© 2003, Cisco Systems, Inc. All rights reserved. CSPFA 3.115-1 Chapter 15 System Maintenance.


Objectives

Upon completion of this chapter, you will be able to perform the following tasks:
- Configure Telnet access to the PIX Firewall console.
- Configure SSH access to the PIX Firewall console.
- Configure command authorization.
- Recover PIX Firewall passwords using general password recovery procedures.
- Use TFTP to install and upgrade the software image on the PIX Firewall.

Remote Access

Configuring Telnet Access to the PIX Firewall Console

telnet ip_address [netmask] [if_name]
    Specifies which hosts can access the PIX Firewall console via Telnet.
telnet timeout minutes
    Sets the maximum time a console Telnet session can be idle before being logged off by the PIX Firewall.
passwd password [encrypted]
    Sets the password for Telnet access to the PIX Firewall.

Example:
    pixfirewall(config)# telnet inside
    pixfirewall(config)# telnet timeout 15
    pixfirewall(config)# passwd telnetpass

Viewing and Disabling Telnet

show telnet
    Displays IP addresses permitted to access the PIX Firewall via Telnet.
who [local_ip]
    Enables you to view which IP addresses are currently accessing the PIX Firewall console via Telnet.
kill telnet_id
    Terminates a Telnet session.
clear telnet
    Removes Telnet access from a previously authorized IP address.

SSH Connections to the PIX Firewall

SSH connections to the PIX Firewall:
- Provide secure remote access.
- Provide strong authentication and encryption.
- Require RSA key pairs for the PIX Firewall.
- Require DES or 3DES activation keys.
- Allow up to five SSH clients to simultaneously access the PIX Firewall console.
- Use the Telnet password for local authentication.

Configuring SSH Access to the PIX Firewall Console

ca zeroize rsa
    Removes any previously generated RSA keys.
ca save all
    Saves the CA state.
domain-name name
    Configures the domain name.
ca generate rsa key | specialkey key_modulus_size
    Generates an RSA key pair.
ssh ip_address [netmask] [interface_name]
    Specifies the host or network authorized to initiate an SSH connection.
ssh timeout mm
    Specifies how long a session can be idle before being disconnected.

Connecting to the PIX Firewall with an SSH Client

    pixfirewall(config)# ca zeroize rsa
    pixfirewall(config)# ca save all
    pixfirewall(config)# domain-name cisco.com
    pixfirewall(config)# ca generate rsa key 768
    pixfirewall(config)# ca save all
    pixfirewall(config)# ssh outside
    pixfirewall(config)# ssh timeout 30

(Figure: the SSH client on the outside connects with username pix and the Telnet password, shown as telnetpassword.)

Viewing, Disabling, and Debugging SSH

show ssh sessions [ip_address]
    Enables you to view the status of your SSH sessions.
ssh disconnect session_id
    Disconnects an SSH session.
clear ssh
    Removes all SSH command statements from the configuration.
debug ssh
    Enables SSH debugging.

Command Authorization

Command Authorization Overview

Command authorization is characterized by the following:
- Its purpose is to securely and efficiently administer the PIX Firewall.
- It has the following types:
  – Enable-level command authorization with passwords.
  – Command authorization using the local user database.
  – Command authorization using ACS.

Enable-Level Command Authorization

To configure and use enable-level command authorization, complete the following tasks:
- Use the enable command to create privilege levels and assign passwords to them.
- Use the privilege command to assign specific commands to privilege levels.
- Use the aaa authorization command to enable the command authorization feature.
- Use the enable command to access the desired privilege level.

Create and Password-Protect Your Privilege Levels

enable password pw [level priv_level] [encrypted]
    Configures enable passwords for the various privilege levels.
enable [priv_level]
    Provides access to a particular privilege level from the > prompt.

Example:
    pixfirewall(config)# enable password Passw0rD level 10
    pixfirewall> enable 10
    Password: Passw0rD
    pixfirewall#

Assign Commands to Privilege Levels and Enable Command Authorization

privilege [show | clear | configure] level level [mode enable | configure] command command
    Configures user-defined privilege levels for PIX Firewall commands.
aaa authorization command LOCAL | tacacs_server_tag
    Enables command authorization.

Example:
    pixfirewall(config)# enable password Passw0rD level 10
    pixfirewall(config)# privilege show level 8 command access-list
    pixfirewall(config)# privilege configure level 10 command access-list
    pixfirewall(config)# aaa authorization command LOCAL

    pixfirewall> enable 10
    Password: Passw0rD
    pixfirewall# config t
    pixfirewall(config)# access-list...

Command Authorization Using the Local User Database

To configure and use command authorization with the local user database, complete the following tasks:
- Use the privilege command to assign specific commands to privilege levels.
- Use the username command to create user accounts in the local user database and assign privilege levels to the accounts.
- Use the aaa authorization command to enable command authorization.
- Use the aaa authentication command to enable authentication using the local database.
- Use the login command to log in and access privilege levels.

Creating User Accounts in the Local Database

username username nopassword | password password [encrypted] [privilege level]
    Configures the username for the specified privilege level.

Example:
    pixfirewall(config)# username admin password passw0rd privilege 15
    pixfirewall(config)# username kenny password chickadee privilege 14

Configuring Authentication with the Local Database

aaa authentication [serial | enable | telnet | ssh | http] console group_tag
    Enables user authentication.

Example:
    pixfirewall(config)# privilege configure level 10 command access-list
    pixfirewall(config)# username kenny password chickadee privilege 10
    pixfirewall(config)# aaa authorization command LOCAL
    pixfirewall(config)# aaa authentication enable console LOCAL

    pixfirewall> login
    Username: kenny
    Password: chickadee
    pixfirewall# config t
    pixfirewall(config)# access-list...

Command Authorization Using ACS

To configure and use ACS command authorization, complete the following tasks:
- Create a user profile on the TACACS+ server with all the commands that the user is permitted to execute.
- Use the aaa-server command to specify the TACACS+ server.
- Use the aaa authentication command to enable authentication with a TACACS+ server.
- Use the aaa authorization command to enable command authorization with a TACACS+ server.

aaa authorization Command for Command Authorization with ACS

aaa authorization command LOCAL | tacacs_server_tag
    Enables command authorization.

Example:
    pixfirewall(config)# aaa-server MYTACACS protocol tacacs+
    pixfirewall(config)# aaa-server MYTACACS (inside) host thekey timeout 20
    pixfirewall(config)# aaa authentication enable console MYTACACS
    pixfirewall(config)# aaa authorization command MYTACACS

Viewing Your Command Authorization Configuration

show privilege [all | command command | level level]
    Displays the privileges for a command or set of commands.
show curpriv
    Displays the user account that is currently logged in.

Lockout

    pixfirewall(config)# privilege configure level 10 command access-list
    pixfirewall(config)# username kenny password chickadee privilege 10
    pixfirewall(config)# aaa authorization command LOCAL
    pixfirewall(config)# aaa authentication enable console LOCAL

    pixfirewall> login
    Username: kenny
    Password: chickadee
    pixfirewall# config t
    pixfirewall(config)# access-list...
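The privilege-level rules described in the enable-level and local-database slides above (privilege assignments, hierarchical levels, user accounts) are easy to get wrong when combining them by hand, and the Lockout slide shows a configuration worth checking before it is committed. The following added example is not Cisco code or part of the course: it models the PIX authorization logic in Python from the chapter's own statements and answers which level a command needs and whether a given account may run it. Assumptions, labelled in the code: commands not named in any privilege statement require level 15; a session at level N may run anything assigned to a level at or below N; a username without the privilege keyword defaults to level 2; the lockout check (no local account at level 15 while console authentication uses LOCAL) is the author's safeguard, not a rule stated on the slides. The sample configuration is composed from the lines on the slides.

```python
"""Model of PIX Firewall privilege-level command authorization.

Added example for this chapter, not Cisco code. It parses the 'enable
password', 'privilege', 'username', and 'aaa' statements shown on the
slides and answers: which level does a command need, and may a given
user (or a session at a given enable level) run it?
"""
import re
from dataclasses import dataclass, field

DEFAULT_LEVEL = 15      # assumption: commands without a privilege statement need full privilege
DEFAULT_USER_LEVEL = 2  # assumption: username without 'privilege' keyword

_PROMPT = re.compile(r"^pixfirewall(?:\([^)]*\))?[#>]\s*")   # strips 'pixfirewall(config)# '
_PRIV = re.compile(
    r"^privilege\s+(show|clear|configure)\s+level\s+(\d+)"
    r"(?:\s+mode\s+(?:enable|configure))?\s+command\s+(\S+)$")
_USER = re.compile(
    r"^username\s+(\S+)\s+(?:nopassword|password\s+\S+)(?:\s+encrypted)?"
    r"(?:\s+privilege\s+(\d+))?$")
_ENABLE = re.compile(r"^enable\s+password\s+\S+(?:\s+level\s+(\d+))?(?:\s+encrypted)?$")


@dataclass
class AuthzModel:
    privileges: dict = field(default_factory=dict)   # (form, command) -> level
    users: dict = field(default_factory=dict)        # username -> privilege level
    enable_levels: set = field(default_factory=set)  # levels that have an enable password
    command_authz: bool = False                      # 'aaa authorization command ...' present
    local_authn: bool = False                        # 'aaa authentication ... console LOCAL' present


def parse_config(text):
    """Build an AuthzModel from configuration lines (prompt prefixes are ignored)."""
    model = AuthzModel()
    for raw in text.splitlines():
        line = _PROMPT.sub("", raw.strip())
        if (m := _PRIV.match(line)):
            model.privileges[(m.group(1), m.group(3))] = int(m.group(2))
        elif (m := _USER.match(line)):
            model.users[m.group(1)] = int(m.group(2)) if m.group(2) else DEFAULT_USER_LEVEL
        elif (m := _ENABLE.match(line)):
            model.enable_levels.add(int(m.group(1)) if m.group(1) else 15)
        elif line.startswith("aaa authorization command"):
            model.command_authz = True
        elif line.startswith("aaa authentication") and line.endswith("console LOCAL"):
            model.local_authn = True
    return model


def required_level(model, form, command):
    """Level needed to run `command` in its show, clear, or configure form."""
    return model.privileges.get((form, command), DEFAULT_LEVEL)


def is_authorized(model, level, form, command):
    """Hierarchical check: a session at `level` may run commands assigned at or below it."""
    return level >= required_level(model, form, command)


def user_can(model, username, form, command):
    """Authorization decision for a local-database account; unknown accounts are denied."""
    level = model.users.get(username)
    return level is not None and is_authorized(model, level, form, command)


def full_admins(model):
    """Local accounts whose level lets them run every command (level 15)."""
    return sorted(user for user, level in model.users.items() if level >= 15)


def lockout_risk(model):
    """Author's safeguard (assumption): console authentication points at the local
    database but no local account holds level 15, so nobody could reach full
    configuration mode after the change is committed."""
    return model.local_authn and not full_admins(model)


# Sample configuration composed from the chapter's slides.
SAMPLE_CONFIG = """
pixfirewall(config)# enable password Passw0rD level 10
pixfirewall(config)# privilege show level 8 command access-list
pixfirewall(config)# privilege configure level 10 command access-list
pixfirewall(config)# username admin password passw0rd privilege 15
pixfirewall(config)# username kenny password chickadee privilege 10
pixfirewall(config)# aaa authorization command LOCAL
pixfirewall(config)# aaa authentication enable console LOCAL
"""

if __name__ == "__main__":
    model = parse_config(SAMPLE_CONFIG)
    for user in model.users:
        for form, cmd in (("show", "access-list"), ("configure", "access-list"), ("configure", "nat")):
            verdict = "permit" if user_can(model, user, form, cmd) else "deny"
            print(f"{user:6} {form:9} {cmd:12} -> {verdict}")
    print("level-15 accounts:", full_admins(model), "| lockout risk:", lockout_risk(model))
```

With the sample configuration, kenny (level 10) may run show access-list (level 8) and access-list in configure mode (level 10) but not an unlisted configure-mode command such as nat (level 15 by the stated assumption); the admin account at level 15 keeps the lockout check clear. Removing the admin line, as in the Lockout slide, makes lockout_risk return True.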

SNMP

SNMP Overview

(Figure: a management station and a managed device, separated by the Internet, exchange Get, Set, and Response messages; the managed device sends Trap notifications.)

MIB Support

The Cisco Firewall MIB, Cisco Memory Pool MIB, and Cisco Process MIB provide the following PIX Firewall information through SNMP:
- Buffer use from the show block command.
- Connection count from the show conn command.
- CPU use through the show cpu usage command.
- Failover status.
- Memory use from the show memory command.

SNMP to the PIX Firewall

snmp-server host [if_name] ip_addr [trap | poll]
    Identifies the management station.
snmp-server community key
    Configures the SNMP community string, a shared secret among the NMS and the managed devices.
snmp-server enable traps
    Enables sending log messages as SNMP trap notifications.

Example:
    pixfirewall(config)# logging on
    pixfirewall(config)# logging history debugging
    pixfirewall(config)# snmp-server host inside
    pixfirewall(config)# snmp-server community OURCOMMUNITY
    pixfirewall(config)# snmp-server enable traps

SNMP Through the PIX Firewall

Traps outside to inside (managed device on the Internet, management station inside):
    pixfirewall(config)# static (inside,outside) netmask
    pixfirewall(config)# access-list TRAPSIN permit udp host host eq snmptrap
    pixfirewall(config)# access-group TRAPSIN in interface outside

Polling outside to inside (management station on the Internet, managed device inside):
    pixfirewall(config)# static (inside,outside) netmask
    pixfirewall(config)# access-list POLLIN permit udp host host eq snmp
    pixfirewall(config)# access-group POLLIN in interface outside
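The Telnet, SSH, and SNMP slides above each introduce a setting whose value decides how exposed the management plane is: which hosts and interfaces may reach the console, the shared passwd used by both Telnet and SSH, the RSA modulus, idle timeouts, and the SNMP community string. The following added example is not Cisco code or part of the course: it is a small Python audit that reads those statements from a configuration transcript and reports the weak choices a reviewer would flag, with a weak sample beside a corrected one. Assumptions, labelled in the code: the thresholds (Telnet idle 15 minutes and SSH idle 30 minutes, taken from the slide examples; RSA modulus at least 1024 bits), the factory-default Telnet password cisco, the well-known community strings public and private, and the constructed 10.0.1.0/24 sample addresses.

```python
"""Audit of management-plane settings in a PIX Firewall configuration.

Added example for this chapter, not Cisco code. It reads the telnet, ssh,
passwd, 'ca generate rsa key', and snmp-server statements discussed on the
slides and returns findings a reviewer would want raised.
"""
import re

_PROMPT = re.compile(r"^pixfirewall(?:\([^)]*\))?[#>]\s*")   # strips 'pixfirewall(config)# '
ANY_HOST = ("0.0.0.0", "0.0.0.0")          # address/mask pair meaning "any host"
WEAK_COMMUNITIES = {"public", "private"}   # well-known SNMP default community strings
DEFAULT_TELNET_PASSWORD = "cisco"          # PIX factory default for passwd
MIN_RSA_BITS = 1024                        # assumption: review threshold for the RSA modulus
IDLE_LIMITS = {"telnet_timeout": (15, "Telnet"), "ssh_timeout": (30, "SSH")}  # from slide examples


def parse_management(text):
    """Collect management-access statements from configuration lines into a dict."""
    cfg = {"telnet": [], "ssh": [], "telnet_timeout": None, "ssh_timeout": None,
           "passwd": None, "rsa_bits": None, "communities": [], "snmp_hosts": []}
    for raw in text.splitlines():
        parts = _PROMPT.sub("", raw.strip()).split()
        if not parts:
            continue
        if parts[0] == "telnet":
            if parts[1:2] == ["timeout"]:
                cfg["telnet_timeout"] = int(parts[2])
            else:
                cfg["telnet"].append(tuple(parts[1:]))      # (ip, mask, if_name)
        elif parts[0] == "ssh":
            if parts[1:2] == ["timeout"]:
                cfg["ssh_timeout"] = int(parts[2])
            elif parts[1:2] != ["disconnect"]:
                cfg["ssh"].append(tuple(parts[1:]))         # (ip, mask, if_name)
        elif parts[0] == "passwd":
            cfg["passwd"] = parts[1]
        elif parts[:3] == ["ca", "generate", "rsa"] and len(parts) > 4:
            cfg["rsa_bits"] = int(parts[4])                 # 'key' or 'specialkey' modulus
        elif parts[:2] == ["snmp-server", "community"]:
            cfg["communities"].append(parts[2])
        elif parts[:2] == ["snmp-server", "host"]:
            cfg["snmp_hosts"].append(tuple(parts[2:]))
    return cfg


def audit(text):
    """Return a list of (code, message) findings; an empty list means nothing flagged."""
    cfg = parse_management(text)
    findings = []
    for entry in cfg["telnet"]:
        if len(entry) >= 3 and entry[2] != "inside":
            findings.append(("TELNET_NOT_INSIDE",
                             f"cleartext Telnet permitted on interface {entry[2]} from {entry[0]}"))
        if entry[:2] == ANY_HOST:
            findings.append(("TELNET_ANY", "Telnet permitted from any host"))
    for entry in cfg["ssh"]:
        if entry[:2] == ANY_HOST:
            iface = entry[2] if len(entry) > 2 else "all interfaces"
            findings.append(("SSH_ANY", f"SSH permitted from any host on {iface}"))
    # The passwd value protects both Telnet and SSH local authentication.
    if (cfg["telnet"] or cfg["ssh"]) and cfg["passwd"] in (None, DEFAULT_TELNET_PASSWORD):
        findings.append(("DEFAULT_PASSWD", "Telnet/SSH password is unset or left at the factory default"))
    if cfg["rsa_bits"] is not None and cfg["rsa_bits"] < MIN_RSA_BITS:
        findings.append(("WEAK_RSA", f"RSA modulus of {cfg['rsa_bits']} bits is below {MIN_RSA_BITS}"))
    for community in cfg["communities"]:
        if community.lower() in WEAK_COMMUNITIES:
            findings.append(("WEAK_COMMUNITY", f"SNMP community '{community}' is a well-known default"))
    if cfg["snmp_hosts"] and not cfg["communities"]:
        findings.append(("NO_COMMUNITY", "SNMP management station configured without a community string"))
    for key, (limit, label) in IDLE_LIMITS.items():
        value = cfg[key]
        if value is not None and value > limit:
            findings.append((f"{label.upper()}_IDLE", f"{label} idle timeout {value} min exceeds {limit}"))
    return findings


# Constructed samples (addresses are made up for the example).
WEAK_CONFIG = """
pixfirewall(config)# telnet 10.0.1.0 255.255.255.0 inside
pixfirewall(config)# telnet 0.0.0.0 0.0.0.0 outside
pixfirewall(config)# telnet timeout 60
pixfirewall(config)# ssh 10.0.1.11 255.255.255.255 inside
pixfirewall(config)# ssh timeout 30
pixfirewall(config)# ca generate rsa key 768
pixfirewall(config)# snmp-server host inside 10.0.1.11
pixfirewall(config)# snmp-server community public
"""

HARDENED_CONFIG = """
telnet 10.0.1.0 255.255.255.0 inside
telnet timeout 15
passwd S3cretTelnetPw
ssh 10.0.1.11 255.255.255.255 inside
ssh timeout 30
ca generate rsa key 1024
snmp-server host inside 10.0.1.11
snmp-server community OURCOMMUNITY
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit(text))} finding(s)")
        for code, message in audit(text):
            print(f"  {code}: {message}")
```

Run against the weak sample the audit reports Telnet on the outside interface from any host, the missing passwd, the 768-bit RSA modulus, the public community string, and the 60-minute Telnet idle timeout; the hardened sample returns no findings.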

Management Tools

PIX Device Manager

PDM is a browser-based configuration tool designed to help configure and monitor your PIX Firewall.
(Figure: the browser reaches the PIX Firewall across the Internet through an SSL secure tunnel.)

Cisco Secure Policy Manager

PIX Management Center

Activation Keys

Entering a New Activation Key

activation-key activation-key-four-tuple
    Updates the activation key on your PIX Firewall.

Example:
    pixfirewall(config)# activation-key 0x xabcdef01 0x ab 0xcdef01234

Upgrading the Image and the Activation Key

To upgrade the image and the activation key at the same time, complete the following steps:
Step 1: Install the new image.
Step 2: Reboot the system.
Step 3: Update the activation key.
Step 4: Reboot the system.

Troubleshooting the Activation Key Upgrade

Message: The activation key you entered is the same as the Running key.
Problem and Resolution: Either the activation key has already been upgraded or you need to enter a different key.

Message: The Flash image and the Running image differ.
Problem and Resolution: Reboot the PIX Firewall and re-enter the activation key.

Message: The activation key is not valid.
Problem and Resolution: Either you made a mistake entering the activation key or you need to obtain a valid activation key.

Password Recovery and Image Upgrade

Password Recovery

- Download the following file from CCO: npXX.bin (where XX = the PIX Firewall image version number).
- Reboot the system and break the boot process when prompted to go into monitor mode.
- Set the interface, IP address, gateway, server, and file to tftp the previously downloaded image.
- Follow the directions displayed.

Image Upgrade

copy tftp[:[[//location][/tftp_pathname]]] flash[:[image | pdm]]
    Enables you to change software images without accessing the TFTP monitor mode. The TFTP server at the specified IP address receives the command and determines the actual file location from its root directory information. The server then downloads the TFTP image to the PIX Firewall.

Example:
    pixfirewall(config)# copy tftp:// /pix611.bin flash

Summary

- SSH provides secure remote management of the PIX Firewall.
- TFTP is used to upgrade the software image on PIX Firewalls.
- You can configure three different types of command authorization: enable-level with password, local command authorization, and ACS command authorization.
- The PIX Firewall can be configured to permit multiple users to access its console simultaneously via Telnet.
- You can enable Telnet to the PIX Firewall on all interfaces.
- Password recovery for the PIX Firewall requires a TFTP server.

Lab Exercise

Lab Visual Objective

(Figure: per pod, a Student PC running an SSH client and a TFTP server sits behind the PIX Firewall; addresses are labelled Local 10.0.P.11 / Remote 10.1.P.11 for Pods 1–5 and Local 10.0.Q / Remote 10.1.Q.11 for Pods 6–; other labels are RTS .100, RBB, Web, and FTP.)