Accessing Cisco Security Appliance

A Security Appliance can be accessed by using the console port or remotely using the following methods:

- Telnet
- SSH
- A browser using Cisco Adaptive Security Device Manager (ASDM)

Console port access allows a single user to configure the Security Appliance. The user connects a PC or portable computer to the Security Appliance through the console access port using a rollover cable. The following sections describe how to access the Security Appliance remotely using Telnet and SSH. Chapter 15, Adaptive Security Device Manager,...

Accounting: Maintains a record of user access

Cisco Security Appliance version 6.2 can maintain an internal user database for console authentication and command authorization, or it can connect to an external AAA server. The Security Appliance supports RADIUS, TACACS+, SDI, NT, Kerberos, and LDAP authentication technologies. Figure 17-20 shows the steps that the AAA server takes during the entire AAA process.

Step 1 The user initiates a connection to the web server and is prompted for a username and password.
Step 5 The firewall allows the connection. ...

ASDM Installation

Before installing ASDM, follow these steps:

Step 1 Save or print your Security Appliance configuration and write down your activation key.
Step 2 If you are upgrading from a previous version of Security Appliance software, you must obtain the ASDM software from Cisco in the same way you download the Security Appliance software. Then use TFTP to download the image to your Security Appliance unit.
Step 3 If you upgrade your Cisco Security Appliance Software to version 7.0 and you plan to use...

Assign a Shell Command Authorization Set on a Per-Network Device Group Basis

In ACS version 3.1 and later, to apply a shell command authorization set to the TACACS+ AAA clients that belong to a particular Network Device Group (NDG), select this option and then use the following options:

- Device Group: From the list, select the NDG to which you want to assign a shell command authorization set.
- Command Set: From the list, select the shell command authorization set you want to apply to the NDG.
- Add Association: Click to add the selected NDG and command set to the Device Group...

Basic Configuration Information for HQPIX

Table 20-1 lists the physical interfaces of the Cisco PIX Firewall that is installed in the Reston headquarters. This table includes the interface name, physical interface ID, assigned address, and speed/duplex.

Table 20-1 PIX Interface Information for HQ

Table 20-2 shows what routing information needs to be configured on the PIX. Note that the only route required is the default route; no specific routes are defined on the firewall.

Table 20-2 PIX...

Basic Configuration Information for MNPIX

Tables 20-6 through 20-9 provide the information needed to configure the PIX Firewall at the Minneapolis office. Table 20-6 shows information about the physical interfaces on the PIX Firewall.

Table 20-6 PIX Interface Information for Minneapolis

Table 20-7 depicts which routes need to be configured on the PIX Firewall in the Minneapolis office.

Table 20-7 Routing...

Case Study and Sample Configuration

The DUKEM consulting firm is a medium-size company with 700 employees. It has three offices across the continental United States. Twenty percent of DUKEM's employees are mobile or telecommute. Figure 20-1 shows the current DUKEM network infrastructure.

Figure 20-1 DUKEM Network Infrastructure

Certification Exam and This Preparation Guide

The questions for each certification exam are a closely guarded secret. The truth is that if you had the questions and could only pass the exam, you would be in for quite an embarrassing experience as soon as you arrived at your first job that required Security Appliance skills. The point is to know the material, not just to pass the exam successfully. We do know what topics you must know to complete this exam. These are, of course, the same topics required for you to be proficient with the...

Cisco ASA 5510 Security Appliance

The Cisco ASA 5510 Security Appliance is an advanced firewall and VPN solution designed for small to medium-size businesses, as well as remote offices. The ASA 5510 is a powerful security device, running on a 1.6-GHz Celeron processor, with up to 256 MB of RAM and 64 MB of Flash memory. The ASA 5510 can be configured for failover only with the Cisco ASA 5510 Security Plus license upgrade. The ASA 5510 does not support the Security Context feature. No VLAN support is available for the ASA 5510...

Cisco ASA 5520 Security Appliance

The Cisco ASA 5520 Security Appliance is a high-availability enterprise firewall and VPN. It is designed as a perimeter security device, as well as a VPN head point for all enterprise connectivity. The ASA 5520 supports a 2.0-GHz Celeron processor, with up to 512 MB of RAM and 64 MB of Flash memory. The availability of security contexts allows the ASA 5520 to support more flexible firewall design than the ASA 5510. In addition, the ASA 5520 allows the use of SSL VPNs (WebVPN) to support up to...

Cisco ASA 5540 Security Appliance

The Cisco ASA 5540 is the premier Security Appliance for the large enterprise environment. The ASA 5540 can support up to 100 VLANs, allowing a security administrator greater flexibility when designing a corporate LAN. The ASA 5540 runs on a 2.0-GHz Pentium 4 processor, with up to 1,024 MB of RAM and 64 MB of Flash memory. The ASA 5540, like the ASA 5520, supports LAN-based failover in either Active/Active or Active/Standby mode. The ASA 5540 supports up to 50 security contexts with purchase...

Cisco PIX 506E

The Cisco PIX 506E Firewall was designed for the ROBO environment. It has a 300-MHz Celeron processor, 32 MB of RAM, and 8 MB of Flash memory. It has a fixed outside Ethernet interface and a fixed inside Ethernet interface. It has a 9600-baud console port that is used for local device management. The PIX 506 does not support failover. Connection capabilities for the PIX 506 are as follows:

- Maximum clear-text throughput: 100 Mbps
- Maximum throughput (DES): 20 Mbps
- Maximum throughput (3DES): 17 Mbps
...

Cisco PIX 525

The Cisco PIX 525 Firewall is an enterprise firewall. It provides perimeter security for large enterprise networks. The PIX 525 is rack-mountable in a 2U (3.5-inch) configuration. It has a 600-MHz processor, up to 256 MB of RAM, and 16 MB of Flash memory. It has two fixed 10/100 Ethernet interfaces. The two fixed interfaces are Ethernet 0, which is the outside interface by default, and Ethernet 1, which is the inside interface by default. The PIX 525 also includes three PCI slots for the...

Cisco PIX 535

The Cisco PIX 535 Firewall is the ultimate enterprise firewall designed for enterprise networks and service providers. The PIX 535 is rack-mountable and fits a 3U configuration. It has a 1-GHz processor, up to 1 GB of RAM, and 16 MB of Flash memory. It has nine PCI slots for the installation of up to ten Ethernet interfaces. It has a 9600-baud console port that is used for local device management. The PIX 535 can be configured for failover using a failover cable connected to the 115-kbps serial...

Cisco Security Specialist in the Real World

Cisco is one of the most recognized names on the Internet. You cannot go into a data center or server room without seeing some Cisco equipment. Cisco-certified security specialists are able to bring quite a bit of knowledge to the table because of their deep understanding of the relationship between networking and network security. This is why the Cisco certification carries such clout. Cisco certifications demonstrate to potential employers and contract holders a certain professionalism and...

Command Level Authorization

In some organizations, more than one firewall administrator may be responsible for the Security Appliances. In those instances, you can give the other administrators full privileges on the Security Appliances, or you can restrict them to the commands needed for their assigned functions, thereby reducing the chance that unintended (or sometimes malicious) changes are made on the firewall(s). The PIX operating system provides a mechanism for controlling what type of command a user can execute. The...

Configuring Access VPNs

Cisco Easy VPN, a software enhancement for Cisco security appliances, greatly simplifies virtual private network (VPN) deployment for remote offices and telecommuters. By centralizing VPN management across all Cisco VPN devices, Cisco Easy VPN reduces the complexity of VPN deployments. Cisco Easy VPN enables you to integrate various remote VPN solutions (Cisco IOS routers, Cisco PIX Firewalls, Cisco ASA 55X0 series firewalls, Cisco VPN 3002 Hardware Clients, and...

Configuring Failover

To configure failover, you need to become familiar with a few key commands. Table 12-4 shows the commands used to configure and verify failover.

Table 12-4 Security Appliance Failover Commands

failover: Enables the failover function on the PIX Firewall. Use this command after you connect the failover cable between the primary and secondary unit. Use the no failover command to disable the failover feature.
...

Configuring Multiple Translation Types on the Cisco Security Appliance

It is good practice to use a combination of NAT and PAT. If you have more internal hosts than external IP addresses, you can configure both NAT and PAT. Your first group of hosts translates to the global addresses that are listed, and the remaining hosts use PAT and translate to the single global address. PAT is configured separately from NAT. If NAT is configured without PAT, once the available global IP address range is depleted, additional translation attempts are refused. If the...

Configuring Syslog on a Cisco Security Appliance

The logging command is used to configure logging on the PIX Firewall. Logging is disabled by default. Table 10-3 describes the parameters of the logging command.

Table 10-3 logging Command Parameters

on: Enables the transmission of syslog messages to all output locations. You can disable sending syslog messages with the no logging on command.
message: Allows you to disable specific syslog messages. Use the logging message message_number command to resume logging of...

Configuring the ASDM to View Logging

The ASDM Log panel, shown in Figure 10-1, allows you to view syslog messages that are captured in the ASDM Log buffer in the Security Appliance memory. You may select the level of syslog messages you want to view. When you view the ASDM Log, all the buffered syslog messages at and below the logging level you choose are displayed.

Figure 10-1 ASDM Log Panel

The ASDM logging panel has the following fields: Logging...

Configuring the Central PIX Firewall HQPIX for VPN Tunneling

Both remote sites connect to the Reston location using VPN tunneling. The VPN protects the traffic coming from the remote sites. The following steps define the VPN characteristics on HQ-PIX:

Step 1 Configure an Internet Security Association and Key Management Protocol (ISAKMP) policy.
Step 2 Configure a preshared key and associate it with the peers (Houston and Minneapolis):
    isakmp key C2ghi address 192.168.3.2
    isakmp key B2def address 192.168.2.2
Step 3 Configure the supported IPSec transforms...

Configuring the Cisco Security Appliance to Send Syslog Messages to a Log Server

Configuring a Security Appliance to send logging information to a server helps you collect and maintain data that can later be used for forensic and data-traffic analysis. Security Appliance syslog messages are usually sent to one or more syslog servers. The Security Appliance uses UDP port 514 by default to send syslog messages to a syslog server. Because UDP syslog is neither acknowledged nor authenticated, messages can be lost or spoofed on the way to the server, so the server should sit on a trusted segment (or a dedicated management interface) and the appliance's local buffer should be kept as a second copy. The syntax for configuring the Security Appliance to send syslog messages to a syslog server is as follows:

pixfirewall(config)# logging...

Configuring the Security Appliance DHCP Client

DHCP client support on the Cisco Security Appliance is designed for use in SOHO environments in which digital subscriber line (DSL) and cable modems are used. The DHCP client can be enabled only on the outside interface of the Security Appliance. When the DHCP client is enabled, a DHCP server on the outside provides the outside interface with an IP address.

NOTE The DHCP client does not support failover configuration.

The DHCP client feature on a Security Appliance is enabled by the ip address...

Configuring the Security Appliance DHCP Server

Configuring the Security Appliance to operate as a DHCP server involves the following tasks:

- Configuring the address pool
- Specifying WINS, DNS, and the domain name
- Configuring the DHCP options
- Configuring the DHCP lease length

NOTE Configuring the Security Appliance to serve as a DHCP server also requires you to assign a static IP address to the inside interface. This is one of the basic configuration tasks when setting up your Security Appliance.

A DHCP server needs to know which addresses it...

Contents

How to Best Use This Chapter
Do I Know This Already Quiz
Foundation and Supplemental Topics
  Overview of Network Security
  Vulnerabilities, Threats, and Attacks
    Vulnerabilities
    Threats
    Types of Attacks
      Reconnaissance Attacks
      Access Attacks
      DoS Attacks
  Security Policies
    Step 1 Secure
    Step 2 Monitor
    Step 3 Test
    Step 4 Improve
  Network Security as a Legal Issue
  Defense in Depth
  Cisco AVVID and Cisco SAFE
    Cisco AVVID
    Cisco SAFE
Foundation Summary...

Cut Through Proxy

The cut-through proxy feature on a Cisco Security Appliance provides significantly better performance than application proxy firewalls because it completes user authentication at the application layer, verifies authorization against the security policy, and then opens the connection as authorized by the security policy. Subsequent traffic for this connection is no longer handled at the application layer but is statefully inspected, providing significant performance benefits over proxy-based...

Debug Command

The debug command lets you watch the VPN negotiation take place. This command is available only from configuration mode on the PIX and will not display any output in a Telnet session. Table 13-8 explains the two debug commands most commonly used to troubleshoot VPN connectivity.

Table 13-8 debug Commands Used to Troubleshoot VPN Connectivity

debug crypto isakmp: Displays IKE communication between the PIX and its IPSec peers.
debug crypto ipsec: Displays IPSec communication between the PIX and its IPSec peers.

Example 13-8 displays the output from the debug crypto isakmp command on the PIX Firewall...

Diffie-Hellman Group

As soon as the IKE SA negotiation is complete, the established SA is bidirectional. The phase 2 negotiations establish unidirectional SAs between two IPSec peers. The SAs determine the keying, protocols, and algorithms to be used between the peers. Two primary security protocols are included as part of the IPSec standard supported by the Cisco Security Appliance:

Encapsulating Security Payload (ESP): ESP provides data authentication, encryption, and antireplay services. ESP is protocol number 50...

Do I Know This Already Quiz

The purpose of the Do I Know This Already quiz is to help you decide if you really need to read the entire chapter. If you already intend to read the entire chapter, you do not necessarily need to answer these questions now. The ten-question quiz, derived from the major sections in the Foundation and Supplemental Topics portion of the chapter, helps you determine how to spend your limited study time. Table 1-1 outlines the major topics discussed in this chapter and the Do I Know This Already...

Do I Know This Already Quiz Answers

1. What is the difference between TCP and UDP?
Answer: TCP is a connection-oriented protocol, and UDP is a connectionless protocol.

2. What is the default security for traffic originating on the inside network segment going to the outside network?
Answer: By default, traffic is permitted from the inside (higher security level) to the outside (lower security level) network as long as the appropriate nat/global or static command has been configured.

3. True or false: You can have multiple translations in a...

Domain Name Inspection

To understand the DNS attack protection provided by the Cisco Security Appliance, it helps to understand how DNS can be exploited to cause a DoS attack. The attacker sends DNS queries to each of many DNS servers, with the source address of each query spoofed to be the target's address. The DNS servers answer each small query with a large response, and those responses are routed to the target, causing link congestion and possible denial of Internet connectivity. The port assignment for DNS cannot be configured on...

Dynamic Routes

Besides static routes created manually, the Cisco Security Appliance also supports some dynamic routing functionality. Dynamic routes are created by routing protocols that automatically add entries to the Security Appliance's routing table. The Security Appliance supports two different routing protocols, but only one can be active on a single Security Appliance. The Security Appliance can learn new routes from RIP routing broadcasts, but the Security Appliance does...

Easy VPN Remote Feature

The Easy VPN Remote feature enables Security Appliances, Cisco VPN 3002 Hardware Clients, Cisco VPN Software Clients, and certain Cisco IOS routers to act as remote VPN clients. The Easy VPN Server can push security policies to these clients, thus minimizing VPN configuration requirements at remote locations. This cost-effective solution is ideal for remote offices with little information technology (IT) support as well as large deployments where it is impractical to configure individual remote...

Easy VPN Server

The Easy VPN Server enables Cisco IOS routers, Security Appliances, and Cisco VPN 3000 Series concentrators to serve as VPN headend devices when remote offices are running the Easy VPN Remote feature. The configuration works for both site-to-site and remote access configurations. With Cisco Easy VPN, security policies defined at the headend are pushed to the remote VPN device, ensuring that the connection has up-to-date policies in place before the connection is established. Mobile workers...

Extended Authentication Configuration

XAUTH enables the Easy VPN Server to require username/password authentication in order to establish the VPN connection. This authentication is performed by an AAA server. To configure the Easy VPN Server to use XAUTH for remote VPN clients, you must set up the Easy VPN Server and configure it to perform XAUTH. The complete configuration process involves performing the following tasks:

- Create an Internet Security Association and Key Management Protocol (ISAKMP) policy for remote Cisco VPN Client...

Filtering ActiveX Objects

The filter activex command filters out ActiveX objects and other HTML <OBJECT> usages from inbound packets. These controls include custom forms, calendars, and extensive third-party forms for gathering or displaying information. The syntax for filtering ActiveX objects is as follows:

filter activex port local-ip local-mask foreign-ip foreign-mask

Note that if the <OBJECT> and </OBJECT> HTML tags are split across network packets, or if the code in the tags is longer than the number of...

Filtering Long URLs

The Cisco Security Appliance supports filtering URLs up to 6000 bytes for the Websense URL-filtering server. The default is 2000 bytes. In addition, the Cisco Security Appliance supports the longurl-truncate and cgi-truncate parameters to allow handling of URL requests longer than the maximum permitted size. The format for these options is as follows:

filter url http|port[-port] local-ip local-mask foreign-ip foreign-mask [allow] [proxy-block] [longurl-truncate | longurl-deny] [cgi-truncate]

Table 16-4 identifies...

Foundation Summary

The Foundation Summary provides a convenient review of many key concepts in this chapter. If you are already comfortable with the topics in this chapter, this summary can help you recall a few details. If you just read this chapter, this review should help solidify some key facts. If you are doing your final preparation before the exam, this summary provides a convenient way to review the day before the exam. Cisco Easy VPN greatly simplifies VPN deployment for remote offices and telecommuters....

How to Read System Log Messages

System log messages received at a syslog server begin with a percent sign (%) and are structured as follows:

%PIX-level-message-number: message-text

- PIX identifies the message facility code for messages generated by the Cisco Security Appliance.
- level reflects the severity of the condition described by the message. The lower the number, the more serious the condition.
- message-number is the numeric code that uniquely identifies the message.
- message-text is a text string describing the condition....
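As an added example (not code from the book), here is a small Python parser for messages in this format as a syslog server receives them over UDP 514, the default transport described earlier. It splits out facility, level, message number and text, maps the level to its severity name, and shows which messages a given trap level would have forwarded. The sample lines are constructed for illustration, including the server's own timestamp and hostname prefix; they are not captured appliance output.

```python
"""Parse Cisco PIX/ASA syslog messages: %PIX-level-message_number: message-text.

Added example; the sample lines below are constructed for illustration, not
captured from a real appliance.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Severity names by level; a lower number is a more serious condition.
SEVERITY = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
            4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# The facility code is PIX on the PIX Firewall and ASA on the ASA. A syslog
# server usually prepends its own timestamp and hostname, so we search for the
# token rather than anchoring at the start of the line.
_MSG_RE = re.compile(r"%(?P<facility>PIX|ASA)-(?P<level>[0-7])-(?P<number>\d+): (?P<text>.*)$")


@dataclass
class PixSyslog:
    facility: str
    level: int
    number: int
    text: str

    @property
    def severity(self) -> str:
        return SEVERITY[self.level]


def parse_message(line: str) -> Optional[PixSyslog]:
    """Return a PixSyslog for a well-formed message, or None for anything else."""
    m = _MSG_RE.search(line)
    if m is None:
        return None
    return PixSyslog(m["facility"], int(m["level"]), int(m["number"]), m["text"])


def at_or_below(messages: List[PixSyslog], level: int) -> List[PixSyslog]:
    """Keep messages at the given level or more serious (lower number), which is
    the set that 'logging trap <level>' forwards to a syslog server."""
    return [msg for msg in messages if msg.level <= level]


# Constructed sample input (a syslog server's view, with its own timestamp/host prefix).
SAMPLE_LINES = [
    "Jan  1 00:00:01 pixfirewall %PIX-6-302013: Built outbound TCP connection 123 "
    "for outside:203.0.113.5/80 (203.0.113.5/80) to inside:10.1.1.7/51000 (192.0.2.10/1025)",
    "Jan  1 00:00:02 pixfirewall %PIX-4-106023: Deny tcp src outside:198.51.100.9/4444 "
    "dst inside:10.1.1.7/23 by access-group \"outside_in\"",
    "Jan  1 00:00:03 pixfirewall %PIX-1-105003: (Primary) Monitoring on interface inside waiting",
    "Jan  1 00:00:04 pixfirewall sshd[1]: not an appliance message",
]


def summarize(lines: List[str], trap_level: int = 4) -> dict:
    """Parse all lines, drop what is not a PIX/ASA message, and report what a
    'logging trap <trap_level>' configuration would have delivered."""
    parsed = [p for p in (parse_message(l) for l in lines) if p is not None]
    kept = at_or_below(parsed, trap_level)
    return {
        "parsed": len(parsed),
        "kept": len(kept),
        "numbers": [m.number for m in kept],
        "most_serious": min((m.level for m in kept), default=None),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
```

Lines that carry no %PIX/%ASA token are dropped rather than guessed at, so a server that also collects other hosts' logs does not miscount them as firewall events.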

How to Use This Book

Each chapter builds upon the chapter that precedes it. The chapters that cover specific commands and configurations include case studies or practice configurations. Chapter 20 includes additional case studies and configuration examples that might or might not work it is up to you to determine if the configurations fulfill the requirement and why. This book was written as a guide to help you prepare for the SNPA certification exam. It is a tool not the entire...

Installing Cisco Secure ACS Version 3.3 on Windows Server

You can download a 90-day trial version of Cisco Secure ACS from the Cisco Software Center at Cisco.com. You must register as a user to receive your CCO login. You must have the CCO login to download software from the software center. The installation of Cisco Secure ACS is an easy, step-by-step process. It is a good idea to verify that your Windows server is up to the current patch level. When you are ready to begin the installation, just run setup.exe. Figure 17-3 shows the initial Cisco...

Internet Key Exchange

Internet Key Exchange is the protocol that is responsible for negotiation. IKE is the short name for ISAKMP/Oakley, which stands for Internet Security Association and Key Management Protocol (with Oakley distribution). The terms IKE and ISAKMP are used interchangeably throughout this chapter. IKE operates over User Datagram Protocol (UDP) port 500 and negotiates the key exchange between the ISAKMP peers to establish a bidirectional SA. This process requires that the IPSec systems first...

Message integrity algorithm: SHA-1 or MD5

Key exchange parameters: Diffie-Hellman group 1, group 2, or group 5

IKE-established SA lifetime: The default is 86,400 seconds. The Security Appliance supports an unlimited ISAKMP SA (phase 1) lifetime by using a value of 0. This allows for VPN connectivity with third-party VPN products that do not support rekeying the ISAKMP SA. An unlimited ISAKMP SA lifetime is much less secure than a regularly rekeyed SA and should be used only if required to support connections to third-party gateways....

Nameif Command

As the name intuitively indicates, the nameif command is used to name an interface. The outside and inside interfaces are named by default and have default security values of 0 and 100, respectively. By default, the interfaces have their hardware ID. Ethernet 0 is the outside interface, and Ethernet 1 is the inside interface. The names that are configured by the nameif command are user-friendly and are easier to use for advanced configuration later. NOTE The nameif command can also be used to...

Nesting Object Groups

You can add an object group within an object group. The object-group command allows logical grouping of the same type of objects and construction of hierarchical object groups for structured configuration. To nest an object group within another object group, use the group-object command. Example 7-10 illustrates the use of nested object groups.

Example 7-10 Configuring Nested Object Groups

Network Object Type

The network object type is used to group hosts and subnets. Server and client hosts can be grouped by function. For example, mail servers, web servers, or a group of client hosts that have special privileges on the network can be grouped accordingly. Example 7-5 shows a web servers object group.

Example 7-5 Configuring an Object Group

pixfirewall(config)# object-group network web-servers
pixfirewall(config-network)# description Public web servers
pixfirewall(config-network)# network-object host 192.168.1.12
pixfirewall(config-network)# network-object host 192.168.1.14
...
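To show what the appliance actually does with Example 7-5 and with the nested groups of the previous section, here is an added Python example (not code from the book) that parses object-group network definitions, including group-object references, and flattens a group into the hosts and subnets it resolves to. The configuration it reads is constructed: it reuses the two web-servers hosts from Example 7-5 and adds a mail-servers group and a dmz-servers group that nests both. It also rejects a group that nests itself, which is the kind of definition the appliance refuses as well.

```python
"""Expand (possibly nested) PIX/ASA network object groups.

Added example, not code from the book. The configuration text is constructed.
"""
import ipaddress
from typing import Dict, List

# Constructed config: web-servers mirrors Example 7-5, dmz-servers nests two groups.
SAMPLE_CONFIG = """\
object-group network web-servers
 description Public web servers
 network-object host 192.168.1.12
 network-object host 192.168.1.14
object-group network mail-servers
 network-object host 192.168.1.20
object-group network dmz-servers
 network-object 192.168.2.0 255.255.255.0
 group-object web-servers
 group-object mail-servers
"""


def parse_object_groups(config: str) -> Dict[str, dict]:
    """Return {group_name: {"networks": [IPv4Network, ...], "groups": [name, ...]}}."""
    groups: Dict[str, dict] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        if parts[:2] == ["object-group", "network"]:
            current = parts[2]
            groups[current] = {"networks": [], "groups": []}
        elif current is None:
            raise ValueError(f"line outside any object-group: {line}")
        elif parts[0] == "network-object":
            if parts[1] == "host":                       # network-object host A.B.C.D
                net = ipaddress.ip_network(parts[2])
            else:                                        # network-object A.B.C.D MASK
                net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}")
            groups[current]["networks"].append(net)
        elif parts[0] == "group-object":                 # nested group reference
            groups[current]["groups"].append(parts[1])
        elif parts[0] == "description":
            pass
        else:
            raise ValueError(f"unsupported line: {line}")
    return groups


def expand(groups: Dict[str, dict], name: str, _stack=()) -> List[ipaddress.IPv4Network]:
    """Flatten a group into a sorted list of networks, following nesting.
    Raises KeyError for an undefined group and ValueError for a nesting loop."""
    if name not in groups:
        raise KeyError(f"undefined object-group {name}")
    if name in _stack:
        raise ValueError("nested object-group loop: " + " -> ".join(_stack + (name,)))
    nets = set(groups[name]["networks"])
    for child in groups[name]["groups"]:
        nets.update(expand(groups, child, _stack + (name,)))
    return sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def contains(groups: Dict[str, dict], name: str, address: str) -> bool:
    """True if the address falls inside any network of the expanded group."""
    ip = ipaddress.ip_address(address)
    return any(ip in n for n in expand(groups, name))


if __name__ == "__main__":
    g = parse_object_groups(SAMPLE_CONFIG)
    for n in expand(g, "dmz-servers"):
        print(n)
```

Flattening a group this way is also a quick offline check of what an access-list that references the group really covers, which is easy to lose track of once groups nest two or three levels deep.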

Overview of Virtual Private Network Technologies

Before the creation of VPN technologies, the only way for companies to secure network communications between different locations was to purchase or lease costly dedicated connections. VPNs allow companies to create secure encrypted tunnels between locations over a shared network infrastructure such as the Internet. A VPN is a service that offers secure, reliable connectivity over a shared public network infrastructure. VPNs are broken into three types based on the business component accessing...

Password Recovery Procedure for a Diskless PIX Firewall PIX 501 506 506E 515E 515 525 and 535

Step 1 Start the terminal-emulation software, and connect your portable computer or PC to the console port of the PIX Firewall.
Step 2 After you power on the Cisco PIX Firewall and the startup messages appear, send a BREAK character or press the Esc key. The monitor> prompt is displayed.
Step 3 At the monitor> prompt, use the interface command to specify which interface the PIX Firewall traffic should use.
Step 4 Use the address command to specify the IP address of the PIX Firewall...

Password Recovery Procedure for a PIX Firewall with a Floppy Drive PIX 520

Step 1 Create the boot disk by running the rawrite.exe file on your portable computer or PC and writing npxn.bin to the bootable floppy.
Step 2 Make sure that the terminal-emulation software is running on your PC and that you have connected the console cable to the Cisco PIX Firewall.

NOTE Because you are locked out, you see only a password prompt.

Step 3 Insert the PIX Firewall password lockout utility disk into the PIX Firewall's floppy drive. Push the Reset button on the front of the PIX...

Security Context Overview

Within a single Security Appliance, a security administrator can create more than one security context (see Figure 9-1). Each context uses a separate configuration that describes the security policy, assigned interfaces, and options that the security context manages. This reduces the amount of equipment, cost, rack space, and administrative duties that a security department would normally incur if each department required a separate firewall unit.

Figure 9-1 Multiple Security Contexts Figure...

Server Functions

The Security Appliance version 6.3 VPN Server supports the following functionality:

- Mode Configuration version 6
- Extended Authentication (XAUTH) version 6
- Internet Key Exchange (IKE) dead peer detection (DPD)
- Split tunneling control
- Initial contact
- Group-based policy control

Dead peer detection (DPD) enables two IPSec peers to determine if each other is still alive during the lifetime of the VPN connection. This functionality is useful to clean up valuable VPN resources that are allocated to a...

Stateful Packet Inspection

Stateful packet inspection, also called stateful packet filtering, provides the best combination of security and performance because connections are not only checked against an ACL but also recorded in a small database known as the state table. After a connection is established, all session data is compared to the state table. If the session data does not match the state table information for that connection, the connection is dropped. Figure 2-3 depicts, using the OSI reference model, how traffic...

Static NAT

Static NAT creates a permanent, one-to-one mapping between an address on an internal network (a higher-security-level interface) and an external network (a lower-security-level interface) in all Security Appliance versions. For an external host to initiate traffic to an inside host, a static translation rule needs to exist for the inside host. Without the persistent translation rule, the translation cannot occur. NOTE Access from a lower-security level to a higher-security level can also be...
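The two translation behaviours described on this page, dynamic NAT falling back to PAT once the global pool is exhausted (Configuring Multiple Translation Types) and static one-to-one mappings being the only way an outside host can initiate a connection inward (this section), are easiest to see side by side in a toy model. The following Python is an added example, not code from the book or from Cisco: the pool, PAT address and static mapping are constructed, and PAT port selection is a plain counter rather than the appliance's real algorithm.

```python
"""Toy model of PIX address translation (added example, not code from the book).

Outbound: dynamic NAT hands out global addresses from a pool; once the pool is
used up, connections fall back to PAT on a single address, or are refused when
no PAT address exists. Inbound: only a static (persistent) translation lets an
outside host initiate a connection to an inside host. Port selection for PAT is
a simple counter here; the real appliance chooses mapped ports differently.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]   # (address, port)


@dataclass
class Translator:
    global_pool: List[str]                   # global (outside) 1 <first>-<last>
    pat_address: Optional[str] = None        # global (outside) 1 <single address>
    statics: Dict[str, str] = field(default_factory=dict)     # inside -> global, from static
    nat_xlates: Dict[str, str] = field(default_factory=dict)  # inside -> global, dynamic NAT
    pat_xlates: Dict[Endpoint, Endpoint] = field(default_factory=dict)
    next_pat_port: int = 1024

    def outbound(self, inside_ip: str, inside_port: int) -> Optional[Endpoint]:
        """Translate an inside-initiated flow; None means the translation was refused."""
        if inside_ip in self.statics:                # static wins, same port
            return self.statics[inside_ip], inside_port
        if inside_ip in self.nat_xlates:             # existing dynamic xlate is reused
            return self.nat_xlates[inside_ip], inside_port
        in_use = set(self.nat_xlates.values())
        for g in self.global_pool:                   # dynamic NAT: next free pool address
            if g not in in_use:
                self.nat_xlates[inside_ip] = g
                return g, inside_port
        if self.pat_address is None:                 # pool depleted and no PAT configured
            return None
        key = (inside_ip, inside_port)               # PAT: many inside sockets, one address
        if key not in self.pat_xlates:
            self.pat_xlates[key] = (self.pat_address, self.next_pat_port)
            self.next_pat_port += 1
        return self.pat_xlates[key]

    def inbound(self, global_ip: str) -> Optional[str]:
        """Resolve an outside-initiated flow to an inside host. Dynamic NAT and PAT
        entries are deliberately not consulted: without a static there is no
        persistent translation, so the connection cannot be built."""
        for inside, g in self.statics.items():
            if g == global_ip:
                return inside
        return None


def demo():
    """Constructed scenario: two pool addresses, one PAT address, one static."""
    t = Translator(global_pool=["192.168.1.20", "192.168.1.21"],
                   pat_address="192.168.1.22",
                   statics={"10.1.1.10": "192.168.1.10"})
    outbound = [t.outbound(h, 40000) for h in ("10.1.1.1", "10.1.1.2", "10.1.1.3", "10.1.1.4")]
    return outbound, t.inbound("192.168.1.10"), t.inbound("192.168.1.20")


if __name__ == "__main__":
    flows, via_static, via_dynamic = demo()
    for f in flows:
        print(f)
    print("inbound to static:", via_static, " inbound to pool address:", via_dynamic)
```

The third and fourth inside hosts land on the PAT address with distinct mapped ports, while a Translator built without a PAT address refuses them, which is exactly the depletion failure the text warns about.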

Step 1 Create a Class

You must assign a name to the class map. This name must be unique and should be intuitive to the content it will be matching. Use the class-map command to create and assign a name to a class map. To remove the class map, use the no form of this command:

class-map class-map_name

When this command has been executed, it enters class map configuration mode. Setting the different match criteria, as well as creating a description of the class map, can be done in this mode. Table 8-2 provides a...

Step 1 Create Port Forwarding Application Maps

You must create a port forwarding application map for each application the ASA 55x0 will need to port forward. This mapping information will be used by the ASA 55x0 to modify the host file on the end user's PC with mapping information. An application entry uses a hostname or IP address as a unique identifier for port forwarding. This identifier must be constant otherwise the end user will be required to modify how these applications are accessed each time the WebVPN service is used. The use of...

Step 1 Creating a Crypto Access List

Crypto access lists are used to identify which IP traffic is to be protected by encryption and which traffic is not. After the access list is defined, the crypto maps reference it to identify the type of traffic that IPSec protects. The permit keyword in the access list causes IPSec to protect all IP traffic that matches the access list criteria. If the deny keyword is used in the access list, the traffic is not encrypted. The crypto access lists specified at the remote peer should be mirror...
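The mirror-image requirement is the most common thing to get wrong on a site-to-site tunnel, so here is an added Python check (not code from the book) that parses two peers' crypto access lists and reports any entry that the other side does not mirror. The ACL text is constructed for an HQ/Houston pair and is not taken from the case study; the addresses are placeholders.

```python
"""Check that two IPsec peers' crypto access lists mirror each other
(added example, not code from the book).

The local ACL says "protect traffic from A to B"; the remote ACL must say
"protect traffic from B to A" with the same action and protocol, otherwise one
side encrypts traffic the other will not accept, or sends it in the clear.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class CryptoAce:
    action: str                      # permit (protect) | deny (send unprotected)
    protocol: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def mirrored(self) -> "CryptoAce":
        return CryptoAce(self.action, self.protocol, self.dst, self.src)


def _address(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'host A' or 'A MASK' starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_acl(text: str) -> List[CryptoAce]:
    """Parse lines of the form: access-list NAME permit|deny PROTO SRC MASK DST MASK."""
    entries = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if tokens[0] != "access-list":
            raise ValueError(f"not an access-list line: {raw}")
        action, protocol = tokens[2], tokens[3]
        src, i = _address(tokens, 4)
        dst, _ = _address(tokens, i)
        entries.append(CryptoAce(action, protocol, src, dst))
    return entries


def mirror_mismatches(local: List[CryptoAce], remote: List[CryptoAce]):
    """Return (local entries the remote does not mirror, remote entries the local
    side does not mirror). Both lists empty means the ACLs are mirror images."""
    local_set, remote_set = set(local), set(remote)
    local_unmirrored = [e for e in local if e.mirrored() not in remote_set]
    remote_unmirrored = [e for e in remote if e.mirrored() not in local_set]
    return local_unmirrored, remote_unmirrored


# Constructed ACLs for an HQ/Houston pair; the addresses are not from the case study.
HQ_ACL = """
access-list hq-to-houston permit ip 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0
access-list hq-to-houston permit ip 10.10.10.0 255.255.255.0 host 10.30.30.5
"""
HOUSTON_ACL = """
access-list houston-to-hq permit ip 10.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
"""


def check(local_text: str, remote_text: str) -> bool:
    """True when the two ACLs mirror each other; print what is missing otherwise."""
    local_missing, remote_missing = mirror_mismatches(parse_acl(local_text), parse_acl(remote_text))
    for e in local_missing:
        print(f"remote lacks mirror of: {e.action} {e.protocol} {e.src} -> {e.dst}")
    for e in remote_missing:
        print(f"local lacks mirror of: {e.action} {e.protocol} {e.src} -> {e.dst}")
    return not local_missing and not remote_missing


if __name__ == "__main__":
    check(HQ_ACL, HOUSTON_ACL)
```

As written, the HQ side protects traffic to host 10.30.30.5 that Houston never lists, so the check fails until the matching host entry is added on the Houston side.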

Step 1 Identifying the AAA Server and NAS

You must be sure to have the correct information about your AAA server before you attempt to configure your Security Appliance. You use the aaa-server command (from configuration mode on the Security Appliance) to specify the AAA server. Remember that you are dealing with at least two devices the Security Appliance and the Cisco Secure ACS. You must configure the Security Appliance to recognize the Cisco Secure ACS as its AAA server for authentication. You also must configure the Cisco Secure...

Step 2 Access WebVPN Configuration Mode

To make changes to the WebVPN global configuration, the WebVPN subcommand mode (WebVPN mode) must be accessed. Configuration of proxy services, AAA authentication servers, policies, and the portal home page are all done through WebVPN mode. Configuration for e-mail proxies through WebVPN is done in a similar fashion, using the pop3s, imap4s, or smtps commands to access their specific subcommand modes. The commands are used as follows:

tgasa(config)# webvpn
tgasa(config-webvpn)#
tgasa(config)#...

Step 2 Configuring a Transform

A transform set defines the combination of encryption algorithms and message integrity algorithms to be used for the IPSec tunnel. Transforms are combined to make transform sets. Both peers agree on the transform set during the IPSec negotiation. You can define multiple transform sets because both peers search for a common transform set during the IKE negotiation. If a common transform set is found, it is selected and applied to the protected traffic. Table 13-4 shows the transform sets...
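To make the "first common proposal wins" behaviour concrete for both IKE phases, here is an added Python model (not code from the book or from Cisco). Phase 1 matches ISAKMP policies by encryption, hash, authentication method and Diffie-Hellman group, with the lifetime negotiated separately and the lifetime-0 (unlimited) case from the earlier section handled; phase 2 matches transform sets by their transforms, not their names. The peer configurations are constructed; the shorter-lifetime-wins rule is the usual IKEv1 outcome and is a simplification.

```python
"""Toy model of IKE phase 1 policy matching and IPsec transform-set matching.

Added example, not code from the book: each peer offers its proposals in order
and the first one both sides share is selected. Lifetime handling is the usual
IKEv1 behaviour (the shorter lifetime wins); treat it as a simplification.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int          # isakmp policy <priority>; lower is tried first
    encryption: str        # des | 3des | aes
    hash_alg: str          # md5 | sha
    authentication: str    # pre-share | rsa-sig
    group: int             # Diffie-Hellman group 1, 2 or 5
    lifetime: int = 86400  # seconds; 0 means unlimited on the appliance

    def attrs(self) -> Tuple[str, str, str, int]:
        # The attributes that must match exactly; lifetime is negotiated separately.
        return (self.encryption, self.hash_alg, self.authentication, self.group)


def negotiate_isakmp(initiator: List[IsakmpPolicy],
                     responder: List[IsakmpPolicy]) -> Optional[Tuple[IsakmpPolicy, IsakmpPolicy, int]]:
    """Responder walks its own policies by priority and accepts the first that
    matches any policy the initiator offered. Returns (initiator policy,
    responder policy, agreed lifetime) or None when nothing matches."""
    offered = sorted(initiator, key=lambda p: p.priority)
    for r in sorted(responder, key=lambda p: p.priority):
        for i in offered:
            if i.attrs() == r.attrs():
                # Any finite lifetime on either side wins over an unlimited (0) one.
                finite = [lt for lt in (i.lifetime, r.lifetime) if lt != 0]
                return i, r, (min(finite) if finite else 0)
    return None


@dataclass(frozen=True)
class TransformSet:
    name: str
    transforms: Tuple[str, ...]   # e.g. ("esp-3des", "esp-sha-hmac")


def negotiate_transform(local: List[TransformSet],
                        remote: List[TransformSet]) -> Optional[Tuple[str, ...]]:
    """Phase 2: the first transform set, in the local crypto map's order, whose
    transforms the remote peer also configured. Set names need not match."""
    remote_sets = {frozenset(t.transforms) for t in remote}
    for t in local:
        if frozenset(t.transforms) in remote_sets:
            return t.transforms
    return None


# Constructed peer configurations (HQ and a branch), not taken from the book.
HQ_POLICIES = [
    IsakmpPolicy(10, "3des", "sha", "pre-share", 2),
    IsakmpPolicy(20, "des", "md5", "pre-share", 1),
]
BRANCH_POLICIES = [
    IsakmpPolicy(10, "aes", "sha", "pre-share", 5),
    IsakmpPolicy(20, "3des", "sha", "pre-share", 2, lifetime=3600),
]
HQ_SETS = [TransformSet("strong", ("esp-3des", "esp-sha-hmac")),
           TransformSet("legacy", ("esp-des", "esp-md5-hmac"))]
BRANCH_SETS = [TransformSet("ts1", ("esp-des", "esp-md5-hmac")),
               TransformSet("ts2", ("esp-3des", "esp-sha-hmac"))]


def demo():
    """Run both negotiations between HQ (initiator) and the branch (responder)."""
    return negotiate_isakmp(HQ_POLICIES, BRANCH_POLICIES), negotiate_transform(HQ_SETS, BRANCH_SETS)


if __name__ == "__main__":
    phase1, phase2 = demo()
    print("phase 1:", phase1)
    print("phase 2:", phase2)
```

Note that the branch's stronger AES policy is skipped because HQ never offers it; ordering the weakest policy first on either side is a real-world way to end up with a DES tunnel even though both peers support 3DES or AES.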

Step 3 Assign Policies for Each Class

You can assign five policies, or domains, to traffic classes within a policy map. The five policies are as follows:
police: Allows rate limiting of matched traffic flows.
inspect: Allows protocol inspection services on the matched traffic flows.
priority: Allows strict scheduling priority for matched traffic flows.
Intrusion Protection Services (IPS): Allows IPS for all traffic flows that have been matched.
TCP normalization: Allows the limiting of TCP and UDP connections, as well as embryonic...

Step 4 Configuring Crypto Maps

Just as the isakmp policy command configures the parameters for the IKE negotiations, the crypto map command tells the PIX Firewall how to negotiate the IPSec SA. The crypto map command is the final piece of the puzzle that is used on both peers to establish the SA. Again, it is extremely important that the settings are compatible on both ends. If both peers do not have a compatible configuration, they cannot establish the VPN connection. This does not mean that the configuration must be an exact match...

Step 5 Assign a NetBIOS Name Server

Microsoft's Common Internet File System (SMB/CIFS) requires a NetBIOS Name Server (NBNS) for queries that map a NetBIOS name to IP addresses. WebVPN uses NetBIOS to access or allow file sharing through a WebVPN connection. The first NBNS server configured is the primary server, and all subsequent servers are considered redundant backups. The ASA 55X0 supports three NBNS server entries. NBNS entries are assigned in WebVPN mode, nested in global configuration mode. To assign an NBNS...

Step-by-Step Configuration of a Security Context

To help with the initial configuration of multiple contexts, this section runs through a step-by-step configuration of a Cisco ASA 5510. This configuration features three contexts for the executive staff, sales staff, and IT staff on an enterprise site. This is a new firewall and does not contain a configuration. The Security Appliance requires basic configuration in addition to context-specific settings:
Step 1 Enable multiple context mode on the ASA 5510
Step 2 Configure the basic...

Steps 1 and 2 Configuring User Accounts Within the Cisco Secure ACS and Assigning Users to a Group

To configure new users in Cisco Secure ACS, click the User Setup button on the left navigation bar. When the User Setup window appears, shown in Figure 18-6, enter the username in the User box and then click Add/Edit.
Figure 18-6 Creating User Accounts on the Cisco Secure ACS
In the Edit pane of the User Setup window, shown in Figure 18-7, you can configure many options pertaining to the user account as described in the following list....

Support for Domain Name System Messages

The Security Appliance fully supports NAT and PAT for Domain Name System (DNS) messages originating from either a more secure interface or a less secure interface. This means that if a client on an inside network requests DNS resolution of an inside address from a DNS server on an outside interface, the DNS record is translated correctly. To illustrate this point, Figure 6-2 shows a user from inside obtaining DNS resolution from the outside (maybe from an Internet service provider) for a web server on...

sysopt connection permit-ipsec Command

The sysopt command reconfigures the system options. The command sysopt connection permit-ipsec implicitly permits all packets that arrive from the IPSec tunnel to bypass any checking of access lists, conduits, or access-group command statements for IPSec connections. If the sysopt connection permit-ipsec command is not specified, an explicit rule (conduit or ACL) must be coded to allow the traffic arriving from the IPSec tunnel through the firewall. Example 13-5 shows the current configuration...

Task 2 Configuring Access Rules on HQ

After configuring the basic PIX Firewall parameters, you must create the access rules for the PIX Firewall at the Reston site (HQ-PIX). The access rules are necessary to enable the remote sites to connect to the Reston location while limiting access from unauthorized locations. The following steps define the access rules needed on HQ-PIX:
Step 1 To allow users on the outside interface access to the mail server on the demilitarized zone (DMZ) interface, enter the following commands:
access-list...

Task 4 Configuring Logging

To help protect your network configuration, it is important to log events that are happening on the network. This log information provides valuable insight into what is happening on the network, especially when the network is being attacked or probed. The following steps outline the commands necessary to enable logging at the three locations:
Step 1 Enable logging on HQ-PIX to the logging server:
logging on
logging trap informational
logging host DMZ 172.16.31.7
logging trap informational
logging...

Testing Your Configuration

Making sure that the configuration you entered works is an important part of the configuration process. At this point, you test basic connectivity from the inside interface out to the other interfaces. Use the ping and debug commands to test your connectivity. The ping command sends an Internet Control Message Protocol (ICMP) echo request message to the target IP address and expects an ICMP echo reply. By default, the Security Appliance denies all inbound traffic through the outside interface....

Translation Versus Connection

Consider this scenario: A single user on a workstation located on the internal network is connecting to his web-based e-mail account, making an online stock purchase, researching a new software package that he intends to buy, and backing up a database at a remote branch office. How many connections does he have going from his workstation? It is difficult to tell because many of these tasks require multiple connections between the source and destination. How many translated sessions does he have...

Transport Protocols

Traffic that traverses a network always has a source and destination address. This communication is based on the seven layers of the OSI reference model. Layers 5 through 7 (the upper layers) handle the application data, and Layers 1 through 4 (lower layers) are responsible for moving the data from the source to the destination. The data is created at the application layer (Layer 7) on the source machine. Transport information is added to the upper-layer data, and then network information is...

Troubleshooting Authentication

If you encounter issues with your AAA authentication, you can use the debug aaa authentication command to display the communication between the Cisco Security Appliance and the AAA server. This command lets you determine the method of authentication and verify successful communication between the Security Appliance and the AAA server. Example 18-12 shows where a login causes the Security Appliance to initiate a connection to the AAA server at 17.16.1.2, requesting a login using TACACS+ and...

Troubleshooting Commands

The two most important troubleshooting commands on the Security Appliance are the following:
The debug command provides real-time information that helps you troubleshoot protocols operating with and through a Security Appliance. There are more than three dozen debug commands available on the Security Appliance.
Like the debug command, the show command also has many options available on the Security Appliance. One helpful show command is show tech-support.
The debug packet command sends...

Types of Attacks

The types of cyber attackers and their motivations are too numerous and varied to list. They range from the novice hacker who is attracted by the challenge, to the highly skilled professional who targets an organization for a specific purpose (such as organized crime, industrial espionage, or state-sponsored intelligence gathering). Threats can originate from outside the organization or from inside. External threats originate outside an organization and...

Understanding Logical Interfaces

Your Security Appliance has a limited number of physical interfaces. This limits the number of Layer 3 networks to which the Security Appliance can be directly connected. If you use VLANs to segment your network into smaller broadcast domains, each of these VLANs represents a different Layer 3 network. By using logical interfaces, you can accommodate multiple VLANs by using trunk lines on your switch ports and configuring multiple logical interfaces on a single physical interface on your...

Upgrading Your Activation

Three important reasons might prompt you to upgrade or change your activation key:
Your Cisco Security Appliance does not have failover activated.
Your Security Appliance does not currently have virtual private network Data Encryption Standard (VPN-DES) or virtual private network Triple DES (VPN-3DES) encryption enabled.
You are upgrading from a connection-based license to a feature-based license.
Before the release of PIX Firewall version 6.2, the activation keys were changed in monitor mode....

Using ASDM to Configure the Cisco Security Appliance

The Cisco Security Appliance ASDM Startup Wizard, shown in Figure 15-4, walks you through the initial configuration of your Cisco Security Appliance. You are prompted to enter information about your Security Appliance. The Startup Wizard applies these settings, so you should be able to start using your Security Appliance right away.
Figure 15-4 Cisco Security Appliance Adaptive Security Device Manager Startup Wizard...

Using ASDM to Create a Remote Access VPN

With a remote-access VPN, your local Cisco Security Appliance provides secure connectivity between individual remote users and the LAN resources protected by your local Security Appliance. To start the VPN Wizard, go to the wizard's menu on ASDM and select the VPN Wizard option:
Step 1 From the opening window of the ASDM VPN Wizard, shown in Figure 15-27, select the Remote Access VPN radio button to create a remote-access VPN configuration. This configuration enables secure remote access for VPN...

Using the Cisco Security Appliance DHCP Server

The DHCP server is usually used in, but not limited to, SOHO environments. The address pool of a Cisco Security Appliance DHCP server must be within the same subnet as the Security Appliance interface on which it is enabled, and you must specify the associated Security Appliance interface with if_name. In other words, the client must be physically connected to the subnet of a Security Appliance interface. The size of the pool is limited to 32 addresses with a 10-user license and 128 addresses with a...

Viewing the Service Policy Statistics

Security administrators like to have as much information as possible in front of them about their networks' health. To help with this, the Security Appliance gathers statistics on each service policy, including details such as the number of hits to a policy and how much traffic uses a policy. The show service-policy command displays the service policy statistics per interface:
show service-policy [global | interface intf] [action] [flow flow_description]
Table 8-8 describes the parameters for this...

Warning and Disclaimer

This book is designed to provide information about the Securing Networks with PIX and ASA (SNPA) 642-522 exam toward the Cisco Certified Security Professional (CCSP) certification. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information is provided on an as is basis. The authors, Cisco Press, and Cisco Systems, Inc., shall have neither liability nor responsibility to any person or entity with respect to any...

Configuring IPS Through ASDM

The AIP-SSM module can be configured for IPS features through the CLI or on an ASDM window. It is recommended that the administrator configure the IPS features through the ASDM as it removes most of the user error that can come from direct CLI configurations, like typos. To use the ASDM for configuration, the module will require an HTTPS web server to be enabled, as shown in Example 19-8 in the preceding section, as well as for the HTTPS web server to have an IP address that is accessible on...

Chapter

The VPN session is established, but no traffic, or just one-way traffic, is passing between the Boston firewall and Los Angeles firewall. Ellen starts debugging the problem using debug icmp trace. She pings the other end of the VPN node and gets the following results:
609001: Built local-host inside:10.10.2.21
106014: Deny inbound icmp src outside:10.10.10.31 dst inside:10.10.2.21 (type 8, code 0)
106014: Deny inbound icmp src outside:10.10.10.31 dst inside:10.10.2.21...

Viewing Accounting Information in Cisco Secure

Now that the Cisco Security Appliance is configured to perform accounting, you need to ensure that the Cisco Secure ACS is properly configured to log the events. Select System Configuration in the navigation panel to open the System Configuration window, shown in Figure 18-14; then click the Logging link in the Select pane, and check off the log format and the items you want to log (see Figure 18-15). Logs can be saved in a CSV (flat file) or ODBC (database) format. Figure 18-14 Cisco Secure...

Configuring URLs and File Servers

Using the WebVPN home page is useful only if the end user can access resources. Internal websites and Active Directory file servers are some of the more frequently accessed resources in an enterprise network. A security administrator might not want end users to have equal access to internal websites or file servers, especially to confidential documents and information. WebVPN resolves this with the ability to configure access to internal websites and file servers on a per-user or per-group...

Installing a New Operating System

Installing a new operating system (OS) on a Cisco Security Appliance is similar in some respects to installing a new OS on your PC. You must consider fundamental questions such as whether you have enough memory and disk space (Flash size for Security Appliance) when deciding whether to upgrade the operating system. Table 4-4 shows the random-access memory (RAM) and Flash memory requirements for the different versions and releases of the Cisco Security Appliance OS prior to version 7.0. Table...

Access Lists

An access list typically consists of multiple access control entries (ACEs) organized internally by the Security Appliance as a linked list. When a packet is subjected to access list control, the Cisco Security Appliance searches this linked list linearly to find a matching element. The matching element is then examined to determine whether the packet is to be transmitted or dropped. By default, all access-list commands have an implicit deny unless you explicitly specify permit. In other words, by...

Configuring Login Banners on the Cisco Security Appliance

PIX Firewall version 6.3 introduced support for message-of-the-day (MOTD), EXEC, and login banners, similar to the feature included in Cisco IOS Software. Banner size is limited only by available system memory or Flash memory. You can create a message as a warning against unauthorized use of the firewall. In some jurisdictions, civil and/or criminal prosecution of crackers who break into your system is made easier if you have incorporated a warning banner that informs unauthorized users that their...

Active/Active Failover

Prior to version 7.0, a security administrator could have only one Security Appliance actively passing user traffic, while keeping a second Security Appliance in standby mode, to be activated only during a failure. With active/active failover, both Security Appliances are active and passing user traffic, while still acting as standby Security Appliances for each other. This feature can only be used in conjunction with virtual firewall contexts. To enable active/active failover, create two...

Step 3 Configuring IPSec Security Association Lifetimes

To preclude any opportunity to gather sufficient network traffic using a single encryption key, it is important to limit the key lifetime. This forces a key exchange, changing the encryption scheme and greatly reducing the possibility of cracking the key. Technology continues to advance, producing computers that can break code at faster rates. However, these systems require a certain amount of traffic encrypted under a single key. The idea is to change encryption keys before any system can...

Assigning Interfaces to a Context

Each context can be allocated a number of interfaces that have been enabled in the system configuration mode. Assigned interfaces are given a mapped name that the context's configuration file references for policies and network settings specific to the context. The interfaces can be physical or logical, including subinterfaces. To assign one or more interfaces to a security context, use the allocate-interface command:
allocate-interface physical_interface [map_name] [visible | invisible]...

Cisco VPN Client Manual Configuration Tasks

When using the Cisco VPN Software Client, the Easy VPN Server can push the VPN policy to help facilitate the management of the client systems. Initially, however, you still need to install the Cisco VPN Software Client on the remote system. This manual process involves the following tasks:
Installing the Cisco VPN Software Client
Creating a new connection entry
Modifying VPN Client options (optional)
Installing the Cisco VPN Software Client
Installation of the Cisco VPN Software Client varies...

Cisco PIX 515E

The Cisco PIX 515E Firewall was designed for small- to medium-size businesses. The PIX 515E is the smallest firewall of the PIX family that is designed to be rack-mountable and is a standard 1U (1.75-inch) configuration. It has a 433-MHz processor, 32 MB or 64 MB of RAM, and 16 MB of Flash memory. It has two fixed 10/100 Ethernet interfaces that have a default configuration of outside (Ethernet 0) and inside (Ethernet 1) and contains two PCI slots for the installation of up to four additional...

About the Technical Reviewers

CISSP-ISSAP, CCNP, CCDP, CSSP, is president and principal consultant for SecureNet Consulting, LLC, an information security consulting firm in Fort Worth, Texas, specializing in vulnerability assessments, penetration testing, and the design and implementation of secure network infrastructures. Mr. Chapman divides his time between teaching Cisco security courses and writing about network security issues. He is a senior member of the IEEE. Kevin Hofstra, CCIE No. 14619, CCNP,...

How the Configuration Lines Interact

Figure 13-11 shows the completed configuration for Los Angeles, with a brief explanation for each entry. Note that each entry is connected to one or more other entries on the right. This diagram depicts how the lines of the configuration are dependent on each other. Keep this in mind when trying to troubleshoot a VPN configuration. It might help you to find which line is missing or incorrectly configured.
Figure 13-11 LA Configuration with Comments
PIX Version 6.2(2)
nameif ethernet0 outside...

Completed PIX Configurations

To reduce confusion, it is a good idea to use a common naming convention when creating access lists, transforms, and crypto maps. Example 13-18 shows the completed configuration for the Los Angeles headquarters.
Example 13-18 Completed Configuration for Los Angeles
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security70
enable password HtmvK15kjhtlyfvcl encrypted
passwd Kkjhlkf1568Hke encrypted
domain-name www.Chapter11.com...

AIP-SSM Module

The Cisco ASA Security Appliance series supports the Advanced Inspection and Protection Security Service Module (AIP-SSM). The AIP-SSM comes in two modules: the AIP-SSM-10 and the AIP-SSM-20. Both modules function the same way, support the same features, and look identical. The only difference between the two modules is the processor speed and memory size of the AIP-SSM-20, which are faster and larger than those of the AIP-SSM-10. The AIP-SSM uses two physical channels to communicate with the...

Using ASDM to Create a Site-to-Site VPN

The following steps and corresponding figures show a sample site-to-site VPN configuration using the VPN Wizard on ASDM:
Step 1 Select the VPN Wizard from the Wizards drop-down menu, as shown in Figure 15-20, to start the VPN Wizard.
Figure 15-20 ASDM with VPN Wizard Selected
Step 2 Select the Site-to-Site radio button, as shown in Figure 15-21, to create a site-to-site VPN configuration. This configuration is used between two IPSec security...