Networking/Cisco PIX

From popdata

Cisco ASA 5520 Firewall & VPN

Replaced the PIX 515e some time ago.
  • 2018-02-06 updated this wiki page via the ASDM Java management application.
    • ASA model 5525, software 9.1(7), flash 8192 MB
  • Security advisory tools.cisco.com/security/...20180129-asa1 affects us because AnyConnect uses "webvpn" with "ikev2". Cisco provides the fixed release (e.g. 9.1.7.23) free of charge: contact Cisco TAC with the product serial number and refer to the advisory URL.

Cisco PIX 515e Firewall

Cisco online configuration guide or local pdf

Interface config

The PIX has 6 physical ports: Ethernet 0, usually used for the outside network; Ethernet 1, usually used for the inside network; and a 4-port expansion card whose ports are numbered Ethernet 2 to Ethernet 5 from left to right.

Our assignments:

Port        Name     Use
Ethernet 0  outside  Connection to UBCnet
Ethernet 1  redzone  Connection to secondary firewall
Ethernet 2  clients  The various partner VLANs (via UBC switches)
Ethernet 3  dmz      DMZ networks that can be accessed from outside
Ethernet 4  undef    Not yet used
Ethernet 5  servers  Server networks from the partners

VLAN config

outside

VLAN   No   Subnet           Comment
CHSPR  647  137.82.131.0/24  Public subnet

clients

VLAN        No   Subnet         Comment
CHSPR-CLNT  647  10.40.10.0/24  CHSPR clients
PHLO-CLNT   81?  10.80.10.0/24  PHLO clients


dmz

VLAN       No  Subnet         Comment
CHSPR-NET  42  10.40.20.0/24  CHSPR Network Services
CHSPR-EML  43  10.40.30.0/24  CHSPR Email Services
CHSPR-WEB  44  10.40.40.0/24  CHSPR Web Services
PHLO-NET   82  10.80.20.0/24  PHLO Network Services
PHLO-EML   83  10.80.30.0/24  PHLO Email Services
PHLO-WEB   84  10.80.40.0/24  PHLO Web Services

servers

VLAN        No  Subnet         Comment
CHSPR-FP    45  10.40.50.0/24  CHSPR File & Print
PHLO-ADMIN  89  10.80.90.0/24  PHLO Admin Servers
PHLO-FP     85  10.80.50.0/24  PHLO File & Print (collaboratory)
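A consistency check over the VLAN plan above, added here as an example (not code from the original page or from Cisco): it flags VLAN numbers used by more than one VLAN, subnets that overlap, and tells you which firewall interface a given address sits behind, which is handy when reading firewall syslog. The rows are copied from the tables above; the PHLO-CLNT number is recorded as "81?" on the page and is assumed to be 81 here.

```python
"""Consistency checks for the firewall VLAN plan.

Added example, not code from the original page or from Cisco.  The rows are
copied from the VLAN tables above; the PHLO-CLNT number is "81?" on the page
and is assumed to be 81 here.
"""
import ipaddress
from collections import defaultdict

# (firewall interface, VLAN name, VLAN number, subnet)
VLAN_PLAN = [
    ("outside", "CHSPR",      647, "137.82.131.0/24"),
    ("clients", "CHSPR-CLNT", 647, "10.40.10.0/24"),
    ("clients", "PHLO-CLNT",  81,  "10.80.10.0/24"),   # assumed: page says "81?"
    ("dmz",     "CHSPR-NET",  42,  "10.40.20.0/24"),
    ("dmz",     "CHSPR-EML",  43,  "10.40.30.0/24"),
    ("dmz",     "CHSPR-WEB",  44,  "10.40.40.0/24"),
    ("dmz",     "PHLO-NET",   82,  "10.80.20.0/24"),
    ("dmz",     "PHLO-EML",   83,  "10.80.30.0/24"),
    ("dmz",     "PHLO-WEB",   84,  "10.80.40.0/24"),
    ("servers", "CHSPR-FP",   45,  "10.40.50.0/24"),
    ("servers", "PHLO-ADMIN", 89,  "10.80.90.0/24"),
    ("servers", "PHLO-FP",    85,  "10.80.50.0/24"),
]


def duplicate_vlan_ids(plan):
    """VLAN numbers assigned to more than one VLAN -> {number: [names]}.
    A tag reused on two firewall interfaces means a trunk misconfiguration
    would put hosts behind the wrong interface ACLs."""
    names_by_id = defaultdict(list)
    for _iface, name, vlan_id, _subnet in plan:
        names_by_id[vlan_id].append(name)
    return {v: names for v, names in names_by_id.items() if len(names) > 1}


def overlapping_subnets(plan):
    """Pairs of VLAN names whose subnets overlap (routing and ACL ambiguity)."""
    nets = [(name, ipaddress.ip_network(subnet)) for _i, name, _v, subnet in plan]
    return [(a, b) for i, (a, net_a) in enumerate(nets)
            for b, net_b in nets[i + 1:] if net_a.overlaps(net_b)]


def interface_for(plan, address):
    """(interface, VLAN name) an address belongs to, or None if it is in no
    listed subnet.  Useful to know which interface ACL a logged flow hit."""
    ip = ipaddress.ip_address(address)
    for iface, name, _vlan_id, subnet in plan:
        if ip in ipaddress.ip_network(subnet):
            return iface, name
    return None


if __name__ == "__main__":
    for vlan_id, names in duplicate_vlan_ids(VLAN_PLAN).items():
        print(f"VLAN {vlan_id} is used by {', '.join(names)}")
    for a, b in overlapping_subnets(VLAN_PLAN):
        print(f"subnets of {a} and {b} overlap")
    print(interface_for(VLAN_PLAN, "10.80.90.30"))
```

Run against the tables as written, it reports that VLAN 647 appears both as the public subnet and as CHSPR-CLNT, which is worth confirming against the switch configuration; no subnets overlap.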


OS Upgrade

  • Log in to the Cisco website (http://www.cisco.com/ -> login), username: phlo-cisco
  • Go to Downloads -> VPN Software -> Cisco PIX Security Appliances Software -> Download PIX Security Appliance Software
  • Get the Release Notes and the Guide for Cisco PIX 6.2 and 6.3 Users Upgrading to Cisco Security Appliance Software Version 7.0
  • Choose: asdm-522.bin and pix722.bin
  • Set up a TFTP server on a machine on the same network as the PIX
  • Put the two files in the TFTP directory on that machine
  • Connect a PC to the serial console port of the PIX with the blue console cable (DB9 connector)
  • Connect to the serial port with a terminal program (9600 baud, 8N1)
  • Log in and enter enable mode
  • reload
  • Hit escape when you see:
Cisco Secure PIX Firewall BIOS (4.2) #0: Mon Dec 31 08:34:35 PST 2001
Platform PIX-515E
System Flash=E28F128J3 @ 0xfff00000

Use BREAK or ESC to interrupt flash boot.
  • stuff missing here
  • enter: address 10.99.0.80 (the address the PIX uses while in monitor mode)
  • enter: server 10.99.0.12 (the address of the machine running the TFTP server)
  • enter: ping 10.99.0.12 ; you should get a 100% success rate
  • enter: file pix722.bin
  • enter: tftp ; the image is downloaded and booted
  • it is now running the new firmware from RAM only; we need to copy it to flash
  • enter: enable
  • copy it again, this time into flash
  • enter: copy tftp://10.99.0.12/pix722.bin flash:
  • enter: write memory
  • enter: reload
  • now do the same for ASDM
  • enter: copy tftp://10.99.0.12/asdm-522.bin flash:asdm
  • in config mode: asdm image flash:/asdm (if the ASDM image location is not already set)
  • enter: write memory
  • enter: reload
  • you can now go to https://10.99.0.80/ ; leave the username empty and log in with the enable password
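The procedure above copies the downloaded images straight into the TFTP directory. Cisco publishes an MD5 checksum next to each download, and checking it before the image is served to the firewall is the step that catches a truncated or tampered file. The following is an added example (not from the original page or from Cisco) that gates the TFTP staging on that check; the hash and paths in main() are placeholders, and the file used by demo() is a constructed dummy, not a PIX image.

```python
"""Verify a downloaded PIX/ASDM image against its published MD5 before
staging it in the TFTP root.

Added example, not part of the original page or a Cisco tool.  Cisco shows
an MD5 checksum next to each download; the hash and paths in main() are
placeholders (assumed), replace them with the values from the download page.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def md5_of(path):
    """Hex MD5 of a file, read in 1 MiB chunks so large images fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def stage_image(src, tftp_root, expected_md5):
    """Copy src into tftp_root only when its MD5 matches the published value.
    Raises ValueError otherwise, so a truncated or tampered download is never
    served to the firewall.  Returns the staged path."""
    actual = md5_of(src)
    if actual != expected_md5.lower():
        raise ValueError(f"{src}: MD5 {actual} != published {expected_md5}")
    dest = Path(tftp_root) / Path(src).name
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.copyfile(src, dest)
    return str(dest)


def demo():
    """Round trip with a constructed dummy file (not a real image) in a temp
    dir: returns (staged_ok, bad_hash_rejected)."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "pix722.bin"
        image.write_bytes(b"constructed dummy image, not PIX firmware\n" * 64)
        staged = stage_image(image, Path(tmp) / "tftp", md5_of(image))
        staged_ok = Path(staged).is_file()
        try:
            stage_image(image, Path(tmp) / "tftp", "0" * 32)
            rejected = False
        except ValueError:
            rejected = True
    return staged_ok, rejected


if __name__ == "__main__":
    print(demo())
    # Real use (placeholders): stage_image("pix722.bin", "/srv/tftp", "<md5 from cisco.com>")
```

MD5 is what Cisco publishes for these images, so that is what is compared here; it is an integrity check against download corruption and casual substitution, not a substitute for fetching the file over an authenticated session from cisco.com.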

ASDM GUI (java)

If you have Java installed, you can download the ASDM GUI Java application from the firewall: open one of https://137.82.131.69 or your gateway https://10.90.10.254 , log in and download asdm.jnlp .

Installing Java JDK or JRE for ASDM

    • Clicked on ~/Desktop/"ASDM on 10.90.10.254 from asdm.jnlp.desktop", opens "Icedtea-web 1.6.2ubuntu1" 4/16/16 8PM. Got signature complaints, then errors "too many redirect"
    • Cisco ASDM-IDM Launcher. Connecting to device. Enter username and password.
    • Authentication Required. Enter login details to access Authentication on /10.90.10.254 [yubikey]
    • Java console: "Trying for ASDM Version file; url = https://10.90.10.254/admin/"
    • Exception ... Caused by: java.net.ProtocolException: Server redirected too many times (20)
  • Get from Ryoko
    • 209674 [Poller] ERROR com.cisco.dmcommon.util.DMCommonEnv - Exception while parsing line:SA|ISAKMP_SAS|4294967292|IPSEC_SAS|2|MH|ISAKMP_SAS|4294967292|IPSEC_SAS|2|

Fixing the MSS exceeded messages

By default the firewall drops TCP segments whose payload is larger than the MSS the peer advertised in the handshake (syslog 419001, "MSS exceeded"). Connections to 10.80.90.30 (the bacula-tcp access-list) were being dropped this way, so the check is relaxed for that host only: the tcp-map is attached through a class-map scoped by access-list and applied on one interface, not to the global policy. Save with write memory afterwards. This only stops the drops for the matched connections; the segments are still oversized relative to the negotiated MSS, which usually points at a host or path that clamps MSS inconsistently and is worth fixing at the source.

phlo-fw1(config)# access-list bacula-tcp permit tcp any host 10.80.90.30
phlo-fw1(config)# class-map bacula-map1
phlo-fw1(config-cmap)# match access-list bacula-tcp
phlo-fw1(config-cmap)# exit
phlo-fw1(config)# tcp-map mss-map
phlo-fw1(config-tcp-map)# exceed-mss allow
phlo-fw1(config-tcp-map)# exit
phlo-fw1(config)# policy-map bacula-map1
phlo-fw1(config-pmap)# class bacula-map1
phlo-fw1(config-pmap-c)# set connection advanced-options mss-map
phlo-fw1(config-pmap-c)# exit
phlo-fw1(config-pmap)# exit
phlo-fw1(config)# service-policy bacula-map1 interface phlo-admin
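Before loosening the check it helps to confirm which host actually accounts for the drops and then scope the exception to that host. The following is an added example (not from the original page or from Cisco): it parses syslog lines in the 419001 "MSS exceeded" format, counts drops per endpoint so the common host stands out, and renders the same class-map/tcp-map/policy-map sequence used above for it. The log lines are constructed, and the interface names and ports in them are assumptions.

```python
"""Find which host is behind the firewall's "MSS exceeded" drops and render a
narrowly scoped exception for it.

Added example, not part of the original page.  The log lines below are
constructed in the documented 419001 format ("Dropping TCP packet from
if:ip/port to if:ip/port, reason: MSS exceeded, MSS n, data n"); the rendered
commands mirror the class-map/tcp-map/policy-map sequence used above.
"""
import re
from collections import Counter

MSS_DROP_RE = re.compile(
    r"%(?:ASA|PIX)-4-419001: Dropping TCP packet from "
    r"(?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+), "
    r"reason: MSS exceeded, MSS (?P<mss>\d+), data (?P<data>\d+)"
)

# Constructed sample syslog (not captured from the real firewall); interface
# names and ports are assumptions.  The last line is unrelated noise.
SAMPLE_LOG = """\
%ASA-4-419001: Dropping TCP packet from phlo-admin:10.80.90.30/9103 to servers:10.80.50.12/51234, reason: MSS exceeded, MSS 1380, data 1460
%ASA-4-419001: Dropping TCP packet from phlo-admin:10.80.90.30/9103 to servers:10.80.50.12/51234, reason: MSS exceeded, MSS 1380, data 1460
%ASA-4-419001: Dropping TCP packet from phlo-admin:10.80.90.30/9103 to dmz:10.80.40.7/40111, reason: MSS exceeded, MSS 1380, data 1460
%ASA-4-419001: Dropping TCP packet from servers:10.80.50.12/51234 to phlo-admin:10.80.90.30/9103, reason: MSS exceeded, MSS 1380, data 1448
%ASA-4-419001: Dropping TCP packet from outside:137.82.131.200/443 to clients:10.40.10.55/60000, reason: MSS exceeded, MSS 1380, data 1400
%ASA-6-302014: Teardown TCP connection 12345 for outside:137.82.131.200/443 to clients:10.40.10.55/60000 duration 0:00:10 bytes 1234 TCP FINs
"""


def parse_mss_drops(text):
    """One dict per 419001 line; every other syslog line is ignored."""
    return [m.groupdict() for line in text.splitlines() if (m := MSS_DROP_RE.search(line))]


def drop_counts_by_host(drops):
    """Drops per (interface, ip) endpoint.  Each line credits both ends, so a
    host that is oversized in either direction rises to the top."""
    counts = Counter()
    for d in drops:
        counts[(d["src_if"], d["src_ip"])] += 1
        counts[(d["dst_if"], d["dst_ip"])] += 1
    return counts


def oversize_by(drops):
    """Bytes by which each dropped segment exceeded the advertised MSS;
    a constant excess usually means one host ignores the clamped MSS."""
    return [int(d["data"]) - int(d["mss"]) for d in drops]


def render_exception(host_ip, interface, tag):
    """The scoped exception used above: only connections to host_ip bypass
    the MSS check, attached on one interface, nothing in the global policy."""
    return "\n".join([
        f"access-list {tag}-tcp permit tcp any host {host_ip}",
        f"class-map {tag}-map1",
        f" match access-list {tag}-tcp",
        "tcp-map mss-map",
        " exceed-mss allow",
        f"policy-map {tag}-map1",
        f" class {tag}-map1",
        "  set connection advanced-options mss-map",
        f"service-policy {tag}-map1 interface {interface}",
    ])


if __name__ == "__main__":
    drops = parse_mss_drops(SAMPLE_LOG)
    (iface, ip), n = drop_counts_by_host(drops).most_common(1)[0]
    print(f"{n} of {len(drops)} drops involve {iface}:{ip}; excess bytes {oversize_by(drops)}")
    print(render_exception(ip, iface, "bacula"))
```

On the sample, four of the five drops involve 10.80.90.30 on phlo-admin, and three of them exceed the MSS by the same 80 bytes, which is the pattern of a single misbehaving host rather than a path problem; the rendered commands are the ones applied above.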