Cisco Firewalls

Below is a sample config for 2 site to site vpns from a PIX running 8.0(4)16. One peer being 192.168.2.100, and the other 192.168.1.100. Please note : This isn’t a tutorial but merely just a sample config that can be used as a reference point.     isakmp enable outside    isakmp policy 10          encryption des         … Read more

Below is a list of the main Instant Messenger applications (including ports and destinations) for the denial of use via policy based rules. Please note : With creating policy based rules the following rules will be required, Destination any with a service port of the below ports (excluding http and https) Destination of the below … Read more

Background PIX or ASA running 7.0 later introduce a security feature in which any packets containing an MSS larger then the announced size during the 3 way handshake will be dropped.During the 3 way hand shake both sides announce their MSS (Maximum Segment Size). The MSS is the largest TCP payload that the host can … Read more

Below you will find a bunch of commands that can be used to gain a clear picture of a PIX/ASA`s system health, sh resource usage system sh memory sh cpu sh service-policy sh asp drop sh logging | i -1- sh fail | i This  

Below shows you how to upgrade your ASA to verson 8.04. 1. Enable scopy on your ASA  firewall(config)#ssh scopy enable 2. Copy the image from your PC to the ASA, the command below is done on your PC via “Start / Run / CMD”. Download pscp here. pscp [image].bin [user]@[asa_ip]:[image].bin 3 .Change the boot order, … Read more

Below provides the nessecary steps required to create an a packet capture on an ASA/PIX, and the relevant download method. Note : You will requre pscp (putty pscp) installed onto your PC. Download pscp here. This is only available in the later versions of PIX & ASA. First of all start the capture. capture capturefile … Read more

Below will configure you interface with vlan50, ip address 1.1.1.1 with a name of outside. This will also bring up the interface. nameif ethernet0 outside security0ip address outside 1.1.1.1 255.255.255.0interface ethernet0 autointerface outside vlan50

To enable ssh on your PIX (6.3) run the following, hostname myfw domain-name home.net ca gen rsa key 1024 ssh 0 0 inside ssh timeout 60 passwd 123 ca save all When you go to log in your username will be pix and the password 123.

The following command will allow you to add a default route to your PIX device: route [interface name] 0 0 [default gw ip] Example route outside 0 0 1.1.1.1

Heres a few PIX commands that may come in useful.  Performance / Usage sh mem Shows memory used and amount free sh cpu                                                           Shows % of CPU used sh perfmon Show the performance of various connections sh traffic Show the traffic stats sh resource usage system Shows the system utilization sh service-policy Shows the amount … Read more

Introduction This is a guide on how to install a Free pix emulator / simulator onto a linux platform. You can also obtain the windows version, which you can find (along with other tutorials and forum) at the ariscahyadi blog. This software was written by mmm123, and is called PEMU, which is based on the … Read more

Below is an example of static NAT for FTP when using the outside interface with a DHCP address assigned to it. static (dmz,outside) tcp interface ftp 172.16.1.50 ftp netmask 255.255.255.255 static (dmz,outside) tcp interface ftp-data 172.16.1.50 ftp-data netmask 255.255.255.255  

When using a “inspect policy map” you need to add it to a “standard policy-map” to allow you to add it to the service policy.For each policy map there would be a class map, the inspect would match the FTP command, and then use the classmap “inspection-default” in the standard policy map. Running Config policy-map … Read more

Below shows the configuration syntax for configuring a Site to Site VPN on a Cisco PIX firewall. Configuration (config)#isakmp enable outside(config)#isakmp policy 10(config-isakmp-policy)# encryption aes-256(config-isakmp-policy)# hash sha(config-isakmp-policy)# authentication pre-share(config-isakmp-policy)# group 1(config-isakmp-policy)# lifetime 86400(config)#isakmp key shabba address 1.1.1.1 netmask 255.255.255.255 no-xauth(config)#access-list ED permit ip 172.16.1.0 255.255.255.0 172.16.5.0 255.255.255.0(config)#access-list nonat permit ip 172.16.1.0 255.255.255.0 172.16.5.0 255.255.255.0(config)#nat (inside) … Read more

Below shows 2 examples of a Remote Access configuration on version 6.x and 7.x of the Cisco PIX firewall. 6.x (config)#username 123 password 123(config)#isakmp enable outside(config)#ip local pool VPNIP 10.0.10.10-10.0.10.20 mask 255.255.255.0(config)#isakmp policy 1 authentication pre-share(config)#isakmp policy 1 encryption 3des(config)#isakmp policy 1 hash sha(config)#isakmp policy 1 group 2(config)#isakmp policy 1 lifetime 43200 (config)# crypto ipsec … Read more

Below are the steps involved in configuring protocol handling, Create the class-map – Tell the class-map which traffic to match Create Policy-map – Assign class-map to policy map. Tell the class-map what to do to the matched traffic Assign policy map globally or to interface Below will inspect http traffic on port 801 using, and … Read more

If you need to view the logs on your pix, as you haven’t got a syslog server, or you haven’t got access to it, you can access the logs on the pix itself and grep your way through, by using and enabling the logging buffer. Below shows you how to enable and disable the logging … Read more

Below shows you the commands for creating a read only account on a Cisco PIX firewall. hostname(config)# username client password 123 privilege 5hostname(config)# privilege show level 5 command running-confighostname(config)# privilege show level 5 command startup-confighostname(config)# privilege show level 5 command access-listhostname(config)#aaa authentication ssh console LOCAL

Below shows the required configuration commands for configuring AAA. Authentication Interactive user #(config) aaa-server <server name> protocol <tacacs/radius>#(config) aaa-server <server name> <interface> host <AAA server IP>#(config) aaa authentication include <https/https/ftp/telnet>  inbound 0 0 0 0#(config) access-list 111 permit tcp any any eq ftp#(config) aaa authentication match 111 <interface> <AAA server name> Console Access #(config) aaa … Read more

Static To send all traffic to 192.168.0.1 out the outside interface.To send any traffic in 10.0.1.0/24 to 10.0.0.1 out the inside interface (config)#Route outside 0 0 192.168.0.1(config)#Route inside 10.0.1.0 255.255.255.0 10.0.0.1 RIP Allow RIP updates to be received on the outside interface with a key of cisco and id of 2.Pass RIP updates out the … Read more

Below shows you how to enable ASDM upon your PIX. First of all you will need to copy the ASDM image to you PIX firewall. I find the easiest way to do this is to enable scopy (scp) on your pix using the command ssh scopy enable. And then using the putty tool pscp to … Read more

Below shows you how to configure stateful LAN based failover. Primary (config)#interface eth0(config-if)#nameif inside(config-if)#ip add 10.1.1.10 255.255.255.0 standby 10.1.1.20 (config)#interface eth1(config-if)#no nameif(config-if)#no shut (config)#interface eth2(config-if)#no nameif(config-if)#no shut (config)#failover(config)#failover lan unit primary(config)#failover lan interface failover eth1(config)#failover lan enable(config)#failover key <key>(config)#failover link state eth2(config)#failover interface ip failover 172.16.50.10 255.255.255.0 standby 172.16.50.20(config)#failover interface ip state 172.16.51.10 255.255.255.0 standby … Read more

Below shows you the commands to enable SNMP (polls or traps) on PIX/ASA v7.x or later….. pix(config)# snmp-server host [interface_name] [ip_address] trap community [community string] pix(config)# snmp-server host [interface_name] [ip_address] poll community [community string]

Below shows you the necessary steps required to enable SSH on a PIX firewall, crypto key generate rsa modulus 1024ssh [ip] [mask] [interface]aaa authentication ssh console LOCALusername [username] password[password] privilege 15