Remote Access

The PIX Firewall serial console port allows a single administrator to configure the unit, but it requires physical proximity to the device. Requiring proximity, and limiting access to one administrator at a time, can severely limit the flexibility of an administrator team. The PIX Firewall therefore also allows console access over the network via Telnet, HTTP, and Secure Shell (SSH).

Telnet Access

Telnet allows console access from hosts on any internal interface, much like Telnet access to a Cisco router or switch. Because a Telnet session, including the password, travels in cleartext, the PIX Firewall permits Telnet from the outside interface only when the session is protected by IPSec. PIX Firewall IPSec support, including for Telnet sessions, is covered in Chapter 21.

Up to 16 host or network addresses can be configured to access the PIX Firewall console with Telnet, and up to five hosts can access the unit simultaneously. The configuration mode telnet command defines which hosts can reach the PIX Firewall console with Telnet. Telnet can be permitted on any interface, but the PIX OS requires IPSec to be configured on the outside interface before it allows Telnet traffic there. Use the no telnet command to remove Telnet access for an address, or clear telnet to remove Telnet access entries. The syntax is

Pix(config)# telnet ip_address [netmask] [if_name]
Pix(config)# clear telnet [ip_address [netmask] [if_name]]
Pix(config)# no telnet [ip_address [netmask] [if_name]]

The default netmask is 255.255.255.255, or the host address mask. The default if_name is all inside interfaces. To allow any host, use 0.0.0.0 0.0.0.0 (or 0 0) for ip_address and netmask.

In the following, the first example allows a single host (1.1.1.11) to Telnet to the outside interface, while the entire 192.168.1.0/24 network can Telnet to the inside interface. The second example allows any host to Telnet to any internal interface of the PIX; the show telnet output shows the single entry applied to both the inside and dmz interfaces.

Pix(config)# telnet 1.1.1.11 outside
Pix(config)# telnet 192.168.1.0 255.255.255.0 inside

Pix2(config)# telnet 0 0
Pix2(config)# show telnet
0.0.0.0 0.0.0.0 inside
0.0.0.0 0.0.0.0 dmz
Pix2(config)#

If the address granted Telnet access is on the outside or on any lower-security interface, access list entries and possibly address translations are also needed to complete the configuration.

Use the telnet timeout minutes command to set an idle timer that closes open but inactive Telnet console sessions. The acceptable range is 1 to 60 minutes; the default is five minutes. Raising the timer to 15 to 20 minutes while configuration and testing are in progress can be useful, but return it to a short value afterward: an idle console session left open is available to anyone who gains control of that administrator's workstation.

The show telnet command lists the IP addresses configured to Telnet to the PIX Firewall. The show telnet timeout command displays the current Telnet idle timer value.

The passwd Command

The passwd password command sets the password for Telnet access to the PIX console (the same password is used for the SSH and HTTP access described later in this section). The default Telnet password is cisco, and a Telnet user is prompted with the PIX passwd: message; the password does not echo when typed. Change the default password before enabling any form of remote access. The following output demonstrates the previous commands:

Pix(config)# passwd cisCo123
Pix(config)# telnet 192.168.1.10 255.255.255.255 inside
Pix(config)# telnet 192.168.1.47 255.255.255.255
Pix(config)# telnet 192.168.2.0 255.255.255.0 inside
Pix(config)# telnet 1.1.1.10 255.255.255.255 outside
Pix(config)# telnet timeout 10
Pix(config)# show telnet
192.168.1.10 255.255.255.255 inside
192.168.1.47 255.255.255.255 inside
192.168.1.47 255.255.255.255 dmz
192.168.1.47 255.255.255.255 intf3
192.168.2.0 255.255.255.0 inside
1.1.1.10 255.255.255.255 outside
Pix(config)# show telnet timeout
telnet timeout 10 minutes

Note that the entry for 192.168.1.47, entered without an interface name, was applied to every internal interface (inside, dmz, and intf3). Supply the if_name explicitly when a host should only reach the console from one interface.

The who and kill Commands

The who command lists the Telnet sessions currently open on the unit; each line shows a session ID followed by the source IP address. The kill session_id command ends the specified Telnet console session, which is the right response when who shows a session from an address you do not recognize. The following output shows the who and kill commands.

pix# who
0: From 192.168.1.10
1: From 192.168.2.210
pix# kill 0
pix# who
1: From 192.168.2.210

HTTP Access

The PIX Firewall, like many other Cisco devices, provides a graphical user interface that can be used for configuration tasks. Two configuration mode http commands are required before a web browser, such as Internet Explorer, can access the firewall console. The http server enable command turns on the feature. The second command defines the host(s) that can use the feature; restrict it to the specific administrator hosts, since the HTTP server is an additional management surface on the firewall. It's possible to have up to 16 simultaneous HTTP console sessions. Use the no form of each command to remove the configuration. The syntax is

Pix(config)# [no] http server enable
Pix(config)# http ip_address [netmask] [if_name]
Pix(config)# no http ip_address [netmask] [if_name]

The default netmask is 255.255.255.255, or the host address mask. The default if_name is the inside interface. To allow any host, use 0.0.0.0 0.0.0.0 (or 0 0) for ip_address and netmask. In the following, the first example allows a single host (1.1.1.11) to use a web browser from the outside, while the entire 192.168.1.0/24 network can reach the inside interface. The second example allows any host on the inside interface to reach the PIX unit with a web browser; because http defaults to the inside interface only, show http lists just that one entry.

Pix(config)# http server enable
Pix(config)# http 1.1.1.11 outside
Pix(config)# http 192.168.1.0 255.255.255.0

Pix2(config)# http server enable
Pix2(config)# http 0 0 
Pix2(config)# show http
0.0.0.0 0.0.0.0 inside
Pix2(config)#

To access the PIX Firewall with a web browser, point the browser at the IP address of the interface on which HTTP access was permitted. The browser prompts for a user name and a password. Always use admin for the user name and the Telnet password specified with the passwd command.

Note

Cisco PIX Device Manager (PDM) requires the PIX Firewall to have the HTTP server feature enabled. Chapter 22 covers PDM.

Secure Shell (SSH) Access

The PIX Firewall supports SSH console access for configuration tasks. The configuration mode ssh ip_address command defines the host(s) or network(s) that can initiate an SSH connection to the PIX Firewall. The no form of the command removes the address(es). The syntax is

Pix(config)# ssh ip_address [netmask] [if_name]
Pix(config)# no ssh ip_address [netmask] [if_name]
Pix(config)# ssh timeout minutes

The no ssh ip_address command removes the specified ssh command statement from the configuration, while the clear ssh command removes all ssh command statements.

No default netmask exists. The default if_name is all inside interfaces. To allow any host, use 0.0.0.0 0.0.0.0 (or 0 0) for ip_address and netmask.

The ssh timeout command defines an idle timer of 1 to 60 minutes (default is five minutes).

The show ssh command shows the addresses that are allowed SSH access. The show ssh sessions command displays all active SSH sessions to the PIX Firewall; the output includes a session ID for each connection, the client address, the protocol version, the cipher in use, and the user name once the session has authenticated. The ssh disconnect session_id command disconnects the specified session. The following output demonstrates the previous commands:

Pix# config t
Pix(config)# ssh 1.1.1.47 255.255.255.255 outside
Pix(config)# ssh timeout 15
Pix(config)# show ssh
1.1.1.47 255.255.255.255 outside
0.0.0.0 0.0.0.0 inside
0.0.0.0 0.0.0.0 dmz
Pix(config)#
Pix# show ssh sessions
Session ID  Client IP      Version  Encryption  State  Username
0           192.168.1.19   1.5      3DES        4      -
1           192.168.1.116  1.5      DES         6      pix
2           192.168.1.41   1.5      3DES        4      -
Pix# ssh disconnect 1

To use SSH, your PIX Firewall must have a DES or 3DES activation key, and the unit needs an RSA key pair before it will accept SSH connections (on PIX 6.x, set hostname and domain-name, generate the pair with ca generate rsa key, and store it with ca save all). Note the Version column in the show ssh sessions output: the PIX Firewall releases covered here speak SSH protocol version 1 only, and a session may negotiate single DES. That is far better than cleartext Telnet, but it is weaker than SSH version 2 with 3DES, so keep the permitted source addresses as narrow as possible.

To gain access to the PIX Firewall console via SSH, when prompted for the user name and password, use pix and the Telnet password (set with the passwd command). SSH permits user names up to 100 characters and passwords up to 50 characters.

AAA Support for Telnet, HTTP, and SSH Sessions

The PIX Firewall supports AAA authentication for Telnet, HTTP, and SSH sessions using the aaa authentication command. Use the no form of the command to turn off the authentication. The syntax is

Pix(config)# aaa authentication [serial | enable | telnet | ssh | http] console group_tag
Pix(config)# no aaa authentication [serial | enable | telnet | ssh | http] console group_tag

The AAA support is covered in the next section.
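Putting the telnet, http, ssh, passwd and aaa authentication commands from this section together, the following added example (written for this page; not the chapter's or Cisco's code) audits a running-config excerpt for the weak remote-access settings discussed above: the default password, any-host entries, Telnet permitted on the outside interface, long idle timers, and console services not backed by AAA. The two sample configurations, the interface names inside and dmz, and the hash shown for the default password are constructed assumptions, not output from a real unit.

```python
"""Audit the remote-access lines of a PIX Firewall configuration excerpt.
Added example, not from the chapter. Interface defaults follow the text:
telnet/ssh entries without if_name apply to all internal interfaces, http
entries to the inside interface only.
"""
import ipaddress
import re

SERVICES = ("telnet", "http", "ssh")
INTERNAL_IFS = ("inside", "dmz")  # assumed interface names of the sample unit
# Default password "cisco", plain and as the hash PIX writes to the running
# config (the hash value is an assumption, not taken from the chapter).
DEFAULT_PASSWDS = {"cisco", "2KFQnbNIdI.2KYOU"}
MAX_IDLE_MINUTES = 20  # chapter suggests 15-20 min only while testing


def _addr(tok):
    """Dotted address for a token, or None if it is not one ("0" = 0.0.0.0)."""
    if tok == "0":
        return "0.0.0.0"
    return tok if re.fullmatch(r"\d+\.\d+\.\d+\.\d+", tok) else None


def parse_remote_access(config_text):
    """Return (rules, settings); each rule is (service, network, interfaces)."""
    rules = []
    settings = {"passwd": None, "telnet_timeout": 5, "ssh_timeout": 5,
                "http_server": False, "aaa": set()}
    for raw in config_text.splitlines():
        words = raw.split()
        if len(words) < 2 or words[0] == "!":
            continue
        if words[0] == "passwd":
            settings["passwd"] = words[1]
        elif words[0] in ("telnet", "ssh") and words[1] == "timeout":
            settings[f"{words[0]}_timeout"] = int(words[2])
        elif words[:3] == ["http", "server", "enable"]:
            settings["http_server"] = True
        elif words[:2] == ["aaa", "authentication"] and "console" in words:
            settings["aaa"].add(words[2])  # serial | enable | telnet | ssh | http
        elif words[0] in SERVICES and _addr(words[1]):
            rest = words[2:]
            mask = "255.255.255.255"  # host mask (assumed for ssh as well)
            if rest and _addr(rest[0]):
                mask = _addr(rest.pop(0))
            if_name = rest[0] if rest else None
            net = ipaddress.IPv4Network((_addr(words[1]), mask), strict=False)
            ifs = (if_name,) if if_name else (
                ("inside",) if words[0] == "http" else INTERNAL_IFS)
            rules.append((words[0], net, ifs))
    return rules, settings


def audit(config_text):
    """Return findings as (severity, message) tuples, highest severity first."""
    rules, s = parse_remote_access(config_text)
    found = []
    if s["passwd"] is None or s["passwd"] in DEFAULT_PASSWDS:
        found.append(("HIGH", "passwd is unset or still the default 'cisco'"))
    for service, net, ifs in rules:
        where = ",".join(ifs)
        if net.prefixlen == 0:
            found.append(("HIGH", f"{service} console open to any host on {where}"))
        elif net.prefixlen < 24:
            found.append(("MEDIUM", f"{service} console open to broad range {net} on {where}"))
        if service == "telnet" and "outside" in ifs:
            found.append(("HIGH", f"cleartext telnet from {net} on outside (IPSec required; prefer ssh)"))
    if s["http_server"] and not any(r[0] == "http" for r in rules):
        found.append(("LOW", "http server enable without any http host statement"))
    for svc in ("telnet", "ssh"):
        if s[f"{svc}_timeout"] > MAX_IDLE_MINUTES:
            found.append(("MEDIUM", f"{svc} timeout {s[svc + '_timeout']} min exceeds {MAX_IDLE_MINUTES}"))
    for svc in sorted({r[0] for r in rules} - s["aaa"]):
        found.append(("LOW", f"{svc} relies on the shared passwd (no aaa authentication {svc} console)"))
    rank = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    return sorted(found, key=lambda f: (rank[f[0]], f[1]))


# Constructed sample configs (not captured from a real PIX).
WEAK_CONFIG = """\
passwd 2KFQnbNIdI.2KYOU encrypted
telnet 0 0
telnet 1.1.1.11 outside
telnet timeout 60
http server enable
http 0 0
ssh 10.0.0.0 255.0.0.0 inside
"""

HARDENED_CONFIG = """\
passwd Xk2Qwe9f1LmBnzrP encrypted
ssh 192.168.1.10 255.255.255.255 inside
http server enable
http 192.168.1.10 255.255.255.255 inside
aaa authentication ssh console TACACS+
aaa authentication http console TACACS+
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(audit(cfg))} finding(s)")
        for sev, msg in audit(cfg):
            print(f"  {sev:6} {msg}")
```

Running the file prints the findings for both samples: the weak configuration trips every check, the hardened one trips none. The interface-default logic is what makes telnet 0 0 more exposed than http 0 0 in the report; an entry without if_name lands on every internal interface for telnet and ssh but only on inside for http, exactly as the show telnet and show http output earlier in the section indicates.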



