© 2006 Cisco Systems, Inc. All rights reserved. Network Security 2 Module 8 – PIX Security Appliance Contexts, Failover, and Management.


Slide 1: Network Security 2, Module 8 – PIX Security Appliance Contexts, Failover, and Management

Slide 2: Lesson 8.4, PIX Security Appliance Management (Module 8 – PIX Security Appliance Contexts, Failover, and Management)

Slide 3: Managing System Access (© 2007 Cisco Systems, Inc. All rights reserved. SNPA v5.0, 16-3)

Slide 4: Configuring Telnet Access to the Security Appliance Console

    ciscoasa(config)# telnet {{hostname | IP_address mask interface_name} | {IPv6_address interface_name} | {timeout number}}

Enables you to specify which hosts can access the security appliance console with Telnet, and to set the maximum time a console Telnet session can be idle before the security appliance logs it off.

    ciscoasa(config)# passwd password [encrypted]

Sets the password for Telnet access to the security appliance.

Example:

    asa1(config)# telnet 10.0.0.11 255.255.255.255 inside
    asa1(config)# telnet timeout 15
    asa1(config)# passwd telnetpass

(Figure: host 10.0.0.11 on the inside interface connecting to the security appliance console with Telnet; the Internet is on the outside.)

Slide 5: Viewing and Disabling Telnet

    ciscoasa# show running-config telnet [timeout]

Displays the IP addresses permitted to access the security appliance via Telnet.

    ciscoasa# who [local_ip]

Enables you to view which IP addresses are currently accessing the security appliance console via Telnet.

    ciscoasa# kill telnet_id

Terminates a Telnet session.

    ciscoasa(config)# clear configure telnet

Removes the Telnet connection and the idle timeout from the configuration.

Slide 6: SSH Connections to the Security Appliance

SSH connections to the security appliance:
- Provide secure remote access
- Provide strong authentication and encryption
- Require RSA key pairs for the security appliance
- Require 3DES/AES or DES activation keys
- Allow up to five SSH clients to simultaneously access the security appliance console
- Use the Telnet password for local authentication

Slide 7: Configuring SSH Access to the Security Appliance Console

    ciscoasa(config)# crypto key zeroize {rsa | dsa} [label key-pair-label] [default] [noconfirm]

Removes any previously generated RSA keys.

    ciscoasa(config)# write memory

Saves the CA state.

    ciscoasa(config)# domain-name name

Configures the domain name.

    ciscoasa(config)# crypto key generate rsa [usage-keys | general-keys] [label key-pair-label] [modulus size] [noconfirm]

Generates an RSA key pair.

    ciscoasa(config)# ssh {ip_address mask | ipv6_address/prefix} interface

Specifies the host or network authorized to initiate an SSH connection.

    ciscoasa(config)# ssh timeout number

Specifies how long a session can be idle before being disconnected.

Slide 8: Connecting to the Security Appliance with an SSH Client

    asa1(config)# crypto key zeroize rsa
    asa1(config)# write memory
    asa1(config)# domain-name cisco.com
    asa1(config)# crypto key generate rsa modulus 1024
    asa1(config)# write memory
    asa1(config)# ssh 172.26.26.50 255.255.255.255 outside
    asa1(config)# ssh timeout 30

(Figure: an SSH client at 172.26.26.50 connects across the Internet to the outside interface and logs in with username pix and the Telnet password, telnetpassword.)

Slide 9: Viewing, Disabling, and Debugging SSH

    ciscoasa# show ssh sessions [ip_address]

Enables you to view the status of your SSH sessions.

    ciscoasa# ssh disconnect session_id

Disconnects an SSH session.

    ciscoasa(config)# clear configure ssh

Removes all SSH command statements from the configuration.

    ciscoasa(config)# debug ssh

Enables SSH debugging.
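The telnet and ssh statements in slides 4 through 9 are, in effect, a small access-control list for the management plane: each entry names a source network and the interface it may arrive on, and the timeout statements bound how long an idle session survives. The following Python script is an added example and is not part of the Cisco course; it parses those statements from a constructed running-config fragment, answers the question "may this source reach the console on this interface?", and reports settings an auditor would object to. The policy ceiling of 15 idle minutes, the interface name "inside" as the trusted side, and the sample configuration (which deliberately includes an over-broad ssh 0.0.0.0 0.0.0.0 entry) are assumptions made for the demonstration; hostname-form entries are not handled.

```python
import ipaddress
import re

# Constructed running-config fragment for the demonstration (not captured
# from a real device). The "ssh 0.0.0.0 0.0.0.0" line is deliberately
# over-broad so that the audit has something to report.
SAMPLE_CONFIG = """\
telnet 10.0.0.11 255.255.255.255 inside
telnet timeout 15
ssh 172.26.26.50 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
"""

MAX_IDLE_MINUTES = 15        # assumed local policy ceiling, not a course value
INSIDE_INTERFACE = "inside"  # assumed name of the trusted interface


def parse_mgmt_access(config_text):
    """Collect telnet/ssh permit rules and idle timeouts from config lines.

    Returns {"telnet": [(network, iface), ...], "ssh": [...],
             "timeout": {"telnet": minutes, "ssh": minutes}}.
    """
    rules = {"telnet": [], "ssh": [], "timeout": {}}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"^(telnet|ssh)\s+timeout\s+(\d+)$", line)
        if m:
            rules["timeout"][m.group(1)] = int(m.group(2))
            continue
        m = re.match(r"^(telnet|ssh)\s+(\S+)\s+(\S+)\s+(\S+)$", line)
        if m:
            proto, ip, mask, iface = m.groups()
            # The appliance writes dotted masks; ip_network accepts "addr/mask".
            network = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            rules[proto].append((network, iface))
    return rules


def is_permitted(rules, proto, src_ip, iface):
    """True if src_ip arriving on iface matches a telnet/ssh permit rule."""
    src = ipaddress.ip_address(src_ip)
    return any(src in net and iface == rule_iface
               for net, rule_iface in rules[proto])


def audit(rules):
    """Return human-readable findings about risky console-access settings."""
    findings = []
    for proto in ("telnet", "ssh"):
        for net, iface in rules[proto]:
            if net.prefixlen == 0:
                findings.append(f"{proto}: console access permitted from any "
                                f"address on {iface}")
            if proto == "telnet" and iface != INSIDE_INTERFACE:
                findings.append(f"telnet: cleartext console access permitted "
                                f"on {iface}")
        idle = rules["timeout"].get(proto)
        if idle is None:
            findings.append(f"{proto}: no idle timeout configured, platform "
                            f"default applies")
        elif idle > MAX_IDLE_MINUTES:
            findings.append(f"{proto}: idle timeout {idle} min exceeds policy "
                            f"of {MAX_IDLE_MINUTES} min")
    return findings


if __name__ == "__main__":
    rules = parse_mgmt_access(SAMPLE_CONFIG)
    print("telnet 10.0.0.11 on inside:",
          is_permitted(rules, "telnet", "10.0.0.11", "inside"))
    print("ssh 203.0.113.9 on outside:",
          is_permitted(rules, "ssh", "203.0.113.9", "outside"))
    for finding in audit(rules):
        print("finding:", finding)
```

Run against the sample, the host-specific telnet entry admits only 10.0.0.11 on inside, while the /0 ssh entry admits any Internet address on outside; the audit reports that entry and the 60-minute SSH idle timeout.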

Slide 10: Managing User Access Levels

Slide 11: Command Authorization Overview

The purpose of command authorization is to securely and efficiently administer the security appliance. You can configure the following types of command authorization:
- Command authorization with password-protected privilege levels
- Command authorization with username and password authentication

Slide 12: Command Authorization with Password-Protected Privilege Levels

The following tasks are required to configure command authorization with password-protected privilege levels:
- Use the enable command to create privilege levels and assign passwords to them.
- Use the privilege command to assign specific commands to privilege levels.
- Use the aaa authorization command to enable the command authorization feature.

Users must complete the following steps to use command authorization with password-protected privilege levels:
- Use the enable command with the level option to access the desired privilege level.
- Provide the password for the privilege level when prompted.

The user can then execute any command assigned to that privilege level or to a lower privilege level.

Slide 13: Configuring Command Authorization with Password-Protected Privilege Levels

    ciscoasa(config)# enable password password [level level] [encrypted]

Creates and password-protects privilege levels by configuring enable passwords for the various privilege levels.

    asa1(config)# enable password Passw0rD level 10

    ciscoasa> enable [level]

Provides access to a particular privilege level from the > prompt.

    asa1> enable 10
    Password: Passw0rD
    asa1#

(Figure: the administrator at 10.0.0.11 enters enable 10 and the level-10 password.)

Slide 14: Configuring Command Authorization with Password-Protected Privilege Levels (Cont.)

    ciscoasa(config)# privilege [show | clear | configure] level level [mode command_mode] command command

Configures user-defined privilege levels for security appliance commands.

    ciscoasa(config)# aaa authorization command {LOCAL | server-tag [LOCAL]}

Enables command authorization.

Example:

    asa1(config)# enable password Passw0rD level 10
    asa1(config)# privilege show level 8 command access-list
    asa1(config)# privilege configure level 10 command access-list
    asa1(config)# aaa authorization command LOCAL

A user who enters level 10 can then configure access lists:

    ciscoasa> enable 10
    Password: Passw0rD
    ciscoasa# config t
    ciscoasa(config)# access-list...

Slide 15: Command Authorization with Username and Password Authentication

The following tasks are required to configure command authorization with username and password authentication:
- Use the privilege command to assign specific commands to privilege levels.
- Use the username command to create user accounts in the local user database and assign privilege levels to the accounts.
- Use the aaa authorization command to enable command authorization.
- Use the aaa authentication command to enable authentication using the local database.

Slide 16: Command Authorization with Username and Password Authentication (Cont.)

Users must complete one of the following tasks to use command authorization with username and password authentication:
- Enter the login command at the > prompt and log in with a username and password.
- Enter the enable command at the > prompt and log in with a username and password.

The user can then execute any command assigned to the same privilege level as the user account or to a lower privilege level.

Slide 17: Configuring Command Authorization with Username and Password Authentication

    ciscoasa(config)# username name {nopassword | password password [mschap | encrypted | nt-encrypted]} [privilege priv_level]

Creates a user account in the local database. Can be used to configure a privilege level for the user account.

    asa1(config)# username admin password passw0rd privilege 15
    asa1(config)# username kenny password chickadee privilege 10

(Figure: the local database on the appliance holds admin / passw0rd / level 15 and kenny / chickadee / level 10; the administrator connects from 10.0.0.11.)

Slide 18: Configuring Command Authorization with Username and Password Authentication (Cont.)

    ciscoasa(config)# aaa authentication {serial | enable | telnet | ssh | http} console {server-tag [LOCAL] | LOCAL}

Enables you to configure authentication with the local database.

Example: configures command authorization with username and password authentication using the local database.

    asa1(config)# privilege configure level 10 command access-list
    asa1(config)# username kenny password chickadee privilege 10
    asa1(config)# aaa authorization command LOCAL
    asa1(config)# aaa authentication enable console LOCAL

The user kenny then logs in from 10.0.0.11 and configures access lists:

    ciscoasa> login
    Username: kenny
    Password: chickadee
    ciscoasa# config t
    ciscoasa(config)# access-list...

Slide 19: Viewing Your Command Authorization Configuration

    ciscoasa# show running-config [all] privilege [all | command command | level level]

Displays the privilege levels assigned to a command or set of commands.

    ciscoasa# show curpriv

Displays the user account that is currently logged in.

(Figure: administrator at 10.0.0.11, TACACS+ server at 10.0.0.2, Internet on the outside.)

Slide 20: Lockout

You can lock yourself out of the security appliance by:
- Configuring authentication using the local database without configuring any user accounts in the local database
- Configuring command authorization using a TACACS+ server if the TACACS+ server is unavailable, down, or misconfigured

Do not save your command authorization configuration until you are sure it works as intended.

(Figure: the administrator at 10.0.0.11 cannot authenticate; the TACACS+ server at 10.0.0.2 and the empty local database are both marked with an X.)
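Slides 12 through 20 describe one decision procedure: a command's required level comes from the privilege table, a user's level comes from the enable level or the username entry, and the command runs only if the user's level is at least the required one; slide 20 then names two configurations that lock the administrator out. The following Python model is an added example, not code from the Cisco course. It parses the privilege, username, aaa authorization and aaa authentication statements from a constructed configuration (mirroring slides 14, 17 and 18), decides authorization for a given user level and command, and checks for the two lockout conditions. Two defaults are assumptions for the model, not values stated on the slides: a command with no privilege entry is treated as requiring level 15, and a username entry without a privilege option is treated as level 2; a privilege entry with no show/clear/configure keyword is assumed to apply to all three forms.

```python
import re

# Assumptions for the model; the course does not state these defaults.
DEFAULT_COMMAND_LEVEL = 15  # level assumed for a command with no privilege entry
DEFAULT_USER_LEVEL = 2      # level assumed for a username without a privilege option

# Constructed configuration mirroring slides 14, 17 and 18.
SAMPLE_CONFIG = """\
enable password Passw0rD level 10
privilege show level 8 command access-list
privilege configure level 10 command access-list
username admin password passw0rd privilege 15
username kenny password chickadee privilege 10
aaa authorization command LOCAL
aaa authentication enable console LOCAL
"""

PRIV_RE = re.compile(r"^privilege(?:\s+(show|clear|configure))?\s+level\s+(\d+)"
                     r"(?:\s+mode\s+\S+)?\s+command\s+(\S+)$")
USER_RE = re.compile(r"^username\s+(\S+)\s+(.*)$")
AUTHZ_RE = re.compile(r"^aaa\s+authorization\s+command\s+(\S+)(?:\s+(LOCAL))?$")
AUTHN_RE = re.compile(r"^aaa\s+authentication\s+(\S+)\s+console\s+(\S+)(?:\s+(LOCAL))?$")


def parse_authz(config_text):
    """Build the authorization state from privilege/username/aaa statements."""
    state = {"privilege": {}, "users": {}, "authorization": None, "authentication": []}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = PRIV_RE.match(line)
        if m:
            form, level, cmd = m.group(1), int(m.group(2)), m.group(3)
            # No form keyword: assume the entry covers show, clear and configure.
            for f in ([form] if form else ["show", "clear", "configure"]):
                state["privilege"][(f, cmd)] = level
            continue
        m = USER_RE.match(line)
        if m:
            lvl = re.search(r"\bprivilege\s+(\d+)\b", m.group(2))
            state["users"][m.group(1)] = int(lvl.group(1)) if lvl else DEFAULT_USER_LEVEL
            continue
        m = AUTHZ_RE.match(line)
        if m:
            state["authorization"] = {"server": m.group(1),
                                      "local_fallback": m.group(2) is not None}
            continue
        m = AUTHN_RE.match(line)
        if m:
            state["authentication"].append({"access": m.group(1), "server": m.group(2),
                                            "local_fallback": m.group(3) is not None})
    return state


def is_authorized(state, user_level, form, command):
    """Slide 12 rule: a user may run commands at or below the user's level."""
    if state["authorization"] is None:
        return True  # command authorization is not enabled: no per-command check
    required = state["privilege"].get((form, command), DEFAULT_COMMAND_LEVEL)
    return user_level >= required


def lockout_risks(state):
    """Flag the two lockout conditions named on slide 20."""
    risks = []
    for authn in state["authentication"]:
        if authn["server"] == "LOCAL" and not state["users"]:
            risks.append(f"{authn['access']} console authentication uses the local "
                         f"database but no username entries exist")
    authz = state["authorization"]
    if authz and authz["server"] != "LOCAL" and not authz["local_fallback"]:
        risks.append(f"command authorization depends on AAA server tag "
                     f"{authz['server']} with no LOCAL fallback")
    return risks


if __name__ == "__main__":
    state = parse_authz(SAMPLE_CONFIG)
    kenny = state["users"]["kenny"]
    print("kenny show access-list:", is_authorized(state, kenny, "show", "access-list"))
    print("kenny configure access-list:", is_authorized(state, kenny, "configure", "access-list"))
    print("kenny configure route:", is_authorized(state, kenny, "configure", "route"))
    print("lockout risks:", lockout_risks(state))
```

With the sample, kenny (level 10) may show and configure access lists, a level-8 user may only show them, and neither may configure a command left at the assumed default of 15; the same parser, fed only "aaa authentication enable console LOCAL" with no username entries, or "aaa authorization command" naming a server tag without LOCAL, reports the corresponding lockout risk.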

Slide 21: Password Recovery for the Cisco ASA Security Appliance

    ciscoasa(config)# service password-recovery

Enables password recovery. On by default.

    asa1(config)# no service password-recovery
    WARNING: Executing "no service password-recovery" has disabled the password recovery mechanism and disabled access to ROMMON. The only means of recovering from lost or forgotten passwords will be for ROMMON to erase all file systems including configuration files and images. You should make a backup of your configuration and have a mechanism to restore images from the ROMMON command line.

(Figure: the appliance sits between the 192.168.0.0 network and the Internet, with hosts 10.0.0.3 and 10.0.0.11; the administrator has lost the password.)

Slide 22: Password Recovery for the Cisco PIX Security Appliance

1. Download the following file from Cisco.com: npXX.bin, where XX is the Cisco PIX security appliance image version number.
2. Reboot the system and break the boot process when prompted to go into monitor mode.
3. Set the interface, IP address, gateway, server, and file to access the previously downloaded image via TFTP.
4. Follow the directions displayed.

Slide 23: Managing Software, Licenses, and Configurations

Slide 24: Viewing Directory Contents

    ciscoasa# dir [/all] [/recursive] [all-filesystems | [disk0: | disk1: | flash: | system:] path]

Displays the directory contents.

    asa1# dir
    Directory of disk0:/
    4346  -rw-  8202240  15:01:10 Oct 19 2006  asa721-k8.bin
    6349  -rw-  5539756  15:30:39 Oct 19 2006  asdm521.bin
    7705  -rw-  3334     07:03:57 Oct 22 2006  old_running.cfg
    62947328 bytes total (29495296 bytes free)

You can use the pwd command to display the current working directory.

(Figure: the administrator at 10.0.0.11 issues dir; hosts 10.0.0.3 and the 192.168.0.0 network are also shown.)

Slide 25: Viewing File Contents

    ciscoasa# more [/ascii | /binary | /ebcdic | disk0: | disk1: | flash: | ftp: | http: | https: | system: | tftp:] filename

Displays the contents of a file.

    asa1# more ctx1.cfg
    : Saved
    : Written by enable_15 at 14:12:08.092 UTC Sat Oct 7 2006
    !
    ASA Version 7.2(1)
    !
    hostname CTX1
    enable password 8Ry2YjIyt7RRXU24 encrypted
    ...

(Figure: the administrator at 10.0.0.11 issues more.)

Slide 26: Directory Management

    ciscoasa# mkdir [/noconfirm] [disk0: | disk1: | flash:]path

Creates a new directory.

    ciscoasa# rmdir [/noconfirm] [disk0: | disk1: | flash:]path

Removes a directory.

    ciscoasa# cd [disk0: | disk1: | flash:][path]

Changes the current working directory to the one specified.

(Figure: the administrator at 10.0.0.11 issues mkdir.)

Slide 27: Copying Files

    ciscoasa# copy [/noconfirm | /pcap] {url | running-config | startup-config} {running-config | startup-config | url}

Copies a file from one location to another.

    asa1# copy disk0:MYCONTEXT.cfg startup-config

Copies the file MYCONTEXT.cfg from disk0 to the startup configuration.

(Figure: the administrator at 10.0.0.11 issues copy.)

Slide 28: Installing Application or ASDM Software Example

    ciscoasa# copy tftp://server[/path]/filename flash:/filename

Enables you to copy the application software or ASDM software to the flash file system from a TFTP server.

    asa1# copy tftp://10.0.0.3/cisco/123file.bin flash:/123file.bin

Copies the file 123file.bin from the TFTP server at 10.0.0.3 to the security appliance.

    asa1# copy tftp://www.example.com/cisco/123file.bin flash:/123file.bin

Copies the file 123file.bin from www.example.com to the security appliance.

(Figure: ASDM/TFTP server at 10.0.0.3, administrator at 10.0.0.11, 192.168.0.0 network and the Internet.)

Slide 29: Downloading and Backing Up Configuration Files Example

    ciscoasa# copy ftp://[user[:password]@]server[/path]/filename[;type=xx] startup-config

Copies the configuration file from an FTP server.

    asa1# copy ftp://admin:letmein@10.0.0.3/configs/startup.cfg;type=an startup-config

    ciscoasa# copy {startup-config | running-config | disk0:[path/]filename} ftp://[user[:password]@]server[/path]/filename[;type=xx]

Copies the configuration file to an FTP server.

(Figure: FTP server at 10.0.0.3 exchanging the configuration with the appliance; administrator at 10.0.0.11, 192.168.0.0 network and the Internet.)
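The copy command on slides 27 through 29 accepts three operand shapes: the running-config/startup-config keywords, a local filesystem path such as disk0:MYCONTEXT.cfg, and a remote URL that, for FTP, may carry a username, a password and a ;type=xx transfer option. The following Python parser is an added example and is not code from the Cisco course; it decomposes a copy command line into its source and destination, then reviews it the way a change reviewer would, flagging transfers over tftp, ftp or http (which carry the file unencrypted) and any password embedded in the command line itself. The command lines it is run against are the slides' own examples; the review categories are this example's, not the course's.

```python
import re
from urllib.parse import urlsplit

# Transports that carry the file (and any credentials in the URL) unencrypted.
CLEARTEXT_SCHEMES = {"tftp", "ftp", "http"}
LOCAL_FS_RE = re.compile(r"^(disk0|disk1|flash|system):(.*)$")


def parse_location(token):
    """Classify one copy operand: config keyword, local filesystem path, or URL."""
    if token in ("running-config", "startup-config"):
        return {"kind": "config", "name": token}
    m = LOCAL_FS_RE.match(token)
    if m:
        return {"kind": "local", "filesystem": m.group(1), "path": m.group(2)}
    if "://" in token:
        url, _, option = token.partition(";")  # split off the ;type=xx FTP option
        u = urlsplit(url)
        return {
            "kind": "remote",
            "scheme": u.scheme,
            "user": u.username,
            "password": u.password,
            "host": u.hostname,
            "path": u.path,
            "type": option.split("=", 1)[1] if option.startswith("type=") else None,
        }
    raise ValueError(f"unrecognised copy operand: {token!r}")


def parse_copy(command_line):
    """Split 'copy [/noconfirm | /pcap] SRC DST' into parsed source and destination."""
    tokens = command_line.split()
    if not tokens or tokens[0] != "copy":
        raise ValueError("not a copy command")
    operands = [t for t in tokens[1:] if not t.startswith("/")]  # drop /noconfirm, /pcap
    if len(operands) != 2:
        raise ValueError("copy needs exactly a source and a destination")
    return {"src": parse_location(operands[0]), "dst": parse_location(operands[1])}


def review_copy(command_line):
    """Return findings a reviewer would raise about the transfer's exposure."""
    parsed = parse_copy(command_line)
    findings = []
    for role in ("src", "dst"):
        loc = parsed[role]
        if loc["kind"] != "remote":
            continue
        if loc["scheme"] in CLEARTEXT_SCHEMES:
            findings.append(f"{role}: {loc['scheme']} transfer with {loc['host']} "
                            f"is unencrypted")
        if loc["password"]:
            findings.append(f"{role}: password for user {loc['user']} is embedded "
                            f"in the command line")
    return findings


if __name__ == "__main__":
    for cmd in ("copy disk0:MYCONTEXT.cfg startup-config",
                "copy tftp://10.0.0.3/cisco/123file.bin flash:/123file.bin",
                "copy ftp://admin:letmein@10.0.0.3/configs/startup.cfg;type=an startup-config"):
        print(cmd)
        print("  parsed:", parse_copy(cmd))
        for finding in review_copy(cmd):
            print("  finding:", finding)
```

The FTP example from slide 29 yields two findings (cleartext transport and an embedded password), the TFTP image copy yields one, and the disk0-to-startup-config copy yields none, since it never leaves the appliance.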

Slide 30: Image Upgrade and Activation Keys

Slide 31: Viewing Version Information

    ciscoasa# show version

Displays the software version, hardware configuration, license key, and related uptime data.

    asa1# show version
    Cisco Adaptive Security Appliance Software Version 7.2(1)
    Device Manager Version 5.2(1)
    Compiled on Wed 31-May-06 14:45 by root
    System image file is disk0:/asa721-k8.bin
    Config file at boot was startup-config
    asa1 up 17 hours 40 mins
    ...

(Figure: the administrator at 10.0.0.11 asks the appliance for its version; host 10.0.0.3 and the Internet are also shown.)

Slide 32: Image Upgrade

    ciscoasa# copy tftp://server[/path]/filename flash:/filename

Enables you to change software images without accessing the TFTP monitor mode.

    asa1# copy tftp://10.0.0.3/asa721-k8.bin flash

The TFTP server at IP address 10.0.0.3 receives the command and determines the actual file location from its root directory information. The server then downloads the TFTP image to the security appliance.

(Figure: TFTP server at 10.0.0.3, administrator at 10.0.0.11, Internet.)

Slide 33: Entering a New Activation Key

    ciscoasa(config)# activation-key [noconfirm] {activation-key-four-tuple | activation-key-five-tuple}

Updates the activation key on the security appliance. Used to enable licensed features on the security appliance.

    asa1(config)# activation-key 0x12345678 0xabcdef01 0x2345678ab 0xcdef01234

(Figure: the administrator at 10.0.0.11 enters the activation key; host 10.0.0.3, the 192.168.0.0 network and the Internet are also shown.)

Slide 34: Upgrading the Image and the Activation Key

Complete the following steps to upgrade the image and the activation key at the same time:

Step 1: Install the new image.
Step 2: Reboot the system.
Step 3: Update the activation key.
Step 4: Reboot the system.

Slide 35: Troubleshooting the Activation Key Upgrade

Message: The activation key you entered is the same as the running key.
Problem and resolution: Either the activation key has already been upgraded or you need to enter a different key.

Message: The flash image and the running image differ.
Problem and resolution: Reboot the security appliance and re-enter the activation key.

Message: The activation key is not valid.
Problem and resolution: Either you made a mistake entering the activation key or you need to obtain a valid activation key.

Slide 36: Summary

Slide 37: Summary

- SSH provides secure remote management of the security appliance.
- TFTP is used to upgrade the software image on security appliances.
- You can configure the following types of command authorization:
  - Command authorization with password-protected privilege levels
  - Command authorization with username and password authentication
- The security appliance can be configured to permit multiple users to access its console simultaneously via Telnet.
- You can enable Telnet to the security appliance on all interfaces.
- Password recovery for the security appliance requires a TFTP server.
