| KB | 0000075 | |
| Dated | 09/11/09 | |
| Revision | 0.03 | |
Connecting to and Managing Cisco Firewalls |
||
Also see "Allow Remote Management" |
||
| Problem | ||
Unless the firewall is brand new (in which case the passwords will either be {blank} or cisco), you will need a password to access a PIX firewall (this stands to reason, it is a security device after all :) With a few exceptions you do not USUALLY need a username. Those exceptions are:
a. Access via SSH needs the "pix" username.
b. You have set up authentication to be done by AAA.
If you do not know the password then you need to perform some password recovery: see the PIX Password Recovery procedure or the ASA Password Recovery procedure.
Methods of Access
1. Via Console Cable: This uses the rollover cable that came with the firewall. They are usually pale blue in colour; the more modern ones have a molded serial socket on them, and the older ones have a grey network-to-serial converter that plugs on the end. Access is via some terminal emulation software, e.g. Hyperterminal. (Note: if you can't find Hyperterminal you may need to add it from Add/Remove Programs > Windows Components; it is not included in Windows Vista.)
2. Via Telnet: This simply allows connection via a telnet client. All versions of Windows have one, though Microsoft have done a good job of hiding it in Vista. You can also use Hyperterminal or another third-party Telnet client (like PuTTY). This is considered the LEAST SECURE method of connection, as passwords are sent in clear text. On a new firewall the password is usually set to cisco (all lower case).
3. Via Web Browser: (How the vast majority of people access the firewall.) The age and version of the firewall dictate which "Web Server" you are connecting to. Cisco firewalls running an operating system of version 6 and below use the "PIX Device Manager", and devices running version 7 and above use the "Adaptive Security Device Manager". They have a similar look and feel, and both require you to have Java installed and working.
4. Via SSH (Secure Shell): This is sometimes called "secure telnet", as it does not send passwords and usernames in clear text. Once enabled it uses the username of pix and the password you have set for telnet access.
5. Via the ASDM Client software: (Version 7 firewalls and above.) You will need to have the software installed on your PC for this to work (you can download it from the firewall's web interface or from the CD that came with the firewall). |
||
| Solution | ||
Option 1: Using a Console Cable |
|
| Obviously, before you start you will need a console cable. You CANNOT use a normal network cable OR a crossover cable, as they are wired differently! Console cables are wired the opposite way round at each end; for this reason some people (and some documentation) refer to them as rollover cables. They are usually pale blue (or black). Note: if you find your console cable is too short, you can extend it with a normal network cable coupler and a standard straight-through network cable. | |
On each end of the console cable the wiring is reversed. |
Old (Top) and New (Bottom) versions of the Console Cable. |
Note: If you do not have a serial socket on your PC or laptop you will need a USB to Serial converter (this will need a driver installing to add another COM port to the PC). |
| Now you will need to locate Hyperterminal on your PC. On a Windows PC it's usually in All Programs > Communications. Remember, if it's not there you will need to add it in from Control Panel > Add/Remove Programs > Add/Remove Windows Components. You won't find it in Vista or Windows 7. | |
1. Connect your firewall's "console" port to your laptop/PC's serial port using your console cable. |
2. Launch Hyperterminal > You will be asked to give the connection a name > Select something sensible like Cisco Firewall > Then select an icon for the connection > OK. |
3. In the drop-down menu labeled "Connect Using", select the COM port you are connecting with. (Note: if you don't know, I suggest using each one till it works; generally it's COM1 or COM2. In my example it's COM6 because I'm using a USB to Serial converter.) Click OK. |
4. Set the properties for the connection. From top to bottom they are: 9600, 8, None, 1 > Apply > OK. |
5. You should see the firewall prompt when you are successfully connected. |
Option 2: Via Telnet |
|
| To connect via telnet, the IP address you are connecting from (or the network you are in) has to have been granted access. If you cannot access the firewall using Telnet then you will need to connect via console cable. Note: Windows Vista needs to have telnet added. | |
1. On your Windows client click Start > Run > CMD {enter}. |
2. At the command window, enter the following command: telnet {ip of the firewall's inside interface} {enter} |
3. Type in the telnet password (the default is cisco). |
4. You should see the firewall prompt when you are successfully connected. |
Option 3: Via Web Browser |
|
To connect via web browser, the firewall's internal web server needs to be enabled in the firewall configuration, and the IP address of the machine you are on (or the network it is in) also needs to be allowed. If you cannot connect from your web browser you will need to establish a console cable connection. To access via this method you also need to know the firewall's "Enable Password". If you use a proxy server then you will need to remove it from the browser's settings while you carry out the following. Ensure also that you have Java installed and working. |
1. Open your web browser and navigate to the following: https://{inside IP address of the firewall} Note: if you are using IE7 (as shown) you will need to click "Continue to this web site (not Recommended)". IE6 users will see this instead. |
2. Leave the username blank; the password is the firewall's enable password. Note: if you are using AAA you might need to enter a username and password. |
3. If you are connecting to a PIX firewall with a PDM you will see this. (If you have a PIX running version 7 or above, skip to number 6.) |
4. You might receive a few Java warning messages; answer them in the affirmative. On some newer versions of Java you may also need to enter the password a second time. |
5. The PDM opens. You are successfully connected. |
6. Click "Run ASDM Applet". (Note: for information on the other option, "Install ASDM Launcher", see option 5.) |
7. You will see this "Splash Screen". |
8. Answer any Java messages that pop up. Note: you may also need to enter the password a second time. |
9. The ASDM opens. You are successfully connected. |
Option 4: Via SSH |
|
| To connect via SSH, the IP address of the PC you are on (or the network it is in) needs to have been allowed SSH access in the firewall's configuration. You will also need an SSH client; I prefer PuTTY because it's free and works. You will also need to know the firewall's Telnet password. | |
1. Start up PuTTY and supply it with the IP address of the firewall. Remember to tick SSH > Click Open. |
2. If you get the following warning, just click Yes and try again. |
3. It can take a few seconds before it asks who you want to log in as; the username is pix (lowercase). |
4. Type in the Telnet password for the firewall, and you are successfully connected. |
Option 5: Via ASDM Client Software |

| As the name implies, you need a v7 firewall running ASDM for this to work :) Essentially this is just a "posh" front end for the firewall's internal web server, so the same rules apply: the http server must be enabled, and the PC you are on (or the network it's in) needs to be allowed https access to the firewall. You will also need to know the enable password. | |
1. The simplest way to get the software is from the firewall. Open a web browser and connect to https://{ip address of the inside of the firewall} Log in as described in section 3 above. Select "Install ASDM Launcher and Run ASDM". |
2. Save. |
3. Store it somewhere sensible, like on the desktop. |
4. Double click the application you just saved. |
5. Follow the onscreen prompts. |
6. The application will launch. Give it the firewall's IP address and the enable password (username is left blank unless you are using AAA). |
7. The ASDM opens. You are successfully connected. |
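The telnet, SSH and web options above all depend on allow-list lines in the firewall configuration. The following is an added example, not part of the original article, that audits those lines in a saved configuration. The sample config is constructed, and the function name and the /24 "too broad" threshold are assumptions.

```python
import ipaddress
import re

# Constructed sample of PIX/ASA management-access lines (not from a real device).
SAMPLE_CONFIG = """\
telnet 0.0.0.0 0.0.0.0 inside
telnet 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
http server enable
http 192.168.1.10 255.255.255.255 inside
"""

# Allow-list syntax: <service> <network> <netmask> <interface>
RULE = re.compile(
    r"^(telnet|ssh|http)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")


def audit_management_access(config_text):
    """Hypothetical helper: return (severity, line, reason) for risky allow-list lines."""
    findings, services = [], set()
    for raw in config_text.splitlines():
        line = raw.strip()
        match = RULE.match(line)
        if not match:
            continue  # e.g. "http server enable", timeouts, unrelated config
        service, addr, mask, iface = match.groups()
        services.add(service)
        try:
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        except ValueError:
            findings.append(("high", line, "unparseable network/mask"))
            continue
        if service == "telnet":
            findings.append(("high", line, "telnet sends the password in clear text"))
        if net.prefixlen == 0:
            findings.append(("high", line, f"{service} allowed from any address on {iface}"))
        elif net.prefixlen < 24:  # assumed threshold for "too broad"
            findings.append(("medium", line, f"{service} allowed from a /{net.prefixlen} on {iface}"))
    if "http" in services and not re.search(r"^http server enable\b", config_text, re.M):
        findings.append(("info", "http", "http allow-list present but web server not enabled"))
    return findings


if __name__ == "__main__":
    for finding in audit_management_access(SAMPLE_CONFIG):
        print(*finding, sep=" | ")
```

Run it against the management lines copied from a saved configuration; an empty result means every allow-list entry is SSH or HTTPS from a /24 or narrower.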
| References - Credits - Or External Links | |
| KB0000173 | |