Introduction This document describes how to create AAA-authenticated access to a PIX Firewall that runs PIX Software version 5.2 through 6.2, and also provides information about enable authentication, syslogging, and gaining access when the AAA server is down. In PIX 5.3 and later, the authentication, authorization, and accounting ( AAA) change over previous versions of code is that the RADIUS ports are configurable. In PIX Software versions 5.2 and later, you can create AAA-authenticated access to the PIX in five different ways: Note: DES or 3 DES must be enabled on the PIX (issue a show version command to verify) for the last three methods. In PIX Software version 6.0 and later, PIX Device Manager ( PDM) can also be loaded to enable GUI management. PDM is outside the scope of this document. For more information about the authentication and authorization command for PIX 6.2, refer to PIX 6.2 : Authentication and Authorization Command Configuration Example. In order to create AAA-authenticated ( Cut-through Proxy) access to a PIX Firewall that runs PIX Software versions 6.3 and later, refer to PIX/ ASA : Cut-through Proxy for Network Access using TACACS+ and RADIUS Server Configuration Example. Prerequisites Requirements Perform these tasks before you add AAA authentication: Issue these commands in order to add a password for the PIX: passwd ww telnet [] [] The PIX automatically encrypts this password to form an encrypted string with the keyword encrypted, as in this example: passwd On Tr BUG1 Tp0edmkr encrypted You do not need to add the encrypted keyword. Make sure you can Telnet from the inside network to the inside interface of the PIX without AAA authentication after you add these statements. Always have a connection open to the PIX while you add authentication statements in the event that backing out the commands is necessary. On AAA.
Introduction The failover configuration requires two identical security appliances connected to each other through a dedicated failover link and, optionally, a stateful failover link. The health of the active interfaces and units is monitored to determine if specific failover conditions are met. If those conditions are met, failover occurs. The security appliance supports two failover configurations: Active/ Active Failover Active/ Standby Failover Each failover configuration has its own method to determine and perform failover. With Active/ Active Failover, both units can pass network traffic. This lets you configure load balancing on your network. Active/ Active Failover is only available on units that run in multiple context mode. With Active/ Standby Failover, only one unit passes traffic while the other unit waits in a standby state. Active/ Standby Failover is available on units that run in either single or multiple context mode. Both failover configurations support stateful or stateless (regular) failover. A transparent firewall, is a Layer 2 firewall that acts like a bump in the wire, or a stealth firewall, and is not seen as a router hop to connected devices. The security appliance connects the same network on its inside and outside ports. Because the firewall is not a routed hop, you can easily introduce a transparent firewall into an existing network; it is unnecessary to readdress IP. You can set the adaptive security appliance to run in the default routed firewall mode or transparent firewall mode. When you change modes, the adaptive security appliance clears the configuration because many commands are not supported in both modes. If you already have a populated configuration, be sure to back up this configuration before you change the mode; you can use this backup configuration for reference when you create a new configuration. Refer to Transparent Firewall.
Messages 106001 to 112001 Log Message % PIX-2-106001: Inbound TCP connection denied from IP_addr/port to IP_addr/port flags TCP_flags Explanation This is a connection-related message. This message occurs when an attempt to connect to an inside address is denied by your security policy. Possible TCP_flags values correspond to the flags in the TCP header that were present when the connection was denied. For example, a TCP packet arrived for which no connection state exists in the PIX Firewall, and it was dropped. The TCP_flags in this packet are FIN, ACK. The TCP_flags are as follows: • ACK— The acknowledgment number was received. • FIN— Data was sent. • PSH— The receiver passed data to the application. • RST— The connection was reset. • SYN-— Sequence numbers were synchronized to start a connection. • URG— The urgent pointer was declared valid. Recommended Action: None required. Log Message % PIX-2-106002: protocol Connection denied by outbound list list_ ID src laddr lport dest faddr fport Explanation This is a connection-related message. This message is logged if the specified connection fails because of an outbound deny command statement. The protocol variable is 1 for ICMP, 6 for TCP, and 17 for UDP. In some 4.4 versions, protocol may also display as the protocol name; such as, TCP. For ICMP connections, fport may also be one of the following values corresponding to the ICMP message type: •0 - Echo Reply •3 - Destination Unreachable •4 - Source Quench •5 - Redirect •8 - Echo Request •11 - Time Exceeded •12 - Parameter Problem •13/14 - Timestamp Request/ Reply •15/16 - Information Request/ Reply • A1 - Address Format Request • A2 - Address Format Reply Recommended Action: Use the show outbound command to check outbound lists. Log Message % PIX-2-106003: Connection denied src laddr dest faddr due to JAVA Applet. Explanation This is a connection-related message. This message is logged if.
Download Now