Monday, June 20, 2011

Chapter 5: Managing a Cisco ASA (Part04)

5-5: Configuring AAA for End-User Cut-Through Proxy

Add a note hereA firewall can be configured to require users to authenticate before connections are permitted. As soon as an authentication is successful, it is cached and used to permit subsequent connections from the same user.

Add a note hereThe firewall functions as an authentication proxy, because cached authentication information is used in place of repeated authentication credentials entered by the user. Connections simply “cut through” the firewall in a very efficient fashion.

Add a note hereDevices that initiate connections but cannot participate in authentication (Cisco IP phones, for example) can be exempted from AAA and allowed to pass through the firewall.

Add a note here Authenticating Users Passing Through

Add a note hereYou can use the following steps to configure AAA authentication for cut-through proxy users:

  1. Add a note here(Optional) List protocols that trigger authentication:

    Add a note hereFirewall(config)# aaa authentication {include | exclude} service if_name
    local_ip local_mask [foreign_ip foreign_mask] server_tag

    Add a note hereTo trigger user authentication, use the include keyword and identify the triggering protocol as service. This usually is a protocol that can support native authentication, where a username and password exchange is possible. These are telnet, ssh, ftp, http, and https, which can also be written as tcp/23, tcp/22, tcp/21, tcp/80, and tcp/443, respectively.

    Add a note hereYou can also specify other types of traffic as udp/port, tcp/port, icmp/type, or protocol/port (the IP protocol number and port number). You can use 0 for a port or type to indicate a wildcard for any value, as in tcp/0 for any TCP port. Notice that these values always pertain to the destination port and never the source port.


    Note

    Add a note here Be aware that the cut-through proxy authentication process can be triggered only with Telnet, SSH, FTP, HTTP, or HTTPS traffic. If you specify other types of traffic, those packets are dropped unless the user has already authenticated and has a cut-through proxy session already initiated.

    Add a note hereAuthentication is triggered for connections initiated from the firewall interface named if_name (“inside,” for example) from local addresses defined by local_ip and local_mask. You can define specific destination addresses by foreign_ip and foreign_mask if needed. To indicate a wildcard local or foreign address, you can use 0s or the any keyword for the address and mask values.

    Add a note hereAuthentication is performed by contacting the server group name server_tag. This can be a TACACS+ group name, a RADIUS group name, or the firewall itself with the LOCAL keyword.


    Tip

    Add a note hereWith the include keyword, no traffic is allowed to pass from a given user (source address) until that user has successfully authenticated using Telnet, FTP, HTTP, or HTTPS. You can define protocols that are allowed to pass without authentication by using the exclude keyword.

  2. Add a note here(Optional) Use an access list to trigger authentication:

    Add a note hereFirewall(config)# aaa authentication match acl_name if_name server_tag

    Add a note hereHere, an access list named acl_name is used to match connections that are initiated from hosts on the firewall interface named if_name. Protocols that can be authenticated are defined in permit statements in the access list.

    Add a note hereBecause this is the most specific method of traffic authentication, it is also the preferred method. You can make the matching conditions very specific by giving the local (source) and foreign (destination) addresses. Remember that the matching protocol is always specified as the destination port in the access list entry.

    Add a note hereThe authentication server group named server_tag is used to handle the actual authentication. This can be a TACACS+ server group name, a RADIUS server group name, or the firewall itself as LOCAL.

    Add a note here For example, all IP traffic coming from source addresses 172.16.0.0/24 should be authenticated before being passed through the firewall. In addition, all HTTP and HTTPS connections initiated from the inside interface should be authenticated. Authentication is handled by servers assigned to the default TACACS+ server group. The following commands can be used to accomplish this:

    Add a note hereFirewall(config)# access-list AuthList1 permit ip 172.16.0.0 255.255.255.0
    any
    Firewall(config)# access-list AuthList1 permit tcp any any eq http
    Firewall(config)# access-list AuthList1 permit tcp any any eq https
    Firewall(config)# aaa authentication match AuthList1 inside TACACS+
  3. Add a note here(Optional) Use SSL for all web-related authentication:

    Add a note hereFirewall(config)# aaa authentication secure-http-client

    Add a note hereBy default, if a user initiates authentication with Telnet, FTP, or HTTP traffic, his or her username and password credentials are collected as cleartext through a popup browser window. You can use this command to force the firewall to use SSL to collect this information securely with encryption.


    Note

    Add a note hereA firewall supports only 16 simultaneous SSL sessions for the initial user authentication. Any connections that require additional SSL sessions are dropped until a new session can be started.

  4. Add a note here(Optional) Exempt devices from authentication.

    1. Add a note hereDefine a list of exempt MAC addresses:

      Add a note hereFirewall(config)# mac-list id {deny | permit} mac macmask

      Add a note hereThe device list is named id (an arbitrary text name). You can permit the device to pass without authentication or deny it from doing so. The device is identified by its Media Access Control (MAC) address mac (in dotted-triplet form, as in 1111.2222.3333) and a MAC address mask macmask (in dotted-triplet format, where a 1 bit matches and a 0 bit ignores). To match a single-device MAC address, the macmask is given as ffff.ffff.ffff.

      Add a note hereYou can repeat this command to define multiple MAC addresses in a single list. For example, the following MAC list allows the host using MAC address 0006.5b02.a841 or 0040.9646.6cf6 to initiate connections without authentication:

      Add a note hereFirewall(config)# mac-list Exemptions permit 0006.5b02.a841 ffff.ffff.ffff
      Firewall(config)# mac-list Exemptions permit 0040.9646.6cf6 ffff.ffff.ffff

      Note

      Add a note here If you decide to list device MAC addresses here, those devices must be located on the firewall interface’s IP subnet. In other words, they cannot lie beyond a router, or their MAC addresses will become obscured by the router.

      Add a note hereAny devices not explicitly permitted or denied in a MAC address control list are subject to any other authentication methods that are configured on the firewall interface.

    2. Add a note hereApply the list to authentication:

      Add a note hereFirewall(config)# aaa mac-exempt match id

      Add a note hereThe MAC address control list named id is used to permit or deny specific hosts from passing without authentication.

  5. Add a note here(Optional) Limit per-user proxy connections:

    Add a note hereFirewall(config)# aaa proxy-limit {proxy_limit | disable}

    Add a note hereBy default, a firewall supports cut-through proxy for up to 16 concurrent active connections per user. You can change this limit to proxy_limit (1 to 128 concurrent connections per user) or disable the limit completely.

  6. Add a note here(Optional) Adjust the cut-through proxy session timer.

    Add a note hereThe firewall keeps two timers for each user’s connection activity after a successful authentication: an absolute timer and an inactivity timer.

    1. Add a note hereAdjust the absolute timer:

      Add a note hereFirewall(config)# timeout uauth hh[:mm[:ss]] absolute

      Add a note hereBy default, the absolute timer is used to require a user to reauthenticate if a new connection is initiated at least 5 minutes after the previous authentication. This timer runs for each user who authenticates with the cut-through proxy feature. The user must authenticate again if a new connection begins after the timer has expired, even if other connections are active or still initiating.

      Add a note hereYou can set the absolute timer by giving the hours, minutes, and seconds duration. Notice that minutes and seconds are both optional. It might seem intuitive that giving two digits (60, for example) would mean seconds, but in fact it means hours.

    2. Add a note hereAdjust the inactivity timer:

      Add a note hereFirewall(config)# timeout uauth hh[:mm[:ss]] inactivity

      Add a note hereBy default, the inactivity timer is set to 0, which disables it for each user. You can use this timer to require a user to reauthenticate only after all his or her connections become idle or inactive (no data passed) for a period of time. Opening a new connection also resets the counter.

      Add a note here You can set the inactivity timer by giving the hours, minutes, and seconds duration. Notice that minutes and seconds are both optional. It might seem intuitive that giving two digits (60, for example) would mean seconds, but in fact it means hours.


Tip

Add a note hereSetting and using the user authentication (uauth) timers is a bit of a trade-off. The absolute timer forces a strict authentication policy, making users reauthenticate again and again at regular intervals. This can be beneficial to protect access to sensitive data, but it also can be a nuisance to the end users.

Add a note hereThe inactivity timer is less secure but more user-friendly. As long as a connection is kept alive, the user is not asked to authenticate again.

Add a note hereYou can use both timers to gain some benefits from each. Always make sure that the inactivity timer is set to a value less than the absolute timer. In addition, the absolute timer must be set to a value less than the xlate timer. The idea is to require an absolute timer authentication only after all sessions become inactive. Any existing xlate entries for the user’s connections should also stay alive until both types of timers have expired and the user has been given a chance to reauthenticate.

Add a note hereYou can use the show timeout command to see the current values of all connection timers. For example, this firewall is configured to reauthenticate users after their connections have been idle for 15 minutes and at regular 30-minute intervals:

Add a note hereFirewall# show timeout
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:30:00 absolute uauth 0:15:00 inactivity
Firewall#

Add a note here Authorizing User Activity with TACACS+ Servers

Add a note hereYou can follow these steps to configure traffic authorization using AAA and TACACS+ servers:

  1. Add a note hereList protocols that require authorization:

    Add a note hereFirewall(config)# aaa authorization {include | exclude} service if_name
    local_ip local_mask foreign_ip foreign_mask server_tag

    Add a note hereThe protocol that must be authorized for a user is identified as service with the include keyword. The protocol can be telnet, ftp, http, any, or protocol/port (decimal IP protocol number and decimal port number).

    Add a note here Connections using this protocol are initiated on the firewall interface named if_name from local addresses defined by local_ip and local_mask. You can define specific destination addresses by foreign_ip and foreign_mask if needed. To indicate a wildcard local or foreign address, use 0s for the address and mask values. This is similar to the any keyword in Cisco router IOS software.

    Add a note hereAuthorization is performed by contacting the TACACS+ server group name server_tag. For example, the following commands cause the firewall to generate requests to see if the users are authorized to initiate FTP and Telnet connections. All other connection types are authorized without explicit AAA authorization requests.

    Add a note hereFirewall(config)# aaa authorization include ftp inside 0 0 0 0 TACACS_Farm
    Firewall(config)# aaa authorization include telnet inside 0 0 0 0 TACACS_Farm
  2. Add a note here(Optional) Use an access list to trigger authorization:

    Add a note hereFirewall(config)# aaa authorization match acl_name if_name server_tag

    Add a note hereHere, an access list named acl_name is used to match connections that are initiated from the firewall interface named if_name. Protocols that are checked for authorization are defined in permit statements in the access list. You can make the matching conditions very specific by giving the local (source) and foreign (destination) addresses.

    Add a note hereThis is the preferred method of defining authorization, because the access list is the most scalable and easiest to administer. Remember that the matching protocol is always specified as the destination port in the access list entry.

    Add a note hereThe TACACS+ server group named server_tag is used to handle the actual authorization.

  3. Add a note hereConfigure a user’s TACACS+ profile.

    Add a note hereTo authorize a user to use a protocol, you must configure the user’s profile on the TACACS+ server. TACACS+ has a facility to authorize only commands to be executed; therefore, the protocol is considered a “command” even though it is not.

    Add a note hereYou should configure the command by using any of the valid keywords or protocol/port definitions that are supported by the aaa authorization {include | exclude} command. For example, you can use the telnet, ssh, ftp, http, or https keyword along with an optional permitted destination address. You can give the permitted address as any or .* if no granularity is required.

    Add a note hereFor example, suppose a CiscoACS server is configured with a command authorization set called guests that allows HTTP, ICMP, SMTP, and DNS traffic from any host. Figure 5-5 shows the Shell Command Authorization Set configuration page. Each of the protocols is listed as a “command” by using a keyword or the protocol/port.

    Add a note here Image from book
    Add a note hereFigure 5-5: Sample Configuration of CiscoACS Traffic Authorization

    Add a note here You then apply the shell command authorization set to a User Setup or Group Setup in CiscoACS by selecting it from the drop-down list. Figure 5-6 shows how the guests set is configured for a group of users.

    Add a note here Image from book
    Add a note hereFigure 5-6: Applying Traffic Authorization to a User Group in CiscoACS

Add a note here Authorizing User Activity with RADIUS Servers

Add a note here User authorization is not available as a part of the RADIUS protocol. However, if you have only RADIUS servers available and you need to set up authorization for user traffic, you can use access lists to emulate authorization.

Add a note hereThe RADIUS server can be configured to return a reference to an access list that is based on a user’s authorization. The firewall can use the access list information to permit or deny the user’s connections as they are initiated. You have two ways to approach RADIUS authorization:

  • Add a note hereThe RADIUS server returns the name of an access control list (ACL) that is defined locally on the firewall.

  • Add a note hereThe RADIUS server returns the contents of an ACL that is downloaded and used by the firewall. The ACL is actually defined on the RADIUS server, not on the firewall.

Add a note here You can use the following steps to configure RADIUS user authorization:

  1. Add a note here(Optional) Reference an ACL from the AAA server.

    1. Add a note hereConfigure access lists to permit specific traffic:

      Add a note hereFirewall(config)# access-list acl_name permit protocol any foreign_ip
      foreign_mask operator port

      Add a note hereAdd a permit access list entry for a protocol and destination address that should be allowed for a user. Normally, the access list entries are configured for groups of users so that one policy can be applied to multiple users.

      Add a note hereRemember that the access list has an implicit deny any any at the end, so any traffic not specifically permitted in the list is rejected.

    2. Add a note hereAdd the access list name to the RADIUS user profiles.

      Add a note hereThe RADIUS server simply returns a text value for attribute 11 from the user’s profile. This is returned when the user authenticates, so RADIUS authentication must also be configured on the firewall. Attribute 11 is called filter-id. When the firewall receives this attribute value, it uses it to reference an access list by the same name.

      Add a note hereOn a CiscoACS server, begin by making the filter-id parameter available to user or group configurations. Go to Interface Configuration, select RADIUS(IETF), and make sure that attribute [011]Filter-Id is checked for User and/or Group.

      Add a note hereNext, go to User Setup or Group Setup, select a user or group, and click Edit Settings. In the IETF RADIUS Attributes section, look for attribute [011]Filter-Id. Check that box and enter the name of the ACL in the text box.

      Add a note hereFor example, suppose an ACL named acl_http_only is used to “authorize” or control a user’s access through a firewall. Only HTTP and HTTPS connections are allowed. First, the access list must be configured on the firewall with the following commands:

      Add a note hereFirewall(config)# access-list acl_http_only permit tcp any any eq www
      Firewall(config)# access-list acl_http_only permit tcp any any eq https

      Add a note hereNext, the user (or group) profile in CiscoACS must be configured with the ACL name as RADIUS attribute 11, as shown in Figure 5-7.

      Add a note here Image from book
      Add a note hereFigure 5-7: Defining the Filter-Id Attribute in CiscoACS


      Tip

      Add a note here If attribute 11 (shown as [011]Filter-Id in CiscoACS) is not defined for a user, the AAA server does not return that attribute. In this case, traffic is assumed to be authorized.

      Add a note hereIf attribute 11 is defined for a user on the AAA server but the corresponding ACL is not configured on the firewall, all traffic for that user is denied. This is because a nonexistent ACL is being referenced.

      Add a note hereInstead of attribute 11, you can also use a vendor-specific attribute-value pair. Use vendor 9 attribute 1, with the value text acl=acl_id.

  2. Add a note here(Optional) Download an ACL from the RADIUS server.

    Add a note hereRather than preconfiguring ACLs on the firewall to authorize user traffic, you can use a RADIUS server to download the actual ACL content to the firewall. ACLs can be downloaded per user or per group. In either case, the ACL is actually downloaded during user authentication so that it is available when the users begin initiating connections. ACLs can be created on the RADIUS server at the same time a new user is added, making the administration a bit easier.

    Add a note here When the RADIUS profile is being edited, you can choose a “downloadable ACL” and enter the ACL contents exactly as you would in a firewall session.

    Add a note hereIf the firewall is configured for RADIUS authentication, it also begins accepting any downloadable ACLs that are returned in a RADIUS exchange. The firewall requests an ACL download only if the specified ACL is not already configured on the firewall. No other authorization commands are necessary.

    1. Add a note hereCreate the downloadable ACL on the RADIUS server.

      Add a note hereIn CiscoACS, go to Shared Profile Components and select Downloadable IP ACLs. Click the Add button to create a new ACL. Give the ACL a name and an optional description.

      Add a note hereTo configure the ACL contents, click the Add button. You must enter the ACL name again, along with the actual ACL permit or deny statements in the ACL Definitions text box. As soon as the ACL contents are in place, click the Submit button.

      Add a note here Figure 5-8 shows an example in which a downloadable ACL called http_only has been created.

      Add a note here Image from book
      Add a note hereFigure 5-8: An Example of a Downloadable ACL in CiscoACS

      Add a note here You should see a list of downloadable ACLs that includes the new ACL as well as the CiscoACS default called permit_anything.

    2. Add a note hereAssign the downloadable ACL to a user or group.

      Add a note hereIn CiscoACS, go to User Setup or Group Setup. In the Downloadable ACSs section, check the Assign IP ACL box and select the appropriate ACL from the drop-down list. In Figure 5-9, the http_only ACL has been selected and will be downloaded when the user authenticates with the CiscoACS server.

      Add a note here Image from book
      Add a note hereFigure 5-9: Assigning a Downloadable ACL in CiscoACS

    3. Add a note hereEnable downloadable ACLs on the firewall:

      Add a note hereFirewall(config)# access-group access-list {in | out} interface if_name
      per-user-override

      Add a note hereAfter downloadable ACLs are accepted from a AAA server, they must be treated like any other access list—they must be applied to an interface. Therefore, you can use the per-user-override keyword when you apply an access list to an interface with the access-group command.

      Add a note here Any downloadable ACLs simply override the contents of the existing access list for a given end user. The access list statements are not replaced, however; the per-user ACL is evaluated first, ahead of the regular access list.


Tip

Add a note hereDownloadable ACLs are active only as long as the user is authenticated on the firewall. As soon as the uauth timer expires for a user, the corresponding downloadable ACL is removed. When the user initiates a new connection and authenticates again, the downloadable ACL is retrieved and put into service once more.

Add a note hereYou can verify downloadable ACLs on a firewall as they are being used. First, use the show uauth username and look for the access list that has been downloaded from the RADIUS server. This is indicated by a line beginning with access-list followed by the ACL name that was dynamically created. Next, use the show access-list command to see the current contents and counters for the ACL entries. The following example demonstrates this downloadable ACL verification process:

Add a note hereFirewall# show uauth dhucaby
user 'dhucaby' at 192.168.199.4, authenticated
access-list #ACSACL#-ASA-dhucaby_access_list-1cff1dd1
absolute timeout: 0:05:00
inactivity timeout: 0:00:00
Firewall#
Firewall# show access-list #ACSACL#-ASA-dhucaby_access_list-1cff1dd1
access-list #ACSACL#-ASA-dhucaby_access_list-1cff1dd1; 3 elements
access-list #ACSACL#-ASA-dhucaby_access_list-1cff1dd1
permit tcp any any eq http (hitcnt=17)
access-list #ACSACL#-ASA-dhucaby_access_list-1cff1dd1
permit tcp any 172.17.3.0 255.255.255.0 eq telnet (hitcnt=5)
access-list #ACSACL#-ASA-dhucaby_access_list-1cff1dd1
deny ip any any (hitcnt=201)
Firewall#

Add a note hereDownloaded ACLs always have this naming format:

Add a note here#ACSACL#-acl_name-versionID

Add a note herewhere acl_name is the name of the access list (ASA-dhucaby_access_list in the preceding example) and versionID is a string of digits that uniquely identifies the current ACL (1cff1dd1 in the example). If the ACL is updated on the RADIUS server, the versionID is changed.

Add a note here Keeping Accounting Records of User Activity

Add a note hereYou can use the following steps to configure user activity accounting using AAA servers:

  1. Add a note here(Optional) List protocols that will be tracked:

    Add a note hereFirewall(config)# aaa accounting {include | exclude} service if_name
    local_ip local_mask foreign_ip foreign_mask server_tag

    Add a note here The firewall sends accounting records when a user initiates a connection on the firewall interface named if_name with protocol service (telnet, ftp, http, any, or protocol/port), as long as you use the include keyword. You can further specify the user traffic by giving the local and foreign IP addresses and masks. You can also use a wildcard for any of the address and mask values by giving a 0 value.

    Add a note hereUsually, you can enter this command with the same arguments as the aaa authentication command. In this way, the firewall tracks the same connection activity for which it acts as a cut-through proxy. Accounting records are sent only to the active AAA server in the server group named server_tag. The active server is determined by the firewall’s AAA authentication feature.


    Tip

    Add a note hereIf you plan to generate accounting information for all user traffic involving a specific protocol, you can use this alternative form of the command:

    Add a note hereFirewall(config)# aaa accounting {include | exclude} service if_name
    server_tag
  2. Add a note here(Optional) Use an access list to trigger accounting:

    Add a note hereFirewall(config)# aaa accounting match acl_name if_name server_tag

    Add a note hereHere, an access list named acl_name is used to match connections that are initiated from the firewall interface named if_name. Protocols that are recorded are defined in permit statements in the access list.

    Add a note hereThis method of traffic accounting is preferred, because it is more scalable and easier to maintain. You can make the matching conditions very specific by giving the local (source) and foreign (destination) addresses. The AAA server group named server_tag is used to receive accounting information.

Add a note here AAA Cut-Through Proxy Configuration Examples

Add a note hereIn a sample network, user authentication is used on a firewall to require users on the inside to authenticate before initiating outbound connections. Users located on the 192.168.128.0/27 subnet should have all traffic except outbound DNS requests subject to authentication. The DNS traffic should be allowed without authentication so that users can resolve host names.

Add a note hereThree TACACS+ servers are available on the inside network:

  • Add a note here192.168.4.10

  • Add a note here192.168.4.11

  • Add a note here192.168.4.12

Add a note hereThese are tried in succession until a responsive server is found. User authentication should be performed over an HTTPS session so that username and password credentials are encrypted from the client to the firewall. (The TACACS+ exchanges between the firewall and the servers are encrypted as part of the TACACS+ protocol.)

Add a note hereAfter a user is authenticated, the firewall performs cut-through proxy service until the user’s sessions have been idle for one hour. After two hours, each user is required to reauthenticate.

Add a note hereYou can use the following configuration commands to satisfy the cut-through proxy requirements:

Add a note hereaaa-server tacacs-servers protocol tacacs+
aaa-server tacacs-servers (inside) host 192.168.4.10 SpecialKey99
aaa-server tacacs-servers (inside) host 192.168.4.11 SpecialKey99
aaa-server tacacs-servers (inside) host 192.168.4.12 SpecialKey99
aaa authentication include any inside 192.168.128.0 255.255.128.0 0 0 tacacs-servers
aaa authentication exclude udp/53 inside 192.168.128.0 255.255.128.0 0 0 tacacs-servers
aaa authentication secure-http-client
timeout uauth 1:00:00 inactivity
timeout uauth 2:00:00 absolute

Add a note hereRemember that only Telnet, SSH, FTP, HTTP, and HTTPS traffic can actually trigger a prompt for user authentication. What, then, is the point of excluding DNS for this example? Until a user authenticates, all traffic is dropped. By excluding DNS from authentication, those requests are allowed to pass on through, so the inside users might be able to resolve addresses and then initiate connections like HTTP that can trigger the actual authentication.

Add a note hereYou can also use an access list to trigger the authentication process. An access list might be preferable if you need fine granularity over combinations of source and destination addresses and protocols. The ACL and AAA commands required for the same example are as follows:

Add a note hereaccess-list acl_aaa_trigger permit ip 192.168.128.0 255.255.128.0 any
access-list acl_aaa_trigger deny udp 192.168.128.0 255.255.128.0 any eq domain
aaa authentication match acl_aaa_trigger inside tacacs-servers
aaa authentication secure-http-client

Add a note hereYou can also apply AAA to authorize end-user connections through the firewall. The following command makes all outbound connections from the inside users subject to authorization:

Add a note hereaaa authorization include any inside 192.168.128.0 255.255.128.0 0 0 tacacs-servers

Add a note hereEach new connection is presented to the active TACACS+_server in the tacacs-servers server group. The users or user groups must be configured in the TACACS+ servers to authorize the appropriate protocols.

Add a note hereFinally, the AAA servers are used to collect accounting information about end-user activity through the firewall. Only HTTP, HTTPS, and FTP connections are recorded. You can use the following firewall configuration commands to implement this accounting action:

Add a note hereaaa accounting include http inside 192.168.128.0 255.255.128.0 0 0 tacacs-servers
aaa accounting include tcp/443 inside 192.168.128.0 255.255.128.0 0 0 tacacs-servers
aaa accounting include ftp inside 192.168.128.0 255.255.128.0 0 0 tacacs-servers

5-6: Firewall Password Recovery

Add a note here If the first-level (Telnet) and privileged user (enable) passwords on a functioning Cisco firewall are unknown or have been forgotten, it is possible to recover control of the device. The password recovery procedure varies according to the firewall platform and is explained in the sections that follow.

Add a note here Recovering an ASA Password

Add a note hereOn an ASA, the configuration register is changed to allow booting without the startup configuration file. The ASA can boot its normal operating system image. Without the startup configuration, you can move directly into the privileged EXEC mode without having to use an enable password.

Add a note hereFollow these steps to recover from an unknown password:

  1. Add a note hereConnect to the ASA console.

  2. Add a note herePower cycle the ASA.

    Add a note hereThe ASA must be reloaded so that you have a chance to break out of the normal boot sequence and change the configuration register.

    Add a note hereIf the ASA is already running and you do not have the enable password, you will not be able to reload it unless you turn its power off and then back on.

  3. Add a note herePress the Escape key when you are prompted.

    Add a note hereWhen you see “Use BREAK or ESC to interrupt boot.”, you have 10 seconds to press the Escape (Esc) key. The ASA should end up at a rommon prompt, as in the following example.

    Add a note hereRebooting....
    Booting system, please wait...
    CISCO SYSTEMS
    Embedded BIOS Version 1.0(10)0 03/25/05 22:42:05.25

    Low Memory: 631 KB
    High Memory: 256 MB
    PCI Device Table.
    Bus Dev Func VendID DevID Class Irq
    00 00 00 8086 2578 Host Bridge
    00 01 00 8086 2579 PCI-to-PCI Bridge
    [device list output omitted]

    Evaluating BIOS Options ...
    Launch BIOS Extension to setup ROMMON

    Cisco Systems ROMMON Version (1.0(10)0) #0: Fri Mar 25 23:02:10 PST 2005

    Platform ASA5510

    Use BREAK or ESC to interrupt boot.
    [ESC pressed here]
    Use SPACE to begin boot immediately.
    Boot interrupted.

    Management0/0
    Ethernet auto negotiation timed out.
    Interface-4 Link Not Established (check cable).
    Default Interface number-4 Not Up
    Use ? for help.
    rommon #0>
  4. Add a note hereEdit the configuration register:

    Add a note hererommon #0> confreg

    Add a note hereThe confreg command displays the current configuration register contents and allows you to enter a new value. Be sure to write down the value that is shown so that you can restore it later.

    Add a note hereWhen you are prompted to change the configuration, enter y and press Enter. Then answer each of the questions by pressing the Enter key to accept the default value. The only exception is the “disable system configuration?” question; answer y and press the Enter key, as in the following example:

    Add a note hererommon #0> confreg
    Current Configuration Register: 0x00000001
    Configuration Summary:
    boot default image from Flash

    Do you wish to change this configuration? y/n [n]: y
    enable boot to ROMMON prompt? y/n [n]:
    enable TFTP netboot? y/n [n]:
    enable Flash boot? y/n [n]:
    select specific Flash image index? y/n [n]:
    disable system configuration? y/n [n]: y
    go to ROMMON prompt if netboot fails? y/n [n]:
    enable passing NVRAM file specs in auto-boot mode? y/n [n]:
    disable display of BREAK or ESC key prompt during auto-boot? y/n [n]:

    Current Configuration Register: 0x00000040
    Configuration Summary:
    boot ROMMON
    ignore system configuration
    Update Config Register (0x40) in NVRAM...
    rommon #1>

    Add a note here In the example, notice that the configuration register has gone from 0x00000001 to 0x00000040.

  5. Add a note hereReload the ASA:

    Add a note hererommon #1> boot

    Add a note hereIn the following example, the boot command is used to reload the ASA. At the end of the boot sequence, the console is left at the EXEC level prompt.

    Add a note hereLaunching BootLoader...
    Boot configuration file contains 2 entries.


    Loading disk0:/asa800-248-k8.bin... Booting...
    Loading...

    Processor memory 180940800, Reserved memory: 20971520 (DSOs: 0 + kernel: 20971520)
    [output omitted]
    Copyright 1996-2007 by Cisco Systems, Inc.

    Restricted Rights Legend

    Use, duplication, or disclosure by the Government is
    subject to restrictions as set forth in subparagraph
    (c) of the Commercial Computer Software - Restricted
    Rights clause at FAR sec. 52.227-19 and subparagraph
    (c) (1) (ii) of the Rights in Technical Data and Computer
    Software clause at DFARS sec. 252.227-7013.

    Cisco Systems, Inc.
    170 West Tasman Drive
    San Jose, California 95134-1706

    Ignoring startup configuration as instructed by configuration register.
    INFO: Converting to disk0:/
    Type help or '?' for a list of available commands.
    ciscoasa>
  6. Add a note hereEnter privileged EXEC mode.

    Add a note hereBecause the startup configuration file was ignored, the enable password is unset. Therefore, you can just press the Enter key with a blank password:

    Add a note hereciscoasa> enable
    Password:
    ciscoasa#
  7. Add a note here Restore the running configuration:

    Add a note hereciscoasa# copy startup-config running-config
    Destination filename [running-config]?
    Cryptochecksum (unchanged): e4cd72c3 e3a210b0 cafaccc4 eb376c85
    7028 bytes copied in 2.440 secs (3514 bytes/sec)
    Firewall#
  8. Add a note hereReset the passwords.

    Add a note hereNow that you are in privileged EXEC mode, you can edit the passwords that were previously stored in the configuration. Use the password and enable password commands to set the passwords to new, known values:

    Add a note hereFirewall# configure terminal
    Firewall(config)# password password
    Firewall(config)# enable password enablepass
  9. Add a note hereRestore the configuration register:

    Add a note hereFirewall(config)# config-register hex-value

    Add a note hereEnter the original configuration value you recorded in step 4, as in the following example:

    Add a note hereFirewall(config)# config-register ?
    configure mode commands/options:
    <0x0-0xffffffff> Configuration register value
    Firewall(config)# config-register 0x00000001
    Firewall(config)#
  10. Add a note hereSave the running configuration:

    Add a note hereFirewall# copy running-config startup-config

    Add a note hereAs soon as the running configuration is saved into the startup configuration file, the firewall uses the new passwords the next time it is reloaded.


    Tip

    Add a note hereYou can use the show version command to see the configuration register settings at any time. The register contents are shown toward the end of the output, as in the following example:

    Add a note hereFirewall# show version
    Cisco Adaptive Security Appliance Software Version 8.0(0)248
    Device Manager Version 6.0(0)120
    [output omitted]
    Serial Number: JKX1014K074
    Running Activation Key: 0x70192e4e 0x507e3e04 0xa8f2f16c 0x85c40864
    0x4907ef91
    Configuration register is 0x40 (will be 0x1 at next reload)
    Configuration last modified by enable_15 at 12:25:07.492 EDT Fri Apr 20 2007
    Firewall#

Add a note here Recovering a PIX Password

Add a note here On a PIX platform, a password recovery utility must be downloaded to the firewall from a TFTP server. This procedure is very similar to upgrading the OS image from the PIX monitor prompt.

Add a note hereFollow these steps to reload and erase the PIX passwords:

  1. Add a note hereMake sure a TFTP server is available.

    Add a note hereThe TFTP server should have a copy of the correct PIX Password Lockout Utility software. You can find this utility on Cisco.com at http://www.cisco.com/warp/customer/110/npXX.bin

    Add a note herewhere XX is the PIX OS software release. For example, the utility for PIX OS 6.3 is called np63.bin.

  2. Add a note hereBoot the firewall to the monitor prompt.

    Add a note hereJust after booting the firewall, press the Esc key to break the normal bootup sequence.

  3. Add a note hereIdentify the TFTP server.

    1. Add a note hereIdentify the firewall interface where the TFTP server is located:

      Add a note heremonitor> interface number

      Add a note hereTFTP uses the interface with index number (0 to n – 1, where n is the number of interfaces installed). During the bootup sequence, the firewall lists the physical interfaces and their MAC addresses.

    2. Add a note hereAssign an IP address to that interface:

      Add a note heremonitor> address ip-address

      Add a note hereHere, the firewall needs just enough information to be able to contact the TFTP server. Only one physical interface can be used, so this IP address is applied to it. Because a subnet mask cannot be given, the firewall assumes a regular classful network mask (172.17.69.41 yields a Class B mask of 255.255.0.0, for example).

      Add a note hereIf your TFTP server is located on a different classful subnet, you can also specify a gateway address that can route between the firewall and the server. Use the following monitor command:

      Add a note heremonitor> gateway ip-address
    3. Add a note hereMake sure the firewall can reach the TFTP server.

      Add a note hereThe firewall must be able to reach the server with a minimal amount of routing. You can use the following monitor command to test reachability:

      Add a note heremonitor> ping ip-address
    4. Add a note here Define the TFTP server’s IP address:

      Add a note heremonitor> server ip-address
    5. Add a note hereDefine the utility filename to fetch:

      Add a note heremonitor> file npXX.bin

      Add a note hereThe utility file named npXX.bin (replace XX with the release number) is located in the TFTP server’s root directory. This is often called the /tftpboot directory, but it depends on how your TFTP server is configured.

  4. Add a note hereCopy the utility from the TFTP server:

    Add a note heremonitor> tftp

    Add a note hereWhen the download is complete, the utility runs and prompts you to clear the PIX passwords. If you answer y to the prompt, the firewall reloads, and the passwords are reset to their default values (enable_1 is cisco; enable_15 is blank).

Add a note here Recovering an FWSM Password

Add a note hereFollow these steps to reload and erase the FWSM passwords:

  1. Add a note hereBoot the FWSM into the maintenance partition:

    Add a note hereRouter# hw-module module slot-number reset cf:1
    Router# session slot slot-number processor 1

    Add a note hereFrom the Catalyst 6500 Supervisor IOS EXEC prompt, the FWSM in slot slot-number can be reset so that it reboots into its maintenance partition. Log in as the user root. The default root password is cisco.

  2. Add a note hereReset the passwords in the compact Flash configuration file:

    Add a note hereroot@localhost# clear passwd cf:partition_number
    root@localhost# exit

    Add a note hereThe FWSM compact Flash is organized into the five partitions listed in Table 5-4.

    Add a note here Table 5-4: FWSM Compact Flash Partitions
    Open table as spreadsheet

    Add a note herePartition

    Add a note hereFunction

    Add a note hereDescription

    Add a note herecf:1

    Add a note hereMaintenance

    Add a note hereUsed for module file maintenance and upgrades

    Add a note herecf:2

    Add a note hereNetwork configuration

    Add a note hereMaintenance image network configuration

    Add a note herecf:3

    Add a note hereCrash dump

    Add a note hereCrashinfo contents

    Add a note herecf:4

    Add a note hereApplication

    Add a note hereFirewall image and configuration

    Add a note herecf:5

    Add a note hereApplication

    Add a note hereAlternative image and configuration

    Add a note here To clear the passwords in the application partition, where the normal firewall image is executed, use partition-number 4 or 5, depending on which one contains the bootable image. For example, the clear passwd cf:4 command clears the passwords in the application partition 4 configuration file.

    Add a note hereYou are prompted to delete the password configuration commands (enable_1 becomes cisco; enable_15 becomes blank) and any AAA commands.

  3. Add a note hereReload the FWSM into the application partition:

    Add a note hereRouter# hw-module module slot-number reset cf:partition-number

    Add a note hereSpecify the partition number that contains the bootable firewall image.

    Add a note hereThe application partition image is booted. You can log in to the FWSM using the default passwords.


Tip

Add a note hereThe FWSM contains two types of partitions you can boot: the maintenance partition and the application partition. You can reset the passwords in either partition by first booting into the opposite partition. For example, as the preceding sequence of steps illustrates, you can reset the application partition passwords by booting into the maintenance partition. You also can reset the maintenance partition passwords by booting into the application partition.

Add a note hereYou cannot clear the passwords in the configuration of the partition that is booted, however. You can clear them only in a partition that is not currently in use.



No comments:

Post a Comment