Configuring Cisco Devices – PIX/ASA/FWSM/VPN Concentrator
Firewall Analyzer supports the following versions of various Cisco devices.
Cisco IOS Firewalls:
- 8xx
- 18xx
- 28xx
- 38xx
- 72xx
- 73xx
- 3005
- 1900
- 2911
- 3925
Cisco FWSM Catalyst Series:
Cisco PIX versions:
Cisco ASA:
Cisco VPN Concentrators Series:
Model Family | Model | Cisco IOS Software Version
---|---|---
8xx | c871, c876, c877, c878 | 12.4(4)T
18xx | c1841 | 12.3(14)T
18xx | c1811, c1812 | 12.4(4)T
18xx | c1801, c1802, c1803 | 12.4(4)T
28xx | c2801, c2851, c2821, c2811 | 12.3(14)T
38xx | c3845, c3825 | 12.3(14)T
72xx | 7206VXR, 7204VXR | 12.3(14)T
73xx | CISCO7301 | 12.3(14)T
To find out the version of your PIX firewall, Telnet to the PIX firewall and enter the show version command.
Cisco PIX does not create log files, but instead directs
Virtual Firewall (Virtual Domain) logs
Prerequisite for context/vdom in Cisco Firewalls
The Cisco firewall IP address must be DNS resolvable from Firewall Analyzer.
There is no separate configuration required in Firewall Analyzer for receiving logs from Virtual Firewalls of the Cisco physical device.
Configuration in Cisco device for Virtual Firewall
In order to support virtual firewalls on Cisco devices, you need to enable logging based on the context (the context option of logging device-id). Otherwise it is not possible for Firewall Analyzer to detect the virtual firewalls (vdom) of Cisco devices.
Configuring Cisco PIX using Command Line Interface
- Telnet to the PIX firewall and enter the enable mode.
- Type the following:
configure terminal
logging on
logging timestamp
logging trap informational
logging device-id {context | hostname | ipaddress interface_name | string text}
logging host interface_name syslog_ip [17/<syslog_port>]
where,
Parameter | Description
---|---
interface_name | the interface on the PIX firewall whose logs need to be analyzed ("inside" or "outside", for example)
syslog_ip | the IP address of the syslog server (i.e. Firewall Analyzer) to which the firewall sends syslogs
17/<syslog_port> | indicates that logs will be sent using the UDP protocol to the configured syslog port on the syslog server. If left blank, the syslogs are sent through the default syslog port (UDP port 514). If the logs are sent through any other port, mention it as 17/<the UDP port number> (for example: 17/1514)
hostname | the firewall's host name (defined with the hostname configuration command). In this case, the hostname will appear in the logs sent from the firewall
ipaddress interface_name | the IP address of a specific firewall interface named interface_name ("inside" or "outside", for example). In this case, the IP address of that interface will appear in the logs sent from the firewall
string text | an arbitrary text string (16 characters). In this case, the text string you entered as string <text> will appear in the logs sent from the firewall
context | in PIX 7.x and FWSM 2.x operating in multiple-context mode, the name of the firewall context will appear in the logs sent from the firewall
Example: logging host inside 11.23.4.56 17/1514
To verify your configuration, enter the show logging command after the last command above. This will list the current logging configuration on the PIX firewall.
Configuring Cisco PIX from the User Interface
Log in to the Cisco PIX user interface and follow the steps below to configure the PIX firewall:
- Enabling Logging
  - Select Configure > Settings > Logging > Logging Setup
  - Select the Enable logging and Enable logging failover check boxes
  - Click Apply. The changes are applied to the assigned PIX firewall and the configuration files are generated. The configuration files are downloaded to the PIX firewalls on deployment.
- Configuring Syslog Server
  - Select Configure > Settings > Logging > Syslog
  - Check Include Timestamp.
  - Click Add to add a row.
  - In the Add Syslog Server page that appears, enter the following:
    - Interface Name – the firewall interface through which Firewall Analyzer can be reached; the interface can be either inside or outside.
    - IP Address – the IP address of the syslog server to which logs have to be sent.
    - Under Protocol, select the UDP radio button.
    - The default UDP port is 514. If you have configured a different syslog listener port on your syslog server, enter the same port here.
  - Click Apply
- Configuring Logging Level
  - Select Configure > Settings > Logging > Other
  - Under Console Level List, select Informational so that all report data is available
  - Click Apply
For every transaction happening in the Cisco PIX firewall, a configured ACL matches it. The matched ACL, along with the complete transaction detail, is audited through Message ID 106100. Ensure that logging is enabled for Message ID 106100 in the Cisco PIX firewall. For more information about the message ID, follow the link below: http://www.cisco.com/en/US/docs/security/pix/pix63/system/message/pixemsgs.html#wp1086617 This message identifier contains information about both accepted and denied transactions. The log information is parsed to get the 'Used' rules, which are available in the Firewall Rules Report > Top Used Rules Report.
Configure/Enable SNMP Protocol for Cisco PIX Firewall device
Using CLI Console:
To enable the SNMP Manager running in Firewall Analyzer to make queries to the SNMP Agent running in the firewall:
configure terminal
snmp-server host <interface name> <hostname|IP address of Firewall Analyzer>
If you want to create a new SNMP community, use the command below:
configure terminal
snmp-server community <community-string>
Example:
configure terminal
snmp-server community public
Configuring Cisco ASA Versions
- Telnet to the ASA firewall and enter the enable mode.
- Type the following:
configure terminal
logging enable
logging timestamp
logging trap informational
logging device-id {context | hostname | ipaddress interface_name | string text}
logging host interface_name syslog_ip [udp/<syslog_port>]
- If there are no URL Reports available in Firewall Analyzer for Cisco ASA, enable HTTP inspection by executing the following command:
inspect http
Enabling HTTP inspection generates syslogs with ID 304001. Firewall Analyzer uses this ID to generate URL Reports.
Parameter | Description
---|---
interface_name | the interface on the ASA firewall whose logs need to be analyzed (for example: "inside" or "outside")
syslog_ip | the IP address of the syslog server (i.e. Firewall Analyzer) to which the firewall sends syslogs
udp/<syslog_port> | indicates that logs will be sent using the UDP protocol to the configured syslog port on the syslog server. If left blank, the logs are sent to the default UDP port 514
hostname | the firewall's host name (defined with the hostname configuration command)
ipaddress interface_name | the IP address of a specific firewall interface named interface_name (for example: "inside" or "outside")
string text | an arbitrary text string (16 characters)
context | in PIX 7.x and FWSM 2.x operating in multiple-context mode, the name of the firewall context can also be sent
For more information, refer to the Cisco PIX documentation.
Configuring Cisco ASA Versions using ASDM
Enable Logging
Carry out the steps given below:
- Load the ASDM
- Select Configuration > Device Management > Logging > Logging Setup
- Select Enable Logging
- Select Logging > Logging Filters
- Choose the syslog-servers as Informational
- Select Logging > Logging Filters > Syslog servers
- Click Add
- Enter the IP address, choose the appropriate interface, ensure that you choose UDP, and enter the port number
- Select Logging > Syslog Setup
- Select the 'Include timestamp in syslogs' option, then scroll down and ensure that syslog IDs 302013, 302014, 302015 and 302016 are in the enabled state with the logging level set to Informational
Disable Logging
You can disable specific syslog IDs based on your requirement.
Note: By selecting the check mark for the Include timestamp in syslogs option, you can add the date and time at which they were generated as a field to the syslogs.
- Select the syslogs to disable and click Edit.
- From the Edit Syslog ID Settings window, select the Disable messages option and click OK.
- The disabled syslogs can be viewed in a separate tab by selecting Disabled syslog IDs from the Syslog ID Setup drop-down menu.
For more information, refer to the Cisco PIX documentation.
Configuration for SSL WebVPN in Cisco ASA appliance
Firewall Analyzer requires syslog message IDs 722030 and 722031, which are at debug level by default, to process Cisco SVC VPN logs. Set the informational level for these syslog IDs by executing the commands below in global configuration mode:
hostname(config)# logging message 722030 level 6
hostname(config)# logging message 722031 level 6
You can confirm by executing the command below:
hostname(config)# show logging message 722030
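The CLI steps for PIX and ASA above (logging timestamp, logging device-id and logging trap informational), the note on message ID 106100, the syslog IDs 302013-302016 enabled through ASDM, and the level change for 722030/722031 together decide what the collector actually receives. The Python script below is added here as an example; it is not part of this page or of Firewall Analyzer. It parses a batch of firewall syslog lines and reports which of those settings are missing: lines without a timestamp or device-id, required message IDs never seen, and required IDs still arriving above severity 6, which logging trap informational would not forward. The sample lines, the hostname fw01 and the addresses are constructed, and the descriptions in REQUIRED_IDS are this example's own wording.

```python
"""Check that Cisco PIX/ASA/FWSM syslog lines carry what the steps above ask for:
a timestamp, a device-id, and the message IDs Firewall Analyzer relies on
(106100, 302013-302016, 304001, 722030/722031) at informational level or lower."""
import re

# Message IDs named on this page, with the report or feature that depends on them.
REQUIRED_IDS = {
    "106100": "ACL match with transaction detail (Top Used Rules report)",
    "302013": "TCP connection built",
    "302014": "TCP connection torn down",
    "302015": "UDP connection built",
    "302016": "UDP connection torn down",
    "304001": "URL accessed (URL reports; needs 'inspect http')",
    "722030": "SVC/WebVPN session event (debug level by default)",
    "722031": "SVC/WebVPN session event (debug level by default)",
}
INFORMATIONAL = 6  # 'logging trap informational' forwards severities 0-6 only

# Layout of a line as the firewall emits it with 'logging timestamp' and
# 'logging device-id' enabled (both parts optional so their absence is detected):
#   <PRI>Mon DD YYYY HH:MM:SS device-id : %ASA-SEV-MSGID: text
LINE_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?:(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}))?"
    r"(?:\s*(?P<devid>[^\s:%][^\s%]*)\s)?"
    r"\s*:?\s*%(?P<platform>ASA|PIX|FWSM)-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<text>.*)$"
)


def parse_line(line):
    """Split one syslog line into its parts; None if it is not a Cisco firewall message."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return {
        "pri": int(g["pri"]) if g["pri"] else None,
        "timestamp": g["ts"],
        "device_id": g["devid"].rstrip(":") if g["devid"] else None,  # hostname, context, IP or string
        "platform": g["platform"],
        "severity": int(g["sev"]),
        "msg_id": g["msgid"],
        "text": g["text"],
    }


def audit(lines):
    """Summarise a batch of received lines against the page's requirements."""
    summary = {
        "parsed": 0, "unparsed": 0,
        "missing_timestamp": 0, "missing_device_id": 0,
        "seen": {},                  # msg_id -> lowest severity observed
        "missing_ids": [],           # required IDs never received
        "above_informational": {},   # required IDs still arriving at debug level
    }
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            summary["unparsed"] += 1
            continue
        summary["parsed"] += 1
        if rec["timestamp"] is None:
            summary["missing_timestamp"] += 1
        if rec["device_id"] is None:
            summary["missing_device_id"] += 1
        mid, sev = rec["msg_id"], rec["severity"]
        summary["seen"][mid] = min(sev, summary["seen"].get(mid, sev))
    for mid in REQUIRED_IDS:
        if mid not in summary["seen"]:
            summary["missing_ids"].append(mid)
        elif summary["seen"][mid] > INFORMATIONAL:
            summary["above_informational"][mid] = summary["seen"][mid]
    return summary


# Constructed sample lines (documentation addresses, hostname 'fw01'); not captured from a real device.
SAMPLE_LINES = [
    "<166>Jan 12 2024 10:00:01 fw01 : %ASA-6-302013: Built inbound TCP connection 4711 for "
    "outside:203.0.113.5/51000 (203.0.113.5/51000) to inside:10.0.0.10/443 (10.0.0.10/443)",
    "<166>Jan 12 2024 10:00:02 fw01 : %ASA-6-106100: access-list outside_in permitted tcp "
    "outside/203.0.113.5(51000) -> inside/10.0.0.10(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]",
    # device-id missing: 'logging device-id' was not configured when this line was sent
    "<166>Jan 12 2024 10:00:03: %ASA-6-302014: Teardown TCP connection 4711 for "
    "outside:203.0.113.5/51000 to inside:10.0.0.10/443 duration 0:00:02 bytes 2048 TCP FINs",
    # no timestamp and still severity 7: 'logging message 722030 level 6' has not been applied
    "<167>%ASA-7-722030: Group <vpn-users> User <alice> IP <198.51.100.7> SVC Session started",
    "<166>Jan 12 2024 10:00:05 fw01 : %ASA-6-302015: Built outbound UDP connection 4712 for "
    "outside:203.0.113.53/53 (203.0.113.53/53) to inside:10.0.0.10/40000 (10.0.0.10/40000)",
    "this line is not a Cisco firewall syslog message",
]

if __name__ == "__main__":
    for key, value in audit(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

Feed the script the lines as they arrive on the collector's UDP port (or a saved capture) instead of SAMPLE_LINES; a non-empty missing_ids or above_informational list points at the specific step above that was skipped, and a non-zero missing_device_id count means context or hostname attribution of multi-context logs will not work.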
Configuring Cisco ASA NetFlow Logs
(This section also covers disabling NetFlow on Cisco ASA/ASDM using the command line and ASDM.)
Firewall Analyzer supports NetFlow version 9 packets, which were introduced in Cisco ASA 8.2.1/ASDM 6.2.1.
Configuring the ASA device using console mode to send NetFlow version 9 packets to Firewall Analyzer is given below:
- Firewall Analyzer is capable of receiving either Syslog or NetFlow packets from the ASA box, so disable Syslog and enable NetFlow.
To disable Syslog and enable NetFlow, execute the following commands:
(config)# flow-export destination inside <Firewall Analyzer Server IP> 1514
(config)# flow-export template timeout-rate 1
(config)# flow-export delay flow-create 60
(config)# logging flow-export-syslogs disable —> This command will disable logging of the syslog messages
(config)# access-list netflow-export extended permit ip any any
(config)# class-map netflow-export-class
(config-cmap)# match access-list netflow-export
Associate the global policy map with the netflow class map
If you have a global policy map, associate the above netflow class-map netflow-export-class with the global policy.
For example: if your global policy map is named global_policy_asa, you need to execute the commands below:
(config)# policy-map global_policy_asa
(config-pmap)# class netflow-export-class
(config-pmap-c)# flow-export event-type any destination <Firewall Analyzer Server IP>
If the above command fails, use the command below:
(config-pmap-c)# flow-export event-type all destination <Firewall Analyzer Server IP>
If you wish to create a new policy map named netflow-export-policy and make this your global policy, follow the steps below:
(config)# policy-map netflow-export-policy
(config-pmap)# class netflow-export-class
(config-pmap-c)# flow-export event-type any destination <Firewall Analyzer Server IP>
If the above command fails, use the command below:
(config-pmap-c)# flow-export event-type all destination <Firewall Analyzer Server IP>
Make the policy map netflow-export-policy your global policy:
(config)# service-policy netflow-export-policy global
For UI mode configuration through ASDM, refer to the Cisco forum topic: https://supportforums.cisco.com/docs/DOC-6114
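The commands above make the ASA export NetFlow version 9 records, and flow-export template timeout-rate 1 makes it resend its templates every minute because a collector cannot decode a data flowset until it holds the matching template. The Python script below is added here as an example and is not code from this page or from Firewall Analyzer: it decodes such packets with a template cache keyed by source id and template id, and shows the template-before-data dependency on a constructed packet pair. The field layout (NetFlow field types 4, 7, 8, 11, 12 and the ASA NSEL event field 233), the source id, sequence numbers and addresses are assumptions of the example, not values taken from the page.

```python
"""Decode NetFlow v9 export packets of the kind the ASA sends after
'flow-export destination ...', keeping the template cache that data records
depend on (the reason the page sets 'flow-export template timeout-rate 1')."""
import struct

# NetFlow v9 field type ids; 233 is NF_F_FW_EVENT, the ASA NSEL event code.
FIELD_NAMES = {4: "protocol", 7: "src_port", 8: "src_addr", 11: "dst_port",
               12: "dst_addr", 233: "fw_event"}
FW_EVENT = {0: "ignore", 1: "flow-created", 2: "flow-deleted", 3: "flow-denied", 5: "flow-updated"}


def decode_field(ftype, raw):
    """Turn the raw bytes of one field into a readable value."""
    if ftype in (8, 12):                       # IPv4 addresses
        return ".".join(str(b) for b in raw)
    value = int.from_bytes(raw, "big")
    return FW_EVENT.get(value, f"event-{value}") if ftype == 233 else value


def parse_netflow9(data, templates):
    """Parse one packet. 'templates' maps (source_id, template_id) -> field list and
    must be kept across packets: a data flowset that arrives before its template
    cannot be decoded and is reported as an error rather than guessed at."""
    version, count, _uptime, unix_secs, sequence, source_id = struct.unpack("!HHIIII", data[:20])
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    records, offset = [], 20
    while offset + 4 <= len(data):
        fs_id, fs_len = struct.unpack("!HH", data[offset:offset + 4])
        if fs_len < 4 or offset + fs_len > len(data):
            raise ValueError("malformed flowset length")
        body = data[offset + 4:offset + fs_len]
        if fs_id == 0:                                   # template flowset
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                fields = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4]) for i in range(nfields)]
                pos += 4 * nfields
                templates[(source_id, tid)] = fields
        elif fs_id >= 256:                               # data flowset
            fields = templates.get((source_id, fs_id))
            if fields is None:
                records.append({"template": fs_id, "error": "template not yet received"})
            else:
                rec_len = sum(flen for _, flen in fields)
                pos = 0
                while pos + rec_len <= len(body):        # trailing bytes (< rec_len) are padding
                    rec = {}
                    for ftype, flen in fields:
                        rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = decode_field(ftype, body[pos:pos + flen])
                        pos += flen
                    records.append(rec)
        # flowset id 1 (options template) and ids 2-255 (reserved) are skipped in this example
        offset += fs_len
    return {"unix_secs": unix_secs, "sequence": sequence, "source_id": source_id,
            "count": count, "records": records}


def _ipv4(addr):
    return bytes(int(octet) for octet in addr.split("."))


def build_sample_packets():
    """Constructed sample (not a capture): one template-only packet and one data packet
    carrying two NSEL records, using documentation addresses."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (233, 1)]
    template = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    template_fs = struct.pack("!HH", 0, 4 + len(template)) + template

    def record(src, dst, sport, dport, proto, event):
        return _ipv4(src) + _ipv4(dst) + struct.pack("!HHBB", sport, dport, proto, event)

    body = (record("203.0.113.5", "10.0.0.10", 51000, 443, 6, 1)     # flow-created
            + record("198.51.100.9", "10.0.0.10", 4444, 22, 6, 3))   # flow-denied
    data_fs = struct.pack("!HH", 256, 4 + len(body)) + body

    def header(count, sequence):
        return struct.pack("!HHIIII", 9, count, 120000, 1705053601, sequence, 0)

    return header(1, 1) + template_fs, header(2, 2) + data_fs


if __name__ == "__main__":
    template_pkt, data_pkt = build_sample_packets()
    cache = {}
    print(parse_netflow9(data_pkt, cache)["records"])   # data before template: error record
    parse_netflow9(template_pkt, cache)
    for rec in parse_netflow9(data_pkt, cache)["records"]:
        print(rec)
```

A collector that keeps the cache only per packet would print nothing but error records; a collector that keeps it across packets, as this one does, needs at most one template interval (one minute with the setting above) after start-up before the exported flows decode.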
To disable NetFlow on Cisco ASA/ASDM, execute the following commands:
(config)# flow-export disable
(config)# no flow-export destination inside <Firewall Analyzer Server IP> 1514
To disable NetFlow on Cisco ASA/ASDM using ASDM
- Click on Configuration > Firewall
- Click on Service Policy Rules. Look for the policy indicating netflow export
- Check the IP address to see whether the flow is pointing to the machine to which you want to forward syslog.
- If so, delete it and write the configuration to memory (Save it).
Configure/Enable SNMP Protocol for Cisco ASA Firewall device
Using CLI Console:
To enable the SNMP Manager running in Firewall Analyzer to make queries to the SNMP Agent running in the firewall:
configure terminal
snmp-server enable
snmp-server host <interface name> <hostname|IP address of Firewall Analyzer> [poll]
Example:
configure terminal
snmp-server enable
snmp-server host inside 192.168.101.155 poll
If you want to create a new SNMP community, use the command below:
configure terminal
snmp-server community <community-string>
Example:
configure terminal
snmp-server community public
Configuring Cisco VPN 3000 Concentrator
Currently we support the Cisco IOS Compatible Log Format and the Original Log Format for Cisco VPN Concentrator.
Importing already saved Cisco VPN Concentrator logs is not supported, because those logs are saved in one of the following formats, which are not supported in Firewall Analyzer:
- Multi line
- Tab Delimited
- Comma Delimited
Follow the steps below to configure the VPN Concentrator:
- Configuring Syslog Server
  - Log in to the Cisco VPN 3000 Concentrator Management console.
  - Go to Configuration > System > Events > Syslog Servers
  - Click the Add button
  - In the Syslog Server text box, enter the IP address of the machine where Firewall Analyzer is running.
  - Enter the Port value. The default syslog server port for Firewall Analyzer is 514.
  - Facility is Local 7
- Configuring Syslog Events
  - Go to Configuration > System > Events > General
  - For Syslog Format, you can select either Original or Cisco IOS Compatible format.
  - For Events to Syslog, select Severities 1-5
  - Leave the other configurations on the page at their defaults.
  - Click the Apply button
For more information, refer to the Cisco VPN Concentrator documentation.
Configuring Cisco IOS Switch
Follow the below steps to configure
the Cisco IOS Switch:
- Log in to the Cisco IOS console or Telnet to the device.
- Change the configuration mode of the device.
Use the following command:
configure terminal
- Enable logging by using the following commands:
logging on
logging trap informational
logging <IP Address>
- If there is a Firewall module in the IOS device, use the following command to enable audit trail. This will generate traffic information.
ip inspect audit-trail
For more information, refer to the Cisco IOS Switch documentation.
Configure/Enable SNMP Protocol for Cisco Firewall devices using Cisco ASDM tool
Using Web UI:
Configure SNMP parameters for SNMP Versions 1 and 2c
Carry out the following steps:
- In the ASDM main window, select Configuration > Device Management > Management Access > SNMP
- In the Community String (default) field, enter the default community string. This applies to SNMP Versions 1 and 2c only
- Fill in appropriate values in the Contact and Location fields
- In the Listening Port field, enter the port number of the security appliance that listens for SNMP requests from management stations; retain the default port number 161
- Click Apply
With this, SNMP parameters for Versions 1 and 2c are configured and the changes are saved to the running configuration.
To enable the SNMP Manager running in Firewall Analyzer to make queries to the SNMP Agent running in the firewall:
- In the ASDM main window, choose Configuration > Device Management > Management Access > SNMP
- In the SNMP Management Stations pane, click Add. The Add SNMP Host Access Entry dialog box appears
- In the Interface Name drop-down list, choose the interface on which the Firewall Analyzer resides
- In the IP Address field, enter the Firewall Analyzer IP address
- In the UDP Port field, enter the Firewall Analyzer UDP port, or retain the default port 162
- In the Community String field, enter the Firewall Analyzer community string. If no community string is specified for a management station, the value set in the Community String (default) field of the SNMP Management Stations pane is used
- In the SNMP Version drop-down list, choose the SNMP version used by the Firewall Analyzer
- If you have selected SNMP Version 3 in the previous step, in the Username drop-down list, choose the name of a configured user
- To specify the method for communicating with this management station, check the Poll check box
- Click OK. The Add Firewall Analyzer Access Entry dialog box closes.
- Click Apply.
With this, the management station is configured and the changes are saved to the running configuration.
Configure SNMP Parameters for Version 3:
SNMP Version 3 allows you to configure additional authentication and privacy options for more secure protocol operations by means of SNMP server groups and users.
Carry out the following steps:
- In the ASDM main window, choose Configuration > Device Management > Management Access > SNMP
- In the SNMPv3 Users pane, to add a configured user or a new user to a group, click Add. To change user parameters, click Edit. To remove a configured user from a group, click Delete. When you remove the last user in a group, ASDM deletes the group
Note: Once a user is created, you cannot change the group to which the user belongs.
- The Add SNMP User Entry dialog box appears
- In the Group Name drop-down list, choose the group to which the SNMP user will belong. The available groups are as follows:
  - Auth&Encryption, in which users have authentication and encryption configured
  - Authentication_Only, in which users have only authentication configured
  - No_Authentication, in which users have neither authentication nor encryption configured
- In the Username field, enter the name of the configured user or new user. The username must be unique for the SNMP server group selected
- To have the password encrypted, click the Encrypt Password radio button. If you choose this option, you must enter the password as an MD5 hash value.
- Indicate the type of authentication you want to use by clicking the appropriate radio button: MD5 or SHA
- In the Authentication Password field, type the password to use for authentication
- Indicate the type of encryption you want to use by clicking the appropriate radio button: DES, 3DES, or AES
- If you chose AES encryption, from the AES Size drop-down list, specify which level of AES encryption to use: 128, 192, or 256
- In the Encryption Password field, type the password to use for encryption. The maximum number of characters allowed for the password is 64
- Click OK to create a group (if this is the first user in that group), display this group in the Group Name drop-down list, and create a user for that group. The Add SNMP User Entry dialog box closes
- The SNMPv3 Users pane lists the following information: the SNMP Version 3 server group name, the name of the user that belongs to the specified group, the encrypted password setting, the authentication setting, the encryption algorithm setting, and the AES size setting
- Click Apply
With this, SNMP parameters for Version 3 are configured and the changes are saved to the running configuration.