Problem Areas Breakdown

Troubleshooting PIX Firewall is rewarding because of its extensive syslog capabilities, with many useful show and debug commands. This section addresses in detail the troubleshooting steps you can take that use the flexible tools and commands that are available. The following functional areas are covered:

A more detailed discussion follows in the next sections.

Licensing Issues

PIX licensing is controlled by the activation key, which dictates which features are available for use on the PIX firewall. The features turned on by the activation key can be viewed with the show version command. One important difference between router and PIX firewall licensing is that to turn on additional features on a router you download a new image, whereas on the PIX firewall you obtain a new activation key: the PIX Firewall has a single image for all platforms, with every feature included in that image and individual features enabled or disabled by the activation key. The activation key is tied to the serial number displayed by show version, so when you request an activation key it is advisable to provide the show version output to the Cisco Licensing department (licensing@cisco.com).

The activation key is stored in Flash, so if you replace the Flash, the replacement comes with its own activation key that has only the default features turned on. If you need additional features, you must obtain a new activation key.

Requests for a DES/3DES license key can be made (free of charge) at the following location:

http://www.cisco.com/kobayashi/sw-center/internet/pix-56bit-license-request.shtml

The activation key is either a four-tuple (four 32-bit words, the PIX Version 6.3 format) or a five-tuple (the PIX Version 7.0 format), and the running key can be viewed in the show version output; Example 3-14 shows a five-tuple key. Example 3-14 also shows how to enter an activation key from Enable mode.

Example 3-14. Version Output from PIX 515E

! Following command will enter the activation key to the system. Note that this command
! is entered from enable mode not from configuration mode.
PIX# activation-key 0x0106cb46 0x440feea5 0xac91a4a0 0xad38381c 0x0d08e782
! Show version output which shows the running activation key and the features available
PIX# show version
Cisco PIX Firewall Version 7.0(0)67
Device Manager Version 5.0(0)42
PIX (7.0.0.67) #0: Tue Nov 9 19:14:14 PST 2004
morlee@caldina:/vws/wza/build/f1/7.0.0.65_branch/7.0.0.67/Xpix/target/f1
PIX up 12 days 17 hours
Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
0: Ext: Ethernet0 : media index 0: irq 10
1: Ext: Ethernet1 : media index 1: irq 11
! Following are the features available
License Features for this Platform:
Maximum Physical Interfaces : 6
Maximum VLANs : 25
Inside Hosts : Unlimited
Failover : Enabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Failover active/standby only: Disabled
Failover active/active only : Disabled
Cut-through Proxy : Enabled
Guards : Enabled
URL-filtering : Enabled
Security Contexts : 5
GTP/GPRS : Disabled
VPN Peers : Unlimited
This machine has an Unrestricted (UR) license.
Serial Number: 807204118
! The five-tuple running activation key is shown below. Note that its last word differs from
! the key entered above: show version reports the key currently in effect, not the one just entered.
Running Activation Key: 0x0106cb46 0x440feea5 0xac91a4a0 0xad38381c 0x0d08e783
Configuration last modified by enable_15 at 01:10:18.238 UTC Mon Jan 17 2005
PIX#

The following list describes different types of activation keys for the PIX firewall:

  • Before Version 5.0: Licensing was based on the number of connections rather than on features. The count applied to the maximum number of inbound connections through the PIX firewall.

  • Version 5.0 and later: Licensing is based on features.

  • Restricted versus Unrestricted: On certain PIX platforms (PIX 515, 525, and 535), the license is either Restricted (R) or Unrestricted (UR). A Restricted license supports fewer interfaces, and failover is disabled.

  • Failover pair: One PIX must have an Unrestricted (UR) license; the other can have either a UR or a Failover-only (FO) license.

  • Version 7.0 and later: PIX firewall Version 7.0 supports two kinds of license keys:

    - Existing 4-tuple license key available for PIX Version 6.3

    - New 5-tuple license key for PIX Version 7.0 only

    Unlike PIX Version 6.3, which always requires a valid license key to run, PIX Version 7.0 can run without a license key, using default settings. When you upgrade from PIX Version 6.3 to PIX Version 7.0, the existing 6.3 license key is preserved in a central location on the Flash file system. When you downgrade from PIX Version 7.0 to PIX Version 6.2 or 6.3, the key saved during the upgrade is retrieved and written back to the 6.2 or 6.3 image.

  • PIX Security Context Licenses: Context licenses are available for 5, 10, 20, 50, or 100 contexts, and as upgrade licenses from 5 to 10, 10 to 20, 20 to 50, and 50 to 100 contexts.

Note

If you upgrade from one version to another, you do not need a new activation key. However, be sure to record the key from the show version output before you proceed with the upgrade. A new activation key is needed only to enable additional features on the PIX firewall.
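The note above tells you to record the key before upgrading. The following Python script is an added example (not code from the book or from Cisco) that parses show version output of the form shown in Example 3-14 and extracts what you need to keep with a configuration backup or send with a licensing request: serial number, license class, the running activation key with its tuple size, and the feature table. The sample text is constructed from the Example 3-14 output; the field labels are the ones that output uses, and the 4-tuple/5-tuple check follows the key formats described in the list above.

```python
"""Pull licensing facts out of PIX 'show version' output.

Added example, not code from the book or from Cisco. The sample below is
constructed from the Example 3-14 output; the field labels are the ones
that output uses.
"""
import re

# Constructed sample, trimmed to the licensing-relevant lines of Example 3-14.
SAMPLE_SHOW_VERSION = """\
Cisco PIX Firewall Version 7.0(0)67
Device Manager Version 5.0(0)42
PIX up 12 days 17 hours
Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
License Features for this Platform:
Maximum Physical Interfaces : 6
Maximum VLANs : 25
Inside Hosts : Unlimited
Failover : Enabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Failover active/standby only: Disabled
Failover active/active only : Disabled
Cut-through Proxy : Enabled
Guards : Enabled
URL-filtering : Enabled
Security Contexts : 5
GTP/GPRS : Disabled
VPN Peers : Unlimited
This machine has an Unrestricted (UR) license.
Serial Number: 807204118
Running Activation Key: 0x0106cb46 0x440feea5 0xac91a4a0 0xad38381c 0x0d08e783
"""

# "Name : Value" lines inside the "License Features" section.
FEATURE_LINE = re.compile(r"^(?P<name>[A-Za-z0-9/ \-]+?)\s*:\s*(?P<value>\S.*?)\s*$")
# Each word of an activation key is a 32-bit hex value written as 0x........
KEY_WORD = re.compile(r"^0x[0-9a-fA-F]{8}$")


def parse_show_version(text):
    """Return version, serial, license class, activation key words and features."""
    info = {"version": None, "serial": None, "license": None, "key": [], "features": {}}
    in_features = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Cisco PIX Firewall Version (\S+)", line)
        if m:
            info["version"] = m.group(1)
            continue
        m = re.match(r"Serial Number:\s*(\S+)", line)
        if m:
            info["serial"] = m.group(1)
            continue
        m = re.match(r"Running Activation Key:\s*(.+)", line)
        if m:
            info["key"] = m.group(1).split()
            continue
        m = re.match(r"This machine has an? \w+ \((\w+)\) license", line)
        if m:
            info["license"] = m.group(1)   # e.g. UR, R, FO
            in_features = False           # this line closes the feature table
            continue
        if line.startswith("License Features for this Platform"):
            in_features = True
            continue
        if in_features:
            m = FEATURE_LINE.match(line)
            if m:
                info["features"][m.group("name").strip()] = m.group("value")
    return info


def key_format(key_words):
    """'4-tuple' (PIX 6.3 format), '5-tuple' (PIX 7.0 only), or None if malformed."""
    if len(key_words) not in (4, 5) or not all(KEY_WORD.match(w) for w in key_words):
        return None
    return "%d-tuple" % len(key_words)


def license_problems(info):
    """Sanity checks worth running before an upgrade or a licensing request."""
    problems = []
    if info["serial"] is None:
        problems.append("serial number missing: licensing@cisco.com needs it")
    fmt = key_format(info["key"])
    if fmt is None:
        problems.append("activation key is missing or malformed")
    elif fmt == "5-tuple" and not str(info["version"]).startswith("7."):
        problems.append("5-tuple key on a pre-7.0 image: only 7.0 accepts it")
    return problems


def enabled_features(info):
    """Feature names whose value is 'Enabled' (numeric/Unlimited entries excluded)."""
    return sorted(n for n, v in info["features"].items() if v == "Enabled")


def backup_record(info):
    """One line to store alongside the configuration backup before upgrading."""
    return "serial=%s license=%s key=%s" % (
        info["serial"], info["license"], " ".join(info["key"]))


if __name__ == "__main__":
    info = parse_show_version(SAMPLE_SHOW_VERSION)
    print(backup_record(info))
    print("key format:", key_format(info["key"]))
    print("enabled:", ", ".join(enabled_features(info)))
    print("problems:", license_problems(info) or "none")
```

Feed it the captured output of show version (for example, a terminal log) instead of the constructed sample; the backup_record line is what you want in the same place as the saved configuration, since the key is needed again if the Flash is ever replaced.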


Password Recovery Issue

Password recovery must be performed on the PIX firewall under the following circumstances:

  • If you have configured AAA for login authentication and have lost the username and password. If the AAA server is down, you can still log in with pix as the username and the enable password as the password; if the AAA server is down and you have also forgotten the enable password, you must perform password recovery.

  • If AAA is not configured, but you have lost the login password.

The PIX performs password recovery from ROM monitor mode by loading a utility called npdisk, which removes the AAA authentication lines and the enable and login password lines from the startup-config file. Users can then log in to the PIX and access the running configuration.

Beginning with PIX Version 7.0, you can disable password recovery to provide extra protection for the PIX firewall. Consider intruders who gain physical access to the PIX and connect to the console port to perform password recovery: they could read the PIX configuration and bring the PIX online under their control. With password recovery disabled, intruders with physical access can still enter ROM monitor mode and load the npdisk image, but the PIX wipes the whole Flash file system, configuration included, before granting any access. Your PIX configuration is therefore not disclosed, and the intruders cannot bring the PIX online with it. Note that this protects the confidentiality of the configuration, not the availability of the device (an intruder can still erase it), so it remains extremely important to provide stringent physical security for your PIX firewall.

The "allow password recovery" option can be set during the initial configuration prompts (the preconfiguration template walk-through), as shown here, or with the no service password-recovery command.

Allow password recovery? [yes]

WARNING: entering 'no' will disable password recovery and disable access to password
recovery via the npdisk utility. The only means of recovering from lost or forgotten
passwords will be for npdisk to erase all file systems including configuration files and
images.

If entering 'no' you should make a backup of your configuration and have a mechanism to
restore images from the Monitor Mode command line...

Allow password recovery? [yes]

To enable password recovery on the CLI, execute the following command:

PIX(config)# service password-recovery

The following command will turn off the password recovery option:

PIX(config)# no service password-recovery

Be sure to write the configuration to the startup configuration for the change to take effect: npdisk reads the startup-config, not the running configuration.

PIX# write memory

Work through the following steps to perform the password recovery:

1.
Boot the PIX firewall into ROM monitor mode by pressing the Escape (or Break) key while the PIX is booting.

Download the npdisk image from the following location:

http://www.cisco.com/warp/public/110/34.shtml

Note

The npdisk utility is backward-compatible, so if you have the np63.bin image, it can be used for a PIX running Version 6.3 and earlier.



2.
Download and install a Trivial File Transfer Protocol (TFTP) server if you do not already have one. TFTP servers are available free on the Internet.

3.
Connect the TFTP server directly to one of the PIX interfaces (for example, ethernet1) with a crossover cable. TFTP runs over UDP with only simple lock-step retransmission, so a direct connection minimizes the packet loss that can stall or corrupt the image download. However, you can also place the TFTP server in a different network segment, as depicted in Figure 3-3.

Figure 3-3. A TFTP Server Setup for PIX Firewall Upgrade


4.
Place the npdisk image in the root directory of the TFTP server.

5.
From ROM monitor mode on the PIX firewall, configure the network parameters for the interface to which the TFTP server is connected. For example, if the ethernet1 interface is connected to the TFTP server, the configuration should look like the following (based on Figure 3-3):

Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot interrupted.
Use ? for help.
monitor> interface 1
monitor> address 10.1.1.1
monitor> file np63.bin
monitor> gateway 10.1.1.2
monitor> server 20.1.1.100



6.
Initiate the TFTP download of the npdisk image.

At this stage, initiate the download of the npdisk image. If password recovery is allowed by the configuration, you will see the following output:

monitor> tftp
tftp np63.bin@20.1.1.100 via 10.1.1.2............ Received 92180 bytes
Do you wish to erase the passwords? [yn] y
The following lines will be removed from the configuration:
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
Do you want to remove the commands listed above from the configuration? [yn] y
Passwords and aaa commands have been erased.
Rebooting..

When npdisk is loaded from monitor mode, it reads the startup-config file. If service password-recovery is in effect (the default), npdisk behaves as it did in previous versions: it removes only the startup-config lines that set the enable password, the login password, and the aaa authentication for the console, Telnet, SSH, and enable paths, as in the preceding output.

If no service password-recovery is configured on the PIX firewall, the following sequence occurs:

monitor> tftp
! Following is what is shown when the no service password-recovery option is
! configured.
Cisco Secure PIX Firewall password tool (3.0) #3: Wed May 5 16:20:53 EDT 2004
. . . . .
Using the default startup configuration
WARNING: Password recovery has been disabled by your security policy. Choosing YES below
will cause ALL configurations, passwords, images, and files systems to be erased and a new
image must be downloaded via monitor mode.
Erase all file systems? y/n [n]:
! Answering 'yes' to this question will result in a prompt to verify
! deletion and overwriting of all local file systems (flash: for PIX
! platforms). After all file systems are erased the system will reboot
! and a new image must be downloaded via monitor mode.
WARNING: Password recovery has been disabled by your security policy. Choosing YES below
will cause ALL configurations, passwords, images, and files systems to be erased and a new
image must be downloaded via monitor mode.
Erase all file systems? y/n [n]: yes
Permanently erase flash:? y/n [n]: yes
Erasing Flash:
...............................
Rebooting...
! Answering 'no' to the question above will result in the system rebooting and
! loading the image on flash:
WARNING: Password recovery has been disabled by your security policy. Choosing YES below
will cause ALL configurations, passwords, images, and files systems to be erased and a new
image must be downloaded via monitor mode.
Erase all file systems? y/n [n]: no
Rebooting...

When password recovery is disabled, npdisk detects no service password-recovery in the startup-config file and prompts you to erase the Flash file system instead of stripping the passwords. If you choose not to erase the Flash, the system simply reloads: password recovery depends on keeping the existing configuration, and npdisk will not modify that configuration while recovery is disabled. If you choose Yes, the whole Flash, configuration included, is erased, and you will need to load a new image from monitor mode.
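To complement the two npdisk outputs above, here is an added Python example (not code from the book or from Cisco) that predicts, from a copy of the startup-config, which path npdisk will take and which lines it will strip, and lists the credential-bearing lines (such as username entries) that survive a recovery. The strip patterns are the six line types shown in the earlier output; the two configurations are constructed samples with placeholder password hashes, and the assumption that npdisk matches the same line types on other configurations is mine.

```python
"""Predict what npdisk will do to a given startup-config.

Added example, not code from the book or from Cisco. It models the two
behaviours described on this page: with recovery allowed, npdisk strips the
password and aaa authentication lines; with 'no service password-recovery'
present, it offers only to erase Flash.
"""
import re

# Patterns for the line types npdisk removed in the output shown on this page
# (enable password, login password, aaa authentication for the console paths).
# Assumption: npdisk matches the same line types on other configurations.
STRIP_PATTERNS = (
    re.compile(r"^enable password\b"),
    re.compile(r"^passwd\b"),
    re.compile(r"^aaa authentication (serial|telnet|ssh|enable) console\b"),
)

DISABLE_LINE = "no service password-recovery"

# Constructed sample: recovery left at its default (allowed). Hashes are placeholders.
OPEN_CONFIG = """\
hostname PIX
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
username admin password Yj8bQ4T.xLm2cAwE encrypted privilege 15
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
"""

# The same configuration with recovery disabled, as written by 'no service password-recovery'.
LOCKED_CONFIG = OPEN_CONFIG + DISABLE_LINE + "\n"


def recovery_allowed(config_text):
    """PIX 7.0 allows recovery unless the startup-config carries the 'no' form."""
    return not any(l.strip() == DISABLE_LINE for l in config_text.splitlines())


def plan_recovery(config_text):
    """Return what npdisk would do: the lines it strips, or that it erases Flash."""
    lines = config_text.splitlines()
    if not recovery_allowed(config_text):
        # Nothing survives on the erase path: configuration, images and file systems go.
        return {"action": "erase-flash", "removed": [], "kept": []}
    removed = [l for l in lines if any(p.match(l.strip()) for p in STRIP_PATTERNS)]
    kept = [l for l in lines if l not in removed]
    return {"action": "strip-passwords", "removed": removed, "kept": kept}


def residual_auth_lines(plan):
    """Credential-bearing lines that survive a recovery, e.g. 'username' entries,
    which npdisk leaves in place even though it removes the aaa lines that use them."""
    return [l for l in plan["kept"] if l.strip().startswith(("username", "aaa "))]


if __name__ == "__main__":
    for name, cfg in (("open", OPEN_CONFIG), ("locked", LOCKED_CONFIG)):
        plan = plan_recovery(cfg)
        print("%s config -> %s" % (name, plan["action"]))
        for l in plan["removed"]:
            print("  would remove:", l)
        for l in residual_auth_lines(plan):
            print("  survives:    ", l)
```

Run it against the startup-config you keep in backup before you walk to the console: on the "open" config it lists exactly the six lines the npdisk output above removed, and on the "locked" config it reports that the only option is erasing Flash, which is the moment to confirm the backup and the image you will reload from monitor mode.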