ACL Comments

access-list aclout line 1 remark web server 1 http
access-list aclout line 2 permit tcp any host 192.168.0.8 eq www (hitcnt=0)
access-list aclout line 3 remark web server 2 http
access-list aclout line 4 permit tcp any host
Syntax: access-list id [line line-num] remark text
fw1(config)# access-list outside line 1 remark web server http access-list
2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0 5-20
The access-list remark command enables users to include...

Active Mode FTP Inspection

- Client-initiated command connection (TCP)
- Server-initiated data connection (TCP)
For outbound connections, the security appliance handles active mode FTP by opening a temporary inbound channel for the data. For inbound connections, if an FTP ACL exists, the security appliance handles active mode FTP as follows:
- If outbound traffic is allowed, no special handling is required.
- If outbound traffic is not allowed, it opens a temporary outbound connection for the data.
Active mode FTP uses...

Administrator can set connection limits

emb_lim - Maximum number of embryonic connections per host. An embryonic connection is a connection request that has not completed a TCP three-way handshake between the source and the destination.
tcp_max_conns - Maximum number of simultaneous TCP connections that each real IP host is allowed to use. Idle connections are closed after the time specified by the timeout conn command.
udp_max_conns - Maximum number of simultaneous UDP connections that each real IP host is allowed to use.
Protection...

Apply or View Service Policy Rule

The last step is to apply the service policy rule. Click Apply to initiate the new IPS service policy. In the example in the figure, the outside traffic class, defined as those packets from any source to a destination address of 172.16.1.0/24, will be inspected and analyzed by the AIP-SSM module.

ASA Adaptive Security Appliance Licensing

This topic explains the licensing options for the Cisco ASA 5500 Series Adaptive Security Appliances. Cisco ASA Security Appliance licensing is a feature-based license key system. The Cisco ASA Security Appliance license determines the number of contexts, the type of VPN encryption, and the number of VPN peers that an ASA Security Appliance can support. (Figure: Available Context Licenses: two contexts; Upgrade Licenses: 50 contexts.) The...

Assign an Interface Speed and Duplex: speed and duplex Subcommands

fw1(config)# interface ethernet0 (GigabitEthernet0/0)
fw1(config-if)# ip address 192.168.1.2
Enables an interface speed and duplex
The hardware speed is set to automatic speed sensing by default; it is recommended that you specify the speed of the network interfaces. This enables the security appliance to operate in network environments that may...

Assign a Security Level: security-level Subcommand

Assigns a security level to the interface.
pix1(config)# interface ethernet0
pix1(config-if)# nameif outside
pix1(config-if)# ip address 192.1
pix1(config-if)# security-level 0
The security-level interface configuration subcommand specifies the security appliance security level (except for the inside and outside security appliance interfaces, which are assigned security levels by default). The inside interface has a default security level of 100; the outside interface has a default security level of...

Assign Commands to Privilege Levels and Enable Command Authorization

firewall> enable 10
Password: PasswOrD
firewall# config t
firewall(config)# access-list
privilege [show | clear | configure] level level [mode enable | configure] command command
Configures user-defined privilege levels for security appliance commands
firewall(config)# aaa authorization command {LOCAL | server-tag}
Enables command authorization
fw1(config)# enable password PasswOrD level 10
fw1(config)# privilege show level 8 command access-list
fw1(config)# privilege configure level 10 command access-list...

Assigning a Class Map Name

To configure a class map: assign a name to the class of traffic.
pix1(config)# class-map s2s_voice
pix1(config)# class-map internet
The class-map command is used to classify a set of traffic with which security actions may be associated. Configuring a class map is a two-step process: naming the class of traffic and defining the attributes of the traffic. A name is assigned to each individual class of traffic. In the example in the figure,...

Assigning a Policy Map Name

Associate action(s) with the class; assign one or more classes to the policy map.
pix1(config)# policy-map outside_policy
pix1(config-pmap)# class internet
pix1(config-pmap-c)#
Defining a policy map is a three-step process: naming the policy, identifying a class of traffic covered by this policy, and associating one or more actions with each traffic flow. The first step is to name the policy maps. In the example in the figure, there are two policy maps, the outside_policy policy map and the...

Assigning the Management IP Address

ip address ip_address [mask] [standby ip_address]
Sets the IP address for an interface (in routed mode) or for the management address (transparent mode). For routed mode, enter this command in interface configuration mode. In transparent mode, enter this command in global configuration mode.
fw1(config)# ip address 10.0.1.1 255.255.255.0...

Assigning VLAN Names and Security Levels

fw1(config)# interface ethernet3.1
fw1(config-subif)# vlan 10
fw1(config-subif)# nameif dmz1
fw1(config-subif)# security-level 10
With the nameif command, the administrator defines a name for each VLAN. The interface name is used in all configuration commands on the security appliance instead of the interface type...

Assigns a name to the group and enables the network subcommand mode

fw1(config)# object-group network Inside_Eng
fw1(config-network)# network-object host 10.0.0.1
fw1(config-network)# network-object host 10.0.0.2
To configure a network object group, first enter the object-group network command to name the network object group and enable the network object subcommand mode. After you are inside the subcommand mode, you can use the network-object command to add a single host or network to the network object...

Augmenting a Global Pool with PAT

When hosts on the 10.0.0.0 network access the outside network through the security appliance, they are assigned public addresses from the 192.168.0.20-192.168.0.253 range. When the addresses from the global pool are exhausted, PAT begins with the next available IP address, in this case, 192.168.0.254. You can augment a pool of mapped addresses with PAT. When all IP addresses from the mapped pool are in use, the security appliance begins PAT, using...

Authentication, Authorization, and Accounting

AAA is used to tell the security appliance who the user is, what the user can do, and what the user did. Authentication is valid without authorization. Authorization is never valid without authentication. Suppose you have 100 users and you want only six of these users to be able to use FTP, Telnet, HTTP, or HTTPS from outside the network. Configure the security appliance to authenticate inbound traffic and give each of the six users an identification on the AAA server. With simple...

Authorization of Non-Telnet, -FTP, or -HTTP Traffic on Cisco Secure ACS

(Figure: Assign a Shell Command Authorization Set for any network device; Per Group Command Authorization; Unmatched Cisco IOS commands: Permit / Deny.) Complete the following steps to add authorization rules for specific non-Telnet, -FTP, -HTTP, or -HTTPS services to any group in Cisco Secure ACS: Step 1 Click...

Available IPSec Transforms

The security appliance supports the transforms listed in the figure. Choosing IPSec transform combinations can be complex. The following tips may help you select transforms that are appropriate for your situation: If you want to provide data confidentiality, include an ESP encryption transform. Also consider including an ESP authentication transform or an AH transform to provide authentication services for the transform set. To ensure data authentication for the outer IP header as well as the...

Benefits of Hub-and-Spoke VPNs

- Scale the network through scaling at a specific hub point.
- Only the hub needs to have a static, global IP address.
- All the spoke PIXs can have DHCP-based dynamic IP addresses, with the hub configured with a dynamic crypto map.
- Very easy to add...

Cisco Firewall Services Module

This topic describes the Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500 Switch and Cisco 7600 Series Internet Router.
- Designed for campus, data center, and service provider environments
- Runs in Cisco Catalyst 6500 Series Switches and 7600 Series Routers
- Up to 1 million concurrent connections
- Supports 100 security contexts
- 256 interfaces per security context
- 1000 VLANs (maximum per FWSM)
- Supports active/standby failover
The FWSM is...

Command Authorization Using the Local User Database

Complete the following tasks to configure and use command authorization with the local user database: Use the privilege command to assign specific commands to privilege levels. Use the username command to create user accounts in the local user database and assign privilege levels to the accounts. Use the aaa authorization command to enable command authorization. Use the aaa authentication command to enable authentication using the local database. Use the login command to log in and access...

Config Context Submode: Designating the Configuration File

Identifies the URL from which the system downloads the context configuration. When you add a context URL, the system immediately loads the context so that it is running. If the system cannot retrieve the context configuration file, the system creates a blank context. Also used to change the URL of a previously configured context.
fw1(config-ctx)# config-url disk0:/context3.cfg
fw1(config-ctx)# show run
allocate-interface GigabitEthernet0/0
allocate-interface GigabitEthernet0/1
config-url disk0...

Configure Hub-and-Spoke VPN

VPN spokes can be terminated on a single interface. Traffic from the same security level can also be permitted.
same-security-traffic permit {inter-interface | intra-interface}
Permits communication between different interfaces with the same security level or between VPN peers connected to the same interface
fw1(config)# same-security-traffic permit intra-interface
All of the VPN spokes can be terminated on a single interface by using the...

Configuring SSH Access to the Security Appliance Console

Specifies the host or network authorized to initiate an SSH connection. Specifies how long a session can be idle before being disconnected. Complete the following steps to configure an SSH connection to your security appliance: Step 1 Obtain an SSH client and install it on the system from which you want to establish the SSH connection. Step 2 Use the crypto key zeroize rsa command to delete any previously created RSA key pairs. Step...

Connecting to the Security Appliance with an SSH Client

fw1(config)# crypto key zeroize rsa
fw1(config)# write memory
fw1(config)# domain-name cisco.com
fw1(config)# crypto key generate rsa modulus 1024
fw1(config)# write memory
fw1(config)# ssh 172.26.26.50 255.255.255.255 outside
fw1(config)# ssh timeout 30...

Context Allocate Interfaces and Assign a Failover Group Number

fw2(config-ctx)# allocate-interface ethernet0
fw2(config-ctx)# allocate-interface ethernet1
fw2(config-ctx)# config-url flash:/ctx1.cfg
fw2(config-ctx)# join-failover-group 1
fw2(config)# context ctx2
fw2(config-ctx)# allocate-interface ethernet3
fw2(config-ctx)# allocate-interface ethernet4
fw2(config-ctx)# config-url flash:/ctx2.cfg
fw2(config-ctx)# join-failover-group 2
Associate interfaces and a group to a context...

Course Goal and Objectives

This topic describes the course goal and objectives. Course goal: to provide the learner with the skills necessary to configure, maintain, and operate PIX and ASA security appliances. Securing Networks with PIX and ASA v4.0. Upon completing this course, you will be able to meet these objectives: Describe firewall technology and security appliance features. Describe security appliance models, option cards, and...

Create a Static Translation for Web Server

fw1(config)# static (dmz,outside) 192.168.0.9 172.16.0.2 0 0
Map an inside private address to an outside public address
The first step is to map the IP address of the web server to a fixed outside address. This hides the true address of the web server. Internet hosts access the DMZ web server via the mapped outside IP address. The security appliance performs the necessary translations to send the packet from the outside interface to the DMZ interface. To...

Create and Password Protect Your Privilege Levels

enable password password [level level] [encrypted]
Configures enable passwords for the various privilege levels
fw1(config)# enable password Passw0rD level 10
Provides access to a particular privilege level from the > prompt
fw1> enable 10
Password: Passw0rD
fw1#
The security appliance supports up to sixteen privilege levels, levels zero through fifteen. You can create privilege levels and secure them by using the enable password...

Cut-Through Proxy Operation

Types of cut-through proxy user authentication (figure). Local database: the user makes a request to access the web server; the user is prompted by the security appliance; the local username and password are passed to the web server to authenticate. Cisco Secure ACS server: the user makes a request to access the web server; the user is prompted by the security appliance; the security appliance queries Cisco Secure ACS for the remote username and password. If the user authenticates, the user is cut through the security appliance. The...

Define IKE Policy Parameters

You can select specific values for each IKE parameter, per the IKE standard. You choose one value over another based on the security level you desire and the type of IPSec peer to which you will connect. There are five parameters to define in each IKE policy, as outlined in the previous figure and in the following table. The figure shows the relative strength of each parameter, and the table shows the default values. (Figure: encryption 56-bit DES, 168-bit 3DES, AES 128-bit key, AES 192-bit key, AES 256-bit key; hash SHA-1...)

Defines a controlled VLAN on the MSFC; Assigns an IP address

switch(config)# vlan 100,200,300
switch(config-vlan)# exit
switch(config)# int vlan 100
switch(config-if)# ip address 192.168.1.2 255.255.255.0
switch(config-if)# no shut
switch(config-if)# int vlan 200
switch(config-if)# ip address 10.1.1.1 255.255.255.0
switch(config-if)# no shut
switch(config-if)# int vlan 300
switch(config-if)# ip address 172.16.1.1 255.255.255.0
switch(config-if)# no shut
You can install the FWSM in the Catalyst 6500 Series...

Defines the type of VPN connection that is to be established

fw1(config)# tunnel-group training type ipsec-ra
Step 1 To enable remote access, the tunnel group type must be named and set to remote access using the ipsec-ra command.
Step 2 Configure IKE Pre-Shared Key
tunnel-group name {general-attributes | ipsec-attributes}
Enters tunnel-group ipsec-attributes submode to configure the key. Associates a pre-shared key with the connection policy.
fw1(config)# tunnel-group training ipsec-attributes
fw1(config-ipsec)#...

Defining Authentication Type

authentication {aaa | certificate | mailhost | piggyback}
Specifies the authentication method(s) that are used with the e-mail proxy:
- aaa: Use previously configured AAA server for authentication
- certificate: Use certificate for authentication
- mailhost: Authenticates via the remote mail server (SMTPS only)
- piggyback: Requires use of an established HTTPS WebVPN session
fw1(config-pop3s)# authentication piggyback
Use the authentication command to configure authentication methods for the e-mail proxy. To restore the...

Defining Proxy Servers

Enters the appropriate e-mail proxy subcommand mode
fw1(config)# pop3s
fw1(config-pop3s)#
Proxy servers are defined by entering the appropriate subcommand mode in global configuration mode. Proxy servers are available for POP3S, SMTPS, and IMAP4S. The following attributes can be configured in each subcommand mode: port: This specifies the port the POP3S proxy listens to. The default is 995. The value is limited to valid port numbers....

Designate the URL-Filtering Server

url-server [(if_name)] vendor websense host local_ip [timeout seconds] [protocol {TCP | UDP} [version {1 | 4}]]
Designates a server that runs a Websense URL-filtering application
url-server [(if_name)] vendor n2h2 host local_ip [port number] [timeout seconds] [protocol {TCP | UDP}]
Designates a server that runs an N2H2 URL-filtering application
fw1(config)# url-server (dmz) vendor n2h2 host 172.16.0.3 protocol TCP
Before you can begin URL filtering, you must designate at least one server on which the Websense or N2H2...

Determine IPSec IKE Phase 2 Policy

Traffic (packet type) to be encrypted. Determining network design details includes defining a more detailed security policy for protecting traffic. You can then use the detailed policy to help select IPSec transform sets and modes of operation. Your security policy should answer the following questions: What protections are required or are acceptable for the protected traffic? What traffic should or should not be protected? Which security appliance interfaces...

Determines whether other IP addresses are visible from the security appliance

Sending 5, 100-byte ICMP Echos to 10.0.1.11, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/12/20 ms
The ping command determines if the security appliance has connectivity and if a host is available (visible to the security appliance) on the network. The command output shows if the ping was received. If the ping was received, then the host exists on the network. If the ping was not received, the...

DHCP Server Configuration

This topic describes how to configure the PIX Security Appliance DHCP server on the PIX Security Appliance 501 or PIX Security Appliance 506/506E. The PIX Firewall DHCP server can be used to ... DHCP provides automatic allocation of reusable network addresses on a TCP/IP network. This provides ease of administration and dramatically reduces the margin of human error. Without DHCP, IP addresses must be manually entered at each computer or device that...

Displays object groups in the configuration

Use the show running-config object-group command to display a list of the currently configured object groups. The security appliance displays defined object groups by their group identifier when the show running-config object-group id grp_id command form is entered, and by group type when the show running-config object-group command is entered with the protocol, service,...

DNS Record Translation

(Figure: "Who is cisco.com?" Source 192.168.0.20, Destination 172.26.26.50. Reply "cisco.com = 192.168.0.17": Source 172.26.26.50, Destination 192.168.0.20; after translation, Source 172.26.26.50, Destination 10.0.0.5.)
fw1(config)# nat (inside) 1 10.0.0.0 255.255.255.0 dns
fw1(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
fw1(config)# static...

Downloadable ACLs

1. The HTTP request to global IP address 192.168.1.10 is intercepted by the security appliance.
2. An authentication request is sent to the AAA server.
3. The authentication response contains the ACL name from the AAA server.
4. The security appliance checks to see if the user's ACL is already present.
5. A request is sent from the security appliance to the AAA server for the user's ACL.
6. The ACL is sent to the security appliance.
7. The HTTP request is forwarded to the WWW server. ...

Each IPSec peer individually enrolls with the CA server

The use of pre-shared keys for IKE authentication works only when you have a few IPSec peers. CAs enable scaling to a large number of IPSec peers. Although there are a number of scaling methods, using a CA server is the most scalable solution. Other IKE authentication methods require manual intervention to generate and distribute the keys on a per-peer basis. The CA server enrollment process can be largely automated so that it...

Easy VPN Servers

Cisco VPN 3000 > 3.11 (> 3.5.1 recommended). The Easy VPN Remote feature requires that the destination peer be a VPN gateway or concentrator that supports the Easy VPN Server. This includes the following platforms when running the indicated software releases:
- Cisco 806, Cisco 826, Cisco 827, and Cisco 828 Routers: Cisco IOS Software Release 12.2(8)T or later release
- Cisco 1700 Series Routers: Cisco IOS Software...

Enable accounting match

aaa accounting match acl_name interface_name server_tag
Identify a traffic flow with an access-list command. Enable accounting of traffic matching the access-list command statement.
fw1(config)# access-list 110 permit tcp any host 192.168.2.10 eq ftp
fw1(config)# access-list 110 permit tcp any host 192.168.2.10 eq www
fw1(config)# aaa accounting match 110 outside NY_ACS
To enable the generation of an accounting record, the administrator identifies a traffic flow with an ACL and applies the ACL to the...

Enables DHCP server

Enable the DHCP daemon within the PIX Security Appliance to listen for DHCP client requests on the enabled interface by executing the dhcpd enable command. Currently, you can only enable the DHCP server feature on the inside interface, which is the default. Use the no form of the command to disable the DHCP daemon. The syntax for the dhcpd enable command is as follows: Name of the PIX Security Appliance interface. The default is the inside interface. The...

Enables you to configure a virtual MAC address for a security appliance failover pair

fw2(config)# failover mac address ethernet0 00a0.c989.e481 00a0.c969.c7f1
fw2(config)# failover mac address ethernet1 00a0.c976.cde5 00a0.c922.9176
When the primary security appliance is replaced with a new primary security appliance, the secondary security appliance acquires the MAC address of the new primary security appliance and sends out gratuitous ARPs on all interfaces to update the devices connected to the security appliance. You can prevent the MAC...

Enabling OSPF Routing

Enables OSPF routing through the security appliance. To enable OSPF routing, use the router ospf command. The syntax for the router ospf command is as follows: Internally used identification parameter for an OSPF routing process; valid values are from 1 through 65535. The process ID (PID) on one router does not need to match the OSPF PIDs on other routers. The security appliance can be configured for one or two processes, or OSPF...

Enhanced HTTP Inspection

Has the ability to control and filter HTTP traffic flowing through the security appliance:
- Checks whether HTTP message is RFC compliant
- Specifies which RFC HTTP request methods are permitted
- Specifies which extension methods are permitted
- Specifies maximum header length for HTTP request and response messages
- Specifies minimum and maximum content length
- Confirms content-type in the message header is the same as the body of the HTTP message
- Specifies maximum URI length in a request...

Example Crypto ACLs

(Figure: fw1 e0 192.168.1.2; fw6 e0 192.168.6.2.)
fw1# show run access-list
access-list 101 permit ip 255.255.255.0
fw6# show run access-list
access-list 101 permit ip 255.255.255.0
Use the show run access-list command to display currently configured ACLs. The figure contains an example ACL for each of the peer security appliances. In the Security Appliance 1 ACL, the source network is 10.0.1.0 and the...

Example Intrusion Prevention Policy

ips {inline | promiscuous} {fail-close | fail-open}
Sends the Internet class of packets to the AIP-SSM; if the AIP-SSM fails, permits traffic
pix1(config)# policy-map outside_policy
pix1(config-pmap)# class internet
pix1(config-pmap-c)# ips inline fail-open
To configure the intrusion prevention action, you use the ips command to configure two items, the AIP-SSM mode and the AIP-SSM failure action. In the example in the figure, the Internet class...

Example Servers and URL Configuration

(Figure: Superserver and CIFS Share on 10.0.1.0. The user needs to launch the WebVPN interface and click on the Superserver or CIFS Share link. Web access, security appliance parameters: url-list URL Superserver http://10.0.1.10. CIFS access, security appliance parameters: url-list URL CIFS Share cifs://10.0.1.10/training.) This example illustrates the various parameters that must be configured on the security appliance to enable WebVPN access to the resources on the private...

FTP

In the example in the figure, the administrator wants to enable selected hosts to establish HTTP, HTTPS, and FTP outbound sessions. The administrator configures an object group for selected Inside_Eng and Inside_Mktg hosts. These two groups are nested inside another group, Inside_Networks. To ease configuration, the three protocols are grouped.

Functions of the Security Appliance Security Algorithm

Implements stateful connection control through the security appliance. Allows one-way (outbound) connections with a minimum number of configuration changes. An outbound connection is a connection originating from a host on a more-protected interface and destined for a host on a less-protected network. Monitors return packets to ensure that they are valid. Randomizes the first TCP sequence number to minimize the risk of attack. The...

Group names applied to ACL

fw1(config)# access-list outside permit tcp any object-group DMZ_Servers object-group DMZ_Services
You can group network objects such as hosts and services to simplify the task of creating and applying ACLs. This reduces the number of access control entries (ACEs) that are required to implement complex security policies. For example, a security policy that normally contains 3,300 ACEs within an ACL might require only several hundred ACEs within that ACL after hosts and services are properly...

Groups and Users

Within a corporation, not everyone has the same access requirements: customer service engineers may require seven-day, 24-hour access; sales entry personnel need five-day, eight-hour access; and contract help might need access from 9 a.m. to 5 p.m., with restricted server access. The security appliance can accommodate different access and usage requirements. You can define different rights and privileges on a group basis. A customer service engineer, sales entry person, and contractor can be...

Hardware and Stateful Failover

Hardware failover:
- Client applications must reconnect.
- Provides hardware redundancy.
- Provided by serial or LAN-based failover link.
Stateful failover:
- TCP connections remain active.
- No client applications need to reconnect.
- Provides redundancy and stateful connection.
...

Home Page Look and Feel Configuration

(Figure: Title Bar Color; Secondary Bar Color.) Specifies the title that WebVPN users should see. firewall(config-webvpn)# Specifies the title color. Supported formats include HTML color name string, HTML color value, and HTML RGB value. Many of the commands in the webvpn subcommand mode control and customize the look and feel of the end user's home page. Some of the items that can be configured include: HTML title: The HTML title...

Host Name-to-IP-Address Mapping: name Command

Configures a list of name-to-IP-address mappings on the security appliance
fw1(config)# name 172.16.0.2 bastionhost
fw1(config)# name 10.0.0.11 insidehost
The use of the name command enables you to configure a list of name-to-IP-address mappings on the security appliance. This allows the use of names in the configuration instead of IP addresses. In the figure, the server's and the PC's IP addresses are mapped to names, bastionhost and insidehost. Bastionhost and insidehost can be used in place of...

HTTP Map Application and Encoding Inspection

Define HTTP application and encoding inspection:
port-misuse: Application inspection
transfer-encoding: Transfer encoding inspection
action: Defines actions when a violation occurs.
port-misuse {im | p2p | tunneling} action {allow | drop | reset} [log]
transfer-encoding {chunked | compress | deflate | gzip | identity} action {allow | drop | reset} [log]
You can define application and encoding inspection, and you can limit the HTTP traffic that is allowed through the...

Identify a Class of Traffic

Defining traffic matching criteria. (Figure: Add Service Policy Rule Wizard, Traffic Classification Criteria. Description (optional). Traffic match criteria: Default Inspection Traffic; Source and Destination IP Address; Tunnel Group; TCP or UDP Destination Port; RTP Range; IP DiffServ CodePoints (DSCP); IP Precedence; Any traffic. If traffic does not match an existing traffic class, then it will match the class-default traffic class.) Class-default can be...

Installation Wizard

Note: Close all Windows programs before you run the setup program. (Optional) If Cisco Secure ACS is already installed, the Previous Installation window opens. You are prompted to remove the previous version and save the existing database information. Click Yes, keep existing database and click Next to keep the existing data. To use a new database, deselect the check box and click Next. If you selected the check box, the setup program backs up the existing database information and removes the...

Installing Application or ASDM Software Example

copy tftp://server[/path]/filename flash:/filename

When you log into the security appliance during normal operation, you can copy the application software or ASDM software to the Flash file system from a TFTP, FTP, HTTP, or HTTPS server.

fw1(config)# copy tftp://10.0.0.3/cisco/123file.bin flash:/123file.bin

When you install the ASA software, the existing activation key is extracted from the original image and stored in a file in the security appliance file...

IP Multicasting

An IP datagram is transmitted to a set of hosts identified by a single IP destination address. Clients that wish to receive multicasts must join a multicast host group. The multicast router discovers group hosts by sending IGMP query messages. Host group members respond with IGMP reports. The security appliance supports SMR-IGMP proxying.

IP multicasting is a bandwidth-conserving technology that reduces traffic by simultaneously delivering a single stream...

Limitations and Benefits of Hub-and-Spoke VPNs

IPSec performance is aggregated at the hub. All spoke-to-spoke packets are decrypted and re-encrypted at the hub. When using hub-and-spoke with dynamic crypto maps, the IPSec encryption tunnel must be initiated by the spoke routers.

The hub-and-spoke design is the most suitable configuration when the majority of traffic is...

Limits information that is allowed into a network based on the destination and source address

A firewall can use packet filtering to limit information that enters a network and information moving from one segment of a network to another. Packet filtering uses access control lists (ACLs), which allow a firewall to accept or deny access based on packet types and other variables. This method is effective when a protected network receives a packet from an unprotected network. Any packet that is sent to the protected network and does not fit the...

Maps names and sequence numbers of group entries into a policy

Step 107 Configure the crypto map with the crypto map command by completing the following substeps:

1. Assign an ACL to the crypto map entry:

firewall(config)# crypto map map-name seq-num match address acl_name

- crypto map map-name seq-num match address acl_name: assigns an ACL to a crypto map entry
- seq-num: the number you assign to the crypto map entry
- map-name: specifies the name of the crypto map set

2. Specify the peer to which the IPSec-protected traffic can be forwarded:

firewall(config)# crypto...

Maximum Number of Interfaces

Figure: table of maximum physical interfaces and virtual interfaces per platform.

Maximum number of interfaces supported by Cisco PIX and ASA Security Appliance Software v7. VLANs are not supported on the PIX 501, 506, and 506E Security Appliances. The number of logical interfaces that you can configure on the other Cisco security appliances varies by platform and license type. The chart in the figure defines the maximum number of interfaces that the security appliance family supports beginning...

Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)

Note: ISPs that use CHAP or MS-CHAP may refer to the username as the remote system name, and may refer to the password as the CHAP secret.

Step 210 Use the vpdn group command to associate the username assigned by your ISP to the VPDN group. The syntaxes for the vpdn commands are as follows:

vpdn group group_name request dialout pppoe
vpdn group group_name ppp authentication PAP
vpdn group group_name localname username
clear vpdn [group | username | tunnel all]

username: Local username. However, when used as a...

Modular Policy Framework Overview

Cisco Modular Policy Framework provides greater granularity and more flexibility when configuring network policies:
- Associate security policy to traffic flows
- Enable a set of security policies on an interface or globally

Need for Advanced Protocol Handling

Some popular protocols or applications behave as follows:
- They negotiate connections to dynamically assigned source and destination ports and IP addresses.
- They embed source and destination port and IP address information above the network layer.
A good security appliance has to inspect packets above the network layer and do the following as required by the protocol or application:
- Securely open and close negotiated ports and IP addresses for legitimate client-server connections through...

PAT Using Outside Interface Address

fw1(config-if)# ip address inside 10.0.0.1 255.255.255.0
fw1(config-if)# ip address outside dhcp
fw1(config)# nat (inside) 1 10.0.0.0 255.255.0.0
fw1(config)# global (outside) 1 interface

The outside interface is configured as a DHCP client. The interface option of the global command enables use of the DHCP-assigned address as the PAT address. The source addresses of hosts in network 10.0.0.0 are translated into the DHCP-assigned address for outgoing access, in this case 192.168.0.2. The source port is changed to a...

Peer authentication methods

When conducting business over the Internet, you must know who is at the other end of the tunnel. The device on the other end of the VPN tunnel must be authenticated before the communications path is considered secure. The last exchange of IKE Phase 1 is used to authenticate the remote peer. The security appliance supports two data origin authentication methods:
- Pre-shared keys: A secret key value entered for each peer is manually used...

Permanently maps the FTP server IP address

fw1(config)# static (dmz,outside) 192.168.1.4 172.16.1.10 netmask 255.255.255.255

In the example in the figure, the administrator wants the IP address of the FTP server on the DMZ to be permanently translated or mapped to a different IP address on the outside interface. The two interfaces are DMZ and outside. The two IP addresses are 192.168.1.4 and 172.16.1.10. Recommended when you want to translate multiple addresses with a single...

Permits outbound engineering HTTP, HTTPS, and FTP traffic

fw1(config)# access-list inside permit tcp object-group Inside_Eng any object-group Host_Services

The last step is to add the object groups to an ACL. In the figure, Inside_Eng and Host_Services are defined within the ACL statement. Hosts within the Inside_Eng group can access outbound any host with the protocols defined within the Host_Services object group. The following is the syntax for the protocol-object command

PIX Firewall 515E Front Panel LEDs

The behavior of the LEDs on the front panel of the PIX 515E Security Appliance is described here:
- POWER: When the device is powered on, the light is green.
- ACT(ive): When the PIX Security Appliance is used in a standalone configuration, the light is green. When the PIX Security Appliance is configured for failover operations, the light is green on the active PIX Security Appliance.
- NETWORK: The light is green when at least one network interface is passing traffic.
The PIX 515E Security Appliance...

Prevents users from accessing HTTPS and FTP URLs that are designated with the Websense-based URL-filtering application

fw1(config)# filter https 0 0 0 0 allow

This feature extends web-based URL filtering to HTTPS and File Transfer Protocol (FTP). The filter ftp and filter https commands were added to the filter command in Cisco PIX Security Appliance Software v6.3. The filter ftp command enables FTP filtering. The filter https command enables HTTPS filtering. The filter ftp and filter https commands are available with Websense URL filtering only. The example command in the figure instructs the security appliance...

Provides rich Layers 2 through 7 security services as a Layer 2 device

Cisco PIX and ASA Security Appliance Software v7.0 debuts the ability to deploy a security appliance in a secure bridging mode as a Layer 2 device to provide rich Layers 2 through 7 security services for the protected network. This enables businesses to deploy security appliances into existing network environments without requiring readdressing of the network. Although the security appliance can be completely invisible to devices on...

Recover IPS Image

debug module-boot enabled at level 1
asa1(config)# hw-module module 1 recover boot
The module in slot 1 will be recovered. This may erase all configuration and all data on that device and attempt to download a new image for it.
asa1(config)#
The module in slot 1 is unresponsive
The module in slot 1 is recovering.
Slot-1 8> tftp
Slot-1 9>
The module in slot 1 is recovering.
Slot-1 79>
Slot-1 80> Received 23140374 bytes
Slot-1 81> Launching TFTP Image
The module in slot 1 is recovering.
The module...

Remote Shell

The rsh protocol uses two channels:
- Client-initiated command connection (TCP)
- Server-initiated standard error connection (TCP)
For outbound connections, the security appliance opens an inbound port for standard error output. For inbound connections, if an rsh ACL exists, the security appliance handles rsh as follows:
- If outbound traffic is allowed, no special handling is required.
- If outbound traffic is not allowed, it opens the outbound port for standard error output.

Removes all dhcpd command statements from the configuration

The debug dhcpd command displays information associated with the DHCP server. Use the debug dhcpd event command to display event information about the DHCP server, and use the debug dhcpd packet command to display packet information about the DHCP server. Use the no form of the debug dhcpd command to disable debugging. The syntax for the debug dhcpd command is as follows: Displays...

Removing a Security Context

You can only remove a context by editing the system configuration. You cannot remove the current admin context, unless you remove all contexts. Contexts can be removed or created on the fly; no reboot is required.

WARNING: Removing context 'context3'! Proceed with removing the context? [confirm]

(Removes all contexts, including the admin context.)

To remove a context, use the...

Routed Firewall and Transparent Firewall Modes

Routed firewall mode:
- The FWSM is considered to be a router hop in the network.
- It performs NAT between connected networks.
- Supports OSPF or passive RIP (in single context mode).
- Supports up to 256 interfaces per context, with a maximum of 1000 interfaces across all contexts.

Transparent firewall mode:
- The FWSM acts like a bump in the wire and is not a router hop.
- The FWSM connects the same network on its inside and outside ports, but each port must be on a different VLAN.
- No dynamic routing protocols or NAT.
- Transparent mode only supports two interfaces per context.

A...

Security Appliance Access Authentication Configuration

This topic discusses how to configure authentication on Cisco security appliances.

Types of Security Appliance Access Authentication

Types of security appliance console authentication: The aaa authentication serial console command enables you to require authentication verification to access the console of the security appliance unit. Authenticated access to the security appliance console involves different types of prompts, depending on the...

Security Appliance User Authorization

- Classic user authorization, where a TACACS+ AAA server is configured with rules and consulted for every connection on demand
- Download of a per-user ACL from a RADIUS AAA server during authentication
If you want to allow all authenticated users to engage in all operations (HTTP, HTTPS, FTP, and Telnet) through the security appliance, authentication is sufficient and authorization is not needed. But if there is reason to allow only some subset of users or to limit users to certain sites or...

Serial Cable Active Standby Failover

Figure: Primary Active Security Appliance and Secondary Standby Security Appliance (192.168.2.2, 10.0.2.1); after failover, Secondary Active Security Appliance (192.168.2.2, 10.0.2.1).

Serial cable-based failover is supported on the PIX Security Appliance only. In serial cable-based active standby failover, there are two security appliances interconnected with a serial failover cable: a primary unit and a secondary unit. In the top example in the figure, the primary security appliance is...

Service Policy Overview

Enable the policy globally or on an interface

service-policy policymap_name [global | interface intf]

pix1(config)# service-policy outside_policy interface outside
(Enables the outside_policy service policy on the outside interface.)

To activate a policy map globally on all interfaces or on a targeted interface, use the service-policy command in privileged EXEC mode....

Service subcommand mode

fw1(config)# object-group service Host_Services tcp
fw1(config-service)# port-object eq http
fw1(config-service)# port-object eq https
fw1(config-service)# port-object eq ftp

To configure a service object group, first enter the object-group service command to name the service object group and enable the service subcommand mode. Using the tcp option specifies that the service object group contains ports that are used for TCP only. Using the...

Session Setup Command

Continue with configuration dialog? [yes]: yes
Enter IP interface [10.1.9.201/24,10.1.9.1]: 10.0.1.41/24,10
Enter telnet-server status [disabled]:
Modify current access list? [no]: yes
[0] Go to the command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration and exit setup.
Warning: Reboot is required before the configuration change
Warning: The node must be rebooted for the changes to go into effect.

Session Setup Default

After installing and loading software on the AIP-SSM module, you must initialize the AIP-SSM module using the setup command. With the setup command, you can configure basic AIP-SSM settings, including the host name, IP interfaces, Telnet server, web server port, access control lists, and time settings. The example in the figure displays the default setup parameters....

Setting MTU Size

This figure displays the Set MTU window, which is where you set the MTU size. The Set MTU option is used primarily for troubleshooting connectivity problems. For specific applications where fragmentation is still an issue, Set MTU can change the MTU size to fit the specific scenario. The Cisco VPN Client automatically adjusts the MTU size to suit your environment, so running this application should not be necessary. To implement a different MTU size,...

Show aaa-server Command (RADIUS)

Status ACTIVE, Last transaction at 14:33:13 utc Thu Aug 26 2004

The administrator can also view the AAA server messaging statistics. In the example in the figure, there was an authentication request, a challenge, and an accept message. There were no rejects or retransmissions. When per-user-override is present, the security appliance allows the permit or deny ACE from the downloaded per-user access-list to override the permit or deny ACE from the access-group command. When per-user-override is...

Show conn Command

count: Displays only the number of used connections. The precision of the displayed count may vary depending on traffic volume and the type of traffic passing through the security appliance.
detail: If specified, displays translation type and interface information.
protocol {tcp | udp | protocol}: Displays active connections by protocol type. protocol is a protocol specified by number.
{foreign | local} ip [-ip2] [netmask mask]: Displays active connections by the foreign IP address or the local IP address.
Qualifies foreign or local active...

Show Downloaded ACLs

access-list #ACSACL#-IP-RADIUSAUTH-3ddb8ab6; 3 elements
access-list #ACSACL#-IP-RADIUSAUTH-3ddb8ab6 line 1 extended permit tcp any host 192.168.2.10 eq www (hitcnt=5)
access-list #ACSACL#-IP-RADIUSAUTH-3ddb8ab6 line 2 extended permit tcp any host 192.168.2.11 eq ftp (hitcnt=0)
access-list #ACSACL#-IP-RADIUSAUTH-3ddb8ab6 line 3 extended deny ip any any (hitcnt=0)

After a user is authenticated, the administrator can view the downloaded ACL using the show access-list command. In the example in the...

Show failover Command

Detected an active mate
Beginning configuration replication to mate.
End configuration replication to mate.
fw2# show failover
Failover On
Cable status: Normal
Failover unit Primary
Failover LAN Interface: N/A - Serial-based failover enabled
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 15 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
Last Failover at: 13:21:38 UTC Dec 10 2004
Interface outside (192.168.2.2): Normal
Interface inside (10.0.2.1)...

Show local-host Command

Interface dmz: 0 active, 0 maximum active, 0 denied
Interface inside: 1 active, 5 maximum active, 0 denied
local host: <10.0.0.11>,
    TCP flow count/limit = 2/300
    TCP embryonic count to host = 0
    TCP intercept watermark = 25
    UDP flow count/limit = 0/unlimited
  TCP out 192.168.10.11:80 in 10.0.0.11:2824 idle 0:00:05 bytes 466 flags UIO
  TCP out 192.168.10.11:80 in 10.0.0.11:2823 idle 0:00:05 bytes 1402 flags UIO
Interface outside: 1 active, 1 maximum active, 0 denied
local host: <192.168.10.11>,
    TCP...

Show run service-policy Command

service-policy global_policy interface global
service-policy outside_policy interface outside

Shows the global_policy security policy and the outside_policy security policy:

pix1# show run service-policy
service-policy global_policy global
service-policy outside_policy interface outside

To display all currently running...

Specifies DHCP lease length

The dhcpd lease command specifies the amount of time in seconds that the client can use the assigned IP address. The default is 3600 seconds. The minimum lease length is 300 seconds, and the maximum lease length is 2,147,483,647 seconds. The syntax for the dhcpd lease command is as follows: The length of the lease in seconds granted to the DHCP client from the DHCP server. The lease indicates how long the client can use the assigned IP address. The default...

Specifies the name of the dedicated interface used for stateful failover

The following step provides more details about configuring the failover link:

Step 182 The stateful failover feature passes per-connection stateful information to the standby unit. After a failover occurs, the same connection information is available at the new active unit. End-user applications are not required to do a reconnect to keep the same communication session. The state information passed to the standby unit includes the...

Standard RTP Mode

In standard RTP mode, RTP uses three channels. For outbound connections, the security appliance opens inbound ports for RTP data and RTCP reports. For inbound connections, if an ACL exists, the security appliance handles standard RTP mode as follows:
- If outbound traffic is allowed, no special handling is required.
- If outbound traffic is not allowed, it opens outbound ports for RTP and RTCP.
In standard RTP mode, the following three channels are used by RTSP:
- TCP control channel: Standard TCP...

Stateful Packet Filtering

Limits information that is allowed into a network based not only on the destination and source addresses, but also on the packet's state-table content. Stateful packet filtering is the method used by the Cisco security appliances. This technology maintains complete session state. Each time a TCP or User Datagram Protocol (UDP) connection is established for inbound or outbound connections, the information is logged in a stateful session flow table. The stateful session flow table, also...