CCSP Cisco Secure PIX Firewall Advanced Exam Certification Guide, Second Edition [Electronic resources] (text version)



Greg Bastien; Earl Carter; Christian Degu


  • Foundation Topics



    Access Modes


    The Cisco PIX Firewall contains a command set based on Cisco IOS® Software technologies that provides three administrative access modes:

    • Unprivileged mode is available when you first access the PIX Firewall through console or Telnet. It displays the > prompt. This mode lets you view only restricted settings.

    • You access privileged mode by entering the enable command and the enable password. The prompt then changes from > to #. In this mode you can change a few of the current settings and view the existing Cisco PIX Firewall configuration. Any unprivileged command also works in privileged mode. To exit privileged mode, enter the disable or exit command.

    • You access configuration mode by entering the configure terminal command. This changes the prompt from # to (config)#. In this mode you can change system configurations. All privileged, unprivileged, and configuration commands work in this mode. Use the exit or ^z command to exit configuration mode.


    Chapter 4, "System Management/Maintenance."


    Configuring the PIX Firewall


    Six important commands are used to produce a basic working configuration for the PIX Firewall:

    • interface

    • nameif

    • ip address

    • nat

    • global

    • route


    Before you use these commands, it can prove very useful to draw a diagram of your Cisco PIX Firewall with the different security levels, interfaces, and Internet Protocol (IP) addresses. Figure 6-1 shows one such diagram that is used for the discussion in this chapter.


    Figure 6-1. Documenting Cisco PIX Firewall Security Levels, Interfaces, and IP Addresses


    interface Command

    The interface command identifies the interface hardware card, sets the speed of the interface, and enables the interface, all in one command. All interfaces on a Cisco PIX Firewall are shut down by default and are explicitly enabled by the interface command. The basic syntax of the interface command is as follows:


    interface hardware-id hardware-speed [ shutdown ]

    Table 6-2 describes the command parameters for the interface command.

    Table 6-2. interface Command Parameters

    hardware-id: Indicates the interface's physical location on the Cisco PIX Firewall.

    hardware-speed: Sets the connection speed, depending on which medium is being used. auto sets Ethernet speeds automatically. However, it is recommended that you configure the speed manually. Make sure that the hardware-speed setting matches the port speed on the switch to which the interface is connected. The keywords are as follows:

    • 1000sxfull Sets full-duplex Gigabit Ethernet.

    • 1000basesx Sets half-duplex Gigabit Ethernet.

    • 1000auto Automatically detects and negotiates full-/half-duplex Gigabit Ethernet.

    • 10baset Sets 10 Mbps half-duplex Ethernet (very rare these days).

    • 10full Sets 10 Mbps full-duplex Ethernet.

    • 100full Sets 100 Mbps full-duplex Ethernet.

    • 100basetx Sets 100 Mbps half-duplex Ethernet.

    • aui Sets 10 Mbps Ethernet half-duplex communication with an attachment unit interface (AUI) cable interface.

    • auto Sets Ethernet speed automatically. The auto keyword can be used only with the Intel 10/100 automatic speed-sensing network interface card. You should not use this option to maintain compatibility with switches and other devices in your network.

    • bnc Sets 10 Mbps Ethernet half-duplex communication with a Bayonet-Neill-Concelman (BNC) cable interface.

    shutdown: Administratively shuts down the interface. This parameter performs a very similar function in Cisco IOS Software. However, unlike with Cisco IOS, the command no shutdown cannot be used here. To place an interface in an administratively up mode, you reenter the interface command without the shutdown parameter.

    Example 6-1 shows some examples of the interface command:


    Example 6-1. Sample Configuration for the interface Command


    Pix(config)# interface ethernet0 auto
    Pix(config)# interface ethernet1 100full
    Pix(config)# interface ethernet2 100basetx shut


    nameif Command

    As the name intuitively indicates, the nameif command is used to name an interface and assign a security value from 1 to 99. The outside and inside interfaces are named by default and have default security values of 0 and 100, respectively. By default, the interfaces have their hardware ID. Ethernet 0 is the outside interface, and Ethernet 1 is the inside interface. The names that are configured by the nameif command are user-friendly and are easier to use for advanced configuration later.

    Note

    The nameif command can also be used to assign security values of 0 and 100. The names "inside" and "outside" are merely reserved for security levels 100 and 0, respectively, and are assigned by default, but they can be changed.

    The syntax of the nameif command is as follows:


    nameif hardware-id if-name security-level

    Table 6-3 describes the command parameters for the nameif command.

    Table 6-3. nameif Command Parameters

    hardware-id: Indicates the interface's physical location on the Cisco PIX Firewall.

    if-name: Specifies the name by which you refer to this interface. The name cannot have any spaces and must not exceed 48 characters.

    security-level: Specifies a numerical value from 1 to 99 indicating the security level.

    Example 6-2 shows some examples of the nameif command:


    Example 6-2. Sample Configuration for the nameif Command


    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz security20

    The security-level value controls how hosts/devices on the different interfaces interact with each other. By default, hosts/devices connected to interfaces with higher security levels can access hosts/devices connected to interfaces with lower security levels. Hosts/devices connected to interfaces with lower security levels cannot access hosts/devices connected to interfaces with higher security levels without the assistance of access lists.

    You can verify your configuration by using the show nameif command.


    ip address Command

    All the interfaces on the Cisco PIX Firewall that will be used must be configured with an IP address. The IP address can be configured manually or through Dynamic Host Configuration Protocol (DHCP). The DHCP feature is usually used on Cisco PIX Firewall small office/home office (SOHO) models. DHCP is discussed later in this chapter.

    The ip address command is used to configure IP addresses on the PIX interfaces. The ip address command binds a logical address (IP address) to the hardware ID. Table 6-4 describes the parameters for the ip address command, the syntax of which is as follows:


    ip address if-name ip-address [netmask]

    Table 6-4. ip address Command Parameters

    if-name: Specifies the interface name that was configured using the nameif command.

    ip-address: Specifies the IP address of the interface.

    netmask: Specifies the appropriate network mask. If the mask value is not entered, the PIX assigns a classful network mask.

    Example 6-3 shows configuration of the inside interface with an IP address of 10.10.10.14/24:


    Example 6-3. Sample Configuration for the ip address Command


    ip address inside 10.10.10.14 255.255.255.0

    Use the show ip command to view the configured IP address on the PIX interface.


    nat Command

    The nat (which stands for Network Address Translation) command lets you dynamically translate a set of IP addresses (usually on the inside) to a global set of IP addresses.

    Note

    PIX Version 6.2 and later support bidirectional translation of inside network IP addresses to global IP addresses and translation of outside IP addresses to inside network IP addresses.

    The nat command is always paired with a global command, with the exception of the nat 0 command. Table 6-5 describes the command parameters for the nat command, the syntax of which is as follows:


    nat (if-name) nat-id local-ip [netmask]

    Table 6-5. nat Command Parameters

    (if-name): Specifies the internal network interface name.

    nat-id: Specifies the ID number to match with the global address pool.

    local-ip: Specifies the IP address that is translated. This is usually the inside network IP address. It is possible to assign all of the inside network for the local-ip through nat (inside) 1 0 0.

    netmask: Specifies the network mask for the local IP address.

    Example 6-4 shows an example of the nat command.


    Example 6-4. Sample Configuration for the nat Command


    nat (inside) 1 10.10.10.0 255.255.255.0
    nat (inside) 2 172.16.1.0 255.255.255.0

    Chapter 5, "Understanding Cisco PIX Firewall Translation and Connection," discusses NAT in greater detail.


    Configuring Port Address Translation

    Port Address Translation (PAT) can be configured using the same command as Network Address Translation (NAT). PAT maps a single global IP address to many local addresses. PAT extends the range of available outside addresses at your site by dynamically assigning unique port numbers to the outside address as a connection is requested. A single IP address has up to 65,535 ports available for making connections. For PAT, the port number uniquely identifies each connection.

    PAT translates a group of local addresses to a single global IP address with a unique source port (above 1024). When a local host accesses the destination network, the Firewall services module assigns it the global IP address and then a unique port number. Each host receives the same IP address, but because the source port numbers are unique, the responding traffic, which includes the IP address and port number as the destination, can be assigned to the correct host. It is highly unlikely that you would run out of addresses in PAT configuration because there are more than 64,000 ports available.

    PAT enables you to use a single global address, thus conserving routable addresses. You can even use the IP address of the interface itself as the PAT IP address (this type of configuration is commonly used on, but not limited to, the outside interface). PAT does not work with multimedia applications that have an inbound data stream different from the outgoing control path.

    In large enterprise environments, to use NAT you must have a large number of routable addresses in the global pool. If the destination network requires registered addresses, such as the Internet, you might encounter a shortage of usable addresses. This can be a disadvantage.

    PAT does not work with applications that have an inbound data stream on one port and the outgoing control path on another, such as multimedia applications. For those situations, it is more advantageous to use NAT. Example 6-5 shows a sample configuration for PAT.


    Example 6-5. Sample Configuration for Configuring PAT on the Inside Interface


    nat (inside) 1 10.10.30.0 255.255.255.0
    global (outside) 1 interface


    global Command

    The global command is used to define the address or range of addresses into which the addresses defined by the nat command are translated. It is important that the nat-id be identical to the nat-id used in the nat command. The nat-id pairs the IP address defined by the global and nat commands so that network translation can take place. The syntax of the global command is as follows:


    global (if-name) nat-id global-ip | global-ip-global-ip [ netmask netmask]

    Table 6-6 describes the parameters and options for the global command.

    Table 6-6. global Command Parameters

    (if-name): Specifies the external network where you use these global addresses.

    nat-id: Identifies the global address and matches it with the nat command with which it is pairing.

    global-ip: Specifies a single IP address. When a single IP address is specified, the PIX automatically performs PAT. A warning message indicating that the PIX will use PAT for all addresses is displayed on the console.

    global-ip-global-ip: Defines a range of global IP addresses to be used by the PIX to NAT.

    netmask: Specifies the network mask for the global IP address(es).

    There should be enough global IP addresses to match the local IP addresses specified by the nat command. If there are not, you can make up for the shortage of global addresses with a PAT entry, which permits more than 64,000 hosts to use a single IP address. PAT divides the available ports per global IP address into three ranges:

    • 0 to 511

    • 512 to 1023

    • 1024 to 65535


    PAT assigns a unique source port for each User Datagram Protocol (UDP) or Transmission Control Protocol (TCP) session. It attempts to assign the same port value of the original request, but if the original source port has already been used, PAT starts scanning from the beginning of the particular port range to find the first available port and then assigns it to the conversation. PAT has some restrictions in its use. For example, it cannot support H.323. Example 6-6 shows a configuration using a range of global IP addresses and a single IP address for PAT.


    Example 6-6. Sample Configuration for NAT and PAT


    nat (inside) 1 10.0.0.0 255.0.0.0
    global (outside) 1 192.168.100.20-192.168.100.50 netmask 255.255.255.0
    global (outside) 1 192.168.100.55 netmask 255.255.255.0

    When a host or device tries to start a connection, the PIX Firewall checks the translation table to see whether there is an entry for that particular IP address. If there is no existing translation, a new translation slot is created. The default time that a translated IP address is kept in the translation table is 3 hours. You can change this with the timeout xlate hh:mm:ss command. To view the translated addresses, use the show xlate command.
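    The following is an added illustration, not code from the book: a small Python simulation of the PAT source-port rule described above (three port ranges, the original source port is kept when it is free on the global address, otherwise the first free port in the same range is taken), together with the reverse lookup that returns reply traffic to the correct inside host and the xlate idle timeout. The global address, inside hosts and ports are constructed sample values.

```python
# Added example (not from the book): PAT port allocation as this chapter
# describes it. Ports on the global address are split into three ranges; a new
# flow keeps its original source port if that port is free on the global
# address, otherwise the first free port in the same range is used. Slots age
# out after the xlate timeout (3 hours by default, "timeout xlate 3:00:00").
from dataclasses import dataclass, field

PORT_RANGES = ((0, 511), (512, 1023), (1024, 65535))
DEFAULT_XLATE_TIMEOUT = 3 * 60 * 60  # seconds


def port_range(port):
    """Return the (low, high) PAT range that contains port."""
    for lo, hi in PORT_RANGES:
        if lo <= port <= hi:
            return lo, hi
    raise ValueError(f"port out of range: {port}")


@dataclass
class PatTable:
    """Translation table for one global (outside) IP address."""
    global_ip: str
    timeout: int = DEFAULT_XLATE_TIMEOUT
    outbound: dict = field(default_factory=dict)   # (local_ip, local_port) -> global_port
    inbound: dict = field(default_factory=dict)    # global_port -> (local_ip, local_port)
    last_used: dict = field(default_factory=dict)  # global_port -> time of last use

    def translate(self, local_ip, local_port, now=0):
        """Outbound direction: return (global_ip, global_port) for a local socket."""
        self._expire(now)
        key = (local_ip, local_port)
        if key in self.outbound:                  # existing translation slot
            gport = self.outbound[key]
        else:
            lo, hi = port_range(local_port)
            if local_port not in self.inbound:    # original source port still free
                gport = local_port
            else:                                 # scan the range from its start
                free = (p for p in range(lo, hi + 1) if p not in self.inbound)
                gport = next(free, None)
                if gport is None:
                    raise RuntimeError(f"PAT range {lo}-{hi} exhausted on {self.global_ip}")
            self.outbound[key] = gport
            self.inbound[gport] = key
        self.last_used[gport] = now
        return self.global_ip, gport

    def untranslate(self, global_port, now=0):
        """Inbound direction: map a reply arriving on global_port back to the local socket."""
        self._expire(now)
        return self.inbound.get(global_port)

    def _expire(self, now):
        """Drop slots that have been idle for at least the xlate timeout."""
        stale = [p for p, t in self.last_used.items() if now - t >= self.timeout]
        for p in stale:
            del self.inbound[p], self.last_used[p]
        self.outbound = {k: v for k, v in self.outbound.items() if v in self.inbound}


def demo():
    """Three constructed inside hosts, all using source port 1025, share one global address."""
    pat = PatTable("192.168.100.55")
    results = [pat.translate(ip, 1025) for ip in ("10.0.0.5", "10.0.0.6", "10.0.0.7")]
    reply_target = pat.untranslate(1024)   # a reply to the second host's flow
    return results, reply_target


if __name__ == "__main__":
    translations, target = demo()
    for t in translations:
        print(t)
    print("reply on port 1024 goes to", target)
```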


    route Command

    The route command tells the Cisco PIX Firewall where to send information that is forwarded on a specific interface and that is destined for a particular network address. You add static routes to the PIX using the route command.

    Table 6-7 describes the route command parameters, the syntax of which is as follows:


    route if-name ip-address netmask gateway-ip [metric]

    Table 6-7. route Command Parameters

    if-name: Specifies the name of the interface from which the data leaves.

    ip-address: Specifies the IP address to be routed.

    netmask: Specifies the network mask of the IP address to be routed.

    gateway-ip: Specifies the IP address of the next-hop address. Usually this is the IP address of the perimeter router.

    metric: Specifies the number of hops to gateway-ip.

    Example 6-7 shows a default route configuration on a Cisco PIX Firewall:


    Example 6-7. Default Route of 192.168.1.3


    route outside 0.0.0.0 0.0.0.0 192.168.1.3 1

    Note

    On the PIX Firewall, only one default route is permitted.

    The 1 at the end of the route indicates that the gateway router is only one hop away. If a metric is not specified in the route command, the default is 1. You can configure only one default route on the PIX Firewall. It is good practice to use the clear arp command to clear the ARP cache of the PIX Firewall before testing your new route configuration.


    Routing Information Protocol

    The Routing Information Protocol (RIP) can be enabled to build the Cisco PIX Firewall routing table. RIP configuration specifies whether the PIX updates its routing tables by passively listening to RIP traffic and whether the interface broadcasts itself as a default route for network traffic on that interface. When using RIP version 2 with PIX software versions earlier than 5.3, it is important to configure the router providing the RIP updates with the network address of the PIX interface. The default version is 1 if not explicitly specified. The syntax to enable RIP is as follows:


    rip if-name default | passive [version [1 | 2]] [authentication [text | md5 key (key-id)]]

    Table 6-8 describes the rip command parameters.

    Table 6-8. rip Command Parameters

    if-name: Specifies the interface name.

    default: Broadcasts a default route on the interface.

    passive: Enables passive RIP on the interface. The Cisco PIX Firewall listens for RIP routing broadcasts and uses that information to populate its routing tables.

    version: Specifies the RIP version number. Use version 2 for RIP update encryption. Use version 1 to provide backward compatibility with the earlier versions.

    authentication: Enables authentication for RIP version 2.

    text: Sends RIP updates in clear text.

    md5: Encrypts RIP updates using MD5 encryption.

    key: Specifies the key to encrypt RIP updates. This value must be the same on the routers and on any other device that provides RIP version 2 updates. The key is a text string up to 16 characters in length.

    key-id: Specifies the key identification value. The key-id can be a number from 1 to 255. Use the same key-id that is used on the routers and any other device that provides RIP version 2 updates.


    Testing Your Configuration

    Making sure that the configuration you entered works is an important part of the configuration process. At this point you test basic connectivity from the inside interface out to the other interfaces. Use the ping and debug commands to test your connectivity.

    The ping command sends an Internet Control Message Protocol (ICMP) echo request message to the target IP address and expects an ICMP echo reply. By default, the PIX denies all inbound traffic through the outside interface. Based on your network security policy, you should consider configuring the PIX to deny all ICMP traffic to the outside interface, or any other interface you deem necessary, by entering the icmp command. The icmp command controls ICMP traffic that terminates on the PIX. If no ICMP control list is configured, the PIX accepts all ICMP traffic that terminates at any interface (including the outside interface). For example, when you first configure the PIX, it is a good idea to be able to ping an interface and get a response. The following makes that possible for the outside interface:


    icmp permit any any outside

    The icmp permit any any outside command is used during the testing/debugging phase of your configuration process. Make sure that you change it so it does not respond to ping requests after you complete testing. It is a security risk to leave it set to accept and respond to ICMP packets.

    After the icmp permit command has been configured, you can ping the outside interface on your Cisco PIX Firewall and ping from hosts on each firewall interface. For example:


    ping outside 192.168.1.1

    You also can monitor ping results by starting debug icmp trace .


    Saving Your Configuration

    Configuration changes that you have made stay in the random access memory (RAM) of the PIX Firewall unless you save them to Flash memory. If for any reason the PIX must be rebooted, the configuration changes you made are lost. So, when you finish entering commands in the configuration, save the changes to Flash memory by using the write memory command, as follows:


    Pix# write memory

    Note

    There is one obvious advantage of not having configuration changes committed to Flash memory immediately. For example, if you make a configuration change that you cannot back out from, you simply reboot and return to the settings you had before you made the changes.

    You are now finished configuring the Cisco PIX Firewall. This basic configuration lets protected network users start connections and prevents users on unprotected networks from accessing (or attacking) protected hosts.

    Use the write terminal or show running-config command to view your current configuration.


    Support for Domain Name System Messages


    PIX Firewall fully supports NAT and PAT of Domain Name System (DNS) messages originating from either a more secure interface or a less secure interface. This means that if a client on an inside network requests DNS resolution of an inside address from a DNS server on an outside interface, the DNS A record is translated correctly. To illustrate this point, Figure 6-2 shows a user from inside obtaining DNS resolution from the outside (maybe from an Internet service provider) for a web server on the inside.


    Figure 6-2. User Obtaining DNS Resolution from the Outside


    Configuring Dynamic Host Configuration Protocol on the Cisco PIX Firewall


    The Cisco PIX Firewall can be configured as either of the following:

    • DHCP server

    • DHCP client



    Using the PIX Firewall Dynamic Host Configuration Protocol Server

    The DHCP server is usually used in, but not limited to, SOHO environments. The address pool of a PIX Firewall DHCP server must be within the same subnet as the PIX Firewall interface that is enabled, and you must specify the associated PIX Firewall interface with if-name. In other words, the client must be physically connected to the subnet of a PIX Firewall interface. The size of the pool is limited to 32 addresses with a 10-user license and 128 addresses with a 50-user license on the PIX 501. The unlimited user license on the PIX 501 and all other PIX Firewall platforms supports 256 addresses. To configure DHCP on the PIX, use the dhcpd command. The following is the syntax for the dhcpd command:


    dhcpd address ip1 [- ip2 ] if-name
    dhcpd auto-config [outside]
    dhcpd dns dns1 [ dns2 ]
    dhcpd wins wins1 [ wins2 ]
    dhcpd lease lease-length
    dhcpd domain domain-name
    dhcpd enable if-name
    dhcpd option 66 ascii { server-name | server-ip-str }
    dhcpd option 150 ip server-ip1 [ server-ip2 ]
    dhcpd ping-timeout timeout
    debug dhcpd event
    debug dhcpd packet

    Table 6-9 describes the different dhcpd command parameters.

    Table 6-9. dhcpd Command Parameters

    address ip1 [-ip2]: Specifies the IP pool address range.

    auto-config: Enables the PIX to configure DNS, Windows Internet Naming Service (WINS), and domain name values automatically from the DHCP client to the DHCP server. If the user also specifies DNS, WINS, and domain parameters, the command line interface (CLI) parameters overwrite the auto-config parameters.

    binding: Specifies the binding information for a given server IP address and its associated client hardware address and lease length.

    code: Specifies the DHCP option code, either 66 or 150.

    dns dns1 [dns2]: Specifies the IP addresses of the DNS servers for the DHCP client.

    domain domain-name: Specifies the DNS domain name; for example, cspfa2.com.

    if-name: Specifies the interface on which to enable the DHCP server.

    lease lease-length: Specifies the length of the lease, in seconds, granted to the DHCP client from the DHCP server. The lease indicates how long the client can use the assigned IP address. The default is 3600 seconds. The minimum lease length is 300 seconds, and the maximum lease length is 2,147,483,647 seconds.

    option 150: Specifies the Trivial File Transfer Protocol (TFTP) server IP address(es) designated for Cisco IP Phones in dotted-decimal format. DHCP option 150 is site-specific; it gives the IP addresses of a list of TFTP servers.

    option 66: Specifies the TFTP server IP address designated for Cisco IP Phones and gives the IP address or the host name of a single TFTP server.

    outside: Specifies the outside interface of the firewall.

    ping-timeout: Specifies the timeout value of a ping, in milliseconds, before an IP address is assigned to a DHCP client.

    server-ip(1,2): Specifies the IP address(es) of a TFTP server.

    server-ip-str: Specifies the TFTP server in dotted-decimal format, such as 1.1.1.1, which is treated as a character string by the PIX Firewall DHCP server.

    server-name: Specifies an American Standard Code for Information Interchange (ASCII) character string representing the TFTP server.

    statistics: Provides statistical information, such as address pool, number of bindings, malformed messages, sent messages, and received messages.

    wins wins1 [wins2]: Specifies the IP addresses of the Microsoft NetBIOS name servers (Windows Internet Naming Service servers). The second server address is optional.

    In addition to supporting a DHCP client and DHCP server configuration, the PIX also supports a DHCP relay configuration. The DHCP relay configuration enables the PIX to assist in dynamic configuration of IP device hosts on any Ethernet interface. When the PIX Firewall receives a request from a host on an interface, it forwards the request to a user-configured DHCP server on another interface. The DHCP relay agent is a feature that is provided by PIX Version 6.3.

    PIX Firewall Version 6.3 allows any number of integrated DHCP servers to be configured, and on any interface. The DHCP client can be configured only on the outside interface, and the DHCP relay agent can be configured on any interface. The DHCP server and DHCP relay agent cannot be configured concurrently on the same PIX Firewall, but the DHCP client and DHCP relay agent can be configured concurrently.

    As with all other DHCP servers, DNS, Windows Internet Naming Service (WINS), IP address lease time, and domain information on the PIX can be configured. The following six steps are required to enable the DHCP server feature on the PIX:


    Step 1.

    Enable the DHCP daemon on the Cisco PIX Firewall to listen to DHCP requests from clients:


    pix(config)# dhcpd enable inside

    Step 2.

    Specify the IP address range that the PIX DHCP server assigns:


    pix(config)# dhcpd address 10.10.10.15-10.10.10.100 inside

    Step 3.

    Specify the lease length to grant to the client (the default is 3600 seconds):


    pix(config)# dhcpd lease 2700

    Step 4.

    Specify a DNS server (optional):


    pix(config)# dhcpd dns 192.168.10.68 192.168.10.73

    Step 5.

    Specify a WINS server (optional):


    pix(config)# dhcpd wins 192.168.10.66

    Step 6.

    Configure the domain name the client will use (optional):


    pix(config)# dhcpd domain axum.com



    Configuring the PIX Firewall Dynamic Host Configuration Protocol Client

    DHCP client support on the Cisco PIX Firewall is designed for use in SOHO environments in which Digital Subscriber Line (DSL) and cable modems are used. The DHCP client can be enabled only on the outside interface of the PIX Firewall. When the DHCP client is enabled, DHCP servers on the outside provide the outside interface with an IP address.

    Note

    The DHCP client does not support failover configuration.

    The DHCP client feature on the PIX Firewall is enabled by the ip address dhcp command:


    ip address outside dhcp [ setroute ] [ retry retry-cnt]

    The setroute option tells the Cisco PIX Firewall to set its default route using the default gateway parameter that the DHCP server returns. Do not configure a default route when using the setroute option.

    Note

    ip address dhcp is used to release and renew the outside interface's IP address.

    To view current information about the DHCP lease, enter the following command:


    show ip address outside dhcp

    The partial configuration in Example 6-8 demonstrates how to use three new features that are associated with each other: DHCP server, DHCP client, and PAT using the interface IP address to configure a PIX Firewall in a SOHO environment with the inside interface as the DHCP server:


    Example 6-8. Sample Configuration for the dhcpd Command


    ip address outside dhcp setroute
    ip address inside 10.100.1.1 255.255.255.0
    dhcpd address 10.100.1.50-10.100.1.60 inside
    dhcpd dns 192.168.1.106 192.168.1.107
    dhcpd wins 192.168.1.106
    dhcpd lease 1200
    dhcpd domain cspfa.com
    dhcpd enable inside
    nat (inside) 1 0 0
    global (outside) 1 interface
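    As an added example (Python, not from the book or from Cisco), the following checker applies several rules stated in this chapter to a PIX-style configuration text: nat and global entries must share a nat-id, only one default route is permitted, a dhcpd address pool must lie within the subnet of the interface it serves, and the testing-phase icmp permit any any outside should not survive into the final configuration. The sample configuration is constructed, loosely modelled on Example 6-8, and an ip address given without a netmask is assigned the classful mask as the ip address table describes.

```python
# Added example (not from the book or from Cisco): sanity checks derived from
# the rules this chapter states, applied to a PIX 6.x style configuration.
import ipaddress
import re

# Constructed configuration for the example; deliberately contains three problems.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside dhcp setroute
ip address inside 10.100.1.1 255.255.255.0
dhcpd address 10.100.1.50-10.100.1.60 inside
dhcpd enable inside
nat (inside) 1 0 0
nat (inside) 2 172.16.1.0 255.255.255.0
global (outside) 1 interface
route outside 0.0.0.0 0.0.0.0 192.168.1.3 1
route outside 0.0.0.0 0.0.0.0 192.168.1.4 1
icmp permit any any outside
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def classful_mask(ip):
    """Classful netmask the PIX assumes when none is given: class A /8, B /16, else /24."""
    first = int(ip.split(".")[0])
    if first < 128:
        return "255.0.0.0"
    if first < 192:
        return "255.255.0.0"
    return "255.255.255.0"


def check_pix_config(text):
    """Return a list of findings (strings); an empty list means every rule passed."""
    findings = []
    nat_ids, global_ids = set(), set()
    interfaces = {}   # if-name -> IPv4Interface from a static ip address line
    pools = []        # (if-name, first address, last address) from dhcpd address
    default_routes = 0
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"nat \((\S+)\) (\d+) .*", line):
            if m.group(2) != "0":              # nat 0 is the one nat without a global pair
                nat_ids.add(m.group(2))
        elif m := re.fullmatch(r"global \((\S+)\) (\d+) .*", line):
            global_ids.add(m.group(2))
        elif m := re.fullmatch(rf"ip address (\S+) ({IPV4})(?: ({IPV4}))?", line):
            name, ip, mask = m.groups()
            interfaces[name] = ipaddress.ip_interface(f"{ip}/{mask or classful_mask(ip)}")
        elif m := re.fullmatch(rf"dhcpd address ({IPV4})-({IPV4}) (\S+)", line):
            first, last, name = m.groups()
            pools.append((name, ipaddress.ip_address(first), ipaddress.ip_address(last)))
        elif re.fullmatch(r"route \S+ 0\.0\.0\.0 0\.0\.0\.0 .*", line):
            default_routes += 1
        elif line == "icmp permit any any outside":
            findings.append("icmp permit any any outside is still present; "
                            "remove it once testing is complete")

    for nat_id in sorted(nat_ids - global_ids):
        findings.append(f"nat-id {nat_id} has no matching global entry")
    for nat_id in sorted(global_ids - nat_ids):
        findings.append(f"global nat-id {nat_id} has no matching nat entry")
    if default_routes > 1:
        findings.append(f"{default_routes} default routes configured; only one is permitted")
    for name, first, last in pools:
        net = interfaces.get(name)
        if net is None:
            findings.append(f"dhcpd pool on {name} but that interface has no static IP address")
        elif first > last:
            findings.append(f"dhcpd pool {first}-{last} has its ends reversed")
        elif first not in net.network or last not in net.network:
            findings.append(f"dhcpd pool {first}-{last} is outside {net.network} on {name}")
    return findings


if __name__ == "__main__":
    for finding in check_pix_config(SAMPLE_CONFIG):
        print("-", finding)
```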


    Configuring Time Settings on the Cisco PIX Firewall


    The PIX obtains its time setting information in two ways:

    • By Network Time Protocol (NTP) server

    • By system clock



    Network Time Protocol

    The Network Time Protocol (NTP) is used to implement a hierarchical system of servers that provide a source for a precise synchronized time among network systems. It is important to maintain a consistent time throughout all network devices, such as servers, routers, and switches. When analyzing network events, logs are an important source of information. Analyzing and troubleshooting network events can be difficult if there is a time inconsistency between network devices on the network. Furthermore, some time-sensitive operations, such as validating certificates and certificate revocation lists (CRLs), require precise time stamps.

    Cisco PIX Firewall Version 6.2 and later enable you to obtain the system time from NTP version 3 servers.

    The syntax to enable an NTP client on the PIX Firewall is as follows:


    ntp server ip-address [ key number ] source if-name [ prefer ]

    Table 6-10 describes the parameters of the ntp command.

    Table 6-10. ntp Command Parameters

    ip-address: Specifies the IP address of the time server with which the PIX synchronizes.

    key: This keyword indicates that you are configuring the NTP client to use the specified authentication key (identified by number) when sending packets to the NTP server.

    number: Specifies the authentication key. This value is useful when you use multiple keys and multiple servers for identification purposes.

    source: Specifies the interface. If the source keyword is not specified, the routing table is used to determine the interface.

    if-name: Specifies the interface name used to send packets to the NTP server.

    prefer: Specifies the preferred time server. This option reduces switching back and forth between servers by making the specified server the preferred time server.

    Communication of messages between the PIX and the NTP servers can be authenticated to prevent the PIX from synchronizing time with rogue NTP servers. The three commands used to enable NTP authentication are as follows:


    ntp authenticate
    ntp authentication-key number md5 value
    ntp trusted-key number

    Note

    NTP uses port 123 for communication.

    The ntp authenticate command enables NTP authentication. With it enabled, the PIX refuses synchronization with any NTP server that does not authenticate its packets with one of the key numbers listed by the ntp trusted-key command.

    The ntp authentication-key command defines the authentication keys used by the other NTP commands. The number parameter is the key number (1 to 4294967295), the md5 keyword selects the MD5 message digest as the authentication algorithm, and the value parameter is the key string (an arbitrary string of up to 32 characters).

    The ntp trusted-key command lists one or more key numbers that an NTP server must present in its NTP packets before the PIX Firewall accepts synchronization from it. This protects the PIX system clock from being set by an NTP server that is not trusted.
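    The following Python script is an added worked example, not code from the book or from the PIX software. It models the checks that ntp authenticate and ntp trusted-key impose on a server reply: NTP symmetric-key authentication appends a 32-bit key ID and an MD5 digest computed over the key followed by the 48-byte packet header. The key table, key values, the server address and the four constructed replies are all assumptions made for the example; the PIX itself does not expose this logic.

```python
import hashlib
import hmac
import struct
import time

# Constructed key table standing in for the PIX commands
#   ntp authentication-key <number> md5 <value>
#   ntp trusted-key <number>
# Key numbers and values are made up for this example.
AUTH_KEYS = {1: b"pix-ntp-key-one", 2: b"pix-ntp-key-two"}
TRUSTED_KEYS = {1}                  # only key 1 is listed with ntp trusted-key
NTP_EPOCH_OFFSET = 2208988800       # seconds between 1900-01-01 and 1970-01-01


def build_server_header(transmit_ts):
    """Build a minimal 48-byte NTPv4 server reply header (mode 4, stratum 2)."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4   # LI=0, version 4, mode 4 (server)
    secs = int(transmit_ts) + NTP_EPOCH_OFFSET
    frac = int((transmit_ts - int(transmit_ts)) * (1 << 32)) & 0xFFFFFFFF
    return struct.pack(
        "!BBBbII4sIIIIIIII",
        li_vn_mode, 2, 6, -20,      # stratum 2, poll 2^6 s, precision 2^-20 s
        0, 0,                       # root delay, root dispersion
        b"GPS\x00",                 # reference ID
        0, 0, 0, 0, 0, 0,           # reference, originate, receive timestamps
        secs, frac,                 # transmit timestamp
    )


def authenticate(header, key_id, key):
    """Server side: append the MAC, a 32-bit key ID followed by MD5(key || header)."""
    return header + struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def accept_reply(packet):
    """Client side: the acceptance rules of ntp authenticate plus ntp trusted-key.

    Returns (accepted, reason)."""
    if len(packet) == 48:
        return False, "reply carries no authenticator; refused"
    if len(packet) != 48 + 4 + 16:
        return False, "malformed authenticator length; refused"
    header, mac = packet[:48], packet[48:]
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in AUTH_KEYS:
        return False, "key %d is not defined; refused" % key_id
    if key_id not in TRUSTED_KEYS:
        return False, "key %d is defined but not trusted; refused" % key_id
    expected = hashlib.md5(AUTH_KEYS[key_id] + header).digest()
    if not hmac.compare_digest(expected, mac[4:]):   # constant-time comparison
        return False, "MD5 authenticator does not match key %d; refused" % key_id
    return True, "authenticated with trusted key %d; synchronization accepted" % key_id


def demo():
    """Run four constructed server replies through the client checks."""
    header = build_server_header(time.time())
    replies = {
        "trusted server, key 1": authenticate(header, 1, AUTH_KEYS[1]),
        "rogue server, wrong key value": authenticate(header, 1, b"wrong-secret"),
        "server using defined but untrusted key 2": authenticate(header, 2, AUTH_KEYS[2]),
        "server without authentication": header,
    }
    return {name: accept_reply(pkt) for name, pkt in replies.items()}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print("%-42s -> %s" % (name, why))
```

    Only the first reply is accepted. Note that a key defined with ntp authentication-key but not listed with ntp trusted-key is still rejected, which is why both commands are needed together with ntp authenticate.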

    Use the following show commands to view and verify the NTP configuration on the PIX:

    • The show ntp command displays the current NTP configuration.

    • The show ntp associations [detail] command displays the configured network time server associations.

    • The show ntp status command displays the NTP clock information.


    To remove the NTP configuration, use the clear ntp command.


    PIX Firewall System Clock

    The second method of setting the time on the PIX Firewall is the system clock. The system clock is usually set when you answer the corresponding question in the initial setup interview of a new Cisco PIX Firewall. You can change it later using the clock set command:


    clock set hh:mm:ss month day year

    The month parameter is a three-letter abbreviation, and the year is a four-digit number. For example, to set the time and date to 17:51 and 20 seconds on April 9, 2003, you would enter the following:


    clock set 17:51:20 apr 9 2003

    Note

    The system clock, unlike NTP, is not synchronized with other network devices.

    Cisco PIX Firewall Version 6.2 improves the clock command with support for daylight saving (summer) time and time zones. To configure daylight saving time, enter the following command:


    clock summer-time zone recurring [week weekday month hh:mm week weekday month hh:mm [offset]]

    Table 6-11 describes the parameters for the clock command.

    Table 6-11. clock Command Parameters

    Command Parameter   Description
    summer-time         Automatically switches the displayed time to summer time (for display purposes only).
    zone                Specifies the name of the time zone.
    recurring           Indicates that summer time starts and ends on the days given by the values that follow this keyword. The summer time rule defaults to the United States rule.
    week                Specifies the week of the month, 1 through 4; the keyword last, as in the example that follows, selects the final week of the month.
    weekday             Sets the day of the week (Sunday, Monday, and so on).
    month               Specifies the full name of the month, such as April.
    hh:mm               Specifies the time in 24-hour clock format.
    offset              Specifies the number of minutes to add during summer time. The default is 60 minutes.

    Time zones are set only for display. Setting a time zone does not change the internal PIX time, which is kept according to Coordinated Universal Time (UTC). To set the time zone, use the clock timezone command. The syntax for the command is as follows:


    clock timezone zone hours [minutes]

    The following clock summer-time command specifies that summer time starts on the first Sunday in April at 2 A.M. and ends on the last Sunday in October at 2 A.M.:


    pix(config)# clock summer-time PDT recurring 1 Sunday April 2:00 last Sunday October 2:00

    You can check your clock configuration by entering the show clock command, as shown in Example 6-9:


    Example 6-9. show clock Sample Output


    PIXFW# show clock
    10:04:06.334 PDT Thu Feb 13 2004
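    The Python model below is an added example, not code from the book or from the PIX software. It works through the semantics of the clock summer-time recurring rule just shown (1 Sunday April 2:00 to last Sunday October 2:00, zone PDT) and of clock timezone: the internal clock stays in UTC and only the rendering of show clock changes. It resolves the rule to concrete dates for any year, which the book shows for one rule only. The pairing with a clock timezone PST -8 setting, the instants fed through it and the exact output format are assumptions for the example.

```python
import calendar
from datetime import datetime, timedelta

WEEKDAYS = {name: i for i, name in enumerate(calendar.day_name)}      # Monday=0 .. Sunday=6
MONTHS = {name: i for i, name in enumerate(calendar.month_name) if name}


def resolve_rule(year, week, weekday, month, hhmm):
    """Turn '<week> <weekday> <month> <hh:mm>' into a naive datetime in that year.

    week is 1 through 4 for the n-th occurrence, or 'last' for the final one,
    as in the page's 'last Sunday October 2:00'."""
    wd, mon = WEEKDAYS[weekday], MONTHS[month]
    hour, minute = (int(x) for x in hhmm.split(":"))
    if str(week).lower() == "last":
        last_day = datetime(year, mon, calendar.monthrange(year, mon)[1])
        day = last_day - timedelta(days=(last_day.weekday() - wd) % 7)
    else:
        first = datetime(year, mon, 1)
        day = first + timedelta(days=(wd - first.weekday()) % 7 + 7 * (int(week) - 1))
    return day.replace(hour=hour, minute=minute)


class PixClock:
    """Display side of 'clock timezone' and 'clock summer-time ... recurring'.

    The stored time is always UTC; the zone offsets are applied only when rendering."""

    def __init__(self, tz_name, tz_hours, summer_name=None, start=None, end=None, offset_min=60):
        self.tz_name, self.tz_hours = tz_name, tz_hours
        self.summer_name, self.start, self.end, self.offset = summer_name, start, end, offset_min

    def in_summer_time(self, standard_local):
        """True when a standard-time local instant falls inside the recurring rule."""
        if not self.summer_name:
            return False
        year = standard_local.year
        start = resolve_rule(year, *self.start)                              # stated in standard time
        end = resolve_rule(year, *self.end) - timedelta(minutes=self.offset)  # stated in summer time
        return start <= standard_local < end

    def show_clock(self, utc):
        """Render a UTC instant (datetime or ISO-8601 string) the way show clock does.

        Returns (display string, zone abbreviation)."""
        if isinstance(utc, str):
            utc = datetime.fromisoformat(utc)
        standard = utc + timedelta(hours=self.tz_hours)
        if self.in_summer_time(standard):
            shown, zone = standard + timedelta(minutes=self.offset), self.summer_name
        else:
            shown, zone = standard, self.tz_name
        text = "%s %s %s %d %d" % (shown.strftime("%H:%M:%S"), zone, shown.strftime("%a %b"),
                                   shown.day, shown.year)
        return text, zone


# The page's rule, paired with an assumed 'clock timezone PST -8'.
PACIFIC = PixClock("PST", -8, "PDT",
                   (1, "Sunday", "April", "2:00"), ("last", "Sunday", "October", "2:00"))

if __name__ == "__main__":
    # Constructed instants around the two 2004 transitions (April 4 and October 31).
    for iso in ("2004-02-13T18:04:06", "2004-04-04T09:59:00", "2004-04-04T10:00:00",
                "2004-10-31T08:59:00", "2004-10-31T09:00:00"):
        print(iso, "UTC ->", PACIFIC.show_clock(iso)[0])
```

    The end of the rule is stated in summer time (2:00 PDT), so the model subtracts the offset before comparing it against standard time; forgetting that step puts the autumn transition one hour late, which matters when log timestamps from the PIX are correlated with other devices.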


    Configuring Login Banners on the PIX Firewall


    PIX Firewall Version 6.3 introduces support for message-of-the-day (MOTD), EXEC, and login banners, similar to the feature included in Cisco IOS Software. Banner size is limited only by available system memory or Flash memory.

    You can create a message that warns against unauthorized use of the firewall. In some jurisdictions, civil and/or criminal prosecution of crackers who break into your system is made easier if you have incorporated a warning banner that informs unauthorized users that their attempts to access the system are in fact unauthorized. In other jurisdictions, you may be forbidden to monitor the activities of even unauthorized users unless you have taken steps to notify them of your intent to do so. One way of providing this notification is to put the information into a banner message configured with the PIX banner command.

    Legal notification requirements are complex and vary with each jurisdiction and situation. Even within a jurisdiction, legal opinions vary, so discuss this issue with your own legal counsel. In cooperation with counsel, consider which of the following should be included in your banner:

    • A notice that the system can be logged in to or used only by specifically authorized personnel, and perhaps information about who may authorize use

    • A notice that any unauthorized use of the system is unlawful and may be subject to civil and/or criminal penalties

    • A notice that any use of the system may be logged or monitored without further notice and that the resulting logs may be used as evidence in court

    • Specific notices required by specific local laws


    From a security, rather than a legal, point of view, your login banner usually should not contain any specific information about your firewall, such as its name, its model, what software it is running, or who owns it; such information may be abused by crackers.

    The banner messages can be displayed when a user enters privileged EXEC mode, upon line activation, on an incoming connection to a virtual terminal, or as a message of the day. To create a banner message, use the following command:


    banner {exec | login | motd} text

    Table 6-12 describes the parameters of the banner command.

    Table 6-12. banner Command Parameters

    Parameter   Description
    exec        Configures the system to display a banner before the enable prompt.
    login       Configures the system to display a banner before the password prompt when the firewall is accessed using Telnet.
    motd        Configures the system to display a message-of-the-day banner.
    text        Specifies the line of message text to display in the firewall command-line interface. Subsequent text entries are appended to an existing banner unless the banner is cleared first. The tokens $(hostname) and $(domain) are replaced with the host name and domain name of the firewall, respectively.

    Spaces are allowed, but tabs cannot be entered using the command-line interface (CLI). You can dynamically add the host name or domain name of the PIX Firewall by including $(hostname) and $(domain) in the string. Example 6-10 shows a sample configuration using the banner command.


    Example 6-10. A Sample Configuration of the banner Command


    pixfw(config)# banner login Warning Notice
    This is a U.S. Government computer system, which may be accessed and used only
    for authorized Government business by authorized personnel. Unauthorized access
    or use of this computer system may subject violators to criminal, civil, and/or
    administrative action.
    All information on this computer system may be intercepted, recorded, read, copied,
    and disclosed by and to authorized personnel for official purposes, including criminal
    investigations. Such information includes sensitive data encrypted to comply with
    confidentiality and privacy requirements. Access or use of this computer system
    by any person, whether authorized or unauthorized, constitutes consent to these
    terms. There is no right of privacy in this system. ^d

    To replace a banner, use the no banner command before adding the new lines. The no banner {exec | login | motd} command removes all the lines of the specified banner type; it does not selectively delete individual text strings. The clear banner command removes all the banners.


    Sample PIX Configuration


    Example 6-11 shows sample output for a PIX configuration. Included are some of the commands discussed in this chapter.


    Example 6-11. Sample PIX Configuration


    pix# show config
    : Saved
    : Written by deguc at 11:29:39.859 EDT Fri Aug 8 2002
    PIX Version 6.2(2)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz security20
    enable password GgtfiV2tiX5zk297 encrypted
    passwd kP3Eex5gnkza7.w9 encrypted
    hostname pix
    domain-name axum.com
    clock timezone EST -5
    clock summer-time EDT recurring
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    names
    pager lines 24
    no logging on
    interface ethernet0 100full
    interface ethernet1 100full
    interface ethernet2 100full
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    ip address outside 192.168.1.1 255.255.255.224
    ip address inside 10.10.10.1 255.255.0.0
    ip address dmz 172.16.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    no failover
    pdm location 10.10.10.14 255.255.255.255 inside
    arp timeout 14400
    global (outside) 1 192.168.1.20-192.168.1.110 netmask 255.255.255.224
    global (outside) 1 192.168.1.111
    global (dmz) 1 172.16.1.10-172.16.1.20 netmask 255.255.255.224
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
    route outside 0.0.0.0 0.0.0.0 192.168.1.3 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip-media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 10.10.10.14 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    no sysopt route dnat
    telnet 10.10.10.14 255.255.255.255 inside
    telnet timeout 5
    terminal width 80
    Cryptochecksum:62a73076955b1060644fdba1da64b15f
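    The following Python script is an added example, not code from the book or from the PIX software. It reviews a show config listing for the settings this chapter covers: whether an NTP server is configured, whether ntp authenticate, ntp authentication-key and ntp trusted-key agree with the key number each ntp server line references, whether login and motd banners exist, and whether a banner would disclose the device identity through $(hostname) or $(domain), which the text above advises against. It runs first over an excerpt of Example 6-11 (which contains no ntp or banner commands) and then over a constructed hardened variant; the NTP server address, key value and banner wording in that variant are assumptions for the example.

```python
import re

# Excerpt of the page's Example 6-11 'show config' output, limited to the
# lines this audit looks at (the full listing has no ntp or banner commands).
SAMPLE_CONFIG = """\
PIX Version 6.2(2)
hostname pix
domain-name axum.com
clock timezone EST -5
clock summer-time EDT recurring
telnet 10.10.10.14 255.255.255.255 inside
telnet timeout 5
"""

# Constructed variant with the chapter's NTP and banner commands applied.
# The server address, key value and banner text are placeholders, not from the page.
HARDENED_CONFIG = SAMPLE_CONFIG + """\
ntp authentication-key 1 md5 KEY-VALUE-PLACEHOLDER
ntp trusted-key 1
ntp authenticate
ntp server 10.10.10.5 key 1 source inside prefer
banner login Authorized users only. Activity is monitored and logged.
banner motd Contact the security team before making changes.
"""


def audit_time_and_banners(config_text):
    """Return a list of findings about NTP and banner settings; an empty list means clean."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith(":")]   # drop ': Saved' style comments
    findings = []

    # Collect the NTP picture: servers, defined keys, trusted keys, authentication switch.
    servers = [m for m in (re.match(r"ntp server (\S+)(?: key (\d+))?", ln) for ln in lines) if m]
    defined = {int(m.group(1)) for m in
               (re.match(r"ntp authentication-key (\d+) md5 ", ln) for ln in lines) if m}
    trusted = {int(m.group(1)) for m in
               (re.match(r"ntp trusted-key (\d+)", ln) for ln in lines) if m}
    authenticate = "ntp authenticate" in lines

    if not servers:
        findings.append("no ntp server configured; the clock relies on the unsynchronized system clock")
    else:
        if not authenticate:
            findings.append("ntp authenticate is missing; a rogue NTP server could set the clock")
        for m in servers:
            ip, key = m.group(1), m.group(2)
            if key is None:
                findings.append("ntp server %s has no key; its replies cannot be authenticated" % ip)
                continue
            key = int(key)
            if key not in defined:
                findings.append("ntp server %s references key %d, which has no authentication-key" % (ip, key))
            if key not in trusted:
                findings.append("ntp server %s uses key %d, which is not listed as a trusted-key" % (ip, key))

    # Banners: each type should exist, and none should reveal the device identity.
    for kind in ("login", "motd"):
        if not any(ln.startswith("banner %s " % kind) for ln in lines):
            findings.append("no %s banner; the unauthorized-use notice is not shown" % kind)
    for ln in lines:
        if ln.startswith("banner ") and ("$(hostname)" in ln or "$(domain)" in ln):
            findings.append("banner discloses device identity via $(hostname)/$(domain): %r" % ln)
    return findings


if __name__ == "__main__":
    for label, cfg in (("Example 6-11 excerpt", SAMPLE_CONFIG), ("hardened variant", HARDENED_CONFIG)):
        print(label + ":")
        for f in audit_time_and_banners(cfg) or ["no findings"]:
            print("  - " + f)
```

    The key-number cross-check is the part worth keeping in a real review: a configuration that defines a key and turns on ntp authenticate but forgets the matching ntp trusted-key line will never synchronize, and one that omits ntp authenticate accepts any server's time regardless of keys.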

