The PIX Firewall serial console port allows a single
administrator to configure the unit, but it requires close proximity to the
device. This close proximity requirement, together with the limit of a single
administrator, can severely limit the flexibility of an administrator team. The
PIX Firewall therefore also allows console access via Telnet, HTTP, and Secure Shell
(SSH).
Telnet Access
Telnet allows host console access from any internal
interface, much like the Telnet access to a Cisco router or switch. If the PIX
Firewall is configured for IPSec, it’s possible to allow Telnet sessions from
the outside interface. PIX Firewall IPSec support, including for Telnet
sessions, is covered in Chapter 21.
Up to 16 host or network addresses can be configured to access the
PIX Firewall console with Telnet, and up to five hosts can access the unit
simultaneously. The configuration mode telnet command is used to define which hosts can access the PIX
Firewall console with Telnet. While you can enable Telnet on all interfaces, the
PIX OS requires that IPSec be configured on the outside interface to allow
Telnet traffic. Use the no telnet or clear telnet command to remove Telnet
access assigned to an IP address. The syntax is
Pix(config)# telnet ip_address [netmask] [if_name]
Pix(config)# clear telnet [ip_address [netmask] [if_name]]
Pix(config)# no telnet [ip_address [netmask] [if_name]]
The default netmask is 255.255.255.255, or
the host address mask. The default if_name is all inside
interfaces. To allow any host, use 0.0.0.0 0.0.0.0 (or 0 0) for ip_address and netmask.
In the following, the first example shows a single host (1.1.1.11)
allowed to reach the console with Telnet from the outside, while the entire 192.168.1.0
network can reach the inside address. The second example allows all internal
hosts to reach any inside interface of the PIX using Telnet; note that the
show telnet output lists every inside (non-outside) interface.
Pix(config)# telnet 1.1.1.11 outside
Pix(config)# telnet 192.168.1.0 255.255.255.0 inside
Pix2(config)# telnet 0 0
Pix2(config)# show telnet
0.0.0.0 0.0.0.0 inside
0.0.0.0 0.0.0.0 dmz
Pix2(config)#
If the address granted Telnet access lies on the outside or on any
other lower-security interface, access list entries and possibly address
translations are also needed to complete the configuration.
Use the telnet timeout minutes command to set an idle timer that closes
open but inactive Telnet console sessions. The acceptable range is 1 to 60
minutes. The default is five minutes. Setting the timer to 15 to 20 minutes
while configuration and testing are in progress can be convenient.
The show telnet command lists the IP addresses
configured to Telnet to the PIX Firewall. The show telnet
timeout command displays the current Telnet idle timer value.
The passwd Command
The passwd password command is used to set
the Telnet password for access to the PIX console. The default Telnet password is
cisco, and a Telnet user is prompted with the PIX passwd:
message. The password doesn’t appear when entered. The following output
demonstrates the previous commands (the entry for 192.168.1.47 has no if_name, so
it is applied to every inside interface):
Pix(config)# passwd cisCo123
Pix(config)# telnet 192.168.1.10 255.255.255.255 inside
Pix(config)# telnet 192.168.1.47 255.255.255.255
Pix(config)# telnet 192.168.2.0 255.255.255.0 inside
Pix(config)# telnet 1.1.1.10 255.255.255.255 outside
Pix(config)# telnet timeout 10
Pix(config)# show telnet
192.168.1.10 255.255.255.255 inside
192.168.1.47 255.255.255.255 inside
192.168.1.47 255.255.255.255 dmz
192.168.1.47 255.255.255.255 intf3
192.168.2.0 255.255.255.0 inside
1.1.1.10 255.255.255.255 outside
Pix(config)# show telnet timeout
telnet timeout 10 minutes
The who and kill Commands
The who command is used to see the IP
addresses currently accessing the unit. The output includes a session ID
followed by the IP address. The kill session_id command is used to end an active Telnet
console session. The following output shows the who and kill commands.
pix# who
0: From 192.168.1.10
1: From 192.168.2.210
pix# kill 0
pix# who
1: From 192.168.2.210
HTTP Access
The PIX Firewall, like many other Cisco devices, provides a
graphical user interface that can be used for configuration tasks. Two configuration mode http commands are required
to use a web browser, such as Internet Explorer, to access the firewall console.
The http server enable command turns on the feature. The
second command defines the host(s) that can use the feature. It’s possible to
have up to 16 simultaneous HTTP console sessions. Use the no form of each
command to remove the configuration. The syntax is
Pix(config)# http server enable
Pix(config)# [no] http server enable
Pix(config)# http ip_address [netmask] [if_name]
Pix(config)# no http ip_address [netmask] [if_name]
The default netmask is 255.255.255.255 or
the host address mask. The default if_name is the inside
interface. To allow any host, use 0.0.0.0 0.0.0.0 (or 0 0) for ip_address and netmask. In the
following, the first example shows a single host (1.1.1.11) allowed to use a web
browser to access from the outside, while the entire 192.168.1.0 network can
access the inside address. The second example allows all internal hosts to
access any inside interface on the PIX unit using a web browser.
Pix(config)# http server enable
Pix(config)# http 1.1.1.11 outside
Pix(config)# http 192.168.1.0 255.255.255.0
Pix2(config)# http server enable
Pix2(config)# http 0 0
Pix2(config)# show http
0.0.0.0 0.0.0.0 inside
Pix2(config)#
To access the PIX Firewall using a web browser, enter http:// followed by the
address of the appropriate PIX interface. The web
browser prompts for a user name and a password. Always use admin for the user name and the Telnet password specified with
the passwd command.
Note: Cisco PIX Device Manager (PDM) requires the PIX Firewall to
have the HTTP server feature enabled. Chapter 22 covers PDM.
Secure Shell (SSH) Access
The PIX Firewall supports SSH console access for
configuration tasks. The configuration mode ssh
ip_address command defines the
host(s) or network(s) that can initiate an SSH connection to the PIX Firewall.
The no form of the command removes the address(es). The syntax is
Pix(config)# ssh ip_address [netmask] [if_name]
Pix(config)# no ssh ip_address [netmask] [if_name]
Pix(config)# ssh timeout minutes
The no ssh ip_address command removes the specified ssh command statement from the
configuration, while the clear ssh command removes all ssh command statements.
No default netmask exists. The default if_name is all inside interfaces. To allow any host, use
0.0.0.0 0.0.0.0 (or 0 0) for ip_address and netmask.
The ssh timeout command defines an idle timer of
1 to 60 minutes (default is five minutes).
The show ssh command shows the addresses that
are allowed SSH access. The show ssh sessions command displays
all active SSH sessions to the PIX Firewall. The output includes a session ID
for each connection. The ssh disconnect session_id command will disconnect the specific session.
The following output demonstrates the previous commands:
Pix# config t
Pix(config)# ssh 1.1.1.47 255.255.255.255 outside
Pix(config)# ssh timeout 15
Pix(config)# show ssh
1.1.1.47 255.255.255.255 outside
0.0.0.0 0.0.0.0 inside
0.0.0.0 0.0.0.0 dmz
Pix(config)#
Pix# show ssh sessions
Session ID   Client IP       Version   Encryption   State   Username
0            192.168.1.19    1.5       3DES         4       -
1            192.168.1.116   1.5       DES          6       pix
2            192.168.1.41    1.5       3DES         4       -
Pix# ssh disconnect 1
To use SSH, your PIX Firewall must have a DES or 3DES activation key.
To gain access to the PIX Firewall console via SSH, when
prompted for the user name and password, use pix and the
Telnet password (set with the passwd command). SSH permits
user names up to 100 characters and passwords up to 50 characters.
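As an added example (not from the book or from Cisco), the following Python script audits a PIX configuration excerpt against the points made in the Telnet, HTTP, and SSH sections above: the any-host 0 0 form, Telnet entries on the outside interface (which the PIX only passes over IPSec), the factory passwd of cisco, and idle timers beyond the 15 to 20 minutes suggested. The sample configuration it reads is constructed, and the finding wording is the script's own.

```python
# Constructed sample PIX configuration for the audit below (not from the page).
# It mixes the page's own example statements with a few deliberately weak ones.
SAMPLE_CONFIG = """\
passwd cisco
telnet 0 0
telnet 1.1.1.10 255.255.255.255 outside
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 60
http server enable
http 0.0.0.0 0.0.0.0
ssh 1.1.1.47 255.255.255.255 outside
ssh timeout 15
"""

ANY_HOST = {"0", "0.0.0.0"}      # the page's "0 0" / "0.0.0.0 0.0.0.0" forms
MAX_IDLE_MINUTES = 20            # the page suggests 15 to 20 minutes at most

def parse_access_statement(cmd, args):
    """Apply the page's defaults: host mask when omitted; if_name defaults to
    'inside' for http and to all inside interfaces for telnet and ssh."""
    ip = args[0]
    mask = args[1] if len(args) > 1 else "255.255.255.255"
    default_if = "inside" if cmd == "http" else "all-inside"
    if_name = args[2] if len(args) > 2 else default_if
    return ip, mask, if_name

def audit_console_access(config):
    """Return one finding string per risky console-access setting."""
    findings = []
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("!"):
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "passwd" and args == ["cisco"]:
            findings.append("passwd: factory default password 'cisco' is still set")
        elif cmd in ("telnet", "ssh", "http") and args:
            if args[0] == "timeout":
                if len(args) > 1 and int(args[1]) > MAX_IDLE_MINUTES:
                    findings.append(f"{cmd}: idle timeout {args[1]} min exceeds {MAX_IDLE_MINUTES}")
            elif args[0] == "server":
                pass  # 'http server enable' only switches the feature on
            else:
                ip, mask, if_name = parse_access_statement(cmd, args)
                if ip in ANY_HOST and mask in ANY_HOST:
                    findings.append(f"{cmd}: any host may open a console session on {if_name}")
                if cmd == "telnet" and if_name == "outside":
                    findings.append(f"telnet: {ip} on outside; the PIX only passes this over IPSec, confirm the IPSec config")
    return findings
```

Run it against a show running-config capture to get one line per statement worth reviewing; an empty list means none of the four checks fired.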
AAA Support for Telnet, HTTP, and SSH Sessions
The PIX Firewall supports AAA authentication for Telnet,
HTTP, and SSH sessions using the aaa authentication command.
Use the no form of the command to turn off the authentication. The syntax is
Pix(config)# aaa authentication [serial | enable | telnet | ssh | http] console group_tag
Pix(config)# no aaa authentication [serial | enable | telnet | ssh | http] console group_tag
The AAA support is covered in the next section.