Table Of Contents
A through B Commands
aaa accounting
Enable, disable, or view LOCAL, TACACS+, or RADIUS user accounting (on a server designated by the aaa-server command). (Configuration mode.)
Syntax Description
Usage Guidelines
User accounting services keep a record of which network services a user has accessed. These records are also kept on the designated AAA server. Accounting information is only sent to the active server in a server group.
Use the aaa accounting command with the aaa authentication and aaa authorization commands.
The include and exclude options are not backward compatible with previous PIX Firewall versions. If you downgrade to an earlier version, the aaa command statements will be removed from your configuration.
Note
Traffic that is not specified by an include statement is not processed.
For outbound connections, first use the nat command to determine which IP addresses can access the PIX Firewall. For inbound connections, first use the static and access-list command statements to determine which inside IP addresses can be accessed through the PIX Firewall from the outside network.
If you want to allow connections to come from any host, code the local IP address and netmask as 0.0.0.0 0.0.0.0, or 0 0. The same convention applies to the foreign host IP address and netmask; 0.0.0.0 0.0.0.0 means any foreign host.
Tip
Examples
The default PIX Firewall configuration provides the following aaa-server protocols:
aaa-server TACACS+ protocol tacacs+aaa-server RADIUS protocol radiusaaa-server LOCAL protocol local
The following example uses the default protocol TACACS+ with the aaa commands:
aaa-server TACACS+ (inside) host 10.1.1.10 thekey timeout 20aaa authentication include any outbound 0 0 0 0 TACACS+aaa authorization include any outbound 0 0 0 0aaa accounting include any outbound 0 0 0 0 TACACS+aaa authentication serial console TACACS+This example specifies that the authentication server with the IP address 10.1.1.10 resides on the inside interface and is in the default TACACS+ server group. The next three command statements specify that any users starting outbound connections to any foreign host will be authenticated using TACACS+, that the users who are successfully authenticated are authorized to use any service, and that all outbound connection information will be logged in the accounting database. The last command statement specifies that access to the PIX Firewall unit's serial console requires authentication from the TACACS+ server.
Related Commands
•
aaa authentication
Enable, disable, or view LOCAL, TACACS+, or RADIUS user authentication (on a server designated by the aaa-server command). Additionally, the aaa authentication command has been modified to support PDM authentication. (Configuration mode.)
Syntax Description
Defaults
If an aaa authentication http console group_tag command statement is not defined, you can gain access to the PIX Firewall (via PDM) with no username and the PIX Firewall enable password (set with the password command). If the aaa commands are defined but the HTTP authentication requests a time out, which implies the AAA servers may be down or not available, you can gain access to the PIX Firewall using the username pix and the enable password. By default, the enable password is not set.
PIX Firewall supports authentication usernames up to 127 characters and passwords of up to 63 characters. A password or username may not contain an "@" character as part of the password or username string, with a few exceptions.
Tip
Usage Guidelines
To use the aaa authentication command, you must first designate an authentication server with the aaa-server command. Also, for each IP address, one aaa authentication command is permitted for inbound connections and one for outbound connections.
Use the if_name, local_ip, and foreign_ip variables to define where access is sought and from whom. The address for local_ip is always on the highest security level interface and foreign_ip is always on the lowest.
The aaa authentication command is not intended to mandate your security policy. The authentication servers determine whether a user can or cannot access the system, what services can be accessed, and what IP addresses the user can access. The PIX Firewall interacts with FTP, HTTP (Web access), and Telnet to display the credentials prompts for logging in to the network or logging in to exit the network. You can specify that only a single service be authenticated, but this must agree with the authentication server to ensure that both the firewall and server agree.
The include and exclude options are not backward compatible with previous PIX Firewall versions. If you downgrade to an earlier version, these aaa authentication command statements will be removed from your configuration.
The aaa authentication console Command
The aaa authentication serial console command allows you to require authentication verification to access the PIX Firewall unit's serial console. The serial console options also logs to a syslog server changes made to the configuration from the serial console.
Authenticated access to the PIX Firewall console has different types of prompts depending on the option you choose with the aaa authentication [serial | enable | telnet | ssh] console command. While the enable and ssh options allow three tries before stopping with an access denied message, both the serial and telnet options cause the user to be prompted continually until successfully logging in. The serial option requests a username and password before the first command line prompt on the serial console connection. The telnet option forces you to specify a username and password before the first command line prompt of a Telnet console connection. The enable option requests a username and password before accessing privileged mode for serial, Telnet, or SSH connections. The ssh option requests a username and password before the first command line prompt on the SSH console connection. The ssh option allows a maximum of three authentication attempts.
Telnet access to the PIX Firewall console is available from any internal interface, and from the outside interface with IPSec configured, and requires previous use of the telnet command. SSH access to the PIX Firewall console is also available from any interface without IPSec configured, and requires previous use of the ssh command.
The new ssh option specifies the group of AAA servers to be used for SSH user authentication. The authentication protocol and AAA server IP addresses are defined with the aaa-server command statement.
Similar to the Telnet model, if an aaa authentication ssh console group_tag command statement is not defined, you can gain access to the PIX Firewall console with the username pix and with the PIX Firewall Telnet password (set with the passwd command). If the aaa command is defined but the SSH authentication requests timeouts, which implies the AAA servers may be down or not available, you can gain access to the PIX Firewall using username pix and the enable password (set with the enable password command). By default, the Telnet password is cisco and the enable password is not set.
If the console login request times out, you can gain access to the PIX Firewall from the serial console by entering the pix username and the enable password.
Enabling Authentication
The aaa authentication command enables or disables the following AAA (authentication, authorization, and accounting) features:
•
•
The prompts users see requesting AAA credentials differ between the three services that can access the PIX Firewall for authentication: Telnet, FTP, and HTTP (Web):
•
•
authentication_user_name@remote_system_user_nameauthentication_password@remote_system_passwordIf you daisy-chain PIX Firewall units, Telnet authentication works in the same way as a single unit, but FTP and HTTP authentication have additional complexity for users because they have to enter each password and username with an additional at (@) character and password or username for each daisy-chained system. Users can exceed the 63-character password limit depending on how many units are daisy-chained and password length.
Some FTP graphical user interfaces (GUIs) do not display challenge values.
•
Authenticated access to the PIX Firewall console has different types of prompts depending on the option you choose with the aaa authentication console command:
•
•
•
•
You can specify an interface name with the aaa authentication command. In previous versions, if you specified aaa authentication include any outbound 0 0 server, PIX Firewall only authenticated outbound connections and not those to the perimeter interface. PIX Firewall now authenticates any outbound connection to the outside as well as to hosts on the perimeter interface. To preserve the behavior of previous versions, use these commands to enable authentication and to disable authentication from the inside to the perimeter interface:
aaa authentication include any outbound 0 0 serveraaa authentication exclude outbound perim_net perim_mask serverWhen a host is configured for authentication, all users on the host must use a web browser or Telnet first before performing any other networking activity, such as accessing mail or a news reader. The reason for this is that users must first establish their authentication credentials and programs such as mail agents and newsreaders do not have authentication challenge prompts.
The PIX Firewall only accepts 7-bit characters during authentication. After authentication, the client and server can negotiate for 8 bits if required. During authentication, the PIX Firewall only negotiates Go-Ahead, Echo, and NVT (network virtual terminal).
HTTP Authentication
When using HTTP authentication to a site running Microsoft IIS that has "Basic text authentication" or "NT Challenge" enabled, users may be denied access from the Microsoft IIS server. This occurs because the browser appends the string: "Authorization: Basic=Uuhjksdkfhk==" to the HTTP GET commands. This string contains the PIX Firewall authentication credentials.
Windows NT Microsoft IIS servers respond to the credentials and assume that a Windows NT user is trying to access privileged pages on the server. Unless the PIX Firewall username password combination is exactly the same as a valid Windows NT username and password combination on the Microsoft IIS server, the HTTP GET command is denied.
To solve this problem, PIX Firewall provides the virtual http command, which redirects the browser's initial connection to another IP address, authenticates the user, then redirects the browser back to the URL which the user originally requested.
Once authenticated, a user never has to reauthenticate no matter how low the PIX Firewall uauth timeout is set. This is because the browser caches the "Authorization: Basic=Uuhjksdkfhk==" string in every subsequent connection to that particular site. This can only be cleared when the user exits all instances of Netscape Navigator or Internet Explorer and restarts. Flushing the cache is of no use.
As long as the user repeatedly browses the Internet, the browser resends the "Authorization: Basic=Uuhjksdkfhk==" string to transparently reauthenticate the user.
Multimedia applications such as CU-SeeMe, Intel Internet Phone, MeetingPoint, and MS Netmeeting silently start the HTTP service before an H.323 session is established from the inside to the outside.
Network browsers such as Netscape Navigator do not present a challenge value during authentication; therefore, only password authentication can be used from a network browser.
Note
TACACS+ and RADIUS servers
Up to 196 TACACS+ or RADIUS servers are permitted (up to 14 servers in each of the up to 14 server groups—set with the aaa-server command). When a user logs in, the servers are accessed one at a time starting with the first server you specify in the configuration, until a server responds.
The PIX Firewall permits only one authentication type per network. For example, if one network connects through the PIX Firewall using TACACS+ for authentication, another network connecting through the PIX Firewall can authenticate with RADIUS, but one network cannot authenticate with both TACACS+ and RADIUS.
For the TACACS+ server, if you do not specify a key to the aaa-server command, no encryption occurs.
The PIX Firewall displays the same timeout message for both RADIUS and TACACS+. The message "aaa server host machine not responding" displays when either of the following occurs:
•
•
Previously, TACACS+ differentiated between the two preceding states and provided two different timeout messages, while RADIUS did not differentiate between the two states and provided one timeout message.
match acl_name Option Usage
The syntax for this command is as follows:
aaa authentication | authorization | accounting match acl_name inbound | outbound | interface_name group_tag
An example follows:
show access-listaccess-list mylist permit tcp 10.0.0.0 255.255.255.0 172.23.2.0 255.255.255.0 (hitcnt=0) access-list yourlist permit tcp any any (hitcnt=0)show aaaaaa authentication match mylist outbound TACACS+Similar to IPSec, the keyword permit means "yes" and deny means "no." Therefore, the following command,
aaa authentication match yourlist outbound tacacsis equal to this command:
aaa authentication include any outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 tacacsThe aaa command statement list is order dependent between access-list command statements. If the following command is entered:
aaa authentication match yourlist outbound tacacsafter this command:
aaa authentication match mylist outbound TACACS+PIX Firewall tries to find a match in the mylist access-list command statement group before it tries to find a match in the yourlist access-list command statement group.
Old aaa command configuration and functionality stays the same and is not converted to the access-list format. Hybrid configurations; that is, old configurations combined with the new access-list configuration are not recommended.
Examples
The following example shows use of the aaa authentication command:
pixfirewall(config) aaa authentication telnet console radiusThe following example lists the new include and exclude options:
aaa authentication include any outbound 172.31.0.0 255.255.0.0 0.0.0.0 0.0.0.0 tacacs+aaa authentication exclude telnet outbound 172.31.38.0 255.255.255.0 0.0.0.0 0.0.0.0 tacacs+The following examples demonstrate ways to use the if_name parameter. The PIX Firewall has an inside network of 192.168.1.0, an outside network of 209.165.201.0 (subnet mask 255.255.255.224), and a perimeter network of 209.165.202.128 (subnet mask 255.255.255.224).
This example enables authentication for connections originated from the inside network to the outside network:
aaa authentication include any outbound 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224 tacacs+This example enables authentication for connections originated from the inside network to the perimeter network:
aaa authentication include any outbound 192.168.1.0 255.255.255.0 209.165.202.128 255.255.255.224 tacacs+This example enables authentication for connections originated from the outside network to the inside network:
aaa authentication include any inbound 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224 tacacs+This example enables authentication for connections originated from the outside network to the perimeter network:
aaa authentication include any inbound 209.165.201.0 255.255.255.224 209.165.202.128 255.255.255.224 tacacs+This example enables authentication for connections originated from the perimeter network to the outside network:
aaa authentication include any outbound 209.165.202.128 255.255.255.224 209.165.201.0 255.255.255.224 tacacs+This example specifies that IP addresses 10.0.0.1 through 10.0.0.254 can originate outbound connections and then enables user authentication so that those addresses must enter user credentials to exit the PIX Firewall. In this example, the first aaa authentication command permits authentication on FTP, HTTP, or Telnet depending on what the authentication server handles. The second aaa authentication command lets host 10.0.0.42 start outbound connections without being authenticated. This example uses the default authentication group tacacs+.
nat (inside) 1 10.0.0.0 255.255.255.0aaa authentication include any outbound 0 0 tacacs+aaa authentication exclude outbound 10.0.0.42 255.255.255.255 tacacs+ anyThis example permits inbound access to any IP address in the range of 209.165.201.1 through 209.165.201.30 indicated by the 209.165.201.0 network address (subnet mask 255.255.255.224). All services are permitted by the access-list command, and the aaa authentication command permits authentication on FTP, HTTP, or Telnet depending on what the authentication server handles. The authentication server is at IP address 10.16.1.20 on the inside interface.
aaa-server AuthIn protocol tacacs+aaa-server AuthIn (inside) host 10.16.1.20 thisisakey timeout 20static (inside,outside) 209.165.201.0 10.16.1.0 netmask 255.255.255.224access-list acl_out permit tcp 10.16.1.0 255.255.255.0 209.165.201.0 255.255.255.224access-group acl_out in interface outsideaaa authentication include any inbound 0 0 AuthInRelated Commands
•
aaa authorization
Enable or disable LOCAL or TACACS+ user authorization services. (Configuration mode.)
Syntax Description
Usage Guidelines
Except for its use with command authorization, the aaa authorization command requires previous configuration with the aaa authentication command; however, use of the aaa authentication command does not require use of an aaa authorization command.
Currently, the aaa authorization command is supported for use with LOCAL and TACACS+ servers but not with RADIUS servers.
Tip
For each IP address, one aaa authorization command is permitted. If you want to authorize more than one service with aaa authorization, use the any parameter for the service type.
If the first attempt at authorization fails and a second attempt causes a timeout, use the
service resetinbound command to reset the client that failed the authorization so that it will not retransmit any connections. An example authorization timeout message in Telnet follows.Unable to connect to remote host: Connection timed outUser authorization services control which network services a user can access. After a user is authenticated, attempts to access restricted services cause the PIX Firewall unit to verify the access permissions of the user with the designated AAA server.
The include and exclude options are not backward compatible with previous PIX Firewall versions. If you downgrade to an earlier version, the aaa command statements will be removed from your configuration.
Note
If the AAA console login request times out, you can gain access to the PIX Firewall from the serial console by entering the pix username and the enable password.Examples
The default PIX Firewall configuration provides the following aaa-server protocols:
aaa-server TACACS+ protocol tacacs+aaa-server RADIUS protocol radiusaaa-server LOCAL protocol local
The following example uses the default protocol TACACS+ with the aaa commands:
aaa-server TACACS+ (inside) host 10.1.1.10 thekey timeout 20aaa authentication include any outbound 0 0 0 0 TACACS+aaa authorization include any outbound 0 0 0 0aaa accounting include any outbound 0 0 0 0 TACACS+aaa authentication serial console TACACS+This example specifies that the authentication server with the IP address 10.1.1.10 resides on the inside interface and is in the default TACACS+ server group. The next three command statements specify that any users starting outbound connections to any foreign host will be authenticated using TACACS+, that the users who are successfully authenticated are authorized to use any service, and that all outbound connection information will be logged in the accounting database. The last command statement specifies that access to the PIX Firewall unit's serial console requires authentication from the TACACS+ server.
The following example enables authorization for DNS lookups from the outside interface:
aaa authorization include udp/53 inbound 0.0.0.0 0.0.0.0The following example enables authorization of ICMP echo-reply packets arriving at the inside interface from inside hosts:
aaa authorization include 1/0 outbound 0.0.0.0 0.0.0.0This means that users will not be able to ping external hosts if they have not been authenticated using Telnet, HTTP, or FTP.
The following example enables authorization for ICMP echoes (pings) only that arrive at the inside interface from an inside host:
aaa authorization include 1/8 outbound 0.0.0.0 0.0.0.0Related Commands
•
aaa proxy-limit
Specifies the number of concurrent proxy connections allowed per user. (Configuration mode.)
aaa proxy-limit proxy_limit | disable
no aaa-server group_tag (if_name) host server_ip key timeout seconds
clear aaa-server [group_tag]
show aaa proxy-limit
Displays the number of outstanding authentication requests allowed, or indicates that the proxy limit is disabled if disabled.
Syntax Description
Usage Guidelines
The aaa proxy-limit command enables you to manually configure the uauth session limit by setting the maximum number of concurrent proxy connections allowed per user. By default, this value is set to 3. If a source address is a proxy server, consider excluding this IP address from authentication or increasing the number of allowable outstanding AAA requests.
Examples
The following example shows how to set and display the maximum number of outstanding authentication requests allowed:
pixdoc515(config)# aaa proxy-limit 6pixdoc515(config)# show aaa proxy-limitaaa proxy-limit 6aaa-server
Specify an AAA server. (Configuration mode.)
Syntax Description
aaa-server
Specifies an AAA server or up to 14 groups of servers with a maximum of 14 servers each. Certain types of AAA services can be directed to different servers. Services can also be set up to fail over to multiple servers.
aaa-server radius-acctport
Sets the port number of the RADIUS server which the PIX Firewall unit will use for accounting functions. The default port number used for RADIUS accounting is 1646.
aaa-server radius-authport
Sets the port number of the RADIUS server which the PIX Firewall will use for authentication functions. The default port number used for RADIUS authentication is 1645.
debug radius session
Captures RADIUS session information and attributes for sent and received RADIUS packets.
group_tag
An alphanumeric string which is the name of the server group. Use the group_tag in the aaa command to associate aaa authentication and aaa accounting command statements to an AAA server. Up to 14 server groups are permitted. However, LOCAL cannot used with aaa-server command because LOCAL is predefined by the PIX Firewall.
host server_ip
The IP address of the TACACS+ or RADIUS server.
if_name
The interface name on which the server resides.
key
A case-sensitive, alphanumeric keyword of up to 127 characters that is the same value as the key on the TACACS+ server. Any characters entered past 127 are ignored. The key is used between the client and server for encrypting data between them. The key must be the same on both the client and server systems. Spaces are not permitted in the key, but other special characters are.
no aaa-server
Unbinds an AAA server from and interface or host.
port
Specifies the destination TCP/UDP port number of the remote RADIUS server host to which you wish to assign authentication or accounting functions for the PIX Firewall.
These port pairs are listed as assigned to authentication and accounting services on RADIUS servers:
•
•
You can view these and other commonly used port number assignments online at the following website:
http://www.iana.org/assignments/port-numbers
See "Ports" in "Using PIX Firewall Commands" for additional information.
protocol auth_protocol
The type of AAA server, either tacacs+ or radius.
timeout seconds
The timeout interval for the request. This is the time after which the PIX Firewall gives up on the request to the primary AAA server. If there is a standby AAA server, the PIX Firewall will send the request to the backup server. The retransmit timeout is currently set to 10 seconds and is not user configurable.
Usage Guidelines
The aaa-server command lets you specify AAA server groups. PIX Firewall lets you define separate groups of TACACS+ or RADIUS servers for specifying different types of traffic; such as, a TACACS+ server for inbound traffic and another for outbound traffic. Another use is where all outbound HTTP traffic will be authenticated by a TACACS+ server, and all inbound traffic will use RADIUS.
AAA server groups are defined by a tag name that directs different types of traffic to each authentication server. If the first authentication server in the list fails, the AAA subsystem fails over to the next server in the tag group. You can have up to 14 tag groups and each group can have up to 14 AAA servers for a total of up to 196 AAA servers.
If your RADIUS server uses ports 1812 for authentication and 1813 for accounting, you are required to reconfigure the PIX Firewall to use ports 1812 and 1813.
If accounting is in effect, the accounting information goes only to the active server.
If you are upgrading from a previous version of PIX Firewall and have aaa command statements in your configuration, using the default server groups lets you maintain backward compatibility with the aaa command statements in your configuration.
Usage Notes
1.
2.
3.
4.
Defaults
By default, the PIX Firewall listens for RADIUS on ports 1645 for authentication and 1646 for accounting. (The default ports are 1645 for authentication and 1646 for accounting as defined in RFC 2058.)
The default configuration provides the following aaa-server protocols:
aaa-server TACACS+ protocol tacacs+aaa-server RADIUS protocol radiusaaa-server LOCAL protocol localExamples
The following example uses the default protocol TACACS+ with the aaa commands:
aaa-server TACACS+ (inside) host 10.1.1.10 thekey timeout 20aaa authentication include any outbound 0 0 0 0 TACACS+aaa authorization include any outbound 0 0 0 0aaa accounting include any outbound 0 0 0 0 TACACS+aaa authentication serial console TACACS+This example specifies that the authentication server with the IP address 10.1.1.10 resides on the inside interface and is in the default TACACS+ server group. The next three command statements specify that any users starting outbound connections to any foreign host will be authenticated using TACACS+, that the users who are successfully authenticated are authorized to use any service, and that all outbound connection information will be logged in the accounting database. The last command statement specifies that access to the PIX Firewall unit's serial console requires authentication from the TACACS+ server.
This example creates the AuthOut and AuthIn server groups for RADIUS authentication and specifies that servers 10.0.1.40, 10.0.1.41, and 10.1.1.2 on the inside interface provide authentication. The servers in the AuthIn group authenticate inbound connections, the AuthOut group authenticates outbound connections.
aaa-server AuthIn protocol radiusaaa-server AuthIn (inside) host 10.0.1.40 ab timeout 20aaa-server AuthIn (inside) host 10.0.1.41 abc timeout 4aaa-server AuthOut protocol radiusaaa-server AuthOut (inside) host 10.1.1.2 abc123 timeout 15aaa authentication include any inbound 0 0 0 0 AuthInaaa authentication include any outbound 0 0 0 0 AuthOutThe following example lists the commands that can be used to establish an Xauth crypto map:
ip address inside 10.0.0.1 255.255.255.0ip address outside 168.20.1.5 255.255.255.0ip local pool dealer 10.1.2.1-10.1.2.254nat (inside) 0 access-list 80aaa-server TACACS+ host 10.0.0.2 secret123crypto ipsec transform-set pc esp-des esp-md5-hmaccrypto dynamic-map cisco 4 set transform-set pccrypto map partner-map 20 ipsec-isakmp dynamic ciscocrypto map partner-map client configuration address initiatecrypto map partner-map client authentication TACACS+crypto map partner-map interface outsideisakmp key cisco1234 address 0.0.0.0 netmask 0.0.0.0isakmp client configuration address-pool local dealer outsideisakmp policy 8 authentication pre-shareisakmp policy 8 encryption desisakmp policy 8 hash md5isakmp policy 8 group 1isakmp policy 8 lifetime 86400The aaa-server command is used with the crypto map command to establish an authentication association so that VPN clients are authenticated when they access the PIX Firewall.
Related Commands
access-group
Binds the access list to an interface. (Configuration mode.)
access-group acl_ID in interface interface_name
no access-group acl_ID in interface interface_name
clear access-group [acl_ID]
show access-group [acl_ID]
Displays the current access list bound to the interfaces.
Syntax Description
acl_ID
The name associated with a given access list.
in interface
Filter inbound packets at the given interface.
interface_name
The name of the network interface.
Usage Guidelines
The access-group command binds an access list to an interface. The access list is applied to traffic inbound to an interface. If you enter the permit option in an access-list command statement, the PIX Firewall continues to process the packet. If you enter the deny option in an access-list command statement, PIX Firewall discards the packet and generates the following syslog message.
%PIX-4-106019: IP packet from source_addr to destination_addr, protocol protocol received from interface interface_name deny by access-group acl_IDAlways use the access-list command with the access-group command.
Note
The no access-group command unbinds the acl_ID from the interface interface_name.
The show access-group command displays the current access list bound to the interfaces.
The clear access-group command removes all entries from an access list indexed by acl_ID. If acl_ID is not specified, all access-list command statements are removed from the configuration.
Examples
The following example shows use of the access-group command:
static (inside,outside) 209.165.201.3 10.1.1.3access-list acl_out permit tcp any host 209.165.201.3 eq 80access-group acl_out in interface outsideThe static command statement provides a global address of 209.165.201.3 for the web server at 10.1.1.3. The access-list command statement lets any host access the global address using port 80. The access-group command specifies that the access-list command statement applies to traffic entering the outside interface.
access-list
Create an access list, or use downloadable access lists. (Downloadable access lists are supported for RADIUS servers only). (Configuration mode.)
