
An Article on the PIX FIREWALL

Author: Nguyễn Thị Băng Tâm

Chapter 1: INTRODUCTION TO THE PIX FIREWALL

The PIX (Private Internet Exchange) firewall is the main component of Cisco's end-to-end security solution. The PIX firewall is a combined hardware and software security solution that delivers a high level of network security without affecting the operation of the network. The PIX is a hybrid device because it combines the characteristics of packet-filtering and proxy-server technology.

1. PIX hardware: The PIX comes in many different models suited to different network environments; a SOHO network, for example, has different needs from a service provider's network. The PIX models are: 501, 506, 506E, 515, 515E, 520, 525E, and 535, as shown in the following figure:

Figure 1: PIX firewall family

Characteristics of each PIX model:

a. PIX 501: The 501 is the basic PIX model and has a fixed configuration. It has a 4-port switch for the inside connection and a 10Mbps interface for the connection to the outside device (such as a cable modem or DSL router). The PIX 501 provides 3Mbps for 3DES IPsec connections (more than a user in a SOHO network requires). The characteristics of the PIX 501 are:
- 133MHz AMD SC520 processor
- 16MB RAM, 8MB flash
- 1 console port
- 1 half-duplex RJ45 10BaseT port for the outside
- 1 integrated autosensing, auto-MDIX 4-port RJ45 10/100 switch for the inside

b. PIX 506

The PIX 506 is designed for companies' remote offices/branch offices. It has:
- One console port
- Two autonegotiating RJ45 10BaseT ports, one for inside and one for outside
- Hardware: 200MHz Intel Pentium MMX, with 32MB RAM and 8MB flash
- Uses TFTP to download and upgrade the image
- The PIX 506 provides VPN and can connect to 4 VPN peers simultaneously
The PIX 506E is an improved version of the PIX 506, with a 300MHz Intel Celeron CPU. Clear-text throughput reaches 20Mbps, and 3DES throughput rises to 16Mbps.

c. PIX 515

The PIX 515 is typically used in small and medium businesses. It has one slot in which an additional single-port or four-port Fast Ethernet interface can be installed, allowing inside and outside plus up to 4 additional service networks. The PIX 515 has 32MB RAM and 8MB Flash, and flexible licensing so that businesses pay only for what they need. The restricted license is limited to 3 interfaces, but the unrestricted license allows RAM to be increased from 32MB to 64MB and up to 6 interfaces, along with failover.

d. PIX 520

The PIX 520 is designed for large businesses and high-speed, complex environments. Although newer products have up to 16MB of Flash, the older PIX 520 has only 2MB. To run software of version 5.2 or later, the Flash must be upgraded to 16MB. The PIX 520 has a chassis design, is rack-mountable, and uses a 3.5-inch floppy disk to load and upgrade the image.

e. PIX 525

The PIX 525 is designed for use by Enterprises and Service Providers and meets the needs of an ideal security environment. The PIX 525 offers a range of network interface cards. Standard cards include single-port or four-port 10/100 Fast Ethernet, Gigabit Ethernet (with the UR license), 4/16 Token Ring and dual-attached multimode FDDI cards. With the restricted license, the PIX 525 provides 6 interfaces. With the unrestricted (UR) license the PIX 525 provides up to 8 interfaces.

f. PIX 535

The PIX 535 is designed for use by Enterprises and Service Providers. It has a capacity of 1.0Gbps with the ability to handle 500,000 simultaneous connections. It supports both site-to-site and remote access VPN with 56-bit DES and 168-bit 3DES; the integrated functions of the PIX firewall 535 can be used with the VPN Accelerator card, which delivers 10Mbps of throughput and 2000 IPSEC tunnels. The PIX firewall 535 provides Fast Ethernet, Gigabit Ethernet and VPN Accelerator interfaces. Flash is 16MB and it uses software of version 5.3 or later.

2. Console port: The main mechanism for communicating with the PIX is through the console port. Some devices use a DB9 connector, while some newer devices use the Cisco standard RJ45 connector. If we are using Windows, we use the HyperTerminal program to communicate with the PIX. The interface must follow the figure below:

And the parameters must be set as follows:

At this point the connection to the PIX is successful. If power is applied, the PIX will now go through the boot process. Here is an example excerpt of the boot process:

    Reading 1921536 bytes of image from flash.################################################################################
    32MB RAM
    mcwa i82559 Ethernet at irq 11 MAC: 000f.23ac.53f7
    mcwa i82559 Ethernet at irq 10 MAC: 000f.23ac.53f6
    System Flash=E28F640J3 @ 0xfff00000
    BIOS Flash=am29f400b @ 0xd8000
    ----------------------------------------------------------------------
                   ||        ||
                   ||        ||
                  ||||      ||||
              ..:||||||:..:||||||:..
                 ciscoSystems
            Private Internet eXchange
    ----------------------------------------------------------------------
    Cisco PIX Firewall
    Cisco PIX Firewall Version 6.3(1)
    Licensed Features:
    Failover: Disabled
    VPN-DES: Enabled
    VPN-3DES-AES: Enabled
    Maximum Interfaces: 2
    Cut-through Proxy: Enabled
    Guards: Enabled
    URL-filtering: Enabled
    Inside Hosts: Unlimited
    Throughput: Unlimited
    IKE peers: Unlimited
    This PIX has a Restricted (R) license.
    Cryptochecksum(changed): d41d8cd9 8f00b204 e9800998 ecf8427e
    Cannot select private key
    Pre-configure PIX Firewall now through interactive prompts [yes]? n

=> Answer n to go straight into the CLI.

3. Software Licensing: To make a flexible product, the PIX uses software licensing to enable or disable features in the PIX OS. Although the hardware platform may be the same across devices, which software can run on a given PIX also depends on the PIX's RAM and Flash. For example, the OS required for the PIX model 506 is 5.1x or later, and for the PIX model 525 it is 5.2x or later. Which software features are available also depends on the activation key. The activation key is the license key of the PIX OS; it lets us enable new features of the OS without installing new software, although the procedure is similar. The activation key is issued and computed by Cisco, and depends on the serial number we have and on what we request. The serial number is derived from the Flash; therefore, if we use a different Flash, we must change the activation key. When we want to enable some function in the PIX, we must pay for it: to obtain the key we send the PIX's serial number to Cisco, and Cisco sends back a key generated from that serial number. There are 3 important reasons to upgrade or change the activation key:
- The Cisco PIX firewall does not have failover enabled
- The PIX does not have VPN enabled
- We need to upgrade from a connection-based license to a feature-based license

To see the activation key and serial number, use the show version command. This command also reports the code version and the hardware:

    pixfirewall(config)# sh version
    Cisco PIX Firewall Version 6.3(1)
    Cisco PIX Device Manager Version 3.0(1)
    Compiled on Wed 19-Mar-03 11:49 by morlee
    pix up 27 mins 25 secs
    Hardware: PIX-506E, 32 MB RAM, CPU Pentium II 300 MHz
    Flash E28F640J3 @ 0x300, 8MB
    BIOS Flash AM29F400B @ 0xfffd8000, 32KB
    0: ethernet0: address is 000f.23ac.53f6, irq 10
    1: ethernet1: address is 000f.23ac.53f7, irq 11
    Licensed Features:
    Failover: Disabled
    VPN-DES: Enabled
    VPN-3DES-AES: Enabled
    Maximum Interfaces: 2
    Cut-through Proxy: Enabled
    Guards: Enabled
    URL-filtering: Enabled
    Inside Hosts: Unlimited
    Throughput: Unlimited
    IKE peers: Unlimited
    This PIX has a Restricted (R) license.
    Serial Number: 808036792 (0x3029a9b8)
    Running Activation Key: 0x9a5c6f78 0x67304d0a 0xed4c2329 0x89dd199b
    Configuration last modified by enable_15 at 23:52:55.403 UTC Sun Mar 6 2005

Licensing: In general, licensing is divided into 3 types: unrestricted, restricted, and failover. Whether to use the unrestricted or restricted license depends on the number of interfaces we need on the PIX. For example, a PIX 515 with an unrestricted license provides up to 6 interfaces. Looking back at the show version output above, we see that the license is restricted, which allows this PIX a maximum of 2 interfaces (inside and outside); on the PIX 515, the restricted license allows a maximum of 3 interfaces (one more, dmz, interface). Therefore, to obtain the unrestricted and failover licenses, we must upgrade to a new activation key. On PIX OS versions before 6.2, the activation key is changed in monitor mode. From version 6.2 onward we can upgrade or change the license by changing the key at the CLI (command line interface). This is done with the following command:

    activation-key license#

where license# is the key we received with the new license. For example:

    activation-key 0x89dd199b 0x9a5c6f78 0x67304d0a 0xed4c2329

After changing the activation key, we must reboot the PIX firewall to activate the new license. If the PIX is upgraded to a newer version and the activation key is changed as well, we must reboot the PIX twice: once after installing the new image, and once after the new activation key has been configured. Note that when upgrading to a newer version, the features enabled under the old version do not need a new key. If we change the PIX image to an older version, we must make sure that the activation key running on the system is not one that applies only to the newer version before installing the older version. If necessary, we must change the activation key to one appropriate to the older version before installing and rebooting. Otherwise the system may not let us reload after installing the new software.

4. Password recovery: To enter enable mode on the PIX, the password must be known. The password is stored on the PIX as an MD5 hash, not in clear text. In case the console or telnet password for the PIX is forgotten or lost, the PIX, like most Cisco products, provides password recovery procedures. Unlike a Cisco router, which recovers the password by changing the configuration register, the PIX uses a different method. Password recovery on the PIX firewall is done using a special password recovery file. Performing password recovery from disk on the PIX does not erase the configuration; it only erases the password. Depending on the PIX product line, there are different password recovery methods. The password recovery procedure for a PIX with a floppy disk differs from that for PIX devices without a disk. The difference is in how the PIX boots with the file we use during the process: a PIX with a floppy drive boots from the disk, while diskless PIX devices boot from a TFTP server. Besides the binary file needed for password recovery, we also need the following:
- A laptop or PC
- Terminal-emulation software
- TFTP software (needed for PIX devices that boot from tftp)
- The rawrite.exe tool (needed for PIX devices with a floppy drive, to create the boot disk)

a. Password recovery for the PIX 506, 515, 525, 535 via TFTP: Password recovery for these models (the models without a floppy disk) requires a TFTP server. The recovery process is as follows:
Step 1: Download the file npxx.bin, where xx is the OS version running on the PIX. For example, if the PIX is running version 5.3(1) (found with show version), the file to download is np53.bin. Note: the file np53.bin works with all PIX OS 5.3(x) versions.
Step 2: Copy the file to the machine with the TFTP server installed.
Step 3: Reboot the PIX firewall; about 10 seconds into the reboot, press Escape or Ctrl-Break to interrupt the boot and put the PIX into monitor mode:
    monitor>
Step 4: Specify the PIX firewall interface to use for TFTP. To use the inside interface, use the following command:
    monitor> interface 1
Step 5: Specify the address of the PIX firewall interface:
    monitor> address ip_address
Step 6: Specify the default gateway (only needed when the topology is pix-router-TFTP server):
    monitor> gateway ip_address
Step 7: Specify the address of the TFTP server:
    monitor> server ip_address_server
Step 8: Check connectivity to the TFTP server by pinging it:
    monitor> ping ip_address_server
Step 9: Specify the filename of the password recovery file downloaded earlier:
    monitor> file npxx.bin
Step 10: Start the TFTP download:
    monitor> tftp

b. Password recovery for the PIX 510, 520 via floppy disk:
Step 1: Download the file npxx.bin (where xx is the OS version running on the PIX).
Step 2: Copy rawrite.exe into the same directory as the password file for the OS version downloaded earlier.
Step 3: Once both files are present, open an MS-DOS window:
    C:\> rawrite
Step 4: Reboot the PIX firewall with the floppy disk just created. When the prompt appears, answer y to erase the passwords:
    Do you wish to erase the passwords? [yn] y
The system automatically erases the passwords and begins rebooting.

5. Upgrading the Cisco PIX OS: There are 3 procedures for upgrading the PIX OS, and which one to use is determined by the PIX OS currently running and by the PIX model.
- The copy tftp flash command can be used (on PIX devices running software version 5.1 or later, this command is executed in privileged mode).
- Upgrading the OS in monitor mode. This procedure is the same as the one above, differing only in the mode we use when copying the file from the tftp server. PIX devices without an internal floppy drive (501, 506, 515, 525, 535) upgrade the image from monitor mode. PIX devices running version 5.0 or earlier need a boothelper disk to bring up boothelper mode, which is similar to ROM monitor mode.
- PIX firewall version 6.2 has an HTTP client that lets us use the copy command to fetch configuration information, the software image, or the Cisco PDM software from an HTTP server.

a. Upgrading the OS using the copy tftp flash command:
Step 1: Download the file pixnnx.bin (the binary software image file, where nn is the version number and x is the release number) and copy this file to the tftp server.
Step 2: Use the copy tftp flash command.
Step 3: Enter the IP address of the tftp server.
Step 4: Enter the source filename (the file just downloaded).
Step 5: Enter Yes to continue.
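The Python script below is an added example and is not part of the original article or any Cisco tool. It parses the show version output quoted in section 3 and derives from it the items that the licensing section and the password-recovery procedure above depend on: the license type and maximum interface count, which licensed features are on, whether a new activation key would be entered in monitor mode (before 6.2) or with the activation-key CLI command (6.2 and later), and the npxx.bin file name to stage on the TFTP server (6.3(1) gives np63.bin, since the article notes one npxx.bin serves a whole major.minor train). The sample input is constructed from the article's own output; the function names and the report layout are this example's own, not a PIX or Cisco API.

```python
import re

# Constructed sample input for this example: the "show version" output quoted in
# section 3 of the article (serial number, activation key and MACs are the article's).
SAMPLE_SHOW_VERSION = """\
Cisco PIX Firewall Version 6.3(1)
Cisco PIX Device Manager Version 3.0(1)
Compiled on Wed 19-Mar-03 11:49 by morlee
pix up 27 mins 25 secs
Hardware: PIX-506E, 32 MB RAM, CPU Pentium II 300 MHz
Flash E28F640J3 @ 0x300, 8MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
0: ethernet0: address is 000f.23ac.53f6, irq 10
1: ethernet1: address is 000f.23ac.53f7, irq 11
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited
This PIX has a Restricted (R) license.
Serial Number: 808036792 (0x3029a9b8)
Running Activation Key: 0x9a5c6f78 0x67304d0a 0xed4c2329 0x89dd199b
Configuration last modified by enable_15 at 23:52:55.403 UTC Sun Mar 6 2005
"""

# Feature lines the article's output lists under "Licensed Features:".
FEATURE_NAMES = ("Failover", "VPN-DES", "VPN-3DES-AES", "Cut-through Proxy",
                 "Guards", "URL-filtering")


def parse_show_version(text):
    """Extract version, hardware, license, serial and key from 'show version' output."""
    m = re.search(r"^Cisco PIX Firewall Version (\d+)\.(\d+)\((\d+)\)", text, re.M)
    if m is None:
        raise ValueError("no 'Cisco PIX Firewall Version' line found")
    info = {"version": (int(m.group(1)), int(m.group(2)), int(m.group(3))),
            "features": {}}
    m = re.search(r"^Hardware: (PIX-[^,]+),", text, re.M)
    info["model"] = m.group(1) if m else None
    for name in FEATURE_NAMES:
        m = re.search(r"^%s: (Enabled|Disabled)" % re.escape(name), text, re.M)
        if m:
            info["features"][name] = (m.group(1) == "Enabled")
    m = re.search(r"^Maximum Interfaces: (\d+)", text, re.M)
    info["max_interfaces"] = int(m.group(1)) if m else None
    m = re.search(r"^This PIX has an? (\w+) \(\w+\) license\.", text, re.M)
    info["license"] = m.group(1) if m else None
    m = re.search(r"^Serial Number: (\d+)", text, re.M)
    info["serial"] = m.group(1) if m else None
    m = re.search(r"^Running Activation Key: ((?:0x[0-9a-fA-F]{8}[ \t]*)+)", text, re.M)
    info["activation_key"] = m.group(1).split() if m else None
    return info


def password_recovery_file(version):
    """Recovery binary name for this OS train: 6.3(1) -> np63.bin. The article notes
    that np53.bin serves every 5.3(x) release, so only major.minor matter."""
    major, minor, _release = version
    return "np%d%d.bin" % (major, minor)


def activation_key_method(version):
    """Where a new key is entered: monitor mode before 6.2, the 'activation-key'
    CLI command from 6.2 on, as section 3 describes."""
    return "cli" if version[:2] >= (6, 2) else "monitor"


def license_report(info):
    """Summarise what the box is licensed for and what a key or password change needs."""
    major, minor, release = info["version"]
    lines = ["%s running %d.%d(%d): %s license, %s interface(s) max"
             % (info["model"], major, minor, release, info["license"],
                info["max_interfaces"])]
    for name, enabled in info["features"].items():
        lines.append("  %-18s %s" % (name + ":", "enabled" if enabled else "disabled"))
    lines.append("serial %s, key %s" % (info["serial"], " ".join(info["activation_key"])))
    lines.append("new activation key is entered via: %s" % activation_key_method(info["version"]))
    lines.append("password-recovery file to stage on TFTP: %s"
                 % password_recovery_file(info["version"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(license_report(parse_show_version(SAMPLE_SHOW_VERSION)))
```

Run it against a pasted show version capture to get a one-screen summary before a license change or a recovery; the serial number and running key it prints are the values the article says Cisco ties the license to, so treat a capture containing them like any other licensing record.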

b. Upgrading the OS using monitor mode: If the PIX is being upgraded from version 5.0x or earlier to version 5.1x or later, the boothelper mode or monitor mode method must be used, because in versions before 5.1 the PIX firewall software does not support the copy tftp flash command. The steps to upgrade the PIX firewall using monitor mode are:
Step 1: Download the binary software image file pixnnx.bin and copy it to the tftp server.
Step 2: Reload the PIX and press the Esc key (or Break) to enter monitor mode. For a PIX firewall running version 5.0 or earlier, use boothelper mode.
Step 3: Use the interface command to specify which PIX interface the TFTP server is connected to. The default is interface 1 (inside):
    monitor> interface num
Step 4: Specify the address of the interface:
    monitor> address ip_address
Step 5: Specify the default gateway (if needed):
    monitor> gateway ip_address
Step 6: Specify the tftp server address:
    monitor> server ip_address
Step 7: Check connectivity to the tftp server:
    monitor> ping server_address
Step 8: Specify the image filename:
    monitor> file name_file
Step 9: Start the tftp process:
    monitor> tftp
Step 10: When the prompt appears, type y to install the new image to Flash.
Step 11: The PIX firewall reboots and begins installing the new image.
Note: From monitor or boothelper mode, the PIX does not work with Gigabit Ethernet.

6. LAB:
Scenario:

Lab 1: Upgrading the image from monitor mode

In this lab we upgrade the image from monitor mode, following in order the steps given in the previous section. Before upgrading the image, use the show version command to see the version the PIX is running, along with the serial number and activation key. Note: to be safe, we reuse the image the PIX is already running for this lab.

    pixfirewall# sh version
    Cisco PIX Firewall Version 6.3(1)
    Cisco PIX Device Manager Version 3.0(1)
    Compiled on Wed 19-Mar-03 11:49 by morlee
    pix up 27 mins 25 secs
    Hardware: PIX-506E, 32 MB RAM, CPU Pentium II 300 MHz
    Flash E28F640J3 @ 0x300, 8MB
    BIOS Flash AM29F400B @ 0xfffd8000, 32KB
    0: ethernet0: address is 000f.23ac.53f6, irq 10
    1: ethernet1: address is 000f.23ac.53f7, irq 11
    Licensed Features:
    Failover: Disabled
    VPN-DES: Enabled
    VPN-3DES-AES: Enabled
    Maximum Interfaces: 2
    Cut-through Proxy: Enabled
    Guards: Enabled
    URL-filtering: Enabled
    Inside Hosts: Unlimited
    Throughput: Unlimited
    IKE peers: Unlimited
    This PIX has a Restricted (R) license.
    Serial Number: 808036792 (0x3029a9b8)
    Running Activation Key: 0x9a5c6f78 0x67304d0a 0xed4c2329 0x89dd199b
    Configuration last modified by enable_15 at 23:52:55.403 UTC Sun Mar 6 2005

The steps are as follows:

    pixfirewall>reload
    Rebooting.
    Cisco Secure PIX Firewall BIOS (4.2) #0: Mon Dec 31 08:34:35 PST 2001
    Platform PIX-506E
    System Flash=E28F640J3 @ 0xfff00000
    Use BREAK or ESC to interrupt flash boot.
    Use SPACE to begin flash boot immediately.
    Flash boot in 10 seconds.
    Flash boot interrupted.                 <= press Esc or Break here
    0: i8255X @ PCI(bus:0 dev:14 irq:10)
    1: i8255X @ PCI(bus:0 dev:13 irq:11)
    Using 1: i82557 @ PCI(bus:0 dev:13 irq:11), MAC: 000f.23ac.53f7
    Use ? for help.
    monitor> ?
    ?                  this help message
    address [addr]     set IP address of the PIX interface on which the TFTP server resides
    file [name]        set boot file name
    gateway [addr]     set IP gateway
    help               this help message
    interface [num]    select TFTP interface
    ping <addr>        send ICMP echo
    reload             halt and reload system
    server [addr]      set server IP address
    tftp               TFTP download
    timeout            TFTP timeout
    trace              toggle packet tracing
    monitor> interface 1
    0: i8255X @ PCI(bus:0 dev:14 irq:10)
    1: i8255X @ PCI(bus:0 dev:13 irq:11)
    Using 1: i82557 @ PCI(bus:0 dev:13 irq:11), MAC: 000f.23ac.53f7
    monitor> address 10.10.10.100
    address 10.10.10.100
    monitor> server 10.10.10.10
    server 10.10.10.10
    monitor> ping 10.10.10.10
    Sending 5, 100-byte 0x13d ICMP Echoes to 10.10.10.10, timeout is 4 seconds:
    !!!!!
    Success rate is 100 percent (5/5)
    monitor> file pix631.bin
    file pix631.bin
    monitor> tftp
    tftp pix631.bin@10.10.10.10 .
    Received 656235 bytes
    Cisco Secure PIX Firewall admin loader (3.0) #0: Thu Jul 17 08:01:09 PDT 2003
    Flash =E28F640J3 @ 0xfff00000
    BIOS Flash =AM29F400B @ 0xd8000
    Flash version 6.3.1, Install version 6.3.1
    Installing to flash
    Serial Number: 808036792 (0x3029a9b8)
    Activation Key: 0x9a5c6f78 0x67304d0a 0xed4c2329 0x89dd199b
    Do you want to enter a new activation key ? n

The PIX reboots and installs the new image.

Lab 2: Password recovery

The following is a password recovery lab performed on a PIX 506. Before proceeding with password recovery, run show version to check which OS the PIX is running:

    pixfirewall> sh version
    Cisco PIX Firewall Version 6.3(1)
    Cisco PIX Device Manager Version 3.0(1)
    Compiled on Wed 19-Mar-03 11:49 by morlee
    pix up 27 mins 25 secs
    Hardware: PIX-506E, 32 MB RAM, CPU Pentium II 300 MHz
    Flash E28F640J3 @ 0x300, 8MB
    BIOS Flash AM29F400B @ 0xfffd8000, 32KB
    0: ethernet0: address is 000f.23ac.53f6, irq 10
    1: ethernet1: address is 000f.23ac.53f7, irq 11
    < -- omitted-- >

Looking at the show version information above, we see the PIX is currently running OS version 6.3(1). Therefore, to recover the password on this PIX, we need the file np63.bin on the tftp server. The lab follows the password recovery steps given above.

    pixfirewall>en
    password:
    pixfirewall#enable password cisco       => set the enable-mode password to cisco
    pixfirewall# write memory
    Building configuration...
    Cryptochecksum: 93bc4b61 43237b6a 67fe6565 ad91568d
    [OK]
    pixfirewall#reload
    rebooting.
    Cisco Secure PIX Firewall BIOS (4.2) #0: Mon Dec 31 08:34:35 PST 2001
    Platform PIX-506E
    System Flash=E28F640J3 @ 0xfff00000
    Use BREAK or ESC to interrupt flash boot.
    Use SPACE to begin flash boot immediately.
    Flash boot in 10 seconds.
    Flash boot interrupted.                 <= press Esc or Break here
    0: i8255X @ PCI(bus:0 dev:14 irq:10)
    1: i8255X @ PCI(bus:0 dev:13 irq:11)
    Using 1: i82557 @ PCI(bus:0 dev:13 irq:11), MAC: 000f.23ac.53f7
    Use ? for help.
    monitor> ?
    ?                  this help message
    address [addr]     set IP address of the PIX interface on which the TFTP server resides
    file [name]        set boot file name
    gateway [addr]     set IP gateway
    help               this help message
    interface [num]    select TFTP interface
    ping <addr>        send ICMP echo
    reload             halt and reload system
    server [addr]      set server IP address
    tftp               TFTP download
    timeout            TFTP timeout
    trace              toggle packet tracing
    monitor> interface ethernet1
    0: i8255X @ PCI(bus:0 dev:14 irq:10)
    1: i8255X @ PCI(bus:0 dev:13 irq:11)
    Using 1: i82557 @ PCI(bus:0 dev:13 irq:11), MAC: 000f.23ac.53f7
    monitor> address 10.10.10.100
    address 10.10.10.100
    monitor> server 10.10.10.10
    server 10.10.10.10
    monitor> ping 10.10.10.10
    Sending 5, 100-byte 0x9fd7 ICMP Echoes to 10.10.10.10, timeout is 4 seconds:
    !!!!!
    Success rate is 100 percent (5/5)
    monitor> file np63.bin
    file np63.bin
    monitor> tftp
    tftp np63.bin@10.10.10.10...............................................................................
    Received 92160 bytes
    Cisco Secure PIX Firewall password tool (3.0) #0: Thu Jul 17 08:01:09 PDT 2003
    System Flash=E28F640J3 @ 0xfff00000
    BIOS Flash=am29f400b @ 0xd8000
    Do you wish to erase the passwords? [yn] y
    The following lines will be removed from the configuration:
    enable password qktPUfU6etg/RRvG encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    Do you want to remove the commands listed above from the configuration? [yn] y
    Passwords and aaa commands have been erased.
    Rebooting..

=> The system automatically erases the passwords and begins rebooting.
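The recovery tool's closing messages above show what a device looks like afterwards: the enable password and passwd lines, and any aaa commands, are gone, so the box has no enable-mode or login password until someone sets them again. The Python script below is an added example, not part of the original article or any Cisco tool: it audits a saved PIX configuration for exactly that post-recovery state, flags credentials written in clear text rather than with the encrypted keyword the article says the PIX stores them with, and flags a passwd line still carrying the value 2KFQnbNIdI.2KYOU, the hash in the transcript above, which is the value the factory-default telnet password produces. The two sample configurations are constructed for this example (the aaa line is illustrative), and the finding codes are this example's own.

```python
import re

# Constructed sample configs for this example. The first carries the two lines the
# password tool in the lab listed for removal (plus an illustrative aaa command);
# the second is the state the tool leaves behind.
CONFIG_BEFORE = """\
PIX Version 6.3(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password qktPUfU6etg/RRvG encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
aaa authentication telnet console LOCAL
"""

CONFIG_AFTER_RECOVERY = """\
PIX Version 6.3(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
"""

# Hash shown in the article's transcript; it is what the factory-default telnet
# password produces, so a config still carrying it was never changed.
DEFAULT_TELNET_PASSWD_HASH = "2KFQnbNIdI.2KYOU"

ENABLE_RE = re.compile(r"^enable password (\S+)( encrypted)?\s*$", re.M)
PASSWD_RE = re.compile(r"^passwd (\S+)( encrypted)?\s*$", re.M)
AAA_RE = re.compile(r"^aaa authentication \S", re.M)

DESCRIPTIONS = {
    "missing-enable-password": "no 'enable password' line: enable mode needs no password (the state the recovery tool leaves)",
    "missing-telnet-password": "no 'passwd' line: the telnet login password is unset",
    "missing-aaa-authentication": "no 'aaa authentication' commands: no per-user authentication (recovery erases aaa too)",
    "cleartext-enable-password": "'enable password' lacks the 'encrypted' keyword: stored in clear text in this file",
    "cleartext-telnet-password": "'passwd' lacks the 'encrypted' keyword: stored in clear text in this file",
    "default-telnet-password": "'passwd' still carries the factory-default hash",
}


def audit_config(config):
    """Return finding codes, in a fixed order, for credential problems in a PIX config."""
    findings = []
    m = ENABLE_RE.search(config)
    if m is None:
        findings.append("missing-enable-password")
    elif m.group(2) is None:
        findings.append("cleartext-enable-password")
    m = PASSWD_RE.search(config)
    if m is None:
        findings.append("missing-telnet-password")
    elif m.group(2) is None:
        findings.append("cleartext-telnet-password")
    elif m.group(1) == DEFAULT_TELNET_PASSWD_HASH:
        findings.append("default-telnet-password")
    if AAA_RE.search(config) is None:
        findings.append("missing-aaa-authentication")
    return findings


def report(name, config):
    """Render the findings for one config as a short text block."""
    codes = audit_config(config)
    lines = ["%s: %s" % (name, "OK" if not codes else "%d finding(s)" % len(codes))]
    for code in codes:
        lines.append("  [%s] %s" % (code, DESCRIPTIONS[code]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("before recovery", CONFIG_BEFORE))
    print(report("after recovery", CONFIG_AFTER_RECOVERY))
```

Run it over the configuration backups taken after any recovery or re-image; a device that reports the three missing-* findings is one where the recovery procedure finished but nobody set new passwords yet.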
