Slide 1: CNIT 221 Security 2 ver.2, Module 8. City College of San Francisco, Spring 2007. © 2005 Cisco Systems, Inc. All rights reserved.

Slide 2: Network Security 2, Module 8 – PIX Security Appliance Contexts, Failover, and Management

Slide 3: Learning Objectives
- 8.1 Configure a PIX Security Appliance to Perform in Multiple Context Mode
- 8.2 Configure PIX Security Appliance Failover
- 8.3 Configure Transparent Firewall Mode
- 8.4 PIX Security Appliance Management

Slide 4: Module 8 – PIX Security Appliance Contexts, Failover, and Management. 8.1 Configure a PIX Security Appliance to Perform in Multiple Context Mode

Slide 5: Security Contexts

Slide 6: Common Uses for Security Contexts

Slide 7: Multiple Contexts Example

Slide 8: Context Configuration Files

Slide 9: Packet Classification

Slide 10: Backing up the Single Mode Configuration

Slide 11: Admin Context

Slide 12: Enabling Multiple Context Mode

Slide 13: Adding a Context

Slide 14: Removing a Context

Slide 15: Changing the Admin Context

Slide 16: Changing Between Contexts

Slide 17: Viewing Context Information

Slide 18: Module 8 – PIX Security Appliance Contexts, Failover, and Management. 8.2 Configure PIX Security Appliance Failover

Slide 19: Hardware Failover

Slide 20: Hardware and Stateful Failover

Slide 21: Failover Triggers. The unit can fail if one of the following events occurs:
- The unit has a hardware failure or a power failure.
- The unit has a software failure.
- Too many monitored interfaces fail.
- The "no failover active" command is entered on the active unit, or the "failover active" command is entered on the standby unit.

Slide 22: Failover Behavior

Slide 23: Failover Requirements

Slide 24: Failover Hardware Requirements. The two units in a failover configuration must have the same hardware configuration: they must be the same model, have the same number and types of interfaces, and have the same amount of RAM.

Slide 25: Software Requirements. The two units in a failover configuration must be in the same operating modes (routed or transparent, single or multiple context). They must have the same major (first number) and minor (second number) software version. However, you can use different versions of the software during an upgrade process; for example, you can upgrade one unit from Version 7.0(1) to Version 7.0(2) and have failover remain active.

Slide 26: License Requirements. On the PIX security appliance platform, at least one of the units must have an Unrestricted (UR) license. The other unit can have a Failover Only (FO) license, a Failover Only Active-Active (FO_AA) license, or another UR license. Units with a Restricted license cannot be used for failover, and two units with FO or FO_AA licenses cannot be used together as a failover pair. The FO and FO_AA licenses are intended solely for units in a failover configuration, not for units in standalone mode. If a failover unit with one of these licenses is used in standalone mode, the unit will reboot at least once every 24 hours until it is returned to failover duty.
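The hardware, software and license requirements on slides 24 to 26 can be checked mechanically before two units are paired. The Python below is an added example, not Cisco's own tooling; the Unit record, its field names, the violation strings and the constructed sample pair are this example's assumptions.

```python
import re
from dataclasses import dataclass

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)$")   # major.minor(maintenance), e.g. 7.0(1)

@dataclass(frozen=True)
class Unit:
    model: str
    interfaces: tuple      # interface types present, e.g. ("Ethernet", "Ethernet")
    ram_mb: int
    firewall_mode: str     # "routed" or "transparent"
    context_mode: str      # "single" or "multiple"
    version: str           # e.g. "7.0(1)"
    license: str           # "UR", "FO", "FO_AA" or "R"

def parse_version(text):
    """Split '7.0(2)' into (7, 0, 2); reject any other shape."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) for g in m.groups())

def license_pair_ok(a, b):
    """At least one UR; partner UR, FO or FO_AA; no Restricted; never FO with FO."""
    if a not in {"UR", "FO", "FO_AA"} or b not in {"UR", "FO", "FO_AA"}:
        return False          # Restricted (or unknown) license on either unit
    return "UR" in (a, b)     # two FO-type units are not a valid pair

def failover_problems(p, s):
    """Compare primary p with secondary s; an empty list means eligible."""
    problems = []
    if p.model != s.model:
        problems.append("different model")
    if sorted(p.interfaces) != sorted(s.interfaces):
        problems.append("different number or types of interfaces")
    if p.ram_mb != s.ram_mb:
        problems.append("different amount of RAM")
    if (p.firewall_mode, p.context_mode) != (s.firewall_mode, s.context_mode):
        problems.append("different operating mode")
    if parse_version(p.version)[:2] != parse_version(s.version)[:2]:
        problems.append("different major/minor software version")   # maintenance may differ mid-upgrade
    if not license_pair_ok(p.license, s.license):
        problems.append("license combination not valid for failover")
    return problems

# Constructed sample pair (not from the slides): a 7.0(1) -> 7.0(2) upgrade in progress.
PRIMARY = Unit("PIX 525", ("Ethernet",) * 3, 256, "routed", "single", "7.0(1)", "UR")
SECONDARY = Unit("PIX 525", ("Ethernet",) * 3, 256, "routed", "single", "7.0(2)", "FO")
```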

Slide 27: Failover Link. The two units in a failover pair constantly communicate over a failover link to determine the operating status of each unit. The following information is communicated over the failover link:
- The unit state (active or standby).
- Power status (cable-based failover only; available only on the Cisco PIX security appliance platform).
- Hello messages (keep-alives).
- Network link status.
- MAC address exchange.
- Configuration replication and synchronization.

Slide 28: Types of Failover Cabling

Slide 29: Serial Cable – Active/Standby Failover

Slide 30: LAN-Based Failover
- You can use any unused Ethernet interface on the device as the failover link.
- Provides long-distance failover functionality.
- Uses an Ethernet cable rather than the serial failover cable.
- The failover link interface is not configured as a normal networking interface; it exists only for failover communication.
- Requires a dedicated switch, hub, or VLAN.
- Uses message encryption and authentication to secure failover transmissions.

Slide 31: Serial Cable Failover
- The serial failover cable, or "cable-based failover," is only available on the PIX security appliance platform.
- The two units must be no more than six feet apart.
- The cable that connects the two units is a modified RS-232 serial link cable that transfers data at 117,760 bps (115 Kbps).
- One end of the cable is labeled "Primary". The unit attached to this end of the cable automatically becomes the primary unit. The other end of the cable is labeled "Secondary".

Slide 32: Stateful Failover. To use Stateful Failover, you must configure a Stateful Failover link to pass all state information. If you are using a dedicated Ethernet interface for the Stateful Failover link, you can use either a switch or a crossover cable to directly connect the units. If you use a switch, no other hosts or routers should be on this link.

Slide 33: Active/Active Failover

Slide 34: Active/Active Failover

Slide 35: Module 8 – PIX Security Appliance Contexts, Failover, and Management. 8.3 Configure Transparent Firewall Mode

Slide 36: Transparent Versus Routed Firewall

Slide 37: Transparent Firewall Benefits. Easily integrated and maintained in an existing network:
- IP readdressing is not necessary.
- No NAT to configure.
- No IP routing to troubleshoot.

Slide 38: Transparent Firewall Guidelines
- Layer 3 traffic must be explicitly permitted.
- Each directly connected network must be on the same subnet.
- A management IP address is required for each context, even if you do not intend to use Telnet to the context. The management IP address must be on the same subnet as the connected network.
- Do not specify the PIX management IP address as the default gateway for connected devices. Devices need to specify the router on the other side of the PIX as the default gateway.
- Each interface must be a different VLAN interface.
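The subnet, gateway and VLAN guidelines on slide 38 are easy to get wrong when planning a transparent-mode context. The Python below is an added example, not Cisco code, that checks a planned context against them; the argument layout, the violation strings and the constructed sample plan are this example's assumptions.

```python
import ipaddress

def transparent_mode_problems(mgmt_ip, connected_subnet, interfaces, device_gateways):
    """Return guideline violations for a transparent-mode context; empty means consistent.

    mgmt_ip          : the context's management IP address, e.g. "10.1.1.2"
    connected_subnet : the single subnet both sides of the PIX sit on, e.g. "10.1.1.0/24"
    interfaces       : mapping of interface name -> VLAN id
    device_gateways  : mapping of connected host name -> its configured default gateway
    """
    problems = []
    net = ipaddress.ip_network(connected_subnet, strict=True)
    mgmt = ipaddress.ip_address(mgmt_ip)

    # The management IP must be on the same subnet as the connected network.
    if mgmt not in net:
        problems.append(f"management IP {mgmt} is not in {net}")

    # Each interface must be a different VLAN interface.
    seen = {}
    for name, vlan in interfaces.items():
        if vlan in seen:
            problems.append(f"{name} shares VLAN {vlan} with {seen[vlan]}")
        else:
            seen[vlan] = name

    # Connected devices must point at the router on the far side of the PIX,
    # never at the PIX management address; that router is on the same subnet.
    for host, gw in device_gateways.items():
        gw_addr = ipaddress.ip_address(gw)
        if gw_addr == mgmt:
            problems.append(f"{host} uses the PIX management IP as its default gateway")
        elif gw_addr not in net:
            problems.append(f"{host} default gateway {gw_addr} is outside {net}")
    return problems

# Constructed sample plan (not from the slides): inside and outside bridged on one /24,
# with host-b wrongly pointed at the PIX management address.
SAMPLE = dict(mgmt_ip="10.1.1.2", connected_subnet="10.1.1.0/24",
              interfaces={"inside": 10, "outside": 20},
              device_gateways={"host-a": "10.1.1.1", "host-b": "10.1.1.2"})

def sample_problems():
    return transparent_mode_problems(**SAMPLE)
```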

Slide 39: Unsupported Features. The following features are not supported in transparent firewall mode:
- NAT
- Dynamic routing protocols
- IPv6
- DHCP relay
- Quality of Service
- Multicast
- VPN termination for through traffic

Slide 40: View the Current Firewall Mode

Slide 41: Enable Transparent Firewall Mode

Slide 42: Assigning the Management IP Address

Slide 43: Configure ACLs

Slide 44: ARP Inspection

Slide 45: MAC Address Table

Slide 46: Disable MAC Address Learning

Slide 47: Adding a Static MAC Address

Slide 48: Viewing the MAC Address Table

Slide 49: debug Commands

Slide 50: Module 8 – PIX Security Appliance Contexts, Failover, and Management. 8.4 PIX Security Appliance Management

Slide 51: Configure Telnet Access

Slide 52: SSH Connections to the PIX. SSH connections to the PIX Security Appliance:
- Provide secure remote access.
- Provide strong authentication and encryption.
- Require RSA key pairs for the PIX.
- Require AES or 3DES activation keys.
- Allow up to five SSH clients to simultaneously access the PIX console.
- Use the Telnet password for local authentication.

Slide 53: SSH Connections

Slide 54: Command Authorization Overview. The purpose of command authorization is to securely and efficiently administer the PIX Security Appliance. It has the following types:
- Enable-level command authorization with passwords
- Command authorization using the local user database
- Command authorization using ACS

Slide 55: Create and Password Protect Privilege Levels

Slide 56: Configuring Command Authorization

Slide 57: Viewing Command Authorization Configuration

Slide 58: Password Recovery ASA

Slide 59: Viewing Directory Contents

Slide 60: Viewing File Contents

Slide 61: Directory Management

Slide 62: Copying Files

Slide 63: Installing Software

Slide 64: File Backup

Slide 65: Viewing Version Information

Slide 66: Image Upgrade

Slide 67: Entering a New Activation Key

Slide 68: Upgrading the Image and Activation Key. Complete the following steps to upgrade the image and the activation key at the same time:
- Step 1: Install the new image.
- Step 2: Reboot the system.
- Step 3: Update the activation key.
- Step 4: Reboot the system.

Slide 69: Troubleshooting the Activation Key Upgrade