Time Setting and NTP Support

This topic explains how to set the clock on the security appliance and synchronize the times of devices operating over an IP data network.

clock set hh:mm:ss {day month | month day} year
  Sets the security appliance clock.

Cisco Systems, Inc. All rights reserved. SNPA v4.0 3-52

The clock set command sets the security appliance clock. It enables you to specify the time, month, day, and year. The clock setting is retained in memory when the power is off by a battery on the security appliance's motherboard....

Default Protocol Inspection Policy

class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 ras
  inspect netbios
  inspect sunrpc
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect tftp
  inspect xdmcp

By default, protocol inspection is enabled globally. The command class-map inspection_default identifies a class of traffic that matches the TCP and UDP port numbers delineated under the...

Configuring Downloadable ACLs in Cisco Secure ACS

There are two methods of configuring downloadable ACLs on the AAA server. The first method, downloading named ACLs, is to configure the SPC to include both the ACL name and the actual ACL, then configure a user or group authentication profile to include the SPC. If you configure a downloadable ACL as a named SPC, you can apply that ACL to any number of Cisco Secure ACS user or group profiles. This method should be used when there are frequent requests for downloading a large ACL. The second...

Easy VPN Remote Configuration

This topic describes basic commands that are useful for configuring the PIX Security Appliance as an Easy VPN Remote client.

Easy VPN Remote Client Configuration
vpnclient vpngroup group_name password preshared_key
  Indicates group name and preshared key
vpnclient username xauth_username password xauth_password
  Indicates VPN client extended authentication username and password
vpnclient server ip_primary [ip_secondary_n]
  Indicates Easy VPN Server IP address

pix1(config)# vpnclient vpngroup training password cisco123
pix1(config)# vpnclient username student1 password training...

Context Configure Interfaces

Interface e0: IP address 192.168.1.2, standby 192.168.1.7
Interface e1: IP address 10.0.1.1, standby 10.0.1.7
Interface e3: IP address 192.168.31.7, standby 192.168.31.7
Interface e4: IP address 10.0.31.7, standby 10.0.31.7

fw2(config)# changeto context ctx1
fw2/ctx1(config)# interface ethernet0
fw2/ctx1(config-if)# ip address 192.168.1.2 255.255.255.0 standby 192.168.1.7
fw2/ctx1(config-if)# nameif outside
fw2/ctx1(config-if)# exit
fw2/ctx1(config)# interface ethernet1
fw2/ctx1(config-if)# ip address...

EtherType ACLs

access-list id ethertype {deny | permit} {ipx | bpdu | mpls-unicast | mpls-multicast | any | hex_number}

The transparent firewall introduces a new type of ACL, the EtherType ACL. With EtherType ACLs, an administrator can allow specific non-IP packets through the firewall.

fw1(config)# access-list ETHER ethertype permit ipx
fw1(config)# access-group ETHER in interface inside
fw1(config)# access-group ETHER in interface outside

To configure an ACL that...

Active/Active Failover (Cont.)

- Under failed conditions, Unit A determines that the outside interface on CTX1 has failed.
- CTX1 is placed in the failed state. Unit A has one failed and one standby context.
- On Unit B, CTX1 becomes active. Unit B has two active contexts.
- Both active contexts pass traffic.

Failover can be context-based or unit-based....

Authenticate to the Security Appliance before accessing other services

The security appliance authenticates users via Telnet, FTP, HTTP, or HTTPS. But what if users need to access a Microsoft file server on port 139 or a Cisco IP/TV server? How will they be authenticated? Whenever users are required to authenticate to access services other than by Telnet, FTP, HTTP, or HTTPS, they need to do one of the following:
- Option 1: Authenticate first by accessing a Telnet, FTP, HTTP, or HTTPS server before accessing other services....

Show failover Command Secondary Security Appliance Powered

Cable status: Other side not connected
Failover LAN Interface: N/A - Serial-based
Unit Poll frequency 15 seconds, holdtime 45
Monitored Interfaces 3 of 250 maximum
Last Failover at: 13:21:38 UTC Dec 10 2004
Other host: Secondary - Not detected
Stateful Failover Logical Update Statistics

Use the show failover command to view the failover status. The show failover command provides the following information:
Primary and secondary unit status...

Inbound HTTPS Access Solution

[Figure: outside network 192.168.0.0, inside network 10.0.0.0, e-banking web server on the DMZ]

fw1(config)# static (DMZ,outside) 192.168.0.10 172.30.4.2 0 0
fw1(config)# access-list aclout permit tcp any host 192.168.0.10 eq https
  Permit outside HTTPS access to e-banking web server

In the example in the figure, a company locates its e-banking solution on the DMZ. The administrator wants to establish secure communications between the Internet users and the e-banking web server. To establish an inbound HTTP...

Step 2 Connecting the Failover Cable

Connect the serial failover cable to the primary security appliance, ensuring that the end of the cable marked Primary attaches to the primary security appliance and that the end marked Secondary connects to the secondary security appliance. Do not power on the secondary security appliance.

Note: The cable itself determines the assignment of the primary and secondary failover unit.

Step 3 Configuring the Primary Security Appliance
Enable failover on the primary security appliance....

Passive Mode FTP Inspection

- Client-initiated command connection (TCP)
- Client-initiated data connection (TCP)
For outbound connections, the security appliance handles PFTP as follows:
- If outbound traffic is allowed, no special handling is required.
- If outbound traffic is not allowed, it opens an outbound port for the data channel.
For inbound connections, if an FTP ACL exists, the security appliance opens an inbound port for the data channel. Passive mode FTP (PFTP) also...

Interface Command and Subcommands

Specifies a perimeter interface and its slot location on the firewall.
pix1(config)# interface ethernet0 (GigabitEthernet0/0)
pix1(config-if)#

The interface command identifies a perimeter interface and its slot location on the security appliance. The PIX Security Appliance interfaces are numbered from 0 to X (where X is the highest-numbered interface on the PIX Security Appliance). The ASA Adaptive Security Appliance interfaces are numbered 0/0, 0/1, 0/2, and so on. For...

Configure WebVPN Port Forwarding

This topic covers how to configure WebVPN port forwarding.

Enable Port Forwarding for WebVPN Users
functions {file-access | file-browsing | file-entry | filter | url-entry | mapi | port-forward | none}
  Enables port forwarding for the group
fw1(config-group-webvpn)# functions port-forward
port-forward value {listname | none}
  Enters the predefined port-forwarding list configured by using the port-forward command
fw1(config-group-webvpn)# port-forward value Applications

Use the...

Multimedia RTP/RTCP

Session Initiation Protocol (SIP) is an application-layer control protocol used to set up and tear down multimedia sessions. These multimedia sessions include Internet telephony and similar applications. SIP uses RTP for media transport and RTCP for providing a quality of service (QoS) feedback loop. Using SIP, your security appliance can support any SIP Voice over IP (VoIP) gateways and VoIP proxy servers. To support SIP calls through the security appliance, signaling messages for the media...

Apply Nested Object Group to ACL

fw1(config)# access-list aclin permit tcp object-group Inside_Networks any object-group Host_Services

The keyword object-group must precede the object group name in order to use object groups in your ACLs. An object group cannot be removed or emptied if it is currently being used in an ACL command. In the figure, all hosts in the Inside_Networks nested group are permitted to access any host via the services in the Host_Services group. When used with object...

service-policy: Applies policy to an interface or globally

To filter FTP commands, you must follow four steps. First, define in the ftp-map command which FTP commands you want to filter. Second, identify a traffic flow in the class-map command. Third, configure a policy that associates the FTP commands that are to be filtered (the ftp-map command) with the traffic flow that is identified in the class-map. And finally, use a service policy to enable the policy on an interface or on a global...

Cisco PIX Firewall 501 Security Appliance

Designed for small offices and teleworkers
- 7500 concurrent connections
- 60-Mbps throughput
- Interface support
  - Supports one 10/100BASE-T* Ethernet interface (outside)
  - Has four-port 10/100 switch (inside)
- 4.5-Mbps 128-bit AES
- Ten simultaneous VPN peers
* 100BASE-T speed option is available in release 6.3.

The PIX 501 Security Appliance measures only 1.0 x 6.25 x 5.5 inches and weighs only 0.75 pounds, yet it delivers enterprise-class security for small offices and teleworkers. Ideal for...

Enable URL Entry for WebVPN Users Cont

functions {file-access | file-browsing | file-entry | filter | url-entry | mapi | port-forward | none}
  Enables file access, entry, browsing, and URL entry for the group
fw1(config-group-webvpn)# functions url-entry file-access file-entry file-browsing
  Selects predefined URLs that were configured by using the url-list command
fw1(config-group-webvpn)# url-list value URLs

Use the functions command in webvpn mode to enable file access and file browsing, MAPI proxies, and URL...

PIX License Types

UR: Allows installation and use of the maximum number of interfaces and RAM supported by the platform.
Restricted: Limits the number of interfaces supported and the amount of RAM available within the system (no contexts and no failover).
Active/standby failover: Places one security appliance in a failover mode for use alongside a security appliance that has a UR license. Only one unit can be actively processing user traffic; the other unit acts as a hot standby.
Active/active failover: Places a...

Account Disable

The Account Disable group box can be used to define the circumstances under which the user's account is disabled.

Note: This action is not to be confused with account expiration resulting from password aging. Password aging is defined for groups only, not for individual users.

Never: Select this button to keep the user's account always enabled. This is the default.
Disable account: Select this button to disable the account under the circumstances you specify in the following fields:
Date exceeds: From the drop-down...

AIP-SSM Module No Software

Getting details from the Service Module, please wait
ASA 5500 Series Security Services Module-10

You can use the show module 1 detail command to view the module 1 configuration. You can view such statistics as hardware version, software version, firmware version, and status of the AIP-SSM module. The table lists the parameters of the command.

show module [all | slot [details | recover]]

details   Shows additional version information.
recover   Shows the settings for the hw-module module...

Viewing and Saving Your Configuration

The following commands enable you to view or save your configuration. There are two configuration memories in the Cisco security appliances: the running configuration and the startup configuration. The show running-config command displays the current configuration in the security appliance's RAM on the terminal. Any changes made to the security appliance's configuration are written into the running configuration. This is volatile RAM. If the security appliance loses power or is rebooted, any changes to...

PPPoE and the PIX Security Appliance

This topic describes how the PIX Security Appliance works with Point-to-Point Protocol over Ethernet (PPPoE).

[Figure: PPPoE client, DSL modem, and PPPoE access concentrator]

The PIX Security Appliance can be configured as a Point-to-Point Protocol over Ethernet (PPPoE) client. This makes it compatible with broadband offerings that require PPPoE usage. Many ISPs deploy PPPoE because it supports high-speed broadband access using their existing remote access infrastructure and because it is easy for customers to...

PIX Firewall 515E Fast Ethernet Card Port Numbering

PIX Firewall 515E Security Appliance option cards require the UR license.

If one or two 1FE cards are installed in the auxiliary assembly at the left rear of the PIX Security Appliance, the cards are numbered top to bottom; therefore, the top card is Ethernet2 and the bottom card is Ethernet3. The quad-port card is a 4FE card. When you connect the perimeter network...

Show Commands

interface Ethernet0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 192.168.2.2 255.255.255.0
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.0.2.1 255.255.255.0

Interface GigabitEthernet0/0 "outside", is up, line protocol is
  Detected Speed 100 Mbps, Full-duplex
  MAC address 000b.fcf8.c538, MTU 1500
  IP address 192.168.1.2, subnet mask 255.255.255.0
  0 packets input, 0 bytes, 0 no buffer
  Received 0 broadcasts, 0 runts, 0 giants
  0 input...

A default group policy named DfltGrpPolicy always exists on the security appliance

group-policy name internal [from group-policy_name]
fw1(config)# group-policy training internal

A default group policy, named DfltGrpPolicy, always exists on the security appliance. The syntax for this command is as follows:
group-policy name internal [from group-policy_name]
group-policy name external server-group server_group password server_password...

Outside Multicast Server Example Inside Receiving Hosts

1. Host 10.0.0.11 sends an IGMP report (source 10.0.0.11, destination 224.0.1.50, IGMP group 224.0.1.50).
2. The security appliance accepts the packet, and IGMP places the inside interface on the output list for the group.
3. The security appliance forwards the IGMP packet to the multicast router (source 172.16.0.1, destination 224.0.1.50, IGMP group 224.0.1.50).
4. The router places the input interface on the output list for the group.
5. Packets from the multicast server arrive at the router, which...

Configure the Security Appliance to Use ASDM

ASDM: Define Hostname

Before you can use ASDM, you need to enter the following information on the security appliance via a console terminal:
- Enable the HTTP server on the security appliance
- IP addresses of hosts authorized to access the HTTP server

You can either preconfigure a new security appliance through the interactive prompts, which appear after the security appliance boots, or enter the commands shown below each information item. The security...

Enable logging time stamp on syslog messages Specify the logging device identifier Enable logging

fw1(config)# logging host inside 10.0.1.11
fw1(config)# logging trap warnings
fw1(config)# logging timestamp
fw1(config)# logging device-id pix6
fw1(config)# logging on

In the figure, the security appliance is configured to send the logging messages to syslog server 10.0.0.12. The messages that are sent will consist of warning messages and messages of higher severity. Each message is time-stamped and assigned a device identifier of pix6. Lastly, logging is turned on. In the example syslog output,...

Configuring Authentication with the Local Database

firewall> login
Username: kenny
Password: chickadee
firewall# config t

aaa authentication serial console server-tag LOCAL

fw1(config)# privilege configure level 10 command access-list
fw1(config)# username kenny password chickadee privilege 10
fw1(config)# aaa authorization command LOCAL
fw1(config)# aaa authentication enable console LOCAL...

AIP-SSM Modes of Operation

An AIP-SSM can be configured to operate in one of two IPS modes, promiscuous or inline. In promiscuous mode, the IPS module is not in the traffic packet flow. You can configure a security policy (using standard rules and access control lists [ACLs]) to identify traffic that will be copied and passed to the AIP-SSM module. The AIP-SSM module performs analysis of the traffic. A significant benefit of operating an IPS module in promiscuous mode is that the...

RealNetworks RDP Mode

In RealNetworks RDP mode, RTSP uses three channels:
- Control connection (TCP)
- UDP data (simplex UDP)
- UDP resend (simplex UDP)
For outbound connections, the security appliance handles RealNetworks RDP mode as follows:
- If outbound traffic is allowed, it opens an inbound port for UDP data.
- If outbound traffic is not allowed, it opens an inbound port for UDP data and an outbound port for UDP resend.
For inbound connections, if an ACL exists, the security appliance handles RealNetworks RDP mode as follows:
- If outbound...

How to View Accounting Information in Cisco Secure ACS

[Screenshot: Cisco Secure ACS Reports and Activity page listing Start and Stop accounting records for the Default Group, dated 02/11/2003]

Complete the following steps to add accounting rules in Cisco Secure ACS:
Step 75 Click...

Define policy actions associated with one or more classes of traffic

pix1(config)# policy-map outside_policy
pix1(config-pmap)# class internet
pix1(config-pmap-c)# ?
MPC policy-map class configuration commands:
  exit      Exit from MPC class action configuration mode
  help      Help for MPC policy-map configuration commands
  no        Negate or set default values of a command
  priority  Strict scheduling priority for this class
  set       Set QoS values or connection values

The last step in configuring a policy map is to associate action(s) with specific traffic...

Command Authorization Using ACS

Complete the following tasks to configure and use ACS command authorization:
- Create a user profile on the TACACS+ server with all the commands that the user is permitted to execute.
- Use the aaa-server command to specify the TACACS+ server.
- Use the aaa authentication command to enable authentication with a TACACS+ server.
- Use the aaa authorization command to enable command authorization with a TACACS+ server.

Only enable authorization...