• Failover
• Stateful Failover
• Stateless Failover
• LAN-based Failover
• Serial Failover
• SSH
Failover
• Assign names and security levels to each interface you plan to use.
• Specify a speed for each interface you plan to use.
• Assign an IP address to each interface you plan to use.
• Set the PIX Firewall clock.
• Set the MTU size. (This is optional for stateful failover.)
• Enable failover.
• Assign a failover IP address for each interface.
• Specify the name of a dedicated stateful failover interface. (This is optional for stateful failover.)
• Set the failover poll time.
• Use the write memory command to save the configuration to Flash memory.
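The steps above collected into one complete configuration for the primary unit. This is an added example and is not taken from the course slides: the interface hardware IDs, the interface names other than MYFAILOVER, the addresses, the speeds and the clock value are assumptions chosen for illustration, and the commands use PIX Firewall 6.x syntax. Comment lines are prefixed with a colon, as in a PIX configuration dump.

```cisco
: Assumed example configuration, not from the course material
: 1. Names and security levels for every interface in use
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 MYFAILOVER security20
: 2. Explicit speed/duplex on every interface in use (auto-negotiation is not
:    recommended on failover pairs, so the speed is pinned)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
: 3. System IP address on each interface (the standby unit takes the failover address)
ip address outside 192.0.2.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address MYFAILOVER 172.17.0.1 255.255.255.0
: 4. Clock (assumed value)
clock set 14:00:00 jun 15 2003
: 5. MTU on the stateful failover link (optional)
mtu MYFAILOVER 1500
: 6. Enable failover on this (primary) unit
failover
: 7. Failover (standby) IP address for each interface, including the stateful link
failover ip address outside 192.0.2.2
failover ip address inside 10.1.1.2
failover ip address MYFAILOVER 172.17.0.7
: 8. Dedicated interface that carries stateful connection-table updates
failover link MYFAILOVER
: 9. Hello interval in seconds between the two units
failover poll 10
: 10. Save to Flash so the configuration survives a reload
write memory
```

Once the secondary unit is cabled and powered on, show failover on either unit reports the unit state and the stateful update statistics. The stateful link carries connection-table updates without encryption, so it belongs on its own physically isolated segment; only LAN-based failover offers authenticated messages through failover lan key.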
failover [active]
pixfirewall(config)# failover
pixfirewall(config)# failover ip address MYFAILOVER 172.17.0.7
pixfirewall(config)# failover link MYFAILOVER
pixfirewall(config)# failover poll 10
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—13-19
Step 4—Powering on the Secondary Firewall
pixfirewall(config)#
write standby
• Stores configuration to the failover standby firewall.
pixfirewall(config)#
failover reset
• Forces both firewalls back to an unfailed state.
• Enables you to configure a virtual MAC address for a PIX Firewall failover pair.
Stateful Failover Logical Update Statistics
Link : MYFAILOVER
LAN-based failover:
pixfirewall(config)#
failover lan unit primary | secondary
pixfirewall(config)#
failover lan interface if_name
• Specifies the LAN-based failover interface.
pixfirewall(config)#
failover lan key key_secret
• Enables encryption and authentication of LAN-based failover messages between PIX Firewalls.
pixfirewall(config)#
failover lan enable
• Enables LAN-based failover.
• Specifies which hosts can access the PIX Firewall console via Telnet
pixfirewall(config)#
telnet timeout minutes
• Sets the maximum time a console Telnet session can be idle before being logged off by the PIX Firewall.
pixfirewall(config)#
clear telnet
• Removes Telnet access from a previously authorized IP address.
pixfirewall(config)#
who [local_ip]
• Enables you to view which IP addresses are currently accessing the PIX Firewall console via Telnet.
pixfirewall(config)#
kill telnet_id
• Terminates a Telnet session.
SSH Connections to the PIX Firewall
pixfirewall(config)#
ca save all
• Saves the CA state.
pixfirewall(config)#
ssh ip_address [netmask] [interface_name]
• Specifies the host or network authorized to initiate an SSH connection.
username: pix
password: telnetpassword
172.26.26.50
pixfirewall(config)#
ssh disconnect session_id
• Disconnects an SSH session.
pixfirewall(config)#
clear ssh
• Removes all SSH command statements from the configuration.
pixfirewall(config)#
debug ssh
• Enables SSH debugging.
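A complete SSH setup that ties the commands in this section together: generating the server key, authorizing a management subnet, and removing Telnet so that encrypted management is the only console path. This is an added example, not from the course slides; the hostname, domain name, management subnet, interface name and timeout are assumptions, the commands follow PIX Firewall 6.x syntax, and comment lines use the colon prefix of a PIX configuration dump.

```cisco
: Assumed example configuration, not from the course material
: The RSA key is named after hostname and domain name, so both must exist first
hostname pixfirewall
domain-name example.com
: Generate the server key pair and persist it (the CA state) to Flash
ca generate rsa key 1024
ca save all
: Password the SSH client must present; the user name is always "pix" and the
: same password protects Telnet, so choose it accordingly
passwd telnetpassword
: Permit SSH only from the management subnet reached through the inside interface
ssh 172.26.26.0 255.255.255.0 inside
: Drop idle SSH sessions after 5 minutes
ssh timeout 5
: Remove every previously authorized Telnet host so clear-text logins are gone
clear telnet
write memory
```

An SSH client then authenticates with user name pix and the password set by passwd. Active sessions are listed with show ssh sessions and can be ended with ssh disconnect session_id; because the same password serves Telnet, leaving Telnet authorized on any interface undoes the benefit of SSH.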
by the following:
• Its purpose is to securely and efficiently administer the PIX Firewall.
• It has the following types:
– Enable-level command authorization with passwords.
– Command authorization using the local user database.
– Command authorization using ACS.
pixfirewall(config)#
enable password pw [level priv_level] [encrypted]
pixfirewall(config)#
enable [priv_level]
• Provides access to a particular privilege level from the > prompt.
pixfirewall> enable 10
Password: Passw0rD
pixfirewall#
Assign Commands to Privilege Levels and Enable Command Authorization
pixfirewall(config)#
privilege [show | clear | configure] level level [mode
pixfirewall(config)#
aaa authorization command LOCAL | tacacs_server_tag
• Enables command authorization.
pixfirewall(config)# enable password Passw0rD level 10
pixfirewall(config)# privilege show level 8 command access-list
pixfirewall(config)# privilege configure level 10 command access-list
pixfirewall(config)# aaa authorization command LOCAL
pixfirewall> enable 10
Password: Passw0rD
pixfirewall# config t
pixfirewall(config)# accesslist . . .
pixfirewall(config)#
username username nopassword | password password [encrypted] [privilege level]
• Configures the username for the specified privilege level.
pixfirewall> login
Username: kenny
Password: chickadee
pixfirewall# config t
pixfirewall(config)# accesslist . . .
pixfirewall(config)#
show curpriv
• Displays the user account that is currently logged in.
pixfirewall(config)#
activation-key activation-key-four-tuple
• Updates the activation key on your PIX Firewall.
pixfirewall(config)# activation-key 0x12345678 0xabcdef01 0x2345678ab 0xcdef01234
Message: The activation key you entered is the same as the Running key.
Problem and Resolution: Either the activation key has already been upgraded or you need to enter a different key.

Message: The Flash image and the Running image differ.
Problem and Resolution: Reboot the PIX Firewall and re-enter the activation key.
pixfirewall(config)#
copy tftp[:[[//location][/tftp_pathname]]] flash[:[image | pdm]]
• Enables you to change software images without accessing the TFTP monitor mode.
pixfirewall(config)# copy tftp://172.26.26.50/pix611.bin flash
• The TFTP server at IP address 172.26.26.50 receives the command and determines the actual file location from its root directory information. The server then downloads the TFTP image to the PIX Firewall.
• The primary and secondary PIX Firewalls are the two firewalls used for failover. The primary PIX Firewall is usually active, failover.
• SSH provides secure remote management of the PIX Firewall.
• TFTP is used to upgrade the software image on PIX Firewalls.
• You can configure three different types of command authorization: enable-level with password, local command authorization, and ACS command authorization.
• The PIX Firewall can be configured to permit multiple users to access its console simultaneously via Telnet.
• You can enable Telnet to the PIX Firewall on all interfaces.
• Password recovery for the PIX Firewall requires a TFTP server.