Cisco Security Appliance Command Line Configuration Guide
For the Cisco PIX 500 Series
Software Version 7.0

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100

Customer Order Number: N/A, Online only
Text Part Number: OL-6721-01

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Follow Me Browsing, FormShare, iQ Breakthrough, iQ FastTrack, the iQ Logo, iQ Net Readiness Scorecard, Networking Academy, ScriptShare, SMARTnet, TransPath, and Voice LAN are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.

All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0301R)

Cisco Security Appliance Command Line Configuration Guide
Copyright © 2005 Cisco Systems, Inc. All rights reserved.
Contents

About This Guide xxi
    Document Objectives xxi
    Audience xxi
    Related Documentation xxii
    Document Organization xxii
    Document Conventions xxiv
    Obtaining Documentation xxv
        Cisco.com xxv
        Ordering Documentation xxv
    Documentation Feedback xxv
    Obtaining Technical Assistance xxvi
        Cisco Technical Support Website xxvi
        Submitting a Service Request xxvi
        Definitions of Service Request Severity xxvii
    Obtaining Additional Publications and Information xxvii

PART 1 Getting Started and General Information

CHAPTER 1 Introduction to the Security Appliance 1-1
    Firewall Functional Overview 1-1
        Security Policy Overview 1-2
            Permitting or Denying Traffic with Access Lists 1-2
            Applying NAT 1-2
            Using AAA for Through Traffic 1-2
            Applying HTTP, HTTPS, or FTP Filtering 1-3
            Applying Application Inspection 1-3
            Applying QoS Policies 1-3
            Applying Connection Limits and TCP Normalization 1-3
        Firewall Mode Overview 1-3
        Stateful Inspection Overview 1-4
    VPN Functional Overview 1-5
    Security Context Overview 1-5

CHAPTER 2 Getting Started 2-1
    Accessing the Command-Line Interface 2-1
    Setting Transparent or Routed Firewall Mode 2-2
    Working with the Configuration 2-3
        Saving Configuration Changes 2-3
        Viewing the Configuration 2-3
        Clearing and Removing Configuration Settings 2-4
        Creating Text Configuration Files Offline 2-4

CHAPTER 3 Enabling Multiple Context Mode 3-1
    Security Context Overview 3-1
        Common Uses for Security Contexts 3-2
        Unsupported Features 3-2
        Context Configuration Files 3-2
        How the Security Appliance Classifies Packets 3-3
        Sharing Interfaces Between Contexts 3-6
            Shared Interface Guidelines 3-7
        Cascading Security Contexts 3-9
        Logging into the Security Appliance in Multiple Context Mode 3-10
    Enabling or Disabling Multiple Context Mode 3-10
        Backing Up the Single Mode Configuration 3-10
        Enabling Multiple Context Mode 3-10
        Restoring Single Context Mode 3-11

CHAPTER 4 Configuring Ethernet Settings and Subinterfaces 4-1
    Configuring Ethernet Settings 4-1
    Configuring Subinterfaces 4-2

CHAPTER 5 Adding and Managing Security Contexts 5-1
    Configuring a Security Context 5-1
    Removing a Security Context 5-5
    Changing the Admin Context 5-5
    Changing Between Contexts and the System Execution Space 5-5
    Changing the Security Context URL 5-6
    Reloading a Security Context 5-7
        Reloading by Clearing the Configuration 5-7
        Reloading by Removing and Re-adding the Context 5-7
    Monitoring Security Contexts 5-8
        Viewing Context Information 5-8
        Viewing Resource Usage 5-9

CHAPTER 6 Configuring Interface Parameters 6-1
    Security Level Overview 6-1
    Configuring the Interface 6-2
    Allowing Communication Between Interfaces on the Same Security Level 6-4

CHAPTER 7 Configuring Basic Settings 7-1
    Changing the Enable Password 7-1
    Setting the Hostname 7-2
    Setting the Domain Name 7-2
    Setting the Date and Time 7-2
        Setting the Time Zone and Daylight Saving Time Date Range 7-3
        Setting the Date and Time Using an NTP Server 7-4
        Setting the Date and Time Manually 7-4
    Setting the Management IP Address for a Transparent Firewall 7-5

CHAPTER 8 Configuring IP Routing and DHCP Services 8-1
    Configuring Static and Default Routes 8-1
        Configuring a Static Route 8-2
        Configuring a Default Route 8-3
    Configuring OSPF 8-3
        OSPF Overview 8-4
        Enabling OSPF 8-5
        Redistributing Routes Between OSPF Processes 8-5
            Adding a Route Map 8-6
            Redistributing Static, Connected, or OSPF Routes to an OSPF Process 8-7
        Configuring OSPF Interface Parameters 8-8
        Configuring OSPF Area Parameters 8-10
        Configuring OSPF NSSA 8-11
        Configuring Route Summarization Between OSPF Areas 8-12
        Configuring Route Summarization When Redistributing Routes into OSPF 8-12
        Generating a Default Route 8-13
        Configuring Route Calculation Timers 8-13
        Logging Neighbors Going Up or Down 8-14
        Displaying OSPF Update Packet Pacing 8-14
        Monitoring OSPF 8-15
        Restarting the OSPF Process 8-15
    Configuring RIP 8-16
        RIP Overview 8-16
        Enabling RIP 8-16
    Configuring Multicast Routing 8-17
        Multicast Routing Overview 8-17
        Enabling Multicast Routing 8-18
        Configuring IGMP Features 8-18
            Disabling IGMP on an Interface 8-19
            Configuring Group Membership 8-19
            Configuring a Statically Joined Group 8-19
            Controlling Access to Multicast Groups 8-19
            Limiting the Number of IGMP States on an Interface 8-20
            Modifying the Query Interval and Query Timeout 8-20
            Changing the Query Response Time 8-21
            Changing the IGMP Version 8-21
        Configuring Stub Multicast Routing 8-21
        Configuring a Static Multicast Route 8-21
        Configuring PIM Features 8-22
            Disabling PIM on an Interface 8-22
            Configuring a Static Rendezvous Point Address 8-22
            Configuring the Designated Router Priority 8-23
            Filtering PIM Register Messages 8-23
            Configuring PIM Message Intervals 8-23
        For More Information about Multicast Routing 8-24
    Configuring DHCP 8-24
        Configuring a DHCP Server 8-24
            Enabling the DHCP Server 8-24
            Configuring DHCP Options 8-26
            Using Cisco IP Phones with a DHCP Server 8-26
        Configuring DHCP Relay Services 8-27
        Configuring the DHCP Client 8-28

CHAPTER 9 Configuring IPv6 9-1
    IPv6-enabled Commands 9-1
    Configuring IPv6 on an Interface 9-2
    Configuring IPv6 Default and Static Routes 9-3
    Configuring IPv6 Access Lists 9-4
    Verifying the IPv6 Configuration 9-5
        The show ipv6 interface Command 9-5
        The show ipv6 route Command 9-6
    Configuring a Dual IP Stack on an Interface 9-6
    IPv6 Configuration Example 9-7

CHAPTER 10 Configuring AAA Servers and the Local Database 10-1
    AAA Overview 10-1
        About Authentication 10-2
        About Authorization 10-2
        About Accounting 10-2
    AAA Server and Local Database Support 10-3
        Summary of Support 10-3
        RADIUS Server Support 10-4
            Authentication Methods 10-4
            Attribute Support 10-4
            RADIUS Functions 10-4
        TACACS+ Server Support 10-5
        SDI Server Support 10-6
            SDI Version Support 10-6
            Two-step Authentication Process 10-7
            SDI Primary and Replica Servers 10-7
        NT Server Support 10-7
        Kerberos Server Support 10-7
        LDAP Server Support 10-8
        Local Database Support 10-8
            User Profiles 10-8
            Local Database Functions 10-8
            Fallback Support 10-9
    Configuring the Local Database 10-9
    Identifying AAA Server Groups and Servers 10-11

CHAPTER 11 Configuring Failover 11-1
    Understanding Failover 11-1
        Failover System Requirements 11-2
            Hardware Requirements 11-2
            Software Requirements 11-2
            License Requirements 11-2
        The Failover and State Links 11-3
            Failover Link 11-3
            State Link 11-4
        Active/Active and Active/Standby Failover 11-5
            Active/Standby Failover 11-5
            Active/Active Failover 11-9
            Determining Which Type of Failover to Use 11-12
        Regular and Stateful Failover 11-13
            Regular Failover 11-13
            Stateful Failover 11-13
        Failover Health Monitoring 11-14
            Unit Health Monitoring 11-14
            Interface Monitoring 11-14
    Configuring Failover 11-15
        Configuring Active/Standby Failover 11-15
            Prerequisites 11-16
            Configuring Cable-Based Active/Standby Failover (PIX Security Appliance Only) 11-16
            Configuring LAN-Based Active/Standby Failover 11-17
            Configuring Optional Active/Standby Failover Settings 11-20
        Configuring Active/Active Failover 11-23
            Prerequisites 11-23
            Configuring Cable-Based Active/Active Failover (PIX Security Appliance Only) 11-23
            Configuring LAN-Based Active/Active Failover 11-25
            Configuring Optional Active/Active Failover Settings 11-28
        Configuring Failover Communication Authentication/Encryption 11-32
        Verifying the Failover Configuration 11-32
            Using the show failover Command 11-33
            Viewing Monitored Interfaces 11-41
            Displaying the Failover Commands in the Running Configuration 11-41
        Testing the Failover Functionality 11-41
    Controlling and Monitoring Failover 11-42
        Forcing Failover 11-42
        Disabling Failover 11-43
        Restoring a Failed Unit or Failover Group 11-43
        Monitoring Failover 11-43
            Failover System Messages 11-43
            Debug Messages 11-44
            SNMP 11-44
    Failover Configuration Examples 11-44
        Cable-Based Active/Standby Failover Example 11-45
        LAN-Based Active/Standby Failover Example 11-46
        LAN-Based Active/Active Failover Example 11-48

PART 2 Configuring the Firewall

CHAPTER 12 Firewall Mode Overview 12-1
    Routed Mode Overview 12-1
        IP Routing Support 12-2
        Network Address Translation 12-2
        How Data Moves Through the Security Appliance in Routed Firewall Mode 12-3
            An Inside User Visits a Web Server 12-4
            An Outside User Visits a Web Server on the DMZ 12-5
            An Inside User Visits a Web Server on the DMZ 12-6
            An Outside User Attempts to Access an Inside Host 12-7
            A DMZ User Attempts to Access an Inside Host 12-8
    Transparent Mode Overview 12-8
        Transparent Firewall Features 12-9
        Using the Transparent Firewall in Your Network 12-10
        Transparent Firewall Guidelines 12-10
        Unsupported Features in Transparent Mode 12-11
        How Data Moves Through the Transparent Firewall 12-12
            An Inside User Visits a Web Server 12-13
            An Outside User Visits a Web Server on the Inside Network 12-14
            An Outside User Attempts to Access an Inside Host 12-15

CHAPTER 13 Identifying Traffic with Access Lists 13-1
    Access List Overview 13-1
    Access List Types and Uses 13-2
        Access List Type Overview 13-2
        Controlling Network Access for IP Traffic (Extended) 13-2
        Identifying Traffic for AAA Rules (Extended) 13-3
        Controlling Network Access for IP Traffic for a Given User (Extended) 13-4
        Identifying Addresses for Policy NAT and NAT Exemption (Extended) 13-4
        VPN Access (Extended) 13-5
        Identify Traffic in a Class Map for Modular Policy Framework 13-5
        Controlling Network Access for Non-IP Traffic (EtherType) 13-6
        Redistributing OSPF Routes (Standard) 13-6
    Access List Guidelines 13-6
        Access Control Entry Order 13-6
        Access Control Implicit Deny 13-7
        IP Addresses Used for Access Lists When You Use NAT 13-7
    Adding an Extended Access List 13-9
    Adding an EtherType Access List 13-11
    Adding a Standard Access List 13-13
    Simplifying Access Lists with Object Grouping 13-13
        How Object Grouping Works 13-13
        Adding Object Groups 13-14
            Adding a Protocol Object Group 13-14
            Adding a Network Object Group 13-15
            Adding a Service Object Group 13-15
            Adding an ICMP Type Object Group 13-16
        Nesting Object Groups 13-17
        Using Object Groups with an Access List 13-18
        Displaying Object Groups 13-19
        Removing Object Groups 13-19
    Adding Remarks to Access Lists 13-20
    Time Range Options 13-20
    Logging Access List Activity 13-20
        Access List Logging Overview 13-21
        Configuring Logging for an Access Control Entry 13-22
        Managing Deny Flows 13-23

CHAPTER 14 Applying NAT 14-1
    NAT Overview 14-1
        Introduction to NAT 14-2
        NAT Control 14-3
        NAT Types 14-5
            Dynamic NAT 14-5
            PAT 14-6
            Static NAT 14-7
            Static PAT 14-7
        Bypassing NAT when NAT Control is Enabled 14-9
        Policy NAT 14-9
        NAT and Same Security Level Interfaces 14-12
        Order of NAT Commands Used to Match Real Addresses 14-13