Best Practices


This section presents some important methods for improving AAA performance on the PIX Firewall and for avoiding a lockout situation. The following is a list of such good practices:

  • If you are running PIX Version 6.3.4 or later, create a local user and configure the LOCAL user database as a fallback, so that you can still log in to the PIX if there is a communication problem between the PIX and the AAA server.

  • When TACACS+ authorization is configured for pass-through traffic, do not enable accounting for all traffic. Otherwise, the PIX generates a very large number of accounting records for a single PIX Firewall, because every permitted connection produces its own records.

  • When configuring cut-through proxy for HTTP(S), do not set the absolute uauth timeout to zero. A browser usually opens multiple connections to the web server to load a single page; with an absolute timeout of zero, the cached authentication is discarded after each connection, so you are prompted for credentials multiple times for one page. This is not an issue for FTP and Telnet.

  • If you have a backup RADIUS server configured, configure a deadtime for the RADIUS server group to improve performance: a server that has stopped responding is then skipped for the deadtime period instead of being retried (and timed out) on every request before the backup is tried.

  • If a web server requires its own authentication in addition to the cut-through proxy authentication performed by the PIX Firewall, always configure virtual Telnet and virtual HTTP on the PIX Firewall. Additionally, use virtual Telnet when you need to authenticate or authorize a port that cannot itself be used as an authentication service (only HTTP, HTTPS, Telnet and FTP can). One such protocol is SMTP (TCP/25): if you need the PIX Firewall to authenticate users before allowing SMTP, configure virtual Telnet so that the user can authenticate first.

  • Do not configure console authentication for PIX Device Manager (PDM) with a one-time token card (for example, SDI), because when PDM starts up it makes multiple HTTP/HTTPS connections to the PIX to retrieve the configuration and other information, and each connection is authenticated separately against the AAA server. Because the one-time password changes at fixed time intervals, the first one or two connections authenticate successfully, but authentication for the subsequent connections fails.
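The following PIX 6.3(4)-style configuration applies the practices above in one place. It is an added example written for this page, not a configuration from the book: the interface names, the 10.x server and client addresses, the 192.168.100.x virtual addresses, the server-group tags, the shared keys and the access-list names are all assumed values. Lines marked WRONG are the settings the list warns against and are left commented out next to the corrected form.

```cisco
! Hypothetical PIX 6.3(4) configuration (example only, not from the book).
! Assumed: inside interface, AAA servers on 10.1.1.x, clients on 10.0.0.0/8,
! virtual addresses 192.168.100.x, keys tacacskey/radiuskey.

! --- Server groups ------------------------------------------------------
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.1.1.10 tacacskey timeout 5
aaa-server RADIUS protocol radius
! A RADIUS server that stops answering is skipped for 10 minutes instead of
! being retried and timed out on every request, so the backup answers at once.
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host 10.1.1.20 radiuskey timeout 5
aaa-server RADIUS (inside) host 10.1.1.21 radiuskey timeout 5
aaa-server LOCAL protocol local

! --- Local fallback for device access (prevents lockout) ----------------
username admin password s3cretpw privilege 15
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
! PDM opens several HTTPS connections at startup; authenticate them against
! TACACS+ (with LOCAL fallback), never against an SDI one-time-token group.
aaa authentication http console TACACS+ LOCAL

! --- Cut-through proxy for inside users going out -----------------------
access-list AUTH_OUT permit tcp 10.0.0.0 255.0.0.0 any eq www
access-list AUTH_OUT permit tcp 10.0.0.0 255.0.0.0 any eq https
access-list AUTH_OUT permit tcp 10.0.0.0 255.0.0.0 any eq ftp
access-list AUTH_OUT permit tcp 10.0.0.0 255.0.0.0 any eq telnet
! SMTP cannot carry a credential prompt, so it is permitted only once the
! user already holds a uauth entry obtained through virtual Telnet below.
access-list AUTH_OUT permit tcp 10.0.0.0 255.0.0.0 any eq smtp
aaa authentication match AUTH_OUT inside TACACS+
aaa authorization match AUTH_OUT inside TACACS+

! Virtual HTTP keeps the PIX credential prompt separate from the web
! server's own login; virtual Telnet gives users a place to authenticate
! before using SMTP. Both addresses must be unused and routed to the PIX.
virtual http 192.168.100.1
virtual telnet 192.168.100.2

! WRONG: an absolute timeout of zero drops the uauth entry after every
! connection, so a browser loading one page prompts several times.
! timeout uauth 0:00:00 absolute
! RIGHT: keep the 5-minute absolute timeout plus an inactivity timeout.
timeout uauth 0:05:00 absolute uauth 0:02:00 inactivity

! --- Accounting ---------------------------------------------------------
! WRONG: records for every permitted connection from this one PIX.
! aaa accounting include any inside 0 0 0 0 TACACS+
! RIGHT: account only for the sessions you actually need to audit.
access-list ACCT permit tcp 10.0.0.0 255.0.0.0 any eq telnet
access-list ACCT permit tcp 10.0.0.0 255.0.0.0 any eq ftp
aaa accounting match ACCT inside TACACS+
```

After applying it, `show uauth` should list one cached entry per authenticated user while a browser loads a page, rather than repeated prompts, and `telnet 192.168.100.2` from an inside host should authenticate the user before an SMTP connection is allowed through.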



Cisco Network Security Troubleshooting Handbook
ISBN: 1587051893
Year: 2006
Pages: 190
Authors: Mynul Hoda
