Cisco Secure PIX Firewall Advanced Exam Certification Guide - Cisco press.pdf

Chapter 4

System Maintenance

In addition to the posted exam topic of “Remote Access,” this chapter also covers these important system maintenance topics for the PIX:

Activation key upgrade

Installing a new OS on the Cisco PIX Firewall

Upgrading the Cisco PIX Firewall operating system

Creating a boot helper diskette using a Windows PC

Password recovery

How to Best Use This Chapter

Chapter 3, “The Cisco Secure PIX Firewall,” gave you insight into the different models of the Cisco PIX Firewall as well as the features and available configurations. This chapter provides information about how to configure access for the PIX, access the PIX, and maintain the PIX's integrity through upgrades. In addition, you will learn about password recovery and how to create a boot helper diskette. It is very important for you to understand the technology that powers the Cisco PIX Firewall in great detail. Test yourself with the “Do I Know This Already?” quiz and see how familiar you are with these aspects of the PIX.

“Do I Know This Already?” Quiz

The purpose of this quiz is to help you determine your current understanding of the topics covered in this chapter. Write down your answers and compare them to the answers in Appendix A. If you have to look at any references to correctly answer the questions about PIX functionality, (re)read that portion of the material. The concepts in this chapter are the foundation of much of what you need to understand to pass the CSPFA Certification Exam. Unless you do exceptionally well on the “Do I Know This Already?” pretest and are 100% confident in your knowledge of this area, you should read through the entire chapter.

1. How many ways can you access the PIX Firewall?

2. What is the command to change the Telnet password?

3. Which version of SSH does PIX support?

4. What is the activation key?

5. Give one reason why you would need to change the activation key on your PIX Firewall.

48 Chapter 4: System Maintenance

Foundation Topics

Accessing the Cisco PIX Firewall

The PIX Firewall can be accessed via the console port or remotely through the following methods:

Telnet

Secure Shell (SSH)

A browser using PIX Device Manager (PDM)

Console port access lets a single user configure the Cisco PIX Firewall. A user connects a PC or laptop to the PIX through the console access port using a rollover cable.

The following sections describe how to access the PIX remotely via Telnet and SSH. Chapter 11, “PIX Device Manager,” covers access via the PDM as well as other aspects of the PDM in greater detail.

Accessing the Cisco PIX Firewall with Telnet

You can manage the PIX via Telnet from hosts on any internal interface. Telnet carries the whole session, including the password, in cleartext, so the PIX accepts Telnet from lower-security interfaces only when the session is protected by IPSec. With IPSec configured, you can use Telnet to remotely administer the console of a Cisco PIX Firewall from those lower-security interfaces.

To access the PIX Firewall via a Telnet connection, you have to first configure the PIX for Telnet access:

Step 1 Enter the PIX Firewall telnet command:

telnet local_ip [mask] [if_name]

You can identify a single host or a subnet that can have Telnet access to the PIX Firewall. For example, to let the host 10.1.1.24 on the inside interface access the PIX Firewall, enter the following:

telnet 10.1.1.24 255.255.255.255 inside

Step 2 Configure the Telnet password using the passwd command:

passwd telnetpassword

If you do not set a password, the Telnet password remains the factory default, cisco. Change it before you allow any remote access, because the default is public knowledge.

Step 3 If required, set the duration for how long a Telnet session can be idle before the PIX disconnects the session. The default duration is 5 minutes. To configure the timeout for 15 minutes, you would enter

telnet timeout 15


Step 4 To protect access to the console with an authentication server, use the aaa authentication telnet console command. (AAA authentication is optional.)

This requires that you have a username and password on the authentication server. When you access the console, the PIX prompts you for these login credentials. If the authentication server is offline, you can still access the console by using the username pix and the password set with the enable password command.

Step 5 Save the commands in the configuration using the write memory command.

As soon as you have Telnet configured on the Cisco PIX Firewall, you are ready to access the PIX via a Telnet session. You can start a Telnet session to the PIX from the Windows command-line interface (CLI).

Accessing the Cisco PIX Firewall with Secure Shell (SSH)

SSH is an application running on top of a reliable transport layer, such as TCP/IP, that provides strong authentication and encryption capabilities. The Cisco PIX Firewall supports the SSH remote shell functionality provided in SSH version 1. SSH version 1 also works with Cisco IOS Software devices. Up to five SSH clients are allowed simultaneous access to the PIX console.

NOTE SSH v1.x and v2 are entirely different protocols and are incompatible. Make sure that you download a client that supports SSH v1.x. SSH v1 has known protocol-level weaknesses and has been superseded by v2, so on a PIX release that offers only v1, restrict SSH to named management hosts and keep the idle timeout short.

Like Telnet, SSH also first has to be configured on the PIX Firewall. To configure the SSH, follow these steps:

Step 1 Identify a host/network to be used to access the PIX Firewall console using SSH. The syntax for the ssh command is

ssh ip_address [netmask] [interface_name]

For example, to let the host 10.1.1.25 on the inside interface access the PIX via SSH, enter the following:

ssh 10.1.1.25 255.255.255.255 inside

Step 2 The password used to perform local authentication is the same as the one used for Telnet access. It is set using the passwd command:

passwd password


Step 3 Specify how long in minutes a session can be idle before being disconnected. The default duration is 5 minutes, although you can set this duration anywhere between 1 and 60 minutes. The command to configure this setting is as follows:

ssh timeout number

To gain access to the Cisco PIX Firewall console using SSH, you have to install an SSH client. After installing the SSH client, enter the username pix (the default), and then enter the password.

When you start an SSH session, a dot (.) appears on the Cisco PIX Firewall console before the SSH user authentication prompt appears:

pix(config)# .

The display of the dot does not affect SSH's functionality. The dot appears at the console when you generate a server key or decrypt a message using private keys during SSH key exchange before user authentication occurs. These tasks can take up to 2 minutes or longer. The dot is a progress indicator that verifies that the PIX is busy and has not hung.
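The Telnet and SSH steps above each add one line to the running configuration, and the places where a configuration goes wrong are the same in both: the default password left in place, a 0.0.0.0 mask that admits any host, Telnet permitted on a lower-security interface, no AAA in front of the console, and a long idle timeout. The following audit script is an added example, not code from the book or from Cisco. It parses the nameif, passwd, telnet, ssh and aaa authentication ... console lines of a PIX 6.x configuration and reports those weaknesses. Both sample configurations are constructed; the passwd hash in the weak one is the well-known hash a factory-default PIX carries for the password cisco (assumed unchanged), a telnet or ssh line without a mask is taken to mean a single host and one without an interface name to mean inside, and the /24 and 15-minute thresholds are the author's choices rather than PIX rules.

```python
"""Audit the remote-console access lines of a PIX 6.x running configuration.

Added example, not code from the book or from Cisco. It reads the nameif,
passwd, telnet, ssh and 'aaa authentication ... console' lines and reports
the weaknesses the Telnet and SSH sections warn about. Assumptions: a
telnet/ssh line without a mask means one host (/32) and without an interface
name means 'inside'; the idle-timeout and prefix-length thresholds are the
author's choices, not PIX requirements.
"""
from ipaddress import ip_network

# Well-known hash that a factory-default PIX config carries for the Telnet
# password "cisco" (assumption: the unit was never given a new passwd).
DEFAULT_PASSWD_HASH = "2KFQnbNIdI.2KYOU"
DEFAULT_TIMEOUT = 5  # minutes; the telnet/ssh timeout default from the chapter

# Constructed sample configs (not from the book).
WEAK_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
passwd 2KFQnbNIdI.2KYOU encrypted
telnet 10.1.1.24 255.255.255.255 inside
telnet 0.0.0.0 0.0.0.0 dmz
telnet timeout 5
ssh 10.1.1.25 255.255.255.255 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.1.1.10 s3cret timeout 5
aaa authentication ssh console TACACS+
"""

HARDENED_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
passwd Xj4kd9Qz8LmNpR2s encrypted
ssh 10.1.1.25 255.255.255.255 inside
ssh timeout 15
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.1.1.10 s3cret timeout 5
aaa authentication ssh console TACACS+
"""


def parse_config(text):
    """Pull the console-access settings out of a running config."""
    cfg = {"levels": {}, "telnet": [], "ssh": [], "passwd": None, "aaa": set(),
           "timeout": {"telnet": DEFAULT_TIMEOUT, "ssh": DEFAULT_TIMEOUT}}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "nameif" and len(parts) == 4 and parts[3].startswith("security"):
            cfg["levels"][parts[2]] = int(parts[3][len("security"):])
        elif parts[0] in ("telnet", "ssh"):
            if parts[1] == "timeout":
                cfg["timeout"][parts[0]] = int(parts[2])
            else:
                # telnet|ssh local_ip [mask] [if_name]
                mask = parts[2] if len(parts) > 2 else "255.255.255.255"
                ifname = parts[3] if len(parts) > 3 else "inside"
                cfg[parts[0]].append((ip_network(f"{parts[1]}/{mask}", strict=False), ifname))
        elif parts[0] == "passwd":
            cfg["passwd"] = parts[1]
        elif parts[:2] == ["aaa", "authentication"] and len(parts) >= 5 and parts[3] == "console":
            cfg["aaa"].add(parts[2])  # "telnet" or "ssh"
    return cfg


def audit(text, max_idle=15, min_prefix=24):
    """Return (code, message) findings; an empty list means nothing to fix."""
    cfg = parse_config(text)
    findings = []
    if cfg["passwd"] == DEFAULT_PASSWD_HASH:
        findings.append(("default-passwd", "Telnet/SSH password is still the default 'cisco'; set it with passwd"))
    top = max(cfg["levels"].values(), default=100)
    for proto in ("telnet", "ssh"):
        for net, ifname in cfg[proto]:
            if proto == "telnet" and cfg["levels"].get(ifname, top) < top:
                findings.append(("telnet-cleartext", f"telnet allowed from '{ifname}': credentials cross a lower-security interface in cleartext unless tunnelled in IPSec; use ssh"))
            if net.prefixlen < min_prefix:
                findings.append((f"{proto}-broad", f"{proto} from {net} on '{ifname}' is wider than /{min_prefix}; list the management hosts instead"))
        if cfg[proto] and proto not in cfg["aaa"]:
            findings.append((f"{proto}-no-aaa", f"no 'aaa authentication {proto} console': every {proto} user shares the single passwd secret"))
        if cfg["timeout"][proto] > max_idle:
            findings.append((f"{proto}-idle", f"{proto} timeout {cfg['timeout'][proto]} min exceeds {max_idle}; idle sessions stay open"))
    return findings


if __name__ == "__main__":
    for code, msg in audit(WEAK_CONFIG):
        print(f"[{code}] {msg}")
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

Run against the weak configuration the script reports six findings (default password, cleartext Telnet on the dmz interface, the two any-host entries, no AAA for Telnet, and the 60-minute SSH timeout); the hardened configuration, which drops Telnet altogether, produces none. Paste the output of show running-config into WEAK_CONFIG's place to check a real unit.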

Installing a New Operating System

Installing a new operating system (OS) on a Cisco PIX Firewall is similar in some respects to installing a new OS on your PC. You must consider fundamental questions such as whether you have enough memory and disk space (Flash size for PIX) when deciding whether to upgrade the operating system. Table 4-1 shows the RAM and Flash memory requirements for the different versions and releases of the Cisco PIX Firewall OS.

Table 4-1 PIX Software RAM/Flash Memory Requirements

PIX Software Version             Memory
PIX Software version 4.4(x)      2 MB Flash, 16 MB RAM
PIX Software version 5.0(x)      2 MB Flash, 32 MB RAM
PIX Software version 5.1(x)      2 MB Flash, 32 MB RAM
PIX Software version 5.2(x)      8 MB Flash, 32 MB RAM
PIX Software version 5.3(x)      8 MB Flash, 32 MB RAM
PIX Software version 6.0(x)      8 MB Flash, 32 MB RAM
PIX Software version 6.1(x)      8 MB Flash, 32 MB RAM
PIX Software version 6.2(x)      8 MB Flash, 32 MB RAM

In addition to the memory and Flash requirements, you should consider the model of Cisco PIX Firewall before installing an OS. For example, the Cisco PIX Firewall model 506 requires OS version 5.1(x) or later, the model 525 requires 5.2(x) or later, and the model 535 requires 5.3(x) or later.


To determine how much RAM and Flash memory your Cisco PIX Firewall has, use the show version command. The output from this command also tells you which PIX OS you are currently running, as shown in Example 4-1.

Example 4-1 Sample Output from the show version Command

PIX520# show version
Cisco Secure PIX Firewall Version 5.1(1)
Compiled on Wed 23-Feb-00 10:22 by hyen
Finesse Bios V3.3
PIX520 up 7 days 13 hours
Hardware: SE440BX2, 32 MB RAM, CPU Pentium II 349 MHz
Flash AT29C040A @ 0x300, 2MB
BIOS Flash AM28F256 @ 0xfffd8000, 32KB
Encryption hardware device: PIX PL2
0:ethernet0: address is 0090.2742.ff45, irq 11
1:ethernet1: address is 0090.2742.fdb6, irq 10
2:ethernet2: address is 0090.2743.0275, irq 15
Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES: Disabled
Maximum Interfaces: 6
Serial Number: 18014702 (0x112e1ee)
<--- More --->
Activation Key: 0x8cb9bdcb 0x863a858b 0x2ae0c93b 0x3a46651a

As you can see, the OS version is 5.1(1), and the Flash memory size is 2 MB.

Notice the last line of Example 4-1, which starts with Activation Key. The activation key is the license key for the PIX OS. It is important to save your configuration and write down your activation key before upgrading to a newer version of the PIX OS.
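The checks described in this section (Flash and RAM against Table 4-1, the per-model release floor, and noting the activation key before touching the image) are easy to get wrong by eye across a fleet of firewalls. The script below is an added example, not code from the book or from Cisco. It parses the fields of show version that the chapter points at, keeps the activation key so it can be written down, and lists the reasons a target release should not be loaded as-is, including the downgrade caveat from the activation key discussion. The sample input is Example 4-1 reproduced from the chapter (pager prompt omitted); the regular expressions assume the 5.x/6.x show version layout shown there, and models the chapter does not name are assumed to have no release floor.

```python
"""Pre-upgrade check for a Cisco PIX Firewall, driven by 'show version' output.

Added example, not from the book or from Cisco. It parses the fields the
chapter says to look at (OS version, RAM, Flash, model, licensed features and
the activation key), keeps the key so it is written down before the upgrade,
and checks a target release against Table 4-1 and the per-model minimums.
Assumptions: the regexes match the 5.x/6.x 'show version' layout shown in
Example 4-1, and models not named in the chapter have no release floor here.
"""
import re

# Table 4-1: (major, minor) -> (Flash MB, RAM MB)
REQUIREMENTS = {
    (4, 4): (2, 16), (5, 0): (2, 32), (5, 1): (2, 32), (5, 2): (8, 32),
    (5, 3): (8, 32), (6, 0): (8, 32), (6, 1): (8, 32), (6, 2): (8, 32),
}
# Minimum release per model, from the chapter text.
MODEL_MINIMUM = {"PIX506": (5, 1), "PIX525": (5, 2), "PIX535": (5, 3)}

# Example 4-1 from the chapter, reproduced as sample input (pager prompt omitted).
SHOW_VERSION = """\
Cisco Secure PIX Firewall Version 5.1(1)
Compiled on Wed 23-Feb-00 10:22 by hyen
Finesse Bios V3.3
PIX520 up 7 days 13 hours
Hardware: SE440BX2, 32 MB RAM, CPU Pentium II 349 MHz
Flash AT29C040A @ 0x300, 2MB
BIOS Flash AM28F256 @ 0xfffd8000, 32KB
Encryption hardware device: PIX PL2
0:ethernet0: address is 0090.2742.ff45, irq 11
1:ethernet1: address is 0090.2742.fdb6, irq 10
2:ethernet2: address is 0090.2743.0275, irq 15
Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES: Disabled
Maximum Interfaces: 6
Serial Number: 18014702 (0x112e1ee)
Activation Key: 0x8cb9bdcb 0x863a858b 0x2ae0c93b 0x3a46651a
"""

VERSION_RE = re.compile(r"Version (\d+)\.(\d+)\((\d+)\)")
RAM_RE = re.compile(r"(\d+) MB RAM")
FLASH_RE = re.compile(r"^Flash \S+ @ 0x[0-9a-fA-F]+, (\d+)MB", re.M)  # skips the "BIOS Flash" line
MODEL_RE = re.compile(r"^(PIX\d+) up ", re.M)
KEY_RE = re.compile(r"^Activation Key: (.+)$", re.M)
FEATURE_RE = re.compile(r"^(Failover|VPN-DES|VPN-3DES): (Enabled|Disabled)$", re.M)


def parse_show_version(text):
    """Extract the upgrade-relevant fields; raises ValueError if one is missing."""
    found = {name: rx.search(text) for name, rx in
             (("version", VERSION_RE), ("ram", RAM_RE), ("flash", FLASH_RE),
              ("model", MODEL_RE), ("key", KEY_RE))}
    missing = [name for name, m in found.items() if m is None]
    if missing:
        raise ValueError(f"show version output lacks: {', '.join(missing)}")
    return {
        "version": tuple(int(x) for x in found["version"].groups()),
        "ram_mb": int(found["ram"].group(1)),
        "flash_mb": int(found["flash"].group(1)),
        "model": found["model"].group(1),
        "activation_key": found["key"].group(1).split(),  # write these four words down
        "features": {k: v == "Enabled" for k, v in FEATURE_RE.findall(text)},
    }


def check_upgrade(info, target):
    """Return the reasons a (major, minor) target release should not be loaded as-is."""
    req = REQUIREMENTS.get(target)
    if req is None:
        return [f"{target[0]}.{target[1]}(x) is not in Table 4-1; check its requirements first"]
    flash, ram = req
    problems = []
    if info["flash_mb"] < flash:
        problems.append(f"Flash: {target[0]}.{target[1]}(x) needs {flash} MB, unit has {info['flash_mb']} MB")
    if info["ram_mb"] < ram:
        problems.append(f"RAM: {target[0]}.{target[1]}(x) needs {ram} MB, unit has {info['ram_mb']} MB")
    floor = MODEL_MINIMUM.get(info["model"])
    if floor and target < floor:
        problems.append(f"{info['model']} requires {floor[0]}.{floor[1]}(x) or later")
    if target < info["version"][:2]:
        problems.append("downgrade: first install an activation key valid for the lower release, or the PIX may refuse to reload")
    return problems


if __name__ == "__main__":
    info = parse_show_version(SHOW_VERSION)
    print("running", info["version"], "on", info["model"], "key:", " ".join(info["activation_key"]))
    for target in ((5, 1), (6, 2), (5, 0)):
        print(target, check_upgrade(info, target) or "ok")
```

For the PIX 520 in Example 4-1 the script accepts 5.1(x), rejects 6.2(x) because the unit has only 2 MB of Flash against the 8 MB in Table 4-1, and flags 5.0(x) as a downgrade that needs a compatible activation key first. Swap in the output of show version from your own unit and the target release you plan to load.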

Upgrading Your Activation Key

Three important reasons might prompt you to upgrade or change your activation key:

Your Cisco PIX Firewall does not have failover activated.

Your PIX does not currently have VPN-DES or VPN-3DES encryption enabled.

You are upgrading from a connection-based license to a feature-based license.


Before the release of PIX 6.2, the activation keys were changed in monitor mode. Cisco PIX Firewall version 6.2 introduces a method of upgrading or changing the license for your Cisco PIX Firewall remotely without entering monitor mode and without replacing the software image. With this new feature, you can enter a new activation key for a different PIX license from the CLI. To enter an activation key, use the following command:

activation-key license#

You replace license# with the key you get with your new license. For example:

activation-key 0x14355378 0xabcdef01 0x2645678ab 0xcdef01274

After changing the activation key, you must reboot the PIX Firewall to enable the new license. If you are upgrading to a newer version and you are changing the activation key, you must reboot the Cisco PIX Firewall twice—once after the new image is installed, and again after the new activation key has been configured.

If you are downgrading to a lower Cisco PIX Firewall software version, it is important to ensure that the activation key running on your system is not intended for a higher version before you install the lower-version software image. If this is the case, you must first change the activation key to one that is compatible with the lower version before installing and rebooting. Otherwise, your system might refuse to reload after you install the new software image.

The show activation-key command output indicates the status of the activation key:

If the activation key in the PIX Flash memory is the same as the activation key running on the PIX, the show activation-key output reads as follows:

The flash activation key is the SAME as the running key.

If the activation key in the PIX Flash memory is different from the activation key running on the PIX, the show activation-key output reads as follows:

The flash activation key is DIFFERENT from the running key.

The flash activation key takes effect after the next reload.

If the PIX Flash memory software image version is not the same as the running PIX software image, the show activation-key output reads as follows:

The flash image is DIFFERENT from the running image.

The two images must be the same in order to examine the flash activation key.

Example 4-2 shows sample output from the show activation-key command.

Example 4-2 show activation-key Command Output

Pix(config)# show activation-key
Serial Number: 480221353 (0x1c9f98a9)
Running Activation Key: 0x66df4255 0x36dc5fc 0x28d2ec4d 0x09f6287f
Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES: Enabled