
Management

This section rounds out the basic security appliance configuration commands. In the following sections, I cover how to allow remote CLI access to the appliance for management purposes and some basic testing and monitoring tools that you can use on your appliance.

Remote Access

By default, the only access that the appliance allows is on the console port—HTTP (ASDM), telnet, and SSH access are denied. The following sections show you how to enable the latter two types of access to the appliance; ASDM access is discussed in Chapter 27.

Telnet

To allow telnet access to your appliance, you need to configure two commands. First, you should assign a telnet password with the passwd command discussed in the “User EXEC Password” section of this chapter. Second, you must specify the IP addresses that are allowed access to the appliance with the telnet Configuration mode command:

ciscoasa(config)# telnet IP_address subnet_mask [logical_if_name]

If you omit the name of the logical interface, it defaults to inside. You can list up to 16 hosts or networks with multiple telnet commands.

If you want to allow telnet access from all internal machines, use the following syntax:

ciscoasa(config)# telnet 0 0 inside

Remember that you can abbreviate 0.0.0.0 as 0.

To allow access from only a specific internal network segment, use this syntax:

ciscoasa(config)# telnet 192.168.4.0 255.255.255.0 inside

If you want to allow telnet access from only a specific machine, use this configuration:

ciscoasa(config)# telnet 192.168.5.2 255.255.255.255 inside

Note that you can enter the telnet command multiple times to set your telnet access policies. To see your telnet access policies, use the show run telnet command.

The default timeout for idle telnet sessions is 5 minutes. You can change this with the telnet timeout command:

ciscoasa(config)# telnet timeout number_of_minutes

The time can range from 1 to 60 minutes.

To see who is currently logged into the appliance via telnet, use the who command:

ciscoasa# who
1: From 192.168.1.7
2: From 192.168.1.2

The first number is the session ID and is unique for each logged-in user. You can terminate a telnet connection by using the kill command:

ciscoasa# kill session_ID

You can view the session IDs by using the who command. When you’re terminating a session, the appliance allows the telnet user to complete any currently executing command and then, without warning, terminates the user’s telnet connection.

SSH

Secure shell (SSH) allows a user to establish a pseudo-console connection via a remote secure shell. SSH basically provides an encrypted CLI connection between the client and the appliance by using the RSA encryption algorithm. One limitation of using telnet is that you cannot telnet to the appliance from the outside interface; SSH does not have this limitation.

To allow SSH access, you must configure the following on your appliance:

  • Define a hostname and domain name.

  • Generate a public/private RSA key combination.

  • Specify the addresses allowed to access the appliance via SSH.

I have already talked about assigning a hostname and domain name to the appliance in the “Host and Domain Names” section. A public/private RSA key combination is used to secure the connection for the secure shell. To create your keying information, use the crypto key generate rsa command:

ciscoasa(config)# crypto key generate rsa [modulus_size]

To execute the preceding command, you must first install either a DES or 3DES/AES license key if one has not already been installed. The modulus size can be 512, 768, 1024, or 2048 bits; if you omit it, the modulus defaults to 1024 bits. The larger the size, the more secure the connection will be.

Here is an example of generating an RSA key pair for SSH:

bigdog(config)# crypto key generate rsa
WARNING: You have a RSA keypair already defined named
.
Do you really want to replace them? [yes/no]: yes
Keypair generation process begin. Please wait...
bigdog(config)#

You can have multiple RSA key pairs on your appliance, which are discussed in Chapter 15. By default, SSH uses the “Default-RSA-Key” pair; so if it already exists, you’ll be prompted to overwrite it.

To see the public key created by the crypto key generate rsa command, use the show crypto key mypubkey rsa command like this:

ciscoasa(config)# show crypto key mypubkey rsa
Key pair was generated at: 13:27:25 UTC Jul 18 2008
Key name:
Usage: General Purpose Key
Modulus Size (bits): 1024
Key Data:
30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181
00b27da4 3243ec84 e8b44059 1c8393f6 92b3db8c fa641f39 ee0c3775
afe8bb24 792f2691 0cace31d 619183d9 f7efdaa1 52ba98fe 79152d66
a71b7e7e 8969e9af d256bbfe f0d14ed0 44ea416b 0becbd5c eb4ec25d
74b6049e 5ea4a064 ee12550b 3b4d989f 5e9205a1 0092c033 2119641f
770a62d3 8ee7c9db c560185d f7f7aabd ff020301 0001

Use the write memory command to store RSA key pairs in flash memory. I discuss RSA and public/private keys in more depth in Chapters 15 and 16.

Once you have created your RSA key pair, you can now specify the addresses permitted to establish SSH connections to the appliance. Use the ssh command to specify permitted addresses:

ciscoasa(config)# ssh ip_address subnet_mask [logical_if_name]

The default idle timeout for SSH sessions is 5 minutes. To alter this value, use the ssh timeout command:

ciscoasa(config)# ssh timeout minutes

To see your SSH commands, use the show run ssh command.

To see what users have current SSH connections to the appliance, use the show ssh sessions command:

ciscoasa# show ssh sessions
Session ID Client IP Version Encryption State Username
0 192.168.1.2 1.5 DES 6 pix

To disconnect a session, use the ssh disconnect command:

ciscoasa# ssh disconnect session_ID

The session ID number is shown with the show ssh sessions command.


Note

If you’re logging into the appliance using SSH when you are not using AAA, the username you enter is “pix” (for both the PIX and ASA), and the password is the password from the passwd command.
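As an added example (not code from the book or from Cisco), the following Python script parses the telnet and ssh lines of a running configuration, in the form the telnet and SSH sections above describe, and reports what a defender reviewing management access would want flagged: cleartext telnet access, access permitted from any source, and idle timeouts above a chosen limit. The sample configuration text, the regular expressions and the 10-minute limit are assumptions made for the example; the 0 shorthand for 0.0.0.0, the default interface of inside and the 5-minute default timeout follow the text above.

```python
import ipaddress
import re

# Constructed sample of "show run telnet" / "show run ssh" output (assumption,
# not captured from a real appliance).
SAMPLE_RUN = """\
telnet 0 0 inside
telnet 192.168.5.2 255.255.255.255 inside
telnet timeout 5
ssh 192.168.3.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
ssh version 2
"""

ACCESS_RE = re.compile(r"^(telnet|ssh)\s+(\S+)\s+(\S+)(?:\s+(\S+))?$")
TIMEOUT_RE = re.compile(r"^(telnet|ssh)\s+timeout\s+(\d+)$")
DEFAULT_IDLE_MINUTES = 5  # appliance default for both telnet and ssh


def parse_remote_access(text):
    """Parse telnet/ssh permit lines and idle timeouts from running-config text.

    Returns (entries, timeouts): entries is a list of dicts with keys
    proto, net (ipaddress.IPv4Network) and interface; timeouts maps
    'telnet'/'ssh' to the configured idle timeout in minutes.
    """
    entries, timeouts = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = TIMEOUT_RE.match(line)
        if m:
            timeouts[m.group(1)] = int(m.group(2))
            continue
        m = ACCESS_RE.match(line)
        if not m:
            continue
        proto, addr, mask, ifname = m.groups()
        # The CLI accepts 0 as shorthand for 0.0.0.0 in both fields.
        addr = "0.0.0.0" if addr == "0" else addr
        mask = "0.0.0.0" if mask == "0" else mask
        try:
            net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
        except ValueError:
            continue  # e.g. "ssh version 2" is not an address entry
        # When the interface name is omitted the appliance assumes "inside".
        entries.append({"proto": proto, "net": net, "interface": ifname or "inside"})
    return entries, timeouts


def audit(entries, timeouts, max_idle_minutes=10):
    """Return a list of human-readable findings for a defender to review."""
    findings = []
    for e in entries:
        where = f"{e['net']} on {e['interface']}"
        if e["proto"] == "telnet":
            findings.append(f"telnet (cleartext) permitted from {where}; prefer ssh")
        if e["net"].prefixlen == 0:
            findings.append(f"{e['proto']} permitted from any source on {e['interface']}")
    for proto in ("telnet", "ssh"):
        idle = timeouts.get(proto, DEFAULT_IDLE_MINUTES)
        if idle > max_idle_minutes:
            findings.append(f"{proto} idle timeout is {idle} min (> {max_idle_minutes})")
    return findings


if __name__ == "__main__":
    parsed_entries, parsed_timeouts = parse_remote_access(SAMPLE_RUN)
    for finding in audit(parsed_entries, parsed_timeouts):
        print(finding)
```

Feed it the output of show run telnet and show run ssh from a real appliance; entries that name no interface are reported as inside, matching the appliance default, so a review of the findings reflects what the appliance actually enforces.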

Connectivity Testing

To verify that you have IP connectivity, you can use three basic troubleshooting commands: ping, traceroute, and show arp. The following sections cover these appliance commands.

Ping

To test whether you have a connection with other IP devices, you can execute the ping command:

ciscoasa# ping [logical_if_name] destination_IP_address
[data pattern] [repeat count] [size bytes]
[timeout seconds] [validate]

The logical_if_name parameter allows you to specify which interface IP address to use as the source of the ping. If you omit the name, it will default to the IP address of the interface that the appliance will use to reach the destination. You can include a data pattern in the ICMP payload, specify the number of pings to perform (four by default), the size of the pings (100 bytes by default), the timeout when waiting for echo replies (2 seconds by default), and validation of the payload.

If you cannot ping a destination, verify that the appliance’s interface(s) are up and that you have the correct IP addresses assigned to them. You can use the show interfaces or show ip command to verify this. You can also use the debug icmp trace command to see the actual ICMP packets. Once you have assigned an IP address to an interface on the appliance, you can verify its accessibility by pinging it from another machine in the same subnet. On the appliance, first enter the debug icmp trace command to enable debugging for ICMP traffic. Then go to another machine on the same subnet, and ping the appliance’s interface. Your output will look something like this:

ciscoasa# debug icmp trace
ICMP trace on
Warning: this may cause problems on busy networks
ciscoasa#
1: ICMP echo request (len 32 id 2 seq 256) 192.168.1.2 > 192.168.1.1
2: ICMP echo reply (len 32 id 2 seq 256) 192.168.1.1 > 192.168.1.2
<--output omitted-->

The output of the command is fairly readable: there were four echo requests from the machine and four replies from the appliance (the last two sets were omitted from the output). To turn off the debug for ICMP, preface the preceding command with the no parameter: no debug icmp trace; or you could use the undebug all or no debug all commands.
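Reading a debug icmp trace by eye works for four pings; for a longer capture it helps to pair each reply with its request automatically. The Python below is an added example, not code from the book, that parses trace lines in the format shown above and matches replies to requests by ICMP id/seq with the source and destination swapped, so unanswered requests (a host that is down or filtered) and unsolicited replies (no request seen) stand out. The trace text is constructed for the example: the first two packet lines mirror the format above, the rest are made up so that one request (seq 768) has no reply and one reply (from 10.0.0.9) has no request.

```python
import re

TRACE_RE = re.compile(
    r"^\d+:\s+ICMP echo (request|reply) \(len (\d+) id (\d+) seq (\d+)\) (\S+) > (\S+)$"
)

# Constructed debug icmp trace capture (assumption, not a real session).
SAMPLE_TRACE = """\
ciscoasa# debug icmp trace
ICMP trace on
Warning: this may cause problems on busy networks
ciscoasa#
1: ICMP echo request (len 32 id 2 seq 256) 192.168.1.2 > 192.168.1.1
2: ICMP echo reply (len 32 id 2 seq 256) 192.168.1.1 > 192.168.1.2
3: ICMP echo request (len 32 id 2 seq 512) 192.168.1.2 > 192.168.1.1
4: ICMP echo reply (len 32 id 2 seq 512) 192.168.1.1 > 192.168.1.2
5: ICMP echo request (len 32 id 2 seq 768) 192.168.1.2 > 192.168.1.1
6: ICMP echo request (len 32 id 2 seq 1024) 192.168.1.2 > 192.168.1.1
7: ICMP echo reply (len 32 id 2 seq 1024) 192.168.1.1 > 192.168.1.2
8: ICMP echo reply (len 32 id 9 seq 1) 10.0.0.9 > 192.168.1.1
"""


def parse_icmp_trace(text):
    """Turn debug icmp trace packet lines into dicts; other lines are ignored."""
    packets = []
    for line in text.splitlines():
        m = TRACE_RE.match(line.strip())
        if m:
            kind, length, ident, seq, src, dst = m.groups()
            packets.append({"kind": kind, "len": int(length), "id": int(ident),
                            "seq": int(seq), "src": src, "dst": dst})
    return packets


def match_echoes(packets):
    """Pair each echo reply with its request (same id/seq, reversed addresses).

    Returns a dict with 'answered' (request, reply) pairs, 'unanswered'
    requests, and 'unsolicited' replies that matched no request.
    """
    pending = {}
    answered, unsolicited = [], []
    for p in packets:
        if p["kind"] == "request":
            pending[(p["id"], p["seq"], p["src"], p["dst"])] = p
        else:
            # The reply's source is the request's destination and vice versa.
            req = pending.pop((p["id"], p["seq"], p["dst"], p["src"]), None)
            if req is None:
                unsolicited.append(p)
            else:
                answered.append((req, p))
    return {"answered": answered, "unanswered": list(pending.values()),
            "unsolicited": unsolicited}


def reply_rate(result):
    """Fraction of requests that received a reply (0.0 when there were none)."""
    total = len(result["answered"]) + len(result["unanswered"])
    return len(result["answered"]) / total if total else 0.0


if __name__ == "__main__":
    summary = match_echoes(parse_icmp_trace(SAMPLE_TRACE))
    print(f"reply rate: {reply_rate(summary):.0%}")
    for req in summary["unanswered"]:
        print(f"no reply to id {req['id']} seq {req['seq']} from {req['src']}")
    for rep in summary["unsolicited"]:
        print(f"unsolicited reply from {rep['src']} (id {rep['id']} seq {rep['seq']})")
```

Remember that the trace itself can be costly on a busy network, as the appliance warns when you enable it; turn it off with no debug icmp trace once the capture you want is saved.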

Traceroute

Starting in version 7.2, the security appliances support the traceroute command, which allows you to trace the layer 3 hops that packets go through to reach a destination. Here is the syntax of the command:

ciscoasa# traceroute dst_ip_address [source src_ip_addr |
logical_src_if_name] [numeric] [timeout timeout_value]
[probe probe_num] [ttl min_ttl max_ttl]
[port port_value] [use-icmp]

The only required parameter is the destination IP address. Optionally, you can specify a different source IP address on the appliance than the one it will use when exiting the destination interface. Also, you can disable the reverse-DNS lookup with the numeric parameter. The default timeout for replies is 3 seconds and can be changed with the timeout parameter. The default number of probes for each layer 3 hop is 3, but can be changed with the probe parameter. You can control the number of hops with the ttl parameter. By default, traceroute uses UDP port 33,434, but can be changed with the port parameter. And instead of using UDP, you can specify the use of ICMP when performing the traceroute with the use-icmp parameter.

Address Resolution Protocol (ARP)

The TCP/IP ARP protocol resolves an IP address (layer 3) to a MAC address (layer 2). MAC addresses are used for communications between devices on the same segment or subnet, that is, the same LAN medium. Anytime the appliance initiates connections or receives requests for connections to itself, it will add the connected device’s IP and MAC addresses to its local ARP table. To view the appliance ARP table, use the show arp command, as shown here:

ciscoasa# show arp
inside 192.168.7.200 00e0.9871.b91e

Currently one entry is in the appliance ARP table: a device with an IP address of 192.168.7.200 that is off of the inside interface. You can clear the entries in the ARP table with the clear arp [logical_if_name] command.

By default, the appliance keeps addresses in the ARP table for 4 hours (14,400 seconds). You can modify the timeout for ARP entries with the arp timeout command:

ciscoasa(config)# arp timeout seconds

To view the timeout that you have configured, use the show run arp timeout command.

You can manually add or remove an entry from the ARP table by using the appliance Configuration mode commands shown here:

ciscoasa(config)# arp logical_if_name IP_address MAC_address [alias]
ciscoasa(config)# no arp logical_if_name IP_address

You need to specify the name of the interface that the device is off of, as well as the device IP and MAC addresses. If you add the alias parameter, the entry will become a permanent entry in the ARP table; if you save the appliance’s configuration, then the static ARP entry is saved, even upon a reboot of the appliance. If you omit the alias parameter, any rebooting of the appliance will cause the appliance to lose the static ARP configuration.
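Because the ARP table is learned dynamically, a useful defensive check is to compare two show arp snapshots and report any IP whose MAC changed between them, which is the symptom a monitoring team would want to investigate, and to turn a known-good baseline into the permanent arp ... alias entries described above. The Python below is an added example, not code from the book; the two snapshot texts are constructed for it, and the regular expression tolerates an optional trailing age column that newer versions print but the output above does not show.

```python
import re

# Interface, dotted IP, Cisco-style MAC, optional age in seconds.
ARP_RE = re.compile(
    r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})(?:\s+\d+)?$"
)

# Constructed snapshots of "show arp" output (assumption, not real captures).
BASELINE = """\
ciscoasa# show arp
inside 192.168.7.200 00e0.9871.b91e
inside 192.168.7.10 0011.2233.4455
dmz 192.168.2.5 00aa.bbcc.dd01
"""
CURRENT = """\
ciscoasa# show arp
inside 192.168.7.200 00e0.9871.b91e
inside 192.168.7.10 0011.2233.4466
dmz 192.168.2.5 00aa.bbcc.dd01
outside 192.168.1.254 0050.5688.0001
"""


def parse_arp(text):
    """Map (interface, ip) -> mac for each show arp entry line."""
    table = {}
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if m:
            ifname, ip, mac = m.groups()
            table[(ifname, ip)] = mac.lower()
    return table


def diff_arp(baseline, current):
    """Report entries whose MAC changed, plus additions and removals."""
    changed = [(key, baseline[key], current[key])
               for key in baseline
               if key in current and baseline[key] != current[key]]
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"changed": changed, "added": added, "removed": removed}


def static_arp_commands(table, interface):
    """Build 'arp <if> <ip> <mac> alias' lines that pin one interface's entries."""
    return [f"arp {ifname} {ip} {mac} alias"
            for (ifname, ip), mac in sorted(table.items()) if ifname == interface]


if __name__ == "__main__":
    report = diff_arp(parse_arp(BASELINE), parse_arp(CURRENT))
    for (ifname, ip), old, new in report["changed"]:
        print(f"MAC for {ip} on {ifname} changed: {old} -> {new}")
    for ifname, ip in report["added"]:
        print(f"new entry: {ip} on {ifname}")
    for cmd in static_arp_commands(parse_arp(BASELINE), "inside"):
        print(cmd)
```

A MAC change for an existing IP has benign explanations (a replaced NIC, a failover pair), so treat the report as a prompt to confirm with the device owner, not as proof of spoofing. Pin only addresses you control and document, since a stale alias entry will silently break connectivity when that host's hardware changes.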

Hardware and Software Information

The security appliances support a multitude of show commands. Many of these commands are the same commands that you would execute on an IOS-based device to see the same kinds of information. The following sections will cover some common show commands, including show version, show memory, and show cpu usage.

Version Information

To display the hardware and software characteristics of your security appliance, use the show version command. The information that you can see from this command is similar to the show version command on an IOS-based device. With this command, you can see the following information about your appliance: OS software and ASDM versions, uptime since last reboot, type of processor, amount of RAM and flash, interfaces, licensed features, serial number, activation key, and the timestamp showing when configuration was last changed.

The following is an example of the show version command on an ASA 5505 running version 8.0(3):

bigdog# show version
Cisco Adaptive Security Appliance Software Version 8.0(3)
Device Manager Version 6.1(1)

Compiled on Tue 06-Nov-07 22:59 by builders
System image file is "disk0:/asa803-k8.bin"
Config file at boot was "startup-config"
bigdog up 2 hours 39 mins

Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator
(revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.01
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Int: Internal-Data0/0 : address is 001f.9e2e.e51a, irq 11
1: Ext: Ethernet0/0 : address is 001f.9e2e.e512, irq 255
2: Ext: Ethernet0/1 : address is 001f.9e2e.e513, irq 255
3: Ext: Ethernet0/2 : address is 001f.9e2e.e514, irq 255
4: Ext: Ethernet0/3 : address is 001f.9e2e.e515, irq 255
5: Ext: Ethernet0/4 : address is 001f.9e2e.e516, irq 255
6: Ext: Ethernet0/5 : address is 001f.9e2e.e517, irq 255
7: Ext: Ethernet0/6 : address is 001f.9e2e.e518, irq 255
8: Ext: Ethernet0/7 : address is 001f.9e2e.e519, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 20, DMZ Unrestricted
Inside Hosts : 10
Failover : Active/Standby
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 25
WebVPN Peers : 2
Dual ISPs : Enabled
VLAN Trunk Ports : 8
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled

This platform has an ASA 5505 Security Plus license.
Serial Number: JMX1209Z0CM
Running Activation Key: 0x84016a7e 0x0c293f62 0x9c7201c8 0x85641c50
0x882de4ab
Configuration register is 0x1
Configuration last modified by enable_15 at 14:33:47.385
UTC Fri Jul 18 2008
bigdog#

Notice that the license installed on the ASA 5505 is the Security Plus license, which allows for failover (active/standby), more VLANs, and an unrestricted DMZ.

Memory Usage

The security appliances use RAM to store many of their components, including their active configuration, the translation table, the state (conn) table, the ARP table, a routing table, and many other tables. Because RAM is an important resource that the appliances use to enforce their security policies, you should periodically check how much RAM is free on the appliance. To view this information, use the show memory Privilege EXEC command:

ciscoasa# show memory
Free memory: 141399240 bytes (53%)
Used memory: 127036216 bytes (47%)
------------- ----------------
Total memory: 268435456 bytes (100%)

CPU Utilization

To see the process CPU utilization of your security appliance, use the show cpu usage Privilege EXEC command, as shown here:

ciscoasa# show cpu usage
CPU utilization for 5 seconds = 20%; 1 minute: 14%; 5 minutes: 14%

You can see the CPU utilization over the last 5 seconds, 1 minute, and 5 minutes. Again, periodically you should check this to ensure that your appliance CPU can handle the load that goes through it; if not, you’ll need to replace your appliance with a higher model.
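The version, memory and CPU outputs above are meant to be checked periodically, which in practice means parsing them rather than reading them by hand. The Python below is an added example, not code from the book, that extracts the software version, serial number and licensed-features block from show version, the byte counts and percentages from show memory, and the three averages from show cpu usage, then applies free-memory and 5-minute CPU thresholds and lists required licensed features that are Disabled. The memory and CPU sample text copies the output above; the show version excerpt is a shortened, constructed version of the format above with a placeholder serial number, and the thresholds are assumptions.

```python
import re

# Constructed show version excerpt in the format shown above (assumption; the
# serial number is a placeholder, not a real value).
SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 8.0(3)
Device Manager Version 6.1(1)

bigdog up 2 hours 39 mins

Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 20, DMZ Unrestricted
Failover : Active/Standby
VPN-DES : Enabled
VPN-3DES-AES : Enabled
AnyConnect for Mobile : Disabled

This platform has an ASA 5505 Security Plus license.
Serial Number: SERIAL-PLACEHOLDER
"""
SHOW_MEMORY = """\
Free memory: 141399240 bytes (53%)
Used memory: 127036216 bytes (47%)
------------- ----------------
Total memory: 268435456 bytes (100%)
"""
SHOW_CPU = "CPU utilization for 5 seconds = 20%; 1 minute: 14%; 5 minutes: 14%\n"

VERSION_RE = re.compile(r"Security Appliance Software Version (\S+)")
SERIAL_RE = re.compile(r"^Serial Number:\s*(\S+)", re.M)
LICENSE_RE = re.compile(r"^(.+?)\s*:\s*(.+)$")
MEM_RE = re.compile(r"^(Free|Used|Total) memory:\s+(\d+) bytes \((\d+)%\)", re.M)
CPU_RE = re.compile(r"5 seconds = (\d+)%; 1 minute: (\d+)%; 5 minutes: (\d+)%")


def parse_show_version(text):
    """Extract software version, serial number and the licensed-features block."""
    info = {"version": None, "serial": None, "licenses": {}}
    m = VERSION_RE.search(text)
    if m:
        info["version"] = m.group(1)
    m = SERIAL_RE.search(text)
    if m:
        info["serial"] = m.group(1)
    in_block = False
    for line in text.splitlines():
        if line.startswith("Licensed features for this platform:"):
            in_block = True
            continue
        if in_block:
            if not line.strip():
                break  # the blank line ends the feature block
            m = LICENSE_RE.match(line.strip())
            if m:
                info["licenses"][m.group(1)] = m.group(2)
    return info


def parse_show_memory(text):
    """Return {'free': (bytes, pct), 'used': (bytes, pct), 'total': (bytes, pct)}."""
    return {k.lower(): (int(b), int(pct)) for k, b, pct in MEM_RE.findall(text)}


def parse_show_cpu(text):
    """Return the 5-second, 1-minute and 5-minute utilisation percentages."""
    m = CPU_RE.search(text)
    if not m:
        raise ValueError("unrecognised show cpu usage output")
    return {"5s": int(m.group(1)), "1m": int(m.group(2)), "5m": int(m.group(3))}


def check_health(mem, cpu, min_free_pct=20, max_cpu_5m_pct=80):
    """Threshold checks a monitoring job would raise alerts on."""
    alerts = []
    free_pct = mem["free"][1]
    if free_pct < min_free_pct:
        alerts.append(f"free memory {free_pct}% below {min_free_pct}%")
    if cpu["5m"] > max_cpu_5m_pct:
        alerts.append(f"5-minute CPU {cpu['5m']}% above {max_cpu_5m_pct}%")
    return alerts


def disabled_required_features(info, required):
    """Required licensed features that are Disabled or absent from show version."""
    return [f for f in required if info["licenses"].get(f, "Disabled") == "Disabled"]


if __name__ == "__main__":
    version_info = parse_show_version(SHOW_VERSION)
    print(version_info["version"], version_info["serial"])
    print(check_health(parse_show_memory(SHOW_MEMORY), parse_show_cpu(SHOW_CPU)))
    print(disabled_required_features(version_info, ["VPN-3DES-AES", "AnyConnect for Mobile"]))
```

The 5-minute CPU average is the one to alert on, since the 5-second figure spikes on every burst; the 1-minute and 5-second values are still worth logging so that you can see a sustained climb before it becomes an outage.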


ASA Configuration Example

In this section, I will go over a basic appliance configuration using an ASA 5510 by using the network shown in Figure 3-1. Listing 3-1 shows the basic configuration for the appliance shown in Figure 3-1.

Listing 3-1: A sample ASA configuration for Figure 3-1

ciscoasa# configure terminal
ciscoasa(config)# hostname asa
asa(config)# domain-name dealgroup.com
asa(config)# enable password OpenSaysMe
asa(config)# interface ethernet0/0
asa(config-if)# nameif outside
asa(config-if)# security-level 0
asa(config-if)# ip address 192.168.1.1 255.255.255.0
asa(config-if)# no shutdown
asa(config-if)# exit
asa(config)# interface ethernet0/1
asa(config-if)# nameif inside
asa(config-if)# security-level 100
asa(config-if)# ip address 192.168.3.1 255.255.255.0
asa(config-if)# no shutdown
asa(config-if)# exit
asa(config)# interface ethernet0/2
asa(config-if)# nameif dmz
asa(config-if)# security-level 50
asa(config-if)# ip address 192.168.2.1 255.255.255.0
asa(config-if)# no shutdown
asa(config-if)# exit
asa(config)# passwd NoEntry
asa(config)# crypto key generate rsa
WARNING: You have a RSA keypair already defined named
.
Do you really want to replace them? [yes/no]: yes
Keypair generation process begin. Please wait...
asa(config)# ssh 192.168.3.0 255.255.255.0 inside
asa(config)# exit
asa# write memory
Building configuration...
Cryptochecksum: 21657c19 e04a2a24 e502173c 8626e76d
[OK]
asa#

The first command that I executed in Listing 3-1 was to change the hostname of the appliance to asa and a domain name of dealgroup.com. Following this, I configured a Privilege EXEC password of OpenSaysMe. I then configured the three interfaces, assigning them logical names, security levels, and IP addresses, and enabling them. Once IP was configured, I wanted to be able to SSH on this appliance, so I assigned a User EXEC password of NoEntry, generated the public and private RSA keys, and allowed any internal computer SSH access. Finally, I saved the appliance configuration—remember that you can execute the write memory command at either Privilege EXEC or Configuration mode.

You will actually need to do quite a few more things to pass traffic through your appliance, like setting up routing, configuring translation policies (if necessary), setting up ACLs, and many other policy configurations. This chapter, as well as this example, only focused on the basics—preparing your appliance so that you can implement your security policies. The following chapters will deal with traffic as it flows through the appliance.