A separate global pool is used for each internal network

fw1(config)# nat (inside) 1 10.0.0.0 255.255.255.0
fw1(config)# nat (inside) 2 10.2.0.0 255.255.255.0
fw1(config)# global (outside) 1 192.168.0.3-192.168.0.16 netmask 255.255.255.0
fw1(config)# global (outside) 2 192.168.0.17-192.168.0.32 netmask 255.255.255.0

2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0 4-14

In the figure, the first nat command statement permits all hosts on the 10.0.0.0 network to start outbound connections using IP addresses from a mapped pool. The second nat command...

Ability to create multiple security contexts (virtual firewalls) within a single security appliance

Cisco PIX and ASA Security Appliance Software v7.0 introduces the ability to create multiple security contexts (virtual firewalls) within a single appliance, with each context having its own set of security policies, logical interfaces, and administrative domain. In the figure, the security appliance on the right is logically divided into four virtual firewalls. This provides businesses with a convenient way to consolidate multiple firewalls into a single...

ACL Comments

access-list aclout line 1 remark web server 1 http
access-list aclout line 2 permit tcp any host 192.168.0.8 eq www (hitcnt=0)
access-list aclout line 3 remark web server 2 http
access-list aclout line 4 permit tcp any host

access-list id line line-num remark text

ACL remark.

fw1(config)# access-list outside line 1 remark web server http access-list

The access-list remark command enables users to include...

Activate a group or unit: Change CTX2 from standby to active

fw2(config)# failover active group 2

You can activate a unit by using the failover active command. You can activate a group by adding the group keyword to the command string, as in the failover active group command. In the example in the figure, the administrator wants to activate standby CTX2 in the primary unit. To activate CTX2, enter the failover active group 2 command in the primary unit. To deactivate a context, you can use the...

Active Mode FTP Inspection

- Client-initiated command connection (TCP)
- Server-initiated data connection (TCP)

For outbound connections, the security appliance handles active mode FTP by opening a temporary inbound channel for the data. For inbound connections, if an FTP ACL exists, the security appliance handles active mode FTP as follows:
- If outbound traffic is allowed, no special handling is required.
- If outbound traffic is not allowed, it opens a temporary outbound connection for the data.

Active mode FTP uses...

Adding a Static MAC Address

Interface   MAC Address      Type     Time Left
outside     0009.7cbe.2100   static   -
inside      0010.7cbe.6101   static   -

mac-address-table static interface_name mac_address

Adds a static entry to the MAC address table. Normally, MAC addresses are added to the MAC address table dynamically as traffic from a particular MAC address enters an interface.

fw1(config)# mac-address-table static inside 0010.7cbe.6101
Added <...

Administrator can set connection limits

emb_limit - Maximum number of embryonic connections per host. An embryonic connection is a connection request that has not completed a TCP three-way handshake between the source and the destination.

tcp_max_conns - Maximum number of simultaneous TCP connections that each real IP host is allowed to use. Idle connections are closed after the time specified by the timeout conn command.

udp_max_conns - Maximum number of simultaneous UDP connections that each real IP host is allowed to use.

Protection...

AIP-SSM Ethernet Connections

The AIP-SSM supports an internal Gigabit Ethernet and a 10/100 Ethernet interface to the ASA 5500 Family main card. The Gigabit Ethernet interface is the primary IPS data-path interface for both inline and promiscuous IPS packets. An internal 10/100 Ethernet interface provides a control channel to the ASA 5500 main card. The external 10/100/1000 Ethernet interface is primarily used for downloading AIP-SSM software and for ASDM access to the AIP-SSM...

AIP-SSM Overview

This topic provides an overview of the AIP-SSM module. There are two AIP-SSM models, the AIP-SSM-10 and the AIP-SSM-20. Both modules appear identical, but the AIP-SSM-20 has a faster processor and more memory than the AIP-SSM-10. Only one module can populate the slot at a time. On the front bezel of the AIP-SSM module, there are four LEDs and one 10/100/1000 Ethernet port. The table lists the states of the AIP-SSM LEDs: On when the security appliance has power. Flashing when the power-up...

An asterisk (*) designates an admin context

[Figure: show context output listing the admin context (configuration file disk0:/admin.cfg) and two further contexts on disk0; Total active Security Contexts: 3]

Use the show context command to view all contexts. From the system execution space, you can view a list of contexts including the name, interfaces, and configuration file. In the system execution space, the security appliance displays all contexts if you do not specify a name. The detail option shows additional information. The count option shows the total number of...

Applies the crypto map to an interface: Activates IPSec policy

fw1(config)# crypto map FW1MAP interface outside

Step 108: Apply the crypto map to an interface.

firewall(config)# crypto map map-name interface interface-name

Specifies the interface for the SA to use for establishing tunnels with VPN peers. If ISAKMP is enabled and you are using a CA to obtain certificates, this should be the interface with the address specified in the CA certificates. Specifies...

Apply or View Service Policy Rule

The last step is to apply the service policy rule. Click Apply to initiate the new IPS service policy. In the example in the figure, the outside traffic class, defined as those packets from any source to a destination address of 172.16.1.0/24, will be inspected and analyzed by the AIP-SSM module.

ASA Adaptive Security Appliance Licensing

This topic explains the licensing options for the Cisco ASA 5500 Series Adaptive Security Appliances. Cisco ASA Security Appliance licensing is a feature-based license key system. The Cisco ASA Security Appliance license determines the number of contexts, the type of VPN encryption, and the number of VPN peers that an ASA Security Appliance can support.

[Figure: context licensing, from two contexts up to 50 contexts, with the available context licenses and upgrade licenses]

The...

Assign an Interface Speed and Duplex: speed and duplex Subcommands

fw1(config)# interface ethernet0 (GigabitEthernet0/0)
fw1(config-if)# ip address 192.168.1.2

Enables an interface speed and duplex.

The hardware speed is set to automatic speed sensing by default; it is recommended that you specify the speed of the network interfaces. This enables the security appliance to operate in network environments that may...

Assign a Security Level: security-level Subcommand

Assigns a security level to the interface.

pix1(config)# interface ethernet0
pix1(config-if)# nameif outside
pix1(config-if)# ip address 192.1
pix1(config-if)# security-level 0

The security-level interface configuration subcommand specifies the security appliance security level (except for the inside and outside security appliance interfaces, which are assigned security levels by default). The inside interface has a default security level of 100; the outside interface has a default security level of...

Assign Commands to Privilege Levels and Enable Command Authorization

firewall> enable 10
Password: PasswOrD
firewall# config t
firewall(config)# access-list

privilege [show | clear | configure] level level [mode enable | configure] command command

Configures user-defined privilege levels for security appliance commands.

firewall(config)# aaa authorization command {LOCAL | server-tag}

Enables command authorization.

fw1(config)# enable password PasswOrD level 10
fw1(config)# privilege show level 8 command access-list
fw1(config)# privilege configure level 10 command access-list...

Assigning a Class Map Name

To configure a class map: assign a name to the class of traffic.

pix1(config)# class-map s2s_voice
pix1(config)# class-map internet

The class-map command is used to classify a set of traffic with which security actions may be associated. Configuring a class map is a two-step process: naming the class of traffic and defining the attributes of the traffic. A name is assigned to each individual class of traffic. In the example in the figure,...

Assigning a Policy Map Name

Assign one or more classes to the policy map, then associate action(s) with the class.

pix1(config)# policy-map outside_policy
pix1(config-pmap)# class internet
pix1(config-pmap-c)#

Defining a policy map is a three-step process: naming the policy, identifying a class of traffic covered by this policy, and associating one or more actions with each traffic flow. The first step is to name the policy maps. In the example in the figure, there are two policy maps, the outside_policy policy map and the...

Assigning Hostname to Security Appliance: Changing the CLI Prompt

pixfirewall(config)# hostname newname

Changes the hostname in the PIX Firewall CLI prompt.

pixfirewall(config)# hostname Boston
Boston(config)#

In the example in this figure, notice that the default hostname label for the security appliance is pixfirewall. This default hostname is for PIX Security Appliances. The default hostname for the ASA Adaptive Security Appliances is ciscoasa. In a network of...

Assigning the Management IP Address

ip address ip_address [mask] [standby ip_address]

Sets the IP address for an interface (in routed mode) or for the management address (transparent mode). For routed mode, enter this command in interface configuration mode. In transparent mode, enter this command in global configuration mode.

fw1(config)# ip address 10.0.1.1 255.255.255.0

Assigning VLAN Names and Security Levels

fw1(config)# interface ethernet3.1
fw1(config-subif)# vlan 10
fw1(config-subif)# nameif dmz1
fw1(config-subif)# security-level 10

With the nameif command, the administrator defines a name for each VLAN. The interface name is used in all configuration commands on the security appliance instead of the interface type...

Assigns a name to the group and enables the network subcommand mode

fw1(config)# object-group network Inside Eng
fw1(config-network)# network-object host 10.0.0.1
fw1(config-network)# network-object host 10.0.0.2

To configure a network object group, first enter the object-group network command to name the network object group and enable the network object subcommand mode. After you are inside the subcommand mode, you can use the network-object command to add a single host or network to the network object...

Augmenting a Global Pool with PAT

When hosts on the 10.0.0.0 network access the outside network through the security appliance, they are assigned public addresses from the 192.168.0.20-192.168.0.253 range. When the addresses from the global pool are exhausted, PAT begins with the next available IP address, in this case, 192.168.0.254.

You can augment a pool of mapped addresses with PAT. When all IP addresses from the mapped pool are in use, the security appliance begins PAT, using...

Authentication Authorization and Accounting

AAA is used to tell the security appliance who the user is, what the user can do, and what the user did. Authentication is valid without authorization. Authorization is never valid without authentication. Suppose you have 100 users and you want only six of these users to be able to use FTP, Telnet, HTTP, or HTTPS from outside the network. Configure the security appliance to authenticate inbound traffic and give each of the six users an identification on the AAA server. With simple...

Authentication Server Configuration

authentication-server-group group_tag

Specifies the authorization server that WebVPN users should use. The authorization server must be previously configured using aaa-server commands.

fw1(config-webvpn)# authentication-server-group AUTHSERVER

The authentication-server-group command specifies the set of authentication servers to use with WebVPN or one of the e-mail proxies. For WebVPN, use this command in webvpn mode. For e-mail proxies (IMAP4S, POP3S, or...

Authorization of Non-Telnet, -FTP, -HTTP, or -HTTPS Traffic

aaa authorization {include | exclude} author_service if_name local_ip local_mask foreign_ip foreign_mask server_tag

author_service: protocol/port
- protocol: tcp (6), udp (17), icmp (1), or others (protocol number)
- port: port number and message type. The port number is used for TCP, UDP, or ICMP: a single port (e.g., 53), a port range (e.g., 2000-2050), or port 0 (all ports). ICMP message type (8 = echo request, 0 = echo reply).

aaa authorization include udp/0 outside 0.0.0.0 ...
aaa authorization include tcp/30-100 inside...

Authorization of Non-Telnet, -FTP, or -HTTP Traffic on Cisco Secure ACS

[Figure: Cisco Secure ACS Shell Command Authorization Set options: Assign a Shell Command Authorization Set for any network device; Per Group Command Authorization; Unmatched Cisco IOS commands: Permit / Deny]

Complete the following steps to add authorization rules for specific non-Telnet, -FTP, -HTTP, or -HTTPS services to any group in Cisco Secure ACS:

Step 63: Click...

Authorization Rules Allowing Specific Services

[Figure: Cisco Secure ACS Per Group Command Authorization, Unmatched Security Appliance commands]

The security appliance aaa authorization command defines which traffic flows to authorize. Clicking the Group Setup button, then selecting the Per Group Command Authorization radio button in the Cisco Secure ACS enables the administrator to permit or deny specific security appliance commands and arguments at the group level. For example, the Executive group might have FTP and HTTP access to all 172.26.26.0/24...

Authorization Rules Allowing Specific Services to Specific Hosts

[Figure: Cisco Secure ACS Per Group Command Authorization, Unmatched Security Appliance commands]

Complete the following steps to add authorization rules for services to specific hosts in Cisco Secure ACS:

Step 54: Click Group Setup from the navigation bar. The Group Setup window opens.
Step 55: Scroll down in Group Setup to the Shell Command Authorization Set area.
Step 56: Select Per Group Command Authorization.
Step 57: Select Deny, which is found under Unmatched Cisco IOS commands. When the administrator selects Deny, the user can issue only listed...

Available IPSec Transforms

The security appliance supports the transforms listed in the figure. Choosing IPSec transform combinations can be complex. The following tips may help you select transforms that are appropriate for your situation:
- If you want to provide data confidentiality, include an ESP encryption transform. Also consider including an ESP authentication transform or an AH transform to provide authentication services for the transform set.
- To ensure data authentication for the outer IP header as well as the...

Backing Up the Single Mode Configuration

When you convert from single mode to multiple mode, the running configuration is converted into two files:
- A new startup configuration that comprises the system configuration
- admin.cfg, which comprises the admin context

The original running configuration is saved as old_running.cfg (in disk). When you convert from single mode to multiple mode, the security appliance converts the running...

Benefits of Hub-and-Spoke VPNs

- Scale the network by scaling it at a specific hub point.
- Only the hub needs to have a static and global IP address. All the spoke PIXs can have DHCP-based dynamic IP addresses, with the hub configured with a dynamic crypto map.
- Very easy to add...

Cisco Easy VPN

Cisco VPN 3000 > 3.11 (> 3.5.1 recommended)

Cisco Easy VPN, a software enhancement for existing security appliances, greatly simplifies VPN deployment for remote offices and teleworkers. Based on the Cisco Unified Client framework, Cisco Easy VPN centralizes VPN management across all Cisco VPN devices, greatly reducing the complexity of VPN deployments. Easy VPN...

Cisco Firewall Services Module

This topic describes the Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500 Switch and Cisco 7600 Series Internet Router.

- Designed for campus data center and service provider environments
- Runs in Cisco Catalyst 6500 Series Switches and 7600 Series Routers
- Up to 1 million concurrent connections
- Supports 100 security contexts
  - 256 interfaces per security context
- 1000 VLANs (maximum per FWSM)
- Supports active/standby failover

The FWSM is...

Cisco VPN Client Program Menu

This figure displays the Cisco VPN Client program menu as viewed on a Windows 2000 PC. After the VPN Software Client has been installed, access the VPN Software Client program menu by choosing Start > Programs > Cisco Systems VPN Client. Under the Cisco Systems VPN Client menu, a number of options are available:
- Help: Accesses Software Client help text. Help is also available by doing the following: Press F1 at any window while using the Cisco VPN Client. Click the Help button on windows that...

Cisco VPN Client Statistics Menu

[Figure: Statistics window with the tabs Tunnel Details, Route Details, and Firewall. Tunnel Details shown: Client 10.0.21.1, Server 192.168.1.2, Encrypted 134, Decrypted 0, Discarded 124, Bypassed 5EI, Transparent Tunneling Inactive, Local LAN Disabled]

The Cisco VPN Client Statistics menu provides information regarding the current status of the VPN connection. Three tabs contain details on the tunnel, route, and firewall parameters in use.

Cisco VPN Software Client for Windows

[Figure: VPN Client - Version 4.0.1 (Rel) window, with the Connection Entries, Status, Certificates, Log, and Options menus and the Connection Entries, Certificates, and Log tabs]

This figure displays the Cisco VPN Client splash window. Users can preconfigure the connection entry (name of connection) and hostname or IP address of remote Easy VPN Servers. Clicking Connect initiates Internet Key Exchange (IKE) Phase 1. The Cisco VPN Client can be preconfigured for mass deployments,...

CiscoWorks VMS for Firewalls

There are several configuration and management options for FWSM, including the following:
- Console to command-line interface
- Telnet to inside interface of FWSM
- Telnet over IPSec to outside interface of FWSM
- Secure Shell Protocol (SSH) to CLI
- Secure Socket Layer (SSL) to PIX Device Manager
- CiscoWorks Virtual Private Network Security Management Solution (VMS) for firewalls

Note: All FWSM interfaces, including the console, are mapped via...

clear access-list counters Command

fw1(config)# clear access-list aclout counters
fw1(config)# show access-list
access-list ACLOUT line 1 permit tcp 192.168.1.0 255.255.255.0 host 192.168.6.11 eq www (hitcnt=0)
access-list ACLOUT line 2 permit tcp host 192.168.1.10 host 192.168.6.11 eq ftp (hitcnt=0)
access-list ACLOUT line 3 permit tcp any host 192.168.6.10 eq www (hitcnt=0)
access-list ACLOUT line 4 deny ip any any (hitcnt=4)
access-list ICMPDMZ; 1 elements
access-list ICMPDMZ line 1 permit icmp host bastionhost any echo-reply...

Command Authorization Using the Local User Database

Complete the following tasks to configure and use command authorization with the local user database:
- Use the privilege command to assign specific commands to privilege levels.
- Use the username command to create user accounts in the local user database and assign privilege levels to the accounts.
- Use the aaa authorization command to enable command authorization.
- Use the aaa authentication command to enable authentication using the local database.
- Use the login command to log in and access...

Config Context Submode: Designating the Configuration File

Identifies the URL from which the system downloads the context configuration. When you add a context URL, the system immediately loads the context so that it is running. If the system cannot retrieve the context configuration file, the system creates a blank context. Also used to change the URL of a previously configured context.

fw1(config-ctx)# config-url disk0:/context3.cfg
fw1(config-ctx)# show run
allocate-interface GigabitEthernet0/0
allocate-interface GigabitEthernet0/1
config-url disk0:/...

Configuration of Contexts

Each context has its own configuration file, which is specified using the config-url command. Until the config-url command has been entered, the context is not operational. The config-url command accepts the following URL types:
- disk0: or flash: - Configurations stored on the Flash filesystem of the device
- disk1: - Configurations stored on the compact Flash memory card of the device
- tftp: - TFTP server-based configurations
- ftp: - FTP server-based configurations
- https: - Web server-based configurations (read-only)...

Configure a Virtual Private Dial-Up Networking Group

vpdn group group_name request dialout pppoe
Defines a VPDN group to be used for PPPoE.

vpdn group group_name ppp authentication {PAP | CHAP | MSCHAP}
Selects an authentication method.

vpdn group group_name localname username
Associates the username assigned by your ISP with the VPDN group.

Configure Hub-and-Spoke VPN

VPN spokes can be terminated on a single interface. Traffic from the same security level can also be permitted.

same-security-traffic permit {inter-interface | intra-interface}

Permits communication between different interfaces with the same security level or between VPN peers connected to the same interface.

fw1(config)# same-security-traffic permit intra-interface

All of the VPN spokes can be terminated on a single interface by using the...

Configure Syslog Output to a Syslog Server

The security appliance generates syslog messages for system events, such as alerts and resource depletion. Syslog messages can be used to create log files or can be displayed on the console of a designated syslog host. The security appliance can send syslog messages to any syslog server. In the event that all syslog servers or hosts are offline, the security appliance syslog server stores up to 512 messages in its...

Configure WebVPN Servers and URLs

This topic covers how to configure WebVPN servers and URLs.

Enable WebVPN Protocol for Group Policy

fw1(config)# group-policy WEBVPN1 attributes
Enters the group-policy attributes subcommand mode.

vpn-tunnel-protocol {webvpn | IPSec}
fw1(config-group-policy)# vpn-tunnel-protocol webvpn

Use the vpn-tunnel-protocol command in group-policy configuration mode or username configuration mode to configure a VPN tunnel type (IPSec or WebVPN) for the...

Configures the IKE DPD parameters

fw1(config)# tunnel-group training ipsec-attributes
fw1(config-ipsec)# isakmp keepalive threshold 30 retry 10

DPD allows two IPSec peers to determine if the other is still alive during the lifetime of a VPN connection. DPD is useful because a host may reboot or the dialup link of a remote user may disconnect without notifying the peer that the VPN connection has gone away. When the IPSec host determines that a VPN connection no longer...

Configuring Four Interfaces

fw1(config)# interface ethernet0
fw1(config-if)# nameif outside
fw1(config-if)# ip address 192.168.0.2 255.255.255.0
fw1(config)# interface ethernet1
fw1(config-if)# nameif inside
fw1(config-if)# ip address 10.0.0.1 255.255.255.0
fw1(config)# interface ethernet2
fw1(config-if)# nameif dmz
fw1(config-if)# sec 50
fw1(config-if)# ip address 172.16.0.1 255.255.255.0
fw1(config)# interface ethernet3
fw1(config-if)# nameif partnernet
fw1(config-if)# sec 40
fw1(config-if)# ip address 172.18.0.1 255.255.255.0...

Configuring LAN Failover: Primary

fw2(config)# interface ethernet3
fw2(config-if)# no shut
fw2(config)# failover lan interface LANFAIL ethernet3
fw2(config)# failover interface ip LANFAIL 172.17.2.1 255.255.255.0 standby 172.17.2.7
fw2(config)# failover lan unit primary

The following steps provide more details about configuring LAN-based failover:

Step 181: Complete the following substeps to configure the primary security appliance before
16. Use the clock set command on...

Configuring SSH Access to the Security Appliance Console

Specifies the host or network authorized to initiate an SSH connection.
Specifies how long a session can be idle before being disconnected.

Complete the following steps to configure an SSH connection to your security appliance:

Step 189: Obtain an SSH client and install it on the system from which you want to establish the SSH connection.
Step 190: Use the crypto key zeroize rsa command to delete any previously created RSA
Step...

Configuring Three Interfaces

fw1(config)# interface ethernet0
fw1(config-if)# nameif outside
fw1(config-if)# ip address 192.168.0.2 255.255.255.0
fw1(config)# interface ethernet1
fw1(config-if)# nameif inside
fw1(config-if)# ip address 10.0.0.1 255.255.255.0
fw1(config)# interface ethernet2
fw1(config-if)# nameif dmz
fw1(config-if)# sec 50
fw1(config-if)# ip address 172.16.0.1 255.255.255.0
fw1(config)# nat (inside) 1 10.0.0.0 255.255.255.0
fw1(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
fw1(config)#...

Connecting to the Security Appliance with an SSH Client

fw1(config)# crypto key zeroize rsa
fw1(config)# write memory
fw1(config)# domain-name cisco.com
fw1(config)# crypto key generate rsa modulus 1024
fw1(config)# write memory
fw1(config)# ssh 172.26.26.50 255.255.255.255 outside
fw1(config)# ssh timeout 30...

Connections Versus Translations

Translations
- NAT: Mapped address to real address
- PAT: Mapped address and port to real address and port

Connections
- Host address and port to host address and port

Translations are at the IP layer. For NAT translations, it is the mapped to real IP address. For PAT translations, it is the mapped address and mapped port number to the real address and real port number. Connections are at the transport layer, specifically TCP. Connections are from a host and...

Context Allocate Interfaces and Assign a Failover Group Number

Associate interfaces and a group to a context:

fw2(config-ctx)# allocate-interface ethernet0
fw2(config-ctx)# allocate-interface ethernet1
fw2(config-ctx)# config-url flash:/ctx1.cfg
fw2(config-ctx)# join-failover-group 1
fw2(config)# context ctx2
fw2(config-ctx)# allocate-interface ethernet3
fw2(config-ctx)# allocate-interface ethernet4
fw2(config-ctx)# config-url flash:/ctx2.cfg
fw2(config-ctx)# join-failover-group 2

Context Monitoring

You can monitor specific context-related statistics by selecting a context from the Context dropdown menu and then clicking Monitoring. From the Context Monitoring window, you can monitor context interfaces, routing, administration, connections, logging, and IP audit statistics.

Course Goal and Objectives

This topic describes the course goal and objectives.

To provide the learner with the skills necessary to configure, maintain, and operate PIX and ASA security appliances.

Securing Networks with PIX and ASA v4.0

Upon completing this course, you will be able to meet these objectives:
- Describe firewall technology and security appliance features
- Describe security appliance models, option cards, and...

Create a Security Policy

- Identify a class of traffic
- Associate IPS policy with class of traffic
- Activate the policy globally or on an interface

The last step in the process is to create a security policy on the ASA security appliance. A security policy enables the ASA security appliance to prefilter, then pass selected traffic to the AIP-SSM module for...

Create a Service Policy

Enable policy globally, or on an interface.

The Add Service Policy Rule Wizard dialog box guides you through the addition of a new service policy rule. The new security policy rule can be applied to a specific interface, such as the outside or inside interface, or can be applied globally to all interfaces. A description of the fields in the Create a service policy and apply to group box is as follows:
- Interface radio button: Applies the rule to a...

Create a Static Translation for Web Server

fw1(config)# static (dmz,outside) 192.168.0.9 172.16.0.2 0 0

Map an inside private address to an outside public address.

The first step is to map the IP address of the web server to a fixed outside address. This hides the true address of the web server. Internet hosts access the DMZ web server via the mapped outside IP address. The security appliance performs the necessary translations to send the packet from the outside interface to the DMZ interface. To...

Create and Password Protect Your Privilege Levels

fw1> enable 10
Password: PasswOrD

enable password password [level level] [encrypted]

Configures enable passwords for the various privilege levels.

fw1(config)# enable password Passw0rD level 10

Provides access to a particular privilege level from the > prompt.

fw1> enable 10
Password: Passw0rD
fw1#

The security appliance supports up to sixteen privilege levels, levels zero through fifteen. You can create privilege levels and secure them by using the enable password...

Create IKE Policies for a Purpose

IKE negotiations must be protected, so each IKE negotiation begins by each peer agreeing on a common (shared) IKE policy. This policy states which security parameters will be used to protect subsequent IKE negotiations. After the two peers agree upon a policy, an SA established at each peer identifies the security parameters of the policy. These SAs apply to all subsequent IKE traffic during the negotiation. You can create multiple, prioritized policies at each peer to ensure that at least one...

Creates a policy suite grouped by priority number.
Creates policy suites that match peers.
Can use default values.

Step 97: Configure an IKE Phase 1 policy with the isakmp policy command to match expected IPSec peers by completing the following substeps.
16. Identify the policy with a unique priority designation, according to the table.
firewall(config)# isakmp policy priority
Specifies that encrypted IKE messages protected by this suite are encrypted using AES with a 128-bit key...

Creates an optional local address pool if the remote client is using the remote server as an external DHCP server

fw1(config)# ip local pool MYPOOL 10.0.11.1-10.0.11.254
If you are using a local IP address pool, you must also configure that pool. Use the ip local pool command. The syntax for this command is as follows:
ip local pool poolname first-address-last-address [mask mask]
first-address: Specifies the starting address in the range of IP addresses.
last-address: Specifies the final address in the range of IP addresses.
mask mask: (Optional)...

Cut Through Proxy Operation

Types of cut-through proxy user authentication:
Local authentication: The user makes a request to access the web server. The user is prompted by the security appliance. The local username and password are passed to the web server to authenticate.
Cisco Secure ACS server: The user makes a request to access the web server. The user is prompted by the security appliance. The security appliance queries Cisco Secure ACS for the remote username and password. If the user authenticates, the user is cut through the security appliance. The...

Default Traffic Inspection and Port Numbers

By default, protocol inspection is enabled. In the example in the figure, by default, the security appliance is configured to inspect the listed protocols on the specified TCP or UDP port numbers. For example, the security appliance inspects FTP traffic on TCP port 21.

Define IKE Policy Parameters

You can select specific values for each IKE parameter, per the IKE standard. You choose one value over another based on the security level you desire and the type of IPSec peer to which you will connect. There are five parameters to define in each IKE policy, as outlined in the previous figure and in the following table. The figure shows the relative strength of each parameter, and the table shows the default values.
[Figure: relative strength of IKE parameter values: 56-bit DES, 168-bit 3DES, AES 128-bit key, AES 192-bit key, AES 256-bit key; SHA-1...]

Define IPS Policy

[Figure: Intrusion Prevention settings, showing the Enable IPS for this traffic flow check box and the Mode options]
The Intrusion Prevention tab enables you to configure the IPS action to take on the selected traffic class. This window appears only if IPS software and AIP-SSM hardware is installed in the security appliance. The fields in the Intrusion Prevention area are as follows:
Enable IPS for this traffic flow: This check box enables or disables intrusion prevention for the...

Defines a controlled VLAN on the MSFC Assigns an IP address

switch(config)# vlan 100,200,300
switch(config-vlan)# exit
switch(config)# int vlan 100
switch(config-if)# ip address 192.168.1.2 255.255.255.0
switch(config-if)# no shut
switch(config-if)# int vlan 200
switch(config-if)# ip address 10.1.1.1 255.255.255.0
switch(config-if)# no shut
switch(config-if)# int vlan 300
switch(config-if)# ip address 172.16.1.1 255.255.255.0
switch(config-if)# no shut
You can install the FWSM in the Catalyst 6500 Series...

Defines the type of VPN connection that is to be established

fw1(config)# tunnel-group training type ipsec-ra
Step 128: To enable remote access, the tunnel group type must be named and set to remote access using the ipsec-ra keyword.
Step 2: Configure IKE Pre-Shared Key
tunnel-group name {general-attributes | ipsec-attributes}
ipsec-attributes: Enters tunnel-group ipsec-attributes submode to configure the key.
Associates a pre-shared key with the connection policy.
fw1(config)# tunnel-group training ipsec-attributes
fw1(config-ipsec)#...

Defining Authentication Type

authentication {aaa | certificate | mailhost | piggyback}
Specifies the authentication method(s) that are used with the e-mail proxy:
- aaa: Use previously configured AAA server for authentication
- certificate: Use certificate for authentication
- mailhost: Authenticates via the remote mail server (SMTPS only)
- piggyback: Requires use of an established HTTPS WebVPN session
fw1(config-pop3s)# authentication piggyback
Use the authentication command to configure authentication methods for the e-mail proxy. To restore the...

Defining Class Match Criteria

System Engineers: To configure a class map, define a class of traffic identified by a class map name.
pix1(config)# class-map se
pix1(config-cmap)# match tunnel-group se
pix1(config-cmap)# match flow ip destination-address
pix1(config)# class-map s2s_voice
pix1(config-cmap)# match tunnel-group site_c
pix1(config-cmap)# match dscp cs5
You may want to police the traffic of remote access users. You also may want to route VPN site-to-site voice traffic through the...

Defining E-Mail Server and Authentication Server

server: Specifies the default server for use with the e-mail proxy.
authentication-server-group group_tag: Specifies the authentication server to use with the e-mail proxy.
fw1(config-pop3s)# authentication-server-group AUTHSERVER
Use the server command in the applicable e-mail proxy mode to specify a default e-mail proxy server. The security appliance sends requests to the default e-mail server when the user connects to the e-mail proxy without specifying a server....

Defining Proxy Servers

Enters the appropriate e-mail proxy subcommand mode.
fw1(config)# pop3s
fw1(config-pop3s)#
Proxy servers are defined by entering the appropriate subcommand mode in global configuration mode. Proxy servers are available for POP3S, SMTPS, and IMAP4S. The following attributes can be configured in each subcommand mode:
port: This specifies the port the POP3S proxy listens to. The default is 995. The value is limited to valid port numbers....

Designate the URL-Filtering Server

url-server [(if_name)] vendor websense host local_ip [timeout seconds] [protocol {TCP | UDP} [version {1 | 4}]]
Designates a server that runs a Websense URL-filtering application.
url-server [(if_name)] vendor n2h2 host local_ip [port number] [timeout seconds] [protocol {TCP | UDP}]
Designates a server that runs an N2H2 URL-filtering application.
fw1(config)# url-server (dmz) vendor n2h2 host 172.16.0.3 protocol TCP
Before you can begin URL filtering, you must designate at least one server on which the Websense or N2H2...

Determine IKE Phase 1 Policy

An IKE policy defines a combination of security parameters to be used during the IKE negotiation. A group of policies makes up a protection suite of multiple policies that enable IPSec peers to establish IKE sessions and SAs with a minimum of configuration.

Determine IPSec IKE Phase 2 Policy

Traffic (packet type) to be encrypted.
Determining network design details includes defining a more detailed security policy for protecting traffic. You can then use the detailed policy to help select IPSec transform sets and modes of operation. Your security policy should answer the following questions:
What protections are required or are acceptable for the protected traffic?
What traffic should or should not be protected?
Which security appliance interfaces...

Determines whether other IP addresses are visible from the security appliance

Sending 5, 100-byte ICMP Echos to 10.0.1.11, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/12/20 ms
The ping command determines if the security appliance has connectivity and if a host is available (visible to the security appliance) on the network. The command output shows if the ping was received. If the ping was received, then the host exists on the network. If the ping was not received, the...

DHCP Server Configuration

This topic describes how to configure the PIX Security Appliance DHCP server on the PIX Security Appliance 501 or PIX Security Appliance 506/506E. The PIX Firewall DHCP server can be used to...
DHCP provides automatic allocation of reusable network addresses on a TCP/IP network. This provides ease of administration and dramatically reduces the margin of human error. Without DHCP, IP addresses must be manually entered at each computer or device that...

Displays multicast routes

The following commands can be used to view the current multicast and IGMP configuration:
show mfib: Displays the Multicast Forwarding Information Base (MFIB) in terms of forwarding entries and interfaces.
show mfib active: Displays active multicast sources.
show mfib count: Displays MFIB route and packet count data.
show mfib interface: Displays packet statistics for interfaces that are related to the MFIB process.
show mfib reserved: Displays...

Displays object groups in the configuration

Use the show running-config object-group command to display a list of the currently configured object groups. The security appliance displays defined object groups by their group identifier when the show running-config object-group id grp_id command form is entered and by group type when the show running-config object-group command is entered with the protocol, service,...

Displays the contents of the translation slots

The show xlate command displays the contents of the translation slot. In the figure, the number of currently used translations is 1 with a maximum count of 1. The current translation is a local IP address of 10.0.0.11 to a mapped IP address of 192.168.0.20.

Displays the pool of mapped addresses

global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
The show run global command displays the mapped pool(s) of addresses configured in the security appliance. The figure shows one pool currently configured. The pool is configured on the outside interface. The pool has an IP address range of 192.168.0.20 to 192.168.0.254. The NAT ID is 1.

Displays tunnel information

The show vpdn command displays PPPoE tunnel and session information. To view only session information, use the show vpdn session command. To view only tunnel information, use the show vpdn tunnel command. The following example shows the kind of information provided by the show vpdn commands:
pix1# sh vpdn
time since change 65862 secs
Remote Internet Address 172.31.31.1
Local Internet Address 192.168.10.2
6 packets sent, 6 received, 84...

Distributes list of TFTP servers for IP Phone connections

pix1(config)# dhcpd option 150 ip 10.0.0.11
pix1(config)# dhcpd option 66 ip 10.0.0.11
The dhcpd option commands enable the PIX Security Appliance DHCP server to distribute the IP address of a TFTP server to serve DHCP clients. These options are useful for IP Phones, which may need to obtain configuration files from a TFTP server. With the dhcpd option 66 command, the PIX Security Appliance distributes the IP address of a single TFTP...

DNS Record Translation

[Figure: DNS record translation. Query "Who is cisco.com?" sent from source 192.168.0.20 to destination 172.26.26.50; reply "cisco.com 192.168.0.17" returned from source 172.26.26.50 to destination 192.168.0.20, which the security appliance translates to destination 10.0.0.5.]
fw1(config)# nat (inside) 1 10.0.0.0 255.255.255.0 dns
fw1(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
fw1(config)# static...

Downloadable ACLs

1. The HTTP request to global IP address 192.168.1.10 is intercepted by the security appliance.
2. An authentication request is sent to the AAA server.
3. The authentication response contains the ACL name from the AAA server.
4. The security appliance checks to see if the user's ACL is already present.
5. A request is sent from the security appliance to the AAA server for the user's ACL.
6. The ACL is sent to the security appliance.
7. The HTTP request is forwarded to the WWW server.

Downloading and Backing Up Configuration Files Example

copy ftp://[user[:password]@]server[/path]/filename[;type=xx] startup-config
Copies the configuration file from an FTP server.
copy {startup-config | running-config | disk0:/[path/]filename} ftp://...
Copies the configuration file to an FTP server.
In single context mode, or from the system configuration in multiple mode, you can copy the startup configuration, running configuration, or a configuration file by name on disk (such...

Dynamic translations

fw1(config)# nat (inside) 1 10.0.0.0 255.255.255.0
fw1(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
Dynamic inside translations are used for local hosts and their outbound connections, and they hide the host address from the Internet. With dynamic translations, you must first define which hosts are eligible for translation with the nat command, then define the address pool with the global command. The pool for address...

Each IPSec peer individually enrolls with the CA server

The use of pre-shared keys for IKE authentication works only when you have a few IPSec peers. CAs enable scaling to a large number of IPSec peers. Although there are a number of scaling methods, using a CA server is the most scalable solution. Other IKE authentication methods require manual intervention to generate and distribute the keys on a per-peer basis. The CA server enrollment process can be largely automated so that it...

Easy VPN Server Configuration Summary

--- Configure Phase 1 Internet Security Association and Key Management Protocol (ISAKMP) parameters.
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
--- Configure IPSec transform set and dynamic crypto map.
crypto ipsec transform-set myset esp-aes esp-md5-hmac
crypto dynamic-map rmt-dyna-map 10 set transform-set myset
crypto map rmt-user-map 10 ipsec-isakmp dynamic rmt-dyna-map
--- Apply crypto map to the outside interface.
crypto map rmt-user-map...

Easy VPN Server Configuration Summary (Cont.)

--- Configure AAA-Server parameters.
aaa-server MYTACACS protocol tacacs+
--- Specify nonat access list.
access-list 101 permit ip 10.0.0.0 255.255
--- Configure Network Address Translation/Port Address Translation (PAT) for regular traffic, as well as NAT for IPSec traffic.
This figure highlights the authentication, NAT 0, NAT, and global parameters of the configuration. Any traffic between 10.0.0.0/24 and 10.0.11.0/24 will...

Easy VPN Servers

Cisco VPN 3000: release 3.11 or later (3.5.1 or later recommended)
The Easy VPN Remote feature requires that the destination peer be a VPN gateway or concentrator that supports the Easy VPN Server. This includes the following platforms when running the indicated software releases:
Cisco 806, Cisco 826, Cisco 827, and Cisco 828 Routers: Cisco IOS Software Release 12.2(8)T or later release
Cisco 1700 Series Routers: Cisco IOS Software...

Enable accounting match

aaa accounting match acl_name interface_name server_tag
Identify a traffic flow with an access-list command, then enable accounting of traffic matching the access-list command statement.
fw1(config)# access-list 110 permit tcp any host 192.168.2.10 eq ftp
fw1(config)# access-list 110 permit tcp any host 192.168.2.10 eq www
fw1(config)# aaa accounting match 110 outside NY ACS
To enable the generation of an accounting record, the administrator identifies a traffic flow with an ACL and applies the ACL to the...

Enable URL Entry for WebVPN Users

fw1(config)# group-policy WEBVPN1 attributes
Enters the group-policy attributes subcommand mode.
webvpn: Enters WebVPN group-policy attributes subcommand mode.
Use the webvpn command in group-policy configuration mode or in username configuration mode to enter the webvpn subcommand mode. These webvpn commands apply to the username or group policy from which you configure them. webvpn commands for group policies and usernames define access to files, MAPI proxies, URLs...

Enables DHCP server

Enable the DHCP daemon within the PIX Security Appliance to listen for DHCP client requests on the enabled interface by executing the dhcpd enable command. Currently, you can only enable the DHCP server feature on the inside interface, which is the default. Use the no form of the command to disable the DHCP daemon. The syntax for the dhcpd enable command is as follows:
dhcpd enable [if_name]
if_name: Name of the PIX Security Appliance interface. The default is the inside interface. The...

Enables NetBIOS resolution for CIFS File Shares

fw1(config-webvpn)# nbns-server 10.0.1.10
The security appliance queries NBNS servers to map NetBIOS names to IP addresses. WebVPN requires NetBIOS to access or share files on remote systems. There is a maximum of three server entries. The first server that is configured is the primary server, and the others are backups for redundancy. The nbns-server command adds a NetBIOS Name Service (NBNS) server for Common Internet File System (CIFS) name resolution. Specifying the master...

Enables PPPoE client

pix1(config)# ip address outside pppoe
Step 212: PPPoE client functionality is disabled by default. Use the ip address pppoe command to enable PPPoE on the PIX Security Appliance. The syntax for the ip address pppoe command is as follows:
ip address if_name pppoe [setroute]
if_name: The name of the outside interface of the PIX Security Appliance.
setroute: Tells the PIX Security Appliance to set the default route using the default gateway parameter that the DHCP or PPPoE server returns.
Reenter the ip address...

Enables you to configure a virtual MAC address for a security appliance failover pair

fw2(config)# failover mac address ethernet0 00a0.c989.e481 00a0.c969.c7f1
fw2(config)# failover mac address ethernet1 00a0.c976.cde5 00a0.c922.9176
When the primary security appliance is replaced with a new primary security appliance, the secondary security appliance acquires the MAC address of the new primary security appliance and sends out gratuitous ARPs on all interfaces to update the devices connected to the security appliance. You can prevent the MAC...

Enables you to view all active connections

The show conn command displays the number of active TCP connections and information about them. In the figure, there are two connections between host 10.0.0.11 and web server 192.168.10.11. Connections are addressed to TCP port 80 on the web server. The replies are addressed to host 10.0.0.11, ports 2824 and 2823. The syntax for the show conn command is as follows:
show conn...

Enabling OSPF Routing

Enables OSPF routing through the security appliance.
To enable OSPF routing, use the router ospf command. The syntax for the router ospf command is as follows:
router ospf pid
pid: Internally used identification parameter for an OSPF routing process; valid values are from 1 through 65535. The process ID (PID) on one router does not need to match the OSPF PIDs on other routers. The security appliance can be configured for one or two processes, or OSPF...