address translation entry) in the connections database. If no xlate exists, it searches the NAT policy from the running configuration. If a NAT policy is located, an xlate is created and inserted into the database.
These commands translate all the source addresses on the remote network to a range of internal IP addresses (192.168.100.3-128). The router then automatically distributes the traffic from the inside interface of the PIX Firewall along with traffic originating on the 192.168.100.0 subnetwork.
Configuring Overlapping Networks
In Figure 2-11, the PIX Firewall connects two private networks with overlapping address ranges.
Policy NAT
The NAT command for outside NAT, which translates the outside hosts from 192.168.100.0/24 into 209.165.201.0/24 on the inside network, is as follows:
static (outside, inside) 209.165.201.0 192.168.100.0 netmask 255.255.255.0
In addition, the following routes need to be added in the PIX Firewall:
route outside 192.168.100.128 255.255.255.128 209.165.200.225 2
route outside 192.168.100.0 255.255.255.128 209.165.200.
Figure 2-12 shows a host on the 10.1.2.0/24 network accessing two different servers. When the host accesses the server at 209.165.201.11, the local address is translated to 209.165.202.129. When the host accesses the server at 209.165.200.225, the local address is translated to 209.165.202.130.
Figure 2-12 Policy NAT with Different Destination Addresses
Figure 2-13 shows the use of source and destination ports. The host on the 10.1.2.0/24 network accesses a single host for both web services and Telnet services. When the host accesses the server for web services, the local address is translated to 209.165.202.129. When the host accesses the same server for Telnet services, the local address is translated to 209.165.202.130.
Figure 2-13 Policy NAT with Different Destination Ports
Limitations
The following configuration limitations apply to policy NAT:
• Access lists must contain permit statements only. Access lists for policy NAT cannot contain deny statements.
• An access list must be used only once with the nat command.
Enabling Stub Multicast Routing
Step 4 Enter global commands to associate the outside addresses for translation to the outside destination networks.
global (outside) 1 209.165.202.129 255.255.255.255
global (outside) 2 209.165.202.130 255.255.255.255
Configuring Static Translations
Step 1 Configure IP addresses for the inside and outside interfaces.
ip address inside 10.1.2.1 255.255.255.0
ip address outside 209.165.202.129 255.255.255.
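To make the policy NAT lookup of Figures 2-12 and 2-13 and the two limitations listed above concrete, here is an added Python model; it is not Cisco code and does not reproduce the PIX implementation. The access list names NET1, NET2, WEB and TELNET, and the single server address used for the port-based case (the figure label is truncated on this page), are assumptions; the global addresses are the ones from Step 4.

```python
"""Policy NAT lookup modelled on Figures 2-12 and 2-13 (added example, not Cisco code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One access list entry of the kind a policy NAT access list may contain."""
    action: str                   # "permit" or "deny" (deny is not allowed for policy NAT)
    proto: str                    # "ip" matches any protocol; otherwise "tcp" / "udp"
    src: str                      # source network in CIDR form
    dst: str                      # destination network in CIDR form
    dport: Optional[int] = None   # destination port ("eq port"); None = any port


class PolicyNat:
    """Holds nat (inside) <id> access-list <acl> bindings and the matching
    global (outside) <id> <address> entries (Step 4 above)."""

    def __init__(self) -> None:
        self.acls: Dict[str, List[Ace]] = {}
        self.nat_rules: List[Tuple[int, str]] = []
        self.globals: Dict[int, str] = {}

    def access_list(self, name: str, *aces: Ace) -> None:
        self.acls.setdefault(name, []).extend(aces)

    def nat(self, nat_id: int, acl_name: str) -> None:
        self.nat_rules.append((nat_id, acl_name))

    def global_(self, nat_id: int, address: str) -> None:
        self.globals[nat_id] = address

    def validate(self) -> List[str]:
        """Check the two limitations stated on the page: access lists must be
        permit-only, and an access list may be bound to nat only once."""
        problems: List[str] = []
        used = set()
        for _, acl_name in self.nat_rules:
            if acl_name in used:
                problems.append(f"{acl_name}: bound to more than one nat command")
                continue
            used.add(acl_name)
            if any(a.action != "permit" for a in self.acls.get(acl_name, [])):
                problems.append(f"{acl_name}: contains a deny statement")
        return problems

    @staticmethod
    def _matches(ace: Ace, proto: str, src: str, dst: str, dport: int) -> bool:
        if ace.proto != "ip" and ace.proto != proto:
            return False
        if ipaddress.ip_address(src) not in ipaddress.ip_network(ace.src):
            return False
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(ace.dst):
            return False
        return ace.dport is None or ace.dport == dport

    def translate(self, proto: str, src: str, dst: str, dport: int) -> Optional[str]:
        """Return the global address the source of a new connection is translated
        to, or None when no policy matches (the PIX would then fall back to
        regular NAT, which this model leaves out)."""
        for nat_id, acl_name in self.nat_rules:
            if any(self._matches(a, proto, src, dst, dport) for a in self.acls[acl_name]):
                return self.globals[nat_id]
        return None


def figure_2_12() -> PolicyNat:
    """Different destination addresses (Figure 2-12). ACL names are assumed."""
    p = PolicyNat()
    p.access_list("NET1", Ace("permit", "ip", "10.1.2.0/24", "209.165.201.11/32"))
    p.access_list("NET2", Ace("permit", "ip", "10.1.2.0/24", "209.165.200.225/32"))
    p.nat(1, "NET1")
    p.nat(2, "NET2")
    p.global_(1, "209.165.202.129")
    p.global_(2, "209.165.202.130")
    return p


def figure_2_13(server: str = "209.165.201.11") -> PolicyNat:
    """Different destination ports on one server (Figure 2-13). The server
    address and the ACL names are assumptions."""
    p = PolicyNat()
    p.access_list("WEB", Ace("permit", "tcp", "10.1.2.0/24", f"{server}/32", 80))
    p.access_list("TELNET", Ace("permit", "tcp", "10.1.2.0/24", f"{server}/32", 23))
    p.nat(1, "WEB")
    p.nat(2, "TELNET")
    p.global_(1, "209.165.202.129")
    p.global_(2, "209.165.202.130")
    return p


def broken_config() -> PolicyNat:
    """Constructed configuration that violates both limitations."""
    p = PolicyNat()
    p.access_list("BAD", Ace("deny", "ip", "10.1.2.0/24", "0.0.0.0/0"))
    p.nat(1, "BAD")
    p.nat(2, "BAD")
    return p


if __name__ == "__main__":
    print(figure_2_12().translate("tcp", "10.1.2.7", "209.165.201.11", 443))
    print(figure_2_13().translate("tcp", "10.1.2.7", "209.165.201.11", 23))
    print(broken_config().validate())
```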
Overview
SMR allows the PIX Firewall to function as a “stub router.” A stub router is a device that acts as an Internet Group Management Protocol (IGMP) proxy agent. The IGMP is used to dynamically register specific hosts in a multicast group on a particular LAN with a multicast (MC) router.
Replace mc-source-if-name with the name of the PIX Firewall interface that is connected to the MC router. This is typically the outside interface. For example, the following command enables the forwarding of IGMP reports on the currently selected PIX Firewall interface, when the MC router is connected to the interface named “outside.
Example 2-7 Inside Receiving Hosts with Access Control
The following example configures the inside and DMZ receivers:
multicast interface outside
igmp access-group 1
multicast interface inside
igmp forward interface outside
igmp access-group 1
multicast interface dmz
igmp forward interface outside
igmp access-group 1
! The following permits igmp messages to 225.2.1.0/25 network
access-list 1 permit igmp any 225.2.1.0 255.255.255.
• Replace out-if-name with the name of the PIX Firewall interface connected to the next-hop router interface toward the hosts registered to receive the transmission. This is typically the outside (or less secure) interface.
Use the following command to clear static multicast routes:
clear mroute [src-addr | group-addr | interface interface_name]
Replace src-addr with the IP address of the multicast source. Replace group-addr with the address of the receiving multicast group. Replace interface_name with the PIX Firewall interface on which multicasts are enabled.
EG - Egress
Forwarding Counts: Packets in/Packets out/Bytes out
Failure Counts: RPF / TTL / Empty Olist / Other
(*,225.2.1.14), Flags: S
Last Used: 0:00:16
Forwarding Counts: 3/1/188
Failure Counts: 0/0/2/0
inside Flags: F
(192.168.1.113,225.2.1.
Cisco PIX Firewall and VPN Configuration Guide 2-52 78-15033-01
Chapter 3 Controlling Network Access and Use
This chapter describes how to establish and control network connectivity for different applications and implementations after you have completed your basic configuration, described in Chapter 2, “Establishing Connectivity.
Enabling Inbound Connections
The main options of the static command are as follows:
static [(internal_if_name, external_if_name)] global_ip local_ip [netmask network_mask] [max_conns]
• Replace internal_if_name with the internal network interface name. In general, this is the higher security level interface you are accessing.
• Replace external_if_name with the external network interface name.
You use the access-list and access-group commands to permit access based on source or destination IP address, or by the protocol port number. Use the access-list command to create a single access list entry, and use the access-group command to bind one or more access list entries to a specific interface. Only specify one access-group command for each interface.
Controlling Outbound Connectivity
• Use the first port parameter after an operator to identify the protocol port used by the source host that initiates the connection.
• Replace destination_address with the host or network global address that you specified with the static command statement. For a host address, precede the address with host; for networks, specify the network address and the appropriate network mask.
Using the Static Command for Port Redirection
Use the deny parameter to restrict specific types of access. For example, to prevent hosts belonging to the 192.168.1.0 network on the inside interface from starting connections on the outside interface and to permit all others, specify the 192.168.1.0 network address as the source address and the network connected to the outside interface as the destination address.
Port Redirection Configuration
Figure 3-1 illustrates a typical network scenario in which the port redirection feature might be useful.
Figure 3-1 Port Redirection Using the Static Command
Step 6 Redirect FTP requests for IP address 209.165.201.5:
static (inside,outside) tcp 209.165.201.5 ftp 10.1.1.3 ftp netmask 255.255.255.255 0 0
This command causes FTP requests to be redirected to 10.1.1.3.
Step 7 Redirect Telnet requests for PAT address 209.165.201.15:
static (inside,outside) tcp 209.165.201.15 telnet 10.1.1.4 telnet netmask 255.255.255.
Using Authentication and Authorization
You can use access lists to control traffic based on IP address and protocol, but to control access and use for specific users or groups, you must use authentication and authorization. Authentication, which is the process of identifying users, is supported by the PIX Firewall for RADIUS and TACACS+ servers. Authorization identifies the specific permissions for a given user.
Follow these steps to enable the PIX Firewall to support user authentication and authorization:
Step 1 For inbound authentication, create the static and access-list command statements required to permit outside hosts to access servers on the inside network.
Step 2 If the internal network connects to the Internet, create a global address pool of registered IP addresses.
Step 5 Enable authorization with the aaa authorization command. PIX Firewall checks the authorization request with the AAA server, which makes the decision about what services a user can access.
aaa authorization include authen_service if_name 0 0 0 0
Replace authen_service with an identifier that specifies the traffic to be included, such as ftp, telnet, or http.
Figure 3-2 Secure Authentication Page
Note The Cisco Systems text field shown in this example was customized using the auth-prompt command. For the detailed syntax of this command, refer to the Cisco PIX Firewall Command Reference. If you do not enter a string using the auth-prompt command, this field will be blank.
Because HTTPS authentication occurs on the SSL port 443, do not use the access-list command to block traffic from the HTTP client to the HTTP server on port 443. Also, if you configure static PAT for web traffic on port 80, you must also configure a static entry for SSL port 443.
Using MAC-Based AAA Exemption
PIX Firewall Versions 6.3 and higher let you use Media Access Control (MAC) addresses to bypass authentication for devices, such as Cisco IP Phones, that do not support AAA authentication. To use this feature, you identify the MAC addresses on the inside (higher security) interface.
Access Control Configuration Example
To view the current entries in a specific MAC list, enter the following command:
show mac-list [mcl-id]
If you omit the MAC list identifier, the system displays all currently configured MAC lists. To clear all the entries on a MAC list, enter the following command:
clear mac-list [mcl-id]
If you omit the MAC list identifier, the system clears all the currently configured MAC lists.
The following procedure shows the basic configuration required for this example.
Authentication and Authorization
This section describes how to implement authentication and authorization for traffic through the PIX Firewall, using a TACACS+ server. The commands used for this purpose are in addition to the basic firewall configuration required, which is described in the previous section, “Basic Configuration.” The aaa-server command specifies the IP address of the TACACS+ authentication server.
Step 2 Specify that the access-list group regulates the activities of inside hosts starting outbound connections:
access-group acl_in in interface inside
Note For information about logging activity associated with specific ACLs, see “Logging Access Control List Activity” in Chapter 9, “Accessing and Monitoring PIX Firewall.”
Step 3 Create static address mappings:
static (inside, outside) 209.165.201.16 192.168.3.
Using TurboACL
Adding Comments to ACLs
PIX Firewall Version 6.3 and higher lets you include comments about entries in any ACL. The remarks make the ACL easier to understand and scan. A remark can be up to 100 characters and can precede or follow an access-list command. However, for clarity, comments should be placed consistently within an access list.
Note When you add or delete an element from a turbo-enabled ACL, the internal data tables associated with the ACL are regenerated, which produces an appreciable load on the PIX Firewall CPU. The TurboACL feature requires significant amounts of memory and is most appropriate for high-end PIX Firewall models, such as the PIX 525 or PIX 535. The minimum memory required for TurboACL is 2.
Downloading Access Lists
Viewing TurboACL Configuration
The show access-list command displays the memory usage of each individually turbo-compiled ACL and the shared memory usage for all the turbo-compiled ACLs. If no ACL is turbo-compiled, no turbo-statistic is displayed. This command also shows the number of ACEs in an ACL and whether an ACL is configured with TurboACL.
The following are the two methods for downloading an access list from a AAA server to the PIX Firewall:
• Downloading a named access list—Configure a user (real) authentication profile to include a Shared Profile Component (SPC) and then configure the SPC to include the access list name and the actual access list. This method should be used when there are frequent requests for downloading a large access list.
Step 3 Configure a Cisco Secure ACS user or a group through User Setup or Group Setup to include the defined ACL in the user or group settings. Once the configuration is complete, a user authentication request will first cause the access list name to be sent to the PIX Firewall. The PIX Firewall will determine if the named ACL already exists and if not, the PIX Firewall will request the ACL to be downloaded.
Statements are separated by colons (:). Statements should not include the access-list command or the access list name. You can configure multiple occurrences of the string “ip:inacl#nnn=” in the same user authentication profile to define a PIX Firewall access list. If multiple entries have the same sequence number, they will be configured in the same order as they appear in the Cisco-specific VSA attribute.
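To show how the PIX would reassemble a downloaded access list from the attribute format described above, here is an added Python parser; it is not Cisco code and does not claim to match the PIX implementation. The attribute values, the list name and the extra shell:priv-lvl pair in it are constructed; the colon separation of statements, the rejection of the access-list keyword and the ordering of equal sequence numbers follow the rules stated on this page.

```python
"""Builds PIX access-list commands from Cisco VSA values of the form
ip:inacl#nnn=<statement>[:<statement>...] (added example, not Cisco code)."""
import re
from typing import List, Tuple

# Sequence number after '#', one or more colon-separated statements after '='.
_INACL = re.compile(r"^ip:inacl#(\d+)=(.+)$")


def parse_inacl(av_pairs: List[str]) -> List[Tuple[int, str]]:
    """Return (sequence, statement) pairs in the order the PIX would apply them:
    ascending sequence number, with equal numbers kept in attribute order."""
    entries: List[Tuple[int, str]] = []
    for value in av_pairs:
        m = _INACL.match(value.strip())
        if not m:
            continue  # other cisco-av-pair attributes are not part of the ACL
        seq = int(m.group(1))
        for stmt in m.group(2).split(":"):   # statements are separated by colons
            stmt = stmt.strip()
            if not stmt:
                continue
            # The PIX supplies the access-list keyword and the list name itself.
            if stmt.split()[0] == "access-list":
                raise ValueError(f"statement must not carry the access-list keyword: {stmt}")
            entries.append((seq, stmt))
    entries.sort(key=lambda e: e[0])  # list.sort is stable, so ties keep VSA order
    return entries


def build_access_list(name: str, av_pairs: List[str]) -> List[str]:
    """Prefix each statement with 'access-list <name>' to form PIX commands."""
    return [f"access-list {name} {stmt}" for _, stmt in parse_inacl(av_pairs)]


# Constructed sample user profile (not taken from the page).
SAMPLE_AV_PAIRS = [
    "ip:inacl#20=deny ip any any",
    "ip:inacl#10=permit tcp any host 10.1.1.5 eq 80:permit tcp any host 10.1.1.5 eq 443",
    "ip:inacl#10=permit udp any host 10.1.1.6 eq 53",
    "shell:priv-lvl=15",
]

if __name__ == "__main__":
    for line in build_access_list("acl_downloaded", SAMPLE_AV_PAIRS):
        print(line)
```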
Simplifying Access Control with Object Grouping
This section describes how to use object grouping, a feature introduced in PIX Firewall Version 6.2, for simplifying complex access control policies.
After creating these groups, you could use a single access rule to allow trusted hosts to make specific service requests to a group of public servers. Object groups can also contain other object groups or be contained by other object groups. Object grouping dramatically compresses the number of access rules required to implement a particular security policy.
Configuring and Using Object Groups with Access Control
To configure an object group and to use it for configuring access lists, perform the following steps:
Step 1 Enter the appropriate subcommand mode for the type of group you want to configure.
Step 5 (Optional) Verify that the object group has been configured successfully:
pix(config)# show object-group [network | services | icmp-type] [grp-id]
This command displays a list of the currently configured object groups of the specified type. Without a parameter, the command displays all object groups.
Note The show config and write commands display the commands in the same way they are configured.
Configuring Protocol Object Groups
This section describes the commands required to configure a protocol object group.
Enter the following command to add a single TCP or UDP port number to the service object group:
pix(config-service)# port-object eq service grp-id
Enter the following command to add a range of TCP or UDP port numbers to the service object group:
pix(config-service)# port-object range begin_service end_service
Enter the following command to add the object group identified by grp-id to the current service object g
Step 4 Add the first object group to the group that will contain that object:
pix(config-protocol)# group-object A
Step 5 Add any other objects to the group that are required:
pix(config-protocol)# protocol-object 4
The resulting configuration of Group_B in this example is equivalent to the following:
pix(config-protocol)#
pix(config-protocol)#
pix(config-protocol)#
pix(config-protocol)# protocol-object prot
Filtering Outbound Connections
To remove a specific object group, use the following command:
pix(config)# no object-group grp_id
Replace grp_id with the identifier assigned to the specific group you want to remove.
Note You cannot remove an object group or make an object group empty if it is used in a command.
Filtering Java Applets
The filter java command filters out Java applets that return to the PIX Firewall from an outbound connection. The user still receives the HTML page, but the web page source for the applet is commented out so that the applet cannot execute.
When a user issues an HTTP request to a website, the PIX Firewall sends the request to the web server and to the filtering server at the same time. If the filtering server permits the connection, the PIX Firewall allows the reply from the website to reach the user who issued the original request. If the filtering server denies the connection, the PIX Firewall redirects the user to a block page, indicating that access was denied.
Buffering HTTP Replies for Filtered URLs
By default, when a user issues a request to connect to a specific website, the PIX Firewall sends the request to the web server and to the filtering server at the same time. If the filtering server does not respond before the web content server, the response from the web server is dropped. This delays the web server response from the point of view of the web client.
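To show why the web server reply is lost in this race and what a reply buffer changes, here is an added Python simulation; it is not Cisco code, and its UrlFilterProxy class and block_limit parameter are constructed stand-ins for the url-block block command rather than the PIX implementation. The URL and reply blocks it uses are constructed sample data.

```python
"""Race between the web server reply and the filtering server verdict
(added example, not Cisco code). block_limit models
'url-block block <block-buffer-limit>'; 0 reproduces the default (no buffering)."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional


@dataclass
class PendingRequest:
    verdict: Optional[str] = None                        # "permit", "deny" or None
    buffered: Deque[str] = field(default_factory=deque)  # reply blocks held back


class UrlFilterProxy:
    def __init__(self, block_limit: int = 0) -> None:
        self.block_limit = block_limit
        self.pending: Dict[str, PendingRequest] = {}
        self.delivered: List[str] = []    # reply blocks forwarded to the client
        self.dropped: List[str] = []      # reply blocks dropped (server must resend)
        self.block_pages: List[str] = []  # URLs answered with the block page

    def buffered_total(self) -> int:
        return sum(len(p.buffered) for p in self.pending.values())

    def client_request(self, url: str) -> None:
        # The request goes to the web server and the filtering server at the
        # same time, so both answers are now outstanding.
        self.pending[url] = PendingRequest()

    def web_reply(self, url: str, block: str) -> str:
        """Return what happened to one reply block: forwarded, buffered or dropped."""
        req = self.pending[url]
        if req.verdict == "permit":
            self.delivered.append(block)
            return "forwarded"
        if req.verdict == "deny":
            self.dropped.append(block)
            return "dropped"
        # Verdict still outstanding: only a configured buffer with room can hold it.
        if self.buffered_total() < self.block_limit:
            req.buffered.append(block)
            return "buffered"
        self.dropped.append(block)
        return "dropped"

    def filter_verdict(self, url: str, verdict: str) -> None:
        req = self.pending[url]
        req.verdict = verdict
        if verdict == "permit":
            self.delivered.extend(req.buffered)  # release what was held back
        else:
            self.dropped.extend(req.buffered)
            self.block_pages.append(url)         # client is redirected instead
        req.buffered.clear()


def run_race(block_limit: int, reply_blocks: int = 3, verdict: str = "permit") -> dict:
    """The web server answers with reply_blocks blocks before the filtering
    server responds; returns what happened to each block and the totals."""
    proxy = UrlFilterProxy(block_limit)
    url = "http://www.example.com/"  # constructed sample URL
    proxy.client_request(url)
    outcomes = [proxy.web_reply(url, f"block{i}") for i in range(reply_blocks)]
    proxy.filter_verdict(url, verdict)
    return {"outcomes": outcomes, "delivered": len(proxy.delivered),
            "dropped": len(proxy.dropped), "block_pages": len(proxy.block_pages)}


if __name__ == "__main__":
    print("no buffer:   ", run_race(0))
    print("buffer of 8: ", run_race(8))
    print("buffer of 2: ", run_race(2))
```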
To enable HTTPS filtering, use the following command:
filter https dest_port |except localIP local_mask foreign_IP foreign_mask [allow]
To enable FTP filtering, use the following command:
filter ftp dest_port |except localIP local_mask foreign_IP foreign_mask [allow] [interact-block]
The filter ftp command lets you identify the FTP traffic to be filtered by a Websense server. FTP filtering is not supported on N2H2 servers.
Filtering Long URLs
PIX Firewall Version 6.1 and earlier versions do not support filtering URLs longer than 1159 bytes. PIX Firewall Versions 6.2 and higher support filtering URLs up to 4 KB for the Websense filtering server. PIX Firewall Versions 6.2 and higher support a maximum URL length of 1159 bytes for the N2H2 filtering server. In addition, PIX Firewall Version 6.
URL Server Status:
-----------------
10.130.28.
Configuration Procedure
Perform the following steps to filter URLs:
Step 1 Identify the address of the filtering server with the url-server commands:
For Websense:
# url-server [(if_name)] host local_ip [timeout seconds] [protocol TCP | UDP version 1|4]
For N2H2:
# url-server [(if_name)] vendor n2h2 host local_ip[:port number] [timeout seconds] [protocol TCP | UDP]
Replace if_name with the name of the PIX Firewall interface th
Step 3 (Optional) Enable buffering of HTTP replies for URLs that are pending a response from the filtering server by entering the following command:
url-block block block-buffer-limit
Replace block-buffer-limit with the maximum number of blocks that will be buffered.
Step 9 Configure the required URL filters at the user interface of the filtering server. For more information about filtering with the N2H2 or Websense filtering servers, refer to the following web sites:
http://www.websense.com
http://www.n2h2.
Chapter 4 Using PIX Firewall in SOHO Networks
This chapter describes features provided by the PIX Firewall that are used in the small office, home office (SOHO) environment.
Using PIX Firewall as an Easy VPN Remote Device
Overview
When used with PIX Firewall Versions 6.2 and higher, you can use a PIX Firewall 501 or PIX 506/506E as an Easy VPN Remote device when connecting to an Easy VPN Server, such as a Cisco VPN 3000 Concentrator or another PIX Firewall.
Note PIX Firewall 506/506E platforms, when used as Easy VPN remote devices, do not support the use of logical VLAN interfaces for sending traffic across a VPN tunnel.
Figure 4-2 Using the PIX Firewall in Client Mode
As shown in Figure 4-2, client mode causes VPN connections to be initiated by traffic, so resources are only used on demand.
Establishing Network Connectivity
Before you can connect the PIX Firewall Easy VPN Remote device to the Easy VPN Server, you must establish network connectivity between both devices through your Internet service provider (ISP). After connecting your PIX Firewall to the DSL or Cable modem, you should follow the instructions provided by your ISP to complete the network connection.
vpnclient mode {client-mode | network-extension-mode}
Step 5
• Client mode—This option applies NAT to all IP addresses of clients connected to the inside (higher security) interface of the PIX Firewall.
• Network extension mode—This option does not apply NAT to any IP addresses of clients on the inside (higher security) interface of the PIX Firewall.
RELATED CONFIGURATION
sysopt connection permit-ipsec
global (outside) 10 interface
global (outside) 65001 90.0.0.10
nat (inside) 10 60.0.0.0 255.255.255.0 0 0
access-list _vpnc_pat_acl permit ip any 10.0.0.0 255.255.255.0
access-list _vpnc_pat_acl permit ip any 110.0.0.0 255.255.255.0
access-list _vpnc_acl permit ip host 90.0.0.10 10.0.0.0 255.255.255.0
access-list _vpnc_acl permit ip host 90.0.0.10 110.0.0.
Overview

Secure unit authentication (SUA) is a feature introduced with PIX Firewall Version 6.3 to improve security when using a PIX Firewall as an Easy VPN Remote device. With SUA, one-time passwords, two-factor authentication, and similar authentication schemes can be used to authenticate the remote PIX Firewall before establishing a VPN tunnel to an Easy VPN Server.

Secure Unit Authentication (SUA) is configured as part of the VPN policy on the Easy VPN Server and cannot be configured directly on the Easy VPN Remote device. After connecting to the Easy VPN Server, the Easy VPN Remote device downloads the VPN policy, which then enables or disables SUA. When SUA is disabled and the PIX Firewall is in network extension mode, a connection is automatically initiated.

Note After enabling SUA, your local PIX Firewall will not require static credentials because credentials are entered manually each time a connection is made. However, if SUA is disabled for any reason at the Easy VPN Server, you will need static credentials to make a VPN connection.

PIX Firewall Version 6.3 or higher lets you use Media Access Control (MAC) addresses to bypass authentication for devices, such as Cisco IP Phones, that do not support this type of authentication. When MAC-based AAA exemption is enabled, the PIX Firewall bypasses the AAA server for traffic that matches both the MAC address of the device and the IP address that has been dynamically assigned by a DHCP server.

The following command omits the DN, and as a result the PIX Firewall prompts for this information:
pixfirewall(config)# ca subject-name
Common name (cn) [pixfirewall.example.com] :pixfirewall.example.com
Department (ou) []: VSEC BU
Company(o) []:Cisco System
State (st) []:CA
Country (c) []:US
Email (e) []:klee@example.
To establish a VPN tunnel with this server, enter the following command on the PIX Firewall used as an Easy VPN Remote device:
ca verifycertdn cn*myvpn, ou=myou, o=myorg, st=ca, c=US
This command causes the receiving PIX Firewall to accept certificates with any DN having the following attributes:
• Common Name (CN) containing the string myvpn
• Organizational Unit (OU) equal to myou
• Organization (O) equal to myorg

Using the PIX Firewall PPPoE Client

PPPoE provides a standard method of employing the authentication methods of the Point-to-Point Protocol (PPP) over an Ethernet network. When used by ISPs, PPPoE allows authenticated assignment of IP addresses. In this type of implementation, the PPPoE client and server are interconnected by Layer 2 bridging protocols running over a DSL or other broadband connection.

Step 3 Associate the username assigned by your ISP to the VPDN group by entering the following command:
vpdn group group_name localname username
Replace group_name with the VPDN group name and username with the username assigned by your ISP.

For example:
ip address outside 201.n.n.n 255.255.255.0 pppoe

Note The setroute option is an option of the ip address command that you can use to allow the access concentrator to set the default routes when the PPPoE client has not yet established a connection. When using the setroute option, you cannot have a statically defined route in the configuration.

6 packets sent, 6 received, 84 bytes sent, 0 received
pix1#

Using Related Commands

Use the following vpdn command to set the PPP parameters used during the PPP session:
vpdn group group_name ppp authentication [PAP|CHAP|MSCHAP]
Use the following command to cause the DHCP server to use the WINS and DNS addresses provided by the access concentrator as part of the PPP/IPCP negotiations:
dhcpd auto_config [client_ifx_name]
Th
Using the PIX Firewall DHCP Server

Table 4-2 DHCP Clients Supported by PIX Firewall
PIX Firewall Version | PIX Firewall Platform | Maximum Number of DHCP Client Addresses (Active Hosts)
Version 5.2 and earlier | All platforms | 10
Version 5.3 to Version 6.

Configuring the DHCP Server Feature

Be sure to configure the IP address and the subnet mask of the interface using the ip address command prior to enabling the DHCP server feature.

Note With PIX Firewall Version 6.3 and higher, the DHCP server can be enabled on any interface. With earlier versions, the DHCP server can only be enabled on the inside interface.

Step 6 Enable the DHCP daemon within the PIX Firewall to listen for DHCP client requests on the enabled interface.

crypto map mymap interface outside
sysopt connection permit-ipsec
nat (inside) 0 access-list ipsec-peer
isakmp policy 10 authentication preshare
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 3600
isakmp key 12345678 address 0.0.0.0 netmask 0.0.0.0
isakmp enable outside
!configure dhcp server pool of addresses
dhcpd address 172.17.1.100-172.17.1.

Note With PIX Firewall Version 6.2 and lower, the DHCP server can only be enabled on the inside interface and therefore can only respond to DHCP option 150 and 66 requests from Cisco IP Phones or other network devices on the internal network. With PIX Firewall Version 6.3 and higher, the DHCP server can be enabled on any interface and with as many instances as required.

Using DHCP Relay

PIX Firewall Version 6.3 provides a DHCP relay agent.

Replace seconds with the number of seconds allowed for relay address negotiation. You can use the following commands to display debugging information for the DHCP Relay Agent:
debug dhcprelay event
debug dhcprelay error
debug dhcprelay packet

Using the PIX Firewall DHCP Client

This section describes how to enable and manage the DHCP client on a PIX Firewall.

Note Do not configure the PIX Firewall with a default route when using the setroute argument of the ip address dhcp command.

Cisco PIX Firewall and VPN Configuration Guide 4-24 78-15033-01
Chapter 5 Configuring Application Inspection (Fixup)

This chapter describes how to use and configure application inspection, which is often called “fixup” because you use the fixup command to configure it.

How Application Inspection Works

Figure 5-1 Basic ASA Operations (figure: a client and a server on either side of the security appliance, whose ACL, XLATE, CONN, and Inspection stages are numbered 1 through 7 in the order a connection passes through them)

In Figure 5-1, operations are numbered in the order they occur, and are described as follows:
1. A TCP SYN packet arrives at the PIX Firewall to establish a new connection.
2. The PIX Firewall checks the access control list (ACL) database to determine if the connection is permitted.
3.

Table 5-1 Application Inspection Functions (continued)
Application | PAT? | NAT (1-1)? | PIX Firewall Version | Standards
FTP | Yes | Yes | | RFC 1123
H.323 | Yes | | Version 6.2 and higher | ITU-T H.323, H.245, H225.0, Q.931, Q.

Using the fixup Command

You can use the fixup command to change the default port assignments or to enable or disable application inspection for the following protocols and applications:
• CTIQBE (disabled by default)
• DNS
• ESP-IKE (disabled by default)
• FTP
• H.

You can view the explicit (configurable) fixup protocol settings with the show fixup command. The default settings for configurable protocols are as follows.

Basic Internet Protocols

This section describes how the PIX Firewall supports the most common Internet protocols and how you can use the fixup command and other commands to solve specific problems.

PIX Firewall Version 6.2 introduces full support for NAT and PAT of DNS messages originating from either inside (more secure) or outside (less secure) interfaces. This means that if a client on an inside network requests DNS resolution of an inside address from a DNS server on an outside interface, the DNS A-record is translated correctly.

The FTP application inspection inspects the FTP sessions and performs four tasks:
• Prepares dynamic secondary data connection
• Tracks FTP command-response sequence
• Generates an audit trail
• NATs embedded IP address
FTP application inspection prepares secondary channels for FTP data transfer.
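The following Python model, added here as an illustration and not part of the Cisco guide or the PIX Firewall software, walks through the four tasks just listed on a constructed FTP session: it keeps an audit trail of control-channel lines, pairs a 227 reply with the outstanding PASV command, rewrites the address embedded in PORT commands and 227 replies according to a NAT table, and records the one secondary data connection that should be opened. The NAT table, addresses, session lines and helper names are constructed for the example; the check that a PORT address belongs to the client is an extra defensive check not described on the page.

```python
"""Model of FTP application inspection (example code for this page, not PIX code)."""
import re
from dataclasses import dataclass, field
from typing import Optional

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(groups):
    """h1,h2,h3,h4,p1,p2 -> ('h1.h2.h3.h4', p1*256 + p2); reject values over 255."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in FTP address")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def encode_hostport(ip, port):
    return ",".join(ip.split(".")) + f",{port // 256},{port % 256}"


@dataclass
class FtpInspector:
    nat: dict                                     # local IP -> global IP (constructed static NAT)
    pending_cmd: Optional[str] = None             # last client command awaiting its reply
    pinholes: list = field(default_factory=list)  # (initiator, responder, responder_port)
    audit: list = field(default_factory=list)     # audit trail of control-channel lines

    def client_line(self, client_ip, server_ip, line):
        """Inspect one client->server control line; return the line to forward."""
        self.audit.append(f"{client_ip} -> {server_ip}: {line.strip()}")
        parts = line.split(None, 1)
        if not parts:
            return line
        self.pending_cmd = parts[0].upper()       # track the command/response sequence
        m = PORT_RE.match(line)
        if not m:
            return line
        ip, port = decode_hostport(m.groups())
        if ip != client_ip:
            # Extra defensive check: refuse PORT addresses that are not the client's own.
            raise ValueError("PORT address does not belong to the client")
        gip = self.nat.get(ip, ip)                # NAT the embedded address
        self.pinholes.append((server_ip, gip, port))   # active mode: server connects to client
        return f"PORT {encode_hostport(gip, port)}\r\n"

    def server_line(self, client_ip, server_ip, line):
        """Inspect one server->client control line; return the line to forward."""
        self.audit.append(f"{server_ip} -> {client_ip}: {line.strip()}")
        m = PASV_RE.match(line)
        if not m or self.pending_cmd != "PASV":
            return line                           # not a reply to an outstanding PASV
        ip, port = decode_hostport(m.groups())
        gip = self.nat.get(ip, ip)
        self.pinholes.append((client_ip, gip, port))   # passive mode: client connects to server
        self.pending_cmd = None
        return f"227 Entering Passive Mode ({encode_hostport(gip, port)}).\r\n"


def demo():
    """Constructed session: inside client 10.1.1.3 (translated to 209.165.201.3)
    talking to an outside server at 209.165.201.5."""
    insp = FtpInspector(nat={"10.1.1.3": "209.165.201.3"})
    fwd_port = insp.client_line("10.1.1.3", "209.165.201.5", "PORT 10,1,1,3,4,1\r\n")
    fwd_pasv = insp.client_line("10.1.1.3", "209.165.201.5", "PASV\r\n")
    fwd_227 = insp.server_line("10.1.1.3", "209.165.201.5",
                               "227 Entering Passive Mode (209,165,201,5,19,137).\r\n")
    return fwd_port, fwd_pasv, fwd_227, insp.pinholes, insp.audit


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Run the block directly to print the forwarded lines, the pinholes and the audit trail. A 227 reply that arrives without an outstanding PASV is forwarded unchanged and opens nothing, which is the behaviour the command-response tracking exists to provide.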
HTTP

You can use the fixup command to change the default port assignment for the Hypertext Transfer Protocol (HTTP). The command syntax is as follows.
fixup protocol http [port[-port]]
Use the port option to change the default port assignments from 80. Use the -port option to apply HTTP application inspection to a range of port numbers.

Note The no fixup protocol http command statement also disables the filter url command.

Application inspection of ESP traffic is disabled by default. To enable this feature, enter the following command:
fixup protocol esp-ike
When this feature is enabled, PIX Firewall preserves the IKE source port.

SMTP

This section describes how application inspection works with the Simple Mail Transfer Protocol (SMTP). It includes the following topics:
• Application Inspection, page 5-12
• Sample Configuration, page 5-13
You can use the fixup command to change the default port assignment for SMTP. The command syntax is as follows.
fixup protocol smtp [port[-port]]
The fixup protocol smtp command enables the Mail Guard feature.

The PIX Firewall inspects TFTP traffic and dynamically creates connections and translations, if necessary, to permit file transfer between a TFTP client and server with the fixup protocol tftp command. Specifically, the fixup inspects TFTP read request (RRQ), write request (WRQ), and error notification (ERROR).

Sample Configuration

Figure 5-3 illustrates a network scenario implementing SMTP and NFS on an internal network.

Figure 5-3 Sample Configuration with SMTP and NFS (Sun RPC) (figure labels: Internet; Intel Internet Phone; 209.165.201.2, 209.165.201.3, 209.165.201.4, 209.165.201.5; Outside; Global pool 209.165.201.6-8, 209.165.201.10 (PAT), 209.165.200.225-254; 209.165.201.1; PIX Firewall; RIP; 10.1.1.1, 10.1.1.3, 10.1.1.11, 10.1.1.
If the mail server has to talk to many mail servers on the outside which connect back with the now obsolete and highly criticized IDENT protocol, use this access-list command statement to speed up mail transmission. The access-group command statement binds the access-list command statements to the outside interface. Example 5-1 shows a command listing for configuring access to services for the network.

Voice Over IP

• CTIQBE application inspection does not support configurations using the alias command, which is deprecated after the introduction of outside NAT with PIX Firewall Version 6.2.
• Stateful Failover of CTIQBE calls is not supported.
• Using the debug ctiqbe command may delay message transmission, which may have a performance impact in a real-time environment.

H.323

This section describes how to manage application inspection for the H.323 suite of protocols. It includes the following topics:
• Overview, page 5-16
• Multiple Calls on One Call Signalling Connection, page 5-16
• Viewing Connection Status, page 5-17
• Technical Background, page 5-17

Overview

You can use the fixup command to change the default port assignment for the H.323 protocol.

Replace hh with the number of hours, mm with the minutes, and ss with the seconds. The default is 1 hour. To keep the channel open without any timeout, set the timer to 0 by entering the following command:
timeout h225 00:00:00
To disable the timer and close the TCP connection immediately after all calls are cleared, set the timeout value to 1 second, as follows:
timeout h225 00:00:01

Viewing Connection Status

To display the status of H.

The PIX Firewall administrator must open an access list for the well-known H.323 port 1720 for the H.225 call signaling. However, the H.245 signaling ports are negotiated between the endpoints in the H.225 signaling. When an H.323 gatekeeper is used, the PIX Firewall opens an H.225 connection based on inspection of the ACF message. The PIX Firewall dynamically allocates the H.245 channel after inspecting the H.

MGCP messages are transmitted over UDP. A response is sent back to the source address (IP address and UDP port number) of the command, but the response may not arrive from the same address as the command was sent to. This can happen when multiple call agents are being used in a failover configuration and the call agent that received the command has passed control to a backup call agent, which then sends the response.

Use the mgcp gateway command to specify which group of call agents is managing a particular gateway. The IP address of the gateway is specified with the ip_address option. The group_id option is a number from 0 to 4294967295. It must correspond with the group_id of the call agents that are managing the gateway. Use the clear mgcp command to remove all of the MGCP configuration and set the command queue limit to the default of 200.

Overview

Cisco IP Phones using SCCP can coexist in an H.323 environment. When used with Cisco CallManager, the SCCP client can interoperate with H.323 compliant terminals. Application layer functions in the PIX Firewall recognize SCCP Version 3.3. The functionality of the application layer software ensures that all SCCP signalling and media packets can traverse the PIX Firewall by providing NAT of the SCCP signaling packets.

Note If the Cisco CallManager IP address and the SCCP port must both be translated, the SCCP port must be statically mapped to the same port of the actual address for Cisco IP Phone registrations to succeed.

Using SCCP with Cisco CallManager on a Higher Security Interface

Cisco IP Phones require access to a TFTP server to download the configuration information they need to connect to the Cisco CallManager server. When the Cisco IP Phones are on a lower security interface compared to the TFTP server, you must use an access list to connect to the protected TFTP server on UDP port 69.

Overview

SIP works with Session Description Protocol (SDP) for call signalling. SDP specifies the ports for the media stream. Using SIP, the PIX Firewall can support any SIP Voice over IP (VoIP) gateways and VoIP proxy servers.

This command statement causes the PIX Firewall to allow a new connection on port 5060 from an outside phone if a UDP connection already exists from that phone to an inside phone. A call can be placed on hold for the time specified in the timeout interval for SIP. You can increase this interval as necessary with the timeout command.

Note When this feature is turned on, outside NAT/alias/bi-directional NAT and Policy NAT will not work. When a packet from the lower security level (e.g., outside) arrives at the higher security level (e.g., inside), the PIX Firewall retains the translated IP addresses in the packet and does not send it through the NAT engine, so outside NAT is not performed for inbound SIP packets.

SIP inspection has a database with indices CALL_ID/FROM/TO from the SIP payload that identifies the call, as well as the source and destination. Contained within this database are the media addresses and media ports that were contained in the SDP media information fields and the media type. There can be multiple media addresses and ports for a session.
</gr_repl>
<gr_insert after="203" cat="add_content" lang="python" orig="Chapter 5 Configuring">
As an added example (not code from the Cisco guide or the PIX Firewall), the following Python model implements the database just described: a record keyed by Call-ID and the From/To URIs that holds every media address and port announced in the SDP body, so that only those UDP ports are opened for the call and all of them are released on BYE. The SIP messages, addresses and function names are constructed for the example; keying on the two URIs without their tags is a simplification of real dialog matching.

```python
"""Model of the SIP inspection database (example code for this page, not PIX code)."""
import re
from dataclasses import dataclass

URI_RE = re.compile(r"<([^>]+)>|(sip:[^;\s]+)")


def bare_uri(header_value):
    """'"Alice" <sip:alice@h>;tag=x' -> 'sip:alice@h' (display name and tag dropped)."""
    m = URI_RE.search(header_value)
    if not m:
        raise ValueError(f"no SIP URI in {header_value!r}")
    return m.group(1) or m.group(2)


@dataclass
class MediaStream:
    media_type: str
    address: object            # str once known; None until a c= line supplies it
    port: int                  # RTP port from the m= line; RTCP is conventionally port + 1

    def pinholes(self):
        return [(self.address, self.port), (self.address, self.port + 1)]


def parse_message(raw):
    """Split a SIP request into (method, lowercase header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].split(" ", 1)[0], headers, body.decode("ascii")


def parse_sdp_media(sdp):
    """Collect every announced media stream; reject malformed or unsupported lines."""
    session_addr, streams = None, []
    for line in sdp.splitlines():
        if line.startswith("c="):
            parts = line[2:].split()
            if len(parts) < 3 or parts[:2] != ["IN", "IP4"]:
                raise ValueError(f"unsupported connection line: {line!r}")
            addr = parts[2].split("/")[0]        # drop any TTL/count suffix
            if streams:
                streams[-1].address = addr       # media-level c= overrides the session one
            else:
                session_addr = addr
        elif line.startswith("m="):
            parts = line[2:].split()
            port_field = parts[1].split("/")[0] if len(parts) >= 3 else ""
            if not port_field.isdigit() or int(port_field) > 65535:
                raise ValueError(f"malformed media line: {line!r}")
            streams.append(MediaStream(parts[0], session_addr, int(port_field)))
    if any(s.address is None for s in streams):
        raise ValueError("media stream without a connection address")
    return [s for s in streams if s.port != 0]   # port 0 means the stream is disabled


class SipInspector:
    def __init__(self):
        self.calls = {}   # (Call-ID, {from URI, to URI}) -> [MediaStream]

    @staticmethod
    def key(headers):
        # Simplification: dialogs are keyed on Call-ID plus the two URIs without tags,
        # so a BYE from either side finds the record the INVITE created.
        return headers["call-id"], frozenset({bare_uri(headers["from"]), bare_uri(headers["to"])})

    def inspect(self, raw):
        """Return ('open'|'close'|'none', [(address, port), ...]) for one SIP request."""
        method, headers, body = parse_message(raw)
        if method == "INVITE" and headers.get("content-type") == "application/sdp":
            if int(headers.get("content-length", len(body))) != len(body):
                raise ValueError("Content-Length does not match the body")
            streams = parse_sdp_media(body)
            self.calls[self.key(headers)] = streams
            return "open", [p for s in streams for p in s.pinholes()]
        if method == "BYE":
            streams = self.calls.pop(self.key(headers), [])
            return "close", [p for s in streams for p in s.pinholes()]
        return "none", []


def build(start_line, headers, body=""):
    """Assemble a SIP request with a correct Content-Length (constructed test data)."""
    hdrs = {**headers, "Content-Length": str(len(body))}
    text = start_line + "\r\n" + "".join(f"{k}: {v}\r\n" for k, v in hdrs.items()) + "\r\n" + body
    return text.encode("ascii")


SDP = ("v=0\r\no=alice 2890844526 2890844526 IN IP4 209.165.201.5\r\ns=-\r\n"
       "c=IN IP4 209.165.201.5\r\nt=0 0\r\n"
       "m=audio 49170 RTP/AVP 0\r\n"
       "m=video 51372 RTP/AVP 31\r\nc=IN IP4 209.165.201.6\r\n")
INVITE = build("INVITE sip:bob@10.1.1.40 SIP/2.0",
               {"From": '"Alice" <sip:alice@209.165.201.5>;tag=1928301774',
                "To": "<sip:bob@10.1.1.40>", "Call-ID": "a84b4c76e66710@209.165.201.5",
                "CSeq": "314159 INVITE", "Content-Type": "application/sdp"}, SDP)
BYE = build("BYE sip:alice@209.165.201.5 SIP/2.0",
            {"From": "<sip:bob@10.1.1.40>;tag=a6c85cf",
             "To": '"Alice" <sip:alice@209.165.201.5>;tag=1928301774',
             "Call-ID": "a84b4c76e66710@209.165.201.5", "CSeq": "231 BYE"})


def demo():
    insp = SipInspector()
    opened = insp.inspect(INVITE)
    closed = insp.inspect(BYE)
    return opened, closed, len(insp.calls)


if __name__ == "__main__":
    print(demo())
```

Note the checks a practitioner would want before trusting signalling to open ports: the declared Content-Length must match the body, media lines must carry a numeric port no larger than 65535, a port of 0 opens nothing, and a media-level c= line overrides the session-level address for that stream only.
<test>
opened, closed, remaining = demo()
assert opened == ("open", [("209.165.201.5", 49170), ("209.165.201.5", 49171), ("209.165.201.6", 51372), ("209.165.201.6", 51373)])
assert closed == ("close", opened[1])
assert remaining == 0
assert bare_uri('"Alice" <sip:alice@209.165.201.5>;tag=1') == "sip:alice@209.165.201.5"
assert parse_sdp_media("c=IN IP4 10.0.0.1\r\nm=audio 0 RTP/AVP 0\r\nm=video 4000 RTP/AVP 31\r\n") == [MediaStream("video", "10.0.0.1", 4000)]
</test>
</gr_insert>
<gr_replace lines="204-210" cat="clarify" orig="Chapter 5 Configuring">
Multimedia Applications

2. Once a connection is established, the client sends an LVMConnectFunnel message to the server indicating the UDP port on which it expects to receive the data.
3. The server chooses a UDP port in the range 1024-5000 to stream the NetShow data down to the client.
4. The server sends the stream on the negotiated port.
5. The NetShow session ends by tearing down the TCP connection.

TCP Stream

TCP streams are used with NetShow as follows:
1. The client makes a TCP connection to the server using the well-known port 1755.
2. Once a connection is established, the client sends an LVMConnectFunnel message to the server confirming the use of the TCP connection.
3. The server sends the stream on the already connected TCP port.
4. The NetShow session ends by tearing down the TCP connection.

RTSP applications use the well-known port 554 with TCP (rarely UDP) as a control channel. PIX Firewall only supports TCP, in conformity with RFC 2326. This TCP control channel is used to negotiate the data channels that will be used to transmit audio/video traffic, depending on the transport mode that is configured on the client.

Database and Directory Support

ILS and LDAP

The Internet Locator Service (ILS) is based on the Lightweight Directory Access Protocol (LDAP) and is LDAPv2 compliant. ILS was developed by Microsoft for use with its NetMeeting, SiteServer, and Active Directory products. By default, fixup protocol ils is disabled. You can use the fixup command to enable the ILS fixup and, optionally, change the default port assignment. The command syntax is as follows.

Network File System and Sun RPC

The port assignment for Sun Remote Procedure Call (RPC) is not configurable. Sun RPC is used by Network File System (NFS) and Network Information Service (NIS). Sun RPC services can run on any port on the system. When a client attempts to access an RPC service on a server, it must find out which port that service is running on.

Example 5-2 Configuring NFS Access
access-list acl_out permit udp host 209.165.201.2 host 209.165.201.11 eq sunrpc
access-list acl_out permit udp host 209.165.201.2 host 209.165.201.11 eq 2049

Oracle SQL*Net (V1/V2)

The SQL*Net protocol consists of different packet types that PIX Firewall handles to make the data stream appear consistent to the Oracle applications on either side of the firewall.

Management Protocols

Internet Control Message Protocol

The ICMP payload is scanned to retrieve the five-tuple from the original packet. ICMP inspection supports both one-to-one NAT and PAT. Using the retrieved five-tuple, a lookup is performed to determine the original address of the client.
Chapter 5 Configuring Application Inspection (Fixup) Multimedia Applications 2. Once a connection is established, the client sends an LVMConnectFunnel message to the server indicating the UDP port that it expects to receive the data. 3. Server chooses a UDP port in the range 1024-5000 to stream the netshow data down to the client. 4. Server sends the stream in the negotiated port. 5. Netshow session ends by tearing down the TCP connection.
Chapter 5 Configuring Application Inspection (Fixup) Multimedia Applications TCP Stream TCP streams are used with Netshow as follows: 1. Client makes a TCP connection to the server using the well-known port 1755. 2. Once a connection is established, the client sends an LVMConnectFunnel message to the server confirming the use of TCP connection. 3. Server sends the stream in the already connected TCP port. 4. Netshow session ends by tearing down the TCP connection.
Chapter 5 Configuring Application Inspection (Fixup) Database and Directory Support RTSP applications use the well-known port 554 with TCP (rarely UDP) as a control channel. PIX Firewall only supports TCP, in conformity with RFC 2326. This TCP control channel will be used to negotiate the data channels that will be used to transmit audio/video traffic, depending on the transport mode that is configured on the client.
Chapter 5 Configuring Application Inspection (Fixup) Database and Directory Support ILS and LDAP The Internet Locator Service (ILS) is based on the Lightweight Directory Access Protocol (LDAP) and is LDAPv2 compliant. ILS was developed by Microsoft for use with its NetMeeting, SiteServer, and Active Directory products. By default, fixup protocol ils is disabled. You can use the fixup command to enable the ILS fixup and, optionally, change the default port assignment. The command syntax is as follows.
Chapter 5 Configuring Application Inspection (Fixup) Database and Directory Support Network File System and Sun RPC The port assignment for Sun Remote Procedure Call (RPC) is not configurable. Sun RPC is used by Network File System (NFS) and Network Information Service (NIS). Sun RPC services can run on any port on the system. When a client attempts to access an RPC service on a server, it must find out which port that service is running on.
Chapter 5 Configuring Application Inspection (Fixup) Management Protocols Example 5-2 Configuring NFS Access access-list acl_out permit udp host 209.165.201.2 host 209.165.201.11 eq sunrpc access-list acl_out permit udp host 209.165.201.2 host 209.165.201.11 eq 2049 Oracle SQL*Net (V1/V2) The SQL*Net protocol consists of different packet types that PIX Firewall handles to make the data stream appear consistent to the Oracle applications on either side of the firewall.
Chapter 5 Configuring Application Inspection (Fixup) Management Protocols Internet Control Message Protocol The ICMP payload is scanned to retrieve the five-tuple from the original packet. ICMP inspection supports both one-to-one NAT and PAT. Using the retrieved five-tuple, a lookup is performed to determine the original address of the client.
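The following Python block is an added example (not PIX Firewall code) of the mechanism just described: it builds an ICMP Destination Unreachable message quoting a translated packet, recovers the five-tuple from the quoted IP and transport headers, looks it up in a translation table that holds both PAT and one-to-one entries, and rewrites the quoted source back to the inside client's address and port. The addresses, translation slots and helper names are constructed for the example; the quoted transport checksum is deliberately left unchanged in this model.

```python
"""Recovering the five-tuple from an ICMP error and reversing NAT (example code for
this page, not PIX code).  Packet bytes and the translation table are constructed."""
import socket
import struct


def checksum(data):
    """RFC 1071 ones-complement checksum of a byte string."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, total_len, ttl=64):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def icmp_error(icmp_type, code, quoted_ip_hdr, quoted_l4_8):
    """Build an ICMP error (e.g. type 3 Destination Unreachable) quoting the IP
    header and first 8 transport bytes of the packet that triggered it."""
    msg = struct.pack("!BBHI", icmp_type, code, 0, 0) + quoted_ip_hdr + quoted_l4_8
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]


def extract_five_tuple(icmp):
    """Return (proto, src, sport, dst, dport) of the packet quoted in an ICMP error."""
    if icmp[0] not in (3, 11, 12):              # dest-unreachable, time-exceeded, param-problem
        raise ValueError("not an ICMP error message")
    if checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    inner = icmp[8:]
    if len(inner) < 20 or inner[0] >> 4 != 4:
        raise ValueError("quoted packet is not IPv4")
    ihl = (inner[0] & 0x0F) * 4
    if ihl < 20 or len(inner) < ihl + 8:
        raise ValueError("quoted packet truncated before the transport ports")
    proto = inner[9]
    if proto not in (6, 17):                    # only TCP and UDP carry the port pair here
        raise ValueError("quoted packet is not TCP or UDP")
    src, dst = socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return proto, src, sport, dst, dport


class XlateTable:
    """Translation slots: PAT keyed by (global IP, global port), 1-to-1 NAT keyed by global IP."""
    def __init__(self, pat=None, static=None):
        self.pat = dict(pat or {})
        self.static = dict(static or {})

    def lookup(self, global_ip, global_port):
        if (global_ip, global_port) in self.pat:
            return self.pat[(global_ip, global_port)]
        if global_ip in self.static:
            return self.static[global_ip], global_port   # 1-to-1 NAT keeps the port
        return None


def untranslate_icmp_error(icmp, xlate):
    """Map the quoted global source back to the inside client and fix the IP and ICMP
    checksums (the quoted transport checksum is left alone in this model).
    An error whose quoted packet has no translation slot is dropped."""
    proto, src, sport, dst, dport = extract_five_tuple(icmp)
    original = xlate.lookup(src, sport)
    if original is None:
        raise LookupError(f"no translation slot for {src}:{sport}; packet dropped")
    local_ip, local_port = original
    inner = bytearray(icmp[8:])
    ihl = (inner[0] & 0x0F) * 4
    inner[12:16] = socket.inet_aton(local_ip)
    inner[ihl:ihl + 2] = struct.pack("!H", local_port)
    inner[10:12] = b"\0\0"
    inner[10:12] = struct.pack("!H", checksum(bytes(inner[:ihl])))
    msg = bytearray(icmp[:8]) + inner
    msg[2:4] = b"\0\0"
    msg[2:4] = struct.pack("!H", checksum(bytes(msg)))
    return bytes(msg)


def demo():
    """Inside client 10.1.1.3:40000 was PAT-translated to 209.165.201.10:1024 for a UDP
    probe to 209.165.201.5:53; an outside router answers with port unreachable."""
    xlate = XlateTable(pat={("209.165.201.10", 1024): ("10.1.1.3", 40000)})
    quoted_ip = ipv4_header("209.165.201.10", "209.165.201.5", 17, 20 + 8 + 32)
    quoted_udp = struct.pack("!HHHH", 1024, 53, 8 + 32, 0)
    err = icmp_error(3, 3, quoted_ip, quoted_udp)
    before = extract_five_tuple(err)
    after = extract_five_tuple(untranslate_icmp_error(err, xlate))
    return before, after


if __name__ == "__main__":
    print(demo())
```

An ICMP error whose quoted five-tuple has no translation slot raises LookupError here, standing in for the drop a stateful firewall applies to unsolicited errors, and any message with a bad checksum or a quoted packet too short to contain the port pair is rejected before the lookup.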
The fixup can be enabled or disabled via the fixup command [no] fixup protocol snmp 161-162. However, existing connections will retain the fixup configuration present when the connection was created. Use clear xlate or clear local to clear connections and allow any new fixup configuration to take effect.
Chapter 6 Configuring IPSec and Certification Authorities

This chapter provides information about using IP Security Protocol (IPSec), Internet Key Exchange (IKE), and certification authority (CA) technology with the PIX Firewall.

Internet Key Exchange (IKE)

IPSec can be configured to work in two different modes:
• Tunnel Mode—This is the normal way in which IPSec is implemented between two PIX Firewall units (or other security gateways) that are connected over an untrusted network, such as the public Internet.
• Transport Mode—This method of implementing IPSec is typically done with L2TP to allow authentication of native Windows 2000 VPN clients.

IKE negotiations must be protected, so each IKE negotiation begins by each peer agreeing on a common (shared) IKE policy. This policy states the security parameters that will be used to protect subsequent IKE negotiations.

There is an implicit trade-off between security and performance when you choose a specific value for each parameter. The level of security provided by the default values is adequate for the security requirements of most organizations. If you are interoperating with a peer that supports only one of the values for a parameter, your choice is limited to the other peer’s supported value.

For further information about the two authentication methods, refer to the following sections:
• “Using IKE with Pre-Shared Keys”
• “Using Certification Authorities”

Step 5 Specify the Diffie-Hellman group identifier:
isakmp policy priority group 1 | 2 | 5

Note Support for Diffie-Hellman group 5 is introduced with PIX Firewall version 6.

Default protection suite
  encryption algorithm: DES - Data Encryption Standard (56 bit keys)
  hash algorithm: Secure Hash Standard
  authentication method: Rivest-Shamir-Adleman Signature
  Diffie-Hellman group: #1 (768 bit)
  lifetime: 86400 seconds, no volume limit

Note Although the output shows “no volume limit” for the lifetimes, you can currently only configure a time lifetime (such as 86,400 seconds) with IKE; volume li
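The policy agreement described above, as an added example written for this page (not the Cisco implementation): local policies are tried in priority order and the first whose encryption, hash, authentication method and Diffie-Hellman group match a peer proposal is used. The default protection suite from the show output above is modelled as the lowest-priority policy. The policy numbers, the peer proposals, the priority value given to the default suite and the rule that the shorter lifetime wins are assumptions of the example.

```python
"""IKE policy agreement model (example code for this page, not PIX code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class IkePolicy:
    priority: int          # isakmp policy number; lower is tried first
    encryption: str        # des | 3des | aes ...
    hash: str              # md5 | sha
    authentication: str    # pre-share | rsa-sig
    group: int             # Diffie-Hellman group 1, 2 or 5
    lifetime: int          # seconds


# The default protection suite shown by "show isakmp policy" on the page:
# DES, SHA, RSA signatures, group 1 (768 bit), 86400 seconds.  The priority
# value 65535 is an assumption chosen so that it is considered last.
DEFAULT_SUITE = IkePolicy(65535, "des", "sha", "rsa-sig", 1, 86400)


def suite(p):
    return p.encryption, p.hash, p.authentication, p.group


def negotiate(local_policies, peer_proposals):
    """Responder side: walk local policies in priority order and accept the first one
    whose (encryption, hash, authentication, group) matches any peer proposal.
    Assumption: the agreed lifetime is the shorter of the two."""
    for policy in sorted(local_policies, key=lambda p: p.priority):
        for proposal in peer_proposals:
            if suite(policy) == suite(proposal):
                return policy, min(policy.lifetime, proposal.lifetime)
    return None


def weak_policies(local_policies):
    """Flag policies using 56-bit DES or the 768-bit group 1 for review."""
    return [p for p in local_policies if p.encryption == "des" or p.group == 1]


# Constructed local configuration: two explicit policies plus the default suite.
LOCAL = [
    IkePolicy(10, "3des", "sha", "pre-share", 2, 86400),
    IkePolicy(20, "des", "md5", "pre-share", 1, 86400),
    DEFAULT_SUITE,
]


def demo():
    strong_peer = [IkePolicy(1, "3des", "sha", "pre-share", 2, 28800)]
    des_only_peer = [IkePolicy(1, "des", "sha", "rsa-sig", 1, 86400)]
    mismatched_peer = [IkePolicy(1, "3des", "md5", "rsa-sig", 5, 86400)]
    return (negotiate(LOCAL, strong_peer), negotiate(LOCAL, des_only_peer),
            negotiate(LOCAL, mismatched_peer), [p.priority for p in weak_policies(LOCAL)])


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The second case shows the practical consequence of the default suite: a peer that offers only DES with group 1 still agrees on a policy even when every explicitly configured policy is stronger, which is why weak_policies lists the default suite alongside policy 20 for review.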
Step 2 Configure the PIX Firewall domain name:
domain-name name
For example:
domain-name example.com

Step 3 Specify the pre-shared key at the PIX Firewall:
isakmp key keystring address peer-address [netmask mask]
Replace keystring with the password string that the PIX Firewall and its peer will use for authentication. Replace peer-address with the remote peer’s IP address.

Using Certification Authorities

CA Overview

Certification authorities (CAs) are responsible for managing certificate requests and issuing digital certificates. A digital certificate contains information that identifies a user or device, such as a name, serial number, company, department, or IP address. A digital certificate also contains a copy of the entity’s public key.

CAs can also revoke certificates for peers that will no longer participate in IPSec. Revoked certificates are not recognized as valid by other peers. Revoked certificates are listed in a certificate revocation list (CRL), which each peer may check before accepting another peer’s certificate. Some CAs have a registration authority (RA) as part of their implementation.

Follow these steps to enable your PIX Firewall to interoperate with a CA and obtain your PIX Firewall certificate(s):

Step 1 Configure the PIX Firewall host name:
hostname newname
For example:
hostname mypixfirewall
In this example, “mypixfirewall” is the name of a unique host in the domain.

Step 2 Configure the PIX Firewall domain name:
domain-name name
For example:
domain-name example.

Step 6 Configure the parameters of communication between the PIX Firewall and the CA:
ca configure ca_nickname ca | ra retry_period retry_count [crloptional]
For example:
ca configure myca.example.com ca 1 20 crloptional
If the PIX Firewall does not receive a certificate from the CA within 1 minute (the default) of sending a certificate request, it will resend the certificate request.

Step 9 Verify that the enrollment process was successful using the show ca certificate command:
show ca certificate
The following is sample output from the show ca certificate command including a PIX Firewall general purpose certificate and the RA and CA public-key certificates:
Subject Name
Name: mypixfirewall.example.com
IP Address: 192.150.50.

Validity Date:
start date: 23:48:00 UTC Feb 18 2003
end date: 23:58:00 UTC Feb 18 2004
--------------------------------------------------------------------------------
To establish a VPN tunnel with this server, enter the following command on the PIX Firewall that will receive this certificate:
ca verifycertdn cn*myvpn, ou=myou, o=myorg, st=ca, c=US
This command causes the receiving PIX Firewall to accept certificates with any D
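To show how a ca verifycertdn rule is applied to a presented certificate, the following Python block, added as an example for this page (it also illustrates the same command where it appears in Chapter 4) and not PIX Firewall code, evaluates the page's rule against several constructed subject names. In the rule, attr=value requires the attribute to equal the value and attr*value requires it to contain the value; attributes the rule does not name are not checked. Case-insensitive comparison, the handling of repeated attributes and the helper names are assumptions of the example.

```python
"""Certificate DN matching in the style of ca verifycertdn (example code for this page,
not PIX code).  attr=value requires equality, attr*value requires containment;
attributes absent from the rule are not checked.  Case-insensitive comparison is
an assumption consistent with the page's rule 'st=ca' and a certificate state 'CA'."""
import re

RULE_ITEM_RE = re.compile(r"^\s*([A-Za-z]+)\s*([=*])\s*(.*?)\s*$")


def parse_rule(rule):
    """'cn*myvpn, ou=myou, o=myorg' -> [('cn', '*', 'myvpn'), ('ou', '=', 'myou'), ...]"""
    items = []
    for part in rule.split(","):
        m = RULE_ITEM_RE.match(part)
        if not m or not m.group(3):
            raise ValueError(f"bad rule element: {part!r}")
        items.append((m.group(1).lower(), m.group(2), m.group(3)))
    return items


def parse_dn(dn):
    """'cn=host, ou=myou, ou=lab' -> {'cn': ['host'], 'ou': ['myou', 'lab']}
    Simplification: escaped commas inside attribute values are not handled."""
    attrs = {}
    for part in dn.split(","):
        name, sep, value = part.partition("=")
        if not sep or not name.strip():
            raise ValueError(f"bad DN element: {part!r}")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def dn_matches(rule, dn):
    """True when every attribute named in the rule is present in the DN and satisfies it."""
    attrs = parse_dn(dn)
    for name, op, wanted in parse_rule(rule):
        values = attrs.get(name, [])          # missing attribute -> no value can satisfy
        if op == "=":
            ok = any(v.lower() == wanted.lower() for v in values)
        else:                                  # '*': substring match
            ok = any(wanted.lower() in v.lower() for v in values)
        if not ok:
            return False
    return True


RULE = "cn*myvpn, ou=myou, o=myorg, st=ca, c=US"    # the page's example rule

# Constructed certificate subjects to evaluate against the rule.
SUBJECTS = {
    "matching":      "cn=myvpn-east.example.com, ou=myou, o=myorg, st=CA, c=US",
    "wrong cn":      "cn=pixfirewall.example.com, ou=myou, o=myorg, st=CA, c=US",
    "wrong ou":      "cn=myvpn-west.example.com, ou=otherou, o=myorg, st=CA, c=US",
    "missing state": "cn=myvpn-north.example.com, ou=myou, o=myorg, c=US",
    "extra attr ok": "cn=myvpn-south.example.com, ou=myou, o=myorg, st=CA, c=US, e=admin@example.com",
}


def evaluate_all(rule=RULE, subjects=SUBJECTS):
    return {label: dn_matches(rule, dn) for label, dn in subjects.items()}


if __name__ == "__main__":
    for label, accepted in evaluate_all().items():
        print(f"{label:14s} -> {'accept' if accepted else 'reject'}")
```

The rejections are as instructive as the match: a certificate whose CN lacks the substring, whose OU differs, or which omits an attribute the rule names is rejected, while additional attributes such as an e-mail address do not affect the result.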
Configuring IPSec

You can establish IPSec SAs in two ways:
• Manual SAs with Pre-Shared Keys—The use of manual IPSec SAs requires a prior agreement between administrators of the PIX Firewall and the IPSec peer. There is no negotiation of SAs, so the configuration information in both systems should be the same for traffic to be processed successfully by IPSec.

crypto map entry specifies the use of manual security associations, a security association should have already been established via configuration. (If a dynamic crypto map entry sees outbound traffic that should be protected and no security association exists, the packet is dropped.) The policy described in the crypto map entries is used during the negotiation of security associations.

Binding a crypto map to an interface will also initialize the run-time data structures, such as the security association database and the security policy database. If the crypto map is modified in any way, reapplying the crypto map to the interface will resynchronize the various run-time data structures with the crypto map configuration.

(In other words, it does not allow the policy as specified in this crypto map entry to be applied to this traffic.) If this traffic is denied in all the crypto map entries for that interface, the traffic is not protected by crypto IPSec. The crypto access list you define will be applied to an interface after you define the corresponding crypto map entry and apply the crypto map set to the interface.

associations for different kinds of traffic, define multiple crypto access lists, and apply each one to a separate ipsec-manual crypto map command entry. Each access list should include one permit statement defining which traffic to protect.

Note If you clear or delete the last element from an access list, the crypto map references to the destroyed access list are also removed.

IPSec security associations use one or more shared secret keys. These keys and their security associations time out together. Assuming that the particular crypto map entry does not have lifetime values configured, when the PIX Firewall requests new security associations it will specify its global lifetime values in the request to the peer; it will use this value as the lifetime of the new security associations.

Note PIX Firewall version 6.3 introduces support for AES, which provides for encryption keys of 128, 192, and 256 bits.

In this example, “myset1” and “myset2” are the names of the transform sets. “myset1” has two transforms defined, while “myset2” has three transforms defined.

Step 3 Create a crypto map entry by performing the following steps:
a.

crypto map mymap 10 set security-association lifetime seconds 2700
This example shortens the timed lifetime for the crypto map “mymap 10” to 2700 seconds (45 minutes). The traffic volume lifetime is not changed.
f.

Using Dynamic Crypto Maps

Note Use care when using the any keyword in permit command entries in dynamic crypto maps. If it is possible for the traffic covered by such a permit command entry to include multicast or broadcast traffic, the access list should include deny command entries for the appropriate address range.

Step 1 Assign an access list to a dynamic crypto map entry:
crypto dynamic-map dynamic-map-name dynamic-seq-num match address access-list-name
This determines which traffic should be protected and not protected. For example:
crypto dynamic-map dyn1 10 match address 101
In this example, access list 101 is assigned to dynamic crypto map “dyn1.” The map’s sequence number is 10.

Step 4 Specify that IPSec should ask for PFS when requesting new security associations for this dynamic crypto map entry, or should demand PFS in requests received from the peer:
crypto dynamic-map dynamic-map-name dynamic-seq-num set pfs [group1 | group2]
For example:
crypto dynamic-map dyn1 10 set pfs group1

Step 5 Add the dynamic crypto map set into a static crypto map set.
Chapter 6 Configuring IPSec and Certification Authorities Manual Configuration of SAs Manual Configuration of SAs When you cannot use IKE to establish SAs between your PIX Firewall and a remote IPSec peer, you can manually configure the SAs. This is only practical with a limited number of IPSec peers having known IP addresses (or DNS host names), so this method of configuration is most practical for site-to-site VPNs.
Chapter 6 Configuring IPSec and Certification Authorities Manual Configuration of SAs Step 3 Create a crypto map entry by performing the following steps: a. Create a crypto map entry in IPSec manual configuration mode: crypto map map-name seq-num ipsec-manual For example: crypto map mymap 10 ipsec-manual In this example, “mymap” is the name of the crypto map set. The map set’s sequence number is 10, which is used to rank multiple entries within one crypto map set.
Chapter 6 Configuring IPSec and Certification Authorities Manual Configuration of SAs Step 5 Set the AH SPIs and keys to apply to outbound protected traffic: crypto map map-name seq-num set session-key outbound ah spi hex-key-data For example: crypto map mymaptwo 30 set session-key outbound ah 400 123456789A123456789A123456789A123456789A Step 6 If the specified transform set includes the ESP protocol, set the ESP SPIs and keys to apply to inbound protected traffic.
Chapter 6 Configuring IPSec and Certification Authorities Viewing IPSec Configuration Viewing IPSec Configuration Table 6-2 lists commands you can use to view information about your IPSec configuration. Table 6-2 Commands to View IPSec Configuration Information Command Purpose show crypto ipsec transform-set View your transform set configuration. show crypto map [interface interface-name | tag View your crypto map configuration.
Chapter 6 Configuring IPSec and Certification Authorities Clearing SAs Cisco PIX Firewall and VPN Configuration Guide 78-15033-01 6-29
C H A P T E R 7 Site-to-Site VPN Configuration Examples A site-to-site VPN protects the network resources on your protected networks from unauthorized use by users on an unprotected network, such as the public Internet. The basic configuration for this type of implementation has been covered in Chapter 6, “Configuring IPSec and Certification Authorities.
Chapter 7 Site-to-Site VPN Configuration Examples Using Pre-Shared Keys Note If you do not need to do VPN tunneling for intranet traffic, you can use this example without the access-list or the nat 0 access-list commands. These commands disable NAT for traffic that matches the access list criteria.
Step 4 Configure the supported IPSec transforms:
crypto ipsec transform-set strong esp-3des esp-sha-hmac
Step 5 Create an access list:
access-list 90 permit ip 192.168.12.0 255.255.255.0 10.0.0.0 255.0.0.0
This access list defines traffic from network 192.168.12.0 to 10.0.0.0. Both of these networks use unregistered addresses.
Note Steps 5 and 6 are not required if you want to enable NAT for all traffic.
Step 6
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
names
pager lines 24
no logging on
mtu outside 1500
mtu inside 1500
ip address outside 209.165.201.8 255.255.255.224
ip address inside 192.168.12.1 255.255.255.0
no failover
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400
nat (inside) 0 access-list 90
access-list 90 permit ip 192.168.12.0 255.255.255.0 10.0.0.0 255.0.0.
Configuring PIX Firewall 2 for VPN Tunneling
Follow these steps to configure PIX Firewall 2:
Step 1 Define a host name:
hostname SanJose
Step 2 Define the domain name:
domain-name example.com
Step 3 Configure the ISAKMP policy:
isakmp enable outside
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
Step 4 Configure a pre-shared key and associate it with the peer:
crypto isakmp key cisco1234 address 209.
Chapter 7 Site-to-Site VPN Configuration Examples Using Pre-Shared Keys Step 11 Apply the crypto map to an interface: crypto map newyork interface outside Step 12 Specify that IPSec traffic be implicitly trusted (permitted): sysopt connection permit-ipsec Example 7-2 lists the configuration for PIX Firewall 2.
Chapter 7 Site-to-Site VPN Configuration Examples Using PIX Firewall with a VeriSign CA
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map newyork 10 ipsec-is
For the general procedures to configure the PIX Firewall for a CA, see “Using Certification Authorities” in Chapter 6, “Configuring IPSec and Certification Authorities.” This section provides an example configuration for the specific network illustrated in Figure 7-2.
Figure 7-2 VPN Tunnel Network (figure; labels: VeriSign CA Server example.com 209.165.202.130, Router, Router, Internet, 209.165.201.7, 209.165.200.228, 209.165.201.
Chapter 7 Site-to-Site VPN Configuration Examples Using PIX Firewall with a VeriSign CA Step 5 Authenticate the CA by obtaining its public key and its certificate: ca authenticate example.com This command is not stored in the configuration. Step 6 Request signed certificates from your CA for your PIX Firewall’s RSA key pair. Before entering this command, contact your CA administrator because they will have to authenticate your PIX Firewall manually before granting its certificate. ca enroll example.
Example 7-3 PIX Firewall 1 with Public CA
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname NewYork
domain-name example.
Chapter 7 Site-to-Site VPN Configuration Examples Using PIX Firewall with a VeriSign CA Configuring PIX Firewall 2 with a VeriSign CA Note The following steps are nearly the same as those in the previous section “Configuring PIX Firewall 1 with a VeriSign CA” for configuring PIX Firewall 2. The differences are in Steps 1 and 2, and Steps 11 to 13, which are specific for the PIX Firewall 2 in this example.
Step 9 Configure an IKE policy:
isakmp enable outside
isakmp policy 8 auth rsa-sig
Step 10 Create a partial access list:
access-list 80 permit ip 10.0.0.0 255.0.0.0 192.168.12.0 255.255.255.
Chapter 7 Site-to-Site VPN Configuration Examples Using PIX Firewall with an In-House CA
no failover
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
failover ip address perimeter 0.0.0.0
arp timeout 14400
nat (inside) 0 10.0.0.0 255.0.0.0 0 0
nat 0 access-list 80
access-list 80 permit ip 10.0.0.0 255.0.0.0 192.168.12.0 255.255.255.
Scenario Description
PIX Firewall supports the use of the following certification authorities (CAs):
• VeriSign support is provided through the VeriSign Private Certificate Services (PCS) and the OnSite service, which lets you establish an in-house CA system for issuing digital certificates.
• Entrust, Entrust VPN Connector, version 4.1 (build 4.1.0.337) or higher.
Configuring PIX Firewall 1 for an In-House CA
Follow these steps to configure PIX Firewall 1 for use with an in-house CA. These steps are similar to the procedure shown in “Using PIX Firewall with a VeriSign CA.”
Step 1 Define a host name:
hostname NewYork
Step 2 Define the domain name:
domain-name example.
Step 9 Map a local IP address to a global IP address:
static (dmz, outside) 209.165.202.131 10.1.0.2 netmask 255.255.255.255
Step 10 Permit the host (PIX Firewall 2) to access the global host via LDAP, port 389:
access-list globalhost permit tcp 209.165.200.229 255.255.255.255 host 209.165.202.
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
names
pager lines 24
no logging on
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 209.165.201.8 255.255.255.224
ip address inside 192.168.12.1 255.255.255.0
no failover
failover ip address outside 0.0.0.
Configuring PIX Firewall 2 for an In-House CA
Follow these steps to configure PIX Firewall 2:
Step 1 Define a host name:
hostname SanJose
Step 2 Define the domain name:
domain-name example.com
Step 3 Configure an IKE policy:
isakmp enable outside
isakmp policy 8 auth rsa-sig
Step 4 Define CA-related enrollment commands:
ca identity abcd 209.165.202.131 209.165.202.
Step 10 Create a partial access list:
access-list 80 permit ip 10.0.0.0 255.0.0.0 192.168.12.0 255.255.255.0
Step 11 Define a crypto map:
crypto map newyork 20 ipsec-isakmp
crypto map newyork 20 match address 80
crypto map newyork 20 set transform-set strong
crypto map newyork 20 set peer 209.165.201.
Step 12
Chapter 7 Site-to-Site VPN Configuration Examples Using an Encrypted Tunnel to Obtain Certificates
no rip inside passive
no rip inside default
no rip dmz passive
no rip dmz default
no rip perimeter passive
no rip perimeter default
route outside 0.0.0.0 0.0.0.0 209.165.200.
VPN Tunnel Network (figure; labels: Router, DMZ 10.1.0.1, Router, Internet, 209.165.201.7, 209.165.200.228, 209.165.201.8 outside, 209.165.200.229 outside, PIX Firewall 2, PIX Firewall 1, 192.168.12.1 inside, Microsoft CA Server 10.1.0.2 (global address=209.165.202.131), 10.0.0.1 inside, 192.168.12.2, New York 10.0.0.
Step 5 Configure NAT 0:
nat (dmz) 0 access-list 90
Step 6 Configure a transform set that defines how the traffic will be protected:
crypto ipsec transform-set strong esp-3des esp-sha-hmac
Step 7 Define a crypto map:
crypto map toSanJose 20 ipsec-isakmp
crypto map toSanJose 20 match address 90
crypto map toSanJose 20 set transform-set strong
crypto map toSanJose 20 set peer 209.165.200.
Step 8
PIX Firewall 2 Configuration
Follow these steps to configure PIX Firewall 2:
Step 1 Define a host name:
hostname SanJose
Step 2 Define the domain name:
domain-name example.com
Step 3 Configure an IKE policy:
isakmp enable outside
isakmp policy 8 auth pre-share
isakmp key cisco address 209.165.201.8 netmask 255.255.255.255
Step 4 Create a partial access list:
access-list 80 permit ip host 209.165.200.
Chapter 7 Site-to-Site VPN Configuration Examples Using an Encrypted Tunnel to Obtain Certificates Step 12 Authenticate the CA by obtaining its public key and its certificate: ca authenticate abcd This command is entered at the command line and does not get stored in the configuration. Step 13 Request signed certificates from your CA for your PIX Firewall’s RSA key pair.
Chapter 7 Site-to-Site VPN Configuration Examples Connecting to a Catalyst 6500 and Cisco 7600 Series IPSec VPN Services Module
PIX Firewall 2 Configuration
Follow these steps to configure PIX Firewall 2:
Step 1 Clear the IPSec SAs:
clear ipsec sa
Step 2 Clear the ISAKMP SAs:
clear isakmp sa
Step 3 Create a partial access list:
access-list 80 permit ip 10.0.0.0 255.0.0.0 192.168.12.0 255.255.255.
Chapter 7 Site-to-Site VPN Configuration Examples Connecting to a Catalyst 6500 and Cisco 7600 Series IPSec VPN Services Module Packets are processed by a pair of VLANs, one Layer 3 (L3) inside VLAN and one Layer 2 (L2) outside VLAN. The packets are routed to the inside VLAN. After encrypting the packets the VPNSM uses the corresponding outside VLAN. In the decryption process, the packets from the outside to the inside are bridged to the VPNSM using the outside VLAN.
Step 4 Define your Internet Security Association and Key Management Protocol (ISAKMP) policy proposals:
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
Step 5 In this example, pre-shared keys are used and defined by issuing the following command:
crypto isakmp key cisco address 209.165.200.
!
interface GigabitEthernet1/2
 no ip address
 shutdown
!
interface FastEthernet2/1
 ip address 10.10.10.1 255.255.255.0
 no keepalive
!
!--- This is the secure port which is configured in routed port mode.
!--- This routed port mode purposely does not have an L3 IP address
!--- configured, which is normal for the BITW process.
ip classless
!--- Configure the routing so that the device
!--- knows how to reach its destination network.
ip route 0.0.0.0 0.0.0.0 172.18.124.1
!
!--- This is the crypto ACL.
access-list 100 permit ip 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255
Example 7-8 shows the complete configuration for the PIX Firewall.
failover ip address intf3 0.0.0.0
failover ip address intf4 0.0.0.0
failover ip address intf5 0.0.0.0
pdm history enable
arp timeout 14400
access-list host1 permit icmp any any
access-group host1 in interface outside
route outside 0.0.0.0 0.0.0.0 14.36.1.
interface GigabitEthernet3/2
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,200,1002-1005
 switchport mode trunk
Step 2 Add the VLAN 100 interface, and the interface where the tunnel will be terminated (in this case, FastEthernet2/2):
interface Vlan100
 ip address 209.165.201.1 255.255.255.
!
!--- Define a static crypto map entry for the peer with mode ipsec-isakmp.
!--- This indicates that IKE will be used to establish the IPSec SAs
!--- for protecting the traffic specified by this crypto map entry.
crypto map cisco 10 ipsec-isakmp
 set peer 209.165.200.
 flowcontrol receive on
 cdp enable
!
interface Vlan1
 no ip address
 shutdown
!
!--- This is the IVLAN configured for intercepting the traffic
!--- destined to the secure port on which the VPN Services Module's inside port
!--- is the only port present.
Interface Vlan100
 ip address 209.165.201.1 255.255.255.
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 209.165.200.225 255.255.255.0
ip address inside 10.20.20.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip address intf3 127.0.0.1 255.255.255.255
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 127.0.0.1 255.255.255.
Chapter 7 Site-to-Site VPN Configuration Examples Manual Configuration with NAT Verifying Your Configuration You can use the following commands to confirm that your configuration is working properly.
Example 7-11 lists the configuration for PIX Firewall 1.
Example 7-11 Two Interfaces with IPSec: PIX Firewall 1 Configuration
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 auto
interface ethernet1 auto
ip address outside 192.168.1.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.
Chapter 7 Site-to-Site VPN Configuration Examples Manual Configuration with NAT PIX Firewall 2 Configuration Follow these steps to program the PIX Firewall 2 unit for IPSec: Step 1 Create a crypto map command statement. Step 2 Create the access-list command entries to select traffic for this policy. Note For manual keying, only one access-list permit command statement is permitted in the configuration. Step 3 Create the transform set for the crypto command statement entry.
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
sysopt connection tcpmss 1380
crypto ipsec transform-set myset ah-md5-hmac esp-des
crypto map mymap 10 ipsec-manual
crypto map mymap 10 match address 10
crypto map mymap 10 set peer 192.168.1.
C H A P T E R 8 Managing VPN Remote Access This chapter describes how to configure the PIX Firewall as an Easy VPN Server and how to configure Easy VPN Remote software clients. It also describes how to use the PIX Firewall with Point-to-Point Tunneling Protocol (PPTP) clients.
Chapter 8 Managing VPN Remote Access Using the PIX Firewall as an Easy VPN Server Overview With software Version 6.2 and later releases, you can configure the PIX Firewall as an Easy VPN Server. When used as an Easy VPN Server, the firewall can push VPN configuration to any Easy VPN Remote device, which greatly simplifies configuration and administration. Figure 8-1 illustrates how an Easy VPN Server can be used in a Virtual Private Network (VPN).
Chapter 8 Managing VPN Remote Access Using the PIX Firewall as an Easy VPN Server Note PIX Firewall Version 6.3 introduces a feature that lets you establish a management connection to the inside interface of a PIX Firewall over a VPN tunnel. This feature is designed for remote management of a PIX Firewall used as an Easy VPN Remote device, which typically has an IP address dynamically assigned to its outside interface.
Chapter 8 Managing VPN Remote Access Using the PIX Firewall as an Easy VPN Server Enabling Redundancy PIX Firewall Version 6.3 introduces support for redundancy among Easy VPN Servers. You can define a list of servers on an Easy VPN Server that can be pushed to the Easy VPN Remote. When no backup Easy VPN Server is configured, what happens after a failure to connect to the Easy VPN server depends on SUA status and whether the Easy VPN Remote device is in client mode or network extension mode.
Chapter 8 Managing VPN Remote Access Configuring Extended Authentication (Xauth) To specify the length of time that a VPN tunnel can remain open without user activity, enter the following command: vpngroup groupname user-idle-timeout {hh:mm:ss} This command specifies the length of time for the specified VPN group in hours, minutes, and seconds (hh:mm:ss).
Chapter 8 Managing VPN Remote Access Configuring Extended Authentication (Xauth) Note The IKE Mode Config feature also is negotiated between IKE Phase 1 and 2. If both features are configured, Xauth is performed first. The Xauth feature is optional and is enabled using the crypto map map-name client authentication aaa-group-tag command. AAA must be configured on the PIX Firewall using the aaa-server group_tag (if_name) host server_ip key timeout seconds command before Xauth is enabled.
Chapter 8 Managing VPN Remote Access Configuring Easy VPN Remote Devices with IKE Mode Config Configuring Easy VPN Remote Devices with IKE Mode Config A PIX Firewall used as an Easy VPN Server uses the IKE Mode Configuration (Config) protocol to download an IP address and other network level configuration to an Easy VPN Remote device as part of the IKE negotiation.
Chapter 8 Managing VPN Remote Access Using an Easy VPN Remote Device with Pre-Shared Keys When the Cisco Easy VPN Remote device initiates ISAKMP with the PIX Firewall, the VPN group name and pre-shared key (or certificate) are sent to the PIX Firewall. The PIX Firewall then uses the group name to look up the configured client policy attributes for the given Cisco Easy VPN Remote device and downloads the matching policy attributes to the client during the IKE negotiation.
• Pool of local addresses to be assigned to the VPN group.
• (Optional) IP address of a DNS server to download to the Cisco Easy VPN Remote device.
• (Optional) IP address of a WINS server to download to the Cisco Easy VPN Remote device.
• (Optional) Default domain name to download to the Cisco Easy VPN Remote device.
Configuring the PIX Firewall
Follow these steps to configure the PIX Firewall to interoperate with the Cisco Easy VPN Remote device using Xauth, IKE Mode Config, AAA authorization with RADIUS, and a wildcard, pre-shared key:
Step 1 Define AAA related parameters:
aaa-server radius protocol radius
aaa-server partnerauth protocol radius
aaa-server partnerauth (dmz) host 192.168.101.
Chapter 8 Managing VPN Remote Access Using an Easy VPN Remote Device with Pre-Shared Keys Specify which transform sets are allowed for this dynamic crypto map entry.
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
arp timeout 14400
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-list 80 permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 100 permit tcp 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0 eq telnet
access-list 100 permit tcp 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0 eq ftp
access-list 100 permit tcp 10.1.1.0 255.255.255.0 10.0.0.0 255.
Chapter 8 Managing VPN Remote Access Using an Easy VPN Remote Device with Digital Certificates
To allow the Easy VPN Remote software client to gain VPN access to the PIX Firewall using a pre-shared key, create one connection entry for the Easy VPN Remote software client that identifies the following:
• Host name or IP address of the remote server you want to access, which in this case is a PIX Firewall
• Name of the VPN group you belong to
• Pre-shared key or password of the VPN group you belong to
Chapter 8 Managing VPN Remote Access Using an Easy VPN Remote Device with Digital Certificates To identify the DN of the PIX Firewall on an Easy VPN software client, create a .pcf file and use the CertSubjectName keyword.
• (Optional) Split tunneling on the PIX Firewall, which allows both encrypted and clear traffic between the Easy VPN Remote device and the PIX Firewall.
Note If split tunnelling is not enabled, all traffic between the Easy VPN Remote device and the PIX Firewall will be encrypted.
• (Optional) Inactivity timeout for the Easy VPN Remote device. The default is 30 minutes.
aaa-server partnerauth protocol tacacs+
aaa-server partnerauth (dmz) host 192.168.101.2 abcdef timeout 5
Step 2 Define a host name:
hostname SanJose
Step 3 Define the domain name:
domain-name example.com
Step 4 Generate the PIX Firewall RSA key pair:
ca generate rsa key 512
This command is entered at the command line and does not get stored in the configuration.
isakmp enable outside
isakmp policy 8 encr 3des
isakmp policy 8 hash md5
isakmp policy 8 authentication rsa-sig
Step 13 Create an access list that defines the local network(s) requiring IPSec protection:
access-list 90 permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.
Example 8-2 VPN Access with Extended Authentication, RADIUS Authorization, IKE Mode Config, and Digital Certificates
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname SanJose
domain-name example.
Chapter 8 Managing VPN Remote Access Using PPTP for Remote Access
vpngroup superteam wins-server 10.0.0.15
vpngroup superteam default-domain example.com
vpngroup superteam split-tunnel 90
vpngroup superteam idle-time 1800
ca identity abcd 209.165.200.228 209.165.200.
Chapter 8 Managing VPN Remote Access Using PPTP for Remote Access Overview The firewall provides support for Microsoft PPTP, which is an alternative to IPSec handling for VPN clients. While PPTP is less secure than IPSec, PPTP may be easier in some networks to implement and maintain. The vpdn command implements the PPTP feature for inbound connections between the firewall and a Windows client.
Chapter 8 Managing VPN Remote Access Using PPTP for Remote Access The clear vpdn group command removes all the vpdn group commands from the configuration. The clear vpdn username command removes all the vpdn username commands from the configuration. The clear vpdn command removes all vpdn commands from the configuration. You can troubleshoot PPTP traffic with the debug ppp and debug vpdn commands.
C H A P T E R 9 Accessing and Monitoring PIX Firewall This chapter describes how to configure and use the tools and features provided by the PIX Firewall for monitoring and configuring the system, and for monitoring network activity.
Chapter 9 Accessing and Monitoring PIX Firewall Command Authorization and LOCAL User Authentication
• SNMP
• SNMP traps
• Syslogs
To enable management access over a VPN tunnel, enter the following command:
management-access mgmt_if
Replace mgmt_if with the IP address assigned to the interface of the remote PIX Firewall to which you want to connect.
Note You must enable management access for each interface that is connected to the supported management services that you want to use.
Chapter 9 Accessing and Monitoring PIX Firewall Command Authorization and LOCAL User Authentication For example, the following command assigns the enable password Passw0rD to privilege Level 10: enable password Passw0rD level 10 The following example shows the usage of the enable password command with the encrypted keyword: enable password .
Chapter 9 Accessing and Monitoring PIX Firewall Command Authorization and LOCAL User Authentication For example, the following command assigns a privilege level of 15 to the user account admin. username admin password passw0rd privilege 15 If no privilege level is specified, the user account is created with a privilege level of 2. You can define as many user accounts as you need.
Viewing the Current User Account
The PIX Firewall maintains usernames in the following authentication mechanisms:
• LOCAL
• TACACS+
• RADIUS
To view the user account that is currently logged in, enter the following command:
show curpriv
The system displays the current user name and privilege level, as follows:
Username:admin
Current privilege level: 15
Current Mode/s:P_PRIV
As mentioned in the secti
Chapter 9 Accessing and Monitoring PIX Firewall Command Authorization and LOCAL User Authentication Overview LOCAL and TACACS+ Command Authorization is supported in PIX Firewall Version 6.2 and higher. With the LOCAL command authorization feature, you can assign PIX Firewall commands to one of 16 levels. Caution When configuring the Command Authorization feature, do not save your configuration until you are sure it works the way you want.
privilege show level 15 mode configure command logging
privilege clear level 15 mode configure command logging
privilege configure level 15 mode configure command logging
privilege clear level 15 mode enable command logging
privilege configure level 15 mode enable command logging
Note Do not use the mode parameter for commands that are not mode-specific.
privilege clear level 15 command access-list
privilege configure level 15 command access-list
privilege show level 15 command activation-key
privilege configure level 15 command activation-key
To view the command assignments for a specific privilege level, enter the following command:
show privilege level level
Replace level with the privilege level for which you want to display the command assignments.
Chapter 9 Accessing and Monitoring PIX Firewall Command Authorization and LOCAL User Authentication To create the tacacs_server_tag, use the aaa-server command, as follows: aaa-server tacacs_server_tag [(if_name)] host ip_address [key] [timeout seconds] Use the tacacs_server_tag parameter to identify the TACACS+ server and use the if_name parameter if you need to specifically identify the PIX Firewall interface connected to the TACACS+ server. Replace ip_address with the IP address of the TACACS+ server.
Chapter 9 Accessing and Monitoring PIX Firewall Configuring PIX Firewall Banners This website provides a downloadable file with instructions for using it to remove the lines in the PIX Firewall configuration that enable authentication and cause the lockout problem. You can encounter a different type of lockout problem if you use the aaa authorization command tacacs_server_tag command and you are not logged as the correct user.
Chapter 9 Accessing and Monitoring PIX Firewall Using Network Time Protocol
Overview
The Network Time Protocol (NTP) is used to implement a hierarchical system of servers that provide a source for precisely synchronized time among network systems. This kind of accuracy is required for time-sensitive operations such as validating a certificate revocation list (CRL), which includes a precise time stamp. PIX Firewall Version 6.
Viewing NTP Status and Configuration
This section describes the information available about NTP status and associations. To view information about NTP status and configuration, use any of the following commands:
• show ntp associations: displays information about the configured time servers.
• show ntp associations detail: provides detailed information.
• show ntp status: displays information about the NTP clock.
Example 9-2 provides sample output from the show ntp associations detail command:
Example 9-2 Sample Output from ntp associations detail Command
pix(config)# show ntp associations detail
172.23.56.249 configured, our_master, sane, valid, stratum 4
ref ID 172.23.56.225, time c0212639.2ecfc9e0 (20:19:05.182 UTC Fri Feb 22 2002)
our mode client, peer mode server, our poll intvl 128, peer poll intvl 128
root delay 38.
Table 9-2 Output Description from ntp associations detail Command (continued)
Output Column Heading: Description
peer poll intvl: Peer's poll interval to us.
root delay: Delay along path to root (ultimate stratum 1 time source).
root disp: Dispersion of path to root.
reach: Peer reachability (bit string in octal).
sync dist: Peer synchronization distance.
delay: Round-trip delay to peer.
Chapter 9 Accessing and Monitoring PIX Firewall Managing the PIX Firewall Clock Table 9-3 Output Description from ntp status Command (continued) Output Column Heading Description clock offset Offset of the system clock to synchronized peer. root delay Total delay along path to root clock. root dispersion Dispersion of root path. peer dispersion Dispersion of synchronized peer.
Using Telnet for Remote System Management
The recurring keyword indicates that summer time should start and end on the days specified by the values that follow this keyword. If no values are specified, the summer time rules default to United States rules. The week option is the week of the month (1 to 5 or last). The weekday option is the day of the week (Sunday, Monday,…). The month parameter is the full name of the month (January, February,…).
Configuring Telnet Console Access to the Inside Interface
Note See the telnet command page within the Cisco PIX Firewall Command Reference for more information about this command.
Follow these steps to configure Telnet console access:
Step 1 Enter the PIX Firewall telnet command. For example, to let a host on the internal interface with an address of 192.168.1.
Allowing a Telnet Connection to the Outside Interface
This section tells you how to configure a Telnet connection to a lower security interface of the PIX Firewall. It includes the following topics:
• Overview, page 9-18
• Using Telnet with an Easy VPN Remote Device, page 9-18
• Using Cisco Secure VPN Client Version 1.
To open a VPN tunnel for running a Telnet session to a PIX Firewall from an Easy VPN Remote device, follow these steps:
Step 1 Set up IPSec by entering the following commands:
isakmp policy 10 authentication pre-share
isakmp policy 10 group 2
isakmp enable outside
crypto ipsec transform-set esp-des-md5 esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set esp-des-md5
crypto map mymap 10
Step 2
Note To complete the configuration of the VPN client, refer to the vpngroup command in the Cisco PIX Firewall Command Reference.
Using Telnet
Perform the following steps to test Telnet access:
Step 1 From the host, start a Telnet session to a PIX Firewall interface IP address. If you are using Windows 95 or Windows NT, click Start>Run to start a Telnet session.
Trace Channel Feature
The debug packet command sends its output to the Trace Channel. All other debug commands do not. Use of Trace Channel changes the way you can view output on your screen during a PIX Firewall console or Telnet session. If a debug command does not use Trace Channel, each session operates independently, which means any commands started in the session only appear in the session.
Using SSH for Remote System Management
Overview
SSH is an application running on top of a reliable transport layer, such as TCP/IP, that provides strong authentication and encryption capabilities. The PIX Firewall supports the SSH remote shell functionality provided in SSH Version 1. SSH Version 1 also works with Cisco IOS software devices. Up to five SSH clients are allowed simultaneous access to the PIX Firewall console.
Identifying the Host Using an SSH Client
Identify each host authorized to access the PIX Firewall console using SSH by entering the following command:
[no] ssh ip_address [netmask] [interface_name]
To use this command:
• Replace ip_address with the IP address of the host or network authorized to initiate an SSH connection to the PIX Firewall.
• Replace netmask with the network mask for ip_address.
Configuring Authentication for an SSH Client
To configure local authentication for an SSH client accessing the PIX Firewall, enter the following command:
ssh -c 3des -l pix -v ipaddress
The password used to perform local authentication is the same as the one used for Telnet access. The default for this password is cisco.
lists the progress the client is making as it interacts with the PIX Firewall. The Username column lists the login username that has been authenticated for the session. The “pix” username appears when non-AAA authentication is used.
Enabling Auto Update Support
Auto Update is a protocol specification introduced with PIX Firewall Version 6.2.
Managing Auto Update Support
To enable the PIX Firewall for polling an AUS, use the following command:
[no] auto-update device-id hardware-serial | hostname | ipaddress [if-name] | mac-address [if-name] | string text
The auto-update device-id command is used to identify the device ID to send when communicating with the AUS.
Timeout: none
Device ID: host name [pix-pri]
Next poll in 4.93 minutes
Last poll: 11:36:46 PST Tue Nov 13 2001
Last PDM update: 23:36:46 PST Tue Nov 12 2001
Capturing Packets
This section describes the packet capture utility introduced with PIX Firewall Version 6.2.
Replace acl_id with the name of any existing access list, which can limit the capture based on one or more of the following selection criteria:
• IP protocol type
• Source or destination addresses
• TCP or UDP port
• ICMP type
For information about configuring an access control list, refer to “Controlling Outbound Connectivity” in Chapter 3, “Controlling Network Access and Use.
Step 4 To copy the contents of the packet capture buffer to a TFTP server, enter the following command:
copy capture:capture-name tftp://location/path [pcap]
Replace capture-name with the name of the packet capture you want to view. Replace location and path with the host name, path name, and file name of the file where you want to store the captured packets.
Table 9-4 Packet Capture Formats (continued)
Capture Type: Syntax
Other IP packets: HH:MM:SS.ms [ether-hdr] src-addr dest-addr: ip-protocol ip-length
ARP packets: HH:MM:SS.ms [ether-hdr] arp-type arp-info
Other packets: HH:MM:SS.ms ether-hdr: hex-dump
Packet Capture Examples
This section includes examples of different types of packet captures. Example 9-5 illustrates an HTTP packet capture.
Saving Crash Information to Flash Memory
10:46:28.923368 arp who-has 209.165.200.226 (ff:ff:ff:ff:ff:ff) tell 209.165.200.235
10:46:29.255998 arp who-has 209.165.202.129 tell 209.165.202.130 (0:2:b9:45:bf:7b)
10:46:29.256136 arp reply 209.165.202.
To save test crash information to Flash memory, enter the following command:
crashinfo test
This command can be used for reassurance and testing and does not actually crash the PIX Firewall. This command erases the current contents of the crash file in Flash memory, and saves information to Flash memory that is similar to what is saved during an actual system crash.
Using Syslog
Enabling Logging to Syslog Servers
This section describes how to enable logging messages to one or more syslog servers. For information about saving messages to a buffer, displaying them on the console, specifying the transport used for syslog messages, or various other options, refer to the logging command in the Cisco PIX Firewall Command Reference.
Replace syslogid with the numeric identifier assigned to the syslog message.
To view disabled messages, enter the following command:
show logging disabled
To view all messages with modified levels, and all disabled messages, enter the following command:
show logging message
Logging Access Control List Activity
This section describes a logging option, introduced with PIX Firewall Version 6.3, that lets you log the number of permits or denies of a flow by an ACL entry during a specific period of time.
To enable logging of the number of permits or denies of a flow by an ACL entry during a specific period of time, use the following command:
access-list acl_id [log [disable|default] | [level] [interval seconds]]
Use the disable option to completely disable the log option, including syslog message 106023. Use the default option to restore the default ACL logging behavior, which is to generate syslog message 106023 if a packet is denied.
Logging Behavior
There are some behavior differences among the various types of IP traffic, because the access check is applied only to packets that do not have an existing connection. This section summarizes the logging behavior for different types of traffic.
Deny Example
1. An inbound TCP packet (3.3.3.3/12345 -> 192.168.1.1/1357) arrives on the outside interface.
2. The packet is permitted by the first ACE of the outside-acl access list, which has the log option enabled with log level 2.
3. The log flow (TCP, 3.3.3.3, 12345, 192.168.1.1, 1357) has not been cached, so the following syslog message is generated and the log flow is cached.
106100: access-list outside-acl denied tcp outside/3.3.3.
Table 9-5 Syslog Message Format for ACL Logging
Field: Description
Displays the number of times this flow was permitted or denied by the ACL entry in the configured time interval. The value is 1 when the first syslog message is generated for the flow.
first hit: Displays the first message generated for this flow.
n-second interval: Displays the interval over which the hit count is accumulated.
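Because each 106100 message carries the hit count for one flow over one interval, a collector can sum them per flow and surface the sources that keep hitting a deny entry. The following parser is an added example, not Cisco code or anything from this guide; the sample syslog lines are constructed, and the exact field layout assumed for the message (interface/address(port) pairs, hit-cnt, then the interval in parentheses) is an assumption drawn from the fields Table 9-5 describes.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines. The 106100 layout assumed here is
# "%PIX-6-106100: access-list ACL {permitted|denied} PROTO IF/SRC(SPORT) -> IF/DST(DPORT)
#  hit-cnt N ({first hit|N-second interval}) HASH HASH"; the hash values are placeholders.
SAMPLE_LOG = """\
Feb 22 20:19:05 pix %PIX-6-106100: access-list outside-acl denied tcp outside/3.3.3.3(12345) -> inside/192.168.1.1(1357) hit-cnt 1 (first hit) 0x11111111 0x22222222
Feb 22 20:24:05 pix %PIX-6-106100: access-list outside-acl denied tcp outside/3.3.3.3(12345) -> inside/192.168.1.1(1357) hit-cnt 42 (300-second interval) 0x11111111 0x22222222
Feb 22 20:24:07 pix %PIX-6-106100: access-list outside-acl permitted tcp outside/209.165.200.225(40000) -> inside/192.168.1.5(80) hit-cnt 1 (first hit) 0x33333333 0x44444444
Feb 22 20:25:00 pix %PIX-4-106023: Deny tcp src outside:3.3.3.3/5555 dst inside:192.168.1.1/23 by access-group "outside-acl"
"""

MSG_106100 = re.compile(
    r"106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src_if>[^/\s]+)/(?P<src>[^(\s]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst>[^(\s]+)\((?P<dport>\d+)\) "
    r"hit-cnt (?P<hits>\d+) \((?P<window>first hit|\d+-second interval)\)"
)


def parse_106100(line):
    """Return the fields of one 106100 message as a dict, or None for any other line."""
    m = MSG_106100.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for k in ("sport", "dport", "hits"):
        rec[k] = int(rec[k])
    # "first hit" opens the interval and always reports hit-cnt 1.
    rec["interval_seconds"] = 0 if rec["window"] == "first hit" else int(rec["window"].split("-")[0])
    return rec


def flow_key(rec):
    """ACL, action and the flow 5-tuple the PIX caches the hit count under."""
    return (rec["acl"], rec["action"], rec["proto"], rec["src"], rec["sport"], rec["dst"], rec["dport"])


def summarize(log_text):
    """Sum hit counts per ACL, action and flow. Each 106100 message reports the
    count for its own interval, so adding them gives the total for the period logged."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_106100(line)
        if rec is not None:
            totals[flow_key(rec)] += rec["hits"]
    return dict(totals)


def noisy_denied_flows(log_text, threshold=10):
    """Denied flows whose summed hit count meets the threshold: sources that keep
    retrying after being blocked, which a defender would want to look at first."""
    return sorted(key for key, total in summarize(log_text).items()
                  if key[1] == "denied" and total >= threshold)


if __name__ == "__main__":
    for key in noisy_denied_flows(SAMPLE_LOG):
        print(key)
```

The 106023 line in the sample is deliberately ignored: it is the per-packet deny message that the log option replaces, and mixing its single hits into the interval totals would double count.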
Table 9-7 summarizes the commands that you can use to determine the messages that are displayed.
Table 9-7 Commands to Control Syslog Messages
Command: Effect
ip audit signature signature_number disable: Attaches a global policy to a signature. Used to disable or exclude a signature from auditing.
no ip audit signature signature_number: Removes the policy from a signature. Used to reenable a signature.
Using SNMP
Table 9-7 Commands to Control Syslog Messages (continued)
Command: Effect
ip audit name audit_name attack [alarm] [drop] [reset]
no ip audit name audit_name
show ip audit name [action [attack] [name [info | attack]]
ip audit interface if_name audit_name
no ip audit interface [if_name]
show ip audit interface
All attack signatures except those disabled or excluded by the ip audit signature command are considered part of the policy.
The PIX Firewall SNMP traps available to an SNMP management station are as follows:
• Generic traps:
– Link up and link down (cable connected to the interface or not; cable connected to an interface working or not working)
– Cold start
– Authentication failure (mismatched community string)
• Security-related events sent via the Cisco syslog MIB:
– Global access denied
– Failover syslog messages
– Syslog messages
Use CiscoWorks for Windows or
Each row of the cpmCPUTotalTable consists of the following five elements:
• Index of each CPU
Note Because all current PIX Firewall hardware platforms support a single CPU, PIX Firewall returns only one row from cpmCPUTotalTable and the index is always 1.
SNMP Traps
Traps are different from browsing; they are unsolicited “comments” from the managed device to the management station for certain events, such as link up, link down, and syslog event generated. An SNMP object ID (OID) for PIX Firewall displays in SNMP event traps sent from the PIX Firewall. PIX Firewall provides the system OID in SNMP event traps and in the SNMP mib-2.system.sysObjectID variable, based on the hardware platform.
Step 5 Start sending syslog traps to the management station with the logging on command.
Step 6 To disable sending syslog traps, use the no logging on command or the no snmp-server enable traps command.
The commands in Example 9-11 specify that PIX Firewall can receive the SNMP requests from host 192.168.3.2 on the inside interface but does not send SNMP syslog traps to any host.
Step 10 Find the file CISCO-MEMORY-POOL-MIB.my (CISCO-MEMORY-POOL-MIB.mib) and click OK.
Step 11 Scroll to the bottom of the list, and click the last entry.
Step 12 Click Add.
Step 13 Find the file CISCO-SMI.my (CISCO-SMI.mib) and click OK.
Step 14 Scroll to the bottom of the list, and click the last entry.
Step 15 Click Add.
Step 16 Find the file CISCO-SYSLOG-MIB.my (CISCO-SYSLOG-MIB.mib) and click OK.
Step 17 Click Load All.
In SNMP, the MIB table index should be unique for the agent to identify a row from the MIB table. The table index for ip.ipAddrTable is the PIX Firewall interface IP address, so the IP address should be unique; otherwise, the SNMP agent will get confused and may return information of another interface (row), which has the same IP (index).
Verifying Memory Usage
You can determine how much free memory is available with the Cisco Memory Pool MIB. From the PIX Firewall command line, memory usage is viewed with the show memory command. The following is sample output from the show memory command.
Viewing The Connection Count
You can view the number of connections in use from the cfwConnectionStatTable in the Cisco Firewall MIB. From the PIX Firewall command line, you can view the connection count with the show conn command. The following is sample output from the show conn command to demonstrate where the information in cfwConnectionStatTable originates.
Viewing System Buffer Usage
You can view the system buffer usage from the Cisco Firewall MIB in multiple rows of the cfwBufferStatsTable. The system buffer usage provides an early warning of the PIX Firewall reaching the limit of its capacity. On the command line, you can view this information with the show blocks command. The following is sample output from the show blocks command to demonstrate how cfwBufferStatsTable is populated.
In the HP OpenView Browse MIB application’s “MIB values” window a sample MIB query yields the following information:
cfwBufferStatInformation.4.3 :maximum number of allocated 4 byte blocks
cfwBufferStatInformation.4.5 :fewest 4 byte blocks available since system startup
cfwBufferStatInformation.4.8 :current number of available 4 byte blocks
cfwBufferStatInformation.80.3 :maximum number of allocated 80 byte blocks
cfwBufferStatInformation.80.
Chapter 10 Using PIX Firewall Failover
This chapter describes the PIX Firewall failover feature, which allows a secondary PIX Firewall to take over the functionality of a failed primary PIX Firewall.
Failover System Requirements
Table 10-1 lists the system requirements for the failover feature.
Understanding Failover
This section describes how failover works, and includes the following topics:
• Overview, page 10-3
• Network Connections, page 10-3
• Failover and State Links, page 10-4
• Primary and Secondary Vs.
Figure 10-1 Parallel Position in Network
(Figure: a PIX 515E primary unit and a PIX 515E standby unit connected by the failover cable, each with 100 Mbps full-duplex Ethernet 0 and Ethernet 1 links to the outside switch and the inside network; the outside switch connects to the Internet.)
The failover link can be one of the following connections:
• Serial failover cable (“cable-based failover”)—If the two units are within six feet of each other, then we recommend that you use the serial failover cable. Using this cable allows the firewall to sense a power loss of the peer unit, and to differentiate a power loss from an unplugged cable.
Primary and Secondary Vs. Active and Standby
The main differences between the two units in a failover pair are related to which unit is active and which unit is standby, namely which IP addresses to use and which unit actively passes traffic.
Configuration replication from the active unit to the standby unit occurs in the following ways:
• When the standby unit completes its initial startup, it clears its running configuration using the clear configure all command (except for the LAN-based failover commands that are not replicated), and the active unit sends its entire configuration to the standby unit.
Failover Configuration Prerequisites
3. Broadcast Ping test—The ping test consists of sending out a broadcast ping request. The unit then counts all received packets for up to 5 seconds. If any packets are received at any time during this interval, the interface is considered operational and testing stops. If all network tests fail, then the interface is considered to be failed. If the standby unit has more operational interfaces, then a failover occurs.
Configuring Cable-Based Failover
Step 2 If an interface is not going to be used, turn off the interface by entering:
primary(config)# interface hardware_id shutdown
Where hardware_id is ethernetn or gb-ethernetn. This step prevents the firewall from expecting hello packets on the interface.
Step 2 a. (Stateful Failover) If you have not done so already, configure the Ethernet interface you are using for the Stateful Failover link:
primary(config)# interface hardware_id hardware_speed
Enables the interface.
• hardware_id—ethernetn or gb-ethernetn.
• hardware_speed—The hardware speed and duplex for the Ethernet interface.
Configuring LAN-Based Failover
Step 3 primary(config)# failover ip address interface_name ip_address
For each interface that has an IP address, this command identifies the failover IP address. This IP address is used on the standby unit. This IP address must be in the same subnet as the active IP address. You do not need to identify the subnet mask. To check the current IP address settings, enter the show ip address command.
Note If you are changing from cable-based failover to LAN-based failover, complete all the steps in the following procedures that you did not already complete when you initially set up cable-based failover. For example, you might need to configure the failover ip address command for the failover link, but you do not need to reconfigure all the other failover IP addresses.
b. primary(config)# nameif hardware_id interface_name securitylevel
Names the interface and sets the security level. Where:
• hardware_id—ethernetn or gb-ethernetn.
• interface_name—A string describing the interface.
• securitylevel—A number between 1 and 99. 0 and 100 are reserved for the inside and outside interfaces. Because this interface is a dedicated link, the security level can be any number.
c. primary(config)# ip address interface_name ip_address [netmask]
Sets the IP address. For example:
primary(config)# ip address state 192.168.3.1 255.255.255.0
Step 3 primary(config)# failover ip address interface_name ip_address
For each interface that has an IP address, this command identifies the failover IP address. This IP address is used on the standby unit.
Step 7 primary(config)# failover lan interface interface_name
Identifies the Ethernet interface for the failover link. For example, enter:
primary(config)# failover lan interface faillink
Step 8 primary(config)# failover lan key string
(Optional) Encrypts the failover communications over the Ethernet link. If you do not enter this command, all failover communications are sent in clear text.
Verifying the Failover Configuration
c. secondary(config)# ip address interface_name ip_address [netmask]
Set the IP address to match the IP address on the primary unit. The secondary unit does not use this IP address, but instead uses the failover IP address you set in the next step. However, you must still set the primary IP address. For example:
secondary(config)# ip address faillink 192.168.2.1 255.255.255.
• Using the Show Failover Command, page 10-17
• Testing the Failover Functionality, page 10-20
See the “Monitoring Failover” section for other troubleshooting tools.
Logical Update Queue Information
        Cur  Max  Total
Recv Q: 0    0    0
Xmit Q: 0    0    0
Lan Based Failover is Active
interface intf3 (192.168.3.1): Normal, peer (192.168.3.2) Normal
Table 10-2 Show Failover Display Description
Field: Options
Failover:
• On
• Off
Serial Failover Cable status:
• Normal—The cable is connected to both units, and they both have power.
• My side not connected—The serial cable is not connected to this unit.
Table 10-2 Show Failover Display Description (continued)
Field: Options
Interface name (n.n.n.n): For each interface, the display shows the IP address currently being used on each unit, as well as one of the following conditions:
• Failed—The interface has failed.
• Link Down—The interface line protocol is down.
• Normal—The interface is working correctly.
Forcing Failover
Table 10-2 Show Failover Display Description (continued)
Field: Options
Xmit Q: The status of the transmit queue.
Lan-based Failover is Active: This field appears only when LAN-based failover is enabled.
interface name (n.n.n.n): For the LAN failover link, the display shows the IP address currently being used on each unit, as well as the condition of the link. See the peer (n.n.n.
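A failover pair that has silently dropped to one working unit, or to an interface in Link Down, is exactly the state Table 10-2 exists to let you spot, so it is worth checking from a monitoring job rather than by eye. The following parser of show failover output is an added example, not Cisco code or part of this guide; the sample output is constructed from the fields the table describes, and the precise line layout of a real device (the "This host"/"Other host" blocks and "Interface name (ip): condition" lines) is an assumption.

```python
import re

# Constructed "show failover" output modelled on the fields in Table 10-2.
# It is sample text for this example, not captured from a device.
SAMPLE_SHOW_FAILOVER = """\
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
Poll frequency 15 seconds
        This host: Primary - Active
                Active time: 6930 (sec)
                Interface outside (209.165.201.1): Normal
                Interface inside (192.168.2.1): Normal
                Interface state (192.168.253.1): Normal
        Other host: Secondary - Standby
                Active time: 0 (sec)
                Interface outside (209.165.201.2): Normal
                Interface inside (192.168.2.2): Link Down
                Interface state (192.168.253.2): Normal
"""

HOST_RE = re.compile(r"^(This|Other) host: (Primary|Secondary) - (\w+)")
IFACE_RE = re.compile(r"^Interface (\S+) \(([\d.]+)\): (.+?)\s*$")


def parse_show_failover(text):
    """Return the failover switch, cable status and each unit's interface conditions."""
    result = {"failover_on": None, "cable_status": None, "hosts": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Failover "):
            result["failover_on"] = line.split()[1] == "On"
        elif line.startswith("Cable status:"):
            result["cable_status"] = line.split(":", 1)[1].strip()
        elif (m := HOST_RE.match(line)):
            current = m.group(1)
            result["hosts"][current] = {"unit": m.group(2), "state": m.group(3), "interfaces": {}}
        elif current and (m := IFACE_RE.match(line)):
            # Interface condition is one of Normal, Failed, Link Down, and so on.
            result["hosts"][current]["interfaces"][m.group(1)] = (m.group(2), m.group(3))
    return result


def failover_problems(text):
    """Conditions a monitoring job should alert on: failover disabled, a cable
    problem, a pair that is not exactly one Active plus one Standby, or any
    interface on either unit that is not Normal."""
    parsed = parse_show_failover(text)
    problems = []
    if parsed["failover_on"] is False:
        problems.append("failover is off")
    if parsed["cable_status"] not in (None, "Normal"):
        problems.append("cable status: " + parsed["cable_status"])
    states = sorted(h["state"] for h in parsed["hosts"].values())
    if parsed["failover_on"] and states != ["Active", "Standby"]:
        problems.append("unit states: " + ", ".join(states))
    for host, info in parsed["hosts"].items():
        for name, (ip, cond) in info["interfaces"].items():
            if cond != "Normal":
                problems.append(f"{host} host interface {name} ({ip}): {cond}")
    return problems


if __name__ == "__main__":
    for p in failover_problems(SAMPLE_SHOW_FAILOVER):
        print(p)
```

Checking the standby unit's interfaces, not just the active one's, is the point: a standby with a dead inside link still reports itself Standby and will take over with that link down.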
Failover Off ...
To disable the LAN failover link, disable failover and then disable the LAN failover link:
primary(config)# no failover
primary(config)# no failover lan enable
When you enable failover again, the firewall uses the serial failover cable if connected.
Monitoring Failover
When a failover occurs, both PIX Firewalls send out syslog messages, and the ACTIVE light on the front of the devices indicates the current state.
Frequently Asked Failover Questions
This section contains some frequently asked questions about the failover features and includes the following topics:
• Configuration Replication Questions, page 10-23
• Basic Failover Questions, page 10-23
• Cable-Based Failover Questions, page 10-24
• LAN-Based Failover Questions, page 10-25
• Stateful Failover Questions, page 10-25
Configuration Replication Questions
• Does configuration replication save the configuration to Flash memory on the standby unit?
No, the configuration is only in running memory.
• How can both units be configured the same without manually entering the configuration twice?
Commands entered on the active unit are automatically replicated to the standby unit.
• How long does it take to detect a failure?
– Network errors are detected within two consecutive polling intervals (by default, 15 second intervals). The polling interval is user-configurable using the failover poll command.
– (Cable-based only) Power failure and cable failure are detected immediately.
– Failover communication errors are detected within two consecutive polling intervals.
LAN-Based Failover Questions
• What happens if the failover link is disconnected at startup?
The primary unit becomes active. The secondary unit uses other interfaces to detect if the primary unit is active, and does not become active itself. If the primary unit is not active, then the secondary unit waits a brief period before becoming active.
Failover Configuration Examples
This section includes sample configurations and network diagrams, and includes the following topics:
• Cable-Based Failover Example, page 10-26
• LAN-Based Failover Example, page 10-27
Cable-Based Failover Example
Figure 10-2 shows the network diagram for a failover configuration using a serial failover cable.
Figure 10-2 Cable-Based Failover Configuration Internet 209.165.201.
failover ip address outside 209.165.201.2
failover ip address inside 192.168.2.2
failover ip address state 192.168.253.2
failover link state
failover
global (outside) 1 209.165.201.3 netmask 255.255.255.224
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 209.165.201.5 192.168.2.5 netmask 255.255.255.255 0 0
access-list acl_out permit tcp any 209.165.201.5 eq 80
access-group acl_out in interface outside
route outside 0 0 209.
telnet 192.168.2.45 255.255.255.255
hostname pixfirewall
ip address outside 209.165.201.1 255.255.255.224
ip address inside 192.168.2.1 255.255.255.0
ip address failover 192.168.254.1 255.255.255.0
ip address state 192.168.253.1 255.255.255.252
failover ip address outside 209.165.201.2
failover ip address inside 192.168.2.2
failover ip address failover 192.168.254.2
failover ip address state 192.168.253.
Chapter 11 Changing Feature Licenses and System Software
This chapter describes how to change (upgrade or downgrade) the feature license or software image on your Cisco PIX Firewall.
Upgrading Your License by Entering a New Activation Key
This section describes how to upgrade your PIX Firewall license and includes the following topics:
• Obtaining an Activation Key, page 11-2
• Entering a New Activation Key, page 11-2
• Troubleshooting the License Upgrade, page 11-4
Obtaining an Activation Key
To obtain an activation key, you will need a Product Authorization Key, wh
To enter an activation key, enter the following command:
activation-key activation-key-four-tuple
In this command, replace activation-key-four-tuple with the activation key you obtained with your new license. For example:
activation-key 0x12345678 0xabcdef01 0x2345678ab 0xcdef01234
The leading “0x” hexadecimal indicator is optional.
Troubleshooting the License Upgrade
Table 11-1 lists the messages that the system displays when the activation key has not been changed:
Table 11-1 Troubleshooting the License Upgrade
System Message Displayed: Resolution
The activation key you entered is the same as the Running key.: Either the activation key has already been upgraded or you need to enter a different key.
Using HTTP to Copy Software and Configurations
Running activation key: 0xe02888da 0x4ba7bed6 0xf1c123ae 0xffd8624e
Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES: Enabled
Maximum Interfaces: 6
Cut-through Proxy: Enabled
Guards: Enabled
Websense: Enabled
Throughput: Unlimited
ISAKMP peers: Unlimited
Flash activation key: 0xyadayada 0xyadayada 0xyadayada 0xyadayada
Licensed Features:
Failover: yada
VPN-DES: yada
VPN-3DES: yada
Maximum
Downloading the Current Software
Copying PIX Firewall Configurations
To retrieve a configuration from an HTTP server, enter the following command:
configure http[s]://[user:password@]location[:port]/pathname
SSL will be used when https is entered. The user and password options are used for basic authentication when logging in to the server. The location option is the IP address (or a name that resolves to the IP address) of the server.
• pix6nn.bin—The latest software image. Place this image in the TFTP directory so it can be downloaded to the PIX Firewall unit.
• pfss512.exe—Contains the PIX Firewall Syslog Server (PFSS), supported on Windows NT, 2000, or XP. After installation, this receives syslog messages from the PIX Firewall and stores them in daily log files.
Follow these steps to install the latest PIX Firewall software:
Step 1 Use a network browser, such as Netscape Navigator, to access http://www.cisco.com.
Step 2 If you are a registered Cisco.com user, click LOGIN in the upper area of the page. If you have not registered, click REGISTER and follow the steps to register.
Step 3 After you click LOGIN, a dialog box appears requesting your username and password.
Installing and Recovering PIX Firewall Software
This section contains the following topics:
• Installing Image Software from the Command Line
• Using Monitor Mode to Recover the PIX Firewall Image
• Using Boothelper
• Downloading an Image with Boothelper
Installing Image Software from the Command Line
To use TFTP to install a software image from the PIX Firewall command line, enter the followin
Chapter 11 Changing Feature Licenses and System Software Installing and Recovering PIX Firewall Software Step 6 If needed, enter the gateway command to specify the IP address of a router gateway through which the server is accessible. Step 7 If needed, use the ping command to verify accessibility. Use the interface command to specify which interface the ping traffic should use. If the PIX Firewall has only two interfaces, the monitor mode defaults to the inside interface.
Chapter 11 Changing Feature Licenses and System Software Installing and Recovering PIX Firewall Software Get the Boothelper Binary Image Use the following steps to download the Boothelper binary image: Step 1 Log in to Cisco.com and continue to the PIX Firewall software directory, as described in the previous section, “Downloading Software from the Web” or “Downloading Software with FTP.” Step 2 Download the latest Boothelper image (bh5nn.bin; where nn is the latest version available) from Cisco.
Chapter 11 Changing Feature Licenses and System Software Installing and Recovering PIX Firewall Software Preparing a Boothelper Diskette on a Windows System Follow these steps to create the Boothelper diskette from a Windows system: Step 1 Locate an IBM formatted diskette that does not contain useful files. Do not use the PIX Firewall boot diskette that came with your original PIX Firewall purchase—you will need this diskette for system recovery should you need to downgrade versions.
Chapter 11 Changing Feature Licenses and System Software Downgrading to a Previous Software Version Step 5 You can now enter commands to download the binary image from the TFTP server. In most cases, you need only specify the address, server, and file commands, and then enter the tftp command to start the download. The commands are as follows: a. If needed, use a question mark (?) or enter the help command to list the available commands. b.
Chapter 11 Changing Feature Licenses and System Software Upgrading Failover Systems from a Previous Version To downgrade to an earlier version, enter the following command: flash downgrade version Replace version with one of the following values: • 4.2 • 5.0 • 5.1 You do not need to use the flash downgrade command when downgrading to Versions 5.2 or 5.3 from Version 6.1.
Chapter 11 Changing Feature Licenses and System Software TFTP Download Error Codes Step 1 Connect a separate console to the primary unit and one to the secondary unit. Step 2 Reload both PIX Firewall units, and bring them to monitor mode. Step 3 On the primary unit, use monitor mode TFTP to load the new PIX Firewall image. You will want to save the image to Flash memory and let it boot up. Enter a show failover command to ensure everything looks fine. Step 4 Repeat Step 3 on the secondary unit.
....<11>..<11>.<11>......<11>...
Also, tracing shows "A" and "T" for ARP and timeouts, respectively. Receipt of non-IP packets causes the protocol number to display inside parentheses.
Table 11-2 Error Code Numeric Values
Error Code: Description
-1: Timeout between the PIX Firewall and TFTP server.
2: The packet length as received from the Ethernet device was not big enough to be a valid TFTP packet.
A P P E N D I X A Acronyms and Abbreviations This appendix lists the acronyms and abbreviations used in this document. Refer to the Cisco PIX Firewall Command Reference for information on the commands described in this section. For more information on acronyms used in this guide, refer to the Internetworking Terms and Acronyms guide, which can be viewed online at the following website: http://www.cisco.com/univercd/cc/td/doc/cisintwk/ita/index.
Table A-1 Acronyms and Abbreviations (continued)
CPU: Central Processing Unit.
CRL: certificate revocation list.
CTI: Computer Telephony Integration.
CTIQBE: Computer Telephony Interface Quick Buffer Encoding.
DES: Data Encryption Standard.
DH: Diffie-Hellman.
DHCP: Dynamic Host Configuration Protocol.
DNS: Domain Name System. Operates over UDP unless zone file access over TCP is required.
DoS: Denial of service.
Table A-1 Acronyms and Abbreviations (continued)
IFP: Internet Filtering Protocol.
IGMP: Internet Group Management Protocol.
IGRP: Interior Gateway Routing Protocol.
IKE: Internet Key Exchange.
IKMP: Internet Key Management Protocol.
IP: Internet Protocol.
IPCP: IP Control Protocol. Protocol that establishes and configures IP over PPP.
IPinIP: IP-in-IP encapsulation protocol.
Table A-1 Acronyms and Abbreviations (continued)
NSSA: not so stubby area.
NTP: Network Time Protocol. Sets system clocks via the network.
NVT: Network virtual terminal.
OSPF: Open Shortest Path First protocol.
PAP: Password Authentication Protocol. Authentication protocol that lets PPP peers authenticate one another.
PAT: Port Address Translation.
PDM: PIX Device Manager.
PFS: perfect forward secrecy.
PFSS: PIX Firewall Syslog Server.
Table A-1 Acronyms and Abbreviations (continued)
SSH: Secure Shell.
SMR: Stub Multicast Routing.
SMTP: Simple Mail Transfer Protocol. Mail service. The fixup protocol smtp command enables the Mail Guard feature. The PIX Firewall Mail Guard feature is compliant with both the RFC 1651 EHLO and RFC 821 section 4.5.1 commands.
SNMP: Simple Network Management Protocol. Set attributes with the snmp-server command.
SPC: Shared Profile Component.
A P P E N D I X B Configuration Examples for Other Remote Access Clients This appendix describes different scenarios and examples of using PIX Firewall with different remote access clients and configuration options. It includes the following sections: • Xauth with RSA Ace/Server and RSA SecurID, page B-1 • L2TP with IPSec in Transport Mode, page B-8 • Windows 2000 Client with IPSec and L2TP, page B-11 • Using Cisco VPN Client Version 1.
Appendix B Configuration Examples for Other Remote Access Clients Xauth with RSA Ace/Server and RSA SecurID Tokencode: The code displayed by the token. The tokencode along with the PIN make up the RSA SecurID authentication system. PIN: The user’s personal identification number. Two-Factor authentication: The authentication method used by the RSA ACE/Server system in which the user enters a secret PIN (personal identification number) and the current code generated by the user’s assigned SecurID token.
Appendix B Configuration Examples for Other Remote Access Clients Xauth with RSA Ace/Server and RSA SecurID PIX Firewall Configuration Following is a sample configuration that is necessary for using token-based Xauth by the PIX Firewall for the VPN clients using RSA ACE/Server and RSA SecurID as the AAA server to establish a secure connection. Step 1 Create a pool of IP addresses for your clients to use: ip local pool mypool 3.3.48.100-3.3.48.
Appendix B Configuration Examples for Other Remote Access Clients Xauth with RSA Ace/Server and RSA SecurID SecurID with Cisco VPN Client Version 3.x This section describes how to use the Cisco VPN Client Version 3.x in the three token modes. It contains the following topics: • Token Enabled, page B-4 • Next Tokencode Mode, page B-4 • New PIN Mode, page B-5 Token Enabled When a connection is being established to the PIX Firewall with the Cisco VPN Client Version 3.
Appendix B Configuration Examples for Other Remote Access Clients Xauth with RSA Ace/Server and RSA SecurID New PIN Mode This mode is seen when the user is first assigned a token and needs to connect before a PIN can be assigned or created by the user (Case 1), or if for some reason the administrator puts the token in the New PIN Mode (Case 2). Case 1: User has no previous PIN or the PIN has been cleared.
Appendix B Configuration Examples for Other Remote Access Clients Xauth with RSA Ace/Server and RSA SecurID Token Enabled When a connection is being established to the PIX Firewall, the user is prompted to enter the username and passcode.
Appendix B Configuration Examples for Other Remote Access Clients Xauth with RSA Ace/Server and RSA SecurID In this case, enter the PIN in the Software Token dialog box or on the Pinpad and use the value thus obtained as the passcode when prompted for username and passcode. On a Windows NT operating system, enter the username and PIN instead of passcode. The next prompt, in either case, is for the new PIN.
Appendix B Configuration Examples for Other Remote Access Clients L2TP with IPSec in Transport Mode Next Tokencode Mode If the user enters an incorrect passcode, then the token status is changed to the Next Tokencode mode. In this case, when the user tries to connect the next time, and enters a correct password in the first Software Token dialog box, another Software Token dialog box appears, prompting the user to enter the next tokencode.
Appendix B Configuration Examples for Other Remote Access Clients L2TP with IPSec in Transport Mode L2TP Overview Layer 2 Tunneling Protocol (L2TP) is a VPN tunneling protocol which allows remote clients to use the public IP network to securely communicate with private corporate network servers. L2TP uses PPP over UDP (port 1701) to tunnel the data. L2TP protocol is based on the client/server model. The function is divided between the L2TP Network Server (LNS), and the L2TP Access Concentrator (LAC).
information in the IP header. However, the Layer 4 header is encrypted, which limits how much of the packet can be examined. Because transport mode transmits the IP header in clear text, it allows an attacker to perform some traffic analysis (who is talking to whom, and how much).
Appendix B Configuration Examples for Other Remote Access Clients Windows 2000 Client with IPSec and L2TP Step 7 (Optional) Instruct the PIX Firewall to send WINS server IP addresses to the client: vpdn group group_name client configuration wins wins_server_ip1 wins_server_ip2 Step 8 Specify authentication using the PIX Firewall local username/password database. If set to aaa, authenticate using the AAA server.
Appendix B Configuration Examples for Other Remote Access Clients Windows 2000 Client with IPSec and L2TP Overview The example shows the use of IPSec with L2TP, which requires that IPSec be configured in transport mode. For detailed command reference information, refer to the Cisco PIX Firewall Command Reference.
This command is stored in the configuration. 1 is the retry period, 20 is the retry count, and the crloptional option disables CRL checking, so a peer presenting a revoked certificate is still accepted; leave it out unless you have a reason to tolerate an unreachable CRL distribution point. Step 7 Authenticate the CA by obtaining its public key and its certificate: ca authenticate abcd This command is entered at the command line and is not stored in the configuration. Compare the fingerprint it displays with one obtained from the CA administrator out of band before accepting the certificate.
Appendix B Configuration Examples for Other Remote Access Clients Windows 2000 Client with IPSec and L2TP Step 16 Configure a transform set that defines how the traffic will be protected: crypto ipsec transform-set basic esp-des esp-md5-hmac crypto ipsec transform-set basic mode transport Note Step 17 The Windows 2000 L2TP/IPSec client uses IPSec transport mode, so transport mode should be selected on the transform set.
Step 25 The following debug commands (some of which can only be used from the console) can be used for troubleshooting:
debug cry isa
debug cry ipsec
debug cry ca
debug vpdn packet
debug vpdn event
debug vpdn error
debug ppp error
debug ppp negotiation
Step 26 Verify/display tunnel configuration: show vpdn tunnel Note The PIX Firewall does not establish an L2TP/IPSec tunnel with Windows 2000 if
How to Install a Certificate for Use with IP Security (IPSec): http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/WINDOWS2000/en/server/help/sag_VPN_us26.htm How to use a Windows 2000 Machine Certificate for L2TP over IPSec VPN Connections: http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.
Appendix B Configuration Examples for Other Remote Access Clients Using Cisco VPN Client Version 1.1 Configuring the PIX Firewall Follow these steps to configure the PIX Firewall to interoperate with the Cisco Secure VPN Client: Step 1 Define AAA related parameters: aaa-server TACACS+ protocol tacacs+ aaa-server partnerauth protocol tacacs+ aaa-server partnerauth (dmz) host 192.168.101.
Appendix B Configuration Examples for Other Remote Access Clients Using Cisco VPN Client Version 1.1 Step 12 Tell PIX Firewall to implicitly permit IPSec traffic: sysopt connection permit-ipsec Example B-1 provides the complete PIX Firewall configuration. Example B-1 PIX Firewall with VPN Client and Manual IP Address nameif ethernet0 outside security0 nameif ethernet1 inside security100 nameif ethernet2 dmz security10 enable password 8Ry2YjIyt7RRXU24 encrypted passwd 2KFQnbNIdI.
Appendix B Configuration Examples for Other Remote Access Clients Using Cisco VPN Client Version 1.1 crypto ipsec transform-set strong-des esp-3des esp-sha-hmac crypto dynamic-map cisco 4 set transform-set strong-des crypto map partner-map 20 ipsec-isakmp dynamic cisco crypto map partner-map client authentication partnerauth crypto map partner-map interface outside isakmp key cisco1234 address 0.0.0.0 netmask 0.0.0.
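The following is an added example and not Cisco code: a small audit script that reads a PIX 6.x-style configuration and reports the settings in this appendix that weaken a deployment, namely transform sets that use DES or carry no ESP authentication, a wildcard pre-shared key (isakmp key ... address 0.0.0.0 netmask 0.0.0.0), IKE policies using DES or DH group 1, the crloptional option from the Windows 2000 steps, and sysopt connection permit-ipsec (which lets decapsulated IPSec traffic bypass the interface ACLs). The sample configuration is constructed for the example from lines of Example B-1 plus a few added lines, and the finding names and severities are this example's own.

```python
"""Audit a PIX 6.x-style configuration for weak VPN settings.

Added example, not Cisco code.  SAMPLE_CONFIG is constructed for this
example; the severities and messages are this example's own conventions.
"""
import re

# Constructed sample: Example B-1 lines plus added lines to exercise each check.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ca configure abcd ca 1 20 crloptional
crypto ipsec transform-set strong-des esp-3des esp-sha-hmac
crypto ipsec transform-set basic esp-des esp-md5-hmac
crypto ipsec transform-set noauth esp-3des
crypto dynamic-map cisco 4 set transform-set strong-des
crypto map partner-map 20 ipsec-isakmp dynamic cisco
crypto map partner-map client authentication partnerauth
crypto map partner-map interface outside
isakmp key cisco1234 address 0.0.0.0 netmask 0.0.0.0
isakmp policy 8 encryption des
isakmp policy 8 group 1
sysopt connection permit-ipsec
"""

WEAK_ESP_CIPHERS = {"esp-des", "esp-null"}
ESP_AUTH = {"esp-md5-hmac", "esp-sha-hmac"}


def audit_pix_config(text):
    """Return a list of (severity, line_no, message) findings for the config text."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        words = line.split()
        if line.startswith("crypto ipsec transform-set") and "mode" not in words:
            name, algs = words[3], set(words[4:])
            weak = sorted(algs & WEAK_ESP_CIPHERS)
            if weak:
                findings.append(("high", no, f"transform-set {name} uses a weak or null cipher: {weak}"))
            if not algs & ESP_AUTH:
                # ESP without an HMAC transform gives confidentiality but no integrity.
                findings.append(("high", no, f"transform-set {name} has no ESP authentication (no esp-*-hmac)"))
        elif line.startswith("isakmp key"):
            m = re.search(r"address\s+(\S+)\s+netmask\s+(\S+)", line)
            if m and m.group(1) == "0.0.0.0" and m.group(2) == "0.0.0.0":
                findings.append(("high", no, "wildcard pre-shared key: any peer that knows the key can negotiate IKE"))
        elif line.startswith("isakmp policy"):
            if words[3:5] == ["encryption", "des"]:
                findings.append(("high", no, f"IKE policy {words[2]} uses 56-bit DES"))
            if words[3:5] == ["group", "1"]:
                findings.append(("medium", no, f"IKE policy {words[2]} uses DH group 1 (768-bit)"))
        elif line.startswith("ca configure") and "crloptional" in words:
            findings.append(("medium", no, "crloptional disables CRL checking; a revoked peer certificate is still accepted"))
        elif line == "sysopt connection permit-ipsec":
            findings.append(("info", no, "decapsulated IPSec traffic bypasses the interface ACLs"))
    return findings


def worst_severity(findings):
    """Highest severity present, or 'none' for an empty list."""
    order = {"info": 0, "medium": 1, "high": 2}
    return max((f[0] for f in findings), key=order.get, default="none")


if __name__ == "__main__":
    for severity, line_no, message in audit_pix_config(SAMPLE_CONFIG):
        print(f"[{severity}] line {line_no}: {message}")
```

Run it against a saved write terminal output; anything the script reports as high should be fixed before the unit faces untrusted peers.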
Appendix B Configuration Examples for Other Remote Access Clients Using Cisco VPN Client Version 1.1 Step 8 In the Network Security Policy window, expand Security Policy and set the following preferences in the panel on the right: a. Under Select Phase 1 Negotiation Mode, click Main Mode. b. Select the Enable Replay Detection check box. Leave any other values as they were in the panel.
Appendix B Configuration Examples for Other Remote Access Clients Using Cisco VPN Client Version 1.1 Making an Exception to Xauth for a Site-to-Site VPN Peer If you have both a site-to-site VPN peer and VPN client peers terminating on the same interface, and have the Xauth feature configured, configure the PIX Firewall to make an exception to this feature for the site-to-site VPN peer. With this exception, the PIX Firewall will not challenge the site-to-site peer for a username and password.
A P P E N D I X C MS-Exchange Firewall Configuration This appendix explains how you can configure the PIX Firewall to support Microsoft Exchange by creating access-list command statements for NetBIOS and TCP. The example that follows will work for two Windows NT Servers; one on the inside network of the PIX Firewall, and the other on the external network from where you want to send and receive mail.
Table C-1 Names and Addresses
Outside Windows NT Server: name outserver, IP address 209.165.201.2, domain pixout
Inside Windows NT Server: name inserver, IP address 192.168.42.2, domain pixin
PIX Firewall outside interface: IP address 209.165.201.1
PIX Firewall inside interface: IP address 192.168.42.1
The PIX Firewall static command statement uses 209.165.201.5 as its global address.
Appendix C MS-Exchange Firewall Configuration Configuring the Outside Server Configuring the Outside Server Follow these steps to configure the outside Microsoft Exchange server: Step 1 On the outside Microsoft Exchange server, click the Network entry in the Start>Settings>Control Panel. In the Ethernet adapter Properties section, set the primary WINS (Windows Internet Name System) address to the IP address of the outside system, in this case, 209.165.201.2.
Appendix C MS-Exchange Firewall Configuration Configuring Both Systems After Rebooting Step 3 Step 4 Establish a trusted, trusting relationship between the inside server’s domain, pixin and the outside server’s domain, pixout. a. Click Start>Programs>Administrative Tools>User Manager for Domains. b. Click Policies>Trust Relationship, and click Trusting Domain. c. Add a trusting domain for the outside server’s domain and assign a password to it. d.
A P P E N D I X D TCP/IP Reference Information This appendix includes the following sections: • IP Addresses, page D-1 • Ports, page D-2 • Protocols and Applications, page D-5 • Using Subnet Masks, page D-7 IP Addresses • IP address classes are defined as follows: – Class A—If the first octet is between 1 and 127 (inclusive), the address is a Class A address. In a Class A address, the first octet is the one-byte net address and the last three octets are the host address.
Appendix D TCP/IP Reference Information Ports • In this guide, the use of “address” and “IP address” are synonymous. • IP addresses are primarily one of these values: – local_ip—An untranslated IP address on the internal, protected network. In an outbound connection originated from local_ip, the local_ip is translated to the global_ip. On the return path, the global_ip is translated to the local_ip. The local_ip to global_ip translation can be disabled with the nat 0 0 0 command.
Table D-1 Port Literal Values (continued)
citrix-ica: TCP 1494, Citrix Independent Computing Architecture (ICA) protocol
cmd: TCP 514, Similar to exec except that cmd has automatic authentication
ctiqbe: TCP 2748, Computer Telephony Interface Quick Buffer Encoding
daytime: TCP 13, Day time, RFC 867
discard: TCP, UDP 9, Discard
domain: TCP, UDP 53, DNS (Domain Name System)
dnsix: UDP 195, DNSIX Session Ma
Table D-1 Port Literal Values (continued)
netbios-ssn: TCP 139, NetBIOS Session Service
nntp: TCP 119, Network News Transfer Protocol
ntp: UDP 123, Network Time Protocol
pcanywhere-status: UDP 5632, pcAnywhere status
pcanywhere-data: TCP 5631, pcAnywhere data
pim-auto-rp: TCP, UDP 496, Protocol Independent Multicast, reverse path flooding, dense mode
pop2: TCP 109, Post Office Protocol - Version 2
pop3
Appendix D TCP/IP Reference Information Protocols and Applications Protocols and Applications This section provides information about the protocols and applications with which you may need to work when configuring PIX Firewall. It includes the following topics: • Supported Multimedia Applications • Supported Protocols and Applications Possible literal values are ahp, eigrp, esp, gre, icmp, igmp, igrp, ip, ipinip, ipsec, nos, ospf, pcp, snp, tcp, and udp. You can also specify any protocol by number.
Appendix D TCP/IP Reference Information Protocols and Applications Supported Multimedia Applications PIX Firewall supports the following multimedia and video conferencing applications: • CUseeMe Networks CU-SeeMe • CUseeMe Networks CU-SeeMe Pro • CUseeMe Networks MeetingPoint • Intel Internet Video Phone • Microsoft NetMeeting • Microsoft NetShow • NetMeeting • RealNetworks RealAudio and RealVideo • Point-to-Point Protocol over Ethernet (PPPoE) • VDOnet VDOLive • VocalTec Internet Ph
Appendix D TCP/IP Reference Information Using Subnet Masks • Transmission Control Protocol (TCP) • Trivial File Transfer Protocol (TFTP) • User Datagram Protocol (UDP) • RFC 1700 Using Subnet Masks This section lists information by subnet mask and identifies which masks are for networks, hosts, and broadcast addresses. Note In some networks, broadcasts are also sent on the network address.
Appendix D TCP/IP Reference Information Using Subnet Masks In these examples, the ip address commands specify addresses for the inside and outside network interfaces. The ip address command only uses network masks. The inside interface is a Class A address, but only the last octet is used in the example network and therefore has a Class C mask. The outside interface is part of a subnet so the mask reflects the .224 subnet value. The nat command lets users start connections from the inside network.
Appendix D TCP/IP Reference Information Using Subnet Masks Uses for Subnet Information Use subnet information to ensure that your host addresses are in the same subnet and that you are not accidentally using a network or broadcast address for a host. The network address provides a way to reference all the addresses in a subnet, which you can use in the global, outbound, and static commands. For example, you can use the following net static command statement to map global addresses 192.168.1.
Addresses in the .192 Mask Table D-5 lists valid addresses for the .192 subnet mask. This mask permits up to 4 subnets with enough host addresses for 62 hosts per subnet.
Table D-5 .192 Network Mask Addresses (subnet number: network address, starting host address, ending host address, broadcast address)
1: .0, .1, .62, .63
2: .64, .65, .126, .127
3: .128, .129, .190, .191
4: .192, .193, .254, .255
Addresses in the .
Table D-7 .240 Network Mask Addresses (continued) (subnet number: network address, starting host address, ending host address, broadcast address)
4: .48, .49, .62, .63
5: .64, .65, .78, .79
6: .80, .81, .94, .95
7: .96, .97, .110, .111
8: .112, .113, .126, .127
9: .128, .129, .142, .143
10: .144, .145, .158, .159
11: .160, .161, .174, .175
12: .176, .177, .190, .191
13: .192, .193, .206, .207
14: .208, .209, .222, .223
15: .224, .225, .
Table D-8 .248 Network Mask Addresses (continued) (subnet number: network address, starting host address, ending host address, broadcast address)
15: .112, .113, .118, .119
16: .120, .121, .126, .127
17: .128, .129, .134, .135
18: .136, .137, .142, .143
19: .144, .145, .150, .151
20: .152, .153, .158, .159
21: .160, .161, .166, .167
22: .168, .169, .174, .175
23: .176, .177, .182, .183
24: .184, .185, .190, .191
25: .192, .193, .198, .
Table D-9 .252 Network Mask Addresses (continued) (subnet number: network address, starting host address, ending host address, broadcast address)
10: .36, .37, .38, .39
11: .40, .41, .42, .43
12: .44, .45, .46, .47
13: .48, .49, .50, .51
14: .52, .53, .54, .55
15: .56, .57, .58, .59
16: .60, .61, .62, .63
17: .64, .65, .66, .67
18: .68, .69, .70, .71
19: .72, .73, .74, .75
20: .76, .77, .78, .79
21: .80, .81, .82, .83
22: .84, .85, .
Table D-9 .252 Network Mask Addresses (continued) (subnet number: network address, starting host address, ending host address, broadcast address)
45: .176, .177, .178, .179
46: .180, .181, .182, .183
47: .184, .185, .186, .187
48: .188, .189, .190, .191
49: .192, .193, .194, .195
50: .196, .197, .198, .199
51: .200, .201, .202, .203
52: .204, .205, .206, .207
53: .208, .209, .210, .211
54: .212, .213, .214, .215
55: .216, .217, .218, .
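As an added example (not part of the Cisco guide), the script below generates the rows of the subnet tables above for any last-octet mask (.128 through .252) and implements the two checks "Uses for Subnet Information" asks for: that two addresses sit in the same subnet, and that a host address is not accidentally the network or broadcast address. It goes beyond the tables by accepting any full dotted mask, not only the last-octet ones; the function names and the sample addresses in the usage lines are this example's own assumptions.

```python
"""Subnet table generation and network/host/broadcast classification.

Added example, not Cisco code.  Function names are this example's own.
"""
import ipaddress


def subnet_table(mask_octet):
    """Rows of (subnet_number, network, first_host, last_host, broadcast) as
    last-octet values for the mask 255.255.255.<mask_octet>, matching the
    layout of Tables D-5 to D-9."""
    size = 256 - mask_octet                  # addresses per subnet
    if size < 4 or size & (size - 1):        # need a power of two with >= 2 hosts
        raise ValueError("mask octet must be one of 128, 192, 224, 240, 248, 252")
    rows = []
    for number, net in enumerate(range(0, 256, size), 1):
        rows.append((number, net, net + 1, net + size - 2, net + size - 1))
    return rows


def usable_hosts(mask_octet):
    """Host addresses per subnet (network and broadcast excluded)."""
    return (256 - mask_octet) - 2


def classify(address, mask):
    """'network', 'broadcast' or 'host' for address under a dotted mask."""
    net = ipaddress.ip_network(f"{address}/{mask}", strict=False)
    addr = ipaddress.ip_address(address)
    if addr == net.network_address:
        return "network"
    if addr == net.broadcast_address:
        return "broadcast"
    return "host"


def same_subnet(addr_a, addr_b, mask):
    """True when both addresses fall in the same subnet under the mask."""
    return (ipaddress.ip_network(f"{addr_a}/{mask}", strict=False)
            == ipaddress.ip_network(f"{addr_b}/{mask}", strict=False))


if __name__ == "__main__":
    # Usage with constructed addresses drawn from the appendix examples.
    for row in subnet_table(192):
        print("subnet %d: network .%d, hosts .%d-.%d, broadcast .%d" % row)
    print(classify("209.165.201.31", "255.255.255.224"))   # broadcast of the .0/27 block
    print(same_subnet("209.165.201.1", "209.165.201.33", "255.255.255.224"))
```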
A P P E N D I X E Supported VPN Standards and Security Proposals This appendix lists the VPN standards supported by PIX Firewall. It contains the following sections: • IPSec, page E-1 • Internet Key Exchange (IKE), page E-2 • Certification Authorities (CA), page E-3 • Supported Easy VPN Proposals, page E-3 • IPSec—IP Security Protocol. IPSec is a framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers.
Appendix E Supported VPN Standards and Security Proposals Internet Key Exchange (IKE) • ESP—Encapsulating Security Payload. A security protocol that provides data privacy services and optional data authentication, and anti-replay services. ESP encapsulates the data to be protected. The ESP protocol (RFC 2406) allows for the use of various cipher algorithms and (optionally) various authentication algorithms.
Appendix E Supported VPN Standards and Security Proposals Certification Authorities (CA) Certification Authorities (CA) IKE interoperates with the following standard: X.509v3 certificates—Used with the IKE protocol when authentication requires public keys. Certificate support that allows the IPSec-protected network to scale by providing the equivalent of a digital ID card to each device.
Table E-1 Easy VPN Client IKE (Phase 1) Proposals (continued) (proposal name: authentication mode, authentication algorithm, encryption algorithm, Diffie-Hellman group)
IKE-AES192-SHA: Preshared Keys, SHA/HMAC-160, AES-192, Group 2 (1024 bits)
IKE-AES256-MD5: Preshared Keys, MD5/HMAC-128, AES-256, Group 2 (1024 bits)
IKE-AES256-SHA: Preshared Keys, SHA/HMAC-160, AES-256, Group 2 (1024 bits)
CiscoVPNClient-3DES-MD5-RS
Table E-1 Easy VPN Client IKE (Phase 1) Proposals (continued) (proposal name: authentication mode, authentication algorithm, encryption algorithm, Diffie-Hellman group)
IKE-DES-MD5-RSA-DH1: RSA Digital Certificate, MD5/HMAC-128, DES-56, Group 1 (768 bits)
IKE-3DES-MD5-RSA-DH5: RSA Digital Certificate, MD5/HMAC-128, 3DES-168, Group 5 (1536 bits)
IKE-3DES-SHA-RSA-DH5: RSA Digital Certificate, SHA/HMAC-160, 3DES-168, Grou