Introduction to the CIPS 5.x Command-Line Interface

The CIPS 5.x CLI provides a user interface for all direct connections to the AIP-SSM (e.g., Telnet, SSH, and session from the ASA). This section covers:

  • How to log in to the AIP-SSM via the CLI
  • CLI command modes
  • Initial AIP-SSM configuration

Logging In to the AIP-SSM via the CLI

You can connect to the AIP-SSM CLI via the ASA backplane using the session command, or by initiating an SSH or Telnet connection via the external management Ethernet port.

Note

The Cisco ASA session command is covered in detail in Chapter 13, "Intrusion Prevention System Integration."

The default username is cisco and the default password is cisco. The user is forced to change his password after the first login. Example 14-2 shows the user cisco successfully logging in to the AIP-SSM CLI via the ASA backplane using the session command.

Example 14-2. Logging In to the CLI

Chicago# session 1
Opening command session with slot 1.
Connected to slot 1. Escape character sequence is 'CTRL-^X'.

login: cisco
Password:
Last login: Tue Feb 1 12:53:12 from 127.0.1.1

***NOTICE***
This product contains cryptographic features and is subject to United States
and local country laws governing import, export, transfer and use. Delivery
of Cisco cryptographic products does not imply third-party authority to import,
export, distribute or use encryption. Importers, exporters, distributors and
users are responsible for compliance with U.S. and local country laws. By using
this product you agree to comply with applicable laws and regulations. If you
are unable to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

ChicagoSSM#

Note

There are four major user account roles that determine which operations a user is allowed to perform. They are covered later in this chapter under "User Administration."

 

CLI Command Modes

The CIPS 5.x CLI is similar to the Cisco ASA and IOS CLIs. It has a configuration command mode that is entered by invoking the configure terminal command. Example 14-3 demonstrates how to enter into global configuration mode.

Example 14-3. Entering Configuration Mode

ChicagoSSM# configure terminal
ChicagoSSM(config)#

The (config)# prompt is displayed after you invoke the configure terminal command.

Just like in Cisco IOS and ASA, you can display the help for a specific command by typing a question mark (?) after the command. You can also type a question mark to view the valid keywords that complete the command. There are certain commands that generate user interactive prompts. An example of this is the setup command, which is covered in the following section.

Initializing the AIP-SSM

Before the AIP-SSM can communicate with any management station and start analyzing data from the network, you must first configure basic settings using the setup command. The AIP-SSM will first display the current configuration and then generate user interactive prompts that will guide you to complete the initial settings.

Note

The default input is displayed inside brackets, [ ]. To accept the default input, press Enter.

Example 14-4 includes the output of the setup command.

Example 14-4. Configuring Initial Settings with the setup Command

ChicagoSSM# setup

 --- System Configuration Dialog ---

At any point you may enter a question mark '?' for help.
User ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.

Current Configuration:

service host
  network-settings
    host-ip 127.0.0.1
    host-name sensor
    telnet-option enabled
    ftp-timeout 300
    login-banner-text
  exit
  time-zone-settings
    offset -420
    standard-time-zone-name GMT-07:00
  exit
  summertime-option recurring
    offset 60
    summertime-zone-name PDT
    start-summertime
      month april
      week-of-month first
      day-of-week sunday
      time-of-day 02:00:00
    exit
    end-summertime
      month october
      week-of-month last
      day-of-week sunday
      time-of-day 02:00:00
    exit
  exit
  ntp-option disabled
exit
service web-server
  port 443
exit

Current time: Thu Feb 23 08:05:26 2005
Setup Configuration last modified: Thu Jan 27 21:32:55 2005

Continue with configuration dialog?[yes]: yes
Enter host name[sensor]: ChicagoSSM
Enter IP interface[10.1.9.201/24,10.1.9.1]: 192.168.10.28/24,192.168.10.1
Enter telnet-server status[disabled]:enable
Enter web-server port[443]:
Modify current access list?[no]: yes
Current access list entries:
  Delete:
  Permit: 192.168.10.0/24
Modify system clock settings?[no]: yes
  Use NTP?[no]: yes
  NTP Key ID[]: 1
  NTP Key Value[]: cisco
  NTP Server IP Address[]:192.168.10.123 NTP Key ID[1]:
  Modify summer time settings?[no]:
  Modify system timezone?[no]:
Modify virtual sensor "vs0" configuration?[no]: yes
Current interface configuration
  Command control: GigabitEthernet0/0
  Unused:
    GigabitEthernet0/1
  Monitored:
    None
Add Monitored interfaces?[no]: yes
Interface[]:

Follow these steps after the AIP-SSM prompt asks you if you would like to continue with the configuration dialog:

Step 1.

The configuration dialog asks you to enter the host name to be assigned to the AIP-SSM. The default host name is sensor. Enter the new host name (case sensitive) as follows:

Enter host name[sensor]: ChicagoSSM

Step 2.

You are asked to enter the IP address and default gateway for the management interface of the AIP-SSM. The default IP address is 10.1.9.201 and the default gateway is 10.1.9.1. Enter the IP address and gateway configuration in the following format:

<ip address>/<mask-bits>,<gateway>

The IP address 192.168.10.28 with a 24-bit mask and a gateway of 192.168.10.1 is entered in the following example:

Enter IP interface[10.1.9.201/24,10.1.9.1]: 192.168.10.28/24,192.168.10.1

Step 3.

Telnet services are disabled by default. The AIP-SSM allows you to enable Telnet services at this point:

Enter telnet-server status[disabled]:enable

Step 4.

The default web server port is TCP port 443 (because it is the default for most web servers that support SSL/TLS). The configuration dialog allows you to change the port at this point:

Enter web-server port[443]:

The default port is selected in this example.

Step 5.

The configuration dialog prompts you to modify the current access list. Enter yes to add or delete hosts or networks that will be allowed to communicate with the AIP-SSM.

Modify current access list?[no]: yes
Current access list entries:
  Delete:
  Permit: 192.168.10.0/24

The 192.168.10.0/24 network is added to the list in this example.

Step 6.

After adding or deleting entries in your access list, the configuration dialog prompts you to change the clock settings. In the following example, NTP is enabled:

Modify system clock settings?[no]: yes
  Use NTP?[no]: yes
  NTP Key ID[]: 1
  NTP Key Value[]: cisco
  NTP Server IP Address[]: 192.168.10.123

The NTP key ID is set to 1, the key is cisco, and the NTP server address is 192.168.10.123.

Step 7.

You can also modify the daylight saving time settings. The default is recurring, which automatically adjusts the time:

Modify summer time settings?[no]: yes
  Recurring, Date or Disable?[Recurring]:
  Start Month[april]:
  Start Week[first]:
  Start Day[sunday]:
  Start Time[02:00:00]:
  End Month[october]:
  End Week[last]:
  End Day[sunday]:
  End Time[02:00:00]:
  DST Zone[PDT]:
  Offset[60]:

Step 8.

The configuration dialog asks you to specify the time zone to be displayed when standard time is in effect:

Modify system timezone?[no]: yes
  Timezone[GMT-07:00]: GMT-05:00
  UTC Offset[-420]:

Step 9.

The last step is to modify the monitored interface. In the case of the AIP-SSM, the only interface used for monitoring is the internal Gigabit Ethernet interface:

Modify virtual sensor "vs0" configuration?[no]: yes
Current interface configuration
  Command control: GigabitEthernet0/0
  Unused:
    GigabitEthernet0/1
  Monitored:
    None
Add Monitored interfaces?[no]: yes

Step 10.

The AIP-SSM displays a summary of the configuration entered:

The following configuration was entered.

service host
  network-settings
    host-ip 192.168.10.28/24,192.168.10.1
    host-name ChicagoSSM
    telnet-option enabled
    access-list 192.168.10.0/24
    ftp-timeout 300
    no login-banner-text
  exit
  time-zone-settings
    offset -420
    standard-time-zone-name GMT-05:00
  exit
  summertime-option recurring
    offset 60
    summertime-zone-name PDT
    start-summertime
      month april
      week-of-month first
      day-of-week sunday
      time-of-day 02:00:00
    exit
    end-summertime
      month october
      week-of-month last
      day-of-week sunday
      time-of-day 02:00:00
    exit
  exit
  ntp-option enabled
exit
service web-server
  port 443
exit

[0] Go to the command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration and exit setup.
Enter your selection[2]:

From the menu, you can select any of the available options:

- Go to the command prompt without saving the configuration
- Return back to the setup without saving the configuration
- Save the configuration and exit setup

Select option 2 if you are satisfied with the configuration and you want to save it in the system.
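The ten steps above form one procedure, and the summary printed in Step 10 is the last chance to catch a wrong answer before option 2 saves it. The following Python script is an added example, not code from the book or from Cisco. It parses the summary text as copied from Step 10 (the sensor prints it without indentation, so the nesting is recovered from the exit lines), then flags the answers that most often cause trouble on a freshly initialized sensor: a gateway outside the management subnet, an access list that does not include the workstation you manage the sensor from (which locks you out of SSH and the web server as soon as the configuration is saved), Telnet left enabled, a standard time zone name that disagrees with the UTC offset, and NTP disabled. The management workstation address ADMIN_HOST is a constructed value. Run against the page's own summary, it reports the enabled Telnet service and the fact that GMT-05:00 was entered in Step 8 while the default offset of -420 minutes (seven hours) was accepted.

```python
"""Sanity checks for the answers given to the CIPS 5.x setup dialog.

Added example, not code from the book or from Cisco. SUMMARY is the
"service host" / "service web-server" text that setup printed in Step 10;
ADMIN_HOST is a constructed address for the management workstation.
"""
import ipaddress
import re

# Keywords that open a nested block closed by a matching "exit" line.
BLOCK_KEYS = {"service", "network-settings", "time-zone-settings",
              "summertime-option", "start-summertime", "end-summertime"}

SUMMARY = """\
service host
network-settings
host-ip 192.168.10.28/24,192.168.10.1
host-name ChicagoSSM
telnet-option enabled
access-list 192.168.10.0/24
ftp-timeout 300
no login-banner-text
exit
time-zone-settings
offset -420
standard-time-zone-name GMT-05:00
exit
summertime-option recurring
offset 60
summertime-zone-name PDT
start-summertime
month april
week-of-month first
day-of-week sunday
time-of-day 02:00:00
exit
end-summertime
month october
week-of-month last
day-of-week sunday
time-of-day 02:00:00
exit
exit
ntp-option enabled
exit
service web-server
port 443
exit
"""

ADMIN_HOST = "192.168.10.50"  # constructed: the host you SSH to the sensor from


def parse_summary(text):
    """Return {path-tuple: [values]} for every leaf in the setup summary.

    Nesting is recovered from the block keywords and their closing "exit"
    lines, so the two "offset" lines stay distinct because their paths differ.
    """
    config, path = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "exit":
            path.pop()
            continue
        key, _, value = line.partition(" ")
        if key == "no":                      # "no login-banner-text"
            key, value = value, "no"
        if key in BLOCK_KEYS:
            if key != "service" and value:   # e.g. "summertime-option recurring"
                config.setdefault(tuple(path + [key]), []).append(value)
            path.append(f"{key} {value}".strip() if key == "service" else key)
            continue
        config.setdefault(tuple(path + [key]), []).append(value)
    return config


def zone_name_offset(name):
    """Minutes east of UTC implied by a GMT+HH:MM style zone name, else None."""
    m = re.fullmatch(r"GMT([+-])(\d{2}):(\d{2})", name)
    if not m:
        return None
    minutes = int(m.group(2)) * 60 + int(m.group(3))
    return minutes if m.group(1) == "+" else -minutes


def check_config(config, admin_host):
    """Return a list of findings; an empty list means nothing looked wrong."""
    host = ("service host",)
    net = host + ("network-settings",)
    findings = []

    iface_text, _, gw_text = config[net + ("host-ip",)][0].partition(",")
    iface = ipaddress.ip_interface(iface_text)
    gateway = ipaddress.ip_address(gw_text)
    if gateway not in iface.network:
        findings.append(f"gateway {gateway} is not inside {iface.network}")

    # The access list is what admits management hosts, so the workstation
    # used to manage the sensor must match at least one entry.
    admin = ipaddress.ip_address(admin_host)
    allowed = [ipaddress.ip_network(e) for e in config.get(net + ("access-list",), [])]
    if not any(admin in entry for entry in allowed):
        findings.append(f"access-list does not permit admin host {admin}")
    if any(entry.prefixlen == 0 for entry in allowed):
        findings.append("access-list permits every host")

    if config.get(net + ("telnet-option",)) == ["enabled"]:
        findings.append("telnet enabled: management traffic is cleartext")

    tz = host + ("time-zone-settings",)
    name = config[tz + ("standard-time-zone-name",)][0]
    offset = int(config[tz + ("offset",)][0])
    implied = zone_name_offset(name)
    if implied is not None and implied != offset:
        findings.append(f"{name} implies offset {implied} but offset is {offset}")

    if config.get(host + ("ntp-option",)) != ["enabled"]:
        findings.append("ntp disabled: event timestamps will drift")
    return findings


if __name__ == "__main__":
    for finding in check_config(parse_summary(SUMMARY), ADMIN_HOST):
        print("WARNING:", finding)
```

Paste the summary from your own sensor into SUMMARY and set ADMIN_HOST to the address you connect from; a lockout finding means you should choose option 1 and revisit Step 5 rather than option 2.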
 

Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance
ISBN: 1587052091
Year: 2006
Pages: 231