The CIPS 5.x CLI provides a user interface for all direct connections to the AIP-SSM (e.g., Telnet, SSH, and session from the ASA). This section covers:
Logging In to the AIP-SSM via the CLI
You can connect to the AIP-SSM CLI via the ASA backplane using the session command, or by initiating an SSH or Telnet connection via the external management Ethernet port.
Note
The Cisco ASA session command is covered in detail in Chapter 13, "Intrusion Prevention System Integration."
The default username is cisco and the default password is cisco. The user is forced to change his password after the first login. Example 14-2 shows the user cisco successfully logging in to the AIP-SSM CLI via the ASA backplane using the session command.
Example 14-2. Logging In to the CLI
Chicago# session 1 Opening command session with slot 1. Connected to slot 1. Escape character sequence is 'CTRL-^X'. login: cisco Password: Last login: Tue Feb 1 12:53:12 from 127.0.1.1 ***NOTICE*** This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately. A summary of U.S. laws governing Cisco cryptographic products may be found at: http://www.cisco.com/wwl/export/crypto/tool/stqrg.html If you require further assistance please contact us by sending email to export@cisco.com. ChicagoSSM#
Note
There are four major user account roles that determine which operations a user is allowed to perform. They are covered later in this chapter under "User Administration."
CLI Command Modes
The CIPS 5.x CLI is similar to the Cisco ASA and IOS CLIs. It has a configuration command mode that is entered by invoking the configure terminal command. Example 14-3 demonstrates how to enter into global configuration mode.
Example 14-3. Entering Configuration Mode
ChicagoSSM# configure terminal ChicagoSSM(config)#
The (config)# prompt is displayed after you invoke the configure terminal command.
Just like in Cisco IOS and ASA, you can display the help for a specific command by typing a question mark (?) after the command. You can also type a question mark to view the valid keywords that complete the command. There are certain commands that generate user interactive prompts. An example of this is the setup command, which is covered in the following section.
Initializing the AIP-SSM
Before the AIP-SSM can communicate with any management station and start analyzing data from the network, you must first configure basic settings using the setup command. The AIP-SSM will first display the current configuration and then generate user interactive prompts that will guide you to complete the initial settings.
Note
The default input is displayed inside brackets, [ ]. To accept the default input, press Enter.
Example 14-4 includes the output of the setup command.
Example 14-4. Configuring Initial Settings with the setup Command
ChicagoSSM# setup --- System Configuration Dialog --- At any point you may enter a question mark '?' for help. User ctrl-c to abort configuration dialog at any prompt. Default settings are in square brackets '[]'. Current Configuration: service host network-settings host-ip 127.0.0.1 host-name sensor telnet-option enabled ftp-timeout 300 login-banner-text exit time-zone-settings offset -420 standard-time-zone-name GMT-07:00 exit summertime-option recurring offset 60 summertime-zone-name PDT start-summertime month april week-of-month first day-of-week sunday time-of-day 02:00:00 exit end-summertime month october week-of-month last day-of-week sunday time-of-day 02:00:00 exit exit ntp-option disabled exit service web-server port 443 exit Current time: Thu Feb 23 08:05:26 2005 Setup Configuration last modified: Thu Jan 27 21:32:55 2005 Continue with configuration dialog?[yes]: yes Enter host name[sensor]: ChicagoSSM Enter IP interface[10.1.9.201/24,10.1.9.1]: 192.168.10.28/24,192.168.10.1 Enter telnet-server status[disabled]:enable Enter web-server port[443]: Modify current access list?[no]: yes Current access list entries: Delete: Permit: 192.168.10.0/24 Modify system clock settings?[no]: yes Use NTP?[no]: yes NTP Key ID[]: 1 NTP Key Value[]: cisco NTP Server IP Address[]:192.168.10.123 NTP Key ID[1]: Modify summer time settings?[no]: Modify system timezone?[no]: Modify virtual sensor "vs0" configuration?[no]: yes Current interface configuration Command control: GigabitEthernet0/0 Unused: GigabitEthernet0/1 Monitored: None Add Monitored interfaces?[no]: yes Interface[]:
Follow these steps after the AIP-SSM prompt asks you if you would like to continue with the configuration dialog:
Step 1. |
The configuration dialog asks you to enter the host name to be assigned to the AIP-SSM. The default host name is sensor. Enter the new host name (case sensitive) as follows: Enter host name[sensor]: ChicagoSSM |
Step 2. |
You are asked to enter the IP address and default gateway for the management interface of the AIP-SSM. The default IP address is 10.1.9.201 and the default gateway is 10.1.9.1. Enter the IP address and gateway configuration in the following format: Enter IP interface[10.1.9.201/24,10.1.9.1]: 192.168.10.28/ 24,192.168.10.1 |
Step 3. |
Telnet services are disabled by default. The AIP-SSM allows you to enable Telnet services at this point: Enter telnet-server status[disabled]:enable |
Step 4. |
The default web server port is TCP port 443 (because it is the default for most web servers that support SSL/TLS). The configuration dialog allows you to change the port at this point: Enter web-server port[443]: The default port is selected in this example. |
Step 5. |
The configuration dialog prompts you to modify the current access list. Enter yes to add or delete hosts or networks that will be allowed to communicate with the AIP-SSM. Modify current access list?[no]: yes Current access list entries: Delete: Permit: 192.168.10.0/24 The 192.168.10.0/24 network is added to the list in this example. |
Step 6. |
After adding or deleting entries to your access list, the configuration dialog prompts you to change the clock settings. In the following example, NTP is enabled: Modify system clock settings?[no]: yes Use NTP?[no]: yes NTP Key ID[]: 1 NTP Key Value[]: cisco NTP Server IP Address[]: 192.168.10.123 The NTP key ID is set to 1, the key is cisco, and the NTP server address is 192.168.10.123. |
Step 7. |
You can also modify daylight savings time settings. The default is recurring, which automatically adjusts the time: Modify summer time settings?[no]: yes Recurring, Date or Disable?[Recurring]: Start Month[april]: Start Week[first]: Start Day[sunday]: Start Time[02:00:00]: End Month[october]: End Week[last]: End Day[sunday]: End Time[02:00:00]: DST Zone[PDT]: Offset[60]: |
Step 8. |
The configuration dialog asks you to specify the time zone to be displayed when standard time is in effect: Modify system timezone?[no]: yes Timezone[GMT-07:00]: GMT-05:00 UTC Offset[-420]: |
Step 9. |
The last step is to modify the monitored interface. In case of the AIP-SSM, the only interface used for monitoring is the internal Gigabit Ethernet interface: Modify virtual sensor "vs0" configuration?[no]: yes Current interface configuration Command control: GigabitEthernet0/0 Unused: GigabitEthernet0/1 Monitored: None Add Monitored interfaces?[no]: yes |
Step 10. |
The AIP-SSM displays a summary of the configuration entered: The following configuration was entered. service host network-settings host-ip 192.168.10.28/24,192.168.10.1 host-name ChicagoSSM telnet-option enabled access-list 192.168.10.0/24 ftp-timeout 300 no login-banner-text exit time-zone-settings offset -420 standard-time-zone-name GMT-05:00 exit summertime-option recurring offset 60 summertime-zone-name PDT start-summertime month april week-of-month first day-of-week sunday time-of-day 02:00:00 exit end-summertime month october week-of-month last day-of-week sunday time-of-day 02:00:00 exit exit ntp-option enabled exit service web-server port 443 exit [0] Go to the command prompt without saving this config. [1] Return back to the setup without saving this config. [2] Save this configuration and exit setup. Enter your selection[2]: From the menu, you can select any of the available options: - Go to the command prompt without saving the configuration - Return back to the setup without saving the configuration - Save the configuration and exit setup Select option 2 if you are satisfied with the configuration and you want to save it in the system. |
Part I: Product Overview
Introduction to Network Security
Product History
Hardware Overview
Part II: Firewall Solution
Initial Setup and System Maintenance
Network Access Control
IP Routing
Authentication, Authorization, and Accounting (AAA)
Application Inspection
Security Contexts
Transparent Firewalls
Failover and Redundancy
Quality of Service
Part III: Intrusion Prevention System (IPS) Solution
Intrusion Prevention System Integration
Configuring and Troubleshooting Cisco IPS Software via CLI
Part IV: Virtual Private Network (VPN) Solution
Site-to-Site IPSec VPNs
Remote Access VPN
Public Key Infrastructure (PKI)
Part V: Adaptive Security Device Manager
Introduction to ASDM
Firewall Management Using ASDM
IPS Management Using ASDM
VPN Management Using ASDM
Case Studies