
CHAPTER 9
Accessing and Monitoring PIX Firewall
Cisco PIX Firewall and VPN Configuration Guide (78-13943-01)
This chapter describes how to configure and use the tools and features provided by the PIX Firewall for monitoring and configuring the system, and for monitoring network activity. It contains the following sections:
• Command Authorization and LOCAL User Authentication
• Using Network Time Protocol
• Managing the PIX Firewall Clock
• Using Telnet for Remote System Management
• Using SSH for Remote System Management
• Enabling Auto Update Support
• Capturing Packets
• IDS Syslog Messages
• Using SNMP
Command Authorization and LOCAL User Authentication
This section describes the Command Authorization feature and related topics, introduced with
PIX Firewall version 6.2. It includes the following topics:


command is already encrypted.
For example, the following command assigns the enable password Passw0rD to privilege Level 10:
enable password Passw0rD level 10
The following example shows the usage of the enable password command with the encrypted keyword:
enable password .SUTWWLlTIApDYYx level 9 encrypted
Note
Encrypted passwords that are associated with a level can only be moved among PIX Firewall units along
with the associated levels.
Once the different privilege levels are created, you can gain access to a particular privilege level from
the > prompt by entering the enable command, as shown below:
pix> enable [privilege level]
Replace privilege level with the privilege level to which you want to gain access. If the privilege level is
not specified, the default of 15 is used. By default, privilege level 15 is assigned the password cisco. It
will always have a password associated with it unless someone assigns it a blank password using the
enable password command.
User Authentication
This section describes how to configure the PIX Firewall to use LOCAL user authentication. It includes the following topics:
• Creating User Accounts in the LOCAL Database
• User Authentication Using the LOCAL Database
• Viewing the Current User Account
Creating User Accounts in the LOCAL Database
To define a user account in the LOCAL database, enter the following command:
username username

username
Replace username with the user account that you want to delete. For example, the following command
deletes the user account admin.
no username admin
To remove all the entries from the user database, enter the following command:
clear username
User Authentication Using the LOCAL Database
User authentication can be completed using the LOCAL database after user accounts are created in this
database.
Note
The LOCAL database can be used only for controlling access to the PIX Firewall, and not for controlling
access through the PIX Firewall.
To enable authentication using the LOCAL database, enter the following command:
pix(config)# aaa authentication serial|telnet|ssh|http|enable console LOCAL
After entering this command, the LOCAL user accounts are used for authentication.
You can also use the login command, as follows, to access the PIX Firewall with a particular username
and password:
pix> login
The login command only checks the local database while authenticating a user and does not check any
authentication or authorization (AAA) server.
When you enter the login command, the system prompts for a username and password as follows:
Username:admin
Password:********
Note
Users with a privilege level greater than or equal to 2 have access to the enable and configuration modes

Current Mode/s : P_PRIV
When you enter the enable command without specifying the privilege level, the default privilege level
(15) is assumed and the username is set to enable_15.
When you log into the PIX Firewall for the first time or exit from the current session, the default user
name is enable_1, as follows:
pix> show curpriv
Username : enable_1
Current privilege level : 1
Current Mode/s : P_UNPR
Command Authorization
This section describes how to assign commands to different privilege levels. It includes the following topics:
• Overview
• Configuring LOCAL Command Authorization
• Enabling LOCAL Command Authorization
• Viewing LOCAL Command Authorization Settings
• TACACS+ Command Authorization
Overview
LOCAL and TACACS+ Command Authorization is supported in PIX Firewall version 6.2. With the
LOCAL command authorization feature, you can assign PIX Firewall commands to one of 16 levels.

which the privilege level applies.
The following are examples of setting privilege levels for mode-specific commands:
privilege show level 15 mode configure command configure
privilege clear level 15 mode configure command configure
privilege configure level 15 mode configure command configure
privilege configure level 15 mode enable command configure
privilege configure level 0 mode enable command enable
privilege show level 15 mode configure command enable
privilege configure level 15 mode configure command enable
privilege configure level 15 mode configure command igmp
privilege show level 15 mode configure command igmp
privilege clear level 15 mode configure command igmp
privilege show level 15 mode configure command logging
privilege clear level 15 mode configure command logging
privilege configure level 15 mode configure command logging
privilege clear level 15 mode enable command logging
privilege configure level 15 mode enable command logging
Note
Do not use the mode parameter for commands that are not mode-specific.
By default, the following commands are assigned to privilege level 0:
privilege show level 0 command checksum
privilege show level 0 command curpriv
privilege configure level 0 command help
privilege show level 0 command history
privilege configure level 0 command login

privilege show level 15 command aaa-server
privilege clear level 15 command aaa-server
privilege configure level 15 command aaa-server
privilege show level 15 command access-group
privilege clear level 15 command access-group
privilege configure level 15 command access-group
privilege show level 15 command access-list
privilege clear level 15 command access-list
privilege configure level 15 command access-list
privilege show level 15 command activation-key
privilege configure level 15 command activation-key
To view the command assignments for a specific privilege level, enter the following command:
show privilege level level
Replace level with the privilege level for which you want to display the command assignments.
For example, the following command displays the command assignments for privilege Level 15:
show privilege level 15
To view the privilege level assignment of a specific command, enter the following command:
show privilege command command
Replace command with the command for which you want to display the assigned privilege level.
For example, the following command displays the command assignment for the access-list command:
show privilege command access-list
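As an added illustration (not code from the guide), the following Python models how the PIX Firewall resolves the privilege level a typed command requires: it parses privilege assignments like those listed above, reduces the command line to its modifier (show, clear, or configure, which also covers the no form) and command, and prefers a mode-specific assignment over a general one. The sample privilege lines, the level 3 logging assignment and the default of 15 for unassigned commands are assumptions made for this example.

```python
import re

# Matches one 'privilege' assignment line in the form shown in this chapter.
PRIVILEGE_RE = re.compile(
    r"^privilege\s+(?P<modifier>show|clear|configure)\s+level\s+(?P<level>\d+)"
    r"(?:\s+mode\s+(?P<mode>enable|configure))?\s+command\s+(?P<command>\S+)$"
)

# Constructed excerpt in the style of the assignments above; the level 3
# logging line is invented for the example and is not a PIX default.
SAMPLE_CONFIG = """
privilege show level 0 command curpriv
privilege configure level 0 command login
privilege show level 15 command access-list
privilege clear level 15 command access-list
privilege configure level 15 command access-list
privilege show level 3 mode enable command logging
privilege show level 15 mode configure command logging
"""


def parse_privileges(text):
    """Return {(modifier, command, mode): level}; mode is None when the
    assignment is not mode-specific."""
    table = {}
    for line in text.splitlines():
        m = PRIVILEGE_RE.match(line.strip())
        if m:
            table[(m["modifier"], m["command"], m["mode"])] = int(m["level"])
    return table


def required_level(table, line, mode):
    """Reduce a typed line to modifier and command (arguments are ignored,
    as the PIX does), then look up the most specific assignment."""
    words = line.split()
    if words[0] in ("show", "clear"):
        modifier, command = words[0], words[1]
    elif words[0] == "no":
        modifier, command = "configure", words[1]  # 'no' forms count as configure
    else:
        modifier, command = "configure", words[0]
    for key in ((modifier, command, mode), (modifier, command, None)):
        if key in table:
            return table[key]
    return 15  # assumption: anything not assigned needs the top level


def authorized(table, line, mode, user_level):
    """True when the user's current privilege level reaches the command's level."""
    return user_level >= required_level(table, line, mode)


if __name__ == "__main__":
    table = parse_privileges(SAMPLE_CONFIG)
    for line, mode, level in (("show curpriv", "enable", 1),
                              ("show logging", "enable", 3),
                              ("no access-list 101", "configure", 10)):
        verdict = "permitted" if authorized(table, line, mode, level) else "denied"
        print("level %2d in %s mode: %-20s -> %s" % (level, mode, line, verdict))
```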
TACACS+ Command Authorization
Caution
Only enable this feature with TACACS+ if you are absolutely sure that you have fulfilled the following
requirements.
1. You have created entries for enable_1, enable_15, and any other levels to which you have assigned commands.

To create the tacacs_server_tag, use the aaa-server command, as follows:
aaa-server tacacs_server_tag [(if_name)] host ip_address [key] [timeout seconds]
Use the tacacs_server_tag parameter to identify the TACACS+ server and use the if_name parameter if
you need to specifically identify the PIX Firewall interface connected to the TACACS+ server. Replace
ip_address with the IP address of the TACACS+ server. Replace the optional key parameter with a
keyword of up to 127 characters (including special characters but excluding spaces) to use for encrypting
data exchanged with the TACACS+ server. This value must match the keyword used on the TACACS+
server. Replace seconds with a number up to 30 that determines how long the PIX Firewall waits before
retrying the connection to the TACACS+ server. The default value is 5 seconds.
The PIX Firewall only expands the command and the command modifier (show, clear, no) when it sends
these to the TACACS+ server. The command arguments are not expanded.
For effective operation, it is a good idea to permit the following basic commands on the AAA server:
• show curpriv
• show version
• show aaa
• enable

memory.
If you have already saved your configuration and you find that you configured authentication using the
LOCAL database but did not configure any usernames, you have created a lockout problem. You can also
encounter a lockout problem by configuring command authorization using a TACACS+ server if the
TACACS+ server is unavailable, down, or misconfigured.
If you cannot recover access to the PIX Firewall by restarting your PIX Firewall, use your web browser
to access the following website:
This website provides a downloadable file with instructions for using it to remove the lines in the
PIX Firewall configuration that enable authentication and cause the lockout problem.
You can encounter a different type of lockout problem if you use the aaa authorization command
tacacs_server_tag command and you are not logged in as the correct user. For every command you type,
the PIX Firewall displays the following message:
Command Authorization failed
This occurs because the TACACS+ server does not have a user profile for the user account that you used
for logging in. To prevent this problem, make sure that the TACACS+ server has all the users configured
with the commands that they can execute. Also make sure that you are logged in as a user with the
required profile on the TACACS+ server.
Using Network Time Protocol
This section describes how to use the Network Time Protocol (NTP) client, introduced with PIX Firewall version 6.2. It includes the following topics:
• Overview
• Enabling NTP
• Viewing NTP Status and Configuration
Overview
The Network Time Protocol (NTP) is used to implement a hierarchical system of servers that provide a
source for precisely synchronized time among network systems. This kind of accuracy is required for
time-sensitive operations such as validating a certificate revocation list (CRL), which includes a precise

number
The ntp authenticate command enables NTP authentication. If you enter this command, the
PIX Firewall will not synchronize to an NTP server unless the server is configured with one of the
authentication keys specified using the ntp trusted-key command.
The ntp authentication-key command is used to define authentication keys for use with other NTP
commands to provide a higher degree of security. The number parameter is the key number (1 to
4294967295). The value parameter is the key value (an arbitrary string of up to 32 characters). The key
value will be replaced with ‘********’ when the configuration is viewed with either the write terminal,
show configuration, or show tech-support commands.
Use the ntp trusted-key command to define one or more key numbers corresponding to the keys defined
with the ntp authentication-key command. The PIX Firewall will require the NTP server to provide this
key number in its NTP packets. This provides protection against synchronizing the PIX Firewall system
clock with an NTP server that is not trusted.
To remove NTP configuration, enter the following command:
clear ntp
This command removes the NTP configuration, disables authentication, and removes all the
authentication keys.
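To make concrete what ntp authenticate and ntp trusted-key enforce, here is an added Python example (not from the guide) that decodes the 64-bit NTP timestamps as they appear in the show ntp associations detail output and verifies the NTPv3 symmetric-key MAC (key number followed by MD5 over key and header) on a server packet, accepting it only when the key number is trusted. The key values, key numbers and packet contents are constructed for the example.

```python
import hashlib
import hmac
import struct
from datetime import datetime, timezone

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to the Unix epoch


def ntp_timestamp_str(value):
    """Render a 64-bit NTP timestamp as the PIX does, e.g.
    0xC02128A9731F127B -> '20:29:29.449 UTC Fri Feb 22 2002'."""
    seconds, fraction = value >> 32, value & 0xFFFFFFFF
    dt = datetime.fromtimestamp(seconds - NTP_EPOCH_OFFSET, tz=timezone.utc)
    millis = (fraction * 1000) >> 32  # truncated, matching the sample output
    return "%s.%03d UTC %s" % (dt.strftime("%H:%M:%S"), millis, dt.strftime("%a %b %d %Y"))


# Constructed stand-ins for 'ntp authentication-key <number> <value>' and
# 'ntp trusted-key <number>'; key 2 is defined but deliberately not trusted.
AUTH_KEYS = {1: b"server-secret-1", 2: b"retired-key-2"}
TRUSTED_KEYS = {1}


def sample_header():
    """Constructed 48-byte NTPv3 server header (LI 0, version 3, mode 4,
    stratum 5) carrying the guide's transmit timestamp c02128a9.6b3f729e."""
    return struct.pack("!BBBb", 0x1C, 5, 7, -6) + struct.pack(
        "!11I", *([0] * 9), 0xC02128A9, 0x6B3F729E)


def sign_packet(header, key_id, key):
    """Append the NTPv3 symmetric-key MAC: 4-byte key number + MD5(key || header)."""
    return header + struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def verify_packet(packet, auth_keys=AUTH_KEYS, trusted=TRUSTED_KEYS):
    """Mirror 'ntp authenticate': accept only a packet whose MAC was produced
    with a key number listed by 'ntp trusted-key'. Returns (accepted, reason)."""
    if len(packet) != 48 + 4 + 16:
        return False, "no MAC present, packet ignored"
    header, key_id = packet[:48], struct.unpack("!I", packet[48:52])[0]
    if key_id not in trusted or key_id not in auth_keys:
        return False, "key %d is not a trusted key" % key_id
    expected = hashlib.md5(auth_keys[key_id] + header).digest()
    if not hmac.compare_digest(expected, packet[52:]):
        return False, "MAC mismatch for key %d" % key_id
    return True, "authenticated with key %d" % key_id


if __name__ == "__main__":
    header = sample_header()
    print("xmt time", ntp_timestamp_str(int.from_bytes(header[40:48], "big")))
    for key_id, key in ((1, AUTH_KEYS[1]), (2, AUTH_KEYS[2]), (1, b"wrong")):
        print(key_id, verify_packet(sign_packet(header, key_id, key)))
```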
Viewing NTP Status and Configuration
This section describes the information available about NTP status and associations. To view information about NTP status and configuration, use any of the following commands:
• show ntp associations—displays information about the configured time servers.
• show ntp associations detail—provides detailed information.
• show ntp status—displays information about the NTP clock.
The following examples show sample output for each command and the following tables define the
meaning of the values in each column of the output.

our mode client, peer mode server, our poll intvl 128, peer poll intvl 128
root delay 38.04 msec, root disp 9.55, reach 177, sync dist 156.021
delay 4.47 msec, offset -0.2403 msec, dispersion 125.21
precision 2**19, version 3
org time c02128a9.731f127b (20:29:29.449 UTC Fri Feb 22 2002)
rcv time c02128a9.73c1954b (20:29:29.452 UTC Fri Feb 22 2002)
xmt time c02128a9.6b3f729e (20:29:29.418 UTC Fri Feb 22 2002)
filtdelay = 4.47 4.58 4.97 5.63 4.79 5.52 5.87 0.00
Table 9-1 Output Description for show ntp association Command
Output Column
Heading Description
address Address of peer.
ref clock Address of reference clock of peer.
st Stratum of peer.
when Time since last NTP packet was received from peer.
poll Polling interval (in seconds).
reach Peer reachability (bit string, in octal).
delay Round-trip delay to peer (in milliseconds).
offset Relative time of peer clock to local clock (in milliseconds).
disp Dispersion.
filtoffset = -0.24 -0.36 -0.37 0.30 -0.17 0.57 -0.74 0.00
filterror = 0.02 0.99 1.71 2.69 3.66 4.64 5.62 16000.0

version NTP version number that peer is using.
org time Originate time stamp.
rcv time Receive time stamp.
xmt time Transmit time stamp.
Example 9-3 provides sample output for the show ntp status command:
Example 9-3 Output of the show ntp status Command
pixfirewall(config)# show ntp status
Clock is synchronized, stratum 5, reference is 172.23.56.249
nominal freq is 99.9984 Hz, actual freq is 100.0266 Hz, precision is 2**6
reference time is c02128a9.73c1954b (20:29:29.452 UTC Fri Feb 22 2002)
clock offset is -0.2403 msec, root delay is 42.51 msec
root dispersion is 135.01 msec, peer dispersion is 125.21 msec
Table 9-3 describes the meaning of the values in each column:
Managing the PIX Firewall Clock
This section describes how to manage the PIX Firewall system clock and includes the following topics:
• Viewing System Time
• Setting the System Clock
• Setting Daylight Savings Time and Timezones
Table 9-2 Output Description for show ntp association detail Command (continued)
filtdelay Round-trip delay (in milliseconds) of each sample.
filtoffset Clock offset (in milliseconds) of each sample.
filterror Approximate error of each sample.

To set the system time, enter the following command:
clock set hh:mm:ss month day year
Replace hh:mm:ss with the current hours (1-24), minutes, and seconds. Replace month with the first
three characters of the current month. Replace day with the numeric date within the month (1-31), and
replace year with the four-digit year (permitted range is 1993 to 2035).
Setting Daylight Savings Time and Timezones
PIX Firewall version 6.2 also provides enhancements to the clock command to support daylight savings
(summer) time and time zones.
To configure daylight savings (summer) time, enter the following command:
clock summer-time zone recurring [week weekday month hh:mm week weekday month hh:mm [offset]]
The summer-time keyword automatically switches to summer time (for display purposes only).
The recurring keyword indicates that summer time should start and end on the days specified by the
values that follow this keyword. If no values are specified, the summer time rules default to United States
rules. The week option is the week of the month (1 to 5 or last). The weekday option is the day of the
week (Sunday, Monday,…). The month parameter is the full name of the month (January, February,…).
The hh:mm parameter is the time (24-hour military format) in hours and minutes. The offset option is
the number of minutes to add during summer time (default is 60).
Use either of the following commands when the recurring keyword cannot be used:
clock summer-time zone date date month year hh:mm date month year hh:mm
[

minutes
]
The clock timezone command sets the time zone for display purposes (internally, the time is kept in
UTC). The no form of the command is used to set the time zone to Coordinated Universal Time (UTC).
The zone parameter is the name of the time zone to be displayed when standard time is in effect. The
hours parameter is the hours offset from UTC. The minutes option is the minutes offset from UTC.
The clear clock command will remove the summer time setting and set the time zone to UTC.
Using Telnet for Remote System Management
The serial console lets a single user configure the PIX Firewall, but often this is not convenient for a site
with more than one administrator. PIX Firewall lets you access the console via Telnet from hosts on any
internal interface. With IPSec configured, you can use Telnet to remotely administer the console of a
PIX Firewall from lower security interfaces.
Note
SSH provides another option for remote management of the PIX Firewall using a lower security
interface. For further information, refer to “Using SSH for Remote System Management.”
This section includes the following topics:
• Configuring Telnet Console Access to the Inside Interface
• Allowing a Telnet Connection to the Outside Interface
• Using Telnet
• Trace Channel Feature
Configuring Telnet Console Access to the Inside Interface
Note
See the telnet command page within the Cisco PIX Firewall Command Reference for more information
about this command.
Follow these steps to configure Telnet console access:
Step 1

The first telnet command permits a single host, 10.1.1.11 to access the PIX Firewall console with Telnet.
The 255 value in the last octet of the netmask means that only the specified host can access the console.
The second telnet command permits PIX Firewall console access from all hosts on the 192.168.3.0
network. The 0 value in the last octet of the netmask permits all hosts in that network access. However,
Telnet only permits 16 hosts simultaneous access to the PIX Firewall console over Telnet.
Allowing a Telnet Connection to the Outside Interface
This section tells you how to configure a Telnet connection to a lower security interface of the PIX Firewall. It includes the following topics:
• Overview
• Using Cisco Secure VPN Client
• Using Cisco VPN 3000 Client
Overview
This section also applies when using the Cisco Secure Policy Manager version 2.0 or higher. It is
assumed you are using the Cisco VPN Client version 3.x, Cisco Secure VPN Client version 1.1, or the
Cisco VPN 3000 Client version 2.5/2.6, to initiate the Telnet connection.
Note
Use the auth-prompt command for changing the login prompt for Telnet sessions through the
PIX Firewall. It does not change the login prompt for Telnet sessions to the PIX Firewall.
Once you have configured Telnet access, refer to “Using Telnet” for more information about using this
command.