Accessing the PIX


You can access the PIX firewall in several ways, such as using console ports, Telnet, Secure Shell (SSH), and HTTP. All these ways enable you to configure and manage the firewall, but by default only console port access is permitted. Figure 7.2 displays the preferred methods of access and shows that console access from the outside is allowed only when using SSH.

Figure 7.2. Accessing the PIX.


The Console Port

The console port allows access for a local serial connection connected directly into the PIX firewall. Procedures such as password breaking and loading new images are recommended via this connection point, but the physical distance a technician can be from the firewall is limited. Chapter 3, "Basics of the PIX Firewall," describes how to connect to the PIX via the console cable.

Telnet

Telnet enables you to remotely connect to the firewall using TCP/IP to create a remote console. With TCP/IP, physical distance is no longer a concern, making Telnet a convenient way to configure and manage your firewall without ever getting up from your chair.


Telnet communications are carried out in clear text. So, if hackers are sniffing the network, they could intercept passwords or configuration information about your PIX. Telnet access is therefore not recommended from the outside interface.


To enable Telnet access to the PIX, you must first use the telnet command to specify which IP addresses are allowed access. The following is the telnet command syntax:

 pixfirewall(config)# [no] telnet <local_ip> [<mask>] [<if_name>] 
Table 7.5. telnet Command Options

 Option     Function
 local_ip   The subnet or IP address allowed to Telnet into the PIX.
 mask       The optional mask allows you to specify an exact host with 255.255.255.255 or a subnet with a mask such as 255.255.255.0.
 if_name    The name of the interface on which to accept the Telnet access.

The following three examples all allow 192.168.1.11 Telnet access on the inside interface to the PIX firewall:

 pixfirewall(config)# telnet 192.168.1.11 

or

 pixfirewall(config)# telnet 192.168.1.11 255.255.255.255 

or

 pixfirewall(config)# telnet 192.168.1.11 255.255.255.255 inside 

The following command allows all addresses on the inside interface Telnet access:

 pixfirewall(config)# telnet 0.0.0.0 0.0.0.0 inside 

Telnet also has the who command, which displays the current active Telnet sessions, and the kill command, which forces a Telnet session to disconnect.


Secure Shell

Secure Shell, like Telnet, allows remote console connections; however, with SSH, the connections are secure. SSH encrypts the traffic between the PIX and the client, creating a secure environment in which to manage your PIX. To create this secure environment, you must generate an RSA public/private key pair on the PIX. Four main steps are required to configure SSH:

  1. Configure a hostname.

  2. Configure a domain name.

  3. Create a public and private RSA key pair.

  4. Specify which IP addresses are allowed SSH access.


When connecting to the PIX using SSH, you are prompted to enter a username and password. Cisco uses the username pix, which can't be changed, and the current Telnet password for these prompts. The default Telnet password is cisco, in all lowercase.


The hostname Command

SSH requires a hostname to be configured; the command shown here configures a hostname for the PIX:

 Cisco(config)# hostname pixfirewall
 pixfirewall(config)#

The domain-name Command

The PIX firewall needs a domain name that will be used inside the RSA key pair. After you generate the keys, be sure you never change the domain name of the PIX; otherwise, you will have to regenerate the RSA keys. The following command sets the domain name to newman.cla:

 pixfirewall(config)# domain-name newman.cla
 pixfirewall(config)#
 pixfirewall(config)# show domain-name
 domain-name newman.cla
 pixfirewall(config)#

The hostname and domain name are combined to form a fully qualified domain name (FQDN) that is used during key generation. For example, the FQDN in the previous example would be pixfirewall.newman.cla.


The ca generate rsa key Command

The ca generate rsa key command creates a pair of keys that are used to establish a secure connection between the client and the PIX. The values you used for the hostname and domain name are embedded in the keys and should not be changed after the keys are generated. The modulus size can be 512, 768, 1024, or 2048 bits. Also note that this command can take quite some time to execute.


Use the ca zeroize rsa command to remove any current RSA key pairs from the PIX.


The following commands are needed to create a pair of keys:

 pixfirewall(config)# ca zeroize rsa
 pixfirewall(config)#
 pixfirewall(config)# ca generate rsa key 1024
 For <key_modulus_size> >= 1024, key generation could
   take up to several minutes. Please wait.
 ..
 pixfirewall(config)#

The ssh Command

The ssh command is used to define which IP addresses are allowed access to the Secure Shell console on the PIX firewall. A second form of the command, ssh timeout, sets the idle timeout of an SSH connection and is covered later in this section. The address form is as follows:

 pixfirewall(config)# [no] ssh <local_ip> [<mask>] [<if_name>] 
Table 7.6. ssh Command Options

 Option     Function
 local_ip   The subnet or IP address allowed to SSH into the PIX.
 mask       The optional mask allows you to specify an exact host with 255.255.255.255 or a subnet with a mask such as 255.255.255.0.
 if_name    The name of the interface on which to accept the SSH access.

The following example allows SSH secure access to 10.72.7.9 on the outside interface:

 pixfirewall(config)# ssh 10.72.7.9 255.255.255.255 outside
 pixfirewall(config)#
 pixfirewall(config)# show ssh
 10.72.7.9 255.255.255.255 outside
 pixfirewall(config)#

The ssh timeout command can be used to limit the idle timeout for SSH sessions. The command example shown here sets the timeout to 10 minutes:

 pixfirewall(config)# ssh timeout 10
 pixfirewall(config)#
 pixfirewall(config)# show ssh timeout
 ssh timeout 10 minutes
 pixfirewall(config)#

When you first connect to the PIX firewall, you might see a prompt with periods (.). This means the firewall is busy generating server keys and it could take several seconds before you are prompted for username and password.


Displaying and Saving SSH Information

After you have configured SSH, four more commands are available that you can use to verify its operation and disconnect users. They are

  • show ca mypubkey rsa

  • ca save all

  • show ssh sessions

  • ssh disconnect session

The show ca mypubkey rsa Command

The show ca mypubkey rsa command enables you to view the public key that was generated with your hostname and domain name. The command syntax is shown here:

 pixfirewall(config)# show ca mypubkey rsa
 % Key pair was generated at: 09:05:34 UTC Aug 31 2003
 Key name: pixfirewall.newman.cla
  Usage: General Purpose Key
  Key Data:
   30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00c5af11
   97e073ae ece530d1 cfea4649 84521282 768557e3 c1bb1315 8f6627cc 50224607
   14b1b9cd bf7a9c61 3e28d997 ea92b816 c04c63fd 0751748e 588cbcd2 0659675b
   ece86f2b 6592bc39 f707de5e b040e889 cc350b03 ab1a8582 ca329402 31ce17a3
   26a4c8be 3c72cd25 a80612d6 19e7419f afa68301 6c2c7682 d26a39c7 6b020301
   0001
 pixfirewall(config)#

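The Key Data hex dump above is, as its leading bytes show, a DER-encoded SubjectPublicKeyInfo structure, so you can decode it to confirm that the key really has the modulus size you asked for with ca generate rsa key. The following Python script is an added example, not code from this book or from Cisco; it embeds the output above as a constructed sample and uses a small hand-written DER reader, so it needs no third-party libraries.

```python
import re

# Constructed sample: the "show ca mypubkey rsa" output quoted in this section.
SAMPLE_SHOW_CA = """pixfirewall(config)# show ca mypubkey rsa
% Key pair was generated at: 09:05:34 UTC Aug 31 2003
Key name: pixfirewall.newman.cla
 Usage: General Purpose Key
 Key Data:
  30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00c5af11
  97e073ae ece530d1 cfea4649 84521282 768557e3 c1bb1315 8f6627cc 50224607
  14b1b9cd bf7a9c61 3e28d997 ea92b816 c04c63fd 0751748e 588cbcd2 0659675b
  ece86f2b 6592bc39 f707de5e b040e889 cc350b03 ab1a8582 ca329402 31ce17a3
  26a4c8be 3c72cd25 a80612d6 19e7419f afa68301 6c2c7682 d26a39c7 6b020301
  0001
pixfirewall(config)#
"""

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # OID 1.2.840.113549.1.1.1


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits give the byte count
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def extract_key_data(show_output):
    """Return the hex dump that follows 'Key Data:' as bytes (stops at the next prompt)."""
    m = re.search(r"Key Data:(.*?)(?:\n\S*\(config\)#|\Z)", show_output, re.S)
    if not m:
        raise ValueError("no Key Data block in output")
    return bytes.fromhex("".join(re.findall(r"\b[0-9a-fA-F]{2,8}\b", m.group(1))))


def parse_rsa_public_key(der):
    """Parse a DER SubjectPublicKeyInfo for rsaEncryption; return modulus bits and exponent."""
    tag, spki, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE for SubjectPublicKeyInfo")
    tag, alg_id, pos = _read_tlv(spki, 0)
    oid_tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("algorithm is not rsaEncryption")
    tag, bit_string, _ = _read_tlv(spki, pos)
    if tag != 0x03 or bit_string[0] != 0:   # first octet = number of unused bits
        raise ValueError("malformed subjectPublicKey BIT STRING")
    tag, rsa_key, _ = _read_tlv(bit_string[1:], 0)
    n_tag, n, pos = _read_tlv(rsa_key, 0)   # RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER }
    e_tag, e, _ = _read_tlv(rsa_key, pos)
    if tag != 0x30 or n_tag != 0x02 or e_tag != 0x02:
        raise ValueError("malformed RSAPublicKey")
    return {
        "modulus_bits": int.from_bytes(n, "big").bit_length(),
        "exponent": int.from_bytes(e, "big"),
    }


def check_pix_key(show_output, expected_bits):
    """Verify the key in 'show ca mypubkey rsa' output has the modulus size you generated."""
    name = re.search(r"Key name:\s*(\S+)", show_output)
    info = parse_rsa_public_key(extract_key_data(show_output))
    info["key_name"] = name.group(1) if name else None
    info["size_ok"] = info["modulus_bits"] == expected_bits
    return info


if __name__ == "__main__":
    print(check_pix_key(SAMPLE_SHOW_CA, 1024))
```

For the output quoted on this page, the decoder reports a 1024-bit modulus with public exponent 65537 under the key name pixfirewall.newman.cla, which agrees with the ca generate rsa key 1024 command issued earlier.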
The ca save all Command

After you have generated your key, you must execute the ca save all command to save the key to flash memory. The following displays the command:

 pixfirewall(config)# ca save all 

The ca save all command might take several seconds to save, so be patient.

The show ssh sessions Command

The show ssh sessions command can be used to show who is currently connected to the PIX. Following is an example of this command:

 pixfirewall(config)# show ssh sessions
 Session ID      Client IP       Version Encryption      State   Username
 0               192.168.1.11    1.5     DES             6       pix
 pixfirewall(config)#

The ssh disconnect session Command

After you have viewed who has an active SSH session using the show ssh sessions command, you can use the ssh disconnect session command to drop a specific session. The following is an example of this command:

 pixfirewall(config)# show ssh sessions
 Session ID      Client IP       Version Encryption      State   Username
 0               192.168.1.11    1.5     DES             6       pix
 pixfirewall(config)#
 pixfirewall(config)# ssh disconnect session 0
 pixfirewall(config)# show ssh sessions
 pixfirewall(config)#
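When the PIX is managed from a fixed set of administrative hosts, the show ssh sessions output can be checked against that set and the matching ssh disconnect session commands prepared for any session that should not be there. The following Python script is an added example, not code from this book or from Cisco; its sample output is constructed from the session table above with a second session line added, and the set of management hosts is an assumed input.

```python
# Constructed sample modelled on the "show ssh sessions" output in this section,
# with a second session (ID 1) added to illustrate the filtering.
SAMPLE_SESSIONS = """pixfirewall(config)# show ssh sessions
Session ID      Client IP       Version Encryption      State   Username
0               192.168.1.11    1.5     DES             6       pix
1               10.72.7.9       1.5     3DES            6       pix
pixfirewall(config)#
"""


def parse_ssh_sessions(show_output):
    """Turn 'show ssh sessions' output into a list of session dicts, one per data row."""
    sessions = []
    for line in show_output.splitlines():
        parts = line.split()
        # Data rows start with a numeric session ID; the header and prompt lines do not.
        if len(parts) >= 6 and parts[0].isdigit():
            sessions.append({
                "id": int(parts[0]),
                "client_ip": parts[1],
                "version": parts[2],
                "encryption": parts[3],
                "state": parts[4],
                "username": parts[5],
            })
    return sessions


def unexpected_sessions(sessions, management_hosts):
    """Sessions whose client IP is not one of the hosts you manage the PIX from (assumed set)."""
    return [s for s in sessions if s["client_ip"] not in management_hosts]


def disconnect_commands(sessions):
    """Build the 'ssh disconnect session <id>' command for each given session."""
    return [f"ssh disconnect session {s['id']}" for s in sessions]


if __name__ == "__main__":
    # Assumption for the example: 10.72.7.9 is the only sanctioned management host.
    found = parse_ssh_sessions(SAMPLE_SESSIONS)
    for cmd in disconnect_commands(unexpected_sessions(found, {"10.72.7.9"})):
        print(cmd)
```

With the constructed sample and 10.72.7.9 as the only sanctioned host, the script reports session 0 (from 192.168.1.11) and emits ssh disconnect session 0, the same command the page shows being entered by hand.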

HTTP PDM Access

The PIX firewall allows several methods of console access, but it also has a Web browser interface that can be used to monitor and configure the firewall. This interface is called PIX Device Manager (PDM). The PDM Web pages are hosted on the PIX firewall and downloaded to client browsers that support HTTPS (HTTP over Secure Sockets Layer). The PIX firewall must have the HTTP server feature enabled to host the PDM Web pages. The following two steps are needed to configure HTTP access:

  1. Turn on the HTTP server capability.

  2. Specify which hosts can connect using HTTP.

The http server Command

To allow clients to access the PIX from a Web browser, you first must use the http server enable command to turn on the service. Here's an example of the command:

 pixfirewall(config)# http server enable 
The http Command

Now that the PIX is enabled to host the PDM interface, the next step, as with Telnet, is to specify which hosts can connect to the PIX using HTTP. The http command's syntax is as follows:

 pixfirewall(config)# [no] http <local_ip> [<mask>] [<if_name>] 
Table 7.7. http Command Options

 Option     Function
 local_ip   The subnet or IP address allowed to use HTTP to access the PIX.
 mask       The optional mask allows you to specify an exact host with 255.255.255.255 or a subnet with a mask such as 255.255.255.0.
 if_name    The name of the interface on which to accept the HTTP access.

The first example shown here allows 192.168.1.11 HTTP access on the inside interface, whereas the second example allows HTTP access to the PIX for all addresses on the 192.168.1.0 subnet:

 pixfirewall(config)# http 192.168.1.11 255.255.255.255 inside 

and

 pixfirewall(config)# http 192.168.1.0 0.0.0.0 inside 

You can use the show http command to display what has been configured, like so:

 pixfirewall(config)# show http
 http server enabled
 192.168.1.11 255.255.255.255 inside
 0.0.0.0 0.0.0.0 inside
 pixfirewall(config)#
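The telnet, ssh and http commands all take the same local_ip, mask and if_name arguments, and the mask decides how wide the allowance is: 255.255.255.255 admits one host, 255.255.255.0 a subnet, and 0.0.0.0 every source address on that interface (note that the show http output above stores the second http example as 0.0.0.0 0.0.0.0 inside, which is why a 0.0.0.0 mask deserves a second look during a configuration review). The following Python script is an added example, not code from this book or from Cisco; it models that matching logic over the command lines shown in this section, and it assumes, as the page's three equivalent telnet examples imply, that an omitted mask means a single host and an omitted interface name means inside.

```python
import ipaddress
import re

# Constructed sample: access lines taken from the telnet, ssh and http examples in this
# section, with a prompt left on one line and two non-address forms included to show
# that they are skipped rather than misparsed.
SAMPLE_CONFIG = [
    "pixfirewall(config)# telnet 192.168.1.11",
    "telnet 192.168.1.11 255.255.255.255",
    "telnet 192.168.1.11 255.255.255.255 inside",
    "ssh 10.72.7.9 255.255.255.255 outside",
    "ssh timeout 10",
    "http server enable",
    "http 192.168.1.11 255.255.255.255 inside",
    "http 192.168.1.0 0.0.0.0 inside",
]

PROMPT = re.compile(r"^\S*\(config\)#\s*")
SERVICES = ("telnet", "ssh", "http")


def parse_access_entries(config_lines):
    """Parse telnet/ssh/http lines into (service, network, if_name) tuples.

    Assumptions (drawn from the page's examples): a missing mask means a single host
    (255.255.255.255) and a missing interface name means 'inside'.
    """
    entries = []
    for line in config_lines:
        parts = PROMPT.sub("", line.strip()).split()
        if len(parts) < 2 or parts[0] not in SERVICES:
            continue
        if parts[1] in ("timeout", "server"):     # 'ssh timeout N' / 'http server enable'
            continue
        service, local_ip = parts[0], parts[1]
        mask = parts[2] if len(parts) > 2 else "255.255.255.255"
        if_name = parts[3] if len(parts) > 3 else "inside"
        # ipaddress accepts a dotted netmask; strict=False keeps host bits such as 192.168.1.11/32
        network = ipaddress.ip_network(f"{local_ip}/{mask}", strict=False)
        entries.append((service, network, if_name))
    return entries


def is_allowed(entries, service, client_ip, if_name):
    """True if client_ip arriving on if_name matches an entry for that service."""
    ip = ipaddress.ip_address(client_ip)
    return any(svc == service and ifn == if_name and ip in net
               for svc, net, ifn in entries)


def overly_broad_entries(entries):
    """Entries whose mask admits every source address (a 0.0.0.0 mask)."""
    return [(svc, str(net), ifn) for svc, net, ifn in entries if net.prefixlen == 0]


if __name__ == "__main__":
    entries = parse_access_entries(SAMPLE_CONFIG)
    for svc, net, ifn in entries:
        print(f"{svc:6} {str(net):20} {ifn}")
    print("10.9.9.9 via http on inside:", is_allowed(entries, "http", "10.9.9.9", "inside"))
    print("overly broad:", overly_broad_entries(entries))
```

Run against the sample, the check shows that 192.168.1.11 may Telnet in on the inside interface but not on the outside interface, that 10.72.7.9 may SSH in only on the outside interface, and that the http 192.168.1.0 0.0.0.0 inside line admits an address such as 10.9.9.9 that is nowhere near the 192.168.1.0 subnet; overly_broad_entries flags exactly that line.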

The PIX Device Manager is covered in more detail in later chapters.



CCSP CSPFA Exam Cram 2 (Exam 642-521)
ISBN: 0789730235
Year: 2003
Pages: 218