A DNS server must be configured for WebVPN and MAPI to function

fw1(config-webvpn)# enable outside
fw1(config)# pop3s

2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0 13-13

To enable WebVPN or e-mail proxy access on a previously configured interface, use the enable command. For WebVPN, use this command in webvpn mode. For e-mail proxies (IMAP4S, POP3S, SMTPS), use this command in the applicable e-mail proxy mode. To disable WebVPN on an interface, use the no version of the command.

A separate global pool is used for each internal network

fw1(config)# nat (inside) 1 10.0.0.0 255.255.255.0
fw1(config)# nat (inside) 2 10.2.0.0 255.255.255.0
fw1(config)# global (outside) 1 192.168.0.3-192.168.0.16 netmask 255.255.255.0
fw1(config)# global (outside) 2 192.168.0.17-192.168.0.32 netmask 255.255.255.0

In the figure, the first nat command statement permits all hosts on the 10.0.0.0 network to start outbound connections using IP addresses from a mapped pool. The second nat command...

Ability to create multiple security contexts (virtual firewalls) within a single security appliance

Cisco PIX and ASA Security Appliance Software v7.0 introduces the ability to create multiple security contexts (virtual firewalls) within a single appliance, with each context having its own set of security policies, logical interfaces, and administrative domain. In the figure, the security appliance on the right is logically divided into four virtual firewalls. This provides businesses with a convenient way to consolidate multiple firewalls into a single...

ACL Comments

access-list aclout line 1 remark web server 1 http
access-list aclout line 2 permit tcp any host 192.168.0.8 eq www (hitcnt=0)
access-list aclout line 3 remark web server 2 http
access-list aclout line 4 permit tcp any host

access-list id [line line-num] remark text   (ACL remark)

fw1(config)# access-list outside line 1 remark web server http

The access-list remark command enables users to include...

ACL Line Number

access-list aclout line 2 permit tcp any host 192.168.0.7 eq www (hitcnt=0)
access-list aclout line 3 permit tcp any host 192.168.0.8 eq www (hitcnt=0)
   <-- Insert
access-list aclout line 4 permit tcp any host 192.168.0.10 eq www (hitcnt=0)
access-list aclout line 5 permit tcp any host

access-list id [line line-number] [extended] {deny | permit} {tcp | udp} {host sip | sip mask | any} [operator port] {host dip | dip mask | any} [operator port]

fw1(config)# access-list aclout line 4 permit tcp any host 192.168.0.9 eq www...

Activate a group or unit: Change CTX2 from standby to active

fw2(config)# failover active group 2

You can activate a unit by using the failover active command. You can activate a group by adding the group keyword to the command string, as in the failover active group command. In the example in the figure, the administrator wants to activate standby CTX2 in the primary unit. To activate CTX2, enter the failover active group 2 command in the primary unit. To deactivate a context, you can use the...

Active Mode FTP Inspection

- Client-initiated command connection (TCP)
- Server-initiated data connection (TCP)

For outbound connections, the security appliance handles active mode FTP by opening a temporary inbound channel for the data. For inbound connections, if an FTP ACL exists, the security appliance handles active mode FTP as follows:
- If outbound traffic is allowed, no special handling is required.
- If outbound traffic is not allowed, it opens a temporary outbound connection for the data.

Active mode FTP uses...

Adding a Static MAC Address

Interface   MAC Address      Type     Time Left
outside     0009.7cbe.2100   static   -
inside      0010.7cbe.6101   static   -

mac-address-table static interface_name mac_address   (Adds a static entry to the MAC address table.)

Normally, MAC addresses are added to the MAC address table dynamically as traffic from a particular MAC address enters an interface.

fw1(config)# mac-address-table static inside 0010.7cbe.6101   <-- Added...

Administrator can set connection limits

emb_limit - Maximum number of embryonic connections per host. An embryonic connection is a connection request that has not completed a TCP three-way handshake between the source and the destination.
tcp_max_conns - Maximum number of simultaneous TCP connections that each real IP host is allowed to use. Idle connections are closed after the time specified by the timeout conn command.
udp_max_conns - Maximum number of simultaneous UDP connections that each real IP host is allowed to use.

Protection...

AIP-SSM Ethernet Connections

The AIP-SSM supports an internal Gigabit Ethernet and a 10/100 Ethernet interface to the ASA 5500 Family main card. The Gigabit Ethernet interface is the primary IPS data-path interface for both inline and promiscuous IPS packets. An internal 10/100 Ethernet interface provides a control channel to the ASA 5500 main card. The external 10/100/1000 Ethernet interface is primarily used for downloading AIP-SSM software and for ASDM access to the AIP-SSM...

AIP-SSM Overview

This topic provides an overview of the AIP-SSM module. There are two AIP-SSM models, the AIP-SSM-10 and the AIP-SSM-20. Both modules appear identical, but the AIP-SSM-20 has a faster processor and more memory than the AIP-SSM-10. Only one module can populate the slot at a time. On the front bezel of the AIP-SSM module, there are four LEDs and one 10/100/1000 Ethernet port. The table lists the states of the AIP-SSM LEDs: On when the security appliance has power. Flashing when the power-up...

An * designates an admin context

(Figure: show context output; the admin context is loaded from disk0:/admin.cfg, and the summary line reads "Total active Security Contexts: 3".)

Use the show context command to view all contexts. From the system execution space, you can view a list of contexts including the name, interfaces, and configuration file. In the system execution space, the security appliance displays all contexts if you do not specify a name. The detail option shows additional information. The count option shows the total number of...

Antireplay

Cisco PIX Security Appliance Software v5.0 and higher use the industry-standard IPSec protocol suite to enable advanced VPN features. IPSec provides a mechanism for secure data transmission over IP networks, ensuring confidentiality, integrity, and authenticity of data communications over unprotected networks such as the Internet. IPSec enables the following security appliance VPN features:
- Data confidentiality: The IPSec sender can...

Applies the crypto map to an interface: Activates IPSec policy

fw1(config)# crypto map FW1MAP interface outside

Step 108 Apply the crypto map to an interface.

firewall(config)# crypto map map-name interface interface-name

Specifies the interface for the SA to use for establishing tunnels with VPN peers. If ISAKMP is enabled and you are using a CA to obtain certificates, this should be the interface with the address specified in the CA certificates. Specifies...

Apply access control list to outside interface

In the figure, a company's network administrator needs to enable Internet users to access the company's public web server. The web server is isolated on the security appliance DMZ. By default, any inbound access to the web server from the Internet is denied. To grant access to Internet users, the administrator must complete the following steps:
- Configure a static translation for the web server address. In this way, the web server address is hidden from the Internet users.
- Configure an inbound...

Apply or View Service Policy Rule

The last step is to apply the service policy rule. Click Apply to initiate the new IPS service policy. In the example in the figure, the outside traffic class, defined as those packets from any source to a destination address of 172.16.1.0/24, will be inspected and analyzed by the AIP-SSM module.

ASA Adaptive Security Appliance Licensing

This topic explains the licensing options for the Cisco ASA 5500 Series Adaptive Security Appliances. Cisco ASA Security Appliance licensing is a feature-based license key system. The Cisco ASA Security Appliance license determines the number of contexts, the type of VPN encryption, and the number of VPN peers that an ASA Security Appliance can support.

(Figure: Available Context Licenses and Upgrade Licenses, from two contexts up to 50 contexts.)

The...

ASDM is a browser-based configuration tool designed to help configure and monitor your security appliance

ASDM is a browser-based configuration tool designed to help the administrator set up, configure, and monitor a Cisco PIX Firewall and Adaptive Security Algorithm (ASA) Security Appliance graphically, without requiring an extensive knowledge of the security appliance command-line interface (CLI). ASDM monitors and configures a single security appliance. You can use ASDM to create a new configuration, or to monitor and maintain current...

Assign an Interface Speed and Duplex: speed and duplex Subcommands

fw1(config)# interface ethernet0 (GigabitEthernet0/0)
fw1(config-if)# ip address 192.168.1.2

Enables an interface speed and duplex.

The hardware speed is set to automatic speed sensing by default; it is recommended that you specify the speed of the network interfaces. This enables the security appliance to operate in network environments that may...

Assign a Security Level: security-level Subcommand

Assigns a security level to the interface.

pix1(config)# interface ethernet0
pix1(config-if)# nameif outside
pix1(config-if)# ip address 192.1
pix1(config-if)# security-level 0

The security-level interface configuration subcommand specifies the security appliance security level (except for the inside and outside security appliance interfaces, which are assigned security levels by default). The inside interface has a default security level of 100; the outside interface has a default security level of...

Assign Commands to Privilege Levels and Enable Command Authorization

firewall> enable 10
Password: PasswOrD
firewall# config t
firewall(config)# access-list

privilege {show | clear | configure} level level [mode {enable | configure}] command command
Configures user-defined privilege levels for security appliance commands.

firewall(config)# aaa authorization command {LOCAL | server-tag}
Enables command authorization.

fw1(config)# enable password PasswOrD level 10
fw1(config)# privilege show level 8 command access-list
fw1(config)# privilege configure level 10 command access-list...

Assigning a Class Map Name

To configure a class map, assign a name to the class of traffic:

pix1(config)# class-map s2s_voice
pix1(config)# class-map internet

The class-map command is used to classify a set of traffic with which security actions may be associated. Configuring a class map is a two-step process: naming the class of traffic and defining the attributes of the traffic. A name is assigned to each individual class of traffic. In the example in the figure,...

Assigning a Policy Map Name

Associate action(s) with the class. Assign one or more classes to the policy map.

pix1(config)# policy-map outside_policy
pix1(config-pmap)# class internet
pix1(config-pmap-c)#

Defining a policy map is a three-step process: naming the policy, identifying a class of traffic covered by this policy, and associating one or more actions with each traffic flow. The first step is to name the policy maps. In the example in the figure, there are two policy maps, the outside_policy policy map and the...

Assigning a Hostname to the Security Appliance: Changing the CLI Prompt

pixfirewall(config)# hostname newname
Changes the hostname in the PIX Firewall CLI prompt.

pixfirewall(config)# hostname Boston
Boston(config)#

In the example in this figure, notice that the default hostname label for the security appliance is pixfirewall. This default hostname is for PIX Security Appliances. The default hostname for the ASA Adaptive Security Appliances is ciscoasa. In a network of...

Assigning the Management IP Address

ip address ip_address [mask] [standby ip_address]

Sets the IP address for an interface (in routed mode) or for the management address (transparent mode). For routed mode, enter this command in interface configuration mode. In transparent mode, enter this command in global configuration mode.

fw1(config)# ip address 10.0.1.1 255.255.255.0

Assigning VLAN Names and Security Levels

fw1(config)# interface ethernet3.1
fw1(config-subif)# vlan 10
fw1(config-subif)# nameif dmz1
fw1(config-subif)# security-level 10

With the nameif command, the administrator defines a name for each VLAN. The interface name is used in all configuration commands on the security appliance instead of the interface type...

Assigns a name to an ICMP-type group and enables the ICMP-type subcommand mode

fw1(config)# object-group icmp-type PING
fw1(config-icmp)# icmp-object echo
fw1(config-icmp)# icmp-object echo-reply

To configure an ICMP-type object group, first enter the object-group icmp-type command to name the ICMP-type object group and enable the ICMP-type subcommand mode. After you are inside the subcommand mode, you can use the icmp-object command to add an ICMP message type to the object group. The syntax for the icmp-object...

Assigns a name to the group and enables the network subcommand mode

fw1(config)# object-group network Inside Eng
fw1(config-network)# network-object host 10.0.0.1
fw1(config-network)# network-object host 10.0.0.2

To configure a network object group, first enter the object-group network command to name the network object group and enable the network object subcommand mode. After you are inside the subcommand mode, you can use the network-object command to add a single host or network to the network object...

Augmenting a Global Pool with PAT

When hosts on the 10.0.0.0 network access the outside network through the security appliance, they are assigned public addresses from the 192.168.0.20-192.168.0.253 range. When the addresses from the global pool are exhausted, PAT begins with the next available IP address, in this case, 192.168.0.254.

You can augment a pool of mapped addresses with PAT. When all IP addresses from the mapped pool are in use, the security appliance begins PAT, using...

Authentication Authorization and Accounting

AAA is used to tell the security appliance who the user is, what the user can do, and what the user did. Authentication is valid without authorization. Authorization is never valid without authentication. Suppose you have 100 users and you want only six of these users to be able to use FTP, Telnet, HTTP, or HTTPS from outside the network. Configure the security appliance to authenticate inbound traffic and give each of the six users an identification on the AAA server. With simple...

Authentication Server Configuration

authentication-server-group group_tag
Specifies the authentication server group that WebVPN users should use. The authentication server must be previously configured using aaa-server commands.

fw1(config-webvpn)# authentication-server-group AUTHSERVER

The authentication-server-group command specifies the set of authentication servers to use with WebVPN or one of the e-mail proxies. For WebVPN, use this command in webvpn mode. For e-mail proxies (IMAP4S, POP3S, or...

Authorization of Non-Telnet, -FTP, -HTTP, or -HTTPS Traffic

aaa authorization {include | exclude} author_service if_name local_ip local_mask foreign_ip foreign_mask server_tag

author_service is protocol/port:
- protocol: tcp (6), udp (17), icmp (1), or others (protocol number)
- port number and message type: the port number is used for TCP, UDP, or ICMP; single port (e.g., 53), port range (e.g., 2000-2050), or port 0 (all ports); ICMP message type (8 = echo request, 0 = echo reply)

aaa authorization include udp/0 outside 0.0.0.0
aaa authorization include tcp/30-100 inside...

Authorization of Non-Telnet, -FTP, or -HTTP Traffic on Cisco Secure ACS

(Figure: Cisco Secure ACS Shell Command Authorization Set options: Assign a Shell Command Authorization Set for any network device; Per Group Command Authorization; Unmatched Cisco IOS commands: Permit / Deny.)

Complete the following steps to add authorization rules for specific non-Telnet, -FTP, -HTTP, or -HTTPS services to any group in Cisco Secure ACS:
Step 63 Click...

Authorization Rules Allowing Specific Services

(Figure: Unmatched Security Appliance commands)

The security appliance aaa authorization command defines which traffic flows to authorize. Clicking the Group Setup button, then selecting the Per Group Command Authorization radio button in the Cisco Secure ACS enables the administrator to permit or deny specific security appliance commands and arguments at the group level. For example, the Executive group might have FTP and HTTP access to all 172.26.26.0/24...

Authorization Rules Allowing Specific Services to Specific Hosts

(Figure: Unmatched Security Appliance commands)

Complete the following steps to add authorization rules for services to specific hosts in Cisco Secure ACS:
Step 54 Click Group Setup from the navigation bar. The Group Setup window opens.
Step 55 Scroll down in Group Setup to the Shell Command Authorization Set area.
Step 56 Select Per Group Command Authorization.
Step 57 Select Deny, which is found under Unmatched Cisco IOS commands. When the administrator selects Deny, the user can issue only listed...

Available IPSec Transforms

The security appliance supports the transforms listed in the figure. Choosing IPSec transform combinations can be complex. The following tips may help you select transforms that are appropriate for your situation:
- If you want to provide data confidentiality, include an ESP encryption transform. Also consider including an ESP authentication transform or an AH transform to provide authentication services for the transform set.
- To ensure data authentication for the outer IP header as well as the...

Backing Up PAT Addresses by Using Multiple PATs

fw1(config)# nat (inside) 1 10.0.0.0 255.255.252.0
fw1(config)# global (outside) 1 192.168.0.8 netmask 255.255.255.255
fw1(config)# global (outside) 1 192.168.0.9 netmask 255.255.255.255

Source addresses of hosts in network 10.0.1.0 are translated to 192.168.0.8 for outgoing access. Address 192.168.0.9 will be used only when the port pool from 192.168.0.8 is at maximum capacity.

With PIX Firewall Security Appliance Software v5.2 and higher, you also can back up your PAT address by having multiple...

Backing Up the Single Mode Configuration

When you convert from single mode to multiple mode, the running configuration is converted into two files:
- A new startup configuration that comprises the system configuration
- admin.cfg, which comprises the admin context

The original running configuration is saved as old_running.cfg (in disk). When you convert from single mode to multiple mode, the security appliance converts the running...

Benefits of Hub-and-Spoke VPNs

- Scale the network by scaling capacity at a specific hub point.
- Only the hub needs to have a static and global IP address. All the spoke PIXs can have DHCP-based dynamic IP addresses, with the hub configured with a dynamic crypto map.
- Very easy to add...

Broadcast Ping test: Sending out a broadcast ping request

Both the primary and secondary security appliances send special failover hello packets to each other over all network interfaces and the failover cable every fifteen seconds (the default), to make sure that everything is working. When a failure occurs in the active security appliance, and the failure is not caused by a loss of power in the standby security appliance, failover begins a series of tests to determine which security...

By entering the write standby command

Configuration replication is the configuration of the primary security appliance being replicated to the secondary security appliance. To perform configuration replication, both the primary and secondary security appliances must be exactly the same and run the same software release (not required starting with Security Appliance Version 7.0). The configuration can be replicated from the active security appliance to the standby security appliance in these three ways:
- When the standby security...

Centrally managed IPSec policies are pushed to the clients by the server minimizing configuration by the end users

The Easy VPN Server enables Cisco IOS routers, security appliances, and Cisco VPN 3000 Series Concentrators to act as VPN headend devices in site-to-site or remote access VPNs, where the remote office devices are using the Easy VPN Remote feature. Using this feature, security policies defined at the headend are pushed to the remote VPN device, ensuring that those connections have up-to-date policies in place before the connection is...

Certificate Authority

The CA support of the security appliance enables the IPSec-protected network to scale by providing the equivalent of a digital identification card to each device. When two IPSec peers wish to communicate, they exchange digital certificates to prove their identities (thus removing the need to manually exchange public keys with each peer or to manually specify a shared key at each peer). The digital certificates are obtained from a CA. CA support on the security appliance uses Directory System...

Cisco 1700 Series

The Easy VPN Remote feature enables Cisco IOS routers, security appliances, and Cisco VPN 3002 Hardware Clients and Software Clients to act as remote VPN Clients. As such, these devices can receive security policies from an Easy VPN Server, minimizing VPN configuration requirements at the remote location. This cost-effective solution is ideal for remote offices with little IT support or large customer premises equipment (CPE)...

Cisco Easy VPN

Cisco VPN 3000 > 3.11 (> 3.5.1 recommended)

Cisco Easy VPN, a software enhancement for existing security appliances, greatly simplifies VPN deployment for remote offices and teleworkers. Based on the Cisco Unified Client framework, Cisco Easy VPN centralizes VPN management across all Cisco VPN devices, greatly reducing the complexity of VPN deployments. Easy VPN...

Cisco Firewall Services Module

This topic describes the Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500 Switch and Cisco 7600 Series Internet Router.
- Designed for campus data center and service provider environments
- Runs in Cisco Catalyst 6500 Series Switches and 7600 Series Routers
- Up to 1 million concurrent connections
- Supports 100 security contexts; 256 interfaces per security context
- 1000 VLANs (maximum per FWSM)
- Supports active/standby failover

The FWSM is...

Cisco VPN Client Features and Benefits

Cisco VPN Client provides the following features and benefits:
- Intelligent peer availability detection
- Command-line options for connecting, disconnecting, and connection status
- Configuration file with option locking
- Support for Microsoft network login (all platforms)
- DNS, WINS, and IP address assignment
- Load balancing and backup server support
- Centrally controlled policies
- Integrated personal firewall (stateful firewall): Zone Labs technology (Windows only)
- Personal firewall enforcement: Zone...

Cisco VPN Client Program Menu

This figure displays the Cisco VPN Client program menu as viewed on a Windows 2000 PC. After the VPN Software Client has been installed, access the VPN Software Client program menu by choosing Start > Programs > Cisco Systems VPN Client. Under the Cisco Systems VPN Client menu, a number of options are available:
- Help: Accesses Software Client help text. Help is also available by doing the following: press F1 at any window while using the Cisco VPN Client, or click the Help button on windows that...

Cisco VPN Client Statistics Menu

(Figure: Statistics window with Tunnel Details, Route Details, and Firewall tabs; Client 10.0.21.1, Server 192.168.1.2, Encrypted 134, Decrypted 0, Discarded 124, Bypassed 5, Transparent Tunneling Inactive, Local LAN Disabled.)

The Cisco VPN Client Statistics menu provides information regarding the current status of the VPN connection. Three tabs contain details on the tunnel, route, and firewall parameters in use.

Cisco VPN Software Client for Windows

(Figure: VPN Client - Version 4.0.1 (Rel) window with the Connection Entries, Status, Certificates, Log, and Options menus and the Connection Entries, Certificates, and Log tabs.)

This figure displays the Cisco VPN Client splash window. Users can preconfigure the connection entry (name of connection) and hostname or IP address of remote Easy VPN Servers. Clicking Connect initiates Internet Key Exchange (IKE) Phase 1. The Cisco VPN Client can be preconfigured for mass deployments,...

CiscoWorks VMS for Firewalls

There are several configuration and management options for FWSM, including the following:
- Console to command-line interface
- Telnet to inside interface of FWSM
- Telnet over IPSec to outside interface of FWSM
- Secure Shell Protocol (SSH) to CLI
- Secure Socket Layer (SSL) to PIX Device Manager
- CiscoWorks Virtual Private Network Security Management Solution (VMS) for firewalls

Note: All FWSM interfaces, including the console, are mapped via...

clear access-list counters Command

fw1(config)# clear access-list aclout counters
fw1(config)# show access-list
access-list ACLOUT line 1 permit tcp 192.168.1.0 255.255.255.0 host 192.168.6.11 eq www (hitcnt=0)
access-list ACLOUT line 2 permit tcp host 192.168.1.10 host 192.168.6.11 eq ftp (hitcnt=0)
access-list ACLOUT line 3 permit tcp any host 192.168.6.10 eq www (hitcnt=0)
access-list ACLOUT line 4 deny ip any any (hitcnt=4)
access-list ICMPDMZ; 1 elements
access-list ICMPDMZ line 1 permit icmp host bastionhost any echo-reply...

Command Authorization Overview

The purpose of command authorization is to securely and efficiently administer the security appliance.
- Enable-level command authorization with passwords
- Command authorization using the local user database
- Command authorization using ACS

Command authorization is a way of facilitating and controlling administration of the security appliance. There are three types of command authorizations that can be used to control which users execute...

Command Authorization Using the Local User Database

Complete the following tasks to configure and use command authorization with the local user database:
- Use the privilege command to assign specific commands to privilege levels.
- Use the username command to create user accounts in the local user database and assign privilege levels to the accounts.
- Use the aaa authorization command to enable command authorization.
- Use the aaa authentication command to enable authentication using the local database.
- Use the login command to log in and access...

Common Uses for Security Contexts

You might want to use multiple security contexts in the following situations:
- You are a service provider and want to sell firewall services to many customers.
- You are a large enterprise or a college campus and want to keep departments completely separate.
- You are an enterprise that wants to provide distinct security policies to different departments.
- You have a...

Completes Connection

After the configuration parameters have been successfully received by the VPN Client, IKE quick mode is initiated to negotiate IPSec SA establishment. After IPSec SA establishment, the VPN connection is complete.

After IPSec SAs are created, the connection is complete.

Config Context Submode: Designating the Configuration File

Identifies the URL from which the system downloads the context configuration. When you add a context URL, the system immediately loads the context so that it is running. If the system cannot retrieve the context configuration file, the system creates a blank context. Also used to change the URL of a previously configured context.

fw1(config-ctx)# config-url disk0:/context3.cfg
fw1(config-ctx)# show run
allocate-interface GigabitEthernet0/0
allocate-interface GigabitEthernet0/1
config-url disk0...

Configuration of Contexts

Each context has its own configuration file, which is specified using the config-url command. Until the config-url command has been entered, the context is not operational. The config-url command accepts the following URL types:
- disk0:/ (flash:/): Configurations stored on the Flash filesystem of the device
- disk1:/: Configurations stored on the compact Flash memory card of the device
- tftp://: TFTP server-based configurations
- ftp://: FTP server-based configurations
- https://: Web server-based configurations (read-only)...

Configure a Virtual Private Dial-Up Networking Group

vpdn group group_name request dialout pppoe
Defines a VPDN group to be used for PPPoE.

vpdn group group_name ppp authentication {PAP | CHAP | MSCHAP}
Selects an authentication method.

vpdn group group_name localname username
Associates the username assigned by your ISP with the VPDN group.

Configure ACLs

access-list id [line line-number] [extended] {deny | permit} {protocol | object-group protocol_obj_grp_id} {host sip | sip mask | interface ifc_name | object-group network_obj_grp_id | any} {host dip | dip mask | interface ifc_name | object-group network_obj_grp_id | any} [log [[level] [interval secs] | disable | default]] [inactive | time-range time_range_name]

Determines which traffic should be allowed through the firewall. Remember that by default, no traffic is allowed through the firewall regardless of the security level that is...

Configure Hub-and-Spoke VPN

VPN spokes can be terminated on a single interface. Traffic from the same security level can also be permitted.

same-security-traffic permit {inter-interface | intra-interface}
Permits communication between different interfaces with the same security level or between VPN peers connected to the same interface.

fw1(config)# same-security-traffic permit intra-interface

All of the VPN spokes can be terminated on a single interface by using the...

Configure Syslog Output to a Syslog Server

The security appliance generates syslog messages for system events, such as alerts and resource depletion. Syslog messages can be used to create log files or can be displayed on the console of a designated syslog host. The security appliance can send syslog messages to any syslog server. In the event that all syslog servers or hosts are offline, the security appliance syslog server stores up to 512 messages in its...

Configure the FWSM VLANs

With a security appliance, you take it out of the box, hook up LAN cables, power on the device, and then start to configure the security policy. But an FWSM is not a standalone device. It is a security module within a Catalyst chassis. Before you can begin configuring a security policy in an FWSM, you must complete the following tasks: configure the switch VLANs, and associate VLANs with the FWSM. You can access the switch CLI through a...

Configure WebVPN Servers and URLs

This topic covers how to configure WebVPN servers and URLs.
Enable the WebVPN protocol for a group policy:
fw1(config)# group-policy WEBVPN1 attributes (enters the group-policy attributes subcommand mode)
fw1(config-group-policy)# vpn-tunnel-protocol webvpn (syntax: vpn-tunnel-protocol {webvpn | IPSec})
Use the vpn-tunnel-protocol command in group-policy configuration mode or username configuration mode to configure a VPN tunnel type (IPSec or WebVPN) for the...

Configures the IKE DPD Parameters

fw1(config)# tunnel-group training ipsec-attributes
fw1(config-ipsec)# isakmp keepalive threshold 30 retry 10
DPD allows two IPSec peers to determine if the other is still alive during the lifetime of a VPN connection. DPD is useful because a host may reboot, or the dial-up link of a remote user may disconnect, without notifying the peer that the VPN connection has gone away. When the IPSec host determines that a VPN connection no longer...

Configuring Four Interfaces

fw1(config)# interface ethernet0
fw1(config-if)# nameif outside
fw1(config-if)# ip address 192.168.0.2 255.255.255.0
fw1(config)# interface ethernet1
fw1(config-if)# nameif inside
fw1(config-if)# ip address 10.0.0.1 255.255.255.0
fw1(config)# interface ethernet2
fw1(config-if)# nameif dmz
fw1(config-if)# sec 50
fw1(config-if)# ip address 172.16.0.1 255.255.255.0
fw1(config)# interface ethernet3
fw1(config-if)# nameif partnernet
fw1(config-if)# sec 40
fw1(config-if)# ip address 172.18.0.1 255.255.255.0
...

Configuring LAN Failover Primary

fw2(config)# interface ethernet3
fw2(config-if)# no shut
fw2(config)# failover lan interface LANFAIL ethernet3
fw2(config)# failover interface ip LANFAIL 172.17.2.1 255.255.255.0 standby 172.17.2.7
fw2(config)# failover lan unit primary
The following steps provide more details about configuring LAN-based failover. Step 181: Complete the following substeps to configure the primary security appliance before 16. Use the clock set command on...

Configuring PIM

pim rp-address ip_address [acl] [bidir]: configures the address of the PIM rendezvous point
pim dr-priority: changes the designated router priority value
fw1(config)# multicast-routing
fw1(config)# pim rp-address 192.168.10.1
fw1(config)# interface ethernet1
fw1(config-if)# pim dr-priority 5
Devices use PIM to maintain forwarding tables for forwarding multicast packets. To enable IP multicast routing on the security appliance, use the multicast-routing...

Configuring SSH Access to the Security Appliance Console

ssh: specifies the host or network authorized to initiate an SSH connection
ssh timeout: specifies how long a session can be idle before being disconnected
Complete the following steps to configure an SSH connection to your security appliance. Step 189: Obtain an SSH client and install it on the system from which you want to establish the SSH connection. Step 190: Use the crypto key zeroize rsa command to delete any previously created RSA Step...

Configuring Three Interfaces

fw1(config)# interface ethernet0
fw1(config-if)# nameif outside
fw1(config-if)# ip address 192.168.0.2 255.255.255.0
fw1(config)# interface ethernet1
fw1(config-if)# nameif inside
fw1(config-if)# ip address 10.0.0.1 255.255.255.0
fw1(config)# interface ethernet2
fw1(config-if)# nameif dmz
fw1(config-if)# sec 50
fw1(config-if)# ip address 172.16.0.1 255.255.255.0
fw1(config)# nat (inside) 1 10.0.0.0 255.255.255.0
fw1(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
fw1(config)# ...

Congestion detection and avoidance mechanisms

TCP is a connection-oriented protocol. When a session from a more secure host inside the security appliance is started, the security appliance creates an entry in the session state filter. The security appliance is able to extract network sessions from the network flow and actively verify their validity in real time. This stateful filter maintains the state of each network connection and checks subsequent protocol units against its...

Connecting to the Security Appliance with an SSH Client

fw1(config)# crypto key zeroize rsa
fw1(config)# write memory
fw1(config)# domain-name cisco.com
fw1(config)# crypto key generate rsa modulus 1024
fw1(config)# write memory
fw1(config)# ssh 172.26.26.50 255.255.255.255 outside
fw1(config)# ssh timeout 30
...

Connections Versus Translations

Translations: NAT maps a mapped address to a real address; PAT maps a mapped address and port to a real address and port. Connections: host address and port to host address and port.
Translations are at the IP layer. For NAT translations, it is the mapped IP address to the real IP address. For PAT translations, it is the mapped address and mapped port number to the real address and real port number. Connections are at the transport layer, specifically TCP. Connections are from a host and...

Context Allocate Interfaces and Assign a Failover Group Number

fw2(config-ctx)# allocate-interface ethernet0
fw2(config-ctx)# allocate-interface ethernet1
fw2(config-ctx)# config-url flash:/ctx1.cfg
fw2(config-ctx)# join-failover-group 1
fw2(config)# context ctx2
fw2(config-ctx)# allocate-interface ethernet3
fw2(config-ctx)# allocate-interface ethernet4
fw2(config-ctx)# config-url flash:/ctx2.cfg
fw2(config-ctx)# join-failover-group 2
Associate interfaces and a failover group with a context...

Context Configuration Files

Context configuration files have the following characteristics: Each context has its own configuration file. The security appliance also includes a system configuration that identifies basic settings for the security appliance, including a list of contexts. [Figure: System Config, Security Context, Admin] Each context has its own configuration file that identifies the security policy, interfaces, and almost all the options you can configure on a stand-alone firewall. You can store context configurations on...

Context Monitoring

You can monitor specific context-related statistics by selecting a context from the Context dropdown menu and then clicking Monitoring. From the Context Monitoring window, you can monitor context interfaces, routing, administration, connections, logging, and IP audit statistics.

Course Flow

Course Introduction
Lesson 1: Cisco Security Appliance Technology and Features
Lesson 2: Cisco PIX Security Appliance and ASA Adaptive Security Appliance Families
Lesson 5: Access Control Lists and Content Filtering
Lesson 6: Object Grouping
Lesson 9: Modular Policy Framework
Lesson 10: Advanced Protocol Handling
Lesson 13: Configuring ASA for WebVPN
Lesson 14: Configuring Transparent Firewall
Lesson 17: Cisco Security Appliance Device Manager
Lesson 18: AIP-SSM Getting Started
Lesson 3: Getting Started...

Course Goal and Objectives

This topic describes the course goal and objectives. The goal of Securing Networks with PIX and ASA v4.0 is to provide the learner with the skills necessary to configure, maintain, and operate PIX and ASA security appliances. Upon completing this course, you will be able to meet these objectives: describe firewall technology and security appliance features; describe security appliance models, option cards, and...

Create a Security Policy

Identify a class of traffic. Associate the IPS policy with the class of traffic. Activate the policy globally or on an interface.
The last step in the process is to create a security policy on the ASA security appliance. A security policy enables the ASA security appliance to prefilter, then pass selected traffic to the AIP-SSM module for...

Create a Service Policy

Enable the policy globally or on an interface. The Add Service Policy Rule Wizard dialog box guides you through the addition of a new service policy rule. The new security policy rule can be applied to a specific interface, such as the outside or inside interface, or can be applied globally to all interfaces. A description of the fields in the "Create a service policy and apply to" group box is as follows. Interface radio button: applies the rule to a...

Create a Static Translation for Web Server

fw1(config)# static (dmz,outside) 192.168.0.9 172.16.0.2 0 0
Maps an inside private address to an outside public address. The first step is to map the IP address of the web server to a fixed outside address. This hides the true address of the web server. Internet hosts access the DMZ web server via the mapped outside IP address. The security appliance performs the necessary translations to send the packet from the outside interface to the DMZ interface. To...

Create and Password Protect Your Privilege Levels

enable password password [level level] [encrypted]: configures enable passwords for the various privilege levels
fw1(config)# enable password Passw0rD level 10
enable level: provides access to a particular privilege level from the > prompt
fw1> enable 10
Password: Passw0rD
fw1#
The security appliance supports up to sixteen privilege levels (levels zero through fifteen). You can create privilege levels and secure them by using the enable password...

Create IKE Policies for a Purpose

IKE negotiations must be protected, so each IKE negotiation begins by each peer agreeing on a common (shared) IKE policy. This policy states which security parameters will be used to protect subsequent IKE negotiations. After the two peers agree upon a policy, an SA established at each peer identifies the security parameters of the policy. These SAs apply to all subsequent IKE traffic during the negotiation. You can create multiple, prioritized policies at each peer to ensure that at least one...

Creates a policy suite grouped by priority number
Creates policy suites that match peers
Can use default values

Step 97: Configure an IKE Phase 1 policy with the isakmp policy command to match expected IPSec peers by completing the following substeps. 16. Identify the policy with a unique priority designation, according to the table.
firewall(config)# isakmp policy priority
Specifies that encrypted IKE messages protected by this suite are encrypted using AES with a 128-bit key. Specifies that encrypted IKE messages protected by this suite are encrypted using AES with...

Creates a username and password pair for the PPPoE connection

Step 211: Use the vpdn username command to create a username and password pair for the PPPoE connection. This username and password combination is used to authenticate the PIX Security Appliance to the access concentrator. The username must be a username that is already associated with the VPDN group specified for PPPoE. The clear vpdn command removes all vpdn commands from the configuration. The clear vpdn group command removes all...

Creates an optional local address pool if the remote client is using the remote server as an external DHCP server

fw1(config)# ip local pool MYPOOL 10.0.11.1-10.0.11.254
If you are using a local IP address pool, you must also configure that pool. Use the ip local pool command. The syntax for this command is as follows:
ip local pool poolname first-address-last-address [mask mask]
first-address: specifies the starting address in the range of IP addresses
last-address: specifies the final address in the range of IP addresses
(Optional)...

Cut-Through Proxy Operation

Types of cut-through proxy user authentication:
Local username and password: The user makes a request to access the web server. The user is prompted by the security appliance. The local username and password are passed to the web server to authenticate.
Cisco Secure ACS server: The user makes a request to access the web server. The user is prompted by the security appliance. The security appliance queries Cisco Secure ACS for the remote username and password. Once the user authenticates, the user is cut through the security appliance. The...

Debug Commands

debug arp-inspection: tracks the code path of the ARP forwarding and ARP inspection module in transparent firewall
debug mac-address-table: tracks insert, delete, and update operations on the bridge table maintained for transparent firewall
fw1# debug arp-inspection
fw1# debug mac-address-table
Two new debug commands have been introduced with regard to transparent firewall mode: debug arp-inspection shows debug messages for ARP inspection; debug...

Debug IKE and IPSec traffic through the security appliance

You also can perform these actions to test and verify that you have correctly configured the VPN on the security appliance:
Verify the correct crypto map configuration with the show run crypto map command.
Clear IPSec SAs for testing of SA establishment with the clear crypto ipsec sa command.
Clear IKE SAs for testing of IKE SA establishment with the clear crypto isakmp sa command.
Debug IKE and IPSec traffic through the security...

Default Traffic Inspection and Port Numbers

By default, protocol inspection is enabled. In the example in the figure, by default, the security appliance is configured to inspect the listed protocols on the specified TCP or UDP port numbers. For example, the security appliance inspects FTP traffic on TCP port 21.

Define IKE Policy Parameters

You can select specific values for each IKE parameter, per the IKE standard. You choose one value over another based on the security level you desire and the type of IPSec peer to which you will connect. There are five parameters to define in each IKE policy, as outlined in the previous figure and in the following table. The figure shows the relative strength of each parameter, and the table shows the default values.
[Figure: relative strength of parameters: 56-bit DES, 168-bit 3DES, AES 128-bit key, AES 192-bit key, AES 256-bit key, SHA-1...]

Define IPS Policy

The Intrusion Prevention tab enables you to configure the IPS action to take on the selected traffic class. This window appears only if IPS software and AIP-SSM hardware are installed in the security appliance. The fields in the Intrusion Prevention area are as follows. Enable IPS for this traffic flow: this check box enables or disables intrusion prevention for the...

Defines a Controlled VLAN on the MSFC and Assigns an IP Address

switch(config)# vlan 100,200,300
switch(config-vlan)# exit
switch(config)# int vlan 100
switch(config-if)# ip address 192.168.1.2 255.255.255.0
switch(config-if)# no shut
switch(config-if)# int vlan 200
switch(config-if)# ip address 10.1.1.1 255.255.255.0
switch(config-if)# no shut
switch(config-if)# int vlan 300
switch(config-if)# ip address 172.16.1.1 255.255.255.0
switch(config-if)# no shut
You can install the FWSM in the Catalyst 6500 Series...

Defines the type of VPN connection that is to be established

fw1(config)# tunnel-group 192.168.6.2 type ipsec-l2l
firewall(config)# tunnel-group name type type
name: specifies the name of the tunnel group. This can be any string you choose. If the name is an IP address, it is usually the IP address of the peer.
A tunnel group is a set of records that contain tunnel connection policies. You configure a tunnel group to identify AAA servers, specify connection parameters, and define...

Defining Authentication Type

authentication {aaa | certificate | mailhost | piggyback}: specifies the authentication method(s) that are used with the e-mail proxy
- aaa: use a previously configured AAA server for authentication
- certificate: use a certificate for authentication
- mailhost: authenticates via the remote mail server (SMTPS only)
- piggyback: requires use of an established HTTPS WebVPN session
fw1(config-pop3s)# authentication piggyback
Use the authentication command to configure authentication methods for the e-mail proxy. To restore the...

Defining Class Match Criteria

[Figure: System Engineers] To configure a class map, define a class of traffic identified by a class map name:
pix1(config)# class-map se
pix1(config-cmap)# match tunnel-group se
pix1(config-cmap)# match flow ip destination-address
pix1(config)# class-map s2s_voice
pix1(config-cmap)# match tunnel-group site_c
pix1(config-cmap)# match dscp cs5
You may want to police the traffic of remote access users. You also may want to route VPN site-to-site voice traffic through the...

Defining E-Mail Server and Authentication Server

server: specifies the default server for use with the e-mail proxy
authentication-server-group group_tag: specifies the authentication server to use with the e-mail proxy
fw1(config-pop3s)# authentication-server-group AUTHSERVER
Use the server command in the applicable e-mail proxy mode to specify a default e-mail proxy server. The security appliance sends requests to the default e-mail server when the user connects to the e-mail proxy without specifying a server....

Defining Proxy Servers

fw1(config)# pop3s (enters the appropriate e-mail proxy subcommand mode)
fw1(config-pop3s)#
Proxy servers are defined by entering the appropriate subcommand mode in global configuration mode. Proxy servers are available for POP3S, SMTPS, and IMAP4S. The following attributes can be configured in each subcommand mode. port: specifies the port the POP3S proxy listens to. The default is 995. The value is limited to valid port numbers....

Designate the URL-Filtering Server

url-server (if_name) vendor websense host local_ip [timeout seconds] [protocol {TCP | UDP} [version {1 | 4}]]: designates a server that runs a Websense URL-filtering application
url-server (if_name) vendor n2h2 host local_ip [port number] [timeout seconds] [protocol {TCP | UDP}]: designates a server that runs an N2H2 URL-filtering application
fw1(config)# url-server (dmz) vendor n2h2 host 172.16.0.3 protocol TCP
Before you can begin URL filtering, you must designate at least one server on which the Websense or N2H2...

Determine IKE Phase 1 Policy

An IKE policy defines a combination of security parameters to be used during the IKE negotiation. A group of policies makes up a protection suite of multiple policies that enable IPSec peers to establish IKE sessions and SAs with a minimum of configuration.