CCSP Cisco Secure PIX Firewall Advanced Exam Certification Guide, Second Edition [Electronic resources] نسخه متنی

Foundation Topics

Access Modes

The Cisco PIX Firewall contains a command set based on Cisco IOS^® Software technologies that provides three administrative access modes:

• Unprivileged mode is available when you first access the PIX Firewall through console or Telnet. It displays the > prompt. This mode lets you view only restricted settings.

• You access privileged mode by entering the enable command and the enable password. The prompt then changes from > to #. In this mode you can change a few of the current settings and view the existing Cisco PIX Firewall configuration. Any unprivileged command also works in privileged mode. To exit privileged mode, enter the disable or exit command.

• You access configuration mode by entering the configure terminal command. This changes the prompt from # to (config)#. In this mode you can change system configurations. All privileged, unprivileged, and configuration commands work in this mode. Use the exit or ^z command to exit configuration mode.

Configuring the PIX Firewall

Six important commands are used to produce a basic working configuration for the PIX Firewall:

interface

nameif

ip address

nat

global

route

Before you use these commands, it can prove very useful to draw a diagram of your Cisco PIX Firewall with the different security levels, interfaces, and Internet Protocol (IP) addresses. Figure 6-1 shows one such diagram that is used for the discussion in this chapter.

interface Command

The interface command identifies the interface hardware card, sets the speed of the interface, and enables the interface all-in-one command. All interfaces on a Cisco PIX Firewall are shut down by default and are explicitly enabled by the interface command. The basic syntax of the interface command is as follows:

 interface   hardware-id hardware-speed  [ shutdown ]

Table 6-2 describes the command parameters for the interface command.

Example 6-1 shows some examples of the interface command:

Example 6-1. Sample Configuration for the interface Command

Pix(config)#  interface ethernet0 auto 
Pix(config)#  interface ethernet1 100full 
Pix(config)#  interface ethernet2 100basetx shut 

nameif Command

As the name intuitively indicates, the nameif command is used to name an interface and assign a security value from 1 to 99. The outside and inside interfaces are named by default and have default security values of 0 and 100, respectively. By default, the interfaces have their hardware ID. Ethernet 0 is the outside interface, and Ethernet 1 is the inside interface. The names that are configured by the nameif command are user-friendly and are easier to use for advanced configuration later.

Note

The nameif command can also be used to assign security values of 0 and 100. The names "inside" and "outside" are merely reserved for security levels 100 and 0, respectively, and are assigned by default, but they can be changed.

The syntax of the nameif command is as follows:

 nameif   hardware-id if-name security-level 

Table 6-3 describes the command parameters for the nameif command.

Example 6-2 shows some examples of the nameif command:

Example 6-2. Sample Configuration for the nameif Command

 nameif ethernet0 outside security0 
 nameif ethernet1 inside security100 
 nameif ethernet2 dmz security20 

The security-level value controls how hosts/devices on the different interfaces interact with each other. By default, hosts/devices connected to interfaces with higher security levels can access hosts/devices connected to interfaces with lower-security interfaces. Hosts/devices connected to interfaces with lower-security interfaces cannot access hosts/devices connected to interfaces with higher-security interfaces without the assistance of access lists.

You can verify your configuration by using the show nameif command.

ip address Command

All the interfaces on the Cisco PIX Firewall that will be used must be configured with an IP address. The IP address can be configured manually or through Dynamic Host Configuration Protocol (DHCP). The DHCP feature is usually used on Cisco PIX Firewall small office/home office (SOHO) models. DHCP is discussed later in this chapter.

The ip address command is used to configure IP addresses on the PIX interfaces. The ip address command binds a logical address (IP address) to the hardware ID. Table 6-4 describes the parameters for the ip address command, the syntax of which is as follows:

 ip address   if-name ip-address [netmask] 

Example 6-3 shows configuration of the inside interface with an IP address of 10.10.10.14/24:

Example 6-3. Sample Configuration for the ip address Command

 ip address inside 10.10.10.14 255.255.255.0 

Use the show ip command to view the configured IP address on the PIX interface.

nat Command

The nat (which stands for Network Address Translation) command lets you dynamically translate a set of IP addresses (usually on the inside) to a global set of IP addresses.

Note

PIX Version 6.2 and later support bidirectional translation of inside network IP addresses to global IP addresses and translation of outside IP addresses to inside network IP addresses.

The nat command is always paired with a global command, with the exception of the nat 0 command. Table 6-5 describes the command parameters for the nat command, the syntax of which is as follows:

 nat   (if-name) nat-id local-ip [netmask] 

Example 6-4 shows an example of the nat command.

Example 6-4. Sample Configuration for the nat Command

 nat (inside) 1 10.10.10.0 255.255.255.0 
 nat (inside) 2 172.16.1.0 255.255.255.0 

Chapter 5, "Understanding Cisco PIX Firewall Translation and Connection," discusses NAT in greater detail.

Configuring Port Address Translation

Port Address Translation (PAT) can be configured using the same command as Network Address Translation (NAT). PAT maps a single global IP address to many local addresses. PAT extends the range of available outside addresses at your site by dynamically assigning unique port numbers to the outside address as a connection is requested. A single IP address has up to 65,535 ports available for making connections. For PAT, the port number uniquely identifies each connection.

PAT translates a group of local addresses to a single global IP address with a unique source port (above 1024). When a local host accesses the destination network, the Firewall services module assigns it the global IP address and then a unique port number. Each host receives the same IP address, but because the source port numbers are unique, the responding traffic, which includes the IP address and port number as the destination, can be assigned to the correct host. It is highly unlikely that you would run out of addresses in PAT configuration because there are more than 64,000 ports available.

PAT enables you to use a single global address, thus conserving routable addresses. You can even use the destination actual interface IP address as the PAT IP address (this type of configuration is used, but not limited to, the outside interface). PAT does not work with multimedia applications that have an inbound data stream different from the outgoing control path.

In large enterprise environments, to use NAT you must have a large number of routable addresses in the global pool. If the destination network requires registered addresses, such as the Internet, you might encounter a shortage of usable addresses. This can be a disadvantage.

PAT does not work with applications that have an inbound data stream on one port and the outgoing control path on another, such as multimedia applications. For those situations, it is more advantageous to use NAT. Example 6-5 shows a sample configuration for PAT.

Example 6-5. Sample Configuration for Configuring PAT on the Inside Interface

 nat (inside) 1 10.10.30.0 255.255.255.0 
 global (outside) 1 interface 

global Command

The global command is used to define the address or range of addresses into which the addresses defined by the nat command are translated. It is important that the nat-id be identical to the nat-id used in the nat command. The nat-id pairs the IP address defined by the global and nat commands so that network translation can take place. The syntax of the global command is as follows:

 global   (if-name) nat-id global-ip | global-ip-global-ip [  netmask   netmask] 

Table 6-6 describes the parameters and options for the global command.

There should be enough global IP addresses to match the local IP addresses specified by the nat command. If there are not, you can leverage the shortage of global addresses by PAT entry, which permits more than 64,000 hosts to use a single IP address. PAT divides the available ports per global IP address into three ranges:

• 0 to 511

• 512 to 1023

• 1024 to 65535

PAT assigns a unique source port for each User Datagram Protocol (UDP) or Transmission Control Protocol (TCP) session. It attempts to assign the same port value of the original request, but if the original source port has already been used, PAT starts scanning from the beginning of the particular port range to find the first available port and then assigns it to the conversation. PAT has some restrictions in its use. For example, it cannot support H.323. Example 6-6 shows a configuration using a range of global IP addresses and a single IP address for PAT.

Example 6-6. Sample Configuration for NAT and PAT

 nat (inside) 1 10.0.0.0 255.0.0.0 
 global (outside) 1 192.168.100.20-192.168.100.50 netmask 255.255.255.0 
 global (outside) 1 192.168.100.55 netmask 255.255.255.0 

When a host or device tries to start a connection, the PIX Firewall checks the translation table to see whether there is an entry for that particular IP address. If there is no existing translation, a new translation slot is created. The default time that a translated IP address is kept in the translation table is 3 hours. You can change this with the timeout xlate hh:mm:ss command. To view the translated addresses, use the show xlate command.

route Command

The route command tells the Cisco PIX Firewall where to send information that is forwarded on a specific interface and that is destined for a particular network address. You add static routes to the PIX using the route command.

Table 6-7 describes the route command parameters, the syntax of which is as follows:

 route   if-name ip-address netmask gateway-ip [metric] 

Example 6-7 shows a default route configuration on a Cisco PIX Firewall:

Example 6-7. Default Route of 192.168.1.3

 route outside 0.0.0.0 0.0.0.0 192.168.1.3 1 

Note

On the PIX Firewall, only one default route is permitted.

The 1 at the end of the route indicates that the gateway router is only one hop away. If a metric is not specified in the route command, the default is 1. You can configure only one default route on the PIX Firewall. It is good practice to use the clear arp command to clear the ARP cache of the PIX Firewall before testing your new route configuration.

Routing Information Protocol

The Routing Information Protocol (RIP) can be enabled to build the Cisco PIX Firewall routing table. RIP configuration specifies whether the PIX updates its routing tables by passively listening to RIP traffic and whether the interface broadcasts itself as a default route for network traffic on that interface. When using RIP version 2 with PIX software versions earlier than 5.3, it is important to configure the router providing the RIP updates with the network address of the PIX interface. The default version is 1 if not explicitly specified. The syntax to enable RIP is as follows:

 rip   if-name   default  |  passive  [ version  [ 1 | 2 ]] [ authentication  [ text  |  md5 
 key (key-id) ]]

Table 6-8 describes the rip command parameters.

Testing Your Configuration

Making sure that the configuration you entered works is an important part of the configuration process. At this point you test basic connectivity from the inside interface out to the other interfaces. Use the ping and debug commands to test your connectivity.

The ping command sends an Internet Control Message Protocol (ICMP) echo request message to the target IP address and expects an ICMP echo reply. By default, the PIX denies all inbound traffic through the outside interface. Based on your network security policy, you should consider configuring the PIX to deny all ICMP traffic to the outside interface, or any other interface you deem necessary, by entering the icmp command. The icmp command controls ICMP traffic that terminates on the PIX. If no ICMP control list is configured, the PIX accepts all ICMP traffic that terminates at any interface (including the outside interface). For example, when you first configure the PIX, it is a good idea to be able to ping an interface and get a response. The following makes that possible for the outside interface:

 icmp permit any any outside 

The icmp permit any any outside command is used during the testing/debugging phase of your configuration process. Make sure that you change it so it does not respond to ping requests after you complete testing. It is a security risk to leave it set to accept and respond to ICMP packets.

After the icmp permit command has been configured, you can ping the outside interface on your Cisco PIX Firewall and ping from hosts on each firewall interface. For example:

 ping outside 192.168.1.1 

You also can monitor ping results by starting debug icmp trace .

Saving Your Configuration

Configuration changes that you have made stay in the random access memory (RAM) of the PIX Firewall unless you save them to Flash memory. If for any reason the PIX must be rebooted, the configuration changes you made are lost. So, when you finish entering commands in the configuration, save the changes to Flash memory by using the write memory command, as follows:

Pix#  write memory 

Note

There is one obvious advantage of not having configuration changes committed to Flash memory immediately. For example, if you make a configuration change that you cannot back out from, you simply reboot and return to the settings you had before you made the changes.

You are now finished configuring the Cisco PIX Firewall. This basic configuration lets protected network users start connections and prevents users on unprotected networks from accessing (or attacking) protected hosts.

Use the write terminal or show running-config command to view your current configuration.

Support for Domain Name System Messages

PIX Firewall fully supports NAT and PAT Domain Name System (DNS) messages originating from either a more secure interface or less secure interfaces. This means that if a client on an inside network requests DNS resolution of an inside address from a DNS server on an outside interface, the DNS A record is translated correctly. To illustrate this point, Figure 6-2 shows a user from inside obtaining DNS resolution from the outside (maybe from an Internet service provider) for a web server on the inside.

Configuring Dynamic Host Configuration Protocol on the Cisco PIX Firewall

The Cisco PIX Firewall can be configured as either of the following:

• DHCP server

• DHCP client

Using the PIX Firewall Dynamic Host Configuration Protocol Server

The DHCP server is usually used in, but not limited to, SOHO environments. The address pool of a PIX Firewall DHCP server must be within the same subnet of the PIX Firewall interface that is enabled, and you must specify the associated PIX Firewall interface with if-name . In other words, the client must be physically connected to the subnet of a PIX Firewall interface. The size of the pool is limited to 32 addresses with a 10-user license and 128 addresses with a 50-user license on the PIX 501. The unlimited user license on the PIX 501 and all other PIX Firewall platforms supports 256 addresses. To configure DHCP on the PIX, use the dhcpd command. The following is the syntax for the dhcpd command:

 dhcpd address   ip1 [- ip2 ]  if-name 
 dhcpd auto-config [outside] 
 dhcpd dns   dns1  [ dns2 ]
 dhcpd wins wins1  [ wins2 ]
 dhcpd lease   lease-length 
 dhcpd domain   domain-name 
 dhcpd enable   if-name 
 dhcpd option 66 ascii  { server-name  |  server-ip-str }
 dhcpd option 150 ip   server-ip1  [  server-ip2 ]
 dhcpd ping-timeout   timeout 
 debug dhcpd event 
 debug dhcpd packet 

Table 6-9 describes the different dhcpd command parameters.

In addition to supporting a DHCP client and DHCP server configuration, the PIX also supports a DHCP relay configuration. The DHCP relay configuration enables the PIX to assist in dynamic configuration of IP device hosts on any Ethernet interface. When the PIX Firewall receives a request from a host on an interface, it forwards the request to a user-configured DHCP server on another interface. The DHCP relay agent is a feature that is provided by PIX Version 6.3.

PIX Firewall Version 6.3 allows any number of integrated DHCP servers to be configured, and on any interface. The DHCP client can be configured only on the outside interface, and the DHCP relay agent can be configured on any interface. The DHCP server and DHCP relay agent cannot be configured concurrently on the same PIX Firewall, but the DHCP client and DHCP relay agent can be configured concurrently.

As with all other DHCP servers, DNS, Windows Internet Naming Service (WINS), IP address lease time, and domain information on the PIX can be configured. The following six steps are required to enable the DHCP server feature on the PIX:

pix(config)# dhcpd enable inside 

pix(config)# dhcpd address 10.10.10.15-10.10.10.100 inside 

pix(config)# dhcpd lease 2700 

pix(config)# dhcpd dns 192.168.10.68 192.168.10.73 

pix(config)# dhcpd wins 192.168.10.66 

pix(config)# dhcpd domain axum.com 

Configuring the PIX Firewall Dynamic Host Configuration Protocol Client

DHCP client support on the Cisco PIX Firewall is designed for use in SOHO environments in which Digital Subscriber Line (DSL) and cable modems are used. The DHCP client can be enabled only on the outside interface of the PIX Firewall. When the DHCP client is enabled, DHCP servers on the outside provide the outside interface with an IP address.

Note

The DHCP client does not support failover configuration.

The DHCP client feature on the PIX Firewall is enabled by the ip address dhcp command:

 ip address outside dhcp  [ setroute ] [ retry   retry-cnt] 

The setroute option tells the Cisco PIX Firewall to set its default route using the default gateway parameter that the DHCP server returns. Do not configure a default route when using the setroute option.

Note

ip address dhcp is used to release and renew the outside interface''s IP address.

To view current information about the DHCP lease, enter the following command:

 show ip address outside dhcp 

The partial configuration in Example 6-8 demonstrates how to use three new features that are associated with each other: DHCP server, DHCP client, and PAT using the interface IP address to configure a PIX Firewall in a SOHO environment with the inside interface as the DHCP server:

Example 6-8. Sample Configuration for the dhcpd Command

Ip address outside dhcp setroute
Ip address inside 10.100.1.1 255.255.255.0
dhcpd address 10.100.1.50-10.100.1.60 inside
dhcpd dns 192.168.1.106 192.168.1.107
dhcpd wins 192.168.1.106
dhcpd lease 1200
dhcpd domain cspfa.com
dhcpd enable inside
nat (inside) 1 0 0
 global (outside) 1 interface 

Configuring Time Settings on the Cisco PIX Firewall

The PIX obtains its time setting information in two ways:

• By Network Time Protocol (NTP) server

• By system clock

Network Time Protocol

The Network Time Protocol (NTP) is used to implement a hierarchical system of servers that provide a source for a precise synchronized time among network systems. It is important to maintain a consistent time throughout all network devices, such as servers, routers, and switches. When analyzing network events, logs are an important source of information. Analyzing and troubleshooting network events can be difficult if there is a time inconsistency between network devices on the network. Furthermore, some time-sensitive operations, such as validating certificates and certificate revocation lists (CRLs), require precise time stamps.

Cisco PIX Firewall Version 6.2 and later enable you obtain the system time from NTP version 3 servers.

The syntax to enable an NTP client on the PIX Firewall is as follows:

 ntp server   ip-address  [ key   number ]  source   if-name  [ prefer ]

Table 6-10 describes the parameters of the ntp command.

Communication of messages between the PIX and the NTP servers can be authenticated to prevent the PIX from synchronizing time with rogue NTP servers. The three commands used to enable NTP authentication are as follows:

 ntp authenticate 
 ntp authentication-key   number   md5  value
 ntp trusted-key   number 

Note

NTP uses port 123 for communication.

The ntp authenticate command enables NTP authentication and refuses synchronization with an NTP server unless the server is configured with one of the authentication keys specified using the ntp trusted-key command.

The ntp authentication-key command is used to define authentication keys for use with other NTP commands to provide a higher degree of security. The number parameter is the key number (1 to 4294967295). The md5 option is the encryption algorithm. The value parameter is the key value (an arbitrary string of up to 32 characters).

The ntp trusted-key command is used to define one or more key numbers that the NTP server is required to provide in its NTP packets for the PIX Firewall to accept synchronization with that NTP server. The Cisco PIX Firewall requires the NTP server to provide this key number in its NTP packets, which provides protection against synchronizing the PIX system clock with an NTP server that is not trusted.

NTP configuration on the PIX can be verified and viewed by using the following show commands:

• The show ntp command displays the current NTP configuration.

• The show ntp associations [ detail] command displays the configured network time server associations.

• The show ntp status command displays the NTP clock information.

To remove the NTP configuration, use the clear ntp command.

PIX Firewall System Clock

The second method of configuring the time setting on the PIX Firewall is by using the system clock. The system clock is usually set when you answer the initial setup interview question when you are configuring a new Cisco PIX Firewall. You can change it later using the clock set command:

 clock set   hh:mm:ss month day year 

Three characters are used for the month parameter. The year is a four-digit number. For example, to set the time and date to 17:51 and 20 seconds on April 9, 2003, you would enter the following:

 clock set 17:51:20 apr 9 2003 

Note

The system clock, unlike NTP, is not synchronized with other network devices.

Cisco PIX Firewall Version 6.2 includes improvements to the clock command. The clock command now supports daylight saving (summer) time and time zones. To configure daylight saving time, enter the following command:

 clock summer-time   zone   recurring  [ week weekday month hh:mm week weekday 
 month hh:mm [offset] ]

Table 6-11 describes the parameters for the clock command.

Time zones are set only for display. Setting a time zone does not change the internal PIX time, which is kept according to Coordinated Universal Time (UTC). To set the time zone, use the clock timezone command. The syntax for the command is as follows:

 clock timezone   zone hours [minutes] 

The following clock summer-time command specifies that summer time starts on the first Sunday in April at 2 A.M. and ends on the last Sunday in October at 2 A.M.:

pix(config)#  clock summer-time PDT recurring 1 Sunday April 2:00 last Sunday 
 October 2:00 

You can check your clock configuration by simply entering the show clock command as shown in Example 6-9 below:

Example 6-9. show clock Sample Output

PIXFW#  show clock 
10:04:06.334 PDT Thu Feb 13 2004

Configuring Login Banners on the PIX Firewall

PIX Firewall Version 6.3 introduces support for message-of-the-day (MOTD), EXEC, and login banners, similar to the feature included in Cisco IOS Software. Banner size is limited only by available system memory or Flash memory.

You can create a message as a warning for unauthorized use of the firewall. In some jurisdictions, civil and/or criminal prosecution of crackers who break into your system are made easier if you have incorporated a warning banner that informs unauthorized users that their attempts to access the system are in fact unauthorized. In other jurisdictions, you may be forbidden to monitor the activities of even unauthorized users unless you have taken steps to notify them of your intent to do so. One way of providing this notification is to put the information into a banner message configured with the PIX banner command.

Legal notification requirements are complex and vary in each jurisdiction and situation. Even within jurisdictions, legal opinions vary, and this issue should be discussed with your own legal counsel. In cooperation with counsel, you should consider which of the following information should be put into your banner:

• A notice that the system can be logged in to or used only by specifically authorized personnel, and perhaps information about who may authorize use

• A notice that any unauthorized use of the system is unlawful and may be subject to civil and/or criminal penalties

• A notice that any use of the system may be logged or monitored without further notice and that the resulting logs may be used as evidence in court

• Specific notices required by specific local laws

From a security, rather than a legal, point of view, your login banner usually should not contain any specific information about your router, its name, its model, what software it is running, or who owns it; such information may be abused by crackers.

The banner messages can be displayed when a user enters privileged EXEC mode, upon line activation, on an incoming connection to a virtual terminal, or as a message of the day. To create a banner message, use the following command:

 Banner  { exec | login|motd }  text 

Table 6-12 describes the parameters of the banner command.

Spaces are allowed, but tabs cannot be entered using the command-line interface (CLI). You can dynamically add the host name or domain name of the PIX Firewall by including $(hostname) and $(domain) in the string. Example 6-10 shows a sample configuration using the banner command.

Example 6-10. A Sample Configuration of the banner Command

pixfw(config)#  banner login Warning Notice 
This is a U.S. Government computer system, which may be accessed and used only
for authorized Government business by authorized personnel. Unauthorized access
or use of this computer system may subject violators to criminal, civil, and/or
administrative action.
All information on this computer system may be intercepted, recorded, read, copied,
and disclosed by and to authorized personnel for official purposes, including criminal
investigations. Such information includes sensitive data encrypted to comply with
confidentiality and privacy requirements. Access or use of this computer system
by any person, whether authorized or unauthorized, constitutes consent to these
terms. There is no right of privacy in this system. ^d

To replace a banner, use the no banner command before adding the new lines. The no banner { exec | login | motd} command removes all the lines for the banner option specified. The no banner command removes all the lines for the banner option specified and does not selectively delete text strings. The clear banner command removes all the banners.

Sample PIX Configuration

Example 6-11 shows sample output for a PIX configuration. Included are some of the commands discussed in this chapter.

Example 6-11. Sample PIX Configuration

pix#  show config 
: Saved
: Written by deguc at 11:29:39.859 EDT Fri Aug 8 2002
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security20
enable password GgtfiV2tiX5zk297 encrypted
passwd kP3Eex5gnkza7.w9 encrypted
hostname pix
domain-name axum.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
no logging on
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 192.168.1.1 255.255.255.224
ip address inside 10.10.10.1 255.255.0.0
ip address dmz 172.16.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
pdm location 10.10.10.14 255.255.255.255 inside
arp timeout 14400
global (outside) 1 192.168.1.20-192.168.1.110 netmask 255.255.255.224
global (outside) 1 192.168.1.111
global (dmz) 1 172.16.1.10-172.16.1.20 netmask 255.255.255.224
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.1.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00
sip 0:30:00 sip-media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.10.10.14 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 10.10.10.14 255.255.255.255 inside
telnet timeout 5
terminal width 80
Cryptochecksum:62a73076955b1060644fdba1da64b15f