利用者:Ciscoequip

Cisco IT Network Reseller Cisco Reseller Cisco Solution Cisco Services Cisco Routers Cisco Switches Cisco Security Cisco Wireless Cisco VPN Client Cisco Mobility Cisco Supports Cisco Client VPN Cisco Router Network Asset Recovery Buy Cisco Sell Cisco Irvine Cisco South Cali Cisco Orange County Cisco Los Angeles Cisco

Configuring the Cisco PIX/ASA Complete configuration of the Cisco PIX is in the evening scope in this book. However, we're able to cover a number of the initial steps necessary to arrange the PIX and then to allow the website owner accessibility graphical user interface (GUI), the Adaptive Security Device Manager (ASDM) (previously the PIX Device Manager [PDM] for software versions prior to 7.0).

To initially configure a PIX as it is, connect a serial connecter towards console port of the PIX (and that is typically outlined that has a light blue color). Makes use of the blue serial port cable that included the PIX. Folks who wants discover that cable, it's also possible to start using a null modem or perhaps rollover cable. The serial port settings from the terminal emulation software on your computer ought to be as listed in

Baud 9600 Parity None Quantity of Bits 8 Number of Stop Bits 1

Following your console connection has become established, establish the terminal emulation software (Windows typically incorporates HyperTerminal, and you'll alternatively use TeraTerm Pro) with the settings in Table 6-1. The PIX command prompt should immediately appear (otherwise press the Enter button to the keyboard):

pixfirewall>

Next, type the enable command gain access to the privileged mode of execution. By default, the enable password using a new PIX seriously isn't set:

pixfirewall> enable Password: pixfirewall#

By default, the enable command assumes which the user is intending to gain access to privilege level 15 (the highest privilege level). To begin configuring the PIX for basic network access, several actions should be performed:

Assign IP addresses for any firewall interfaces.

Configure the firewall name, domain, and passwords.

Configure the firewall routing settings.

Configure the firewall for remote management access.

Configure the network address translation settings for outbound access.

Configure the ACLs.

Configure logging for the firewall.

Assigning IP Addresses to the Firewall Interfaces Speak about the network, the firewall requires IP addresses sent to the firewall interfaces. Particles this process changed between PIX/ASA version 6.x and 7.x, though the fundamental steps offer the same: Give the interface, configure the interface itself, and assign an IP address into the interface.

Assigning IP Addresses in PIX 6.x To assign IP addresses to the PIX interfaces, the administrator must enter configuration mode. Because PIX runs on the command interface that is similar to IOS, administrators enter configuration mode when they would with a Cisco IOS-based router:

firewall# configure terminal firewall(config)#

While in configure mode, the other item will be to let the interfaces. The PIX interfaces are administratively banned inside default configuration. To permit the interfaces, utilize the interface hardware-id hardware-speed command:

firewall(config)# interface ethernet0 auto firewall(config)# interface ethernet1 auto

Automagically, the Ethernet0 (or FastEthernet0) hardware-id is the outside interface and also the Ethernet1 (or FastEthernet1) hardware-id is known as a inside interface. The configuration of the interface itself is performed by the auto command word. This specifies the fact that interface speed should be determined by the PIX as an alternative to be specified by the administrator. Also you can manually define the hardware speed (for example, 10 or 100).

Next thing to configuring the interface is always to assign vintage car and security level for the interface. By default, the outdoors interface provides a security higher level of 0; the inner interface carries a security higher level of 100. The name which you assign is the name useful in the configuration to easily identify the interface. For instance, this lets you use inside to consult the Ethernet1 interface. You need to use the command nameif hardware-id if-name security-lvl to configure the interface name and security level:

firewall(config)# nameif ethernet0 outside security0 firewall(config)# nameif ethernet1 inside security100

With all the interfaces now active and configured, the IP addresses are usually assigned (it is simply as possible to assign the IP addresses before enabling the interface, nonetheless the interfaces still will not work until enabled).

Assigning IP addresses is made on the global configuration mode. The firewall supports static IP addresses on all interfaces and can be also configured to implement DHCP or PPPoE-assigned addresses around the interface only. To assign a static Ip, operate the ip interface-name ip-address subnet-mask command:

firewall(config)# ip address outside 10.19.24.1 255.255.255.0 firewall(config)# ip address inside 192.168.122.1 255.255.255.0

To be certain that the PIX can correspond with devices on sides, ping the address of an system on either interface:

firewall(config)# ping 10.19.24.100 10.19.24.100 response received -- 0ms 10.19.24.100 response received -- 0ms 10.19.24.100 response received -- 0ms firewall(config)# ping 192.168.122.226 192.168.122.226 response received -- 0ms 192.168.122.226 response received -- 0ms 192.168.122.226 response received -- 0ms firewall(config)#

Assigning IP Addresses in PIX/ASA 7.x To the PIX/ASA 7.0 software, the commands that need to be run have changed, nonetheless the necessary steps are similar: Encourage the interface, configure the interface itself, and assign the interface Ip. From your global configuration mode, access the interface configuration mode for the interface you want to configure by running the interface interface-name interface-number command:

firewall(config)# interface ethernet 2 firewall(config-if)#

While you are during the interface configuration mode, you'll be able to perform the many interface configuration and IP address assignments. To allow the interface, run the no shutdown command. To the interface, run the nameif name command. To assign the safety level, run the security-level number command. To configure the incidence and duplex settings over the interface, run the pace 10  command along with the duplex  half command. Examples of these commands follow:

firewall(config-if)# no shutdown firewall(config-if)# nameif dmz01 firewall(config-if)# security-level 50 firewall(config-if)# speed auto firewall(config-if)# duplex auto

Configuring the Ip may be a couple of running the ip ip-address [mask] as well as ip dhcp [setroute] command. The setroute option helps you configure the firewall to use the road assigned with the DHCP server since the default route for that firewall. Unlike previous versions of software, PPPoE is no longer supported, and DHCP addresses might be assigned to any interface (not simply the outside interface). Usually, it is advisable to assign a static Ip, as shown here:

firewall(config-if)# ip address 10.21.67.17 255.255.255.240

Repeat these commands for those interfaces that ought to be configured.

Note

Similar to most Cisco devices, changing the configuration only changes the running configuration. To your changes that need considering permanent and devoted to memory, they will be saved to NVRAM. For PIX software running 6.x and earlier, this can be done by running the write memory command at the privileged mode of execution:

firewall# write memory

For PIX/ASA software running 7.x and newer, this is done by running the copy running-config startup-config command:

firewall# copy running-config startup-config

You ought to do this anytime you are finished running commands and therefore are ready to the firewall configuration to be made permanent.

Configuring the Firewall Name, Domain address, and Passwords Ever since the firewall may be assigned IP addresses as well as interfaces are functioning properly the next phase is to configure some elementary firewall configuration values much like the firewall host name, domain, and passwords. The commands to perform these configurations are exactly the same for all versions within the PIX/ASA software. It is possible to configure the host name by running the hostname name command, and also the website address is configured by running the domain-name domain command with the global configuration mode:

firewall(config)# hostname houqepixfw01 houqepixfw01(config)# domain-name houqe.lab

The two passwords the fact that PIX/ASA uses automagically (and you're not using any form of AAA authentication). The initial one is called the login password which is useful to authenticate remote access via Telnet or SSH. The command to put the login password is passwd password:

houqepixfw01(config)# passwd ReallyDifficultPassword

Second is called the enable password and it's useful to access the international configuration mode and to provide ASDM/PDM access. The command recreate the enable password is enable password password level level and is particularly shown here. The exact level syntax is not required, just in case left blank defaults to privilege level 15. You possibly can set multiple passwords, each granting the means to access an alternative privilege level.

houqepixfw01(config)# enable password DifferentPasswordThanPasswd

After all this, the firewall can authenticate administrative access and remote management access connections (whilst it still really should be configured to permit remote management access).

Configuring the Firewall Routing Settings With IP connectivity established, the next step is to configure routing for the firewall. The firewall supports both static routes and dynamic routing using Open Shortest Path First (OSPF; to acquire more information about configuring OSPF routing, see Cisco ASA and PIX Firewall Handbook [Cisco Press]). You'll be able to configure static routes on all software versions by running the road interface-name ip-address netmask gateway-ip [metric | tunneled] command. This same command enables you to set the default route to the PIX the following:

houqepixfw01(config)# route outside 0.0.0.0 0.0.0.0 10.21.67.2 1

The quality 1 at the conclusion of the road command specifies the metric to the next hop and is also optional. In general, the default route points to the next-hop router to the firewall on the net, for example pointing to the net professional router.

Configuring the Firewall for Remote Management Access The PIX/ASA firewall supports three primary techniques of remote management access:

Telnet

SSH

ASDM/PDM

Both Telnet and SSH are widely used to provide CLI accessibility firewall, whereas the ASDM/PDM offers an HTTPS-based GUI management console.

Configuring Telnet Access Telnet remote management is a simplest, yet least secure, technique for remotely handling the firewall. The explanation for it is that Telnet would not encrypt the results in transmit and actually sends the information in cleartext. This will make it possible for a malicious user to capture the results and learn the likes of the passwords forced to get access to the firewall. For this reason deficiency, it's not possible to access a PIX/ASA firewall in the outside interface using Telnet alone (although PIX/ASA does support Telnet facing outward interface whether it is protected by IPsec).

The configuration to let Telnet access is the similar for many PIX/ASA software versions. This is accomplished by running the telnet hostname command within the global configuration mode:

houqepixfw01(config)# telnet 10.21.120.15 255.255.255.255 inside

You are able to restrict Telnet use of certain IP addresses or hosts by defining the appropriate subnet mask. By way of example, in the preceding command, just the host with IP address 10.21.120.15 is in a position to get connected to the firewall. You can even define the interface that the Telnet access shall be permitted to when using the appropriate interface name (for example, inside or dmz01, in the event you named an interface dmz01).

Due to general insecurity of Telnet, and since SSH provides same functionality to your firewall, use SSH as an alternative to Telnet.

Configuring SSH Access Configuring SSH might be a more involved than configuring Telnet access because for just a link to be established using SSH the objective host will need to have an RSA key pair for identity certificates. Therefore, configuring SSH access is usually a group of smaller steps that must definitely be performed:

Step. 1. Assign a lot and website towards firewall.

Step 2. Generate and save the RSA key pair.

Step 3. Configure the firewall to allow SSH access.

The treatment for assigning the host and domain for any firewall was covered previously during this chapter. Precisely why it is important to repeat this is always that the RSA key pairs make use of the host and website name inside key-generation process.

Generating and saving the RSA key pair is finished a single of two methods determined by whether you're using PIX 6.x or PIX/ASA 7.0. For PIX 6.0, you can generate the RSA key pair by running the ca generate rsa key key-size command on the global configuration mode:

houqepixfw02(config)# ca generate rsa key 1024 For  >= 1024, key generation could take approximately several minutes. Please wait. Keypair generation process begin. .Success. houqepixfw02(config)#

Among the bigger deficiencies within the PIX 6.x applications are that, unlike some other configuration setting, the RSA keys may not be saved while you issue the write memory command. Instead, they should be saved separately making use of the ca save all command in the global configuration mode:

houqepixfw02(config)# ca save all

With the PIX/ASA 7.x software, generating the RSA keys demands the standby time with the following command:

crypto key generate rsa [ usage-keys | general-keys ] [ label key-pair-label ] [ modulus size ] [ noconfirm ]

As a general rule, truly the only syntax required could be the following:

houqepixfw01(config)# crypto key generate rsa modulus 1024 INFO: The name for the keys are going to be:  Keypair generation process begin. Please wait... houqepixfw01(config)#

You'll be able to specify a modulus sized 512, 768, 1024 (the default size), or 2048. Unlike previous software versions, the RSA keys are saved after you save the firewall configuration (for instance, by running the command copy running-config startup-config).

As soon as the RSA keys are actually generated, the critical for actually permit SSH accessibility firewall is identical for anyone software versions and it is akin to how Telnet access is permitted. Just run the command ssh ip-address mask interface command:

houqepixfw01(config)# ssh 10.21.120.15 255.255.255.255 inside

Like Telnet, SSH is often on a subnets or hosts. Unlike Telnet, SSH can certainly be configured for remote accessibility outside interface.

PIX/ASA 7.x also supports running SSHv1 or SSHv2 (previous software versions supported a variant of SSHv1 1 named version 1.5). Generally, SSHv2 is known as safer, and the firewall can be on a only supporting SSHv2 by running the ssh version 5 command.

Configuring ASDM/PDM Access Aside from the CLI management methods, PIX/ASA firewalls support a GUI for remote management. For PIX 6.x, this management interface is known as the PIX Device Manager (PDM). For PIX/ASA 7.x, this management interface is termed the Adaptive Security Device Manager (ASDM). They are both extremely similar to the other, using the ASDM being the logical upgrade and replacement the PDM. The ASDM/PDM functions for a web-based management interface getting a small web server running to the firewall and Java plug-ins on the client computer to function. Configuring the ASDM/PDM demands a few steps that are identical for all those software versions. First, you ought to ensure that you have downloaded and installed the ASDM/PDM software over the firewall (automatically, it's in addition to the firewall). Second, it is advisable to give the HTTP server around the firewall by running the http server enable command. Third, you should permit HTTP access within a manner just like Telnet and SSH by running the http ip-address mask command:

houqepixfw02(config)# http server enable houqepixfw02(config)# http 10.0.0.0 255.0.0.0 inside

Configuring NAT Settings for Outbound Access As soon as the default route may be set, the PIX/ASA is nearly able to pass traffic relating to the inside, higher-security interface as well as the outside, lower-security interface. In many situations, to maintain this outbound traffic functionality you have to configure NAT as the firewall will typically be hiding the internal network IP addresses from your external network resources using NAT. It is not absolutely vital, however (whilst it is by and large recommended), and also the PIX/ASA 7.0 in particular does not need NAT for outbound communications. The configuration (or lack thereof) for NAT differs according to if you are using PIX 6.x or PIX/ASA 7.0.

Configuring NAT for PIX 6.x Outbound access to the PIX firewall generally requires the configuration of two policies. First, define the translation method which will be applied to the outbound requests. Second, guarantee that now of course ACL are available for the given network interface an access rule is determined to let the traffic at issue. Automatically, the PIX firewall allows all traffic from your higher-security interface to your lower-security interface, thanks to the point that there isn't a default ACL on any interface.

There are two primary techniques of performing translation: a static translation or a dynamic translation. Static translations are essentially a single to just one mapping of internal addresses to external addresses. Therefore, they require which the internal address not change and therefore never are often a successful technique of providing outside access to a variety of hosts. Instead, they have a tendency to be used in conjunction with ACLs to supply admission to internal resources from external sources (we address this configuration later in this particular chapter).

Dynamic translation uses NAT/PAT to dynamically assign addresses (or ports) to internal hosts that require external access. The firewall keeps track of which communications sessions are part of each internal host and allows the firewall to operate the essential translations.

To configure dynamic NAT, you might want to develop a NAT rule. The obvious way to make this happen is to specify what readers are to be translated while using the nat command after which it put in place an international pool while using global command. The nat command is used to define what local addresses will likely be included for NAT. The syntax with the command is this:

nat [(local-interface)] id local-ip [mask [ dns ] [ outside | [ norandomseq ] [max_conns [emb_limit]]]

The id and local-ip syntax are used to define the neighborhood IP addresses which is included in the corresponding NAT translation (based on the ID). A notable exception for this will be the nat 0 access-list acl-name command, which configures the firewall never to use NAT for virtually any addresses that match the related ACL. This can be typically for access across VPN connections. In many other cases, you'd define the NAT addresses the following:

houqepixfw02(config)# nat (inside)1 0.0.0.0 0.0.0.0

In such cases, we've specified to work with NAT for everyone addresses. After we only wanted NAT to be used for addresses over the 10.1.1.0/24 subnet, we can easily have replaced the local-ip and mask with 10.1.1.0 and 255.255.255.0. When you have defined what local addresses should use NAT, you need to to configure the global pool.

The worldwide command is commonly used to define the pool of worldwide addresses that might be applied by the translation rule. An effective way to think about the world addresses is that these are the basic external addresses that this internal clients can be to remain caused by as soon as they access external resources. You are able to specify one or more global addresses from the pool. If you ever specify a single address rather than performing NAT, the firewall will automatically perform PAT instead. The syntax on the command is this:

global [(if-name)] nat-id global-ip [-global-ip] [netmask global-mask] | interface

The interface syntax can be used to specify make use of the interface Ip for PAT as an alternative to defining an additional IP address to the global pool. Almost all of the useful in instances when there's a simple single address intended for use (as an example, whenever using a PIX firewall in a very SOHO environment for a broadband connection like digital subscriber line [DSL] or cable modem). This command configures a global pool by using an outside interface to use addresses 10.21.67.40/28-10.21.67.45/28:

houqepixfw02(config)# global (outside)1 10.21.67.40-10.21.67.45 netmask 255.255.255.240

When every one of the IP addresses are used by NAT, the firewall will automatically alteration to using PAT (in the event that a PAT statement has long been configured) enabling more addresses out. Alternatively, if you ever simply have the Ip that is definitely used on the interface, you possibly can simplify the global command the following:

houqepixfw02(config)# global (outside)1 interface outside interface address put into PAT pool houqepixfw02(config)#

In the event that there is not an ACL which should be configured, the hosts based on the NAT translation rule are going to have outbound access.

Configuring NAT for PIX/ASA 7.x A major distinction between the PIX/ASA 7.x software and previous versions is usually that automatically the firewall doesn't involve NAT and definately will allow outbound access without any additional configuration required. Obviously, when your environment requires NAT (which most Internet-connected firewalls require), you will need to execute the proper NAT configuration commands to the firewall.

To need NAT for communications, it's essential to first run the nat-control command (no additional syntax). When NAT control is disabled (the default), the firewall allows communications with outside hosts without the configuration associated with a NAT rule. When NAT control has become enabled, the next step is to run the nat and global commands. With the PIX/ASA 7.x, the nat and global syntax differs slightly:

nat (real-ifc) nat-id real-ip [mask [dns] [outside] tcp] tcp-max-conns    [emb-limit [udp> udp-max-conns] [norandomseq]] global (mapped-ifc) nat-id interface

During this case, however, the actual commands would be the exact command syntax for previous versions of software. Therefore, running seventy one commands might appear as if this:

houqepixfw01(config)# nat-control houqepixfw01(config)# nat (inside)1 0.0.0.0 0.0.0.0 houqepixfw01(config)# global (outside)1 10.21.67.10-10.21.67.14 netmask 255.255.255.240

In this instance, NAT control is enabled, a NAT pool for a lot of internal addresses is configured, plus a global pool from 10.21.67.10 through 10.21.67.14 is configured. At this time, internal hosts can access external resources using NAT.

Alternatively, if you simply have the IP address that may be allotted to the interface, you can simplify the world command as follows:

houqepixfw01(config)# global (outside)1 interface INFO: outside interface address included in PAT pool houqepixfw01(config)#

Configuring the ACLs Controlling users are the cornerstone of firewalls, and also the PIX/ASA controls the flow of traffic with the firewall by implementing ACLs. PIX/ASA ACLs are essentially linked lists of values known as ACL entries (ACEs) which are parsed in a top-down manner with entries towards the top of the ACL being processed before entrees further across the ACL are processed. This processing is finished in the first-match manner, therefore as soon as the data being processed by an ACL is matched to an ACE, the ACL stops being parsed as well as the action defined in the matching ACE is finished. Therefore, be certain that if you create your ACLs you'd put entries allowing traffic in front of entries that deny traffic; otherwise, right after the data matches an ACE that denies the traffic, the traffic will probably be blocked, and also the ACE which allows the traffic should never be processed.

The configuration and implementation of ACLs is usually a two-step process:

1. Define the ACL and implement the ACEs.

2. Assign the ACL to the interface.

Defining the ACL and Implementing the ACEs The PIX/ASA supports lots of different kinds of ACLs:

Access list EtherType This ACL is employed to filter traffic according to the EtherType value.

Access list extended This can be a most commonly implemented method of ACL and is used in general-purpose filtering of TCP/IP-based traffic.

Access list standard This ACL is used to acknowledge the destination IP addresses that will be used in a route map for OSPF route redistribution.

Access list webtype This ACL is required for WebVPN filtering and is particularly only supported on PIX/ASA 7.1 and newer.

You are able to configure multiple forms of ACLs at a PIX firewall and define multiple ACLs of the same type. This lets you define purpose-based ACLs. A purpose-based ACL suggests that the ACL is determined for a given purpose as well as ACEs within the ACL were written explicitly for the purpose. Completing this task helps you use different ACLs to regulate and filter traffic in multiple situations. Including, you would possibly build one ACL to operate traffic from the Internet to your DMZ segment then build another ACL with different ACEs to master traffic coming from the DMZ towards the internal network.

Building an ACL is a nice straightforward procedure that typically requires defining these elements:

What action must be taken for traffic that fits your foot the ACE in the ACL?

What protocol has used?

Just what is the source for the traffic?

Just what is the place to go for the traffic?

What application port/ports are employed?

ACLs are made on all software versions by running the access-list command together with the appropriate parameters. Table 6-2 shows the parameters readily available for a prolonged ACL.

Table 6-2. access-list Parameters Parameter Description default (Optional) Sets logging for the default method, which is to send system log message 106023 for each and every denied packet. deny Denies a packet when the conditions are matched. When it comes to network access (the access-group command), this keyword prevents the packet from passing in the security appliance. In the example of applying application inspection to a class map (the class-map and inspect commands), this keyword exempts the traffic from inspection. Some features don't let deny ACEs for use, such as NAT. Begin to see the command documentation each feature that utilizes an ACL to find out more. dest_ip Specifies the Ip from the network or host which the packet is now being sent. Go into the host keyword prior to Ip to specify a single address. In cases like this, really don't enter a mask. Get into the any keyword rather than address and mask to specify any address. disable (Optional) Disables logging because of this ACE. icmp_type (Optional) If ever the protocol is icmp, specifies the ICMP type. id Specifies the ACL ID, as being a string or integer approximately 241 characters in total. The ID is case sensitive. Tip: Use all capital letters so you can be conscious of the ACL ID better inside your configuration. inactive (Optional) Disables an ACE. To reenable it, go into the entire ACE without the presence of inactive keyword. This feature permits you to keep track connected with an inactive ACE with your configuration to generate reenabling easier. interface ifc_name Specifies the interface address when the source or destination address. interval secs (Optional) Specifies the log interval from which to generate a 106100 system log message. Valid values are from 1 to 600 seconds. The default is 300. level (Optional) Sets the 106100 system log message level from 0 to 7. The default level is 6. line line-num (Optional) Specifies the queue number when to insert the ACE. If you do not specify a line number, the ACE is included to no more the ACL. The queue number isn't stored in the configuration; it only specifies where you can insert the ACE. log (Optional) Sets logging options each time a deny ACE matches a packet for network access (an ACL applied while using the access-group command). In the event you type in the log keyword which has no arguments, you enable system log message 106100 on the default level (6) but for the default interval (300 seconds). If you can not enter into the log keyword, the default logging occurs, using system log message 106023. mask The subnet mask to the IP address. While you specify a network mask, the technique is different from the Cisco IOS Software access-list command. The protection appliance runs on the network mask (for instance, 255.255.255.0 for any Class C mask). The Cisco IOS mask uses wildcard bits (by way of example, 0.0.0.255). object-group icmp_type_obj_grp_id (Optional) If the protocol is icmp, specifies the identifier associated with an ICMP-type object group. Begin to see the object-group icmp-type command to increase a physical object group. object-group network_obj_grp_id Specifies the identifier of your network object group. Start to see the object-group network command so as to add something group. object-group protocol_obj_grp_id Specifies the identifier of an protocol object group. Start to see the object-group protocol command to increase a product group. object-group service_obj_grp_id (Optional) Should you set the protocol to tcp or udp, specifies the identifier on the service object group. Be conscious of the object-group service command to incorporate a thing group. operator (Optional) Matches the main harbour numbers utilised by the cause or destination. The permitted operators are listed below:

lt (below)

gt (a lot more than)

eq (the same as)

neq (not add up to)

range (a comprehensive array of values. Usually when you use this operator, specify two port numbers, by way of example, range 100 200.)

permit Permits a packet should the the weather is matched. Regarding network access (the access-group command), this keyword lets the packet come into contact with the protection appliance. In the example of applying application inspection to some class map (the class-map and inspect commands), this keyword applies inspection into the packet. port (Optional) If you ever set the protocol to tcp or udp, specifies the integer or name of a TCP or UDP port. DNS, Discard, Echo, Ident, NTP, RPC, SUNRPC, and Talk each require one definition for TCP the other for UDP. TACACS+ requires one definition for port 49 on TCP. protocol Specifies the IP protocol name or number. By way of example, UDP is 17, TCP is 6, and EGP is 47. src_ip Specifies the IP address in the network or host where the packet is now being sent. Go into the host keyword prior to Ip to specify just one address. In cases like this, will not enter a mask. Go into the any keyword rather than address and mask to specify any address. time-range time_range_name (Optional) Schedules each ACE to become activated at particular times of the day and week by making use of the perfect opportunity range to the ACE. Be aware of the time-range command for information about defining an occasion range.

The syntax the parameters are input within a extended ACL is usually as follows:

access-list id [line line-number] [extended] permit protocol   interface ifc_name  [operator port | object-group service_obj_grp_id] object-group network_obj_grp_id [operator port | object-group service_obj_grp_id | object-group icmp_type_obj_grp_id] [log disable       | default [inactive | time-range time_range_name]

Evidently this might appear to be things, numerous values are optional and not just necessary usually. Most access-list entries make use of abbreviated syntax:

access-list id permit protocol source destination operator port

By way of example, in the event you wanted to define an access-list entry to permit HTTP traffic in the host with a web server, you'd run this particular command:

houqepixfw01(config)# access-list out_in_01 permit tcp any host 10.21.67.2 eq http

On this example, we defined an ACL ID of "out_in_01" and configured it to allow for TCP port 80 (HTTP) on the source to the destination 10.21.67.2. In order for you identical ACL also to permit SMTP visitors another server, run these command:

houqepixfw01(config)# access-list out_in_01 permit tcp any host 10.21.67.3 eq smtp

You will see the ACL to see that both lines have already been added onto identical ACL by running the following command (the implicit deny ip any any rule following all ACLs is just not shown, the acceptable reason to explicitly include it with all ACLs):

houqepixfw01(config)# show access-list out_in_01 access-list out_in_01; 2 elements access-list out_in_01 line 1 extended permit tcp any host 10.21.67.2 eq www (hitcnt=0) access-list out_in_01 line 2 extended permit tcp any host 10.21.67.3 eq smtp (hitcnt=0)

The hitcnt value displays whether any packets have matched the ACE, which may support troubleshooting connectivity over the firewall. One example is, if you do not be aware of the hitcnt value increasing when traffic that is certainly supposed to be matching the ACL is it being transmitted, it may signify that the ACL is misconfigured. A common sort of that happening will be accidentally specifying the wrong protocol with the ACL (by way of example, using TCP when you have owned UDP).

As soon as the ACL has been defined, the firewall is still not utilizing the ACL. With the upper management, you need to assign the ACL a great interface.

Assigning the ACL with an Interface Fundamentally, there's two main methods of filtering traffic: ingress filtering and egress filtering. Ingress filtering defines filtering traffic that's stepping into a reliable network from an untrusted network.

Egress filtering defines filtering traffic that's coming from a trusted network in an untrusted network.

For PIX software version 6.x and below, all ACLs were applied to traffic being received by an interface. So, one example is, should you planned to apply an ACL for traffic from the internet to your DMZ segment, you would probably apply the ACL facing outward interface of the firewall, thus and can filter traffic getting into the firewall on teh lateral side interface. This may be among an ingress filter. To create an egress filter (such as, to filter traffic from inside network towards you network), you will apply the right ACL into the inside interface.

While using the PIX/ASA software 7.x and above, the method of applying ACLs became a little bit more complex, but while doing so more flexible. Rather than only having the ability to apply an ACL to inbound traffic for a given interface, while using the 7.x software it is possible to apply an ACL with an interface and define whether or not it is true for traffic entering the interface (in) or exiting the interface (out). This flexibility permits you to do things like define an egress filter and apply it to outbound traffic externally interface.

No matter which software the firewall is running, ACLs are put on to an interface by running the access-group command. Really the only distinction between 6.x and 7.x would be the power to specify in or in the syntax as follows:

access-group access-list out interface interface-name [per-user-override]

Including, if you want to apply the ACL that was previously defined (ACL out_in_01) facing outward interface around the firewall, you operate the following command:

houqepixfw01(config)# access-group out_in_01 in interface outside

After all this, in the event that you've your translation rules configured accordingly, the traffic that is permitted or denied from the ACL out_in_01 shall be filtered around the interface accordingly.

Configuring Logging on the Firewall Probably the most valuable capabilities of any firewall is a power to log events so that your administrator might be informed of and cognizant of what is going on using the firewall. Cisco PIX/ASA firewalls use syslog to the logging of the events for the firewall (syslog and logging into websites general is discussed in much greater detail in Chapter 12, "What Is My Firewall Saying?"), that allows webmaster in order to read/parse the logs for important events or events which will require additional action (including, events that indicate a misconfiguration from the firewall may be occurring).

On the whole, PIX/ASA firewalls keep the following commonly used logging destinations:

Console

Monitor (Telnet and SSH sessions)

ASDM (PIX/ASA 7.x only)

Remote syslog server

No matter what logging method implemented, it is very important ensure that the firewall provides the correct time and date (either by manually entering the time and date or using NTP to automatically configure the time and date) to ensure the logs can easily be interpreted. For more information about configuring the time and date on PIX/ASA firewalls, understand the Cisco ASA and PIX Firewall Handbook (Cisco Press).

Configuring Console, Monitor, or ASDM Logging Console, monitor, and ASDM logging all function in a similar way because almost all designed to output the logging results to the management interface (the CLI in the example of console and monitor logging or maybe the ASDM GUI in the example of ASDM logging). Consequently, they each use similar variations within the logging command. One which just enable any particular means of logging, the first thing is usually to enable logging in general on the firewall by running the command logging on within the global configuration mode of execution. This command is the identical command for a lot of versions of PIX/ASA software.

To permit console logging run the command logging console [logging-list | level]. The logging-list syntax means that you can consult a listing of defined logging level, event class, and message IDs that were previously defined by the logging list name level level [class event-class] command. How much syntax defines the ideal standard of system log messages to log. For instance, if you'd like to log debug level and below, you operate these commands:

houqepixfw01(config)# logging on   houqepixfw01(config)# logging console debug %PIX-5-111008: User 'enable_15' executed the 'logging console debug' command. %PIX-3-710003: UDP access denied by ACL from 10.21.120.178/137 to   inside:10.21.121.255/137

This command causes the firewall to showcase all log messages to the console session of the firewall. You might be Telnet or SSH to touch base towards the firewall and you also desire the log messages display inside Telnet or SSH session, run the logging monitor [logging-list | level] command. This makes the firewall to log all messages to Telnet or SSH sessions, however will not be displayed into the active Telnet or SSH session unless you want to also run the command terminal monitor. Terminal monitor enables the display in the syslog messages for this Telnet or SSH session. As an example, if you wish to log debug level and below and display the syslog messages around the current SSH session, run this particular commands:

houqepixfw01(config)# logging on   houqepixfw01(config)# logging monitor debug houqepixfw01(config)# terminal monitor %PIX-5-111008: User 'enable_15' executed the 'terminal monitor' command.

%PIX-3-710003: UDP access denied by ACL from 10.21.120.178/137 to     inside:10.21.121.255/137

You could stop the display of syslog messages, while still finding the firewall perform monitor logging, by running the command terminal no monitor. These commands offer the same for all versions within the PIX/ASA software.