© 2006 Cisco Systems, Inc. All rights reserved.
Network Security 2
Module 8 – PIX Security Appliance Contexts, Failover, and Management
Lesson 8.4 PIX Security Appliance Management
Module 8 – PIX Security Appliance Contexts, Failover, and Management
© 2007 Cisco Systems, Inc. All rights reserved. SNPA v5.0—16-3
Managing System Access
Configuring Telnet Access to the Security Appliance Console

ciscoasa(config)#
telnet {{hostname | IP_address mask interface_name} | {IPv6_address interface_name} | {timeout number}}
Enables you to specify which hosts can access the security appliance console with Telnet and set the maximum time a console Telnet session can be idle before being logged off by the security appliance.

ciscoasa(config)#
passwd password [encrypted]
Sets the password for Telnet access to the security appliance.

asa1(config)# telnet 10.0.0.11 255.255.255.255 inside
asa1(config)# telnet timeout 15
asa1(config)# passwd telnetpass

[Diagram: Telnet session from host 10.0.0.11 to the security appliance; Internet cloud on the far side.]
Viewing and Disabling Telnet

ciscoasa#
show running-config telnet [timeout]
Displays IP addresses permitted to access the security appliance via Telnet.

ciscoasa#
who [local_ip]
Enables you to view which IP addresses are currently accessing the security appliance console via Telnet.

ciscoasa#
kill telnet_id
Terminates a Telnet session.

ciscoasa(config)#
clear configure telnet
Removes the Telnet connection and the idle timeout from the configuration.
SSH Connections to the Security Appliance

SSH connections to the security appliance:
– Provide secure remote access
– Provide strong authentication and encryption
– Require RSA key pairs for the security appliance
– Require 3DES/AES or DES activation keys
– Allow up to five SSH clients to simultaneously access the security appliance console
– Use the Telnet password for local authentication
Configuring SSH Access to the Security Appliance Console

ciscoasa(config)#
crypto key zeroize {rsa | dsa} [label key-pair-label] [default] [noconfirm]
Removes any previously generated RSA keys.

ciscoasa(config)#
write memory
Saves the CA state.

ciscoasa(config)#
domain-name name
Configures the domain name.

ciscoasa(config)#
crypto key generate rsa [usage-keys | general-keys] [label key-pair-label] [modulus size] [noconfirm]
Generates an RSA key pair.

ciscoasa(config)#
ssh {ip_address mask | ipv6_address/prefix} interface
Specifies the host or network authorized to initiate an SSH connection.

ciscoasa(config)#
ssh timeout number
Specifies how long a session can be idle before being disconnected.
Connecting to the Security Appliance with an SSH Client

asa1(config)# crypto key zeroize rsa
asa1(config)# write memory
asa1(config)# domain-name cisco.com
asa1(config)# crypto key generate rsa modulus 1024
asa1(config)# write memory
asa1(config)# ssh 172.26.26.50 255.255.255.255 outside
asa1(config)# ssh timeout 30

[Diagram: SSH client at 172.26.26.50, across the Internet, logs in with username pix and password telnetpassword.]
Viewing, Disabling, and Debugging SSH

ciscoasa#
show ssh sessions [ip_address]
Enables you to view the status of your SSH sessions.

ciscoasa#
ssh disconnect session_id
Disconnects an SSH session.

ciscoasa(config)#
clear configure ssh
Removes all SSH command statements from the configuration.

ciscoasa(config)#
debug ssh
Enables SSH debugging.
Managing User Access Levels
Command Authorization Overview

The purpose of command authorization is to securely and efficiently administer the security appliance. You can configure the following types of command authorization:
– Command authorization with password-protected privilege levels
– Command authorization with username and password authentication
Command Authorization with Password-Protected Privilege Levels
The following tasks are required to configure command authorization with password-protected privilege levels:
– Use the enable command to create privilege levels and assign passwords to them.
– Use the privilege command to assign specific commands to privilege levels.
– Use the aaa authorization command to enable the command authorization feature.
Users must complete the following steps to use command authorization with password-protected privilege levels:
– Use the enable command with the level option to access the desired privilege level.
– Provide the password for the privilege level when prompted.
The user can then execute any command assigned to that privilege level or to a lower privilege level.
Configuring Command Authorization with Password-Protected Privilege Levels

ciscoasa(config)#
enable password password [level level] [encrypted]
Creates and password-protects privilege levels by configuring enable passwords for the various privilege levels.

asa1(config)# enable password Passw0rD level 10

ciscoasa>
enable [level]
Provides access to a particular privilege level from the > prompt.

asa1> enable 10
Password: Passw0rD
asa1#

[Diagram: administrator at 10.0.0.11 enters "enable 10" and the level-10 password across the Internet.]
Configuring Command Authorization with Password-Protected Privilege Levels (Cont.)

ciscoasa(config)#
privilege [show | clear | configure] level level [mode command_mode] command command
Configures user-defined privilege levels for security appliance commands.

ciscoasa(config)#
aaa authorization command {LOCAL | server-tag [LOCAL]}
Enables command authorization.

asa1(config)# enable password Passw0rD level 10
asa1(config)# privilege show level 8 command access-list
asa1(config)# privilege configure level 10 command access-list
asa1(config)# aaa authorization command LOCAL

ciscoasa> enable 10
Password: Passw0rD
ciscoasa# config t
ciscoasa(config)# access-list . . .
Command Authorization with Username and Password Authentication
The following tasks are required to configure command authorization with username and password authentication:
– Use the privilege command to assign specific commands to privilege levels.
– Use the username command to create user accounts in the local user database and assign privilege levels to the accounts.
– Use the aaa authorization command to enable command authorization.
– Use the aaa authentication command to enable authentication using the local database.
Command Authorization with Username and Password Authentication
Users must complete one of the following tasks to use command authorization with username and password authentication:
– Enter the login command at the > prompt and log in with a username and password.
– Enter the enable command at the > prompt and log in with a username and password.
The user can then execute any command assigned to the same privilege level as the user account or to a lower privilege level.
Configuring Command Authorization with Username and Password Authentication

ciscoasa(config)#
username name {nopassword | password password [mschap | encrypted | nt-encrypted]} [privilege priv_level]
Creates a user account in the local database. Can be used to configure a privilege level for the user account.

asa1(config)# username admin password passw0rd privilege 15
asa1(config)# username kenny password chickadee privilege 10

[Diagram: management host 10.0.0.11 across the Internet; the appliance's local database holds admin / passw0rd / 15 and kenny / chickadee / 10.]
Configuring Command Authorization with Username and Password Authentication (Cont.)

ciscoasa(config)#
aaa authentication {serial | enable | telnet | ssh | http} console {server-tag [LOCAL] | LOCAL}
Enables you to configure authentication with the local database.

Configures command authorization with username and password authentication using the local database:
asa1(config)# privilege configure level 10 command access-list
asa1(config)# username kenny password chickadee privilege 10
asa1(config)# aaa authorization command LOCAL
asa1(config)# aaa authentication enable console LOCAL

ciscoasa> login
Username: kenny
Password: chickadee
ciscoasa# config t
ciscoasa(config)# access-list . . .

[Diagram: management host 10.0.0.11 across the Internet.]
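The authorization rule stated on the preceding slides (a user may run any command assigned to the same privilege level as the user account or to a lower one) is easy to get wrong when several `privilege` lines assign different levels to the show and configure forms of the same command. The Python model below is an added example, not Cisco's code and not part of this lesson: it parses `privilege` and `username` lines in the form the slides use and answers "may this user run this command in this mode?". Two values are assumptions of the model and not taken from the page: a command with no `privilege` assignment is treated as requiring level 15, and a `username` without the privilege keyword is treated as level 2.

```python
"""Model of PIX/ASA command authorization with privilege levels (added example)."""
import re
from dataclasses import dataclass, field

PRIVILEGE_RE = re.compile(
    r"^privilege\s+(?P<mode>show|clear|configure)\s+level\s+(?P<level>\d+)"
    r"(?:\s+mode\s+(?P<cmdmode>\S+))?\s+command\s+(?P<command>\S+)$"
)
USERNAME_RE = re.compile(
    r"^username\s+(?P<name>\S+)\s+"
    r"(?:nopassword|password\s+\S+(?:\s+(?:mschap|encrypted|nt-encrypted))?)"
    r"(?:\s+privilege\s+(?P<level>\d+))?$"
)

# Assumption of this model (not stated on the page): a command with no
# `privilege` line requires full privilege.
UNASSIGNED_LEVEL = 15
# Assumption of this model (not stated on the page): a `username` line without
# the privilege keyword gets level 2.
DEFAULT_USER_LEVEL = 2


@dataclass
class AuthzTable:
    levels: dict = field(default_factory=dict)  # (mode, command) -> level
    users: dict = field(default_factory=dict)   # username -> level

    def load(self, config_text):
        """Collect privilege assignments and local user accounts from config text."""
        for raw in config_text.splitlines():
            line = raw.strip()
            m = PRIVILEGE_RE.match(line)
            if m:
                self.levels[(m["mode"], m["command"])] = int(m["level"])
                continue
            m = USERNAME_RE.match(line)
            if m:
                self.users[m["name"]] = int(m["level"]) if m["level"] else DEFAULT_USER_LEVEL
        return self

    def required_level(self, mode, command):
        return self.levels.get((mode, command), UNASSIGNED_LEVEL)

    def may_run(self, user, mode, command):
        """The lesson's rule: allowed when the user's level >= the command's level."""
        if user not in self.users:
            return False
        return self.users[user] >= self.required_level(mode, command)


# Constructed configuration using the lesson's example values plus two extra accounts.
SAMPLE_CONFIG = """
privilege show level 8 command access-list
privilege configure level 10 command access-list
username admin password passw0rd privilege 15
username kenny password chickadee privilege 10
username guest password guestpw privilege 5
username bob password secret
"""


def build_sample():
    return AuthzTable().load(SAMPLE_CONFIG)


if __name__ == "__main__":
    table = build_sample()
    for user in ("admin", "kenny", "guest", "bob"):
        for mode in ("show", "configure"):
            print(f"{user:6} {mode:9} access-list -> {table.may_run(user, mode, 'access-list')}")
```

Note that kenny (level 10) can both show and configure access-list, while guest (level 5) can do neither, because the show form was assigned level 8, above guest's level.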
Viewing Your Command Authorization Configuration

ciscoasa#
show running-config [all] privilege [all | command command | level level]
Displays the privilege levels assigned to a command or set of commands.

ciscoasa#
show curpriv
Displays the user account that is currently logged in.

[Diagram: management host 10.0.0.11, TACACS+ server 10.0.0.2, Internet.]
Lockout

You can lock yourself out of the security appliance by:
– Configuring authentication using the local database without configuring any user accounts in the local database
– Configuring command authorization using a TACACS+ server if the TACACS+ server is unavailable, down, or misconfigured

Do not save your command authorization configuration until you are sure it works as intended.

[Diagram: management host 10.0.0.11 cannot log in: the TACACS+ server 10.0.0.2 and the (empty) local database are both marked X; Internet.]
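Because the lesson's advice is to test a command-authorization configuration before saving it, a pre-flight check over the intended configuration text catches both lockout conditions above before `write memory`. The script below is an added example, not Cisco's code and not part of this course: it lints the `aaa authentication ... console`, `aaa authorization command`, `username` and `telnet` lines described in this lesson. The configurations it runs against are constructed samples (the lesson's working example and two deliberately broken variants); the server tag MYTACACS is an invented name.

```python
"""Pre-flight lockout check for a PIX/ASA command-authorization config (added example)."""
import re

AAA_AUTH_RE = re.compile(
    r"^aaa authentication (?P<method>serial|enable|telnet|ssh|http) console (?P<servers>.+)$"
)
AAA_AUTHZ_RE = re.compile(r"^aaa authorization command (?P<servers>.+)$")
USERNAME_RE = re.compile(r"^username (?P<name>\S+) ")
TELNET_RE = re.compile(
    r"^telnet (?P<ip>\d+\.\d+\.\d+\.\d+) (?P<mask>\d+\.\d+\.\d+\.\d+) (?P<iface>\S+)$"
)


def audit(config_text):
    """Return a list of (severity, message) findings for the given config text."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    users = [USERNAME_RE.match(l)["name"] for l in lines if USERNAME_RE.match(l)]
    findings = []

    for line in lines:
        m = AAA_AUTH_RE.match(line) or AAA_AUTHZ_RE.match(line)
        if not m:
            continue
        servers = m["servers"].split()
        uses_local = "LOCAL" in servers
        # Lockout condition 1: LOCAL database referenced, but no username accounts exist.
        if uses_local and not users:
            findings.append(("LOCKOUT", f"'{line}' uses the LOCAL database but no username accounts are defined"))
        # Lockout condition 2: command authorization via a server tag with no LOCAL fallback.
        if line.startswith("aaa authorization command") and not uses_local:
            findings.append(("LOCKOUT", f"'{line}' has no LOCAL fallback; unreachable server '{servers[0]}' locks you out"))

    # The telnet command is meant to name specific management hosts; flag whole networks.
    for line in lines:
        m = TELNET_RE.match(line)
        if m and m["mask"] != "255.255.255.255":
            findings.append(("WARN", f"'{line}' permits Telnet from a network rather than a single host"))
    return findings


def safe_to_save(config_text):
    """True when no LOCKOUT finding is present (only then is `write memory` advisable)."""
    return not any(sev == "LOCKOUT" for sev, _ in audit(config_text))


# Constructed samples: the lesson's working example, then two broken variants.
GOOD_CONFIG = """
privilege configure level 10 command access-list
username kenny password chickadee privilege 10
aaa authorization command LOCAL
aaa authentication enable console LOCAL
telnet 10.0.0.11 255.255.255.255 inside
"""

NO_USERS_CONFIG = """
aaa authorization command LOCAL
aaa authentication enable console LOCAL
telnet 10.0.0.0 255.255.255.0 inside
"""

TACACS_ONLY_CONFIG = """
username admin password passw0rd privilege 15
aaa authorization command MYTACACS
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("no-users", NO_USERS_CONFIG), ("tacacs-only", TACACS_ONLY_CONFIG)):
        print(f"== {name}: safe_to_save={safe_to_save(cfg)}")
        for sev, msg in audit(cfg):
            print(f"   [{sev}] {msg}")
```

Run it against the candidate configuration (for example the output of `show running-config` on a lab unit) before copying it to the startup configuration; a LOCKOUT finding means the configuration should be corrected or backed out before it is saved.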
Password Recovery for the Cisco ASA Security Appliance

ciscoasa(config)#
service password-recovery
Enables password recovery. On by default.

asa1(config)# no service password-recovery
WARNING: Executing "no service password-recovery" has disabled the password recovery mechanism and disabled access to ROMMON. The only means of recovering from lost or forgotten passwords will be for ROMMON to erase all file systems including configuration files and images. You should make a backup of your configuration and have a mechanism to restore images from the ROMMON command line.

[Diagram: hosts 10.0.0.3 and 10.0.0.11, network 192.168.0.0, Internet; the administrator is prompted "Password?".]
Password Recovery for the Cisco PIX Security Appliance

– Download the following file from Cisco.com: npXX.bin, where XX is the Cisco PIX security appliance image version number.
– Reboot the system and break the boot process when prompted to go into monitor mode.
– Set the interface, IP address, gateway, server, and file to access the previously downloaded image via TFTP.
– Follow the directions displayed.
Managing Software, Licenses, and Configurations
Viewing Directory Contents

ciscoasa#
dir [/all] [/recursive] [all-filesystems | [disk0: | disk1: | flash: | system:] path]
Displays the directory contents.

asa1# dir
Directory of disk0:/
4346 -rw- 8202240 15:01:10 Oct 19 2006 asa721-k8.bin
6349 -rw- 5539756 15:30:39 Oct 19 2006 asdm521.bin
7705 -rw- 3334 07:03:57 Oct 22 2006 old_running.cfg
62947328 bytes total (29495296 bytes free)

You can use the pwd command to display the current working directory.

[Diagram: hosts 10.0.0.3 and 10.0.0.11, network 192.168.0.0, Internet; "dir" issued on the appliance.]
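The `dir` listing is also the input for a practical check made later in this lesson: before copying a new image or ASDM file to flash with `copy tftp:`, confirm that it fits in the space reported on the last line. The parser below is an added example, not Cisco's code and not part of this course; the listing it parses is the lesson's sample output reproduced as constructed input, and the candidate image sizes are constructed values.

```python
"""Parse PIX/ASA `dir` output and check free flash space before an upgrade (added example)."""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "index perms size timestamp name")

# One file line: index, permission flags, size, time, month, day, year, name.
ENTRY_RE = re.compile(
    r"^\s*(?P<index>\d+)\s+(?P<perms>[-drwx]{4})\s+(?P<size>\d+)\s+"
    r"(?P<time>\d\d:\d\d:\d\d)\s+(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d+)\s+"
    r"(?P<year>\d{4})\s+(?P<name>\S+)$"
)
# Trailer line: "<total> bytes total (<free> bytes free)".
TOTAL_RE = re.compile(r"^(?P<total>\d+) bytes total \((?P<free>\d+) bytes free\)$")


def parse_dir(text):
    """Return (entries, total_bytes, free_bytes) from `dir` output."""
    entries, total, free = [], None, None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            ts = f"{m['time']} {m['mon']} {m['day']} {m['year']}"
            entries.append(Entry(int(m["index"]), m["perms"], int(m["size"]), ts, m["name"]))
            continue
        m = TOTAL_RE.match(line.strip())
        if m:
            total, free = int(m["total"]), int(m["free"])
    return entries, total, free


def image_fits(text, new_image_bytes, removable=()):
    """True if a file of new_image_bytes fits in free space, optionally after deleting
    the files named in `removable` (their sizes are reclaimed from the listing)."""
    entries, _, free = parse_dir(text)
    if free is None:
        raise ValueError("no 'bytes total' trailer found in dir output")
    reclaimed = sum(e.size for e in entries if e.name in removable)
    return free + reclaimed >= new_image_bytes


# Constructed input: the lesson's sample `dir` output.
SAMPLE_DIR = """\
Directory of disk0:/
4346 -rw- 8202240 15:01:10 Oct 19 2006 asa721-k8.bin
6349 -rw- 5539756 15:30:39 Oct 19 2006 asdm521.bin
7705 -rw- 3334 07:03:57 Oct 22 2006 old_running.cfg
62947328 bytes total (29495296 bytes free)
"""

if __name__ == "__main__":
    entries, total, free = parse_dir(SAMPLE_DIR)
    for e in entries:
        print(f"{e.name:20} {e.size:>10} bytes  {e.timestamp}")
    print(f"free {free} of {total} bytes")
    # Constructed candidate sizes, not real image sizes.
    print("8.5 MB image fits:", image_fits(SAMPLE_DIR, 8_500_000))
    print("35 MB image fits after removing old image:",
          image_fits(SAMPLE_DIR, 35_000_000, removable=("asa721-k8.bin",)))
```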
Viewing File Contents

ciscoasa#
more [/ascii | /binary | /ebcdic | disk0: | disk1: | flash: | ftp: | http: | https: | system: | tftp:] filename
Displays the contents of a file.

asa1# more ctx1.cfg
: Saved
: Written by enable_15 at 14:12:08.092 UTC Sat Oct 7 2006
!
ASA Version 7.2(1) <context>
!
hostname CTX1
enable password 8Ry2YjIyt7RRXU24 encrypted
. . .

[Diagram: hosts 10.0.0.3 and 10.0.0.11, network 192.168.0.0, Internet; "more" issued on the appliance.]
Directory Management

ciscoasa#
mkdir [/noconfirm] [disk0: | disk1: | flash:]path
Creates a new directory.

ciscoasa#
rmdir [/noconfirm] [disk0: | disk1: | flash:]path
Removes a directory.

ciscoasa#
cd [disk0: | disk1: | flash:][path]
Changes the current working directory to the one specified.

[Diagram: hosts 10.0.0.3 and 10.0.0.11, network 192.168.0.0, Internet; "mkdir" issued on the appliance.]
Copying Files

ciscoasa#
copy [/noconfirm | /pcap] {url | running-config | startup-config} {running-config | startup-config | url}
Copies a file from one location to another.

asa1# copy disk0:MYCONTEXT.cfg startup-config
Copies the file MYCONTEXT.cfg from disk0 to the startup configuration.

[Diagram: hosts 10.0.0.3 and 10.0.0.11, network 192.168.0.0, Internet; "copy" issued on the appliance.]
Installing Application or ASDM Software Example

ciscoasa#
copy tftp://server[/path]/filename flash:/filename
Enables you to copy the application software or ASDM software to the flash file system from a TFTP server.

asa1# copy tftp://10.0.0.3/cisco/123file.bin flash:/123file.bin
Copies the file 123file.bin from 10.0.0.3 to the security appliance.

asa1# copy tftp://www.example.com/cisco/123file.bin flash:/123file.bin
Copies the file 123file.bin from www.example.com to the security appliance.

[Diagram: TFTP server 10.0.0.3 holding the ASDM image, host 10.0.0.11, network 192.168.0.0, Internet.]
Downloading and Backing Up Configuration Files Example

ciscoasa#
copy ftp://[user[:password]@]server[/path]/filename[;type=xx] startup-config
Copies the configuration file from an FTP server.

asa1# copy ftp://admin:<password>@<ftp-server>/configs/startup.cfg;type=an startup-config

ciscoasa#
copy {startup-config | running-config | disk0:[path/]filename} ftp://[user[:password]@]server[/path]/filename[;type=xx]
Copies the configuration file to an FTP server.

[Diagram: FTP server 10.0.0.3, host 10.0.0.11, network 192.168.0.0, Internet; configuration file transferred to and from the appliance.]
Image Upgrade and Activation Keys
Viewing Version Information

ciscoasa#
show version
Displays the software version, hardware configuration, license key, and related uptime data.

asa1# show version
Cisco Adaptive Security Appliance Software Version 7.2(1)
Device Manager Version 5.2(1)
Compiled on Wed 31-May-06 14:45 by root
System image file is "disk0:/asa721-k8.bin"
Config file at boot was "startup-config"
asa1 up 17 hours 40 mins
. . .

[Diagram: hosts 10.0.0.3 and 10.0.0.11, Internet; "version?".]
Image Upgrade

ciscoasa#
copy tftp://server[/path]/filename flash:/filename
Enables you to change software images without accessing the TFTP monitor mode.

asa1# copy tftp://10.0.0.3/asa721-k8.bin flash

The TFTP server at IP address 10.0.0.3 receives the command and determines the actual file location from its root directory information. The server then downloads the TFTP image to the security appliance.

[Diagram: TFTP server 10.0.0.3, host 10.0.0.11, Internet.]
Entering a New Activation Key

ciscoasa(config)#
activation-key [noconfirm] {activation-key-four-tuple | activation-key-five-tuple}
Updates the activation key on the security appliance. Used to enable licensed features on the security appliance.

asa1(config)# activation-key 0x12345678 0xabcdef01 0x2345678ab 0xcdef01234

[Diagram: hosts 10.0.0.3 and 10.0.0.11, network 192.168.0.0, Internet; activation key entered on the appliance.]
Upgrading the Image and the Activation Key

Complete the following steps to upgrade the image and the activation key at the same time:
Step 1: Install the new image.
Step 2: Reboot the system.
Step 3: Update the activation key.
Step 4: Reboot the system.
Troubleshooting the Activation Key Upgrade

Message: The activation key you entered is the same as the running key.
Problem and resolution: Either the activation key has already been upgraded or you need to enter a different key.

Message: The flash image and the running image differ.
Problem and resolution: Reboot the security appliance and re-enter the activation key.

Message: The activation key is not valid.
Problem and resolution: Either you made a mistake entering the activation key or you need to obtain a valid activation key.
Summary
SSH provides secure remote management of the security appliance.
TFTP is used to upgrade the software image on security appliances.
You can configure the following types of command authorization:
– Command authorization with password-protected privilege levels
– Command authorization with username and password authentication
The security appliance can be configured to permit multiple users to access its console simultaneously via Telnet.
You can enable Telnet to the security appliance on all interfaces.
Password recovery for the security appliance requires a TFTP server.