
[Figure: Cisco Secure ACS Group Setup. Click Submit + Restart when finished. Protocol-specific settings appear only when that protocol has been selected under Network Configuration; for example, RADIUS settings appear ...]

Complete the following steps to add authorization rules for services to specific hosts in Cisco Secure ACS:

Step 1 In the navigation bar, click Group Setup. The Group Setup window opens.
Step 2 Scroll down in Group Setup until you find IOS Commands.
Step 4 Under Unmatched Cisco IOS commands, ...

AAA Configuration

This section discusses how to configure the Cisco IOS Firewall to work with a AAA server and enable the authentication proxy feature.

Router(config)# aaa new-model
Enables the AAA functionality on the router (default: disabled).

Use the aaa new-model global configuration command to enable the AAA access control system. Use the no form of this command to disable the AAA access control model.

Note: After you have enabled AAA, TACACS and extended TACACS commands are no longer available. If you initialize AAA functionality and ...

AAA Server Configuration

This section discusses how to configure the AAA server to provide authentication and authorization for the Cisco IOS Firewall authorization proxy.

[Figure: Create the auth-proxy service in CSACS-NT. Cisco Secure ACS for Windows NT (Netscape): Interface Configuration > Advanced TACACS+ Features, including the "Display a Time-of-Day access service" option ...]

Access-list Command

access-list acl_name [deny | permit] protocol src_addr src_mask [operator port [port]] dest_addr dest_mask [operator port [port]]
Allows you to create an access control list. Access control lists associated with IPSec are known as crypto access control lists.

access-group acl_name in interface interface_name
Binds an access control list to an interface.

The access-list command uses the same syntax as the Cisco IOS software access-list command, except that the subnet mask in the PIX Firewall access-list command is reversed from the Cisco IOS ...
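The mask reversal is the mistake most often made when a policy is carried between the two platforms. The following is an added example, not from the original guide: the same rule, inside network 10.0.0.0/24 to a web server at 172.30.1.50, written in both dialects. The interface names, list names and the server address are assumptions.

```cisco
! Cisco IOS router: wildcard mask, a 1 bit means "do not care"
access-list 101 permit tcp 10.0.0.0 0.0.0.255 host 172.30.1.50 eq www
access-list 101 deny   ip any any
interface Ethernet0/0
 ip access-group 101 in
!
! PIX Firewall: ordinary subnet mask, a 1 bit means "must match"
access-list acl_in permit tcp 10.0.0.0 255.255.255.0 host 172.30.1.50 eq www
access-list acl_in deny ip any any
access-group acl_in in interface inside
```

Pasting the IOS line into the PIX unchanged does not produce an error: the PIX reads 0.0.0.255 as a subnet mask, so the entry matches any source whose last octet is 0 instead of the 10.0.0.0/24 network. After converting a policy, read the list back with show access-list on the PIX or show access-lists on the router and check every mask.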

ActiveX Blocking

ActiveX controls are applets that can be inserted in Web pages or other applications. ActiveX controls can provide a way for someone to attack servers; the PIX Firewall can be used to block them. ActiveX controls, formerly known as Object Linking and Embedding (OLE) controls or OLE custom controls (OCX), are applets that can be inserted in web pages, often for animations, or in other applications. ActiveX controls create a potential security problem because they can ...

Authentication of Console Access

aaa authentication [serial | enable | telnet] console group_tag
Defines a console access method that requires authentication.

Use the aaa authentication console command to require authentication verification to access the PIX Firewall's serial, enable, or Telnet consoles. The serial console option also logs to a Syslog server any change made to the configuration from the serial console. ...

Authentication Proxy Configuration

This section discusses how to configure the authentication proxy settings on a Cisco router.

Router(config)# ip auth-proxy auth-cache-time 120
Authorization cache timeout value in minutes (default 60 minutes).

To set the authentication proxy idle timeout value (the length of time an authentication cache entry, along with its associated dynamic user ACL, is managed after a period of inactivity), use the ip auth-proxy auth-cache-time global configuration ...

Configuration of Virtual Telnet Authentication

pixfirewall(config)# virtual telnet 192.168.0.3

- For inbound clients, this must be an unused global address.
- For outbound clients, this must be an unused global address routed directly to the PIX Firewall.

When using virtual Telnet to authenticate inbound clients, the IP address must be an unused global address. When using virtual Telnet to authenticate outbound clients, this must be an unused global address routed directly to the PIX Firewall. The syntax for the virtual telnet command is as ...

Configure the PIX Firewall to Work with WebSENSE

filter url http local_ip local_mask foreign_ip foreign_mask [allow]
Prevents outbound users from accessing World Wide Web URLs that are designated with the WebSENSE filtering application.

pixfirewall(config)# filter url http 0 0 0 0 allow

Use the filter url command to tell the PIX Firewall how to filter requests. After designating which server uses WebSENSE, use the filter url command to tell the PIX Firewall to send URL requests to WebSENSE for filtering. The example command in the figure above ...

Create User Authorization Profile in CSACS-NT

[Figure: Cisco Secure ACS for Windows NT (Netscape), Group Setup. Enter the ACLs to apply after the user authenticates; the privilege level of the user must be 15 for all users.]

Step 6 In the navigation bar, click Group Setup. The Group Setup frame opens.
Step 7 Scroll down in the Group Setup frame until you find the newly created auth-proxy service.
Step 8 Select ...

Custom URLs

When using the Master Database (the list of URLs that should be blocked, as determined and updated daily by the WebSENSE corporate office), you may need to permit one of the blocked URLs. If you need to permit URLs that are normally blocked by the parameters of the Master Database, you can add them to a special permit list. URLs in this list will never be blocked by WebSENSE. When a URL that has been added to the permit list is accessed, WebSENSE logs the access as normal. To add a URL to the ...

Cut-Through Proxy Operation

1. The user makes a request to access the web server.
2. The user is prompted by the PIX Firewall.
3. The PIX Firewall queries CSACS for the remote username and password.
4. If CSACS authenticates, the user is cut through the PIX Firewall, and the local username and password are passed to the web server to authenticate.
...

Define a RADIUS Server and Its Key

Router(config)# radius-server host 10.0.0.3
Specifies the RADIUS server IP address.

Router(config)# radius-server key secretkey

To specify the IP address of a RADIUS server, use the radius-server host global configuration command. Use the no form of this command to delete the specified IP address. You can use multiple radius-server host commands to specify additional servers. The Cisco IOS Firewall software searches for servers in the order in which you specify them. The syntax of the ...

DNS Guard

- After the client sends a DNS request, a dynamic conduit allows UDP packets to return from the DNS server. The default UDP timer expires in two minutes.
- The DNS server response is recognized by the firewall, which closes the dynamic UDP conduit immediately; the firewall does not wait for the UDP timer to expire.

DNS Guard identifies an outbound DNS query request and only allows a single DNS response back to the sender. A host may query several servers for a response in case the first server is ...

Enable Accounting

aaa accounting include | exclude acctg_service inbound | outbound if_name local_ip local_mask foreign_ip foreign_mask group_tag
Defines traffic that requires AAA server accounting.
acctg_service: any, ftp, http, or telnet; any means all TCP traffic.

The syntax for the aaa accounting command is as follows:

aaa accounting include | exclude acctg_service inbound | outbound if_name local_ip local_mask foreign_ip foreign_mask group_tag
no aaa accounting include | exclude acctg_service inbound | outbound if_name group_tag
...

Example Configurations

The following tables show an example configuration for PIX1 and PIX2. You may experience differences between the example configuration and your own configuration. The example in the following table is a summary of the configuration for PIX1.

Table 12-1. PIX1 Example Configuration

Command                                        Description
ip address outside 192.168.1.2 255.255.255.0   Configures the IP addresses for each PIX Firewall ...
ip address inside 10.0.1.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.0.0

Example Crypto Map for PIX1

[Figure: example crypto map for PIX1, from show crypto map: crypto map peer2 10 ipsec-isakmp; access-list 101 permit ip host 192.168...; security association lifetime 4608000 kilobytes ...]

Use the show crypto map command to verify the crypto map configuration. Consider the example of a crypto map for PIX1 in the figure.

Example Two Interface Firewall

Security policy for the two-interface example:
- Allow all general TCP and UDP traffic initiated on the inside
- Allow all ICMP traffic
- Allow all ICMP and HTTP traffic only to 10.0.0.3

As an example, configure the router to be a firewall between two networks, inside and outside. The security policy to implement is as follows: allow all general TCP and UDP traffic initiated on the inside (outbound) from network 10.0.0.0 to access the Internet. ICMP traffic will ...

Global Half-Open Connection Limits

ip inspect max-incomplete high number
Defines the number of existing half-open sessions that cause the software to start deleting half-open sessions (aggressive mode).

ip inspect max-incomplete low number
Defines the number of existing half-open sessions that cause the software to stop deleting half-open sessions (normal mode).

An unusually high number of half-open sessions (either absolute or measured as the arrival rate) could indicate that a DoS attack is occurring. For TCP, half-open ...

Global Timeouts and Thresholds

This section discusses how to configure the following global timeouts and thresholds:
- TCP SYN and FIN wait times
- TCP, UDP, and Domain Name System (DNS) idle times

ip inspect tcp synwait-time: specifies the time CSIS waits for a TCP session to reach the established state.
ip inspect tcp finwait-time: specifies the time CSIS waits for a FIN exchange to complete before quitting the session.

CBAC uses timeouts and thresholds to determine how long to manage state information for a session, and to determine when ...

Half-Open Connection Limits by Host

ip inspect tcp max-incomplete host number block-time seconds
Defines the number of half-open TCP sessions with the same destination host address that can exist at a time before CSIS starts deleting half-open sessions to the host.

After the number of half-open connections to a given host is exceeded, the software deletes half-open sessions on that host in the following fashion:
- If block-time is 0, the oldest half-open session is deleted, per new connection request, to let new connections through ...

How CBAC Works

1. Control traffic is inspected by the CBAC rule.
2. CBAC creates a dynamic ACL entry allowing the return traffic back:
   access-list 102 permit tcp host 172.30.1.50 eq 23 host 10.0.0.3 eq 2447
3. CBAC continues to inspect control traffic and dynamically creates and removes ACL entries as required by the application. It also monitors and ...

How to Add Users to CSACS-NT

To add users to the Cisco Secure ACS, complete the following steps:

Step 1 In the navigation bar, click User Setup. The Select window opens.
Step 2 Enter a name in the User field.
Note: The username can contain up to 32 characters. Names cannot contain the following special characters: * > <. Leading and trailing spaces are not allowed.
Step 3 Click Add/Edit. The Edit window opens. The username being added or edited appears at the top of the window. Click the Account Disabled check box to deny ...

IKE Phase One Policy Parameters

An IKE policy defines a combination of security parameters to be used during the IKE negotiation. A group of policies makes up a protection suite of multiple policies that enable IPSec peers to establish IKE sessions and SAs with a minimum of configuration. IKE negotiations must be protected, so each IKE negotiation begins by each peer agreeing on a common (shared) IKE policy. This policy states which security parameters will be used to protect subsequent IKE negotiations. After the two peers...

IPSec Enables PIX Firewall VPN Features

IPSec provides:
- Data confidentiality
- Data integrity
- Data authentication
- Anti-replay

The PIX 5.1 Firewall uses the industry-standard IP Security (IPSec) protocol suite to enable advanced VPN features. The PIX IPSec implementation is based on the Cisco IOS IPSec that runs in Cisco routers. IPSec provides a mechanism for secure data transmission over IP networks, ensuring confidentiality, integrity, and authenticity of data communications over unprotected networks such as the Internet. IPSec enables the following PIX ...

Java Applet Filtering Commands

filter java port[-port] local_ip mask foreign_ip mask

The filter java command filters out Java applets that return to the PIX Firewall from an outbound connection. Some Java applets can contain malicious code that can manipulate data on the internal network. Use the outbound and apply commands to block Java applets.

Java filtering lets an administrator prevent Java applets from being downloaded by an inside system. Java applets are ...
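The following added example, not from the original guide, puts the URL, ActiveX and Java filtering commands of this chapter together on one PIX so the interaction is visible. The WebSENSE server address 172.16.0.2 on the dmz interface, the exempt subnet and the ports are assumptions.

```cisco
! WebSENSE server on the dmz (assumed address); give up on it after 5 s
url-server (dmz) host 172.16.0.2 timeout 5
! Send every outbound HTTP request (any local, any foreign address) to WebSENSE.
! "allow" makes the PIX fail open: if WebSENSE does not answer, HTTP passes unfiltered.
filter url http 0 0 0 0 allow
! Fail-closed variant: without "allow", outbound HTTP is refused while WebSENSE is down
! filter url http 0 0 0 0
! Subnet that must never be sent to WebSENSE (assumed management network)
filter url except 10.0.0.0 255.255.255.0 0 0
! Strip ActiveX objects and Java applets from HTTP replies on port 80,
! for every inside client and every outside server
filter activex 80 0 0 0 0
filter java 80 0 0 0 0
! What is in force:  show filter  /  show url-server
```

The allow keyword is the fail-open or fail-closed decision; pick it on purpose rather than by copying the example. The java and activex filters only look at the ports you name, so a server on 8080 is not covered until that port is added, and the PIX cannot see inside an encrypted (HTTPS) reply at all.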

Multiple Interface Configurations

This section discusses the configuration of multiple interfaces on the PIX Firewall. The PIX Firewall supports up to four additional perimeter interfaces for platform extensibility and security policy enforcement on publicly accessible services. The multiple perimeter interfaces enable the PIX Firewall to protect publicly accessible Internet, mail, and Domain Name System (DNS) servers on the DMZ. Web-based and traditional electronic data interchange (EDI) applications that link vendors and ...

What Is the Authentication Proxy?

- Provides dynamic, per-user authentication and authorization via TACACS+ and RADIUS protocols
- Valid for all types of application traffic
- Works on any interface type for inbound or outbound traffic

The Cisco IOS Firewall authentication proxy feature allows network administrators to apply specific security policies on a per-user basis. Previously, user identity and related authorized access were associated with a user's IP address, or a single security policy had to be applied to an entire user group or subnet. Now, users can be identified and authorized on the basis of their per-user policy, and access privileges tailored on an individual basis are possible, as opposed to general policy ...

Scale PIX Firewall VPNs

- The use of pre-shared keys for IKE authentication only works when you have a few IPSec peers.
- Certificate Authorities enable scaling to a large number of IPSec peers.
- CA server fulfilling requests from IPSec peers: each IPSec peer individually enrolls with the CA server.

Using a CA server is the most scalable solution. Other IKE authentication methods require manual intervention to generate and distribute the keys on a per-peer basis. The CA server ...

Step 3 Configure the Crypto Map

pixfirewall(config)# crypto map map-name seq-num ipsec-isakmp
pixfirewall(config)# crypto map map-name seq-num match address access-list-name
pixfirewall(config)# crypto map map-name seq-num set peer {hostname | ip-address}
pixfirewall(config)# crypto map map-name seq-num set transform-set transform-set-name1 [transform-set-name2 ... transform-set-name9]
pixfirewall(config)# crypto map map-name seq-num set pfs [group1 | group2]
pixfirewall(config)# crypto map map-name seq-num set security-association lifetime seconds seconds ...

Step 3 Configure the IKE Pre-shared Key

isakmp key keystring address peer-address [netmask mask]
- The pre-shared keystring must be identical at both peers
- Use any combination of alphanumeric characters up to 128 bytes for keystring
- Specify peer-address as a host or wildcard address
- Easy to configure, yet not scalable

Step 3 Configure the IKE pre-shared key.

pixfirewall(config)# isakmp key keystring address peer-address [netmask mask]

The keystring is any combination of alphanumeric characters up to 128 bytes. This pre-shared key must be ...

Student Guide Version 1.01

Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA

The products and specifications, configurations, and other technical information regarding the products in this manual are subject to change without notice. All statements, technical information, and recommendations in this manual are believed to be accurate but are presented without warranty of any kind, express or implied. You must take full responsibility for your application of any products specified in this manual. ...

Supports multimedia with or without NAT

- Additional UDP or TCP high ports may be opened

Multimedia applications may transmit requests on TCP, get responses on UDP or TCP, use dynamic ports, may use the same port for source and destination, and so on. Every application behaves in a different way. Implementing support for all multimedia applications using a single secure method is very difficult. Two examples of multimedia applications are given below. RealAudio sends the originating request ...

System-Defined Port Mapping

PAM creates a table, or database, of system-defined mapping entries using the well-known or registered port mapping information set up during system startup. The system-defined entries comprise all the services supported by CBAC, which requires the system-defined mapping information to function properly.

Note: The system-defined mapping information cannot be deleted or changed; that is, you cannot map HTTP services to port 21 (FTP) or FTP services to port 80 (HTTP). The following lists the ...

Task 1 Configure the Primary PIX Firewall for Failover to the Secondary PIX Firewall

Perform the following lab steps to configure the primary PIX Firewall for failover to the secondary PIX Firewall:

Step 1 Enter the configure terminal command to enter config mode.
Step 2 Configure another interface for stateful failover, for use later in Task 3.
Step 3 Assign the PIX Firewall failover interface a name (MYFAILOVER) and security level (55):
pixfirewall(config)# nameif e3 MYFAILOVER security55
Step 4 Enable the interface for an Intel full duplex:
pixfirewall(config)# interface ...
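The steps above stop before the failover commands themselves, so here is an added example, not from the original guide, of what a complete primary-unit configuration for stateful failover looks like. It assumes the lab addressing of Table 12-1 (outside 192.168.1.2, inside 10.0.1.1, dmz 172.16.1.1), a 100full Ethernet interface e3 for the state link, and standby addresses ending in .3; all of those are assumptions.

```cisco
! Dedicated stateful-failover interface on the primary unit (assumed e3, 100full)
nameif ethernet3 MYFAILOVER security55
interface ethernet3 100full
ip address MYFAILOVER 10.1.1.1 255.255.255.0
! Standby address the secondary unit will use on every interface, state link included
failover ip address outside 192.168.1.3
failover ip address inside 10.0.1.3
failover ip address dmz 172.16.1.3
failover ip address MYFAILOVER 10.1.1.2
! Replicate connection state (xlate and conn tables) across this link
failover link MYFAILOVER
! Arm failover only once the failover cable and the secondary unit are connected
failover
! Confirm roles and link health: show failover
```

Without failover link, a takeover still happens but every existing connection is lost; with it, the secondary already holds the translation and connection tables when it becomes active. Keep the state link on its own segment: it carries connection metadata in clear text.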

Task 1 Prepare to Configure VPN Support

Step 1 Determining the IKE (IKE phase one) policy
Step 2 Determining the IPSec (IKE phase two) policy
Step 3 Ensuring that the network works without encryption
Step 4 Implicitly permitting IPSec packets to bypass PIX Firewall access lists, access groups, and conduits

Configuring IPSec encryption can be complicated. You must plan in advance if you want to configure IPSec encryption correctly the first time and minimize misconfiguration. You should begin this task by defining the overall ...

Task 2 Configure IKE Parameters

The next major task in configuring PIX Firewall IPSec is to configure the IKE parameters gathered in the previous task. This section presents the steps used to configure IKE parameters for IKE pre-shared keys:

Step 1 Enable or disable IKE (ISAKMP) negotiation.
Step 2 Configure an IKE phase one policy.
Step 3 Configure the IKE pre-shared key.
Step 4 Verify IKE phase one details.

Step 1 Enable or disable IKE (ISAKMP) negotiation. This enables or disables IKE on the PIX Firewall interfaces; disable IKE on interfaces not used for IPSec.
pixfirewall(config)# ...

Task 3 Test and Verify CBAC

Router# show access-lists

Step 2 From your workstation command prompt, ping the backbone server:

Pinging 172.30.1.50 with 32 bytes of data:
Reply from 172.30.1.50: bytes=32 time=34ms TTL=125
Reply from 172.30.1.50: bytes=32 time=34ms TTL=125
Reply from 172.30.1.50: bytes=32 time=34ms TTL=125
Reply from 172.30.1.50: bytes=32 time=36ms TTL=125

Step 3 Use your Web browser to connect to the backbone Web server. Enter http://172.30.1.50 in the URL field.
Step 4 Connect to the backbone FTP server using ...

Task 4 Test and Verify Authentication Proxy

Step 1 On your router, use the show access-list command to check your access lists. Fill in the blanks below using the output from this command.
Step 2 On your router, use the show ip inspect command to see CBAC sessions. Fill in the blanks below using the output from this command.
Step 3 Use the show ip auth-proxy configuration command to verify the authorization proxy configuration. Fill in the blanks below using the output from this command.

Router# show ip auth-proxy configuration
...

Task 4 Test and Verify IPSec Configuration

Perform the following steps to test and verify the VPN configuration:

Step 1 Verify the IKE policy you just created. Note the default values.

pixP(config)# show isakmp
isakmp enable outside
isakmp key cisco123 address 192.168.Q.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share

What five policy items are configured in an IKE policy? A: authentication method, encryption algorithm, hash algorithm, D-H group, and ISAKMP SA lifetime. Which IKE policy value did you configure in a previous ...

Three Interface Configuration

pixfirewall(config)# nameif ethernet0 outside sec0
pixfirewall(config)# nameif ethernet1 inside sec100
pixfirewall(config)# nameif ethernet2 dmz sec50
pixfirewall(config)# ip address outside 192.168.0.2 255.255.255.0
pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0
pixfirewall(config)# ip address dmz 172.16.0.1 255.255.255.0
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.10-192.168.0.254 netmask 255.255.255.0
...

User Authorization Profiles

proxyacl#n=permit protocol any {any | host ip_addr | ip_addr wildcard_mask} [eq auth_service]
Defines the allowable protocols, services, and destination addresses. The source address is always any; it is replaced in the router with the IP address of the host making the request. The privilege level must be set to 15 for all users.

Use the proxyacl#n ...
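The pieces of the authentication proxy are spread over the sections AAA Configuration, Authentication Proxy Configuration, Define a RADIUS Server and Its Key, Create User Authorization Profile in CSACS-NT, and this one. The following added example, not from the original guide, shows a complete router side and the matching server-side attributes. The server address 10.0.0.3, the key, the rule name APRULE, the list number 116, the interface and the destination server 172.30.1.50 are all assumptions.

```cisco
! ---- Router (Cisco IOS Firewall) ----
aaa new-model
! AAA server (address and key assumed). For RADIUS use radius-server host/key
! and "group radius" in the two aaa lines below instead.
tacacs-server host 10.0.0.3
tacacs-server key secretkey
! "local" fallback so a dead TACACS+ server cannot lock you out of the router itself
aaa authentication login default group tacacs+ local
aaa authorization auth-proxy default group tacacs+
! The proxy serves its login page from the router's HTTP server, authenticated via AAA
ip http server
ip http authentication aaa
! A cache entry and its per-user ACL entries are removed after 60 idle minutes
ip auth-proxy auth-cache-time 60
! Intercept HTTP on every interface where this rule is applied
ip auth-proxy name APRULE http
!
! Inbound ACL on the user interface: the only static entry is the TACACS+
! reply path; each user's proxyacl entries are inserted above it after login
access-list 116 permit tcp host 10.0.0.3 eq tacacs host 10.0.0.1
access-list 116 deny   ip any any
interface Ethernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip access-group 116 in
 ip auth-proxy APRULE
!
! ---- Cisco Secure ACS: custom attributes of the auth-proxy service (group level) ----
! priv-lvl=15
! proxyacl#1=permit tcp any host 172.30.1.50 eq 80
! proxyacl#2=permit tcp any host 172.30.1.50 eq 21
! proxyacl#3=permit icmp any host 172.30.1.50
! "any" is rewritten by the router to the address of the host that logged in.
! Verify on the router: show ip auth-proxy cache / show access-lists 116
```

Two things to check after a login: show ip auth-proxy cache should list the host with its remaining idle time, and show access-lists 116 should now begin with the proxyacl entries carrying that host's address as source. If the entries never appear, the usual causes are a missing priv-lvl=15 or a proxyacl source other than any.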

What the User Sees

[Figure: login prompts. Username: smith john, Password: 2bon2b v1v10k4; "Enter username for CCG at www.cisco.com".]

You can authenticate with the PIX Firewall in one of three ways:

Telnet: You get a prompt generated by the PIX Firewall. You have up to four chances to log in. If the username or password fail after the fourth attempt, the PIX Firewall drops the connection. If authentication and authorization are successful, you are prompted for a user name and password by the ...

NAT Example

[Figure: NAT example packet headers: Destination Addr 200.200.200.10, Source Port 49090.]

When an outbound IP packet that is sent from a device on the inside network reaches the PIX Firewall, the source address is extracted and compared to an internal table of existing translations. If the device's address is not already in the table, it is translated and a new entry is created for that device, and it is assigned a global IP address from a pool of global IP addresses. The table is then updated and the ...

Configuring H.323 Fixup

pixfirewall(config)# fixup protocol h323 1720
pixfirewall(config)# fixup protocol h323 7720-7740
pixfirewall(config)# no fixup protocol h323

- Defines ports for H.323 connections (default 1720)
- Performs NAT in H.323 messages as required
- Dynamically opens TCP and UDP connections as required
- If disabled, H.323 applications are disallowed

By default, the PIX Firewall inspects port 1720 connections for H.323 traffic. If you have H.323 servers using ports other than port 1720, you must use the fixup ...

Specify AAA Servers

aaa-server group_tag protocol auth_protocol
Assigns the TACACS+ or RADIUS protocol to a group tag.

aaa-server group_tag (if_name) host server_ip key timeout seconds
Identifies the AAA server for a given group tag.

pixfirewall(config)# aaa-server MYTACACS protocol tacacs+
pixfirewall(config)# aaa-server MYTACACS (inside) host 10.0.0.2 secretkey timeout 10

Use the aaa-server command to specify AAA server groups. The PIX Firewall lets you define separate groups of TACACS+ or RADIUS ...
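The server group above is only useful once something refers to it. The following added example, not from the original guide, joins this section with Authentication of Console Access, Cut-Through Proxy Operation, Enable Accounting and Configuration of Virtual Telnet Authentication into one PIX AAA configuration. The second server 10.0.0.4, the virtual Telnet address 192.168.0.3 and the 30-minute uauth timeout are assumptions.

```cisco
! Server group: TACACS+, reached through the inside interface (addresses/key assumed)
aaa-server MYTACACS protocol tacacs+
aaa-server MYTACACS (inside) host 10.0.0.2 secretkey timeout 10
! Second server in the group, tried when the first does not answer within 10 s
aaa-server MYTACACS (inside) host 10.0.0.4 secretkey timeout 10
! Console access: serial, Telnet and enable all authenticated against the group
aaa authentication serial console MYTACACS
aaa authentication telnet console MYTACACS
aaa authentication enable console MYTACACS
! Cut-through proxy for everything the inside starts ("any" = all TCP);
! the PIX prompts on FTP, HTTP and Telnet and passes the credentials to the server
aaa authentication include any outbound 0 0 0 0 MYTACACS
! Per-service authorization (TACACS+ only) and accounting records to the same group
aaa authorization include any outbound 0 0 0 0 MYTACACS
aaa accounting include any outbound 0 0 0 0 MYTACACS
! Users of protocols the PIX cannot prompt on authenticate first by Telnetting
! to this unused global address, which must be routed to the PIX (assumed)
virtual telnet 192.168.0.3
! Cached credentials expire 30 minutes after first use, active or not
timeout uauth 0:30:00 absolute
! Verify: show aaa-server / show aaa / show uauth
```

Note the ordering trap: once aaa authentication enable console is in place, the enable password is no longer enough, so test the server path from a second session before closing the one you configured it from. show uauth lists who is currently cut through and for how much longer; a user who is not there has to authenticate again.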

Determine IKE Phase One Policy

An IKE policy defines a combination of security parameters to be used during the IKE negotiation. A group of policies makes up a protection suite of multiple policies that enable IPSec peers to establish IKE sessions and SAs with a minimum of configuration. You should determine IKE policy details for each IPSec peer before configuring IKE. The figure shows a summary of some IKE policy details that will be configured in the examples in this chapter. Select IPSec algorithms and parameters for...

Lab Visual Objective

Task 1 Install Cisco Secure ACS for Windows NT Server

Perform the following steps to install Cisco Secure ACS on your Windows NT server:

Step 1 Install Cisco Secure ACS on your Windows NT server from the CD-ROM or from the files on your hard drive, as indicated by the instructor. When installing from the CD-ROM, complete the following:
- Windows NT will automatically start the autorun.exe program, and you are prompted to install Cisco Secure ACS.
- Click Install to start the installation ...

SYN Flood Guard Configuration

static [(internal_if_name, external_if_name)] global_ip local_ip [netmask network_mask] [max_conns [em_limit]]
- Use em_limit to limit the number of embryonic connections
- Set the limit to a number lower than the server can handle

nat (if_name) nat_id local_ip [netmask [max_conns [em_limit]]]
- Use em_limit to limit the number of embryonic connections
- Set the limit to a number lower than the server can handle

pixfirewall(config)# nat (inside) 10 0 0 10000
pixfirewall(config)# ...

TCP, UDP, and DNS Idle Times

ip inspect tcp idle-time: specifies the time allowed for a TCP session with no activity.
ip inspect udp idle-time: specifies the time allowed for a UDP session with no activity.
ip inspect dns-timeout: specifies the time allowed for a DNS session with no activity.

To specify the TCP idle timeout (the length of time a TCP session will still be managed after no activity), use the ip inspect tcp idle-time global configuration command. Use the no form of this command to reset the timeout to the default. To specify the UDP idle timeout (the length of time a UDP session will still be managed after no activity), use the ip inspect udp ...
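The commands from Global Half-Open Connection Limits, Global Timeouts and Thresholds, Half-Open Connection Limits by Host and this section only make sense as a set, because the watermarks and timers interact. The following added example, not from the original guide, is one tuned set for a router in front of a small server farm; the numbers are assumptions chosen to be tighter than the shipped defaults, not recommendations for every site.

```cisco
! Global half-open watermarks: start deleting half-open sessions at 400
! (aggressive mode), stop again when the count has fallen to 300
ip inspect max-incomplete high 400
ip inspect max-incomplete low 300
! The same two watermarks applied to the arrival rate, new half-open sessions per minute
ip inspect one-minute high 400
ip inspect one-minute low 300
! Per-destination limit: more than 25 half-open TCP sessions to one host blocks
! all new connections to that host for 2 minutes (block-time 0 would only
! delete the oldest half-open session for each new request)
ip inspect tcp max-incomplete host 25 block-time 2
! A session that has not completed its handshake in 20 s is dropped;
! a FIN exchange gets 5 s to finish
ip inspect tcp synwait-time 20
ip inspect tcp finwait-time 5
! Idle limits: established TCP 30 min, UDP 30 s, DNS lookups 5 s
ip inspect tcp idle-time 1800
ip inspect udp idle-time 30
ip inspect dns-timeout 5
! Read back: show ip inspect config ; watch it act: show ip inspect sessions
```

Keep the low watermark a comfortable distance under the high one: if they are equal or nearly so, the router flips in and out of aggressive mode on every burst. The per-host limit is the one that matters for a SYN flood aimed at a single server, since the global counters may never reach their watermarks while that one host is already unreachable.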

RealNetworks RDT Mode

- UDP resend (simplex UDP)

Outbound connections:
- If outbound traffic is allowed, open an inbound port for UDP data.
- If outbound traffic is not allowed, open an inbound port for UDP data and an outbound port for UDP resend.

Inbound connections:
- If outbound traffic is allowed, open an inbound port for UDP resend.
- If outbound traffic is not allowed, open an outbound port for UDP data and an inbound port for UDP resend.

RTSP Transport header example: transport=x-real-rdt/udp;client_port=3057;server_port=5000

In RealNetworks' RDT mode, the following three ...

Lab Exercise Configure WebSENSE

Complete the following lab exercise to practice what you learned in this chapter. In this lab exercise you will complete the following tasks:
- Filter malicious active code.
- Configure the PIX Firewall to work with WebSENSE.
- Install WebSENSE on a Windows NT Server.
- Configure WebSENSE to block a web site.

[Figure: lab topology with a Web, FTP, and TFTP server and a Web, WebSENSE, and FTP server ...]

Example Three Interface Firewall

Security policy for the three-interface example:
- Allow all general TCP and UDP traffic initiated on the inside
- Allow all ICMP traffic
- Allow all ICMP and HTTP traffic only to 172.16.0.2

As an example, configure the router to be a firewall between three networks: inside, outside, and DMZ. The security policy to implement is as follows: allow all general TCP and UDP traffic initiated on the inside (outbound) from network 10.0.0.0 to access the Internet and the ...

Define Inspection Rules

This section discusses how to configure the rules used to define the application protocols for inspection.

Inspection Rules for Application Protocols

ip inspect name inspection-name protocol [alert {on | off}] [audit-trail {on | off}] [timeout seconds]
Defines the application protocols to inspect; the named rule is then applied to an interface.
- Available protocols: tcp, udp, cuseeme, ftp, http, h323, netshow, rcmd, realaudio, rpc, smtp, sqlnet, streamworks, tftp, and vdolive.
- alert, audit-trail, and timeout are ...

Fragmentation Guard

Protects hosts against fragmentation attacks. Default: disabled.
- Each non-initial IP fragment is required to be associated with an already-seen valid initial IP fragment.
- IP fragments are rate limited to 100 full IP fragmented packets per second to each internal host.

pixfirewall(config)# sysopt security fragguard
pixfirewall(config)# no sysopt security fragguard

Use the sysopt security fragguard command to enable the Fragmentation Guard feature. ...

PIX Firewall Primary Commands

The basic PIX Firewall configuration commands are as follows:
- nameif: Assigns a name to each interface and specifies a security level for each interface.
- interface: Configures the type and capability of each perimeter interface.
- ip address: Assigns an IP address to each interface.
- route: Defines a static or default route for an interface.

Note: Inside and outside interface names can be changed, but this is not recommended. These terms are used ...

SQL*Net Fixup Configuration

pixfirewall(config)# fixup protocol sqlnet 66
pixfirewall(config)# fixup protocol sqlnet 6666-6686
pixfirewall(config)# no fixup protocol sqlnet

- Defines ports for SQL*Net connections (default 1521)
- Performs NAT in the packet payload
- Dynamically opens the TCP port for the redirected client connection
- Port 1521 is the default port used by Oracle; IANA-compliant applications use port 66
- Outbound SQL*Net is allowed if not explicitly disallowed
- Inbound SQL*Net is disallowed
...

Certificate Authorities (CA)

The PIX Firewall supports the following IPSec and related standards:
- IPSec (IP Security Protocol)
- Internet Key Exchange (IKE)
- Data Encryption Standard (DES)
- Secure Hash Algorithm-1 (SHA-1)
- Rivest-Shamir-Adleman signatures (RSA)
- Certificate Authorities (CA)

IPSec is a framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers at the IP layer. IPSec can be used to ...

ASA Security Levels

The ASA security levels designate whether an interface is inside (trusted) or outside (untrusted) relative to another interface. An interface is considered inside in relation to another interface if its security level is higher than that of the other interface, and is considered outside in relation to another interface if its security level is lower than that of the other interface. The primary rule for security levels is that an interface with a higher security level can access an interface...

Four Interface Configuration

pixfirewall(config)# nameif ethernet0 outside sec0
pixfirewall(config)# nameif ethernet1 inside sec100
pixfirewall(config)# nameif ethernet2 dmz sec50
pixfirewall(config)# nameif ethernet3 partnernet sec20
pixfirewall(config)# ip address outside 192.168.0.2
pixfirewall(config)# ip address inside 10.0.0.1
pixfirewall(config)# ip address dmz 172.16.0.1 255.255.255.0
pixfirewall(config)# ip address partnernet 172.26.26.1
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# global ...

Step 1 Configure Interesting Traffic

access-list access-list-name {deny | permit} ip source source-netmask destination destination-netmask
The access list selects IP traffic by address, network, or subnet.

Step 1 Configure interesting traffic with crypto access lists:
pixfirewall(config)# access-list access-list-name {deny | permit} protocol source source-netmask destination destination-netmask
permit causes all IP traffic that matches the specified conditions to be protected by crypto, ...
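The IPSec material on this page (Task 1 Prepare to Configure VPN Support, Task 2 Configure IKE Parameters, Step 3 Configure the IKE Pre-shared Key, Step 3 Configure the Crypto Map, Example Crypto Map for PIX1, Task 4 Test and Verify IPSec Configuration and this step) is one procedure, so here it is end to end for PIX1 as an added example, not from the original guide. The protected hosts 192.168.1.10 and 192.168.2.10 (the translated addresses of the inside hosts), the peer 192.168.2.2, the key and the names are assumptions; PIX2 mirrors it with the addresses swapped.

```cisco
! Step 1: interesting traffic, written with the hosts' global (translated) addresses
access-list 101 permit ip host 192.168.1.10 host 192.168.2.10
! Task 1 step 4: let IPSec-protected packets bypass access lists and conduits
sysopt connection permit-ipsec
! Task 2: IKE phase one with a pre-shared key (peer address and key assumed)
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp key cisco123 address 192.168.2.2 netmask 255.255.255.255
! Task 3 step 2: IPSec phase two transform set
crypto ipsec transform-set pix2 esp-des esp-sha-hmac
! Task 3 step 3: the crypto map that ties traffic, peer and transforms together
crypto map peer2 10 ipsec-isakmp
crypto map peer2 10 match address 101
crypto map peer2 10 set peer 192.168.2.2
crypto map peer2 10 set transform-set pix2
crypto map peer2 10 set pfs group1
! Re-key after 8 hours or after the default 4608000 KB, whichever comes first
crypto map peer2 10 set security-association lifetime seconds 28800
crypto map peer2 interface outside
! Task 4: show isakmp policy / show crypto map / show crypto ipsec sa
```

Phase one only succeeds if the policy 10 parameters and the pre-shared key match on both peers, and phase two only if the transform set and the mirror image of access-list 101 match; show crypto ipsec sa with rising encaps and decaps counters is the sign that both have completed. DES, MD5/SHA-1 and Diffie-Hellman group 1 are what PIX 5.1 offers; they belong to this page's era and should not be chosen for a new deployment.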

Inspection Rules and ACLs Applied to Router Interfaces

This section discusses the application of inspection rules and ACLs to router interfaces.

Apply an Inspection Rule to an Interface

ip inspect inspection-name {in | out}
Applies the named inspection rule to an interface.

Router(config-if)# ip inspect FWRULE in
Applies inspection rule FWRULE to interface e0/0 in the inward direction.

To apply a set of inspection rules to an interface, use the ip inspect interface configuration command. Use the no form of this command to ...
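The sections Example Two Interface Firewall, How CBAC Works, Define Inspection Rules, System-Defined Port Mapping and this one each show one piece of a CBAC policy. The following added example, not from the original guide, is the whole two-interface policy from those sections: inside 10.0.0.0/24, a web server at 10.0.0.3, outbound TCP/UDP inspected, ICMP and HTTP to the server allowed in. The interface names, the outside address 172.30.1.2, the rule name FWRULE and the 8080 port mapping are assumptions.

```cisco
! Inspection rule: generic TCP/UDP plus application-aware FTP, HTTP and SMTP
ip inspect name FWRULE tcp timeout 3600
ip inspect name FWRULE udp timeout 15
ip inspect name FWRULE ftp audit-trail on
ip inspect name FWRULE http
ip inspect name FWRULE smtp
! PAM, user-defined entry: the web server also answers HTTP on 8080, but only that host
access-list 10 permit 10.0.0.3
ip port-map http port 8080 list 10
!
! Inside-facing ACL (inbound on the inside interface): what the inside may start
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
access-list 101 deny   ip any any
! Outside-facing ACL (inbound on the outside interface): only what the policy
! allows in. CBAC adds the return-traffic entries above these as sessions open;
! ICMP is not inspected by this CBAC version, so it needs a static entry.
access-list 102 permit icmp any 10.0.0.0 0.0.0.255
access-list 102 permit tcp any host 10.0.0.3 eq www
access-list 102 permit tcp any host 10.0.0.3 eq 8080
access-list 102 deny   ip any any
!
interface Ethernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip access-group 101 in
 ip inspect FWRULE in
interface Ethernet0/1
 ip address 172.30.1.2 255.255.255.0
 ip access-group 102 in
! Verify: show ip inspect sessions ; show access-lists (look for the temporary entries)
```

The inspection rule sits on the inside interface in the inbound direction, so it sees the inside host's first packet and opens the hole in access-list 102 for the reply. The three-interface variant of the page adds a DMZ interface with its own inbound ACL and moves the web server entries to the DMZ address. Without the list 10 restriction, ip port-map http port 8080 would declare every host's 8080 to be HTTP; with it, CBAC applies HTTP inspection on 8080 only for 10.0.0.3.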

Group: Default Group (1 user)

Step 9 Click Edit Settings to go to the Group Settings for your group.
Step 10 Scroll down the Group Settings until you find IOS Commands. Select the IOS Commands checkbox.
Step 11 Check the Command checkbox under IOS Commands.
Step 12 Enter ftp in the Command field.
Step 13 Enter permit 172.30.1.50 in the Arguments field.
Step 14 Click Submit to save the changes. Wait for the interface to return to the Group Setup main window.
Step 15 Click Edit Settings to go to the Group Settings for your ...

Conduit Command

conduit {permit | deny} protocol global_ip global_mask [operator port [port]] foreign_ip foreign_mask [operator port [port]]
Maps specific IP addresses and TCP or UDP connections from the outside host to the inside host.

pixfirewall(config)# conduit permit tcp host 192.168.1.10 eq ftp any

The conduit command permits or denies connections from outside the PIX Firewall to access TCP or UDP services on hosts inside the network. The conduit statement creates an exception to the PIX Firewall ASA by permitting ...
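The conduit is only half of what a lower-security interface needs to reach a higher one, and the same static that completes it is where the SYN Flood Guard limits go. The following added example, not from the original guide, combines this section with ASA Security Levels, Three Interface Configuration, SYN Flood Guard Configuration and Fragmentation Guard for a DMZ web server. The server address 172.16.0.2, its global address 192.168.0.11, the connection limits and the global pools are assumptions.

```cisco
! Interfaces and ASA security levels (the guide's three-interface PIX)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 192.168.0.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 172.16.0.1 255.255.255.0
! Higher -> lower security (inside to dmz or outside): a translation is enough
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 192.168.0.10-192.168.0.254 netmask 255.255.255.0
global (dmz) 1 172.16.0.10-172.16.0.254 netmask 255.255.255.0
! Lower -> higher (outside to the dmz web server) needs a static translation
! AND a conduit. The static's last two numbers are the SYN Flood Guard settings:
! at most 500 connections, of which at most 100 may still be embryonic.
static (dmz,outside) 192.168.0.11 172.16.0.2 netmask 255.255.255.255 500 100
conduit permit tcp host 192.168.0.11 eq www any
! Fragmentation Guard: drop non-initial fragments whose initial fragment was never
! seen, and rate-limit fragments to each internal host
sysopt security fragguard
! Verify: show static / show conduit / show xlate / show conn
```

Set the embryonic limit below what the server itself can hold half-open, otherwise the PIX never steps in before the server's own backlog is full. A conduit applies to every interface, not just outside; if an access-group is later bound to an interface, the access list governs that interface and its conduits are no longer consulted there, so do not mix the two forms on one interface without checking show conduit and show access-list together.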