Cisco ASA (Adaptive Security Appliances)


What is a Cisco PIX?
*****************
  • A Cisco PIX is a dedicated hardware firewall appliance. All Cisco PIX versions have model numbers in the 500s. The most popular model for home offices and small networks is the PIX 501; many midsize companies use the PIX 515 as a corporate firewall.
  • PIX firewalls run the PIX operating system. While the PIX OS is quite similar to the Cisco IOS, there are enough differences to cause some frustration for users more familiar with IOS.
  • The firewall sports the PIX Device Manager (PDM) for a graphical interface. This GUI is a Java application downloaded through a Web browser.
  • Typically, a PIX firewall has an outside interface that connects to the inside of an Internet router and goes to the public Internet. It also has an inside interface that connects to a LAN switch, going to the private internal network.

What is a Cisco ASA?
******************
  • A Cisco ASA is a new firewall and anti-malware security appliance from Cisco Systems. (Don't confuse this product with what a PIX uses for stateful packet filtering—the adaptive security algorithm, or ASA.)
  • ASA models are all in the 5500 series. The Enterprise Editions include four versions: Firewall, IPS, Anti-X, and VPN. There's also a Business Edition for small to midsize companies.
  • In total, there are five models of the Cisco ASA. All run the ASA version 7.2.2 software, and the interface is much like the Cisco PIX. Both the Cisco PIX and ASA models vary in performance, but the ASA's lowest model offers much more performance than the base PIX.
  • Like the PIX, the ASA can also serve as an intrusion prevention system (IPS) and VPN concentrator. In fact, the ASA could take the place of three separate devices: a Cisco PIX firewall, a Cisco VPN 3000 Series Concentrator, and a Cisco IPS 4000 Series Sensor.

Cisco ASA (Adaptive Security Appliances)

************************************

The Cisco ASA is a hardware device that connects two or more networks and controls the flow of traffic between them according to configured rules.

Three types of firewalls are in use today:

1. Packet Filtering

2. Proxy Server

3. Stateful Packet Filtering (Appliances)


The Cisco ASA 5505, 5510 and 5520 are mostly used by small and medium enterprises;

the ASA 5540, 5550 and 5580 are used at the Internet edge and in data centres.


Default Policy (based on interface security levels):

1. Traffic from a lower security level (level 0) to a higher security level (level 100) is not allowed.

2. Traffic from a higher security level (level 100) to a lower security level (level 0) is allowed.

3. Traffic is not passed between two interfaces that have the same security level.

4. To allow access from level 0 to level 100, an ACL and NAT must be configured on the ASA.


How to implement a site-to-site VPN on a Cisco ASA using ASDM

***************************************************
1. Select the Site-to-Site Tunnel Option

2. Configure the Peer IP Address (X.X.X.X)

3. Select the Authentication method

   - Preshared Key *

   - Certificate method

   - Challenge/response authentication

4. Enter the Tunnel Group Name (XXXX)

5. Enter the IKE Policy

   - Encryption (3DES)

   - Authentication (SHA)

   - DH Group (2)

6. Enter the IPSec Encryption and Authentication

   - Encryption (3DES)

   - Authentication (SHA)

7. Enter the Local Networks & Remote Networks IP details (Local:X.X.X.X/24;Remote:X.X.X.X/24)

   - Select the Traffic flow action (Protect)


Note: The authentication method, tunnel group, IKE policy and IPsec parameters must be the same on both end ASAs.


How to recover the Cisco ASA VPN pre-shared keys

*********************************************
Type the command below in privileged mode on the ASA; it displays the running configuration with the pre-shared keys in clear text:

ASA# more system:running-config

How to configure a site-to-site VPN using Cisco routers

***********************************************

! Name the remote peer so the route can refer to it by name
ip host NANTHA 100.100.100.100

! IKE phase 1 (ISAKMP) policy: must match the policy on the peer
crypto isakmp policy 11
 encryption 3des
 authentication pre-share
 group 2
 hash sha
 lifetime 3600

! Pre-shared key for this peer, plus SPI recovery and dead-peer keepalives
crypto isakmp key ABCD!@#$ address 100.100.100.100 no-xauth
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
! IPsec phase 2 transform set: must match the peer's transform set
crypto ipsec transform-set NAN esp-3des esp-sha-hmac

! Crypto map entry tying together the peer, the transform set and the interesting-traffic ACL
crypto map DYNAMIC 45 ipsec-isakmp
 set peer 100.100.100.100
 set transform-set NAN
 match address NANTHA

! Host route to the peer via the next hop 1.1.1.1
ip route 100.100.100.100 255.255.255.255 1.1.1.1 name NANTHA

! Interesting traffic: what the crypto map will encrypt
ip access-list extended NANTHA
 permit ip 192.168.1.0 0.0.0.255 host 100.100.100.100

! Apply the crypto map to the Internet-facing interface (any interface name will do)
interface GigabitEthernet0/0.1
 description #### CONNECTED TO INTERNET####
 .
 .
 crypto map DYNAMIC
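The note under the ASDM steps and the router example above both depend on the phase 1 and phase 2 parameters matching at both ends. The following is an added example (not part of the original page or any Cisco tool) that parses two IOS-style crypto configurations, reports parameters that differ between the peers, and flags legacy algorithms against an assumed minimum-strength baseline; the LOCAL and REMOTE configs are constructed samples.

```python
# Assumed minimum-strength baseline (mine, not from the page): values flagged as legacy.
LEGACY = {"ike_encryption": {"des", "3des"}, "ike_hash": {"md5"}, "ike_group": {"1", "2", "5"},
          "ipsec_transforms": {"esp-des", "esp-3des", "esp-md5-hmac"}}
IKE_KEYS = ("encryption", "authentication", "group", "hash", "lifetime")

# Constructed sample configs: LOCAL mirrors the router example above, REMOTE is a made-up peer.
LOCAL = ("crypto isakmp policy 11\nencryption 3des\nauthentication pre-share\ngroup 2\n"
         "hash sha\nlifetime 3600\ncrypto ipsec transform-set NAN esp-3des esp-sha-hmac\n")
REMOTE = ("crypto isakmp policy 10\nencryption aes\nauthentication pre-share\ngroup 2\n"
          "hash sha\nlifetime 3600\ncrypto ipsec transform-set NAN esp-aes esp-sha-hmac\n")


def parse_crypto(config: str) -> dict:
    """Extract IKE phase-1 policy values and the IPsec transform set from IOS-style text."""
    params, in_policy = {}, False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("crypto isakmp policy"):
            in_policy = True  # the lines that follow are phase-1 sub-commands
            continue
        parts = line.split()
        if line.startswith("crypto ipsec transform-set "):
            params["ipsec_transforms"], in_policy = frozenset(parts[4:]), False
        elif in_policy and parts[0] in IKE_KEYS and len(parts) == 2:
            params["ike_" + parts[0]] = parts[1]
        elif parts[0] not in IKE_KEYS:
            in_policy = False  # any other top-level command ends the policy block
    return params


def compare_peers(local: str, remote: str) -> list:
    """List parameters that differ between the two ends, plus legacy algorithms on either side."""
    a, b = parse_crypto(local), parse_crypto(remote)
    fmt = lambda v: " ".join(sorted(v)) if isinstance(v, frozenset) else str(v)
    findings = []
    for key in sorted(set(a) | set(b)):
        va, vb = a.get(key), b.get(key)
        if va != vb:
            findings.append(f"MISMATCH {key}: local={fmt(va)} remote={fmt(vb)}")
        for side, v in (("local", va), ("remote", vb)):
            vals = v if isinstance(v, frozenset) else {v}
            if vals & LEGACY.get(key, set()):
                findings.append(f"LEGACY {key} on {side}: {fmt(v)}")
    return findings
```

Run `compare_peers(LOCAL, REMOTE)` to get the list of findings; an empty list means both ends agree and nothing in the baseline was hit.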


Split Tunnel:
**********
Split tunneling allows a remote VPN user to access a public network (most commonly the Internet) and the private network at the same time, while the user is also allowed to access resources on the VPN. This lets the user reach remote devices, such as a networked printer, while still using the public network.

An advantage of split tunneling is that it alleviates bottlenecks and conserves bandwidth, because Internet traffic does not have to pass through the VPN server.

A disadvantage of this method is that it essentially renders the VPN vulnerable to attack, as it is accessible through the public, non-secure network.
Performing Password Recovery for the ASA 5500 Series Adaptive Security Appliance
***********************************************************************
To recover from the loss of passwords, perform the following steps:


Step 1 Connect to the security appliance console port as described in "Accessing the Command-Line Interface": connect a PC to the console port using the provided console cable, and open a terminal emulator set for 9600 baud, 8 data bits, no parity, 1 stop bit, no flow control.

Step 2 Power off the security appliance, and then power it on.

Step 3 During the startup messages, press the Escape key when prompted to enter ROMMON.

Step 4 To set the security appliance to ignore the startup configuration at reload, enter the following command:
rommon #1> confreg

The security appliance displays the current configuration register value, and asks if you want to change the value:
Current Configuration Register: 0x00000011
Configuration Summary:
boot TFTP image, boot default image from Flash on netboot failure
Do you wish to change this configuration? y/n [n]:

Step 5 Record your current configuration register value, so you can restore it later.

Step 6 At the prompt, enter Y to change the value.
The security appliance prompts you for new values.

Step 7 Accept the default values for all settings, except for the "disable system configuration?" value; at that prompt, enter Y.

Step 8 Reload the security appliance by entering the following command:
rommon #2> boot
The security appliance loads a default configuration instead of the startup configuration.

Step 9 Enter privileged EXEC mode by entering the following command:
hostname> enable

Step 10 When prompted for the password, press Return.
The password is blank.

Step 11 Load the startup configuration by entering the following command:
hostname# copy startup-config running-config

Step 12 Enter global configuration mode by entering the following command:
hostname# configure terminal

Step 13 Change the passwords in the configuration by entering the following commands, as necessary:
hostname(config)# password password
hostname(config)# enable password password
hostname(config)# username name password password

Step 14 Change the configuration register to load the startup configuration at the next reload by entering the following command:
hostname(config)# config-register value

Where value is the configuration register value you noted in Step 5.
• 0x01 - ASA default value
• 0x41 - ASA ignore startup configuration on next reboot (used for password recovery)

Step 15 Save the new passwords to the startup configuration by entering the following command:
hostname(config)# copy running-config startup-config