1111

2

Network Security 2

Module 8 – PIX Security Appliance Contexts, Failover, and Management

3

Learning Objectives

8.1 Configure a PIX Security Appliance to Perform in Multiple Context Mode

8.2 Configure PIX Security Appliance Failover

8.3 Configure Transparent Firewall Mode

8.4 PIX Security Appliance Management

4

Module 8 – PIX Security Appliance Contexts, Failover, and Management

8.1 Configure a PIX Security Appliance to Perform in Multiple Context Mode

5

Security Contexts

6

Common Uses for Security Contexts

7

Multiple Contexts Example

8

Context Configuration Files

9

Packet Classification

10

Backing up the Single Mode Configuration

11

Admin Context

12

Enabling Multiple Context Mode

13

Adding a Context

14

Removing a Context

15

Changing the Admin Context

16

Changing Between Contexts

17

Viewing Context Information

18

Module 8 – PIX Security Appliance Contexts, Failover, and Management

8.2 Configure PIX Security Appliance Failover

19

Hardware Failover

20

Hardware and Stateful Failover

21

Failover Requirements

22

Types of Failover Cabling

23

Serial Cable – Active/Standby Failover

24

LAN-Based Failover

• Provides long-distance failover functionality

• Uses an Ethernet cable rather than the serial failover cable

• Requires a dedicated LAN interface, but the same interface can be used for stateful failover

• Requires a dedicated switch, hub, or VLAN

• Uses message encryption and authentication to secure failover transmissions

25

Active/Active Failover

26

Active/Active Failover

27

Failover Tests

Hello packets are exchanged every 15 seconds.

When a failure occurs the PIX performs the following tests:

• Link Up/Down

• Network activity

• ARP

• Broadcast ping

28

Failover Configuration

• Attach a network cable for each interface

• Connect the failover cable

• Configure the failover parameters

• Power on the secondary PIX

29

Module 8 – PIX Security Appliance Contexts, Failover, and Management

8.3 Configure Transparent Firewall Mode

30

Transparent Versus Routed Firewall

31

Transparent Firewall Benefits

Easily integrated and maintained in existing network:

• IP readdressing not necessary.

• No NAT to configure.

• No IP routing to troubleshoot.

32

Transparent Firewall Guidelines

• Layer 3 traffic must be explicitly permitted.

• Each directly connected network must be on the same subnet.

• A management IP address is required for each context, even if you do not intend to use Telnet to the context.

• The management IP address must be on the same subnet as the connected network.

• Do not specify the PIX management IP address as the default gateway for connected devices.

• Devices need to specify the router on the other side of the PIX as the default gateway.

• Each interface must be a different VLAN interface

33

Unsupported Features

The following features are not supported in transparent firewall mode:

• NAT• Dynamic routing protocols• IPv6• DHCP relay• Quality of Service• Multicast• VPN termination for through

traffic

34

View the Current Firewall Mode

35

Enable Transparent Firewall Mode

36

Assigning the Management IP Address

37

Configure ACLs

38

Ethertype ACLs

39

ARP Inspection

40

MAC Address Table

41

Disable MAC Address Learning

42

Adding a Static MAC Address

43

Viewing the MAC Address Table

44

debug Commands

45

Module 8 – PIX Security Appliance Contexts, Failover, and Management

8.4 PIX Security Appliance Management

46

Configure Telnet Access

Default timeout is 5 minutes

47

SSH Connections to the PIX

SSH connections to the PIX Security Appliance:

• Provide secure remote access.

• Provide strong authentication and encryption.

• Require RSA key pairs for the PIX.

• Require AES or 3DES activation keys.

• Allow up to five SSH clients to simultaneously access the PIX console.

• Use the Telnet password for local authentication.

48

SSH Connections

49

Command authorization Overview

The purpose of command authorization is to securely and efficiently administer the PIX Security Appliance. It has the following types:

• Enable-level command authorization with passwords

• Command authorization using the local user database

• Command authorization using ACS

50

Create and Password Protect Privilege Levels

51

Configuring Command Authorization

52

Viewing Command Authorization Configuration

53

Lockout

54

Password Recovery ASA

55

Viewing Directory Contents

56

Viewing File Contents

57

Directory Management

58

Copying Files

59

Installing Software

60

File Backup

61

Viewing Version Information

62

Image Upgrade

63

Entering a New Activation Key

64

Upgrading the Image and Activation Key

Complete the following steps to upgrade the image and the activation key at the same time:

• Step 1: Install the new image.

• Step 2: Reboot the system.

• Step 3: Update the activation key.

• Step 4: Reboot the system.

65

Troubleshooting the Activation Key Upgrade