Lesson 3b © 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—3-1 Getting Started with Cisco Security Appliances

Lesson 3b

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—3-1

Getting Started with Cisco Security Appliances


User Interface


Security Appliance Access Modes

firewall>

firewall#

firewall<config>#

monitor>

A Cisco security appliance has four administrative access modes:• Unprivileged• Privileged• Configuration• Monitor


Internet

pixfirewall> enablepassword:pixfirewall#

enable [priv_level]firewall>

• Used to control access to the privileged mode• Enables you to enter other access modes

Access Privilege Mode


Access Configuration Mode: configure terminal Command

configure terminalfirewall#

• Used to start configuration mode to enter configuration commands from a terminal

pixfirewall> enablepassword:pixfirewall# configure terminalpixfirewall(config)# exitpixfirewall# exitpixfirewall>

exitfirewall#

• Used to exit from an access mode


pixfirewall > help ?

enable Turn on privileged commands exit Exit the current command mode login Log in as a particular user logout Exit from current command mode, and to unprivileged mode quit Exit the current command mode

pixfirewall > help enable

USAGE:

enable [<priv_level>]

DESCRIPTION:

enable Turn on privileged commands

help Command


File Management


Viewing and Saving Your Configuration

The following commands enable you to view or save your configuration:• copy run start

– show running-config– show startup-config

• write memory– write terminal

To save configuration changes:copy run start

running-config

startup-config(saved)

Configuration Changes


Clearing Running Configuration

firewall(config)#

clear configure all

• Clears the running-configuration

fw1(config)# clear config all

Clear the running configuration:clear config all

running-config

startup-config

(default)


Clearing Startup Configuration

firewall#

write erase

• Clears the startup configuration

Fw1# write erase

Clear the startup configuration:Write erase

running-config

startup-config

(default)


Reload the Configuration: reload Command

• Reboots the security appliance and reloads the configuration• Reboots can be scheduled

fw1# reload

Proceed with reload?[confirm] y

Rebooting...

reload [noconfirm] [cancel] [quick] [save-config] [max-hold-time [hh:]mm [{in [hh:]mm |{at hh:mm [{month day} | {day month}]}] [reason text]

firewall(config)#


File System

• Software Image• Configuration file• Private data file• PDM image• Crash

information

Release 6.and earlier

Release 7.and later

• Software image• Configuration file• Private data• PDM image• Backup image*• Backup

configuration file*• Virtual firewall

Configuration file*

* Space available

10.0.0.11


Displaying Stored Files: System and Configuration

• Display the directory contents.

firewall(config)#

10.0.0.11

PIX FirewallFlash:

ASADisk0:Disk1:

firewall# dir

Directory of flash:/

3 -rw- 4902912 13:37:33 Jul 27 2005 pix-701.bin4 -rw- 6748932 13:21:13 Jul 28 2005 asdm-501.bin

16128000 bytes total (4472832 bytes free)

dir [/recursive] [[{disk0:|disk1:|flash:}][<path>}]]


Selecting Boot System File

• Can store more than one system image and configuration file• Designates which system image and startup configuration

file to boot

fw1(config)# boot system flash:/pix-701.bin

Boot [system | config} <url>firewall(config)#

firewall# dir

Directory of flash:/

3 -rw- 4902912 13:37:33 Jul 27 2005 pix-701.bin4 -rw- 6748932 13:21:13 Jul 28 2005 asdm-501.bin

16128000 bytes total (4472832 bytes free)


Verifying the Startup System Image

• Display the system boot image.

fw1# show bootvar

BOOT variable = flash:/pix-701.binCurrent BOOT variable = flash:/pix-701.binCONFIG_FILE variable =Current CONFIG_FILE variable =

show bootvarfirewall(config)#

10.0.0.11

Boot Imageflash:/pix-701.bin

ConfiguredRunning


Security Appliance Security Levels


Functions of the Security Appliance: Security Algorithm

• Implements stateful connection control through the security appliance.

• Allows one-way (outbound) connections with a minimum number of configuration changes. An outbound connection is a connection originating from a host on a more-protected interface and destined for a host on a less-protected network.

• Monitors return packets to ensure that they are valid.• Randomizes the first TCP sequence number to minimize

the risk of attack.


Security Level Example

Outside NetworkEthernet0• Security level 0• Interface name = outside

DMZ NetworkEthernet2• Security level 50• Interface name = DMZ

Inside NetworkEthernet1• Security level 100• Interface name = inside

e0

e2

e1Internet


Basic Security Appliance Configuration


Assigning Hostname to Security Appliance:

Changing the CLI Prompt

pixfirewall(config)# hostname BostonBoston(config)#

hostname newnamepixfirewall(config)#

• Changes the hostname in the PIX Firewall CLI prompt

ServerBoston

ServerNew_York

ServerDallas

pixfirewall(config)# hostname BostonBoston(config)#

hostname newname


Basic CLI Commands for Security Appliances

• hostname• interface

– nameif– ip address– security-level– speed– duplex– no shutdown

• nat-control• nat• global• route

e0

e2

e1Internet


interface hardware_id

firewall(config)#

fw1(config)# interface ethernet0 (GigabitEthernet0/0)fw1(config-if)#

interface Command and Subcommands

• Specifies a perimeter interface and its slot location on the firewall

Ethernet0

Ethernet2

Ethernet1e0

e2

e1Internet


interface vlan_id

firewall(config)#

fw1(config)# interface vlan 2fw1(config-if)#

interface Commands for Vlans

• Specifies a perimeter interface and its slot location on the firewall

Ethernet0

Ethernet2

Ethernet1e0

e2

e1Internet


nameif hardware_id if_name

firewall(config-if)#

fw1(config)# interface ethernet0 (GigabitEthernet0/0)fw1(config-if)# nameif outside

Assign an Interface Name:nameif Subcommand

• Assigns a name to each perimeter interface on the PIX Firewall Security Appliance.

Ethernet0• Interface name = outside

Ethernet2• Interface name = dmz

Ethernet1• Interface name = inside

e0

e2

e1Internet


ip address ip_address [netmask]


Assign Interface IP Address: ip address Subcommand

• Assigns an IP address to each interface

fw1(config)# interface ethernet0 (GigabitEthernet0/0)fw1(config-if)# nameif outsidefw1(config-if)# ip address 192.168.1.2 255.255.255.0

Ethernet0• Interface name = outside• IP address = 192.168.1.2

e0

e2

e1Internet


DHCP-Assigned Address

fw1(config)# interface ethernet0 (GigabitEthernet0/0)fw1(config-if)# nameif outside fw1(config-if)# ip address dhcp


ip address if_name dhcp [setroute] [retry retry_cnt]

• Enables the DHCP client feature on the outside interface

e0Internet

DHCP Assigned

Ethernet0• Interface name = outside• IP address = DHCP


security-level number


Assign a Security Level: security-level SubCommands

• Assigns a security level to the interface

fw1(config)# interface ethernet0 (GigabitEthernet0/0)fw1(config-if)# nameif outsidefw1(config-if)# ip address 192.168.1.2fw1(config-if)# security-level 0

e0

e2

e1Internet

Ethernet0• Interface name = outside• IP address = 192.168.1.2• Security level = 0


speed [hardware_speed]duplex [duplex_operation]


Assign an Interface Speed and Duplex: speed and duplex SubCommands

• Enables an interface speed and duplex

fw1(config)# interface ethernet0 (GigabitEthernet0/0)fw1(config-if)# nameif outsidefw1(config-if)# ip address 192.168.1.2fw1(config-if)# security-level 0 fw1(config-if)# speed 100fw1(config-if)# duplex full

e0

e2

e1Internet

Ethernet0• Speed =100• Duplex = full


management-onlyno management-only


ASA Management Interface

• To set an interface to accept management traffic only

fw1(config)# interface management 0/0fw1(config-if)# nameif outsidefw1(config-if)# ip address 192.168.1.2fw1(config-if)# security-level 0

e0

e2

e1Internet

Ethernet0• Management = only


Network Address Translation

Inside Local

Outside Mapped Pool

10.0.0.11192.168.0.20

10.0.0.11

10.0.0.4Translation Table

10.0.0.11192.168.0.20

192.168.10 .11

NAT

Internet


Enable NAT Control

Inside Local

Outside Mapped Pool

10.0.0.11192.168.0.20

10.0.0.11

10.0.0.4Translation Table

10.0.0.11192.168.0.20

200.200.200.11

NAT

Internet

fw1(config)# nat-control

• Enable or disable NAT configuration requirement


nat [(if_name)] nat_id address [netmask] [dns] [[tcp] tcp_max_conns [emb_limit] [norandomseq]]] [udp udp_max_conns]

firewall(config)#

nat Command

• Enables IP address translation

fw1(config)# nat (inside) 1 0.0.0.0 0.0.0.0 0 0

10.0.0.11

10.0.0.4

10.0.0.11X.X.X.X

NAT

Internet


global Command

• Works with the nat command to assign a registered or public IP address to an internal host when accessing the outside network through the firewall, for example, 192.168.0.20-192.168.0.254

fw1(config)# nat (inside) 1 0.0.0.0 0.0.0.0

fw1(config)# global (outside) 1 192.168.0.20-192.168.0.254

firewall(config)#

global[(if_name)] nat_id {mapped_ip[-mapped_ip][netmask mapped_mask]} | interface

10.0.0.11

10.0.0.4

10.0.0.11192.168.0.20

NAT

Internet


route if_name ip_address netmask gateway_ip [metric]

firewall(config)#

Configure a Static Route: route Command

• Defines a static or default route for an interface

fw1(config)# route outside 0.0.0.0 0.0.0.0 192.168.0.1 1fw1(config)# route inside 10.0.1.0 255.255.255.0 10.0.0.102 1

192.168.0.110.0.1.11

10.0.1.4

Default Route

10.0.0.102

Static Route

Internet


fw1(config)# namesfw1(config)# name 172.16.0.2 bastionhostfw1(config)# name 10.0.0.11 insidehost

HostName-to-IP-Address Mapping: name Command

• Configures a list of name-to-IP-address mappings on the security appliance

name ip_address namefirewall(config)#

“bastionhost”172.16.0.2

172.16.0.0.2

.110.0.0.0

.1 .11

“insidehost”10.0.0.11


Configuration Example

write terminalinterface ethernet0 nameif outside security-level 0 speed 100 duplex full ip address 192.168.2.2 255.255.255.0interface ethernet1 nameif inside security-level 100 speed 100 duplex full ip address 10.0.1.1 255.255.255.0

172.16.6.0

.1 10.0.6.0.1

192.168.6.0.2

10.1.6.0.1

Ethernet0• Interface name = outside• Security level = 0• IP address = 192.168.6.2

Ethernet1• Interface name = inside • Security level = 100• IP address = 10.0.6.1

Internet


Configuration Example (Cont.)

interface ethernet2 nameif dmz security-level 50 speed 100 duplex full ip address 172.16.2.2 255.255.255.0 passwd 2KFQnbNIdI.2KYOU encrypted hostname fw1 names name 172.16.6.2 bastionhost name 10.1.6.11 insidehost

172.16.6.0.1 10.0.6.0

.1192.168.6.0

.210.1.6.0

.1

Ethernet2• Interface name = dmz• Security level = 50• IP address = 172.16.6.1

Internet




Configuration Example (Cont.)

nat-controlnat (inside) 1 0.0.0.0 0.0.0.0 0 0global (outside) 1 192.168.6.20-192.168.6.254route outside 0.0.0.0 0.0.0.0 192.168.6.1 1route inside 10.1.6.0 255.255.255.0 10.0.6.102 1

10.0.0.0Mapped Pool

192.168.6.20 - 254

172.16.6.0 .2

.1

.102



10.0.6.0.1

192.168.6.0.2.1

10.1.6.0.1

Default Route Static Route

Internet


Examining Security Appliance Status


fw1# show interfaceInterface GigabitEthernet0/0 "outside", is up, line protocol is up Detected: Speed 100 Mbps, Full-duplex Requested: Auto MAC address 000b.fcf8.c538, MTU 1500 IP address 192.168.1.2, subnet mask 255.255.255.0 0 packets input, 0 bytes, 0 no buffer Received 0 broadcasts, 0 runts, 0 giants 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 0 packets output, 0 bytes, 0 underruns input queue (curr/max blocks): hardware (0/0) software (0/0) output queue (curr/max blocks): hardware (0/0) software (0/0) Received 0 VLAN untagged packets, 0 bytes Transmitted 0 VLAN untagged packets, 0 bytes Dropped 0 VLAN untagged packets

show Commands

fw1# show run interface!interface Ethernet0 speed 100 duplex full nameif outside security-level 0 ip address 192.168.2.2 255.255.255.0!interface Ethernet1 speed 100 duplex full nameif inside security-level 100 ip address 10.0.2.1 255.255.255.0

show run interface

show interface


fw1# show memoryFree memory: 49046552 bytesUsed memory: 18062312 bytes------------- ----------------Total memory: 67108864 bytes

show memory Command

• Displays system memory usage information

firewall#

show memory


fw1# show cpu usageCPU utilization for 5 seconds = 0%; 1 minute: 0%; 5 minutes: 0%

show cpu usage Command

• Displays CPU use

firewall#

show cpu usage

10.0.0.11

10.0.0.4

Internet


show version Command

• Displays the security appliance’s software version, operating time since its last reboot, processor type, Flash memory type, interface boards, serial number (BIOS identification), and activation key value.

firewall#

show version

Cisco PIX Security Appliance Software Version 7.0(1)

Compiled on Thu 31-Mar-05 14:37 by buildersSystem image file is "flash:/pix-701.bin"Config file at boot was "startup-config"

pixfirewall up 12 mins 24 secs

Hardware: PIX-515, 128 MB RAM, CPU Pentium 200 MHzFlash i28F640J5 @ 0x300, 16MB……………


fw1# show ip addressSystem IP Addresses:Interface Name IP address Subnet maskEthernet0 outside 192.168.1.2 255.255.255.0CONFIGEthernet1 inside 10.0.1.1 255.255.255.0CONFIG Ethernet2 dmz 172.16.1.1 255.255.255.0CONFIG Current IP Addresses:Interface Name IP address Subnet maskEthernet0 outside 192.168.1.2 255.255.255.0CONFIG Ethernet1 inside 10.0.1.1 255.255.255.0CONFIG Ethernet2 dmz 172.16.1.1 255.255.255.0CONFIG

show ip address Command

172.16.6.0

.1 10.0.6.0.1

192.168.6.0.2

10.1.6.0.1Internet


fw1# show interfaceinterface ethernet0 "outside" is up, line protocol is up Hardware is i82559 ethernet, address is 0050.54ff.653a IP address 192.168.0.2, subnet mask 255.255.255.0 MTU 1500 bytes, BW 100000 Kbit full duplex 4 packets input, 282 bytes, 0 no buffer Received 0 broadcasts, 0 runts, 0 giants 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 20 packets output, 1242 bytes, 0 underruns 0 output errors, 0 collisions, 0 interface resets 0 babbles, 0 late collisions, 0 deferred 0 lost carrier, 0 no carrier input queue (curr/max blocks): hardware (128/128) software (0 output queue (curr/max blocks): hardware (0/1) software (0/1)

show interface Command


show nameif Command

fw1# show nameifInterface Name SecurityEthernet0 outside 0Ethernet1 inside 100Ethernet2 dmz 50

Ethernet0• Interface name = outside• Security level = 0

Ethernet2• Interface name = dmz• Security level = 50

Ethernet1• Interface name = inside • Security level = 100

e0

e2

e1Internet


show run nat Command

fw1# show run natnat (inside) 1 10.0.0.0 255.255.255.0 0 0

10.0.0.11

10.0.0.4

10.0.0.XX.X.X.X

NAT

• Displays a single host or range of hosts to be translated

firewall#

show run nat

Internet


show run global Command

fw1# show run globalglobal (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0

Mapped Pool192.168.0.20-192.168.0.254

10.0.0.11

10.0.0.4

10.0.0.X

• Displays the pool of mapped addresses

firewall#

show run global

Internet


show xlate Command

fw1# show xlate1 in use, 1 most usedGlobal 192.168.0.20 Local 10.0.0.11

192.168.0.20 10.0.0.11

10.0.0.4

10.0.0.11

• Displays the contents of the translation slots

firewall#

show xlate

Inside local

Outside mapped pool

10.0.0.11192.168.0.20Xlate Table

Internet


ping Command

• Determines whether other IP addresses are visible from the security appliance

fw1# ping 10.0.1.11Sending 5, 100-byte ICMP Echos to 10.0.1.11, timeout is 2 seconds:!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 10/12/20 ms

ping host firewall#

10.0.0.11

10.0.0.4

Internet


show route Command

fw1(config)# sh route

S 0.0.0.0 0.0.0.0 [1/0] via 192.168.1.1, outsideC 10.0.1.0 255.255.255.0 is directly connected, insideC* 127.0.0.0 255.255.0.0 is directly connected, cplaneC 172.16.1.0 255.255.255.0 is directly connected, dmzC 192.168.1.0 255.255.255.0 is directly connected, outside

e0

e2

e1Internet

* ASA 55X0 only

• Works only with the ASA 5500 Series Adaptive Security Appliances


Setting Time and Using NTP Support


clock Command

• Sets the security appliance clock

fw1# clock set 21:0:0 jul 23 2003

clock set hh:mm:ss {day month | month day} yearfirewall#

10.0.0.11

10.0.0.4

Wed 23-Jul-03 21:00

Internet


Setting Daylight Saving Time and Time Zones

• Specifies that summertime starts on the first Sunday in April at 2 a.m. and ends on the last Sunday in October at 2 a.m.

fw1(config)# clock summer-time PDT recurring 1 Sunday April 2:00 last Sunday October 2:00

clock summer-time zone recurring [week weekday month hh:mm week weekday month hh:mm] [offset]

firewall(config)#

clock timezone zone hours [minutes] firewall(config)#

• Sets the clock display to the time zone specified

• Displays summertime hours during the specified summertime date range


ntp Command

• Synchronizes the security appliance with an NTP server

fw1(config)# ntp authentication-key 1234 md5 cisco123fw1(config)# ntp trusted-key 1234fw1(config)# ntp server 10.0.0.12 key 1234 source inside preferfw1(config)# ntp authenticate

ntp server ip_address [key number] source if_name [prefer]

firewall(config)#

10.0.0.11

10.0.0.12

NTP Server

Internet


Syslog Configuration


Configure Syslog Output to a Syslog Server

Syslog Server

Syslog Messages

Internet


Logging Options

Console – Output to console

Buffered – Output to internal buffer

Monitor – Output to Telnet

Host – Output to syslog server

SNMP – Output to SNMP server

Syslog Server

Internet

LoggingOptions

ConsoleTelnet

Internal Buffer

SNMP Server


Logging Levels

0 – Emergencies1 – Alerts2 – Critical3 – Errors 4 – Warnings5 – Notifications6 – Informational7 – Debugging

Syslog Server

Internet

ConsoleTelnet

Internal Buffer

SNMP Server

LoggingLevels


Configure Message Output to a Syslog Server

• Designate the syslog host server. • Set the logging level.• Enable logging time stamp on syslog messages.• Specify the logging device identifier.• Enable logging.

Syslog Server

10.0.1.11

Syslog Messages

fw1(config)# logging host inside 10.0.1.11fw1(config)# logging trap warningsfw1(config)# logging timestampfw1(config)# logging device-id pix6fw1(config)# logging on

fw1Internet


Syslog Output Example

Message IdentifierLogging Device Identifier

Logging Date and Time StampLogging Device IP Address

Logging Level


Customize Syslog Output

fw1(config)# logging trap warnings fw1(config)# logging message 302013 level 4fw1(config)# logging message 302014 level 4

logging message syslog_id level levelfirewall(config)#

• Enables you to change the level of specific syslog messages

fw1(config)# no logging message 710005

no logging message syslog_idfirewall(config)#

• Disallows unwanted syslog messages


show logging Command

Syslog Server

10.0.1.11

Syslog Messages

fw1

InternalBuffer

fw1(config)# show loggingSyslog logging: enabled Facility: 20 Timestamp logging: enabled Standby logging: disabled Ambiguous interface parameters: 97 Console logging: disabled Monitor logging: disabled Buffer logging: level warnings, 0 messages logged Trap logging: level warnings, facility 20, 0 messages logged Logging to inside 10.0.1.11 History logging: disabled Device ID: fw1 Mail logging: disabled PDM logging: disabled

Internet


Summary

• Cisco security appliances have four administrative access modes: unprivileged, privileged, configuration, and monitor.

• Interfaces with a higher security level can access interfaces with a lower security level, but interfaces with a lower security level cannot access interfaces with a higher security level unless given permission.

• The security appliance show commands help you manage the security appliance.


Summary (Cont.)

• The basic commands that are necessary to configure Cisco security appliances are the following: interface, nameif, nat, global, and route.

• The nat and global commands work together to translate IP addresses.

• The security appliance can send syslog messages to a syslog server.

• The security appliance can function as a DHCP client.

Documents

Lesson 3b © 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—3-1 Getting Started with Cisco Security Appliances