PIX VPN and additional commands - PowerPoint PPT Presentation

About This Presentation
Title:

PIX VPN and additional commands

Description:

For the VPN user to be able to remotely access internal hosts, the VPN must ... Hardware is i82559 ethernet, address is 0sss.axxx.cxxx ... – PowerPoint PPT presentation

Provided by: michael1281

Transcript and Presenter's Notes

1
PIX VPN and additional commands
2
VPN
For the VPN user to be able to remotely access
internal hosts, the VPN must assign an internal
IP address.
3
VPN Review
  • PPTP using the Microsoft client authenticates via
    MS-CHAP or CHAP to the internal network.
  • We can configure the VPN to use IPsec within an
    L2TP tunnel.
  • We can use the Cisco VPN client to access the VPN
    using L2TP.
  • Authentication is done with the VPN group name
    and password.
  • Once the VPN group is authenticated, we can
    authenticate per user against the LOCAL database.
  • Alternative methods of authentication: TACACS and
    RADIUS servers.

4
VPN Continued
  • The Microsoft client does not allow tunneling of
    internet traffic, which is known as split
    tunneling.
  • The VPN user must configure the PIX to allow
    SPLIT TUNNELING in order for the user to VPN into
    the firewall and browse the internet THROUGH the
    VPN tunnel.

5
PIX Monitoring and Troubleshooting
  • Use the OSI model as a reference or starting
    place for troubleshooting.

6
Monitoring and Troubleshooting
7
OSI Model Quick Reference
  • Session layer -> Access Lists
  • Network layer -> NAT/PAT/Static/Global, IPsec/VPN,
    Routing
  • Data Link/Physical -> Hardware, Cabling

8
Hardware/Cabling
  • Cabling questions/issues?
  • Is the correct cable connected to the correct
    interface?
  • Is the correct end of the cable connected to the
    correct interface? (primarily with failover
    cables for higher-end PIX firewalls)
  • Is the correct cable type connected to the
    equipment? (crossover cables, rollover cables)
  • Are the cable pinouts correct? (check with cable
    tester)
  • Is the cable verified as good? (Test with cable
    tester or swap out with good equipment)

9
Troubleshooting Connectivity
  • To be effective, the PIX must be able to reach
    its destination.
  • Whenever you make a change to NAT, global,
    static, access lists or anything that depends on
    or is part of translation, get into the habit of
    issuing the clear xlate command to clear any
    current translations.

10
Check Addressing
  • Always make sure your device has valid IP
    addresses and that what you are trying to do
    makes networking sense. Packets cannot magically
    jump from one network to another without some
    gateway on their same network doing the
    translation.

11
Check Routing
  • Use a structured approach to isolate the problem.
  • PIX uses both static and dynamic routing.
  • For dynamic routing, PIX supports only RIP as a
    routing protocol.
  • show rip
  • Static default route:
  • route outside 0.0.0.0 0.0.0.0 172.17.14.1 metric 1
  • This command states that all traffic that does
    not match any of the local interfaces will be
    sent to the next hop of 172.17.14.1 (metric 1).
  • pix sh route
  • outside 0.0.0.0 0.0.0.0 172.17.14.1 1 OTHER static
  • inside 10.0.0.0 255.255.255.0 10.0.0.100 1 CONNECT CONNECT static
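As an added example (not part of the slides), a small Python routine that parses lines in the sh route format shown above and answers the "does this packet have a gateway on its own network" question from the previous slide by longest-prefix match; the route lines are a constructed sample copied from the slide, and the destination addresses are made up.

```python
import ipaddress

# Constructed sample in the format of the "sh route" output quoted above.
SH_ROUTE = """\
outside 0.0.0.0 0.0.0.0 172.17.14.1 1 OTHER static
inside 10.0.0.0 255.255.255.0 10.0.0.100 1 CONNECT CONNECT static
"""

def parse_routes(text):
    """Parse 'show route' lines: interface network mask gateway metric flags..."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # blank or unexpected line
        ifname, net, mask, gateway, metric = parts[:5]
        routes.append({
            "interface": ifname,
            "network": ipaddress.IPv4Network(f"{net}/{mask}", strict=False),
            "gateway": ipaddress.IPv4Address(gateway),
            "metric": int(metric),
            "connected": "CONNECT" in parts[5:],  # directly attached network
        })
    return routes

def lookup(routes, dst):
    """Longest-prefix match as the PIX forwards: the most specific route that
    contains dst wins, lower metric breaks ties; 0.0.0.0/0 only catches the rest."""
    dst = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if dst in r["network"]]
    if not matches:
        return None  # no route at all, not even a default: the packet is dropped
    return max(matches, key=lambda r: (r["network"].prefixlen, -r["metric"]))

def next_hop(routes, dst):
    """Return (interface, next-hop IP) or None. A directly connected destination
    is delivered on the interface itself, so its next hop is the destination."""
    r = lookup(routes, dst)
    if r is None:
        return None
    return (r["interface"], dst if r["connected"] else str(r["gateway"]))
```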

12
Checking Translation
  • PIX firewall performs address translation.
  • In order for internal networks to communicate
    with external networks, and vice versa, addresses
    must be translated.
  • Translation is NOT optional. Translation is the
    act of translating one IP address to another,
    which can be configured as one to one (NAT), or
    many to one (PAT)
  • pix sh nat
  • nat (inside) 0 access-list inside_outbound_nat0_acl
  • nat (inside) 1 10.0.0.0 255.255.255.0 0 0
  • pix sh global
  • global (outside) 1 interface

13
Checking Access
  • show access-list
  • access-list cached ACL log flows: total 0, denied
    0 (deny-flow-max 256)
  • alert-interval 300
  • access-list OUTBOUND line 15 deny tcp any eq 445
    any (hitcnt=0)
  • access-list OUTBOUND line 16 deny udp any any
    range snmp snmptrap (hitcnt=919)
  • access-list OUTBOUND line 17 deny udp any range
    snmp snmptrap any (hitcnt=0)
  • access-list OUTBOUND line 18 deny udp any any eq
    tftp (hitcnt=100)
  • access-list OUTBOUND line 19 deny udp any eq tftp
    any (hitcnt=0)
  • access-list OUTBOUND line 20 remark Allow
    anything else
  • access-list OUTBOUND line 21 permit ip any any
    (hitcnt=46716)
  • access-list OUTBOUND line 22 remark Egress ACL
    start allow ping
  • access-list OUTBOUND line 23 remark Block the MS
    ports and SNMP
  • access-list OUTBOUND line 24 remark Allow
    anything else
  • access-list OUTBOUND line 25 remark Egress ACL
    start allow ping
  • access-list OUTBOUND line 26 remark Block the MS
    ports and SNMP
  • access-list OUTBOUND line 27 remark Allow
    anything else
  • access-list OUTBOUND line 28 deny udp any eq 8118
    any (hitcnt=0)
  • access-list INBOUND; 8 elements
  • access-list INBOUND line 1 remark Ingress ACL
    allow ping and smtp

14
Checking Access
  • pix show access-group
  • access-group INBOUND in interface outside
  • access-group OUTBOUND in interface inside
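As an added example (not from the slides), a Python parser for lines in the show access-list format quoted on the two Checking Access slides, sorting the entries into what a reviewer wants to see: deny entries that are actually firing, broad permit entries carrying traffic, and entries with no hits. The sample output is constructed from the slide, and the INBOUND permit line is made up for the example.

```python
import re

# Constructed sample in the format of the "show access-list" output above
# (the INBOUND permit line is made up for the example).
SHOW_ACL = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
alert-interval 300
access-list OUTBOUND line 15 deny tcp any eq 445 any (hitcnt=0)
access-list OUTBOUND line 16 deny udp any any range snmp snmptrap (hitcnt=919)
access-list OUTBOUND line 18 deny udp any any eq tftp (hitcnt=100)
access-list OUTBOUND line 20 remark Allow anything else
access-list OUTBOUND line 21 permit ip any any (hitcnt=46716)
access-list INBOUND line 1 remark Ingress ACL allow ping and smtp
access-list INBOUND line 2 permit tcp any host 172.17.14.200 eq smtp (hitcnt=57)
"""

# One access-control entry per line; remarks and header lines do not match.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<action>permit|deny) "
    r"(?P<proto>\S+) (?P<match>.+?) \(hitcnt=(?P<hits>\d+)\)$"
)

def parse_aces(text):
    """Return one dict per access-control entry found in the output."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            d = m.groupdict()
            d["line"], d["hits"] = int(d["line"]), int(d["hits"])
            aces.append(d)
    return aces

def review(aces):
    """Group entries for a defender's review: denies with hits mean inside hosts
    are attempting the blocked traffic (here SNMP and TFTP out), broad permits
    show where traffic really flows, and zero-hit entries are dead or shadowed."""
    report = {"active_denies": [], "broad_permits": [], "unused": []}
    for a in aces:
        ref = (a["acl"], a["line"])
        if a["hits"] == 0:
            report["unused"].append(ref)
        elif a["action"] == "deny":
            report["active_denies"].append(ref)
        elif a["match"] == "any any":
            report["broad_permits"].append(ref)
    return report
```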

15
Show Interface
  • pix sh int
  • interface ethernet0 "outside" is up, line
    protocol is up
  • Hardware is i82559 ethernet, address is
    0sss.axxx.cxxx
  • IP address 172.17.14.200, subnet mask
    255.255.255.252
  • MTU 1500 bytes, BW 100000 Kbit full duplex
  • 3847417 packets input, 3961084158 bytes,
    0 no buffer
  • Received 106674 broadcasts, 0 runts, 0
    giants
  • 0 input errors, 0 CRC, 0 frame, 0
    overrun, 0 ignored, 0 abort
  • 2465807 packets output, 466808322 bytes,
    0 underruns
  • 0 output errors, 0 collisions, 0
    interface resets
  • 0 babbles, 0 late collisions, 0 deferred
  • 0 lost carrier, 0 no carrier
  • input queue (curr/max blocks) hardware
    (128/128) software (0/9)
  • output queue (curr/max blocks) hardware
    (0/28) software (0/1)
  • interface ethernet1 "inside" is up, line protocol
    is up
  • Hardware is i82559 ethernet, address is
    xxxx.xxxx.cxxx
  • IP address 10.0.0.100, subnet mask
    255.255.255.0
  • MTU 1500 bytes, BW 100000 Kbit full duplex
  • 2486094 packets input, 468622509 bytes, 0
    no buffer

16
Command Reference
  • show tech-support
  • Displays the running config and all pertinent
    statistics for the firewall.
  • show version (sh ver)
  • Includes interface information, serial numbers,
    PDM and IOS versions, as well as licensed features.
  • show perfmon -> performance monitor statistics

17
Capturing Traffic with the PIX
  • Cisco has provided a tool for capturing and
    analyzing network traffic as of IOS version 6.2.
  • The capture command allows the PIX to act as a
    packet sniffer (similar to Ethereal/Wireshark).
  • It captures both inbound and outbound traffic.

18
Capture Command
  • Usage: capture <capture-name> [access-list
    <acl-name>] [buffer <buf-size>]
    [ethernet-type <type>] [interface <if-name>]
    [packet-length <bytes>] [circular-buffer]
  • clear capture <capture-name>
  • no capture <capture-name> [access-list
    <acl_name>] [circular-buffer] [interface
    <if-name>]
  • show capture <capture-name> [access-list
    <acl-name>] [count <number>] [detail] [dump]

19
Capture Command
  • <capture-name> defines a name for this capture
    session; all other information is optional.
  • access-list specifies an access list to limit the
    source and destination of the traffic captured.
  • buffer specifies the size of the buffer (in
    bytes) used to store captured packets. Default
    is 512k. Once the buffer is filled, the capture
    stops.
  • ethernet-type specifies the protocols to capture:
    ip, arp, rarp, ip6 or any protocol number between
    1 and 65535.
  • interface specifies the interface on which to
    capture packets.

20
Capture Command
  • Once I have all this info, how can I view it?
  • Console:
  • show capture <capture-name> [access-list <ID>]
    [count <number>] [detail] [dump]
  • Display to a web browser:
  • https://<pix-ip-address>/capture/<capture-name>
  • Downloading captured traffic:
  • https://<pix-ip-address>/capture/<capture-name>/pcap
  • Copy using TFTP:
  • copy capture:<capture-name> tftp://location/filename
    pcap

21
Logging
  • show logging -> shows logging configuration
  • Logging levels (level - keyword - message):
  • 0 - emergency - system unusable
  • 1 - alert - immediate action needed
  • 2 - critical - critical condition
  • 3 - error - error condition
  • 4 - warning - warning condition
  • 5 - notification - normal but significant condition
  • 6 - informational - informational message only
  • 7 - debugging - only used during debugging