You can access the PIX firewall in several ways, such as through the console port, Telnet, Secure Shell (SSH), and HTTP. All of these enable you to configure and manage the firewall, but by default only console port access is permitted. Figure 7.2 displays the preferred methods of access and shows that console access from the outside is allowed only when using SSH.

Figure 7.2. Accessing the PIX.
The Console Port

The console port allows access over a local serial connection made directly to the PIX firewall. Procedures such as password breaking (recovery) and loading new images are recommended via this connection point, but it limits how far a technician can be from the firewall. Chapter 3, "Basics of the PIX Firewall," describes how to connect to the PIX via the console cable.

Telnet

Telnet enables you to connect to the firewall remotely over TCP/IP to create a remote console. With TCP/IP, physical distance is no longer a concern, making Telnet a convenient way to configure and manage your firewall without ever getting up from your chair. Keep in mind that a Telnet session, including the password, travels in cleartext; SSH, covered later in this chapter, provides the same remote console with encryption.
To enable Telnet access to the PIX, you must first use the telnet command to specify which IP addresses are allowed access. The following is the telnet command syntax:

    pixfirewall(config)# [no] telnet <local_ip> [<mask>] [<if_name>]

Table 7.5. telnet Command Options
The following three examples all allow 192.168.1.11 Telnet access on the inside interface to the PIX firewall (when omitted, the mask defaults to 255.255.255.255 and the interface to inside):

    pixfirewall(config)# telnet 192.168.1.11

or

    pixfirewall(config)# telnet 192.168.1.11 255.255.255.255

or

    pixfirewall(config)# telnet 192.168.1.11 255.255.255.255 inside

The following command allows all addresses on the inside interface Telnet access:

    pixfirewall(config)# telnet 0.0.0.0 0.0.0.0 inside
Secure Shell

Secure Shell, like Telnet, allows remote console connections; however, with SSH the connections are secure. SSH encrypts the traffic between the PIX and the client, creating a secure environment in which to manage your PIX. To create this secure environment, you must generate an RSA key pair (a public key and a private key). Four main steps are required to configure SSH:

1. Configure a hostname with the hostname command.
2. Configure a domain name with the domain-name command.
3. Generate the RSA key pair with the ca generate rsa key command.
4. Specify which hosts may connect with the ssh command.
The hostname Command

SSH requires a hostname to be configured; the command shown here configures a hostname for the PIX:

    Cisco(config)# hostname pixfirewall
    pixfirewall(config)#

The domain-name Command

The PIX firewall needs a domain name, which is used inside the RSA key pair. After you generate the keys, never change the domain name of the PIX; otherwise, you will have to regenerate the RSA keys. The following command sets the domain name to newman.cla:

    pixfirewall(config)# domain-name newman.cla
    pixfirewall(config)#
    pixfirewall(config)# show domain-name
    domain-name newman.cla
    pixfirewall(config)#
The ca generate rsa key Command

The ca generate rsa key command creates a key pair that is used to establish a secure connection between the client and the PIX. The values you used for the hostname and domain name are embedded in the keys and should not be changed after the keys are generated. You can choose a modulus size of 512, 768, 1024, or 2048 bits; a larger modulus gives a stronger key but takes longer to generate. Also note that this command can take quite some time to execute.
The following commands are needed to create a pair of keys (ca zeroize rsa first removes any existing key pair):

    pixfirewall(config)# ca zeroize rsa
    pixfirewall(config)#
    pixfirewall(config)# ca generate rsa key 1024
    For <key_modulus_size> >= 1024, key generation could take up to several minutes. Please wait.
    ..
    pixfirewall(config)#

The ssh Command

The ssh command defines which IP addresses are allowed access to the Secure Shell console on the PIX firewall. The ssh command also defines the idle timeout of an SSH connection. The syntax is as follows:

    pixfirewall(config)# [no] ssh <local_ip> [<mask>] [<if_name>]

Table 7.6. ssh Command Options
The following example allows SSH access to 10.72.7.9 on the outside interface:

    pixfirewall(config)# ssh 10.72.7.9 255.255.255.255 outside
    pixfirewall(config)#
    pixfirewall(config)# show ssh
    10.72.7.9 255.255.255.255 outside
    pixfirewall(config)#

The ssh timeout command limits the idle timeout for SSH sessions. The example shown here sets the timeout to 10 minutes:

    pixfirewall(config)# ssh timeout 10
    pixfirewall(config)#
    pixfirewall(config)# show ssh timeout
    ssh timeout 10 minutes
    pixfirewall(config)#
Displaying and Saving SSH Information

After you have configured SSH, four more commands are available that you can use to verify its operation and disconnect users. They are

- show ca mypubkey rsa
- ca save all
- show ssh sessions
- ssh disconnect session
The show ca mypubkey rsa Command

The show ca mypubkey rsa command enables you to view the public key that was generated with your hostname and domain name. The command and its output are shown here:

    pixfirewall(config)# show ca mypubkey rsa
    % Key pair was generated at: 09:05:34 UTC Aug 31 2003
    Key name: pixfirewall.newman.cla
     Usage: General Purpose Key
     Key Data:
      30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00c5af11
      97e073ae ece530d1 cfea4649 84521282 768557e3 c1bb1315 8f6627cc 50224607
      14b1b9cd bf7a9c61 3e28d997 ea92b816 c04c63fd 0751748e 588cbcd2 0659675b
      ece86f2b 6592bc39 f707de5e b040e889 cc350b03 ab1a8582 ca329402 31ce17a3
      26a4c8be 3c72cd25 a80612d6 19e7419f afa68301 6c2c7682 d26a39c7 6b020301
      0001
    pixfirewall(config)#

The ca save all Command

After you have generated your key, you must execute the ca save all command to save the key to flash memory. The following displays the command:

    pixfirewall(config)# ca save all

The ca save all command might take several seconds to complete, so be patient.

The show ssh sessions Command

The show ssh sessions command shows who is currently connected to the PIX. The Version column is the SSH protocol version of the session and Encryption is the cipher negotiated for it. Following is an example of this command:

    pixfirewall(config)# show ssh sessions
    Session ID  Client IP     Version  Encryption  State  Username
    0           192.168.1.11  1.5      DES         6      pix
    pixfirewall(config)#

The ssh disconnect session Command

After you have viewed who has an active SSH session using the show ssh sessions command, you can use the ssh disconnect session command to drop a specific session. The following is an example of this command:

    pixfirewall(config)# show ssh sessions
    Session ID  Client IP     Version  Encryption  State  Username
    0           192.168.1.11  1.5      DES         6      pix
    pixfirewall(config)#
    pixfirewall(config)# ssh disconnect session 0
    pixfirewall(config)# show ssh sessions
    pixfirewall(config)#

HTTP PDM Access

The PIX firewall allows several methods of console access, but it also has a Web browser interface that can be used to monitor and configure the firewall.
This interface is called the PIX Device Manager (PDM). The PDM Web pages are hosted on the PIX firewall and downloaded to client browsers that support HTTPS (HTTP over Secure Sockets Layer, SSL). The PIX firewall must have the HTTP server feature enabled to host the PDM Web pages. The following two steps are needed to configure HTTP access:

1. Enable the HTTP server with the http server enable command.
2. Specify which hosts may connect with the http command.
The http server Command

To allow clients to access the system with HTTP browsers, you first must use the http server enable command to turn on the service. Here's an example of the command:

    pixfirewall(config)# http server enable

The http Command

Now that the PIX is enabled to host the PDM interface, the next step, as with Telnet, is to specify which hosts can connect to the PIX using HTTP. The http command's syntax is as follows:

    pixfirewall(config)# [no] http <local_ip> [<mask>] [<if_name>]

Table 7.7. http Command Options
The first example shown here allows 192.168.1.11 HTTP access on the inside interface. The second example is intended to allow HTTP access to the PIX for all addresses on the 192.168.1.0 subnet; note, however, that the mask given is 0.0.0.0, which matches every source address on that interface (the show http output below stores the entry as 0.0.0.0 0.0.0.0 inside). A mask of 255.255.255.0 restricts the entry to the 192.168.1.0 subnet itself:

    pixfirewall(config)# http 192.168.1.11 255.255.255.255 inside

and

    pixfirewall(config)# http 192.168.1.0 0.0.0.0 inside

You can use the show http command to display what has been configured, like so:

    pixfirewall(config)# show http
    http server enabled
    192.168.1.11 255.255.255.255 inside
    0.0.0.0 0.0.0.0 inside
    pixfirewall(config)#

The PIX Device Manager is covered in more detail in later chapters.
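As an added example that is not part of this chapter or of the PIX software, the following Python script audits the telnet, ssh and http access entries described above in a saved PIX configuration and flags entries that admit more sources than intended, such as the 0.0.0.0 mask just discussed. It assumes that an omitted mask means 255.255.255.255 and an omitted interface means inside, as the chapter shows for telnet (assumed here to hold for ssh and http as well); the sample configuration is constructed from the commands in this chapter.

```python
import ipaddress
import re

# Matches 'telnet|ssh|http <local_ip> [<mask>] [<if_name>]'; lines such as
# 'ssh timeout 10' or 'http server enable' carry no IP and are skipped.
ACCESS_RE = re.compile(
    r"^\s*(telnet|ssh|http)\s+(\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:\s+(\d{1,3}(?:\.\d{1,3}){3}))?(?:\s+(\S+))?\s*$"
)

def parse_access_lines(config_text):
    """Return (service, local_ip, network, if_name) for each access entry."""
    entries = []
    for line in config_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        service, ip, mask, if_name = m.groups()
        # Defaults the chapter shows for telnet (assumed for ssh and http too): omitted
        # mask is 255.255.255.255, omitted interface is inside. strict=False drops host bits.
        net = ipaddress.IPv4Network((ip, mask or "255.255.255.255"), strict=False)
        entries.append((service, ipaddress.IPv4Address(ip), net, if_name or "inside"))
    return entries

def audit(config_text):
    """Flag management-access entries that admit more sources than they appear to."""
    findings = []
    for service, ip, net, if_name in parse_access_lines(config_text):
        where = f"{service} {ip} {net.netmask} {if_name}"
        if net.prefixlen == 0:
            findings.append(f"{where}: mask 0.0.0.0 admits every source address")
        if ip != net.network_address:
            findings.append(f"{where}: host bits outside the mask are ignored, covers {net}")
        if service == "telnet" and if_name != "inside":
            findings.append(f"{where}: cleartext Telnet management on a non-inside interface")
    return findings

# Constructed sample configuration built from the commands shown in this chapter.
SAMPLE_CONFIG = """\
telnet 192.168.1.11
telnet 0.0.0.0 0.0.0.0 inside
ssh 10.72.7.9 255.255.255.255 outside
ssh timeout 10
http server enable
http 192.168.1.11 255.255.255.255 inside
http 192.168.1.0 0.0.0.0 inside
"""
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

A real configuration can be passed to audit() as the text of show running-config; only the entry forms shown in this chapter are parsed.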