Home » Configuring Firewalls » Configuring Cisco Devices

Configuring Cisco Devices - PIX/ASA/FWSM/VPN Concentrator


Firewall Analyzer supports the following versions of various Cisco devices.

Cisco IOS Firewalls:

  • 8xx
  • 18xx
  • 28xx
  • 38xx
  • 72xx
  • 73xx
  • 3005
  • 1900
  • 2911
  • 3925

Cisco FWSM Catalyst Series:

  • 6500
  • 7600

Cisco PIX versions:

  • 6.x
  • 7.x

Cisco ASA:

5500 series

Cisco VPN Concentrators Series:

  • 3000
  • 3500
Model Family Model Cisco IOS Software Version

8xx

c871, c876, c877,c878

12.4(4)T
18xx

c1841

12.3(14)T

c1811, c1812 12.4(4)T

c1801, c1802, c1803

12.4(4)T

28xx

c2801, c2851, c2821, c2811

12.3(14)T

38xx

c3845, c3825

12.3(14)T

72xx

7206VXR, 7204VXR

12.3(14)T

73xx

CISCO7301

12.3(14)T

 

To find out the version of your PIX firewall, Telnet to the PIX firewall and enter the show version command.

Cisco PIX does not create log files, but instead directs a log stream to the syslog server, which writes the log information into a file. Make sure the syslog server on Firewall Analyzer can access the PIX firewall on the configured syslog port. For this, you may have to make a rule specific to this situation.

 


Virtual Firewall (Virtual Domain) logs

Prerequisite for context/vdom in Cisco Firewalls

The Cisco Firewall IP address should be DNS resolvable from Firewall Analyzer.

There is no separate configuration required in Firewall Analyzer for receiving logs from Virtual Firewalls of the Cisco physical device.

Configuration in Cisco device for Virtual Firewall

In order to support virtual firewalls for Cisco devices, you need to enable logging based on the context-name. Otherwise it is not possible for Firewall Analyzer to detect Virtual Firewalls (vdom) of Cisco devices.


Configuring Cisco PIX using Command Line Interface

  1. Telnet to the PIX firewall and enter the enable mode
  2. Type the following:
    configure terminal
    logging on
    logging timestamp
    logging trap informational
    logging device-id {context-name | hostname | ipaddress interface_name | string text}
    logging host interface_name syslog_ip [17/<syslog_port>
    ]

    where,
interface_name is the interface on the PIX firewall whose logs need to be analyzed ("inside" or "outside," for example).
syslog_ip is the IP address of the syslog server (i.e. Firewall Analyzer), to which the Firewall should send the Syslogs.
17/<syslog_port> indicates that logs will be sent using the UDP protocol, to the configured syslog port on the syslog server. If left blank, the syslogs are sent through the default syslog port (UDP port 514). If the logs are sent through any other port, mention it as 17/<the UDP port number> (For example: 17/1514).
hostname firewall's host name (defined with the hostname configuration command). In this case, the hostname will appear in the logs sent from the Firewall.
ipaddress interface_name the IP address of a specific firewall interface named interface_name ("inside" or "outside," for example). In this case, the IP Address of the Interface Name will appear in the logs sent from the Firewall.
string text an arbitrary text string (up to 16 characters). In this case, the arbitrary text string you have entered in string <text> will appear in the logs sent from the Firewall.
context-name in PIX 7.x or FWSM 2.x operating in multiple-context mode, the name of the firewall context will appear in the logs sent from the Firewall.

Example: logging host inside 11.23.4.56 17/1514

To verify your configuration, enter the show logging command after the last command above. This will list the current logging configuration on the PIX firewall.

 

Configuring Cisco PIX from the User Interface

Log in to the Cisco PIX user interface, and follow the steps below to configure the PIX firewall:

  1. Enabling Logging
    1. Select Configure > Settings > Logging > Logging Setup
    2. Select the Enable logging setup and Enable logging failover check boxes
    3. Click Apply.
      Changes are applied to the assigned PIX firewall configuration files when they are generated. The configuration files are then downloaded to PIX firewalls at deployment.
  2. Configuring Syslog Server
    1. Select Configure > Settings > Logging > Syslog
    2. Check Include Timestamp.
    3. Click Add to add a row.
    4. In the Add Syslog Server page that appears, enter the following:
      1. Interface Name - the firewall interface through which Firewall Analyzer can be reached, the interface can be either inside or outside.
      2. IP Address - the IP address of the syslog server to which logs have to be sent
      3. Under Protocol, select the UDP radio button
      4. The default UDP port is 514. If you have configured a different syslog listener port on your syslog server, enter the same port here.
    5. Click Apply
  3. Configuring Logging Level
    1. Select Configure > Settings > Logging > Other
    2. Under Console Level List select Informational so that all report data is available
    3. Click Apply

For every transaction happening in Cisco PIX Firewall, an ACL configured in it matches. The matched ACL along with complete transaction detail is audited through Message-ID 106100. Ensure that the logging is enabled for 'Message-ID 106100' in Cisco PIX Firewall. For more information about the message ID follow the below link.

http://www.cisco.com/en/US/docs/security/pix/pix63/system/message/pixemsgs.html#wp1086617

This message identifier contains the information about both accepted and denied transactions. The log information is parsed to get the 'Used' rules and is available in the 'Firewall Rules Report > Top Used Rules Report'.


Configure/Enable SNMP Protocol for Cisco PIX Firewall device

Using CLI Console:

To enable the SNMP Manager running in Firewall Analyzer to make queries to SNMP Agent running in the firewall:
    configure terminal
    snmp-server host <interface name> <hostname |IP address of Firewall Analyzer>

If you want to create a new SNMP community use the below command:

    configure terminal
    snmp-server community <community-string>

Example:

    configure terminal
    snmp-server community public

 

Configuring Cisco ASA Versions

  1. Telnet to the ASA firewall and enter the enable mode
  2. Type the following:

configure terminal
logging enable
logging timestamp
logging trap informational
logging device-id {context-name | hostname | ipaddress interface_name | string text}
logging host interface_name syslog_ip [udp/<syslog_port>
]

  1. If there are no URL Reports available in Firewall Analyzer for CISCO ASA, enable HTTP inspection by executing the following command:
    inspect http

    Enabling HTTP inspection will generate syslogs with ID 304001. This ID will be used by Firewall Analyzer to generate URL Reports.

interface_name is the interface on the ASA Firewall whose logs need to be analyzed (for example: "inside" or "outside").
syslog_ip is the IP address of the syslog server (i.e. Firewall Analyzer), to which the Firewall should send the Syslogs.
udp/<syslog_port> indicates that logs will be sent using the UDP protocol, to the configured syslog port on the syslog server. If left blank, logs will be sent to the default UDP port 514.
hostname firewall's host name (defined with the hostname configuration command)
ipaddress interface_name the IP address of a specific firewall interface named interface_name (for example: "inside" or "outside")
string text an arbitrary text string (up to 16 characters)
context-name in PIX 7.x or FWSM 2.x operating in multiple-context mode, the name of the firewall context can also be sent.

For more information, refer the Cisco PIX documentation.

 

Configuring Cisco ASA Versions using ASDM

Enable Logging

Carry out the steps given below:

  • Load the ASDM
  • Select Configuration > Device Management > Logging > Logging Setup
  • Select Enable Logging
  • Select Logging > Logging Filters
  • Choose the syslog-servers as Informational
  • Select Logging > Logging Filters > Syslog servers
  • Click Add
  • Enter the IP address and choose the appropriate interface and ensure that you choose UDP and enter the port number
  • Select Logging > Syslog Setup
  • Select 'Include time stamp in syslogs' option and scroll down to ensure the syslog ID's 302013, 302014,302015,302016 are in enabled state and the logging level is set to Informational

Disable Logging

You can disable specific syslog IDs based on your requirement.

Note: By selecting the check mark for the Include timestamp in syslogs option, you can add the date and time that they were generated as a field to the syslogs.

  • Select the syslogs to disable and click Edit.
  • From the Edit Syslog ID Settings window, select the Disable messages option and click OK.
  • The disabled syslogs can be viewed in a separate tab by selecting Disabled syslog IDs from the Syslog ID Setup drop-down menu.

For more information, refer the Cisco PIX documentation.

Configuration for SSL WebVPN in Cisco ASA appliance

Firewall Analyzer requires syslog message IDs 722030 and 722031, which by default is at debug level, to process Cisco SVC VPN logs. Set the information level to these syslog IDs by executing below commands in global configuration mode:

hostname(config)# logging message 722030 level 6
hostname(config)# logging message 722031 level 6

You can confirm by executing the below command:

hostname(config)# show logging message 722030

Configuring Cisco ASA NetFlow Logs and Disabling NetFlow on Cisco ASA/ADM using command line and ASDM

Firewall Analyzer support NetFlow version 9 packets, which is introduced in Cisco ASA 8.2.1/ASDM 6.2.1.

Configuring ASA device using console mode to send NetFlow version 9 packets to Firewall Analyzer is given below:

  • As Firewall Analyzer is capable of receiving either Syslog or NetFlow packet from an ASA box, disable Syslog and enable NetFlow.

To disable Syslog and enable NetFlow execute the following commands:

(config)# flow-export destination inside <Firewall Analyzer Server IP> 1514
(config)# flow-export template timeout-rate 1
(config)# flow-export delay flow-create 60
(config)# logging flow-export-syslogs disable ---> This command will disable logging syslog messages
(config)# access-list netflow-export extended permit ip any any
(config)# class-map netflow-export-class
(config-cmap)#match access-list netflow-export

Associate global policy map with netflow class map

  • Option 1

If you have a global policy map, associate the above netflow class-map netflow-export-class to the global policy.

For example: if your global policy map is named global_policy_asa, you need to execute the below commands:

(config)# policy-map global_policy_asa
(config-pmap)# class netflow-export-class
(config-pmap-c)# flow-export event-type any destination <Firewall Analyzer Server IP>

if the above command fails use the below:

(config-pmap-c)# flow-export event-type all destination <Firewall Analyzer Server IP>

  • Option 2

If you wish to create a new policy map named netflow-export-policy and make this as your global policy follow the below steps:

(config)# policy-map netflow-export-policy
(config-pmap)# class netflow-export-class
(config-pmap-c)# flow-export event-type any destination <Firewall Analyzer Server IP>

if the above command fails use the one below:
(config-pmap-c)# flow-export event-type all destination <Firewall Analyzer Server IP>

Make policy map netflow-export-policy as your global policy:

(config)# service-policy netflow-export-policy global

For UI mode configuration using ASDM access, refer the Cisco forum topic: https://supportforums.cisco.com/docs/DOC-6114

 

To disable NetFlow on Cisco ASA/ADM execute the following commands:

(config)# flow-export disable

(config)# no flow-export destination inside <Firewall Analyzer Server IP> 1514

To disable NetFlow on Cisco ASA/ADM using ASDM

  • Click on Configuration > Firewall
  • Click on Service Policy Rules. Look for the policy indicating netflow export
  • Check the IP address if the flow is pointing to the machine where you want to forward syslog.
  • If so, delete it and write the configuration in to memory (Save it).

 

Configure/Enable SNMP Protocol for Cisco ASA Firewall device

Using CLI Console:

To enable the SNMP Manager running in Firewall Analyzer to make queries to SNMP Agent running in the firewall:
    configure terminal
    snmp-server enable
    snmp-server host <interface name> <hostname | IP address of Firewall Analyzer> [poll]

Example:

    configure terminal
    snmp-server enable
    snmp-server host inside 192.168.101.155 poll

If you want to create a new SNMP community use the below command:

    configure terminal
    snmp-server community <community-string>

Example:

    configure terminal
    snmp-server community public

Configuring Cisco VPN 3000 Concentrator

Currently we support Cisco IOS Compatible Log Format and Original Log Format for Cisco VPN Concentrator.

Importing of already saved Cisco VPN Concentrator logs is not supported because those logs are saved in either of the following formats which is not supported in Firewall Analyzer:

  • Multi line
  • Tab Delimited
  • Comma Delimited

Follow the below steps to configure the VPN Concentrator:

  1. Configuring Syslog Server
    1. Login to the Cisco VPN 3000 Concentrator Management console.
    2. Go to Configuration > System> Events >Syslog Servers
    3. Click the Add button
    4. In the Syslog Server text box enter the IP Address of the machine where Firewall Analyzer is running.
    5. Enter the Port value. The default syslog server port for Firewall Analyzer is 514.
    6. Facility is Local 7
  2. Configuring Syslog Events
    1. Go to Configuration > System> Events >General
    2. For Syslog Format you can either select Original or Cisco IOS Compatible format.
    3. For Events to Syslog select Severities 1-5
    4. All other configurations are default for this page.
    5. Click Apply button

For more information, refer the Cisco VPN Concentrator documentation.

 

Configuring Cisco IOS Switch

Follow the below steps to configure the Cisco IOS Switch:

  1. Login to the Cisco IOS console or Telnet to the device.
  2. Change the configuration mode of the device.

    Use the following command:

configure terminal

  1. Enable logging by using the following commands:

logging on

logging trap informational

logging <IP Address>

  1. If there is a Firewall module in the IOS device, use the following command to enable audit trail. This will generate traffic information.

ip inspect audit-trail

For more information, refer the Cisco IOS Switch documentation.

Configure/Enable SNMP Protocol for Cisco Firewall devices using Cisco ASDM tool

Using Web UI:

Configure SNMP parameters for SNMP Versions 1 and 2c
Carry out the following steps:

  • In the ASDM main window, select Configuration > Device Management > Management Access > SNMP
  • In the Community String (default) field, enter default community string. This applies to SNMP Versions 1 and 2c only
  • Fill appropriate values in Contact and Location fields
  • In the Listening Port field, enter the port number of the security appliance that listens for SNMP requests from management stations; or retain the default port number 161
  • Click Apply

With this, SNMP parameters for Versions 1 and 2c are configured and the changes are saved to the running configuration.
To enable the SNMP Manager running in Firewall Analyzer to make queries to SNMP Agent running in the firewall:

  • In the ASDM main window, choose Configuration > Device Management > Management Access > SNMP
  • In the SNMP Management Stations pane, click Add. The Add SNMP Host Access Entry dialog box appears
  • In the Interface Name drop-down list, choose the interface on which the Firewall Analyzer resides
  • In the IP Address field, enter the Firewall Analyzer IP address
  • In the UDP Port field, enter the Firewall Analyzer UDP port, or retain the default port 162
  • In the Community String field, enter the Firewall Analyzer community string. If no community string is specified for a management station, the value set in the Community String (default) field on the SNMP Management Stations pane is used
  • In the SNMP Version drop-down list, choose the SNMP version used by the Firewall Analyzer
  • If you have selected SNMP Version 3 in the previous step, in the Username drop-down list, choose the name of a configured user
  • To specify the method for communicating with this management station, check the Poll check boxes
  • Click OK. The Add Firewall Analyzer Access Entry dialog box closes.
  • Click Apply.

With this, the management station is configured and changes are saved to the running configuration.
Configure SNMP Parameters for Version 3:

SNMP Version 3 allows you to configure additional authentication and privacy options for more secure protocol operations by means of SNMP server groups and users.

Carry out the following steps:

  • In the ASDM main window, choose Configuration > Device Management > Management Access > SNMP
  • In the SNMPv3 Users pane, to add a configured user or a new user to a group, click Add. To change user parameters, click Edit. To remove a configured user from a group, click Delete. When you remove the last user in a group, ASDM deletes the group

Note: Once a user is created, you cannot change the group to which the user belongs.

  • The Add SNMP User Entry dialog box appears
  • In the Group Name drop-down list, choose the group to which the SNMP user will belong. The available groups are as follows:
    • Auth&Encryption, in which users have authentication and encryption configured
    • Authentication_Only, in which users have only authentication configured
    • No_Authentication, in which users have neither authentication nor encryption configured
  • In the Username field, enter the name of configured user or new user. The username must be unique for the SNMP server group selected
  • To have the password encrypted, click the Encrypt Password radio button. If you choose this option, you must enter the password as MD5 hash value.
  • Indicate the type of authentication you want to use by clicking the appropriate radio button: MD5 or SHA
  • In the Authentication Password field, type the password to use for authentication
  • Indicate the type of encryption you want to use by clicking the appropriate radio button: DES or 3DES, or AES
  • If you chose AES encryption, from the AES Size drop-down list, specify which level of AES encryption to use: 128 or 192 or 256
  • In the Encryption Password field, type the password to use for encryption. The maximum number of characters allowed for this password is 64
  • Click OK to create a group (if this is the first user in that group), display this group in the Group Name drop-down list, and create a user for that group. The Add SNMP User Entry dialog box closes
  • The SNMPv3 Users pane lists the following information: SNMP Version 3 server group name, name of the user that belongs to the specified group, encrypted password setting, authentication setting, encryption algorithm setting, and the AES size setting
  • Click Apply

With this, SNMP parameters for Version 3 are configured, and the changes are saved to the running configuration.

 

 

Copyright © 2013, ZOHO Corp. All Rights Reserved.
ManageEngine