Cisco PIX 525 manuals

Owner's manuals and user's guides for the Cisco PIX 525, listed under the site's "Security access control systems" category.
Two PDF manuals for the Cisco PIX 525 are available for free download, filed under the document type "Specifications": the Cisco PIX Firewall and VPN Configuration Guide (document 78-15033-01) and a later Configuration Guide (document OL-6721-01) that additionally covers security contexts, transparent firewall mode, IPv6 and Active/Active failover. The table of contents of each follows.


Table of contents: Cisco PIX Firewall and VPN Configuration Guide (78-15033-01)

About This Guide
Document Organization
Document Conventions
Obtaining Documentation
Documentation CD-ROM
Ordering Documentation
Documentation Feedback
Cisco.com
Technical Assistance Center
Cisco TAC Escalation Center
Getting Started
How the PIX Firewall Works
Adaptive Security Algorithm
Address Translation
Cut-Through Proxy
Supported Routing Protocols
Access Control
TurboACL
Downloadable ACLs
VLAN Support
Mail Guard
Flood Guard
DNS Control
ActiveX Blocking
Java Filtering
URL Filtering
Configurable Proxy Pinging
Voice over IP
CTIQBE (TAPI)
RAS Version 2
LDAP Version 2 and ILS
NetBIOS over IP
Virtual Private Networks
Certification Authorities
Using a Site-to-Site VPN
DHCP Server
DHCP Relay
DHCP Client
Using a Syslog Server
FTP and URL Logging
Integration with Cisco IDS
PIX Firewall Failover
Access Modes
Accessing Configuration Mode
Abbreviating Commands
Command Line Editing
Filtering Show Command Output
Command Output Paging
Comments
Configuration Size
Help Information
Where to Go from Here
Establishing Connectivity
Setting Default Routes
How NAT and PAT Work
Configuring NAT and PAT
Using RIP
Using OSPF
OSPF Features Supported
Restrictions and Limitations
Using OSPF in Public Networks
Viewing OSPF Configuration
Clearing OSPF Configuration
Testing Connectivity
Basic Configuration Examples
Using VLANs with the Firewall
Using Logical Interfaces
VLAN Security Issues
Managing VLANs
Using Outside NAT
Simplifying Routing
Policy NAT
Limitations
Configuring Policy NAT
Overview
Configuring IGMP Timers
Clearing IGMP Configuration
Viewing and Debugging SMR
Enabling Inbound Connections
Port Redirection Example
Configuring AAA
Using MAC-Based AAA Exemption
Basic Configuration
Managing Access to Services
Using TurboACL
Globally Configuring TurboACL
Downloading Access Lists
Software Restrictions
How Object Grouping Works
Using Subcommand Mode
Nesting Object Groups
Removing Object Groups
Filtering ActiveX Objects
Filtering Java Applets
Filtering HTTPS and FTP Sites
Configuring Filtering Policy
Filtering Long URLs
Configuration Procedure
Basic Configuration Procedure
Using X.509 Certificates
Using Related Commands
Using DHCP Relay
Configuring the DHCP Client
Using the fixup Command
Basic Internet Protocols
Application Inspection
Sample Configuration
Voice Over IP
CU-SeeMe
Viewing Connection Status
Technical Background
Viewing MGCP Information
Using PAT with SCCP
Viewing SCCP Information
Providing IP Address Privacy
Instant Messaging (IM)
Viewing SIP Information
Multimedia Applications
TCP Stream
VDO LIVE
ILS and LDAP
Management Protocols
Remote Shell
How IPSec Works
Internet Key Exchange (IKE)
Configuring IKE
Disabling IKE
CA Overview
Public Key Cryptography
Supported CA Servers
Configuring IPSec
Transform Sets
Crypto Maps
Access Lists
IPSec SA Lifetimes
Basic IPSec Configuration
Using Dynamic Crypto Maps
Site-to-Site Redundancy
Using NAT Traversal
Manual Configuration of SAs
Viewing IPSec Configuration
Clearing SAs
Using Pre-Shared Keys
Figure 7-1 VPN Tunnel Network
Scenario Description
Figure 7-2 VPN Tunnel Network
PIX Firewall 1 Configuration
PIX Firewall 2 Configuration
Services Module
Manual Configuration with NAT
Managing VPN Remote Access
Enabling Redundancy
Bypassing AAA Authentication
Configuring the PIX Firewall
Using PPTP for Remote Access
PPTP Configuration
PPTP Configuration Example
Privilege Levels
User Authentication
Command Authorization
TACACS+ Command Authorization
Recovering from Lockout
Using Network Time Protocol
Enabling NTP
Viewing System Time
Setting the System Clock
Using Telnet
Trace Channel Feature
Obtaining an SSH Client
Viewing SSH Status
Enabling Auto Update Support
Managing Auto Update Support
Capturing Packets
Packet Capture Output Formats
Packet Capture Examples
Using Syslog
Disabling Syslog Messages
Configuration
Logging Behavior
Syslog Message Format
Managing IDS Syslog Messages
Using SNMP
MIB Support
SNMP CPU Utilization
SNMP Usage Notes
SNMP Traps
Viewing Failover Status
Verifying Memory Usage
Viewing The Connection Count
Viewing System Buffer Usage
Using PIX Firewall Failover
Failover System Requirements
Understanding Failover
Failover and State Links
State Link
Configuration Replication
Failover Triggers
Configuring the Primary Unit
Forcing Failover
Disabling Failover
Monitoring Failover
Basic Failover Questions
LAN-Based Failover Questions
Stateful Failover Questions
Cable-Based Failover Example
LAN-Based Failover Example
Obtaining an Activation Key
Entering a New Activation Key
Getting a TFTP Server
Downloading Software with FTP
Using Boothelper
TFTP Download Error Codes
Acronyms and Abbreviations
Access Clients
Introduction
PIX Firewall Configuration
Token Enabled
Next Tokencode Mode
New PIN Mode
L2TP Overview
Tunnel mode
Transport mode
Enabling IPSec Debug
Figure B-5 VPN Client Access
Configuring the Inside Server
TCP/IP Reference Information
Protocols and Applications
Using Subnet Masks
Uses for Subnet Information
Using Limited IP Addresses
Addresses in the .128 Mask
Addresses in the .192 Mask
Addresses in the .224 Mask
Addresses in the .240 Mask
Addresses in the .248 Mask
Addresses in the .252 Mask
Proposals
Supported Easy VPN Proposals

Table of contents: Configuration Guide (OL-6721-01)

Parts and chapters listed in the top-level contents:
Chapter 2 Getting Started
Chapter 9 Configuring IPv6
Chapter 11 Configuring Failover
Part 2 Configuring the Firewall
Chapter 14 Applying NAT
Chapter 20 Applying QoS Policies
Part 3 Configuring VPN
Part 4 System Administration
Appendix B Sample Configurations

Sections:
About This Guide
Related Documentation
Document Organization
Document Conventions
Obtaining Documentation
Documentation Feedback
Submitting a Service Request
Firewall Functional Overview
Security Policy Overview
Stateful Inspection Overview
VPN Functional Overview
Security Context Overview
Getting Started
Saving Configuration Changes
Viewing the Configuration
Unsupported Features
Context Configuration Files
Shared Interface Guidelines
Cascading Security Contexts
Restoring Single Context Mode
Configuring Ethernet Settings
Configuring Subinterfaces
Removing a Security Context
Changing the Admin Context
Reloading a Security Context
Monitoring Security Contexts
Viewing Resource Usage
Security Level Overview
Configuring the Interface
Security Level
Configuring Basic Settings
Setting the Hostname
Setting the Domain Name
Setting the Date and Time
Configuring a Static Route
Configuring OSPF
OSPF Overview
Enabling OSPF
Adding a Route Map
Configuring OSPF NSSA
Generating a Default Route
Monitoring OSPF
Restarting the OSPF Process
Configuring RIP
Configuring Multicast Routing
Enabling Multicast Routing
Configuring IGMP Features
Configuring Group Membership
Changing the IGMP Version
Configuring PIM Features
Configuring DHCP
Configuring DHCP Options
Configuring the DHCP Client
Configuring IPv6
Configuring IPv6 Access Lists
The show ipv6 route Command
IPv6 Configuration Example
AAA Overview
About Authentication
About Authorization
About Accounting
Summary of Support
RADIUS Server Support
TACACS+ Server Support
SDI Server Support
NT Server Support
Kerberos Server Support
LDAP Server Support
Local Database Support
Fallback Support
Configuring Failover
Failover System Requirements
The Failover and State Links
State Link
Active/Standby Failover
Understanding Failover
Command Replication
Failover Triggers
Failover Actions
Active/Active Failover
Regular and Stateful Failover
Failover Health Monitoring
Prerequisites
Configuring the Primary Unit
Configuring Failover Criteria
Configure the Primary Unit
Configure the Secondary Unit
Figure 11-1 ASR Example
Configuring Failover
Show Failover—Active/Active
Viewing Monitored Interfaces
Forcing Failover
Disabling Failover
Monitoring Failover
Debug Messages
Configuring the Firewall
Firewall Mode Overview
IP Routing Support
Network Address Translation
Routed Mode Overview
Figure 12-2 Inside to Outside
Transparent Mode Overview
Transparent Firewall Features
Access List Overview
Access List Types and Uses
VPN Access (Extended)
Access List Guidelines
Access Control Implicit Deny
Adding a Standard Access List
Adding Object Groups
Adding a Network Object Group
Adding a Service Object Group
Nesting Object Groups
Displaying Object Groups
Removing Object Groups
Time Range Options
Logging Access List Activity
Access List Logging Overview
Managing Deny Flows
Applying NAT
Introduction to NAT
NAT Control
NAT Overview
NAT Types
Static NAT
Static PAT
Figure 14-7 Static PAT
Policy NAT
Mapped Address Guidelines
DNS and NAT
Configuring NAT Control
Using Dynamic NAT and PAT
Figure 14-19 Dynamic NAT
Figure 14-20 Dynamic PAT
Using Static NAT
Using Static PAT
Bypassing NAT
Configuring NAT Exemption
NAT Examples
Overlapping Networks
Redirecting Ports
AAA Performance
Authentication Overview
Applying Filtering Services
Filtering ActiveX Objects
Filtering Java Applets
Filtering Overview
General Procedure
Filtering HTTP URLs
Filtering HTTPS URLs
Filtering FTP Requests
Viewing Caching Statistics
Overview
Class Map Example
Policy Map Procedure
Policy Map Examples
Restrictions
Action Order
Advanced Options
Types of Direction Policies
Implicit Direction Policies
Examples
Service Policy and NAT
Configuring TCP Normalization
Preventing IP Spoofing
Configuring the Fragment Size
Blocking Unwanted Connections
Applying QoS Policies
QoS Concepts
Identifying Traffic for QoS
Classifying Traffic for QoS
Defining a QoS Policy Map
Applying Rate Limiting
Verifying QoS Statistics
Activating the Service Policy
Applying Low Latency Queueing
Configuring Priority Queuing
Sizing the Priority Queue
Reducing Queue Latency
Viewing QoS Statistics
How Inspection Engines Work
Supported Protocols
Managing CTIQBE Inspection
Managing FTP Inspection
Configuring FTP Inspection
Managing GTP Inspection
Managing H.323 Inspection
Limitations and Restrictions
Monitoring H.225 Sessions
Monitoring H.245 Sessions
Monitoring H.323 RAS Sessions
Managing HTTP Inspection
Managing MGCP Inspection
MGCP Inspection Overview
Managing RTSP Inspection
RTSP Inspection Overview
Using RealPlayer
Restrictions and Limitations
Managing SIP Inspection
SCCP Inspection Overview
Supporting Cisco IP Phones
Managing SNMP Inspection
SNMP Inspection Overview
Parameters
Adding a Static ARP Entry
Enabling ARP Inspection
MAC Address Table Overview
Adding a Static MAC Address
Viewing the MAC Address Table
Configuring VPN
Configuring IPSec and ISAKMP
IPSec Overview
Configuring ISAKMP
ISAKMP Overview
Configuring ISAKMP Policies
Enabling IPSec over NAT-T
Enabling IPSec over TCP
Configuring IPSec
Understanding Transform Sets
Defining Crypto Maps
Using Interface Access Lists
Changing IPSec SA Lifetimes
Using Dynamic Crypto Maps
Configuring Client Update
Tunnel Groups
IPSec Connection Parameters
Configuring Tunnel Groups
Group Policies
Default Group Policy
Configuring Group Policies
Configuring Users
Configuring Specific Users
Configuring User Attributes
Configuring AAA Addressing
Configuring DHCP Addressing
Summary of the Configuration
Configuring Interfaces
Outside Interface
Configuring an Address Pool
Adding a User
Creating a Transform Set
Defining a Tunnel Group
Configuring LAN-to-LAN VPNs
Configuring an ACL
Configuring Certificates
Certificate Scalability
About Key Pairs
About Trustpoints
About CRLs
Certificate Configuration
Configuring Key Pairs
Configuring Trustpoints
Obtaining Certificates
System Administration
Managing System Access
Allowing SSH Access
Using an SSH Client
Changing the Login Password
Recovering from a Lockout
Configuring a Login Banner
Configurations
Entering a New Activation Key
Installation Overview
Viewing Files in Flash Memory
Backing Up the Configuration
Using System Log Messages
Using SNMP
Enabling SNMP
Testing Your Configuration
Performing Password Recovery
Other Troubleshooting Tools
Common Problems
Supported Platforms
Platform Feature Licenses
VPN Specifications
Cryptographic Standards
Sample Configurations
Figure B-2 Example 2
Figure B-3 Example 3
Command Modes and Prompts
Syntax Formatting
Abbreviating Commands
Command-Line Editing
Command Completion
Command Help
Filtering show Command Output
Command Output Paging
Adding Comments
Text Configuration Files
Line Order
Passwords
Private Networks
Subnet Masks
Determining the Subnet Mask
Class C-Size Network Address
Class B-Size Network Address
IPv6 Addresses
IPv6 Address Types
Global Address
Site-Local Address
Link-Local Address
Unspecified Address
Loopback Address
Interface Identifiers
Multicast Address
Anycast Address
IPv6 Address Prefixes
Protocols and Applications
TCP and UDP Ports
Local Ports and Protocols
ICMP Types
Glossary
