[Screenshot: Cisco Secure ACS Group Setup page. Callouts: "Click Submit + Restart when finished"; "... specified protocol has been selected under Network Configuration. For example, RADIUS settings appear ..."]

Complete the following steps to add authorization rules for services to specific hosts in Cisco Secure ACS:

Step 1 In the navigation bar, click Group Setup. The Group Setup window opens.
Step 2 Scroll down in Group Setup until you find IOS Commands.
Step 4 Under Unmatched Cisco IOS commands, ...

AAA Configuration

This section discusses how to configure the Cisco IOS Firewall to work with an AAA server and enable the authentication proxy feature.

aaa new-model: Enables the AAA functionality on the router (default: disabled).

Use the aaa new-model global configuration command to enable the AAA access control system. Use the no form of this command to disable the AAA access control model.

Note: After you have enabled AAA, TACACS and extended TACACS commands are no longer available. If you initialize AAA functionality and...

AAA Server Configuration

This section discusses how to configure the AAA server to provide authentication and authorization for the Cisco IOS Firewall authorization proxy.

Create auth-proxy Service in CSACS-NT

[Screenshot: CiscoSecure ACS for Windows NT (Netscape), Interface Configuration > Advanced TACACS+ Features. Option shown: "Display a Time-of-Day access service where you can override ... every TACACS+ ... default Time-of-Day ..."]

Access Control List

An access control list (ACL) enables you to determine which systems can establish connections through your router or PIX Firewall.

- Create an ACL with the access-list and access-group commands.
- The access-list and access-group commands are an alternative for the conduit and outbound commands.

2000, Cisco Systems, Inc. www.cisco.com CSPFA 1.01 3-4

An ACL is a list kept by routers and the PIX Firewall to control access to and from the router or firewall (for example, to prevent packets with a...

Access Control List Example

pixfirewall(config)# access-list 101 deny tcp any any eq www
pixfirewall(config)# access-group 101 in interface inside

- Packet filtering rules (access control lists) restrict outbound access
- Filters on source or destination IP address, protocol, and port or application

In the figure above, the PIX Firewall denies HTTP connections from an internal network, but lets all other traffic through.

Access-list Command

access-list acl_name [deny | permit] protocol src_addr src_mask [operator port] dest_addr ...

Allows you to create an access control list. Access control lists associated with IPSec are known as crypto access control lists.

access-group acl_name in interface interface_name

Binds an access control list to an interface.

The access-list command uses the same syntax as the Cisco IOS software access-list command, except that the subnet mask in the PIX Firewall access-list command is reversed from the Cisco IOS...

ActiveX Blocking

ActiveX controls are applets that can be inserted in Web pages or other applications. ActiveX controls can provide a way for someone to attack servers. The PIX Firewall can be used to block ActiveX controls. ActiveX controls, formerly known as Object Linking and Embedding (OLE) or Object Linking and Embedding control (OCX), are applets that can be inserted in web pages often used in animations or in other applications. ActiveX controls create a potential security problem because they can...

Apply ACL on the inward direction that denies all traffic except traffic such as ICMP not inspected by CBAC

For the Cisco IOS Firewall to be effective, both inspection rules and ACLs must be strategically applied to all the router's interfaces. The following is the general rule of thumb for applying inspection rules and ACLs on the router.

On the interface where traffic initiates:
- Apply the ACL on the inward direction that only permits wanted traffic.
- Apply the rule on the inward direction that inspects wanted traffic.
- Apply the ACL on the...

Authentication Authorization and Accounting

- Authentication: can exist without authorization

Authentication, Authorization, and Accounting (AAA) is used to tell the PIX Firewall who the user is, what the user can do, and what the user did. Authentication is valid without authorization. Authorization is never valid without authentication. Suppose you have 100 users inside and you want only six of these users to perform FTP, Telnet, or HTTP outside the network. Tell the PIX Firewall to authenticate outbound traffic and give all six users identifications on...

Authentication of Console Access

aaa authentication [serial | enable | telnet] console group_tag

Defines a console access method that requires authentication.

Use the aaa authentication console command to require authentication verification to access the PIX Firewall's serial, enable, or Telnet consoles. The serial console option also logs to a Syslog server any change made to the configuration from the serial console. ...

Authentication Proxy

Network administrators can create specific security policies for each user with Cisco IOS Firewall LAN-based, dynamic, per-user authentication and authorization. Previously, user identity and related authorized access were determined by a user's fixed IP address, or a single security policy had to be applied to an entire user group or subnet. Now, per-user policy can be downloaded dynamically to the router from a TACACS+ or RADIUS authentication server using Cisco IOS software authentication,...

Authentication Proxy Configuration

[Figure callouts:]
- Inward traffic from the inside except from the AAA server (ACL).
- Add an ACL to block inward traffic from the outside.
- Outbound: enable the authentication proxy to intercept inward HTTP traffic from the inside.
- Inbound: enable the authentication proxy to intercept inward HTTP traffic from the outside.

Apply the authentication proxy in the inward direction at any interface on the router where you want...

Authorization Rules Allowing Specific Services

[Screenshot: Cisco Secure ACS Group Setup page. Unmatched Cisco IOS commands: Permit / Deny (Deny selected). Callouts: "... specified protocol has been selected under Network Configuration. For example, RADIUS settings appear ..."; "Click Submit + Restart when finished".]

Complete the following steps to add authorization rules for specific services in Cisco Secure ACS:

Step 1 In the...

Configuration of Virtual HTTP Authentication

- For inbound clients, this must be an unused global address.
- For outbound clients, this must be an address routed directly to the PIX Firewall.

pixfirewall(config)# virtual http 192.168.0.3

The syntax for the virtual http command is as follows:

virtual http ip_address [warn]
no virtual http ip_address

ip_address: PIX Firewall's network interface IP address.
warn: Informs virtual http command users that the command was redirected. This...

Configuration of Virtual Telnet Authentication

- For inbound clients, this must be an unused global address.
- For outbound clients, this must be an unused global address routed directly to the PIX Firewall.

pixfirewall(config)# virtual telnet 192.168.0.3

When using virtual Telnet to authenticate inbound clients, the IP address must be an unused global address. When using virtual Telnet to authenticate outbound clients, this must be an unused global address routed directly to the PIX Firewall. The syntax for the virtual telnet command is as...

Configure the PIX Firewall to Work with WebSENSE

filter url http local_ip local_mask foreign_ip foreign_mask [allow]

Prevents outbound users from accessing World Wide Web URLs that are designated with the WebSENSE filtering application.

pixfirewall(config)# filter url http 0 0 0 0 allow

Use the filter url command to tell the PIX Firewall how to filter requests. After designating which server uses WebSENSE, use the filter url command to tell the PIX Firewall to send URL requests to WebSENSE for filtering. The example command in the figure above...

Context-Based Access Control

* Packets are inspected entering the firewall by CBAC if not specifically denied by an ACL
* CBAC permits or denies specified TCP and UDP traffic through a firewall
* A state table is maintained with session information
* ACLs are dynamically created or deleted
* CBAC protects against DoS attacks

CBAC intelligently filters TCP and UDP packets based on application-layer protocol session information. It can inspect traffic for sessions that originate on any interface of the router. CBAC inspects...

Course Agenda

Chapter 2 Cisco Secure PIX Firewall Configuration
Chapter 3 Access Control Configuration and Content Filtering
Chapter 4 AAA Configuration on the Cisco Secure PIX Firewall
Chapter 5 Cisco Secure PIX Firewall Advanced Protocol Handling and Attack Guards
Chapter 6 Cisco Secure PIX Firewall Failover
Lunch
Chapter 7 Cisco Internetwork Operating System Firewall Context-Based Access Control Configuration
Chapter 8 Cisco IOS Firewall Authentication Proxy Configuration
...

Course Objectives

Upon completion of this course, you will be able to perform the following tasks:

- Configure the Cisco Secure PIX Firewall.
- Identify and configure AAA on the Cisco Secure PIX Firewall.
- Identify and configure access control and content filtering through the Cisco Secure PIX Firewall.
- Configure the Cisco Secure PIX Firewall for advanced protocol handling and attack guards.

Create User Authorization Profile in CSACS-NT

[Screenshot: CiscoSecure ACS for Windows NT (Netscape). Callouts: "Enter ACLs to apply after user authenticates"; "Enter the privilege level of the user (must be 15 for all users)".]

Step 6 In the navigation bar, click Group Setup. The Group Setup frame opens.
Step 7 Scroll down in the Group Setup frame until you find the newly created auth-proxy service.
Step 8 Select...

Custom URLs

When using the Master Database (the list of URLs that should be blocked, as determined and updated daily by the WebSENSE corporate office), you may need to permit one of the blocked URLs. If you need to permit URLs that are normally blocked by the parameters of the Master Database, you can add the URLs to a special permit list. URLs in this list will never be blocked by WebSENSE. When accessing a URL that has been added to the permit list, WebSENSE logs the access as normal. To add a URL to the...

Cut-Through Proxy Operation

1. The user makes a request to access the web server.
2. The user is prompted by the PIX Firewall.
3. The PIX Firewall queries CSACS for the remote username and password. If CSACS authenticates, the user is cut through the PIX Firewall, and the local username and password are passed to the web server to authenticate.

Debug Commands

The syntax of the debug ip auth-proxy command is as follows:

debug ip auth-proxy {ftp | function-trace | http | object-creation | object-deletion | tcp | telnet | timer}

ftp: Displays FTP events related to the authentication proxy.
function-trace: Displays the authentication proxy functions.
http: Displays HTTP events related to the authentication proxy.
object-creation: Displays additional entries to the...

Define a RADIUS Server and Its

Specifies the RADIUS server IP address.

Router(config)# radius-server host 10.0.0.3
Router(config)# radius-server key secretkey

To specify the IP address of a RADIUS server, use the radius-server host global configuration command. Use the no form of this command to delete the specified IP address. You can use multiple radius-server host commands to specify additional servers. The Cisco IOS Firewall software searches for servers in the order in which you specify them. The syntax of the...

Define a TACACS+ Server and Its

Specifies the TACACS+ server IP address.

Router(config)# tacacs-server host 10.0.0.3
Router(config)# tacacs-server key secretkey

To specify the IP address of a TACACS+ server, use the tacacs-server host global configuration command. Use the no form of this command to delete the specified IP address. You can use multiple tacacs-server host commands to specify additional servers. The Cisco IOS Firewall software searches for servers in the order in which you specify them. The syntax of the...

Designate the WebSENSE Server

url-server [(if_name)] host ip_address [timeout seconds]

The url-server command designates a server that runs WebSENSE.

pixfirewall(config)# url-server (inside) host 10.0.0.3 timeout 10

In this example, the WebSENSE host is on the inside interface at IP address 10.0.0.3. A time value of 10 seconds is specified as the maximum allowed idle time before the PIX Firewall switches to the next WebSENSE server. Before you can begin URL filtering by configuring WebSENSE or downloading the Master Database for...

Determine IPSec IKE Phase Two Policy

Determining network design details includes defining a more detailed security policy for protecting traffic. You can then use the detailed policy to help select IPSec transform sets and modes of operation. Your security policy should answer the following questions:

- What protections are required or are acceptable for the protected traffic?
- What traffic should or should not be protected?
- Which PIX interfaces are involved in protecting internal nets, external nets, or both?
- What are the peer IPSec...

Enable Accounting

aaa accounting include | exclude acctg_service inbound | outbound if_name local_ip local_mask foreign_ip foreign_mask group_tag

Defines traffic that requires AAA server accounting.

acctg_service: any, ftp, http, or telnet
- any: All TCP traffic

The syntax for the aaa accounting command is as follows:

aaa accounting include | exclude acctg_service inbound | outbound if_name local_ip local_mask foreign_ip foreign_mask group_tag
no aaa accounting include | exclude authen_service inbound | outbound if_name group_tag...

Example Configurations

The following tables show an example configuration for PIX1 and PIX2. You may experience differences between the example configuration and your own configuration. The example in the following table is a summary of the configuration for PIX1.

Table 12-1. PIX1 Example Configuration

ip address outside 192.168.1.2 255.255.255.0
ip address inside 10.0.1.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.0.0

Configures the IP addresses for each PIX Firewall...

Example Crypto Access Lists

[Figure: PIX1 e0 192.168.1.2; PIX2 e0 192.168.2.2; host 10.0.2.3]

PIX1:
static (inside,outside) 192.168.1.10 10.0.1.3 netmask 255.255.255.255 0 0
access-list 110 permit ip host 192.168.1.10 host 192.168.2.10

PIX2:
static (inside,outside) 192.168.2.10 10.0.2.3 netmask 255.255.255.255 0 0
access-list 101 permit ip host 192.168.2.10 host 192.168.1.10...

Example Crypto Map for PIX1

Crypto Map peer2 10 ipsec-isakmp
access-list 101 permit ip host 192.168...
Security association lifetime: 4608000

Use the show crypto map command to verify the crypto map configuration. Consider the example of a crypto map for PIX1 in the figure.

Example Two Interface Firewall

- Allow all general TCP and UDP traffic
- Allow all ICMP traffic
- Allow all ICMP and HTTP traffic only to 10.0.0.3

As an example, configure the router to be a firewall between two networks, inside and outside. The security policy to implement is as follows: allow all general TCP and UDP traffic initiated on the inside (outbound) from network 10.0.0.0 to access the Internet. ICMP traffic will...

Failover and Stateful Failover

- Client applications must reconnect
- No client applications need to reconnect
- Provides redundancy and stateful connection

As stated earlier in the chapter, failover enables the standby PIX Firewall to take over the duties of the active PIX Firewall when the active PIX Firewall fails. There are two types of failover:

Failover: When the active PIX Firewall fails and the standby PIX Firewall becomes active, all connections are lost and...

Failover Commands

The failover command enables failover between the active and standby PIX Firewalls.

failover ip address if_name ip_address

The failover ip address command creates an IP address for the standby PIX Firewall.

pixfirewall failover ip address inside 10.0.P.4

The failover link command enables stateful failover.

Use the failover command to enable failover between two PIX Firewalls. The syntax for the failover command is as follows: Use the failover ip address command to configure the failover IP...

FTP Fixup Configuration

Default: 21
- Performs NAT in packet payload
- Dynamically creates conduits for FTP-DATA connections
- Logs FTP commands (when syslog is enabled)
- Outbound standard FTP will not work
- Outbound passive FTP will work if not explicitly disallowed
- Inbound standard FTP will work if conduit exists
- Inbound passive FTP will not work

pixfirewall(config)# fixup protocol ftp 2021
pixfirewall(config)# fixup protocol ftp 2121-2141
pixfirewall(config)# no fixup protocol...

Global Half-Open Connection Limits

ip inspect max-incomplete high number
* Defines the number of existing half-open sessions that cause the software to start deleting half-open sessions (aggressive mode)

ip inspect max-incomplete low number
* Defines the number of existing half-open sessions that cause the software to stop deleting half-open sessions (normal mode)

An unusually high number of half-open sessions (either absolute or measured as the arrival rate) could indicate that a DoS attack is occurring. For TCP, half-open...

Global Timeouts and Thresholds

This section discusses how to configure the following global timeouts and thresholds:

- TCP, SYN, and FIN wait times
- TCP, UDP, and Domain Name System (DNS) idle times

Specifies the time CSIS waits for a TCP session to reach the established state.
Specifies the time CSIS waits for a FIN exchange to complete before quitting the session.

CBAC uses timeouts and thresholds to determine how long to manage state information for a session, and to determine when...

Half-Open Connection Limits by Host

ip inspect tcp max-incomplete host number block-time seconds

Defines the number of half-open TCP sessions with the same host destination address that can exist at a time before CSIS starts deleting half-open sessions to the host.

After the number of half-open connections is exceeded to a given host, the software deletes half-open sessions on that host in the following fashion:
- If block-time is 0, the oldest half-open session is deleted, per new connection request, to let new connections through...

How CBAC Works

- Control traffic is inspected by the CBAC rule.
- CBAC creates a dynamic ACL allowing return traffic back:
access-list 102 permit TCP host 172.30.1.50 eq 23 host 10.0.0.3 eq 2447
- CBAC continues to inspect control traffic and dynamically creates and removes ACLs as required by the application. It also monitors and...

How to Add Users to CSACS-NT

To add users to the Cisco Secure ACS, complete the following steps:

Step 1 In the navigation bar, click User Setup. The Select window opens.
Step 2 Enter a name in the User field.

Note: The username can contain up to 32 characters. Names cannot contain the following special characters: * > <. Leading and trailing spaces are not allowed.

Step 3 Click Add/Edit. The Edit window opens. The username being added or edited appears at the top of the window. Click the Account Disabled check box to deny...

IKE Phase One Policy Parameters

An IKE policy defines a combination of security parameters to be used during the IKE negotiation. A group of policies makes up a protection suite of multiple policies that enable IPSec peers to establish IKE sessions and SAs with a minimum of configuration. IKE negotiations must be protected, so each IKE negotiation begins by each peer agreeing on a common (shared) IKE policy. This policy states which security parameters will be used to protect subsequent IKE negotiations. After the two peers...

Installation Wizard

Note: Close all Windows programs before you run Setup.

To start installation of Cisco Secure ACS for Windows NT, complete the following steps:

Step 1 Log in as the local system administrator to the machine on which you are installing Cisco Secure ACS.
Step 2 Insert the Cisco Secure ACS CD-ROM into your CD-ROM drive. The Installation window opens.
Step 3 Click Install. The Software License Agreement window opens.
Step 4 Read the Software License Agreement. Click Accept to agree to the licensing...

IP Address for Failover on PIX Firewalls

[Figure: primary PIX Firewall (active, then standby) uses system IP, then failover IP; secondary PIX Firewall (standby, then active) uses failover IP, then system IP]

When actively functioning, the primary PIX Firewall uses system IP addresses and MAC addresses. The secondary PIX Firewall, when on standby, uses failover IP addresses and MAC addresses. When the primary PIX Firewall fails and the secondary PIX Firewall becomes active, the secondary PIX Firewall assumes the system IP addresses and...

IPSec Enables PIX Firewall VPN Features

- Data confidentiality
- Data integrity
- Data authentication
- Anti-replay

The PIX 5.1 Firewall uses the industry-standard IP Security (IPSec) protocol suite to enable advanced VPN features. The PIX IPSec implementation is based on Cisco IOS IPSec that runs in Cisco routers. IPSec provides a mechanism for secure data transmission over IP networks, ensuring confidentiality, integrity, and authenticity of data communications over unprotected networks such as the Internet. IPSec enables the following PIX...

Java Applet Filtering

Java applet filtering allows an administrator to prevent the downloading of Java applets by an inside system. Java programs can provide a vehicle through which an inside system can be invaded. Java applets are executable programs that are banned within some security policies. The PIX Firewall supports a Java applet filter that can stop potentially dangerous Java applications on a per-client or per-IP address basis. The outbound command with the java keyword is used to enable filtering of Java...

Java Applet Filtering Commands

filter java port[-port] local_ip mask foreign_ip mask

The filter java command filters out Java applets that return to the PIX Firewall from an outbound connection. Some Java applets can contain malicious code that can manipulate data on the internal network. Use the outbound and apply commands to block Java applets.

Java filtering lets an administrator prevent Java applets from being downloaded by an inside system. Java applets are...

Lab Configure and Test Advanced Protocol Handling and Attack Guards on the Cisco Secure PIX Firewall

Complete the following lab exercise to practice what you have learned in this chapter. Your task for this lab exercise is to:

- Display the fixup protocol configurations.
- Change the fixup protocol configurations.
- Test the outbound FTP fixup protocol.
- Test the inbound FTP fixup protocol.

Display the Fixup Protocol Configurations

Perform the following step and enter the command as directed to see the current configurations of your PIX Firewall: List the fixup protocols that are running on your PIX...

Logging

[Screenshot: WebSENSE Logging tab. Tabs: Screening, Custom URLs, Workstations, Messages, Registration, Control, About WebSENSE. Log fields: Source IP Addr., Protocol, Dest. IP Addr., Category, Dest. Hostname, Full URL.]

Mail Guard

Defines ports on which to activate Mail Guard. Default: 25
- Only allows RFC 821, section 4.5.1 commands: HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT
- If disabled, all SMTP commands are allowed through the firewall; potential mail server vulnerabilities are exposed

pixfirewall(config)# fixup protocol smtp 2525
pixfirewall(config)# fixup protocol smtp 2625-2635
pixfirewall(config)# no fixup protocol smtp 25

Mail Guard provides a safe conduit for Simple Mail Transfer Protocol (SMTP) connections from...

Multiple Interface Configurations

This section discusses the configuration of multiple interfaces to the PIX Firewall. The PIX Firewall supports up to four additional perimeter interfaces for platform extensibility and security policy enforcement on publicly accessible services. The multiple perimeter interfaces enable the PIX Firewall to protect publicly accessible Internet, mail, and Domain Name System (DNS) servers on the DMZ. Web-based and traditional electronic data interchange (EDI) applications that link vendors and...

Network Address Translation and Global

Network Address Translation (NAT) allows an organization with IP addresses that are not globally unique to connect to the Internet by translating those addresses into globally routable IP address space. Global is a select pool of registered or public addresses that are used by the internal host for connectivity to the outside network through the PIX Firewall. NAT works with global to hide the real network identity of internal systems from the outside network. The nat command lets you enable or...

Open inbound port for redirected channel

SQL*Net only uses one channel for communications but it could be redirected to a different port, and even more commonly to a different secondary server altogether. When a client first starts an SQL*Net connection, it opens a standard TCP channel from one of its high-order ports to port 1521 on the server. The server then proceeds to redirect the client to a different port or IP address. The client tears down the initial connection and establishes the second connection. For SQL*Net traffic, the...

PIX Firewall VPN Topologies

- PIX Firewall to PIX Firewall VPN gateway
- VPN Client to PIX Firewall VPN via dialup
- VPN Client to PIX Firewall VPN via network

The PIX Firewall enables VPNs in several topologies, as illustrated in the figure.

PIX to PIX secure VPN gateway: Two or more PIX Firewalls can enable a VPN, which secures traffic from devices behind the PIX Firewalls. The secure VPN gateway...

Port Address Translation

[Figure: PAT example. Fields shown: Source Addr 10.0.0.3 / 172.30.0.50; Source Port 2000 / 49090; Destination Port 23; Destination Addr.]

Port Address Translation (PAT) is a combination of an IP address and a source port number, which creates a unique session. PAT uses the same IP address for all packets, but a different unique source port greater than 1024. PAT provides the following advantages: PAT and NAT can be used together. The PAT address is...

Provides dynamic per-user authentication and authorization via TACACS+ and RADIUS protocols

The Cisco IOS Firewall authentication proxy feature allows network administrators to apply specific security policies on a per-user basis. Previously, user identity and related authorized access were associated with a user's IP address, or a single security policy had to be applied to an entire user group or subnet. Now, users can be identified and authorized on the basis of their per-user policy, and access privileges tailored on an individual basis are possible, as opposed to general policy...

Scale PIX Firewall VPNs

The use of pre-shared keys for IKE authentication only works when you have a few IPSec peers. Certificate Authorities enable scaling to a large number of IPSec peers.

CA Server Fulfilling Requests from IPSec Peers
- Each IPSec peer individually enrolls with the CA server.

Using a CA server is the most scalable solution. Other IKE authentication methods require manual intervention to generate and distribute the keys on a per-peer basis. The CA server...

Show Commands (cont.)

show auth-prompt [prompt | accept | reject]

pixfirewall(config)# show auth-prompt
auth-prompt prompt Authenticate to the Firewall
auth-prompt accept You've been Authenticated
auth-prompt reject Authentication Failed

pixfirewall(config)# show timeout uauth
timeout uauth 3:00:00 absolute uauth 0:30:00 inactivity

pixfirewall(config)# show virtual
virtual http 192.168.0.2
virtual telnet 192.168.0.2

The syntax for the show auth-prompt, show timeout uauth, and show virtual commands is as follows: show auth-prompt...

Step 3 Configure the Crypto

pixfirewall(config)# crypto map map-name seq-num ipsec-isakmp
pixfirewall(config)# crypto map map-name seq-num match address access-list-name
pixfirewall(config)# crypto map map-name seq-num set peer {hostname | ip-address}
pixfirewall(config)# crypto map map-name seq-num set transform-set transform-set-name1 [transform-set-name2 ... transform-set-name9]
pixfirewall(config)# crypto map map-name seq-num set pfs [group1 | group2]
pixfirewall(config)# crypto map map-name seq-num set security-association lifetime seconds seconds...

Step 3 Configure the IKE Pre-shared

isakmp key keystring address peer-address netmask mask

- Pre-shared keystring must be identical at both peers
- Use any combination of alphanumeric characters up to 128 bytes for keystring
- Specify peer-address as host or wildcard address
- Easy to configure, yet is not scalable

Step 3 Configure the IKE pre-shared key.

pixfirewall(config)# isakmp key keystring address peer-address netmask mask

The keystring is any combination of alphanumeric characters up to 128 bytes. This pre-shared key must be...

Step 4 Verify IKE Phase One Policies

Displays configured and default IKE protection suites.

Step 4 Verify IKE phase one policies.

The show isakmp policy command displays configured and default policies, as shown in the figure. The show isakmp command displays configured policies much as they would appear with the write terminal command, as follows:

pix1(config)# show isakmp
isakmp enable outside
isakmp key cisco123 address 192.168.2.2 netmask 255.255.255.255

Student Guide Version 1.01

Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706, USA

The products and specifications, configurations, and other technical information regarding the products in this manual are subject to change without notice. All statements, technical information, and recommendations in this manual are believed to be accurate but are presented without warranty of any kind, express or implied. You must take full responsibility for their application of any products specified in this manual....

Supports multimedia with or without NAT

- Additional UDP or TCP high ports may be opened

Multimedia applications may transmit requests on TCP, get responses on UDP or TCP, use dynamic ports, may use the same port for source and destination, and so on. Every application behaves in a different way. Implementing support for all multimedia applications using a single secure method is very difficult. Two examples of multimedia applications are given below: RealAudio sends the originating request...

SYN Flood Attack

The attacker spoofs a nonexistent source IP address and floods the target with SYN packets. The target responds to SYN packets by sending SYN-ACK packets to the spoofed hosts. The target overflows its port buffer with embryonic connections and stops responding to legitimate requests. SYN flood attacks, also known as TCP flood or half-open connections attacks, are common DoS attacks perpetrated against IP servers. The attacker spoofs a nonexistent source IP address or IP addresses on the network...

System Defined Port Mapping

PAM creates a table, or database, of system-defined mapping entries using the well-known or registered port mapping information set up during system startup. The system-defined entries comprise all the services supported by CBAC, which requires the system-defined mapping information to function properly. Note: The system-defined mapping information cannot be deleted or changed; that is, you cannot map HTTP services to port 21 (FTP) or FTP services to port 80 (HTTP). The following lists the...

Task 1 Configure the Primary PIX Firewall for Failover to the Secondary PIX Firewall

Perform the following lab steps to configure the primary PIX Firewall for failover to the secondary PIX Firewall:
Step 1 Enter the configure terminal command to enter config mode.
Step 2 Configure another interface for stateful failover, for later use in Task 3.
Step 3 Assign the PIX Firewall failover interface a name (failover) and security level (55):
pixfirewall(config)# nameif e3 MYFAILOVER security55
Step 4 Enable the interface for Intel full duplex:
pixfirewall(config)# interface...

Task 1 Prepare to Configure VPN Support

Step 1. Determining the IKE (IKE phase one) policy
Step 2. Determining the IPSec (IKE phase two) policy
Step 3. Ensuring that the network works without encryption
Step 4. Implicitly permitting IPSec packets to bypass PIX Firewall access lists, access groups, and conduits
Configuring IPSec encryption can be complicated. You must plan in advance if you want to configure IPSec encryption correctly the first time and minimize misconfiguration. You should begin this task by defining the overall...

Task 2 Configure IKE Parameters

The next major task in configuring PIX Firewall IPSec is to configure the IKE parameters gathered in the previous task. This section presents the steps used to configure IKE parameters for IKE pre-shared keys:
Step 1 Enable or disable IKE.
Step 2 Configure an IKE phase one policy.
Step 3 Configure the IKE pre-shared key.
Step 4 Verify IKE phase one details.

* Enables or disables IKE on the PIX Firewall interfaces
* Disable IKE on interfaces not used for IPSec
Step 1 Enable or disable IKE (ISAKMP) negotiation:
pixfirewall(config)#...

Task 2 Define and Apply Inspection Rules and Access Lists

Step 1 On your router, define a CBAC rule to inspect all TCP and FTP traffic:
Router(config)# ip inspect name FWRULE tcp timeout 300
Router(config)# ip inspect name FWRULE ftp timeout 300
Step 2 Define an access list to allow outbound ICMP traffic and CBAC traffic (FTP and WWW). Block all other inside-initiated traffic:
Router(config)# access-list 101 permit icmp any any
Router(config)# access-list 101 permit tcp 10.0.P.0 0.0.0.255 any eq ftp
Router(config)# access-list 101 permit tcp 10.0.P.0 0.0.0.255...

Task 3 Test and Verify CBAC

Router# show access-lists
Step 2 From your workstation command prompt, ping the backbone server:
Pinging 172.30.0.50 with 32 bytes of data:
Reply from 172.30.1.50: bytes=32 time=34ms TTL=125
Reply from 172.30.1.50: bytes=32 time=34ms TTL=125
Reply from 172.30.1.50: bytes=32 time=34ms TTL=125
Reply from 172.30.1.50: bytes=32 time=36ms TTL=125
Step 3 Use your Web browser to connect to the backbone Web server. Enter http://172.30.1.50 in the URL field.
Step 4 Connect to the backbone FTP server using...

Task 4 Test and Verify Authentication Proxy

Step 1 On your router, use the show access-list command to check your access lists. Fill in the blanks below using the output from this command.
Step 2 On your router, use the show ip inspect command to see CBAC sessions. Fill in the blanks below using the output from this command.
Step 3 Use the show ip auth-proxy configuration command to verify the authorization proxy configuration. Fill in the blanks below using the output from this command.
Router# show ip auth-proxy configuration...

Task 4 Test and Verify IPSec Configuration

Perform the following steps to test and verify the VPN configuration:
Step 1 Verify the IKE policy you just created. Note the default values.
pixP(config)# show isakmp
isakmp enable outside
isakmp key cisco123 address 192.168.Q.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
What five policy items are configured in an IKE policy?
A: Authentication method, encryption algorithm, hash algorithm, D-H group, and ISAKMP SA lifetime.
Which IKE policy value did you configure in a previous...

Three Interface Configuration

pixfirewall(config)# nameif ethernet0 outside sec0
pixfirewall(config)# nameif ethernet1 inside sec100
pixfirewall(config)# nameif ethernet2 dmz sec50
pixfirewall(config)# ip address outside 192.168.0.2 255.255.255.0
pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0
pixfirewall(config)# ip address dmz 172.16.0.1 255.255.255.0
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.10-192.168.0.254 netmask 255.255.255.0...

User Authorization Profiles

proxyacl#n permit protocol any any | host ip_addr | ip_addr wildcard_mask eq auth_service
- Defines the allowable protocols, services, and destination addresses
- Source address is always any; it is replaced in the router with the IP address of the host making the request
- The privilege level must be set to 15 for all users
Use the proxyacl#n...

What Is IPSec

- IETF standard that enables encrypted communication between peers
- Consists of open standards for securing private communications
- Network layer encryption ensuring data confidentiality, integrity, and authentication
- Scales from small to very large networks
- Included in PIX Firewall version 5.0 and later
The PIX Firewall uses the open IPSec protocol to enable secure VPNs. IPSec is a set of security protocols and algorithms...

What the User Sees

[Figure: Telnet login prompt (Username and Password fields) and browser dialog "Enter username for CCG at www.cisco.com" (User Name and Password fields)]
You can authenticate with the PIX Firewall in one of three ways. Telnet: You get a prompt generated by the PIX Firewall. You have up to four chances to log in. If the username or password fails after the fourth attempt, the PIX Firewall drops the connection. If authentication and authorization are successful, you are prompted for a user name and password by the...

Static and conduit Commands

Static and conduit commands allow connections from a lower security interface to a higher security interface. static is used to create a permanent mapping between an inside IP address and a global IP address. conduit is an exception in the ASA inbound security policy for a given host. Although most connections occur from an interface with a high security level to an interface with a low security level, there are times when you will want to allow connections from an interface with a lower...

NAT Example

[Figure: NAT example showing an outbound packet with destination address 200.200.200.10 and source port 49090]
When an outbound IP packet that is sent from a device on the inside network reaches the PIX Firewall, the source address is extracted and compared to an internal table of existing translations. If the device's address is not already in the table, it is translated and a new entry is created for that device and it is assigned a global IP address from a pool of global IP addresses. The table is then updated and the...
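The translation table described above, as an added example that is not Cisco code and not a PIX implementation: a small Python model of the outbound lookup (extract the source, compare against existing translations, otherwise allocate from the global pool) and the reverse lookup a reply needs. The inside hosts, the global pool range and the port numbers are constructed sample values; pool exhaustion is modelled as an exception so the failure mode is visible.

```python
"""Model of the PIX Firewall outbound NAT translation (xlate) table.

Added example, not Cisco code. Inside addresses, the global pool and the
port numbers below are constructed sample values.
"""

import ipaddress


class GlobalPoolExhausted(Exception):
    """No free address remains in the configured global pool."""


class XlateTable:
    def __init__(self, pool_start, pool_end):
        # Global pool, as configured with: global (outside) 1 start-end
        start = int(ipaddress.IPv4Address(pool_start))
        end = int(ipaddress.IPv4Address(pool_end))
        self._free = [str(ipaddress.IPv4Address(a)) for a in range(start, end + 1)]
        self._xlate = {}  # local (inside) address -> global address

    def translate(self, local_addr):
        """Return the global address for an outbound packet's source."""
        # Source address is extracted and compared to existing translations.
        if local_addr in self._xlate:
            return self._xlate[local_addr]
        # Not in the table: assign a global address from the pool, record it.
        if not self._free:
            raise GlobalPoolExhausted(local_addr)
        global_addr = self._free.pop(0)
        self._xlate[local_addr] = global_addr
        return global_addr

    def untranslate(self, global_addr):
        """Map an inbound reply's destination back to the inside host."""
        for local, glob in self._xlate.items():
            if glob == global_addr:
                return local
        return None  # no matching xlate: nothing inside asked for this

    def size(self):
        return len(self._xlate)


def rewrite_outbound(table, packet):
    """Rewrite the source of an outbound packet; destination and ports stay."""
    out = dict(packet)
    out["src"] = table.translate(packet["src"])
    return out


def demo():
    # Deliberately tiny pool (three addresses) so the behaviour is easy to follow.
    table = XlateTable("192.168.0.10", "192.168.0.12")
    pkt1 = {"src": "10.0.0.11", "sport": 49090, "dst": "200.200.200.10", "dport": 80}
    pkt2 = {"src": "10.0.0.12", "sport": 49091, "dst": "200.200.200.10", "dport": 80}
    a = rewrite_outbound(table, pkt1)
    b = rewrite_outbound(table, pkt2)
    c = rewrite_outbound(table, pkt1)  # same inside host: existing entry is reused
    return a["src"], b["src"], c["src"], table.size(), table.untranslate(b["src"])


if __name__ == "__main__":
    print(demo())
```

The model deliberately stops at address translation; the real xlate also carries connection state and timeouts, which the idle-time and embryonic-limit sections cover separately.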

Configuring H323 Fixup

- Defines ports for H.323 connections. Default 1720
- Performs NAT in H.323 messages as required
- Dynamically opens TCP and UDP connections as required
- If disabled, H.323 applications are disallowed
pixfirewall(config)# fixup protocol h323 1720
pixfirewall(config)# fixup protocol h323 7720-7740
pixfirewall(config)# no fixup protocol h323
By default, the PIX Firewall inspects port 1720 connections for H.323 traffic. If you have H.323 servers using ports other than port 1720, you must use the fixup...

Specify AAA Servers

aaa-server group_tag protocol auth_protocol
- Assigns TACACS+ or RADIUS protocol to a group tag
pixfirewall(config)# aaa-server group_tag (if_name) host server_ip key timeout seconds
- Identifies the AAA server for a given group tag
pixfirewall(config)# aaa-server MYTACACS protocol tacacs+
pixfirewall(config)# aaa-server MYTACACS (inside) host 10.0.0.2 secretkey timeout 10
Use the aaa-server command to specify AAA server groups. The PIX Firewall lets you define separate groups of TACACS+ or RADIUS...

Determine IKE Phase One Policy

An IKE policy defines a combination of security parameters to be used during the IKE negotiation. A group of policies makes up a protection suite of multiple policies that enable IPSec peers to establish IKE sessions and SAs with a minimum of configuration. You should determine IKE policy details for each IPSec peer before configuring IKE. The figure shows a summary of some IKE policy details that will be configured in the examples in this chapter. Select IPSec algorithms and parameters for...

Enable Authorization

aaa authorization include | exclude author_service inbound | outbound if_name local_ip local_mask foreign_ip foreign_mask
- Defines traffic that requires AAA server authorization
- author_service: any, ftp, http, or telnet
The PIX Firewall uses authorization services with TACACS+ AAA servers that determine which services an authenticated user can access. Note: The PIX Firewall does not support RADIUS authorization. The syntax for the aaa authorization command is...

Lab Visual Objective

Task 1 Install Cisco Secure ACS for Windows NT Server
Perform the following steps to install Cisco Secure ACS on your Windows NT server:
Step 1 Install Cisco Secure ACS on your Windows NT server from the CD-ROM or from the files on your hard drive, as indicated by the instructor. When installing from the CD-ROM, complete the following:
- Windows NT will automatically start the autorun.exe program and you are prompted to install Cisco Secure ACS.
- Click Install to start the installation...

SYN Flood Guard Configuration

static (internal_if_name, external_if_name) global_ip local_ip netmask network_mask max_conns em_limit
pixfirewall(config)# nat (if_name) nat_id local_ip netmask max_conns em_limit
- Use the em_limit to limit the number of embryonic connections
- Set the limit to a number lower than the server can handle
pixfirewall(config)# nat (inside) 10 0 0 10000
pixfirewall(config)#...
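The SYN flood described in the SYN Flood Attack section and the em_limit guard above, as an added example that is not Cisco code: a Python model of the half-open connection table the firewall keeps for a server, capped at em_limit and aged out on a handshake timeout. The spoofed sources, timings and the handshake timeout of 30 seconds are constructed assumptions. It shows the trade-off the text implies: with the limit reached the firewall refuses new SYNs (legitimate ones included) until entries age out, but the server never sees more half-open connections than it can hold.

```python
"""Model of the SYN flood guard: em_limit caps embryonic (half-open)
connections held toward a server behind static/nat.

Added example, not Cisco code. Addresses, timings and the 30-second
handshake timeout are constructed assumptions.
"""


class EmbryonicGuard:
    def __init__(self, em_limit, handshake_timeout):
        self.em_limit = em_limit          # em_limit from static/nat; 0 = unlimited
        self.timeout = handshake_timeout  # seconds a half-open entry may live
        self.embryonic = {}               # (src, sport) -> time the SYN was seen
        self.established = set()
        self.dropped_syns = 0

    def _expire(self, now):
        # Half-open entries whose handshake never completes are aged out, so
        # SYNs from spoofed, nonexistent sources cannot pin the table forever.
        stale = [k for k, t in self.embryonic.items() if now - t >= self.timeout]
        for k in stale:
            del self.embryonic[k]

    def on_syn(self, src, sport, now):
        """Return True if the SYN is forwarded to the server."""
        self._expire(now)
        key = (src, sport)
        if key in self.embryonic:
            return True  # retransmitted SYN for an entry we already hold
        if self.em_limit and len(self.embryonic) >= self.em_limit:
            self.dropped_syns += 1
            return False  # limit reached: refuse rather than pass it to the server
        self.embryonic[key] = now
        return True

    def on_ack(self, src, sport, now):
        """Third handshake packet: the connection is no longer embryonic."""
        seen = self.embryonic.pop((src, sport), None)
        if seen is None:
            return False
        self.established.add((src, sport))
        return True


def simulate(em_limit, spoofed_syns, server_capacity):
    """Spoofed SYNs never complete. Report the peak half-open count the
    server would see and whether a legitimate client's SYN gets through."""
    guard = EmbryonicGuard(em_limit, handshake_timeout=30)
    now = 0.0
    for i in range(spoofed_syns):
        # Nonexistent sources (documentation range): SYN-ACKs go unanswered.
        guard.on_syn(f"198.51.100.{i % 250 + 1}", 1024 + i, now)
        now += 0.001
    peak_half_open = len(guard.embryonic)
    during = guard.on_syn("203.0.113.7", 40000, now)       # while the table is full
    after = guard.on_syn("203.0.113.7", 40001, now + 31)   # after entries aged out
    return {
        "peak_half_open": peak_half_open,
        "dropped_syns": guard.dropped_syns,
        "server_overflowed": peak_half_open >= server_capacity,
        "legit_syn_forwarded_during_flood": during,
        "legit_syn_forwarded_after_timeout": after,
    }


if __name__ == "__main__":
    print("em_limit 500:", simulate(500, 2000, 1024))
    print("no limit:   ", simulate(0, 2000, 1024))
```

With em_limit 0 (no limit) the whole flood reaches the server and its half-open queue of 1024 overflows, which is the condition the text describes; with em_limit 500 the server holds at most 500 and recovers once the unanswered entries time out.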

Tcp Udp and DNS Idle Times

- Specifies time allowed for a TCP or UDP session with no activity
- Specifies time allowed for a DNS session with no activity
To specify the TCP idle timeout (the length of time a TCP session will still be managed after no activity), use the ip inspect tcp idle-time global configuration command. Use the no form of this command to reset the timeout to its default. To specify the UDP idle timeout (the length of time a UDP session will still be managed after no activity), use the ip inspect udp...
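The idle timers above, as an added example that is not Cisco code: a Python model of a CBAC session table in which an outbound packet creates a session, return traffic is admitted only while a matching session exists, activity refreshes the timer, and TCP, UDP and DNS sessions each expire on their own timer. The default values in the table (TCP 3600 s, UDP 30 s, DNS 5 s) are assumed, not taken from this page; verify them against your IOS release. Addresses and ports are constructed.

```python
"""Model of CBAC session idle timers (ip inspect tcp idle-time,
ip inspect udp idle-time, ip inspect dns-timeout) and their `no` forms.

Added example, not Cisco code. DEFAULT_IDLE holds assumed defaults;
the sessions below are constructed samples.
"""

DEFAULT_IDLE = {"tcp": 3600, "udp": 30, "dns": 5}  # assumed; verify on your release


class CbacSessionTable:
    def __init__(self, idle=None):
        # Configured idle-times; start from defaults, apply overrides.
        self.idle = dict(DEFAULT_IDLE)
        if idle:
            self.idle.update(idle)
        self.sessions = {}  # (proto, src, sport, dst, dport) -> last activity time

    def set_idle_time(self, kind, seconds=None):
        """seconds=None models the `no` form: reset that timer to its default."""
        self.idle[kind] = DEFAULT_IDLE[kind] if seconds is None else seconds

    @staticmethod
    def _kind(proto, dport):
        # DNS sessions (UDP to port 53) get their own, much shorter, timer.
        if proto == "udp" and dport == 53:
            return "dns"
        return proto

    def inspect(self, proto, src, sport, dst, dport, now):
        """Outbound packet seen by the inspection rule: create or refresh
        the session so the return traffic can pass the inbound ACL."""
        self.sessions[(proto, src, sport, dst, dport)] = now

    def return_traffic_allowed(self, proto, src, sport, dst, dport, now):
        """Inbound packet: permitted only if a matching session exists and
        has not been idle longer than its timer."""
        key = (proto, dst, dport, src, sport)  # reverse of the outbound tuple
        last = self.sessions.get(key)
        if last is None:
            return False  # unsolicited: no session opened it
        kind = self._kind(proto, key[4])  # key[4] is the outbound destination port
        if now - last > self.idle[kind]:
            del self.sessions[key]  # idle too long: session is removed
            return False
        self.sessions[key] = now  # activity refreshes the idle timer
        return True

    def expire(self, now):
        """Periodic sweep: drop every session idle longer than its timer."""
        stale = [k for k, t in self.sessions.items()
                 if now - t > self.idle[self._kind(k[0], k[4])]]
        for k in stale:
            del self.sessions[k]
        return len(stale)


def demo():
    t = CbacSessionTable({"tcp": 300})  # models: ip inspect tcp idle-time 300
    t.inspect("tcp", "10.0.1.10", 40000, "172.30.1.50", 21, now=0)   # FTP control
    t.inspect("udp", "10.0.1.10", 40001, "172.30.1.50", 53, now=0)   # DNS query
    return {
        "ftp_reply_at_200": t.return_traffic_allowed("tcp", "172.30.1.50", 21, "10.0.1.10", 40000, now=200),
        "dns_reply_at_10": t.return_traffic_allowed("udp", "172.30.1.50", 53, "10.0.1.10", 40001, now=10),
        "ftp_reply_at_600": t.return_traffic_allowed("tcp", "172.30.1.50", 21, "10.0.1.10", 40000, now=600),
        "unsolicited": t.return_traffic_allowed("tcp", "172.30.1.50", 23, "10.0.1.10", 40002, now=1),
    }


if __name__ == "__main__":
    print(demo())
```

The FTP reply at t=200 is admitted and resets the timer; the next reply at t=600 is 400 seconds after that and exceeds the 300-second TCP timer, so the session is gone. The DNS reply at t=10 fails because the DNS timer, not the UDP timer, applies to it.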

Real Networks RDT Mode

- UDP resend (simplex UDP)
Outbound connections
- If outbound traffic is allowed, open inbound port for UDP data
- If outbound traffic is not allowed, open inbound port for UDP data and open outbound port
UDP resend
- If outbound traffic is allowed, open inbound port for UDP resend
- If outbound traffic is not allowed, open outbound port for UDP data and open inbound port for UDP resend
Transport: x-real-rdt/udp;client_port=3057;server_port=5000
In RealNetworks' RDT mode, the following three...

Rip Routing Protocol

Lab Exercise Configure WebSENSE

Complete the following lab exercise to practice what you learned in this chapter. In this lab exercise you will complete the following tasks:
- Filter malicious active code.
- Configure the PIX Firewall to work with WebSENSE.
- Install WebSENSE on a Windows NT Server.
- Configure WebSENSE to block a web site.
The following figure displays the configuration you will complete in this lab exercise.
[Figure: lab topology with a Web, FTP, and TFTP server and a Web, WebSENSE, and FTP server]

Example Three Interface Firewall

- Allow all general TCP and UDP traffic
- Allow all ICMP traffic
- Allow all ICMP and HTTP traffic only to 172.16.0.2
As an example, configure the router to be a firewall between three networks: inside, outside, and DMZ. The security policy to implement is as follows: allow all general TCP and UDP traffic initiated on the inside (outbound) from network 10.0.0.0 to access the Internet and the...

Define Inspection Rules

This section discusses how to configure the rules used to define the application protocols for inspection.
Inspection Rules for Application Protocols
ip inspect name inspection-name protocol [alert {on | off}] [audit-trail {on | off}] [timeout seconds]
- Defines the application protocols to inspect
- Will be applied to an interface
- Available protocols: tcp, udp, cuseeme, ftp, http, h323, netshow, rcmd, realaudio, rpc, smtp, sqlnet, streamworks, tftp, and vdolive.
- alert, audit-trail, and timeout are...

Task 3 Configure the Primary PIX Firewall for Stateful Failover

Perform the following lab steps to configure the primary PIX Firewall for stateful failover:
Step 1 Configure the primary PIX Firewall for stateful failover to the secondary PIX Firewall by using the failover link command:
pixfirewall(config)# failover link MYFAILOVER
Step 2 Make sure that the secondary PIX Firewall has the latest changes to the configuration by using the write memory command. This will sync up the configuration on both firewalls.
Step 3 Verify that stateful failover is in place...

PIX Firewall 520 Image Upgrade

Complete the following steps for the image upgrade of the PIX Firewall 520 to versions lower than 5.1:
Step 1 Download the file for the PIX Firewall software version you are running from Cisco Connection Online (CCO) (each version requires a different file): ftp://ftp.cisco.com/cisco/internet/pix/special/<your version>. You will need a CCO login to download this data.
Step 2 Download the rawrite.exe file into the same directory as the password version you downloaded previously.
Step 3 Execute the...

Fragmentation Guard

- Protects hosts against fragmentation attacks. Default disabled
- Each non-initial IP fragment is required to be associated with an already-seen valid initial IP fragment
- IP fragments are limited to 100 full IP fragmented packets per second to each internal host
pixfirewall(config)# sysopt security fragguard
pixfirewall(config)# no sysopt security fragguard
Use the sysopt security fragguard command to enable the Fragmentation Guard feature....

PIX Firewall Primary Commands

The following are the basic configuration commands for the PIX Firewall:
- nameif: Assigns a name to each interface and specifies a security level for each interface.
- interface: Configures the type and capability of each perimeter interface.
- ip address: Assigns an IP address to each interface.
- route: Defines a static or default route for an interface.
Note: Inside and outside interface names can be changed, but this is not recommended. These terms are used...

SQLNet Fixup Configuration

- Defines ports for SQL*Net connections. Default 1521
- Performs NAT in packet payload
- Dynamically opens TCP port for redirected client connection
- Port 1521 is the default port used by Oracle; IANA-compliant applications use port 66
- Outbound SQL*Net is allowed if not explicitly disallowed
- Inbound SQL*Net is disallowed
pixfirewall(config)# fixup protocol sqlnet 66
pixfirewall(config)# fixup protocol sqlnet 6666-6686
pixfirewall(config)# no fixup protocol sqlnet

Certificate Authorities CA

The PIX Firewall supports the following IPSec and related standards:
- IPSec (IP Security Protocol)
- Internet Key Exchange (IKE)
- Data Encryption Standard (DES)
- Secure Hash Algorithm-1 (SHA-1)
- Rivest-Shamir-Adleman signatures (RSA)
- Certificate Authorities (CA)
IPSec is a framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers at the IP layer. IPSec can be used to...

ASA Security Levels

The ASA security levels designate whether an interface is inside (trusted) or outside (untrusted) relative to another interface. An interface is considered inside in relation to another interface if its security level is higher than that of the other interface, and is considered outside in relation to another interface if its security level is lower than that of the other interface. The primary rule for security levels is that an interface with a higher security level can access an interface...

Four Interface Configuration

pixfirewall(config)# nameif ethernet0 outside sec0
pixfirewall(config)# nameif ethernet1 inside sec100
pixfirewall(config)# nameif ethernet2 dmz sec50
pixfirewall(config)# nameif ethernet3 partnernet sec20
pixfirewall(config)# ip address outside 192.168.0.2
pixfirewall(config)# ip address inside 10.0.0.1
pixfirewall(config)# ip address dmz 172.16.0.1 255.255.255.0
pixfirewall(config)# ip address partnernet 172.26.26.1
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# global...

Step 1Configure Interesting Traffic

access-list access-list-name deny | permit ip source source-netmask destination destination-netmask
- Access list selects IP traffic by address, network, or subnet
Step 1 Configure interesting traffic with crypto access lists:
pixfirewall(config)# access-list access-list-name deny | permit protocol source source-netmask destination destination-netmask
permit causes all IP traffic that matches the specified conditions to be protected by crypto,...

Inspection Rules and ACLs Applied to Router Interfaces

This section discusses the application of inspection rules and ACLs to router interfaces.
Apply an Inspection Rule to an Interface
ip inspect inspection-name in | out
- Applies named inspection rule to an interface
Router(config-if)# ip inspect FWRULE in
- Applies inspection rule to interface e0/0 in the inward direction
To apply a set of inspection rules to an interface, use the ip inspect interface configuration command. Use the no form of this command to...

Group: Default Group (1 user)

Step 9 Click Edit Settings to go to the Group Settings for your group.
Step 10 Scroll down the Group Settings until you find IOS Commands. Select the IOS Commands checkbox.
Step 11 Check the Command checkbox under IOS Commands.
Step 12 Enter ftp in the Command field.
Step 13 Enter permit 172.30.1.50 in the Arguments field.
Step 14 Click Submit to save the changes. Wait for the interface to return to the Group Setup main window.
Step 15 Click Edit Settings to go to the Group Settings for your...

Conduit Command

conduit permit | deny protocol global_ip global_mask [operator port [port]] foreign_ip foreign_mask [operator port [port]]
- Maps specific IP addresses and TCP or UDP connections from the outside host to the inside host.
pixfirewall(config)# conduit permit tcp host 192.168.1.10 eq ftp any
The conduit command permits or denies connections from outside the PIX Firewall to access TCP or UDP services on hosts inside the network. The conduit statement creates an exception to the PIX Firewall ASA by permitting...
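The decision the ASA makes, as an added example that is not Cisco code and not a PIX implementation: a Python model combining the security-level rule from the ASA Security Levels section (higher level may initiate to lower; lower to higher is denied) with the exception from the Static and conduit Commands section and the conduit command above (a static must publish the destination and a permit conduit must match the protocol, port and foreign address, first match wins). Interface names and levels follow the three-interface configuration on this page; the DMZ server addresses, outside hosts and the handling of two interfaces at the same level are constructed assumptions. Outbound ACLs, nat/global and the port range operators are not modelled.

```python
"""Model of PIX Firewall ASA security levels with static/conduit exceptions.

Added example, not Cisco code. Interface levels follow the three-interface
configuration on this page; hosts and the equal-level rule are assumptions.
"""

import ipaddress


class Asa:
    def __init__(self):
        self.levels = {}    # interface name -> security level (nameif ... secN)
        self.statics = {}   # global_ip -> (local_ip, inside_if, outside_if)
        self.conduits = []  # (action, proto, global_net, port, foreign_net), in order

    def nameif(self, name, level):
        self.levels[name] = level

    def static(self, inside_if, outside_if, global_ip, local_ip):
        # static (inside_if,outside_if) global_ip local_ip: permanent mapping
        self.statics[global_ip] = (local_ip, inside_if, outside_if)

    def conduit(self, action, proto, global_net, port=None, foreign_net="0.0.0.0/0"):
        # conduit permit|deny proto global_ip mask [eq port] foreign_ip mask
        self.conduits.append((action, proto, ipaddress.ip_network(global_net),
                              port, ipaddress.ip_network(foreign_net)))

    def _conduit_permits(self, proto, global_ip, port, foreign_ip):
        # First matching conduit decides; no match means the exception is denied.
        g = ipaddress.ip_address(global_ip)
        f = ipaddress.ip_address(foreign_ip)
        for action, c_proto, c_net, c_port, c_foreign in self.conduits:
            if c_proto != proto or g not in c_net or f not in c_foreign:
                continue
            if c_port is not None and c_port != port:
                continue
            return action == "permit"
        return False

    def allow(self, src_if, dst_if, proto, src_ip, dst_ip, dport):
        """Decide on a new connection from src_if to dst_if.
        Returns (allowed, destination_as_seen_inside_or_None)."""
        s, d = self.levels[src_if], self.levels[dst_if]
        if s > d:
            # Higher to lower security level: permitted by the ASA by default
            # (outbound ACLs could still deny it; not modelled here).
            return True, dst_ip
        if s == d:
            # Assumption for this model: equal levels do not exchange traffic.
            return False, None
        # Lower to higher: needs a static for the global destination ...
        mapping = self.statics.get(dst_ip)
        if mapping is None:
            return False, None
        local_ip, inside_if, outside_if = mapping
        if inside_if != dst_if or outside_if != src_if:
            return False, None
        # ... and a conduit that permits this protocol/port from this foreign host.
        if not self._conduit_permits(proto, dst_ip, dport, src_ip):
            return False, None
        return True, local_ip


def demo():
    pix = Asa()
    pix.nameif("outside", 0)
    pix.nameif("inside", 100)
    pix.nameif("dmz", 50)
    # Publish a DMZ FTP server (constructed addresses) to the outside.
    pix.static("dmz", "outside", "192.168.0.10", "172.16.0.2")
    pix.conduit("permit", "tcp", "192.168.0.10/32", 21)
    return {
        "inside_to_outside_web": pix.allow("inside", "outside", "tcp", "10.0.0.11", "200.200.200.10", 80),
        "outside_to_dmz_ftp": pix.allow("outside", "dmz", "tcp", "198.51.100.9", "192.168.0.10", 21),
        "outside_to_dmz_telnet": pix.allow("outside", "dmz", "tcp", "198.51.100.9", "192.168.0.10", 23),
        "outside_to_inside_any": pix.allow("outside", "inside", "tcp", "198.51.100.9", "192.168.0.2", 21),
        "dmz_to_inside": pix.allow("dmz", "inside", "tcp", "172.16.0.2", "10.0.0.11", 445),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Only the explicitly published service (FTP to the DMZ host) gets through from the outside; Telnet to the same host, anything to the inside network, and DMZ-initiated connections toward the inside all fall to the default deny, which is the least-privilege posture the security-level design is meant to enforce.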