
Cisco PIX Firewalls: Configure, Manage, & Troubleshoot
Comprehensive Frequently Asked Questions
Q: How do I convince my managers of the need for security and get more funding?
A: Unfortunately, managers in many organizations have not expanded their definition of business risk to include risk to information assets. The problem is that most other risks are quantifiable, and it is a straightforward calculation to determine how much money should be spent to mitigate them, if any. Information security is a thornier problem in that hard-and-fast numbers are not available to let an organization determine how likely it is to experience a security incident and how much that incident will cost. It is becoming easier to estimate these numbers from industry surveys and direct loss experience, but the seemingly random nature of attacks makes such quantification tough.
Management often views information security as spending money (often lots of it) to protect against something that might never happen. It frequently takes an actual serious breach or worm infestation to "shake the money tree." In the (fortunate) absence of such an event, collect as much data as you can. Participate in trade groups and information security associations so you can talk to others in your industry or field. Document carefully the risks and threats you face, along with the business benefits the spending will produce. The need for security is real, and you must convince your management of that.
Q: How can I get a policy developed when my company takes a very casual and trusting approach to security?
A: Talk to the various stakeholders in your company about what they perceive as the key risks. Every company has risks, and the company culture does not change that. Try to convince the stakeholders of the benefits of protecting information assets, if not from employees, at least from outside attackers. Creating an acceptable use policy is a great start.
Q: I do not have enough staff to adequately manage security. How can I keep on top of everything?
A: You need to prioritize your activities and automate wherever possible. Perform a risk analysis, evaluate where the greatest threats are, and do what is necessary to protect against them. Build a secure baseline configuration for all your OS platforms from which all new systems are built. Develop a good configuration management process to make it easier to stay current on patches. By making a strong initial effort to secure your network, you will experience less tactical firefighting.
Q: I have a new Web application that needs to communicate with a database server on my internal LAN. How do I make this application secure with my firewall?
A: Place your Web server on the DMZ network. Create rules to filter traffic from the outside coming into your Web server: the only accessible ports should be HTTP (TCP 80) and/or HTTPS (TCP 443) plus any others the application genuinely needs. Then restrict traffic from the DMZ into the inside network so that it may come only from the Web server's IP address and go only to the database server's IP address and destination port number(s); everything else from the DMZ toward the inside should be denied and logged, so that a compromised Web server cannot reach anything but the one database port. Monitor this backend connection continuously, and deploy network-based intrusion detection on the DMZ as well as host-based intrusion detection on the Web and database servers to detect malicious activity.
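The following PIX 7.0 configuration is an added example of the design described above; it is not from the book. The interface names, addresses (documentation ranges), the database port (TCP 1433, a SQL Server listener is assumed) and the access-list names are assumptions for illustration:

```cisco
! Three interfaces: outside (untrusted), dmz (Web server), inside (database).
! Addresses are assumed; adjust to your own.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
 no shutdown
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
 no shutdown
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
 no shutdown

! Publish the DMZ Web server (172.16.1.10) on the public address 203.0.113.10.
static (dmz,outside) 203.0.113.10 172.16.1.10 netmask 255.255.255.255

! Let the DMZ reach the database server by its real inside address
! (identity translation; only required when nat-control is enabled).
static (inside,dmz) 10.1.1.20 10.1.1.20 netmask 255.255.255.255

! From the Internet: only HTTP and HTTPS to the Web server. Everything
! else is dropped by the implicit deny at the end of the list.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq www
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq https
access-group OUTSIDE_IN in interface outside

! From the DMZ: only the Web server, only to the database server, only on
! the database port. Log every other attempt so a compromised Web server
! probing the inside shows up in syslog.
access-list DMZ_IN extended permit tcp host 172.16.1.10 host 10.1.1.20 eq 1433
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz

! The PIX's built-in signature engine on the DMZ as a first IDS layer
! (a dedicated network sensor is still recommended).
ip audit name DMZ_ATTACK attack action alarm drop
ip audit interface dmz DMZ_ATTACK
```

Note that the DMZ_IN list also blocks the Web server from initiating anything toward the Internet (DNS lookups, patch downloads); if it needs that, add explicit permits for those destinations and ports above the final deny rather than loosening the database rule.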
Q: How do I recover my password from my Cisco PIX firewall?
A: Password recovery on the Cisco PIX requires you to download a recovery program from Cisco that matches the exact software version running on the PIX you are recovering. The program is loaded either from a floppy drive on older PIX firewalls such as the 520 or from a TFTP server on newer PIX firewalls. Press the ESC key within 10 seconds of booting the PIX to enter monitor mode. In monitor mode you configure the interface, its temporary address, and the TFTP server address, and also a gateway (if the server is on another subnet) and the filename of the recovery tool. The tftp command starts the download, after which you are prompted to erase the passwords. Because this procedure needs nothing but console access, protect physical access to the firewall and its console port: anyone who can reach them can wipe the passwords.
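The session below is an added illustration of that monitor-mode procedure, not a transcript from the book. The addresses are assumptions; the file name follows Cisco's npNN.bin naming for the running version (np63.bin is assumed here for 6.3), and the lines beginning with "!" are annotations, not monitor-mode input:

```cisco
! Press ESC during the first 10 seconds of boot to reach the monitor> prompt.
monitor> interface 1
! Ethernet interface that is cabled to the TFTP server
monitor> address 10.1.1.1
! temporary address for that interface
monitor> server 10.1.1.50
! TFTP server holding the recovery file
monitor> gateway 10.1.1.254
! only needed when the server is on another subnet
monitor> file np63.bin
! recovery program for the exact software version installed
monitor> tftp
! ... the file downloads and runs ...
Do you wish to erase the passwords? [yn] y
```

After answering y the Telnet and enable passwords are cleared, the PIX reboots, and you should set new ones immediately with passwd and enable password before reconnecting the unit to the network.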
Q: What are the Cisco PIX default passwords?
A: The default Telnet password is cisco and the enable password is blank. Change both before the firewall goes into service: passwd sets the Telnet/SSH login password and enable password sets the privileged password.
Q: What is the default IP address for my Cisco PIX firewall?
A: For the Cisco PIX 501, 506, 506E and the 515, the default IP address on the inside interface is 192.168.1.1, and the outside interface is configured to obtain its address via DHCP from the ISP.
Q: How do I clear an existing configuration so I can start over?
A: For the PIX 501 and 506, you can use the configure factory-default command, which puts the PIX back to factory specifications, including the IP addresses. You can also clear the running configuration and then write memory to blank the startup configuration (write erase followed by a reload has the same effect on the startup configuration). A final option is the clear all command. Whichever you use, save a copy of the current configuration off the box first.
Q: How do I upgrade my old Cisco PIX to 7.0 code?
A: For the PIX 501 and 506, the word is sorry: you cannot upgrade to 7.0 yet. Owners of the 515E, 525 and 535 must first upgrade to 6.3 from whatever version they are running, and can then upgrade to 7.0. Check the 7.0 release notes for the memory your model needs, since 7.0 raised the requirements, and keep the 6.3 image and a saved configuration so you can back out.
Q: Does the 7.0 code on the Cisco PIX support IPv6?
A: Yes. One of the features of the 7.0 code is that you can configure IPv6 either by enabling IPv6 processing on an interface or by explicitly assigning an IPv6 address. To enable IPv6 processing on an interface (a link-local address only), use the ipv6 enable command. To give an interface a stateless autoconfigured address, use ipv6 address autoconfig; a static address is assigned with ipv6 address followed by the address and prefix length.
Q: Could I use a static command with a netmask option instead of the nat 0 access-list command to configure public IP addresses inside the PIX?
A: Although this configuration will work, it opens the firewall to vulnerabilities if an access list is misconfigured. Use nat 0 access-list if you can.
Q: Why do I have to issue a clear xlate after I make changes?
A: The xlate (translation) table is maintained by the NAT process of the PIX. When you change the nat, global or static commands that drive that process, entries built under the old rules can remain in the table or become stuck, so traffic keeps being translated the old way. This causes unpredictable results and creates a security risk. clear xlate flushes the table so new translations follow the new rules; note that it also tears down the connections that were using those translations.
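As an added example covering the two preceding questions (not from the book), the following PIX 7.0 configuration carries a public subnet through the firewall untranslated, shows both the nat 0 access-list form the book prefers and the static-with-netmask alternative, and ends with the clear xlate step. The subnet, host and access-list names are assumptions:

```cisco
! Public block 203.0.113.0/24 is used unchanged on the inside.

! 1) NAT exemption: hosts matched by the access list pass untranslated.
access-list NO_NAT extended permit ip 203.0.113.0 255.255.255.0 any
nat (inside) 0 access-list NO_NAT

! 2) The static-with-netmask alternative (works, but not preferred):
!    an identity translation for the whole subnet.
! static (inside,outside) 203.0.113.0 203.0.113.0 netmask 255.255.255.0

! Either way the translation alone permits nothing inbound; sessions
! from the outside still need an access list on the outside interface.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.25 eq smtp
access-group OUTSIDE_IN in interface outside

! After changing nat, global or static commands, flush translations built
! under the old rules. This drops the connections using them, so on a
! busy firewall do it in a maintenance window.
clear xlate
show xlate
```

The show xlate after the clear should be empty apart from translations created by new traffic; any entry that still shows the old mapping means a nat or static command is still in effect somewhere in the configuration.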
Q: Should I move all my servers into a DMZ?
A: DMZs are very helpful in containing security risks for publicly accessible servers. If a server is not accessible to the outside world, there is probably no good reason to move it into a DMZ. If you do not trust the inside users, that is another story.
Q: Why should I use private IP addresses inside my network if I have enough public address space?
A: Using private (RFC 1918) address space inside your network can provide many advantages to a corporation. The amount of address space available allows for increased flexibility in the network design and room for expansion, and internal hosts are not directly addressable from the Internet unless you create a translation for them. However, private addresses are not for everyone, and many universities and other institutions that have large amounts of IP address space use public addressing in their networks.
Q: Can I monitor and manage remote PIX firewalls using ASDM from a central facility or other offsite locations?
A: Yes. Using the http command via the CLI or ASDM, you can authorize an IP range or a specific IP address for access to ASDM. The ASDM connection runs over HTTPS, so it is encrypted. Restrict the permitted source addresses to your management stations rather than opening ASDM to the Internet.
Q: Can I set up AAA for administrative connectivity to the PIX firewall using ASDM?
A: Yes. ASDM includes full AAA configuration functionality. Additionally, you can use ASDM to configure the PIX to require AAA for ASDM access itself.
Q: Do I need a special license to enable ASDM on my PIX firewall?
A: Yes. You need a DES or 3DES activation key from Cisco before ASDM will function properly. A 56-bit DES key is available free. The 168-bit 3DES key is available from Cisco at an additional cost.
Q: Does ASDM include VPN maintenance functionality?
A: Yes. VPN maintenance functionality is available in ASDM. Additionally, ASDM includes VPN functionality not present in the CLI, such as the VPN Wizard.
Q: Can I use ASDM to manage multiple PIX firewalls at once?
A: Yes, but a separate instance of ASDM must be launched for each firewall.
Q: What happens when FTP protocol inspection is not enabled?
A: There are several cases:
■ Outbound active FTP sessions will not work, because the outside servers will not be able to open a data channel back to an inside client.
■ Outbound passive FTP sessions will work normally if outbound traffic is not explicitly disabled, because all connections in this case are initiated by the inside client.
■ Inbound active FTP connections will work normally if there is a static NAT entry and an access list allowing outside clients to connect to the inside server, because the data channel is then opened outbound by the inside server.
■ Inbound passive FTP connections will not work, because outside clients will not be able to open data connections to the inside server.
Q: I have a PIX and an SMTP server configured on its inside network. Sometimes I get two copies of incoming mail messages. What is wrong with my server?
A: Nothing is wrong with the server; there is a slight misbehavior on the PIX side. You probably have SMTP protocol inspection configured. Some versions of PIX software send an error message to relaying servers when the final dot of the message body and the following <CR><LF> do not arrive in the same IP packet. In this case your internal server accepts the message for delivery, but the outside relaying server treats the response as an error and attempts delivery again. Most of the time this condition does not happen twice in a row, so the second delivery goes through without error and you receive two copies of the same message. If this really irritates you, you can turn SMTP protocol inspection off, but you then lose the command filtering and banner masking it provides, so check first whether a newer software version fixes the behavior.
Q: The old way of configuring application inspection, with the fixup command, seemed more straightforward. Why do I have to enter so many commands now to accomplish the same result?
A: Although the Modular Policy Framework (MPF) may seem more complex than the old way of configuring application inspection, it has several advantages. For example, with MPF you can reuse traffic class definitions or policy maps, which simplifies repetitive application inspection configurations, and you can apply inspection to non-standard ports or to specific traffic rather than globally. Also, the MPF used for application inspection is very similar to the Modular QoS CLI used to configure quality of service on IOS-based routers, so knowledge of one results in instant familiarity with the other.
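Below is an added MPF example (not from the book) that ties together the three preceding questions: it shows the default 7.0 inspection policy, how to switch off SMTP inspection alone for the duplicate-mail case, and how a class is reused to give an FTP server on a non-standard port the same data-channel handling as port 21. The class-map and policy-map names inspection_default and global_policy are the ones 7.0 creates by default; FTP_ALT and port 2121 are assumptions:

```cisco
! Default inspection policy in 7.0 (replaces the old fixup commands);
! only three of the default inspections are listed here.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect esmtp
  inspect dns maximum-length 512
service-policy global_policy global

! Turn off SMTP inspection only, leaving every other inspection in place.
policy-map global_policy
 class inspection_default
  no inspect esmtp

! Reuse: an extra class for an FTP server listening on TCP 2121, attached
! to the same global policy so the PIX opens its data channels exactly as
! it does for port 21.
class-map FTP_ALT
 match port tcp eq 2121
policy-map global_policy
 class FTP_ALT
  inspect ftp
```

Verify the result with show service-policy, which lists each class, the inspections attached to it, and the packet counters, so you can confirm that traffic is actually hitting the FTP_ALT class.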
Q: Since the PIX firewall supports so much routing functionality, why do I need routers on my network? Can't I just use the PIX for any routing requirements?
A: Although the PIX does support a number of routing features, there are still others that are not present. For example, auto-RP and BSR for PIM multicast routing are not supported. As well, dynamic routing with RIP and OSPF is not as robust, in that the number of options and subfeatures present in the PIX is smaller than in a true router. Finally, many routers participate in routing protocols over non-Ethernet interfaces such as Frame Relay or ATM; the PIX firewall does not have these interface options.
Q: Is it possible to filter e-mail content in any way similar to Web content filtering?
A: No. The PIX does not inspect the contents of TCP packets related to e-mail (SMTP inspection checks only the protocol commands, not the message body), and it currently does not support any outside content-filtering servers for e-mail the way it does for URL filtering.
Q: I turned on Web filtering, and now certain Web sites, such as Windows Update, Hotmail, and certain Web forms, do not display correctly.
A: Not all Web sites work well with URL filtering. You can exempt these sites from filtering using the filter url except command.
Q: I have two links to my ISP, and I turned on RPF. Now half of my traffic is being denied by the PIX. What should I do?
A: The only solution here is to turn unicast RPF verification (ip verify reverse-path) off on the affected interface. It simply does not work with asymmetric routing, where the reply to a packet may arrive on a path other than the one the packet left by: the PIX sees a source address on an interface its routing table does not associate with that address and drops the packet as spoofed.
Q: What is the advantage to running my DHCP server on my PIX firewall rather than on a stand-alone server?
A: The main advantage is simplifying your network infrastructure by having fewer hosts. Combining firewall and DHCP services on the same PIX firewall lets you manage only that one device rather than managing and maintaining a separate server. The PIX DHCP server is a basic one, though: its pool sizes are limited by model and it serves only the subnets directly attached to its interfaces, so larger networks usually keep a dedicated server.
Q: How do I know if I should use static or dynamic routing?
A: In general, you should always choose the simplest routing solution that satisfies your needs. Therefore, static routing is preferred over dynamic routing, since it has lower overhead and less complexity. Where your network has a small and unchanging number of routes to each destination, static routing should be sufficient. In other cases, when the PIX needs to make a routing decision based on other factors, you will need to use one of its supported dynamic routing protocols.
Q: When should I enable queuing and policing?
A: Quality of service, including queuing and policing, is generally needed when you have multiple types of traffic on your network and some types need priority over others. A good example is a network carrying voice or video; since voice and video are very sensitive to delay, they need to be given priority over other traffic. In this case, you should enable queuing to prioritize the voice and video traffic.
Q: When should I use EasyVPN?
A: EasyVPN is most useful when you have many endpoints and you wish to push the policy settings out to them rather than configuring them all manually. This is most often appropriate when you control all the endpoints. If a third party controls an endpoint, they may wish to manually control the policy settings of that device rather than have you push out configuration from your EasyVPN server.
Q: Are there AAA protocols other than RADIUS and TACACS+?
A: Yes. We identified and briefly discussed TACACS and XTACACS, which are no longer supported by Cisco and are not used much anymore. In addition, you can choose from NTLM (Windows), SecurID, Kerberos, and LDAP, depending on your application requirements.
Q: I am interested in implementing a cheap or free AAA server; is there such a thing, or do I have to buy Cisco's version?
A: Open source can be a wonderful thing. Cisco's own TACACS+ server was released to the public, has been modified over time, and is available at http://www.gazi.edu.tr/tacacs/index.php?page=download. For a free RADIUS server, there is FreeRADIUS, available at http://www.freeradius.org/.
Q: I am new to configuring the PIX firewall and am unsure if I have configured AAA correctly. Is there a way that I can check my configuration?
A: Sure: don't save it to flash yet (you DID read the warnings and notes scattered throughout the book about this, right?) and try it. Test from a second session while your first session stays logged in, so that if the new AAA settings lock you out you can still back them out, or simply reload the PIX to return to the saved configuration. You can enable debugging of AAA to see exactly what is happening and when.
Q: Does the PIX firewall support AAA for authenticating Cisco software VPN clients?
A: Yes. The PIX provides support for AAA authentication of Cisco VPN clients using xauth.
Q: Can I use AAA to keep certain users from using certain commands?
A: Absolutely. You can assign privilege levels to commands and then, using command authorization, assign allowed privilege levels to each user.
Q: Do I have to use a AAA server? I just have a single PIX firewall.
A: No, you can use the local AAA database on the PIX itself.
Q: Do I have to use the command line interface to configure AAA on the Cisco PIX?
A: No. ASDM, the Web-based management tool for the Cisco PIX, lets you completely configure AAA on the PIX using the GUI instead of the CLI.
Q: Someone else configured my Cisco PIX for AAA. How can I tell how my AAA is configured?
A: All you need to do is use the show aaa-server command, which gives you detailed information on all configured AAA servers on the PIX firewall.
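The configuration below is an added example (not from the book) of the AAA setup discussed in the preceding questions: a TACACS+ server group with the local database as fallback, local users at two privilege levels, command authorization, and the commands used to check the result. Server address, shared key, usernames and passwords are assumptions; the syntax is PIX 7.0:

```cisco
! TACACS+ server group with LOCAL as fallback, so a dead AAA server or a
! mistyped key cannot lock administrators out.
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 10.1.1.30
 key S3cr3tTacacsKey
 timeout 5

! Local accounts used as the fallback and for command authorization.
username admin password Adm1nP4ss privilege 15
username helpdesk password H3lpD3sk privilege 5

! Authenticate SSH, ASDM and enable-mode access via TACACS+, then LOCAL.
aaa authentication ssh console TACACS LOCAL
aaa authentication http console TACACS LOCAL
aaa authentication enable console TACACS LOCAL

! Command authorization against local privilege levels: a level-5 user
! (helpdesk) may run these show commands but cannot change configuration.
privilege show level 5 command xlate
privilege show level 5 command conn
privilege show level 5 command running-config
aaa authorization command LOCAL

! Verification before write memory, from a second session while the
! first stays logged in:
show aaa-server
test aaa-server authentication TACACS host 10.1.1.30 username admin password Adm1nP4ss
debug aaa authentication
```

Leave the console session open until the new login has been proven from the second session; if the debug output shows the TACACS+ request timing out, check the key and the reachability of 10.1.1.30 before saving anything.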
Q: I see an error message such as "201008: The PIX is disallowing new connections." Now my PIX will not pass any inbound or outbound traffic. What has happened?
A: Your Cisco PIX is configured to use TCP syslog, and something has happened to break the TCP connection between the PIX and the syslog server. It could be that the service has stopped or that the allocated message storage is full. By design, the PIX stops accepting new connections when it cannot deliver reliably to a TCP syslog host. Either correct the problem on the server or use the UDP syslog service; on 7.0 the logging permit-hostdown command lets the PIX keep passing traffic while the TCP server is down, at the cost of losing the messages sent in the meantime.
Q: I have configured syslog on my PIX firewall, and the syslog server has been configured. However, no messages are being logged. What is wrong?
A: On both the PIX and the syslog server, the protocol and port number need to be the same. In addition, make sure that the facility is the same; the default is local4 (20), so if you have changed this setting, it needs to be changed on both sides. Also confirm that logging is actually enabled on the PIX and that the logging trap level is high enough to include the messages you expect, and that nothing between the PIX and the server (including the PIX's own access lists) blocks the syslog port.
Q: When I poll my PIX using SNMP, the throughput performance of the PIX degrades. What can I do?
A: If too many SNMP OIDs are being polled at once or too often, the PIX processor can be overloaded to the point where throughput suffers. Check your SNMP management station and see which variables are being polled and how often. A second SNMP issue can be that the severity level of syslog messages forwarded as SNMP traps (set with logging history) is too verbose, so too many traps are being sent to the SNMP management station. A classic example is that the level has been set to debugging to troubleshoot a problem and then forgotten about until a performance degradation is noticed.
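As an added example covering the three preceding logging and SNMP questions (not from the book), here is a PIX 7.0 logging configuration with the UDP and TCP syslog options, the facility setting, and a trap level capped so that a debugging level left behind after troubleshooting cannot flood the SNMP station. Server addresses, the community string and port numbers are assumptions:

```cisco
! Enable syslog with timestamps. "logging enable" is the 7.0 form;
! 6.x uses "logging on".
logging enable
logging timestamp
! Messages at informational and above go to the syslog server.
logging trap informational
! local4 (20) is the default facility; the server must use the same one.
logging facility 20

! UDP syslog on the default port 514: fire and forget, never blocks traffic.
logging host inside 10.1.1.50

! TCP syslog alternative (reliable delivery). Without permit-hostdown the
! PIX refuses new connections when the server is unreachable (201008).
! logging host inside 10.1.1.50 tcp/1470
! logging permit-hostdown

! SNMP: read-only community for polling, traps to the management station,
! and the syslog-to-trap level capped at warnings so that a debugging
! level set elsewhere does not translate into a flood of traps.
snmp-server community MonitorOnly
snmp-server host inside 10.1.1.60 trap community MonitorOnly
snmp-server enable traps syslog
logging history warnings
```

If nothing arrives at the server, show logging on the PIX shows whether logging is enabled, the trap level, and per-host counters; a rising counter with nothing received points at the path or the server rather than the PIX configuration.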
Q: When I use ASDM to view graphs under the Monitoring tab, the time is incorrect.
A: ASDM assumes that the PIX clock is set to UTC. It then adds or subtracts the difference between UTC and your workstation's time zone, and the result is what appears on the graphs. The situation is easily corrected with the clock command: set the PIX time zone with clock timezone (and clock summer-time if daylight saving applies) so that the stored time and the displayed time agree.
Q: I have configured my PIX firewall to use authenticated NTP, but I cannot connect to the time server. Why not?
A: Authenticated NTP requires the use of authentication keys. The key ID and the key itself must match on the PIX and the NTP server, and on the PIX the key must also be marked as trusted and referenced by the ntp server command. If they do not match, the PIX will not accept updates from the NTP server.
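The following is an added example (not from the book) of the clock and authenticated NTP settings discussed in the two preceding questions, with the commands to check that the association actually forms. The time zone, server address and key are assumptions:

```cisco
! Time zone so that ASDM graphs and syslog timestamps line up.
clock timezone EST -5
clock summer-time EDT recurring

! Authenticated NTP: the key number and the MD5 key string must match
! the server's configuration, and the key must be marked trusted.
ntp authenticate
ntp authentication-key 1 md5 NtpSharedSecret
ntp trusted-key 1
ntp server 10.1.1.40 key 1 source inside prefer

! Verification: the association should show the server as synchronised.
show ntp associations
show ntp status
```

If show ntp associations lists the server but show ntp status never reports synchronisation, the usual cause is a key mismatch or a key ID that is configured but not in ntp trusted-key.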
Q: Which IKE lifetime parameters are supported?
A: Although there are two parameters, time lifetime and volume lifetime, only the former is currently supported, so the output of show isakmp policy will always show a "no volume limit" setting.
Q: All IPsec connections are dropped when I reapply a crypto map to the interface. Is this normal behavior?
A: Yes. When a crypto map is applied to an interface, all internal IPsec-related structures such as the SPD and SAD are reinitialized, so all SAs are deleted and all tunnels are dropped. Unfortunately, for any change in a crypto map to become effective, it has to be reapplied.
Q: I cannot establish a VPN to Check Point VPN-1. What should I do?
A: Ensure that all parameters match exactly on both sides. VPN-1 might refuse the connection if the PIX offers MD5 and SHA-1 but its corresponding "Interoperable Device" object in VPN-1 has been configured with only SHA-1.
Q: I have done that, and I still get the errors "No valid SA" and "Identity doesn't match negotiated identity."
A: Go over the crypto access lists again. Networks, network masks, and hosts have to match on both sides, as mirror images of each other. If one side attempts to negotiate a tunnel for a single host and the other side expects a subnet, the tunnel will fail. Be aware also that VPN-1 will by default supernet adjacent networks during IKE negotiation, which breaks tunnels to Cisco PIX and other devices; define the networks on the VPN-1 side so that they correspond one-to-one with the PIX access list entries.
Q: My Internet connectivity drops after I establish a VPN connection with the PIX using a VPN client. What is the cause of this problem?
A: Without split tunneling, all of the client's traffic, including its Internet traffic, is sent through the tunnel to the PIX, which must then send it back out the same outside interface. Most probably you did not permit traffic between interfaces of the same security level, which that hairpin requires. Enable this feature using the same-security-traffic permit intra-interface command, or configure split tunneling so that only corporate traffic enters the tunnel.
Q: What client versions are supported with PIX v7.0?
A: VPN Client v4.0 and higher can be used with PIX v7.0.
Q: What is the best method to monitor failover on a daily basis? When the primary firewall fails, how will I know?
A: The PIX firewall generates syslog messages for all failover events, including any errors. The best way to monitor failover is to check syslog messages regularly. Failover messages are generated at the highest severity levels, alert (1) and critical (2), so they are included even at a conservative logging level. It is recommended that you install a syslog-watching program to alert you when a failover error or switchover occurs, and that you check show failover periodically to confirm that the standby unit is still healthy.
Q: When configuring failover, how should I deal with unused interfaces?
A: If you are not using a particular interface, our recommendation is to shut it down administratively. If it is not administratively shut down, the PIX firewall will use the interface as a part of failover monitoring, and you will need to assign it system and standby IP addresses and connect it to the corresponding interface on the other firewall. Alternatively, you can remove the interface from monitoring with the no monitor-interface command.
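The configuration below is an added example (not from the book) of the LAN-based active/standby failover setup discussed in the two preceding questions, as entered on the primary unit in PIX 7.0 syntax: a dedicated failover link, an unused interface shut down, a named interface excluded from monitoring, and standby addresses on the monitored interfaces. Interface assignments, addresses and the failover key are assumptions:

```cisco
! Ethernet3 is the dedicated failover/state link; Ethernet4 is unused.
interface Ethernet3
 description failover link
 no shutdown
interface Ethernet4
 shutdown
! Unused and administratively down: not monitored, needs no addresses.

! Monitored data interfaces carry a standby address so the two units can
! probe each other through them.
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
 no shutdown
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0 standby 172.16.1.2
 no shutdown

! Failover definition on the primary unit; the secondary uses
! "failover lan unit secondary" with the same link settings.
failover lan unit primary
failover lan interface FOLINK Ethernet3
failover link FOLINK Ethernet3
failover interface ip FOLINK 192.168.254.1 255.255.255.252 standby 192.168.254.2
! Shared key authenticates and encrypts failover messages on the link.
failover key FoKeyS3cret

! The DMZ switch is cabled to one unit only for now, so stop failover
! from counting that interface as failed.
no monitor-interface dmz

failover

! Check state and interface health after both units are up.
show failover
```

Once show failover reports the other unit as "Standby Ready", remove the no monitor-interface dmz line as soon as the DMZ is cabled on both units; an unmonitored interface can fail silently without triggering a switchover.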
Q: Load balancing based on context is not granular enough for our business requirements. Does the PIX firewall offer load balancing per conversation?
A: The PIX firewall does not have built-in load balancing. Active/active failover can be used only by assigning specific contexts to one of two failover groups; therefore, each context can have one and only one active firewall at any time. If per-conversation load balancing is required, we recommend that the failover feature on the PIX firewall be disabled and that a load-balancing device such as the Cisco Content Switch be used for this purpose. Although the load-balancing device will offer true load balancing per conversation, it will not be able to provide stateful capabilities. In case of a failure, all client sessions will be dropped and will need to be reestablished.
Q: Can I place a router between the primary and secondary PIX firewall LAN-based failover connection?
A: No. You can only use a hub, a switch, or a dedicated VLAN on a switch. The LAN-based failover interfaces of both firewalls must be in the same VLAN and the same subnet. Unless your router is running in transparent bridging mode, it will not work.
Q: I suspect a key mismatch between my IKE peers. What can I do to verify that?
A: You can check the syslog messages, which will display information about these types of errors. You can also use show crypto isakmp to view the configuration, and debug crypto isakmp to watch the negotiation itself; a pre-shared key mismatch typically shows up as the peer rejecting the main-mode exchange after the identity payload.
Q: What is the latest version of PIX software that supports Token Ring and FDDI interfaces?
A: Version 5.3. Versions after that have no support for Token Ring or FDDI.
Q: How do I determine how much memory is installed on my PIX firewall?
A: Use either the show version command or the show memory command.
Q: In a failover configuration, what determines which firewall is active and which is standby?
A: With cable-based failover, the serial failover cable that Cisco provides is asymmetric: its two ends are labeled Primary and Secondary, and the unit connected to the Primary end becomes the primary unit, which is active when both units boot together, while the unit on the Secondary end becomes standby. With LAN-based failover the same roles are set in the configuration using the failover lan unit primary and failover lan unit secondary commands. In either case, if the active unit fails, the standby unit takes over regardless of its primary or secondary designation.