Configuring Cisco Devices - PIX/ASA/FWSM/VPN Concentrator


Firewall Analyzer supports the following versions of various Cisco devices.

Cisco IOS Firewalls:

Cisco FWSM Catalyst Series:

Cisco PIX versions:

Cisco ASA:

5500 series

Cisco VPN Concentrators Series:

Model Family   Model                          Cisco IOS Software Version
8xx            c871, c876, c877, c878         12.4(4)T
18xx           c1841                          12.3(14)T
18xx           c1811, c1812                   12.4(4)T
18xx           c1801, c1802, c1803            12.4(4)T
28xx           c2801, c2851, c2821, c2811     12.3(14)T
38xx           c3845, c3825                   12.3(14)T
72xx           7206VXR, 7204VXR               12.3(14)T
73xx           CISCO7301                      12.3(14)T


To find out the version of your PIX firewall, Telnet to the PIX firewall and enter the show version command.

Note

Cisco PIX does not create log files, but instead directs a log stream to the syslog server, which writes the log information into a file. Make sure the syslog server on Firewall Analyzer can be reached from the PIX firewall on the configured syslog port. You may have to add a firewall rule that permits this syslog traffic.


Configuring Cisco PIX using Command Line Interface

  1. Telnet to the PIX firewall and enter the enable mode
  2. Type the following:
    configure terminal
    logging on
    logging timestamp
    logging trap informational
    logging device-id {context-name | hostname | ipaddress interface_name | string text}
    logging host interface_name syslog_ip [17/<syslog_port>]

    where,
    interface_name is the interface on the PIX firewall whose logs need to be analyzed ("inside" or "outside," for example)
    syslog_ip is the IP address of the syslog server on Firewall Analyzer
    17/<syslog_port> indicates that logs will be sent using the UDP protocol (IP protocol number 17) to the configured syslog port on the syslog server. If left blank, logs will be sent to the default port 514.
    hostname is the firewall's host name (defined with the hostname configuration command)
    ipaddress interface_name is the IP address of a specific firewall interface named interface_name ("inside" or "outside," for example)
    string text is an arbitrary text string (up to 16 characters)
    context-name in PIX 7.x or FWSM 2.x operating in multiple-context mode, the name of the firewall context can also be sent.

Example: logging host inside 11.23.4.56 17/1514

To verify your configuration, enter the show logging command after the last command above. This will list the current logging configuration on the PIX firewall.


Configuring Cisco PIX from the Web Interface

Log in to the Cisco PIX web interface, and follow the steps below to configure the PIX firewall:

  1. Enabling Logging
    1. Select Configure > Settings > Logging > Logging Setup
    2. Select the Enable logging setup and Enable logging failover checkboxes
    3. Click Apply.
      Changes are applied to the assigned PIX firewall configuration files when they are generated. The configuration files are then downloaded to PIX firewalls at deployment.
  2. Configuring Syslog Server
    1. Select Configure > Settings > Logging > Syslog
    2. Check Include Timestamp.
    3. Click Add to add a row.
    4. In the Add Syslog Server page that appears, enter the following:
      1. Interface Name - the firewall interface through which Firewall Analyzer can be reached; this can be either inside or outside.
      2. IP Address - the IP address of the syslog server to which logs have to be sent
      3. Under Protocol, select the UDP radio button
      4. The default UDP port is 514. If you have configured a different syslog listener port on your syslog server, enter the same port here.
    5. Click Apply
  3. Configuring Logging Level
    1. Select Configure > Settings > Logging > Other
    2. Under Console Level List select Informational so that all report data is available
    3. Click Apply

For more information, refer to the Cisco PIX documentation.


Configuring Cisco ASA Versions

  1. Telnet to the ASA firewall and enter the enable mode
  2. Type the following:
    configure terminal
    logging enable
    logging timestamp
    logging trap informational
    logging device-id {context-name | hostname | ipaddress interface_name | string text}
    logging host interface_name syslog_ip [17/<syslog_port>]
  3. If there are no URL Reports available in Firewall Analyzer for Cisco ASA, enable HTTP inspection by executing the following command:
    inspect http
  4. Enabling HTTP inspection generates syslog messages with ID 304001. Firewall Analyzer uses this ID to generate URL Reports.

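The PIX and ASA steps above only show how to point the firewall at the syslog server; they do not show how to confirm that the stream arriving on the configured UDP port actually carries what Firewall Analyzer needs (informational-level messages, the device-id, and, for URL Reports, message ID 304001). The following Python script is an added example and not part of this documentation or of Firewall Analyzer: it decodes Cisco-style syslog datagrams, audits a captured stream for those properties, and includes a loopback round-trip you can point at the real listener port to check reachability. The sample datagrams are constructed, the placement of the device-id (hostname followed by " : " before the %PLATFORM-SEV-ID header) is an assumption, and the facility numbers follow the standard syslog mapping (local4 = 20, local7 = 23).

```python
import re
import socket
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Syslog facilities local0..local7 are 16..23. ASA/PIX/FWSM use local4 (20) by
# default; the VPN 3000 Concentrator steps on this page select Local 7 (23).
FACILITY_NAMES = {16 + i: "local%d" % i for i in range(8)}
SEVERITY_INFORMATIONAL = 6          # level set by "logging trap informational"
URL_ACCESS_MSG_ID = "304001"        # message ID that URL Reports are built from

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
# Optional "<device-id> : " directly before the Cisco %PLATFORM-SEV-ID header.
# That placement is an assumption used for the constructed samples below.
CISCO_RE = re.compile(
    r"(?:(?P<devid>\S+) : )?%(?P<plat>ASA|PIX|FWSM)-(?P<sev>\d)-(?P<id>\d{6}):\s*(?P<text>.*)$"
)


@dataclass
class SyslogRecord:
    facility: int
    severity: int
    timestamp: str
    device_id: Optional[str]
    platform: Optional[str]
    msg_id: Optional[str]
    text: str


def parse_cisco_syslog(line: str) -> SyslogRecord:
    """Decode one datagram: <PRI>, then timestamp, device-id and Cisco header if present."""
    m = PRI_RE.match(line.strip())
    if not m:
        raise ValueError("datagram has no <PRI> header: %r" % line)
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)
    body = m.group(2)
    cm = CISCO_RE.search(body)
    if cm is None:
        # Not a PIX/ASA/FWSM message (e.g. from the VPN Concentrator): keep the raw body.
        return SyslogRecord(facility, severity, "", None, None, None, body.strip())
    if int(cm.group("sev")) != severity:
        raise ValueError("header severity disagrees with PRI: %r" % line)
    return SyslogRecord(
        facility=facility,
        severity=severity,
        timestamp=body[: cm.start()].strip(),   # present because of "logging timestamp"
        device_id=cm.group("devid"),           # present because of "logging device-id"
        platform=cm.group("plat"),
        msg_id=cm.group("id"),
        text=cm.group("text"),
    )


def audit_stream(lines) -> dict:
    """Summarize a captured stream: do informational-level and 304001 messages arrive at all?"""
    records = [parse_cisco_syslog(line) for line in lines]
    by_severity = Counter(r.severity for r in records)
    return {
        "devices": sorted({r.device_id for r in records if r.device_id}),
        "facilities": sorted({FACILITY_NAMES.get(r.facility, str(r.facility)) for r in records}),
        "informational_seen": by_severity[SEVERITY_INFORMATIONAL] > 0,
        "url_access_seen": any(r.msg_id == URL_ACCESS_MSG_ID for r in records),
        "count_by_severity": dict(by_severity),
    }


def loopback_roundtrip(messages, port=0):
    """Bind a UDP listener (port 0 = any free port), send the messages to it as a
    firewall would, and return what was received. Bind the real listener port
    (e.g. 1514) and send from the firewall's side to check for blocked traffic."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        rx.bind(("127.0.0.1", port))
        rx.settimeout(2.0)
        for msg in messages:
            tx.sendto(msg.encode(), rx.getsockname())
        return [rx.recvfrom(65535)[0].decode(errors="replace") for _ in messages]
    finally:
        tx.close()
        rx.close()


# Constructed sample datagrams, not captured from a real device.
# PRI 166 = local4/informational, 164 = local4/warning, 190 = local7/informational.
SAMPLE_LINES = [
    "<166>Jan 01 2008 12:00:00 fw01 : %ASA-6-304001: 10.1.1.20 Accessed URL 192.0.2.10:http://www.example.com/",
    "<166>Jan 01 2008 12:00:01 fw01 : %ASA-6-302013: Built outbound TCP connection 12 for outside:192.0.2.10/80 (192.0.2.10/80) to inside:10.1.1.20/4321 (203.0.113.5/1025)",
    "<164>Jan 01 2008 12:00:02 fw01 : %ASA-4-106023: Deny tcp src outside:198.51.100.7/4444 dst inside:10.1.1.20/22 by access-group \"outside_in\"",
    "<190>Jan 01 2008 12:00:03 vpn01 : constructed message without a Cisco message ID",
]

if __name__ == "__main__":
    received = loopback_roundtrip(SAMPLE_LINES)
    print(audit_stream(received))
```

If the audit reports informational_seen as false, the trap level on the firewall is set higher than informational and the traffic reports will be incomplete; if url_access_seen is false on an ASA, HTTP inspection is not active on the traffic of interest. The loopback round-trip only proves the local listener works; run the sender from the firewall's network segment to exercise the path the syslog datagrams actually take.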

Configuring Cisco VPN 3000 Concentrator

Currently we support the Cisco IOS Compatible Log Format and the Original Log Format for the Cisco VPN Concentrator.

Importing already saved Cisco VPN Concentrator logs is not supported, because those logs are saved in one of the following formats, which Firewall Analyzer does not support:

Follow the steps below to configure the VPN Concentrator:

  1. Configuring Syslog Server
    1. Log in to the Cisco VPN 3000 Concentrator Management console.
    2. Go to Configuration > System > Events > Syslog Servers
    3. Click the Add button
    4. In the Syslog Server text box, enter the IP Address of the machine where Firewall Analyzer is running.
    5. Enter the Port value. The default syslog server port for Firewall Analyzer is 514.
    6. Set Facility to Local 7
  2. Configuring Syslog Events
    1. Go to Configuration > System > Events > General
    2. For Syslog Format, select either Original or Cisco IOS Compatible format.
    3. For Events to Syslog, select Severities 1-5
    4. Leave all other settings on this page at their defaults.
    5. Click the Apply button

For more information, refer to the Cisco VPN Concentrator documentation.


Configuring Cisco IOS Switch

Follow the steps below to configure the Cisco IOS Switch:

  1. Log in to the Cisco IOS console or telnet to the device.
  2. Enter the configuration mode of the device using the following command:
    configure terminal
  3. Enable logging by using the following commands:
    logging on
    logging trap informational
    logging <IP Address>
  4. If there is a Firewall module in the IOS device, use the following command to enable the audit trail. This will generate traffic information.
    ip inspect audit-trail

For more information, refer to the Cisco IOS Switch documentation.




Copyright © 2008, AdventNet Inc. All Rights Reserved.