Versions Compared

Old Version 19

changes.mady.by.user Adam Melong

Saved on

compared with

New Version Current

changes.mady.by.user Adam Melong

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrated to Confluence 5.3

Table of Contents

Table of Contents

PIX

Most of the configurations come from this great guide:

How to configure Site to Site VPN

  1. Define a host name:

    Code Block
    hostname NewYork

  2. Configure an ISAKMP policy:

    Code Block
    isakmp enable outside 
isakmp policy 9 authentication pre-share 
isakmp policy 9 encrypt 3des

  3. Configure a pre-shared key and associate with the peer:

    Code Block
    crypto isakmp key cisco1234 address 209.165.200.229

  4. Configure the supported IPSec transforms:

    Code Block
    crypto ipsec transform-set strong esp-3des esp-sha-hmac

  5. Create an access list:

    Code Block
    access-list 90 permit ip 192.168.12.0 255.255.255.0 10.0.0.0 255.0.0.0

    This access list defines traffic from network 192.168.12.0 to 10.0.0.0. Both of these networks use unregistered addresses.
    Note Steps 5 and 6 are not required if you want to enable NAT for all traffic.

  6. Exclude traffic between the intranets from NAT:

    Code Block
    nat 0 access-list 90

    This excludes traffic matching access list 90 from NAT. The nat 0 command is always processed before any other nat commands.

  7. Enable NAT for all other traffic:

    Code Block
    nat (inside) 1 0 0

  8. Assign a pool of global addresses for NAT and PAT:

    Code Block
    global (outside) 1 209.165.201.9-209.165.201.30
global (outside) 1 209.165.201.8

    The pool of registered addresses are only used for connections to the public Internet.

  9. Define a crypto map:c

    Code Block
    crypto map toSanJose 20 ipsec-isakmp 
crypto map toSanJose 20 match address 90 
crypto map toSanJose 20 set transform-set strong 
crypto map toSanJose 20 set peer 209.165.200.229

  10. Apply the crypto map to the outside interface:

    Code Block
    crypto map toSanJose interface outside

  11. Specify that IPSec traffic be implicitly trusted (permitted):

    Code Block
    sysopt connection permit-ipsec

Password Recovery

Performing password recovery on the security appliance erases the login password, enable password, and aaa authentication console commands. To erase these commands so you can log in with the default passwords, perform the following steps:

Step 1 Download the PIX password tool from Cisco.com to a TFTP server accessible from the security appliance. See the link in the "Password Recovery Procedure for the PIX" document at the following URL:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_password_recovery09186a008009478b.shtml

Step 2 Connect to the security appliance console port according to the "Accessing the Command-Line Interface" section on page 2-1.

Step 3 Power off the security appliance, and then power it on.

Step 4 Immediately after the startup messages appear, press the Escape key to enter monitor mode.

Step 5 Configure the network settings for the interface that accesses the TFTP server by entering the following commands:

Code Block
langxml
monitor> interface interface_id
monitor> address interface_ip
monitor> server tftp_ip
monitor> file pw_tool_name
monitor> gateway gateway_ip

Step 6 Download the PIX password tool from the TFTP server by entering the following command:

Code Block
monitor> tftp

If you have trouble reaching the server, you can enter the ping address command to test the connection.

Step 7 At the "Do you wish to erase the passwords?" prompt, enter Y.

You can now log in with the default login password of "cisco" and the blank enable password.

-

Code Block
langxml
-------------------------------------------------------------------------------
The following example shows the PIX password recovery with the TFTP server on the outside interface:

monitor> interface 0
0: i8255X @ PCI(bus:0 dev:13 irq:10)
1: i8255X @ PCI(bus:0 dev:14 irq:7 )
Using 0: i82559 @ PCI(bus:0 dev:13 irq:10), MAC: 0050.54ff.82b9
monitor> address 10.21.1.99
address 10.21.1.99
monitor> server 172.18.125.3
server 172.18.125.3
monitor> file np70.bin
file np52.bin
monitor> gateway 10.21.1.1
gateway 10.21.1.1
monitor> ping 172.18.125.3
Sending 5, 100-byte 0xf8d3 ICMP Echoes to 172.18.125.3, timeout is 4 seconds:
!!!!!
Success rate is 100 percent (5/5)
monitor> tftp
tftp np52.bin@172.18.125.3 via 10.21.1.1...................................
Received 73728 bytes
Cisco PIX password tool (4.0) #0: Tue Aug 22 23:22:19 PDT 2005
Flash=i28F640J5 @ 0x300
BIOS Flash=AT29C257 @ 0xd8000
Do you wish to erase the passwords? [yn] y
Passwords have been erased.
Rebooting....

Disabling Password Recovery

You might want to disable password recovery to ensure that unauthorized users cannot use the password recovery mechanism to compromise the security appliance. To disable password recovery, enter the following command:

Code Block
hostname(config)# no service password-recovery

On the ASA 5500 series adaptive security appliance, the no service password-recovery command prevents a user from entering ROMMON with the configuration intact. When a user enters ROMMON, the security appliance prompts the user to erase all Flash file systems. The user cannot enter ROMMON without first performing this erasure. If a user chooses not to erase the Flash file system, the security appliance reloads. Because password recovery depends on using ROMMON and maintaining the existing configuration, this erasure prevents you from recovering a password. However, disabling password recovery prevents unauthorized users from viewing the configuration or inserting different passwords. In this case, to recover the system to an operating state, load a new image and a backup configuration file, if available. The service password-recovery command appears in the configuration file for informational purposes only; when you enter the command at the CLI prompt, the setting is saved in NVRAM. The only way to change the setting is to enter the command at the CLI prompt. Loading a new configuration with a different version of the command does not change the setting. If you disable password recovery when the security appliance is configured to ignore the startup configuration at startup (in preparation for password recovery), then the security appliance changes the setting to boot the startup configuration as usual. If you use failover, and the standby unit is configured to ignore the startup configuration, then the same change is made to the configuration register when the no service password recovery command replicates to the standby unit.

On the PIX 500 series security appliance, the no service password-recovery command forces the PIX password tool to prompt the user to erase all Flash file systems. The user cannot use the PIX password tool without first performing this erasure. If a user chooses not to erase the Flash file system, the security appliance reloads. Because password recovery depends on maintaining the existing configuration, this erasure prevents you from recovering a password. However, disabling password recovery prevents unauthorized users from viewing the configuration or inserting different passwords. In this case, to recover the system to an operating state, load a new image and a backup configuration file, if available.

Troubleshooting

Pinging Through the Security Appliance

After you successfully ping the security appliance interfaces, you should make sure traffic can pass successfully through the security appliance. For routed mode, this test shows that NAT is working correctly, if configured. For transparent mode, which does not use NAT, this test confirms that the security appliance is operating correctly; if the ping fails in transparent mode, contact Cisco TAC.

To ping between hosts on different interfaces, perform the following steps:Step 1 To add an access list allowing ICMP from any source host, enter the following command:

Code Block
hostname(config)# access-list ICMPACL extended permit icmp any any

By default, when hosts access a lower security interface, all traffic is allowed through. However, to access a higher security interface, you need the preceding access list.

Step 2 To assign the access list to each source interface, enter the following command:

Code Block
hostname(config)# access-group ICMPACL in interface interface_name

Repeat this command for each source interface.

Step 3 To enable the ICMP inspection engine, so ICMP responses are allowed back to the source host, enter the following commands:

Code Block
hostname(config)# class-map ICMP-CLASS
hostname(config-cmap)# match access-list ICMPACL
hostname(config-cmap)# policy-map ICMP-POLICY
hostname(config-pmap)# class ICMP-CLASS
hostname(config-pmap-c)# inspect icmp
hostname(config-pmap-c)# service-policy ICMP-POLICY global

Alternatively, you can also apply the ICMPACL access list to the destination interface to allow ICMP traffic back through the security appliance.

Step 4 Ping from the host or router through the source interface to another host or router on another interface.

Repeat this step for as many interface pairs as you want to check.

If the ping succeeds, you see a system message confirming the address translation for routed mode (305009 or 305011) and that an ICMP connection was established (302020). You can also enter the show xlate and show conns commands to view this information.

If the ping fails for transparent mode, contact Cisco TAC.

For routed mode, the ping might fail because NAT is not configured correctly (see Figure 36-5). This is more likely if you enable NAT control. In this case, you see a system message showing that the NAT translation failed (305005 or 305006). If the ping is from an outside host to an inside host, and you do not have a static translation (which is required with NAT control), you see message 106010: deny inbound icmp.