PIX 70 Config Guide

Table of contents :
CiscoSecurity Appliance Command Line Configuration Guide……Page 1
Audience……Page 23
Document Organization……Page 24
Document Conventions……Page 26
Documentation Feedback……Page 27
Submitting a Service Request……Page 28
Obtaining Additional Publications and Information……Page 29
Part 1: Getting Started and General Information……Page 31
Firewall Functional Overview……Page 33
Using AAA for Through Traffic……Page 34
Firewall Mode Overview……Page 35
Stateful Inspection Overview……Page 36
Security Context Overview……Page 37
Accessing the Command-Line Interface……Page 39
Setting Transparent or Routed Firewall Mode……Page 40
Viewing the Configuration……Page 41
Creating Text Configuration Files Offline……Page 42
Security Context Overview……Page 45
Context Configuration Files……Page 46
How the Security Appliance Classifies Packets……Page 47
Sharing Interfaces Between Contexts……Page 50
Shared Interface Guidelines……Page 51
Cascading Security Contexts……Page 53
Enabling Multiple Context Mode……Page 54
Restoring Single Context Mode……Page 55
Configuring Ethernet Settings……Page 57
Configuring Subinterfaces……Page 58
Configuring a Security Context……Page 61
Changing Between Contexts and the System Execution Space……Page 65
Changing the Security Context URL……Page 66
Reloading by Removing and Re-adding the Context……Page 67
Viewing Context Information……Page 68
Viewing Resource Usage……Page 69
Security Level Overview……Page 71
Configuring the Interface……Page 72
Allowing Communication Between Interfaces on the Same Security Level……Page 74
Changing the Enable Password……Page 77
Setting the Date and Time……Page 78
Setting the Time Zone and Daylight Saving Time Date Range……Page 79
Setting the Date and Time Manually……Page 80
Setting the Management IP Address for a Transparent Firewall……Page 81
Configuring Static and Default Routes……Page 83
Configuring a Static Route……Page 84
Configuring OSPF……Page 85
OSPF Overview……Page 86
Redistributing Routes Between OSPF Processes……Page 87
Adding a Route Map……Page 88
Redistributing Static, Connected, or OSPF Routes to an OSPF Process……Page 89
Configuring OSPF Interface Parameters……Page 90
Configuring OSPF Area Parameters……Page 92
Configuring OSPF NSSA……Page 93
Configuring Route Summarization When Redistributing Routes into OSPF……Page 94
Configuring Route Calculation Timers……Page 95
Displaying OSPF Update Packet Pacing……Page 96
Restarting the OSPF Process……Page 97
Enabling RIP……Page 98
Multicast Routing Overview……Page 99
Configuring IGMP Features……Page 100
Controlling Access to Multicast Groups……Page 101
Modifying the Query Interval and Query Timeout……Page 102
Configuring a Static Multicast Route……Page 103
Configuring a Static Rendezvous Point Address……Page 104
Configuring PIM Message Intervals……Page 105
Enabling the DHCP Server……Page 106
Using Cisco IP Phones with a DHCP Server……Page 108
Configuring DHCP Relay Services……Page 109
Configuring the DHCP Client……Page 110
IPv6-enabled Commands……Page 111
Configuring IPv6 on an Interface……Page 112
Configuring IPv6 Default and Static Routes……Page 113
Configuring IPv6 Access Lists……Page 114
The show ipv6 interface Command……Page 115
Configuring a Dual IP Stack on an Interface……Page 116
IPv6 Configuration Example……Page 117
AAA Overview……Page 119
About Accounting……Page 120
Summary of Support……Page 121
RADIUS Functions……Page 122
TACACS+ Server Support……Page 123
SDI Version Support……Page 124
Kerberos Server Support……Page 125
Local Database Functions……Page 126
Configuring the Local Database……Page 127
Identifying AAA Server Groups and Servers……Page 129
Understanding Failover……Page 133
License Requirements……Page 134
LAN-Based Failover Link……Page 135
State Link……Page 136
Active/Standby Failover……Page 137
Device Initialization and Configuration Synchronization……Page 138
Command Replication……Page 139
Failover Actions……Page 140
Primary/Secondary Status and Active/Standby Status……Page 141
Command Replication……Page 142
Failover Actions……Page 143
Determining Which Type of Failover to Use……Page 144
Stateful Failover……Page 145
Interface Monitoring……Page 146
Configuring Active/Standby Failover……Page 147
Configuring Cable-Based Active/Standby Failover (PIX Security Appliance Only)……Page 148
Configuring LAN-Based Active/Standby Failover……Page 149
Configuring the Primary Unit……Page 150
Configuring the Secondary Unit……Page 151
Configuring Optional Active/Standby Failover Settings……Page 152
Disabling and Enabling Interface Monitoring……Page 153
Configuring Virtual MAC Addresses……Page 154
Configuring Cable-Based Active/Active Failover (PIX security appliance Only)……Page 155
Configure the Primary Unit……Page 157
Configure the Secondary Unit……Page 159
Configuring Optional Active/Active Failover Settings……Page 160
Configuring Interface and Unit Poll Times……Page 161
Configuring Asymmetric Routing Support……Page 162
Verifying the Failover Configuration……Page 164
show failover—Active/Standby……Page 165
Show Failover—Active/Active……Page 169
Testing the Failover Functionality……Page 173
Forcing Failover……Page 174
Failover System Messages……Page 175
Failover Configuration Examples……Page 176
Cable-Based Active/Standby Failover Example……Page 177
LAN-Based Active/Standby Failover Example……Page 178
LAN-Based Active/Active Failover Example……Page 180
Part 2: Configuring the Firewall……Page 185
Routed Mode Overview……Page 187
Network Address Translation……Page 188
How Data Moves Through the Security Appliance in Routed Firewall Mode……Page 189
An Inside User Visits a Web Server……Page 190
An Outside User Visits a Web Server on the DMZ……Page 191
An Inside User Visits a Web Server on the DMZ……Page 192
An Outside User Attempts to Access an Inside Host……Page 193
Transparent Mode Overview……Page 194
Transparent Firewall Features……Page 195
Transparent Firewall Guidelines……Page 196
Unsupported Features in Transparent Mode……Page 197
How Data Moves Through the Transparent Firewall……Page 198
An Inside User Visits a Web Server……Page 199
An Outside User Visits a Web Server on the Inside Network……Page 200
An Outside User Attempts to Access an Inside Host……Page 201
Access List Overview……Page 203
Controlling Network Access for IP Traffic (Extended)……Page 204
Identifying Traffic for AAA Rules (Extended)……Page 205
Identifying Addresses for Policy NAT and NAT Exemption (Extended)……Page 206
Identify Traffic in a Class Map for Modular Policy Framework……Page 207
Access Control Entry Order……Page 208
IP Addresses Used for Access Lists When You Use NAT……Page 209
Adding an Extended Access List……Page 211
Adding an EtherType Access List……Page 213
How Object Grouping Works……Page 215
Adding a Protocol Object Group……Page 216
Adding a Service Object Group……Page 217
Adding an ICMP Type Object Group……Page 218
Nesting Object Groups……Page 219
Using Object Groups with an Access List……Page 220
Removing Object Groups……Page 221
Logging Access List Activity……Page 222
Access List Logging Overview……Page 223
Configuring Logging for an Access Control Entry……Page 224
Managing Deny Flows……Page 225
NAT Overview……Page 227
Introduction to NAT……Page 228
NAT Control……Page 229
Dynamic NAT……Page 231
PAT……Page 232
Static PAT……Page 233
Policy NAT……Page 235
NAT and Same Security Level Interfaces……Page 238
Mapped Address Guidelines……Page 239
DNS and NAT……Page 240
Configuring NAT Control……Page 241
Dynamic NAT and PAT Implementation……Page 242
Configuring Dynamic NAT or PAT……Page 248
Using Static NAT……Page 251
Using Static PAT……Page 252
Configuring Identity NAT……Page 255
Configuring Static Identity NAT……Page 256
Configuring NAT Exemption……Page 257
NAT Examples……Page 258
Overlapping Networks……Page 259
Redirecting Ports……Page 260
Inbound and Outbound Access List Overview……Page 263
Applying an Access List to an Interface……Page 266
Configuring Authentication for Network Access……Page 269
Authentication Overview……Page 270
Enabling Network Access Authentication……Page 271
Enabling Secure Authentication of Web Clients……Page 272
Configuring TACACS+ Authorization……Page 274
Configuring RADIUS Authorization……Page 275
Configuring Cisco Secure ACS for Downloadable ACLs……Page 276
Configuring Any RADIUS Server for Downloadable ACLs……Page 277
Configuring Accounting for Network Access……Page 278
Using MAC Addresses to Exempt Traffic from Authentication and Authorization……Page 279
Filtering Overview……Page 281
Enabling ActiveX Filtering……Page 282
Enabling Java Applet Filtering……Page 283
Filtering Overview……Page 284
Identifying the Filtering Server……Page 285
Buffering the Content Server Response……Page 286
Configuring HTTP Filtering……Page 287
Filtering HTTPS URLs……Page 288
Filtering FTP Requests……Page 289
Viewing Buffer Configuration and Statistics……Page 290
Viewing Filtering Performance Statistics……Page 291
Viewing Filtering Configuration……Page 292
Overview……Page 293
Identifying Traffic Using a Class Map……Page 294
Defining Actions Using a Policy Map……Page 296
Policy Map Procedure……Page 297
Policy Map Examples……Page 298
Multi-match Classification Policy across Multiple Feature Domains……Page 299
First-match Policy within a Feature Domain……Page 300
Action Order……Page 301
Direction Policies When Applying a Service Policy……Page 302
Match Port/Interface Policy Example……Page 303
Match Access List/Interface Policy Example……Page 304
Match Port/Global Policy Example……Page 305
Service Policy and NAT……Page 306
Configuring IP Audit for Basic IPS Support……Page 309
Configuring TCP Normalization……Page 310
Preventing IP Spoofing……Page 311
Configuring Connection Limits and Timeouts……Page 312
Blocking Unwanted Connections……Page 313
Overview……Page 315
QoS Concepts……Page 316
Identifying Traffic for QoS……Page 317
Classifying Traffic for QoS……Page 318
Applying Rate Limiting……Page 320
Viewing QoS Police Statistics……Page 322
Applying Low Latency Queueing……Page 323
Reducing Queue Latency……Page 324
Viewing QoS Statistics……Page 325
Viewing the Priority-Queue Configuration for an Interface……Page 326
Application Inspection Engines……Page 327
How Inspection Engines Work……Page 328
Supported Protocols……Page 329
Overview……Page 331
Identifying Traffic with a Traffic Class Map……Page 332
Using an Application Inspection Map……Page 334
Defining Actions with a Policy Map……Page 335
Limitations and Restrictions……Page 336
Enabling and Configuring CTIQBE Inspection……Page 337
Verifying and Monitoring CTIQBE Inspection……Page 339
Using the strict Option……Page 340
Configuring FTP Inspection……Page 341
Verifying and Monitoring FTP Inspection……Page 344
GTP Inspection Overview……Page 345
Enabling and Configuring GTP Inspection……Page 346
Verifying and Monitoring GTP Inspection……Page 349
How H.323 Works……Page 350
Limitations and Restrictions……Page 351
Enabling and Configuring H.323 Inspection……Page 352
Monitoring H.225 Sessions……Page 354
Monitoring H.323 RAS Sessions……Page 355
HTTP Inspection Overview……Page 356
Enabling and Configuring Advanced HTTP Inspection……Page 357
Managing MGCP Inspection……Page 359
MGCP Inspection Overview……Page 360
Configuring MGCP Call Agents and Gateways……Page 361
Configuring and Enabling MGCP Inspection……Page 362
Configuring MGCP Timeout Values……Page 364
Managing RTSP Inspection……Page 365
Using RealPlayer……Page 366
Enabling and Configuring RTSP Inspection……Page 367
SIP Instant Messaging……Page 369
Enabling and Configuring SIP Inspection……Page 370
Verifying and Monitoring SIP Inspection……Page 372
SCCP Inspection Overview……Page 373
Restrictions and Limitations……Page 374
Managing SMTP and Extended SMTP Inspection……Page 376
SMTP and Extended SMTP Inspection Overview……Page 377
Enabling and Configuring SMTP and Extended SMTP Application Inspection……Page 378
Managing SNMP Inspection……Page 379
Enabling and Configuring SNMP Application Inspection……Page 380
ARP Inspection Overview……Page 383
Enabling ARP Inspection……Page 384
Setting the MAC Address Timeout……Page 385
Viewing the MAC Address Table……Page 386
Part 3: Configuring VPN……Page 387
Tunneling Overview……Page 389
Configuring ISAKMP……Page 390
ISAKMP Overview……Page 391
Configuring ISAKMP Policies……Page 392
Enabling ISAKMP on the Outside Interface……Page 393
Determining an ID Method for ISAKMP Peers……Page 394
Enabling IPSec over TCP……Page 395
Alerting Peers Before Disconnecting……Page 396
Creating a Certificate Group Matching Rule and Policy……Page 397
Understanding IPSec Tunnels……Page 399
Defining Crypto Maps……Page 400
Using Interface Access Lists……Page 401
Changing IPSec SA Lifetimes……Page 403
Creating a Basic IPSec Configuration……Page 404
Using Dynamic Crypto Maps……Page 406
Clearing Security Associations……Page 408
Clearing Crypto Map Configurations……Page 409
Configuring IPSec to Bypass ACLs……Page 411
Configuring Client Update……Page 412
Overview of Tunnel Groups, Group Policies, and Users……Page 415
General Tunnel Group Parameters……Page 416
IPSec Connection Parameters……Page 417
Specify a Name and Type for the Remote-Access Tunnel Group……Page 418
Configure Remote-Access Tunnel Group General Attributes……Page 419
Configure Remote-Access Tunnel Group IPSec Attributes……Page 420
Configure LAN-to-LAN Tunnel Group General Attributes……Page 422
Configure LAN-to-LAN IPSec Attributes……Page 423
Group Policies……Page 424
Default Group Policy……Page 425
Configuring Group Policies……Page 426
Configuring Users……Page 440
Setting a User Password and Privilege Level……Page 441
Configuring User Attributes……Page 442
Configuring an IP Address Assignment Method……Page 447
Configuring AAA Addressing……Page 448
Configuring DHCP Addressing……Page 449
Summary of the Configuration……Page 451
Configuring Interfaces……Page 452
Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface……Page 453
Creating a Transform Set……Page 454
Defining a Tunnel Group……Page 455
Creating a Dynamic Crypto Map……Page 456
Creating a Crypto Map Entry to Use the Dynamic Crypto Map……Page 457
Summary of the Configuration……Page 459
Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface……Page 460
Configuring an ACL……Page 462
Defining a Tunnel Group……Page 463
Creating a Crypto Map and Applying It To an Interface……Page 464
Applying Crypto Maps to Interfaces……Page 465
About Public Key Cryptography……Page 467
About Key Pairs……Page 468
About CRLs……Page 469
Preparing for Certificates……Page 470
Generating Key Pairs……Page 471
Configuring Trustpoints……Page 472
Obtaining Certificates with SCEP……Page 474
Obtaining Certificates Manually……Page 476
Configuring CRLs for a Trustpoint……Page 478
Importing a Trustpoint Configuration……Page 480
Configuring CA Certificate Map Rules……Page 481
Part 4: System Administration……Page 483
Allowing Telnet Access……Page 485
Configuring SSH Access……Page 486
Changing the Login Password……Page 487
Authenticating and Authorizing System Administrators……Page 488
Configuring Authentication To Access Privileged EXEC Mode……Page 489
Authenticating Users Using the Login Command……Page 490
Configuring Local Command Authorization……Page 491
Assigning Privilege Levels to Commands and Enabling Authorization……Page 492
Viewing Command Privilege Levels……Page 494
Configuring Commands on the TACACS+ Server……Page 495
Viewing the Current Logged-In User……Page 498
Recovering from a Lockout……Page 499
Configuring a Login Banner……Page 500
Obtaining an Activation Key……Page 501
Viewing Files in Flash Memory……Page 502
Installing Application or ASDM Software to the Flash Memory……Page 503
Downloading a Text Configuration……Page 504
Backing up the Single Mode Configuration or Multiple Mode System Configuration……Page 506
Copying the Configuration from the Terminal Display……Page 507
SNMP Overview……Page 509
Enabling SNMP……Page 511
Testing Your Configuration……Page 512
Enabling ICMP Debug Messages and System Messages……Page 513
Pinging Security Appliance Interfaces……Page 514
Pinging Through the Security Appliance……Page 515
Performing Password Recovery……Page 517
Password Recovery for the PIX 500 Series Security Appliance……Page 518
Capturing Packets……Page 519
Common Problems……Page 520
Platform Feature Licenses……Page 523
Site-to-Site VPN Compatibility……Page 526
Cryptographic Standards……Page 527
Example 1: Multiple Mode Firewall With Outside Access……Page 529
Example 1: System Configuration……Page 530
Example 1: Admin Context Configuration……Page 531
Example 1: Customer B Context Configuration……Page 532
Example 2: Single Mode Firewall Using Same Security Level……Page 533
Example 3: Shared Resources for Multiple Contexts……Page 535
Example 3: System Configuration……Page 536
Example 3: Admin Context Configuration……Page 537
Example 3: Department 1 Context Configuration……Page 538
Example 4: Multiple Mode, Transparent Firewall with Outside Access……Page 539
Example 4: System Configuration……Page 540
Example 4: Admin Context Configuration……Page 541
Example 4: Customer C Context Configuration……Page 542
Firewall Mode and Security Context Mode……Page 545
Command Modes and Prompts……Page 546
Command Completion……Page 547
Filtering show Command Output……Page 548
Adding Comments……Page 549
Automatic Text Entries……Page 550
Multiple Security Context Files……Page 551
IPv4 Addresses and Subnet Masks……Page 553
Subnet Masks……Page 554
Determining the Address to Use with the Subnet Mask……Page 555
Class B-Size Network Address……Page 556
IPv6 Address Format……Page 557
Unicast Addresses……Page 558
IPv4-Compatible IPv6 Addresses……Page 559
Multicast Address……Page 560
Anycast Address……Page 561
IPv6 Address Prefixes……Page 562
Protocols and Applications……Page 563
TCP and UDP Ports……Page 564
Local Ports and Protocols……Page 566
ICMP Types……Page 567
Glossary……Page 569
Index……Page 591