The Command-Line Interface


Like a Cisco router, the configuration of the PIX is contained in a text file. The job of a PIX administrator is to create the text file. There are many ways to achieve this goal: working offline and uploading configurations, working through an intermediary such as the PIX Device Manager (PDM), or working at the command prompt. Because most maintenance tasks are fairly simple, most of your time will be spent at the command prompt, so it is helpful to spend some time with that.

Factory Default Configurations

There are two basic factory default configurations. Because the PIX 501 and PIX 506 have fairly specific purposes, the default configurations for those devices are suited to their market. Because the PIX 515, 525, and 535 are more general-purpose firewalls, they have correspondingly less configuration.

PIX 501 and 506E

The PIX 501 and 506E are intended to be dropped into a traditional DSL environment. Cisco makes the following assumptions:

  1. The default information flow control policy will be: anything from the inside is allowed out; nothing from the outside is allowed in.

  2. The external interface will have its IP set via DHCP. Both interfaces are set fixed to 10Mbps Ethernet.

  3. DHCP will be provided to inside users, with the default route set to the PIX.

The internal network that the PIX provides is the 192.168.1.0 network. (Remember, this is one of the choices allowed by RFC1918.) The PIX will be the default gateway for the network, at 192.168.1.1. This is convenient since many other vendors (such as wireless AP vendors) also use the 192.168.1.0 network and assume that the gateway is at 192.168.1.1, so the 501 and 506E can be transparently dropped into most home networks. Limiting the interfaces to 10Mbps is not a problem, since the outside interface is going to be connected to a digital subscriber line (DSL) or cable environment, which will typically be functioning at less than 1Mbps, and fixing the connection to 10Mbps avoids some of the Fast Ethernet duplex handshaking problems that can occur on older switches.

For most users, this solution is reasonable. If this device is part of an enterprise deployment, a little more thought is required; this solution does not support centralized maintenance, for example, or VPN tunnels. If you are rolling out a large number of clients, you will want to determine a template and preconfigure the PIX before sending it to the end users.

PIX 515E, 525, and 535

The PIX 515E and up arrive with essentially blank factory configurations. Interfaces are set to autoconfigure but are disabled, and configuration via the console is required.

Administrative Access Modes

An administrative access mode is a state in which the administrator is able to issue commands, potentially to change the configuration of the PIX. Monitor mode, described earlier, is an administrative access mode, but it is contained in ROM rather than in the binary image, and hopefully you will never have to use it.

When you first log in, you are in an unprivileged mode. You can identify the mode you are in from the prompt: If the prompt looks like the hostname followed by a right-angle bracket (>), you are in unprivileged mode. Few commands are available:

PIX1> ?
enable          Turn on privileged commands
help            Help list
login           Log in as a particular user
logout          Exit from current user profile, and to unprivileged mode
pager           Control page length for pagination
quit            Quit from the current mode, end configuration or logout

This is not a complete list of the available commands. For example, when you are in unprivileged mode:

PIX1> show ?
checksum        View configuration information cryptochecksum
curpriv         Display current privilege level
history         Display the session command history
pager           Control page length for pagination
version         Display PIX system software version
PIX1> show version

Cisco PIX Firewall Version 6.2(1)
Cisco PIX Device Manager Version 1.0(1)

Compiled on Wed 17-Apr-02 21:18 by morlee

pix1 up 160 days 23 hours

Hardware:   PIX-515, 64 MB RAM, CPU Pentium 200 MHz
…

The most important of these is enable mode, which turns on the privileged commands. At this point, your prompt will change; now it ends in a pound sign. To show your new privilege:

PIX1# ?
arp        Change or view the arp table, and set the arp timeout value
capture    Capture inbound and outbound packets on one or more interfaces
configure  Configure from terminal
copy       Copy image or PDM file from TFTP server into flash.
debug      Debug packets or ICMP tracings through the PIX Firewall.
disable    Exit from privileged mode
eeprom     Show or reprogram the 525 onboard i82559 devices
flashfs    Show, destroy, or preserve filesystem information
help       Help list
kill       Terminate a telnet session
logout     Exit from current user profile, and to unprivileged mode
logging    Clear syslog entries from the internal buffer
pager      Control page length for pagination
passwd     Change Telnet console access password
ping       Test connectivity from specified interface to <ip>
quit       Quit from the current mode, end configuration or logout
reload     Halt and reload system
session    Access an internal AccessPro router console
shun       Manages the filtering of packets from undesired hosts
terminal   Set terminal line parameters
who        Show active administration sessions on PIX
write      Write config to net, flash, floppy, or terminal, or erase flash

At this point, you are more or less protected from accidentally harming the system: you can erase the configuration in total, but you cannot make small changes until you enter configuration mode. Use the configure terminal command to get into configuration mode. Again, your prompt will change to show privilege:

PIX1(config)#

There are approximately 100 lines of commands, so it is not appropriate to show them all here. Unlike a Cisco router, for which there are additional modes, these are all the modes that occur: you have no rights, you are somewhat protected, or you are changing the configuration. However, note that if you are in configuration mode, your show commands are still available.

The PIX also stores the previous commands you've executed. Use the show history command to see what you've executed. This feature is helpful in two ways. First, if you are unsure what you have executed so far, show history lists what you've done to date. The more common use is when you have lots of similar commands: you can use the Up-arrow key to recall the previous line from your history and then use the basic editing commands (covered in the following section) to edit the line and resubmit it.

Note

The PIX firewall provides help functionality built into the command-line interface. Use the question mark key (?); it is your friend. At any point, pressing ? will help you complete your commands. In addition, a "man page" functionality is built in. For example, if you want to ping something and forgot the syntax, try ping ?. If you don't remember what the ping command does, try help ping. This provides the usage, a description, and notes on the syntax.

Basic Commands

The environment at the command prompt is similar to that of a Cisco router and uses "emacs"-style commands, shown in Table 8.3.

Table 8.3: Basic Keystroke Shortcuts

Command                  Result
Tab                      Command-line completion.
Ctrl + A                 Moves the cursor to the start of a line.
Ctrl + B                 Moves the cursor one character left (nondestructive).
Alt + B                  Moves the cursor one word left.
Ctrl + D                 Deletes the character under the cursor.
Ctrl + E                 Moves the cursor to the end of the line.
Ctrl + F                 Moves the cursor one character right.
Alt + F                  Moves the cursor one word right.
Ctrl + H or Rubout       Erases the previous character.
Ctrl + R                 Reprints a line.
Up Arrow or Ctrl + P     Displays the previous line.
Down Arrow or Ctrl + N   Displays the next line.
Help or ?                Displays help.

To see additional editing commands, try searching the Web for emacs-style commands. However, the list shown in Table 8.3 is very useful. For example, if you are setting up multiple ACL statements that differ only in a port number, you can save a great deal of effort by pressing Ctrl + P to get the previous line, Alt + F to move right a few words, Ctrl + D to delete the old port, and then typing the new port.

In addition, you don't have to type the full command—you only have to provide enough of the command to establish a unique initial segment. For example, the command configure terminal can be abbreviated; the first three letters aren't enough (both conduit and configure start with con), and only one option from the configure command starts with t. Therefore, to get into configuration mode, just type conf t. Such shortcuts can save a bit of typing, particularly on long commands.
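As an added example (not from the book), here is a small Python model of that unique-prefix rule, run over a constructed subset of the commands and keywords shown on this page; the two lists are assumptions for illustration, not the full PIX command set.

```python
# Added example, not from the book: the unique-prefix rule the text describes,
# applied to a constructed subset of the commands listed on this page.
# Configuration mode inherits the privileged-mode commands, which is why
# "con" is ambiguous between conduit and configure.
CONFIG_MODE_COMMANDS = [
    "arp", "capture", "conduit", "configure", "copy", "debug", "disable",
    "domain-name", "enable", "hostname", "interface", "ip", "nameif",
    "passwd", "ping", "reload", "route", "show", "write",
]
# Keywords that follow some of those commands on this page (constructed subset).
KEYWORDS = {
    "configure": ["terminal", "floppy", "memory", "net", "http", "https",
                  "factory-default"],
    "show": ["checksum", "cryptochecksum", "curpriv", "history", "pager",
             "version", "running-config", "startup-config"],
    "write": ["net", "memory", "standby", "terminal", "erase", "floppy"],
}

class AmbiguousCommand(ValueError):
    """The abbreviation is a prefix of more than one command."""

class UnknownCommand(ValueError):
    """The abbreviation is a prefix of no command at all."""

def expand_word(word, choices):
    """Return the single choice that word abbreviates; an exact match wins."""
    if word in choices:                 # "ip" is exact, not an ambiguous prefix
        return word
    matches = [c for c in choices if c.startswith(word)]
    if not matches:
        raise UnknownCommand(f"{word!r}: no such command")
    if len(matches) > 1:
        raise AmbiguousCommand(f"{word!r}: ambiguous, could be {', '.join(matches)}")
    return matches[0]

def expand_command(line):
    """Expand a whole abbreviated line, e.g. 'conf t' -> 'configure terminal'."""
    words = line.split()
    if not words:
        raise UnknownCommand("empty line")
    out = [expand_word(words[0], CONFIG_MODE_COMMANDS)]
    rest = words[1:]
    if rest and out[0] in KEYWORDS:     # expand the first keyword, if known
        out.append(expand_word(rest[0], KEYWORDS[out[0]]))
        rest = rest[1:]
    return " ".join(out + rest)         # remaining arguments pass through as typed
```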

Hostname and Domain Name

Two useful commands are the hostname and domain-name commands. These set the hostname (which appears in the prompt) and the domain name of the PIX. The syntax is hostname <name> and domain-name <name>—for example:

PIX1(config)# hostname PIX1
PIX1(config)# domain-name secret.com

Configuring Interfaces

The most important aspect of a network device is the network interface. In the PIX, configuring the network interface is a fairly straightforward process. You need to specify a few parameters to put the security in context and a few parameters to put connectivity in context, and then the default information flow policy takes over.

The nameif Command

The nameif command is used to give an interface a logical name and assign it a security level. The name should be memorable, since it will be used in all other commands. The format of the nameif command is:

nameif <hardware_id> <interface> <security_level>

hardware_id corresponds to the hardware associated with the interface, such as ethernet0. interface corresponds to a descriptive name, such as dmz, and security_level corresponds to the level of trust, an integer between 100 (trusted) and 0 (untrusted).

The tradition is to put ethernet0 (the first card from the left) as the outside interface, with a security level of 0—for example:

PIX1(config)# nameif ethernet0 outside security0 

To assign ethernet1 (the second card from the left) as the inside interface with a security level of 100, the command is:

PIX1(config)# nameif ethernet1 inside security100 

The remaining cards, if any, are assigned values between 0 and 100. An example for a DMZ network might resemble the following:

PIX1(config)# nameif ethernet2 dmz security50 

The interface Command

The interface command is used to set the physical layer properties of the interface. The syntax of the command is:

interface <hardware_id> <hardware_speed> [shutdown]

In this command, hardware_id corresponds to the value from the nameif command, and hardware_speed is chosen from Table 8.4.

Table 8.4: Hardware Speed Types for the interface Command

Value        Description
10baset      10Mbps Ethernet, half duplex.
100basetx    Fast Ethernet, half duplex.
100full      Fast Ethernet, full duplex.
1000sxfull   Gigabit Ethernet, full duplex.
1000basesx   Gigabit Ethernet, half duplex.
1000auto     Gigabit Ethernet to autonegotiate full or half duplex.
aui          10Mbps Ethernet, half duplex, for an AUI cable interface.
bnc          10Mbps Ethernet, half duplex, for a BNC cable interface.
auto         Sets Ethernet speed automatically. Generally, it is better to hardcode the cable type, since autonegotiation has failed with some hardware devices.

The optional shutdown keyword disables the interface; shutdown is useful to rapidly cut off a network that is under threat or to ensure that unused networks are not accidentally brought up. An example of the interface command is:

PIX1(config)# interface ethernet0 100full 

The ip address Command

The ip address command sets the IP address of the particular interface. The syntax of the command is as follows:

ip address <interface> <ip_address> <netmask>

In the ip address command, interface corresponds to the same parameter as in the nameif command, a descriptive term for the network, and ip_address and netmask correspond to the usual properties for the interface. An example of this command might look something like this:

PIX1(config)# ip address dmz 192.168.0.1 255.255.255.0

Note

The PIX can also obtain an IP address through DHCP client or PPPoE functionality.

Static Routes

The PIX is not a router and so does not have a wide selection of routing protocols. The PIX supports static routes and RIP. Specifying a static route is done with the following syntax:

route <if_name> <ip_address> <netmask> <gateway_ip> [metric] 

Translating this syntax into English, it reads: "Packets whose destination falls within the network given by ip_address and netmask are sent out interface if_name to a next hop at gateway_ip." The optional metric parameter gives an indication of distance.

A particularly important route is the default route. This is the "route of last resort"—the route used when no other direction is known for the packet. Only one default route is allowed on the PIX. This route is indicated by the 0 route with netmask 0; for example:

PIX1(config)# route outside 0 0 63.122.40.140 1 
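The following Python script is an added example, not the book's code: it reads a write-terminal-style configuration dump and cross-checks the nameif, interface, ip address, and route sections described above (security level range, speed keywords from Table 8.4, every named interface addressed, gateway on the interface's network, exactly one default route). The sample configuration is constructed for the example.

```python
import ipaddress
import re

# Speed keywords from Table 8.4; "auto" is accepted but reported, because the
# text recommends hardcoding the cable type.
SPEED_KEYWORDS = {"10baset", "100basetx", "100full", "1000sxfull",
                  "1000basesx", "1000auto", "aui", "bnc", "auto"}

def audit_pix_config(config):
    # Cross-check nameif / interface / ip address / route lines; return findings.
    names, speeds, addrs, routes, findings = {}, {}, {}, [], []
    for raw in config.splitlines():
        p = raw.split() or [""]                      # blank line matches nothing below
        if p[0] == "nameif" and len(p) == 4:         # nameif <hw> <name> security<N>
            m = re.fullmatch(r"security(\d+)", p[3])
            level = int(m.group(1)) if m else -1
            if not 0 <= level <= 100:
                findings.append(f"{p[2]}: security level must be 0..100, got {p[3]}")
            names[p[1]] = (p[2], level)
        elif p[0] == "interface" and len(p) >= 3:    # interface <hw> <speed> [shutdown]
            speeds[p[1]] = p[2]
            if p[2] not in SPEED_KEYWORDS:
                findings.append(f"{p[1]}: unknown speed keyword {p[2]}")
            elif p[2] == "auto":
                findings.append(f"{p[1]}: autonegotiation in use; hardcode the cable type")
        elif p[:2] == ["ip", "address"] and len(p) == 5:   # ip address <name> <ip> <mask>
            try:
                addrs[p[2]] = ipaddress.ip_interface(f"{p[3]}/{p[4]}")
            except ValueError:
                findings.append(f"{p[2]}: invalid address/mask {p[3]} {p[4]}")
        elif p[0] == "route" and len(p) >= 5:        # route <name> <dest> <mask> <gw> [metric]
            routes.append(p[1:5])
    for hw, (name, level) in names.items():
        if hw not in speeds:
            findings.append(f"{name}: no interface command for {hw}")
        if name not in addrs:
            findings.append(f"{name}: no ip address configured")
        if (name == "outside" and level != 0) or (name == "inside" and level != 100):
            findings.append(f"{name}: unexpected security level {level}")
    defaults = 0
    for if_name, dest, mask, gw in routes:
        if if_name not in addrs:
            findings.append(f"route via unknown interface {if_name}")
        elif ipaddress.ip_address(gw) not in addrs[if_name].network:
            findings.append(f"route gateway {gw} is not on the {if_name} network")
        defaults += dest in ("0", "0.0.0.0") and mask in ("0", "0.0.0.0")
    if defaults == 0:
        findings.append("no default route (route <if_name> 0 0 <gateway_ip>)")
    elif defaults > 1:
        findings.append("more than one default route; the PIX allows only one")
    return findings

# Constructed sample in write-terminal style, not captured from a real PIX.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto
ip address outside 63.122.40.142 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.0.1 255.255.255.0
route outside 0 0 63.122.40.140 1
"""
```

Running audit_pix_config(SAMPLE_CONFIG) reports only the dmz interface's use of auto; feed it the output of write terminal (with pager set to 0) from a lab device to check a real configuration.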

Password Configuration

Two passwords need to be set: a password for access to the PIX and an enable password to get into privileged (enable) mode. The PIX is limited to 16-byte passwords, and they are case sensitive. The basic commands assign the passwords, such as:

PIX1(config)# passwd cisco
PIX1(config)# enable password cisco

In the configuration, the password is stored in an encrypted fashion. The command then looks like this:

enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted

When first connecting to the PIX, you will see a password prompt:

Connected to 10.10.10.1.
Escape character is '^]'.

User Access Verification

Password:
Type help or '?' for a list of available commands.
pix1> en
Password: *****

You should note that to preserve security, the password is not echoed to the screen, and the previous sequence will get you into enable mode.

Note

The PIX also supports local user accounts with individual passwords. Alternatively, you can use RADIUS or TACACS+ for console authentication.

Managing Configurations

Just as with any network device, the most important task related to your PIX is ongoing management. It is important that you be comfortable not just manipulating the configuration in configuration mode but also pushing configurations out to storage and pulling them in from backup systems. Key commands here are write, which allows you to store the configuration; copy, which allows you to manage the underlying PIX application software; and configure, which allows you to update the configuration.

The write Command

The write command allows you to write the configuration to various types of media. Allowed variants are write net, write memory, write standby, write terminal, write erase, and write floppy.

write net [[server_ip] : [filename] ]

The write net command writes the configuration to a TFTP server. The IP address of the server can be specified on the command line or preset with the tftp-server command, tftp-server [if_name] ip_address path. Specifying a value on the write net line supersedes the value from the tftp-server line, but if the tftp-server information is set, you can provide just a colon (or no parameters at all).

The next command allows you to store the configuration to flash. The uncompressed parameter specifies storing the configuration as an uncompressed string and is generally not necessary.

write memory [uncompressed]

If you want to print the configuration to the terminal (screen), use this command:

write terminal

Note that this command prints out the running configuration. In version 6.2, two new show commands were added: show running-config, which gives the same output as write terminal, and show startup-config, which shows the configuration that is written to flash. If the pager variable is set, the screen will pause after a fixed number of lines. To store the configuration via an ASCII capture, set the pager to 0, and then type write terminal.

Similarly to the write memory command, on devices that have a diskette drive, the write floppy command stores the configuration in a proprietary format. This allows the PIX to readily read the configuration. If you write the configuration to a PIX boot disk, the appliance will come up with the desired configuration. Unfortunately, it is not easily readable on other devices.

write floppy [uncompressed]

There is one other write command: write erase. This command clears the flash configuration to a known good state and allows you to reconfigure.

The copy Command

The copy command is the analogous way of managing software images. The most common use of the command is the copy tftp form; for example:

copy tftp[:[[//location] [/tftp_pathname]]] flash[:[image | pdm]]

The first couple of parameters are straightforward: They deal with specifying the location and filename of the TFTP server and, as previously mentioned, can be set with the TFTP-server command. The keyword flash indicates that the information is being stored to flash. The files can be conventional images, in which case they are available on the next reload, or PDM images, in which case they are available immediately.

Images can also be downloaded from a Web server via conventional HTTP or over SSL. This is specified by the following command:

copy http[s]://[user:password@] location [:port ] / http_pathname flash [: [image | pdm] ]

You can probably figure out the parameters. The first part is the standard URI notation: http for clear-text Web use or https for SSL service. The user:password@location portion allows you to encode user information; if you are working via a Web browser, this portion triggers a pop-up window asking you to fill in your username and password. Since the PIX does not have a pop-up, you can specify it on the command line by inserting it before the @ sign. If the Web server is running on a nonstandard port, you can also specify it here by putting the port after a colon, similar to this:

copy http://fwadmin:cisco@10.10.10.1:99/pix_image flash

This solution is convenient if you do not have a TFTP server handy and can safely store the image files on a Web server.

The configure Command

You can manage configurations via the configure command. This is often the dual to the write commands. For example, just as write terminal dumps the configuration to the terminal, configure terminal allows you to change the configuration from the terminal.

These commands generally merge the configuration from the media with the existing configuration. You will often want to clear configure to wipe out the existing configuration so you can pull a complete stored config. The other choices are:

configure [terminal|floppy|memory]

You've used this one already, in the conf t command. It allows you to add commands from the terminal, from a diskette (if the PIX has a diskette drive), or from flash (memory).

Analogous to the copy command, the following command

configure http[s]://[<user>:<password>@]<location>[:<port>]/<pathname>

merges a configuration that is stored on a Web server with the running configuration.

configure net [<location>]:[<pathname>]
configure factory-default [<inside_ip> [<mask>]]

Resetting the System

Generally, after fetching a new image, you will want to have the PIX start under the new image. Similarly, it is helpful to occasionally restore the configuration to what is running on the flash—if, for example, you have been exploring commands and have gotten to an uncertain state. You can always power-cycle the device; this solution has no moving parts, and configurations and images are fully flushed to flash, so you do not have to worry about corruption. However, there is a better way: the reload command.

The reload Command

You can restart the PIX gracefully using the reload command. This command prompts for confirmation to ensure that you really mean it; it can only be executed from privileged mode:

pix1# reload
Proceed with reload? [confirm]

At this point, there is a brief pause while the PIX reboots, and then you will be working under the new system. Note: If you want to bypass pressing the second carriage return, you can type reload noconfirm, but when you are executing a potentially dangerous command such as a reboot, it is generally good to have an "Are you really sure you want to do this?" checkpoint.


The Best Damn Firewall Book Period
ISBN: 1931836906
Year: 2003
Pages: 240