© 2006 Cisco Systems, Inc. All rights reserved. Network Security 2 Module 8 – PIX Security Appliance Contexts, Failover, and Management.



Slide 2: Lesson 8.4 PIX Security Appliance Management (Module 8 – PIX Security Appliance Contexts, Failover, and Management)

Slide 3: Managing System Access
© 2007 Cisco Systems, Inc. All rights reserved. SNPA v

Slide 4: Configuring Telnet Access to the Security Appliance Console

  ciscoasa(config)# telnet {{hostname | IP_address mask interface_name} | {IPv6_address interface_name} | {timeout number}}
  Enables you to specify which hosts can access the security appliance console with Telnet, and to set the maximum time a console Telnet session can be idle before the security appliance logs it off.

  ciscoasa(config)# passwd password [encrypted]
  Sets the password for Telnet access to the security appliance.

  Example:
  asa1(config)# telnet inside
  asa1(config)# telnet timeout 15
  asa1(config)# passwd telnetpass

  [Figure: Telnet client on the Internet connecting to the security appliance console]

Slide 5: Viewing and Disabling Telnet

  ciscoasa# who [local_ip]
  Enables you to view which IP addresses are currently accessing the security appliance console via Telnet.

  ciscoasa# kill telnet_id
  Terminates a Telnet session.

  ciscoasa# show running-config telnet [timeout]
  Displays the IP addresses permitted to access the security appliance via Telnet.

  ciscoasa(config)# clear configure telnet
  Removes the Telnet connection and the idle timeout from the configuration.

Slide 6: SSH Connections to the Security Appliance

SSH connections to the security appliance:
  – Provide secure remote access
  – Provide strong authentication and encryption
  – Require RSA key pairs for the security appliance
  – Require 3DES/AES or DES activation keys
  – Allow up to five SSH clients to simultaneously access the security appliance console
  – Use the Telnet password for local authentication

Slide 7: Configuring SSH Access to the Security Appliance Console

  ciscoasa(config)# crypto key zeroize {rsa | dsa} [label key-pair-label] [default] [noconfirm]
  Removes any previously generated RSA keys.

  ciscoasa(config)# write memory
  Saves the CA state.

  ciscoasa(config)# domain-name name
  Configures the domain name.

  ciscoasa(config)# crypto key generate rsa [usage-keys | general-keys] [label key-pair-label] [modulus size] [noconfirm]
  Generates an RSA key pair.

  ciscoasa(config)# ssh {ip_address mask | ipv6_address/prefix} interface
  Specifies the host or network authorized to initiate an SSH connection.

  ciscoasa(config)# ssh timeout number
  Specifies how long a session can be idle before being disconnected.

Slide 8: Connecting to the Security Appliance with an SSH Client

  asa1(config)# crypto key zeroize rsa
  asa1(config)# write memory
  asa1(config)# domain-name cisco.com
  asa1(config)# crypto key generate rsa modulus 1024
  asa1(config)# write memory
  asa1(config)# ssh outside
  asa1(config)# ssh timeout

  [Figure: SSH client on the Internet logging in to asa1 – username: pix, password: telnetpassword]

Slide 9: Viewing, Disabling, and Debugging SSH

  ciscoasa# show ssh sessions [ip_address]
  Enables you to view the status of your SSH sessions.

  ciscoasa# ssh disconnect session_id
  Disconnects an SSH session.

  ciscoasa(config)# clear configure ssh
  Removes all SSH command statements from the configuration.

  ciscoasa(config)# debug ssh
  Enables SSH debugging.
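The Telnet and SSH statements on slides 4 to 9 are the lines an auditor looks at first when reviewing a saved configuration. The script below is an added example, not part of the course material and not Cisco's code: it parses the telnet, ssh and timeout lines of an ASA/PIX-style running-config and reports cleartext Telnet access, any-host access, long idle timeouts, and SSH logins that still rely on the shared Telnet password because no "aaa authentication ssh console" statement is present (slide 6 and slide 18). The sample configurations, the addresses and interface names in them, and the 10-minute idle ceiling are constructed assumptions.

```python
"""Audit the management-access lines of an ASA/PIX-style running-config.

Added example for lesson 8.4; not Cisco's code. The sample configs and
the idle-timeout ceiling below are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample running-config (addresses and interfaces are made up).
SAMPLE_CONFIG = """\
hostname asa1
domain-name example.com
passwd telnetpass
telnet 10.0.1.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 dmz
telnet timeout 30
ssh 10.0.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
"""

# Constructed hardened variant: SSH only, one admin host, local AAA for SSH.
HARDENED_CONFIG = """\
ssh 10.0.1.5 255.255.255.255 inside
ssh timeout 5
aaa authentication ssh console LOCAL
"""

MAX_IDLE_MINUTES = 10  # assumption: local policy ceiling for console idle time

TELNET_RE = re.compile(r"^telnet (\S+) (\S+) (\S+)$")
SSH_RE = re.compile(r"^ssh (\S+) (\S+) (\S+)$")
TIMEOUT_RE = re.compile(r"^(telnet|ssh) timeout (\d+)$")


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low"
    line: str       # the config line that triggered the finding
    reason: str


def is_any_host(ip, mask):
    """True when ip/mask covers every address (0.0.0.0 0.0.0.0)."""
    try:
        return ipaddress.ip_network(f"{ip}/{mask}", strict=False).prefixlen == 0
    except ValueError:
        return False


def audit(config_text):
    """Return a list of Findings for the telnet/ssh/aaa lines in config_text."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    findings = []
    ssh_enabled = False
    for line in lines:
        m = TELNET_RE.match(line)
        if m:
            ip, mask, iface = m.groups()
            if is_any_host(ip, mask):
                findings.append(Finding("high", line,
                    f"Telnet console access allowed from any host on {iface}"))
            else:
                findings.append(Finding("medium", line,
                    f"Telnet (cleartext) console access enabled on {iface}"))
            continue
        m = SSH_RE.match(line)
        if m:
            ssh_enabled = True
            ip, mask, iface = m.groups()
            if is_any_host(ip, mask):
                findings.append(Finding("medium", line,
                    f"SSH console access allowed from any host on {iface}"))
            continue
        m = TIMEOUT_RE.match(line)
        if m and int(m.group(2)) > MAX_IDLE_MINUTES:
            findings.append(Finding("low", line,
                f"{m.group(1)} idle timeout exceeds {MAX_IDLE_MINUTES} minutes"))
    if not ssh_enabled:
        findings.append(Finding("medium", "<none>",
            "no ssh statement: console is reachable only by Telnet or the serial port"))
    elif not any(l.startswith("aaa authentication ssh console") for l in lines):
        findings.append(Finding("medium", "<none>",
            "SSH logins use the shared Telnet password (passwd); "
            "no 'aaa authentication ssh console' statement"))
    return findings


def severities(config_text):
    """Sorted severities of all findings, convenient for quick comparisons."""
    return sorted(f.severity for f in audit(config_text))


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f.severity:6}] {f.reason}  ({f.line})")
```

Run against SAMPLE_CONFIG the audit reports one high (Telnet from any host on dmz), one low (30-minute Telnet timeout) and three medium findings; HARDENED_CONFIG produces none. The regular expressions only match the exact three-token forms shown on the slides, so a hostname form or an IPv6 statement would need a further pattern.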

Slide 10: Managing User Access Levels

Slide 11: Command Authorization Overview

The purpose of command authorization is to securely and efficiently administer the security appliance. You can configure the following types of command authorization:
  – Command authorization with password-protected privilege levels
  – Command authorization with username and password authentication

Slide 12: Command Authorization with Password-Protected Privilege Levels

The following tasks are required to configure command authorization with password-protected privilege levels:
  – Use the enable command to create privilege levels and assign passwords to them.
  – Use the privilege command to assign specific commands to privilege levels.
  – Use the aaa authorization command to enable the command authorization feature.

Users must complete the following steps to use command authorization with password-protected privilege levels:
  – Use the enable command with the level option to access the desired privilege level.
  – Provide the password for the privilege level when prompted.

The user can then execute any command assigned to that privilege level or to a lower privilege level.

Slide 13: Configuring Command Authorization with Password-Protected Privilege Levels

  ciscoasa(config)# enable password password [level level] [encrypted]
  Creates and password-protects privilege levels by configuring enable passwords for the various privilege levels.

  ciscoasa> enable [level]
  Provides access to a particular privilege level from the > prompt.

  Example:
  asa1(config)# enable password Passw0rD level 10

  asa1> enable 10
  Password: Passw0rD
  asa1#

  [Figure: administrator on the Internet entering "enable 10" and the level-10 password on asa1]

Slide 14: Configuring Command Authorization with Password-Protected Privilege Levels (Cont.)

  ciscoasa(config)# privilege [show | clear | configure] level level [mode command_mode] command command
  Configures user-defined privilege levels for security appliance commands.

  ciscoasa(config)# aaa authorization command {LOCAL | server-tag [LOCAL]}
  Enables command authorization.

  Example:
  asa1(config)# enable password Passw0rD level 10
  asa1(config)# privilege show level 8 command access-list
  asa1(config)# privilege configure level 10 command access-list
  asa1(config)# aaa authorization command LOCAL

  ciscoasa> enable 10
  Password: Passw0rD
  ciscoasa# config t
  ciscoasa(config)# access-list ...

Slide 15: Command Authorization with Username and Password Authentication

The following tasks are required to configure command authorization with username and password authentication:
  – Use the privilege command to assign specific commands to privilege levels.
  – Use the username command to create user accounts in the local user database and assign privilege levels to the accounts.
  – Use the aaa authorization command to enable command authorization.
  – Use the aaa authentication command to enable authentication using the local database.

Slide 16: Command Authorization with Username and Password Authentication

Users must complete one of the following tasks to use command authorization with username and password authentication:
  – Enter the login command at the > prompt and log in with a username and password.
  – Enter the enable command at the > prompt and log in with a username and password.

The user can then execute any command assigned to the same privilege level as the user account or to a lower privilege level.

Slide 17: Configuring Command Authorization with Username and Password Authentication

  ciscoasa(config)# username name {nopassword | password password [mschap | encrypted | nt-encrypted]} [privilege priv_level]
  Creates a user account in the local database. Can be used to configure a privilege level for the user account.

  Example:
  asa1(config)# username admin password passw0rd privilege 15
  asa1(config)# username kenny password chickadee privilege 10

  [Figure: resulting local database – admin / passw0rd / 15; kenny / chickadee / 10]

Slide 18: Configuring Command Authorization with Username and Password Authentication (Cont.)

  ciscoasa(config)# aaa authentication {serial | enable | telnet | ssh | http} console {server-tag [LOCAL] | LOCAL}
  Enables you to configure authentication with the local database.

  Example (configures command authorization with username and password authentication using the local database):
  asa1(config)# privilege configure level 10 command access-list
  asa1(config)# username kenny password chickadee privilege 10
  asa1(config)# aaa authorization command LOCAL
  asa1(config)# aaa authentication enable console LOCAL

  ciscoasa> login
  Username: kenny
  Password: chickadee
  ciscoasa# config t
  ciscoasa(config)# access-list

Slide 19: Viewing Your Command Authorization Configuration

  ciscoasa# show running-config [all] privilege [all | command command | level level]
  Displays the privilege levels assigned to commands, that is, the privileges for a command or set of commands.

  ciscoasa# show curpriv
  Displays the user account that is currently logged in.

  [Figure: security appliance between the Internet and a TACACS+ server]

Slide 20: Lockout

You can lock yourself out of the security appliance by:
  – Configuring authentication using the local database without configuring any user accounts in the local database
  – Configuring command authorization using a TACACS+ server if the TACACS+ server is unavailable, down, or misconfigured

Do not save your command authorization configuration until you are sure it works as intended.

  [Figure: TACACS+ server marked unreachable (X) and an empty local database (X)]
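Slides 12 to 20 describe one rule (a user at privilege level L may run any command assigned to level L or lower, once "aaa authorization command" is enabled) and two ways to lock yourself out. The model below is an added example written for this transcript; it is not Cisco's implementation. It replays the configuration entered on slides 14, 17 and 18 and then answers "may this user run this command?" and "does this configuration risk a lockout?". The "auditor" account, the default level of 15 for commands with no privilege entry, and the server_reachable flag standing in for TACACS+ availability are constructed assumptions.

```python
"""Model of PIX/ASA local command authorization and lockout conditions.

Added example for lesson 8.4 (slides 12-20); not Cisco's code. The
DEFAULT_COMMAND_LEVEL, the auditor account and the server_reachable flag
are assumptions of this model, not facts from the slides.
"""
from dataclasses import dataclass, field
from typing import Optional

DEFAULT_COMMAND_LEVEL = 15  # assumption: commands with no privilege entry need level 15


@dataclass
class Appliance:
    # (mode, command) -> minimum level, from "privilege <mode> level N command <cmd>"
    privileges: dict = field(default_factory=dict)
    # username -> (password, level), from "username <name> password <pw> privilege N"
    users: dict = field(default_factory=dict)
    # level -> password, from "enable password <pw> level N"
    enable_passwords: dict = field(default_factory=dict)
    authz_server: Optional[str] = None   # server-tag from "aaa authorization command"
    authz_local: bool = False            # LOCAL named, alone or as fallback
    authn_local: bool = False            # "aaa authentication enable console LOCAL"
    server_reachable: bool = True        # constructed: stands in for TACACS+ availability

    def privilege(self, mode, level, command):
        self.privileges[(mode, command)] = level

    def username(self, name, password, level):
        self.users[name] = (password, level)

    def aaa_authorization_command(self, *args):
        """Accepts 'LOCAL' or '<server-tag> [LOCAL]', the syntax shown on slide 14."""
        self.authz_server = None if args[0] == "LOCAL" else args[0]
        self.authz_local = "LOCAL" in args

    def login(self, name, password):
        """'login' at the > prompt: the account's privilege level, or None on failure."""
        stored = self.users.get(name)
        if stored is None or stored[0] != password:
            return None
        return stored[1]

    def enable(self, level, password):
        """'enable <level>' at the > prompt: the level reached, or None on failure."""
        return level if self.enable_passwords.get(level) == password else None

    def required_level(self, mode, command):
        return self.privileges.get((mode, command), DEFAULT_COMMAND_LEVEL)

    def authorized(self, user_level, mode, command):
        """Command authorization: permit when the command's level <= the user's level."""
        if not (self.authz_server or self.authz_local):
            return True  # no "aaa authorization command": assigned levels are not enforced
        if self.authz_server and not self.server_reachable and not self.authz_local:
            return False  # server down and no LOCAL fallback: every command is denied
        return user_level >= self.required_level(mode, command)

    def lockout_risks(self):
        """The two lockout conditions listed on the Lockout slide."""
        risks = []
        if self.authn_local and not self.users:
            risks.append("local authentication enabled but the local database has no user accounts")
        if self.authz_server and not self.authz_local:
            risks.append(f"command authorization depends on server '{self.authz_server}' with no LOCAL fallback")
        return risks


def build_slide_example():
    """Replays the configuration from slides 14, 17 and 18, plus a constructed level-8 account."""
    asa = Appliance()
    asa.enable_passwords[10] = "Passw0rD"
    asa.privilege("show", 8, "access-list")
    asa.privilege("configure", 10, "access-list")
    asa.username("admin", "passw0rd", 15)
    asa.username("kenny", "chickadee", 10)
    asa.username("auditor", "r3adOnly", 8)   # constructed, not on the slides
    asa.aaa_authorization_command("LOCAL")
    asa.authn_local = True                   # aaa authentication enable console LOCAL
    return asa


if __name__ == "__main__":
    asa = build_slide_example()
    for user in ("kenny", "auditor"):
        level = asa.users[user][1]
        for mode, cmd in (("show", "access-list"), ("configure", "access-list"), ("configure", "username")):
            verdict = "permit" if asa.authorized(level, mode, cmd) else "deny"
            print(f"{user} (level {level}) {mode} {cmd}: {verdict}")
    print("lockout risks:", asa.lockout_risks() or "none")
```

With the slide configuration, kenny (level 10) may show and configure access-list but not run a level-15 command, the level-8 auditor may only show it, and lockout_risks() is empty because the local database is populated and authorization is LOCAL. Pointing authorization at a server tag without the LOCAL fallback reproduces the second lockout condition: with the server unreachable every command is denied.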

Slide 21: Password Recovery for the Cisco ASA Security Appliance

  ciscoasa(config)# service password-recovery
  Enables password recovery. On by default.

  Example:
  asa1(config)# no service password-recovery
  WARNING: Executing "no service password-recovery" has disabled the password recovery mechanism and disabled access to ROMMON. The only means of recovering from lost or forgotten passwords will be for ROMMON to erase all file systems including configuration files and images. You should make a backup of your configuration and have a mechanism to restore images from the ROMMON command line

  [Figure: administrator on the Internet who has forgotten the password]

Slide 22: Password Recovery for the Cisco PIX Security Appliance

  1. Download the following file from Cisco.com: npXX.bin, where XX is the Cisco PIX security appliance image version number.
  2. Reboot the system and break the boot process when prompted to go into monitor mode.
  3. Set the interface, IP address, gateway, server, and file to access the previously downloaded image via TFTP.
  4. Follow the directions displayed.

Slide 23: Managing Software, Licenses, and Configurations

Slide 24: Viewing Directory Contents

  ciscoasa# dir [/all] [/recursive] [all-filesystems | [disk0: | disk1: | flash: | system:] path]
  Displays the directory contents.

  Example:
  asa1# dir
  Directory of disk0:/
  rw :01:10 Oct asa721-k8.bin
  rw :30:39 Oct asdm521.bin
  rw :03:57 Oct old_running.cfg
  bytes total ( bytes free)

You can use the pwd command to display the current working directory.

Slide 25: Viewing File Contents

  ciscoasa# more [/ascii | /binary | /ebcdic | disk0: | disk1: | flash: | ftp: | http: | https: | system: | tftp:] filename
  Displays the contents of a file.

  Example:
  asa1# more ctx1.cfg
  : Saved
  : Written by enable_15 at 14:12: UTC Sat Oct
  !
  ASA Version 7.2(1)
  !
  hostname CTX1
  enable password 8Ry2YjIyt7RRXU24 encrypted

Slide 26: Directory Management

  ciscoasa# mkdir [/noconfirm] [disk0: | disk1: | flash:]path
  Creates a new directory.

  ciscoasa# rmdir [/noconfirm] [disk0: | disk1: | flash:]path
  Removes a directory.

  ciscoasa# cd [disk0: | disk1: | flash:][path]
  Changes the current working directory to the one specified.

Slide 27: Copying Files

  ciscoasa# copy [/noconfirm | /pcap] {url | running-config | startup-config} {running-config | startup-config | url}
  Copies a file from one location to another.

  Example:
  asa1# copy disk0:MYCONTEXT.cfg startup-config
  Copies the file MYCONTEXT.cfg from disk0 to the startup configuration.

Slide 28: Installing Application or ASDM Software Example

  ciscoasa# copy tftp://server[/path]/filename flash:/filename
  Enables you to copy the application software or ASDM software to the flash file system from a TFTP server.

  Example:
  asa1# copy tftp://www.example.com/cisco/123file.bin flash:/123file.bin
  asa1# copy tftp:// /cisco/123file.bin flash:/123file.bin
  Copies the file 123file.bin from the TFTP server to the security appliance.

  [Figure: ASDM workstation and TFTP server reachable across the Internet]

Slide 29: Downloading and Backing Up Configuration Files Example

  ciscoasa# copy /filename[;type=xx] startup-config
  Copies the configuration file from an FTP server.

  ciscoasa# copy {startup-config | running-config | disk0:[path/]filename}
  Copies the configuration file to an FTP server.

  Example:
  asa1# copy startup-config

  [Figure: FTP server holding the configuration file, reachable across the Internet]

Slide 30: Image Upgrade and Activation Keys

Slide 31: Viewing Version Information

  ciscoasa# show version
  Displays the software version, hardware configuration, license key, and related uptime data.

  Example:
  asa1# show version
  Cisco Adaptive Security Appliance Software Version 7.2(1)
  Device Manager Version 5.2(1)
  Compiled on Wed 31-May-06 14:45 by root
  System image file is disk0:/asa721-k8.bin
  Config file at boot was startup-config
  asa1 up 17 hours 40 mins
  ...

Slide 32: Image Upgrade

  ciscoasa# copy tftp://server[/path]/filename flash:/filename
  Enables you to change software images without accessing the TFTP monitor mode. The TFTP server at the given IP address receives the command and determines the actual file location from its root directory information. The server then downloads the TFTP image to the security appliance.

  Example:
  asa1# copy tftp:// /asa721-k8.bin flash

Slide 33: Entering a New Activation Key

  ciscoasa(config)# activation-key [noconfirm] {activation-key-four-tuple | activation-key-five-tuple}
  Updates the activation key on the security appliance. Used to enable licensed features on the security appliance.

  Example:
  asa1(config)# activation-key 0x xabcdef01 0x ab 0xcdef

Slide 34: Upgrading the Image and the Activation Key

Complete the following steps to upgrade the image and the activation key at the same time:
  Step 1: Install the new image.
  Step 2: Reboot the system.
  Step 3: Update the activation key.
  Step 4: Reboot the system.

Slide 35: Troubleshooting the Activation Key Upgrade

  Message: The activation key you entered is the same as the running key.
  Problem and resolution: Either the activation key has already been upgraded or you need to enter a different key.

  Message: The flash image and the running image differ.
  Problem and resolution: Reboot the security appliance and re-enter the activation key.

  Message: The activation key is not valid.
  Problem and resolution: Either you made a mistake entering the activation key or you need to obtain a valid activation key.

Slide 36: Summary

Slide 37: Summary

  – SSH provides secure remote management of the security appliance.
  – TFTP is used to upgrade the software image on security appliances.
  – You can configure the following types of command authorization:
      – Command authorization with password-protected privilege levels
      – Command authorization with username and password authentication
  – The security appliance can be configured to permit multiple users to access its console simultaneously via Telnet.
  – You can enable Telnet to the security appliance on all interfaces.
  – Password recovery for the security appliance requires a TFTP server.


