Lesson 3a © 2005 Cisco Systems, Inc. All rights reserved. CSPFA v4.0—19-1 System Management and Maintenance.


Managing System Access

Configuring Telnet Access to the Security Appliance Console

firewall(config)# telnet {{hostname | IP_address mask interface_name} | {IPv6_address interface_name} | {timeout number}}
    Specifies which hosts can access the security appliance console via Telnet.

firewall(config)# telnet timeout minutes
    Sets the maximum time a console Telnet session can be idle before being logged off by the security appliance.

firewall(config)# {passwd | password} password [encrypted]
    Sets the password for Telnet access to the security appliance.

Example (placeholders stand in for the permitted host address and mask):
    fw1(config)# telnet <IP_address> <mask> inside
    fw1(config)# telnet timeout 15
    fw1(config)# passwd telnetpass

Telnet sends the password and every subsequent keystroke in cleartext, so permit it only from specific trusted hosts on a protected interface, and prefer SSH (next slides). The security appliance does not accept Telnet on its lowest-security interface unless the session arrives inside an IPsec tunnel.

Viewing and Disabling Telnet

firewall# show running-config telnet [timeout]
    Displays IP addresses permitted to access the security appliance via Telnet.

firewall# who [local_ip]
    Enables you to view which IP addresses are currently accessing the security appliance console via Telnet.

firewall# kill telnet_id
    Terminates a Telnet session.

firewall(config)# clear configure telnet
    Removes the Telnet connection and the idle timeout from the configuration.

SSH Connections to the Security Appliance

SSH connections to the security appliance:
- Provide secure remote access
- Provide strong authentication and encryption
- Require RSA key pairs for the security appliance
- Require AES or 3DES activation keys
- Allow up to five SSH clients to simultaneously access the security appliance console
- Use the Telnet password (set with passwd) for local authentication, with the username pix

Configuring SSH Access to the Security Appliance Console

firewall(config)# crypto key zeroize {rsa | dsa} [label key-pair-label] [default] [noconfirm]
    Removes any previously generated RSA keys

firewall(config)# write memory
    Saves the CA state

firewall(config)# domain-name name
    Configures the domain name, which must be set before a key pair is generated

firewall(config)# crypto key generate rsa [usage-keys | general-keys] [label key-pair-label] [modulus size] [noconfirm]
    Generates an RSA key pair

firewall(config)# ssh {ip_address mask | ipv6_address/prefix} interface
    Specifies the host or network authorized to initiate an SSH connection

firewall(config)# ssh timeout number
    Specifies how long (in minutes) a session can be idle before being disconnected

Connecting to the Security Appliance with an SSH Client

Example (placeholders stand in for the permitted host address and mask):
    fw1(config)# crypto key zeroize rsa
    fw1(config)# write memory
    fw1(config)# domain-name cisco.com
    fw1(config)# crypto key generate rsa modulus 1024
    fw1(config)# write memory
    fw1(config)# ssh <ip_address> <mask> outside
    fw1(config)# ssh timeout 30

The SSH client on the Internet side then logs in with the fixed local username and the Telnet password:
    SSH username: pix
    password: telnetpassword

A 1024-bit modulus was the course default in 2005; generate at least a 2048-bit key on any current image. Also restrict the ssh statement to known management hosts rather than a whole outside network, because the only local credential is the shared Telnet password.

Viewing, Disabling, and Debugging SSH

firewall# show ssh sessions [ip_address]
    Enables you to view the status of your SSH sessions

firewall# ssh disconnect session_id
    Disconnects an SSH session

firewall(config)# clear configure ssh
    Removes all SSH command statements from the configuration

firewall(config)# debug ssh
    Enables SSH debugging
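The Telnet and SSH slides above configure a handful of lines that decide who can reach the console and how. The following script is an added example (not code from the Cisco course or from Cisco) that audits those lines in a saved running-config: it flags any telnet statement as cleartext management access, flags ssh statements that admit any source, and compares the idle timeouts against a policy value. Both configuration excerpts are constructed for the example; the policy limit of 15 minutes is an assumption.

```python
"""Audit the management-access lines of a PIX/ASA running-config.

Added example, not code from the Cisco course. It checks what the Telnet
and SSH slides configure: whether Telnet is permitted at all (cleartext),
whether SSH sources are restricted to specific hosts or networks, and
whether the idle timeouts are within policy. The two configuration
excerpts below are constructed for the example.
"""
import ipaddress
import re

# Constructed excerpt in the style of the slides; not a real device config.
WEAK_CONFIG = """\
hostname fw1
telnet 10.1.1.0 255.255.255.0 inside
telnet timeout 15
passwd telnetpass
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.1.1.5 255.255.255.255 inside
ssh timeout 60
"""

# The same device after hardening: no Telnet, SSH from one management network.
HARDENED_CONFIG = """\
hostname fw1
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 10
"""

TELNET_RE = re.compile(r"^telnet (\S+) (\S+) (\S+)$")
SSH_RE = re.compile(r"^ssh (\S+) (\S+) (\S+)$")
TIMEOUT_RE = re.compile(r"^(telnet|ssh) timeout (\d+)$")


def audit_management_access(config, max_idle_minutes=15):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    timeouts = {}
    for raw in config.splitlines():
        line = raw.strip()
        m = TIMEOUT_RE.match(line)
        if m:
            timeouts[m.group(1)] = int(m.group(2))
            continue
        m = TELNET_RE.match(line)
        if m:
            addr, mask, iface = m.groups()
            # Any telnet statement is a finding: the password and the session
            # travel in cleartext no matter how narrow the source is.
            findings.append(
                f"telnet permitted from {addr} {mask} on {iface}: cleartext management access"
            )
            continue
        m = SSH_RE.match(line)
        if m:
            addr, mask, iface = m.groups()
            try:
                net = ipaddress.IPv4Network((addr, mask), strict=False)
            except ValueError:
                continue  # not an IPv4 address/mask pair; skip it
            if net.prefixlen == 0:
                findings.append(f"ssh permitted from any host on {iface}: restrict the source")
    # Idle timeouts are reported after the access statements.
    for proto, minutes in timeouts.items():
        if minutes > max_idle_minutes:
            findings.append(
                f"{proto} timeout {minutes} exceeds policy of {max_idle_minutes} minutes"
            )
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}:")
        for finding in audit_management_access(cfg) or ["no findings"]:
            print("  ", finding)
```

Run it against a config pulled with show running-config; the checks are deliberately conservative (an ssh statement for a /24 is accepted, a /0 is not), so tighten the prefix-length threshold to match your own management-network design.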

Managing User Access Levels

Command Authorization Overview

The purpose of command authorization is to securely and efficiently administer the security appliance. It has the following types:
- Enable-level command authorization with passwords
- Command authorization using the local user database
- Command authorization using ACS

Enable-Level Command Authorization

Complete the following tasks to configure and use enable-level command authorization:
1. Use the enable password command to create privilege levels and assign passwords to them.
2. Use the privilege command to assign specific commands to privilege levels.
3. Use the aaa authorization command to enable the command authorization feature.
4. Use the enable command to access the desired privilege level.

Create and Password-Protect Your Privilege Levels

firewall(config)# enable password password [level level] [encrypted]
    Configures enable passwords for the various privilege levels

firewall> enable [level]
    Provides access to a particular privilege level from the > prompt

Example:
    fw1(config)# enable password Passw0rD level 10

    fw1> enable 10
    Password: Passw0rD
    fw1#

Assign Commands to Privilege Levels and Enable Command Authorization

firewall(config)# privilege [show | clear | configure] level level [mode {enable | configure}] command command
    Configures user-defined privilege levels for security appliance commands

firewall(config)# aaa authorization command {LOCAL | server-tag}
    Enables command authorization

Example:
    fw1(config)# enable password Passw0rD level 10
    fw1(config)# privilege show level 8 command access-list
    fw1(config)# privilege configure level 10 command access-list
    fw1(config)# aaa authorization command LOCAL

    firewall> enable 10
    Password: Passw0rD
    firewall# config t
    firewall(config)# access-list ...

With this configuration, show access-list requires level 8 or higher and the configure-mode access-list command requires level 10 or higher, so a session at level 10 can do both. The privilege statements have no effect until aaa authorization command is configured.

Command Authorization Using the Local User Database

Complete the following tasks to configure and use command authorization with the local user database:
1. Use the privilege command to assign specific commands to privilege levels.
2. Use the username command to create user accounts in the local user database and assign privilege levels to the accounts.
3. Use the aaa authorization command to enable command authorization.
4. Use the aaa authentication command to enable authentication using the local database.
5. Use the login command to log in and access privilege levels.

Creating User Accounts in the Local Database

firewall(config)# username name {nopassword | password password [encrypted]} [privilege priv_level]
    Configures the username for the specified privilege level

Example:
    fw1(config)# username admin password passw0rd privilege 15
    fw1(config)# username kenny password chickadee privilege 10

Resulting local database:
    admin   passw0rd    15
    kenny   chickadee   10

Configuring Authentication with the Local Database

firewall(config)# aaa authentication {serial | enable | telnet | ssh | http} console server-tag [LOCAL]
    Enables user authentication for the given access method. When server-tag names a AAA server group, the optional LOCAL keyword falls back to the local database if the servers are unreachable.

Example:
    fw1(config)# privilege configure level 10 command access-list
    fw1(config)# username kenny password chickadee privilege 10
    fw1(config)# aaa authorization command LOCAL
    fw1(config)# aaa authentication enable console LOCAL

    firewall> login
    Username: kenny
    Password: chickadee
    firewall# config t
    firewall(config)# access-list ...

Command Authorization Using ACS

Complete the following tasks to configure and use ACS command authorization:
1. Create a user profile on the TACACS+ server with all the commands that the user is permitted to execute.
2. Use the aaa-server command to specify the TACACS+ server.
3. Use the aaa authentication command to enable authentication with a TACACS+ server.
4. Use the aaa authorization command to enable command authorization with a TACACS+ server.

aaa authorization Command for Command Authorization with ACS

firewall(config)# aaa authorization command {LOCAL | server-tag}
    Enables command authorization.

Example (the TACACS+ server address is a placeholder; the prompt shown before each line is the mode left by the previous command):
    fw1(config)# aaa-server MYTACACS protocol tacacs+
    fw1(config-aaa-server-group)# aaa-server MYTACACS (inside) host <server_ip> thekey timeout 20
    fw1(config-aaa-server-host)# aaa authentication enable console MYTACACS
    fw1(config)# aaa authorization command MYTACACS

MYTACACS then performs both authentication and authorization for enable access. The shared key (thekey in the example) is stored in the configuration and protects the TACACS+ exchange, so treat it, and any configuration backup containing it, as a secret.

Viewing Your Command Authorization Configuration

firewall# show running-config [all] privilege [all | command command | level level]
    Displays the privileges for a command or set of commands.

firewall# show curpriv
    Displays the user account that is currently logged in and its privilege level.
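The enable-level and local-database procedures above come down to one rule: a command runs only when the caller's privilege level is at least the level the privilege command assigned to it, and the privilege statements only matter once aaa authorization command is configured. The following model is an added example (not Cisco code and not from the course) that reads the slides' own privilege and username statements plus one constructed account, viewer, and answers who may run what. Treating commands never named in a privilege statement as level 15 is an assumption for this example; confirm it on your image with show running-config all privilege.

```python
"""Model of privilege-level command authorization on the security appliance.

Added example, not Cisco code. It applies the rule the enable-level and
local-database slides describe: a command is authorized only when the
caller's privilege level is at least the level assigned to it with the
privilege command, and only once aaa authorization command is configured.
Commands never named in a privilege statement are assumed here to default
to level 15 (an assumption for this example). The sample configuration
reuses the slides' statements and adds one constructed account, 'viewer'.
"""
import re

DEFAULT_LEVEL = 15  # assumption: unassigned commands require full privilege

# Constructed from the slides' examples plus a level-8 read-only account.
SAMPLE_CONFIG = """\
privilege show level 8 command access-list
privilege configure level 10 command access-list
username admin password passw0rd privilege 15
username kenny password chickadee privilege 10
username viewer password lookonly privilege 8
aaa authorization command LOCAL
aaa authentication enable console LOCAL
"""

PRIV_RE = re.compile(
    r"^privilege (show|clear|configure) level (\d+)"
    r"(?: mode (enable|configure))? command (\S+)$"
)
USER_RE = re.compile(
    r"^username (\S+) (?:nopassword|password \S+(?: encrypted)?) privilege (\d+)$"
)


class CommandAuthorizer:
    """Privilege-level policy extracted from a running-config excerpt."""

    def __init__(self, config):
        self.required = {}    # (verb, command) -> minimum privilege level
        self.users = {}       # username -> assigned privilege level
        self.enabled = False  # True once 'aaa authorization command' is present
        for raw in config.splitlines():
            line = raw.strip()
            m = PRIV_RE.match(line)
            if m:
                verb, level, _mode, command = m.groups()
                self.required[(verb, command)] = int(level)
                continue
            m = USER_RE.match(line)
            if m:
                self.users[m.group(1)] = int(m.group(2))
                continue
            if line.startswith("aaa authorization command "):
                self.enabled = True

    def required_level(self, verb, command):
        """Level needed for 'verb command', e.g. ('show', 'access-list')."""
        return self.required.get((verb, command), DEFAULT_LEVEL)

    def authorized(self, username, verb, command):
        """True if the named local user may run the command."""
        if not self.enabled:
            # Without aaa authorization command, the privilege statements
            # are not enforced: anyone in enable mode can run everything.
            return True
        level = self.users.get(username)
        if level is None:
            return False  # unknown account: authentication would already fail
        return level >= self.required_level(verb, command)


if __name__ == "__main__":
    az = CommandAuthorizer(SAMPLE_CONFIG)
    for user in ("admin", "kenny", "viewer"):
        for verb, cmd in (("show", "access-list"), ("configure", "access-list"),
                          ("show", "running-config")):
            print(f"{user:7} {verb:9} {cmd:15} -> {az.authorized(user, verb, cmd)}")
```

Running the block shows the lockout edge of this design: viewer can show access-list but not change it, kenny can do both, and nobody below level 15 can run a command that was never assigned a level, which is exactly the situation to check before enabling aaa authorization command on a device you manage remotely.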

Lockout

The slide's diagram shows the lockout case: the administrator on the Internet side can no longer reach MYTACACS, and the local database (admin at level 15, kenny at level 10) is not consulted, so nobody can authenticate or be authorized. Configure the LOCAL fallback on the aaa authentication command so that an unreachable AAA server does not lock every administrator out; if it does, password recovery (next slides) is the only way back in.

Password Recovery: PIX

1. Download the following file from Cisco.com: npXX.bin (where XX = the PIX Firewall image version number).
2. Reboot the system and break the boot process when prompted to go into monitor mode.
3. Set the interface, IP address, gateway, server, and file to TFTP the previously downloaded image.
4. Follow the directions displayed.

Password Recovery: ASA

firewall(config)# service password-recovery
    Enables password recovery. On by default.

Disabling it:
    fw1(config)# no service password-recovery
    WARNING: Executing "no service password-recovery" has disabled the password recovery mechanism and disabled access to ROMMON. The only means of recovering from lost or forgotten passwords will be for ROMMON to erase all file systems including configuration files and images. You should make a backup of your configuration and have a mechanism to restore images from the ROMMON command line.

With password recovery enabled, anyone who has console access and can reboot the appliance can reset its passwords; disabling it trades that exposure for a full wipe as the only recovery path, so back up the configuration and the image before you turn it off.

Managing Software, Licenses, and Configurations

Viewing Directory Contents

firewall# dir [/all] [all-filesystems] [/recursive] [disk0: | disk1: | flash: | system:] [path]
    Displays the directory contents. The pwd command displays the current working directory.

Example (file sizes and timestamps elided):
    fw1# dir
    Directory of disk:/
    8    -rw   ...   pix701.bin
    9    -rw   ...   old_running2.cfg
    10   -rw   ...   old_running.cfg
    ... bytes total (... bytes free)

Viewing File Contents

firewall# more {/ascii | /binary | /ebcdic | disk0: | disk1: | flash: | ftp: | http: | https: | system: | tftp:}filename
    Displays the contents of a file.

Example:
    fw1# more test.cfg
    : Saved
    : Written by enable_15 at 10:04:01 Apr XXX
    Version X.X(X)
    nameif vlan300 outside security10
    enable password 8Ry2YjIyt7RRXU24 encrypted
    ...

Note that a saved configuration file carries the enable password hash, the Telnet password and local user passwords, and any AAA server keys, so copies such as old_running.cfg left on flash, or copied off to a server, are as sensitive as the running device.

Directory Management

firewall# cd [disk0: | disk1: | flash:] [path]
    Changes the current working directory to the one specified.

firewall# mkdir [/noconfirm] [disk0: | disk1: | flash:]path
    Creates a new directory

firewall# rmdir [/noconfirm] [disk0: | disk1: | flash:]path
    Removes a directory

Copying Files

firewall(config)# copy [/options] {url | local:[path] | running-config | startup-config} {running-config | startup-config | url | local:[path]}
    Copies a file from one location to another

Example:
    fw1(config)# copy disk0:my_context/my_context.cfg startup-config
    fw1(config)# copy disk0:my_context/my_context.cfg running-config

Copying to startup-config replaces the saved configuration, whereas copying to running-config merges the file's commands into the configuration that is already running; check the result with show running-config before you write memory.

Installing Application or ASDM Software Example

When you log into the security appliance during normal operation, you can copy the application software or ASDM software to the Flash file system from a TFTP, FTP, HTTP, or HTTPS server.

firewall(config)# copy tftp://server[/path]/filename flash:/filename

Example (the TFTP server address is a placeholder):
    fw1(config)# copy tftp://<server>/cisco/123file.bin flash:/123file.bin

Downloading and Backing Up Configuration Files Example

firewall(config)# copy ftp://[user[:password]@]server[/path]/filename[;type=xx] startup-config
    Copies the configuration file from an FTP server

firewall# copy {startup-config | running-config | disk0:[path/]filename} ftp://[user[:password]@]server[/path]/filename[;type=xx]
    Copies the configuration file to an FTP server

Example (FTP URL in placeholder form):
    fw1(config)# copy startup-config ftp://<user>:<password>@<server>/<path>/<filename>

FTP sends the credentials in the URL and the configuration itself in cleartext, and TFTP has no authentication at all, so run backups only over a protected management network and treat the backup file as a secret.
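The more and copy-to-FTP slides show that a backed-up configuration contains the enable password hash, the Telnet/SSH password, the local users' passwords and the aaa-server key. The following script is an added example (not part of the course and not Cisco code) that redacts those fields before a backup is handed to someone who only needs to review the rest of the configuration; the sample configuration is constructed from the slides' own statements, and the redaction marker is a choice made here.

```python
"""Redact secrets from a PIX/ASA configuration before it is backed up or shared.

Added example; not part of the course. Saved configurations carry the enable
password hash, the Telnet/SSH password (passwd), local usernames' passwords
and the aaa-server key, so a backup copied to a TFTP or FTP server is as
sensitive as the device. The sample below is constructed from the slides'
statements; the hash is the one shown on the 'more' slide.
"""
import re

SAMPLE_CONFIG = """\
: Saved
hostname fw1
enable password 8Ry2YjIyt7RRXU24 encrypted
enable password Passw0rD level 10
passwd telnetpass
username admin password passw0rd privilege 15
username kenny password chickadee privilege 10
aaa-server MYTACACS protocol tacacs+
aaa-server MYTACACS (inside) host 10.1.1.20 thekey timeout 20
telnet timeout 15
"""

# (label, pattern): group 1 is the text before the secret, group 2 the secret,
# group 3 whatever follows it (level, encrypted, privilege, timeout ...).
SECRET_PATTERNS = [
    ("enable password", re.compile(r"^(enable password )(\S+)(.*)$")),
    ("telnet/ssh password", re.compile(r"^((?:passwd|password) )(\S+)(.*)$")),
    ("username password", re.compile(r"^(username \S+ password )(\S+)(.*)$")),
    # Inline key after the host address; a host line with no key goes straight
    # to 'timeout', which must not be mistaken for the secret.
    ("aaa-server key", re.compile(r"^(aaa-server \S+ \(\S+\) host \S+ )(?!timeout\b)(\S+)(.*)$")),
]


def redact_config(text, marker="<REDACTED>"):
    """Return (redacted_text, findings); findings are (line_number, label) pairs."""
    out, findings = [], []
    for number, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.strip()
        replaced = raw
        for label, pattern in SECRET_PATTERNS:
            m = pattern.match(stripped)
            if m:
                replaced = f"{m.group(1)}{marker}{m.group(3)}"
                findings.append((number, label))
                break
        out.append(replaced)
    return "\n".join(out) + "\n", findings


if __name__ == "__main__":
    redacted, found = redact_config(SAMPLE_CONFIG)
    print(redacted)
    for line_number, label in found:
        print(f"line {line_number}: {label} redacted")
```

The redaction is idempotent (running it over already-redacted text changes nothing), which makes it safe to put in front of every export. It removes hashes as well as plaintext values because the PIX/ASA enable-password hash is unsalted and offline-crackable; a redacted backup is for review only, so keep the unredacted copy where only the firewall administrators can reach it.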

Image Upgrade and Activation Keys

Viewing Version Information

firewall# show version
    Displays the software version, hardware configuration, license key, and related uptime data

Example (abridged; the serial number and part of the key are elided):
    fw1# show version
    ...
    This machine has a Restricted (R) license.
    Serial Number: ...
    Running Activation Key: 0xbd27f269 0xbc7ebd46 0x1c73e474 0xbb... 0x071dd0a6
    Configuration has not been modified since last system restart.

Image Upgrade

firewall(config)# copy tftp://server[/path]/filename flash:/filename
    Enables you to change software images without accessing the TFTP monitor mode. The TFTP server at the given address receives the request, determines the actual file location from its root directory information, and sends the image to the security appliance.

Example (the TFTP server address is a placeholder):
    fw1# copy tftp://<server>/pix700.bin flash

TFTP provides neither authentication nor integrity protection for the transferred image, so use it only on a protected management network and confirm the running version with show version after the reload.

Entering a New Activation Key

firewall(config)# activation-key {activation-key-four-tuple | activation-key-five-tuple}
    Updates the activation key on your security appliance; used to enable licensed features.

Example (the key words are partly elided in the source):
    fw1(config)# activation-key 0x... 0xabcdef01 0x...ab 0xcdef...

Upgrading the Image and the Activation Key

Complete the following steps to upgrade the image and the activation key at the same time:
Step 1: Install the new image.
Step 2: Reboot the system.
Step 3: Update the activation key.
Step 4: Reboot the system.

Troubleshooting the Activation Key Upgrade

Message: The activation key you entered is the same as the running key.
Problem and resolution: Either the activation key has already been upgraded or you need to enter a different key.

Message: The Flash image and the running image differ.
Problem and resolution: Reboot the security appliance and reenter the activation key.

Message: The activation key is not valid.
Problem and resolution: Either you made a mistake entering the activation key or you need to obtain a valid activation key.

Summary

- SSH provides secure remote management of the security appliance; Telnet is also available but sends the password and session in cleartext.
- TFTP is used to upgrade the software image on security appliances.
- You can configure three different types of command authorization: enable level with password, local command authorization, and ACS command authorization.
- The security appliance can be configured to permit multiple users to access its console simultaneously via Telnet or SSH (up to five SSH sessions).
- You can enable Telnet on any interface except the lowest-security interface, where it is accepted only inside an IPsec tunnel.
- Password recovery on the PIX requires a TFTP server to load the npXX.bin image; on the ASA it is performed from ROMMON and can be disabled with no service password-recovery.