This article describes how to configure and use the tools and features provided by the PIX firewall to monitor and configure the system and to monitor network activity. It consists of the following sections:
- Remote system management using Telnet (Using Telnet for Remote System Management)
- IDS system log messages (IDS Syslog Messages)
- Using DHCP (Using DHCP)
- Using SNMP (Using SNMP)
- Using SSH (Using SSH)
Remote system Management using Telnet (using Telnet for remote systems Management)
The console can be accessed via Telnet on the inside interface and on the third interface. The third interface is the network connected to the third available slot in the PIX firewall. You can view the interfaces with the show nameif command; the third entry from the top of the list is the third interface.
The serial console lets a single user configure the PIX firewall, but in many cases this is not convenient for sites with multiple administrators. The PIX firewall allows you to access the serial console via telnet from a host on any internal interface. Once IPSec is configured, you can use Telnet to remotely administer the control console of the PIX firewall from the external interface. This section includes the following:
· Configuring Telnet console access (configuring Telnet console access)
· Test Telnet access (testing telnet access)
· Secure Telnet connection on external interface (securing a Telnet Connection on the Outside Interface)
· Trace Channel feature (Trace Channel Feature)
(i) Configuring Telnet console access (Configuring Telnet Console Access)
Follow these steps to configure Telnet console access:
Step 1
Use the PIX Firewall telnet command. For example, to let the host 192.168.1.2 on the inside interface access the PIX firewall, enter the following command:
telnet 192.168.1.2 255.255.255.255 inside
If IPSec is configured, you can also allow a host on the outside interface to access the PIX firewall console. For details, see the "Securing a Telnet Connection on the Outside Interface" section. Use a command such as:
telnet 209.165.200.225 255.255.255.224 outside
Step 2
If necessary, set the length of time the PIX firewall waits before disconnecting an idle Telnet session. The default of 5 minutes is too short for most cases and should be extended until all pre-production testing and troubleshooting is complete. Set a longer idle time as in the following example:
telnet timeout 15
Step 3
If you want to use an authentication server to secure access to the console, use the aaa authentication telnet console command, which requires you to have a username and password. When you access the console, the PIX firewall prompts you for these login credentials. If the authentication server is offline, you can still access the console with the username pix and the password set with the enable password command.
Step 4
Save the commands to the configuration with the write memory command.
(ii) Testing Telnet access (Testing Telnet Access)
Perform the following steps to test Telnet access:
Step 1
Start a Telnet session to a PIX firewall interface IP address from the host. If you are using Windows 95 or Windows NT, click Start > Run to start the Telnet session. For example, if the inside interface IP address is 192.168.1.1, enter the following command:
telnet 192.168.1.1
Step 2
The PIX firewall prompts you for a password:
PIX passwd:
Enter cisco and press Enter. You are now logged on to the PIX firewall. The default password is cisco; you can change it with the passwd command. You can enter any command from the Telnet console that you can enter from the serial console, but if you restart the PIX firewall you will need to log on again after it restarts. Some Telnet applications, such as the Windows 95 or Windows NT Telnet sessions, may not support the arrow keys used by the PIX Firewall command history feature. However, you can press Ctrl-P to retrieve the most recently entered command.
Step 3
Once you have established Telnet access, you may want to view ping (sniff) information while troubleshooting. You can use the debug icmp trace command to view ping information from a Telnet session. The Trace Channel feature also affects the display of debug output; it is described in the Trace Channel feature (Trace Channel Feature) section. A successful ping produces messages such as the following:
Outbound ICMP echo request (len id 1 seq) 209.165.201.2 > 209.165.201.1
Inbound ICMP echo reply (len id 1 seq 256) 209.165.201.1 > 209.165.201.23
Step 4
You can also use the Telnet console session to view system log messages:
A. Use the logging monitor 7 command to start the message display. The value 7 causes all system log levels to be displayed. If you are using the PIX firewall in production mode, you may want to use the logging buffered 7 command instead, which stores the messages in a buffer. You can clear the buffer for easier viewing with the clear logging command. To stop buffering messages, use the no logging buffered command. You can also reduce the level from 7 to a smaller value, such as 3, to limit the number of messages displayed.
B. After entering the logging monitor command, enter the terminal monitor command to make the messages appear in your Telnet session. To stop the display, use the terminal no monitor command.
Example 1 shows the commands that allow hosts to access the PIX Firewall console using Telnet.
Example 1: Using Telnet
telnet 10.1.1.11 255.255.255.255
telnet 192.168.3.0 255.255.255.0
The first telnet command allows the single host 10.1.1.11 to access the PIX Firewall console using Telnet. The value 255 in the last octet of the network mask indicates that only the specified host can access the console. The second telnet command allows all hosts on the 192.168.3.0 network to access the PIX Firewall console; the value 0 in the last octet of the network mask permits every host in that network. Note, however, that Telnet allows only 16 hosts to access the PIX firewall console at the same time.
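To check a set of telnet console-access entries like those in Example 1, here is an added Python example (it is not from the Cisco documentation). It parses telnet <ip> <mask> <interface> lines with the standard ipaddress module, answers whether a given client on a given interface may reach the console, and flags the entries a reviewer would want to look at: all-hosts masks and outside-interface access, which the text above says must be protected by IPSec. The configuration lines inside the block are constructed for the example; the 16-session limit is the one stated above.

```python
"""Audit PIX 'telnet <ip> <mask> <interface>' console-access entries.

Added example, not from the Cisco documentation. It models the telnet
statements described above with Python's ipaddress module.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed sample configuration lines (not from a real device).
SAMPLE_CONFIG = """\
telnet 10.1.1.11 255.255.255.255 inside
telnet 192.168.3.0 255.255.255.0 inside
telnet 10.1.2.0 255.255.255.0 outside
telnet timeout 15
"""

MAX_TELNET_SESSIONS = 16  # concurrent-session limit stated in the documentation


@dataclass(frozen=True)
class TelnetEntry:
    network: ipaddress.IPv4Network
    interface: str


def parse_telnet_entries(config: str) -> List[TelnetEntry]:
    """Return the host/network entries from 'telnet <ip> <mask> <if>' lines.

    'telnet timeout N' and unrelated lines are skipped.
    """
    entries = []
    for raw in config.splitlines():
        parts = raw.split()
        if len(parts) != 4 or parts[0].lower() != "telnet":
            continue
        ip, mask, ifname = parts[1], parts[2], parts[3]
        # strict=False tolerates host bits in the address, e.g. 10.1.1.11 with a /32 mask
        network = ipaddress.IPv4Network((ip, mask), strict=False)
        entries.append(TelnetEntry(network, ifname.lower()))
    return entries


def is_console_access_allowed(entries: List[TelnetEntry], source_ip: str, interface: str) -> bool:
    """True if a Telnet client at source_ip arriving on interface may reach the console."""
    addr = ipaddress.IPv4Address(source_ip)
    return any(addr in e.network and e.interface == interface.lower() for e in entries)


def audit_entries(entries: List[TelnetEntry]) -> List[str]:
    """Return human-readable findings a defender would want to review."""
    findings = []
    for e in entries:
        if e.network.prefixlen == 0:
            findings.append(f"{e.network} on {e.interface}: mask 0.0.0.0 permits every host")
        elif e.network.prefixlen < 24:
            findings.append(f"{e.network} on {e.interface}: broad mask covering {e.network.num_addresses} addresses")
        if e.interface == "outside":
            findings.append(f"{e.network} on outside: console reachable from the outside interface, IPSec must protect it")
    return findings


if __name__ == "__main__":
    entries = parse_telnet_entries(SAMPLE_CONFIG)
    for e in entries:
        print(f"{e.network} via {e.interface}")
    print("10.1.1.12 on inside allowed:", is_console_access_allowed(entries, "10.1.1.12", "inside"))
    for finding in audit_entries(entries):
        print("finding:", finding)
```

The check is per entry, so a host is accepted only when both the address and the interface match, which is exactly why the page warns that the mask's last octet decides between one host and a whole network.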
(iii) Securing a Telnet connection on the outside interface (Securing a Telnet Connection on the Outside Interface)
This section describes how to secure the PIX Firewall console telnet connection to the external interface of the PIX firewall. It includes the following content:
· Overview (Overview)
· Using Cisco Secure VPN Client (using Cisco Secure VPN Client)
· Using Cisco VPN 3000 client (using Cisco VPN 3000 client)
Overview (Overview)
If you are using Cisco Secure Policy Manager 2.0 or later, this section also applies to you. This section assumes that you are using Cisco VPN Client 3.0, Cisco Secure VPN Client 1.1, or Cisco VPN 3000 Client 2.5 to protect your Telnet connection. In the following examples, the IP address of the PIX firewall outside interface is 168.20.1.5, and the Cisco Secure VPN Client's IP address comes from the virtual address pool 10.1.2.0.
For specific information about this command, refer to the Telnet command page in the Cisco PIX Firewall Command Reference.
You will need to set up two security policies on your VPN client. One to protect your Telnet connection, and another to protect your connection to the internal network.
Using Cisco Secure VPN Client (using Cisco Secure VPN Client)
This section applies only if you use the Cisco Secure VPN Client. To encrypt your Telnet connection to the outside interface of the PIX firewall, perform the following steps as part of your PIX firewall configuration.
Step 1
access-list permit ip host 168.20.1.5 10.1.2.0 255.255.255.0
Permits traffic between the outside interface and the local virtual address pool.
Step 2
telnet 10.1.2.0 255.255.255.0 outside
Specifies the VPN client addresses from the local pool and the outside interface.
Step 3
Step 4
Using Cisco VPN 3000 client (using Cisco VPN 3000 client)
This section applies only if you use the Cisco VPN 3000 Client. To encrypt your Telnet connection to the outside interface of the PIX firewall, perform the following steps as part of your PIX firewall configuration. In the following example, the IP address of the PIX firewall outside interface is 168.20.1.5, and the Cisco VPN 3000 Client's IP address comes from the virtual address pool 10.1.2.0.
Define which hosts can access the PIX firewall with Telnet by specifying the VPN client addresses from the local pool and the outside interface:
telnet 10.1.2.0 255.255.255.0 outside
(iv) Trace Channel feature (Trace Channel Feature)
The debug packet command sends its output to the Trace Channel; all other debug commands do not. Using the Trace Channel changes the way you view output on the screen during a PIX firewall console or Telnet session.
If a debug command does not use the Trace Channel, each session operates independently, meaning that any command started from a session appears only in that session. By default, output in a session that does not use the Trace Channel is disabled.
Where the Trace Channel output goes depends on whether you are running a Telnet console session at the same time as the serial console session, or only the PIX Firewall serial console:
o If you use only the PIX Firewall serial console, all debug commands are displayed on the serial console.
o If you have a serial console session and a telnet console session that also accesses the console, the output is displayed on the Telnet console session regardless of where you entered the debug command.
o If you have 2 or more Telnet console sessions, the first session is trace Channel. If that session is closed, the serial console session becomes trace Channel. The next Telnet console session that is the Access console is then the trace Channel.
The debug command is shared between all Telnet and serial console sessions.
Note: the disadvantage of the Trace Channel feature is that if one administrator is using the serial console and another administrator starts a Telnet console session, the debug command output on the serial console stops without warning. In addition, the administrator on the Telnet console session suddenly sees the debug command output, which they may not expect. If you are using the serial console and debug command output does not appear, use the who command to see whether a Telnet console session is running.
II. IDS system log messages (IDS Syslog Messages)
The PIX firewall reports single-packet (atomic) Cisco Intrusion Detection System (IDS) signature messages via the system log. For a list of the supported messages, see Cisco PIX Firewall System Log Messages.
Not all signature messages are supported by the PIX firewall in this release. IDS system log messages start with %PIX-4-4000nn and have the following format:
%PIX-4-4000nn IDS:sig_num sig_msg from ip_addr to ip_addr on interface int_name
For example:
%PIX-4-400013 IDS:2003 ICMP redirect from 10.4.1.2 to 10.2.1.1 on interface dmz
%PIX-4-400032 IDS:4051 UDP snork attack from 10.1.1.1 to 192.168.1.1 on interface outside
Fields:
sig_num: the signature number. For details, see the Cisco Secure Intrusion Detection System 2.2.1 User Guide.
sig_msg: the signature message, almost identical to the NetRanger signature message.
ip_addr: the local and remote addresses the signature applies to.
int_name: the name of the interface on which the signature was originally triggered.
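The message format above is regular enough to parse mechanically, which is what a syslog collector receiving PIX output has to do. Here is an added Python example (not part of the Cisco documentation) that extracts the documented fields with a regular expression and summarises a batch of messages by signature and by source address and interface, the fields a defender usually pivots on. The log text in the block is constructed: two of its lines are the page's own examples, and the non-IDS PIX message is included only to show that it is skipped.

```python
"""Parse PIX IDS syslog messages of the form
  %PIX-4-4000nn IDS:sig_num sig_msg from ip_addr to ip_addr on interface int_name

Added example, not from the Cisco documentation.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

IDS_MSG_RE = re.compile(
    r"%PIX-(?P<severity>\d)-(?P<msg_id>4000\d\d)\s+"
    r"IDS:(?P<sig_num>\d+)\s+(?P<sig_msg>.+?)\s+"
    r"from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)\s+"
    r"on\s+interface\s+(?P<iface>\S+)\s*$",
    re.IGNORECASE,
)

# Constructed sample log: the two IDS lines are the page's examples (one repeated
# with a different destination), the 302001 connection message is a non-IDS line.
SAMPLE_LOG = """\
%PIX-4-400013 IDS:2003 ICMP redirect from 10.4.1.2 to 10.2.1.1 on interface dmz
%PIX-4-400032 IDS:4051 UDP snork attack from 10.1.1.1 to 192.168.1.1 on interface outside
%PIX-6-302001 Built inbound TCP connection 5 for faddr 10.1.1.1/1234 gaddr 192.168.1.1/23 laddr 192.168.1.1/23
%PIX-4-400013 IDS:2003 ICMP redirect from 10.4.1.2 to 10.2.1.9 on interface dmz
"""


@dataclass(frozen=True)
class IdsEvent:
    msg_id: str
    severity: int
    sig_num: int
    sig_msg: str
    src: str
    dst: str
    interface: str


def parse_ids_message(line: str) -> Optional[IdsEvent]:
    """Return an IdsEvent for an IDS syslog line, or None for any other message.

    re.search (rather than match) tolerates a timestamp or hostname prefix that a
    syslog server may have put in front of the %PIX tag.
    """
    m = IDS_MSG_RE.search(line.strip())
    if not m:
        return None
    return IdsEvent(
        msg_id=m["msg_id"],
        severity=int(m["severity"]),
        sig_num=int(m["sig_num"]),
        sig_msg=m["sig_msg"],
        src=m["src"],
        dst=m["dst"],
        interface=m["iface"].lower(),
    )


def parse_ids_log(text: str) -> List[IdsEvent]:
    """Parse every line of a log, dropping lines that are not IDS messages."""
    events = []
    for line in text.splitlines():
        ev = parse_ids_message(line)
        if ev is not None:
            events.append(ev)
    return events


def summarize(events: List[IdsEvent]) -> Dict[str, dict]:
    """Count events per signature and per (source address, interface) for triage."""
    by_sig = Counter((e.sig_num, e.sig_msg) for e in events)
    by_src = Counter((e.src, e.interface) for e in events)
    return {"by_signature": dict(by_sig), "by_source": dict(by_src)}


if __name__ == "__main__":
    parsed = parse_ids_log(SAMPLE_LOG)
    for ev in parsed:
        print(ev)
    print(summarize(parsed))
```

Because sig_msg is free text, the expression matches it lazily and relies on the fixed " from ... to ... on interface " scaffolding that follows; a signature message containing the word "from" would still parse, as the trailing anchors force the last occurrence to be used.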
You can use the following commands to determine which messages are displayed:
ip audit signature signature_number disable
Attaches a global policy to a signature; used to disable the signature so that it is not audited.
no ip audit signature signature_number
Removes the policy from the signature; used to re-enable the signature.
show ip audit signature [signature_number]
Displays the disabled signatures.
ip audit info [action [alarm] [drop] [reset]]
Specifies the default action to take for signatures classified as informational signatures.
The alarm option means that when a signature match is found in a packet, the PIX firewall reports the event to all configured system log servers. The drop option drops the offending packet. The reset option drops the offending packet and closes the connection if the packet is part of an active connection. The default is alarm. To cancel the event response, use the ip audit info command without the action option.
no ip audit info
Resets the action taken for informational signatures to the default action.
show ip audit info
Displays the default informational action.
ip audit attack [action [alarm] [drop] [reset]]
Specifies the default action to take for attack signatures. The action option is defined as above.
no ip audit attack
Resets the action taken for attack signatures to the default action.
show ip audit attack
Displays the default attack action.
Audit policies (audit rules) define the attributes of all signatures that can be applied to an interface and the set of actions to take. Using audit policies, you can limit the amount of traffic that is audited, or the actions taken when a signature match is found. Each audit policy is identified by a name and can be defined for informational or attack signatures. Each interface can have two policies, one for informational signatures and one for attack signatures. If the defined policy specifies no action, the configured default action is taken. Each policy requires a different name.
ip audit name audit_name info [action [alarm] [drop] [reset]]
All informational signatures are considered part of the policy, except those disabled or excluded with the ip audit signature command. The action is the same as described above.
no ip audit name audit_name [info]
Deletes the audit policy audit_name.
ip audit name audit_name attack [action [alarm] [drop] [reset]]
All attack signatures are considered part of the policy, except those disabled or excluded with the ip audit signature command. The action is the same as described above.
no ip audit name audit_name [attack]
Deletes the audit policy audit_name.
show ip audit name [name [info|attack]]
Displays all audit policies, or a specific policy by name and optionally by type.
ip audit interface if_name audit_name
Applies an audit policy (defined with the ip audit name command) to an interface.
no ip audit interface [if_name]
Removes the policy from an interface.
show ip audit interface
Displays the interface configuration.
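The precedence among these commands (a disabled signature, a per-interface policy with or without its own action, and the class-wide default) is easy to get wrong when reviewing a configuration. The following added Python example, which is not from the Cisco documentation, parses a small set of ip audit commands and resolves which actions would apply to one signature on one interface, using the rules stated above: a disabled signature is never audited, a policy that names no action falls back to the configured default for its class, and the initial default is alarm. Two things are assumptions rather than statements on the page: an interface with no policy of the signature's class audits nothing, and, since the page does not list which signature numbers are informational and which are attack signatures, the caller passes the class in. The configuration text in the block is constructed.

```python
"""Resolve the effective action of PIX 'ip audit' commands for a signature.

Added example, not from the Cisco documentation. Modelling assumptions:
an interface with no policy for the signature's class audits nothing, and
the signature class ('info' or 'attack') is supplied by the caller.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample configuration (not from a real device).
SAMPLE_CONFIG = """\
ip audit signature 2000 disable
ip audit info action alarm
ip audit attack action alarm drop reset
ip audit name edge_info info
ip audit name edge_attack attack action alarm drop
ip audit interface outside edge_info
ip audit interface outside edge_attack
"""

VALID_ACTIONS = {"alarm", "drop", "reset"}


@dataclass
class AuditConfig:
    disabled: Set[int] = field(default_factory=set)
    # default action per signature class; the page states the initial default is alarm
    defaults: Dict[str, Set[str]] = field(
        default_factory=lambda: {"info": {"alarm"}, "attack": {"alarm"}}
    )
    # (policy name, class) -> explicit actions, or None when the policy names no action
    policies: Dict[Tuple[str, str], Optional[Set[str]]] = field(default_factory=dict)
    # interface name -> policy names applied to it (at most one per class)
    interfaces: Dict[str, Set[str]] = field(default_factory=dict)


def _actions_after(tokens: List[str], start: int) -> Optional[Set[str]]:
    """Return the action set following an 'action' keyword at tokens[start], else None."""
    if start < len(tokens) and tokens[start] == "action":
        acts = set(tokens[start + 1:])
        if acts and acts <= VALID_ACTIONS:
            return acts
    return None


def parse_ip_audit(text: str) -> AuditConfig:
    """Build an AuditConfig from the ip audit commands in text; other lines are ignored."""
    cfg = AuditConfig()
    for raw in text.splitlines():
        t = raw.lower().split()
        if len(t) < 4 or t[:2] != ["ip", "audit"]:
            continue
        kind = t[2]
        if kind == "signature" and t[-1] == "disable":
            cfg.disabled.add(int(t[3]))
        elif kind in ("info", "attack"):
            acts = _actions_after(t, 3)
            if acts:
                cfg.defaults[kind] = acts
        elif kind == "name" and len(t) >= 5 and t[4] in ("info", "attack"):
            cfg.policies[(t[3], t[4])] = _actions_after(t, 5)
        elif kind == "interface" and len(t) == 5:
            cfg.interfaces.setdefault(t[3], set()).add(t[4])
    return cfg


def resolve_actions(cfg: AuditConfig, sig_num: int, sig_class: str, interface: str) -> Set[str]:
    """Actions the firewall would take for sig_num (of sig_class) seen on interface."""
    if sig_num in cfg.disabled:
        return set()  # excluded by 'ip audit signature N disable'
    for name in cfg.interfaces.get(interface.lower(), ()):
        key = (name, sig_class)
        if key in cfg.policies:
            explicit = cfg.policies[key]
            # a policy without its own action takes the class default
            return set(explicit) if explicit else set(cfg.defaults[sig_class])
    return set()  # assumption: no policy of this class on the interface, nothing audited


if __name__ == "__main__":
    cfg = parse_ip_audit(SAMPLE_CONFIG)
    for sig, cls, ifc in ((2003, "info", "outside"), (4051, "attack", "outside"),
                          (2000, "info", "outside"), (2003, "info", "inside")):
        print(sig, cls, ifc, sorted(resolve_actions(cfg, sig, cls, ifc)))
```

In the sample configuration the attack default is alarm, drop and reset, yet the attack signature on the outside interface resolves to alarm and drop only, because the applied policy names its own action; the informational policy names none, so it inherits the alarm default.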