Usuario:Ciscoequip

De Wikis en Educación

Cisco IT Network Reseller Cisco Reseller Cisco Solution Cisco Services Cisco Routers Cisco Switches Cisco Security Cisco Wireless Cisco VPN Client Cisco Mobility Cisco Supports Cisco Client VPN Cisco Router Network Asset Recovery Buy Cisco Sell Cisco Irvine Cisco South Cali Cisco Orange County Cisco Los Angeles Cisco


Configuring the Cisco PIX/ASA Complete configuration from the Cisco PIX is in the evening scope with this book. However, we will cover a number of the initial steps forced to create the PIX as well as allow the website owner access to the gui (GUI), the Adaptive Security Device Manager (ASDM) (previously referred to as PIX Device Manager [PDM] for software versions before 7.0).

To initially configure a PIX as is also, connect a serial connecter towards the console port from the PIX (that's typically outlined with a light blue color). Operate the blue serial port cable that had the PIX. If you cannot discover that cable, you might also make use of a null modem or a rollover cable. The serial port settings inside the terminal emulation software using the pc really should be as indexed in


Baud

9600

Parity

None

Volume of Bits

8

Range of Stop Bits

1



Following the console connection has become established, begin the terminal emulation software (Ms windows typically contains HyperTerminal, and you can now alternatively use TeraTerm Pro) together with the settings in Table 6-1. The PIX command prompt should immediately appear (if they are not press the Enter button to the keyboard):

    pixfirewall>


Next, type the enable command gain access to the privileged mode of execution. Automatically, the enable password at a new PIX will not be set:

    pixfirewall> enable
    Password:
    pixfirewall#


Automatically, the enable command assumes that this user is attempting to find privilege level 15 (the greatest privilege level). To start out configuring the PIX for basic network access, several actions ought to be performed:

Assign IP addresses for that firewall interfaces.

Configure the firewall name, domain address, and passwords.

Configure the firewall routing settings.

Configure the firewall for remote management access.

Configure the network address translation settings for outbound access.

Configure the ACLs.

Configure logging about the firewall.

Assigning IP Addresses towards Firewall Interfaces To communicate around the network, the firewall will need IP addresses used on the firewall interfaces. The process of carrying this out changed between PIX/ASA version 6.x and 7.x, although the fundamental steps offer the same: Let the interface, configure the interface itself, and assign an IP address on the interface.

Assigning IP Addresses in PIX 6.x To assign IP addresses to your PIX interfaces, the administrator must enter configuration mode. Considering that the PIX runs on the command interface that is similar to IOS, administrators enter configuration mode while they would for a Cisco IOS-based router:

   firewall# configure terminal
   firewall(config)#


When in configure mode, the next item is to encourage the interfaces. The PIX interfaces are administratively turn off during the default configuration. Permit the interfaces, utilize interface hardware-id hardware-speed command:

   firewall(config)# interface ethernet0 auto
   firewall(config)# interface ethernet1 auto


Automagically, the Ethernet0 (or FastEthernet0) hardware-id is the outside interface along with the Ethernet1 (or FastEthernet1) hardware-id is the inside interface. The configuration on the interface is performed by the auto command word. This specifies the fact that interface speed should be dependant upon the PIX rather then be laid out in the administrator. You may as well manually define the hardware speed (one example is, 10 or 100).

An additional step to configuring the interface is usually to assign a brand and security level towards the interface. Automagically, the side interface incorporates a security volume of 0; the medial side interface has a security level of 100. The name that you simply assign would be the name that can be used through the configuration to only identify confirmed interface. For instance, this allows you to use inside to refer to the Ethernet1 interface. Feel free to use the command nameif hardware-id if-name security-lvl to configure the interface name and security level:

  firewall(config)# nameif ethernet0 outside security0
  firewall(config)# nameif ethernet1 inside security100


Using the interfaces now active and configured, the IP addresses is often assigned (it is simply as is feasible to assign the IP addresses earlier than enabling the interface, though the interfaces still will likely not work until enabled).

Assigning IP addresses is completed within the global configuration mode. The firewall supports static IP addresses on all interfaces and might additionally be configured to make use of DHCP or PPPoE-assigned addresses on the outside of interface only. To assign a static IP address, use the ip interface-name ip-address subnet-mask command:

   firewall(config)# ip outside 10.19.24.1 255.255.255.0
   firewall(config)# ip inside 192.168.122.1 255.255.255.0


To make certain the PIX can contact devices for both sides, ping the address on the system on either interface:

   firewall(config)# ping 10.19.24.100
           10.19.24.100 response received -- 0ms
           10.19.24.100 response received -- 0ms
           10.19.24.100 response received -- 0ms
   firewall(config)# ping 192.168.122.226
           192.168.122.226 response received -- 0ms
           192.168.122.226 response received -- 0ms
           192.168.122.226 response received -- 0ms
   firewall(config)#


Assigning IP Addresses in PIX/ASA 7.x For the PIX/ASA 7.0 software, the commands that should be run have changed, nevertheless the necessary steps are indifferent: Give the interface, configure the interface itself, and assign the interface Ip. In the global configuration mode, access the interface configuration mode for the interface that you might want to configure by running the interface interface-name interface-number command:

   firewall(config)# interface ethernet 2
   firewall(config-if)#


If you find yourself during the interface configuration mode, you may perform each of the interface configuration and Ip assignments. To enable the interface, run no shutdown command. To list the interface, run the nameif name command. To assign the safety level, run the security-level number command. To configure final results and duplex settings around the interface, run the incidence 100 command and also the duplex half command. Types of these commands follow:

   firewall(config-if)# no shutdown
   firewall(config-if)# nameif dmz01
   firewall(config-if)# security-level 50
   firewall(config-if)# speed auto
   firewall(config-if)# duplex auto


Configuring the IP address is a few running the ip address ip-address [mask] or even the ip address dhcp [setroute] command. The setroute option helps you configure the firewall to make use of the path assigned because of the DHCP server because the default route to the firewall. Unlike previous versions of software, PPPoE is not supported, and DHCP addresses is often allotted to any interface (not only the exterior interface). In most cases, you need to assign a static IP address, as shown here:

   firewall(config-if)# ip 10.21.67.17 255.255.255.240


Repeat these commands for anyone interfaces that should be configured.

Note

Similar to Cisco devices, changing the configuration only changes the running configuration. For your changes to be considered permanent and dedicated to memory, they should be saved to NVRAM. For PIX software running 6.x and earlier, this can be done by running the write memory command within the privileged mode of execution:


   firewall# write memory


For PIX/ASA software running 7.x and newer, this is successfully done by running the copy running-config startup-config command:

   firewall# copy running-config startup-config


You must do this as you are finished running commands and are also ready with the firewall configuration to get made permanent.

Configuring the Firewall Name, Domain, and Passwords Now that the firewall continues to be assigned IP addresses as well as the interfaces are functioning properly the next phase is to configure some basic firewall configuration values such as the firewall host name, domain, and passwords. The commands to operate these configurations are indifferent for everyone versions on the PIX/ASA software. You can configure the host name by running the hostname name command, plus the website is configured by running the domain-name domain command in the global configuration mode:

   firewall(config)# hostname houqepixfw01
   houqepixfw01(config)# domain-name houqe.lab


The two main passwords how the PIX/ASA uses by default (and you are also not using any type of AAA authentication). The first is referred to as login password and is utilized to authenticate remote access via Telnet or SSH. The command to get the login password is passwd password:

   houqepixfw01(config)# passwd ReallyDifficultPassword


Second is known as the enable password as well as being used to access the world configuration mode and to provide ASDM/PDM access. The command to get the enable password is enable password password level level and it is shown here. The amount syntax is not needed, in case left blank defaults to privilege level 15. You are able to set multiple passwords, each granting usage of a new privilege level.

   houqepixfw01(config)# enable password DifferentPasswordThanPasswd


At this time, the firewall has the ability to authenticate administrative access and remote management access connections (eventhough it still must be configured to let remote management access).

Configuring the Firewall Routing Settings With IP connectivity established, you need to to configure routing for your firewall. The firewall supports both static routes and dynamic routing using Open Shortest Path First (OSPF; for more information about configuring OSPF routing, see Cisco ASA and PIX Firewall Handbook [Cisco Press]). You can configure static routes on all software versions by running the road interface-name ip-address netmask gateway-ip [metric | tunneled] command. This same command can often set the default route for that PIX as follows:

   houqepixfw01(config)# route outside 0.0.0.0 0.0.0.0 10.21.67.2 1


The additional value 1 at the end of the road command specifies the metric to the next hop and is also optional. Usually, the default route points on the next-hop router for the firewall via the internet, such as pointing to the web service agency router.

Configuring the Firewall for Remote Management Access The PIX/ASA firewall supports three primary strategies for remote management access:

Telnet

SSH

ASDM/PDM

Both Telnet and SSH are employed provide CLI access to the firewall, whereas the ASDM/PDM gives an HTTPS-based GUI management console.

Configuring Telnet Access Telnet remote management would be the simplest, yet least secure, technique of remotely managing the firewall. The true reason for that is that Telnet doesn't encrypt the details in transmit and in fact sends the info in cleartext. It is then feasible for a malicious user to capture your data and learn the likes of the passwords necessary to get access to the firewall. As a result deficiency, it is not possible to access a PIX/ASA firewall within the outside interface using Telnet alone (although PIX/ASA does support Telnet towards you interface when it is protected by IPsec).

The configuration allowing Telnet access is the identical for all PIX/ASA software versions. This is accomplished by running the telnet ip-address mask interface-name command for the global configuration mode:

   houqepixfw01(config)# telnet 10.21.120.15 255.255.255.255 inside


You could restrict Telnet access to certain IP addresses or hosts by defining the appropriate subnet mask. By way of example, from the preceding command, exactly the host with IP address 10.21.120.15 is able to connect to the firewall. Additionally you can define the interface that the Telnet access shall be allowed to by using the appropriate interface name (including, inside or dmz01, in the event you named an interface dmz01).

Due to the general insecurity of Telnet, and because SSH provides the same functionality into the firewall, use SSH as an alternative to Telnet.

Configuring SSH Access Configuring SSH turns out to be more involved than configuring Telnet access because for a link with be established using SSH the marked host will need an RSA key pair for identity certificates. Therefore, configuring SSH access serves as a number of smaller steps that must be performed:

The first step. Assign a bunch and url of your website on the firewall.


Automobile. Generate and save the RSA key pair.


Step 3. Configure the firewall to permit SSH access.


The task for assigning the host and domain to your firewall was covered previously on this chapter. Precisely why you must do that is always that the RSA key pairs use the host and website name during the key-generation process.

Generating and saving the RSA key pair is accomplished in a of two methods depending on you may be using PIX 6.x or PIX/ASA 7.0. For PIX 6.0, you can generate the RSA key pair by running the ca generate rsa key key-size command in the global configuration mode:

   houqepixfw02(config)# ca generate rsa key 1024
   For <key_modulus_size> >= 1024, key generation could
     take nearly several minutes. Please wait.
   Keypair generation process begin.
   .Success.
   houqepixfw02(config)#


One of the bigger deficiencies of the PIX 6.x software is that, unlike another configuration setting, the RSA keys may not be saved once you issue the write memory command. Instead, carried out saved separately while using ca save all command in the global configuration mode:

   houqepixfw02(config)# ca save all


For any PIX/ASA 7.x software, generating the RSA keys necessitates the utilization of the following command:

   crypto key generate rsa [ usage-keys | general-keys ] [ label key-pair-label ]
        [ modulus size ] [ noconfirm ]


In most cases, the one syntax required is a following:

   houqepixfw01(config)# crypto key generate rsa modulus 1024
   INFO: The reputable name the keys shall be: <Default-RSA-Key>
   Keypair generation process begin. Please wait...
   houqepixfw01(config)#


It is possible to specify a modulus size 512, 768, 1024 (the default size), or 2048. Unlike previous software versions, the RSA keys are saved after you save the firewall configuration (as an example, by running the command copy running-config startup-config).

Following RSA keys have already been generated, the key to actually permit SSH accessibility firewall is similar for many software versions as well as being the same as how Telnet access is permitted. Just run the command ssh ip-address mask interface command:

   houqepixfw01(config)# ssh 10.21.120.15 255.255.255.255 inside


Like Telnet, SSH can be limited by subnets or hosts. Unlike Telnet, SSH can be configured for remote access to the outside interface.

PIX/ASA 7.x will also support running SSHv1 or SSHv2 (previous software versions supported a variant of SSHv1 1 named version 1.5). Typically, SSHv2 is recognized as more safe, additionally, the firewall might be limited by only supporting SSHv2 by running the ssh version 2 command.

Configuring ASDM/PDM Access Along with the CLI management methods, PIX/ASA firewalls support a GUI for remote management. For PIX 6.x, this management interface is recognized as the PIX Device Manager (PDM). For PIX/ASA 7.x, this management interface is referred to as the Adaptive Security Device Manager (ASDM). Both of them are extremely akin to the other, while using the ASDM being the logical upgrade and option to the PDM. The ASDM/PDM functions as a web-based management interface employing a small web server running over the firewall and Java plug-ins for the client computer to operate. Configuring the ASDM/PDM uses a number of steps that will be the exact same for many software versions. First, you must just remember to have downloaded and installed the ASDM/PDM software about the firewall (by default, it is in addition to the firewall). Second, you must encourage the HTTP server within the firewall by running the http server enable command. Third, you need to permit HTTP access in a very manner similar to Telnet and SSH by running the http ip-address mask command:

  houqepixfw02(config)# http server enable
  houqepixfw02(config)# http 10.0.0.0 255.0.0.0 inside


Configuring NAT Settings for Outbound Access Following your default route have been set, the PIX/ASA will be in a position to pass traffic amongst the inside, higher-security interface and also the outside, lower-security interface. For most situations, to provide for this outbound traffic functionality it is advisable to configure NAT because firewall will typically be hiding the internal network IP addresses in the external network resources using NAT. It is not a necessity, however (eventhough it is often recommended), along with the PIX/ASA 7.0 particularly doesn't require NAT for outbound communications. The configuration (or lack thereof) for NAT differs based on regardless if you are using PIX 6.x or PIX/ASA 7.0.

Configuring NAT for PIX 6.x Outbound access with the PIX firewall generally necessitates the configuration of two policies. First, define the translation method that might be used for your outbound requests. Second, make sure that one bit of ACL are available for the given network interface that the access rule is scheduled to let the traffic under consideration. By default, the PIX firewall allows all traffic from a higher-security interface to some lower-security interface, due to the fact there isnt a default ACL on any interface.

There's two primary strategies to performing translation: a static translation or even a dynamic translation. Static translations are essentially a 1 hour to 1 mapping of internal addresses to external addresses. Therefore, they want the internal address not change and therefore never are generally a successful technique for providing outside entry to a variety of hosts. Instead, they tend for usage jointly with ACLs to offer the means to access internal resources from external sources (we address this configuration later in such a chapter).

Dynamic translation uses NAT/PAT to dynamically assign addresses (or ports) to internal hosts which require external access. The firewall monitors which communications sessions remain in each internal host and allows the firewall to accomplish the specified translations.

To configure dynamic NAT, you need to create a NAT rule. The easiest way to achieve this is always to specify what visitors are to be translated while using nat command and create some sort of pool making use of the global command. The nat command is used to define what local addresses will be included for NAT. The syntax with the command is the:

   nat [(local-interface)] id local-ip [mask [ dns ] [ outside | [ norandomseq ]
       [max_conns [emb_limit]]]


The id and local-ip syntax are used to define a nearby IP addresses that is to be as part of the corresponding NAT translation (defined by the ID). A notable exception to the will be the nat 0 access-list acl-name command, which configures the firewall don't use NAT for any addresses that match the related ACL. This is certainly typically used in access across VPN connections. Generally in most other cases, you would probably define the NAT addresses as follows:

   houqepixfw02(config)# nat (inside)1 0.0.0.0 0.0.0.0


However, we've got specified to use NAT for those addresses. As we only wanted NAT for use for addresses about the 10.1.1.0/24 subnet, we might have replaced the local-ip and mask with 10.1.1.0 and 255.255.255.0. After you have defined what local addresses should use NAT, you need to to configure the world pool.

The international command can be used to define the pool of global addresses that will be utilised by the translation rule. The simplest way to think about the international addresses is necessities such as external addresses that the internal clients will appear to become caused by when they access external resources. You can specify one or two global addresses in the pool. In the event you specify one particular address in place of performing NAT, the firewall will automatically perform PAT instead. The syntax on the command is:

   global [(if-name)] nat-id global-ip [-global-ip] [netmask global-mask] | interface


The interface syntax may be used to specify to use the interface Ip for PAT rather than defining an extra Ip for the global pool. The vast majority of useful for times when you will find there's single address readily available for use (by way of example, when using a PIX firewall inside of a SOHO environment spanning a broadband connection which include digital subscriber line [DSL] or cable modem). These command configures a universal pool upon an outside interface to implement addresses 10.21.67.40/28-10.21.67.45/28:

   houqepixfw02(config)# global (outside)1 10.21.67.40-10.21.67.45 netmask
     255.255.255.240


When every one of the IP addresses are employed by NAT, the firewall will automatically switch the signal from using PAT (assuming that a PAT statement has been configured) permitting more addresses out. Alternatively, in the event you have the IP address that could be assigned to the interface, you can simplify the worldwide command the following:

  houqepixfw02(config)# global (outside)1 interface
  outside interface address combined with PAT pool
  houqepixfw02(config)#


Let's assume that there isnrrrt an ACL that should be configured, the hosts based on the NAT translation rule could have outbound access.

Configuring NAT for PIX/ASA 7.x A serious difference between the PIX/ASA 7.x software and former versions is always that automagically the firewall doesn't require NAT and definitely will allow outbound access without any additional configuration required. Not surprisingly, should your environment requires NAT (which most Internet-connected firewalls require), you should execute the right NAT configuration commands for the firewall.

To require NAT for communications, you ought to first run the nat-control command (no additional syntax). When NAT control is disabled (the default), the firewall allows communications with outside hosts with no configuration of any NAT rule. When NAT control has long been enabled, the next task is to run the nat and global commands. For any PIX/ASA 7.x, the nat and global syntax differs slightly:

  nat (real-ifc) nat-id real-ip [mask [dns] [outside] [[tcp] tcp-max-conns
    [emb-limit]] [udp> udp-max-conns] [norandomseq]]
  global (mapped-ifc) nat-id  interface


During this case, however, the exact commands will be the identical command syntax for previous versions of software. Therefore, running all three commands might appear to be this:

  houqepixfw01(config)# nat-control
  houqepixfw01(config)# nat (inside)1 0.0.0.0 0.0.0.0
  houqepixfw01(config)# global (outside)1 10.21.67.10-10.21.67.14 netmask
    255.255.255.240


In this instance, NAT control is enabled, a NAT pool for those internal addresses is configured, as well as a global pool from 10.21.67.10 through 10.21.67.14 is configured. At this time, internal hosts can access external resources using NAT.

Alternatively, in case you just have the IP address that is assigned to the interface, you can simplify the worldwide command the following:

 houqepixfw01(config)# global (outside)1 interface
 INFO: outside interface address added onto PAT pool
 houqepixfw01(config)#


Configuring the ACLs Controlling traffic is the premise off firewalls, as well as the PIX/ASA controls the flow of traffic via the firewall by implementing ACLs. PIX/ASA ACLs are essentially linked lists of values generally known as ACL entries (ACEs) that are parsed from a top-down manner with entries towards the top of the ACL being processed before entrees further across the ACL are processed. This processing is carried out within a first-match manner, consequently the moment the data being processed by an ACL is matched in an ACE, the ACL stops being parsed as well as action defined in the matching ACE is made. Therefore, be certain that once you create your ACLs you'd put entries to allow for traffic ahead of entries that deny traffic; otherwise, once the data matches an ACE that denies the traffic, the traffic are going to be blocked, and the ACE that permits the traffic will not processed.

The configuration and implementation of ACLs is really a two-step process:

1. Define the ACL and implement the ACEs.


2. Assign the ACL with an interface.


Defining the ACL and Implementing the ACEs The PIX/ASA supports several unique types of ACLs:

Access list EtherType This ACL can be used to filter traffic in accordance with the EtherType value.

Access list extended This is the most frequently implemented kind of ACL which is used in general-purpose filtering of TCP/IP-based traffic.

Access list standard This ACL is used to spot the destination IP addresses which is employed in a route map for OSPF route redistribution.

Access list webtype This ACL is used for WebVPN filtering which is only supported on PIX/ASA 7.1 and newer.

You may configure multiple different types of ACLs with a PIX firewall and define multiple ACLs of the identical type. To do so enables you to define purpose-based ACLs. A purpose-based ACL ensures that the ACL is defined to get a given purpose and also the ACEs within the ACL are written explicitly for that purpose. Doing this permits you to use different ACLs to control and filter traffic in multiple situations. For example, you might build one ACL to manage traffic from the Internet into a DMZ segment and build another ACL with different ACEs to master traffic coming from the DMZ towards internal network.

Building an ACL is a nice straightforward procedure that typically requires defining these elements:

What action should be taken for traffic that fits your foot the ACE in the ACL?

What protocol is being used?

Just what is the source to your traffic?

Is there a place to go for the traffic?

What application port/ports are used?

ACLs are designed on all software versions by running the access-list command with all the appropriate parameters. Table 6-2 shows the parameters available for a longer ACL.

Table 6-2. access-list Parameters Parameter

Description

default

(Optional) Sets logging towards default method, which is to send system log message 106023 each denied packet.

deny

Denies a packet if ever the conditions are matched. When it comes to network access (the access-group command), this keyword prevents the packet from passing through the security appliance. In the case of applying application inspection to some class map (the class-map and inspect commands), this keyword exempts the traffic from inspection. Some features never let deny ACEs to use, for example NAT. Be conscious of the command documentation for each feature making use of an ACL to acquire more information.

dest_ip

Specifies the IP address of the network or host which the packet will be sent. Enter into the host keyword ahead of the IP address to specify just one address. However, usually do not enter a mask. Enter in the any keyword instead of the address and mask to specify any address.

disable

(Optional) Disables logging just for this ACE.

icmp_type

(Optional) Should the protocol is icmp, specifies the ICMP type.

id

Specifies the ACL ID, to be a string or integer about 241 characters in total. The ID is case sensitive. Tip: Employ all capital letters so its possible to view the ACL ID better in the configuration.

inactive

(Optional) Disables an ACE. To reenable it, go into the entire ACE without worrying about inactive keyword. This feature allows you to keep a record of your inactive ACE in the configuration to help make reenabling easier.

interface ifc_name

Specifies the interface address as being the source or destination address.

interval secs

(Optional) Specifies the log interval in which to develop a 106100 system log message. Valid values come from 1 to 600 seconds. The default is 300.

level

(Optional) Sets the 106100 system log message level from 0 to 7. The default level is 6.

line line-num

(Optional) Specifies the queue number from which to insert the ACE. Unless you specify a line number, the ACE is included with no more the ACL. The cloths line number seriously isn't trapped in the configuration; it only specifies where you can insert the ACE.

log

(Optional) Sets logging options every time a deny ACE matches a packet for network access (an ACL applied using the access-group command). If you ever enter into the log keyword without any arguments, you enable system log message 106100 with the default level (6) likely default interval (300 seconds). Unless you type in the log keyword, the default logging occurs, using system log message 106023.

mask

The subnet mask to the IP address. Whenever you specify a network mask, the method is different from the Cisco IOS Software access-list command. The protection appliance runs on the network mask (as an example, 255.255.255.0 to get a Class C mask). The Cisco IOS mask uses wildcard bits (one example is, 0.0.0.255).

object-group icmp_type_obj_grp_id

(Optional) Should the protocol is icmp, specifies the identifier of the ICMP-type object group. Understand the object-group icmp-type command to increase a thing group.

object-group network_obj_grp_id

Specifies the identifier of your network object group. Understand the object-group network command to increase an item group.

object-group protocol_obj_grp_id

Specifies the identifier of your protocol object group. See the object-group protocol command to increase an object group.

object-group service_obj_grp_id

(Optional) In case you set the protocol to tcp or udp, specifies the identifier of an service object group. Begin to see the object-group service command to increase something group.

operator

(Optional) Matches the port numbers used by the fundamental cause or destination. The permitted operators are as follows: 

lt (a lot less than)

gt (more than)

eq (add up to)

neq (not similar to)

range (a complete variety of values. By using this operator, specify two port numbers, by way of example, range 100 200.)


permit

Permits a packet if ever the conditions are matched. Regarding network access (the access-group command), this keyword lets the packet pass through the protection appliance. In the event of applying application inspection towards a class map (the class-map and inspect commands), this keyword applies inspection for the packet.

port

(Optional) In the event you set the protocol to tcp or udp, specifies the integer or name of an TCP or UDP port. DNS, Discard, Echo, Ident, NTP, RPC, SUNRPC, and Talk each require one definition for TCP the other for UDP. TACACS+ requires one definition for port 49 on TCP.

protocol

Specifies the IP protocol name or number. One example is, UDP is 17, TCP is 6, and EGP is 47.

src_ip

Specifies the IP address of the network or host from where the packet has sent. Enter the host keyword prior to a Ip to specify only one address. In this situation, will not enter a mask. Enter into the any keyword rather than the address and mask to specify any address.

time-range time_range_name

(Optional) Schedules each ACE to generally be activated at particular times of waking time and week through the use of a moment range into the ACE. View the time-range command for information about defining a moment range.



The syntax the fact that parameters are input in a extended ACL is usually as follows:

   access-list id [line line-number] [extended]  permit 
      object-group protocol_obj_grp_id 
      object-group network_obj_grp_id [operator port | object-group
       service_obj_grp_id]  interface ifc_name  [operator port | object-group service_obj_grp_id |
      object-group icmp_type_obj_grp_id] [log [[level] [interval secs] | disable
      | default]] [inactive | time-range time_range_name]


Even though this might appear to be too much info online, numerous values are optional instead of necessary generally. Most access-list entries function abbreviated syntax:

   access-list id  permit protocol source destination operator port


Such as, if you ever needed to define an access-list entry to permit HTTP traffic in the host to your web server, you'd probably run these command:

   houqepixfw01(config)# access-list out_in_01 permit tcp any host 10.21.67.2 eq http


On this example, we defined an ACL ID of "out_in_01" and configured it to permit TCP port 80 (HTTP) from the source for the destination 10.21.67.2. If you'd like precisely the same ACL also to permit SMTP people to another type of server, run the subsequent command:

   houqepixfw01(config)# access-list out_in_01 permit tcp any host 10.21.67.3 eq smtp


You can view the ACL to discover that both lines have already been included in identical ACL by running the following command (the implicit deny ip any any rule at the end of all ACLs is not shown, a justification to explicitly add it to all ACLs):

   houqepixfw01(config)# show access-list out_in_01
   access-list out_in_01; 2 elements
   access-list out_in_01 line 1 extended permit tcp any host 10.21.67.2 eq www (hitcnt=0)
   access-list out_in_01 line 2 extended permit tcp any host 10.21.67.3 eq smtp (hitcnt=0)


The hitcnt value displays whether any packets have matched the ACE, which can support troubleshooting connectivity throughout the firewall. One example is, if you can not view the hitcnt value increasing when traffic that may be said to be matching the ACL is now being transmitted, it could mean that the ACL is misconfigured. A typical example of that happening will be accidentally specifying an unacceptable protocol with the ACL (for instance, using TCP when you purchase UDP).

Once the ACL has been defined, the firewall still is not using the ACL. For your to happen, you must assign the ACL to an interface.

Assigning the ACL to the Interface Fundamentally, there's 2 methods of filtering traffic: ingress filtering and egress filtering. Ingress filtering defines filtering traffic that may be stepping into a dependable network from an untrusted network.

Egress filtering defines filtering traffic that's from the trusted network to a untrusted network.

For PIX software version 6.x and below, all ACLs were put on to traffic stepping into an interface. So, as an example, if you desired to apply an ACL for traffic coming from the internet to some DMZ segment, you'll apply the ACL to the outside interface with the firewall, thus letting it to filter traffic entering the firewall on the outside of interface. This could be certainly one of an ingress filter. To generate an egress filter (for example, to filter traffic internally network to the outside network), you would probably apply the perfect ACL on the inside interface.

While using PIX/ASA software 7.x and above, the joy of applying ACLs became a touch more intricate, but while doing so more flexible. In lieu of only having the ability to apply an ACL to inbound traffic on a given interface, while using the 7.x software you can apply an ACL for an interface and define whether it refers to traffic entering the interface (in) or exiting the interface (out). This flexibility helps you do things like define an egress filter and use it to outbound traffic around the interface.

Whatever which software the firewall is running, ACLs are put on to an interface by running the access-group command. Really the only distinction between 6.x and 7.x could be the capability specify in or in the syntax as follows:

   access-group access-list in  interface interface-name [per-user-override]


Such as, if you'd like to apply the ACL that had been previously defined (ACL out_in_01) facing outward interface about the firewall, you operate the next command:

   houqepixfw01(config)# access-group out_in_01 in interface outside


At this stage, let's assume that you could have your translation rules configured accordingly, the traffic that was permitted or denied inside the ACL out_in_01 are going to be filtered on teh lateral side interface accordingly.

Configuring Logging to the Firewall Just about the most valuable capabilities of a typical firewall may be the power to log events in order that the administrator could be informed of and aware of what's going on when using the firewall. Cisco PIX/ASA firewalls use syslog for the logging of all events on the firewall (syslog and signing in general is discussed in much greater detail in Chapter 12, "What Is My Firewall Saying?"), allowing webmaster so that you can read/parse the logs for important events or events which will require additional action (as an example, events that indicate a misconfiguration of your firewall could be occurring).

Generally speaking, PIX/ASA firewalls include the following common logging destinations:

Console

Monitor (Telnet and SSH sessions)

ASDM (PIX/ASA 7.x only)

Remote syslog server

In spite of the logging method implemented, it is essential to ensure that the firewall gets the correct starting time and date (either by manually entering the starting time and date or using NTP to automatically configure the time and date) to ensure the logs can easily be interpreted. To find out more about configuring the time and date on PIX/ASA firewalls, be aware of the Cisco ASA and PIX Firewall Handbook (Cisco Press).

Configuring Console, Monitor, or ASDM Logging Console, monitor, and ASDM logging all function in a similar way for the reason that just about all which is designed to output the logging brings about the management interface (the CLI regarding console and monitor logging or maybe the ASDM GUI when it comes to ASDM logging). Consequently, each of them use similar variations in the logging command. Could use one that enable any particular procedure for logging, the first step is to enable signing in general to the firewall by running the command logging on in the global configuration mode of execution. This command is the same command for all those versions of PIX/ASA software.

Permit console logging run the command logging console [logging-list | level]. The logging-list syntax enables you to talk about an index of defined logging level, event class, and message IDs which are previously defined by the logging list name message start-id[- end-id] command. The exact level syntax defines the maximum a higher level system log messages to log. Such as, if you wish to log debug level and below, you run the following commands:

   houqepixfw01(config)# logging on
   houqepixfw01(config)# logging console debug
   %PIX-5-111008: User 'enable_15' executed the 'logging console debug' command.
   %PIX-3-710003: UDP access denied by ACL from 10.21.120.178/137 to
   inside:10.21.121.255/137


This command causes the firewall to show off all log messages towards console session of the firewall. You might be Telnet or SSH to get in touch to the firewall and you aim for the log messages display inside the Telnet or SSH session, run the logging monitor [logging-list | level] command. This leads to the firewall to log all messages to Telnet or SSH sessions, however they are not going to sometimes be displayed towards the active Telnet or SSH session up until you also run the command terminal monitor. Terminal monitor enables the display in the syslog messages for this Telnet or SSH session. For example, to be able to log debug level and below and display the syslog messages over the current SSH session, run this commands:

   houqepixfw01(config)# logging on
   houqepixfw01(config)# logging monitor debug
   houqepixfw01(config)# terminal monitor
   %PIX-5-111008: User 'enable_15' executed the 'terminal monitor' command.
   %PIX-3-710003: UDP access denied by ACL from 10.21.120.178/137 to
     inside:10.21.121.255/137

You possibly can stop the display of syslog messages, while still obtaining the firewall perform monitor logging, by running the command terminal no monitor. These commands is the same for all versions of your PIX/ASA software.

Herramientas personales