Cisco PIX Firewall John Joo APAC Channels Technical Operations © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced PIX Technical Development Program Agenda • Product Review • Six Primary Commands • VLAN Support • Syslog Configuration • Access Control Lists • Java and Active X filtering • URL Filtering • Fixup Protocols © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced PIX Technical Development Program Agenda • Attack Guards • IDS • Failover • VPNs • System Maintenance • OSPF • PDM 3.0 • Lab Instructions © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced PIX Firewall—Review Stateful firewall with high security and fast performance • Secure, real-time, embedded operating system— no UNIX or NT security holes • Adaptive security algorithm provides stateful security • Cut-through proxy for Authentication eliminates application-layer bottlenecks • Easy management through CLI or PDM GUI © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced PIX Firewall Family Lineup Price PIX 535 Catalyst 6500 Firewall Services Module PIX 525 PIX 515E PIX 506E Gigabit Ethernet PIX 501 SOHO ROBO SMB Enterprise Enterprise/SP Functionality © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced PIX Firewall Product Line Overview GigE Enabled Model 501 506E 515E-UR 525-UR 535-UR Market SOHO ROBO SMB Enterprise Ent.+, SP MSRP $595 or $845 $1,395 $7,495 $13,995 $37,995 Licensed Users 10, 50 or Unlimited Unlimited Unlimited Unlimited Unlimited Max VPN Peers 10 25 2,000 2,000 2,000 Size (RU) nslookup Default server: server1.domain.com Address: 172.16.0.4 ls domain.com © 2002, Cisco Systems, Inc. All rights reserved. 3 The PIX Firewall drops the connection and logs an IDS message to 10.0.0.3. PIX Advanced Configure IDS pixfirewall(config)# ip audit name audit_name info [action [alarm] [drop] [reset]] • Create a policy for informational signatures. pixfirewall(config)# ip audit name audit_name attack [action [alarm] [drop] [reset]] • Create a policy for attack signatures. pixfirewall(config)# ip audit interface if_name audit_name • Apply a policy to an interface. pixfirewall(config)# ip audit name ATTACKPOLICY attack action alarm reset pixfirewall(config)# ip audit interface outside ATTACKPOLICY • When the PIX Firewall detects an attack signature on its outside interface, it reports an event to all configured Syslog servers, drops the offending packet, and closes the connection if it is part of an active connection. © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced Specify Default Actions for Signatures pixfirewall(config)# ip audit attack [action [alarm] [drop] [reset]] • Specifies the default actions for attack signatures. pixfirewall(config)# ip audit info [action [alarm] [drop] [reset]] • Specifies the default actions for informational signatures. pixfirewall(config)# ip audit info action alarm drop • When the PIX Firewall detects an info signature, it reports an event to all configured Syslog servers and drops the offending packet. © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced Disable Intrusion Detection Signatures pixfirewall(config)# ip audit signature signature_number disable • Excludes a signature from auditing pixfirewall(config)# ip audit signature 6102 disable • Disables signature 6102 © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced NDSB Example © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced Understanding Failover © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced Failover Primary PIX Firewall Internet failover cable The primary and secondary units must: • be the same model number. • have identical software versions and activation key types. • have the same amount of Flash memory and RAM. © 2002, Cisco Systems, Inc. All rights reserved. Secondary PIX Firewall PIX Advanced IP Address for Failover on PIX Firewalls Primary PIX Firewall Internet (active/standby) (system IP/failover IP) 10.0.0.0 /24 192.168.0.0 /24 .1 e0 .2 e1 .1 e0 .7 e1 .7 .3 Secondary PIX Firewall (standby/active) (failover IP/system IP) © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced Configuration Replication Configuration replication occurs: • When the standby firewall completes its initial bootup. • As commands are entered on the active firewall. • By entering the write standby command. © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced Configuring Failover http://www.cisco.com/warp/customer/110/failover.html#lan © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced Failover and Stateful Failover • Failover – Connections are dropped. – Client applications must reconnect. – Provides redundancy . • Stateful failover – TCP Connections remain active. – No client applications need to reconnect. – Provides redundancy and stateful connection. © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced Failover Interface Test-In order • Link Up/Down test—Test the NIC card itself. • Network Activity test—Received network activity test. • ARP test—Reading the PIX Firewall’s ARP cache for the 10 most recently acquired entries. • Broadcast Ping test—Sending out a broadcast ping request. © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced failover Commands pixfirewall(config)# failover • The failover command enables failover between the active and standby PIX Firewalls. pixfirewall(config)# failover ip address if_name ip_address • The failover ip address command creates an IP address for the standby PIX Firewall. pixfirewall# failover ip address inside 10.0.0.4 pixfirewall(config)# failover link [stateful_if_name] • The failover link command enables stateful failover. pixfirewall(config)# failover [active] • The failover active command makes a PIX Firewall the primary firewall. © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced failover poll Command pixfirewall(config)# failover poll seconds •Specifies how long failover waits before sending special failover “hello” packets between the primary and standby units over all network interfaces and the failover cable. pixfirewall(config)# failover poll 10 •Failover waits ten seconds before sending special failover "hello“ packets. •Failover will wait until 2 times the poll interval. Default is 15 seconds © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced LAN Based Failover Active Mode Inside Network Stateful Failover LAN interface Outside Network Dedicated switch or Hub • Same hot standby failover model Standby Mode • Can now operate over a dedicated LAN interface, overcomes distance limitation of serial cable • Dedicated switch or hub for detection of LAN interface failure instead of crossconnect cable • Message encryption and authentication using manual pre-shared key • Same LAN interface may be used for stateful failover feature on lightly loaded system • PIX Firewall requires that unused interfaces be connected to the standby unit and that each unused interface be assigned an IP address. Even if an interface is administratively shut down, the PIX Firewall will try to send the failover check up messages to all internal interfaces. © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced Long Distance (LAN) Based Failover New subcommand (6.2) •pix(config)# failover lan ? •Usage: [no] failover [active] • failover ip address • failover mac address • failover reset • failover link • failover poll • failover replication http • failover lan unit primary|secondary | • interface | • key | • enable • show failover [lan [detail]] •pix(config)# © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced Basic Lan-Based Failover Config for Primary Basic Commands pixfirewall(config)# hostname PIX !--- Naming the PIX is optional PIX(config)# nameif ethernet2 fo security20 !--- Naming the interface is optional. It is recommended that you --- Hardcode the speed/duplex. PIX(config)# interface ethernet2 100full !--- Bring up the interface PIX(config)# ip address fo 192.168.1.1 255.255.255.0 !--- Assign an IP address Failover Commands PIX(config)# failover ip address fo 192.168.1.2 !--- IP address for failover link PIX(config)# failover lan unit primary !--- This unit will be primary PIX(config)# failover lan interface fo !--- fo interface will be used for LAN failover PIX(config)# failover lan key cisco !--- Pre-shared key PIX(config)# failover lan enable !--- Enabling failover PIX(config)# failover active !--- This unit will be active unit © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced Basic Lan Failover Config-Standby Basic Commands pixfirewall(config)# hostname PIX PIX(config)# nameif ethernet2 fo security20 !--- It is recommended that you hardcode the speed/duplex PIX(config)# interface ethernet2 100full PIX(config)# ip address fo 192.168.1.1 255.255.255.0 Failover Commands PIX(config)# failover ip address fo 192.168.1.2 PIX(config)# failover lan unit secondary !--- This unit will be secondary PIX(config)# failover lan interface fo PIX(config)# failover lan key cisco PIX(config)# failover lan enable PIX(config)# failover !--- This unit will be secondary because the "active" keyword is not used © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced show failover Command Before failover pixfirewall(config)# show failover Failover On Cable status: Normal Reconnect timeout 0:00:00 This host: Primary - Active Active time: 360 (sec) Interface dmz (172.16.0.1): Normal Interface outside (192.168.0.2): Normal Interface inside (10.0.0.1): Normal Other host: Secondary - Standby Active time: 0 (sec) Interface dmz (172.16.0.4): Normal Interface outside (192.168.0.4): Normal Interface inside (10.0.0.4): Normal Stateful Failover Logical Update Statistics Link : dmz © 2002, Cisco Systems, Inc. All rights reserved. After failover pixfirewall(config)# show failover Failover On Cable status: Normal Reconnect timeout 0:00:00 This host: Primary - Standby Active time: 0 (sec) Interface dmz (172.16.0.4): Normal Interface outside (192.168.0.4): Normal Interface inside (10.0.0.4): Normal Other host: Secondary - Active Active time: 150 (sec) Interface dmz (172.16.0.1): Normal Interface outside (192.168.0.2): Normal Interface inside (10.0.0.1): Normal Stateful Failover Logical Update Statistics Link : dmz PIX Advanced Useful URLs for Failover -http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/config/failover.htm -http://www.cisco.com/warp/public/110/failover.html -http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/install/failover.htm -http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/failover.htm © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced The PIX Firewall Enables a Secure VPN © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced PIX Firewall VPN Topologies Internet PIX Firewall to PIX Firewall VPN gateway Internet PIX Firewall to router VPN gateway VPN Client to PIX Firewall VPN via dialup VPN Client to PIX Firewall VPN via network Internet Other vendors to PIX Firewall VPN © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced What Is IPSec? Internet IPSec • IETF standard that enables encrypted communication between peers – Consists of open standards for securing private communications – Network layer encryption ensuring data confidentiality, integrity, and authentication – Scales from small to very large networks – Included in PIX Firewall version 5.0 and later © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced ISAKMP-Internet Security Association and Key Management Protocol RFC 2408: ISAKMP defines procedures and packet formats to establish, negotiate, modify and delete Security Associations. SAs contain all the information required for execution of various network security services, such as the IP layer services (such as header authentication and payload encapsulation), transport or application layer services, or self-protection of negotiation traffic. ISAKMP defines payloads for exchanging key generation and authentication data. These formats provide a consistent framework for transferring key and authentication data which is independent of the key generation technique, encryption algorithm and authentication mechanism. ISAKMP is distinct from key exchange protocols in order to cleanly separate the details of security association management (and key management) from the details of key exchange. There may be many different key exchange protocols, each with different security properties. However, a common framework is required for agreeing to the format of SA attributes, and for negotiating, modifying, and deleting SAs. ISAKMP serves as this common framework. © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced IPSec Standards Supported by Cisco IOS and PIX Firewall • IPSec (IP Security Protocol) – Authentication Header (AH) – Encapsulating Security Payload (ESP) • DES • Triple DES (3DES) © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced IPSec Standards Supported by Cisco IOS and PIX Firewall (cont.) • Diffie-Hellman • Establish shared key over insecure medium • Group 1 = 768 bit • Group 2 = 1024 bit • Message Digest 5 (MD5) • 128 bit digest • Secure Hash Algorithm (SHA) • 160 bit digest • RSA Signatures • Inventors: Rivest, Shamir, and Adleman • Internet Key Exchange (IKE) • Establishes shared security policy and authenticated keys • Certificate Authorities • Third party entity that issues and revokes certificates © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced Authentication Header Router A Router B All data in clear text • Ensures data integrity • Provides origin authentication • Ensures packets definitely came from peer router • Does NOT provide confidentiality (no encryption) • Uses a keyed-hash mechanism • Provides replay protection © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced AH Authentication and Integrity IP header + Data IP header + Data Hash Hash Authentication data (00ABCDEF) Authentication data (00ABCDEF) IP HDR Router A © 2002, Cisco Systems, Inc. All rights reserved. AH Data Router B PIX Advanced AH Tunnel vs. Transport Mode IP HDR Data Transport mode IP HDR AH Data Authenticated except for mutable fields Tunnel mode New IP HDR AH IP HDR Data Authenticated except for mutable fields in new IP Header © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced Encapsulating Security Payload Router B Router A Data payload is encrypted • Data confidentiality (encryption) • Limited traffic flow confidentiality • Data integrity • Optional data origin authentication • Anti-replay protection • Does not protect IP header © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced ESP Tunnel vs. Transport Mode IP HDR Data Transport mode IP HDR ESP HDR Data ESP ESP Trailer Auth Encrypted Authenticated Tunnel mode New IP HDR ESP HDR IP HDR Data ESP ESP Trailer Auth Encrypted Authenticated © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced IPsec Security Options? (Reccomended) How much encryption do you need? •DES (56b), 3DES (168b) or AES (128, 192, 256) –DES Challenge III (1/18/99)—22h, 15m, $50K USD How much packet integrity do you need? •MD5 (128b) or SHA (160b) How much random initialization do you need? •Diffie-Hellman Group 1,2,5 –The strength of the exponentiation used to seed the initial authentication and encryption •Perfect Forward Secrecy (PFS) Group 1,2,5 –Forces new DH exponentiation during every phase two rekey © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced Configure IKE Parameters © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced Step 1—Enable or Disable IKE pixfirewall(config)# isakmp enable interface-name • Enables or disables IKE on the PIX Firewall interfaces • IKE is enabled by default • Disable IKE on interfaces not used for IPSec © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced Step 2—Configure an IKE Phase One Policy Internet Key Exchange (IKE) negotiates the IPSec security associations. This process requires that the IPSec systems first authenticate themselves to each other and establish ISAKMP shared keys. In phase 1, IKE creates an authenticated, secure channel between the two ISAKMP peers which is called the ISAKMP Security Association. pixfirewall(config)# isakmp policy encryption des|3des pixfirewall(config)# isakmp policy md5|sha pixfirewall(config)# isakmp policy authentication pre-share|rsa-sig pixfirewall(config)# isakmp policy pixfirewall(config)# isakmp policy seconds priority priority hash priority priority group 1|2 priority lifetime • Creates a policy suite grouped by priority number • Creates policy suites that match peers • Can use default values © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced Step 3—Configure the IKE Pre-shared Key pixfirewall(config)# isakmp key keystring address peer-address [netmask] • Pre-shared keystring must be identical at both peers • Use any combination of alphanumeric characters up to 128 bytes for keystring • Specify peer-address as a host or wildcard address • Easy to configure, yet is not scalable © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced Step 4—Verify IKE Phase One Policies pixfirewall# show isakmp policy Protection suite of priority 10 encryption algorithm: hash algorithm: authentication method: Diffie-Hellman group: lifetime: Default protection suite encryption algorithm: hash algorithm: authentication method: Diffie-Hellman group: lifetime: DES - Data Encryption Standard (56 bit keys). Secure Hash Standard Pre-Shared Key #1 (768 bit) 86400 seconds, no volume limit DES - Data Encryption Standard (56 bit keys). Secure Hash Standard Rivest-Shamir-Adleman Signature #1 (768 bit) 86400 seconds, no volume limit • Displays configured and default IKE protection suites © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced Configure IPSec Parameters © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced Step 1—Configure Interesting Traffic pixfirewall(config)# access-list access-list-name {deny | permit} ip source source-netmask destination destination-netmask • permit = encrypt • deny = do not encrypt • access-list selects IP traffic by address, network, or subnet © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced Example Crypto ACLs Site 1 10.0.1.3 PIX2 PIX1 Site 2 Internet e0 192.168.1.2 e0 192.168.2.2 10.0.2.3 PIX1 pix1(config)# show static static (inside,outside) 192.168.1.10 10.0.1.3 netmask 255.255.255.255 0 0 pix1(config)# show access-list access-list 110 permit ip host 192.168.1.10 host 192.168.2.10 PIX2 pix2(config)# show static static (inside,outside) 192.168.2.10 10.0.2.3 netmask 255.255.255.255 0 0 pix2(config)# show access-list access-list 101 permit ip host 192.168.2.10 host 192.168.1.10 • Lists are symmetrical © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced Step 2—Configure an IPSec Transform Set In phase 2, IKE negotiates the security associations, and generates the required key material for IPSec. pixfirewall(config)# crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]] • Sets are limited to up to one AH and up to two ESP transforms • Default mode is tunnel • Configure matching sets between IPSec peers © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced Available IPSec Transforms ah-md5-hmac ah-sha-hmac esp-des esp-3des esp-md5-hmac esp-sha-hmac © 2002, Cisco Systems, Inc. All rights reserved. AH-HMAC-MD5 transform AH-HMAC-SHA transform ESP transform using DES cipher (56 bits) ESP transform using 3DES cipher(168 bits) ESP transform using HMAC-MD5 auth ESP transform using HMAC-SHA auth PIX Advanced Step 3—Configure the Crypto Map Pixfirewall(config)#crypto ipsec transform-set TRANSFORM1 espdes esp-sha-hmac pixfirewall(config)# crypto map map-name seq-num ipsec-isakmp pixfirewall(config)# crypto map map-name seq-num match address access-list-name pixfirewall(config)# crypto map map-name seq-num set peer hostname | ip-address pixfirewall(config)# crypto map map-name seq-num set transformset transform-set-name1 [transform-set-name2, transform-setname9] pixfirewall(config)# crypto map map-name seq-num set pfs [group1 | group2] pixfirewall(config)# crypto map map-name seq-num set securityassociation lifetime seconds seconds | kilobytes kilobytes • Specifies IPSec (IKE phase two) parameters • Map names and sequence numbers group entries into a policy • Perfect Forward Secrecy re-calculates DH Public/Private Keys on Refresh and will consume more resources on pix. © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced Step 4—Apply the Crypto Map to an Interface pixfirewall(config)# crypto map map-name interface interface-name • Applies the crypto map to an interface • Activates IPSec policy © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced Example Crypto Map for PIX1 PIX1 Site 1 10.0.1.3 PIX2 Site 2 Internet e0 192.168.1.2 e0 192.168.2.2 10.0.2.3 pix1(config)# show crypto map Crypto Map "peer2" 10 ipsec-isakmp Peer = 192.168.2.2 access-list 101 permit ip host 192.168.1.3 host 192.168.2.3 (hitcnt=0) Current peer: 192.168.2.2 Security association lifetime: 4608000 kilobytes/28800 seconds PFS (Y/N): N Transform sets={ pix2, } © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced Example Crypto Map for PIX2 PIX1 Site 1 10.0.1.3 PIX2 Site 2 Internet e0 192.168.1.2 e0 192.168.2.2 10.0.2.3 pix2(config)# show crypto map Crypto Map "peer1" 10 ipsec-isakmp Peer = 192.168.1.2 access-list 101 permit ip host 192.168.2.3 host 192.168.1.3 (hitcnt=0) Current peer: 192.168.1.2 Security association lifetime: 4608000 kilobytes/28800 seconds PFS (Y/N): N Transform sets={ pix1, } © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced PIX Advanced Encryption Standard (6.3) © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced PIX Advanced Encryption Standard IETF will mandate AES as required privacy transforms for both IPSec and IKE. The AES algorithm is capable of using cryptographic keys of 128, 192 and 256 bits to encrypt and decrypt data in blocks of 128 bits. © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced PIX Advanced Encryption Standard crypto ipsec transform-set trans-name [ah-md5-hmac|ah-sha-hmac] [esp-aes|esp-aes-192|esp-aes-256|esp-des|esp-3des|esp-null] [esp-md5-hmac|esp-sha-hmac] The following example uses the new AES 192 bit key transform: crypto ipsec transform-set standard esp-aes-192 esp-md5-hmac The isakmp usage the new command syntax: isakmp policy priority encryption aes|aes-192|aes-256|des|3des © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced Test and Verify VPN Configuration © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced Test and Verify VPN Configuration • Verify ACLs and interesting traffic show access-list • Verify correct IKE configuration show isakmp show isakmp policy • Verify correct IPSec configuration show crypto ipsec transform-set © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced Test and Verify VPN Configuration (cont.) • Verify the correct crypto map configuration show crypto map Verify tunnel state • Show crypto engine connection active • Clear the IPSec SA clear crypto sa • Clear the IKE SA clear isakmp • Debug IKE and IPSec traffic through the PIX Firewall debug crypto ipsec debug crypto isakmp © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced NAT Transparency (6.3) © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced NAT Transparency(NAT-T) Allows tunneling through NAT/PAT devices/firewall Needed because of IPSec incompatibilities with NAT/PAT For example, PIX doing PAT drops IPSec frames because PAT works with port numbers, and IPSec does not use port numbers Can be turned on and off Default: OFF for site to site deployment Default: ON for hardware VPN client IETF UDP-based currently used on VPN 3000 products (UDP 4500 is used) © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced NAT-T: Example 1 VPN Client PAT device Internet 10.0.1.5 Hash Data IP 1 ESP UDP IP UDP header applied between IP encapsulation header and ESP header © 2002, Cisco Systems, Inc. All rights reserved. 205.151.254.10 2 Translation based on new UDP header 3 UDP header, IP encapsulation head, and ESP header stripped PIX Advanced NAT-T: How it works Detects if both ends support NAT-T ƒ Peers exchange Vendor ID (VID) packets Detects intermediate NAT devices along transmission path ƒ Peers exchange NAT discovery (NAT-D) packets If both ends support NAT-T and NAT devices are discovered in path, ESP traffic is encapsulated in UDP datagrams Translations are based on the new UDP header © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced NAT-T: Limitations May be troublesome in networks that do not allow UDP traffic Does not fix all IPSec/NAT incompatibilities. For example, • Incompatibility between IKE IP address and NAT • Incompatibilities between embedded IP addresses and NAT Small performance impact due to adding UDP header to each IPSec packet © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced NAT-T: New Commands New commands: Setting for a VPN head end pix(config)# isakmp nat-traversal [] • Will appear in the configuration if isakmp is enabled and • • • NAT traversal is enabled Valid values for the keepalive: 10 to 3600 seconds Default: 20 seconds pix(config)# no isakmp nat-traversal • Turns off NAT traversal © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced Password Recovery © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced PIX Firewall Floppy Password Recovery • Works on any older PIX with a floppy drive • Download the following files from Cisco Connection Online: – npXXX.bin, where XXX is the PIX Firewall image version number – rawrite.exe • Use rawrite to create a floppy using npXXX.bin. • Boot the PIX Firewall from the floppy diskette. • Follow the directions displayed. © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced Password Recovery for the PIX Firewall 501, 506, 515, 525, and 535 • Download the following file from Cisco Connection Online: npXXX.bin, where XXX is the PIX Firewall image version number. • Put the file on a TFTP server. • Reboot the system and break the boot process when prompted to go into monitor mode. • Set the interface, IP address, gateway, server, and file to tftp the previously downloaded image. • Follow the directions displayed. © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced Example Output monitor> interface 0 0: i8255X @ PCI(bus:0 dev:13 irq:10) 1: i8255X @ PCI(bus:0 dev:14 irq:7 ) Using 0: i82559 @ PCI(bus:0 dev:13 irq:10), MAC: 0050.54ff.82b9 monitor> address 10.21.1.99 address 10.21.1.99 monitor> server 172.18.125.3 server 172.18.125.3 monitor> file np52.bin file np52.bin monitor> gateway 10.21.1.1 gateway 10.21.1.1 monitor> ping 172.18.125.3 Sending 5, 100-byte 0xf8d3 ICMP Echoes to 172.18.125.3, timeout is 4 seconds: !!!!! Success rate is 100 percent (5/5) monitor> tftp tftp np52.bin@172.18.125.3 via 10.21.1.1 ................................... Received 73728 bytes Cisco Secure PIX Firewall password tool (3.0) #0: Tue Aug 22 23:22:19 PDT 2000 Flash=i28F640J5 @ 0x300 BIOS Flash=AT29C257 @ 0xd8000 Do you wish to erase the passwords? [yn] y Passwords have been erased. Rebooting.... © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced Image Upgrade © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced Image Upgrade for PIX Firewall Models 501, 506, 515, 525, and 535 There are eight steps to upgrade the PIX Firewall image from ROMMON mode: • Interrupt the boot process to enter monitor mode. • Specify the PIX Firewall interface to use for TFTP. • Specify the PIX Firewall interface’s IP address. • Specify the default gateway (if needed). • Verify connectivity to server. • Specify the server name or address. • Specify the image filename. • Start the TFTP process. © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced copy tftp flash Command pixfirewall(config)# copy tftp[:[[//location][/pathname]]] flash[:[image | pdm]] • Enables you to change software images without accessing the TFTP monitor mode. pixfirewall(config)# copy tftp://172.26.26.50/pix611.bin flash • The TFTP server at IP address 172.26.26.50 receives the command and determines the actual file location from its root directory information. The server then downloads the TFTP image to the PIX Firewall. © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced OSPF (6.3) © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced OSPF: Reasons for implementation Offers faster convergence (seconds rather than minutes) than RIP Offers greater flexibility and features © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced OSPF (Continued) Supported features – Support of intra-area, inter-area and External (Type I and Type II) routes. – Support for virtual links being configured. – OSPF LSA flooding – Authentication for OSPF packets (both clear text and MD5 authentication) – Support for configuring the PIX as a DR and ABR. The ability to configure the PIX as an ASBR is limited to default-information only. – Supports for Stub areas and NSSA. – ABR type 3 LSA Filtering – Route redistribution between OSPF processes – ECMP (Equal Cost Multiple Pass) support © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced Mini Q&A for PIX OSPF Q. How can I configure interface related ospf commands in the PIX??? A. Introduction of new command “routing interface ” Q. Can the PIX get 2 default gateway on the one interface using OSPF? A. Yes, using ECMP Q. Can I configure 2 outside interface for ECMP? A. No, PIX still restricts one outside interface Q. Can I run RIP and OSPF at same time? A. Running both OSPF and RIP concurrently on the same PIX Firewall is unsupported. Q. Does Failover works with OSPF A. When the failover occurs, newly activated PIX has to restart the OSPF process © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced Managing/Monitoring OSPF •show ospf •show ospf interface •show ospf neighbor •show ospf database © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced PDM 3.0 Overview © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced What Is PDM? • PDM is a browser-based configuration tool designed to help configure and monitor your PIX Firewall. Internet SSL secure tunnel © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced PDM Features • Works with PIX Firewall software versions 6.0 and higher. • Can operate on PIX Firewall models 506, 515, 525, and 535. • Implemented in Java to provide robust, real-time monitoring. • Runs on a variety of platforms. • Does not require a plug-in software installation. • Comes preloaded into Flash memory on new PIX Firewalls running versions 6.0 and higher. • For upgrading from a previous version of PIX Firewall, it can be downloaded from Cisco and then copied to the PIX Firewall via TFTP. • Works with SSL to ensure secure communication with the PIX Firewall. © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced PDM’s PIX Firewall Requirements A PIX Firewall must meet the following requirements to run PDM: • You must have version 6.0 installed on the PIX Firewall before using PDM. If you are using a new (version 6.0) PIX Firewall, you have all the requirements. • You must have an activation key that enables DES or the more secure 3DES, which PDM requires for support of the SSL protocol. • You must have at least 8 MB of Flash memory on the PIX Firewall. • Ensure that your configuration is less than 100 KB (approximately 1500 lines). Configurations over 100 KB cause PDM performance degradation. © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced Cisco PIX Device Manager v3.0 Administrator Systems Supported Native JVM Java Plug-in 1.3.1 1.4.0 1.4.1 Microsoft Windows 98, ME, NT 4.0 (SP 4+), 2000 (SP 3) and XP 9 9 9 9 9 9 9 9 9 Internet Explorer 5.5 and 6.0 9 Netscape Navigator 4.7.x Netscape Navigator 7.0 9 9 Sun Solaris 2.8 and 2.9 (using CDE Window Manager) Netscape Navigator 4.7.8 9 Red Hat Linux 7.0, 7.1, 7.2 and 7.3 (using GNOME or KDE) Netscape Navigator 4.7.x 9 Red Hat Linux 8.0 (using GNOME or KDE) Mozilla 1.0.1 © 2002, Cisco Systems, Inc. All rights reserved. 9 PIX Advanced Configure the PIX Firewall to Use PDM • Before you can use or install PDM, you need to enter the following information on the PIX Firewall via a console terminal: – Password – Time – Inside IP address – Inside network mask – Hostname – Domain name – IP address of host running the PDM • You must also enable the HTTP server on the PIX Firewall © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced Setup Dialog • Pre-configure PIX Firewall now through interactive prompts [yes]? • Enable Password []: ciscopix • Clock (UTC): • Year [2002]: • Month [Aug]: • Day [27]: 28 • Time [22:47:37]: 14:22:00 • Inside IP address: 10.0.P.1 • Inside network mask: 255.255.255.0 • Host name: pixP • Domain name: cisco.com • IP address of host running PIX Device Manager: 10.0.P.11 • Use this configuration and write to flash? Y © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced Using PDM to Configure the PIX Firewall © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced Cisco PIX Device Manager v3.0 Overview Intuitive, web-based interface for securely managing a single remote Cisco PIX Security Appliance Powerful Java interface provides rich user experience for configuration and real-time health monitoring Supports all new features found in Cisco PIX Security Appliance software (PIX OS) v6.3, including: • • • • • • • Virtual interface support (802.1q VLANs) OSPF dynamic routing Enhanced ACL editing Comments in ACLs Syslog per ACL entry AES, DH Group 5 VPN support H.323 v3/4 and MGCP support Improved performance via applet caching and decreased image size © 2002, Cisco Systems, Inc. All rights reserved. Available on all Cisco PIX Security Appliance models including: • 501, 506E, 515E, 525, 535 and other supported models PIX Advanced New “Dashboard” Home Page Provides Complete System Status in a Single View New toolbar gives easy access to primary functions System information including software versions installed, device type and licensed features Detailed info for each physical/virtual interface, including IP address, link status, and current throughput Current number of active VPN tunnels Current/historical trending data for CPU and memory utilization Historical trending data for connections and traffic going in/out the “outside” interface Status message Current time at the remote Cisco PIX Security Appliance Current administrator logged in and their access level (0 – 15) © 2002, Cisco Systems, Inc. All rights reserved. Status of connection to remote Cisco PIX Security Appliance PIX Advanced Startup Wizard Simplifies Installation of Cisco PIX Security Appliances Easy-to-use, web-based wizard enables users to get up and running quickly Users enter the minimal amount of information needed (with rest of policy downloaded from an Auto Update Server) • Static IP / DHCP / PPPoE • Easy VPN Remote (hardware VPN client) • Auto Update info Supports configuration of additional options on high end platforms (PIX 515 - 535) • Interface configuration • NAT / PAT configuration © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced Cisco PIX Device Manager v3.0 Simplifies Access Control and NAT Policy Definition Easy-to-use interface for access control, NAT, AAA and content filtering policy definition Supports logging on a per Access Control List (ACL) entry basis Network object groups enable policies to be easily applied to a group of network devices Includes over 100 pre-defined applications and protocols that can be leveraged for simplified access control policy definition Service object groups simplify creation and maintenance of consistent “cookie cutter” policies for a set of associated services Supports associating a comment with each ACL entry for improved long-term ACL maintenance © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced VPN Wizard Simplifies Setting Up Secure Network Connectivity Easy-to-use wizard provides effortless configuration of both site-to-site and remote access VPNs Site-to-Site VPN • Shared secret and certificate support Remote Access VPN • Full Easy VPN Server support with dynamic policy push to Cisco hardware and software VPN clients • Microsoft L2TP/IPsec & PPTP client support © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced Cisco PIX Device Manager v3.0 Provides Extensive VPN Support Flexible interface gives complete control over site-to-site VPNs, including IKE and IPsec policies • Authentication policy (shared secret or X.509 certificate) • Encryption policy (DES, 3DES, AES) • Tunnel lifetimes, keepalive intervals and NAT traversal policies Provides comprehensive remote access VPN support for Cisco hardware and software VPN clients, as well as L2TP/IPsec and PPTP clients • User authentication policies • Primary / backup Easy VPN Servers • DHCP address pools, NAT traversal, split DNS and split tunneling policies • And much more Configure the Easy VPN Remote (hardware VPN client) feature on select PIX models © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced Cisco PIX Device Manager v3.0 Delivers Rich OSPF Configuration Capabilities Easy-to-use interface for managing all aspects of OSPF dynamic routing: • Process, area and route setup • Route redistribution • Route filtering Edit OSPF area types (Normal, Stub, NSSA) and area authentication policies Supports tuning advanced OSPF parameters including route distances, timers and default information Provides in-depth configuration options for route redistribution, route filtering, route metrics and much more © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced Cisco PIX Device Manager v3.0 Provides Robust Platform Management Features Easy-to-use interface for managing all aspects of connectivity: • Physical / virtual (802.1q) interfaces • Stateful failover (std / long distance) • RIP, OSPF and static routing • DHCP Client, Server and Relay • PPPoE Client Establish policies for wide-range of remote management methods: • Administrator authentication policies • PDM, SSH, telnet, etc. access policies • Create/maintain local user accounts Define up to 16 different levels of customizable administrator access Tune syslog output using variety of methods including enabling, disabling and changing level of specific syslog messages, in addition to configuring syslogs on a per ACL entry basis © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced Cisco PIX Device Manager v3.0 Provides Comprehensive Device Health Monitoring Provides real-time status of: • Event log (syslog) • Administrative connections to PIX via PDM/HTTPS, SSH and telnet • Authenticated users • DHCP client lease information • PPPoE connection information • User licenses in use (on PIX 501) Provides real-time visibility into site-to-site VPN connections and the variety of remote access VPN methods supported (Cisco Easy VPN, L2TP/IPsec and PPTP) Provides wealth of real-time / historical graphs and exportable data tables for the following: • Memory and CPU utilization • Connections/xlates • IPsec, LT2P, PPTP VPN tunnels • Attacks detected by type/protocol • Byte/packet counts per interface © 2002, Cisco Systems, Inc. All rights reserved. Also supports creating bookmarks to your favorite, commonly used real-time graphs! PIX Advanced Part of the Wide Range of Management Solutions for Cisco PIX Security Appliances Integrated Remote Management Capabilities Within PIX • Configuration: Auto Update, SSH, telnet, XML/HTTPS and PDM • Monitoring: Syslog, SNMP, HTTPS and PDM • Software updates: Auto Update, HTTP, HTTPS and TFTP VPN/Security Management Solution (VMS) • Scalable firewall, VPN, IDS, NAT and syslog management solution for Enterprise network environments • Supports device grouping for simplified policy maintenance • Provides role-based admin access and workflow capabilities • Auto Update Server provides scalable configuration and software management of dynamically addressed PIX appliances • Available on Windows NT/2000 (Solaris versions coming soon) IP Solutions Center (ISC) • Highly scalable cross-platform firewall, VPN, IDS and NAT management solution for Large Enterprise and SP environments • Four-tier architecture provides highly scalable solution via distributed interface, process and collection services • Open XML/HTTPS interface for integration with other solutions • Available on © 2002, Cisco Systems, Inc. All rightsSolaris reserved. PIX Advanced Lab Instructions - Logon to www.labgear.net - Use your username/password - Follow the instructions : please be sure all devices are on default . If not, pls do a ‘write erase’ and then a ‘reload’ to return to factory default. © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced Lab Topology If your device won’t let you in © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced Clearing the console line If your console is giving you an error, and you cannot log back on, it should be because the console line is already captured by a previous session. Pls go onto ‘Device Management’ on your top-left, and press ‘Clear Console Line’ as indicated below © 2002, Cisco Systems, Inc. All rights reserved. PIX Advanced [...]... interface pixfirewall(config)# pixfirewall(config)# ip address dmz 172.16.0.1 255.255.255.0 © 2002, Cisco Systems, Inc All rights reserved PIX Advanced Command 4: nat pixfirewall(config)# nat [(if_name)] nat_id local_ip [netmask] • The nat command shields IP addresses on the inside network from the outside network pixfirewall(config)# pixfirewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0 © 2002, Cisco Systems,... server © 2002, Cisco Systems, Inc All rights reserved PIX Advanced Modifiable syslog levels (6.3) Gives user ability to modify the level at which a particular syslog is issued Syslog Levels: 0 - or – emergencies 1 - or – alerts 2 - or – critical 3 - or – errors 4 - or – warning 5 - or – notifications 6 - or – informational 7 - or - debugging © 2002, Cisco Systems, Inc All rights reserved PIX Advanced... Syslog Messages © 2002, Cisco Systems, Inc All rights reserved PIX Advanced Syslog Messages The PIX Firewall sends Syslog messages to either: - An internal buffer - A Syslog Server Syslog documents the following events: • Security • Resources • System • Accounting © 2002, Cisco Systems, Inc All rights reserved PIX Advanced Configure Message Output to the PIX Firewall Buffer pixfirewall(config)# logging...Command 2: interface pixfirewall(config)# interface hardware_id hardware_speed • The interface command configures the type and capability of each perimeter interface pixfirewall(config)# interface ethernet0 auto pixfirewall(config)# interface ethernet1 10 pixfirewall(config)# interface ethernet2 100 © 2002, Cisco Systems, Inc All rights reserved PIX Advanced Command 3: ip address pixfirewall(config)#... seconds © 2002, Cisco Systems, Inc All rights reserved PIX Advanced Summary • The PIX Firewall can generate Syslog messages for system events • Syslog messages can be sent to the PIX Firewall buffer • The PIX Firewall can forward Syslog messages to any Syslog server © 2002, Cisco Systems, Inc All rights reserved PIX Advanced Access Control Lists © 2002, Cisco Systems, Inc All rights reserved PIX Advanced... buffer pixfirewall(config)# show logging • Step 2—View messages in the internal buffer pixfirewall(config)# clear logging • Step 3—Clear the internal buffer pixfirewall(config)# [no] logging message syslog_id • Enable or disable specific Syslog message type logging pixfirewall(config)# logging standby • Allow a standby unit to send Syslog messages © 2002, Cisco Systems, Inc All rights reserved PIX Advanced... Syslog Server pixfirewall(config)# logging host [in_if_name] ip_address {protocol/port] • Step 1—Designate the Syslog host server pixfirewall(config)# logging trap level • Step 2—Set the logging level pixfirewall(config)# logging facility facility • Step 3—Set the facility marked on all messages pixfirewall(config)# [no] logging timestamp • Step 4—Start and stop sending timestamp messages pixfirewall(config)#... web, FTP, and TFTP server 10.0.0.0 /24 3 Inside host, and web and FTP server pixfirewall(config)# pixfirewall(config)# pixfirewall(config)# pixfirewall(config)# nat(inside) 1 10.0.0.0 255.255.255.0 nat (dmz) 1 172.16.0.0 255.255.255.0 global (outside) 1 192.168.0.2 0-1 92.168.0.254 netmask 255.255.255.0 global(dmz) 1 172.16.0.2 0-1 72.16.0.254 netmask 255.255.255.0 • Inside users can start outbound connections... reserved PIX Advanced Command 5: global pixfirewall(config)# global[(if_name)] nat_id {global_ip[-global_ip] [netmask global_mask]} | interface • Works with the nat command to assign a registered or public IP address to an internal host when accessing the outside network through the firewall pixfirewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0 pixfirewall(config)# global (outside) 1 192.168.0.2 0-1 92.168.0.254... 2002, Cisco Systems, Inc All rights reserved PIX Advanced Command 6: route pixfirewall(config)# route if_name ip_address netmask gateway_ip [metric] • The route command defines a static or default route for an interface pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 192.168.0.1 1 © 2002, Cisco Systems, Inc All rights reserved PIX Advanced New 6.3 feature VLAN SUPPORT(802.1Q tagging) © 2002, Cisco ... Systems, Inc All rights reserved PIX Advanced PIX Firewall Family Lineup Price PIX 535 Catalyst 6500 Firewall Services Module PIX 525 PIX 515E PIX 506E Gigabit Ethernet PIX 501 SOHO ROBO SMB Enterprise... PIX Advanced The Six Primary Commands (Review) © 2002, Cisco Systems, Inc All rights reserved PIX Advanced PIX Firewall Primary Commands There are six primary configuration commands for the PIX. .. interface pixfirewall(config)# interface ethernet0 auto pixfirewall(config)# interface ethernet1 10 pixfirewall(config)# interface ethernet2 100 © 2002, Cisco Systems, Inc All rights reserved PIX Advanced