Shun Example

A host at 172.21.4.8 is discovered to be involved in malicious activity. (In this example, only a Telnet connection is shown for simplicity.) A shun will be configured on the firewall to stop any current or future connections involving that host. First, look at an active connection involving 172.21.4.8:

TCP out 172.21.4.8:4334 in 192.168.199.100:23 idle 0:00:04 Bytes 138 flags UIOB

It does have at least one active connection, so a shun is put into place:

Firewall# shun...
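The step the text describes by hand (find every active connection of the offending host, then shun it) is easy to get wrong on a busy firewall, so here is an added helper that is not part of the book: it parses `show conn` lines in the PIX 6.3 format shown above and emits the shun commands. The sample connections are constructed; only the first line is the Telnet connection from the text. It assumes the shun syntax `shun src_ip [dst_ip sport dport [protocol]]`: the five-tuple form tears down the matching existing connection, and the bare `shun src_ip` blocks all new traffic from the host.

```python
import re
from dataclasses import dataclass

# Constructed sample of "show conn" output (PIX 6.3 style). Only the first
# line is the Telnet connection shown in the text; the rest are made up.
SAMPLE_SHOW_CONN = """\
TCP out 172.21.4.8:4334 in 192.168.199.100:23 idle 0:00:04 Bytes 138 flags UIOB
TCP out 172.21.4.8:4410 in 192.168.199.100:80 idle 0:01:12 Bytes 9120 flags UIO
UDP out 10.9.9.9:53 in 192.168.199.50:1025 idle 0:00:01 flags -
TCP out 172.21.4.8:4500 in 192.168.199.101:22 idle 0:00:10 Bytes 0 flags UB
"""

# "Bytes" is absent on UDP entries, so it is optional here.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+out\s+(?P<out_ip>[\d.]+):(?P<out_port>\d+)"
    r"\s+in\s+(?P<in_ip>[\d.]+):(?P<in_port>\d+)"
    r"\s+idle\s+(?P<idle>[\d:]+)"
    r"(?:\s+Bytes\s+(?P<nbytes>\d+))?"
    r"\s+flags\s+(?P<flags>\S+)\s*$"
)


@dataclass(frozen=True)
class Conn:
    proto: str
    out_ip: str
    out_port: int
    in_ip: str
    in_port: int
    flags: str

    def involves(self, host):
        return host in (self.out_ip, self.in_ip)


def parse_conns(text):
    """Turn raw 'show conn' output into Conn records; unparseable lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            conns.append(Conn(m["proto"], m["out_ip"], int(m["out_port"]),
                              m["in_ip"], int(m["in_port"]), m["flags"]))
    return conns


def shun_commands(host, conns):
    """Build the shun commands for `host`.

    One five-tuple shun per existing connection drops that connection
    (assumed syntax: shun src dst sport dport proto), followed by the bare
    `shun host`, which blocks every new connection from the host on the
    interface where it sits. The bare form alone would leave the existing
    connections running.
    """
    cmds = []
    for c in conns:
        if not c.involves(host):
            continue
        if c.out_ip == host:
            dst, sport, dport = c.in_ip, c.out_port, c.in_port
        else:
            dst, sport, dport = c.out_ip, c.in_port, c.out_port
        cmds.append(f"shun {host} {dst} {sport} {dport} {c.proto.lower()}")
    cmds.append(f"shun {host}")
    return cmds


if __name__ == "__main__":
    for cmd in shun_commands("172.21.4.8", parse_conns(SAMPLE_SHOW_CONN)):
        print(cmd)
```

The output is a paste-ready block of commands; `show shun` afterwards confirms the entries, and `no shun 172.21.4.8` removes them. Because shuns never appear in the running configuration, keep the generated commands with the incident record, not in the config.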

Info

Replicating ACEs might become cumbersome if you continue to add even more DMZ hosts that need the same rules. Even worse, what if you begin adding hosts on the inside that need to receive the same types of traffic from the DMZ hosts? Instead, you can use object groups to work smarter. Define one network object group for the DMZ hosts and another for the inside hosts:

Firewall(config)# object-group network dmz_hosts
Firewall(config-network)# network-object host 10.1.1.1
Firewall(config-network)# ...

PIX

Firewall(config)# routing interface if_name
The firewall interface named if_name (inside or outside, for example) is configured for OSPF parameters.

Firewall(config-if)# ospf authentication-key key
Firewall(config-if)# ospf message-digest-key key-id md5 key
Firewall(config-if)# ospf authentication message-digest
If authentication has been enabled for an OSPF area, you must also set up the authentication key on each interface in that area. For simple cleartext authentication, use the...


PIX 6.3

Firewall# show xlate [detail] [global | local ip1[-ip2] [netmask mask]] [lport | gport port[-port]] [interface if1[,if2][,ifn]] [state static | dump | portmap | norandomseq | identity] [debug] [count]
Firewall# show xlate [global | local ip1[-ip2] [netmask mask]] [lport | gport port[-port]] [interface if1[,if2][,ifn]] [state static | portmap | identity | norandomseq] [debug] [detail]
Remember that with xlate entries, global represents the translated address on the lower-security interface, and local is the address on the higher-security interface. Use any...

Checking Failover Operation

If you have a failover pair of firewalls, you should periodically check to see that the failover mechanisms are actually working properly. Use the techniques described in the following sections to gauge the failover performance. First, you should verify that the active failover unit is indeed the one you are expecting. When a failover pair is initially configured for failover, only one of them becomes the active unit. The other assumes the standby (passive) mode. If a failover occurs, the two...

IOS FWLB Configuration Notes

IOS FWLB is configured in two halves. One FWLB device must be placed on the outside of the firewall farm, and another is placed on the inside. Each FWLB device distributes connections toward the firewall. Therefore, the outside FWLB balances connections going into the firewall farm's outside interfaces (inbound). The inside FWLB acts similarly for connections going into the firewall farm's inside interfaces (outbound). Figure 9-2 illustrates this by showing two separate IOS FWLB devices on the...

IOS FWLB Configuration

You can use the following steps to configure IOS FWLB on one device. Remember that FWLB requires a load-balancing device on each side of the firewall farm. Be sure to repeat the entire configuration process for the outside and inside IOS FWLB platforms.

1. Define connectivity away from the firewall farm:
Router(config)# vlan vlan-id
Router(config)# interface vlan vlan-id
Router(config-if)# ip address ip-address subnet-mask
Router(config-if)# no shutdown
The FWLB must be able to route packets to and...

Managing the Flash File System

Every Cisco firewall has a flash (nonvolatile) memory file system. Files such as the firewall operating system image, a firewall management application image, and the firewall configuration can be stored for use. This section discusses the various types of files and how to navigate and use the flash file system. The flash file system can be characterized by the following features The operating system for Cisco firewalls is stored in flash memory in a compressed format. In PIX 6.3 or earlier,...

FWLB

Comparison of an active-standby failover pair with a firewall load-balancing (FWLB) farm:

Traffic inspection
  Failover pair: Only one of the pair actively inspects traffic at any time.
  FWLB farm:     All units can inspect traffic at the same time.
Scalability
  Failover pair: None.
  FWLB farm:     Proportional to the number of firewall units. In theory, each can be used to its full capacity with ideal load balancing.
Load balancing
  Failover pair: None. The active unit inspects all connections.
  FWLB farm:     Connections are assigned to firewalls according to a hash function.
Behavior when a firewall fails
  Failover pair: No traffic is forwarded or inspected by the failed unit. All connections shift to the standby firewall.
  FWLB farm:     New connections are assigned to other...

Configuring IPv6 on an Interface

Beginning with ASA 7.0, firewall interfaces can be configured with an IPv6 address in addition to a traditional IPv4 address. IPv6 addresses are 128 bits long, much longer than a 32-bit IPv4 address. As well, the IPv6 address format is very different and can be written in the following ways. In full hexadecimal format, the address is written as eight groups of four hexadecimal digits, with colons separating the groups. For example, 1111:2222:3333:4444:5555:6666:7777:8888 represents a single IPv6...

FWLB in Hardware Configuration Notes

One FWLB device must be placed on the outside of the firewall farm, and another is placed on the inside. Each FWLB device distributes connections toward the firewall. Therefore, the outside FWLB balances connections going into the firewall farm's outside interfaces (inbound). The inside FWLB acts similarly for connections going into the firewall farm's inside interfaces (outbound). The CSM is configured differently from IOS FWLB because it supports only generic...

Configuring a Firewall as an Auto Update Client

Use the following steps to configure a firewall as an Auto Update client, so that it can periodically poll an AUS for new image and configuration files. 1. Make sure an AUS is available. The firewall should be defined in the AUS, and the new image or configuration file should be assigned to or associated with it. As soon as you load an image or configuration file into the AUS and associate it to a firewall, the firewall client can download and begin using the file the very next time it polls...


Using Routing Information to Prevent IP Address Spoofing

A packet's destination address normally is used to determine how it gets forwarded. If the destination address can be found in the routing table, the firewall can forward the packet out the appropriate interface to the destination or to a next-hop router. Packet forwarding seems straightforward, but it makes certain assumptions about a packet and its sender. For example, the address or location of a packet's source normally is not part of the forwarding decision. That might be fine if all...
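The reverse-path check this section leads up to is a lookup of the packet's source address, not its destination: the packet is accepted only if the route for its source points back out the interface it arrived on. The following added example (mine, not from the book) implements that check over a constructed routing table so the effect of longest-prefix matching and of the default route can be seen before turning it on with `ip verify reverse-path interface if_name`.

```python
import ipaddress

# Constructed routing table (not from the book): (prefix, egress interface).
# The default route points to the ISP on the outside interface.
ROUTES = [
    ("0.0.0.0/0", "outside"),
    ("10.1.0.0/16", "inside"),
    ("10.1.200.0/24", "dmz"),        # more specific than 10.1.0.0/16
    ("192.168.100.0/24", "dmz"),
]


def build_table(routes):
    """Sort longest prefix first so the first hit in lookup() is the best match."""
    table = [(ipaddress.ip_network(prefix), ifc) for prefix, ifc in routes]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def lookup(table, addr):
    """Return the egress interface the firewall would use to reach addr, or None."""
    ip = ipaddress.ip_address(addr)
    for net, ifc in table:
        if ip in net:
            return ifc
    return None


def rpf_check(table, src, ingress):
    """Strict reverse-path check, as enabled per interface with
    `ip verify reverse-path interface <ingress>`.

    Returns (accepted, reason). The *source* address is looked up; if the
    route for it does not point out the ingress interface, the packet is
    treated as spoofed and dropped. No route at all also means drop.
    """
    via = lookup(table, src)
    if via is None:
        return False, f"no route for source {src}; dropped"
    if via != ingress:
        return False, (f"source {src} is routed via {via} but arrived on "
                       f"{ingress}; dropped as spoofed")
    return True, f"source {src} is reachable via {ingress}; forwarded"


def audit(table, packets):
    """Run the check over (src, ingress) pairs and return the failures with reasons."""
    failures = []
    for src, ingress in packets:
        ok, why = rpf_check(table, src, ingress)
        if not ok:
            failures.append((src, ingress, why))
    return failures


if __name__ == "__main__":
    table = build_table(ROUTES)
    packets = [
        ("10.1.5.5", "outside"),      # inside address arriving from the Internet
        ("203.0.113.7", "outside"),   # matched only by the default route
        ("10.1.5.5", "inside"),       # legitimate inside host
        ("10.1.200.9", "inside"),     # DMZ address arriving on inside
        ("192.168.100.9", "dmz"),
    ]
    for src, ingress, why in audit(table, packets):
        print(f"DROP {src} on {ingress}: {why}")
```

Note what the default route does: on the outside interface every source that is not an internal prefix matches 0.0.0.0/0 via outside and passes, so the check there only catches packets claiming an inside or DMZ address. On the inside interface the default route works the other way and drops any source the firewall would reach through the outside.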

ASA

Firewall(config-pmap-c)# set connection {[conn-max n] [embryonic-conn-max n] [per-client-embryonic-max n] [per-client-max n] [random-sequence-number {enable | disable}]}
By default, an unlimited number of simultaneous UDP and TCP connections are allowed across an address translation. The set connection command can be used in a policy map to set connection limits on traffic to and from specific hosts. The connection limits configured with set connection are very similar to the limits set in address translation...

Manually Upgrading a Failover Pair

In an active-standby pair, only one firewall is active, and both units must be running identical software releases. The only exception is during a zero downtime upgrade, where the firewalls might be running images with incrementally different release numbers. In a nutshell, as long as one of the two firewalls is operating in active mode, it continues inspecting traffic and updating state information (connections, translations, and so on) to the standby unit. The idea is to juggle the active and...

You can use the default signature definition sig0 as-is, or you can make changes to individual signatures within sig0. Also, you can create your own customized signature definition based on sig0. To create a new definition, select Signature Definitions in the scrolling list and then select sig0 under Policy Name. You can click on the Clone button to make a copy of an existing signature definition or click on the Add button to create a new copy of sig0 with an arbitrary name. Each signature used...

Issues with Sharing Context Interfaces

If you decide to share the inside context interfaces, you should be aware of a classifier limitation. Consider the arrangement shown in Figure 4-5, where Contexts A and B share their inside interfaces. Figure 4-5. Example of Sharing Inside Context Interfaces The classifier must examine packets entering from the inside networks to decide which context should receive them. A search is made to find the packet destination addresses in the context xlate tables. In particular, the classifier can find...

Checking System Resources

A firewall inspects traffic and performs its functions by using a combination of system resources. From a hardware standpoint, these resources are very straightforward and include the CPU and system memory. The following sections analyze these resources. You get a general idea about the processing load on a Cisco firewall by using the show cpu usage command. For example, the following firewall appliance has a 5-second average of 27 percent. The command output also shows that the CPU is under a...

Appendix B Security Appliance Logging Messages

This appendix covers all the possible messages a firewall can generate. It can serve as a quick reference so that you can look up messages that are associated with the different severity levels. Cisco firewall logging messages are listed in this section grouped according to their default severity level (1 to 7). Severity level 0, Emergencies, exists but is never used by Cisco firewalls. Historically, these messages have been associated with UNIX systems and are sent only...

Analyzing Firewall Logs

The most important thing you can do with a firewall is collect and analyze its Syslog information. Firewall logs should be inspected on a regular basis. Always make sure the Syslog collector or server is configured to archive older information and that disk space is not completely consumed. The Syslog collector or server should be sized according to the following parameters The number of firewalls and other network devices sending Syslog messages to the Syslog server The number of Syslog events...

User Interface

A Cisco firewall, like any other networking device, offers several ways for the administrative user to connect to and interact with the firewall. Users usually need to make changes to the firewall's security policies and configuration, monitor firewall activity, and troubleshoot traffic handling. All interaction with a firewall is based on a common user interface, which can be described as follows. A Cisco firewall supports user access by these methods:
- Command-line interface (CLI) by an...

Figure: ICMP packet handling through the firewall (PIX 7.0). One reply received; no other replies are accepted. ICMP idle timeout (fixed 2 seconds); ICMP idle timeout (fixed 30 seconds).

Host PC-1 sends an ICMP packet to host PC-2. The firewall needs an xlate entry for one or both of the hosts. This is created from either a static xlate or a dynamic assignment, depending on the configuration. The ICMP packet must also be permitted by any ACL that is applied to the firewall interface toward PC-1. As an example of...

Relaying DHCP Requests to a DHCP Server

Follow these steps to configure a firewall to act as a DHCP relay:

1. Define a real DHCP server:
Firewall(config)# dhcprelay server dhcp_server_ip server_ifc
A real DHCP server can be found at IP address dhcp_server_ip on the firewall interface named server_ifc (inside, for example). You can repeat this command to define up to four real DHCP servers. When DHCP requests (broadcasts) are received on one firewall interface, they are converted to UDP port 67 unicasts destined for the real DHCP servers...

Favoring Static Routes Based on Reachability

Normally, if a static route is configured, it stays active until it is manually removed. A static route is simply an unchanging definition of a next-hop destination, regardless of whether that destination is reachable. If a single ISP is the sole means of reaching the outside world, a static default route works nicely to point all outbound traffic to the ISP's gateway address. Suppose you had connections to two ISPs; one might be favored over the other, but the default routes to each ISP are...

Active-Standby Failover Example with PIX Firewalls

Figure 8-7 shows the IP addresses of each interface. The addresses of the standby unit interfaces are also given. Stateful failover is used so that connection state information is passed to the standby unit in real time. An example of failover using the serial failover cable is shown first, followed by a LAN-based failover scenario. Following the failover guidelines, a separate VLAN or switch is used for stateful failover (the stateful interface) and for LAN-based failover (the lanfo interface)...

Authenticating and Authorizing Generic Users

Generic user authentication is performed using only passwords. Users are authorized to perform certain actions based on the privilege level that they are permitted to use. Passwords can be defined for the two default privilege levels, 0 and 15, as well as other arbitrary levels, using the following configuration steps:

1. Set the unprivileged mode password:
ASA, FWSM: Firewall(config)# {passwd | password} password [encrypted]
PIX 6.3: Firewall(config)# {passwd | password} password
The generic user at privilege...

OSPF

Figure: LSAs exchanged with inside neighbors; inside networks can be redistributed toward the outside (filter with a route map); outside networks can be redistributed toward the inside.

A Cisco firewall can run up to two unique OSPF processes, which makes this scenario possible. Each one runs under a different process ID or number. On the outside, LSAs are exchanged with other neighboring routers. On the inside, a different set of LSAs is exchanged with internal neighbors. By default, no routing...

Application Inspection

A stateful firewall can easily examine the source and destination parameters of packets passing through it. Many applications use protocols that also embed address or port information inside the packet, requiring special handling for examination. Application inspection allows a firewall to dig inside the packets used by certain applications. The firewall can find and use the embedded information in its stateful application layer inspection engines. Embedded address information can also become...

Cisco firewalls can report traffic throughput on each interface through the command-line interface (CLI). This can be handy if you are connected to a firewall over a console, Telnet, or Secure Shell (SSH) session, and you want to check the throughput. The firewall keeps running counters of input and output data on each interface while it is operational. These counters begin at bootup or at the last counter reset, and they accumulate until you issue the command to display them. The firewall also...

FWSM

Firewall> pager
Firewall> clear pager
Firewall> show pager

Local user authorization is configured using the following steps:

1. (Optional) Display the current privilege levels for commands:
ASA, FWSM: Firewall# show privilege [all | command command | level level]
PIX 6.3: Firewall# show privilege [all | command command | level level]
You can see the current privilege level configured for all possible firewall commands, or for only a single command command (only the first keyword). You can also see all the...

Recovering a PIX Password

On a PIX platform, a password recovery utility must be downloaded to the firewall from a TFTP server. This procedure is very similar to upgrading the OS image from the PIX monitor prompt. Follow these steps to reload and erase the PIX passwords 1. Make sure a TFTP server is available. The TFTP server should have a copy of the correct PIX Password Lockout Utility software. You can find this utility on Cisco.com at where XX is the PIX OS software release. For example, the utility for PIX OS 6.3...

Stub Multicast Routing Example

A firewall separates a multicast source from its recipients. The source is located on the outside interface, and the recipients are on internal networks found on the inside interface. Recipients can join multicast groups only in the 224.3.1.0/24 and 225.1.1.0/24 ranges. The PIX 6.3 configuration commands needed are as follows:

Firewall(config)# access-list mcastallowed permit ip any 224.3.1.0 255.255.255.0
Firewall(config)# access-list mcastallowed permit ip any 225.1.1.0 255.255.255.0
...

Managing the Startup Configuration

In PIX releases 6.3 and earlier, as well as FWSM releases, a firewall has one startup configuration that is stored in flash memory. This configuration file is read upon bootup and is copied into the running configuration. ASA platforms running 7.0 or later have the capability to maintain one or more startup configuration files in flash, provided that you have sufficient space to store them. Only one of these can be used at boot time. This section discusses the tasks that can be used to maintain...

Figure: Windows file download warning for the ASDM launcher installer ("If the file information below looks suspicious, or you do not fully trust the source, do not open or save this file. File type: Windows Installer Package. This type of file could harm your computer if it contains malicious code. Would you like to open the file or save it to your computer?").

To run the ASDM launcher application, start the local Cisco ASDM Launcher program. On a Windows PC, it can be found on the Start menu...

PAT

Translates real source addresses to a single mapped address with dynamic port numbers.

The static command creates a persistent translation between a real and a mapped address. This sets the stage to allow both outbound and inbound connections to be initiated. The actual xlate entries are created when the static command is entered. In each of the nat command forms shown, the translation is used for outbound connections only, initiated by an inside host. Inbound traffic is then permitted only if...

Regular Expression Metacharacters

^    The caret matches the beginning of a line; any expression following the caret will be matched only if it appears at the beginning of a line. Example: ^Dear matches "Dear John," but not "John Dear".
\    The metacharacter following \ will be treated as a literal character; this is useful when you need to match against something that is normally interpreted as a metacharacter.
\r   Matches a carriage return character (ASCII 13 or 0x0d).
\n   Matches a newline character (ASCII 10 or 0x0a).
\t   Matches a tab character (ASCII 9...

Allocating Firewall Resources to Contexts

When a firewall platform is running in single-context security mode, you can configure and use only one operational firewall. Therefore, that firewall can use any or all of the available traffic inspection and session resources on that hardware platform. In other words, if the firewall uses most of its own resources while it does its job, its own performance is not affected. In multiple-context security mode, however, all the configured contexts must share the available resources on their...

Monitoring Access Lists

You can review an access list definition by displaying the firewall configuration with this EXEC command. To jump right to the access list in the configuration, you can use this variation:

Firewall# show running-config | begin access-list acl_id

Or, to display only the lines of the access-list configuration and nothing else, you can use a further variation:

Firewall# show running-config | include access-list acl_id

Beginning with ASA 7.0, you can display an access-list configuration with this command...

Changing the Message Severity Level

Recall that each logging message has a default severity level associated with it. You can change that default behavior so that a message is sent based on a configurable severity level instead. This might be useful if you choose a severity level for a logging destination that includes most (but not all) of the messages that are interesting to you. For the messages that have a higher default level and that will not be sent, you can reconfigure their level to a lower value. To change a message's...
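Both the Analyzing Firewall Logs section and this one come down to the same two questions about a Syslog stream: what severity each message carries, and whether a given destination level will receive it once you override a message's default level. The added example below (mine, not from the book) parses constructed ASA syslog lines, applies `logging message <id> level <n>` overrides, works out what a destination configured at a given level would receive, and flags a few message IDs a reviewer should never skim past. The message IDs and texts follow the formats quoted on this page; the hosts, timestamps and connection numbers are made up.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample Syslog lines (not from the book). The IDs and formats
# follow the messages quoted on this page; hosts, times and IDs are invented.
SAMPLE_LOG = """\
May 06 01:07:01 fw1 %ASA-6-302013: Built inbound TCP connection 4411 for outside:172.21.4.8/4334 (172.21.4.8/4334) to inside:192.168.199.100/23 (192.168.199.100/23)
May 06 01:07:03 fw1 %ASA-3-414001: Failed to save logging buffer to FTP server 192.168.3.14 using filename LOG-2007-05-06-010703.TXT on interface inside
May 06 01:07:05 fw1 %ASA-6-304004: URL Server 192.168.3.20 request failed URL http://www.example.com/
May 06 01:07:09 fw1 %ASA-2-304007: URL Server 192.168.3.20 not responding, ENTERING ALLOW mode.
May 06 01:07:15 fw1 %ASA-4-401002: Shun added: 172.21.4.8 0.0.0.0 0 0
May 06 01:08:00 fw1 %ASA-6-717022: Certificate was successfully validated. Certificate is resident and trusted, serial number 00DB42F7223CD44610, subject name cn=www.mycompany.com,ou=Test Engineering,o=My Company,l=Lexington,st=Kentucky,c=US.
"""

# %PLATFORM-LEVEL-MSGID: text   (the level in the header is the message's
# default severity unless it has been changed with `logging message`)
MSG_RE = re.compile(
    r"%(?P<platform>ASA|PIX|FWSM)-(?P<level>[0-7])-(?P<msg_id>\d{6}):\s*(?P<text>.*)$")

SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# Message IDs that deserve a look no matter how quiet the day was:
# content filtering failing open, a shun being added, the log archive failing.
WATCH_IDS = {304007: "content filter entered ALLOW (fail-open) mode",
             401002: "shun added",
             414001: "saving the logging buffer to FTP failed"}


@dataclass(frozen=True)
class LogEntry:
    platform: str
    default_level: int
    msg_id: int
    text: str


def parse_log(text):
    """Extract (platform, level, message id, text) from each line that carries a message."""
    entries = []
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if m:
            entries.append(LogEntry(m["platform"], int(m["level"]),
                                    int(m["msg_id"]), m["text"]))
    return entries


def effective_level(entry, overrides):
    """Severity after any `logging message <id> level <n>` override (a dict id -> level)."""
    return overrides.get(entry.msg_id, entry.default_level)


def would_be_sent(entries, destination_level, overrides=None):
    """Entries a destination configured at `destination_level` receives.

    Lower numbers are more severe, so a destination at level 3 gets
    everything whose effective level is 0..3 and nothing at 4..7.
    """
    overrides = overrides or {}
    return [e for e in entries if effective_level(e, overrides) <= destination_level]


def severity_histogram(entries, overrides=None):
    """Count messages per severity name, useful for sizing the collector."""
    overrides = overrides or {}
    return Counter(SEVERITY_NAMES[effective_level(e, overrides)] for e in entries)


def review_items(entries):
    """Return (id, why, text) for every message on the watch list, in log order."""
    return [(e.msg_id, WATCH_IDS[e.msg_id], e.text) for e in entries if e.msg_id in WATCH_IDS]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(severity_histogram(entries))
    # A trap destination at level 3 misses 304004 until its level is lowered.
    print([e.msg_id for e in would_be_sent(entries, 3)])
    print([e.msg_id for e in would_be_sent(entries, 3, {304004: 3})])
    for msg_id, why, text in review_items(entries):
        print(f"{msg_id}: {why}: {text}")
```

Run it against real output by replacing SAMPLE_LOG with the collector's file. The `overrides` dict is the script's model of the firewall's `logging message` configuration: once you lower a message's level on the firewall, the level in its Syslog header changes too, so the parsed default_level will already reflect it on a live feed.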

In Figure 1-6, the hosts pass messages back and forth, as if there is a connection between them. Host PC-1 begins the session by sending a UDP packet to PC-2. If the ACLs applied to the firewall interfaces permit this traffic, the firewall proceeds to define a UDP connection. To forward the traffic, the firewall needs an existing xlate table entry or needs to create one. With the first packet in the session, the firewall creates a new connection entry in the conn table. This entry identifies...

URL Packets Sent and Received Stats:
Message: STATUS_REQUEST, LOOKUP_REQUEST, LOG_REQUEST

If the firewall is having trouble reaching the content-filtering server, you might see one of the following Syslog messages:
%ASA-2-304007: URL Server IP_address not responding, ENTERING ALLOW mode.
%ASA-3-304003: URL Server IP_address timed out URL url
%ASA-3-304006: URL Server IP_address not responding
%ASA-6-304004: URL Server IP_address request failed URL url
As soon as the content-filtering server again can be...

Using a Multicast Boundary to Segregate Domains

IP Multicast address space is broken down into several ranges, each reserved for a different function. Some ranges, such as link-local addresses and administratively scoped addresses, are not meant to be routed across Layer 3 boundaries. Others, such as globally scoped addresses, are free to be routed anywhere across organizational boundaries and across the Internet. Administratively scoped addresses (239.0.0.0 through 239.255.255.255) are analogous to the private address ranges defined in RFC...
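To make the scope ranges concrete, here is an added example (mine, not from the book) that classifies a group address by scope, evaluates a standard access list of the kind applied with the `multicast boundary` interface command against a group, and lints the list for the mistake that matters here: letting an administratively scoped (239.0.0.0/8) group leak across the boundary. The access-list lines are constructed for the example.

```python
import ipaddress

ALL_MULTICAST = ipaddress.ip_network("224.0.0.0/4")
LINK_LOCAL = ipaddress.ip_network("224.0.0.0/24")      # never routed
ADMIN_SCOPED = ipaddress.ip_network("239.0.0.0/8")     # stays inside the organization

# Constructed boundary ACL (standard ACL syntax: action, then any | host A | A MASK).
# Deny the private scope first, then allow everything else to cross.
BOUNDARY_ACL = [
    "access-list mcast_boundary standard deny 239.0.0.0 255.0.0.0",
    "access-list mcast_boundary standard permit 224.0.0.0 240.0.0.0",
]


def scope(group):
    """Classify a multicast group address by the ranges described above."""
    g = ipaddress.ip_address(group)
    if g not in ALL_MULTICAST:
        raise ValueError(f"{group} is not a multicast address")
    if g in LINK_LOCAL:
        return "link-local"
    if g in ADMIN_SCOPED:
        return "administratively-scoped"
    return "global"


def parse_standard_acl(lines):
    """Parse `access-list NAME standard {permit|deny} {any|host A|A MASK}` lines
    into ordered (action, network) entries. The mask is a subnet mask, not a
    wildcard mask."""
    entries = []
    for line in lines:
        parts = line.split()
        action, rest = parts[3], parts[4:]
        if rest[0] == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif rest[0] == "host":
            net = ipaddress.ip_network(rest[1] + "/32")
        else:
            net = ipaddress.ip_network(f"{rest[0]}/{rest[1]}")
        entries.append((action, net))
    return entries


def crosses_boundary(acl, group):
    """First matching entry wins; a group matching no entry is denied (implicit deny)."""
    g = ipaddress.ip_address(group)
    for action, net in acl:
        if g in net:
            return action == "permit"
    return False


def lint_boundary(acl):
    """Return admin-scoped probe addresses that the ACL would let across.

    For each permit entry overlapping 239.0.0.0/8, the first and last
    address of the overlap are evaluated through the whole ACL, so a deny
    placed earlier in the list is honored. This is a spot check of the
    overlap's ends, not an exhaustive range comparison.
    """
    leaks = []
    for action, net in acl:
        if action != "permit":
            continue
        if net.subnet_of(ADMIN_SCOPED):
            overlap = net
        elif ADMIN_SCOPED.subnet_of(net):
            overlap = ADMIN_SCOPED
        else:
            continue
        for probe in (overlap.network_address, overlap.broadcast_address):
            if crosses_boundary(acl, str(probe)) and str(probe) not in leaks:
                leaks.append(str(probe))
    return leaks


if __name__ == "__main__":
    acl = parse_standard_acl(BOUNDARY_ACL)
    for group in ("224.0.0.5", "239.1.1.1", "233.1.1.1"):
        print(group, scope(group), "crosses" if crosses_boundary(acl, group) else "blocked")
    print("leaks:", lint_boundary(acl))
    print("leaks with permit any:", lint_boundary(parse_standard_acl(
        ["access-list bad standard permit any"])))
```

The lint is what you want before applying the list to an interface with `multicast boundary mcast_boundary`: a list that ends in `permit any` without an earlier deny for 239.0.0.0/8 forwards the organization's private groups to whatever is on the other side of the boundary.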

SSH

- Web-based management applications such as ASDM or PDM

The following sections provide information about the configuration and use of these methods.

Console Connection

Most Cisco firewall and security appliances have a physical console connection that can be used to access a user interface. The console port is an asynchronous serial interface operating at 9600 baud. Because of its relatively slow speed, the console should be used only to initially configure the firewall or to access it over an...

Configuring Interface MTU and Fragmentation

By default, any Ethernet interface has its maximum transmission unit (MTU) size set to 1500, which is the maximum and expected value for Ethernet frames. If a packet is larger than the MTU, it must be fragmented before being transmitted. You can use the following command to adjust an interface MTU. If you need to, you can adjust the MTU of the interface named if_name to size bytes (64 to 65,535 bytes). In some cases, you might need to reduce the MTU to avoid having to fragment encrypted...

The capture buffer for the ingress capture session is shown in the topmost box, whereas the egress session is shown in the bottom box. 7. Save the capture buffers by clicking on the Save captures button. From the screen shown in Figure 11-16, select ASCII to save the capture in plaintext or PCAP to save it in a standard format that Ethereal or Wireshark can decode. Figure 11-16. Saving the Capture Buffers Click on Save ingress capture or Save egress capture to begin saving the capture buffer to...

Configuring an Access List

You can use the steps presented in this section to configure a firewall access list. The access list exists in the firewall configuration, but does not actively do anything until you apply it to a firewall interface or to some other firewall function. Access lists are defined simply by entering ACE commands in global configuration mode. There is no need to define the access list name first just the action of entering an ACE with an ACL ID acl_id (an arbitrary text name) is enough to make it a...

Configuring Interfaces

Every firewall has one or more interfaces that can be used to connect to a network. To pass and inspect traffic, each firewall interface must be configured with the following attributes:
- IP address and subnet mask (IPv4; beginning with Adaptive Security Appliance (ASA) 7.0 and Firewall Services Module (FWSM) 3.1(1), IPv6 is also supported).
- Security level (a higher level is considered more secure). By default, traffic is allowed to flow from a higher-security interface to a lower-security...

SSL Ciphers: RC4-SHA, AES128-SHA, AES256-SHA, DES-CBC3-SHA

SSL Server outside:172.21.4.37/1041 choose cipher RC4-SHA
Validating certificate chain containing 1 certificate(s).
Identified client certificate within certificate chain. serial number 00DB42F7223CD44610, subject name cn=www.mycompany.com,ou=Test Engineering,o=My...
%ASA-6-717022: Certificate was successfully validated. Certificate is resident and trusted, serial number 00DB42F7223CD44610, subject name cn=www.mycompany.com,ou=Test Engineering,o=My Company,l=Lexington,st=Kentucky,c=US.
%ASA-6-717028: Certificate...

Displaying Information About IOS FWLB

Table 9-2 lists the switch commands you can use to display helpful information about IOS firewall load-balancing configuration and status.

Table 9-2. Commands to Display IOS FWLB Configuration and Status
Router# show ip slb firewallfarms detail
Router# show ip slb reals sfarm firewall-farm-name detail    Firewall weight and connection counters
Router# show ip slb conn firewall firewall-farm-name detail  Load-balancing connections to firewalls
Router# show ip slb probe name probe-name detail             For the...

Active-Standby Failover Example with FWSM

Now, suppose these firewalls are actually FWSMs. Suppose the inside interface uses VLAN 100, outside uses VLAN 200, stateful uses 300, and lanfo uses 400. The configuration for the primary FWSM in slot 3 would look like this, beginning with the necessary Catalyst 6500 commands:

Switch(config)# vlan 100,200,300,400
Switch(config)# firewall vlan-group 1 100,200,300,400
Switch(config)# firewall module 3 vlan-group 1
Switch(config)# exit

Now open a session to the FWSM itself:

Switch# session slot 3...

Generating Logging Messages

The firewall uses logging to send system messages to one or more logging destinations, where they can be collected, archived, and reviewed. Messages are generated according to a severity level, specified by a number (0 through 7) or a keyword, as shown in Table 10-1.

Table 10-1. System Message Severity Levels

Logging messages can be sent to any of the following destinations:
- Telnet or SSH sessions to the...

Verifying Firewall Connectivity

When you install a firewall or make configuration changes to one, you might need to verify that it can communicate on all its interfaces. Users might also report problems they experience when trying to pass through the firewall. You need a logical approach to verifying the firewall's operation and troubleshooting its connectivity. You can follow these basic steps to verify that a firewall can communicate with its neighboring networks Step 1. Test with ping packets. Step 2. Check the ARP cache....

SSM

In the example from Figure 12-2, the ASA interfaces are configured with the following commands:

interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.110.1 255.255.255.0

The SSM management interface will eventually be configured with IP address 192.168.110.10. This cannot be done from the ASA configuration because the AIP or CSC...

Configuring the ARP Cache

A firewall maintains a cache of Address Resolution Protocol (ARP) entries that are learned when it overhears ARP requests or ARP reply packets on its interfaces. ARP is used to resolve a host's MAC address based on its IP address, and vice versa. You can use the following commands to configure ARP operations:

1. Define a static ARP entry:
Firewall(config)# arp if_name ip_address mac_address [alias]
ARP entries normally are created as the firewall hears responses to ARP requests on each interface....

Overview of Firewall SNMP Support

Firewalls can participate in SNMP by maintaining several MIBs. The MIB values are constantly updated with the current values that are in use. For example, one MIB parameter records the average firewall CPU load over a 5-second period. This is based on the CPU usage measurements that can also be shown from the firewall CLI. SNMP MIBs represent data as a hierarchical tree structure each MIB variable is referenced by its object identifier (OID). OIDs are formed by concatenating the name or number...

Checking Firewall Interfaces

You can use the show traffic command to see throughput information about firewall interfaces, but you can monitor other interface statistics as well. You can use the show interface command to see a wealth of information about the interface operation, many types of error conditions, and packet buffering. As with the Cisco IOS Software, the show interface command can produce such a condensed dump of interface parameters that it becomes difficult to interpret. To make this easier, think of the...

Configuring Application Inspection

By default, PIX 6.3 enables only the CU-SeeMe, DNS, FTP, H.323, HTTP, ILS LDAP, NetBIOS, RSH, RTSP, SIP, SKINNY SCCP, SMTP, SQL*Net, SunRPC, TFTP, VDO Live, Windows Media, and XDMCP fixups. If the fixup command is configured for an application protocol, then the firewall inspects that traffic with an inspection engine. On an ASA or FWSM platform, application inspection occurs only on traffic that has been classified and applied to a policy. When you use the inspect command, as in the following...

Acknowledgments

It is my pleasure to be involved in writing another Cisco Press book. Technical writing, for me, is great fun, although writing large books is hard work. The good folks at Cisco Press provided a wealth of help during the writing process. In particular, I'm very grateful to have worked with my friends Brett Bartow and Chris Cleveland yet again. They are amazing at what they do, and I'm very appreciative I'm also grateful to Mandie Frank for managing many of the production pieces for the final...

220 pi FTP server ready.
---> USER pixadmin
331 Password required for pixadmin.
---> PASS ****
---> STOR e or directory.
001 FTP
---> QUIT
%ASA-3-414001: Failed to save logging buffer to FTP server 192.168.3.14 using filename LOG-2007-05-06-010703.TXT on interface inside
%ASA-7-711001: FTP 221 Goodbye.

3. (Optional) Copy the buffer to Flash if it fills and wraps:
Firewall(config)# logging flash-bufferwrap
Firewall(config)# logging...

Saving a Running Configuration

You can view or save a firewall's running configuration with one of the methods described in the following sections. You can use the following commands to display the current running configuration The running configuration is displayed to the current terminal session. If the configuration is longer than your current session page length (24 lines by default), you have to press the spacebar to page through it. However, in ASA, FWSM, and PIX 6.3 platforms, you can filter the output by using one of...

Administering an ASA or FWSM Flash File System

An ASA platform offers two file systems a flash file system that is accessible to administrative users, and a hidden file system that contains system-related resources that are inaccessible. On an FWSM platform, both file systems are accessible. The flash file system can contain files and directories, each under user control. In an administrative session, you can take the following management actions on the flash file system and its contents You can copy files according to the basic syntax copy...

CSS Appliance Firewall Load Balancing Example

The network from the example in Section 9-2 is reused here so that you can get a feel for the difference between IOS FWLB, CSM FWLB, and CSS FWLB configurations. Performing FWLB using this method requires two CSS load-balancing devices One located externally with respect to the firewall farm One located internally with respect to the firewall farm Figure 9-7 shows a network diagram for this example. Figure 9-7. Network Diagram for the CSS FWLB Example...

Step 7 Look for Active Shuns

A Cisco firewall can shun (block) traffic coming from specific source addresses on an interface. This feature is useful when a host is generating malicious traffic and needs to be stopped. If you have manually added shuns to your firewall, or if another system has added them automatically, you might forget that they are in place. In fact, when shuns are defined, they are dynamic in nature and are not added to the firewall configuration. If you are troubleshooting why a host is not receiving or...

Checking Stateful Inspection Resources

As a firewall inspects and passes traffic, it maintains two tables of entries address translations (xlates) and connections (conns). You can get an idea of the inspection load by looking at the size of these tables. To see the translation table size, use the following command The output from this command shows the current number of xlates in use and the maximum number that have been built since the firewall was booted. The firewall in the following example currently has built 15,273...

Management Vlan -in Denied Eigrp

Auth start for user user from inside_address inside_port to outside_address outside_port. Auth from inside_address inside_port to outside_address outside_port failed (server IP_address failed) on interface interface_name. Auth from inside_address to outside_address outside_port failed (all servers failed) on interface interface_name. Authentication succeeded for user user from inside_address inside_port to outside_address outside_port on interface interface_name. Authentication failed for user...

Step 9 See What Has Changed

If you have installed, configured, and tested a firewall, trusted users should be able to pass through it according to the security policies. At the same time, the firewall should deny or drop all untrusted users and traffic. Suppose things have been working like this for some time, but one day users begin to call and complain. One possible cause of a problem is that someone somewhere has changed something on your network. One good troubleshooting approach is to ask, What changed during the...

Manually Intervening in Failover

When the firewalls in a failover pair detect a failure and take action, they do not automatically revert to their original failover roles. For example, if the primary firewall is active and then fails, it is marked as failed, and the secondary firewall takes over the active role. After the primary unit is repaired and returned to service, it does not automatically reclaim the active role (unless it has been configured to preempt active control). You might occasionally find that you need to...

Accounting of Generic Users

When a firewall is configured to authenticate administrative users with only a password, you can perform user accounting only through the logging function. You should make sure the following Syslog message IDs are enabled to use them as an audit trail of user activity. The default severity levels are shown in parentheses 611101 (6) Successful user authentication 611102 (6) Failed user authentication 111008 (5) User executed the command text 111009 (6) User executed the command show text 502103...

Ospf

(Figure labels: Inside Networks Are Advertised Toward Area 0 (Outside); Use a Prefix List to Filter (Deny) Inside) On the inside, the firewall exchanges OSPF LSAs with other inside routers in that area. On the outside, the firewall exchanges LSAs with other corporate routers in the OSPF backbone area. This topology makes it easy to maintain dynamic routing information on the routers and the firewall for a large network. Routes from the OSPF backbone (outside) are advertised toward the inside area. This poses no...

Building Connectivity

Refer to the following sections for information about these topics 3-1 Configuring Interfaces Discusses how you can configure firewall interfaces to join and communicate on a network. Physical, trunk, and logical interfaces are covered, as well as priority queue operation. 3-2 Configuring Routing Explains the configuration steps needed to define static routes on a firewall, as well as the RIP, OSPF, and EIGRP dynamic routing protocols. 3-3 DHCP Server Functions Provides information about how a...

Debugging Failover Activity

Table 8-1 summarizes some of the commands you can use to generate debugging information about firewall failover operation. Table 8-1. debug Commands Relevant to Firewall Failover Operation Failover messages parsed or sent (serial cable only) Failover hello messages received or sent on all interfaces Stateful failover packets received from or sent to the other unit (not...

Updating Dynamic DNS from a DHCP Server

Traditionally, hostnames and IP addresses have been associated through the use of DNS, requiring static configurations. While this might be practical for servers, which rarely change their hostnames or addresses, it does not lend itself to timely updates for clients that frequently change IP addresses. Dynamic DNS (DDNS) solves this problem by keeping the DNS function, but allowing records to be updated dynamically, as they change. DDNS is most useful when it is teamed with a DHCP server as the...

Filtering Bidirectional PIM Neighbors

ASA 7.0 introduced the ability to enable PIM sparse mode neighbor relationships to form through an ASA. Beginning with ASA 7.2(1), bidirectional PIM relationships can also form through an ASA. In addition, you can configure an ASA to filter bidirectional neighbors so that you can control which multicast routers can participate in a bidirectional tree and a DF election. You can use the following steps to configure a bidirectional PIM neighbor filter 1. Define an access list to filter...

AIP Interfaces

The ASA and AIP are connected over the ASA chassis backplane by two hidden interfaces GigabitEthernet0 0 Used only for command and control traffic between the ASA and AIP. GigabitEthernet0 1 Used for data transfer between the ASA and AIP this is the only interface that can be monitored as a sensing interface by the AIP for IPS functions. From the ASA, neither of these interfaces is available or configurable. The interfaces can be seen and used only from the AIP itself. To perform IPS functions,...

Checking Firewall Vital Signs

After a firewall is put into production, it is important to know how to check its health. You can proactively monitor various resources and statistics in an effort to determine when the firewall has a problem or becomes underpowered. As well, when users complain of problems or slow response times, you should be able to look into some of the firewall's inner workings to quickly spot issues. How a firewall will behave under the load of a production network with real users and real applications is...

Configuring EIGRP to Exchange Routing Information

The Enhanced Interior Gateway Routing Protocol (EIGRP) is new to ASA 8.0. As its name implies, EIGRP is based on Interior Gateway Routing Protocol (IGRP), but with many enhancements. EIGRP is a distance vector routing protocol, and its routing metrics are based on a combination of delay, bandwidth, reliability, load, and MTU. EIGRP uses a neighbor discovery mechanism that works by sending hello messages to directly connected neighboring routers. Neighbors can be dynamically discovered or...

Using Capture

You can define one or more capture sessions on a firewall, each operating independently. Captured packets are stored in a memory buffer and can be viewed much like a protocol analyzer or sniffer trace. Two basic steps are involved in defining a capture session 1. Configure an access list to identify the interesting traffic for capture. 2. Define the actual capture session. An access list is used to pick out specific traffic passing through a firewall interface. You can set up a capture session...

Tcp 60514

On the Syslog server, the SSL software is installed and configured to receive SSL traffic over the same TCP port that the firewall is using (TCP 60514, for example). The software unencrypts the TCP Syslog packets from the SSL tunnel and relays them to the Syslog application's TCP port (TCP 1470). As with a regular TCP Syslog connection, the firewall monitors the status of the Syslog server by the TCP connection status. If the connection goes down, the firewall tries to bring it back up five...

Reloading a Firewall

To manually trigger a firewall reload, choose one of the options discussed in the following sections. You can initiate a firewall reload only from privileged EXEC (enable) mode. On an ASA or FWSM firewall platform running in multiple-context security mode, you can initiate a reload only from the system execution space. You can use the following command to initiate an immediate reload. Be aware that as soon as the reload begins, all existing connections through the firewall are dropped, and...

B6 Informational Syslog Severity Level 6 Messages

Table B-6 lists all the severity level 6 logging messages, along with their message numbers and text. All the messages supported by FWSM, ASA, and PIX are shown. Table B-6. Severity 6 (Informational) Logging Messages Deny IP from IP_address to IP_address, IP options hex. Deny TCP (no connection) from IP_address port to IP_address port flags tcp_flags on interface interface_name. Failed to determine the security context for the packet sourceVlan sourceIP destIP sourcePort destPort protocol....

Automatic Updates with an Auto Update Server

With an AUS, you can use one central location as a distribution point for the firewall image and configuration updates. This can be handy if you have many firewalls to maintain. Ordinarily, you would have to manually transfer a new image or configuration file to each firewall individually. With AUS, each firewall can poll periodically to see if a new file is available. If a newer file is found, the firewall automatically downloads it without any further intervention. A firewall can be...

Recovering an FWSM Password

Follow these steps to reload and erase the FWSM passwords 1. Boot the FWSM into the maintenance partition Router hw-module module slot-number reset cf 1 Router session slot slot-number processor 1 From the Catalyst 6500 Supervisor IOS EXEC prompt, the FWSM in slot slot-number can be reset so that it reboots into its maintenance partition. Log in as the user root. The default root password is cisco. 2. Reset the passwords in the compact Flash configuration file root localhost clear passwd cf...

IOS Firewall Load Balancing Example

FWLB requires two load-balancing devices One located externally with respect to the firewall farm One located internally with respect to the firewall farm Figure 9-4 shows a network diagram for this example. Note that this same example is also used in Section 9-3 to show how IOS FWLB and the CSM are configured in similar scenarios. Figure 9-4. Network Diagram for the IOS FWLB Example The firewall farm consists of three real firewalls. The...

Phase 1 Completed

Keep-alives configured keepalive type but peer IP address support keep-alives (type keepalive type). IKE lost contact with remote peer, deleting connection (keepalive type keepalive Received DPD sequence number rcv sequence in DPD Action, description expected seq . Xauth required but selected Proposal does not support xauth, Check priorities of ike xauth proposals in ike proposal list. Connection attempt to VCPIP redirected to VCA peer IP address via load balancing. Received unexpected...

Authorizing User Activity with Radius Servers

User authorization is not available as a part of the RADIUS protocol. However, if you have only RADIUS servers available and you need to set up authorization for user traffic, you can use access lists to emulate authorization. The RADIUS server can be configured to return a reference to an access list that is based on a user's authorization. The firewall can use the access list information to permit or deny the user's connections as they are initiated. You have two ways to approach RADIUS...

Recovering an ASA Password

On an ASA, the configuration register is changed to allow booting without the startup configuration file. The ASA can boot its normal operating system image. Without the startup configuration, you can move directly into the privileged EXEC mode without having to use an enable password. Follow these steps to recover from an unknown password The ASA must be reloaded so that you have a chance to break out of the normal boot sequence and change the configuration register. If the ASA is already...

Filtering PIM Neighbors

An ASA can also be configured to prevent multicast routers on one interface from establishing a PIM neighbor relationship with multicast routers on other interfaces. In this role, the ASA filters PIM messages coming from source addresses identified by an access list. You might want to use this feature to prevent rogue or unauthorized routers from becoming PIM neighbors with your protected multicast routers. You can use the following steps to configure PIM neighbor filtering 1. Define an access...

B5 Notifications Syslog Severity Level 5 Messages

Table B-5 lists all the severity level 5 logging messages, along with their message numbers and text. All the messages supported by FWSM, ASA, and PIX are shown. Table B-5. Severity 5 (Notifications) Logging Messages Authen Session End user 'user', sid number, elapsed number seconds. Begin configuration IP_address writing to device. Begin configuration IP_address reading from device. IP_address end configuration FAILED OK . Console Login...

B4 Warnings Syslog Severity Level 4 Messages

Table B-4 lists all the severity level 4 logging messages, along with their message numbers and text. All the messages supported by FWSM, ASA, and PIX are shown. Table B-4. Severity 4 (Warnings) Logging Messages Deny protocol src dst interface_name dest_address dest_port type string , code code by access_group acl_ID. Failed to determine the security context for the packet vlansource Vlan ethertype src sourceMAC dst destMAC. Maximum number of...

B2 Critical Syslog Severity Level 2 Messages

Table B-2 lists all the severity level 2 logging messages, along with their message numbers and text. All the messages supported by FWSM, ASA, and PIX are shown. Table B-2. Severity 2 (Critical) Logging Messages Inbound TCP connection denied from IP_address port to IP_address port flags tcp_flags on interface interface_name. Protocol connection denied by outbound list acl_ID src inside_address dest outside_address. Deny inbound UDP from outside_address outside_port to inside_address inside_port...

Manually Testing Logging Message Generation

If it is not apparent that the firewall is sending Syslog messages, you can use another method to force messages to be sent while watching them being received at the destination. First, make sure the logging destination has been configured for severity level 4 or greater. Then, from enable mode in a session, run the following EXEC commands with a bogus or unused IP address Firewall shun ip-address Firewall no shun ip-address This creates and deletes a temporary shun on the nonexistent address....

Configuring a Transparent Firewall

Use the following steps to configure a firewall for transparent mode. 1. Enter transparent firewall mode Firewall(config) firewall transparent By default, a firewall operates in the routed mode. You can use this command to initiate the transparent firewall mode. Transparent mode begins immediately and does not require a firewall reload. Because transparent and routed modes use different approaches to network security, the running configuration is cleared as soon as transparent mode begins. The...

Defining Object Groups

Object groups can be thought of as a type of macro used within access lists. Object groups can contain lists of IP addresses, ICMP types, IP protocols, or ports. You can define several different types of object groups, each containing a list of similar values, as follows Network object group Contains one or more IP addresses. Protocol object group Contains one or more IP protocols. ICMP object group Contains one or more ICMP types. Basic service object group Contains one or more UDP or TCP port...

C

(Table fragment: Computer Telephony Interface Quick Buffer Encoding (CTIQBE)) You can also specify the foreign or local IP address or range of addresses used in the connections, as well as the local port lport or foreign port fport or a range of ports. The IP protocol can also be given as tcp or udp. With connections, foreign represents the host on the lower-security interface, and local is the address of the host on the higher-security interface. Table 11-15 lists the possible display formats. Table 11-15....

Uiob

On several occasions, the xlate table might contain stale or incorrect entries. This can happen if you make configuration changes to the static, global, or nat commands on a firewall or to an interface access list. As soon as that happens, it is likely that the xlate table has existing entries that use previous or outdated translations. For example, if several hosts are using Telnet connections, and a new policy is added to an access list to deny the Telnet protocol, new Telnet connections are...

Configuring RIP to Exchange Routing Information

Cisco firewalls can passively listen to RIP updates either version 1 or 2 to learn routing information. Routing advertisements from the firewall are limited to one type a firewall interface as a default route. RIP can be used in either of the following versions RIP version 1, which supports only classful networks. Advertisements are broadcast unencrypted. RIP version 2, which supports classless networks. Advertisements can be authenticated by a cryptographic function for security purposes. RIP...

Configuring the Initial Csc Ssm Settings

The CSC SSM must be configured independently of the ASA. You can use several methods to connect to and configure the CSC. Most often, you use ASDM as your interface to the CSC, although other methods are discussed as they are needed. You should use the following steps to configure a CSC SSM After a CSC SSM is installed in an ASA chassis, you should verify that the module is powered up and available. You can do that with the show module ASA command, as shown in the following example. Here, the...

Pre-allocate Sip Rtcp Secondary Channel

Virtual-interface number, client-dynamic-ip IP_address, username user, MPPE-key-strength number. Teardown PPPOE Tunnel at interface_name, tunnel-id number, remote-peer IP_address. DHCP client interface interface_name Allocated ip IP_address, mask netmask, gw gateway_address. DHCP client interface interface_name address released. DHCP daemon interface interface_name address granted MAC_address IP_address . DHCP daemon interface interface_name address released. HTTP daemon Login failed from...