Cisco PIX Firewall and VPN Configuration Guide, Version 6.3 - Accessing and Monitoring PIX Firewall [Cisco PIX Firewall Software]

Table Of Contents

Accessing and Monitoring PIX Firewall

Connecting to PIX Firewall Over a VPN Tunnel

Command Authorization and LOCAL User Authentication

Privilege Levels

User Authentication

Creating User Accounts in the LOCAL Database

User Authentication Using the LOCAL Database

Viewing the Current User Account

Command Authorization

Overview

Configuring LOCAL Command Authorization

Enabling LOCAL Command Authorization

Viewing LOCAL Command Authorization Settings

TACACS+ Command Authorization

Recovering from Lockout

Configuring PIX Firewall Banners

Using Network Time Protocol

Overview

Enabling NTP

Viewing NTP Status and Configuration

Managing the PIX Firewall Clock

Viewing System Time

Setting the System Clock

Setting Daylight Savings Time and Timezones

Using Telnet for Remote System Management

Configuring Telnet Console Access to the Inside Interface

Allowing a Telnet Connection to the Outside Interface

Overview

Using Telnet with an Easy VPN Remote Device

Using Cisco Secure VPN Client Version 1.1

Using Telnet

Trace Channel Feature

Using SSH for Remote System Management

Overview

Obtaining an SSH Client

Identifying the Host Using an SSH Client

Configuring Authentication for an SSH Client

Connecting to the PIX Firewall with an SSH Client

Viewing SSH Status

Enabling Auto Update Support

Overview

Identifying the Auto Update Server

Managing Auto Update Support

Viewing the Auto Update Configuration

Capturing Packets

Overview

Configuration Procedure

Packet Capture Output Formats

Packet Capture Examples

Saving Crash Information to Flash Memory

Using Syslog

Enabling Logging to Syslog Servers

Changing Syslog Message Levels

Disabling Syslog Messages

Viewing Modified Message Levels

Logging Access Control List Activity

Overview

Configuration

Logging Behavior

Syslog Message Format

Managing IDS Syslog Messages

Using SNMP

Overview

MIB Support

SNMP CPU Utilization

SNMP Usage Notes

SNMP Traps

Receiving Requests and Sending Syslog Traps

Compiling Cisco Syslog MIB Files

Using the Firewall and Memory Pool MIBs

ipAddrTable Notes

Viewing Failover Status

Verifying Memory Usage

Viewing The Connection Count

Viewing System Buffer Usage

Accessing and Monitoring PIX Firewall

This chapter describes how to configure and use the tools and features provided by the PIX Firewall for monitoring and configuring the system, and for monitoring network activity. It contains the following sections:

•Connecting to PIX Firewall Over a VPN Tunnel

•Command Authorization and LOCAL User Authentication

•Configuring PIX Firewall Banners

•Using Network Time Protocol

•Managing the PIX Firewall Clock

•Using Telnet for Remote System Management

•Using SSH for Remote System Management

•Enabling Auto Update Support

•Capturing Packets

•Saving Crash Information to Flash Memory

•Using Syslog

•Using SNMP

Connecting to PIX Firewall Over a VPN Tunnel

PIX Firewall Version 6.3 allows a remote management connection to any interface of a PIX Firewall over a VPN tunnel. This feature is useful for remotely managing a PIX Firewall used as an Easy VPN Remote device, which typically has an unknown IP address assigned dynamically to the outside interface.

The network management applications that are currently supported include the following:

•AAA

•Network Time Protocol (NTP)

•Ping

•PIX Device Manager (PDM)

•Telnet

•Secure shell (SSH)

•SNMP

•SNMP traps

•Syslogs

To enable management access over a VPN tunnel, enter the following command:
management-access mgmt_if
Replace mgmt_if with the IP address assigned to the interface of the remote PIX Firewall to which you want to connect.

Note You must enable management access for each interface that is connected to the supported management services that you want to use.

Command Authorization and LOCAL User Authentication

This section describes the Command Authorization feature and related topics, introduced with PIX Firewall Version 6.2. It includes the following topics:

•Privilege Levels

•User Authentication

•Command Authorization

•Recovering from Lockout

Privilege Levels

PIX Firewall Version 6.2 and higher supports up to 16 privilege levels. This is similar to what is available with Cisco IOS software. With this feature, you can assign PIX Firewall commands to one of 16 levels. Also, users logging into the PIX Firewall are assigned privilege levels.

Note Users with a privilege level greater than or equal to 2 have access to the enable and configuration mode and therefore the PIX Firewall prompt changes to #. Users with a privilege level 0 or 1 see the prompt >.

When a user tries to access enable mode, if the message "T+ enable privilege too low" appears on the AAA server, set the Max privilege of the AAA client to Level1 in the Advanced TACACS options.

To enable different privilege levels on the PIX Firewall, use the enable command in configuration mode. To assign a password to a privilege level, enter the following command:
pix(config)# enable password [password] [level level] [encrypted]
Replace password with a character string from three to sixteen characters long, with no spaces. Replace level with the privilege level you want to assign to the enable password.

Note The encrypted keyword indicates to the PIX Firewall that the password supplied with the enable command is already encrypted.

For example, the following command assigns the enable password Passw0rD to privilege Level 10:
enable password Passw0rD level 10
The following example shows the usage of the enable password command with the encrypted keyword:
enable password .SUTWWLlTIApDYYx level 9 encrypted
Note Encrypted passwords that are associated with a level can only be moved among PIX Firewall units along with the associated levels.

Once the different privilege levels are created, you can gain access to a particular privilege level from the > prompt by entering the enable command, as follows:
pix> enable [privilege level]
Replace privilege level with the privilege level to which you want to gain access. If the privilege level is not specified, the default of 15 is used. By default, privilege level 15 is assigned the password cisco. It will always have a password associated with it unless someone assigns it a blank password using the enable password command.

User Authentication

This section describes how to configure the PIX Firewall to use LOCAL user authentication. It includes the following topics:

•Creating User Accounts in the LOCAL Database

•User Authentication Using the LOCAL Database

•Viewing the Current User Account

Note PIX Firewall Version 6.2 only supports authentication using the LOCAL database for administrative access to the PIX Firewall. When using PIX Firewall Version 6.3 or higher, you can also use the LOCAL database for authentication through the PIX Firewall. For further information, refer to "Configuring AAA" in Chapter 3, "Controlling Network Access and Use."

Creating User Accounts in the LOCAL Database

To define a user account in the LOCAL database, enter the following command:
username username {nopassword|password password [encrypted]} [privilege level]
Replace username with a character string from four to fifteen characters long. Replace password with a character string from three to sixteen characters long. Replace privilege level with the privilege level you want to assign to the new user account (from 0 to 15). Use the nopassword keyword to create a user account with no password. Use the encrypted keyword if the password you are supplying is already encrypted.

Note The username database that you configure can be moved among PIX Firewall units with the rest of the configuration. Encrypted passwords can only be moved along with the associated username in the database.

For example, the following command assigns a privilege level of 15 to the user account admin.
username admin password passw0rd privilege 15
If no privilege level is specified, the user account is created with a privilege level of 2. You can define as many user accounts as you need.

Use the following command to create a user account with no password:
username username nopassword
Replace username with the user account that you want to create without a password.

To delete an existing user account, enter the following command:
no username username
Replace username with the user account that you want to delete. For example, the following command deletes the user account admin.
no username admin
To remove all the entries from the user database, enter the following command:
clear username
User Authentication Using the LOCAL Database

User authentication can be completed using the LOCAL database after user accounts are created in this database.

To enable authentication using the LOCAL database, enter the following command:
pix(config)# aaa authentication serial|telnet|ssh|http|enable console LOCAL
After entering this command, the LOCAL user accounts are used for authentication.

You can also use the login command, as follows, to access the PIX Firewall with a particular username and password:
pix> login 
The login command only checks the local database while authenticating a user and does not check any authentication or authorization (AAA) server.

When you enter the login command, the system prompts for a username and password as follows:
Username:admin
 Password:********
Note Users with a privilege level greater than or equal to 2 have access to the enable and configuration modes and the PIX Firewall prompt changes to #. Users with the privilege level 0 or 1 see the prompt >.

Use the following command to log out from the currently logged in user account:
logout 
Viewing the Current User Account

The PIX Firewall maintains usernames in the following authentication mechanisms:

•LOCAL

•TACACS+

•RADIUS

To view the user account that is currently logged in, enter the following command:
show curpriv
The system displays the current user name and privilege level, as follows:
Username:admin
Current privilege level: 15
Current Mode/s:P_PRIV
As mentioned in the section "Privilege Levels," you use the enable command to obtain access to different privilege levels with the following command:

pix> enable [privilege level]

When you assign a password to a privilege level, the privilege level is associated with the password in the LOCAL database in the same way a username is associated with a password. When you obtain access to a privilege level using the enable command, the show curpriv command displays the current privilege level as a username in the format enable_n, where n is a privilege level from 1 to 15.

An example follows:
pix(config)# show curpriv
Username : enable_9
Current privilege level : 9
Current Mode/s : P_PRIV
When you enter the enable command without specifying the privilege level, the default privilege level (15) is assumed and the username is set to enable_15.

When you log into the PIX Firewall for the first time or exit from the current session, the default user name is enable_1, as follows:
pix> show curpriv
Username : enable_1
Current privilege level : 1
Current Mode/s : P_UNPR
Command Authorization

This section describes how to assign commands to different privilege levels. It includes the following topics:

•Overview

•Configuring LOCAL Command Authorization

•Enabling LOCAL Command Authorization

•Viewing LOCAL Command Authorization Settings

•TACACS+ Command Authorization

Overview

LOCAL and TACACS+ Command Authorization is supported in PIX Firewall Version 6.2 and higher. With the LOCAL command authorization feature, you can assign PIX Firewall commands to one of 16 levels.

Caution When configuring the Command Authorization feature, do not save your configuration until you are sure it works the way you want. If you get locked out because of a mistake, you can usually recover access by simply restarting the PIX Firewall from the configuration that is saved in Flash memory. If you still get locked out, refer to the section "Recovering from Lockout."

Configuring LOCAL Command Authorization

In the default configuration, each PIX Firewall command is assigned to either privilege level 0 or privilege level 15. To reassign a specific command to a different privilege level, enter the following command:
[no] privilege [{show | clear | configure}] level level [mode {enable|configure}] command 
command
Replace level with the privilege level and command with the command you want to assign to the specified level. You can use the show, clear, or configure parameter to optionally set the privilege level for the show, clear, or configure command modifiers of the specified command. Replace command with the command for which you wish to assign privileges. For the full syntax of this command, including additional options, refer to the PIX Firewall Command Reference.

For example, the following commands set the privilege of the different command modifiers of the access-list command:
privilege show level 10 command access-list
privilege configure level 12 command access-list
privilege clear level 11 command access-list
The first line sets the privilege of show access-list (show modifier of cmd access-list) to 10. The second line sets the privilege level of the configure modifier to 12, and the last line sets the privilege level of the clear modifier to 11.

To set the privilege of all the modifiers of the access-list command to a single privilege level of 10, you would enter the following command:
privilege level 10 command access-list
For commands that are available in multiple modes, use the mode parameter to specify the mode in which the privilege level applies.

The following are examples of setting privilege levels for mode-specific commands:
privilege show level 15 mode configure command configure
privilege clear level 15 mode configure command configure
privilege configure level 15 mode configure command configure
privilege configure level 15 mode enable command configure
privilege configure level 0 mode enable command enable
privilege show level 15 mode configure command enable
privilege configure level 15 mode configure command enable
privilege configure level 15 mode configure command igmp
privilege show level 15 mode configure command igmp
privilege clear level 15 mode configure command igmp
privilege show level 15 mode configure command logging
privilege clear level 15 mode configure command logging
privilege configure level 15 mode configure command logging
privilege clear level 15 mode enable command logging
privilege configure level 15 mode enable command logging
Note Do not use the mode parameter for commands that are not mode-specific.

By default, the following commands are assigned to privilege level 0:
privilege show level 0 command checksum
privilege show level 0 command curpriv
privilege configure level 0 command help
privilege show level 0 command history
privilege configure level 0 command login
privilege configure level 0 command logout
privilege show level 0 command pager
privilege clear level 0 command pager
privilege configure level 0 command pager
privilege configure level 0 command quit
privilege show level 0 command version
Enabling LOCAL Command Authorization

Once you have reassigned privileges to commands from the defaults, as necessary, enable the command authorization feature by entering the following command:
aaa authorization command LOCAL
By specifying LOCAL, the user's privilege level and the privilege settings that have been assigned to the different commands are used to make authorization decisions.

When users log in to the PIX Firewall, they can enter any command assigned to their privilege level or to lower privilege levels. For example, a user account with a privilege level of 15 can access every command because this is the highest privilege level. A user account with a privilege level of 0 can only access the commands assigned to level 0.

Viewing LOCAL Command Authorization Settings

To view the CLI command assignments for each privilege level, enter the following command:
show privilege all
The system displays the current assignment of each CLI command to a privilege level. The following example illustrates the first part of the display:
pix(config)# show privilege all
privilege show level 15 command aaa
privilege clear level 15 command aaa
privilege configure level 15 command aaa
privilege show level 15 command aaa-server
privilege clear level 15 command aaa-server
privilege configure level 15 command aaa-server
privilege show level 15 command access-group
privilege clear level 15 command access-group
privilege configure level 15 command access-group
privilege show level 15 command access-list
privilege clear level 15 command access-list
privilege configure level 15 command access-list
privilege show level 15 command activation-key
privilege configure level 15 command activation-key
To view the command assignments for a specific privilege level, enter the following command:
show privilege level level
Replace level with the privilege level for which you want to display the command assignments.

For example, the following command displays the command assignments for privilege Level 15:
show privilege level 15
To view the privilege level assignment of a specific command, enter the following command:
show privilege command command
Replace command with the command for which you want to display the assigned privilege level.

For example, the following command displays the command assignment for the access-list command:
show privilege command access-list
TACACS+ Command Authorization

Caution Only enable this feature with TACACS+ if you are absolutely sure that you have fulfilled the following requirements.

1. You have created entries for enable_1, enable_15, and any other levels to which you have assigned commands.

2. If you are enabling authentication with usernames:

–You have a user profile on the TACACS+ server with all the commands that the user is permitted to execute.

–You have tested authentication with the TACACS+ server.

3. You are logged in as a user with the necessary privileges. You can see this by entering the show curpriv command.

4. Your TACACS+ system is completely stable and reliable. The necessary level of reliability typically requires that you have a fully redundant TACACS+ server system and fully redundant connectivity to the PIX Firewall.

Caution When configuring the Command Authorization feature, do not save your configuration until you are sure it works the way you want. If you get locked out because of a mistake, you can usually recover access by simply restarting the PIX Firewall from the configuration that is saved in Flash memory. If you still get locked out, refer to the section "Recovering from Lockout."

After command authorization with a TACACS+ server is enabled, for each command entered, the PIX Firewall sends the username, command, and command arguments to the TACACS+ server for authorization.

To enable command authorization with a TACACS+ server, enter the following command:
aaa authorization command tacacs_server_tag
To create the tacacs_server_tag, use the aaa-server command, as follows:
aaa-server tacacs_server_tag [(if_name)] host ip_address [key] [timeout seconds]
Use the tacacs_server_tag parameter to identify the TACACS+ server and use the if_name parameter if you need to specifically identify the PIX Firewall interface connected to the TACACS+ server. Replace ip_address with the IP address of the TACACS+ server. Replace the optional key parameter with a keyword of up to 127 characters (including special characters but excluding spaces) to use for encrypting data exchanged with the TACACS+ server. This value must match the keyword used on the TACACS+ server. Replace seconds with a number up to 30 that determines how long the PIX Firewall waits before retrying the connection to the TACACS+ server. The default value is 5 seconds.

The PIX Firewall only expands the command and the command modifier (show, clear, no) when it sends these to the TACACS+ server. The command arguments are not expanded.

For effective operation, it is a good idea to permit the following basic commands on the AAA server:

•show curpriv

•show version

•show aaa

•enable

•disable

•quit

•exit

•login

•logout

•help

For Cisco PIX Device Manager (PDM) to work with Command Authorization using a TACACS+ Server, the AAA server administrator should authorize the user for the following commands:

•write terminal or show running-config

•show pdm

•show version

•show curpriv

Recovering from Lockout

If you get locked out because of a mistake in configuring Command Authorization, you can usually recover access by simply restarting the PIX Firewall from the configuration that is saved in Flash memory.

If you have already saved your configuration and you find that you configured authentication using the LOCAL database but did not configure any usernames, you have created a lockout problem. You can also encounter a lockout problem by configuring command authorization using a TACACS+ server if the TACACS+ server is unavailable, down or misconfigured.

If you cannot recover access to the PIX Firewall by restarting your PIX Firewall, use your web browser to access the following website:

http://www.cisco.com/warp/public/110/34.shtml

This website provides a downloadable file with instructions for using it to remove the lines in the PIX Firewall configuration that enable authentication and cause the lockout problem.

You can encounter a different type of lockout problem if you use the aaa authorization command tacacs_server_tag command and you are not logged as the correct user. For every command you type, the PIX Firewall will display the following message:
Command Authorization failed
This occurs because the TACACS+ server does not have a user profile for the user account that you used for logging in. To prevent this problem, make sure that the TACACS+ server has all the users configured with the commands that they can execute. Also make sure that you are logged in as a user with the required profile on the TACACS+ server.

Configuring PIX Firewall Banners

PIX Firewall Version 6.3 introduces support for "Message-of-the-Day" (MOTD), EXEC, and login banners, similar to the same feature in Cisco IOS software. The size of banners is only limited by available system memory or Flash memory.

To configure a banner, enter the following command:
banner {exec|login|motd} text
Replace text with the string that you want the system to display. Spaces are allowed but tabs cannot be entered using the CLI. You can dynamically add the host name or domain name of the PIX Firewall by including the strings $(hostname) and $(domain) in the string.

Use the exec option to display a banner before the enable prompt is displayed. Use the login option to display the banner before the password login prompt when accessing the PIX Firewall using Telnet. Use the motd option to display a message-of-the-day banner.

To configure a banner including multiple lines, enter the banner command once for each line in the banner.

To display the current banner, enter the following command:
show banner {exec|login|motd}
To remove a specific banner, enter the following command:
no banner {exec|login|motd}
To clear all banners, enter the following command:
clear banner
Using Network Time Protocol

This section describes how to use the NTP client, introduced with PIX Firewall Version 6.2. It includes the following topics:

•Overview

•Enabling NTP

•Viewing NTP Status and Configuration

Overview

The Network Time Protocol (NTP) is used to implement a hierarchical system of servers that provide a source for precisely synchronized time among network systems. This kind of accuracy is required for time-sensitive operations such as validating a certificate revocation lists (CRL), which includes a precise time stamp.

PIX Firewall Version 6.2 and higher provides an NTP client that allows the PIX Firewall to obtain its system time from NTP version 3 servers, like those provided with Cisco IOS routers.

Enabling NTP

To enable the PIX Firewall NTP client, enter the following command:
[no] ntp server ip_address [key number] source if_name [prefer]
This command causes the PIX Firewall to synchronize with the time server identified by ip_address. The key option requires a authentication key when sending packets to this server. When using this option, replace number with the authentication key. The interface specified by if_name is used to send packets to the time server. If the source keyword is not specified, the routing table will be used to determine the interface. The prefer option makes the specified server the preferred server to provide synchronization, which reduces switching back and forth between servers.

To enable authentication for NTP messages, enter the following command:
[no] ntp authenticate
[no] ntp authentication-key number md5 value
[no] ntp trusted-key number
The ntp authenticate command enables NTP authentication. If you enter this command, the PIX Firewall will not synchronize to an NTP server unless the server is configured with one of the authentication keys specified using the ntp trusted-key command.

The ntp authentication-key command is used to define authentication keys for use with other NTP commands to provide a higher degree of security. The number parameter is the key number (1 to 4294967295). The value parameter is the key value (an arbitrary string of up to 32 characters). The key value will be replaced with `********' when the configuration is viewed with either the write terminal, show configuration, or show tech-support commands.

Use the ntp trusted-key command to define one or more key numbers corresponding to the keys defined with the ntp authentication-key command. The PIX Firewall will require the NTP server to provide this key number in its NTP packets. This provides protection against synchronizing the PIX Firewall system clock with an NTP server that is not trusted.

To remove NTP configuration, enter the following command:
clear ntp
This command removes the NTP configuration, disables authentication, and removes all the authentication keys.

Viewing NTP Status and Configuration

This section describes the information available about NTP status and associations. To view information about NTP status and configuration, use any of the following commands:

•show ntp associations—displays information about the configured time servers.

•show ntp associations detail—provides detailed information.

•show ntp status—displays information about the NTP clock.

The following examples show sample output for each command and the following tables define the meaning of the values in each column of the output.

Example 9-1 shows sample output from the show ntp associations command.

Example 9-1 Sample Output from show ntp association Command
PIX> show ntp associations
     address         ref clock     st  when  poll  reach  delay  offset    disp
 ~172.31.32.2      172.31.32.1       5    29  1024  377     4.2   -8.59     1.6
+~192.168.13.33    192.168.1.111     3    69   128  377     4.1    3.48     2.3
*~192.168.13.57    192.168.1.111     3    32   128  377     7.9   11.18     3.6
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
The first characters in a display line can be one or more of the following characters:

•* —Synchronized to this peer

•# —Almost synchronized to this peer

•+ —Peer selected for possible synchronization

•- —Peer is a candidate for selection

•~ —Peer is statically configured

Table 9-1 describes the meaning of the values in each column:

Table 9-1 Output Description from ntp association Command

Output Column Heading

Description

address

Address of peer.

ref clock

Address of reference clock of peer.

st

Stratum of peer.

when

Time since last NTP packet was received from peer.

poll

Polling interval (in seconds).

reach

Peer reachability (bit string, in octal).

delay

Round-trip delay to peer (in milliseconds).

offset

Relative time of peer clock to local clock (in milliseconds).

disp

Dispersion.

Example 9-2 provides sample output from the show ntp association detail command:

Example 9-2 Sample Output from ntp association detail Command
pix(config)# show ntp associations detail
172.23.56.249 configured, our_master, sane, valid, stratum 4
ref ID 172.23.56.225, time c0212639.2ecfc9e0 (20:19:05.182 UTC Fri Feb 22
2002)
our mode client, peer mode server, our poll intvl 128, peer poll intvl 128
root delay 38.04 msec, root disp 9.55, reach 177, sync dist 156.021
delay 4.47 msec, offset -0.2403 msec, dispersion 125.21
precision 2**19, version 3
org time c02128a9.731f127b (20:29:29.449 UTC Fri Feb 22 2002)
rcv time c02128a9.73c1954b (20:29:29.452 UTC Fri Feb 22 2002)
xmt time c02128a9.6b3f729e (20:29:29.418 UTC Fri Feb 22 2002)
filtdelay =     4.47    4.58    4.97    5.63    4.79    5.52    5.87
0.00
filtoffset =   -0.24   -0.36   -0.37    0.30   -0.17    0.57   -0.74
0.00
filterror =     0.02    0.99    1.71    2.69    3.66    4.64    5.62
16000.0
Table 9-2 describes the meaning of the values in each column:

Table 9-2 Output Description from ntp association detail Command

Output Column Heading

Description

configured

Peer was statically configured.

dynamic

Peer was dynamically discovered.

our_master

Local machine is synchronized to this peer.

selected

Peer is selected for possible synchronization.

candidate

Peer is a candidate for selection.

sane

Peer passes basic sanity checks.

insane

Peer fails basic sanity checks.

valid

Peer time is believed to be valid.

invalid

Peer time is believed to be invalid.

leap_add

Peer is signalling that a leap second will be added.

leap-sub

Peer is signalling that a leap second will be subtracted.

unsynced

Peer is not synchronized to any other machine.

ref ID

Address of machine peer is synchronized to.

time

Last time stamp peer received from its master.

our mode

Our mode relative to peer (active/passive/client/server/bdcast/bdcast client).

peer mode

Peer's mode relative to us.

our poll intvl

Our poll interval to peer.

peer poll intvl

Peer's poll interval to us.

root delay

Delay along path to root (ultimate stratum 1 time source).

root disp

Dispersion of path to root.

reach

Peer reachability (bit string in octal).

sync dist

Peer synchronization distance.

delay

Round-trip delay to peer.

offset

Offset of peer clock relative to our clock.

dispersion

Dispersion of peer clock.

precision

Precision of peer clock in hertz.

version

NTP version number that peer is using.

org time

Originate time stamp.

rcv time

Receive time stamp.

xmt time

Transmit time stamp.

filtdelay

Round-trip delay (in milliseconds) of each sample.

filtoffset

Clock offset (in milliseconds) of each sample.

filterror

Approximate error of each sample.

Example 9-3 provides sample output for the show ntp status command:

Example 9-3 Output of the show ntp status Command
pixfirewall(config)# show ntp status
Clock is synchronized, stratum 5, reference is 172.23.56.249
nominal freq is 99.9984 Hz, actual freq is 100.0266 Hz, precision is 2**6
reference time is c02128a9.73c1954b (20:29:29.452 UTC Fri Feb 22 2002)
clock offset is -0.2403 msec, root delay is 42.51 msec
root dispersion is 135.01 msec, peer dispersion is 125.21 msec
Table 9-3 describes the meaning of the values in each column:

Table 9-3 Output Description from ntp status Command

Output Column Heading

Description

synchronized

System is synchronized to an NTP peer.

unsynchronized

System is not synchronized to any NTP peer.

stratum

NTP stratum of this system.

reference

Address of peer to which the system is synchronized.

nominal freq

Nominal frequency of system hardware clock.

actual freq

Measured frequency of system hardware clock.

precision

Precision of the clock of this system (in hertz).

reference time

Reference time stamp.

clock offset

Offset of the system clock to synchronized peer.

root delay

Total delay along path to root clock.

root dispersion

Dispersion of root path.

peer dispersion

Dispersion of synchronized peer.

Managing the PIX Firewall Clock

This section describes how to manage the PIX Firewall system clock and includes the following topics:

•Viewing System Time

•Setting the System Clock

•Setting Daylight Savings Time and Timezones

Viewing System Time

To view the current system time, enter the following command:
show clock [detail]
This command displays the system time. The detail option displays the clock source and the current summer-time setting. PIX Firewall Version 6.2 and higher provides milliseconds, timezone, and day.

For example:
16:52:47.823 PST Wed Feb 21 2001
Setting the System Clock

To set the system time, enter the following command:

clock set hh:mm:ss month day year

Replace hh:mm:ss with the current hours (1-24), minutes, and seconds. Replace month with the first three characters of the current month. Replace day with the numeric date within the month (1-31), and replace year with the four-digit year (permitted range is 1993 to 2035).

Setting Daylight Savings Time and Timezones

PIX Firewall Version 6.2 and higher also provides enhancements to the clock command to support daylight savings (summer) time and time zones.

To configure daylight savings (summer) time, enter the following command:
clock summer-time zone recurring [week weekday month hh:mm week weekday month hh:mm 
[offset]]
The summer-time keyword automatically switches to summer time (for display purposes only).

The recurring keyword indicates that summer time should start and end on the days specified by the values that follow this keyword. If no values are specified, the summer time rules default to United States rules. The week option is the week of the month (1 to 5 or last). The weekday option is the day of the week (Sunday, Monday,...). The month parameter is the full name of the month (January, February,...). The hh:mm parameter is the time (24-hour military format) in hours and minutes. The offset option is the number of minutes to add during summer time (default is 60).

Use either of the following commands when the recurring keyword cannot be used:
clock summer-time zone date date month year hh:mm date month year hh:mm [offset]
clock summer-time zone date month date year hh:mm month date year hh:mm [offset]
The date keyword causes summer time to start on the first date listed in the command and to end on the second specific date in the command. Two forms of the command are included to enter dates either in the form month date (for example, January 31) or date month (for example, 31 January).

In both forms of the command, the first part of the command specifies when summer time begins, and the second part specifies when it ends. All times are relative to the local time zone.

If the starting month is after the ending month, the Southern Hemisphere is assumed.

The zone parameter is the name of the time zone (for example, PDT) to be displayed when summer time is in effect. The week option is the week of the month (1 to 5 or last). The weekday option is the day of the week (Sunday, Monday,...). The date parameter is the date of the month (1 to 31). The month parameter is the full name of the month (January, February,...). The year parameter is the four-digit year (1993 to 2035). The hh:mm parameter is the time (24-hour military format) in hours and minutes. The offset option is the number of minutes to add during summer time (default is 60).

To set the time zone for display purposes only, enter the following command:
clock timezone zone hours [minutes]
The clock timezone command sets the time zone for display purposes (internally, the time is kept in UTC). The no form of the command is used to set the time zone to Coordinated Universal Time (UTC). The zone parameter is the name of the time zone to be displayed when standard time is in effect. The hours parameter is the hours offset from UTC. The minutes option is the minutes offset from UTC.

The clear clock command will remove the summer time setting and set the time zone to UTC.

Using Telnet for Remote System Management

Note SSH provides another option for remote management of the PIX Firewall when using a less secure interface. For further information, refer to "Using SSH for Remote System Management."

The serial console lets a single user configure the PIX Firewall, but often this is not convenient for a site with more than one administrator. PIX Firewall lets you access the console via Telnet from hosts on any internal interface. With IPSec configured, you can use Telnet to remotely administer the console of a PIX Firewall from lower security interfaces.

This section includes the following topics:

•Configuring Telnet Console Access to the Inside Interface

•Allowing a Telnet Connection to the Outside Interface

•Using Telnet

•Trace Channel Feature

Configuring Telnet Console Access to the Inside Interface

Note See the telnet command page within the Cisco PIX Firewall Command Reference for more information about this command.

Follow these steps to configure Telnet console access:

Step 1 Enter the PIX Firewall telnet command.

For example, to let a host on the internal interface with an address of 192.168.1.2 access the PIX Firewall, enter the following:
telnet 192.168.1.2 255.255.255.255 inside
To Telnet to a lower security interface, refer to "Allowing a Telnet Connection to the Outside Interface."

Step 2 If required, set the duration for how long a Telnet session can be idle before PIX Firewall disconnects the session.

The default duration, 5 minutes, is too short in most cases and should be increased until all pre-production testing and troubleshooting has been completed. Set a longer idle time duration as shown in the following example.
telnet timeout 15
Step 3 To protect access to the console with an authentication server, use the aaa authentication telnet console command.

This requires that you have a username and password on the authentication server. When you access the console, PIX Firewall prompts you for these login credentials. If the authentication server is off line, you can still access the console by using the username pix and the password set with the enable password command.

Step 4 Save the commands in the configuration using the write memory command.

Example 9-4 shows commands for using Telnet to permit host access to the PIX Firewall console.

Example 9-4 Using Telnet
telnet 10.1.1.11 255.255.255.255
telnet 192.168.3.0 255.255.255.0
The first telnet command permits a single host, 10.1.1.11 to access the PIX Firewall console with Telnet. The 255 value in the last octet of the netmask means that only the specified host can access the console.

The second telnet command permits PIX Firewall console access from all hosts on the 192.168.3.0 network. The 0 value in the last octet of the netmask permits all hosts in that network access.

Note A maximum of five (5) active Telnet sessions are simultaneously allowed to the PIX Firewall console.

Allowing a Telnet Connection to the Outside Interface

This section tells you how to configure a Telnet connection to a lower security interface of the PIX Firewall. It includes the following topics:

•Overview

•Using Telnet with an Easy VPN Remote Device

•Using Cisco Secure VPN Client Version 1.1

Overview

This section also applies when using the Cisco Secure Policy Manager Version 2.0 or higher. It is assumed you are using the Cisco VPN Client version 3.x, Cisco Secure VPN Client version 1.1, or the Cisco VPN 3000 Client version 2.5, to initiate the Telnet connection.

Note Use the auth-prompt command for changing the login prompt for Telnet sessions through the PIX Firewall. It does not change the login prompt for Telnet sessions to the PIX Firewall.

Once you have configured Telnet access, refer to "Using Telnet" for more information about using this command.

Note You must have two security policies set up on your VPN client. One security policy is used to secure your Telnet connection and another is used to secure your connection to the inside network.

Using Telnet with an Easy VPN Remote Device

The following are the different types of Easy VPN Remote devices you can use with a PIX Firewall used as an Easy VPN Remote Server:

•Software clients—Connect directly to the Easy VPN Server but require prior installation and configuration of client software on each host computer. These include the following:

–Cisco VPN Client Version 3.x (also known as Unity Client 3.x)

–Cisco VPN 3000 Client Version 2.5 (also known as the Altiga VPN Client Version 2.5)

•Hardware clients—Allow multiple hosts on a remote network to access a network protected by an Easy VPN Server without any special configuration or software installation on the remote hosts. These include the following:

–PIX 501 or PIX 506/506E

–Cisco VPN 3002 Hardware Client

–Cisco IOS-based Easy VPN Remote devices (for example, Cisco 800 series and 1700 series routers)

For more information about configuring a PIX Firewall as an Easy VPN Server or for configuring Easy VPN Remote devices to connect to the PIX Firewall, refer to Chapter 8, "Managing VPN Remote Access."

To open a VPN tunnel for running a Telnet session to a PIX Firewall from an Easy VPN Remote device, follow these steps:

Step 1 Set up IPSec by entering the following commands:
isakmp policy 10 authentication pre-share
isakmp policy 10 group 2
isakmp enable outside
crypto ipsec transform-set esp-des-md5 esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set esp-des-md5
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
Step 2 Set up an IP pool for the Telnet session by entering the following commands:
ip local pool tnpool 1.1.1.1-1.1.1.1
Step 3 Set up Telnet access by entering the following command:
telnet 1.1.1.1 255.255.255.255 outside
Step 4 Set up the VPN group for the remote Telnet user by entering the following commands:
vpngroup telnet address-pool tnpool
vpngroup telnet password 12345678
Step 5 Setup the VPN client authentication by entering the following commands:
group telnet
password 12345678
Using Cisco Secure VPN Client Version 1.1

This section applies if you are using a Cisco Secure VPN Client Version 1.1. In the example, the IP address of the PIX Firewall's outside interface is 168.20.1.5, and the Cisco Secure VPN Client's IP address, derived from the virtual pool of addresses, is 10.1.2.0.

To encrypt your Telnet connection to a PIX Firewall lower interface, perform the following steps as part of your PIX Firewall configuration:

Step 1 Create an access-list command statement to define the traffic to protect from the PIX Firewall to the VPN client using a destination address from the virtual local pool of addresses:
access-list 80 permit ip host 168.20.1.5 10.1.2.0 255.255.255.0
Step 2 Specify which host can access the PIX Firewall console with Telnet:
telnet 10.1.2.0 255.255.255.0 outside
Specify the VPN client's address from the local pool and the outside interface.

Step 3 Within the VPN client, create a security policy that specifies the Remote Party Identity IP address and gateway IP address as the same IP address—the IP address of the PIX Firewall's outside interface. In this example, the IP address of the PIX Firewall's outside is 168.20.1.5.

Step 4 Configure the rest of the security policy on the VPN client to match the PIX Firewall's security policy.

Note To complete the configuration of the VPN client, refer to the vpngroup command in the Cisco PIX Firewall Command Reference.

Using Telnet

Perform the following steps to test Telnet access:

Step 1 From the host, start a Telnet session to a PIX Firewall interface IP address.

If you are using Windows 95 or Windows NT, click Start>Run to start a Telnet session. For example, if the inside interface IP address is 192.168.1.1, enter the following command.
telnet 192.168.1.1
Step 2 The PIX Firewall prompts you with a password:
PIX passwd: 
Enter cisco and press the Enter key. You are then logged into the PIX Firewall.

The default password is cisco, which you can change with the passwd command.

You can enter any command on the Telnet console that you can set from the serial console, but if you reboot the PIX Firewall, you must log back into the PIX Firewall after it restarts.

Some Telnet applications such as the Windows 95 or Windows NT Telnet sessions may not support access to the PIX Firewall's command history feature used with the arrow keys. However, you can access the last entered commands by pressing Ctrl-P.

Step 3 Once you have Telnet access available, you may want to view ping information while debugging.

You can view ping information from Telnet sessions with the debug icmp trace command. The Trace Channel feature also affects debug displays, which is explained in "Trace Channel Feature."

Messages from a successful ping appear as follows:
Outbound ICMP echo request (len 32 id 1 seq 512) 209.165.201.2 > 209.165.201.1
Inbound ICMP echo reply (len 32 id 1 seq 256) 209.165.201.1 > 209.165.201.23
Step 4 In addition, you can use the Telnet console session to view syslog messages:

a. Display start messages with the logging monitor 7 command. The "7" will cause all syslog message levels to display.

If you are using the PIX Firewall in production mode, you may wish to use the logging buffered 7 command to store messages in a buffer that you can view with the show logging command, and clear the buffer for easier viewing with the clear logging command. To stop buffering messages, use the no logging buffered command.

You can also lower the number from 7 to a lesser value, such as 3, to limit the number of messages that appear.

b. If you entered the logging monitor command, then enter the terminal monitor command to cause the messages to display in your Telnet session. To disable message displays, use the terminal no monitor command.

Trace Channel Feature

The debug packet command sends its output to the Trace Channel. All other debug commands do not. Use of Trace Channel changes the way you can view output on your screen during a PIX Firewall console or Telnet session.

If a debug command does not use Trace Channel, each session operates independently, which means any commands started in the session only appear in the session. By default, a session not using Trace Channel has output disabled by default.

The location of the Trace Channel depends on wh