© 2006 Cisco Systems, Inc. All rights reserved. Network Security 2 Module 8 – PIX Security Appliance Contexts, Failover, and Management

Page 1:

© 2006 Cisco Systems, Inc. All rights reserved.

Network Security 2

Module 8 – PIX Security Appliance Contexts, Failover, and Management

Page 2:

Lesson 8.4 PIX Security Appliance Management

Module 8 – PIX Security Appliance Contexts, Failover, and Management

Page 3:

© 2007 Cisco Systems, Inc. All rights reserved. SNPA v5.0—16-3

Managing System Access

Page 4:

Configuring Telnet Access to the Security Appliance Console

ciscoasa(config)#
telnet {{hostname | IP_address mask interface_name} | {IPv6_address interface_name} | {timeout number}}

Enables you to specify which hosts can access the security appliance console with Telnet, and to set the maximum time a console Telnet session can be idle before the security appliance logs it off.

ciscoasa(config)#
passwd password [encrypted]

Sets the password for Telnet access to the security appliance.

Example (the figure shows a Telnet client at 10.0.0.11 behind the inside interface):

asa1(config)# telnet 10.0.0.11 255.255.255.255 inside
asa1(config)# telnet timeout 15
asa1(config)# passwd telnetpass

Page 5:

Viewing and Disabling Telnet

ciscoasa#
show running-config telnet [timeout]

Displays the IP addresses permitted to access the security appliance via Telnet (with the timeout keyword, the idle timeout).

ciscoasa#
who [local_ip]

Enables you to view which IP addresses are currently accessing the security appliance console via Telnet.

ciscoasa#
kill telnet_id

Terminates a Telnet session.

ciscoasa(config)#
clear configure telnet

Removes the Telnet connection entries and the idle timeout from the configuration.

Page 6:

SSH Connections to the Security Appliance

SSH connections to the security appliance:

– Provide secure remote access

– Provide strong authentication and encryption

– Require RSA key pairs for the security appliance

– Require 3DES/AES or DES activation keys

– Allow up to five SSH clients to simultaneously access the security appliance console

– Use the Telnet password for local authentication

Page 7:

Configuring SSH Access to the Security Appliance Console

ciscoasa(config)#
crypto key zeroize {rsa | dsa} [label key-pair-label] [default] [noconfirm]

Removes any previously generated RSA keys.

ciscoasa(config)#
write memory

Saves the CA state.

ciscoasa(config)#
domain-name name

Configures the domain name.

ciscoasa(config)#
crypto key generate rsa [usage-keys | general-keys] [label key-pair-label] [modulus size] [noconfirm]

Generates an RSA key pair.

ciscoasa(config)#
ssh {ip_address mask | ipv6_address/prefix} interface

Specifies the host or network authorized to initiate an SSH connection.

ciscoasa(config)#
ssh timeout number

Specifies how long a session can be idle before being disconnected.

Page 8:

Connecting to the Security Appliance with an SSH Client

asa1(config)# crypto key zeroize rsa
asa1(config)# write memory
asa1(config)# domain-name cisco.com
asa1(config)# crypto key generate rsa modulus 1024
asa1(config)# write memory
asa1(config)# ssh 172.26.26.50 255.255.255.255 outside
asa1(config)# ssh timeout 30

Figure: an SSH client at 172.26.26.50 on the Internet side connects with username pix and the Telnet password (telnetpassword).

Page 9:

Viewing, Disabling, and Debugging SSH

ciscoasa#
show ssh sessions [ip_address]

Enables you to view the status of your SSH sessions.

ciscoasa#
ssh disconnect session_id

Disconnects an SSH session.

ciscoasa(config)#
clear configure ssh

Removes all SSH command statements from the configuration.

ciscoasa(config)#
debug ssh

Enables SSH debugging.
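The Telnet and SSH commands on the preceding slides can be checked mechanically before they are saved. The following Python script is an added example, not part of the course material: it reads a constructed transcript of config-mode commands (the slides' own lines plus one deliberately permissive Telnet line) and flags the conditions a reviewer would raise. The 2048-bit minimum RSA modulus and the finding names are the example's own assumptions.

```python
"""Audit the Telnet and SSH management-access commands of a PIX/ASA.

Added example (not from the course slides). Input is a constructed
transcript of config-mode commands: the slides' own lines plus one
deliberately weak Telnet line.
"""
import re
from typing import List, Tuple

# Constructed sample: the commands from the Telnet and SSH slides, plus a
# permissive "telnet 0.0.0.0 0.0.0.0 outside" line to show what gets flagged.
SAMPLE_COMMANDS = """
telnet 10.0.0.11 255.255.255.255 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 15
passwd telnetpass
crypto key generate rsa modulus 1024
ssh 172.26.26.50 255.255.255.255 outside
ssh timeout 30
"""

ANY_MASK = "0.0.0.0"
MIN_RSA_BITS = 2048   # assumption: the smallest modulus a reviewer should accept today


def audit_management_access(commands: str) -> List[Tuple[str, str]]:
    """Return (finding, offending line) pairs, in the order the lines appear."""
    findings: List[Tuple[str, str]] = []
    ssh_timeout_set = False
    for raw in commands.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "telnet" and tok[1] != "timeout":
            # Telnet carries the console password and every command in cleartext.
            findings.append(("telnet-cleartext", raw))
            if len(tok) >= 4:                     # "telnet ip mask interface" form
                if tok[2] == ANY_MASK:
                    findings.append(("telnet-any-host", raw))
                if tok[3] == "outside":
                    findings.append(("telnet-on-outside", raw))
        elif tok[0] == "ssh" and tok[1] == "timeout":
            ssh_timeout_set = True
        elif tok[0] == "ssh" and len(tok) >= 4 and tok[2] == ANY_MASK:
            findings.append(("ssh-any-host", raw))
        elif raw.startswith("crypto key generate rsa"):
            m = re.search(r"\bmodulus (\d+)", raw)
            # "modulus size" is optional in the slide syntax; treat an omitted
            # size as unknown and flag it so the operator checks the default.
            bits = int(m.group(1)) if m else 0
            if bits < MIN_RSA_BITS:
                findings.append(("rsa-modulus-weak", raw))
    if not ssh_timeout_set:
        findings.append(("ssh-timeout-missing", "ssh timeout not set"))
    return findings


if __name__ == "__main__":
    for finding, line in audit_management_access(SAMPLE_COMMANDS):
        print(f"{finding:22} {line}")
```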

Page 10:

Managing User Access Levels

Page 11:

Command Authorization Overview

The purpose of command authorization is to securely and efficiently administer the security appliance. You can configure the following types of command authorization:

– Command authorization with password-protected privilege levels

– Command authorization with username and password authentication

Page 12:

Command Authorization with Password-Protected Privilege Levels

The following tasks are required to configure command authorization with password-protected privilege levels:

– Use the enable command to create privilege levels and assign passwords to them.

– Use the privilege command to assign specific commands to privilege levels.

– Use the aaa authorization command to enable the command authorization feature.

Users must complete the following steps to use command authorization with password-protected privilege levels:

– Use the enable command with the level option to access the desired privilege level.

– Provide the password for the privilege level when prompted.

The user can then execute any command assigned to that privilege level or to a lower privilege level.

Page 13:

Configuring Command Authorization with Password-Protected Privilege Levels

ciscoasa(config)#
enable password password [level level] [encrypted]

Creates and password-protects privilege levels by configuring enable passwords for the various privilege levels.

asa1(config)# enable password Passw0rD level 10

ciscoasa
enable [level]

Provides access to a particular privilege level from the > prompt.

asa1> enable 10
Password: Passw0rD
asa1#

Figure: an administrator at 10.0.0.11 enters enable 10 and the level-10 password.

Page 14:

Configuring Command Authorization with Password-Protected Privilege Levels (Cont.)

ciscoasa(config)#
privilege [show | clear | configure] level level [mode command_mode] command command

Configures user-defined privilege levels for security appliance commands.

ciscoasa(config)#
aaa authorization command {LOCAL | server-tag [LOCAL]}

Enables command authorization.

asa1(config)# enable password Passw0rD level 10
asa1(config)# privilege show level 8 command access-list
asa1(config)# privilege configure level 10 command access-list
asa1(config)# aaa authorization command LOCAL

A user who knows the level-10 password can then enter privilege level 10 and configure access lists:

ciscoasa> enable 10
Password: Passw0rD
ciscoasa# config t
ciscoasa(config)# access-list . . .

Page 15:

Command Authorization with Username and Password Authentication

The following tasks are required to configure command authorization with username and password authentication:

– Use the privilege command to assign specific commands to privilege levels.

– Use the username command to create user accounts in the local user database and assign privilege levels to the accounts.

– Use the aaa authorization command to enable command authorization.

– Use the aaa authentication command to enable authentication using the local database.

Page 16:

Command Authorization with Username and Password Authentication

Users must complete one of the following tasks to use command authorization with username and password authentication:

– Enter the login command at the > prompt and log in with a username and password.

– Enter the enable command at the > prompt and log in with a username and password.

The user can then execute any command assigned to the same privilege level as the user account or to a lower privilege level.

Page 17:

Configuring Command Authorization with Username and Password Authentication

ciscoasa(config)#
username name {nopassword | password password [mschap | encrypted | nt-encrypted]} [privilege priv_level]

Creates a user account in the local database. Can be used to configure a privilege level for the user account.

asa1(config)# username admin password passw0rd privilege 15
asa1(config)# username kenny password chickadee privilege 10

Figure: local database on the security appliance: admin / passw0rd / 15; kenny / chickadee / 10.

Page 18:

Configuring Command Authorization with Username and Password Authentication (Cont.)

ciscoasa(config)#
aaa authentication {serial | enable | telnet | ssh | http} console {server-tag [LOCAL] | LOCAL}

Enables you to configure authentication with the local database.

The following commands configure command authorization with username and password authentication using the local database:

asa1(config)# privilege configure level 10 command access-list
asa1(config)# username kenny password chickadee privilege 10
asa1(config)# aaa authorization command LOCAL
asa1(config)# aaa authentication enable console LOCAL

The user kenny then logs in from 10.0.0.11 and can configure access lists at privilege level 10:

ciscoasa> login
Username: kenny
Password: chickadee
ciscoasa# config t
ciscoasa(config)# access-list . . .

Page 19:

Viewing Your Command Authorization Configuration

ciscoasa#
show running-config [all] privilege [all | command command | level level]

Displays the privilege levels assigned to commands, either for all commands or for a particular command or set of commands.

ciscoasa#
show curpriv

Displays the user account that is currently logged in.

Page 20:

Lockout

You can lock yourself out of the security appliance by:

– Configuring authentication using the local database without configuring any user accounts in the local database

– Configuring command authorization using a TACACS+ server if the TACACS+ server is unavailable, down, or misconfigured

Do not save your command authorization configuration until you are sure it works as intended.

Figure: the administrator at 10.0.0.11 cannot log in because the TACACS+ server at 10.0.0.2 is unreachable and the local database is empty.
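The privilege-level rule from the command authorization slides (a user may run any command assigned to the user's level or a lower one) and the two lockout conditions above can be modelled directly. The following Python class is an added example, not Cisco's code: it parses the slides' privilege, username and aaa lines (a constructed sample), answers whether a user or privilege level may run a command, and reports whether the configuration matches either lockout condition. Its default levels (15 for a command without a privilege entry, 2 for a username without the privilege keyword) and its reading of a privilege entry without show/clear/configure as covering all three forms are the example's own assumptions.

```python
"""Model PIX/ASA command authorization and the lockout conditions.

Added example (not from the course slides). Assumptions the slides do
not state: a command with no privilege entry is level 15, a username
without the privilege keyword is level 2, and a privilege entry that
names no form (show/clear/configure) covers all three.
"""
from typing import Dict, List, Tuple

# Constructed sample built from the slides' own commands.
SAMPLE_CONFIG = """
privilege show level 8 command access-list
privilege configure level 10 command access-list
username admin password passw0rd privilege 15
username kenny password chickadee privilege 10
aaa authorization command LOCAL
aaa authentication enable console LOCAL
"""

DEFAULT_COMMAND_LEVEL = 15   # assumption (see docstring)
DEFAULT_USER_LEVEL = 2       # assumption (see docstring)
FORMS = ("show", "clear", "configure")


class CommandAuthz:
    def __init__(self, config: str) -> None:
        self.levels: Dict[Tuple[str, str], int] = {}   # (form, command) -> level
        self.users: Dict[str, int] = {}                 # username -> privilege
        self.authz_sources: List[str] = []              # 'aaa authorization command' args
        self.console_auth: List[str] = []               # 'aaa authentication ... console' args
        for raw in config.splitlines():
            tok = raw.split()
            if not tok:
                continue
            if tok[0] == "privilege":
                level = int(tok[tok.index("level") + 1])
                cmd = tok[tok.index("command") + 1]
                forms = [tok[1]] if tok[1] in FORMS else list(FORMS)
                for form in forms:
                    self.levels[(form, cmd)] = level
            elif tok[0] == "username":
                level = DEFAULT_USER_LEVEL
                if "privilege" in tok:
                    level = int(tok[tok.index("privilege") + 1])
                self.users[tok[1]] = level
            elif tok[:3] == ["aaa", "authorization", "command"]:
                self.authz_sources = tok[3:]
            elif tok[:2] == ["aaa", "authentication"] and "console" in tok:
                self.console_auth = tok[tok.index("console") + 1:]

    def allowed_at(self, level: int, form: str, command: str) -> bool:
        """Rule from the slides: the session's level must be >= the command's level."""
        return level >= self.levels.get((form, command), DEFAULT_COMMAND_LEVEL)

    def can_run(self, user: str, form: str, command: str) -> bool:
        """Same rule for a local-database user (login, or enable with a username)."""
        if user not in self.users:
            return False
        return self.allowed_at(self.users[user], form, command)

    def lockout_risks(self) -> List[str]:
        """The two lockout conditions from the Lockout slide."""
        risks = []
        if "LOCAL" in self.console_auth and not self.users:
            risks.append("local-authentication-without-users")
        if self.authz_sources and "LOCAL" not in self.authz_sources:
            risks.append("server-authorization-without-local-fallback")
        return risks
```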

Page 21:

Password Recovery for the Cisco ASA Security Appliance

ciscoasa(config)#
service password-recovery

Enables password recovery. On by default.

asa1(config)# no service password-recovery
WARNING: Executing "no service password-recovery" has disabled the password recovery mechanism and disabled access to ROMMON. The only means of recovering from lost or forgotten passwords will be for ROMMON to erase all file systems including configuration files and images. You should make a backup of your configuration and have a mechanism to restore images from the ROMMON command line.

Page 22:

Password Recovery for the Cisco PIX Security Appliance

– Download the following file from Cisco.com: npXX.bin, where XX is the Cisco PIX security appliance image version number.

– Reboot the system and break the boot process when prompted to go into monitor mode.

– Set the interface, IP address, gateway, server, and file to access the previously downloaded image via TFTP.

– Follow the directions displayed.

Page 23:

Managing Software, Licenses, and Configurations

Page 24:

Viewing Directory Contents

ciscoasa#
dir [/all] [/recursive] [all-filesystems | [disk0: | disk1: | flash: | system:] path]

Displays the directory contents.

asa1# dir
Directory of disk0:/
4346 -rw- 8202240 15:01:10 Oct 19 2006 asa721-k8.bin
6349 -rw- 5539756 15:30:39 Oct 19 2006 asdm521.bin
7705 -rw- 3334 07:03:57 Oct 22 2006 old_running.cfg
62947328 bytes total (29495296 bytes free)

You can use the pwd command to display the current working directory.

Page 25:

Viewing File Contents

ciscoasa#
more [/ascii | /binary | /ebcdic | disk0: | disk1: | flash: | ftp: | http: | https: | system: | tftp:] filename

Displays the contents of a file.

asa1# more ctx1.cfg
: Saved
: Written by enable_15 at 14:12:08.092 UTC Sat Oct 7 2006
!
ASA Version 7.2(1) <context>
!
hostname CTX1
enable password 8Ry2YjIyt7RRXU24 encrypted . . .

Page 26:

Directory Management

ciscoasa#
mkdir [/noconfirm] [disk0: | disk1: | flash:]path

Creates a new directory.

ciscoasa#
rmdir [/noconfirm] [disk0: | disk1: | flash:]path

Removes a directory.

ciscoasa#
cd [disk0: | disk1: | flash:][path]

Changes the current working directory to the one specified.

Page 27:

Copying Files

ciscoasa#
copy [/noconfirm | /pcap] {url | running-config | startup-config} {running-config | startup-config | url}

Copies a file from one location to another.

asa1# copy disk0:MYCONTEXT.cfg startup-config

Copies the file MYCONTEXT.cfg from disk0 to the startup configuration.

Page 28:

Installing Application or ASDM Software Example

ciscoasa#
copy tftp://server[/path]/filename flash:/filename

Enables you to copy the application software or ASDM software to the flash file system from a TFTP server.

asa1# copy tftp://10.0.0.3/cisco/123file.bin flash:/123file.bin

Copies the file 123file.bin from the TFTP server at 10.0.0.3 to the security appliance.

asa1# copy tftp://www.example.com/cisco/123file.bin flash:/123file.bin

Copies the file 123file.bin from www.example.com to the security appliance.

Page 29:

Downloading and Backing Up Configuration Files Example

ciscoasa#
copy ftp://[user[:password]@]server[/path]/filename[;type=xx] startup-config

Copies the configuration file from an FTP server.

asa1# copy ftp://admin:[email protected]/configs/startup.cfg;type=an startup-config

ciscoasa#
copy {startup-config | running-config | disk0:[path/]filename} ftp://[user[:password]@]server[/path]/filename[;type=xx]

Copies the configuration file to an FTP server.

Page 30:

Image Upgrade and Activation Keys

Page 31:

Viewing Version Information

ciscoasa#
show version

Displays the software version, hardware configuration, license key, and related uptime data.

asa1# show version
Cisco Adaptive Security Appliance Software Version 7.2(1)
Device Manager Version 5.2(1)
Compiled on Wed 31-May-06 14:45 by root
System image file is "disk0:/asa721-k8.bin"
Config file at boot was "startup-config"
asa1 up 17 hours 40 mins . . .

Page 32:

Image Upgrade

ciscoasa#
copy tftp://server[/path]/filename flash:/filename

Enables you to change software images without accessing the TFTP monitor mode.

asa1# copy tftp://10.0.0.3/asa721-k8.bin flash

The TFTP server at IP address 10.0.0.3 receives the command and determines the actual file location from its root directory information. The server then downloads the image to the security appliance.

Page 33:

Entering a New Activation Key

ciscoasa(config)#
activation-key [noconfirm] {activation-key-four-tuple | activation-key-five-tuple}

Updates the activation key on the security appliance. Used to enable licensed features on the security appliance.

asa1(config)# activation-key 0x12345678 0xabcdef01 0x2345678ab 0xcdef01234

Page 34:

Upgrading the Image and the Activation Key

Complete the following steps to upgrade the image and the activation key at the same time:

Step 1: Install the new image.

Step 2: Reboot the system.

Step 3: Update the activation key.

Step 4: Reboot the system.

Page 35:

Troubleshooting the Activation Key Upgrade

Message: The activation key you entered is the same as the running key.
Problem and resolution: Either the activation key has already been upgraded or you need to enter a different key.

Message: The flash image and the running image differ.
Problem and resolution: Reboot the security appliance and re-enter the activation key.

Message: The activation key is not valid.
Problem and resolution: Either you made a mistake entering the activation key or you need to obtain a valid activation key.

Page 36:

Summary

Page 37:

Summary

– SSH provides secure remote management of the security appliance.

– TFTP is used to upgrade the software image on security appliances.

– You can configure the following types of command authorization:

  – Command authorization with password-protected privilege levels

  – Command authorization with username and password authentication

– The security appliance can be configured to permit multiple users to access its console simultaneously via Telnet.

– You can enable Telnet to the security appliance on all interfaces.

– Password recovery for the security appliance requires a TFTP server.
