Connecting to and Managing Cisco Firewalls

Also see “Allow Remote Management”.

KB ID 0000075

Problem

To connect to and manage a Cisco firewall you need three things:

  1. To be in possession of a password (and in some cases a username).
  2. To have the ‘Method of Access’ granted to you (or to have physical access to the firewall).
  3. To know a ‘Method of Access’ to the firewall for management.

Cisco Firewall Passwords

Unless your firewall is brand new (in which case the passwords will be either {blank} or cisco), to access a Cisco firewall you will need a password (which stands to reason, it is a security device after all!).

Cisco Firewall Usernames

As for usernames, with a few exceptions you do not USUALLY need a username. Those exceptions are:

  1. Access via SSH needs a username (before version 8.4 you could use the username pix and the Telnet password; this no longer works).
  2. If you have set up authentication to be done by AAA.

Cisco Firewall Forgotten Password Recovery

If you do not know the password then you need to perform password recovery.

Cisco ASA – Methods of Access

1. Console Cable: This uses the rollover cable that came with the firewall. They are usually pale blue in colour, and the more modern ones have a moulded serial socket on them; the older ones have a grey network-to-serial converter that plugs on the end. Access is via terminal emulation software, e.g. PuTTY or HyperTerminal. This method of access is enabled by default, but requires physical access to the device’s console port.

2. Telnet: This simply allows connection via a telnet client; all versions of Windows have one, though Microsoft have done a good job of hiding it in Windows 7. You can also use PuTTY, HyperTerminal, or another third-party telnet client. This is considered the LEAST SECURE method of connection (passwords are sent in clear text). On a new firewall the telnet password is usually set to cisco (all lower case).

3. Web Browser: (How the vast majority of people access the firewall). The age and version of the firewall dictate which “Web Server” you are connecting to: devices running version 7 and above use the “Adaptive Security Device Manager” (ASDM); firewalls running an operating system of version 6 and below use the “PIX Device Manager” (PDM). Both the ASDM and the PDM have a similar look and feel, and both require you to have Java installed and working.

4. SSH (Secure Shell): This is sometimes called “secure telnet” as it does not send passwords and user names in clear text. It requires you to supply a username and a password. Firewalls running an OS older than 8.4 can use the username pix and the telnet password. From version 8.4 you need to enable AAA authentication and have a username and password set up for SSH access.

5. ASDM Client software: (Version 7 firewalls and above). You will need to have the software installed on your PC for this to work (you can download it from the firewall’s web interface, or install it from the CD that came with the firewall).

Cisco ASA Remote Management via VPN

Even if you allow traffic from a remote subnet, there are additional steps you need to take to allow management from either a remote client VPN session or a machine at another site that’s connected via VPN. Click here for details.

Solution

Connecting to a Cisco Firewall Using a Console Cable

Obviously, before you start you will need a console cable; you CAN NOT use a normal network cable or a crossover cable, as they are wired differently! They are wired the opposite way round at each end, which is why some people (and some documentation) refer to them as rollover cables. They are usually pale blue (or black). Note: if you find your console cable is too short you can extend it with a normal network cable coupler and a standard straight-through network cable.

On each end of the console cable the wiring is reversed.

Old (Top) and New (Bottom) versions of the Console Cable.

Note: If you don’t have a serial socket on your PC or laptop you will need a USB-to-serial converter (you will need to install its driver to add another COM port to the PC).

Option 1 Using PuTTY for Serial Access

1. Connect your console cable, then download and run PuTTY. (I’m assuming you are using the COM1 socket on your machine; if you have multiple serial sockets then change accordingly).

2. By default PuTTY will connect with the correct port settings; if you want to change the settings see the option I’ve indicated below. Simply select Serial and then ‘Open’.

3. You will be connected. (Note: The password you see me entering below is the enable password).

Option 2 Using HyperTerminal for Serial Access

1. Connect your console cable, then download, install and run HyperTerminal. (Note: with Windows XP and older it’s included with Windows; look in All Programs > Communications). Give your connection a name > OK.

2. Change the ‘Connect Using’ option to COM1 > OK.

3. Set the connection port settings; from top to bottom they are 9600, 8, None, 1, None > Apply > OK.

4. You will be connected. (Note: The password you see me entering below is the enable password).

Connecting to a Cisco Firewall via Telnet

To connect via telnet, the IP address you are connecting from (or the network you are in) has to have been granted access. If you cannot access the firewall using Telnet then you will need to connect via a console cable. Note: Windows 7/2008/Vista need to have the telnet client added.

Option 1 Use Windows Telnet Client for Firewall Access

1. Ensure you have a network connection to the firewall and you know its IP address > Start.

2. In the search/run box type cmd {enter}.

3. Execute the telnet command followed by the IP address of the firewall.

Windows – ‘Telnet’ is not recognized as an internal or external command

4. Enter the telnet password (default password is cisco).

Option 2 Use PuTTY for Telnet Firewall Access

1. Ensure you have a network connection to the firewall and you know its IP address > Launch PuTTY.

2. Select Telnet > Enter the IP address of the firewall > Open.

3. Enter the telnet password (default password is cisco).

Option 3 Use HyperTerminal for Telnet Firewall Access

1. Ensure you have a network connection to the firewall and you know its IP address > Launch HyperTerminal.

2. Give the connection a name > OK.

3. Change the ‘Connect using’ section to TCP/IP (Winsock) > Enter the IP address of the firewall > OK.

4. Enter the telnet password (default password is cisco).

Connect to a Cisco Firewall via Web Browser

To connect via web browser, the firewall’s internal web server needs to be enabled in the firewall configuration, and the IP address of the machine you are on (or the network it is in) also needs to be allowed. If you cannot connect from your web browser you will need to establish a console cable connection.

Also, to access via this method you need to know the firewall’s “Enable Password”. If you use a proxy server then you will need to remove it from the browser settings while you carry out the following. Ensure also that you have Java installed and working.

1. Ensure you have a network connection to the firewall and you know its IP address > launch your web browser.

2. If you are using IE7 (or newer) you will need to click “Continue to this web site (not Recommended)”. IE6 Users will see this instead.

3. Click “Run ASDM” (older versions say ‘Run ASDM Applet’). Note: for information on the other option, ‘Install ASDM launcher…’, see connecting via ASDM.

The Startup Wizard is for setting up a new firewall; I don’t recommend you ever use it unless you follow this guide.

4. You might receive a few Java warning messages, answer them in the affirmative.

5. Run.

6. Enter the ‘Enable’ password > OK.

7. You will be connected.

Connecting to a Cisco Firewall via SSH

To connect via SSH the IP address of the PC you are on (or the network it is in) needs to have been allowed SSH access in the firewall’s configuration. You will also need an SSH client; I prefer PuTTY because it’s free and works.

Note: After version 8.4 you can only access the Cisco ASA using AAA authentication (see here). Prior to version 8.4 you can use the username ‘pix’ and the firewall’s telnet password.

1. Ensure you have a network connection to the firewall and you know its IP address > Launch PuTTy.

2. Tick SSH > enter the IP address of the firewall > Open.

3. The first time you connect you will be asked to accept the firewall’s SSH host key > Yes.

4. You will be connected; supply the username and password configured for AAA access (or username pix and the telnet password if your firewall is older than version 8.4).
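As an added example (not from the original article, and not a Cisco tool), the Python below reads a saved ASA configuration and flags the management-access points discussed above: telnet allowed (its password travels in clear text), SSH permitted without the AAA authentication line that 8.4 and later require, and access entries open to any source. The sample configuration is constructed; the hostname Petes-ASA is borrowed from the article’s later backup example and the password fields are placeholders.

```python
import re

# Constructed sample of what a `write net` backup of a small ASA might hold;
# the hostname is the article's, the encrypted password fields are placeholders.
SAMPLE_CONFIG = """\
hostname Petes-ASA
enable password PLACEHOLDER encrypted
passwd PLACEHOLDER encrypted
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
http server enable
http 192.168.1.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 2
"""

# Lines of the form: telnet|ssh|http <source ip> <mask> <interface>
ACCESS_RE = re.compile(
    r"^(telnet|ssh|http)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")


def parse_management_access(config):
    """Collect the lines that decide who may manage the firewall, and how."""
    facts = {"telnet": [], "ssh": [], "http": [], "http_server": False,
             "ssh_aaa": False, "ssh_version": None}
    for raw in config.splitlines():
        line = raw.strip()
        m = ACCESS_RE.match(line)
        if m:
            proto, ip, mask, ifname = m.groups()
            facts[proto].append((ip, mask, ifname))
        elif line == "http server enable":
            facts["http_server"] = True
        elif line.startswith("aaa authentication ssh console"):
            facts["ssh_aaa"] = True
        elif line.startswith("ssh version"):
            facts["ssh_version"] = line.split()[-1]
    return facts


def audit(config):
    """Return a list of findings; an empty list means nothing was flagged."""
    f = parse_management_access(config)
    findings = []
    if f["telnet"]:
        findings.append("telnet enabled: the telnet password crosses the wire in clear text")
    for ip, mask, ifname in f["telnet"] + f["ssh"] + f["http"]:
        if mask == "0.0.0.0":  # 0.0.0.0 0.0.0.0 means any source address
            findings.append("management access open to any source on '%s'" % ifname)
    if f["ssh"] and not f["ssh_aaa"]:
        findings.append("ssh allowed without 'aaa authentication ssh console': "
                        "8.4+ refuses logins, older code accepts the user 'pix'")
    if f["ssh"] and f["ssh_version"] != "2":
        findings.append("ssh not pinned to version 2")
    if f["http"] and not f["http_server"]:
        findings.append("http hosts listed but 'http server enable' is missing")
    return findings
```

Run `audit()` over the text file a `write net` backup produces; the sample above yields three findings, and the same file with the telnet line and the 0.0.0.0 entry removed and the AAA line added yields none.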

Connecting to a Cisco Firewall via ASDM Client Software

As the name implies you need a v7 (or newer) firewall running ASDM for this to work 🙂 Essentially this is just a “posh” front end for the firewall’s internal web server, so the same rules apply: the http server must be enabled, and the PC you are on (or the network it’s in) needs to be allowed https access to the firewall. You will also need to know the enable password.

1. Ensure you have a network connection to the firewall and you know its IP address > launch your web browser.

2. If you are using IE7 (or newer) you will need to click “Continue to this web site (not Recommended)”. IE6 Users will see this instead.

3. Select ‘Install ASDM Launcher and Run ASDM’.

4. The username is usually blank (unless you are using AAA), and you will need to enter the enable password.

5. Run (or save if you want to install manually later).

6. Accept all the defaults.

7. The ASDM will once again ask for the password. (By default it places a shortcut on the desktop for the next time you need to access the firewall).

8. The ASDM will launch and you will be connected.

Connecting to a Cisco Firewall via Pix Device Manager

1. Open your web browser and navigate to the following:

https://{inside IP address of the firewall}

Note: if you are using IE7 (or newer) you will need to click “Continue to this web site (not Recommended)”.

IE6 users will see this instead.

2. If prompted, leave the username blank; the password is the firewall’s enable password.

Note if you are using AAA you might need to enter a username and password.

3. You will see this.

4. You might receive a few Java warning messages; answer them in the affirmative. On some newer versions of Java you may also need to enter the password a second time.

5. The PDM opens. You are successfully connected.

Related Articles, References, Credits, or External Links

Cisco ASA – Allow Remote Management

Manage your firewall from your Windows Mobile device

Cisco ASA 5500 – Remote Management via VPN

Originally Written 09/11/09

Juniper SRX Firewall Alarm Light Lit

KB ID 0000993

Problem

I noticed the alarm light was lit amber on an SRX240 Juniper firewall.

Solution

This will not serve as a solution to every alarm on the SRX, but it should point you where to look, and show you how to resolve the two problems I identified on my firewall.

View SRX Alarm Status in J-Web

The status is displayed on the ‘Dashboard’ tab; here you can see I’ve got two minor alarms.

View SRX Alarm Status at Command Line

If connected via console cable or SSH.

[box]

root@FW-02> show system alarms
2 alarms currently active
Alarm time Class Description
2014-08-26 21:52:14 GMT Minor Autorecovery information needs to be saved
2014-08-26 21:52:14 GMT Minor Rescue configuration is not set

[/box]

Juniper SRX – Rescue Information Is Not Set (J-Web)

This one is easy to fix in J-Web: Maintain > Config Management > Rescue > Set Rescue Configuration.

Then click OK.

Juniper SRX – Rescue Information Is Not Set (Command Line)

To do the same via console cable or SSH.

[box]

root@FW-02> request system configuration rescue save

[/box]

Juniper SRX – Autorecovery Information Needs To Be Saved (Command Line)

Despite my best efforts I could not locate how to do this in the GUI, so I had to use command line.

[box]

root@FW-02> show system alarms
1 alarms currently active
Alarm time Class Description
2014-08-26 21:52:14 GMT Minor Autorecovery information needs to be saved

root@FW-02> request system autorecovery state save
Saving config recovery information
Saving license recovery information
Saving BSD label recovery information

root@FW-02>

[/box]

Related Articles, References, Credits, or External Links

NA

HP Procurve Adding a Management IP

KB ID 0000428

Problem

You have an HP Procurve switch, and you would like to add a management IP so you can view the web console.

Solution

Related Articles, References, Credits, or External Links

HP Procurve – Trunking / Aggregating Ports

Connecting to and Configuring Cisco Routers with ‘Cisco Configuration Professional’

KB ID 0000512 

Problem

It’s not often I work on Cisco routers, but as I tend to do most of the Cisco ASA Firewalls, I’m the unofficial “Cisco Guy”. Which is fine until someone wants a router or some complex switching, then I need to do some heavy duty frowning.

Last time I put in a Cisco router it was a baby Cisco 800 series (an 877W), so I assumed the 1921 ISR router I had to put in would be the same. Before, I used the Cisco SDM console that’s now either deprecated or not used, and a quick look in the flash memory of the router told me there was nothing in there apart from the IOS.

Now, for all your web-based router needs you use the “Cisco Configuration Professional” software; it comes in two flavours:

1. Express – this installs on the router itself and is a cut down version.

2. PC Version – the full suite of tools installs on a Windows PC (that has Java installed). Note: it does NOT need anything else installing on the router.

To download the software you will need a valid Cisco CCO login and a valid support contract (or SmartNet) for your router. (download link).

Solution

1. Using the console cable provided with your router, connect a PC/laptop to the router and access it using HyperTerminal or PuTTY (see here for details).

2. Connect an Ethernet port to your LAN; we are going to configure it to get an IP from DHCP (assuming you have DHCP of course; if not, give it a static IP address).

3. While connected via console cable, go to enable mode, set the Ethernet port you connected to DHCP, then configure Telnet and SSH login, and finally allow HTTP access.

Note: If you get an error message like “IP address may not be configured on L2 Links” then assign the IP address to the VLAN (usually, but not always, VLAN 1). This is seen on smaller 800 series routers; to resolve it, also make sure the Ethernet port is NOT shut down, like this:

[box]

interface FastEthernet0
 no shutdown
! <<<<<<<Note: Make sure the Ethernet ports you will use are NOT in a shutdown state!
interface FastEthernet1
 shutdown
!
interface FastEthernet2
 shutdown
!
interface FastEthernet3
 shutdown
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
! <<<Or use DHCP as appropriate

[/box]

4. So, all being well, this is what you should see if you issue a “show run” command.

5. Let’s make sure it got an IP address with “show ip interface”.

6. Install CCP on your PC and launch it > Select “Manage Devices” > Enter the IP, username and password you set earlier > OK.

7. If discovery fails, make sure you’re cabled correctly and select “Discover”.

8. It connects over https so it’s normal to see this; just click Yes.

9. You can now configure the router as required.

10. If you have the Security/Firewall IOS you can also manage that from here.

Related Articles, References, Credits, or External Links

Original Article Written 26/09/11

Backup and Restore a Cisco Firewall.

KB ID 0000076

Problem

There are many different versions of PIX and ASA firewalls, so if you want to take a backup of the configuration and save it elsewhere (so that in the event of a failure, or more likely someone tinkering and breaking the firewall, you will be able to recall and restore that configuration), by far the easiest method is to use a TFTP server. It works on ALL versions, so learn it once and use it many times.

Note: Some people flatly refuse to use the command line; if that’s you, you can also backup and restore from the ASDM (click here).

OK, for starters you need to get a TFTP server. While this sounds very grand, it’s a little piece of software that will run on just about any Windows PC; I use an application called 3CDaemon and I’ve put information on how to get it and how to set it up (about 5 minutes’ work) HERE. Or if you have a Mac it’s built in.

I’ll assume at this point you have the TFTP server installed and running, and you know the IP address of the machine that’s running it.

NOTE: TFTP uses UDP port 69; if there are firewalls between the one you are working on and the TFTP server, this port needs to be open.

Solution

1. Connect to the firewall via Telnet, console cable or SSH, then go to enable mode and type in the enable password.

[box]

Petes-ASA> enable
Password:*********
Petes-ASA#

[/box]

2. To back up the firewall you need to specify the IP address of where you want to send it (i.e. the TFTP server) and what you want to call the backup, and you tie them together with a “write net” command. The syntax is:

write net {ip address}:{filename}

[box]

Petes-ASA# write net 172.254.1.2:firewall_backup
Building configuration...
INFO: Default tftp-server not set, using highest security interface
Cryptochecksum: 85c211cb 3099b392 9e7206e6 e1548bcd
!
[OK]
Petes-ASA#

[/box]

3. On your TFTP server you will see that a file has been received.

4. If you look in the TFTP server root directory you will find the file. Though it has no file extension, you can open and view it with a text editor like Notepad or WordPad; just remember NOT to save it with a .txt or .rtf extension when you close it again. Keep it safe, you will need it if you ever want to restore.
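To make the exchange in steps 2 and 3 concrete, here is an added example (not the article’s 3CDaemon, nor any Cisco code) of a minimal TFTP write receiver in Python: it accepts one WRQ on a bound UDP socket, ACKs each 512-byte DATA block as RFC 1350 describes, and refuses file names that would escape the chosen directory, since the firewall is the one choosing the name. The socket, the directory and the packet bytes are assumptions for the demonstration.

```python
import os
import struct

# TFTP opcodes (RFC 1350) and the fixed data block size; a DATA packet
# carrying fewer than 512 bytes tells the receiver the transfer is complete.
RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK = 512


def parse_wrq(pkt):
    """Return (filename, mode) from a WRQ packet, or None if it is not one."""
    if len(pkt) < 4 or struct.unpack("!H", pkt[:2])[0] != WRQ:
        return None
    fields = pkt[2:].split(b"\x00")
    if len(fields) < 2:
        return None
    return fields[0].decode("ascii", "replace"), fields[1].decode("ascii", "replace").lower()


def build_ack(block):
    return struct.pack("!HH", ACK, block)


def build_error(code, msg):
    return struct.pack("!HH", ERROR, code) + msg.encode("ascii") + b"\x00"


def safe_path(root, name):
    """Confine writes to root: the firewall chooses the file name, so never trust it."""
    target = os.path.realpath(os.path.join(root, name))
    if os.path.dirname(target) != os.path.realpath(root):
        return None
    return target


def receive_one(sock, root):
    """Serve one WRQ on an already-bound UDP socket and return the path written,
    or None if the request was refused. Simplification: the transfer stays on
    the listening socket rather than moving to a fresh server port (TID)."""
    pkt, peer = sock.recvfrom(BLOCK + 4)
    req = parse_wrq(pkt)
    if req is None:
        sock.sendto(build_error(4, "only write requests accepted"), peer)
        return None
    path = safe_path(root, req[0])
    if path is None or os.path.exists(path):  # traversal attempt, or an overwrite
        sock.sendto(build_error(2, "access violation"), peer)
        return None
    sock.sendto(build_ack(0), peer)  # ACK 0 tells the sender to start with block 1
    expected = 1
    with open(path, "wb") as fh:
        while True:
            pkt, src = sock.recvfrom(BLOCK + 4)
            if src != peer or len(pkt) < 4:
                continue  # ignore anything that is not from our sender
            op, block = struct.unpack("!HH", pkt[:4])
            if op == DATA and block == expected - 1:  # sender missed our ACK: repeat it
                sock.sendto(build_ack(block), peer)
            if op != DATA or block != expected:
                continue
            fh.write(pkt[4:])
            sock.sendto(build_ack(block), peer)
            expected += 1
            if len(pkt) - 4 < BLOCK:
                return path
```

To receive a real `write net` from the firewall, bind the socket to UDP port 69 (a privileged port on Unix-like systems) and point the command at that machine’s IP address, exactly as in step 2.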

Restore

1. To restore you must have already backed up the firewall earlier and have that backup in the TFTP server’s root directory.

2. Connect to the firewall via Telnet, console cable or SSH, then go to enable mode and type in the enable password.

[box]

Petes-ASA> enable
Password:*********
Petes-ASA#

[/box]

3. Enter configuration mode using the “conf t” command.

[box]

Petes-ASA# configure terminal
Petes-ASA(config)# 

[/box]

4. Unlike when you backed up the firewall, to restore the configuration you use the copy tftp start command.

[box]

Petes-ASA(config)# copy tftp start

[/box]

5. Supply it with the IP address of your TFTP Server.

[box]

Address or name of remote host []? 172.254.1.2

[/box]

6. Supply it with the name of the file you backed up earlier.

[box]

Source filename []? firewall_backup

[/box]

7. The file will get copied over.

[box]

Accessing tftp://172.254.1.2/firewall_backup...!
Writing system file...
!
2974 bytes copied in 0.90 secs
Petes-ASA(config)#

[/box]

8. On your TFTP server you will see the file being “copied out”.

9. Not finished yet: the file now lives in the “startup” configuration, so it has not been loaded into the running configuration yet. The best way to do this is to reboot the firewall; issue the reload command and confirm by pressing Enter.

[box]

Petes-ASA(config)# reload

Proceed with reload? [confirm] {Enter}

Petes-ASA(config)#

***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down webvpn
Shutting down File system

***
*** --- SHUTDOWN NOW ---

[/box]

10. After the reboot, you will be running on the restored configuration.

Note: With a version 6 firewall, restoring a config from TFTP simply “merges” the new one with the config already on the firewall; in most cases this is NOT what you want. To get round this, place the following command at the top of the config you are restoring:

[box]

clear config all

[/box]

Backup a Cisco 5500 firewall from the ASDM

1. Connect to the firewall via ASDM, then Tools > Backup Configuration > Browse to a Location to Save the File > If you have certificates to backup, then choose and confirm a password > OK.

2. Watch the progress > Close > OK.

Restore a Cisco 5500 firewall from the ASDM

1. Connect to the firewall via ASDM, then Tools > Restore Configuration > Browse to the .zip file you saved earlier > Select File > Next > Restore.

2. If you are restoring certificates, enter the password you used above > OK > Then choose whether to ‘replace’ the config on the firewall, or ‘merge’ the restored config with the one on the firewall.

3. The ASDM will detect there’s been a change; just drag that window to one side. Wait for the restore to finish > Close. You will probably need to reconnect to the firewall now.

Related Articles, References, Credits, or External Links

MAC OS X TFTP Software

Backup and Restore a Cisco Router with TFTP

Install and Use a TFTP Server