
Cisco Firewall Configuration Fundamentals

Chapter Description

This chapter describes the configuration fundamentals for IOS and ASA-based firewalls, highlighting the similarities between the product families.

From the Book

Cisco Firewalls



Remote Management Access to IOS Devices

The examples analyzed in the previous section assumed local access to the console port of the IOS device. This section looks at remote management connections that rely on protocols such as Telnet, SSH, and HTTPS.

Remote Access Using Telnet

IOS uses the concept of Virtual Terminal (VTY) lines to receive connections related to protocols such as Telnet and SSH. The settings entered on a VTY line apply to session requests arriving on any of the router interfaces. The typical VTY-level settings follow:

  • Timeout value: Defines the inactivity timeout for the terminal lines. The exec-timeout command takes two parameters, MINUTES and SECONDS, in that order.
  • Password: The combination of the password and login commands requires a generic user initiating a Telnet session to the router to supply this password.

Example 3-22 shows the basic parameters concerning VTY configuration and the authentication sequence for a Telnet session. Privileged mode access requires an enable secret to be configured at the global level.

Example 3-22. VTY Lines for Telnet Access

line vty 0 4
 exec-timeout 5 0
 password cisco
enable secret 5 $1$k6BB$cldMRpv4a6hQ.EmbS0EPJ/
! Authentication Experience for a Generic User when using Telnet

User Access Verification
! Following authentication, the generic user obtains information about the session
R1# show tcp brief
TCB       Local Address               Foreign Address             (state)
838F2330             ESTAB

Remote Access Using SSH

The previous section demonstrated the creation of a Telnet session for generic users. (Only the password is presented; no user information is entered.) SSH, at the opposite end of the spectrum from Telnet, requires nongeneric users, meaning that the username is always requested by the device (acting as an SSH server).

Example 3-23 shows a typical sequence of tasks to enable SSH on an IOS device. The preliminary activities of setting and verifying the clock, and verifying the existence of an RSA key-pair, are still recommended and employ exactly the same commands as those analyzed for ASA in Example 3-16. A few points that deserve special attention for IOS follow:

  • The aaa new-model command must be enabled, so that an authentication method can be specified for each type of access. The example shows that users of the VTY lines (Telnet or SSH) are authenticated through the method-list called TERMINAL-LINES, which points to the local database.
  • A hostname (distinct from the default name Router) must be specified and a domain name created with the ip domain-name command. These two elements are combined to generate the name of the RSA key-pair. It is good practice to explicitly associate this key-pair with SSH, as illustrated in the example (ip ssh rsa keypair-name command).

Example 3-23. Enabling SSH on IOS

! Creating a username in the local database
R1(config)# username user1 password #####
! Enabling aaa new-model (allowing an authentication method for each type of access)
R1(config)# aaa new-model
! The authentication method for the VTY lines uses the local database
R1(config)# aaa authentication login TERMINAL-LINES local
R1(config)# line vty 0 4
R1(config-line)# login authentication TERMINAL-LINES
! Changing the default host name and creating a domain name
Router(config)# hostname R1
R1(config)# ip domain-name mylab.net
! Generating the RSA key pair
R1(config)# crypto key generate rsa

The name for the keys will be: R1.mylab.net
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
%SSH-5-ENABLED: SSH 1.99 has been enabled
! Determining the key pair to be used for SSH
R1(config)# ip ssh rsa keypair-name R1.mylab.net
! Displaying the SSH sessions
R1# show ssh
Connection Version Mode Encryption  Hmac         State                 Username
0          2.0     IN   aes256-cbc  hmac-sha1    Session started       user1
0          2.0     OUT  aes256-cbc  hmac-sha1    Session started       user1
%No SSHv1 server connections running.
R1# show tcp brief
TCB       Local Address               Foreign Address             (state)
83FC0F0C             ESTAB

Remote Access Using HTTP and HTTPS

IOS enables remote access using HTTP and HTTPS; the latter, of course, being preferable. Example 3-24 shows how to enable the HTTP Server and unveils what goes on behind the scenes when the ip http secure-server command is issued.

Example 3-25 shows how to control web connections to the router from both the user database and the source address perspectives. (Chapter 14 examines the usage of more sophisticated user databases in great detail.)

Example 3-24. Enabling HTTP and HTTPS on IOS

! Enabling the HTTP server
R1(config)# ip http server
! Enabling the HTTPS Server
R1(config)# ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
CRYPTO_PKI: Generating self signed cert TP-self-signed-681151852
CRYPTO_PKI: Creating trustpoint TP-self-signed-681151852
CRYPTO_PKI:Insert Selfsigned Certificate:
[output suppressed]
CRYPTO_PKI: Self signed cert TP-self-signed-681151852 created
%PKI-4-NOAUTOSAVE: Configuration was modified. Issue "write memory" to save new certificate
! Saving the self-signed certificate
R1# write memory
Building configuration...
PKI: Removing old cert file nvram:IOS-Self-Sig#6.cer
crypto_ca_certificate: saved cert to nvram:IOS-Self-Sig#6.cer [OK][OK]
! Information about the self-signed certificate
R1# show crypto pki certificates
Router Self-Signed Certificate
  Status: Available
  Certificate Serial Number (hex): 02
  Certificate Usage: General Purpose
  Name: IOS-Self-Signed-Certificate-681151852
  cn=IOS-Self-Signed-Certificate-681151852
  Validity Date:
    start date: 00:04:19 UTC Sep 14 2009
    end   date: 00:00:00 UTC Jan 1 2020
  Associated Trustpoints:
  Storage: nvram:IOS-Self-Sig#6.cer
R1# show running-config | include crypto|key
crypto pki trustpoint TP-self-signed-681151852
 rsakeypair TP-self-signed-681151852
crypto pki certificate chain TP-self-signed-681151852

Example 3-25. Controlling HTTP and HTTPS access

! Using the local database for web authentication
ip http authentication local
! Defining allowed source addresses for web access
access-list 1 permit
ip http access-class 1
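The settings from Examples 3-22 through 3-25 can be checked automatically against a saved running-config. The Python script below is an added example, not code from the book or from Cisco: it parses the top-level commands and the indented sub-commands of each line block, then reports VTY lines without an exec-timeout, VTY lines that still rely on a shared password instead of an aaa method-list, a missing enable secret, cleartext ip http server, and web management without ip http authentication or ip http access-class. Both sample configurations are constructed for this example; the hardened one uses a placeholder username password and the RFC 5737 test network 192.0.2.0/24 in access-list 1, values that do not appear on the page.

```python
"""Audit an IOS running-config for the remote-management settings shown in Examples 3-22 to 3-25."""
from typing import Dict, List

# Constructed sample: Telnet-style VTY access with a shared password, plain HTTP, no enable secret.
WEAK_CONFIG = """\
hostname R1
!
ip http server
!
line vty 0 4
 password cisco
 login
!
end
"""

# Constructed sample: the hardened form assembled from Examples 3-22 to 3-25
# (username password and access-list address are placeholders for this example).
HARDENED_CONFIG = """\
hostname R1
ip domain-name mylab.net
aaa new-model
aaa authentication login TERMINAL-LINES local
enable secret 5 $1$k6BB$cldMRpv4a6hQ.EmbS0EPJ/
username user1 password example-only
ip ssh rsa keypair-name R1.mylab.net
no ip http server
ip http secure-server
ip http authentication local
ip http access-class 1
access-list 1 permit 192.0.2.0 0.0.0.255
!
line vty 0 4
 exec-timeout 5 0
 login authentication TERMINAL-LINES
!
end
"""


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Split a config into {'global': [top-level commands], '<top-level cmd>': [its indented sub-commands]}.

    An indented line belongs to the most recent unindented line, which is how IOS
    nests 'line vty 0 4' sub-commands such as exec-timeout and login authentication.
    """
    sections: Dict[str, List[str]] = {"global": []}
    current = "global"
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # skip blank lines and '!' separators
        if raw[0].isspace():
            sections.setdefault(current, []).append(raw.strip())
        else:
            current = raw.strip()
            sections["global"].append(current)
            sections.setdefault(current, [])
    return sections


def audit(config: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    sections = parse_sections(config)
    top = sections["global"]
    findings: List[str] = []

    def has(prefix: str) -> bool:
        return any(line.startswith(prefix) for line in top)

    # Privileged mode must be protected by an enable secret (Example 3-22).
    if not has("enable secret"):
        findings.append("no enable secret: privileged mode access is not protected")

    # VTY lines: inactivity timeout and per-user authentication (Examples 3-22 and 3-23).
    vty_blocks = [name for name in sections if name.startswith("line vty")]
    if not vty_blocks:
        findings.append("no VTY lines configured")
    for name in vty_blocks:
        sub = sections[name]
        if not any(line.startswith("exec-timeout") for line in sub):
            findings.append(f"{name}: no exec-timeout, idle sessions never expire")
        auth = [line for line in sub if line.startswith("login authentication")]
        if auth:
            method_list = auth[0].split()[2]
            if not has(f"aaa authentication login {method_list}"):
                findings.append(f"{name}: method-list {method_list} is not defined")
        elif has("aaa new-model") and has("aaa authentication login default"):
            pass  # the line falls back to the default method-list
        elif any(line.startswith("password") for line in sub):
            findings.append(f"{name}: password-only (generic user) login, no per-user authentication")
        else:
            findings.append(f"{name}: no usable login method configured")

    # Web management: HTTPS only, authenticated, and restricted by source (Examples 3-24 and 3-25).
    http_on = has("ip http server")          # 'no ip http server' does not match this prefix
    https_on = has("ip http secure-server")
    if http_on:
        findings.append("ip http server enabled: cleartext web management")
    if http_on or https_on:
        if not has("ip http authentication"):
            findings.append("web management without ip http authentication (default method applies)")
        acl = [line for line in top if line.startswith("ip http access-class")]
        if not acl:
            findings.append("web management reachable from any source: no ip http access-class")
        else:
            acl_id = acl[0].split()[-1]
            if not has(f"access-list {acl_id} "):
                findings.append(f"ip http access-class references undefined access-list {acl_id}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}] {len(audit(cfg))} finding(s)")
        for finding in audit(cfg):
            print("  -", finding)
```

The parser only tracks one level of nesting, which is all that the line blocks need; running it over a real `show running-config` capture works the same way because the checks key on command prefixes rather than on exact lines.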