For review only. Please do not distribute

DRAFT May 2003. All rights reserved.

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0

Module 13

PIX Failover and System Maintenance

Learning Objectives

Upon completion of this chapter, you will be able to perform the following tasks:

• Define the primary, secondary, active, and standby PIX Firewalls.
• Describe how failover works.
• Identify the failover interface tests.
• Define failover, LAN-based failover, and stateful failover.
• Configure stateful failover.
• Configure LAN-based stateful failover.


Learning Objectives (cont.)

Upon completion of this chapter, you will be able to perform the following tasks:

• Configure Telnet access to the PIX Firewall console.
• Configure SSH access to the PIX Firewall console.
• Configure command authorization.
• Recover PIX Firewall passwords using general password recovery procedures.
• Use TFTP to install and upgrade the software image on the PIX Firewall.


Overview

This module will cover serial cable failover and LAN-based failover. Instructions will be given on how to configure each one of these in a network environment. Conducting system maintenance via remote access, configuring a PIX Firewall to support command authorization, and performing image and activation key upgrades on PIX Firewalls will also be covered.


Key terms

• Failover
• Stateful Failover
• Stateless Failover
• LAN-based Failover
• Serial Failover
• SSH


Understanding Failover



Failover

The primary and secondary units must:

• Be the same model number.
• Have identical software versions and activation key types.
• Have the same amount of Flash memory and RAM.


IP Addresses for Failover

• When actively functioning, the primary PIX Firewall uses system IP addresses and media access control (MAC) addresses.
• When on standby, the secondary PIX Firewall uses a set of failover IP addresses and MAC addresses.

Configuration Replication

Configuration replication occurs:

• When the standby firewall completes its initial bootup.
• As commands are entered on the active firewall.
• By entering the write standby command.


Failover and Stateful Failover

• Failover
  – Connections are dropped.
  – Client applications must reconnect.
  – Provides redundancy.
• Stateful failover
  – TCP connections remain active.
  – No client applications need to reconnect.
  – Provides redundancy and stateful connection.


Cabling for Stateful Failover



Failover Interface Test

• Link Up/Down test—Testing the NIC itself.
• Network Activity test—Testing received network activity.
• ARP test—Reading the PIX Firewall’s ARP cache for the ten most recently acquired entries.
• Broadcast Ping test—Sending out a broadcast ping request.


Serial Failover Configuration



Overview of Configuring Failover with a Failover Serial Cable

Complete the following tasks to configure failover with a failover serial cable:

• For each interface you plan to use, attach a network cable from the primary firewall interface to its corresponding interface on the secondary firewall.
• Connect the failover cable between the primary and secondary firewalls.
• Configure the primary firewall for failover and save the configuration to Flash memory.
• Power on the secondary firewall.


Step 1—Cabling the Firewalls



Step 2—Connecting the
Failover Cable



Step 3—Configuring the Primary PIX Firewall

Complete the following steps to configure the primary firewall:

• Assign names and security levels to each interface you plan to use.
• Specify a speed for each interface you plan to use.
• Assign an IP address to each interface you plan to use.
• Set the PIX Firewall clock.
• Set the MTU size. (This is optional for stateful failover.)
• Enable failover.
• Assign a failover IP address for each interface.
• Specify the name of a dedicated stateful failover interface. (This is optional for stateful failover.)
• Set the failover poll time.
• Use the write memory command to save the configuration to Flash memory.


Configuring the Primary PIX Firewall (Cont.)

pixfirewall(config)#
failover [active]
• Enables failover between the active and standby PIX Firewalls.

pixfirewall(config)#
failover ip address if_name ip_address
• Creates an IP address for the standby PIX Firewall.

pixfirewall(config)#
failover link [stateful_if_name]
• Enables stateful failover.

pixfirewall(config)#
failover poll seconds
• Specifies how long failover waits before sending special failover hello packets between the primary and secondary firewalls.

pixfirewall(config)# failover
pixfirewall(config)# failover ip address MYFAILOVER 172.17.0.7
pixfirewall(config)# failover link MYFAILOVER
pixfirewall(config)# failover poll 10

Step 4—Powering on
the Secondary Firewall



Failover Commands

pixfirewall(config)#
failover replicate http
• Enables the stateful replication of HTTP sessions.

pixfirewall(config)#
write standby
• Stores configuration to the failover standby firewall.

pixfirewall(config)#
failover reset
• Forces both firewalls back to an unfailed state.


failover mac address Command

pixfirewall(config)#
failover mac address mif_name act_mac stn_mac
• Enables you to configure a virtual MAC address for a PIX Firewall failover pair.

pixfirewall(config)# failover ip address outside 192.168.0.7
pixfirewall(config)# failover ip address inside 10.0.0.7
pixfirewall(config)# failover ip address dmz 172.16.0.7
pixfirewall(config)# failover ip address MYFAILOVER 172.17.0.7
pixfirewall(config)# failover mac address outside 00a0.c989.e481 00a0.c969.c7f1
pixfirewall(config)# failover mac address inside 00a0.c976.cde5 00a0.c922.9176
pixfirewall(config)# failover mac address dmz 00a0.c969.87c8 00a0.c918.95d8
pixfirewall(config)# failover mac address MYFAILOVER 00a0.c959.e341 00a0.c696.c7g2


show failover Command

Before failover:

pixfirewall(config)# show failover
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
Poll frequency 3 seconds
This host: Primary - Active
Active time: 360 (sec)
Interface intf5 (127.0.0.1): Shut Down
Interface intf4 (127.0.0.1): Shut Down
Interface MYFAILOVER (172.17.0.1): Normal
Interface dmz (172.16.0.1): Normal
Interface outside (192.168.0.2): Normal
Interface inside (10.0.0.1): Normal
Other host: Secondary - Standby
Active time: 0 (sec)
Interface intf5 (127.0.0.1): Link Down
Interface intf4 (127.0.0.1): Link Down
Interface MYFAILOVER (172.17.0.7): Normal
Interface dmz (172.16.0.7): Normal
Interface outside (192.168.0.7): Normal
Interface inside (10.0.0.7): Normal

Stateful Failover Logical Update Statistics
Link : MYFAILOVER

After failover:

pixfirewall(config)# show failover
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
Poll frequency 3 seconds
This host: Primary - Standby (Failed)
Active time: 0 (sec)
Interface intf5 (127.0.0.1): Shut Down
Interface intf4 (127.0.0.1): Shut Down
Interface MYFAILOVER (172.17.0.7): Normal (Waiting)
Interface dmz (172.16.0.7): Normal (Waiting)
Interface outside (192.168.0.7): Normal (Waiting)
Interface inside (10.0.0.7): Failed (Waiting)
Other host: Secondary - Active
Active time: 150 (sec)
Interface intf5 (127.0.0.1): Link Down
Interface intf4 (127.0.0.1): Link Down
Interface MYFAILOVER (172.17.0.1): Normal (Waiting)
Interface dmz (172.16.0.1): Normal (Waiting)
Interface outside (192.168.0.2): Normal (Waiting)
Interface inside (10.0.0.1): Normal (Waiting)

Stateful Failover Logical Update Statistics
Link : MYFAILOVER


LAN-Based Failover
Configuration



LAN-Based Failover Overview

LAN-based failover:

• Provides long-distance failover functionality.
• Uses an Ethernet cable rather than the serial failover cable.
• Requires a dedicated LAN interface, but the same interface can be used for stateful failover.
• Requires a dedicated switch, hub, or VLAN.
• Uses message encryption and authentication to secure failover transmissions.


LAN-Based Failover Configuration Overview

Complete the following tasks to configure LAN-based failover:

• Verify that any switch port that connects to a PIX Firewall interface is configured to support LAN-based failover.
• Attach network cables except for the failover LAN interface.
• Configure the primary PIX Firewall.
• Save the primary firewall’s configuration to Flash memory.
• Power on the secondary firewall.
• Configure the secondary PIX Firewall with the minimum failover LAN command set.
• Save the secondary firewall’s configuration to Flash memory.
• Connect the LAN failover interface to the network.
• Reload the secondary firewall.


Steps 1 and 2—Preparing
Switches and Cables



Steps 3 and 4—Preparing the Primary PIX Firewall

pixfirewall(config)#
failover lan unit primary | secondary
• Designates a PIX Firewall as the primary or secondary firewall.

pixfirewall(config)#
failover lan interface if_name
• Specifies the LAN-based failover interface.

pixfirewall(config)#
failover lan key key_secret
• Enables encryption and authentication of LAN-based failover messages between PIX Firewalls.

pixfirewall(config)#
failover lan enable
• Enables LAN-based failover.


Steps 5, 6, and 7—Preparing the Secondary PIX Firewall

pixfirewall(config)# nameif ethernet3 MYFAILOVER security55
pixfirewall(config)# interface ethernet3 100full
pixfirewall(config)# ip address MYFAILOVER 172.17.0.1 255.255.255.0
pixfirewall(config)# failover ip address MYFAILOVER 172.17.0.7
pixfirewall(config)# failover lan unit secondary
pixfirewall(config)# failover lan interface MYFAILOVER
pixfirewall(config)# failover lan key 1234567
pixfirewall(config)# failover lan enable


Steps 8 and 9—Connecting the Interfaces
and Reloading the Secondary Firewall



show failover Command with LAN-Based Failover

pixfirewall(config)# show failover
Failover On
Cable status: Unknown
Reconnect timeout 0:00:00
Poll frequency 15 seconds
This host: Primary - Standby
Active time: 255 (sec)
Interface outside (192.168.0.2): Normal
Interface inside (10.0.0.1): Normal

Other host: Secondary - Active
Active time: 256305 (sec)
Interface outside (192.168.0.7): Normal
Interface inside (10.0.0.7): Normal

Stateful Failover Logical Update Statistics
Link : Unconfigured.

Lan Based Failover is Active
interface MYFAILOVER (172.17.0.1): Normal, peer(172.17.0.7):Normal
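The two show failover outputs in this module (the serial-cable pair after a failover and this LAN-based pair) parsed into monitoring findings. This is an added example, not course material: the two sample outputs are constructed from the slides, and a poller that collects show failover from the unit would feed its text to assess() to catch a silent failover, a failed interface, or a pair running without a stateful link.

```python
"""Parse PIX 6.x 'show failover' output into monitoring findings. Added example, not course
material; the two samples below are constructed from the output shown on the slides."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
HOST_RE = re.compile(r"^(?:This|Other) host:\s*(Primary|Secondary)\s*[-\u2013]\s*(Active|Standby)(\s*\(Failed\))?", re.I)
IFACE_RE = re.compile(r"^Interface\s+(\S+)\s+\(([\d.]+)\):\s*(.+)$", re.I)
LAN_PEER_RE = re.compile(r"^interface\s+\S+\s+\([\d.]+\):\s*\w+,\s*peer\(([\d.]+)\):\s*(\w+)", re.I)
STATEFUL_LINK_RE = re.compile(r"^Link\s*:\s*(.+?)\.?$", re.I)

@dataclass
class HostState:
    role: str            # Primary or Secondary
    state: str           # Active or Standby
    failed: bool         # "(Failed)" printed after the state
    interfaces: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # name -> (ip, status)

@dataclass
class FailoverReport:
    enabled: bool = False
    cable_status: str = ""                      # "Unknown" is expected with LAN-based failover
    hosts: List[HostState] = field(default_factory=list)
    stateful_link: Optional[str] = None         # None when the output says "Link : Unconfigured."
    lan_peer: Optional[Tuple[str, str]] = None  # (peer ip, peer status); only for LAN-based failover

def parse_show_failover(text: str) -> FailoverReport:
    rep, host = FailoverReport(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("failover on"):
            rep.enabled = True
        elif line.lower().startswith("cable status:"):
            rep.cable_status = line.split(":", 1)[1].strip()
        elif m := HOST_RE.match(line):
            host = HostState(m.group(1).capitalize(), m.group(2).capitalize(), m.group(3) is not None)
            rep.hosts.append(host)
        elif m := LAN_PEER_RE.match(line):      # before IFACE_RE: both lines begin with "interface"
            rep.lan_peer = (m.group(1), m.group(2))
        elif (m := IFACE_RE.match(line)) and host is not None:
            host.interfaces[m.group(1)] = (m.group(2), m.group(3))
        elif m := STATEFUL_LINK_RE.match(line):
            rep.stateful_link = None if m.group(1).lower().startswith("unconfigured") else m.group(1)
    return rep

def assess(rep: FailoverReport) -> List[str]:
    """Findings an operator should act on; an empty list means the pair looks healthy."""
    if not rep.enabled:
        return ["failover is not enabled"]
    out: List[str] = []
    if rep.lan_peer is None and rep.cable_status.lower() != "normal":
        out.append(f"serial failover cable status is '{rep.cable_status}'")
    for h in rep.hosts:
        if h.failed:
            out.append(f"{h.role} unit is marked Failed")
        if h.role == "Secondary" and h.state == "Active":
            out.append("Secondary is Active: a failover has occurred, check the Primary")
        for name, (ip, status) in h.interfaces.items():
            if status.lower().startswith("failed"):
                out.append(f"{h.role} interface {name} ({ip}) is Failed")
    if rep.stateful_link is None:
        out.append("no stateful failover link: TCP connections are dropped at failover")
    if rep.lan_peer and rep.lan_peer[1].lower() != "normal":
        out.append(f"LAN failover peer {rep.lan_peer[0]} is {rep.lan_peer[1]}")
    return out

SERIAL_AFTER_FAILOVER = """\
Failover On
Cable status: Normal
This host: Primary - Standby (Failed)
Interface inside (10.0.0.7): Failed (Waiting)
Other host: Secondary - Active
Interface inside (10.0.0.1): Normal (Waiting)
Link : MYFAILOVER
"""

LAN_BASED = """\
Failover On
Cable status: Unknown
This host: Primary - Standby
Other host: Secondary - Active
Link : Unconfigured.
Lan Based Failover is Active
interface MYFAILOVER (172.17.0.1): Normal, peer(172.17.0.7):Normal
"""

if __name__ == "__main__":
    for label, sample in (("serial", SERIAL_AFTER_FAILOVER), ("lan", LAN_BASED)):
        print(label, assess(parse_show_failover(sample)))
```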


Remote Access



Configuring Telnet Access to the PIX Firewall Console

pixfirewall(config)#
telnet ip_address [netmask] [if_name]
• Specifies which hosts can access the PIX Firewall console via Telnet.

pixfirewall(config)#
telnet timeout minutes
• Sets the maximum time a console Telnet session can be idle before being logged off by the PIX Firewall.

pixfirewall(config)#
passwd password [encrypted]
• Sets the password for Telnet access to the PIX Firewall.

pixfirewall(config)# telnet 10.0.0.11 255.255.255.255 inside
pixfirewall(config)# telnet timeout 15
pixfirewall(config)# passwd telnetpass


Viewing and Disabling Telnet

pixfirewall(config)#
show telnet
• Displays IP addresses permitted to access the PIX Firewall via Telnet.

pixfirewall(config)#
clear telnet
• Removes Telnet access from a previously authorized IP address.

pixfirewall(config)#
who [local_ip]
• Enables you to view which IP addresses are currently accessing the PIX Firewall console via Telnet.

pixfirewall(config)#
kill telnet_id
• Terminates a Telnet session.

SSH Connections to the PIX Firewall

SSH connections to the PIX Firewall:

• Provide secure remote access.
• Provide strong authentication and encryption.
• Require RSA key pairs for the PIX Firewall.
• Require DES or 3DES activation keys.
• Allow up to five SSH clients to simultaneously access the PIX Firewall console.
• Use the Telnet password for local authentication.


Configuring SSH Access to the PIX Firewall Console

pixfirewall(config)#
ca zeroize rsa
• Removes any previously generated RSA keys.

pixfirewall(config)#
ca save all
• Saves the CA state.

pixfirewall(config)#
domain-name name
• Configures the domain name.

pixfirewall(config)#
ca generate rsa key | specialkey key_modulus_size
• Generates an RSA key pair.

pixfirewall(config)#
ssh ip_address [netmask] [interface_name]
• Specifies the host or network authorized to initiate an SSH connection.

pixfirewall(config)#
ssh timeout mm
• Specifies how long a session can be idle before being disconnected.


Connecting to the PIX Firewall with an SSH Client

(Figure: an SSH client at 172.26.26.50 logs in with username pix and the Telnet password, shown as telnetpassword.)

pixfirewall(config)# ca zeroize rsa
pixfirewall(config)# ca save all
pixfirewall(config)# domain-name cisco.com
pixfirewall(config)# ca generate rsa key 768
pixfirewall(config)# ca save all
pixfirewall(config)# ssh 172.26.26.50 255.255.255.255 outside
pixfirewall(config)# ssh timeout 30

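An added audit of the Telnet, SSH, passwd and LAN-failover commands covered in this module, not code from the course: it reads a PIX 6.x configuration and flags console access statements wider than a single host, cleartext Telnet, a missing passwd, and LAN-based failover enabled without a failover lan key. Both configurations in the block are constructed (the second follows the slide examples); the checks for an explicit idle timeout and for per-user aaa authentication ... console are policy assumptions rather than module requirements.

```python
"""Audit the remote-access and LAN-failover commands of a PIX 6.x configuration.
Added example, not course material. Both configurations below are constructed: one
weak, one following the slides. Checks encode the module's guidance plus stated assumptions."""
import ipaddress
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]   # (severity, message)
ACCESS_RE = re.compile(r"^(telnet|ssh)\s+(\d+\.\d+\.\d+\.\d+)(?:\s+(\d+\.\d+\.\d+\.\d+))?(?:\s+(\S+))?$")

def audit_pix_config(config: str) -> List[Finding]:
    cmds = [ln.strip() for ln in config.splitlines() if ln.strip() and not ln.lstrip().startswith("!")]
    def has(prefix: str) -> bool:
        return any(c.startswith(prefix) for c in cmds)
    enabled: Dict[str, bool] = {"telnet": False, "ssh": False}
    out: List[Finding] = []
    for c in cmds:
        m = ACCESS_RE.match(c)
        if not m:                       # 'telnet timeout 15' and 'ssh timeout 30' do not match
            continue
        proto, addr, mask, ifname = m.group(1), m.group(2), m.group(3) or "255.255.255.255", m.group(4)
        enabled[proto] = True
        hosts = ipaddress.IPv4Network((addr, mask), strict=False).num_addresses
        if hosts > 1:                   # anything wider than one host widens the console attack surface
            out.append(("high" if hosts > 256 else "medium", f"{proto} console access open to {hosts} hosts: '{c}'"))
        if proto == "telnet":
            out.append(("high" if ifname == "outside" else "medium",
                        f"Telnet is cleartext, so the console password crosses the network: '{c}'"))
    for proto in ("telnet", "ssh"):
        if not enabled[proto]:
            continue
        if not has(f"{proto} timeout "):   # assumption: policy wants an explicit idle timeout, not the default
            out.append(("low", f"no '{proto} timeout' configured; the default idle timeout applies"))
        if not has(f"aaa authentication {proto} console "):   # assumption: per-user accounts wanted
            out.append(("low", f"{proto} logins use only the shared Telnet password; "
                               f"'aaa authentication {proto} console' gives per-user accounts"))
    if (enabled["telnet"] or enabled["ssh"]) and not has("passwd "):
        out.append(("high", "no 'passwd' set: Telnet and SSH local logins rely on the Telnet password"))
    if has("failover lan enable") and not has("failover lan key "):
        out.append(("high", "LAN-based failover without 'failover lan key': failover messages are "
                            "neither encrypted nor authenticated"))
    return out

def highest_severity(findings: List[Finding]) -> str:
    order = {"high": 3, "medium": 2, "low": 1}
    return max((f[0] for f in findings), key=order.get, default="none")

# Constructed weak configuration: wide access masks, no timeouts, no failover key.
WEAK = """\
passwd telnetpass
telnet 10.0.0.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 outside
failover lan unit primary
failover lan interface MYFAILOVER
failover lan enable
"""

# Constructed from the slide examples, plus per-user AAA console authentication.
HARDENED = """\
passwd telnetpass
telnet 10.0.0.11 255.255.255.255 inside
telnet timeout 15
aaa authentication telnet console LOCAL
ssh 172.26.26.50 255.255.255.255 outside
ssh timeout 30
aaa authentication ssh console LOCAL
failover lan unit primary
failover lan interface MYFAILOVER
failover lan key 1234567
failover lan enable
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        for sev, msg in audit_pix_config(cfg):
            print(f"{name:8} {sev:6} {msg}")
```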
Viewing, Disabling, and Debugging SSH

pixfirewall(config)#
show ssh sessions [ip_address]
• Enables you to view the status of your SSH sessions.

pixfirewall(config)#
ssh disconnect session_id
• Disconnects an SSH session.

pixfirewall(config)#
clear ssh
• Removes all SSH command statements from the configuration.

pixfirewall(config)#
debug ssh
• Enables SSH debugging.


Command Authorization



Command Authorization Overview

Command authorization is characterized by the following:

• Its purpose is to securely and efficiently administer the PIX Firewall.
• It has the following types:
  – Enable-level command authorization with passwords.
  – Command authorization using the local user database.
  – Command authorization using ACS.


Enable-Level Command Authorization

To configure and use enable-level command authorization, complete the following tasks:

• Use the enable command to create privilege levels and assign passwords to them.
• Use the privilege command to assign specific commands to privilege levels.
• Use the aaa authorization command to enable the command authorization feature.
• Use the enable command to access the desired privilege level.


Create and Password-Protect Your Privilege Levels

pixfirewall(config)#
enable password pw [level priv_level] [encrypted]
• Configures enable passwords for the various privilege levels.

pixfirewall(config)# enable password Passw0rD level 10

pixfirewall(config)#
enable [priv_level]
• Provides access to a particular privilege level from the > prompt.

pixfirewall> enable 10
Password: Passw0rD
pixfirewall#

Assign Commands to Privilege Levels and Enable Command Authorization

pixfirewall(config)#
privilege [show | clear | configure] level level [mode enable | configure] command command
• Configures user-defined privilege levels for PIX Firewall commands.

pixfirewall(config)#
aaa authorization command LOCAL | tacacs_server_tag
• Enables command authorization.

pixfirewall(config)# enable password Passw0rD level 10
pixfirewall(config)# privilege show level 8 command access-list
pixfirewall(config)# privilege configure level 10 command access-list
pixfirewall(config)# aaa authorization command LOCAL

pixfirewall> enable 10
Password: Passw0rD
pixfirewall# config t
pixfirewall(config)# access-list . . .


Command Authorization Using the Local User Database

To configure and use command authorization with the local user database, complete the following tasks:

• Use the privilege command to assign specific commands to privilege levels.
• Use the username command to create user accounts in the local user database and assign privilege levels to the accounts.
• Use the aaa authorization command to enable command authorization.
• Use the aaa authentication command to enable authentication using the local database.
• Use the login command to log in and access privilege levels.


Creating User Accounts in the Local Database

pixfirewall(config)#
username username nopassword | password password [encrypted] [privilege level]
• Configures the username for the specified privilege level.

pixfirewall(config)# username admin password passw0rd privilege 15
pixfirewall(config)# username kenny password chickadee privilege 14


Configuring Authentication with the Local Database

pixfirewall(config)#
aaa authentication [serial | enable | telnet | ssh | http] console group_tag
• Enables user authentication.

pixfirewall(config)# privilege configure level 10 command access-list
pixfirewall(config)# username kenny password chickadee privilege 10
pixfirewall(config)# aaa authorization command LOCAL
pixfirewall(config)# aaa authentication enable console LOCAL

pixfirewall> login
Username: kenny
Password: chickadee
pixfirewall# config t
pixfirewall(config)# access-list . . .


Command Authorization Using ACS

To configure and use ACS command authorization, complete the following tasks:

• Create a user profile on the TACACS+ server with all the commands that the user is permitted to execute.
• Use the aaa-server command to specify the TACACS+ server.
• Use the aaa authentication command to enable authentication with a TACACS+ server.
• Use the aaa authorization command to enable command authorization with a TACACS+ server.


aaa authorization Command for Command Authorization with ACS

pixfirewall(config)#
aaa authorization command LOCAL | tacacs_server_tag
• Enables command authorization.

pixfirewall(config)# aaa-server MYTACACS protocol tacacs+
pixfirewall(config)# aaa-server MYTACACS (inside) host 10.0.0.11 thekey timeout 20
pixfirewall(config)# aaa authentication enable console MYTACACS
pixfirewall(config)# aaa authorization command MYTACACS


Viewing Your Command Authorization Configuration

pixfirewall(config)#
show privilege [all | command command | level level]
• Displays the privileges for a command or set of commands.

pixfirewall(config)#
show curpriv
• Displays the user account that is currently logged in.


Lockout

pixfirewall(config)# privilege configure level 10 command access-list
pixfirewall(config)# username kenny password chickadee privilege 10
pixfirewall(config)# aaa authorization command LOCAL
pixfirewall(config)# aaa authentication enable console LOCAL

pixfirewall> login
Username: kenny
Password: chickadee
pixfirewall# config t
pixfirewall(config)# access-list . . .


Activation Keys



Entering a New Activation Key

pixfirewall(config)#
activation-key activation-key-four-tuple
• Updates the activation key on your PIX Firewall.

pixfirewall(config)# activation-key 0x12345678 0xabcdef01 0x2345678ab 0xcdef01234


Upgrading the Image and the Activation Key

To upgrade the image and the activation key at the same time, complete the following steps:

• Step 1—Install the new image.
• Step 2—Reboot the system.
• Step 3—Update the activation key.
• Step 4—Reboot the system.


Troubleshooting the Activation Key Upgrade

Problem and Message | Resolution
The activation key you entered is the same as the Running key. | Either the activation key has already been upgraded or you need to enter a different key.
The Flash image and the Running image differ. | Reboot the PIX Firewall and re-enter the activation key.
The activation key is not valid. | Either you made a mistake entering the activation key or you need to obtain a valid activation key.


Password Recovery
and Image Upgrade



Password Recovery

• Download the following file from CCO: npXX.bin (where XX = the PIX Firewall image version number).
• Reboot the system and break the boot process when prompted to go into monitor mode.
• Set the interface, IP address, gateway, server, and file to tftp the previously downloaded image.
• Follow the directions displayed.

Image Upgrade

pixfirewall(config)#
copy tftp[:[[//location][/tftp_pathname]]] flash[:[image | pdm]]
• Enables you to change software images without accessing the TFTP monitor mode.

pixfirewall(config)# copy tftp://172.26.26.50/pix611.bin flash
• The TFTP server at IP address 172.26.26.50 receives the command and determines the actual file location from its root directory information. The server then downloads the TFTP image to the PIX Firewall.


Summary



Summary

• The primary and secondary PIX Firewalls are the two firewalls used for failover. The primary PIX Firewall is usually active, while the secondary PIX Firewall is usually standby, but during failover the primary PIX Firewall goes on standby while the secondary becomes active.
• The configuration of the primary PIX Firewall is replicated to the secondary PIX Firewall during configuration replication.
• During failover connections are dropped, while during stateful failover connections remain active.
• There are four interface tests to ensure that the PIX Firewalls are running:
  – Link Up and Down test
  – Network Activity test
  – ARP test
  – Broadcast Ping test

Summary (cont.)

• LAN-based failover enables you to use Ethernet cabling with a dedicated hub, switch or VLAN for long-distance failover.
• SSH provides secure remote management of the PIX Firewall.
• TFTP is used to upgrade the software image on PIX Firewalls.
• You can configure three different types of command authorization: enable-level with password, local command authorization, and ACS command authorization.
• The PIX Firewall can be configured to permit multiple users to access its console simultaneously via Telnet.
• You can enable Telnet to the PIX Firewall on all interfaces.
• Password recovery for the PIX Firewall requires a TFTP server.

