Document information
Cisco PIX Firewall
John Joo
APAC Channels Technical Operations
© 2002, Cisco Systems, Inc. All rights reserved.
PIX Advanced
PIX Technical Development Program Agenda
• Product Review
• Six Primary Commands
• VLAN Support
• Syslog Configuration
• Access Control Lists
• Java and Active X filtering
• URL Filtering
• Fixup Protocols
PIX Technical Development Program Agenda
• Attack Guards
• IDS
• Failover
• VPNs
• System Maintenance
• OSPF
• PDM 3.0
• Lab Instructions
PIX Firewall—Review
Stateful firewall with high security and fast
performance
• Secure, real-time, embedded operating system—
no UNIX or NT security holes
• Adaptive security algorithm provides stateful
security
• Cut-through proxy for Authentication eliminates
application-layer bottlenecks
• Easy management through CLI or PDM GUI
PIX Firewall Family Lineup
Figure: the PIX Firewall family plotted by price against functionality, lowest to highest: PIX 501 (SOHO), PIX 506E (ROBO), PIX 515E (SMB), PIX 525 (Enterprise), PIX 535 and the Catalyst 6500 Firewall Services Module (Enterprise/SP); Gigabit Ethernet is marked on the upper part of the range.
PIX Firewall Product Line Overview

Model            501                  506E        515E-UR     525-UR      535-UR
Market           SOHO                 ROBO        SMB         Enterprise  Ent.+, SP
MSRP             $595 or $845         $1,395      $7,495      $13,995     $37,995
Licensed Users   10, 50 or Unlimited  Unlimited   Unlimited   Unlimited   Unlimited
Max VPN Peers    10                   25          2,000       2,000       2,000
Size (RU)
GigE Enabled
nslookup
Default server: server1.domain.com
Address: 172.16.0.4
ls domain.com
3. The PIX Firewall drops the connection and logs an IDS message to 10.0.0.3.
Configure IDS
pixfirewall(config)#
ip audit name audit_name info [action [alarm] [drop] [reset]]
• Create a policy for informational signatures.
pixfirewall(config)#
ip audit name audit_name attack [action [alarm] [drop] [reset]]
• Create a policy for attack signatures.
pixfirewall(config)#
ip audit interface if_name audit_name
• Apply a policy to an interface.
pixfirewall(config)# ip audit name ATTACKPOLICY attack action alarm drop reset
pixfirewall(config)# ip audit interface outside ATTACKPOLICY
• When the PIX Firewall detects an attack signature on its outside interface, it reports an event to all configured Syslog servers, drops the offending packet, and resets the connection if the packet is part of an active connection.
Specify Default Actions for Signatures
pixfirewall(config)#
ip audit attack [action [alarm] [drop] [reset]]
• Specifies the default actions for attack signatures.
pixfirewall(config)#
ip audit info [action [alarm] [drop] [reset]]
• Specifies the default actions for informational signatures.
pixfirewall(config)# ip audit info action alarm drop
• When the PIX Firewall detects an info signature, it reports an
event to all configured Syslog servers and drops the
offending packet.
Disable Intrusion Detection Signatures
pixfirewall(config)#
ip audit signature signature_number disable
• Excludes a signature from auditing
pixfirewall(config)# ip audit signature 6102 disable
• Disables signature 6102
NDSB Example
Understanding Failover
Failover
Figure: a primary PIX Firewall and a secondary PIX Firewall, both connected to the Internet, joined by the failover cable.
The primary and secondary units must:
• be the same model number.
• have identical software versions and activation key types.
• have the same amount of Flash memory and RAM.
IP Address for Failover on PIX Firewalls
Figure: failover addressing. Primary PIX Firewall (active/standby; system IP/failover IP): e0 .2 on 192.168.0.0/24 toward the Internet, e1 .1 on 10.0.0.0/24. Secondary PIX Firewall (standby/active; failover IP/system IP): e0 .7, e1 .7. The diagram also shows a .1 address on the 192.168.0.0/24 side and a .3 address on the 10.0.0.0/24 side.
Configuration Replication
Configuration replication occurs:
• When the standby firewall completes its initial
bootup.
• As commands are entered on the active firewall.
• By entering the write standby command.
Configuring Failover
http://www.cisco.com/warp/customer/110/failover.html#lan
Failover and Stateful Failover
• Failover
– Connections are dropped.
– Client applications must reconnect.
– Provides redundancy.
• Stateful failover
– TCP Connections remain active.
– No client applications need to reconnect.
– Provides redundancy and stateful connection.
Failover Interface Tests (in order)
• Link Up/Down test: tests the NIC itself.
• Network Activity test: checks whether the interface has received network activity.
• ARP test: reads the 10 most recently acquired entries from the PIX Firewall's ARP cache.
• Broadcast Ping test: sends out a broadcast ping request.
failover Commands
pixfirewall(config)#
failover
• The failover command enables failover between the active and standby PIX Firewalls.
pixfirewall(config)#
failover ip address if_name ip_address
• The failover ip address command creates an IP address for the standby PIX Firewall.
pixfirewall(config)# failover ip address inside 10.0.0.4
pixfirewall(config)#
failover link [stateful_if_name]
• The failover link command enables stateful failover.
pixfirewall(config)#
failover [active]
• The failover active command makes a PIX Firewall the primary firewall.
failover poll Command
pixfirewall(config)#
failover poll seconds
• Specifies how long failover waits before sending special failover "hello" packets between the primary and standby units over all network interfaces and the failover cable.
pixfirewall(config)# failover poll 10
• Failover waits ten seconds before sending special failover "hello" packets.
• Failover waits 2 times the poll interval before acting on missed hello packets. The default poll interval is 15 seconds.
LAN Based Failover
Figure: an active-mode unit and a standby-mode unit, each with an inside network interface, an outside network interface, and a stateful failover LAN interface connected through a dedicated switch or hub.
• Same hot standby failover model
• Can now operate over a dedicated LAN interface, which overcomes the distance limitation of the serial cable
• Dedicated switch or hub for detection of LAN interface failure instead of a crossconnect cable
• Message encryption and authentication using a manual pre-shared key
• The same LAN interface may be used for the stateful failover feature on a lightly loaded system
• PIX Firewall requires that unused interfaces be connected to the standby unit and that each unused interface be assigned an IP address. Even if an interface is administratively shut down, the PIX Firewall will try to send the failover check-up messages to all internal interfaces.
Long Distance (LAN) Based Failover
New subcommand (6.2)
pix(config)# failover lan ?
Usage: [no] failover [active]
       failover ip address
       failover mac address
       failover reset
       failover link
       failover poll
       failover replication http
       failover lan unit primary|secondary |
                    interface |
                    key |
                    enable
       show failover [lan [detail]]
pix(config)#
Basic Lan-Based Failover Config for Primary
Basic Commands
pixfirewall(config)# hostname PIX
!--- Naming the PIX is optional
PIX(config)# nameif ethernet2 fo security20
!--- Naming the interface is optional. It is recommended that you
!--- hardcode the speed/duplex.
PIX(config)# interface ethernet2 100full
!--- Bring up the interface
PIX(config)# ip address fo 192.168.1.1 255.255.255.0
!--- Assign an IP address
Failover Commands
PIX(config)# failover ip address fo 192.168.1.2
!--- IP address for failover link
PIX(config)# failover lan unit primary
!--- This unit will be primary
PIX(config)# failover lan interface fo
!--- fo interface will be used for LAN failover
PIX(config)# failover lan key cisco
!--- Pre-shared key
PIX(config)# failover lan enable
!--- Enabling failover
PIX(config)# failover active
!--- This unit will be the active unit
Basic Lan Failover Config-Standby
Basic Commands
pixfirewall(config)# hostname PIX
PIX(config)# nameif ethernet2 fo security20
!--- It is recommended that you hardcode the speed/duplex
PIX(config)# interface ethernet2 100full
PIX(config)# ip address fo 192.168.1.1 255.255.255.0
Failover Commands
PIX(config)# failover ip address fo 192.168.1.2
PIX(config)# failover lan unit secondary
!--- This unit will be secondary
PIX(config)# failover lan interface fo
PIX(config)# failover lan key cisco
PIX(config)# failover lan enable
PIX(config)# failover
!--- This unit will be secondary because the "active" keyword is not used
show failover Command
Before failover
pixfirewall(config)# show failover
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
This host: Primary - Active
Active time: 360 (sec)
Interface dmz (172.16.0.1): Normal
Interface outside (192.168.0.2): Normal
Interface inside (10.0.0.1): Normal
Other host: Secondary - Standby
Active time: 0 (sec)
Interface dmz (172.16.0.4): Normal
Interface outside (192.168.0.4): Normal
Interface inside (10.0.0.4): Normal
Stateful Failover Logical Update Statistics
Link : dmz

After failover
pixfirewall(config)# show failover
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
This host: Primary - Standby
Active time: 0 (sec)
Interface dmz (172.16.0.4): Normal
Interface outside (192.168.0.4): Normal
Interface inside (10.0.0.4): Normal
Other host: Secondary - Active
Active time: 150 (sec)
Interface dmz (172.16.0.1): Normal
Interface outside (192.168.0.2): Normal
Interface inside (10.0.0.1): Normal
Stateful Failover Logical Update Statistics
Link : dmz
Useful URLs for Failover
-http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/config/failover.htm
-http://www.cisco.com/warp/public/110/failover.html
-http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/install/failover.htm
-http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/failover.htm
The PIX Firewall Enables a
Secure VPN
PIX Firewall VPN Topologies
Figure: VPN topologies across the Internet: PIX Firewall to PIX Firewall VPN gateway; PIX Firewall to router VPN gateway; VPN Client to PIX Firewall VPN via dialup; VPN Client to PIX Firewall VPN via network; other vendors' gateways to PIX Firewall VPN.
What Is IPSec?
Figure: two peers exchanging IPSec-protected traffic across the Internet.
• IETF standard that enables encrypted communication between peers
– Consists of open standards for securing private communications
– Network layer encryption ensuring data confidentiality, integrity, and authentication
– Scales from small to very large networks
– Included in PIX Firewall version 5.0 and later
ISAKMP-Internet Security Association and
Key Management Protocol
RFC 2408:
ISAKMP defines procedures and packet formats to establish, negotiate,
modify and delete Security Associations. SAs contain all the information
required for execution of various network security services, such as the IP
layer services (such as header authentication and payload encapsulation),
transport or application layer services, or self-protection of negotiation traffic.
ISAKMP defines payloads for exchanging key generation and authentication data.
These formats provide a consistent framework for transferring key and
authentication data which is independent of the key generation technique,
encryption algorithm and authentication mechanism.
ISAKMP is distinct from key exchange protocols in order to cleanly separate
the details of security association management (and key management) from the
details of key exchange. There may be many different key exchange protocols,
each with different security properties. However, a common framework is required
for agreeing to the format of SA attributes, and for negotiating, modifying, and
deleting SAs. ISAKMP serves as this common framework.
IPSec Standards Supported by Cisco IOS
and PIX Firewall
• IPSec (IP Security Protocol)
– Authentication Header (AH)
– Encapsulating Security Payload
(ESP)
• DES
• Triple DES (3DES)
IPSec Standards Supported by Cisco IOS and PIX Firewall (cont.)
• Diffie-Hellman
– Establishes a shared key over an insecure medium
– Group 1 = 768 bit
– Group 2 = 1024 bit
• Message Digest 5 (MD5)
– 128 bit digest
• Secure Hash Algorithm (SHA)
– 160 bit digest
• RSA Signatures
– Inventors: Rivest, Shamir, and Adleman
• Internet Key Exchange (IKE)
– Establishes shared security policy and authenticated keys
• Certificate Authorities
– Third party entity that issues and revokes certificates
Authentication Header
Figure: Router A sends to Router B; all data travels in clear text.
• Ensures data integrity
• Provides origin authentication
• Ensures packets definitely came from peer router
• Does NOT provide confidentiality (no encryption)
• Uses a keyed-hash mechanism
• Provides replay protection
AH Authentication and Integrity
Figure: Router A hashes "IP header + Data" to produce the authentication data (00ABCDEF) and sends IP HDR | AH | Data. Router B hashes the received "IP header + Data" and compares its result with the authentication data (00ABCDEF) carried in the AH.
AH Tunnel vs. Transport Mode
Original packet:  IP HDR | Data
Transport mode:   IP HDR | AH | Data
                  Authenticated except for mutable fields
Tunnel mode:      New IP HDR | AH | IP HDR | Data
                  Authenticated except for mutable fields in new IP Header
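An added example, not from the slides and not PIX code, that models what the AH integrity check value covers in both modes using HMAC-SHA-1-96 (RFC 2404) over a minimal IPv4 packet; the key, addresses and payload are constructed, and there is no replay window.

```python
import hashlib
import hmac
import struct
from socket import inet_aton

AH_PROTO = 51
ICV_LEN = 12                    # HMAC-SHA-1-96 (RFC 2404): 96-bit truncated ICV
AH_LEN = 12 + ICV_LEN           # fixed AH fields (12 bytes) + ICV
KEY = b"constructed-demo-key"   # constructed; a real SA key comes from IKE


def checksum(data):
    """Standard one's-complement IPv4 header checksum."""
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src, dst, proto, total_len, ttl=64):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                      ttl, proto, 0, inet_aton(src), inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def authenticated_view(packet):
    """Bytes the ICV covers: the whole packet with the IPv4 mutable fields (TOS,
    flags/fragment offset, TTL, header checksum) and the ICV itself zeroed."""
    ip = bytearray(packet[:20])
    ip[1] = 0
    ip[6:8] = b"\0\0"
    ip[8] = 0
    ip[10:12] = b"\0\0"
    ah = bytearray(packet[20:20 + AH_LEN])
    ah[12:] = bytes(ICV_LEN)
    return bytes(ip) + bytes(ah) + packet[20 + AH_LEN:]


def icv(packet, key=KEY):
    return hmac.new(key, authenticated_view(packet), hashlib.sha1).digest()[:ICV_LEN]


def ah_transport(src, dst, payload, next_hdr=17, spi=0x100, seq=1):
    """IP HDR | AH | Data. AH payload length is in 32-bit words minus 2: 24/4 - 2 = 4."""
    ah = struct.pack("!BBHII", next_hdr, AH_LEN // 4 - 2, 0, spi, seq) + bytes(ICV_LEN)
    pkt = ipv4_header(src, dst, AH_PROTO, 20 + AH_LEN + len(payload)) + ah + payload
    return pkt[:32] + icv(pkt) + pkt[44:]


def ah_tunnel(outer_src, outer_dst, inner_src, inner_dst, payload):
    """New IP HDR | AH | IP HDR | Data. The inner header is ordinary payload
    (next header 4 = IP-in-IP), so all of it, mutable fields included, is covered."""
    inner = ipv4_header(inner_src, inner_dst, 17, 20 + len(payload)) + payload
    return ah_transport(outer_src, outer_dst, inner, next_hdr=4)


def verify(packet, key=KEY):
    return hmac.compare_digest(packet[32:44], icv(packet, key))


def forward_hop(packet):
    """A router on the path: decrement the outer TTL and recompute the header checksum."""
    ip = bytearray(packet[:20])
    ip[8] -= 1
    ip[10:12] = b"\0\0"
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    return bytes(ip) + packet[20:]


def flip_byte(packet, offset):
    """Corruption model: invert one byte at the given offset."""
    return packet[:offset] + bytes([packet[offset] ^ 0xFF]) + packet[offset + 1:]
```

Changing TTL and checksum in transit leaves the packet verifiable, while any change to the addresses, the payload, or (in tunnel mode) the inner header fails the check.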
Encapsulating Security Payload
Figure: Router A sends to Router B; the data payload is encrypted.
• Data confidentiality (encryption)
• Limited traffic flow confidentiality
• Data integrity
• Optional data origin authentication
• Anti-replay protection
• Does not protect IP header
ESP Tunnel vs. Transport Mode
Original packet:  IP HDR | Data
Transport mode:   IP HDR | ESP HDR | Data | ESP Trailer | ESP Auth
                  Encrypted: Data, ESP Trailer
                  Authenticated: ESP HDR, Data, ESP Trailer
Tunnel mode:      New IP HDR | ESP HDR | IP HDR | Data | ESP Trailer | ESP Auth
                  Encrypted: IP HDR, Data, ESP Trailer
                  Authenticated: ESP HDR, IP HDR, Data, ESP Trailer
IPsec Security Options (Recommended)
How much encryption do you need?
• DES (56b), 3DES (168b) or AES (128, 192, 256)
– DES Challenge III (1/18/99): 22h, 15m, $50K USD
How much packet integrity do you need?
• MD5 (128b) or SHA (160b)
How much random initialization do you need?
• Diffie-Hellman Group 1, 2, 5
– The strength of the exponentiation used to seed the initial authentication and encryption
• Perfect Forward Secrecy (PFS) Group 1, 2, 5
– Forces a new DH exponentiation during every phase two rekey
Configure IKE Parameters
Step 1—Enable or Disable IKE
pixfirewall(config)#
isakmp enable interface-name
• Enables or disables IKE on the PIX
Firewall interfaces
• IKE is enabled by default
• Disable IKE on interfaces not used
for IPSec
Step 2—Configure an IKE Phase One Policy
Internet Key Exchange (IKE) negotiates the IPSec security associations. This process requires that the IPSec systems first authenticate themselves to each other and establish ISAKMP shared keys. In phase 1, IKE creates an authenticated, secure channel between the two ISAKMP peers which is called the ISAKMP Security Association.
pixfirewall(config)# isakmp policy priority encryption des|3des
pixfirewall(config)# isakmp policy priority hash md5|sha
pixfirewall(config)# isakmp policy priority authentication pre-share|rsa-sig
pixfirewall(config)# isakmp policy priority group 1|2
pixfirewall(config)# isakmp policy priority lifetime seconds
• Creates a policy suite grouped by priority number
• Creates policy suites that match peers
• Can use default values
Step 3—Configure the IKE Pre-shared Key
pixfirewall(config)#
isakmp key keystring address peer-address
[netmask]
• Pre-shared keystring must be identical at both peers
• Use any combination of alphanumeric characters up to
128 bytes for keystring
• Specify peer-address as a host or wildcard address
• Easy to configure, yet is not scalable
Step 4—Verify IKE Phase One Policies
pixfirewall# show isakmp policy
Protection suite of priority 10
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
• Displays configured and default IKE protection suites
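An added example, not from the slides: a parser for this show isakmp policy output plus a model of phase one suite selection, in which the responder walks its own suites lowest priority number first and accepts the first one matching an offered suite on encryption, hash, authentication and group, with the shorter lifetime used. LOCAL_SHOW is the output above; PEER_SHOW is constructed, and its wording for 3DES and MD5 is an assumption.

```python
import re

# The two suites shown on this slide
LOCAL_SHOW = """\
Protection suite of priority 10
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
"""

# Constructed peer: a stronger suite first, then a DES/SHA fallback with a shorter lifetime
PEER_SHOW = """\
Protection suite of priority 10
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 20
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               3600 seconds, no volume limit
"""

ATTR_OF = {"encryption algorithm": "encryption", "hash algorithm": "hash",
           "authentication method": "authentication",
           "diffie-hellman group": "group", "lifetime": "lifetime"}
DEFAULT_PRIORITY = 65535      # the default suite is tried after every configured one
MATCH_ATTRS = ("encryption", "hash", "authentication", "group")


def _norm(attr, value):
    """Map the human-readable show output back to the isakmp policy keywords."""
    v = value.lower()
    if attr == "encryption":
        return "3des" if "triple" in v else ("aes" if "aes" in v else "des")
    if attr == "hash":
        return "md5" if "digest" in v else "sha"
    if attr == "authentication":
        return "pre-share" if "pre-shared" in v else "rsa-sig"
    if attr == "group":
        return int(re.search(r"#(\d+)", v).group(1))
    return int(v.split()[0])  # lifetime in seconds


def parse_show_isakmp_policy(text):
    suites, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Protection suite of priority (\d+)", line)
        if m:
            cur = {"priority": int(m.group(1))}
            suites.append(cur)
        elif line.startswith("Default protection suite"):
            cur = {"priority": DEFAULT_PRIORITY}
            suites.append(cur)
        elif cur is not None and ":" in line:
            label, value = line.split(":", 1)
            attr = ATTR_OF.get(label.strip().lower())
            if attr:
                cur[attr] = _norm(attr, value.strip())
    return sorted(suites, key=lambda s: s["priority"])


def negotiate(initiator, responder):
    """Responder checks its suites in priority order against everything the
    initiator offered; lifetime is not matched, the shorter value is used."""
    for local in responder:
        for offer in initiator:
            if all(offer[a] == local[a] for a in MATCH_ATTRS):
                chosen = {a: local[a] for a in MATCH_ATTRS}
                chosen.update(responder_priority=local["priority"],
                              initiator_priority=offer["priority"],
                              lifetime=min(offer["lifetime"], local["lifetime"]))
                return chosen
    return None
```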
Configure IPSec Parameters
Step 1—Configure Interesting Traffic
pixfirewall(config)#
access-list access-list-name {deny | permit} ip
source source-netmask destination destination-netmask
• permit = encrypt
• deny = do not encrypt
• access-list selects IP traffic by address, network, or subnet
Example Crypto ACLs
Figure: Site 1 host 10.0.1.3 behind PIX1 (e0 192.168.1.2) and Site 2 host 10.0.2.3 behind PIX2 (e0 192.168.2.2), connected across the Internet.
PIX1
pix1(config)# show static
static (inside,outside) 192.168.1.10 10.0.1.3 netmask 255.255.255.255 0 0
pix1(config)# show access-list
access-list 110 permit ip host 192.168.1.10 host 192.168.2.10
PIX2
pix2(config)# show static
static (inside,outside) 192.168.2.10 10.0.2.3 netmask 255.255.255.255 0 0
pix2(config)# show access-list
access-list 101 permit ip host 192.168.2.10 host 192.168.1.10
• Lists are symmetrical
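An added example (not the slides' or Cisco's code) that checks the symmetry rule above from the show access-list output of both peers: every permit on one side must have a mirror image (source and destination swapped) on the other. PIX1_ACL and PIX2_ACL are the lists above; PIX2_BAD is a constructed misconfiguration.

```python
# "show access-list" output of the two peers in the example above
PIX1_ACL = "access-list 110 permit ip host 192.168.1.10 host 192.168.2.10"
PIX2_ACL = "access-list 101 permit ip host 192.168.2.10 host 192.168.1.10"

# Constructed misconfigured PIX2: a typo in the peer host and an extra subnet PIX1 never selects
PIX2_BAD = """\
access-list 101 permit ip host 192.168.2.10 host 192.168.1.11
access-list 101 permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0 (hitcnt=0)
"""


def _endpoint(tok, i):
    """Consume one address spec at tok[i]: 'host A', 'any', or 'NET MASK'."""
    if tok[i] == "host":
        return (tok[i + 1], "255.255.255.255"), i + 2
    if tok[i] == "any":
        return ("0.0.0.0", "0.0.0.0"), i + 1
    return (tok[i], tok[i + 1]), i + 2


def parse_crypto_acl(text):
    """Return [(action, (src, mask), (dst, mask))] for the 'ip' ACEs; hit counts are ignored."""
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[3] != "ip":
            continue
        src, i = _endpoint(tok, 4)
        dst, _ = _endpoint(tok, i)
        aces.append((tok[2], src, dst))
    return aces


def acl_mismatches(local, remote):
    """Permits on either side whose mirror image is missing on the other side.
    Each problem is (ace, description); an empty list means the lists are symmetrical."""
    def mirror(ace):
        action, src, dst = ace
        return (action, dst, src)

    problems = []
    for ace in local:
        if ace[0] == "permit" and mirror(ace) not in remote:
            problems.append((ace, "local permit has no mirror on the remote peer"))
    for ace in remote:
        if ace[0] == "permit" and mirror(ace) not in local:
            problems.append((ace, "remote permit has no mirror on the local peer"))
    return problems
```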
Step 2—Configure an IPSec Transform Set
In phase 2, IKE negotiates the security associations, and generates the required key material for IPSec.
pixfirewall(config)#
crypto ipsec transform-set transform-set-name
transform1 [transform2 [transform3]]
• Sets are limited to up to one AH and up to two ESP transforms
• Default mode is tunnel
• Configure matching sets between IPSec peers
Available IPSec Transforms
ah-md5-hmac     AH-HMAC-MD5 transform
ah-sha-hmac     AH-HMAC-SHA transform
esp-des         ESP transform using DES cipher (56 bits)
esp-3des        ESP transform using 3DES cipher (168 bits)
esp-md5-hmac    ESP transform using HMAC-MD5 auth
esp-sha-hmac    ESP transform using HMAC-SHA auth
Step 3—Configure the Crypto Map
pixfirewall(config)# crypto ipsec transform-set TRANSFORM1 esp-des esp-sha-hmac
pixfirewall(config)# crypto map map-name seq-num ipsec-isakmp
pixfirewall(config)# crypto map map-name seq-num match address access-list-name
pixfirewall(config)# crypto map map-name seq-num set peer hostname | ip-address
pixfirewall(config)# crypto map map-name seq-num set transform-set transform-set-name1 [transform-set-name2 ... transform-set-name9]
pixfirewall(config)# crypto map map-name seq-num set pfs [group1 | group2]
pixfirewall(config)# crypto map map-name seq-num set security-association lifetime seconds seconds | kilobytes kilobytes
• Specifies IPSec (IKE phase two) parameters
• Map names and sequence numbers group entries into a policy
• Perfect Forward Secrecy recalculates the DH public/private keys on every refresh and consumes more resources on the PIX.
Step 4—Apply the Crypto Map to an
Interface
pixfirewall(config)#
crypto map map-name interface interface-name
• Applies the crypto map to an interface
• Activates IPSec policy
Example Crypto Map for PIX1
Figure: Site 1 host 10.0.1.3 behind PIX1 (e0 192.168.1.2) and Site 2 host 10.0.2.3 behind PIX2 (e0 192.168.2.2), connected across the Internet.
pix1(config)# show crypto map
Crypto Map "peer2" 10 ipsec-isakmp
Peer = 192.168.2.2
access-list 101 permit ip host 192.168.1.3 host 192.168.2.3 (hitcnt=0)
Current peer: 192.168.2.2
Security association lifetime: 4608000 kilobytes/28800 seconds
PFS (Y/N): N
Transform sets={ pix2, }
Example Crypto Map for PIX2
Figure: the same two sites; this is the mirror-image map on PIX2.
pix2(config)# show crypto map
Crypto Map "peer1" 10 ipsec-isakmp
Peer = 192.168.1.2
access-list 101 permit ip host 192.168.2.3 host 192.168.1.3 (hitcnt=0)
Current peer: 192.168.1.2
Security association lifetime: 4608000 kilobytes/28800 seconds
PFS (Y/N): N
Transform sets={ pix1, }
PIX Advanced Encryption
Standard (6.3)
PIX Advanced Encryption Standard
The IETF will mandate AES as a required privacy transform for both IPSec and IKE.
The AES algorithm is capable of using cryptographic keys of
128, 192 and 256 bits to encrypt and decrypt data in blocks of
128 bits.
PIX Advanced Encryption Standard
crypto ipsec transform-set trans-name [ah-md5-hmac|ah-sha-hmac]
[esp-aes|esp-aes-192|esp-aes-256|esp-des|esp-3des|esp-null]
[esp-md5-hmac|esp-sha-hmac]
The following example uses the new AES 192 bit key transform:
crypto ipsec transform-set standard esp-aes-192 esp-md5-hmac
The isakmp policy command uses the new syntax:
isakmp policy priority encryption aes|aes-192|aes-256|des|3des
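An added example, not Cisco code, that validates transform-set lines against the 6.3 syntax above and the composition rule from Step 2 (one AH transform, one ESP cipher and one ESP authentication transform at most), reporting the cipher key size so weak choices stand out.

```python
# Transform classes accepted by the 6.3 "crypto ipsec transform-set" syntax
AH_AUTH = {"ah-md5-hmac", "ah-sha-hmac"}
ESP_CIPHER = {"esp-aes", "esp-aes-192", "esp-aes-256", "esp-des", "esp-3des", "esp-null"}
ESP_AUTH = {"esp-md5-hmac", "esp-sha-hmac"}
KEY_BITS = {"esp-des": 56, "esp-3des": 168, "esp-aes": 128,
            "esp-aes-192": 192, "esp-aes-256": 256, "esp-null": 0}


def _class_of(transform):
    if transform in AH_AUTH:
        return "ah"
    if transform in ESP_CIPHER:
        return "esp-cipher"
    if transform in ESP_AUTH:
        return "esp-auth"
    return None


def check_transform_set(line):
    """Validate one 'crypto ipsec transform-set NAME t1 [t2 [t3]]' line.
    Returns (ok, message, info); info describes a valid set, else None."""
    tok = line.split()
    if tok[:3] != ["crypto", "ipsec", "transform-set"] or len(tok) < 5:
        return False, "expected: crypto ipsec transform-set NAME transform1 [transform2 [transform3]]", None
    name, transforms = tok[3], tok[4:]
    if len(transforms) > 3:
        return False, "%s: at most three transforms (one AH, one ESP cipher, one ESP auth)" % name, None
    chosen = {}
    for t in transforms:
        cls = _class_of(t)
        if cls is None:
            return False, "%s: unknown transform %s" % (name, t), None
        if cls in chosen:
            return False, "%s: more than one %s transform (%s, %s)" % (name, cls, chosen[cls], t), None
        chosen[cls] = t
    cipher = chosen.get("esp-cipher")
    info = {"name": name, "ah": chosen.get("ah"), "cipher": cipher,
            "key_bits": KEY_BITS[cipher] if cipher else None,
            "esp_auth": chosen.get("esp-auth")}
    if cipher in ("esp-des", "esp-null"):
        return True, "%s: valid, but %s gives weak or no confidentiality" % (name, cipher), info
    if cipher and not info["esp_auth"] and not info["ah"]:
        return True, "%s: valid, but no integrity transform; ESP data is unauthenticated" % name, info
    return True, "%s: valid" % name, info
```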
Test and Verify VPN Configuration
Test and Verify VPN Configuration
• Verify ACLs and interesting traffic
show access-list
• Verify correct IKE configuration
show isakmp
show isakmp policy
• Verify correct IPSec configuration
show crypto ipsec transform-set
Test and Verify VPN Configuration (cont.)
• Verify the correct crypto map configuration
show crypto map
• Verify tunnel state
show crypto engine connection active
• Clear the IPSec SA
clear crypto sa
• Clear the IKE SA
clear isakmp
• Debug IKE and IPSec traffic through the PIX Firewall
debug crypto ipsec
debug crypto isakmp
NAT Transparency
(6.3)
NAT Transparency (NAT-T)
• Allows tunneling through NAT/PAT devices and firewalls
• Needed because of IPSec incompatibilities with NAT/PAT. For example, a PIX doing PAT drops IPSec frames because PAT works with port numbers, and IPSec does not use port numbers
• Can be turned on and off
• Default: OFF for site-to-site deployment
• Default: ON for hardware VPN client
• IETF UDP-based encapsulation, currently used on VPN 3000 products (UDP 4500 is used)
NAT-T: Example 1
Figure: VPN Client 10.0.1.5 behind a PAT device (205.151.254.10 in the figure) reaching the head end across the Internet.
1. A UDP header is applied between the IP encapsulation header and the ESP header: IP | UDP | ESP | Data | Hash.
2. Translation at the PAT device is based on the new UDP header.
3. At the far end the UDP header, IP encapsulation header, and ESP header are stripped.
NAT-T: How it works
Detects if both ends support NAT-T
Peers exchange Vendor ID (VID) packets
Detects intermediate NAT devices along transmission
path
Peers exchange NAT discovery (NAT-D) packets
If both ends support NAT-T and NAT devices are
discovered in path, ESP traffic is encapsulated in UDP
datagrams
Translations are based on the new UDP header
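An added example, not from the slides, that models the three steps of Example 1 as byte-level packets in the RFC 3948 ESP-in-UDP format: the client inserts a UDP 4500 header, the PAT device translates on that header (and has nothing to translate on for plain ESP), and the head end strips it and tells IKE from ESP by the non-ESP marker. Addresses other than the figure's 205.151.254.10, the SPI and the ciphertext are constructed; the IP checksum is left zero.

```python
import struct
from socket import inet_aton, inet_ntoa

NAT_T_PORT = 4500
ESP_PROTO, UDP_PROTO = 50, 17
NON_ESP_MARKER = b"\0\0\0\0"   # RFC 3948: IKE on port 4500 starts with four zero bytes; an ESP SPI is never 0


def ip_hdr(src, dst, proto, total_len):
    # Minimal IPv4 header; checksum left 0 because it is not what this model is about
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, proto, 0,
                       inet_aton(src), inet_aton(dst))


def layers(pkt):
    """Name the headers stacked in a packet, for comparison with the figure."""
    if pkt[9] == ESP_PROTO:
        return ["IP", "ESP"]
    if pkt[9] == UDP_PROTO:
        return ["IP", "UDP", "IKE" if pkt[28:32] == NON_ESP_MARKER else "ESP"]
    return ["IP"]


def esp_packet(src, dst, spi, seq, ciphertext):
    """Plain ESP as sent without NAT-T: IP | ESP(SPI, seq) | encrypted data."""
    esp = struct.pack("!II", spi, seq) + ciphertext
    return ip_hdr(src, dst, ESP_PROTO, 20 + len(esp)) + esp


def ike_nat_t(src, dst, src_port, ike_bytes):
    """IKE moved to UDP 4500 once NAT-D found a NAT: prefixed with the non-ESP marker."""
    body = NON_ESP_MARKER + ike_bytes
    udp = struct.pack("!HHHH", src_port, NAT_T_PORT, 8 + len(body), 0)
    return ip_hdr(src, dst, UDP_PROTO, 28 + len(body)) + udp + body


def encapsulate(pkt):
    """Step 1 (client): insert a UDP 4500 header between the IP header and the ESP header."""
    esp = pkt[20:]
    udp = struct.pack("!HHHH", NAT_T_PORT, NAT_T_PORT, 8 + len(esp), 0)
    return ip_hdr(inet_ntoa(pkt[12:16]), inet_ntoa(pkt[16:20]), UDP_PROTO, 28 + len(esp)) + udp + esp


def pat_translate(pkt, public_ip, new_port):
    """Step 2 (PAT device): rewrite the source address and UDP source port.
    Plain ESP carries no port field, so PAT has nothing to translate on and drops it."""
    if pkt[9] != UDP_PROTO:
        raise ValueError("cannot PAT protocol %d: no port field" % pkt[9])
    ip = ip_hdr(public_ip, inet_ntoa(pkt[16:20]), UDP_PROTO, len(pkt))
    return ip + struct.pack("!H", new_port) + pkt[22:]


def pat_accepts(pkt):
    try:
        pat_translate(pkt, "0.0.0.0", 1)
        return True
    except ValueError:
        return False


def decapsulate(pkt):
    """Step 3 (head end): strip the UDP header and classify the payload by the non-ESP marker."""
    if pkt[9] != UDP_PROTO or struct.unpack("!H", pkt[22:24])[0] != NAT_T_PORT:
        raise ValueError("not a NAT-T datagram")
    body = pkt[28:]
    if body[:4] == NON_ESP_MARKER:
        return "ike", body[4:]
    spi, seq = struct.unpack("!II", body[:8])
    return "esp", {"spi": spi, "seq": seq, "data": body[8:]}


def source_endpoint(pkt):
    """(address, UDP source port) the head end sees and must send return traffic to."""
    return inet_ntoa(pkt[12:16]), struct.unpack("!H", pkt[20:22])[0]
```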
NAT-T: Limitations
• May be troublesome in networks that do not allow UDP traffic
• Does not fix all IPSec/NAT incompatibilities. For example:
– Incompatibility between IKE IP address and NAT
– Incompatibilities between embedded IP addresses and NAT
• Small performance impact due to adding a UDP header to each IPSec packet
NAT-T: New Commands
New commands: setting for a VPN head end
pix(config)# isakmp nat-traversal [natkeepalive]
• Will appear in the configuration if isakmp is enabled and NAT traversal is enabled
• Valid values for the keepalive: 10 to 3600 seconds
• Default: 20 seconds
pix(config)# no isakmp nat-traversal
• Turns off NAT traversal
Password Recovery
PIX Firewall Floppy Password Recovery
• Works on any older PIX with a floppy drive
• Download the following files from Cisco
Connection Online:
– npXXX.bin, where XXX is the PIX Firewall image
version number
– rawrite.exe
• Use rawrite to create a floppy using npXXX.bin.
• Boot the PIX Firewall from the floppy diskette.
• Follow the directions displayed.
Password Recovery for the PIX Firewall 501, 506,
515, 525, and 535
• Download the following file from Cisco Connection
Online: npXXX.bin, where XXX is the PIX Firewall
image version number.
• Put the file on a TFTP server.
• Reboot the system and break the boot process
when prompted to go into monitor mode.
• Set the interface, IP address, gateway, server, and
file to tftp the previously downloaded image.
• Follow the directions displayed.
Example Output
monitor> interface 0
0: i8255X @ PCI(bus:0 dev:13 irq:10)
1: i8255X @ PCI(bus:0 dev:14 irq:7 )
Using 0: i82559 @ PCI(bus:0 dev:13 irq:10), MAC: 0050.54ff.82b9
monitor> address 10.21.1.99
address 10.21.1.99
monitor> server 172.18.125.3
server 172.18.125.3
monitor> file np52.bin
file np52.bin
monitor> gateway 10.21.1.1
gateway 10.21.1.1
monitor> ping 172.18.125.3
Sending 5, 100-byte 0xf8d3 ICMP Echoes to 172.18.125.3, timeout is 4 seconds: !!!!!
Success rate is 100 percent (5/5)
monitor> tftp
tftp np52.bin@172.18.125.3 via 10.21.1.1 ...................................
Received 73728 bytes
Cisco Secure PIX Firewall password tool (3.0) #0: Tue Aug 22 23:22:19 PDT 2000
Flash=i28F640J5 @ 0x300
BIOS Flash=AT29C257 @ 0xd8000
Do you wish to erase the passwords? [yn] y
Passwords have been erased. Rebooting....
Image Upgrade
Image Upgrade for PIX Firewall Models 501, 506, 515,
525, and 535
There are eight steps to upgrade the PIX Firewall image from
ROMMON mode:
• Interrupt the boot process to enter monitor mode.
• Specify the PIX Firewall interface to use for TFTP.
• Specify the PIX Firewall interface’s IP address.
• Specify the default gateway (if needed).
• Verify connectivity to server.
• Specify the server name or address.
• Specify the image filename.
• Start the TFTP process.
copy tftp flash Command
pixfirewall(config)#
copy tftp[:[[//location][/pathname]]] flash[:[image | pdm]]
• Enables you to change software images without accessing the TFTP monitor mode.
pixfirewall(config)# copy tftp://172.26.26.50/pix611.bin flash
• The TFTP server at IP address 172.26.26.50 receives the command and determines the actual file location from its root directory information. The server then downloads the TFTP image to the PIX Firewall.
OSPF (6.3)
OSPF: Reasons for implementation
Offers faster convergence (seconds rather
than minutes) than RIP
Offers greater flexibility and features
OSPF (Continued)
Supported features
– Support for intra-area, inter-area and external (Type I and Type II) routes.
– Support for configuring virtual links.
– OSPF LSA flooding
– Authentication for OSPF packets (both clear text and MD5 authentication)
– Support for configuring the PIX as a DR and ABR. The ability to configure the PIX as an ASBR is limited to default-information only.
– Support for stub areas and NSSA.
– ABR type 3 LSA filtering
– Route redistribution between OSPF processes
– ECMP (Equal Cost Multi-Path) support
Mini Q&A for PIX OSPF
Q. How can I configure interface-related OSPF commands in the PIX?
A. Through the new “routing interface ” command.
Q. Can the PIX get 2 default gateways on one interface using OSPF?
A. Yes, using ECMP.
Q. Can I configure 2 outside interfaces for ECMP?
A. No, the PIX still restricts you to one outside interface.
Q. Can I run RIP and OSPF at the same time?
A. Running both OSPF and RIP concurrently on the same PIX Firewall is unsupported.
Q. Does failover work with OSPF?
A. When failover occurs, the newly activated PIX has to restart the OSPF process.
Managing/Monitoring OSPF
• show ospf
• show ospf interface
• show ospf neighbor
• show ospf database
PDM 3.0 Overview
What Is PDM?
• PDM is a browser-based configuration tool designed to help configure and monitor your PIX Firewall.
Figure: the administrator's browser reaches the PIX Firewall across the Internet through an SSL secure tunnel.
PDM Features
• Works with PIX Firewall software versions 6.0 and higher.
• Can operate on PIX Firewall models 506, 515, 525, and
535.
• Implemented in Java to provide robust, real-time
monitoring.
• Runs on a variety of platforms.
• Does not require a plug-in software installation.
• Comes preloaded into Flash memory on new
PIX Firewalls running versions 6.0 and higher.
• For upgrading from a previous version of PIX Firewall, it
can be downloaded from Cisco and then copied to the
PIX Firewall via TFTP.
• Works with SSL to ensure secure communication with the
PIX Firewall.
PDM’s PIX Firewall Requirements
A PIX Firewall must meet the following
requirements to run PDM:
• You must have version 6.0 installed on the PIX Firewall
before using PDM. If you are using a new (version 6.0)
PIX Firewall, you have all the requirements.
• You must have an activation key that enables DES or the
more secure 3DES, which PDM requires for support of the
SSL protocol.
• You must have at least 8 MB of Flash memory on the
PIX Firewall.
• Ensure that your configuration is less than 100 KB
(approximately 1500 lines). Configurations over 100 KB
cause PDM performance degradation.
Cisco PIX Device Manager v3.0
Administrator Systems Supported
Table: administrator platforms and browsers supported by PDM 3.0, with support marked per native JVM and per Java Plug-in 1.3.1, 1.4.0 and 1.4.1:
• Microsoft Windows 98, ME, NT 4.0 (SP 4+), 2000 (SP 3) and XP: Internet Explorer 5.5 and 6.0; Netscape Navigator 4.7.x; Netscape Navigator 7.0
• Sun Solaris 2.8 and 2.9 (using CDE Window Manager): Netscape Navigator 4.7.8
• Red Hat Linux 7.0, 7.1, 7.2 and 7.3 (using GNOME or KDE): Netscape Navigator 4.7.x
• Red Hat Linux 8.0 (using GNOME or KDE): Mozilla 1.0.1
Configure the PIX Firewall to Use PDM
• Before you can use or install PDM, you need to enter the
following information on the PIX Firewall via a console
terminal:
– Password
– Time
– Inside IP address
– Inside network mask
– Hostname
– Domain name
– IP address of host running the PDM
• You must also enable the HTTP server on the PIX Firewall
Setup Dialog
• Pre-configure PIX Firewall now through interactive
prompts [yes]?
• Enable Password []: ciscopix
• Clock (UTC):
• Year [2002]:
• Month [Aug]:
• Day [27]: 28
• Time [22:47:37]: 14:22:00
• Inside IP address: 10.0.P.1
• Inside network mask: 255.255.255.0
• Host name: pixP
• Domain name: cisco.com
• IP address of host running PIX Device Manager:
10.0.P.11
• Use this configuration and write to flash? Y
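The setup dialog above writes the same commands you could type by hand. The following configuration is an added example, not part of the original slides: it shows the CLI equivalent of the dialog together with the management-access settings a practitioner should add before the first PDM session, because "http server enable" on its own is only half the job. Pod number P = 1 is assumed (inside interface 10.0.1.1/24, PDM host 10.0.1.11); the usernames and passwords are placeholders; lines beginning with ":" are comments, which the PIX configuration parser ignores.

```cisco
: Added example, not from the original slides. Assumes pod P = 1 and a second
: management host 10.0.1.11 running PDM; usernames/passwords are placeholders.
hostname pix1
domain-name cisco.com
enable password ciscopix
clock set 14:22:00 Aug 28 2002
ip address inside 10.0.1.1 255.255.255.0

: PDM needs the HTTPS server on, but only the named PDM host may reach it.
: "http 0.0.0.0 0.0.0.0 inside" would open PDM to every inside host; avoid it.
http server enable
http 10.0.1.11 255.255.255.255 inside

: Authenticate PDM logins against the local user database rather than the
: shared enable password, and give the day-to-day operator a lower level.
username admin password s3cret-adm1n privilege 15
username oncall password s3cret-0ncall privilege 3
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL

: SSH from the same management host only (RSA key is required for SSH);
: leave telnet unconfigured so no "telnet" lines exist at all.
ca generate rsa key 1024
ca save all
ssh 10.0.1.11 255.255.255.255 inside
ssh timeout 10

write memory
```

The "http" and "ssh" host entries are the access control for the management plane: without them any host on the inside network could reach the PDM login page and try the enable password. Check the result with "show http", "show ssh" and "show aaa" before handing the firewall over.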
Using PDM to Configure
the PIX Firewall
Cisco PIX Device Manager v3.0
Overview
Intuitive, web-based interface for
securely managing a single remote
Cisco PIX Security Appliance
Powerful Java interface provides
rich user experience for configuration
and real-time health monitoring
Supports all new features found
in Cisco PIX Security Appliance
software (PIX OS) v6.3, including:
• Virtual interface support (802.1q VLANs)
• OSPF dynamic routing
• Enhanced ACL editing
• Comments in ACLs
• Syslog per ACL entry
• AES, DH Group 5 VPN support
• H.323 v3/4 and MGCP support
• Improved performance via applet caching and decreased image size
Available on all Cisco PIX Security Appliance models including:
• 501, 506E, 515E, 525, 535 and other supported models
New “Dashboard” Home Page Provides
Complete System Status in a Single View
The dashboard shows, in one view:
• A new toolbar giving easy access to primary functions
• System information, including software versions installed, device type and licensed features
• Detailed information for each physical/virtual interface, including IP address, link status and current throughput
• Current number of active VPN tunnels
• Current/historical trending data for CPU and memory utilization
• Historical trending data for connections and traffic going in/out the "outside" interface
• Status message
• Current time at the remote Cisco PIX Security Appliance
• Current administrator logged in and their access level (0 – 15)
• Status of the connection to the remote Cisco PIX Security Appliance
Startup Wizard Simplifies Installation of
Cisco PIX Security Appliances
Easy-to-use, web-based
wizard enables users to get
up and running quickly
Users enter the minimal
amount of information
needed (with rest of policy
downloaded from an
Auto Update Server)
• Static IP / DHCP / PPPoE
• Easy VPN Remote
(hardware VPN client)
• Auto Update info
Supports configuration of
additional options on high
end platforms (PIX 515 - 535)
• Interface configuration
• NAT / PAT configuration
Cisco PIX Device Manager v3.0 Simplifies
Access Control and NAT Policy Definition
Easy-to-use interface for access
control, NAT, AAA and content
filtering policy definition
Supports logging on a per Access
Control List (ACL) entry basis
Network object groups enable
policies to be easily applied to a
group of network devices
Includes over 100 pre-defined
applications and protocols that can
be leveraged for simplified access
control policy definition
Service object groups simplify
creation and maintenance of
consistent “cookie cutter” policies
for a set of associated services
Supports associating a comment
with each ACL entry for improved
long-term ACL maintenance
VPN Wizard Simplifies Setting Up
Secure Network Connectivity
Easy-to-use wizard
provides effortless
configuration of
both site-to-site and
remote access VPNs
Site-to-Site VPN
• Shared secret and
certificate support
Remote Access VPN
• Full Easy VPN Server
support with dynamic
policy push to Cisco
hardware and software
VPN clients
• Microsoft L2TP/IPsec
& PPTP client support
Cisco PIX Device Manager v3.0 Provides
Extensive VPN Support
Flexible interface gives complete
control over site-to-site VPNs,
including IKE and IPsec policies
• Authentication policy (shared
secret or X.509 certificate)
• Encryption policy (DES, 3DES, AES)
• Tunnel lifetimes, keepalive intervals
and NAT traversal policies
Provides comprehensive remote
access VPN support for Cisco
hardware and software VPN clients,
as well as L2TP/IPsec and PPTP clients
• User authentication policies
• Primary / backup Easy VPN Servers
• DHCP address pools, NAT traversal,
split DNS and split tunneling policies
• And much more
Configure the Easy VPN Remote
(hardware VPN client) feature on
select PIX models
Cisco PIX Device Manager v3.0 Delivers
Rich OSPF Configuration Capabilities
Easy-to-use interface for managing
all aspects of OSPF dynamic routing:
• Process, area and route setup
• Route redistribution
• Route filtering
Edit OSPF area types (Normal, Stub,
NSSA) and area authentication policies
Supports tuning advanced OSPF
parameters including route distances,
timers and default information
Provides in-depth configuration options
for route redistribution, route filtering,
route metrics and much more
Cisco PIX Device Manager v3.0 Provides
Robust Platform Management Features
Easy-to-use interface for managing
all aspects of connectivity:
• Physical / virtual (802.1q) interfaces
• Stateful failover (std / long distance)
• RIP, OSPF and static routing
• DHCP Client, Server and Relay
• PPPoE Client
Establish policies for wide-range of
remote management methods:
• Administrator authentication policies
• PDM, SSH, telnet, etc. access policies
• Create/maintain local user accounts
Define up to 16 different levels of
customizable administrator access
Tune syslog output using variety of
methods including enabling, disabling
and changing level of specific syslog
messages, in addition to configuring
syslogs on a per ACL entry basis
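The three management features on this slide (privilege levels, per-message syslog tuning and per-ACL-entry syslog) and the ACL comments and per-entry logging described on the access-control slide above are all PIX OS 6.3 CLI features that PDM 3.0 drives. The configuration below is an added example, not from the original slides, showing the underlying commands. The interface names outside/inside, the DMZ web server 172.16.0.10 and the syslog collector 10.0.1.12 are invented for illustration, and the operator account is a placeholder; lines beginning with ":" are comments.

```cisco
: Added example, not from the original slides. Addresses and account names are
: invented for illustration.

: 1. Privilege levels (0-15): a level-3 operator may inspect ACLs, connections,
:    translations and logging state but cannot change configuration.
privilege show level 3 command access-list
privilege show level 3 command conn
privilege show level 3 command xlate
privilege show level 3 command logging
username oncall password s3cret-0ncall privilege 3
aaa authentication enable console LOCAL
aaa authorization command LOCAL

: 2. Syslog tuning: send warnings and above to the collector, demote the noisy
:    per-packet interface-deny message 106023 to debugging so it stays out of
:    the trap stream, and switch off the TCP-connection-built message 302013.
logging on
logging timestamp
logging trap warnings
logging host inside 10.0.1.12
logging message 106023 level debugging
no logging message 302013

: 3. Per-ACL-entry logging with a comment: matches on the web-server entry are
:    reported as message 106100 at level 5, summarised every 600 seconds, so the
:    collector sees hit counts instead of one line per packet.
object-group network dmz_web
  network-object host 172.16.0.10
access-list acl_out remark Public web server, logged for trend reporting
access-list acl_out permit tcp any object-group dmz_web eq www log 5 interval 600
access-list acl_out remark Everything else inbound is dropped (message 106023)
access-list acl_out deny ip any any
access-group acl_out in interface outside
```

Verify with "show privilege all", "show logging" and "show access-list acl_out"; the last one also shows the per-entry hit counters, which is the quickest way to confirm that the logged entry is the one actually matching the traffic.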
Cisco PIX Device Manager v3.0 Provides
Comprehensive Device Health Monitoring
Provides real-time status of:
• Event log (syslog)
• Administrative connections to PIX
via PDM/HTTPS, SSH and telnet
• Authenticated users
• DHCP client lease information
• PPPoE connection information
• User licenses in use (on PIX 501)
Provides real-time visibility into
site-to-site VPN connections and
the variety of remote access VPN
methods supported (Cisco Easy VPN,
L2TP/IPsec and PPTP)
Provides wealth of real-time /
historical graphs and exportable
data tables for the following:
• Memory and CPU utilization
• Connections/xlates
• IPsec, L2TP, PPTP VPN tunnels
• Attacks detected by type/protocol
• Byte/packet counts per interface
Also supports creating bookmarks to your favorite, commonly used real-time graphs.
Part of the Wide Range of Management
Solutions for Cisco PIX Security Appliances
Integrated Remote Management Capabilities Within PIX
• Configuration: Auto Update, SSH, telnet, XML/HTTPS and PDM
• Monitoring: Syslog, SNMP, HTTPS and PDM
• Software updates: Auto Update, HTTP, HTTPS and TFTP
VPN/Security Management Solution (VMS)
• Scalable firewall, VPN, IDS, NAT and syslog management solution
for Enterprise network environments
• Supports device grouping for simplified policy maintenance
• Provides role-based admin access and workflow capabilities
• Auto Update Server provides scalable configuration and software
management of dynamically addressed PIX appliances
• Available on Windows NT/2000 (Solaris versions coming soon)
IP Solutions Center (ISC)
• Highly scalable cross-platform firewall, VPN, IDS and NAT
management solution for Large Enterprise and SP environments
• Four-tier architecture provides highly scalable solution via
distributed interface, process and collection services
• Open XML/HTTPS interface for integration with other solutions
• Available on Solaris
Lab Instructions
- Log on to www.labgear.net
- Use your username/password
- Follow the instructions; please make sure all devices are at factory default. If not, do a 'write erase' followed by a 'reload' to return them to factory default.
Lab Topology
If your device won't let you in, see "Clearing the console line" below.
Clearing the console line
If your console is giving you an error and you cannot log back on, it is most likely because the console line is still held by a previous session. Go to 'Device Management' at the top left and press 'Clear Console Line' as indicated below.
Posted: 23/10/2015, 18:12