Published by Lee Michael Nichols (modified over 8 years ago)

Lesson 3a: System Management and Maintenance
© 2005 Cisco Systems, Inc. All rights reserved. CSPFA v4.0—19-1

Managing System Access

Configuring Telnet Access to the Security Appliance Console

firewall(config)# telnet {{hostname | IP_address mask interface_name} | {IPv6_address interface_name} | {timeout number}}
    Specifies which hosts can access the security appliance console via Telnet.

firewall(config)# telnet timeout minutes
    Sets the maximum time a console Telnet session can be idle before being logged off by the security appliance.

firewall(config)# {passwd | password} password [encrypted]
    Sets the password for Telnet access to the security appliance.

Example:
    fw1(config)# telnet 10.0.0.11 255.255.255.255 inside
    fw1(config)# telnet timeout 15
    fw1(config)# passwd telnetpass

Figure: host 10.0.0.11 reaches the security appliance console via Telnet.

Viewing and Disabling Telnet

firewall# kill telnet_id
    Terminates a Telnet session.

firewall# who [local_ip]
    Enables you to view which IP addresses are currently accessing the security appliance console via Telnet.

firewall(config)# clear configure telnet
    Removes the Telnet connection and the idle timeout from the configuration.

firewall# show running-config telnet [timeout]
    Displays IP addresses permitted to access the security appliance via Telnet.

SSH Connections to the Security Appliance

SSH connections to the security appliance:
- Provide secure remote access
- Provide strong authentication and encryption
- Require RSA key pairs for the security appliance
- Require AES or 3DES activation keys
- Allow up to five SSH clients to simultaneously access the security appliance console
- Use the Telnet password for local authentication

Configuring SSH Access to the Security Appliance Console

firewall(config)# crypto key zeroize {rsa | dsa} [label key-pair-label] [default] [noconfirm]
    Removes any previously generated RSA keys.

firewall(config)# write memory
    Saves the CA state.

firewall(config)# domain-name name
    Configures the domain name.

firewall(config)# crypto key generate rsa [usage-keys | general-keys] [label key-pair-label] [modulus size] [noconfirm]
    Generates an RSA key pair.

firewall(config)# ssh {ip_address mask | ipv6_address/prefix} interface
    Specifies the host or network authorized to initiate an SSH connection.

firewall(config)# ssh timeout number
    Specifies how long a session can be idle before being disconnected.

Connecting to the Security Appliance with an SSH Client

    fw1(config)# crypto key zeroize rsa
    fw1(config)# write memory
    fw1(config)# domain-name cisco.com
    fw1(config)# crypto key generate rsa modulus 1024
    fw1(config)# write memory
    fw1(config)# ssh 172.26.26.50 255.255.255.255 outside
    fw1(config)# ssh timeout 30

Figure: an SSH client at 172.26.26.50 on the Internet connects to the appliance with username pix and the Telnet password (telnetpassword).

Viewing, Disabling, and Debugging SSH

firewall(config)# debug ssh
    Enables SSH debugging.

firewall(config)# clear configure ssh
    Removes all SSH command statements from the configuration.

firewall# ssh disconnect session_id
    Disconnects an SSH session.

firewall# show ssh sessions [ip_address]
    Enables you to view the status of your SSH sessions.

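The Telnet and SSH slides above configure who may reach the console and how long an idle session lives. The following added example (not part of the Cisco course material) audits a constructed running-config excerpt written with the lesson's telnet/ssh commands and flags the exposures a reviewer would raise: Telnet on a non-inside interface, any-host sources, and missing idle timeouts. The sample configuration and the finding wording are constructed for this example.

```python
import ipaddress
import re

# Constructed running-config excerpt (not from the slides): the lesson's
# telnet/ssh commands plus one risky telnet entry on the outside interface.
SAMPLE_CONFIG = """\
passwd telnetpass
telnet 10.0.0.11 255.255.255.255 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 15
ssh 172.26.26.50 255.255.255.255 outside
ssh timeout 30
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
ACCESS_RE = re.compile(rf"^(telnet|ssh)\s+{IPV4}\s+{IPV4}\s+(\S+)$")
TIMEOUT_RE = re.compile(r"^(telnet|ssh)\s+timeout\s+(\d+)$")

def parse_mgmt_access(config):
    """Collect permitted sources per interface and idle timeouts for console Telnet and SSH."""
    access = {"telnet": [], "ssh": []}
    timeouts = {}
    for line in config.splitlines():
        line = line.strip()
        if m := ACCESS_RE.match(line):
            proto, addr, mask, iface = m.groups()
            # ipaddress accepts the dotted-netmask form the CLI uses
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            access[proto].append((net, iface))
        elif m := TIMEOUT_RE.match(line):
            timeouts[m.group(1)] = int(m.group(2))
    return access, timeouts

def audit_mgmt_access(config):
    """Return the findings a reviewer would raise about console exposure."""
    access, timeouts = parse_mgmt_access(config)
    findings = []
    for net, iface in access["telnet"]:
        if iface != "inside":
            findings.append(f"telnet on '{iface}' from {net}: cleartext console access on a non-inside interface; use ssh")
        if net.prefixlen == 0:
            findings.append(f"telnet permitted from any host on '{iface}'")
    for net, iface in access["ssh"]:
        if net.prefixlen == 0:
            findings.append(f"ssh permitted from any host on '{iface}'")
    for proto in ("telnet", "ssh"):
        if access[proto] and proto not in timeouts:
            findings.append(f"{proto} idle timeout not set explicitly; the appliance default applies")
    return findings
```

Feed it the output of show running-config telnet and show running-config ssh (or the whole running configuration) to check a real appliance.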
Managing User Access Levels

Command Authorization Overview

The purpose of command authorization is to securely and efficiently administer the security appliance. It has the following types:
- Enable-level command authorization with passwords
- Command authorization using the local user database
- Command authorization using ACS

Enable-Level Command Authorization

Complete the following tasks to configure and use enable-level command authorization:
1. Use the enable command to create privilege levels and assign passwords to them.
2. Use the privilege command to assign specific commands to privilege levels.
3. Use the aaa authorization command to enable the command authorization feature.
4. Use the enable command to access the desired privilege level.

Create and Password-Protect Your Privilege Levels

firewall(config)# enable password password [level level] [encrypted]
    Configures enable passwords for the various privilege levels.

    fw1(config)# enable password Passw0rD level 10

firewall> enable [level]
    Provides access to a particular privilege level from the > prompt.

    fw1> enable 10
    Password: Passw0rD
    fw1#

Figure: the administrator at 10.0.0.11 enters "enable 10" and the level 10 password.

Assign Commands to Privilege Levels and Enable Command Authorization

firewall(config)# privilege [show | clear | configure] level level [mode {enable | configure}] command command
    Configures user-defined privilege levels for security appliance commands.

firewall(config)# aaa authorization command {LOCAL | server-tag}
    Enables command authorization.

Example:
    fw1(config)# enable password Passw0rD level 10
    fw1(config)# privilege show level 8 command access-list
    fw1(config)# privilege configure level 10 command access-list
    fw1(config)# aaa authorization command LOCAL

    firewall> enable 10
    Password: Passw0rD
    firewall# config t
    firewall(config)# access-list...

Command Authorization Using the Local User Database

Complete the following tasks to configure and use command authorization with the local user database:
1. Use the privilege command to assign specific commands to privilege levels.
2. Use the username command to create user accounts in the local user database and assign privilege levels to the accounts.
3. Use the aaa authorization command to enable command authorization.
4. Use the aaa authentication command to enable authentication using the local database.
5. Use the login command to log in and access privilege levels.

Creating User Accounts in the Local Database

firewall(config)# username {name} {nopassword | password password [encrypted]} [privilege priv_level]
    Configures the username for the specified privilege level.

    fw1(config)# username admin password passw0rd privilege 15
    fw1(config)# username kenny password chickadee privilege 10

Figure: the local database on the appliance holds admin (passw0rd, level 15) and kenny (chickadee, level 10).

Configuring Authentication with the Local Database

firewall(config)# aaa authentication {serial | enable | telnet | ssh | http} console server-tag [LOCAL]
    Enables user authentication.

Example:
    fw1(config)# privilege configure level 10 command access-list
    fw1(config)# username kenny password chickadee privilege 10
    fw1(config)# aaa authorization command LOCAL
    fw1(config)# aaa authentication enable console LOCAL

    firewall> login
    Username: kenny
    Password: chickadee
    firewall# config t
    firewall(config)# access-list...

Command Authorization Using ACS

Complete the following tasks to configure and use ACS command authorization:
1. Create a user profile on the TACACS+ server with all the commands that the user is permitted to execute.
2. Use the aaa-server command to specify the TACACS+ server.
3. Use the aaa authentication command to enable authentication with a TACACS+ server.
4. Use the aaa authorization command to enable command authorization with a TACACS+ server.

aaa authorization Command for Command Authorization with ACS

firewall(config)# aaa authorization command {LOCAL | server-tag}
    Enables command authorization.

Example:
    fw1(config)# aaa-server MYTACACS protocol tacacs+
    fw1(config-aaa-server-group)# aaa-server MYTACACS (inside) host 10.0.0.2 thekey timeout 20
    fw1(config-aaa-server-host)# aaa authentication enable console MYTACACS
    fw1(config)# aaa authorization command MYTACACS

Figure: the MYTACACS server at 10.0.0.2 performs authentication and authorization for the administrator at 10.0.0.11.

Viewing Your Command Authorization Configuration

firewall# show running-config [all] privilege [all | command command | level level]
    Displays the privileges for a command or set of commands.

firewall# show curpriv
    Displays the user account that is currently logged in.

Lockout

Figure: the administrator at 10.0.0.11 is locked out. The path to the MYTACACS server (10.0.0.2) is marked X, and the local database (admin passw0rd 15, kenny chickadee 10) is also marked X.

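The privilege, username, aaa authentication and lockout slides above describe one authorization model: a command needs the level assigned to it, a user carries the level from the local database or the AAA server, and the method list decides who answers at login. The following added example (not Cisco code) models that logic over a constructed configuration built from the lesson's commands. The TACACS+ server is simulated as a dictionary (None meaning unreachable), and the rule that an unassigned command requires level 15 is an assumption of the model, not something the slides state.

```python
import re

# Constructed configuration (not from the slides) assembled from the lesson's
# privilege, username and aaa commands, with LOCAL as the fallback method.
SAMPLE_CONFIG = """\
privilege show level 8 command access-list
privilege configure level 10 command access-list
username admin password passw0rd privilege 15
username kenny password chickadee privilege 10
aaa authentication enable console MYTACACS LOCAL
aaa authorization command LOCAL
"""

PRIV_RE = re.compile(r"^privilege (show|clear|configure) level (\d+) command (\S+)$")
USER_RE = re.compile(r"^username (\S+) password (\S+) privilege (\d+)$")
AUTH_RE = re.compile(r"^aaa authentication enable console (.+)$")

def parse_config(config):
    """Build the command-level table, the local user table and the enable method list."""
    levels, users, methods = {}, {}, []
    for line in config.splitlines():
        if m := PRIV_RE.match(line):
            verb, level, cmd = m.groups()
            levels[(verb, cmd)] = int(level)
        elif m := USER_RE.match(line):
            name, password, level = m.groups()
            users[name] = (password, int(level))
        elif m := AUTH_RE.match(line):
            methods = m.group(1).split()
    return levels, users, methods

def authenticate(config, username, password, tacacs):
    """Walk the enable-authentication method list in order; return the granted level or None.
    'tacacs' simulates the MYTACACS user table, None meaning the server is unreachable
    (the Lockout slide). A LOCAL entry after the server tag is the fallback for that case."""
    _, users, methods = parse_config(config)
    for method in methods:
        table = users if method == "LOCAL" else tacacs
        if table is None:
            continue                       # server unreachable: try the next method
        entry = table.get(username)
        return entry[1] if entry and entry[0] == password else None
    return None                            # no method could answer: locked out

def authorized(config, user_level, verb, command, default_level=15):
    """True when the user's level meets the level assigned to the verb+command pair.
    Assumption (not stated on the slides): an unassigned command needs default_level."""
    levels, _, _ = parse_config(config)
    return user_level >= levels.get((verb, command), default_level)
```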
Password Recovery: PIX

1. Download the following file from Cisco.com: npXX.bin (where XX = the PIX Firewall image version number).
2. Reboot the system and break the boot process when prompted to go into monitor mode.
3. Set the interface, IP address, gateway, server, and file to TFTP the previously downloaded image.
4. Follow the directions displayed.

Password Recovery: ASA

firewall(config)# service password-recovery
    Enables password recovery. On by default.

    fw1(config)# no service password-recovery
    WARNING: Executing "no service password-recovery" has disabled the password recovery mechanism and disabled access to ROMMON. The only means of recovering from lost or forgotten passwords will be for ROMMON to erase all file systems including configuration files and images. You should make a backup of your configuration and have a mechanism to restore images from the ROMMON command line.

Managing Software, Licenses, and Configurations

Viewing Directory Contents

firewall(config)# dir [/all] [all-filesystems] [/recursive] [disk0: | disk1: | flash: | system:] [path]
    Displays the directory contents. The pwd command displays the current working directory.

    fw1# dir
    Directory of disk:/
    8    -rw-  5124096  13:01:10 Apr 19 2005  pix701.bin
    9    -rw-  4908     12:52:39 Mar 16 2005  old_running2.cfg
    10   -rw-  4087     10:03:57 Apr 04 2005  old_running.cfg
    15998976 bytes total (5573632 bytes free)

Viewing File Contents

firewall# more {/ascii | /binary | /ebcdic | disk0: | disk1: | flash: | ftp: | http: | https: | system: | tftp:}filename
    Displays the contents of a file.

    fw1# more test.cfg
    : Saved
    : Written by enable_15 at 10:04:01 Apr 14 2005
    XXX Version X.X(X)
    nameif vlan300 outside security10
    enable password 8Ry2YjIyt7RRXU24 encrypted
    …

Directory Management

firewall# mkdir [/noconfirm] [disk0: | disk1: | flash:]path
    Creates a new directory.

firewall# rmdir [/noconfirm] [disk0: | disk1: | flash:]path
    Removes a directory.

firewall# cd [disk0: | disk1: | flash:] [path]
    Changes the current working directory to the one specified.

Copying Files

firewall(config)# copy [/options] {url | local:[path] | running-config | startup-config} {running-config | startup-config | url | local:[path]}
    Copies a file from one location to another.

    fw1(config)# copy disk0:my_context/my_context.cfg startup-config
    fw1(config)# copy disk0:my_context/my_context.cfg running-config

Installing Application or ASDM Software Example

When you log into the security appliance during normal operation, you can copy the application software or ASDM software to the Flash file system from a TFTP, FTP, HTTP, or HTTPS server.

firewall(config)# copy tftp://server[/path]/filename flash:/filename

    fw1(config)# copy tftp://10.0.0.3/cisco/123file.bin flash:/123file.bin

Figure: the TFTP server at 10.0.0.3 supplies the ASDM image to the appliance.

Downloading and Backing Up Configuration Files Example

firewall(config)# copy ftp://[user[:password]@]server[/path]/filename[;type=xx] startup-config
    Copies the configuration file from an FTP server.

    fw1(config)# copy ftp://admin:letmein@10.0.0.3/configs/startup.cfg;type=an startup-config

firewall(config)# copy {startup-config | running-config | disk0:[path/]filename} ftp://[user[:password]@]server[/path]/filename[;type=xx]
    Copies the configuration file to an FTP server.

Figure: the FTP server at 10.0.0.3 stores the configuration file.

Image Upgrade and Activation Keys

Viewing Version Information

firewall(config)# show version
    Displays the software version, hardware configuration, license key, and related uptime data.

    fw1# show version
    …
    This machine has a Restricted (R) license.
    Serial Number: 12345678
    Running Activation Key: 0xbd27f269 0xbc7ebd46 0x1c73e474 0xbb782818 0x071dd0a6
    Configuration has not been modified since last system restart.

Image Upgrade

firewall(config)# copy tftp://server[/path]/filename flash:/filename
    Enables you to change software images without accessing the TFTP monitor mode. The TFTP server at IP address 10.0.0.3 receives the command and determines the actual file location from its root directory information. The server then downloads the image to the security appliance.

    fw1# copy tftp://10.0.0.3/pix700.bin flash

Entering a New Activation Key

firewall(config)# activation-key [activation-key-four-tuple | activation-key-five-tuple]
    Updates the activation key on your security appliance. Used to enable licensed features on the security appliance.

    fw1(config)# activation-key 0x12345678 0xabcdef01 0x2345678ab 0xcdef01234

Upgrading the Image and the Activation Key

Complete the following steps to upgrade the image and the activation key at the same time:
Step 1: Install the new image.
Step 2: Reboot the system.
Step 3: Update the activation key.
Step 4: Reboot the system.

Troubleshooting the Activation Key Upgrade

Message: The activation key you entered is the same as the running key.
Problem and resolution: Either the activation key has already been upgraded or you need to enter a different key.

Message: The Flash image and the running image differ.
Problem and resolution: Reboot the security appliance and reenter the activation key.

Message: The activation key is not valid.
Problem and resolution: Either you made a mistake entering the activation key or you need to obtain a valid activation key.

Summary

- SSH provides secure remote management of the security appliance.
- TFTP is used to upgrade the software image on security appliances.
- You can configure three different types of command authorization: enable level with password, local command authorization, and ACS command authorization.
- The security appliance can be configured to permit multiple users to access its console simultaneously via Telnet.
- You can enable Telnet to the security appliance on all interfaces.
- Password recovery for the security appliance requires a TFTP server.